FCC Just Killed Net Neutrality—What Does This Mean? What Next?
17.12.2017 thehackernews  IT
Net neutrality is DEAD—3 out of 5 federal regulators voted Thursday to hand control of the future of the Internet to cable and telecommunication companies, giving them powers to speed up service for websites they favor or slow down others.
As proposed this summer, the US Federal Communications Commission (FCC) has rolled back Net Neutrality rules that require Internet Service Providers (ISPs) to treat all services and websites on the Internet equally and prohibit them from blocking sites or charging for higher-quality service.
This action repeals the FCC's 2015 Open Internet Order decision taken during the Obama administration.
What is Net Neutrality and Why Is It Important?
Net Neutrality is simply Internet Freedom—Free, Fast and Open Internet for all.
In other words, Net Neutrality is the principle that requires ISPs to give consumers access to all content on an equal basis, treating all Internet traffic equally.
Today, if there's something that makes everyone across the world 'Equal,' it is the Internet.
Equality over the Internet means that all ISPs have to treat major websites like Facebook and Google the same way as someone's local shop website, and that the wealthiest man in the world has the same right to access the Internet as the poorest.
This is what "Net Neutrality" aims at.
Here's Why the FCC Repeals Net Neutrality Rules
The FCC Chairman for the Trump administration, Ajit Pai, who has openly expressed his views against net neutrality, was previously quoted as saying that Net Neutrality was "a mistake."
Pai has previously argued that the 2015 regulations had discouraged internet providers from investing in their networks, as well as slowed the expansion of internet access.
On Thursday, the FCC's two Democrats voted against repealing Net Neutrality, and the three Republican members, Chairman Pai, Commissioner Brendan Carr, and Commissioner Mike O'Rielly, voted to overturn the protections put in place in 2015.
Here's what the three Republicans said in their remarks about their decision to repeal Net Neutrality:
"Prior to the FCC's 2015 decision, consumers and innovators alike benefitted from a free and open internet. This is not because the government imposed utility-style regulation. It didn't. This is not because the FCC had a rule regulating internet conduct. It had none. Instead through Republican and Democratic administrations alike, including the first six years of the Obama administration, the FCC abided by a 20-year bipartisan consensus that the government should not control or heavily regulate internet access," said Commissioner Carr.
"I sincerely doubt that legitimate businesses are willing to subject themselves to a PR nightmare for attempting to engage in blocking, throttling, or improper discrimination. It is simply not worth the reputational cost and potential loss of business," said Commissioner O'Rielly.
"How does a company decide to restrict someone's accounts or block their tweets because it thinks their views are inflammatory or wrong? How does a company decide to demonetize videos from political advocates without any notice?...You don't have any insight into any of these decisions, and neither do I, but these are very real actual threats to an open internet," said Chairman Pai.
Here's How the Internet & Tech Firms Reacted
The response from the tech industry was swift and loud and predictable. The industry isn't happy with what is turning out to be the Trump administration's biggest regulatory move yet.
"We are incredibly disappointed that the FCC voted this morning – along partisan lines – to remove protections for the open internet. This is the result of broken processes, broken politics, and broken policies. As we have said over and over, we'll keep fighting for the open internet, and hope that politicians decide to protect their constituents rather than increase the power of ISPs," Mozilla said in a statement.
"Today's decision from the Federal Communications Commission to end net neutrality is disappointing and harmful. An open internet is critical for new ideas and economic opportunity – and internet providers shouldn't be able to decide what people can see online or charge more for certain websites," Sheryl Sandberg said, Chief Operating Officer of Facebook.
"We're disappointed in the decision to gut #NetNeutrality protections that ushered in an unprecedented era of innovation, creativity & civic engagement. This is the beginning of a longer legal battle. Netflix stands w/ innovators, large & small, to oppose this misguided FCC order," Netflix tweeted.
Obviously, Internet providers are more likely to strike valuable deals with large, established services and websites than relatively unknown companies or startups, which will be hit hardest by the repeal.
Unsurprisingly, ISPs including Comcast, Verizon, and AT&T have welcomed the new rules, saying they will not block or throttle any legal content but may engage in paid prioritization.
Since the commission will take a few weeks to make final adjustments to the new rules, you will not see any change right away.
What Next? Can Net Neutrality Be Saved?
Obviously, the decision cannot be reversed overnight.
Reportedly, attorneys general from across the country and consumer advocacy groups are considering suing the FCC in an attempt to reverse Thursday's repeal of net neutrality rules.
To overturn the FCC's order, critics and internet activists are also going to push for Congress to step in and pass a resolution of disapproval using the Congressional Review Act.
"This fight isn't over. With our allies and our users, we will turn to Congress and the courts to fix the broken policies," Mozilla said.
"We're ready to work with members of Congress and others to help make the internet free and open for everyone," Sheryl Sandberg said.
"We will continue our fight to defend the open Internet and reverse this misguided decision," Twitter said.
The FCC's repeal of net neutrality will take effect 60 days after publication in the Federal Register, which doesn't happen immediately and could take six weeks or even more after the FCC vote.
Once it takes effect, the repeal will return everything to the state it was in before 2015.


19 Million California Voter records held for ransom attack on a MongoDB instance
16.12.2017 securityaffairs Ransomware

Voter registration data for more than 19 million California residents stored in an unsecured MongoDB instance has been deleted and held for ransom.
Voter registration data for more than 19 million California residents that was stored in an unsecured MongoDB database has been deleted and held for ransom by attackers.

The incident was discovered by researchers at Kromtech; it is the latest in a long string of ransom attacks targeting unsecured MongoDB databases.

“In early December Kromtech security researchers discovered an unprotected instance of MongoDB database that appear to have contained voter data. The database named ‘cool_db’ contained two collections and was available for anybody with Internet connection to view and/or edit.

One was a manually crafted set of voter registration data for a local district and the other appeared to contain the entire state of California with 19,264,123 records, all open for public access.” reported Kromtech.

“According to the LA Times, California had 18.2 million registered voters in 2016, so this would logically be a complete list of their records.”

The attack sequence is similar to other such hacks: the attacker scanned the Internet for unsecured MongoDB databases, found this one containing the voter data, wiped the data and left a ransom request for 0.2 Bitcoin ($3,582 US at the current price).
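The exposure behind this attack is a server-side misconfiguration, not an exploit: a mongod listening on every interface with authorization switched off. The following audit script is an added example, not Kromtech's or MongoDB's own tooling; the two configuration files are constructed, one weak and one hardened, and the small parser handles only the YAML subset mongod.conf uses so the script runs without PyYAML. The option names it checks (net.bindIp, net.bindIpAll, security.authorization) are real mongod settings.

```python
"""Audit a mongod.conf for the exposure that enabled the ransom attack:
a MongoDB instance listening on every interface with authorization off.

Added example, not Kromtech's or MongoDB's own tooling. The two configs
below are constructed. mongod.conf is YAML; the parser here handles the
subset the file uses (nested mappings, scalar values, '#' comments) so the
script runs without PyYAML.
"""

# Constructed: the kind of config that leaves an instance open to anyone
WEAK_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 0.0.0.0   # listens on every interface
# no security section: authorization defaults to disabled
"""

# Constructed: same service, reachable only locally and with auth required
HARDENED_CONF = """\
storage:
  dbPath: /var/lib/mongodb
net:
  port: 27017
  bindIp: 127.0.0.1
security:
  authorization: enabled
"""


def parse_conf(text):
    """Parse indentation-nested `key: value` lines into nested dicts."""
    root = {}
    stack = [(-1, root)]  # (indent level, mapping being filled)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, _, value = line.strip().partition(":")
        value = value.strip().strip("'\"")
        while stack[-1][0] >= indent:  # close mappings nested deeper
            stack.pop()
        parent = stack[-1][1]
        if value == "":
            child = {}
            parent[key] = child
            stack.append((indent, child))
        else:
            parent[key] = value
    return root


def audit(conf):
    """Return findings; an empty list means no exposure issue was found."""
    findings = []
    net = conf.get("net", {})
    security = conf.get("security", {})

    if "bindIp" not in net and "bindIpAll" not in net:
        # mongod 3.6 defaults to localhost, but earlier releases bound to
        # all interfaces, so an unset bindIp deserves a warning on its own
        findings.append("WARN net.bindIp unset: pre-3.6 mongod binds all interfaces")
    bind_all = str(net.get("bindIpAll", "false")).lower() == "true"
    addrs = [a.strip() for a in net.get("bindIp", "").split(",") if a.strip()]
    exposed = bind_all or any(a in ("0.0.0.0", "::") for a in addrs)
    if exposed:
        findings.append("HIGH net: mongod listens on all interfaces")

    auth_on = security.get("authorization", "disabled").lower() == "enabled"
    if not auth_on:
        findings.append("HIGH security.authorization: not enabled")
    if exposed and not auth_on:
        findings.append("CRITICAL: unauthenticated MongoDB reachable from the network")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit(parse_conf(text)) or ["ok"])
```

The weak config yields two HIGH findings plus the CRITICAL combination; the hardened one yields nothing. Binding to localhost and enabling authorization together are what remove the instance from the population that internet-wide scans for open MongoDB servers find.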

Kromtech researchers were not able to identify the owner of the database because the crooks had deleted its content; they could only analyze statistics and a few sample records extracted from the database shortly before it was wiped.


It is impossible to determine if the attacker made a copy of the data before wiping the MongoDB database or if other hacker groups found and made a copy of the voter registration database before it was deleted.

“It is unclear who exactly compiled the database in question or the ownership, but researchers believe that this could have been a political action committee or a specific campaign based on the unofficial title of the repository (“cool_db”), but this is only a suspicion. Political firms assist campaigns in building voter profiles. This information of California voters is governed by state law that dictates what kind of information can be released, and for what purposes.” states Kromtech.

In June, security firm UpGuard found an Amazon S3 bucket containing the details of 198 million US voters.

Once in the hands of crooks, voter data could end up for sale on the Dark Web: in June 2016 a seller using the pseudonym ‘DataDirect’ offered US voters’ registration records on the darknet marketplace “The Real Deal.”


Back to the case of the California Voter registration archive, Bob Diachenko, head of communications, Kromtech Security Center said:

“This is a massive amount of data and a wake up call for millions citizens of California who have done nothing more than fulfil the civic duty to vote. This discovery highlights how a simple human error of failing to enact the basic security measures can result in a serious risk to stored data. The MongoDB was left publically available and was later discovered by cyber criminals who seemed to steal the data, which origin is still unknown.”

If you are curious, like me, take a look at the transactions for the wallet in the ransom note and see if someone has paid 😉
https://blockchain.info/address/1EPA6qXtthvmp5kU82q8zTNkFfvUknsShS


Triton malware was developed by Iran and used to target Saudi Arabia
16.12.2017 securityaffairs APT  ICS

CyberX who analyzed samples of the Triton malware believes it was likely developed by Iran and used to target an organization in Saudi Arabia.
Security experts from FireEye and Dragos reported this week the discovery of a new strain of malware dubbed Triton (aka Trisis), specifically designed to target industrial control systems (ICS).

Both FireEye and Dragos would not attribute the Triton malware to a specific threat actor.

The Triton malware has been used in attacks aimed at an unnamed critical infrastructure organization in the Middle East, where it caused a shutdown.

“Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes.” reads the analysis published by FireEye.

“We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.”


According to a report published by the ICS cyber security firm Dragos, which tracks the threat as “TRISIS”, the victim was an industrial asset owner in the Middle East.

The Triton malware is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

TRITON communicates using the proprietary TriStation protocol, which is not publicly documented; this implies that the attackers reverse engineered the protocol to carry out the attack.

Now, security experts at CyberX who analyzed samples of the malware provided further details on the attack, revealing that Triton was likely developed by Iran and used to target an organization in Saudi Arabia.

Iranian hackers are becoming even more aggressive, but experts have consistently noted that they are not particularly sophisticated.

In October, the OilRig gang was spotted using a new Trojan in attacks aimed at targets in the Middle East.

OilRig is just one of the Iran-linked hacker crews, other groups tracked by security experts are APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), Charming Kitten (aka Newscaster and NewsBeef) and CopyKittens.

In February, researchers at Palo Alto Networks discovered a new cyber espionage campaign linked to Iran that targeted several organizations in the Middle East.

The espionage campaign, dubbed Magic Hound, dates back to at least mid-2016. Hackers targeted organizations in the energy, government, and technology industries; all the targets are located in or have an interest in Saudi Arabia.

Iran was responsible for destructive attacks on Saudi Aramco systems in 2012, and now CyberX is attributing the Triton malware to the Government of Teheran.

According to the experts, the shutdown was likely an accident during the reconnaissance phase conducted by the threat actors, whose final goal was sabotage.

Schneider Electric is investigating the attack to discover if the threat actors exploited any vulnerability in the Triconex product.

Schneider published a security advisory to warn its customers; it suggests not leaving the front panel key switch in “Program” mode when the controller is not being configured, because the malicious code can only deliver its payload if the key switch is set to this mode.

“Schneider Electric is aware of a directed incident targeting a single customer’s Triconex Tricon safety shutdown system. We are working closely with our customer, independent cybersecurity organizations and ICSCERT to investigate and mitigate the risks of this type of attack.” reads the security advisory.

“The modules of this malware are designed to disrupt Triconex safety controllers, which are used widely in critical infrastructure. The malware requires the keyswitch to be in the “PROGRAM” mode in order to deliver its payload. Among others, the reported malware has the capability to scan and map the industrial control system environment to provide reconnaissance and issue commands directly to Tricon safety controllers.”

According to Phil Neray, VP of Industrial Cybersecurity for CyberX, OT environments are ‘vulnerable by design’, and for this reason they are a privileged target for hackers, who could use them as an entry point into industrial environments.

“I think it’s a little comical that Schneider Electric felt obliged to state that the attack did not leverage any vulnerabilities in the Tritex product,” Phil Neray told SecurityWeek. “OT environments are ‘vulnerable by design’ because they lack many of the controls we now take for granted in IT networks such as strong authentication. As a result, once an attacker gets into the OT network — by stealing credentials or connecting an infected laptop or USB, for example — they have almost free reign to connect to any control device they choose, and then reprogram them with malicious ladder logic to cause unsafe conditions. Based on the FireEye report, this appears to be exactly what the TRITON attackers did, similar to the way Industroyer modified ABB configuration files to perform its attack on the Ukrainian grid.”


Lazarus APT Group targets a London cryptocurrency company
16.12.2017 securityaffairs APT

Security experts from Secureworks revealed the Lazarus APT group launched a spearphishing campaign against a London cryptocurrency company.
The dreaded Lazarus APT group is back and launched a spearphishing campaign against a London cryptocurrency company to steal employee credentials.

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems. Security researchers discovered that the North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was behind other large-scale cyber espionage campaigns against targets worldwide, including Operation Troy, Operation DarkSeoul, and the Sony Pictures hack.

Many experts believe the WannaCry ransomware was developed by the Lazarus Group due to similarities in the attack code. The UK Government also linked the WannaCry attack that crippled the NHS to North Korea.

Lazarus targets Bitcoin company

According to the experts at Secureworks, the Lazarus APT group is behind a targeted email campaign aiming to trick victims into clicking on a compromised link for a job opening for a chief financial officer role at a London cryptocurrency company.
“Those who clicked on the hiring link were infected by malicious code from an attached document in the email that installed software to take remote control of a victim’s device, allowing hackers to download further malware or steal data.” reported Reuters.

“This malware shares technical links with former campaigns staged by the mysterious cybercrime group Lazarus, which Secureworks has labeled “Nickel Academy”. Secureworks did not say whether anyone who received the email actually clicked on the link.”

Researchers found many similarities between the TTPs (tactics, techniques, and procedures) observed in this attack and those of previous attacks attributed to the Lazarus APT group.

“The so-called “spearphishing” attempt appears to have been delivered on October 25, but initial activity was observed by Secureworks researchers dating back to 2016. The researchers said in a statement they believe the efforts to steal credentials are still on-going.” reported Reuters.

“Recent intrusions into several bitcoin exchanges in South Korea have been tentatively attributed to North Korea, it said.”

Secureworks found evidence dating back to 2013 of North Korean interest in bitcoin, when multiple usernames originating from computers using North Korean internet addresses were found researching bitcoin.

The same internet addresses were linked to previous North Korean operations.

The researchers believe the Lazarus phishing campaign is still ongoing and are warning of its potential effects.

“Given the current rise in bitcoin prices, CTU suspects that North Korea’s interest in cryptocurrency remains high and (it) is likely continuing its activities surrounding the cryptocurrency,” Secureworks said in a statement to Reuters.

Secureworks announced the publishing of a detailed report.


Avast open-sources its Machine-Code Decompiler (RetDec) to fight malware
16.12.2017 securityaffairs Hacker techniques

RetDec is the retargetable machine-code decompiler released as open source by the anti-malware firm Avast to boost the fight against malicious code.
The anti-malware company Avast announced the release of its retargetable machine-code decompiler (RetDec) as open source in an effort to boost the fight against malicious code.

RetDec, short for Retargetable Decompiler, was originally created as a joint project by the Faculty of Information Technology of the Brno University of Technology and AVG Technologies. Avast acquired AVG Technologies in 2016.

RetDec is now available to anyone on GitHub under the MIT license, which means that security experts can modify its source code and redistribute it.

RetDec is a retargetable machine-code decompiler based on LLVM that can be used by experts to perform platform-independent analysis of executable files.

Avast decided to open-source the Retargetable Decompiler to provide “a generic tool to transform platform-specific code, such as x86/PE executable files, into a higher form of representation, such as C source code.”

The utility includes support for multiple platforms, different architectures, file formats, and compilers.

“The decompiler is not limited to any particular target architecture, operating system, or executable file format:

Supported file formats: ELF, PE, Mach-O, COFF, AR (archive), Intel HEX, and raw machine code.
Supported architectures (32b only): Intel x86, ARM, MIPS, PIC32, and PowerPC.”
The tool currently supports only Windows (7 or later) and Linux, but pre-built packages are available only for Windows.


RetDec features are:

Static analysis of executable files with detailed information.
Compiler and packer detection.
Loading and instruction decoding.
Signature-based removal of statically linked library code.
Extraction and utilization of debugging information (DWARF, PDB).
Reconstruction of instruction idioms.
Detection and reconstruction of C++ class hierarchies (RTTI, vtables).
Demangling of symbols from C++ binaries (GCC, MSVC, Borland).
Reconstruction of functions, types, and high-level constructs.
Integrated disassembler.
Output in two high-level languages: C and a Python-like language.
Generation of call graphs, control-flow graphs, and various statistics.
Courtesy of an IDA (Interactive Disassembler) plugin, the utility is able to decompile files directly from the IDA disassembler.

RetDec is a powerful utility that optimizes the reconstruction of original source code “by using a large set of supported architectures and file formats, as well as in-house heuristics and algorithms to decode and reconstruct applications.”

Avast also provides a web service for in-browser decompilation, an IDA plugin and a REST API that allows the creation of apps that interact with RetDec through HTTP requests.

The decompiler can be used via the API through retdec-python.


US Military wants cyber warriors along with soldiers on the Battlefield
16.12.2017 securityaffairs BigBrothers

Cyber warriors and soldiers will fight together on the battlefield: the US Army will soon send its cyber experts to support conventional forces.
The news was reported by officials this week, and it confirms the strategic importance of information warfare in the modern military. Cyber warriors will be engaged in offensive operations against enemy computer networks.

The Army is investing in cyber capabilities, training a new generation of cyber soldiers at a huge center in southern California.

According to Colonel Robert Ryan, who commands a Hawaii-based combat team, while the Army’s mission is generally to “attack and destroy,” the cyber troops will have a different and crucial role in the battle.

“Not everything is destroy. How can I influence by non-kinetic means? How can I reach up and create confusion and gain control?” he explained.

The involvement of cyber troops in military operations is not a novelty; cyber warriors have been integrated into infantry units for six months. Colonel William Hartman of the Army’s Cyber Command added that they will tailor operations according to commanders’ needs.

Hartman didn’t reveal details on the cyber operations that will be assigned to cyber soldiers; he only said that they would be involved in information gathering and intelligence.

In August, President Donald Trump ordered the US Military to create a separate cyber warfare command tasked with cyber warfare operations.

The President envisioned a separate command specialized in electronic and online offensive and defensive operations.

“This new Unified Combatant Command will strengthen our cyberspace operations and create more opportunities to improve our nation’s defense,” Trump said in a statement.

“The elevation of United States Cyber Command demonstrates our increased resolve against cyberspace threats and will help reassure our allies and partners and deter our adversaries.”

US cyber warriors have also been involved in counter-terrorism operations: according to the New York Times, CYBERCOM conducted missions to infiltrate and spy on Islamic State group networks. In some cases, the cyber troops altered commanders’ messages so they unwittingly directed ISIS militants to areas likely to be hit by drone or plane strikes.


The cybersecurity firm Fox-IT disclosed a security breach that affected its infrastructure
16.12.2017 securityaffairs Hacking

Fox-IT disclosed a security breach that affected its infrastructure and demonstrated how to manage such an incident in an outstanding way.
The cybersecurity firm Fox-IT, one of the top security companies, currently owned by the UK giant NCC Group, disclosed a security breach that affected its infrastructure. According to the firm, on September 19 an unknown attacker carried out a Man-in-the-Middle (MitM) attack and spied on a limited number of customers.

“It’s become a widely accepted mantra that experiencing a cyber breach is a question of ‘when’ and not ‘if’. For Fox-IT ‘if’ became ‘when’ on Tuesday, September 19 2017, when we fell victim to a “Man-in-the-Middle” attack.” reads the security breach disclosure published by the company.

According to Fox-IT, the attackers hijacked the company’s domain name for 10 hours and 24 minutes and obtained an SSL certificate in Fox-IT’s name.

The hackers redirected the domain to a private VPS server under their control in order to mount a MitM attack. From this position the attackers were able to receive traffic intended for the Fox-IT domain, use the SSL certificate to read the content of HTTPS connections, and then forward the traffic to the actual Fox-IT server.

According to Fox-IT, the attackers only targeted the ClientPortal website, intercepting its traffic. Hackers could access any information sent to the Client Portal, including login attempts, credentials and files.

“the attacker was able to redirect inbound traffic to ClientPortal and emails going to the fox-it.com domain for a short period of time. At no stage did they have access to any external or internal Fox-IT system, or indeed system level access to our ClientPortal.” continues the breach notification.

Fox-IT promptly detected the domain hijacking and MitM attack after just 5 hours and disabled the 2FA login process as a mitigation measure. The hackers intercepted credentials for only 9 users and a total of 12 files; none of the files were marked as “secret” or contained sensitive information.

In response to the incident, Fox-IT notified affected customers, reset the intercepted passwords, and reported the incident to Dutch law enforcement.

Below is a detailed timeline of the cyber attack:

Sept 16 2017 First reconnaissance activities against our infrastructure that we believe are attributable to the attacker. These included regular port scans, vulnerability scans and other scanning activities.
Sept 19 2017, 00:38 The attacker changed DNS records for fox-it.com domain at a third party provider.
Sept 19 2017, 02:02 Latest moment in time that we have been able to determine that clientportal.fox-it.com still pointed to our legitimate ClientPortal server. This means that traffic destined for the ClientPortal was not being intercepted yet.
Sept 19 2017, 02:05-02:15 Maximum 10-minute time window during which the attacker temporarily rerouted and intercepted Fox-IT email for the specific purpose of proving that they owned our domain in the process of fraudulently registering an SSL certificate for our ClientPortal.
Sept 19 2017, 02:21 The actual MitM against our ClientPortal starts. At this point, the fraudulent SSL certificate for ClientPortal was in place and the IP DNS record for clientportal.fox-it.com was changed to point to a VPS provider abroad.
Sept 19 2017, 07:25 We determined that our name servers for the fox-it.com domain had been redirected and that this change was not authorized. We changed the DNS settings back to our own name servers and changed the password to the account at our domain registrar. This change will have taken time to have full effect, due to caching and the distributed nature of the domain name system.
Sept 19 2017, 12:45 We disabled the second factor authentication for our ClientPortal login authentication system (text messages), effectively preventing users of ClientPortal from successfully logging in and having their traffic intercepted. Other than that, we kept ClientPortal functional in order not to disclose to the attacker that we knew what they were doing, and to give ourselves more time to investigate. At this point, the MitM against ClientPortal was still active technically, but would no longer receive traffic to intercept as users would not be able to perform two factor authentication and log in.

Sept 19 – Sept 20 2017 A full investigation into the incident was undertaken, along with notification of all clients that had files intercepted and the relevant authorities, including the Dutch Data Protection Authority. A police investigation was launched and is still ongoing. Based on the outcome of our investigation, we understood the scope of the incident, we knew that the attack was fully countered and we were prepared to re-enable two factor authentication on ClientPortal in order to make it fully functional again.
Sept 20, 15:38 ClientPortal fully functional again. Our internal investigation into the incident continued.
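Two signals in the timeline were observable from the outside well before the 07:25 discovery: the NS delegation for the domain changed at the registrar at 00:38, and a certificate for the portal that Fox-IT never requested was issued around 02:15. The script below is an added example, not Fox-IT's own tooling, showing a baseline check over both signals plus Certificate Transparency entries. All hostnames, addresses, fingerprints and CT entries are constructed, with example.com standing in for the real domain; in production the observations would come from DNS queries, a TLS handshake to the host and a CT log monitor.

```python
"""Baseline checks for the two signals in the Fox-IT timeline: a change of
the domain's NS delegation and host A records, and a certificate for the
host that the organisation never requested.

Added example, not Fox-IT's tooling. Every hostname, IP, fingerprint and
CT entry below is constructed; example.com stands in for the real domain.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    domain: str
    nameservers: frozenset   # authoritative NS set registered by us
    a_records: dict          # hostname -> expected IPv4 address
    cert_sha256: dict        # hostname -> set of fingerprints we issued


@dataclass(frozen=True)
class Observation:
    nameservers: frozenset   # NS set as currently published
    a_records: dict          # hostname -> address a public resolver returns
    served_cert_sha256: dict # hostname -> fingerprint presented on TLS
    ct_entries: tuple        # (hostname, fingerprint) pairs seen in CT logs


def check(baseline, obs):
    """Return alerts; an empty list means DNS and TLS match the baseline."""
    alerts = []
    if obs.nameservers != baseline.nameservers:
        alerts.append(f"NS delegation for {baseline.domain} changed: "
                      f"{sorted(obs.nameservers)}")
    for host, expected in baseline.a_records.items():
        seen = obs.a_records.get(host)
        if seen != expected:
            alerts.append(f"A record for {host} changed: {expected} -> {seen}")
    for host, known in baseline.cert_sha256.items():
        seen = obs.served_cert_sha256.get(host)
        if seen is not None and seen not in known:
            alerts.append(f"{host} serves an unknown certificate {seen[:12]}...")
    # CT catches a fraudulently issued certificate even before it is served,
    # regardless of how the issuer's domain validation was passed
    for host, fp in obs.ct_entries:
        if host in baseline.cert_sha256 and fp not in baseline.cert_sha256[host]:
            alerts.append(f"CT log shows a certificate for {host} we did not "
                          f"request ({fp[:12]}...)")
    return alerts


# Constructed baseline and snapshots (RFC 5737 documentation addresses)
PORTAL = "clientportal.example.com"
OUR_NS = frozenset({"ns1.example.com", "ns2.example.com"})
OUR_CERT = "a1" * 32     # constructed SHA-256 fingerprint of our leaf cert
ROGUE_CERT = "b2" * 32   # constructed fingerprint of the fraudulent cert

BASELINE = Baseline("example.com", OUR_NS,
                    {PORTAL: "198.51.100.10"}, {PORTAL: {OUR_CERT}})

NORMAL = Observation(OUR_NS, {PORTAL: "198.51.100.10"},
                     {PORTAL: OUR_CERT}, ((PORTAL, OUR_CERT),))

# Mirrors the 02:21 state in the timeline: delegation moved to a third
# party, the portal resolves to a foreign VPS, and that VPS presents a
# freshly issued certificate that has also been logged to CT.
HIJACKED = Observation(
    frozenset({"ns1.third-party.example", "ns2.third-party.example"}),
    {PORTAL: "203.0.113.77"},
    {PORTAL: ROGUE_CERT},
    ((PORTAL, OUR_CERT), (PORTAL, ROGUE_CERT)),
)


if __name__ == "__main__":
    print("normal:", check(BASELINE, NORMAL) or ["ok"])
    for alert in check(BASELINE, HIJACKED):
        print("hijacked:", alert)
```

Run against the hijacked snapshot the check returns four alerts (delegation, A record, served certificate, CT entry) and none for the normal one. Polled every few minutes, the NS comparison alone would have fired shortly after the 00:38 change, and a registrar account protected by its own second factor would have made that change harder to make in the first place.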


Germany – Court rules against foreign intelligence agency (BND) surveillance
16.12.2017 securityaffairs BigBrothers

According to a German court, the BND must not store the metadata of international phone calls for the purpose of intelligence analysis.
Just a week ago, we discussed the German Government's preparation of a law that would force hardware vendors to include a backdoor in their products and allow its unit to hack back; now a German court has ruled against foreign intelligence mass communication surveillance.

According to the court, the German foreign intelligence agency (BND) must not store the metadata of international phone calls for the purpose of intelligence analysis.

In April 2016, the German government replaced the head of the external intelligence service after a barrage of criticism over the support offered by the Bundesnachrichtendienst (BND) to the NSA in spying activities on European targets.

In June 2016, the government of Berlin approved new measures to rein in the activities of BND agency after its scandalous support to NSA surveillance activity.

In June 2015, Wikileaks released another collection of documents on the extended economic espionage activity conducted by the NSA in Germany. The spies were particularly interested in the Greek debt crisis. US intelligence targeted German government representatives due to their privileged position in the negotiations between Greece and the EU.

Germany had reacted with outrage when Snowden leaked documents demonstrating the surveillance activity; in response, Chancellor Merkel proposed the establishment of an external watchdog panel of jurists to evaluate the activities of the intelligence agency.

“Spying on friends is not on at all” said the Chancellor Merkel at the time.

“Surveillance is a sensitive issue in Germany after the abuses by the Gestapo during the Nazi era and the Stasi in Communist East Germany during the Cold War. Whistleblower Edward Snowden’s revelations about the United States spying on Germany also caused upset.” reports the Reuters Agency.


In 2015, the media freedom organization Reporters Without Borders filed a lawsuit against the BND, accusing it of having breached the organization’s secrecy and harmed the partners and reporters it worked with.

“The verdict shows that it pays off when human rights organizations defend themselves against the mass storage of data by the BND,” said Christian Mihr, Reporters Without Borders director in Berlin.

Asked by Reuters about the ruling, the BND said it would wait for the final verdict’s legal justification.


Iran Used "Triton" Malware to Target Saudi Arabia: Researchers
15.12.2017 securityweek Virus
The recently uncovered malware known as “Triton” and “Trisis” was likely developed by Iran and used to target an organization in Saudi Arabia, according to industrial cybersecurity and threat intelligence firm CyberX.

FireEye and Dragos reported on Thursday that a new piece of malware designed to target industrial control systems (ICS) had caused a shutdown at a critical infrastructure organization somewhere in the Middle East.

CyberX has also obtained samples of the malware and, based on its threat intelligence team's investigation, concluded that Triton/Trisis was likely created by Iran and that the victim was likely an organization in Saudi Arabia.

“It's widely believed that Iran was responsible for destructive attacks on Saudi Arabian IT networks in 2012 and more recently in 2017 with Shamoon, which destroyed ordinary PCs. This would definitely be an escalation of that threat because now we're talking about critical infrastructure -- but it's also a logical next step for the adversary,” Phil Neray, VP of Industrial Cybersecurity for CyberX, told SecurityWeek.

“Stuxnet and more recently Industroyer showed that modern industrial malware can be used to reprogram and manipulate critical devices such as industrial controllers, and Triton appears to be simply an evolution of those approaches,” Neray added.

FireEye and Dragos would not comment on CyberX’s theory about Triton being developed and used by Iran. FireEye did however note in its report that the methods used were consistent with attacks previously attributed to Russian, Iranian, U.S., North Korean and Israeli nation-state actors.

Triton is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially dangerous situation.

The malware uses the proprietary TriStation protocol to communicate with SIS controllers, and it’s capable of adding new ladder logic that allows the attackers to manipulate devices.

In the attack analyzed by FireEye and Dragos, the hackers’ activities resulted in the SIS controller triggering a process shutdown, which led to the discovery of the attack. However, experts believe the shutdown was likely an accident. One possible scenario is that the attackers were conducting reconnaissance as part of an operation whose ultimate goal was to cause physical damage.

Schneider Electric has published an advisory to inform customers about the incident and provide recommendations on how to prevent potential attacks. The company says there is no evidence that the malware exploits any vulnerabilities in the Triconex product, but it’s still working on determining if there are any other attack vectors.

“I think it's a little comical that Schneider Electric felt obliged to state that the attack did not leverage any vulnerabilities in the Tritex product,” Neray commented. “OT environments are ‘vulnerable by design’ because they lack many of the controls we now take for granted in IT networks such as strong authentication. As a result, once an attacker gets into the OT network -- by stealing credentials or connecting an infected laptop or USB, for example -- they have almost free rein to connect to any control device they choose, and then reprogram them with malicious ladder logic to cause unsafe conditions. Based on the FireEye report, this appears to be exactly what the TRITON attackers did, similar to the way Industroyer modified ABB configuration files to perform its attack on the Ukrainian grid.”


Hackers Target Security Firm Fox-IT
15.12.2017 securityweek Hacking
Fox-IT, the Netherlands-based cybersecurity firm owned by NCC Group, revealed on Thursday that it had been the victim of a man-in-the-middle (MitM) attack made possible by DNS records getting changed at its third-party domain registrar.

The incident took place back in September and Fox-IT decided to disclose it now after conducting a detailed analysis. A law enforcement investigation is ongoing so the company has not shared any information on who might be behind the attack.

The security firm traced the attackers’ initial activities to September 16, when it detected port and vulnerability scanning attempts. Then, on September 19, using compromised credentials, the hackers changed the DNS records for fox-it.com at the company’s service provider.

The main target was apparently Fox-IT’s ClientPortal, an application used to securely exchange files with customers and suppliers.

For a total of roughly 10 minutes, the attackers also managed to reroute Fox-IT emails in an effort to demonstrate that they owned the company’s domain so that they could fraudulently register an SSL certificate for the ClientPortal application.

Shortly after that, the rogue SSL certificate was used for an MitM attack on ClientPortal, with traffic to the portal routed through a virtual private server (VPS) provider abroad.

Fox-IT noticed the malicious activity after roughly five hours and quickly worked to restore DNS settings and secure its account with the domain registrar. However, due to caching and how DNS works, it took some time for the changes to take effect and the MitM attack was carried out for 10 hours and 24 minutes.

During this time, the attacker managed to intercept the credentials of nine users, one mobile phone number, a “subset” of names and email addresses, ClientPortal account names, and 12 files, including three that contained confidential client information, Fox-IT said. All affected customers have been notified.

The security firm has not been able to determine what other messages the hackers may have intercepted during the 10 minutes while they had control over Fox-IT email.

After discovering the incident, the company said it blocked the attacker from intercepting additional customer information by disabling the two-factor authentication (2FA) mechanism on the ClientPortal application. By disabling 2FA, Fox-IT prevented customers from logging in to their account – 2FA is mandatory on the portal – but avoided letting the attackers know that the intrusion had been detected in an effort to continue observing their actions.

Fox-IT believes the attackers likely gained access to its DNS registrar account using credentials that were leaked following a breach at a third-party service provider. The password had not been changed by the security firm since 2013, and the DNS provider does not offer 2FA, allowing the hackers to easily change DNS records.

“The use of full packet capture and CTMp network sensors was crucial in determining the scope of the attack,” Fox-IT said in a blog post. “We could, within a few hours of finding out about the attack, determine exactly who was affected and what the scope of the attacker was. This helped us to understand the incident with confidence and to quickly notify those directly affected and the Dutch Data Protection Authority.”
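One way to reconstruct an incident like this from periodic observations, as an added example that is not Fox-IT's own tooling: the monitor compares snapshots of the domain's DNS records and of the certificate fingerprint the portal served against a baseline, reports which record sets changed and when, when they were back to normal, and how long cached answers could have outlived the fix at the registrar. All names, addresses, fingerprints, timestamps and the one-hour TTL are constructed for the example.

```go
package main

import (
	"fmt"
	"sort"
	"time"
)

// Snapshot is one observation of the records that matter for a customer portal:
// the A records that steer traffic, the MX records that decide who receives the
// domain-validation mail for a certificate request, and the fingerprint of the
// certificate the portal served (kept under a "CERT" key so one comparison covers
// it). All names, addresses and fingerprints in this example are constructed.
type Snapshot struct {
	At      time.Time
	Records map[string][]string // e.g. "A fox-it.com" -> {"198.51.100.10"}
}

// Drift lists, sorted, every record set that differs from the baseline. The
// comparison is order-insensitive so rotating round-robin answers stay quiet.
func Drift(baseline, observed map[string][]string) []string {
	var changed []string
	for key, want := range baseline {
		if !sameSet(want, observed[key]) {
			changed = append(changed, key)
		}
	}
	for key := range observed { // records that appeared without a baseline entry
		if _, known := baseline[key]; !known {
			changed = append(changed, key)
		}
	}
	sort.Strings(changed)
	return changed
}

func sameSet(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	seen := map[string]int{}
	for _, v := range a {
		seen[v]++
	}
	for _, v := range b {
		if seen[v] == 0 {
			return false
		}
		seen[v]--
	}
	return true
}

// Window is an incident reconstructed from snapshots: when records first changed,
// when they were back to baseline, and until when resolvers may still have served
// the hijacked answers (restore time + TTL), the caching tail that let the MitM run on.
type Window struct {
	Changed, Restored, StaleUntil time.Time
	Keys                          []string // record sets changed at first detection
}

// Reconstruct walks the snapshots in time order and fills in the Window;
// it returns false if no snapshot ever deviated from the baseline.
func Reconstruct(baseline map[string][]string, snaps []Snapshot, ttl time.Duration) (Window, bool) {
	sort.Slice(snaps, func(i, j int) bool { return snaps[i].At.Before(snaps[j].At) })
	var w Window
	found := false
	for _, s := range snaps {
		d := Drift(baseline, s.Records)
		switch {
		case !found && len(d) > 0:
			found, w.Changed, w.Keys = true, s.At, d
		case found && len(d) == 0 && w.Restored.IsZero():
			w.Restored, w.StaleUntil = s.At, s.At.Add(ttl)
		}
	}
	return w, found
}

func main() {
	base := map[string][]string{
		"A fox-it.com":                 {"198.51.100.10"},
		"MX fox-it.com":                {"mx1.fox-it.com", "mx2.fox-it.com"},
		"CERT clientportal.fox-it.com": {"sha256:baseline-fingerprint"},
	}
	hijacked := map[string][]string{
		"A fox-it.com":                 {"203.0.113.5"},
		"MX fox-it.com":                {"mx.attacker.invalid"},
		"CERT clientportal.fox-it.com": {"sha256:rogue-fingerprint"},
	}
	at := func(h, m int) time.Time { return time.Date(2017, 9, 19, h, m, 0, 0, time.UTC) }
	w, _ := Reconstruct(base, []Snapshot{{at(0, 0), base}, {at(0, 10), hijacked}, {at(5, 0), base}}, time.Hour)
	fmt.Printf("changed %v at %s, restored %s, stale answers possible until %s\n",
		w.Keys, w.Changed.Format(time.Kitchen), w.Restored.Format(time.Kitchen), w.StaleUntil.Format(time.Kitchen))
}
```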

It’s not uncommon for cybersecurity firms and their employees to be targeted by hackers. For example, Kaspersky and Avast’s CCleaner were breached by sophisticated actors, while Bitdefender and FireEye were targeted by individuals who made exaggerated claims.


Synaptics to Remove "Keylogger" Functionality From Drivers
15.12.2017 securityweek Vulnerability
Synaptics says recent reports inaccurately characterized a debugging tool found in its touchpad drivers as a keylogger, but the company has decided to remove the functionality from its products.

Earlier this month, a researcher reported finding what appeared to be keylogger functionality in a Synaptics touchpad driver shipped with hundreds of HP laptops. The functionality is disabled by default, but a user with administrator privileges can enable it and abuse it to log keystrokes.

The vulnerability, tracked as CVE-2017-17556, was reported to HP and patched by the company in November.

HP classified the vulnerability as medium severity (CVSS score of 6.1), and Synaptics has assigned it a low severity rating (CVSS score of 2.0). Some people agree that the flaw is not serious, arguing that an attacker with administrator privileges can install a proper keylogger and other types of malware.

Synaptics said the functionality was added to some of its drivers for diagnosing, tuning and debugging touchpads, but it was disabled before being shipped to customers. The same drivers are provided to other PC manufacturers, not just HP, but no other company has been named to date.

“Synaptics believes now, for best industry practices, that it should remove this debug tool for production versions of the driver,” the firm said. “Synaptics is unaware of any breach of security related to this debug tool.”

The company says it’s working with partners to identify affected products and release new drivers. It also recommends restricting administrator access to systems in order to prevent unauthorized activities.

“Synaptics takes great pride in making sure that its TouchPad drivers and other products meet industry-best security standards. In our new normal of heightened concern for security and privacy, Synaptics would like to apologize for any concerns that our debug tool may have raised. We have a path to immediately address this issue and other security concerns should they arise,” Synaptics stated.


Nigerian Sentenced to Prison in U.S. for BEC Scams
15.12.2017 securityweek Crime
A Nigerian national has been sentenced by a United States court to 41 months in prison for his role in business email compromise (BEC) scams, the Department of Justice announced on Thursday.

The scammer, David Chukwuneke Adindu, was arrested by U.S. authorities in November 2016. He pleaded guilty in June to one count of conspiracy to use a means of identification in connection with a federal crime, and one count of conspiracy to commit wire fraud. He faced at least 15 years in prison for his crimes.

In addition to the prison sentence, the Nigerian has been ordered to pay $1.4 million in restitution.

According to prosecutors, Adindu, who resided in both Nigeria and China, was part of a scheme that involved sending out specially crafted emails designed to trick organizations into wiring significant amounts of money to bank accounts controlled by him and his co-conspirators. The man took part in the operation between 2014 and 2016.

These types of emails typically purport to come from managers at the targeted company or known business partners and they instruct recipients to wire money to a specified account. The scam is referred to as a business email compromise scam because the attacker often hacks into the targeted organization’s email accounts to obtain information that can be leveraged to make the wire transfer requests more credible.

Last year, the FBI received over 12,000 complaints related to BEC and EAC (email account compromise) scams, with losses totaling more than $360 million.

Authorities said the scheme Adindu was involved in targeted thousands of victims around the world and attempted to defraud them of more than $25 million. Reuters learned from the man’s lawyer that his main role was to set up bank accounts in China and Hong Kong.

Adindu is not the first Nigerian sentenced in the United States. Earlier this year, three individuals were given prison sentences totaling 235 years for their role in a massive scheme that involved romance scams, identity theft, fraud and money laundering.


New "PRILEX" ATM Malware Used in Targeted Attacks
15.12.2017 securityweek Virus
Trend Micro security researchers recently discovered a highly targeted piece of malware designed to steal information from automated teller machines (ATMs).

Dubbed PRILEX and written in Visual Basic 6.0 (VB6), the threat was designed to hijack a banking application and steal information from ATM users. The malware was spotted in Brazil, but similar threats could prove as harmful anywhere around the world, the security researchers say.

First reported in October 2017, PRILEX was designed to hook certain dynamic-link libraries (DLLs) and replace them with its own application screens. The targeted DLLs (P32disp0.dll, P32mmd.dll, and P32afd.dll) belong to the ATM application of a bank in Brazil.

Because of this atypical behavior, the researchers concluded that the malware was being used in a highly targeted attack. What’s more, the threat only affects a specific brand of ATMs, meaning that its operators might have analyzed the machines to devise their attack method, Trend Micro explains.

After infecting a machine, the malware starts operating jointly with the banking application. Thus, the malware can display its own fake screen requesting the user to provide their account security code. The code is delivered to the user as part of a two-factor authentication method meant to protect ATM and online transactions, and the malware captures and stores the code.

The malware attempts to communicate with the command and control (C&C) server to send the stolen credit card data and account security codes. The security researchers believe the malware’s operators might be dealing in bulk credit card credentials.

“To our knowledge, this is the first ATM malware that assumes it is connected to the internet. It is likely that this bank’s ATMs are connected, since the attackers seem to be very familiar with this particular bank’s methods and processes,” Trend Micro says.

PRILEX also shows that cybercriminals can analyze the methods and processes of any bank to abuse them in highly targeted attacks. All financial institutions should therefore take this into consideration when defending their ATM infrastructure, especially since a silent attack such as this could go unnoticed for months, if not years.

At the DefCamp conference in Bucharest in early November, Kaspersky Lab’s Olga Kochetova and Alexey Osipov explained how easy it is to create ATM botnets. Discoverable online, these devices are susceptible to a broad range of attacks and infecting a single machine could allow attackers to compromise a bank’s entire network.

“A targeted malware likely took significant time and resources to develop. This shows that in today’s world, criminals consider that a worthwhile investment. Gone are the days when banks were seen as unassailable—now they are simply the biggest fish in the sea. It is not easy to kill a whale, but it is possible—and doing so allows an attacker to eat for a long time,” Trend Micro notes.

CUTLET MAKER gets cracked

In addition to PRILEX, Trend Micro analyzed CUTLET MAKER, a relatively new ATM malware that was first detailed in October this year. A run-of-the-mill program, the malware consists of multiple components and can be run from a USB memory stick connected to an ATM. The malware relies on the Diebold Nixdorf DLL (CSCWCNG.dll) to send commands to the ATM’s dispensing unit.

Designed to empty the ATM of all its banknotes, the malware was found being sold on underground markets for as much as $5,000. However, it appears that competitors have already managed to crack its code, allowing anyone to use it for free.

Each time the malware is executed, a code is required to use the program and empty the ATM. Apparently, the threat doesn’t use time-based codes, but just an algorithm, which means that the same input would generate the same output, and some cybercriminals have already built a “key generator” to automatically calculate the return code.

“The code is available on the internet and relatively easy to find. This means that anybody can start victimizing ATMs without having to pay for the program—or at least ATMs with an accessible USB port,” Trend Micro says.

Thus, some have started selling the malware along with the keygen for much lower prices compared to the original. It appears that the malware’s developers haven’t responded yet, and no new version of the tool that uses a different algorithm has been released.


Study Examines Value of Data
15.12.2017 securityweek IT
IP is Valued Above Email but Below PII, Survey Finds

In mitigating an asset-risk by risk transfer (such as an insurance policy), the value of the asset is directly related to the cost of the transfer (the insurance premium). The same principle should be applied to other forms of risk mitigation, such as defending the asset. Where the asset is data, an information security policy should reflect the value of the data -- but this assumes that the value of data is understood.

Trustwave, a Chicago, IL-based threat, vulnerability and compliance management firm, wanted to see how organizations value the prime categories of the data they hold -- which it assumes to be personally identifiable information (PII), payment card data (PC), intellectual property (IP), and email content information. It commissioned Quocirca to analyze the financial value placed by different industry segments in different geographical regions on these four categories of data. Five hundred IT and risk managers were surveyed in the U.S., Canada, Australia, Japan and the UK (100 for each region).

Two specific metrics are used in the ensuing report (PDF): the per capita value (PCV) for data; and a data risk vigilance (DRV) score. PCV is calculated by dividing the overall value of a data set by the number of records it contains. It consequently provides a subjective view for each organization. The same principle was also applied to discover the comparative data PCVs for the criminal fraternity and regulators.

The second metric, the DRV score, isn't simply a question of security budgets, but aggregates ten factors -- four relating directly to risk, four to data value assessments and two to the impact of data theft.

The results are surprising in their diversity. For example, U.S. professionals value their PII data at more than twice the PCV value asserted by their UK counterparts ($1,820 versus $843). The difference may be less today following the recent 20% fall in the value of the pound, but is still surprising.

It would be tempting to think this might reflect the vast number of data protection regulations, both state and federal, in the U.S.; and that simply for compliance reasons US security officers value data more highly. If this were so, then the UK PCV would likely increase dramatically from next year when the GDPR with its very high non-compliance sanctions comes into effect.

Ziv Mador, VP security research at Trustwave, doesn't believe this is the cause of the difference. "It is likely," he told SecurityWeek, "that the sheer volume of PII held in the U.S. by the big international organizations, and the knowledge that they are a tempting target for attackers, increases the awareness of PII value." If this is the case, GDPR will more likely increase the disparity between the U.S. and the UK since it will still be U.S. organizations holding huge amounts of European PII.

Many of the findings of this survey and analysis are easy to understand and explain. For example, PII (which includes personal health information -- PHI) gets the highest overall PCV rating. This is understandable given the potential cost of a breach, including law-suits, regulatory fines, and the cost of restitution. This is followed by IP and payment card data -- again understandable in that card data is often held by third parties. More surprising, however, is that email is given the lowest PCV by a long distance.

Email seems not to be considered a serious area of concern despite the volume of sensitive data often sent within it. This ranges from PII to IP and user passwords in clear text. While IP is given a high value, emails that often contain IP or access to it are not. The demise of Nortel is a case in point. Hackers had access to Nortel for about a decade. An investigation subsequently found two rootkits giving the hackers remote access to corporate email. It is believed that IP stolen from Nortel enabled competitors from China to produce almost identical products at a fraction of the cost -- ultimately leading to Nortel's demise.

It would appear from the Trustwave survey that many organizations have still not learned the true value of, and threat from, email, and are likely to defend it inadequately. This is potentially confirmed by the report's second metric, the data risk vigilance score, in which PC data replaces PII as the category receiving the greatest vigilance. This may, however, be because companies holding large amounts of PC data (merchants, for example) hold lesser amounts of other types of data, and consequently bias the overall result.

Despite the Nortel example illustrating the importance of IP, IP ranks only third on this metric. Corporate email is a relatively distant fourth.

The strength of this report is that it will likely make organizations question whether they have correctly valued their own data, and have consequently applied the correct level of security controls for their different assets.

"Today," explains Mador, "data is one of the most valuable commodities possessed by any business. Whether that data belongs to the organization itself, its employees, suppliers or customers, it has a duty to protect that data to the best of its ability. Companies that fail to accurately value their data are unlikely to make the right decisions regarding the level of cyber security investments to protect that data and are those most likely to fall short of regulations, such as the upcoming European Union General Data Protection Regulation (GDPR) coming into effect in 2018."

The biggest single takeaway is that companies should perhaps re-evaluate both the PCV and DRV they apply to their corporate email systems.


Facebook Releases New Certificate Transparency Tools
15.12.2017 securityweek Krypto  Social
Following the release of the Certificate Transparency Monitoring utility in December 2016, Facebook has decided to release new tools for developers using the Certificate Transparency framework.

Last year’s tool was designed to provide access to data collected through Facebook’s own service monitoring the issuance of TLS certificates. It leverages Google’s Certificate Transparency (CT) framework, which can detect mis-issued TLS certificates and stop attempts to leverage them to intercept HTTPS traffic.

The tool allows developers to search for certificates and receive alerts when a new certificate is issued for their domains. The tool ensures that newly issued certificates that have been logged to Certificate Transparency Logs (CT logs) aren’t mis-used to perform man-in-the-middle attacks.

With hundreds of Certificate Authorities (CAs) issuing publicly-trusted TLS certificates for any website out there, a single breach at any CA could result in the mis-issuance of publicly-trusted TLS certificates, the company says.

“We match every new certificate with a set of domain subscriptions in our system, and we notify respective subscribers about the updates. If a domain owner receives a notification that a CA issued a certificate for their domain without an explicit request, they will likely want to contact the CA, make sure their identity is not compromised, and consider revoking the certificate,” Facebook explains.

To provide push-based integrations with its system, Facebook is now releasing a Webhooks API, which allows developers to register a webhook and define domains for monitoring instead of periodically pulling certificates from external sources or waiting for notifications. Each time a new certificate is issued for these domains, information about the certificate is sent to the developer-specified endpoint.

Additionally, the social media giant announced the release of an API for querying certificates programmatically. Since retrieving detailed information about certificates and analyzing millions of them without proper infrastructure is difficult, the interface was designed to provide certificate metadata for the domain names that match a given query.
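The matching step described above, as an added example that is not Facebook's code: each new log entry is compared with the domain subscriptions, one alert per covered name is produced for the subscriber's webhook endpoint, and an issuer the domain owner does not use is flagged so the "issued without an explicit request" case stands out (a rogue certificate like the one obtained for Fox-IT's ClientPortal earlier on this page would surface the same way). The subscription fields, the wildcard rule, the sample log entries and the CA names are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// LogEntry is a constructed stand-in for one certificate pulled from a CT log:
// the issuing CA and the DNS names the certificate covers.
type LogEntry struct {
	Issuer string
	Names  []string
}

// Subscription is a domain registered for monitoring, the webhook endpoint to
// notify, and the CAs the owner knowingly uses, so that a certificate from any
// other issuer can be flagged as an issuance nobody requested.
type Subscription struct {
	Domain   string
	Endpoint string
	KnownCAs []string
}

// Alert is the payload that would be posted to the subscriber's endpoint.
type Alert struct {
	Endpoint, Domain, Name, Issuer string
	Unexpected                     bool
}

func norm(n string) string { return strings.TrimSuffix(strings.ToLower(n), ".") }

// covers reports whether a certificate name concerns a subscribed zone: an exact
// name equal to the zone or beneath it, or a wildcard that is inside the zone or
// sits one label above the subscribed host (e.g. *.example.net covers
// portal.example.net, but not a.b.example.net).
func covers(name, zone string) bool {
	name, zone = norm(name), norm(zone)
	if strings.HasPrefix(name, "*.") {
		base := name[2:]
		if base == zone || strings.HasSuffix(base, "."+zone) {
			return true
		}
		_, parent, found := strings.Cut(zone, ".")
		return found && parent == base
	}
	return name == zone || strings.HasSuffix(name, "."+zone)
}

func knownIssuer(s Subscription, issuer string) bool {
	for _, ca := range s.KnownCAs {
		if strings.EqualFold(ca, issuer) {
			return true
		}
	}
	return false
}

// Match is the matching step for one new log entry: every subscription the
// certificate touches gets one alert per covered name.
func Match(e LogEntry, subs []Subscription) []Alert {
	var alerts []Alert
	for _, s := range subs {
		for _, n := range e.Names {
			if covers(n, s.Domain) {
				alerts = append(alerts, Alert{s.Endpoint, s.Domain, norm(n), e.Issuer, !knownIssuer(s, e.Issuer)})
			}
		}
	}
	return alerts
}

func main() {
	subs := []Subscription{
		{"example.com", "https://hooks.example.com/ct", []string{"Example CA A"}},
		{"portal.example.net", "https://hooks.example.net/ct", []string{"Example CA B"}},
	}
	// Constructed log entries; the third is a look-alike name that must not match.
	entries := []LogEntry{
		{"Example CA A", []string{"example.com", "www.example.com"}},
		{"Unknown CA", []string{"*.example.net"}},
		{"Example CA A", []string{"notexample.com"}},
	}
	for _, e := range entries {
		for _, a := range Match(e, subs) {
			fmt.Printf("POST %s: %s issued for %s (zone %s) unexpected=%v\n",
				a.Endpoint, a.Issuer, a.Name, a.Domain, a.Unexpected)
		}
	}
}
```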

Developers taking advantage of the Certificate Transparency features were initially notified via email about new certificates issued for their domains. Starting this year, everyone can see certificate updates on Facebook via push notifications, and all developers creating a subscription at developers.facebook.com/tools/ct can take advantage of this feature.

Facebook is currently monitoring over 20 publicly available CT logs and says it sends around 2,500 notifications every day. Around 40,000 new certificates are observed in CT logs every hour and that number is expected to grow next year, when Google Chrome will start requiring all website certificates to be logged in CT logs. To ensure scalability, the same backend system that powers the Facebook Graph is used to search through the logged certificates.

The social network company also notes that it is currently working on implementing the Expect-CT header, meaning that compatible browsers will require that certificates used to access Facebook be logged to public CT logs first.


Google Details How It Protects Data Within Its Infrastructure
14.12.2017 securityweek Krypto
Google has decided to share detailed information on how it protects service-to-service communications within its infrastructure at the application layer, and on the system it uses for data protection.

Called Application Layer Transport Security (ALTS), the technology was designed to authenticate communication between Google services and keep data protected while in transit. When sent to Google, data is protected using secure communication protocols such as TLS (Transport Layer Security).

According to the Web search giant, it started development of ALTS in 2007, when TLS was bundled with support protocols that did not satisfy the company’s minimum security standards. Thus, the company found it more suitable to design its own security solution than patch an existing system.

Google, which considers ALTS more secure than the TLS of the time, describes it as “a highly reliable, trusted system that provides authentication and security for […] internal Remote Procedure Call (RPC) communications,” one that ensures security within the company’s infrastructure.

The system, Google explains, requires minimal involvement from the services themselves, as data is protected by default. All RPCs issued or received by a production workload are protected by ALTS by default, as long as they stay within a physical boundary controlled by or on behalf of Google.

According to Google, the ALTS configuration is transparent to the application layer, and all cryptographic primitives and protocols used by ALTS are kept up to date against currently known attacks. ALTS performs authentication primarily by identity rather than host name, relying on each workload having an identity that is expressed as a set of credentials. After an initial ALTS handshake, connections can be persisted for a longer time to improve overall system performance. ALTS is also considerably simpler than TLS because Google controls both clients and servers, the company says.

Benefits of ALTS also include more precise security. Workloads that run on the same machine can authenticate using their own identity rather than the machine’s identity, Google explains in a whitepaper detailing the system. Overhead of potentially expensive cryptographic operations is reduced with ALTS.

ALTS also offers improved scalability, courtesy of an efficient resumption mechanism embedded in its handshake protocol. The system can also accommodate the authentication and encryption needs of a very large number of RPCs (services on Google production systems collectively issue on the order of 10^10 RPCs per second), the company says.

The system also includes a wide array of features designed to ensure security and scalability, and features a flexible trust model suited for different types of entities on the network (physical machines, containerized workloads, and even human users).

Within Google’s infrastructure, all scheduled production workloads are initialized with a certificate that is securely delivered and which asserts their identity. The remote peer identity and certificate are verified when a workload is involved in an ALTS handshake. Certificates have a relatively short lifespan.

ALTS uses a Diffie-Hellman (DH) based authenticated key exchange protocol for handshakes and provides applications with an authenticated remote peer identity that can be used for fine-grained authorization policies at the application layer, the company explains.

“After a handshake is complete and the client and server negotiate the necessary shared secrets, ALTS secures RPC traffic by forcing integrity, and optional encryption, using the negotiated shared secrets. We support multiple protocols for integrity guarantees, e.g., AES-GMAC and AES-VMAC with 128-bit keys,” Google says.

When traffic leaves a physical boundary controlled by or on behalf of Google, protocols are automatically upgraded to ensure encryption and integrity. AES-GCM and AES-VCM protocols with 128-bit keys are employed in such cases, the company also explains.
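A simplified version of the handshake just described, written here as an added example and not Google's code or the actual ALTS message format: each workload holds a short-lived identity certificate signed by a toy CA, the two sides run an X25519 exchange whose transcript each signs under its identity key, and the resulting session hands the authenticated peer identity to an application-layer authorization check. The certificate encoding, the hash-based key derivation and the workload names are assumptions, and record protection with the derived key is not shown.

```go
package main

import (
	"crypto/ecdh"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Cert binds a workload identity (not a host name) to a long-term signing key; toy encoding, not ALTS'.
type Cert struct {
	Identity string
	Pub      ed25519.PublicKey
	NotAfter time.Time
	Sig      []byte // CA signature over certBytes(c)
}

func certBytes(c Cert) []byte {
	return append([]byte(c.Identity+"|"+c.NotAfter.UTC().Format(time.RFC3339)+"|"), c.Pub...)
}

// Workload owns a short-lived identity cert and the matching private key.
type Workload struct {
	Cert Cert
	priv ed25519.PrivateKey
}

// NewWorkload plays the toy CA: it issues a cert for an identity.
func NewWorkload(caPriv ed25519.PrivateKey, id string, notAfter time.Time) Workload {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	c := Cert{Identity: id, Pub: pub, NotAfter: notAfter}
	c.Sig = ed25519.Sign(caPriv, certBytes(c))
	return Workload{c, priv}
}

// Session is what the application gets: the authenticated peer identity and a 128-bit record key.
type Session struct {
	Peer string
	Key  []byte
}

// verifyPeer checks the peer cert against the CA and its expiry, then the peer's signature
// over the transcript (both ephemeral shares), which turns plain DH into authenticated DH.
func verifyPeer(caPub ed25519.PublicKey, c Cert, transcript, sig []byte, now time.Time) error {
	if !ed25519.Verify(caPub, certBytes(c), c.Sig) || now.After(c.NotAfter) {
		return errors.New("peer cert not signed by CA or expired")
	}
	if !ed25519.Verify(c.Pub, transcript, sig) {
		return errors.New("peer handshake signature invalid")
	}
	return nil
}

// Handshake drives both sides in-process so the message flow is visible:
// 1) client -> server: client ephemeral X25519 share; 2) server -> client: server share,
// server cert, signature over transcript; 3) client -> server: client cert, signature.
func Handshake(caPub ed25519.PublicKey, client, server Workload, now time.Time) (Session, Session, error) {
	curve := ecdh.X25519()
	cEph, _ := curve.GenerateKey(rand.Reader)
	sEph, _ := curve.GenerateKey(rand.Reader)
	transcript := append(cEph.PublicKey().Bytes(), sEph.PublicKey().Bytes()...)
	sSig := ed25519.Sign(server.priv, transcript) // message 2
	if err := verifyPeer(caPub, server.Cert, transcript, sSig, now); err != nil {
		return Session{}, Session{}, err
	}
	cSig := ed25519.Sign(client.priv, transcript) // message 3
	if err := verifyPeer(caPub, client.Cert, transcript, cSig, now); err != nil {
		return Session{}, Session{}, err
	}
	// Key derivation: hash the shared secret with the transcript (toy KDF, not ALTS').
	derive := func(own *ecdh.PrivateKey, peer *ecdh.PublicKey) []byte {
		shared, _ := own.ECDH(peer)
		sum := sha256.Sum256(append(shared, transcript...))
		return sum[:16]
	}
	return Session{server.Cert.Identity, derive(cEph, sEph.PublicKey())},
		Session{client.Cert.Identity, derive(sEph, cEph.PublicKey())}, nil
}

// Authorize applies a per-identity policy to the authenticated peer identity (application-layer authz).
func Authorize(policy map[string][]string, s Session, method string) bool {
	for _, m := range policy[s.Peer] {
		if m == method {
			return true
		}
	}
	return false
}

func main() {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	cs, ss, err := Handshake(caPub, NewWorkload(caPriv, "frontend-prod", now.Add(time.Hour)),
		NewWorkload(caPriv, "storage-prod", now.Add(time.Hour)), now)
	fmt.Println(cs.Peer, ss.Peer, err, Authorize(map[string][]string{"frontend-prod": {"Read"}}, ss, "Write"))
}
```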


U.S. Military to Send Cyber Soldiers to the Battlefield
14.12.2017 securityweek BigBrothers
The US Army will soon send teams of cyber warriors to the battlefield, officials said Wednesday, as the military increasingly looks to take the offensive against enemy computer networks.

While the Army's mission is generally to "attack and destroy," the cyber troops have a slightly different goal, said Colonel Robert Ryan, who commands a Hawaii-based combat team.

"Not everything is destroy. How can I influence by non-kinetic means? How can I reach up and create confusion and gain control?" he told reporters.

The cyber soldiers have been integrated for six months in infantry units, and will tailor operations according to commanders' needs, said Colonel William Hartman of the Army's Cyber Command.

The Army has for the past three years conducted training for such operations at a huge center in southern California.

Hartman didn't give details on what the cyber troops can achieve, except to say that they would be scooping up information or intercepting planned attacks.

According to the New York Times, CYBERCOM has previously placed "implants" in Islamic State group networks that let experts monitor the group's behavior and ultimately imitate or alter commanders' messages so they unwittingly direct fighters to areas likely to be hit by drone or plane strikes.

Another technique likely being employed is a common type of cyber attack known as a denial of service.

Cyber Command had previously been a subordinate part of the US Strategic Command, but President Donald Trump in August ordered the Pentagon to elevate it to its own command, in a sign of its growing importance.


U.S. Prosecutors Confirm Uber Target of Criminal Probe
14.12.2017 securityweek BigBrothers
A letter made public Wednesday in Waymo's civil suit against Uber over swiped self-driving car secrets confirmed the ride-share service is the target of a US criminal investigation.

The US Attorney's Office in Northern California sent the letter to US Judge William Alsup last month to share some of what they have learned "in the course of a United States' pending criminal investigation," according to a copy of the paperwork obtained by AFP.

Alsup had referred the case to the Justice Department to look into possible criminal charges, but prosecutors remained mum after that. Information shared by the department with Alsup sparked a courtroom furor over the possibility that Uber operated a program to hide nefarious tactics.

It also resulted in the trial being delayed a second time, with the judge setting a new start date of February 5.

The US Attorney's Office said in the missive to Alsup that they interviewed former Uber manager of global intelligence Richard Jacobs, who contended that "employees routinely used non-attributable electronic devices to store and transmit information that they wished to separate from Uber's official systems."

Attorneys representing Uber have repeatedly assured the judge no files taken from Waymo ever touched Uber servers.

Jacobs' attorney laid out his allegations in May in a letter to Uber's associate general counsel, according to the Justice document.

Alsup continues to mull whether it should have been shared during an evidence-gathering phase of the civil case.

The letter signed by Jacobs told of an effort to evade discovery requests, court orders, and government investigations "in violation of state and federal law, as well as ethical rules governing the legal profession."

Techniques used included smartphones or laptop computers that couldn't be traced back to the company, and communicating through encrypted, vanishing message service Wickr, according to the letter and a transcript of courtroom testimony obtained by AFP.

Jacobs testified that he left Uber early this year with a compensation deal valued at $4.5 million.

As part of that agreement with Uber, Jacobs remained a consultant on the payroll.

Uber executives who testified denied any wrongdoing or trail-covering.

The civil case stems from a lawsuit filed by Waymo -- previously known as the Google self-driving car unit -- which claimed former manager Anthony Levandowski took technical data with him when he left to launch a competing venture that went on to become Otto and was later acquired by Uber.

Uber is also a target of investigations and lawsuits over the cover-up of a hack that compromised personal information of 57 million users and drivers.

Uber purportedly paid data thieves $100,000 to destroy the swiped information -- and remained quiet about the breach for a year.

US justice officials are also investigating suspicions of foreign bribery and use of illegal software to spy on competitors or escape scrutiny of regulators.


Traffic to Major Tech Firms Rerouted to Russia
14.12.2017 securityweek BigBrothers
Internet traffic for some of the world’s largest tech firms was briefly rerouted to Russia earlier this week in what appeared to be a Border Gateway Protocol (BGP) attack.

OpenDNS-owned Internet monitoring service BGPmon reported the incident on Tuesday. BGPmon noticed that 80 IP prefixes for organizations such as Google, Microsoft, Apple, Facebook, NTT Communications, Twitch and Riot Games had been announced by a Russian Autonomous System (AS).

It happened twice on Tuesday and each time it only lasted for roughly three minutes. The first event took place between 04:43 and 04:46 UTC, and the second between 07:07 and 07:10 UTC.

Despite being short-lived, BGPmon said the incidents were significant, notably because the announcements were picked up by several peers and some large ISPs, such as Hurricane Electric and Zayo in the U.S., Telstra in Australia, and NORDUnet, a joint project of several Nordic countries.

Another interesting aspect was that all the targeted traffic was associated with high-profile organizations. Experts also pointed out that the Russian AS (AS39523) had not been seen making announcements for several years before this incident.

“What makes this incident suspicious is the prefixes that were affected are all high profile destinations, as well as several more specific prefixes that aren’t normally seen on the Internet. This means that this isn’t a simple leak, but someone is intentionally inserting these more specific prefixes, possibly with the intent to attract traffic,” BGPmon said in a blog post.

“Whatever caused the incident today, it’s another clear example of how easy it is to re-route traffic for 3rd parties, intentionally or by accident. It also is a good reminder for every major ISP to filter customers,” the company added.

Robert Hamilton, director of product marketing at Imperva, said it’s hard to say what the goal was in this specific case considering that the attack was short-lived, but he noted that these types of attacks can be used for various things, “like spoofing websites in order to get visitors to download malicious content or to give up personal details or financial information.”

Chris Morales, head of security analytics at Vectra, a California-based provider of automated threat management solutions, pointed out that users accessing online resources of Google, Apple, Facebook, Microsoft and the other impacted companies trust that their communications are secure because of the use of HTTPS. However, entities that are capable of manipulating the BGP routing protocol to perform man-in-the-middle (MitM) attacks can also manipulate the TLS/SSL encryption and eavesdrop on users.

BGP hijacking

BGP is the protocol that independent networks on the Internet, known as Autonomous Systems, use to exchange routing information and determine the best route between them. Each AS announces the IP address blocks it can reach, known as prefixes, and shares that routing data with its neighbors (peers), which use it to pick the most efficient path.

Jason Kent, CTO of security consulting firm AsTech, has provided a simple explanation of how it all works and why the “suspicious” event spotted by BGPmon was possible.

“The routers [that peer with these big organizations] all communicate with one another to create the largest routing tables. When a member of a new group of routers announces its routes, to the other members, they all update a table. When a user goes to apple.com, really they are going to one of Apple’s web servers with IP addresses like 105.68.88.209, but the user's ISP has to figure out where that is. So the ISP has this big routing table that says, basically, the way to get to 105.x.y.z is via this peer, and sends it the traffic,” Kent explained.

“The big routing table is kept updated by announcements from other devices. Basically a large community of routers within the Internet all tell one another the places they know how to go,” Kent said. “These announcements and updates are performed over a system [BGP] that is both old and rarely updated. It’s possible to spoof the announcements, in the right way and method, and fool all devices that route traffic, that your controlled device knows where to take it and has the best path.”

BGP hijacking attacks have been conducted for many years and while protections against such threats do exist for ISPs, they can often be bypassed by both cybercriminals and state-sponsored actors.
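As an added illustration of the origin check such protections rely on (example code written for this page, not BGPmon's tooling), the Go program below compares announcements from a route-collector feed against a baseline of which origin AS may announce each monitored prefix. It flags the two patterns described in the incident: an exact prefix announced by an unexpected origin, and a more-specific prefix, of the kind not normally seen, announced from inside a monitored block. All prefixes, AS numbers and announcements are constructed from documentation and private ranges.

```go
package main

import (
	"fmt"
	"net/netip"
)

// Announcement is a simplified BGP UPDATE as seen by a route collector:
// the prefix being announced and the AS path, whose last element is the origin AS.
type Announcement struct {
	Prefix string
	ASPath []uint32
}

// OriginAS returns the AS that claims to originate the prefix (last hop of the path).
func (a Announcement) OriginAS() uint32 {
	if len(a.ASPath) == 0 {
		return 0
	}
	return a.ASPath[len(a.ASPath)-1]
}

// MonitoredPrefix pairs an address block an operator cares about with the
// origin ASes that are allowed to announce it (or a more-specific of it).
type MonitoredPrefix struct {
	Prefix  netip.Prefix
	Origins map[uint32]bool
}

func NewMonitoredPrefix(cidr string, origins ...uint32) MonitoredPrefix {
	m := MonitoredPrefix{Prefix: netip.MustParsePrefix(cidr).Masked(), Origins: map[uint32]bool{}}
	for _, o := range origins {
		m.Origins[o] = true
	}
	return m
}

// Alert is one suspicious announcement. Kind is "origin-mismatch" when the exact monitored
// prefix comes from an unexpected origin, or "more-specific" when a longer prefix inside the
// monitored block does, the pattern BGPmon described (more-specifics normally never seen).
type Alert struct{ Prefix, Covering, Kind string; OriginAS uint32 }

// CheckAnnouncements compares each announcement against the baseline. Announcements that
// are less specific than a monitored block, or outside it, are ignored.
func CheckAnnouncements(baseline []MonitoredPrefix, updates []Announcement) []Alert {
	var alerts []Alert
	for _, u := range updates {
		p, err := netip.ParsePrefix(u.Prefix)
		if err != nil {
			continue // malformed update; a real monitor would log and count these
		}
		p = p.Masked()
		origin := u.OriginAS()
		for _, m := range baseline {
			// Contains also fails across address families, so a v6 prefix never matches a v4 block.
			if p.Bits() < m.Prefix.Bits() || !m.Prefix.Contains(p.Addr()) {
				continue
			}
			if m.Origins[origin] {
				continue // expected origin; nothing to flag
			}
			kind := "origin-mismatch"
			if p.Bits() > m.Prefix.Bits() {
				kind = "more-specific"
			}
			alerts = append(alerts, Alert{Prefix: p.String(), Covering: m.Prefix.String(), Kind: kind, OriginAS: origin})
		}
	}
	return alerts
}

// SampleRun evaluates constructed data: two monitored blocks from the documentation ranges
// and four updates, two of which carry an origin (AS64512, private range) the baseline
// does not allow.
func SampleRun() []Alert {
	baseline := []MonitoredPrefix{
		NewMonitoredPrefix("203.0.113.0/24", 64500),
		NewMonitoredPrefix("198.51.100.0/24", 64501),
	}
	updates := []Announcement{
		{"203.0.113.0/24", []uint32{64496, 64500}},          // legitimate
		{"203.0.113.128/25", []uint32{64496, 64497, 64512}}, // more-specific hijack
		{"198.51.100.0/24", []uint32{64496, 64512}},         // origin hijack
		{"192.0.2.0/24", []uint32{64496, 64510}},            // not monitored
	}
	return CheckAnnouncements(baseline, updates)
}

func main() {
	for _, a := range SampleRun() {
		fmt.Printf("%-16s %s inside %s, origin AS%d\n", a.Kind, a.Prefix, a.Covering, a.OriginAS)
	}
}
```

In practice the baseline comes from the operator's own allocations and the feed from a collector such as RouteViews or RIPE RIS; route origin validation against RPKI ROAs performs the same comparison at the router, and, as BGPmon notes, prefix filtering of customers by their upstreams stops such an announcement from propagating in the first place.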

“For example, governments can use it for restricting internet access to particular websites or filtering content like advertisements that they deem illegal,” explained Joseph Carson, chief security scientist at PAM solutions provider Thycotic. “One of the most well-known cases was when in 2008 Pakistan attempted to block YouTube access and took YouTube down completely and brought their own internet access to its knees.”

“For cybercriminals, it is typically used to replace content from third party website requests like advertisements with infected websites used to distribute malware,” Carson added. “You could also use it to take down websites or even direct web traffic to a country causing a DDOS attack.”


Fortinet's FortiClient Product Exposed VPN Credentials
14.12.2017 securityweek Vulnerebility
Updates released by Fortinet for its FortiClient product patch a serious information disclosure vulnerability that can be exploited to obtain VPN authentication credentials.

FortiClient is a next-generation endpoint protection product that includes web filtering, application firewall, vulnerability assessment, anti-malware, and SSL and IPsec VPN features for desktop and mobile systems running Windows, macOS, Linux, Android and iOS.

Researchers at SEC Consult have discovered a couple of issues that can be exploited to access VPN authentication credentials associated with the product.

One of the problems is related to the fact that the VPN credentials are stored in a configuration file (on Linux and macOS) and in the registry (on Windows) – locations that are easily accessible.

The second issue is that while the credentials are stored in an encrypted form, the decryption key is hardcoded in the application and it’s the same across all installations. An attacker can easily find the encrypted passwords and decrypt them using the hardcoded key.
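To make the second issue concrete, here is an added Go example (not Fortinet's code, and not the key or storage format FortiClient uses) that contrasts the two designs. The weak store seals credentials with a key baked into the binary, so a blob written on one machine opens on any other copy of the program; the hardened store derives its key from a per-installation secret that the platform keeps out of other users' reach, so the same blob is useless elsewhere. The key, credential and installation names are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// weakKey reproduces the design flaw the article describes: a single key compiled into
// every copy of the client. Constructed value for this example, not Fortinet's key.
var weakKey = []byte("example-hardcoded-key-32-bytes!!")

// seal encrypts with AES-256-GCM under key and returns nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal reverses seal; GCM's tag check fails if the key differs or the blob was altered.
func unseal(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed blob too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Installation models one endpoint. secret stands in for a per-machine value that the
// platform keeps away from other users (DPAPI user scope on Windows, the keychain on
// macOS, a root-only file on Linux); here it is simply generated at construction time.
type Installation struct {
	Name   string
	secret []byte
}

func NewInstallation(name string) (*Installation, error) {
	s := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, s); err != nil {
		return nil, err
	}
	return &Installation{Name: name, secret: s}, nil
}

// vaultKey derives the credential-store key from the machine secret and a purpose label,
// so no usable key exists in the binary and every installation ends up with a different one.
func (i *Installation) vaultKey() []byte {
	h := sha256.New()
	h.Write([]byte("vpn-credential-vault:v1:"))
	h.Write(i.secret)
	return h.Sum(nil)
}

func (i *Installation) StoreWeak(cred []byte) ([]byte, error)     { return seal(weakKey, cred) }
func (i *Installation) LoadWeak(blob []byte) ([]byte, error)      { return unseal(weakKey, blob) }
func (i *Installation) StoreHardened(cred []byte) ([]byte, error) { return seal(i.vaultKey(), cred) }
func (i *Installation) LoadHardened(blob []byte) ([]byte, error)  { return unseal(i.vaultKey(), blob) }

// ReadableElsewhere stores cred with store (one installation) and reads it back with load
// (another installation); true means the blob is portable across machines.
func ReadableElsewhere(store, load func([]byte) ([]byte, error), cred []byte) bool {
	blob, err := store(cred)
	if err != nil {
		return false
	}
	got, err := load(blob)
	return err == nil && string(got) == string(cred)
}

func main() {
	a, _ := NewInstallation("workstation-A")
	b, _ := NewInstallation("workstation-B")
	cred := []byte("vpnuser:example-password") // constructed
	fmt.Println("hardcoded key, written on A, read on B:", ReadableElsewhere(a.StoreWeak, b.LoadWeak, cred))
	fmt.Println("per-install key, written on A, read on B:", ReadableElsewhere(a.StoreHardened, b.LoadHardened, cred))
	fmt.Println("per-install key, written on A, read on A:", ReadableElsewhere(a.StoreHardened, a.LoadHardened, cred))
}
```

On real endpoints the per-installation secret belongs in DPAPI (user scope) on Windows, the keychain on macOS or a root-only file on Linux, which also addresses the first issue, the storage location being readable by other local users. A per-installation key does nothing against an attacker who can already read that secret as the same user; its value is that one leaked blob, or one reverse-engineered binary, no longer exposes every installation.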

“The vulnerabilities are mostly problematic in an enterprise environment where the VPN is often authenticated against domain accounts,” Johannes Greil, head of the SEC Consult Vulnerability Lab, told SecurityWeek. “(Internal) attackers with valid domain credentials can then harvest all credentials of all other VPN users and gain access to their domain user account (e.g. read emails, etc).”

SEC Consult has created a proof-of-concept (PoC) tool that exploits the vulnerability to recover passwords, but it will only be made public after users have had a chance to update their FortiClient installations.

The security hole is tracked as CVE-2017-14184, and SEC Consult has classified it as having high severity, while Fortinet has assigned it a 4/5 risk rating.

The vulnerability affects FortiClient 5.6.0 and earlier for Windows and Mac, and version 4.4.2334 and earlier of the SSL VPN client for Linux – the Android and iOS apps are not impacted. Patches are included in FortiClient 5.6.1 for Windows and Mac, and FortiClient 4.4.2335 for Linux, which the vendor released alongside FortiOS 5.4.7.

Fortinet was informed about the security hole in mid-September and the patches were released a few weeks ago.


New Cisco App Helps Organizations Secure iOS Devices
14.12.2017 securityweek iOS
Cisco on Thursday announced the availability of Security Connector, an iOS application designed to provide organizations visibility and control for mobile devices running Apple’s operating system.

Security Connector for iOS, the result of a partnership between Apple and Cisco, is an application that combines functionality from the Cisco Umbrella secure internet gateway and the Cisco Advanced Malware Protection (AMP) endpoint security product, specifically its Clarity component.

Enterprises can download the application from the Apple App Store – the app itself is free but requires a license from Cisco – and deploy it on devices running iOS 11 via mobile device management (MDM) solutions such as Cisco’s Meraki Systems Manager. Once installed, the app provides deep visibility to ensure compliance, establish risk exposure, and aid incident response.

Cisco Security Connector also offers control over iPhones and iPads to ensure that their users cannot connect to malicious websites, regardless of whether they are using the corporate network, their own cellular data plan, or public Wi-Fi connections. Cisco claims the product has no impact on employees’ mobile experience.

The new product leverages the Network Extension Framework in iOS 11, which exposes APIs that give developers the ability to customize network features, to enable organizations to monitor and control DNS traffic and provide insight into traffic generated by users, apps and devices.

Several Cisco customers have already tested Security Connector and the networking giant has described a scenario in the healthcare sector to show its potential usefulness.

“Ransomware and malware are spreading across the Internet and increasingly targeting mobile devices. Together with Apple, we are helping enterprises become the most connected, collaborative, and secure businesses in the world,” said David Ulevitch, senior vice president and general manager of Cisco’s Security Business Group. “With this app, we want to provide businesses with tools to meet their security, risk, and compliance requirements.”


Avast Open Sources Machine-Code Decompiler in Battle Against Malware
14.12.2017 securityweek Virus
In an effort to boost the fight against malicious software, anti-malware company Avast this week announced the release of its retargetable machine-code decompiler as open source.

Dubbed RetDec, short for Retargetable Decompiler, the software utility is the result of seven years of development and was originally created as a joint project by the Faculty of Information Technology of the Brno University of Technology in the Czech Republic, and AVG Technologies. Avast acquired AVG Technologies in 2016.

The tool allows the security community to perform platform-independent analysis of executable files. With its source code published to GitHub under the MIT license, RetDec is now available for anyone to freely use it, study its source code, modify it, and redistribute it.

By open-sourcing the decompiler, Avast aims to provide “a generic tool to transform platform-specific code, such as x86/PE executable files, into a higher form of representation, such as C source code.”

The analytical utility includes support for multiple platforms, architectures, file formats, and compilers. It supports the (32-bit only) Intel x86, ARM, MIPS, PIC32 and PowerPC architectures, and the following file formats: ELF, PE, Mach-O, COFF, AR (archive), Intel HEX, and raw machine code.

Currently, the tool can be used on Windows and Linux machines, but pre-built packages are available for Windows only (Linux users need to build and install the decompiler by themselves).

RetDec can be used to perform static analysis of executable files with detailed information; for compiler and packer detection; for loading and instruction decoding; signature-based removal of statically linked library code; extraction and utilization of debugging information (DWARF, PDB), reconstruction of instruction idioms; detection and reconstruction of C++ class hierarchies (RTTI, vtables); demangling of symbols from C++ binaries (GCC, MSVC, Borland); reconstruction of functions, types, and high-level constructs; and generation of call graphs, control-flow graphs, and various statistics.

It also includes an integrated disassembler, and output is available in two languages: C and a Python-like language. An IDA plugin makes it possible to decompile files directly from the IDA disassembler.

Decompilers aren’t normally able to perfectly reconstruct original source code because information is lost during the compilation process and because of the obfuscation techniques malware authors often use. According to Avast, RetDec addresses these issues “by using a large set of supported architectures and file formats, as well as in-house heuristics and algorithms to decode and reconstruct applications.”

In addition to publishing RetDec’s source code, Avast provides several ways to take full advantage of the decompiler, starting with its web service. The security company also made its IDA plugin available, along with a REST API that allows the creation of apps that interact with RetDec through HTTP requests. The decompiler can be used via the API through retdec-python.


Critical 0-Day Allows Remote Hacking of DirecTV Video Bridge
14.12.2017 securityweek Vulnerebility
An unpatched critical vulnerability in a wireless video bridge used by DirecTV allows an attacker to remotely execute code on vulnerable devices, Zero-Day Initiative researchers reveal.

The security vulnerability was discovered in the Linksys WVBR0-25 wireless video bridge, which was designed to pair with the Wireless Genie Mini (C41W) cable box to ensure communication with DirecTV’s main Genie DVR.

Tracked as CVE-2017-17411 and featuring a CVSS score of 10, the vulnerability was discovered by Trend Micro DVLabs researcher Ricky Lawshae, who says that authentication isn’t necessary when attempting to exploit the vulnerability for executing arbitrary code.

“The specific flaw exists within the web management portal. The issue lies in the lack of proper validation of user data before executing a system call. An attacker could leverage this vulnerability to execute code with root privileges,” a ZDI advisory reads.

While attempting to browse to the web server on the device, Lawshae discovered that, instead of a login prompt or an index page, the service would deliver “the output of several diagnostic scripts containing just about everything you could want to know about the bridge, including the WPS pin, connected clients, running processes, and much more.”

Not only is this an information disclosure issue, but the log file also revealed the commands being executed and the output of every command. Moreover, it showed that the user’s IP address and user-agent were used in a system command as a form of access logging or tracking functionality.

However, the device does not properly sanitize the user-agent it is given, and the researcher was able to change the user-agent and send untrusted data to the system for execution. Lawshae found that the system executed the command as root, with no login prompt or input sanitization before the command reached the function responsible for executing it.

Because the lighttpd process runs with root privileges, executed commands run with root privileges as well, even if they come from untrusted input.
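The weakness described above is a textbook OS command injection. The Go example below, added for this page and not taken from the device's firmware or from the ZDI report, shows the unsafe construction as a string that is built but never executed, the hardened alternatives (a strict allowlist for the header and a log write that never passes through a shell), and the detection side: a scan of combined-format access-log lines for User-Agent values carrying shell metacharacters. The log lines, IP addresses and log path are constructed.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"os"
	"strings"
	"time"
)

// highSignal lists tokens that are rare in genuine User-Agent strings but change meaning inside
// "sh -c". A plain ';' and parentheses are left out: "Mozilla/5.0 (X11; Linux x86_64)" is normal.
var highSignal = []string{"`", "$(", "${", "|", "&", ">", "<", "\n", "\r", "\\"}

// BuildShellCommandUnsafe reproduces the pattern the article describes: a request header
// spliced into a command string destined for a shell. It only builds the string and is
// never executed here; the log path is a constructed placeholder.
func BuildShellCommandUnsafe(ip, ua string) string {
	return fmt.Sprintf("echo \"%s %s\" >> /var/log/access.log", ip, ua)
}

// ValidateUserAgent is the hardened input check: bounded length and a strict allowlist
// of the characters real browsers and HTTP clients use. Rejecting rather than stripping
// keeps unexpected bytes out of every downstream consumer, not just the shell.
func ValidateUserAgent(ua string) error {
	const allowed = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789 /.;:,()_+-"
	if len(ua) == 0 || len(ua) > 256 {
		return errors.New("user-agent length out of range")
	}
	for _, r := range ua {
		if !strings.ContainsRune(allowed, r) {
			return fmt.Errorf("disallowed character %q in user-agent", r)
		}
	}
	return nil
}

// AppendAccessLog writes the record through the standard library rather than a shell, so
// the header is data in a file and never part of a command line, whatever it contains.
func AppendAccessLog(w *bufio.Writer, ts time.Time, ip, ua string) error {
	if err := ValidateUserAgent(ua); err != nil {
		return err
	}
	if _, err := fmt.Fprintf(w, "%s %s %q\n", ts.UTC().Format(time.RFC3339), ip, ua); err != nil {
		return err
	}
	return w.Flush()
}

// SuspiciousUserAgent is the detection side for a log review: shell-only tokens in the header.
func SuspiciousUserAgent(ua string) bool {
	for _, tok := range highSignal {
		if strings.Contains(ua, tok) {
			return true
		}
	}
	return false
}

// lastQuotedField returns the final "..." field of a combined-format log line, where the
// User-Agent lives. A header containing a literal quote would confuse it; use a real parser in production.
func lastQuotedField(line string) (string, bool) {
	end := strings.LastIndex(line, "\"")
	if end <= 0 {
		return "", false
	}
	start := strings.LastIndex(line[:end], "\"")
	if start < 0 {
		return "", false
	}
	return line[start+1 : end], true
}

// FlagInjectionAttempts returns the client IPs of log lines whose User-Agent looks like a probe.
func FlagInjectionAttempts(lines []string) []string {
	var hits []string
	for _, l := range lines {
		if ua, ok := lastQuotedField(l); ok && SuspiciousUserAgent(ua) {
			hits = append(hits, strings.Fields(l)[0])
		}
	}
	return hits
}

// SampleLog is constructed combined-format traffic: one ordinary browser, one probe.
var SampleLog = []string{
	`192.0.2.10 - - [13/Dec/2017:10:00:00 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"`,
	"192.0.2.11 - - [13/Dec/2017:10:00:05 +0000] \"GET / HTTP/1.1\" 200 512 \"-\" \"curl/7.55 `true`\"",
}

func main() {
	fmt.Println("unsafe builder would run:", BuildShellCommandUnsafe("192.0.2.11", "curl/7.55 `true`"))
	fmt.Println("flagged:", FlagInjectionAttempts(SampleLog))
	w := bufio.NewWriter(os.Stdout)
	fmt.Println("log write:", AppendAccessLog(w, time.Now(), "192.0.2.10", "Mozilla/5.0 (X11; Linux x86_64)"))
}
```

The allowlist still permits ';' because the hardened log path never reaches a shell, so the character is harmless there, while the detector omits it to avoid flagging every browser. Restricting which hosts can reach the bridge at all, as Lawshae recommends, remains the mitigation until a patch exists.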

“It literally took 30 seconds of looking at this device to find and verify an unauthenticated remote root command injection vulnerability,” Lawshae says.

After performing a deeper analysis of the device, the researcher discovered that it was running a lighttpd web server. It was configured to render a SysInfo.asp file when browsing to the root of the website, and this file was the page displaying all the diagnostic output.

“It also showed dispatcher.cgi was actually a symbolic link to apply.cgi, which itself is a compiled ARC executable file used as kind of a “do everything” agent for the web server. It was in apply.cgi that I found the actual root cause,” Lawshae, who also published a video detailing the vulnerability, explains.

The ZDI attempted to work with Linksys to address the vulnerability, but to no avail. Although it was informed of the bug in June, the company has not even acknowledged it yet, which led ZDI to publish the 0-day report.

SecurityWeek contacted Linksys for a comment on the matter but hasn’t received a response yet. We’ll update the article as soon as we hear back from them.

“In the absence of an actual patch from the vendor, users should protect themselves by limiting the devices that can interact with the WVBR0-25 to those that actually need to reach it,” Lawshae concludes.


New "Triton" ICS Malware Used in Critical Infrastructure Attack
14.12.2017 securityweek ICS
A new piece of malware designed to target industrial control systems (ICS) has been used in an attack aimed at a critical infrastructure organization, FireEye reported on Thursday. Experts believe the attack was launched by a state-sponsored actor whose goal may have been to cause physical damage.

Few details have been provided about the targeted organization, and FireEye has not linked the attack to any known group, but it believes with moderate confidence that a nation-state actor is responsible. This assessment is based on the apparent lack of financial motivation and the amount of resources necessary to pull off such an attack.

The activity observed by FireEye may have been conducted during the reconnaissance phase of a campaign, and it’s consistent with attacks previously attributed to Russian, Iranian, U.S., North Korean and Israeli nation-state actors.

The malware, which FireEye has dubbed “Triton,” is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers, which are used to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

According to analysis (PDF) conducted by ICS cyber security firm Dragos, which calls the malware "TRISIS", the victim was an industrial asset owner in the Middle East.

The engineering and maintenance tool used by Triconex SIS products is TriStation. The TriStation protocol is proprietary and there is no public documentation for it, but Triton does leverage this protocol, which suggests that the attackers reverse engineered it when creating their malware.

Triton, which FireEye has described as an attack framework, is designed to interact with Triconex SIS controllers. The malware can write and read programs and functions to and from the controller, and query its state, but not all capabilities had been leveraged in this specific attack.

The hackers deployed Triton on a Windows-based engineering workstation. The malware had left legitimate programs running on the controllers in place, but added its own programs to the execution table. The threat attempts to return the controller to a running state in case of a failure, or overwrite the malicious program with junk data if the attempt fails, likely in an effort to cover its tracks.

In general, once the SIS controller has been compromised, the attacker can reprogram the device to trigger a safe state, which could cause downtime and result in financial losses. Attackers could also reprogram the SIS so that it allows dangerous parameters without triggering the safe state, which can have a physical impact, including on human safety, products and equipment, FireEye said.

However, the physical damage that can be done via the SIS controller is limited by the mechanical safety systems deployed by an organization.

In the case of the critical infrastructure attack investigated by FireEye, the attackers shut down operations after causing the SIS controllers to initiate a safe shutdown, but they may have done it inadvertently while trying to determine how they could cause physical damage.

On the other hand, FireEye noted that “intrusions of this nature do not necessarily indicate an immediate intent to disrupt targeted systems, and may be preparation for a contingency.”

Schneider Electric has launched an investigation into this incident, but initial evidence suggests that Triton does not leverage any vulnerabilities in the Triconex product and the company is not aware of any other attacks.

“It is important to note that in this instance, the Triconex system responded appropriately, safely shutting down plant operations. No harm was incurred by the customer or the environment,” the industrial giant said.

Schneider said the targeted safety controllers are widely used in critical infrastructure, and it’s working on determining if there are any additional attack vectors. In the meantime, customers have been advised not to leave the front panel key position in “Program” mode when the controller is not being configured. The malware can only deliver its payload if the key switch is set to this mode. Signatures of the malware samples identified by FireEye have been provided to cybersecurity firms so security products should be able to detect at least some variants of the threat.

There are only a handful of malware families specifically designed to target industrial systems, including the notorious Stuxnet, and Industroyer, the malware used in the December 2016 attack aimed at an electrical substation in Ukraine. Last year, FireEye identified an ICS malware dubbed IRONGATE, but it had not been observed in any actual attacks, leading experts to believe that it may have been developed for research purposes.


UK Spy Chiefs Peel Back Secrecy -- to Fight Cybercrime
14.12.2017 securityweek BigBrothers
Britain's cyber-spooks are reaching out from behind their veil of secrecy with the aim of cultivating the nation's next generation of high-tech sentries -- a move not without security risks.

With recruiting initiatives levelled at tech-savvy hipsters, start-ups pitching ideas and even Christmas puzzles, the top-secret Government Communications Headquarters (GCHQ) is letting the public in, ever so slightly.

The latest move was this month's "Cyber Accelerator" event at the National Cyber Security Centre (NCSC) -- part of GCHQ -- when investors, journalists and entrepreneurs were offered a rare glimpse behind the scenes.

The Accelerator project connects tech entrepreneurs with GCHQ experts and information, aiming to help the budding companies turn their ideas into ready-for-market cyber-defence products.

The move is the latest in a series of initiatives by the security services to open their doors to young tech wizards -- a subtle effort to recruit the best and brightest as Britain's future cyber-sentries.

GCHQ has previously used stencil graffiti recruitment adverts in the fashionable east London tech hub, and also launched an online puzzle comprising 29 blocks of letters to be decoded by aspiring cyber spies.

During the visit to Accelerator, visitors were whisked up to the National Cyber Security Centre's offices in central London in space-age lifts.

Once arrived, they got to see the latest weapons the entrepreneurs were pitching to private investors as part of the programme.

"Razor wire is there to keep people out, but it does quite a good job of keeping people in. It does create an internal community and we wanted to break out of that," said Chris Ensor, NCSC's deputy director for cyber-skills and growth.

"Accelerator is the natural next step, going out into the wider world."

Nine businesses, who are working with GCHQ for nine months, pitched ideas including defences for crypto-currencies and domestic web-connected products as well as hardware that can wipe the contents of a laptop in case of theft.

Matt Hancock, a junior minister for digital and culture affairs, encouraged investors to dig deep, saying that GCHQ's efforts to engage with the outside world were bearing fruit.

"The small acorn is now beginning to grow into an oak," he said.

- Security risk -

Stressing the urgency of the challenge, NCSC technical director Ian Levy revealed that the agency has dealt with 600 major cyber incidents in its first year, 35 of which were classed as serious.

"They have taught us some things," he said. "Our adversaries are infinitely inventive, they're brilliant."

Alan Woodward, a cybersecurity expert at the University of Surrey, praised Britain for harnessing individual inspiration with the power of government.

"Some of the best ideas have come from one man and his shed, it's the modern version of that.

"They don't always find a natural home in big business or government, this is about trying to give them a leg up," he said.

The event's Silicon Valley spirit and prospects of hard cash are both intended to lure sharp young minds towards working for the nation's defence, he added.

"You can pay someone £30,000 ($40,000, 34,000 euros) a year to go and work at GCHQ and they can basically double that by going to industry. It's hard to get them in and retain them."

- 'Keen to attract young talent' -

"We also know GCHQ is very, very keen to attract young talent," said Anthony Glees, director of the Buckingham University Centre for Security and Intelligence Studies.

"Some of the most successful hackers have been 16 and 17-year old lads working out of their bedrooms."

However, the necessity of information sharing with private citizens creates potential security "pitfalls", he said, with the leaks by private contractor Edward Snowden while working for the NSA -- GCHQ's US equivalent -- serving as a warning.

GCHQ conduct thorough background checks, but this is "an extremely expensive process", said Glees.

The government must therefore walk a fine line in judging what information to share.

"Exchanging information is always hazardous... but it is necessary," said Glees.

But some things will remain stamped "Top secret", including the location where the entrepreneurs do their work with Britain's cyber-spies.

"It's a physical place, but you can't tell anyone where it is," said the NCSC's Ensor.


New Triton malware detected in attacks against a Critical Infrastructure operator
14.12.2017 securityaffairs ICS
A new strain of malware dubbed Triton specifically designed to target industrial control systems (ICS) system has been spotted by researchers at FireEye.

The Triton malware has been used in attacks aimed at an unnamed critical infrastructure organization. Experts suspect a state-sponsored actor with a sabotage motive, given the lack of financial motivation and the level of sophistication of the attacks.

FireEye has not linked the Triton attack to any known APT group. The experts believe the activity they detected was part of the reconnaissance phase of a campaign, and that it is consistent with many attacks and reconnaissance activities carried out globally that were previously attributed to Russian, Iranian, U.S., North Korean and Israeli nation-state actors.

The Triton malware is designed to target Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers that are used in industrial environments to monitor the state of a process and restore it to a safe state or safely shut it down if parameters indicate a potentially hazardous situation.

“Mandiant recently responded to an incident at a critical infrastructure organization where an attacker deployed malware designed to manipulate industrial safety systems. The targeted systems provided emergency shutdown capability for industrial processes.” reads the analysis published by FireEye.

“We assess with moderate confidence that the attacker was developing the capability to cause physical damage and inadvertently shutdown operations. This malware, which we call TRITON, is an attack framework built to interact with Triconex Safety Instrumented System (SIS) controllers.”


Once they had gained access to the SIS system, the threat actors deployed the TRITON malware, which indicates that they had knowledge of such systems. According to FireEye, the attackers pre-built and tested the tool, which would require access to hardware and software that is not widely available. TRITON is also designed to communicate using the proprietary TriStation protocol, which is not publicly documented; this implies that the attackers reverse engineered the protocol to carry out the attack.

The Triton malware interacts with Triconex SIS controllers: it is able to read and write programs and functions to and from the controller.

“TRITON was deployed on an SIS engineering workstation running the Microsoft Windows operating system. The malware was named to masquerade as the legitimate Triconex Trilog application. This application is used for reviewing logs and is a part of the TriStation application suite.” continues FireEye.

“The malware was delivered as a Py2EXE compiled python script dependent on a zip file containing standard Python libraries, open source libraries, as well as the attacker-developed Triconex attack framework for interacting with the Triconex controllers. Along with the executable, two binary files, inject.bin (malicious function code) and imain.bin (malicious control logic), were deployed as the controller’s payload. These file names were hard coded in the Py2EXE compiled python script.”


The hackers deployed the Triton malware on a Windows-based engineering workstation, and the malicious code added its own programs to the controller's execution table. In case of a failure, the malware attempts to return the controller to a running state; if that attempt fails, it overwrites the malicious program with junk data, likely to remove any trace of the attack.

An attack against a SIS controller is very dangerous: once it has been compromised, the attacker can reprogram the device to trigger a safe state, with a dramatic impact on the operations of the targeted environment. Attackers could also reprogram the SIS controller so that it does not trigger protective actions when parameters reach dangerous values.

“The attacker targeted the SIS suggesting an interest in causing a high-impact attack with physical consequences. This is an attack objective not typically seen from cyber-crime groups.” continues FireEye.

“If the SIS and DCS controls fail, the final line of defense is the design of the industrial facility, which includes mechanical protections on equipment (e.g. rupture discs), physical alarms, emergency response procedures and other mechanisms to mitigate dangerous situations.”

In the incident FireEye investigated, the SIS controllers initiated a safe shutdown of the process; experts believe the attackers triggered it inadvertently, probably while still in a reconnaissance phase.

Schneider Electric is investigating the attack to discover if the threat actors exploited any vulnerability in the Triconex product.

Schneider published a security advisory warning its customers not to leave the front panel key switch in the "Program" position when the controller is not being configured: the malicious code can only deliver its payload to the controller if the key switch is set to that mode.

“Schneider Electric is aware of a directed incident targeting a single customer’s Triconex Tricon safety shutdown system. We are working closely with our customer, independent cybersecurity organizations and ICSCERT to investigate and mitigate the risks of this type of attack.” reads the security advisory.

“The modules of this malware are designed to disrupt Triconex safety controllers, which are used widely in critical infrastructure. The malware requires the keyswitch to be in the “PROGRAM” mode in order to deliver its payload. Among others, the reported malware has the capability to scan and map the industrial control system environment to provide reconnaissance and issue commands directly to Tricon safety controllers.”

The FireEye report includes Indicators of Compromise (IoCs) for the threat.

Signatures for the malware samples identified by FireEye have been shared with other cybersecurity firms, so security products should now be able to detect at least some variants of the threat.
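The file-level details above (a Py2EXE dropper named after the Trilog application, the hard-coded inject.bin and imain.bin payload names) are enough for a first-pass triage of an engineering workstation. The script below is an added example, not FireEye's or Schneider Electric's tooling: it walks a directory tree and flags the two payload names, executables named after Trilog, and anything that looks Py2EXE-packaged. The Py2EXE heuristics (a PYTHONSCRIPT marker inside the executable, a library.zip beside it) are assumptions about how py2exe packages a script, not indicators published by FireEye, and the directory layout it scans is constructed for the demo.

```python
"""Triage scan for TRITON-style artefacts on a Triconex engineering workstation.

Added example, not FireEye's or Schneider Electric's tooling.  The Py2EXE
heuristics are assumptions about py2exe packaging, not published IoCs.
"""
import os
import tempfile
import zipfile

PAYLOAD_NAMES = {"inject.bin", "imain.bin"}   # hard-coded in the dropper, per FireEye
MASQUERADE_NAME = "trilog.exe"                # legitimate Triconex log viewer it impersonated
PY2EXE_MARKER = b"PYTHONSCRIPT"               # assumed py2exe resource marker
PY2EXE_LIBRARY = "library.zip"                # assumed py2exe sidecar archive


def looks_like_py2exe(path):
    """Heuristic: embedded PYTHONSCRIPT marker, or a library.zip next to the binary."""
    try:
        with open(path, "rb") as fh:
            if PY2EXE_MARKER in fh.read():
                return True
    except OSError:
        return False
    return os.path.exists(os.path.join(os.path.dirname(path), PY2EXE_LIBRARY))


def scan_tree(root):
    """Return sorted (relative path, reason) pairs for every suspicious file under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            lower = name.lower()
            if lower in PAYLOAD_NAMES:
                findings.append((rel, "hard-coded TRITON payload name"))
            elif lower.endswith(".exe") and looks_like_py2exe(path):
                reason = "Py2EXE-packaged executable"
                if lower == MASQUERADE_NAME:
                    reason += " named after the Trilog application"
                findings.append((rel, reason))
    return sorted(findings)


def build_sample_workstation(root):
    """Constructed directory layout for the demo; none of these files is a real sample."""
    ws = os.path.join(root, "Triconex")
    os.makedirs(ws)
    with open(os.path.join(ws, "trilog.exe"), "wb") as fh:       # fake PE carrying the py2exe marker
        fh.write(b"MZ" + b"\0" * 64 + PY2EXE_MARKER)
    with zipfile.ZipFile(os.path.join(ws, PY2EXE_LIBRARY), "w") as z:
        z.writestr("attack_framework.pyc", b"\0")               # stand-in for the attacker's framework
    for name in PAYLOAD_NAMES:
        with open(os.path.join(ws, name), "wb") as fh:
            fh.write(b"\0" * 16)
    with open(os.path.join(ws, "shift_report.txt"), "w") as fh:
        fh.write("benign operator notes\n")
    tools = os.path.join(root, "Tools")
    os.makedirs(tools)
    with open(os.path.join(tools, "viewer.exe"), "wb") as fh:    # ordinary executable, no py2exe markers
        fh.write(b"MZ" + b"\0" * 64)


def run_demo():
    root = tempfile.mkdtemp(prefix="triton-triage-")
    build_sample_workstation(root)
    return scan_tree(root)


if __name__ == "__main__":
    for rel, reason in run_demo():
        print(f"{reason}: {rel}")
```

A hit on a Py2EXE executable is only a lead: plenty of legitimate vendor utilities are packaged that way, so confirm against the published hashes and, above all, check whether the controller's key switch has been left in PROGRAM mode.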

Despite the large number of infections reported on ICS systems over the years, at the time experts had identified only a handful of ICS-tailored malware families: Stuxnet, Havex, BlackEnergy2, IRONGATE, and Industroyer.


US DoJ charges 3 Men with developing and running the Mirai Botnet
14.12.2017 securityaffairs BotNet

The US DoJ announced plea agreements for Paras Jha, Josiah White, and Dalton Norman for creating and operating the dreaded Mirai botnet.
US authorities charge three men with developing and running the dreaded Mirai botnet that was involved in several massive DDoS attacks.

According to documents released by the US Department of Justice (DOJ), the three men are Paras Jha, Josiah White, and Dalton Norman.

According to the plea agreements, White developed the Telnet scanner component used by Mirai, Jha created the botnet’s core infrastructure and the malware’s remote control features, while Norman developed new exploits.

Jha, who went online under the moniker "Anna-senpai", leaked the source code of the Mirai malware on a criminal forum, allowing other threat actors to use it and making attribution of later attacks harder.

Jha also pleaded guilty to carrying out multiple DDoS attacks against his alma mater, Rutgers University, between November 2014 and September 2016.

The Mirai bot was first spotted by researchers at MalwareMustDie in August 2016; the malicious code was developed to target IoT devices.


The IoT malware brute-forces telnet logins using a list of factory default credentials to gain access to the target device.


Once the Mirai loader gains access to a target IoT device, it connects out to download the full malware and runs it. The bot then starts sending SYN packets at a high rate to the telnet ports (TCP 23 and 2323) of other addresses, looking for further potential victims.
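The two behaviours just described, a burst of SYNs to the telnet ports across many hosts and a walk through factory default credentials, are what a defender can actually see in flow and authentication logs. The script below is an added example, not the Mirai source or any vendor's detection: it runs two checks over constructed log records (every address, timestamp and log format is made up for the demo). The credential table is a small subset of the dictionary in the leaked Mirai source; the real list is considerably longer.

```python
"""Detecting Mirai-style scanning and credential sweeps in constructed logs.

Added example, not Mirai's code or a vendor's detection.  Log formats and
addresses are constructed for the demo.
"""
from collections import defaultdict

TELNET_PORTS = {23, 2323}

# A few of the user/password pairs from the leaked Mirai dictionary (the real table is longer).
MIRAI_DEFAULTS = {
    ("root", "xc3511"), ("root", "vizxv"), ("root", "admin"), ("admin", "admin"),
    ("root", "888888"), ("root", "xmhdipc"), ("root", "default"), ("root", "juantech"),
}

# Constructed flow records "ts src dst dport tcp_flags": 10.0.0.7 behaves like an
# infected DVR spraying SYNs; 10.0.0.5 is an admin with one real telnet session.
FLOW_LINES = [
    f"15020000{i:02d} 10.0.0.7 203.0.113.{i} {23 if i % 2 else 2323} S" for i in range(1, 41)
] + [
    "1502000005 10.0.0.5 10.0.0.9 23 S",
    "1502000006 10.0.0.5 10.0.0.9 23 A",
    "1502000007 10.0.0.5 10.0.0.9 23 PA",
    "1502000010 10.0.0.11 198.51.100.4 443 S",
]

# Constructed telnet authentication records "ts src user password result".
LOGIN_LINES = [
    "1502000100 198.51.100.9 root xc3511 fail",
    "1502000101 198.51.100.9 root vizxv fail",
    "1502000102 198.51.100.9 admin admin fail",
    "1502000103 198.51.100.9 root 888888 fail",
    "1502000104 198.51.100.9 root xmhdipc success",
    "1502000200 10.0.0.5 operator long-unique-passphrase success",
]


def detect_syn_scanners(lines, min_targets=20, window=60):
    """Map each source to the largest number of distinct telnet hosts it probed with bare
    SYNs inside any `window`-second span, keeping only sources at or above min_targets."""
    probes = defaultdict(list)
    for line in lines:
        ts, src, dst, dport, flags = line.split()
        if int(dport) in TELNET_PORTS and flags == "S":
            probes[src].append((int(ts), dst))
    flagged = {}
    for src, events in probes.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide the window forward
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


def detect_default_credential_sweeps(lines, min_attempts=3):
    """Map each source that tried min_attempts or more distinct factory credentials to
    how many it tried and whether one of them succeeded."""
    tried = defaultdict(set)
    succeeded = set()
    for line in lines:
        _ts, src, user, password, result = line.split()
        if (user, password) in MIRAI_DEFAULTS:
            tried[src].add((user, password))
            if result == "success":
                succeeded.add(src)
    return {
        src: {"attempts": len(creds), "succeeded": src in succeeded}
        for src, creds in tried.items() if len(creds) >= min_attempts
    }


if __name__ == "__main__":
    for src, n in detect_syn_scanners(FLOW_LINES).items():
        print(f"{src}: SYNs to {n} distinct telnet hosts inside 60s")
    for src, info in detect_default_credential_sweeps(LOGIN_LINES).items():
        print(f"{src}: {info['attempts']} factory credentials tried, success={info['succeeded']}")
```

The scanner check deliberately counts distinct destinations rather than packets, so a single legitimate telnet session with retransmitted SYNs does not trip it; a successful login after a sweep of factory credentials is the event worth paging on, since it means a new device has just been recruited.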

The Mirai botnet peaked at over 300,000 infected devices, mainly DVRs, security cameras, and routers.

The three men advertised the botnet on hacking forums as a DDoS-for-hire service; Jha also used it to extort a hosting company.

According to court documents, the three men used the Mirai botnet to make money through “click fraud” activity. The botnet was used to emulate the behavior of real users clicking on an advertisement for the purpose of artificially generating profits for operators.

The three also generated some $180,000 from the scheme in bitcoin.

The Mirai botnet was also used against the website of the investigative journalist Brian Krebs, who later identified Jha and White as operators of the botnet.

The three face possible prison terms and monetary fines.


Experts disclosed an unpatched zero-day vulnerability in the firmware of AT&T DirecTV WVB kit
14.12.2017 securityaffairs Vulnerability

Security researchers at Trend Micro have publicly disclosed an unpatched zero-day flaw in the firmware of the AT&T DirecTV WVB kit after the manufacturer failed to patch it.
Security researchers at Trend Micro have discovered an unpatched zero-day vulnerability in the firmware of AT&T DirecTV WVB kit after the manufacturer failed to patch this flaw over the past few months.

The issue affects a core component of the Genie DVR that is shipped free of charge with DirecTV. The flaw can be easily exploited by attackers to gain root access to the device, putting millions of DirecTV users at risk.

The vulnerability resides in the WVBR0-25, a Linux-powered wireless video bridge manufactured by Linksys.

DirecTV Wireless Video Bridge WVBR0-25 allows the Genie DVR to communicate over the air with customers’ Genie client boxes that are plugged into their TVs in the same home.

Trend Micro researcher Ricky Lawshae analyzed the kit and discovered that the Linksys WVBR0-25 does not require any authentication to access internal diagnostic information from the device's web server.

Simply browsing to the wireless bridge's web server was enough to see diagnostic output streaming back.

“I started out by trying to browse to the web server on the device. I expected to find a login page of some sort. What I found instead was a wall of text streaming before my eyes.” wrote Ricky Lawshae.


The output of several diagnostic scripts contained a lot of information about the DirecTV Wireless Video Bridge, including the WPS PIN, running processes, connected clients, and much more.

A deeper analysis of the scripts revealed that the device accepted commands remotely and executed them as root, meaning that an attacker could take full control of it.

“The return value also showed the device had happily executed my new commands and executed them as the root user, too! No login prompt. No input sanitization.” continues the analysis.

“It literally took 30 seconds of looking at this device to find and verify an unauthenticated, remote root command injection vulnerability. It was at this point that I became pretty frustrated,”

“The vendors involved here should have had some form of secure development to prevent bugs like this from shipping. More than that, we as security practitioners have failed to affect the changes needed in the industry to prevent these simple yet impactful bugs from reaching unsuspecting consumers.”

Lawshae also published a video PoC showing how to get a root shell on the DirecTV wireless box in a matter of seconds.
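The bug class Lawshae describes, a diagnostic script that takes a request parameter, pastes it into a shell command line and runs it as root with no login, is worth seeing next to its fix. The code below is an added example, not the WVBR0-25 firmware (the page does not show the device's scripts or their parameter names): a hypothetical diagnostic that reports on a path, with `ls` and `id` standing in for the device's own tools. The vulnerable handler reproduces the flaw; the hardened one authenticates with an assumed token, validates the argument, and never invokes a shell. It runs on any POSIX host.

```python
"""Unauthenticated command injection in a diagnostic handler, beside its fix.

Added example; the diagnostic, its parameter and the auth token are hypothetical
stand-ins, not the WVBR0-25's scripts.
"""
import hmac
import re
import subprocess

DIAG_TOKEN = "constructed-example-token"        # assumed auth secret for the demo
SAFE_PATH = re.compile(r"^/[A-Za-z0-9_./-]*$")   # absolute path, no shell metacharacters


def vulnerable_diag(path):
    """No login, no validation, and the argument is interpolated into a shell command."""
    cmd = f"ls -ld {path}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def argv_only_diag(path):
    """Same command without a shell: metacharacters in `path` are just bytes of a filename."""
    return subprocess.run(["ls", "-ld", path], capture_output=True, text=True).stdout


def hardened_diag(path, token):
    """Authenticate, reject anything but a plain absolute path, then run without a shell."""
    if not hmac.compare_digest(token, DIAG_TOKEN):
        raise PermissionError("authentication required")
    if not SAFE_PATH.fullmatch(path) or ".." in path:
        raise ValueError(f"rejected diagnostic argument: {path!r}")
    return argv_only_diag(path)


def raises(exc, fn, *args):
    """Helper so the checks can be expressed as plain booleans."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    payload = "/ ; id"
    print("vulnerable:", vulnerable_diag(payload))          # second line is the output of `id`
    print("argv only :", argv_only_diag(payload) or "<ls failed on the literal name, no id run>")
    print("hardened  :", raises(ValueError, hardened_diag, payload, DIAG_TOKEN))
```

Dropping the shell alone neutralises the `; id` payload, which is why the argv form is the first fix to apply; the allow-list and the authentication check are what keep the next, differently shaped input from being a problem, and on a real device the handler should also not be running as root in the first place.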

The vulnerability was reported by Trend Micro's Zero Day Initiative (ZDI) to Linksys more than six months ago, but the vendor has not yet fixed the problem; for this reason the researchers opted to publicly disclose the zero-day vulnerability.


Trump signed a bill prohibiting the use of Kaspersky Lab product and services
14.12.2017 securityaffairs BigBrothers

The US President Donald Trump signed a bill that bans the use of Kaspersky Lab products and services in federal agencies.
Section 1634 of the bill prohibits the use of security software and services provided by Kaspersky Lab; the ban takes effect on October 1, 2018.

Below are the details of the ban, from section 1634 of the National Defense Authorization Act for Fiscal Year 2018.

“SEC. 1634. Prohibition on use of products and services developed or provided by Kaspersky Lab.

(a) Prohibition.—No department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by—

(1) Kaspersky Lab (or any successor entity);
(2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or
(3) any entity of which Kaspersky Lab has majority ownership.

(b) Effective date.—The prohibition in subsection (a) shall take effect on October 1, 2018.”

Senator Jeanne Shaheen welcomed the news, asserting that the US Government had gathered all the evidence necessary to justify such a decision.

“The case against Kaspersky is well-documented and deeply concerning. This law is long overdue, and I appreciate the urgency of my bipartisan colleagues on the Senate Armed Services Committee to remove this threat from government systems.” commented Shaheen.

Sen. Shaheen is the author of a letter recently sent to the Trump administration asking that information on Kaspersky Lab be declassified “to raise public awareness regarding the serious threat that the Moscow-based software company poses to the United States’ national security.”

Sen. Jeanne Shaheen (@SenatorShaheen), Dec 12, 2017: "The defense bill also provides funding for a nationwide health study on the impact of contaminants in drinking water. Seacoast families deserve peace of mind and I'm glad that we can finally move forward with this study. http://bit.ly/2l3833k" https://twitter.com/SenatorShaheen/status/940668478704537601

Sen. Jeanne Shaheen (@SenatorShaheen), Dec 12, 2017: "Also included is my amendment to ban the use of Kaspersky Lab software on all government computers. The case against Kaspersky is well-documented & deeply concerning, & I'll continue to advocate for measures to strengthen our nation's cybersecurity. http://bit.ly/2BFJ6SG"

Kaspersky Lab issued the following statement about Section 1634.

“Kaspersky Lab continues to have serious concerns about Section 1634 of the National Defense Authorization Act due to its geographic-specific approach to cybersecurity, singling out Kaspersky Lab, which we maintain, does little to mitigate information security risks affecting government networks.” reads the statement issued by Kaspersky.

“Nevertheless, Kaspersky Lab is assessing its options, while continuing to protect its customers from cyber threats, and collaborating globally with the IT security community to fight cybercrime.”


In September, the US DHS ordered federal agencies to stop using Kaspersky software and services.

The ban was the response to the concerns about possible ties between Kaspersky and Russian intelligence agencies.

According to The Washington Post, which first reported the news, the order applies to all civilian government networks, but not the military ones.

Recently the UK's National Cyber Security Centre (NCSC) also issued a warning regarding the use of Kaspersky software and services by government agencies.

The CEO of the UK National Cyber Security Centre (NCSC), Ciaran Martin, wrote to permanent secretaries regarding the issue of supply chain risk in cloud-based products, including anti-virus (AV) software.

The NCSC is a branch of the UK Government Communications Headquarters (GCHQ), the UK intelligence and security agency.

The letter warns against software made in hostile states, specifically Russia: as the Prime Minister's Guildhall speech set out, the Russian government is acting against the UK's national interest in cyberspace.

Kaspersky has repeatedly denied the accusations and it announced the launch of a transparency initiative that involves giving partners access to the source code of its solutions.


FortiClient improper access control exposes users’ VPN credentials
14.12.2017 securityaffairs Vulnerability

FortiClient for Linux, Mac OSX and Windows stores encrypted VPN authentication credentials in improperly secured locations.
Fortinet has released security updates for its FortiClient next-generation endpoint protection product that address a serious information disclosure vulnerability.

The flaw, tracked as CVE-2017-14184, could be exploited by a local attacker to obtain the VPN authentication credentials of other users of the same machine.

FortiClient is a powerful product that includes many components and features such as web filtering, application firewall, vulnerability assessment, anti-malware, and SSL and IPsec VPN features.

Experts at SEC Consult discovered security flaws that can be exploited to access the VPN authentication credentials stored by the product.

“FortiClient for Linux, Mac OSX and Windows stores encrypted VPN authentication credentials in improperly secured locations; regular users may therefore be able to see each other’s encrypted credentials. This is an issue, because the key used to encrypt the aforementioned credentials may be retrieved from the binary.” reads the project description published by SEC Consult.

SEC Consult rated the issue as “high severity”, while Fortinet has assigned it a 4/5 risk rating.

The first issue is that the VPN credentials are stored in a configuration file on Linux and macOS, and in the registry on Windows, in locations readable by every local user. The stored credentials are therefore easily accessible to an attacker with an ordinary account on the machine.

The second issue is that the decryption key for the credentials is hard-coded in the application and is the same on every FortiClient installation. An attacker can extract the key from the binary and decrypt the passwords.

“FortiClient stores the VPN authentication credentials in a configuration file (on Linux or Mac OSX) or in registry (on Windows). The credentials are encrypted but can still be recovered since the decryption key is hardcoded in the program and the same on all installations. Above all, the aforementioned storage is world readable, which actually lays the foundation for the credential recovery.” continues the analysis published by SEC Consult.


The flaws are particularly insidious in enterprise environments, where an insider with valid domain credentials can harvest the stored credentials of all other VPN users on the machine and gain access to their domain user accounts.

Fortinet's own advisory repeats the same description of the issue.
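The two defects reinforce each other: encryption with a key that ships in every copy of the binary is not access control, and a world-readable file hands the ciphertext to every local account. The code below is an added example, not FortiClient code; the toy stream cipher (SHA-256 keystream, XOR) and the constant key are stand-ins for whatever FortiClient actually used, which the page does not specify. The "weak" path reproduces both flaws, the "better" path fixes both: a key that is not baked into the program, and a credential file created with owner-only permissions. The "other user" is simulated by checking the mode bits rather than switching accounts.

```python
"""Install-wide key plus world-readable storage is not a secret store.

Added example, not FortiClient code.  Cipher and key are toy stand-ins.
"""
import hashlib
import os
import stat
import tempfile

HARDCODED_KEY = b"install-wide-key-baked-into-binary"   # assumed; stands in for the recoverable key


def keystream(key, n):
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def toy_encrypt(key, data):
    """Toy XOR stream cipher; decryption is the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, len(data))))


def world_readable(path):
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def store_weak(path, password):
    """Encrypted with the hard-coded key, written with world-readable permissions."""
    with open(path, "wb") as fh:
        fh.write(toy_encrypt(HARDCODED_KEY, password.encode()))
    os.chmod(path, 0o644)


def store_better(path, password, per_user_key):
    """Key belongs to the user (keychain, DPAPI, or a 0600 file); blob is 0600 from creation."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(toy_encrypt(per_user_key, password.encode()))
    os.chmod(path, 0o600)   # in case the umask or a pre-existing file widened the mode


def recover_as_another_user(path):
    """What a different local account can do: read the file if permitted, decrypt with the binary's key."""
    if not world_readable(path):
        return None
    with open(path, "rb") as fh:
        return toy_encrypt(HARDCODED_KEY, fh.read())


def demo(password="Passw0rd!"):
    root = tempfile.mkdtemp(prefix="vpn-cred-")
    weak, better = os.path.join(root, "weak.bin"), os.path.join(root, "better.bin")
    store_weak(weak, password)
    store_better(better, password, os.urandom(32))   # per-user key never written into the program
    return {
        "weak_world_readable": world_readable(weak),
        "weak_recovered": recover_as_another_user(weak),
        "better_world_readable": world_readable(better),
        "better_recovered": recover_as_another_user(better),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

On a shared machine the permission check is the one to run against your own VPN client today: if the file or registry key holding credentials is readable by other accounts, whether the encryption key is recoverable is a question of effort, not possibility.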

SEC Consult has developed a proof-of-concept (PoC) tool that leverages these issues to recover passwords; the company plans to release it later, giving users time to update their FortiClient installations.

According to Fortinet, the flaw affects FortiClient 5.6.0 and earlier for Windows and Mac, and version 4.4.2334 and earlier of the SSL VPN client for Linux. The Android and iOS apps are not impacted.

The problems are fixed in FortiClient 5.6.1 for Windows and Mac, and in FortiClient 4.4.2335 for Linux, which ships with FortiOS 5.4.7.

Below is the vendor contact timeline:

2017-08-30: Contacting vendor through psirt@fortinet.com
2017-09-19: Contacting vendor again due to lost message
2017-09-20: Vendor confirmed and assigned CVE-2017-14184 to the issues
2017-10-19: Vendor requested to postpone the release date
2017-11-02: Vendor informed the fix for Windows and OS X was done
2017-11-22/23: Vendor released 5.6.1 for OS X and 5.6.2 for Windows
2017-12-08: Vendor informed that the fix for Linux is available together with FortiOS release version 5.4.7
2017-12-13: Public disclosure of advisory


Three Plead Guilty in Mirai Botnet Attacks
13.12.2017 securityweek BotNet
US officials unveiled criminal charges Wednesday against a former university student and two others in the Mirai botnet attacks which shut down parts of the internet in several countries starting in mid-2016.

The Justice Department announced plea agreements for Paras Jha, 21 -- a former Rutgers University computer science student who acknowledged writing the malware code -- and Josiah White, 20, and Dalton Norman, 21, who helped profit from the attacks.

In documents unsealed Wednesday, Jha admitted writing the code for the botnet which harnessed more than 100,000 "internet of things" (IoT) devices such as cameras, light bulbs and appliances to launch the attacks.

By commanding an army of bots -- or computers under control of the attackers -- the malware shut down networks and websites in the United States, Germany, Liberia and elsewhere.

Jha admitted he "set up and managed command and control servers to manage the infected computers" in the scheme.

Officials said the three used the botnet "to conduct a number of powerful distributed denial-of-service" attacks which flood the internet and can shut down networks.

Later, Jha posted the source code for the Mirai malware on a criminal forum, allowing other groups to use it.

The malware was used to make money through "click fraud," a scheme that makes it appear that a real user has clicked on an advertisement for the purpose of artificially generating revenue, according to officials.

The three generated some $180,000 from the scheme in bitcoin, Justice officials added.

Jha was identified as a suspect earlier this year by security blogger Brian Krebs -- who was himself a victim of the attacks.

Krebs said Jha used the online moniker Anna-Senpai, who had claimed responsibility for earlier denial of service attacks using various versions of Mirai -- including some targeting Rutgers University, the school in New Jersey where Jha was studying.

In January 2017, "Jha and his co-conspirators leased access to their botnet to other criminals in exchange for payment," according to the plea agreement in federal court.

According to Krebs, Jha and White operated ProTraf Solutions LLC, which masqueraded as a security firm that dealt with "denial of service" attacks it created.

The three face possible prison terms and monetary fines as a result of the conspiracy and fraud charges.

Jha pleaded guilty separately to a series of attacks which shut down the Rutgers computer networks from 2014 to 2016, officials said.


Patchwork Cyberspies Adopt New Exploit Techniques
13.12.2017 securityweek CyberSpy
Malware campaigns attributed to the Patchwork cyberespionage group have been using a new delivery mechanism and exploiting recently patched vulnerabilities, Trend Micro warns.

Also known as Dropping Elephant or Chinastrats and believed to be operating out of the Indian subcontinent, the group is said to have been active since 2014. Initially focused on government-associated organizations that have connections to Southeast Asia and the South China Sea, the actor has expanded its target list to include entities in a broad range of industries.

In a new report (PDF) on Patchwork’s latest operations, Trend Micro says that the group has added businesses to its list of targets and that its use of numerous infection vectors and payloads makes it a credible threat.

Campaigns that security researchers have associated with the group over the course of 2017 revealed diverse methods (social engineering hooks, attack chains, and backdoors), along with the adoption of Dynamic Data Exchange (DDE), Windows Script Component (SCT), and exploits for recently reported vulnerabilities.

“These imply they’re at least keeping an eye on other threats and security flaws that they can repurpose for their own ends. Also of note are its attempts to be more cautious and efficient in their operations,” Trend Micro notes.

Targets and attack vectors

The observed campaigns focused on multiple sectors in China and South Asia, but also hit organizations in the U.K., Turkey, and Israel. Using spear-phishing emails, the cyberespionage group targeted high-profile personalities, business-to-consumer (B2C) online retailers, telecommunications and media companies, aerospace researchers, and financial institutions. The United Nations Development Programme was targeted as well.

The spear-phishing emails contained website redirects, direct links, or malicious attachments. Some emails contained direct links to malicious documents hosted on the attacker-owned servers. The group spoofed a news site and used it to divert visitors to socially engineered, malware-ridden documents and was also observed misusing email and newsletter distribution services.

A fake Youku Tudou website (a social video platform popular in China) was used for drive-by downloads. The victim was tricked into downloading and executing a fake Adobe Flash Player update that was, in fact, a variant of the xRAT Trojan.

Patchwork was also observed phishing for credentials to take over a target’s emails and other online accounts. One attack copied a webpage from a legitimate web development company and displayed the fake page to victims alone.

Using Rich Text Format (RTF) documents, the group exploited vulnerabilities such as CVE-2012-1856 – a remote code execution (RCE) in the Windows common control MSCOMCTL, or CVE-2015-1641 – a memory corruption in Microsoft Office. They also exploited the CVE-2014-4114 Sandworm RCE vulnerability in Windows’ Object Linking and Embedding (OLE) via PowerPoint (PPSX) files.

More recent vulnerabilities the actor has been abusing include CVE-2017-0199 – an RCE in Microsoft Office’s Windows OLE, patched in April 2017, and CVE-2017-8570 – an RCE in Microsoft Office patched in July 2017. They were exploited via PowerPoint (PPT) and PPSX files.

The malicious PPSX files exploiting CVE-2017-8570 downloaded a Windows Script Component (SCT) file from a Patchwork-owned server to eventually deliver the xRAT malware.

“Apart from exploit-laden documents, Patchwork also misused DDE to retrieve and execute xRAT in the infected machine. They also sent a document embedded with an executable, which downloads a decoy document and a backdoor, then executes the latter,” Trend Micro explains.
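Both of the document-borne vectors in this section leave a recognisable mark in the file: a DDE or DDEAUTO field instruction, which Word keeps in w:instrText runs (and w:fldSimple attributes) inside the OOXML parts and RTF keeps in \fldinst groups, and, for the OLE-based exploits, an embedded object marked to update when the document opens. The scanner below is an added example, not Trend Micro's detection. It joins the instruction runs before matching, because Word splits one field across several runs and attackers rely on that to hide the keyword; the \objautlink/\objupdate check is a heuristic for auto-refreshing OLE links, the behaviour CVE-2017-0199 documents rely on. All sample documents are constructed for the example.

```python
"""Flag DDE fields and auto-updating OLE links in .docx and RTF documents.

Added example, not Trend Micro's detection.  Samples are constructed.
"""
import io
import re
import zipfile

INSTR_TEXT_RE = re.compile(rb"<w:instrText[^>]*>(.*?)</w:instrText>", re.S)
FLD_SIMPLE_RE = re.compile(rb'<w:fldSimple[^>]*\bw:instr="([^"]*)"')
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.I)
RTF_FLDINST_RE = re.compile(r"\\fldinst\b(.*?)\}", re.S)
RTF_CONTROL_RE = re.compile(r"\\\\|\\\*|\\[A-Za-z]+-?\d*\s?|[{}]")
RTF_OLE_AUTOUPDATE_RE = re.compile(r"\\objautlink|\\objupdate")   # heuristic, see lead-in


def scan_docx(data):
    """Return (kind, snippet) findings for a .docx given as bytes."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            xml = z.read(name)
            # One field's instruction is spread over several runs: join them, then match.
            texts = [b"".join(INSTR_TEXT_RE.findall(xml))] + FLD_SIMPLE_RE.findall(xml)
            for t in texts:
                instr = " ".join(t.decode("utf-8", "replace").split())
                m = DDE_RE.search(instr)
                if m:
                    findings.append(("DDE field", f"{name}: {instr[m.start():m.start() + 80]}"))
    return findings


def rtf_plain(s):
    """Strip RTF control words and braces; an escaped backslash stays a backslash."""
    return RTF_CONTROL_RE.sub(lambda m: "\\" if m.group(0) == "\\\\" else "", s)


def scan_rtf(text):
    findings = []
    for m in RTF_FLDINST_RE.finditer(text):
        instr = " ".join(rtf_plain(m.group(1)).split())
        if DDE_RE.search(instr):
            findings.append(("DDE field", instr[:80]))
    if RTF_OLE_AUTOUPDATE_RE.search(text):
        findings.append(("OLE auto-update link", "\\objautlink or \\objupdate present"))
    return findings


def build_docx(document_xml):
    """Minimal .docx container; only word/document.xml matters for the scan."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", document_xml)
    return buf.getvalue()


# Constructed samples; the keyword is split across runs the way Word itself writes it.
DDE_DOCUMENT_XML = (
    '<w:document><w:body><w:p>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DDEA</w:instrText></w:r>'
    '<w:r><w:instrText>UTO c:\\\\windows\\\\system32\\\\cmd.exe "/k echo dde"</w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
    '</w:p></w:body></w:document>'
)
BENIGN_DOCUMENT_XML = (
    '<w:document><w:body><w:p>'
    '<w:r><w:instrText xml:space="preserve"> PAGE </w:instrText></w:r>'
    '</w:p></w:body></w:document>'
)
DDE_RTF = (
    r'{\rtf1{\field{\*\fldinst { DDEAUTO c:\\windows\\system32\\cmd.exe "/k echo dde" }}{\fldrslt }}'
    r'{\object\objautlink\objupdate{\*\objdata 0105000002000000}}}'
)
BENIGN_RTF = r'{\rtf1{\field{\*\fldinst { PAGE }}{\fldrslt 1}}}'


if __name__ == "__main__":
    print(scan_docx(build_docx(DDE_DOCUMENT_XML)))
    print(scan_rtf(DDE_RTF))
```

A DDE field is not by itself malicious (legitimate documents use DDE to pull data from other applications), so treat a hit as a reason to detonate or inspect the document, and remember that Word also consults fields in headers, footers and footnotes, which is why the scan covers every XML part under word/ rather than document.xml alone.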

Malware and infrastructure

In addition to using a variety of malicious documents for their nefarious purposes, the Patchwork hackers also deployed a miscellany of backdoors and information stealers onto their victims’ machines. Some of these tools appear to be used solely by this group, the security researchers say.

The threat actor was observed dropping malware such as the NDiskMonitor custom backdoor (believed to be Patchwork’s own, it can list files and logical drives and download and execute files from specified URLs); and Socksbot, which can start Socket Secure (SOCKS) proxy, take screenshots, and run executables and PowerShell scripts.

Malware such as the xRAT remote access tool (its source code is available online) and the Badnews backdoor (potent information-stealing and file-executing malware) were also associated with the group’s activities, as well as a series of file stealers (Taskhost Stealer and Wintel Stealer targeting .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, and RTF files, along with .eml and .msg email messages; as well as versions of file stealers written in AutoIt).

Trend Micro has identified 30 to 40 IP addresses and domain names used by the group in 2017 and says that each server had a different purpose. Some served only as command and control (C&C) servers collecting data from the deployed stealers, while others were used only to host phishing websites.

In some cases, the same server was used both for C&C communication and to distribute malware or malicious documents, hosting content copied from legitimate websites as cover.

The group has been using publicly available PHP scripts for retrieving files from the server without disclosing their real paths, likely to prevent security researchers from finding open directories. Trend Micro also observed the group temporarily removing a file so it could not be retrieved or replacing it with a legitimate one. Sometimes they would display “a fake 302 redirection page to trick researchers into thinking the files are gone.”

“Patchwork is in a vicious cycle, given the group’s habit of rehashing tools and malware. The more those are used, the likelier that they’d be incorporated in the group’s arsenal. The takeaway for enterprises? The gamut of tools and techniques at Patchwork’s disposal highlights the significance of defense in depth: arraying proactive defense to thwart threats at each level—from the gateways, endpoints, and networks to servers,” Trend Micro notes.


Golduck Malware Infects Classic Android Games
13.12.2017 securityweek Android
Several classic game applications in Google Play have been silently downloading and installing a malicious APK file onto Android devices, Appthority reports.

The malicious code was downloaded from a "Golduck" server and installed on devices using a technique called Java reflection. The offending applications, the security company says, were also observed running shell commands and sending SMS messages.

Appthority describes the malicious applications as high quality classic games, including Tank and Bomber. Rated high on Google Play, the games had up to 10.5 million downloads when their nefarious behavior was exposed.

The extra APK was being fetched from hxxp://golduck.info/pluginapk/gp.apk, after which the original game app would load the downloaded code via the /system/bin/dex2oat command.

Appthority's security researchers discovered three folders inside the loaded gp.apk file, each with a seemingly benign name: "google.android", "startapp.android.unity.ads", and "unity.ads". The malicious code was hidden inside the google.android folder.

By analyzing the content of the folders, Appthority found code (PackageUtils.class) designed to silently install applications using system permissions.

“These malicious apps seem to be at their initial stage and the code is not obfuscated,” the company notes.

The downloaded payload also contains code for sending SMS messages to users’ contacts. These messages contained game information, thus potentially increasing the chances that the malware would spread to other users.

The Golduck malware, the security company says, could allow attackers to completely compromise the infected device, especially if root is available. The threat also sets the stage for adware-related attacks.

Appthority found two Golduck-infected applications in Google Play and informed Google on the matter on Nov. 20, 2017. All of the offending applications have been taken down by the Android Security team.

To stay protected from the Golduck malware, users are advised to keep an eye on unusual activity on their mobile devices, such as the availability of root access without their intent. SMS charges from unknown sources would also indicate possible infection.

Users are also advised to avoid installing applications from unknown developers and from unofficial app stores.

The applications Appthority has found infected with Golduck include Classic Block Puzzle, Classic Bomber, and Classic Tank vs Super Bomber. Users are advised to uninstall these as soon as possible.


Adobe Patches 'Business Logic Error' in Flash Player
13.12.2017 securityweek Vulnerability
The only security update released by Adobe this Patch Tuesday addresses a moderate severity regression issue affecting Flash Player.

The vulnerability, tracked as CVE-2017-11305 and described as a “business logic error,” can lead to the unintended reset of the global settings preference file.

There is no evidence of exploitation in the wild and Adobe appears to have discovered the bug on its own.

The flaw affects version 27.0.0.187 and earlier of Flash Player on Windows, Mac, Linux and Chrome OS, and it has been patched with the release of version 28.0.0.126. Microsoft has also updated the Flash Player components used by its software in order to address this issue.

Last month, Adobe addressed a total of 80 vulnerabilities across Flash Player, Photoshop, Connect, Acrobat and Reader, DNG Converter, InDesign, Digital Editions, Shockwave Player, and Experience Manager. Five of the security holes affected Flash.

In October, the company initially announced that it had no Patch Tuesday updates, but a few days later it was forced to release an out-of-band update for Flash Player after Kaspersky Lab researchers noticed that a Middle Eastern threat actor named BlackOasis had been exploiting a zero-day vulnerability to deliver spyware.

The number of flaws found in Flash Player in the past months has decreased considerably, which may be a result of the decision to kill Flash Player by 2020. Nevertheless, as long as the software is still widely utilized, zero-day exploits are highly valuable to malicious actors.


Millions Impacted by Credential-Stealers in Google Play
13.12.2017 securityweek Android
During October and November 2017, Kaspersky Lab researchers discovered 85 applications in Google Play that were designed to steal credentials for Russian social network VK.com. One of the malicious applications had more than a million downloads.

While most of the applications were listed in the marketplace in October and gathered fewer than 1,000 installations, some were uploaded in July and proved to be highly popular among users. Seven of the apps had between 10,000 and 100,000 downloads, while nine had between 1,000 and 10,000 installations.

The most popular of the apps masqueraded as a game. It was submitted to Google Play in April 2017 without malicious code in it, but an update in October 2017 added the information stealing capabilities. The game gathered more than 1 million downloads in the seven months it was active on Google Play.

Most of the offending applications were designed to look like apps for the VK.com social platform, supposedly allowing users to listen to music or monitor user page visits. Because apps of this type normally ask for the user to log into their account, they didn’t raise suspicion. Some of the programs were game apps.

The campaign was targeted at VK users only. The platform is highly popular in CIS countries, and the malicious apps first checked the device language and only asked for login credentials if Russian, Ukrainian, Kazakh, Armenian, Azerbaijani, Belarusian, Kyrgyz, Romanian, Tajik, and Uzbek were in use, Kaspersky has discovered.

The actors behind these apps had been publishing their malicious applications in Google Play for over two years, so they had to modify their code to bypass detection, Kaspersky's researchers say.

The recently observed apps used a modified VK SDK: it served the user the genuine login page, but injected malicious JavaScript into it to steal the credentials from the login form and pass them back to the app. The stolen credentials were encrypted and then uploaded to a remote server.

Most of the malicious apps had the functionality described above, but some differed slightly: they ran the malicious JS code from the onPageFinished method to extract the credentials and upload them.

“We think that cybercriminals use stolen credentials mostly for promoting groups in VK.com. They silently add users to promote various groups and increase their popularity by doing so. We have reason to think so because there were complaints from some infected users that their accounts had been silently added to such groups,” Kaspersky says.

The researchers also note that other Google Play apps submitted by these miscreants were published as unofficial clients for popular messaging app Telegram. Built using an open source Telegram SDK, these apps would work just as any other such software, but they would also add users to promoted groups/chats (based on a list received from the server).

The credential-stealing apps are detected as Trojan-PSW.AndroidOS.MyVk.o. Kaspersky reported 72 of the apps to Google, all of which were removed (13 apps had been removed before). The malicious Telegram clients are detected as not-a-virus:HEUR:RiskTool.AndroidOS.Hcatam.a. They too were removed from Google Play.


SAP Becomes CVE Numbering Authority
13.12.2017 securityweek Vulnerability
Released this week with fixes for 11 vulnerabilities, SAP’s Security Patch Day for December 2017 marks a change in the history of SAP patches: it also includes CVE numbers in the titles of the security notes.

The change is a result of SAP becoming a CVE Numbering Authority (CNA), which authorizes it to assign CVE identifiers to vulnerabilities in its own products. The company's goal is to disclose the CVE numbers of the addressed vulnerabilities on each Security Patch Day, in an effort to increase “transparency and facilitate faster patch consumption for all SAP customers.”

Of the security notes the company included in this month’s Security Patch Day, one was Hot News (Very High priority), with a CVSS score of 9.1. The flaw, an OS Command Injection vulnerability in Report for Terminology Export impacting the SAP NetWeaver Documentation and Translation tools, is an update to a security note originally released in November 2016.

The note, Onapsis says, is actually a re-released version of one initially published a year ago. At the time, SAP removed the affected lines of code, which were obsolete: all the code that used to run when the report was executed in the background was deleted. That original patch closed the vulnerability, but it also broke the report's user interface, which is what the re-release addresses.

In the re-release, SAP added a new step toward solving the bug. Thus, in addition to implementing the correction instructions referenced by the SAP note, impacted customers also need to follow the manual steps in the document Manual instructions for creating GUI status related to note 2357141.pdf, which is available on the SAP customer portal.

“Onapsis Research Labs has tested the component and discovered that the previous patch properly solves the bug. Despite securing the vulnerability, it introduced a little malfunction in the SAP software. Even though the relevant report is secure, after installing the patch the report interface then breaks in the SAP GUI by being unresponsive to interactions such as button clicks,” Onapsis explains.

The new instructions provide information on how to manually correct the issue to execute the report and also remain secure. According to Onapsis, there are no additional security concerns related to the re-released security note and those who have already applied the original patch are protected. Those who haven’t should apply the note as soon as possible, considering that it is Hot News.

The new set of SAP security patches also include three High priority notes. One addresses an Additional Authentication check in Trusted RFC on same system (CVE-2017-16689), another fixes a Missing Authentication check in SAP BI Promotion Management Application (CVE-2017-16684), while the third updates an August 2014 patch note: SBOP solution for Apache Struts1.x vulnerability (CVE-2014-0094).

The rest of the flaws addressed this month were Medium priority. The most important of them include a Cross-Site Scripting (XSS) vulnerability in SAP BW Universal Data Integration (CVE-2017-16685), a Server-Side Request Forgery (SSRF) vulnerability in SAP NetWeaver Knowledge Management Configuration Service (CVE-2017-16678), a Denial of Service (DoS) in SAP BusinessObjects Platform (CVE-2017-16683), and an XSS vulnerability in BI Promotion Management Application (CVE-2017-16681).

The 11 security notes released as part of the December 2017 Security Patch Day are accompanied by 4 updates to previously released notes and 4 support package notes, for a total of 19 security notes, ERPScan reveals. Six of the notes were released after the second Tuesday of the previous month and before the second Tuesday of this month.

Implementation flaw was the most common type of vulnerability addressed this month (5 flaws), followed by XSS (2 bugs), Information Disclosure (2), Missing Authorization Check (2), Denial of Service (2), OS command execution (2), Remote Command Execution (1), Open Redirect (1), SSRF (1), and Log injection (1).

The Log injection vulnerability (CVE-2017-16687) impacts the SAP HANA XS classic user self-service and has a CVSS Base Score of 5.3. By exploiting the flaw, an attacker could inject arbitrary data into the audit log: forged entries make the log unreliable as evidence, and flooding it with large amounts of bogus data makes it hard to analyze, can rapidly exhaust disk space and can damage the event log.
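The article describes the HANA flaw only at this level, so the following is an added example of the general pattern rather than SAP's code or the HANA audit trail format: a line-oriented audit logger that concatenates an untrusted field, the forged record a newline in that field produces, and the hardened variant that neutralizes control characters, quotes fields and bounds their length. The usernames, timestamps and field names are constructed for the illustration.

```python
import re

# Constructed sample input: a username submitted through a self-service form. The embedded
# newlines and fake timestamp forge a second, complete "successful password reset" record.
INJECTED_USER = "guest\n2017-12-13T10:00:01Z user=admin action=password_reset result=success\n"
TS = "2017-12-13T10:00:00Z"


def naive_record(ts: str, user: str, action: str, result: str) -> str:
    """Vulnerable: attacker-controlled fields go straight into a line-oriented log."""
    return f"{ts} user={user} action={action} result={result}\n"


_CONTROL = re.compile(r"[\x00-\x1f\x7f]")   # CR, LF, NUL, ESC ... never belong in a field
MAX_FIELD = 64                              # bound what one request can write to the log


def sanitize(value: str) -> str:
    """Cap the field, escape quote/backslash, then render control characters as \\xNN."""
    value = value[:MAX_FIELD]                                    # bound before escaping
    value = value.replace("\\", "\\\\").replace('"', '\\"')      # keep the quoting intact
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group()), value)


def safe_record(ts: str, user: str, action: str, result: str) -> str:
    """Hardened: every untrusted field is sanitized and quoted before it reaches the line."""
    fields = " ".join(f'{k}="{sanitize(v)}"'
                      for k, v in (("user", user), ("action", action), ("result", result)))
    return f"{ts} {fields}\n"


# The analyst's (or SIEM's) view of the log: one record per line, key=value tokens,
# where a value may be quoted with backslash escapes.
_KV = re.compile(r'(\w+)=(?:"((?:[^"\\]|\\.)*)"|(\S+))')


def parse_records(log_text: str) -> list:
    return [line for line in log_text.split("\n") if line]


def parse_record(line: str) -> dict:
    return {k: q or bare for k, q, bare in _KV.findall(line)}


def admin_reset_successes(log_text: str) -> int:
    """How many successful password resets the log attributes to 'admin'."""
    count = 0
    for line in parse_records(log_text):
        rec = parse_record(line)
        if (rec.get("user") == "admin" and rec.get("action") == "password_reset"
                and rec.get("result") == "success"):
            count += 1
    return count
```

With the naive logger the single injected request yields three log lines, one of which is an apparently genuine record for `admin`; with the hardened logger the same input stays inside one quoted field and the log shows one failed login for `guest`. The length cap is what limits the disk-exhaustion variant the note describes.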


Stealthy Admin Accounts Found in Hybrid Office 365 Deployments
13.12.2017 securityweek Hacking
Vulnerability in Azure AD Connect Software Can Provide Stealthy Admins With Full Domain Control

'Stealthy admins' is a term for accounts that hold administrative privileges without being members of the protected admin groups. They are less protected and less monitored than members of those groups, and consequently pose a major security risk.

The team at Preempt Security has discovered an automatically generated stealthy admin account in hybrid on-premises/Azure Microsoft Office 365 (O365) deployments.

One aspect of the Preempt Platform's operation is to investigate and prevent insider threats, and this in turn involves detecting insider opportunities for escalating privileges. Escalation involves acquiring the rights of or using a privileged administrator account; and for this reason admin accounts should always be given greater protection.

"Organizations have well-defined groups for administrators, where they can be monitored and protected," explains Ajit Sancheti, CEO and co-founder of Preempt; "but sometimes users are given administrator rights without the account being placed into an administrator group. That's what we call a 'stealthy administrator'. Part of our job is to detect these."

Researchers from Preempt discovered that a stealthy admin is created as a matter of course during normal use of Microsoft's Azure AD Connect. AD Connect is a tool used by organizations with hybrid on-premises and cloud Office 365 deployments. It integrates on-premises Active Directory with Azure AD, so that users can have a common identity throughout.

The default express installation of Azure AD Connect creates an on-premises service account with an MSOL_ prefix (the MSOL account) that has domain admin-equivalent privileges but exists outside of any protected admin group: it sits in the default Users container as an ordinary user. To synchronize password hashes between on-premises accounts and the cloud, it is granted directory replication rights on the domain, the same rights a domain controller uses to replicate, password hashes included.

"Most Active Directory audit systems easily alert on excessive privileges, but will often miss users who have elevated domain privileges indirectly through domain discretionary access control list (DACL) configuration," said Roman Blachman, CTO and co-founder at Preempt. "We refer to these users as stealthy admins. The majority of our customers have Office 365 hybrid deployments and almost every one of them was vulnerable to this because Azure AD Connect was installed in express settings and created this flaw." Blachman has also explained the issue in a blog posted today.

Anyone with rights over ordinary user accounts has the same rights over the MSOL account, since it is not shielded the way members of protected groups are; resetting its password is enough to acquire its domain-level privileges. This could be an attacker already on the network looking to escalate privilege, or a 'rogue' employee. In the latter instance, Preempt gives the example of a help desk that uses a contract employee. That employee would be a domain user, but also an account operator for help desk purposes.

The help desk staff is effectively part of the supply chain, but with direct and legitimate access to user accounts, one of which, the MSOL account, carries domain-level privileges. If compromised, or simply rogue, the help desk operator could reset the MSOL account's password and use its replication rights to pull the credentials of every account on the domain, admins included. Since the MSOL account is not in a protected admin group, it is not tracked or monitored like other admin accounts, and its use by an attacker will not trigger the alerts that it should.

The MSOL account will exist as a stealthy admin as a matter of course for any organization that has used AD Connect to synchronize user passwords between on premise and cloud deployments of Office 365.
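The check Blachman describes, replication rights granted through the domain DACL to a principal outside the protected groups, can be expressed directly. The following is an added example in Python over constructed ACE data; it is neither Preempt's tool nor Microsoft's script. In a real domain the ACEs would be read from the nTSecurityDescriptor of the domain object and of the account (for instance via `Get-Acl "AD:\DC=corp,DC=example"` in PowerShell, an assumed input path); the account name, group memberships and the two ACLs below are invented for the illustration, and only allow ACEs are modelled.

```python
from dataclasses import dataclass

# Extended-right GUIDs from the AD schema (identical in every forest).
DS_REPLICATION_GET_CHANGES     = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
DS_REPLICATION_GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"   # includes secrets
USER_FORCE_CHANGE_PASSWORD     = "00299570-246d-11d0-a768-00aa006e0529"   # "Reset Password"
GENERIC_ALL = "GenericAll"                                                 # full control

# Groups that AdminSDHolder protects and that AD audit tooling normally watches.
PROTECTED_GROUPS = {
    "Administrators", "Domain Admins", "Enterprise Admins", "Schema Admins",
    "Account Operators", "Server Operators", "Backup Operators", "Print Operators",
    "Domain Controllers", "Enterprise Domain Controllers", "Read-only Domain Controllers",
    "Replicator",
}


@dataclass(frozen=True)
class Ace:
    trustee: str   # principal granted the right (account or group name)
    right: str     # extended-right GUID or access-mask name; allow ACEs only in this model


def rights_by_trustee(aces):
    granted = {}
    for ace in aces:
        granted.setdefault(ace.trustee, set()).add(ace.right)
    return granted


def replication_trustees(domain_aces):
    """Principals able to replicate the domain NC including secrets (what DCSync needs)."""
    needed = {DS_REPLICATION_GET_CHANGES, DS_REPLICATION_GET_CHANGES_ALL}
    return {t for t, r in rights_by_trustee(domain_aces).items()
            if GENERIC_ALL in r or needed <= r}


def expand(principals, group_members):
    """Add the direct members of any group named in `principals` (one level suffices here)."""
    out = set(principals)
    for p in principals:
        out |= set(group_members.get(p, ()))
    return out


def stealthy_admins(domain_aces, group_members):
    """Replication-capable principals that are neither protected groups nor members of one."""
    return replication_trustees(domain_aces) - expand(PROTECTED_GROUPS, group_members)


def password_resetters(account_aces):
    """Who can take an account over outright by resetting its password."""
    return {t for t, r in rights_by_trustee(account_aces).items()
            if USER_FORCE_CHANGE_PASSWORD in r or GENERIC_ALL in r}


def escalation_paths(domain_aces, group_members, account_acls):
    """For each stealthy admin, the principals (groups expanded) that can seize it."""
    return {acct: expand(password_resetters(account_acls.get(acct, [])), group_members) - {acct}
            for acct in stealthy_admins(domain_aces, group_members)}


# Constructed sample data modelled on a domain after an express-mode Azure AD Connect install.
MSOL = "MSOL_1a2b3c4d5e6f"                        # hypothetical account name
DOMAIN_ACES = [
    Ace("Administrators", GENERIC_ALL),
    Ace("Domain Admins", GENERIC_ALL),
    Ace("Enterprise Admins", GENERIC_ALL),
    Ace("Domain Controllers", DS_REPLICATION_GET_CHANGES),
    Ace("Domain Controllers", DS_REPLICATION_GET_CHANGES_ALL),
    Ace("Enterprise Domain Controllers", DS_REPLICATION_GET_CHANGES),
    Ace(MSOL, DS_REPLICATION_GET_CHANGES),        # granted so password hash sync can pull
    Ace(MSOL, DS_REPLICATION_GET_CHANGES_ALL),    # ...the secrets of every account
]
GROUP_MEMBERS = {"Domain Admins": ["da-alice"], "Account Operators": ["helpdesk-contractor"]}
# The MSOL account object: an unprotected user in the Users container, so Account Operators
# hold the default full control over it (before) versus a tightened ACL (after the fix).
MSOL_ACL_BEFORE = [Ace("Domain Admins", GENERIC_ALL), Ace("Account Operators", GENERIC_ALL)]
MSOL_ACL_AFTER  = [Ace("Domain Admins", GENERIC_ALL), Ace("Enterprise Admins", GENERIC_ALL)]
```

Run against the "before" ACL, `escalation_paths` shows the help desk contractor (through Account Operators) as able to seize the MSOL account and, with it, replication of the whole domain; against the "after" ACL only members of protected groups remain. Note that the account is still a stealthy admin by the replication criterion after the permission fix, which is why it should be monitored like any other admin account.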

Preempt reported the issue to Microsoft, which has today issued an advisory and fix. "Suppose there is a malicious on-premises AD administrator with limited access to customer's on-premises AD but has Reset-Password permission to the AD DS account," explains the advisory. "The malicious administrator can reset the password of the AD DS account to a known password value. This in turn allows the malicious administrator to gain unauthorized, privileged access to the customer's on-premises AD."

Microsoft's solution going forward is an 'improvement' to Azure AD Connect that ensures that the account it creates will in future have the recommended permissions. For Azure users who have already used AD Connect, Microsoft says, "You can use the PowerShell script available at Prepare Active Directory Forest and Domains for Azure AD Connect Sync to help you implement the permission changes on the AD DS account."

The Microsoft fix is not a patch for existing implementations. AD Connect will be updated so that future installations no longer create a stealthy MSOL account. For existing implementations, Microsoft is releasing a script that locates the MSOL account and applies the recommended permission changes to it, restricting who can reset or otherwise control it.

It is worth noting, however, that MSOL is unlikely to be the only stealthy admin on a network. While this Microsoft fix addresses the MSOL stealthy admin, it will not solve the problem of other stealthy accounts.

"We're seeing this in almost all of our customers," commented Sancheti. "We have never installed product with any customer without finding at least one or more stealthy admins -- usually anything between 5 to 100. Because of the complexity of Active Directory, it is quite common for one account to be given access to another account without ever realizing what permissions are quietly inherited in the process."

Preempt has developed and released a free tool called Preempt Inspector. "Its purpose is to detect all stealthy accounts that are often innocently created through configuration errors -- but that create a hidden risk for the network."


Microsoft Patches 19 Critical Browser Vulnerabilities
13.12.2017 securityweek Vulnerability
Microsoft’s Patch Tuesday updates for December 2017 address more than 30 vulnerabilities, including 19 critical flaws affecting the company’s Internet Explorer and Edge web browsers.

The critical vulnerabilities are memory corruption issues that can be exploited for remote code execution in the context of the targeted user. The security holes – in most cases related to the browser’s scripting engine – can be exploited by getting the target to visit a specially crafted website or a site that serves malicious ads (i.e. malvertising).

These flaws were reported to Microsoft by researchers at Google, Palo Alto Networks, McAfee and Qihoo 360. The Google Project Zero researcher known as Lokihardt has again been credited for finding many of the weaknesses.

Trend Micro’s Zero Day Initiative (ZDI) pointed out that one interesting vulnerability, albeit rated only “important,” is CVE-2017-11927, an information disclosure flaw in Windows that “takes us all the way back to the early days of Internet Explorer and CHM (compressed help) files.” The issue affects the Windows its:// protocol handler – ITS, or InfoTech Storage Format, is the storage format used in CHM files.

“In theory, you shouldn’t be able to access remote content using ITS outside of the Local Machine Zone thanks to a 2005 update,” ZDI explained in a blog post. “It appears that has been circumvented by this bug, as it allows attackers who trick users into browsing to a malicious website or to malicious SMB destinations to leak info. If an attacker can get the target to disclose the user's NTLM hash, they could then attempt a brute-force attack to obtain the corresponding password.”

The list of vulnerabilities fixed this month also includes information disclosure flaws in Office, a spoofing issue in Exchange, a privilege escalation bug in SharePoint, and a remote code execution vulnerability in Excel.

According to Microsoft, none of the vulnerabilities patched this month have been exploited in attacks or disclosed publicly before fixes were released.

Earlier this month, Microsoft informed users that it had released a patch for a critical remote code execution vulnerability affecting its Malware Protection Engine. The flaw, discovered by the UK's National Cyber Security Centre (NCSC), can be exploited to take control of the targeted system.

After publishing an advisory with information on how users can protect themselves against recent attacks abusing the Dynamic Data Exchange (DDE) protocol, Microsoft announced on Tuesday that it has released a defense-in-depth update that disables DDE in supported versions of Word.

Adobe has only patched one moderate severity vulnerability in Flash Player this Patch Tuesday.


Trump Signs Bill Banning Kaspersky Products
13.12.2017 securityweek BigBrothers
U.S. President Donald Trump on Tuesday signed a bill that prohibits the use of Kaspersky Lab products and services in federal agencies.

The National Defense Authorization Act for FY2018 (H.R. 2810) focuses on Department of Defense and Department of Energy programs, authorizes recruitment and retention bonuses for the Armed Forces, and makes changes to national security and foreign affairs programs.

Section 1634 of the bill bans the use of products and services provided by Russia-based cybersecurity firm Kaspersky Lab. The prohibition will go into effect on October 1, 2018.

“No department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by (1) Kaspersky Lab (or any successor entity); (2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or (3) any entity of which Kaspersky Lab has majority ownership,” the bill reads.

Senator Jeanne Shaheen, who has spearheaded the campaign against Kaspersky, stated, “The case against Kaspersky is well-documented and deeply concerning. This law is long overdue, and I appreciate the urgency of my bipartisan colleagues on the Senate Armed Services Committee to remove this threat from government systems.”

Sen. Shaheen recently sent a letter to the Trump administration asking that information on Kaspersky Lab be declassified “to raise public awareness regarding the serious threat that the Moscow-based software company poses to the United States’ national security.”

The U.S. Department of Homeland Security (DHS) ordered federal agencies to stop using Kaspersky products back in September, and the bill signed on Tuesday reinforces that order. However, the government has yet to provide any evidence of wrongdoing and even Sen. Shaheen’s statements appear to be largely based on various media reports citing anonymous officials.

One of the most recent media reports involving Kaspersky claimed Russian spies exploited the company’s products to steal sensitive files from an NSA contractor’s computer. The contractor in question has been charged and the cybersecurity firm has shared its side of the story.

The UK's National Cyber Security Center (NCSC) has also issued a warning regarding the use of Kaspersky products by government agencies. While the ban is less explicit compared to the US, it is expected to have a similar effect.

Kaspersky has repeatedly denied the accusations and it recently announced the launch of a transparency initiative that involves giving partners access to source code and paying significantly larger bug bounties for vulnerabilities found in the firm’s products.

UPDATE. Kaspersky Lab has provided the following statement:

“Kaspersky Lab continues to have serious concerns about Section 1634 of the National Defense Authorization Act due to its geographic-specific approach to cybersecurity, singling out Kaspersky Lab, which we maintain, does little to mitigate information security risks affecting government networks. Nevertheless, Kaspersky Lab is assessing its options, while continuing to protect its customers from cyber threats, and collaborating globally with the IT security community to fight cybercrime.”


Upstream Security Raises $9 Million to Protect Connected Cars Through the Cloud
13.12.2017 securityweek IT
Upstream Security, a Herzliya, Israel-based cybersecurity company that helps protect connected cars and autonomous vehicles from cyber threats, today announced that it has raised $9 million through a Series A funding round.

The company explains that it has developed a cloud-based automotive cybersecurity platform that leverages artificial intelligence and machine learning that can be applied to the vast amount of data continuously produced by vehicles.

The platform, Upstream describes, “provides customers with data protection, anomaly detection and real-time analytics of cyber attacks and vehicle fleet health. By centralizing cybersecurity in the cloud instead of in-vehicle, threats are detected and prevented before they even reach a vehicle's network.”

Upstream says the new funding will help expand its R&D program and open sales and marketing offices in the United States and Europe, with plans to open an office in Silicon Valley in the coming months.

Cyber threats to automotive systems are not new, and are becoming more of an issue as more cars become connected to the Internet and to other devices such as smartphones, smart keys, diagnostic tools and other vehicles.

A number of security researchers have demonstrated the ability to hack into modern vehicles and manipulate steering, acceleration, speedometers and safety sensors, sparking concerns that malicious attackers could use similar techniques to compromise a vehicle's Electronic Control Units (ECUs), allowing manipulation of the engine, brakes, airbags and other safety systems or vehicle components.

Researchers have demonstrated over the past years that vehicles such as the Toyota Prius, Tesla Model S, Jeep Cherokee, and Nissan Leaf are exposed to hacker attacks due to vulnerabilities in connected systems.

With Gartner forecasting there to be 250 million connected vehicles by 2020, Upstream is not the only company looking to tap this market.

Several companies that specialize in automotive security have emerged recently, including Karamba Security and Argus Cyber Security. Some traditional security industry players, such as Symantec and IOActive, have also launched vehicle security divisions. In late 2016, German carmaker Volkswagen teamed up with three Israeli cybersecurity experts to launch CYMOTIVE.

Just last month, Argus Cyber Security was acquired by Continental subsidiary Elektrobit (EB), which provides embedded software solutions to the automotive industry.

Led by CRV (Charles River Ventures), Upstream’s Series A funding round included expanded investments from Israeli-based Glilot Capital Partners and Maniv Mobility. The company previously raised a $2 million seed funding round in June of this year.


Old Crypto Vulnerability Hits Major Tech Firms
13.12.2017 securityweek Vulnerability
A team of researchers has revived an old crypto vulnerability and determined that it affects the products of several major vendors and a significant number of the world’s top websites.

Last month, F5 Networks informed customers that some of its BIG-IP products include a vulnerability that can be exploited by a remote attacker for recovering encrypted data and launching man-in-the-middle (MitM) attacks.

The security hole was reported to the vendor by Tripwire’s Craig Young, researcher and journalist Hanno Böck, and Juraj Somorovsky of Ruhr-Universität Bochum. The experts noted at the time that the issue affected products from other vendors as well and promised to release details at a later time.

While proof-of-concept (PoC) code will only be made available after affected organizations have had a chance to patch their systems, the researchers have published some additional details.

The attack method now has a name, a logo and a website. It has been dubbed ROBOT (Return Of Bleichenbacher's Oracle Threat) and, as the name suggests, it’s related to an attack method discovered by Daniel Bleichenbacher back in 1998.

The vulnerability affects TLS connections that use the RSA key exchange, in which the client encrypts the premaster secret with the server's RSA public key, and it can allow an attacker to decrypt such sessions. The weakness, however, cannot be exploited to obtain the server's private key.

“For hosts that are vulnerable and only support RSA encryption key exchanges it's pretty bad. It means an attacker can passively record traffic and later decrypt it,” researchers explained. “For hosts that usually use forward secrecy, but still support a vulnerable RSA encryption key exchange the risk depends on how fast an attacker is able to perform the attack. We believe that a server impersonation or man in the middle attack is possible, but it is more challenging.”

In addition to F5, the vulnerability impacts products from Citrix (CVE-2017-17382), Radware (CVE-2017-17427), Cisco (CVE-2017-17428), Bouncy Castle (CVE-2017-13098), Erlang (CVE-2017-1000385) and WolfSSL (CVE-2017-13099). These organizations have released patches, except for Cisco, whose vulnerable ACE appliances have reached end-of-life. Several other vendors are also affected, but they will not be named until they release fixes.

The researchers' recommended workaround is to disable the RSA key exchange (the cipher suites whose names start with TLS_RSA), an action they believe carries relatively low cost: RSA certificates and signatures are unaffected and keep working with the (EC)DHE key exchanges that also provide forward secrecy.
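What makes a server a Bleichenbacher oracle is that its reaction to a ClientKeyExchange depends on how the RSA-decrypted block fails PKCS#1 v1.5 validation. The following is an added example, not the ROBOT researchers' scanner: it models two servers after RSA decryption (the modular exponentiation is omitted because the oracle lives entirely in the padding handling), builds the five probe classes the ROBOT paper uses, and checks whether the responses can be told apart. The alert names assigned to each failure class, the 1024-bit block size and the probe bytes are constructed; real servers differ in which alert, connection close or timing difference leaks the distinction.

```python
import os

PMS_LEN = 48          # TLS premaster secret: 2 version bytes + 46 random bytes
KEY_BYTES = 128       # RSA-decrypted block size for a 1024-bit key (constructed choice)


def pkcs1_v15_unpad(em: bytes):
    """RSAES-PKCS1-v1_5 decode: 00 02 | PS (>= 8 non-zero bytes) | 00 | M. None if malformed."""
    if len(em) < 11 or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(0x00, 2)
    if sep < 10:                          # -1 (no separator) or fewer than 8 padding bytes
        return None
    return em[sep + 1:]


def vulnerable_server(em: bytes, client_version: bytes) -> str:
    """Reports each failure class differently: that difference is the oracle."""
    m = pkcs1_v15_unpad(em)
    if m is None:
        return "alert:decrypt_error"         # padding structure wrong
    if len(m) != PMS_LEN:
        return "alert:handshake_failure"     # separator in the wrong place
    if m[:2] != client_version:
        return "alert:protocol_version"      # padding fine, version bytes wrong
    return "alert:bad_record_mac"            # keys derived; the probe's garbage Finished fails


def hardened_server(em: bytes, client_version: bytes, rng=os.urandom) -> str:
    """RFC 5246 7.4.7.1: never branch on padding; substitute a random PMS and carry on."""
    fallback = rng(PMS_LEN)                  # generated up front, not only on failure
    m = pkcs1_v15_unpad(em)
    if m is None or len(m) != PMS_LEN or m[:2] != client_version:
        m = fallback                         # same outcome whatever was wrong
    # Keys are derived from m and the handshake continues. Since the probe's Finished is
    # garbage, the client sees bad_record_mac whether the padding was valid or not.
    return "alert:bad_record_mac"


def _nonzero(n: int) -> bytes:
    return bytes(b or 1 for b in os.urandom(n))


def probes(client_version: bytes, k: int = KEY_BYTES) -> dict:
    """The five ROBOT test messages, as they look after RSA decryption."""
    pms = client_version + os.urandom(PMS_LEN - 2)
    good = b"\x00\x02" + _nonzero(k - 3 - PMS_LEN) + b"\x00" + pms
    wrong_pos = bytearray(good)
    wrong_pos[20] = 0x00                     # separator too early -> PMS of wrong length
    return {
        "correct": good,
        "wrong_first_bytes": b"\x41\x17" + good[2:],
        "zero_wrong_position": bytes(wrong_pos),
        "no_zero_separator": b"\x00\x02" + _nonzero(k - 2),
        "wrong_tls_version": good[:-PMS_LEN] + b"\x02\x02" + pms[2:],
    }


def has_oracle(server, client_version: bytes = b"\x03\x03") -> bool:
    """Vulnerable if the server's reactions let the probe classes be distinguished."""
    responses = {name: server(em, client_version) for name, em in probes(client_version).items()}
    return len(set(responses.values())) > 1
```

The vulnerable model yields four distinct responses across the five probes, the hardened model one. A real implementation must also make the code path constant-time, since a measurable delay between branches is just as usable an oracle as a distinct alert. Disabling the RSA key exchange altogether, as the researchers recommend, removes the oracle: in an OpenSSL-style cipher string that is `!kRSA`, which drops the TLS_RSA_* suites while ECDHE and DHE suites signed with the same RSA certificate keep working.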

Researchers have made available an online tool that can be used to test public HTTPS servers. An analysis showed that at least 27 of the top 100 Alexa websites, including Facebook and PayPal, were affected.

The vulnerability that allows ROBOT attacks has been known since 1998 and several variations have been found over the years. One recent version of the attack is known as DROWN, which Somorovsky and several others discovered last year.

Each new attack method resulted in a series of countermeasures being developed to protect systems against potential attacks. However, these measures have become increasingly complex, making them difficult for vendors to implement.

The experts who discovered ROBOT said the vulnerability had been hiding in plain sight and the attack involves only minor modifications to the original Bleichenbacher method.


AIG Creates New Model to Score Client Cyber Risk
13.12.2017 securityweek Safety
Insurance giant American International Group said this week that it has developed a new cyber benchmarking model that quantifies and scores the cyber risk of its clients.

The new model, AIG says, evaluates a client’s cyber security maturity against 10 common attack patterns across 11 commonly used technology devices.

While the insurer did not provide details on the attack patterns and technologies used to benchmark cyber risk, it says the model “incorporates critical security data, such as current threat intelligence from multiple sources, effectiveness of an organization’s cyber controls, potential impact of a cyber breach on an organization, and insights gained from the thousands of cyber claims handled by AIG.”

“We developed the model based on historical insights and patterns of how companies experience cyber breaches – the points of entry and the types of attacks and vulnerabilities seen in the vast majority of cyber breach scenarios,” says Tracie Grella, Head of Cyber Risk Insurance at AIG. “Companies have been demanding a way to benchmark their cyber maturity against these known cyber risks to quantify what they are up against and where they stand.”

Clients that provide the required information can receive a report detailing security scores, peer benchmarking, and key risk mitigation controls to help quantify cyber risk.

To support its new model, AIG also announced the launch of CyberMatics, an analytics tool that leverages cyber threat detection firms CrowdStrike and Darktrace. CyberMatics, AIG explains, verifies inputs into AIG’s model from clients’ cyber security tools, which AIG says will provide greater confidence in underwriting information, and ultimately allows for better tailored terms and conditions in cyber insurance policies.
“AIG is partnering with Darktrace to leverage its AI technology to address a cumbersome and outdated process for assessing cyber risk -- manual questionnaires asking for information that most corporations don’t even know the correct answers to, leading to high premiums based on little to no hard evidence,” a Darktrace spokesperson told SecurityWeek.

“As an insurer, we gain a better understanding of the level of risk we are taking on with each client so we can react accordingly,” said Grella. “Our new model combined with CyberMatics can help our clients make informed and quantifiable decisions about their preparedness for cyber security risk events and insurance cover.”

In 2014, AIG expanded its cyber insurance offering to include property damage and bodily injury that could be caused as a result of cyberattacks.

While AIG has developed its own model to rank client cyber risk, third-party solutions are also available to help brokers and underwriters. In August 2014, FireEye announced a new line of services designed specifically to help brokers and underwriters gain visibility into enterprises' exposure to cyber threats.


Critical Flaws Found in Palo Alto Networks Security Platform
13.12.2017 securityweek Vulnerability
Updates released by Palo Alto Networks for the company’s PAN-OS security platform patch critical and high severity vulnerabilities that can be exploited for remote code execution and command injection.

The issue classified by the company as “critical” is actually a combination of vulnerabilities in the management interface that can be exploited by a remote and unauthenticated attacker to execute arbitrary code on affected firewalls.

PAN-OS 6.1.18, 7.0.18, 7.1.13, 8.0.5 and earlier versions are affected. Patches are included in PAN-OS 6.1.19, 7.0.19, 7.1.14 and 8.0.6, but attacks can also be blocked using vulnerability signatures made available by the company.

The flaws, collectively tracked as CVE-2017-15944, were reported to Palo Alto Networks by Philip Pettersson, who has released an advisory of his own this week. The expert said the security holes were reported to the vendor in July.

Pettersson’s advisory, which includes complete technical details, describes three vulnerabilities: a partial authentication bypass, an arbitrary directory creation issue, and a command injection bug. Combining these flaws allows an unauthenticated attacker to execute arbitrary code with root privileges through the web interface.

Palo Alto Networks has advised customers to avoid exposing the web interface of its devices to the Internet, but the Sonar and Shodan search engines show that it’s not uncommon for organizations to make it remotely accessible.

PAN-OS updates also address a high severity flaw in the web interface packet capture management component. The security hole, reported by researchers from Samsung and tracked as CVE-2017-15940, allows an authenticated attacker to inject arbitrary commands.

Palo Alto Networks has also informed customers of a low severity flaw discovered by a CrowdStrike researcher in the macOS version of the GlobalProtect Client. The vulnerability, identified as CVE-2017-15870, can be exploited by an attacker who has root privileges to the local system to achieve a certain level of persistence.

This issue affects GlobalProtect for macOS 4.0.2 and earlier, and it has been fixed with the release of version 4.0.3.


Apple Patches KRACK Flaws in AirPort Base Station
13.12.2017 securityweek Vulnerability
Apple this week released firmware security updates for its AirPort Base Stations to resolve vulnerabilities that expose the wireless routers to Key Reinstallation Attacks (KRACK).

The KRACK vulnerabilities were discovered earlier this year in the Wi-Fi standard itself. Because the flaws are in the standard, all Wi-Fi Protected Access II (WPA2) implementations, including ones that follow the specification correctly, were rendered vulnerable to a new type of attack. Industrial networking devices were also found to be vulnerable.

Discovered by Mathy Vanhoef and Frank Piessens, the flaws can be exploited by manipulating and replaying handshake messages to trick the victim into reinstalling a key that is already in use. Reinstalling the key resets the packet number that serves as the encryption nonce, so the same keystream is reused for different frames; an attacker within range can then decrypt frames, replay them and, depending on the cipher in use, inject forged ones, exposing information previously assumed to be safely encrypted.
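Why a reinstalled key is fatal comes down to nonce reuse in a stream-style cipher. The following is an added example, not the researchers' code: a toy client models the transmit side of WPA2 (a SHA-256 counter-mode keystream stands in for CCMP's AES-CTR, and only the nonce-reuse property is faithful), processes a replayed handshake message 3, and shows that XORing the two ciphertexts encrypted under the repeated packet number, together with one predictable frame, recovers the other frame. The key, station address and both plaintexts are constructed; the `patched` flag models the fix of refusing to reinstall an already-installed key.

```python
import hashlib


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream(tk: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream standing in for CCMP's AES-CTR (not a real cipher)."""
    out, block = b"", 0
    while len(out) < length:
        out += hashlib.sha256(tk + nonce + block.to_bytes(2, "big")).digest()
        block += 1
    return out[:length]


class Station:
    """Transmit side of a WPA2 client. patched=True refuses to reinstall an in-use key."""

    def __init__(self, addr: bytes, patched: bool):
        self.addr, self.patched = addr, patched
        self.tk, self.pn = None, 0

    def on_handshake_msg3(self, tk: bytes):
        """Message 3 installs the temporal key; a replayed message 3 reaches this path again."""
        if self.patched and tk == self.tk:
            return                   # already installed: keep the packet number, do nothing
        self.tk = tk
        self.pn = 0                  # (re)installation resets the packet number, i.e. the nonce

    def encrypt(self, plaintext: bytes):
        self.pn += 1
        nonce = self.addr + self.pn.to_bytes(6, "big")   # CCMP nonce: address + 48-bit PN
        return self.pn, xor(keystream(self.tk, nonce, len(plaintext)), plaintext)


KNOWN = b"ARP who-has 192.0.2.1 tell 192.0.2.23 (predictable)"   # constructed plaintext
SECRET = b"POST /login user=alice&password=hunter2 HTTP/1.1  "    # constructed plaintext


def krack_scenario(patched: bool):
    """Return (did the packet number repeat?, what ciphertext XOR plus KNOWN recovers)."""
    tk = hashlib.sha256(b"constructed temporal key").digest()[:16]
    sta = Station(b"\x02\x00\x00\x00\x00\x01", patched)
    sta.on_handshake_msg3(tk)                 # legitimate handshake completes
    pn1, c1 = sta.encrypt(KNOWN)
    sta.on_handshake_msg3(tk)                 # attacker replays message 3
    pn2, c2 = sta.encrypt(SECRET[:len(KNOWN)])
    recovered = xor(xor(c1, c2), KNOWN)       # equals SECRET iff both frames shared a keystream
    return pn1 == pn2, recovered
```

Unpatched, both frames go out with packet number 1 and the second frame is recovered byte for byte from the first, predictable one; patched, the packet numbers differ and the XOR yields noise. With CCMP the consequence is decryption and replay; with TKIP and GCMP the reused nonce additionally exposes the integrity key, which is why those ciphers also allow frame forgery.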

Soon after the vulnerabilities became public in mid-October 2017, vendors raced to patch them in their products. Depending on implementation, each product could be impacted by one or more of the 10 issues associated with the KRACK attack.

Apple released the first set of KRACK-related patches on October 31. At the time, the company addressed the issue tracked as CVE-2017-13080 in iOS, tvOS, and watchOS, as well as three bugs (CVE-2017-13077, CVE-2017-13078, and CVE-2017-13080) in macOS High Sierra.

Earlier this month, the company released another set of KRACK-related patches to address CVE-2017-13080 in Apple Watch (1st Generation) and Apple Watch Series 3, Apple TV (4th generation), and multiple iOS devices (iPhone 6s, iPhone 6s Plus, iPhone 6, iPhone 6 Plus, iPhone SE, iPhone 5s, 12.9-inch iPad Pro 1st generation, iPad Air 2, iPad Air, iPad 5th generation, iPad mini 4, iPad mini 3, iPad mini 2, and iPod touch 6th generation).

The company has now patched the issues in AirPort Base Station Firmware and released two security updates for the wireless routers.

With the release of AirPort Base Station Firmware Update 7.6.9 on Tuesday, Apple addresses three KRACK vulnerabilities (CVE-2017-13077, CVE-2017-13078, and CVE-2017-13080) in AirPort Express, AirPort Extreme, and AirPort Time Capsule base stations with 802.11n.

AirPort Base Station Firmware Update 7.7.9, on the other hand, patches the three bugs in AirPort Extreme and AirPort Time Capsule base stations with 802.11ac. The update also fixes a fourth bug – CVE-2017-9417 – that could allow an attacker within range to execute arbitrary code on the Wi-Fi chip.

In an alert published on Tuesday, the United States Computer Emergency Readiness Team (US-CERT) “encourages users and administrators to review the Apple security pages for AirPort Base Station Firmware Update 7.6.9 and Firmware Update 7.7.9 and apply the necessary updates.”