Exclusive, CSE CybSec ZLAB Malware Analysis Report: The Italian Job – Android malware masqueraded as Fake Tre Updater
4.12.2017 securityaffairs  Android

The CSE CybSec Z-Lab Malware Lab analyzed a new strain of malware apparently developed to target the customers of the Italian telco operator “Tre”.
The malware researchers from ZLab analyzed a new strain of Android malware that appears as a fake 3MobileUpdater. The malware looks like a legitimate app used to retrieve the mobile system update, but it hides a powerful spyware which gathers user info from the smartphone.

In order to trick users, the malicious app pretends to be software distributed by the Italian telco company Tre H3G (see the app logo) to check for and download smartphone updates.

Figure 1 – Fake Tre Updater – App logo and alert

When the user clicks on the “3 Mobile Updater”, the app shows the screen in the above picture, inviting the user to wait while the system configuration is updated.

In this way, the user will not remove the application while waiting for the installation of the legitimate update, but in the background the malware launches a service which periodically sends information to, and retrieves commands from, a Command and Control server available at “url[.]plus”.

The capabilities of this malicious app are extensive and include gathering information from various sources, including the most popular social apps such as WhatsApp, Telegram, Skype, Instagram and Snapchat. It is also able to steal pictures from the gallery, SMS messages and the call log. All this data is first stored in a local database created by the malicious app and later sent to the C2.

Despite its capabilities, the app does not appear well written. The DEBUG flag of the application is enabled, so many activities are logged to the Android logcat and are easily visible.

The presence of the string “TEST” in many strings and some evident coding errors, along with the absence of any obfuscation mechanism, suggest the malicious app was not written by skilled developers.

The fake Tre updater is probably a “beta” release or still in a test phase, which means the application is not yet widespread.

Finally, it is interesting to highlight that the malware authors used the Italian language, both in the logcat messages and in the code. This circumstance, along with the fact that the attackers masqueraded the malware as a fake Tre updater, suggests the vxers are Italian.

According to our analysis the fake Tre updater was developed by an Italian firm; the targets and motivations are still not clear.

This report could be the starting point for an investigation by Italian law enforcement; it also includes Yara rules that could be used to detect the threat.

You can download the full ZLAB Malware Analysis Report at the following URL:

Malware Analysis Report: Fake 3MobileUpdater

RSA Authentication SDK affected by two critical vulnerabilities, patch it now!
4.12.2017 securityaffairs  Vulnerability

Two different critical vulnerabilities were found in the RSA Authentication SDK (software development kit); patch them as soon as possible.
The first bug, tracked as CVE-2017-14377, is an authentication bypass that affects the RSA Authentication Agent for Web for Apache Web Server. The flaw could be exploited by a remote unauthenticated user by sending a crafted packet that triggers a validation error, thereby gaining access to resources on the target.

“Due to an improper input validation flaw in RSA Authentication Agent for Web for Apache Web Server, a remote malicious user can potentially bypass user authentication and gain unauthorized access to resources protected by the agent. The privilege level of an unauthorized user who gains access depends on the authorization policy set by the underlying application that is using the agent,” reads the security advisory.

“This vulnerability is only present when the RSA Authentication Agent for Web for Apache Web Server is configured to use the TCP protocol to communicate with the RSA Authentication Manager server. UDP implementation, which is the default configuration, is not vulnerable. Please refer to the RSA Authentication Agent 8.x for Web for Apache Web Server Installation and Configuration Guide for configuration details.”


It is possible to mitigate the issue by configuring the authentication agent to use UDP; RSA has also already released a patch at the following address:


The second critical vulnerability, tracked as CVE-2017-14378, affects the RSA Auth Agent SDK for C, which means that any other system developed with the SDK would inherit it. The vulnerability does not affect the Java version of the SDK.

Versions 8.5 and 8.7 of the RSA Authentication Agent SDK have an error handling flaw affecting TCP asynchronous mode implementations that could be exploited by an attacker to bypass authentication in certain limited implementations.

“A security vulnerability in RSA Authentication Agent API/SDK for C versions 8.5 and 8.6 could potentially lead to authentication bypass in certain limited implementations.”

“RSA Authentication Agent API/SDK 8.5/8.6 for C has an error handling flaw that could lead to authentication bypass in certain limited implementations. This issue will occur when the API/SDK is used in TCP asynchronous mode and return codes from the API/SDK are not handled properly by the application.” reads the security advisory.

“Implementations handling the API/SDK return codes appropriately (per coding guidelines documented in the RSA Authentication Agent API for C Developer’s Guide) are not vulnerable.”

The patch for the C version of the SDK is available at the following URL:


Experts discovered a new Shadow BTCware Ransomware variant
4.12.2017 securityaffairs  Ransomware

The security expert Michael Gillespie discovered a new variant of the Shadow BTCware Ransomware which is manually installed on unsecured systems.
The security expert Michael Gillespie discovered a new variant of the BTCWare ransomware; the malicious code is spread by hacking into poorly protected remote desktop services and is manually installed by the crooks.

The new Shadow BTCware Ransomware variant appends the .[email]-id-id.shadow extension to the encrypted files; compared to previous versions, it uses new email addresses that a victim should contact to receive instructions on paying the ransom.

In the last version analyzed by the expert and reported by Bleeping Computer, the contact email address used by crooks is paydayz@cock.li.

Shadow BTCware Ransomware Ransom Note

The extension appended to encrypted files has also changed: the Shadow BTCware Ransomware variant appends the .[email]-id-[id].shadow extension to the encrypted file’s name (e.g. the file test.jpg is renamed to test.jpg.[paydayz@cock.li]-id-C0C.shadow).

“All your files have been encrypted!

All your files have been encrypted due to a security problem with your PC. If you want to restore them, write us to the e-mail paydayz@cock.li
You have to pay for decryption in Bitcoins. The price depends on how fast you write to us. After payment we will send you the decryption tool that will decrypt all your files.
Free decryption as guarantee
Before paying you can send us up to 3 files for free decryption. The total size of files must be less than 1Mb (non archived), and files should not contain valuable information. (databases,backups, large excel sheets, etc.)
How to obtain Bitcoins.” reads an excerpt of the ransom note.

As usual, to protect your system you need a proper cybersecurity posture. You should have a reliable and tested backup of your data and, of course, you have to use security solutions with behavioral detection.

As usual, let me suggest that you do not open attachments coming with unsolicited email messages, that you scan attachments with security tools (e.g. VirusTotal), and that you make sure the OS and all software are up to date.

Use strong passwords to protect your web services and never reuse the same password at multiple sites.

Further details, including the IoCs, have been published by Bleeping Computer.

UK Warns Against Gov Use of Russia-based AV Companies
4.12.2017 securityweek BigBrothers
UK NCSC Chief Warns of Supply Chain Risk from Anti-Virus (AV) Software Products

The UK's National Cyber Security Center (NCSC) has warned against UK government departments and agencies using Kaspersky Lab products. The ban is not as forthright or as explicit as September's DHS ban on U.S. government agencies using Kaspersky; but it will, for the time being at least, have a similar effect in the UK.

On Friday, NCSC chief Ciaran Martin wrote to permanent secretaries (the most senior civil servants in a UK government ministry) warning about the issue of supply chain risk in cloud-based products. In this sense it is a general warning that all security officers would do well to heed. The NCSC is not a regulator and cannot insist -- but its guidance will undoubtedly be observed.

The warning focuses on Russia and explicitly calls out Kaspersky Lab.

"The NCSC advises that Russia is a highly capable cyber threat actor which uses cyber as a tool of statecraft. This includes espionage, disruption and influence operations. Russia has the intent to target UK central Government and the UK's critical national infrastructure," Martin wrote. "However," adds the letter, "the overwhelming majority of UK individuals and organisations are not being actively targeted by the Russian state, and are far more likely to be targeted by cyber criminals."

The unstated implication is that consumers can carry on using Kaspersky Lab, but that government -- or indeed any organization that processes information classified SECRET and above -- should never use a Russia-based AV provider. This idea is expanded in an associated blog post from Ian Levy, the NCSC technical director. He comments, "We see no compelling case at present to extend that advice to wider public sector, more general enterprises, or individuals." In fact, he goes further: "We really don't want people doing things like ripping out Kaspersky software at large, as it makes little sense."

However, there is also a silver lining for Kaspersky Lab in this warning. Kaspersky is specifically named only twice towards the end of the letter to the permanent secretaries. Firstly, the letter states that the NCSC is in discussion with the Russian firm "about whether we can develop a framework that we and others can independently verify, which would give the Government assurance about the security of their involvement in the wider UK market." Secondly, the letter adds that the NCSC will be transparent about the outcome of these discussions, and "will adjust our guidance if necessary in the light of any conclusions."

This is an approach that Kaspersky Lab has already offered to the U.S. government. In July 2017 Kaspersky Lab offered to give its source code to the U.S. government for analysis. "Anything I can do to prove that we don't behave maliciously I will do it," said CEO Eugene Kaspersky. There is precedent for such code review in the UK. In October, Kaspersky launched a Global Transparency Initiative whose goal is to help the company clear its name following the reports about its inappropriate ties to the Russian government.

Chinese firm Huawei's network products are effectively banned in the U.S. over fears that they could contain backdoors capable of leaking sensitive information back to China. These products are not banned in the UK -- largely down to the operations of a building, commonly known as The Cell, in the market town of Banbury. Here the NCSC has oversight of Huawei source code, and engineers reverse engineer the code looking for flaws and backdoors. Huawei has been given a green light in the UK.

If Kaspersky Lab and the NCSC can come to a similar arrangement with the anti-virus code, then a UK accommodation with Kaspersky Lab might be possible. Eugene Kaspersky is optimistic, tweeting on Saturday, "Let me stress: there is *no* ban for KL products in the UK. We are in touch with @NCSC regarding our Transparency Initiative and I am sure we will find the way to work together."

It will not be easy. Analyzing firmware in a hardware product is easier than analyzing the flow of traffic into and through the cloud; and it is noticeable that the NCSC's primary concern is "the issue of supply chain risk in cloud-based products."

"By definition," explains cyber security researcher and consultant Stewart Twyneham, "anti-virus software needs to have total access to a computer in order to prevent infection -- and modern quarantine mechanisms will often upload suspect viruses to the cloud so that researchers can learn more. This is alleged to have happened in the case of Nghia Hoang Pho back in 2015 -- who copied secret NSA security exploits onto his home computer, which was running Kaspersky's anti-virus."

Pho was charged and pleaded guilty late last week to removing and retaining top-secret documents from his employer, the NSA. The suggestion is that Russian intelligence learned of the presence of this data through automatic uploads of suspect malicious files to Kaspersky's cloud, and then hacked into Pho's computer. How Russian intelligence learned of the NSA files is what is unknown and is the cause for concern. But since this sort of knowledge cannot come from a code review, the possibility even if not the probability of a clandestine relationship between Kaspersky Lab and Russian intelligence can never be proven one way or the other.

If a Kaspersky Lab code review by NCSC finds no back doors or flaws in the software, it is still unlikely to change NCSC guidance over top secret documents. However, since there will be little interest from Russian intelligence in standard consumer computers, it could lead to a tacit acceptance guide for any user outside of government. Further, since the NCSC has promised to be transparent in any findings, that tacit acceptance could be interpreted as explicit acceptance for all users outside of government.

In March of this year, the NCSC warned about "the potential for hostile action against the UK political system." Without confirming that the main threat is from Russia, the letter makes it clear that the primary threat is considered to be that country.

Breach at PayPal Subsidiary Affects 1.6 Million Customers
4.12.2017 securityweek Incident
PayPal informed customers on Friday that personal information for 1.6 million individuals may have been obtained by hackers who breached the systems of its subsidiary TIO Networks.

TIO is a publicly traded bill payment processor that PayPal acquired in July 2017 for roughly $230 million. The company is based in Canada and it serves some of the largest telecom and utility network operators in North America. TIO has more than 10,000 supported billers and it serves 16 million consumer bill pay accounts.

On November 10, PayPal announced that TIO had suspended operations in an effort to protect customers following the discovery of security vulnerabilities on the subsidiary's platform. PayPal said it had found issues with TIO’s data security program that did not adhere to its own standards.

An investigation conducted in collaboration with third-party cybersecurity experts revealed that TIO’s network had been breached, including servers that stored the information of TIO clients and customers of TIO billers. PayPal said the attackers may have obtained personally identifiable information (PII) for roughly 1.6 million customers.

Affected companies and individuals will be contacted via mail and email, and offered free credit monitoring services via Experian.

While it’s unclear exactly what type of data the hackers have gained access to, the information shared by PayPal and TIO suggests that payment card data and in some cases even social security numbers (SSNs) may have been compromised.

PayPal has highlighted that TIO’s systems have not been integrated into its own platform. “The PayPal platform is not impacted in any way, as the TIO systems are completely separate from the PayPal network, and PayPal’s customers’ data remains secure,” the company said.

The New York State Department of Financial Services (DFS), an agency responsible for regulating financial services and products, has also issued a statement on the incident.

“DFS is working with our regulated entity, PayPal, to investigate and address issues related to cybersecurity vulnerabilities identified at PayPal’s subsidiary, TIO Networks,” the DFS said. “We applaud PayPal’s rapid response to the matter, which put consumers and business clients first, and we appreciate their efforts to inform DFS, as required, in a timely manner. Events like these illustrate the necessity of DFS’s landmark cybersecurity regulation and underscore the strength and effectiveness of our strong state-based financial services regulatory framework, including for the fintech industry.”

TIO said services will not be fully restored until it’s confident that its systems and network are secure.

DHS Says Drone Maker DJI Helping China Spy on U.S.
4.12.2017 securityweek BigBrothers
A memo from the U.S. Department of Homeland Security (DHS) warns that China-based Da-Jiang Innovations (DJI), one of the world’s largest drone manufacturers, has been providing information on critical infrastructure and law enforcement to the Chinese government.

The Los Angeles office of Immigrations and Customs Enforcement (ICE), specifically its Special Agent in Charge Intelligence Program (SIP), issued an intelligence bulletin back in August claiming that DJI is helping China spy on the United States.

A copy of the memo, marked “unclassified / law enforcement sensitive,” was published recently by the Public Intelligence project. The document, based on information from open source reporting and a “reliable source” in the unmanned aerial systems industry, assesses with moderate confidence that DJI is providing data on U.S. critical infrastructure and law enforcement to the Chinese government. The authors of the memo provide several examples of law enforcement and critical infrastructure organizations using DJI drones.

The agency also assesses with high confidence that the company is targeting government and private entities in these sectors in an effort to “expand its ability to collect and exploit sensitive U.S. data.”

ICE claims two of the Android applications provided by DJI for some of its drones automatically tag GPS imagery and location, register facial recognition data even when turned off, and access data in the user’s phone. The data, which the agency claims to include personal information and other sensitive data, such as power control panels and security measures for critical infrastructure sites, is allegedly stored on cloud servers to which the Chinese government “likely has access.”

“SIP Los Angeles assesses with high confidence the critical infrastructure and law enforcement entities using DJI systems are collecting sensitive intelligence that the Chinese government could use to conduct physical or cyber attacks against the United States and its population,” the memo reads. “Alternatively, China could provide DJI information to terrorist organizations, hostile non-state entities, or state-sponsored groups to coordinate attacks against U.S. critical infrastructure.”

The intelligence bulletin also points to a recent memo of the U.S. Army, which instructs units to stop using DJI drones due to cybersecurity vulnerabilities, and a U.S. Navy memo on the operational risks associated with the use of the Chinese firm’s products. DJI has taken some measures to improve privacy following the Army ban.

The ICE document also claims that DJI aggressively dropped drone prices in 2015 to force its main competitors out of the market.

“The bulletin is based on clearly false and misleading claims from an unidentified source,” DJI said in response to the ICE memo. “Several of the key claims made by this unnamed source show a fundamental lack of understanding of DJI, its technology and the drone market.”

The company claims its products are not capable of recognizing a person’s face for identification purposes – a feature exists for tracking the movement of the shape of a person or the shape of their face in order to control the drone, but DJI claims it only works when the system is powered on and the Active Track mode is enabled.

DJI also refutes claims that its pricing strategy has caused competitors to stop production, and denies selling its products cheaper in the U.S. than in China.

“DJI does strive to comply with local laws and regulations in each country where its drones operate and to facilitate compliance by our customers. To the extent that there are location-specific rules and policies within China, we ensure that our systems comply with these rules, including the need to register or include no-fly zones on board,” DJI stated.

“In compliance with the Chinese regulation, DJI utilizes the user’s IP address, GPS location, and MCC ID to determine if a drone is being operated in China. If so, DJI provides the customer with the features necessary to comply with Chinese regulations and policies. Otherwise, DJI provides no information about or data collected by the drone to the Chinese government,” the company added.

DJI has also shared some more information regarding a recent incident involving a researcher who took part in the company’s bug bounty program. The expert had been offered $30,000 after finding some serious vulnerabilities, but he walked away from the deal due to an agreement DJI had asked him to sign.

The accusations brought against DJI are similar to the allegations that Kaspersky Lab is spying for the Russian government. Kaspersky’s products have been banned in U.S. government agencies by the DHS after several media reports on the topic. However, no evidence has been provided to back the claims.

Here's the NSA Employee Who Kept Top Secret Documents at Home
3.12.2017 thehackernews BigBrothers
A former employee—who worked for an elite hacking group operated by the U.S. National Security Agency—pleaded guilty on Friday to illegally taking classified documents home, which were later stolen by Russian hackers.
In a press release published Friday, the US Justice Department announced that Nghia Hoang Pho, a 67-year-old of Ellicott City, Maryland, took documents that contained top-secret national information from the agency between 2010 and 2015.
Pho, who worked as a developer for the Tailored Access Operations (TAO) hacking group at the NSA, reportedly moved the stolen classified documents and tools to his personal Windows computer at home, which was running Kaspersky Lab software.
According to authorities, the Kaspersky Labs' antivirus software was allegedly used, one way or another, by Russian hackers to steal top-secret NSA documents and hacking exploits from Pho's home PC in 2015.
"Beginning in 2010 and continuing through March 2015, Pho removed and retained U.S. government documents and writings that contained national defense information, including information classified as Top Secret and Sensitive Compartmented Information," the DoJ said in disclosing Pho's guilty plea.
"This material was in both hard-copy and digital form, and was retained in Pho’s residence in Maryland."
For those unaware, the U.S. Department of Homeland Security (DHS) has even banned Kaspersky Labs' antivirus software from all of its government computers over suspicion of the company's involvement with the Russian intelligence agency and spying fears.
Kaspersky CEO Says He Would Leave If Russia Asked Him To Spy
Though there's no substantial evidence yet available, an article published by US news agency WSJ in October claimed that Kaspersky software helped Russian spies steal highly classified documents and hacking tools belonging to the NSA in 2015 from a staffer's home PC.
However, Kaspersky Labs has denied any direct involvement with the Russian spies in the alleged incident.
Just last month, Kaspersky claimed that its antivirus package running on the Pho's home PC detected the copies of the NSA exploits as malicious software, and uploaded them to its cloud for further analysis by its team of researchers.
According to the company, as soon as its analysts realized that its antivirus had collected more than malicious binaries, the company immediately deleted the copy of the classified documents, and also created a special software tweak, preventing those files from being downloaded again.
When asked, at a media briefing at Kaspersky's offices in London on Tuesday, whether the Russian intelligence agency had ever asked him to help it spy on the West, CEO Eugene Kaspersky said "They have never asked us to spy on people. Never."
Kaspersky further added that "If the Russian government comes to me and asks me to anything wrong, or my employees, I will move the business out of Russia."
NSA Hacker Faces A Prison Sentence Of Up To 10 Years
In Pho's plea deal with prosecutors, the NSA hacker admitted that he copied information from NSA computers multiple times between 2010 and 2015 and took it all home with him.
Taking classified documents home is a clear violation of known security procedures, and in doing so Pho eventually exposed the top secret information to Russian spies.
Pho has pleaded guilty in a United States district court in Baltimore to one count of willful removal and retention of national defense information; no other charges were filed against him, and there is no mention of Pho selling or passing on that confidential data.
The retention of national defense information offense carries a possible 10-year prison sentence.
Federal prosecutors said they would seek an eight-year sentence for Mr. Pho. However, his attorney can ask for a more lenient sentence.
Pho remains free while awaiting sentencing on 6th April next year.

Google to Block Third-Party Software from Injecting Code into Chrome Browser
3.12.2017 thehackernews Safety
To improve performance and reduce crashes caused by third-party software on Windows, Google Chrome, by mid-2018, will no longer allow outside applications to run code within its web browser.
If you are unaware, many third-party applications, like accessibility or antivirus software, inject code into your web browser to gain more control over your online activities, in order to offer additional features and function properly.
However, Google notes that over 15 percent of Chrome users running third-party applications on their Windows machines that inject code into their web browsers experience crashes—and trust me it's really annoying.
But don't you worry. Google now has a solution to this issue.
In a blog post published Thursday on Chromium Blog, Google announced its plan to block third-party software from injecting code into Chrome—and these changes will take place in three steps:
April 2018 — With the release of Chrome 66, Google will begin informing users if code injection causes their browsers to crash, alerting them with the name of the responsible application and a guide to update or remove it.
July 2018 — Chrome 68 will start blocking third-party software from injecting code into Chrome processes. If this blocking prevents Chrome from starting, the browser will restart and allow the injection, but it will also display a warning guiding users to remove that particular software.
January 2019 — Starting with Chrome 72, this fallback will be removed and Google will always block code injection by third-party software.
However, there will be some exceptions. Google Chrome will continue to allow Microsoft-signed code, accessibility software, and IME software to inject code into your browsers.
Today's blog post is an advance notification for all developers whose applications rely on code injection to function properly: they will have to use either Native Messaging API calls or Chrome extensions to add functionality to the web browser.
"With Chrome extensions and Native Messaging, there are now modern alternatives to running code inside of Chrome processes," Google said.
According to Google, both methods can be used by developers to retain their app features without having to risk browser crashes.
"Fewer crashes mean more happy users, and we look forward to continuing to make Chrome better for everyone," Google said while summing up its blog post.
So, companies have almost 13 months to remove the code-injecting bits from their software. Google is encouraging developers to use the Chrome Beta channel to test their code, though these changes will likely take effect in the Dev or Canary channels even sooner.
Now, what are you waiting for? Get ready to start rewriting your code.

After 27-Year Sentence, Russian Hacker Faces Another 14 Years in Prison
3.12.2017 thehackernews Crime

Roman Valerevich Seleznev, the son of a prominent Russian lawmaker who's already facing a 27-year prison sentence in the United States, has been handed another 14-year prison sentence for his role in an "organized cybercrime ring" that caused $59 Million in damages across the US.
In April this year, Seleznev, the 33-year-old son of a Russian Parliament member of the nationalist Liberal Democratic Party (LDPR), was sentenced to 27 years in prison for payment card fraud, causing nearly $170 million in damages to small business and financial institutions in the US.
The sentence was so far the longest sentence ever imposed in the United States for a hacking-related case.
Now, after pleading guilty in September in two criminal cases stemming from a hacking probe, Seleznev on Thursday received another 14-year prison sentence for racketeering in Nevada and another 14 years on conspiracy to commit bank fraud charges in Georgia.
The sentences will run concurrently to one another as well as to the previous 27-year prison sentence for 38 counts of payment card fraud, wire fraud, hacking, and identity theft.
Besides the prison sentence, Seleznev has also been ordered to pay almost $51 million in the Nevada case and more than $2.1 million in the Georgia case.
The Justice Department said that Seleznev admitted to helping run an identity theft and credit card fraud ring through the Carder.su website.
According to his plea agreement in the Nevada case, Seleznev admitted developing a website that allowed fraudsters and cybercriminals to easily purchase stolen credit card account data for roughly $20 per account number and advertised his site on Carder.su.
"The defendant's website had a simple interface that allowed members to search for the particular type of credit card information they wanted to buy, add the number of accounts they wished to purchase to their 'shopping cart' and upon check out, download the purchased credit card information," US prosecutors said on Thursday.
"Payment of funds was automatically deducted from an established account funded through L.R., an online digital currency payment system. The Carder.su organization's criminal activities resulted in loss to its victims of at least $50,893,166.35."
According to his guilty plea agreement in the Georgia case, Seleznev admitted that he acted as a "casher" who worked with other criminal hackers to withdraw cash using stolen bank account information.
This scheme defrauded an Atlanta-based company that processed credit and debit card transactions on behalf of banks and financial institutions.
Seleznev admitted that in pursuit of this scheme, hackers breached the company's systems in November 2008 and stole 45.5 million debit card numbers, which they used to fraudulently withdraw more than $9.4 million from 2,100 ATMs in 280 cities worldwide in less than 12 hours.
According to the Department of Justice, law enforcement authorities charged a total of 55 individuals in four separate indictments in their massive operation targeting the Carder.su organization, which they called Operation Open Market.
To date, 33 of the charged individuals have been convicted, while the rest are either awaiting trial or on the run.
Seleznev, aka Track2, Bulba and Ncux, was arrested in 2014 while attempting to board a flight in the Maldives and then extradited to America. His arrest sparked an international dispute between the US and Russia, who characterized the extradition as a "kidnapping."
Seleznev, along with other cybercriminals, also developed a hacking scheme that leveraged automated techniques to hack into Point-of-Sale (POS) machines in retailers and install malware to steal copies of credit card numbers.
At his sentencing in April, Seleznev's father, Russian MP Valery Seleznev, said that the sentence was "passed by man-eaters" and that his son was "abducted."
The Russian MP also said that his "son was tortured because being in jail in a foreign country after abduction is torture in itself. He is innocent," and that he viewed the prison sentence as a life sentence, as his son would never survive so many years in prison.

Cryptocurrency Mining Scripts Now Run Even After You Close Your Browser
3.12.2017 thehackernews Safety

Some websites have been found using a simple yet effective technique to keep their cryptocurrency-mining JavaScript secretly running in the background even after you close your web browser.
Due to the recent surge in cryptocurrency prices, hackers and even legitimate website administrators are increasingly using JavaScript-based cryptocurrency miners to monetize their sites by leveraging the CPU power of their visitors' PCs to mine Bitcoin or other cryptocurrencies.
After the world's most popular torrent download website, The Pirate Bay, was caught secretly using Coinhive, a browser-based cryptocurrency miner service, on its site last month, thousands of other websites also started using the service as an alternative monetization model to banner ads.
However, websites using such crypto-miner services can only mine cryptocurrencies as long as you're on their site. Once you close the browser window, they lose access to your processor and associated resources, which stops the mining.
Unfortunately, this is not the case anymore.
Security researchers from anti-malware provider Malwarebytes have found that some websites have discovered a clever trick to keep their cryptocurrency mining software running in the background even when you have closed the offending browser window.
How Does This Browser Technique Work?
According to a blog post published Wednesday morning by Malwarebytes, the new technique works by opening a hidden pop-under browser window that fits behind the taskbar and hides behind the clock on your Microsoft's Windows computer.
From there (hidden from your view), the website runs the crypto-miner code that indefinitely generates cryptocurrency for the person controlling the site while eating up CPU cycles and power from your computer until and unless you notice the window and close it.

Researchers say this technique is a lot harder to identify and is able to bypass most ad-blockers because of how cleverly it hides itself. The crypto-miner is loaded from a crypto-mining engine hosted on Amazon Web Services.
"This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself," Jérôme Segura, Malwarebytes' Lead Malware Intelligence Analyst, says in the post. "Closing the browser using the 'X' is no longer sufficient."
To avoid being noticed, the code running in the hidden browser window watches its CPU usage and keeps it at a medium-level threshold.
You can also have a look at the animated GIF image that shows how this clever trick works.
This technique works on the latest version of Google's Chrome web browser running on the most recent versions of Microsoft's Windows 7 and Windows 10.
How to Block Hidden Cryptocurrency Miners
If you suspect your computer's CPU is running a little harder than usual, look for any browser windows in the taskbar. If you find a browser icon there, your computer is running a crypto-miner. Now simply kill it.
More technical users can open Task Manager to ensure there are no leftover browser processes running and terminate them.
Since web browsers themselves currently do not block cryptocurrency miners, and neither does the integrated Windows Defender antivirus software, you can use antivirus programs that automatically block cryptocurrency miners on the web pages you visit.
For this, you can contact your antivirus provider to check if they do.
Alternatively, you can use web browser extensions, like No Coin, that automatically block in-browser cryptocurrency miners for you and are regularly updated as new mining scripts appear.
Created by developer Rafael Keramidas, No Coin is an open source extension that blocks Coin Hive and other similar cryptocurrency miners and is available for Google Chrome, Mozilla Firefox, and Opera.
No Coin currently does not support Microsoft Edge, Apple Safari, and Internet Explorer. So, those using one of these browsers can use an antimalware program that blocks cryptocurrency miners.

HP Silently Installs Telemetry Bloatware On Your PC—Here's How to Remove It
3.12.2017 thehackernews Safety

Do you own a Hewlett-Packard (HP) Windows PC or laptop?
Multiple HP customers from around the world are reporting that HP has started deploying "spyware" onto their laptops—without informing them or asking their permission.
The application being branded as spyware is actually a Windows Telemetry service deployed by HP, called "HP Touchpoint Analytics Client," which was first identified on November 15.
According to reports on several online forums, the telemetry software—which the HP customers said they never opted to have installed and had no idea was continually running in the background—was pushed out in a recent update.
However, it's not yet clear whether the software came with the latest Microsoft Windows updates or via HP's Support Assistant processes.
An official description of the software says that the program "harvests telemetry information that is used by HP Touchpoint's analytical services."
HP Touchpoint Makes Your Computer Slow
HP customers also complained that the installation slowed down their system significantly.
On HP's customer forum, one user even reported that due to more than 95 percent CPU usage by the analytics service, his system anti-malware software started checking for suspicious activity.
Another HP laptop owner headed to Reddit and said:
"So today all of a sudden, I'm experiencing a considerable slowdown in my laptop (Pavilion P3V59PA). Once I looked for the problem in Task Manager, I found out that the program called HP Touchpoint Analytics Client (and its subsequent follow-up) is constantly jumping the memory usage (~300Mb at a minimum, ~nearly 2Mb at maximum)."
"I don't remember ever installing this program whatsoever, and in control panel, I found that for some reason this program was silently installed today, without my consent."
German blog reader Detlef Krentz contacted borncity this weekend and wrote:
"I noticed that HP secretly installed the program 'HP Touchpoint Analytics Client' on all my HP devices on November 20, 2017. The program connects every day to HP. The files sent can be found under 'Program Data/HP/HP Touchpoint Analytics Client/Transfer Interface.'"
The program seems to send data to the company's server once per day. If you own an HP PC or laptop, you can find this data under ProgramData\HP\HP Touchpoint Analytics Client\Transfer Interface on the Windows drive.
Responding to the allegations, HP said that the company has been shipping the same software on HP laptops since 2014 as part of its Support Assistant software and that it only collects anonymous information about the computer's hardware performance.
However, the only thing that the company has changed is the name.
"HP Touchpoint Analytics is a service we have offered since 2014 as part of HP Support Assistant. It anonymously collects diagnostic information about hardware performance. No data is shared with HP unless access is expressly granted. Customers can opt-out or uninstall the service at any time," HP said in a statement.
"HP Touchpoint Analytics was recently updated, and there were no changes to privacy settings as part of this update. We take customer privacy very seriously and act in accordance with a strict policy, available here."
Here’s How to Remove HP Touchpoint Analytics Client
If you don't want this application to send data from your computer to HP's servers, you can disable the service or uninstall the program completely, which is relatively quick and easy.
To uninstall the service, go to Control Panel, right-click on the program name, and select Uninstall to remove it.
Alternatively, press Windows+R, type "appwiz.cpl," and press Enter to load the Programs and Features control panel applet. Now select "HP Touchpoint Analytics Client" from the list and click "Uninstall/Change" to remove the service from your PC.
A few months ago, HP was caught using a built-in keylogger that silently spied on all your keystrokes and stored every single key-press in a human-readable file located in a public folder, making it accessible to any user or third-party app installed on the PC.
Recently, Lenovo also settled with the Federal Trade Commission (FTC) for a massive $3.5 million fine for preinstalling spyware onto laptops without users' consent.

Halloware Ransomware, a new malware offered for sale on the Dark Web for Only $40
3.12.2017 securityaffairs Ransomware

The Halloware ransomware is a new malware offered for sale on the dark web; its author, who goes online by the moniker Luc1F3R, is selling it for just $40.
According to the experts at Bleeping Computer, Luc1F3R started selling Halloware this week through a dedicated portal on the Dark Web. Luc1F3R claims to be a 17-year-old college student from Northeast India.

“Currently, the malware dev is selling and/or advertising his ransomware on a dedicated Dark Web portal, on Dark Web forums, two sites hosted on the public Internet, and via videos hosted on YouTube.” reported Bleeping Computer.

“The sites are offering a lifetime license for the Halloware ransomware for only $40.”

The low price has made the researchers suspicious, so they decided to investigate the case suspecting a scam.

Operational mistakes in the websites used by Luc1F3R to sell the ransomware allowed the experts from Bleeping Computer to track down a web page where Luc1F3R was hosting an index of Halloware files. The page included weaponized documents used to deliver the malware.


One of the files in the list, hmavpncreck.exe, had the same SHA256 hash for which Luc1F3R included NoDistribute scan results in Halloware’s ad, confirming that it was the malware binary the experts were looking for.

Another file named ran.py seems to be Halloware’s source code.

“While the file was protected, Bleeping Computer managed to extract its source code, which will end up in the hands of other security researchers to create decrypters, in case someone buys this ransomware and uses it to infect real users.” continues the analysis from Bleeping Computer.

The researchers highlighted that Halloware is a working ransomware that encrypts files using a hardcoded AES-256 key and prepends the “(Lucifer)” string to encrypted file names. For example, once encrypted a file named image.png, it will appear as (Lucifer)image.png.

Once the Halloware ransomware has completed the encryption process, it pops up a window showing a creepy clown with a ransom message containing the instructions to pay the ransom and decrypt the data. The victim's desktop wallpaper also displays a similar message, but experts noticed that Halloware ransomware does not drop text files with ransom notes on the infected PCs.


Wannabe criminals who buy the ransomware can generate their own build by changing two images and adding their customized payment site URL.

The experts also noted that the ransomware uses a hardcoded AES key and does not save any information to a remote server, a characteristic that makes the malware of little use to the criminal underground.
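The two behaviours described above, the fixed "(Lucifer)" file-name prefix and the absence of ransom-note files, are enough for a first triage of a suspected infection. The following is an added example, not code from Bleeping Computer or from the malware itself; it assumes only the literal prefix and builds a constructed sample directory tree to scan.

```python
"""Triage helper for a Halloware-style infection (added example).

Relies only on the renaming behaviour described in the article: every
encrypted file gets the literal prefix "(Lucifer)" prepended to its name.
The sample directory tree is constructed inline so the script runs offline.
"""
import os
import tempfile
from collections import Counter
from pathlib import Path

MARKER = "(Lucifer)"


def is_halloware_name(name: str) -> bool:
    """True when the file name carries the Halloware prefix plus an original name."""
    return name.startswith(MARKER) and len(name) > len(MARKER)


def original_name(name: str) -> str:
    """Recover the pre-infection file name from a marked name (unmarked names pass through)."""
    return name[len(MARKER):] if is_halloware_name(name) else name


def scan_tree(root):
    """Walk `root` and return (encrypted_paths, extension_counter).

    encrypted_paths lists every file whose name carries the marker;
    extension_counter counts the *original* extensions so an analyst can
    see at a glance what kind of data was hit.
    """
    hits = []
    exts = Counter()
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if is_halloware_name(fname):
                hits.append(os.path.join(dirpath, fname))
                exts[Path(original_name(fname)).suffix.lower() or "<none>"] += 1
    return hits, exts


def build_sample_tree():
    """Create a constructed directory layout mimicking an infected profile.

    File contents are placeholders, not real ransomware output. Returns the root.
    """
    root = tempfile.mkdtemp(prefix="halloware_demo_")
    layout = {
        "Pictures/(Lucifer)image.png": b"cipher",
        "Pictures/(Lucifer)holiday.jpg": b"cipher",
        "Documents/(Lucifer)report.docx": b"cipher",
        "Documents/notes.txt": b"untouched plain text",
        "Documents/(Lucifer)": b"marker with no original name",  # edge case, ignored
    }
    for rel, data in layout.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(data)
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    hits, exts = scan_tree(demo_root)
    print(f"{len(hits)} files carry the {MARKER} marker under {demo_root}")
    for p in hits:
        print(f"  {p}  ->  original name: {original_name(os.path.basename(p))}")
    print("original extensions:", dict(exts))
```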

According to Bleeping Computer Luc1F3R is a novice without particular skills. His tutorials published on YouTube describe basic hacking techniques or promote unsophisticated malware.

Some of the video tutorials reference Luc1F3R's GitHub account, which hosts four malware strains:
A Batch-based ransomware.
A Windows keylogger.
A Linux keylogger.
A bulk spoofed email sender.
Further details, including IoCs, are available on the Bleeping Computer website.

Europol and law enforcement agencies dismantled a criminal ring specialized in ATM attacks and payment Card Fraud
3.12.2017 securityaffairs CyberCrime

Law enforcement agencies dismantled a criminal ring and arrested four key members responsible for ATM attacks and performing illegal transactions.
European law enforcement agencies announced the success of an operation called “Neptune” that led to the dismantling of a criminal ring and the arrest of four key members responsible for stealing payment card data and performing illegal transactions.

The investigation, supported by Europol, involved law enforcement agencies in Italy, Bulgaria, and the Czech Republic.

“The operation run by the Italian Carabinieri, in cooperation with the Bulgarian General Directorate of Combating Organised Crime, and the National Police of Czech Republic, supported by Europol’s European Cybercrime Centre (EC3) culminated today with the arrest of four Bulgarian citizens.” states the press release published by Europol.

“The leaders of the transnational criminal group actively supervised all stages of criminal activities, including placing technical equipment on ATMs in the central areas of European cities, producing counterfeit credit cards and subsequently cashing out money from ATMs in non-European countries, for example Belize, Indonesia and Jamaica.”

The four, all Bulgarian citizens, were arrested on November 30, 2017.

Crooks targeted ATMs in central areas of European cities to steal credit card data by placing skimmers and hidden cameras. The stolen data were used to clone the cards, and the fake cards were then used to cash out money from ATMs in non-European countries, including Belize, Indonesia and Jamaica.

Investigators identified dozens of ATMs that have been compromised by the crooks.

Law enforcement seized more than 1,000 counterfeit credit cards and collected evidence of many fraudulent international transactions worth more than EUR 50,000.

“The coordination and exchange of intelligence has been supported by the Joint Cybercrime Action Taskforce (J-CAT) set up at Europol. Since most of the illegal transactions with counterfeit cards took place overseas, the cooperation through dedicated investigative networks set up by Europol has been instrumental.” continues the press release.

In September, a report published by Europol warned of a rise in cyber attacks against ATMs. Criminal organizations are targeting ATMs through the banks’ networks, and the operations involve squads of money mules for the cash-out.

Earlier this week, Europol shared the results of the European Money Mule Action ‘EMMA3’, a global law enforcement operation against money muling. The operation resulted in 159 arrests, 409 suspects interviewed, and 766 money mules and 59 money mule organizers identified.

Kaspersky case – Now we know who is the NSA hacker who kept Agency’s cyber weapons at home
3.12.2017 securityaffairs BigBrothers

A former NSA hacker pleaded guilty on Friday to illegally taking classified documents home, which were later stolen by Russian cyber spies.
A member of the US National Security Agency Tailored Access Operations hacking team, Nghia Hoang Pho (67) pleaded guilty in a US district court in Baltimore on Friday to one count of willful retention of national defense information.

The Vietnam-born American citizen, who lives in Ellicott City, Maryland, has been charged with illegally removing top secret materials.

The NSA hacker admitted taking home copies of classified NSA hacking tools and exploits with the knowledge that they were cyber weapons.

The tools were detected by the Kaspersky Lab software installed on the NSA hacker’s personal computer and were sent back to Kaspersky’s server for further analysis.

Kaspersky Lab recently published a detailed report on how cyber spies could easily have stolen the software exploits from the NSA employee’s Windows PC.

According to the telemetry logs collected by the Russian firm, the staffer temporarily switched off the antivirus protection on the PC and infected his personal computer with spyware from a product key generator while trying to use a pirated copy of Office.

On September 11, 2014, Kaspersky antivirus detected the Win32.GrayFish.gen trojan on the NSA employee’s PC; some time later the employee disabled the Kaspersky software to execute the activation-key generator.

When the antivirus was reactivated on October 4, it removed the backdoored key-gen tool from the NSA employee’s PC and uploaded it to Kaspersky’s cloud for further analysis.

Kaspersky published a second report that sheds light on the investigation conducted by the firm into the NSA-linked Equation Group APT.

Kaspersky began searching its databases from June 2014, 6 months prior to the alleged hack of its antivirus, for all alerts containing wildcards such as “HEUR:Trojan.Win32.Equestre.*”. The experts found a few test signatures in place that produced a LARGE number of false positives.

The analysis revealed a specific signature that fired a large number of times in a short time span on just one system, namely the signature “HEUR:Trojan.Win32.Equestre.m”, together with a 7zip archive (referred to below as “[undisclosed].7z”). This was the starting point for the analysis of the system, which was found to contain not only this archive but also many files, both common and unknown, indicating that the user was probably involved in malware development.

The analysis of the computer where the archive was found revealed that it was already infected with malware. In October of that year the user downloaded a pirated copy of Microsoft Office 2013, but the .ISO contained the Mokes backdoor.

Kaspersky was able to detect and halt Mokes, but the user turned off the Russian software to execute the keygen.

Once the antivirus was turned on again, it detected the malware. Kaspersky added that over a two-month period its security software found 128 separate malware samples on the machine that were not related to the Equation Group.

Kaspersky found that the Mokes’ command and control servers were apparently being operated by a Chinese entity going by the name “Zhou Lou”, from Hunan, using the e-mail address “zhoulu823@gmail.com.”

The security firm explained that it’s also possible that the NSA contractor’s PC may have been infected with a sophisticated strain of malware developed by an APT that was not detected at the time.


The NSA hacker Pho now faces roughly six to eight years in prison, with sentencing set for April 2017.

According to the plea deal, Pho broke federal law because he took the code home multiple times; he admitted that, over a five-year period starting in 2010, he copied the information from NSA machines and took it all home with him.

“Beginning in 2010 and continuing through March 2015, Pho removed and retained U.S. Government documents and writings that contained national defense information, including information classified as Top Secret and Sensitive Compartmented Information,” the US Department of Justice said in disclosing the guilty plea.

“This material was in both hard-copy and digital form, and was retained in Pho’s residence in Maryland.”

The positive aspect of the story is that Pho did not act for cyber espionage purposes: he wasn’t charged with selling or passing off any of the data.

The fact that Pho was the third NSA employee charged in the past two years for taking home top-secret information is embarrassing and highlights the risk of insiders.

Anonymous launch Brazilian Corrupt Public Sector Entities Data Leak
3.12.2017 securityaffairs Cyber

In an astonishing move, Anonymous leaked infrastructure topology data of public sector entities for the people of Brazil in the midst of the Lava Jato scandal.
The compromised data includes IP addresses from the public sector, ranging from law enforcement agencies to local municipalities. This data leak comes at a moment when a strong fight against corruption is taking place.

The data leak reveals a lack of maturity in adopting a framework, such as NIST’s, for protecting the confidentiality of information in the country’s information technology landscape.

Nowadays it may seem quite usual to see such events in the evolving and changing threat landscape, and it was to be expected, as hackers usually come up with new attacks as the year approaches its end.

The data reveal in great detail how the network topology of critical services infrastructure is structured, including routers, firewalls and other exposed services.


It is important to note that all IP ranges of the São Paulo military and civil police were leaked, including servers related to public identification and public safety. The compromised data also describes the police servers entirely, exposing not only the identity of every police officer but also the entire public security office.

As presented in the accompanying message, the intent of the hackers was to fight corruption in Brazil, a fight that has taken new ground: the 5th domain. The cyber domain has reached public opinion, where the scrutiny of a society demanding justice is one mouse click away. These corrupt law enforcement agencies are globally known to be involved in extortion, drug trafficking, murder, oppression, violations of the United Nations Human Rights and violence against minorities such as black people and homosexuals.

The fight against corruption, abuse of power and abuse of authority can be a new front line for the Lava Jato operation, including the police of the state of São Paulo, where the population lives hostage to a public service colluding with organized crime. As shown in the media outlets this week, a strong stance must be taken to meet the public’s demand for justice and morality in the use of the taxes paid by every citizen.

This single event brings forth an important question: the importance of developing and implementing a security framework like NIST’s to address cyber security for ICS/SCADA industrial control systems. It is important to note that the framework is structured in such a way that it can be adapted to the existing model in use. Critical infrastructure, in the face of today’s information security challenges, must address threats from rogue nations like North Korea and China.

The data leak is available at the following URL


At least six thousand Lantronix Serial-To-Ethernet devices are leaking Telnet passwords
3.12.2017 securityaffairs Safety

Security researcher discovered thousands of Lantronix Serial-to-Ethernet devices connected online that leak Telnet passwords.
The security researcher Ankit Anubhav, principal researcher at NewSky Security, has discovered thousands of Serial-to-Ethernet devices connected online that leak Telnet passwords.

Hackers can use the leaked passwords to launch cyber attacks against the equipment that is connected to them.

Serial-to-Ethernet “device servers” are used by companies to connect to remote equipment that only exposes a serial interface.

The flawed Serial-to-Ethernet “device servers” are manufactured by the US vendor Lantronix.

The UDS and xDirect products make it easy to manage devices via a LAN or WAN connection; this type of device allows Ethernet connectivity to be added to virtually any device or machine with a serial interface.
Users just need to connect the device’s RS-XXX serial connector to the product, which exposes an RJ-45 Ethernet connector that can be used to control the device.
The “device servers” are widely adopted to give connectivity to ICS (Industrial Control Systems); most of this is very old equipment that only comes with serial ports.

According to Ankit Anubhav, about half of the Lantronix device servers exposed online leak their Telnet passwords. An attacker can take over a device via Telnet and use the privileged access to send serial commands to the connected equipment.

“6,464 Lantronix device servers that may be connected to critical ICS-grade equipment are proudly exposing their passwords,” Anubhav told Bleeping Computer. “This accounts for 48% of the devices on Shodan.”

Imagine the potential dangers of a cyber attack against an ICS equipment exposed online through the vulnerable Lantronix device.

Anubhav explained that the data exposure is due to an old flaw that allows attackers to retrieve the setup config of Lantronix devices by sending a malformed request on port 30718.

The Metasploit framework includes a Lantronix “Telnet Password Recovery” module that retrieves the setup record from Lantronix serial-to-ethernet devices via the config port (30718/udp, enabled by default on old versions of Lantronix devices) and extracts the Telnet password in plain text.

Once again, poor patch management is the root cause of the problem: the vulnerable devices have not received the security updates that fix the issue.

Microsoft Office contains a 17-year-old bug. Hackers are exploiting it

3.12.2017 Novinky/Bezpečnost Vulnerabilities
The popular Office suite from Microsoft has a critical security flaw. The American software giant has already released a fix for this hole, but it is almost certain that a non-negligible share of users have not yet installed it. And it is exactly these users that hackers are now targeting, the server The Hacker News reported.
The problem affects the Office 2007, 2010, 2013 and 2016 suites.

The hole concerns the Equation Editor, which is an integral part of the Office suite. It is, however, a very old program that made its debut back in 2000.

And after 17 years, a critical security flaw has been found in this module, which is very often used by students. Hackers can exploit it to install practically any malicious code on the PC; they can even take control of the computer remotely.

Attackers plant a specially crafted document
It is enough for the victim to open a specially crafted document, which opens a back door into the operating system for the cybercriminals.

Security experts from Fortinet have now captured several malicious codes that attempt to exploit this hole. The attackers are betting on the fact that many users underestimate the security of their PCs and do not download updates regularly. Not even the important ones: the security updates.

These users are thus putting their computers at the mercy of hackers.

Install the updates. Immediately
The hole affects the Office 2007, 2010, 2013 and 2016 suites, in which the Equation Editor is included as a basic feature. Owners of Office 2000 and 2003 could theoretically also be affected, but in those versions the module was installed optionally.

Users of the affected office suites should immediately install all security updates currently available. They can be downloaded directly from within Office or via the Windows Update service.

Researchers discover a vulnerability in the DIRTY COW original patch
2.12.2017 securityaffairs Vulnerability

Researchers discovered that the original patch for the Dirty COW vulnerability (CVE-2016-5195) is affected by a security flaw.
The original patch for the Dirty COW vulnerability (CVE-2016-5195) is affected by a security flaw that could be exploited by an attacker to run local code on affected systems and exploit a race condition to perform a privilege escalation attack.

The vulnerability was rated as “Important” and received a CVSS score of 6.1; it was patched in October 2016.

The name ‘Dirty COW‘ is due to the fact that it’s triggered by a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings.

According to the security advisory published by Red Hat, the vulnerability, tracked as CVE-2016-5195, allows local attackers to modify existing setuid files.


Now the flaw in the original patch, tracked as CVE-2017-1000405, was identified by researchers at the security firm Bindecy.

“In the “Dirty COW” vulnerability patch (CVE-2016-5195), can_follow_write_pmd() was changed to take into account the new FOLL_COW flag (8310d48b125d “mm/huge_memory.c: respect FOLL_FORCE/FOLL_COW for thp“). We noticed a problematic use of pmd_mkdirty() in the touch_pmd() function. touch_pmd() can be reached by get_user_pages().” reads the advisory published by Bindecy.

“In such case, the pmd will become dirty. This scenario breaks the new can_follow_write_pmd()’s logic – pmd can become dirty without going through a COW cycle – which makes writing on read-only transparent huge pages possible.”

The new bug is not as severe as the original ‘Dirty cow’ vulnerability that affected many more Linux distributions and the Android operating system.

The current bug doesn’t affect Android or Red Hat Enterprise Linux, but millions of machines are still vulnerable.

According to Red Hat, the vulnerability does not affect the Linux kernel packages shipped with Red Hat Enterprise Linux 5, 6, 7 and Red Hat Enterprise MRG 2.

The patch released in October 2016 addressed the Dirty COW vulnerability for both regular pages and transparent huge pages.

Eylon Ben Yaakov published a technical report on the flaw in the DIRTY COW patch.

The researchers reported the flaw to the Linux Kernel Organization on November 22; the patch was committed to the mainline kernel on November 27, and the flaw was officially disclosed on December 1.

Bindecy experts published a PoC code that overwrites the zero-page of the system.

The advisory published by Red Hat includes a mitigation suggestion that consists of disabling the use of the “zero page”.

“It is possible to prevent the zero page from being mapped as a huge page, by modifying a configuration tunable in the /sys directory… This prevents the flaw from being exercised in this method.
# echo 0 > /sys/kernel/mm/transparent_hugepage/use_zero_page
Disabling huge pages: It is possible to mitigate this flaw by disabling hugepages on a system,” according to Red Hat.
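Whether the Red Hat mitigation quoted above is actually in place on a host can be checked from user space by reading the transparent-hugepage tunables. This is an added example, not code from Bindecy or Red Hat; beyond the use_zero_page knob named in the advisory it assumes that "disabling hugepages" is done through the standard enabled tunable in the same directory, and it constructs a fake sysfs tree so the demo runs without root or a vulnerable kernel.

```python
"""Check whether the THP zero-page mitigation for CVE-2017-1000405 is in place.

Added example (not from Bindecy or Red Hat). It reads two sysfs tunables:
  <root>/kernel/mm/transparent_hugepage/use_zero_page   -> "0" or "1"
  <root>/kernel/mm/transparent_hugepage/enabled         -> "[always] madvise never"
`sysfs_root` defaults to /sys; the demo builds a constructed copy of those
files in a temp directory so the script runs anywhere.
"""
import tempfile
from pathlib import Path

THP_DIR = "kernel/mm/transparent_hugepage"


def parse_bracketed(text: str) -> str:
    """Return the selected value of a sysfs line such as '[always] madvise never'."""
    for token in text.split():
        if token.startswith("[") and token.endswith("]"):
            return token[1:-1]
    return text.strip()  # single-value files (use_zero_page) carry no brackets


def thp_status(sysfs_root="/sys"):
    """Read both tunables; a missing file (THP not compiled in) is reported as None."""
    base = Path(sysfs_root) / THP_DIR
    status = {}
    for name in ("enabled", "use_zero_page"):
        try:
            status[name] = parse_bracketed((base / name).read_text())
        except FileNotFoundError:
            status[name] = None
    return status


def zero_page_thp_possible(status) -> bool:
    """True when a huge zero page can still be mapped, i.e. the PoC path is open.

    The advisory's path needs THP available for at least some mappings AND the
    huge zero page in use; either knob closes it.
    """
    enabled, use_zero = status["enabled"], status["use_zero_page"]
    if enabled is None or use_zero is None:
        return False  # no THP support at all
    return enabled != "never" and use_zero == "1"


def mitigation_commands(status):
    """Root commands an admin would run, from the Red Hat advisory (zero page) and the
    standard THP enabled tunable (assumption: that is how 'disable hugepages' is done)."""
    cmds = []
    if zero_page_thp_possible(status):
        cmds.append(f"echo 0 > /sys/{THP_DIR}/use_zero_page")
        cmds.append(f"echo never > /sys/{THP_DIR}/enabled")  # heavier option
    return cmds


def write_fake_sysfs(enabled_line, use_zero_page):
    """Construct a sysfs look-alike for testing; returns its root path."""
    root = tempfile.mkdtemp(prefix="thp_demo_")
    base = Path(root) / THP_DIR
    base.mkdir(parents=True)
    (base / "enabled").write_text(enabled_line + "\n")
    (base / "use_zero_page").write_text(use_zero_page + "\n")
    return root


if __name__ == "__main__":
    # Constructed state of a typical unmitigated box: THP always on, zero page in use.
    root = write_fake_sysfs("[always] madvise never", "1")
    st = thp_status(root)
    print("status:", st, "| exposed:", zero_page_thp_possible(st))
    for c in mitigation_commands(st):
        print("  #", c)
    # On a live host call thp_status() with the default /sys root instead.
```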

Google Chrome will block code injection from third-party software within 14 months
2.12.2017 securityaffairs Safety

Google announced the block of code injection from third-party applications into the Chrome browser. Developers have 14 months to update their code.
Google continues to improve the security of its products and services; the IT giant announced a plan for blocking third-party applications from injecting code into the Chrome browser.

The decision will have a significant impact on many third-party applications, including antivirus and security software that inject code into browser processes to intercept cyber threats.

“Roughly two-thirds of Windows Chrome users have other applications on their machines that interact with Chrome, such as accessibility or antivirus software.” states the blog post published on Google Chromium.

“In the past, this software needed to inject code in Chrome in order to function properly; unfortunately, users with software that injects code into Windows Chrome are 15% more likely to experience crashes”

The tech giant will introduce the change in three main phases over a 14-month plan.

The plan is as follows:

Phase 1:
In April 2018, Chrome 66 will begin showing users a warning after a crash, alerting them that third-party software attempted to inject code into the browser and guiding them to update or remove that software.


Phase 2:
Starting from July 2018, Chrome 68 will begin blocking third-party software from injecting into Chrome processes.

If this blocking prevents the Chrome browser from starting, it will restart and allow the injection, but will also show a warning that guides the user to remove the software.

Phase 3:
In January 2019, Chrome 72 will remove this accommodation and always block code injection.

Google will allow some exceptions for Microsoft-signed code, accessibility software, and IME (Input Method Editor) type-assist software.

“While most software that injects code into Chrome will be affected by these changes, there are some exceptions. Microsoft-signed code, accessibility software, and IME software will not be affected. As with all Chrome changes, developers are encouraged to use Chrome Beta for early testing.” continues Google.

According to the search giant, fewer crashes mean happier users, and the company is committed to giving users a better experience.

Developers of Windows software that works with Chrome are encouraged to switch channels and test their code on the Beta channel, which exposes upcoming versions of the browser.

Instead of code injection, developers can move to supported Chrome features such as browser extensions or the Native Messaging API.

Russian cybercriminal Roman Seleznev gets another prison sentence
2.12.2017 securityaffairs CyberCrime

Seleznev gets another prison sentence: 14 years for the charge in Nevada and another 14 years for the second charge in Georgia.
In April, the Russian hacker Roman Seleznev, aka Track2, Bulba and Ncux, was sentenced to 27 years in prison after being convicted of causing $170 million in damage by hacking into point-of-sale systems.

The 33-year-old was sentenced by a U.S. court to 27 years in prison for 38 counts of wire fraud, hacking, identity theft, and payment card fraud.

Seleznev pleaded guilty to racketeering and conspiracy to commit bank fraud charges on September 7; he has now received a further 14-year prison sentence for the first charge, in Nevada, and another 14 years for the second charge, in Georgia.

Seleznev must pay roughly $51 million in the Nevada case and more than $2.1 million in the Georgia case.

The new sentences follow the 27-year sentence handed down in April.

Seleznev was a member of the criminal ring known as Carder.su, which focused on identity theft and credit card fraud. He advertised his own website, which offered stolen payment card data, on Carder.su.

According to the US prosecutors, activities conducted by members of Carder.su caused $50,893,166.35 losses, roughly the same amount that Seleznev has been ordered to pay.


Authorities conducted a massive operation against members of the Carder.su community, they charged 55 individuals and 33 of them have already been convicted.

Seleznev admitted being a “casher” in the Georgia case, he withdrew cash using stolen bank account information. He was involved in a fraudulent activity against an Atlanta-based firm that processed credit and debit card transactions for financial institutions.

The crooks stole more than 45 million payment cards from the financial firm, then used them to withdraw over $9.4 million from 2,100 ATMs in 280 cities worldwide in less than 12 hours.

Elite U.S. Government Hacker Charged With Taking Secret Information
2.12.2017 securityweek BigBrothers
A member of the US National Security Agency's elite hacking team has been charged with illegally removing top secret materials, in an embarrassing breach for the crucial electronic espionage body.

The Justice Department said Friday that Nghia Hoang Pho, 67, a 10-year veteran of the NSA's Tailored Access Operations unit, which broke into computer systems, agreed to plead guilty to a single charge of removing and retaining top-secret documents from the agency.

He kept the material at his Ellicott City, Maryland home.

According to The New York Times, it was Vietnam-born Pho's computer that Russian hackers apparently accessed, via his use of Kaspersky software, to steal files and programs the NSA had developed for its own hacking operations.

The Justice Department said Pho had taken printed and digital copies of documents and writings labelled "secret," and containing sensitive "national defense information," and stored them in his home from 2010 until he was caught in 2015.

It gave no detail on why he did that, and did not say whether Pho had revealed or lost any of the information.

Pho faces up to 10 years in prison, though he could negotiate a lighter punishment.

He was the third NSA employee charged in the past two years for taking home top-secret information.

The NSA declined to respond to questions on the case.

In October The Wall Street Journal reported that Russian hackers exploited anti-virus software made by Kaspersky Lab to steal top secret materials from an unnamed NSA employee.

The Journal said the 2015 hack led to the Russians obtaining information on how the NSA itself penetrates foreign computer networks and protects itself from cyberattacks.

The incident was a key reason why the US government earlier this year announced a ban on use of Kaspersky anti-virus software on government computers, warning that the Moscow-based company has suspect links to Russian intelligence.

Kaspersky denies any ties to the Russian government, but said its own forensic investigation did show that hackers made use of its software to break into the NSA worker's home computer.

Kaspersky said what was stolen included essential source code for so-called Equation Group hacking software from the NSA.

Siemens Patches Several Flaws in Teleprotection Devices
2.12.2017 securityweek ICS
Siemens has patched several vulnerabilities, including authentication bypass and denial-of-service (DoS) flaws, in its SWT 3000 teleprotection devices.

The SWT 3000 teleprotection devices are designed for quickly identifying and isolating faults in high-voltage power grids. This Siemens product is used in the energy sector worldwide.

According to advisories published by both Siemens and ICS-CERT, medium severity vulnerabilities have been found in the EN100 Ethernet module used by SWT 3000 devices running IEC 61850 and TPOP firmware.

The flaws can be exploited to bypass authentication to the web interface and perform administrative operations (CVE-2016-7112, CVE-2016-7114), and to cause devices to enter a DoS condition by sending specially crafted packets (CVE-2016-7113).

Flaws related to the product’s web server can be leveraged by a network attacker to obtain sensitive device information (CVE-2016-4784), and data from the device’s memory (CVE-2016-4785).

The security holes have been addressed in IEC 61850 firmware with the release of version 4.29.01. The TPOP firmware is affected by only three of the flaws. These have been fixed with the release of version 01.01.00.

As it’s apparent from the CVE identifiers, these vulnerabilities were actually discovered last year. They were reported to Siemens via ICS-CERT by researchers at HackerDom and Kaspersky Lab.

Siemens and ICS-CERT disclosed CVE-2016-4784 and CVE-2016-4785 in May 2016, when they warned that the flaws had affected SIPROTEC 4 and SIPROTEC Compact devices. An advisory published in September 2016 warned that the same products were also affected by CVE-2016-7112, CVE-2016-7114 and CVE-2016-7113.

In July 2017, Siemens informed customers that all five vulnerabilities also impacted Reyrolle devices, which provide a wide range of integrated protection, control, measurement, and automation functions for electrical substations.

Bitdefender Valued at $600 Million After Vitruvian Partners Investment
2.12.2017 securityweek IT
Home and enterprise security solutions provider Bitdefender has been valued at over $600 million after growth capital investment firm Vitruvian Partners acquired a stake of roughly 30 percent in the company from existing shareholder Axxess Capital.

Through the acquisition, Vitruvian has become the second-largest shareholder after co-founders Florin and Mariuca Talpes. A group of private investors holds a minority stake in Bitdefender.


“This transaction demonstrates the rapid growth and scale of our business as we are now valued at over $600 million,” said Florin Talpes, who also serves as the company’s CEO. “Vitruvian's extensive experience investing in high growth technology companies endorses our strategy for international growth and in particular the significant investment we are making in building our Enterprise Solutions offering and our presence in the United States.”

“We continue to operate with a sound financial footing - this enables us to further expand and broaden our product portfolio and so ensure we stay ahead of cyber criminals to protect better our customers,” he added.

A Bitdefender spokesperson told SecurityWeek that the deal was a secondary transaction between shareholders, so funds will not go into Bitdefender itself.

Axxess Capital sold its shares after an 8-year run. Deutsche Bank AG, London Branch acted as the financial advisor for the transaction, which is subject to regulatory approvals.

Bitdefender’s main office is in Romania and its enterprise solutions headquarters is located in the United States, in Santa Clara, California. The cybersecurity firm employs more than 1,300 people, and its products are said to be used by over 500 million users in 150 countries.

Vitruvian is an independent European private equity firm that specializes in investing in companies undergoing growth and change. The company provides operational support and assistance with acquisitions and other strategic initiatives.

Chrome to Block Apps from Injecting into Its Processes
2.12.2017 securityweek Safety
Google’s Chrome web browser will soon prevent third-party software from injecting code into its processes.

The search giant announced that the change is planned for Chrome 68 for Windows, which is currently on track to be released in July 2018. Before the switch, however, Chrome 66 will start warning users when other software is injecting code into one of its processes.

Around two thirds of Chrome users on Windows have other applications that interact with the browser, such as accessibility or antivirus software. While some of the software needed to inject code in Chrome to ensure proper functionality, this could lead to unexpected crashes.

“Users with software that injects code into Windows Chrome are 15% more likely to experience crashes,” Chris Hamilton of the Chrome Stability Team explains.

Hamilton also points out that Chrome extensions and Native Messaging provide new, modern alternatives to running code inside of Chrome processes.

This is why Chrome 68 will start blocking third-party software from injecting code into Chrome on Windows. Before that, however, Chrome 66 will start displaying a warning after a crash, informing users on other software injecting code into the browser.

The browser will also guide users into how to update or remove the third-party software responsible for the crash.

In July 2018, Chrome 68 will block code injection only when doing so does not prevent the browser from starting. If it does, Chrome will restart and allow the injection, while also warning the user and providing guidance on removing the offending software.

Starting in January 2019, when Chrome 72 is set to be released in the stable channel, the browser will always block code injection.

“While most software that injects code into Chrome will be affected by these changes, there are some exceptions. Microsoft-signed code, accessibility software, and IME software will not be affected,” Hamilton says.
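Both Chrome write-ups above point to Native Messaging as the supported replacement for injecting into browser processes. As an added example (not Google's code), this Python host implements the wire format Chrome uses on that channel: each JSON message is preceded by its byte length as a 32-bit unsigned integer in native byte order, and a host may send at most 1 MB per message. The host name, path and extension ID in the manifest, and the "op" handlers, are placeholders.

```python
"""Minimal Chrome native messaging host, the out-of-process alternative
to injecting code into Chrome that both Chrome articles above mention.

Example code added for this page, not Google's. Wire format per the Chrome
native messaging documentation: 32-bit unsigned length in native byte
order, then the UTF-8 JSON body; host -> browser messages are capped at
1 MB. Manifest values and the supported 'op' names are placeholders."""
import io
import json
import struct
import sys

MAX_OUTBOUND = 1024 * 1024  # Chrome drops host->browser messages over 1 MB

# Host manifest that Chrome reads before launching the host. Registered via
# a registry key on Windows or a JSON file under NativeMessagingHosts
# elsewhere. Every value here is a placeholder.
MANIFEST = {
    "name": "com.example.echo_host",
    "description": "Example native messaging host",
    "path": "/usr/local/bin/echo_host.py",
    "type": "stdio",
    "allowed_origins": ["chrome-extension://abcdefghijklmnopabcdefghijklmnop/"],
}


def encode(message):
    """Frame a JSON-serialisable object for Chrome."""
    body = json.dumps(message, separators=(",", ":")).encode("utf-8")
    if len(body) > MAX_OUTBOUND:
        raise ValueError("message exceeds the 1 MB native messaging limit")
    return struct.pack("=I", len(body)) + body


def decode_one(stream):
    """Read one framed message; return None at EOF (Chrome closed the port)."""
    header = stream.read(4)
    if len(header) < 4:
        return None
    (length,) = struct.unpack("=I", header)
    body = stream.read(length)
    if len(body) != length:
        raise EOFError("truncated message body")
    return json.loads(body.decode("utf-8"))


def handle(request):
    """Sample handler with an allow-list of operations. Only the listed
    extension can reach this process, but its messages are still untrusted
    input: validate types before acting on them."""
    op = request.get("op")
    if op == "ping":
        return {"ok": True, "reply": "pong"}
    if op == "upper" and isinstance(request.get("text"), str):
        return {"ok": True, "reply": request["text"].upper()}
    return {"ok": False, "error": "unsupported op"}


def serve(stream_in, stream_out, handler=handle):
    """Loop until Chrome closes stdin; returns the number of messages handled."""
    handled = 0
    while True:
        request = decode_one(stream_in)
        if request is None:
            return handled
        stream_out.write(encode(handler(request)))
        stream_out.flush()
        handled += 1


def run_offline(requests, handler=handle):
    """Drive serve() over in-memory streams and return the decoded replies."""
    stream_in = io.BytesIO(b"".join(encode(r) for r in requests))
    stream_out = io.BytesIO()
    serve(stream_in, stream_out, handler)
    stream_out.seek(0)
    replies = []
    while True:
        reply = decode_one(stream_out)
        if reply is None:
            return replies
        replies.append(reply)


if __name__ == "__main__":
    serve(sys.stdin.buffer, sys.stdout.buffer)
```

Chrome launches the host itself and talks to it over stdin/stdout, so the process runs with the user's privileges but outside Chrome's sandbox and address space; that separation is the whole point of the change described above. The manifest must be registered under the host name before chrome.runtime.connectNative can reach it, and the extension ID in allowed_origins is what stops other extensions from talking to the host.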

System76 to Disable Intel ME on Laptops Due to Security Flaws
2.12.2017 securityweek Vulnerability
Following the discovery of several potentially serious vulnerabilities in Intel’s Management Engine (ME), computer seller System76 announced its intention to disable the feature on its laptops with a future firmware update.

In the past months, Intel and third party security researchers discovered a significant number of flaws in ME and Active Management Technology (AMT), which allow users to remotely manage devices. The security holes can be exploited to execute arbitrary code without being detected by the user or the operating system, bypass security features, and crash systems.

Intel has released patches for these vulnerabilities and vendors such as Acer, Dell, Fujitsu, HPE, Lenovo, and Panasonic informed customers that they are also working on firmware updates that address the weaknesses.

System76, which provides Linux-powered laptops, desktops and servers, has decided to address the risks introduced by Intel ME by disabling the feature altogether.

The company has been working on a system that will allow it to automatically deliver firmware updates to computers in the same way software updates are currently being delivered through the operating system. The new update mechanism has been tested and it’s nearly ready for deployment on laptops.

System76 plans on delivering a firmware update that disables ME on laptops using 6th, 7th and 8th generation CPUs from Intel. This includes Bonobo, Gazelle, Kudu, Lemur, Oryx and Serval laptops.

Users will be informed of an update via email and prompted to install it – updates will not be conducted without user interaction. The automatic updates will work on laptops running Ubuntu 16.04 LTS, Ubuntu 17.04, Ubuntu 17.10, or version 17.10 of Pop!_OS, System76’s own Linux distribution.

ME will continue to be present on System76 desktop computers, but users will be provided firmware updates that patch the vulnerabilities disclosed by Intel.

“There is a significant amount of testing and validation necessary before delivering the updated firmware and disabled ME,” explained System76 CEO Carl Richell. “Disabling the ME will reduce future vulnerabilities and using our new firmware delivery infrastructure means future updates can roll out extremely fast and with a higher percentage of adoption (over listing affected models with links to firmware that most people don’t install).”

The company pointed out that disabling ME on laptops may no longer be possible at some point if Intel makes changes to the feature. “We implore Intel to retain the ability for device manufacturers and consumers to disable the ME,” Richell said.

Industrial Cybersecurity Startup SCADAfence Secures $10 Million
2.12.2017 securityweek ICS
Israeli industrial cybersecurity startup SCADAfence has secured $10 million in funding through a recently announced Series A round.

The Tel Aviv-based company explains that it helps industrial network operators bridge the cybersecurity gap that comes when connecting operational technology (OT) and IT networks to ensure operational continuity and the security of valuable assets.

SCADAfence’s solutions provide visibility of day-to-day operations, detection of malicious cyber-attacks as well as non-malicious operational threats, and risk management tools.

According to the company, the funding will help support expansion of its R&D center in Tel-Aviv and global business development teams to meet growing demand across North America, Asia and Europe.

SCADAfence's customers include Global Fortune 500 companies in the automotive, pharmaceutical, chemical and energy industries.

Investors in the Series A round include JVP, NexStar Partners, 31Ventures Global Innovation Fund, GB-VI Growth Fund Investment Limited Partnership managed by Global Brain, iAngels and DS Strategic Partners.

SCADAfence is one of several security startups targeting the industrial space that have recently raised funding. Others include Dragos, Indegy, Bayshore Networks, CyberX, Claroty, and Nozomi Networks. Veteran industrial software firm PAS raised $40 million in April 2017. Darktrace, which has an offering targeted at the industrial sector, recently raised $75 million at a valuation of $825 million. All of these companies have participated in SecurityWeek’s ICS Cyber Security Conference series.

Four Arrested for ATM Skimming, Payment Card Fraud
2.12.2017 securityweek Crime
Law enforcement agencies in Europe this week announced the dismantling of a criminal network responsible for stealing payment card data and performing illegal transactions.

Called “Neptune,” the operation involved the arrest of four key members of the network on November 30, 2017. All four are Bulgarian citizens.

The group’s illegal activities included placing cameras and magnetic stripe readers (skimmers) on ATMs in central areas of European cities, as well as producing counterfeit payment cards from the data captured by the skimmers. The individuals then used the fake cards to cash out money from ATMs in non-European countries such as Belize, Indonesia and Jamaica.

As part of the operation, law enforcement agencies in Italy, Bulgaria, and the Czech Republic, supported by Europol, identified dozens of ATMs that had been tampered with by the criminals.

The operation also resulted in the seizure of more than 1,000 counterfeit credit cards and in the collection of evidence of many fraudulent international transactions worth more than EUR 50,000. The investigation started in late 2015.

“Since most of the illegal transactions with counterfeit cards took place overseas, the cooperation through dedicated investigative networks set up by Europol has been instrumental,” Europol noted in an announcement.

In September, Europol warned that cybercriminals are increasingly focused on accessing ATMs through the banks' networks, while having squads of money mules standing by, ready to pick up the stolen cash.

At a cyber conference in Bucharest in early November, Kaspersky Lab security researchers presented the numerous methods cybercriminals use to compromise ATMs and also warned how easily such machines can be ensnared into botnets.

Earlier this week, Europol announced the results of the European Money Mule Action ‘EMMA3’, a global law enforcement action week against money muling (20 to 24 November). A joint effort of law enforcement from 26 countries, the operation resulted in 159 arrests, 409 suspects interviewed, and 766 money mules and 59 money mule organizers identified.

Last year, 178 individuals were arrested across Europe for acting as money mules, helping criminals move stolen money out of the country of theft to criminal bank accounts abroad.

New .NET-Based Ransomware Uses Open Source Code
2.12.2017 securityweek Ransomware
Two newly discovered .NET-based ransomware families are using open source repositories to encrypt users’ files, Zscaler security researchers say.

Dubbed Vortex and BUGWARE, the two ransomware families have been seen in live attacks carried out via spam emails containing malicious URLs. Both of the new malware families are compiled in Microsoft Intermediate Language (MSIL) and have been packed with the 'Confuser' packer.

The Vortex ransomware is written in Polish and makes use of the AES-256 cipher to encrypt image, video, audio, document, and other potentially important data files on the victim’s machine, Zscaler notes in an analysis report shared with SecurityWeek.

Like other ransomware variants, the malware drops a ransom note once it has completed the encryption process, informing the victim how they can restore their data and where to send the ransom money.

The malware allows users to decrypt two of their files for free and demands a $100 ransom, which supposedly increases to $200 in four days. Victims are encouraged to contact the attackers using the Hc9@2.pl or Hc9@goat.si email addresses.

After installation, the malware attempts to achieve persistence by creating a registry entry, along with a registry key called “AESxWin.” The malware was also observed deleting shadow copies to prevent users from restoring their data without paying.

While analyzing the malware’s command and control (C&C) communication, the security researchers observed it sending system information and requesting, from a password API, the password used as the encryption and decryption key.

Vortex is entirely based on AESxWin, a freeware encryption and decryption utility hosted on GitHub and created by Egyptian developer Eslam Hamouda. Thus, files can be decrypted using AESxWin, as long as the password used for encryption is known, Zscaler suggests.

BUGWARE, on the other hand, is based on the open source Hidden Tear code, which has been abused to create various ransomware families before.

The new threat also uses an invalid certificate pretending to be for GAS INFORMATICA LTDA and asks victims to pay the equivalent of a thousand Brazilian reals in Monero.

The malware creates a list of paths to encrypt and stores it in a file called Criptografia.pathstoencrypt. It also searches for all fixed, network, and removable drives and adds those paths to the list.

BUGWARE was observed generating an encryption key and using the AES 256-bit algorithm to encrypt users’ files, as well as renaming the encrypted files. The AES key is itself encrypted with an RSA public key, and the base64-encoded result is saved in the registry.

To achieve persistence, the malware creates a run key that ensures it is executed each time the user logs into the computer. If removable drives are detected, the threat drops a copy of itself on them, with the name “fatura-vencida.pdf.scr.”

The ransomware changes the victim’s desktop background using image files downloaded from “i[.]imgur.com/NpKQ3KZ.jpg."
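The persistence and spreading details reported for Vortex (a registry key named “AESxWin”) and BUGWARE (a Run key that fires at logon, a copy named “fatura-vencida.pdf.scr” on removable drives) are the artifacts an analyst would triage first on a suspect Windows host. The following Python is an example added for this article, not Zscaler's code; the executable and decoy extension lists, the user-writable path fragments, and the sample Run entries and file listing are constructed assumptions, not observed data.

```python
"""Triage helpers for the two tricks described above: a Run key that
relaunches the payload at logon, and a double-extension lure such as
'fatura-vencida.pdf.scr' dropped on removable drives.

Example added for this article, not Zscaler's code. Extension lists, path
fragments and the sample data are assumptions."""
import ntpath
import re

# Windows executes these regardless of any earlier "extension" in the name.
EXECUTABLE_EXT = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js",
                  ".jse", ".vbs", ".vbe", ".wsf", ".ps1", ".hta", ".msi"}
# Extensions a user expects to open harmlessly as a document or media file.
DECOY_EXT = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx",
             ".txt", ".jpg", ".jpeg", ".png", ".mp3", ".mp4"}
# Locations a standard user can write to; weak signal on its own.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")

_QUOTED = re.compile(r'^\s*"([^"]+)"')


def split_extensions(name):
    """'fatura-vencida.pdf.scr' -> ['.pdf', '.scr'] (lower-cased)."""
    parts = ntpath.basename(name).lower().split(".")
    return ["." + p for p in parts[1:]] if len(parts) > 1 else []


def is_double_extension_lure(name):
    """True when the real (last) extension is executable and an earlier one
    impersonates a document, the pattern of the BUGWARE dropper name."""
    exts = split_extensions(name)
    return (len(exts) >= 2 and exts[-1] in EXECUTABLE_EXT
            and any(e in DECOY_EXT for e in exts[:-1]))


def command_target(command):
    """Extract the program path from a Run-key command line, quoted or not."""
    match = _QUOTED.match(command)
    if match:
        return match.group(1)
    tokens = command.strip().split()
    # Unquoted paths may contain spaces: grow until an executable extension.
    for i in range(len(tokens)):
        candidate = " ".join(tokens[: i + 1])
        if ntpath.splitext(candidate)[1].lower() in EXECUTABLE_EXT:
            return candidate
    return tokens[0] if tokens else ""


def triage_run_entry(value_name, command):
    """Return the list of reasons one ...\\CurrentVersion\\Run entry is suspicious."""
    target = command_target(command)
    low = target.lower()
    reasons = []
    if is_double_extension_lure(target):
        reasons.append("double-extension lure")
    if ntpath.splitext(low)[1] == ".scr":
        reasons.append("screensaver binary used for persistence")
    if any(frag in low for frag in USER_WRITABLE):
        reasons.append("launches from user-writable path")
    if value_name.lower() == "aesxwin":  # key name Zscaler reports for Vortex
        reasons.append("value name matches Vortex (AESxWin) persistence key")
    return reasons


def triage(run_entries, filenames):
    """run_entries: {value_name: command}; filenames: iterable of paths.
    Returns {finding_id: [reasons]} with clean items omitted."""
    findings = {}
    for name, cmd in run_entries.items():
        reasons = triage_run_entry(name, cmd)
        if reasons:
            findings["run:" + name] = reasons
    for path in filenames:
        if is_double_extension_lure(path):
            findings["file:" + path] = ["double-extension lure"]
    return findings


# Constructed sample data (not observed artifacts) for a stand-alone run.
SAMPLE_RUN = {
    "OneDrive": r'"C:\Users\ana\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "SecurityHealth": r"C:\Windows\System32\SecurityHealthSystray.exe",
    "AESxWin": r'"C:\Users\ana\AppData\Roaming\svc\update.exe"',
    "Fatura": r"E:\fatura-vencida.pdf.scr",
}
SAMPLE_FILES = [r"E:\fatura-vencida.pdf.scr", r"E:\relatorio.pdf", r"C:\Users\ana\notes.txt"]

if __name__ == "__main__":
    for finding, reasons in triage(SAMPLE_RUN, SAMPLE_FILES).items():
        print(finding, "->", "; ".join(reasons))
```

The double-extension and .scr checks are the strong signals here; a user-writable launch path on its own is not, as the legitimate OneDrive entry in the sample shows, which is why the function returns reasons for a human to weigh rather than a verdict.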

Senators Propose New Breach Notification Law
2.12.2017 securityweek BigBrothers
Senators Propose New Data Protection Bill Following Equifax and Uber Breaches

Following the Equifax breach and the hidden Uber breach, three U.S. senators have introduced the Data Security and Breach Notification Act. Its purpose is to ensure better protection of personal information, and to provide a nationwide standard breach notification requirement. It is effectively a re-introduction of the 2015 bill of the same name.

The bill is sponsored by three Democrats: Sen. Bill Nelson of Florida, Sen. Richard Blumenthal of Connecticut, and Sen. Tammy Baldwin of Wisconsin. Statements from Nelson and Baldwin show clearly that the recent Uber and Equifax breaches are the specific catalysts.

"The recent data breaches, from Uber to Equifax, will have profound, long-lasting impacts on the integrity of many Americans' identities and finances, and it is simply unacceptable that millions of them may still not know that they are at risk, nor understand what they can and should do to help limit the potential damage," said Senator Baldwin.

"We need a strong federal law in place to hold companies truly accountable for failing to safeguard data or inform consumers when that information has been stolen by hackers," said Nelson. "Congress can either take action now to pass this long overdue bill or continue to kowtow to special interests who stand in the way of this commonsense proposal. When it comes to doing what's best for consumers, the choice is clear."

There are three noteworthy aspects to this bill: 30 days to disclose following a breach; up to five years in prison for failure to do so; and the FTC with NIST to draw up recommendations on the technology or methodologies necessary to avoid such sanctions.

Under this bill, customers affected by a breach must be informed within 30 days if they are at risk. “There shall be a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security if,” says the bill, the data has been rendered indecipherable, for example (although the bill does not specify the method) by encryption.

The FTC/NIST 'standards' requirement is in the bill to define how and with what technology personal data can be made indecipherable -- and is likely to dismay security officers with yet another standard that must be observed. The potential for regulatory confusion can be seen in a comparison between this data 'privacy' requirement and that of Europe's General Data Protection Regulation (GDPR).

Staying with the example of Uber and Equifax, both companies would be liable under both laws if they were already in force. The basic requirement under GDPR is notification within 72 hours to the regulator (Article 33), or without undue delay to customers (Article 34) if they are at risk from the breach. It is 30 days under the U.S. law.

Since many surveys have repeatedly demonstrated that not all U.S. companies understand GDPR, or even know that they will be liable under it, it is possible that some will wrongly assume they have an additional four weeks before being required to disclose. Just as disconcerting would be for EU customers to learn of their exposure before their American counterparts.

"It's surprising that U.S. still lacks a single federal regulation covering mandatory breach disclosures," Matt Lock, director of sales engineers at Varonis told SecurityWeek. "The proposed 30-day notification rule is a step in the right direction, but a far cry from the GDPR's 72-hour rule. If the U.S. legislation passed, it's not difficult to imagine a situation in which EU consumers would learn of a breach hitting a U.S. company long before U.S. consumers are notified."

Lock believes that best timescale would be something between the two. "U.S. lawmakers want to show their support of constituents and their distaste for companies that try to fly under the radar in the wake of a major breach," he said. "But they are also trying to be more realistic. Anyone who has spent time on an incident response team knows how chaotic the first 72-hours can be. Perhaps 30 days is a bit too lenient, but the GDPR 72-hour window may result in businesses scrambling and disclosing incomplete or inaccurate information."

There is one major difference between the U.S. bill and GDPR: GDPR has huge financial sanctions but no prison time, while Nelson's bill has no specified financial sanction, but up to five years in prison. "With this new legislation bill, companies providing services to both the US and EU citizens will have two major breach notification requirements that come with significant impact," comments Thycotic's chief security scientist Joseph Carson. "From huge financial sanctions in the EU that could be as much as 4% of annual turnover globally, and -- if customers are not notified in 30 days -- a prison term in the U.S. These two major legal requirements could change the way companies approach and prioritize cybersecurity and risk meaning they could no longer ignore the need for better security."

Apple fixed the bug that allowed logging in without a password, but immediately created a new one
2.12.2017 Živě.cz Apple
The macOS operating system that runs on Apple computers is struggling with serious bugs. This also applies to the latest version, High Sierra.
At the end of November, a bug was discovered in Apple's macOS High Sierra that allowed administrator login even without a password. Apple did fix the bug quickly, within a single day, but unfortunately created a new one.

The new bug concerns file sharing over the network, and users may encounter it right after installing the quick security update labelled “Security Update 2017-001 for macOS High Sierra 10.13.1”. On both home and corporate networks, users may find that they can no longer access shared folders on other computers on the network.

The fix is quite simple, but not exactly user-friendly. As Apple describes in its guide, you need to open the Terminal application, type sudo /usr/libexec/configureLocalKDC, press Enter, and enter the administrator password. As this shows, rushed patches also mean that something else with an important dependency can be overlooked.

DDoS attack on Bitfinex, 31 million stolen Tethers and the rise of the Bitcoin price
2.12.2017 Lupa.cz Computer attack

At the beginning of the week, a message about an ongoing DDoS attack appeared on the Twitter account of the world's largest bitcoin exchange.
A seemingly innocent tweet on Sunday evening stirred up a new wave of questions around the already controversial Taiwanese bitcoin exchange Bitfinex. The DDoS attack began during a planned regular maintenance window and persisted throughout Monday, which many users felt first-hand.

As has become its bad habit lately, the exchange provided no detailed information about the incident. The attack itself is (probably) an external event the exchange could not influence, but it is at the same time another link in the chain of controversial events that have been associated with the exchange since last year.

Bitfinex is notorious for a long history of non-transparent operations and throughout its existence has consistently avoided providing information about the people responsible for running it.

Price manipulation?
What could be the point of the attack? DDoS attacks do not directly rob anyone of money, nor do they cause leaks of sensitive data. Attacks on service availability (Distributed Denial of Service) most often have, much like a blockade of communications in the physical world, some activist purpose.

In the world of cryptocurrencies, where lofty ideals often give way to the financial interests of a narrow group, they also serve another purpose: they are a tool for price manipulation. If you prevent traders from reaching the market, trading volume drops sharply, that artificial drop translates directly into an artificial fall in price, and you can, for example, buy cheaply on another exchange or safely close out your shorts.

We saw a similar DDoS attack aimed at Bitfinex this June. In the main phase of the current attack at the start of this week, the price of Bitcoin fell from roughly 9,800 to 9,300 US dollars, but soon climbed back towards the 11,400 dollar mark (before Wednesday's price correction).

On Wednesday, BTC exchanges could not keep up with the simultaneous rush of users placing sell orders in response to the unexpected price movement

Who is behind the DDoS attacks is hard to trace, yet it is striking that a company earning over a million dollars a day in transaction fees does not devote more care to protecting itself against this type of event. Especially when one considers that the exchange has a history of two bitcoin thefts in a relatively short span of time.

Controversial Tether
The company first lost 1,500 bitcoins (worth about 400 thousand dollars at the time) in 2015, and just a year later it became the victim of a theft of 120,000 bitcoins (96,000,000 dollars at the prices of the time). Bitfinex then spread the losses across all customers, including those who held no bitcoin on the exchange at the time. The exchange deducted 36% from every account; the deducted amount remained as a receivable, the so-called BFX token, with a theoretical value of 1 BFX = 1 USD.

Bitfinex holds an exceptional position in the world of cryptocurrency exchanges, so an attack like this certainly makes sense. First, after the fake volumes on Chinese bitcoin exchanges were exposed, it turned out to be probably the largest entity in the world in terms of bitcoin trading (see the CoinMarketCap data); second, a Bitfinex subsidiary is behind the controversial Tether token, and part of the community attributes another significant influence on bitcoin price manipulation precisely to machinations with Tether.

The price of one Tether is more or less fixed (pegged to the US dollar), and its purpose is to help the exchanges that use Tether circumvent the strict framework of US regulators (SEC, IRS, FED) that would otherwise apply to them through banking AML and KYC legislation.

A real problem, or a smokescreen?
Tether has been in the crosshairs of the bitcoin world all of the past week, particularly in connection with the theft of 30,950,010 tokens from an online wallet of Tether Limited. The event was even noticed by the mainstream New York daily The New York Times.

What Tether is
Tether, or USDT (although euro and Japanese yen versions are also planned), is a digital token running on the bitcoin blockchain via the Omni Layer Protocol (formerly Mastercoin). Each unit of USDT should in theory be backed by a US dollar held in the reserves of Tether Limited and be redeemable through the Tether platform. USDT can be transferred, stored and spent like other cryptocurrencies, through any wallet that supports Omni Layer (for example Ambisafe, Holy Transaction or Omni Wallet). Tether plans to gradually extend its token to the Ethereum platform as well, where it will exist as an ERC20 token. Besides Bitfinex, from where most tethers enter circulation, you will encounter Tether mainly on the Poloniex, Bittrex and Kraken exchanges.

The theft itself, which was resolved by a so-called rollback of the transaction history and by blocking certain addresses, raised a number of questions. For one, carrying it out successfully required access to three of the four signing keys, which were supposed to be kept in four different locations disconnected from the internet, so there is a theory that it was an inside job.

The second aspect was the handling of the problem itself. For a centralized project this is not as controversial as, say, the uncertain community consensus during last year's Ethereum hard fork, but it still raises various doubts. If a cryptocurrency with a capitalization of 675 million dollars can quietly hard-fork and thereby invalidate an arbitrary set of addresses and completed operations, who actually controls the Omni ledger, and under what circumstances does it have the right to carry out such operations?

By what criteria were the specific addresses permanently blocked, and who else might meet a similar fate? Such a level of centralization is, after all, an excellent precondition for manipulating the entire network, which by now has a rather substantial capitalization. Records can be changed fairly easily by interventions of this kind, and your capital held in Tether thus remains a somewhat uncertain, temporary record in the centralized database of a private company.

That is a very big difference compared with a public blockchain and traditional decentralized cryptocurrencies (see our article "How to understand blockchain in ten minutes: how it works technically and what it is for"). Even without assuming the worst, the Tether team could, for example, under pressure from judicial authorities, permanently block any addresses holding any Tether funds.

Why Bitcoin is rising
It also remains a fact that Tether Ltd.'s communication with the public is not exactly the best, and major software changes, bug fixes and even significant protocol forks are carried out rather non-transparently and with minimal notice. Some communication practices are also startling, such as the use of voice-changing software when giving public statements.

Thirdly, there is one more matter. This spring a mysterious Twitter user named Bitfinex'ed became very popular. He regularly presents various pieces of circumstantial evidence suggesting that the Tether liquidity continuously released into circulation may in fact not be backed by real dollars in the company's bank accounts at all, but is money printed, so to speak, out of thin air.

One of these pieces of evidence was supposed to be the extremely rapid repayment of obligations to users after last year's hack of the exchange, in which 120,000 bitcoins disappeared. The obligations were apparently covered precisely by Tether printed out of thin air. On the other hand, it must be added that with a turnover of 1–1.5 million dollars a day and a sharp rise in new users at the beginning of this year, early repayment of the obligations is not all that surprising.

If things got tough, could Tether be withdrawn and exchanged back into dollars at all? The company's terms include, among other things, the following:

The Tether token does not represent money or any other financial instrument. Nor is it intended as a store of value. There is no contractual right or other legal claim against us enabling you to compel the exchange of your Tethers for money. We do not guarantee any right of redemption or exchange of Tethers, and there is no guarantee against losses when buying, trading, selling or redeeming them.

Such legal wording may merely be intended to stay out of the regulators' reach, but it certainly does not reassure Tether users.


The somewhat conspiratorial theory that Bitfinex'ed pushes holds that unbacked, quantitatively eased Tether is the direct cause of the current rise in the bitcoin price. The campaign against Tether has escalated in recent months, and the community of cryptocurrency users has rightly begun asking how things really stand with Tether's transparency. Tether promised to clarify the whole matter once more. Instead came the hack mentioned above, and attention shifted to it. Is it possible, then, that the whole event was just a smokescreen meant to divert attention from the real problem?

The truth is that as early as September 2017 Bitfinex and Tether published a document that was meant to dispel some of the main doubts about how Tether is backed. According to the independent lawyer Lewis Cohen, however, the document is worded in such a way that Tether's backing by real dollars can be neither confirmed nor refuted from it.

Further connections
From the little we know about Bitfinex, we can say that it was founded in the British Virgin Islands and is run by Jan Ludovicus van der Velde (as director) and Phil Potter as CSO. The effort to keep the two companies outwardly as separate as possible, while at the same time each reacts like a seismograph to the other's current troubles, naturally arouses justified suspicion.

Both men can also be found in the so-called Paradise Papers, a database of 13.4 million confidential financial documents published on 5 November 2017 that expose more than 120,000 individuals (including Czechs) and companies and their massive tax evasion.

Potter should interest us the most, however, because he is at the same time the director of Tether. Potter has a relatively controversial history. In the 1990s he worked for Morgan Stanley but was dismissed for using "aggressive techniques" to make money. In the Paradise Papers he is mentioned, among other things, in connection with the firm Appleby and the Tether project, which that firm incorporated in the British Virgin Islands at the end of 2014.

The company's place of registration and its co-owner are not the only indications of the close ties between Bitfinex and Tether. Most Tethers enter circulation precisely through Bitfinex. On the other hand, neither that by itself, nor operating in the grey zone of US and European legislation, is yet a reason for serious concern.

A somewhat puzzling connection that would support the Bitfinex'ed user's theory is the remarkable ease with which the exchange coped with being cut off from its accounts holding millions in client deposits after regulators intervened this spring. Here Tether, whether backed by dollars in Tether Ltd.'s accounts or printed "out of thin air", played an absolutely crucial role.

Covert cryptocurrency mining in browsers: closing the window with the infected site no longer helps
2.12.2017 Živě.cz Viruses
Security experts have uncovered a new way for attackers to enlist website visitors in cryptocurrency mining through their web browsers. This time the attackers created a sophisticated script that can keep generating cryptocurrency even after the malicious site is closed. Bleeping Computer published details of the threat.

Coinhive still popular
Mining virtual currency in web browsers is very popular among various groups of attackers. Thanks to the well-known open-source Coinhive script, practically any website can generate profit. No interaction with the user is required.

A significant problem, however, is the duration of the mining itself, which is directly proportional to how long the user browses the site. If a user spends 60 seconds on a site with hidden mining, their computer will clearly generate profit only during that one minute. It is therefore no surprise that attackers began looking for a way to extend the mining time as far as possible.

A secondary window hides behind the clock
Researchers at Malwarebytes drew attention to a new, essentially trivial trick that lets cryptocurrency mining continue even after the user leaves the malicious site. It is based on special JavaScript code that creates a pop-up window of a defined size. The code also includes a formula for dynamically calculating the window's position on the user's screen.

The result is a tiny window that on many computers appears hidden behind the Windows taskbar. The mining itself then runs inside the hidden window.


There it is! Discreetly tucked away at the bottom behind the clock: a browser window with the crypto-mining script. Slightly enlarging the taskbar is enough to reveal it.
An ordinary user need not notice anything suspicious. The window is really well hidden, and the mechanism can also fool most ad-blocking tools. Moreover, the attackers set the maximum CPU load to lower values so that a fully loaded computer would not arouse suspicion.

Beware on Windows 7 and Windows 10 alike
The trick currently works in the latest version of Google Chrome on Windows 7 and Windows 10. The script was found on dubious adult websites.

The attack can be given away by the active browser's icon in the taskbar. If you have no web page open, the browser icon should not be shown or highlighted in the taskbar. If it is, there is probably a hidden window in the background.

As a preventive measure, antivirus software should be installed on the computer and kept properly updated. Most security products can now detect cryptocurrency mining scripts as well.

Last but not least, there are various browser extensions that can block unwanted scripts. The best known is probably NoScript, or the relatively new NoCoin project aimed specifically at blocking mining scripts.

Russian Cybercriminal Gets Another Prison Sentence
1.12.2017 securityweek CyberCrime
Roman Valeryevich Seleznev, the son of a Russian lawmaker, has been handed another prison sentence in the United States for his role in a massive cybercrime ring.

The 33-year-old, known online as Track2, Bulba and Ncux, was previously sentenced by a U.S. court to 27 years in prison for 38 counts of wire fraud, hacking, identity theft, and payment card fraud.

After pleading guilty to racketeering and conspiracy to commit bank fraud charges on September 7, he received another 14-year prison sentence for the first charge in Nevada and another 14 years for the second charge in Georgia. The sentences will run concurrently to each other and to the previous 27-year sentence.

Seleznev has also been ordered to pay nearly $51 million in the Nevada case and over $2.1 million in the Georgia case.

According to authorities, Seleznev admitted being part of Carder.su, an Internet-based organization that specialized in identity theft and credit card fraud. The Russian national created a website, which he advertised on Carder.su, to allow fraudsters to easily purchase stolen payment card data for roughly $20 per account number.

Authorities estimate that activities conducted by members of Carder.su resulted in victims losing a total of $50,893,166.35, the exact amount that Seleznev has been ordered to pay.

In the Georgia case, Seleznev admitted being a “casher” (i.e. an individual who withdraws cash using stolen bank account information) in a scheme targeting an Atlanta-based firm that processed credit and debit card transactions for financial institutions. Hackers breached the company’s systems and obtained more than 45 million payment cards, which they used to withdraw over $9.4 million from 2,100 ATMs in 280 cities worldwide. The money was withdrawn in less than 12 hours.

Law enforcement conducted a massive operation targeting Carder.su users and operators. A total of 55 individuals have been charged and 33 of them have already been convicted; the rest are either pending trial or are on the run.

Reading the NTT 2017 Global Threat Intelligence Center (GTIC) Quarterly Threat Intelligence Report
1.12.2017 securityaffairs Analysis

NTT Security, a company of the tech giant NTT Group focused on cyber security, has released its 2017 Global Threat Intelligence Center (GTIC) Quarterly Threat Intelligence Report.
The research includes data collected over the last three months from global NTT Security managed security service (MSS) platforms and a variety of open-source intelligence tools and honeypots.

The report is rich in useful information and is organized into the following sections:

Global Threat Visibility.
China’s Cybersecurity Position is More Complicated Than You Realize.
The Face of the Insider Threat
Let’s analyze each section in detail:

Global Threat Visibility
The NTT Security Global Threat Intelligence Center observed a significant increase (+24% from Q2 ‘17) in the number of security events during Q3 ’17. Finance was a favored target of threat actors: experts observed a notable increment in detections of malicious activity against it in Q3 ’17 (+25%).


The experts observed a worrisome increase in the number of phishing campaigns and malware infections, up more than 40 percent since Q2 ‘17.

“Attack techniques have shifted from formal reconnaissance and exploitation to an increased dependency on botnet infrastructure, phishing campaigns, malicious attachments and links.” states the report.

The data on attack sources is interesting: the United States leads the top ten chart, followed by China, and the novelty is India, which made a huge jump from outside the top ten to number three.


China’s Cybersecurity Position is More Complicated Than You Realize
Attacks from China moved up from the number three spot in Q2 ’17 to number two in Q3 ’17.

The presence of China no longer surprises anyone, but it is interesting to highlight that during Q3 ’17, finance and manufacturing were the industries most heavily targeted by Chinese attackers, with 40 percent and 31 percent, respectively.

NTT Security confirms that for the past five years IP addresses in China have ranked within the top three of all source countries (consider also that IP addresses within the United States have always been the number one source of attacks).

“It is important to note that the term “Chinese sources” does not imply attribution, necessarily, to any entity associated with China. Threat actors often route through several nodes, making it difficult to determine the true source of malicious activity” continues the report.

The Face of the Insider Threat
The report highlights the danger of insider threats: 30 percent of them will put an organization at risk, and in most cases organizations completely ignore the risk.

The report distinguishes “Accidental Threat Facts”, such as accidental disclosure (e.g., unsecured databases, default internet-facing username and password logins), improper or accidental disposal of physical records (e.g., disposal of paper without shredding) and accidental damage (e.g., an accidental misconfiguration or command that results in loss of data or connectivity), from “Malicious Insider Threat.”

According to the experts, insider threats cost organizations more than $30 million.

“In 2016, large organizations with more than 75,000 employees spent an average of $7.8 million to address and resolve a single insider threat incident, while small organizations of between 1,000 and 5,000 employees and contractors spent an average of $2 million per incident.” states the report.

Other key findings in the Q3 Global Threat Intelligence Center Quarterly Threat Intelligence Report include:

A notable increase in the number of security events during Q3 ’17 – up 24 percent from Q2 ’17
The finance industry had the most detections for malicious activity in Q3 ’17 – representing 25% of all cybersecurity attacks
Rounding out the top five targeted industries were: manufacturing at 21%, business services at 16%, health care at 13% and technology at 12%
Phishing campaigns and malware infections both increased by more than 40% over Q2 ’17
Attacks from China moved up from the number three spot in Q2 ’17 to number two in Q3 ’17
As an attack source, India also made a huge jump from outside the top 10 up to number three, most likely due to outside actors leveraging vulnerable and/or compromised infrastructure.
The NTT Security Q3 Threat Report can be downloaded for free at www.nttsecurity.com/en-us/gtic-2017-q3-threat-intelligence-report.

Cryptocurrency Miners hidden in websites now run even after users close the browser
1.12.2017 securityaffairs Security

Some websites use a simple trick to keep their cryptocurrency miners scripts running in the background even when the user has closed the browser window.
Website administrators and crooks are looking with increasing interest at JavaScript-based cryptocurrency miners due to the rapid increase in cryptocurrency prices.

These scripts exploit the CPU power of their visitors’ PCs to mine Bitcoin or other cryptocurrencies. Some websites use a simple technique to keep their cryptocurrency mining JavaScript under the radar and secretly running in the background even when the user closes their web browser.

In many cases the scripts are used as an alternative monetization model to banner ads. Recently, the Pirate Bay was spotted using the Coinhive browser-based cryptocurrency miner service.

The scripts can mine cryptocurrencies only as long as the visitors stay on the site; they lose access to the computer’s processor and associated resources when the window is closed.

Experts from security firm Malwarebytes have discovered that some websites use a simple trick to keep their cryptocurrency mining scripts running in the background even when the user has closed the browser window.

The technique leverages a hidden pop-under browser window, opened by the mining page, that fits behind the taskbar and hides behind the clock on Microsoft Windows computers.

This hidden window runs the crypto-miner code, which consumes CPU cycles and power on the visitor’s computer until the visitor spots the window and closes it.

“The trick is that although the visible browser windows are closed, there is a hidden one that remains opened. This is due to a pop-under which is sized to fit right under the taskbar and hides behind the clock.” reads the blog post published by MalwareBytes.

“The hidden window’s coordinates will vary based on each user’s screen resolution, but follow this rule:

Horizontal position = ( current screen x resolution ) – 100
Vertical position = ( current screen y resolution ) – 40
If your Windows theme allows for taskbar transparency, you can catch a glimpse of the rogue window. Otherwise, to expose it you can simply resize the taskbar and it will magically pop it back up:”
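The position rule quoted above can be turned into a detection check. The following C classifier is an added example, not code from Malwarebytes or from either article on this page: it flags any top-level window that lies entirely in the taskbar band or off-screen, which is the signature both the Živě.cz piece above and this post describe. The screen geometry and window list are constructed inline; the window enumeration that a real endpoint agent would do (for example EnumWindows/GetWindowRect on Windows) is assumed and not included.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Screen geometry. work_bottom is the y coordinate where the taskbar starts,
 * i.e. the bottom edge of the desktop "work area" (what SPI_GETWORKAREA
 * returns on Windows); it is supplied as input here, not queried. */
struct screen_geom { int width; int height; int work_bottom; };

/* One top-level window: top-left corner and size, as a window-enumeration
 * API would report it. Enumeration is assumed to happen elsewhere. */
struct win_rect { int x; int y; int w; int h; };

/* The position rule quoted in the post:
 * x = screen width - 100, y = screen height - 40. */
struct win_rect pop_under_rule_position(const struct screen_geom *s, int w, int h)
{
    struct win_rect r = { s->width - 100, s->height - 40, w, h };
    return r;
}

/* A window is "hidden" when no part of it can be seen: it lies entirely
 * outside the screen, or its top edge sits in the taskbar band
 * [work_bottom, height). A window that merely overlaps the taskbar is
 * partly visible and is not flagged. */
bool is_hidden_window(const struct win_rect *r, const struct screen_geom *s)
{
    bool off_left   = r->x + r->w <= 0;
    bool off_top    = r->y + r->h <= 0;
    bool off_right  = r->x >= s->width;
    bool off_bottom = r->y >= s->height;
    bool in_taskbar_band = r->y >= s->work_bottom && r->y < s->height;
    return off_left || off_top || off_right || off_bottom || in_taskbar_band;
}

/* Scan a list of windows and write the indices of hidden ones into out_idx.
 * Returns the total number found (even beyond out_cap), so callers can
 * size their buffer. */
size_t find_hidden_windows(const struct win_rect *wins, size_t n,
                           const struct screen_geom *s,
                           size_t *out_idx, size_t out_cap)
{
    size_t found = 0;
    for (size_t i = 0; i < n; i++) {
        if (is_hidden_window(&wins[i], s)) {
            if (found < out_cap)
                out_idx[found] = i;
            found++;
        }
    }
    return found;
}

int main(void)
{
    /* Constructed sample: a 1920x1080 screen with a 40-pixel taskbar. */
    struct screen_geom s = { 1920, 1080, 1040 };
    struct win_rect wins[3];
    wins[0] = (struct win_rect){ 100, 100, 1200, 800 };  /* normal browser window */
    wins[1] = (struct win_rect){ 600, 1000, 400, 300 };  /* overlaps the taskbar, still visible */
    wins[2] = pop_under_rule_position(&s, 100, 40);      /* the pop-under from the post */

    size_t idx[3];
    size_t n = find_hidden_windows(wins, 3, &s, idx, 3);
    printf("%zu hidden window(s)\n", n);
    for (size_t i = 0; i < n; i++)
        printf("  window #%zu at (%d,%d) size %dx%d\n", idx[i],
               wins[idx[i]].x, wins[idx[i]].y, wins[idx[i]].w, wins[idx[i]].h);
    return 0;
}
```

On the sample input only the third window is reported; a window that is partly visible above the taskbar is deliberately left alone to keep false positives down.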

The technique is as simple as it is effective: it is difficult to identify and able to bypass most ad-blockers. Experts observed that the cryptocurrency miners run from a crypto-mining engine hosted on Amazon Web Services.

“This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself. Closing the browser using the “X” is no longer sufficient.” continues the post.

“The more technical users will want to run Task Manager to ensure there is no remnant running browser processes and terminate them. Alternatively, the taskbar will still show the browser’s icon with slight highlighting, indicating that it is still running.”

To remain under the radar, the miner code running in the hidden browser window keeps its CPU usage at a medium level.

These scripts work on the latest version of Google’s Chrome web browser running on the most recent versions of Microsoft’s Windows 7 and Windows 10.


Users can spot miner windows by looking for browser windows in the taskbar, or by running the Task Manager on their computer to ensure there are no running browser processes consuming CPU resources.

Some antivirus software blocks cryptocurrency miners; an alternative is represented by web browser extensions, like No Coin, that automatically block in-browser cryptocurrency miners.

Unfortunately, No Coin still does not support Microsoft Edge, Apple Safari, and Internet Explorer.

US Judge Orders Coinbase to hand over details of 14,355 US citizens to the IRS
1.12.2017 securityaffairs Crime

A federal judge in California has ruled that the cryptocurrency exchange portal Coinbase must hand over details of over 14,000 users to the US IRS.
In November 2016, the US Internal Revenue Service (IRS) filed a motion asking the US Federal Court of Northern California to force the US-based cryptocurrency exchange portal to hand over the personal details of all US users who conducted Bitcoin trades between January 1, 2013, and December 31, 2015.

The motion is part of a tax evasion investigation launched by the US authorities, aimed at tracking people who currently hold funds in Bitcoin, or who were paid in the cryptocurrency, in order to avoid paying US taxes.

Now a federal judge in the California Northern district court has ruled that US-based cryptocurrency exchange portal Coinbase must hand over details of over 14,000 users to the US Internal Revenue Service (IRS). Coinbase must provide personal and financial details of its US users, including names, birth dates, addresses, Bitcoin wallet ID, tax ID numbers.

According to the IRS, during the period under investigation only about 900 US citizens paid taxes on Bitcoin-related operations, even though Coinbase was serving millions of users, most of them from the US.


The judge initially rejected the IRS filing because of the huge number of users covered and its potential impact, but the agency filed a new motion earlier in November, and the judge ruled that Coinbase would have to hand over the personal details of all US Coinbase users with at least one account used in Bitcoin transactions worth more than $20,000 between January 1, 2013, and December 31, 2015.

According to Coinbase, it is now forced to hand over data belonging to 14,355 users, a small fraction of the nearly 500,000 users covered by the first motion.

“The government initially sought private financial records of approximately 500,000 account holders. In response to Coinbase’s continuing fight, the IRS significantly reduced the scope of the summons to approximately 14,000 customers. Although this 97% reduction in impacted customers is a big win for our customers, the IRS still took Coinbase to court to obtain a sweeping set of customer records. Today we argued, even as narrowed, the summons is still unjustified and invasive to our customers.” reads a blog post published by the company.

The list of 14,355 US users will not include citizens for which Coinbase filed 1099-K tax forms and users who only bought Bitcoin storing it in their accounts and never used it.

The message is clear: US authorities will try to prosecute any tax-evasion activity that leverages cryptocurrencies to avoid controls.

24 hours later, Apple fixes the bug in macOS High Sierra that allowed Root access with no password
1.12.2017 securityaffairs Apple

Just 24 hours later, Apple issued a security update for macOS High Sierra that addresses the bug that allowed root access with no password.
Yesterday I published a post on an embarrassing flaw affecting macOS High Sierra, tracked as CVE-2017-13872, that can be exploited to gain root access to a machine with no password.

The vulnerability is exploitable via the authentication dialog box in the Apple macOS High Sierra that asks for an administrator’s username and password when the user needs to do specific actions like configure privacy and network settings.

From the login prompt, if the user enters “root” as the username, leaves the password box blank, hits “enter” and then clicks on unlock a few times, the prompt disappears and they gain admin rights.

Dan Tentler

2:28 AM - Nov 29, 2017
Initial reports suggested that the exploit works by entering the username “root” with a blank password, but the expert Tom Ervin discovered that it works with any password.

Tom Ervin
Everyone. Please, the MacOS “blank root password” vulnerability has nothing to do with a blank password. The first time someone tries to log in as root, whatever password they try becomes the password for root. DO NOT test with a blank password. SET A STRONG ROOT PASSWORD NOW.

10:32 AM - Nov 29, 2017
The attack scenario requires physical access to the machine to log in; once inside, the attacker can perform several malicious activities, such as installing malware.

Even though the flaw was first reported on the Apple developer forums on November 13 by a user, Apple only learned of it on Tuesday, when the web developer Lemi Orhan Ergin tweeted about it.

Lemi Orhan Ergin
Dear @AppleSupport, we noticed a *HUGE* security issue at MacOS High Sierra. Anyone can login as "root" with empty password after clicking on login button several times. Are you aware of it @Apple?

7:38 PM - Nov 28, 2017
The flaw affects macOS High Sierra 10.13 and macOS High Sierra 10.13.1; it does not affect macOS Sierra 10.12.6 and earlier.

Just 24 hours later, Apple announced the availability of a security update for macOS High Sierra that addresses the issue.

“An attacker may be able to bypass administrator authentication without supplying the administrator’s password,” the company said in its advisory.

“A logic error existed in the validation of credentials. This was addressed with improved credential validation.”

Experts noted that if the root account is enabled and has a password set, the trick does not work; for this reason Apple has deactivated the root account by default.

Police vs Privacy: US Supreme Court Looks at Cell Phone Tracking
1.12.2017 securityweek Mobile
Where do we go? Who do we talk to? What do we read about?

Our mobile phones are troves of personal, private information, and the US Supreme Court weighed Wednesday how easily police should be able to get it.

In a case seen as a landmark for privacy protection in the digital age, the court heard arguments over whether police have the right to obtain the location data of a person's phone from providers without a search warrant.

During the hearing, most of the high court's nine justices appeared deeply concerned about how phone companies can track a person's movements via their device and hand that information, sometimes going back years, to police when asked.

Civil libertarians say that information is protected by the US Constitution.

But law enforcement officials say the location data transmitted from a phone to a cell tower has been essentially made public and handed over to a third party, giving up any claim the owner might have to privacy.

The specific case involves Timothy Carpenter, who was tracked down and convicted of theft in 2011 after the police obtained some 12,898 cell tower location points for Carpenter's device over four months from phone companies.

Justice Sonia Sotomayor appeared to agree with the pro-privacy advocates.

The cell phone "is an appendage now for some people," she noted.

"Right now we're only talking about the cell site records, but as I understand it, a cell phone can be pinged in your bedroom. It can be pinged at your doctor's office. It can ping you in the most intimate details of your life -- presumably at some point even in a dressing room as you're undressing."

- Constitutional test case -

The US Constitution's Fourth Amendment guarantees the privacy of citizens from "unreasonable searches and seizures," and says police must obtain warrants based on "probable cause" if they want to search a suspect's "persons, houses, papers, and effects."

Parties on both sides of the case agree that the law did not anticipate an era in which everyone relies on a cell phone and technology providers can amass data on a person via those phones.

Nathan Wessler, an attorney with the American Civil Liberties Union representing Carpenter, said the police collection of the phone location data constituted a "search" that required a warrant.

"The concern here is with the privacy invasion, which is quite severe over the long term, over these more than four months of data," he told the court.

But the government argues that the location data is not like tapping a phone conversation, which is illegal without a warrant.

"We're dealing here with routing information. We're not dealing with the contents of communications," argued Michael Dreeben, deputy solicitor general for the Department of Justice.

He argued that giving up the information is a voluntary act by the cell phone user, and so it is not protected.

"There is an element here of voluntariness in deciding to contract with a cell company, just like there's an element of voluntariness in getting a landline phone and making a call," Dreeben told the court.

- Implications for private data -

The case has much broader implications than cell phone location data, experts say.

Today, a huge amount of information from people's lives is held by "third parties": personal files stored in the internet cloud, information from home electronics collected by the makers of those appliances, and communications sent via cell phones and the internet.

"The advance of technology means that information you used to store in your desk drawer is now stored somewhere with third parties," said Greg Nojeim of the Center for Democracy & Technology.

To get information in a drawer, he noted, police would have to ask the court for a warrant.

The Supreme Court will likely make a decision on the case before the end of its current term in June 2018.

Patch of Dirty COW Vulnerability Incomplete, Researchers Claim
1.12.2017 securityweek Vulnerability
The “Dirty COW” vulnerability (CVE-2016–5195) discovered last year in Linux was incompletely patched, Bindecy researchers say.

The vulnerability was found to be caused by a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings. Discovered by Phil Oester, the bug could allow an unprivileged local attacker to escalate their privileges on a targeted system.

The vulnerability was found to impact Android as well, and could even escape containers. Soon after Google released a patch for the vulnerability, however, new attacks exploiting Dirty COW on Android were devised.

The most recent malware family to exploit the issue was observed in September of this year.

Although Dirty COW was one of the most hyped and branded vulnerabilities ever published, with every Linux version from the last decade, including Android, being vulnerable, the patch released for it stirred far less interest, Bindecy says. As a result, over a year passed since the patch was released without anyone noticing it was incomplete.

The original vulnerability impacted the get_user_pages function, which is used to get the physical pages behind virtual addresses in user processes. Basically, the bug would allow writing to the read-only privileged version of a page.

The fix for the vulnerability doesn’t reduce the requested permissions. Instead, “get_user_pages now remembers the fact that we went through a COW cycle,” the researchers explain.

Thus, on the next iteration, a read-only page is provided for a write operation only if FOLL_FORCE and FOLL_COW flags are specified, and the PTE is marked as dirty.

The problem, the security researchers say, is that the patch “assumes that the read-only privileged copy of a page will never have a PTE pointing to it with the dirty bit on.”

Bindecy discovered that the vulnerability can still be reproduced when Transparent Huge Pages (THP) and the Page Middle Directory (PMD, one level above the PTE level) are involved.

While Linux usually uses 4096-byte pages, THPs can be as large as 2 MB, although they can be split back into normal pages. By default, THP support usually covers anonymous mappings only, but it can be turned on or off while the system is running.

THP is implemented by turning on the _PAGE_PSE bit of the PMD, which results in PMD pointing to a 2MB physical page instead of a directory of PTEs.

What the researchers discovered was that the Dirty COW patch code that deals with THP contains a function called can_follow_write_pmd, which applies the same logic as can_follow_write_pte to huge PMDs.

According to the researchers, however, the issue is that, when it comes to huge PMDs, “a page can be marked dirty without going through a COW cycle, using the touch_pmd function.” Each time get_user_pages tries to get a huge page, the touch_pmd function it calls marks the page dirty without going through a COW cycle. Thus, can_follow_write_pmd’s logic is broken, the researchers say.

“At this point, exploiting the bug is straightforward — we can use a similar pattern of the original Dirty COW race. This time, after we get rid of the copied version of the page, we have to fault the original page twice — first to make it present, and then to turn on the dirty bit,” Bindecy notes.

The security researchers revealed information on a couple of exploit scenarios and also published a proof-of-concept to demonstrate the exploit. They reported the vulnerability (which was assigned CVE-2017–1000405) to the kernel and distros mailing lists last week, and a patch has already been committed to the mainline kernel.
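To make the broken assumption concrete, here is an added user-space model of the checks described above; it is not kernel code and not Bindecy's proof of concept. The function names, the simplified entry structure and the scenario function are this example's own; only the FOLL_* bit values are the kernel's, and the "fixed" variant marks a huge PMD dirty only on a write access, mirroring the approach the mainline fix took.

```c
/*
 * Added example: a user-space model of the get_user_pages permission
 * checks discussed above.  Not kernel code; names and structures are
 * simplified for illustration.  Only the FOLL_* values are the kernel's.
 */
#include <stdbool.h>
#include <stdio.h>

#define FOLL_WRITE 0x01    /* caller wants write access */
#define FOLL_FORCE 0x10    /* caller may override VMA protection (e.g. ptrace) */
#define FOLL_COW   0x4000  /* set by get_user_pages once a COW cycle happened */

/* Simplified page-table entry: the two bits the post-patch check reads. */
struct entry {
    bool writable;
    bool dirty;
};

/*
 * The post-patch rule, applied to PTEs and, with identical logic, to huge
 * PMDs: a read-only entry is handed out for a write only if the caller
 * forces access, has already gone through a COW cycle, and the entry is
 * dirty.  The rule assumes "dirty" implies "went through a COW cycle".
 */
static bool can_follow_write(const struct entry *e, unsigned int flags)
{
    if (e->writable)
        return true;
    return (flags & FOLL_FORCE) && (flags & FOLL_COW) && e->dirty;
}

/*
 * A COW cycle on a private mapping: the task receives its own writable,
 * dirty copy and get_user_pages remembers the cycle in FOLL_COW.
 */
static void cow_cycle(struct entry *copy, unsigned int *flags)
{
    copy->writable = true;
    copy->dirty = true;
    *flags |= FOLL_COW;
}

/* Unfixed huge-page lookup: every access marks the PMD dirty, even a read. */
static void touch_pmd_unfixed(struct entry *pmd, unsigned int flags)
{
    (void)flags;
    pmd->dirty = true;
}

/* Fixed lookup: the PMD becomes dirty only when the access is a write. */
static void touch_pmd_fixed(struct entry *pmd, unsigned int flags)
{
    if (flags & FOLL_WRITE)
        pmd->dirty = true;
}

typedef void (*touch_fn)(struct entry *, unsigned int);

/*
 * The state the write-up describes, reduced to its essentials: a forced
 * access went through a COW cycle (so FOLL_COW is set), the private copy
 * is gone, and the next lookup lands on the original read-only huge page,
 * which is first touched by a read.  Returns true if the write check then
 * wrongly accepts the read-only original.
 */
static bool readonly_huge_page_granted_for_write(touch_fn touch)
{
    struct entry copy = { .writable = false, .dirty = false };
    struct entry original = { .writable = false, .dirty = false };
    unsigned int flags = FOLL_FORCE | FOLL_WRITE;

    cow_cycle(&copy, &flags);          /* flags now include FOLL_COW */

    touch(&original, FOLL_FORCE);      /* read-only lookup of the original */
    return can_follow_write(&original, flags);
}

int main(void)
{
    printf("unfixed touch_pmd: read-only huge page granted for write = %s\n",
           readonly_huge_page_granted_for_write(touch_pmd_unfixed) ? "yes" : "no");
    printf("fixed touch_pmd:   read-only huge page granted for write = %s\n",
           readonly_huge_page_granted_for_write(touch_pmd_fixed) ? "yes" : "no");
    return 0;
}
```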

“This bug demonstrates the importance of patch auditing in the security development life-cycle. As the Dirty COW case and other past cases show, even hyped vulnerabilities may get incomplete patches. The situation is not reserved for closed source software only; open source software suffers just as much,” the researchers conclude.

Trust Your Security Vendor, 'They Have Access to Everything You Do,' Says F-Secure Research Chief
30.11.2017 securityweek  IT
The DHS ban on government agencies using Kaspersky Lab's security products has reverberated around the security industry. The concern is not simply whether the Moscow-based security firm has colluded with Russian intelligence, but how many other security firms could, through their own products, potentially collude with their own national intelligence agencies.

This is bad news for security since security is built on trust; and without trust there is no security. Kaspersky Lab has denied any collusion and has offered to do anything possible, from testifying before Congress to third-party code reviews, to prove its innocence. At the same time, there is no actual proof of collusion; just a statement that the possibility is a cause for concern.

On Tuesday, at a media briefing in London, Eugene Kaspersky said he had never been asked by Russia to spy on its behalf. "If the Russian government comes to me and asks me to (do) anything wrong, or my employees, I will move the business out of Russia. We never helped the espionage agencies, the Russians or any other nation."

The DHS statement bans government agencies from using Kaspersky Lab products, saying, "The risk that the Russian government, whether acting on its own or in collaboration with Kaspersky, could capitalize on access provided by Kaspersky products to compromise federal information and information systems directly implicates U.S. national security."

Herein lies the problem. Before developing anti-virus software and forming Kaspersky Lab, Eugene Kaspersky studied cryptology at a KGB and defense-funded school, and later worked at Russia's Ministry of Defense as a cryptologist. So the link -- and therefore the risk -- exists. At the same time, however, any glance through LinkedIn's staff profiles for U.S. security firms will return a large number of senior employees with an NSA, CIA, FBI or State Department background, with many U.S. security firms boasting about their former government and military hires. Connections alone do not necessarily imply collusion.

The Wall Street Journal (WSJ) separately published an unsubstantiated claim that an NSA employee had been breached by Russian state-backed hackers via a vulnerability in a Kaspersky Lab product; and that they targeted the employee "after identifying the files through the contractor's use of" Kaspersky Lab AV. No proof of this is provided, but the implication is that Kaspersky Lab did not pass confidential files directly to Russian intelligence, but merely informed them of their presence on the employee's computer.

However, if the Kaspersky-Russian intelligence link is a concern, then by implication users should consider the potential for a McAfee and Symantec link with the NSA, and a Sophos link with GCHQ. In an attempt to counter any potentially growing lack of trust in security products in general, F-Secure's Chief Research Officer, Mikko Hypponen, has talked today about how his own company handles confidential user information.

There are two riders to his comments. First of all, F-Secure is a competitor to Kaspersky Lab; and secondly, F-Secure is not Kaspersky Lab. Nevertheless, insights into how one major anti-virus firm operates will inevitably provide some insights into how any other major AV firm operates.

Hypponen avoids or obfuscates his response to any direct question of possible Kaspersky Lab collusion with Russia. For example, he says, "Let's just state for the record that it's a great company and a great security product. These are world class researchers."

Asked later if he thought Kaspersky Lab "colluded with Russian intelligence, do you think they were breached, hacked, infiltrated?", he replied, "I don't know. It's all speculation, as are all the stories on this. So far everything's been speculation." He notes, however, that links with law enforcement are commonplace. Law enforcement agencies (LEAs) frequently ask security firms for assistance in the fight against cybercrime, and researchers commonly pass back data on discovered C&C servers.

He does, however, explain how F-Secure treats information about user files. First of all, almost all security firms collect this data -- it's simply how they work. The amount of data that needs to be analyzed to keep users safe simply cannot be done on a local machine without reducing its operation to a crawl. Anti-virus and network anomaly products tend to collect data and send it to cloud servers for analysis by powerful machine-learning algorithms.

But F-Secure, and most likely all other security vendors, go to great lengths to anonymize and protect the information they collect. First of all, this is good practice; but secondly, privacy regulations in many jurisdictions could cause serious complications. GDPR, for example, requires that only necessary data be collected; and personal data is not necessary for the analysis of executable files.

The files that are collected are analyzed for any indication of malware. If they are found to be benevolent, they are deleted. This resonates with Kaspersky Lab's comments following the WSJ report. Its software found the NSA files on the employee's computer, did not recognize them as good files and uploaded them for further analysis. Here they were analyzed and determined to be 'sensitive' -- at which point they were deleted.

Unfortunately, this cannot disprove the possibility that someone in Kaspersky Lab then sent a quiet word to Russian intelligence saying, 'Hey guys, you might want to take a close look at this guy's computer.' But for that to have happened, Kaspersky Lab will have had to collect personal data as well as anonymized files.

Hypponen cannot say that Kaspersky Lab didn't do it; but he makes his opinion clear. He does, however, agree with the DHS. "Would I recommend using a foreign security product in US agencies, especially a Russian product? Probably I wouldn't. But for home users and users like that, it is a great product."

In the end, it's a question of whom you trust the most: your own government, or a security firm that can only exist through trust?

"Choose your vendors carefully, because, in theory, they have access to everything you do," Hypponen said, adding that "when you are running low level software, like security software, you do have to trust your vendor."

But he clearly does not personally believe that Kaspersky Lab is guilty of any malicious behavior. "Why? Because that would be so short-sighted. If you do that and you get caught, your company is toast, and it should be toast. That's a bad business decision. If it's the Russian government using a local security company as their way of gaining access to information, that's short-sighted too. Because Kaspersky Lab is the biggest software success story out of Russia since Tetris."

Should Social Media be Considered Part of Critical Infrastructure?
30.11.2017 securityweek  BigBrothers

Is Social Media a Critical Industry?

Russia interfered in the U.S. 2016 election, but did not materially affect it. That is the public belief of the U.S. intelligence community. It is a serious accusation and has prompted calls for additions to the official 16 critical infrastructure categories. One idea is that 'national elections' should be included. A second, less obviously, is that social media should be categorized as a critical industry.

The reason for the latter is relatively simple: social media as a communications platform is being widely used by adversary organizations and nations to disseminate their own propaganda. This ranges from ISIS using it as a recruitment platform, to armies of Russian state-sponsored trolls manipulating public opinion via Twitter.

Russian interference, or opinion manipulation, has not been limited to the U.S. Both France and Germany worried about it prior to their own national elections. On Nov. 3, this year, Damian Collins, Chair of the Digital Culture and Sport Select Committee in the UK wrote to Twitter's Jack Dorsey asking for information on the so-called Russian Internet Research Agency. He asked for a list of Russian accounts and posts linked to politics in the UK. Brexit is not mentioned, but interference in the UK Brexit referendum is clearly the concern.

One week later, CNN Money reported, "A network of Twitter accounts with ties to the Russian government-linked troll army that meddled in U.S. politics posted dozens of pro-Brexit messages on the day of the referendum on the United Kingdom's membership of the European Union in June 2016."

The assumed purpose of Russian interference in politics has been to promote extreme right-wing national populist movements that would weaken centrist governments. This is clearly an 'attack' against western nations, delivered primarily via social networks. It is noticeable that in both the US election and the Brexit referendum there was a late and in many ways unexpected shift to the right.

Nevertheless, the idea of social media as a critical industry is a difficult concept. Malcolm Harkins, chief security and trust officer at Cylance, doesn't think it is a great stretch. He points to the origins of the existing 16 industry sectors and notes that the primary motivation is to maintain their availability following the 9/11 attack.

The DHS introduces its definition of the critical infrastructure with, "There are 16 critical infrastructure sectors whose assets, systems, and networks, whether physical or virtual, are considered so vital to the United States that their incapacitation or destruction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof." These include 'energy', 'finance', 'transport', 'communications' and 'IT'. Maintaining the availability and continued operation of all of these sectors is clearly critical to the well-being of the nation. Maintaining the availability of social media does not seem so critical.

Harkins' argument, however, is that the world has changed since the origins of the critical infrastructure classification.

Business and society have gone through, and are still going through, a dramatic 'digitization' of their operations. The internet and all things cyber have become fundamental to the operation of the economy and society.

"Where cyber is concerned," Harkins told SecurityWeek, "the 'A' of 'CIA' is not enough. The Availability of the critical infrastructure must now be bolstered by the Integrity of the critical infrastructure."

This should not be considered a trivial concern. The manipulation of information has always been a part of warfare, usually as a precursor to a kinetic attack.

"There has always been the notion of information manipulation in warfare -- such as deception," says Harkins. "If you can manipulate your enemy prior to a kinetic event, then you would have advantage over them."

From Alexander's victory over Porus in 326 BC, through the Allied landings in Normandy in 1944, to Stormin' Norman's Desert Storm in 1991, campaigns have relied heavily on feeding the enemy misinformation.

"The world today," he continued, "is based on information with headlong digitization of both business and society. With everything now based on our reaction to and use of information, the integrity of that information has never been more vital."

The availability of the Communications and IT sectors is already considered critical, and social media is the most important and widespread platform that unites the communications and IT sectors. If the concept of the critical infrastructure is widened from availability to include integrity, then social media is already, de facto, part of the critical infrastructure. "At what point," asks Harkins, "does the integrity of the information flowing through the IT sector or the communications sector hit a significant and material risk that will force us to consider it critical?"

How this could work in practice is a different matter, for it couldn't be limited to integrity in social media platforms. Facebook is not the only advertising medium that could run propagandist advertising (some 3,000 Russia-linked advertisements were placed on Facebook in 2016 apparently designed to influence the presidential election). "My guess is that even well beyond social media, mainstream physical advertising has been bought and used for the purpose of manipulating national sentiment." If social media can be considered 'critical', then the whole concept of Fake News must be treated in the same way.

That would be a major task. Social media is perhaps the most pressing aspect of this, and could even prove a testbed for wider communications controls. "I think the case increasingly can, and will be made that social media is a part of critical infrastructure in that Twitter, Facebook and other media channels have become the 'go-to' resources for a large percentage of Americans," comments Dan Lohrmann, CSO at Security Mentor. "Yes - social media is slowly becoming a critical part of critical infrastructure for our nation and other developed countries."

But Nathan Wenzler, chief security strategist at AsTech, is not sure we are ready for this. He takes the 'availability' view of critical infrastructure. "Even with the potential influence of the last U.S. presidential election, I do not believe we should be looking at these social media services in the same way we view power, water, and other utility services which are required for people's daily lives," he told SecurityWeek. "If social media services were disrupted... there would be some outrage by the users, but by and large, their lives would not be dramatically impacted from a health or well-being standpoint. For this reason alone, I don't see that we're quite at the point of considering social media to be the same as these other critical services."

He believes things may change in the future, but raises two of the many practical problems that will arise: accountability for users and attribution for attackers. Chris Roberts, chief security architect at Acalvio, takes a similar view. "We have little ability or success in being able to protect that which is already classified as critical infrastructure. The red tape is worn thin with excuses: the technology is not in place to deal with both 20 year old systems and modern insecure devices interconnected through a cloud-like pea-soup fog," he said.

"If you want to consider the core systems as critical infrastructure, then you have to be able to manage, control and understand the access permissions, uniquely identify individuals and put some controls into access and other areas. That both seems like a tall challenge (getting 300M Americans to agree to security controls for their social media) and also something that might eventually break the constitutional rights of those folks to actually speak freely. If you put controls in place, where does that end?"

But if Harkins is right and the concept of integrity will need to be added to the concept of availability for the critical infrastructure, then something will have to change. There are signs that governments are beginning to feel threatened and therefore concerned. The UK government has been particularly vociferous over the last year, telling the social tech giants that if they don't get their house in order, government will do it for them.

Indeed, the current government's manifesto (a pre-election statement of intent) contains a strong purpose to control social media. "Some people say that it is not for government to regulate when it comes to technology and the internet," it says. "We disagree... it is for government, not private companies, to protect the security of people and ensure the fairness of the rules by which people and businesses abide."

The clear implication is that the tech giants' protestations of: 'don't limit freedom of speech', 'legislation will stifle innovation', and 'it's not technologically possible' will not be accepted. Even U.S. lawmakers seem to be moving in a similar direction. On Tuesday, Nov. 21, counsels for Google, Facebook and Twitter were in Washington answering questions put at the Senate hearing on social media's role in the 2016 election.

At one point, Senator John Kennedy (R-LA) said, "I don't believe you have the ability to identify all your advertisers." The tech companies effectively admitted this -- although the reality is probably they cannot control advertising without losing some of it. But if government wishes to prevent foreign entities interfering in future elections, this quality of knowledge is essential. Social media should take note that there is precedent; government has enforced advertising control on new technology in the past. In the 1930s, new radio services carried misinformation and propaganda in the form of advertisements. The government cracked down on this with the 1934 Communications Act, placing greater responsibility on the medium to choose which advertisements it accepted. It could do similar with social media.

The likelihood of some legislative control over social media is growing. In the U.S. the primary concern seems to be its potential for foreign propaganda aimed at controlling national sentiment.

In the UK the primary concern is its use by terrorist groups and organized crime -- although there is now some concern that Russia may have attempted to influence the Brexit referendum.

If Harkins is right, then this is really the visible effect of an underlying need to add integrity to the availability of the critical infrastructure. And if that is correct, then the legislation will need to apply to the whole communications sector and not just the social media aspect. But it goes further. If the need to apply integrity has grown through the digitization of industry, then the implication is that it will require confidentiality as well as integrity and availability if its security is to be assured. Confidentiality is best applied through encryption; and we are seeing increasing interest by government in controlling encryption. That, however, is a different battle; and both would benefit from a national debate.

AWS Launches New Cybersecurity Services
30.11.2017 securityweek  Cyber
Amazon Web Services (AWS) announced this week at its AWS re:Invent conference the launch of several new cybersecurity services, including for threat detection, IoT security, and secure communications for Virtual Private Cloud.

Amazon GuardDuty

One of the new products is Amazon GuardDuty, an intelligent threat detection service that helps customers protect their AWS accounts and workloads by continuously looking for unauthorized and malicious activity.

Amazon GuardDuty, which can be enabled from the AWS Management Console, creates a baseline for normal account activity, and uses machine learning to identify any irregular behavior. If suspicious activity is detected, the AWS account owner is immediately notified.

The new service obtains threat intelligence from both AWS itself and third-party sources such as CrowdStrike and Proofpoint, it does not require any new hardware or software, and it can be integrated with products from Alert Logic, Evident.io, Palo Alto Networks, RedLock, Rapid7, Sumo Logic, Splunk and Trend Micro.

The list of organizations already using GuardDuty includes Autodesk, Netflix, Mapbox, GE, and the Financial Industry Regulatory Authority (FINRA).

AWS PrivateLink

Another new product launched this week is AWS PrivateLink, a managed service that allows developers to securely access third-party SaaS applications from their Virtual Private Cloud (VPC).

A majority of Amazon EC2 cloud instances run in VPCs these days, but using third-party SaaS applications can introduce security risks. With AWS PrivateLink, AWS allows users to initiate connections to third parties without exposing their VPC to the Internet, or connect their internal services across different VPCs and accounts.

The list of SaaS applications that support AWS PrivateLink can be found on the AWS Marketplace. Companies such as CA Technologies, Aqua Security, Dynatrace, Cisco and SigOpt have announced that they support PrivateLink.


AWS also announced the launch of several new services designed for managing, protecting and monitoring Internet of Things (IoT) devices. These are AWS IoT 1-Click, IoT Device Management, IoT Device Defender, IoT Analytics, Amazon FreeRTOS, and Greengrass ML Inference.

Three of the new IoT services help improve security. AWS IoT Device Management, which is available immediately, allows organizations to securely onboard, manage and monitor IoT devices, including to apply patches and software updates.

AWS IoT Device Defender, expected to become available in the first half of 2018, monitors devices for any suspicious activity, such as traffic going to an unknown IP, and ensures that IoT systems are compliant with security policies.

Amazon FreeRTOS allows users to securely connect small, low-power devices that use the FreeRTOS operating system (e.g. light bulbs, motion sensors) to AWS cloud services. The list of microcontroller manufacturers that support Amazon FreeRTOS includes Microchip, NXP Semiconductors, STMicroelectronics, Texas Instruments, Arm, IAR, Percepio, and WITTENSTEIN.

Cisco Patches Critical WebEx Vulnerabilities
30.11.2017 securityweek  Vulnerability
Updates released by Cisco for components of its online meetings and video conferencing platform WebEx patch nearly a dozen vulnerabilities, including critical flaws that can be exploited for remote code execution.

A total of six vulnerabilities affecting the WebEx Network Recording Player for Advanced Recording Format (ARF) and WebEx Recording Format (WRF) files have been classified as critical.

The impacted player is used to play back recorded WebEx meetings and it can be installed automatically when a recording file hosted on a WebEx server is opened.

The security holes affecting the Network Recording Player can be exploited by a remote attacker to cause a denial-of-service (DoS) condition in the software and possibly execute arbitrary code by getting the targeted user to open specially crafted ARF or WRF files. Cisco noted that the attacker can send the malicious files to victims via email or get them to open a web page hosting the files.

The vulnerabilities have been patched by Cisco in WebEx Business Suite meeting sites, WebEx Meetings sites, WebEx Meetings Server, and WebEx ARF and WRF Players. Cisco’s advisory provides detailed information on affected versions and the availability of fixes. The following CVE identifiers have been assigned: CVE-2017-12367, CVE-2017-12368, CVE-2017-12369, CVE-2017-12370, CVE-2017-12371 and CVE-2017-12372.

The flaws were reported to Cisco by Andrea Micalizzi (rgod) and Steven Seeley of Offensive Security via Trend Micro’s Zero Day Initiative (ZDI), Fortinet’s Kushal Arvind Shah, and Qihoo 360 researcher Yihan Lian. ZDI has yet to make the advisories for the flaws found by Seeley and Micalizzi public.

Cisco found no evidence that the vulnerabilities had been exploited in malicious attacks.

Lian also discovered a medium severity DoS vulnerability in the WebEx Network Recording Player. A remote attacker can cause the player to crash by getting the targeted user to open a malicious WRF file.

The networking giant published four other advisories detailing WebEx vulnerabilities on Wednesday. These weaknesses have also been rated “medium severity” and they include cross-site scripting (XSS) and URL redirection vulnerabilities in WebEx Meeting Center, an information disclosure bug in Event Center, and a flaw that can be exploited to modify the welcome message in Meeting Server.

Cryptocurrency Mining Scripts Now Run Even After You Close Your Browser
30.11.2017 thehackernews Security 

Some websites have been found using a simple yet effective technique to keep their cryptocurrency mining JavaScript secretly running in the background even after you close your web browser.
Due to the recent surge in cryptocurrency prices, hackers and even legitimate website administrators are increasingly using JavaScript-based cryptocurrency miners to monetize their sites by using the CPU power of visitors' PCs to mine Bitcoin or other cryptocurrencies.
After the world's most popular torrent download website, The Pirate Bay, was caught secretly using Coinhive, a browser-based cryptocurrency miner service, on its site last month, thousands of other websites also started using the service as an alternative monetization model to banner ads.
However, websites using such crypto-miner services can mine cryptocurrencies only as long as you're on their site. Once you close the browser window, they lose access to your processor and associated resources, which stops the mining.
Unfortunately, this is not the case anymore.
Security researchers from anti-malware provider Malwarebytes have found that some websites have discovered a clever trick to keep their cryptocurrency mining software running in the background even when you have closed the offending browser window.
How Does This Browser Technique Work?
According to a blog post published Wednesday morning by Malwarebytes, the new technique works by opening a hidden pop-under browser window that fits behind the taskbar and hides behind the clock on your Microsoft's Windows computer.
From there (hidden from your view), the website runs the crypto-miner code that indefinitely generates cryptocurrency for the person controlling the site while eating up CPU cycles and power from your computer until and unless you notice the window and close it.

Researchers say this technique is a lot harder to identify and able to bypass most ad-blockers because of how cleverly it hides itself. The crypto-miner runs from a crypto-mining engine hosted on Amazon Web Services.
"This type of pop-under is designed to bypass adblockers and is a lot harder to identify because of how cleverly it hides itself," Jérôme Segura, Malwarebytes' Lead Malware Intelligence Analyst, says in the post. "Closing the browser using the 'X' is no longer sufficient."
To avoid being noticed, the code running in the hidden browser window monitors its CPU usage and throttles it to a medium level rather than consuming the maximum.
You can also have a look at the animated GIF image that shows how this clever trick works.
This technique works on the latest version of Google's Chrome web browser running on the most recent versions of Microsoft's Windows 7 and Windows 10.
How to Block Hidden Cryptocurrency Miners
If you suspect your computer CPU is running a little harder than usual, just look for any browser windows in the taskbar. If you find any browser icon there, your computer is running a crypto-miner. Now simply, kill it.
More technical users can run Task Manager on their computer to ensure there is no remnant running browser processes and terminate them.
Since neither web browsers themselves nor the integrated Windows Defender antivirus software currently block cryptocurrency miners, you can use antivirus programs that automatically block cryptocurrency miners on the web pages you visit.
For this, you can contact your antivirus provider to check if they do.
Alternatively, you can make use of web browser extensions, like No Coin, that automatically block in-browser cryptocurrency miners for you, and regularly update themselves with new mining scripts that come out.
Created by developer Rafael Keramidas, No Coin is an open source extension that blocks Coin Hive and other similar cryptocurrency miners and is available for Google Chrome, Mozilla Firefox, and Opera.
No Coin currently does not support Microsoft Edge, Apple Safari, and Internet Explorer. So, those using one of these browsers can use an antimalware program that blocks cryptocurrency miners.

Hackers Exploit Recently Disclosed Microsoft Office Bug to Backdoor PCs
30.11.2017 thehackernews Exploit

A recently disclosed severe 17-year-old vulnerability in Microsoft Office that lets hackers install malware on targeted computers without user interaction is now being exploited in the wild to distribute a backdoor malware.
First spotted by researchers at security firm Fortinet, the malware has been dubbed Cobalt because it uses a component from a powerful and legitimate penetration testing tool, called Cobalt Strike.
Cobalt Strike is a form of software developed for Red Team Operations and Adversary Simulations for accessing covert channels of a system.
The vulnerability (CVE-2017-11882) that the Cobalt malware utilizes to deliver the backdoor is a memory-corruption issue that allows unauthenticated, remote attackers to execute malicious code on the targeted system when a malicious file is opened, and potentially take full control over it.
This vulnerability impacts all versions of Microsoft Office and Windows operating system, though Microsoft has already released a patch update to address the issue. You can read more details and impact of the vulnerability in our previous article.

Cybercriminals are quick to take advantage of newly disclosed vulnerabilities: the threat actors started delivering the Cobalt malware through spam carrying the CVE-2017-11882 exploit just a few days after the flaw was disclosed.
According to Fortinet researchers, the Cobalt malware is delivered through spam emails disguised as a notification from Visa regarding rule changes in Russia, with an attachment that includes a malicious RTF document, as shown.
The email also contains a password-protected archive, with the credentials to unlock it provided in the email itself, in order to trick victims into believing that the message came from the legitimate financial service.
"This is [also] to prevent auto-analysis systems from extracting the malicious files for sandboxing and detection," Fortinet researchers Jasper Manual and Joie Salvio wrote.
"Since a copy of the malicious document is out in the open... so it's possible that this is only to trick the user into thinking that securities are in place, which is something one would expect in an email from a widely used financial service."
Once the document is opened, the user is shown a plain document with the words "Enable Editing." However, a PowerShell script silently executes in the background and eventually downloads a Cobalt Strike client to take control of the victim's machine.
With control of the victim's system, hackers can "initiate lateral movement procedures in the network by executing a wide array of commands," the researchers said.
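As an added illustration, not part of the article or of Fortinet's report, the following PowerShell flags process-creation events in which an Office component spawns a script host, which is the behaviour the chain above produces. The event records are constructed sample data shaped like Sysmon Event ID 1 fields, not real telemetry. The EQNEDT32.EXE entry reflects two facts the article does not state: CVE-2017-11882 lives in the Office Equation Editor, and that component is started through DCOM, so the Office application is not its parent process. The parent and child process lists are assumptions to tune per environment.

```powershell
# Added example, not from the article or Fortinet's report: detection logic for the
# chain "Office document opened -> PowerShell launched silently in the background".
# The records below are constructed sample data modelled on Sysmon Event ID 1
# (process creation) fields, not real telemetry.
$SampleEvents = @(
    [pscustomobject]@{ Time = '2017-11-30T09:12:01'
                       ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Program Files\Microsoft Office\Office16\WINWORD.EXE'
                       CommandLine = '"WINWORD.EXE" /n "C:\Users\jdoe\Downloads\Visa_rules_update.rtf"' },
    # The Equation Editor (where CVE-2017-11882 lives) is started through DCOM, so its
    # parent is svchost.exe rather than WINWORD.EXE; a rule keyed only on Office
    # applications as parents would miss the next event.
    [pscustomobject]@{ Time = '2017-11-30T09:12:03'
                       ParentImage = 'C:\Windows\System32\svchost.exe'
                       Image = 'C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE'
                       CommandLine = '"EQNEDT32.EXE" -Embedding' },
    [pscustomobject]@{ Time = '2017-11-30T09:12:04'
                       ParentImage = 'C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -w hidden -nop -enc <BASE64_PLACEHOLDER>' },
    # Benign control record: an administrator running a backup script from Explorer.
    [pscustomobject]@{ Time = '2017-11-30T09:15:22'
                       ParentImage = 'C:\Windows\explorer.exe'
                       Image = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
                       CommandLine = 'powershell.exe -File C:\Scripts\backup.ps1' }
)

# Assumed lists: parents that should not normally launch interpreters, and children that,
# under such a parent, mean a document has turned into code execution.
$OfficeParents = @('WINWORD.EXE', 'EXCEL.EXE', 'POWERPNT.EXE', 'OUTLOOK.EXE', 'EQNEDT32.EXE')
$ScriptHosts   = @('powershell.exe', 'cmd.exe', 'wscript.exe', 'cscript.exe', 'mshta.exe', 'rundll32.exe')

function Find-OfficeSpawnedScriptHost {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        # Reduce full paths to file names; -contains compares case-insensitively.
        $parent = $e.ParentImage.Split('\')[-1]
        $child  = $e.Image.Split('\')[-1]
        if (($OfficeParents -contains $parent) -and ($ScriptHosts -contains $child)) {
            [pscustomobject]@{
                Time           = $e.Time
                Parent         = $parent
                Child          = $child
                # A hidden window or an encoded command raises the confidence of the hit.
                HighConfidence = [bool]($e.CommandLine -match '(?i)-w(indowstyle)?\s+hidden|-e(nc|ncodedcommand)?\s')
                CommandLine    = $e.CommandLine
            }
        }
    }
}

Find-OfficeSpawnedScriptHost -Events $SampleEvents | Format-Table -AutoSize
```

Run against real Sysmon or Security log data, the same function takes any objects exposing ParentImage, Image and CommandLine; only the parent-to-child relationship is used, so the benign Explorer-launched script is not reported while the Equation Editor spawning a hidden, encoded PowerShell is. Detection complements, and does not replace, the patch the article recommends.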
According to the researchers, cybercriminals are always on the lookout for such vulnerabilities to exploit in their malware campaigns, and because many users ignore software updates, a significant number of systems remain unpatched and vulnerable to such attacks.
The best way to protect your computer against the Cobalt malware attack is to apply the patch for CVE-2017-11882 and update your systems immediately.

The Shipping Giant Clarkson has suffered a security breach
30.11.2017 securityaffairs Incident

Clarkson, one of the world’s largest providers of shipping services, has publicly disclosed a security breach.
Clarkson confirmed the hackers may release some of the stolen data, but it hasn’t provided further details due to the ongoing law enforcement investigation.

The information disclosed by the company suggests the cyber criminals blackmailed it, demanding a ransom to avoid having its data leaked online.

According to Clarkson, the hackers compromised a single user account to access the systems of the shipping giant.

“Clarkson PLC confirms that it was subject to a cybersecurity incident which involved unauthorised access to the Company’s computer systems.” Clarkson said in a statement.

“Our initial investigations have shown the unauthorised access was gained via a single and isolated user account which has now been disabled.”

The company disabled the account after the incident and has started notifying affected customers and individuals.

The company had been expecting the cyber criminals to publish part of the stolen data on Tuesday, but so far nothing has been published.

Clarkson Shipping

The company said it has been conducting a review of the security of its architecture and announced new IT security measures.

“As you would rightly expect, we’re working closely with specialist police teams and data security experts to do all we can to best understand the incident and what we can do to protect our clients now and in the future,” said Andi Case, CEO of Clarkson. “We hope that, in time, we can share the lessons learned with our clients to help stop them from becoming victims themselves. In the meantime, I hope our clients understand that we would not be held to ransom by criminals, and I would like to sincerely apologise for any concern this incident may have understandably raised.”

New variants of the UBoatRAT hit targets in East Asia
30.11.2017 securityaffairs Apple

Palo Alto Networks discovered a custom RAT dubbed UBoatRAT that has been used in targeted attacks on personnel or organizations related to South Korea.
Security experts from Palo Alto Networks discovered a custom remote access Trojan (RAT) dubbed UBoatRAT that has been used in targeted attacks on personnel or organizations related to South Korea and the video gaming industry.

UBoatRAT has been distributed through Google Drive links; the malware obtains the address of its command and control (C&C) server from GitHub and uses the Microsoft Windows Background Intelligent Transfer Service (BITS) to maintain persistence.

The address of the C&C server and the destination port are hidden in a file hosted on GitHub, which the malware fetches from a specific URL. UBoatRAT communicates with the C&C server using a custom protocol.

The attackers used the GitHub account ‘elsa999’; according to the researchers, its owner has been frequently updating the repositories since July.

UBoatRAT was first spotted in May 2017; at the time it was a simple HTTP backdoor that used a public blog service in Hong Kong and a compromised web server in Japan for C&C.

Over the following months the authors added several new features to the RAT; the latest variant was released during the summer.

“Palo Alto Networks Unit 42 has identified attacks with a new custom Remote Access Trojan (RAT) called UBoatRAT.” reads the analysis published by Palo Alto Networks.

“The attacks with the latest variants we found in September have following characteristics.

Targets personnel or organizations related to South Korea or video games industry
Distributes malware through Google Drive
Obtains C2 address from GitHub
Uses Microsoft Windows Background Intelligent Transfer Service (BITS) to maintain persistence.”
The exact targets aren’t yet clear; the experts speculate the hackers aimed at Korea or the video games industry, because Korean-language game titles, Korea-based game company names, and some words used in the video games business were used in the delivery.

UBoatRAT performs its malicious activities on the infected machine only when the machine is joined to an Active Directory domain, which means that user systems that are not part of a domain would not be impacted.

Threat actors delivered the RAT through a ZIP archive hosted on Google Drive and containing a malicious executable file disguised as a folder or a Microsoft Excel spreadsheet. The latest variants of the UBoatRAT masquerade as Microsoft Word document files.

The RAT halts its execution when it detects virtualization software such as VMWare, VirtualBox or QEmu. When executed, it attempts to obtain the domain name from the network parameters; if it fails to get the domain name, it displays a fake error message and quits.

Otherwise, UBoatRAT copies itself to C:\programdata\svchost.exe, creates and executes C:\programdata\init.bat, then displays a specific message and quits.

Experts observed that the malware relies on the Microsoft Windows Background Intelligent Transfer Service (BITS), a service for transferring files between machines, to maintain persistence.

“Bitsadmin.exe is a command-line tool users can use to create and monitor BITS jobs. The tool provides the option /SetNotifyCmdLine, which executes a program when the job finishes transferring data or is in error. UBoatRAT takes advantage of the option to ensure it stays running on a system, even after a reboot.” continues the analysis.
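A defender-side check for this persistence mechanism, added here and not taken from the article or from Palo Alto’s report: it enumerates the BITS jobs of all users with the built-in BitsTransfer module and reports those that carry a notification command line, flagging command lines that launch a script from a user-writable location such as C:\programdata (the directory the article names). The directory list and the script-extension pattern are assumed heuristics, not indicators from the report.

```powershell
# Added example, not from the article or Palo Alto's report. Hunts for BITS jobs that
# carry a notification command line, the /SetNotifyCmdLine mechanism described above.
# Run in an elevated PowerShell: Get-BitsTransfer -AllUsers needs administrator
# rights to see jobs owned by other accounts.
Import-Module BitsTransfer

function Get-SuspiciousBitsJob {
    param(
        # Assumed heuristics: user-writable locations a legitimate updater rarely launches
        # from, and script/launcher extensions. Tune both to the environment.
        [string[]]$SuspectDirs = @('\programdata\', '\users\public\', '\appdata\local\temp\', '\windows\temp\'),
        [string]$ScriptPattern = '(?i)\.(bat|cmd|vbs|js|ps1|hta)(\s|"|$)'
    )
    Get-BitsTransfer -AllUsers |
        Where-Object { $_.NotifyCmdLine } |       # only jobs that run something on completion/error
        ForEach-Object {
            $cmd   = [string]$_.NotifyCmdLine
            $lower = $cmd.ToLowerInvariant()
            [pscustomobject]@{
                JobId         = $_.JobId
                DisplayName   = $_.DisplayName
                Owner         = $_.OwnerAccount
                State         = $_.JobState
                Created       = $_.CreationTime
                NotifyCmdLine = $cmd
                SuspectPath   = [bool]($SuspectDirs | Where-Object { $lower.Contains($_) })
                ScriptLaunch  = [bool]($cmd -match $ScriptPattern)
            }
        }
}

$jobs = Get-SuspiciousBitsJob
$jobs | Format-Table JobId, Owner, State, SuspectPath, ScriptLaunch, NotifyCmdLine -AutoSize

# Remediation, once a job is confirmed malicious and its details have been preserved for
# the investigation: cancelling the job removes the notify command along with it.
# $jobs | Where-Object { $_.SuspectPath -and $_.ScriptLaunch } |
#     ForEach-Object { Get-BitsTransfer -AllUsers -JobId $_.JobId | Remove-BitsTransfer }
```

Any job with a notify command line deserves a look, because few legitimate products use the feature; the two boolean columns only rank the results. The job owner is worth recording as well, since a notify command runs in that account’s context after the transfer finishes, which is what makes the mechanism survive reboots.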

Once it has established a covert channel with the C&C, the malware waits for the following backdoor commands from the attacker.

Command    Description
alive      Checks whether the RAT is alive
online     Keeps the RAT online by sending packets to the C2 periodically
upfile     Uploads a file to the compromised machine
downfile   Downloads a file from the compromised machine
exec       Executes a process with UAC bypass using Eventvwr.exe and registry hijacking
start      Starts a CMD shell
curl       Downloads a file from a specified URL
pslist     Lists running processes
pskill     Terminates the specified process
The researchers have identified fourteen samples of UBoatRAT, as well as one downloader associated with the attacks.

“Though the latest version of UBoatRAT was released in September, we have seen multiple updates in elsa999 accounts on GitHub in October. The author seems to be vigorously developing or testing the threat.” concluded Palo Alto Networks.