A Flaw in Hotspot Shield VPN From AnchorFree Can Expose Users Locations
9.2.2018 securityweek Vulnerebility
Security expert Paulos Yibelo has discovered a vulnerability in Hotspot Shield VPN from AnchorFree that can expose locations of the users.
Paulos Yibelo, a security researcher, has discovered a vulnerability that can expose users and locations around the globe compromising their anonymity and privacy. The company has about 500 million users globally.
VPN services providers are used nowadays to protect the identity of individual users and against the eavesdropping of their browsing habits. In countries like North Korea and China they are popular among political activists or dissidents where internet access is restricted because of censorship or heavily monitored once these services hide the IP addresses of the real users, that can be used to locate the person real address.
The Great Firewall of China is an example. Locating a Hotspot Shield user in a rogue country could pose a risk to their life and their families.
The VPN Hotspot Shield developed by AnchorFree to secure the connection of users and protect their privacy contained flaws that allow sensitive information disclosure such as the country, the name of WIFI network connection and the user’s real IP address, according to the researcher.
“By disclosing information such as Wi-Fi name, an attacker can easily narrow down or pinpoint where the victim is located, you can narrow down a list of places where your victim is located”. states Paulos Yibelo.
The vulnerability CVE-2018-6460 was published without a response from the company on Monday, but on Wednesday a patch was released to address the issue. The vulnerability is present on the local web server (127.0.0.1 on port 895) that Hotspot Shield installs on the user’s machine.
“http://localhost:895/status.js generates a sensitive JSON response that reveals whether the user is connected to VPN, to which VPN he/she is connected to what and what their real IP address is & other system juicy information. There are other multiple endpoints that return sensitive data including configuration details.” continues the researcher.
“While that endpoint is presented without any authorization, status.js is actually a JSON endpoint so there are no sensitive functions to override, but when we send the parameter func with $_APPLOG.Rfunc, it returns that function as a JSONP name. We can obviously override this in our malicious page and steal its contents by supplying a tm parameter timestamp, that way we can provide a logtime“.
Once running, the server hosts multiple JSONP endpoints, with no authentication requests and also with responses that leak sensitive information pertaining the VPN service, such as the configuration details. The researcher released a proof of concept (PoC) for the flaw, however, the reporter Zack Whittaker, from ZDNET, independently verified that flaw revealed only the Wi-Fi network name and the country, not the real IP address.
The company replied to the researcher allegation:
“We have found that this vulnerability does not leak the user’s real IP address or any personal information, but may expose some generic information such as the user’s country. We are committed to the safety and security of our users, and will provide an update this week that will completely remove the component capable of leaking even generic information”.
US authorities dismantled the global cyber theft ring known as Infraud Organization
9.2.2018 securityaffairs Cyber
The US authorities have dismantled a global cybercrime organization tracked Infraud Organization involved in stealing and selling credit card and personal identity data.
The US authorities have taken down a global cybercrime organization, the Justice Department announced indictments for 36 people charged with being part of a crime ring specialized in stealing and selling credit card and personal identity data.
According to the DoJ, the activities of the ring tracked as ‘Infraud Organization’, caused $530 million in losses. The group is active since 2010, when it created in Ukraine by Svyatoslav Bondarenko.
Bondarenko remains at large, but Russian co-founder Sergey Medvedev has been arrested by the authorities.
Most of the crooks were arrested in the US (30), the remaining members come from Australia, Britain, France, Italy, Kosovo, and Serbia.
The indicted leaders of the organization included people from the United States, France, Britain, Egypt, Pakistan, Kosovo, Serbia, Bangladesh, Canada and Australia.
The motto of the Infraud Organization was “In Fraud We Trust,” it has a primary role in the criminal ecosystem as a “premier one-stop shop for cybercriminals worldwide,” explained the Deputy Assistant Attorney General David Rybicki.
“As alleged in the indictment, Infraud operated like a business to facilitate cyberfraud on a global scale,” said Acting Assistant Attorney General John Cronan.
The platform offered a privileged aggregator for criminals (10,901 approved “members” in early 2017) that could buy and sell payment card and personal data.
“Members ‘join the Infraud Organization via an online forum. To be granted
membership, an Infraud Administrator must approve the request. Once granted
membership, members can post and pay for advertisements within the Infraud forum. Members may move up and down the Infraud hierarchy.” said the indictment.
“The Infraud Organization continuously screens the wares and services of the vendors within the forum to ensure quality products. Vendors who are considered subpar are swiftly identified and punished by the Infraud Organization’s Administrators.”
The Infraud Organization used a number of websites to commercialize the data, it implemented a classic and efficient e-commerce for the stolen card and personal data, implementing also a rating and feedback system and an escrow” service for payments in digital currencies like Bitcoin.
Swisscom data breach Hits 800,000 Customers, 10% of Swiss population
9.2.2018 securityaffairs Incindent
Swisscom data breach – Telco company Swisscom confirmed it has suffered a data breach that affected roughly 800,000 of its customers, roughly 10% of the Swiss population.
Swiss telco company Swisscom confirmed it has suffered a data breach that affected roughly 800,000 of its customers, roughly 10% of the Swiss population.
According to Swisscom, unauthorized parties gained access to data in Autumn, the attackers accessed the customers’ records using a sales partner’s credentials.
The security breach was discovered by Swisscom during a routine check, most of the exposed data are related to the mobile services subscribers.
“In autumn of 2017, unknown parties misappropriated the access rights of a sales partner, gaining unauthorised access to customers’ name, address, telephone number and date of birth. Under data protection law this data is classed as “non-sensitive”.” reads the press release issued by the company.
“Prompted by this incident, Swisscom has now also tightened security for this customer information. The data accessed included the first and last names, home addresses, dates of birth and telephone numbers of Swisscom customers; contact details which, for the most part, are in the public domain or available from list brokers.”
Exposed data includes names, physical addresses, phone numbers, and dates of birth, the telecom giant collects this type of data when customers subscribe an agreement.
It is not clear how the hackers obtained the credentials, the good news is that sales partners are allowed to access only information for customers’ identification and to manage contracts.
Swisscom highlighted that data accessed by the intruders are not considered sensitive under data protection laws, anyway, accessed info is a precious commodity in the criminal underground because crooks can use them to conduct phishing campaigns against the company’s customers.
Swisscom has reported the data breach to the Swiss Federal Data Protection and Information Commissioner (FDPIC).
“Swisscom stresses that the system was not hacked and no sensitive data, such as passwords, conversation or payment data, was affected by the incident,” continues the press release.“Rigorous long-established security mechanisms are already in place in this case.”
After the Swisscom data breach, the company revoked the credentials used to access its systems and implemented tighter controls for partners.
Swisscom implemented a number of changes to improve its security, including:
Access by partner companies will now be subject to tighter controls and any unusual activity will automatically trigger an alarm and block access.
In the future, it will no longer be possible to run high-volume queries for all customer information in the systems.
In addition, two-factor authentication will be introduced in 2018 for all data access required by sales partners.
Customers are advised to report any suspicious calls or email.
The source code of the Apple iOS iBoot Bootloader leaked online
9.2.2018 securityaffairs Apple
The source code for Apple iOS iBoot secure bootloader has been leaked to GitHub, now we will try to understand why this component is so important for the iOS architecture.
The iBoot is the component loaded in the early stages of the boot sequence and it is tasked with loading the kernel, it is stored in a boot ROM chip.
“This is the first step in the chain of trust where each step ensures that the next is signed by Apple.” states Apple describing the iBoot.
The leaked code is related to iOS 9, but experts believe it could still present in the latest iOS 11.
Apple promptly reacted to the data leak asking to remove the content for a violation of the Digital Millennium Copyright Act (DMCA).
“This repository is currently disabled due to a DMCA takedown notice. We have disabled public access to the repository. The notice has been publicly posted.” reads the notice on the GitHub repository.
“Reproduction of Apple’s “iBoot” source code, which is responsible for ensuring trusted boot operation of Apple’s iOS software. The “iBoot” source code is proprietary and it includes Apple’s copyright notice. It is not open-source.”
The data leak is considered very dangerous because hackers and security experts can analyze the code searching for security vulnerabilities that could be triggered to compromise the iBoot.
Even is the code cannot be modified, the exploit of a flaw could allow loading other components compromising the overall security of the architecture.
The boot sequence is:
Bootrom → Low Level Bootloader → iBoot → Device tree → Kernel.
The Jailbreak consists of compromising one of the above phases, typically the kernel one.
Newer iPhones have an ARM-based coprocessor that enhances iOS security, so-called Secure Enclave Processor, it makes impossible the access to the code to conduct reverse engineering of the code.
But now the iBoot code has been leaked online and experts can analyze it.
The jailbreak could allow removing security restrictions making it possible to install third-party software and packages, also code that is not authorized by Apple and therefore not signed by the IT giant.
Compromising the iBoot could theoretically allow loading any malicious code in the boot phase or a tainted kernel.
Apple tried to downplay the issue saying that it implements a layered model of security
“Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protection,” reads a statement issued by Apple.
Researcher found multiple vulnerabilities in NETGEAR Routers, update them now!
9.2.2018 securityaffairs Vulnerebility
Security researchers Martin Rakhmanov from Trustwave conducted a one-year-study on the firmware running on Netgear routers and discovered vulnerabilities in a couple of dozen models.
Netgear has just released many security updates that address vulnerabilities in a couple of dozen models.
The vulnerabilities have been reported by security researchers Martin Rakhmanov from Trustwave, which conducted a one-year-study on the firmware running on Netgear’s box.
Users are recommended to apply the security patches as soon as possible, they can be exploited by hackers to compromise gateways and wireless points.
The expert discovered that 17 different Netgear routers are affected by a remote authentication bypass that could be exploited by a remote attacker to access target networks without having to provide a password.
“This also affects large set of products (17 total) and is trivial to exploit. Authentication is bypassed if “&genie=1″ is found within the query string.” reads the analysis published by Rakhmanov.
Yes, it’s right, an attacker just needs to append the “&genie=1” the URL to bypass authentication, of course, the attack works against any gateways with remote configuration access enabled.
Attackers can access the device changing its DNS settings to redirect browsers to malicious sites.
Another 17 Netgear routers are affected by Password Recovery and File Access vulnerabilities. The flaws reside in the genie_restoring.cgi script used by the Netgear box’s built-in web server, the vulnerability can be triggered to extract files and passwords from its filesystem in flash storage and to pull files from USB sticks plugged into the router.
“Some routers allow arbitrary file reading from the device provided that the path to file is known. Proof-of-concept for Nighthawk X8 running firmware 184.108.40.206 or earlier:
curl -d “id=304966648&next_file=cgi-bin/../../tmp/mnt/usb0/part1/README.txt” http://192.168.1.1/genie_restoring.cgi?id=304966648
The above will fetch README.txt file located on a USB thumb drive inserted into the router. Total of 17 products are affected. Specific models are listed in the Advisory notes.” continues the analysis.
The list of issues discovered by the researcher includes a command Injection Vulnerability on D7000, EX6200v2, and Some Routers, PSV-2017-2181. After pressing the WPS button, the Netgear routers allows for two minutes a remote attacker to execute arbitrary code on the box with root privileges.
“Only 6 products are affected, this allows to run OS commands as root during short time window when WPS is activated.” states the analysis.
UDPOS PoS malware exfiltrates credit card data DNS queries
9.2.2018 securityaffairs Virus
A new PoS malware dubbed UDPoS appeared in the threat landscape and implements a novel and hard to detect technique to steal credit card data from infected systems.
The UDPoS malware was spotted by researchers from ForcePoint Labs, it relies upon User Datagram Protocol (UDP) DNS traffic for data exfiltration instead of HTTP that is the protocol used by most POS malware.
The UDPoS malware is the first PoS malicious code that implements this technique disguises itself as an update from LogMeIn, which is a legitimate remote desktop control application.
“According to our investigation, the malware is intended to deceive an unsuspecting user into executing a malicious email, link or file, possibly containing the LogMeIn name,” reads a blogpost published by LogMeIn noted.
“This link, file or executable isn’t provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You’ll never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update.”
The UDPoS malware only targets older POS systems that use LogMeIn.
“However, in amongst the digital haystack there exists the occasional needle: we recently came across a sample apparently disguised as a LogMeIn service pack which generated notable amounts of ‘unusual’ DNS requests. Deeper investigation revealed something of a flawed gem, ultimately designed to steal magnetic stripe payment card data: a hallmark of PoS malware.” reads the analysis published by ForcePoint.
The command and control (C&C) server are hosted by a Swiss-based VPS provider, another unusual choice for such kind of malware.
The server hosts a 7-Zip self-extracting archive, update.exe, containing LogmeinServicePack_5.115.22.001.exe and log that is the actual malware.
The malicious code implements a number of evasion techniques, it searches for antivirus software disables them, it also checks if it is running in a virtualized environment.
“For the anti-AV and anti-VM solution, there are four DLL and three Named Pipe identifiers stored in both service and monitor components:
However, only the monitor component makes use of these and, moreover, the code responsible for opening module handles is flawed: it will only try to open cmdvrt32.dll – a library related to Comodo security products – and nothing else.” continues the analysis.
“It is unclear at present whether this is a reflection of the malware still being in a relatively early stage of development/testing or a straightforward error on the part of the developers.”
It must be highlighted that currently there is no evidence of the UDPoS malware currently being used in attacks in the wild, but the activity of the C&C servers suggests crooks were preparing the attacks.
In the past other malware adopted the DNS traffic to exfiltrate data, one of them is the DNSMessenger RAT spotted by Talos experts in 2017. The researchers from Cisco Talos team spotted the malware that leverages PowerShell scripts to fetch commands from DNS TXT records.
Further info about the UDPoS malware, including IoCs, are available in the blog post.
Apple's iBoot Source Code for iPhone Leaked on Github
8.2.2018 thehackernews Apple
Apple source code for a core component of iPhone's operating system has purportedly been leaked on GitHub, that could allow hackers and researchers to discover currently unknown zero-day vulnerabilities to develop persistent malware and iPhone jailbreaks.
The source code appears to be for iBoot—the critical part of the iOS operating system that's responsible for all security checks and ensures a trusted version of iOS is loaded.
In other words, it's like the BIOS of an iPhone which makes sure that the kernel and other system files being booted whenever you turn on your iPhone are adequately signed by Apple and are not modified anyhow.
The iBoot code was initially shared online several months back on Reddit, but it just resurfaced today on GitHub (repository now unavailable due to DMCA takedown). Motherboard consulted some security experts who have confirmed the legitimacy of the code.
However, at this moment, it is unclear if the iBoot source code is completely authentic, who is behind this significant leak, and how the leaker managed to get his/her hands on the code in the first place.
The leaked iBoot code appears to be from a version of iOS 9, which signifies that the code is not entirely relevant to the latest iOS 11.2.5 operating system, but some parts of the code from iOS 9 are likely still used by Apple in iOS 11.
"This is the SRC for 9.x. Even though you can’t compile it due to missing files, you can mess with the source code and find vulnerabilities as a security researcher. It also contains the bootrom source code for certain devices…," a security expert said on Twitter.
The leaked source code is being cited as "the biggest leak in history" by Jonathan Levin, the author of a number of books on iOS and macOS internals. He says the leaked code seems to be the real iBoot code as it matches with the code he reverse-engineered himself.
Apple has open sourced some portions of macOS and iOS in recent years, but the iBoot code has been carefully kept private.
As Motherboard points out, the company treats iBoot as integral to the iOS security system and classifies secure boot components as a top-tier vulnerability in its bug bounty program, offering $200,000 for each reported vulnerability.
Therefore, the leaked iBoot code can pose a serious security risk, allowing hackers and security researchers to dig into the code to hunt for undisclosed vulnerabilities and write persistent malware exploits like rootkits and bootkits.
Moreover, jailbreakers could find something useful from the iBoot source code to jailbreak iOS and come up with a tethered jailbreak for iOS 11.2 and later.
It is worth noting that newer iPhones and other iOS devices ship with Secure Enclave, which protects against some of the potential issues that come with the leaked iBoot source code. So, I really doubt that the leaked code will be of much help.
Apple has yet to comment on the recent leak, though Github has already disabled the repository that was hosting the iBoot code after the company issued a DMCA takedown notice. However, the code is already out there.
We will update the article if we learn more.
Intel Releases New Spectre Patch Update for Skylake Processors
8.2.2018 thehackernews Vulnerebility
After leaving million of devices at risk of hacking and then rolling out broken patches, Intel has now released a new batch of security patches only for its Skylake processors to address one of the Spectre vulnerabilities (Variant 2).
For those unaware, Spectre (Variant 1, Variant 2) and Meltdown (Variant 3) are security flaws disclosed by researchers earlier last month in processors from Intel, ARM, and AMD, leaving nearly every PC, server, and mobile phone on the planet vulnerable to data theft.
Shortly after the researchers disclosed the Spectre and Meltdown exploits, Intel started releasing microcode patches for its systems running Broadwell, Haswell, Skylake, Kaby Lake, and Coffee Lake processors.
However, later the chip maker rollbacked the firmware updates and had to tell users to stop using an earlier update due to users complaining of frequent reboots and other unpredictable system behavior after installing patches.
Although it should be a bit quicker, Intel is currently working on new patches and already in contact with hardware companies so that they can include the new microcode patch in their new range of firmware updates.
So far, the new microcode update only addresses devices equipped with mobile Skylake and mainstream desktop Skylake chips, leaving the Broadwell, Haswell, Kaby Lake, Skylake X, Skylake SP, and Coffee Lake processors still vulnerable to Spectre (Variant 2) vulnerability.
So, everyone else still has to wait for the company to release microcode updates for their systems.
"Earlier this week, we released production microcode updates for several Skylake-based platforms to our OEM customers and industry partners, and we expect to do the same for more platforms in the coming days," the company says in a blog post.
"We also continue to release beta microcode updates so that customers and partners have the opportunity to conduct extensive testing before we move them into production."
Intel has strongly urged its customers to install this update as soon as possible, because if not patched, these processor vulnerabilities could allow attackers to bypass memory isolation mechanisms and access everything, including memory allocated for the kernel containing sensitive data like passwords, encryption keys, and other private information.
Moreover, after the release of proof-of-concept (PoC) exploit for the CPU vulnerabilities last month, hundreds of malware samples are spotted in the wild, most of which are based on the publicly released exploit and designed to work on major operating systems and web browsers.
Although we have not yet seen any fully-featured malware based on Spectre and Meltdown vulnerabilities, it doesn't take much time for hackers to develop one.
So, users are urged to always keep a close eye on any update that becomes available on their system, and install them as soon as they become available.
Source Code of iOS Security Component iBoot Posted on GitHub
8.2.2018 securityweek Apple
What appears to be the source code of iBoot, a key component of Apple’s iOS platform responsible for trusted boot operation, was posted on GitHub yesterday.
The code was posted on the open-source portal by an individual going by the username of ZioShiba. The repository, labeled iBoot, has since been taken down, after Apple filed a copyright takedown request with GitHub.
The code in question is what loads the iOS, being the first piece of software that runs when an iOS device is turned on. It is responsible for checking the integrity of the platform and whether the kernel is properly signed.
This clearly makes iBoot a critical operating system component, and Apple is aware of that. As part of its bug bounty program, the tech giant is willing to pay as much as $200,000 for critical flaws in secure boot firmware components, the highest award.
Vulnerabilities in the secure boot firmware components can be used to jailbreak devices. Hackers could also abuse them to gain access to vulnerable devices.
In the DMCA Notice sent to GitHub, Apple appears to confirm the legitimacy of the leak.
“Reproduction of Apple's "iBoot" source code, which is responsible for ensuring trusted boot operation of Apple's iOS software. The "iBoot" source code is proprietary and it includes Apple's copyright notice. It is not open-source,” the notice reads.
Following the takedown, the repo is no longer accessible, but its contents were undoubtedly already downloaded by interested parties.
This means that the iBoot source code likely continues to be available online for cybercriminals to abuse to find vulnerabilities they can exploit in attacks.
In fact, flaws in iOS have long already proved highly valuable, with some companies willing to pay millions of dollars for zero-day vulnerabilities in the mobile operating system. In fact, one team of hackers already earned $1 million for such a security bug.
Just like any other operating system out there, iOS isn’t infallible, and the new code leak clearly proves that, Rusty Carter, Vice President of Product Management for Arxan Technology, told SecurityWeek in an emailed comment.
“Apple iOS is widely viewed as the most trusted mobile operating system out there. But the leak of this source code is proof that no environment or OS is infallible, and application protection from within the application itself is crucial, especially for business-critical, data-sensitive applications. It's only a matter of time before the release of this source code results in new and very stealthy ways to compromise applications running on iOS,” Carter said.
SecurityWeek emailed Apple for an official comment and additional details on this incident.
“Old source code from three years ago appears to have been leaked, but by design the security of our products doesn’t depend on the secrecy of our source code. There are many layers of hardware and software protections built into our products, and we always encourage customers to update to the newest software releases to benefit from the latest protections,” an Apple spokesperson said.
Most of the iOS devices out there (93%) are already running newer platform releases, which diminishes any security impact of the leak. In fact, 65% of them run iOS 11, which includes Apple’s latest security improvements.
Apple is also running its own open source program, offering the platform to researchers interested in analyzing it.
*Updated with statement from Apple
Cisco Aware of Attacks Exploiting Critical Firewall Flaw
8.2.2018 securityweek Vulnerebility
Cisco informed customers on Wednesday that it has become aware of malicious attacks attempting to exploit a recently patched vulnerability affecting the company’s Adaptive Security Appliance (ASA) software.
No other information has been provided by the networking giant, but it’s worth noting that a proof-of-concept (PoC) exploit designed to cause a denial-of-service (DoS) condition on devices running ASA software was made public this week.
Cato Networks reported finding roughly 120,000 potentially vulnerable Cisco devices connected to the Internet, with a vast majority located in the United States and Europe.
The ASA software vulnerability, tracked as CVE-2018-0101, allows a remote and unauthenticated attacker to execute arbitrary code or cause a DoS condition.
The flaw affects several products running ASA software, including Firepower firewalls, 3000 series industrial security appliances, ASA 5000 and 5500 series appliances, 1000V cloud firewalls, ASA service modules for routers and switches, and Firepower Threat Defense (FTD) software. Cisco first notified customers about the availability of fixes on January 29.
Cisco initially said the security hole was related to the webvpn feature, but it later discovered that more than a dozen other features were impacted as well. The company released new patches this week after identifying new attack vectors and determining that the original fix had been incomplete.
The details of the vulnerability were disclosed on February 2 by Cedric Halbronn, the NCC Group researcher who reported the issue to Cisco.
“When exploited, this vulnerability known as CVE-2018-0101 allows the attacker to see all of the data passing through the system and provides them with administrative privileges, enabling them to remotely gain access to the network behind it,” NCC Group said. “Targeting the vulnerability without a specially-crafted exploit would cause the firewall to crash and would potentially disrupt the connectivity to the network.”
SecurityWeek has reached out to Cisco to see if the company can provide additional details regarding the malicious attacks and will update this article if the company responds.
Cisco on Wednesday also released new advisories describing several critical and high severity vulnerabilities, including a remote code execution flaw in RV132W ADSL2+ and RV134W VDSL2 routers, a DoS flaw in Cisco Virtualized Packet Core-Distributed Instance (VPC-DI) software, a command execution flaw in UCS Central, and an authentication bypass bug in Cisco Policy Suite.
Google Paid $2.9 Million in Vulnerability Rewards in 2017
8.2.2018 securityweek Vulnerebility
Google paid nearly $3 million to security researchers in 2017 who reported valid vulnerabilities in its products.
The internet giant said that it paid out $1.1 million in rewards for vulnerabilities discovered in Google products, and roughly the same amount to the researchers who reported security bugs in Android. With the bug bounties awarded for Chrome flaws added to the mix, a total of $2.9 million was paid throughout the year.
In the seven years since Google’s Vulnerability Reward Program was launched, the search giant has paid almost $12 million in rewards.
Last year, 274 researchers received rewards for their vulnerability reports, and a total of 1,230 individual rewards were paid, Google says.
“Drilling-down a bit further, we awarded $125,000 to more than 50 security researchers from all around the world through our Vulnerability Research Grants Program, and $50,000 to the hard-working folks who improve the security of open-source software as part of our Patch Rewards Program,” Jan Keller, Google VRP Technical Pwning Master explains in a blog post.
The biggest single reward paid in 2017 was of $112,500. This bug bounty went to researcher Guang Gong, for an exploit chain on Pixel phones, revealed in August 2017. The researcher discovered that it was possible to abuse a remote code execution bug in the sandboxed Chrome render process and a sandbox escape through Android’s libgralloc.
Google also paid a $100,000 pwnium award to researcher “Gzob Qq,” who discovered it was possible to achieve remote code execution in Chrome OS guest mode by leveraging a chain of bugs across five components.
Another award worth mentioning went to Alex Birsan, who discovered access to internal Google Issue Tracker data was open to anyone. The researcher received $15,600 for his efforts.
Last year, Google also worked on advancing the Android and Play Security Reward programs and announced increased top reward for an Android exploit chain (a remote exploit chain – or exploit leading to TrustZone or Verified Boot compromise) to $200,000. The top-end reward for a remote kernel exploit was increased to $150,000.
Now, the company reveals that the range of rewards for remote code executions is being increased from $1,000 to $5,000. Moreover, a new category for vulnerabilities leading to private user data theft, issues where information is transferred unencrypted, and bugs leading to access to protected app components has been included. Researchers can earn $1,000 for such bugs.
Malware is Pervasive Across Cloud Platforms: Report
8.2.2018 securityweek Virus
Leading Cloud Service Providers and Majority of AV Engines Failed to Detect New Ransomware Variant
Cloud Access Security Brokers (CASBs) provide visibility into the cloud. Some CASBs provide malware protection. Some clouds provide malware protection. Bitglass analyzed the efficacy of cloud-only protection by scanning the files of its customers that had not implemented its own Advanced Threat Protection (actually Cylance).
Bitglass scanned tens of millions of customer files and found (PDF) a remarkably high number of infections: 44% of organizations had at least one piece of malware in their cloud applications; and nearly one-in-three SaaS app instances contained at least one threat. Among the SaaS apps, 54.4% of OneDrive and 42.9% of Google Drive instances were infected. Dropbox and Box followed, both at 33%.
The research discovered that the average company had nearly 450,000 files held in the cloud, with more than 20 of the files containing malware. Forty-two percent of the infected file types were script and executable files, 21% were Office documents, 10% were Windows system files, and 8% were compressed formats. The other 19% were in various different file formats.
Among the infections it discovered a malware that Cylance confirmed as a zero-day ransomware -- which it calls ShurL0ckr. ShurL0ckr is ransomware-as-a-service , "meaning," says Bitglass, "the hacker generates a ransomware payload and distributes it via phishing or drive-by-download to encrypt files on disk in a background process until a Bitcoin ransom is paid." No analysis of the malware and its inner workings is provided.
It is, however, undetected by either Microsoft's or Google's cloud offerings.
"The sad truth," comments Meni Farjon, co-founder and CTO at SoleBIT Labs, "is that today, most cloud services providers still do not supply advanced malware detection capabilities, thus making this vector a perfect choice for attackers who aim to infect corporate users on a massive scale. I believe we will definitely see more ransomware variants targeting cloud application in the coming months, at least until the major cloud services providers offer malware detection capabilities to those services."
Bitglass checked whether mainstream anti-malware would detect the ShurL0ckr ransomware. "The team," writes Bitglass, "then leveraged VirusTotal to scrutinize a file containing the ransomware across dozens of antivirus engines. Only 7% of said engines (five in sixty-seven) detected the malware - one of these engines was Cylance, a Bitglass technology partner."
VirusTotal was acquired by Google in 2012.
The key takeaways from this research are that security teams' concerns about cloud security are valid, and there's a new ransomware that goes largely undetected. That last point is, however, not clear cut. The purpose of VirusTotal (VT) is to allow concerned users to gain insight into a suspect file -- could it be, or is it likely not, malicious? It is not an anti-malware comparative tool.
VirusTotal itself says, "Antivirus engines can be sophisticated tools that have additional detection features that may not function within the VirusTotal scanning environment. Because of this, VirusTotal scan results aren't intended to be used for the comparison of the effectiveness of antivirus products."
"In other words," comments ESET senior research fellow David Harley, "a VirusTotal report is not a reliable indicator as to whether a product detects or blocks a given sample out in the field, because VirusTotal doesnít necessarily make use of all the layers of protection made available by a specific product in the real world. To draw any conclusions about the efficacy of any product based on one sample isnít testing at all," he added; "itís just marketing."
Lenny Zeltser, VP of products at Minerva Labs, isn't surprised by the VT engines' low detection rate. "Attackers continually find ways of getting around AV tools, due to the inherent weaknesses of any approach to detecting malicious software on the basis of previously-seen patterns. This is a reality for all types of AV solutions," he told SecurityWeek, "regardless of whether they employ AI or not."
He believes that it is reasonable for Bitglass to quote a low VT detection rate because "this research focused on the way in which files stored on cloud services are identified as malware. I believe the providers of such services rely on static scans, which makes VirusTotal a reasonable approximation of AV efficacy in such scenarios. The findings show that organizations cannot rely solely on the scans performed by these providers, and should deploy anti-malware protection to their endpoints as well.î
What we now know is that there is another ransomware to worry about. We know that Cylance can detect it, but we don't know whether other anti-malware products deployed in the field will also catch it -- we do not know that only 7% will detect it. Bitglass hasn't provided any IOCs in its report, so it will be difficult for security teams to check for themselves.
However, since Bitglass uploaded an infected file to VirusTotal, VT will have shared details with its partner AV companies. They will now be making sure that they will detect it in the future -- so it might be useful for security teams to check directly with their own anti-malware provider to make sure they are already covered.
Silicon Valley-based Bitglass raised $45 million in a Series C funding round in January 2017, adding to the $25 million Series B round in 2014.
Swisscom Breach Hits 800,000 Customers
8.2.2018 securityweek Crime
Swiss telecoms giant Swisscom on Wednesday said it had tightened security controls after suffering a data breach that affected roughly 800,000 of its customers.
The company said unauthorized parties gained access to customer data by leveraging the access privileges of a sales partner. The attackers somehow obtained the partner’s credentials and used them to access contact information, including names, physical addresses, phone numbers, and dates of birth.
Swisscom pointed out that it collects this type of data legally from customers when they enter a subscription agreement, and sales partners are given limited access to records for identification and contracting purposes.
The company noted that this type of information is not considered sensitive under data protection laws, and it’s mostly either already in the public domain or in the hands of list brokers.
The data breach has affected approximately 800,000 Swisscom customers, mostly mobile services subscribers. The company said it had detected the incident during a routine check, but an in-depth investigation was launched following its discovery.
“Swisscom stresses that the system was not hacked and no sensitive data, such as passwords, conversation or payment data, was affected by the incident,” Swisscom stated. “Rigorous long-established security mechanisms are already in place in this case.”
While the compromised data is non-sensitive, Swisscom has reported the incident to the Swiss Federal Data Protection and Information Commissioner (FDPIC).
In response to the breach, the company has revoked access for the firm whose credentials were stolen and implemented tighter controls for partners. In the future, Swisscom wants to ensure that high-volume queries for customer information can no longer be run, and introduce two-factor authentication for sales partners when accessing its systems.
The company says it is not aware of any schemes leveraging the stolen data, but it has advised customers to be wary of any suspicious calls.
Joomla 3.8.4 release addresses three XSS and SQL Injection vulnerabilities
8.2.2018 securityaffairs Vulnerebility
Joomla development team has released the Joomla 3.8.4 that addresses many issues, including an SQL injection bug and three cross-site scripting (XSS) flaws.
Joomla development team has released the Joomla 3.8.4 that addresses a large number of issues, including an SQL injection bug and three cross-site scripting (XSS) vulnerabilities. The latest release also includes several improvements.
The XSS and SQL injection vulnerabilities have been classified as “low priority”
“Joomla 3.8.4 is now available. This is a security release for the 3.x series of Joomla addressing four security vulnerabilities and including over 100 bug fixes and improvements.” reads the announcement.
The most severe issue is the SQL injection vulnerability tracked as CVE-2018-6376 due to its high impact.
The issue was reported by the researcher Karim Ouerghemmi from RIPS Technologies (ripstech.com), it affects Joomla! CMS versions 3.7.0 through 3.8.3.
“The lack of type casting of a variable in SQL statement leads to a SQL injection vulnerability in the Hathor postinstall message.” states the security advisory published by Joomla.
“Recent updates to our analysis engine lead to the discovery of a new vulnerability in the Joomla! core affecting versions prior to 3.8.4. RIPS discovered a second-order SQL injection that could be used by attackers to leverage lower permissions and to escalate them into full admin permissions.” reads the analysis published by RIPS.
The experts explained that the flaw could be exploited to gain admin privileges and take over the Joomla installs.
“An attacker exploiting this vulnerability can read arbitrary data from the database. This data can be used to further extend the permissions of the attacker. By gaining full administrative privileges she can take over the Joomla! installation by executing arbitrary PHP code.” continues the post.
The researchers discovered the vulnerability by using their static code analyzer, an attacker can first inject arbitrary content into the targeted install’s database and then create a specially crafted query to gain admin privileges.
The XSS flaws affect the Uri class (versions 1.5.0 through 3.8.3), the com_fields component (versions 3.7.0 through 3.8.3), and the Module chrome (versions 3.0.0 through 3.8.3).
According to the development team, the Uri class (formerly JUri) fails to properly filter the input opening to XSS attacks.
Cyber Espionage Group Targets Asian Countries With Bitcoin Mining Malware
8.2.2018 thehahckernews CyberSpy CoinMine
Security researchers have discovered a custom-built piece of malware that's wreaking havoc in Asia for past several months and is capable of performing nasty tasks, like password stealing, bitcoin mining, and providing hackers complete remote access to compromised systems.
Dubbed Operation PZChao, the attack campaign discovered by the security researchers at Bitdefender have been targeting organizations in the government, technology, education, and telecommunications sectors in Asia and the United States.
Researchers believe nature, infrastructure, and payloads, including variants of the Gh0stRAT trojan, used in the PZChao attacks are reminiscent of the notorious Chinese hacker group—Iron Tiger.
However, this campaign has evolved its payloads to drop trojan, conduct cyber espionage and mine Bitcoin cryptocurrency.
The PZChao campaign is attacking targets across Asia and the U.S. by using similar attack tactics as of Iron Tiger, which, according to the researchers, signifies the possible return of the notorious Chinese APT group.
Since at least July last year, the PZChao campaign has been targeting organizations with a malicious VBS file attachment that delivers via highly-targeted phishing emails.
If executed, the VBS script downloads additional payloads to an affected Windows machine from a distribution server hosting "down.pzchao.com," which resolved to an IP address (220.127.116.11) in South Korea at the time of the investigation.
The threat actors behind the attack campaign have control over at least five malicious subdomains of the "pzchao.com" domain, and each one is used to serve specific tasks, like download, upload, RAT related actions, malware DLL delivery.
The payloads deployed by the threat actors are "diversified and include capabilities to download and execute additional binary files, collect private information and remotely execute commands on the system," researchers noted.
The first payload dropped on the compromised machines is a Bitcoin miner, disguised as a 'java.exe' file, that mines cryptocurrency every three weeks at 3 AM, when most people are not in front of their systems.
For password stealing, the malware also deploys one of two versions of the Mimikatz password-scraping utility (depending on the operating architecture of the affected machine) to harvest passwords and upload them to the command and control server.
PZChao's final payload includes a slightly modified version of Gh0st remote access trojan (RAT) which is designed to act as a backdoor implant and behaves very similar to the versions detected in cyber attacks associated with the Iron Tiger APT group.
The Gh0st RAT is equipped with massive cyber-espionage capabilities, including:
Real-time and offline remote keystroke logging
Listing of all active processes and opened windows
Listening in on conversations via microphone
Eavesdropping on webcams' live video feed
Allowing for remote shutdown and reboot of the system
Downloading binaries from the Internet to remote host
Modifying and stealing files and more.
All of the above capabilities allows a remote attacker to take full control of the compromised system, spy on the victims and exfiltrate confidential data easily.
While the tools used in the PZChao campaign are a few years old, "they are battle-tested and more than suitable for future attacks," researchers say.
Active since 2010, Iron Tiger, also known as "Emissary Panda" or "Threat Group-3390," is a Chinese advanced persistent threat (APT) group that was behind previous campaigns resulting in the theft of massive amounts of data from the directors and managers of US-based defense contractors.
Similar to the PZChao campaign, the group also carried out attacks against entities in China, the Philippines, and Tibet, besides attacking targets in the U.S.
For further insights, you can read the detailed technical paper published by Bitdefender.
Critical Flaw in Grammarly Spell Checker Could Let Attackers Steal Your Data
8.2.2018 thehahckernews Vulnerebility
A critical vulnerability discovered in the Chrome and Firefox browser extension of the grammar-checking software Grammarly inadvertently left all 22 million users' accounts, including their personal documents and records, vulnerable to remote hackers.
In other words, any website a Grammarly user visits could steal his/her authentication tokens, which is enough to login into the user's account and access every "documents, history, logs, and all other data" without permission.
"I'm calling this a high severity bug, because it seems like a pretty severe violation of user expectations," Ormandy said in a vulnerability report. "Users would not expect that visiting a website gives it permission to access documents or data they've typed into other websites."
Ormandy has also provided a proof-of-concept (PoC) exploit, which explains how one can easily trigger this serious bug to steal Grammarly user's access token with just four lines of code.
This high-severity flaw was discovered on Friday and fixed early Monday morning by the Grammarly team, which, according to the researcher, is "a really impressive response time" for addressing such bugs.
Security updates are now available for both Chrome and Firefox browser extensions, which should get automatically updated without requiring any action by Grammarly users.
A Grammarly spokesperson also told in an email that the company has no evidence of users being compromised by this vulnerability.
"Grammarly resolved a security bug reported by Google's Project Zero security researcher, Tavis Ormandy, within hours of its discovery. At this time, Grammarly has no evidence that any user information was compromised by this issue," the spokesperson said.
"We're continuing to monitor actively for any unusual activity. The security issue potentially affected text saved in the Grammarly Editor. This bug did not affect the Grammarly Keyboard, the Grammarly Microsoft Office add-in, or any text typed on websites while using the Grammarly browser extension. The bug is fixed, and there is no action required by Grammarly users."
Stay tuned for more updates.
Watch Out! New Cryptocurrency-Mining Android Malware is Spreading Rapidly
8.2.2018 thehahckernews Android CoinMine
Due to the recent surge in cryptocurrency prices, threat actors are increasingly targeting every platform, including IoT, Android, and Windows, with malware that leverages the CPU power of victims' devices to mine cryptocurrency.
Just last month, Kaspersky researchers spotted fake antivirus and porn Android apps infected with malware that mines Monero cryptocurrency, launches DDoS attacks, and performs several other malicious tasks, causing the phone's battery to bulge out of its cover.
Now, security researchers at Chinese IT security firm Qihoo 360 Netlab discovered a new piece of wormable Android malware, dubbed ADB.Miner, that scans wide-range of IP addresses to find vulnerable devices and infect them to mine digital cryptocurrency.
According to the researchers, ADB.Miner is the first Android worm to reuse the scanning code programmed in Mirai—the infamous IoT botnet malware that knocked major Internet companies offline last year by launching massive DDoS attacks against Dyndns.
ADB.Miner scans for Android devices—including smartphones, smart TVs, and TV set-top boxes—with publicly accessible ADB debug interface running over port 5555 and then infects them with a malware that mines Monero cryptocurrency for its operators.
Android Debug Bridge (ADB) is a command-line tool that helps developers debug Android code on the emulator and grants access to some of the operating system’s most sensitive features.
It should be noted that almost all Android devices by default come with the ADB port disabled, so botnet would target only those devices that have manually been configured to enable port 5555.
Besides mining Monero cryptocurrency, ADB.Miner installed on an infected device also attempts to propagate itself by scanning for more targets on the Internet.
Researchers did not reveal exactly how or by exploiting which ADB flaw hackers are installing malware onto Android devices.
However, the researchers believed hackers are not exploiting any vulnerability that targets any specific device vendor since they found devices from a wide range of manufacturers impacted.
According to the researchers, the infection started on January 21, and the number of attacks has increased recently. As of Sunday, the researchers detected 7,400 unique IP addresses using the Monero mining code—that's more than 5,000 impacted devices in just 24 hours.
Based on the scanning IP addresses, the highest number of infection has been noticed in China (40%) and South Korea (31%), the researchers estimated.
In order to fight against such malware Android users are advised not to install unnecessary and untrusted applications from the app store, even from Google Play Store, and keep your devices behind a firewall or a VPN.
Researcher Claims Hotspot Shield VPN Service Exposes You on the Internet
8.2.2018 thehahckernews Vulnerebility
Virtual Private Network (VPN) is one of the best solutions you can have to protect your privacy and data on the Internet, but you should be more vigilant while choosing a VPN service which truly respects your privacy.
If you are using the popular VPN service Hotspot Shield for online anonymity and privacy, you may inadvertently be leaking your real IP address and other sensitive information.
Developed by AnchorFree GmbH, Hotspot Shield is a VPN service available for free on Google Play Store and Apple Mac App Store with an estimated 500 million users around the world.
The service promises to "secure all online activities," hide users' IP addresses and their identities and protect them from tracking by transferring their internet and browsing traffic through its encrypted channel.
However, an 'alleged' information disclosure vulnerability discovered in Hotspot Shield results in the exposure of users data, like the name of Wi-Fi network name (if connected), their real IP addresses, which could reveal their location, and other sensitive information.
The vulnerability, assigned CVE-2018-6460, has been discovered and reported to the company by an independent security researcher, Paulos Yibelo, but he made details of the vulnerability to the public on Monday after not receiving a response from the company.
According to the researcher claims, the flaw resides in the local web server (runs on a hardcoded host 127.0.0.1 and port 895) that Hotspot Shield installs on the user's machine.
This server hosts multiple JSONP endpoints, which are surprisingly accessible to unauthenticated requests as well that in response could reveal sensitive information about the active VPN service, including its configuration details.
"http://localhost:895/status.js generates a sensitive JSON response that reveals whether the user is connected to VPN, to which VPN he/she is connected to what and what their real IP address is & other system juicy information. There are other multiple endpoints that return sensitive data including configuration details," Yibelo claims.
"User-controlled input is not sufficiently filtered: an unauthenticated attacker can send a POST request to /status.js with the parameter func=$_APPLOG.Rfunc and extract sensitive information about the machine," the vulnerability description reads.
However, ZDNet reporter Zack Whittaker tries to verify researcher's claim and found that the PoC code only revealed the Wi-Fi network name and country, but not the real IP address.
In a statement, AnchorFree spokesperson acknowledged the vulnerability but denied the disclosure of real IP address as claimed by Yibelo.
"We have found that this vulnerability does not leak the user's real IP address or any personal information, but may expose some generic information such as the user's country," the spokesperson told ZDNet.
The researcher also claims that he was able to leverage this vulnerability to achieve remote code execution.
Hotspot Shield also made headlines in August last year, when the Centre for Democracy and Technology (CDT), a US non-profit advocacy group for digital rights, accused the service of allegedly tracking, intercepting and collecting its customers' data.
Intel Releases New Spectre Patches for Skylake CPUs
8.2.2018 securityweek Vulnerebility
Intel has started releasing new microcode updates that should address one of the Spectre vulnerabilities after the first round of patches caused significant problems for many users.
The company has so far released new firmware updates only for its Skylake processors, but expects updates to become available for other platforms as well in the coming days. Customers and partners have been provided beta updates to ensure that they can be extensively tested before being moved into production.
The chipmaker started releasing microcode patches for the Spectre and Meltdown vulnerabilities shortly after the attack methods were disclosed by researchers. However, the company was forced to suspend updates due to frequent reboots and other unpredictable system behavior. Microsoft and other vendors also disabled mitigations or stopped providing firmware updates due to Intel’s buggy patches.Intel provides new microcode updates for Skylake CPUs
Intel claims to have identified the root of an issue that caused systems to reboot more frequently after the patches were installed.
The company initially said only systems running Broadwell and Haswell CPUs experienced more frequent reboots, but similar behavior was later observed on Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms as well.
The problem appears to be related to the fix for CVE-2017-5715, one of the flaws that allows Spectre attacks, specifically Spectre Variant 2. Meltdown and Variant 1 of Spectre can be patched efficiently with software updates, but Spectre Variant 2 requires microcode updates for a complete fix.
Both Intel and AMD announced recently that they are working on processors that will have built-in protections against exploits such as Spectre and Meltdown.
In the meantime, Intel has urged customers to always install updates as soon as they become available. On the other hand, many users might decide to take a risk and not immediately apply fixes in order to avoid potential problems such as the ones introduced by the first round of Spectre and Meltdown patches.
Intel has admitted that researchers or malicious actors will likely find new variants of the Spectre and Meltdown attacks.
Security firms have already spotted more than 100 malware samples exploiting the Spectre and Meltdown vulnerabilities. While a majority appeared to be in the testing phase, we could soon start seeing attacks in the wild, especially since the samples analyzed by experts are designed to work on major operating systems and browsers.
Intel, AMD and Apple face class action lawsuits over the Spectre and Meltdown vulnerabilities.
U.S. Announces Takedown of Global Cyber Theft Ring
8.2.2018 securityweek IT
The US Justice Department announced indictments Wednesday for 36 people accused of running a transnational ring stealing and selling credit card and personal identity data, causing $530 million in losses.
Thirteen members of the "Infraud Organization" were arrested in the United States, Australia, Britain, France, Italy, Kosovo and Serbia, it said.
Created in Ukraine in 2010 by Svyatoslav Bondarenko, Infraud was a key hub for card fraud, touting itself with the motto "In Fraud We Trust."
It was "the premier one-stop shop for cybercriminals worldwide," said Deputy Assistant Attorney General David Rybicki.
Members could buy and sell card and personal data for use to buy goods on the internet, defrauding the card owners, card issuers and vendors.
Infraud operated automated vending sites to make it easy for someone to buy card and identity data from them. It had 10,901 approved "members" registered to buy and sell with them in early 2017, and maintained a rating and feedback system for members.
The senior administrators continuously screened the products and services of vendors "to ensure quality products," said the indictment.
The group operated moderated web forums to share advice among customers, and operated an "escrow" service for payments in digital currencies like Bitcoin, the Justice Department said.
"As alleged in the indictment, Infraud operated like a business to facilitate cyberfraud on a global scale," said Acting Assistant Attorney General John Cronan.
The network of indicted Infraud leaders included people from the United States, France, Britain, Egypt, Pakistan, Kosovo, Serbia, Bangladesh, Canada and Australia.
Bondarenko remains at large, but the number two figure in the organization, Russian co-founder Sergey Medvedev has been arrested, according to US officials.
Bangladesh to File U.S. Suit Over Central Bank Heist
8.2.2018 securityweek Cyber
Bangladesh's central bank will file a lawsuit in New York against a Philippine bank over the world's largest cyber heist, the finance minister said Wednesday.
Unidentified hackers stole $81 million in February 2016 from the Bangladesh central bank's account with the US Federal Reserve in New York.
The money was transferred to a Manila branch of the Rizal Commercial Banking Corp (RCBC), then quickly withdrawn and laundered through local casinos.
With only a small amount of the stolen money recovered and frustration growing in Dhaka, Bangladesh's Finance Minister A.M.A Muhith said last year he wanted to "wipe out" RCBC.
On Wednesday he said Bangladesh Bank lawyers were discussing the case in New York and may file a joint lawsuit against the RCBC with the US Federal Reserve.
"It will be (filed) in New York. Fed may be a party," he told reporters in Dhaka.
The deputy central bank governor Razee Hassan told AFP the case would be filed in April.
"They (RCBC) are the main accused," he said.
"Rizal Commercial Banking Corporation (RCBC) and its various officials are involved in money heist from Bangladesh Bank's reserve account and the bank is liable in this regard," Hassan said in a written statement.
The Philippines in 2016 imposed a record $21 million fine on RCBC after investigating its role in the audacious cyber heist.
Philippine authorities have also filed money-laundering charges against the RCBC branch manager.
The bank has rejected the allegations and last year accused Bangladesh's central bank of a "massive cover-up".
The hackers bombarded the US Federal Reserve with dozens of transfer requests, attempting to steal a further $850 million.
But the bank's security systems and typing errors in some requests prevented the full theft.
The hack took place on a Friday, when Bangladesh Bank is closed. The Federal Reserve Bank in New York is closed on Saturday and Sunday, slowing the response.
The US reserve bank, which manages the Bangladesh Bank reserve account, has denied its own systems were breached.
Cryptocurrency Mining Malware Hits Monitoring Systems at European Water Utility
8.2.2018 securityweek CoinMine
Malware Chewed Up CPU of HMI at Wastewater Facility
Cryptocurrency mining malware worked its way onto four servers connected to an operational technology (OT) network at a wastewater facility in Europe, industrial cybersecurity firm Radiflow told SecurityWeek Wednesday.
Radiflow says the incident is the first documented cryptocurrency malware attack to hit an OT network of a critical infrastructure operator.
The servers were running Windows XP and CIMPLICITY SCADA software from GE Digital.
“In this case the [infected] server was a Human Machine Interface (HMI),” Yehonatan Kfir, CTO at Radiflow, told SecurityWeek. “The main problem,” Kfir continued “is that this kind of malware in an OT network slows down the HMIs. Those servers are responsible for monitoring physical processes.”
Radiflow wasn’t able to name the exact family of malware it found, but said the threat was designed to mine Monero cryptocurrency and was discovered as part of routine monitoring of the OT network of the water utility customer.
“A cryptocurrency malware attack increases device CPU and network bandwidth consumption, causing the response times of tools used to monitor physical changes on an OT network, such as HMI and SCADA servers, to be severely impaired,” the company explained. “This, in turn, reduces the control a critical infrastructure operator has over its operations and slows down its response times to operational problems.”
While the investigation is still underway, Radiflow’s team has determined that the cryptocurrency malware was designed to run in a stealth mode on a computer or device, and even disable its security tools in order to operate undetected and maximize its mining processes for as long as possible.
“Cryptocurrency malware attacks involve extremely high CPU processing and network bandwidth consumption, which can threaten the stability and availability of the physical process of a critical infrastructure operator,” Kfir said. “While it is known that ransomware attacks have been launched on OT networks, this new case of a cryptocurrency malware attack on an OT network poses new threats as it runs in stealth mode and can remain undetected over time.”
“PCs in an OT network run sensitive HMI and SCADA applications that cannot get the latest Windows, antivirus and other important updates, and will always be vulnerable to malware attacks,” Kfir said.
While the malware was able to infect an HMI machine at a critical infrastructure operator, the attack was likely not specifically targeted at the water utility.
Thousands of industrial facilities have their systems infected with common malware every year, and the number of attacks targeting ICS is higher than it appears, according to a 2017 report by industrial cybersecurity firm Dragos.
Existing public information on ICS attacks shows numbers that are either very high (e.g. over 500,000 attacks according to unspecified reports cited by Dragos), or very low (e.g. roughly 290 incidents per year reported by ICS-CERT). It its report, Dragos set out to provide more realistic numbers on malware infections in ICS, based on information available from public sources such as VirusTotal, Google and DNS data.
As part of a project it calls MIMICS (malware in modern ICS), Dragos was able to identify roughly 30,000 samples of malicious ICS files and installers dating back to 2003. Non-targeted infections involving viruses such as Sivis, Ramnit and Virut are the most common, followed by Trojans that can provide threat actors access to Internet-facing environments.
These incidents may not be as severe as targeted attacks and they are unlikely to cause physical damage or pose a safety risk. However, they can cause liability issues and downtime to operations, which leads to increased financial costs, Robert M. Lee, CEO and founder of Dragos, told SecurityWeek in March 2017.
One example is the incident involving a German nuclear energy plant in Gundremmingen, whose systems got infected with Conficker and Ramnit malware. The malware did not cause any damage and it was likely picked up by accident, but the incident did trigger a shutdown of the plant as a precaution.
Stealthy Data Exfiltration Possible via Magnetic Fields
8.2.2018 securityweek Virus
Researchers have demonstrated that a piece of malware present on an isolated computer can use magnetic fields to exfiltrate sensitive data, even if the targeted device is inside a Faraday cage.
A team of researchers at the Ben-Gurion University of the Negev in Israel have created two types of proof-of-concept (PoC) malware that use magnetic fields generated by a device’s CPU to stealthily transmit data.
A magnetic field is a force field created by moving electric charges (e.g. electric current flowing through a wire) and magnetic dipoles, and it exerts a force on other nearby moving charges and magnetic dipoles. The properties of a magnetic field are direction and strength.
The CPUs present in modern computers generate low frequency magnetic signals which, according to researchers, can be manipulated to transmit data over an air gap.
The attacker first needs to somehow plant a piece of malware on the air-gapped device from which they want to steal data. The Stuxnet attack and other incidents have shown that this task can be accomplished by a motivated attacker.
Once the malware is in place, it can collect small pieces of information, such as keystrokes, passwords and encryption keys, and send it to a nearby receiver.
The malware can manipulate the magnetic fields generated by the CPU by regulating its workload – for example, overloading the processor with calculations increases power consumption and generates a stronger magnetic field.
The collected data can be modulated using one of two schemes proposed by the researchers. Using on-off keying (OOK) modulation, an attacker can transmit “0” or “1” bits through the signal generated by the magnetic field – the presence of a signal represents a “1” bit and its absence a “0” bit.
Since the frequency of the signal can also be manipulated, the malware can use a specific frequency to transmit “1” bits and a different frequency to transmit “0” bits. This is known as binary frequency-shift keying (FSK) modulation.
Ben Gurion University researchers have developed two pieces of malware that rely on magnetic fields to exfiltrate data from an air-gapped device. One of them is called ODINI and it uses this method to transmit the data to a nearby magnetic sensor. The second piece of malware is named MAGNETO and it sends data to a smartphone, which typically have magnetometers for determining the device’s orientation.
In the case of ODINI, experts managed to achieve a maximum transfer rate of 40 bits/sec over a distance of 100 to 150 cm (3-5 feet). MAGNETO is less efficient, with a rate of only 0.2 - 5 bits/sec over a distance of up to 12.5 cm (5 inches). Since transmitting one character requires 8 bits, these methods can be efficient for stealing small pieces of sensitive information, such as passwords.
Researchers demonstrated that ODINI and MAGNETO also work if the targeted air-gapped device is inside a Faraday cage, an enclosure used to block electromagnetic fields, including Wi-Fi, Bluetooth, cellular and other wireless communications.
In the case of MAGNETO, the malware was able to transmit data even if the smartphone was placed inside a Faraday bag or if the phone was set to airplane mode.
Ben-Gurion researchers have found several ways of exfiltrating data from air-gapped networks, including through infrared cameras, router LEDs, scanners, HDD activity LEDs, USB devices, the noise emitted by hard drives and fans, and heat emissions.
Meet PinME, A Brand New Attack To Track Smartphones With GPS Turned Off.
8.2.2018 securityaffairs Attack
Researchers from Princeton University have developed an app called PinME to locate and track smartphone without using GPS.
The research team led by Prateek Mittal, assistant professor in Princeton’s Department of Electrical Engineering and PinMe paper co-author developed the PinMe application that mines information stored on smartphones that don’t require permissions for access.
The data is processed alongside with public available maps and weather reports resulting on information if a person is traveling by foot, car, train or airplane and their travel route. The applications for intelligence and law enforcement agencies to solve crimes like kidnapping, missing people and terrorism are very significant.
As the researchers notice, the application utilizes a series of algorithms to locate and track someone using information like the phone IP address and time zone combined with data from its sensors. The phone sensors collect compass details from the gyroscope, air pressure reading from barometer and accelerometer data while remaining undetected from the user. The resulting data processed can be used to extract contextual information about users’ habits, regular activities, and even relationships.
This technology as many others have two sides: Help solving crimes at large, and implications on privacy and security of the users. The researchers hope to be fomenting the development of security measures to switch off sensor data by revealing this sensor security flaw. Nowadays such sensor data is collected by fitness and game applications to track people movement.
Another key point where the application can be a game changer is an alternative navigation tool, as highlighted by the researchers. Gps signals used in autonomous cars and ships can be the target of hackers putting the safety of the passengers in danger. The researchers conducted their experiment using Galaxy S4 i9500, iPhone 6 and iPhone 6S. To determine the last Wi-Fi connection, the PinMe application read the latest IP address used and the network status.
To determine how a user is traveling, the application utilizes a machine learning algorithm that recognizes the different patterns of walking, driving and flying by gathering data from the phones sensor like speed, direction of travel, delay between movement and altitude.
Once determined the pattern of activity of a user, the application then executes one of four additional algorithms to determine the type transportation. By comparing the phone data against public information the route of the user is determined. Maps from Google and the U.S. Geological Survey were used to determine the altitude details of every point on Earth. Details regarding temperature, humidity, and air pressure reports were also used to determine the use of trains or planes.
The researchers wanted also to raise the question about privacy and data collected without the user consent as Prateek Mittal states: “PinMe demonstrates how information from seemingly innocuous sensors can be exploited using machine-learning techniques to infer sensitive details about our lives”.
For the second time CISCO issues security patch to fix a critical vulnerability in CISCO ASA
8.2.2018 securityaffairs Vulnerebility
Cisco has rolled out new security patches for a critical vulnerability, tracked as CVE-2018-0101, in its CISCO ASA (Adaptive Security Appliance) software.
At the end of January, the company released security updates the same flaw in Cisco ASA software. The vulnerability could be exploited by a remote and unauthenticated attacker to execute arbitrary code or trigger a denial-of-service (DoS) condition causing the reload of the system.
The vulnerability resides in the Secure Sockets Layer (SSL) VPN feature implemented by CISCO ASA software, it was discovered by the researcher Cedric Halbronn from NCC Group.
The flaw received a Common Vulnerability Scoring System base score of 10.0.
According to CISCO, it is related to the attempt to double free a memory region when the “webvpn” feature is enabled on a device. An attacker can exploit the vulnerability by sending specially crafted XML packets to a webvpn-configured interface.
Further investigation of the flaw revealed additional attack vectors, for this reason, the company released a new update. The researchers also found a denial of service issue affecting Cisco ASA platforms.
“After broadening the investigation, Cisco engineers found other attack vectors and features that are affected by this vulnerability that were not originally identified by the NCC Group and subsequently updated the security advisory,” reads a blog post published by Cisco.
The experts noticed that the flaw ties with the XML parser in the CISCO ASA software, an attacker can trigger the vulnerability by sending a specifically crafted XML file to a vulnerable interface.
The list of affected CISCO ASA products include:
3000 Series Industrial Security Appliance (ISA)
ASA 5500 Series Adaptive Security Appliances
ASA 5500-X Series Next-Generation Firewalls
ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
ASA 1000V Cloud Firewall
Adaptive Security Virtual Appliance (ASAv)
Firepower 2100 Series Security Appliance
Firepower 4110 Security Appliance
Firepower 9300 ASA Security Module
Firepower Threat Defense Software (FTD)
According to Cisco experts, there is no news about the exploitation of the vulnerability in the wild, anyway, it is important to apply the security updates immediately.
Automation Software Flaws Expose Gas Stations to Hacker Attacks
7.2.2018 securityweek CyberCrime
Gas stations worldwide are exposed to remote hacker attacks due to several vulnerabilities affecting the automation software they use, researchers at Kaspersky Lab reported on Wednesday.
The vulnerable product is SiteOmat from Orpak, which is advertised by the vendor as the “heart of the fuel station.” The software, designed to run on embedded Linux machines or a standard PC, provides “complete and secure site automation, managing the dispensers, payment terminals, forecourt devices and fuel tanks to fully control and record any transaction.”
Kaspersky researchers discovered that the “secure” part is not exactly true and more than 1,000 of the gas stations using the product allow remote access from the Internet. Over half of the exposed stations are located in the United States and India.
“Before the research, we honestly believed that all fueling systems, without exception, would be isolated from the internet and properly monitored. But we were wrong,” explained Kaspersky’s Ido Naor. “With our experienced eyes, we came to realize that even the least skilled attacker could use this product to take over a fueling system from anywhere in the world.”
According to the security firm, the vulnerabilities affecting SiteOmat could be exploited by malicious actors for a wide range of purposes, including to modify fuel prices, shut down fueling systems, or cause a fuel leakage.
The security holes can also allow hackers to move laterally within the targeted company’s network, gain access to payment systems and steal financial data, and obtain information on the station’s customers (e.g. license plates, driver identity data). Another possible scenario described by Kaspersky involves disrupting the station’s operations and demanding a ransom.
These attacks are possible due to a series of vulnerabilities, including hardcoded credentials (CVE-2017-14728), persistent XSS (CVE-2017-14850), SQL injection (CVE-2017-14851), insecure communications (CVE-2017-14852), code injection (CVE-2017-14853), and remote code execution (CVE-2017-14854). Exploiting the flaws does not require advanced hacking skills, Naor said.
The fact that the vendor has made available technical information about the device and a detailed user manual made it easier for experts to find the security holes.
The systems analyzed by Kaspersky were often embedded in fueling systems and researchers believe they had been connected to the Internet for more than a decade.
Orpak was informed about the flaws in September and the company told researchers a month later that it had been in the process of rolling out a hardened version of its system, but it has since not shared any updates on the status of patches. SecurityWeek has reached out to the vendor for comment and will update this article if the company responds.
Hackers From Florida, Canada Behind 2016 Uber Breach
7.2.2018 securityweek Hacking
Uber shares more details about 2016 data breach
Two individuals living in Canada and Florida were responsible for the massive data breach suffered by Uber in 2016, the ride-sharing company’s chief information security officer said on Tuesday.
In a hearing before the Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, Uber CISO John Flynn shared additional details on the data breach that the company covered up for more than a year.
The details of 57 million Uber riders and drivers were taken from the company’s systems between mid-October and mid-November 2016. The compromised data included names, email addresses, phone numbers, user IDs, password hashes, and the driver’s license numbers of roughly 600,000 drivers. The incident was only disclosed by Uber’s CEO, Dara Khosrowshahi, on November 21, 2017.
Flynn told the Senate committee on Tuesday that the data accessed by the hackers had been stored in an Amazon Web Services (AWS) S3 bucket used for backup purposes. The attackers had gained access to it with credentials they had found in a GitHub repository used by Uber engineers. Uber decided to stop using GitHub for anything other than open source code following the incident.
Uber’s security team was contacted on November 14, 2016, by an anonymous individual claiming to have accessed Uber data and demanding a six-figure payment. After confirming that the data obtained by the hackers was valid, the company decided to pay the attackers $100,000 through its HackerOne-based bug bounty program to have them destroy the data they had obtained.
While some members of Uber’s security team were working on containing the incident and finding the point of entry, others were trying to identify the attackers. The man who initially contacted Uber was from Canada and his partner, who actually obtained the data, was located in Florida, the Uber executive said.
“Our primary goal in paying the intruders was to protect our consumers’ data,” Flynn said in a prepared statement. “This was not done in a way that is consistent with the way our bounty program normally operates, however. In my view, the key distinction regarding this incident is that the intruders not only found a weakness, they also exploited the vulnerability in a malicious fashion to access and download data.”
A code of conduct added by HackerOne to its disclosure guidelines last month includes an entry on extortion and blackmail, prohibiting “any attempt to obtain bounties, money or services by coercion.” It’s unclear if this is in response to the Uber incident, but the timing suggests that it may be.
The Uber CISO has not said if any actions have been taken against the hackers, but Reuters reported in December that the Florida resident was a 20-year-old who was living with his mother in a small home, trying to help pay the bills. The news agency learned from sources that Uber had decided not to press charges as the individual did not appear to pose a further threat.
Flynn admitted that “it was wrong not to disclose the breach earlier,” and said the ride-sharing giant has taken steps to ensure that such incidents are avoided in the future. He also admitted that the company should not have used its bug bounty program to deal with extortionists.
Uber’s chief security officer, Joe Sullivan, and in-house lawyer Craig Clark were fired over their roles in the breach. Class action lawsuits have been filed against the company over the incident and some U.S. states have announced launching investigations into the cover-up.
U.S. officials are not happy with the way Uber has handled the situation.
“The fact that the company took approximately a year to notify impacted users raises red flags within this Committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable,” said Sen. Jerry Moran, chairman of the congressional committee.
Just before the Senate hearing, Congresswoman Jan Schakowsky and Congressman Ben Ray Lujan highlighted that Uber had deceived the Federal Trade Commission (FTC) by failing to mention the 2016 breach while the agency had been investigating another, smaller cybersecurity incident suffered by the firm in 2014.
XSS, SQL Injection Flaws Patched in Joomla
7.2.2018 securityweek Vulnerebility
One SQL injection and three cross-site scripting (XSS) vulnerabilities have been patched with the release of Joomla 3.8.4 last week. The latest version of the open-source content management system (CMS) also includes more than 100 bug fixes and improvements.
The XSS and SQL injection vulnerabilities affect the Joomla core, but none of them appear to be particularly dangerous – they have all been classified by Joomla developers as “low priority.”
The XSS flaws affect the Uri class (versions 1.5.0 through 3.8.3), the com_fields component (versions 3.7.0 through 3.8.3), and the Module chrome (versions 3.0.0 through 3.8.3).
The SQL injection vulnerability is considered more serious – Joomla developers have classified it as low severity, but high impact.
The security hole, tracked as CVE-2018-6376, affects versions 3.7.0 through 3.8.3. The issue was reported to Joomla by RIPS Technologies on January 17 and a patch was proposed by the CMS’s developers the same day.
In a blog post published on Tuesday, RIPS revealed that the vulnerability found by its static code analyzer is a SQL injection that can be exploited by an authenticated attacker with low privileges (i.e. Manager account) to obtain full administrator permissions.
“An attacker exploiting this vulnerability can read arbitrary data from the database. This data can be used to further extend the permissions of the attacker. By gaining full administrative privileges she can take over the Joomla! installation by executing arbitrary PHP code,” said RIPS researcher Karim El Ouerghemmi.
The researcher explained that this is a two-phase attack. First, the attacker injects arbitrary content into the targeted site’s database, and then they create a special SQL query that leverages the previously injected payload to obtain information that can be used to gain admin privileges.
This is not the first time RIPS has found a vulnerability in Joomla. In September, the company reported identifying a flaw that could have been exploited by an attacker to obtain an administrator’s username and password by guessing the credentials character by character.
Questionable Interpretation of Cybersecurity's Hidden Labor Cost
7.2.2018 securityweek Cyber
Report Claims a 2,000 Employee Organization Spends $16 Million Annually on Incident Triaging
The de facto standard for cybersecurity has always been detect and respond: detect a threat and respond to it, either by blocking its entry or clearing its presence. A huge security industry has evolved over the last two decades based on this model; and most businesses have invested vast sums in implementing the approach. It can be described as 'detect-to-protect'.
In recent years a completely different isolation cyber security paradigm has emerged. Rather than detect threats, simply isolate applications from them. This is achieved by running the app in a safe container where malware can do no harm. If an application is infected, the container and the malware is abandoned, and a clean version of the application is loaded into the container. There is no need to spend time and money on threat detection since it can do no harm. This is the isolation model.
The difficulty for vendors of isolation technology is that potential customers are already heavily invested in the detect paradigm. Getting them to switch to isolation is tantamount to asking them to abandon their existing investment as a waste of money.
Bromium, one of the earliest and leading isolation companies, has chosen to demonstrate the unnecessary continuing manpower cost of operating a detect-to-protect model, together with the unnecessary cybersecurity technology that supports it.
Bromium commissioned independent market research firm Vanson Bourne to survey 500 CISOs (200 in the U.S.; 200 in the UK; and 100 Germany) in order to understand and demonstrate the operational cost of detect-to-protect. All the surveyed CISOs are employed by firms with between 1000 and 5000 employees, allowing the research to quote figures based on an average organization of 2000 employees.
The bottom-line of this research (PDF) is that a company with 2,000 employees spends $16.7 million dollars every year on protect-to-detect. No comparable figure is given for an isolation model, but the reader is allowed to assume it would be considerably less.
The total cost is achieved by combining threat triaging costs, computer rebuilds, and emergency patching costs to provide the overall labor cost, plus the technology cost of nearly $350,000. The implication is that it is not so worrying to abandon $350,000 for a saving of $16 million -- and indeed, that would be true if the manpower costs are valid. But they are questionable.
All costs in the report are based on figures returned by the survey respondents. For example, according to the report, "Our research showed that enterprises issue emergency patches five times per month on average, with each fix taking 13 hours to deploy. That’s 780 hours a year, which—multiplied by the $39.24 average hourly rate for a cybersecurity professional—incurs costs of $30,607 per year."
But since these are emergency patches, we can add an additional $19,900 in overtime and/or contractor costs: a total of $49,900 every year that could be all but eliminated by switching to an isolation model.
The cost of computer rebuilds comes from the cost of rebuilding compromised computers that detect-to-protect has failed to protect. "On average," says the report, "organizations rebuild 51 devices every month, with each taking four hours to rebuild—equating to 2,448 hours each year. When multiplied by the average hourly wage of a cybersecurity professional, $39.24, that’s an average cost of $96,059 per year."
All these costs would seem to be realistic for a detect-to-protect model. The implication is that a switch to the isolate model would save nearly $500,000 per year to offset the cost of isolation. But the report goes much further, and suggests that much of a colossal $16 million can also be saved every year by an organization with 2,000 employees that will no longer require incident triaging by the security team.
How? "Well," claims the report, "on average SOC teams triage 796 alerts per week, taking an average of 10 hours per alert—that’s 413,920 hours across the year. When you consider that the average hourly rate for a cybersecurity professional is $39.24, that’s an annual average cost of more than $16 million each year."
The math works. But an alternative way of looking at these figures is that 7,960 hours of triaging would take more than 47 employees doing nothing but triaging 24 hours a day, seven days a week. Frankly, I doubt if any company with 2,000 employees does anything near this amount of triaging. It is, I suggest, misleading to state bluntly (as the report does): "Organizations spend $16 million per year triaging alerts."
“Application isolation provides the last line of defense in the new security stack and is the only way to tame the spiraling labor costs that result from detection-based solutions,” says Gregory Webb, CEO at Bromium. “Application isolation allows malware to fully execute, because the application is hardware isolated, so the threat has nowhere to go and nothing to steal. This eliminates reimaging and rebuilds, as machines do not get owned. It also significantly reduces false positives, as SOC teams are only alerted to real threats. Emergency patching is not needed, as the applications are already protected in an isolated container. Triage time is drastically reduced because SOC teams can analyze the full kill chain.”
All of this is perfectly valid -- except for the $16 million annual detect-to-protect triaging claim. SecurityWeek has invited Bromium to comment on our concerns, and will update this article with any response.
Capable Luminosity RAT Apparently Killed in 2017
7.2.2018 securityweek Virus
The prevalence of the Luminosity remote access Trojan (RAT) is fading away after the malware was supposedly killed half a year ago, Palo Alto Networks says.
First seen in April 2015, Luminosity, also known as LuminosityLink, has seen broad use among cybercriminals, mainly due to its low price and long list of capabilities. Last year, Nigerian hackers used the RAT in attacks aimed at industrial firms.
Luminosity’s author might have claimed that the RAT was a legitimate tool, but its features told a different story: surveillance (remote desktop, webcam, and microphone), smart keylogger (record keystrokes, target specific programs, keylogger viewer), crypto-currency miner, distributed denial of service (DDoS) module.
Earlier this week, Europol’s European Cybercrime Centre (EC3) and the UK’s National Crime Agency (NCA) announced a law enforcement operation targeting sellers and users of the Luminosity Trojan, but Palo Alto says the threat appears to have died about half a year ago, long before this announcement.
The luminosity[.]link and luminosityvpn[.]com, domains associated with the malware, have been taken down as well. In fact, the sales of the RAT through luminosity[.]link ceased in July 2017, and customers started complaining about their licenses no longer working.
With Luminosity’s author, who goes by the online handle of KFC Watermelon, keeping a low profile and closing down sales, and with Nanocore RAT author arrested earlier, speculation emerged on the developer being arrested as well. It was also suggested that he might have handed over his customer list.
To date, however, no report of an arrest in the case of the Luminosity author has emerged, and Europol’s announcement focuses on the RAT’s users, without mentioning the developer. According to Palo Alto, this author (who also built Plasma RAT) lives in Kentucky, which would also explain his online handle.
The security firm collected over 43,000 unique Luminosity samples during the two years when the threat was being sold, and says that thousands of customers submitted samples for analysis.
To verify the legitimate use of the RAT, the command and control servers had to contact a licensing server. In July 2017, researchers observed a sharp drop in sales, with the licensing server going down, despite some samples still being seen. Palo Alto believes the RAT’s prevalence was likely fueled by cracked versions, as development had already stopped.
“Based on our analysis and the recent Europol announcement, it does seem though that LuminosityLink is indeed dead, and we await news of what has indeed happened to the author of this malware. In support of this, we have seen LuminosityLink prevalence drop significantly and we believe any remaining observable instances are likely due to cracked versions,” Palo Alto notes.
The researchers also note that, although some of the Luminosity’s features might be put to legitimate use, the “preponderance of questionable or outright illegitimate features discredit any claims to legitimacy” that the RAT’s author might have.
The Argument Against a Mobile Device Backdoor for Government
7.2.2018 securityweek Mobil
Just as the Scope of 'Responsible Encryption' is Vague, So Too Are the Technical Requirements Necessary to Achieve It
The 'responsible encryption' demanded by law enforcement and some politicians will not prevent criminals 'going dark'; will weaken cyber security for innocent Americans; and will have a hit on the U.S. economy. At the same time, there are existing legal methods for law enforcement to gain access to devices without requiring new legislation.
These are the conclusions of Riana Pfefferkorn, cryptography fellow at the Center for Internet and Society at the Stanford Law School in a paper published Tuesday titled, The Risks of “Responsible Encryption” (PDF).
One of the difficulties in commenting on government proposals for responsible encryption is that there are no proposals -- merely demands that it be introduced. Pfefferkorn consequently first analyzes the various comments of two particularly vocal proponents: U.S. Deputy Attorney General, Rod Rosenstein, and the current director of the FBI, Christopher Wray to understand what they, and other proponents, might be seeking.
Wray seems to prefer a voluntary undertaking from the technology sector. Rosenstein is looking for a federal legislative approach. Rosenstein seems primarily concerned with mobile device encryption. Wray is also concerned with access to encrypted mobile devices (and possibly other devices), but sees responsible encryption also covering messaging apps (but perhaps not other forms of data in transit).
Just as the scope of 'responsible encryption' is vague, so too are the technical requirements necessary to achieve it.
"The only technical requirement that both officials clearly want," concludes Pfefferkorn, "is a key-escrow model for exceptional access, though they differ on the specifics. Rosenstein seems to prefer that the provider store its own keys; Wray appears to prefer third-party key escrow."
The basic argument is that golden keys to devices and/or messaging apps should be maintained somewhere that law enforcement can access with a court order: that is, some form of key escrow. This is a slightly lesser ambition than that sought by government in the mid-1990s in the discussions between government (then, as now, not just in the U.S.) and technologists during what became known as the First Crypto War. At that time, government sought much wider control over encryption, and access to everyone's computer at chip level. New America published a history (PDF) of that era in 2015.
Rosenstein has argued that device and application manufacturers already have and use a form of key escrow to manage and perform software updates. The argument is that if they can do this for themselves, they can do it for government to prevent criminal communications from 'going dark'. Pfefferkorn, however, offers four arguments against this.
First, the scale is completely different. The software update key is known and used by only a very small number of internal and highly trusted staff, and then used only infrequently. But, suggests Pfefferkorn, "with law enforcement agencies from around the globe sending in requests to the manufacturer or third-party escrow agent at all hours (and expecting prompt turn-around), the decryption key would likely be called into use several times a day, every day. This, in turn, means the holder of the key would have to provide enough staff to comply expeditiously with all those demands."
Increased use of the key increases the risk of loss through human error or malfeasance (such as extortion or bribery) -- and the loss of that key could be catastrophic.
Second, attackers will seek to exploit the process through social engineering with spear-phishing attacks against the vendor's or escrow agent's employees; and it is generally only a matter of time before spear-phishing succeeds. The likelihood of spear-phishing succeeding will increase with the sheer volume of LEA demands received. The FBI has claimed that it had around 7,800 seized phones it could not unlock in the last fiscal year. These alone, not including any phones seized by the thousands of State and local law enforcement offices, would average at more than 20 key requests every day, making a spear-phishing attempt less obvious.
Third, it would harm the U.S. economy both through loss of market share at home and abroad (since security could not be guaranteed), and through the economic effect of ID and IP theft following the likely abuse of the system.
Finally, Pfefferkorn argues that access to devices through key escrow still won't necessarily provide access to communications or content if these are separately encrypted by the user. "If the user chooses a reasonable password for the app," she says, "then unlocking the phone will not do any good... In short, an exceptional-access mandate for devices will never be completely effective."
Pfefferkorn goes further by suggesting that there are already numerous ways in which LEAs can obtain information from mobile devices. If the device is locked with a biometric identifier, the police can compel its owner to unlock it (not so with a password lock). If it is synced with other devices or backed up to the cloud, then access may be easier from these other destinations. Law enforcement already claims wide-ranging powers under the Stored Communications Act to access stored communications and transactional records held by ISPs -- as seen in the long-running battle between Microsoft and the government.
Metadata is another source of legal information. This can be gleaned from message headers, while cell towers can provide location and journey tracking. Far more metadata is likely to become available through the internet of things.
Finally, there are forensics and 'government hacking' opportunities. In early 2016 the FBI asked, and then got a court order, for Apple to provide access to the locked iPhone of Syed Rizwan Farook, known as the San Bernardino Shooter. Apple declined -- but either through contract hackers or a forensics company such as Cellebrite, the FBI eventually succeeded without help from Apple. "The success of tools such as Cellebrite’s in circumventing device encryption," says Pfefferkorn, "stands as a counterpoint to federal officials’ asserted need to require device vendors by law to weaken their own encryption."
Pfefferkorn's opinion in the ongoing argument for law enforcement to be granted an 'exceptional-access' mandate is clear: "It would be unwise."
Automated Hacking Tool Autosploit Cause Concerns Over Mass Exploitation
7.2.2018 securityaffairs Exploit
The Autosploit hacking tool was developed aiming to automate the compromising of remote hosts both by collecting automatically targets as well as by using Shodan.io API.
Users can define its platform search queries like Apache, IIS and so forth to gather targets to be attacked. After gathering the targets, the tool uses Metasploit modules of its exploit component to compromise the hosts.
The Metasploit modules to be used will depend on the comparison of the name of the module and the query search. The developer also added a type of attack where all modules can be used at once. As the author noticed, Metasploit modules were added with the intent of enabling Remote Code Execution as well as gaining Reverse TCP Shell or Meterpreter Sessions.
There are different opinions about the release of the tool by experts. As noticed by Bob Noel, Director of Strategic Relationships and Marketing at Plixer:
“AutoSploit doesn’t introduce anything new in terms of malicious code or attack vectors. What it does present is an opportunity for those who are less technically adept to use this tool to cause substantial damage. Once initiated by a person, the script automates and couples the process of finding vulnerable devices and attacking them. The compromised devices can be used to hack Internet entities, mine cryptocurrencies, or be recruited into a botnet for DDoS attacks. The release of tools like these exponentially expands the threat landscape by allowing a wider group of hackers to launch global attacks at will”.
On the other hand, Chris Roberts, chief security architect at Acalvio states:
” The kids are not more dangerous. They already were dangerous. We’ve simply given them a newer, simpler, shinier way to exploit everything that’s broken. Maybe we should fix the ROOT problem”.
The recent revelation that adult sex toys can be accessed remotely by hackers using Shodan is a scenario where the tool can represent a great and grave danger.
The risks and dangers looming around always existed. The release of the tool is not a new attack vector itself according to Gavin Millard, Technical Director at Tenable:
“Most organizations should have a process in place for measuring their cyber risk and identifying issues that could be easily leveraged by automated tools. For those that don’t, this would be an ideal time to understand where those exposures are and address them before a curious kid pops a web server and causes havoc with a couple of commands”.
A recommendation is given by Jason Garbis, VP at Cyxtera: ” In order to protect themselves, organizations need to get a clear, accurate, and up-to-date picture of every service they expose to the Internet. Security teams must combine internal tools with external systems like Shodan to ensure they’re aware of all their points of exposure”.
Hackers can remotely access adult sex toys compromising at least 50.000 users
7.2.2018 securityaffairs Hacking
Researchers discovered that sex toys from German company Amor Gummiwaren GmbH and its cloud platform are affected by critical security flaws.
As a result for Master Thesis by Werner Schober in cooperation with SEC Consult and the University of Applied Sciences St. Pölten, it was discovered that sex toys from German company Amor Gummiwaren GmbH and its cloud platform are affected by critical security flaws.
In an astonishing revelation, multiple vulnerabilities were discovered in “Vibratissimo” secy toys and in its cloud platform that compromised not only the privacy and data protection but also physical safety of owners.
The database pertaining all customers data was accessible via internet in such a way that explicit images, chat logs, sexual orientation, email addresses and passwords in clear text were compromised.
A total lack of security measures had caused the enumeration of all explicit images of users compromising their identities due to the utilization of predictable numbers and absence of authorization verification. Hackers could even give pleasure to users without their consent using the internet or standing nearby the address within the range of Bluetooth. These are only a few dangers users are exposed once connected to the world of the Internet of Things (IoT).
The Internet of Things (IoT) is a technology that comprises a myriad of devices connected to the internet and has evolved in such way that is present in many products used in a daily basis, from cars to home utilities. Once taking this into account we see the arising of a new sub-category within the Internet of Things (IoT) named Internet of Dildos (IoD). The Internet of Dildos (IoD) comprehends every device connected to networks that give mankind pleasure. According to the article, the term from 1975 given to this area of research is the following: “Teledildonics (also known as “cyberdildonics”) is technology for remote sex (or, at least, remote mutual masturbation), where tactile sensations are communicated over a data link between the participants”.
The products from Amor Gummiwaren GmbH that are vulnerable are the following: Vibratissimo Panty Buster, MagicMotion Flamingo, and Realov Lydia. The analysis of researchers focused on Vibratissimo Panty Buster. The panty buster is a sex toy that can be controlled remotely with mobile applications (Android, iOS), but the mobile application, the backend server, hardware, and firmware are developed by third-party company. The application presents many interactive features that enable extensive communication and sharing capabilities, in such a manner that creates a social network where users can expand their experience. Some features are: Search for other users, the creation of friends lists, video chat, message board and sharing of image galleries that can be stored across its social network.
The vulnerabilities found were: Customer Database Credential Disclosure, Exposed administrative interfaces on the internet, Cleartext Storage of Passwords, Unauthenticated Bluetooth LE Connections, Insufficient Authentication Mechanism, Insecure Direct Object Reference, Missing Authentication in Remote Control and Reflected Cross-Site Scripting. As we start taking a glimpse at the vulnerabilities discovered we can consider the following: All credentials of Vibratissimo database environment were leaked on the internet, alongside with the PHPMyAdmin interface that can have allowed hackers to access the database and dump all content.
The PHPMyAdmin interface was accessible throughout the URL http://www.vibratissimo.com/phpmyadmin/ with the stored passwords without encryption in clear text format. The content pertained to the database might have the following data: Usernames, Session Tokens, Cleartext passwords, chat histories and explicit image galleries created by the users themselves. The DS_STORE file and config.ini.php was found on the web server of Vibratissimo in such way that hackers could exploit attack vector like directory listing and discover the operating system which in this case is a MAC OSX.
Also, as disclosed by the researchers, there are great dangers to users in the remote control of the vibrator. The first is related to the connection between the Bluetooth LE of the vibrator and the smartphone application that could lead to eavesdropping, replay and MitM attacks. Although the equipment offers several pairing methods the most dangerous is “no pairing” as noted in the report. This method can allow hackers to search for information on the device as well as write data. If a hacker is in range, he could take control of the device. Also, a man in the middle attack is possible due to the lack of authentication, where a hacker can create a link for itself and then decrement or increment the ID to get direct access to the link used by the person. Due to the lack of authentication, a reflected cross-site scripting is also possible, but as noticed by the researchers it is not as dangerous as the other security issues.
Last but not least the researchers recommend a complete update in the software and mobile application used by the devices. It is highly recommended for all users to change their login information as well as their passwords for greater protection. Not all security flaws were addressed and corrected, therefore there are some dangers loaming around that can be exploited by tools like Shodan and autosploit. It is a social security concern these vulnerabilities since they pose a grave danger to user’s reputation, that can lead to suicide.