The authors of the Orcus RAT target Bitcoin investors
9.12.2017 securityaffairs Virus
According to Fortinet, the authors of the Orcus RAT have started targeting Bitcoin investors with their malicious software.
Crooks always follow the money and seize any opportunity, such as the recent spike in the value of Bitcoin. According to experts from Fortinet, the authors of the Orcus RAT have started targeting Bitcoin investors with their malicious software.
The attack chain starts with phishing messages advertising a new Bitcoin trading bot application called “Gunbot” developed by GuntherLab.
The malicious emails come with a .ZIP attachment that includes a simple VB script acting as a downloader; the script downloads a binary masquerading as a JPEG image file.
The downloaded binary is a Trojanized version of an open source inventory system tool named TTJ-Inventory System. The malicious code uses a hardcoded key to decrypt an encoded payload into another .NET PE executable, which is loaded and executed directly in memory.
The malicious code verifies that it is the only instance running on the infected machine by checking for the presence of a mutex named “dgonfUsV”.
This binary contains three embedded PE executables in its resources, including the actual Orcus RAT server.
The three embedded PE executables are:
M – Orcus RAT server
PkawjfiajsVIOefjsakoekAOEFKasoefjsa – persistence watchdog
R – RunPE module
Experts found that the RunPE module can execute modules without writing them to disk, and can also run them under legitimate executables by starting an application in suspended mode and then replacing the process’ memory with the malicious code.
“The RunPE module is not only able to execute other modules without writing their physical files in the system, but also to execute them under legitimate executables. This is usually done by executing an application in suspended mode, and then replacing the new process’ memory with the malicious code before resuming. It’s a common stealth technique. In this case, it uses components of the Microsoft .NET framework, MSBuild.exe and RegAsm.exe, as shells to hide their malicious processes.” reads the analysis published by Fortinet.
“The module from the PkawjfiajsVIOefjsakoekAOEFKasoefjsa resource acts as a watchdog to keep the malware running by repeatedly executing it unless the client decides to stop it by dropping “stop.txt” in its directory.”
The Orcus RAT has been around since early 2016; it implements common RAT features and is also able to load plugins and execute C# and VB.net code on the remote machine in real time.
“Orcus has been advertised as a Remote Administration Tool (RAT) since early 2016. It has all the features that would be expected from a RAT and probably more.” continues the analysis.
“The long list of the commands is documented on their website. But what separates Orcus from the others is its capability to load custom plugins developed by users, as well as plugins that are readily available from the Orcus repository. In addition to that, users can also execute C# and VB.net code on the remote machine in real-time.”
The Orcus RAT is a powerful spyware: it can disable the light indicator on webcams to spy on victims without raising suspicion.
The malware can also run a watchdog that restarts the server component, and if someone tries to kill its process it can trigger a Blue Screen of Death (BSOD).
Orcus also includes a plugin that can be used to power Distributed Denial of Service (DDoS) attacks.
Fortinet warns that the actors behind the Orcus RAT made some changes to the malware download site (bltcointalk.com, which attempts to imitate the Bitcoin forum bitcointalk.org).
“It is obvious that the malware download site https://bltcointalk.com is trying to imitate the bitcoin forum bitcointalk.org. When accessed, the website is just an open directory containing the previously mentioned as well as an archive with the filename. Unfortunately, in the middle of writing this article, the contents of the website changed before we could download an updated copy.” states the analysis published by Fortinet.
The researchers observed several websites that attempt to clone legitimate domains by changing a single letter in the URL; these domains appear to belong to a pool that the crooks reuse across different campaigns.
“It was no surprise, therefore, that we found other domains that use similar domain names with replaced letters. When accessed, most of the sites display the “We’ll be back soon!” message, which is the same page that is displayed when “index.phptopic=3D1715214.0/” is accessed in “bltcointalk.com”.” states the analysis.
“In our investigation of Orcus RAT, we have again proven that its capabilities go beyond the scope of a harmless administration tool. Regardless of the developer’s claim and defense, the reality is that the application is being used in cybercrime campaigns.”
Technical details, including IoCs, are available in the blog post published by Fortinet.
Expert discovered a Keylogger component in HP notebook keyboard driver
9.12.2017 securityaffairs Hacking
A security researcher discovered that hundreds of notebook models contain debugging code that could be abused by attackers as a keylogger component.
Hundreds of notebook models contain debugging code that could be abused by attackers as a keylogger component. The code was discovered by a security researcher who goes by the online moniker ZwClose; the list of affected models and the security patch are available at the following URL:
The list of affected notebooks includes 475 models, 303 consumer notebooks and 172 commercial notebooks, mobile thin clients, and mobile workstations. Affected model families include HP’s 25*, mt**, 15*, OMEN, ENVY, Pavilion, Stream, ZBook, EliteBook, and ProBook series, along with several Compaq models.
Oh well. Keylogger in HP's SynTP.sys. Off by default. Vendor contacted. Fix released and pushed. Blog post is on the way.
11:28 AM - Dec 6, 2017
HP has released security updates for its drivers in order to remove the debugging code that was present in the SynTP.sys file, which is part of the Synaptics Touchpad driver.
HP customers know that the Synaptics Touchpad driver is shipped with many HP notebook models.
“HP had a keylogger in the keyboard driver. The keylogger saved scan codes to a WPP trace. The logging was disabled by default but could be enabled by setting a registry value (UAC required).” reads the blog post published by the expert.
That registry key is:
The Windows software trace preprocessor (WPP) technique is used by developers for debugging code.
“WPP software tracing supplements and enhances WMI event tracing by adding ways to simplify tracing the operation of the trace provider. It is an efficient mechanism for the trace provider to log real-time binary messages. The logged messages can subsequently be converted to a human-readable trace of the operation of the trace provider.” states Microsoft.
Of course, the risk is that this debugging feature could be abused by malware authors to enable the keylogging capability present in the code and spy on HP users. The native code runs at kernel level and is hard for security software to detect.
Malware developers only need to bypass the UAC prompt when changing the registry key, and there are many ways to do that.
HP confirmed the presence of the keylogging code, explaining that it was used for debugging purposes and was accidentally left in the driver; for this reason, the tech giant “released an update that removes the trace.”
The researcher who uses the Twitter handle THS explained that HP did not remove the keylogger functions in the new version; the logging can simply be turned on by setting SeeScanCode and EnableLog to 1 in the Windows Registry.
#HP did not remove the #keylogger functions in new version. Simply turn it on by setting SeeScanCode and EnableLog = 1 in Windows Registry.
10:26 AM - May 13, 2017
In May, the security researcher Thorsten Schroeder of security firm Modzero discovered that a Conexant audio driver shipped with many HP laptops and tablet PCs was logging keystrokes. The expert found that the MicTray64.exe application, which is installed with the Conexant audio driver package, is registered as a scheduled task on Windows systems and monitors keystrokes to determine whether the user has pressed any audio-related keys (e.g. mute/unmute).
Android Janus vulnerability allows attackers to inject Malware into legitimate apps avoiding detection
9.12.2017 securityaffairs Android
Google fixed a bug dubbed Janus that could be exploited by attackers to inject malicious code into Android apps without affecting an app’s signature.
Google fixed four dozen vulnerabilities this week, including a bug dubbed Janus that could be exploited by attackers to inject malicious code into Android apps without affecting an app’s signature verification certificates.
Millions of Android devices are at risk of a cyber attack due to this flaw (CVE-2017-13156), which allows attackers to secretly overwrite legitimate applications installed on victims’ mobile devices with malware.
The vulnerability was reported to Google by security researchers from mobile security firm GuardSquare this summer and has been fixed now as part of the December Android Security Bulletin.
The attack technique discovered by Guardsquare allows attackers to bypass anti-malware protection mechanisms and escalate privileges on targeted devices using signed apps that appear to come from trusted publishers.
“A serious vulnerability (CVE-2017-13156) in Android allows attackers to modify the code in applications without affecting their signatures. The root of the problem is that a file can be a valid APK file and a valid DEX file at the same time. We have named it the Janus vulnerability, after the Roman god of duality.” states the analysis published by Guardsquare.
The vulnerability lies in the way Android handles APK installation for some apps, allowing an attacker to add extra bytes of code to an APK file without modifying the app’s signature.
An APK file is a Zip archive that includes application code, resources, assets, signatures, certificates, and the manifest file.
Earlier versions of Android (5.0 Lollipop and 6.0 Marshmallow) also support a process virtual machine that executes APK archives containing a compiled version of the application code and files in the DEX (Dalvik EXecutable) file format.
While installing an app, the OS checks the APK header information to determine whether the archive contains code in compressed DEX files. If the APK archive contains DEX files, the process virtual machine decompiles the code accordingly and executes it; otherwise, it runs the code as a regular APK file.
It turns out that an APK archive can contain DEX files as well as regular application code simultaneously, without affecting its validity and signatures. Researchers discovered that it is possible to add extra bytes of code to the archive due to the lack of file integrity checking.
“The Janus vulnerability stems from the possibility to add extra bytes to APK files and to DEX files. On the one hand, an APK file is a zip archive, which can contain arbitrary bytes at the start, before its zip entries (actually more generally, between its zip entries). The JAR signature scheme only takes into account the zip entries. It ignores any extra bytes when computing or verifying the application’s signature.” continues the analysis.
“On the other hand, a DEX file can contain arbitrary bytes at the end, after the regular sections of strings, classes, method definitions, etc. A file can, therefore, be a valid APK file and a valid DEX file at the same time.”
Attackers can prepend malicious code compiled in DEX format to an APK archive containing legitimate code with a valid signature, tricking the app installation process into executing both on the device while avoiding detection.
The researchers developed a simple tool to create Janus applications as a proof of concept; the good news is that, according to the experts, there are no similar applications in the wild at this time.
The Janus tool allows an attacker to inject a malicious DEX (Dalvik Executable) file into an APK file. DEX files make up the code inside Android programs, which are zipped into single APKs.
The researchers also described possible attack scenarios: for example, an attacker can replace a trusted application with high privileges (i.e. a system app) with a modified update in order to abuse its permissions. Another scenario sees a hacker passing off a modified clone of a sensitive application as a legitimate update, for instance in the context of banking or communications.
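The dual-file layout described above (a DEX header in front of an otherwise intact zip) is something a defender can check for before trusting a package. The Python script below is an added example and is not GuardSquare's Janus tool or any code from the original article: it builds a constructed stand-in APK in memory, prepends a constructed fake DEX header to reproduce the Janus shape, and reports whether an APK carries bytes in front of its first zip entry, which is exactly the region the JAR (v1) signature scheme never covers. The entry names and header bytes are sample data made up for the demonstration.

```python
import io
import zipfile

DEX_MAGIC_PREFIX = b"dex\n"        # a DEX file starts with "dex\n" + 3-digit version + NUL
ZIP_LOCAL_HEADER = b"PK\x03\x04"   # signature of a zip local file header


def inspect_apk_bytes(data: bytes) -> dict:
    """Report whether an APK has bytes preceding its first zip entry.

    The v1 (JAR) signature only covers the zip entries, so anything located
    before the first local file header is unsigned. A file that additionally
    begins with the DEX magic has the Janus shape: it parses as a DEX file and
    as an APK at the same time.
    """
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        infos = zf.infolist()
        if not infos:
            raise ValueError("archive has no entries")
        # zipfile resolves header_offset to an absolute file position even when
        # the zip was appended to other data, so the smallest offset marks where
        # the signed part of the archive begins.
        first_entry_offset = min(zi.header_offset for zi in infos)
        # testzip() returns None when every entry's CRC checks out, i.e. the
        # archive is still fully valid despite any leading bytes.
        archive_intact = zf.testzip() is None
    return {
        "leading_bytes": first_entry_offset,
        "starts_with_dex_magic": data.startswith(DEX_MAGIC_PREFIX),
        "starts_with_zip_header": data.startswith(ZIP_LOCAL_HEADER),
        "archive_intact": archive_intact,
        # any unsigned prefix is suspicious, DEX magic or not
        "suspicious": first_entry_offset > 0,
    }


def build_sample_apk() -> bytes:
    """Constructed stand-in for a signed APK: a zip with typical entry names."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + bytes(100))
        zf.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


def build_janus_shaped_file(apk: bytes) -> bytes:
    """Constructed: a fake 72-byte DEX header prepended to the APK bytes.

    Zip readers locate the central directory from the end of the file, so the
    archive remains readable; a DEX loader looking at the start sees DEX magic.
    """
    fake_dex_header = b"dex\n035\x00" + b"\x00" * 64
    return fake_dex_header + apk


if __name__ == "__main__":
    clean = build_sample_apk()
    for label, blob in (("clean", clean), ("janus-shaped", build_janus_shaped_file(clean))):
        print(label, inspect_apk_bytes(blob))
```

For a real package the same function can be applied to the bytes of an .apk file read from disk. Devices that verify APK Signature Scheme v2 already reject this layout, because v2 covers the whole file outside the signing block; the check above is therefore aimed at triage pipelines and at packages that still rely on v1 signatures only.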
Android versions older than Nougat (7.0) and any Android devices that support the APK signature scheme v1 are affected by the Janus vulnerability.
The Android devices updated to support APK signature scheme v2, introduced in July 2016, are not impacted.
Unfortunately, most Android users will not receive these patches for the next month, until their device manufacturers (OEMs) release custom updates for them.
Onapsis Helps SAP Customers Check GDPR Compliance
9.12.2017 securityweek Privacy
Onapsis, a company that specializes in securing SAP and Oracle business-critical applications, announced this week that it has added automated GDPR compliance capabilities to the Onapsis Security Platform.
The new functionality allows organizations using SAP products to quickly determine if they meet data protection requirements. The system is capable of identifying SAP systems that need to be compliant with the General Data Protection Regulation (GDPR), specifically systems that process or store user data. Onapsis believes a majority of SAP systems fall into this category.
Non-compliant systems are flagged by the Onapsis Security Platform and users are provided guidance on how to address the issue. Newly added systems that need to be GDPR compliant are automatically included in the next audit.
“In speaking to our customers, we know that GDPR is a complicated mandate and many organizations are struggling to determine if or how their SAP landscapes are relevant,” said Alex Horan, Director of Product Management at Onapsis. “With this in mind, Onapsis’s newly released audit policy within the Onapsis Security Platform (OSP) automatically evaluates any SAP system through the lens of the data protection requirements of GDPR. This includes both data at rest, data in transit and the assessment of data access or authorizations.”
GDPR, expected to come into effect in May 2018, requires businesses to protect the personal data and privacy of EU citizens. While the regulation is designed to protect the data of EU citizens, it affects organizations worldwide. Failure to comply can result in penalties of up to €20 million or 4% of global profit.
A study conducted earlier this year by the UK & Ireland SAP User Group showed that 86% of SAP customers did not fully understand the implications of GDPR. More than half of respondents said the increasing use of cloud technology and workforce mobility increased their compliance challenges.
SAP recommends its GRC (Governance, Risk, Compliance) solutions for ensuring GDPR compliance, and nearly half of the respondents taking part in the SAP User Group study had been leveraging SAP GRC. Many of those who had not used it believed GRC was either too expensive or too complicated.
IT Security Spending to Reach $96 Billion in 2018: Gartner
9.12.2017 securityweek IT
Gartner is predicting that worldwide security spend will reach $96 billion in 2018. This is up 8% from the 2017 spend of $89 billion. Interestingly, the latest 2017 and 2018 figures show substantial increases over similar predictions made in August of this year. The earlier prediction had 2017 figures at $86.4 billion and 2018 figures at $93 billion.
Gartner suggests that organizations are spending more on security as a result of regulations, shifting buyer mindset, awareness of emerging threats and the evolution to a digital business strategy.
"Overall, a large portion of security spending is driven by an organization's reaction toward security breaches as more high profile cyberattacks and data breaches affect organizations worldwide," said Ruggero Contu, research director at Gartner. "Cyberattacks such as WannaCry and NotPetya, and most recently the Equifax breach, have a direct effect on security spend, because these types of attacks last up to three years."
A 2016 survey -- that questioned 512 respondents from eight countries: Australia, Canada, France, Germany, India, Singapore, the U.K. and the U.S. -- showed a direct link between security risks and security spend. Gartner believes that the breaches of 2017 will influence the spend in 2018. "As a result," it suggests, "security testing, IT outsourcing and security information and event management (SIEM) will be among the fastest-growing security subsegments driving growth in the infrastructure protection and security services segments."
This is likely to be bolstered by the effect of compliance concerns. Regulations are increasing in number, scope, and the size of sanctions; and they are getting personal. Europe's General Data Protection Regulation (GDPR), coming into effect in May 2018, can impose fines of up to 4% of global turnover. In the U.S., the newly introduced Data Security and Breach Notification Act proposes jail terms of up to five years for those who fail to comply. As the effect of these regulations on individual business leaders as well as on the company filters through -- regulations which can no longer be satisfied by a simple tick-box approach to security -- there is likely to be a knee-jerk reaction leading to increased security spend.
Some of this effect can be discounted. "Regulatory compliance and data privacy have been stimulating spending on security during the past three years, in the US (with regulations such as the Health Insurance Portability and Accountability Act, National Institute of Standards and Technology, and Overseas Citizenship of India) but most recently in Europe around the General Data Protection Regulation coming into force on 28th May 2018, as well as in China with the Cybersecurity Law that came into effect in June 2016. These regulations translate into increased spending, particularly in data security tools, privileged access management and SIEM."
However, since numerous surveys and analyses have demonstrated that many firms simply do not understand GDPR, are still far from being ready for GDPR, or don't (yet) believe it applies to them, there is likely to be sudden increased spending following the first legal actions against non-compliance. Any belief that European regulators might allow a 'bedding in' period should not be taken for granted.
At the end of November, three European activists (Max Schrems, whose action against Facebook ultimately led to the collapse of the EU/US Safe Harbor agreement; Paul Nemitz, director for fundamental rights and Union citizenship in the European Commission's Directorate-General for Justice; and Jan Philippe Albrecht, justice and home affairs spokesperson of the European Greens and the rapporteur for the GDPR) got together to announce 'NOYB [none of your business] -- European Center for Digital Rights'.
The purpose of NOYB is to close the gap between the public perception of privacy and the reality of corporate practice, including bringing cases to court. Since these are activists rather than regulators, they are likely to take private action where regulators may hesitate. In its August prediction, Gartner commented, "The EU General Data Protection Regulation (GDPR) has created renewed interest, and will drive 65 percent of data loss prevention buying decisions today through 2018." This could prove to be a conservative estimate.
Skills shortages, technical complexity and the threat landscape will continue to drive the move to automation and outsourcing, says Gartner. "Skill sets are scarce and therefore remain at a premium, leading organizations to seek external help from security consultants, managed security service providers and outsourcers," said Contu. "In 2018, spending on security outsourcing services will total $18.5 billion, an 11% increase from 2017. The IT outsourcing segment is the second-largest security spending segment after consulting."
This migration to service providers and outsourcers leads Gartner to predict that by 2019, total enterprise spending on security outsourcing services will be 75% of the spending on security software and hardware products, up from 63% in 2016.
"For the most part, I agree with Gartner's assessment that spending is likely to continue to grow overall in 2018," Nathan Wenzler, chief security strategist at AsTech, told SecurityWeek; "especially in identifying that the overall skills shortage will ultimately drive more companies to spend more in security services."
He believes that companies are "reaching something of a saturation point for security software, as they've been spending for the last several years to buy products that can protect their environments in different ways." But they don't have and cannot get "experienced security professionals who can deploy, use and maintain those products effectively in order to put the tools to work. Organizations will have little choice but to shift their spending to services in order to secure their networks and protect critical data."
But is 'more spending' necessarily 'better security'? Ilia Kolochenko, CEO of High-Tech Bridge, warns that it isn't necessarily so. He believes that a more coherent risk-based security approach could lead to improved security without necessarily increasing spend. "Many companies can even reduce their current budgets by implementing a risk-based approach to mitigate appropriate threats and vulnerabilities; and by rigorously selecting vendors based on technology and not marketing claims."
#OpUSA – OpIsrael – Anonymous hit Israel and threatens cyberattack on US Govt
9.12.2017 securityaffairs BigBrothers
#OpUSA – OpIsrael – The hacker collective Anonymous threatens cyber attacks on the US Government and has launched an offensive against Israeli targets.
In the last few hours, the hacktivists leaked online the names, emails, and passwords of Israeli public employees and shared a list of US government sites to target, calling for action against them.
Anonymous leaked data belonging to only a handful of the sites; this is the collective’s retaliation against the US Government for its politics in the Middle East.
The Anonymous operation aims to protect Palestine and to protest Donald Trump’s decision to recognize Jerusalem as the capital of Israel.
Below is the message published on the blog of the website cyberguerilla.com:
“Anonymous OpUSA – OpIsrael: Israeli Gov’t hacked and dumped. Download link!
This Hack is part of the Operation US + Israel. #OpUSA – OpIsrael
The end of 2017 #Anonymous
Israel Gov’t hacked and dumped.
Download dump: https://mega.nz/#!ZWByDAbT
Decryption Key: !-Yvx4-wlzWEV5gagusHKcDF4eYeABfJxgDh_foO-D20
“Government of Israel and United State, our patience is exhausted!
No more words! Now only acts.
Anonymous can’t be silent when we see your actions.
Now its Anonymous time.“
We Are Anonymous,
We Are Legion,
We do not forgive,
We do not forget
Government of USA and Israel,
Anonymous is calling for action against websites included in the United States and Israel Government target list; the collective is inviting its members to hit these sites in any way (i.e. data dump, government breach, defacing, DDoSing):
https://www.usa.gov/ = USA
https://www.gov.il/ = Israel
https://www.state.gov/ = USA
http://www.president.gov.il/ = Israel
https://www.whitehouse.gov/ = USA
http://itrade.gov.il/ = Israel
https://www.ssa.gov/ = USA
http://www.investinisrael.gov.il/ = Israel
https://www.data.gov/ = USA
http://www.antitrust.gov.il/ = Israel
https://www.irs.gov/ = USA
http://www.boi.org.il/en/ = Israel
https://www.federalreserve.gov/ = USA
http://www.space.gov.il/ = Israel
https://www.shabak.gov.il/ = Israel
The hackers aim to spread #OpUSA and #OpIsrael by defacing any .us and .il domains; they are using the hashtags #OpUSA, #OpIsrael and #FreedomInWorld to make it easy for sympathizers to see all the Anonymous posts on social media.
Anonymous shared the code for the main deface page for OpUSA – OpIsrael here: https://ghostbin.com/paste/o3o88
The dump leaked by Anonymous is circulating online; it is a huge trove of data apparently containing the names and email addresses of government employees and alleged Mossad agents.
More news about the campaign is expected to be published on the Cyberguerrilla website.
Orcus RAT Campaign Targets Bitcoin Investors
8.12.2017 securityweek Virus
In an attempt to benefit from the recent spike in the value of Bitcoin, the authors of a remote access Trojan have started targeting Bitcoin investors with their malicious software, Fortinet has discovered.
The attack starts with phishing emails marketing a relatively new Bitcoin trading bot application called "Gunbot" developed by GuntherLab or Gunthy. However, the email actually delivers the Orcus RAT to the Bitcoin investors instead.
The phishing emails contain a .ZIP attachment that includes a simple VB script designed to download a binary masquerading as a JPEG image file. According to Fortinet, the attackers made no attempt at hiding their intentions, either because they didn’t want to or because they lack the technical knowledge to do so.
The downloaded executable is a Trojanized version of an open source inventory system tool named TTJ-Inventory System. A hardcoded key is used to decrypt encoded code into another .NET PE executable that is loaded and executed directly to memory.
The malware ensures it is the only instance running on the infected machine by checking for the existence of a mutex named “dgonfUsV”.
Fortinet has discovered that the RunPE module can execute modules without writing them to disk, and can also run them under legitimate executables by starting applications in suspended mode and then replacing the process’ memory with the malicious code. The persistence watchdog keeps the malware running by repeatedly executing it.
Advertised as a Remote Administration Tool since early 2016, Orcus has all the features such an application should include, but can also load plugins and can execute C# and VB.net code on the remote machine in real-time.
“Basically, if a server component gets ‘installed’ to your system, the person on the other side is practically in front of your machine while seeing and hearing you at the same time – yes, it can activate your microphone and webcam even without you knowing,” Fortinet notes.
The threat can also disable the light indicator on webcams, meaning that it can be used to spy on users, can implement a watchdog that restarts the server component and can also trigger a Blue Screen of Death (BSOD) if the user attempts to kill its process.
The malware also includes password retrieval and key logging functionality, the same as other RATs out there. Orcus also offers a plugin that can be used to perform Distributed Denial of Service (DDoS) attacks.
During their analysis, the security researchers also noticed that the actors behind the attack made some changes to the contents of the site distributing the malware (bltcointalk.com, which attempts to imitate Bitcoin forum bitcointalk.org). They also removed the aforementioned image file from the site and posted a ZIP file instead.
Fortinet's security researchers also discovered additional websites that attempt to imitate legitimate domains by changing a single letter in the URL. Thus, they believe that the actor cycles between the websites when switching to a new campaign.
“In our investigation of Orcus RAT, we have again proven that its capabilities go beyond the scope of a harmless administration tool. Regardless of the developer’s claim and defense, the reality is that the application is being used in cybercrime campaigns,” Fortinet concludes.
NIST Publishes Second Draft of Cybersecurity Framework
8.12.2017 securityweek Safety
Framework for Improving Critical Infrastructure Cybersecurity 2.0
The National Institute of Standards and Technology (NIST) announced this week that it has published a second draft of a proposed update to the “Framework for Improving Critical Infrastructure Cybersecurity,” better known as the NIST Cybersecurity Framework.
Introduced in 2014, the framework is designed to help organizations, particularly ones in the critical infrastructure sector, manage cybersecurity risks. Some security firms and experts advise businesses to use the NIST Cybersecurity Framework as a best practice guide. Others, however, believe such static guidelines cannot keep up with the constantly evolving threat landscape, and malicious actors may even use it to devise their attack strategy.
The Cybersecurity Framework was developed based on an executive order issued by former U.S. president Barack Obama. A cybersecurity executive order issued by the current administration of Donald Trump also requires federal agencies and critical infrastructure operators to use the framework.
Nearly four years have passed since the Cybersecurity Framework was released and NIST is now working on an updated version. A first draft was released in January and a second draft was made available on December 5.
According to NIST, the second draft for version 1.1 of the Cybersecurity Framework “focuses on clarifying, refining, and enhancing the Framework – amplifying its value and making it easier to use.”
The second draft also comes with an updated roadmap that details plans for advancing the framework’s development process.
The modifications are based on 120 comments submitted in response to the first draft and discussions between 500 individuals who attended a workshop back in May.
Comments and feedback on the second Cybersecurity Framework draft can be sent to NIST (cyberframework(at)nist.gov) until January 19, 2018. The organization has fallen behind on the development of the updated framework – it had initially anticipated that the final V1.1 would be published this fall, but it now hopes to have it done in “early calendar year 2018.”
NIST is particularly interested in learning if the revisions in version 1.1 reflect the changes in the current cybersecurity ecosystem, and the impact of the updated version on organizations currently using version 1.0 of the framework.
Microsoft Patches Critical Vulnerability in Malware Protection Engine
8.12.2017 securityweek Vulnerability
Microsoft this week released an update for the Microsoft Malware Protection Engine (MPE) to address a critical remote code execution (RCE) vulnerability in it.
The flaw could lead to memory corruption and allow an attacker to execute arbitrary code to take control over a vulnerable machine. Discovered by UK's National Cyber Security Centre (NCSC), the bug is tracked as CVE-2017-11937.
Because code can be executed in the security context of the LocalSystem account, the attacker could take control of the system and install programs; view, change, or delete data; or create new accounts with full user rights.
Exploitation is possible if a specially crafted file is scanned by an affected version of the Microsoft Malware Protection Engine (the last vulnerable version is 1.1.14306.0).
There are multiple ways an actor could launch an attack leveraging the bug, Microsoft says. An attacker could lure the victim to a website containing the specially crafted file, or they could send the malicious file via email or instant messaging. They could also upload the file to a site that accepts or hosts user-provided content, or place it in a shared location.
“If the affected antimalware software has real-time protection turned on, the Microsoft Malware Protection Engine will scan files automatically, leading to exploitation of the vulnerability when the specially crafted file is scanned. If real-time scanning is not enabled, the attacker would need to wait until a scheduled scan occurs in order for the vulnerability to be exploited,” Microsoft explained.
The software giant also notes that all systems running an affected version of antimalware software are primarily at risk.
The company has issued an update to correct the manner in which the Microsoft Malware Protection Engine scans specially crafted files.
The update will be delivered automatically to the affected systems and no action is required of enterprise administrators or end users. The update should reach all impacted software within 48 hours of release.
Impacted products include Windows Defender on Windows 7 SP1, Windows 8.1, Windows RT 8.1, Windows 10 (RTM, 1511, 1607, 1703 and 1709), Windows Server 2016 and Windows Server version 1709, as well as Microsoft Forefront Endpoint Protection, Microsoft Exchange Server 2013 and 2016, Microsoft Security Essentials, and Windows Intune Endpoint Protection.
Microsoft Malware Protection Engine version 1.1.14405.2 resolves the vulnerability.
The Indian Intelligence warns China is spying through 42 mobile apps
8.12.2017 securityaffairs BigBrothers
The Indian Intelligence Bureau warns that China is spying on its troops through 42 mobile apps, and has asked soldiers to delete them.
The Indian Intelligence Bureau (IB) has warned that Chinese cyber spies are collecting confidential information about Indian security installations through popular mobile phone apps and devices.
The Intelligence Bureau issued an advisory to the troops posted at the international border.
Many Indian cybersecurity experts have raised concerns about the possible espionage attempts by the Chinese military intelligence agencies.
“According to reports, the advisory issued by the DIG (Intelligence) has directed the troops posted along the Line of Actual Control (LAC) to either delete a number of mobile applications from their smartphones or reformat the devices altogether to guard against online espionage attempts from across the border.” reported the website Zeenews.india.com.
The advisory includes a list of about 42 popular Chinese mobile apps, including WeChat, Truecaller, Weibo, UC Browser and UC News, that according to the Indian intelligence pose a serious threat to the security of the state.
Indian intelligence suspects that these apps transmit sensitive personal data to the Chinese government.
The fresh advisory was issued while the troops from both sides continue to maintain high alertness levels along the LAC.
The intelligence agencies regularly warn the armed forces to avoid using Chinese apps to avoid the leakage of confidential information to a hostile state like China.
The IAF, for example, advised its staff and their families to avoid using Chinese Xiaomi smartphones.
“The Army, as well as the central armed police forces like the Indo-Tibetan Border Police, are deployed along the 4,057km LAC, which stretches from Ladakh to Arunachal Pradesh.” continues the Zee Media Bureau.
“The IAF, for instance, had earlier asked all its officers and airmen as well as their families to avoid using Chinese Xiaomi smartphones and notebooks on the ground that they could transfer user data to remote servers located in China.”
The IB warning covers Chinese mobile apps for both Android and iOS.
The hacker who stole Uber's data was a 20-year-old from Florida
8.12.2017 Idnes.cz Crime
A 20-year-old from Florida was responsible for the massive data breach at Uber in October 2016. The company paid him to destroy the stolen information afterwards. The attempt to keep the incident secret cost Uber one hundred thousand dollars (over two million CZK). In the end, however, the company itself spoke up about the mishap.
In November, Uber announced that in October 2016 the data of a total of 57 million customers had been stolen, including their names, addresses, phone numbers and e-mail addresses.
The confession by the alternative taxi service also contained one interesting fact. The hacker who stole the information was paid 100,000 dollars (almost 2.2 million CZK) to destroy his loot, so that the whole incident would stay secret.
However, the company provided no details about the hacker or about how the money was paid. Only now has the Reuters agency uncovered the details. Three people connected with the affair confirmed to the agency that it was a 20-year-old man from Florida, who was paid through a "bug bounty" program that is normally used to uncover smaller weaknesses in code.
The program is primarily intended for security analysts, who are rewarded for flaws they find in the company's software, the three sources told Reuters. The agency was, however, unable to establish the hacker's identity.
Uber's new CEO, Dara Khosrowshahi, said in a statement on the breach that he had dismissed two senior employees of the security department who handled the incident in October 2016.
It is not clear who made the final decision to pay the hacker so that the breach would remain secret, but the sources cited by Reuters confirm that then-CEO Travis Kalanick knew about the incident and the subsequent payment.
Security Flaw Left Major Banking Apps Vulnerable to MiTM Attacks Over SSL
8.12.2017 thehackernews Vulnerability
A team of security researchers has discovered a critical implementation flaw in major mobile banking applications that left banking credentials of millions of users vulnerable to hackers.
The vulnerability was discovered by researchers of the Security and Privacy Group at the University of Birmingham, who tested hundreds of different banking apps—both iOS and Android—and found that several of them were affected by a common issue, leaving their users vulnerable to man-in-the-middle attacks.
The affected banking apps include those of HSBC, NatWest, Co-op, Santander, and Allied Irish Bank, all of which have been updated since the researchers reported the issue to them.
According to a research paper [PDF] published by researchers, vulnerable applications could have allowed an attacker, connected to the same network as the victim, to intercept SSL connection and retrieve the user's banking credentials, like usernames and passwords/pincodes—even if the apps are using SSL pinning feature.
SSL pinning is a security feature intended to prevent man-in-the-middle (MITM) attacks: instead of trusting every certification authority in the device's trust store, the app accepts only a specific certificate, or certificates chaining to a specific CA, for its servers.
When implemented correctly, SSL pinning neutralizes network-based attacks in which an attacker presents a valid certificate obtained from a rogue or compromised certification authority.
"If a single CA acted maliciously or were compromised, which has happened before, valid certificates for any domain could be generated allowing an attacker to Man-in-the-Middle all apps trusting that CA certificate," the researchers wrote in their paper.
However, verifying an SSL connection has two key parts: the first (authentication) is to check that the certificate chains to a trusted source, and the second (authorization) is to check that the leaf certificate presented was actually issued for the server you intend to reach.
Researchers found that several banking applications performed the first check but skipped the second: because they lacked hostname verification, any certificate issued by the pinned CA, for any domain, was accepted.
Verifying the hostname means confirming that the hostname in the URL the banking app connects to matches a name in the digital certificate that the server sends back as part of the SSL handshake.
"TLS misconfiguration vulnerabilities are clearly common; however none of the existing frameworks will detect that a client pins a root or intermediate certificate, but fails to check the hostname in the leaf," the paper reads.
Besides this issue, the researchers also detailed an "in-app phishing attack" affecting Santander and Allied Irish Banks, which could have allowed attackers to hijack part of the victim's screen while the app was running and use it to phish for the victim's login credentials.
To test hundreds of banking apps for this vulnerability quickly, and without purchasing certificates, the researchers created an automated tool dubbed Spinner.
Spinner queries the Censys internet-wide scan search engine to find certificate chains for alternate hosts that share the target's CA chain and differ only in the leaf certificate.
"Given the certificate for a target domain, the tool queries for certificate chains for alternate hosts that only differ in the leaf certificate. The tool then redirects the traffic from the app under test to a website which has a certificate signed by the same CA certificate, but of course a different hostname (Common Name)," the researchers explain.
"If the connection fails during the establishment phase then we know the app detected the wrong hostname. Whereas, if the connection is established and encrypted application data is transferred by the client before the connection fails then we know the app has accepted the hostname and is vulnerable."
The trio, Chris McMahon Stone, Tom Chothia, and Flavio D. Garcia, worked with the National Cyber Security Centre (NCSC) to notify all affected banks, which then resolved the issues before they publicly disclosed their research this week.
Microsoft Issues Emergency Windows Security Update For A Critical Vulnerability
8.12.2017 thehackernews Vulnerability
If your computer is running Microsoft's Windows operating system, then you need to apply this emergency patch immediately. By immediately, I mean now!
Microsoft has just released an emergency security patch to address a critical remote code execution (RCE) vulnerability in its Malware Protection Engine (MPE) that could allow an attacker to take full control of a victim's PC.
Enabled by default, Microsoft Malware Protection Engine offers the core cybersecurity capabilities, like scanning, detection, and cleaning, for the company's antivirus and antimalware programs in all of its products.
According to Microsoft, the vulnerability affects a large number of Microsoft security products, including Windows Defender and Microsoft Security Essentials along with Endpoint Protection, Forefront Endpoint Protection, and Exchange Server 2013 and 2016, impacting Windows 7, Windows 8.1, Windows 10, Windows RT 8.1, and Windows Server.
Tracked as CVE-2017-11937, the vulnerability is a memory corruption issue which is triggered when the Malware Protection Engine scans a specially crafted file to check for any potential threat.
Flaw Lets Hackers Take Full Control of Your Computer
Successful exploitation of the flaw could allow a remote attacker to execute malicious code in the security context of the LocalSystem account and take control of the target's computer.
Microsoft said an attacker could place a specially crafted malicious file in a location that is scanned by the Malware Protection Engine to exploit the memory corruption flaw which eventually leads to remote code execution.
"There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine. For example, an attacker could use a website to deliver a specially crafted file to the victim's system that is scanned when the website is viewed by the user," the report from Microsoft explained.
Other ways to deliver a specially crafted file could be via emails or Instant Messenger services. The attacker could also "take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server," the report said.
Patch! Patch! Patch!
Microsoft assured its customers that the vulnerability was fixed before any misuses in the wild.
The company has released an out-of-band critical update for the flaw and advised users to install it as soon as possible. Most home users and many enterprise customers will get the emergency patch automatically over the air.
The security vulnerability was discovered and reported to Microsoft by the UK's National Cyber Security Centre (NCSC), a cyber defense organization of Britain's signals intelligence and cybersecurity agency, known as GCHQ.
The emergency fix comes just days before Microsoft is scheduled to roll out its December Patch Tuesday updates.
Rockwell Automation Patches Serious Flaw in FactoryTalk Product
8.12.2017 securityweek Vulnerability
ICS-CERT informed organizations this week that Rockwell Automation has patched a high severity denial-of-service (DoS) vulnerability in one of its FactoryTalk products.
The vulnerability affects version 2.90 and earlier of FactoryTalk Alarms and Events (FTAE), a FactoryTalk Services Platform component installed by the Studio 5000 Logix Designer PLC programming and configuration tool, and the FactoryTalk View SE HMI software.
FTAE provides a consistent view of alarms and events via a View SE HMI system. The product is used worldwide in sectors such as critical infrastructure, entertainment, automotive, food and beverage, and water and wastewater.
The security hole, reported to Rockwell Automation by an unnamed company in the oil and gas sector, is tracked as CVE-2017-14022 and it has been assigned a CVSS score of 7.5. It allows an unauthenticated attacker with remote access to the product to cause its history archiver service to stall or terminate by sending specially crafted packets to TCP port 403.
“The history archiver service of FactoryTalk Alarms and Events is used to archive alarms and events to a Microsoft SQL Server database. Disrupting this capability can result in a loss of information, the criticality of which depends on the type of environment that the product is used in. The service must be restarted in order to restore operation,” Rockwell Automation said in an advisory published last month.
The vulnerability was addressed with the release of a patch for FactoryTalk Alarms and Events 2.90. Users of version 2.81 and earlier have been advised to update to version 2.90 and then apply the patch.
Alternatively, attacks can be mitigated by blocking TCP port 403. This port is typically used by the historian service to log alarms and events to a specified SQL Server database. If the historian and the FTAE services run on the same machine, port 403 is not needed, because the information is logged to the local host. If the two services are on different machines, port 403 is required and this mitigation cannot be applied.
Fighting Back Against the Cyber Mafia
8.12.2017 securityweek CyberCrime
Four distinct groups of cybercriminals have emerged, serving as the new syndicates of cybercrime: traditional gangs, state-sponsored attackers, ideological hackers and hackers-for-hire. This is the central thesis of a new report titled 'The New Mafia: Gangs and Vigilantes'. In this report, the gangs are the criminals and the vigilantes are consumers and businesses -- and the vigilantes are urged to 'fight back'.
The report (PDF) is compiled by endpoint protection firm Malwarebytes. It is designed to explain the evolution of cybercrime from its earliest, almost innocuous, beginnings to the currently dangerous 'endemic global phenomenon'; and to suggest to consumers and businesses they don't need to simply accept the current state. They can fight back.
Fighting back, however, is not hacking back -- or in the more politically acceptable euphemism, active defense.
"This is not what was meant in our report," Jerome Segura, Malwarebytes' lead malware intelligence analyst told SecurityWeek. "Fighting back means being proactive and reporting scams or malware in order to help out the community at large. We need users to leverage their experiences in order to gain insights into the criminal rings operating with impunity."
The report explains the evolution and operational context of the four 'mafia' gangs. It should be noted, however, that this is a broad brush view -- the lines of distinction between the different groups is often and increasingly blurred.
Traditional gangs co-opt hackers-for-hire and are behind cybercrime-as-a-service. State actors can sub-contract traditional gangs to preserve plausible deniability. And state actors and law enforcement are not above using hacktivists for their own ends; for example, the FBI's alleged use of Hector Monsegur (aka Sabu), during and after the LulzSec hack of Stratfor in 2011, to convict Jeremy Hammond.
Traditional gangs "have taken the motivations and acts of traditional organized crime gangs, theft and the sale of drugs, guns and stolen goods, to the online world." This is organized cybercrime: organized street crime co-opting tech savvy hackers. "The people at the top may be the same individuals leading drug cartels or pre-existing gangs," suggests the report; "or new kingpins that have risen to the top of organizations as the internet has grown." These people remain invisible -- if anything, it is the hackers who get caught.
State-sponsored attackers are not new, but have become more active, more subtle and more destructive in recent years. "Russian interference in the US Election and widespread hacks from North Korea are prominent examples," says the report. But it is not limited to 'rogue' states. Stuxnet "was deployed by Western nations to cause Iran's nuclear centrifuges to spin too quickly, destroying the centrifuges, and infecting 200,000 computers." The effect of state-sponsored hacking could "suggest a potential blurring of the distinction between cybercrime and cyberwarfare."
Ideological hackers are more commonly called hacktivists -- and perhaps Anonymous is the best known instance. But it is a much wider concern. Russian President Vladimir Putin suggested that Russian ideological hackers could have been behind the DNC hacks. Edward Snowden would be classified as an ideological hacker. "In this context," warn the report's authors, "groups at political extremes are more likely to firstly, disagree ideologically with political and business developments and secondly, attack the online presences of those they disagree with."
The fourth 'gang', hackers-for-hire, is in part the personification of the evolving service economy for cybercrime services. Ransomware-as-a-service is a visible and virulent example. "Interestingly," say the authors, hackers-for-hire "operate in a highly retail-oriented manner with an emphasis on customer service and reliability." This is also the area of cybercrime that particularly worries Steve Durbin, managing director of the Information Security Forum. His concern is that cybercrime-as-a-service is introducing a large-scale, unpredictable element of almost script-kiddie wannabes -- the opposite, in fact, of 'organized crime'.
The Malwarebytes authors hope that by understanding the nature of cybercrime and cybercriminals, the fear-factor can be removed from consumers and businesses. Just as the criminals have become very organized in their sharing of information on the dark web, Malwarebytes believes that law-abiding citizens can fight back "by sharing their collective experiences to build knowledge and awareness. Creating an environment where the risks are better communicated and understood will enable individuals and businesses alike to better identify and ward off threats."
This proposal is not, however, limited to sharing information between businesses, and between business and government. The key is a better communication of risk within each organization. Underlying this is the need for business leaders to recognize that cybercrime is also a business, and not just a technological issue. This does not yet seem to be happening.
The report's authors point to the disparity between business leaders' perception of cybercrime, and their technologists' perception. According to PwC's global economic crime survey, say the authors, 74% of surveyed business stakeholders reported that they were not, or did not know if they were, victims of cybercrime. Malwarebytes' own research concentrating on technologists, however, indicated that less than 35% had not experienced cybercrime. The implication is that business leaders are still unaware of the extent of cybercrime even within their own organizations, and therefore unaware of the need to more proactively defend their business.
Malwarebytes believes that with better business understanding of the threat posed by cybercrime, and better sharing of threat information within and between businesses, consumers and government, the fight against cybercrime and cybercriminals will be strengthened.
"Knowledge, awareness and intelligence are our best weapons against the new gangs of cybercrime," says the report. "Given the fragmented, global nature of cybercrime, individuals and businesses have to play an important role alongside law enforcement agencies, governments and other bodies in thwarting this activity."
Marcin Kleczynski, CEO of Malwarebytes, summarizes, "Through greater vigilance and a comprehensive understanding of the cybercrime landscape, businesses can support the efforts of legislators and law enforcement, while also taking action into their own hands."
Malwarebytes raised $50 million in a Series B funding round from Fidelity Management and Research Company in January 2016.
CVE-2017-11937 | Microsoft releases an emergency update to fix a flaw in Malware Protection Engine
8.12.2017 securityaffairs Vulnerability
Microsoft issued an emergency Windows Security Update to address a critical flaw, tracked as CVE-2017-11937, that affects the Malware Protection Engine.
Microsoft issued an emergency Windows Security Update to address a critical vulnerability, tracked as CVE-2017-11937, that affects the Malware Protection Engine (MPE).
The emergency fix comes a few days before Microsoft is scheduled to roll out its December Patch Tuesday updates.
The critical RCE flaw could be exploited by an attacker to take full control of a victim's PC. The Malware Protection Engine (MPE) is the core scanning component of Microsoft's antimalware products and implements their basic features: scanning, detection, and cleaning.
The Malware Protection Engine is enabled by default and is used by Microsoft's antivirus and antimalware software, including Windows Defender and Microsoft Security Essentials, as well as Endpoint Protection, Forefront Endpoint Protection, and Exchange Server 2013 and 2016, impacting Windows 7, Windows 8.1, Windows 10, Windows RT 8.1, and Windows Server.
The CVE-2017-11937 flaw is a memory corruption vulnerability that is triggered when the Malware Protection Engine scans a specially crafted file for malicious code.
By triggering the flaw, the attacker can execute code in the security context of the LocalSystem account and take full control of the target's computer, which means they could install further malicious code and create accounts with full user rights.
“A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the security advisory published by Microsoft.
“To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine.”
To trigger the flaw, a remote attacker only needs to place a specially crafted file in a location that is scanned by the Malware Protection Engine, and there are many ways to do that. An attacker could, for example, set up a website that delivers a specially crafted file which is scanned when the victim views the site.
Email is another attack vector: the attacker could deliver the specially crafted file as an attachment, and Instant Messenger services could be abused for the same purpose.
“There are many ways that an attacker could place a specially crafted file in a location that is scanned by the Microsoft Malware Protection Engine.” continues Microsoft.
“For example, an attacker could use a website to deliver a specially crafted file to the victim’s system that is scanned when the website is viewed by the user. An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.”
Microsoft has released an out-of-band critical update to address the vulnerability and is urging users to install it as soon as possible.
For enterprise deployments as well as end users, the default configuration of Microsoft's antimalware software ensures that malware definitions and the Microsoft Malware Protection Engine are kept up to date automatically, so no manual action should be required.
The critical CVE-2017-11937 vulnerability was reported to Microsoft by the UK’s National Cyber Security Centre (NCSC), a division of the UK GCHQ intelligence agency.
Microsoft assured that the vulnerability was not exploited in attacks in the wild.
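The three items above on CVE-2017-11937 give the two numbers an administrator actually needs: the last vulnerable engine build, 1.1.14306.0, and the fixed build, 1.1.14405.2. The following is an added example (not Microsoft's code) that triages a fleet against those numbers. The inventory lines are constructed sample data shaped like `Get-MpComputerStatus | Select-Object AMEngineVersion` output gathered from several hosts; the host names are made up.

```python
"""Triage Microsoft Malware Protection Engine versions against CVE-2017-11937.

Added example, not Microsoft's code. LAST_VULNERABLE and FIXED_IN are the
engine versions quoted in the advisory coverage above; SAMPLE_INVENTORY is
constructed data in the form "hostname<TAB>AMEngineVersion".
"""
import re
from typing import Dict, List, Tuple

LAST_VULNERABLE = "1.1.14306.0"   # last affected engine build (from the advisory)
FIXED_IN = "1.1.14405.2"          # engine build that resolves CVE-2017-11937


def parse_version(v: str) -> Tuple[int, ...]:
    """'1.1.14405.2' -> (1, 1, 14405, 2).

    Versions must be compared numerically per component: a plain string
    comparison would rank '1.1.9...' above '1.1.14405...'.
    """
    if not re.fullmatch(r"\d+(\.\d+)*", v):
        raise ValueError(f"not a dotted version string: {v!r}")
    return tuple(int(part) for part in v.split("."))


def classify(engine_version: str) -> str:
    """Return 'patched', 'vulnerable' or 'unknown' for one engine version."""
    ver = parse_version(engine_version)
    if ver >= parse_version(FIXED_IN):
        return "patched"
    if ver <= parse_version(LAST_VULNERABLE):
        return "vulnerable"
    # Builds between the last listed vulnerable version and the fix are not
    # named in the advisory; report them rather than silently assuming safe.
    return "unknown"


# Constructed sample inventory (hostname<TAB>AMEngineVersion), not real hosts.
SAMPLE_INVENTORY = """\
ws-01\t1.1.14306.0
ws-02\t1.1.14405.2
ws-03\t1.1.14104.0
ex-01\t1.1.14405.2
ws-04\tnot-installed
"""


def triage(inventory: str) -> Dict[str, List[str]]:
    """Group hosts by patch status; hosts with unparsable versions go to 'error'."""
    groups: Dict[str, List[str]] = {"patched": [], "vulnerable": [], "unknown": [], "error": []}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, _, version = line.partition("\t")
        try:
            groups[classify(version.strip())].append(host.strip())
        except ValueError:
            groups["error"].append(host.strip())
    return groups


if __name__ == "__main__":
    for status, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{status:10s} {', '.join(hosts) or '-'}")
```

On a real fleet the second column would come from `Get-MpComputerStatus` on Windows Defender hosts; hosts that report an error (no engine, or a product that exposes the version differently, such as Exchange) need a manual look rather than being counted as safe.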
OpenSSL patches for the fourth time in 2017 its library, and it will likely be the last one
8.12.2017 securityaffairs Vulnerability
The OpenSSL Project released the OpenSSL 1.0.2n version that addresses two vulnerabilities discovered by the Google researcher David Benjamin.
Benjamin discovered the vulnerabilities using the OSS-Fuzz fuzzing service.
The first “moderate severity” issue, tracked as CVE-2017-3737, is related to an “error state” mechanism implemented since OpenSSL 1.0.2b.
“OpenSSL 1.0.2 (starting from version 1.0.2b) introduced an “error state” mechanism. The intent was that if a fatal error occurred during a handshake then OpenSSL would move into the error state and would immediately fail if you attempted to continue the handshake.” reads the security advisory.
“This works as designed for the explicit handshake functions (SSL_do_handshake(), SSL_accept() and SSL_connect()), however due to a bug it does not work correctly if SSL_read() or SSL_write() is called directly.”
“If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer,” OpenSSL said in its advisory.
The flaw has been rated "moderate severity" because the targeted application would itself need to contain a bug that makes it call SSL_read() or SSL_write() after a fatal handshake error.
The issue was reported to OpenSSL on 10 November 2017 by David Benjamin, who also proposed the fix; it was implemented by Matt Caswell of the OpenSSL project.
The second flaw, tracked as CVE-2017-3738, is an overflow bug that could in principle let an attacker recover private key material and thereby access TLS-protected communications. It was rated "low severity" because it is very difficult to trigger in a real attack scenario.
“There is an overflow bug in the AVX2 Montgomery multiplication procedure used in exponentiation with 1024-bit moduli. No EC algorithms are affected. Analysis suggests that attacks against RSA and DSA as a result of this defect would be very difficult to perform and are not believed likely.” continues the advisory. “Attacks against DH1024 are considered just feasible, because most of the work necessary to deduce information about a private key may be performed offline. The amount of resources required for such an attack would be significant.”
OSS-Fuzz also allowed Google researchers to find two earlier vulnerabilities in OpenSSL this year, tracked as CVE-2017-3736 and CVE-2017-3732 and rated low and moderate severity, the former in early November.
This is the fourth OpenSSL security update in 2017, and it will likely be the last one.
NiceHash: security breach leads to 60 million lost – Iceman is behind?
8.12.2017 securityaffairs Incident
NiceHash has been hacked: roughly $60 million (4,736.42 BTC) has been stolen, just as bitcoin crosses the $14k mark for the first time.
A dark day for cryptocurrency miners: NiceHash has been hacked. Close to $60 million (4,736.42 BTC) has been stolen while bitcoin is crossing the $14k mark for the first time.
The hacker's bitcoin address clearly shows the theft of 4,736.42 BTC within a window of 48 hours: https://bitinfocharts.com/bitcoin/address/1EnJHhq8Jq8vDuZA5ahVh6H4t6jh1mB4rq
NiceHash users are furious at the team's reaction time. It took about 24 hours to realize that large amounts had been stolen.
I've contacted a member of Iceman who, knowing about this security breach for some reason, explained that NiceHash actually owned their users' bitcoin wallets in order to save transaction fees and collect unclaimed BTC. This issue led to a massive security breach which allowed access to all NiceHash wallets. He claimed that by reverse engineering their miner client, the Iceman group was able to access their API.
Is Iceman really behind this attack?
About the Author: Marc Miller
Marc Miller is a web journalist, focused on cybercrime.
He started a blog called: THE PURPLE HAT – Cyber Gangs NAKED, dedicated to exposing the methods and works of cybercrime gangs such as “CARBANAK” or similar sophisticated syndicated Cybercrime organizations.
In the past, he worked as a web front-end programmer. He is also passionate about hardware, hacking, security and marketing.
Major Banking Applications were found vulnerable to MiTM attacks over SSL
8.12.2017 securityaffairs Mobile
Security experts discovered a critical vulnerability in major mobile banking applications that left banking credentials vulnerable to hackers.
A group of security researchers has discovered a critical vulnerability in major mobile banking applications that left banking credentials vulnerable to hackers.
The vulnerability was discovered by researchers of the Security and Privacy Group at the University of Birmingham, who analyzed hundreds of iOS and Android banking apps.
The experts discovered that several of them were vulnerable to man-in-the-middle attacks.
The list of affected banking apps includes Allied Irish bank, Co-op, HSBC, NatWest, and Santander.
An attacker on the same network segment as the victim could intercept the SSL connection and retrieve the user's banking credentials even if the app uses SSL pinning.
SSL pinning provides an additional level of protection against man-in-the-middle attacks: the app accepts only a specific certificate, or a chain leading to a specific CA, for its servers, so an interception proxy presenting a certificate from some other CA in the device's trust store is rejected.
“If a single CA acted maliciously or were compromised, which has happened before (see e.g. DigiNotar in 2011 ), valid certificates for any domain could be generated allowing an attacker to Man-in-the-Middle all apps trusting that CA certificate.” states the research paper.
Researchers found that the apps were vulnerable to MITM attacks because the authentication step was implemented only in part: the apps verified that the certificate chain led to the pinned CA, but they lacked hostname verification, so they never checked that the leaf certificate had been issued for the server they intended to reach.
In other words, the apps failed to check that the hostname in the URL they connect to matches the hostname in the digital certificate that the server presents.
“Automated tools do exist to test a variety of TLS flaws. Lack of certificate signature verification can be tested for by serving the client a self-signed certificate, lack of hostname verification by serving a valid certificate for a different hostname, and lack of certificate pinning can be checked for by adding a custom CA to the device’s trust store. ” continues the paper.
“These tests have been shown to be effective at finding vulnerabilities in apps and poor TLS certificate validation. However, none of these tools can detect the possibility that an app will pin to the root or intermediate certificate used but fail to validate the hostname.”
The experts created a new automated tool, dubbed Spinner, to test hundreds of banking apps quickly and without having to purchase certificates.
The tool uses the Censys IoT search engine to find certificate chains for alternate hosts that differ only in the leaf certificate.
“Given the certificate for a target domain, the tool queries for certificate chains for alternate hosts that only differ in the leaf certificate. The tool then redirects the traffic from the app under test to a website which has a certificate signed by the same CA certificate, but of course a different hostname (Common Name),” continues the paper.
“If the connection fails during the establishment phase then we know the app detected the wrong hostname. Whereas, if the connection is established and encrypted application data is transferred by the client before the connection fails then we know the app has accepted the hostname and is vulnerable.”
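The distinction the paper draws, between an app that pins to a CA and an app that also verifies the hostname, is easy to reproduce offline. The following is an added example written for this write-up; it is not code from the Birmingham paper or from the Spinner tool. It implements RFC 6125-style matching of a hostname against a certificate's subjectAltName entries, then models the Spinner test from the quote above: a certificate for an alternate host signed by the same CA is offered to an app that pins that CA. The certificates are constructed dicts in the shape Python's `ssl.SSLSocket.getpeercert()` returns (only the fields used here are modelled), and the pin check is a deliberately simplified stand-in that compares the issuer's commonName.

```python
"""Hostname verification versus certificate pinning (added example, runs offline)."""
import ssl


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName pattern against a hostname (RFC 6125 rules)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the entire leftmost label, with at least two more
    # labels after it, so "*.com" can never match every host under .com.
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # A wildcard covers exactly one label: *.example.com matches
    # api.example.com but neither example.com nor a.b.example.com.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]


def hostname_is_valid_for_cert(cert: dict, hostname: str) -> bool:
    """Consult only subjectAltName dNSName entries; the legacy fallback to the
    subject commonName is intentionally not implemented."""
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(dns_name_matches(san, hostname) for san in sans)


def chain_matches_pin(cert: dict, pinned_issuer: str) -> bool:
    """Toy pin check (assumption): the pin is the issuing CA's commonName."""
    issuer = dict(field for rdn in cert["issuer"] for field in rdn)
    return issuer.get("commonName") == pinned_issuer


def app_accepts_server(cert: dict, expected_host: str, pinned_issuer: str,
                       checks_hostname: bool) -> bool:
    """Model of an app's TLS validation: pin check always, hostname check only
    when checks_hostname is True. checks_hostname=False is the flaw described."""
    if not chain_matches_pin(cert, pinned_issuer):
        return False
    if checks_hostname and not hostname_is_valid_for_cert(cert, expected_host):
        return False
    return True


# Constructed certificates: same (fictional) issuing CA, different leaf hostnames,
# mirroring the Spinner test of an alternate host that differs only in the leaf.
BANK_CERT = {
    "issuer": ((("countryName", "GB"),), (("commonName", "Example Root CA"),)),
    "subject": ((("commonName", "bank.example.com"),),),
    "subjectAltName": (("DNS", "bank.example.com"), ("DNS", "www.bank.example.com")),
}
ALT_CERT = {
    "issuer": ((("countryName", "GB"),), (("commonName", "Example Root CA"),)),
    "subject": ((("commonName", "shop.example.net"),),),
    "subjectAltName": (("DNS", "shop.example.net"),),
}


def spinner_style_test(pinned_issuer: str = "Example Root CA"):
    """Offer the alternate-host certificate to a pin-only app and to a fixed app.
    Returns (accepted_by_flawed_app, accepted_by_fixed_app)."""
    flawed = app_accepts_server(ALT_CERT, "bank.example.com", pinned_issuer, checks_hostname=False)
    fixed = app_accepts_server(ALT_CERT, "bank.example.com", pinned_issuer, checks_hostname=True)
    return flawed, fixed


def weak_context() -> ssl.SSLContext:
    """What the bug looks like in a real client: chain verified, hostname ignored."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # the mistake: pinning/chain checks alone
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """The corrected client: the default context verifies chain and hostname."""
    ctx = ssl.create_default_context()
    return ctx


if __name__ == "__main__":
    print("alternate-host cert accepted (flawed, fixed):", spinner_style_test())
```

In the model, `spinner_style_test()` returns `(True, False)`: the pin-only app completes the handshake with a certificate for `shop.example.net` because the issuer matches, which is exactly the "encrypted application data is transferred before the connection fails" outcome the paper describes, while the app that also checks the hostname refuses it.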
With the help of the National Cyber Security Centre (NCSC), the researchers notified all affected banks, which addressed the issues before the findings were publicly disclosed.
Organizations Getting Better at Detecting Breaches: Report
8.12.2017 securityweek Virus
Organizations have become slightly better at detecting cyber intrusions, but malicious actors are constantly working on improving their tactics and techniques, according to CrowdStrike’s 2017 Cyber Intrusion Services Casebook.
The report is based on data collected by the security firm from more than 100 investigations. Four of these cases are analyzed in detail in the report, including a SamSam ransomware attack on a commercial services organization, a cybercrime operation aimed at a manufacturer’s e-commerce application, a PoS malware incident targeting a large retailer, and a NotPetya infection.
CrowdStrike has determined that organizations continue to improve their ability to detect intrusions on their own. The percentage of firms that self-detected a breach increased to 68 percent, up from 57 percent in the previous year.
As for dwell time, which is the number of days between the initial intrusion and detection, the average has decreased slightly to 86 days. CrowdStrike pointed out that it still takes some organizations as much as 800 to 1,000 days to detect a breach, but these cases are an exception.
“Regardless of dwell time duration, automated systems may eventually detect an intrusion, but by the time human staff is alerted and aware it’s often too late: the attackers must be stopped before they can achieve their objectives,” CrowdStrike said in its report.
Of the attacks analyzed by CrowdStrike, the most prevalent were aimed at stealing intellectual property, stealing money, stealing personally identifiable information (PII), and ransom or extortion.
In more than one-third of attacks, hackers gained access to the targeted organization’s systems using web server, web application or web shell exploits, or file uploaders. Other commonly seen attack vectors were remote access via RDP or VPN (23%), supply chain compromise (12%), social engineering and phishing (11%), and cloud-based service exploits (11%).
Roughly two-thirds of the attacks analyzed by the security firm were fileless – they involved malicious code being written to and executed from memory, harvesting credentials via phishing or social engineering, remote logins via stolen credentials, and exploits targeting web applications.
CrowdStrike also noticed that tactics and techniques typically used by nation-state actors have been increasingly leveraged by cybercrime groups.
“These include fileless malware and ‘living off the land’ techniques involving processes native to the Windows operating system, such as PowerShell and WMI (Windows Management Instrumentation),” CrowdStrike said. “Many also employ anti-forensics tools and methods in an effort to erase signs of their presence and increase dwell time. Brute-force attacks on RDP (remote desktop protocol) servers are also prevalent in these cases.”
Attackers are also increasingly turning to self-propagating malware, particularly ransomware such as the notorious WannaCry. These attacks often succeed because organizations fail to update critical systems and to deploy comprehensive security technologies.
Process Doppelgänging: New Malware Evasion Technique Works On All Windows Versions
8.12.2017 thehackernews Virus
A team of security researchers has discovered a new malware evasion technique that could help malware authors defeat most of the modern antivirus solutions and forensic tools.
Dubbed Process Doppelgänging, the new fileless code injection technique takes advantage of a built-in Windows function and an undocumented implementation of Windows process loader.
Ensilo security researchers Tal Liberman and Eugene Kogan, who discovered the Process Doppelgänging attack, presented their findings today at Black Hat 2017 Security conference held in London.
Process Doppelgänging Works on All Windows Versions
Apparently, Process Doppelgänging attack works on all modern versions of Microsoft Windows operating system, starting from Windows Vista to the latest version of Windows 10.
Tal Liberman, the head of the research team at enSilo, told The Hacker News that this malware evasion technique is similar to Process Hollowing—a method first introduced years ago by attackers to defeat the mitigation capabilities of security products.
In Process Hollowing attack, hackers replace the memory of a legitimate process with a malicious code so that the second code runs instead of the original, tricking process monitoring tools and antivirus into believing that the original process is running.
Since all modern antivirus and security products have been upgraded to detect Process Hollowing attacks, use of this technique is not a great idea anymore.
On the other hand, Process Doppelgänging is an entirely different approach to achieve the same, by abusing Windows NTFS Transactions and an outdated implementation of Windows process loader, which was originally designed for Windows XP, but carried throughout all later versions of Windows.
Here's How the Process Doppelgänging Attack Works:
Before going further into how this new code injection attack works, you need to understand what an NTFS Transaction is and how an attacker could leverage it to hide malicious actions.
NTFS Transaction is a feature of Windows that brings the concept of atomic transactions to the NTFS file system, allowing files and directories to be created, modified, renamed, and deleted atomically.
NTFS Transaction is an isolated space that allows Windows application developers to write file-output routines that are guaranteed to either succeed completely or fail completely.
According to the researchers, Process Doppelgänging is a fileless attack that works in four major steps:
Transact—open a legitimate executable inside an NTFS transaction and then overwrite it with a malicious file.
Load—create a memory section from the modified (malicious) file.
Rollback—roll back the transaction (deliberately failing it), which removes all changes to the legitimate executable as if they had never existed.
Animate—bring the doppelgänger to life. Use the older implementation of the Windows process loader to create a process from the memory section created in step 2, which is malicious and was never saved to disk, "making it invisible to most recording tools such as modern EDRs."
Process Doppelgänging Evades Detection from Most Antiviruses
Liberman told The Hacker News that during their research they tested their attack against security products from Windows Defender, Kaspersky Lab, ESET NOD32, Symantec, Trend Micro, Avast, McAfee, AVG, Panda, and even advanced forensic tools.
In order to demonstrate, the researchers used Mimikatz, a post-exploitation tool that helps extract credentials from the affected systems, with Process Doppelgänging to bypass antivirus detection.
When the researchers ran Mimikatz normally on a Windows system, the Symantec antivirus solution caught the tool immediately, as shown below:
However, Mimikatz ran stealthy, without antivirus displaying any warning when executed using Process Doppelgänging, as shown in the image at top of this article.
Liberman also told us that Process Doppelgänging works on even the latest version of Windows 10, except Windows 10 Redstone and Fall Creators Update, released earlier this year.
But due to a different bug in Windows 10 Redstone and Fall Creators Update, using Process Doppelgänging causes BSOD (blue screen of death), which crashes users' computers.
Ironically, the crash bug was patched by Microsoft in later updates, allowing Process Doppelgänging to run on the latest versions of Windows 10.
I don't expect Microsoft to rush for an emergency patch that could make some software relying on older implementations unstable, but Antivirus companies can upgrade their products to detect malicious programs using Process Doppelgänging or similar attacks.
This is not the first time enSilo researchers have discovered a malware evasion technique. Previously they discovered and demonstrated the AtomBombing technique, which also abused a design weakness in the Windows OS.
In September, enSilo researchers also disclosed a 17-year-old programming error in Microsoft Windows kernel that prevented security software from detecting malware at runtime when loaded into system memory.
Massive Breach Exposes Keyboard App that Collects Personal Data On Its 31 Million Users
8.12.2017 thehackernews Mobil
In the digital age, one of the most popular sayings is—if you're not paying, then you're not the customer, you're the product.
When downloading apps onto their smartphones, most users may not realize how much data those apps collect about them.
Believe me; it’s way more than you can imagine.
Nowadays, many app developers are following irresponsible practices that are worth understanding, and we don't have a better example than this newly-reported incident about a virtual keyboard app.
A team of security researchers at the Kromtech Security Center has discovered a massive trove of personal data belonging to more than 31 million users of the popular virtual keyboard app, AI.type, accidentally leaked online for anyone to download without requiring any password.
Founded in 2010, Ai.type is a customizable and personalizable on-screen keyboard for mobile phones and tablets, with more than 40 million users worldwide.
Apparently, a misconfigured MongoDB database owned by the Tel Aviv-based startup AI.type exposed the company's entire 577 GB database online, including a shocking amount of sensitive details about its users that are not even necessary for the app to work.
"...they appear to collect everything from contacts to keystrokes."
The leaked database of over 31 million users includes:
Full name, phone number, and email address
Device name, screen resolution and model details
Android version, IMSI number, and IMEI number
Mobile network name, country of residence and even user enabled languages
IP address (if available), along with GPS location (longitude/latitude).
Links and the information associated with the social media profiles, including birth date, emails, photos.
"When researchers installed Ai.Type they were shocked to discover that users must allow 'Full Access' to all of their data stored on the testing iPhone, including all keyboard data past and present," the researchers say.
Moreover, the leaked database also reveals that the virtual keyboard app is stealing users' contact books, including the contacts' names and phone numbers—and has already scraped more than 373 million records.
"There was a range of other statistics like the most popular users’ Google queries for different regions. Data like average messages per day, words per message, the age of users, words_per_day': 0.0, 'word_per_session and a detailed look at their customers," the researchers say.
Researchers go on to raise the question of "why would a keyboard and emoji application need to gather the entire data of the user's phone or tablet?"
Even the recent data breaches have taught us that once our personal data gets in the hands of cybercriminals, it makes us vulnerable forever.
Therefore, the best defense to protect yourself is always—awareness.
New TeamViewer Hack Could Allow Clients to Hijack Viewers' Computer
8.12.2017 thehackernews Hacking
Do you have remote support software TeamViewer installed on your desktop?
If yes, then you should pay attention to a critical vulnerability discovered in the software that could allow users sharing a desktop session to gain complete control of the other's PC without permission.
TeamViewer is a popular remote-support software that lets you securely share your desktop or take full control of other's PC over the Internet from anywhere in the world.
For a remote session to work, both computers—the client (presenter) and the server (viewer)—must have the software installed, and the client has to share a secret authentication code with the person with whom he wants to share his desktop.
However, a GitHub user named "Gellin" has disclosed a vulnerability in TeamViewer that could allow the client (sharing its desktop session) to gain control of the viewer's computer without permission.
TeamViewer Hack Could Be Used By Anyone—Server Or Client
Gellin has also published a proof-of-concept (PoC) code, which is an injectable C++ DLL, which leverages "naked inline hooking and direct memory modification to change TeamViewer permissions."
The injectable C++ DLL (hack) can be used by both the client and the server, with the following results:
If exploited by the Server—the hack allows viewers to enable "switch sides" feature, which is only active after the server authenticated control with the client, eventually allowing the server to initiate a change of control/sides.
If exploited by the Client—the hack allows the client to take control of the mouse and keyboard of the server "with disregard to servers current control settings and permissions."
This vulnerability impacts TeamViewer versions running on Windows, macOS as well as Linux machines.
A Reddit user, "xpl0yt," who first publicized this vulnerability, claimed to have been in contact with the TeamViewer security team, which confirmed to him the existence of the vulnerability in its software and released a patch for Windows.
A TeamViewer spokesperson told The Hacker News, "We are patching versions 11-13. Windows is already available, whereas MacOS and Linux are expected later today."
TeamViewer users are recommended to install the patched versions of the software as soon as they become available. Patches will be delivered automatically to those users who have configured their TeamViewer software to receive automatic updates.
Largest Crypto-Mining Exchange Hacked; Over $70 Million in Bitcoin Stolen
8.12.2017 thehackernews Hacking
Bitcoin is breaking every record—after a 20% jump last week, the Bitcoin price crossed the $14,800 mark in less than 24 hours—and there can be no better reason for hackers to put all of their efforts into stealing the skyrocketing cryptocurrency.
NiceHash, the largest Bitcoin mining marketplace, has been hacked, which resulted in the theft of more than 4,700 Bitcoins worth over $57 million (at the time of breach).
And guess what? You'll be surprised to know that the stolen BTC now worth over $70 million—in less than 24 hours.
Founded in 2014, NiceHash is a cloud-based crypto-mining marketplace that connects people from all over the world who rent out their spare computing power to others in order to mine new coins.
On Wednesday, several NiceHash users reported that their BTC wallets had been emptied, which was later confirmed by NiceHash after its service went offline claiming to be undergoing maintenance.
At the time of writing, the NiceHash service is still offline with a post on its website, confirming that "there has been a security breach involving NiceHash website," and that hackers stole the contents of the NiceHash Bitcoin wallet.
The company did not provide any further details about the security incident, but it did say that NiceHash has paused its operations for the next 24 hours while it figures out exactly how many BTC were taken from its service and how.
Although NiceHash has not confirmed the number of bitcoins stolen from its virtual wallet, some of its customers have circulated a wallet address that suggests around 4,736 BTC—worth more than $70 million based on today's price—in total were drained from the company's wallet.
NiceHash has initiated an investigation into the matter, and has reported the incident to the "relevant authorities and law enforcement" and has been "co-operating with them as a matter of urgency."
The company also assured its customers that it is "fully committed to restoring the NiceHash service with the highest security measures at the earliest opportunity," but it's still unclear how the company will manage to settle everything if it is unable to compensate the total loss.
"We understand that you will have a lot of questions, and we ask for patience and understanding while we investigate the causes and find the appropriate solutions for the future of the service. We will endeavor to update you at regular intervals," the company says.
Following the security incident, NiceHash is recommending its customers to change their passwords—both on NiceHash and other services, if they are using the same credentials.
NiceHash is the latest cryptocurrency company to suffer a significant blow in recent months. Another major hack took place last month due to a flaw in Parity's wallet that caused over $160 million in ETH (Ether) to be frozen, while nearly $32 million in ETH was stolen by hackers in July.
Critical Flaw in Major Android Tools Targets Developers and Reverse Engineers
8.12.2017 thehackernews Vulnerebility
Finally, here we have a vulnerability that targets Android developers and reverse engineers, instead of app users.
Security researchers have discovered an easily-exploitable vulnerability in Android application developer tools, both downloadable and cloud-based, that could allow attackers to steal files and execute malicious code on vulnerable systems remotely.
The issue was discovered by security researchers at the Check Point Research Team, who also released a proof of concept (PoC) attack, which they called ParseDroid.
The vulnerability resides in a popular XML parsing library "DocumentBuilderFactory," used by the most common Android Integrated Development Environments (IDEs) like Google's Android Studio, JetBrains' IntelliJ IDEA and Eclipse as well as the major reverse engineering tools for Android apps such as APKTool, Cuckoo-Droid and more.
The ParseDroid flaw, technically known as XML External Entity (XXE) vulnerability, is triggered when a vulnerable Android development or reverse engineering tool decodes an application and tries to parse maliciously crafted "AndroidManifest.xml" file inside it.
In other words, all an attacker needs to do to trigger the vulnerability is trick developers and reverse engineers into loading a maliciously crafted APK file.
"By simply loading the malicious 'AndroidManifest.xml' file as part of an Android project, the IDEs start spitting out any file configured by the attacker," the researchers said.
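The defensive counterpart to the ParseDroid finding is to refuse a DTD in a manifest before any XML parser gets a chance to resolve entities. The following is an added example written for this article; it is not Check Point's ParseDroid proof of concept and not code from Android Studio, IntelliJ IDEA, Eclipse or APKTool. It drives Python's expat parser with the handlers that correspond to the JAXP features a Java tool would set on `DocumentBuilderFactory` (refusing to fetch external entities, and rejecting any DOCTYPE outright), and reports what a crafted manifest tried to do. Both manifests are constructed samples, and the `file:///PLACEHOLDER/secret.txt` path is a placeholder, not a real target.

```python
"""Gate an AndroidManifest.xml against XXE before handing it to a parser (added example)."""
import xml.etree.ElementTree as ET
from xml.parsers import expat


def scan_for_xxe(manifest: bytes) -> dict:
    """Walk the document with expat and record the DTD constructs XXE relies on.

    External entities are never fetched: ExternalEntityRefHandler returns 1
    ("continue") without parsing anything, the pyexpat equivalent of setting
    Java's external-general-entities feature to false.
    """
    report = {"doctype": None, "external_entities": [],
              "internal_entities": [], "fetch_attempts": []}
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        report["doctype"] = name

    def on_entity_decl(name, is_param, value, base, sysid, pubid, notation):
        if value is None:                       # no literal value: external entity
            report["external_entities"].append((name, sysid))
        else:
            report["internal_entities"].append(name)

    def on_external_ref(context, base, sysid, pubid):
        report["fetch_attempts"].append(sysid)  # a reference was reached in content
        return 1                                # refuse to load it, keep parsing

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_ref
    parser.Parse(manifest, True)
    return report


def load_manifest(manifest: bytes) -> str:
    """Parse only manifests with no DTD at all (Java: disallow-doctype-decl).

    A legitimate AndroidManifest.xml never needs a DOCTYPE, so the gate costs
    nothing. Returns the declared package name.
    """
    report = scan_for_xxe(manifest)
    if report["doctype"] is not None:
        raise ValueError(
            f"refusing manifest with DOCTYPE {report['doctype']!r}; "
            f"external entities declared: {report['external_entities']}")
    root = ET.fromstring(manifest)
    if root.tag != "manifest":
        raise ValueError(f"unexpected root element {root.tag!r}")
    return root.attrib["package"]


def is_rejected(manifest: bytes) -> bool:
    """True when load_manifest refuses the document."""
    try:
        load_manifest(manifest)
    except ValueError:
        return True
    return False


# Constructed sample: an ordinary manifest with no DTD.
BENIGN_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.app">
    <application android:label="Example"/>
</manifest>"""

# Constructed sample of the XXE shape the article describes: an external entity
# declared in the internal subset and referenced in element content. The path
# is a placeholder.
MALICIOUS_MANIFEST = b"""<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE manifest [
  <!ENTITY xxe SYSTEM "file:///PLACEHOLDER/secret.txt">
]>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.evil">
    <application>&xxe;</application>
</manifest>"""


if __name__ == "__main__":
    print("benign package:", load_manifest(BENIGN_MANIFEST))
    print("malicious report:", scan_for_xxe(MALICIOUS_MANIFEST))
    print("malicious rejected:", is_rejected(MALICIOUS_MANIFEST))
```

Rejecting any DOCTYPE is the robust choice: it closes both the external-entity file read and the entity-expansion variants at once, whereas disabling only external entities still leaves the parser honouring whatever else the DTD declares.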
Demonstration: XML External Entity (XXE) to Remote Code Execution
Besides this, the XXE vulnerability can also be used to write arbitrary files anywhere on a targeted computer to achieve full remote code execution (RCE), which makes the attack surface wide and varied.
Moreover, the attacker doesn't require to target their victims directly, as the researchers suggest "another attack scenario that can be used in the wild to attack a massive range of Android developers by injecting a malicious AAR (Android Archive Library) containing our XXE payload into repositories."
For educational and demonstration purposes, the researchers also created an online APK decoder tool that can extract the malicious file from an APK (in this case they used a PHP web shell), allowing the attacker to execute system commands on the web application server, as shown in the video.
"The way we chose to demonstrate this vulnerability, of course, is just one of many possible attack methods that can be used to achieve full RCE," the Check Point researchers wrote. "Indeed, the Path Traversal method lets us copy any file to any location on the file system, making the attack surface-wide and various."
Check Point researchers Eran Vaknin, Gal Elbaz, Alon Boxiner and Oded Vanunu discovered this issue in May 2017 and reported it to all major IDE and tool developers, including Google, JetBrains, Eclipse and the APKTool owner.
Most of the developers, including Google, JetBrains and APKTool owner, have since fixed the issue and released patched versions.
Since all the attack methods demonstrated by the researchers are cross-platform, developers and reverse engineers are highly recommended to update their tools, if they haven't yet.
Uber Paid 20-Year-Old Florida Hacker $100,000 to Keep Data Breach Secret
8.12.2017 thehackernews Crime
Last year, Uber received an email from an anonymous person demanding money in exchange for the stolen user database.
It turns out that a 20-year-old Florida man, with the help of another, breached Uber's system last year and was paid a huge amount by the company to destroy the data and keep the incident secret.
Just last week, Uber announced that a massive data breach in October 2016 exposed personal data of 57 million customers and drivers and that it paid two hackers $100,000 in ransom to destroy the information.
However, the ride-hailing company did not disclose identities or any information about the hackers or how it paid them.
Now, two unknown sources familiar with the incident have told Reuters that Uber paid a Florida man through HackerOne platform, a service that helps companies to host their bug bounty and vulnerability disclosure program.
So far, neither the identity of the Florida man nor that of the other person who helped him carry out the hack has been obtained.
Notably, HackerOne, who does not manage or plays any role in deciding the rewards on behalf of companies, receives identifying information of the recipient (hackers and researchers) via an IRS W-9 or W-8BEN form before payment of the award can be made.
In other words, some employees at Uber and HackerOne definitely know the real identity of the hacker, but chose not to pursue the case, as the individual did not appear to pose any future threat to the company.
Moreover, the sources also said that Uber conducted a forensic analysis of the hacker's computer to make sure that all the stolen data had been wiped, and had the hacker also sign a nondisclosure agreement to prevent further wrongdoings.
Reportedly, the Florida man also paid some unknown portion of the received bounty to the second person, who was responsible for helping him obtain credentials from GitHub for access to Uber data stored elsewhere.
The breach, which occurred in October 2016, exposed the names and driver license numbers of some 600,000 drivers in the United States, and the names, emails, and mobile phone numbers of around 57 million Uber users worldwide, drivers included.
However, other personal details, like trip location history, dates of birth, credit card numbers, bank account numbers, and Social Security numbers, were not accessed in the attack.
Former Uber CEO Travis Kalanick learned of the cyber attack in November 2016 and chose not to involve the authorities, believing the company could more easily and effectively negotiate directly with the hackers to limit any harm to its customers.
However, this secret dealing with the hackers eventually cost Uber security executives their jobs for handling the incident.
Now Uber CEO Dara Khosrowshahi has reportedly fired Uber Chief Security Officer Joe Sullivan, and one of his deputies, Craig Clark, who worked to keep the data breach quiet.
"None of this should have happened, and I will not make excuses for it. While I cannot erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes," Khosrowshahi said.
"We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers."
Last week, three more top Uber security managers resigned, including Sullivan's chief of staff Pooja Ashok, senior security engineer Prithvi Rai, and physical security chief Jeff Jones.
Chrome contains a critical bug. Millions of users are at risk
8.12.2017 Novinky/Bezpečnost Vulnerabilities
A critical security hole has been discovered in Google's popular Chrome web browser. Since the vulnerability affects all supported operating systems, tens of millions of users around the world are at risk.
Chrome is currently the most popular web browser, as evidenced by its large user base, which by the most conservative estimates numbers in the tens of millions. That is precisely why it is a regular target of cybercriminals.
Critical vulnerabilities that hackers can exploit are therefore discovered in this browser at least once a month as a rule. After all, Chrome users were already at risk in November.
A fix is already available
And as is now clear, December will be no different. This week the developers announced that the browser contains a critical security bug. In other words, cybercriminals can exploit it to smuggle practically any malicious code onto a computer. They can likewise access the settings of the compromised machine or the data stored on its hard drive.
Owners of practically every currently available operating system are at risk, as the bug affects the Windows, Mac OS and Linux versions of the browser.
Fortunately, Google has already fixed the hole in the latest version, along with a number of other bugs. Those, however, are labelled merely "important" rather than "critical". They should not pose any major security risk to users and are intended rather to improve the functionality of individual browser components.
Don't delay the installation
In any case, it is not very wise to delay installing the update. Users who do not have automatic installation of updates enabled should download it without delay. Otherwise they leave a back door into their computers open to cybercriminals.
The update can be installed manually via the Help menu, specifically under "About Google Chrome". Opening that item automatically offers the user the installation of the latest version.
Chrome is not the only browser plagued by dangerous bugs. This week a critical vulnerability was also fixed in Firefox, for example.
Two Vulnerabilities Patched in OpenSSL
8.12.2017 securityweek Vulnerebility
The OpenSSL Project announced on Thursday the availability of OpenSSL 1.0.2n, a version that patches two vulnerabilities discovered by a Google researcher.
The flaws were identified by Google’s David Benjamin using the search giant’s OSS-Fuzz fuzzing service.
One of the security holes, CVE-2017-3737, is related to an “error state” mechanism introduced with OpenSSL 1.0.2b. The mechanism is designed to trigger an immediate failure if there is an attempt to continue a handshake after a fatal error has occurred. The problem is that if the SSL_read() or SSL_write() functions are called directly, the mechanism doesn’t work properly.
“If SSL_read()/SSL_write() is subsequently called by the application for the same SSL object then it will succeed and the data is passed without being decrypted/encrypted directly from the SSL/TLS record layer,” OpenSSL said in its advisory.
While this vulnerability could have serious implications, it has only been rated “moderate severity” due to the fact that the targeted application would need to have a bug that causes a call to SSL_read() or SSL_write() after getting a fatal error.
Another vulnerability reported to the OpenSSL Project by Benjamin is CVE-2017-3738, an overflow bug that could allow an attacker to access TLS-protected communications. However, an attack is very difficult to carry out, which is why the issue has been classified as “low severity.”
CVE-2017-3738 is similar to CVE-2017-3736 and CVE-2017-3732, two other vulnerabilities discovered using the OSS-Fuzz tool and patched last month, and CVE-2015-3193, an issue fixed in December 2015.
CVE-2017-3738 affects both the 1.0.2 and 1.1.0 branches of OpenSSL. However, because it’s low severity, OpenSSL 1.1.0 has not been updated on this occasion. The vulnerability will be patched in OpenSSL 1.1.0h when it becomes available.
This is the fourth OpenSSL update from 2017 that patches security bugs and, unless a critical issue is discovered, it will likely be the last. OpenSSL security updates were also announced in January and February.
Chrome Improves Security for Enterprise Use
8.12.2017 securityweek Security
Chrome's Site Isolation Feature Renders Each Web Site in a Separate Process
Google is boosting the security of its browser with the release of Chrome 63, which brings a host of enhancements aimed at enterprises and also addresses 37 vulnerabilities.
The new browser iteration, Google says, can better protect enterprises from potential dangers like ransomware, malware, and other vulnerabilities. This is possible because of better process isolation, support for more advanced security standards, and the adoption of new policies.
One of the major enhancements Chrome 63 introduces is Site Isolation, where content for each open website is rendered in a separate process, isolated from the processes of other websites. The browser already includes sandboxing technology, but the new feature should deliver stronger security boundaries between websites.
Now, Chrome also allows IT admins to configure a new policy and restrict access to extensions based on the permissions required. Thus, they can block all extensions that require the use of a webcam or microphone, or those that want to access and modify data on the websites visited.
In an attempt to ensure more secure communication, the new browser release also enables Transport Layer Security (TLS) 1.3 for Gmail. TLS 1.3 support will be expanded to the broader web in 2018, Google reveals.
While Chrome browser users should not be impacted, IT admins can post feedback on any systems that are not interoperable with TLS 1.3. “As admins prepare for the wider use of TLS 1.3, they can configure this policy for network software or hardware that will not transit TLS 1.3 connections,” Google notes.
Next year, the Internet giant also plans to add support for the NTLMv2 authentication protocol in Chrome 64, including Extended Protection for Authentication (EPA) on Mac, Android, Linux and Chrome OS. Thus, the same level of security as in Chrome on Windows will be available on all platforms performing NTLM authentication.
IT admins can already enable the feature in chrome://flags/#enable-ntlm-v2, but Google plans on making NTLMv2 the default NTLM protocol starting with Chrome 65. The update makes Chrome the only browser to support NTLMv2 with EPA on non-Windows platforms.
The Internet search company also plans on improving the browser’s stability by blocking third-party software from injecting code into Chrome on Windows.
Because some businesses rely on code injection, however, a new policy set to be introduced in the coming months should provide admins with extended support for critical apps. To check whether their software is injecting into Chrome, admins can visit chrome://conflicts.
Google also included patches for 37 vulnerabilities in Chrome 63, including 19 security flaws reported by external researchers. These include 1 Critical severity, 6 High risk, 7 Medium severity, and 5 Low risk bugs.
The company paid over $46,000 to the reporting researchers. The highest bounties were paid for a Critical out-of-bounds write in QUIC ($10,500), a heap buffer overflow in PDFium ($6,337), two use-after-free issues in PDFium ($5,000 each), an out-of-bounds write in Skia ($5,000), and a use-after-free in libXML ($3,500).
Iranian Cyberspies Exploit Recently Patched Office Flaw
8.12.2017 securityweek CyberSpy
A cyber espionage group linked to Iran has been using a recently patched Microsoft Office vulnerability to deliver malware to targeted organizations, FireEye reported on Thursday.
The threat actor, tracked as APT34 by FireEye and OilRig by other companies, has been active since at least 2014, targeting organizations in the financial, government, energy, telecoms and chemical sectors, particularly in the Middle East.
Back in April, researchers noticed that APT34 had started exploiting an Office vulnerability (CVE-2017-0199) in attacks aimed at Israeli organizations shortly after Microsoft released a patch.
The cyberspies have now also started leveraging CVE-2017-11882, an Office vulnerability patched by Microsoft on November 14. FireEye said it had spotted an attack exploiting this flaw less than a week after the fix was released.
The remote code execution vulnerability affects the Equation Editor (EQNEDT32.EXE) component of Office and it has been around for 17 years. Some believe Microsoft may have addressed the security hole by directly modifying the executable, suggesting that the company may have lost its source code.
Proof-of-concept (PoC) exploits were made available for CVE-2017-11882 shortly after Microsoft released a patch and, in late November, researchers reported that a cybercrime group tracked as Cobalt had started exploiting the vulnerability.
However, FireEye saw the first attempt to exploit CVE-2017-11882 less than a week after Microsoft released a fix. The attack was aimed at a government organization in the Middle East.
In July 2017, FireEye observed an APT34 attack using CVE-2017-0199 to deliver a backdoor tracked by the company as POWRUNER, and a downloader with DGA (domain generation algorithm) functionality named BONDUPDATER. In November, the group switched to using CVE-2017-11882 to deliver these PowerShell-based pieces of malware.
The attackers used specially crafted RTF documents delivered to targeted users via spear phishing emails. When opened, the file triggers the Office vulnerability and initiates an infection process that ends with the execution of the backdoor and the downloader.
POWRUNER allows attackers to collect information about the infected machine, download and upload files, and capture screenshots. Once it receives commands from its command and control (C&C) server, the malware stops running.
The BONDUPDATER downloader is APT34’s first attempt at implementing a DGA for generating subdomains that are used for C&C communications.
“We assess that APT34’s efforts to continuously update their malware, including the incorporation of DGA for C2, demonstrate the group’s commitment to pursuing strategies to deter detection,” FireEye said in a blog post. “We expect APT34 will continue to evolve their malware and tactics as they continue to pursue access to entities in the Middle East region.”
This is not the first time FireEye has analyzed APT34’s activities. In May 2016, the security firm published a report detailing some of its attacks on banks in the Middle East, but at the time it did not attribute the operation to any group.
Palo Alto Networks reported in October that OilRig had started using a new Trojan in attacks aimed at entities in the Middle East.
Keylogger Found on 5,500 WordPress Sites
8.12.2017 securityweek Virus
Thousands of WordPress sites have been infected with a piece of malware that can log user input, Sucuri warns.
The infection is part of a campaign the security researchers detailed in April, when they revealed that websites were being infected with a piece of malware called cloudflare.solutions. The malware packed cryptominers at the time, and is now adding keyloggers to the mix as well.
At the moment, the cloudflare.solutions malware is present on 5,496 websites, and the number appears to be going up.
The injected cloudflare[.]solutions scripts are enqueued on WordPress pages through the theme’s function.php, and a fake CloudFlare domain is used in the URLs. One of the URLs loads a copy of the legitimate ReconnectingWebSocket library.
The main page of the domain claims “the server is part of an experimental science machine learning algorithms project,” the researchers reveal.
A cors.js script used there loads the Yandex.Metrika (Yandex’s alternative to Google Analytics), most likely to track the infected sites.
The researchers also discovered two cdnjs.cloudflare.com URLs with long hexadecimal parameters; the domain itself does belong to CloudFlare, but the referenced resources are not legitimate, and one does not even exist. The payloads are instead carried as the hexadecimal numbers after the question mark in the URLs.
The script was designed to decode the payloads and inject the result into web pages, which results in the aforementioned keylogger.
“This script adds a handler to every input field on the websites to send its value to the attacker (wss://cloudflare[.]solutions:8085/) when a user leaves that field,” Sucuri explains.
The keylogger allows the actors behind this campaign to steal payment details if the WordPress site has e-commerce functionality and embeds a checkout form, as well as login credentials, since the cloudflare[.]solutions keylogger is injected into login pages too.
Because the malicious code resides in the function.php file of the WordPress theme, removing the add_js_scripts function and all the add_action clauses that mention add_js_scripts should prevent the attack.
“Given the keylogger functionality of this malware, you should consider all WordPress passwords compromised so the next mandatory step of the cleanup is changing the passwords (actually it is highly recommended after any site hack),” Sucuri notes.
Because the cloudflare.solutions malware also injects Coinhive cryptocurrency miner scripts, site admins are advised to check their websites for other infections as well.
'Process Doppelgänging' Helps Malware Evade Detection
7.12.2017 securityweek Virus
Researchers at enSilo have identified a new method that can be used by hackers to execute a piece of malware on any supported version of Windows without being detected by security products.
The new technique, dubbed “Process Doppelgänging,” is similar to process hollowing, a code injection method that involves spawning a new instance of a legitimate process and replacing the legitimate code with malicious code. This technique has been used by threat actors for several years and security products are capable of detecting it.
enSilo says it has now come up with a similar but more efficient method for executing malicious code, including ransomware and other types of threats, in the context of a legitimate process. Process Doppelgänging abuses the Windows loader to execute code without actually writing it to the disk, which makes it more difficult to detect an attack.
According to researchers, when Process Doppelgänging is used, the malicious code is correctly mapped to a file on the disk, just like in the case of a legitimate process – modern security solutions typically flag unmapped code. The method can also be leveraged to load malicious DLLs.
Experts have successfully tested the technique on Windows 7, Windows 8.1 and Windows 10 against security products from Microsoft, AVG, Bitdefender, ESET, Symantec, McAfee, Kaspersky, Panda Security and Avast.
Process Doppelgänging relies on transactional NTFS, which is designed to make it easier for app developers and administrators to handle errors and preserve data integrity. enSilo has found a way to make changes to an executable file via NTFS transactions without actually committing those modifications to the disk. Undocumented functionality of the Windows process loader is then abused to load the modified executable. The changes made to the original file are reverted in order to avoid leaving any trace.
“We overwrite a legitimate file in the context of [an NTFS transaction],” enSilo said. “We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it's in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind.”
“There are a lot of technical challenges involved in making it work,” researchers explained. “One of the hardest challenges is that in order to run a process out of a section (not a file on disk) the process needs to be created using NtCreateProcess, which means that most of the initialization must be done manually, which requires knowing a lot of undocumented details on process creation.”
enSilo says its products can detect such an attack, which means other vendors can implement detection mechanisms as well, especially if the technique is exploited in the wild. However, since the method abuses legitimate features, experts say it cannot be patched.
The security firm disclosed its findings this week at the Black Hat Europe conference in London. Technical details and proof-of-concept (PoC) code will be made available shortly.
The Worst Password Offenders of 2017
7.12.2017 securityweek Security
Password management firm Dashlane has published a list of what it believes are the top ten password offenders for 2017. It comprises six 'government' entries (including the President of the United States and the entire UK Government), and four organizations. Topping the list is Donald Trump, joined by Paul Manafort at #9 and Sean Spicer at #10.
To be fair, it is as much Trump the administration as it is Trump the person that is being called out. Dashlane points to a Channel 4 News investigation in January 2017 that said "Passwords used by Donald Trump's incoming cyber security advisor Rudy Giuliani and 13 other top staff members have been leaked in mass hacks."
In reality, the majority of people have had at least one password exposed by the many mass hacks that have plagued the internet this decade, so the biggest problem is not whether a password appears in the dark web listings, but whether it is still being used by the user of that password. Dashlane comments, "many of the top staff members Trump handpicked, including multiple cabinet secretaries, senior policy directors -- even cybersecurity advisor Rudy Giuliani -- were reusing insecure, simple passwords."
Paul Manafort, who was indicted in October by a federal grand jury as part of Robert Mueller's investigation into the Trump campaign, had been using 'Bond007' as his password for multiple personal accounts, including Dropbox and Adobe. Sean Spicer makes the list at #10 because, says Dashlane, "the former Press Secretary sent numerous Tweets of what appeared to be his very own passwords."
While the Democratic Party experienced several cybersecurity incidents last year, other U.S. government entities that made Dashlane's 2017 list include the Department of Defense (DOD at #4) and the Republican Party (at #5). For the DOD, Dashlane comments, "Defense contractor Booz Allen Hamilton left the Pentagon severely exposed by leaving critical files on a non-password protected Amazon server. Included in the exposed data were several unencrypted passwords that could have been used to access classified D.O.D. information."
The Republican Party is included for a similar reason: the exposure of sensitive data (by one of its analytics firms) of 198 million U.S. voters on an unprotected Amazon server.
Related: Clinton Email Server Vulnerable for 3 Months
It's not just U.S. political entities in the list, however. Coming in at #3 is the entire 'UK Government'. In March, the National Cyber Security Center (NCSC) chief executive Ciaran Martin wrote to political parties warning, "This is not just about the network security of political parties' own systems. Attacks against our democratic processes go beyond this and can include attacks on Parliament, constituency offices, think tanks and pressure groups and individuals' email accounts."
In June, the Times reported, "Passwords belonging to British cabinet ministers, ambassadors and senior police officers have been traded online by Russian hackers, an investigation by The Times has found." Again, the lists of passwords were probably aggregated from numerous earlier mass hacks -- but disturbingly, the most common password was 'password'.
Following these events it would be logical for members of parliament and IT administrators to have tightened password management. But in early December, several members tweeted that they routinely share their work computer password with staff, including interns (http://www.securityweek.com/uk-members-parliament-share-passwords-staff).
Four commercial organizations make Dashlane's worst offenders list: Equifax (#2), Google (#6), HBO (#7) and Imgur (#8). Equifax is included not because of its loss of the personal details of 145.5 million people, which was basically a patching issue (http://www.securityweek.com/equifax-confirms-apache-struts-flaw-used-hack) rather than a password issue, but because of what appears to be a generally lax attitude towards password hygiene. A smaller and less well known Equifax breach this year occurred, according to Equifax's own disclosure letter to the Attorney General of New Hampshire, because "unauthorized third-party(ies) gained access to the accounts primarily by successfully answering personal questions about the affected employees in order to reset the employees' PINs (i.e., the password to access the online portal)."
Compounding this, researchers discovered that an Equifax server in Argentina was protected by 'admin/admin'. Anyone guessing these credentials would be able to access the server and find and modify employees' user accounts. Obscured, but not encrypted, the user's credentials were a plain text user name with a password comprising the user's surname.
Google makes the list because of the May phishing attack (http://www.securityweek.com/google-tightens-oauth-rules-combat-phishing) that compromised an unknown number of Google users' login credentials.
HBO (http://www.securityweek.com/hbo-hackers-demand-millions-ransom-note) is included because, following a series of hacks and breaches in 2017, "employees came forward with reports of terrible cybersecurity practices, including the reuse of passwords for personal and work accounts." One stolen and leaked Word document actually contains the personal email address and passwords of an HBO SVP.
Imgur is included because of a breach that occurred in 2014 but was only discovered this year. "The company admitted that at the time of the hack it was using an outdated algorithm to encrypt its users' passwords," explains Dashlane. "Although it updated its encryption last year, the damage was already done as 1.7 million user passwords were potentially compromised."
What is clear from this list is that despite all of the warnings and breaches, people and organizations who should be setting an example for everyone else are still demonstrating very poor password hygiene for both themselves and their users. Multi-factor authentication wherever possible will certainly help users protect themselves; but the first and primary line of defense is to use and never reuse very strong unique passwords -- and to hope that the service that requires them will never store them in plaintext.
Apple Patches Vulnerabilities in macOS, watchOS, and tvOS
7.12.2017 securityweek Apple
Apple this week released security updates for macOS, watchOS, and tvOS, as well as updated versions of the Safari browser and the iTunes for Windows application.
The company addressed a total of 22 vulnerabilities with the release of macOS High Sierra 10.13.2 this week (some of the patches were also included in Security Update 2017-002 Sierra and Security Update 2017-005 El Capitan).
Affected components included apache, curl, Directory Utility, Intel Graphics Driver, IOAcceleratorFamily, IOKit, Kernel, Mail, Mail Drafts, OpenSSL, and Screen Sharing Server. Kernel was impacted the most, with 8 bugs addressed in it.
Many of these flaws could result in attackers or malicious applications executing arbitrary code with either kernel or system privileges. Other vulnerabilities, however, could result in disclosure of process memory, administrator authentication bypass, and system termination, or could allow applications to read restricted memory.
Impacting macOS High Sierra 10.13.1, the flaw in Mail could result in an S/MIME encrypted email being inadvertently sent unencrypted if the receiver's S/MIME certificate was not installed, Apple notes in an advisory.
A total of 9 vulnerabilities were addressed with the release of watchOS 4.2. One of the bugs impacts IOSurface, another affects Wi-Fi, while the remaining 7 were resolved in Kernel. Most of the bugs could result in an application executing arbitrary code with kernel privileges or reading restricted memory.
Affecting Apple Watch (1st Generation) and Apple Watch Series 3, the Wi-Fi bug allowed an attacker in Wi-Fi range to force nonce reuse in WPA multicast/GTK clients.
The issue, known as Key Reinstallation Attacks or KRACK, was discovered earlier this year in the Wi-Fi standard itself, thus impacting all implementations, industrial networking devices included. Apple addressed the bug in most of its products in late October.
Released on Monday, tvOS 11.2 resolves 10 vulnerabilities: one in IOSurface, another in Wi-Fi, and 8 in Kernel. Essentially, it fixes the 9 bugs addressed with watchOS 4.2, along with one other issue in Kernel.
These 10 security vulnerabilities, along with 4 others (one in IOKit, one in IOMobileFrameBuffer, one in Mail, and another in Mail Drafts), were also addressed in iOS with the release of iOS 11.2 on December 2.
On Wednesday, December 6, Apple also released Safari 11.0.2 and iTunes 12.7.2 for Windows, but hasn’t provided information on the security content of these updates.
In late November, Apple released a security update for macOS High Sierra in an effort to patch a critical authentication bypass vulnerability that can be easily exploited to gain root access to a system.
Thousands of WordPress sites infected with a Keylogger and cryptocurrency miner scripts
7.12.2017 securityaffairs Virus
Nearly 5,500 WordPress websites are infected with a malicious script that logs keystrokes and, in some cases, loads a cryptocurrency miner in visitors’ browsers.
The experts from security firm Sucuri observed that the malicious script is loaded from the “cloudflare.solutions” domain, which has no connection to Cloudflare.
According to PublicWWW, this malicious script version is currently active on 5,496 sites.
The script running on compromised WordPress websites logs anything that visitors type inside form fields.
“We also mentioned a post written back in April that described the cloudflare.solutions malware, which came along with the cryptominers. At this moment, PublicWWW reports there are 5,482 sites infected with this malware. It seems that this evolving campaign is now adding keyloggers to the mix.” reads the analysis published by Sucuri.
The script is a serious threat especially for WordPress installs that run online stores: in those cases attackers can log credit card data and personal user details.
“This script adds a handler to every input field on the websites to send its value to the attacker (wss://cloudflare[.]solutions:8085/) when a user leaves that field.” continues the analysis.
According to Sucuri experts, the threat actors behind this hacking campaign have been active since at least April 2017. Over the months, Sucuri has tracked at least three different malicious scripts hosted on the same cloudflare.solutions domain.
The script currently found on compromised WordPress sites still includes the in-browser cryptocurrency mining capability and now also includes the keylogger component.
The malicious script resides in the function.php file of the WordPress theme, which means it can be neutralized by removing the add_js_scripts function and all the add_action clauses that refer to add_js_scripts.
“As we already mentioned, the malicious code resides in the function.php file of the WordPress theme. You should remove the add_js_scripts function and all the add_action clauses that mention add_js_scripts.” concludes the analysis.
“Given the keylogger functionality of this malware, you should consider all WordPress passwords compromised so the next mandatory step of the cleanup is changing the passwords (actually it is highly recommended after any site hack).”
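The clean-up step that both the securityweek piece and the Sucuri analysis quoted above describe (remove the add_js_scripts function and every add_action clause that mentions it) can be scripted. The following is an added example written for this page, not Sucuri's or WordPress's code: it scans a theme's functions.php (the articles write function.php) for the injected function and its hook registrations, reports their line numbers, and strips them on request. The sample file contents are constructed to mimic the described shape; the real injected loader is not reproduced, and the `mytheme_setup` hook and `fake-cdn.invalid` URL are placeholders.

```python
"""Find and strip the cloudflare[.]solutions injection from a WordPress
theme's functions.php, as the Sucuri clean-up advice describes.

Added example, not Sucuri's tooling. Assumptions: the injection is a PHP
function named add_js_scripts plus add_action() calls that register it;
the sample file below is constructed to mimic that shape and does not
reproduce the real injected script."""
import re
import sys

INJECTED_FUNCTION = "add_js_scripts"

# Constructed sample functions.php: a benign theme hook, followed by the
# injected function and two hooks that register it (placeholders only).
SAMPLE_FUNCTIONS_PHP = r"""<?php
function mytheme_setup() {
    add_theme_support('title-tag');
}
add_action('after_setup_theme', 'mytheme_setup');

function add_js_scripts() {
    // placeholder body; the real loader enqueued a fake CloudFlare URL
    wp_enqueue_script('cf-sol', 'https://fake-cdn.invalid/x.js', array(), null, true);
    if (is_admin()) { return; }
}
add_action('wp_enqueue_scripts', 'add_js_scripts');
add_action('login_enqueue_scripts', 'add_js_scripts');
"""


def find_function_span(php, name):
    """Return (start, end) character offsets of `function name(...) {...}`,
    matching braces so nested blocks in the body are handled, or None if
    the function is absent or its braces are unbalanced (refuse to guess)."""
    head = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", php)
    if head is None:
        return None
    depth = 0
    for i in range(head.end() - 1, len(php)):   # head.end()-1 is the opening brace
        if php[i] == "{":
            depth += 1
        elif php[i] == "}":
            depth -= 1
            if depth == 0:
                return head.start(), i + 1
    return None


def hook_pattern(name):
    """Whole add_action(...); statements whose arguments quote the callback name."""
    quoted = r"['\"]" + re.escape(name) + r"['\"]"
    return re.compile(r"^[ \t]*add_action\s*\([^;]*?" + quoted + r"[^;]*;[ \t]*\n?",
                      re.MULTILINE)


def scan(php, name=INJECTED_FUNCTION):
    """List (kind, line_number) pairs for everything clean() would remove."""
    findings = []
    span = find_function_span(php, name)
    if span:
        findings.append(("function", php.count("\n", 0, span[0]) + 1))
    for m in hook_pattern(name).finditer(php):
        findings.append(("add_action", php.count("\n", 0, m.start()) + 1))
    return sorted(findings, key=lambda f: f[1])


def clean(php, name=INJECTED_FUNCTION):
    """Return the file contents with the injected function and its hooks removed."""
    span = find_function_span(php, name)
    if span:
        start, end = span
        if end < len(php) and php[end] == "\n":   # drop the trailing newline too
            end += 1
        php = php[:start] + php[end:]
    return hook_pattern(name).sub("", php)


def main(argv):
    """Usage: script.py [functions.php] [--fix]; prints findings, rewrites with --fix."""
    path = next((a for a in argv[1:] if not a.startswith("--")), None)
    if path:
        with open(path, encoding="utf-8") as fh:
            php = fh.read()
    else:
        php = SAMPLE_FUNCTIONS_PHP          # demo on the constructed sample
    for kind, line in scan(php):
        print(f"{kind} at line {line}")
    if "--fix" in argv and path:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(clean(php))


if __name__ == "__main__":
    main(sys.argv)
```

Run it against a backup copy first and review the report before using `--fix`: the brace matcher is deliberately simple and returns None rather than guessing when the injected function's braces are unbalanced, in which case the file needs manual attention. Rotating all WordPress passwords afterwards, as Sucuri advises, remains a separate step.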
Process Doppelgänging Attack allows evading most security software on all Windows Versions
7.12.2017 securityaffairs Attack
Experts devised a new attack technique dubbed Process Doppelgänging, that could be implemented by vxers to bypass most antivirus solutions.
A group of security researchers from Ensilo discovered a new malware evasion technique, dubbed Process Doppelgänging, that could be implemented by vxers to bypass most antivirus solutions and security software.
The technique is a fileless code injection method that exploits a built-in Windows function and an undocumented implementation of the Windows process loader.
The Process Doppelgänging technique works on almost any Windows version starting from Windows Vista to the latest version of Windows 10.
The Ensilo duo, Tal Liberman and Eugene Kogan, presented Process Doppelgänging at the Black Hat Europe 2017 conference held in London.
Process Doppelgänging presents similarities to another technique dubbed Process Hollowing, but it relies upon the Windows mechanism of NTFS Transactions.
Process Hollowing lets attackers replace the memory of a legitimate process with malicious code, so that security software is tricked into believing the legitimate process is running.
Fortunately, all modern security software is able to detect Process Hollowing attacks. Process Doppelgänging instead leverages Windows NTFS Transactions and an outdated implementation of the Windows process loader, originally designed for Windows XP, to carry out the attack.
NTFS Transactions are a Windows feature that integrates transactions into the NTFS file system, making it easier for application developers to handle errors, preserve data integrity and, of course, manage files and directories.
An NTFS transaction is an isolated context that lets Windows application developers write file-output routines whose outcome is always resolved to either a clean success or a clean failure.
The Process Doppelgänging fileless attack works in four steps:
Transact—open a legitimate executable inside an NTFS transaction and then overwrite it with a malicious file.
Load—create a memory section from the modified (malicious) file.
Rollback—roll back the transaction (deliberately failing it), which removes all the changes to the legitimate executable as if they never existed.
Animate—bring the doppelganger to life. Use the older implementation of the Windows process loader to create a process from the memory section created in step 2, which is actually malicious and never saved to disk, “making it invisible to most recording tools such as modern EDRs.”
“The goal of the technique is to allow a malware to run arbitrary code (including code that is known to be malicious) in the context of a legitimate process on the target machine,” said the security duo.
“Very similar to process hollowing but with a novel twist. The challenge is doing it without using suspicious process and memory operations such as SuspendProcess, NtUnmapViewOfSection.”
“In order to achieve this goal we leverage NTFS transactions. We overwrite a legitimate file in the context of a transaction. We then create a section from the modified file (in the context of the transaction) and create a process out of it. It appears that scanning the file while it’s in transaction is not possible by the vendors we checked so far (some even hang) and since we rollback the transaction, our activity leaves no trace behind.”
According to the tests conducted by the researchers, who used Process Doppelgänging to run the well-known password-stealing utility Mimikatz without being detected, the technique evaded detection by most antivirus products, as reported in the researchers' results table.
Liberman explained that the Process Doppelgänging works on even the latest version of Windows 10, except Windows 10 Redstone and Fall Creators Update, both released earlier this year. On these later releases, the attack triggers a BSOD (blue screen of death) condition.
Fortunately, it is technically challenging to carry out Process Doppelgänging attacks, since they require knowing “a lot of undocumented details on process creation.”
The bad news is that the attack “cannot be patched since it exploits fundamental features and the core design of the process loading mechanism in Windows.”
The Czech Republic ranks among the safest countries. Computer viruses spread more widely in Slovakia
7.12.2017 Novinky/Bezpečnost Security
From the perspective of cyber threats, the Czech Republic is one of the safest countries in the world. The situation is considerably worse, for example, in neighbouring Slovakia, which by number of computer attacks belongs rather among the dangerous countries. This follows from an analysis by the antivirus company Check Point.
“The Czech Republic remained among the safest countries in October as well, placing 119th in the Threat Index for the second time in a row,” said Peter Kovalčík, SE Manager at Check Point.
According to him, Slovakia, by contrast, moved slightly towards the more dangerous countries, jumping from 90th to 75th place. The risk of infection by malicious code is therefore noticeably higher for our eastern neighbours than it is here.
The worst situation by far is in the Dominican Republic, which holds the absolute first place in the monitored period. India, China, the USA and Hong Kong are also among the five most dangerous places by number of cyber attacks.
“The biggest jumps towards the dangerous countries were recorded by New Caledonia, Tanzania and Kuwait. Uruguay, on the other hand, moved from 53rd place to the safer 118th position,” Kovalčík added.
Viruses mine cryptocurrencies
When spreading viruses, computer pirates are increasingly after profit. They try to slip fraudulent applications onto other people's computers with which they can mine cryptocurrency coins, which they then exchange for real money.
“In October, the CoinHive malicious code climbed to 6th place among the most used malware, confirming a trend highlighted by recent Check Point research, according to which attackers can use up to 65% of an end user's total CPU resources for cryptocurrency mining without the user knowing,” the security expert said.
“The rise of the CoinHive malicious code once again points to the need for advanced preventive security technologies in protecting networks against cybercriminals. Cryptocurrency mining is a new, silent and growing threat that is very lucrative for attackers and causes a significant drop in the performance of end devices and networks,” Kovalčík concluded.
Mining giant NiceHash lost 1.3 billion crowns. Hackers stole it
7.12.2017 Novinky/Bezpečnost Hacking
Mining giant NiceHash, which brings together hundreds of thousands of modern-day gold diggers mining virtual currencies, has become the target of hackers, who drained all of the stored money. And it is a hefty sum: 60 million dollars, roughly 1.3 billion crowns. Representatives of NiceHash announced it.
Virtual currencies enjoy such great popularity mainly because of their high and rapidly rising exchange rates. For example, one bitcoin, currently the most popular cryptocurrency, is now worth 14,300 dollars (310,500 CZK).
Their popularity is also helped by the fact that users do not have to pay a single crown to obtain virtual coins. If they have a sufficiently powerful computer, they can install special software and use it to literally mine cryptocurrencies: the program performs predefined computations whose result is a gain of virtual coins. These can then be used to buy practically anything.
And that is precisely why the NiceHash group was created. It is essentially a mining giant to which people voluntarily sign up, offering the computing power of their machines for mining bitcoins. They then divide the profit fairly among themselves.
All the bitcoins disappeared
But as the management of NiceHash has now stated, there will be nothing to divide. Computer pirates literally emptied the entire virtual wallet of this mining giant. As already mentioned above, it amounted to a record 1.3 billion crowns.
Criminals and computer pirates very often target virtual currencies, especially the popular bitcoin. They exploit the fact that transactions in this currency cannot be traced in any way. It is therefore very unlikely that the cybercriminals behind this attack on NiceHash will be caught.
The management of the mining giant is so far silent on how it will resolve the situation. Plans will reportedly be announced to individual users later.