Critical Oracle Micros POS Flaw Affects Over 300,000 Payment Systems
1.2.2018 thehackernews

Oracle has released a security patch update to address a critical remotely exploitable vulnerability that affects its MICROS point-of-sale (POS) business solutions for the hospitality industry.
The fix has been released as part of Oracle's January 2018 update that patches a total of 238 security vulnerabilities in its various products.
According to public disclosure by ERPScan, the security firm which discovered and reported this issue to the company, Oracle's MICROS EGateway Application Service, deployed by over 300,000 small retailers and business worldwide, is vulnerable to directory traversal attack.
If exploited, the vulnerability (CVE-2018-2636) could allow attackers to read sensitive data and receive information about various services from vulnerable MICROS workstations without any authentication.
Using directory traversal flaw, an unauthorized insider with access to the vulnerable application could read sensitive files from the MICROS workstation, including service logs and configuration files.
As explained by the researchers, two such sensitive files stored within the application storage—SimphonyInstall.xml or Dbconfix.xml—contain usernames and encrypted passwords for connecting to the database.
"So, the attacker can snatch DB usernames and password hashes, brute them and gain full access to the DB with all business data. There are several ways of its exploitation, leading to the whole MICROS system compromise," the researchers warned.
"If you believe that gaining access to POS URL is a snap, bear in mind that hackers can find digital scales or other devices that use RJ45, connect it to Raspberry PI, and scan the internal network. That is where they easily discover a POS system. Remember this fact when you pop into a store."
ERPScan has also released a proof-of-concept Python-based exploit, which, if executed on a vulnerable MICROS server, would send a malicious request to get the content of sensitive files in response.
Besides this, Oracle's January 2018 patch update also provides fixes for Spectre and Meltdown Intel processor vulnerabilities affecting certain Oracle products.

Serious Flaws Affect Several ManageEngine Products
1.2.2018 securityweek 
Researchers at Digital Defense have uncovered several potentially serious vulnerabilities in IT management products from ManageEngine, including ones that allow an attacker to take complete control of the affected application. The vendor has released patches to address the flaws.

Zoho-owned ManageEngine provides network, data center, desktop and mobile device, and security solutions to more than 40,000 customers, including three out of every five Fortune 500 company.

One of the flaws found by Digital Defense affects ManageEnegine’s ServiceDesk Plus help desk software. An unauthenticated file upload vulnerability allows an attacker to upload a JavaScript web shell and use it to execute arbitrary commands with SYSTEM privileges.

Experts also discovered several blind SQL injection vulnerabilities that allow an unauthenticated attacker to take complete control of an application and possibly even the underlying host.

These types of flaws have been found in the OpManager network monitoring product, Network Configuration Manager, bandwidth monitoring and traffic analysis product NetFlow Analyzer, firewall configuration and log management product Firewall Analyzer, and IP address management app OpUtils.

These products are also impacted by an enumeration issue that can be exploited to access user information such as usernames, email addresses and phone numbers.

An attacker could gain access to the content of files on the host running ManageEngine applications by leveraging an unauthenticated XML External Entity (XXE) vulnerability.

Digital Defense said ManageEngine promptly responded to its vulnerability reports and released updates for each of the affected applications to address the security holes.

“Application layer vulnerabilities continue to be a key area of focus for software vendors,” said Mike Cotton, vice president of engineering at Digital Defense. “We are pleased to work collaboratively with affected vendors to facilitate prompt resolution, ensuring our clients and enterprises are protected from any potential exploitation of these vulnerabilities.”

Digital Defense recently reported discovering authentication bypass, arbitrary file upload, and path traversal vulnerabilities affecting data protection products from both Dell EMC and VMware.

Malware exploiting Spectre and Meltdown flaws are currently based on available PoC
1.2.2018 securityaffairs

Malware Exploiting Spectre, Meltdown Flaws Emerges
Researchers at the antivirus testing firm AV-TEST have discovered more than 130 samples of malware that were specifically developed to exploit the Spectre and Meltdown CPU vulnerabilities.

The good news is that these samples appear to be the result of testing activities, but experts fear that we could soon start observing attacks in the wild.

Most of the codes obtained by AV-TEST are just recompiled versions of the Proof of Concept code available online. Experts at AV-TEST also found the first JavaScript PoC codes for web browsers like IE, Chrome or Firefox in our database now.

“We also found the first JavaScript PoC codes for web browsers like IE, Chrome or Firefox in our database now.”Andreas Marx, CEO of AV-TEST, told SecurityWeek.

The Meltdown attack could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

The Meltdown exploits the speculative execution to breach the isolation between user applications and the operating system, in this way any application can access all system memory.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

On January 17, experts at AV-TEST reported that they had detected 77 malware samples apparently related to the Intel vulnerabilities.


#Spectre & #Meltdown: So far, the AV-TEST Institute discovered 77 samples which appear to be related to recently reported CPU vulnerabilities. #CVE-2017-5715 #CVE-2017-5753 #CVE-2017-5754

2:49 PM - Jan 17, 2018
7 7 Replies 24 24 Retweets 27 27 likes
Twitter Ads info and privacy
The number of malware samples related to Meltdown and Spectre reached pi119 by January 23.


[UPDATE: 2018-01-23] #Spectre & #Meltdown: So far, the AV-TEST Institute discovered 119 samples which appear to be related to recently reported CPU vulnerabilities. #CVE-2017-5715 #CVE-2017-5753 #CVE-2017-5754

SHA256 Hashes: …

4:23 PM - Jan 23, 2018
2 2 Replies 14 14 Retweets 24 24 likes
Twitter Ads info and privacy
On January 31, AV-TEST confirmed to be in possession of 139 samples from various sources.


[UPDATE: 2018-01-23] #Spectre & #Meltdown: So far, the AV-TEST Institute discovered 119 samples which appear to be related to recently reported CPU vulnerabilities. #CVE-2017-5715 #CVE-2017-5753 #CVE-2017-5754

SHA256 Hashes: …

4:23 PM - Jan 23, 2018
2 2 Replies 14 14 Retweets 24 24 likes
Twitter Ads info and privacy

According to the AV-TEST CEO, several groups of experts are working on a malware that could trigger Intel flaws, most of them are re-engineering the available PoC.

“We aren’t the only ones concerned. Others in the cybersecurity community have clearly taken notice, because between January 7 and January 22 the research team at AV-Test discovered 119 new samples associated with these vulnerabilities,” reads a blog post published by Fortinet. “FortiGuard Labs has analyzed all of the publicly available samples, representing about 83 percent of all the samples that have been collected, and determined that they were all based on proof of concept code. The other 17 percent may have not been shared publicly because they were either under NDA or were unavailable for reasons unknown to us.”

Mozilla fixes a critical remote code execution vulnerability in Firefox
1.2.2018 securityaffairs

Mozilla has released security updates for Firefox 58 that addresses a critical remote code vulnerability that allows a remote attacker to run arbitrary code on vulnerable systems.
Mozilla has released an update for the Firefox 58 browser (aka Firefox Quantum) that addresses a critical flaw that could be exploited by a remote attacker to execute arbitrary code on computers running the vulnerable version of the browser.
The vulnerability, tracked as CVE-2018-5124, affects Firefox versions 56 through 58, meanwhile, it doesn’t impact Firefox for Android and Firefox 52 ESR.
The development teams behind major Linux distributions have also started rolling out updated packages that fix the flaw.

It was discovered by the Mozilla developer Johann Hofmann.

According to a security advisory published by Cisco, the Firefox 58.0.1 version fixed an ‘arbitrary code execution’ flaw that originates due to ‘insufficient sanitization’ of HTML fragments in chrome-privileged documents (browser UI).

“A vulnerability in Mozilla Firefox could allow an unauthenticated, remote attacker to execute arbitrary code on a targeted system.” states the security advisory.

“The vulnerability is due to insufficient sanitization of HTML fragments in chrome-privileged documents by the affected software. An attacker could exploit the vulnerability by persuading a user to access a link or file that submits malicious input to the affected software. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely.“

Firefox 58 was released on January 23, it addresses more than 30 vulnerabilities in the popular browser, some of them rated as high severity, including a use-after-free, buffer overflow, and integer overflow flaws.

According to Mozilla, its bug bounty program has already paid out nearly $1 million to white hat hackers who reported vulnerabilities.

Don’t waste time, apply the software updates as soon as possible.

FBI Pushes for Small Business Information Sharing
31.1.2018 securityweek BigBrothers
Howard S. Marshall, Deputy Assistant Director of the Cyber Division of the FBI, spoke Tuesday before the House Small Business Committee on the subject of 'Small Business Information Sharing: Combating Foreign Cyber Threats.' The purpose was to outline the FBI's role in helping small businesses defend against cyber threats.

His statement came in two parts: first, to outline the major cyber threats to U.S. business, and then to outline the FBI's response to these threats.

"Some of the more prevalent or rising cyber threats to small businesses," he said, include business e-mail compromise (BEC); ransomware; criminal data breach activity; and the internet of things (IoT). He did not provide any statistics on these cybercrimes, but instead concentrated on a high-level description of the threats with a brief explanation of FBI advice on countering them.

The FBI's advice for BEC is that companies should require a second, independent verification on payment requests; that e-mail accounts should have regularly changed strong passwords and two-factor authentication; and that companies should use their own domain-based email rather than free web-based email. Wherever possible, the last recommendation should be supported a filter system that flags emails with look-alike domain names.

The primary advice against ransomware, which the FBI expects "to remain a significant threat to businesses in the U.S. and worldwide", is that businesses should schedule regular backups to drives not connected to their network. "These drives can be used to restore a system to the backup version without paying the ransom to the perpetrator."

There is no specific advice on whether businesses should or should not pay the ransom, although it is known that the FBI -- and LEAs generally -- would prefer that ransoms are not paid. Marshall did say, however, "It is important to note that even if a ransom is paid, there is no guarantee the business or individual will obtain their files from the cyber criminal."

In two recent ransomware incidents, two separate healthcare organizations were infected with different variants of the SamSam ransomware. One, Hancock Health, decided to pay the ransom. It was infected on January 11 and was back online by January 15. The second, Allscripts, chose not to pay the ransom. It was infected on January 18. On January 26, Allscripts emailed SecurityWeek, "We are pleased to announce that service to all affected clients has been restored." In the final analysis, whether to pay or not is a risk-based decision for each individual victim.

'Criminal data breach activity' is such a vast subject that the statement makes little attempt to discuss it in detail. This is probably a mistake since it could leave politicians with the idea that small businesses are at less risk of hacker attacks than large organizations -- which is not correct. All that Marshall says here is, "We encourage businesses to apply a variety of best practices to secure their network architecture."

The growing IoT threat is discussed as a problem with no current solution. "Increased connectivity through IoT devices will only increase the potential attack surface for networks, as cyber security is largely under-prioritized from device design through implementation." Marshall highlighted the IoT-based DDoS attacksof late 2016. He said, "Individuals and businesses can prevent their devices from being compromised by changing default user name and passwords, ensuring device firmware is up to date, implementing strong firewall rules, and by turning off or rebooting devices when not in use."

The long-term solution to the IoT threat will come from better designed and built devices, and he noted that NIST is currently developing standards to improve IoT devices.

The description of current threats provides the background for the second half of the statement: 'FBI Cyber private sector engagement', which is described as a key component of the FBI's strategy for combating cyber threats. This engagement has required a change to the FBI's traditional methods of intelligence gathering. Traditionally, intelligence has been gathered from its own operations, from intelligence services, and from other LEAs.

"However," said Marshall, "we are now also looking to integrate private industry information into our intelligence cycle to enhance our ability to identify and respond to both emerging and ongoing threats." The FBI is particularly looking to private industry to share both its understanding of sector-specific networks, and its threat intelligence in order to integrate that understanding into its own intelligence cycle. "This type of information sharing enables us to provide more specific, actionable, and timely information to our industry partners so they can protect their systems in a proactive manner."

The FBI accepts that such information sharing must be two-way. Marshall described some of the FBI's outreach projects: nearly 70 public service announcements (PSAs) over the past five years, and other notifications including FBI Liaison Alert System (FLASH) reports, and private industry notifications (PINs).

Other projects include its involvement with the National Cyber-Forensics and Training Alliance (NCFTA); its public awareness campaigns or 'open houses' to educate businesses on serious cyber threats; its workshops on specific threats (such as BEC); and its countrywide briefings, conferences, and workshops for key executives throughout industry. There have been nearly 2800 of the latter over the past five years.

This is achievable through the FBI's countrywide decentralized organization, with field offices in every state. "Cyber-trained special agents are in each field office, providing locally available expertise to deploy to victim sites immediately upon notice of an incident," he said.

One aspect of the FBI statement stands out. Marshall goes to some length to stress that the FBI will treat cyber victims as the victim. "No matter what course of action is deemed appropriate, the FBI views a company that has been attacked as a victim and will protect investigative information appropriately." This goes to the heart of the FBI's problem in engaging with small businesses. While companies will automatically consider the FBI as the first port of call in an emergency, other engagements are traditionally avoided or concerning.

Voluntarily offering operational details to the FBI is not yet in the psyche of small business -- and yet this must be achieved for the FBI to fulfil its purpose. That ultimate purpose, says the statement, is to "provide information that can be used to initiate indictments, affect arrests, generate demarches, or produce international sanctions against those who conduct cyber attacks or aggressive actions against entities in the United States."

Mozilla Patches Critical Code Execution Flaw in Firefox
31.1.2018 securityweek
An update released this week by Mozilla for Firefox 58 patches a critical vulnerability that can be exploited by a remote attacker for arbitrary code execution.

Mozilla developer Johann Hofmann discovered that arbitrary code execution is possible due to unsanitized output in the browser UI.

The vulnerability, tracked as CVE-2018-5124, affects Firefox versions 56 through 58 and it has been fixed with the release of Firefox 58.0.1. According to Mozilla, Firefox for Android and Firefox 52 ESR are not impacted. Linux distributions have also started pushing out updated packages that include the fix.

“The vulnerability is due to insufficient sanitization of HTML fragments in chrome-privileged documents by the affected software,” Cisco said in an advisory describing this flaw. “An attacker could exploit the vulnerability by persuading a user to access a link or file that submits malicious input to the affected software. A successful exploit could allow the attacker to execute arbitrary code with the privileges of the user. If the user has elevated privileges, the attacker could compromise the system completely.”

Firefox 58, which Mozilla released on January 23, patches more than 30 vulnerabilities, including a potentially exploitable use-after-free bug and various memory safety issues that have been rated critical.

Firefox 58 also addresses over a dozen high severity flaws, including use-after-free, buffer overflow, and integer overflow bugs. A vulnerability that allows WebExtensions to bypass user prompts to download and open an arbitrarily file has also been classified as high severity.

Ten of these security holes were also addressed earlier this month in the Thunderbird email client with the release of version 52.6. Mozilla pointed out that the flaws typically cannot be exploited against Thunderbird using specially crafted emails.

Mozilla runs a bug bounty program for Firefox and the organization claims it has paid out nearly $1 million to experts who reported vulnerabilities. Hackers can earn between $3,000 and $7,500 for critical and high severity flaws in Mozilla software, but a novel exploit or form of exploitation can earn more than $10,000.

In addition to its software bug bounty program, Mozilla rewards flaws discovered in its websites and services with up to $5,000. The organization says it has paid out a total of roughly $3 million across its bug bounty programs.

Asus Router Flaws Disclosed by Several Researchers
31.1.2018 securityweek
Several security researchers and companies have recently disclosed the details of potentially serious vulnerabilities they discovered in the past months in various Asus routers.

Fortinet reported on Tuesday that its researchers had found a vulnerability in some Asus routers that allows an authenticated attacker to execute arbitrary commands with root privileges.

“Technically, vulnerable models are prone to OS command injections via unsanitized parameters passed to the /apply.cgi,” Fortinet explained. “In Main_Analysis_Content.asp in particular, the SystemCmd variable is created on the client side in the JavaScript function updateOptions(), which in turn uses the values from the input fields pingCNT and destIP. A web proxy can then be used to bypass the local checks that are normally done, and then /cmdRet_check.htm is used to asynchronously return the response from the request. The command is then executed with no further checks performed on the server side.”

Eugene Dokukin, aka “MustLive,” a member of the Ukrainian Cyber Forces activist group, has also disclosed the details of some cross-site scripting (XSS) and cross-site request forgery (CSRF) vulnerabilities affecting several Asus RT-N10 models.Vulnerabilities in Asus routers

Vulnerabilities in Asus routers

Dokukin claimed that the Ukrainian Cyber Forces, who are fighting a cyberwar against the Russian government and separatists in Eastern Ukraine, have exploited these vulnerabilities to take control of devices belonging to their targets.

Researcher Pedro Ribeiro informed Asus of two vulnerabilities via Beyond Security’s SecuriTeam Secure Disclosure program, including access bypass and configuration manipulation issues.

According to Ribeiro, the AsusWRT operating system running on mid-range and high-end Asus routers is affected by vulnerabilities that allow an unauthenticated attacker with access to the local network to remotely execute arbitrary code.

One of the flaws found by the expert allows an attacker to reset the device’s administrator password by sending a specially crafted request. Once the password has been reset, the attacker can log into the web interface with the new password, enable SSH, and then access the device via SSH. Ribeiro also noted that arbitrary command execution is also possible without resetting the admin password.

Finally, Víctor Calvo of Spain-based security firm S2 Grupo, discovered that an attacker can change the credentials of any user, including the device’s administrator, by sending a specially crafted request to the password reset form.

Calvo also found that the Asus AiCloud service, which allows users to remotely access their home network, is affected by XML External Entity (XXE) vulnerabilities that can be exploited to access system files, including ones that store user credentials.

The researchers who identified these vulnerabilities informed Asus of their findings – except for Dokukin, who typically doesn’t inform vendors of the flaws exploited by his group. The company in most cases developed patches within a few weeks after being notified. Information on the latest firmware patches is available on Asus’ Product Security Advisory page.

New AMD Processors to Include Protections for Spectre-like Exploits
31.1.2018 securityweek
AMD’s new Zen 2 and future processors will include protections against Spectre and other similar exploits, the tech giant revealed on Tuesday as it announced its earnings for 2017.

AMD CEO Lisa Su reiterated that the company’s CPUs are not vulnerable to Meltdown attacks and one variant of the Spectre attack is difficult to carry out against its products.AMD processors will include Spectre protections

“For Spectre Variant 1, we continue actively working with our ecosystem partners on mitigations, including operating system patches that have begun to roll out. We continue to believe that Variant 2 of Spectre is difficult to exploit on AMD processors, however we are deploying CPU microcode patches – in combination with OS updates – to provide additional mitigation steps,” Su explained.

The CEO highlighted that in the long-term the company plans on including protections for Specter-like exploits into all future processor cores. These protections have already been implemented into the design of recently unveiled Zen 2 CPUs, which are expected to become available next year.

AMD reported revenue of $5.33 billion for 2017, which it says represents a 25 percent increase compared to the previous year. However, the company warned that the Spectre and Meltdown exploits could have a negative impact on the company’s revenue, including as a result of lawsuits, which have already been filed against the organization.

“Actual or perceived security vulnerabilities of AMD products may subject AMD to adverse publicity, damage to its brand and reputation, and could materially harm AMD’s business or financial results,” the company stated.

Intel also informed customers that it’s working on CPUs that will include built-in protections against Meltdown and Spectre attacks.

In the meantime, existing software and microcode patches have caused problems for many users, which has led to vendors halting updates and disabling mitigations until issues are resolved.

700,000 Bad Android Apps Removed From Google Play in 2017
31.1.2018 securityweek Android
Google took down over 700,000 Android applications from the official software marketplace last year, 70% more than were removed from the store in 2016.

Additonally, Google improved its ability to identify bad applications earlier, and 99% of apps featuring abusive contents were rejected before reaching users, the company claims.

According to Andrew Ahn, Product Manager, Google Play, this was possible because of new machine learning models and techniques that power Google’s abuse detection abilities (including impersonation, inappropriate content, or malware).

Furthermore, the company focused on identifying repeat offenders and abusive developer networks, which resulted in taking down 100,000 bad developers in 2017. It also “made it more difficult for bad actors to create new accounts and attempt to publish yet another set of bad apps,” Ahn says.

Last year, Google took action against copycat apps, or those programs attempting to deceive users by posing as popular programs. Because famous programs get massive search traffic for particular keywords, the bad actors attempt to take advantage of this by publishing impersonating apps to Google Play Store.

Some of the methods employed include the use of confusable Unicode characters or the hiding of impersonating app icons in a different locale. Google says it took down over a quarter of a million such applications last year.

Applications that contain or promote inappropriate content (pornography, extreme violence, hate, and illegal activities) aren’t accepted in the app store either, and Google removed tens of thousands of such programs from the Android marketplace last year.

Potentially Harmful Applications (PHAs) – malware that performs SMS fraud, acts as Trojans, or phishes user's information – can harm people or their devices despite going to lengths to appear as legitimate programs. According to Ahn, Google Play Protect helped the Internet giant reduce the annual PHA installs rates on Google Play by 50% last year.

“Despite the new and enhanced detection capabilities that led to a record-high takedowns of bad apps and malicious developers, we know a few still manage to evade and trick our layers of defense. We take these extremely seriously, and will continue to innovate our capabilities to better detect and protect against abusive apps and the malicious actors behind them,” Ahn says.

Malware Exploiting Spectre, Meltdown Flaws Emerges
31.1.2018 securityweek
Researchers have discovered more than 130 malware samples designed to exploit the recently disclosed Spectre and Meltdown CPU vulnerabilities. While a majority of the samples appear to be in the testing phase, we could soon start seeing attacks.

The Meltdown and Spectre attack methods allow malicious applications to bypass memory isolation mechanisms and access passwords, photos, documents, emails, and other sensitive data. Shortly after Spectre and Meltdown were disclosed on January 3, experts warned that we could soon see remote attacks, especially since a JavaScript-based proof-of-concept (PoC) exploit for Spectre had been made available.

On January 17, antivirus testing firm AV-TEST reported that it had seen 77 malware samples apparently related to the CPU vulnerabilities, and the number had increased to 119 by January 23.

On Wednesday, AV-TEST told SecurityWeek that it has obtained 139 samples from various sources, including researchers, testers and antivirus companies.

Number of Spectre/Meltdown malware samples

“Most appear to be recompiled/extended versions of the PoCs - interestingly, for various platforms like Windows, Linux and MacOS,” Andreas Marx, CEO of AV-TEST, told SecurityWeek. “We also found the first JavaScript PoC codes for web browsers like IE, Chrome or Firefox in our database now.”

Fortinet, which also analyzed many of the samples, confirmed that a majority of them were based on available PoC code.

Marx believes different groups are working on the PoC exploits to determine if they can be used for some purpose. “Most likely, malicious purposes at some point,” he said.

The expert believes the current malware samples are still in the “research phase” and attackers are most likely looking for ways to extract information from computers, particularly from web browsers. He would not be surprised if we started seeing targeted and even widespread attacks in the future.

Processor and operating system vendors have been working on microcode and software mitigations for the Meltdown and Spectre attacks, but the patches have often caused problems, leading to companies halting updates and disabling mitigations until instability issues are resolved.

In addition to installing operating system and BIOS updates, Marx has two other recommendations that should reduce the chances of a successful attack: switching off the PC when it’s not needed for more than an hour, and closing the web browser during work breaks. “This should decrease your attack surface a lot and also save quite some energy,” Marx said.

Remotely Exploitable Vulnerability Could Impact 300,000 Oracle PoS Systems
31.1.2018 securityweek
A vulnerability Oracle addressed in the MICROS Point-of-Sale (PoS) terminals with the January 2018 Critical Patch Update could impact more than 300,000 payment systems worldwide.

Tracked as CVE-2018-2636 and featuring a CVSS v3 score of 8.1, the vulnerability was discovered in September 2017 as a directory traversal vulnerability. Hackers looking to abuse it could read any file by sending a packet to a particular web service of a PoS terminal.

The security bug can be exploited remotely without authentication to read files from the impacted PoS systems. Furthermore, attackers could abuse it to access configuration files that store sensitive information including passwords.

Attackers looking to exploit the flaw could gain full access to the operating system for espionage, sabotage or fraud operations, ERPScan, a company that specializes in securing Oracle and SAP products, reveals. By exploiting the flaw, cybercriminals could, for example, pilfer credit card numbers, the company says.

Because of the wide use of MICROS PoS terminals, the impact of such a security issue could be dire. At the moment, Oracle’s MICROS has more than 330,000 cash registers worldwide. The terminals can be found in over 200,000 food and beverage outlets and more than 30,000 hotels across 180 countries, ERPScan points out.

The vulnerability was discovered as a directory traversal in Oracle MICROS EGateway Application Service. With access to the URL, an attacker could exfiltrate files from the MICROS workstations, including services logs, and could also read files that contain usernames and encrypted passwords to gain full access to the database with all business data.

“After sending a malicious request, for example, the request to read SeviceHost.xml file, the vulnerable MICROS server sends back a special response with the SeviceHost.xml contents,” the security firm explains.

The vulnerability was addressed in Oracle’s January 2018 CPU, but the patch was unlikely to have been already deployed to all of the vulnerable MICROS PoS systems out there.

“POS systems directly process and transmit our payment orders, so it’s self-evident that they are extremely important and valuable. We use them on the daily and hope to be secure from thefts. As a user, I want to rest safe and to avoid any problem while making payments with my card. We worry for the security of our money, and it makes sense,” Alexander Polyakov, CTO of ERPScan, says.

Is ICEMAN behind the malware-based attack on Crystal Finance Millennium?
31.1.2018 securityaffairs

Exclusive – The Iceman gang taking responsibility for infecting Crystal Finance Millennium, the journalist Marc Miller interviewd one of the members of the crew.
Iceman gang member confirms that they are behind the introduction and spreading of malware that infected the systems at Crystal Finance Millennium.

In Septemeber security experts at TrendMicro reported that the Ukraine based Account Firm, Crystal Finance Millennium (CFM), has been hacked and is found to be distributing malware.

The incident caused the firm to take down its website to stop spreading the threat.

Crystal Finance Millennium ICEMAN
Crystal Finance Millennium attack (Source Trend Micro)

Marc Miller had a chance to speak to one of the gang members on XMMP and he confirmed that the Iceman group is behind this attack. They started with a simple web attack (SQLI which lead to web shell upload, no privilege escalation was needed) in order to gain access to the web servers of the company.

He confirmed that the math was simple, the Ukrainian company had many clients in the financial and medical sector which facilitated the propagation of their malware. From the archived web page, it becomes apparent they provide accounting software, personalization of medical records, blood service and “full automation of the doctor’s office” – contrary to what their company name suggests, it appears they are (mostly) focused on medical software.

The group sent phishing emails to various targets based in Ukraine and former Soviet countries. The emails contained a ZIP file that, in turn, contained a JavaScript file. When users unzipped the archive and ran the JS file, the script would download a file named load.exe from the CFM’s web server.
The loader (load.exe file) will, later on, download a Purge ransomware that was modified for that operation by the Iceman group. According to the gang, each target was treated individually to maximize profit. Sometimes they would run a ransomware program and sometimes they would run a banking Trojan. “When you sophisticate your attack, you can drain the sharks” – he said.

An inclusive interview is in the making to unveil the course of this attack. It will be released in the upcoming weeks.

Marc Miller is a web journalist, focused on cybercrime.
He started a blog called: THE PURPLE HAT – Cyber Gangs NAKED, dedicated to exposing the methods and works of cybercrime gangs such as “CARBANAK” or similar sophisticated syndicated Cybercrime organizations.

In the past. he worked as a web front-end programmer. Also, he is passionate about hardware, hacking, security and marketing.

Cybercriminals Stealing From Cybercriminals Ransomware Victims Left Stranded
31.1.2018 securityaffairs

What do you get when you add Bitcoin, with a TOR network proxy and cybercriminals? Even more cybercrime!
Bitcoin is the preferred cryptocurrency for ransomware payments. Like most cryptocurrencies it is largely anonymous, allowing the ransoming cybercriminals to collect their money while staying safely in the shadows. Even though Bitcoin is the most popular cryptocurrency, the majority of victims do not have a ready cache of Bitcoin to pay ransom with so the cybercriminals came up with a process to facilitate these ransom payments.

Payment websites are hosted on the Tor network where victims login, purchase Bitcoin and deposit them into the wallet of the bad actors. Sounds convenient, unless there is another bad actor in the middle. To understand how that happens, we first need to explain the Tor network.

Tor is an acronym based on a software project called The Onion Router. It “[redirects] Internet traffic through a free, worldwide, volunteer overlay network consisting of more than seven thousand relays to conceal a user’s location and usage…“, Tor (anonymity network), Wikipedia. In other words, you must use a Tor client to connect to the Tor network and in doing so, you participate as a relay in the network helping to provide anonymity for all other users.

There are many situations where this type of Internet anonymity would be useful: researching a company without alerting them to who is looking, researching a controversial topic without being identified, avoiding oppressive government restrictions or spying, and facilitating Bitcoin payments while hiding the location of the web server. The challenge for the ransomers is that victims are even less likely to be set up with a Tor client than they are to have Bitcoin! To solve this problem, there are individuals who run “Tor proxies.” These proxies are accessible with a regular browser on the Internet so no special software is required. For example, the hidden server on the Tor network might be addressed by hxxps://sketchwebsite.onion which requires a Tor browser to connect. However by entering hxxps:// into a regular browser, a connection is made with a “regular server” on the Internet which redirects (proxies) the request to sketchwebsite.onion on your behalf. You can surf the Tor network, and make your Bitcoin payments with no special software required. By design, a proxy takes a connection from one party and passes it to another. This involves looking at the incoming request to understand where it needs to be forwarded. This also creates an opportunity for the proxy to make changes in between.

Proofpoint is the security vendor that identified cybercriminals taking advantage of Tor proxies to steal from victims and the ransoming cybercriminals. They discovered that when victims attempted to connect to the ransomers’ website through a Tor proxy, the criminals operating the proxy made changes to the stream. Instead of the Bitcoin being deposited to the intended ransomer’s digital wallets, the funds were redirected to the proxy operator’s wallet. While you won’t be sympathetic to the ransoming cybercriminals’ loss of revenue, the real problem is that without payment they won’t release the decryption key to the victim. The ransomware victim thought they were paying Bitcoin to the ransomer for the decryption key, but with the man-in-the-middle attack at the Tor proxy they paid for nothing.

Through some very detailed analysis documented here, Proofpoint estimates that approximately 2 BTC have been redirected (around $20,000 at the time they published their article.) It was a notice on the LockeR ransomware payment portal that alerted Proofpoint researchers that something was amiss in the cybercrime underworld:

bitcoin ransomware

“While this is not necessarily a bad thing, it does raise an interesting business problem for ransomware threat actors and practical issues for ransomware victims by further increasing the risk to victims who would resort to paying ransomware ransoms,” Proofpoint researchers said. “This kind of scheme also reflects the broader trend of threat actors of all stripes targeting cryptocurrency theft. Continued volatility in cryptocurrency markets and increasing interest in the Tor network will likely drive further potential abuses of Tor proxies, creating additional risks for new users.”

US Attorney General set up the Joint Criminal Opioid Darknet Enforcement team to fight online opioid trafficking
31.1.2018 securityaffairs CyberCrime

The US Attorney General announced the creation of the Joint Criminal Opioid Darknet Enforcement team to fight online opioid trafficking.
Tor network is still a privileged ecosystem for cyber criminals and pedos, law enforcement and intelligence agencies worldwide reserve a significative effort in fighting any illegal practice that leverages anonymizing networks.

The US Attorney General has set up a task force, dubbed Joint Criminal Opioid Darknet Enforcement (J-CODE), composed of federal agents and cyber experts to dismantle black marketplaces that offer for sale any kind of drug.

The Joint Criminal Opioid Darknet Enforcement team will be distributed in many cities across the US, the feds are tasked to infiltrate the black markets, identify the operators, and shut down them.

The darknet, and in particular black marketplaces, have a relevant aggregation role for the distribution of illegal opioids. Even if many sellers are overseas, the Joint Criminal Opioid Darknet Enforcement team will be focused on domestic operators.

During the official announcement of the task force, Attorney General Jeff explained the abuses of anonymizing networks, but he also highlighted that they can be used for good purposes, such as to avoid censorship. Sessions added that the hard work of law enforcement agencies allowed the infiltration of illegal rings.

“Criminals think that they are safe on the darknet, but they are in for a rude awakening,” Sessions said.

“We have already infiltrated their networks, and we are determined to bring them to justice. The J-CODE team will help us continue to shut down the online marketplaces that drug traffickers use and ultimately that will help us reduce addiction and overdoses across the nation.”

Drugs represent a serious threat to the state, it has been estimated that opioids kill more than 90 Americans every day through overdoses, and this is the tip of the iceberg of a phenomenon that has many other dramatic consequences.

The creation of the Joint Criminal Opioid Darknet Enforcement is an important investment in fighting online opioid trafficking in term or resources and cyber capabilities.

“J-CODE will more than double the FBI’s investment in fighting online opioid trafficking. The FBI is dedicating dozens more Special Agents, Intelligence Analysts, and professional staff to J-CODE so that they can focus on this one issue of online opioid trafficking.” concluded the press release published by the DoJ.

Once again, Oracle MICROS PoS have been breached
31.1.2018 securityweek

Security experts from ERPScan discovered a new flaw in Oracle MICROS PoS terminals that could be exploited by an attacker to read sensitive data from devices.
Security experts from ERPScan discovered a new directory traversal vulnerability in Oracle MICROS Point-of-Sale terminals, tracked as CVE-2018-2636, which could be exploited by an attacker to read sensitive data from devices without authentication from a vulnerable workstation.

“CVE-2018-2636 states for a directory traversal vulnerability in Oracle MICROS EGateway Application Service. In case an insider has access to the vulnerable URL, he or she can pilfer numerous files from the MICROS workstation including services logs and read files like SimphonyInstall.xml or Dbconfix.xml that contain usernames and encrypted passwords to connect to DB, get information about ServiceHost, etc.” reads the analysis published by ERPScan.

“So, the attacker can snatch DB usernames and password hashes, brute them and gain full access to the DB with all business data. There are several ways of its exploitation, leading to the whole MICROS system compromise.”

Oracle’s MICROS has more than 330,000 cash registers worldwide, it is widely adopted in food and beverage outlets (200,000+) and hotels (30,000).

The researchers explained that it could be easy for a local attacker to access a MICRO POS URL, for example, he can find a digital scales or other devices that use RJ45 in the outlet and connect it to Raspberry PI, then scan the internal network. Another option is to locate such kind of devices exposed on the Internet, at the time of writing, there are 139 MICROS POS systems exposed online, most of them located in US and Canada.


This is not the first time when MICROS security is touched. In 2016, there was an incident where hackers attacked MICROS through the Customer Support Portal.

The vulnerability received the 8.1 CVSS v3 score.

“If you want to secure your system from cyberattacks, you have to persistently implement all security patches provided by your vendor. In our case, refer to Oracle CPU January 2018.” concluded the post.

This isn’t the first time that we approach the security of Oracle MICROS PoS systems, on August 2016, the systems of the Oracle MICROS payment terminals division were infected with a malware.

Microsoft vydal nový update Windows, řeší restarty kvůli chybám čipů Intelu

31.1.2018 SecurityWorld  Zranitelnosti
Intel nedávno varoval uživatele, aby si nestahovali firmwarové aktualizace, vydané za účelem řešení zranitelností Spectre a Meltdown, protože způsobovaly náhodné restartování systému. Microsoft na to o víkendu reagoval vydáním aktualizace KB4078130.

Bezpečnostní aktualizace deaktivovala předchozí nestabilní záplatu. Nová aktualizace je reakcí Microsoftu na týden staré oznámení, které zákazníky firmy – podniky, výrobce i koncové uživatele – varovalo před nestabilní záplatou.

Podle Intelu může nový firmware „může způsobit neočekávaně vysoký počet restartů a dalších nepředvídatelných systémových reakcí na procesorech Broadwell a Haswell.“ Tyto stále ještě rozšířené čipy pochází z let 2015 a 2013.

Microsoft na nepříjemné zprávy reagoval odstraněním mitigací pro jednu ze tří zranitelných oblastí, které Meltdown a Spectre zasahují.

„Naše vlastní zkušenost je, že nestabilita systému může v určitých případech způsobit ztrátu dat,“ potvrzuje v podpůrném dokumentu k nové aktualizaci Microsoft. „Zatímco Intel testuje, aktualizuje a nasazuje nový mikrokód, my zpřístupňujeme aktualizace KB4078130, který specificky ruší mitigaci CVE-2017-5715 ‚Branch target injection vulnerability‘. V našem testování se ukázalo, že tato aktualizace popsané chování blokuje.“

Aktualizace je dostupná pro všechny dosud podporované verze Windows, tedy 7, 8.1, 10 a související Windows Server edice. Spolu s tím Microsoft zveřejnil klíče, které IT administrátorům umožňují v registrech libovolně aktivovat či deaktivovat vybrané mitigace Spectre a Meltdown zranitelností.

Společnost Microsoft dále doporučuje uživatelům, aby poté, co Intel oznámí vyřešení problémů, uživatelé zablokované mitigace znovu povolili.

Tenable, Cylance Disclose Revenue Metrics
30.1.2018 securityweek IT
Cybersecurity solutions providers Tenable and Cylance this week shared financial metrics for 2017, with both privately-held companies showing strong revenue growth.

Cylance reported revenue of more than $100 million last year, which the company says represents a year-over-year growth of 177 percent.

The company’s AI-powered endpoint protection and threat detection solutions are used by over 3,800 enterprises, including 87 percent of Fortune 500 firms. Cylance’s customers include The Gap, Dell, Panasonic, Noble Energy, the National Hockey League Players Association, United Service Organizations (USO), and Partners In Health.

Cylance has raised more than $170 million in funding, including $20 million in February 2014, $42 million in June 2015, and $100 million in June 2016.

When announcing its financial results, Cylance highlighted that its growth rate and the time it took the company to reach $100 million in annual revenue surpassed other cybersecurity firms, including Palo Alto Networks, FireEye, Symantec and CyberArk.

Tenable announced record billings of more than $250 million in 2017, which it says represents a 45 percent growth. The company has attributed this success to strong performance in North America, Europe and Asia. The fourth quarter of 2017 was the seventh consecutive quarter of greater than 40 percent year-over-year billings growth.

As for revenue, Tenable reported $189 million for the 12-month period that ended on December 31, 2017, which represents over 50 percent growth.

Tenable, makers of vulnerability scanners and software solutions that help find network security gaps, has more than 24,000 customers across 160 countries. The list includes more than 50 percent of Fortune 500 companies, over 20 percent of Global 2000 firms, and the ten largest tech companies in the U.S.

Tenable recently announced a partnership with Siemens that aims to provide asset discovery and vulnerability management solutions for industrial networks.

Tenable has raised more than $300 million, including $250 million in November 2015 and $50 million in September 2012.

RELX Group to Acquire Fraud Fighting Firm ThreatMetrix for $815 Million
30.1.2018 securityweek IT

RELX Group, a provider of b2b Information and analytics services, announced on Monday that it has agreed to acquire fraud detection firm ThreatMetrix for £580 million (approximately $815 million) in cash.

Founded in 2005, San Jose, Calif.-based ThreatMetrix’s technology analyzes connections among devices, locations, identity information and threat intelligence, and combines the data with behavioral analytics to identify high-risk transactions in real time.

“ThreatMetrix has built the largest digital identity network that can determine when an individual’s credentials are being used by cybercriminals in real time, which enables businesses to better understand the global footprint of stolen identities,” Alisdair Faulkner, chief products officer at ThreatMetrix, said in 2015 when the company launched its ThreatMetrix Digital Identity Network.

The company says the network currently analyzes more than 100 million transactions per day across 35,000 websites from 5,000 customers.

According to a report published by ThreatMetrix in mid-2017, the United States was the world's primary target for cyber fraud attacks, and Europe has emerged as the major source of attacks, now accounting for 50% more attacks than the US. The report also found that growth in attacks was outpacing the growth of transactions; and that in a 90-day period, 130 million fraud attacks were detected.

Accoding to the company, ThreatMetrix will become part of Risk & Business Analytics, which under the LexisNexis Risk Solutions brand addresses fraud and authentication challenges by "applying advanced analytics to physical identity attributes, including identity credentials, addresses and asset ownership."

LexisNexis Risk Solutions has an existing partnership with ThreatMetrix, as ThreatMetrix’s device intelligence solutions are already integrated into its Risk Defense Platform.

“Further integration of ThreatMetrix’s capabilities in device, email and social intelligence will build a more complete picture of risk in today’s global, mobile digital economy, providing both physical and digital identity solutions,” the company said.

ThreatMetrix has raised more than $90 million in funding, including $20 million in Series E funding in March 2014, $30 million in growth funding from Silicon Valley Bank in October 2016, and $12.1 million in 2010.

The transaction is expected to close during the first half of 2018.

Cisco Patches Critical Code Execution Flaw in Security Appliances
30.1.2018 securityweek
Cisco informed customers on Monday that updates released for its Adaptive Security Appliance (ASA) software patch a critical vulnerability that can be exploited to gain full control of devices or cause them to reload.

The security hole, tracked as CVE-2018-0101 and assigned a CVSS score of 10, allows a remote and unauthenticated attacker to execute arbitrary code or cause a denial-of-service (DoS) condition.

The flaw exists in the Secure Sockets Layer (SSL) VPN functionality of the ASA software. If this “webvpn” feature is enabled on a device, an attempt to double free a memory region occurs. A remote attacker can trigger the bug by sending specially crafted XML packets to a webvpn-configured interface.

Several security appliances using ASA software are affected, including 3000 Series Industrial Security Appliances (ISA), ASA 5500 security appliances and firewalls, ASA services modules for Catalyst 6500 series switches and 7600 series routers, ASA cloud firewalls, ASAv virtual appliances, and various Firepower devices.

Cisco has released fixes for each of the affected ASA releases, except for ones that are no longer supported.

Cisco is not aware of any malicious attacks exploiting this flaw, but its product security incident response team (PSIRT) “is aware of public knowledge of the vulnerability.”

Cedric Halbronn, the NCC Group researcher who reported the weakness to Cisco, will disclose its details on February 2 at the Recon Brussels 2018 conference.

Researchers at NCC Group have been investigating Cisco ASA devices and their firmware, and they have released a series of tools and blog posts dedicated to analyzing ASA firmware and finding vulnerabilities.

The experts started analyzing Cisco’s ASA software following the discovery of two critical vulnerabilities back in 2016, namely the IKEv1/IKEv2 buffer overflow tracked as CVE-2016-1287, and CVE-2016-6366, which Cisco identified following the release of an Equation Group exploit by the Shadow Brokers hacker group.

Security Explorations Launches New Research Program
30.1.2018 securityweek Safety
After 10 years of conducting complex research often without expecting any monetary rewards, Poland-based Security Explorations has now decided to launch a commercial offering that gives organizations the chance to gain exclusive or non-exclusive access to the company’s most interesting and unique projects.

Security Explorations is known for conducting in-depth research into digital satellite platforms, Nokia phones, and Java, including Java SE, Oracle Java Cloud Service and the Java VM in Oracle Database, Apple Quicktime for Java, and Google App Engine for Java. The firm’s findings - a total of more than 200 vulnerabilities - were reported to the respective vendors and in many cases made public.

Google did award the company $100,000 following the discovery of more than 30 vulnerabilities in the search giant’s App Engine product. However, Security Explorations said most of its research so far was done pro bono in an effort to raise awareness of flaws that put both users and vendors at risk.

In addition to its on-demand security analysis service, Security Explorations has now decided to launch a Security Research Program (SRP) that allows organizations to obtain access to the results of complex and unique research conducted by the company.Security Explorations launches Security Research Program

The first research offered through the SRP targets digital video broadcasting (DVB) devices from STMicroelectronics. The vendor’s products were analyzed several years ago as part of Security Explorations’ analysis of digital satellite TV platforms. Security Explorations believes STMicroelectronics, which exited the set-top box business two years ago, and other vendors have done little to address vulnerabilities, leaving devices at risk of attacks and failing to prevent premium TV piracy.

According to Security Explorations, its research into STMicroelectronics chipsets can be useful to other companies in this industry as it can help them identify the presence of vulnerabilities, develop patches, and conduct further security research.

Companies interested in Security Explorations research offered via the SRP can opt for an exclusive purchase (EP) and become the owner of the research material - the information will not be provided to anyone else from that point on - or they can choose the access only (AO) option and obtain a copy of the materials. Both options provide access to research reports, proof-of-concept (PoC) code, and tools, and Security Explorations is prepared to provide clarifications if needed, but the offer does not include ongoing support.

In the case of the STMicroelectronics research, pricing for the AO option is 50,000 EUR (roughly 62,000 USD). Information on pricing for exclusive purchases is only provided under a non-disclosure agreement (NDA).

“Each material released as part of our SRP program is separately priced,” Adam Gowdiak, CEO and founder of Security Explorations, told SecurityWeek. “The final price depends on the complexity of the research process and the amount of hours dedicated by Security Explorations to complete it. The impact of discovered vulnerabilities is also taken into account.”

“For our first material, the SRP AO price is less than the offers we have received for reverse engineering work of some PayTV solutions. The SRP EP price is set to be a fraction of the costs of replacing vulnerable ST chipsets / STB devices still deployed to the market,” Gowdiak added. “In general, SRP AO will be below the costs of conducting a given research (it should be always more attractive to purchase access to SRP material than to engage its own resources / achieve given research results on its own).”

Gowdiak says his company is currently working on two undisclosed projects, one of which will be released to the public for free, while the other one will be offered through the new program. He says the goal of the new offering is to help fund the firm’s non-commercial research.

Security Explorations will typically pick its research targets and once the analysis has been completed the company will announce it on its website and reach out to potentially interested parties. The vendor whose products have been analyzed can acquire exclusive rights to the materials to ensure that it cannot fall into the wrong hands, it can acquire access to the research, or ignore the report and instead work on improving the security of its products on its own.

“While the latter does not warrant that vulnerabilities or exploitation techniques targeted by SRP get found or remediated, the net effect should be always positive: a vendor putting additional resources into security, new weaknesses being discovered and fixed, flawed products being recalled/replaced from the market,” Security Explorations said.

Gowdiak has described the new offering as an alternative to bug bounty programs and security evaluations - with some significant differences.

“For Bug Bounties, a researcher decides about a target, a vendor decides about a reward (if any). For a consulting work, a customer decides about a target, a provider decides about a price for security evaluation services. For SRP, we decide both about a target and a price for our work,” Gowdiak explained.

The advantages of this approach for the company conducting the research include not being “the vendor’s hostage for consulting gigs and bug bounties,” which results in unbiased and independent research, and eliminating the issues that can arise during the disclosure process, Gowdiak said.

Security Explorations has reserved the right to deny access to any organization to its research, but the company has admitted that it has no way of enforcing its license terms and ensuring that its findings are not abused.

Tech Support Scammers Fined in US, Jailed in UK
30.1.2018 securityweek
Ohio Attorney General Mike DeWine and the Federal Trade Commission (FTC) announced Monday that operators of a nationwide computer repair scam have been banned from the tech support business as part of settlements with the FTC and Ohio.

Commonly known as the 'tech support scam', repair fraud has become a global problem. A Microsoft survey with details published in October 2017 suggests that 2 out of 3 people have experienced a tech support scam in the last 12 months.

One in five U.S. respondents to this survey reported losing money to the scammers. "Since 2014," wrote Microsoft Assistant General Counsel Courtney Gregoire in an associated blog, "Microsoft has supported law enforcement agencies across the country who took legal action against known fraudsters responsible for approximately $165 million in consumer losses."

The scam attempts to engage victims in a telephone discussion about their computer, and to persuade them that it has problems that can be fixed for a price. In the current case, the scammers first caused pop-ups to appear on their victims' computers resembling security alerts from well-known technology companies. These are usually Apple and Microsoft.

ESET senior research fellow David Harley (who has been monitoring support scams for many years), calls them "opportunistic SEO-friendly ads claiming to be from real vendor helplines."

The false alerts claimed the computers had been breached by a virus or hacker, and urged the 'victims' to call a toll-free number for assistance. Telemarketers then took over and asked for remote access to the 'infected' computer. They then ran 'diagnostic tests' that falsely claimed to find major problems that could be solved through the purchase of a one-time fix or a long-term service plan that would cost hundreds of dollars.

The FTC filed a complaint in Ohio last year as part of an ongoing campaign called Operation Tech Trap. The defendants were Repair All PC LLC; Pro PC Repair LLC; I Fix PC LLC; WebTech World LLC; Online Assist LLC; Datadeck LLC; I Fix PC (also doing business as Techers 247, I Fix PC, and I Fix PC 247); Jessica Marie Serrano; Dishant Khanna; Mohit Malik; Romil Bhatia; Lalit Chadha; and Roopkala Chadha.

The settlements announced Monday resolve the case. The defendants have been barred from offering tech support products or services, whether genuine or fraudulent, and misrepresenting their affiliation with another company. Perhaps more to the point, the settlements also impose a $12.4 million judgement that will be suspended upon payment by the defendants of a total of $122,376.

"This scheme affected people in Ohio and across the country, and we were pleased to work with the Federal Trade Commission to shut it down," said Attorney General DeWine. "Scams regularly cross state and national borders, so this kind of collaboration is an important part of protecting consumers."

In the UK, the National Trading Standards (NTS) announced on Friday that Narendra Harilal Vadgama (age 56) has been sentenced to 12 months in prison (reduced to 9 months on a guilty plea) for a very similar offense. "Mr Vadgama's victims were targeted through cold-calling or with computer pop-ups," said the NTS. "In many of the cold-calls Mr Vadgama's company gained the trust of their victims by falsely claiming to be computer technicians from companies like Microsoft. They then claimed that the victim's computer had been compromised or their routers had been hacked or infected and needed urgent action to stop the victim's computer or data from being compromised."

Vadgama was discovered following a joint investigation by NTS, Microsoft, the UK's National Fraud Intelligence Bureau and Leicestershire police. "This case demonstrates precisely why public-private partnership is critical to tackling modern day fraud operating at global scale," commented the City of London Police's Commander Dave Clark (the national coordinator for economic crime). "Partnerships like this are increasingly being used and should send a warning to criminals that the UK is increasingly becoming a hostile environment to commit fraud in."

Whether individual successes against the support tech criminals in both the U.S. and the UK will have any great effect on the overall crime rate is a different matter. "How effective the FTC's ruling will be in practice is another question," Harley told SecurityWeek. "I suspect that it will do little to discourage the many other companies executing similar spams (though we can always hope). While there may be individual call-center operatives who don't realize that they're executing a scam -- they're not always the sharpest knives in the drawer -- I imagine that the companies who employ them are usually fully cognizant from day one. Even if the FTC sanctions are sufficiently scary to stop them operating in the same way, I suspect that there's little to stop them cashing out and/or regrouping."

Ultimately, the best defense against tech support scams is heightened user awareness. Reputable firms like Apple and Microsoft and (especially in the UK, BT) simply do not cold call their customers. Interestingly, the Microsoft survey figures suggest that aged consumers are not, as one might expect, either the prime targets or main victims. According to Microsoft, 50% of its respondents "who continued with a fraudulent interaction" were millennials aged between 18 and 34. Only 17% were over 55.

Security professionals should make sure that both their children and their parents are aware of this scam.

[Update] The FTC has just announced that it is sending 3,791 checks averaging around $176 (a total of $668,000) to victims of a tech support scam action that was settled in May 2017. Part of the settlement included turning over financial assets to the FTC. "These are legitimate checks," says the announcement. "The FTC never requires consumers to pay money or provide account information to cash a refund check."

Interestingly, the FTC also issued a warning today on a different scam: an email claiming to be Secretary Tillerson announcing a $1.8million government refund, provided the recipient sends him $320 plus personal information.

FTC law enforcement actions provided more than $6.4 billion dollars in refunds to consumers between July 2016 and June 2017.

ATM Jackpotting Attacks Strike in U.S.
30.1.2018 securityweek Hacking
Hackers have been targeting automated teller machines (ATMs) in the United States to make them spill out cash using an attack technique known as “jackpotting.”

As part of the attacks, individuals with physical access to the machines connect to them and “install malware, or specialized electronics, or a combination of both to control the operations of the ATM,” The United States Secret Service revealed in a warning issued on Friday.

The attackers targeted stand-alone ATMs located in pharmacies, big box retailers, and drive thru ATMs, the alert reads. Both individual suspects and large organized groups (both local and international organized crime syndicates) are engaged in such attacks.

“The Secret Service recently obtained credible information about planned jackpotting attacks in the U.S. through partners of our Electronic Crimes Task Force (ECTF). Subsequently, we alerted other law enforcement partners and financial institutions who could potentially be impacted by this crime,” the Secret Service warning (PDF) reads.

“The two most common ways to implement jackpotting are via Trojans and Blackbox attacks,” Sergey Golovanov, Principal Security Researcher at Kaspersky Lab, explained in an email to SecurityWeek.

When performing jackpotting via Trojans, the attackers connect a flash drive or a CD-ROM to upload the malware to the ATM, or attempt to compromise the machine via the network, Golovanov said.

“The second scenario, Blackbox, assumes that third party equipment (such as a laptop, or raspberry pie) is connected to the cash dispenser, which is responsible for collecting the money and cashing it out to the client,” Golovanov continued.

These and other compromise methods were detailed by Kaspersky Lab researchers in an interview with SecurityWeek at the DefCamp conference in Bucharest late last year.

Specific protection methods exist for both jackpotting attack methods, but ultimately it’s up to the bank to implement them or not, Golovanov said.

Although they have been long observed in Europe and Asia, jackpotting attacks haven’t targeted U.S. ATM operators until earlier this month. As part of the recently observed attacks, miscreants relied on the Blackbox technique to drain the cash from the ATMs.

In addition to the Secret Service, ATM vendors such as NCR and Diebold Nixdorf also sent out alerts last week, security blogger Brian Krebs reported.

“NCR confirms the matters reported by Brian Krebs, and had previously issued its own alert and guidance on this situation. NCR regularly and actively works with our financial solutions customers to address the security and fraud issues that impact this industry,” Owen Wild, security marketing director, NCR, told SecurityWeek via email.

“NCR has received reports from the U.S Secret Service and other sources of logical (jackpot) attacks on ATMs in the US. While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue. This represents the first confirmed cases of losses due to logical attacks in the US,” the company’s last week alert, which was shared with SecurityWeek, reads.

The company also provided guidance on how ATM deployers could protect their machines against these attacks and mitigate any consequences.

SecurityWeek has also contacted Diebold Nixdorf for comment, but haven’t heard back yet.

In the U.S., the attackers appear to be mainly targeting the Opteva 500 and 700 series ATMs from Diebold. With the help of an endoscope, they look inside the cash machine to locate ports to connect a laptop that contains a mirror image of the ATMs operating system, Krebs reports.

The Ploutus.D malware is also said to have been used in these attacks. Ploutus was first discovered in 2013 targeting ATMs in Mexico, and by 2014 it could also be used to withdraw cash using SMS messages.

Ploutus.D was first detailed in January last year, observed as part of attacks where money mules would open the top portion of the ATM, connect to the machine’s internals, and wait for activation codes from the actor in charge of the operation. Mainly targeting Diebold ATMs, the malware could easily be repurposed to hit machines from 40 different vendors in 80 countries.

Even unsophisticated attackers can defraud an ATM, David Vergara, Head of Global Product Marketing, VASCO Data Security, told SecurityWeek in an emailed comment. Anyone can become “a professional thief in this segment with a modest investment in cash,” Vergara says. He also urges banks to look “at and beyond reader devices and hidden cameras” when it comes to securing ATMs.

"With banks’ focus on digital channels, like ATM and mobile, to drive down costs and better serve customers, it’s no surprise that cybercrime is following. The relatively low-tech skimming attacks still represent the vast majority of ATM losses, but more coordinated attacks using physical access to the machine (i.e. master key and keyboard) along with more sophisticated malware are enabling much bigger paydays for hackers,” Vergara said.

Three Dutch banks and Tax Agency under DDoS Attacks … is it a Russian job?
30.1.2018 securityaffairs

Three Dutch Banks (ABN AMRO, ING Bank, Rabobank) and Tax Agency were targeted by a coordinated DDoS Attacks a few days the revelation of the Russian APT Hack.
Early this week a massive DDoS attack targeted three Dutch banks, ABN AMRO, ING Bank, Rabobank, and the Dutch Taxation Authority (Belastingdienst).

The attack against the system of ABN AMRO started over the weekend, while both ING Bank and Rabobank suffered coordinated DDoS attacks on Monday.
while the other two banks were hit on Monday.
The DDoS attacks caused severe accessibility problems to the bank infrastructure, they prevented customers from accessing the web services.

The attack against the Dutch Tax Authority prevented taxpayers filing tax-related documents.


Who is behind the attack?

According to security experts from ESET, the origins of the attacks are servers in Russia.

“The DDoS attacks that hit ABN Amro, ING and Rabobank over the weekend and on Monday, came from servers in Russia, according to security company ESET. The company adds that this does not automatically mean that the perpetrators are also in Russia, the Telegraaf reports.” states NL Times.

“The perpetrators used a so-called botnet – an army of hijacked computers and smart devices – to commit the DDoS attacks. Using the program Zbot, they remotely ordered these devices to visit a certain site en masse, thereby overloading the site’s server and crashing the site. The command and control servers are mainly in Russia, ESET determined.”

It is difficult to attribute the attack to a specific threat actor. anyway, the cybersecurity expert Richey Gevers noted that the attacks came a few days after the story of the Cozy Bear hack operated by the Dutch Intelligence Agency AIVD. According to Gevers, the DDoS attack peaked 40 Gbps in volume of traffic.

Rickey Gevers
Hey fellow DFIR people. Jan 25th the story broke the Dutch Intelligence Agency AIVD hacked Cozy Bear. At this moment critical Dutch infra is under (40Gbps) DDoS attack. Has anyone seen infected clients/network traffic performing a DDoS attack on Dutch infra? Please let me know.

7:51 PM - Jan 29, 2018
5 5 Replies 67 67 Retweets 57 57 likes
Twitter Ads info and privacy
The expert also added that the attackers powered the attacks using a botnet composed of home routers.

29 Jan

Replying to @UID_
What are the source IPs? IoT devices?

Rickey Gevers
The banks are not sharing much info. But they said some IPs look like routers. Thats all I know.

9:20 PM - Jan 29, 2018
Replies Retweets 2 2 likes
Twitter Ads info and privacy

The Ministry of Justice and Security called the attacks on the Dutch institutions very advanced, according to BNR. “But for example Dutch banks are known in Europe for having their cyber security in order. You often see that this provokes more advanced attacks. We are now fighting at a very high level”, the Ministry said. The Ministry can’t yet say who is behind these attacks.

Researchers from ESET claimed the attackers used the Zbot malware, a very old threat based on the infamous ZeuS banking trojan.

According to BNR, even is the malware is not complex, the Ministry of Justice and Security has classified the attacks on the Dutch institutions as very complex

“But for example Dutch banks are known in Europe for having their cyber security in order. You often see that this provokes more advanced attacks. We are now fighting at a very high level”, the Ministry said. The Ministry can’t yet say who is behind these attacks.

Crooks target ATMs with Ploutus-D malware, these are the first confirmed cases of Jackpotting in US
30.1.2018 securityaffairs Hacking

Cybercriminals are targeting ATM machines in the US forcing them to spit out hundreds of dollars with ‘jackpotting‘ attacks.
According to a senior US Secret Service official, the organization has managed to steal more than $1m from ATM machines using this technique.

Once crooks gain physical access to the ATM, they will infect it with a malware or specialized electronics that is designed to instruct the machine to deliver money in response to specific commands.

The jackpotting technique was first proposed by white hat hacker Barnaby Jack in 2010.


The popular investigator Brian Krebs obtained an alert issued by ATM maker manufacturers Diebold Nixdorf this month, the company warns of an ongoing campaign conducted by a gang in the US.

“On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as “logical attacks,” hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they’d heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.” wrote Krebs.

“On Jan. 26, NCR sent an advisory to its customers saying it had received reports from the Secret Service and other sources about jackpotting attacks against ATMs in the United States.”

“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” the NCR alert reads. “This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

The crooks are infecting the ATM with the Ploutus-D malware, the vendor warns that Opteva 500 and 700 series machines are particularly vulnerable to these attacks.

These attacks are the first confirmed cases of jackpotting attacks against ATMs in the US. Jackpotting attacks were already reported in Europe, in May 27 people have been arrested by the Europol for jackpotting attacks on ATM across many countries in Europe.

Ploutus is one of the sophisticated ATM malware that was first discovered in Mexico back in 2013. The malicious code allows crooks to steal cash from ATMs using either an external keyboard attached to the machine or by sending it SMS messages.

In January, experts at FireEye Labs have discovered a new version of the Ploutus ATM malware, the so-called Ploutus-D, that works the KAL’s Kalignite multivendor ATM platform.

The experts observed the Ploutus-D in attacks against ATM of the vendor Diebold, but the most worrisome aspect of the story is that minor changes to the malware code could allow Ploutus-D to target a wide range of ATM vendors in 80 countries.


The alert issued by Secret Service explains that the cybercriminals use an endoscope to inspect the internal parts of the ATM searching for the place where they can attach a cord that allows them to sync their laptop with the ATM’s computer.


Diebold Nixdorf urges the improvement of physical security for ATMs, especially for those located in public places such as malls and pharmacies. Also, tightening the security configuration of the firmware is recommended.

The alert issued by Secret service recommends to limit physical access to the ATM machines and implement protection mechanisms for cash modules (i.e. Use firmware with latest security functionality. use the most secure configuration of encrypted communications incl. physical authentication).

Cisco ASA software is affected by a flaw with 10 out of 10 severity rating. Patch it asap
30.1.2018 securityaffairs

Cisco released security updates to address a critical security vulnerability, tracked as CVE-2018-0101, in Cisco ASA software
Cisco addressed a critical security flaw, tracked as CVE-2018-0101, in Adaptive Security Appliance (ASA) software.

The vulnerability could be exploited by a remote and unauthenticated attacker to execute arbitrary code or trigger a denial-of-service (DoS) condition causing the reload of the system.

The vulnerability was discovered by the researcher Cedric Halbronn from NCC Group, he will disclose technical details on February 2 at the Recon Brussels 2018 conference.

The flaw resides in the Secure Sockets Layer (SSL) VPN feature implemented by CISCO ASA software.

According to CISCO, it is related to the attempt to double free a memory region when the “webvpn” feature is enabled on a device. An attacker can exploit the vulnerability by sending specially crafted XML packets to a webvpn-configured interface.

“A vulnerability in the Secure Sockets Layer (SSL) VPN functionality of the Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code.” reads the security advisory published by CISCO.

“The vulnerability is due to an attempt to double free a region of memory when the webvpn feature is enabled on the Cisco ASA device. An attacker could exploit this vulnerability by sending multiple, crafted XML packets to a webvpn-configured interface on the affected system. An exploit could allow the attacker to execute arbitrary code and obtain full control of the system, or cause a reload of the affected device.”

Below the list of affected CISCO ASA products:

3000 Series Industrial Security Appliance (ISA)
ASA 5500 Series Adaptive Security Appliances
ASA 5500-X Series Next-Generation Firewalls
ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
ASA 1000V Cloud Firewall
Adaptive Security Virtual Appliance (ASAv)
Firepower 2100 Series Security Appliance
Firepower 4110 Security Appliance
Firepower 9300 ASA Security Module
Firepower Threat Defense Software (FTD)
The vulnerability was introduced in Firepower Threat Defense 6.2.2 that implemented the remote access VPN feature since September 2017.

Cisco has addressed the vulnerability by issuing security updates for each of the affected CISCO ASA software that are still supported by the company.

The Cisco Product Security Incident Response Team (PSIRT) is aware of public knowledge of the vulnerability, but Cisco confirmed that it is not aware of any attacks in the wild that are exploiting this vulnerability.

Heat Map Released by Fitness Tracker Reveals Location of Secret Military Bases
30.1.2018 thehackernews BigBrothers

Every one of us now has at least one internet-connected smart device, which makes this question even more prominent —how much does your smart device know about you?
Over the weekend, the popular fitness tracking app Strava proudly published a "2017 heat map" showing activities from its users around the world, but unfortunately, the map revealed what it shouldn't—locations of the United States military bases worldwide.
Strava which markets itself as a "social-networking app for athletes" publicly made available the global heat map, showing the location of all the rides, runs, swims, and downhills taken by its users, as collected by their smartphones and wearable devices like Fitbit.
Since Strava has been designed to track users’ routes and locations, IUCA analyst Nathan Ruser revealed that the app might have unintentionally mapped out the location of some of the military forces around the world, especially some secret ones from the United States.
With a total of one billion activities logged on the Strava's activity map, it is a whole lot of useful data from all over the world.
Although Strava's publicly available activity map was live as of November 2017, Ruser recently noticed that the map includes the fitness routes of army soldiers and agents in secret base locations, including U.S. military bases in Afghanistan and Syria, a suspected CIA base in Somalia and even Area 51.

Besides American military bases, the map also revealed the UK's RAF Mount Pleasant airbase in the Falkland Islands, Lake Macphee and Gull Island Pond, among others. Russian bases have also been showed up by the Strava data.
What's more? Security experts on Twitter have also discovered potentially sensitive American military bases in Somalia, Afghanistan and Syria; secret Russian military bases in Ukraine; a secret missile base in Taiwan, as well as an NSA base in Hawaii.
Ruser said that the map allowed him to find out regular jogging routes for military personnel, which is bad news for security, as it establishes reliable "pattern of life" information that would otherwise be secret from the rest of the world.
"If soldiers use the app like normal people do, by turning it on tracking when they go to do exercise, it could be especially dangerous. This particular track looks like it logs a regular jogging route. I shouldn't be able to establish any Pattern of life info from this far away," Ruser tweeted.
Should Strava be blamed entirely for this revelation?
Strava said its heat map is based only on publically available data, and the company does offer a private mode that allows its users to turn off data sharing outside of the app.
However, it appears that many American and foreign military personnel using the app were sharing the confidential information publicly—perhaps without the knowledge or realising the implication, which is terrible.
What's even worse?
A security researcher told the Washington Post that this publically available data could even help enemy forces plan an "attack or ambush U.S. troops in or around the bases."
To make things even worse, some experts have also found ways to deanonymize the Strava heatmap, identifying individuals and their location where they have been exercising.
Strava has reminded its users that they could turn off location services for the app and that the map does not include private activities or areas deemed private.
"Our global heat map represents an aggregated and anonymised view of over a billion activities uploaded to our platform," Strava said in a statement. "It excludes activities that have been marked as private and user-defined privacy zones. We are committed to helping people better understand our settings to give them control over what they share."
The incident is a great reminder for people, especially for those working in or around sensitive locations, to turn off location sharing services for everything.
Moreover, militaries should also consider limiting smartphones and wearables use in sensitive areas as well as educate their soldiers on the importance of privacy.

Someone Stole Almost Half a BILLION Dollars from Japanese Cryptocurrency Exchange
30.1.2018 thehackernews CyberCrime

Coincheck, a Tokyo-based cryptocurrency exchange, has suffered what appears to be the biggest hack in the history of cryptocurrencies, losing $532 million in digital assets (nearly $420 million in NEM tokens and $112 in Ripples).
In 2014, Mt Gox, one of the largest bitcoin exchange at that time, filed for bankruptcy after admitting it had lost $450 million worth of Bitcoins.
Apparently, the cryptocurrency markets reacted negatively to the news, which resulted in 5% drop in Bitcoin price early this morning.
In a blog post published today, the Tokyo-based cryptocurrency exchange confirmed the cyber heist without explaining how the tokens were stolen, and abruptly froze most of its services, including deposits, withdrawals and trade of almost all cryptocurrencies, except Bitcoin.
Coincheck also said the exchange had even stopped deposits into NEM cryptocurrencies, which resulted in 16.5% drop in NEM coin value, as well as other deposit methods including credit cards.
During a late-night press conference at the Tokyo Stock Exchange, Coincheck Inc. co-founder Yusuke Otsuka also said that over 500 million NEM tokens (then worth around $420 million) were taken from Coincheck's digital wallets on Friday, but the company didn’t know how the tokens went missing, according to new source Asahi.
The digital-token exchange has already reported the incident to the law enforcement authorities and to Japan's Financial Services Agency to investigate the cause of the missing tokens.
"We will report on the damage situation and cause of the case, measures to prevent recurrence, but first we would like you to take every possible measure to protect our customers," said Executives of the Financial Services Agency (translated).
This incident marks yet another embarrassing hack in the world of digital currency technology, once again reminding us that the volatility in cryptocurrency prices is not going away anytime soon.
So far, the exchange has not provided any official statement regarding the cause of this hack. We will keep you updated about this incident. Stay Tuned!

Nearly 2000 WordPress Websites Infected with a Keylogger
30.1.2018 thehackernews

More than 2,000 WordPress websites have once again been found infected with a piece of crypto-mining malware that not only steals the resources of visitors' computers to mine digital currencies but also logs visitors' every keystroke.
Security researchers at Sucuri discovered a malicious campaign that infects WordPress websites with a malicious script that delivers an in-browser cryptocurrency miner from CoinHive and a keylogger.
Coinhive is a popular browser-based service that offers website owners to embed a JavaScript to utilise CPUs power of their website visitors in an effort to mine the Monero cryptocurrency.
Sucuri researchers said the threat actors behind this new campaign is the same one who infected more than 5,400 Wordpress websites last month since both campaigns used keylogger/cryptocurrency malware called cloudflare[.]solutions.
Spotted in April last year, Cloudflare[.]solutions is cryptocurrency mining malware and is not at all related to network management and cybersecurity firm Cloudflare. Since the malware used the cloudflare[.]solutions domain to initially spread the malware, it has been given this name.
The malware was updated in November to include a keylogger. The keylogger behaves the same way as in previous campaigns and can steal both the site's administrator login page and the website's public facing frontend.

If the infected WordPress site is an e-commerce platform, hackers can steal much more valuable data, including payment card data. If hackers manage to steal the admin credentials, they can just log into the site without relying upon a flaw to break into the site.
The cloudflare[.]solutions domain was taken down last month, but criminals behind the campaign registered new domains to host their malicious scripts that are eventually loaded onto WordPress sites.
The new web domains registered by hackers include cdjs[.]online (registered on December 8th), cdns[.]ws (on December 9th), and msdns[.]online (on December 16th).
Just like in the previous cloudflare[.]solutions campaign, the cdjs[.]online script is injected into either a WordPress database or the theme's functions.php file. The cdns[.]ws and msdns[.]online scripts are also found injected into the theme's functions.php file.
The number of infected sites for cdns[.]ws domain include some 129 websites, and 103 websites for cdjs[.]online, according to source-code search engine PublicWWW, though over a thousand sites were reported to have been infected by the msdns[.]online domain.
Researchers said it's likely that the majority of the websites have not been indexed yet.
"While these new attacks do not yet appear to be as massive as the original Cloudflare[.]solutions campaign, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection. It’s possible that some of these websites didn't even notice the original infection," Sucuri researchers concluded.
If your website has already been compromised with this infection, you will require to remove the malicious code from theme's functions.php and scan wp_posts table for any possible injection.
Users are advised to change all WordPress passwords and update all server software including third-party themes and plugins just to be on the safer side.

Hard-coded Password Lets Attackers Bypass Lenovo's Fingerprint Scanner
30.1.2018 thehackernews Safety

Lenovo has recently rolled out security patches for a severe vulnerability in its Fingerprint Manager Pro software that could allow leak sensitive data stored by the users.
Fingerprint Manager Pro is a utility for Microsoft Windows 7, 8 and 8.1 operating systems that allows users to log into their fingerprint-enabled Lenovo PCs using their fingers. The software could also be configured to store website credentials and authenticate site via fingerprint.
In addition to fingerprint data, the software also stores users sensitive information like their Windows login credentials—all of which are encrypted using a weak cryptography algorithm.
According to the company, Fingerprint Manager Pro version 8.01.86 and earlier contains a hard-coded password vulnerability, identified as CVE-2017-3762, that made the software accessible to all users with local non-administrative access.
"Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in," the company said in its advisory, giving brief about the vulnerability.


The vulnerability impacts Lenovo ThinkPad, ThinkCentre and ThinkStation laptops, and affects more than two dozen Lenovo ThinkPad models, five ThinkStation Models and eight ThinkCentre models that run Windows 7, 8 and the 8.1 operating systems.
Here's the full list of Lenovo devices compatible with Fingerprint Manager Pro and impacted by the vulnerability:
ThinkPad L560
ThinkPad P40 Yoga, P50s
ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
ThinkPad W540, W541, W550s
ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
ThinkPad X240, X240s, X250, X260
ThinkPad Yoga 14 (20FY), Yoga 460
ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
ThinkStation E32, P300, P500, P700, P900
Lenovo has credited security researcher Jackson Thuraisamy with Security Compass for discovering and responsibly reporting the vulnerability.
The popular Chinese computer manufacturer strongly recommends its ThinkPad customers to update their devices to Fingerprint Manager Pro version 8.01.87 or later to address the issue. You can also head on to the company's official website to do so.
Since Microsoft added native fingerprint reader support with Windows 10 operating system, thus eliminating the need for the Fingerprint Manager Pro software, Lenovo laptops running Windows 10 are not impacted by the vulnerability.

Intel reportedly alerted Chinese companies before US Government about Meltdown and Spectre flaws
30.1.2018 securityaffairs  BigBrothers

According to the Wall Stree Journal, Intel reportedly alerted Chinese companies before US Gov about Meltdown and Spectre vulnerabilities.
There is no peace for Intel, according to a report published by The Wall Street Journal the company warned Chinese tech giants about the Meltdown and Spectre vulnerabilities before notifying them to the US government.

Citing unnamed people familiar with the matter and some of the companies involved, The WSJ revealed that the list of Chinese companies includes Lenovo and Alibaba.

It is not clear when Intel notified the flaw to Lenovo, but a leaked memo from Intel to computer makers suggests the company reported the issues to an unnamed group of on November 29 via a non-disclosure agreement. The same day, the Intel CEO Brian Krzanich sold off his shares.

Last week, French tech publication LeMagIT’s Christophe Bardy disclosed the first page of the “Technical Advisory” issued by the Intel Product Security Incident Response Team.

Of course, security experts speculate the companies might have passed this information to the Chinese Government, but Alibaba spokesman refused any accusation.

I personally believe that the Chinese Government was informed by the companies about the Meltdown and Spectre vulnerabilities and it is disconcerting that the US intelligence agencies neither US CERTs were not aware of the flaws.

Meltdown Spectre patches

We also know that the Meltdown flaw is easy to exploit, this means that it is likely that threat actors might have triggered it to extract passwords and other sensitive data from a target machine. The situation is worrisome in cloud-computing environments were many customers share the same servers, in this scenario an attacker can launch a Meltdown attack to steal info belonging to other clients with applications hosted on the same server.

El Reg reached Intel for a comment, below the reply of the chip vendor:

“The Google Project Zero team and impacted vendors, including Intel, followed best practices of responsible and coordinated disclosure. Standard and well-established practice on initial disclosure is to work with industry participants to develop solutions and deploy fixes ahead of publication. In this case, news of the exploit was reported ahead of the industry coalition’s intended public disclosure date at which point Intel immediately engaged the US government and others.” states the El Reg.

Let me close with this eloquent Tweet published by security journalist Zach Whittaker:

Zack Whittaker

This is grade A crap. Several people told me Meltdown/Spectre's planned disclosure was set for Jan. 9 but was revealed on Jan. 3 after a PoC came out. Based on WSJ, Intel was going to tell the US gov. only a week before disclosure?! It knew since June!

8:39 PM - Jan 28, 2018 · Manhattan, NY

#ThinkBeyond – Security solutions from market leaders may all fail in your particular environment
30.1.2018 securityaffairs Security

Buying solutions proposed by analyst firms without carefully analyzing your organization expose it to cyber threats. It’s time to #ThinkBeyond this broken paradigm.
The cybersecurity market is expected to double by 2022, analysts estimated the growth could reach three hundred thousand dollars, at a Compound Annual Growth Rate (CAGR) of 11.0%. In the same period, the number of cyber attacks are expected to increase, hackers will adopt new sophisticated techniques while the surface of attacks of companies and organizations is enlarging due to the adoption of paradigms such as the Internet of Things, Cloud computing, and mobile computing.

Another important element that will characterize the next months it the adoption of new regulations and directives, such as the GDPR and the NIS directive, that will influence the evolution of the market.

Businesses will face the “perfect storm,” the ideal condition for security firms that continue to develop new solutions designed to cover a specific portion of the market instead of responding to the real needs for cyber security of their customers.

The increasing number of successful cyber attacks and the daily security breaches reported by experts demonstrate that most of the companies are still far from an adequate security posture.

In origin it was mainly a problem of awareness on cyber threats, but now the critical issue is represented by the ability of businesses and decision makers in buying security solutions that match their needs.

The purchase of a new security solution or a service is often driven by the recommendations of analysts that produce any kind of report to influence the final decision of the management and the IT staff.

The emulation is part of the human nature, for C-Level personnel is easy to select their business partners by choosing them from the companies listed in authoritative studies and publications such as the Gartner Magic Quadrant.

Evidently, this approach is not sufficient to ensure the resilience to cyber attacks of a modern business.

In many cases the same security companies suggested by these reports were involved in embarrassing incidents, this is the case of the accountancy firm Deloitte that was awarded as the best Security Consulting Services providers by Gartner, but that was victims itself of a sophisticated hack that compromised its global email server in 2016.

These studies could influence a blind and an unaware choice of security solutions, they could give businesses a false sense of security.

It is absurd to compose a security infrastructure only by implementing the recommendations of the analyst firms while the events in the threat landscape demonstrate that such an approach is ruinous.

A model of cyber security driven by profits could not be effective against cyber threats. Threat actors rapidly and continuously change their Tactics, Techniques, and Procedures (TTPs ), and security industry is not able to follow them.

Security investments should be measured by the amount of cyber risk mitigated per dollar spent, only in this way it is possible to evaluate real enhancement of the resilience of an architecture while adding new components to the mosaic.

Before deciding to read a report from major analyst companies that suggest products from IT giants, it is essential for any organization to assess and prioritize all cyber risks and business processes.

The risk assessment must involve as many stakeholders, this is the best way to protect our infrastructure from several threat actors.

Once all the risks are identified and prioritized, the company will have to mitigate them by using systems inside their infrastructure and eventually integrating them with proper solutions. Instruments like Gartner’s Magic Quadrant could help companies to select vendors with a filtrated vision of the market, however, we cannot forget that security solutions from market leaders may all fail in a particular environment.

The adoption of security solutions that are recognized by the analysis as leading products of the cyber security industry will not protect our organizations for multiple reasons.

The reality is disconcerting, in most of the security breaches the attackers were able to bypass the stack of security solutions deployed by the victims to defend their infrastructure.

We cannot continue to build our defence implementing a model of cyber security that is imposed by a restricted number of firms. From the attacker’s perspective, #ThinkBeyondit is easy to predict the type of defence measures in place and adopt the necessary changes in their attack chain.

Don’t forget that threat actors continuously monitor our infrastructure and companies need to avoid in providing points of reference that could be the starting points for their offensive.

The choice of the components for the infrastructure of a company must be driven by an objective analysis of the context in which they operate and carefully considering the evolution of cyber threats.

Security solutions must be user-friendly, overly-complex systems make it hard to use. Another problem related to the choice of security products and services is related to the capability of the organization in processing their output of the defence systems. In a real scenario, cyber security analysts often miss the vast majority of alerts and warnings because of the huge volume of information generated by security solutions.

Most of the leading security firms urge a layered approach in cyber security, but what happens if these layers are not able to “correctly” exchange information each other, or in a worst scenario there are affected by vulnerabilities that can be triggered to compromise the security of the overall architecture.

Building a layered defense system doesn’t mean to simply put together the security products and service suggested by prominent studies, but the analysis must go beyond.

The integration is the most complicated part in setting up a security infrastructure, every time the IT staff intends to add another piece to their cyber barricade it needs to carefully understand the way various components interact and which are the behavior of the resulting system.

Buying solutions proposed by analyst firms will not protect the organizations, spending more doesn’t necessarily mean you will be secure, this must be clear to anyone that works to increase the resilience of its systems to cyber attacks. It’s time to #ThinkBeyond this broken paradigm.

Dridex banking Trojan and the FriedEx ransomware were developed by the same group
30.1.2018 securityaffairs

Security researchers from ESET have tied another family of ransomware, dubbed FriedEx (aka BitPaymer), to the authors of the Dridex Trojan.
The Dridex banking Trojan that has been around since 2014, it was involved in numerous campaigns against financial institutions over the years and crooks have continuously improved it.

In April 2017, millions of people were targeted by a phishing campaign exploiting a Microsoft Word 0day and aimed to spread the Dridex Banking Trojan, a few days ago security researchers at Forcepoint spotted a new spam campaign that is abusing compromised FTP servers as a repository for malicious documents and infecting users with the Dridex banking Trojan.

Now, security researchers from ESET have tied another strain of ransomware, dubbed FriedEx (aka BitPaymer), to the authors of the Dridex Trojan.

FriedEx was first spotted in July, and in August it was responsible for infections at NHS hospitals in Scotland.

The FriedEx ransomware was involved in attacks against high profile targets, researchers believe it was delivered via Remote Desktop Protocol (RDP) brute force attacks.

The ransomware encrypts each file using a randomly generated RC4 key that is then encrypted with a hardcoded 1024-bit RSA public key.

“Initially dubbed BitPaymer, based on text in its ransom demand web site, this ransomware was discovered in early July 2017 by Michael Gillespie. In August, it returned to the spotlight and made headlines by infecting NHS hospitals in Scotland.” states the analysis published by ESET.

“FriedEx focuses on higher profile targets and companies rather than regular end users and is usually delivered via an RDP brute force attack. The ransomware encrypts each file with a randomly generated RC4 key, which is then encrypted using the hardcoded 1024-bit RSA public key and saved in the corresponding .readme_txt file.”

The analysis of FriedEx code revealed that many similarities with Dridex code.

For example, the Dridex and FriedEx binaries share the same portion of a function used for generating UserID, the experts also noticed that the order of the functions in the binaries is the same in both malware families, a circumstance that suggests the two malware share the same codebase.


“It resolves all system API calls on the fly by searching for them by hash, stores all strings in encrypted form, looks up registry keys and values by hash, etc. The resulting binary is very low profile in terms of static features and it’s very hard to tell what the malware is doing without a deeper analysis.” states ESET.

Both Dridex and FriedEx use the same packer, but experts explained that the same packer is also used by other malware families like QBot, Emotet or Ursnif also use it.

Another similarity discovered by the researchers is related to the PDB (Program Database) paths included in both malware. PDB paths point to a file that contains debug symbols used by vxers to identify crashes, the paths revealed the binaries of both threats are compiled in Visual Studio 2015.

The experts also analyzed the timestamps of the binaries and discovered in many cases they had the same date of compilation, but it is not a coincidence.

“Not only do the compilations with the same date have time differences of several minutes at most (which implies Dridex guys probably compile both projects concurrently), but the randomly generated constants are also identical in these samples. These constants change with each compilation as a form of polymorphism, to make the analysis harder and to help avoid detection.” continues the analysis.

The experts concluded that FriedEx was developed by the Dridex development team, they believe that the criminal gang not only will continue to improve the banking Trojan but it will also follow malware “trends” developing their own strain of ransomware.

Microsoft Disables Spectre Mitigations Due to Instability
30.1.2018 securityweek 
Out-of-band Windows updates released by Microsoft over the weekend disable mitigations for one of the Spectre attack variants as they can cause systems to become unstable.

Both microcode and software updates designed to address the Spectre and Meltdown vulnerabilities have turned out to be buggy, often making systems unbootable or causing them to reboot more frequently. Intel has suspended its patches until the issue is resolved and advised customers to stop deploying the updates.

HP, Dell, Lenovo, VMware, Red Hat and others had paused the patches and now Microsoft has done the same.

The problem appears to be related to CVE-2017-5715, which has been described as a “branch target injection vulnerability.” This is one of the flaws that allows Spectre attacks, specifically Spectre Variant 2 attacks.

Microsoft has confirmed that Intel’s patches cause system instability and can in some cases lead to data loss or corruption. Update KB4078130 released by the company over the weekend for Windows 7, Windows 8.1 and Windows 10 – for both clients and servers – disables the mitigation for CVE-2017-5715.

The company has also provided instructions for advanced users on how to manually enable and disable Spectre Variant 2 mitigations through registry settings.

“As of January 25, there are no known reports to indicate that this Spectre variant 2 (CVE 2017-5715 ) has been used to attack customers. We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device,” Microsoft said in its advisory.

Microsoft quickly released mitigations for Meltdown and Spectre after the attack methods were disclosed, but the company’s own updates were also buggy. Shortly after it had started rolling them out, Microsoft was forced to suspend patches for devices with AMD processors due to instability issues.

The Spectre and Meltdown vulnerabilities allow malicious applications to bypass memory isolation mechanisms and access sensitive data. The Meltdown attack relies on one vulnerability, tracked as CVE-2017-5754, but there are two main variants of the Spectre attack, including CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2).

Meltdown and Variant 1 of Spectre can be patched efficiently with software updates, but Spectre Variant 2 requires microcode updates for a complete fix.

Intel, AMD and Apple face class action lawsuits over the Spectre and Meltdown vulnerabilities. However, Intel does not appear too concerned that the incident will affect its bottom line – the company expects 2018 to be a record year in terms of revenue.

Exercise Tracking App Reveals Details of Military Sites
30.1.2018 securityweek  BigBrothers
A map showing paths taken by users of an exercise tracking app reveals potentially sensitive information about American and allied military personnel in places including Afghanistan, Iraq and Syria.

While some bases are well known to groups that want to attack them, the map also shows what appear to be routes taken by forces moving outside of bases -- information that could be used in planning bombings or ambushes.

The map, made by Strava Labs, shows the movements of its app users around the world, indicating the intensity of travel along a given path -- a "direct visualization of Strava's global network of athletes," it says.

Routes are highlighted over large parts of some countries, but in others, specific locations stand out.

The map of Iraq is largely dark, indicating limited use of the Strava app, but a series of well-known military bases where American and allied forces have been deployed as part of their war against the Islamic State (IS) group are highlighted in detail.

These include Taji north of Baghdad, Qayyarah south of Mosul and Al-Asad in Anbar Province. Strava%20heatmap%20exposes%20military%20sites%20-%20credits%3A%20Tobias%20Schneider


Smaller sites also appear on the map in northern and western Iraq, indicating the presence of other, lesser-known installations.

Stretches of road are also highlighted, indicating that Strava users kept their devices on while traveling, potentially providing details about commonly-taken routes.

In Afghanistan, Bagram Airfield north of Kabul is a hive of activity, as are several locations in the country's south and west.

- Opting out an option -

Tobias Schneider, a security analyst who was among the group of people who highlighted the military bases shown on the map, noted that it shows military sites in Syria and Iraq as well as the Madama base used by French forces in Niger.

"In Syria, known Coalition (i.e. US) bases light up the night. Some light markers over known Russian positions, no notable coloring for Iranian bases," Schneider wrote on Twitter.

US troops are deployed in support of local forces battling IS in Syria as well as Iraq, while Russian and Iranian units are backing President Bashar al-Assad's Syria government in that country's civil war.

"A lot of people are going to have to sit thru lectures come Monday morning," Schneider wrote, referring to soldiers likely to be taken to task for inadvertently revealing sensitive information while trying to keep in shape.

"Bases are fixed & hard to conceal," he wrote, so the "biggest potential threat is to tracking movement."

The US Department of Defense said it is "reviewing" the situation.

"Recent data releases emphasize the need for situational awareness when members of the military share personal information," Major Audricia Harris, a Pentagon spokeswoman, told AFP.

"DoD takes matters like these very seriously and is reviewing the situation to determine if any additional training or guidance is required, and if any additional policy must be developed to ensure the continued safety of DoD personnel at home and abroad," Harris said.

The Pentagon "recommends limiting public profiles on the internet, including personal social media accounts," she said.

The issue could have been fairly easily avoided. According to Strava, "athletes with the Metro/heatmap opt-out privacy setting have all data excluded" from the mapping project.

Top Dutch Banks, Revenue Service Hit by Cyber Attacks
30.1.2018 securityweek 
The top three banks in the Netherlands have been targeted in multiple cyber attacks over the past week, blocking access to websites and internet banking services, they said on Monday.

The Dutch Revenue Service was also briefly targeted on Monday by a similar attack, but services were quickly restored, a spokesman said.

The number one Dutch bank, ING, was hit by a so-called distributed denial of service (DDoS) attack on Sunday evening while the eurozone nation's third largest lender, ABN Amro, suffered three attacks over the weekend in a total of seven over the last week, Dutch media reported.

Rabobank, the country's number two lender, saw its internet banking services go down on Monday morning.

"We have been targeted by a DDoS attack since 9.10 am (0810 GMT) this morning (Monday) and our clients don't have access or very little access to online banking," Rabobank spokeswoman Margo van Wijgerden said. "We are working to resolve the problem as quickly as possible," she told AFP.

Also on Monday, the Dutch Revenue Services saw its website go down for about 10 minutes due to an attack, spokesman Andre Karels said.

"Things are running as normal and we are investigating the incident," Karels told AFP.

ING, which has some eight million private clients, experienced an attack on Sunday evening, it said on its website.

"During the DDoS attack ING's internet site was blasted with data traffic causing our servers to overload and which put pressure on the availability of online banking," ING said, adding services had been restored.

ABN Amro experienced a similar attack but also said services were restored. It will "keep monitoring availability and is extra alert since the weekend's attacks," it said in a statement.

The banks all stressed that clients' banking details were not compromised or leaked.

It is not the first time Dutch banks were targeted in a DDoS attack with central bank chief Klaas Knot telling a TV news programme Sunday there were "thousands of attacks a day" on his own institution.

"I think these (recent) attacks are serious, but our own website is being attacked thousands of times per day," Knot told the Buitenhof talk show. "That is the reality in 2018," he said.

*UPDATED with brief cyber attack on Dutch Revenue services

phpBB Website Served Malicious Packages
30.1.2018 securityweek 
The developers of the free and open source forum software phpBB informed users over the weekend that the official website had served malicious files for roughly three hours on Friday.

According to phpBB staff, the download URLs for two packages, namely version 3.2.2 of the full package and the automatic updater package for 3.2.1 to 3.2.2, pointed to a third-party server. Users who downloaded one of these packages between 12:02 PM and 15:03 PM UTC on January 26 likely obtained the malicious version.

phpBB hacked

It’s unclear how the links were replaced, but phpBB noted that the “point of entry was a third-party site” and the attack did not exploit any vulnerabilities in the phpBB software or website.

The modified packages contain malicious code designed to load JavaScript from a remote server. The domain hosting that JavaScript code is now controlled by phpBB, which neutralizes the attack.

“We can additionally say that due to the limited window during which the packages were live, we estimate the total number of affected downloads does not exceed 500,” the phpBB team said in a security alert.

Users who believe they have downloaded the malicious packages have been advised to check the validity of the file by comparing its SHA256 hash to the one listed on the downloads page.

Users who have already installed one of the compromised packages can file an incident report and the phpBB team will help them remove the malicious code.

This is not the first time malicious actors have targeted phpBB. Back in 2009, hackers managed to obtain 400,000 email addresses belonging to phpBB users after exploiting a vulnerability in the email marketing tool phpList.

In 2014, phpBB shut down its network and asked users to change their passwords after hackers breached several of its servers.

Dridex Authors Build New Ransomware
30.1.2018 securityweek 
The authors of the infamous Dridex banking Trojan have created a sophisticated ransomware family, ESET warns.

Around since 2014, Dridex has been one of the most prolific financial threats over the past several years, and the actors behind it have been constantly adopting new techniques, improving their malware, and changing resources to ensure increased efficiency.

Thus, it did not come too much as a surprise when the Locky ransomware was tied to Dridex two years ago, when ransomware was booming. Locky became a top threat fast, catching a lot of attention from the security community as well, and its developers attempted alternatives such as Bart in 2016 and Jaff in May 2017.

Now, security researchers have tied yet another ransomware family to the Dridex authors, namely FriedEx, which is also known as BitPaymer.

This ransomware was initially discovered in July 2017 and made it to the headlines in August, when it infected NHS hospitals in Scotland.

Mainly focused on high profile targets and companies rather than end users, the malware is typically delivered via Remote Desktop Protocol (RDP) brute force attacks. Once it has managed to infect a system, the malware encrypts each file on it with a randomly generated RC4 key (which it then encrypts using a hardcoded 1024-bit RSA public key and saves it in a .readme_txt file).

While analyzing FriedEx, ESET discovered that it features code resemblance to Dridex. The ransomware also uses the same techniques as the banking Trojan, hiding as much information about its behavior as possible.

The malware “resolves all system API calls on the fly by searching for them by hash, stores all strings in encrypted form, looks up registry keys and values by hash, etc. The resulting binary is very low profile in terms of static features and it’s very hard to tell what the malware is doing without a deeper analysis,” ESET explains.

The researchers discovered that the very same part of a function used for generating UserID that is present across all Dridex binaries can be found in the FriedEx binaries as well. The order of the functions in the binaries is the same in both malware families, which suggests they use the same codebase or static library.

Both Dridex and FriedEx use the same malware packer, but that is not proof that they are connected, since other well-known families like QBot, Emotet or Ursnif also use it.

ESET also discovered that samples of both Dridex and FriedEx include PDB (Program Database) paths, which revealed that their binaries are being built in the same, distinctively named directory. The binaries of both Dridex and FriedEx are compiled in Visual Studio 2015.

Some binaries for both projects revealed the same date of compilation, and the researchers say this isn’t coincidence. The samples have time differences of several minutes at most and feature identical randomly generated constants (these constants change with each compilation to hinder analysis), which suggests they were probably built during the same compilation session.

“With all this evidence, we confidently claim that FriedEx is indeed the work of the Dridex developers. This discovery gives us a better picture of the group’s activities – we can see that the group continues to be active and not only consistently updates their banking Trojan to maintain its webinject support for the latest versions of Chrome and to introduce new features like Atom Bombing, but that it also follows the latest malware “trends”, creating their own ransomware,” ESET says.

UK Warns Critical Industries to Boost Cyber Defense or Face Hefty Fines
30.1.2018 securityweek  BigBrothers
The UK government has warned that Britain's most critical industries must boost their cybersecurity or face potentially hefty fines under the EU's Networks and Information Systems Directive (NISD).

The warning comes less than four months before the deadline for the NISD, adopted by the EU on July 6, 2016, to be transposed into EU member states' national laws (May 9, 2018, which aligns with the date for GDPR enforcement).

NISD is designed to ensure the security of network systems not already covered by the GDPR -- but its primary purpose is to ensure the security of the industries that comprise the critical infrastructure (such as power and water, healthcare and transport). These companies, or covered entities, are defined within the directive as 'operators of essential services' (OES), and 'digital service providers' (DSPs).

Since it is a Directive rather than a Regulation, the NIS Directive has some national flexibility in its implementation. For example, the UK government had earlier proposed that maximum fines under the directive should be between €10 million and €20 million or 2% to 4% of annual global turnover. It has now settled on a maximum fine of €17 million.

The government announcement on Sunday stems from its published response (PDF) to a public consultation it initiated in August 2017.

The UK has made it clear that a breach of an OES will not automatically trigger a fine. This will depend on the judgment of separate industry sector regulators, or competent authorities. The primary factor will be whether the breached OES/DSP has made adequate cyber security provisions -- in practice, this will probably depend upon how well the firm has implemented the 'NIS Directive: Top-level objectives' guidelines published by the National Cyber Security Centre (NCSC, part of GCHQ) Sunday. However, the government also states, "New regulators will be able to assess critical industries to make sure plans are as robust as possible."

The key part of the EU's NIS Directive is Article 14: Security requirements and incident notification. This specifies, "Member States shall ensure that operators of essential services take appropriate and proportionate technical and organizational measures to manage the risks posed to the security of network and information systems."

The NCSC guidelines say this can be implemented through conforming to four top-level objectives comprising 14 security principles. The top-level objectives are: managing security risk; protecting against cyber-attack; detecting cyber security events; and minimizing the impact of cyber security incidents. Each of the objectives is then broken into the series of sector-agnostic security principles. "Each principle," states the NCSC, "describes mandatory security outcomes to be achieved."

Only one of the four objectives takes the traditional view of cyber security: protecting against cyber-attack -- recognizing the difference between commercial and critical organizations. For the former, personal information and profitability are the primary motivations; for the latter, it is continuity (or recovery) of operation that is important. "This legislation clearly signals the move away from pure protection-based cybersecurity thinking," comments Steve Malone, director of security product management at Mimecast. "Robust business continuity strategies have never been more important to ensure organizations can continue to operate during an attack and get back up on their feet quickly afterwards."

The objective that concentrates on protection against a cyber-attack recognizes that technology is not a complete solution. For example, Principle B1 deals with policies and procedures. Principle B6 handles staff awareness and training. This latter is particularly welcomed by Stephen Burke, Founder and CEO at Cyber Risk Aware.

Noting that the critical infrastructure is actively targeted by nation state actors more than cyber criminals, he asks, "But how do nation states get in? The simple answer is through people. For example, the Saudi Aramco breach affected 35,000 machines and the attackers got in because a Saudi Aramco employee clicked on a link in a spear-phishing email and meant 10 percent of the world's supply was at risk.

"This emphasizes the fact that any institutions no matter how big they are and no matter how sophisticated their technical defenses are, they need to help staff and make them become aware of the cyber dangers they face as that’s how actors are going to breach defenses.”

But it isn't just about cyber-attacks and data loss. NISD "will also cover other threats affecting IT such as power outages, hardware failures and environmental hazards," says the government announcement. "Under the new measures recent cyber breaches such as WannaCry and high-profile systems failures would be covered by the Network and Information Systems (NIS) Directive.

"These incidents would have to be reported to the regulator who would assess whether appropriate security measures were in place. The regulator will have the power to issue legally-binding instructions to improve security, and – if appropriate – impose financial penalties."

This raises another issue. Most of the critical industries will have customer databases, and that could make them liable to GDPR as well as NISD, plus any existing sector-specific regulations. "Under this new legislation," warns Andy Miles, CEO of ThinkMarble, "companies could potentially be fined under the GDPR, the Government and by a regulator, so there is a risk of double or even triple jeopardy here."

The government's response document specifies the regulator (or 'competent authority') for the different critical sectors. This is often the government itself; that is, the relevant Secretary of State for that sector -- although it is the Information Commissioner (ICO) who is the competent authority for digital service providers just as with the GDPR. This could lead to confusion and lack of consistency since Secretaries of State change, and different enforcement levels could change rapidly in line with a changing political situation. "I believe that the NCSC, working alongside the ICO, should take the lead in putting these sanctions in place -- and the regulators should feed into them, not the other way around," suggests Miles.

There is a danger that NISD has simply been overshadowed by GDPR. There is concern that many of the covered entities will not be ready for its implementation in May 2018. Miles warns that "27% of respondents [to the governments consultation period] had no plans to implement further security measures, and 31% did not know if they would make any changes. This suggests that there is much still to be done in educating companies about the importance of protecting themselves from cyber-attacks."

Lorena Marciano, EMEAR data protection & privacy officer at Cisco, told SecurityWeek that organizations seen as privacy-immature experience far greater losses than those considered as privacy-mature. The implication, she said, is that NISD provisions, "shouldn’t be adopted for the single purpose of avoiding fines, but that organizations which are willing to go beyond the set compliances will reap the long-term financial benefits as well as protecting customer data.”

This means that the NCSC's guidelines should be considered as the base-line for critical industries, and that they should then go beyond them. The first step would clearly be a gap analysis between existing security controls and the NCSC's guidelines.

"Importantly, meeting those four objectives and 14 principles will demand a degree of cyber maturity that is far removed from prescriptive, compliance-based tick-box exercises," comments Robert Orr, cyber security principal consultant CNI, Context Information Security. "This means that [covered entities] will need to put as much emphasis on NIS as they should be putting on that other EU regulation, GDPR; not least because the level of fine for non-compliance is similarly punitive." That will require OES and DSPs to assess their existing cyber security and resilience, to identify any gaps in meeting the NIS outcomes, and to develop improvement plans to close those gaps -- and then go beyond them.

Phishing Pages Hidden in "well-known" Directory
30.1.2018 securityweek 
UK-based cybercrime disruption services provider Netcraft has spotted thousands of phishing pages placed by cybercriminals in special directories that are present on millions of websites.

In the past month, the company spotted more than 400 new phishing websites hosted in a folder named /.well-known/. This directory serves as a Uniform Resource Identifier (URI) path prefix that allows users and automated processes to obtain policy and other information about the host.

The /.well-known/ directory is commonly used to demonstrate ownership of a domain. The administrators of HTTPS-protected websites that use Automatic Certificate Management Environment (ACME) to manage SSL certificates place a unique token inside the /.well-known/acme-challenge/ or /.well-known/pki-validation/ folders to show the certificate issuer that they control the domain.

“Consequently, most of the phishing attacks that make use of the /.well-known/ directory have been deployed on sites that support HTTPS, using certificates issued by ACME-driven certificate authorities like Let's Encrypt and cPanel,” Netcraft’s Paul Mutton explained.


The /.well-known/ location can be a great place to hide a phishing page due to the fact that while the folder is present on millions of websites – mainly due to the success of ACME and Let’s Encrypt – many administrators are not aware of its presence.

Mutton noted that since there is a dot in front of the directory’s name, listing files using the ls command will not display it as files and folders that start with “.” are hidden. In an effort to make their phishing pages even more difficult to find, cybercriminals have placed them in subdirectories of /acme-challenge/ and /pki-validation/.

“Shared hosting platforms are particularly vulnerable to misuse if the file system permissions on the /.well-known/ directories are overly permissive, allowing one website to place content on another customer's website,” Mutton warned. “Some of the individual servers involved in these attacks were hosting ‘well-known’ phishing sites for multiple hostnames, which lends weight to this hypothesis.”

The expert pointed out that while /acme-challenge/ and /pki-validation/ are not the only well-known URIs, these are the only ones that have been used to host phishing sites.

Netcraft said it was not clear how malicious actors had hijacked the websites found to be hosting these phishing pages.

Researchers Connect Lizard Squad to Mirai Botnet
30.1.2018 securityweek  BotNet
Lizard Squad and Mirai, which are responsible for a series of notorious distributed denial of service (DDoS) attacks, are connected to one another, a recent ZingBox report reveals.

Lizard Squad is a hacking group known for some of the most highly publicized DDoS attacks in history, including the disruption of Sony PlayStation and Xbox Live networks. Over the past several years, multiple individuals suspected to have used Lizard Squad’s LizardStresser DDoS service have been arrested.

While the hacking group has been operating for several years, Mirai has been around for only one year and a half, making headlines in late 2016 following massive DDoS attacks against Brian Krebs’ blog and Dyn’s DNS infrastructure. The malware’s source code was made public within weeks of these attacks and numerous variants have emerged since.

Now, ZingBox researchers claim to have discovered evidence that links the Lizard Squad hackers and Mirai, including the common use of the same Ukraine hosting provider Blazingfast.

The Mirai source code, the researchers point out, was released nine days after Lizard Squad founder Zachary Buchta was arrested. According to them, the DDoS attack on Brian Krebs’ blog in late 2016 appears the result of the journalist’s criticism against Lizard Squad, and there are also references to Mirai on a Lizard Squad website.

Analysis of a domain associated with a Mirai-based malware campaign in late 2017 led the researchers to bigbotPein, a group linked to Lizard Squad. The analyzed domain was registered by an individual associated with Lizard Squad, a ZingBox report (PDF ) claims.

bigbotPein, a group that emerged in support to Buchta following his arrest, adopted Mirai as part of their Internet of Things arsenal and is currently targeting multiple architectures, including x86, x64, ARM, MIPS, SuperH, SPARC and ARC.

What’s more, the group has also added Ethereum and Monero miners to their malware portfolio, while also adopting increased sophistication, the security researchers say.

A Mirai-based campaign observed in October 2017 was pointing to the domain bigbotpein[.]com. The website’s Start of Authority (SOA) points to blazingfast[.]io, the Ukraine hosting provider that is also used by Mirai authors for the botnet control server, ZingBox says.

The security researchers claim they were also able to link the group to multiple Mirai variants out there, including Satori and Masuta. According to them, the Satori campaign was initially called Okiru and was using the control[.]almahosting[.]ru and network[.]bigbotpein[.]com domains.

Starting with mid-January 2018, all the domains related to Lizard Squad and bigbotPein switched to US-base ISPs (Rackspace and Search Guide), which suggests a clear connection between the two groups.

Two other Mirai variants observed last year include Masuta and Memes. The former, detailed only this month, targeted x86, ARM and MIPS architectures. The latter appears to be the work of the same author and might be an evolution of Masuta.

The malware code, ZingBox claims, includes a “structure previously identified in July 2017 related to Lizard Squad.” This code allows the malware to hide and decode second stage payload in memory. Both an Ethereum dropper variant linked to Lizard Squad and Masuta/Memes use this same code structure.

Other evidence linking Lizard Squad and Mirai include the dropping of a file from bigbotPein domain control[.]almahosting[.]ru as part of a Satori campaign in November 2017, leading to the Monero Stratum miner.

A Satori variant observed in early January 2018 was employing an extra level of obfuscation, along with the s[.]sunnyjuly[.]gq domain, and pointing to the use of an Etherum miner for Windows, although the initial attack vector, however, targeted the MIPS architecture.

“During this research, we witnessed firsthand the evolving complexity of the different variants of Lizard Squad and bigbotPein group’s malware within a span of one year […]. The Lizard Squad and bigbotPein groups used to be very active creating most of the well-known variants of Mirai,” ZingBox’ report reads.

“Despite the courageous efforts of our law enforcement agencies to identify and tear down various hacking groups, the collaboration between groups makes it extremely difficult to completely shut down their efforts for good. Arrests of high-profile members and founders of such groups certainly slows down their momentum, but organizations can’t take their foot off the gas when it comes to being vigilant about the security of their network,” Xu Zou, CEO and co-founder, ZingBox, said.

Lenovo Addresses Hardcoded Password in Fingerprint Manager
30.1.2018 securityweek 
Computer maker Lenovo has updated Fingerprint Manager Pro for Windows 7, 8, and 8.1 to address several insecure credential storage issues in the software, including the presence of a hardcoded password.

Rated High severity and tracked as CVE-2017-3762, the vulnerability was discovered by Jackson Thuraisamy from Security Compass. An attacker attempting to exploit the issue could escalate their privileges on the local system.

The flaw only impacts Lenovo Fingerprint Manager Pro, a utility for Windows 7, 8, and 8.1 that has been designed to help users log into their PCs or authenticate to configured websites by means of fingerprint recognition.

The bug resides in the use of a weak algorithm when encrypting sensitive data stored by Fingerprint Manager Pro, such as users’ Windows logon credentials and fingerprint data, the company said in an advisory.

What’s more, the application was found to contain a hardcoded password and to be accessible to all users with local non-administrative access to the computer it is installed on.

According to Lenovo, the application may be installed on a large number of device models, including ThinkPad L560, P40 Yoga, P50s, T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560, W540, W541, W550s, X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT), X240, X240s, X250, X260, Yoga 14 (20FY), and Yoga 460; ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, and M93z; and ThinkStation E32, P300, P500, P700, P900.

The vulnerability has been addressed in Lenovo Fingerprint Manager Pro version 8.01.87. Owners of the aforementioned models should update to the new software release.

U.S. Floats Idea Nationalizing High-Speed Networks, Drawing Rebukes
30.1.2018 securityweek  BigBrothers
US officials have launched a debate on a proposal to nationalize the newest generation of high-speed wireless internet networks in the name of national security, provoking sharp criticism from across the political spectrum.

One official familiar with the proposal but not authorized to speak publicly told AFP the idea "has been discussed over the past couple of weeks" at the request of US national security officials.

The proposal was first reported by the news website Axios, citing a memo proposing government control of the newest and fastest part of the nation's mobile network -- the fifth generation, or 5G -- to guard against China's growing online capabilities.

Axios cited a memo by a senior official as contending that the US need to quickly deploy 5G because China is in a top position with the technology and "is the dominant malicious actor" online.

But the proposal -- which would run counter to the longstanding US policy of relying on private telecom networks -- drew immediate rebukes from the industry and even from US regulatory officials.

The official familiar with the proposal noted that "it's not hard to find people who think it's a dumb idea."

Industry leaders pointed out that the private sector is already in the process of building and deploying 5G systems, which will be important for a range of connected devices from appliances to self-driving cars.

The federal government stepping in would "slam the brakes" on momentum to deploy 5G, argued Jonathan Spalter, chief of USTelecom trade association.

"The best way to future-proof the nation's communications networks is to continue to encourage and incentivize America's broadband companies... in partnership with government, to continue do what we do best: invest, innovate, and lead," Spalter said in a statement.

Meredith Attwell Baker, president of the wireless industry group CTIA, added that while 5G is important, "the government should pursue the free market policies that enabled the US wireless industry to win the race to 4G."

Federal Communications Commission chairman Ajit Pai, whose agency regulates the telecom sector, also voiced strong opposition.

"Any federal effort to construct a nationalized 5G network would be a costly and counterproductive distraction from the policies we need to help the United States win the 5G future," Pai, a Republican, said.

Pai's Democratic colleague on the FCC, Mignon Clyburn, agreed, saying a network built by the federal government "does not leverage the best approach needed for our nation to win the 5G race."

Conservative advocacy group FreedomWorks also came out against the idea, arguing that the move would put the US on the same level as China in controlling online access.

FreedomWorks president Adam Brandon said, "We're not beating the Chinese if we sacrifice what makes our government so different from theirs."

Military personnel improperly used Fitness Strava Tracker exposed their bases
30.1.2018 securityaffairs BigBrothers

Military worldwide have publicly shared online their exercise routes recorded through the fitness tracker Strava revealing the fitness sessions conducted inside or near military bases
We discussed many times privacy risks related to IoT devices, here we are to discuss an alarming case, fitness tracker Strava revealed details of Military Bases.

American and allied military worldwide have publicly shared their exercise routes online revealing the fitness sessions conducted inside or near military bases, including Afghanistan, Iraq, and Syria.

This leak of information has happened because military personnel turned on their fitness Strava tracker while making exercises at the bases.

A map showing exercise routes recorded by users of a tracking app reveals sensitive information about military personnel in locations around the world, including Afghanistan, Iraq, and Syria.

Such kind of information could be used by enemies and terrorists to plan an attack.

Obviously while in some regions of the globe it is impossible to distinguish the activity of the military personnel, in other locations the routes immediately stand out.

For example, examining the map of Iraq you can notice that the entire region is dark, except for a series of well-known military bases used by the American military and its allies.

The list of the bases easy to locate thank to the map associated to the fitness tracker Strava includes Taji north of Baghdad, Qayyarah south of Mosul, Speicher near Tikrit and Al-Asad in Anbar Province and a number of minor sites highlighted in northern and western Iraq.

Searching for bases in Afghanistan, it is easy to locate the Bagram Air Field in the north of Kabul along with other smaller sites south of the country.


The movements of soldiers within Bagram air base – the largest US military facility in Afghanistan – Source BBC

Similarly, in Syria it is Qamishli in the northwest, a stronghold of US-allied Kurdish forces, is clearly visible.

Tobias Schneider, one of the security experts that discovered the map, shared details about the bases on Twitter, including the French Madama base in Niger.

27 Jan

Tobias Schneider

Replying to @tobiaschneider
Worth browsing a bit. Three positions around the US outpost at Tanf:

Tobias Schneider

My focus is on Syria, but obviously works all over. French military base Madama in Niger:

7:57 PM - Jan 27, 2018
View image on Twitter
7 7 Replies 174 174 Retweets 331 331 likes
Twitter Ads info and privacy
27 Jan

Tobias Schneider

Replying to @tobiaschneider
A lot of people are going to have to sit thru lectures come Monday morning.

Tobias Schneider

So much cool stuff to be done. Outposts around Mosul (or locals who enjoy running in close circles around their houses):

8:37 PM - Jan 27, 2018
View image on Twitter
10 10 Replies 187 187 Retweets 469 469 likes
Twitter Ads info and privacy
The researchers Nathan Ruser spotted also activities of Russians in Khmeimim.

27 Jan

Nathan Ruser
Replying to @Nrg8000
Not just US bases. Here is a Turkish patrol N of Manbij

Nathan Ruser
You can see the Russian operating area in Khmeimim, but also the guard patrol to the NE.

7:28 PM - Jan 27, 2018
View image on Twitter
3 3 Replies 77 77 Retweets 114 114 likes
Twitter Ads info and privacy
The good news is this issue could be easily fixed, Strava confirmed that “athletes with the Metro/heatmap opt-out privacy setting have all data excluded.”

The app allows users to set up “privacy zones,” that are areas where the Strava tracker doesn’t collect GPS info. These areas can be designed around the user’s home or work, but evidently, the military personnel ignored it.

A new report from MALWAREBYTES reveals a rise of 90% on ransomware detection in business
30.1.2018 securityaffairs

A new report from MALWAREBYTES titled “Malwarebytes Annual State of Malware Report” reveals a rise of 90% on ransomware detection in business.
The report brings to light new trends on hackers activities and threats especially the rise of ransomware as a tool of choice.

Researchers from MALWAREBYTES had gathered an enormous amount of data from the telemetry of their products, intel teams, and data science from January to November 2016 and to January to November 2017 to consolidate the evolution of the threat landscape of malware.

It is taken into account the tactics of infection, attack methods, development and distribution techniques used by hackers to target and compromise business and customers alike. There was a surge of 90% in ransomware detection for business customers in such way that it had become the fifth most detected threat. Regarding its modus operandi, the researchers found out a change in the distribution of malicious payloads, which includes banker Trojans and cryptocurrency miners.

Ransomware was on the rise, but it was not the only method employed by hackers. The report reveals that hackers had used banking trojans, spyware and hijackers to steal data, login credentials, contact lists, credit card data and spy on the user as an alternative way to compromise system security. The report discovered that hijackers detection grew 40% and spyware detection grew 30%. The report lists the Top 10 business threat detections with the five most significant threats being: Hijacker, Adware, Riskware Tool, Backdoor, and Ransomware respectively.

While the report covers a variety of threats, it emphasizes how malware outbreak had evolved. A game changer to the ransomware outbreak like WannaCry was the government exploit tool EternalBlue that was leaked and has been employed to compromise update processes and increased geo-targeting attacks. According to the report these tactics had been adopted to bypass traditional methods of detection.

The report highlights the delivery techniques utilized by ransomware due to the EternalBlue exploit tool leaked from NSA. The usage of this exploit tool was a ground break landmark to the development of WannaCry and NotPetya ransomware. The EternalBlue (CVE-2017-0144) is a vulnerability in Server Message Block (SMB) handling present in many Windows operating systems. WannaCry was able to widespread globally due to operating systems that were not properly updated.

The report dedicates a special attention to NotPetya ransomware, as it was influenced by ransomware Petya and WannaCry. This ransomware has used two Server Message Block (SMB) vulnerabilities: EternalBlue (CVE2017-0144) and EternalRomance (CVE-2017-0145) and was also able to encrypt the MFT (Master File Table) and the MBR (Master Boot Record) on affected systems. Other malware analyzed in the report, that used the leaked exploit tools from the NSA was: Adylkuzz, CoinMiner, and Retefe.

The researchers also unveil a new attack vector employed by hackers: Geo Targeting attacks. In this type of attack, groups of hackers or rogue nations employ a variety of techniques to disrupt, destabilize, or compromise data in specific countries. The Magniber malicious code targeted South Korea specifically and the BadRabbit had targeted Ukraine. Although NotPetya emerged in Ukraine its action was not limited within its borders.

Finally, the report brings forth to light trends based on data collected. Cyptocurrency miners already become a new threat with the recent news of a steal of bitcoins from Japan. Other trends to watch out this year in the report is the attacks on the supply chain, the increase of malware in MAC systems and leaks in government and in companies that will lead to new zero-day vulnerabilities

On Saturday Malwarebytes delivered a buggy update that caused excessive memory usage and crashes.
30.1.2018 securityaffairs

On Saturday Malwarebytes issued a buggy update to its home and enterprise products that caused serious problems for the users, including excessive memory usage, connectivity issues, and in some cases system crashes.
A buggy update rolled out over the weekend by Malwarebytes to its home and enterprise products caused serious problem for the users, including excessive memory usage, connectivity issues, and in some cases system crashes.

Malwarebytes issued the buggy update on Saturday morning (PST) and according to the security firm the software was only available only for 16 minutes before it removed it.

“On the morning of Saturday, January 27th, 2018 protection update v1.0.3798 was released for all versions of Malwarebytes for Windows. As endpoints updated to this release, customers noticed their machines were reporting many Internet block notifications, and a sudden large increase in RAM usage” reads the Root Cause Analysis published by Malwarebytes.

“There are detection syntax controls in place to prevent such events as the one experienced in this incident. Recently we have been improving our products so that we can show the reason for a block, i.e. the detection “category” for the web protection blocks. In order to support this new feature, we added enhanced detection syntaxes to include the block category in the definitions. The unfortunate oversight was that one of the syntax controls was not implemented in the new detection syntax, which cause the malformed detection to be pushed into production.”


Some users reported problems to their connections that were blocked by the security software after the installation of the buggy update. Another displeasing problems reported by the users is the abnormal memory usage, the process associated with the application had used up more than 10 Gb of the (RAM), in some cases were also observed system crashes.


Malwarebytes confirmed that the broken detection was present in the update version v1.0.3798 thru v1.0.3802. (v2018.01.27.03 – v2018.01.27.11
for MBES customers).

The buggy update was issued to all software versions for Windows, below the list of affected versions:

Malwarebytes for Windows Premium
Malwarebytes for Windows Premium Trial
Malwarebytes Endpoint Security (MBES)
Malwarebytes Endpoint Protection (Cloud Console)
The problem was addressed with the v1.0.3803 (v2018.01.27.12 for MBES customers).

Affected users can follow the recovery solutions published by the company to remove the buggy update and install the correct one.

The company remarked that it pushes tens of thousands updates routinely testing each one before it is distributed.

“We have pushed upwards of 20,000 of these protection updates routinely. We test every single one before it goes out. We pride ourselves on the safety and accuracy of our detection engines and will work to ensure that this does not happen again,” Malwarebytes stated following the incident.

Over the weekend Microsoft rolled out out-of-band updates to disable mitigations for Spectre v2 attacks
30.1.2018 securityaffairs

Over the weekend, Microsoft rolled out out-of-band updates to disable mitigations for one of the Spectre attack variants because they can cause systems to become unstable.
The situation is becoming embarrassing! Just after the release of the Meltdown and Spectre security updates Intel excluded any problems for their deployments citing testing activities of conducted by other tech giants.

At the same time, some companies were claiming severe issued, including performance degradation and in some cases crashes.

Last week, Intel changed its position on the security patches, it first published the results of the test conducted on the Meltdown and Spectre patches and confirmed that the impact on performance could be serious, then it recommended to stop deploying the current versions of Spectre/Meltdown patches.

Over the weekend, Microsoft rolled out out-of-band updates to disable mitigations for one of the Spectre attack variants because they can cause systems to become unstable.

“Our own experience is that system instability can in some circumstances cause data loss or corruption.” states the security advisory published by Microsoft.

“While Intel tests, updates and deploys new microcode, we are making available an out of band update today, KB4078130, that specifically disables only the mitigation against CVE-2017-5715 – “Branch target injection vulnerability.” In our testing this update has been found to prevent the behavior described.”

Microsoft was among the first companies that provided security updates for Meltdown and Spectre vulnerabilities, anyway, the patches caused severe issues to AMD architectures.

The decision follows the similar actions adopted by other tech giants like Red Hat, HP, Dell, Lenovo, VMware.

Microsoft and the companies above observed problems after the installation of the Spectre vulnerability (Variant 2, aka CVE-2017-5715, that is a branch target injection vulnerability) for this reason opted to revert previous patches.

While the Meltdown and Variant 1 of the Spectre attacks can be mitigated efficiently with software updates, the Spectre Variant 2 requires microcode updates to be fully addressed.

Intel published a technical note about the mitigation of the Spectre flaw, it addressed the issue with an opt-in flag dubbed IBRS_ALL bit (IBRS states for Indirect Branch Restricted Speculation).

The famous Linus Torvalds expressed in an email to the Linux Kernel mailing list his disappointment, he defined the Linux Spectre Patches “UTTER GARBAGE”

Microsoft confirmed that the patches issued by Intel cause system instability and can in some cases lead to data loss or corruption, for this reason, the company distributed over the weekend the Update KB4078130 for Windows 7, Windows 8.1 and Windows 10 that disables the mitigation for CVE-2017-5715.

The company has also provided detailed instructions for manually enable and disable Spectre Variant 2 mitigations through registry settings.

Microsoft said it is not aware of any attack in the wild that exploited the Spectre variant 2 (CVE 2017-5715 ).

“As of January 25, there are no known reports to indicate that this Spectre variant 2 (CVE 2017-5715 ) has been used to attack customers. We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device,” continues the advisory.

Malwarebytes Delivers Buggy Update to Home, Enterprise Users
29.1.2018 securityweek
A protection update pushed out over the weekend by Malwarebytes to its home and enterprise users caused serious problems, including Web connection issues, excessive memory usage, and even system crashes.

The problematic update was released on Saturday morning, Pacific Standard Time (PST), and it was only available for 16 minutes before Malwarebytes took action to stop it from being distributed. However, it was enough for the update to reach a significant number of devices protected by the security firm’s products.

“There are detection syntax controls in place to prevent such events as the one experienced in this incident. Recently we have been improving our products so that we can show the reason for a block, i.e. the detection ‘category’ for the web protection blocks,” Malwarebytes explained. “In order to support this new feature, we added enhanced detection syntaxes to include the block category in the definitions. The unfortunate oversight was that one of the syntax controls was not implemented in the new detection syntax, which caused the malformed detection to be pushed into production.”

Some users reported that their Web connections had been blocked and the process associated with the Malwarebytes application had used up more than 10 Gb of their random access memory (RAM), causing their systems to become very slow and even crash.

The buggy protection update, namely v1.0.3798, was sent out to all versions of Malwarebytes for Windows. The affected applications include Malwarebytes for Windows Premium, including the trial version, Malwarebytes Endpoint Security (MBES), and Malwarebytes Endpoint Protection (Cloud Console). The Mac, Android, and other apps were not impacted.

Malwarebytes has provided detailed instructions for both home and enterprise users on how to recover from this incident and install the correct update on their systems. Users who had their devices turned off when the buggy update was delivered should not be affected.

“We have pushed upwards of 20,000 of these protection updates routinely. We test every single one before it goes out. We pride ourselves on the safety and accuracy of our detection engines and will work to ensure that this does not happen again,” Malwarebytes stated following the incident.

This was not the first time a security solutions provider released an update that caused headaches for home users and system administrators. Other companies involved in similar incidents in recent years include Panda Security, ESET, and Webroot.

Microsoft Disables Spectre Mitigations Due to Instability
29.1.2018 securityweek

Out-of-band Windows updates released by Microsoft over the weekend disable mitigations for one of the Spectre attack variants as they can cause systems to become unstable.

Both microcode and software updates designed to address the Spectre and Meltdown vulnerabilities have turned out to be buggy, often making systems unbootable or causing them to reboot more frequently. Intel has temporarily suspended its patches until the issue is resolved and advised customers to stop deploying the updates.

HP, Dell, Lenovo, VMware, Red Hat and others had paused the patches and now Microsoft has done the same.

The problem appears to be related to CVE-2017-5715, which has been described as a “branch target injection vulnerability.” This is one of the flaws that allows Spectre attacks, specifically Spectre Variant 2 attacks.

Microsoft has confirmed that Intel’s patches cause system instability and can in some cases lead to data loss or corruption. Update KB4078130 released by the company over the weekend for Windows 7, Windows 8.1 and Windows 10 – for both clients and servers – disables the mitigation for CVE-2017-5715.

The company has also provided instructions for advanced users on how to manually enable and disable Spectre Variant 2 mitigations through registry settings.

“As of January 25, there are no known reports to indicate that this Spectre variant 2 (CVE 2017-5715 ) has been used to attack customers. We recommend Windows customers, when appropriate, reenable the mitigation against CVE-2017-5715 when Intel reports that this unpredictable system behavior has been resolved for your device,” Microsoft said in its advisory.

Microsoft quickly released mitigations for Meltdown and Spectre after the attack methods were disclosed, but the company’s own updates were also buggy. Shortly after it had started rolling them out, Microsoft was forced to suspend patches for devices with AMD processors due to instability issues.

The Spectre and Meltdown vulnerabilities allow malicious applications to bypass memory isolation mechanisms and access sensitive data. The Meltdown attack relies on one vulnerability, tracked as CVE-2017-5754, but there are two main variants of the Spectre attack, including CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2).

Meltdown and Variant 1 of Spectre can be patched efficiently with software updates, but Spectre Variant 2 requires microcode updates for a complete fix.

Intel, AMD and Apple face class action lawsuits over the Spectre and Meltdown vulnerabilities. However, Intel does not appear too concerned that the incident will affect its bottom line – the company expects 2018 to be a record year in terms of revenue.

Japan-based digital exchange Coincheck to refund to customers after cyberheist
29.1.2018 securityaffairs Incindent

Coincheck announced it will refund about $400 million to 260,000 customers after the hack, the company will use its own funds.
On Friday the news of the hack of the Japan-based digital exchange Coincheck caused the drop in the value of the major cryptocurrencies, the incident had a significant impact on the NEM value that dropped more than 16 percent in 24 hours.

The company suspended the operations of deposits and withdrawals for all the virtual currencies except Bitcoin, the exchange announced it was investigating an “unauthorised access” to the exchange.

According to the company, the hackers stole worth half a billion US dollars of NEM, the 10th biggest cryptocurrency by market capitalization.

The hackers stole 58 billion yen ($530 million), an amount of money that is greater than the value of bitcoins which disappeared from MtGox in 2014.

Coincheck was founded in 2012, it is one of the most important cryptocurrency exchange in Asia.

The company announced it will refund about $400 million to customers after the hack.

Coincheck will use its own funds to reimburse about 46.3 billion yen to its 260,000 customers who were impacted by the cyberheist.

“At 3 am (1800 GMT) today, 523 million NEMs were sent from the NEM address of Coincheck. It’s worth 58 billion yen based on the calculation at the rate when detected,” said Coincheck COO Yusuke Otsuka.

“We’re still examining how many of our customers are affected,”

Experts believe that the Financial Services Agency will to take disciplinary measures against Coincheck.

It has been estimated that as many as 10,000 businesses in Japan accept bitcoin and bitFlyer, nearly one-third of global Bitcoin transactions in December were denominated in yen.The Cryptocurrencies, and in particular Bitcoin, are very popular in Japan, in April, the Bitcoin was proclaimed by the local authorities as legal tender.

According to Japanese bitcoin monitoring site, in November, yen-denominated bitcoin trades reached a record 4.51 million bitcoins, or nearly half of the world’s major exchanges of 9.29 million bitcoin.

Japanese media criticized the company blaming the management to have underestimated the importance of security of its investor, they said Coincheck “expanded business by putting safety second”.

Politicians and experts that participated in the World Economic Forum in Davos issued warnings about the dangers of cryptocurrencies, it is expected that government will adopt further measures to avoid abuse and illegal uses of cryptocrurrencies.

Neutopte se v bezpečnostních datech

29.1.2018 SecurityWorld Bezpečnost
Mnoho firem si myslí, že vědí, co jsou klíče k jejich království a kde se nacházejí příslušné brány. Bohužel často zjišťují, že nejzávažnější narušení jejich výsostného území se často stane úplně někde jinde. Threat intelligence jim umožní mít bezpečnostní rizika i bezpečnostní programy pod kontrolou.

Organizace mohou například sledovat aktivity v bankomatech a uniknou jim jemné varovné signály procházející přes jejich centrální počítač, říká Sharon Vardi, marketingový šéf v Securonix. „Aniž si to uvědomují, nechávají firmy své korunovační klenoty napospas.“

Chceme-li vědět, co je nutné hlídat, je potřeba sbírat data k analýze a nechat někoho takovou analýzu vykonávat. Firmy však neuspějí, pokud neshromažďují a neanalyzují úplný datový proud – úspěch vyžaduje více než jen snímek z omezeného časového intervalu. Data se musejí shromažďovat předtím, během a poté, co dojde k záškodnické aktivitě.

„Podniky také musejí zahrnout data z celé sítě, z každého jednotlivého koncového bodu a potenciálně dokonce z externích a veřejných zdrojů umístěných vně sítě,“ vysvětluje Alan Hall, ředitel strategie ve firmě Blue Coat Systems. „V opačném případě budou reakce přinejlepším limitované.“

Nutný kontext

Schopnost reakce na incidenty je místo, kde mohou vznikat problémy. To vyžaduje získat kontext – informace nad rámec toho, co se nachází v nezpracované podobě. Kontext lze použít k identifikaci pokročilého či jinak skrytého útoku nebo kompromitace a poskytuje prostředky ke zjištění nejvhodnějšího způsobu reakce.

„K řádné správě bezpečnostních incidentů potřebují firmy nejen sběr dat, ale také jejich analýzu v reálném čase a ukládání těchto dat, aby je bylo možné použít později k nalezení souvislostí s novými daty proudícími v reálném čase,“ vysvětluje Travis Smith, výzkumník ve společnosti Tripwire. „Problémem je, že ukládání dat stojí peníze a správa a využití těchto dat mohou být také skutečným problémem.“

Realitou je, že bezpečnostní týmy, jež chtějí analyzovat protokoly, jsou vydané na milost vývojářům, kteří rozhodují o tom, co protokolovat a z jakých systémů. Tyto podrobnosti se často vestavějí do systémů (nebo přesněji řečeno se opomíjejí) už při jejich vývoji.

Bezpečnostní protokoly jsou však i tak jen špičkou ledovce. Skutečná podstata spočívá v zachytávání paketů v rámci celé sítě. Překonání této bariéry tvořené jen protokoly a přechod na zachytávání síťového provozu sice přinášejí firmám velké množství bezpečnostních dat, ale také další problém: „Data zabezpečení nejsou totéž co big data,“ vysvětluje Smith. „Jsou to morbidně obézní data.“

Normální osvědčené postupy pro ukládání dat počítají se 30 dny provozu, ačkoli některé oborové zásady vyžadují více a některá vládní nařízení dokonce ještě více. „Je to téměř nedbalost, když bezpečnostní tým funguje jen v režimu pohotovosti a nedokáže analyzovat kontext,“ dodává Hall.

Někdy je to více než jen otázka jak moc – mohla by to být také otázka jak: zákazníci se snaží od svých programů pro správu zabezpečení dostat to, co chtějí. „Bezpečnostní týmy buď nedostávají žádné výstrahy či příliš málo výstrah ... Nebo trpí vážnou přemírou výstrah a následným vyčerpáním,“ říká John Humphreys, viceprezident společnosti Proficio.

„Rozhodně zachytávejte svá data protokolů, ale směřujte svou pozornost nad rámec protokolů a využívejte také informace z interní sítě. Měli byste také provázat relace dohromady, zachytávat řetězce paketů a nakonec využívat plné zachytávání paketů,“ doporučuje Smith z Tripwiru.

Podle Vardiho by podniky měly uvážit také využití externích zdrojů dat, které se tradičně nepovažují za bezpečnostní údaje. To zahrnuje například aktivity na Facebooku, vyhledávače zaměstnání a další dostupné datové zdroje.

„Za těchto okolností je férové využívat data společnosti za pomoci zpravodajských kanálů z otevřených zdrojů,“ dodává Vardi. Tyto zdroje dat nemusejí vypadat jako bezpečnostní data, ale mohou dramaticky změnit kontext bezpečnostních dat a poskytnout firmám nový způsob, jak se dívat na svůj rizikový profil.

Samozřejmě je pro užitečnost threat intelligence nutné, aby byly zpravodajské kanály věrohodné a založené na spolehlivých zdrojích, jež zahrnují i ty vlastní interní. Existuje velké množství aplikací, které generují spoustu zdánlivě neškodných interních přenosů, z nichž většina je navržena pro sdílení dat, aby mohly firemní týmy dělat svou práci. Přesto není možné zahrnutí těchto zdrojů dat a kvalitu těchto dat opomíjet.

Výhradně interní síťové přenosy se totiž často ignorují nebo nedochází k jejich detekci, pokud se sledují jen systémové protokoly pro vniknutí a úniky dat. To je obvykle způsobené tím, že takové přenosy probíhají horizontálně uvnitř sítě a nikdy neprocházejí přes systémy, které nativně monitorují vniknutí, a ani při své cestě neputují přes hraniční firewall.

„Vniknutí a úniky nastávají jen tehdy, když přenosy zařízení vstupují do podnikové sítě nebo ji opouštějí,“ vysvětluje Carmine Clementelli, manažer divize PFU Systems ve společnosti Fujitsu. „Podobně také řídicí komunikace probíhá mimo síť pomocí externích dočasných webových stránek. Ve většině případů platí, že pokud najdete problém na této vrstvě, je už příliš pozdě.“

Jaký kontext hledat?

Když přijde otázka na určení kontextu, který se použije pro vyhledání hrozeb, jimž společnost čelí, a probíhajících útoků, je nutné vybrat jednu z následujících tří možností:

Nechat systém automaticky definovat kontext a doufat, že jeho dodavatelé definovali konfigurace a pravidla, tak „aby to fungovalo dobře“.
Použít svůj vlastní naučený kontext, který jste během času získali, a doufat, že své prostředí znáte dostatečně nebo alespoň tak dobře jako útočníci.
Definovat kontext za běhu způsobem ad hoc a pokoušet se k tomu použít data o hrozbách a podpůrné informace a pak se doslova modlit, abyste měli stále náskok a nestali se obětí únavy z nadmíry varování.

Anebo lze využít výhody bezpečnostní komunity a využívat oborové sady a oborové profily definované ostatními pro výběr a následné úpravy kontextu. „Bezpečnostní týmy potřebují pozorovat svůj IT život v realitě pomocí zkušeností jiných firem,“ tvrdí Humphreys a dodává, že právě to je dobrý způsob, jak pochopit skutečný kontext.

Co se týká lidí zevnitř, kteří by mohli krást data a posílat je konkurenci, spočívá kontext ve sledování toho, zda nějací zaměstnanci či smluvní dodavatelé nepřistupují k datům mimo obvyklý rámec, například častěji. Můžete také zachytit provoz, který ukazuje, že zaměstnanci sdílejí citlivé údaje mimo organizaci, například pomocí osobního e-mailového účtu nebo vyměnitelného USB disku.

Zaměstnance, který nedávno dostal nějaké špatné hodnocení, lze označit za ještě větší riziko. A pokud se například dodavatel (třetí strana) snaží několikrát přihlásit a přistupovat k systémům firmy mimo obvyklý rámec, může to být příznak, že se buď chová zle on sám, nebo že se stal obětí phishingového útoku.

Ale nejsou to jen lidé a systémy, co poskytují kontext. „Entitou může být také dokument,“ vysvětluje Vardi. „Chování dokumentu je stejně tak důležité sledovat. Kde se nachází? Kdo k němu přistupuje? Z jaké IP adresy se k němu přistupuje? Kam se přenáší?“

Každý z těchto aspektů – při sledování společně s dalšími událostmi a varováními – může přinést dodatečný kontext k jinak nezjištěné škodlivé aktivitě. Pokud se například zaměstnanec, partner nebo zákazník obvykle přihlašují z počítače se systémem Windows a používají Firefox a najednou dochází ke stahování dokumentů z počítače Mac pomocí prohlížeče Safari, potom by to mohl být příznak probíhajícího problému.

Bankomatový podvod je dalším příkladem z reálného světa, který v současné době významně roste. Představte si klienty banky, kteří jsou jejími zákazníky 20 let a většinu této doby s bankou komunikují určitým způsobem. Můžete hledat anomálie v jejich aktivitách: výše jejich výběrů, místa výběrů, použitou kartu. Dokonce i počet použití karty během dne na různých místech.

A stejný princip můžete použít pro monitorování přístupu k podnikovým zdrojům a dalších aktivit uživatelů a systémů v síti. Zde je několik příkladů:

Koncový bod přidělený jednomu uživateli se přihlašuje do sítě několikrát pomocí více uživatelských identit. Pokud toto vidíte, existuje reálná možnost, že došlo ke kompromitaci systému.

Nešifrované přenosy typu sever-jih se souvislostí s interními přenosy východ-západ – mějte se na pozoru před síťovými aktivitami, které přijdou zvenčí a pohybují se laterálně. Takto související přenosy mohou být příznakem neautorizovaného uživatele či zařízení v síti.

Využívání metod detekce založených na chování – sledování odchozích přenosů a přenosů peer-to-peer pro zjišťování, kam přenosy směřují a jak často danou cestou putují. Zaměření na vstup by ale nemělo být jediným přístupem – musíte totiž také předpokládat, že malware je už uvnitř, a sledovat proto i výstupy.

Využijte výhodu detekce řízení a identifikace existujících útoků, které pravděpodobně odesílají data. Uvědomte si přitom, že odesílání dat často neprobíhá jako jeden přenos a může proběhnout jako řada malých akcí za dlouhou dobu. Ve středu, který představuje dlouhé období aktivity, dochází k bočním pohybům. Identifikace je v tomto případě možná na základě chování, nikoliv pouhou analýzou paketů. Uvažte, že web schválený oddělením IT nebo oddělením zabezpečení, který je však unesený a využívaný útočníkem jako úložná služba, nebudou vaše systémy pro reputaci a filtrování vůbec detekovat.

Při analýze používaných funkcí aplikací jděte nad rámec monitorování aplikací na nejvyšší úrovni. Facebook jako celek se může v případě některých zaměstnanců ještě akceptovat, ale jak a kdy se využívají řešení jako chat Facebooku nebo sledování a odesílání videa v rámci této sociální sítě? Jaká a kolik dat se přenáší při využití uvedených funkcí?

Russia Infrastructure Spying Could Cause 'Total Chaos': UK Defence Minister
28.1.2018 securityweek BigBrothers

Britain's Defence Secretary Gavin Williamson has accused Russia of spying on its critical infrastructure as part of possible plans to create "total chaos" in the country that could "cause thousands and thousands of deaths".

In unusually alarmist words from a senior minister Williamson told the Daily Telegraph that, in its research on UK power supply connections with Europe, Moscow appeared intent on sowing "panic" and hurting Britain.

"What they are looking at doing is they are going to be thinking 'how can we just cause so much pain to Britain?'" he said in comments published Thursday night.

"Damage its economy, rip its infrastructure apart, actually cause thousands and thousands and thousands of deaths, but actually have an element of creating total chaos within the country."

Williamson, who only became defence chief in November after predecessor Michael Fallon resigned over allegations of misconduct, gave the interview at the outset of a new five-month defence review.

He is reportedly pressuring finance minister Philip Hammond to allocate more money to defence and scrap further cuts to Britain's strained armed forces.

In the interview the minister said Russia acts in a way "that any other nation would see as completely unacceptable".

Related: Learn More at SecurityWeek's ICS Cyber Security Conference

"Why would they keep photographing and looking at power stations, why are they looking at the interconnectors that bring so much electricity and so much energy into our country," he questioned in the paper.

"They are looking at these things because they are saying these are the ways that we can hurt Britain."

Earlier this week Fallon joined calls from the head of the army for more British military spending, amid warnings the country may struggle to match Russian battlefield capabilities.

Meanwhile the head of the National Cyber Security Centre said the country will likely face a major cyber-attack within two years.

Ciaran Martin told the Guardian it was inevitable a hostile actor would launch an online attack aimed at crippling Britain's critical infrastructure, such as energy supplies, and it was lucky not to have fallen victim to such a strike already.

Williamson, who is tipped as a possible future ruling Conservative party leader, described his scenario planning as "the real threat that I believe the country is facing at the moment."

A spokesman for the Ministry of Defence said it had nothing further to add to his remarks.

The Russian Embassy in London could not be reached for comment Thursday.

Japan's Crypto Exchange to Refund to Customers After Theft
28.1.2018 securityweek Incindent
Japan-based virtual currency exchange Coincheck said Sunday it will refund about $400 million to customers after hackers stole hundreds of millions of dollars' worth of digital assets.

The company said it will use its own funds to reimburse about 46.3 billion yen to all 260,000 customers who lost their holdings of NEM, the 10th biggest cryptocurrency by market capitalization.

On Friday, the company detected an "unauthorised access" of the exchange, and later suspended trading for all cryptocurrencies apart from bitcoin.

The resulting 58 billion yen ($530 million) loss exceeded the value of bitcoins which disappeared from MtGox in 2014.

The major Tokyo-based bitcoin exchange collapsed after admitting that 850,000 coins -- worth around $480 million at the time -- had disappeared from its vaults.

The high-profile demise of MtGox failed to douse the enthusiasm for virtual currencies in Japan, which in April became the first country in the world to proclaim it as legal tender.

Nearly one third of global bitcoin transactions in December were denominated in yen, according to specialist website

As many as 10,000 businesses in Japan are thought to accept bitcoin and bitFlyer, the country's main bitcoin exchange, saw its user base pass the one-million mark in November.

Many Japanese, especially younger investors, have been seduced by the idea of strong profits as the economy has seen years of ultra-low interest rates offering little in the way of traditional returns.

Major Japanese newspapers on Sunday labelled the management of virtual currencies at Coincheck as "sloppy" and said the company had "expanded business by putting safety second".

Local media added the Financial Services Agency was expected to take disciplinary measures against Coincheck, which proclaims itself "the leading bitcoin and cryptocurrency exchange in Asia", following the theft.

Iran-linked APT OilRig target IIS Web Servers with new RGDoor Backdoor
28.1.2018 securityweek APT

The Iran-linked cyber-espionage group tracked as OilRig started using a backdoor subbed RGDoor to target Internet Information Services (IIS) Web servers.

The OilRig hacker group is an Iran-linked APT that has been around since at least 2015, when targeted mainly organizations in the financial and government sectors, in the United States and Middle Eastern countries.

The hackers used the RGDoor backdoor to target Middle Eastern government organizations and financial and educational institutions.

According to the researchers, RGDoor is a secondary backdoor that allows the hackers to regain access to a compromised Web server when primary TwoFace webshell is discovered and removed.

OilRig hackers are using the TwoFace webshell since at least June 2016, the backdoor

“Unlike TwoFace, the actors did not develop RGDoor in C# to be interacted with at specific URLs hosted by the targeted IIS web server. Instead, the developer created RGDoor using C++, which results in a compiled dynamic link library (DLL).” states the analysis from PaloAlto Networks.

“The DLL has an exported function named “RegisterModule”, which is important as it led us to believe that this DLL was used as a custom native-code HTTP module that the threat actor would load into IIS.”

The attackers exploited the IIS 7 functionality that allows developers to create modules in C++ to extend IIS’ capabilities, in this way they could carry out custom actions on requests

The “native-code modules can be installed either in the IIS Manager GUI or via the command-line using the ‘appcmd’ application,” Palo Alto has explains.


Malware researchers from Paloalto Networks discovered that the code calls the RegisterModule function with arguments that ignore inbound HTTP GET requests, but act on all HTTP POST requests.

When the IIS server receives an inbound HTTP POST request, the backdoor parses the requests searching for the string in HTTP “Cookie” field.

The find was used to issue cmd$ [command to execute], upload$ [path to file], or download$ [path to file] commands.

“RGDoor then constructs its own HTTP response by first setting the “Content-Type” field within the HTTP header to “text/plain”.” continues the analysis.

The choice of the Cookie fields makes it hard to analyze inbound requests related to RGDoor backdoor because IIS does not log the values within these specific fields of inbound HTTP requests by default.

“This backdoor has a rather limited set of commands, however, the three commands provide plenty of functionality for a competent backdoor, as they allow an actor to upload and download files to the sever, as well as run commands via command prompt. The use of RGDoor suggests that this group has contingency plans to regain access to a compromised network in the event their webshells are discovered and remediated.” concluded Palo Alto Networks.

Technical details, including IoCs are reported in the analysis published by PaloAlto Networks.

Download URLs for two packages of the phpBB forum software were compromised
28.1.2018 securityaffairs

Hacker compromised the download URLs of the popular phpBB forum software, for around three hours they were delivering infected versions of legitimate files.
The popular phpBB free and open source forum software has been compromised by an unknown hacker. According to a security advisory released by the phpBB maintainers, the attacker has compromised download URLs for two phpBB packages.

[Security] phpBB 3.2.2 Packages Compromised

4:15 AM - Jan 27, 2018
1 1 Reply 8 8 Retweets 3 3 likes
Twitter Ads info and privacy
The downloads URLs compromised were related to the phpBB 3.2.2 full package and the phpBB 3.2.1 -> 3.2.2 automatic updater.

“Earlier today, we identified that the download URLs for two phpBB packages available on were redirecting to a server that did not belong to us. We immediately took down the links and launched an investigation.” reads the announcement published by the development team.

“The point of entry was a third-party site. Neither nor the phpBB software were exploited in this attack.
If you downloaded either the 3.2.2 full package or the 3.2.1 -> 3.2.2 automatic updater package between the hours of 12:02 PM UTC and 15:03 PM UTC on January 26th, you received an archive modified with a malicious payload. “

The compromised download links were online for around three hours, between 12:02 PM UTC and 15:03 PM UTC on January 26, those who used them received a malware.

Users who downloaded phpBB 3.2.2 packages on January 26 must verify the SHA256 file hash of the file they downloaded with the one reported on the phpBB official downloads page.


The phpBB development team is investigating the incident, it only revealed that the entry point is likely a third-party site and clarified that neither nor the phpBB software were exploited in this attack.

At the time of writing it is still unclear how hackers compromised the download URLs.

The phpBB maintainers quickly removed the links to the malicious payload.

Developers that have already used the package to install or update a phpBB forum, are advised to file an incident report on the forum tracker to receive assistance with removal of the malicious code.

Attackers behind Cloudflare_solutions Keylogger are back, 2000 WordPress sites already infected
28.1.2018 securityaffairs

More than 2,000 WordPress sites have been infected with a malicious script that can deliver both a keylogger and the cryptocurrency miner CoinHive.
More than 2,000 sites running the WordPress CMS have been infected with a malicious script that can deliver both a keylogger and the in-browser cryptocurrency miner CoinHive.

This new hacking campaign was spotted by experts from the security firm Sucuri, the experts believe the attackers are the same that launched a campaign that infected 5,500 WordPress sites in December.

In both campaigns, the threat actors used a keylogger dubbed cloudflare[.]solutions, but be careful, there is no link to security firm Cloudflare.

After the discovery in December of campaign, the cloudflare[.]solutions domain was taken down, but this new discovery confirms that threat actors are still active and are using a new set of recently registers domains to host the malicious scripts that are injected into WordPress sites.

By querying the search engine PublicWWW, researchers discovered that the number of infected sites includes 129 from the domain cdns[.]ws and 103 websites for cdjs[.]online.

“A few days after our keylogger post was released on Dec 8th, 2017, the Cloudflare[.]solutions domain was taken down. This was not the end of the malware campaign, however; attackers immediately registered a number of new domains including cdjs[.]online on Dec 8th, cdns[.]ws on Dec 9th, and msdns[.]online on Dec 16th.” reads the analysis published by Sucuri.

“PublicWWW has already identified relatively few infected sites: 129 websites for cdns[.]ws and 103 websites for cdjs[.]online, but it’s likely that the majority of the websites have not been indexed yet. Since mid-December, msdns[.]online has infected over a thousand websites, though the majority are reinfections from sites that have already been compromised.”

Most of the infected domains are tied to msdns[.]online, with over a thousand reported infections. In many cases, threat actors re-infected WordPress sites compromised in the previous campaign.


The attackers target outdated and poorly configured WordPress sites, they inject the cdjs[.]online script either a WordPress database (wp_posts table) or into the theme’s functions.php file.

The Keylogger script is able to capture data entered on every website form, including the admin login form, information is sent back to the attackers via the WebSocket protocol.

Just like previous versions of the campaign leveraging a Fake GoogleAnalytics Script, researchers identified a fake googleanalytics.js that loads an obfuscated script used to load the malicious scripts “startGoogleAnalytics” from the attackers’ domains.

Experts discovered many similarities also in the cryptominer component of this campaign.

“We’ve identified that the library jquery-3.2.1.min.js is similar to the encrypted CoinHive cryptomining library from the previous version, loaded from hxxp:// 3117488091/lib/jquery-3.2.1.min.js?v=3.2.11 (or hxxp://185 .209 .23 .219/lib/jquery-3.2.1.min.js?v=3.2.11, a more familiar representation of the IP address). This is not surprising since cdjs[.]online also exists on the server 185 .209 .23 .219.” continues the analysis.

“It’s interesting to note that this script extends the CoinHive library and adds an alternative configuration using the 185 .209 .23 .219 server (and now specifically cdjs[.]online) for LIB_URL and WEBSOCKET_SHARDS.”

According to Sucuri experts, the threat actors behind this hacking campaign are active at least since April 2017. Sucuri has tracked at least other three different malicious scripts hosted on the same domain across the months.

The first attack leveraging on these scripts was observed in April when hackers used a malicious JavaScript file to embed banner ads on hacked sites.

In November, experts from Sucuri reported the same attackers were loading malicious scripts disguised as fake jQuery and Google Analytics JavaScript files that were actually a copy of the Coinhive in-browser cryptocurrency miner. By November 22, the experts observed 1,833 sites compromised by the attackers.

Experts noticed that this campaign is still not massive as the one spotted in December, anyway it could not be underestimated.

“While these new attacks do not yet appear to be as massive as the original cloudflare[.]solutions campaign, the reinfection rate shows that there are still many sites that have failed to properly protect themselves after the original infection,” concluded Sucuri.

Intel Working on CPUs With Meltdown, Spectre Protections
27.1.2018 securityweek Safety

Intel is working on CPUs that will include built-in protections against the notorious Meltdown and Spectre attacks, CEO Brian Krzanich revealed on Thursday during a conference call discussing the company’s latest earnings report.

Intel has released some microcode updates to address the vulnerabilities, but the patches have caused serious problems for many users, which has led to Intel and other vendors halting updates.

“Our near term focus is on delivering high quality mitigations to protect our customers’ infrastructure from these exploits. We're working to incorporate silicon-based changes to future products that will directly address the Spectre and Meltdown threats in hardware. And those products will begin appearing later this year,” Krzanich said.Intel to release CPUs with Meltdown and Spectre protections

“However, these circumstances are highly dynamic and we updated our risk factors to reflect both the evolving nature of these specific threats and litigation, as well as the security challenge, more broadly,” he added.

The latest financial report shows that the company had a great 2017, with a record fourth-quarter revenue of $17.1 billion and a record full-year revenue of $62.8 billion. Despite its reputation taking a hit due to the Meltdown and Spectre vulnerabilities, the company expects 2018 to also be a record year.

It’s worth noting, however, that one of the factors that could cause results to differ from the company’s expectations are vulnerabilities in Intel processors and other products. In addition to the security flaws themselves, Intel is concerned about the adverse performance and system instability introduced by mitigations, associated lawsuits, the negative publicity they generate, and the impact they may have on customer relationships and reputation, the company said.

Several class action lawsuits have already been filed against Intel, accusing the company of violating state consumer laws by misleading customers about its product and breaching warranties.

Krzanich sold all the stock he was legally allowed to, worth roughly $24 million, just weeks before the existence of Spectre and Meltdown came to light, which has raised insider trading concerns.

Intel has denied the allegations, but French publication LeMagIT reported this week that Intel started informing its partners of the flaws on the same day the company’s CEO sold his shares, specifically November 29.

Iranian Hackers Target IIS Web Servers With New Backdoor
27.1.2018 securityweek CyberSpy

The Iran-linked cyber-espionage group known as OilRig is using a backdoor to target Internet Information Services (IIS) Web servers used by Middle Eastern government organizations and financial and educational institutions.

Dubbed RGDoor, the malware is believed to be a secondary backdoor that allows the actor to regain access to a compromised Web server in the event the primary malware is detected and removed. This primary malicious tool is the TwoFace webshell, which OilRig is believed to have been using since at least June 2016.

Around since 2015, the OilRig threat group has targeted mainly organizations in the financial and government sectors, in the United States and Middle Eastern countries. Believed to be operating out of Iran, the group is using multiple tools, is expanding its arsenal, and is quick to adopt new exploits.

The backdoor was created using C++, which results in a compiled dynamic link library (DLL) with an exported function named “RegisterModule.” Because of that, Palo Alto's researchers believe the DLL was used as a custom native-code HTTP module loaded into IIS, and suggest that there is no visual representation of the shell for the actors to interact with.

This approach takes advantage of IIS 7 functionality that allows developers to create modules in C++ to extend IIS’ capabilities, such as carry out custom actions on requests. These “native-code modules can be installed either in the IIS Manager GUI or via the command-line using the ‘appcmd’ application,” Palo Alto has explains.

The researchers also found that RGDoor would call the “RegisterModule” function with arguments that ignore inbound HTTP GET requests, but act on all HTTP POST requests, even those issued over HTTPS. The malware parses these requests to look for a specific string in the HTTP “Cookie” field, so as to find whether cmd$ [command to execute], upload$ [path to file], or download$ [path to file] commands were issued to it.

“The sample then transmits the data back to the actor by creating a loop that calls the IHttpResponse::WriteEntityChunk method until all of the data is sent to the actor within HTTP responses. If the WriteEntityChunk method fails at any point during this loop, the code will respond to the actor with a HTTP 500 “Server Error” response by using the IHttpResponse::SetStatus method,” the researchers explain.

Because IIS does not log the values within Cookie fields of inbound HTTP requests by default, it’s difficult to locate and analyze inbound requests related to RGDoor. Furthermore, because the module checks all inbound POST requests for commands, the actor can use any URL to interact with it.

The actors behind the backdoor used the TwoFace webshell to load it onto an IIS Web server and gain backdoor access to the compromised system. The main purpose of the tool, however, appears to be regaining access to the server in the event the TwoFace webshell was removed.

“This backdoor has a rather limited set of commands, however, the three commands provide plenty of functionality for a competent backdoor, as they allow an actor to upload and download files to the sever, as well as run commands via command prompt. The use of RGDoor suggests that this group has contingency plans to regain access to a compromised network in the event their webshells are discovered and remediated,” Palo Alto concludes.

Six Months in Jail for University Email Hacker
27.1.2018 securityweek Crime

A man who accessed over 1,000 email accounts maintained by a New York City-area university to download inappropriate photos and videos was sentenced to 6 months in prison this week.

The man, Jonathan Powell, 30, of Phoenix, Arizona, pled guilty to the charges on August 9, 2017, in Manhattan federal court before United States District Judge Alison J. Nathan, who also imposed the sentence.

According to the allegation he pled guilty to, Powell gained unauthorized access to the email accounts by accessing the password reset utility maintained by the email servers of a United States University that has its primary campus in New York, New York. The tool was meant for authorized users to reset their forgotten passwords.

Powell abused the utility between October 2015 and September 2016 to change the email account passwords of students and others affiliated with the University and to gain access to more than 1,000 accounts.

Once inside the email accounts, he obtained unauthorized access to other password-protected email, social media, and online accounts to which the users of the compromised accounts were registered. These include Apple iCloud, Facebook, Google, LinkedIn, and Yahoo! accounts.

Powell requested password resets for the linked accounts and changed those passwords as well, after a password reset email was sent to the compromised email accounts. Then, he logged into the linked accounts and started looking for private and confidential content.

The investigation into Powell’s nefarious activities revealed that he accessed all of the compromised accounts to download sexually explicit photographs and videos of college-aged women.

Between October 2015 and September 2016, Powell accessed the password reset utility approximately 18,640 different times and attempted around 18,600 password changes for an estimated number of 2,054 unique University email accounts. He succeeded in changing approximately 1,378 passwords for 1,035 email accounts, as he compromised some of the accounts multiple times.

Powell was also found to have compromised 15 email accounts hosted by a University in Pennsylvania. He also admitted to compromising email accounts at several other educational institutions in Arizona, Florida, Ohio, and Texas.

Power was also sentenced to two years of supervised release and ordered to pay $278,855 in restitution.

“Jonathan Powell used his computer skills to breach the security of a university to gain access to the students’ personal accounts. Once Powell had access, he searched the accounts for compromising photos and videos. No college student should have to fear that personal, private information could be mined by strangers for potentially compromising material,” Geoffrey S. Berman, the United States Attorney for the Southern District of New York, commented.

Data Privacy Concerns Cause Sales Delays: Cisco
27.1.2018 securityweek Privacy

Nearly two-thirds of businesses worldwide have experienced significant delays in sales due to customer data privacy concerns, according to Cisco’s 2018 Privacy Maturity Benchmark Study.

The study, based on the responses of roughly 3,000 cybersecurity professionals from 25 countries, shows that 65% of businesses reported sales cycle delays due to concerns over data privacy, with an average delay of nearly 8 weeks.

However, organizations with a mature privacy process are less affected compared to privacy-immature companies. Privacy-mature firms experienced delays of only 3.4 weeks, while immature businesses reported delays averaging nearly 17 weeks.

Sales delays have also varied depending on several other factors, including country, with the longest delays reported in Mexico and Latin America, and industry, with the longest delays in the government and healthcare sectors.


The report also shows that privacy-mature organizations suffer lower losses as a result of data breaches. According to Cisco, only 39% of privacy-mature organizations experienced losses exceeding $500,000, compared to 74% of companies that have an immature privacy process.

The type of model adopted by organizations for privacy resources also appears to be an important factor. According to the study, businesses with fully centralized and decentralized resources had sales delays of 10 and 7 weeks, respectively. On the other hand, organizations with a hybrid model, which represents a mix between centralized and decentralized, reported delays of less than 5 weeks.

“This study provides valuable empirical evidence of the linkage between firm privacy policies and performance-relevant impacts. These results are indicative of the direction that future empirical research on privacy, and cybersecurity more generally, should take to better validate and focus our understanding of best practices in these important areas,” said Dr. William Lehr, economist at MIT.

The complete 2018 Privacy Maturity Benchmark Study is available for download in PDF format.

Cryptocurrencies Fall After Hack Hits Japan's Coincheck
27.1.2018 securityweek Hacking

Cryptocurrencies fell Friday after Japan-based digital exchange Coincheck suspended client deposits and withdrawals for virtual currencies except bitcoin, saying it had been hacked.

Coincheck said it was investigating "unauthorised access" of the exchange that appeared to result in a loss worth half a billion US dollars of NEM, the 10th biggest cryptocurrency by market capitalisation.

"At 3 am (1800 GMT) today, 523 million NEMs were sent from the NEM address of Coincheck. It's worth 58 billion yen based on the calculation at the the rate when detected," said Coincheck's chief operating officer Yusuke Otsuka late Friday.

"We're still examining how many of our customers are affected," he said, adding that the exchange was trying to find out whether the breach was from Japan or another country.

After the exchange suspended deposits and withdrawals, NEM plunged more than 16 percent in a 24-hour period, according to

Major virtual currencies had rebounded slightly by late Friday but were still down, with Bitcoin dropping 2.13 percent to $10,987.70, ripple sliding more than six percent and ethereum flat.

Coincheck said it had discovered the breach at 11.25 am and announced it had suspended trading for all cryptocurrencies apart from bitcoin in a series of tweets.

According to its website, which proclaims it is "the leading bitcoin and cryptocurrency exchange in Asia", Tokyo-based Coincheck was founded in 2012 and had 71 employees as of July last year.

In 2014 major Tokyo-based bitcoin exchange MtGox collapsed after admitting that 850,000 coins -- worth around $480 million at the time -- had disappeared from its vaults.

Bitcoin is recognized as legal tender in Japan and nearly one third of global bitcoin transactions in December were denominated in yen, according to specialist website

The virtual currency is well down from record highs approaching $20,000 in late December, having rocketed 25-fold last year, before being hit by concerns about a bubble and worries about crackdowns on trading it.

Billionaire investor George Soros, known for his legendarily successful currency trading, has dismissed bitcoin as a "typical bubble".

But speaking Thursday at the Davos summit, he said the cryptocurrency would likely avoid a full crash because authoritarians would still use it to make secret investments abroad.

PCI Council Introduces New Standard for Mobile Card Payments
27.1.2018 securityweek Mobil

Responding to the market's growing interest in, and use of, mobile payments, the PCI Security Standards Council (PCI SSC) has announced a new standard for software-based PIN entry on commercial off-the-shelf devices (COTS); such as smartphones and tablets.

"Mobile point-of-sale (MPOS) solutions have become very popular with smaller merchants for their flexibility and efficiency," explained said Aite Group senior analyst Ron van Wezel. "MPOS has enabled them to take orders and accept payments on a tablet or smartphone, anytime and anywhere."

The problem is the cost of hardware-based chip-and-pin can be prohibitive for small merchants in mobile situations.

"With the new PIN entry standard," van Wezel continued, "the PCI Council has responded to market need by specifying the security requirements for allowing PIN entry directly on the mobile touchscreen. This means that merchants can accept payments with just their mobile device and a small, cost efficient card reader connected to it along with a secure PIN entry application."

The new standard has been in the pipeline since last summer. In a July 2017 blog post, PCI SSC CTO Troy Leach announced, "We are starting work on a new standard that specifically focuses on software-based PIN-entry on commercial off-the-shelf (COTS) devices, such as consumer-grade mobile phones or tablets."

This is the standard (PDF) now announced. A separate document, Software-Based PIN Entry on COTS Test Requirements, will be published in the next month.

"With advancements in monitoring capabilities and the ability to isolate account data, we are introducing a security approach that leverages software-based security for accepting a PIN within the boundaries of a COTS device," said Leach in a new blog post on Wednesday -- adding that it was an alternative to, and not a replacement for, the existing PCI PIN Transaction Security Point of Interaction (PTS POI) standard.

There are five core principles to the new standard: isolation of PIN from other account data; ensuring the security of the PIN entry application on the COTS device; active security monitoring of the device; a secure card reader device to encrypt account data; and the restriction of transactions to EMV contact and contactless cards.

Initial reaction from the security industry has been mixed; that is, it is a good basic idea, but with reservations.

"While the new PCI PIN requirements are a good idea," Joseph Carson, chief security scientist at Thycotic told SecurityWeek, "this introduces increased risks as end to end security for PIN cannot be guaranteed. For example, credit card theft in Europe has been less impacted than credit card theft in the USA due to the PIN requirement -- meaning that credit card fraud in Europe has been limited due to the PIN. The new requirements mean the risk of the PIN getting exposed is increased and the risk on cyberattacks against the merchants will also increase. The PIN has been protected up until now; however, this new standard is actually lowering that protection."

Chris Morales, head of security analytics at Vectra Networks, has a different concern. "I have questions around how the PCI council intends for vendors to implement the required continuous monitoring for security threats," he said. "Continuous monitoring could be a costly and time-consuming exercise only large vendors or the payment system supplier would be able to afford to implement correctly. I believe these will need to be vetted out with further review by the security community."

Chris Roberts, chief security architect at Acalvio is also concerned about the monitoring aspect. "Monitoring and actually 'doing' anything about it are two different things. We've run afoul of that so many times in the past where companies are monitoring but are asleep at the wheel. It might be time for PCI to look at technologies that go beyond simply reacting.

"It's good they have realized that payments are going mobile," he added, "but it does feel as if they are in reactive mode as opposed to proactively looking at the marketplace and working with the vendors ahead of time to help shape the future as opposed to being part of the problem in 'gatekeeping'."

PCI SSC believes it has got the security right by isolating the PIN within the COTS device from the account identifying information. "This isolation happens as the Primary Account Number (PAN) is never entered on the COTS device with the PIN," said Leach. "Instead that information is captured by an EMV Chip reader that is approved as an SCRP that encrypts the contact or contactless transaction."

And it should be said that he has support. Sanjay Kalra, co-founder and chief product officer at Lacework, comments, "Businesses required to comply to PCI cover many industries -- retail, hospitality, entertainment, healthcare, electronics and more -- and are all rapidly being disrupted by mobile and cloud computing. They need to upgrade their payment processes to reflect the technology disruptions. This update to the PCI standard is welcome and will help organizations safely take advantage of new mobile technologies. Nobody should be surprised if similar changes come to regulations for the cloud."

Cybercriminals are offering for sale infant fullz on the dark web
27.1.2018 securityaffairs CyberCrime

Cybercriminals are offering for sale infant fullz on the dark web, this is the first time that unscrupulous sellers offer this kind of merchandise on a black marketplace.
Crooks are offering for sale Social Security numbers of babies on the dark web, the news was reported by the CNN.

The news is disconcerting, this is the first time that unscrupulous sellers offer this kind of merchandise on a black marketplace.

The offer appeared on the Dream Market marketplace, one of the biggest Tor marketplace that has been around since around Nov/Dec 2013.

The seller is offering Social Security numbers of babies along with their dates of birth and mother’s maiden names, the ‘Infant fullz’ goes for $300 worth of bitcoin.

The slang term “Fullz” refers full packages of individuals’ identifying information. A “Fullz” package contains an individual’s name, Social Security number, birth date, account numbers and other data.

“Infant fullz get em befor tax seson [sic],” reads the ad.

‘Infant Fullz’ are a precious commodity in the criminal underground they allow crooks to access a clean credit history, they also allow crooks to apply for government benefits or take out mortgages.

The use of children PII is considered secure by cyber criminals because this specific type of identity theft could remain undiscovered for years.

“The listing for infant data was discovered by researchers at Terbium Labs, a dark web intelligence firm. The cost and age of the alleged victims came as a surprise to Emily Wilson, the company’s director of analysis.” states the CNN.

“Although the firm has seen child data for sale before, this was the first time it has seen infants’ data for sale.”

“It’s unusual to have information specifically marked as belonging to children or to infants on these markets,” Wilson said.


Identity theft crimes involving children is not a novelty, according to a 2011 report published by Carnegie Mellon University’s CyLab, the rate of this specific type of crimes for children as being 51 times greater than that of adults.

Researchers highlighted that “parents typically don’t monitor their children’s identities”.

Cryptocurrencies Black Friday – Japan-based digital exchange Coincheck hacked
27.1.2018 securityaffairs Hacking

It is a black Friday for cryptocurrencies, after the news of the hack of the Japan-based digital exchange Coincheck the value of major cryptocurrencies dropped.
It is a black Friday for cryptocurrencies, the news of the hack of the Japan-based digital exchange Coincheck had a significant impact on their value.

Coincheck was founded in 2012, it is one of the most important cryptocurrency exchange in Asia.

The Coincheck suspended the operations of deposits and withdrawals for all the virtual currencies except bitcoin, the exchange announced it was investigating an “unauthorised access” to the exchange.

According to the company, the hackers stole worth half a billion US dollars of NEM, the 10th biggest cryptocurrency by market capitalization.

The news of the incident has a significant impact on the NEM value that dropped more than 16 percent in 24 hours.

“At 3 am (1800 GMT) today, 523 million NEMs were sent from the NEM address of Coincheck. It’s worth 58 billion yen based on the calculation at the rate when detected,” said Coincheck COO Yusuke Otsuka.

“We’re still examining how many of our customers are affected,”

NEM Charts –

The experts at the exchange are investigating the security breach to find out whether it was from Japan or another country.

Coincheck discovered the incident at 11.25 am and notified the suspension of trading for all cryptocurrencies apart from bitcoin via Twitter.

We are currently halting deposits, withdrawals, buying and selling of NEM. Please accept our sincere apologies for this inconvenience and rest assured that we are working to resolve this issue as quickly as possible.

5:04 AM - Jan 26, 2018

*Urgent update regarding deposits of NEM* | Coincheck Cryptocurrency Exchange
View the latest news today for bitcoin market in Japan, cryptocurrency, new features, and campaign at Coincheck Blog.

Twitter Ads info and privacy
In February 2014, Mt. Gox suspended trading and filed for bankruptcy protection from creditors.

At the time, the company was handling over 70% of all bitcoin transactions worldwide, it announced that approximately 850,000 bitcoins ($450 million at the time) belonging to customers and the company were stolen.

Hurry up, update your Lenovo Fingerprint Manager Pro if you use Windows 7, 8 and 8.1
27.1.2018 securityaffairs

Lenovo has fixed a hardcoded password vulnerability in Lenovo Fingerprint Manager Pro affecting a dozen laptop models running Windows 7, 8 and the 8.1 OS.
The PC vendor Lenovo has fixed a hardcoded password vulnerability, tracked as (CVE-2017-3762), affecting a dozen Lenovo laptop models that run versions of Microsoft Windows 7, 8 and the 8.1 operating system.

Lenovo laptops running Windows 10 are not impacted by the vulnerability because that OS version natively supports fingerprint reader technology.

The list of impacted family models includes ThinkPad, ThinkCentre, and ThinkStation laptops.

“A vulnerability has been identified in Lenovo Fingerprint Manager Pro. Sensitive data stored by Lenovo Fingerprint Manager Pro, including users’ Windows logon credentials and fingerprint data, is encrypted using a weak algorithm, contains a hard-coded password, and is accessible to all users with local non-administrative access to the system it is installed in.” states the security advisory published by Lenovo.


The Lenovo Fingerprint Manager Pro is a utility that allows users to log into their laptop and configured websites by using the fingerprint.

The flaw resides in the Lenovo Fingerprint Manager Pro that encrypts sensitive data such as fingerprint data and login credentials using a weak algorithm.

Customers urge to update Fingerprint Manager Pro to version 8.01.87 or later.

The complete list of laptops that need to update their Lenovo Fingerprint Manager Pro version is:

ThinkPad L560
ThinkPad P40 Yoga, P50s
ThinkPad T440, T440p, T440s, T450, T450s, T460, T540p, T550, T560
ThinkPad W540, W541, W550s
ThinkPad X1 Carbon (Type 20A7, 20A8), X1 Carbon (Type 20BS, 20BT)
ThinkPad X240, X240s, X250, X260
ThinkPad Yoga 14 (20FY), Yoga 460
ThinkCentre M73, M73z, M78, M79, M83, M93, M93p, M93z
ThinkStation E32, P300, P500, P700, P900
The flaw was disclosed by Lenovo this week, the company credited Jackson Thuraisamy, a senior security consultant with Security Compass, for the discovery.

Trend Micro spotted a malvertising campaign abusing Google’s DoubleClick to deliver Coinhive Miner
27.1.2018 securityaffairs

Trend Micro uncovered a spike in the number of Coinhie miners over the past few days, including Coinhive, apparently linked to Google’s DoubleClick ads that are proposed on YouTube and other sites.
The number of cyber-attacks against cryptocurrencies is increased due to a rapid increase in the value of currencies such as Bitcoin and Ethereum.

Hackers targeted almost any actor involved in the business of cryptocurrencies, single users, miners and of course exchanges.

Security firms have detected several malware applications specifically designed to steal cryptocurrencies, and many websites were compromised to install script used to mine virtual coins abusing computational resources of unaware visitors.

Researchers at Trend Micro uncovered a spike in the number of Coinhie miners over the past few days apparently linked to Google’s DoubleClick ads that are proposed on YouTube and other sites.

“On January 24, 2018, we observed that the number of Coinhive web miner detections tripled due to a malvertising campaign. We discovered that advertisements found on high-traffic sites not only used Coinhive (detected by Trend Micro as JS_COINHIVE.GN), but also a separate web miner that connects to a private pool.” states the analysis published by Trend Micro.

“We detected an almost 285% increase in the number of Coinhive miners on January 24. We started seeing an increase in traffic to five malicious domains on January 18. After closely examining the network traffic, we discovered that the traffic came from DoubleClick advertisements.“


The researchers observed two separate web cryptocurrency miner scripts, both hosted on AWS, that were called from a web page that presents the DoubleClick ad.

The advertisement uses a JavaScript code that generates a random number between 1 and 101. If the number generated is greater than 10, the advertisement will call the coinhive.min.js script to mine 80% of the CPU power. For the remaining 10%, the advertisement launch a private web miner, the mqoj_1.js script.

“The two web miners were configured with throttle 0.2, which means the miners will use 80% of the CPU’s resources for mining.” continues the analysis.


Google promptly took action against the ads that abuse users’ resources violating its policies.

Blocking JavaScript-based applications from running on browsers can prevent the execution of Coinhive miners, the experts suggest to regularly patch and update web browsers to reduce the risks.

Dutch Spies Watched as Russians Hacked US Democrats: Report
26.1.2018 securityweek BigBrothers

Dutch intelligence services hacked Russian cyber attackers and alerted US counterparts after watching them transfer "thousands" of Democratic Party emails ahead of the 2016 US election, Dutch media reported Friday.

The Dutch national intelligence service (AIVD) had been watching the notorious group known as Cozy Bear since 2014, according to the respected Volkskrant daily, and a Dutch TV news programme Nieuwsuur.

But as well as stumbling upon the group's computer network which was run out of a university building near Moscow's Red Square, the Dutch agents also gained access to the security cameras surveilling the room.

"Not only can the intelligence service now see what the Russians are doing, they can also see who's doing it," the Volkskrant said, citing anonymous US and Dutch sources.

The AIVD alerted its US counterparts when in 2015 it became a "witness to the Russian hackers harassing and penetrating the leaders of the Democratic Party, transferring thousands of emails and documents," it said.

"Yet, it will be months before the United States realise what this warning means: that with these hacks the Russians have interfered with the American elections. And the AIVD hackers have seen it happening before their very eyes."

Cozy Bear has been widely blamed for meddling in the 2016 US elections won by now President Donald Trump.

Although Trump has vehemently denied working with the Russians, his White House is under investigation by special prosecutor and former FBI director Robert Mueller.

Mueller's team is seeking to uncover whether the Trump campaign colluded with Russia's efforts to sway the election, including leaks of hacked Democratic Party files.

Mueller's team has spent the past eight months interviewing members of Trump's campaign and White House staff, and has issued four indictments, with two guilty pleas.

A spokeswoman for the AIVD refused to confirm the Dutch media reports, telling AFP "we never comment on operations."

But American intelligence agencies have said "with high confidence" they believe the Kremlin was behind the attack on the Democratic Party.

That confidence is based on "AIVD hackers having had access to the office-like space in the centre of Moscow for years," the Volkskrant said, citing sources who added that the Dutch had provided "technical evidence" of the attack on the Democratic Party.

Maersk Reinstalled 50,000 Computers After NotPetya Attack
26.1.2018 securityweek

Jim Hagemann Snabe, chairman of Danish shipping giant A.P. Moller–Maersk, revealed this week at the World Economic Forum in Switzerland that the company was forced to reinstall software on nearly 50,000 devices following the NotPetya attack.

In a panel on securing a common future in cyberspace, Hagemann Snabe, former co-CEO of SAP, said the NotPetya malware had hit a large number of systems housed by the company.

According to Hagemann Snabe, Maersk’s IT team had to reinstall software on its entire infrastructure, including 45,000 PCs and 4,000 servers, totaling 2,500 applications.

The mammoth task took only 10 days to complete, during which time the company manually coordinated operations. This was not easy considering that Maersk is the largest container shipping company in the world and it’s responsible for roughly 20 percent of world trade. Hagemann Snabe noted that a ship carrying 10,000-20,000 containers docks into a port every 15 minutes.

Maersk employees managed to manually process 80 percent of the work volume, but the NotPetya incident still cost the company $250-$300 million.

In the aftermath of the cyberattack, the shipping giant realized that its cybersecurity capabilities had been only “average,” but Hagemann Snabe says the company is now determined to improve cybersecurity to the point where it “becomes a competitive advantage.”

“We need a very significant increase in our level of understanding of this problem,” Hagemann Snabe told the panel. “It is time to stop being naive when it comes to cybersecurity. I think many companies will be caught if they are naive – even size does not help you. I think it is very important that we are not just reactive but proactive, and I think we can’t be average, we got to be the best we can.”

Hagemann Snabe believes his company was probably collateral damage in a state-sponsored attack.

The NotPetya malware outbreak, which U.S. and Ukrainian government agencies have attributed to Russia, affected tens of thousands of systems in more than 65 countries. Many of the victims were located in Ukraine, the home of a tax software firm whose product was used as the main attack vector.

Researchers initially believed NotPetya (also known as PetrWrap, exPetr, GoldenEye and Diskcoder.C) was a piece of ransomware. However, a closer analysis revealed that it was actually a wiper.

In addition to Maersk, the list of major organizations hit by the incident includes Rosneft, Merck, FedEx-owned TNT Express, Mondelez International, Nuance Communications, Reckitt Benckiser, and Saint-Gobain. These companies reported that the attack had cost them tens and even hundreds of millions of dollars.

The Dutch intelligence service AIVD ‘hacked’ Russian Cozy Bear systems for years
26.1.2018 securityaffairs BigBrothers

Spying on spies – The hackers from the Dutch intelligence service AIVD ‘compromised’ for years the network of the Russian APT Cozy Bear.
It’s not a mystery, technology firms that intend to work with Russia need to allow the Government experts to scan their code for backdoors and vulnerabilities.

The problem is that this software is often used by the US Government, this means that Russian experts could found bugs or backdoors to exploit in cyber attacks against US Agencies.

Many tech giants already allowed their software review, including McAfee, SAP, Symantec, and HPE, the risk is that foreign Governments could exploit a bug or a backdoor to control them.

Anyway, other firms like Trend Micro has refused to allow the Russians to conduct a source code review of their products.

Of course, the companies defend their position clarifying that the code review s were done under controlled conditions and that not code was allowed to be copied.

News of the day is that the Dutch intelligence service AIVD ‘hacked’ Russian state-sponsored hackers.

The news was reported by the newspaper de Volkskrant, AIVD in 2014 monitored the activity of the Russian APT Cozy Bear (aka APT29) and its efforts to hack into systems at the US Democratic Party‘s and US government servers.

Dutch intelligence service AIVD provided the FBI with crucial information about Russian interference with the American elections.

The AIVD cyber spies compromised security cameras surrounding the building used by the Cozy Bear crew, the Dutch agents were looking for known Russian spies accessing the structure.

“Hackers from the Dutch intelligence service AIVD have provided the FBI with crucial information about Russian interference with the American elections,” reports the Dutch daily newspaper

“That’s how the AIVD becomes witness to the Russian hackers harassing and penetrating the leaders of the Democratic Party, transferring thousands of emails and documents. It won’t be the last time they alert their American counterparts.”


The Dutch hackers conducted a Computer Network Attack against Russians, they are involved in offensive operations aim to compromise adversary networks.

The unit operates under the Joint Sigint Cyber Unit, a collaborative unit of the AIVD and the Dutch Military Intelligence and Security Service MIVD, of about 300 people.

The Dutch cyber unit is composed of about 80-100 people, part of them is focused on intercepting or managing sources, while another team is dedicated to Computer Network Defence.

It’s unknown what exact information the Dutch hackers collected, the unique certainty is that it linked Cozy Bear to the attacks against the US Government.

“Three American intelligence services state with ‘high confidence’ that the Kremlin was behind the attack on the Democratic Party. That certainty, sources say, is derived from the AIVD hackers having had access to the office-like space in the center of Moscow for years. This is so exceptional that the directors of the foremost American intelligence services are all too happy to receive the Dutchmen.” continues the newspaper.

The Cozy Bear hackers are located in a university building near the Red Square, the team is composed on average of ten people. The entrance is in a curved hallway controlled by a security camera that was hacked by Dutch cyber spies.

Thanks to the AIVD, the NSA was able to locate the command and control servers used by Cozy Bear while it was targeting the systems at the State Department.

“Access to Cozy Bear turns out to be a goldmine for the Dutch hackers. For years, it supplies them with valuable intelligence about targets, methods and the interests of the highest ranking officials of the Russian security service. From the pictures taken of visitors, the AIVD deduces that the hacker group is led by Russia’s external intelligence agency SVR.” continues the Volkskrant.

“There’s a reason the AIVD writes in its annual report about 2014 that many Russian government officials, including president Putin, use secret services to obtain information.”

The AIVD hackers left Cozy Bear’s computer network after an investigation that lasted for 1 and 2,5 years, likely because the Russians cut off their access.

Stealth CrossRAT malware targets Windows, MacOS, and Linux systems
26.1.2018 securityaffairs

The popular former NSA hacker Patrick Wardle published a detailed analysis of the CrossRAT malware used by Dark Caracal for surveillance.
Last week a joint report published by security firm Lookout and digital civil rights group the Electronic Frontier Foundation detailed the activity of a long-running hacking group linked to the Beirut Government and tracked as Dark Caracal. The hacking campaigns conducted by Dark Caracal leverage a custom Android malware included in fake versions of secure messaging apps like Signal and WhatsApp.

The report detailed a new strain of cross-platform malware tracked as CrossRAT (version 0.1), it is remote access Trojan that can infect systems based on Windows, Solaris, Linux, and macOS.

The malware implements classic RAT features, such as taking screenshots and running arbitrary commands on the infected systems.

At the time of its discovery, the malware was not detected by almost all the anti-virus software (only two out of 58).


The Dark Caracal attack chain implemented relies primarily on social engineering, the hackers used messages sent to the victims via Facebook group and WhatsApp messages. At a high-level, the hackers have designed three different kinds of phishing messages to trick victims into visiting a compromised website, a typical watering hole attack.

CrossRAT is written in Java programming language, for this reason, researchers can easily decompile it.
The popular former NSA hacker Patrick Wardle published a detailed analysis of the CrossRAT malware.

Once executed on the victim’s system, CrossRAT will determine the operating system it’s running on to trigger the proper installation procedure.

On Linux systems, the RAT also attempts to query systemd files to determine the distribution (i.e. Arch Linux, Centos, Debian, Kali Linux, Fedora, and Linux Mint).

Wardle explained that the author implemented specific persistence mechanisms for each operating system. Once installed the malware will attempt to contact the C&C server.
“Now the malware has persistently installed itself, it checks in with the C&C server for tasking. As noted the EFF/Lookout report the malware will connect to on port 2223. ” states the analysis published by Wardle.

The expert discovered that the CrossRAT includes reference ‘jnativehook Java library that provides global keyboard and mouse listeners for Java, but didn’t see any code within that implant that referenced the jnativehook package, likely because the analyzed version was still under development.

Wardle detailed the persistence mechanism implemented for each OS, this information is useful to detect the presence of CrossRAT on a system.

Check the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\ registry key. If infected it will contain a command that includes, java, -jar and mediamgrs.jar.
Check for jar file, mediamgrs.jar, in ~/Library. Also look for launch agent in /Library/LaunchAgents or ~/Library/LaunchAgents named mediamgrs.plist.
Check for jar file, mediamgrs.jar, in /usr/var. Also look for an ‘autostart’ file in the ~/.config/autostart likely named mediamgrs.desktop.

Beware! Undetectable CrossRAT malware targets Windows, MacOS, and Linux systems
26.1.2018 thehackernews

Are you using Linux or Mac OS? If you think your system is not prone to viruses, then you should read this.
Wide-range of cybercriminals are now using a new piece of 'undetectable' spying malware that targets Windows, macOS, Solaris and Linux systems.
Just last week we published a detailed article on the report from EFF/Lookout that revealed a new advanced persistent threat (APT) group, called Dark Caracal, engaged in global mobile espionage campaigns.
Although the report revealed about the group's successful large-scale hacking operations against mobile phones rather than computers, it also shed light on a new piece of cross-platform malware called CrossRAT (version 0.1), which is believed to be developed by, or for, the Dark Caracal group.
CrossRAT is a cross-platform remote access Trojan that can target all four popular desktop operating systems, Windows, Solaris, Linux, and macOS, enabling remote attackers to manipulate the file system, take screenshots, run arbitrary executables, and gain persistence on the infected systems.
According to researchers, Dark Caracal hackers do not rely on any "zero-day exploits" to distribute its malware; instead, it uses basic social engineering via posts on Facebook groups and WhatsApp messages, encouraging users to visit hackers-controlled fake websites and download malicious applications.
CrossRAT is written in Java programming language, making it easy for reverse engineers and researchers to decompile it.

Since at the time of writing only two out of 58 popular antivirus solutions (according to VirusTotal) can detect CrossRAT, ex-NSA hacker Patrick Wardle decided to analyse the malware and provide a comprehensive technical overview including its persistence mechanism, command and control communication as well as its capabilities.
CrossRAT 0.1 — Cross-Platform Persistent Surveillance Malware
Once executed on the targeted system, the implant (hmar6.jar) first checks the operating system it's running on and then installs itself accordingly.
Besides this, the CrossRAT implant also attempts to gather information about the infected system, including the installed OS version, kernel build and architecture.
Moreover, for Linux systems, the malware also attempts to query systemd files to determine its distribution, like Arch Linux, Centos, Debian, Kali Linux, Fedora, and Linux Mint, among many more.
CrossRAT then implements OS specific persistence mechanisms to automatically (re)executes whenever the infected system is rebooted and register itself to the C&C server, allowing remote attackers to send command and exfiltrate data.
As reported by Lookout researchers, CrossRAT variant distributed by Dark Caracal hacking group connects to 'flexberry(dot)com' on port 2223, whose information is hardcoded in the 'crossrat/k.class' file.
CrossRAT Includes Inactive Keylogger Module

The malware has been designed with some basic surveillance capabilities, which get triggered only when received respective predefined commands from the C&C server.
Interestingly, Patrick noticed that the CrossRAT has also been programmed to use 'jnativehook,' an open-source Java library to listen to keyboard and mouse events, but the malware does not have any predefined command to activate this keylogger.
"However, I didn’t see any code within that implant that referenced the jnativehook package—so at this point it appears that this functionality is not leveraged? There may be a good explanation for this. As noted in the report, the malware identifies it’s version as 0.1, perhaps indicating it’s still a work in progress and thus not feature complete," Patrick said.
How to Check If You're Infected with CrossRAT?
Since CrossRAT persists in an OS-specific manner, detecting the malware will depend on what operating system you are running.
For Windows:
Check the 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run\' registry key.
If infected it will contain a command that includes, java, -jar and mediamgrs.jar.
For macOS:
Check for jar file, mediamgrs.jar, in ~/Library.
Also look for launch agent in /Library/LaunchAgents or ~/Library/LaunchAgents named mediamgrs.plist.
For Linux:
Check for jar file, mediamgrs.jar, in /usr/var.
Also look for an 'autostart' file in the ~/.config/autostart likely named mediamgrs.desktop.
How to Protect Against CrossRAT Trojan?

Only 2 out of 58 antivirus products detect CrossRAT at the time of writing, which means that your AV would hardly protect you from this threat.
"As CrossRAT is written in Java, it requires Java to be installed. Luckily recent versions of macOS do not ship with Java," Patrick said.
"Thus, most macOS users should be safe! Of course, if a Mac user already has Java installed, or the attacker is able to coerce a naive user to install Java first, CrossRAT will run just dandy, even on the latest version of macOS (High Sierra)."
Users are advised to install behaviour-based threat detection software. Mac users can use BlockBlock, a simple utility developed by Patrick that alerts users whenever anything is persistently installed.

Critical Flaw Hits Popular Windows Apps Built With Electron JS Framework
26.1.2018 thehackernews

A critical remote code execution vulnerability has been reported in Electron—a popular web application framework that powers thousands of widely-used desktop applications including Skype, Signal, Wordpress and Slack—that allows for remote code execution.
Electron is an open-source framework that is based on Node.js and Chromium Engine and allows app developers to build cross-platform native desktop applications for Windows, macOS and Linux, without knowledge of programming languages used for each platform.
The vulnerability, assigned as the number CVE-2018-1000006, affects only those apps that run on Microsoft Windows and register themselves as the default handler for a protocol like myapp://.
"Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API," Electron says in an advisory published Monday.
The Electron team has also confirmed that applications designed for Apple's macOS and Linux are not vulnerable to this issue, and neither those (including for Windows) that do not register themselves as the default handler for a protocol like myapp://.
The Electron developers have already released two new versions of their framework, i.e. 1.8.2-beta.4, 1.7.11, and 1.6.16 to address this critical vulnerability.
"If for some reason you are unable to upgrade your Electron version, you can append—as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options," the company says.
End users can do nothing about this vulnerability; instead, developers using Electron JS framework have to upgrade their applications immediately to protect their user base.
Much details of the remote code execution vulnerability have not been disclosed yet, neither the advisory named any of the vulnerable apps (that make themselves the default protocol handler) for security reason.
We will update you as soon as any details about the flaw come out.

EU Antitrust Regulators Fine Qualcomm $1.2 Billion Over Apple Deal
26.1.2018 thehackernews IT

The European Commission has levied a fine of €997 Million, approximately $1.2 Billion, against U.S. chipmaker Qualcomm Inc. for violating antitrust laws in a series of deals with Apple by "abusing its market dominance in LTE baseband chipsets."
According to the European Union (EU), Qualcomm paid Apple billions of dollars to make the iPhone-maker exclusively use its 4G chips in all its iPhones and iPads, reducing competition from other competing manufacturers in the LTE baseband chip industry like Intel.
The European Commission launched an investigation in 2015, which revealed that Qualcomm abused its market dominance in LTE baseband chipsets and struck a deal with Apple in 2011, which meant the iPhone maker would have to repay Qualcomm if it decided to use a rival's chipsets until the end of 2016, hurting innovation in the chip sector.
"This meant that no rival could effectively challenge Qualcomm in this market, no matter how good their products were. This is illegal under EU antitrust rules and why we have taken today's decision," EU competition commissioner Margrethe Vestager said in a press statement.
Apple received payments from Qualcomm for approximately 5 years between 2011 and 2016. The company still uses Qualcomm components in its iPhones and iPads, but it began using Intel LTE modems in its iPhone 7 and 7 Plus devices after the agreement ended.
The fine imposed on the chip maker is hefty, but won't hurt Qualcomm's bottom line significantly as it represents 4.9 percent of the company's turnover in 2017, according to the EU's antitrust commission.
Qualcomm said it 'strongly disagrees' with the European Commission's decision and will 'immediately appeal' it at the General Court of the European Union. The company also believes its agreement with Apple does not violate European Union competition law.
"We are confident this agreement did not violate EU competition rules or adversely affect market competition or European consumers," Qualcomm General Counsel Don Rosenberg said in a statement. "We have a strong case for judicial review, and we will immediately commence that process."
Not just one, Qualcomm is facing a patent fight with Apple over chip royalties, and simultaneously fending off a $100 billion hostile takeover from rival chipmaker Broadcom, but it rejected the bid last November, saying it 'dramatically undervalued' the company.

Yikes! Three armed men tried to rob a Bitcoin Exchange in Canada
26.1.2018 thehackernews Crime

As many non-tech savvy people think that Bitcoin looks like a Gold coin as illustrated in many stock images, perhaps these robbers also planned to rob a cryptocurrency exchange thinking that way.
All jokes apart, we saw one such attempt on Tuesday morning, when three men armed with handguns entered the offices of a Canadian Bitcoin exchange in Ottawa, and restrained four of its employees.
The intruders then struck one of the employees in the head with a handgun, asking them to make an outbound transaction from the cryptocurrency exchange.
A fifth employee in another cabin, who remained unseen in an office, called the police before any assets could be taken, and the robbers left empty-handed.
One of the suspects arrested later Wednesday after arriving police officers saw him run into a ravine north of Colonnade Road and deployed "extensive resources," including K-9 unit officers, to find him, CBC News reports.
"Police are looking for two additional suspects, both described as black males," the police says. "Investigators are also interested in identifying and speaking to a person of interest that was inside the premise as the suspects arrived. That person did not remain at the scene."
The suspect in custody, identified as 19-year-old Jimmy St-Hilaire, has been charged with the following offences:
5 counts of robbery with a firearm
5 counts of point a firearm
5 counts of forcible confinement
Wear disguise
Conspiracy to Commit an indictable offence
Carry concealed weapon
Possess firearm while prohibited
Possess weapon for committing an offence
Possess loaded regulated firearm
St-Hilaire is set to appear in court on January 24, 2018. Ottawa police are now looking for the remaining two suspects.
The authorities have not revealed the name of the cryptocurrency exchange.
A similar incident happened last month when armed robbers kidnapped a top executive at UK-registered crypto-exchange EXMO Finance and allegedly stole more than $1.8 million of Ether for releasing him.
The New York District Attorney's Office charged New Jersey native Louis Meza for the kidnapping and robbery, claiming Meza held "demanded that the victim turns over his cell phone, wallet, and keys while holding the victim at gunpoint."

Maersk chair revealed its company reinstalled 45,000 PCs and 4,000 Servers after NotPetya Attack
26.1.2018 securityaffairs

The shipping giant Maersk chair Jim Hagemann Snabe revealed its company reinstalled 45,000 PCs and 4,000 Servers after NotPetya the attack.
The shipping giant Maersk was one of the companies that suffered the NotPetya massive attack, in August 2017 the company announced that it would incur hundreds of millions in U.S. dollar losses due to the ransomware massive attack.

According to the second quarter earnings report, there were expecting losses between $200 million and $300 million due to “significant business interruption” because the company was forced to temporarily halt critical systems infected with the ransomware.


Now the Møller-Maersk chair Jim Hagemann Snabe has shared further details on the attack suffered by the company during a speech at the World Economic Forum this week.

Snabe explained that the attack forced the IT staff to reinstall “4,000 new servers, 45,000 new PCs, and 2,500 applications,” practically “a complete infrastructure.”

The IT staff worked hard for ten days to restore normal operations.

“And that was done in a heroic effort over ten days,” Snabe said.

“Normally – I come from the IT industry – you would say that would take six months. I can only thank the employees and partners we had doing that.”

Snabe defined the incident as a “very significant wake-up call,” a strong security posture for a company is essential for the development of its business.

Snabe pointed out that Maersk was the victim of the militarization of a cyberspace, the damages were caused by a cyber weapon used by a foreign government to hit Ukraine.

Maersk ship docks worldwide every 15 minutes, unloading between 10,000 to 20,000 containers. The effects of the attack were dramatic and only the heroic effort of the staff that manually restored the normal situation allowed to contain the damages.

Snabe claimed only “a 20 per cent drop in volumes,” and described the efforts of its IT staff as “human resilience”.

Snabe is aware of the risks for companies that operate on the Internet and urges an improvement of infrastructure.

“There is a need for a radical improvement of infrastructure.” he said.

Maersk chair also highlighted the importance of collaboration between companies, technology companies, and law enforcement.

Former Yahoo CISO Bob Lord Joins DNC
26.1.2018 securityweek IT

Former Yahoo chief information security officer Bob Lord has been appointed chief security officer at the Democratic National Committee (DNC), the formal governing body for the United States Democratic Party.

The announcement was made on Thursday and Lord has already told his Twitter followers that he is looking to hire.

“Very honored to be able to work with [DNC CTO Raffi Krikorian], [DNC Chairman Tom Perez], and the rest of the amazing team at the DNC,” Lord said on Twitter.Bob Lord named CSO of DNC

Lord is the DNC’s first CSO. His hiring comes after the organization was the target of cyberattacks in the months leading up to the 2016 presidential election in the United States. Security firms and intelligence agencies attributed the attacks to threat groups previously linked to the Russian government.

Before joining the DNC, Lord was Yahoo’s CISO for nearly two years. While at the tech firm, he led the investigations into the massive data breaches suffered by the company in 2013 and 2014. He was lured by Yahoo after the company’s former security chief, Alex Stamos, joined Facebook as CSO.

A veteran with more than 20 years of experience in cybersecurity, Lord has held leadership positions at AOL, Red Hat, Twitter and Rapid7.

Information Disclosure, DoS Flaws Patched in libcurl
25.1.2018 securityweek

The developers of the popular multiprotocol data transfer library libcurl informed users on Wednesday that the latest version addresses two vulnerabilities.

Libcurl is a free and highly portable file transfer library that supports roughly two dozen protocols and various features. The libcurl website lists more than 250 organizations that use the library in their products, including Adobe, Apple, the BBC, BMW, Broadcom, Cisco, Electronic Arts, Facebook, Google, Intel, Mozilla, Samsung, Sony, VMware and several cybersecurity firms.

The latest Libcurl release, version 7.58.0, patches a total of 82 bugs, including two vulnerabilities that can lead to information disclosure or a denial-of-service (DoS) condition.

One of the security holes, tracked as CVE-2018-1000007, can lead to authentication data getting leaked to third parties.

“When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value,” developers said in an advisory.

“Sending the same set of headers to subsequest hosts is in particular a problem for applications that pass on custom Authorization: headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request,” they added.

This vulnerability has existed in the libcurl code for a long time. “It existed in the first commit we have recorded in the project,” developers noted.

The second flaw, identified as CVE-2018-1000005, has been described as an out-of-bounds read issue that can lead to a DoS condition or information disclosure.

“The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like ‘:’ to the target buffer, while this was recently changed to ‘: ‘ (a space was added after the colon) but the associated math wasn't updated correspondingly,” developers explained. “When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to the libcurl callback.”

This vulnerability only affects libcurl versions 7.49.0 through 7.57.0.

CVE-2018-1000007 was reported to cURL developers on January 18, while CVE-2018-1000005 was brought to their attention on January 10. Developers said they had not been aware of any attempts to exploit these flaws.

Various Linux distributions are also working on pushing out updates that patch the flaws.

Google Parent Alphabet Launches Cybersecurity Firm Chronicle
25.1.2018 securityweek Cyber

Google parent Alphabet on Wednesday announced a new standalone business dedicated to cybersecurity.

Called Chronicle, the newly unveiled company was born in 2016 as a project within X, Alphabet’s “moonshot” factory, with ambitions of analyzing massive amounts of data to provide security teams with insights into areas of “likely vulnerability” to help them protect their data.

“X, the moonshot factory, has been our home for the last two years while we figured out where we had the potential to make the biggest impact on this enormous problem,” Stephen Gillett, CEO of Chronicle, wrote in a blog post.

The new company, Gillett says, “will have two parts: a new cybersecurity intelligence and analytics platform that we hope can help enterprises better manage and understand their own security-related data; and VirusTotal, a malware intelligence service acquired by Google in 2012 which will continue to operate as it has for the last few years.”

“We want to 10x the speed and impact of security teams’ work by making it much easier, faster and more cost-effective for them to capture and analyze security signals that have previously been too difficult and expensive to find,” added Gillett, a former executive at Symantec, Best Buy and Starbucks. “We are building our intelligence and analytics platform to solve this problem.”

Few details have been provided, and many questions remain on exactly what Chronicle’s platform will bring to the table, and how it will be deployed in an enterprise. With that said, Google has been innovative with its own internal security tools and initiatives, and it’s likely that Chronicle’s offerings will be compelling.

In June 2017, Google shared details on the security infrastructure that protects its data centers. Late last year, Google also shared detailed information on how it protects service-to-service communications within its infrastructure at the application layer and the system it uses for data protection. The search giant also has provided technical details on how it uses a “Tiered Access” model to secure devices for its global workforce of more than 61,000 employees.

“Inspired by Google’s own security techniques, we’re advancing cybersecurity for enterprises of all sizes,” Chronicle’s website says.

Chronicle, says X’s Astro Teller, is starting “by trying to give organizations a much higher-resolution view of their security situation than they’ve ever had by combining machine learning, large amounts of computing power and large amounts of storage.”

According to Gillett, the company will have its own contracts and data policies with its customers, while also being able to tap expertise across the entire Alphabet ecosystem.

Mirai-Based Masuta Botnet Weaponizes Old Router Vulnerability
25.1.2018 securityweek BotNet 

A new Internet of Things-targeting piece of malware based on Mirai’s publicly released source code has been observed at large, ensnaring devices into a botnet.

Dubbed Masuta, the botnet has at least two variants at large, and is believed to be the work of a well-known IoT threat actor, NewSky Security says. What’s also unique to the botnet is that it exploits an old router vulnerability, being the first threat known to weaponize it in a botnet campaign.

Masuta (Japanese for “master”) botnet’s source code was found on an invite only dark forum. The malware’s configuration file, the researchers discovered, uses a different seed of the cipher key compared to Mirai, having the strings in the configuration files XORed by 0x45.

Thus, the researchers discovered that it uses the domain nexusiotsolutions(dot)net, the command and control (C&C) server that Nexus Zeta, the individual involved in the recent Satori attacks, uses. The domain was registered using the nexuszeta1337@gmail(.)com email address.

Thus, NewSky Security suggests that Nexus Zeta has been involved in the creation of the Masuta botnet, in addition to building Satori, the Mirai variant that has been wreaking havoc over the past couple of months.

In fact, Masuta isn’t new either, and attacks involving it have been steadily increasing since September, and the botnet’s standard variant has been observed using several known/weak/default credentials to compromise IoT devices.

An evolved variant of Masuta, called PureMasuta, contains the most typical of Mirai style code, and a list of weak credentials to use. What makes this malware variant stand out, however, is its usage of EDB 38722 D-Link exploit.

The exploit PureMasuta uses resides in the HNAP (Home Network Administration Protocol), which is based on the SOAP protocol. It is possible to craft a SOAP query to bypass authentication by using hxxp://, and improper string handling can lead to arbitrary code execution, and an attacker can abuse this combination of issues to run code on targeted devices.

What the botnet does is to download a shell script from the C&C server and run it. Thus, the malware author first bypasses authentication and then executes code on the targeted devices.

The PureMasuta variant uses the same C&C server ( as the original Masuta variant, which led the researchers to believe it is the evolved creation of the same threat actor.

“Nexus Zeta is no stranger when it comes to implementing SOAP related exploits. The threat actor has already been observed in implementing two other known SOAP related exploits, CVE-2014–8361 and CVE-2017–17215 in his Satori botnet project,” NewSky Security notes.

Thus, the TR-069 bug and EDB 38722 are the third and fourth SOAP related exploits abused by IoT botnets.

“Protocol exploits are more desirable for threat actors as they usually have a wider scope. A protocol can be implemented by various vendors/models and a bug in the protocol itself can get carried on to a wider range of devices,” the researchers conclude.

Lebanon Must Investigate Claims of Mass Spying: Rights Groups
25.1.2018 securityweek BigBrothers

Eight rights groups including Human Rights Watch called on Lebanese authorities Wednesday to investigate reports of a massive espionage campaign traced back to a government security agency.

Digital researchers last week said they had uncovered a hacking campaign using malware-infected messaging apps to steal smartphone data from people in more than 20 countries, including journalists and activists.

The report tracked the threat, which the researchers dubbed "Dark Caracal", to a building in Beirut belonging to the Lebanese General Security Directorate.

Eight rights groups and media organizations called on Lebanon's general prosecutor on Wednesday to investigate who was behind the campaign.

"If these allegations are true, this intrusive surveillance makes a mockery of people's right to privacy and jeopardises free expression and opinion," said Lama Fakih, deputy Middle East director at Human Rights Watch. "Lebanese authorities should immediately end any ongoing surveillance that violates the nation's laws or human rights, and investigate the reports of egregious privacy violations."

Other signatories included the Lebanese Center for Human Rights (CLDH), the SKeyes Center for Media and Cultural Freedom, and Lebanon's Social Media Exchange (SMEX).

Hundreds of gigabytes of data have been taken from thousands of victims in more than 21 countries, said the report, authored by digital rights group Electronic Frontier Foundation and mobile security firm Lookout.

They called Dark Caracal "one of the most prolific" mobile espionage campaigns to date. With fake versions of secure messaging services like WhatsApp and Signal, the scheme has enabled attackers to take pictures, capture audio, pinpoint locations, and mine handsets for private data.

According to the report, Dark Caracal used FinFisher, surveillance software used by governments around the world.

In 2015, Toronto-based research group Citizen Lab found that General Security and other Lebanese security forces have used FinFisher for surveillance in Lebanon.

General Security chief Abbas Ibrahim did not explicitly deny the report.

"The report is very, very, very exaggerated. We don't have these capabilities. I wish we had those abilities," he said.

In comments to the media, Interior Minister Nouhad Mashnuq also appeared to confirm there was at least some truth to the report. "It's not that it's not true, it's just very overblown," said Mashuq.

Lawmakers Raise Questions About Disclosure of CPU Flaws
25.1.2018 securityweek

The U.S. House Energy and Commerce Committee on Wednesday sent letters to several tech giants, raising questions about how the disclosure of the CPU vulnerabilities known as Spectre and Meltdown was handled.

Lawmakers have asked the CEOs of Intel, AMD, ARM, Apple, Google and Microsoft to answer a series of questions on how the disclosure of the flaws was coordinated.

Specifically, the tech giants have been asked about why an embargo was imposed and who proposed it, when were US-CERT and CERT/CC notified, the impact of the embargo on critical infrastructure and other technology companies, the resources and best practices used in implementing the embargo, and lessons learned. The targeted companies have been instructed to respond by February 7.

The Meltdown and Spectre vulnerabilities allow malicious applications to exploit weaknesses in CPU designs and bypass memory isolation mechanisms. An attacker can leverage the flaws to access data as it’s being processed, including passwords, photos, documents, and emails.

The vulnerabilities were discovered independently by researchers at Google and various universities and companies. Major vendors were first notified in June 2017 and the disclosure of the flaws was initially planned for January 9, but some experts figured out that Microsoft and Linux developers had been preparing patches for critical CPU flaws and the disclosure was moved to January 3.

The companies that were notified quickly rolled out patches after information on the Meltdown and Spectre attack methods was made public – some firms released fixes even before disclosure – but some organizations, such as Digital Ocean, were caught off guard by the news and complained about the embargo.

“While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures,” the congressional committee wrote in its letter.

“As more products and services become connected, no one company, or even one sector, working in isolation can provide sufficient protection for their products and users,” the lawmakers added. “Today, effective responses require extensive collaboration not only between individual companies, but also across sectors traditionally siloed from one another. This reality raises serious questions about not just the embargo imposed on information regarding the Meltdown and Spectre vulnerabilities, but on embargos regarding cybersecurity vulnerabilities in general.”

While many companies have managed to quickly address the vulnerabilities, mitigations have been found to introduce performance penalties and cause systems to become unstable. Both software and microcode updates caused problems for users, and system manufacturers have decided to halt BIOS updates due to buggy patches provided by Intel.

Chrome 64 Brings Additional Mitigations for CPU Flaw
25.1.2018 securityweek

Google this week released Chrome 64 in the stable channel with fixes for 53 security flaws and with additional mitigations against the web-exploitable “Spectre” CPU vulnerability.

Made public in the beginning of this year along with a bug called Meltdown, Spectre is a speculative side-channel attack technique impacting modern processors from Intel, AMD, and ARM. Putting billions of devices at risk, the two vulnerabilities have fueled an industry-wide race to release patches and mitigations.

In early December 2017, Google added Site Isolation to Chrome 63 as the first step in its attempt to mitigate these attack methods. The new Chrome release, available for Windows, Mac, and Linux as version 64.0.3282.119, brings additional mitigations against the speculative side-channel attack techniques.

The new browser iteration also includes an improved pop-up blocker, capable of preventing sites that employ abusive experiences from opening tabs or windows. Some of these deceptive tactics include masquerading links to third-party websites as play buttons or other site controls, or using transparent overlays on websites that capture all clicks and open new tabs or windows.

Site owners can check whether their websites have been found to use such abusive experiences by using the Abusive Experiences Report in Google Search Console. Thus, they can improve their user experience, Google says.

In addition to security improvements and fixes, Chrome 64 also brings some new features for developers, Google revealed in a blog post.

Of the 53 vulnerabilities that Chrome 64 patches, nearly half were discovered by external researchers, most of which are Medium and Low severity bugs.

Three High risk issues were resolved in the application: CVE-2018-6031 (Use after free in PDFium), CVE-2018-6032 (Same origin bypass in Shared Worker), and CVE-2018-6033 (Race when opening downloaded files). Google awarded the reporting researchers $3000, $2000, and $1000, respectively.

The Medium severity bugs addressed in Chrome 64 include an integer overflow issue in Blink, several insufficient isolation of devtools from extensions flaws, integer underflow in WebAssembly, insufficient user gesture requirements in autofill, heap buffer overflow in WebGL, XSS in DevTools, content security policy bypass, URL spoof issues in Navigation and OmniBox, insufficient escaping with external URL handlers, and cross origin URL leak in WebGL.

Google also resolved a referrer policy bypass bug in Blink, URL spoofing in Omnibox, UI spoof flaws in Permissions and in OmniBox, referrer leak in XSS Auditor, incomplete no-referrer policy implementation, leak of page thumbnails in New Tab Page, and use after free in WebUI vulnerabilities.

Overall, the Internet giant paid over $20,000 in bug bounties to the researchers who reported these vulnerabilities. However, the company hasn’t revealed all of the paid rewards yet.

Railway Cybersecurity Firm Cylus Emerges From Stealth
25.1.2018 securityweek Cyber

Cylus Obtains $4.7 Million in Funding to Help Protect Rail Industry Against Cyberattacks

Cylus, an Israel-based startup that specializes in cybersecurity solutions for the rail industry, emerged from stealth mode on Thursday with $4.7 million in seed funding.

Researchers have warned on several occasions in the past years that modern railway systems are vulnerable to cyberattacks, and the rail industry has been targeted by both cybercriminals and state-sponsored cyberspies.

Cylus aims to address the challenges of securing railway systems by developing a solution that is specifically designed for this sector. The product relies on a set of non-intrusive sensors that provide deep visibility into operational networks and help detect malicious activities. Customers are provided an automated assessment and instructions on how to respond when a threat is detected.

Railway Cybersecurity Startup Cylus Emerges From Stealth

The sensors are deployed in control centers, train management systems, interlocking systems, rolling stock, and trackside components. Information collected by the sensors is fed to an on-premises server that aggregates data and generates alerts based on rules derived from machine learning algorithms and research conducted by Cylus.

A centralized dashboard provides a view of all components, and alerts users when suspicious activities are detected, including failed authentication attempts, abnormal signaling communications, and unauthorized communications between components.

In addition to step-by-step instructions on how to respond to a specific threat, Cylus’ product offers forensic analysis capabilities designed to allow railroad companies to investigate incidents.

Cylus has obtained $4.7 million in seed funding from Zohar Zisapel, Magma Venture Partners, Vertex Ventures, and the SBI Group.

“Current approaches to cybersecurity do not fit the architecture of railway networks today,” said Cylus CEO Amir Levintal. “Our team of world-class cyber specialists together with rail industry experts have tailored a solution to the industry’s unique requirements. Our solution enables rail companies to detect cyber-attacks in their operational network, including their signaling systems and rolling stocks, and block attackers before they can cause any damage. The automotive industry has woken up to the critical need for cyber protection– it’s time the railway industry got on board as well.”

Cylus told SecurityWeek that it’s currently in negotiations with several large national railways to test its product. Pricing is scalable and depends on the specific needs of each customer.

“Railway companies cannot compromise on passenger safety, and one of the pillars of passenger safety is cybersecurity,” said Boaz Zafrir, President of Cylus and former CEO of Israel Railways. “Railway executives are acutely aware of the dangers and are looking for answers. The extraordinary team at Cylus has rich experience creating effective cybersecurity solutions, and I am confident that the company's unique technology will help keep passengers safe all over the world.”

North Korea-linked Lazarus Hackers Update Arsenal of Hacking Tools
25.1.2018 securityweek BigBrothers

Recent cyberattacks associated with the North Korea-linked Lazarus group have used an evolved backdoor, along with a Remote Controller tool, Trend Micro reports.

Targeting financial institutions, the campaign employed watering hole attacks and an evolved variant of the Lazarus-linked RATANKBA Trojan, which is capable of delivering multiple payloads, including hacking tools and software targeting banking systems.

The Lazarus group has been active since at least 2009 and is believed to be backed by the North Korean government. The threat actor has targeted government, military, media, aerospace, financial and manufacturing organizations, and is believed to be the most serious threat against banks.

Servers the group used as part of the recently observed campaign for temporarily holding stolen data allowed security researchers to gain insight into attacks and victims. Thus, they discovered that around 55% of the victims were located in India and neighboring countries and that most of them didn’t use enterprise versions of Microsoft software.

In a December 2017 report, Proofpoint researchers revealed that Lazarus had started targeting individuals, and that a new Windows executable downloader and a new first-stage implant were being used in attacks.

“Less than 5% of the victims were Microsoft Windows Enterprise users, which means that currently, RATANKBA mostly affects smaller organizations or individual users, not larger organizations. It’s possible that Lazarus is using tools other than RATANKBA to target larger organizations,” Trend Micro says.

By looking at the victims’ IP addresses, the security researchers also determined that none can be associated with a large bank or a financial institution. However, victims that are likely employees of web software development companies in India and South Korea appear to have been targeted.

The hackers delivered the RATANKBA malware to their intended targets via malicious Office documents (containing topics related to software development or digital currencies), CHM files, and script downloaders. The goal of the attacks was to install the RATANKBA backdoor onto the victims’ machines to steal user information and execute commands on the system.

The hackers use a Remote Controller tool to send jobs to compromised endpoints. Through the controller, attackers queue tasks on the main server, and RATANKBA connects to this server to retrieve the tasks and execute it. This means that real-time communication between the backdoor and the attacker isn’t employed.

The controller provides a graphical UI interface and allows the attacker to both push code to the server and download victim profiles from it.

The RATANKBA variant used in these attacks was written in Powershell, an evolution from the original variant, which was in PE form. The new malware iteration is more difficult to detect.

The members of the Lazarus group, Trend Micro says, appear to be native Korean speakers, “or at least have Korean language proficiency that is at the near-native level.” At least one of them is believed to also understand Chinese. The group appears interested in crypto-currencies such as Bitcoin (BTC) and Ant Share (NEO).

“Given Lazarus’ use of a wide array of tools and techniques in their operations, it’s reasonable to assume that the group will continue to use ever-evolving tactics in their malicious activities. Overall, an organization will need multilayered security strategies, as Lazarus and other similar groups are experienced cybercriminals who employ different strategies to get past organizational defenses,” the researchers conclude.

New Targets, $2 Million in Prizes Announced for Pwn2Own 2018
25.1.2018 securityweek Congress

Trend Micro’s Zero Day Initiative (ZDI) announced on Thursday that this year’s Pwn2Own hacking competition offers $2 million in cash and prizes, with several new pieces of software added to the list of targets.

Pwn2Own 2018 is scheduled to take place on March 14-16 alongside the CanSecWest conference in Vancouver, Canada. This year, ZDI has partnered with Microsoft for the event, and VMware has been announced as a sponsor.

This year’s categories are virtualization, web browsers, enterprise applications, servers, and the Windows Insider Preview challenge.

In the virtualization category, Pwn2Own 2018 introduces a new target, namely Oracle VirtualBox. Researchers can earn $35,000 and a $30,000 bonus if they can execute a privilege escalation via a Windows kernel vulnerability on the host. The base prize for VMware Workstation is $70,000 and for Microsoft Hyper-V it’s $150,000.

All major web browsers are targeted at Pwn2Own 2018. A sandbox escape can earn contestants $60,000 if it works on Chrome or Edge, $55,000 on Safari, and $40,000 on Firefox. Hackers can earn a bonus of $50,000-$70,000 if they combine their exploit with a virtual machine escape via a kernel privilege escalation vulnerability.

The targeted apps in the enterprise category are Adobe Reader, with a maximum prize of $90,000, Office 365 ProPlus, with a maximum prize of $50,000, and Microsoft Outlook, for which organizers are prepared to pay out up to $100,000. This will be the first time Outlook is a target at Pwn2Own.

In the servers category, there are no less than three new targets, including NGINX, Microsoft Windows SMB, and OpenSSL. Apache Web Server, the only target in this category in last year’s event, will remain on the list. Vulnerabilities in each of these pieces of software can earn researchers up to $100,000.

Since Microsoft is a partner of Pwn2Own 2018, it has asked ZDI to introduce a special category for some of its flagship pre-release security technologies in the latest Windows Insider Preview for Business running on Surface Book 2 devices.

Targets include Windows Defender Application Guard for Edge, Windows SMB, and the Windows Hyper-V client. Prizes range between $10,000 and $250,000.

As always, the contestant or team with the highest number of Master of Pwn points will earn 65,000 ZDI reward points, which are worth roughly $25,000. In addition, the first-round winner for each category can win a laptop.

At Pwn2Own 2017, ZDI paid out a total of $833,000 for 51 vulnerabilities, nearly double than the $460,000 earned by hackers in the previous year for only 21 new flaws. Given that this year’s prize pool is $2 million, double than what organizers offered last year, we can expect some interesting exploits.

30 Million Possibly Impacted in Crypto-Currency Mining Operation
25.1.2018 securityweek

A large-scale crypto-currency mining operation active for over 4 months is believed to have impacted around 30 million systems worldwide, Palo Alto Networks security researchers say.

The campaign, which attempts to mine the Monero cryptocurrency using the open-source XMRig utility, has affected mainly users in South-East Asia, Northern Africa, and South America. The campaign employed VBS files and URL shortening services to install the mining tool and also used XMRig proxy services on the hosts to mask the used wallets.

Telemetry data from the URL shortening service suggested that at least 15 million people were impacted. However, with less than half of the identified samples using, the researchers speculate that the actual number of affected users could be upwards of 30 million.

The campaign employed over 250 unique Microsoft Windows PE files, over half of which were downloaded from online cloud storage provider 4sync. What the researchers couldn’t establish, however, was how the file downloads were initiated.

The attackers attempted to make their files appear to have both generic names and to originate from popular looking file sharing services.

The URL shortening service that pays users when their links are clicked was also used in this campaign. When users clicked on these URLs, they were redirected and ended up downloading the crypto-currency mining malware instead.

The malware used in this campaign was meant to execute the XMRig mining software via VBS files and uses XMRig proxy services to hide the ultimate mining pool destination. It also uses Nicehash, a popular marketplace that allows users to trade hashing processing power (it supports various crypto-currencies and sellers are paid in Bitcoin).

Before October 20, 2017, the attackers behind this campaign were using the Windows built-in BITSAdmin tool to download the XMRig mining tool from a remote location. The final payload was mainly installed with the filename ‘msvc.exe’.

After October 20, 2017, the attackers started experimenting with HTTP redirection services, but continued using SFX files to download and deploy their malware. They also started supplementing mining queries with a username and making obfuscation attempts within the VBS files to avoid detection.

Starting on November 16, 2017, the attackers dropped the SFX files and adopted executables compiled in Microsoft .NET Framework. These would write a VBS file to disk and modify Run registry keys to achieve persistence.

In late December, the dropper was compiled with Borland Delphi and would place the VBS file in the victim’s startup folder to achieve persistence. The latest samples using this dropper also switched to a new IP address for XMRig communication, namely 5.23.48[.]207.

The campaign, researchers say, affected most countries around the world. Based on telemetry data, the attacks appear to have hit Thailand (3,545,437 victims), Vietnam (1,830,065), Egypt (1,132,863), Indonesia (988,163), Turkey (665,058), Peru (646,985), Algeria (614,870), Brazil (550,053), Philippines (406,294), and Venezuela (400,661) the most.

“Monero mining campaigns are certainly not a new development, as there have been various reported instances recently. However, it is less common to observe such a large-scale campaign go relatively unnoticed for such a long period of time. By targeting random end-users via malicious advertisements, using seemingly innocuous names for the malware files, and using both built-in Windows utilities and scripting files, the attackers are able to gain a foothold on victim systems at large scale,” Palo Alto concludes.

Malware in 2017 Was Full of Twists and Turns
25.1.2018 securityweek

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering, and ups and downs in ransomware.

These conclusions come from the 'Cybercrime tactics and techniques: 2017 state of malware' report (PDF) published today by Malwarebytes.

"We look at our own detection telemetry and what we find in our honeypots to see what the criminals are pushing out," Malwarebytes director of malware intelligence, Adam Kujawa, told SecurityWeek, "and we see what trends are apparent." The report covers the period of January to November 2017 and compares it to the same period for 2016.

In some cases, those trends are surprising. Ransomware figured heavily in 2017; but with nuances. Over the year, detections for consumers increased by 93% over 2016, and by 90% for businesses. But those figures disguise a decline in consumer ransomware and an increase in business ransomware over the last few months of 2017.

It's not clear why this happened, but Kujawa conjectures that improving awareness of ransomware and better defenses is making it harder for the criminals to get a good return from consumers. At the same time, while succeeding against business is even more difficult than infecting consumers, the potential return is much higher per victim. Earlier this month, Hancock Health paid $55,000 to recover from a SamSam ransomware attack.

At the same time as ransomware declined at the end of the year, "We saw," said Kujawa, "a significant increase in spyware, banking trojans, hijackers and even adware." He also pointed to a one-month dramatic spike in ransomware detections in September coinciding with an equally dramatic dip in spyware detections. "It indicates that the same type of campaign was being used to distribute both spyware and ransomware," he suggested.

For consumers, adware is now the most-detected threat -- representing around 40% of all consumer detections (it's the second most-detected threat for businesses). Anti-malware firms have been increasingly active against all forms of unwanted apps; and Malwarebytes has been in the vanguard of this. In November it won a court case brought by Enigma Software, supplier of SpyHunter, which Malwarebytes it detects and blocks as unwanted software.

Concurrent with the adware market becoming more difficult, there has been a reduction in the number of players. But, commented Kujawa, "despite there being less players in the game, the attacks themselves are more sophisticated -- we see adware, something we regularly classify as a PUP, using root kit functionality to block security software from running, or just blocking the ability to remove it at all."

The report specifies Smart Service, which is bundled with adware and PUPs to prevent their removal. It hooks into the Windows CreateProcess function, so it can inspect new processes before they run. It also "protects certain processes from being terminated, and stops the user from removing critical files and registry keys."

Apart from adware, the decline in ransomware for business was replaced by an upsurge in spyware and banking trojans. For all malware, the primary tactics of infection changed from 2016 to 2017. "In 2016 we saw lots and lots of exploit kits (also in 2015)," said Kujawa. "Now suddenly spreading malware through email is popular again. It's based on tricking the user into opening something. There's less attacking the computer (exploit kits delivering malware without the user being aware) and more attacking the person (social engineering emails)."

For the consumer, the big growth malware in 2017 has been crypto-miners. Exploit kits, drive-by attacks, phishing and malicious spam attacks have all pushed miners. "We blocked one of the primary pushers of this technology, CoinHive," explained Kujawa, "and that turned out to be our #1 detection over many months. We're talking about multi-million detections per day -- averaging about 8 million per day, but I've seen it go up to 12 million and even 20 million on occasion."

One area that did not show an expected increase during 2017 was botnet activity. "The last year showed a steady decline in detections for botnet malware, a huge shift from what we saw in 2016," notes the report. "This aligns for both business and consumer customer telemetry."

There's likely little comfort in this. "Declines," adds the author, "are likely due to a shift in focus away from the desktop, aiming at IoT devices such as routers or smart appliances instead." We learned the potential for large IoT-based botnets at the end of 2016, with the Mirai attacks. "While there was a lack of massive IoT attacks in 2017, attackers have been spending their time focused on developing new tools to take advantage of IoT with cryptocurrency mining, spam-spreading botnets, and likely more DDoS attacks."

Ransomware is currently showing a downward trend. Crypto-mining may not survive the volatility in market prices (Bitcoin is currently trading at around $11,000; down from nearly $20,000 just a few weeks ago) and the likelihood of greater international cryptocurrency regulation. But Malwarebytes warns they could be replaced by something new and potentially more worrying.

"It is not farfetched," says the report, "to think we may see DDoS attacks against large organizations, like airline companies and power utilities, demanding a ransom payment to call off an army of botnet-infected IoT devices." Ransomware might decline, merely to be replaced by larger DDoS ransoms.

"Hide 'N Seek" IoT Botnet Ensnares 20,000 Devices in Days
25.1.2018 securityweek IoT  BotNet

An Internet of Things (IoT) botnet featuring a worm-like spreading mechanism managed to ensnare over 20,000 devices over the course of several days, Bitdefender reports.

Dubbed Hide ‘N Seek, the botnet was first spotted on January 10, when it focused on IP cameras manufactured by a Korean company, but vanished just days after. On January 20, however, the researchers observed a new, improved variant of the malware, which has ensnared more than 20,000 devices worldwide and continues to spread quickly.

The malware was designed to exfiltrate data, execute code, and interfere with the device operation. Employing a complex and decentralized communication technique and multiple anti-tampering methods to prevent hijacking, the botnet uses the same exploit as Reaper (CVE-2016-10401 and other vulnerabilities), Bitdefender says.

The bot’s worm-like spreading mechanism consists of randomly generating a list of IP addresses to target, and then initiating a raw socket SYN connection to each host on specific destination ports (23, 2323, 80, and 8080). After establishing a connection, the bot first looks for a specific banner (“buildroot login:”) and attempts log in via predefined credentials, or launches a dictionary attack if that fails.

Next, the malware attempts to properly identify the target device and select a compromise method, such as setting up a TFTP server if the target is on the same LAN, or a remote payload delivery method if the target is on the Internet.

These pre-configured exploitation techniques are located in a digitally signed memory location to prevent tampering and can be updated remotely and propagated among infected hosts. Targeting IoT devices, the botnet can’t achieve persistence, meaning that a device reboot would clear up the infection.

After Hajime, Hide ‘N Seek becomes the second known IoT botnet to use a decentralized, peer-to-peer architecture. The difference is that, while Hajime used p2p functionality based on the BitTorrent protocol, the new botnet uses a custom-built p2p communication mechanism.

“The bot opens a random port on the victim, and adds firewall rules to allow inbound traffic for the port. It then listens for connections on the open port and only accepts the specific commands described below,” Bitdefender Senior Threat Analyst Bogdan Botezatu explains.

To prevent infiltration or poisoning attempts, the malware uses an elliptic curve key within the file used to authenticate the command for updating the memory zone where configuration settings are stored.

The bot includes support for multiple commands for configuration updates, a data exfiltration mechanism, and a scanning component (which sends to a peer valid credentials found via dictionary attack). It also supports commands to add a new peer to the list and send a peer IP as a response.

“While IoT botnets have been around for years, mainly used for DDoS attacks, the discoveries made during the investigation of the Hide and Seek bot reveal greater levels of complexity and novel capabilities such as information theft – potentially suitable for espionage or extortion. It is also worth noting that the botnet is undergoing constant redesign and rapid expansion,” Botezatu concludes.

A recent NETSCOUT Arbor report on distributed denial of service attacks has revealed that compromised IoT devices can fuel new, complex assaults. The emergence of new IoT botnets such as Masuta or Satori has proved once again the need for improved security for Internet-connected devices.

“As IoT devices become increasing popularity in our modern lives, they also become more attractive to cybercriminals. In fact, in 2017 we recorded a record number of IoT vulnerabilities, with them more than doubling since 2016,” Nadav Avital, security research team leader at Imperva, told SecurityWeek in an emailed statement.

“This [Bitdefender] research also emphasizes the need for an account takeover solution which protects all devices with a network presence. Account takeover is a big problem, however it is not something which IoT vendors provide protection for. It is therefore a good idea for organizations to deploy an external solution for security,” Avital concluded.

A look into the cyber arsenal used by Lazarus APT hackers in recent attacks against financial institutions
25.1.2018 securityaffairs APT

Security experts at Trend Micro have analyzed malware and a tool used by the Lazarus APT group in the recent attacks against financial institutions.
Security experts at Trend Micro have analyzed the attacks conducted by the notorious Lazarus APT group against financial institutions.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems. Security researchers discovered that North Korean Lazarus APT group was behind attacks on banks, including the Bangladesh cyber heist.

In the last campaigns against financial firms, the cyber spies launched watering hole attacks and leveraged a variant of the Lazarus-linked RATANKBA Trojan.

“The malware known as RATANKBA is just one of the weapons in Lazarus’ arsenal. This malicious software, which could have been active since late 2016, was used in a recent campaign targeting financial institutions using watering hole attacks. The variant used during these attacks (TROJ_RATANKBA.A) delivered multiple payloads that include hacking tools and software targeting banking systems.” reads the analysis published by Trend Micro.

“We analyzed a new RATANKBA variant (BKDR_RATANKBA.ZAEL–A), discovered in June 2017, that uses a PowerShell script instead of its more traditional PE executable form—a version that other researchers also recently identified.“

The researchers identified and hacked in some servers used by the cyber spies for temporarily storing stolen data, the analysis of the backend revealed that around 55% of the victims were located in India and neighboring countries.

The majority of the victims were not using enterprise versions of Microsoft software, less than 5% of the victims were Microsoft Windows Enterprise users.

The IP addresses of the victims don’t belong to a large bank or a financial institution, according to Trend Micro victims are likely employees of three web software development companies in India and one in South Korea.

The RATANKBA Trojan is delivered via weaponized Office documents (containing topics related to cryptocurrencies and software development), CHM files, and script downloaders.

Experts noticed that attackers don’t implement a real-time communication with the malware. Once compromised a target machine, the attackers will use a Remote Controller tool to send jobs to the system, the queue of jobs is then processed by RATANKBA.

“During our analysis, we collected a copy of the RATANKBA malware’s Lazarus Remote Controller tool. The remote controller provides a user interface that allows attackers to send jobs to any compromised endpoint. The controller gives the attackers the ability to manipulate the victims’ host by queueing tasks on the main server. RATANKBA retrieves and executes the tasks, and retrieves the collected information.” continues the analysis.

The controller tools used by the Lazarus APT implements a graphical UI interface that allows hackers to push code to the server and download victim profiles from it.


Trend Micro also provided a profile of the members of the Lazarus APT group, the hackers appear to be native Korean speakers and at least one of them is believed to also understand Chinese.

“Given Lazarus’ use of a wide array of tools and techniques in their operations, it’s reasonable to assume that the group will continue to use ever-evolving tactics in their malicious activities.” concluded Trend Micro.

Critical code execution flaw in Electron framework impacts popular Desktop apps such as Skype and Signal
25.1.2018 securityaffairs

A critical RCE vulnerability in the Electron framework impacts popular desktop applications, including Skype, Signal, Slack, GitHub Desktop, Twitch, and
A remote code execution vulnerability tracked as CVE-2018-1000006 was fixed in the Electron framework, which is used by popular desktop applications, including Skype, Signal, Slack, GitHub Desktop, Twitch, and

Electron is a node.js, V8, and Chromium open-source framework that allows developers to use web technologies such as JavaScript, HTML, and CSS to build desktop apps.

The framework is currently being developed by GitHub, the Electron dev team released the versions v1.8.2-beta.4, electron v1.7.11, and electron v1.6.16 to address the issue.

“A remote code execution vulnerability has been discovered affecting Electron apps that use custom protocol handlers. This vulnerability has been assigned the CVE identifier CVE-2018-1000006.” states the Electron team in a post.

“Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable.

Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API.”


,Currently, more than 460 cross-platform desktop applications leverage the Electron framework, but the code execution flaw affects only that use custom protocol handlers, macOS and Linux are not vulnerable to the issue.

All three releases are available for download on GitHub.

The experts also provided a workaround to avoid the exploitation of the vulnerability.

“If for some reason you are unable to upgrade your Electron version, you can append “–“ as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options. The double dash “–“ signifies the end of command options, after which only positional parameters are accepted,” Electron explains.

Electron developers are advised to update their application immediately.

“We’ve published new versions of Electron which include fixes for this vulnerability:
, and
. We urge all Electron developers to update their apps to the latest stable version immediately.” Electron team added.

New HNS botnet has already compromised more than 20,000 IoT devices
25.1.2018 securityaffairs BotNet  IoT

A new botnet called Hide ‘N Seek (HNS botnet) appeared in the threat landscape, the malware is rapidly spreading infecting unsecured IoT devices, mainly IP cameras.
The HNS botnet was first spotted on January 10th by malware researchers from Bitdefender, then it disappeared for a few days, and it has risen over the weekend.

The number of infected systems grew up from 12 at the time of the discovery up to over 20,000 bots, at the time of writing.


“Bitdefender researchers have uncovered an emerging botnet that uses advanced communication techniques to exploit victims and build its infrastructure. The bot, dubbed HNS, was intercepted by our IoT honeypot system following a credentials dictionary attack on the Telnet service.” states the analysis from Bitdefender.

“The samples identified in our honeypots on Jan. 10 revolved around IP cameras manufactured by a Korean company. These devices seemed to play a major role in the botnet as, out of the 12 IP addresses hardcoded in the sample, 10 used to belong to Focus H&S devices. The new version, observed on Jan. 20, dropped the hardcoded IPs.”

Recently security experts spotted other IoT botnets, most of them linked to the Mirai botnet, such as Satori, Okiru, and Masuta, but the HNS botnet has a different genesis and doesn’t share the source code.

Researchers at Bitdefender found similarities between the HNS and the Hajime botnets, unlike Mirai, Hajime doesn’t use C&C servers, instead, it implements a peer-to-peer network.

Hajime is more sophisticated than Mirai, it implements more mechanisms to hide its activity and running processes and its modular structure allows operators to add new capabilities on the fly.

“It is the second known IoT botnet to date, after the notorious Hajime botnet, that has a decentralized, peer-to-peer architecture,” states Bitdefender. “However, if in the case of Hajime, the P2P functionality was based on the BitTorrent protocol, here we have a custom-built P2P communication mechanism.”

The HNS malware is able to infect a series of IoT devices using the exploit as Reaper, the current version is able to receive and execute several types of commands, such as data exfiltration, code execution and interference with a device’s operation.

According to the experts, the botnet is still under development, it doesn’t include DDoS capabilities, a circumstance that suggests it is intended to be deployed as a proxy network.

“While IoT botnets have been around for years, mainly used for DDoS attacks, the discoveries made during the investigation of the Hide and Seek bot reveal greater levels of complexity and novel capabilities such as information theft – potentially suitable for espionage or extortion.” concluded Bitdefender.

“It is also worth noting that the botnet is undergoing constant redesign and rapid expansion.”

The bot spread by randomly generates a list of IP addresses that could be potentially compromised. It then initiates a raw socket SYN connection to each potential target and continues communication with those devices that answer the request on specific destination ports (23 2323, 80, 8080).

Once the bot has established a connection it will look for a specific banner (“buildroot login:”) presented by the victim. If it gets this login banner, it attempts to log in using a list of default credentials. If the credentials are not correct, the botnet launches a dictionary attack using a hardcoded list.

Once connected to the victim, the malware will run through a “state machine” to determine the type of target device and select the most suitable compromise method. Experts explained that if the device shares the same network with the bot, the bot sets up TFTP server to allow the victim to download the malicious code from the bot. If the victim is located on the internet, the bot will attempt to use a specific remote payload delivery method to get the target device to download and execute the sample.

“These exploitation techniques are preconfigured and are located in a memory location that is digitally signed to prevent tampering. This list can be updated remotely and propagated among infected hosts.” continues the analysis.

Experts observed that the HNS botnet cannot establish persistence on infected devices, once the device restart, the malware will be removed, this means that botnet operators have to continuously manage the HNS botnet.

Let’s monitor the growth of the new-born botnet.

libcurl has had authentication leak bug dated back to before September 1999
25.1.2018 securityaffairs

According to a security advisory, libcurl is affected by a couple of issues, one of them might cause the leakage of authentication data to third parties.
libcurl is a free and easy-to-use client-side URL transfer library, it builds and works identically on numerous platforms.

According to a security advisory, libcurl is affected by a couple of issues, one of them might cause the leakage of authentication data to third parties.

The problem is related to the way it handles custom headers in HTTP requests.

“When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value.” states the advisory.

“Sending the same set of headers to subsequest hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client’s request. We are not aware of any exploit of this flaw.”

Applications that pass on custom authorization headers could leak credentials or information that could be abused by attackers to impersonate the libcurl-using client’s request.

This vulnerability tracked as CVE-2018-1000007 has been present since before curl 6.0, back to before September 1999. Affected versions are libcurl 7.1 to and including 7.57.0, later versions (7.58.0) are not affected, the patch was published on GitHub.

“In libcurl version 7.58.0, custom `Authorization:` headers will be limited the same way other such headers is controlled within libcurl: they will only be sent to the host used in the original URL unless libcurl is told that it is ok to pass on to others using the `CURLOPT_UNRESTRICTED_AUTH` option.” states the advisory.

“this solution creates a slight change in behavior. Users who actually want to pass on the header to other hosts now need to give curl that specific permission. You do this with [–location-trusted](–location-trusted) with the curl command line tool.”

libcurl is also affected by an “HTTP/2 trailer out-of-bounds read” vulnerability tracked as CVE-2018-1000005.

The issue is related to the code that creates HTTP/1-like headers from the HTTP/2 trailer data that appends a string like `”:”` to the target buffer (it was recently changed to `”: “` (a space was added after the colon) but the associated math wasn’t updated correspondingly.

“When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to the libcurl callback. This might lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.” reads the advisory.

The second issue, CVE-2018-1000005, is described as an “HTTP/2 trailer out-of-bounds read”. The advisory says “reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required.”

“When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to the libcurl callback. This might lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.”

Affected versions are libcurl 7.49.0 to and including 7.57.0, experts are not aware of any exploit of this vulnerability in the wild.

Spritecoin ransomware masquerades as cryptocurrency wallet and also harvests victim’s data
25.1.2018 securityaffairs

Fortinet discovered a strain of ransomware dubbed Spritecoin ransomware that only allows victims Monero payments and pretends to be a cryptocurrency-related password store.
Researchers from Fortinet FortiGuard Labs has discovered a strain of ransomware that only allows victims Monero payments and pretends to be a cryptocurrency-related password store.

The ransomware poses itself as a “spritecoin” wallet, it asks users to create their desired password, but instead of downloading the block-chain it encrypts the victim’s data files.

The malware asks for a 0.3 Monero ransom ($105 USD at the time of writing) and drops on the target system a ransom note of “Your files are encrypted.”


The malware includes an embedded SQLite engine, a circumstance that leads experts to believe it also implements a credentials harvesting feature for Chrome and Firefox credential store. The malicious code appends the .encrypted file extension to encrypted files (i.e. resume.doc.encrypted).

While decrypting the files, the Spritecoin ransomware also deploys another piece of malware that is able to harvest certificates, parse images, and control the web camera.

“In a cruel twist, if the victim decides to pay and obtain a decryption key they are then delivered a new malicious executable [80685e4eb850f8c5387d1682b618927105673fe3a2692b5c1ca9c66fb62b386b], detected as W32/Generic!tr.” reads the report.

“While have not yet fully analyzed this malicious payload, we can verify that it does have the capability to activate web cameras and parse certificates and keys that will likely leave the victim more compromised than before.”

The experts speculate the ransomware is being spread via forum spam that targets users interested in cryptocurrency.

“Ransomware is usually delivered via social engineering techniques, but can also be delivered without user interaction via exploits. These often arrive (but are not limited to) via email, exploit kits, malicious crafted Excel/Word/PDF macros, or JavaScript downloaders.” states the analysis published by Fortinet.

“The attacker often uses social engineering and carefully crafted malicious emails to trick and entice the victim to run these executables. These files are often seen using compelling file names to lure the victim into opening the file. Usually, the ransomware requires some user interaction to successfully compromise the victim’s machine.”

In this case, the threat arrives as a “SpriteCoin” package (spritecoind[.]exe) under the guise of a SpriteCoin crypto-currency wallet.”

Once installed on the victim’s machine, the malware will present a user with a prompt to “Enter your desired wallet password.”


When the victims provide their credentials the Spritecoin ransomware inform users it is downloading the blockchain, while it is actually encrypting the files.

The ransomware connects to a TOR site via an Onion proxy (http://jmqapf3nflatei35[.]*) that allows the victim to communicate with the attacker’s website without the need for a TOR connection.

Further details, including IoCs are included in the report.

Facebook Acquires ID Verification Startup Confirm
24.1.2018 securityweek

Facebook has acquired Confirm, a Boston-based startup that specializes in identity verification solutions. Financial terms of the deal have not been disclosed.

Confirm has developed APIs and SDKs that can be integrated into applications that require easy and secure authentication of driver’s licenses and other government IDs. The company’s product leverages advanced pattern analysis and forensic checks to determine if an ID is legitimate.

Before being acquired by Facebook, the company’s website said its products had been used by more than 750 organizations around the world to authenticate customer identity documents.

“When we launched Confirm, our mission was to become the market's trusted identity origination platform for which other multifactor verification services can build upon,” reads a message posted on the website following the acquisition. “Now, we're ready to take the next step on our journey with Facebook.”

Confirm has informed customers that it will wind down its existing ID authentication products. The company’s employees will join Facebook in Boston.

“We are excited to welcome the Confirm team to Facebook,” a Facebook spokesperson told SecurityWeek. “Their technology and expertise will support our ongoing efforts to keep our community safe.”

Facebook asks users to send a scan or photo of their ID to show account ownership or confirm their name. It is possible that the technology obtained as a result of the Confirm acquisition will be used to improve this system.

Confirm was founded by Walter Doyle, whose consumer mobile company was acquired by PayPal in 2011; mobile entrepreneur and venture capitalist Bob Geiman; and Ralph Rodriguez, founder of Delfigo Security, a multifactor authentication company acquired by IBM.

In January 2016, the company announced that it had raised $4 million in a seed funding round.

Bell Canada Hit by Data Breach
24.1.2018 securityweek Incindent

Bell Canada has started informing customers that their personal data has been compromised in a breach that reportedly affects up to 100,000 individuals.

Bell told customers that their names and email addresses were aaccessed by hackers, but the company said in an emailed statement that the attackers also obtained phone numbers, usernames and/or account numbers for a limited number of people. The telecoms company, however, says there is no evidence that credit card or banking information has been compromised.

In response to the incident, Bell has implemented additional authentication and identification requirements for accessing accounts. The company has also advised users to frequently change their password and security questions, and regularly review their financial and online accounts for unauthorized activity.

“The protection of consumer and corporate information is of primary importance to Bell,” John Watson, Executive Vice-President of Customer Experience at Bell Canada, told customers. “We work closely with the RCMP and other law enforcement agencies, government bodies and the broader technology industry to combat the growth of cyber crimes.”

Lisa Baergen, marketing director with Vancouver-based NuData Security, a Mastercard company, pointed out that even limited information such as names and email addresses can be useful to malicious actors.

“We all know bad actors are very talented at preparing fraud schemes with that information, such as phishing scams or dictionary attacks – where fraudsters try certain common passwords based on the user’s personal information,” Baergen said.

“Bell is doing the right thing by evaluating the extent of the damage and keeping customers updated,” she added. “However, to avoid damage after a breach, companies that share clients with Bell can consider applying multi-layered security solutions based on passive biometrics to protect their business and their customers from account takeover of another type of fraud. Online security technologies that evaluate a user or a transaction based on their behavior and not only on their – potentially stolen – static information, thwart all fraudulent attempts that inevitably come after a data breach.”

This is the second time Bell Canada has informed customers of a data breach. In May last year, the company admitted that approximately 1.9 million active email addresses and roughly 1,700 names and active phone numbers were accessed by a hacker.

Bell told SecurityWeek that the latest incident is unrelated to the cyberattack disclosed in May.

Apple Patches Meltdown Flaw in Older Versions of macOS
24.1.2018 securityweek Apple

Apple on Tuesday released security updates for a majority of its products, and it patched the vulnerability that allows Meltdown attacks in earlier versions of its Mac operating system.

Apple rolled out the first mitigations for the Meltdown attack before the flaws were disclosed, in early December, with the release of iOS 11.2, macOS 10.13.2 and tvOS 11.2. Protections against Spectre attacks were added on January 8 with the release of iOS 11.2.2, macOS High Sierra 10.13.2 Supplemental Update, and Safari 11.0.2.

The latest security updates released by the tech giant for Mac computers patch 17 vulnerabilities, including a kernel flaw that allows Meltdown attacks (CVE-2017-5754) in macOS Sierra 10.12.6 and OS X El Capitan 10.11.6.

The update for High Sierra also addresses several other kernel vulnerabilities that can be exploited to read restricted memory and execute arbitrary code with elevated privileges, including ones found by Jann Horn, the Google researcher who independently discovered the Meltdown and Spectre weaknesses.

Other macOS vulnerabilities patched on Monday affect the audio, cURL, LinkPresentation, QuartzCore, sandbox, security, WebKit and Wi-Fi components.

The updates for macOS High Sierra 10.13.2, macOS Sierra 10.12.6, and OS X El Capitan 10.11.6 also fix the IOHIDFamily local privilege escalation vulnerability disclosed by a researcher on New Year’s Eve. The expert disclosed the flaw without giving Apple the chance to release a patch, arguing that it’s not remotely exploitable and the PoC he made public is not stealthy.

iOS 11.2.5 patches 13 security holes, including in the audio, Bluetooth, kernel, LinkPresentation, QuartzCore, security, and WebKit components. Some of these flaws are the same ones that affect macOS.

Since watchOS and tvOS are also based on iOS, a majority of the vulnerabilities have also been patched in the Apple Watch and Apple TV operating systems.

The WebKit flaws have also been resolved by Apple in iCloud for Windows, iTunes for Windows, and Safari.

Despite being among the first vendors to start releasing patches, Apple is facing class action lawsuits over the Meltdown and Spectre CPU vulnerabilities. Apple’s processors are affected due to the fact that they use ARM technology.

Amazon Acquires Threat Hunting Firm Sqrrl
24.1.2018 securityweek Security

Sqrrl, a Cambridge, Mass.-based big data analytics startup that is commercializing NSA technology to help organizations detect threats lurking in their infrastructure, has been acquired by Amazon.

The company announced Tuesday that it has been acquired by Amazon and would be joining the Amazon Web Services (AWS) family.

Sqrrl Logo

Founded in 2012, Sqrrl has raised more than $28 million in funding, including $12.3 million in June 2017 and $7 million in February 2015.

At the core of Sqrrl Enterprise is Accumulo, a database project that began at the NSA in 2008 when the spy agency was searching for a platform that could meet its growing data challenges. In 2011, NSA open sourced Accumulo, which has since become a project at the Apache Foundation. Accumulo was inspired by Google's BigTable design and is built on top of Apache Hadoop, Zookeeper, and Thrift.

In the summer of 2012, a group of the core creators, committers, and contributors to the Accumulo project co-founded Sqrrl.

Built on top of Accumulo, Sqrrl’s software analyzes masses of data in order to uncover hidden patterns, trends, and links, and enables security analysts to visually navigate the relationships between assets and actors involved in a given event. As a result, security teams can detect and mitigate data breaches resulting from cyber-espionage, insider threats, and other types of hard-to-detect attacks.

Six of the seven original members of the Sqrrl had worked for the NSA.

The company did not provide details on how its technology would be integrated into AWS offerings, but it could be used to enhance Macie, a recently-launched security service that helps AWS users discover, classify and protect sensitive data. Amazon Macie uses machine learning to automatically identify and protect personally identifiable information (PII), intellectual property and other sensitive data, and informs users of how their data is being accessed or moved via dashboards and alerts.

“For now, it is business as usual at Sqrrl,” noted Mark Terenzoni, Sqrrl CEO. “We will continue to work with customers to provide advanced threat hunting capabilities. And, over time, we’ll work with AWS to do even more on your behalf.”

Terms of the acquisition were not disclosed, though Axios reported in December that talks were under way for Amazon to buy Sqrrl for "a bit north" of $40 million.

Sqrrl's financial backers include Spring Lake Equity Partners, Matrix Partners, Rally Ventures, Accomplice, and Atlas Venture.

Clothing Retailer Fallas Hit by Payment Card Breach
24.1.2018 securityweek Security

Clothing retailer National Stores, which operates 340 stores across the United States, informed customers this week that their payment card information may have been stolen by hackers.

Los Angeles, California-based National Stores, Inc. operates Fallas, Fallas Paredes, Fallas Discount Stores, Factory 2-U, Anna's Linens, and Falas stores in 22 U.S. states and Puerto Rico.

On December 22, the company learned from a third-party that its payment systems may have been breached by malicious hackers. An investigation launched by National Stores revealed that its point-of-sale (PoS) systems had been infected with malware.

According to the company, the malware may have stolen credit card information between July 16 and December 11, 2017. The compromised data includes names, payment card numbers, expiration dates, and security codes.

The list of potentially impacted stores includes more than 270 locations in California, New York, Nevada, Texas, Arizona, New Mexico, Illinois, Florida, Oklahoma, New Jersey, Massachusetts, Virginia, North Carolina, South Carolina, Maryland, Wisconsin, Michigan, Ohio, Georgia, and Puerto Rico. Over 90 of the affected stores are in California, followed by Texas, with 45 locations.

“We have been working closely with the FBI, cybersecurity experts, and payment card brands to contain the incident and protect our customers' payment cards,” said Michael Fallas, CEO of National Stores. “The malware has been removed from our system, and no customers will be responsible for any fraudulent charges to their accounts. We are in the process of strengthening the security of our point of sale systems to prevent this from happening in the future.”

The retailer has advised customers to keep a close eye on account statements and credit reports, and immediately notify their bank of any suspicious activity.

Fallas is not the only clothing retailer to suffer a payment card breach in recent years. The list also includes Brooks Brothers, Buckle, Forever 21 and Eddie Bauer.

World Economic Forum Announces Global Centre for Cybersecurity
24.1.2018 securityweek Cyber

The World Economic Forum (WEF) is establishing a new Global Centre for Cybersecurity "to help build a safe and secure global cyberspace."

This was announced at the 48th Annual Meeting currently taking place in Davos-Klosters, Switzerland. This year's WEF theme is Creating a Shared Future in a Fractured World. WEF's annual Global Risk Report for 2018 shows cyberattacks are now considered the third most serious global threat behind only extreme weather and natural disasters. Data fraud/theft is fourth.

World Economic Forum 2014
Aerial photo from the futuristic and stylish Intercontinental Hotel in Davos, Switzerland. The Annual Meeting of the World Economic Forum takes place in Davos-Klosters, Switzerland from January 23 to 26, 2018. (Image Credit: World Economic Forum)
The Global Centre for Cybersecurity is seen as providing a unique opportunity to promote a global public/private response to increasing cyber threats. Alois Zwinggi, managing director at the WEF and head of the new center said cybercrime is currently costing the world economy $500 billion annually and is still growing. "As such, addressing the topic is really important for us. The Forum sees a need for much greater collaboration in that space."

WEF describes five main areas of operation for the center: consolidating existing initiatives (such as its Cyber Resiliency Playbook); establishing a library of best practices; improving partners' understanding of cybersecurity; promoting a regulatory framework; and serving as a think tank for future cybersecurity scenarios (such as the fourth industrial revolution and the effect of quantum computing). Although not specified per se, a consistent theme for the new center will be global cybersecurity information sharing.

Rob Wainwright, Executive Director of Europol, said that the center has "absolutely full support from Europol." He explained that Europol, which includes the European Cybercrime Centre) can only function as well as it does because of the public/private networks it has established in Europe: "but it is not nearly enough... That's why I am so delighted that WEF, with its unique networking capability, is now establishing this Global Centre for Cybersecurity -- because it will interconnect a large, dynamic, a very important business community... and will take us to a new level of public/private cooperation."

The Global Centre for Cybersecurity will be located in Geneva, Switzerland, and will be operational in March 2018. Although under the umbrella of WEF, it will be autonomous. WEF spokesperson Georg Schmitt told SecurityWeek that it will be funded by members, with an initial investment of several million Swiss francs from the forum itself. Ongoing, he said in an email, "partner companies will have to pay a certain fee to join. Fees for governments, academia and civil society will be waived. We are planning to hire 20-30 staff this year alone."

It's not yet known how many 'government partners' will join the center. "We will be able to announce the government partners at a later stage, but to give you an impression: at our preparatory meeting in November representatives of almost 20 governments participated, including several G7 and G20 countries."

Effective threat information sharing between the public and private sectors is often seen as the holy grail of cybersecurity -- but has so far proved just as elusive. However, business, like cybercrime, is transnational; and if any organization is well-suited to tackle the problem it is a global business organization. "The announcement of the creation of a Global Security Centre at WEF is welcomed as a potentially hugely valuable way forward in coordinating the activities of nations against this scourge of modern times," Jim Palmer, CISO at ThinkMarble told SecurityWeek. "That said," he continued, "the proof of its effectiveness will be in the pudding -- adequate funding and the positive cooperation from all will be an essential enabler. As a cyber and information security company, we watch with interest."

Mark Noctor, VP EMEA at Arxan Technologies, is hopeful. "We are delighted to see a body with the global importance of the WEF addressing the growing sophistication of cyber threats," he told SecurityWeek. "This move by the WEF will help governments and international organizations to work more closely with industry, manufacturers and software providers to create safe environments and eliminate cyber threats."

But there are many who don't believe that WEF actually delivers on its potential. Bono famously described it as 'fat cats in the snow'. It has also been described as 'a mix of pomp and platitudes'. And there are many in the security industry who do not believe the new Center will achieve much.

"This is what happens when you get a bunch of politicians in a room who have no clear understanding on cybersecurity and the threats," comments Joseph Carson, Chief Security Scientist at Thycotic. "When the need to have a Global Centre for Cybersecurity is being discussed at the World Economic Forum it becomes a pointless political debate usually without industry experts' input."

Carson doesn't believe that centralizing the effort against cybercrime will be effective. "Cybersecurity is most effective when we work together collectively but decentralized. Being decentralized in cybersecurity is a strength as it reduces the risk. We have had this discussion for many years in the EU about a European Centre for Cybersecurity though in the EU, it has been important to be working as a collective and at the same time, being decentralized."

Nevertheless, the potential of a WEF-backed global cybersecurity center cannot be denied. "The Global Centre for Cybersecurity could ultimately become an organization that fosters industry change and helps to educate the market and reduce the success cybercriminals are having on a daily basis," said Sam Curry, chief security officer at Cybereason.

The question is whether the WEF can deliver. "It is premature to declare victory," he continued; "and ultimately whether or not this works is dependent upon the collaboration of enterprises and a focused and determined group of leaders. It is clear to me that there will be minimal success if the organization is filled with toothless sinecures for washed up security hacks."

Code Execution Flaw Impacts Popular Desktop Apps
24.1.2018 securityweek

A remote code execution vulnerability was addressed in the Electron framework, which powers highly popular desktop applications, including Slack, Skype, Signal, GitHub Desktop, Twitch,, and others.

Created in 2013, the framework allows developers to use web technologies such as JavaScript, HTML, and CSS to develop native desktop applications. An open source project maintained by GitHub and an active community of contributors, Electron uses Chromium and Node.js and supports Windows, macOS, and Linux platforms.

There are over 460 cross-platform desktop applications using Electron, but only those that use custom protocol handlers are impacted by the vulnerability. Only applications built for Windows are affected by the bug. macOS and Linux not vulnerable.

Tracked as CVE-2018-1000006, the flaw impacts Electron applications for Windows that register themselves as the default handler for a protocol, like myapp://.

According to Electron, these applications are vulnerable regardless of how the protocol is registered (using native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API).

The vulnerability was addressed with the release of electron v1.8.2-beta.4, electron v1.7.11, and electron v1.6.16. All three releases are available for download on GitHub.

“If for some reason you are unable to upgrade your Electron version, you can append “--“ as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options. The double dash “--“ signifies the end of command options, after which only positional parameters are accepted,” Electron explains.

Although only Windows applications that register themselves as handlers are affected by the remote code vulnerability, all Electron developers are advised to update their software to the latest stable version as soon as possible.

Are you a Tinder user? Watch out, someone could spy on you
24.1.2018 securityaffairs

Experts at security firm Checkmarx discovered two security vulnerabilities in the Tinder mobile apps that could be exploited to spy on users.
Security experts at Checkmarx discovered two security vulnerabilities in the Tinder Android and iOS dating applications that could be exploited by an attacker on the same wi-fi network as a target to spy on users and modify their content.

Attackers can view a target user’s Tinder profile, see the profile images they view and determine the actions they take.

“The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacker using the same network as the user to monitor the user’s every move on the app. It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other type of malicious content (as demonstrated in the research).” reads the analysis published by Checkmarx.

“While no credential theft and no immediate financial impact are involved in this process, an attacker targeting a vulnerable user can blackmail the victim, threatening to expose highly private information from the user’s Tinder profile and actions in the app.”

An attacker can conduct many other malicious activities, including intercepting traffic and launching DNS poisoning attacks.

The first issue is related to the fact that both the iOS and Android Tinder apps download profile pictures via insecure HTTP connections, this means that an attacker can access the traffic to determine which profiles are viewed by a Tinder user.


An attacker could also modify traffic for example to swap images.

“Attackers can easily discover what device is viewing which profiles,” continues the analysis. “Furthermore, if the user stays online long enough, or if the app initializes while on the vulnerable network, the attacker can identify and explore the user’s profile.” “Profile images that the victim sees can be swapped, rogue advertising can be placed and malicious content can be injected,”

Obviously, such kind of issue could be mitigated with the adoption of HTTPS.

Checkmarx also discovered another issue related to the use of HTTPS, the flaw was called “Predictable HTTPS Response Size”.

“By carefully analyzing the traffic coming from the client to the API server and correlating with the HTTP image requests traffic, it is possible for an attacker to determine not only which image the user is seeing on Tinder, but also which action did the user take.” states Checkmarx. “This is done by checking the API server’s encrypted response payload size to determine the action,”

An attacker that is in the position of analyzing the traffic can discover the user’s interest in a specific profile by detecting a 278-byte encrypted response that is delivered by the API server when he swipes left on a profile picture. Swiping right, the Tinder user likes a particular profile, in this case, the response generated is composed of 374 bytes.

The researchers also noticed that Tinder member pictures are downloaded to the app via HTTP connection, this makes possible for an attacker to view the profile images of those users being swiped left and right.

In order to mitigate this issue, researchers suggest padding requests, if the responses were padded to a fixed size, it would be impossible to discriminate the user’s action.

Checkmarx disclosed both vulnerabilities to Tinder.