Iran Used "Triton" Malware to Target Saudi Arabia: Researchers
15.12.2017 securityweek Virus
The recently uncovered malware known as “Triton” and “Trisis” was likely developed by Iran and used to target an organization in Saudi Arabia, according to industrial cybersecurity and threat intelligence firm CyberX.

FireEye and Dragos reported on Thursday that a new piece of malware designed to target industrial control systems (ICS) had caused a shutdown at a critical infrastructure organization somewhere in the Middle East.

CyberX has also obtained samples of the malware and based on its threat intelligence team's investigation, Triton/Trisis was likely created by Iran and the victim was likely an organization in Saudi Arabia.

“It's widely believed that Iran was responsible for destructive attacks on Saudi Arabian IT networks in 2012 and more recently in 2017 with Shamoon, which destroyed ordinary PCs. This would definitely be an escalation of that threat because now we're talking about critical infrastructure -- but it's also a logical next step for the adversary,” Phil Neray, VP of Industrial Cybersecurity for CyberX, told SecurityWeek.

“Stuxnet and more recently Industroyer showed that modern industrial malware can be used to reprogram and manipulate critical devices such as industrial controllers, and Triton appears to be simply an evolution of those approaches,” Neray added.

FireEye and Dragos would not comment on CyberX’s theory about Triton being developed and used by Iran. FireEye did however note in its report that the methods used were consistent with attacks previously attributed to Russian, Iranian, U.S., North Korean and Israeli nation-state actors.

Triton is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially dangerous situation.

The malware uses the proprietary TriStation protocol to communicate with SIS controllers, and it’s capable of adding new ladder logic that allows the attackers to manipulate devices.

In the attack analyzed by FireEye and Dragos, the hackers’ activities resulted in the SIS controller triggering a process shutdown, which led to the discovery of the attack. However, experts believe the shutdown was likely an accident. One possible scenario is that the attackers were conducting reconnaissance as part of an operation whose ultimate goal was to cause physical damage.

Schneider Electric has published an advisory to inform customers about the incident and provide recommendations on how to prevent potential attacks. The company says there is no evidence that the malware exploits any vulnerabilities in the Triconex product, but it’s still working on determining if there are any other attack vectors.

“I think it's a little comical that Schneider Electric felt obliged to state that the attack did not leverage any vulnerabilities in the Tritex product,” Neray commented. “OT environments are ‘vulnerable by design’ because they lack many of the controls we now take for granted in IT networks such as strong authentication. As a result, once an attacker gets into the OT network -- by stealing credentials or connecting an infected laptop or USB, for example -- they have almost free rein to connect to any control device they choose, and then reprogram them with malicious ladder logic to cause unsafe conditions. Based on the FireEye report, this appears to be exactly what the TRITON attackers did, similar to the way Industroyer modified ABB configuration files to perform its attack on the Ukrainian grid.”
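One network-level check that follows from Neray's point: TriStation traffic to a safety controller should only ever originate from a handful of engineering workstations, so any other host talking TriStation is worth an alert. The script below is an added example, not code from FireEye, Dragos, CyberX or Schneider. It assumes TriStation's UDP/1502 service port (taken from public protocol documentation, not from this article), and the controller addresses, workstation allowlist and NetFlow-style records are all constructed.

```python
"""Flag TriStation sessions to Triconex SIS controllers from hosts that are
not approved engineering workstations (added example; constructed data).
"""
from collections import defaultdict
from dataclasses import dataclass

TRISTATION_PORT = 1502     # assumption: UDP port used by the TriStation protocol

# Constructed asset inventory for one OT segment.
SIS_CONTROLLERS = {"10.20.30.10", "10.20.30.11"}
ENGINEERING_WORKSTATIONS = {"10.20.30.5"}

# Constructed flow export: "timestamp proto src:sport dst:dport bytes"
SAMPLE_FLOWS = """\
2017-12-14T02:10:05 udp 10.20.30.5:49152 10.20.30.10:1502 840
2017-12-14T02:11:30 udp 10.20.30.5:49153 10.20.30.11:1502 512
2017-12-14T03:41:12 udp 10.20.30.77:61000 10.20.30.10:1502 12288
2017-12-14T03:41:13 udp 10.20.30.77:61000 10.20.30.10:1502 3072
2017-12-14T03:50:00 tcp 10.20.30.77:61001 10.20.30.10:502 200
""".strip().splitlines()


@dataclass(frozen=True)
class Flow:
    ts: str
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    size: int


def parse_flow(line: str) -> Flow:
    """Parse one whitespace-separated flow record."""
    ts, proto, src, dst, size = line.split()
    s_ip, s_port = src.rsplit(":", 1)
    d_ip, d_port = dst.rsplit(":", 1)
    return Flow(ts, proto, s_ip, int(s_port), d_ip, int(d_port), int(size))


def is_tristation(flow: Flow) -> bool:
    """TriStation: UDP to the TriStation port on a known SIS controller."""
    return (flow.proto == "udp" and flow.dport == TRISTATION_PORT
            and flow.dst in SIS_CONTROLLERS)


def find_unauthorised_tristation(lines) -> dict:
    """Return {source_ip: [controllers]} for TriStation talkers outside the allowlist."""
    hits = defaultdict(set)
    for line in lines:
        flow = parse_flow(line)
        if is_tristation(flow) and flow.src not in ENGINEERING_WORKSTATIONS:
            hits[flow.src].add(flow.dst)
    return {src: sorted(dsts) for src, dsts in hits.items()}


def report(lines) -> None:
    for src, ctrls in find_unauthorised_tristation(lines).items():
        print(f"ALERT: {src} spoke TriStation to SIS controller(s) "
              f"{', '.join(ctrls)} but is not an approved engineering workstation")


if __name__ == "__main__":
    report(SAMPLE_FLOWS)
```

The Modbus/TCP flow on port 502 in the sample is deliberately ignored: the check is scoped to the protocol that can reprogram the safety controller. An allowlist like this only complements the physical controls on the controller itself; it does not replace them.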

Hackers Target Security Firm Fox-IT
15.12.2017 securityweek Hacking
Fox-IT, the Netherlands-based cybersecurity firm owned by NCC Group, revealed on Thursday that it had been the victim of a man-in-the-middle (MitM) attack made possible by DNS records getting changed at its third-party domain registrar.

The incident took place back in September and Fox-IT decided to disclose it now after conducting a detailed analysis. A law enforcement investigation is ongoing so the company has not shared any information on who might be behind the attack.

The security firm traced the attackers’ initial activities to September 16, when it detected port and vulnerability scanning attempts. Then, on September 19, using compromised credentials, the hackers changed the DNS records for the company’s domain at its third-party domain registrar.

The main target was apparently Fox-IT’s ClientPortal, an application used to securely exchange files with customers and suppliers.

For a total of roughly 10 minutes, the attackers also rerouted Fox-IT’s email, long enough to pass a certificate authority’s email-based proof of domain ownership and fraudulently obtain an SSL certificate for the ClientPortal hostname.

Shortly after that, the rogue SSL certificate was used for an MitM attack on ClientPortal, with traffic to the portal routed through a virtual private server (VPS) provider abroad.

Fox-IT noticed the malicious activity after roughly five hours and quickly worked to restore DNS settings and secure its account with the domain registrar. However, due to caching and how DNS works, it took some time for the changes to take effect and the MitM attack was carried out for 10 hours and 24 minutes.

During this time, the attacker managed to intercept the credentials of nine users, one mobile phone number, a “subset” of names and email addresses, ClientPortal account names, and 12 files, including three that contained confidential client information, Fox-IT said. All affected customers have been notified.

The security firm has not been able to determine what other messages the hackers may have intercepted during the 10 minutes while they had control over Fox-IT email.

After discovering the incident, the company said it blocked the attacker from intercepting additional customer information by disabling the two-factor authentication (2FA) mechanism on the ClientPortal application. Because 2FA is mandatory on the portal, this prevented customers from logging in at all, which stopped further credential capture without signalling to the attackers that the intrusion had been detected, so Fox-IT could continue observing their actions.

Fox-IT believes the attackers likely gained access to its DNS registrar account using credentials that were leaked following a breach at a third-party service provider. The password had not been changed by the security firm since 2013, and the DNS provider does not offer 2FA, allowing the hackers to easily change DNS records.

“The use of full packet capture and CTMp network sensors was crucial in determining the scope of the attack,” Fox-IT said in a blog post. “We could, within a few hours of finding out about the attack, determine exactly who was affected and what the scope of the attacker was. This helped us to understand the incident with confidence and to quickly notify those directly affected and the Dutch Data Protection Authority.”

It’s not uncommon for cybersecurity firms and their employees to be targeted by hackers. For example, Kaspersky and Avast’s CCleaner were breached by sophisticated actors, while Bitdefender and FireEye were targeted by individuals who made exaggerated claims.

Synaptics to Remove "Keylogger" Functionality From Drivers
15.12.2017 securityweek Vulnerability
Synaptics says recent reports inaccurately characterized a debugging tool found in its touchpad drivers as a keylogger, but the company has decided to remove the functionality from its products.

Earlier this month, a researcher reported finding what appeared to be keylogger functionality in a Synaptics touchpad driver shipped with hundreds of HP laptops. The functionality is disabled by default, but a user with administrator privileges can enable it and abuse it to log keystrokes.

The vulnerability, tracked as CVE-2017-17556, was reported to HP and patched by the company in November.

HP classified the vulnerability as medium severity (CVSS score of 6.1), and Synaptics has assigned it a low severity rating (CVSS score of 2.0). Some people agree that the flaw is not serious, arguing that an attacker with administrator privileges can install a proper keylogger and other types of malware.

Synaptics said the functionality was added to some of its drivers for diagnosing, tuning and debugging touchpads, but it was disabled before being shipped to customers. The same drivers are provided to other PC manufacturers, not just HP, but no other company has been named to date.

“Synaptics believes now, for best industry practices, that it should remove this debug tool for production versions of the driver,” the firm said. “Synaptics is unaware of any breach of security related to this debug tool.”

The company says it’s working with partners to identify affected products and release new drivers. It also recommends restricting administrator access to systems in order to prevent unauthorized activities.

“Synaptics takes great pride in making sure that its TouchPad drivers and other products meet industry-best security standards. In our new normal of heightened concern for security and privacy, Synaptics would like to apologize for any concerns that our debug tool may have raised. We have a path to immediately address this issue and other security concerns should they arise,” Synaptics stated.

Nigerian Sentenced to Prison in U.S. for BEC Scams
15.12.2017 securityweek Crime
A Nigerian national has been sentenced by a United States court to 41 months in prison for his role in business email compromise (BEC) scams, the Department of Justice announced on Thursday.

The scammer, David Chukwuneke Adindu, was arrested by U.S. authorities in November 2016. He pleaded guilty in June to one count of conspiracy to use a means of identification in connection with a federal crime, and one count of conspiracy to commit wire fraud. He faced at least 15 years in prison for his crimes.

In addition to the prison sentence, the Nigerian has been ordered to pay $1.4 million in restitution.

According to prosecutors, Adindu, who resided in both Nigeria and China, was part of a scheme that involved sending out specially crafted emails designed to trick organizations into wiring significant amounts of money to bank accounts controlled by him and his co-conspirators. The man took part in the operation between 2014 and 2016.

These types of emails typically purport to come from managers at the targeted company or known business partners and they instruct recipients to wire money to a specified account. The scam is referred to as a business email compromise scam because the attacker often hacks into the targeted organization’s email accounts to obtain information that can be leveraged to make the wire transfer requests more credible.
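The tells described above (an executive's name on an address that is not the executive's, a Reply-To that leads somewhere else, a payment instruction) are what a mail gateway can score before a message reaches the finance team. The script below is an added example, not from the DoJ release or the article, and does not describe Adindu's emails. The company domain, the executive directory, the keyword list and the two messages are constructed; the four checks are assumptions about what a typical BEC rule set looks for.

```python
"""Score an inbound message for business-email-compromise (BEC) indicators
(added example; constructed directory, domain and messages).
"""
import email
from email.message import Message
from email.utils import parseaddr

COMPANY_DOMAIN = "example-corp.com"                       # constructed
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}    # constructed directory
PAYMENT_WORDS = ("wire", "transfer", "payment", "urgent", "account")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; distance 1 from our own domain is the classic lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rpartition("@")[2].lower()


def body_text(msg: Message) -> str:
    """Plain-text body, joining text/plain parts of a multipart message."""
    if not msg.is_multipart():
        return msg.get_payload()
    return " ".join(p.get_payload(decode=True).decode("utf-8", "replace")
                    for p in msg.walk() if p.get_content_type() == "text/plain")


def bec_indicators(raw: str) -> list:
    """Return human-readable indicators; an empty list means nothing fired."""
    msg = email.message_from_string(raw)
    found = []
    name, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)

    # 1. An executive's display name on an address that is not the executive's.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        found.append(f"display name '{name}' but sender is {addr}")

    # 2. Replies are steered to a different domain than the one that sent the mail.
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != from_domain:
        found.append(f"Reply-To domain {domain_of(reply_to)} differs from From domain {from_domain}")

    # 3. Sender domain is one character away from our own.
    if from_domain != COMPANY_DOMAIN and edit_distance(from_domain, COMPANY_DOMAIN) == 1:
        found.append(f"sender domain {from_domain} is a lookalike of {COMPANY_DOMAIN}")

    # 4. Payment language in subject or body.
    text = (msg.get("Subject", "") + " " + body_text(msg)).lower()
    words = [w for w in PAYMENT_WORDS if w in text]
    if len(words) >= 2:
        found.append("payment language: " + ", ".join(words))
    return found


# Constructed messages: one impersonation attempt, one ordinary internal mail.
SAMPLE_SPOOF = """\
From: Jane Doe <jane.doe@example-c0rp.com>
Reply-To: jane.doe.ceo@webmail.example
To: accounts@example-corp.com
Subject: Urgent wire transfer

Please process the attached payment to the new supplier account today.
"""
SAMPLE_LEGIT = """\
From: Jane Doe <jane.doe@example-corp.com>
To: accounts@example-corp.com
Subject: Lunch Friday

Are we still on for Friday?
"""

if __name__ == "__main__":
    for label, raw in (("spoof", SAMPLE_SPOOF), ("legit", SAMPLE_LEGIT)):
        print(label, "->", bec_indicators(raw) or "clean")
```

None of these checks proves fraud on its own; a gateway would weight them and, for anything touching payments, route the message to a verification step that does not rely on replying to the email.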

Last year, the FBI received over 12,000 complaints related to BEC and EAC (email account compromise) scams, with losses totaling more than $360 million.

Authorities said the scheme Adindu was involved in targeted thousands of victims around the world and attempted to defraud them of more than $25 million. Reuters learned from the man’s lawyer that his main role was to set up bank accounts in China and Hong Kong.

Adindu is not the first Nigerian sentenced in the United States. Earlier this year, three individuals were given prison sentences totaling 235 years for their role in a massive scheme that involved romance scams, identity theft, fraud and money laundering.

New "PRILEX" ATM Malware Used in Targeted Attacks
15.12.2017 securityweek Virus
Trend Micro security researchers recently discovered a highly targeted piece of malware designed to steal information from automated teller machines (ATMs).

Dubbed PRILEX and written in Visual Basic 6.0 (VB6), the threat was designed to hijack a banking application and steal information from ATM users. The malware was spotted in Brazil, but similar threats could prove as harmful anywhere around the world, the security researchers say.

First reported in October 2017, PRILEX was designed to hook certain dynamic-link libraries (DLLs) and replace them with its own application screens. The targeted DLLs (P32disp0.dll, P32mmd.dll, and P32afd.dll) belong to the ATM application of a bank in Brazil.

Because of this atypical behavior, the researchers concluded that the malware was being used in a highly targeted attack. What’s more, the threat only affects a specific brand of ATMs, meaning that its operators likely analyzed the machines to devise their attack method, Trend Micro explains.

After infecting a machine, the malware starts operating jointly with the banking application. Thus, the malware can display its own fake screen requesting the user to provide their account security code. The code is delivered to the user as part of a two-factor authentication method meant to protect ATM and online transactions, and the malware captures and stores the code.

The malware attempts to communicate with the command and control (C&C) server to send stolen credit card data and account security code. The security researchers believe the malware’s operators might be dealing bulk credit card credentials.

“To our knowledge, this is the first ATM malware that assumes it is connected to the internet. It is likely that this bank’s ATMs are connected, since the attackers seem to be very familiar with this particular bank’s methods and processes,” Trend Micro says.

PRILEX also shows that cybercriminals can analyze the methods and processes of any bank to abuse them in highly targeted attacks. Thus, all financial institutions should take this into consideration when defending their ATM infrastructure, especially since a silent attack such as this could go unnoticed for months, if not years.

At the DefCamp conference in Bucharest in early November, Kaspersky Lab’s Olga Kochetova and Alexey Osipov explained how easy it is to create ATM botnets. Discoverable online, these devices are susceptible to a broad range of attacks and infecting a single machine could allow attackers to compromise a bank’s entire network.

“A targeted malware likely took significant time and resources to develop. This shows that in today’s world, criminals consider that a worthwhile investment. Gone are the days when banks were seen as unassailable—now they are simply the biggest fish in the sea. It is not easy to kill a whale, but it is possible—and doing so allows an attacker to eat for a long time,” Trend Micro notes.

CUTLET MAKER gets cracked

In addition to PRILEX, Trend Micro analyzed CUTLET MAKER, a relatively new ATM malware that was first detailed in October this year. A run-of-the-mill program, the malware consists of multiple components and can be run from a USB memory stick connected to an ATM. The malware relies on the Diebold Nixdorf DLL (CSCWCNG.dll) to send commands to the ATM’s dispensing unit.

Designed to empty the ATM of all its banknotes, the malware was found being sold on underground markets for as much as $5,000. However, it appears that competitors have already managed to crack its code, allowing anyone to use it for free.

Each time the malware is executed, a code is required to use the program and empty the ATM. Apparently, the threat doesn’t use time-based codes, but just an algorithm, which means that the same input would generate the same output, and some cybercriminals have already built a “key generator” to automatically calculate the return code.

“The code is available on the internet and relatively easy to find. This means that anybody can start victimizing ATMs without having to pay for the program—or at least ATMs with an accessible USB port,” Trend Micro says.

Thus, some have started selling the malware along with the keygen for much lower prices compared to the original. It appears that the malware’s developers haven’t responded yet, and no new version of the tool that uses a different algorithm has been released.

Study Examines Value of Data
15.12.2017 securityweek IT
IP is Valued Above Email but Below PII, Survey Finds

In mitigating an asset-risk by risk transfer (such as an insurance policy), the value of the asset is directly related to the cost of the transfer (the insurance premium). The same principle should be applied to other forms of risk mitigation, such as defending the asset. Where the asset is data, an information security policy should reflect the value of the data -- but this assumes that the value of data is understood.

Trustwave, a Chicago, IL-based threat, vulnerability and compliance management firm, wanted to see how organizations value the prime categories of the data they hold -- which it assumes to be personally identifiable information (PII), payment card data (PC), intellectual property (IP), and email content information. It commissioned Quocirca to analyze the financial value placed by different industry segments in different geographical regions on these four categories of data. Five hundred IT and risk managers were surveyed in the U.S., Canada, Australia, Japan and the UK (100 for each region).

Two specific metrics are used in the ensuing report (PDF): the per capita value (PCV) for data; and a data risk vigilance (DRV) score. PCV is calculated by dividing the overall value of a data set by the number of records it contains. It consequently provides a subjective view for each organization. The same principle was also applied to discover the comparative data PCVs for the criminal fraternity and regulators.

The second metric, the DRV score, isn't simply a question of security budgets, but aggregates ten factors -- four relating directly to risk, four to data value assessments and two to the impact of data theft.

The results are surprising in their diversity. For example, U.S. professionals value their PII data at more than twice the PCV value asserted by their UK counterparts ($1,820 versus $843). The difference may be less today following the recent 20% fall in the value of the pound, but is still surprising.

It would be tempting to think this might reflect the vast number of data protection regulations, both state and federal, in the U.S.; and that simply for compliance reasons US security officers value data more highly. If this were so, then the UK PCV would likely increase dramatically from next year when the GDPR with its very high non-compliance sanctions comes into effect.

Ziv Mador, VP security research at Trustwave, doesn't believe this is the cause of the difference. "It is likely," he told SecurityWeek, "that the sheer volume of PII held in the U.S. by the big international organizations, and the knowledge that they are a tempting target for attackers, increases the awareness of PII value." If this is the case, GDPR will more likely increase the disparity between the U.S. and the UK since it will still be U.S. organizations holding huge amounts of European PII.

Many of the findings of this survey and analysis are easy to understand and explain. For example, PII (which includes personal health information -- PHI) gets the highest overall PCV rating. This is understandable given the potential cost of a breach, including law-suits, regulatory fines, and the cost of restitution. This is followed by IP and payment card data -- again understandable in that card data is often held by third parties. More surprising, however, is that email is given the lowest PCV by a long distance.

Email seems not to be considered a serious area of concern despite the volume of sensitive data often sent within it. This ranges from PII to IP and user passwords in clear text. While IP is given a high value, emails that often contain IP or access to it are not. The demise of Nortel is a case in point. Hackers had access to Nortel for about a decade. An investigation subsequently found two rootkits giving the hackers remote access to corporate email. It is believed that IP stolen from Nortel enabled competitors from China to produce almost identical products at a fraction of the cost -- ultimately leading to Nortel's demise.

It would appear from the Trustwave survey that many organizations have still not learned the true value of, and threat from, email; and are likely to inadequately defend it. This is potentially confirmed in the report's second metric -- the data risk vigilance score. PC data replaces PII as the category receiving the greatest vigilance. This may be because companies holding large amounts of PC data (merchants, for example) hold lesser amounts of other types of data, and consequently bias the overall result.

Despite the example of Nortel in the importance of IP, IP ranks only third. Corporate email is a relatively distant fourth.

The strength of this report is that it will likely make organizations question whether they have correctly valued their own data, and have consequently applied the correct level of security controls for their different assets.

"Today," explains Mador, "data is one of the most valuable commodities possessed by any business. Whether that data belongs to the organization itself, its employees, suppliers or customers, it has a duty to protect that data to the best of its ability. Companies that fail to accurately value their data are unlikely to make the right decisions regarding the level of cyber security investments to protect that data and are those most likely to fall short of regulations, such as the upcoming European Union General Data Protection Regulation (GDPR) coming into effect in 2018."

The biggest single takeaway is that companies should perhaps re-evaluate both the PCV and DRV they apply to their corporate email systems.

Facebook Releases New Certificate Transparency Tools
15.12.2017 securityweek Krypto  Social
Following the release of the Certificate Transparency Monitoring utility in December 2016, Facebook has decided to release new tools for developers using the Certificate Transparency framework.

Last year’s tool was designed to provide access to data collected through Facebook’s own service monitoring the issuance of TLS certificates. It leverages Google’s Certificate Transparency (CT) framework, which can detect mis-issued TLS certificates and stop attempts to leverage them to intercept HTTPS traffic.

The tool allows developers to search for certificates and receive alerts when a new certificate is issued for their domains. By alerting a domain owner as soon as a certificate for their domain is logged to Certificate Transparency Logs (CT logs), it helps the owner spot a mis-issued certificate before it can be used for man-in-the-middle attacks.

With hundreds of Certificate Authorities (CAs) issuing publicly-trusted TLS certificates for any website out there, a single breach at any CA could result in the mis-issuance of publicly-trusted TLS certificates, the company says.

“We match every new certificate with a set of domain subscriptions in our system, and we notify respective subscribers about the updates. If a domain owner receives a notification that a CA issued a certificate for their domain without an explicit request, they will likely want to contact the CA, make sure their identity is not compromised, and consider revoking the certificate,” Facebook explains.

To provide push-based integrations with its system, Facebook is now releasing a Webhooks API, which allows developers to register a webhook and define domains for monitoring instead of periodically pulling certificates from external sources or waiting for notifications. Each time a new certificate is issued for these domains, information about the certificate is sent to the developer-specified endpoint.
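The matching step Facebook describes ("we match every new certificate with a set of domain subscriptions") is the part a receiving webhook has to get right, and it is exactly what would have surfaced the rogue ClientPortal certificate in the Fox-IT incident above within minutes of it being logged. The script below is an added example; it is not Facebook's code and does not reproduce the payload format of its Webhooks API. It assumes a subscription is a hostname or a "*.domain" pattern with the issuers the owner expects, that a log entry is a dict carrying the certificate's subject names and issuer, and all names, issuers and entries are constructed.

```python
"""Match CT log entries against domain subscriptions and raise an alert when a
certificate for a watched name comes from an issuer the owner did not expect
(added example; constructed subscriptions and entries).
"""
from dataclasses import dataclass, field


@dataclass
class Subscription:
    pattern: str                          # "portal.corp.example" or "*.corp.example"
    expected_issuers: set = field(default_factory=set)


def _norm(name: str) -> str:
    return name.lower().rstrip(".")


def cert_covers(san: str, host: str) -> bool:
    """Does a certificate name cover host? A '*.' wildcard spans exactly one label."""
    san, host = _norm(san), _norm(host)
    if san.startswith("*."):
        return host.count(".") == san.count(".") and host.endswith(san[1:])
    return san == host


def subscription_matches(pattern: str, san: str) -> bool:
    """A hostname subscription fires for any certificate that covers the host;
    a '*.domain' subscription fires for the domain and everything beneath it."""
    pattern, san = _norm(pattern), _norm(san)
    if pattern.startswith("*."):
        base = pattern[2:]
        host = san[2:] if san.startswith("*.") else san
        return host == base or host.endswith("." + base)
    return cert_covers(san, pattern)


def evaluate(entry: dict, subscriptions) -> list:
    """One alert per subscription the certificate touches; 'high' when the
    issuer is not one the domain owner listed as expected."""
    alerts = []
    for sub in subscriptions:
        hit = [n for n in entry["subject_names"] if subscription_matches(sub.pattern, n)]
        if hit:
            alerts.append({
                "subscription": sub.pattern,
                "names": hit,
                "issuer": entry["issuer"],
                "severity": "info" if entry["issuer"] in sub.expected_issuers else "high",
            })
    return alerts


def high_alerts(entries, subscriptions) -> list:
    return [a for e in entries for a in evaluate(e, subscriptions)
            if a["severity"] == "high"]


# Constructed data standing in for a stream of webhook deliveries.
SUBSCRIPTIONS = [
    Subscription("portal.corp.example", {"Trusted CA One"}),
    Subscription("*.corp.example", {"Trusted CA One"}),
]
ENTRIES = [
    {"subject_names": ["portal.corp.example"], "issuer": "Trusted CA One"},   # own renewal
    {"subject_names": ["portal.corp.example"], "issuer": "Trusted CA Two"},   # nobody requested this
    {"subject_names": ["*.corp.example"], "issuer": "Trusted CA Two"},        # wildcard also covers the portal
    {"subject_names": ["portal.other.example"], "issuer": "Trusted CA Two"},  # not ours
]

if __name__ == "__main__":
    for a in high_alerts(ENTRIES, SUBSCRIPTIONS):
        print(f"HIGH: {a['issuer']} issued for {a['names']} (subscription {a['subscription']})")
```

The wildcard handling matters: a "*.corp.example" certificate from an unexpected CA must alert the owner of portal.corp.example even though the literal name never appears in the entry. A "high" alert is the cue for the steps Facebook recommends, contacting the CA, checking whether your own identity or DNS was compromised, and revoking the certificate.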

Additionally, the social media giant announced the release of an API that allows certificates to be queried programmatically. Since retrieving detailed information about millions of certificates and analyzing them without proper infrastructure is difficult, the interface was designed to return certificate metadata for the domain names that match a given query.

Developers using the Certificate Transparency features were initially notified by email about new certificates issued for their domains. Starting this year, certificate updates are also delivered as push notifications on Facebook, and any developer who creates a subscription can take advantage of this feature.

Facebook is currently monitoring over 20 publicly available CT logs and says it sends around 2,500 notifications every day. Around 40,000 new certificates are observed in CT logs every hour, and that number is expected to grow next year, when Google Chrome will start requiring newly issued publicly trusted website certificates to be logged in CT logs. To ensure scalability, the same backend system that powers the Facebook Graph is used to search through the logged certificates.

The social network company also notes that it is currently working on implementing the Expect-CT header, meaning that compatible browsers will require that certificates used to access Facebook are logged to public CT logs first.

Google Details How It Protects Data Within Its Infrastructure
14.12.2017 securityweek Krypto
Google has decided to share detailed information on how it protects service-to-service communications within its infrastructure at the application layer, and on the system it uses to do so.

Called Application Layer Transport Security (ALTS), the technology was designed to authenticate communication between Google services and keep data protected while in transit inside Google’s infrastructure. Data sent to Google from the outside is protected separately, using standard secure communication protocols such as TLS (Transport Layer Security).

According to the Web search giant, it started development of ALTS in 2007, when TLS was bundled with support protocols that did not satisfy the company’s minimum security standards. Thus, the company found it more suitable to design its own security solution than patch an existing system.

Google describes ALTS as “a highly reliable, trusted system that provides authentication and security for […] internal Remote Procedure Call (RPC) communications,” one that ensures security within the company’s infrastructure.

The system, Google explains, requires minimal involvement from the services themselves, as data is protected by default. All RPCs issued or received by a production workload are protected by ALTS by default, as long as they stay within a physical boundary controlled by or on behalf of Google.

According to Google, the ALTS configuration is transparent to the application layer, and all cryptographic primitives and protocols used by ALTS are kept up to date with currently known attacks. ALTS authenticates primarily by identity rather than by host name: the system relies on each workload having an identity, expressed as a set of credentials. After an initial ALTS handshake, connections can be persisted for a longer time to improve overall system performance. Finally, ALTS is considerably simpler than TLS because Google controls both clients and servers, the company says.

Benefits of ALTS also include more precise security. Workloads that run on the same machine can authenticate using their own identity rather than the machine’s identity, Google explains in a whitepaper detailing the system. Overhead of potentially expensive cryptographic operations is reduced with ALTS.

ALTS also offers improved scalability, courtesy of an efficient resumption mechanism embedded in its handshake protocol. The system can also accommodate authentication and encryption needs for a large number of RPCs (services on Google production systems collectively issue on the order of O(10^10) RPCs per second), the company says.

The system also includes a wide array of features designed to ensure security and scalability, and features a flexible trust model suited for different types of entities on the network (physical machines, containerized workloads, and even human users).

Within Google’s infrastructure, all scheduled production workloads are initialized with a certificate that is securely delivered and which asserts their identity. The remote peer identity and certificate are verified when a workload is involved in an ALTS handshake. Certificates have a relatively short lifespan.

ALTS uses a Diffie-Hellman (DH) based authenticated key exchange protocol for handshakes and provides applications with an authenticated remote peer identity that can be used for fine-grained authorization policies at the application layer, the company explains.

“After a handshake is complete and the client and server negotiate the necessary shared secrets, ALTS secures RPC traffic by forcing integrity, and optional encryption, using the negotiated shared secrets. We support multiple protocols for integrity guarantees, e.g., AES-GMAC and AES-VMAC with 128-bit keys,” Google says.

When traffic leaves a physical boundary controlled by or on behalf of Google, protocols are automatically upgraded to ensure encryption and integrity. AES-GCM and AES-VCM protocols with 128-bit keys are employed in such cases, the company also explains.
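The shape of what the last three paragraphs describe, in working code, as an added example that is not Google's ALTS implementation: each workload presents an identity bound to its handshake key, the two sides agree a shared secret with Diffie-Hellman and derive per-direction keys, and records are then protected with integrity only inside the trusted boundary and with authenticated encryption once they leave it. Assumptions: X25519 stands in for the DH group ALTS uses; a workload credential is an HMAC over (identity, DH public key) under a constructed cluster secret, standing in for the certificates ALTS issues; AES-GMAC is realised as AES-GCM with an empty plaintext and the record as associated data, which is how GMAC relates to GCM. It needs the third-party 'cryptography' package.

```python
"""ALTS-style channel: identity-bound handshake, per-direction 128-bit keys,
integrity-only records inside a boundary and AEAD outside (added example).
"""
import hashlib
import hmac
import os

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey, X25519PublicKey)
from cryptography.hazmat.primitives.ciphers.aead import AESGCM
from cryptography.hazmat.primitives.kdf.hkdf import HKDF
from cryptography.hazmat.primitives.serialization import Encoding, PublicFormat

CLUSTER_SECRET = os.urandom(32)   # constructed stand-in for the credential-issuing CA


def issue_credential(identity: str, dh_pub: bytes) -> bytes:
    """Bind a workload identity to its handshake key (HMAC in place of a CA signature)."""
    return hmac.new(CLUSTER_SECRET, identity.encode() + dh_pub, hashlib.sha256).digest()


class Channel:
    """Record protection for one established session, one key per direction."""

    def __init__(self, peer: str, send_key: bytes, recv_key: bytes):
        self.peer = peer              # authenticated peer identity, usable for authorization
        self.send = AESGCM(send_key)
        self.recv = AESGCM(recv_key)
        self.seq = 0                  # per-direction counter, used as the 96-bit GCM nonce

    def protect(self, record: bytes, leaves_boundary: bool) -> bytes:
        nonce = self.seq.to_bytes(12, "big")
        self.seq += 1
        if leaves_boundary:           # AES-GCM: confidentiality and integrity
            return b"\x01" + nonce + self.send.encrypt(nonce, record, b"")
        # AES-GMAC: record travels in the clear, only a 16-byte tag is appended
        return b"\x00" + nonce + record + self.send.encrypt(nonce, b"", record)

    def unprotect(self, wire: bytes) -> bytes:
        mode, nonce, rest = wire[0], wire[1:13], wire[13:]
        if mode == 1:
            return self.recv.decrypt(nonce, rest, b"")
        record, tag = rest[:-16], rest[-16:]
        self.recv.decrypt(nonce, tag, record)      # raises InvalidTag on any change
        return record


class Workload:
    def __init__(self, identity: str):
        self.identity = identity
        self.priv = X25519PrivateKey.generate()
        self.pub = self.priv.public_key().public_bytes(Encoding.Raw, PublicFormat.Raw)
        self.cred = issue_credential(identity, self.pub)

    def hello(self) -> tuple:
        """Handshake message: identity, DH share, and the credential binding the two."""
        return self.identity, self.pub, self.cred

    def finish(self, peer_hello: tuple, role: str) -> Channel:
        peer_id, peer_pub, peer_cred = peer_hello
        if not hmac.compare_digest(issue_credential(peer_id, peer_pub), peer_cred):
            raise ValueError("peer credential does not verify")
        shared = self.priv.exchange(X25519PublicKey.from_public_bytes(peer_pub))
        # Bind the session keys to both identities so they cannot be confused
        # with keys negotiated under a different peer.
        ids = b"|".join(sorted([self.identity.encode(), peer_id.encode()]))
        keys = HKDF(algorithm=hashes.SHA256(), length=32, salt=None,
                    info=b"alts-example " + ids).derive(shared)
        c2s, s2c = keys[:16], keys[16:]            # 128-bit keys, one per direction
        return Channel(peer_id, c2s, s2c) if role == "client" else Channel(peer_id, s2c, c2s)


def establish(client_id: str, server_id: str):
    """Run both halves of the handshake and return (client_channel, server_channel)."""
    client, server = Workload(client_id), Workload(server_id)
    return client.finish(server.hello(), "client"), server.finish(client.hello(), "server")


def tampering_detected(sender: Channel, receiver: Channel) -> bool:
    """Flip one bit of an integrity-only record in flight; the receiver must reject it."""
    wire = bytearray(sender.protect(b"balance=100", leaves_boundary=False))
    wire[15] ^= 0x01
    try:
        receiver.unprotect(bytes(wire))
        return False
    except InvalidTag:
        return True


if __name__ == "__main__":
    c, s = establish("frontend@prod", "storage@prod")
    inside = c.protect(b"GET /rows", leaves_boundary=False)
    outside = c.protect(b"GET /rows", leaves_boundary=True)
    print("peer:", s.peer, "| readable inside:", b"GET /rows" in inside,
          "| readable outside:", b"GET /rows" in outside,
          "| tamper caught:", tampering_detected(c, s))
```

Two details carry the security argument. Keys are derived per direction, so a counter nonce on each side never repeats under the same key. And the peer identity the handshake authenticates is handed to the application as `Channel.peer`, which is where the fine-grained authorization decisions Google mentions would be made.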

U.S. Military to Send Cyber Soldiers to the Battlefield
14.12.2017 securityweek BigBrothers
The US Army will soon send teams of cyber warriors to the battlefield, officials said Wednesday, as the military increasingly looks to take the offensive against enemy computer networks.

While the Army's mission is generally to "attack and destroy," the cyber troops have a slightly different goal, said Colonel Robert Ryan, who commands a Hawaii-based combat team.

"Not everything is destroy. How can I influence by non-kinetic means? How can I reach up and create confusion and gain control?" he told reporters.

The cyber soldiers have been integrated for six months in infantry units, and will tailor operations according to commanders' needs, said Colonel William Hartman of the Army's Cyber Command.

The Army has for the past three years conducted training for such operations at a huge center in southern California.

Hartman didn't give details on what the cyber troops can achieve, except to say that they would be scooping up information or intercepting planned attacks.

According to the New York Times, CYBERCOM has previously placed "implants" in Islamic State group networks that let experts monitor the group's behavior and ultimately imitate or alter commanders' messages so they unwittingly direct fighters to areas likely to be hit by drone or plane strikes.

Another technique likely being employed is a common type of cyber attack known as a denial of service.

Cyber Command had previously been a subordinate part of the US Strategic Command, but President Donald Trump in August ordered the Pentagon to elevate it to its own command, in a sign of its growing importance.

U.S. Prosecutors Confirm Uber Target of Criminal Probe
14.12.2017 securityweek BigBrothers
A letter made public Wednesday in Waymo's civil suit against Uber over swiped self-driving car secrets confirmed the ride-share service is the target of a US criminal investigation.

The US Attorney's Office in Northern California sent the letter to US Judge William Alsup last month to share some of what they have learned "in the course of a United States' pending criminal investigation," according to a copy of the paperwork obtained by AFP.

Alsup had referred the case to the Justice Department to look into possible criminal charges, but prosecutors remained mum after that. Information shared by the department with Alsup sparked a courtroom furor over the possibility that Uber operated a program to hide nefarious tactics.

It also resulted in the trial being delayed a second time, with the judge setting a new start date of February 5.

The US Attorney's Office said in the missive to Alsup that they interviewed former Uber manager of global intelligence Richard Jacobs, who contended that "employees routinely used non-attributable electronic devices to store and transmit information that they wished to separate from Uber's official systems."

Attorneys representing Uber have repeatedly assured the judge no files taken from Waymo ever touched Uber servers.

Jacobs' attorney laid out his allegations in May in a letter to Uber's associate general counsel, according to the Justice document.

Alsup continues to mull whether it should have been shared during an evidence-gathering phase of the civil case.

The letter signed by Jacobs told of an effort to evade discovery requests, court orders, and government investigations "in violation of state and federal law, as well as ethical rules governing the legal profession."

Techniques used included smartphones or laptop computers that couldn't be traced back to the company, and communicating through encrypted, vanishing message service Wickr, according to the letter and a transcript of courtroom testimony obtained by AFP.

Jacobs testified that he left Uber early this year with a compensation deal valued at $4.5 million.

As part of that agreement with Uber, Jacobs remained a consultant on the payroll.

Uber executives who testified denied any wrongdoing or trail-covering.

The civil case stems from a lawsuit filed by Waymo -- previously known as the Google self-driving car unit -- which claimed former manager Anthony Levandowski took technical data with him when he left to launch a competing venture that went on to become Otto and was later acquired by Uber.

Uber is also a target of investigations and lawsuits over the cover-up of a hack that compromised personal information of 57 million users and drivers.

Uber purportedly paid data thieves $100,000 to destroy the swiped information -- and remained quiet about the breach for a year.

US justice officials are also investigating suspicions of foreign bribery and use of illegal software to spy on competitors or escape scrutiny of regulators.

Traffic to Major Tech Firms Rerouted to Russia
14.12.2017 securityweek BigBrothers
Internet traffic for some of the world’s largest tech firms was briefly rerouted to Russia earlier this week in what appeared to be a Border Gateway Protocol (BGP) attack.

OpenDNS-owned Internet monitoring service BGPmon reported the incident on Tuesday. BGPmon noticed that 80 IP prefixes for organizations such as Google, Microsoft, Apple, Facebook, NTT Communications, Twitch and Riot Games had been announced by a Russian Autonomous System (AS).

It happened twice on Tuesday and each time it only lasted for roughly three minutes. The first event took place between 04:43 and 04:46 UTC, and the second between 07:07 and 07:10 UTC.

Despite being short-lived, BGPmon said the incidents were significant, including due to the fact that the announcements were picked up by several peers and some large ISPs, such as Hurricane Electric and Zayo in the U.S., Telstra in Australia, and NORDUnet, which is a joint project of several Nordic countries.

Another interesting aspect was that all the targeted traffic was associated with high-profile organizations. Experts also pointed out that the Russian AS (AS39523) had not been seen making announcements for several years before this incident.

“What makes this incident suspicious is the prefixes that were affected are all high profile destinations, as well as several more specific prefixes that aren’t normally seen on the Internet. This means that this isn’t a simple leak, but someone is intentionally inserting these more specific prefixes, possibly with the intent to attract traffic,” BGPmon said in a blog post.

“Whatever caused the incident today, it’s another clear example of how easy it is to re-route traffic for 3rd parties, intentionally or by accident. It also is a good reminder for every major ISP to filter customers,” the company added.

Robert Hamilton, director of product marketing at Imperva, said it’s hard to say what the goal was in this specific case considering that the attack was short-lived, but he noted that these types of attacks can be used for various things, “like spoofing websites in order to get visitors to download malicious content or to give up personal details or financial information.”

Chris Morales, head of security analytics at Vectra, a California-based provider of automated threat management solutions, pointed out that users accessing online resources of Google, Apple, Facebook, Microsoft and the other impacted companies trust that their communications are secure because of the use of HTTPS. However, entities that are capable of manipulating the BGP routing protocol to perform man-in-the-middle (MitM) attacks can also manipulate the TLS/SSL encryption and eavesdrop on users.

BGP hijacking

BGP is the protocol used to exchange routing information between the independent networks that make up the Internet, known as Autonomous Systems, and to select the path between them. Each AS announces the IP address blocks it can reach, known as prefixes, and shares that data with its neighbors (peers), which use it to pick the best path to each destination. Because forwarding always follows the most specific prefix in the table, an announcement covering a smaller block than the legitimate one pulls traffic away from its rightful owner, regardless of who announced it.

Jason Kent, CTO of security consulting firm AsTech, has provided a simple explanation of how it all works and why the “suspicious” event spotted by BGPmon was possible.

“The routers [that peer with these big organizations] all communicate with one another to create the largest routing tables. When a member of a new group of routers announces its routes, to the other members, they all update a table. When a user goes to, really they are going to one of Apple’s web servers with IP addresses like, but the user's ISP has to figure out where that is. So the ISP has this big routing table that says, basically, the way to get to 105.x.y.z is via this peer, and sends it the traffic,” Kent explained.

“The big routing table is kept updated by announcements from other devices. Basically a large community of routers within the Internet all tell one another the places they know how to go,” Kent said. “These announcements and updates are performed over a system [BGP] that is both old and rarely updated. It’s possible to spoof the announcements, in the right way and method, and fool all devices that route traffic, that your controlled device knows where to take it and has the best path.”
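The mechanics Kent describes, as an added example (this is not BGPmon's code or anything the article's sources published): a toy routing table that selects routes the way BGP does, so the effect of a bogus more-specific announcement, and the kind of origin-AS check BGPmon performs, can be seen in working code. The prefixes are RFC 5737 documentation ranges and the ASNs come from the RFC 5398 documentation range (64496 to 64511); the "owner" mapping in EXPECTED is constructed for the demo and stands in for the ROA, IRR or monitoring data a real check would consult.

```python
"""Longest-prefix-match forwarding and an origin-AS check for a BGP hijack.

Added example, not BGPmon code. All prefixes and ASNs are documentation
ranges (RFC 5737 / RFC 5398) and do not refer to the networks in the article.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    as_path: tuple  # leftmost = neighbour we heard it from, rightmost = origin AS

    @property
    def origin_as(self):
        return self.as_path[-1]


class Rib:
    """Toy routing information base: one best route per prefix."""

    def __init__(self):
        self.routes = {}

    def announce(self, prefix, as_path):
        net = ipaddress.ip_network(prefix)
        route = Route(net, tuple(as_path))
        current = self.routes.get(net)
        # Tie-break for an identical prefix: the shorter AS_PATH wins.
        if current is None or len(route.as_path) < len(current.as_path):
            self.routes[net] = route

    def withdraw(self, prefix):
        self.routes.pop(ipaddress.ip_network(prefix), None)

    def lookup(self, ip):
        addr = ipaddress.ip_address(ip)
        matches = [r for r in self.routes.values() if addr in r.prefix]
        # Forwarding follows the most specific prefix, not the most trusted origin.
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def check_announcement(prefix, as_path, expected_origins):
    """Flag an announcement whose origin AS is not the known owner, or which is
    a more specific of an owner's aggregate (the two signs BGPmon pointed to)."""
    net = ipaddress.ip_network(prefix)
    origin = as_path[-1]
    alerts = []
    for aggregate, owner in expected_origins.items():
        if net == aggregate or net.subnet_of(aggregate):
            if origin != owner:
                alerts.append(f"{net}: origin AS{origin}, expected AS{owner}")
            if net.prefixlen > aggregate.prefixlen:
                alerts.append(f"{net}: more specific of {aggregate}")
    return alerts


# Constructed: the "victim" AS64500 owns the /22 aggregate.
EXPECTED = {ipaddress.ip_network("198.51.100.0/22"): 64500}


def demo():
    rib = Rib()
    rib.announce("198.51.100.0/22", [64496, 64500])   # legitimate route via transit AS64496
    before = rib.lookup("198.51.100.10").origin_as     # 64500

    hijack = ("198.51.100.0/24", [64497, 64511])       # bogus more specific from AS64511
    rib.announce(*hijack)
    during = rib.lookup("198.51.100.10").origin_as     # 64511: /24 beats /22 on length
    alerts = check_announcement(*hijack, EXPECTED)

    rib.withdraw("198.51.100.0/24")                    # the real announcements lasted minutes
    after = rib.lookup("198.51.100.10").origin_as      # back to 64500
    return {"before": before, "during": during, "after": after, "alerts": alerts}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Note that nothing in the forwarding decision consults the owner mapping: the lookup switches to the hijacker purely on prefix length, which is why the fix has to come from the ISPs that accept the announcement (filtering customer prefixes, as BGPmon recommends) or from monitoring that raises the alerts shown, not from the victim's own routers.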

BGP hijacking attacks have been conducted for many years, and while protections such as filtering of customer announcements do exist for ISPs, they can often be bypassed by both cybercriminals and state-sponsored actors.

“For example, governments can use it for restricting internet access to particular websites or filtering content like advertisements that they deem illegal,” explained Joseph Carson, chief security scientist at PAM solutions provider Thycotic. “One of the most well-known cases was when in 2008 Pakistan attempted to block YouTube access and took YouTube down completely and brought their own internet access to its knees.”

“For cybercriminals, it is typically used to replace content from third party website requests like advertisements with infected websites used to distribute malware,” Carson added. “You could also use it to take down websites or even direct web traffic to a country causing a DDOS attack.”

Fortinet's FortiClient Product Exposed VPN Credentials
14.12.2017 securityweek Vulnerebility
Updates released by Fortinet for its FortiClient product patch a serious information disclosure vulnerability that can be exploited to obtain VPN authentication credentials.

FortiClient is a next-generation endpoint protection product that includes web filtering, application firewall, vulnerability assessment, anti-malware, and SSL and IPsec VPN features for desktop and mobile systems running Windows, macOS, Linux, Android and iOS.

Researchers at SEC Consult have discovered a couple of issues that can be exploited to access VPN authentication credentials associated with the product.

One of the problems is related to the fact that the VPN credentials are stored in a configuration file (on Linux and macOS) and in the registry (on Windows) – locations that are easily accessible.

The second issue is that while the credentials are stored in an encrypted form, the decryption key is hardcoded in the application and it’s the same across all installations. An attacker can easily find the encrypted passwords and decrypt them using the hardcoded key.

“The vulnerabilities are mostly problematic in an enterprise environment where the VPN is often authenticated against domain accounts,” Johannes Greil, head of the SEC Consult Vulnerability Lab, told SecurityWeek. “(Internal) attackers with valid domain credentials can then harvest all credentials of all other VPN users and gain access to their domain user account (e.g. read emails, etc).”
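To make the second issue concrete, here is an added example (not FortiClient's code and not SEC Consult's PoC) of the two designs side by side: a credential store whose key is compiled into every copy of the client, and one whose key is derived from a secret that never leaves the host. The cipher is an HMAC-SHA256 keystream with an encrypt-then-MAC tag so it runs on the standard library alone (a real client would use an AEAD such as AES-GCM); the hardcoded key, the password and the per-host "machine secret" are all constructed for the demo.

```python
"""Hardcoded credential-store key versus a per-installation key.

Added example, not Fortinet or SEC Consult code. Standard-library only:
HMAC-SHA256 keystream plus an encrypt-then-MAC tag stands in for AES-GCM.
"""
import hashlib
import hmac
import secrets

NONCE_LEN = 16
TAG_LEN = 32

# Vulnerable pattern: one key baked into every copy of the binary (constructed value).
HARDCODED_KEY = b"constructed-key-shipped-in-every-install"


def _keystream(key, nonce, length):
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Return nonce || ciphertext || tag, tag = HMAC(key, nonce || ciphertext)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key, blob):
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered blob")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# --- vulnerable design -------------------------------------------------------
def store_vulnerable(password):
    return seal(HARDCODED_KEY, password)


def attacker_recovers(blob):
    # Whoever can read the config file or registry value, and has pulled the
    # (identical) key out of any copy of the binary, gets the plaintext.
    return unseal(HARDCODED_KEY, blob)


# --- hardened design ---------------------------------------------------------
class Installation:
    """Key derived from a secret bound to this host/user.

    On Windows that role is played by DPAPI, on macOS by the Keychain; here a
    random 32-byte secret stands in for it (constructed for the demo).
    """

    def __init__(self):
        self.machine_secret = secrets.token_bytes(32)

    def _key(self):
        return hashlib.pbkdf2_hmac("sha256", self.machine_secret,
                                   b"vpn-credential-store", 100_000)

    def store(self, password):
        return seal(self._key(), password)

    def recover(self, blob):
        return unseal(self._key(), blob)


def demo(password=b"constructed-vpn-password"):
    # Vulnerable: a blob copied off host A decrypts on host B with the same key.
    leaked = store_vulnerable(password)
    vulnerable_cross_host = attacker_recovers(leaked) == password

    # Hardened: the same blob copied off host A is useless on host B.
    host_a, host_b = Installation(), Installation()
    blob = host_a.store(password)
    try:
        host_b.recover(blob)
        hardened_cross_host = True
    except ValueError:
        hardened_cross_host = False

    return {
        "vulnerable_cross_host": vulnerable_cross_host,          # True
        "hardened_cross_host": hardened_cross_host,              # False
        "hardened_same_host": host_a.recover(blob) == password,  # True
    }
```

The hardened variant does not stop a local attacker who already runs as the same user on the same host (that is what the OS key store is bound to), but it does remove the property SEC Consult exploited: that one key recovered from one binary opens every stored credential on every installation.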

SEC Consult has created a proof-of-concept (PoC) tool that exploits the vulnerability to recover passwords, but it will only be made public after users have had a chance to update their FortiClient installations.

The security hole is tracked as CVE-2017-14184, and SEC Consult has classified it as having high severity, while Fortinet has assigned it a 4/5 risk rating.

The vulnerability affects FortiClient 5.6.0 and earlier for Windows and Mac, and version 4.4.2334 and earlier of the SSL VPN client for Linux – the Android and iOS apps are not impacted. Patches are included in FortiClient 5.6.1 for Windows and Mac, and FortiClient 4.4.2335 for Linux, which the vendor released alongside FortiOS 5.4.7.

Fortinet was informed about the security hole in mid-September and the patches were released a few weeks ago.

New Cisco App Helps Organizations Secure iOS Devices
14.12.2017 securityweek iOS
Cisco on Thursday announced the availability of Security Connector, an iOS application designed to provide organizations visibility and control for mobile devices running Apple’s operating system.

Security Connector for iOS, the result of a partnership between Apple and Cisco, is an application that combines functionality from the Cisco Umbrella secure internet gateway and the Cisco Advanced Malware Protection (AMP) endpoint security product, specifically its Clarity component.

Enterprises can download the application from the Apple App Store – the app itself is free but requires a license from Cisco – and deploy it on devices running iOS 11 via mobile device management (MDM) solutions such as Cisco’s Meraki Systems Manager. Once installed, the app provides deep visibility to ensure compliance, establish risk exposure, and aid incident response.

Cisco Security Connector also offers control over iPhones and iPads to ensure that their users cannot connect to malicious websites, regardless of whether they are using the corporate network, their own cellular data plan, or public Wi-Fi connections. Cisco claims the product has no impact on employees’ mobile experience.

The new product leverages the Network Extension Framework in iOS 11, which exposes APIs that give developers the ability to customize network features, to enable organizations to monitor and control DNS traffic and provide insight into traffic generated by users, apps and devices.

Several Cisco customers have already tested Security Connector and the networking giant has described a scenario in the healthcare sector to show its potential usefulness.

“Ransomware and malware are spreading across the Internet and increasingly targeting mobile devices. Together with Apple, we are helping enterprises become the most connected, collaborative, and secure businesses in the world,” said David Ulevitch, senior vice president and general manager of Cisco’s Security Business Group. “With this app, we want to provide businesses with tools to meet their security, risk, and compliance requirements.”

Avast Open Sources Machine-Code Decompiler in Battle Against Malware
14.12.2017 securityweek Virus
In an effort to boost the fight against malicious software, anti-malware company Avast this week announced the release of its retargetable machine-code decompiler as open source.

Dubbed RetDec, short for Retargetable Decompiler, the software utility is the result of seven years of development and was originally created as a joint project by the Faculty of Information Technology of the Brno University of Technology in the Czech Republic, and AVG Technologies. Avast acquired AVG Technologies in 2016.

The tool allows the security community to perform platform-independent analysis of executable files. With its source code published to GitHub under the MIT license, anyone can freely use RetDec, study its source code, modify it, and redistribute it.

By open-sourcing the decompiler, Avast aims to provide “a generic tool to transform platform-specific code, such as x86/PE executable files, into a higher form of representation, such as C source code.”

The analytical utility supports multiple platforms, architectures, file formats, and compilers. It handles the following 32-bit architectures: Intel x86, ARM, MIPS, PIC32, and PowerPC, and the following file formats: ELF, PE, Mach-O, COFF, AR (archive), Intel HEX, and raw machine code.

Currently, the tool can be used on Windows and Linux machines, but pre-built packages are available for Windows only (Linux users need to build and install the decompiler by themselves).

RetDec can be used to perform static analysis of executable files with detailed information; for compiler and packer detection; for loading and instruction decoding; signature-based removal of statically linked library code; extraction and utilization of debugging information (DWARF, PDB), reconstruction of instruction idioms; detection and reconstruction of C++ class hierarchies (RTTI, vtables); demangling of symbols from C++ binaries (GCC, MSVC, Borland); reconstruction of functions, types, and high-level constructs; and generation of call graphs, control-flow graphs, and various statistics.

There is also an integrated disassembler, and output is available in two languages: C and a Python-like language. Courtesy of an IDA plugin, decompilation of files directly from the IDA disassembler is also possible.

Decompilers aren’t normally able to perfectly reconstruct original source code because information is lost during the compilation process and because of the obfuscation techniques malware authors often use. According to Avast, RetDec addresses these issues “by using a large set of supported architectures and file formats, as well as in-house heuristics and algorithms to decode and reconstruct applications.”

In addition to publishing RetDec’s source code, Avast provides several ways to take full advantage of the decompiler, starting with its web service. The security company also made its IDA plugin available, along with a REST API that allows the creation of apps that interact with RetDec through HTTP requests. The decompiler can be used via the API through retdec-python.

Critical 0-Day Allows Remote Hacking of DirecTV Video Bridge
14.12.2017 securityweek Vulnerebility
An unpatched critical vulnerability impacting a wireless video bridge used by DirecTV allows an attacker to remotely execute code on vulnerable devices, Zero-Day Initiative researchers reveal.

The security vulnerability was discovered in the Linksys WVBR0-25 wireless video bridge, which was designed to pair with the Wireless Genie Mini (C41W) cable box to ensure communication with DirecTV’s main Genie DVR.

Tracked as CVE-2017-17411 and featuring a CVSS score of 10, the vulnerability was discovered by Trend Micro DVLabs researcher Ricky Lawshae, who says that authentication isn’t necessary when attempting to exploit the vulnerability for executing arbitrary code.

“The specific flaw exists within the web management portal. The issue lies in the lack of proper validation of user data before executing a system call. An attacker could leverage this vulnerability to execute code with root privileges,” a ZDI advisory reads.

While attempting to browse to the web server on the device, Lawshae discovered that, instead of a login prompt or an index page, the service would deliver “the output of several diagnostic scripts containing just about everything you could want to know about the bridge, including the WPS pin, connected clients, running processes, and much more.”

Not only is this an information disclosure issue, but the log file also revealed the commands being executed and the output of every command. Moreover, it showed that the user’s IP address and user-agent were used in a system command as a form of access logging or tracking functionality.

Crucially, the device does not sanitize the User-Agent it is given, so the researcher was able to set an arbitrary User-Agent and have that untrusted data passed to the system for execution. The command ran as root, with no login prompt and no input sanitization before it reached the function responsible for executing it.

Because the lighttpd process runs with root privileges, executed commands run with root privileges as well, even if they come from untrusted input.

“It literally took 30 seconds of looking at this device to find and verify an unauthenticated remote root command injection vulnerability,” Lawshae says.

After performing a deeper analysis of the device, the researcher discovered that it was running a lighttpd web server. It was configured to render a SysInfo.asp file when browsing to the root of the website, and this file was the page displaying all the diagnostic output.

“It also showed dispatcher.cgi was actually a symbolic link to apply.cgi, which itself is a compiled ARC executable file used as kind of a “do everything” agent for the web server. It was in apply.cgi that I found the actual root cause,” Lawshae, who also published a video detailing the vulnerability, explains.
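The pattern Lawshae found, as an added example in Python rather than the device's compiled ARC binary: a request header under the attacker's control is interpolated into a command line that is handed to a shell. This is not the WVBR0-25 firmware or apply.cgi, whose format string and logging command are not public, so the logging command (an `echo` here), the client IP and the User-Agent values are all constructed; the point is the vulnerable shape and the two ways to fix it, plus a validator that shows why validation on its own is not enough.

```python
"""Unauthenticated command injection via a request header, and the fixes.

Added example, not the DirecTV/Linksys firmware. The logging command, the
client IP and the User-Agent strings are constructed for the demo.
"""
import re
import shlex
import subprocess


def _run(cmd, shell):
    return subprocess.run(cmd, shell=shell, capture_output=True, text=True).stdout


# Vulnerable: the untrusted User-Agent becomes part of a shell command line,
# so ';', '`', '$(...)' and friends are interpreted by the shell.
def log_access_vulnerable(client_ip, user_agent):
    cmd = f"echo access from {client_ip} ua={user_agent}"
    return _run(cmd, shell=True)


# Fix 1 (preferred): no shell at all. Each argv element is passed verbatim,
# so the header can contain anything and it is still just data.
def log_access_hardened(client_ip, user_agent):
    return _run(["echo", f"access from {client_ip} ua={user_agent}"], shell=False)


# Fix 2: if a shell is unavoidable, quote every untrusted field.
def log_access_quoted(client_ip, user_agent):
    cmd = "echo " + shlex.quote(f"access from {client_ip} ua={user_agent}")
    return _run(cmd, shell=True)


# Defence in depth only. ';' cannot be banned because legitimate UAs contain it
# ("Mozilla/5.0 (Windows NT 10.0; Win64; x64)"), which is why input validation
# alone never closes this hole; reject characters that have no business in a UA.
_FORBIDDEN = re.compile(r"[`$|&<>\n\r\\]")


def looks_like_plausible_ua(user_agent):
    return len(user_agent) <= 512 and not _FORBIDDEN.search(user_agent)


def demo():
    ip = "10.0.0.5"                                   # constructed client address
    ua = "curl/7.64.1; echo INJECTED"                 # attacker-supplied header
    return {
        "vulnerable": log_access_vulnerable(ip, ua),  # "INJECTED" ran as a second command
        "hardened": log_access_hardened(ip, ua),      # whole header logged literally
        "quoted": log_access_quoted(ip, ua),          # same result via quoting
        "plausible": looks_like_plausible_ua(ua),     # True: ';' alone is not suspicious
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Two points carry over to the device itself. First, the second fix only helps if every untrusted field is quoted; a single unquoted one reopens the bug, which is why the argv form is preferred. Second, the injection lands as root only because lighttpd runs as root; running the web server and its CGI handlers as an unprivileged user would not remove the bug, but it would turn "unauthenticated remote root" into something considerably less severe.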

The ZDI attempted to work with Linksys to address the vulnerability, but to no avail. Although the company was informed of the bug in June, it has not even acknowledged it yet, which led ZDI to publish the 0-day report.

SecurityWeek contacted Linksys for a comment on the matter but hasn’t received a response yet. We’ll update the article as soon as we hear back from them.

“In the absence of an actual patch from the vendor, users should protect themselves by limiting the devices that can interact with the WVBR0-25 to those that actually need to reach it,” Lawshae concludes.

New "Triton" ICS Malware Used in Critical Infrastructure Attack
14.12.2017 securityweek ICS
A new piece of malware designed to target industrial control systems (ICS) has been used in an attack aimed at a critical infrastructure organization, FireEye reported on Thursday. Experts believe the attack was launched by a state-sponsored actor whose goal may have been to cause physical damage.

Few details have been provided about the targeted organization, and FireEye has not linked the attack to any known group, but it believes with moderate confidence that a nation state actor is responsible. This assessment is based on the apparent lack of financial motivation and the amount of resources necessary to pull off such an attack.

The activity observed by FireEye may have been conducted during the reconnaissance phase of a campaign, and it’s consistent with attacks previously attributed to Russian, Iranian, U.S., North Korean and Israeli nation-state actors.

The malware, which FireEye has dubbed “Triton,” is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

According to analysis (PDF) conducted by ICS cyber security firm Dragos, which calls the malware "TRISIS", the victim was an industrial asset owner in the Middle East.

The engineering and maintenance tool used by Triconex SIS products is TriStation. The TriStation protocol is proprietary and there is no public documentation for it, but Triton does leverage this protocol, which suggests that the attackers reverse engineered it when creating their malware.

Triton, which FireEye has described as an attack framework, is designed to interact with Triconex SIS controllers. The malware can write and read programs and functions to and from the controller, and query its state, but not all capabilities had been leveraged in this specific attack.

The hackers deployed Triton on a Windows-based engineering workstation. The malware had left legitimate programs running on the controllers in place, but added its own programs to the execution table. The threat attempts to return the controller to a running state in case of a failure, or overwrite the malicious program with junk data if the attempt fails, likely in an effort to cover its tracks.

In general, once the SIS controller has been compromised, the attacker can reprogram the device to trigger a safe state, which could cause downtime and result in financial losses. Attackers could also reprogram the SIS so that it allows dangerous parameters without triggering the safe state, which can have a physical impact, including on human safety, products and equipment, FireEye said.

However, the physical damage that can be done via the SIS controller is limited by the mechanical safety systems deployed by an organization.

In the attack investigated by FireEye, the SIS controllers initiated a safe shutdown that halted operations, but the attackers may have triggered it inadvertently while trying to determine how they could cause physical damage.

On the other hand, FireEye noted that “intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency.”

Schneider Electric has launched an investigation into this incident, but initial evidence suggests that Triton does not leverage any vulnerabilities in the Triconex product and the company is not aware of any other attacks.

“It is important to note that in this instance, the Triconex system responded appropriately, safely shutting down plant operations. No harm was incurred by the customer or the environment,” the industrial giant said.

Schneider said the targeted safety controllers are widely used in critical infrastructure, and it’s working on determining if there are any additional attack vectors. In the meantime, customers have been advised not to leave the front panel key position in “Program” mode when the controller is not being configured. The malware can only deliver its payload if the key switch is set to this mode. Signatures of the malware samples identified by FireEye have been provided to cybersecurity firms so security products should be able to detect at least some variants of the threat.

There are only a handful of malware families specifically designed to target industrial systems, including the notorious Stuxnet, and Industroyer, the malware used in the December 2016 attack aimed at an electrical substation in Ukraine. Last year, FireEye identified an ICS malware dubbed IRONGATE, but it had not been observed in any actual attacks, leading experts to believe that it may have been developed for research purposes.

UK Spy Chiefs Peel Back Secrecy -- to Fight Cybercrime
14.12.2017 securityweek BigBrothers
Britain's cyber-spooks are reaching out from behind their veil of secrecy with the aim of cultivating the nation's next generation of high-tech sentries -- a move not without security risks.

With recruiting initiatives levelled at tech-savvy hipsters, start-ups pitching ideas and even Christmas puzzles, the top-secret Government Communications Headquarters (GCHQ) is letting the public in, ever so slightly.

The latest move was this month's "Cyber Accelerator" event at the National Cyber Security Centre (NCSC) -- part of GCHQ -- when investors, journalists and entrepreneurs were offered a rare glimpse behind the scenes.

The Accelerator project connects tech entrepreneurs with GCHQ experts and information, aiming to help the budding companies turn their ideas into ready-for-market cyber-defence products.

The move is the latest in a series of initiatives by the security services to open their doors to young tech wizards -- a subtle effort to recruit the best and brightest as Britain's future cyber-sentries.

GCHQ has previously used stencil graffiti recruitment adverts in the fashionable east London tech hub, and also launched an online puzzle comprising 29 blocks of letters to be decoded by aspiring cyber spies.

During the visit to Accelerator, visitors were whisked up to the National Cyber Security Centre's offices in central London in space-age lifts.

Once arrived, they got to see the latest weapons the entrepreneurs were pitching to private investors as part of the programme.

"Razor wire is there to keep people out, but it does quite a good job of keeping people in. It does create an internal community and we wanted to break out of that," said Chris Ensor, NCSC's deputy director for cyber-skills and growth.

"Accelerator is the natural next step, going out into the wider world."

Nine businesses, who are working with GCHQ for nine months, pitched ideas including defences for crypto-currencies and domestic web-connected products as well as hardware that can wipe the contents of a laptop in case of theft.

Matt Hancock, a junior minister for digital and culture affairs, encouraged investors to dig deep, saying that GCHQ's efforts to engage with the outside world were bearing fruit.

"The small acorn is now beginning to grow into an oak," he said.

- Security risk -

Stressing the urgency of the challenge, NCSC technical director Ian Levy revealed that the agency has dealt with 600 major cyber incidents in its first year, 35 of which were classed as serious.

"They have taught us some things," he said. "Our adversaries are infinitely inventive, they're brilliant."

Alan Woodward, a cybersecurity expert at the University of Surrey, praised Britain for harnessing individual inspiration with the power of government.

"Some of the best ideas have come from one man and his shed, it's the modern version of that.

"They don't always find a natural home in big business or government, this is about trying to give them a leg up," he said.

The event's Silicon Valley spirit and prospects of hard cash are both intended to lure sharp young minds towards working for the nation's defence, he added.

"You can pay someone £30,000 ($40,000, 34,000 euros) a year to go and work at GCHQ and they can basically double that by going to industry. It's hard to get them in and retain them."

- 'Keen to attract young talent' -

"We also know GCHQ is very, very keen to attract young talent," said Anthony Glees, director of the Buckingham University Centre for Security and Intelligence Studies.

"Some of the most successful hackers have been 16 and 17-year old lads working out of their bedrooms."

However, the necessity of information sharing with private citizens creates potential security "pitfalls", he said, with the leaks by private contractor Edward Snowden while working for the NSA -- GCHQ's US equivalent -- serving as a warning.

GCHQ conduct thorough background checks, but this is "an extremely expensive process", said Glees.

The government must therefore walk a fine line in judging what information to share.

"Exchanging information is always hazardous... but it is necessary," said Glees.

But some things will remain stamped "Top secret", including the location where the entrepreneurs do their work with Britain's cyber-spies.

"It's a physical place, but you can't tell anyone where it is," said the NCSC's Ensor.