DNS Servers Crash Due to BIND Security Flaw
17.1.2018 securityweek

Updates released by the Internet Systems Consortium (ISC) for BIND patch a remotely exploitable security flaw that has caused some DNS servers to crash.

The high severity vulnerability, tracked as CVE-2017-3145, is caused by a use-after-free bug that can lead to an assertion failure and crash of the BIND name server (named) process.

“BIND was improperly sequencing cleanup operations on upstream recursion fetch contexts, leading in some cases to a use-after-free error that can trigger an assertion failure and crash in named,” ISC said in an advisory.

While there is no evidence that this vulnerability has been exploited in malicious attacks, ISC says crashes caused by the bug have been reported by “multiple parties.” The impacted systems act as DNSSEC validating resolvers, and temporarily disabling DNSSEC validation can be used as a workaround.

The vulnerability, discovered by Jayachandran Palanisamy of Cygate AB, affects BIND versions 9.9.9-P8 to 9.9.11, 9.10.4-P8 to 9.10.6, 9.11.0-P5 to 9.11.2, 9.9.9-S10 to 9.9.11-S1, 9.10.5-S1 to 9.10.6-S1, and 9.12.0a1 to 9.12.0rc1. It has been patched with the release of BIND 9.9.11-P1, 9.10.6-P1, 9.11.2-P1 and 9.12.0rc2.

“Addresses could be referenced after being freed during resolver processing, causing an assertion failure. The chances of this happening were remote, but the introduction of a delay in resolution increased them. (The delay will be addressed in an upcoming maintenance release.),” ISC explained.

The organization has also informed users of CVE-2017-3144, a medium severity DHCP vulnerability affecting versions 4.1.0 to 4.1-ESV-R15, 4.2.0 to 4.2.8, and 4.3.0 to 4.3.6.

“By intentionally exploiting this vulnerability an attacker who is permitted to establish connections to the OMAPI control port can exhaust the pool of socket descriptors available to the DHCP server,” ISC explained.

“Once exhausted, the server will not accept additional connections, potentially denying access to legitimate connections from the server operator. While the server will continue to receive and service DHCP client requests, the operator can be blocked from the ability to use OMAPI to control server state, add new lease reservations, etc.,” it added.

ISC has developed a patch and it plans on adding it to a future maintenance release of DHCP. In the meantime, users can protect themselves against potential attacks by disallowing access to the OMAPI control port from unauthorized clients. Alternatively, organizations can obtain the patch from ISC and integrate it into their own code.

Serious Flaws Found in Phoenix Contact Industrial Switches
17.1.2018 securityweek

Vulnerabilities in Phoenix Contact Industrial Switches Can Allow Hackers to Disrupt Operations

Researchers have discovered potentially serious vulnerabilities in industrial switches made by Phoenix Contact, a Germany-based company that specializes in industrial automation, connectivity and interface solutions.

According to advisories published last week by ICS-CERT and its German counterpart CERT@VDE, Phoenix Contact’s FL SWITCH industrial ethernet switches are affected by authentication bypass and information exposure flaws. Ilya Karpov and Evgeniy Druzhinin of Positive Technologies have been credited for reporting the flaws.


The security holes affect 3xxx, 4xxx and 48xx series switches running firmware versions 1.0 through 1.32. The vendor addressed the weaknesses in version 1.33, but researchers told SecurityWeek that it took the company roughly 160 days to release patches, which the researchers have not yet been able to verify.

The more serious of the flaws is tracked as CVE-2017-16743 and it has been assigned a CVSS score of 9.8, which puts it in the “critical severity” category. The vulnerability allows a remote, unauthenticated attacker to bypass authentication and gain administrative access to the targeted device by sending it specially crafted HTTP requests.

The second flaw, CVE-2017-16741, has been rated “medium severity” and it allows a remote and unauthenticated attacker to abuse a device’s Monitor mode in order to read diagnostics information. Firmware version 1.33 allows users to disable the Monitor mode.

Positive Technologies researchers told SecurityWeek that attackers can exploit the vulnerabilities to gain full control of a targeted switch and leverage it to interrupt operations in the ICS network, which can have serious consequences.

While some Phoenix Contact products do appear to be connected directly to the Internet, experts have not found any of its industrial switches on search engines such as Shodan and Censys. Positive Technologies says these industrial switches are typically used for internal PLC networks.

“This does not mean that such devices could not be found and accessed from the internet, it only means that we were not able to find such cases using shodan.io and censys.io,” researchers said.

Device Manufacturers Working on BIOS Updates to Patch CPU Flaws
17.1.2018 securityweek

Acer, Asus, Dell, Fujitsu, HP, IBM, Lenovo, Panasonic, Toshiba and other device manufacturers have started releasing BIOS updates that should patch the recently disclosed Spectre and Meltdown vulnerabilities.

The flaws exploited by the Meltdown and Spectre attacks, tracked as CVE-2017-5715, CVE-2017-5753 and CVE-2017-5754, allow malicious applications to bypass memory isolation mechanisms and access sensitive data. Billions of PCs, servers, smartphones and tablets using processors from Intel, AMD, ARM, IBM and Qualcomm are affected.


Fortunately, tech companies have already started releasing patches and workarounds designed to prevent attacks. Unfortunately, some of the mitigations can introduce significant performance penalties for certain types of operations.

Intel has released patches, including microcode updates, for many of its processors, and AMD has promised to do the same. Intel has provided the fixes to system manufacturers and they have already released or are in the process of releasing BIOS updates.


Acer has informed customers that the Spectre and Meltdown vulnerabilities affect many of its desktop, notebook and server products. It’s unclear when BIOS updates will become available for a majority of the impacted devices, but the company has set a target date of March 2018 for server updates.

The list of impacted products includes Aspire, Extensa, Gateway, imd, Predator, Revo, ShangQi, Veriton and Wenxiang desktops; Aspire, Extensa, Gateway, Nitro, Packard Bell EasyNote, Spin, Swift, Switch, and TravelMate notebooks; and Altos, AR, AT, AW and Veriton servers.


Asus is also working on releasing BIOS updates. The company expects to release patches for affected laptops, desktops and mini PCs by the end of the month.

Asus has published a separate security advisory for motherboards that support Intel processors vulnerable to Meltdown and Spectre attacks.


Dell has already started releasing BIOS updates for affected Alienware, Inspiron, Edge Gateway, ChengMing, Enterprise Server, Latitude, OptiPlex, Precision, Vostro, Venue and XPS products. The vendor expects many more updates to become available later this month.

Dell has published a separate advisory for EMC products, including PowerEdge and Datacenter Scalable Solutions (DSS). Updates are available for many of the impacted systems.


Fujitsu has informed customers that many of its OEM mainboards, Esprimo PCs, Celsius workstations, Futuro thin clients, Stylistic, Lifebook and Celsius notebooks, Celvin storage devices, Primergy and Primequest servers, Sparc servers, and retail products are affected. However, BIOS updates are available only for a handful of them.


Intel has started integrating the processor microcode fixes into BIOS updates for NUC, Compute Stick and Compute Card mini PCs. Updates are available for many of the products and more are expected to be released later this month.

The company is also working on updates for Server Board and Visual Compute Accelerator products, but only two BIOS updates have been released to date. Intel has not provided an estimate on when more updates should become available.


HP has started releasing BIOS updates that patch the Meltdown and Spectre vulnerabilities for commercial workstations; commercial desktops, notebooks and retail PoS devices; and consumer desktops and notebooks.

Updates for the remaining systems are expected to become available later this month or in early February.


Lenovo says many of its desktop, IdeaPad, ThinkStation, Converged and ThinkAgile, storage, Hyperscale, ThinkServer, ThinkSystem, System X, network switch, and server management products are affected.

Lenovo has released BIOS updates for many of its solutions, and the company has also advised users to update their operating system and NVIDIA drivers to ensure that they are protected against Meltdown and Spectre attacks.

Gigabyte and MSI motherboards

Gigabyte has a long list of impacted motherboards, including the Z370, X299, B250, H110, Z270, H270, Q270, Z170, B150 and H170 families. The company has promised to start releasing BIOS updates in the next few days, with updates for a majority of systems expected to become available over the next few weeks.

MSI has released BIOS updates for Z370, Z270, H270, B250, Z170, H170, B150, H110, X299 and X99 motherboards. Patches are expected to become available for other devices “very soon.”


IBM has released firmware patches for some of its POWER processors. Fixes for its AIX and IBM i operating systems are expected to become available in mid-February.

Getac Technology, a Taiwan-based firm that makes rugged notebook, tablet and handheld computers, has promised to release BIOS updates by the end of this month.

Toshiba has published a list of affected Qosmio, Satellite, Portege, Tecra, Chromebook, Kirabook, AIO, Regza, Mini Notebook, Encore, Excite and dynaPad devices, but it has yet to release any updates. Some of the fixes are expected later this month.

Data center hardware provider QCT says it has integrated the microcode patches into a majority of its recent products. Super Micro has also issued fixes for many of its single, dual and multi-processor systems; SuperBlade, MicroBlade and MicroCloud products; and embedded, workstation and desktop systems.

Computing and storage solutions provider Wiwynn has released BIOS updates for its SV300G3, SV7200G3, SV5100G3 and SV5200G3 products, and more are expected to become available over the next few weeks.

Panasonic hopes to release updates for its laptops and tablets over the next few months.

Islamic State Retreats Online to 'Virtual Caliphate'
17.1.2018 securityweek CyberCrime

On the brink of defeat in Iraq and Syria, the Islamic State group has been taking refuge in its "virtual caliphate" -- but even online, experts say it is in decline.

Back in 2015, when the jihadists held territory the size of Italy, they also commanded a huge digital presence, flooding the web with slick propaganda lionising their fighters and romanticising life under their rule.

Today, with many of the top IS leaders either dead or on the run, what remains of the group's once-sophisticated propaganda machine is also a shadow of its former self.

Their media centres destroyed, remaining propagandists find themselves struggling to maintain an internet connection while battling surveillance from international intelligence services.

The jihadist group is less and less vocal on the web, largely leaving supporters whom it cannot control to speak in its name.

"It's almost as if someone has pressed the mute button on the Islamic State," said Charlie Winter, a researcher at King's College London who has been studying IS communications for years.

Between November 8 and 9 the group even went completely silent for a full 24 hours in what Winter said was an "unprecedented" break from social media.

In 2015, when IS was ruling over roughly seven million people in Iraq and Syria, its propagandists produced "content from 38 different media offices from West Africa to Afghanistan", Winter said.

But by December, more than three quarters of these outlets had been "almost totally silenced," he added.

Albert Ford, a researcher at US think-tank New America who has studied the exodus of foreign fighters to join IS, also said the group's media output was "falling off considerably".

"Fewer places to get information, fewer ways to upload it," he said.

- Pushed to the 'dark web' -

Back in March as Iraqi forces were ousting IS from their long-held bastion Mosul, an AFP journalist was able to pick through the wreckage of what was once a jihadist media centre.

Between the burnt walls of the villa in an upscale part of the city were the remains of computers, printers and broadcasting equipment.

In the months before and since, the US-led military coalition fighting IS has repeatedly announced the deaths of senior IS communications officers, usually in air strikes.

Among them was the top strategist and spokesman Abu Mohamed al-Adnani, killed in a US strike in northern Syria in August 2016.

These days IS propagandists mostly use the web to encourage supporters to launch attacks on their own initiative, with the much-weakened group unable to play a direct hand in organising them.

These calls are often issued via the "deep web", a heavily encrypted part of the internet which is almost impossible to regulate, or the Telegram app.

Winter said he had seen a trend emerging of posts seeking to cultivate a sense of nostalgia among supporters for the height of the group's power.

By portraying events of three years ago as a "golden age" stolen by "the enemies of Islam", IS is hoping to convince new recruits that such times could come again if they join the cause, Winter said.

Bruce Hoffman, a terrorism specialist at Georgetown University in Washington, said the principal danger of IS now lies in what he calls "enabled attackers".

A jihadist recruit such as this would have "no previous ties to terrorist organisations," Hoffman said.

"But he is furnished very specific targeting instructions and intelligence in order to better facilitate and ensure the success of his attack."

Such wannabe jihadists need look no further than the internet for abundant advice that has been available online for years -- and will merely pop up again after any attempt to remove it.

'MaMi' Mac Malware Hijacks DNS Settings
17.1.2018 securityweek Apple

Researcher Patrick Wardle has analyzed what seems to be a new piece of malware designed to hijack DNS settings on macOS devices. The threat has other capabilities as well, but they do not appear to be active.

The malware, dubbed OSX/MaMi by Wardle based on a core class named “SBMaMiSettings,” is currently only detected – at least based on its signature – by ESET and Ikarus products as OSX/DNSChanger.A and Trojan.OSX.DNSChanger. However, other vendors will likely create signatures for the threat in the upcoming hours and days.

The researcher obtained a sample of MaMi after a user reported on the Malwarebytes forums that a teacher’s Mac had been infected. The user reported that the DNS servers on the compromised system were set to and, and they kept changing back after being removed.

Wardle has not been able to determine how the malware is being distributed, but he has found it on several websites. The expert believes the threat has likely been delivered via email, fake security alerts and pop-ups on websites, or social engineering attacks.

The sample analyzed by the researcher acts as a DNS hijacker, but it also contains code for taking screenshots, simulating mouse events, downloading and uploading files, and executing commands.

The malware does not appear to execute any of these functions, but Wardle says it’s possible that they require some attacker-supplied input or other preconditions that his virtual machine may not have met. The researcher says he will continue to investigate.

Once it infects the system, the malware invokes the macOS 'security' command-line tool and uses it to install a new certificate obtained from a remote location.

“OSX/MaMi isn't particularly advanced - but does alter infected systems in rather nasty and persistent ways,” Wardle explained. “By installing a new root certificate and hijacking the DNS servers, the attackers can perform a variety of nefarious actions such as man-in-the-middle'ing traffic (perhaps to steal credentials, or inject ads).”

The easiest way to determine if a macOS system is infected with the MaMi malware is to check DNS settings – the threat is present if the server is set to and. The malware does not appear to be designed to target Windows devices.
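The check described above, as an added example that is not from the article or from Wardle's write-up: it gathers the resolvers configured on a macOS host, compares them with an indicator list, and lists System keychain certificates for manual review of an unexpected root. The article elides the rogue resolver addresses, so MAMI_DNS_IOCS below holds constructed placeholder values; the parsers are written so they can be exercised on sample output off a Mac.

```python
"""Defender check for the two OSX/MaMi indicators: hijacked DNS servers and an
added root certificate. Added example, not the article's or the researcher's code."""
import ipaddress
import re
import subprocess
import sys
from typing import List, Set

# PLACEHOLDER: the article does not give the rogue resolver addresses.
# Replace these constructed TEST-NET values with the published indicators.
MAMI_DNS_IOCS = {"198.51.100.10", "198.51.100.11"}


def parse_scutil_dns(text: str) -> Set[str]:
    """Extract every 'nameserver[n] : <addr>' entry from `scutil --dns` output."""
    return set(re.findall(r"nameserver\[\d+\]\s*:\s*(\S+)", text))


def parse_networksetup_dns(text: str) -> Set[str]:
    """Parse `networksetup -getdnsservers <service>` output: one address per line.
    When nothing is configured the tool prints a sentence instead, which is skipped."""
    servers = set()
    for line in text.splitlines():
        addr = line.strip()
        try:
            ipaddress.ip_address(addr.split("%")[0])  # tolerate IPv6 zone ids
        except ValueError:
            continue
        servers.add(addr)
    return servers


def suspicious_servers(servers: Set[str], iocs: Set[str] = MAMI_DNS_IOCS) -> Set[str]:
    """Configured resolvers that match the indicator list."""
    return servers & iocs


def run(cmd: List[str], stdin: str = "") -> str:
    return subprocess.run(cmd, input=stdin, capture_output=True, text=True, check=False).stdout


def collect_live_dns() -> Set[str]:
    """Union of the live resolver state and every network service's static DNS setting,
    since the malware keeps re-applying its servers to the service configuration."""
    servers = parse_scutil_dns(run(["scutil", "--dns"]))
    # First line of -listallnetworkservices is an explanatory sentence; '*' marks disabled services.
    for svc in run(["networksetup", "-listallnetworkservices"]).splitlines()[1:]:
        svc = svc.lstrip("*").strip()
        servers |= parse_networksetup_dns(run(["networksetup", "-getdnsservers", svc]))
    return servers


def system_keychain_subjects() -> List[str]:
    """Subjects of certificates in the System keychain (where a root installed with the
    `security` tool would land), for manual review; uses openssl to decode each PEM block."""
    pem = run(["security", "find-certificate", "-a", "-p", "/Library/Keychains/System.keychain"])
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", pem, re.S)
    return [run(["openssl", "x509", "-noout", "-subject"], stdin=b).strip() for b in blocks]


if __name__ == "__main__":
    if sys.platform != "darwin":
        sys.exit("this check queries macOS tools (scutil, networksetup, security)")
    hits = suspicious_servers(collect_live_dns())
    print("MaMi DNS indicators present:" if hits else "no MaMi DNS indicators found", sorted(hits))
    for subject in system_keychain_subjects():
        print("System keychain certificate:", subject)
```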

The most well known DNS-changer malware is DNSChanger, a threat that made rounds in the years leading up to 2011 and which changed DNS settings as part of clickjacking and ad replacement fraud schemes. DNSChanger affected both Windows and OS X machines, and millions of devices worldwide were at risk of losing Internet connectivity after authorities took down its infrastructure.

Microsoft Brings End-to-End Encryption to Skype
17.1.2018 securityweek

Microsoft this week announced that end-to-end encrypted communications are now available for preview to Skype insiders.

Called Private Conversations, the newly introduced feature secures both text chat messages and audio calls, Microsoft Program Manager Ellen Kilbourne revealed.

Furthermore, end-to-end encryption is also applied to any files users send to their conversation partners, including images, audio files, and videos. Not only will the contents of these conversations be hidden in the chat list, but they won’t appear in notifications either, to keep users’ information private.

Private Conversations, Kilbourne explains in a post, is using the industry standard Signal Protocol by Open Whisper Systems. The protocol is already providing end-to-end encryption to users of popular messaging applications such as Signal, WhatsApp, and Facebook Messenger.

Users enrolled in Microsoft’s Skype Insider program can already test the new feature by selecting “New Private Conversation” from the compose menu or from the recipient’s profile. As soon as the recipient has accepted the invitation to a private chat, all calls and messages in that conversation will be encrypted end-to-end, until they choose to end it.

Participation in a private conversation will be available from a single device at a time. Skype users will have the possibility to switch the conversation to any of their devices, but exchanged messages are tied to the device being used at the time.

During the preview period, private conversations will be available only to Skype Insiders running the latest version of the application. The chats are also limited to one-to-one conversations, Kilbourne explains.

The Private Conversations feature is currently available to Skype Insiders using Skype version for iOS, Android, Linux, Mac, and Windows Desktop.

Facebook Paid $880,000 in Bug Bounties in 2017
17.1.2018 securityweek

Facebook received over 12,000 vulnerability submissions in 2017 and ended up paying $880,000 in bug bounties to security researchers.

Of the large number of received submissions, however, just over 400 reports were found valid during the bug bounty program’s sixth year. Last year, Facebook also paid larger bounties to the submitting researchers, as the average reward per submission increased to almost $1,900, up from $1,675 in 2016.

The number of security researchers participating in the company’s bug bounty program also increased, Jack Whitton, Security Engineer with Facebook's Product Security team, explains in a blog post. 32% of the researchers who received a reward last year submitted for the first time in 2017.

The largest bounty the company has paid to date is a $40,000 reward for ImageTragick, a remote code execution vulnerability in the ImageMagick image processing suite. Last year, the company also paid a $10,000 bounty for a critical vulnerability that could result in deleting any photo from the social media network.

The largest number of valid submissions in 2017, Facebook says, came from India. The United States was in second position, followed by Trinidad & Tobago in third.

Facebook acknowledged more than 100 researchers as part of the bug bounty program in 2017.

“Going forward, we are going to take a number of things into consideration: dollar amount, submission validity, and more. We’re doing this to continue to encourage high-quality submissions, and we will be offering new perks to our top participants such as swag and prizes, access to exclusive events and new features,” Whitton explains.

He also reveals that Facebook is planning on investing more resources into getting more timely responses and payments to researchers in 2018.

Researchers interested in submitting reports as part of Facebook’s bug bounty program are encouraged to follow the best practices the company is listing at facebook.com/whitehat/resources.

“After celebrating our 6th anniversary, we paid out over $880,000 to researchers last year, bringing our total paid out to over $6,300,000,” Whitton says.

Facebook launched its bug bounty program in 2011 and paid over $5 million to researchers by October 2016.

US House Passes Crucial Spying Law
17.1.2018 securityweek CyberSpy

The US House of Representatives passed a crucial surveillance law Thursday that reinforced the ability of the country's spy agencies to intercept and make use of Americans' private communications.

The national security establishment saw the reauthorization of the expiring Section 702 of the Foreign Intelligence Surveillance Act as essential, warning that they would not be able to detect terror plots without it.

But rights groups and libertarian-leaning politicians of both the Democratic and Republican parties saw the bill's passage as a blow, especially since former National Security Agency contractor Edward Snowden revealed in 2013 that the NSA was using it to vacuum up massive amounts of data on Americans.

Many had hoped the renewal would strengthen protections against invasive electronic wiretapping and social media monitoring of Americans by the NSA, the country's powerful electronic espionage body, and the Federal Bureau of Investigation.

- Trump tweets stir confusion -

The House's vote for the bill came after President Trump himself sent mixed messages of his own views, tweeting Thursday morning his opposition only to make an abrupt U-turn.

In an initial tweet he said the section 702 provision had been used by the Obama administration to "so badly surveil and abuse the Trump campaign," suggesting he was opposed to the bill.

More than an hour later, he reversed himself, saying "today's vote is about foreign surveillance of foreign bad guys on foreign land. We need it!"

While nearly all lawmakers agree that 702 is an essential tool for US intelligence to safeguard national security, the bill passed the House by 256-164, showing the level of opposition to the powers it gives US spies and law enforcement. The no votes included 45 Republicans.

"The House-passed bill does absolutely nothing to defend the vast majority of law-abiding Americans from warrantless searches, and in many ways it expands the federal government's ability to spy on Americans. A concerted campaign of fear-mongering and misinformation pushed this flawed bill over the line," said Senator Ron Wyden, one of the most vocal critics of the law.

- Post-9/11 law -

Section 702 of the FISA law was passed in 2008 after the Bush administration was shown to have allowed the then-illegal surveillance of telephone and online communications of US citizens and residents in the wake of the September 11, 2001 terror attacks.

Amid concerns it gave the government too much power to spy on citizens, the statute was given a five-year limit, and was renewed in 2012.

It allows the NSA and FBI, in their surveillance on foreign targets outside of the country for national security purposes, to also collect and hold communications by US citizens, so-called incidental collection.

It also permits the CIA and FBI to search that material, which includes social media postings, in the course of criminal investigations.

The NSA and FBI have downplayed their collection and use of the materials on Americans.

But leaks and statements by officials have suggested that the amount of material collected is massive, and that the FBI routinely searches it for information on Americans.

Opponents had hoped the new bill would require agencies to obtain specific warrants to scan and make use of the communications of Americans scooped up in the process of spying on foreigners.

But a slight change that says the FBI needs a warrant to make use of the material in court does not hinder their ability to freely examine NSA files, critics said.

The bill "fails to meaningfully restrict the use of Section 702 to spy on Americans without a warrant," the American Civil Liberties Union said.

The bill could face stronger opposition in the Senate, where Senator Rand Paul has threatened a filibuster. But analysts expect that will only slow its eventual passage.

FireEye Acquires Big Data Firm X15 Software
17.1.2018 securityweek IT

Cyber threat protection firm FireEye said on Friday that it has acquired privately held big data platform provider X15 Software in a deal valued at roughly $20 million.

Under the terms of the acquisition, which closed on Jan. 11, FireEye agreed to pay approximately $15 million in equity and $5 million in cash to acquire Sunnyvale, Calif.-based X15.

FireEye says that X15’s technology will “add significant data management capabilities and provide customers with an open platform for integrating machine-generated data that can easily incorporate new security technologies and big data sources to adapt to the evolving threat environment.”

Shortly after acquiring security orchestration firm Invotas in February of 2016, FireEye made a push into orchestration and automation with the launch of its Security Orchestrator offering, designed to help eliminate repetitive manual processes, reduce process errors, and automate the correct response between different security controls. In late 2016, the company unveiled Helix, a platform designed to help customers efficiently integrate and automate security operations functions.

“Organizations today are overwhelmed by alerts, the number of tools required to manage their security operations, and the challenge of unifying access to the large volumes of data that matter,” John Laliberte, senior vice president of engineering at FireEye, said in a statement. “X15 Software technology will accelerate our strategy of delivering an innovative, next-gen security platform.”

FireEye claims that the integration of X15 Software’s technology will help FireEye’s security operations platform address the challenges of collecting, querying and analyzing large volumes of machine-generated data in real-time and manage security data from on-premise, hybrid and cloud environments.

X15 Software was founded in 2013 and currently has approximately 20 employees.

Tool Detects Squatted Accounts on Social Networks, Code Repos
17.1.2018 securityweek

Web security company High-Tech Bridge has improved its Trademark Monitoring Radar service with a feature designed to help organizations identify squatted or fraudulent accounts created on social networks and code repositories.

Trademark Monitoring Radar is a free service that hunts for malicious domain names. The service initially allowed organizations to detect potential cybersquatting and typosquatting of their domain or brand. A feature designed to detect phishing websites was later added.

The latest feature allows organizations to find typosquatting or cybersquatting attempts on social networks and code repositories. Users simply enter the name of their own domain and the service displays a list of potentially squatted accounts found on websites such as Facebook, Twitter, YouTube, Google Plus, GitHub and Bitbucket.

High-Tech Bridge told SecurityWeek that new social networks will be added in the upcoming period. The detection algorithms and the database storing information on malicious domains are continuously improved – the company says there is an improvement of roughly 10 percent every month. The results displayed for each tested domain are updated every 24 hours.

The Trademark Monitoring Radar service is fully automated, which can result in false positives. However, the security firm pointed out that it’s virtually impossible to automatically assess the impact of each account. On the other hand, each of the potentially problematic accounts is displayed as a link, making it easier for users to manually verify them.

“We prefer to give more than less,” explained Ilia Kolochenko, CEO and founder of High-Tech Bridge. “For some companies, even the same user name can pose a potential problem. We saw when relatively innocent accounts were used in sophisticated credit card fraud.”

It can be useful for organizations to identify squatted or fraudulent accounts on social media websites as they can be abused by malicious hackers in combination with social engineering for spear phishing attacks. As for code repositories, fake accounts can be leveraged for delivering malware, Kolochenko said.

Once the fraudulent domains have been identified, the targeted organization can ask the service provider to take them down. While the process is often simple for major brands, it can be more difficult for smaller companies. “It can take longer or even require an intervention from a law firm,” Kolochenko explained.

Simple Attack Allows Full Remote Access to Most Corporate Laptops
17.1.2018 securityweek

Remote Attack Leverages Flaw in Intel AMT Technology

Attack is Simple to Exploit, Has Incredible Destructive Potential

Researchers have discovered a flaw in Intel's Advanced Management Technology (AMT) implementation that can be abused with less than a minute of physical access to the device.

An Evil Maid attack could ultimately give an adversary full remote access to a corporate network without having to write a single line of code.

The flaw was discovered by F-Secure senior security consultant Harry Sintonen, and disclosed today. It is unrelated to the "Apocalyptic AMT firmware vulnerability" disclosed in May 2017, or the current Meltdown and Spectre issues.

The new flaw is surprising in its simplicity. "It is almost deceptively simple to exploit, but it has incredible destructive potential," explains Sintonen. "In practice, it can give an attacker complete control over an individual's work laptop, despite even the most extensive security measures."

The problem is that setting a BIOS password (standard procedure) does not usually prevent access to the AMT BIOS extension -- the Intel Management Engine BIOS Extension (MEBx). Unless this separate password is changed, and usually it is not, the default 'admin' password will give the attacker access to AMT.

AMT is an out-of-band hardware-based remote management tool. It is chip-level and not dependent on software or an operating system. It requires only power and a connection. Its purpose is to give IT staff remote access to, and therefore control over, corporate devices; and is particularly useful for laptops used away from the office. It is found on computers with Intel vPro-enabled processors, and workstation platforms based on specific Intel Xeon processors -- in short, the vast majority of company endpoints.

If an attacker has physical access to such a device, they need only boot it, press CTRL-P during startup, and log in to MEBx with the default 'admin' password. "By changing the default password, enabling remote access and setting AMT's user opt-in to "None", a quick-fingered cyber criminal has effectively compromised the machine," writes F-Secure.

The device itself might be considered secure, with a strong BIOS password, TPM PIN, BitLocker and login credentials -- but all of these can be bypassed remotely if the attackers are able to insert themselves onto the same network segment as the victim. "In certain cases," warns F-Secure, "the assailant can also program AMT to connect to their own server, which negates the necessity of being in the same network segment as the victim."

Once such an attack has succeeded, the target device is fully compromised and the attacker has remote ability to read and modify all data and applications available to the authorized user.

Although physical access is required, the speed with which the attack can be carried out makes the Evil Maid attack (so called because it can be performed in a hotel room if a device is left unattended for a brief period of time) a viable threat.

Sintonen describes a potential scenario. "Attackers have identified and located a target they wish to exploit. They approach the target in a public place -- an airport, a cafe or a hotel lobby -- and engage in an 'evil maid' scenario. Essentially, one attacker distracts the mark, while the other briefly gains access to his or her laptop. The attack doesn't require a lot of time -- the whole operation can take well under a minute to complete," Sintonen says.

Preventing such Evil Maid attacks is simple in principle, but complex in practice, requiring granular provisioning. AMT should be disabled for all devices that are unlikely to require it. Where it is required, each device needs to be provisioned with a strong password. This needs to be done for both new and currently deployed devices.

"It is recommended to query the amount of affected devices remotely, and narrow the list of assets needing attention down to a more manageable number. For computers connected to a Windows domain, provisioning can be done with Microsoft System Center Configuration Manager," suggests F-Secure. If any device is found to have an unknown password (in many cases this will be anything other than 'admin'), that device should be considered suspect and appropriate incident response procedures should be initiated.
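The remote inventory step F-Secure recommends above can be scripted. The following is an added example, not F-Secure's or Intel's code: it flags hosts whose AMT web interface answers, which means AMT is provisioned with remote access enabled and the machine needs its MEBx password reviewed or AMT disabled. It assumes AMT listens on TCP 16992 (HTTP) and 16993 (HTTPS) and that its HTTP Server header begins with "Intel(R) Active Management Technology" followed by the firmware version; the sample response below is constructed.

```python
"""Asset-inventory helper for the Intel AMT default-password issue.

Added example, not F-Secure's or Intel's code. Assumptions: the AMT web
interface listens on TCP 16992 (HTTP) and 16993 (HTTPS), and its HTTP
responses carry a Server header of the form
"Intel(R) Active Management Technology <firmware version>".
"""
import socket
import ssl
import sys
from typing import Dict, Iterable, Optional

AMT_HTTP_PORT = 16992
AMT_HTTPS_PORT = 16993
AMT_SERVER_MARKER = b"Intel(R) Active Management Technology"

# Constructed sample of what an AMT host is assumed to answer to an
# unauthenticated request; the version number is made up for this example.
SAMPLE_AMT_RESPONSE = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: Intel(R) Active Management Technology 11.8.50.3425\r\n"
    b'WWW-Authenticate: Digest realm="constructed-realm", nonce="constructed"\r\n'
    b"Content-Length: 0\r\n\r\n"
)


def parse_amt_banner(raw_response: bytes) -> Optional[str]:
    """Return the AMT firmware version from an HTTP response's Server header,
    or None when the response does not come from AMT. Only the header block
    is inspected; any body is ignored."""
    head, _sep, _body = raw_response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"server":
            value = value.strip()
            if value.startswith(AMT_SERVER_MARKER):
                version = value[len(AMT_SERVER_MARKER):].strip()
                return version.decode("ascii", errors="replace") or "unknown"
    return None


def _http_head(host: str, port: int, use_tls: bool, timeout: float) -> bytes:
    """Send an unauthenticated HEAD / and return the response headers."""
    request = f"HEAD / HTTP/1.0\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    sock = socket.create_connection((host, port), timeout=timeout)
    try:
        if use_tls:
            # AMT ships a self-signed certificate; only the banner is wanted,
            # so verification is deliberately disabled for this inventory check.
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall(request)
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
        return buf
    finally:
        sock.close()


def check_host(host: str, timeout: float = 2.0) -> str:
    """Classify one host for the remediation list described in the article."""
    refused = False
    for port, tls in ((AMT_HTTP_PORT, False), (AMT_HTTPS_PORT, True)):
        try:
            banner = _http_head(host, port, tls, timeout)
        except ConnectionRefusedError:
            refused = True
            continue
        except (OSError, ssl.SSLError):
            continue
        version = parse_amt_banner(banner)
        if version is not None:
            return f"attention: AMT remote access enabled (firmware {version})"
        return "check: AMT port open but banner is not AMT"
    return "ok: AMT ports closed" if refused else "unknown: host did not respond"


def triage(hosts: Iterable[str], timeout: float = 2.0) -> Dict[str, str]:
    """Map every inventory host to its classification."""
    return {host: check_host(host, timeout) for host in hosts}


if __name__ == "__main__":
    # Offline demonstration on the constructed sample, then any hosts given.
    print("sample banner ->", parse_amt_banner(SAMPLE_AMT_RESPONSE))
    for h, status in triage(sys.argv[1:]).items():
        print(f"{h}: {status}")
```

Hosts reported as "attention" are the ones F-Secure's guidance says must be re-provisioned with a strong MEBx password or have AMT disabled; a host whose AMT password turns out to be unknown should be treated as suspect, as the article notes.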

Sintonen found the issue in July 2017. However, he also notes that Google's Parth Shukla mentioned it in an October 2017 presentation titled 'Intel AMT: Using & Abusing the Ghost in the Machine' delivered at Hack.lu 2017. Since awareness of the issue is already public knowledge, Sintonen recommends that organizations tackle the problem as soon as possible.

ICS Vendors Assessing Impact of Meltdown, Spectre Flaws
17.1.2018 securityweek

Organizations that provide solutions for critical infrastructure sectors, including medical device and industrial control systems (ICS) manufacturers, have started assessing the impact of the recently disclosed Meltdown and Spectre exploits on their products.

The Meltdown and Spectre attacks allow malicious applications to bypass memory isolation mechanisms and access potentially sensitive data. Billions of devices using Intel, AMD, ARM, Qualcomm and IBM processors are affected.

While affected companies have been working on releasing both software and firmware mitigations, the changes made to a system can introduce significant performance penalties, and in some cases users have reported that the patches broke their operating system and various applications.

Considering that in the case of industrial systems availability and integrity are of the utmost importance, vendors have warned customers that extensive testing should be conducted before any patches are applied in an effort to avoid disruptions.

Several vendors have published advisories to inform customers that they are assessing the impact of the Spectre and Meltdown exploits. The list includes Siemens, Schneider Electric, ABB, Rockwell Automation, and medical technology company Becton Dickinson (BD). ICS-CERT has also published an advisory directing users to the advisories of some vendors.

Siemens

In an advisory published on Thursday, Siemens told customers that it’s analyzing the impact of the vulnerabilities and available mitigations. Several of the company’s products may be affected as they are typically installed on systems powered by one of the affected processors.

“Updates for operating systems, processor firmware, and other systems can help to mitigate these vulnerabilities. Siemens is testing the compatibility of the patches released for supported operating systems for several products,” the company said.

“Siemens is aware that some updates can result in compatibility, performance or stability issues on certain products and operating systems. Operating system vendors, such as Microsoft, are still working to address these compatibility issues with their updates. Siemens will therefore continue to evaluate the applicability of those updates,” it added.

Until patches and workarounds can be safely applied, Siemens has advised organizations to ensure that untrusted code cannot be executed on systems running its products, which is a requirement for launching Meltdown and Spectre attacks.

Rockwell Automation

Rockwell Automation has also confirmed that its customers’ environments are potentially impacted by the vulnerabilities.

The company is working with software and hardware partners on addressing the problem in its E1000, E2000 and E3000 Industrial Data Center (IDC) offerings. Its employees are also working on testing the updates made available by Microsoft.

Rockwell Automation has warned organizations that some of the updates released by Microsoft are known to cause anomalies in FactoryTalk-based products, including Studio 5000, FactoryTalk View SE, and RSLinx Classic. Rockwell has been working with Microsoft on resolving the anomalies.

Schneider Electric

Schneider Electric is also monitoring the situation. The company has informed customers that the list of impacted products includes StruxureWare Data Center Expert (DCE), StruxureWare Data Center Operation (DCO), NetBotz Appliances, APC Network Management Cards, PowerChute Network Shutdown, PowerChute Business Edition, PowerChute Personal Edition, and 1ph and 3ph UPS.

“Many of the initial mitigations proposed by hardware and operating system vendors indicate a high level of potential performance impact, Schneider Electric recommends caution if mitigations or patches are applied to critical and/or performance constrained systems,” Schneider Electric said. “If you elect to apply recommended patches or mitigations in advance of further guidance from Schneider Electric, we strongly recommend evaluating the impact of those measures on a Test & Development environment or an offline infrastructure.”

Schneider Electric’s Wonderware warned users that one of Microsoft’s updates causes Wonderware Historian to become unstable.

ABB

Swiss power and automation solutions provider ABB told customers that it has launched an investigation, but all products running on affected processors are potentially impacted.

“The vulnerabilities do not target any ABB products specifically, but potentially affect products that use affected processors in general,” ABB said in an advisory published last week.

Until the company assesses the impact of the attacks on each of its products, it has advised customers to ensure that industrial networks are protected against unauthorized access. Unlike other vendors, ABB has advised customers to install operating system updates without mentioning the potential risks associated with applying unstable patches.

BD

BD pointed out to customers that the vulnerabilities are not exclusive to its products or medical devices in general, and the company believes the risk of attacks is low. BD has provided a list of impacted products.

The company has advised users to apply patches from Microsoft and any firmware updates that may become available. However, the updates from Microsoft should only be applied after they have been tested and approved by BD.

Testing needed before applying patches

While not all ICS vendors mentioned it, any patches and mitigations for the Spectre and Meltdown vulnerabilities should be tested before being deployed to critical systems, particularly since some of them may cause devices to become unstable.

“The changes needed to fix Spectre and Meltdown vulnerabilities more thoroughly are so extensive that costly and extensive testing will be needed before the updates can safely be applied to reliability-critical control systems,” explained Andrew Ginter, VP of Industrial Security at Waterfall Security.

“In the very short term, what every control system owner and operator will be asking is ‘how long can we safely delay this very costly testing process?’ and ‘do I need to drop everything and start testing and applying these fixes yesterday?’,” Ginter added.

AMD Working on Microcode Updates to Mitigate Spectre Attack
12.1.2018 securityweek

AMD has informed customers that it will soon release processor microcode updates that should mitigate one of the recently disclosed Spectre vulnerabilities, and Microsoft has resumed delivering security updates to devices with AMD CPUs.

Shortly after researchers revealed the Spectre and Meltdown attack methods, which allow malicious actors to bypass memory isolation mechanisms and access sensitive data, AMD announced that the risk of attacks against its products was “near zero.”

The company has now provided additional information on the matter, but maintains that the risk of attacks is low.

According to AMD, its processors are not vulnerable to Meltdown attacks thanks to their architecture. They are, however, vulnerable to Spectre attacks.

Spectre attacks are made possible by two vulnerabilities: CVE-2017-5753 and CVE-2017-5715. The former does impact AMD processors, but the chipmaker is confident that operating system patches are sufficient to mitigate any potential attacks.

Microsoft announced a few days ago that it had suspended the delivery of security updates to devices with AMD processors due to some compatibility issues. AMD said the problem affected some older processors, including Opteron, Athlon and Turion families.

Microsoft said on Thursday that it had resumed the delivery of updates to a majority of AMD devices, except for a “small subset” of older processors. AMD told customers it expects the issue to be corrected for the remaining processors by next week.

As for the second Spectre vulnerability, AMD believes it is difficult to exploit against its products. Nevertheless, the company has been working with operating system vendors to develop patches, and it has also promised to provide optional microcode updates.

The microcode updates should become available for Ryzen and EPYC processors in the coming days, and for previous generation products sometime over the coming weeks. The updates will be available from system manufacturers and OS vendors.

AMD claims its GPUs are not impacted by the vulnerabilities. NVIDIA also says its GPUs are immune, but the company has still provided some display driver updates to help mitigate the CPU flaws.

Intel has already released patches, including processor microcode updates, for many of its processors. Linux users can install the microcode updates through the operating system’s built-in mechanism.

The fixes for the Spectre and Meltdown vulnerabilities appear to cause problems on some systems. Ubuntu users complained that their devices failed to boot after installing updates, forcing Canonical to release a new kernel update to address the issue.

Intel has also become aware of reports that systems with Broadwell and Haswell CPUs reboot more often as a result of the patches.

“We are working quickly with these customers to understand, diagnose and address this reboot issue. If this requires a revised firmware update from Intel, we will distribute that update through the normal channels. We are also working directly with data center customers to discuss the issue,” the company stated.

Proposed Legislation Would Create Office of Cybersecurity at FTC
12.1.2018 securityweek Cyber

Two Democratic senators, Elizabeth Warren, D-Mass., and Mark Warner, D-Va, introduced a bill Wednesday that would provide the Federal Trade Commission (FTC) with punitive powers over the credit reporting industry -- primarily Equifax, Credit Union and Experian -- for poor cybersecurity practices.

The bill is in response to the huge Equifax breach disclosed in September, 2017. "Equifax allowed personal data on more than half the adults in the country to get stolen, and its legal liability is so limited that it may end up making money off the breach," said Senator Warren in a Wednesday statement.

If the bill succeeds, it will become the Data Breach Prevention and Compensation Act of 2018. It will create an Office of Cybersecurity at the FTC, "headed", says the bill (PDF), "by a Director, who shall be a career appointee." This Office would be responsible for ensuring that the CRAs conform to the requirements of the legislation, and would have the power to establish new security standards going forward.

The punitive power of the Act comes in the level of the potential fines, beginning with a base penalty of $100 for each consumer who had one piece of personal identifying information (PII) compromised and another $50 for each additional PII compromised per consumer. On this basis, were the Act already in force, Equifax would be facing a fine of at least $1.5 billion.

Under current law, say the lawmakers, it is difficult for consumers to get compensation when their personal data is stolen. Typical awards range from $1 to $2 per consumer. This bill requires the FTC to use 50% of its penalty to compensate consumers.

The maximum penalty is capped at 50% of the credit agencies' gross revenue from the previous year. This dwarfs even the EU's General Data Protection Regulation (GDPR) maximum fine of 4% of global revenue -- but it gets worse: it could increase to 75% of gross revenue where the offending CRA fails to comply with the FTC's data security standards or fails to notify the agency of a breach in a timely manner.

The bill requires CRAs to notify the FTC of a breach within 10 days of the breach -- it doesn't at this stage specify whether that is 10 days from the breach occurring, or 10 days from discovery of the breach. Within 30 days of being so notified, the FTC is then required to "commence a civil action to recover a civil penalty in a district court of the United States against the covered consumer reporting agency that was subject to the covered breach."

While 50% of any recovered money is to compensate the victims of the breach, the remaining 50% is to be used for cybersecurity research and inspections by the FTC's new Office of Cybersecurity.

"In today's information economy, data is an enormous asset. But if companies like Equifax can't properly safeguard the enormous amounts of highly sensitive data they are collecting and centralizing, then they shouldn't be collecting it in the first place," said Sen. Warner. "This bill will ensure that companies like Equifax -- which gather vast amounts of information on American consumers, often without their knowledge -- are taking appropriate steps to secure data that's central to Americans' identity management and access to credit."

How much traction this bill will receive in the Senate remains to be seen, but it reflects the general dismay felt by the size of the Equifax breach -- which could have been prevented if patches had been applied. It is not the first Equifax-related legislative proposal, but it is by far the most punitive. In November 2017, New York State Attorney General Eric T. Schneiderman introduced the Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) to improve security specifically within New York State.

SHIELD fines are capped at $250,000, and the disclosure requirement is vague: "The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement..." Put very simply, both proposals are designed to improve the security of their respective 'covered entities' (CRAs are covered in both bills), but SHIELD seeks to do so in a 'business friendly' manner, while the Data Breach Prevention and Compensation Act of 2018 seeks to do so in a 'consumer friendly' manner.

Bogus Passwords Can Unlock AppStore Preferences in macOS
12.1.2018 securityweek Apple

A security vulnerability impacting macOS High Sierra allows admins to unlock the AppStore Preferences in System Preferences by providing any password.

The issue was found to affect macOS 10.13.2, the latest iteration of the platform, and can be reproduced only if the user is logged in as administrator. For non-admin accounts, the correct credentials are necessary to unlock the preferences pane.

macOS High Sierra 10.13.2 users interested in reproducing the bug should log into their machines as administrators, then navigate to the App Store preferences in System Preferences.

Next, users should click on the padlock icon to lock it if necessary, then click it again. When prompted to enter the login credentials, they can use any password and still unlock the Prefpane.

One thing that should be noted is that the App Store settings pane is unlocked by default when the user is logged in as admin, and that no sensitive user information can be accessed by triggering the bug.

Eric Holtam notes the security oversight only impacts the App Store preferences and no other system preferences menu can be unlocked in a similar manner. The admin password is still required when attempting to change user and other system preferences.

The issue, however, is not as dangerous as it might look. For starters, the bug can only be triggered if the user is logged in as admin, which clearly minimizes the vulnerability’s impact, given that the admin can unlock the specific settings.

Users affected by the flaw would be those who, although logged in as admins, would still keep the App Store preferences locked. In such cases, if the machine was left unattended, anyone with physical access to it could change the respective settings.

Apple, however, is already working on addressing the issue. A patch has been included in the latest beta seed of macOS High Sierra (10.13.3) and will be released to all Mac users in a future software update.

In late November, the tech giant patched a critical authentication bypass vulnerability in macOS High Sierra 10.13.1, where anyone could log in as root by providing any password. The attack, however, was possible only if the root account hadn’t been enabled or a password hadn’t been set for it. Experts later revealed that remote attacks were also possible.

Never too late, Skype supports end-to-end encryption for new Private Conversations feature
12.1.2018 securityaffairs

It’s official, Microsoft’s Skype is rolling out a new feature called Private Conversations, which uses end-to-end encryption.
The latest version of Skype implements end-to-end encryption and introduces support for the Signal protocol, which is the protocol used by WhatsApp, Facebook Messenger, Google Allo, and Signal.

Private Conversations support text, audio calls, and file transfers, and thanks to the introduction of end-to-end encryption, attackers will not be able to snoop on them.

“We know extra protection is important as you share sensitive information over Skype so we’re excited to announce the preview of end-to-end encrypted Private Conversations, available now for Skype Insiders.” states the announcement published by Microsoft.

“With Private Conversations, you can have end-to-end encrypted Skype audio calls and send text messages or files like images, audio, or videos, using the industry standard Signal Protocol by Open Whisper Systems. The content of these conversations will be hidden in the chat list as well as in notifications to keep the information you share private.”

Currently, Private Conversations are only available in the Insider builds of Skype, which include the desktop version of the app along with the iOS, Android, Linux, and macOS clients.

Unfortunately, Private Conversations still don’t support video calling, and this is a very big limitation.

Experts have criticized Skype in the past for failing to implement end-to-end encryption, a limitation that gave an advantage to other instant messaging services such as WhatsApp and Facebook Messenger.

The adoption of the Signal protocol is significant: it is the first time Microsoft is not using a proprietary Skype encryption protocol.

If you want to test the new feature, select “New Private Conversation” from the compose menu or from the recipient’s profile.

“After the recipient accepts your invite, all calls and messages in that conversation will be encrypted end-to-end until you choose to end it.” continues Microsoft. “You can only participate in a private conversation from a single device at a time. You can switch the conversation to any of your devices, but the messages you send and receive will be tied to the device you’re using at the time.”


Security Operations Firm Arctic Wolf Raises $16 Million
11.1.2018 securityweek IT
Arctic Wolf Networks, a Sunnyvale, Calif.-based company that offers outsourced security operations center (SOC) services, announced on Wednesday that it has raised $16 million in new funding.

According to the company, the new injection of cash will help support overall business growth, and fuel sales and marketing, product development and strategic alliance initiatives.

With security operations teams overwhelmed by the sheer volume of vulnerabilities across the enterprise, they are falling behind in efforts to remediate them. According to a mid-2017 report published by EMA, seventy-four per cent of security teams admit they are overwhelmed by the volume of maintenance work required.

This is a problem that Arctic Wolf aims to help with. The company offers a turnkey “SOC-as-a-Service” that includes what the company calls a “Concierge Security Engineer” (CSE), who serves as a single point of contact for a customer and an extension of the customer’s internal security team.

“Security operations centers are an essential element of modern cybersecurity, and every company needs one,” said Brian NeSmith, CEO and co-founder of Arctic Wolf. “We are transforming how companies look at cybersecurity from a product-centric view to one focused on proactive detection and response. The new funding allows us to invest in key areas of the business and maintain our extraordinary growth trajectory.”

The funding round was led by Sonae Investment Management with participation from Lightspeed Venture Partners, Redpoint Ventures and Knollwood Investment Advisory.

Hackers Leak Olympic Committee Emails in Response to Russia Ban
11.1.2018 securityweek Hacking
A group of hackers linked to Russia has leaked several emails apparently exchanged between officials of the International Olympic Committee (IOC) and other individuals involved with the Olympics. The leak comes in response to Russia being banned from the upcoming Pyeongchang 2018 Winter Games in South Korea.

The group, calling itself Fancy Bears and claiming to be a team of hacktivists that “stand for fair play and clean sport,” previously released confidential athlete medical records stolen from the systems of the World Anti-Doping Agency (WADA), and also targeted the International Association of Athletics Federations (IAAF). One of their most recent leaks included emails and medical records related to football (soccer) players who used illegal substances.

The first leaks from Fancy Bears came shortly after Russian athletes were banned from the 2016 Rio Olympics following reports that Russia had been operating a state-sponsored doping program.

While Fancy Bears claim to be hacktivists, researchers have found ties between the group and Fancy Bear, a sophisticated Russian cyber espionage team also known as APT28, Pawn Storm, Sednit, Sofacy, Tsar Team and Strontium.

The latest leak includes emails apparently exchanged between IOC officials and other individuals involved with the Olympics. Some of the messages discuss the recent decision to ban Russia from the upcoming Winter Games based on the findings of the IOC Disciplinary Commission.

“These emails and documents point to the fact that the Europeans and the Anglo-Saxons are fighting for power and cash in the sports world. WADA headquartered in Montreal, Canada supported by the United States Olympic Committee declared the crusade against the IOC on the pretext of defending clean sport,” the hackers said. “However, the genuine intentions of the coalition headed by the Anglo-Saxons are much less noble than a war against doping. It is apparent that the Americans and the Canadians are eager to remove the Europeans from the leadership in the Olympic movement and to achieve political dominance of the English-speaking nations.”

While the hackers claim the emails they leaked prove the accusations, a majority of the messages don’t appear to contain anything critical. Furthermore, Olympics-related organizations whose systems were previously breached by the hackers claimed at the time that some of the leaked files had been doctored.

WADA representatives told Wired that Fancy Bears are looking to “undermine the work of WADA and others,” and claimed that everything they leaked this week is “dated.” WADA officially accused Russia of being behind previous attacks.

It’s unclear how the emails have been obtained by the hackers, but the group has been known to launch phishing attacks involving fake WADA domains. It’s possible that they tricked some of the individuals whose emails have been compromised into handing over their credentials on a phishing site.

Russia has been accused by several experts of disguising some of its cyber campaigns as hacktivism. For instance, a hacker using the moniker Guccifer 2.0 has taken credit for an attack on the U.S. Democratic Party, which may have influenced last year’s presidential election.

Many believe the Fancy Bears attacks are Russia’s response to its athletes being banned. Perhaps unsurprisingly, articles from two major pro-Russia English-language news organizations suggest that the latest leak from Fancy Bears shows that Russia’s exclusion from the Olympics was politically motivated.

Security firm McAfee reported last week that several organizations associated with the Olympics had received emails set up to deliver information-stealing malware, but it’s unclear who is behind the attacks.

Endgame Lands $1 Million Contract From U.S. Navy
11.1.2018 securityweek IT
Endgame, an Arlington, VA-based supplier of advanced endpoint protection software, has been awarded a $1 million contract by the U.S. Fleet Cyber Command/U.S. Tenth Fleet. The purpose of the contract is to protect more than 500,000 computers and ships' hull, mechanical and electrical systems, weapons and navigation systems, aviation systems, and the technology controlling physical devices on bases and facilities.

"Endgame is honored to enter this partnership with the U.S. Navy," said Nate Fick, Endgame CEO and U.S. military combat veteran. "The Navy is widely known as being on the cutting-edge of cybersecurity defenses, and we were happy to exceed their protection requirements during this competitive process. Safeguarding the most targeted organizations across the Department of Defense is an important part of our mission, and we look forward to continuing it with the Navy."

Fleet Cyber Command is the central cyber authority for the entire U.S. Navy, serving (in its own words), "to direct Navy cyberspace operations globally to deter and defeat aggression and to ensure freedom of action to achieve military objectives in and through cyberspace."

Specifically, the contract is for the acquisition of the Endgame Hunt Team Platform with 10,000 sensors, plus maintenance and support.

Endgame credits the contract to its existing history in protecting both federal government and the U.S. military, and its ability to protect against targeted attack techniques and technologies outlined in the MITRE ATT&CK Matrix. In 2016 it was awarded an $18.8 million contract by the U.S. Air Force.

The Navy's contract justification and approval document is more specific: "Delivered as a single agent, replacing the functions of AV, NGAV, IR, EDR, and exploit prevention agents, Endgame stops all targeted attacks and their components." It scans for vulnerabilities, compares against current STIG checklists, and conducts "if-then scenarios with secondary and tertiary effects (also known as a blast radius)..."

The STIG checklist is a NIST Windows 10 Security Technical Implementation Guide designed to improve the security of Department of Defense information systems. Endgame automatically maps the network against the STIG checklist to evaluate the network's security posture.

While stressing that FLTCYBER will continue to monitor the evolution of EDR, EPP and Next Gen AV technologies that could compete with Endgame in the future, it found that no other single technology currently provides all of its requirements. While combinations of other products could provide much of its required functionality, some requirements could still only be found in Endgame.

Of particular note is Endgame's ability to calculate the "blast radius" on a compromised box. Applied to cybersecurity, the blast radius is the potential effect on the overall network from a compromise. Network segmentation can, for example, limit the blast radius. Endgame's ability to apply 'what-if' scenarios can help security teams determine whether their network configuration is able to contain a potential compromise.

"No other product has been found by the FLTCYBER team at this time that can perform the blast radius function of Endgame," the Navy explained. "This has been identified as a key requirement by FLTCYBER."

Endgame was founded in 2008 by Chris Rouland and other executives who previously worked with the CIA and Internet Security Systems. It originally discovered and sold 0-day vulnerabilities, but shifted away from this around 2014. Under Fick's leadership it has grown its commercial offering using a $23 million Series B funding round in March 2013 followed by a $30 million Series C round in November 2014.

Security Flaws Found in Majority of SCADA Mobile Apps
11.1.2018 securityweek Mobil
Researchers from IOActive and Embedi have conducted an analysis of SCADA mobile applications from 34 vendors and found vulnerabilities in a vast majority of them, including flaws that can be exploited to influence industrial processes.

Two years ago, researchers Alexander Bolshev and Ivan Yushkevich analyzed 20 mobile apps designed to work with industrial control systems (ICS) software and hardware. At the time, they had found roughly 50 security issues – at least one in each application.

Bolshev, who now works for IOActive, and Yushkevich, currently an employee of Embedi, have once again decided to analyze mobile applications used for supervisory control and data acquisition (SCADA) systems in an effort to determine how the landscape has evolved now that the Industrial Internet of Things (IIoT) has become more prevalent.

This time, the experts randomly selected SCADA applications offered on the Google Play Store by 34 vendors – in most cases different from the ones tested back in 2015. The analysis focused on the client apps and backend systems, and it targeted both local and remote applications.

Local applications are typically installed on the tablets used by engineers and they connect directly to industrial devices via Bluetooth, Wi-Fi or a serial connection. Since these programs can be used to control devices such as PLCs, RTUs and industrial gateways, they are typically only used within the plant perimeter, which is considered safe. Remote applications, on the other hand, allow engineers to connect to ICS via the Internet and private cell networks. While in most cases they are only designed for monitoring processes, some of them do allow users to control processes.

Bolshev and Yushkevich set out to find vulnerabilities described in the 2016 OWASP Mobile Top 10 list. These flaws can allow attackers with local or remote access to a device – and ones in a man-in-the-middle (MitM) position – to directly or indirectly influence an industrial process, or trick an operator into performing a harmful action.

Apps from both independent developers and major vendors were tested, which led to the discovery of 147 vulnerabilities in clients and their backend systems.

Researchers found that all but two of the applications failed to implement protections against code tampering. The two apps that had such a mechanism only implemented a basic root detection feature. It is easier for malicious hackers to exploit vulnerabilities on rooted Android devices and some malware families are designed to root smartphones and tablets.

More than half of the tested applications also lacked secure authorization mechanisms – only 20 percent of the local apps implemented an authorization system correctly. The most common problems are the lack of password protection and the presence of a “remember password” feature, which defeats the purpose of setting password protection.

The experts also found that more than half of the apps lacked code obfuscation and other mechanisms designed to prevent reverse engineering. Allowing attackers to reverse engineer an application makes it easier for them to find and exploit vulnerabilities.

Nearly half of the tested apps also failed to store data securely. Data is often stored on the SD card or on a virtual partition, and it’s not protected with access control lists (ACLs) or other permission mechanisms.

Unsurprisingly, more than one-third of the analyzed applications failed to secure communications, including via poor handshakes, incorrect SSL versions, and cleartext data transmission. Researchers noted that their tests did not cover applications using Modbus and other ICS protocols, which are insecure by design.

As for backend issues, researchers discovered various types of vulnerabilities, including SQL injection, memory corruption, DoS, and information leakage flaws.

Back in 2015, Bolshev and Yushkevich predicted that the problems they had found would disappear in the future as a result of the rapidly developing nature of mobile software and the growth of IoT. However, their predictions have not proved to be correct, with the latest tests showing that more than 20 percent of the discovered issues allow malicious actors to misinform operators and influence industrial processes.

Highly Targeted Attacks Hit North Korean Defectors
11.1.2018 securityweek BigBrothers
A recent set of attacks aimed at North Korean defectors and journalists was associated with a highly targeted campaign conducted by an actor that does not appear to be related to any known cybercrime groups, McAfee says.

The attacks used a range of vectors to infect victims with malware, including email, the KakaoTalk chat application (which is popular in South Korea), and social network services such as Facebook. Some of the attacks also employed Google-shortened URLs to spread malware.

McAfee’s research into the incident revealed the use of two versions of the dropper malware, namely applications called “Pray for North Korea” and “BloodAssistant.” Most of the clicks leading to infection originated from South Korea in both cases, McAfee's security researchers discovered.

The most frequently observed browser and operating system combination for the clicks was Chrome and Windows, with Android coming in second, McAfee notes in a technical report. Furthermore, the investigation revealed that Facebook was used in 12% of infections to send a malicious link to the targets.

The Trojan used in this campaign, which McAfee detects as Android/HiddenApp.BP, is dropped onto the victim’s device via malicious APK files. Although various malicious apps are used for malware delivery, the dropper mechanism is identical, the researchers say.

The dropper first checks whether the device has already been infected, then tricks the victim into enabling accessibility permissions. The application then displays an overlay to hide the fact that it is turning on the required settings and downloading and installing the Trojan. The overlay is removed once the installation has been completed.

The Trojan uses cloud services such as Dropbox and Yandex as the command and control (C&C) server. Once installed, it uploads device information to the cloud, then downloads a file containing commands and other data to control the infected device. Malicious behavior such as saving SMS messages and contact information is implemented in a separate DEX file.

Variants of the malicious APKs were found on Google Drive; some used different cloud services as C&Cs, while others also dropped a separate call-recording application.

The researchers discovered that the initial malicious APKs were uploaded to Google Drive from a single account, which was also associated with a social network account. The same account is believed to have been used to send shortened URLs to victims.

The group behind the account appears to know the South Korean culture well, yet the account also revealed the use of the North Korean word for “blood type,” instead of the South Korean word. A North Korean IP address was also found in test log files on some Android devices connected to accounts used to spread the malware.

The researchers also discovered a deleted folder named Sun Team, which likely reveals the name of the actor behind the campaign, believed to have been active since 2016.

“This malware campaign is highly targeted, using social network services and KakaoTalk to directly approach targets and implant spyware. We cannot confirm who is behind this campaign, and the possible actor Sun Team is not related to any previously known cybercrime groups. The actors are familiar with South Korea and appear to want to spy on North Korean defectors, and on groups and individuals who help defectors,” McAfee concludes.

Meltdown Patch Broke Some Ubuntu Systems
11.1.2018 securityweek
Canonical was forced to release a second round of Ubuntu updates that address the recently disclosed CPU vulnerabilities after some users complained that their systems no longer booted after installing the initial patches.

On January 9, Canonical released Ubuntu updates designed to mitigate Spectre and Meltdown, two recently disclosed attack methods that work against processors from Intel, AMD, ARM, Qualcomm and IBM. The Linux kernel updates mitigate the vulnerabilities that allow the Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715) attacks.

Shortly after the kernel was updated to version 4.4.0-108, some Ubuntu users started complaining that their systems had failed to boot. Restoring the system to an earlier version apparently resolved the problem.

The updates released by Microsoft in response to the CPU flaws also caused problems, but only for users with some older AMD processors. The company has decided to no longer deliver the updates to AMD devices until compatibility issues are resolved. In the case of Ubuntu, however, the update has affected users with Intel processors.

Canonical has confirmed that the fix for the Meltdown vulnerability introduced a regression that prevented systems from booting successfully. The issue has been addressed with the release of new updates that deliver version 4.4.0-109 of the kernel.

Many affected users have confirmed that their systems boot properly after updating to 4.4.0-109. While it’s unclear how many devices have been hit, Canonical’s advisories mention “a few systems.”

Affected tech firms started announcing the availability of patches and workarounds for the Spectre and Meltdown vulnerabilities shortly after the flaws were disclosed by researchers. The latest major companies to release mitigations are IBM, whose POWER processors and Power Systems servers are impacted, and NVIDIA, which released updates for GPU display drivers and other products to help mitigate the CPU issues.

Meltdown and Spectre allow malicious applications to bypass memory isolation mechanisms and access passwords, photos, documents, emails, and other sensitive information. Patches for the underlying vulnerabilities may introduce significant performance penalties.

Mac Malware Creator Indicted in U.S.
11.1.2018 securityweek Apple
“FruitFly” Mac Malware Creator Allegedly Spied On Victims for 13 Years

An Ohio man was charged this week in a 16-count indictment for allegedly developing malware known as “FruitFly” and for infecting thousands of computers with it.

The man, Phillip R. Durachinsky, 28, of North Royalton, Ohio, has been charged with using the malware for more than 13 years to watch, listen to, and obtain personal data from unknowing victims, as well as to produce child pornography.

FruitFly, also known as Quimitchin, was first discovered a year ago, despite being said to have been developed over a decade ago. The malware was supposedly designed to exfiltrate data from anything it can access and its presence on machines at biomedical facilities led researchers to believe it was a cyber-espionage tool. What isn’t yet clear is how the malware was distributed to the compromised systems.

At Virus Bulletin last year, security researcher Patrick Wardle presented a paper on a second variant of FruitFly, explaining that the threat is installed persistently on the victims’ machines, that it employs obfuscation, and that it includes support for a large number of commands. By setting up a custom command and control (C&C) server for the threat, he was also able to observe and analyze the malware’s behavior.

The malware, Wardle revealed, included support for around 25 commands, and supports advanced commands rarely seen in macOS malware, such as the ability to simulate mouse and keyboard events, likely in an attempt to interact with system dialogs or alerts from security products.

Although designed to target Macs, FruitFly was found to contain Linux shell commands and to run just fine on Linux, which suggested that a variant targeting this operating system might have been built as well. Windows-based executable files that communicated with the malware’s C&C were also discovered, and one of them was found to use a libjpeg library that hasn't been updated since 1998, but which FruitFly also uses.

According to the indictment the Department of Justice made public this week, Durachinsky from 2003 through Jan. 20, 2017, allegedly orchestrated a scheme to access “thousands of protected computers owned by individuals, companies, schools, a police department, and the government, including one owned by a subsidiary of the U.S. Department of Energy.”

Using the FruitFly malware, he allegedly controlled infected computers “by accessing stored data, uploading files, taking and downloading screenshots, logging a user’s keystrokes, and turning on the camera and microphone to surreptitiously record images and audio,” DoJ said.

The indictment also alleges that Durachinsky used the malware to steal victims’ personal information, including logon credentials, tax records, medical records, photographs, banking records, Internet searches, and communications. He is also charged with using the stolen credentials to access and download information from third-party websites.

Moreover, Durachinsky is said to have used the compromised systems to watch and listen to victims without their knowledge or permission and to intercept oral communications taking place in the room where the infected computer was located. Durachinsky was apparently alerted if a user typed words associated with pornography and is said to have saved millions of images and to have kept detailed notes of what he saw.

“For more than 13 years, Phillip Durachinsky allegedly infected with malware the computers of thousands of Americans and stole their most personal data and communications,” Acting Assistant Attorney General John P. Cronan of the Justice Department’s Criminal Division said.

CSE Malware ZLab – Double Process Hollowing – The stealth process injection of the new Ursnif malware
11.1.2018 securityaffairs

A new variant of the infamous Ursnif malware spread in the wild and adopts a new advanced evasion technique dubbed Double Process Hollowing.
While LockPoS, a malware known for its incredibly advanced and sophisticated evasion technique, spread and affected many points of sale, another variant spread in the wild adopting a similar but not identical evasion trick. It is likely a new variant of “ursnif v3”, an evolution of an old banking trojan that has been spreading since November 2017. Moreover, the command and control server of this new malware, oretola[.]at, has been sinkholed by authorities, so it is difficult to reconstruct the malware's entire behavior and real purpose.

However, its stealth evasion technique, which allows it to remain invisible to many modern antivirus products, is very interesting to analyze. Its final stage hides the malware as a thread of the “explorer.exe” process, which makes analysis very difficult. To reach this goal, the malware uses a sort of “double process hollowing” technique based on the Windows Native API, leveraging the “svchost.exe” system process to escalate privileges and then inject malicious code into “explorer.exe”.

Only after concealing itself in “explorer.exe” does it start its malicious operations, which consist of contacting a series of compromised sites that host additional encrypted payloads. The final step of its malicious behavior is to periodically communicate with its C2, “oretola[.]at”, sending information about the victim host.

This malware probably spreads through spam emails; the message contains a URL that points to a compromised site on which the sample is hosted. We discovered the malware sample on just one of these compromised sites, in particular an Italian blog dedicated to dolls, “marinellafashiondolls[.]com/_private/php3.exe”.

Process Hollowing evasion technique

The malware almost exclusively uses the Windows Native API, including its undocumented functions, which makes monitoring by antivirus software more difficult.

Once the php3.exe file is executed, it deletes itself from the original path and copies itself to “%APPDATA%\Roaming\Microsoft\Brdgplua\ddraxpps.exe”.

Once this operation is completed, the malware starts its malicious behavior.

The full report published by researchers at ZLab details step by step the technique implemented by the malware.

macOS Malware Creator Charged With Spying on Thousands of PCs Over 13 Years
11.1.2017 thehackernews Apple

The U.S. Justice Department unsealed a 16-count indictment on Wednesday against a computer programmer from Ohio who is accused of creating and installing spyware on thousands of computers for more than 13 years.
According to the indictment, 28-year-old Phillip R. Durachinsky is the alleged author of FruitFly malware that was found targeting Apple Mac users earlier last year worldwide, primarily in the United States.
Interestingly, Durachinsky was just 14 years old when he programmed the first version of the FruitFly malware, and this full-fledged backdoor trojan went largely undetected for several years, despite using unsophisticated and antiquated code.
The malware was initially discovered in January 2017 by Malwarebytes and then Patrick Wardle, an ex-NSA hacker, found around 400 Mac computers infected with the newer strain of FruitFly. However, Wardle believed the number of infected Macs would likely be much higher.
The malware is capable of advanced surveillance on macOS devices with the ability to remotely take control of webcams, microphones, screen, mouse, and keyboards, as well as install additional malicious software.
Since the source code of Fruitfly also includes Linux shell commands, the researchers believe the malware would work just fine on the Linux operating system.
From 2003 to January 2017, Durachinsky used spyware, which was later named FruitFly, to gain access to thousands of computers belonging to individuals, companies, schools, a police department, and a subsidiary of the U.S. Department of Energy.
Durachinsky allegedly used the malware to steal the personal data of victims, including their tax records, banking records, medical records, login credentials, photographs, Internet searches, and potentially embarrassing communications.
"He is alleged to have developed computer malware later named “Fruitfly” that he installed on computers and that enabled him to control each computer by accessing stored data, uploading files, taking and downloading screenshots, logging a user’s keystrokes, and turning on the camera and microphone to surreptitiously record images and audio," the DoJ says.
Besides installing Fruitfly, Durachinsky is also accused of producing child pornography, as in some cases, the malware alerted him if a user typed any pornography term. It’s likely such action would prompt recording.
Durachinsky is facing charges of Computer Fraud and Abuse Act violations, Wiretap Act violations, production of child pornography, and aggravated identity theft.
However, the charges are merely allegations at this time, and the defendant is presumed innocent unless proven guilty beyond a reasonable doubt in a court of law.

WhatsApp Flaw Could Allow 'Potential Attackers' to Spy On Encrypted Group Chats
11.1.2017 thehackernews

A more dramatic revelation of 2018—an outsider can secretly eavesdrop on your private end-to-end encrypted group chats on WhatsApp and Signal messaging apps.
Considering protection against three types of attackers—malicious user, network attacker, and malicious server—an end-to-end encryption protocol plays a vital role in securing instant messaging services.
The primary purpose of having end-to-end encryption is to stop trusting the intermediate servers in such a way that no one, not even the company or the server that transmits the data, can decrypt your messages or abuse its centralized position to manipulate the service.
In other words—assuming the worst-case scenario—a corrupt company employee should not be able to eavesdrop on the end-to-end encrypted communication by any means.
However, so far even the popular end-to-end encrypted messaging services, like WhatsApp, Threema and Signal, have not entirely achieved a zero-knowledge system.
Researchers from Ruhr-Universität Bochum (RUB) in Germany found that anyone who controls WhatsApp/Signal servers can covertly add new members to any private group, allowing them to spy on group conversations, even without the permission of the administrator.
As described by the researchers, in pairwise communication (when only two users communicate with each other) the server plays a limited role, but in multi-user chats (group chats where encrypted messages are broadcast to many users), the server's role grows to managing the entire process.
That's where the issue resides, i.e. trusting the company's servers to manage group members (who eventually have full access to the group conversation) and their actions.
As explained in the newly published RUB paper, titled "More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema," since both Signal and WhatsApp fail to properly authenticate who is adding a new member to the group, it is possible for an unauthorized person—not a group administrator or even a member of the group—to add someone to the group chat.
What's more? If you are wondering that adding a new member to the group will show a visual notification to other members, it is not the case.
According to the researchers, a compromised admin or rogue employee with access to the server could manipulate (or block) the group management messages that are supposed to alert group members of a new member.
"The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group, however, leaves traces since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group," the paper reads.
"Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally, the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces."
WhatsApp has acknowledged the issue, but argued that if any new member is added to a group, let's say by anyone, other group members will get notified for sure.
"We've looked at this issue carefully. Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user," a WhatsApp spokesperson told Wired.
"The privacy and security of our users is incredibly important to WhatsApp. It's why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted."
But if you are not part of a group with very selected members, I'm sure many of you would relatively ignore such notifications easily.
Researchers also advised companies to fix the issue just by adding an authentication mechanism to make sure that the "signed" group management messages come from the group administrator only.
However, this attack is not easy to execute (the exception being services under legal pressure), so users should not be worried about it.

[Bug] macOS High Sierra App Store Preferences Can Be Unlocked Without a Password
11.1.2017 thehackernews Apple

Yet another password vulnerability has been uncovered in macOS High Sierra, which unlocks App Store System Preferences with any password (or no password at all).
A new password bug has been discovered in the latest version of macOS High Sierra that allows anyone with access to your Mac to unlock the App Store menu in System Preferences with any random password or no password at all.
The impact of this vulnerability is nowhere as serious as the previously disclosed root login bug in Apple's desktop OS that enabled access to the root superuser account simply by entering a blank password on macOS High Sierra 10.13.1.
As reported on Open Radar earlier this week, the vulnerability impacts macOS version 10.13.2 and requires the attacker to be logged in with an administrator-level account for this vulnerability to work.
I checked the bug on my fully updated Mac laptop, and it worked by entering a blank password as well as any random password.
If you're running latest macOS High Sierra, check yourself:
Log in as a local administrator
Go to System Preferences and then App Store
Click on the padlock icon (double-click on the lock if it is already unlocked)
Enter any random password (or leave it blank) in login window
Click Unlock, Ta-da!
Once done, you'll gain full access to App Store settings, allowing you to modify settings like disabling automatic installation of macOS updates, app updates, system data files and even security updates that would patch vulnerabilities.
We also tried to reproduce the same bug on the latest developer beta 4 of macOS High Sierra 10.13.3, but it did not work, suggesting Apple probably already knows about this issue and you'll likely get a fix in this upcoming software update.
What's wrong with password prompts in macOS? It's high time Apple stopped shipping updates with such embarrassing bugs.
Apple also patched a similar vulnerability in October in macOS, which affected encrypted volumes using APFS wherein the password hint section was showing the actual password of the user in the plain text.

A security issue in WhatsApp potentially allows attackers to eavesdrop on encrypted Group chats
11.1.2017 securityaffairs  Krypto

An attacker can secretly eavesdrop on your private end-to-end encrypted group chats on WhatsApp, Threema and Signal messaging apps.
Even if the messaging services implement end-to-end encryption, an attacker or someone in the company that provides the service can decrypt your messages.

A group of researchers from Ruhr-Universität Bochum (RUB) in Germany discovered that anyone who controls the WhatsApp/Signal servers can covertly add new members to any private group without the permission of the administrator; with this trick it is possible to spy on group conversations.

In case of multi-user chats, the servers manage the entire communication process.

“Contrary to classical multi-user chats, for example, to IRC in which all members are online, groups in IM protocols must work in asynchronous settings; Groups must be createable and messages must be deliverable even if some group members are offline” reads the paper published by the researchers, titled “More is Less: On the End-to-End Security of Group Chats in Signal, WhatsApp, and Threema,”

“We observed two shortcomings in the design of WhatsApp’s group protocol that allow to (1) burgle into a group and to (2) forge acknowledgments. The shortcomings have similar results as the attacks on Signal, although the underlying protocol and exploitation differ”

The experts discovered that both Signal and WhatsApp fail to properly authenticate the entity that is adding a new member to the group. This means that an unauthorized user who is not a group administrator, or even a member of the group, can add a member to the group conversation.

The experts also discovered that it is possible to add a new member without notifying the other members. This is possible because a rogue admin or employee with access to the server could manipulate (or block) the group management messages.

The abilities to burgle into a group and to forge acknowledgments could be chained to allow an attacker who controls the WhatsApp server or can break the transport layer security to fully control group activities.

“The described weaknesses enable attacker A, who controls the WhatsApp server or can break the transport layer security, to take full control over a group. Entering the group, however, leaves traces since this operation is listed in the graphical user interface. The WhatsApp server can therefore use the fact that it can stealthily reorder and drop messages in the group,” explained the researchers.

“Thereby it can cache sent messages to the group, read their content first and decide in which order they are delivered to the members. Additionally, the WhatsApp server can forward these messages to the members individually such that a subtly chosen combination of messages can help it to cover the traces.”

According to WhatsApp, the situation is quite different because if any new member is added to a group other group members will receive a notification.

“We’ve looked at this issue carefully. Existing members are notified when new people are added to a WhatsApp group. We built WhatsApp so group messages cannot be sent to a hidden user,” a WhatsApp spokesperson told Wired.

“The privacy and security of our users is incredibly important to WhatsApp. It’s why we collect very little information and all messages sent on WhatsApp are end-to-end encrypted.”

The RUB team also recommends that the companies fix the issue by adding an authentication mechanism to group management messages, so that only legitimate administrators can manage the membership of group chats.

The Ruhr University researchers reported the findings of their investigation to WhatsApp in July. In response to their report, WhatsApp fixed one problem with a feature of its encryption, making it harder to crack future messages even after an attacker obtained one decryption key.

“But they told the researchers the group invitation bug they’d found was merely “theoretical” and didn’t even qualify for the so-called bug bounty program run by Facebook, WhatsApp’s corporate owner, in which security researchers are paid for reporting hackable flaws in the company’s software.” continues Wired.

As mentioned, the experts also investigated Threema and Signal.

For Threema, the researchers found minor flaws: an attacker who controls the server can replay messages or re-add users to a group after they have been removed. Once informed of the issues, Threema released a version to address them.

For Signal the attack is more difficult because the attacker would have to not only control the Signal server but also know an unguessable number called the Group ID. Carrying out the attack therefore requires knowledge of the Group ID, which can only be obtained from one of the group members' devices, in which case the group is likely already compromised.
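The fix the RUB researchers recommend, in this article and in the one above, is to authenticate group management messages so that only the administrator can change membership. The following Go program is an added illustration of that idea, not code from the paper, WhatsApp or Signal: the message format, the pinned admin key, the demo seed and the per-group sequence counter (which lets a member notice dropped or reordered management messages) are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

// GroupMsg is a group-management message as a member's device receives it.
// The wire format is an assumption for this example, not WhatsApp's or Signal's.
type GroupMsg struct {
	GroupID string
	Seq     uint64 // per-group counter, so dropped, replayed or reordered messages are noticed
	Op      string // "add" or "remove"
	Member  string
	Sig     []byte // Ed25519 signature by the group admin; a server-injected message has none
}

// Group is one member's local view of the group, with the admin's public key
// pinned when the member joined (assumed to be verified out of band).
type Group struct {
	ID      string
	AdminPK ed25519.PublicKey
	Members map[string]bool
	LastSeq uint64
}

var (
	ErrUnauthenticated = errors.New("group management message not signed by admin")
	ErrOutOfOrder      = errors.New("group management message dropped, replayed or reordered")
)

func NewGroup(id string, adminPK ed25519.PublicKey) *Group {
	return &Group{ID: id, AdminPK: adminPK, Members: map[string]bool{}}
}

// signedPayload length-prefixes every field under a fixed domain tag, so a
// signature over one field split cannot be reinterpreted as another.
func signedPayload(groupID string, seq uint64, op, member string) []byte {
	var buf bytes.Buffer
	buf.WriteString("group-mgmt-v1\x00")
	for _, s := range []string{groupID, op, member} {
		binary.Write(&buf, binary.BigEndian, uint32(len(s)))
		buf.WriteString(s)
	}
	binary.Write(&buf, binary.BigEndian, seq)
	return buf.Bytes()
}

// AdminSign is what the administrator's device does before handing the message to the server.
func AdminSign(adminSK ed25519.PrivateKey, m *GroupMsg) {
	m.Sig = ed25519.Sign(adminSK, signedPayload(m.GroupID, m.Seq, m.Op, m.Member))
}

// Apply is what every member's device does on receipt. The server only relays; it
// cannot produce a valid Sig, so an injected "add" is rejected before it changes membership.
func (g *Group) Apply(m GroupMsg) error {
	if m.GroupID != g.ID {
		return errors.New("message is for a different group")
	}
	if !ed25519.Verify(g.AdminPK, signedPayload(m.GroupID, m.Seq, m.Op, m.Member), m.Sig) {
		return ErrUnauthenticated
	}
	if m.Seq != g.LastSeq+1 {
		return ErrOutOfOrder
	}
	switch m.Op {
	case "add":
		g.Members[m.Member] = true
	case "remove":
		delete(g.Members, m.Member)
	default:
		return fmt.Errorf("unknown operation %q", m.Op)
	}
	g.LastSeq = m.Seq
	return nil
}

// DemoAdminKey derives a key pair from a constant seed so the example is
// reproducible. It is a constructed demo key; never use a fixed seed for real keys.
func DemoAdminKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	sk := ed25519.NewKeyFromSeed(bytes.Repeat([]byte{0x42}, ed25519.SeedSize))
	return sk.Public().(ed25519.PublicKey), sk
}

func main() {
	pk, sk := DemoAdminKey()
	g := NewGroup("family", pk)

	add := GroupMsg{GroupID: g.ID, Seq: 1, Op: "add", Member: "bob"}
	AdminSign(sk, &add)
	fmt.Println("admin adds bob: ", g.Apply(add), g.Members)

	// Whoever controls the server tries to slip in an extra member without a signature.
	rogue := GroupMsg{GroupID: g.ID, Seq: 2, Op: "add", Member: "eve"}
	fmt.Println("server adds eve:", g.Apply(rogue), g.Members)

	// The server replays the legitimate add message; the sequence check catches it.
	fmt.Println("replayed add:   ", g.Apply(add))
}
```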

Italian researcher discovered that Gmail shuts down after sending a Zalgo text
11.1.2018 securityaffairs

Researchers at security firm We Are Segment have discovered a vulnerability in Gmail, a “distorted” message shuts down the most famous webmail in the world.
The cybersecurity company We Are Segment, part of the Interlogica group, discovered a severe vulnerability in Gmail.

Last month the Italian firm made the headlines due to the discovery of the Tormoil vulnerability.

The flaw in Gmail was discovered by the white hat hacker Roberto Bindi; it could be exploited to shut down Gmail by sending the victim a specially crafted message, preventing the user from accessing his/her email account.

“The test was born out of curiosity. Roberto wanted to see what would have happened if a Zalgo text was injected into a web browser.” reads the press release published by the company.

A Zalgo text is a type of text composed of characters and metacharacters (letters, numbers and other symbols) which extend sideways – above and under – the original text, thanks to the effect produced by the standard Unicode combiners.

The first experiment conducted by the expert demonstrated that inserting a Zalgo text (which can also be generated by web applications) containing a great number of metacharacters (more than 1,000,000) triggered a browser crash, namely the web browser shut down for a few minutes.

Despite the already interesting results, Roberto Bindi didn’t stop there, he decided to send a Zalgo text via Gmail again, expecting another browser crash. Unfortunately, he couldn’t even imagine what kind of results this test would reveal.

What he managed to discover surpassed his imagination: it wasn’t the browser crashing; instead, it was Gmail itself.
The email is effectively received by the recipient, but he cannot open it and, after just a few moments, Gmail shuts down showing the “Error 500” message (internal server failure due to unspecified reasons, like an irreversible code error).

The young researcher managed to find a technical artifice to bypass the block and reactivate the email account, in order to repeat the experiment and verify the duration of the Gmail shutdown. He discovered that the account went down for 4 entire days.

After this discovery, Roberto decided to contact Google's team. After a few weeks, the team communicated that they had begun working on the issue.

“After discovering that by sending a series of special characters the Google’s mail system stopped working, I started worrying about the possible consequences and damages that this vulnerability might have caused when publicized. An ill-intentioned person might have blocked email accounts like “purchases@…” or other work emails, by sending a simple email.” explained Roberto Bindi.
“That’s why my company decided to publish this piece of information only after the issue had been solved by Google. Our choice was based on ethics and it mirrors our company’s ethics code, underlining how WeAreSegment is formed by ethical

This Gmail vulnerability discovered by the researcher Roberto Bindi demonstrates how research is one of the most important aspects of cyber security.

“Thanks to this activity, we can directly contribute to the Cyber Security improvement worldwide” – says Filippo Cavallarin, We Are Segment CEO.

New Malware Dubbed LockPos Introduces New Injection Technique To Avoid Detection
11.1.2018 securityaffairs

Security Researchers from Cyberbit have discovered a new malware injection technique being used by a variant of Flokibot malware named LockPoS.
A Point of Sale (PoS) malware is a malicious application that steals credit card data from the memory of computers connected to credit card equipment. Once it has infected a system, the LockPoS malware tries to gain access to and read the memory of the currently running processes, searching for data that matches the pattern of credit card information, which it then sends to its command and control server.

“Cyberbit malware researchers recently discovered a stealthy new malware injection technique being used by LockPoS that appears to be a new variant of that used by Flokibot.” reads the analysis published by CyberBit.

“LockPoS is a Point-of-Sale (PoS) malware that steals credit card data from the memory of computers attached to point of sale credit card scanners. LockPos reads the memory of currently running processes on the system, searching for data that looks like credit card information and then sends them to the C&C.”

LockPoS is distributed by the same botnet associated with the propagation of Flokibot, and its source code has some similarities with it. In that regard, it is important to note that the malware unpacks and decrypts itself in several stages, using different techniques and API-calling routines for injection that are related to those of Flokibot.

There are three main routines used by the PoS malware discovered by Cyberbit to inject code into a remote process: NtCreateSection, NtMapViewOfSection, and NtCreateThreadEx. A core DLL native to Windows, ntdll.dll, is used in the injection technique; the ntdll routines with the “Nt” prefix form the native API layer that separates user space from kernel space. The injection technique involves creating a section object in the kernel with NtCreateSection, calling NtMapViewOfSection to map a view of that section into another process, copying the code into the section, and then creating a remote thread with NtCreateThreadEx or CreateRemoteThread to execute the code.

When a routine from ntdll is called, the hexadecimal value of the system call is copied into the EAX register, and a system call instruction switches the thread to kernel mode. The kernel then executes the routine selected by the value in EAX; the parameters are copied from the user stack to the kernel stack and the routine is executed.

To avoid antivirus detection, the malware does not call the injection routines from the ntdll already loaded in its process; instead, it maps ntdll from the file on disk into its own virtual address space. By doing so, the malware maintains a clean copy of the DLL that is not detected by antivirus software.

Cyberbit researchers also noticed that the malware’s NtMapViewOfSection call targets the explorer.exe process.

“One LockPoS malware injection technique involves creating a section object in the kernel using NtCreateSection, calling NtMapViewOfSection to map a view of that section into another process, copying code into that section and creating a remote thread using NtCreateThreadEx or CreateRemoteThread to execute the mapped code.” continues the analysis.


The researchers’ report also notes that improved memory analysis is the only effective way to detect this technique, since Windows 10 kernel functions can’t be monitored.
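Two detection rules for the chain described above, written as an added example and not Cyberbit's code: the telemetry, PIDs, paths and addresses are constructed placeholders of the kind an ETW consumer or kernel driver would record, since user-mode hooks never see a manually mapped ntdll.

```python
"""Detection rules for the section-mapping injection chain described above.

Constructed example, not Cyberbit's code. The input is a hand-built list of
process/kernel-object events; the PIDs, paths and addresses are placeholders.
"""
from collections import defaultdict

# Constructed sample telemetry: (actor_pid, api, target_pid, detail).
SAMPLE_EVENTS = [
    # Suspect process 4101: normal loader copy of ntdll, then a second,
    # manually mapped copy (the "clean ntdll" trick), then the injection chain.
    (4101, "LoadImage", 4101, r"C:\Windows\System32\ntdll.dll"),
    (4101, "NtCreateSection", 4101, r"C:\Windows\System32\ntdll.dll"),
    (4101, "NtMapViewOfSection", 4101, r"C:\Windows\System32\ntdll.dll"),
    (4101, "NtCreateSection", 4101, "pagefile-backed"),
    (4101, "NtMapViewOfSection", 2820, "pagefile-backed"),     # view in explorer.exe (PID 2820)
    (4101, "NtCreateThreadEx", 2820, "start=0x7ff6a0001000"),  # remote thread in explorer.exe
    # Benign process 1500: maps a section only into itself, no remote thread.
    (1500, "LoadImage", 1500, r"C:\Windows\System32\ntdll.dll"),
    (1500, "NtCreateSection", 1500, "pagefile-backed"),
    (1500, "NtMapViewOfSection", 1500, "pagefile-backed"),
]


def _is_ntdll(detail):
    return detail.lower().endswith("ntdll.dll")


def find_double_mapped_ntdll(events):
    """Processes that map ntdll.dll again after the loader already loaded it.

    A second image view of ntdll is how the malware obtains unhooked Nt* stubs,
    so user-mode hooks placed on the loader's copy never fire.
    """
    loader_loaded = set()
    flagged = set()
    for actor, api, target, detail in events:
        if api == "LoadImage" and _is_ntdll(detail):
            loader_loaded.add(target)
        elif (api == "NtMapViewOfSection" and _is_ntdll(detail)
              and target == actor and actor in loader_loaded):
            flagged.add(actor)
    return flagged


def find_remote_section_injection(events):
    """(actor, target) pairs completing NtCreateSection -> NtMapViewOfSection
    into another process -> NtCreateThreadEx/CreateRemoteThread in that process."""
    has_section = set()                 # actors that created a section object
    remote_views = defaultdict(set)     # actor -> processes it mapped a view into
    alerts = []
    for actor, api, target, _detail in events:
        if api == "NtCreateSection":
            has_section.add(actor)
        elif api == "NtMapViewOfSection" and target != actor and actor in has_section:
            remote_views[actor].add(target)
        elif api in ("NtCreateThreadEx", "CreateRemoteThread") and target in remote_views[actor]:
            alerts.append((actor, target))
    return alerts


if __name__ == "__main__":
    print("double-mapped ntdll in PIDs:", sorted(find_double_mapped_ntdll(SAMPLE_EVENTS)))
    print("remote section injection:", find_remote_section_injection(SAMPLE_EVENTS))
```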
AT&T Backs Away From Deal to Supply China Made Huawei Phones
11.1.2018 securityweek IT
AT&T has reportedly walked away from a deal to provide U.S. customers with new mobile phones made by Chinese technology giant Huawei.

Based in Shenzhen, China, Huawei announced in December 2017 that it would be supplying smartphones via U.S. carriers this year; and it was widely expected that a deal would be announced during the CES Huawei Keynote speech in Las Vegas on Tuesday.

But just one day earlier, The Wall Street Journal reported that AT&T had backed out of the deal under political pressure. Members of the U.S. Senate and House intelligence committees had apparently written to the FCC on 20 December, 2017, noting concerns over "Chinese espionage in general, and Huawei's role in that espionage in particular."

It is assumed that this led to political pressure on AT&T to abandon the deal; and it is believed that Verizon is under pressure not to conclude a similar deal with Huawei later in the year. Huawei has been a persona non grata in U.S. official channels since a 2012 Congressional Report raised concerns over possible state-sponsored espionage delivered via Huawei communications equipment.

Huawei has always denied any involvement with the Chinese government; and the U.S. is almost alone in 'banning' (effectively, if not legally) Huawei equipment. Similar concerns in the UK government have to a large extent been mitigated by the ability to examine hardware and reverse engineer software under GCHQ oversight at a location called The Cell in Banbury, near Oxford.

There is little official comment about what happened this week. It seems from Huawei's consumer business unit CEO Richard Yu's comments on Tuesday that Huawei blames AT&T for the breakdown of the deal. "It's a big loss for consumers," he told his audience, "because they don't have the best choice for devices."

Although entering the market late, Huawei is already the world's third largest supplier of smartphones, behind only Samsung and Apple. Access to the huge American market, where by far the majority of phones are provided by the carriers, will now be seriously limited. It is worth noting that there is no legal ban on Huawei phones, and the Chinese company will still sell them to American consumers through online outlets such as Amazon.

There are some similarities with the US government ban on Russia's Kaspersky Lab products. In both cases, concern has been raised over historical ties with the founders' respective governments. Eugene Kaspersky, founder and CEO of Kaspersky Lab, was educated at a KGB-sponsored school and served in the Russian military as a software engineer; while Ren Zhengfei, founder and president of Huawei Technologies Co, is an ex-People's Liberation Army officer. There is concern that both companies could retain covert relations with their respective governments.

There is, however, one very big difference. With Kaspersky Lab, the ban is on its use by federal agencies. With Huawei, the ban is effectively on anyone seeking to acquire Huawei hardware via a phone-and-data-plan from a carrier; that is, the Huawei ban excludes general consumers -- who could pose no national security risk -- from acquiring these phones in the most popular manner.

This in turn has raised some concerns that the pressure on AT&T is more economic and perhaps geopolitical than it is national security. Could it be additional political pressure on China to be more proactive against North Korea? Or could it be a visible manifestation of 'America First' and President Trump's demand that China balance bilateral trade between the two countries?

Either way, it is unlikely to be good for U.S./China relations.

The South China Morning Post today quoted He Weiwen, a former business counselor at the Chinese consulate in New York. "Investment cooperation between China and the U.S. will be squeezed," he said. "China should contemplate countermeasures."

However, at this stage it is only conjecture (however well-informed) that this is a U.S. political move -- without further details it could be an AT&T business decision.

"This might be because there is something preinstalled on the phones that AT&T doesn't agree with; for example, preinstalled software, certificate authority certificates and other things that might yield some kind of data gathering capabilities and/or control either directly or indirectly," noted F-Secure's principal security consultant Tom Van de Wiele. "It might be that Huawei is putting its foot down on the application eco-system and its rules."

He also pointed out further non-political issues that could have scuppered the deal. "The phone might be too 'open' in that it easily allows you to unlock it and switch telcos, away from AT&T -- and that's still a huge thing in the U.S."

Similarly, there are potential security issues with any phone, possibly heightened by Huawei phones using Huawei proprietary chips. "As Android devices come in a multitude of deployments -- it's easier for overly 'curious' features to get included without being noticed," F-Secure's security adviser Sean Sullivan told SecurityWeek. "There have been several cases in which vendors screwed up and included things such as Baidu components in European deployments."

But he added, "These were budget phones; you get the quality that you pay for. In the case of Huawei -- too many eyes are/would be auditing its devices -- it's doubtful that anything deliberate would be done via an AT&T phone." Sullivan is not convinced that the AT&T deal has been shelved for purely security concerns.

This is the second China deal to have been prevented in the last few days. Last week the U.S. Committee on Foreign Investment rejected Chinese firm Ant Financial's takeover bid for U.S.-based money transfer firm MoneyGram -- again citing national security concerns.

NVIDIA Updates GPU Drivers to Mitigate CPU Flaws
11.1.2018 securityweek
NVIDIA has released updates for its GPU display drivers and other products in an effort to mitigate the recently disclosed attack methods dubbed Meltdown and Spectre.

Shortly after researchers revealed the existence of the flaws that allow Meltdown and Spectre exploits, which can be leveraged to gain access to sensitive data stored in a device’s memory, NVIDIA announced that its GPU hardware is “immune,” but the company has promised to update its GPU drivers to help mitigate the CPU issues.

The Meltdown and Spectre vulnerabilities affect processors from Intel, AMD and ARM. Similar to Qualcomm, some of NVIDIA’s system-on-chip (SoC) products rely on ARM CPUs and the company has promised to develop mitigations.

On Tuesday, NVIDIA informed customers about the availability of GPU display driver updates that include mitigations for one of the Spectre vulnerabilities, specifically CVE-2017-5753. The company is still working on determining if the second Spectre flaw, CVE-2017-5715, affects its GPU drivers. On the other hand, there is no indication that the drivers are impacted by the Meltdown vulnerability (CVE-2017-5754).

NVIDIA has provided display driver updates for the Windows and Linux versions of GeForce, Quadro, and NVS graphics cards. In the case of Tesla GPUs, updates have been provided only for the R384 branch, while an update for R390 is expected to become available during the week of January 22. In the case of the GRID virtual GPU solution, updates should become available by the end of the month.

NVIDIA has also released updates for the Android-based Shield TV media player and Shield Tablet, and the Jetson embedded system, which is built around the Tegra mobile processor. The company says only the Jetson TX2 update includes mitigations for all three CPU vulnerabilities – the other updates include mitigations only for CVE-2017-5753 and in some cases CVE-2017-5715 (i.e. the Spectre flaws).

The mitigations for the Meltdown and Spectre vulnerabilities are known to introduce performance penalties for certain types of operations, but NVIDIA has not provided any information on this issue.

Intel says regular users should not see any difference after applying the fixes, but Microsoft’s tests show that most Windows 7 and 8 systems will likely incur significant penalties if they use 2015-era or older CPUs.

Tests conducted by Red Hat also showed significant slowdowns for certain types of operations. However, Amazon, Google and Apple said they had not seen any noticeable performance problems – although some AWS customers did report degraded performance.

Let's Encrypt Disables TLS-SNI-01 Validation
11.1.2018 securityweek
Free and open Certificate Authority (CA) Let’s Encrypt on Tuesday disabled TLS-SNI-01 validation after learning that users could abuse it to obtain certificates for domains they do not own.

The issue was found to have been created by the use of the ACME TLS-SNI-01 challenge type for domains on a shared hosting infrastructure. Discovered by Frans Rosén of Detectify, the bug could be abused for malicious purposes, which sparked Let’s Encrypt to disable TLS-SNI-01 validation entirely.

The issue doesn’t appear to be related to the certificate authority itself, but to a combination of factors. However, it is centered on the manner in which the ACME server (the CA) validates a domain name’s IP address as part of ACME protocol’s TLS-SNI-01 challenge.

As part of the process, a random token is generated. The ACME client uses it to create a self-signed certificate for a hostname under the invalid TLD (.acme.invalid) and configures the web server for the domain name to serve that certificate. The ACME server then looks up the domain name’s IP address, initiates a TLS connection, sends the specific invalid hostname in the SNI extension, and expects to receive in response a self-signed certificate containing that hostname.

When that happens, “the ACME client is considered to be in control of the domain name, and will be allowed to issue certificates for it,” Josh Aas, Internet Security Research Group (ISRG) Executive Director, explains.

However, when more users are hosted on the same IP address, which happens with large hosting providers, and these users also have the ability to upload certificates for arbitrary names without proving domain control, the assumptions behind TLS-SNI are broken and an attack is possible.

Thus, if an attacker controls a website hosted at the same shared hosting IP address as a legitimate site, the attacker can run an ACME client to request a TLS-SNI-01 challenge for the legitimate website and obtain a certificate for it that they are not entitled to.

The attacker would simply install their .acme.invalid certificate on the hosting provider, which will serve it to the ACME server when it looks up the legitimate website. Next, the ACME server will consider the attacker’s ACME client as being authorized to issue certificates for the legitimate website, and the attack is successful.

“This issue only affects domain names that use hosting providers with the above combination of properties. It is independent of whether the hosting provider itself acts as an ACME client. It applies equally to TLS-SNI-02,” Aas explains.

Let’s Encrypt disabled TLS-SNI-01 immediately after becoming aware of the issue, but plans on restoring the service as soon as possible, given that a large number of people and organizations use the TLS-SNI-01 challenge type to get certificates. However, they won’t enable it until they consider it sufficiently secure.

“At this time, we believe that the issue can be addressed by having certain services providers implement stronger controls for domains hosted on their infrastructure. We have been in touch with the providers we know to be affected, and mitigations will start being deployed for their systems shortly,” Aas notes.

Let’s Encrypt is also working on creating a list of vulnerable providers and associated IP addresses and to re-enable the TLS-SNI-01 challenge type with vulnerable providers blocked from using it.
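The validation and the shared-hosting failure mode as a runnable model, added here and not Let's Encrypt's or Detectify's code: the challenge name is simplified to sha256(token)[:32] + ".acme.invalid" (the real challenge uses two labels), TLS is modelled as an SNI lookup, and the provider-side control shown (refusing customer uploads of *.acme.invalid certificates) is one possible "stronger control", assumed here rather than taken from any provider's deployment.

```python
"""Model of the ACME TLS-SNI-01 check and why shared hosting breaks it.

Added example, not Let's Encrypt's or Detectify's code. Simplifications are
stated as assumptions in the comments below.
"""
import hashlib
import secrets


def challenge_name(token):
    """Hostname the ACME client must present in a self-signed certificate
    (simplified single-label form; assumption, not the exact ACME derivation)."""
    return hashlib.sha256(token.encode()).hexdigest()[:32] + ".acme.invalid"


class HostingProvider:
    """One shared IP, many customers, and an SNI -> certificate table that
    customers fill by uploading certificates for arbitrary names."""

    def __init__(self, ip, block_acme_invalid=False):
        self.ip = ip
        self.block_acme_invalid = block_acme_invalid   # assumed mitigation switch
        self.sni_table = {}     # presented SNI name -> certificate subject served

    def upload_certificate(self, customer, subject):
        # Flawed property: any customer may install a certificate for any name.
        # Control: names under .acme.invalid are reserved for validation.
        if self.block_acme_invalid and subject.endswith(".acme.invalid"):
            raise PermissionError(f"{customer}: acme.invalid certificates are reserved")
        self.sni_table[subject] = subject

    def tls_handshake(self, sni):
        """Subject of the certificate served for this SNI name, if any."""
        return self.sni_table.get(sni)


class AcmeServer:
    """The CA side: issue a token, later connect and compare certificates."""

    def __init__(self, dns, hosts_by_ip):
        self.dns = dns                  # domain -> IP (constructed records)
        self.hosts = hosts_by_ip        # IP -> HostingProvider
        self.pending = {}               # domain -> token

    def new_challenge(self, domain):
        token = secrets.token_hex(16)
        self.pending[domain] = token
        return token

    def validate(self, domain):
        expected = challenge_name(self.pending[domain])
        ip = self.dns[domain]                          # look up the domain's IP
        presented = self.hosts[ip].tls_handshake(expected)
        return presented == expected                   # only control of the IP is checked


def run_scenario(block_acme_invalid):
    """An attacker on the same shared IP requests a challenge for victim.example.
    Returns True if the CA would accept the attacker's validation."""
    provider = HostingProvider("203.0.113.10", block_acme_invalid)   # constructed IP
    dns = {"victim.example": provider.ip, "attacker.example": provider.ip}
    ca = AcmeServer(dns, {provider.ip: provider})
    provider.upload_certificate("victim", "victim.example")   # the legitimate site's own cert
    token = ca.new_challenge("victim.example")                # requested by the attacker's client
    try:
        provider.upload_certificate("attacker", challenge_name(token))
    except PermissionError:
        return False
    return ca.validate("victim.example")


if __name__ == "__main__":
    print("mis-issuance possible on flawed provider:", run_scenario(False))
    print("mis-issuance possible with upload control:", run_scenario(True))
```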

IBM Starts Patching Spectre, Meltdown Vulnerabilities
10.1.2018 securityweek
IBM has started releasing firmware patches for its POWER processors to address the recently disclosed Meltdown and Spectre vulnerabilities. The company is also working on updates for its operating systems, but those are expected to become available only next month.

On January 4, one day after researchers disclosed the Meltdown and Spectre attack methods against Intel, AMD and ARM processors, IBM informed customers that it had started analyzing impact on its own products. On Tuesday, the company revealed that its POWER processors are affected.

IBM told customers that attacks against its Power Systems server line can be fully mitigated only by installing both firmware and operating system patches.

The company has already released firmware patches for its POWER7+ and POWER8 processors, and fixes are expected to become available for POWER9 systems on January 15. Users of earlier products that are still supported will be notified at a later time about the availability of firmware updates.

Users whose devices run Linux can obtain operating system patches from their respective vendors. Red Hat, SUSE and Canonical have already released fixes. As for IBM’s own operating systems, namely AIX and IBM i, patches are expected to become available on February 12.

“If this vulnerability poses a risk to your environment, then the first line of defense is the firewalls and security tools that most organizations already have in place,” IBM explained.

The company has told customers that IBM storage appliances are not impacted by the vulnerabilities.

The mitigations for the Meltdown and Spectre vulnerabilities are known to introduce performance penalties for certain types of operations, but IBM has not mentioned anything about performance impact.

Intel says regular users should not see any difference after applying the fixes, but Microsoft’s tests show that most Windows 7 and 8 systems will likely incur significant penalties if they use 2015-era or older CPUs.

In addition to performance penalties, some mitigations also cause problems due to compatibility issues. Microsoft has required security product vendors to set a specific registry key in order for their customers to receive security updates. Furthermore, one of the company’s updates has been found to break computers with some older AMD processors.

Industrial Cybersecurity Firm Nozomi Networks Raises $15 Million
10.1.2018 securityweek ICS
Industrial cybersecurity firm Nozomi Networks has raised $15 million in a Series B funding round, the company announced Wednesday. The new funding brings the total amount raised by the company to date to $23.8 million.

Nozomi’s flagship offering, SCADAguardian, employs machine learning and behavioral analysis to detect zero-day attacks in real-time; while integration with firewalls and SIEMs, ICS incident alerting and notification systems allow rapid response to alerts.

The company said the additional funding will be used to support worldwide expansion of marketing, sales and support and further bolster product innovation.

Nozomi Networks Exhibits at SecurityWeek's 2017 ICS Cyber Security Conference in Atlanta (Image Credit: SecurityWeek)

The company claims to be rapidly gaining new customers across 5 continents, with more than 200 deployments that span energy, manufacturing, pharmaceuticals, chemicals, mining, utilities and other sectors.

“Now is a prudent time for funding to meet this exploding market opportunity,” said Nozomi Networks CEO Edgard Capdevielle. “We resisted the temptation of raising too much funding before our product leadership was established.”

“FireEye’s recent discovery of Triton malware in the wild highlights how critical infrastructure facilities are increasingly at risk. After extensive testing, we've partnered with Nozomi Networks because they provide the right solution customers need to detect these attacks at the earliest stages and minimize the impact before the safety and reliability of their critical operations is threatened,” Grady Summers, CTO at FireEye, said in a statement.

The Invenergy Future Fund led the Series B round with participation from THI Investments and all existing investors, GGV Capital, Lux Capital and Planven Investments SA. Nozomi previously raised $7.5 million in a Series A funding round in late 2016.

Nozomi is one of several security startups targeting the industrial space that have recently raised funding. Others include Dragos, Indegy, Bayshore Networks, CyberX, Claroty, and SCADAFence. Veteran industrial software firm PAS raised $40 million in April 2017. Darktrace, which has an offering targeted to the industrial sector, recently raised $75 million at a valuation of $825 million.

Rockwell Automation Patches Serious Flaw in MicroLogix 1400 PLC
10.1.2018 securityweek
A firmware update released a few weeks ago by Rockwell Automation for its MicroLogix 1400 programmable logic controllers (PLCs) patches a potentially serious vulnerability.

The MicroLogix PLC family is used worldwide by organizations in the critical infrastructure, food and agriculture, and water and wastewater sectors for controlling processes.

Thiago Alves from the University of Alabama in Huntsville (UAH) discovered that these controllers are affected by a buffer overflow vulnerability. In 2016, Alves and two other UAH researchers published a paper on using virtual testbeds for industrial control systems (ICS).

According to Rockwell Automation, the expert discovered that several MicroLogix 1400 PLCs running version 21.002 and earlier of the firmware are affected by a buffer overflow vulnerability that can be triggered by sending specially crafted Modbus TCP packets to affected devices. The flaw can be exploited remotely by an unauthenticated attacker.

“The Modbus buffer is not deallocated when a packet exceeds a specific length. Repeated sending of Modbus TCP data can cause a denial of service to the Modbus functionality, and potentially cause the controller to fault,” the vendor explained.

The security hole is tracked as CVE-2017-16740 and it has been classified by both Rockwell and ICS-CERT as high severity with a CVSS score of 8.6. While Rockwell’s advisory only mentions DoS attacks, ICS-CERT’s advisory says it may also be possible to exploit the flaw for remote code execution.

Rockwell Automation patched the vulnerability last month with the release of firmware version 21.003 for series B and series C hardware. As a workaround, users can disable Modbus TCP support if it’s not needed, which prevents remote access to the device.
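The bug class the advisory describes (a receive buffer that is not released when a packet exceeds the allowed length) shown beside a handler that validates the MBAP length field and always releases the buffer; this is an added example, not Rockwell Automation's firmware or Thiago Alves's code, and the frames and buffer pool are constructed stand-ins.

```python
"""Modbus TCP frame handling with length validation and a buffer that is
always released, beside the leaky pattern the advisory describes.

Added example, not Rockwell Automation's firmware. Frames are constructed and
the BufferPool stands in for a controller's fixed set of receive buffers.
"""
import struct

MBAP_LEN = 7                     # transaction id (2), protocol id (2), length (2), unit id (1)
MAX_PDU = 253                    # Modbus application PDU limit
MAX_LENGTH_FIELD = MAX_PDU + 1   # length field counts unit id + PDU


class ModbusFrameError(ValueError):
    pass


class ResourceExhausted(RuntimeError):
    pass


def parse_modbus_tcp(frame):
    """Validate the MBAP header before touching any payload bytes."""
    if len(frame) < MBAP_LEN + 1:
        raise ModbusFrameError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if pid != 0:
        raise ModbusFrameError(f"unknown protocol id {pid}")
    if not 2 <= length <= MAX_LENGTH_FIELD:
        raise ModbusFrameError(f"length field {length} out of range")
    if len(frame) != MBAP_LEN - 1 + length:
        raise ModbusFrameError("length field does not match frame size")
    pdu = frame[MBAP_LEN:]
    return {"transaction_id": tid, "unit_id": uid, "function": pdu[0], "data": pdu[1:]}


class BufferPool:
    """A fixed number of receive buffers, as a resource-constrained device has."""

    def __init__(self, size):
        self.free = size

    def acquire(self):
        if self.free == 0:
            raise ResourceExhausted("no free Modbus receive buffers")
        self.free -= 1

    def release(self):
        self.free += 1


def handle_frame_leaky(frame, pool):
    """Bug pattern: the buffer is released only on the success path, so every
    rejected oversized frame permanently consumes one buffer."""
    pool.acquire()
    result = parse_modbus_tcp(frame)   # raises on oversized frames; buffer never released
    pool.release()
    return result


def handle_frame(frame, pool):
    """Fixed pattern: release on every path, including rejected frames."""
    pool.acquire()
    try:
        return parse_modbus_tcp(frame)
    finally:
        pool.release()


# Constructed frames: a valid Read Holding Registers request (function 3,
# start 0, count 10) and one whose MBAP length field (600) exceeds the maximum.
GOOD_FRAME = struct.pack(">HHHB", 1, 0, 6, 1) + bytes([0x03, 0x00, 0x00, 0x00, 0x0A])
OVERSIZED_FRAME = struct.pack(">HHHB", 2, 0, 600, 1) + b"\x03" + b"\x00" * 598


def still_serving_after_flood(handler, pool_size=4, bad_frames=4):
    """Feed oversized frames, then check whether a valid request still succeeds."""
    pool = BufferPool(pool_size)
    for _ in range(bad_frames):
        try:
            handler(OVERSIZED_FRAME, pool)
        except ModbusFrameError:
            pass                      # rejected, as it should be
        except ResourceExhausted:
            return False
    try:
        handler(GOOD_FRAME, pool)
        return True
    except ResourceExhausted:
        return False


if __name__ == "__main__":
    print("parsed:", parse_modbus_tcp(GOOD_FRAME))
    print("leaky handler survives flood:", still_serving_after_flood(handle_frame_leaky))
    print("fixed handler survives flood:", still_serving_after_flood(handle_frame))
```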

Last month, after discovering a serious DoS vulnerability in several product lines from Siemens, experts at industrial cybersecurity firm CyberX pointed out that these types of flaws should not be taken lightly.

“The December 2016 attack on the Ukrainian electrical grid used this type of exploit to disable protection relays and make it more difficult for operators to recover,” the company told SecurityWeek at the time.

Android Malware Developed in Kotlin Programming Language Found in Google Play
10.1.2018 securityweek Android
Security researchers at Trend Micro have discovered a malicious application in Google Play that was developed using the Kotlin programming language.

Detected as ANDROIDOS_BKOTKLIND.HRX, the malicious program was masquerading as Swift Cleaner, a utility designed to clean and optimize Android devices. The application had between 1,000 and 5,000 installs when discovered.

Kotlin, a first-class language for writing Android apps, was announced in May 2017. Coming from Google, it is open source and is already used by 17% of Android Studio projects. Some of the top applications to use the programming language include Twitter, Pinterest, and Netflix.

Developers using Kotlin can deliver safer applications, due to avoiding entire classes of errors, and can also ensure their software is interoperable by taking advantage of existing libraries for JVM, Android, and the browser. What’s yet uncertain is how malware developers can leverage the programming language when building nefarious code.

The discovered malicious application, Trend Micro says, can engage in a broad range of nefarious activities, including remote command execution. It is also capable of stealing users’ information, sending SMS messages, forwarding URLs, and performing click ad fraud. Furthermore, it has been designed to sign up users for premium SMS subscription services without their permission.

When first launched, the malware sends device information to a remote server and starts a background service to receive tasks from the command and control (C&C) server. Upon the initial infection, the malware also sends a message to a specified number provided by the C&C.

Upon receiving SMS commands, the remote server starts executing URL forwarding and click ad fraud operations on the infected device.

During the click ad fraud routine, the malware uses Wireless Application Protocol (WAP), a technical standard for accessing information over a mobile wireless network. Next, malicious JavaScript code is injected and regular expressions are replaced, so that the malicious actors can parse the ads’ HTML code in a specific search string.

“Subsequently, it will silently open the device’s mobile data, parse the image base64 code, crack the CAPTCHA, and send the finished task to the remote server,” Trend Micro explains.

The malicious program can send information on the service provider, login data, and CAPTCHA images to the C&C server. Once such information is uploaded, the C&C server automatically processes a premium SMS service subscription, which can cost the victim money.

To stay protected from such threats, both end users and enterprise customers are advised to install and maintain a security solution on their devices.

According to Trend Micro, Google was informed on the security risk the Swift Cleaner application poses and the company verified that Google Play Protect can keep users safe from this malware family.

SAP Publishes Light Patch Day for January 2018
10.1.2018 securityweek
SAP this week released its monthly set of security patches to address just three vulnerabilities in its products, all three rated Medium severity.

In addition to the three security notes, the January 2018 SAP Security Patch Day includes four updates to previously released security notes. These too had a Medium severity rating, the company said.

The most severe of the patches was an update to a security note released in October 2014, which addressed a code injection bug in Knowledge Provider. The issue is tracked as CVE-2018-2363 and has a CVSS score of 6.5.

“Depending on the code, attackers can inject and run their own code, obtain additional information that should not be displayed, change and delete data, modify the output of the system, create new users with higher privileges, control the behavior of the system, or escalate privileges by executing malicious code or even perform a DOS attack,” ERPScan, a company that specializes in securing SAP and Oracle products, explains.

SAP also released an update to a security note released in December 2017, addressing CVE-2017-16690, a DLL preload attack possible on NwSapSetup and Installation self-extracting program for SAP Plant Connectivity (CVSS score 5.0).

Newly resolved issues include CVE-2018-2361, an improper role authorization issue in SAP Solution Manager 7.2 (CVSS score 6.3), CVE-2018-2360, a missing authentication check in Startup Service (CVSS score 5.8), and CVE-2018-2362, an information disclosure in Startup Service in SAP HANA (CVSS score 5.3).

By exploiting CVE-2018-2360, an attacker could access a service “without any authorization procedures and use service functionality that has restricted access. This can lead to an information disclosure, privilege escalation and other attacks,” ERPScan reveals.

CVE-2018-2361’s exploitation could provide an attacker with the possibility to edit all tables on the server, which could result in data compromise, the company continues.

ERPScan, which considers the code injection security note updates as a single patch, says that 10 SAP Security Notes (5 SAP Security Patch Day Notes and 5 Support Package Notes) were closed with the January 2018 SAP Security Patch Day. 3 were updates to previous security notes and 5 were released after the second Tuesday of the previous month and before the second Tuesday of this month.

Electrum patches a critical flaw that exposed Bitcoin Wallets to hack since 2016
10.1.2018 securityaffairs

The development team behind the popular Electrum Bitcoin wallet app has issued an emergency patch for a critical vulnerability in the company bitcoin wallets.
Electrum is a free application that’s used by many cryptocurrency sites to store bitcoin. Administrators can run their own Electrum server and the software supports hardware wallets such as Trezor, Ledger and Keepkey.

The vulnerability allowed any website hosting the Electrum wallet to potentially steal the user’s cryptocurrency.

The flaw seems to have been present in the software for almost two years; it is related to the exposure of passwords in the JSONRPC interface.

The company’s first security patch failed to address the issue, so Electrum issued a second update on Sunday evening.

The story began in November, when many researchers observed massive scans for Bitcoin and Ethereum wallets by attackers seeking to steal their funds.

The security expert Didier Stevens observed a significant scanning activity over the weekend, just two days before Bitcoin price jumped from $7,000 to over $8,000.

The researcher observed a huge number of requests to his honeypot to retrieve Bitcoin wallet files.
Of course, the crooks were also exploring the possibility of targeting other cryptocurrencies, such as Ethereum. The analysis published by Bleepingcomputer.com, which reported the discovery made by researcher Dimitrios Slamaris, is very interesting.

The security expert reported Internet-wide Ethereum JSON-RPC scans.

The expert caught a JSON-RPC call in his honeypot: someone was making requests to the JSON-RPC interface of Ethereum nodes, an interface that should only be exposed locally.

Access to the interface does not implement any authentication mechanism, and wallet apps installed on the PC can send commands to the Ethereum client to manage funds. If the interface is exposed online, attackers can send requests to this JSON-RPC interface and issue commands to move funds to an attacker’s wallet.

In early November, Slamaris uncovered another massive scan that allowed the attacker to steal 8 Ethers (about $3,200 at the current exchange rate).

Slamaris, working with SANS Internet Storm Center expert Johannes Ullrich, also uncovered a second campaign; they found two IP addresses scanning particularly aggressively with these requests, belonging to Interserver Inc. (a New Jersey hosting company) and NFOrce Entertainment BV (a Dutch hosting company).

A user going by the name of “jsmad” noticed that the Electrum wallet app was also exposing a similar JSON-RPC interface online.

“The JSONRPC interface is currently completely unprotected, I believe it should be a priority to add at least some form of password protection.” wrote the user.

“Scans for the JSONRPC interface of Ethereum wallets have already started:

Knowledge of the Electrum password allowed attackers to interact with the wallets through the JSON-RPC interface.

The Electrum developers were criticized by the well-known Google white hat hacker Tavis Ormandy, who contacted the company.

“Hello, I’m not a bitcoin user, a colleague pointed me at this bug report because localhost RPC servers drive me crazy 😛.” wrote Ormandy.

“I installed Electrum to look, and I’m confused why this isn’t being treated as a critical and urgent vulnerability? If this bug wasn’t already open for months, I would have reported this as a vulnerability, but maybe I misunderstand something.

The JSON RPC server is enabled by default, it does use a random port but a website can simply scan for the right port in seconds.

I made you a demo. It’s very basic, but you get the idea. If you did set a password, some misdirection is required, but it’s still game over, no?

Here is how I reproduced:

Install Electrum 3.0.3 on Windows.
Create a new wallet, all default settings. I left the wallet password blank – the default setting.
Visit in Chrome.
Wait a few seconds while it guesses the port, then an alert() appears with:
seed: {"id": 0.7398595146147573, "result": "pony south strike horror throw acquire able afford pen lunch monster runway", "jsonrpc": "2.0"}
(Note: I don’t use bitcoin, you can steal my empty wallet if you like)”

In a real attack scenario, hackers could trick Electrum users into visiting a malicious website that scans for Electrum’s random JSON-RPC port and empties the wallet by issuing commands.

Below is a video of such an attack, shared by a Twitter user:

“Update your #electrum wallets. Only having the program running and surfing the web can be unsafe. Any website can steal your wallet if it is not protected with a password or if it's easy to guess it can be bruteforced #bitcoin”

8:02 PM - Jan 7, 2018

The Electrum development team released version 3.0.5, which addresses the vulnerability; users are urged to update their wallet app.

According to the developers, the flaw affects versions 2.6 to 3.0.4 of Electrum, on all platforms. It also affects clones of Electrum such as Electron Cash.

“In addition, the vulnerability allows an attacker to modify user settings, the list of contacts in a wallet, and the “payto” and “amount” fields of the user interface while Electrum is running,” reads the analysis published by the Electrum development team.

“Although there is no known occurrence of Bitcoin theft occurring because of this vulnerability, the risk increases substantially now that the vulnerability has been made public.”
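The weakness described above is a localhost JSON-RPC server that treats "listening on 127.0.0.1" as an access control, even though a page in the browser can POST to that port as easily as a local tool can. The following is an added example of how such an endpoint can be guarded; it is not Electrum's or any other wallet's code, and the user name, the random password, the `version` method and the handler class are all assumptions made for the illustration. It applies two independent checks: a per-install random secret sent as HTTP Basic credentials and compared in constant time, and a rejection of any request that carries an `Origin` header (browsers always add one to cross-site requests, local tools do not) or that does not use `Content-Type: application/json`, which is not a CORS "simple" type and therefore forces a preflight the server never approves.

```python
"""
Guarding a localhost JSON-RPC endpoint against requests sent by web pages.
Added example; not Electrum's or any wallet's own code.
"""
import base64
import hmac
import json
import secrets
from http.server import BaseHTTPRequestHandler, HTTPServer

# Hypothetical per-install credentials; a real wallet would persist them in
# its config file so that the user's own tools can read them.
RPC_USER = "wallet"
RPC_PASSWORD = secrets.token_urlsafe(24)

# Constructed stand-ins for wallet methods; only listed names are callable.
METHODS = {"version": lambda: "example-wallet 0.1"}


def basic_auth_header(user: str, password: str) -> str:
    """Value of the Authorization header a legitimate local client sends."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def check_rpc_request(headers, expected_user: str, expected_password: str):
    """Return (allowed, reason). Header names are matched case-insensitively."""
    h = {k.lower(): v for k, v in headers.items()}
    if "origin" in h:
        return False, "Origin header present: request came from a web page"
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        return False, "Content-Type must be application/json"
    auth = h.get("authorization", "")
    if not auth.startswith("Basic "):
        return False, "missing HTTP Basic credentials"
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False, "malformed Authorization header"
    # Evaluate both comparisons so a wrong user name and a wrong password
    # take the same time to reject.
    user_ok = hmac.compare_digest(user.encode(), expected_user.encode())
    pass_ok = hmac.compare_digest(password.encode(), expected_password.encode())
    if not (user_ok and pass_ok):
        return False, "bad credentials"
    return True, "ok"


class GuardedRpcHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        allowed, reason = check_rpc_request(self.headers, RPC_USER, RPC_PASSWORD)
        if not allowed:
            # 401 for credential problems, 403 for everything else. No CORS
            # headers are ever emitted, so a preflighted browser request fails.
            self.send_response(401 if "credentials" in reason else 403)
            self.end_headers()
            self.wfile.write(reason.encode())
            return
        length = int(self.headers.get("Content-Length", 0))
        request = json.loads(self.rfile.read(length) or b"{}")
        method = METHODS.get(request.get("method"))
        reply = {"jsonrpc": "2.0", "id": request.get("id")}
        if method is None:
            reply["error"] = {"code": -32601, "message": "Method not found"}
        else:
            reply["result"] = method()
        body = json.dumps(reply).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    server = HTTPServer(("127.0.0.1", 0), GuardedRpcHandler)
    print(f"listening on 127.0.0.1:{server.server_address[1]}")
    print(f"Authorization: {basic_auth_header(RPC_USER, RPC_PASSWORD)}")
    server.serve_forever()
```

Either check alone is enough to stop the page-in-the-browser scenario; keeping both means a misconfigured CORS layer added later does not silently reopen the hole, and the credential check also covers non-browser software running on the same machine.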

How Antivirus Software Can be the Perfect Spying Tool
10.1.2018 securityweek
Your antivirus product could be spying on you without you having a clue. It might be intentional but legitimate behavior, yet (malicious) intent is the one step separating antivirus software from a cyber-espionage tool. A perfect one, experts argue.

Because we trust the antivirus to keep us safe from malware, we let it look at all of our files, no questions asked. Whether personal files or work documents, the antivirus has access to them all, which allows it to work as needed.

We do expect a security product to work in this manner, as most of them have been designed to scan all files on the system to detect any possible threats, and we accept this behavior as being part of our computer’s protection mechanism.

What if the very same features that are meant to protect us from threats become the threats themselves? Would it be possible for an antivirus application to be used as a spying tool, to flag documents of interest and exfiltrate them instead of keeping our files safe? The answer appears to be “Yes!”

“In order for AV to work correctly, it has to be plumbed into the system in such a way that it can basically see and control anything the system can do. Memory allocation, disk reads and writes, communication, etc... This means that it is essentially in the middle of all transactions within the OS. Therefore, it makes a pretty good candidate for take over and compromise,” Jason Kent, CTO at AsTech, told SecurityWeek via email.

In some cases, the data exfiltration, which is legitimate behavior, could result in unintended leakage, as would be the case with security programs that upload binaries to cloud-based multiscanners like Google’s VirusTotal. In an attempt to better assess whether files are malicious or not, these security tools end up leaking data if the analyzed files are accessible to the multiscanner’s subscribers.

But what if your antivirus was intentionally turned into a tool that could spy on you? Would that be possible without modifying the program itself? According to security researcher Patrick Wardle, it is possible.

To prove this, using Joxean Koret’s “Antivirus Hacker’s Handbook” as the basis for an experiment, he tampered with the virus signatures of Kaspersky Lab’s Internet Security for macOS, modifying one of the signatures to automatically detect classified documents and mark them for collection. By modifying signatures instead of the antivirus engine, he did not alter the security application’s main purpose.

Wardle conducted his experiment on a Kaspersky product for an obvious reason: last year, reports suggested that the Russian-based security company’s software had been used to steal classified documents from a National Security Agency (NSA) contractor’s computer. The contractor took home sensitive data, including NSA exploits, and was apparently targeted by hackers after a Kaspersky product on his home computer flagged the files as malicious and sent them to the company’s server for further analysis.

In December 2017, the NSA contractor, Vietnam-born Nghia Hoang Pho, agreed to plead guilty to removing and retaining top-secret documents from the agency. Last week, another NSA contractor agreed to plead guilty after being accused of hoarding around 50 terabytes of NSA data and documents in his home and car over a 20-year period.

In September 2017, the United States Department of Homeland Security (DHS) ordered government departments and agencies to stop using Kaspersky products due to concerns regarding the company’s ties to Russian intelligence. Last month, Lithuania said it would ban Kaspersky Lab's products from computers managing key energy, finance and transport systems due to security concerns.

The anti-virus maker has continually denied any connections to the Russian government and even launched a new transparency initiative to clear its name. In December, the company sued the U.S. government over the product ban.

So far, no evidence has been presented that shows any inappropriate connections between Kaspersky Lab and the Russian government.

In a technical analysis published last year, Kaspersky suggested the report might be referring to a 2014 incident where its antivirus worked as intended by flagging what appeared to be suspected Equation malware source code on a personal computer. The company said it had deleted the files from its servers but couldn’t confirm the NSA contractor was involved in the incident.

Wardle set out to find out whether the Moscow-based security company’s products can indeed be used to flag and exfiltrate classified documents. He successfully modified a signature for his copy of the product, despite the complex process Kaspersky employs for updating and deploying virus signatures onto users’ computers.

And while he made the modifications locally, his experiment demonstrated that it is indeed possible to abuse anti-virus programs to spy on users. By modifying their signatures, antivirus programs can become “the absolute perfect cyber-espionage collection” tools. And this is not true of Kaspersky’s products only.

“Of course if an anti-virus company wanted to (or was forced to) they'd simply deploy a new signature likely to select clients (targets), in order to persistently detect such documents […]. I am confident without a doubt that any anti-virus product with collection capabilities could arbitrarily collect (exfiltrate) files flagged by their product,” Wardle noted.

The file collection capability is, of course, designed to support legitimate functionality of the product. Thus, for an antivirus product to become a spying tool, it would have to have an actor with malicious intent behind it.

“A malicious or willing insider within any anti-virus company, who could tactically deploy such a signature, would likely remain undetected. And of course, in a hypothetical scenario; any anti-virus company that is coerced to, or is willing to work with a larger entity (such as a government) would equally be able to stealthily leverage their product to detect and exfiltrate any files of interest,” Wardle concluded.

The researcher’s findings aren’t surprising and Kaspersky themselves said last week that “any malicious actor who gains administrative access to a computer could theoretically engage in file searching activity on the computer or subvert almost any application running on it (which is the type of activity that Kaspersky Lab products are designed to detect and prevent).”

SecurityWeek contacted Kaspersky for comment, but they redirected us to last week’s statement, saying that that is their official position.

Security experts contacted by SecurityWeek for perspective agree that antivirus products could potentially be used for nefarious purposes, if a malicious actor was involved. While the general consensus is that users wouldn’t even know if their antivirus was spying on them, it doesn’t mean that antivirus companies engage in such practices. Only that it would be possible to use their products in such a manner.

“AV vendors must be very careful to ensure they are never compromised. Imagine if I could control all of the AV installations at an enterprise. It would be possible to make all of those machines participate in a botnet or use the AV system to load additional code, such as Ransomware. This is conceptually possible as the engine and signatures are designed to be changed via an update process. Compromise there would be a very interesting thing for sure,” Kent told us.

Chris Morales, head of security analytics at San Jose, California-based Vectra Networks, agrees that antivirus products could be manipulated to find and exfiltrate sensitive documents. He also agrees that this could be the act of a malicious or willing insider at any antivirus company.

“AV vendors, as do many security vendors who perform malware scanning on the network and endpoint, have administrative level access to systems to scan files for malicious code. This scanning engine could be manipulated to look for sensitive documents and then upload them to the cloud analysis engine. This would most likely be someone at the vendor with malicious intent,” Morales told SecurityWeek in an emailed comment.

“Security vendors who perform cloud based analysis have to walk a very thin line and it is important that these vendors implement the proper controls to ensure they do not create the security hole for customers. I would say most vendors do a very good job of ensuring their processes are secure and would not cause a problem for the client. This does mean there is a level of trust in security vendors that clients need to validate and should be asking for a description of how their detection processes work,” Morales continued.

Chris Roberts, chief security architect at a Santa Clara, Calif.-based threat protection firm, told SecurityWeek that it is a known fact that “Kaspersky is not the only tool that’s built into enterprises to be used against themselves for the fortunes of malicious intent.” Over the past couple of years, several endpoint detection tools have been revealed to have trouble identifying problems and to include management techniques that can be turned against enterprises.

“So, yes, Kaspersky software can be used against the intended targets, we have established that. The mechanism is there, however, the INTENT is the issue. The analysis into IS it being used against organizations is the factor that is obviously in dispute. Late last year, the UK took the step to warn all agencies against deploying Kaspersky. The US has already taken that step, but in all honesty, IF we were to look at the plethora of endpoint detection/manipulation/management tools out there, we’d better remove 50% of them for the same insecurities and inabilities to protect the very end-users we’re trying to save,” Roberts says.

He also points out that most security software out there requires access to everything stored on a computer, not only one single product. “The others all being carefully kept out of the news in the hope we don’t all suddenly wake up and realize that everything designed to keep us safe is also designed to access our darkest secrets… and scour them for whatever we hope it’s meant to be finding… or what it WANTS to find,” Roberts continued.

Of course, there’s no proof that an antivirus program has been used for malicious intent, although it is clear that they could be used in such a manner. As Wardle puts it: “Please avoid jumping to the conclusion that this [is] something Kaspersky, or any other anti-virus company actually did!”

Kaspersky Lab has continually denied any inappropriate ties to the Russian intelligence services, and there is no public evidence to suggest otherwise. Unfortunately for the Moscow-based security company, this is a result of the effect of geopolitics on cybersecurity.

Turla APT group’s espionage campaigns now employ Adobe Flash Installer and ingenious social engineering
10.1.2018 securityaffairs APT

Turla APT group’s espionage campaigns now employ the Adobe Flash installer and an ingenious social engineering technique: the backdoor is downloaded from what appear to be legitimate Adobe URLs and IP addresses.
Security researchers from ESET who analyzed recent cyber espionage campaigns conducted by the dreaded Turla APT group reported that the hackers use malware downloaded from what appear to be legitimate Adobe URLs and IP addresses.

Turla is the name of a Russian cyber espionage APT group (also known as Waterbug, Venomous Bear and KRYPTON) that has been active since at least 2007 targeting government organizations and private businesses.

The list of victims is long and also includes the Swiss defense firm RUAG, the US Department of State, and the US Central Command.

The Turla arsenal is composed of sophisticated hacking tools and malware tracked as Turla (Snake and Uroburos rootkit), Epic Turla (Wipbot and Tavdig) and Gloog Turla. In June 2016, researchers from Kaspersky reported that the Turla APT had started using […].

In the most recent attacks, the group packages its macOS backdoor with a real Adobe Flash installer and, from the endpoint’s perspective, the malware is downloaded onto victim systems from a remote IP address belonging to Akamai, the Content Delivery Network that Adobe also uses for its own distribution. Legitimate Flash installers are, in fact, also distributed through the Akamai network.

“In recent months, we have observed a strange, new behavior, leading to compromise by one of Turla’s backdoors. Not only is it packaged with the real Flash installer, but it also appears to be downloaded from adobe.com,” reads the report published by ESET.

“From the endpoint’s perspective, the remote IP address belongs to Akamai, the official Content Delivery Network (CDN) used by Adobe to distribute their legitimate Flash installer.”

Researchers noted that Turla installers had been exfiltrating information to get.adobe.com URLs since at least July 2016; the data was sent to legitimate URLs at adobe.com. The download attempts observed by ESET were made over HTTP rather than HTTPS, and the researchers state with confidence that Adobe was not compromised.

The social engineering technique adopted by the Turla group to trick victims into believing they are downloading legitimate software from an Adobe server is very ingenious.

Data collected by the experts revealed that most of the victims are in the former USSR; targeted entities include embassies and consulates located in Eastern Europe.

At the time of the report it was still unclear how the Turla APT group distributed the backdoor through adobe.com.

Experts speculate that this is possible by compromising a machine on the victim’s network to perform a local man-in-the-middle attack. In this scenario, the threat actors redirect traffic from a target system through the compromised machine and modify it on the fly. Another possibility is a compromised local gateway, which could allow the attackers to intercept and modify traffic for the whole organization.

Other attack scenarios involve Turla executing a man-in-the-middle attack at the ISP level, or BGP hijacking.

“We quickly discarded the hypothesis of a rogue DNS server, since the IP address corresponds to the servers used by Adobe to distribute Flash,” continues the report. “Thus, these are the hypotheses that remain: ➊ a Man-in-the-Middle (MitM) attack from an already-compromised machine in the local network, ➋ a compromised gateway or proxy of the organization, ➌ a MitM attack at the Internet Service Provider (ISP) level or ➍ a Border Gateway Protocol (BGP) hijack to redirect the traffic to Turla-controlled servers.”

Researchers believe the most likely scenario is that the attackers control a router used to hijack the traffic.

Such an attack is possible in any case because the files are downloaded via HTTP; for this reason, it is important to avoid installing any update or software that was downloaded over an unsecured connection.

Administrators must also check that downloaded Flash Player installers are properly signed with a valid Adobe certificate.

Further information, including the IOCs, is included in the report published by ESET.
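The practical detection point in this campaign is that the installer download happened over plain HTTP: whoever sits on the path (a compromised host on the LAN, the organization's gateway, the ISP, or a hijacked BGP route) can swap the file, and the vendor name in the URL proves nothing. The following is an added example, not ESET's tooling or anything from the report, that scans a web-proxy log for executable downloads that did not use TLS and for any plaintext request to a vendor host that should only ever be reached over HTTPS. The log format, the client addresses and the URL paths are constructed for the illustration.

```python
"""
Flag plaintext-HTTP installer downloads in a web-proxy log.
Added example, not ESET's code. The log format is constructed:
  "<unix_time> <client_ip> <method> <url> <status> <bytes>"
"""
from urllib.parse import urlsplit

# File types that should never be fetched over an unauthenticated channel.
INSTALLER_EXT = (".exe", ".msi", ".dmg", ".pkg")

# Vendor domains (and subdomains) that serve installers over HTTPS; a plain
# HTTP request to them is either a downgrade or something impersonating them.
TLS_ONLY_HOSTS = ("adobe.com",)

# Constructed sample log (paths and addresses are made up for the example).
SAMPLE_LOG = """\
1515580800 10.0.0.12 GET http://get.adobe.com/flashplayer/download/flashplayer_install.exe 200 1048576
1515580805 10.0.0.12 POST http://get.adobe.com/stats/ 200 512
1515580810 10.0.0.13 GET https://get.adobe.com/flashplayer/download/flashplayer_install.exe 200 1048576
1515580820 10.0.0.14 GET http://intranet.example.org/docs/policy.pdf 200 20480
"""


def parse_line(line: str):
    """Split one log line into a record, or None if it is malformed."""
    parts = line.split()
    if len(parts) != 6:
        return None
    ts, client, method, url, status, size = parts
    try:
        return {"ts": int(ts), "client": client, "method": method.upper(),
                "url": url, "status": int(status), "bytes": int(size)}
    except ValueError:
        return None


def host_matches(host: str, suffixes) -> bool:
    """True if host is one of the suffixes or a subdomain of one."""
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in suffixes)


def find_plaintext_installer_downloads(log_text: str):
    """Return (client, url, reason) for every suspicious plaintext request."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        u = urlsplit(rec["url"])
        if u.scheme.lower() != "http":
            continue                      # TLS requests are not our concern here
        if rec["method"] == "GET" and u.path.lower().endswith(INSTALLER_EXT):
            findings.append((rec["client"], rec["url"],
                             "executable fetched over plaintext HTTP"))
        elif host_matches(u.hostname or "", TLS_ONLY_HOSTS):
            findings.append((rec["client"], rec["url"],
                             "plaintext request to a host that should be HTTPS-only"))
    return findings


if __name__ == "__main__":
    for client, url, reason in find_plaintext_installer_downloads(SAMPLE_LOG):
        print(f"{client}\t{reason}\t{url}")
```

The second rule is the one that catches the exfiltration half of the campaign as described above: the installer's plaintext POSTs to get.adobe.com look like ordinary vendor telemetry until you notice they never used TLS. Pair the alert with the signature check the article recommends; the log can tell you that a file arrived over an untrusted path, not whether it was tampered with.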

January 2018 Patch Tuesday security updates fix a zero-day vulnerability in MS Office
10.1.2018 securityaffairs

Microsoft has released the January 2018 Patch Tuesday security updates, containing fixes for 56 vulnerabilities including the zero-day vulnerability CVE-2018-0802 in MS Office.
Microsoft has released the January 2018 Patch Tuesday security updates, containing fixes for 56 vulnerabilities including a zero-day vulnerability in MS Office. 16 security updates are rated as critical, 38 as important, 1 is rated moderate, and 1 is rated as low in severity. The security updates fix security vulnerabilities in Windows, Office, Internet Explorer, ChakraCore, Edge, ASP.NET, and the .NET Framework.

The January 2018 Patch Tuesday also includes three special security advisories covering Adobe Flash, the Meltdown and Spectre vulnerabilities, and an update for the Office suite.

The zero-day vulnerability is a memory corruption flaw in Office tracked as CVE-2018-0802; in the past few months it had been actively exploited by multiple attackers in the wild. The vulnerability can be exploited for remote code execution by tricking the victim into opening a specially crafted malicious Word file in MS Office or WordPad.

The flaw was discovered by several experts from Tencent, Qihoo 360, ACROS Security’s 0Patch Team, and Check Point Software Technologies.

Security firm Check Point has published a detailed analysis of the flaw in a blog post including a video PoC of its exploitation.

The flaw is related to the memory-corruption issue CVE-2017-11882, which affects all versions of Microsoft Office released in the past 17 years; it resides in the Equation Editor functionality (EQNEDT32.EXE) and was addressed by Microsoft in November.

The analysis of the flaw CVE-2017-11882 allowed the researchers at 0Patch to discover the CVE-2018-0802 fixed in the January 2018 Patch Tuesday.

Microsoft also addressed nine remote code execution and memory disclosure vulnerabilities in MS Office.

Microsoft also addressed an X509 certificate validation bypass vulnerability tracked as CVE-2018-0786 in .NET Framework (and .NET Core) that could be exploited by threat actors to show their invalid certificates as valid.

“Microsoft is aware of a security vulnerability in the public versions of .NET Core where an attacker could present a certificate that is marked invalid for a specific use, but a component uses it for that purpose. This action disregards the Enhanced Key Usage tagging.” states Microsoft.

The January 2018 Patch Tuesday also addresses a total of 15 vulnerabilities in the scripting engine used by Microsoft Edge and Internet Explorer, the flaws could be exploited by a remote attacker for code execution by tricking the victim into opening a specially-crafted webpage that triggers a memory corruption error.

Finally, Microsoft also patched a flaw in Outlook for Mac (CVE-2018-0819, aka Mailsploit attack) that could be exploited by attackers to send emails with spoofed identities.

Microsoft, Intel Share Data on Performance Impact of CPU Flaw Patches
10.1.2018 securityweek
Microsoft and Intel have shared more information on the performance impact of the patches released for the recently disclosed attack methods known as Spectre and Meltdown.

The Spectre and Meltdown exploits work on systems using CPUs from Intel, AMD and ARM, and they allow malicious applications to bypass memory isolation mechanisms and access passwords, photos, documents, emails, and other sensitive information. Patches and workarounds have been released by both hardware and software vendors, but they may introduce significant performance penalties.

Intel has insisted that average computer users – owners of typical home and business PCs – should not see any significant impact on performance during common tasks, such as reading emails, viewing photos or writing documents. Benchmark tests conducted by the company using SYSmark 2014 showed an impact of 6 percent or less for 8th Generation Core platforms with solid state storage.

All but two of the currently supported Intel processors are said to be affected by the Spectre and Meltdown vulnerabilities. However, a technology called PCID (Process-Context Identifiers), which is present in newer processors, should lessen the impact on performance.
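On Linux the two facts that decide how much the Meltdown mitigation (kernel page-table isolation) will cost a given host are both readable from the filesystem: the CPU flag list in /proc/cpuinfo, which names `pcid` and `invpcid` when the processor supports them, and the kernel's own verdict in /sys/devices/system/cpu/vulnerabilities/meltdown on kernels new enough to have that interface. The following is an added example, not Intel's or Microsoft's tooling, that reads both and produces a one-line assessment; the sample cpuinfo texts are constructed, and the wording of the verdicts is the example's own.

```python
"""
Report whether a Linux host's Meltdown mitigation can use PCID, and what
the kernel says about its status. Added example; constructed samples let
the logic run on any machine.
"""
from pathlib import Path

# Constructed /proc/cpuinfo excerpts (flag lists are abbreviated).
SAMPLE_CPUINFO_PCID = (
    "processor\t: 0\n"
    "model name\t: (constructed) 8th Gen Core\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce pcid sse4_2 invpcid\n"
)
SAMPLE_CPUINFO_NO_PCID = (
    "processor\t: 0\n"
    "model name\t: (constructed) older Core\n"
    "flags\t\t: fpu vme de pse tsc msr pae mce sse4_2\n"
)

SYSFS_MELTDOWN = Path("/sys/devices/system/cpu/vulnerabilities/meltdown")


def cpu_flags(cpuinfo_text: str) -> set:
    """Flag set from the first 'flags' line of /proc/cpuinfo text."""
    for line in cpuinfo_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "flags":
            return set(value.split())
    return set()


def assess_kpti(cpuinfo_text: str, meltdown_status):
    """meltdown_status is the sysfs file's text ('Mitigation: PTI',
    'Vulnerable', 'Not affected') or None when the kernel has no such file."""
    flags = cpu_flags(cpuinfo_text)
    report = {"pcid": "pcid" in flags, "invpcid": "invpcid" in flags}
    status = (meltdown_status or "").strip()
    if not status:
        report["verdict"] = ("unknown: kernel exposes no vulnerability status, "
                             "treat as unpatched")
    elif status.startswith("Not affected"):
        report["verdict"] = "not affected"
    elif status.startswith("Mitigation"):
        # With PCID the kernel can switch page tables without flushing the
        # whole TLB, which is where most of the KPTI overhead comes from.
        cost = ("PCID available, TLB flush cost reduced" if report["pcid"]
                else "no PCID, expect the larger syscall/IO penalty")
        report["verdict"] = f"mitigated ({status}); {cost}"
    else:
        report["verdict"] = f"vulnerable ({status}): mitigation off or kernel unpatched"
    return report


def assess_live():
    """Run the check on the current host (Linux only)."""
    cpuinfo = Path("/proc/cpuinfo").read_text()
    status = SYSFS_MELTDOWN.read_text() if SYSFS_MELTDOWN.exists() else None
    return assess_kpti(cpuinfo, status)


if __name__ == "__main__":
    print(assess_live())
```

The "unknown" branch matters more than it looks: a kernel old enough to lack the vulnerabilities directory is also too old to carry the mitigation, so the absence of the file is itself a finding rather than a reason to skip the host.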

Intel says it has yet to “build a complete picture of the impact on data center systems,” but points to statements from major vendors who have conducted tests.

Shortly after applying the Meltdown and Spectre patches to its Azure cloud platform, Microsoft said it had not seen any noticeable performance impact. The company noted that some users may experience networking performance impact, but that can be addressed using the Azure Accelerated Networking feature.

After conducting more tests, Microsoft pointed out that mitigations for Meltdown (CVE-2017-5754) and one of the Spectre flaws (CVE-2017-5753) have minimal performance impact, but the remediation for the second Spectre vulnerability (CVE-2017-5715) does introduce more significant performance penalties.

Specifically, Microsoft found that users running Windows 10 on newer chips (2016-era PCs with Skylake, Kabylake or newer CPUs) should not notice any slowdowns. While there are some single-digit performance penalties, they are reflected in milliseconds.

On the other hand, when running Windows 10, Windows 8 or Windows 7 on devices with older chips (2015-era PCs with Haswell or older CPUs), benchmark tests showed more significant penalties and users may actually notice a decrease in performance. On Windows 10, only some users should experience slowdowns, but on older versions of the operating system most users are expected to notice performance issues.

In the case of Windows Server, regardless of the chip used, a more significant performance impact is expected after mitigations are applied, particularly for IO-intensive applications. Microsoft has actually advised Windows Server users to evaluate the risk of untrusted code running on their machines and “balance the security versus performance tradeoff” for their specific environment.

“For context, on newer CPUs such as on Skylake and beyond, Intel has refined the instructions used to disable branch speculation to be more specific to indirect branches, reducing the overall performance penalty of the Spectre mitigation. Older versions of Windows have a larger performance impact because Windows 7 and Windows 8 have more user-kernel transitions because of legacy design decisions, such as all font rendering taking place in the kernel,” Microsoft explained.

Red Hat has also reported seeing measurable performance impact, ranging between 8 and 19 percent, for operations involving highly cached random memory.

Amazon said it had not observed any significant performance impact for the overwhelming majority of EC2 workloads, but some AWS customers have complained about degraded performance after the patches were applied starting in December.

Apple, which started performing tests after releasing updates in December, also said it had not seen any measurable reduction in the performance of macOS and iOS. Google also claimed to have observed negligible impact on performance after applying mitigations to its own systems.

Epic Games informed users recently that the CPU usage of its backend cloud services increased significantly after Meltdown mitigations were applied, which led to login issues and service instability.

Microsoft Releases Patches for 16 Critical Flaws, Including a Zero-Day
10.1.2018 thehackernews 
If you think the CPU updates addressing this year's major security flaws, Meltdown and Spectre, are the only ones you are advised to grab immediately, there are a handful of other major security flaws that you should pay attention to.
Microsoft has issued its first Patch Tuesday for 2018 to address 56 CVE-listed flaws, including a zero-day vulnerability in MS Office that had been actively exploited by several threat groups in the wild.
Sixteen of the security updates are listed as critical, 38 are rated important, one is rated moderate, and one is rated as low in severity. The updates address security flaws in Windows, Office, Internet Explorer, Edge, ChakraCore, ASP.NET, and the .NET Framework.
The zero-day vulnerability (CVE-2018-0802), described by Microsoft as a memory corruption flaw in Office, is already being targeted in the wild by several threat actor groups in the past few months.
The vulnerability, discovered by several researchers from Chinese companies Tencent and Qihoo 360, ACROS Security's 0Patch Team, and Check Point Software Technologies, can be exploited for remote code execution by tricking a targeted user into opening a specially crafted malicious Word file in MS Office or WordPad.
According to the company, this security flaw is related to CVE-2017-11882—a 17-year-old vulnerability in the Equation Editor functionality (EQNEDT32.EXE), which Microsoft addressed in November.
When researchers at 0Patch were analysing CVE-2017-11882, they discovered a new, related vulnerability (CVE-2018-0802). More details of CVE-2018-0802 can be found in a blog post published by Check Point.
Besides CVE-2018-0802, the company has addressed nine more remote code execution and memory disclosure vulnerabilities in MS Office.
A spoofing vulnerability (CVE-2018-0819) in Microsoft Outlook for Mac, listed as publicly disclosed (the Mailsploit attack), has also been addressed by the company. The flaw exists because some versions of Outlook for Mac do not handle the encoding and display of email addresses properly, causing antivirus or anti-spam scanning not to work as intended.
Microsoft also addressed a certificate validation bypass vulnerability (CVE-2018-0786) in .NET Framework (and .NET Core) that could allow malware authors to show their invalid certificates as valid.
"An attacker could present a certificate that is marked invalid for a specific use, but the component uses it for that purpose," describes Microsoft. "This action disregards the Enhanced Key Usage taggings."
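The .NET certificate issue quoted here, and in the securityaffairs Patch Tuesday write-up earlier on this page, comes down to a component that accepted a certificate for a purpose its Extended Key Usage extension does not list. The check that component must make is shown below as an added example; it is not Microsoft's code and not the .NET implementation. It works on the raw DER bytes of the extKeyUsage extension value (a SEQUENCE of OBJECT IDENTIFIERs) so that it needs nothing beyond the standard library, and includes a small DER encoder so the sample extension it tests against is built in the open rather than pasted as opaque bytes. The EKU OIDs are the standard ones from RFC 5280; the helper names are the example's own.

```python
"""
Enforce X.509 Extended Key Usage before accepting a certificate for a
purpose (RFC 5280 section 4.2.1.12). Added example; not .NET's code.
"""

OID_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
OID_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
OID_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
OID_ANY_EKU = "2.5.29.37.0"          # anyExtendedKeyUsage


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER (tag 0x06); used here only to build sample data."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])      # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                        # base-128, high bit = continue
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return bytes([0x06, len(body)]) + bytes(body)


def encode_eku(oids) -> bytes:
    """DER SEQUENCE of OIDs; short-form length suffices for a few purposes."""
    body = b"".join(encode_oid(o) for o in oids)
    if len(body) >= 128:
        raise ValueError("sample encoder only handles short-form lengths")
    return bytes([0x30, len(body)]) + body


def read_tlv(data: bytes, offset: int):
    """Read one DER tag-length-value; return (tag, value, next_offset)."""
    tag, length = data[offset], data[offset + 1]
    offset += 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[offset:offset + n], "big")
        offset += n
    end = offset + length
    if end > len(data):
        raise ValueError("truncated DER")
    return tag, data[offset:end], end


def decode_oid(body: bytes) -> str:
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                            # last byte of this arc
            arcs.append(value)
            value = 0
    if value:
        raise ValueError("unterminated OID arc")
    return ".".join(map(str, arcs))


def parse_eku(ext_value: bytes):
    """Dotted OIDs listed in an extKeyUsage extension value."""
    tag, body, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("EKU must be a SEQUENCE")
    oids, off = [], 0
    while off < len(body):
        tag, oid_body, off = read_tlv(body, off)
        if tag != 0x06:
            raise ValueError("EKU entries must be OIDs")
        oids.append(decode_oid(oid_body))
    return oids


def allowed_for(eku_value, purpose_oid: str) -> bool:
    """With EKU present the certificate is valid only for a listed purpose
    (anyExtendedKeyUsage lists them all); an absent EKU means unrestricted."""
    if eku_value is None:
        return True
    oids = parse_eku(eku_value)
    return purpose_oid in oids or OID_ANY_EKU in oids
```

Whatever parser hands you the certificate, the extension value is the same bytes `openssl asn1parse` shows for extKeyUsage; the decision rule is the part the bug report is about, and it is deliberately the only place a purpose is compared.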
The company has also patched a total of 15 vulnerabilities in the scripting engine used by Microsoft Edge and Internet Explorer.
All these flaws could be exploited for remote code execution by tricking a targeted user into opening a specially-crafted webpage that triggers a memory corruption error, though none of these has been exploited in the wild yet.
Meanwhile, Adobe has patched a single, out of bounds read flaw (CVE-2018-4871) this month that could allow for information disclosure, though no active exploits have been seen in the wild.
Users are strongly advised to apply this month's security patches as soon as possible to keep hackers and cybercriminals from taking control of their computers.
To install the security updates, go to Settings → Update & security → Windows Update → Check for updates, or install the updates manually.

Microsoft Patches Zero-Day Vulnerability in Office
10.1.2018 securityweek
Microsoft’s January 2018 Patch Tuesday updates address more than 50 vulnerabilities, including a zero-day vulnerability in Office related to an Equation Editor flaw that has been exploited by several threat groups in the past few months.

The zero-day vulnerability, tracked as CVE-2018-0802, has been described by Microsoft as a memory corruption issue that can be exploited for remote code execution by getting targeted users to open a specially crafted file via Office or WordPad.

Microsoft has credited several researchers from Chinese companies Tencent and Qihoo 360, ACROS Security’s 0Patch Team, and experts from Check Point Software Technologies for finding the flaw.

The security hole is related to CVE-2017-11882, a 17-year-old vulnerability in the Equation Editor (EQNEDT32.EXE), which the vendor addressed with the November 2017 Patch Tuesday updates. Based on how the patch was developed, experts believe Microsoft may have lost the application’s source code, which forced it to somehow patch the executable file directly.

Microsoft replaced the Equation Editor component in Office 2007, but kept the old one as well for compatibility reasons. The problematic component has now been removed from Office.

0Patch researchers had been analyzing CVE-2017-11882, which likely led them to discover a new, related vulnerability. Check Point has published a blog post with the details of CVE-2018-0802 and showed how an exploit works, but did not mention any attacks.

This suggests that the Chinese researchers may have been the ones who spotted the vulnerability being exploited in attacks. This would not be the first time experts at Qihoo 360 witnessed the exploitation of an Office zero-day. Back in October, after Microsoft released a patch, they reported seeing CVE-2017-11826 being leveraged to deliver malware.

If CVE-2018-0802 is related to CVE-2017-11882, there is a long list of threat actors who may be exploiting it. CVE-2017-11882 has been exploited by Iranian cyberspies, the Cobalt hacking group, someone who uses TelegramRAT, and likely others.

Microsoft’s Patch Tuesday updates also address a spoofing vulnerability in Office for Mac that has already been publicly disclosed. Sixteen of the flaws resolved this month have been rated critical, a majority affecting the scripting engine used by the Edge and Internet Explorer web browsers.

Microsoft has also rated critical a Word vulnerability (CVE-2018-0797) that can be exploited for remote code execution using specially crafted RTF files.

Adobe’s Patch Tuesday updates for this month patch only one information disclosure vulnerability in Flash Player.

VirusTotal announced the availability of a visualization tool, dubbed VirusTotal Graph, designed to help with malware analysis.
10.1.2018 securityweek Virus
VirusTotal Graph should allow investigators who work with multiple reports at the same time to pivot between multiple data points (files, URLs, domains and IP addresses). Observing the connections across different malware samples could allow investigators to collect more events from different cases.

“VirusTotal receives a large number of files and URLs every day, and each of them is analyzed by AVs and other tools and sandboxes to extract information about them. This information is critical for our ecosystem, as it connects the dots and makes clear the connections between entities.” states VirusTotal.

“It is common to pivot over many data points (files, URLs, domains and IP addresses) to get the full picture of your investigation, and this usually involves looking at multiple reports at the same time. We know this can be complicated when you have many open tabs, therefore, we’ve developed VirusTotal Graph.”

VirusTotal Graph is built on VirusTotal’s data set and was designed to visualize, in a single graphical interface, the relationships between files, URLs, domains and IP addresses. The graph is navigable, making the investigation of malicious code easier for malware researchers.


Analysts can build their own network by exploring and expanding each of the nodes in the graph.

The tool includes a search box, node summary section, node expansion section that allows correlation of the information from more entities, node action menu, detection dropdown, and a node list.

VirusTotal also allows users to save the graphs they generated, as well as to share their findings with other users. All saved graphs are public and also linked in VirusTotal public reports of files, URLs, IP addresses or domains that appear in the graph.

“We feel the community will benefit from this intelligence. We understand that there are scenarios where a higher degree of privacy is needed, and we are working on a solution — expect to see some news around it soon,” VirusTotal concludes.

The complete documentation is available at
VirusTotal also published two videos that show the main features implemented in the tool.

Microsoft: Meltdown and Spectre patches could cause noticeable performance slowdowns
10.1.2018 securityaffairs

Microsoft officially confirmed that Meltdown and Spectre patches could cause noticeable performance slowdowns, contrary to what was initially thought.
Just after the disclosure of the Meltdown and Spectre vulnerabilities, many security experts argued that the forthcoming patches would have a significant impact on performance (30% degradation), but Intel pointed out that average users would not notice any difference.

“Intel continues to believe that the performance impact of these updates is highly workload-dependent and, for the average computer user, should not be significant and will be mitigated over time.” continues Intel.

“While on some discrete workloads the performance impact from the software updates may initially be higher, additional post-deployment identification, testing and improvement of the software updates should mitigate that impact.”

Intel confirmed that extensive testing conducted by tech giants (Apple, Amazon, Google, and Microsoft) to assess any impact on system performance from security updates did not reveal negative effects.

Unfortunately, someone underestimated the problem: Microsoft’s Windows patches for the CPU flaws will cause noticeable performance degradation, with the most severe impact on Windows servers as well as Windows 7 and 8 client machines.

Microsoft published a blog post that confirmed that Windows servers will experience noticeable performance slowdowns, as will Windows 7 and 8 client machines running older processors (2015-timeframe PCs with Haswell or older CPUs).

The good news is that newer Windows 10 platforms won’t experience perceptible performance degradation.

Below are Microsoft’s findings on the performance degradation caused by the installation of the Meltdown/Spectre patches.

With Windows 10 on newer silicon (2016-era PCs with Skylake, Kabylake or newer CPU), benchmarks show single-digit slowdowns, but we don’t expect most users to notice a change because these percentages are reflected in milliseconds.
With Windows 10 on older silicon (2015-era PCs with Haswell or older CPU), some benchmarks show more significant slowdowns, and we expect that some users will notice a decrease in system performance.
With Windows 8 and Windows 7 on older silicon (2015-era PCs with Haswell or older CPU), we expect most users to notice a decrease in system performance.
Windows Server on any silicon, especially in any IO-intensive application, shows a more significant performance impact when you enable the mitigations to isolate untrusted code within a Windows Server instance. This is why you want to be careful to evaluate the risk of untrusted code for each Windows Server instance, and balance the security versus performance tradeoff for your environment.
Microsoft announced it is working to solve the problem and the situation appears critical for Windows servers.

Microsoft has patched 41 of its 45 Windows versions and is going to release the remaining four as soon as possible.

Microsoft says the entire industry needs to work together to find the best possible solutions for customers affected by vulnerabilities like Spectre and Meltdown.

WPA3 to Bring Improved Wireless Security in 2018
9.1.2018 securityweek Safety
Wi-Fi Alliance Announces WPA3, the Successor to Wi-Fi's WPA2 Security Protocol

The Wi-Fi Alliance -- comprising 15 major sponsor members (including Apple, Cisco, Dell, Intel, Microsoft, Qualcomm and more) and hundreds of contributing members -- has announced that WPA3 will be introduced during 2018.

WPA3 is not an immediate replacement for WPA2, which will continue to be maintained and enhanced. In particular, the Alliance will introduce new testing enhancements for WPA2 to reduce the potential for vulnerabilities caused by network misconfigurations; and will further safeguard managed networks with centralized authentication services.

New Wi-Fi Alliance WPA3 certified devices will take some time to filter into widespread use. Use of the new specification will require WPA3 devices and WPA3 routers -- and since the vast majority of home wi-fi users never buy a router but use the one supplied by their ISP, many users won't become WPA3 compatible before they change ISPs. That could take several years.

Nevertheless, there are some welcome enhancements over the WPA2 specification that has kept users largely, but not entirely, protected for around two decades.

Four new capabilities for both personal and enterprise networks have been announced. There are no technical details in the Wi-Fi announcement, leading to some conjecture over exactly how they will be introduced.

The first will be to provide "robust protections" even when the user fails to use a strong password. Mathy Vanhoef, the researcher who discovered the KRACK WPA2 vulnerability, has suggested on Twitter, "That means dictionary attacks no longer work. The handshake they're referring to is likely Simultaneous Authentication of Equals (SAE). Which is also called Dragonfly;" adding, "The standards behind WPA3 already existed for a while. But now devices are *required* to support them, otherwise they won't receive the "WPA3-certified" label."

The second will simplify the process of configuring security on wi-fi devices that have limited or no display interface. The obvious use will be for small personal devices, like wearables such as smart watches -- but it could also play some role in improving the future security of the industrial internet of things.

The third will improve the security of open wi-fi hotspots -- such as cafes, hotels and airport lounges -- by giving each user individualized data encryption. On this, Vanhoef commented, "This might refer to Opportunistic Wireless Encryption: encryption without authentication." It won't make the use of wi-fi hotspots completely secure, but should go some way to reassuring security officers who know that corporate employees work from hotspots while traveling.

The fourth will be a 192-bit security suite aligned with the Commercial National Security Algorithm (CNSA) Suite, which will further protect wi-fi networks with higher security requirements, such as government, defense, and industrial networks.

We can expect that new WPA3 devices will start to appear over the next few months -- particularly since many of the manufacturers will be members of the Alliance. However, the devices will need to wait for the launch of the Wi-Fi Alliance's formal certification process before they can be truly called such. The Wi-Fi Certified designation will be important to reassure buyers.

"Security is a foundation of Wi-Fi Alliance certification programs, and we are excited to introduce new features to the Wi-Fi CERTIFIED family of security solutions," commented Edgar Figueroa, president and CEO of Wi-Fi Alliance. "The Wi-Fi CERTIFIED designation means Wi-Fi devices meet the highest standards for interoperability and security protections."

Microsoft Suspends CPU Flaw Patches for AMD Devices
9.1.2018 securityweek
Microsoft Will Not Deliver Security Updates to Devices With Incompatible Antiviruses

Users whose computers have AMD processors no longer receive the recent Windows updates designed to patch the Meltdown and Spectre vulnerabilities, and Microsoft has warned that some systems may not receive upcoming security updates if the antivirus running on them has not set a specific registry key.

Several individuals whose devices are powered by some AMD processors, particularly older models, complained that they had been unable to boot Windows 10 after installing KB4056892, an update released by Microsoft in response to flaws affecting Intel, AMD and ARM processors.

Many of those affected said their operating system froze during boot. Those who managed to restore their systems by reverting to a previous state needed to quickly disable automatic updates to prevent the patch from being reinstalled.

Some of the impacted users pointed out that since the risk of attacks against AMD CPUs is said to be low, they can wait for proper updates from Microsoft.

Microsoft has confirmed the issue, explaining that “some AMD chipsets do not conform to the documentation previously provided to Microsoft to develop the Windows operating system mitigations to protect against the chipset vulnerabilities known as Spectre and Meltdown.”

The tech giant has decided to temporarily pause Windows updates to devices with impacted AMD processors. For those who have already installed the updates and are experiencing problems, Microsoft has provided some recommendations on how to fix the issue.

Microsoft’s advice for Windows 10 users includes starting the computer in safe mode and uninstalling recent updates, or restoring the system to an earlier point. Several users have complained, however, that they get an error when attempting to restore the system.

In addition to causing problems to Windows, the Spectre and Meltdown updates from Microsoft also break some applications, including the PulseSecure VPN and an Asus utility.

Security updates will not be delivered to devices with incompatible antiviruses

When Microsoft first released the updates designed to prevent Spectre and Meltdown attacks, the company warned that it had identified compatibility issues with some security products. It informed users that if they had not been offered the security updates, it may have been due to the failure of their antivirus to create a specific registry key.

Microsoft later also informed users that they may not receive any future security updates if their antivirus vendor does not address the problem.

Researcher Kevin Beaumont has been keeping track of which security vendors have implemented this requirement. As of Monday, a majority of firms had either released automatic fixes or made available instructions on how to manually create the required registry key. The remaining vendors are working on fixes.

Microsoft noted that users who don’t rely on any antivirus will also need to manually create the registry key.

The role of the registry key is to prevent blue screen of death (BSOD) errors triggered due to compatibility issues when security products make unsupported calls to the Windows kernel memory. Microsoft says the requirement for the registry key will remain in place until the company is confident that a majority of consumers will not experience crashes due to the security updates.

Adobe Patch Tuesday Updates Fix Only One Flash Player Flaw
9.1.2018 securityweek
Adobe’s Patch Tuesday updates for January 2018 resolve only an information disclosure vulnerability affecting Flash Player.

The flaw is tracked as CVE-2018-4871, it has been classified as “important,” and it has been assigned a priority rating of 2, which means it’s unlikely to be exploited in malicious attacks any time soon.

The security hole has been described as an out-of-bounds read issue that can lead to information exposure. It affects Flash Player and earlier on Windows, Mac, Linux and Chrome OS, and it has been patched with the release of version The patch will also be included in the next Chrome release and Microsoft’s Patch Tuesday updates.

Adobe says it has learned about the vulnerability from an anonymous researcher via Trend Micro’s Zero Day Initiative (ZDI).

The number of vulnerabilities discovered by researchers in Flash Player has dropped significantly in the past months after Adobe announced its intention to kill the application by 2020.

However, malicious actors are still finding and exploiting zero-day vulnerabilities in Flash. In October, shortly after Adobe announced that it had no Patch Tuesday updates, the company was forced to quickly release a fix for Flash Player after learning that a cyber espionage group from the Middle East had been leveraging a zero-day to deliver spyware.

The same vulnerability was later exploited by the Russia-linked group APT28 (also known as Fancy Bear, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team) in attacks aimed at government organizations and aerospace companies. Fortunately, this was apparently the only Flash Player zero-day exploited in 2017.

VirusTotal Launches Visualization Tool
9.1.2018 securityweek Security
VirusTotal this week announced the availability of a visualization tool designed to help with malware investigations.

Dubbed VirusTotal Graph, the new tool is available at https://www.virustotal.com/graph/ or through a public report in the tool section (which requires a VirusTotal login).

The tool should make it easier for investigators who are working with multiple reports at the same time, attempting to pivot between multiple data points (files, URLs, domains and IP addresses), as such work would normally result in having multiple tabs opened, which could complicate operations.

“VirusTotal receives a large number of files and URLs every day, and each of them is analyzed by AVs and other tools and sandboxes to extract information about them. This information is critical for our ecosystem, as it connects the dots and makes clear the connections between entities,” VirusTotal notes.

Built on top of VirusTotal’s data set, the new tool was designed to “understand the relationship between files, URLs, domains and IP addresses” and to bring the necessary information on these five entity types (relationships are included) together on a single interface, thus making it easier to navigate.

Some of the features available for users include a search box (it even supports multiple indicators of compromise, via a Multi-entity search section), node summary section (summarizes the more relevant information), node expansion section (to correlate information from more than one entity), node action menu, detection dropdown (shows the number of AV detections), and node list (shows the list of all nodes in the panel).

The key elements of the VirusTotal Graph user interface will provide investigators not only with the most relevant information at a glance when clicking on a node, but also with the option to explore and expand each of the nodes in their graph, and build a network and observe connections across samples. Zooming in or out on a graph is also possible.
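The pivoting workflow described here and in the earlier VirusTotal Graph item above (expand a node, follow its relationships to other files, URLs, domains and IPs, and see which infrastructure links otherwise separate samples) can be illustrated with a small relationship graph. This is an added example built on constructed sample relationships; it is not VirusTotal's data set, code or API, and the node names and relation labels are invented for illustration.

```python
"""Pivot across files, URLs, domains and IP addresses the way the VirusTotal
Graph workflow above describes.  Added example with constructed sample data;
it is not VirusTotal's data set, code or API."""
from collections import deque

# Constructed sample relationships (source, relation, target).  Node names are
# "<type>:<value>" using the four entity types the article lists.
SAMPLE_RELATIONS = [
    ("file:aaa111", "contacts", "domain:update-cdn.example"),
    ("domain:update-cdn.example", "resolves_to", "ip:203.0.113.10"),
    ("url:http://update-cdn.example/dl", "hosted_on", "domain:update-cdn.example"),
    ("file:bbb222", "downloaded_from", "url:http://update-cdn.example/dl"),
    ("file:ccc333", "contacts", "domain:other.example"),
    ("domain:other.example", "resolves_to", "ip:203.0.113.10"),
    ("file:ddd444", "contacts", "domain:benign.example"),
]


def build_graph(relations):
    """Undirected adjacency map node -> [(relation, neighbour)], stored both
    ways so an analyst can pivot file -> infrastructure -> other files."""
    graph = {}
    for src, rel, dst in relations:
        graph.setdefault(src, []).append((rel, dst))
        graph.setdefault(dst, []).append((rel, src))
    return graph


def node_type(node):
    return node.split(":", 1)[0]


def neighborhood(graph, start, max_hops):
    """Node expansion: breadth-first search bounded by max_hops -> {node: hops}."""
    dist = {start: 0}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        if dist[cur] == max_hops:
            continue
        for _, nxt in graph.get(cur, []):
            if nxt not in dist:
                dist[nxt] = dist[cur] + 1
                queue.append(nxt)
    return dist


def connecting_path(graph, a, b):
    """Shortest chain of pivots linking two entities, or None if unrelated."""
    parent = {a: None}
    queue = deque([a])
    while queue:
        cur = queue.popleft()
        if cur == b:
            path = []
            while cur is not None:
                path.append(cur)
                cur = parent[cur]
            return path[::-1]
        for _, nxt in graph.get(cur, []):
            if nxt not in parent:
                parent[nxt] = cur
                queue.append(nxt)
    return None


def shared_infrastructure(graph, max_hops=2):
    """Domains, IPs and URLs reachable from two or more files within max_hops:
    the pivots that connect otherwise separate cases."""
    seen_by = {}
    for f in [n for n in graph if node_type(n) == "file"]:
        for node in neighborhood(graph, f, max_hops):
            if node_type(node) != "file":
                seen_by.setdefault(node, set()).add(f)
    return {n: fs for n, fs in seen_by.items() if len(fs) >= 2}
```

With the sample data, `connecting_path` links file aaa111 to file ccc333 only through the shared IP address, and `shared_infrastructure` flags that IP and the download URL as the pivots worth examining.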

VirusTotal also allows users to save the graphs so they can access them at any time, as well as to share their findings with other users (generating permalinks to the graph is also possible). VirusTotal makes all saved graphs public and also linked in VirusTotal public reports of files, URLs, IP addresses or domains that appear in the graph.

Furthermore, with the help of VirusTotal Public or VirusTotal Intelligence report, users will be able to add labels and access in-depth reports.

“We feel the community will benefit from this intelligence. We understand that there are scenarios where a higher degree of privacy is needed, and we are working on a solution -- expect to see some news around it soon,” VirusTotal concludes.

Additional information on the new tool is available on VirusTotal’s support page and in two YouTube videos providing tutorials on Files and Domains.

Wi-Fi Alliance launches WPA2 enhancements and announced WPA3
9.1.2018 securityaffairs Safety

The Wi-Fi Alliance introduced several key improvements to the Wi-Fi Protected Access II (WPA2) security protocol and announced its successor, WPA3. Wi-Fi security will be dramatically improved with the introduction of the WPA3 protocol.
The arrival of the WPA3 protocol was announced on Monday by the Wi-Fi Alliance; it is the successor of the WPA2 protocol for securing Wi-Fi communication.

WPA3 will build on the core components of WPA2; in the meantime, the alliance plans to roll out three enhancements for WPA2 in the first part of the year.

“Wi-Fi Alliance is launching configuration, authentication, and encryption enhancements across its portfolio to ensure Wi-Fi CERTIFIED devices continue to implement state of the art security protections.” reads the announcement published by the Wi-Fi Alliance.

“Four new capabilities for personal and enterprise Wi-Fi networks will emerge in 2018 as part of Wi-Fi CERTIFIED WPA3”

WPA2 is known to be vulnerable to KRACK attacks and DEAUTH attacks. The three key enhancements to the WPA2 protocol will address authentication, encryption, and configuration issues.

The Wi-Fi Alliance, which includes tech giants like Apple, Cisco, Intel, Qualcomm, and Microsoft, announced WPA3-certified devices for later in 2018. They will include two features that improve protection when users choose weak passwords and simplify the choice of proper security settings on devices with limited or no interface screens.


Another feature will strengthen user privacy in open networks by using individualized data encryption. The last feature is a 192-bit security suite, aligned with the Commercial National Security Algorithm (CNSA) Suite from the Committee on National Security Systems, that will ensure the protection of Wi-Fi networks with higher security requirements such as government and defense.

“Security is a foundation of Wi-Fi Alliance certification programs, and we are excited to introduce new features to the Wi-Fi CERTIFIED family of security solutions,” concluded Edgar Figueroa, president and CEO of Wi-Fi Alliance. “The Wi-Fi CERTIFIED designation means Wi-Fi devices meet the highest standards for interoperability and security protections.”

Further information will be made available once the WPA3 program is launched.

Apple released patches to fix Spectre flaws in Safari, macOS, and iOS
9.1.2018 securityaffairs Apple

Apple released iOS 11.2.2 software, a macOS High Sierra 10.13.2 supplemental update, and Safari 11.0.2 to fix Spectre flaws.
On Monday, Apple released patches to fix Spectre flaws in Safari, macOS, and iOS: the tech giant released iOS 11.2.2 and a macOS High Sierra 10.13.2 supplemental update. The patches also fix vulnerabilities in Apple WebKit, the web browser engine used by Safari, Mail, and the App Store.

The security updates issued by Apple aim to mitigate the two known methods for exploiting Spectre identified as “bounds check bypass” (CVE-2017-5753/Spectre/v1) and “branch target injection” (CVE-2017-5715/Spectre/v2).

Just after the disclosure of the Meltdown and Spectre attacks, Apple released security updates (iOS 11.2, macOS and tvOS 11.2) to protect its systems against Meltdown attacks.

Apple has now released the following security updates:

macOS High Sierra 10.13.2 supplemental;
Safari 11.0.2 that is available for OS X El Capitan 10.11.6 and macOS Sierra 10.12.6;
iOS 11.2.2 available for iPhone 5s and later, iPad Air and later, and iPod touch 6th generation;
After the disclosure of the flaws, security experts pointed out that the Spectre vulnerability is very hard to patch, but fortunately it is also much more difficult to exploit than Meltdown.

Another worrisome aspect of the Spectre attacks is that they break the isolation between different applications, opening the door to remote attacks; for example, an attacker can remotely bypass the sandboxing mechanisms implemented by modern browsers.

Hundreds of thousands of viruses circulate on the internet every day

9.1.2018 Novinky/Bezpečnost Analyses
Security experts from the antivirus company Kaspersky Lab have calculated that a record 360,000 viruses circulate on the internet every day. The figure is all the more alarming given that a year earlier it was 11.5% lower. Users should therefore definitely not underestimate the various computer threats.

The activity of cyber pirates in cyberspace is simply increasing constantly, as the statistics show. For example, in 2011 only 70,000 malicious files circulated on the internet each day. Since then the number of viruses has grown practically every year, and it currently stands at five times the original value.

In recent months, the most frequently spread threats have been extortion viruses from the ransomware family.

“Over the past two years we have recorded an enormous increase in the number of ransomware attacks. We expect this trend to continue, because behind the development of ransomware stands a huge criminal ecosystem that produces hundreds of new threats every day,” said Vyacheslav Zakorzhevsky, head of the anti-malware team at Kaspersky Lab.

How an extortion virus attack proceeds
Attacks by extortion viruses practically always proceed in exactly the same way. First, the intruders encrypt all data stored on the hard drive. The attackers then demand a ransom to make the data accessible again, easily amounting to several thousand crowns.

Cybercriminals usually try to give the owner of the infected machine the impression that they will regain access to their files after paying a fine, supposedly imposed for using illegal software or the like. This is one reason why a great many people have already paid the ransom.

Even after paying the ransom, however, users do not regain access to their data. Instead of paying, the virus must be removed from the computer. Recovering data that was not backed up is, however, impossible in most cases.

“Last year, miners also spread significantly. Cybercriminals began using this malware to a greater extent mainly because the popularity of cryptocurrencies was rising. Last but not least, improving security technologies are also behind the growing number of malicious files detected every day. With each new update we are able to detect more types of malware, and so the number of discovered threats rises too,” Zakorzhevsky concluded.