Backdoor in Captcha Plugin poses serious risks to 300K WordPress sites
20.12.2017 securityaffairs Hacking

Experts discovered that the popular WordPress Captcha plugin installed on over 300,000 sites was recently updated to deliver a hidden backdoor.
Security experts at WordFence have discovered that the popular WordPress Captcha plugin installed on over 300,000 sites was recently updated to deliver a hidden backdoor. The WordPress team promptly removed the plugin from the official WordPress Plugins repository and provided sanitized versions for affected customers.

WordPress also blocked the author of the plug-in from publishing updates without review by its development team. WordFence now includes firewall rules that block Captcha and five other plugins from the same author.

WordFence has worked with the WordPress plug-in team to patch pre-4.4.5 versions of the plug-in.

The WordPress team noticed something strange in September, when the plug-in changed hands. Just three months later the new team distributed the backdoored version, Captcha 4.3.7.

Experts found code that triggers an automatic update process, downloading a ZIP file from:

which then extracts and installs itself, modifying the Captcha plugin installed on the WordPress site.

“Whenever the WordPress repository removes a plugin with a large user base, we check to see if it was possibly due to something security-related. Wordfence alerts users when any plugin they are running is removed from WordPress repo as well. At the time of its removal, Captcha had over 300,000 active installs, so its removal significantly impacts many users.” states the analysis published by WordPress.

“A backdoor file allows an attacker, or in this case, a plugin author, to gain unauthorized administrative access to your website. This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when you first install it), sets authentication cookies, and then deletes itself.”

1 < $wptuts_plugin_remote_path = '';
2 ---
3 > $wptuts_plugin_remote_path = '';
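Review bot: both sides of this diff read identically here (`$wptuts_plugin_remote_path = '';` on the `<` line and on the `>` line), so the one-line change that separates the backdoored build from the sanitized one, the value assigned to the remote update path, is not visible in this copy. The sanitized state is the empty string; when auditing a copy of the plugin, the thing to check is that this variable is empty rather than pointing at an update server outside wordpress.org, since the article describes the ZIP being fetched from the author's own domain.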

WordFence investigated the plugin's new ownership and noticed that the domain used to deliver the ZIP file containing the backdoor, simplywordpress[.]net, is registered to someone named Stacy Wellington using the email address

It was easy to discover that the same email address was used to register a large number of other domains, and the footer of one of them referenced Martin Soiza.

In September, around 200,000 WordPress websites using the Display Widgets Plugin were impacted after it was updated to include malicious code. Further investigation allowed the experts at WordFence to discover that the man behind the plugin spam was the Briton Mason Soiza (23), who bought the plugin in late May.

WordFence discovered that other plug-ins from the simplywordpress domain (Convert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange) also contain the same backdoor code.
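The backdoor described above has a recognisable shape: a session started for user ID 1, authentication cookies set, the file deleting itself, and an update path that points at the author's own host rather than wordpress.org. The following scanner, added here as an example and not Wordfence's or WordPress's code, walks a plugin directory and flags PHP files that carry those indicators. The plugin sources it scans are constructed samples embedded in the block; the update host in the suspicious sample is a placeholder.

```python
"""Heuristic scan of a WordPress plugin directory for the backdoor pattern the
article describes: PHP that starts a session for user ID 1, sets auth cookies
and deletes itself, or that fetches its own updates from a host outside
wordpress.org. Added example for this page; not Wordfence's or WordPress's code.
All sample plugin sources below are constructed."""
import re
import tempfile
from pathlib import Path

# Indicators taken from the article's description of the backdoor.
INDICATORS = {
    "session_as_user_1": re.compile(r"wp_set_current_user\s*\(\s*1\s*[,)]"),
    "auth_cookie_user_1": re.compile(r"wp_set_auth_cookie\s*\(\s*1\s*[,)]"),
    "self_delete": re.compile(r"unlink\s*\(\s*__FILE__\s*\)"),
}
# A remote update path (the variable name comes from the article's diff) that
# does not point at wordpress.org.
REMOTE_PATH = re.compile(r"remote_path\s*=\s*['\"](https?://[^'\"]+)['\"]", re.IGNORECASE)
OFFICIAL_HOST = re.compile(r"https?://([a-z0-9-]+\.)*wordpress\.org(?:[/:]|$)", re.IGNORECASE)


def scan_source(src: str) -> dict:
    """Return the indicators found in one PHP source string and a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(src)]
    remote = [url for url in REMOTE_PATH.findall(src) if not OFFICIAL_HOST.match(url)]
    if len(hits) == len(INDICATORS):
        verdict = "backdoor"      # all three behaviours present together
    elif hits or remote:
        verdict = "suspicious"    # partial match, or a third-party update host
    else:
        verdict = "clean"
    return {"indicators": hits, "remote_paths": remote, "verdict": verdict}


def scan_plugin_dir(root: Path) -> dict:
    """Map each non-clean .php file under root (relative path) to its scan result."""
    findings = {}
    for path in sorted(root.rglob("*.php")):
        result = scan_source(path.read_text(errors="ignore"))
        if result["verdict"] != "clean":
            findings[str(path.relative_to(root))] = result
    return findings


# Constructed samples: one ordinary plugin file, one carrying the indicators.
BENIGN_PHP = """<?php
function my_captcha_render() { echo '<input name="captcha">'; }
"""
SUSPICIOUS_PHP = """<?php
$wptuts_plugin_remote_path = 'https://update-host.invalid/captcha.zip'; // placeholder host
wp_set_current_user(1);
wp_set_auth_cookie(1);
@unlink(__FILE__);
"""


def demo() -> dict:
    """Write the samples into a temporary plugin tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "captcha").mkdir()
        (root / "captcha" / "captcha.php").write_text(BENIGN_PHP)
        (root / "captcha" / "plugin-update.php").write_text(SUSPICIOUS_PHP)
        return scan_plugin_dir(root)


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result['verdict']} {result['indicators']} {result['remote_paths']}")
```

Point it at `wp-content/plugins` to triage a site; a "backdoor" verdict means all three behaviours occur in one file, while "suspicious" is worth a manual look, for example a plugin that legitimately sets cookies but also pulls updates from somewhere other than wordpress.org.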

According to the researchers, the backdoor was used to create cloaked backlinks to various payday loan businesses in order to boost their Google rankings.

“If you have not read our previous post on Mason Soiza, I’d suggest you read that first, since he has a long history of buying WordPress plugins in order to place cloaked backlinks on his users’ sites. He then uses these backlinks to increase page rank in SERPs (Search Engine Results Pages) since only web crawlers such as Googlebot can read them.” states WordPress.

“The hostmaster email address is the same for both and (Stacy Wellington”

Let me close with the simple recommendation provided by the experts: hurry up and uninstall the Captcha plugin from your site immediately.

Singapore Issues Cryptocurrency Warning
19.12.2017 securityweek Security

Singapore Tuesday issued a warning about cryptocurrencies after a recent surge in prices sent investors flocking to bitcoin.

"The Monetary Authority of Singapore advises the public to act with extreme caution and understand the significant risks they take on if they choose to invest in cryptocurrencies," the city-state's central bank said in a statement.

"MAS is concerned that members of the public may be attracted to invest in cryptocurrencies, such as Bitcoin, due to the recent escalation in their prices."

It said the recent spike in bitcoin prices comes from speculation, and cautioned that the bubble may burst.

Singapore's central bank joins a number of regulators who have warned about cryptocurrency investments, including the US Federal Reserve, which said bitcoin could threaten financial stability.

Regulators in Seoul have banned South Korean financial institutions from dealing in virtual currencies.

The MAS, which also acts as a financial regulator in the city-state, noted that cryptocurrencies are not backed by any central bank and are unregulated, which means those who lose money after investing in them have no room for redress under Singapore law.

"There is also a risk of loss should the cryptocurrency intermediary be hacked, as it may not have sufficiently robust security features," the regulator said.

Earlier on Tuesday, a South Korean virtual currency exchange declared itself bankrupt after being hacked for the second time in a year.

The closure comes eight months after nearly 4,000 bitcoin -- then valued at 5.5 billion won ($5 million), nearly 40 percent of the exchange's total assets -- were stolen in a cyber-attack blamed on North Korea.

Global bitcoin prices have soared around 20-fold this year, with the cryptocurrency trading above $18,000 on Tuesday.

Created in 2009 as a piece of encrypted software, bitcoin has been used to buy everything from beer to pizza, and is increasingly accepted by major companies such as online travel giant Expedia.

Analysts have put the surge down to growing acceptance among traditional investors and a decision by US regulators to allow bitcoin futures to trade on major exchanges.

Previously only traded on specialist platforms, bitcoin started trading on the Cboe Futures Exchange earlier this month before hitting the major Chicago Mercantile Exchange (CME) on Monday.

Loapi Android Trojan Does All Sorts of Bad
19.12.2017 securityweek Android
A recently discovered Android malware features a modular architecture that allows it to perform a broad range of nefarious activities, Kaspersky Lab researchers warn.

Detected by Kaspersky as Trojan.AndroidOS.Loapi, the malicious program was found masquerading as antivirus solutions or adult content apps. Its capabilities, the security researchers say, range from mining cryptocurrencies to displaying a constant stream of ads and launching distributed denial of service (DDoS) attacks, among others.

The mobile threat was observed distributed via advertising campaigns that redirected users to the attackers’ malicious websites. After installation, the malware attempts to gain device administrator rights, continuously requesting them in a loop. Although it checks whether the device is rooted, the Trojan doesn’t use root privileges.

If the user gives in and grants the malicious app admin privileges, Loapi either hides its icon in the menu or simulates antivirus activity. The displayed behavior depends on the type of application it masquerades as, Kaspersky has discovered.

The Trojan can prevent users from revoking its device manager permissions by locking the screen and closing the window with device manager settings. Moreover, the malware receives from the command and control (C&C) server a list of apps that could pose a danger and uses it to monitor the installation and launch of those apps.

When such an app is installed or launched, the Trojan displays a fake message claiming it has detected malware, prompting the user to delete it. The message is displayed in a loop, thus preventing the user from dismissing it until the application is deleted.

At installation, Loapi receives from the C&C lists of modules to install or remove, a list of domains that serve as C&C, an additional reserve list of domains, the list of “dangerous” apps, and a flag indicating whether to hide its app icon. In a third stage of the process, the necessary modules are downloaded and initialized.

An advertisement module is used to aggressively display ads on the device, but can also be used to open URLs, create shortcuts, show notifications, open pages in popular social network apps (including Facebook, Instagram, VK), and download and install other applications.

An SMS module can perform various text message manipulation operations. Based on C&C commands, it can send inbox SMS messages to the attackers’ server, reply to incoming messages, send SMS messages with specified text to a specified number, delete SMS messages from the inbox and sent folder, and execute requests to a URL and run specified JavaScript code in the page received as the response.

A Web crawling module can subscribe users to services by covertly executing JavaScript code on web pages with WAP billing, in addition to performing web page crawling. Should operators send text messages asking for confirmation, the SMS module is employed to reply with the required text. Together with the ad module, it was observed attempting to open 28,000 unique URLs on a single device during a 24-hour experiment.

The Trojan also packs a proxy module that allows attackers to send HTTP requests from the victims’ devices via an HTTP proxy server. This feature allows the malware authors to organize DDoS attacks against specified resources or to change the Internet connection type on a device, the security researchers warn.

Another module uses the Android version of minerd to mine for the Monero (XMR) cryptocurrency.

According to Kaspersky, Loapi might be related to the Podec malware (Trojan.AndroidOS.Podec), as both threats use the same C&C server IP address, both use the same obfuscation, and feature similar ways of detecting superuser on the device. Moreover, both collect information with similar structure and content and send it in JSON format to the C&C during the initial stage.

“Loapi is an interesting representative from the world of malicious Android apps. Its creators have implemented almost the entire spectrum of techniques for attacking devices […]. The only thing missing is user espionage, but the modular architecture of this Trojan means it’s possible to add this sort of functionality at any time,” Kaspersky concludes.

Successor to NetTraveler Malware Dissected
19.12.2017 securityweek Virus
A recently observed backdoor could be intended as the successor of the NetTraveler malware, Kaspersky Lab security researchers report.

NetTraveler has been around for more than a decade, but has recently resurfaced in a series of cyber-espionage attacks launched against victims in Russia and neighboring European countries. Several years ago, the malware was associated with a campaign that hit targets in over 40 countries.

The malware was designed for surveillance purposes, and a new variant referred to as Travle or PYLOT appears to have emerged earlier this year. Supposedly the offspring of a Chinese-speaking actor, the new threat gets its name from a typo in a string in one of the analyzed samples: “Travle Path Failed!” (the typo has been corrected in newer releases).

The malware was observed being deployed using malicious documents delivered via spear-phishing attacks on Russian-speaking targets. The executables were maintained in encrypted form using a technique previously used to conceal Enfal, and then the Microcin APT family.

Travle command and control (C&C) domains often overlap with those of Enfal, which in turn was observed using the same encryption method for maintaining the C&C URL as NetTraveler. Thus, Kaspersky believes that Enfal, NetTraveler, Travle and Microcin are related to each other and that the Travle backdoor is the successor of NetTraveler.

Upon initializing communication with its C&C server, the malware sends information about the target operating system in an HTTP POST request. Sent information includes UserID (based on the computer name and IP-address), Computer name, Keyboard layout, OS version, IP-addresses, and MAC address.

The server responds by sending URL paths for receiving commands, for reporting on command execution results, and for downloading and uploading files from C&C. The server also provides the first and second RC4 key, and an ID. After receiving the packet, the backdoor waits for additional commands.

All communication with the server is encrypted, with the ciphering algorithm depending on the type of transmitted object. The bot can send technical messages, which contain information about the OS or about the performed commands, and operational messages, which contain lists of files in a directory or the content of a specific file.

Based on commands received from the C&C, the malware can scan the file system, execute a specified batch file or application with passed arguments, check whether a specified file exists, delete/rename/move/create files, download and execute files (scripts or BAT files), download DLLs and launch them using the LoadLibrary API function, and load/unload a library to/from memory.

According to Kaspersky, the actor behind the Travle backdoor has been active during the last few years but doesn’t appear worried about being tracked by security companies. In fact, all of the modifications and new additions they made to their tools have been discovered and detected quite quickly.

“Still, the fact that they didn’t really need to change their TTPs during all these years seems to suggest that they don’t need to increase their sophistication level in order to fulfill their goals. What’s worse, according to subjects of decoy documents these backdoors are used primarily in the CIS region against government organizations, military entities and companies engaged in high-tech research, which indicates that even high-profile targets still have a long way to go to implement IT-sec best practices which efficiently resist targeted attacks,” Kaspersky concludes.

South Korea cryptocurrency exchange Youbit shuts down after second hack in 2017
19.12.2017 securityaffairs Hacking

The South Korean cryptocurrency exchange Youbit has gone bankrupt after suffering a major cyber attack for the second time this year.
The South Korean cryptocurrency exchange Youbit shut down after suffering a major cyber attack for the second time this year. The company announced bankruptcy on Tuesday after being hacked for the second time in the last eight months, declaring that it had lost 17 percent of its assets in the latest attack.

This is the first time that a cryptocurrency exchange based in South Korea has gone bankrupt.

Eight months ago hackers stole nearly 4,000 bitcoin (5.5 billion won ($5 million) at the time of the hack), which accounted for nearly 40 percent of the Youbit exchange’s total assets.

“We will close all trades, suspend all deposits or withdrawals and take steps for bankruptcy,” reads the statement issued by the company after the last attack.

In order to minimize the economic impact on its customers, all clients will have their cryptocurrency assets marked down by 25 percent; Youbit plans to cover the losses by selling its remaining assets and using insurance.

The South Korean market for virtual currencies has become one of the most active, with its trades accounting for some 20 percent of global Bitcoin transactions. More than one million South Koreans have already invested in Bitcoin.

Analysts observed that demand is so high that prices for the unit are around 20 percent higher than in the US.

While global bitcoin prices continue to increase, threat actors are focusing their interest on virtual currencies.

Recently security experts from Secureworks revealed the Lazarus APT group launched a spearphishing campaign against a London cryptocurrency company.

U.S. blames North Korea for the massive WannaCry ransomware attack
19.12.2017 securityaffairs Ransomware

It’s official, according to Tom Bossert, homeland security adviser, the US Government attributes the massive ransomware attack Wannacry to North Korea.
It’s official, the US Government attributes the massive attack Wannacry to North Korea.

The news of the attribution was first reported by The Wall Street Journal; according to the US Government, the WannaCry attack that infected millions of computers worldwide in May was an act of information warfare.

WannaCry infected 200,000 computers across 150 countries in a matter of hours last week. It took advantage of a tool named “Eternal Blue”, originally created by the NSA, which exploited a vulnerability present in earlier versions of Microsoft Windows. The tool was stolen by a hacking group named “Shadow Brokers”, which leaked it to the world in April 2017.

The ransomware infected systems in every industry and also hit critical infrastructure such as hospitals and banks.

[Image] WannaCry ransomware on a Bayer radiology system – Source: Forbes

In October, the UK Government linked the WannaCry attack that crippled NHS to North Korea.

“This attack, we believe quite strongly that it came from a foreign state,” Ben Wallace, a junior minister for security, told BBC Radio 4’s Today programme.

“North Korea was the state that we believe was involved in this worldwide attack,” he said, adding that the government was “as sure as possible”.

The attack caused billions of dollars in damages. Now United States Homeland Security Advisor Tom Bossert has officially blamed North Korea for the attack, declaring that the US Government has collected evidence linking Pyongyang to the massive WannaCry attack.

“The attack was widespread and cost billions, and North Korea is directly responsible,” Tom Bossert, homeland security adviser to President Donald Trump, wrote in an article published by the Wall Street Journal.

“North Korea has acted especially badly, largely unchecked, for more than a decade, and its malicious behavior is growing more egregious. WannaCry was indiscriminately reckless.”

The US government was expected to follow up with an official statement blaming North Korea for the attack.

The US Government has collected irrefutable proof linking the North Korean APT Lazarus Group to WannaCry, and states with a “very high level of confidence” that the APT carried out the WannaCry attack.

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and the experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems. Security researchers discovered that the North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was behind other large-scale cyber espionage campaigns against targets worldwide, including the Troy Operation, the DarkSeoul Operation, and the Sony Pictures hack.

The North Korean government hasn’t yet commented on the allegation.

New TelegramRAT Exploits Recently Patched Office Vulnerability
19.12.2017 securityweek Vulnerability
A recently discovered Remote Access Trojan (RAT) is being distributed via documents that exploit a 17-year old Office vulnerability patched in November 2017, Netskope warns.

Dubbed TelegramRAT, the malware leverages the Telegram Messenger application for command and control (C&C), and abuses a cloud storage platform to store its payload. This approach allows the threat to evade some traditional security scanners.

Attacks involving TelegramRAT start with a malicious Office document exploiting CVE-2017-11882, a vulnerability that was introduced in the Microsoft Equation Editor (EQNEDT32.EXE) in November 2000. The bug remained unnoticed for 17 years, until Microsoft manually patched it last month, but it didn’t take long for malicious actors to start abusing it.

As part of the newly observed attack, the URL redirection service is used to conceal the TelegramRAT payload hosted on Dropbox. The malware uses the Telegram BOT API to receive commands and send responses to the attacker. By employing SSL cloud applications for infection and C&C operations, the malware can keep communication hidden from security applications.

“The payload executable strings contained lots of references to Python files. After a quick analysis, the payload looked to be a Python program converted into a standalone binary executable that contained everything needed to run the application,” Netskope says.

Because the Python interpreter, the application code, and all the required libraries are packaged, the executable is large in size, which also makes it less suspicious.

Within the extracted directory, the researchers found PYD files, DLL files, and an out00-PYZ.pyz_extracted folder containing .pyc files. They also discovered a file called “RATAttack” which points to an open-source “RAT-via-Telegram” on GitHub.

The attackers used almost the exact code from GitHub when compiling their Python executable, the security researchers have discovered.

By using Telegram, which supports encrypted communication, the attackers ensure that they can easily communicate with the target without anyone snooping into the communication. The RAT’s authors create a Telegram bot and embed the bot’s Telegram token into the TelegramRAT’s configuration file. The malware then connects to the bot’s Telegram channel, where the attacker can issue commands for the infected machines.

Based on the received commands, the malware can take screenshots, execute shell commands, copy files, delete files/folders, download files from the target, encode and decode local files, enable/disable keyboard freeze, get Google Chrome’s logins/passwords, record the microphone, get keylogs, get PC information, open a proxy server, reboot/shut down the machine, run a file, schedule a command to run at a specific time, display running services and processes, and update its executable.

“TelegramRAT offers another unfortunate instance of attackers recognizing that the cloud can be leveraged to evade many traditional security scanners. By making itself cloud native, TelegramRAT uses one cloud application for its payload host, and another for its C&C operation. This cloud application splicing offers resilience to the attack, and requires security scanners to be able to discern cloud application instances, and to inspect SSL traffic to be effective,” Netskope concludes.

Australia Police Accidentally Broadcast Arrest Plans on Social Media
19.12.2017 securityweek BigBrothers
Australian police accidentally broadcast on social media details of an operation to arrest a suspected North Korean agent -- three days before he was taken into custody, media reported Wednesday.

The Sydney-based man, described by authorities as a "loyal agent of North Korea", was arrested on Saturday and charged with trying to sell missile parts and technology on the black market to raise money for Pyongyang in breach of international sanctions.

But a minute of conversation about the case between federal police officers, including the timing of the arrest, was broadcast on Periscope Wednesday and linked to on Twitter, The West Australian reported Tuesday.

The newspaper said it had listened to the discussion, which included a suggestion that officers are "not going in all guns blazing, it's only half-a-dozen people and a forensic van".

The paper added that while the tweet was deleted, the broadcast remained live -- and was watched by 40 people -- before it was also removed after the publication alerted federal police.

It was only by luck that no details of the identity of the target were revealed, the West Australian added.

Federal police confirmed part of a conversation was mistakenly broadcast via its Periscope account while "testing a piece of social media broadcasting equipment".

"Steps have been taken to ensure such incidents will not occur again," the force said in a statement.

"The matter has been referred to the AFP's security area for review."

AFP [Australian Federal Police] Assistant Commissioner Neil Gaughan told reporters on Sunday that the case involving the alleged agent was "like nothing we have ever seen on Australian soil".

He added that the 59-year-old suspect, named in local media as Chan Han Choi, was a "loyal agent of North Korea, believing he was acting to serve some higher patriotic purpose".

Choi, who is in custody, is due back in court this week.

South Korea Cryptocurrency Exchange Shuts Down After Hacking
19.12.2017 securityweek Hacking
A South Korean exchange trading bitcoin and other virtual currencies declared itself bankrupt on Tuesday after being hacked for the second time this year, highlighting the risk over cryptocurrencies as they soar in popularity.

The Youbit exchange said it had lost 17 percent of its assets in the attack on Tuesday.

It came eight months after nearly 4,000 bitcoin -- then valued at 5.5 billion won ($5 million) and nearly 40 percent of the exchange's total assets -- were stolen in a cyber attack blamed on North Korea.

"We will close all trades, suspend all deposits or withdrawals and take steps for bankruptcy," the exchange said in a statement which did not assign blame for the latest attack.

All its customers will have their cryptocurrency assets marked down by 25 percent, it said, adding it would do its best to "minimise" their losses by using insurance and selling the remains of the firm.

The exchange -- founded in 2013 -- brokered trades of multiple virtual currencies including bitcoin and ethereum.

It is the first time that a South Korean cryptocurrency exchange has gone bankrupt.

Investing in virtual currencies has become hugely popular in the hyper-wired South, whose trades account for some 20 percent of global bitcoin transactions.

About one million South Koreans, many of them small-time investors, are estimated to own bitcoin. Demand is so high that prices for the unit are around 20 percent higher than in the US, its biggest market.

Global bitcoin prices have soared around 20-fold this year.

Concerns over a potential bubble have unnerved Seoul's financial regulators, who last week banned its financial institutions from dealing in virtual currencies.

U.S. Declares North Korea Led Huge WannaCry Cyberattack
19.12.2017 securityweek BigBrothers
The United States officially accused North Korea late Monday of carrying out the massive WannaCry attack that infected some 300,000 computers in 150 countries earlier this year.

North Korea was widely suspected of being behind the computer virus and ransomware, which demanded payment to restore access. It has been denounced as such by Britain, but the United States had yet to follow suit.

Homeland Security Advisor Tom Bossert made the announcement in a Wall Street Journal op-ed, and was expected to provide more details in a briefing with reporters early Tuesday.

"The attack was widespread and cost billions, and North Korea is directly responsible," he wrote.

"We do not make this allegation lightly. It is based on evidence."

Among the infected computers were those at Britain's National Health Service (NHS), Spanish telecoms company Telefonica and US logistics company FedEx.

"These disruptions put lives at risk," Bossert wrote.

"North Korea has acted especially badly, largely unchecked, for more than a decade, and its malicious behavior is growing more egregious. WannaCry was indiscriminately reckless."

He said Washington must lead efforts to cooperate with other governments and businesses to "mitigate cyber risk and increase the cost to hackers," and thus improve internet security and resilience.

"When we must, the US will act alone to impose costs and consequences for cyber malfeasance," Bossert added.

President Donald Trump "has already pulled many levers of pressure to address North Korea's unacceptable nuclear and missile developments, and we will continue to use our maximum pressure strategy to curb Pyongyang's ability to mount attacks, cyber or otherwise."

The WannaCry attack spread rapidly around the globe using a security flaw in Microsoft's Windows XP operating system, an older version that is no longer given mainstream tech support by the US giant.

Ransomware, which can be used on PCs as well as tablets and smartphones, is malicious software which locks computer files and forces users to pay the attackers a designated sum in the virtual Bitcoin currency to regain access to the files.

The Washington Post cited a US official as saying Trump's administration would be urging allies to counter North Korea's cyberattack capabilities and implement all "relevant" UN Security Council sanctions.

It said the CIA had already laid blame on North Korea for the attack in November, though the assessment was classified and had not yet been previously reported.

Cambium Wireless Networking Devices Vulnerable to Attacks
19.12.2017 securityweek Vulnerability
A researcher has discovered nearly a dozen security issues in ePMP and cnPilot wireless networking products from Cambium, including vulnerabilities that can be exploited to take control of devices and the networks they serve.

Cambium’s ePMP and cnPilot wireless broadband solutions are used by managed services providers, governments, retailers, ISPs, hotels, schools, enterprises, and industrial organizations.

Researcher Karn Ganeshen discovered that ePMP 1000, 2000 and Force wireless broadband devices, and cnPilot R190, R200 and R201 Wi-Fi access points are affected by potentially serious vulnerabilities. The flaws were reported to Cambium in September via Rapid7 and a majority of them were patched last month.

While exploitation of the flaws normally requires access to the network, Rapid7’s Project Sonar uncovered more than 36,000 ePMP devices and 133 cnPilot systems accessible from the Internet, and many of them could be vulnerable. The highest numbers of exposed systems were seen in Serbia (9,600), the United States (8,200), Italy (5,000), Brazil (3,000), Spain (2,700), Colombia (2,500) and South Africa (1,100).

Several of the vulnerabilities have been rated critical with a CVSS score of 9.0. One of them is CVE-2017-5254, a privilege escalation flaw affecting ePMP devices. These systems are shipped with several default accounts with default credentials, including admin/admin, installer/installer, home/home and readonly/readonly. The home and installer accounts don’t have admin privileges, but Ganeshen discovered that they can be used to change the admin account password.

The admin password normally cannot be changed by an installer or home user, as the password field is not editable. However, an attacker who has access to the web interface with one of these low-privileged accounts can use the Inspect Element feature in their browser and delete the disabled="" property, which makes the password field editable. The password set by the attacker for the admin account can then be used to access the web interface with administrator privileges.
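The root cause of CVE-2017-5254 as described above is that the only thing stopping a low-privileged user from changing the admin password was a disabled form field, which the browser owner controls. The block below is an added example, not Cambium's code, that contrasts a handler which trusts the submitted form with one that authorizes the change on the server. The user table, the role names and the form layout are constructed to mirror the default accounts the article lists (admin, installer, home, readonly, each with username equal to password).

```python
"""Server-side authorization for a password-change form. Added example for the
ePMP issue described above (CVE-2017-5254), where the admin password field was
only disabled in the browser; nothing here is Cambium's code. The user table,
roles and form layout are constructed to mirror the default accounts the
article lists."""
import hashlib
import hmac
import os
from dataclasses import dataclass

ITERATIONS = 50_000


@dataclass
class User:
    name: str
    role: str          # "admin", "installer", "home" or "readonly"
    salt: bytes
    pw_hash: bytes


def hash_pw(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_default_users() -> dict:
    """Fresh table with the shipped defaults: username equals password, and
    for these four accounts the role name happens to equal the username."""
    users = {}
    for name in ("admin", "installer", "home", "readonly"):
        salt = os.urandom(16)
        users[name] = User(name, name, salt, hash_pw(name, salt))
    return users


def verify(users: dict, name: str, password: str) -> bool:
    u = users[name]
    return hmac.compare_digest(u.pw_hash, hash_pw(password, u.salt))


def _set_password(user: User, new_password: str) -> None:
    user.salt = os.urandom(16)
    user.pw_hash = hash_pw(new_password, user.salt)


def vulnerable_change_password(users: dict, session_user: str, form: dict) -> bool:
    """Weak handler: it trusts that the browser kept the admin field disabled and
    applies whatever 'target' the form names. An installer or home user who
    re-enables the field client-side can submit target='admin'."""
    if session_user not in users or form.get("target") not in users:
        return False
    _set_password(users[form["target"]], form["new_password"])
    return True


def hardened_change_password(users: dict, session_user: str, form: dict) -> bool:
    """Authorize on the server, not in the HTML: a non-admin may change only their
    own password, and only an admin may change the admin account (or anyone's)."""
    actor = users.get(session_user)
    target = users.get(form.get("target", ""))
    new_password = form.get("new_password", "")
    if actor is None or target is None or not new_password:
        return False
    if actor.role != "admin" and target.name != actor.name:
        return False        # the disabled attribute is not an access control
    _set_password(target, new_password)
    return True


if __name__ == "__main__":
    form = {"target": "admin", "new_password": "taken-over"}
    weak = make_default_users()
    print("weak handler, installer -> admin:", vulnerable_change_password(weak, "installer", form))
    strong = make_default_users()
    print("hardened handler, installer -> admin:", hardened_change_password(strong, "installer", form))
```

The same rule applies to the other client-side controls in a device UI: anything that is merely hidden, disabled or read-only in the page must be re-checked against the session's role when the request arrives, because the DOM is fully under the user's control.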

Another critical privilege escalation flaw in ePMP is CVE-2017-5255. It allows an authenticated attacker – even one with a readonly account – to execute OS-level commands as root by sending a specially crafted request to a function named get_chart.

A hacker can also escalate privileges on an ePMP device by exploiting persistent cross-site scripting (XSS) vulnerabilities in the Device Name and System Description fields. An attacker with access to a device’s web interface can insert JavaScript code into these fields and the code will get executed both when the login page is accessed and after the user has logged in.

There are also a couple of other XSS flaws in the ePMP product, but these are more difficult to exploit. The XSS vulnerabilities can allow an attacker to hijack a user’s session, hook the browser, or conduct other activities that can lead to privilege escalation.

The most serious flaw affecting the cnPilot product is related to an undocumented root web shell that can be accessed by any user (CVE-2017-5259). Another critical issue in cnPilot allows privilege escalation via a direct object reference vulnerability (CVE-2017-5260).

cnPilot is also affected by information disclosure and privilege escalation flaws that have been rated medium severity.

The vulnerabilities affect ePMP products running version 3.5 and earlier of the firmware and cnPilot devices running version 4.3.2-R4 and earlier. Fixes have been introduced with the release of versions 3.5.1 and 4.4, respectively. Two issues involving the lack of cross-site request forgery (CSRF) protections and some suspicious binaries have not been patched.

This New Android Malware Can Physically Damage Your Phone
19.12.2017 thehackernews Android

Due to the recent surge in cryptocurrency prices, not only hackers but also legitimate website administrators are increasingly using JavaScript-based cryptocurrency miners to monetize their sites by using the CPU power of your PC to mine Bitcoin or other cryptocurrencies.
Just last week, researchers from AdGuard discovered that some popular video streaming and ripper sites, including openload, Streamango, Rapidvideo, and OnlineVideoConverter, hijack CPU cycles from their hundreds of millions of visitors to mine the Monero cryptocurrency.
Now, researchers from Moscow-based cyber security firm Kaspersky Lab have uncovered a new strain of Android malware lurking in fake anti-virus and porn applications, which is capable of performing a plethora of nefarious activities, from mining cryptocurrencies to launching Distributed Denial of Service (DDoS) attacks.
Dubbed Loapi, the new Android Trojan can run so many malicious activities at once that it overloads a handset to the point that, within just two days of infection, the phone's battery can bulge out of its cover.
Described as a "jack-of-all-trades" by the researchers, Loapi has a modular architecture that lets it conduct a variety of malicious activities, including mining the Monero cryptocurrency, launching DDoS attacks, bombarding infected users with constant ads, redirecting web traffic, sending text messages, and downloading and installing other apps.
Loapi Destroyed An Android Phone In Just 2 Days

When analyzing a Loapi sample, Kaspersky's researchers discovered that the malware mines the Monero cryptocurrency so intensely that it destroyed an Android phone after two days of testing, causing the battery to bulge and deforming the phone cover.
According to researchers, the cybercriminals behind Loapi are the same ones responsible for the 2015 Android malware Podec. They are distributing the malware through third-party app stores and online advertisements that pose as apps for "popular antivirus solutions and even a famous porn site."
A screenshot in the Kaspersky blog suggests that Loapi impersonates at least 20 variations of adult-content apps and legitimate antivirus software from AVG, Psafe DFNDR, Kaspersky Lab, Norton, Avira, Dr. Web and CM Security, among others.
Upon installation, Loapi forces the user to grant it 'device administrator' permissions by looping a pop-up until the victim clicks yes, which gives the malicious app the same power over your smartphone that you have.
This highest level of privilege on a device would also make Loapi ideal for user espionage. Although this capability is not yet present in the malware, the Kaspersky researchers think it could be added in the future.
Loapi Malware Aggressively Fights to Protect Itself
Researchers also said the malware "aggressively fights any attempts to revoke device manager permissions" by locking the screen and closing phone windows by itself.
Loapi communicates with the module-specific command and control (C&C) servers, including advertisement module, SMS module and mining module, web crawler, and proxy module, for different functions to be performed on the infected device.
By connecting with one of the above-mentioned C&C servers, Loapi receives a list of legitimate antivirus apps that pose a danger to it, flags the real app as malware, and urges the user to delete it by showing a pop-up in a loop until the user finally removes the app.
"Loapi is an interesting representative from the world of malicious Android apps. Its creators have implemented almost the entire spectrum of techniques for attacking devices: the Trojan can subscribe users to paid services, send SMS messages to any number, generate traffic and make money from showing advertisements, use the computing power of a device to mine cryptocurrencies, as well as perform a variety of actions on the internet on behalf of the user/device," the researchers concluded.
Fortunately, Loapi failed to make its way into the Google Play Store, so users who stick to downloads from the official app store are not affected by the malware. But you are advised to remain vigilant even when downloading apps from the Play Store, as malware often finds its way there to infect Android users.

Kaspersky Lab Sues U.S. Government Over Software Ban
19.12.2017 thehackernews BigBrothers

Moscow-based cyber security firm Kaspersky Lab has taken the United States government to a U.S. federal court for its decision to ban the use of Kaspersky products in federal agencies and departments.
In September 2017, the United States Department of Homeland Security (DHS) issued a Binding Operational Directive (BOD) ordering civilian government agencies to remove Kaspersky Lab software from their computers and networks within 90 days.
The order came amid mounting concern among United States officials that the Kaspersky antivirus software could be helping the Russian government spy on their activities, which may threaten U.S. national security.
U.S. President Donald Trump also signed into law last week legislation that bans the use of Kaspersky products within the U.S. government, capping a months-long effort to purge Kaspersky from federal agencies amid concerns it's vulnerable to Kremlin influence.
Kaspersky's appeal is part of an ongoing campaign by the company to refute allegations that it is vulnerable to Russian influence.
No substantial evidence proving these allegations has yet been made available, but an article published by the WSJ in October claimed that Kaspersky software helped Russian spies steal highly classified documents and hacking tools belonging to the NSA in 2015 from a staffer's home PC.
Just last month, Kaspersky claimed that its antivirus package running on the staffer's PC detected the copies of the NSA exploits as malware and uploaded them to its cloud for analysis, but its analysts immediately deleted them.
Earlier this month, the NSA staffer, identified as Nghia Hoang Pho, a 67-year-old of Ellicott City, Maryland, pleaded guilty to illegally taking classified documents home, which were later stolen by Russian hackers.
Kaspersky Lab Challenges DHS's Ban on its Software in U.S. Court
Underlining that U.S. authorities have not provided any substantial evidence of wrongdoing by the company, CEO Eugene Kaspersky wrote in an open letter to the Homeland Security agency on Monday, stressing that the "DHS's decision is unconstitutional" and based purely on "subjective, non-technical public sources."
"One of the foundational principles enshrined in the U.S. Constitution, which I deeply respect, is due process: the opportunity to contest any evidence and defend oneself before the government takes adverse action," Kaspersky wrote.
"Unfortunately, in the case of Binding Operational Directive 17-01, DHS did not provide Kaspersky Lab with a meaningful opportunity to be heard before the Directive's issuance, and therefore, Kaspersky Lab's due process rights were infringed."
Kaspersky argues that the company was not given enough time to contest allegations before the DHS issued a ban, and that the documents available at the time of the ban were based more on references than a technical threat that the company could analyze and respond to.
The company also said that it wrote to DHS in mid-July to address any concerns the U.S. agency had, and DHS even acknowledged receipt of the communication in mid-August, appreciating the company's offer to provide information on the matter.
Kaspersky: DHS Harmed Kaspersky Lab's Reputation
However, Kaspersky said the agency did not follow up with the company "until the notification regarding the issuance of Binding Operational Directive 17-01," which accused Kaspersky products of posing information security risks to federal information systems.
"DHS has harmed Kaspersky Lab's reputation, negatively affected the livelihoods of its U.S.-based employees and U.S.-based business partners, and undermined the company’s contributions to the broader cybersecurity community," Kaspersky wrote.
"In filing this appeal, Kaspersky Lab hopes to protect its due process rights under the US Constitution and federal law and repair the harm caused to its commercial operations, its US-based employees, and its US-based business partners."
CEO Eugene Kaspersky has repeatedly denied the company's ties to any government and said it would not help a government with cyber espionage, adding that "If the Russian government comes to me and asks me to do anything wrong, or my employees, I will move the business out of Russia."
In October, it was also reported that Israeli government hackers broke into Kaspersky's network in 2015 and caught Russian hackers red-handed hacking the United States government with the help of Kaspersky software.
In the wake of this incident, Kaspersky Lab also launched a transparency initiative late October, giving partners access to its antivirus source code and paying large bug bounties for security issues discovered in its products.

The thin line between BlackEnergy, DragonFly and TeamSpy attacks
19.12.2017 securityaffairs APT

Experts from McAfee Labs collected evidence that links DragonFly malware to other hacking campaigns, like BlackEnergy and TeamSpy attacks.
On September 6, Symantec published a detailed analysis of the Dragonfly 2.0 campaign that targeted dozens of energy companies this year. The threat actor is the same one behind the Dragonfly campaign observed in 2014.

Further analysis conducted by McAfee Labs led the experts to believe that Operation Dragonfly is linked to earlier attacks.

The investigation conducted by McAfee Labs and the Advanced Threat Research team uncovered related attacks targeting the pharmaceutical, financial, and accounting industries.

The experts noticed that the tactics, techniques, and procedures (i.e. spear phishing, watering holes, and exploits of supply-chain technologies) were the same as those used in previous campaigns.

“By compromising well-established software vulnerabilities and embedding within them “backdoor” malware, the victims think they are installing software from a trusted vendor, while unaware of the supply-side compromise.” reads the analysis published by McAfee Labs.

Once the target network was compromised, the attackers used the Remote Desktop Protocol to hop among internal or external systems, connecting either to a control server or to an internal compromised server to conduct operations.

Researchers observed threat actors using several backdoors and utilities, in one case a Trojan used in 2017 attacks was also used in a July 2013 attack.

Experts correlated the malware by analyzing their hashes: both contained the same TeamViewer that the Hungarian security company CrySyS spotted in its report on the TeamSpy malware.

The TeamSpy hackers hit a large variety of high-level targets, including the Russia-based embassy of an undisclosed country belonging to both NATO and the European Union, multiple research and educational organizations in France and Belgium, an electronics company located in Iran and an industrial manufacturer located in Russia.

Crysys researchers mentioned the same hash used in the recent attacks and correlated it to a sample that was compiled on 2011:09:07 – 09:27:58+01:00.

“Although the report attributes the attacks to a threat actor or actors and shared tactics and procedures, the motivations behind TeamSpy appear similar to those of the Dragonfly group. With identical code reuse, could the TeamSpy campaign be the work of Dragonfly?” continues McAfee Labs.

The experts discovered that the 2017 sample contained code blocks associated with BlackEnergy malware.

[Figure: BlackEnergy sample from 2016 (left) alongside a Dragonfly sample from 2017. Source: McAfee]

“Self-deleting code is very common in malware, but it is usually implemented by creating a batch file and executing the batch instead of directly calling the delete command, as we see in the preceding examples.” continues the analysis.

“The BlackEnergy sample used in our comparison was captured in the Ukraine on October 31, 2015, and was mentioned in our post on the evolution of the BlackEnergy Trojan. It is remarkable that this piece of code is almost identical in both samples, and suggests a correlation between the BlackEnergy and Dragonfly campaigns.”


The experts pointed out an evolution of the code in the backdoors developed by the threat actors and the reuse of code in their campaigns.
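The correlation described above rests on finding the same code block, byte for byte, in samples years apart. The following Python is an added example written for this article, not McAfee's or CrySyS's tooling: it indexes every 16-byte window of one file by hash and merges adjacent matches into maximal shared runs, which is the simplest form of the code-reuse check described. The two "samples" are constructed byte strings that share one 64-byte stub (standing in for the self-delete routine) inside otherwise unrelated bytes; no real malware bytes are used.

```python
"""Find identical byte runs shared by two binaries.

Added example, not McAfee's tooling. The two 'samples' below are constructed
byte strings that share one 64-byte stub embedded in unrelated filler."""

import hashlib
from typing import Dict, List, Tuple


def _filler(stride: int, offset: int, length: int) -> bytes:
    """Deterministic filler: consecutive bytes differ by `stride` mod 256, so
    fillers built with different strides never share a 16-byte window."""
    return bytes((i * stride + offset) % 256 for i in range(length))


# Constructed samples (NOT real malware bytes).
SHARED_STUB = _filler(31, 17, 64)
SAMPLE_2016 = _filler(7, 0, 100) + SHARED_STUB + _filler(3, 9, 120)
SAMPLE_2017 = _filler(13, 5, 80) + SHARED_STUB + _filler(11, 2, 90)


def block_index(data: bytes, n: int) -> Dict[str, List[int]]:
    """Map the hash of every n-byte window to the offsets where it occurs."""
    index: Dict[str, List[int]] = {}
    for off in range(len(data) - n + 1):
        digest = hashlib.sha256(data[off:off + n]).hexdigest()
        index.setdefault(digest, []).append(off)
    return index


def shared_blocks(a: bytes, b: bytes, n: int = 16,
                  min_len: int = 32) -> List[Tuple[int, int, int]]:
    """Return (offset_in_a, offset_in_b, length) for every maximal run of
    identical bytes at least min_len long. Windows are matched by hash, then
    consecutive matches on the same diagonal are merged into one run."""
    index = block_index(a, n)
    pairs = set()
    for off_b in range(len(b) - n + 1):
        digest = hashlib.sha256(b[off_b:off_b + n]).hexdigest()
        for off_a in index.get(digest, []):
            pairs.add((off_a, off_b))

    runs: List[Tuple[int, int, int]] = []
    for off_a, off_b in sorted(pairs):
        if (off_a - 1, off_b - 1) in pairs:
            continue  # inside a run already reported from its start
        k = 0
        while (off_a + k, off_b + k) in pairs:
            k += 1
        length = n + k - 1  # k overlapping windows cover n + k - 1 bytes
        if length >= min_len:
            runs.append((off_a, off_b, length))
    return runs


if __name__ == "__main__":
    for off_a, off_b, length in shared_blocks(SAMPLE_2016, SAMPLE_2017):
        print(f"shared {length} bytes: 2016 sample @0x{off_a:x}, "
              f"2017 sample @0x{off_b:x}")
```

On the constructed samples this reports one run of 64 bytes at offset 100 of the first sample and offset 80 of the second. Real samples are compared after unpacking, and a hit of this kind is a lead for analysts to examine, not attribution on its own, as the McAfee quote about false flags below makes clear.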

The malicious code is fairly sophisticated in hiding the details of the attacks, and its use of false flags makes attribution hard.

Information Warfare At Bay – The Dangers of Russian Menace to Underwater Internet Critical Infrastructure
19.12.2017 securityaffairs BigBrothers

The British Armed Forces chief has warned that Russia could compromise underwater communication cables, causing severe damage to the global financial economy.
It came as silently as a fatal heart attack, and now the danger of Russian cyber warfare is materializing.
Join us to uncover this crippling and stealthy threat to our global community.

As defined by the Briefing European Parliamentary Research Service, “Hybrid conflict is a situation in which parties to the conflict refrain from the overt use of armed forces against each other, relying instead on a combination of military intimidation (falling short of an attack), exploitation of economic and political vulnerabilities, and diplomatic or technological means to pursue their objectives.”

In this regard, we pay special attention to Russia's development of electronic warfare and naval capabilities to further advance conventional and unconventional threats to the US and its allies.

As reported in many media outlets, Air Chief Marshal Sir Stuart Peach, who heads the British Armed Forces, warned in a speech to the Royal United Services Institute that Russia could compromise underwater communication cables, causing severe damage to the global financial economy. As reported by the BBC, “Russia is upgrading and advancing its use of conventional and unconventional warfare,” especially in the fifth domain: cyberspace.

Russian ships have been spotted regularly near the Atlantic cables and, according to Marshal Peach, this is due to the lack of investment in upgrading the UK Navy to match the development of the Russian Navy. The Marshal also noted that there are not enough UK ships to monitor the activities of the Russian Navy. It is important to note that since the annexation of Crimea, Russia has been developing new electronic warfare technologies that endanger global security.


Besides the economic danger to the UK and US economies, Russian ships can also attempt to wiretap and disrupt communications, which could cause great danger to the intelligence community and the national security of many countries.

The news comes in the midst of scandals involving Russian meddling in the US election and the use of Kaspersky software, recently banned from US Government use, to spy on US Government data. This raises serious concerns about how secure we are in the interconnected world we live in. A new theater of operations is presented where rogue nations can seriously damage our way of life.

It is a serious concern since Russia is not alone in trying to undermine the world: it has partnerships with Iran, North Korea, Syria, China and Brazil aimed at destabilizing global security and the economy. We must note that China and Brazil have contributed to Russia's cyber upgrade, since these two countries are the leading sources of software piracy, which causes serious economic losses and exposures to organizations around the world. In Brazil, for example, a copy of Microsoft Windows is sold for 3 dollars on the streets of Santa Ifigênia.

The US and Europe must take a firm stance with sanctions against those rogue nations and maintain up-to-date investment in their navies to continuously monitor any activity that could endanger global security. Also according to the BBC, it is estimated that 97% of global communications are transmitted by underwater cables, and approximately 10 trillion in financial transactions are negotiated daily through these cables. Any attack on this critical infrastructure could lead not only to an enormous loss of money but also to an enormous loss of life and the collapse of modern society, given its implications for supply chains and product delivery.


Networked Printers are Some of the Oldest IoT Devices, and over 1,000 Lexmark Printers Are Vulnerable Today
19.12.2017 securityaffairs Vulnerebility

Experts at NewSky Security scanned the Internet and discovered that “out of 1,475 unique IPs, 1,123 Lexmark printers had no security.”
We think of Internet of Things (IoT) as all the “new” devices added to networks like webcams, Internet-connected toys, smarthome devices, etc. But we have been connecting unattended things to networks for a very long time with office printers being some of the earliest. With new IoT threats emerging every day, network-connected printers are once again increasing cyber risk for organizations. This week we learn that more than one thousand Lexmark printers are connected to the Internet with no security.
NewSky Security performed a search for Internet-connected Lexmark printers through Shodan, the search engine for the Internet of Things. They were able to determine that, “out of 1,475 unique IPs, 1,123 Lexmark printers had no security.” That means that anyone on the Internet can access the printer’s admin setup at hxxp://example.ip/cgi-bin/dynamic/printer/config/secure/authsetup.html, where example.ip is the IP address of the printer as identified in Shodan. Once at this page, the visitor can set up a new password and proceed to reconfigure the printer as they wish.
You might wonder what is going on here. Why are printers added to networks with no security? This is the same situation that leads to every IoT compromise and things like the Mirai botnet. Vendors make it simple to get their equipment up and running. In most cases, it is plugged into the network and it starts working. If the person performing the installation is satisfied with the minimum requirements, their work is complete. Anticipating that some users will want to configure their devices once they are on the network, vendors allow remote access through common web interfaces. Without a firewall between the device and the Internet, anyone with a web browser can access the admin pages. We have seen this same scenario played out on webcams, routers, DVRs, and now Lexmark printers.
NewSky Security determined that at least one of the insecure Lexmark printers was in use by Lafayette Consolidated Government and several others are in use by universities. They also identified vulnerable Lexmark printers in many different countries, with the majority in the United States.
The problem isn’t with IoT devices in general or Lexmark printers specifically. As long as the devices can be secured, the vendors are doing the right thing. It is up to users to understand the implications of installing equipment on Internet-connected networks and to take the appropriate steps to secure that equipment. There is rarely a reason for a physical device like a printer to be accessible directly from the Internet. A firewall takes care of the basics; after that, make sure you change default passwords. It isn’t difficult to secure these devices, but it takes a little more than plugging them in and turning them on.

Kaspersky Lab files Lawsuit over DHS Ban of its products and services
19.12.2017 securityaffairs BigBrothers

Kaspersky Lab sues the U.S. Government over the product ban; its appeal was filed in the U.S. District Court for the District of Columbia.
Last week, the US President Donald Trump signed a bill that bans the use of Kaspersky Lab products and services in federal agencies.

Section 1634 of the bill prohibits the use of security software and services provided by the security giant; the ban will take effect on October 1, 2018.

Below are the details of the ban included in section 1634 of the National Defense Authorization Act for Fiscal Year 2018.

“SEC. 1634. Prohibition on use of products and services developed or provided by Kaspersky Lab.

(a) Prohibition.—No department, agency, organization, or other element of the Federal Government may use, whether directly or through work with or on behalf of another department, agency, organization, or element of the Federal Government, any hardware, software, or services developed or provided, in whole or in part, by—

(1) Kaspersky Lab (or any successor entity);
(2) any entity that controls, is controlled by, or is under common control with Kaspersky Lab; or
(3) any entity of which Kaspersky Lab has majority ownership.

(b) Effective date.—The prohibition in subsection (a) shall take effect on October 1, 2018.”

Now the security firm is suing the U.S. Government over the product ban; its appeal, filed in the U.S. District Court for the District of Columbia, targets the DHS’s Binding Operational Directive 17-01.

Kaspersky considers the ban unconstitutional; according to the company, the US Government decided to prohibit its products based on reports citing anonymous sources, without strong evidence of its involvement in cyber espionage activities.

Kaspersky claims to have offered its support to the DHS for its investigation, but the agency issued the 17-01 directive, banning its security software and services without any warning.

The company maintains that the DHS should have given it the opportunity to view the information before the directive was issued.

On the other side, Eugene Kaspersky was invited to testify before Congress in September, but he was unable to travel to the U.S. in time for the hearing due to visa problems.

A second hearing was announced for October, but Kaspersky was not invited to testify.


The decision of the US Government is having a significant impact on the company's brand reputation, with a consequent effect on sales in almost every sector and country.

“Through Binding Operational Directive 17-01, DHS has harmed Kaspersky Lab’s reputation, negatively affected the livelihoods of its U.S.-based employees and U.S.-based business partners, and undermined the company’s contributions to the broader cybersecurity community,” said Eugene Kaspersky, CEO and co-founder of Kaspersky Lab.

Eugene Kaspersky tweeted on Dec 18, 2017: “What to do when banned without evidence and the right to be heard? Well, we’re securing our rights by taking this to the courts. Why? We’ve done nothing wrong.”

“Dissuading consumers and businesses in the United States and abroad from using Kaspersky Lab products solely because of its geographic origins and without any credible evidence does not constitute a risk-based approach to cybersecurity and does little to address information security concerns related to government networks,” Eugene Kaspersky added.

The security firm also announced a new transparency initiative that involves giving partners access to source code to exclude the presence of backdoors, it also proposed to pay huge bug bounties for vulnerabilities found in its security solutions.

Kaspersky Sues U.S. Government Over Product Ban
19.12.2017 securityweek BigBrothers
Kaspersky Lab has filed a lawsuit against the U.S. government in response to the decision of the Department of Homeland Security (DHS) to ban the use of the company’s products in federal agencies.

The Russia-based cybersecurity firm’s appeal, filed in the U.S. District Court for the District of Columbia, targets the DHS’s Binding Operational Directive 17-01, which the agency issued in mid-September. President Donald Trump reinforced the ban last week when he signed the National Defense Authorization Act for FY2018.

Kaspersky says the ban is unconstitutional as it infringes the company’s due process rights. Kaspersky believes the DHS should have given it the opportunity to view the information and contest it before the directive was issued.

The company’s lawsuit also alleges that the decision to prohibit its products in federal agencies is largely based on rumors and media reports citing anonymous sources. While some believe the U.S. government may have actual evidence that Kaspersky Lab has been aiding Russia’s espionage efforts, no proof has been presented and even some officials appear to base their accusations on news reports.

Kaspersky claims that it voluntarily reached out to the DHS in July and offered to assist with any investigation into the company and its products. While the agency seemed to appreciate the offer and promised to get in touch, it did not do so, and instead it issued the 17-01 directive, banning the company’s software and services without warning.

The security firm says that while only a relatively small percentage of its revenue comes from the U.S. government, the DHS’s actions have had a negative impact on sales in other sectors, in both the United States and other countries.

“Through Binding Operational Directive 17-01, DHS has harmed Kaspersky Lab’s reputation, negatively affected the livelihoods of its U.S.-based employees and U.S.-based business partners, and undermined the company’s contributions to the broader cybersecurity community,” said Eugene Kaspersky, CEO and co-founder of Kaspersky Lab.

A majority of the accusations against Kaspersky Lab stem from its founder’s former ties to Russian intelligence. However, the CEO pointed out that most of the intelligence reports published by the company in the past years targeted Russian-speaking espionage groups.

In response to claims by U.S. officials that Kaspersky’s software is dangerous due to the deep level of access and privileges it requires, the Russian businessman highlighted that these capabilities are present in all security products and it’s unfair to single out his company without any evidence of wrongdoing.

“Dissuading consumers and businesses in the United States and abroad from using Kaspersky Lab products solely because of its geographic origins and without any credible evidence does not constitute a risk-based approach to cybersecurity and does little to address information security concerns related to government networks,” Eugene Kaspersky said.

Kaspersky has attempted to clear its name by launching a new transparency initiative that involves giving partners access to source code and paying significantly larger bug bounties for vulnerabilities found in the firm’s products.

Eugene Kaspersky was invited to testify before Congress in September, but he was unable to travel to the U.S. in time for the hearing due to visa problems. A second hearing was announced for October, but the cyber security tycoon was not invited.

Barclays Bank Employee Jailed for Role in Malware Scheme
18.12.2017 securityweek Virus
A Barclays bank employee in London has been sentenced to six years and four months in jail for his role in a scheme to launder money stolen using the Dridex banking Trojan.

Jinal Pethad, 29, worked with money launderers Pavel Gincota and Ion Turcan to set up 105 fraudulent bank accounts for them, in an attempt to launder over £2.5 million ($3.34 million).

To ensure that the bank’s security processes didn’t block the stolen funds, Pethad was managing the accounts personally, the UK’s National Crime Agency says.

The individual was arrested in November 2016, one month after Gincota and Turcan were jailed for the conspiracy. Pethad pleaded guilty last week to conspiring to launder money between 2014 and 2016.

When searching Pethad’s home, NCA officers found over £4,000 ($5,300) in cash, 7 luxury watches, and 3 mobile phones that had been used to communicate with Gincota. Text messages on one of the phones revealed that Gincota and Pethad were making arrangements to open fraudulent accounts.

“Jinal Pethad abused his position of trust at the bank to knowingly set up sham accounts for Gincota and Turcan, providing a vital service which enabled them to launder millions. Using his knowledge of the financial system, he made sure the stolen money was not blocked before entering these accounts, and provided the pair with reports to evidence his efforts and maintain the criminal relationship,” Mark Cains from the NCA’s National Cyber Crime Unit, said.

Dridex, the malware used to steal the laundered funds, is a successor of the Cridex Trojan; it has been around for several years and is currently one of the most prolific banking Trojans out there.

Not only did Dridex survive a takedown attempt in October 2015, but its activity has increased since. Last year, the actors behind Dridex launched the Locky ransomware and have been operating both ever since.

California Voter Data Stolen from Insecure MongoDB Database
18.12.2017 securityweek Incident
An improperly secured MongoDB database has provided cybercriminals with the possibility to steal information on the entire voting population of California, Kromtech security researchers reported.

The information was taken from an unprotected instance of a MongoDB database that was exposed to the Internet, meaning that anyone connected to the web could have accessed, viewed, or edited the database’s content.

Named 'cool_db', the database contained two collections, one being a manually crafted set of voter registration data for a local district, while the other apparently included data on the voting population of the entire state of California: a total of 19,264,123 records.

Bob Diachenko, head of communications, Kromtech Security Center, explains that the security firm was “unable to identify the owner of the database or conduct a detailed analysis.” It appears that the database has been erased by cybercriminals who dropped a ransom note demanding 0.2 Bitcoin for the data.

Given the presence of said ransom note, the incident is believed to be related to the MongoDB ransack campaign that resulted in tens of thousands of databases being erased in January 2017. Similar attacks were observed in September as well, when MongoDB decided to implement new data security measures.
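The two settings whose absence produces an instance like this one are network binding and access control: a mongod that listens on all interfaces with authorization disabled gives full read, write and drop rights to anyone who can reach the port. The following Python is an added example written for this article, not Kromtech's or MongoDB's code: it audits a mongod configuration for exactly those two conditions. The configurations are constructed dicts that mirror the mongod.conf YAML keys (net.bindIp, net.bindIpAll, security.authorization); treating a missing bindIp as the localhost default is an assumption that matches MongoDB 3.6 and later, and the example goes slightly beyond the article by also flagging public or unclassifiable bind addresses.

```python
"""Audit a mongod configuration for the two settings whose absence leaves a
database open to the whole Internet: binding to every interface and running
without authorization.

Added example, not Kromtech's or MongoDB's code. The configs are constructed
dicts mirroring mongod.conf YAML keys."""

import ipaddress
from typing import Any, Dict, List

# Constructed: the shape of an instance like the one in the article.
EXPOSED_CONFIG: Dict[str, Any] = {
    "net": {"port": 27017, "bindIp": "0.0.0.0"},
    # no "security" section: authorization is off, every client has full access
}

# Constructed: the same instance after hardening.
HARDENED_CONFIG: Dict[str, Any] = {
    "net": {"port": 27017, "bindIp": "127.0.0.1,10.20.0.5"},
    "security": {"authorization": "enabled"},
}

AUTHZ_FINDING = ("security.authorization: not enabled; any client that can "
                 "connect has full access")
BIND_ALL_FINDING = "net.bindIp: listens on all interfaces"


def classify_address(addr: str) -> str:
    """Return 'any', 'local', 'private', 'public' or 'unknown' (hostname or
    socket path, which this audit cannot classify)."""
    if addr in ("0.0.0.0", "::"):
        return "any"
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"
    if ip.is_loopback:
        return "local"
    if ip.is_private:
        return "private"
    return "public"


def audit_mongod(config: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings: List[str] = []
    net = config.get("net", {})
    # Assumption: an absent bindIp means the localhost default of MongoDB 3.6+.
    bind = str(net.get("bindIp", "127.0.0.1"))
    addresses = [a.strip() for a in bind.split(",") if a.strip()]
    if net.get("bindIpAll") or any(classify_address(a) == "any" for a in addresses):
        findings.append(BIND_ALL_FINDING)
    else:
        for addr in addresses:
            kind = classify_address(addr)
            if kind == "public":
                findings.append(f"net.bindIp: listens on public address {addr}")
            elif kind == "unknown":
                findings.append(f"net.bindIp: could not classify {addr}; verify manually")
    authz = config.get("security", {}).get("authorization", "disabled")
    if authz != "enabled":
        findings.append(AUTHZ_FINDING)
    return findings


if __name__ == "__main__":
    for name, cfg in (("exposed", EXPOSED_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_mongod(cfg) or ["no findings"])
```

Binding to a private address is not a substitute for authorization, which is why the audit reports the missing `security.authorization` setting independently of where the daemon listens; a host firewall in front of port 27017 is the third layer that the article's incident lacked.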

“We were able to analyze the stats data we saw in our report (metadata on total number of records, uptime, names of the collection etc.), as well as 20-records sample extracted from the database shortly before it has been wiped out and ransom note appeared,” Diachenko says.

Kromtech's security researchers haven’t determined who compiled the voter database but believe that a political action committee might have been behind it, given the unofficial name the repository had.

The miscreants behind the attack used ransomware to wipe out the voter data, but are believed to have copied the database to their server first. “Once in the hands of cyber criminals this voter data could end up for sale on the Dark Web. If this were an official database, deleting parts of that data could affect someone’s voting process,” the security researchers note.

The first, smaller collection (4GB) contained data structured with rows containing many fields that included home address, phone number, date of birth, and many more.

Based on ExtractDate information, the database appears to have been created on May 31, 2017.

The second, much larger collection (22GB) in the database, which appears to be the complete California voter registration records, contains a total of 409,449,416 records.

The data in the larger collection includes: District, RegistrantId, CountyCode, DistrictName and ObjectId.

“This is a massive amount of data and a wakeup call for millions of citizens of California who have done nothing more than fulfil the civic duty to vote. This discovery highlights how a simple human error of failing to enact the basic security measures can result in a serious risk to stored data. The MongoDB was left publicly available and was later discovered by cyber criminals who seemed to steal the data, whose origin is still unknown,” Diachenko concludes.

The researchers note that the database has been taken down after being initially discovered in early December. The Secretary of State of California was aware of the leak and “looking into it,” Diachenko said.

Pentagon Hacked in New U.S. Air Force Bug Bounty Program
18.12.2017 securityweek BigBrothers
The Hack the Air Force 2.0 bug bounty program kicked off earlier this month with researchers finding a critical vulnerability that could have been exploited to gain access to a network of the U.S. Department of Defense.

Hack the Air Force 2.0 started on December 9 with a live hacking competition hosted by the HackerOne platform at the WeWork Fulton Center inside the Fulton Center subway station in New York City.

During the event, Mathias Karlsson and Brett Buerhaus demonstrated how malicious actors could have breached an unclassified DoD network by exploiting a vulnerability in the Air Force’s website. They earned $10,650 for their findings, which is the largest single payout coming from any bug bounty program run by the U.S. government.

Seven U.S. Airmen and 25 civilian white hat hackers discovered a total of 55 vulnerabilities during the event, for which they earned $26,883.

Hack the Air Force 2.0 will run until January 1, 2018 and anyone can apply as long as they are a citizen or a permanent resident of Five Eyes countries, NATO countries, or Sweden. People from 31 countries can take part in the initiative, which makes it the most open government bug bounty program to date. Members of the U.S. military can also participate, but they are not eligible for bounties.

While anyone from these countries can apply, not everyone will be invited to actually take part. The Air Force will invite 600 people: 70 percent of them will be selected based on their HackerOne reputation score and the other 30 percent will be selected randomly.

“Hack the Air Force allowed us to look outward and leverage the range of talent in our country and partner nations to secure our defenses,” said Air Force CISO Peter Kim. “We're greatly expanding on the tremendous success of the first challenge by opening up approximately 300 public facing AF websites. The cost-benefit of this partnership is invaluable.”

Hack the Air Force 2.0 was announced following the success of the first Hack the Air Force program, which resulted in more than $130,000 being paid out for over 200 valid vulnerability reports.

Previous DoD bug bounty projects included Hack the Pentagon, which resulted in payouts of roughly $75,000, and Hack the Army, with rewards totaling approximately $100,000. The Pentagon has paid more than $300,000 for over 3,000 flaws discovered in its public-facing systems, but the organization estimates that it saved millions of dollars by running these programs.

Roughly one year ago, the Pentagon announced a vulnerability disclosure policy that aims to provide guidance to researchers on how to disclose security holes found in the organization’s public-facing websites. While no monetary rewards are being offered, the policy provides a legal avenue for reporting flaws.

"Zealot" Apache Struts Attack Abuses NSA Exploits
18.12.2017 securityweek BigBrothers
A sophisticated multi-staged Apache Struts cyber attack campaign is abusing NSA-linked exploits to target internal networks, researchers from F5 Networks have discovered.

Dubbed Zealot, the highly obfuscated attack uses the EternalBlue and EternalSynergy exploits to target Windows and Linux systems. The newly uncovered campaign employs a PowerShell agent to compromise Windows systems and a Python agent to target Linux/OS X. The scripts appear to be based on the EmpireProject post-exploitation framework, F5 says.

The attack is targeting servers vulnerable to CVE-2017-5638 (Apache Struts Jakarta Multipart Parser attack) and CVE-2017-9822 (a flaw in the DotNetNuke (DNN) content management system). The main purpose of the campaign is to mine for the Monero cryptocurrency.

“The Zealot campaign aggressively targets both Windows and Linux systems, with the DNN and Struts exploits together. When looking more closely at the unusually high obfuscated payload, we discovered a much more sophisticated multi-staged attack, with lateral movement capabilities, leveraging the leaked NSA-attributed EternalBlue and EternalSynergy exploits,” the researchers reveal.

The attack starts with two HTTP requests, one of which is the notorious Apache Struts exploit via the Content-Type header. Java code is executed to determine the underlying OS on the targeted system.

On Linux, shell commands are executed in the background to download and execute a spearhead bash script that checks whether the machine is already infected and then fetches and runs a crypto-miner file named “mule”.

The Python code checks whether a firewall solution is running and fetches more code from the command and control (C&C) server. The received response is encrypted so that it cannot be detected by typical network inspection devices.

“When sending the request to the C&C, specific User-Agent and Cookie headers are added. This technique means that anyone (like us researchers) who tries to access the C&C from their own browser or a tool won’t get the same response as the malware,” F5 explains.

On Windows systems, the Struts payload runs a PowerShell interpreter in a hidden mode, which in turn executes a base64-encoded script pointing to a file on a different domain. Even more heavily obfuscated, the file is “scv.ps1,” a PowerShell script that downloads the miner and runs it. It can also download the malware as a DLL and inject it into the PowerShell process using reflective DLL injection.

The malicious code also downloads the Python installer and deploys it if Python 2.7 is not present on the targeted Windows system. It then downloads the main Python module to initiate propagation over the internal network.

Two more files are downloaded onto the machine, namely “” and “raven64.exe.” The former includes several Python scripts and libraries, including a script designed to execute the EternalBlue and EternalSynergy exploits, an SMB protocol wrapper, and a series of known Python packages.

The “raven64.exe” file scans the internal network for port 445 and calls the main script to inject three different shellcodes for Windows 7 and Windows 8 systems to exploit EternalSynergy and EternalBlue. After execution, a PowerShell script downloads the “scv.ps1” agent, but from a different server.

“The “mule” malware is a cryptocurrency malware mining for the Monero currency. Monero has become the cybercrime currency of choice due to its high anonymity. The amount that was paid for this specific miner address was approximately $8,500. It is not known how much profit the threat actor has overall,” F5 says.

The security researchers also determined that the Zealot attackers used the public EmpireProject, a PowerShell and Python post-exploitation agent.

The second HTTP request observed in this campaign is attempting to exploit the ASP.NET-based content management system DotNetNuke by sending a serialized object via a vulnerable DNNPersonalization cookie. The goal is to obtain arbitrary code execution to run the same PowerShell script delivered via the Apache Struts exploit.
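The two web requests described above (the OGNL expression in the Struts Content-Type header and the serialized object in the DNNPersonalization cookie) are what a web-tier detection would look for. The following is an added example, not code from F5's report: a small request inspector run over constructed sample requests; the OGNL markers, the expected-type allow-list for the DNN cookie and the "Example.Gadget" type name are assumptions, not values taken from the campaign.

```python
import re
from urllib.parse import unquote

# Markers of OGNL expression evaluation smuggled into a Content-Type header
# (the CVE-2017-5638 Jakarta Multipart parser pattern). Assumed indicator set.
OGNL_MARKERS = ("%{", "${", "#_memberAccess", "#cmd", "ognl.OgnlContext")

# .NET types a benign DNNPersonalization cookie is expected to carry in its
# <item type="..."> attributes. Anything else is treated as suspicious
# (CVE-2017-9822 abuses the type attribute to deserialize an arbitrary object).
# This allow-list is an assumption for the example.
DNN_EXPECTED_TYPES = {"System.String", "System.Int32", "System.Boolean", "System.DateTime"}


def parse_request(raw):
    """Split a raw HTTP request into (method, path, {lower-case header: value})."""
    lines = raw.strip().splitlines()
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def parse_cookies(header):
    """Parse a Cookie header into a dict, URL-decoding each value."""
    cookies = {}
    for part in header.split(";"):
        name, _, value = part.strip().partition("=")
        if name:
            cookies[name] = unquote(value)
    return cookies


def inspect_request(raw):
    """Return a list of finding tags for one request (empty list = nothing seen)."""
    _method, _path, headers = parse_request(raw)
    findings = []

    content_type = headers.get("content-type", "")
    if any(marker in content_type for marker in OGNL_MARKERS):
        findings.append("struts-ognl-content-type")

    dnn = parse_cookies(headers.get("cookie", "")).get("DNNPersonalization")
    if dnn:
        # type="Namespace.Class, Assembly" -> compare only the type name part
        for type_attr in re.findall(r'type="([^"]+)"', dnn):
            type_name = type_attr.split(",")[0].strip()
            if type_name not in DNN_EXPECTED_TYPES:
                findings.append("dnn-cookie-unexpected-type:" + type_name)
    return findings


def scan_requests(requests):
    """Run inspect_request over many raw requests; return (path, findings) for hits only."""
    hits = []
    for raw in requests:
        _method, path, _headers = parse_request(raw)
        findings = inspect_request(raw)
        if findings:
            hits.append((path, findings))
    return hits


# Constructed sample requests (not real captures). The OGNL payload is deliberately
# truncated and the cookie's gadget type is a placeholder name.
STRUTS_REQUEST = """POST /struts2-showcase/index.action HTTP/1.1
Host: www.example.test
Content-Type: %{(#_='multipart/form-data').(#cmd='...')}
Content-Length: 0
"""

DNN_REQUEST = """GET /Default.aspx HTTP/1.1
Host: www.example.test
Cookie: DNNPersonalization=%3Cprofile%3E%3Citem%20key%3D%22x%22%20type%3D%22Example.Gadget%2C%20Example%22%3E%3C/item%3E%3C/profile%3E
"""

BENIGN_REQUEST = """GET /Default.aspx HTTP/1.1
Host: www.example.test
Cookie: DNNPersonalization=%3Cprofile%3E%3Citem%20key%3D%22lang%22%20type%3D%22System.String%22%3E%3Cstring%3Een-US%3C/string%3E%3C/item%3E%3C/profile%3E
Content-Type: multipart/form-data; boundary=abc123
"""

if __name__ == "__main__":
    for path, findings in scan_requests([STRUTS_REQUEST, DNN_REQUEST, BENIGN_REQUEST]):
        print(path, findings)
```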

The NSA exploits have been abused in previous campaigns, including NotPetya and WannaCry ransomware, along with the Adylkuzz cryptominer, but Zealot seems to be the first Struts campaign using these exploits.

The new attack also opens “new attack vector doors, automatically delivering malware on internal networks via web application vulnerabilities. The level of sophistication we are currently observing in the Zealot campaign is leading us to believe that the campaign was developed and is being run by threat actors several levels above common bot herders,” F5 concludes.

Firewall Bursting: A New Approach to Better Branch Security
18.12.2017 thehackernews Safety

One of the most common network security solutions is the branch firewall. Branch firewall appliances can pack into a single device a wide range of security capabilities including a stateful or next-generation firewall, anti-virus, URL filtering, and IDS/IPS.
But the reality is that most of these edge devices lack the processing power to apply the full scope of capabilities on all of the necessary traffic.
If the firewall deployed in the branch cannot scale to address critical security needs, an alternative strategy must be used. Wholesale appliance upgrades are easy but expensive. Regional security hubs are complex and also costly.
A new approach, called firewall bursting, leverages cloud scalability to offer an easier, more cost-effective alternative to branch office security. (You can find a great table comparing the different Firewall approaches here.)
Costly Appliance Upgrades and Secure Hub Architectures
The existing methods of evolving branch security force IT into a tough trade-off: the cost and complexity of managing appliance sprawl or the complexities of a two-tier network security architecture.
Upgrading all branch firewalls to high-performance, next-generation branch firewalls improves network security, no doubt. Branch offices gain more in-depth packet inspection and more protections to be applied on more traffic. This is a relatively straightforward, but very costly, solution to achieving stronger security.
Aside from the obvious, the firewall upgrade cost, there are also the costs of operating and maintaining the appliance, which includes forced upgrades. Sizing branch firewall appliances correctly can be tricky.
The appliance needs enough power to support the mix of security services across all traffic—encrypted and unencrypted—for the next three to five years.
Alone that would be complex, but the constantly growing traffic volumes only complicate that forecast. And encrypted traffic, which has become the new norm of virtually all Internet traffic, is not only growing but must be first decrypted, exacting a heavy processing toll on the appliance.
All of which means that IT ends up either paying more than necessary to accommodate growth or under-provisioning and risking the company’s security posture.
Regional hubs avoid the problems with upgrading all branch firewalls. Instead, organizations continue with their branch routers and firewalls, but backhaul all traffic to a larger firewall with public Internet access, typically hosted in a regional co-location hub.
The regional hub enables IT to maintain minimal branch security capabilities while benefitting from advanced security.
However, regional hubs bring their own problems. Deployment costs increase as regional hubs must be built out at significant hosting expense and equipment cost. And we’re not just speaking about throwing up an appliance in some low-grade hosting facility.
Hub outages impact not just one small office but the entire region. They need to be highly available, resilient, run the up-to-date software, and maintained by expert staff.
Even then, there are still the same problems of forced upgrades due to increased traffic volume and encrypted traffic share, this time, though, of only the hub firewall appliances.
The network architecture is also made far more complex, particularly for global organizations. Not only must they roll out multiple regional hubs, but those hubs must be deployed in geographically dispersed regions or in regions with a high concentration of branches.
In short, while the number of firewall instances can be reduced, regional hubs introduce a level of complexity and cost often too excessive for many organizations.
Firewall Bursting: Stretching your Firewalls to the Cloud
Cloud computing offers a new way to solve the edge firewall dilemma. With "cloud bursting," enterprises seamlessly extend physical data center capacity to a cloud datacenter when traffic spikes or they exhaust resources of their physical datacenter.
Firewall bursting does something similar to under-capacity, branch firewalls. Edge security processing is minimized where firewall capacity is constrained, and advanced security is applied in the cloud, where resources are scalable and elastic.
The on-premise firewall handles basic packet forwarding, but anything requiring "heavy lifting," such as decryption, anti-malware or IPS, is sent to the cloud. This avoids forced branch firewall upgrades.
Firewall bursting is similar to the regional hub approach, but with a key difference: the IT team isn't responsible for building and running the hubs. Hubs are created, scaled, and maintained by the cloud service provider.
Who Delivers Firewall Bursting Capabilities?
Secure web gateways (SWGs) delivered as cloud services can provide firewall bursting for Internet traffic. However, since firewalls need to apply the same inspection to WAN traffic, SWGs only offer a partial solution.
Purpose-built, global Firewall as a Service (FWaaS) is another option. FWaaS providers, such as Cato Networks, create a global network of Points of Presence (PoPs), providing a full network security stack specifically built for cloud scalability.
While the PoPs are distributed, they act "together" as a single logical firewall instance. The PoPs are highly redundant and resilient, and in case of outages, processing capacity seamlessly shifts inside or across PoPs, so firewall services are always available.
The PoPs are capable of processing very large volumes of WAN and Internet traffic. Because adding processing capacity either within PoPs or by adding new PoPs is transparent to customers, you don't have to adjust policies or reconfigure your environment to accommodate changes in load or traffic mix.
With firewall bursting customers can keep their current edge firewalls and still improve security. If you are running out of gas on your edge firewalls, you have options.
Beyond the obvious approaches of firewall upgrades and hub-and-branch setups, new innovations like FWaaS are now available.
FWaaS leverages cloud elasticity and scalability to globally extend network security with minimal impact on current network design.
Firewall refreshes, capacity upgrades, mergers and acquisitions all represent a great opportunity to look at firewall bursting and FWaaS to evolve your network security beyond the edge.

Two Critical 0-Day Remote Exploits for vBulletin Forum Disclosed Publicly
18.12.2017 thehackernews Vulnerebility

Security researchers have discovered and disclosed details of two unpatched critical vulnerabilities in a popular internet forum software—vBulletin—one of which could allow a remote attacker to execute malicious code on the latest version of vBulletin application server.
vBulletin is a widely used proprietary Internet forum software package based on PHP and MySQL database server. It powers more than 100,000 websites on the Internet, including Fortune 500 and Alexa Top 1 million companies websites and forums.
The vulnerabilities were discovered by a security researcher from Italy-based security firm TRUEL IT and an unnamed independent security researcher, who disclosed the details of the vulnerabilities via Beyond Security's SecuriTeam Secure Disclosure program.
The vulnerabilities affect version 5 of the vBulletin forum software and are currently unpatched. Beyond Security claims it has tried to contact vBulletin since November 21, 2017, but has received no response from the company.
vBulletin Remote Code Execution Vulnerability

The first vulnerability discovered in vBulletin is a file inclusion issue that leads to remote code execution, allowing a remote attacker to include any file from the vBulletin server and execute arbitrary PHP code.
An unauthenticated attacker can trigger the file inclusion vulnerability by sending a GET request to index.php with the routestring= parameter in the request, eventually allowing the attacker to "create a crafted request to Vbulletin server installed on Windows OS and include any file on the web server."
The researcher has also provided Proof-of-Concept (PoC) exploit code to show the exploitation of the vulnerability. A Common Vulnerabilities and Exposures (CVE) number has not been assigned to this particular vulnerability.
vBulletin Remote Arbitrary File Deletion Vulnerability
The second vulnerability discovered in the vBulletin forum software version 5 has been assigned CVE-2017-17672 and described as a deserialization issue that an unauthenticated attacker can exploit to delete arbitrary files and even execute malicious code "under certain circumstances."
The vulnerability is due to unsafe usage of PHP's unserialize() on user-supplied input, which allows an unauthenticated hacker to delete arbitrary files and possibly execute arbitrary code on a vBulletin installation.
A publicly exposed API, called vB_Library_Template's cacheTemplates() function, allows fetching information on a set of given templates from the database to store them inside a cache variable.
"$temnplateidlist variable, which can come directly from user-input, is directly supplied to unserialize(), resulting in an arbitrary deserialization primitive," the advisory explains.
Besides technical details, the advisory also includes Proof-of-Concept (PoC) exploit code to explain the severity of this vulnerability.
We expect the vendor to release a patch for both security flaws before hackers start exploiting them to target vBulletin installations.

Expert found critical issues in Palo Alto PAN-OS Networks Security Platform
18.12.2017 securityaffairs Vulnerebility

Palo Alto Networks released security updates for its PAN-OS security platform that address critical and high severity vulnerabilities
Last week, Palo Alto Networks released security updates for its PAN-OS security platform that address critical and high severity vulnerabilities that can be exploited by a remote, unauthenticated attacker for remote code execution and command injection.

The critical issue, tracked as CVE-2017-15944, is a combination of flaws that affect the management interface.

PAN-OS 6.1.18, 7.0.18, 7.1.13, 8.0.5 and earlier versions are affected by the issue that was addressed by security updates included in PAN-OS 6.1.19, 7.0.19, 7.1.14 and 8.0.6.

Palo Alto Network also released vulnerability signatures to block the attacks that exploit this issue.

The set of vulnerabilities was discovered in July by Philip Pettersson, who published a security advisory on SecLists. Pettersson found three vulnerabilities (a partial authentication bypass, an arbitrary directory creation issue, and a command injection bug) that can be chained to allow an unauthenticated attacker to execute arbitrary code with root privileges through the vulnerable web interface.

“This is a public advisory for CVE-2017-15944 which is a remote root code execution bug in Palo Alto Networks firewalls. Three separate bugs can be used together to remotely execute commands as root through the web management interface without authentication on: PAN-OS 6.1.18 and earlier, PAN-OS 7.0.18 and earlier, PAN-OS 7.1.13 and earlier, PAN-OS 8.0.5 and earlier.” reads the advisory.

Palo Alto Networks notified customers of the vulnerability, advising them to avoid exposing the web interface of its devices to the Internet.

The security updates for PAN-OS also address a high severity flaw in the web interface packet capture management component, tracked as CVE-2017-15940.

The flaw can be exploited by an authenticated attacker to inject arbitrary commands.

Affected products are PAN-OS 6.1.18 and earlier, PAN-OS 7.0.18 and earlier, PAN-OS 7.1.13 and earlier, PAN-OS 8.0.6 and earlier.

“This issue affects the management interface of the device and is strongly mitigated by following best practices for the isolation of management interfaces for security appliances. We recommend that the management interface be isolated and strictly limited only to security administration personnel through either network segmentation or using the IP access control list restriction feature within PAN-OS.” reads the advisory.

Researchers discovered two serious code execution flaws in vBulletin that are still unpatched
18.12.2017 securityaffairs Vulnerebility

Two code execution vulnerabilities affecting version 5 of the vBulletin forum software were disclosed by researchers last week.
Two code execution vulnerabilities affecting version 5 of the popular vBulletin forum CMS were disclosed by researchers last week via Beyond Security’s SecuriTeam Secure Disclosure program.

vBulletin is currently used by over 100,000 sites, including Fortune 500 and Alexa Top 1M companies websites and forums.

The flaws were discovered by an expert at the Italy-based security firm TRUEL IT and an expert who has not been named.

The vulnerabilities are still unpatched, but the vBulletin development team is going to fix them as soon as possible.

The first vulnerability was reported by an independent security researcher; it is described as an unauthenticated file inclusion issue and could lead to remote code execution.

An attacker can include malicious PHP code into a file on the server, for example the access.log, and then include that file by manipulating the routestring= parameter in a specifically crafted request that can result in the attacker’s code getting executed.

“vBulletin contains a vulnerability that can allow a remote attacker to include any file from the vBulletin server and execute arbitrary PHP code.

An unauthenticated user is able to send a GET request to /index.php which can then trigger the file inclusion vulnerability with parameter routestring=.” reads the security advisory.

“The request allows an attacker to create a crafted request to Vbulletin server installed on Windows OS and include any file on the web server.”

The second vulnerability, tracked as CVE-2017-17672, has been described as an unauthenticated deserialization flaw.

The flaw, reported by a security researcher from TRUEL IT (@truel_it), can be exploited by an unauthenticated attacker to delete arbitrary files and possibly even execute arbitrary code.

“Unsafe usage of PHP’s unserialize() on user-supplied input allows an unauthenticated attacker to delete arbitrary files and, under certain circumstances, execute arbitrary code on a vBulletin installation.” states the security advisory.

“vB_Library_Template’s cacheTemplates() function, which is a publicly exposed API which allows fetching information on a set of given templates from the database in order to store them inside a cache variable.”

For both vulnerabilities, the researchers released proof-of-concept (PoC) codes.

Beyond Security claims it has first reported the issues to the vBulletin development team on November 21, but has not received any response.

According to SecurityWeek, the development team has already developed a patch and is testing it.

“vBulletin, on the other hand, told SecurityWeek that it received no email into its ticket system regarding the vulnerabilities until last week. A patch has already been developed and it will be released once it’s tested.” reported SecurityWeek.

BGP hijacking – Traffic for Google, Apple, Facebook, Microsoft and other tech giants routed through Russia
18.12.2017 securityaffairs Attack

Traffic for Google, Apple, Facebook, Microsoft and other tech giants routed through Russia, experts believe it was an intentional BGP Hijacking.
Last week a suspicious event routed traffic for major tech companies (i.e. Google, Facebook, Apple, and Microsoft) through a previously unknown Russian Internet provider. The event occurred on Wednesday; the researchers who investigated it believe the traffic was intentionally hijacked.

The incident involved the Internet’s Border Gateway Protocol that is used to route traffic among Internet backbones, ISPs, and other large networks.
Example of a @facebook prefix briefly routed towards AS39523 DV-LINK-AS … …

12:27 AM - Dec 13, 2017
A similar incident occurred eight months ago, when a huge amount of traffic belonging to MasterCard, Visa, and more than two dozen other financial services was briefly routed through a telecom operator controlled by the Russian Government.

“Early this morning (UTC) our systems detected a suspicious event where many prefixes for high profile destinations were being announced by an unused Russian Autonomous System. Starting at 04:43 (UTC) 80 prefixes normally announced by organizations such as Google, Apple, Facebook, Microsoft, Twitch, NTT Communications and Riot Games were now detected in the global BGP routing tables with an Origin AS of 39523 (DV-LINK-AS), out of Russia.” states a blog post published by Internet monitoring service BGPMon.
“Looking at the timeline we can see two event windows of about three minutes each. The first one started at 04:43 UTC and ended at around 04:46 UTC. The second event started 07:07 UTC and finished at 07:10 UTC.
Even though these events were relatively short lived, they were significant because they were picked up by a large number of peers and because of several new more specific prefixes that are not normally seen on the Internet. So let’s dig a little deeper.”

BGPMon observed two distinct events for a total of six minutes that affected 80 separate address blocks.

Another monitoring service, Qrator Labs, stated the event lasted for two hours during which the number of hijacked address blocks varied from 40 to 80.

BGPMon experts consider the incident as suspicious for the following reasons:

The rerouted traffic belonged to big tech companies.
Hijacked IP addresses belong to small and specific blocks that aren’t normally seen on the Internet.
“What makes this incident suspicious is the prefixes that were affected are all high profile destinations, as well as several more specific prefixes that aren’t normally seen on the Internet. This means that this isn’t a simple leak, but someone is intentionally inserting these more specific prefixes, possibly with the intent the attract traffic.” continues the analysis from BGPMon.

The BGP hijacking was caused by an autonomous system located in Russia that added entries to BGP tables claiming it was the legitimate origin of the 80 affected prefixes. This assertion caused large amounts of traffic sent to and received by the affected companies to pass through the Russian AS 39523 before being routed to its final destination.

Below the list of ISPs that picked up the new route:

xx 6939 31133 39523 (path via Hurricane Electric)
xx 6461 31133 39523 (path via Zayo)
xx 2603 31133 39523 (path via Nordunet)
xx 4637 31133 39523 (path via Telstra)
AS39523 is a previously unused autonomous system that hadn’t been active in years, but it made the headlines in August when it was involved in another BGP incident that involved Google.

“Whatever caused the incident today, it’s another clear example of how easy it is to re-route traffic for 3rd parties, intentionally or by accident. It also is a good reminder for every major ISP to filter customers.” concluded BGPMon.

“This hijack highlights a common problem that arises due to lack of route filtering. We can blame AS39523 for the accident, but without proper filters at the intermediate transit providers boundaries we are doomed to see similar incidents again and again. We’d like to encourage all networks involved in this incident to review their route filtering strategy, and at the very least implement prefix-based BGP filters on all interconnections towards their customers.” concluded Qrator Labs.
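The two controls the quoted recommendations call for can be expressed as code. The following is an added example, not tooling from BGPMon or Qrator Labs: an expected-origin table (ROA style) used to classify announcements such as the AS paths listed above, and a prefix-based filter applied on customer sessions. AS39523 and AS31133 are taken from the article; the prefixes (RFC 5737 documentation ranges), the private ASNs 64496/64497 and the allow-lists are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Announcement:
    prefix: str
    as_path: Tuple[int, ...]   # leftmost = neighbour we heard it from, rightmost = origin AS

    @property
    def origin_as(self) -> int:
        return self.as_path[-1]


# Constructed expected-origin table, in the shape of a set of ROAs:
# covering prefix -> (authorised origin AS, maximum prefix length allowed).
EXPECTED_ORIGINS: Dict[str, Tuple[int, int]] = {
    "203.0.113.0/24": (64496, 24),
    "198.51.100.0/22": (64497, 22),
}

# Constructed customer allow-list for a transit provider: customer AS -> prefixes
# that customer (and its downstreams) may announce to us. AS31133 appears as the
# transit for AS39523 in the paths quoted above; here it is only allowed one prefix.
CUSTOMER_PREFIXES: Dict[int, List[str]] = {
    31133: ["192.0.2.0/24"],
}


def classify_origin(ann: Announcement, expected=EXPECTED_ORIGINS) -> str:
    """Route-origin check: wrong origin wins over an unexpected more-specific."""
    net = ipaddress.ip_network(ann.prefix)
    for covering, (asn, max_len) in expected.items():
        if net.subnet_of(ipaddress.ip_network(covering)):
            if ann.origin_as != asn:
                return f"hijack: {ann.prefix} originated by AS{ann.origin_as}, expected AS{asn}"
            if net.prefixlen > max_len:
                return f"more-specific: {ann.prefix} exceeds maxLength /{max_len} of {covering}"
            return "valid"
    return "unknown"   # no covering entry: not evaluated, treat per local policy


def customer_filter(ann: Announcement, customer_as: int, allow=CUSTOMER_PREFIXES) -> bool:
    """Prefix-based inbound filter on a customer session: accept only allow-listed space."""
    net = ipaddress.ip_network(ann.prefix)
    return any(net.subnet_of(ipaddress.ip_network(p)) for p in allow.get(customer_as, []))


def audit(announcements: List[Announcement]) -> Dict[str, str]:
    """Return prefix -> verdict for every announcement that is not valid."""
    return {a.prefix: v for a in announcements if (v := classify_origin(a)) != "valid"}


# Constructed observations. The AS paths mirror the shape of the ones quoted in the
# article (transit -> 31133 -> 39523); the prefixes are documentation ranges.
OBSERVED = [
    Announcement("203.0.113.0/24", (6939, 31133, 39523)),    # wrong origin
    Announcement("198.51.100.0/24", (2603, 31133, 64497)),   # right origin, too specific
    Announcement("198.51.100.0/22", (4637, 64497)),          # legitimate
]

if __name__ == "__main__":
    for prefix, verdict in audit(OBSERVED).items():
        print(prefix, "->", verdict)
    # What the transit should have done on its session with AS31133:
    for ann in OBSERVED[:2]:
        print(ann.prefix, "accepted from customer AS31133:", customer_filter(ann, 31133))
```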

The Russian pipeline giant Transneft infected with a Monero cryptocurrency miner
18.12.2017 securityaffairs Virus

The Russian pipeline giant Transneft admitted its computers were used for mining Monero cryptocurrency, the company removed the malware from its computers.
The Russian pipeline giant Transneft announced its systems were infected with a Monero cryptocurrency miner. The company confirmed it has successfully removed the threat from its systems, the company spokesman Igor Demin told Reuters the cryptomining software was automatically downloaded by a Transneft computer and was later erased.

“[Demin] noted that the company now has programmes to block such downloads and prevent similar incidents in the future.” reported IBTimes.

The news of the security breach was reported to the company by Transneft vice president and former interior minister Vladimir Rushailo.

“Incidents where the company’s hardware was used to manufacture cryptocurrency have been found. It could have a negative impact on the productivity of our processing capacity,” he explained during a meeting without providing further details on the infection.

The spike in the value of cryptocurrencies such as Bitcoin and Monero is attracting crooks, who are investing significant effort in attempts to steal funds from the wallets used for these two cryptocurrencies or to abuse computing resources to mine crypto coins.

The company has now announced that it has improved its systems to prevent similar security breaches from happening again.

A growing number of businesses were caught running cryptomining scripts on their websites to secretly generate digital currencies as an alternative to online advertising.

The list of websites running cryptomining code includes The Pirate Bay, Politifact, Showtime, Starbucks, and UFC.

The Russian Government is planning to create a specific legislative framework to address the regulation of virtual currencies: the authorities will allow purchasing cryptocurrencies, but the new legislation aims to make mining illegal.

“The penalties will be different, mostly administrative, but if someone created the cryptocurrency for the purpose of settlements, then there will be a criminal punishment,” explained the Deputy Finance Minister Aleksey Moiseev.

New PRILEX ATM Malware used in targeted attacks against a Brazilian bank
18.12.2017 securityaffairs Virus

PRILEX is a new ATM malware analyzed by researchers at Trend Micro that was used in high-targeted attacks against a Brazilian bank.
Security researchers from Trend Micro recently discovered a strain of ATM malware dubbed PRILEX that was involved in targeted attacks in Brazil.

PRILEX is written in Visual Basic 6.0 (VB6), it was specifically designed to hijack a banking application and steal information from ATM users.

The first PRILEX attack was spotted in October 2017 by Kaspersky Lab, but the analysis conducted by Trend Micro revealed very atypical behavior. The ATM malware works by hooking certain dynamic-link libraries (DLLs), replacing them and drawing its own application screens on top of the legitimate ones. The DLLs targeted by the malicious code are:

Further investigation allowed the researcher to determine that the DLLs belong to the ATM application of a bank in Brazil.

The atypical behavior along with the fact that the malware only affects a specific brand of ATMs, suggests the malware was designed for high-targeted attacks.

Once it has infected an ATM, PRILEX starts interfering with the banking application: it displays its own fake screen asking the user to enter their account security code. The code is delivered to the user as part of a two-factor authentication process, and the malware captures and stores it.

One of the aspects that caught the attention of the researchers is that the ATM malware tries to send data back to a C&C server, a behavior very uncommon for ATM malware. It is likely that this bank’s ATMs are connected and the attackers seem to be very familiar with these specific machines.

“In our analysis of the code, we noticed something interesting that happens at some point after it steals data: The malware tries to communicate with a remote command-and-control (C&C) server and upload both credit card data and the account security code.” reads the analysis published by Trend Micro.

“To our knowledge, this is the first ATM malware that assumes it is connected to the internet. It is likely that this bank’s ATMs are connected, since the attackers seem to be very familiar with this particular bank’s methods and processes.”

Another element that makes this attack singular is that attackers aim to steal user information instead of jackpotting the ATM, a circumstance that suggests the criminal gang behind the attack deals with bulk credit card credentials.

“There is something more important to be learned from Prilex, though. Any bank is subject to have their methods and processes analyzed by criminals and then later abused with highly targeted attacks. It’s concerning, and something that is worth looking into if you’re trying to defend your ATM infrastructure. Jackpotting attacks are very notorious, but a silent attack like this can go unnoticed for months, if not years.” continues the analysis.

“A targeted malware likely took significant time and resources to develop. This shows that in today’s world, criminals consider that a worthwhile investment.”
The researchers at Trend Micro also analyzed the recently discovered CUTLET MAKER ATM malware that was offered for sale on the Dark Web for around $5000.

The crimeware kit was discovered in October by Kaspersky; it is designed to target various Wincor Nixdorf ATM models using a vendor API, without interacting with ATM users and their data.

However, it seems that competitors have already managed to crack its code, allowing anyone to use it for free.

“Careful examination reveals that the license code is not time-based, it’s just an algorithm. This is a fancy way of saying that the same input would yield the same output. Some other criminal realized this and, at some point, created a standalone program that’s similar to a classic key generator or ‘keygen’ that automatically calculates the return code.” reads the analysis.

“The code is available on the internet and relatively easy to find. This means that anybody can start victimizing ATMs without having to pay for the program—or at least ATMs with an accessible USB port.”

Other crooks have started selling the malware along with the keygen for much lower prices than the original. So far, the original author has not released a new version to solve the problem.

Zealot Campaign leverages NSA exploits to deliver Monero miners on both Windows and Linux servers
18.12.2017 securityaffairs BigBrothers

Security researchers spotted a sophisticated malware campaign, tracked as Zealot campaign targeting Linux and Windows servers to install Monero miners.
Security researchers from F5 Networks spotted a sophisticated malware campaign targeting Linux and Windows servers to install Monero cryptocurrency miners.

The researchers named the campaign Zealot, after one of the files dropped on targeted servers.

Hackers are using a wide arsenal of exploits to compromise the servers and install the malware, including the same code used in the Equifax hack.

F5 Networks experts observed threat actors scanning the Internet for particular unpatched servers and compromising them with two exploits, one for Apache Struts (CVE-2017-5638) and one for the DotNetNuke ASP.NET CMS (CVE-2017-9822).

“F5 threat researchers have discovered a new Apache Struts campaign. This new campaign is a sophisticated multi-staged attack targeting internal networks with the NSA-attributed EternalBlue and EternalSynergy exploits.” states the analysis from F5 Networks.

“We have dubbed the campaign “Zealot” based on the name of the zip file containing the python scripts with the NSA-attributed exploits. As we continue to research this campaign, we will update this publication.”

The exploit for the Struts vulnerability includes malicious code for targeting both Linux and Windows machines at the same time.

Once the hackers have infected a Windows machine, they use the EternalBlue and EternalSynergy exploits (both belong to the huge trove of NSA data leaked by the Shadow Brokers earlier this year) for lateral movement within the target network.

In the last stage of the attack, threat actors would use PowerShell to download and install the Monero miner.

The attack against Linux servers sees attackers using Python scripts that appear to be taken from the EmpireProject post-exploitation framework to install the same Monero miner.

“Zealot seems to be the first Struts campaign using the NSA exploits to propagate inside internal networks. There were other malware campaigns like NotPetya and WannaCry ransomware, and also Adylkuzz cryptominer launching attacks by directly scanning the Internet for SMBs to exploit with the NSA tools the ShadowBrokers released.” continues the analysis.

“The Zealot campaign, however, seems to be opening new attack vector doors, automatically delivering malware on internal networks via web application vulnerabilities.”

The researchers reported that approximately $8,500 USD had been paid to the miner address associated with the Zealot campaign; we cannot exclude that the crooks also used other Monero wallets.

Zealot campaign
The researchers warned that the final-stage payload could change; the same campaign could be used to deliver ransomware.

Another curiosity that emerged from the analysis is that the attackers appear to be big fans of the legendary StarCraft game: many of the terms and file names used in this campaign are characters from the game (e.g. Zealot, Observer, Overlord, Raven).

“The level of sophistication we are currently observing in the Zealot campaign is leading us to believe that the campaign was developed and is being run by threat actors several levels above common bot herders,” concluded the analysis.

Google Researcher Finds Critical Flaw in Keeper Password Manager
18.12.2017 securityweek Vulnerability
Google Project Zero researcher Tavis Ormandy recently discovered that the Keeper password manager had been affected by a critical flaw similar to one he identified just over one year ago in the same application.

Ormandy found the security hole after noticing that Keeper is now installed by default in Windows 10. He remembered a vulnerability he reported last year and managed to reproduce the same attack with only a few minor modifications.

“I've heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages,” the researcher said. “I checked and, they're doing the same thing again with this version.”

The vulnerability affects the Keeper browser extensions, which, unless users opt out, are installed alongside the Keeper desktop application. The security hole allows attackers to steal passwords stored by the app if they can convince an authenticated user to access a specially crafted website.

Keeper released a patch within 24 hours of being notified by Ormandy. The fix has been rolled out with version 11.4.4 and it has already been delivered to Edge, Chrome and Firefox users via the browsers’ automatic extension update process. Safari users will need to manually update the extension.

“This potential vulnerability requires a Keeper user to be lured to a malicious website while logged into the browser extension, and then fakes user input by using a clickjacking and/or malicious code injection technique to execute privileged code within the browser extension,” Keeper said in a blog post informing customers of the vulnerability and the patch.

The company said there had been no evidence of exploitation in the wild, and pointed out that the mobile and desktop apps were not affected by the flaw.

Ormandy has made available a proof-of-concept (PoC) exploit that steals a user’s Twitter password from Keeper.

Microsoft Disables Dynamic Update Exchange Protocol in Word
18.12.2017 securityweek Vulnerability
In an attempt to prevent cybercriminals from abusing the Dynamic Update Exchange protocol (DDE) for nefarious operations, Microsoft has disabled the feature in all supported versions of Word.

The DDE protocol was designed to allow Windows applications to transfer data between each other and consists of a set of messages and guidelines.

Using shared memory to exchange data between Office applications, the DDE protocol has been replaced in Office with Object Linking and Embedding (OLE), but DDE is still supported in the popular productivity suite.

Abusing DDE to deliver malware via Office documents isn’t always easy. In addition to creating a malicious document, an attacker would also need to convince the victim to disable Protected Mode and click through a series of prompts referencing linked files and remote data.

Regardless, security researchers stumbled upon numerous malware infection campaigns abusing DDE, ranging from DNSMessenger malware attacks orchestrated by the FIN7 hacking group to Hancitor infections and Necurs-fueled Locky ransomware campaigns.

The Russia-linked cyber espionage group known as Fancy Bear has been seen leveraging DDE for malware infection purposes.

This prompted Microsoft to publish a security advisory in early November to inform users on how to protect themselves from such attacks. The tech giant also underlined that the Attack Surface Reduction (ASR) mitigation included in Windows Defender Exploit Guard as part of the Windows 10 Fall Creators Update keeps users protected from such attacks.

Previous mitigations against such attacks included setting specific registry keys to disable automatic data updates from linked fields, and Microsoft previously provided detailed information on how users could perform the action for Excel, Outlook, Publisher and Word.

Now, the company has decided to completely disable DDE in all supported versions of Word. The change was made as part of the December 2017 Patch Tuesday.

In a security advisory, Microsoft said that it continues to investigate this issue and that further updates will be provided if necessary.

Users unable to install the newly released Office security update or looking to disable the DDE protocol in other Office applications such as Excel, can do so manually by applying previously announced mitigations.

To change DDE functionality in Word after installing the update, users should navigate to:

\HKEY_CURRENT_USER\Software\Microsoft\Office\<version>\Word\Security
Value name: AllowDDE (DWORD)

Next, users should set the DWORD value based on their requirements: 0 to disable DDE; 1 to allow DDE requests to an already running program (but prevent requests that launch another executable program); or 2 to fully allow DDE requests.
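As an added example (not part of Microsoft's advisory or this article), the following PowerShell audits the AllowDDE value for every Office version key present for the current user and sets it to one of the three documented values. It assumes the key path quoted above, and uses 16.0 as an assumed default Office version key.

```powershell
# Added example, not from Microsoft's advisory or this article.
# Audits and sets the Word AllowDDE value introduced with the December 2017 update.
# Assumption: the key layout quoted above, HKCU\Software\Microsoft\Office\<version>\Word\Security,
# and the documented meanings 0 = disable, 1 = running programs only, 2 = fully allow.

$AllowDdeMeaning = @{
    0 = 'DDE disabled'
    1 = 'DDE allowed only to an already running program (no executable launch)'
    2 = 'DDE fully allowed'
}

function Get-WordAllowDde {
    <#
      Lists every per-user Office version key (e.g. 15.0, 16.0) and the AllowDDE
      value under its Word\Security subkey. A missing value means the post-update
      default applies, which according to the advisory is DDE disabled.
    #>
    $officeRoot = 'HKCU:\Software\Microsoft\Office'
    Get-ChildItem -Path $officeRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\d+\.\d+$' } |
        ForEach-Object {
            $version     = $_.PSChildName
            $securityKey = "$officeRoot\$version\Word\Security"
            $value       = $null
            if (Test-Path -Path $securityKey) {
                # Get-ItemProperty returns nothing (not an error) when the value is absent.
                $value = (Get-ItemProperty -Path $securityKey -Name AllowDDE -ErrorAction SilentlyContinue).AllowDDE
            }
            if ($null -eq $value) {
                $meaning = 'not set (post-update default: DDE disabled)'
            } elseif ($AllowDdeMeaning.ContainsKey([int]$value)) {
                $meaning = $AllowDdeMeaning[[int]$value]
            } else {
                $meaning = 'unexpected value, review manually'
            }
            [pscustomobject]@{
                OfficeVersion = $version
                AllowDDE      = $value
                Meaning       = $meaning
            }
        }
}

function Set-WordAllowDde {
    <#
      Writes AllowDDE as a DWORD for one Office version key, creating the
      Word\Security subkey if Word has not created it yet. The default version
      key 16.0 (Office 2016 / Office 365) is an assumption for this example.
    #>
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Value,
        [string]$OfficeVersion = '16.0'
    )
    $securityKey = "HKCU:\Software\Microsoft\Office\$OfficeVersion\Word\Security"
    if (-not (Test-Path -Path $securityKey)) {
        New-Item -Path $securityKey -Force | Out-Null
    }
    # -Force overwrites an existing AllowDDE value instead of failing.
    New-ItemProperty -Path $securityKey -Name AllowDDE -PropertyType DWord -Value $Value -Force | Out-Null
    # Return the value as now stored so the caller can confirm it.
    Get-ItemProperty -Path $securityKey -Name AllowDDE | Select-Object -ExpandProperty AllowDDE
}

# Usage: report the current state for every Office version found.
Get-WordAllowDde | Format-Table -AutoSize

# To lock DDE down for the current user (uncomment to apply):
# Set-WordAllowDde -Value 0
```

Because the key lives under HKEY_CURRENT_USER, the setting is per user; run it in each affected user's context or deploy it through Group Policy preferences.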

French Aerospace Giant Thales Acquires SIM Maker Gemalto
18.12.2017 securityweek Mobil
French aerospace and defence group Thales said Sunday it has bought European SIM manufacturer Gemalto in a bid to become a global leader in digital security.

The aerospace giant paid 51 euros ($60) a share for Gemalto, a premium of 57 percent over the closing price on December 8, Thales said in a statement.

The price was also higher than a 46-euro a share bid offer from French tech firm Atos which Gemalto rejected on Wednesday.

The Thales offer showed that it valued the world-leading chipmaker at about 4.8 billion euros.

Gemalto chief executive Philippe Vallee said in the statement that favouring Thales over Atos was "the best and the most promising option for Gemalto and the most positive outcome for our company, employees, clients, shareholders and other stakeholders".

"We share the same values and Gemalto will be able to pursue its strategy, accelerate its development and deliver its digital security vision, as part of Thales."

Thales CEO Patrice Caine said the merger marked "a key milestone" in implementing the firm's digital security strategy, in which it has invested one billion euros in the past three years and acquired three other companies.

"Together with Gemalto's management, we have big ambitions based on a shared vision of the digital transformation of our industries and customers."

The French company, which is worth about 18 billion euros, said that with the merger, the Thales group will rank among the top three players worldwide, with 3.5 billion euros in revenue in the fast growing digital security market.

The new division will focus on security software, biometrics, multifactor authentication and issuing secure electronic and physical ID cards.

The deal is expected to close in the second half of 2018, but can be terminated before then if Gemalto receives a bid that is at least nine percent higher than Thales's offer price.

vBulletin to Patch Disclosed Code Execution, File Deletion Flaws
18.12.2017 securityweek Vulnerability
The details of two potentially serious vulnerabilities affecting version 5 of the vBulletin forum software were disclosed by researchers last week. The flaws are currently unpatched, but vBulletin developers have promised to release fixes soon.

The security holes were disclosed via Beyond Security’s SecuriTeam Secure Disclosure program by a researcher from Italy-based security firm TRUEL IT and an expert who has not been named.

One of the vulnerabilities has been described as a file inclusion issue. The flaw affects vBulletin installations that use a Windows-based server, and an unauthenticated attacker can exploit it by sending a specially crafted GET request to index.php.

An attacker can inject malicious PHP code into a file on the server (e.g. access.log) and then “include” that file by manipulating the routestring= parameter in the request. This results in the attacker’s code getting executed.

The second vulnerability, tracked as CVE-2017-17672, has been described as a deserialization issue that can be exploited by an unauthenticated attacker to delete arbitrary files and possibly even execute arbitrary code.

“vB_Library_Template’s cacheTemplates() function is a publicly exposed API which allows fetching information on a set of given templates from the database in order to store them inside a cache variable,” Beyond Security’s advisory explains. “The $templateidlist variable, which can come directly from user-input, is directly supplied to unserialize(), resulting in an arbitrary deserialization primitive.”

Detailed technical information and proof-of-concept (PoC) code have been made available for both vulnerabilities.

Beyond Security claims it has been trying to report the vulnerabilities to vBulletin developers since November 21, but has not received any response. vBulletin, on the other hand, told SecurityWeek that it received no email into its ticket system regarding the vulnerabilities until last week. A patch has already been developed and it will be released once it’s tested.

Malicious actors exploiting vBulletin vulnerabilities in the wild is not unheard of. A couple of years ago, researchers had started seeing thousands of daily attempts to exploit a critical flaw less than two weeks after it was patched.

Russian censorship cannot block the output of trolls

18.12.2017 Novinky/Bezpečnost BigBrother
Russia's main censorship authority has no way, in the near future, to restrict the activity of so-called internet trolls, that is, people paid to spread disinformation and fake news over the internet. Alexander Zharov, head of the communications watchdog Roskomnadzor, said so at a Moscow seminar on internet security.

"There is no regulation; perhaps it will appear in a year and a half. What it will look like, I do not know," said Zharov, whose organization has blocked more than 275,000 Russian websites over the past five years. These were mainly servers allegedly facilitating the distribution of narcotics or child pornography, illegal gaming and betting sites, and online lotteries.

"Frankly speaking, I see no means of intervention," stated the head of Roskomnadzor, which does not need a court order to act against websites. According to the Interfax agency, Zharov added that he "is not a supporter of restrictions and total bans".

According to local media, several "troll farms" exist in Russia; the best known is a St. Petersburg institution called the Internet Research Agency, which is considered an extended arm of the Russian government. The holding employs around 250 people, and its operation reportedly costs around 270 million rubles (over 100 million Czech crowns) a year.

Hackers will have a harder time. A new service is meant to prevent massive attacks

18.12.2017 Novinky/Bezpečnost Zabezpečení
CZ.NIC, the association that administers the Czech national domain, launched a new service this week. It is meant to keep internet services functioning even in the event of a massive hacker attack. The first companies to join the association's initiative are and Vodafone.
The service, called ISP DNS Stack, is meant to prevent attacks on DNS servers. These normally translate web addresses into the numeric addresses of physical computers (IP addresses). When hackers knock them out of service, as has already happened several times in the past, websites appear unavailable to the user.

Because the resolver (the DNS servers) is not working, web browsers do not know where to connect after an address is entered. Customers with ISP DNS Stack, however, will not be affected by such an attack, and internet services in the .CZ domain will remain fully available to them.

Building reliable data services
"For as a provider of content, information and entertainment, a well-functioning internet infrastructure is absolutely essential. DNS is an indispensable part of it, and we know from history just how indispensable," says Vlastimil Pečínka, technical director of the company

He added that the Czech internet's number one recently invested in making the DNS services used in both of its data centers more robust. "The CZ.NIC association's offer to host the DNS stack takes this investment of ours one level higher. I also greatly appreciate the association's effort to look for further ways to help services and users on the internet. I am therefore glad that I can support their efforts with concrete steps," Pečínka concluded.

"Cooperation with CZ.NIC is part of our long-term strategy of building reliable data services. The ISP DNS Stack service is a copy of the DNS server for the .CZ domain placed directly in the Vodafone network. This way we ensure correct DNS operation for Czech domains for our customers even in the event of attacks on CZ.NIC's servers," explained Milan Zíka, technical director of Vodafone.

A key system for the functioning of the internet
The ISP DNS Stack service is operated exclusively by the CZ.NIC association. The administrator of the Czech national domain takes care of the operating system and all services running on it. The participating organizations handle the purchase of the necessary hardware, its placement in a data center and its subsequent operation in their own network.

"The DNS system is key to the functioning of the internet and the services that depend on it. If it were attacked or failed, the internet would become practically unusable for most people. I greatly appreciate the approach of the companies and Vodafone, which are thereby showing, above all to their customers, that internet availability in any situation is key for them," said Ondřej Filip, executive director of the CZ.NIC association.

Ransomware attacked more than a quarter of companies

18.12.2017 Novinky/Bezpečnost Viry
The number of ransomware attacks on companies rose this year. The share of businesses attacked increased by four percentage points year on year to 26 percent. The main cause was three unusually large attacks on corporate networks, which fundamentally changed the landscape of corporate computer networks. This was reported by the antivirus firm Kaspersky Lab.
Companies worldwide were hit in succession by waves of the malicious programs WannaCry in May, ExPetr at the end of June and BadRabbit in October. All of them targeted corporate networks. Businesses were also attacked by other so-called ransomware, which together accounted for 240,000 attacks.

"These well-known attacks over the course of the whole year are extreme proof that cybercriminals are increasingly interested in corporate targets. We had already noticed this trend in 2016, but this year it gathered pace and so far shows no sign of slowing down," said Kaspersky Lab analyst Fedor Sinitsyn. "This is mainly because companies are very vulnerable, able to pay a higher ransom than individuals and usually more willing to do so in order to keep their production running," he added.

The number of newly detected ransomware programs fell significantly this year, from 62 last year to 38 this year. On the other hand, the number of newly detected versions of existing ransomware rose, to 96,000 from last year's 54,000. The increase is probably the result of attackers' efforts to hide their programs from ever-improving detection techniques.

Roughly 65 percent of companies attacked by ransomware this year say they lost access to most or even all of their data. One in six companies that paid the ransom never got its data back. These figures are essentially the same as those for 2016.

2017, the year of ransomware

18.12.2017 SecurityWorld Viry
The proportion of companies attacked by ransomware in 2017 rose to 26.2%. In the previous year, just under 4 percent fewer of all ransomware attacks targeted companies: 22.6%. The main cause was three hitherto unprecedentedly large attacks on corporate networks, which fundamentally changed the landscape of corporate computer networks.

2017 will go down in the history of cybersecurity above all for its ransomware attacks. These struck companies around the world unexpectedly, through attacks using computer worms. The main motive remains unclear. They were WannaCry on 12 May, ExPetr on 27 June and BadRabbit, which was active in the second half of October.

All of them used exploits designed to break into corporate networks. Businesses were also attacked by other ransomware, which together accounted for 240,000 attacks. That is how many ransomware infections Kaspersky Lab products prevented from reaching corporate computers around the world.

"These well-known attacks over the course of the whole year are extreme proof that cybercriminals are increasingly interested in corporate targets. We had already noticed this trend in 2016, but this year it gathered pace and so far shows no sign of slowing down. This is mainly because companies are very vulnerable, able to pay a higher ransom than individuals and usually more willing to do so in order to keep their production running. It is therefore no surprise that new attackers focused on companies are appearing, who use remote desktop systems for their attacks," says Fedor Sinitsyn, Senior Malware Analyst at Kaspersky Lab.

Other ransomware trends in 2017

In 2017, a total of almost 950,000 unique users were attacked, compared with 1.5 million in 2016. This marked difference is caused by a change in detection methodology. For example, downloaders that are commonly associated with crypto-malware are now detected by heuristic technologies. Kaspersky Lab telemetry no longer classifies them as ransomware.
The three best-known attacks, but also the AES-NI and Uiwix ransomware families, used sophisticated exploits. These leaked to the public in spring 2017, when they were published by the group known as Shadow Brokers.
There was a significant drop in newly detected ransomware families, from 62 in 2016 to 38 this year. On the other hand, the number of newly detected versions of existing ransomware rose: more than 96,000 in 2017 compared with 54,000 last year. This increase is probably the result of attackers' efforts to hide their ransomware from ever-improving detection techniques.
In the second quarter of this year, a number of groups ended their ransomware activities and published the keys needed to decrypt data. Among them were AES-NI, xdata, Petya/Mischa/GoldenEye and Crysis. Crysis subsequently reappeared, most likely run by a different group.
Cybercriminals increasingly used remote desktop systems as a method of infecting companies. It became the main tool of many groups such as Crysis, Purgen/GlobeImposter and Cryakl.
65% of companies attacked by ransomware this year say they lost access to most or even all of their data. One in six companies that paid the ransom never got its data back. These figures are essentially the same as those for 2016.

The No More Ransom initiative, launched in July 2016, has been very successful. It brings together law enforcement agencies and private companies, which jointly track down and then neutralize large ransomware families. In this way it tries to help end users get their data back, while also disrupting a lucrative source of income for cybercriminals.

Pre-Installed Keeper Password Manager on Windows 10 exposes systems to password stealing
17.12.2017 securityaffairs Vulnerability

A white hat hacker discovered that some Windows 10 versions come with a pre-installed version of the Keeper Password Manager that exposes systems to password stealing.
I was reading Tweets when I noticed the following post:

Tavis Ormandy, 15 Dec 2017:

"I created a new Windows 10 VM with a pristine image from MSDN, and noticed a third party password manager is now installed by default. It didn't take long to find a critical vulnerability. …"

Tavis Ormandy, 5:47 PM - Dec 15, 2017:

"I don't want to hear about how even a password manager with a trivial remote root that shares all your passwords with every website is better than nothing. People really tell me this. 🙄"
Some Windows 10 versions come with a pre-installed third-party password manager app that could allow hackers to steal users' credentials remotely.

Starting with the Windows 10 Anniversary Update (Version 1607), Microsoft included in its OS a new feature called Content Delivery Manager that silently installs new “suggested apps” without notifying users.

The hidden password manager was reported months ago by several Reddit users.

The presence of the password manager called Keeper was confirmed by the popular Google Project Zero hacker Tavis Ormandy who found the application pre-installed on his new Windows 10 system.

“I recently created a fresh Windows 10 VM with a pristine image from MSDN, and found that a password manager called “Keeper” is now installed by default. I’m not the only person who has noticed this:

I assume this is some bundling deal with Microsoft.” wrote Ormandy in a blog post published on Chromium Blog.

“I’ve heard of Keeper, I remember filing a bug a while ago about how they were injecting privileged UI into pages ( issue 917 ). I checked and, they’re doing the same thing again with this version. I think I’m being generous considering this a new issue that qualifies for a ninety day disclosure, as I literally just changed the selectors and the same attack works”

Ormandy decided to analyze the Keeper password manager, searching for vulnerabilities that could be exploited to compromise the Windows installation.

After a few tests, Ormandy discovered a critical vulnerability in the Keeper Password Manager that results in a “complete compromise of Keeper security, allowing any website to steal any password.”

The security vulnerability was nearly identical to another issue discovered in August 2016 by Ormandy in the non-bundled version of the Keeper plugin, which allowed malicious websites to steal passwords.

Ormandy also published proof-of-concept (PoC) exploit code that steals a user’s Twitter password if it is stored in the Keeper app.

Windows 10 users are not affected unless they open the Keeper password manager and allow it to store their passwords.

Keeper password manager flaw
Ormandy reported the flaw to the Keeper development team, which addressed it in version 11.4.

Keeper stated that it is not aware of attacks exploiting the security vulnerability in the wild.

There is one thing, however, that Ormandy has not uncovered … why the Keeper password manager was pre-installed without users’ knowledge.

To disable the Content Delivery Manager it is possible to use these registry settings.