Philippine Bank Accuses Bangladesh of Heist 'Cover-Up'
13.12.2017 securityweek CyberCrime
A Philippine bank on Tuesday accused Bangladesh's central bank of a "massive cover-up" over an $81-million cyber-heist last year, as it rejected allegations it was mostly to blame.
Unidentified hackers shifted $81 million in February last year from the Bangladesh central bank's account with the US Federal Reserve in New York to a Manila branch of the Rizal Commercial Banking Corp (RCBC).
The money was quickly withdrawn and laundered through Manila casinos.
With only a small amount of the stolen money recovered and frustration building in Dhaka, Bangladesh's Finance Minister A.M.A Muhith said over the weekend he wanted to "wipe out" RCBC.
RCBC on Tuesday said Muhith's remarks were "extremely irresponsible".
"Last year's theft of $81 million of Bangladesh's Central Bank's (BB) funds was an inside job and BB is engaging in a massive cover-up by maligning RCBC and refusing to divulge its findings," the bank said in a statement on Tuesday.
"BB should stop making RCBC its scapegoat."
The Philippines last year imposed a record $21-million fine on RCBC after a "special examination" of the bank and its role in the audacious cyber heist.
Philippine authorities have filed money laundering charges against the RCBC branch manager.
On Tuesday RCBC said an "inside job" at Bangladesh Bank made the heist possible.
"If it was stolen by your own people, why ask us? We are actually a victim of BB's negligence," RCBC said.
Asked about the allegation of an inside job, Bangladesh Bank deputy governor Razee Hassan insisted RCBC was at fault for releasing the stolen money.
"(RCBC) did not do due diligence. Their central bank did not fine them without any reason," he told AFP.
Singapore Ministry of Defence Announces Bug Bounty Program
13.12.2017 securityweek BigBrothers
Singapore’s Ministry of Defence (MINDEF) has invited roughly 300 white hat hackers from around the world to take part in a two-week bug bounty program targeting eight of its Internet-facing systems.
The MINDEF Bug Bounty Programme, scheduled to run between January 15 and February 4, 2018, is powered by the HackerOne platform.
The initiative covers the Defence Ministry’s public website, its I-Net and email services, the Central Manpower Base site, the Defence Science and Technology Agency site, and the NS, eHealth, LearNet 2 and myOASIS portals. Some of the targeted systems belong to the Singapore Armed Forces (SAF).
Rewards will range between S$150 (USD110) and roughly S$20,000 (USD15,000), and the total amount paid out will depend on the number and quality of bug reports. However, the cost of running the bug bounty program is expected to be less than what a commercial cybersecurity company would charge for an assessment, the Ministry said.
“Singapore is constantly exposed to the increasing risk of cyberattacks, and MINDEF is an attractive target for malicious cyber activity,” MINDEF said. “It is not possible to fully secure modern day computer software systems, and new vulnerabilities are discovered every day. As hackers with malicious intent find new methods to breach networks, MINDEF must constantly evolve and improve its defences against cyber threats.”
The announcement comes just months after the Ministry admitted that hackers had managed to breach a military system that stored non-classified data and personal information on servicemen and employees.
Singapore announced last year its intention to block Internet access on government computers for security reasons, but officials later clarified that the goal was to segregate sensitive systems from other online activities.
Singapore is the home city for SecurityWeek’s 2018 Singapore ICS Cyber Security Conference, an event dedicated to serving critical infrastructure and industrial internet stakeholders in the APAC region. The conference will take place April 24-26, 2018 at the Fairmont Singapore.
Greek Court Orders Extradition of Russian Bitcoin Suspect to US
13.12.2017 securityweek Crime
Greece's Supreme Court on Wednesday ordered that a Russian accused of laundering $4 billion using bitcoin digital currency be extradited to the United States, a court source said.
Greece's justice minister will now have the final say on whether to extradite Alexander Vinnik, who headed BTC-e, an exchange for the cyber currency.
He was indicted by a US court in July on 21 charges ranging from identity theft and facilitating drug trafficking to money laundering.
Vinnik has been held in a Greek jail since his arrest on July 25 in the northern Greek tourist resort of Halkidiki. He denies the accusation.
Russia has also filed a demand to extradite Vinnik so he can stand trial on separate fraud charges.
Two Greek courts separately approved both extradition requests in October.
BTC-e, founded in 2011, became one of the world's largest and most widely used digital currency exchanges.
According to the US indictment, it was "heavily reliant on criminals".
In addition, BTC-e "was noted for its role in numerous ransomware and other cyber-criminal activity".
It allegedly received more than $4 billion (3.4 billion euros) worth of Bitcoin over the course of its operation.
Vinnik was also charged with receiving funds from the infamous hack of Mt. Gox -- an earlier digital currency exchange that eventually failed, in part due to losses attributable to hacking.
The US Treasury Department has slapped BTC-e with a $110 million fine for "wilfully violating" US anti-money laundering laws. Vinnik himself has been ordered to pay $12 million.
In Russia, Vinnik is wanted on separate fraud charges totalling 9,500 euros.
He has said he would accept extradition to his home country.
New Spider Ransomware Emerges
13.12.2017 securityweek Ransomware
A new ransomware family, discovered while analyzing a mid-scale campaign that started over the weekend, uses decoy documents that are auto-synced to enterprise cloud storage and collaboration apps, security researchers say.
Dubbed Spider, the new threat was observed being distributed via an Office document apparently targeting users in Bosnia and Herzegovina, Serbia, and Croatia. The spam emails suggest the sender is looking to collect a debt from the recipient, in an attempt to trick the user into opening the attached file.
Obfuscated macro code embedded in the Office document, however, launches a Base64-encoded PowerShell script to download the malicious payload, Netskope’s Amit Malik says.
If the malware is able to infect a system, it starts encrypting the user’s files and adds the ‘.spider’ extension to the affected files.
A decrypter was designed to display the user interface and allow users to decrypt the files using a decryption key. It is executed alongside the encrypter but runs in the background until the encryption process has been completed, BleepingComputer’s Lawrence Abrams explains.
According to Malik, the Spider decrypter monitors system processes and prevents the launch of tools such as taskmgr, procexp, msconfig, regedit, cmd, outlook, winword, excel, and msaccess.
During encryption, the malware skips files in the following folders: tmp, Videos, winnt, Application Data, Spider, PerfLogs, Program Files (x86), Program Files, ProgramData, Temp, Recycle, System Volume Information, Boot, and Windows.
After completing the encryption process, the decrypter displays a warning (available in English and Croatian) informing users how they can decrypt their files. A help section is also included, with links and references to the resources needed to make the payment.
The ransom payment demanded is roughly $120.
“As ransomware continues to evolve, administrators should educate employees about the impact of ransomware and ensure the protection of the organization’s data by making a regular backup of critical data. In addition to disabling macros by default, users must also be cautious of documents that only contain a message to enable macros to view the contents and also not to execute unsigned macros and macros from untrusted sources,” Netskope says.
ISIS & Al Qaeda: What’s Coming Down the Line for the U.S. in 2018
13.12.2017 securityaffairs Cyber
ISIS & Al Qaeda: What’s Coming Down the Line for the U.S. in 2018. From drones to chemical attacks, which are the major risks?
Last month, the Department of Homeland Security (DHS) warned that, “our enemies remain focused on attacking the United States, and they are constantly adapting. DHS and its partners are stepping up efforts to keep terrorists out of America and to prevent terrorist recruitment and radicalization here at home, and we urge the public to remain vigilant and report suspicious activity.”
The DHS also indicated the U.S. is facing a significant, ongoing terror threat and the agency’s website displayed an “Elevated” alert level (second from the most severe), which means a credible threat of terrorism against the U.S. exists.
Guess Who’s Back
Al Qaeda never really went away, of course. The 30-year-old terrorist organization had just, for the most part, receded to the background while the Islamic State took center stage. While ISIS has been driven out of Iraq and Syria, they are alive and well in Africa and Europe. ISIS supporters can be found in the U.S. as well, as evidenced by recent activity by the group’s devotees.
Al Qaeda has reemerged stronger now than it was when Bin Laden was killed. While the world was focused on ISIS, al Qaeda was quietly amassing power, planning, strengthening alliances and fundraising.
Earlier in the year, Stratfor reported that some are concerned that al Qaeda and ISIS may reunite:
“The idea of the global jihadist movement’s two major poles joining forces is certainly a troubling one. The combined capabilities of the Islamic State and al Qaeda could pose a significant threat to the rest of the world, making them a much more dangerous enemy together than divided.”
Though both groups follow Salafist ideology, it might be difficult to merge the two groups’ divergent goals. The Islamic State seeks global conquest through the establishment of a Caliphate, while Al Qaeda is focused on the demise of the United States. Al Qaeda boasts a sophistication gained from years of experience, selectivity in recruiting and an assortment of well-educated scholars, including scientists and engineers.
ISIS, viewed as crude by al Qaeda, also lacks the restraint al Qaeda exercises.
Some collaboration between these two terrorist groups has already occurred in Syria, where fighters with Hayat Tahrir al-Sham (HTS), also known as al Qaeda in Syria, and ISIS were found to have a somewhat cooperative relationship. Additionally, al Qaeda emir Ayman al Zawahiri has been attempting to build bridges among groups with similar enemies. And al Zawahiri reiterated that the U.S. is al Qaeda’s number one priority.
In comparing the two groups, Critical Threats points out that, “while ISIS had used conquest and bombastic proclamations to capture popular support and gain momentum, al Qaeda worked quietly with a softer approach to securing support.”
“The strengthening of al Qaeda is more dangerous than the success of ISIS. Al Qaeda’s softer approach to building popular support at the grassroots level evoked little, if any, reaction from the West. The West bought al Qaeda’s line that its local focus is a local issue. Al Qaeda further managed the reactions of the communities into which it was insinuating itself by permitting outbursts of local resistance and adjusting its time line to avoid generating backlash. ISIS’s conquest, by contrast, resulted in the West mobilizing a military effort against the group and harsh reaction from its conquered communities over time. ISIS’s coerced popular support in the Muslim world will collapse. Al Qaeda is positioned to absorb the remnants of ISIS, benefit from ISIS’s global mobilization, and sustain its own momentum within Sunni communities to strengthen the Salafi-jihadi movement.”
Al Qaeda does have sleeper cells within the U.S. that are responsible for planning and launching attacks. But there are also “lone wolf” supporters of Al Qaeda, in addition to ISIS proponents, in the U.S. who are preparing to launch attacks on their own.
Increasing collaboration has also been found among various terror groups in the Maghreb, particularly in Libya. They have been exchanging ideas for training, military tactics, PR, recruitment, and financing.
“Libya is a key node for the global Salafi-jihadi movement. The Libyan base provides the global movement with a destination for jihad, a transit and training zone, and a key node for global foreign fighter flows. It is already an important enabler for the global Salafi-jihadi threat against the United States, Europe, and American interests.
Al Qaeda and ISIS are consolidating a safe haven in Libya from which they will directly threaten the West over the long term.”
Add to that the fact that al Qaeda in the Maghreb (AQIM) has managed to turn a profit of around $100 million through ransom, drug trading, taxing locals and donations from around the world, according to a study by the Foundation for Defense of Democracies.
The global Salafi-jihadi movement was and remains more than just al Qaeda—or ISIS, however. The American Enterprise Institute cautions that, “the need is urgent. Al Qaeda, the Islamic State, and the global Salafi-jihadi movement together are stronger today than they have ever been.”
Holiday season threats have been issued primarily against Europe, but also against New York City:
The Hill reports: “An ominous poster of Santa Claus standing next to a box of dynamite in Times Square appeared in a pro-ISIS forum earlier this week with the headline ‘we meet at Christmas in New York soon.’ A picture of a masked jihadi, with a rifle in the front seat of a car driving toward the Vatican marked with the banner ‘Christmas Blood so wait’ appeared a few days before that.”
A new series of threatening images posted on social media and messaging apps, with ISIS imagery, is being shared. These graphics call for terror attacks on New York City, Paris and London.
Other posters include images of London’s Regent Street and the Eiffel Tower in Paris, with images of jihadists and blood superimposed on them. A chilling message in English, German and French is included: ‘Soon on your holidays.’
According to Metro.co.uk, “a propaganda poster emerged showing a terrorist in the Vatican with a rocket launcher. The message warned that ‘the crusaders feast is approaching’, suggesting they are planning to attack the Catholic church’s holy city. Another was shared online showing a masked figure driving towards St Peter’s Basilica with a gun and a backpack inside his car, with the message ‘Christmas blood’ written in red underneath.”
Potential Terror Threats to the U.S. in 2018
Hezbollah – “While I’m not here today to speak publicly about any specific, or credible, or imminent threat to the homeland, we in the intelligence community do in fact see continued activity on behalf of Hezbollah here inside the homeland,” National Counterterrorism Center Director Nicholas Rasmussen said. Rasmussen went on to say that it is the center’s, “assessment that Hezbollah is determined to give itself a potential homeland option as a critical component of its terrorism playbook.” He pointed out the recent arrests of alleged Hezbollah operatives in Michigan and New York.
The two alleged operatives that were arrested are Ali Kourani and Samer el Debek. Charged with providing material support to Hezbollah’s Islamic Jihad Organization, Kourani described his role as a “sleeper.” And, according to the complaint, El Debek was trained in making landmines and other explosives.
Dirty Bombs – Terrorists could use drones to drop dirty bombs or poison on U.S. cities. Security officials have said that it may just be a matter of time before such schemes come to fruition in America. In August, Australian federal police disrupted an ISIS plot to construct an “improvised chemical dispersion device,” which they planned to deploy in urban areas. Hydrogen sulfide, a poisonous gas, would have been spread over the urban areas had the plot not been foiled.
Possible Backlash – Some Muslim leaders have said they view the plan to move the U.S. Embassy from Tel Aviv to Jerusalem as “a declaration of war.”
Also, Jihadists across the ideological spectrum have beseeched Muslims to take physical action instead of merely protesting the planned move of the U.S. Embassy to Jerusalem.
For its part, al-Qaeda has urged followers all around the world to target U.S. interests, its allies and Israel in response to the U.S. Embassy plan. “A statement posted Friday on al-Qaeda’s media arm as-Sahab, in both Arabic and English, urged holy war or jihad and described America as a modern-era ‘pharaoh’ oppressing Muslims. Branches of the global terror network, including the North Africa branch known as Al-Qaeda in the Islamic Maghreb and also al-Qaeda in the Arabian Peninsula, issued similar statements.”
Then too, Sheikh Hamza bin Laden, son of Osama bin Laden, has called for the group’s supporters to “embrace the kinds of ‘lone wolf attacks’ used by Islamic State, its bitter rival, in which jihadists execute terror operations acting largely on their own and without direction.”
Attacks on the US Government & Critical Infrastructure – Some experts anticipate that in 2018 a major attack on U.S. critical infrastructure will occur. “Additionally, tension between the U.S. and other countries could escalate to online cyberattacks. In October, the FBI and DHS warned of advanced persistent threat activity targeting energy, nuclear, water, aviation, construction, and critical manufacturing sectors. Critical infrastructure companies are behind in preparing their operational facilities to confront cyberattacks – making them an easy target for politically-motivated attackers – Adi Dar, CEO, Cyberbit”
On social media and encrypted messenger apps, training materials are being produced and shared at an alarming rate and volume. This includes an astonishing assortment of bomb-making instructions and recipes for a whole host of gases and volatile compounds.
Of late, in these online forums, a lot of emphasis is placed on bioterrorism, with detailed training materials being provided on how to execute attacks on “kuffars” using substances such as anthrax, ricin and botulism.
Regarding bioterrorism, former White House biodefense aide Robert Kadlec said that, “the trends indicate more terrorist groups are interested in conducting such attacks.”
In 2016, ISIS operatives planned to contaminate water sources in Turkey with bacteria causing tularemia, which is a potentially fatal human illness. In another ISIS-linked ploy, an anthrax attack in Kenya was thwarted by the police. And, in yet another instance in Nigeria, the army intercepted poisoned fish believed to have been brought into the country by Boko Haram operatives.
Both al Qaeda and ISIS have threatened public transportation in the U.S., but online, al Qaeda has been heavily promoting its train derailment tool, providing detailed instructions on how to use it and the best routes across the country to use it on.
On the Telegram app, there are channels in which collaboration among the supporters of ISIS, al Qaeda and other Salafist terrorist groups, such as Ansar al Sharia, is taking place. Shared on these channels is a seemingly endless array of tools for lone wolves, including remote control detonators, a device that explodes when one opens a door, car bombs, hidden bombs and much more. Very detailed instructions are given for all of these explosive devices. The channels generally have hundreds of participants and the channels get reported and shut down frequently, but are back up again shortly afterwards. Channel administrators simply continue distributing materials to those who desire to be a well-equipped, adequately trained lone wolf.
The massive cache of Islamic State propaganda videos found on the cellphone of Sayfullo Saipov, the man accused of using a truck to mow down pedestrians and cyclists recently in New York City, provided a glimpse of the vast amount of jihadist content on the internet.
Along with the 90 videos and 3,800 images found were depictions of beheadings and bomb-making instructions.
The amount of jihadist content on the internet is staggering. The efforts of law enforcement, intelligence agents and private intel agencies around the world are not sufficient to thwart every planned attack, though many have been thwarted.
One way individuals can help is by always being aware of their surroundings. People should report any suspicious behavior potentially related to terrorism to law enforcement.
And, since many terror attacks are closely linked to online activity such as planning attacks, garnering materials and instructions on how to carry out attacks, warnings about attacks and gloating immediately following an attack, be sure to also report suspicious behavior you see online.
Adobe Patch Tuesday only addressed a moderate severity regression issue affecting Flash Player
13.12.2017 securityaffairs Vulnerability
Adobe has released its Patch Tuesday updates; this month it addressed only a moderate-severity regression issue affecting Flash Player, tracked as CVE-2017-11305.
It was a light Patch Tuesday this month for Adobe, which addressed only a moderate-severity regression issue affecting Flash Player, tracked as CVE-2017-11305.
The vulnerability was described as a “business logic error,” that can cause the unintended reset of the global settings preference file.
“Adobe has released a security update for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. This update addresses a regression that could lead to the unintended reset of the global settings preference file.” reads the Adobe Security Bulletin.
According to the company, there is no evidence of exploitation in the wild.
The regression issue affects version 18.104.22.168 and earlier of Flash Player on Windows, Mac, Linux and Chrome OS. Adobe patched the flaw with the release of version 22.214.171.124. Microsoft has also updated the Flash Player components used by its software in order to address this issue.
In November, Adobe addressed a total of 80 vulnerabilities across 9 products, most of which for Acrobat and Reader, including dozens of RCE issues.
A banking Trojan targeting the Polish banks was found in Google Play
13.12.2017 securityaffairs Android
It has happened again: several banking Trojan samples have been found on Google Play, and this time the malicious code targeted a number of Polish banks.
The malware was disguised as seemingly legitimate apps “Crypto Monitor”, a cryptocurrency price tracking app, and “StorySaver”, a third-party tool for downloading stories from Instagram.
The malicious code is able to display fake notifications and login forms on the infected device to harvest login credentials used to access legitimate banking applications. The code is also able to intercept SMS messages to bypass two-factor authentication used by the financial institutions.
The same malware was discovered by experts at security firm RiskIQ in November.
According to researchers from ESET, the “Crypto Monitor” app was uploaded to the Play store on November 25 by the developer walltestudio, while the “StorySaver” app was uploaded by the developer kirillsamsonov45 on November 29.
“Together, the apps had reached between 1000 and 5000 downloads at the time we reported them to Google on December 4. Both apps have since been removed from the store.” states the analysis published by ESET.
When the user launches the malicious apps, they compare the apps installed on the infected device against a list of fourteen apps used by Polish banks; once one of them is found, the malicious code can display fake login forms imitating those of the targeted legitimate apps.
App name          Package name
Alior Mobile      com.comarch.mobile
BZWBK24 mobile    pl.bzwbk.bzwbk24
Getin Mobile      com.getingroup.mobilebanking
Moje ING mobile   pl.ing.mojeing
Bank Millennium   wit.android.bcpBankingApp.millenniumPL
mBank PL          pl.mbank
Nest Bank         pl.fmbank.smart
Bank Pekao        eu.eleader.mobilebanking.pekao
Mobile Bank       eu.eleader.mobilebanking.raiffeisen
Citi Handlowy     com.konylabs.cbplpat
In some cases the fake login form is displayed to the user only after he clicks on a fake notification presented by the malware, imitating the ones used by the targeted bank app.
“ESET’s security systems detect the threat as Android/Spy.Banker.QL and prevent it from getting installed.” states ESET.
“ESET telemetry shows that 96% of the detections come from Poland (the remaining 4% from Austria), apparently due to local social engineering campaigns propagating the malicious apps.”
The experts noticed that it is very easy to remove the malicious apps by going to Settings > (General) > Application manager/Apps, searching for the malicious apps and uninstalling them.
“To avoid falling prey to mobile malware in the future, make sure to always check app ratings and reviews, pay attention to what permissions you grant to apps, and use a reputable mobile security solution to detect and block latest threats.” concluded ESET.
ESET, which credited Witold Precikowski for the discovery, included the IoCs for this specific threat in its report.
December Microsoft Patch Tuesday addresses 19 Critical browser issues
13.12.2017 securityaffairs Vulnerability
Microsoft released Patch Tuesday updates for December 2017 that address more than 30 vulnerabilities, including 19 Critical browser issues.
Microsoft has released its Patch Tuesday updates for December 2017 that address more than 30 vulnerabilities, including 19 critical flaws affecting the Internet Explorer and Edge web browsers.
Microsoft addressed several memory corruption flaws that can be exploited for remote code execution. Most of the vulnerabilities reside in the browsers’ scripting engines; an attacker can trigger them by tricking the victim into visiting a specially crafted website or a site that serves malicious ads.
Microsoft acknowledged researchers from Google, Palo Alto Networks, McAfee and Qihoo 360 for finding the issues.
The list of vulnerabilities fixed this month includes an “important” information disclosure flaw tracked as CVE-2017-11927. The vulnerability affects the Windows its:// protocol handler; InfoTech Storage Format (ITS) is the storage format used in CHM files.
“An information disclosure vulnerability exists when the Windows its:// protocol handler unnecessarily sends traffic to a remote site in order to determine the zone of a provided URL. This could potentially result in the disclosure of sensitive information to a malicious site.” read the security advisory published by Microsoft.
“To exploit the vulnerability an attacker would have to trick a user into browsing to a malicious website or to an SMB or UNC path destination. An attacker who successfully tricked a user into disclosing the user’s NTLM hash could attempt a brute-force attack to disclose the corresponding hash password.”
The list of flaws addressed by Microsoft also includes a collection of information disclosure issues in Office, a privilege escalation vulnerability affecting SharePoint, a spoofing issue in Exchange, and a remote code execution vulnerability in Excel.
The good news is that according to Microsoft, none of the vulnerabilities addressed with the December Patch Tuesday has been exploited in attacks or disclosed publicly before fixes were released.
Adobe has also published its December Patch Tuesday, this month the company only patched one moderate severity vulnerability in Flash Player.
ROBOT Attack: RSA TLS crypto attack worked against Facebook, PayPal, and 27 of the top 100 domains
13.12.2017 securityaffairs Krypto
ROBOT ATTACK – Security experts have discovered a 19-year-old flaw in the TLS network security protocol that affects software from many vendors worldwide.
The security researchers Hanno Böck and Juraj Somorovsky of Ruhr-Universität Bochum/Hackmanit, and Craig Young of Tripwire VERT, have discovered a 19-year-old vulnerability in the TLS network security protocol in software from several tech giants and open-source projects.
The flaw in RSA PKCS #1 v1.5 encryption affects the servers of 27 of the top 100 web domains, including Facebook and PayPal; it could be exploited by an attacker to decrypt encrypted communications.
The researchers dubbed the flaw ROBOT, which stands for Return Of Bleichenbacher’s Oracle Threat.
“ROBOT is the return of a 19-year-old vulnerability that allows performing RSA decryption and signing operations with the private key of a TLS server.” the researchers explained.
“In 1998, Daniel Bleichenbacher discovered that the error messages given by SSL servers for errors in the PKCS #1 1.5 padding allowed an adaptive-chosen ciphertext attack; this attack fully breaks the confidentiality of TLS when used with RSA encryption.
We discovered that by using some slight variations this vulnerability can still be used against many HTTPS hosts in today’s Internet.”
Today we are still discussing the ROBOT attack because the mitigations drawn up at the time were not enough and many software vendors did not properly implement these protections.
“The real underlying problem here is that the protocol designers decided (in 1999) to make workarounds for using an insecure technology rather than replace it with a secure one as recommended by Bleichenbacher in 1998.” said Young.
The ROBOT attack could allow attackers to decrypt RSA ciphertexts without recovering the server’s private key, as explained in a security advisory published by Cisco.
“An attacker could iteratively query a server running a vulnerable TLS stack implementation to perform cryptanalytic operations that may allow decryption of previously captured TLS sessions.” states the advisory published by Cisco.
“To exploit this vulnerability, an attacker must be able to perform both of the following actions:
Capture traffic between clients and the affected TLS server.
Actively establish a considerable number of TLS connections to the vulnerable server. The actual number of connections required varies with the implementation-specific vulnerabilities, and could range from hundreds of thousands to millions of connections.”
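The oracle the Cisco advisory describes comes from the server's handling of PKCS #1 v1.5 padding in the RSA key exchange: if the server's response (or timing) differs depending on which way a decrypted block is malformed, each connection leaks one bit about the plaintext, which is why the attack needs so many connections. The toy model below is an added example, not code from the article or from the ROBOT researchers; it assumes a 2048-bit modulus (k = 256 bytes) and a TLS 1.2 premaster secret, and shows a leaky padding check beside one that follows the TLS 1.2 countermeasure (RFC 5246 section 7.4.7.1: on any failure, continue with a random premaster secret rather than reporting the error). Python cannot guarantee constant time, so the hardened version demonstrates the uniform control flow and uniform response, not a timing guarantee.

```python
# Added example (not from the article or the ROBOT researchers' code): a toy
# model of the PKCS#1 v1.5 padding check behind Bleichenbacher's attack.
import hmac
import secrets

PREMASTER_LEN = 48          # TLS premaster secret length in bytes
TLS_VERSION = b"\x03\x03"   # TLS 1.2 version bytes expected at the start of the premaster
MODULUS_BYTES = 256         # assumed 2048-bit RSA modulus


def pkcs1_v15_pad(message: bytes, k: int) -> bytes:
    """EME-PKCS1-v1_5 encoding: 0x00 || 0x02 || PS || 0x00 || M, where PS is
    at least 8 nonzero random bytes and k is the modulus length in bytes."""
    if len(message) > k - 11:
        raise ValueError("message too long for modulus")
    ps_len = k - 3 - len(message)
    ps = bytes(secrets.choice(range(1, 256)) for _ in range(ps_len))
    return b"\x00\x02" + ps + b"\x00" + message


def unpad_leaky(em: bytes, k: int) -> tuple:
    """Returns (ok, premaster, reason). The distinct reasons and early exits
    are the side channel: a server that reports or times these differently
    hands the peer a padding oracle."""
    if len(em) != k:
        return False, None, "length"
    if em[0] != 0x00 or em[1] != 0x02:
        return False, None, "header"
    try:
        sep = em.index(b"\x00", 2)
    except ValueError:
        return False, None, "no-separator"
    if sep < 10:                      # PS must be at least 8 bytes
        return False, None, "short-padding"
    premaster = em[sep + 1:]
    if len(premaster) != PREMASTER_LEN:
        return False, None, "bad-premaster-length"
    if premaster[:2] != TLS_VERSION:
        return False, None, "bad-version"
    return True, premaster, "ok"


def unpad_uniform(em: bytes, k: int) -> bytes:
    """Hardened handling: inspect the whole block without early exits and,
    on any failure, return a random premaster secret. The handshake then
    fails later at the Finished MAC, identically for every kind of error."""
    random_pms = secrets.token_bytes(PREMASTER_LEN)
    if len(em) != k:                  # length is public, so this branch leaks nothing
        return random_pms
    sep_pos = k - PREMASTER_LEN - 1   # where the 0x00 separator must sit
    good = int(sep_pos >= 10)
    good &= int(em[0] == 0x00)
    good &= int(em[1] == 0x02)
    good &= int(em[sep_pos] == 0x00)
    for i in range(2, sep_pos):       # every padding byte must be nonzero
        good &= int(em[i] != 0x00)
    candidate = em[sep_pos + 1:]
    good &= int(hmac.compare_digest(candidate[:2], TLS_VERSION))
    # branch-free select: candidate if good, else the random secret
    mask = (-good) & 0xFF
    return bytes((c & mask) | (r & ~mask & 0xFF) for c, r in zip(candidate, random_pms))


def classify_responses(k: int = MODULUS_BYTES):
    """Feed the same constructed probes to both checkers. The leaky checker
    exposes several distinguishable outcomes; the uniform one always yields
    a 48-byte secret and never signals which probe was malformed."""
    pms = TLS_VERSION + b"\x11" * (PREMASTER_LEN - 2)   # constructed, zero-free
    good_em = pkcs1_v15_pad(pms, k)
    probes = [
        good_em,
        b"\x00\x01" + good_em[2:],                                   # wrong block type
        good_em[:2] + b"\x00" + good_em[3:],                         # separator too early
        good_em[:k - PREMASTER_LEN - 1] + b"\x01" + good_em[-PREMASTER_LEN:],  # no separator
        good_em[:-PREMASTER_LEN] + b"\x03\x01" + good_em[-PREMASTER_LEN + 2:], # wrong version
    ]
    leaky_outcomes = {unpad_leaky(p, k)[2] for p in probes}
    uniform_ok = all(len(unpad_uniform(p, k)) == PREMASTER_LEN for p in probes)
    return leaky_outcomes, uniform_ok


if __name__ == "__main__":
    outcomes, ok = classify_responses()
    print("leaky checker exposes", len(outcomes), "distinct outcomes:", sorted(outcomes))
    print("uniform checker always returns a premaster secret:", ok)
```

Only the first probe is a valid block, so a client talking to the hardened checker learns nothing it did not already know; against the leaky checker, five probes produce five different answers, and that difference is what the connection counts in the advisory are spent on.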
Fortunately, the vulnerability affects only 2.8% of the top million websites; this small share is due to the fact that the affected library is mainly used in expensive commercial products, which are often deployed to enforce security controls on popular websites.
As a proof-of-concept for the ROBOT attack, the experts demonstrated practical exploitation by signing a message with the private key of facebook.com’s HTTPS certificate.
Facebook was using a patched version of OpenSSL on its vulnerable servers; according to the tech giant, the issue was caused by custom patches applied by the company.
Facebook patched its servers before the disclosure of the paper on the ROBOT attack.
Several vendors have fixes pending; the following list includes patches that are already available.
F5 BIG-IP SSL vulnerability CVE-2017-6168
Citrix TLS Padding Oracle Vulnerability in Citrix NetScaler Application Delivery Controller (ADC) and NetScaler Gateway CVE-2017-17382
Radware Security Advisory: Adaptive chosen-ciphertext attack vulnerability CVE-2017-17427
Cisco ACE End-of-Sale and End-of-Life CVE-2017-17428
Bouncy Castle Fix in 1.59 beta 9, Patch / Commit CVE-2017-13098
Erlang OTP 126.96.36.199, OTP 188.8.131.52, OTP 20.1.7 CVE-2017-1000385
WolfSSL Github PR / patch CVE-2017-13099
MatrixSSL Changes in 3.8.3 CVE-2016-6883
Java / JSSE Oracle Critical Patch Update Advisory – October 2012 CVE-2012-5081
According to Young, the most interesting attack scenarios see hackers having access to the target’s network traffic, a position that could be obtained by an attacker exploiting the KRACK attack to target a Wi-Fi connection.
The impact of ROBOT attacks is severe: an attacker can steal sensitive and confidential data, including passwords, credit card data, and other sensitive details.
The experts released a Python tool to scan for vulnerable hosts, so everyone can check their HTTPS server against the ROBOT attack.
The researchers also included countermeasures in their paper; they recommend deprecating the RSA encryption key exchange in TLS and the PKCS #1 v1.5 standard.
“We can therefore conclude that there is insufficient testing of modern TLS implementations for old vulnerabilities. The countermeasures in the TLS standard to Bleichenbacher’s attack are incredibly complicated and grew more complex over time. It should be clear that this was not a viable strategy to avoid these vulnerabilities.
The designers of TLS 1.3 have already decided to deprecate the RSA encryption key exchange. However, as long as compatibility with RSA encryption cipher suites is kept on older TLS versions these attacks remain a problem,” concludes the research paper.
“To make sure Bleichenbacher attacks are finally resolved we recommend to fully deprecate RSA encryption based key exchanges in TLS. For HTTPS we believe this can be done today.”
ROBOT Attack: 19-Year-Old Bleichenbacher Attack Leaves Encrypted Web Vulnerable
12.12.2017 thehackernews Attack
A 19-year-old vulnerability has been re-discovered in the RSA implementation from at least 8 different vendors—including F5, Citrix, and Cisco—that can give man-in-the-middle attackers access to encrypted messages.
Dubbed ROBOT (Return of Bleichenbacher's Oracle Attack), the attack allows an attacker to perform RSA decryption and cryptographic operations using the private key configured on the vulnerable TLS servers.
The ROBOT attack is essentially a couple of minor variations on the old Bleichenbacher attack against RSA encryption in TLS.
First discovered in 1998 and named after Swiss cryptographer Daniel Bleichenbacher, the Bleichenbacher attack is a padding oracle attack on the RSA-based PKCS#1 v1.5 encryption scheme used in SSLv2.
It is an adaptive chosen-ciphertext attack made possible by the error messages SSL servers return for errors in the PKCS #1 v1.5 padding: those messages let an attacker determine whether a decrypted message is correctly padded.
This information eventually helps attackers decrypt RSA ciphertexts without recovering the server's private key, completely breaking the confidentiality of TLS when used with RSA encryption.
"An attacker could iteratively query a server running a vulnerable TLS stack implementation to perform cryptanalytic operations that may allow decryption of previously captured TLS sessions," Cisco explains in an advisory.
In 1998, Bleichenbacher proposed upgrading the encryption scheme, but instead, TLS designers kept the vulnerable encryption modes and added a series of complicated countermeasures to prevent the leakage of error details.
Now, a team of security researchers has discovered that these countermeasures were incomplete and just by using some slight variations, this attack can still be used against many HTTPS websites.
"We changed it to allow various different signals to distinguish between error types like timeouts, connection resets, duplicate TLS alerts," the researchers said.
"We also discovered that by using a shortened message flow where we send the ClientKeyExchange message without a ChangeCipherSpec and Finished message allows us to find more vulnerable hosts."
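The oracle described above, and the countermeasure the paper discusses (replacing a failed decryption with random bytes, as TLS 1.2 prescribes in RFC 5246 section 7.4.7.1), as an added example that is not code from the article or from the ROBOT researchers. It leaves out the RSA operation itself, works on the decrypted k-byte block, and uses constructed sample inputs; the Python is not constant-time, so it illustrates only the protocol-level signals, not the timing side channels the researchers also measured.

```python
"""Added example (not code from the article or the ROBOT paper): the server-side
handling of an RSA-encrypted premaster secret that either creates or avoids a
Bleichenbacher padding oracle.  The RSA operation itself is left out: every
function takes EM, the k-byte result of RSA decryption, so no key is needed.
All byte strings are constructed for the demonstration."""
import os
from typing import Optional

K = 256                   # byte length of a 2048-bit RSA modulus (assumed)
PMS_LEN = 48              # TLS premaster secret length (RFC 5246, 7.4.7.1)
TLS12 = b"\x03\x03"       # ClientHello.client_version for TLS 1.2
FILL = b"\x7f"            # a non-zero padding byte for constructed samples
GOOD_PMS = TLS12 + bytes(range(1, 47))   # constructed 48-byte premaster secret


def pkcs1_v15_unpad(em: bytes) -> Optional[bytes]:
    """Strict PKCS#1 v1.5 type-2 unpadding: 00 02 <PS, >= 8 non-zero bytes> 00 M.
    Returns M, or None when the structure is wrong.  (Not constant-time: the
    point here is protocol-level behaviour, not timing.)"""
    if len(em) != K or em[0] != 0x00 or em[1] != 0x02:
        return None
    sep = em.find(b"\x00", 2)             # first 00 byte after the 02
    if sep == -1 or sep - 2 < 8:          # no separator, or PS too short
        return None
    return em[sep + 1:]


def vulnerable_handle(em: bytes, client_version: bytes) -> tuple:
    """Pre-countermeasure behaviour: each failure yields a distinct, externally
    visible signal.  That distinguishability is the oracle."""
    m = pkcs1_v15_unpad(em)
    if m is None:
        return ("alert", "decrypt_error")        # padding structure wrong
    if len(m) != PMS_LEN:
        return ("alert", "illegal_parameter")    # premaster length wrong
    if m[:2] != client_version:
        return ("alert", "protocol_version")     # version bytes wrong
    return ("continue", m)


def hardened_handle(em: bytes, client_version: bytes) -> tuple:
    """RFC 5246 7.4.7.1 countermeasure: draw 46 random bytes *before* looking
    at the decryption result; on any failure use them as the premaster secret
    and continue.  The bad guess only surfaces later as a Finished MAC failure,
    which looks the same for every kind of malformed input."""
    r = os.urandom(PMS_LEN - 2)
    m = pkcs1_v15_unpad(em)
    if m is None or len(m) != PMS_LEN:
        pms = client_version + r
    else:
        pms = client_version + m[2:]             # overwrite the version, never reject it
    return ("continue", pms)


def visible(result: tuple) -> tuple:
    """What the peer, and therefore an attacker, can observe: an alert with its
    description, or merely that the handshake carried on."""
    return result if result[0] == "alert" else ("continue",)


def make_em(m: bytes, ps: Optional[bytes] = None,
            header: bytes = b"\x00\x02") -> bytes:
    """Build a K-byte encoded message 'header || PS || 00 || m' (constructed)."""
    if ps is None:
        ps = FILL * (K - len(header) - 1 - len(m))
    em = header + ps + b"\x00" + m
    assert len(em) == K, "constructed sample has the wrong length"
    return em


# Constructed decryption results: one well-formed block and five malformed ones.
SAMPLES = {
    "well_formed":    make_em(GOOD_PMS),
    "bad_block_type": make_em(GOOD_PMS, header=b"\x00\x01"),
    "no_separator":   b"\x00\x02" + FILL * (K - 2),
    "short_padding":  make_em(GOOD_PMS + FILL * (K - 6 - PMS_LEN), ps=FILL * 3),
    "wrong_length":   make_em(GOOD_PMS[:20]),
    "wrong_version":  make_em(b"\x03\x01" + GOOD_PMS[2:]),
}


def distinct_signals(handler) -> set:
    """The set of distinguishable outcomes a handler leaks over SAMPLES."""
    return {visible(handler(em, TLS12)) for em in SAMPLES.values()}


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_handle),
                          ("hardened", hardened_handle)):
        print(f"{name}: {len(distinct_signals(handler))} distinguishable outcome(s)")
```

The vulnerable handler leaks four distinguishable outcomes over the six samples, the hardened one exactly one; the researchers' point is that a real stack must also keep timeouts, resets and duplicate alerts uniform, not just the alert type.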
According to the researchers, some of the most popular websites on the Internet, including Facebook and Paypal, are affected by the vulnerability. The researchers found "vulnerable subdomains on 27 of the top 100 domains as ranked by Alexa."
The ROBOT attack stems from the above-mentioned implementation flaw, which only affects TLS cipher modes using RSA encryption, allowing an attacker to passively record traffic and later decrypt it.
"For hosts that usually use forward secrecy, but still support a vulnerable RSA encryption key exchange the risk depends on how fast an attacker is able to perform the attack," the researchers said.
"We believe that a server impersonation or man in the middle attack is possible, but it is more challenging."
The ROBOT attack was discovered by Hanno Böck, Juraj Somorovsky of Ruhr-Universität Bochum/Hackmanit GmbH, and Craig Young of Tripwire VERT, who also created a dedicated website explaining the whole attack, its implications, mitigations and more.
The attack affects implementations from several different vendors, some of which have already released patches and most have support notes acknowledging the issue.
You will find the list of affected vendors on the ROBOT website.
The researchers have also released a Python tool to scan for vulnerable hosts. You can also check your HTTPS server against the ROBOT attack on their website.
12.12.2017 Kaspersky Android
Two years ago, in October 2015, we published a blog post about a popular malware that was being distributed from the Google Play Store. Over the next two years we detected several similar apps on Google Play, but in October and November 2017 we found 85 new malicious apps on Google Play that are stealing credentials for VK.com. All of them have been detected by Kaspersky Lab products as Trojan-PSW.AndroidOS.MyVk.o. We reported 72 of them to Google and they deleted these malicious apps from Google Play Store; the 13 other apps were already deleted. Furthermore, we reported these apps with technical details to VK.com. One of these apps was masquerading as a game and was installed more than a million times according to Google Play Store.
One of the apps detected as Trojan-PSW.AndroidOS.MyVk.o was distributed as a game.
There were some other popular apps among them too – seven apps had 10,000-100,000 installations from Google Play and nine apps had 1,000-10,000 installations. All other apps had fewer than 1,000 installations.
App detected as Trojan-PSW.AndroidOS.MyVk.o on Google Play Store
Most of these apps were uploaded to Google Play in October 2017, but several of them were uploaded in July 2017, so they were being distributed for as long as 3 months. Moreover, the most popular app was initially uploaded to the Google Play Store in March 2017, but without any malicious code—it was just a game. Cybercriminals updated this app with a malicious version only in October 2017, having waited more than 7 months to do so!
Most of these apps looked like apps for VK.com – for listening to music or for monitoring user page visits.
App detected as Trojan-PSW.AndroidOS.MyVk.o on Google Play Store
Sure, such apps need a user to log in to an account – that’s why they didn’t look suspicious. The only apps whose functionality was not VK-related were game apps. Because VK is popular mostly in CIS countries, cybercriminals checked the device language and asked for VK credentials only from users with certain languages – Russian, Ukrainian, Kazakh, Armenian, Azerbaijani, Belarusian, Kyrgyz, Romanian, Tajik, and Uzbek.
Code where a Trojan checks the device language.
These cybercriminals were publishing their malicious apps on Google Play Store for more than two years, so they had to modify their code to bypass detection. In these apps they used a modified VK SDK with tricky code–users logged on to the standard page, but the cybercriminals used malicious JS code to get the credentials from the login page and pass them back to the app.
Malicious code where a Trojan executes JS code to get VK credentials.
Then the credentials are encrypted and uploaded to the malicious website.
Code where a Trojan decrypts a malicious URL, encrypts stolen credentials and uploads them.
The interesting thing is that although most of these malicious apps had the functionality described above, a few of them were slightly different—they also used malicious JS code from the OnPageFinished method, not only for extracting credentials but for uploading them too.
Malicious code where a Trojan executes JS code to get and upload VK credentials
We think that cybercriminals use stolen credentials mostly for promoting groups in VK.com. They silently add users to promote various groups and increase their popularity by doing so. We have reason to think so because there were complaints from some infected users that their accounts had been silently added to such groups.
Another reason to think so is that we were able to find several other apps on Google Play that were published by the same cybercriminals responsible for Trojan-PSW.AndroidOS.MyVk.o. They were published as unofficial clients for Telegram, a popular messaging app. All of them were detected by Kaspersky Lab products as not-a-virus:HEUR:RiskTool.AndroidOS.Hcatam.a. We notified Google about these apps too and they deleted them from Google Play Store.
App infected with not-a-virus:HEUR:RiskTool.AndroidOS.Hcatam.a on Google Play Store
These apps were not only masquerading as Telegram apps, they were actually built using an open source Telegram SDK and work almost like every other such app. Except one thing – they added users to promoted groups/chats. These apps receive a list with groups/chats from their server. What’s more, they can add users to groups anytime – to do so they steal a GCM token which allows cybercriminals to send commands 24/7.
We also discovered an interesting thing about the malicious website extensionsapiversion.space. According to KSN statistics, in some cases it was used for mining cryptocurrencies by using an API from http://coinhive.com.
Cloud Security Startup ShieldX Networks Raises $25 Million
12.12.2017 securityweek IT
ShieldX Networks, a San Jose, Calif.-based cloud security company, announced that it has closed a $25 million Series B round of funding with participation from new investors including FireEye founder Ashar Aziz, Dimension Data and Symantec Ventures.
The company describes its flagship “APEIRO” platform as a solution that delivers Software-Defined Security through a containerized, microservices architecture that helps secure complex, multi-cloud environments.
The scalable cloud-based solution supports real-time threat prevention and helps detect and stop suspicious activities in cloud environments that see high-volume, lateral traffic.
“This funding will allow us to expand our marketing and sales efforts to meet increasing market demands while also keeping a strong focus on product development, including increased automation and intelligence across popular cloud environments that will meet customer demand,” said Dr. Ratinder Paul Singh Ahuja, CEO of ShieldX.
According to the company, its customer list includes organizations such as Alaska Airlines, Iowa State University and Park Holidays.
“Alaska Airlines is actively moving processes to next generation private and public cloud environments in an effort to support the rapid application development and innovation that really delights our guests. We were looking for a security and micro-segmentation solution that could scale and adapt with our new multi-cloud strategy with a comprehensive and consistent security policy across all environments,” said Brian Talbert, Director of Network and Connectivity Solutions at Alaska Airlines. “ShieldX has been an ideal partner throughout the development process by meeting our on premise and cloud needs, rapidly responding to our input, and by supporting our new Microsoft Azure requirements.”
Existing investors, Bain Capital Ventures, Aspect Ventures and FireEye also participated in the Series B round.
Did Major Cyberattacks of 2017 Impact Security Budgets?
12.12.2017 securityweek Cyber
The Effect of WannaCry and NotPetya Outbreaks on Corporate Security Budgets is...Complicated
Despite common perception, the WannaCry and NotPetya outbreaks of 2017 have not -- at least, not yet -- had any marked effect on security budgets.
AlienVault surveyed 233 IT professionals globally to see how roles have changed following the high profile attacks of 2017 that many commentators assumed would act as a wake-up call for senior management. The results disprove this. Just 14% of the respondents have had their budgets for cyber security increased, and only a fifth (20%) have been able to implement changes or projects that were previously put on hold.
"WannaCry and NotPetya are generally believed to have marked a turning point in cyber awareness, but the reality on the ground paints a different picture," comments AlienVault security advocate, Javvad Malik.
The questions posed by AlienVault loosely fall into three categories: did you get more quantifiable support from senior management; have attitudes towards security changed since the outbreaks; and how has your company reacted to the outbreaks? For the first, 70% of the respondents replied that the outbreaks have made no difference financially to their role; that is, WannaCry and NotPetya have not resulted in the expected security budget increase.
Similarly, there has been little change in attitude towards the security function, either internally to the organization, or externally in the wider marketplace. For example, less than 10% of boards have shown any greater interest in the security role, while more than 60% of respondents replied that the outbreaks have made no difference to the way they are viewed within their organizations. And while 7% of respondents have noticed an increase in new job offers since the outbreaks, 90% say they have made no difference.
Of the questions posed in this survey, two, however, show the practical effect of WannaCry and NotPetya on patching and posture. Two-thirds of the respondents say they are now more up-to-date with patching than they were before the outbreaks, while just one-third say it has made no difference. Further, 58% of respondents carried out a review of their organizations' security posture following the outbreaks (41% did not).
What isn't clear, however, is whether these actions were the result of board pressure or support, or simply the respondents taking their own action from within their existing budgets. The latter is implied by the apparent lack of reaction by boards shown in the other questions -- and this is further supported by a recent PwC survey.
PwC's annual Global State of Information Security Survey questions around 10,000 security professionals in more than 100 different countries. The 2017 survey found that UK security budgets (where firms and especially the NHS were badly hit by WannaCry) stood at around £6.2 million (double the previous year's £3 million average). The latest 2018 survey, announced after the WannaCry and NotPetya outbreaks in October 2017, shows the UK slashing average budgets back down to £3.9 million.
Surprisingly, however, both of these surveys seem to be in contrast to a Gartner forecast published only last week. Gartner's Ruggero Contu commented, "Overall, a large portion of security spending is driven by an organization's reaction toward security breaches as more high profile cyberattacks and data breaches affect organizations worldwide. Cyberattacks such as WannaCry and NotPetya, and most recently the Equifax breach, have a direct effect on security spend, because these types of attacks last up to three years."
Noticeably, Gartner increased its global security spend prediction for 2018 by $3 billion over an earlier prediction in August 2017; apparently on the expected effect of WannaCry, NotPetya and the Equifax breach.
Three major firms have now commented on security budgets in the last two months; all of them after the WannaCry and NotPetya outbreaks (with two of them specifically referencing those outbreaks). One (Gartner) says that budgets will increase because of the outbreaks; another (AlienVault) implies 'no change' despite the outbreaks; while the third (PwC) indicates slashed budgets in a country that was severely hit by WannaCry.
This discrepancy highlights the problem with all surveys and predictions. Each one is accurate, but only within the context of its delivery. Gartner based its forecast on the results of a 2016 survey where the highest percentage of respondents said that a security breach is the main security risk influencing their security spending. On this basis, security spend will undoubtedly increase.
The PwC figures covering the UK show a decrease in budget, but only after the previous year's rather dramatic increase; which, according to PwC, took the UK to "over one and a half times more than their global counterparts."
The AlienVault survey questioned a relatively low number of "233 IT professionals." We don't know where they are located, what size company they work for, nor their specific cybersecurity role. AlienVault decided to press-headline the survey results with "Cyber Threats Are Still Being Brushed Aside, Even After WannaCry and NotPetya". (The associated blog title is less dramatic: "The Impact of NotPetya and WannaCry".)
When challenged by SecurityWeek, Malik suggested that the AlienVault and Gartner results may not be so very different. Despite the headline, he told SecurityWeek, "Our results are not based on our opinion, but are the aggregated results of a survey from the Spiceworks community -- which may or may not be representative of the wider market. So, while only 14% have claimed that their budgets for cybersecurity have increased, the broader survey does show that over half of organizations carried out a review of their cyber security posture, two thirds are more up-to-date with patching, and half are using threat intelligence more."
One thing is clear from these differences: if you want to get an accurate picture of what is really going on, you need to look beyond the individual headlines.
Millions Impacted by Credential-Stealers in Google Play
12.12.2017 securityweek Android
During October and November 2017, Kaspersky Lab researchers discovered 85 applications in Google Play that were designed to steal credentials for Russian social network VK.com. One of the malicious applications had more than a million downloads.
While most of the applications were listed in the marketplace in October and gathered fewer than 1,000 installations, some were uploaded in July and proved to be highly popular among users. Seven of the apps had between 10,000 and 100,000 downloads, while nine had between 1,000 and 10,000 installations.
The most popular of the apps masqueraded as a game. It was submitted to Google Play in April 2017 without malicious code in it, but an update in October 2017 added the information stealing capabilities. The game gathered more than 1 million downloads in the seven months it was active on Google Play.
Most of the offending applications were designed to look like apps for the VK.com social platform, supposedly allowing users to listen to music or monitor user page visits. Because apps of this type normally ask for the user to log into their account, they didn’t raise suspicion. Some of the programs were game apps.
The campaign was targeted at VK users only. The platform is highly popular in CIS countries, and the malicious apps first checked the device language and only asked for login credentials if Russian, Ukrainian, Kazakh, Armenian, Azerbaijani, Belarusian, Kyrgyz, Romanian, Tajik, and Uzbek were in use, Kaspersky has discovered.
The actors behind these apps had been publishing their malicious applications in Google Play for over two years, so they had to modify their code to bypass detection, Kaspersky's researchers say.
The recently observed apps used a modified VK SDK with tricky code, which served the standard login page to the user and relied on malicious JS code to steal credentials from the login page and pass them back to the app. The stolen credentials were encrypted and then uploaded to a remote server.
Most of the malicious apps had the described functionality, but some were slightly different: they also used malicious JS code from the OnPageFinished method for extracting credentials and for uploading them.
“We think that cybercriminals use stolen credentials mostly for promoting groups in VK.com. They silently add users to promote various groups and increase their popularity by doing so. We have reason to think so because there were complaints from some infected users that their accounts had been silently added to such groups,” Kaspersky says.
The researchers also note that other Google Play apps submitted by these miscreants were published as unofficial clients for popular messaging app Telegram. Built using an open source Telegram SDK, these apps would work just as any other such software, but they would also add users to promoted groups/chats (based on a list received from the server).
The credential-stealing apps are detected as Trojan-PSW.AndroidOS.MyVk.o. Kaspersky reported 72 of the apps to Google, all of which were removed (13 apps had been removed before). The malicious Telegram clients are detected as not-a-virus:HEUR:RiskTool.AndroidOS.Hcatam.a. They too were removed from Google Play.
Patchwork Cyberspies Adopt New Exploit Techniques
12.12.2017 securityweek CyberSpy
Malware campaigns attributed to the Patchwork cyberespionage group have been using a new delivery mechanism and exploiting recently patched vulnerabilities, Trend Micro warns.
Also known as Dropping Elephant or Chinastrats and believed to be operating out of the Indian subcontinent, the group is said to have been active since 2014. Initially focused on government-associated organizations that have connections to Southeast Asia and the South China Sea, the actor has expanded its target list to include entities in a broad range of industries.
In a new report (PDF) on Patchwork’s latest operations, Trend Micro says that the group has added businesses to its list of targets and that its use of numerous infection vectors and payloads makes it a credible threat.
Campaigns that security researchers have associated with the group over the course of 2017 revealed diverse methods (social engineering hooks, attack chains, and backdoors), along with the adoption of Dynamic Data Exchange (DDE), Windows Script Component (SCT), and exploits for recently reported vulnerabilities.
“These imply they’re at least keeping an eye on other threats and security flaws that they can repurpose for their own ends. Also of note are its attempts to be more cautious and efficient in their operations,” Trend Micro notes.
Targets and attack vectors
The observed campaigns focused on multiple sectors in China and South Asia, but also hit organizations in the U.K., Turkey, and Israel. Using spear-phishing emails, the cyberespionage group targeted high-profile personalities, business-to-consumer (B2C) online retailers, telecommunications and media companies, aerospace researchers, and financial institutions. The United Nations Development Programme was targeted as well.
The spear-phishing emails contained website redirects, direct links, or malicious attachments. Some emails contained direct links to malicious documents hosted on the attacker-owned servers. The group spoofed a news site and used it to divert visitors to socially engineered, malware-ridden documents and was also observed misusing email and newsletter distribution services.
A fake Youku Tudou website (a social video platform popular in China) was used for drive-by downloads. The victim was tricked into downloading and executing a fake Adobe Flash Player update that was, in fact, a variant of the xRAT Trojan.
Patchwork was also observed phishing for credentials to take over a target’s emails and other online accounts. One attack copied a webpage from a legitimate web development company and displayed the fake page to victims alone.
Using Rich Text Format (RTF) documents, the group exploited vulnerabilities such as CVE-2012-1856 – a remote code execution (RCE) in the Windows common control MSCOMCTL, or CVE-2015-1641 – a memory corruption in Microsoft Office. They also exploited the CVE-2014-4114 Sandworm RCE vulnerability in Windows’ Object Linking and Embedding (OLE) via PowerPoint (PPSX) files.
More recent vulnerabilities the actor has been abusing include CVE-2017-0199 – an RCE in Microsoft Office’s Windows OLE, patched in April 2017, and CVE-2017-8570 – an RCE in Microsoft Office patched in July 2017. They were exploited via PowerPoint (PPT) and PPSX files.
The malicious PPSX files exploiting CVE-2017-8570 downloaded a Windows Script Component (SCT) file from a Patchwork-owned server to eventually deliver the xRAT malware.
“Apart from exploit-laden documents, Patchwork also misused DDE to retrieve and execute xRAT in the infected machine. They also sent a document embedded with an executable, which downloads a decoy document and a backdoor, then executes the latter,” Trend Micro explains.
Malware and infrastructure
In addition to using a variety of malicious documents for their nefarious purposes, the Patchwork hackers also deployed a miscellany of backdoors and information stealers onto their victims’ machines. Some of these tools appear to be used solely by this group, the security researchers say.
The threat actor was observed dropping malware such as the NDiskMonitor custom backdoor (believed to be Patchwork’s own, it can list files and logical drives and download and execute files from specified URLs); and Socksbot, which can start Socket Secure (SOCKS) proxy, take screenshots, and run executables and PowerShell scripts.
Malware such as the xRAT remote access tool (its source code is available online) and the Badnews backdoor (potent information-stealing and file-executing malware) were also associated with the group’s activities, as well as a series of file stealers (Taskhost Stealer and Wintel Stealer targeting .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, and RTF files, along with .eml and .msg email messages; as well as versions of file stealers written in AutoIt).
Trend Micro has discovered 30 to 40 IP addresses and domain names used by the group in 2017 and says that each of the servers has had a different purpose. While some were only meant as command and control (C&C) servers that would collect data from the used stealers, others were used only to host phishing websites.
In some cases, the same server was used both for C&C communication and to distribute malware (or malicious documents) by hosting content copied from legitimate websites.
The group has been using publicly available PHP scripts for retrieving files from the server without disclosing their real paths, likely to prevent security researchers from finding open directories. Trend Micro also observed the group temporarily removing a file so it could not be retrieved or replacing it with a legitimate one. Sometimes they would display “a fake 302 redirection page to trick researchers into thinking the files are gone.”
“Patchwork is in a vicious cycle, given the group’s habit of rehashing tools and malware. The more those are used, the likelier that they’d be incorporated in the group’s arsenal. The takeaway for enterprises? The gamut of tools and techniques at Patchwork’s disposal highlights the significance of defense in depth: arraying proactive defense to thwart threats at each level—from the gateways, endpoints, and networks to servers,” Trend Micro notes.
Golduck Malware Infects Classic Android Games
12.12.2017 securityweek Android
Several classic game applications in Google Play have been silently downloading and installing a malicious APK file onto Android devices, Appthority reports.
The malicious code was downloaded from a "Golduck" server and installed on devices using a technique called Java reflection. The offending applications, the security company says, were also observed running shell commands and sending SMS messages.
Appthority describes the malicious applications as high quality classic games, including Tank and Bomber. Rated high on Google Play, the games had up to 10.5 million downloads when their nefarious behavior was exposed.
The extra APK was being fetched from hxxp://golduck.info/pluginapk/gp.apk, after which the original game app would load the downloaded code via the /system/bin/dex2oat command.
Appthority's security researchers discovered three folders inside the loaded gp.apk file, each with a seemingly benign name, such as “google.android”, “startapp.android.unity.ads,” and “unity.ads.” The malicious code was hidden inside the google.android folder.
By analyzing the content of the folders, Appthority found code (PackageUtils.class) designed to silently install applications using system permissions.
“These malicious apps seem to be at their initial stage and the code is not obfuscated,” the company notes.
The downloaded payload also contains code for sending SMS messages to users’ contacts. These messages contained game information, thus potentially increasing the chances that the malware would spread to other users.
The Golduck malware, the security company says, could allow attackers to completely compromise the infected device, especially if root is available. The threat also sets the stage for adware-related attacks.
Appthority found two Golduck-infected applications in Google Play and informed Google of the matter on Nov. 20, 2017. All of the offending applications have been taken down by the Android Security team.
To stay protected from the Golduck malware, users are advised to keep an eye on unusual activity on their mobile devices, such as the availability of root access without their intent. SMS charges from unknown sources would also indicate possible infection.
Users are also advised to avoid installing applications from unknown developers and from unofficial app stores.
The applications Appthority has found infected with Golduck include Classic Block Puzzle, Classic Bomber, and Classic Tank vs Super Bomber. Users are advised to uninstall these as soon as possible.
Adobe Patches 'Business Logic Error' in Flash Player
12.12.2017 securityweek Vulnerebility
The only security update released by Adobe this Patch Tuesday addresses a moderate severity regression issue affecting Flash Player.
The vulnerability, tracked as CVE-2017-11305 and described as a “business logic error,” can lead to the unintended reset of the global settings preference file.
There is no evidence of exploitation in the wild and Adobe appears to have discovered the bug on its own.
The flaw affects version 184.108.40.206 and earlier of Flash Player on Windows, Mac, Linux and Chrome OS, and it has been patched with the release of version 220.127.116.11. Microsoft has also updated the Flash Player components used by its software in order to address this issue.
Last month, Adobe addressed a total of 80 vulnerabilities across Flash Player, Photoshop, Connect, Acrobat and Reader, DNG Converter, InDesign, Digital Editions, Shockwave Player, and Experience Manager. Five of the security holes affected Flash.
In October, the company initially announced that it had no Patch Tuesday updates, but a few days later it was forced to release an out-of-band update for Flash Player after Kaspersky Lab researchers noticed that a Middle Eastern threat actor named BlackOasis had been exploiting a zero-day vulnerability to deliver spyware.
The number of flaws found in Flash Player in the past months has decreased considerably, which may be a result of the decision to kill Flash Player by 2020. Nevertheless, as long as the software is still widely utilized, zero-day exploits are highly valuable to malicious actors.
Collection of 1.4 Billion Plain-Text Leaked Passwords Found Circulating Online
12.12.2017 thehackernews Incindent
Hackers always first go for the weakest link to quickly gain access to your online accounts.
Online users' habit of reusing the same password across multiple services gives hackers the opportunity to use credentials gathered from one data breach to break into their other online accounts.
Researchers from security firm 4iQ have now discovered a new collective database on the dark web (released on Torrent as well) that contains a whopping 1.4 billion usernames and passwords in clear text.
The aggregate database, found on 5 December in an underground community forum, has been said to be the largest ever aggregation of various leaks found in the dark web to date, 4iQ founder and chief technology officer Julio Casal noted in a blog post.
Though links to download the collection had already been circulating on dark-web sites for the last few weeks, it gained more exposure when someone posted it on Reddit a few days ago, from where we also downloaded a copy and can now verify its authenticity.
Researchers said the massive 41GB archive, as shown below, contains 1.4 billion username/e-mail and password combinations, properly fragmented and sorted into two- and three-level directories.
The archive had been last updated at the end of November and didn't come from a new breach—but from a collection of 252 previous data breaches and credential lists.
The collective database contains plain text credentials leaked from Bitcoin, Pastebin, LinkedIn, MySpace, Netflix, YouPorn, Last.FM, Zoosk, Badoo, RedBox, games like Minecraft and Runescape, and credential lists like Anti Public, Exploit.in.
"None of the passwords are encrypted, and what's scary is that we've tested a subset of these passwords and most of them have been verified to be true," Casal said. "The breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo list that exposed 797 million records."
"This new breach adds 385 million new credential pairs, 318 million unique users, and 147 million passwords pertaining to those previous dumps."
The database has been neatly organized and indexed alphabetically, too, so that would-be hackers with basic knowledge can quickly search for passwords.
For example, a simple search for "admin," "administrator" and "root," returned 226,631 passwords used by administrators in a few seconds.
Although some of the breach incidents are quite old, with the stolen credentials circulating online for some time, the success ratio is still high for criminals due to users' lousy habit of reusing their passwords across different platforms and choosing easy-to-guess passwords.
The most common yet worst passwords found in the database are "123456", "123456789", "qwerty," "password" and "111111."
It is still unclear who is responsible for uploading the database on the dark web, but whoever it is has included Bitcoin and Dogecoin wallets for any user who wants to donate.
To protect yourself, you are strongly advised to stop reusing passwords across multiple sites and always keep strong and complex passwords for your various online accounts.
If it's difficult for you to remember and create complex passwords for different services, you can make use of a good password manager. We have listed some good password managers that could help you understand the importance of such a tool and choose one according to your requirements.
Newly Uncovered 'MoneyTaker' Hacker Group Stole Millions from U.S. & Russian Banks
12.12.2017 thehackernews CyberCrime
Security researchers have uncovered a previously undetected group of Russian-speaking hackers that has silently been targeting banks, financial institutions, and legal firms, primarily in the United States, the UK, and Russia.
Moscow-based security firm Group-IB published a 36-page report on Monday, providing details about the newly-disclosed hacking group, dubbed MoneyTaker, which has been operating since at least May 2016.
In the past 18 months the group is believed to have conducted more than 20 attacks against financial organisations, stealing more than $11 million along with sensitive documents that could be used in future attacks.
According to the security firm, the group has primarily been targeting card processing systems, including the AWS CBR (Russian Interbank System) and SWIFT international bank messaging service (United States).
"Criminals stole documentation for OceanSystems’ FedLink card processing system, which is used by 200 banks in Latin America and the US." Group-IB says in its report.
Group-IB also warned that the MoneyTaker attacks against financial organizations appear to be ongoing and banks in Latin America could be their next target.
MoneyTaker: 1.5 Years of Silent Operations
Since its first successful attack in May last year, MoneyTaker has targeted banks in California, Illinois, Utah, Oklahoma, Colorado, South Carolina, Missouri, North Carolina, Virginia and Florida, primarily targeting small community banks with limited cyber defenses.
Even after a large number of attacks against so many targets, the MoneyTaker group managed to keep its activities concealed and unattributed by relying on publicly available penetration-testing and hacking tools, including Metasploit, NirCmd, psexec, Mimikatz, Powershell Empire, as well as proof-of-concept code demonstrated at a Russian hacking conference in 2016.
"To propagate across the network, hackers used a legitimate tool psexec, which is typical for network administrators." Group-IB says in its report.
Besides using open-source tools, the group has also been heavily utilizing Citadel and Kronos banking trojans to deliver a Point-of-Sale (POS) malware, dubbed ScanPOS.
"Upon execution, ScanPOS grabs information about the current running processes and collects the user name and privileges on the infected system. That said, it is primarily designed to dump process memory and search for payment card track data. The Trojan checks any collected data using Luhn’s algorithm for validation and then sends it outbound to the C&C server."
"The group uses 'fileless' malware only existing in RAM and is destroyed after reboot. To ensure persistence in the system MoneyTaker relies on PowerShell and VBS scripts - they are both difficult to detect by antivirus and easy to modify. In some cases, they have made changes to source code 'on the fly' – during the attack."
"To escalate privileges up to the local administrator (or SYSTEM local user), attackers use exploit modules from the standard Metasploit pack, or exploits designed to bypass the UAC technology. With local administrator privileges they can use the Mimikatz program, which is loaded into the memory using Meterpreter, to extract unencrypted Windows credentials."
Moreover, MoneyTaker also makes use of SSL certificates generated using the names of well-known brands—including Bank of America, Microsoft, Yahoo and Federal Reserve Bank—to hide its malicious traffic.
The hacking group also configures its servers so that malicious payloads are delivered only to a predetermined list of IP addresses belonging to the targeted company. It also relies on PowerShell and VBS scripts to ensure persistence in the targeted system.
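Detection logic for the tradecraft described above (PsExec lateral movement, encoded or hidden PowerShell, VBS scripts run from user-writable paths), added here as an example and not taken from Group-IB's report or its tooling. The pipe-delimited event format, host name, user names and command lines are all constructed sample data, and the rules are deliberately narrow so that a routine `-File` run of an administrator's script does not fire.

```python
import re
from typing import Callable, List, NamedTuple

# Constructed process-creation events (sample data, not real telemetry), one per line:
#   timestamp | host | user | parent image | image | command line
SAMPLE_LOG = "\n".join([
    r"2017-11-14T09:12:03Z|WS-ACCT-07|NT AUTHORITY\SYSTEM|C:\Windows\System32\services.exe|C:\Windows\PSEXESVC.exe|C:\Windows\PSEXESVC.exe",
    r"2017-11-14T09:12:05Z|WS-ACCT-07|NT AUTHORITY\SYSTEM|C:\Windows\PSEXESVC.exe|C:\Windows\System32\cmd.exe|cmd.exe /c whoami",
    r"2017-11-14T09:13:10Z|WS-ACCT-07|NT AUTHORITY\SYSTEM|C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc ZABpAHIA",
    r"2017-11-14T09:15:42Z|WS-ACCT-07|CORP\jdoe|C:\Windows\explorer.exe|C:\Windows\System32\wscript.exe|wscript.exe //B C:\Users\jdoe\AppData\Roaming\update.vbs",
    r"2017-11-14T09:16:00Z|WS-ACCT-07|CORP\jdoe|C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|EXCEL.EXE C:\Users\jdoe\Documents\q3.xlsx",
    r"2017-11-14T09:17:30Z|WS-ACCT-07|CORP\jdoe|C:\Windows\explorer.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -File C:\Scripts\backup.ps1",
])


class ProcEvent(NamedTuple):
    ts: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


class Rule(NamedTuple):
    name: str
    reason: str
    match: Callable[[ProcEvent], bool]


class Hit(NamedTuple):
    ts: str
    host: str
    rule: str
    reason: str


def parse_line(line: str) -> ProcEvent:
    """Split one pipe-delimited event; the command line is the last field and may contain spaces."""
    fields = line.split("|", 5)
    if len(fields) != 6:
        raise ValueError(f"malformed event: {line!r}")
    return ProcEvent(*fields)


def is_psexec(e: ProcEvent) -> bool:
    # The PSEXESVC service binary itself, or anything it spawns on the target host.
    return e.image.lower().endswith("psexesvc.exe") or e.parent.lower().endswith("psexesvc.exe")


ENCODED_OR_HIDDEN = re.compile(
    r"\s-(e|ec|enc|encodedcommand|nop|noprofile|w\s+hidden|windowstyle\s+hidden)\b", re.IGNORECASE)


def is_fileless_powershell(e: ProcEvent) -> bool:
    # Encoded commands and hidden windows keep the script off disk and out of sight;
    # a plain "-File script.ps1" invocation is not flagged.
    return e.image.lower().endswith("powershell.exe") and ENCODED_OR_HIDDEN.search(e.cmdline) is not None


USER_WRITABLE_VBS = re.compile(r"\\(appdata|temp|users\\[^\\]+\\downloads)\\.*\.vbs\b", re.IGNORECASE)


def is_script_persistence(e: ProcEvent) -> bool:
    # A Windows Script Host running a .vbs out of AppData, Temp or Downloads is what
    # script-based persistence usually looks like in process telemetry.
    return (e.image.lower().endswith(("wscript.exe", "cscript.exe"))
            and USER_WRITABLE_VBS.search(e.cmdline) is not None)


RULES = [
    Rule("psexec_service", "PSEXESVC launched or spawned a child process (PsExec lateral movement)", is_psexec),
    Rule("encoded_powershell", "PowerShell started with an encoded or hidden-window command line", is_fileless_powershell),
    Rule("script_host_user_path", "wscript/cscript running a .vbs from a user-writable directory", is_script_persistence),
]


def detect(log_text: str) -> List[Hit]:
    """Run every rule over every event and return the hits in event order."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        event = parse_line(line)
        for rule in RULES:
            if rule.match(event):
                hits.append(Hit(event.ts, event.host, rule.name, rule.reason))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(f"{hit.ts} {hit.host} [{hit.rule}] {hit.reason}")
```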
The very first attack that Group-IB attributes to MoneyTaker was conducted in May 2016, when the group managed to gain access to First Data's STAR—the largest U.S. bank transfer messaging system, connecting ATMs at over 5,000 organizations—and stole money.
In January 2017, a similar attack was carried out against another bank.
Here's how the attack works:
"The scheme is extremely simple. After taking control over the bank's network, the attackers checked if they could connect to the card processing system. Following this, they legally opened or bought cards of the bank whose IT system they had hacked," Group-IB explains.
"Money mules – criminals who withdraw money from ATMs – with previously activated cards went abroad and waited for the operation to begin. After getting into the card processing system, the attackers removed or increased cash withdrawal limits for the cards held by the mules."
The money mules then removed overdraft limits, which made it possible for them to overdraw cash even with debit cards. Using these cards, they "withdrew cash from ATMs, one by one."
According to the report, the average money stolen by MoneyTaker from United States banks alone was about $500,000, and more than $3 million was stolen from at least three Russian banks.
The report also detailed an attack against a Russian bank, wherein the MoneyTaker group used a modular malware program to target the AWS CBR (Automated Work Station Client of the Russian Central Bank)—a Russian interbank fund transfer system similar to SWIFT.
The modular tool had capabilities to search for payment orders and modify them, replace original payment details with fraudulent ones, and carefully erase malware traces after completing its tasks.
While it is still unclear how MoneyTaker usually gains its initial foothold in a corporate network, in one specific case the entry point into the bank's internal network was the home computer of the bank's system administrator.
Group-IB believes that the hackers are now looking for ways to compromise the SWIFT interbank communication system, although it found no evidence of MoneyTaker behind any of the recent cyber attacks on SWIFT systems.
Google Researcher Releases iOS Exploit—Could Enable iOS 11 Jailbreak
12.12.2017 thehackernews Apple
As promised last week, Google Project Zero researcher Ian Beer has now publicly disclosed an exploit that works on almost all 64-bit Apple devices running iOS 11.1.2 or earlier, which can be used to build an iOS jailbreak, allowing users to run apps from non-Apple sources.
On Monday morning, Beer shared the details on the exploit, dubbed "tfp0," which leveraged double-free memory corruption vulnerabilities in the kernel, the core of the operating system.
Here, "tfp0" stands for "task for pid 0" or the kernel task port—which gives users full control over the core of the operating system.
The Project Zero researcher responsibly reported these vulnerabilities to Apple in October, and they were patched by the company with the release of iOS 11.2 on 2 December.
While Beer says he has successfully tested his proof of concept exploit on the iPhone 6s and 7, and iPod Touch 6G, he believes that his exploit should work on all 64-bit Apple devices.
Another security researcher confirmed that the exploit released by Beer also works on his Apple TV running tvOS 11.x and on an Apple TV 4K running iOS 11.1.2.
What's worse? Since Apple's iOS mobile operating system and macOS desktop operating system share the same code base, the kernel for macOS is also vulnerable to the bug, according to a report published by Project Zero on Google's Chromium Blog.
Beer said he has also successfully tested the vulnerability on macOS 10.13, running on a MacBook Air 5.2, which Apple patched in macOS 10.13.1.
Earlier versions of both operating systems remain vulnerable to the exploit, which essentially grants complete access to the kernel, exactly what the jailbreak community requires.
Although we have not heard any news of iOS jailbreaks from the jailbreak community for a very long time, Beer's exploit could be the basis for a future iOS 11 jailbreak, allowing iPhone and iPad users to install third-party OS customizations via apps that Apple restricts.
If an iOS 11.1.2 jailbreak surfaces in the coming days, you can still downgrade to iOS 11.1.2 using iTunes even if you have already updated to iOS 11.2, because Apple is still signing that version of the operating system.
Cybersecurity Incidents Hit 83% of U.S. Physicians: Survey
12.12.2017 securityweek Incident
A majority of physicians in the United States have experienced a cybersecurity incident, and many are very concerned about the potential impact of a cyberattack, according to a study conducted by professional services company Accenture and the American Medical Association (AMA).
A survey of 1,300 doctors revealed that 83% of clinical practices experienced some type of cybersecurity incident. The most common is phishing (55%), followed by malware infections (48%), improper access to electronic protected health information, or ePHI (37%), network breaches (12%), and ransomware and other attacks involving ransom demands (9%).
More than half of respondents said they were either very concerned or extremely concerned about future cyberattacks, particularly that they may result in interruption to their business or electronic health records (EHR) getting compromised. Physicians are also worried about patient safety (53%), civil or criminal liability (36%), damage to reputation (34%), costs associated with incident response (32%), impact on revenue (30%), fines (25%), and medical device security (19%).
When asked about the impact of past cybersecurity incidents on their business, 64% of respondents said it had caused downtime of four hours or less, but in 12% of cases normal operations were suspended for 1-2 days, and in 4% of cases for more than two days.
In response to incidents, the most common actions were notification of the internal IT team (65%), notification or education of employees (61%), implementation of new policies and procedures (59%), and notification of the EHR or health IT vendor (56%).
While doctors are concerned about the security risks associated with the use of electronic systems, they also noted that the ability to share data with outside entities is in most cases very important.
The study also shows that physicians often trust third parties to keep their ePHI data secure. In many cases, they either get assurance from the vendor or simply trust that their data is being protected. Many also sign contracts or rely on their privacy officer to ensure that sensitive information is stored securely.
Nearly half of organizations have an in-house person responsible for cybersecurity and 17% said they are interested in appointing someone to such a position. Others either outsource security management (26%), or share security management with another practice (23%). Some physicians said they received donated cybersecurity software or hardware.
When it comes to security training, half of respondents named tips for good cyber hygiene as the factor that would boost their confidence in their security posture. Others named simplifying the legal language of HIPAA (47%), an easily digestible summary of HIPAA (44%), explanations of the more complex HIPAA rules (40%), and guidance on conducting risk assessments (38%).
Smart Shield Detector allows thieves to discover if the ATM is protected by anti-skimming technology
12.12.2017 securityaffairs CyberCrime
Crooks are now using a small, battery-powered device dubbed Smart Shield Detector that is able to detect the digital anti-skimming technology used in ATMs.
ATM skimmers are widely used by crooks to steal payment card data; in recent months experts have observed an increase in the number of attacks against ATMs involving so-called ‘insert skimmers.’
In response, financial institutions have adopted a variety of technological measures designed to defeat skimming devices, but crooks are now using a small, battery-powered device that is able to detect digital anti-skimming technology.
According to investigative journalist Brian Krebs, a well-known skimmer thief is marketing a product called ‘Smart Shield Detector’, claiming that the device is able to detect a variety of anti-skimming technologies used by financial institutions.
“The device, which sells for $200, is called a ‘Smart Shield Detector,’ and promises to detect “all kinds of noise shields, hidden shields, delayed shields and others!”” wrote Krebs.
“It appears to be a relatively simple machine that gives a digital numeric indicator of whether an ATM uses any of a variety of anti-skimming methods.”
The device is able to determine whether an ATM uses an anti-skimming method such as “frequency jamming,” which relies on electronic signals to scramble both the clock (timing) and the card data itself in a bid to interfere with skimming devices.
“You will see current level within seconds!,” says the seller in an online ad for the Smart Shield Detector. “Available for sale after November 1st, market price 200usd. Preorders available at price 150usd/device. 2+ devices for your team – will give discounts.”
As you can see in the following video, low level (a score between 3-5) means that the ATM isn’t protected by any anti-skimmer shield, while a readout of 15 or higher indicates the presence of some type of electronic shield or jamming technology.
The following video was shared with Krebs by Alex Holden, founder of Hold Security.
The Smart Shield Detector is a valuable instrument for thieves, who can use it to avoid attacking protected ATMs.
“KrebsOnSecurity shared this video with Charlie Harrow, solutions manager for ATM maker NCR Corp. Harrow called the device “very interesting” but said NCR doesn’t try to hide which of its ATM include anti-skimming technologies — such as those that claim to be detectable by the Smart Shield Detector.” continues Krebs.
“The bad guys are skilled, resourced and determined enough that sooner or later they will figure out exactly what we have done, so the ATM has to be safe against a knowledgeable attacker,” Harrow said. “That said, a little secret sauce doesn’t hurt, and can often be very effective in stopping specific attack [methods] in the short term, but it can’t be relied on to provide any long term protection.”
A good habit for bank customers using an ATM is to cover the PIN pad with a hand while entering the PIN; this precaution is effective in the majority of cases, in which crooks pair a skimmer with a tiny hidden camera to read the PIN as customers enter it.
Users can also check for a fake keypad placed over the top of the genuine keypad of an ATM as a means of stealing card data.
Another recommendation is to avoid ATMs located outside banks in uncontrolled places. Be aware of your physical surroundings while using an ATM; you’re probably more apt to get mugged physically than virtually at a cash machine. Finally, try to stick to cash machines that are physically installed inside banks, as these tend to be much more challenging for thieves to compromise than stand-alone machines like those commonly found at convenience stores.
If you are interested in skimming activity, take a look at Krebs’s material about skimming scams.
Companies in the Czech Republic face a new type of fraud; a full third of them fell for it
12.12.2017 Novinky/Bezpečnost Crime
Companies in the Czech Republic are facing a new type of fraud in which accountants receive fake e-mails from their directors requesting payments abroad. According to the police, about 200 companies have been approached this way, and the damage so far amounts to more than 30 million koruna. Police officers announced this at a press conference on Tuesday.
The police have been handling similar cases since May; the first was recorded in South Moravia. The perpetrators use publicly available sources to learn the company's structure, including key names, and then send a fraudulent e-mail to an accountant or secretary that purports to come from the company's director.
In the first e-mail they ask whether a certain sum can be paid abroad, ranging from 9,000 euros (about 230,000 koruna) up to 140,000 euros (3.5 million koruna). When the accountant confirms to the "director" that the transfer is possible, he or she receives a second e-mail with instructions to pay out the money. In a third e-mail the perpetrator then asks whether the payment has been made.
About a third fell for it
"Of the roughly 200 companies approached this way, about a third sent the money. The damage exceeds 30 million koruna, and a further 150 million koruna is in attempted fraud, where the companies did not send the money," said detective Tomáš Němec.
According to the detectives, the fraudulent e-mails come from abroad, where the extracted money also ends up. The police say the e-mails look credible but are written using an online translator, in so-called machine Czech.
"The best protection is well-established communication within the company. It is important to pay attention to requests of this kind and, at the slightest suspicion, to verify whether the payment request really came from the company's management," the detective said. According to him, companies abroad may be facing similar attacks.
Komerční banka warned of a wave of fraudulent attacks known as the "fake president" scam in May this year. At the time it said the scheme was spreading widely in neighbouring countries as well as the Czech Republic. It is apparently the same scheme: the fraudsters, imitating the company's e-mail, posed as senior company representatives and had money sent to tax havens.
A collection of 1.4 Billion Plain-Text leaked credentials is available online
12.12.2017 securityaffairs Incident
A 41-gigabyte archive containing 1.4 billion credentials in clear text was found on the dark web; it had been updated at the end of November.
Another monster data dump has been found online; the huge archive contains over 1.4 billion e-mail addresses, passwords, and other credentials in clear text.
The huge trove of data, a 41-gigabyte archive, was found online on December 5 by security firm 4iQ (@4iQ).
According to 4iQ founder and chief technology officer Julio Casal, the archive is the largest ever aggregation of various leaks found in the dark web to date.
“While scanning the deep and dark web for stolen, leaked or lost data, 4iQ discovered a single file with a database of 1.4 billion clear text credentials — the largest aggregate database found in the dark web to date.” reads a post published by 4iQ on Medium.
“None of the passwords are encrypted, and what’s scary is that we’ve tested a subset of these passwords and most of them have been verified to be true.”
The 41-gigabyte file had been updated at the end of November; it aggregates data from 252 previous data breaches and credential lists.
It is still unclear who collected this data; the only information we have at this time is the Bitcoin and Dogecoin wallet details left for donations.
The collector organized and indexed the data alphabetically; the total number of credentials is 1,400,553,869.
“The breach is almost two times larger than the previous largest credential exposure, the Exploit.in combo list that exposed 797 million records.” continues Julio Casal.
“This new breach adds 385 million new credential pairs, 318 million unique users, and 147 million passwords pertaining to those previous dumps.”
Digging into the archive, it is possible to verify that users continue to choose weak passwords: the top password is still 123456, followed by 123456789, qwerty, password and 111111.
The expert also observed that users tend to reuse the same passwords across multiple online services.
“Since the data is alphabetically organized, the massive problem of password reuse — same or very similar passwords for different accounts — appears constantly and is easily detectable.” states the post.
The researchers highlighted that 14% of exposed credentials are new and in clear text.
“We compared the data with the combination of two larger clear text exposures, aggregating the data from Exploit.in and Anti Public. This new breach adds 385 million new credential pairs, 318 million unique users, and 147 million passwords pertaining to those previous dumps.” continues the expert.
As usual, let me suggest avoiding password reuse across multiple sites and, of course, using strong passwords.
Microsoft accidentally exposed Dynamics 365 TLS certificates exposing sandbox environments to MiTM attacks
12.12.2017 securityaffairs Krypto
Microsoft accidentally exposed a Dynamics 365 TLS certificate and private key for at least 100 days leaving the sandbox environments open to MiTM attacks.
Data leakage continues to be a serious problem for organizations, and this time it is Microsoft that accidentally exposed a Dynamics 365 TLS certificate and private key for at least 100 days.
The software developer Matthias Gliwka discovered the issue while working with the cloud version of the Microsoft ERP system.
Microsoft started offering the ERP product last year; it is a SaaS solution hosted in Azure and accessible through a comprehensive control panel (Life Cycle Services).
According to Gliwka, the TLS certificate was exposed in the Dynamics 365 environment used for user acceptance testing (also referred to as the “sandbox”).
The user acceptance system mirrors the setup of the production environment with a single exception: it offers administrative RDP access.
The expert accessed a sandbox environment via RDP to learn how Microsoft would set up a server hosting such a business critical application.
“The hostname for a sandbox environment is customername.sandbox.operations.dynamics.com. A quick glance at the certificates inside the built-in “Certificate Manager” revealed something shocking” wrote Gliwka on Medium.
“Sitting there in plain sight was a valid TLS certificate for the common name *.sandbox.operations.dynamics.com and the corresponding private key — by the courtesy of Microsoft IT SSL SHA2 CA! This certificate is shared across all sandbox environments, even those hosted for other Microsoft customers.”
The certificate is used to encrypt the web traffic between users and the server; an attacker who extracted it, together with its private key, could gain access to any sandbox environment.
@msftsecresponse Reported a leaked TLS private key for a cloud product >45 days ago - still no response. Can you take a look? Case #40397
10:59 PM - Oct 4, 2017
Gliwka reported the issue to Microsoft, which took a long time to fix it, so he then contacted German tech freelancer Hanno Böck to get coverage.
Böck filed a bug ticket in Mozilla’s bug tracker, which triggered Microsoft’s action.
The issue was resolved on 5 December, months after the first notification on 17 August.
The OceanLotus MacOS Backdoor Transforms into HiddenLotus with a Slick UNICODE Trick
12.12.2017 securityaffairs Apple
Experts at Malwarebytes warn that a new variant of the macOS OceanLotus backdoor is using an innovative technique to avoid detection.
A few years ago the bad actors realized they could use UNICODE characters that looked like English characters to lead unsuspecting victims to malicious websites. Now, they have figured out how to use a similar trick to fool Apple computers too! Substitute a Roman d for a Latin d in .pdf and you might have a way to fool the computer and the user into running the OceanLotus backdoor.
Wikipedia tells us: UNICODE is an industry standard for “the consistent encoding, representation, and handling of text.” Or put another way, it tries to identify every unique character in all of the languages so we can recognize an English “A” and a Greek “A” as distinct.
The bad actors figured out that, to humans, the URL ‘aaa.com’ in English characters looks the same as ‘aaa.com’ in Greek characters, but computers recognize these as different and will take you to two different websites depending on which you choose.
In 2001, this became known as the internationalized domain name (IDN) homograph attack. Most browsers now have defenses against such attacks, and while there are some creative folks still finding new ways to exploit UNICODE attacks in browsers, it looks like some have moved onto creative file-based attacks.
To make life easier for users, operating systems (OSes) let users double-click on a file in the GUI and take it from there. If the file is a document, the appropriate application runs and opens the requested file. If the file is an application, the OS runs the program. Windows simply looks at the file extension to determine the file type. macOS has been more diligent since a series of attacks in 2009 in which bad actors renamed applications with document file extensions, getting past the security controls of the time.
In response, Apple implemented “File Quarantine” in a number of applications that download files from the Internet. Think: Safari, Messages, iChat, and Mail. To identify applications, macOS looks at the file extension, but it also looks at the internal structure of files with known document extensions to determine whether one is a renamed application. If it appears to be an application, the user receives a warning that the file is “an application downloaded from the Internet” and is given the option not to open it.
This all seems like a good plan until some crafty person leveraged the confusion that comes with UNICODE characters to create the OSX HiddenLotus attack. In this attack, the victim receives the file “Lê Thu Hà (HAEDC).pdf”, which looks like a benign PDF document, but macOS knows better because the internal structure gives it away as an application that could contain malware. Following the File Quarantine procedure, the user will see the popup warning shown above. But wait, it doesn’t have an “unknown extension”, it has a PDF extension, doesn’t it?
This is where the UNICODE magic comes in to fool the computer. The “d” in the .pdf extension above isn’t from the LATIN character set; it is actually a Roman numeral “d”, which looks the same to human eyes but is distinct to computers. macOS knows that the Adobe extension .pdf should be opened by a PDF reader like Adobe Reader, but the malware’s extension .pdf has no defined application. It is internally structured like an application, so macOS follows its procedures and asks the user.
Note: there is nothing magic about “pdf” in this case, other than it looks benign to humans and is unrecognized by MacOS.
“The HiddenLotus dropper is a folder with the proper internal bundle structure to be an application, and it uses an extension of .pdf, where the ‘d’ is a Roman numeral, not a letter. Although this extension looks exactly the same as the one used for Adobe Acrobat files, it’s completely different, and there are no applications registered to handle that extension. Thus, the system will fall back on the bundle structure, treating the folder as an application, even though it does not have a telltale .app extension.” reads the analysis published by MalwareBytes.
“There is nothing particularly special about this .pdf extension (using a Roman numeral ‘d’) except that it is not already in use. Any other extension that is not in use will work just as well”
Any unknown extension will have this behavior. But imagine what happens when the popup box warns that “Lê Thu Hà (HAEDC).pdf is an application downloaded from the Internet. Are you sure you want to open it?“
How many users will notice “application” in that popup box — which is the important part — or will they quickly scan the message and get “are you sure you want to open this PDF file from the Internet?”
Apple has updated the macOS XProtect anti-malware system to watch for this specific attack and then provide a stronger message to the user. But there are a lot of characters besides the Roman “d” that can be leveraged for similar attacks. The game of cat and mouse continues.
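A check for the lookalike-extension trick described above, added here as an example and not taken from the Malwarebytes analysis: it flags any filename whose extension contains non-ASCII code points and uses NFKC normalization to report which ASCII extension the name impersonates (U+217E, the small Roman numeral "d", folds to a plain "d"). The sample filenames are constructed; the second reuses the dropper name quoted in the article with U+217E in place of the "d".

```python
import unicodedata
from typing import List, NamedTuple, Optional


class ExtensionFinding(NamedTuple):
    filename: str
    extension: str             # the extension exactly as written
    looks_like: Optional[str]  # the ASCII extension it impersonates, when NFKC can tell us
    non_ascii: List[str]       # the offending code points, for the analyst


def extension_of(name: str) -> str:
    """Return the text after the last dot of the final path component, or '' if there is none."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[1] if "." in base else ""


def check_extension(name: str) -> Optional[ExtensionFinding]:
    ext = extension_of(name)
    if not ext or ext.isascii():
        # Non-ASCII in the stem (a Vietnamese name, say) is normal; only the
        # extension decides which application, if any, is registered to open the file.
        return None
    # NFKC maps compatibility characters such as U+217E SMALL ROMAN NUMERAL FIVE HUNDRED
    # to their ASCII base letter, revealing which registered extension the name is dressed up as.
    # Cross-script lookalikes (Cyrillic, Greek) do not fold, so looks_like stays None but
    # the name is still reported.
    folded = unicodedata.normalize("NFKC", ext)
    looks_like = folded if folded.isascii() else None
    offenders = [f"U+{ord(c):04X} {unicodedata.name(c, 'UNKNOWN')}" for c in ext if not c.isascii()]
    return ExtensionFinding(name, ext, looks_like, offenders)


def scan(names: List[str]) -> List[ExtensionFinding]:
    """Apply check_extension to each name and keep only the suspicious ones."""
    return [f for f in (check_extension(n) for n in names) if f is not None]


# Constructed sample filenames (not taken from any real sample set).
SAMPLE_NAMES = [
    "Lê Thu Hà (HAEDC).pdf",        # benign: the non-ASCII characters are all in the stem
    "Lê Thu Hà (HAEDC).p\u217ef",   # HiddenLotus-style lookalike extension, U+217E for 'd'
    "quarterly-report.p\u0501f",    # cross-script lookalike (U+0501, Cyrillic komi de); flagged, not folded
    "archive.tar.gz",
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_NAMES):
        print(f"{finding.filename!r}: extension {finding.extension!r} "
              f"looks like {finding.looks_like!r}; code points: {finding.non_ascii}")
```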
Google Project Zero white hacker reveals Apple jailbreak exploit
12.12.2017 securityaffairs Apple
White hat hacker Ian Beer of Google Project Zero has revealed an Apple jailbreak exploit that relies on a kernel memory corruption vulnerability.
White hat hacker Ian Beer of Google Project Zero has revealed an Apple jailbreak exploit. The expert publicly disclosed the kernel memory corruption vulnerability after Apple addressed it with a fix.
Last week Beer announced an iOS 11.1.2 exploit called “tfp0,” which he believes could be the basis for a future iOS 11.1.2 jailbreak.
Today, Beer released the exploit and explained it should work on all iOS devices running iOS 11.1.2 or below, though he only tested it on iPhone 7, iPhone 6s, and a sixth-generation iPod touch.
Note that Beer did not release a full iOS 11 jailbreak, but rather something that could potentially be used to develop a working one.
The attack vector is the tfp0 (“task for pid 0”), the kernel task port.
iOS 11.1.2, now with more kernel debugging: https://bugs.chromium.org/p/project-zero/issues/detail?id=1417#c3 …
5:20 PM - Dec 11, 2017
Beer built on his September 2016 work with Apple’s Mach kernel implementation and the Mach Interface Generator (MIG).
“Userspace MIG services often use mach_msg_server or mach_msg_server_once to implement an RPC server. These two functions are also responsible for managing the resources associated with each message similar to the ipc_kobject_server routine in the kernel.” wrote Beer.
“Exploitability hinges on being able to get the memory reallocated in between the two vm_deallocate calls, probably in another thread.”
Beer published a proof-of-concept code to exploit a second bug that provided the vector to attack MIG.
The expert exploited “a recent addition to the kernel, presumably as a debugging tool to help enumerate places where the kernel is accidentally disclosing pointers to userspace. The implementation currently enumerates kqueues and dumps a bunch of values from them.”
“IOSurfaceRootUserClient external method 17 (s_set_surface_notify) will drop a reference on the wake_port (via IOUserClient::releaseAsyncReference64) then return an error code if the client has previously registered a port with the same callback function,” reads the security advisory published by Beer.
“The external method’s error return value propagates via the return value of is_io_connect_async_method back to the MIG generated code which will drop a further reference on the wake_port when only one was taken. This bug is reachable from the iOS app sandbox as demonstrated by this PoC.”
Beer included a step-by-step explanation in the readme file included in the PoC code:
First, he used a proc_pidlistuptrs bug to disclose the address of arbitrary ipc_ports;
Second, he triggered an out-of-bounds read for “various kalloc sizes” to identify “the most commonly-leaked kernel pointer”;
Next, he sent Mach messages to make “a pretty large number of kalloc allocations”;
With enough Mach port allocations, Beer gathered a page “containing only my ports”. The port address disclosure provided “a port which fits within particular bounds on a page. Once I’ve found it, I use the IOSurface bug to give myself a dangling pointer to that port”;
“I free the kalloc allocations made earlier and all the other ports then start making kalloc.4096 allocations (again via crafted mach messages);”
Careful reallocation (1 MB at a time) made garbage collection trigger and “collect the page that the dangling pointer points to”.
Beer explained that “the bsdinfo->pid trick” allowed him to build an arbitrary read to find the kernel task’s vm_map and the kernel’s ipc_space, allowing him to reallocate the kalloc.4096 buffer with a fake kernel task port.
Jailbreaking iOS devices is no longer as popular as it once was, especially after two major Cydia repositories shut down. Both ModMy and ZodTTD/MacCiti, which provided apps, themes, tweaks, and more for jailbroken iOS devices, shut down in November.
Google Researcher Releases iOS 11 Jailbreak Exploit
12.12.2017 securityweek Apple
Google Project Zero researcher Ian Beer has released a proof-of-concept (PoC) exploit that could pave the way for the first iOS 11 jailbreak.
The iOS vulnerabilities leveraged by Beer’s exploit are CVE-2017-13865, a kernel flaw that allows an application to read restricted memory, and CVE-2017-13861, a weakness in IOSurface that can be leveraged to execute arbitrary code with kernel privileges. Both security holes were patched by Apple in early December with the release of iOS 11.2.
When Beer announced his intention to release an iOS exploit a few days ago, some were hoping that the researcher would release a full jailbreak. Nevertheless, many iPhone fans anticipate that the exploit made available by the Google expert will allow someone to create a jailbreak by the end of the year.
Beer has released the exploit in an effort to help security researchers analyze Apple devices by running their own tools. The exploit has been tested on iPhone 7, iPhone 6s and iPod Touch 6G running iOS 11.1.2, but the expert believes support can easily be added for other devices.
The researcher’s exploit targets task_for_pid 0 (tfp0), a function that provides access to the kernel task port and which can be useful for jailbreaking, and a local kernel debugger. Technical details and PoC code are available via the Project Zero bug tracker.
The vulnerabilities necessary for a jailbreak have become increasingly difficult to find and Apple has implemented many of the features that in the past required third-party apps and jailbroken devices. This has led to fewer researchers trying to develop exploits and fewer users needing jailbroken devices.
However, there has been a lot of interest in Beer’s exploits – even before they were actually released – and many users are hoping to see an iOS 11 jailbreak in the coming weeks.
It’s worth pointing out that even if a jailbreak is released, it will only work on devices running iOS 11.1.2 – and possibly earlier versions of iOS 11 – as Apple has already patched the vulnerabilities in iOS 11.2.
macOS Backdoor Uses Innovative Disguise Technique
12.12.2017 securityweek Apple
A variant of the macOS-targeting OceanLotus backdoor is using an innovative technique to disguise the fact that it is an executable in order to avoid alerting users on its execution, Malwarebytes warns.
Dubbed HiddenLotus, the backdoor is distributed via an application named Lê Thu Hà (HAEDC).pdf, which masquerades as an Adobe Acrobat file. The app uses an old method for this behavior, one that inspired the file quarantine feature introduced in Leopard (Mac OS X 10.5), where files downloaded from the Internet are tagged as quarantined.
Should the downloaded file be an executable, such as an application, a pop-up notification warns the user of this fact when they attempt to open the file. The quarantine feature has been around for nearly a decade, but malware continues to masquerade as documents, Malwarebytes says.
HiddenLotus, a new variant of the OceanLotus backdoor that was last seen this summer posing as a Microsoft Word document and targeting users in Vietnam, takes the disguise to a new level. While older malware had a hidden .app extension to indicate that it was an application, HiddenLotus actually has a .pdf extension. There was no .app extension included.
This is possible because the threat uses a hidden extension, where the ‘d’ in .pdf is actually the Roman numeral ‘D’ (representing the number 500) in lowercase, as Arnaud Abbati has discovered.
“An application does not need to have a .app extension to be treated like an application. An application on macOS is actually a folder with a special internal structure called a bundle. A folder with the right structure is still only a folder, but if you give it an .app extension, it instantly becomes an application,” Malwarebytes explains.
Because of that, the Finder treats the folder as a single file and launches it as an application when double-clicked, instead of opening the folder.
When the user double-clicks a file or a folder, LaunchServices considers the extension first and opens the item accordingly, if it knows the extension. A file with a .txt extension will be opened with TextEdit by default. Thus, a folder with the .app extension will be launched as an application, should it have the right internal structure.
If the extension isn’t known, the user is consulted when attempting to open the file, and they can choose an application to open the file or search the Mac App Store.
When double-clicking a folder with an unknown extension, however, LaunchServices falls back on looking at the folder’s bundle structure.
This is the behavior that HiddenLotus’ author leverages: the dropper is a folder that has the internal bundle structure of an application. Because of the use of a Roman numeral in the .pdf extension and because there is no application registered to open it, the system treats it as an application even though it does not have a telltale .app extension.
“There is nothing particularly special about this .pdf extension (using a Roman numeral ‘d’) except that it is not already in use. Any other extension that is not in use will work just as well,” Malwarebytes says.
The security researchers also point out that there is an enormous list of possible extensions that malicious actors could abuse, especially when using Unicode characters. Because of that, users could be tricked into opening files that mimic Word documents (.doc), Excel spreadsheets (.xls), Pages documents (.pages), and the like.
“This is a neat trick, but it’s still not going to get past file quarantine. The system will alert you that what you’re trying to open is an application. Unless, of course, what you are opening was downloaded via an application that does not use the APIs that properly set the quarantine flag on the file, as is the case for some torrent apps,” the researchers also note.
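A defender-side check for the disguise described above, as an added example that is not Malwarebytes’ code: it walks a directory, treats any folder carrying an application bundle structure (Contents/Info.plist plus Contents/MacOS) as an app regardless of its extension, and NFKC-folds the extension so lookalike characters such as the small Roman numeral “d” (U+217E) are exposed. The sample tree it scans is constructed from empty stub bundles in a temporary directory (the decoy name follows the article, diacritics dropped).

```python
import tempfile
import unicodedata
from pathlib import Path

# U+217E SMALL ROMAN NUMERAL FIVE HUNDRED renders like a Latin 'd'
SMALL_ROMAN_D = "\u217e"


def normalized_extension(name: str):
    """Return (folded_extension, has_lookalike).

    NFKC folding maps compatibility characters such as U+217E back to their
    ASCII base letter, so '.p\u217ef' folds to '.pdf'.  Any change during
    folding, or any non-ASCII character left afterwards, marks the extension
    as a lookalike.
    """
    ext = Path(name).suffix
    folded = unicodedata.normalize("NFKC", ext)
    return folded.lower(), folded != ext or not folded.isascii()


def has_bundle_structure(path: Path) -> bool:
    """An application bundle is a folder with Contents/Info.plist and Contents/MacOS."""
    contents = path / "Contents"
    return (contents / "Info.plist").is_file() and (contents / "MacOS").is_dir()


def assess(path: Path) -> str:
    """Classify one directory entry.

    Only folders can be launched as bundles, so plain files are always 'ok'
    here: a real PDF with a lookalike extension would merely fail to open.
    """
    if not path.is_dir() or not has_bundle_structure(path):
        return "ok"
    folded, lookalike = normalized_extension(path.name)
    if folded == ".app" and not lookalike:
        return "app-bundle"                  # what Finder shows as an application
    if lookalike:
        return "disguised-bundle-lookalike"  # e.g. '.p\u217ef' posing as '.pdf'
    return "disguised-bundle"                # bundle behind an unregistered extension


def scan(root: Path) -> dict:
    """Map entry name -> verdict for flagged entries under root, recursing into plain folders."""
    findings = {}
    for entry in sorted(root.iterdir()):
        verdict = assess(entry)
        if verdict != "ok":
            findings[entry.name] = verdict
        elif entry.is_dir():
            findings.update(scan(entry))
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample (empty stub bundles, not malware): a HiddenLotus-style
    decoy, a legitimate app, a bundle behind a document extension, a real PDF."""
    def stub_bundle(path: Path) -> None:
        (path / "Contents" / "MacOS").mkdir(parents=True)
        (path / "Contents" / "Info.plist").write_text("<plist/>")

    stub_bundle(root / f"Le Thu Ha (HAEDC).p{SMALL_ROMAN_D}f")  # decoy from the article
    stub_bundle(root / "Safari.app")
    stub_bundle(root / "report.docx")
    (root / "invoice.pdf").write_bytes(b"%PDF-1.4\n")
    (root / "notes").mkdir()
    (root / "notes" / "todo.txt").write_text("")


def demo() -> dict:
    """Build the sample tree in a temporary directory and return the scan findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return scan(root)


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{verdict:28s} {name}")
```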
Event Logs Manipulated With NSA Hacking Tool Recoverable
12.12.2017 securityweek BigBrothers
Researchers at security firm Fox-IT have developed a tool that allows investigators to detect the use of specific NSA-linked malware and recover event log data it may have deleted from a machine.
The group calling itself Shadow Brokers has published several tools and exploits stolen from the Equation Group, cyberspies believed to be working for the U.S. National Security Agency (NSA). One of the tools leaked by the Shadow Brokers in April is DanderSpritz, a post-exploitation framework that allows hackers to harvest data, bypass and disable security systems, and move laterally within a compromised network.
An interesting DanderSpritz plugin is EventLogEdit, which is designed for manipulating Windows Event Log files to help attackers cover their tracks. While hacker tools that modify event logs are not unheard of, EventLogEdit is more sophisticated compared to others as it allows removal of individual entries from the Security, Application and System logs without leaving any obvious clues that the files had been edited.
“While we understand that event logs can be cleared and event logging stopped, surgically editing event logs is usually considered to be a very advanced capability (if possible at all),” Jake Williams, founder of Rendition Infosec and an expert in Shadow Broker leaks, said after news of the tool emerged. “Knowing that some attackers apparently have the ability to edit event logs can be a game changer for an investigation.”
Since the tool has been made public by the Shadow Brokers, it gives less sophisticated actors the opportunity to cover their tracks and hamper forensic investigations.
Fortunately, Fox-IT researchers have found a way to determine if EventLogEdit has been used on a system, and even recover the event log entries that it removed.
“When eventlogedit is used, the to-be-removed event record itself isn’t edited or removed at all: the record is only unreferenced. This is achieved by manipulation of the record header of the preceding record. Eventlogedit adds the size of the to-be-removed-record to the size of the previous record, thereby merging the two records. The removed record including its record header is now simply seen as excess data of the preceding record,” researchers explained. “You might think that an event viewer would show this excess or garbage data, but no. Apparently, all tested viewers parse the record binXml message data until the first end-tag and then move on to the next record.”
Experts pointed out that the removed records should be seen by organizations that send logs on the fly to a central server, but sophisticated attackers are likely to hijack that machine as well in an effort to hide their activities.
However, since the EventLogEdit tool leaves the removed record and record header in their original state, full recovery of the data is possible.
Fox-IT has released an open source Python script that identifies and exports removed event log records, allowing organizations to check if they have been targeted by the NSA or other threat actors that may be leveraging EventLogEdit. Users who don’t want to bother with compiling the code themselves can download a version of the tool provided as a Windows executable.
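The recovery idea described above, as an added example that is not Fox-IT’s script: it uses a simplified record framing that mirrors the EVTX record layout (magic `**\x00\x00`, uint32 size, uint64 record id, uint64 timestamp, body, trailing uint32 copy of the size; the ASCII body stands in for BinXml). A constructed three-record chunk has its second record’s header size inflated to swallow the third; the analysis walks the records the way a viewer does, notes that the inflated record’s trailing size copy no longer matches its header, and carves the swallowed record back out of the excess span.

```python
import struct

MAGIC = b"**\x00\x00"
HEADER = struct.Struct("<4sIQQ")   # magic, size, record id, FILETIME timestamp
TRAILER = struct.Struct("<I")      # copy of size at the end of the record


def pack_record(record_id: int, timestamp: int, body: bytes) -> bytes:
    size = HEADER.size + len(body) + TRAILER.size
    return HEADER.pack(MAGIC, size, record_id, timestamp) + body + TRAILER.pack(size)


def parse_header(buf: bytes, offset: int):
    magic, size, record_id, timestamp = HEADER.unpack_from(buf, offset)
    if magic != MAGIC:
        raise ValueError(f"no record magic at offset {offset}")
    return size, record_id, timestamp


def walk_visible(buf: bytes):
    """What an ordinary viewer does: hop from record to record by declared size.
    Returns [(offset, declared_size, record_id), ...]."""
    records, offset = [], 0
    while offset + HEADER.size <= len(buf):
        size, record_id, _ = parse_header(buf, offset)
        if size < HEADER.size + TRAILER.size or offset + size > len(buf):
            break                                    # truncated or corrupt chunk
        records.append((offset, size, record_id))
        offset += size
    return records


def size_mismatches(buf: bytes):
    """Ids of records whose header size disagrees with the size copy at the end of
    their declared span.  After a merge that span ends with the swallowed record's
    trailer, which still carries the smaller, original size."""
    bad = []
    for offset, size, record_id in walk_visible(buf):
        if TRAILER.unpack_from(buf, offset + size - TRAILER.size)[0] != size:
            bad.append(record_id)
    return bad


def _consistent_record_at(buf: bytes, offset: int, limit: int):
    """Return the declared size if a complete, self-consistent record starts here."""
    if offset + HEADER.size > limit or buf[offset:offset + 4] != MAGIC:
        return None
    size = struct.unpack_from("<I", buf, offset + 4)[0]
    end = offset + size
    if size < HEADER.size + TRAILER.size or end > limit:
        return None
    if TRAILER.unpack_from(buf, end - TRAILER.size)[0] != size:
        return None
    return size


def recover_hidden(buf: bytes):
    """Carve records that sit inside another record's declared span.
    Returns [(record_id, body), ...] in the order found."""
    hidden = []
    for offset, size, _ in walk_visible(buf):
        span_end = offset + size
        pos = offset + HEADER.size
        while True:
            nxt = buf.find(MAGIC, pos, span_end)
            if nxt < 0:
                break
            inner = _consistent_record_at(buf, nxt, span_end)
            if inner is None:
                pos = nxt + 1                        # stray '**' bytes inside a body
                continue
            _, inner_id, _ = parse_header(buf, nxt)
            hidden.append((inner_id, buf[nxt + HEADER.size:nxt + inner - TRAILER.size]))
            pos = nxt + inner
    return hidden


def constructed_sample() -> bytes:
    """Three constructed records; the second's header size is inflated to also cover
    the third, which stays byte-for-byte intact (the condition the article describes)."""
    r1 = pack_record(1, 0x01D3, b"<Event id=4624/>")
    r2 = pack_record(2, 0x01D4, b"<Event id=4688/>")
    r3 = pack_record(3, 0x01D5, b"<Event id=1102/>")
    merged_r2 = HEADER.pack(MAGIC, len(r2) + len(r3), 2, 0x01D4) + r2[HEADER.size:]
    return r1 + merged_r2 + r3


if __name__ == "__main__":
    chunk = constructed_sample()
    print("visible:", [rid for _, _, rid in walk_visible(chunk)])
    print("size mismatches:", size_mismatches(chunk))
    print("recovered:", recover_hidden(chunk))
```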
'MoneyTaker' Hackers Stole Millions from Banks: Report
12.12.2017 securityweek CyberCrime
A group of Russian-speaking cybercriminals has launched over 20 successful attacks against financial institutions and legal firms in the US, UK and Russia over the past two years, according to cybercrime research firm Group-IB.
Called “MoneyTaker” by Group-IB, the group has been focused on card processing systems, such as the AWS CBR (Russian Interbank System) and SWIFT (US). The fraudsters might soon switch interest to financial institutions in Latin America, given the wide usage of STAR in the region, Group-IB researchers believe.
The group has performed successful attacks on banks in different countries, as well as law firms and financial software vendors. In total 20 companies were hit, including 16 in the US, 3 banks in Russia, and one IT company in the UK.
The attacks caused losses of roughly $500,000 per attack on average, according to Group-IB's analysis.
The hackers managed to fly under the radar for so long by constantly changing tools and tactics and carefully eliminating traces after completing their operations.
“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise. In addition, incidents occur in different regions worldwide and at least one of the US banks targeted had documents successfully exfiltrated from their networks, twice. Group-IB specialists expect new thefts in the near future,” Dmitry Volkov, Group-IB Co-Founder and Head of Intelligence, says.
The first US attack attributed to the group was conducted in the spring of 2016. The hackers stole money by gaining access to First Data’s “STAR” network operator portal. Since then, MoneyTaker hit organizations in California, Utah, Oklahoma, Colorado, Illinois, Missouri, South Carolina, North Carolina, Virginia and Florida.
A total of 10 attacks were attributed to the group in 2016: 6 attacks on banks in the US, 1 attack on a US service provider, 1 attack on a company in the UK, and 2 attacks on Russian banks. In 2017, the group hit 8 US banks and 1 law firm and 1 bank in Russia.
Group-IB has discovered that the group is using specific withdrawal schemes, where a single account is employed for each transaction. After the theft, the hackers continue to monitor impacted banks, the security researchers say.
By continuously exfiltrating internal banking documentation (admin guides, internal regulations and instructions, change request forms, transaction logs, etc.), the group stays updated on bank operations and can prepare future attacks.
Tools associated with MoneyTaker include the infamous Citadel and Kronos banking Trojans, and the ScanPOS Point-of-Sale (POS) malware. The hackers also used privilege escalation utilities compiled from code presented at the Russian cybersecurity conference ZeroNights 2016.
The group uses both borrowed and self-written tools. They developed an app with screenshot and keylogger capabilities for spying purposes. Compiled in Delphi, the app can also steal clipboard contents and can disable itself. The app includes 5 timers and an anti-emulation function in the timer code.
An attack on a Russian bank employed MoneyTaker v5.0, a modular tool capable of searching for payment orders, modifying them, replacing original payment details with fraudulent ones, and erasing traces. After the transaction, a concealment module also replaces the fraudulent payment details with the original ones in a debit advice. Thus, the payment order is accepted with the fraudulent details, but the response comes with the initial details instead.
MoneyTaker uses a distributed infrastructure that features a persistence server designed to deliver payloads only to victims with IP addresses in MoneyTaker’s whitelist.
The hackers use a pentest framework server with Metasploit installed on it. They compromise a computer at the targeted organization, then leverage the pentesting framework for network reconnaissance, finding vulnerable applications, exploiting flaws, escalating system privileges, and collecting information.
Courtesy of fileless malware, MoneyTaker can easily hide tracks. When persistence is needed, the group uses PowerShell and VBS scripts, which are difficult to detect and easy to modify. The researchers also observed the group making changes to source code ‘on the fly’ during the attack.
To protect communication with the command and control (C&C) server, the group uses SSL certificates generated using names of well-known brands: Bank of America, Federal Reserve Bank, Microsoft, Yahoo, etc. They also used the LogMeIn Hamachi solution for remote access.
In May 2016, MoneyTaker performed its first attack targeting card processing. Through the compromised network of a bank, the hackers gained access to First Data’s STAR network operator portal, which allowed them to make the necessary modifications and start withdrawing money.
After connecting to the card processing system, the group legally opened or bought cards of the hacked bank. Money mules with previously activated cards waited abroad for the operation to begin. The hackers then removed or increased cash withdrawal limits for the cards and removed overdraft limits, thus allowing the money mules to withdraw an excessive amount of cash from ATMs.
Group-IB says it provided the information it uncovered on MoneyTaker to Europol and Interpol for further investigation.
Malware Isolation Firm Menlo Security Raises $40 Million
12.12.2017 securityweek IT
Menlo Security, a provider of malware isolation technology, announced on Monday that it has closed a $40 million Series C funding round, bringing the total amount raised by the company to $85 million.
The Menlo Park, Calif.-based company pushes the fact that its offerings do not provide malware detection or classification. Instead, the company’s cloud-based security platform takes all active content—including potentially malicious files—and executes it in the cloud, giving malware no path to reach an endpoint via compromised or malicious web sites, e-mail, or documents.
“Rather than try to distinguish between safe and risky content, the Menlo Security Isolation Platform acts like a digital partition, isolating and executing all web content, email links and documents in the cloud, then streaming a malware-free version of the content to employees’ computers,” the company explains.
Menlo says the additional funding will help support sales and marketing efforts.
American Express Ventures, Ericsson Ventures and HSBC, participated in the funding round as new investors. They join existing investors JPMorgan Chase, General Catalyst, Sutter Hill Ventures, Osage University Partners and Engineering Capital.
Synopsys Completes $550 Million Acquisition of Black Duck Software
12.12.2017 securityweek IT
Synopsys, a company that provides tools and services for designing chips and electronic systems, has completed its acquisition of Black Duck Software, a privately held company that offers solutions for securing and managing open source software.
The value of the cash transaction was approximately $547 million net of cash acquired, Synopsys said.
Black Duck's products help development and security teams automate the process of identifying and inventorying open source code, and help detect known security vulnerabilities. They also provide automated alerts for any newly discovered vulnerabilities affecting the open source code and assist with software license compliance.
In 2014, Synopsys acquired software testing firm Coverity for roughly $350 million. In November 2016, Synopsys announced its plans to acquire software security testing firm Cigital for an undisclosed sum.
Get the Ultimate 2018 Hacker Bundle – Pay What You Want
11.12.2017 thehackernews Security
Due to the growing number of threats in the computer world, ethical hackers have become the most important players not only for governments but also for private companies and IT firms seeking to safeguard their systems and networks from hackers trying to infiltrate them.
By 2020, employment in all information technology occupations is expected to increase by 22 percent, where demand for ethical hackers and IT security engineers will be the strongest. So, it's high time that you should start preparing yourself in the field of ethical hacking.
Although there are many popular online courses available, you can't learn everything from a single book or course.
Good news: we bring you an amazing deal this month for our readers, The Ultimate White Hat Hacker 2018 Bundle, where you can get hacking courses for as little as you want to pay, and if you beat the average price you will receive the fully upgraded hacking bundle!
You will get at least 4 hacking courses for less than the average price you pay (as little as $1), and all 8 online courses for the average price (which is $12.11 at the time of writing).
Here is a brief description of all 8 courses included in this Pay What You Want deal; the full set requires paying at least the average price:
1. Learn Hacking Windows 10 Using Metasploit From Scratch
Hack Windows Like a Pro, Secure It Like an Expert, and Detect the Hacker
This online course helps you learn how black hat hackers hack Windows using advanced techniques while improving your knowledge on how to analyze and secure Windows and combat hackers.
2. Hack People, Systems, and Mobile Devices
Learn Advanced Social Engineering Techniques to Crack Mobile Devices
This course helps you learn the ethical hacking techniques and methodology used in penetration testing to better protect yourself and those around you.
3. Web Application Penetration Testing Professional: WAPTP v3.1
Attack Web Apps with the Latest Professional Tools & Tricks
This online course helps you build towards mapping an application for insecurities, and understanding how to identify and mitigate threats, with WAPTP v3.1 which is a highly practical and hands-on training for web application penetration testing.
4. From Zero to Hero in Web, Network, and WiFi Hacking
Learn Basic to Advanced Web, Network, and WiFi Hacking
This online course helps you learn the essential elements of WiFi hacking so you can start applying them to a career in ethical hacking.
5. Ethical Hacking Using Kali Linux From A to Z
Discover the Power of Kali Linux, One of the Most Popular Ethical Hacking Tools
This course introduces you to the latest ethical hacking tools and techniques with the popular Kali Linux, using a testing lab for practicing different types of attacks.
6. Learn Website Hacking and Penetration Testing From Scratch
Learn How to Hack Sites Like A Black Hat Hacker and How to Protect Them Like A White Hat Hacker
This course helps you gain a complex understanding of websites, and then learn how to exploit them to carry out a number of powerful cyber attacks and test the security of websites and apps, and fix vulnerabilities.
7. Cyber Security Volume II: Network Security
Discuss Network Security, Firewalls, and Learn the Best Password Managers On the Market
This course helps you learn network hacking techniques and vulnerability scanning to discover security issues and risks across an entire network, learning skills for which big companies are willing to pay top dollar.
8. Ethical Hacking for Beginners
Hack Your Way to a Secure and Threat-Free Environment Using Best-in-Class Tools and Techniques.
This course helps you learn ethical hacking and identify threats and vulnerabilities to secure your IT environment.
10 Biggest Cyber Espionage Cases
11.12.2017 securityaffairs CyberSpy
Cyber espionage is becoming more sophisticated and widespread on both the international and domestic stages. These are the 10 biggest cyber espionage cases.
Cyber spying is becoming more sophisticated and widespread on both the international and domestic stages. Attackers can strike from anywhere in the world at any time if you don’t secure your computers properly. What is more embarrassing about cyber espionage is that victims often don’t know that they have been under constant threat for years. With increasing business competition, even the smallest companies have to consider options for cyber espionage prevention. If you still don’t believe in the enormous capabilities of cyber attackers, look at the list of the 10 biggest cyber espionage cases that affected companies, governments, and even nations.
1. Moonlight Maze
In 1999, Newsweek revealed the first case of coordinated cyber espionage in the United States. A series of cyber attacks began in 1998 and resulted in thousands of stolen documents containing confidential information about American military technologies. Hackers broke into the network of Wright-Patterson Air Force Base and then connected to military research institutions. Russia was blamed for these attacks, but there was a lack of proof. The malware used during the Moonlight Maze operation is still widely used in modern attacks.
2. Titan Rain
From 2003 to 2005, U.S. government computers were under constant threat from attacks attributed to Chinese military hackers. Titan Rain also included attacks on the UK defense and foreign ministries that continued until 2007. This was the first case of cyber espionage sponsored by a state. The hackers penetrated the networks using different methods and tried to steal as much information as possible. The complicity of the Chinese government in this operation wasn’t proven, but countries became more cautious about cyber espionage attacks.
3. Gillette Industrial Espionage
In 1997, Gillette suffered industrial espionage after one of its engineers disclosed corporate information to the company’s competitors. Steven Louis Davis worked on the development of a new razor, but after quarrels with his supervisor he stole the design of the new shaver system and sent it by email and fax to Gillette’s competitors. Davis was found guilty of industrial espionage and sentenced to 27 months in jail.
4. Office of Personnel Management Data Breach
Starting in 2012, Chinese government hackers allegedly attacked the U.S. Office of Personnel Management and stole personal information on 21 million Americans. As a result of this cyber espionage, the perpetrators gained access to sensitive data about people who had worked for or applied to the federal government, including the military. The data leak was discovered in June 2015 when OPM personnel detected malware that had built a backdoor into the network. A Chinese national suspected of developing the malware was arrested only in 2017. Though OPM representatives assured that no one had suffered because of the intrusion, the long-term consequences of this data breach are still unknown.
5. Operation Aurora
At the beginning of 2010, Google announced that the company had been targeted by a series of cyber attacks originating from China. Apart from Google, the hackers also attacked more than 20 international companies, including Adobe Systems and Yahoo. Google said that its intellectual property had been stolen and that Gmail accounts had also been under persistent attack. The company even considered stopping censoring its search results in China. The attacks exploited a vulnerability in Internet Explorer and combined stealth programming and encryption techniques.
6. GhostNet
In 2009, Canadian researchers revealed a large spy network called GhostNet that had intruded into more than one thousand computers in 103 countries. The perpetrators gained unauthorized access to the network of the Dalai Lama’s offices and used it to compromise other computers. The attacks also targeted the foreign ministries and embassies of Germany, Pakistan, India, Iran, South Korea, and Thailand. The Chinese government denied any involvement in the attacks.
7. Night Dragon
In 2011, McAfee reported on the Night Dragon operation, initiated by Chinese hackers to attack the largest European and American energy businesses, including Royal Dutch Shell and Baker Hughes. This was one of the biggest cyber espionage cases, as the intruders gained access to topographical maps of potential oil reserves. According to the McAfee report, the attackers used a range of unsophisticated hacking tools and techniques that were available on Chinese hacker websites.
8. Spying on the Obama and McCain Computers
Another case of cyber espionage involved the computers of John McCain and Barack Obama during their presidential campaigns in 2008. Chinese or Russian hackers allegedly installed spyware on the computers of the two presidential candidates and stole sensitive data related to foreign policy. The cyber attack was initially taken for a computer virus, but technology experts then discovered that a considerable number of files had been leaked. The data leak was revealed only after the presidential election, during the federal investigation.
9. Computer Spies Breach Fighter-Jet Project
In 2009, the Pentagon reported that the Fighter-Jet Project had come under assault from unknown intruders. This multi-billion-dollar next-generation fighter project was the victim of coordinated cyber espionage attacks over two years. The attackers used computers located in China to steal a massive volume of data about electronics and internal maintenance. Fortunately, the most sensitive information was kept offline and the intruders weren’t able to access it. Though U.S. officials suspected Chinese hackers, the true origin of the perpetrators remained undetermined.
10. Operation Shady RAT
Operation Shady RAT is undeniably one of the biggest cyber espionage cases in history, as it has affected more than 70 companies and organizations since 2006. Victims included the International Olympic Committee, which was compromised for several months prior to the 2008 Olympic Games in Beijing. The United Nations and the World Anti-Doping Agency were also attacked. McAfee identified previously unknown malware that was spread via e-mail with a link to a self-loading remote-access tool, or RAT. The attackers gained unauthorized access to legal contracts, government secrets, and other sensitive data. Chinese hackers allegedly arranged the operation, as every country in Southeast Asia except China suffered from the attacks.
As you can see, attackers can strike from inside or outside the company, so you should always be ahead of the game. To protect your sensitive information against unauthorized access, consider options for cyber espionage prevention that provide employee monitoring and external intrusion blocking.
Vietnamese hacker stole security details and building plans from an Australian airport
11.12.2017 securityaffairs CyberCrime
Hackers compromised computer systems at an Australian Airport and stole sensitive security details and building plans. The man was identified and arrested.
Hackers compromised computer systems at the Australian Perth Airport and stole sensitive security details and building plans.
The culprit has been identified: Vietnamese citizen Le Duc Hoang Hai (31), who accessed the systems in March last year using the credentials of a third-party contractor.
“A skilled hacker in Vietnam stole sensitive security details and building plans from Perth Airport after breaking into its computer systems,” reported The West Australian.
“The West Australian can reveal Vietnamese man Le Duc Hoang Hai used the credentials of a third-party contractor to get access to the airport’s computer systems in March last year.”
According to Prime Minister Malcolm Turnbull’s cybersecurity adviser Alastair MacGibbon, Hai stole “a significant amount of data” relating to the airport, including building schematics and details of physical security at airport buildings.
The man did not access systems linked to aircraft operations. He appears to have been financially motivated: he hacked into the system in an attempt to steal payment card data.
The investigation revealed that Hai also hacked infrastructure and websites in Vietnam, including banks, telecommunications, and an online military newspaper.
He has been jailed by the Vietnamese military court for four years for illegally accessing Perth Airport’s corporate network in 2016.
“We detected a cyber intrusion of one of our networks in 2016 and notified the Australian Cyber Security Centre and the Australian Federal Police.” Kevin Brown, Perth Airport CEO, told Nine.com.au.
“The assistance and hard work of these two agencies has resulted in the successful identification and prosecution of the individual responsible for the cyber intrusion.”
“Based on evidence gathered by the Australian Federal Police, it appears that credit card theft was the motivation for the illegal accessing of our system.”
“No personal data of members of the public, such as details of credit card numbers, was accessed but other Perth Airport documents were taken.”
Brown also added that stolen data could not pose any risk or threat to the travelling public.
“At no time was the safety or security of the airport, its staff, passengers or partners compromised,” he added.
After the incident, Perth Airport invested $2 million in additional security measures.
Vulnerability Allows Modification of Signed Android Apps
11.12.2017 securityweek Android
One of the vulnerabilities patched by Google as part of the December 2017 Android security patches is a High severity bug that could result in tampering with applications’ code without altering their signature.
Discovered by GuardSquare security researchers and tracked as CVE-2017-13156, the security flaw is created by the fact that “a file can be a valid APK file and a valid DEX file at the same time.” Because of that, the researchers called the bug the Janus vulnerability (after the Roman god of duality).
The issue, the researchers say, is that extra bytes can be added to both APK files and DEX files. APK files are ZIP archives and can contain arbitrary bytes at the start and between their ZIP entries; the JAR signature scheme only takes the ZIP entries into account when verifying the application's signature, so any extra bytes are ignored. DEX files, on the other hand, can contain arbitrary bytes at the end.
Another issue is that the Dalvik/ART virtual machine can load and execute both APK and DEX files. In theory, it loads the APK then extracts the DEX and runs it. In practice, it looks at the file’s header and, depending on how it interprets the information there, loads the APK either as a DEX file or as an APK file containing a ZIP entry with a DEX file.
“An attacker can leverage this duality. He can prepend a malicious DEX file to an APK file, without affecting its signature. The Android runtime then accepts the APK file as a valid update of a legitimate earlier version of the app. However, the Dalvik VM loads the code from the injected DEX file,” the security researchers explain.
By exploiting the vulnerability, an attacker could have malicious code running on an Android device with the same permissions as the targeted application, provided they trick the user into downloading and installing a fake update.
“An attacker can replace a trusted application with high privileges (a system app, for instance) by a modified update to abuse its permissions. Depending on the targeted application, this could enable the hacker to access sensitive information stored on the device or even take over the device completely,” the security researchers note.
An attacker could clone sensitive applications (such as banking or messaging apps) and deliver them as fake updates of legitimate software. Thus, the cloned application could look and behave the same as the original but inject malicious behavior.
Attack scenarios would require the user to accept the malicious update from a source outside Google Play, which could prove relatively easy in some cases, considering that the application would still look exactly like the original.
The Janus vulnerability was found in Android 5.0 and newer. Applications signed with APK signature scheme v2 and running on Android 7.0 and newer platforms, which support the latest signature scheme, are protected. Apps using DexGuard's tamper detection mechanism are better hardened against the attack.
“Unlike scheme v1, this scheme v2 considers all bytes in the APK file. Older versions of applications and newer applications running on older devices remain susceptible. Developers should at least always apply signature scheme v2,” GuardSquare says.
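As an added illustration (not GuardSquare's or Google's code), the following Python check looks for the Janus shape in an APK: it reads the ZIP end-of-central-directory record, compares the recorded central-directory offset with where the directory actually sits to measure any bytes prepended to the archive, and flags a file that both starts with the DEX magic and carries such prepended bytes. The sample APK and the prepended DEX header are constructed stand-ins, and the check is a triage heuristic, not a replacement for verifying the v2 signature with apksigner.

```python
import io
import struct
import zipfile

# DEX files start with "dex\n" followed by a 3-digit version and a NUL (e.g. "dex\n035\0").
DEX_MAGIC_PREFIX = b"dex\n"
# End-of-central-directory (EOCD) record of a ZIP archive, the container format of APK/JAR.
EOCD_SIG = b"PK\x05\x06"
EOCD_FMT = "<4sHHHHIIH"  # sig, disk, cd_disk, n_this_disk, n_total, cd_size, cd_offset, comment_len
EOCD_LEN = struct.calcsize(EOCD_FMT)  # 22 bytes


def find_eocd(data: bytes):
    """Return (position, unpacked fields) of the EOCD record, or None if there is none."""
    # The record sits at the end of the file, optionally followed by a comment (<= 65535 bytes).
    start = max(0, len(data) - EOCD_LEN - 0xFFFF)
    pos = data.rfind(EOCD_SIG, start)
    if pos < 0 or pos + EOCD_LEN > len(data):
        return None
    return pos, struct.unpack(EOCD_FMT, data[pos:pos + EOCD_LEN])


def analyze_apk_bytes(data: bytes) -> dict:
    """Heuristic Janus check on raw APK bytes (no signature verification is performed)."""
    result = {
        "is_zip": False,
        "starts_with_dex": data.startswith(DEX_MAGIC_PREFIX),
        "prepended_bytes": None,
        "entries": [],
        "janus_suspect": False,
    }
    eocd = find_eocd(data)
    if eocd is None:
        return result
    pos, (_sig, _disk, _cd_disk, _n_this, _n_total, cd_size, cd_offset, _clen) = eocd
    result["is_zip"] = True
    # cd_offset was written relative to the original start of the archive. If bytes were
    # prepended afterwards, the central directory now sits exactly that many bytes later,
    # while the v1 (JAR) signature, which covers only the entries, stays valid.
    actual_cd_start = pos - cd_size
    result["prepended_bytes"] = actual_cd_start - cd_offset
    try:
        # zipfile tolerates leading junk (self-extracting archives), just as the platform does.
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            result["entries"] = zf.namelist()
    except zipfile.BadZipFile:
        pass
    # A file that parses as a DEX from offset 0 *and* as a ZIP with prepended bytes is the
    # dual-format shape the Janus bug relies on.
    result["janus_suspect"] = bool(result["starts_with_dex"] and result["prepended_bytes"] > 0)
    return result


def build_sample_apk() -> bytes:
    """Constructed stand-in for a v1-signed APK: a ZIP holding the entries a real APK carries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", "<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\0" + b"\0" * 104)  # placeholder, not real bytecode
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return buf.getvalue()


# Constructed stand-in for a prepended DEX: only the 0x70-byte header shape is mimicked.
FAKE_DEX_HEADER = b"dex\n035\0" + b"\0" * (0x70 - 8)


if __name__ == "__main__":
    clean = build_sample_apk()
    for label, blob in (("clean", clean), ("tampered", FAKE_DEX_HEADER + clean)):
        print(label, analyze_apk_bytes(blob))
```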
Google was informed of the vulnerability on July 31, 2017, but only released a patch to its partners in November. A fix was included in the Android Security Bulletin released on December 4, 2017.
Google May Allow Innovative Use of Android Accessibility Service
11.12.2017 securityweek Android
After getting complaints from many developers, Google is evaluating whether it should continue allowing Android applications to use accessibility services for purposes other than assisting people with disabilities.
Many Android adware and malware families that make it onto Google Play abuse the BIND_ACCESSIBILITY_SERVICE permission to obtain administrator privileges and for other unauthorized activities.
As a result, Google informed application developers last month that they had 30 days to either demonstrate that the accessibility service is actually needed to help users with disabilities or remove the use of the permission from their product. The Internet giant warned that those who fail to comply would risk having their apps pulled from the official store.
The developers of several popular applications that use the accessibility service for various features that may otherwise be difficult to implement complained on various forums and reached out to Google with their concerns. The list of impacted apps includes the LastPass password manager and the Tasker automation app – the latter is not designed specifically for people with disabilities, but it is used by them.
In response to complaints, Google told developers, “We’re evaluating responsible and innovative uses of accessibility services. While we complete this evaluation, we are pausing the 30 day notice we previously contacted you about.”
In the meantime, developers whose Android applications require the BIND_ACCESSIBILITY_SERVICE permission must clearly inform users of why the service is needed before asking them to enable it. Developers must also convince Google that their app uses the permission for responsible and innovative purposes.
“Your disclosure must meet the following requirements: In all cases, you must have a disclosure to explain why you need to observe user actions in general using the Accessibility Service API. For each accessibility capability declared, you must have an accompanying disclosure to describe the app functionality that the Accessibility Service permission is enabling for your app. (The default disclosure tells us ‘what’, but you must disclose to the user ‘why’),” Google told developers.
The information provided by application developers on how they use the service will help Google make a decision regarding the use of the accessibility service.
Microsoft Says ERP Product Private Key Leak Posed Little Risk
11.12.2017 securityweek Krypto
It took Microsoft more than 100 days to address a problem related to the use of the same digital certificate for all installations of its Dynamics 365 enterprise resource planning (ERP) product, but the company said the issue posed little risk.
Dynamics 365, a product hosted on Microsoft’s Azure cloud platform, has three main components: a production system, a development system, and a user acceptance testing system. The user acceptance system, also known as a sandbox, is a test environment that mimics the production system and allows remote access via RDP.
Developer Matthias Gliwka accessed the sandbox via RDP and noticed in the application’s Certificate Manager that it included a wildcard TLS certificate for the *.sandbox.operations.dynamics.com domain, along with its private key. The certificate, shared across all sandbox environments, had been issued by Microsoft’s own certificate authority (CA).
Since the certificate – for which the expert easily extracted the private key – had been used to encrypt traffic between users and the server, a man-in-the-middle (MitM) attacker in possession of the key could have intercepted data without raising any suspicion.
“The users of this user acceptance (sandbox) systems are high-value targets,” Gliwka explained in a blog post. “They are usually in key positions at the respective organization and have access to valuable information. The sandbox system itself often also contains sensitive information to make the tests more realistic. There is even a feature to copy the production database into the sandbox environment to enable this use case.”
Further analysis showed that all production systems used a wildcard certificate for the *.operations.dynamics.com domain. However, RDP access to production environments is not possible, making it more difficult to extract the certificate’s private key and launch an attack. Nevertheless, Gliwka believes this could have been achieved if the attacker had managed to find a code execution vulnerability on the server.
Microsoft told SecurityWeek that it has decided to update all sandbox and production environments to use unique certificates, but the company has described it as a “defense-in-depth” measure, claiming that “controls exist in production environments that render the described technique ineffective.”
While the issue may not have posed a big risk to Dynamics 365 users, Gliwka claims it took a lot of time to get Microsoft to take action. The developer reported his findings to Microsoft in mid-August, but the exposed wildcard certificates were only revoked in early December after German researcher and journalist Hanno Böck got involved and a ticket was opened on Mozilla’s bug tracker. Certificates whose private key has been compromised should normally be revoked within 24 hours.
Gliwka claims that during communications with Microsoft support, he was provided a phone number for the Marine Spill Response Corporation (MSRC), an oil spill and emergency response organization in the U.S., instead of contact information for the Microsoft Security Response Center (MSRC).
Database of 1.4 Billion Credentials Found on Dark Web
11.12.2017 securityweek Incident
Researchers have found a database of 1.4 billion clear text credentials in what appears to be the single largest aggregate database yet found on the dark web. These are not from a new breach, but a compilation of 252 previous breaches, including the previous largest combo list, Exploit.in.
The database was found by 4iQ on 5 December 2017. Announcing the discovery, the firm's founder and CTO Julio Casal, said, "This is not just a list. It is an aggregated, interactive database that allows for fast (one second response) searches and new breach imports... The database was recently updated with the last set of data inserted on 11/29/2017. The total amount of credentials (usernames/clear text password pairs) is 1,400,553,869."
It is a database designed to be used. It includes search tools and insert scripts explained in a README file. Another file called 'imported.log' lists the breach sources; for example '/inputbreach/linkedin110M_1 865M'. There are four such LinkedIn input files, in a total of 256 inputs.
The data is structured in an alphabetic directory tree fragmented in 1,981 pieces to allow fast searches. In a test, 4iQ notes, "searching for 'admin,' 'administrator' and 'root' returned 226,631 passwords of admin users in a few seconds." The combination of database structure and clear text credentials makes it an easy tool for bad actors to use for bad purposes. "Now even unsophisticated and newbie hackers can access the largest trove ever of sensitive credentials in an underground community forum," comments Casal. "Is the cyber crime epidemic about become exponentially worse?"
The raw data has probably been available to criminals on the dark web from soon after many of the breaches -- but this new database takes out much of the labor needed to use the stolen credentials.
"Large databases of passwords containing both hashed and clear text have been available for years, that are easy to download to use with password cracking software," Joe Carson, chief security scientist at password protection firm Thycotic, told SecurityWeek. "These password databases are available to both skilled hackers and script kiddies with basic knowledge that can be easily used with software that is easily downloadable from the internet. Today all you need is a computer and an internet connection to be a hacker."
But use of these databases still required effort. "In the past hackers would have accessed each breached database containing passwords, and correlated them on their own," he added; "but why do that when someone will do it for you and make it easy downloadable?"
Freelance security consultant and researcher Robin Wood (aka DigiNinja, author of the widely used Pipal password analyzer), explains how the database could be used by bad actors. "The most obvious," he says, "is to take large chunks of the files and spray them against popular sites to see which still work." This is basic 'credential stuffing'.
Carson notes that "previous research has found that at least 25 percent of leaked google passwords are still active and still work, which means that many people still fail to change their passwords even after a major data breach has occurred." The implication is that credential stuffing from this new database could prove very effective for the hackers.
Wood adds, "[The announcement] doesn't say whether the [discovery] lists which individual dump the creds came from, although it does say which sources were used to create the list; so that is a good list of targets to start with."
However, he also warns that the searchable nature of this database gives additional concerns. "It can also be used for more targeted attacks. Pick your target company and search for references to it in the list to find staff, contractors or suppliers. This could give both an initial foothold into the company, or -- if someone is already in -- to help move around if credentials have been reused internally."
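The spraying Wood describes shows up in login telemetry as one source failing against many distinct usernames in a short window. The following Python detector is an added example, not code from 4iQ or the quoted researchers; it runs over constructed sample log lines in an assumed format and reports sources that exceed a distinct-username threshold, together with any account that source then logged into successfully.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of web-login audit lines (not real traffic). The line format is an
# assumption made for this example: "<ISO timestamp> <OK|FAIL> user=<name> src=<ip>".
SAMPLE_LOG = """\
2017-12-11T09:00:01 FAIL user=alice src=203.0.113.7
2017-12-11T09:00:03 FAIL user=bob src=203.0.113.7
2017-12-11T09:00:05 FAIL user=carol src=203.0.113.7
2017-12-11T09:00:07 FAIL user=dave src=203.0.113.7
2017-12-11T09:00:09 FAIL user=erin src=203.0.113.7
2017-12-11T09:00:11 FAIL user=frank src=203.0.113.7
2017-12-11T09:00:13 OK user=gina src=203.0.113.7
2017-12-11T09:00:15 FAIL user=heidi src=203.0.113.7
2017-12-11T09:00:17 FAIL user=ivan src=203.0.113.7
2017-12-11T09:01:00 FAIL user=alice src=198.51.100.20
2017-12-11T09:01:20 FAIL user=alice src=198.51.100.20
2017-12-11T09:01:45 OK user=alice src=198.51.100.20
2017-12-11T09:10:00 FAIL user=judy src=192.0.2.5
2017-12-11T09:12:00 FAIL user=mallory src=192.0.2.5
2017-12-11T09:14:00 FAIL user=oscar src=192.0.2.5
2017-12-11T09:16:00 FAIL user=peggy src=192.0.2.5
2017-12-11T09:18:00 FAIL user=trent src=192.0.2.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_lines(text):
    """Turn raw log text into event dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append({"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
                           "user": m["user"], "src": m["src"]})
    return events


def detect_credential_stuffing(events, window_seconds=60, min_distinct_users=5):
    """Flag sources whose failed logins inside one sliding window hit at least
    min_distinct_users distinct usernames. Returns {src: finding}."""
    window = timedelta(seconds=window_seconds)
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_src[ev["src"]].append(ev)

    findings = {}
    for src, evs in by_src.items():
        fails = [e for e in evs if e["result"] == "FAIL"]
        best = None  # (distinct users, window start) of the densest window seen so far
        left = 0
        for right in range(len(fails)):
            # Slide the left edge so the window never spans more than window_seconds.
            while fails[right]["ts"] - fails[left]["ts"] > window:
                left += 1
            users = {e["user"] for e in fails[left:right + 1]}
            if len(users) >= min_distinct_users and (best is None or len(users) > best[0]):
                best = (len(users), fails[left]["ts"])
        if best is not None:
            # Successful logins from a spraying source are the accounts whose reused
            # credentials still worked; those are the ones to force-reset first.
            compromised = sorted({e["user"] for e in evs if e["result"] == "OK"})
            findings[src] = {"distinct_users": best[0],
                             "window_start": best[1].isoformat(),
                             "compromised": compromised}
    return findings


if __name__ == "__main__":
    for src, finding in detect_credential_stuffing(parse_lines(SAMPLE_LOG)).items():
        print(src, finding)
```

A slow spray spread over minutes or hours stays below a 60-second window, as the 192.0.2.5 lines show; widening the window catches it at the cost of more false positives from ordinary mistyped logins.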
What isn't clear is where this database has come from, nor why it has suddenly appeared on the dark web. Clearly, considerable time and effort has gone into its design and creation to make it large scale and easy to use; but it doesn't appear to have a direct monetization methodology for now. "There is not [sic] indication of the author of the database and tools," writes Casal, "although Bitcoin and Dogecoin wallets are included for donation." Of course, the author could be intending to 'charge' for future maintenance of the database with new additions as they become available.
"My first thought," comments Wood, "was whether this is the database that was behind the recently shut down LeakedBase site." LeakedBase was an online service that provided paid access to leaked credentials. It was shut down just days before 4iQ made its discovery. "Their database," continued Wood, "gave out clear text passwords, so it could be the same. Maybe the owners decided it was too risky running a site giving access to the creds but wanted to drop it out there and try to make some money off donations instead."
Whatever the reasons behind this database, its availability on the dark web provides an additional threat to users who don't change their passwords. "It is clear that people do not even change passwords after a major data breach," says Carson. "It is also poor hygiene that the companies impacted by these data breaches still do not force a password reset leaving many of their customers' accounts exposed and vulnerable to abuse by cybercriminals."
Dormant Keylogging Functionality Found in HP Laptops
11.12.2017 securityweek Hacking
A researcher has discovered that a touchpad driver present on hundreds of HP laptops includes functionality that can be abused for logging keystrokes. The vendor has released patches for the vast majority of affected devices.
Michael Myng was looking for ways to control the keyboard backlight functionality on HP laptops when he noticed that the driver from Synaptics (SynTP.sys) included keylogging functionality.
The problematic code is apparently part of a debugger implemented through the Windows software trace preprocessor (WPP). The feature is disabled by default, but a user with administrator privileges can enable it by changing a value in the Windows registry, allowing them to log keystrokes to a local file.
Myng informed HP of his findings and the company released updates that remove the problematic debugging functionality for nearly all impacted products. However, devices from other vendors that use this Synaptics driver could be affected as well.
“A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impacts all Synaptics OEM partners,” HP said in its advisory. “A party would need administrative privileges in order to take advantage of the vulnerability. Neither Synaptics nor HP has access to customer data as a result of this issue.”
The vulnerability, classified by the vendor as “medium severity,” impacts more than 460 laptop models, including many EliteBook, mt, ProBook, Spectre Pro, Stream, ZBook, Envy, Pavilion, Split and Omen devices.
Some people have pointed out that an attacker who has the privileges required to activate the keylogger functionality could do anything on the system, including install a proper keylogger, and would not need to exploit this vulnerability. Others, however, believe it could still be useful for malicious actors since the keylogging mechanism is already in place.
This is not the first time keylogging functionality has been found in software shipped with HP laptops. Back in May, researchers discovered that a Conexant audio driver installed on some HP laptops had been logging keystrokes to a file.
MoneyTaker group: Group-IB uncovered a cyber gang attacking banks in the USA and Russia
11.12.2017 securityaffairs CyberCrime
Group-IB spotted the operations of a Russian-speaking cyber gang tracked as MoneyTaker group that stole as much as $10 million from US and Russian banks.
Researchers from security firm Group-IB have spotted the operations of a Russian-speaking cyber gang tracked as MoneyTaker that has stolen as much as $10 million from U.S. and Russian banks in the last 18 months.
According to the experts, in less than two years the MoneyTaker group conducted over 20 successful attacks on financial institutions and law firms in the USA, UK, and Russia.
The average amount stolen from U.S. banks was about $500,000; the hackers also stole over $3 million from three Russian lenders.
The group primarily focused on card processing systems, including the AWS CBR (Russian Interbank System) and purportedly SWIFT (US). Experts believe that financial institutions in LATAM could be particularly exposed due to their usage of the STAR system.
The MoneyTaker group also targeted law firms and financial software vendors, Group-IB has confirmed that 20 companies were successfully hacked, with 16 attacks on US organizations, 3 attacks on Russian banks and 1 in the UK.
The researchers highlighted that the group remained under the radar by constantly changing their tools and switching tactics to evade detection.
“MoneyTaker uses publicly available tools, which makes the attribution and investigation process a non-trivial exercise,” explains Dmitry Volkov, Group-IB Co-Founder and Head of Intelligence. “In addition, incidents occur in different regions worldwide and at least one of the US Banks targeted had documents successfully exfiltrated from their networks, twice. Group-IB specialists expect new thefts in the near future and in order to reduce this risk, Group-IB would like to contribute our report identifying hacker tools, techniques as well as indicators of compromise we attribute to MoneyTaker operations”.
Group-IB first noticed the MoneyTaker group in 2016 when the hackers stole funds from a US bank by gaining access to First Data’s “STAR” network operator portal.
“In 2016, Group-IB identified 10 attacks conducted by MoneyTaker; 6 attacks on banks in the US, 1 attack on a US service provider, 1 attack on a bank in the UK and 2 attacks on Russian banks. Only one incident involving a Russian bank was promptly identified and prevented that is known to Group-IB.” reported the security firm.
“In 2017, the number of attacks has remained the same with 8 US banks, 1 law firm and bank in Russia being targeted. The geography, however, has narrowed to only the USA and Russia.”
The researchers at Group-IB discovered many similarities between the 20 incidents throughout 2016 and 2017: the hackers used the same tools and shared the attack infrastructure. That infrastructure is complex and delivers payloads only to victims whose IP addresses are on the group’s whitelist.
To evade detection, MoneyTaker employs SSL certificates generated using names of well-known brands such as Bank of America, Federal Reserve Bank, Microsoft, and Yahoo.
A look at the MoneyTaker arsenal reveals that the hackers use both borrowed and custom tools; in one case they developed a keylogger that is also able to take screenshots of the infected system.
The group's arsenal also includes ‘fileless’ malware that persists on infected systems through PowerShell and VBS scripts.
Experts observed the hackers using privilege escalation tools compiled from code presented at the Russian cybersecurity conference ZeroNights 2016. The group also used popular banking Trojans such as Citadel and Kronos in their attacks.
The Kronos malware was used to deliver the ScanPOS Point-of-Sale (POS) malware.
In an attack on a Russian bank through the AWS CBR, the MoneyTaker group used a tool called MoneyTaker v5.0 that has a modular structure that performs the following actions:
searches for payment orders and modifies them;
replaces original payment details with fraudulent ones;
Even after the attacks, the MoneyTaker group continues to spy on its victims: it continuously exfiltrates internal banking documentation (admin guides, internal regulations and instructions, change request forms, transaction logs) to learn about bank operations in preparation for future attacks.
Experts from Group-IB also discovered that MoneyTaker uses a pentest framework server and leverages Metasploit for its attacks.
“After successfully infecting one of the computers and gaining initial access to the system, the attackers perform reconnaissance of the local network in order to gain domain administrator privileges and eventually consolidate control over the network.” continues the firm.
Group-IB has already shared the findings of its investigation with Europol and Interpol.
Dark Web – The median price range for Android ransomware kits hits $200
11.12.2017 Securityaffairs Android
According to the firm Carbon Black, Android ransomware kits are very popular in the dark web, and the median price range for them hits $200.
According to the firm Carbon Black, Android ransomware kits are very popular in the dark web, more than 5,000 Android ransomware kit listings have been discovered in 2017.
Even though most ransomware kits still target Windows systems, Android ransomware kits are expected to grow in volume and price.
The median price range for Android ransomware kits hits $200, 20 times higher than the $10 median price of Windows ransomware kits.
Researchers at Carbon Black found 1,683 Android ransomware kits out of a total of 5,050 listings; their prices range from $250 up to $850.
The experts explicitly mentioned the case of the DoubleLocker ransomware for Android, which was spotted earlier this year by security researchers from cybersecurity firm ESET. DoubleLocker is the first-ever ransomware to abuse the Android accessibility feature, which implements alternative ways to interact with a mobile device; the malware not only encrypts the Android device's data but also changes the PIN lock.
Experts at Carbon Black also reported the case of a cybercriminal who wanted $854 for the Locker Android ransomware kit.
“We are already seeing an uptick in Android Ransomware kits in underground markets, selling for a much higher price. In our research, we discovered that the median price of ransomware targeting Windows OS is $10, whereas Android-capable ransomware has a median range of $200.” reads a report published by Carbon Black.
Rick McElroy, a Carbon Black security strategist, explained that there is a significant difference between typical iOS users and Android ones. Apple users tend to buy new devices every time a new model comes onto the market and update their applications and operating systems on a regular basis.
Android users, on the other hand, are remiss in updating their devices, giving attackers far more opportunities.
“One of the most surprising things was how many Android devices are out there that have not been updated for two years now, and probably never will,” McElroy says. “Updates are usually simple to conduct, but many users simply don’t do them.”
Crooks choose to target Android users because Android holds the largest smartphone OS market share worldwide, roughly 86% in the first quarter.
Another factor driving the median price higher for Android ransomware kits is the level of coding sophistication needed to create these tools, compared to the effort necessary to develop similar kits for Windows.
“This speaks a bit to how easy it is to get ransomware onto a Windows system versus other operation systems,” McElroy says. “The longer a developer has to spend to get his ransomware to work effectively at scale the higher the price will be.”
The last catalyst driving the median price higher for Android ransomware kits is the spike in the value of Bitcoin, the currency used for ransom payments: “with Bitcoin value increasing so quickly, the expansion of this space will likely be connected closely to the value of BTC.”
“However, as those attacks become tougher, and crypto-currency, such as Bitcoin, gains popularity; we believe ransom-based attacks such as screen-lock and file-encryption will gain popularity going forward.” concludes the report.
Severe flaws in most popular programming languages could expose to hack any secure application built on top of them
10.12.2017 securityaffairs Vulnerability
A security expert discovered severe flaws in the most popular programming languages that could expose any secure application built on top of them to attack.
Last week, IOActive Senior Security Consultant Fernando Arnaboldi presented at the Black Hat Europe 2017 security conference the results of an interesting piece of research into vulnerabilities in several popular interpreted programming languages.
The idea behind this excellent study is that securely developed applications may be affected by unidentified vulnerabilities in the underlying programming languages that could be triggered by attackers.
Fuzzing or fuzz testing is an automated software testing technique that involves providing invalid, unexpected, or random data as input to a computer application. The tester then monitors for exceptions such as crashes or failing built-in code assertions, or looks for potential memory leaks.
Using this technique, Google experts have discovered many flaws in popular software such as OpenSSL and Linux components.
Below is the list of programming languages tested by the researcher with the fuzzing technique.
Arnaboldi developed a custom “differential fuzzer”, XDiFF (Extended Differential Fuzzing Framework), specifically designed to test the structure of programming languages.
The expert released XDiFF as an open source project on GitHub.
The expert identified the most basic functions of the programming languages and tested them with the XDiFF fuzzer.
“Before execution, the fuzzer generates all possible test cases by performing a permutation between functions and payloads. The test cases combined one function of the programming language at the time with different payloads” reads the research paper titled “Exposing Hidden Exploitable Behaviors in Programming Languages Using Differential Fuzzing.”
“Finding interesting vulnerabilities is entirely dependent on choosing the correct input,” Arnaboldi explained. “For this testing, less than 30 primitive values were used (i.e. a number, a letter, etc.) combined with special payloads. These special payloads were defined so as to help identify when the software attempted to access external resources.”
The permutations between functions and payloads were tuned to expose vulnerabilities in the programming languages. “The test cases combined one function of the programming language at the time with different payloads.” continues the paper.
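To make the permutation concrete, here is a small differential harness in the spirit of the paper (an added example, not XDiFF itself): it takes the cross product of target functions and primitive payloads, records each outcome, and reports the payloads on which the targets disagree. Instead of comparing one function across several interpreters, it compares two Python parsers that an application might treat as interchangeable for plain literals, json.loads and ast.literal_eval; the payload list is constructed for this example.

```python
import ast
import itertools
import json

# Primitive payloads constructed for this example: a handful of numbers, words and
# container literals, mirroring the paper's use of fewer than 30 primitive values.
PAYLOADS = ["0", "-1", "1e5", "1_000", "0x10", "NaN", "Infinity", "true", "True",
            "null", "None", "", "[]", "{}", '"a"', "'a'", "[1,]", "1 2"]

# Functions under test: two parsers that are expected to agree on plain literals.
TARGETS = {"json.loads": json.loads, "ast.literal_eval": ast.literal_eval}


def run_case(func, payload):
    """Execute one function/payload pair and summarise what was observed."""
    try:
        value = func(payload)
    except Exception as exc:  # a rejected input is an observation, not a harness failure
        return ("exception", type(exc).__name__)
    return ("value", repr(value))


def generate_cases(targets, payloads):
    """Every permutation of function x payload, the way the paper builds its test set."""
    return list(itertools.product(targets, payloads))


def _signature(outcome):
    # Accept-versus-reject and differing values are interesting; which exception class
    # rejected the input is not, so every rejection collapses to one signature.
    return outcome if outcome[0] == "value" else ("exception",)


def differential_fuzz(targets=TARGETS, payloads=PAYLOADS):
    """Run all cases; return {payload: {target: outcome}} for payloads where targets disagree."""
    observations = {}
    for name, payload in generate_cases(targets, payloads):
        observations.setdefault(payload, {})[name] = run_case(targets[name], payload)
    return {p: o for p, o in observations.items()
            if len({_signature(v) for v in o.values()}) > 1}


if __name__ == "__main__":
    # Each reported payload is one parser accepting what the other rejects, or a
    # different value: exactly the hidden behaviour an application author may not expect.
    for payload, outcomes in differential_fuzz().items():
        print(repr(payload), outcomes)
```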
Arnaboldi exposed severe vulnerabilities in all the programming languages he analyzed with his fuzzer; he discovered the following issues:
Python contains undocumented methods and local environment variables that can be used for OS command execution.
Perl contains a typemaps function that can execute code like eval().
NodeJS outputs error messages that can disclose partial file contents.
JRuby loads and executes remote code on a function not designed for remote
PHP constant names can be used to perform remote command execution.
“Assuming no malicious intentions, these vulnerabilities may be the result of mistakes or attempts to simplify software development. The vulnerabilities ultimately impact regular applications parsed by the affected interpreters; however, the fixes should be applied to the interpreters,” says Arnaboldi.
According to Arnaboldi, an attacker can exploit these flaws to hack even the most secure applications built on top of these programming languages.
“Software developers may unknowingly include code in an application that can be used in a way that the designer did not foresee,” concludes the expert. “Some of these behaviors pose a security risk to applications that were securely developed according to guidelines.”
National Institute of Standards and Technology releases a second Draft of the NIST Cybersecurity Framework
10.12.2017 securityaffairs Safety
The National Institute of Standards and Technology (NIST) has published a second draft of a proposed update to the NIST Cybersecurity Framework.
“On December 5, 2017 NIST published the second draft of the proposed update to the Framework for Improving Critical Infrastructure Cybersecurity (a.k.a., draft 2 of Cybersecurity Framework version 1.1).” states the NIST.
“This second draft update aims to clarify, refine, and enhance the Cybersecurity Framework, amplifying its value and making it easier to use. The new draft reflects comments received to date, including those from a public review process launched in January 2017 and a workshop in May 2017.”
The NIST Cybersecurity Framework was first released in 2014; it aims to help organizations, particularly ones in the critical infrastructure sector, manage cybersecurity risks.
At the time, the NIST published the Framework for Improving Critical Infrastructure Security, a document that proposed cybersecurity standards and practices to build out a security program.
Today the NIST Cybersecurity Framework is considered a best practice guide implemented by numerous organizations and businesses.
The Cybersecurity Framework was developed based on an executive order issued by former U.S. President Barack Obama, and the current Trump administration also considers the Framework a set of best practices to be implemented by government agencies and critical infrastructure operators.
A cybersecurity executive order issued by the current administration of Donald Trump also requires federal agencies and critical infrastructure operators to use the framework.
After four years since its first release, NIST is now working on an updated version. A first draft of the NIST Cybersecurity Framework was released in January and now the second draft is available since December 5.
Like previous Version 1.0 issued in February 2014, this second draft is the result of extensive consultation with the private and public sectors.
The changes are based on 120 comments submitted in response to the first draft and discussions between 500 individuals who attended a workshop back in May.
According to the summary the update:
Declares applicability of Cybersecurity Framework for “technology,” which is minimally composed of Information Technology, operational technology, cyber-physical systems, and Internet of Things;
Enhances guidance for applying the Cybersecurity Framework to supply chain risk management;
Summarizes the relevance and utility of Cybersecurity Framework measurement for organizational self-assessment;
Better accounts for authorization, authentication, and identity proofing; and
Administratively updates the Informative References.
The second draft was released along with an updated roadmap that details plans for advancing the framework’s development process.
Comments on the second draft of the NIST Cybersecurity Framework can be sent to cyberframework(at)nist.gov until January 19, 2018.
NIST plans to release the final V1.1 within this fall, likely in “early calendar year 2018.”
NIST aims to check whether the revisions in version 1.1 reflect the changes in the current cybersecurity landscape. It is also important to evaluate the impact of the updated version on organizations currently implementing version 1.0 of the framework.
Spending on IT security will grow
10.12.2017 SecurityWorld Security
Among the respondents of the latest EY Global Information Security Survey (GISS), the threat of cyber attacks raises considerable concern. EY asked more than twelve hundred responsible staff and managers of leading global organizations about the most pressing risks and the related countermeasures.
Most of the organizations surveyed say they plan to increase spending on information and cyber security. As many as 9 out of 10 respondents expect the relevant budgets to grow this year. Almost all participants (87%) count on an increase in spending of up to half, which should allow them to respond to the development of relevant threats.
Three quarters of respondents, however, consider the most likely impetus for boosting these costs to be an incident that causes obvious damage. In contrast, 64% are convinced that a cyber security breach without demonstrable impact would leave the budget unchanged, even though in reality the consequences of a cyber attack are often not immediately obvious.
“The study showed that companies are still in reactive mode and are not approaching cyber threats actively and strategically,” says Petr Plecháček, head of IT advisory at EY in the Czech Republic. “They wait for a cyber event that threatens the whole company before increasing the budget. Not even the dramatic impact of last year's ransomware attacks is motivation for many companies to invest more or to revise their recovery plans,” he adds.
Companies nonetheless realize that a lack of adequate resources exposes them to a higher degree of risk, and in 56% of cases they therefore intend to revise their cyber security strategy or verify the allocation of resources. A full fifth, however, admit that they lack sufficient data for a detailed assessment of all the impacts.
“Today it is necessary to understand better and faster what is happening and to try to anticipate attacks. Probably the only right way is to invest in security tools that speed up and improve data analytics, and in the convergence of security technologies,” comments Plecháček.
Organizations fear malware and careless employees the most
Malware (64% versus 52% in 2016) and phishing (64% versus 51%) emerge from the survey as the threats that increased organizations' exposure to risk the most over the past twelve months. According to the companies surveyed, the most likely causes or originators of cyber attacks are careless employees (77%), organized cybercriminals (56%) and deliberate actions by their own employees (47%).
“Employees are bound by security rules and may thereby gain a false sense of security,” says Petr Plecháček, head of IT advisory at EY in the Czech Republic, analysing the study's results. “Cyber incidents are mentioned more often in the media today, and one may conclude that they are a fact that cannot be prevented. The adaptation of the individual, and by extension the whole organization, to new and changing attack vectors and forms is, however, a never-ending process,” he adds.
Roughly half of companies report regularly to top management. The person responsible for cyber security is a member of the leadership in fewer than a quarter of cases, and only 17% of executives have sufficient expertise to properly assess the effectiveness of preventive security measures.
In connection with countering advanced cyber attacks, i.e. those attributable to sophisticated attackers or organized groups, many organizations are aware of the possible limits of their own security measures. Three quarters of respondents rate the effectiveness of the methods by which the company should detect potential weaknesses as “very low to medium”. Some other results are also a warning sign: 12% of companies reportedly have no formalized security incident detection program, 35% apply inconsistent or no data protection policies at all, and 38% use no proper, or only ad hoc, processes for identity management or user access control.
The ability to face cyber attacks is supposed to be provided by security operations centres (SOCs). These should also function as centralized, structured and coordinating hubs for all of an organization's cyber security activities. Roughly half of respondents nevertheless admit that they do not use any such services, whether in-house or outsourced. A total of 57% use practically no analytical tools for detecting relevant threats. Only a tenth of respondents believe they would be able to detect a sophisticated cyber attack on their organization.
The ubiquitous call for connectivity and the expansion of the Internet of Things (IoT) give increasingly sophisticated perpetrators of cyber attacks new opportunities to abuse these modern technologies. In the manufacturing sector, however, the use of interconnected machines and technologies via IoT is still undervalued. Half of respondents state that the main brake on wider use of IoT is a lack of qualified people and funding.
“We consider the fear of a possible attack on the technology, or of misuse of data stored in the cloud, to be a fundamental brake on the development of IoT solutions in manufacturing companies. Companies thus often choose the approach of ‘better to do nothing’ rather than face a hypothetical threat,” says Jan Burian, senior manager in EY's business advisory department. “Yet it is precisely the use of cloud IoT platforms that enables efficient collection, analysis and visualization of complex data in real time across technologies and other data inputs,” he adds.
According to GISS respondents, the biggest challenge in IoT security is having an overview of all the applications and devices in use, and ensuring they are regularly updated.
“IoT plays a significant role in creating new business models, especially for companies manufacturing technologies that can be monitored remotely, have their software updated or be supplied with new services throughout their life cycle. This intention, however, leads to the closing of individual technology manufacturers' systems against other IoT platforms, which in turn increases the demands of navigating between individual platforms and makes orientation significantly harder for potential customers and users,” Burian concludes.
Linux.ProxyM IoT Botnet now used to launch hacking attacks against websites
10.12.2017 securityaffairs IoT
A new IoT botnet leveraging the Linux.ProxyM malware is currently being used by crooks in a campaign attempting to hack websites.
Security experts at Doctor Web discovered a new IoT botnet leveraging the Linux.ProxyM malware that is currently being used in a campaign attempting to hack websites.
Experts first analyzed Linux.ProxyM in July; it was used to create a proxy network by running a SOCKS proxy server on infected devices, which then relayed malicious traffic, disguising its real source.
The Trojan has been noted since February 2017 but peaked in late May.
According to Dr. Web, the number of devices infected with Linux.ProxyM had reached 10,000 by July, after its discovery in February 2017.
The malware is able to target devices based on different architectures including x86, MIPS, MIPSEL, PowerPC, ARM, Superh, Motorola 68000, and SPARC.
“Linux.ProxyM is a malicious program for Linux which launches a SOCKS proxy server on an infected device. Cybercriminals can use it to anonymously perform destructive actions.” wrote Dr Web.
“The known assembly of this Trojan exists for devices possessing the following architectures: x86, MIPS, MIPSEL, PowerPC, ARM, Superh, Motorola 68000, and SPARC. It means Linux.ProxyM can infect almost any Linux device, including routers, set-top boxes, and other similar equipment.”
The campaign observed in September abused the botnet to send out spam emails; experts estimated that each infected device generated around 400 messages per day.
Later attacks used the botnet to send out phishing emails, the messages supposedly came from DocuSign, a company that provides electronic signature technology and digital transaction management services for facilitating electronic exchanges of contracts and signed documents.
The phishing messages included a link to a fake DocuSign website that featured an authorization form, the attackers used this schema to trick victims into entering their credentials. Then the victims were being redirected to the real DocuSign authorization page.
In December, crooks started using the Linux.ProxyM’s proxy server to hack websites through various methods, including SQL injections, XSS (Cross-Site Scripting), and Local File Inclusion (LFI).
“[the hacking methods] are SQL injections (an injection of a malicious SQL code into a request to a website database), XSS (Cross-Site Scripting)—an attack method that involves adding a malicious script to a webpage, which is then executed on a computer when this page is opened, and Local File Inclusion (LFI).” continues the analysis.
“This kind of attack allows attackers to remotely read files on an attacked server using specially crafted commands. Among the attacked websites were game servers, forums and resources on other topics, including Russian websites.”
On Dec. 7, researchers at Dr. Web observed 20,000 attacks launched by the Linux.ProxyM botnet. About a month ago, the bots were launching nearly 40,000 attacks per day.
“Although Linux.ProxyM has only one function—a proxy server—cybercriminals continue finding new opportunities to use it for illegal actions and showing increasing interest in the ‘Internet of things’,” concludes Doctor Web.
Android Flaw Lets Hackers Inject Malware Into Apps Without Altering Signatures
10.12.2017 thehackernews Android
Millions of Android devices are at serious risk from a newly disclosed critical vulnerability that allows attackers to secretly overwrite legitimate applications installed on your smartphone with malicious versions.
Dubbed Janus, the vulnerability allows attackers to modify the code of Android apps without affecting their signature verification certificates, eventually allowing them to distribute malicious updates for legitimate apps that look and work the same as the originals.
The vulnerability (CVE-2017-13156) was discovered and reported to Google by security researchers from mobile security firm GuardSquare this summer and has been patched by Google, among four dozen vulnerabilities, as part of its December Android Security Bulletin.
However, the worrisome part is that the majority of Android users will not receive these patches for the next few months, until their device manufacturers (OEMs) release custom updates, leaving a large number of smartphone users vulnerable to hackers.
The vulnerability affects apps using APK signature scheme v1 installed on devices running Android versions 5 (Lollipop) and 6 (Marshmallow).
Explained: How Android Janus Vulnerability Works?
The vulnerability resides in the way Android handles APK installation for some apps, leaving a possibility to add extra bytes of code to an APK file without affecting the application's signature.
Before proceeding further, you need to know some basics about an APK file.
A valid APK file is a type of archive file, just like Zip, which includes application code, resources, assets, signatures, certificates, and manifest file.
Earlier Android versions, 5.0 (Lollipop) and 6.0 (Marshmallow), also support a process virtual machine that executes APK archives containing the application code compiled into the DEX (Dalvik EXecutable) file format.
While installing an Android app or its update, your device checks APK header information to determine if the archive contains code in the compressed DEX files.
If the header says the APK archive contains DEX files, the process virtual machine decompiles the code accordingly and executes it; otherwise, it runs the code as a regular APK file.
It turns out that an APK archive can contain DEX files as well as regular application code simultaneously, without affecting its validity and signatures.
Researchers found that this ability to add extra bytes of code, due to a lack of file integrity checking, could allow attackers to prepend malicious code compiled in DEX format to an APK archive containing legitimate code with valid signatures, eventually tricking the app installation process into executing both on the targeted device without being detected.
In other words, the hack doesn't require attackers to modify the code of legitimate applications (that makes signatures invalid)—instead, the vulnerability allows malware authors to merely add some extra malicious lines of code to the original app.
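A defender-side check for the file shape described above, added here as an example and not GuardSquare's or Google's code: it measures how many bytes precede the ZIP archive (bytes a v1 signature never covers) and compares that with the DEX header's own file_size field. The sample archive and the DEX-shaped blob are constructed inline; the blob is only a header with no code.

```python
"""Heuristic for Janus-shaped APKs (CVE-2017-13156): a DEX header in front of
a file that also carries a complete ZIP archive.  Added example, not
GuardSquare's or Google's code.  The ZIP end-of-central-directory (EOCD)
record says where the archive itself starts, so any bytes before that point
were prepended and lie outside what a v1 (JAR-style) signature covers."""
import io
import struct
import zipfile
from typing import List, Optional

DEX_MAGIC_PREFIX = b"dex\n"   # full magic is b"dex\n035\0"; version digits vary
ZIP_EOCD = b"PK\x05\x06"

def zip_prefix_length(data: bytes) -> Optional[int]:
    """Bytes preceding the ZIP archive, or None when no EOCD is present.
    EOCD: sig(4) disk(2) cd_disk(2) n_here(2) n_total(2) size_cd(4) offset_cd(4)."""
    eocd = data.rfind(ZIP_EOCD)
    if eocd == -1:
        return None
    size_cd, offset_cd = struct.unpack_from("<II", data, eocd + 12)
    return eocd - size_cd - offset_cd

def dex_declared_size(data: bytes) -> Optional[int]:
    """file_size field (offset 0x20) of a leading DEX header, else None."""
    if not data.startswith(DEX_MAGIC_PREFIX) or len(data) < 0x70:
        return None
    return struct.unpack_from("<I", data, 0x20)[0]

def classify_apk(data: bytes) -> str:
    """'zip' for a plain archive, 'janus' for DEX-then-ZIP, 'dex' for a bare
    DEX file, 'unknown' otherwise (for example some other prepended stub)."""
    prefix = zip_prefix_length(data)
    if prefix is None:
        return "dex" if data.startswith(DEX_MAGIC_PREFIX) else "unknown"
    if prefix == 0:
        return "zip"
    return "janus" if data.startswith(DEX_MAGIC_PREFIX) else "unknown"

def archive_entries(data: bytes) -> List[str]:
    """zipfile tolerates prepended data, as a v1 verifier does, so the entries
    and the signed digests they carry look identical with or without it."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return zf.namelist()

def build_zip(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries.items():
            zf.writestr(name, content)
    return buf.getvalue()

def build_fake_dex(payload_len: int) -> bytes:
    """Constructed DEX-shaped blob: valid magic plus consistent file_size and
    header_size fields, everything else zero.  It contains no code."""
    header = bytearray(0x70)
    header[0:8] = b"dex\n035\0"
    struct.pack_into("<I", header, 0x20, 0x70 + payload_len)
    struct.pack_into("<I", header, 0x24, 0x70)
    return bytes(header) + b"\0" * payload_len

# Constructed samples: a minimal APK-like archive, and the same archive with a
# 256-byte DEX-shaped blob prepended (the shape Janus relies on).
CLEAN_APK = build_zip({
    "AndroidManifest.xml": b"<manifest/>",
    "classes.dex": b"dex\n035\0" + b"\0" * 8,
    "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\n",
})
JANUS_SAMPLE = build_fake_dex(256) + CLEAN_APK
```

A prefix length that matches the leading DEX header's file_size is the tell: the archive is intact and its v1 signature still verifies, but the file starts with a complete DEX that the signature never saw.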
After creating malicious but valid versions of legitimate applications, hackers can distribute them using various attack vectors, including spam emails, third-party app stores delivering fake apps and updates, social engineering, and even man-in-the-middle attacks.
According to the researchers, it may be "relatively easy to trick some users because the application can still look exactly like the original application and has the proper signature."
I find the man-in-the-middle attack more interesting, as it could allow hackers to push malicious installations for apps designed to receive their updates over an unencrypted HTTP connection.
"When the user downloads an update of an application, the Android runtime compares its signature with the signature of the original version. If the signatures match, the Android runtime proceeds to install the update," GuardSquare explains.
"The updated application inherits the permissions of the original application. Attackers can, therefore, use the Janus vulnerability to mislead the update process and get an unverified code with powerful permissions installed on the devices of unsuspecting users."
"For experts, the common reverse engineering tools do not show the injected code. Users should always be vigilant when downloading applications and updates," the security firm added.
Since this vulnerability does not affect Android 7 (Nougat) and later, which support APK signature scheme version 2, users running older Android versions are highly recommended to upgrade their device OS (if available).
It's unfortunate, but if your device manufacturer neither offers security patches nor the latest Android version, then you should not install apps and updates from outside of Google Play Store to minimise the risk of being hacked.
Researchers also advised Android developers always to apply signature scheme v2 in order to ensure their apps cannot be tampered with.
Pre-Installed Keylogger Found On Over 460 HP Laptop Models
10.12.2017 thehackernews Hacking
HP has an awful history of 'accidentally' leaving keyloggers on its customers' laptops. At least twice this year, HP laptops were caught with pre-installed keylogger or spyware applications.
I was following a tweet made by a security researcher claiming to have found a built-in keylogger in several HP laptops, and now he has gone public with his findings.
A security researcher who goes by the name of ZwClose discovered a keylogger in several Hewlett-Packard (HP) laptops that could allow hackers to record your every keystroke and steal sensitive data, including passwords, account information, and credit card details.
The keylogger was found embedded in the SynTP.sys file, part of the Synaptics touchpad driver that ships with HP notebook computers, leaving more than 460 HP notebook models vulnerable to hackers.
Although the keylogger component is disabled by default, hackers can make use of available open source tools for bypassing User Account Control (UAC) to enable the built-in keylogger "by setting a registry value."
Here’s the location of the registry key:
The researcher reported the keylogger component to HP last month, and the company acknowledged the presence of the keylogger, saying it was actually "a debug trace" that was left in accidentally but has now been removed.
"A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impact all Synaptics OEM partners," HP says in its advisory, describing the keylogger as a potential, local loss of confidentiality.
"A party would need administrative privileges in order to take advantage of the vulnerability. Neither Synaptics nor HP has access to customer data as a result of this issue."
The company has released a driver update for all affected HP notebook models. If you own an HP laptop, you can look for updates for your model. The list of affected HP notebooks can be found at the HP Support website.
This is not the very first time when a keylogger has been detected in HP laptops. In May this year, a built-in keylogger was found in an HP audio driver that was silently recording all of its users' keystrokes and storing them in a human-readable file.
IoT Botnet Used in Website Hacking Attacks
9.12.2017 securityweek IoT BotNet
Embedded Malware Launches SOCKS Proxy Server on Infected IoT Devices
A botnet of Linux-based Internet of Things (IoT) devices is currently being used in a campaign attempting to hack websites, Doctor Web security researchers warn.
Called Linux.ProxyM, the malware has been around since February of this year, and was previously used in spam campaigns. The Trojan was designed to launch a SOCKS proxy server on infected devices and allows attackers to leverage the proxy to perform nefarious operations while hiding their tracks.
To date, the malware has been observed targeting devices with the following architectures: x86, MIPS, MIPSEL, PowerPC, ARM, Superh, Motorola 68000, and SPARC. Basically, it can infect “almost any Linux device, including routers, set-top boxes, and other similar equipment,” the researchers say.
Previous malicious campaigns leveraging the botnet were sending spam emails, with each infected device generating around 400 messages per day in September, Doctor Web says.
Soon after, the bot started sending phishing messages. The emails supposedly came from DocuSign, a service providing users with the possibility to download, view, sign, and track the status of electronic documents.
The phishing messages included a link to a fake DocuSign website that featured an authorization form, in an attempt to trick users into entering their credentials. After that, the victims were being redirected to the real DocuSign authorization page, while their login details had been sent to the attackers.
In December, Linux.ProxyM’s proxy server started being used to hack websites through various methods, including SQL injections, Cross-Site Scripting, and Local File Inclusion (LFI). The actors operating the botnet targeted game servers and forums, and resources on other topics, including Russian websites.
On Dec. 7, the security researchers observed 20,000 attacks launched by the botnet. About a month ago, the bots were launching nearly 40,000 attacks per day.
“Although Linux.ProxyM has only one function—a proxy server—cybercriminals continue finding new opportunities to use it for illegal actions and showing increasing interest in the ‘Internet of things’,” Doctor Web points out.