VMware addresses a DoS flaw in Workstation and Fusion products
18.3.2018 securityaffairs

VMware has addressed a denial-of-service (DoS) vulnerability, tracked as CVE-2018-6957, in its Workstation 12.x and 14.x and Fusion 10.1.1. and 10.x on OS X products.
The affected VMware solutions can be attacked by opening a large number of VNC sessions. The DoS vulnerability was discovered by Lilith Wyatt of Cisco Talos, the flaw could be exploited on Workstation and Fusion only if the VNC has been manually enabled.

VNC implementation in VMware solutions is used for remote management purposes.

“VMware Workstation and Fusion contain a denial-of-service vulnerability which can be triggered by opening a large number of VNC sessions.” reads the security advisory published by VMware.

The company issued the security patches in Workstation 14.1.1 and Fusion 10.1.1., VMware also shared details about a workaround for Workstation 12.x and Fusion 8.x releases that involves setting a password for the VNC connection.

While VMware has classified the vulnerability as “important,” Cisco Talos has ranked it as a “high severity” flaw and assigned it a CVSS score of 7.5.

Experts at Cisco Talos confirmed that an attacker can trigger the flaw on a targeted server and cause the virtual machine to shut down by opening a large number of VNC sessions.

“Since the VMware VNC server is naturally multi-threaded, there are locks and semaphores and mutexes to deal with shared variables.” reads the advisory published by Talos.

“The VNC server also maintains a global variable that indicates the amount of locks that are currently used, that is incremented by certain events.”


Talos published the Proof-of-Concept exploit code:

# There are obviously better ways to do this
for x in `seq 0 $(( 0xffffff/2 ))`; do echo “doop” | ncat <targetIP> <VNCPort>; done
“Regardless, the important thing to note here is that the incrementing instruction (lock xadd cs:MxLockCounter, eax😉 is the only cross-reference to the MxLockCounter global variable, meaning it never gets decremented.” continues Talos.

“Thus, as long as and attacker can initiate a bunch of TCP connection to the VNC server (each successful connection increments it twice), without even sending any other datagrams, an attacker can eventually shutdown the connected virtual machine.”

Below the timeline for the flaw:

2017-07-13 – Vendor Disclosure
2018-03-15 – Public Release

Hackers awarded $267,000 at Pwn2Own 2018, was far less than in the past editions
18.3.2018 securityaffairs Congress

At Pwn2Own 2018 the hackers received a total of $267,000, it was far less than in the past editions, but the quality of research was amazing.
The popular hacking competition Pwn2Own is concluded, let’s see how much hackers earned and which applications they have successfully pwned.

White hat hackers have earned a total of $267,000 at Pwn2Own 2018 competition for exploits targeting Microsoft Edge, Apple Safari, Oracle VirtualBox and Mozilla Firefox.

This year the popular competition organized by TrendMicro Zero Day Initiative was sponsored by Microsoft and sponsor VMware.

The overall prize pool announced by ZDI was $2 million, but only a total of $267,000 was awarded by the hackers.

The overall amount was less than in the past years, in 2017 white hackers earned $833,000, $460,000 in 2016) and $552,500 in 2015.

“Overall, we awarded $267,000 over the two-day contest while acquiring five Apple bugs, four Microsoft bugs, two Oracle bugs, and one Mozilla bug.” states the organization.

“While smaller than some of our previous competitions, the quality of research was still extraordinary and highlights the difficulty in producing fully-functioning exploit for modern browsers and systems.”

On the first day, hackers earned a total of $162,000 USD and 16 points towards Master of Pwn. The white hat hacker Richard Zhu, aka fluorescence, failed to hack Safari, but he successfully used an exploit chain against Edge earning $70,000.

The hacker Niklas Baumstark from the Phoenhex team was awarded with $27,000 for hacking VirtualBox and the expert Samuel Groß, aka saelo, of Phoenhex received $65,000 for hacking Safari.

“The first day of Pwn2Own 2018 has come to a close, and so far, we’ve awarded $162,000 USD and 16 points towards Master of Pwn. Today saw 2 successful attempts, 1 partial success, and 1 failure. In total, we purchased 3 Apple bugs, 2 Oracle bugs, and 3 Microsoft bugs.” states the official site of the competition.

PWN2OWN 2018

On the second day, the hackers earned a total of $105,000 USD and 11 more Master of Pwn points awarded.

Richard Zhu earned $50,000 for hacking Firefox with a Windows kernel EoP. He chained an out-of-bounds (OOB) write in the browser followed by an integer overflow in the Windows kernel.

Zhu was the star of the Pwn2Own 2018, he won the Master of Pwn award this year receiving a total of $120,000 and 65,000 ZDI reward points worth roughly $25,000.

“The day started with the return of Richard Zhu (fluorescence), this time targeting Mozilla Firefox with a Windows kernel EoP. He eschewed all drama today and successfully popped Mozilla Firefox on his first attempt.” states the post published on Day 2 of the Pwn2Own 2018.

“He used an out-of-bounds (OOB) write in the browser followed by an integer overflow in the Windows kernel to earn himself another $50,000 and 5 more Master of Pwn points. This brings his event total to $120,000 and a commanding lead for Master of Pwn.”

On the same day, white hackers Markus Gaasedelen (gaasedelen), Nick Burnett (itszn13), and Patrick Biernat of Ret2 Systems, Inc. targeted Apple Safari with a macOS kernel EoP.

At the fourth attempt, they successfully demonstrated their exploit but Pwn2Own rules state that the exploit must be demonstrated in a maximum of three attempts.

They were not awarded but Zero Day Initiative (ZDI) did purchase the vulnerabilities and disclosed them to Apple.

The last entry for the day saw a team from MWR labs, composed of Alex Plaskett (AlaxJPlaskett), Georgi Geshev (munmap), and Fabi Beterke (pwnfl4k3s), successfully targeting Apple Safari with a sandbox escape.

The same team earned $55,000 for a Safari sandbox escape obtaining a heap buffer underflow in the browser and an uninitialized stack variable in macOS.

Chinese APT Group TEMP.Periscope targets US Engineering and Maritime Industries
18.3.2018 securityaffairs APT

The China-linked APT group Leviathan. aka TEMP.Periscope, has increased the attacks on engineering and maritime entities over the past months.
Past attacks conducted by the group aimed at targets connected to South China Sea issues, most of them were research institutes, academic organizations, and private firms in the United States.

The group has also targeted professional/consulting services, high-tech industry, healthcare, and media/publishing. Most of the identified victims were in the United States, some of them located in Europe and at least one in Hong Kong.

“The campaign is linked to a group of suspected Chinese cyber espionage actors we have tracked since 2013, dubbed TEMP.Periscope. The group has also been reported as “Leviathan” by other security firms.” reads the analysis published by security firm FireEye.

“The current campaign is a sharp escalation of detected activity since summer 2017. Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit.”

The researchers confirmed that the tactics, techniques, and procedures (TTPs) and the targets of the TEMP.Periscope overlap with ones both TEMP.Jumper and NanHaiShu APT groups.

Researchers at FireEye observed a spike in the activity of TEMP.Periscope that was also associated with the use of a broad range of tools commonly used by other Chinese threat actors.

The arsenal of the crew includes backdoors, reconnaissance tools, webshells, and file stealers.

A first backdoor dubbed BADFLICK, could be used to modify the file system of the infected system, establish a reverse shell, and modifying the command-and-control configuration.

Another backdoor used by the group is dubbed Airbreak, which is a JavaScript-based backdoor (aks “Orz”) that retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services.


Other malware is described in the post published by FireEye.

“PHOTO: a DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.” continues the analysis.

“HOMEFRY: a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with XOR x56.”

The crews also used the Lunchmoney tool that exfiltrates files to Dropbox and the Murkytop command-line reconnaissance tool.

Recently the group used the China Chopper, a code injection webshell that executes Microsoft .NET code within HTTP POST commands.

The group targeted victims with spear-phishing messaged that use weaponized documents attempting to exploit the CVE-2017-11882 vulnerability to deliver malicious code.

“The current wave of identified intrusions is consistent with TEMP.Periscope and likely reflects a concerted effort to target sectors that may yield information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations,” FireEye concludes.

Further details, including the Indicators of Compromise are reported in the analysis published by FireEye.

Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign
17.3.2018 Microsoft
Computer Attack blog
in Windows, Windows Defender Advanced Threat Protection, Endpoint Security, Incident Response, Threat Protection, Research
Update: Further analysis of this campaign points to a poisoned update for a peer-to-peer (P2P) application. For more information, read Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak.

Just before noon on March 6 (PST), Windows Defender Antivirus blocked more than 80,000 instances of several sophisticated trojans that exhibited advanced cross-process injection techniques, persistence mechanisms, and evasion methods. Behavior-based signals coupled with cloud-powered machine learning models uncovered this new wave of infection attempts. The trojans, which are new variants of Dofoil (also known as Smoke Loader), carry a coin miner payload. Within the next 12 hours, more than 400,000 instances were recorded, 73% of which were in Russia. Turkey accounted for 18% and Ukraine 4% of the global encounters.

Figure 1: Windows Defender ATP machine timeline view with Windows Defender Exploit Guard event

Figure 1: Windows Defender ATP machine timeline view with Windows Defender Exploit Guard event

Figure 1: Geographic distribution of the Dofoil attack components

Windows Defender AV initially flagged the attack’s unusual persistence mechanism through behavior monitoring, which immediately sent this behavior-based signal to our cloud protection service.

Within milliseconds, multiple metadata-based machine learning models in the cloud started blocking these threats at first sight.
Seconds later, our sample-based and detonation-based machine learning models also verified the malicious classification. Within minutes, detonation-based models chimed in and added additional confirmation.
Within minutes, an anomaly detection alert notified us about a new potential outbreak.
After analysis, our response team updated the classification name of this new surge of threats to the proper malware families. People affected by these infection attempts early in the campaign would have seen blocks under machine learning names like Fuery, Fuerboos, Cloxer, or Azden. Later blocks show as the proper family names, Dofoil or Coinminer.
Windows 10, Windows 8.1, and Windows 7 users running Windows Defender AV or Microsoft Security Essentials are all protected from this latest outbreak.

Figure 2. Layered machine learning defenses in Windows Defender AV

Figure 2. Layered machine learning defenses in Windows Defender AV

Artificial intelligence and behavior-based detection in Windows Defender AV has become one of the mainstays of our defense system. The AI-based pre-emptive protection provided against this attack is similar to how layered machine learning defenses stopped an Emotet outbreak last month.

Code injection and coin mining
Dofoil is the latest malware family to incorporate coin miners in attacks. Because the value of Bitcoin and other cryptocurrencies continues to grow, malware operators see the opportunity to include coin mining components in their attacks. For example, exploit kits are now delivering coin miners instead of ransomware. Scammers are adding coin mining scripts in tech support scam websites. And certain banking trojan families added coin mining behavior.

The Dofoil campaign we detected on March 6 started with a trojan that performs process hollowing on explorer.exe. Process hollowing is a code injection technique that involves spawning a new instance of legitimate process (in this case c:\windows\syswow64\explorer.exe) and then replacing the legitimate code with malware.

Figure 3. Windows Defender ATP detection for process hollowing (SHA-256: d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d, detected by Windows Defender AV as TrojanDownloader:Win32/Dofoil.AB)

The hollowed explorer.exe process then spins up a second malicious instance, which drops and runs a coin mining malware masquerading as a legitimate Windows binary, wuauclt.exe.

Figure 4. Windows Defender ATP detection for coin mining malware (SHA-256: 2b83c69cf32c5f8f43ec2895ec9ac730bf73e1b2f37e44a3cf8ce814fb51f120, detected by Windows Defender AV as Trojan:Win32/CoinMiner.D)

Even though it uses the name of a legitimate Windows binary, it’s running from the wrong location. The command line is anomalous compared to the legitimate binary. Additionally, the network traffic from this binary is suspicious.

Windows Defender ATP alert process tree showing anomalous IP communicationsFigure

5. Windows Defender ATP alert process tree showing anomalous IP communications

Windows Defender ATP showing suspicious network activity

Windows Defender ATP showing suspicious network activity

Figure 6. Windows Defender ATP showing suspicious network activity

Windows Defender ATP alert process tree

Windows Defender ATP alert process treeFigure 7. Windows Defender ATP alert process tree showing hollowed explorer.exe process making suspicious connections

Dofoil uses a customized mining application. Based on its code, the coin miner supports NiceHash, which means it can mine different cryptocurrencies. The samples we analyzed mined Electroneum coins.

For coin miner malware, persistence is key. These types of malware employ various techniques to stay undetected for long periods of time in order to mine coins using stolen computer resources.

To stay hidden, Dofoil modifies the registry. The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe. It then creates a registry key or modifies an existing one to point to the newly created malware copy. In the sample we analyzed, the malware modified the OneDrive Run key.
Windows Defender ATP alert process tree showing creation of new malware process

Windows Defender ATP alert process tree showing creation of new malware process

Figure 8. Windows Defender ATP alert process tree showing creation of new malware process (SHA-256: d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d) and registry modification

Command-and-control communication
Dofoil is an enduring family of trojan downloaders. These connect to command and control (C&C) servers to listen for commands to download and install malware. In the March 6 campaign, Dofoil’s C&C communication involves the use of the decentralized Namecoin network infrastructure .

The hollowed explorer.exe process writes and runs another binary, D1C6.tmp.exe (SHA256: 5f3efdc65551edb0122ab2c40738c48b677b1058f7dfcdb86b05af42a2d8299c) into the Temp folder. D1C6.tmp.exe then drops and executes a copy of itself named lyk.exe. Once running, lyk.exe connects to IP addresses that act as DNS proxy servers for the Namecoin network. It then attempts to connect to the C&C server vinik.bit inside the NameCoin infrastructure. The C&C server commands the malware to connect or disconnect to an IP address; download a file from a certain URL and execute or terminate the specific file; or sleep for a period of time.

 Windows Defender ATP alert process tree showing creation of the temporary file, D1C6.tmp.exe

Figure 9. Windows Defender ATP alert process tree showing creation of the temporary file, D1C6.tmp.exe (SHA256: 5f3efdc65551edb0122ab2c40738c48b677b1058f7dfcdb86b05af42a2d8299c)


Figure 10. Windows Defender ATP alert process tree showing lyk.exe connecting to IP addresses

Stay protected with Windows 10
With the rise in valuation of cryptocurrencies, cybercriminal groups are launching more and more attacks to infiltrate networks and quietly mine for coins.

Windows Defender AV’s layered approach to security, which uses behavior-based detection algorithms, generics, and heuristics, as well as machine learning models in both the client and the cloud, provides real-time protection against new threats and outbreaks.

As demonstrated, Windows Defender Advanced Threat Protection (Windows Defender ATP) flags malicious behaviors related to installation, code injection, persistence mechanisms, and coin mining activities. Security operations can use the rich detection libraries in Windows Defender ATP to detect and respond to anomalous activities in the network. Windows Defender ATP also integrates protections from Windows Defender AV, Windows Defender Exploit Guard, and Windows Defender Application Guard, providing a seamless security management experience.

Windows 10 S, a special configuration of Windows 10, helps protect against coin miners and other threats. Windows 10 S works exclusively with apps from the Microsoft Store and uses Microsoft Edge as the default browser, providing Microsoft verified security.

Ex-Hacker Adrian Lamo Dies at Age 37
17.3.2018 thehackernews Crime

Adrian Lamo, the hacker who tipped off the FBI about Wikileaks whistleblower Chelsea Manning, dies at the age of 37, according to a Facebook post by his father Mario Lamo-Jiménez.
"With great sadness and a broken heart I have to let know all of Adrian's friends and acquaintances that he is dead. A bright mind and compassionate soul is gone, he was my beloved son..." he posted.
At this moment the cause of death is unknown, though reportedly Adrian was diagnosed with Asperger Syndrome in July 2010 and briefly hospitalized.
Adrian was a former hacker, threat analyst, and writer, who had previously been behind several high-profile security breaches but gained headlines after breaking into The New York Times computer systems in 2002.

Adrian was given the appellation "Homeless Hacker" by the media because once when he was unemployed he wandered the country by Greyhound bus and hacked corporations from inside abandoned buildings.
He spent almost six months on home detention and studied journalism before becoming a threat analyst.
When former US Army intelligence analyst Chelsea Manning (then Bradley Manning) read about his hacking profile in Wired magazine, Manning contacted him, and the pair started exchanging messages online.
Manning found Adrian a "kindred spirit" and told him about his role as an informer for WikiLeaks and how he leaked the most controversial combat video footage of a helicopter shooting unarmed Iraqi civilians and 260,000 classified diplomatic cables to the whistleblowing website.
However, Adrian then decided to report him and informed the US military of the breach. In an interview with the Guardian in 2013, Adrian defended his decision to turn Chelsea over to the FBI and said:
"There were no right choices that day, only less wrong ones. It was cold, it was needful, and it was no one's to make except mine. I couldn't just do anything, knowing lives were in danger, it's classified information, and when you play Russian roulette, how do you know there's not a bullet in the next chamber?"
"Choosing to interdict a man's freedom knowing it could mean his life, is something that's easy to judge but can only really be understood by living it."
Manning was arrested in May 2010 and sentenced to 35 years in prison for leaking classified documents, though her sentence was later reduced by President Barack Obama, and she was set free last year.

Trojanized BitTorrent Software Update Hijacked 400,000 PCs Last Week
17.3.2018 thehackernews

A massive malware outbreak that last week infected nearly half a million computers with cryptocurrency mining malware in just a few hours was caused by a backdoored version of popular BitTorrent client called MediaGet.
Dubbed Dofoil (also known as Smoke Loader), the malware was found dropping a cryptocurrency miner program as payload on infected Windows computers that mine Electroneum digital coins for attackers using victims' CPU cycles.
Dofoil campaign that hit PCs in Russia, Turkey, and Ukraine on 6th March was discovered by Microsoft Windows Defender research department and blocked the attack before it could have done any severe damages.

At the time when Windows Defender researchers detected this attack, they did not mention how the malware was delivered to such a massive audience in just 12 hours.
However, after investigation Microsoft today revealed that the attackers targeted the update mechanism of MediaGet BitTorrent software to push its trojanized version (mediaget.exe) to users' computers.
"A signed mediaget.exe downloads an update.exe program and runs it on the machine to install a new mediaget.exe. The new mediaget.exe program has the same functionality as the original but with additional backdoor capability," the researchers explain in a blog post published today.
Researchers believe MediaGet that signed update.exe is likely to be a victim of the supply chain attack, similar to CCleaner hack that infected over 2.3 million users with the backdoored version of the software in September 2017.

Also, in this case, the attackers signed the poisoned update.exe with a different certificate and successfully passed the validation required by the legitimate MediaGet.
"The dropped update.exe is a packaged InnoSetup SFX which has an embedded trojanized mediaget.exe, update.exe. When run, it drops a trojanized unsigned version of mediaget.exe."
Once updated, the malicious BitTorrent software with additional backdoor functionality randomly connects to one (out of four) of its command-and-control (C&C) servers hosted on decentralized Namecoin network infrastructure and listens for new commands.

It then immediately downloads CoinMiner component from its C&C server, and start using victims' computers mine cryptocurrencies for the attackers.
Using C&C servers, attackers can also command infected systems to download and install additional malware from a remote URL.
The researchers found that the trojanized BitTorrent client, detected by Windows Defender AV as Trojan:Win32/Modimer.A, has 98% similarity to the original MediaGet binary.
Microsoft says behavior monitoring and AI-based machine learning techniques used by its Windows Defender Antivirus software have played an important role to detect and block this massive malware campaign.

Warning – 3 Popular VPN Services Are Leaking Your IP Address
17.3.2018 thehackernews

Researchers found critical vulnerabilities in three popular VPN services that could leak users' real IP addresses and other sensitive data.
VPN, or Virtual Private Network, is a great way to protect your daily online activities that work by encrypting your data and boosting security, as well as useful to obscure your actual IP address.
While some choose VPN services for online anonymity and data security, one major reason many people use VPN is to hide their real IP addresses to bypass online censorship and access websites that are blocked by their ISPs.
But what if when the VPN you thought is protecting your privacy is actually leaking your sensitive data and real location?
A team of three ethical hackers hired by privacy advocate firm VPN Mentor revealed that three popular VPN service providers—HotSpot Shield, PureVPN, and Zenmate—with millions of customers worldwide were found vulnerable to flaws that could compromise user's privacy.
The team includes application security researcher Paulos Yibelo, an ethical hacker known by his alias 'File Descriptor' and works for Cure53, and whereas, the identity of third one has not been revealed on demand.
PureVPN is the same company who lied to have a 'no log' policy, but a few months ago helped the FBI with logs that lead to the arrest of a Massachusetts man in a cyberstalking case.
After a series of privacy tests on the three VPN services, the team found that all three VPN services are leaking their users' real IP addresses, which can be used to identify individual users and their actual location.
Concerning consequences for end users, VPN Mentor explains that the vulnerabilities could "allow governments, hostile organizations [sic], or individuals to identify the actual IP address of a user, even with the use of the VPNs."
The issues in ZenMate and PureVPN have not been disclosed since they haven't yet patched, while VPN Mentor says the issues discovered in ZenMate VPN were less severe than HotSpot Shield and PureVPN.
The team found three separate vulnerabilities in AnchorFree's HotSpot Shield, which have been fixed by the company. Here's the list:
Hijack all traffic (CVE-2018-7879) — This vulnerability resided in Hotspot Shield’s Chrome extension and could have allowed remote hackers to hijack and redirect victim's web traffic to a malicious site.
DNS leak (CVE-2018-7878) — DNS leak flaw in Hotspot Shield exposed users' original IP address to the DNS server, allowing ISPs to monitor and record their online activities.
Real IP Address leak (CVE-2018-7880) — This flaw poses a privacy threat to users since hackers can track user's real location and the ISP. the issue occurred because the extension had a loose whitelist for "direct connection." Researchers found that any domain with localhost, e.g., localhost.foo.bar.com, and 'type=a1fproxyspeedtest' in the URL bypass the proxy and leaks real IP address.
Here it must be noted that all the three vulnerabilities were in the HotSpot Shield's free Chrome plug-in, not in the desktop or smartphone apps.
The researchers also reported similar vulnerabilities in the Chrome plugins of Zenmate and PureVPN, but for now, the details of the bugs are being kept under wraps since both the manufacturers have not yet fixed them.
Researchers believe that most other VPN services also suffer from similar issues.

Pre-Installed Malware Found On 5 Million Popular Android Phones
17.3.2018 thehackernews Android

Security researchers have discovered a massive continuously growing malware campaign that has already infected nearly 5 million mobile devices worldwide.
Dubbed RottenSys, the malware that disguised as a 'System Wi-Fi service' app came pre-installed on millions of brand new smartphones manufactured by Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung and GIONEE—added somewhere along the supply chain.
All these affected devices were shipped through Tian Pai, a Hangzhou-based mobile phone distributor, but researchers are not sure if the company has direct involvement in this campaign.
According to Check Point Mobile Security Team, who uncovered this campaign, RottenSys is an advanced piece of malware that doesn't provide any secure Wi-Fi related service but takes almost all sensitive Android permissions to enable its malicious activities.
"According to our findings, the RottenSys malware began propagating in September 2016. By March 12, 2018, 4,964,460 devices were infected by RottenSys," researchers said.
To evade detection, the fake System Wi-Fi service app comes initially with no malicious component and doesn’t immediately start any malicious activity.
Instead, RottenSys has been designed to communicate with its command-and-control servers to get the list of required components, which contain the actual malicious code.
RottenSys then downloads and installs each of them accordingly, using the "DOWNLOAD_WITHOUT_NOTIFICATION" permission that does not require any user interaction.
Hackers Earned $115,000 in Just Last 10 Days

At this moment, the massive malware campaign pushes an adware component to all infected devices that aggressively displays advertisements on the device’s home screen, as pop-up windows or full-screen ads to generate fraudulent ad-revenues.
"RottenSys is an extremely aggressive ad network. In the past 10 days alone, it popped aggressive ads 13,250,756 times (called impressions in the ad industry), and 548,822 of which were translated into ad clicks," researchers said.
According to the CheckPoint researchers, the malware has made its authors more than $115,000 in the last 10 days alone, but the attackers are up to "something far more damaging than simply displaying uninvited advertisements."
Since RottenSys has been designed to download and install any new components from its C&C server, attackers can easily weaponize or take full control over millions of infected devices.
The investigation also disclosed some evidence that the RottenSys attackers have already started turning millions of those infected devices into a massive botnet network.
Some infected devices have been found installing a new RottenSys component that gives attackers more extensive abilities, including silently installing additional apps and UI automation.
"Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices," researchers noted.
This is not the first time when CheckPoint researchers found top-notch brands affected with the supply chain attack.
Last year, the firm found smartphone belonging to Samsung, LG, Xiaomi, Asus, Nexus, Oppo, and Lenovo, infected with two pieces of pre-installed malware (Loki Trojan and SLocker mobile ransomware) designed to spy on users.
How to Detect and Remove Android Malware?
To check if your device is being infected with this malware, go to Android system settings→ App Manager, and then look for the following possible malware package names:
com.android.yellowcalendarz (每日黄历)
com.changmi.launcher (畅米桌面)
com.android.services.securewifi (系统WIFI服务)
If any of above is in the list of your installed apps, simply uninstall it.

Plugins for Popular Text Editors Could Help Hackers Gain Elevated Privileges
17.3.2018 thehackernews Hacking

Whether you're a developer, designer or a writer, a good text editor always help you save time and make you work more efficiently.
For example, I use Sublime a lot while programming because it includes some useful tools like 'syntax highlighting' and 'autocomplete' that every advanced text editor should have.
Moreover, these advanced text editors also offer users extensibility, allowing users to install and run third-party plugins to extend the editor's functionality and most importantly its scope.
However, it's a known fact that third-party plugins always pose a significant risk of hacking, whether it's about WordPress plugins or Windows' extensions for Chrome, Firefox or Photoshop.
SafeBreach researcher Dor Azouri analyzed several popular extensible text editors for Unix and Linux systems, including Sublime, Vim, Emacs, Gedit, and pico/nano, and found that except for pico/nano, all of them are vulnerable to a critical privilege escalation flaw that could be exploited by attackers to run malicious code on a victims’ machines.
"This method succeeds regardless of the file being opened in the editor, so even limitations commonly applied on sudo commands might not protect from it," the paper reads [pdf]
"Technical users will occasionally need to edit root-owned files, and for that purpose they will open their editor with elevated privileges, using ‘sudo.’ There are many valid reasons to elevate the privileges of an editor."
The issue resides in the way these text editors load plugins. According to the researcher, there's inadequate separation of regular and elevated modes when loading plugins for these editors.
Their folder permissions integrity is not maintained correctly, which opens the door for attackers with regular user permissions to elevate their privileges and execute arbitrary code on the user's machine.
A simple malvertising campaign could allow attackers spread malicious extension for vulnerable text editors, enabling them to run malicious code with elevated privileges, install malware and remotely take full control of targeted computers.
Azouri suggests Unix users can use an open-source host-based intrusion detection system, called OSSEC, to actively monitoring system activity, files integrity, logs, and processes.
Users should avoid loading 3rd-party plugins when the editor is elevated and also deny write permissions for non-elevated users.
Azouri advised developers of text editors to change the folders and file permission models to complete the separation between regular and elevated modes and if possible, provide a manual interface for users to approve the elevated loading of plugins.

China-linked Hackers Target Engineering and Maritime Industries
17.3.2018 securityweek  CyberSpy

A China-related cyberespionage group that has been active for half a decade has increased its attacks on engineering and maritime entities over the past months, FireEye reports.

Referred to as Leviathan or TEMP.Periscope, the group has been historically interested in targets connected to South China Sea issues, which hasn't changed in the recently observed attacks. Targets include research institutes, academic organizations, and private firms in the United States.

“The current campaign is a sharp escalation of detected activity since summer 2017. Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit,” FireEye says.

Over the years, the group has also shown interest in professional/consulting services, high-tech industry, healthcare, and media/publishing. Most of the identified victims were in the United States, with some located in Europe and at least one in Hong Kong.

The group’s tactics, techniques, and procedures (TTPs), as well as its targets, overlap with those associated with the group called TEMP.Jumper, which in turn overlaps significantly with the NanHaiShu group.

The recently observed spike in activity also revealed the use of a broad range of malware that other suspected Chinese groups also use. These tools include backdoors, reconnaissance tools, file stealers, and webshells.

The first of the backdoors is Airbreak, a JavaScript-based tool that retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services.

A second backdoor is Badflick, which can modify the file system, generate a reverse shell, and modify its command and control (C&C) configuration.

Another similar piece of malware is Photo, a DLL backdoor that gets directory, file, and drive listing; creates a reverse shell; records the screen, video, and audio; lists, terminates, and creates processes; creates and modifies registry keys and values; logs keystrokes, returns usernames and passwords from protected storage; and can read, create, and modify files.

The group also used Homefry, a 64-bit Windows password dumper/cracker previously used along with the first two backdoors. Based on received commands, it can either display cleartext credentials for each login session, or can display cleartext credentials, NTLM hashes, and malware version for each login session.

Other tools employed by the hackers include Lunchmoney (which can exfiltrate files to Dropbox) and Murkytop, a command-line reconnaissance tool (which can execute files; move and delete files; schedule remote AT jobs; perform host discovery; scan for open ports in a connected network; and retrieve information about the operating system, users, groups, and shares on remote hosts).

In recent attacks, the group was also observed employing the China Chopper code injection webshell capable of executing Microsoft .NET code within HTTP POST commands (thus, it can upload and download files, execute applications, list directory contents, access Active Directory, access databases, and more).

Previously, the group used the Beacon backdoor (commercially available as part of the Cobalt Strike software platform), and the Blackcoffee backdoor that hides C&C communication as traffic to legitimate websites such as Github and Microsoft's Technet portal.

The group has been also observed using spear phishing emails; lure documents attempting to exploit CVE-2017-11882 to drop malware; stolen code signing certificates to sign their malware; bitsadmin.exe and PowerShell to download additional tools; and Windows Management Instrumentation (WMI) and Windows Shortcut files (.lnk) for persistence.

“The current wave of identified intrusions is consistent with TEMP.Periscope and likely reflects a concerted effort to target sectors that may yield information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations,” FireEye concludes.

Hackers can elevate privileges by hacking into popular text editors
17.3.2018 securityaffairs Hacking

Following recent string of attacks that exploit flawed plugins, researchers at SafeBreach examined 6 popular extensible text editors for unix systems.
Most of the modern text editors allow users to extend their functionalities by using third-party plugins, in this way they are enlarging their attack surface.

Third-party plugins could be affected by vulnerabilities that could be exploited by hackers to target our systems.

The situation is particularly severe in case the flaw affects a plugin for popular software such as WordPress or Windows’ extensions for Chrome, Firefox or Photoshop.

Dor Azouri, a researcher at SafeBreach, has analyzed several popular extensible text editors for both Unix and Linux systems discovered that except for pico/nano all of them are affected by a critical privilege escalation flaw.

“We examined several popular editors for unix environments. Our research shows how these text editors with third-party plugins can be used as another way to gain privilege escalation on a machine. This method succeeds regardless of the file being opened in the editor, so even limitations commonly applied on sudo commands might not protect from it.” states the blog post published by SafeBreach.

“The set of editors that were put to the test include: Sublime, Vim, Emacs, Gedit, pico/nano.”

Emacs text editors

An attacker can exploit the flaw to run malicious code on a victims’ machines running the vulnerable text editor.

“This method succeeds regardless of the file being opened in the editor, so even limitations commonly applied on sudo commands might not protect from it,” reads the paper published by the company.

“Technical users will occasionally need to edit root-owned files, and for that purpose they will open their editor with elevated privileges, using ‘sudo.’ There are many valid reasons to elevate the privileges of an editor.”

The vulnerability ties the way these text editors load plugins because they don’t properly separate regular and elevated modes when loading plugins.

Attackers with regular user permissions can access the folder permissions to elevate their privileges and execute arbitrary code on the user’s machine.

Azouri suggests Unix users use an open-source host-based intrusion detection system called OSSEC. Of course, users should avoid loading 3rd-party plugins when the editor is elevated and also deny write permissions for non-elevated users.

Below the full list of mitigations provided by the experts:

implement OSEC monitoring rules
deny write permisions for non-elevated users
change folders and file permission models to ensure separation between regular and elevated modes.
Prevent loading of 3rd party plugins when an editor is elevated.
Provide a manual interface to approve the elevated loading of plugins.

Počet kybernetických útoků na finanční podniky se za pět let ztrojnásobil

16.3.2018 Novinky/Bezpečnost Počítačový útok
Ve finančních službách se za posledních pět let celosvětově ztrojnásobil počet kybernetických útoků, vyplývá ze studie společností Accenture a Ponemon Institute. Pojišťovny začaly firmám i obyčejným uživatelům nabízet speciální pojištění kybernetických rizik. Česká policie se loni zabývala 6424 případy kybernetické kriminality, což je o 1080 případů více než v roce 2016.

"I když náklady na řešení kyberkriminality se u společností poskytujících finanční služby stále zvyšují, náš průzkum zjistil, že mají významně vyváženější a přiměřenější úroveň výdajů na klíčové bezpečnostní technologie k potírání sofistikovaných útoků než společnosti z jiných sektorů," uvedl Chris Thompson, který v Accenture Security vede sekci bezpečnosti finančních služeb.

To podle něj platí zejména při využívání automatizace, umělé inteligence nebo technologií strojového učení, což by mohlo být pro budoucí úsilí v oblasti kyberbezpečnosti zásadní.

Vyděračské viry
Podle bezpečnostní společnosti Eset byl rok 2017 rokem takzvaného ransomwaru. Jde o vyděračský software, který blokuje operační systém nebo šifruje data v něm obsažená a po uživateli pak vyžaduje výkupné za obnovení systému. Běžní uživatelé, ale i nadnárodní organizace museli čelit masivním útokům, jakými byly NotPetya nebo WannaCry.

Ransomware se ale nezaměřuje pouze na klasické počítače. Zneužívají ho i útočníci, kteří chtějí vydělat na vysoké popularitě mobilních zařízení a nejrozšířenějšího operačního systému Android, vysvětlil analytik Esetu Lukáš Štefanko.

Populární přehrávač Flash Player je opět děravý. Chybu mohou zneužít hackeři

16.3.2018 Novinky/Bezpečnost Zranitelnosti
V pořadí již druhou kritickou bezpečnostní chybu oblíbeného internetového přehrávače Flash Player musí během jediného měsíce řešit společnost Adobe. Trhlina otevírá v podstatě zadní vrátka do celého operačního systému. S instalací opravy by tak uživatelé neměli otálet.

Jednu kritickou chybu operačního systému řešila společnost Adobe už na začátku března.  

Sotva se třetí měsíc roku přehoupnul do druhé půlky, je tu v podstatě ta samá situace v bledě modrém. Flash Player opět obsahuje kritickou bezpečnostní trhlinu. S využitím chyby mohou piráti propašovat do cizího počítače prakticky jakýkoli virus.

Právě proto by uživatelé neměli s instalací nejnovější verze otálet. Stahovat záplatu je možné prostřednictvím automatických aktualizací daného programu nebo prostřednictvím stránek společnosti Adobe.

Častý terč útoků
Flash Player používá na celém světě několik stovek miliónů lidí. Právě kvůli velké popularitě se na něj zaměřují kybernetičtí nájezdníci pravidelně. Podle analýzy bezpečnostní společnosti Record Future cílilo osm z deseti nejrozšířenějších hrozeb v roce 2015 právě na tento přehrávač videí.

To je i jeden z hlavních důvodů, proč se společnost Adobe rozhodla Flash Player sprovodit ze světa. Podle dřívějšího oznámení jej bude podporovat už jen dva roky.

Reagovat na kybernetické incidenty dělá firmám problémy

16.3.2018 SecurityWorld Incidenty
Třem čtvrtinám dotazovaných firem chybí plán, jak v případě incidentu reagovat a 69 % z nich uvádí, že na kybernetickou odolnost nemá vyčleněno dostatek peněz.

Institut Ponemon ve spolupráci s IBM zveřejnila výsledky globální studie, která se zabývá tím, co všechno musí společnosti řešit, pokud chtějí být kyberneticky odolné.

Celkem 77 % respondentů připustilo, že nemá oficiální plán (CSIRP) v případě kyberbezpečnostního incidentu, který by byl v celé firmě důsledně dodržován. Téměř polovina z 2 800 respondentů uvedla, že jejich plán reakce na incidenty vzniká ad hoc, není oficiální nebo vůbec neexistuje.

Navzdory chybějícím oficiálním plánům ale 72 % firem tvrdí, že se v současnosti cítí kyberneticky odolnější než v loňském roce. Organizace, které se považují za vysoce odolné (61 %), zakládají své přesvědčení na schopnosti najmout kvalifikované zaměstnance.

Ale kybernetická odolnost organizací stojí nejenom na lidech, ale také na technologii. Respondenti si to uvědomují a 60 % z nich považuje nedostatečné investice do umělé inteligence a strojového učení za největší překážku v dosažení kybernetické odolnosti.

Sebedůvěra firem tedy nemusí mít pevné základy, protože 57 % respondentů ve studii prohlásilo, že se incidenty dnes řeší déle a 65 % uvedlo, že se závažnost útoků zvyšuje. To jsou přitom klíčové faktory, které mají na celkovou kybernetickou odolnost zásadní dopad.

Tyto problémy ještě znásobuje fakt, že pouze 31 % dotázaných má na kybernetickou odolnost přidělený dostatečný rozpočet a 77 % respondentů má problém najít a udržet si odborníky na IT bezpečnost.

„Pokud se firmy dnes cítí více kyberneticky odolné, tak je to hlavně z důvodu toho, že mají kvalifikované zaměstnance,“ říká viceprezident pro produktový management a spoluzakladatel IBM Resilient Ted Julian.

„Mít ty správné lidi je samozřejmě zásadní, ale stejně tak důležité je dát jim k dispozici ty nejmodernější pracovní nástroje. Jediné, co bezpečnostním týmům umožní vypořádat se s případnou hrozbou a zvýšit celkovou kybernetickou bezpečnost, je reakční plán, který sladí lidskou a strojovou inteligenci.“

Neexistence důsledně používaného CSIRP se ve výsledcích objevuje každý rok, navzdory zjištěním studie IBM z roku 2017, kolik porušení zabezpečení dat stojí. Pokud firmy zvládly porušení zabezpečení dat vyřešit do třiceti dnů, stálo je to průměrně skoro o jeden milion dolarů méně. Proto je CSIRP tak důležitý a cenný.

Další závěry studie:

Personální zajištění aktivit spojených s kybernetickou odolností není dostatečné.
Druhou největší překážkou kybernetické odolnosti se ukázal být nedostatek kvalifikovaných zaměstnanců v oblasti kybernetické bezpečnosti.
29 % respondentů uvedlo, že k dosažení kybernetické odolnosti mají ty správné zaměstnance.
50 % říká, že jejich současný manažer informační bezpečnosti nebo osoba zodpovědná za bezpečnost jsou ve své funkci tři roky nebo méně.
23 % firem podle studie v současnosti nemá manažera informační bezpečnosti ani osobu zodpovědnou za bezpečnost.