Prediktivní antimalwarovou ochranu s podporou hlubokého učení má Sophos

6.2.2018 SecurityWorld Zabezpečení
Technologie hlubokého učení, kterou Intercept X nově využívá, je podle výrobce výrazně účinnější než tradiční strojové učení. Sophos je tak prý schopen nabídnout vysokou míru detekce infekci při nízkém stupni falešně pozitivních zjištění.

Dostupnost svého produktu Intercept X, který pro detekci malware využívá neuronové sítě s technologií hlubokého učení, oznámil Sophos. Hluboké učení přináší masivně škálovatelnou detekci, která se učí na celém dostupném spektru hrozeb.

Díky svým schopnostem zpracovávat stovky miliónů vzorků může být technologie hlubokého učení – ve srovnání s tradičním strojovým učením – přesnější i rychlejší a také méně náchylnější na falešně pozitivní zjištění.

“Úspěšnost tradičních modelů strojového učení velmi silně závisí na výběru atributů použitých pro tréning a tím se do celého systémů vnáší vliv lidského faktoru. Přidáváním nových dat navíc složitost těchto modelů neustále roste, systémy opírající se o gigabajty dat jsou těžkopádné a pomalé. Problémem je i velká míra falešně pozitivních zjištění, díky kterým musí administrátoři posuzovat, zda je daný software legitimní nebo jde o malware. A důsledkem tohoto jejich vytížení je nižší produktivita IT oddělení,“ vysvětluje Tony Palmer, analytik společnosti Enterprise Strategy Group (ESG).

Neuronová síť v Intercept X podle něj využívá technologii hlubokého učení, která je oproti tradičním modelům navržená tak, aby se učila na základě zkušeností a hledala vzájemné souvislosti mezi pozorovaným chováním a malware.

Tyto korelace podle Palmera umožňují dosahovat vysoké přesnosti jak v případě identifikace již existujícího, tak i dosud nezveřejněného (zero-day) malware. Významným přínosem je prý i snížení výskytu falešně pozitivních zjištění.

Součástí nové verze Intercept X jsou I inovace v oblasti boje proti ransomwarU i ochrany proti zneužívání zranitelností. Nechybí ani mechanismy pro aktivní boj s hackerskými pokusy, jako je například ochrana proti krádežím přihlašovacích údajů.

Jde o důležitá vylepšení, protože právě krádeže identit jsou stále častějším nástrojem, který kybernetičtí zločinci využívají pro průnik do chráněné informační architektury, ve které se pak mohou pochybovat jako zcela legitimní uživatelé. Nový Intercept X umí tato podezřelá chování odhalit a předejít možným důsledkům.

Intercept X lze nasadit prostřednictvím cloudové konzole Sophos Central, a to vedle jakékoli stávající softwarové ochrany koncových bodů – míru bezpečnosti tak lze zvýšit prakticky okamžitě. Při použití ve spojení s firewally Sophos XG přináší Intercept X NAVÍC výhody synchronizované ochrany, které ještě více posílí bezpečnost dané informační architektury.

Nové funkce a vlastnosti Intercept X jsou podle výrobce ty níže uvedené.

Detekce malware pomocí strojového učení:

Hluboké učení umí odhalit známý i dosud neznámý malware i potenciálně nežádoucí aplikace ještě před jejich spuštěním, a to bez využívání identifikačních vzorů
Model si vystačí s méně než 20 MB a nevyžaduje časté aktualizace dat

Aktivní opatření

Ochrana před krádeží přihlašovacích údajů – nový Intercept X zabraňuje zjišťování hesel a dalších přihlašovacích informací z paměti, registrů i úložišť a předchází tak mechanismům, které využívá například nástroj Mimikatz.
Zjišťování přítomnosti cizích programových částí propašovaných do jiných aplikacích, což je technika využívaná pro přetrvávající hrozby a vyhýbání se antivirovým kontrolám.
Ochrana před zneužitím APC (Application Procedure Calls), tedy před útoky typu AtomBombing a mechanismy šíření, které byly využité například u hrozeb WannaCry a NotPetya. Útočníci tato volání zneužili prostřednictvím exploitů EternalBlue a DoublePulsar a mohli tak škodlivý kód provést pomocí jiného procesu.

Nové a vylepšené techniky proti zneužívání zranitelností

Ochrana před migracemi škodlivých procesů, která detekuje vzdálené zneužívání dynamických knihoven, tedy techniky pro přesouvání mezi procesy běžícími na konkrétním systému.
Ochrana před zvyšováním oprávnění, která brání tomu, aby neprivilegované procesy získaly přístup k chráněným částem systému.

Pokročilejší omezování aplikací

Omezování aplikací na úrovni prohlížeče, které brání nežádoucímu spouštění příkazů PowerShell
Omezování HTA aplikací, které brání nežádoucímu chování stejně, jako by šlo o prohlížeč.


 

Gold Dragon Implant Linked to Pyeongchang Olympics Attacks
5.2.2018 securityweek APT
McAfee has discovered an implant that they believe was used as a second-state payload in the recent fileless attacks targeting organizations involved with the upcoming Olympics Games in Pyeongchang, South Korea.

In early January, McAfee's security researchers warned that hackers had already began targeting the Pyeongchang Olympic Games with malware-infected emails. The first such attacks reportedly took place on December 22, with the sender’s address spoofed to appear as if the messages came from the South Korea's National Counter-Terrorism Center.

The hackers were using a PowerShell implant to establish a channel to the attacker’s server and gather basic system-level data, but McAfee couldn’t immediately determine what the attackers did after gaining initial access to a victim’s system.

McAfee has since published a report detailing additional implants used in the attacks, which were used to gain persistence on targeted systems and for continued data exfiltration, including Gold Dragon, Brave Prince, Ghost419, and RunningRat.

Gold Dragon, a Korean-language implant observed on December 24, 2017, is believed to be the second-stage payload in the Olympics attack, with a much more robust persistence mechanism than the initial PowerShell implant.

Designed as a data-gathering implant, Gold Dragon has the domain golddragon.com hardcoded and acts as a reconnaissance tool and downloader for subsequent payloads. It also generates a key to encrypt data gathered from the system, which is then sent to the server ink.inkboom.co.kr.

Gold Dragon is not a full-fledged spyware, as it only has limited reconnaissance and data-gathering functionality. The malware, which had its first variant in the wild in South Korea in July 2017, features elements, code, and behavior similar to Ghost419 and Brave Prince, implants that McAfee has been tracking since May 2017.

The malware lists the directories in the user’s Desktop folder, in the user’s recently accessed files, and in the system’s %programfiles% folder, and gathers this information along with system details, the ixe000.bin file from the current user’s UserProfiles, and registry key and value information for the current user’s Run key, encrypts the data, and sends it to the remote server.

The malware can check the system for processes related to antivirus products and cleaner applications, which it can then terminate to evade detection. Furthermore, it supports the download and execution of additional components retrieved from the command and control (C&C) server.

Also a Korean-language implant featuring similarities to Gold Dragon, Brave Prince too was designed for system profiling, capable of gathering information on directories and files, network configuration, address resolution protocol cache, and systemconfig. The malware was first seen in December 13, 2017. It is also capable of terminating a process associated with a tool that can block malicious code.

First observed in the wild in December 18, 2017, Ghost419 is a Korean-language implant that can be traced to July 29, 2017, to a sample that only shares 46% of the code used in the December samples. This malware appears based on Gold Dragon and Brave Prince, featuring shared elements and code, especially related to system reconnaissance.

The attackers also used a remote access Trojan (RAT) in the Pyeongchang Olympics attacks, the security researchers say. Dubbed RunningRat, this tool operates with two DLLs, the first of which kills any antimalware solution on the system and unpacks and executes the main RAT DLL, in addition to gaining persistence.

The second DLL, which employs anti-debugging techniques, is decompressed in memory, which results in a fileless attack, as it never touches the user’s file system. The malware gathers information about the operating system, along with driver and processor information, and starts capturing user keystrokes and sending them to the C&C server.

“From our analysis, stealing keystrokes is the main function of RunningRat; however, the DLL has code for more extensive functionality. Code is included to copy the clipboard, delete files, compress files, clear event logs, shut down the machine, and much more. However, our current analysis shows no way for such code to be executed,” McAfee reveals.

All of these implants can establish a permanent presence on the victim’s system, but they require a first-stage malware that provides the attacker with an initial foothold on the victim’s system. Some of the implants would only achieve persistence if Hangul Word (the South Korean-specific alternative to Microsoft Office) is running on the system.

“With the discovery of these implants, we now have a better understanding of the scope of this operation. Gold Dragon, Brave Prince, Ghost419, and RunningRat demonstrate a much wider campaign than previously known. The persistent data exfiltration we see from these implants could give the attacker a potential advantage during the Olympics,” McAffee concludes.


Alleged Kelihos Botnet Mastermind Extradited to U.S.
5.2.2018 securityweek BotNet
A 37-year-old Russian national accused of being the mastermind behind the notorious Kelihos botnet has been extradited from Spain to the United States.

The U.S. Justice Department announced that Peter Yuryevich Levashov, also known as Petr Levashov, Pyotr Levashov, Peter Severa, Petr Severa and Sergey Astakhov, of St. Petersburg, Russia, was arraigned on Friday in Connecticut. He has pleaded not guilty to the charges brought against him.

Levashov was arrested in April 2017 by Spanish authorities based on a U.S. warrant and has been in custody ever since. The suspect had been on holiday at the time of his arrest, which coincided with a takedown operation targeting the Kelihos botnet. He was indicted roughly two weeks later by a federal grand jury in Connecticut.

Russia had attempted to block his extradition to the United States. Levashov claimed that he had previously worked for President Vladimir Putin's United Russia party, and feared that he would be killed if extradited to the U.S. Initial media reports said his arrest may be linked to the U.S. election hacks, but officials denied there was any connection.

The suspect has been charged on eight counts, including causing intentional damage to a protected computer, conspiracy, accessing protected computers in furtherance of fraud, wire fraud, threatening to damage a protected computer, fraud in connection with email, and aggravated identity theft. He faces more than 50 years in prison for these charges.

According to U.S. authorities, Levashov controlled and operated the Kelihos botnet, using it to send spam, harvest personal information, and deliver other malware. At the time of his arrest, investigators said the botnet at times had ensnared as many as 100,000 computers, including many in the United States.

While some security firms track Kelihos as Waldac, many have classified it as a successor of Waledac, a botnet disrupted by authorities in 2010.

Another Russian national who will be extradited to the United States is Alexander Vinnik, owner of the cryptocurrency exchange BTC-e. Greece’s Supreme Court recently approved the extradition of Vinnik, who is said to have laundered $4 billion using bitcoins.

Yevgeni Nikulin, who U.S. authorities say hacked into the systems of LinkedIn, Formspring and Dropbox, will also soon be extradited after a high court in the Czech Republic upheld an earlier ruling authorizing his extradition.


Multiple Flaws Patched in WD MyCloud Device Firmware
5.2.2018 securityweek
Vulnerebility
Vulnerabilities that could allow unauthorized file deletion, unauthorized command execution and authentication bypass impacted WD (Western Digital) MyCloud devices, Trustwave reports.

The vulnerabilities were discovered in the MyCloud personal storage device and were reported to Western Digital last year. The company has already released a firmware update to address them.

All of the issue were found by Trustwave security researcher Martin Rakhmanov in the nas_sharing.cgi binary.

The first of them was the inclusion of hardcoded credentials in the binary, which could allow anyone to authenticate to the device.

The hardcoded username was "mydlinkBRionyg" and represents an issue that other security researchers observed as well. Earlier this year, GulfTech’s James Bercegay revealed that this admin user can be used with password “abc12345cba” as a backdoor that could be turned into a root shell. D-Link devices were previously impacted by the same issue.

The nas_sharing.cgi binary, Rakhmanov discovered, would also allow any user to execute shell commands as root. An attacker looking to exploit the issue can use the “artist” parameter to execute a command to create a file, for example.

The same faulty binary can be used for arbitrary file deletion, an operation possible through manipulating the “path” parameter, the security researcher says. A command using the “path” parameter can be passed using base64 encoding, the same as with the “artist” parameter.

Rakhmanov explains that “usually on embedded systems many processes run unrestricted (i.e. as root) so no security checks are performed at all once a command (file deletion in this case) is about to execute.”

Trustwave’s researcher also published proof of concept code that combines the hardcoded credential issue with command execution and arbitrary file deletion, respectively.

Western Digital apparently resolved these issues with the release of firmware version 2.30.172 a couple of months ago.

The update patched a SMB server (samba) security vulnerability (CVE-2017-7494), along with “critical security vulnerabilities that potentially allowed unauthorized file deletion, unauthorized command execution and authentication bypass,” the company revealed in the release notes (PDF).


UK Judges Block US Extradition of Alleged Hacker Lauri Love
5.2.2018 securityweek Crime
British judges on Monday rejected a US request for the extradition of a man accused of hacking into thousands of US government computers in a ruling that could set a precedent for similar pending cases.

Lauri Love, 33, faces charges in the United States for allegedly hacking into the networks of the US Federal Reserve, US Army and NASA, among others, in 2012 and 2013.

"The reason I've gone through this ordeal is not just to save myself from being kidnapped and locked up for 99 years in a country I've never visited, said Love, who has dual British and Finnish citizenship.

Love suffers from Asperger's syndrome and has also been diagnosed with depression. He was arrested at his home in Britain in October 2013.

"But it's to set a precedent whereby this will not happen to other people in the future," Love told reporters outside High Court in London.

"If there is suspected criminality then it will be tried here in the UK and America will not try to exercise exorbitant extra-territorial jurisdiction." Kaim Todner, the law firm representing Love, hailed what it called a "landmark judgement".

"The British justice system has taken the stance that we should deal with the matter ourselves, rather than accept the US government's demands," it said.

"It has also been recognised that mental health provisions in US prisons are not adequate to satisfy us that Lauri would not have come to serious harm if he were extradited," the firm said in a statement.

Judge Ian Burnett handed down the ruling, to cheers from people in the court's public gallery.

The defense said the United States now has 14 days in which to appeal the ruling at the UK Supreme Court.

Love had appealed against a 2016 British court ruling that he could be extradited to the United States to face the charges.


Hackers Linked to Luminosity RAT Targeted by Law Enforcement
5.2.2018 securityweek CyberCrime
Europol’s European Cybercrime Centre (EC3) and the UK’s National Crime Agency (NCA) on Monday released the details of an international law enforcement operation targeting sellers and users of the Luminosity Trojan.

Over a dozen law enforcement agencies from Europe, the US and Australia took part in a joint campaign carried out in September 2017 – details are made public only now due to operational reasons.

Authorities in the United Kingdom learned of Luminosity, also known as LuminosityLink, back in September 2016 when they arrested an individual suspected of hacking-related offences as part of a separate investigation.

That individual’s arrest led to an international operation that, according to Europol and the NCA, resulted in Luminosity no longer being available and no longer working for those who purchased it.

Since September, law enforcement agencies executed arrests, search warrants, and cease and desist notifications across Europe, America and Australia, targeting both sellers and users of Luminosity. The NCA said a small network of individuals in the UK was responsible for the distribution of the remote access trojan (RAT) to more than 8,600 buyers across 78 countries.

Luminosity first emerged in May 2015 and it had been available for purchase for as little as $40. The RAT allowed hackers to easily take complete control of infected computers, including disable security software, log keystrokes, steal passwords and other data, and spy on victims via the device’s webcam.

Luminosity RAT was one of the pieces of malware used last year by Nigerian cybercriminals in attacks aimed at industrial firms.

Investigators have identified passwords, photos, videos and other data stolen from thousands of victims, but the number is expected to increase significantly as devices seized from suspects continue to be analyzed. The NCA said police seized more than 100 devices during the operation in the UK.

“The sale and deployment of this hacking tool were uncovered following a single arrest and the subsequent forensic examination of the computer,” said Detective Inspector Ed Heath, head of the South West Regional Cyber Crime Unit, which led the investigation. “More than a year’s complex work with international policing partners led us to identify a large number of offenders.”


Booz Allen Hamilton Awarded $621 Million DHS Cyber Contract
5.2.2018 securityweek IT
Technology consulting firm Booz Allen has been awarded a $621 million contract by the Department of Homeland Security (DHS) to support the government-wide Continuous Diagnostics and Mitigation (CDM) Dynamic and Evolving Federal Enterprise Network Defense (DEFEND) Program.

Created help defend Federal IT networks from cyber threats, the CDM program was designed to provide continuous monitoring sensors (tools), diagnosis, mitigation tools, dashboards, and Continuous Monitoring as a Service (CMaaS).

The program is the result of the executive order from President Barack Obama which requires the DHS to ensure unclassified government networks are scanned constantly for threats, defended from attacks, and regularly audited to be compliant with computer security rules.

For more than two years, Booz Allen says that it has helped 13 Federal Agencies deploy cybersecurity tools to protect four million computers through DHS CDM efforts.

According to Booz Allen, the new contract will extend across the three current and possible future CDM Phases and is part of the larger DEFEND Program, which has a total value of up to $3.4 billion.

McLean, Virginia-based Booz Allen has more than 24,000 employees globally, and annual revenue of approximately $5.8 billion.


MacUpdate Distributes Mac Crypto-Mining Malware
5.2.2018 securityweek Apple
Maliciously modified versions of popular applications distributed via the MacUpdate site were observed installing crypto-mining malware on Mac computers, Malwarebytes reports.

The issue was observed on Friday, one day after maliciously modified versions of Firefox, OnyX, and Deeper applications started being distributed via the website. MacUpdate was quick to acknowledge the issue, and revealed in a comment that it was their fault and that the legitimate apps weren’t compromised.

What led to this situation is pretty straightforward: instead of linking to the applications’ official download websites, MacUpdate ended up linking to fake domains that resembled the legitimate ones.

Thus, instead of titanium-software.fr, it listed titaniumsoftware.org (registered on January 23) for the download URLs of OnyX and Deeper (both products made by Titanium Software). The download link for Firefox was even more crafty, using the domain download-installer.cdn-mozilla.net, instead of mozilla.net.

For all three applications, however, users ended up downloading disk image files (.dmg) that looked pretty convincing, Malwarebytes says. They also asked the user to drag the file into the Applications folder, just as the legitimate apps would.

The fake applications were created by Platypus, a developer tool used to build macOS software from scripts such as shell or Python.

Once installed, the fake apps download and install a payload from public.adobecc.com (a legitimate site owned by Adobe), after which it attempts to open a copy of the legitimate app as decoy. This operation, however, isn’t always successful, due to various errors the actor behind the fake apps made.

The security researchers discovered that the malicious OnyX app would run on Mac OS X 10.7 and up, but the decoy app requires macOS 10.13 and up, which means that only the malware is executed on systems with previous platform versions.

When it comes to the fake Deeper app, things are similar, but the reason is laughable. The actor included an OnyX app instead of Deeper as decoy, which clearly results the decoy not executing to cover the malicious behavior.

Upon execution, a script in the fake app checks whether it already runs and, if not, it downloads the malware and unzips it into the Library folder, which is hidden by default. A malicious launch agent file named MacOSupdate.plist is installed, designed to recurrently run another script.

The launch agent downloads a new MacOS.plist file and installs it, but first removes the previous MacOS.plist file, supposedly to update it. The downloaded MacOS.plist file was observed loading a malicious sysmdworker process and passing in arguments, including an email address.

“That sysmdworker process will then do the work of mining the Monero cryptocurrency, using a command-line tool called minergate-cli, and periodically connecting to minergate.com, passing in the above email address as the login,” Malwarebytes explains.

To stay protected from this and similar threats, users are advised to always download applications from the legitimate websites only, such as the developer’s site or the Mac App Store.

As Malwarebytes points out, this is not the first time MacUpdate has been abused for malicious purposes. A couple of years ago, it fell to a similar hack and ended up distributing the OSX.Eleanor malware.


Cisco and FireEye Pointing Finger at North Korea Hacking Group For Adobe Flash 0-Day In The Wild
5.2.2018 securityaffairs BigBrothers

According to security researchers at Cisco and FireEye a North Korea Hacking Group is behind the attacks that exploited the recently discovered Adobe Flash 0-Day vulnerability.
There have been over 1,000 Adobe Flash vulnerabilities since it was released. Designed to make website development easier and providing additional features not supported by standard web browsers, it also adds complexity and a much broader attack surface. Web browsers no longer support Flash by default, but users often re-enable it for convenience. And just having it installed on your system may be enough for this latest zero-day Adobe Player vulnerability to be exploited.

KISA, the South Korean CERT issued a security bulletin on January 31, 2018, warning of a “use-after-free” vulnerability in Adobe Flash Player being actively exploited in the wild. The following day, Adobe issued Security Advisory APSA18-01 confirming CVE-2018-4878 as a potential remote code vulnerability and announcing plans to release a security patch on February 5, 2018. The attack is carried out with a malicious SWF file embedded inside a Microsoft Office or Hancom Hangul document or spreadsheet. Once opened, the victim’s computer executes the malicious SWF through Adobe Flash if it is installed.

“Upon opening and successful exploitation, a decryption key for an encrypted embedded payload would be downloaded from compromised third-party websites hosted in South Korea,” according to FireEye.

The embedded payload is likely to be DOGCALL malware which facilitates the installation of ROKRAT command and control trojan which gives the remote attackers access to the victim’s system.

Experts warn that while waiting for the patch from Adobe on February 5th, users should be very cautious opening unexpected spreadsheets and document files. In reality, one should always be wary of any unexpected or suspicious document, especially ones that support embedding since they can hide all kinds of malware. You should also strongly consider uninstalling Adobe Flash. Even if it is disabled in your browser, having it installed on your system is enough for this latest exploit to execute successfully. Chances are you don’t need Adobe Flash any more. As explained by Sophos,

“The most common “need” we hear for Flash is to watch web videos, but almost all websites will use HTML5 for videos if you don’t have Flash. If you uninstall it, your browser will use its built-in video player instead – so you probably don’t need Flash after all.”

Cisco and FireEye have both been investigating, and warn that a North Korean group that they have been following for a while are likely behind this latest attack. Called TEMP.Reaper by FireEye and Group 123 by Cisco, the group with ties to North Korea was very active in 2017.

According to FireEye: “Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year.”

In addition to expanding their targets, the hacking group appears to have been expanding its skills, utilizing a variety of different techniques to deploy destructive wiper malware and the command and control trojans.

There have been many hacking accusations pointed at North Korea in the past few years. With tensions rising in 2017 and the impending Olympics in South Korea this month there is a lot of opportunities and potential motivation for something significant. This latest attack shows that this hacking group is poised to take advantage of these opportunities.

As described by Cisco’s Talos security team, “Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT. They have used an Adobe Flash 0 day which was outside of their previous capabilities – they did use exploits in previous campaigns but never a net new exploit as they have done now. This change represents a major shift in Group 123s maturity level, we can now confidentially assess Group 123 has a highly skilled, highly motivated and highly sophisticated group.”


Hacking Amazon Key – Hacker shows how to access a locked door after the delivery
5.2.2018 securityaffairs Hacking

Other problems for the Amazon Key technology, a hacker posted a video on Twitter to show how to access a locked door after a delivery worker’s one-time code has been used.
Earlier in November, Amazon announced for its Prime members the Amazon Key, a program that would allow a delivery person to enter your home under video surveillance, securely drop off the package, and leave with the door locking behind them. The system could also be used to grant access to the people you trust, like your family, friends, or house cleaner.

A few days after the announcement, researchers with Rhino Security Labs demonstrated how to disable the camera on Amazon Key, which could let a rogue courier access the customers’ home.

Amazon Key app.png

Unfortunately, the technology seems to be totally secure, a hacker has in fact demonstrated another attack on the Amazan Key.

The hacker posted a video on Twitter to show how to access a locked door after a delivery worker’s one-time code has been used.

MG
@_MG_
I call this the "Break & Enter dropbox" and it pairs well with my Amazon Key (smartlock & smartcam combo).

It's all current software. Amazon downplayed the last attack on this product because it needed an evil delivery driver to execute. This doesn't.

10:50 PM - Feb 4, 2018
39 39 Replies 1,035 1,035 Retweets 1,187 1,187 likes
Twitter Ads info and privacy
Technical details of the attack are not available, the hacker used a “dropbox” device that appears as tiny PC with Wi-Fi connectivity that is able to control the Amazon Key.

The Dropbox can be used to unlock the Amazon Key or to trigger a DoS condition in which the Amazon’s device is not able to lock the door after a courier accessed the customers’ home.


Almost all WordPress websites could be taken down due to unpatched CVE-2018-6389 DoS flaw
5.2.2018 securityaffairs
Vulnerebility

The Israeli security researcher Barak Tawily a vulnerability tracked as CVE-2018-6389 that could be exploited to trigger DoS condition of WordPress websites.
The expert explained that the CVE-2018-6389 flaw is an application-level DoS issued that affects the WordPress CMS and that could be exploited by an attacker even without a massive amount of malicious traffic.

“In this article I am going to explain how Denial of Service can easily be caused to almost any WordPress website online, and how you can patch your WordPress website in order to avoid this vulnerability being exploited.” reads the analysis of the expert.

Tawily revealed that the flaw exists in almost all versions of WordPress released in last nine years, including the latest one (Version 4.9.2).
The flaw affects the “load-scripts.php” WordPress script, it receives a parameter called load[] with value is ‘jquery-ui-core’. In the response, the CMS provides the JS module ‘jQuery UI Core’ that was requested.

CVE-2018-6389 WordPress flaw

As you know, WordPress is open-source project, for this reason, it was easy for the expert to perform code review and analyzed the feature in detail.

The load-scripts.php file was designed for WordPress admins and allows to load multiple JavaScript files into a single request, but the researcher noticed that that is is possible to call the function before login allowing anyone to invoke it.

The response provided by the WordPress CMS depends upon the installed plugins and modules. It is possible to load them by simply passing the module and plugin names, separated by a comma, to the load-scripts.php file through the “load” parameter.
https://your-wordpress-site.com/wp-admin/load-scripts.php?c=1&load%5B%5D=eutil,common,wp-a11y,sack,quicktag,colorpicker,editor,wp-fullscreen-stu,wp-ajax-response,wp-api-request,wp-pointer,autosave,heartbeat,wp-auth-check,wp-lists,prototype,scriptaculous-root,scriptaculous-builder,scriptaculous-dragdrop,scriptaculous-effects,scriptaculous-slider,scriptaculous-sound,scriptaculous-controls,scriptaculous

The ‘load-scripts.php’ finds the JavaScript files included in the URL and appends their content into a single file and then send back it to the user’s web browser.

The researcher highlighted that the wp_scripts list is hard-coded and is defined in the script-loader.php file, so he decided to send a request that in response will get all the JS module of the WordPress instance.

“There is a well-defined list ($wp_scripts), that can be requested by users as part of the load[] parameter. If the requested value exists, the server will perform an I/O read action for a well-defined path associated with the supplied value from the user.”

“I wondered what would happen if I sent the server a request to supply me every JS module that it stored? A single request would cause the server to perform 181 I/O actions and provide the file contents in the response.”

Tawily developed a proof-of-concept (PoC) python script called doser.py that he used to makes large numbers of concurrent requests to the same URL to saturate the resources of the servers.

An attacker with a good bandwidth or a limited number of bots can trigger the CVE-2018-6389 vulnerability to target popular WordPress websites.

Below a video PoC of the attack.

Tawily reported this DoS vulnerability to the WordPress team through HackerOne platform, but the company refused to acknowledge the flaw.

“After going back and forth about it a few times and my trying to explain and provide a PoC, they refused to acknowledge it and claimed that:
“This kind of thing should really be mitigated at the server or network level rather than the application level, which is outside of WordPress’s control.“” Tawily wrote.

The expert has implemented the mitigation against this vulnerability in a forked version of WordPress, he has also released a bash script that addresses the issue.


Flash Zero-Day Attacks Analyzed by FireEye, Cisco
5.2.2018 securityweek
Vulnerebility
FireEye and Cisco have analyzed the attacks involving a recently disclosed Flash Player zero-day vulnerability and linked them to a group known for targeting South Korean entities.

South Korea’s Internet & Security Agency (KISA) warned last week of a zero-day flaw in Flash Player. Some local security experts said the vulnerability had been exploited by North Korean hackers since mid-November 2017 in attacks aimed at individuals in South Korea.

Adobe has confirmed the existence of the flaw, which affects Flash Player 28.0.0.137 and earlier, and it plans on patching it sometime this week. The security hole, tracked as CVE-2018-4878, is a use-after-free issue that can allow a remote attacker to execute arbitrary code.

FireEye has launched an investigation following the alert from KISA and linked the attack to a group it tracks as TEMP.Reaper. This threat actor is believed to be operating out of North Korea based on the fact that it has been spotted interacting with command and control (C&C) servers from IP addresses associated with Star JV, the North Korean-Thai joint venture that connects the country to the Internet.

“Historically, the majority of their targeting has been focused on the South Korean government, military, and defense industrial base; however, they have expanded to other international targets in the last year. They have taken interest in subject matter of direct importance to the Democratic People's Republic of Korea (DPRK) such as Korean unification efforts and North Korean defectors,” FireEye said.

FireEye said its researchers spotted a new wiper malware, dubbed “RUHAPPY,” being developed by the Reaper group in the past year. North Korean threat actors have been known to use wiper malware, but Reaper has not been seen using RUHAPPY in attacks.

The security firm’s analysis showed that the hackers have exploited the Flash Player zero-day vulnerability using malicious Office documents and spreadsheets containing a specially crafted SWF file. If the flaw is exploited successfully, a piece of malware named by FireEye “DOGCALL” is delivered.

Cisco Talos has published several reports in the past months on this remote access trojan (RAT), which it tracks as ROKRAT.

The company has attributed the Flash Player zero-day attacks to an actor it has named “Group 123.” Talos last month detailed several campaigns conducted by this group against South Korean targets, but researchers have refrained from explicitly attributing the operations to North Korea.

“Group 123 have now joined some of the criminal elite with this latest payload of ROKRAT,” Talos researchers said in a blog post on Friday. “They have used an Adobe Flash 0 day which was outside of their previous capabilities - they did use exploits in previous campaigns but never a net new exploit as they have done now. This change represents a major shift in Group 123s maturity level, we can now confidentially assess Group 123 has a highly skilled, highly motivated and highly sophisticated group.”


Leaked memo suggest NSA and US Army compromised Tor, I2P, VPNs and want to unmask Monero users
5.2.2018 securityaffairs BigBrothers

The image of a memo leaked online suggests US Army and NSA are able to unmask Tor, I2P, VPNs users and they are working to track Monero,
US Army and NSA are able to unmask Tor, I2P, VPNs users and they are working to track Monero, this is the truth revealed by a photo alleged leaked by US Army.
The image revealed a joint project to track anonymous cryptocurrencies conducted by US Army’s Cyber Protection Team (CPT) from the Cyber Protection Brigade and NSA.
The photo of the memo is dated August 21, 2017, and was posted in the biz section of 4chan. The content reads:
“MEMORANDUM FOR RECORD

SUBJECT: Additional resource request for ACC project

2nd Battalion’s joint NSA/CPT [Cyber Protection Team] anonymous cryptocurrency project needs additional support in the form of new hires and additional funding to meet GWOT [Global War On Terror] and drug interdiction objectives outlined in July’s Command update brief.
• Requesting authorization to add additional civilian consultants to the ACC project and to initiate their SCI investigations
• Requesting additional funds for class 7 and 9, amounts indicated in attached cost analysis worksheet.
The success we have had with Tor, I2P, and VPN cannot be replicated with those currencies that do not rely on nodes [?]. There is a growing trend in the employment of Stealth address and ring signatures that will require additional R&D. Please reference the weekly SITREP [SITuation REPort] ON SIPR for more details regarding the TTPs involved.
BLUF [Bottom Line, Up Front]: In order to put the CPT back on track, we need to identify and employ additional personnel who are familiar with the CryptoNote code available for use in anonymous currencies.
Include this request for discussion at the next training meeting.
Point of contact for this memorandum is CW4 Henry, James P. at DSN (312)-780-2222.
JAMES,HENRY
.P1363921716

JAMES P. HENRY
CW4, USASPB”

NSA US army unmask Monero Tor I2P VPN

The memo explicitly refers to the difficulties in unmasking cryptocurrencies that are based on the CryptoNote that is an application layer protocol implemented in the scheme of several decentralized privacy oriented digital currencies.

The document requests the allocation of additional resources to track anonymous cryptocurrencies like Monero (XMR), Anonymous Electronic Online CoiN (AEON), DarkNet Coin (DNC), Fantomcoin (FCN), and Bytecoin (BCN).

The US authorities believe that Monero would become the main cryptocurrency in the criminal underground.

Researchers at DeepDotWeb verified the authenticity of Defense Switched Network (DSN) phone number listed for James P. Henry

“There is a Defense Switched Network (DSN) phone number listed for James P. Henry. When this DSN phone number was converted into a phone number that can be reached from the regular commercial phone network and called, the number was in fact the US Army’s Cyber Protection Brigade located in Fort Gordon, Georgia, just as the document purported to originate from.” states the blog post published by DeepDotWeb.

“While it is possible someone could have done a search for the Cyber Protection Brigade telephone number and used the conversion chart to recreate the DSN version of the phone number, it should be noted that the DSN phone number was not published on the internet prior to the release of this leak.”

DeepDotWeb requested comments from a Monero developer and others sources who were formerly in the Army, they all confirmed that the document appears to be authentic and its content plausible.

DeepDotWeb cited an anonymous source who is still serving in the US Army, that after analyzed the document said it was accurate.

Security experts believe that the US intelligence and military are using internal resources to conduct surveillance on blockchains.

It is still unclear who leaked the memo, someone speculates it was intentionally published with a deterrence purpose.

Tor, I2P, and VPNs are not completely compromised by the intelligence agency, persistent attackers have already proposed and implemented techniques to unmask users but that are not effective for dragnet surveillance.

Documents leaked by Edward Snowden revealed that the NSA is able to unmask VPN solutions based on vulnerable VPN protocols such as the PPTP, however, VPNs which rely on OpenVPN may not be compromised.

Don’t forget that anonymizing networks are essential to fight censorship and to ensure freedom of speech.

Looking at the photo it is possible to note above the laptop’s monitor, in the bottom right of the photo, a Common Access Card (CAC) that is a smart ID card used by the Department of Defense.

I believe it was intentionally put there with a diversionary intent.


GandCrab, a new ransomware-as-a-service emerges from Russian crime underground
3.2.2018 securityaffairs
Ransomware

Experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service dubbed GandCrab. advertised in Russian hacking community on the dark web.
Experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service in the dark web dubbed GandCrab.

GandCrab raas

The GandCrab was advertised in Russian hacking community, researchers noticed that authors leverage the RIG and GrandSoft exploit kits to distribute the malware.

“Over the last three days LMNTRIX Labs has been tracking an influx of GandCrab ransomware. The ransomware samples are being pushed by RIG Exploit delivery channels.” reads the analysis published by LMNTRIX.

GandCrab raas

As usually happen for Russian threat actors, members cannot use the ransomware to infect systems in countries in the former Soviet Republics that now comprise the Commonwealth of Independent States.

Below some interesting points from the advertisement:

Prospective buyers are asked to join the ‘partner program’, in which profits from the ransomware are split 60:40
Large’ partners are able to increase their percentage of proceeds to 70 per cent
As a Ransomware-as-a-service offering, technical support and updates are offered to ‘partners’
Partners are prohibited from targeting countries in the Commonwealth of Independent States (Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan and Ukraine) – violating this rule results in account deletion
Partners must apply to use the ransomware, and there is a limited amount of ‘seats’ available.” reads the translation of the ad.
The operators behind the RaaS offer they platform maintaining 40% of the ransom, the percentage is reduced to 30% for large partners.

Once infected, if the victim does not pay on time, he will have to pay a double ransom.

Other specific features related to GandCrab RaaS is the that it allows payment using the cryptocurrency Dash and the service is provided by a server hosted on a .bit domain.

The authors of the GandCrab RaaS also offers technical support and updates to its members, they also published a video tutorial that shows how the ransomware is able to avoid antivirus detection.

The RaaS implements a user-friendly admin console, which is accessible via Tor Network, to allow malware customization (i.e. ransom amount, individual bots and encryption masks)

The experts shared the Indicators of Compromise in their blog post.


More than 1 million worth of ETH stolen from Bee Token ICO Participants with phishing emails
3.2.2018 securityaffairs
Phishing

Participants to the Bee Token ICO were robbed for 100s of ETH, scammers sent out a phishing email stating that the ICO was now open, followed by an Ethereum address they controlled.
Another day, another incident involving cryptocurrencies, hundreds of users fell victims to email scams in the last days.

The victims were tricked by scammers into sending more than $1 million worth of Ethereum to them as part of Bee Token ICO (Initial Coin Offering). Bee Token is a blockchain-based home sharing service, it launched the ICO on January 31 and ended on February 2, when the Bee team obtained the $5 million necessary to start their project.

During the period of the ICO, the crooks sent phishing emails posing as the Bee Token ICO.

The scammers, impersonating the Bee team, sent out emails with a character of urgency to the potential investors inviting them to buy Bee Tokens by transferring Ethereum coins to their wallets.

The scammers attempted to convince users to participate to the ICO by sending Ethereum spreading the news that the company started a partnership with Microsoft and would be giving participants a 100% bonus for all contributions in the next 6 hours.

Cybercriminals also guaranteed that the value of Bee Token would double within 2 months, or participants would receive their RTH back.

“Today, investors who were eagerly waiting for their opportunity to join the Bee Token ICO were robbed for 100s of ETH. Scammers managed to get their hands on the Bee Token mailing list and sent out a phishing email stating that the ICO was now open, followed by an Ethereum address to send their contributions to.” states the blog post published TheRippleCryptocurrency.

After the Bee team became aware of fraudulent activity it issued three security alerts to warn of the ongoing scam:

https://medium.com/@thebeetoken/security-notice-6edb5741039b
https://medium.com/@thebeetoken/security-update-38d5bbfaa50e
https://medium.com/@thebeetoken/bee-token-security-announcement-2-7397f32f5bf6
“The Bee Token team has been made aware of phishing sites that have copied the Bee Token website in an attempt to deceive users into sending them their money. Please DO NOT trust any website other than https://www.beetoken.com/ . REPEAT: DO NOT trust any website other than https://www.beetoken.com/” reads one of the Bee Token Security Notice.

The Bee Token team also created a Google scam reporting form to allow users to report scams.

The RippleCryptocurrency.com had access to two different versions of the email that reported the following Ethereum addresses used by crooks:

0xe336327426b8f95A5F5eB1f74144fD9065069C28
0x2A6D8021861f27aB992572D8689017b7A83C989D
a third one was reported on Reddit by users:

0xdf1ec2E44a8B1774B068eCfc5EF1c937A86bAf3E
The overall amount of money contained in the three wallets at the end of the ICO was over $1 million.

Unfortunately such kind of incident is not uncommon, for this reason, Facebook banned ads for ICOs and cryptocurrencies on its social network.


UK Government Advices Industry Sectors To Comply With Guidance Or Pay $17 Million Fine
3.2.2018 securityaffairs BigBrothers

Aiming to tackle threats from rogue nations and hackers The UK Government urges to boost security measures of services in critical sectors.
On November 2016 United Kingdom published the National Cyber Security Strategy to address cyber threats from rogue nations like Iran, Russia, China, terrorists, states sponsored hackers and cyber menaces like ransomware against the national infrastructure.

On August 2017 UK government published a public consultation to improve United Kingdom essential services in electricity, transport, water, energy, health and digital infrastructure in accordance with the Directive of Security of Network and Information Systems (known as NIS Directive) in cooperation with the Member States within the European Union (EU).

The NIS Directive consultation covered six main topics that are the following: identification of essential services, national Framework to manage implementation, security requirements for operators of essential services, incident reporting requirements for operators of essential services, requirements on Digital Service Providers and proposed penalty regime.

The Directive comes into play to cover aspects of network security that are not present in GDPR. Regarding GDPR the Directive aligns itself with the deadline for the implementation.

It is important to notice that there are two major and distinct bodies inspecting the compliance of the NIS Directive, the Competent Authorities, and NCSC. NCSC stands for National Cyber Security Centre a part of GCHQ, while Competent Authority stands for Regulator Body defined in NIS Directive scope for different critical sectors. This division aims to allow NCSC to carry out its function in providing expert advice and incident response capability to cyber attacks.

The NIS Directive is established in a layered fashion with a mandatory security outcome to be achieved with each principle like the NIST Security Framework. This assures that the NIS Directive can be implemented throughout the whole industry regardless their sectors. The layered approach takes into account the implementation of the principles without discarding the actual infrastructure.

The NIS Directive is composed of 14 principles that can be divided into four major objectives: Management of security risks (Governance, Risk Management, Asset Management, Supply chain), Protection of cyber attacks (Service protection policies and processes, Identity and access control, Data Security, System security, Resilient Networks & Systems, Staff Awareness & Training), Detection of cyber security events (Security Monitoring, Anomaly Detection) and reduction of the impact of cyber security events (Response and Recovery Planning, Improvements).

The directive sets the scope for the identification of operators of essential services and significant disruptive effects that that may pose a threat to national security, the potential threat to public safety and the possibility of significant adverse social or economic impact. The NIS Directive lay the ground for a national framework where Government ensures that the Competent Authorities have the necessary legislative provision to accomplish their duties and the necessary resources to conduct their activities.

The penalty will only be applied once the operator of essential service fails to comply with the directive tacking into account these following criteria listed in article 14, Security requirements and incident notification: the number of users affected by the disruption of the essential service, duration of the incident and the geographical spread with regard to the area affected by the incident. The fine will be judged and decided upon the accordance with the proper measures that were not taken and nor implemented, with a maximum value of €17 million. There are some uncertainties if essential services providers can accomplish the implementation requirements of NIS Directive until May 2018.

Sources:

http://www.bbc.com/news/technology-42861676
http://www.securityweek.com/uk-warns-critical-industries-boost-cyber-defense-or-face-hefty-fines
http://www.itpro.co.uk/cyber-warfare/30405/uk-energy-companies-face-17m-fines-for-poor-cybersecurity
https://www.infosecurity-magazine.com/news/uk-government-warns-of-17m/
http://www.itpro.co.uk/cyber-warfare/30405/uk-energy-companies-face-17m-fines-for-poor-cybersecurity
http://www.businessinsurance.com/article/20180129/STORY/912318798/UK-to-fine-firms-up-to-%2424-million-for-lax-cybersecurity
https://www.gov.uk/government/news/government-acts-to-protect-essential-services-from-cyber-attack
https://www.scmagazineuk.com/uk-companies-warned-to-boost-cyber-security-or-face-fines/article/740029/
https://www.computing.co.uk/ctg/news/3025464/critical-infrastructure-firms-could-be-fined-up-to-gbp17m-for-lacklustre-cyber-security
http://www.computerweekly.com/news/252433946/Hefty-fines-confirmed-for-CNI-providers-with-poor-cyber-security
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/677065/NIS_Consultation_Response_-_Government_Policy_Response.pdf
https://www.ncsc.gov.uk/guidance/nis-directive-top-level-objectives
https://www.ncsc.gov.uk/guidance/nis-guidance-collection
https://www.gov.uk/government/consultations/consultation-on-the-security-of-network-and-information-systems-directive
https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/567242/national_cyber_security_strategy_2016.pdf
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.194.01.0001.01.ENG&toc=OJ:L:2016:194:TOC


Japan’s Financial Services Agency raided the Coincheck headquarters in Tokyo after the hack
3.2.2018 securityaffairs BigBrothers

Cryptocurrencies are in the middle of a Tempest, on Thursday India announced it would adopt measures to prevent the use of virtual currencies in the country, the value of Bitcoin dropped below $9,000 for the first time since November. Finance Minister Arun Jaitley, in his annual budget, explained its government would “take all measures to eliminate use of these crypto-assets in financing illegitimate activities or as part of the payment system”.

coincheck hack coindesk

A week after the security breach suffered by the virtual currency exchange Coincheck, Japanese authorities raided the company.

The hackers stole 58 billion yen ($530 million), an amount of money that is greater than the value of bitcoins which disappeared from MtGox in 2014.

After the MtGox case, the Japanese government passed a law on cryptocurrencies that assigns to the FSA the tack of regulating the exchanges operating in the country.

Coincheck had submitted an application to the FSA for a licence, the company was waiting for the permission.

This week, Coincheck announced it will refund about $400 million to 260,000 customers after the hack, the company will use its own funds.

Coincheck was founded in 2012, it is one of the most important cryptocurrency exchange in Asia. The company announced it will refund about $400 million to customers after the hack.

Japanese media criticized the company blaming the management to have underestimated the importance of security of its investor, they said Coincheck “expanded business by putting safety second”.

On Friday, agents of the Financial Services Agency raided the Coincheck’s headquarters in Tokyo’s Shibuya district with the intent to verify that the company adopted proper security measures to protect its assets.

“We have launched an on-site inspection to ensure preservation of clients’ assets,” said Finance Minister Taro Aso.

Japan’s Financial Services Agency gave Coincheck until February 13 to investigate the hack, implements additional security measures and “properly” deal with the affected clients.

According to Japanese bitcoin monitoring site Jpbitcoin.com, in November, yen-denominated bitcoin trades reached a record 4.51 million bitcoins, or nearly half of the world’s major exchanges of 9.29 million bitcoin.


Why are we all silent on the surveillance?
3.2.2018 securityaffairs BigBrothers

Silicon Valley with its bright minds has come to a point where almost every day they collect information about individuals. Why are we all silent on the surveillance?
NSA spying apart, what Facebook, Apple, and Google know about their usual users is quite overwhelming. Each of these major players is trying to find more about us. They even go to our friends, family and job network.

The big guns know when you are sad, happy, as well as your general internet spendings and many more.

Technology is changing so dramatically and has the power to find every bit of information about you. A perfect example of this is the Google Home Assistant or the new self-driving cars that shockingly knows where you want to go, or where’s your home.

In quick succession, step by step these big guys are creating probably the most invasive surveillance population in time.

It is quite worrisome how a group of known criminals hack them pretty often. Take Uber as an example; the ride-sharing firm is accused of getting hacked for multiple times – not just once or twice.

Californians, the world, and privacy

From all of this, you might think Californians are often talking about the privacy policy not only in most private sector, where is believed that law is more occasionally meeting with people.

But they actually talk in the private sector, where they have the protection of the 4th Amendment if they encounter problems as “unreasonable” searches.

I wish to have a talk at a coffee or a dinner with a tech investor and to ask him “What is your company doing with all the information?” For the moment, there is no possibility of a confrontation at this.

Even if California, for the USA, is the center of everything. As for technology, investors, the most brilliant minds, residents and elected officials are the targeted ones when it comes to the privacy policy. And, for sure, as in everything, there are exceptions.

I would love to see in the next US elections to prioritize this issue, or it can be an impactful subject in a ballot initiative.

Unfortunately, not so many exceptions for tech employees to feel human again. However, the one pushing is the employer, who digs deep into the privacy and enjoys it.

surveillance

The idea to do good is far to be reached

As I stated above, California might encounter the most impactful debate regarding privacy in the whole world in coming future. Do you consider letting companies keep user data forever? To move in a way and change the terms of service, so they breach privacy?

Should they share information with governments? Would there be an option purge information after a while or to just request to anonymize? It’s an option for only a company to sell information and meanwhile, they discharge the debt in bankruptcy?

What obligation parents have regarding their children’s privacy? It is awkward how Instagram tracks kids’ behavior before reaching the age of consent. Should Instagram keep that information until they are adults?

A very out of date law from California gives us a glimpse of how out of date they are: prohibiting someone to record a phone call without the consent of the other party.

For sure it is not a bad law, however, restricts everyone just for the idea of privacy. Sadly, this rule is not applied since data is gathered without shame. We can imagine revenging porn laws that protect us from unauthorized shops from centerfolds.

All in all, we exposed ourselves to comprehensive, intrusive, relentless surveillance at our daily activities.

John Naughton an Irish academic affirmed, “and we have no idea what the long-term implications of this (surveillance) will be.”

Some end thoughts

Some of this is the threat when others are scared by the idea of imposed limits. Yet, people value privacy and having it updated can mean a better future. For sure it is impossible to stop privacy threats sometimes.

But in exchange shouldn’t we prioritize and make things better? Californians have a high position here, more than anyone, yet they haven’t made a bit of effort.

And of course, not just the ones living in California – we all, no one, should keep their voice low against the surveillance. Speak up!


Western Digital My Cloud flaws allows local attacker to gain root access to the devices
3.2.2018 securityaffairs
Attack

Trustwave disclosed two vulnerabilities in Western Digital My Cloud network storage devices could be exploited by a local attacker to gain root access to the NAS devices.
Researchers at Trustwave disclosed two new vulnerabilities in Western Digital My Cloud network storage devices could be exploited by a local attacker to delete files stored on devices or to execute shell commands as root.

The two Western Digital My Cloud flaws are an arbitrary command execution vulnerability and an arbitrary file deletion issue. The arbitrary command execution vulnerability affects the common gateway interface script “nas_sharing.cgi” that allows a local user to execute shell commands as root. Hardcoded credentials allows any users to authenticate to the device using the username “mydlinkBRionyg.”

“The first finding was discovering hardcoded administrator credentials in the nas_sharing.cgibinary. These credentials allow anyone to authenticate to the device with the username “mydlinkBRionyg”.” states the analysis published by Trustwave. “Considering how many devices are affected this is very serious one. Interestingly enough another researcher independently released details on the same issue less than a month ago.”

The arbitrary file deletion vulnerability is also tied to the common gateway interface script “nas_sharing.cgi”.

“Another problem I discovered in nas_sharing.cgi is that it allows any user execute shell commands as root. To exploit this issue the “artist” parameter can be used.” continues the analysis.

Western Digital My Cloud

Chaining the two flaws it is possible to execute commands as root, a local attacker could log in using the hardcoded credentials and executing a command that is passed inside the “artist” parameter using base64 encoding.

The Western Digital models affected are My Cloud Gen 2, My Cloud PR2100, My Cloud PR4100, My Cloud EX2 Ultra, My Cloud EX2, My Cloud EX4, My Cloud EX2100, My Cloud EX4100, My Cloud DL2100 and My Cloud DL4100.

Trustwave reported the issues to Western Digital in 2017, according to the researchers the flaws are addressed with the firmware (version 2.30.172 ) update, released on Nov. 16, 2017.

“As a reminder, we urge customers to ensure the firmware on their products is always up to date; enabling automatic updates is recommended. We also urge you to implement sound data protection practices such as regular data backups and password protection, including to secure your router when you use a personal cloud or network-attached storage device.” recommends Western Digital.


JenX botnet leverages Grand Theft Auto videogame community to infect devices
3.2.2018 securityaffairs BotNet

Researchers at security firm Radware have spotted a new IoT botnet, dubbed JenX, the leverages the Grand Theft Auto videogame community to infect devices.
Researchers at security firm Radware have spotted a new IoT botnet, dubbed JenX, that exploits vulnerabilities triggered by the Satori botnet and is leveraging the Grand Theft Auto videogame community to infect devices.

The activity of the Satori botnet has been observed in 2017 by researchers from Check Point security, it uses A Zero-Day vulnerability (CVE-2017-17215) in the Huawei home router HG532.

JenX exploits the CVE-2014-8361 (Realtek SDK Miniigd UPnP SOAP command execution) and CVE-2017-17215 (Huawei Router HG532 arbitrary command execution). that affect Huawei and Realtek routers.

“A new botnet recently started recruiting IoT devices. The botnet uses hosted servers to find and infect new victims leveraging one of two known vulnerabilities that have become popular in IoT botnets recently:

CVE-2014-8361 “Realtek SDK Miniigd UPnP SOAP Command Execution” vulnerability and related exploit.
CVE-2017–17215 “Huawei Router HG532 – Arbitrary Command Execution” vulnerability and related exploit.” states Radware in a blog post.
“Both exploit vectors are known from the Satori botnet and based on code that was part of a recent public Pastebin post by the “Janit0r,” author of “BrickerBot.”

JenX also implemented some techniques used by the recently discovered PureMasuta botnet.

The command-and-control server is hosted at the site San Calvicie, which offers multiplayer mod support for Grand Theft Auto: San Andreas, and also DDoS-for-hire service.

JenX is a DDoS botnet, the DDoS option offered by San Calvicie is called “Corriente Divina.”

The users of the website can rent a GTA San Andreas multiplayer modded server for $16 and a Teamspeak server goes for $9. Adding $20 it is possible to power massive DDoS attacks that can peak 290 and 300 Gbps.

“The Corriente Divina (‘divine stream’) option is described as ‘God’s wrath will be employed against the IP that you provide us,” wrote Radware’s Cyber Security expert Pascal Geenens. “It provides a DDoS service with a guaranteed bandwidth of 90-100 Gbps and attack vectors including Valve Source Engine Query and 32 bytes floods, TS3 scripts and a ‘Down OVH’ option which most probably refers to attacks targeting the hosting service of OVH, a cloud hosting provider that also was a victim of the original Mirai attacks back in September 2016. OVH is well known for hosting multi-player gaming servers such as Minecraft, which was the target of the Mirai attacks at the time.”

jenx botnet

Differently from Satori and PureMasuta botnets, JenX has a centralized infrastructure, it uses a central server to perform the scanning of new hosts.

“The drawback of the central approach is a less than linear growth with the number of deployed servers. Much slower compared to the exponential growth rate of and less aggressive than distributed scanning botnets,” continues the analysis.

The presence of a central server that coordinates the activity makes it easy for law enforcement and security firms to take down the botnet. Of course, threat actors can deploy the control server to the Dark Web making hard take over from law enforcement.

Even if the JenX is able to power massive DDoS attacks, for now, is doesn’t represent a serious threat because it aims to disrupt services from competing for GTA SA multiplayer servers.

“The botnet is supposed to serve a specific purpose and be used to disrupt services from competing GTA SA multiplayer servers. I do not believe that this will be the botnet that will take down the internet,” Geenens concluded.

“But it does contain some interesting new evolutions and it adds to a list of IoT botnets that is growing longer and faster every month! That said, there is nothing that stops one from using the cheap $20 per target service to perform 290Gbps attacks on business targets and even government related targets. I cannot believe the San Calvicie group would oppose to it.”


Japan Raids Hacked Crypto Exchange, Bitcoin Plunges Further
3.2.2018 securityweek Hacking
Japanese authorities on Friday raided virtual currency exchange Coincheck, a week after the Tokyo-based firm lost $530 million in cryptocurrency to hackers.

The raid comes as bitcoin dipped below $9,000 for the first time since November after India said Thursday it would take measures to prevent the use of cryptocurrencies.

The search of Coincheck's headquarters in Tokyo's Shibuya district was carried out by the Financial Services Agency, which had already slapped the company with an administrative order following the hack.

"We have launched an on-site inspection to ensure preservation of clients' assets," Finance Minister Taro Aso said at a briefing.

Japanese officials have suggested Coincheck lacked proper security measures, making itself vulnerable to theft.

The January 26 hack, which saw thieves syphon away 523 million units of the cryptocurrency NEM, exceeds the $480 million stolen in 2014 from another Japanese virtual currency exchange, MtGox.

Earlier this week, Japan's FSA gave Coincheck until February 13 to investigate the cause of the incident, "properly" deal with clients, strengthen risk management and take preventive measures.

Coincheck has said it will use its own funds to reimburse all 260,000 customers who lost holdings, at a rate of 88.549 yen per NEM.

The refund, which will be paid in yen, not virtual currency, will set the firm back about 46.3 billion yen ($422 million).

In the wake of the MtGox scandal, Japan passed a law on cryptocurrencies that requires exchanges to be regulated by the FSA. The law went into effect in 2017.

Coincheck had submitted an application to the FSA for a licence and was allowed to continue operating while it awaited a decision, the agency said.

Japan is a leading market for cryptocurrencies, with nearly a third of global bitcoin transactions in December denominated in yen, according to specialist website jpbitcoin.com.

Virtual currencies are popular elsewhere in Asia, including South Korea and China, but India's government on Thursday said it would crack down on their use.

Finance Minister Arun Jaitley, in his annual budget, said New Delhi would "take all measures to eliminate use of these crypto-assets in financing illegitimate activities or as part of the payment system".

Bitcoin, which soared to nearly $20,000 a unit in December, was down at $8,800 on Friday, while other digital units such as Litecoin and Ethereum have also suffered massive losses from their recent peaks.


Kaspersky Patches Vulnerabilities in Secure Mail Gateway
3.2.2018 securityweek
Vulnerebility
Kaspersky Lab this week released an update for its Secure Mail Gateway to resolve a series of vulnerabilities that could lead to account takeover, code execution, and privilege escalation.

The Kaspersky Secure Mail Gateway is an integrated email system and security solution that comes bundled with anti-spam, anti-malware, and anti-phishing and deployed on a virtual appliance.

Core Security Technologies found four security flaws in Kaspersky’s product, including Cross-Site Request Forgery, Improper Neutralization of Special Elements in Output Used by a Downstream Component, Improper Privilege Management, and Improper Neutralization of Input during Web Page Generation.

A remote attacker could exploit these issues to gain command execution as root, Core Security's researchers say. The bugs were found in Kaspersky Secure Mail Gateway 1.1.0.379.

Kaspersky Secure Mail Gateway comes with a Web Management Console to monitor the application status and manage operations, but has no cross-site request forgery protection site-wide, which could lead to administrative account takeover, Core Security's advisory noted.

An attacker could submit authenticated requests when an authenticated user browses an attacker-controlled domain, the researchers explain. Thus, a feature that allows users to restore a backup file that overwrites the appliance's configuration can be abused to overwrite the original passwd file and provide the attacker with admin access.

Furthermore, an attacker who accesses the Web Console could gain command execution as root through the injection of arbitrary content into the appliance's Postfix configuration.

The console makes it possible to add a "BCC Address for all Messages", a configuration parameter written verbatim to the appliance's Postfix main.cf configuration file. When adding LF characters to it, an attacker could inject a configuration parameter to execute arbitrary commands on the appliance as root.

This allows the attacker to execute any binary on the system, but can’t pass arguments to it. However, it is possible to overcome this by abusing another Web Console functionality to upload a Python script to the file system, the researchers discovered.

The third issue could allow an attacker to elevate privileges from kluser to root by abusing a setuid binary shipped with the appliance and execute a script on the attacker-controlled location with root privileges.

A reflected cross-site scripting flaw also impacts the Management Console. The issue resides in the callback parameter of the importSettings action method.

The security researchers reported the bugs to Kaspersky in early October 2017. On February 1, 2017, Kaspersky published an advisory to announce the patching of these issues in Kaspersky Secure Mail Gateway 1.1 MR1. Impacted customers are advised to upgrade to the new release as soon as possible.