Critical flaw leaves thousands of Cisco Switches vulnerable to remote hacking
8.4.2018 thehackernews
Vulnerability

Security researchers at Embedi have disclosed a critical vulnerability in Cisco IOS Software and Cisco IOS XE Software that could allow an unauthenticated, remote attacker to execute arbitrary code, take full control over the vulnerable network equipment and intercept traffic.
The stack-based buffer overflow vulnerability (CVE-2018-0171) stems from improper validation of packet data in the Smart Install Client, a plug-and-play configuration and image-management feature that helps administrators deploy (client) network switches easily.


Embedi has published technical details and Proof-of-Concept (PoC) code after Cisco today released patch updates to address this remote code execution vulnerability, which has been given a base Common Vulnerability Scoring System (CVSS) score of 9.8 (critical).
Researchers found a total of 8.5 million devices with the vulnerable port open on the Internet, leaving approximately 250,000 unpatched devices open to hackers.
To exploit this vulnerability, an attacker needs to send a crafted Smart Install message to an affected device on TCP port 4786, which is opened by default.
"To be more precise, the buffer overflow takes place in the function smi_ibc_handle_ibd_init_discovery_msg" and "because the size of the data copied to a fixed-size buffer is not checked, the size and data are taken directly from the network packet and are controlled by an attacker," Cisco explains in its advisory.
The vulnerability can also result in a denial-of-service condition (watchdog crash) by triggering an indefinite loop on the affected devices.
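Because Smart Install listens on TCP port 4786 by default, the quickest exposure check an administrator can run is to look for sessions to that port that do not originate from a trusted management network. The following is an added example (not from the article, Embedi or Cisco) that runs that check over constructed NetFlow-style records; the flow column layout and the management subnet 10.10.0.0/24 are assumptions for illustration.

```python
"""Flag Smart Install (TCP/4786) sessions in flow records.

Added example for triaging exposure to CVE-2018-0171: Smart Install is a
management feature, so any TCP/4786 session whose source is not a trusted
management network deserves an alert. The CSV layout and the network ranges
below are assumptions for illustration, not a real export.
"""
import csv
import io
import ipaddress

SMART_INSTALL_PORT = 4786

# Assumed trusted management networks; adjust to your environment.
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed NetFlow-like records (not real traffic).
SAMPLE_FLOWS = """\
ts,src_ip,src_port,dst_ip,dst_port,proto,bytes
2018-04-08T10:00:01Z,10.10.0.5,51000,10.20.1.1,4786,tcp,920
2018-04-08T10:00:07Z,203.0.113.77,40122,10.20.1.1,4786,tcp,1466
2018-04-08T10:00:09Z,203.0.113.77,40123,10.20.1.2,4786,tcp,1466
2018-04-08T10:00:12Z,198.51.100.9,33000,10.20.1.1,22,tcp,3000
2018-04-08T10:00:15Z,203.0.113.77,40200,10.20.1.1,4786,udp,100
"""


def is_management(ip):
    """True when the address falls inside one of the trusted management nets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def find_smart_install_exposure(flow_csv):
    """Return flow rows for TCP sessions to 4786 from non-management sources."""
    flagged = []
    for row in csv.DictReader(io.StringIO(flow_csv)):
        if row["proto"].lower() != "tcp":
            continue                      # Smart Install is TCP only
        if int(row["dst_port"]) != SMART_INSTALL_PORT:
            continue
        if is_management(row["src_ip"]):
            continue                      # expected management traffic
        flagged.append(row)
    return flagged


def exposed_switches(flow_csv):
    """Distinct switch addresses that accepted Smart Install traffic from untrusted sources."""
    return sorted({r["dst_ip"] for r in find_smart_install_exposure(flow_csv)})


if __name__ == "__main__":
    for r in find_smart_install_exposure(SAMPLE_FLOWS):
        print(f"ALERT {r['ts']} {r['src_ip']} -> {r['dst_ip']}:{r['dst_port']} ({r['bytes']} bytes)")
    print("switches reached on TCP/4786 from untrusted sources:", exposed_switches(SAMPLE_FLOWS))
```

Any switch that shows up in the second list and does not actually need Smart Install should have the feature turned off (Cisco's advisory documents the `no vstack` command for that) in addition to receiving the fixed software; the flow check is a compensating control, not a substitute for the patch.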


Researchers demonstrated the vulnerability at a conference in Hong Kong after reporting it to Cisco in May 2017.
Video Demonstrations of the Attack:
In their first demonstration, shown in the video below, the researchers targeted a Cisco Catalyst 2960 switch, reset the password and entered privileged EXEC mode:


In their second demo, researchers exploited the flaw to successfully intercept the traffic between other devices connected to the vulnerable switch and the Internet.

Affected Hardware and Software:
The vulnerability was tested on Catalyst 4500 Supervisor Engines, Cisco Catalyst 3850 Series Switches and Cisco Catalyst 2960 Series Switches, but all devices that act as Smart Install clients are potentially vulnerable, including:
Catalyst 4500 Supervisor Engines
Catalyst 3850 Series
Catalyst 3750 Series
Catalyst 3650 Series
Catalyst 3560 Series
Catalyst 2960 Series
Catalyst 2975 Series
IE 2000
IE 3000
IE 3010
IE 4000
IE 4010
IE 5000
SM-ES2 SKUs
SM-ES3 SKUs
NME-16ES-1G-P
SM-X-ES3 SKUs
Cisco fixed the vulnerability in all of its affected products on 28th March 2018, and Embedi published a blog post detailing the vulnerability on 29th March. Administrators are strongly advised to install the free software updates that address the issue as soon as possible.


How to Make Your Internet Faster with Privacy-Focused 1.1.1.1 DNS Service

8.4.2018 thehackernews Safety

Cloudflare, a well-known Internet performance and security company, announced the launch of 1.1.1.1—the world's fastest, privacy-focused secure DNS service, which not only speeds up your internet connection but also makes it harder for ISPs to track your web history.
A Domain Name System (DNS) resolver, or recursive DNS server, is an essential part of the internet: it matches human-readable web addresses with their actual location on the internet, the IP address.
For example, when you try to open a website, say thehackernews.com, your DNS resolver looks up the IP address linked to that domain name so your browser can load the site.


Since the default DNS services provided by ISPs are often slow and insecure, most people rely on alternative DNS providers—such as OpenDNS (208.67.222.222), Comodo DNS (8.26.56.26) and Google (8.8.8.8)—to speed up their Internet.
But if you use Cloudflare's new 1.1.1.1 DNS service, your computer, smartphone or tablet will start resolving domain names in a blazing-fast 14.8 milliseconds—over 28% faster than others, such as OpenDNS (20.6ms) and Google (34.7ms).
Even if you visit websites over HTTPS, DNS resolvers log every site you visit, so your ISP or a third-party DNS service knows everything you do on the Internet.
"That means, by default, your ISP, every wifi network you’ve connected to, and your mobile network provider have a list of every site you’ve visited while using them," the company says.
However, Cloudflare has changed this game with its new free DNS service, which it claims will be "the Internet's fastest, privacy-first consumer DNS service," promising to prevent ISPs from easily tracking your web browsing history.
Cloudflare's public DNS resolvers, 1.1.1.1 and 1.0.0.1 (the latter as an alternate DNS server for redundancy), support both DNS-over-TLS and DNS-over-HTTPS to ensure maximum privacy.
The company has also promised not to sell users' data and to wipe all logs of DNS queries within 24 hours. It is also working with auditors at KPMG to examine its systems and guarantee it is not actually collecting your data.
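The privacy point above is easiest to see at the wire level: a classic DNS query carries the requested name in plaintext, while DNS-over-HTTPS wraps that same message inside an HTTPS request. The following added example (not Cloudflare's or the article's code) builds a DNS query, parses it back, and produces the RFC 8484 GET form of the query; the endpoint cloudflare-dns.com/dns-query is Cloudflare's published DoH address and is used here as an assumption. Nothing is sent over the network.

```python
"""Build and decode a DNS query, and wrap it for DNS-over-HTTPS.

Added example: shows what a resolver (and anyone on the path) sees in a
plaintext query, and how the identical message is carried inside an HTTPS
GET per RFC 8484. The DoH endpoint is Cloudflare's published address,
included as an assumption; no network traffic is generated.
"""
import base64
import struct

QTYPE_A = 1
QCLASS_IN = 1
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # assumed endpoint


def encode_name(name):
    """Encode a hostname as DNS labels: length byte + label, zero-terminated."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0):
    """12-byte header (RD=1 asks the resolver to recurse) + one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(msg, offset):
    """Decode labels at offset; compression pointers never occur in a question we built."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length & 0xC0:
            raise ValueError("compression pointers not handled here")
        if length == 0:
            return ".".join(labels), offset
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_query(msg):
    """Return (qname, qtype) of the single question in a query message."""
    txid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, offset = decode_name(msg, 12)
    qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
    return qname, qtype


def doh_url(query, endpoint=DOH_ENDPOINT):
    """RFC 8484 GET form: base64url of the wire message with padding removed.
    Queries use txid 0 so identical questions produce cacheable URLs."""
    token = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={token}"


if __name__ == "__main__":
    q = build_query("thehackernews.com")
    print("plaintext wire query:", q.hex())
    print("parsed back:", parse_query(q))
    print("DoH GET:", doh_url(q))
```

The plaintext hex dump is what an ISP resolver or anyone on the path can read; the DoH URL carries the same bytes, but inside TLS, so only the chosen resolver sees the name.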
How to Change DNS Settings to Boost Internet Speed
For Mac PCs:
Open System Preferences.
Search for DNS Servers and tap it.
Click the + button to add a DNS Server and enter 1.1.1.1 and 1.0.0.1 (for redundancy).
Click Ok and then Apply.
For Windows Computers:
Tap Start and then click on Control Panel.
Click on Network and Internet, and then tap Change Adapter Settings.
Right-click on the Wi-Fi network you are connected to, then click Properties.
Select Internet Protocol Version 4 and click Properties, and then write down any existing DNS server entries for future reference.
Now tap Use The Following DNS Server Addresses, and replace those addresses with the 1.1.1.1 DNS addresses: For IPv4: 1.1.1.1 and 1.0.0.1; and For IPv6: 2606:4700:4700::1111 and 2606:4700:4700::1001
Click OK, then Close, and Restart your browser.
For Android Devices:
Connect to your preferred WiFi network.
Enter your router’s gateway IP address in your browser. Fill in your username and password, if asked.
In your router's configuration page, locate the DNS server settings and write down any existing DNS server entries for future reference.
Replace those addresses with the 1.1.1.1 DNS addresses: For IPv4: 1.1.1.1 and 1.0.0.1, and For IPv6: 2606:4700:4700::1111 and 2606:4700:4700::1001
Save your settings, then restart your browser.
Note: Android requires a static IP to use custom DNS servers. This setup requires additional setup on your router, affecting your network’s strategy for adding new devices to the network. Cloudflare recommends configuring your router’s DNS instead, which gives all devices on your network the full speed and privacy benefits of 1.1.1.1 DNS.
For iOS Devices (iPhone/iPad):
From your iPhone's home screen, open Settings.
Open Wi-Fi and then your preferred network in the list.
Tap Configure DNS, and then click on Manual.
If there are any existing entries, tap the - button, and Delete next to each one.
Now, add 1.1.1.1 and 1.0.0.1 (as alternate DNS server for redundancy) to the DNS address.
Now, tap the Save button on the top right.
You’re all set to go! Your device now has faster, more private DNS servers.
Well, I have already switched to the Cloudflare DNS service. If you have too, please tell me about your experience in the comments below.


Google Bans Cryptocurrency Mining Extensions From Chrome Web Store
8.4.2018 thehackernews Cryptocurrency

In an effort to prevent cryptojacking by extensions that maliciously mine digital currencies without users' awareness, Google has implemented a new Web Store policy that bans any Chrome extension submitted to the Web Store that mines cryptocurrency.
Over the past few months, we have seen a sudden rise in malicious extensions that appear to offer useful functionality, while embedding hidden cryptocurrency mining scripts that run in the background without the user's knowledge.
Last month, cryptocurrency miners were even found in a Russian nuclear weapons lab and on thousands of government websites. In January, cryptocurrency mining malware also infected more than half-million PCs.


Until now, the only cryptocurrency mining extensions allowed on the Chrome Web Store were those intended solely for mining that explicitly informed users about how they work and how they generate revenue.
If the company found that a mining extension submitted by a developer was not in compliance and secretly mined cryptocurrency using a victim device's computing power, it simply blocked the extension.

Since about 90 percent of the mining extensions developers submitted to the Chrome Web Store failed to comply with the rules, the tech giant decided to ban all browser extensions that mine cryptocurrency (even if it's used for legitimate purposes) from its Web Store.
"Starting today, Chrome Web Store will no longer accept extensions that mine cryptocurrency," Google says in its Chromium Blog. "Existing extensions that mine cryptocurrency will be delisted from the Chrome Web Store in late June."
However, the ban on cryptocurrency mining extensions will not impact other digital currency and blockchain-related extensions, such as Bitcoin price checkers, blockchain browsers, and cryptocurrency wallet managers.


Google noted that its new move is "another step forward in ensuring that Chrome users can enjoy the benefits of extensions without exposing themselves to hidden risks."
Though banning cryptocurrency mining extensions is definitely a great move, the ban may not eliminate the problem as a whole, since attackers have increasingly been developing ways to hide their mining functionality in an extension until after it gets Chrome Web Store approval.
The ban comes less than a month after Google announced its plans to ban advertisements related to cryptocurrency.
Google is not the first one to impose a ban on cryptocurrency-related abuses. Late last month, Twitter announced its plan to block cryptocurrency-related ads on its platform, and in January, Facebook banned all ads promoting cryptocurrencies, including Bitcoin and ICOs.


Apple Plans to Replace Intel Chips in Macs with its Custom Designed CPUs
8.4.2018 thehackernews IT

In a major blow to Intel, Apple is reportedly planning to use its custom-designed ARM chips in Mac computers starting as early as 2020, ultimately replacing the Intel processors in its desktop and laptop hardware.
The company makes its own A-series custom chips for iPhones, iPads and other iThings, while Mac devices use Intel x64 silicon. Now, according to a Bloomberg report, Apple plans to replace Intel's Mac chips with its own homegrown CPUs.


The report says Apple executives have a project, codenamed "Kalamata," that designs desktop-grade Arm-compatible processors, along with a macOS port, allowing the company to craft a uniform architecture across all of its product lines.
The report also says this changeover would be part of a "multi-step transition" to make iOS devices and Macs "work more similarly and seamlessly together," helping Apple's plan (project codename 'Marzipan') to bring iOS apps to Mac for software cross-compatibility.
The changeover likely comes in the wake of recent high-profile security issues around Intel's chip architecture and chips from other manufacturers. It is similar to the approach Apple has taken in the past, switching to the PowerPC architecture in 1991 and to Intel in 2006.
With the changeover, Apple would not have to share 5% of its annual revenue with Intel and pay for exclusive deals to offer high-end processors first to its customers, and competitors would not be able to copy innovations so easily.
Switching to its own chips would also allow the company to control its own hardware roadmap better, and offer better performance to its users.


Bloomberg also notes that the revised Mac Pro laptops arriving next year will include an Apple-developed chip, and other Mac laptops will also receive Apple-developed chips this year.
Soon after the Bloomberg report was published, Intel's stock price took a hit, dropping by 9.2 percent, the biggest intraday drop in over two years. Shares were down 6.07 percent at $48.92 at the time of writing.
Rumors of Apple ditching Intel and switching to its own custom silicon have been circulating for a decade. Last September, a report also claimed Apple was looking to cut back on its reliance on Intel, but nothing of that sort happened.
Neither Apple nor Intel has yet responded to the report.


New Android Malware Secretly Records Phone Calls and Steals Private Data
8.4.2018 thehackernews Android

Security researchers at Cisco Talos have uncovered variants of a new Android Trojan that are being distributed in the wild disguised as a fake anti-virus application dubbed "Naver Defender."
Dubbed KevDroid, the malware is a remote administration tool (RAT) designed to steal sensitive information from compromised Android devices and capable of recording phone calls.
Talos researchers published technical details on Monday about two recent variants of KevDroid detected in the wild, following the initial discovery of the Trojan by South Korean cybersecurity firm ESTsecurity two weeks ago.
Though researchers haven't attributed the malware to any hacking or state-sponsored group, South Korean media have linked KevDroid with the North Korean state-sponsored cyber-espionage group "Group 123," known primarily for targeting South Korea.
The most recent variant of KevDroid malware, detected in March this year, has the following capabilities:
record phone calls & audio
steal web history and files
gain root access
steal call logs, SMS, emails
collect the device's location every 10 seconds
collect a list of installed applications
The malware uses an open-source library, available on GitHub, to record incoming and outgoing calls on the compromised Android device.

Although both malware samples have the same capabilities of stealing information on the compromised device and recording the victim's phone calls, one of the variants even exploits a known Android flaw (CVE-2015-3636) to get root access on the compromised device.
All stolen data is then sent to an attacker-controlled command and control (C2) server, hosted on PubNub global Data Stream Network, using an HTTP POST request.
"If an adversary were successful in obtaining some of the information KevDroid is capable of collecting, it could result in a multitude of issues for the victim," resulting in "the leakage of data, which could lead to a number of things, such as the kidnapping of a loved one, blackmail by using images or information deemed secret, credential harvesting, multi-factor token access (SMS MFA), banking/financial implications and access to privileged information, perhaps via emails/texts," Talos says.
"Many users access their corporate email via mobile devices. This could result in cyber espionage being a potential outcome for KevDroid."
Researchers also discovered another RAT, designed to target Windows users, that shares the same C&C server and also uses the PubNub API to send commands to compromised devices.
How to Keep Your Smartphone Secure
Android users are advised to regularly check the apps installed on their devices and remove any malicious, unknown or unnecessary app that appears in the list without their knowledge or consent.
Such Android malware can be used to target your devices as well, so if you own an Android device, you are strongly recommended to follow these simple steps to help avoid this happening to you:
Never install applications from 3rd-party stores.
Ensure that you have already opted for Google Play Protect.
Enable 'verify apps' feature from settings.
Keep "unknown sources" disabled while not using it.
Install anti-virus and security software from a well-known cybersecurity vendor.
Regularly back up your phone.
Always use an encryption application for protecting any sensitive information on your phone.
Never open documents that you are not expecting, even if it looks like it's from someone you know.
Protect your devices with a PIN or password lock so that nobody can gain unauthorized access to your device when it is left unattended.
Keep your device always up-to-date with the latest security patches.


Intel Admits It Won't Be Possible to Fix Spectre (V2) Flaw in Some Processors

8.4.2018 thehackernews Vulnerability

As speculated by the researcher who disclosed the Meltdown and Spectre flaws in Intel processors, some Intel processors will not receive patches for the Spectre (variant 2) side-channel analysis attack.
In a recent microcode revision guidance (PDF), Intel admits that it will not be possible to address the Spectre design flaw in certain old CPUs, because fully mitigating the issue requires changes to the processor architecture.
The chip-maker has marked the production status of a total of 9 product families as "Stopped"—Bloomfield, Clarksfield, Gulftown, Harpertown Xeon, Jasper Forest, Penryn, SoFIA 3GR, Wolfdale, and Yorkfield.
These vulnerable chip families—mostly old parts that went on sale between 2007 and 2011—will no longer receive microcode updates, leaving more than 230 Intel processor models, which power millions of computers and mobile devices, vulnerable to hackers.
According to the revised guidance, "after a comprehensive investigation of the microarchitectures and microcode capabilities for these products, Intel has determined to not release microcode updates for these products for one or more reasons."
Intel mentions three reasons in its documentation for not addressing the flaw in some of the impacted products:
Micro-architectural characteristics that preclude a practical implementation of features mitigating Variant 2 (CVE-2017-5715)
Limited Commercially Available System Software support
Based on customer inputs, most of these products are implemented as "closed systems" and therefore are expected to have a lower likelihood of exposure to these vulnerabilities.
The Spectre variant 2 vulnerability (CVE-2017-5715) affects systems whose microprocessors use speculative execution and indirect branch prediction, allowing a malicious program to read sensitive information, such as passwords and encryption keys, including that of the kernel, using a side-channel analysis attack.
However, these processors can still install the pre-mitigation production microcode updates that address Variant 1 (Spectre) and Variant 3 (Meltdown).
"We've now completed release of microcode updates for Intel microprocessor products launched in the last 9+ years that required protection against the side-channel vulnerabilities discovered by Google. However, as indicated in our latest microcode revision guidance, we will not be providing updated microcode for a select number of older platforms for several reasons, including limited ecosystem support and customer feedback," an Intel spokesperson said via email.
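Whether a given machine is in the "will never be fully mitigated" group is something an administrator can check from the operating system rather than from Intel's spreadsheet: Linux publishes the kernel's view of each issue under /sys/devices/system/cpu/vulnerabilities/, one file per flaw, holding "Not affected", "Mitigation: ..." or "Vulnerable...". The added example below (not Intel's or the article's code) classifies those lines; the sample content is constructed to resemble what an older CPU without updated microcode might report, and the real-file reader tolerates systems where the entries do not exist.

```python
"""Report kernel-visible Spectre/Meltdown mitigation status on Linux.

Added example. Linux exposes one file per issue under
/sys/devices/system/cpu/vulnerabilities/; the kernel writes "Not affected",
"Vulnerable..." or "Mitigation: ...". The Spectre v2 hardware controls
(IBRS/IBPB) are microcode features, so a CPU that will never get new
microcode is the case where spectre_v2 tends to stay "Vulnerable" or rely
on a software-only workaround. SAMPLE below is constructed, not captured.
"""
import os

SYSFS_DIR = "/sys/devices/system/cpu/vulnerabilities"
ISSUES = ("spectre_v1", "spectre_v2", "meltdown")

# Constructed sample resembling an older CPU without updated microcode.
SAMPLE = {
    "spectre_v1": "Mitigation: __user pointer sanitization",
    "spectre_v2": "Vulnerable: Retpoline without IBPB",
    "meltdown": "Mitigation: PTI",
}


def classify(line):
    """Map one sysfs line to not_affected / mitigated / vulnerable / unknown."""
    text = line.strip()
    if text.startswith("Not affected"):
        return "not_affected"
    if text.startswith("Mitigation"):
        return "mitigated"
    if text.startswith("Vulnerable"):
        return "vulnerable"
    return "unknown"


def read_sysfs(directory=SYSFS_DIR):
    """Read the live files; a missing file (old kernel, non-Linux) yields None."""
    status = {}
    for issue in ISSUES:
        try:
            with open(os.path.join(directory, issue)) as f:
                status[issue] = f.read()
        except OSError:
            status[issue] = None
    return status


def assess(status):
    """Return {issue: classification}; an absent entry counts as unknown."""
    return {issue: ("unknown" if line is None else classify(line))
            for issue, line in status.items()}


def needs_attention(status):
    """Issues that still need follow-up: anything not mitigated or not affected."""
    return sorted(issue for issue, c in assess(status).items()
                  if c in ("vulnerable", "unknown"))


if __name__ == "__main__":
    live = read_sysfs()
    for issue, line in live.items():
        print(f"{issue:12s} {line.strip() if line else '(no sysfs entry)'}")
    print("needs attention:", needs_attention(live) or "nothing")
```

On a host that reports `spectre_v2` as vulnerable and whose CPU is in one of the stopped families, the remaining options are the kernel's software mitigations, isolation (Intel's "closed system" argument), or replacement of the hardware.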
Besides Intel, AMD Ryzen and EPYC processors were also found vulnerable to 13 critical vulnerabilities that could allow an unauthorized attacker to access sensitive data, install persistent malware inside the chip, and gain full access to the compromised systems.
AMD has acknowledged reported vulnerabilities and promised to roll out firmware patches for millions of affected devices in the coming weeks.
However, CTS Labs, the security firm that discovered and disclosed the vulnerabilities, claimed that AMD could take several months to release patches for most of the security issues, where some of them cannot be fixed.


New Agent Tesla Spyware Variant Discovered
8.4.2018 securityweek
Virus

A new variant of the Agent Tesla spyware has been spreading via malicious Microsoft Word documents, Fortinet reports.

The malware was initially detailed last June, when security researchers discovered it was spreading via a Microsoft Word document containing an auto-executable malicious VBA Macro. When opening the document, users were asked to “enable content,” which resulted in the spyware being covertly installed if they did so.

The malicious documents observed in the recent campaign instead ask the victim to double-click a blue icon to enable a "clear view." This action, however, causes a POM.exe file to be extracted from the embedded object, saved to the system's temporary folder and executed.
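Both delivery vectors described here, the earlier auto-executing VBA macro and the newer embedded object behind a "double-click to view" lure, leave a footprint in the document's structure that a mail gateway or analyst can check before anything is opened. The following added example (not Fortinet's code) inspects an OOXML Word file for those two parts; OOXML documents are ZIP archives in which a VBA project is stored as word/vbaProject.bin and embedded OLE objects under word/embeddings/. A minimal document is constructed in memory so the check runs offline.

```python
"""Triage a .docx/.docm for macro and embedded-object delivery vectors.

Added example. OOXML files are ZIP archives: a VBA project lives in
word/vbaProject.bin and embedded OLE objects under word/embeddings/.
Either part in an unexpected inbound document is a reason to hold it.
The sample documents built here are constructed stand-ins, not malware.
"""
import io
import zipfile

MACRO_PART = "word/vbaProject.bin"
EMBEDDING_PREFIX = "word/embeddings/"


def inspect_office_doc(data):
    """Return findings for an OOXML document supplied as bytes."""
    findings = {"is_ooxml": False, "has_macros": False, "embedded_objects": []}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        return findings               # legacy OLE2 .doc or not an Office file
    if "[Content_Types].xml" not in names:
        return findings               # a zip, but not an OOXML package
    findings["is_ooxml"] = True
    findings["has_macros"] = MACRO_PART in names
    findings["embedded_objects"] = sorted(
        n for n in names if n.startswith(EMBEDDING_PREFIX) and not n.endswith("/"))
    return findings


def risk_summary(findings):
    """Human-readable reasons to hold the document; empty list means none found."""
    reasons = []
    if findings["has_macros"]:
        reasons.append("VBA project present")
    if findings["embedded_objects"]:
        reasons.append(f"{len(findings['embedded_objects'])} embedded object(s)")
    return reasons


def make_sample_doc(with_macro=False, with_embedding=False):
    """Constructed stand-in for a Word file; only the ZIP layout matters here."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr(MACRO_PART, b"\xd0\xcf\x11\xe0 placeholder")
        if with_embedding:
            zf.writestr("word/embeddings/oleObject1.bin", b"\xd0\xcf\x11\xe0 placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for label, doc in (("clean", make_sample_doc()),
                       ("macro", make_sample_doc(with_macro=True)),
                       ("embedded", make_sample_doc(with_embedding=True))):
        print(label, risk_summary(inspect_office_doc(doc)) or ["nothing flagged"])
```

The check is deliberately structural: it does not try to decide whether the embedded object is benign, only whether the document carries a part that an ordinary letter or invoice has no reason to contain.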

The POM.exe executable is written in Visual Basic and acts as an installer, Fortinet’s Xiaopeng Zhang reveals.

The Agent Tesla spyware was designed to collect keystrokes, system clipboard, screenshots, and credentials from a variety of installed software. To perform its nefarious activities, the malware creates different threads and timer functions in the main function.

The new malware variant has the same capabilities as the previously observed version, but uses SMTPS to send the collected data to the attacker’s email box, instead of HTTP POST requests.

“Based on my analysis, the commands used in the SMTP method include ‘Passwords Recovered’, ‘Screen Capture’, and ‘Keystrokes’, etc. The commands are identified within the email’s ‘Subject’ field,” the security researcher explains.

To receive the stolen information, the attacker registered a free Zoho email account for this campaign. The email service provider has been informed of the abuse, Fortinet says.


After Cambridge Analytica Facebook COO Sandberg admits other possible misuses
8.4.2018 securityaffairs
Social

After the Cambridge Analytica privacy scandal, Facebook chief operating officer Sheryl Sandberg admitted that the company cannot rule out other cases of misuse.
In the wake of recent revelations about the Cambridge Analytica scandal, Facebook chief operating officer Sheryl Sandberg does not rule out other cases of data misuse.

Sandberg gave two interviews last week, to National Public Radio and NBC's "Today Show," during which she acknowledged the company's serious responsibility. She pointed out that Facebook was not able to prevent third parties from abusing its platform, and said that the company should have taken further steps to protect the privacy of its users.

“We know that we did not do enough to protect people’s data,” Sandberg told NPR. “I’m really sorry for that. Mark is really sorry for that, and what we’re doing now is taking really firm action.”

“Safety and security is never done, it’s an arms race,” she said. “You build something, someone tries to abuse it.”

“But the bigger is, ‘Should we have taken these steps years ago anyway?'” Sandberg said. “And the answer to that is yes.”

“We really believed in social experiences, we really believed in protecting privacy, but we were way too idealistic,” she added.

“We did not think enough about the abuse cases and now we’re taking really firm steps across the board.”

One of the most debated aspects of the Cambridge Analytica scandal is that Facebook was aware of the misuse years earlier. Unfortunately, this is true, and Sandberg confirmed it. She said that Facebook first learned two and a half years ago that Cambridge Analytica had obtained user data in an illegal way.

“When we received word that this researcher gave the data to Cambridge Analytica, they assured us it was deleted,” she said. “We did not follow up and confirm, and that’s on us — and particularly once they were active in the election, we should have done that.”

When asked by the "Today Show" whether other cases of misuse of user data could be expected, Sandberg said it is possible, and that for this reason the social media giant is conducting an investigation.

"We're doing an investigation, we're going to do audits and yes, we think it's possible, that's why we're doing the audit," she told NPR.

"That's why this week we shut down a number of use cases in other areas — in groups, in pages, in events — because those are other places where we haven't necessarily found problems, but we think that we should be more protective of people's data."

Sandberg announced that from next week the news feed will include a feature that lets users see all the apps they've shared their data with.
She described it as "a place where you can see all the apps you've shared your data with and a really easy way to delete them."

Sandberg admitted that Facebook should have detected the Russian interference in the 2016 presidential election, but said it was a lesson for the company, which will not permit it again in the future.

“That was something we should have caught, we should have known about,” she told NPR. “We didn’t. Now we’ve learned.”

"We're going after fake accounts," she said. "A lot of it is politically motivated but even more is economically motivated."

Zuckerberg will appear before a US congressional panel next week to address privacy issues.


Pocket cryptofarms

7.4.2018 Kaspersky Android  Cryptocurrency
Investigating mobile apps for hidden mining
In recent months, the topic of cryptocurrency has been a permanent news fixture — the value of digital money has been see-sawing spectacularly. Such pyrotechnics could hardly have escaped the attention of scammers, which is why cryptocurrency fluctuations have gone hand in hand with all kinds of stories. These include hacked exchanges, Bitcoin and Monero ransoms, and, of course, hidden mining. We’ve noticed that attackers no longer limit themselves to servers, desktops, and laptops. They are increasingly drawn to mobile devices, mainly Android. We decided to take a closer look to see which mobile apps stealthily mine digital coins on user devices and how widespread they are.

Primitive counterfeit apps
We found several types of malware posing as popular programs and games, but actually just showing ads and secretly mining cryptocurrencies using the CoinHive SDK. In particular, we unearthed counterfeit versions of Instagram, Netflix, Bitmoji, and others. The scammers had added the word “hack” to the original app names. These “hacked” apps were distributed through forums and third-party stores. Kaspersky Lab products detect such programs as RiskTool.AndroidOS.Miner.

Fragment of RiskTool.AndroidOS.Miner.a code that runs a hidden miner and displays an advertising page

Advertising page that RiskTool.AndroidOS.Miner.a shows to the user

Primitive miners based on web frameworks
There are a number of web frameworks that make it easy to create mobile apps, including miners. At the heart of such an app lies a web page containing a JS script for mining cryptocurrency (for example, the CoinHive script). Most of the miners we found of this type were based on the Thunkable and Cordova frameworks. These apps are most commonly distributed through third-party sites, although one of them was found in the official Google Play store, from which it was removed after we reported it.

Screenshot of a game in the Google Play store that mined cryptocurrency

We also found one app built on a different framework, Andromo. It looks like a discount aggregator at first glance, but instead of linking to sites with discounted products, it loads a page that mines cryptocurrency and doesn’t even try to hide it:

One more app caught our eye — Crypto Mining for Children. Based on the B4A framework, it was found in the official Google store (at the time of writing this article it had been deleted). Its stated goal was to mine cryptocurrency for charity. But the description contained no word about where or how the coins would be spent — something that any bona fide fundraising organization would publish. What’s more, the name of the developer bore a striking resemblance to that of a well-known mobile app (a cryptocurrency wallet), but with one letter missing. That’s a common trick used by phishers.

Useful apps infected with miners
This category consists of programs that Kaspersky Lab products detect as Trojan.AndroidOS.Coinge: popular apps to which cybercriminals have added malicious code for mining cryptocurrency.

Infected version of the TSF Launcher app

Interestingly, the cybercriminals added the malicious code to the code of other SDKs used by the app. That way, the app runs a library that does the mining. Not only that, we managed to detect a modification of this Trojan that does away with the need for a library: the malware adds its code to all web pages it opens. It’s worth noting that both methods of infection are similar to those used by Trojan-PSW.AndroidOS.MyVk to steal passwords.

A modification of Trojan.AndroidOS.Coinge adds mining code to all opened web pages

We managed to detect 23 different apps infected by Trojan.AndroidOS.Coinge.

Miners in apps for watching soccer
According to Kaspersky Security Network, the most common mining apps among those we found were connected to the topic of soccer. The name PlacarTV (placar means “account” in Portuguese) or something similar cropped up frequently. The main function of such apps was to show soccer videos while secretly mining cryptocurrency.

The PlacarTV app uses CoinHive for mining

The PlacarTV app interface

Our data shows that some of these apps were distributed through Google Play, with the most popular having been installed more than 100,000 times.

A modification of the PlacarTV app that was distributed through Google Play

The apps access the placartv.com server. This same domain is used in the developer’s email address specified in the Google Play store. Unbeknown to visitors, the site placartv.com runs a script that mines cryptocurrency.

Code of the placartv.com page used to mine cryptocurrency

Mobile clickers
Members of the Trojan.Clicker malware family typically open web pages and click them without the user noticing. Such pages can contain both adverts and subscriptions to WAP services. But having started to make easy money from unsuspecting users, the creators seemingly got greedy. And it wasn’t long before cryptocurrency mining was added to the feature set of some clickers. We already analyzed a similar case when a miner was caught lurking in the modules of the Loapi Trojan.

Another Trojan-turned-miner is Ubsob. This malware poses as a suite of useful apps. When started, it downloads and installs an app that it uses to mask itself. Its creators broadened their horizons by adding code borrowed from the app NeoNeonMiner for cryptomining.

Installation of the original app initialized by the Ubsob Trojan

Furthermore, the Trojan requests device administrator rights to establish a foothold in the system. This means that to delete it, it must first be removed from the list of device administrators. During the process, the malware displays a scary message – “These action can lead to data lost. Are you really wont to erase all your data?”

Message displayed by the Ubsob Trojan when attempting to deprive it of administrator rights

The Trojan mainly “resides” in CIS countries, above all Russia.

Other interesting finds
Fire-prevention miner
Probably the most interesting Trojan we analyzed is Trojan.AndroidOS.Coinge.j. It has no legitimate app functions at all and installs itself either as a porn app or as an Android system app. As soon as it starts, the malware requests device administrator rights to prevent its removal.

Trojan.AndroidOS.Coinge.j requests device administrator rights

The Trojan uses several layers of encryption and obfuscation to protect its code from analysis, but that’s not the only string to its bow. The malware monitors the device battery and temperature to mine cryptocurrency without posing a fire hazard. It seems the cybercriminals have no desire to repeat the “success” of Loapi, which incinerated our test phone.

Almost a third (29%) of the Trojan's victims were in India. It is also active in the United States (8%), Britain (6%), Iran (5%), and Ukraine (5%). Like Ubsob, it uses the code of a legitimate app to mine cryptocurrencies.

VPN with undocumented features
We found another battery and temperature-monitoring miner in Google Play under the guise of the Vilny.net VPN app for establishing a VPN connection. By the time of detection, it had been installed more than 50,000 times. We reported it to Google.

Code of the Vilny.net VPN app

Information about the Vilny.net VPN app on Google Play

Conclusion
Keep in mind that mobile mining has a number of limitations:

First, mobile devices trail a long way behind desktop systems performance-wise, let alone dedicated mining farms, which eats into the profitability of cryptocurrency mining on mobile devices.
Second, heavy use of mobile devices causes them to heat up noticeably, alerting the user.
Lastly, smartphones’ relatively small battery power means they discharge quickly if used intensively, making mining more visible to the user and time-limited.
However, our study showed that cybercriminals are not put off by these limitations. We uncovered numerous mobile miners built on various frameworks and distributed in various ways, including through the official Google Play store. Perhaps cybercriminals are banking on compensating for smartphones’ poor performance and mobile miners’ easy detection through the sheer number of handheld devices out there and their high infectibility.

MD5


Facebook's Sandberg Says Other Cases of Data Misuse Possible
7.4.2018 securityweek 
Social

Facebook was aware more than two years ago of Cambridge Analytica's harvesting of the personal profiles of up to 87 million users and cannot rule out other cases of abuse of user data, chief operating officer Sheryl Sandberg said.

Sandberg, who joined Facebook in 2008 from Google, has been largely silent since the privacy scandal broke but she gave interviews on Thursday and Friday to National Public Radio and NBC's "Today Show."

"We know that we did not do enough to protect people's data," Sandberg told NPR. "I'm really sorry for that. Mark (Zuckerberg) is really sorry for that, and what we're doing now is taking really firm action."

"Safety and security is never done, it's an arms race," she said. "You build something, someone tries to abuse it."

"But the bigger (question) is, 'Should we have taken these steps years ago anyway?'" Sandberg said. "And the answer to that is yes.

"We really believed in social experiences, we really believed in protecting privacy, but we were way too idealistic," she said.

"We did not think enough about the abuse cases and now we're taking really firm steps across the board."

Facebook has been scrambling for weeks in the face of the disclosure of the hijacking of private data by the British consulting group working for Donald Trump's 2016 presidential campaign.

'That's on us'

Sandberg said Facebook was first aware two and a half years ago that Cambridge Analytica had obtained user data from a researcher who put up a poll on Facebook.

"When we received word that this researcher gave the data to Cambridge Analytica, they assured us it was deleted," she said. "We did not follow up and confirm, and that's on us — and particularly once they were active in the election, we should have done that."

Sandberg was asked by the "Today Show" if other cases of misuse of user data could be expected.

"We're doing an investigation, we're going to do audits and yes, we think it's possible, that's why we're doing the audit," she said.

"That's why this week we shut down a number of use cases in other areas — in groups, in pages, in events — because those are other places where we haven't necessarily found problems, but we think that we should be more protective of people's data," she told NPR.

Sandberg said that starting Monday, the social network will put on top of its news feed "a place where you can see all the apps you've shared your data with and a really easy way to delete them."

Sandberg said Facebook also should have been more proactive in dealing with Russian interference in the 2016 presidential election.

"That was something we should have caught, we should have known about," she told NPR. "We didn't. Now we've learned."

"We're going after fake accounts," she told the "Today Show." "A lot of it is politically motivated but even more is economically motivated."

Zuckerberg accepted responsibility this week for the failure to protect user data but maintained he was still the best person to lead the network of two billion users.

He is to appear before a US congressional panel next week to address privacy issues.

Facebook shares were down slightly in mid-morning trading in New York on Friday.


Best Buy Impacted by Payment Card Breach
7.4.2018 securityweek  Incident

After Delta Air Lines and Sears Holdings, Best Buy has also come forward to warn customers that their payment card information may have been compromised as a result of a breach suffered by online services provider [24]7.ai.

Similar to Delta and Sears, Best Buy contracted [24]7.ai for online chat/support services. The retailer says it will contact impacted customers and provide free credit monitoring if needed.

Best Buy has not specified exactly how many of its customers are impacted, but noted that “only a small fraction of our overall online customer population could have been caught up in this [24]7.ai incident, whether or not they used the chat function.”

San Jose, CA-based [24]7.ai provides customer acquisition and engagement solutions to organizations in a wide range of sectors and any of them could be impacted by this incident. Its website lists several major firms, but some of them apparently no longer do business with the company.

Delta has set up a dedicated page on its website and it has provided some new information regarding the incident. According to the airline, cybercriminals planted a piece of malware in [24]7.ai software, which captured some payment card data between September 26 and October 12, 2017.

“[The malware] made unauthorized access possible for the following fields of information when manually completing a payment card purchase on any page of the delta.com desktop platform during the same timeframe: name, address, payment card number, CVV number, and expiration date,” Delta explained.

The airline believes the incident may impact hundreds of thousands of customers, but it cannot say definitively whether any information has actually been stolen by the attackers.

It appears that the malware involved in this attack is capable of harvesting payment card information entered on websites that use the [24]7.ai chat software. Consumers may be impacted even if they have not directly used the chat functionality, which has only been leveraged as a point of entry to the websites of major organizations. These types of attacks have been common in the past years.

Sears Holdings, the company that owns the Sears and Kmart retail store brands, says the incident has impacted the credit card information of less than 100,000 customers.

Sears and Delta said they were only notified by [24]7.ai in mid and late March, several months after the breach had been supposedly contained.

Contacted by SecurityWeek, [24]7.ai said it could not provide any additional information about the breach, citing client confidentiality agreements.


New Strain of ATM Jackpotting Malware Discovered
7.4.2018 securityweek 
Virus

A new type of ATM jackpotting malware has been discovered. Dubbed ATMJackpot, the malware appears to be still under development, and to have originated in Hong Kong. There are no current details of any deployment or use.

ATMJackpot was discovered and analyzed by Netskope Threat Research Labs. It has a smaller footprint than earlier strains of jackpotting malware, but serves the same purpose: to steal money from automated teller machines (ATMs).

ATM jackpotting -- also known as a logical attack -- is the use of malware to control cash dispensing from individual ATMs. The malware can be delivered locally to each ATM via a USB port, or remotely by compromising the ATM operator network.

Jackpotting has become an increasing problem in recent years, originally and primarily in Europe and Asia. In 2017, Europol warned that ATM attacks were increasing. "The malware being used has evolved significantly and the scope and scale of the attacks have grown proportionately," said Steven Wilson, head of Europol's EC3 cybercrime center.

The first attacks against ATMs in the U.S. were discovered in January 2018 following an alert issued by the Secret Service. In March 2018, the alleged leader of the Carbanak group was arrested in Spain. Carbanak is believed to have stolen around $1.24 million over the preceding years. Its method was to compromise the servers controlling ATM networks by spear-phishing bank employees, and then use foot soldiers (mules) to collect money dispensed from specific ATMs at specific times.

It is not clear whether the ATMJackpot malware discovered by Netskope is intended to be manually installed via USB on individual ATMs, or downloaded from a compromised network. Physical installation on an ATM is not always difficult. In July 2017, IOActive described how its researchers could gain access to the Diebold Opteva ATM. It was achieved by inserting a metal rod through a speaker hole and raising a metal locking bar. From there they were able to reverse engineer software to get access to the money vault.

Jackpotting malware is designed to avoid the need to physically break into the vault. It can be transferred via a USB port to the computer part of the ATM that controls the vault. Most ATMs use a version of Windows that is well understood by criminals. ATMJackpot malware first registers the Windows class name 'Win' with a procedure for the malware activity.

The malware then populates the options on the window and initiates a connection with the XFS manager. The XFS subsystem provides a common API to access and manipulate the ATM devices from different vendors. The malware then opens a session with the service providers and registers to monitor events. It opens a session with the cash dispenser, the card reader and the PIN pad service providers.

It is then able to monitor events and issue commands. It can read data from the PIN pad, dispense cash, and eject cards.

Whether ATMJackpot will be used in earnest is not yet known. Nevertheless, it is a new example of the malware used in a growing problem -- stealing money from the world's automated teller machines.

Los Altos, CA-based Netskope is a cloud access security broker (CASB). Founded in 2012, it announced an oversubscribed Series E funding round that raised $100 million in June 2017, bringing the total raised by the company to $231.4 million.


Critical Flaws Expose Natus Medical Devices to Remote Attacks
7.4.2018 securityweek 
Vulnerability

Researchers at Cisco Talos have identified several critical vulnerabilities that expose Natus medical devices to remote hacker attacks. The vendor has released firmware updates that patch the flaws.

The vulnerabilities allow remote code execution and denial-of-service (DoS) attacks and they impact the Natus NeuroWorks software, which is used by the company’s Xltek electroencephalography (EEG) equipment to monitor and review data over the network.

According to Cisco, an attacker with access to the targeted network can remotely execute arbitrary code on the device or cause a service to crash by sending specially crafted packets. An attack does not require authentication.

“Vulnerable systems are searched for by attackers as points of ingress and persistence within computer networks. A vulnerable system can be compromised by threat actors, used to conduct reconnaissance on the network, and as a platform from which further attacks can be launched,” Talos warned.

Remote code execution on vulnerable Natus devices is possible due to four different functions that can cause a buffer overflow. All of the code execution flaws have been rated “critical” with CVSS scores of 9 or 10. The DoS vulnerability, rated “high severity,” is caused by an out-of-bounds read issue.

Cisco said it reported the vulnerabilities to Natus in July 2017, but the bugs were only confirmed in October. The flaws have been tested on Natus Xltek NeuroWorks 8 and they have been patched with the release of NeuroWorks 8.5 GMA2.

Healthcare facilities that use the affected products have been advised to install the update as soon as possible. The risk of attacks involving these vulnerabilities is relatively high considering that the devices are widely deployed – Natus was recently reported to have a 60 percent share in the global neurodiagnostic market. Furthermore, Cisco has made available technical information for each of the vulnerabilities.

The healthcare industry has been increasingly targeted by malicious actors, including in attacks involving ransomware and theft of sensitive information. The infosec community and authorities have issued numerous warnings, and recent reports show that there are plenty of healthcare product vulnerabilities that hackers could exploit in their operations.


Researchers Link New Android Backdoor to North Korean Hackers
7.4.2018 securityweek  Android

The recently discovered KevDroid Android backdoor is tied to the North Korean hacking group APT37, Palo Alto Networks researchers say.

Also tracked as Reaper, Group 123, Red Eyes, and ScarCruft, the threat group was observed earlier this year to be using a Flash Player zero-day vulnerability and has been expanding the scope and sophistication of its campaigns over the past months.

Recently, the group was said to have targeted victims with Android spyware via spear phishing emails. Cisco’s Talos security researchers analyzed the malware, which they called KevDroid, but weren’t able to find a strong connection with the group.

According to Palo Alto Networks, however, KevDroid is indeed part of APT37’s arsenal of mobile tools. Furthermore, the security researchers were able to find a more advanced version of the spyware, as well as Trojanized iterations of legitimate applications that are used as downloaders for the malware.

The Android spyware was initially found to be masquerading as an anti-virus app from Naver, a large search and web portal service provider in South Korea.

One version of the malware, Palo Alto’s Ruchna Nigam discovered, would call home to cgalim[.]com, a domain already associated with the Reaper group’s non-mobile attacks. Artefacts from the original malware variant eventually revealed a more advanced iteration of the malware, the security researcher notes.

The threat actor apparently uses two Trojanized application versions to distribute Android spyware variants. The legitimate applications – Bitcoin Ticker Widget and PyeongChang Winter Games – are distributed through Google Play, but the malicious variants never made it to the official app store.

The two Trojanized applications, which are signed with the same certificate, contact the same URL to fetch payloads, and were observed serving an advanced iteration of the Android spyware. Each of the malicious apps was created to “respectively download and drop one specific variant of Reaper’s Android spyware,” Nigam says.

Once installed, the apps would display a message asking the user to update them. If the user accepts the update, however, the malicious payload is downloaded instead and saved as AppName.apk. Next, the payload is loaded and the user is asked to confirm the installation.

The spyware can record audio and video, capture screenshots, grab the phone’s file listing, fetch specific files, download a list of commands, get device info, and root the device. Additionally, it can steal voice recordings from incoming and outgoing calls, call logs, SMS history, contact lists, and information on registered accounts on the phone.

Unlike the previously detailed variants of the malware that used an open source library to record calls, the most recent – and more advanced – variant of the malware writes its own call recording library.

“The emergence of a new attack vector, followed by the appearance of new variants disguising themselves as currently relevant applications like the Winter Olympics, indicates expanding operations of the Reaper group that are actively in development,” Nigam concludes.


RSA to Acquire Behavioral Analytics Firm Fortscale
7.4.2018 securityweek  IT

RSA on Thursday announced that it has entered an agreement to acquire Fortscale, a company that provides behavioral analytics solutions. Financial terms of the deal have not been disclosed.

Fortscale’s technology is designed to identify threats using a combination of predictive, big data analytics and machine learning. It automatically identifies deviations from normal behavior and warns security teams of potential risks, such as shared user credentials, remote access anomalies, and abuse of privileged user accounts.

As a result of the acquisition, RSA wants to provide customers new user and entity behavioral analytics (UEBA) capabilities through its NetWitness Platform.

RSA acquires Fortscale

“RSA NetWitness UEBA directly addresses and overcomes obstacles that standalone solutions have encountered due to their high cost and high touch requirements,” said Idan Tendler, CEO and co-founder of Fortscale. “RSA NetWitness UEBA requires minimal customization and no manual tuning. It is designed to detect unknown threats and to address malicious behavior in which exploits have received elevated permissions.”

Since its launch in 2013, Fortscale has raised a total of $23 million, including $7 million roughly one year ago.

RSA also announced a new version of its NetWitness Platform. Version 11.1 includes not only UEBA Essentials, but also Endpoint Insights, which helps organizations manage endpoints, and Dynamic Log Visibility, which uses dynamic parsing technology to provide instant access to log data.

Later this month, RSA will also make available NetWitness Orchestrator, a product powered by Demisto that should make it easier for security teams to investigate incidents. The NetWitness Orchestrator suggests analyst assignments, enhances playbooks, and identifies the best course of action for investigations, RSA said.


VirusTotal presents its new Android Droidy sandbox
7.4.2018 securityaffairs Android

VirusTotal announced on Thursday the launch of a new Android sandbox, named Droidy sandbox, that will replace the previous one that was designed in 2013.
“Recently we called out Additional crispinness on the MacOS box of apples sandbox, continuing with our effort to improve our malware behavior analysis infrastructure we are happy to announce the deployment of a new Android sandbox that replaces the existing system that was developed back in 2013.” reads the announcement published by VirusTotal.

The Droidy sandbox was specifically designed to analyze mobile threats. It can be used to obtain information on network communications and SMS-related activities, file system interactions, SQLite database usage, permissions, Java reflection calls, process and service actions, registered receivers, and crypto-related activity.

The Droidy sandbox is integrated with other services, such as VirusTotal Graph and VirusTotal Intelligence; the company aims to create a complete environment for malware analysis that helps professionals analyze threats.

To see the output of the new Droidy sandbox, select it from the drop-down menu in the Behavior section, which also lists the Tencent HABO analysis system.

It is an important improvement for the VirusTotal platform; data from the Droidy sandbox complement the Tencent HABO results.

The two sandboxes are part of a multisandbox project that aims to aggregate malware analysis sandbox reports.

“VirusTotal is much more than just an antivirus aggregator; we run all sorts of open source/private/in-house tools to further characterize files, URLs, IP addresses and domains in order to highlight suspicious signals.” states VirusTotal.

“Similarly, we execute a variety of backend processes to build relationships between the items that we store in the dataset, for instance, all the URLs from which we have downloaded a given piece of malware.“

Selecting Droidy sandbox from the behavior menu it is possible to see general information about the analyzed sample. Users can also go deeper in their analysis and “dig into the hooked calls and take a look at the screenshots generated when running the apps.”

Droidy sandbox

“To understand the extent to which this is an improvement with respect to the 2013 setup, you can take a look at the following report. It displays by default the output of the old sandbox. Use the selector to see the new report with VirusTotal Droidy:

https://www.virustotal.com/#/file/f1475147b50a2cc868e308d87457cebd35fd6443ef27adce67a6bb3e8b865073/behavior” continues VirusTotal.

“Wrapping up, don’t think of this as just new functionality to dissect individual threats. All of this data contributes to the bigger picture and increases the power of our telescope lens that sheds light into malicious behaviors on the Internet.” concluded VirusTotal.


A Remote Code Execution Vulnerability found in the Spring Framework. Upgrade it now!
7.4.2018 securityaffairs
Vulnerability

Security experts have discovered a vulnerability in the Spring Framework that could be exploited by a remote attacker to execute arbitrary code on applications built with it.
Security researchers have discovered three vulnerabilities in the Spring Development Framework, one of them could be exploited by a remote attacker to execute arbitrary code on applications built with it.

Pivotal’s Spring is a widely used open source framework for the development of web applications. The affected Spring Framework versions are 5.0 to 5.0.4, 4.3 to 4.3.14, and older versions.

The security advisory published by Pivotal includes technical details of the following three vulnerabilities:

CVE-2018-1270: Remote Code Execution with spring-messaging, it is rated as “Critical”.
“Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions allow applications to expose STOMP over WebSocket endpoints with a simple, in-memory STOMP broker through the spring-messaging module.” reads the advisory.

An attacker can send specially crafted messages to the broker in order to trigger the remote code execution flaw.

CVE-2018-1271: Directory Traversal with Spring MVC on Windows, it is rated as “High”.
“Spring Framework versions 5.0 to 5.0.4, 4.3 to 4.3.14, and older unsupported versions allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images).” reads the advisory.

An attacker can use a specially crafted URL to launch a directory traversal attack.

CVE-2018-1272: Multipart Content Pollution with Spring Framework, it is rated as “Low”.
“When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.” reads the advisory.

An attacker who can guess the multipart boundary value chosen by server A for its request to server B could exploit the issue. This means the attacker would first need to gain control of the server, or find a way to read server A's HTTP logs through a separate attack vector.
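The multipart pollution described above, as an added illustration that is not Spring's or Pivotal's code: a builder standing in for server A, a minimal parser standing in for server B, and a hardened builder that uses an unpredictable boundary and refuses values containing it. The field names, the guessed boundary and the sample values are constructed for this example.

```python
"""Multipart content pollution (the CVE-2018-1272 bug class), illustrated.

Server A forwards a client-supplied value to server B inside a multipart
request. If the attacker can predict A's boundary string, a value embedding
that boundary is parsed by B as an extra part. All names and values below
are constructed for this example.
"""
import re
import secrets

# Constructed: a boundary an attacker could guess, and a client value that
# smuggles a second "role" part behind the legitimate "username" part.
GUESSED_BOUNDARY = "predictableBoundary123"
ATTACKER_VALUE = (
    "alice\r\n--" + GUESSED_BOUNDARY
    + '\r\nContent-Disposition: form-data; name="role"\r\n\r\nadmin'
)
# Server A sets the role itself and only forwards the username from the client.
FIELDS = {"role": "user", "username": ATTACKER_VALUE}


def build_multipart(fields, boundary):
    """Server A (unsafe): encode fields as multipart/form-data, no value checks."""
    lines = []
    for name, value in fields.items():
        lines.append(f"--{boundary}")
        lines.append(f'Content-Disposition: form-data; name="{name}"')
        lines.append("")
        lines.append(value)
    lines.append(f"--{boundary}--")
    return "\r\n".join(lines) + "\r\n"


def parse_multipart(body, boundary):
    """Server B (simplified): split on the boundary and return {name: value}.

    A later part with the same name overwrites an earlier one, which is what
    turns an injected part into a changed value on server B.
    """
    parts = {}
    for chunk in body.split(f"--{boundary}")[1:]:
        if chunk.startswith("--"):
            break  # closing delimiter reached
        chunk = chunk.strip("\r\n")
        if not chunk:
            continue
        head, _, value = chunk.partition("\r\n\r\n")
        match = re.search(r'name="([^"]*)"', head)
        if match:
            parts[match.group(1)] = value
    return parts


def build_multipart_safe(fields, boundary=None):
    """Server A (hardened): fresh random boundary per request, and reject any
    value that contains the boundary so it can never terminate its own part."""
    boundary = boundary or secrets.token_hex(16)
    for name, value in fields.items():
        if boundary in value:
            raise ValueError(f"part {name!r} contains the multipart boundary")
    return build_multipart(fields, boundary), boundary


def forward_unsafe():
    """A uses the guessable boundary: B ends up with role=admin."""
    body = build_multipart(FIELDS, GUESSED_BOUNDARY)
    return parse_multipart(body, GUESSED_BOUNDARY)


def forward_safe():
    """A uses a random boundary: the smuggled text stays inside 'username'."""
    body, boundary = build_multipart_safe(FIELDS)
    return parse_multipart(body, boundary)


if __name__ == "__main__":
    print("guessable boundary ->", forward_unsafe())
    print("random boundary    ->", forward_safe())
```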

Pivotal's Spring framework Data REST

The above issues are addressed in Spring Framework 5.0.5 and 4.3.15. Pivotal also released Spring Boot 2.0.1 and 1.5.11.0.

Development teams need to upgrade their software to the latest versions as soon as possible.


Best Buy Hit by [24]7.ai Payment Card Breach
6.4.2018 securityaffairs Incident


Improved Visibility a Top Priority for Security Analysts
6.4.2018 securityweek  Security

Security Analysts Require Improved Visibility as well as Improved Threat Detection

Vendors listen to existing and potential customers to understand how to improve their products over time. At the smallest level, they use focus groups. At the largest level they employ market research firms to query thousands or more respondents in relevant roles and industry sectors. Somewhere in between, they run their own relatively small-scale surveys primarily for their own benefit.

This is what Boston, MA-based next-gen endpoint protection firm Barkly did, querying some 70 IT and security professionals to understand what mid-market users look for and are not currently getting from their endpoint security controls. Not surprisingly, 60% of the respondents say that adding to or improving protection is their top priority -- possibly because 88% of them consider that there are types of attacks (for example, the growing practice of employing fileless attacks) that current security simply does not block.

More surprising, however, is that 40% of the respondents prioritize improving forensic and response capabilities as their current top priority. This may partly be driven by the new breed of regulations -- and in particular, GDPR -- that demand increasingly rapid incident disclosure, and remediation of the breach vector to prevent repeats.

Alternatively, this may simply be down to a high ratio of alerts (including both true-positives and false-positives) to human-resources with their current products. While the sample size of the survey is small, forty-five percent of the respondents, Barkly says, "admit they currently don’t have enough time to investigate and respond to the incidents they’re already seeing now. Adding to that workload with complex endpoint detection and response (EDR) solutions without considering current limitations is obviously not a productive answer."

The need for improved automation to reduce the time for manual involvement also shows in users' top frustrations with current solutions. Twenty-seven percent of the respondents are concerned with poor visibility into incidents, and 25% are concerned about limited investigative/response features. A further 18% find current solutions difficult and time-consuming to manage.

The need to make incident response faster and simpler is the driving force behind Barkly's new version 3.0 launched today. Rapid response comes from two new features: endpoint isolation; and file quarantine and delete. The first enables an administrator to instantly remove an affected device from the network while the incident is investigated.

This is a one-click operation via the Barkly CommandIQ management portal, and can be enacted from any location, on- or off-site at any time via any remote or mobile device with internet access. As soon as the affected device is cleaned or confirmed to be clean, it can just as easily be returned to the network. It means that both an alert and its response can be handled instantly without requiring the security administrator to be in his office or to return to his office first.

The second feature automatically quarantines a blocked malicious executable. This instantly contains the threat, but maintains administrative access to the file for further investigation before deletion. Again, this can be performed either from the administrator's office desktop, or remotely via a mobile device.

A further two new features help analysts to investigate incidents. The first provides an automated interactive method for users to provide context, which is fed back to the analyst, whenever a file or process is blocked. The second is Incident Path Visualization, enabling analysts to trace malicious processes back to their origins.

Together, these features provide rapid forensic insight into the cause of the incident, allowing the security team to leverage the insights gained to improve their security going forwards.

Barkly version 3.0 adds the ability for automated and rapid response to its existing machine-learning threat detection engine. Its ability to do this via any mobile device means there is no delay if an incident occurs while administrators are off-site. The intention is to enable existing staff levels to handle workloads more efficiently without being stretched too thin, and without requiring additional company manpower.


Intel Discontinues Keyboard App Affected by Critical Flaws
6.4.2018 securityweek 
Vulnerability

Serious vulnerabilities have been found in Intel’s Remote Keyboard application, but the company will not release any patches and instead advised users to uninstall the app.

Introduced in June 2015, the Intel Remote Keyboard apps for Android and iOS allow users to wirelessly control their Intel NUC and Compute Stick devices from a smartphone or tablet. The Android application has been installed more than 500,000 times.

Researchers discovered recently that all versions of Intel Remote Keyboard are affected by three severe privilege escalation flaws.

The most serious of them, rated “critical” and identified as CVE-2018-3641, allows a network attacker to inject keystrokes as a local user. The vulnerability was reported to Intel by a UK-based researcher who uses the online moniker trotmaster.

Another vulnerability, tracked as CVE-2018-3645 and rated “high severity,” was reported to Intel by Mark Barnes. The researcher discovered that Intel Remote Keyboard is affected by a privilege escalation flaw that allows a local attacker to inject keystrokes into another keyboard session.

The third security hole is CVE-2018-3638, which allows an authenticated, local attacker to execute arbitrary code with elevated privileges. Intel has credited Marius Gabriel Mihai for finding this vulnerability.

Intel does not plan on releasing patches for these vulnerabilities. The company has decided to discontinue the product and advised users to uninstall the apps at their earliest convenience. Intel Remote Keyboard has been removed from both Google Play and the Apple App Store.

Intel also published a security advisory this week to warn customers of an important denial-of-service (DoS) vulnerability affecting the SPI Flash component in multiple processors. The flaw was discovered by Intel itself and mitigations are available.

The company also informed users of a privilege escalation flaw in 2G modems, including XMM71xx, XMM72xx, XMM73xx, XMM74xx, Sofia 3G, Sofia 3G-R, and Sofia 3G-RW. The issue impacts devices that have the Earthquake Tsunami Warning System (ETWS) feature enabled.

A network attacker can exploit the vulnerability to execute arbitrary code. “Devices equipped with an affected modem, when connected to a rogue 2G base station where non-compliant 3GPP software may be operational, are potentially at risk,” Intel said.

The company says it has developed patches for this vulnerability.

“External researchers reported a potential security vulnerability in the implementation of the Earthquake and Tsunami Warning System (ETWS) in certain Intel 2G modem firmware implementations. Intel has developed firmware updates that address the issue, and we have been working closely with our customers and partners to deploy the updates to affected products as soon as possible,” Intel told SecurityWeek in an emailed statement.


New macOS Backdoor Linked to Cyber-espionage Group
6.4.2018 securityweek  Apple  CyberSpy

A recently discovered macOS backdoor is believed to be a new version of malware previously associated with the OceanLotus cyber-espionage group, Trend Micro says.

Also known as APT 32, APT-C-00, SeaLotus, and Cobalt Kitty, OceanLotus is believed to be operating out of Vietnam and has been targeting high-profile corporate and government organizations in Southeast Asia. Well-resourced and determined, the group uses custom-built malware and already established techniques.

Some of the group’s targets include human rights organizations, media organizations, research institutes, and maritime construction firms.

The newly discovered macOS backdoor, which Trend Micro detects as OSX_OCEANLOTUS.D, has been observed on machines that have the Perl programming language installed.

The malware is being distributed via malicious documents attached to emails. The document masquerades as the registration form for an event with HDMC, an organization in Vietnam that advertises national independence and democracy.

The document contains malicious, obfuscated macros with a payload written in Perl. The macro extracts an XML file from the Word document. This file is an executable acting as the dropper for the final payload, which is the backdoor.

The dropper, which has all of its strings encrypted using a hardcoded RSA256 key, is also used to establish the backdoor’s persistence on the infected systems. The dropper checks whether it is running as root or not, and uses a different installation path and filename depending on the result.

The dropper sets the backdoor’s attributes to “hidden” and uses random values for the file date and time, and deletes itself at the end of the process.

The backdoor has two main functions: collecting platform information and sending it to the command and control (C&C) server, and handling additional C&C communication, which is encrypted before being sent.

“Malicious attacks targeting Mac devices are not as common as its counterparts, but the discovery of this new macOS backdoor that is presumably distributed via phishing email calls for every user to adopt best practices for phishing attacks regardless of operating system,” Trend Micro concludes.


Unprotected Switches Expose Critical Infrastructure to Attacks: Cisco
6.4.2018 securityweek 
Attack

Cisco has advised organizations to ensure that their switches cannot be hacked via the Smart Install protocol. The networking giant has identified hundreds of thousands of exposed devices and warned that critical infrastructure could be at risk.

The Cisco Smart Install Client is a legacy utility that allows no-touch installation of new Cisco switches. Roughly one year ago, the company warned customers about misuse of the Smart Install protocol following a spike in Internet scans attempting to detect unprotected devices that had this feature enabled. It also made available an open source tool for identifying devices that use the protocol.

Attackers can abuse the Smart Install protocol to modify the configuration file on switches running IOS and IOS XE software, force the device to reload, load a new IOS image, and execute high-privilege commands. These attacks rely on the fact that many organizations fail to securely configure their switches, rather than an actual vulnerability.

According to Cisco, sophisticated nation-state groups have also abused Smart Install in their campaigns, including the Russia-linked threat actor tracked as Dragonfly, Crouching Yeti and Energetic Bear, which has been known to target critical infrastructure.

Cisco has decided to once again warn organizations of the risks associated with Smart Install following the disclosure of a critical vulnerability discovered recently by researchers at Embedi.

The flaw, tracked as CVE-2018-0171, allows a remote and unauthenticated attacker to cause a denial-of-service (DoS) condition or execute arbitrary code by sending specially crafted Smart Install messages to an affected device on TCP port 4786. Researchers said they had identified roughly 250,000 vulnerable Cisco devices with TCP port 4786 open.

Cisco’s own Internet scans revealed 168,000 systems potentially exposed due to their use of the Cisco Smart Install Client. The company says the number of impacted devices has decreased considerably since 2016, when security firm Tenable identified more than 250,000 exposed systems.

Throughout the end of 2017 and early 2018, Cisco’s Talos group noticed attackers increasingly looking for misconfigured clients. Now that CVE-2018-0171 has been found, the risk of attacks has increased even more, especially since Embedi has released technical details and proof-of-concept (PoC) code.

There is no evidence that CVE-2018-0171 has been exploited in malicious attacks. Cisco also noted that much of the activity it has seen is likely not malicious, but the company says the sharp increase in scanning is noteworthy.

Cisco Smart Install scanning

The vendor has provided recommendations for preventing potential attacks and advised customers to remove the Smart Install Client from devices where it’s not needed. Smart Install is enabled by default on switches that have not received a recent update that automatically disables the feature when it’s not in use.

While it’s unclear if Smart Install was involved, Cylance reported recently that the Dragonfly cyberespionage group had hijacked a core Cisco router at a major state-owned energy conglomerate in Vietnam and abused it to obtain credentials that were later leveraged in attacks targeting energy companies in the United Kingdom.


Financial Services DDoS Attacks Tied to Reaper Botnet
6.4.2018 securityweek  BotNet

Recorded Future's "Insikt" threat intelligence research group has linked the Mirai variant IoTroop (aka Reaper) botnet with attacks on the Netherlands financial sector in January 2018.

The existence of IoTroop was first noted by Check Point in October 2017. At that point the botnet had not been used to deliver any known DDoS attacks, and its size was disputed. What was clear, however, was its potential for growth.

In January 2018, the financial services sector in the Netherlands was hit by a number of DDoS attacks. Targets included ABN Amro, Rabobank and ING, but at that time the source of the attacks was unknown.

Insikt researchers now report that at least one of these financial services attacks -- and possibly more -- was the first known use of IoTroop to deliver a DDoS attack. "IoTroop is a powerful internet of things (IoT) botnet," reports Insikt, "primarily comprised of compromised home routers, TVs, DVRs, and IP cameras exploiting vulnerabilities in products from major vendors including MikroTik, Ubiquity and GoAhead."

The attack itself was not excessively high by modern standards. "The initial attack was a DNS amplification attack with traffic volumes peaking at 30Gb/s," reports Insikt -- far short of the 1.7Tb/s attack that occurred in February.

If the IoTroop assumption is correct, it is clear the botnet has evolved extensively since its discovery last year. Fortinet's SVP products and solutions reported last month, "the Reaper [IoTroop] exploit was built using a flexible Lua engine and scripts, which means that instead of being limited to the static, pre-programmed attacks of previous exploits, its code can be easily updated on the fly, allowing massive, in-place botnets to run new and more malicious attacks as soon as they become available."

Insikt reports that the malware can use at least a dozen vulnerabilities and can be updated by the attackers as new vulnerabilities are exposed. "Our analysis," it says, "shows the botnet involved in the first company attack was 80% comprised of compromised MikroTik routers with the remaining 20% composed of various IoT devices ranging from vulnerable Apache and IIS web servers to routers from Ubiquity, Cisco and ZyXEL. We also discovered Webcams, TVs and DVRs among the 20% of IoT devices, which included products from major vendors such as MikroTik, GoAhead, Ubiquity, Linksys, TP-Link and Dahua."

This list adds new devices now vulnerable to IoTroop in addition to those noted in the original October 2017 research -- which suggests, says Insikt, "a widespread and rapidly evolving botnet that appears to be leveraging publicly disclosed vulnerabilities in many IoT devices."

Insikt's research shows the January attack was delivered from 139 different countries, showing a widespread targeting of vulnerable IoT devices around the world. More than half of the attacking clients are located in the Russian Federation, Brazil, Ukraine, China and the U.S.; but this probably has no relevance other than popularity of MikroTik devices in those countries.

Insikt believes that its analysis of the January DDoS attacks makes it almost certain that at least one and probably more were delivered by IoTroop; but that the new devices included within the botnet show its continuing evolution. "The similarity in device composition with the IoTroop/Reaper botnet," it says, "suggest IoTroop has evolved to exploit vulnerabilities in additional IoT devices and is likely to continue to do so in the future in order to build up the botnet to facilitate larger DDoS attacks against the financial sector."

The research also found seven IP addresses that it believes are likely to be controllers for the botnet. Insikt urges industry to monitor these addresses for malicious activity since they "are likely to be engaged in aggressive scanning for new vulnerable IoT infrastructure to commandeer as well as be responsible for any Denial of Service, attack commands issued to the botnet clients."

Protecting consumer IoT devices is less simple, since consumers notoriously adopt an unpack, plug and play approach to new devices. Nevertheless, Recorded Future urges all users to immediately change default manufacturer passwords, to patch firmware wherever possible and required, to invest in a VPN for devices that have remote access (such as IP cameras), and -- perhaps less easily for consumers -- to disable unnecessary services such as Telnet.


Microsoft Adds New Security Features to Office 365
6.4.2018 securityweek  Safety

Microsoft today announced new protections for Office 365 Home and Office 365 Personal subscribers, aimed at helping them recover files, protect data, and defend against malware.

Courtesy of the newly announced protections, Office 365 Home and Office 365 Personal users can now recover their files after a malicious attack like ransomware, Kirk Koenigsbauer, Corporate Vice President for Office at Microsoft, says.

The new functionality is available through a Files Restore option that has been long available for OneDrive for Business customers. The feature is now available for personal OneDrive accounts and is enabled for both work and personal files.

With the help of Files Restore, users can restore their entire OneDrive to a previous point in time within the last 30 days. The feature should prove highly useful in a variety of situations, ranging from an accidental mass delete to file corruption, ransomware encryption, or another catastrophic event.

To further protect users, Microsoft is bringing ransomware detection and recovery features to Office 365. This feature ensures that ransomware attacks are detected and also helps users restore their OneDrive to a point before files were compromised.

“If an attack is detected, you will be alerted through an email, mobile, or desktop notification and guided through a recovery process where you’ll find the date and time of attack preselected in Files Restore, making the process simple and easy to use. As these threats evolve, we are continuously improving detection capabilities to help keep you safe from the most advanced ransomware,” Koenigsbauer notes.

Microsoft is also adding three new capabilities to Office 365 meant to help users keep their data secure and private when sending confidential or personal information online, whether via email or by sharing a link.

For starters, the software giant is allowing users to set and require a password to access a shared file or folder in OneDrive, thus preventing unauthorized access to their files even if the link is accidentally shared with a third party.

Microsoft is also providing email encryption in Outlook.com, for an added layer of protection. Through end-to-end encryption of messages, the company aims at preventing hackers from intercepting and reading users’ communication.

“Encryption is particularly useful in cases where it is unclear what level of security your intended recipients’ email providers offer. Recipients receive a link to a trusted Office 365 webpage where they can choose to receive a one-time passcode or re-authenticate with a trusted provider before viewing the email,” Koenigsbauer says.

Recipients viewing encrypted emails in Outlook.com, the Outlook for iOS and Android app, or the Windows Mail app do not need to engage in extra steps to read and reply to messages. Outlook.com can also detect sensitive information like social security numbers when a new email is composed, and can provide a suggestion to send with encryption.

Additionally, users can now restrict email recipients from forwarding or copying emails sent from Outlook.com. Moreover, all Office documents attached to these emails are now encrypted even after downloading, meaning that, if they are forwarded to a third party, the recipient won’t be able to open the attachment.

Later this year, Office 365 Home and Office 365 Personal subscribers will also be able to take advantage of advanced link checking in Word, Excel, and PowerPoint. The functionality follows the advanced link checking and attachment scanning added to Outlook.com in October last year in an attempt to keep users protected from previously unseen viruses and phishing scams in real-time.

“Starting later this year, links you click in Word, Excel, and PowerPoint will also be checked in real-time to determine if the destination website is likely to download malware onto your computer or if it’s related to a phishing scam. If the link is suspicious, you will be redirected to a warning screen recommending you don’t access the site,” Koenigsbauer notes.


Cisco Smart Install Protocol misuse could expose critical infrastructure to attacks
6.4.2018 securityaffairs
Attack

Cisco PSIRT has published a new security advisory for abuse of the Smart Install protocol, the IT giant has identified hundreds of thousands of exposed devices online.
Cisco is advising organizations that hackers could target its switches via the Smart Install protocol. The IT giant has identified hundreds of thousands of exposed devices and warned critical infrastructure using them of potential risks.

Smart Install is a legacy plug-and-play configuration and image-management feature that provides zero-touch deployment for new switches.

In February 2017, researchers from Cisco Talos observed a spike in Internet scans attempting to discover unprotected Cisco devices that had Smart Install feature enabled.

“Research has indicated that malicious actors may be leveraging detailed knowledge of the Smart Install Protocol to obtain copies of customer configurations from affected devices.” reported Cisco Talos last year.

“The attack leverages a known issue with the Smart Install protocol. Cisco PSIRT has published a security response to this activity. Abuse of the Smart Install protocol can lead to modification of the TFTP server setting, exfiltration of configuration files via TFTP, replacement of IOS image and potentially execution of IOS commands.”

The researchers also reported that attackers were using an open source tool called the Smart Install Exploitation Tool (SIET) to scan for affected systems.

Now Cisco PSIRT has published a new security advisory for abuse of the protocol.

“Cisco is aware of a significant increase in Internet scans attempting to detect devices where, after completing setup, the Smart Install feature remains enabled and without proper security controls. This could leave the involved devices susceptible to misuse of the feature.” reads the new security advisory.

“Several researchers have reported on the use of Smart Install (SMI) protocol messages toward Smart Install clients, also known as integrated branch clients (IBC), allowing an unauthenticated, remote attacker to change the startup-config file and force a reload of the device, load a new IOS image on the device, and execute high-privilege CLI commands on switches running Cisco IOS and IOS XE Software.”

At the end of March, Cisco patched more than 30 vulnerabilities in its IOS software, including the CVE-2018-0171 flaw that affects the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software. The flaw could be exploited by an unauthenticated, remote attacker to cause a reload of a vulnerable device or to execute arbitrary code on an affected device.

“The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786.” reads the security advisory published by Cisco.

Cisco experts revealed they had identified roughly 250,000 vulnerable Cisco devices with TCP port 4786 open. A recent scan performed by Cisco revealed 168,000 systems are exposed online.

CISCO Smart Install scans

Since Embedi has released technical details and proof-of-concept (PoC) code for the exploitation of the CVE-2018-0171 vulnerability, risk of attacks has dramatically increased.

At this time, there is no evidence that CVE-2018-0171 has been exploited in attacks.

Cisco published recommendations for preventing such attacks and urged customers to disable the feature if it is not needed.


Zuckerberg admitted public data of its 2.2 billion users has been scraped by Third-party entities
6.4.2018 securityaffairs
Social

Third-party scrapers have exploited an issue in Facebook’s search function that allowed anyone to look up users via their email address or phone number.
Facebook revealed on Wednesday that 87 million users have been affected by the Cambridge Analytica case, far more than the 50 million initially thought.

Facebook is in the middle of a storm: Mark Zuckerberg admitted that public data of its 2.2 billion users has been compromised over the course of several years by third-party actors who gathered information on its users.

Users’ names come up in Facebook searches unless they explicitly disable this setting.

“Until today, people could enter another person’s phone number or email address into Facebook search to help find them. This has been especially useful for finding your friends in languages which take more effort to type out a full name, or where many people have the same name.” reads a blog post published by CTO Mike Schroepfer.

“However, malicious actors have also abused these features to scrape public profile information by submitting phone numbers or email addresses they already have through search and account recovery. Given the scale and sophistication of the activity we’ve seen, we believe most people on Facebook could have had their public profile scraped in this way.”

Schroepfer announced that Facebook has now disabled this feature and is changing the account recovery procedure to reduce the scraping activities.
Zuckerberg confirmed the extent of the scraping activity during a call with the press:

“I would assume if you had that setting turned on that someone at some point has access to your public information in some way.” explained Zuckerberg.

Zuckerberg blamed himself for what has happened to his company and promptly announced further improvements in terms of privacy and security.

When asked if he still considered himself the best person to run the company, he said, “Yes.”


OSX_OCEANLOTUS.D, a new macOS backdoor linked to APT 32 group
6.4.2018 securityaffairs APT  Apple

Security experts at Trend Micro have discovered a new macOS backdoor that they linked to the APT 32 (OceanLotus, APT-C-00, SeaLotus, and Cobalt Kitty) cyber espionage group.
The APT32 group has been active since at least 2013 and, according to the experts, is a state-sponsored hacking group. The hackers have hit organizations across multiple industries and have also targeted foreign governments, dissidents, and journalists.

Since at least 2014, experts at FireEye have observed APT32 targeting foreign corporations with an interest in Vietnam’s manufacturing, consumer products, and hospitality sectors. The APT32 is also targeting peripheral network security and technology infrastructure corporations, and security firms that may have connections with foreign investors.

The APT32 group uses custom-built malware for its attacks; the newly discovered macOS backdoor is tracked by experts at Trend Micro as OSX_OCEANLOTUS.D.

The researchers found the backdoor on macOS systems that have the Perl programming language installed.

“We identified a MacOS backdoor (detected by Trend Micro as OSX_OCEANLOTUS.D) that we believe is the latest version of a threat used by OceanLotus (a.k.a. APT 32, APT-C-00, SeaLotus, and Cobalt Kitty).” reads the analysis published by Trend Micro.

“The attackers behind OSX_OCEANLOTUS.D target MacOS computers which have the Perl programming language installed.”

The hackers used spear-phishing messages as the attack vector; the backdoor is distributed via weaponized documents attached to emails. The bait document masquerades as the registration form for an event with HDMC, an organization in Vietnam that advertises national independence and democracy.


The malicious document contains obfuscated macros with a Perl payload. The macro extracts an XML file (theme0.xml) from the document; this file is actually a Mach-O 32-bit executable with a 0xFEEDFACE signature that acts as a dropper for the final OSX_OCEANLOTUS.D backdoor.

“All strings within the dropper, as well as the backdoor, are encrypted using a hardcoded RSA256 key. There are two forms of encrypted strings: an RSA256-encrypted string, and custom base64-encoded and RSA256-encrypted string.” continues the report.

“Using the setStartup() method, the dropper first checks if it is running as a root or not. Based on that, the GET_PROCESSPATH and GET_PROCESSNAME methods will decrypt the hardcoded path and filename where the backdoor should be installed.”

Once the dropper has installed the backdoor, it will set its attributes to “hidden” and set file date and time to random values using the touch command:

touch -t YYMMDDMM "/path/filename" > /dev/null

It also changes the permissions to 0x1ed = 755, which is equal to u=rwx,go=rx.
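The three dropper traits just described (the "hidden" attribute, a timestamp randomized with touch -t, and mode 0x1ed/0755), which the earlier Trend Micro summary on this page also mentions, can be turned into a host triage heuristic; this is an added example, not code from Trend Micro or from the malware. It assumes a macOS host (the BSD st_flags hidden attribute) and uses constructed sample records in place of a real scan; the observation it relies on is that touch -t rewrites mtime but cannot rewrite the inode change time (ctime).

```python
import os
import stat
from dataclasses import dataclass
from typing import List, Tuple

# Mode value quoted in the report: 0x1ed == 0o755 == u=rwx,go=rx
REPORTED_MODE = 0x1ED


@dataclass
class FileFacts:
    """The subset of lstat() output the three dropper traits are judged on."""
    path: str
    mode: int     # st_mode (type bits allowed; only permission bits are compared)
    flags: int    # BSD st_flags; stat.UF_HIDDEN is the Finder "hidden" attribute
    mtime: float  # last data modification, epoch seconds (what `touch -t` rewrites)
    ctime: float  # inode change time, epoch seconds (`touch -t` cannot rewrite it)


def mode_matches_report(mode: int) -> bool:
    """True when the permission bits equal the report's 0x1ed (0755)."""
    return stat.S_IMODE(mode) == REPORTED_MODE


def mtime_backdated(facts: FileFacts, slack_seconds: float = 3600.0) -> bool:
    """`touch -t` sets atime/mtime to any value, but the kernel stamps ctime with
    the real time of that change, so an mtime far older than ctime shows the
    timestamp was set by hand. Legitimate installs (cp -p, package managers)
    produce the same pattern, so this is only meaningful alongside other traits."""
    return (facts.ctime - facts.mtime) > slack_seconds


def score(facts: FileFacts) -> List[str]:
    """Return which of the three reported dropper traits the file exhibits."""
    hits: List[str] = []
    if facts.flags & stat.UF_HIDDEN:
        hits.append("hidden-flag")
    if mode_matches_report(facts.mode):
        hits.append("mode-0755")
    if mtime_backdated(facts):
        hits.append("mtime-before-ctime")
    return hits


def triage(entries: List[FileFacts], min_hits: int = 2) -> List[Tuple[str, List[str]]]:
    """Keep only files showing at least `min_hits` traits; a bare 0755 binary is normal."""
    flagged = []
    for facts in entries:
        hits = score(facts)
        if len(hits) >= min_hits:
            flagged.append((facts.path, hits))
    return flagged


def facts_from_path(path: str) -> FileFacts:
    """Build FileFacts from a live filesystem entry. st_flags exists only on
    BSD-derived systems such as macOS; elsewhere the hidden flag reads as 0."""
    st = os.lstat(path)
    return FileFacts(path, st.st_mode, getattr(st, "st_flags", 0), st.st_mtime, st.st_ctime)


# Constructed sample records standing in for a scan of a user's Library folder.
# Paths and times are made up for this example; the real dropper decrypts its
# install path at runtime and the report does not give it.
NOW = 1_523_000_000.0  # constructed reference time, roughly April 2018
SAMPLE = [
    # hidden, 0755, mtime pushed back about 400 days: all three traits
    FileFacts("/Users/example/Library/.example_hidden", 0o100755, stat.UF_HIDDEN, NOW - 400 * 86400, NOW),
    # an ordinary freshly built 0755 binary: one trait, not reported
    FileFacts("/usr/local/bin/example-tool", 0o100755, 0, NOW - 10, NOW),
    # a plain document: no traits
    FileFacts("/Users/example/notes.txt", 0o100644, 0, NOW - 7200, NOW - 7200),
]

if __name__ == "__main__":
    for path, hits in triage(SAMPLE):
        print(f"{path}: {', '.join(hits)}")
```

On a live host, replace SAMPLE with `[facts_from_path(p) for p in candidate_paths]` over the directories you want to sweep.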

The backdoor loops over two main functions, infoClient and runHandle: infoClient collects platform information and sends it to the command and control (C&C) server, while runHandle implements the backdoor capabilities.

The discovery of a new backdoor linked to the APT32 group confirms that the state-sponsored crew was very active in the last months.


1.5 Billion Sensitive Documents on Open Internet: Researchers
5.4.2018 securityweek Incident

Some 1.5 billion sensitive online files, from pay stubs to medical scans to patent applications, are visible on the open internet, security researchers said Thursday.

Researchers from the cybersecurity firm Digital Shadows said a scanning tool used in the first three months of 2018 found mountains of private data online from people and companies across the world.

The unprotected data amounted to some 12 petabytes, or four thousand times larger than the "Panama Papers" document trove which exposed potential corruption in dozens of countries.

"These are files that are freely available" to anyone with minimal technical knowledge, said Rick Holland, a vice president at Digital Shadows.

Holland told AFP his team scanned the web and found unsecured files, adding "we didn't authenticate to anything."

The availability of open data makes it easier for hackers, nation-states or rival companies to steal sensitive information, Holland said.

"It makes attackers' jobs much easier. It shortens the reconnaissance phase," he added.

The researchers said in the report that even amid growing concerns about hackers attacking sensitive data, "we aren't focusing on our external digital footprints and the data that is already publicly available via misconfigured cloud storage, file exchange protocols, and file sharing services."

A significant amount of the data left open was from payroll and tax return files, which accounted for 700,000 and 60,000 files respectively, Digital Shadows said.

It noted medical files and lists were also weakly protected, with some 2.2 million body scans open to inspection.

Many corporate secrets were also out in the open including designs, patent summaries and details of yet-to-be-released products.

"While organizations may consider insiders, network intrusions and phishing campaigns as sources of corporate espionage, these findings demonstrate that there is already a large amount of sensitive data publicly available," the report said.

The researchers said about 36 percent of the files were located in the European Union. The United States had the largest amount for a single country at 16 percent, but exposed files were also seen around the world including in Asia and the Middle East.

About seven percent of the data was in "misconfigured" Amazon cloud storage. Holland said the main problem was not cloud computing itself but how users manage their data.

In some cases, users "are backing up their data to the (open) web without knowing it," Holland said.

The majority of the files found by Digital Shadows were exposed by poor security practices in servers and file-sharing protocols.

"Third parties and contractors were among the most common sources of sensitive data exposure," the report said.


Delta, Sears Hit by Card Breach at Online Services Firm
5.4.2018 securityweek Incident

Delta Air Lines, Sears Holdings and likely other major companies have been hit by a payment card breach suffered last year by San Jose, CA-based online services provider [24]7.ai.

In a brief statement published on Wednesday, [24]7.ai revealed that it had notified a “small number” of client companies of a security incident impacting payment card information. According to the firm, the intrusion occurred on September 26 and it was contained on October 12, 2017.

“We have notified law enforcement and are cooperating fully to ensure the protection of our clients and their customers' online safety. We are confident that the platform is secure, and we are working diligently with our clients to determine if any of their customer information was accessed,” [24]7.ai said.

[24]7.ai provides customer acquisition and engagement solutions to organizations in a wide range of sectors, including agencies, education, financial services, healthcare, insurance, retail, telecom, travel and hospitality, and utilities. Its customers include Adobe, Copa Airlines, Duke Energy, Grainger, Merrill Lynch, Scotiabank, and Vodafone.

Two of [24]7.ai’s customers have come forward to date to inform customers that they have been hit by the security breach.

One of them is Delta, which told customers that their payment card information may have been compromised. The company said no other information, such as government IDs, passports, security or Skymiles details, was impacted.

“At this point, even though only a small subset of our customers would have been exposed, we cannot say definitively whether any of our customers' information was actually accessed or subsequently compromised,” Delta stated.

The airline, which used [24]7.ai’s online chat services, has promised to set up a dedicated page at delta.com/response where it will post updates regarding this incident.

Sears Holdings, the company that owns the Sears and Kmart retail store brands, says [24]7.ai provided it with online support services. Sears believes the incident has impacted the credit card information of fewer than 100,000 customers.

“We believe the credit card information for certain customers who transacted online between September 27, 2017 and October 12, 2017 may have been compromised,” Sears stated. “Customers using a Sears-branded credit card were not impacted. In addition, there is no evidence that our stores were compromised or that any internal Sears systems were accessed by those responsible. [24]7.ai has assured us that their systems are now secure.”

Sears and Delta said they only learned of the data breach from [24]7.ai in mid and late March, respectively. SecurityWeek has reached out to the vendor to find out why it has waited so long to notify impacted companies.


North Korea-Linked Lazarus APT suspected for online Casino assault
5.4.2018 securityaffairs APT

The North Korea-linked APT group known as Lazarus made the headlines again for attacking an online casino in Central America and other targets.
The activity of the Lazarus Group (aka Hidden Cobra) surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems. Security researchers discovered that the North Korea-linked Lazarus APT group was behind attacks on banks, including the Bangladesh cyber heist.

Now security experts from ESET have uncovered a cyber attack against an online casino in Central America and attacks on other targets; in all of the assaults the hackers used similar hacking tools, including the dreaded KillDisk disk-wiper.

The experts found several backdoors and a simple command line tool that was designed to inject into/kill processes, terminate/reinstall services, and drop/remove files.

Most of the tools were specifically designed to run as a Windows service and require administrator privileges for their execution.

ESET detailed a TCP backdoor dubbed Win64/NukeSped, a console application that is installed in the system as a service.

The backdoor implements a set of 20 commands whose functionality is similar to previously analyzed Lazarus samples.

“Win64/NukeSped.W is a console application that is installed in the system as a service. One of the initial execution steps is dynamically resolving the required DLL names, on the stack:” states the analysis published by ESET.

“Likewise, procedure names of Windows APIs are constructed dynamically. In this particular sample, they are visible in plaintext; in other past samples that we’ve analyzed they were base64-encoded, encrypted or resolved on the stack character by character”

Lazarus backdoor code

The backdoor allows attackers to gather information on the system, create processes, search for files, drop files on the infected systems, and inject code into processes, including Explorer.

Researchers from ESET also detailed a session hijacker, dubbed Win64/NukeSped.AB, which is a console application capable of creating a process as another currently logged-in user on the target system.

The session hijacker was spotted in the attack against the casino; researchers at ESET believe it is the same malware used in the attacks against Polish banks and Mexican entities.

ESET pointed out that at least two variants of the KillDisk malware were used in the attack, and that they appear not to be linked to past wiper-based attacks, such as the ones that hit Ukraine in December 2015 and December 2016.

“KillDisk is a generic detection name that ESET uses for destructive malware with disk wiping capabilities, such as damaging boot sectors and overwriting then deleting (system) files, followed by a reboot to render the machine unusable,” continues the report.

“Sub-family variants that do have strong code similarities are sometimes seen in separate cyberattacks and thus can help us make connections, as here. Other cases, for example the directed cyberattacks against high-value targets in Ukraine in December 2015 and December 2016, also employed KillDisk malware, but those samples were from different KillDisk sub-families, so are most likely unrelated to these attacks.”

According to ESET, more than 100 machines belonging to the Central American online casino were infected with the two variants of Win32/KillDisk.NBO.

It is still unclear whether the attackers used the KillDisk wiper to cover the tracks of an espionage campaign, or whether the malicious code was used in an extortion scheme or for sabotage.

The presence of the KillDisk wipers and various Lazarus-linked malware suggests that the APT group was responsible for the attack.

Experts also found that both variants present many similarities with the ones that previously targeted financial organizations in Latin America.

The attackers also used the Mimikatz tool to extract Windows credentials, a tool designed to recover passwords from major web browsers, and malicious droppers and loaders to download and execute their tools on the victim systems.

The hackers leveraged Radmin 3 and LogMeIn as remote access tools.

“This recent attack against an online casino in Central America suggests that hacking tools from the Lazarus toolset are recompiled with every attack (we didn’t see these exact samples anywhere else),” concluded ESET.

“The attack itself was very complex, consisted of several steps, and involved tens of protected tools that, being stand-alone, would reveal little from their dynamics.”


Facebook: Cambridge Analytica scandal affected 87 Million users
5.4.2018 securityaffairs
Social

Facebook revealed on Wednesday that 87 million users have been affected by the Cambridge Analytica case, far more than the 50 million users initially thought.
The social network giant recently unveiled clearer terms of service to ensure transparency to its users about data sharing.

Facebook’s chief technology officer Mike Schroepfer provided further details on the case, including new estimations for the number of affected users.

“In total, we believe the Facebook information of up to 87 million people — mostly in the US — may have been improperly shared with Cambridge Analytica,” Schroepfer said.

The CTO also explained how Facebook is implementing new privacy tools for its users, which will be available by next week.

“People will also be able to remove apps that they no longer want. As part of this process we will also tell people if their information may have been improperly shared with Cambridge Analytica,” he added.

“Overall, we believe these changes will better protect people’s information while still enabling developers to create useful experiences.”

Facebook- Cambridge Analytica

Next week, on April 11, Facebook founder Mark Zuckerberg will appear before Congress to address privacy issues.

The hearing will “be an important opportunity to shed light on critical consumer data privacy issues and help all Americans better understand what happens to their personal information online,” said the committee’s Republican chairman Greg Walden and ranking Democrat Frank Pallone in a statement.

“We appreciate Mr. Zuckerberg’s willingness to testify before the committee, and we look forward to him answering our questions.”

The situation for Facebook could get worse after these latest revelations; a few days ago Zuckerberg said it would take “a few years” to fix the problems uncovered by the revelations on data misuse.

Zuckerberg tried to reinforce the positive image of his firm, maintaining that one of the biggest errors he made is that Facebook is “idealistic,” the

“Well, I don’t think it’s going to take 20 years. I think the basic point that you’re getting at is that we’re really idealistic. When we started, we thought about how good it would be if people could connect, if everyone had a voice. Frankly, we didn’t spend enough time investing in, or thinking through, some of the downside uses of the tools. So for the first 10 years of the company, everyone was just focused on the positive,” Zuckerberg told Vox.com.

“I think now people are appropriately focused on some of the risks and downsides as well. And I think we were too slow in investing enough in that. It’s not like we did nothing. I mean, at the beginning of last year, I think we had 10,000 people working on security. But by the end of this year, we’re going to have 20,000 people working on security.”

In response to the Cambridge Analytica case, Facebook deleted dozens of accounts linked to Russia that were used to spread propaganda.

Facebook announced that it had removed 70 Facebook accounts, 65 Instagram accounts and 138 Facebook pages controlled by the Russia-based Internet Research Agency (IRA), also known as the Russian troll farm because of its misinformation campaigns.

The unit “has repeatedly used complex networks of inauthentic accounts to deceive and manipulate people who use Facebook, including before, during and after the 2016 US presidential elections,” explained Facebook chief security officer Alex Stamos.

Zuckerberg added that the Russian agency “has been using complex networks of fake accounts to deceive people.”

“While we respect people and governments sharing political views on Facebook, we do not allow them to set up fake accounts to do this. When an organization does this repeatedly, we take down all of their pages, including ones that may not be fake themselves.”


AWS Launches New Tools for Firewalls, Certificates, Credentials
5.4.2018 securityweek Safety

Amazon Web Services (AWS) announced on Wednesday the launch of several tools and services designed to help customers manage their firewalls, use private certificates, and safely store credentials.

Private Certificate Authority

One of the new services is called Private Certificate Authority (CA) and it’s part of the AWS Certificate Manager (ACM). The Private CA allows AWS customers to use private certificates without the need for specialized infrastructure.

Developers can now provision private certificates with just a few API calls. At the same time, administrators are provided central management and auditing capabilities, including certificate revocation lists (CRLs) and certificate creation reports. Private CA is based on a pay-as-you-go pricing model.

AWS Secrets Manager

The new AWS Secrets Manager is designed to make it easier for users to store, distribute and rotate their secrets, including credentials, passwords and API keys. The storage and retrieval of secrets can be done via the API or the AWS Command Line Interface (CLI), while built-in or custom AWS Lambda functions provide the capabilities for rotating credentials.

“Previously, customers needed to provision and maintain additional infrastructure solely for secrets management which could incur costs and introduce unneeded complexity into systems,” explained Randall Hunt, Senior Technical Evangelist at AWS.

AWS Secrets Manager is available in the US East and West, Canada, South America, and most of the EU and Asia Pacific regions. As for pricing, the cost is $0.40 per month per secret, and $0.05 per 10,000 API calls.

AWS Firewall Manager

The new AWS Firewall Manager is designed to simplify administration of AWS WAF web application firewalls across multiple accounts and resources. Administrators can create policies and set up firewall rules and they are automatically applied to all applications, regardless of the region where they are hosted.

“Developers can develop and innovators can innovate, while the security team gains the ability to respond quickly, uniformly, and globally to potential threats and actual attacks,” said Jeff Barr, Chief Evangelist for AWS.

AWS Shield Advanced customers get the new Firewall Manager at no extra cost, while other users will be charged a monthly fee for each policy in each region.

Amazon EFS data encrypted in transit

Amazon also announced that it has added support for encrypting data in transit for the Amazon Elastic File System (EFS), a file system designed for cloud applications that require shared access to file-based storage. Support for encrypting data at rest has already been available.

The company has made it easier for users to implement encryption in transit with the launch of a new EFS mount helper tool.


Intel Will Not Patch Spectre in Some CPUs
5.4.2018 securityweek
Vulnerebility

Intel has informed customers that some of the processors affected by the Meltdown and Spectre vulnerabilities will not receive microcode updates due to issues related to implementation and other factors.

Two weeks after announcing that microcode updates have been made available for all recent processors vulnerable to speculative execution side-channel attacks, Intel updated its microcode revision guidance to say that some chips will not receive patches.

The list includes Core, Xeon, Celeron, Pentium, and Atom processors with Bloomfield (Xeon), Clarksfield, Gulftown, Harpertown Xeon, Jasper Forest, Penryn/QC, SoFIA 3GR, Wolfdale (Xeon) and Yorkfield (Xeon) microarchitectures. These products have been assigned a “stopped” status, which indicates they will not receive updates due to one or more reasons.

Intel says it has conducted a comprehensive investigation of the microarchitecture and microcode capabilities of these CPUs and determined that some of their characteristics prevent a practical implementation of mitigations for Spectre Variant 2 (CVE-2017-5715).

Other possible reasons for not releasing fixes include limited commercially available system software support and low risk of attacks.

“Based on customer inputs, most of these products are implemented as ‘closed systems’ and therefore are expected to have a lower likelihood of exposure to these vulnerabilities,” Intel explained.

Intel revealed recently that its upcoming processors for data centers and PCs will include built-in protections against Meltdown (Variant 3) and Spectre (Variant 2) attacks. The chip giant expects to roll out these protections in the second half of 2018.

“We have redesigned parts of the processor to introduce new levels of protection through partitioning that will protect against both Variants 2 and 3,” explained Intel CEO Brian Krzanich. “Think of this partitioning as additional ‘protective walls’ between applications and user privilege levels to create an obstacle for bad actors.”

Dozens of lawsuits have been filed against Intel by customers and shareholders over the disclosure and handling of Meltdown and Spectre.


Google Patches 9 Critical Android Vulnerabilities in April 2018 Update
5.4.2018 securityweek
Vulnerebility  Android

Google this week has released its April 2018 set of Android security patches which address more than two dozen Critical and High severity vulnerabilities.

19 vulnerabilities were found to affect components such as Android runtime, Framework, Media framework, and System. These include 7 issues rated Critical and 12 considered High risk. All of the flaws were patched as part of the 2018-04-01 security patch level.

Successful exploitation of these security bugs could result in elevation of privileges, information disclosure, remote code execution, and denial of service.

“The most severe vulnerability in this section could enable a remote attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google notes in its advisory.

Six of the Critical severity bugs were remote code execution vulnerabilities, while the seventh was an elevation of privilege flaw. Impacted platform versions include Android 6.0, 6.0.1, 7.0, 7.1.1, 7.1.2, 8.0, and 8.1.

Google also addressed 9 vulnerabilities as part of the 2018-04-05 security patch level, namely 2 Critical and 7 High severity. The issues impact Broadcom, Kernel, and Qualcomm components.

Both Critical bugs are remote code execution flaws, while the High severity issues include elevation of privilege and information disclosure vulnerabilities.

“The most severe vulnerability in this section could enable a proximate attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google notes.

The 2018-04-05 security patch level also includes patches for 34 vulnerabilities in Qualcomm closed-source components: 6 rated Critical and 28 assessed with a High risk severity level.

Google also included a 2014-2016 cumulative update for Qualcomm closed-source components as part of its April 2018 Android security bulletin, although many devices have already addressed these issues in previous updates.

“These vulnerabilities affect Qualcomm components and were shared by Qualcomm with their partners through Qualcomm AMSS security bulletins or security alerts between 2014 and 2016. They are included in this Android security bulletin in order to associate them with a security patch level,” Google explains.

Over 250 vulnerabilities were included in the cumulative update, most rated High severity. One of the bugs was rated Critical risk and 9 were rated Moderate severity.

This month, Google also addressed over 40 vulnerabilities in the Nexus and Pixel devices, all rated Moderate severity (four of the flaws have a High severity rating on Android 6.0 and 6.0.1 devices). Impacted components include Framework, Media framework, System, and Broadcom, Kernel, and Qualcomm components.

On top of these security fixes, the Internet giant also included over 70 functional updates for Google devices as part of the April 2018 Pixel / Nexus Security Bulletin.


WAF Security Startup Threat X Raises $8.2 Million
5.4.2018 securityweek IT

Cybersecurity startup Threat X, which offers cloud-based web application firewall (WAF) solutions, today announced that it has closed an $8.2 million Series A funding round.

The Denver, Colorado-based company says the new funding will be used to fuel growth and support adoption of its WAF technology and managed security services.

The company explains that its SaaS-based solution “employs kill-chain based, progressive profiling to identify and neutralize threats.”

“Our goal is to help organizations protect their applications with a SaaS based web application firewall that provides a holistic view of every attack, the techniques being utilized, and target vulnerabilities,” Bret Settle, Founder and CEO of Threat X, said. “Our behavioral profiling and correlation engine analyzes each attack and eliminates false positives by grading risk level and progress throughout the ‘kill-chain’. Our customers can also leverage our deep analytics and expert security team for greater threat intelligence and visibility into preventative measures.”

The funding round was co-led by Grotech Ventures and Access Venture Partners.


Breaches Increasingly Discovered Internally: Mandiant
5.4.2018 securityweek Cyber

Organizations are getting increasingly better at discovering data breaches on their own, with more than 60% of intrusions in 2017 detected internally, according to FireEye-owned Mandiant.

The company’s M-Trends report for 2018 shows that the global median time for internal detection dropped to 57.5 days in 2017, compared to 80 days in the previous year. Of the total number of breaches investigated by Mandiant last year, 62% were discovered internally, up from 53% in 2016.

On the other hand, it still took roughly the same amount of time for organizations to learn that their systems had been compromised. The global median dwell time in 2017 – the median time from the first evidence of a hack to detection – was 101 days, compared to 99 days in 2016.

Companies in the Americas had the shortest median dwell time (75.5 days), while organizations in the APAC region had the longest dwell time (nearly 500 days).

Dwell time data from Mandiant

Data collected by Mandiant in 2013 showed that more than one-third of organizations had been attacked again after the initial incident had been remediated. More recent data, specifically from the past 19 months, showed that 56% of Mandiant customers were targeted again by either the same group or one with similar motivation.

In cases where investigators discovered at least one type of significant activity (e.g. compromised accounts, data theft, lateral movement), the targeted organization was successfully attacked again within one year. Organizations that experienced more than one type of significant activity were attacked by more than one threat actor.

Again, the highest percentage of companies attacked multiple times and by multiple threat groups was in the APAC region – more than double compared to the Americas and the EMEA region.

When it comes to the most targeted industries, companies in the financial and high-tech sectors recorded the highest number of significant attacks, while the high-tech, telecommunications and education sectors were hit by the highest number of different hacker groups.

Last year, FireEye assigned names to four state-sponsored threat groups, including the Vietnam-linked APT32 (OceanLotus), and the Iran-linked APT33, APT34 (OilRig), and APT35 (NewsBeef, Newscaster and Charming Kitten).

“Iran-sponsored threat actors have compromised a variety of organizations, but recently they have expanded their efforts in a way that previously seemed beyond their grasp,” Mandiant said in its report. “Today they leverage strategic web compromises (SWC) to ensnare more victims, and concurrently maintain persistence across multiple organizations for months and sometimes years. Rather than relying on publicly available malware and utilities, they develop and deploy custom malware. When they are not carrying out destructive attacks against their targets, they are conducting espionage and stealing data like professionals.”


IoT Security Firm Red Balloon Raises $22 Million
5.4.2018 securityweek IoT

Red Balloon Security, a provider of embedded device security solutions, announced on Wednesday that it has secured $21.9 million through a Series A funding round led by Bain Capital Ventures.

This latest round of funding brings the company’s total funding to $23.5 million.

The company’s flagship Symbiote Defense technology helps customers to detect and defend against emerging threats targeting embedded devices. The technology behind Symbiote was originally developed within Columbia University’s Intrusion Detection Systems Lab, with support of the Defense Advanced Research Projects Agency (DARPA) and the Department of Homeland Security Science and Technology Directorate (DHS S&T).

Symbiote, Red Balloon explains, “defends devices without requiring changes to source code or hardware design, all without impacting the functionality or performance of the device,” adding that the solution has “demonstrated the ability to defend against both n-day and zero-day attacks on embedded devices, even if the attacker has succeeded in bypassing traditional cybersecurity measures.”

Red Balloon claims that Symbiote technology has operated for more than 15 billion continuous hours without a single failure, protecting millions of endpoints around the world.

“Symbiote Defense is a critically important technology for today’s businesses because it is able to prevent malware and other cyber attacks from hijacking, disrupting or corrupting any embedded device,” said Ang Cui, PhD, founder and CEO of Red Balloon Security. “This technology has considerable commercial potential because it is highly effective within any type of embedded device environment, from consumer electronics to factories, connected cars and even power plants. Thanks to the strong support of our investors, we will now be able to make this advanced technology more widely available to commercial users across all major industries.”

Greycroft, American Family Ventures and Abstract Ventures also participated in the funding round.


Critical Vulnerability Patched in Microsoft Malware Protection Engine
5.4.2018 securityweek
Vulnerebility

An update released this week by Microsoft for its Malware Protection Engine patches a vulnerability that can be exploited to take control of a system by placing a malicious file in a location where it would be scanned.

The Microsoft Malware Protection Engine provides scanning, detection and cleaning capabilities for security software made by the company. The engine is affected by a flaw that can be exploited for remote code execution when a specially crafted file is scanned.

The malicious file can be delivered via a website, email or instant messenger. The Malware Protection Engine will automatically scan the file (if real-time protection is enabled) and allow the attacker to execute arbitrary code in the context of the LocalSystem account, which can lead to a complete takeover of the targeted system.

On systems where real-time scanning is not enabled, the exploit will still get triggered, but only when a scheduled scan is initiated.

The vulnerability, tracked as CVE-2018-0986 and rated “critical,” affects several Microsoft products that use the Malware Protection Engine, including Exchange Server, Forefront Endpoint Protection 2010, Security Essentials, Windows Defender, and Windows Intune Endpoint Protection.

While the flaw is dangerous and easy to exploit, Microsoft believes exploitation is “less likely.” The company pointed out that the patch for this vulnerability will be automatically delivered to customers within 48 hours of release – users and administrators do not have to take any action.

Google Project Zero researcher Thomas Dullien, aka “Halvar Flake,” has been credited for finding CVE-2018-0986. The details of the vulnerability have yet to be disclosed, but considering that the patch is being delivered automatically to most systems, the information will likely become available soon.

This is not the first time Google Project Zero researchers have discovered critical vulnerabilities in Microsoft’s Malware Protection Engine. While Google may occasionally disclose flaws in Microsoft products before patches become available, in the case of the Malware Protection Engine, Microsoft typically releases patches within a few days or weeks.

A similar flaw in the Malware Protection Engine was also found recently by employees of UK's National Cyber Security Centre (NCSC).


North Korean Hackers Behind Online Casino Attack: Report
5.4.2018 securityweek BigBrothers

The infamous North Korean hacking group known as Lazarus is responsible for attacking an online casino in Central America, along with various other targets, ESET says.

The Lazarus Group has been active since at least 2009 and is said to be associated with a large number of major cyber-attacks, including the $81 million cyber heist from Bangladesh's account at the New York Federal Reserve Bank.

Said to be the most serious threat against banks, the group has shown increased interest in crypto-currencies and has recently updated its arsenal of tools.

ESET now reports that an attack on an online casino in Central America and assaults on various other targets last year are the doings of this group. The attackers used a similar toolset in all incidents, including the KillDisk wiping tool.

Also referred to as Hidden Cobra, the Lazarus Group is said to be backed by the North Korean government. The hackers use a broad range of custom tools, but also leverage various projects that are either available from GitHub or provided commercially.

In the attack against an online casino in Central America, the hackers used various tools alongside the destructive KillDisk disk-wiper. Almost all of the malicious tools were designed to run as a Windows service and require administrator privileges for that, meaning that the attackers expected such privileges, ESET points out.

Detected as NukeSped, one of the tools is a TCP backdoor. The malware dynamically resolves the required DLL names during initial execution, and also constructs dynamically the procedure names of Windows APIs. The backdoor listens to a specific port that it ensures is not blocked by the firewall.

Featuring support for 20 commands with functionality similar to previously analyzed Lazarus samples, the malware can be used to gather information on the system, search for files, create processes, drop files on the infected systems, and inject into Explorer or other processes.

ESET also stumbled upon a session hijacker, a console application capable of creating a process as another currently logged-in user on the victim’s system, just as the TCP backdoor can upon receiving a specific command from the attackers.

Discovered on the compromised casino’s network, the malware is related to the session hijacker used in the Polish and Mexican attacks, ESET says.

On said network, the security researchers also found a simple command line tool accepting several switches, which was designed to inject into/kill processes, terminate/reinstall services, and drop/remove files.

Two variants of the KillDisk malware were used in the attack, likely unrelated to the iterations previously used in cyber-attacks against high-value targets in Ukraine in December 2015 and December 2016.

The disk wiper was found on over 100 machines in the casino’s network, either to cover an espionage operation, or to extort the victim or sabotage the systems. The use of KillDisk simultaneously with various Lazarus-linked malware suggests that it was this group of hackers who deployed the disk wiper.

Not only do these variants share many code similarities, but they are almost identical to the KillDisk variant that previously targeted financial organizations in Latin America.

ESET also discovered a series of format strings that allowed them to attribute the discovered malware samples and attacks to the Lazarus Group, and which represent a relevant, static characteristic of the group’s modus operandi, the researchers say.

As part of the attack against said online casino, the actor also used Mimikatz, which can extract Windows credentials, along with a tool designed to recover passwords from popular web browsers. Although dated December 2014, the tool remains efficient against Chrome (64.0.3282.186), Chromium (67.0.3364.0), Edge (41.16299.15.0) and Internet Explorer (11.0.9600.17843).

The attackers used malicious droppers and loaders to download and execute their tools onto the victim systems. Remote access tools such as Radmin 3 and LogMeIn were also used, to control machines remotely.

“This recent attack against an online casino in Central America suggests that hacking tools from the Lazarus toolset are recompiled with every attack (we didn’t see these exact samples anywhere else). The attack itself was very complex, consisted of several steps, and involved tens of protected tools that, being stand-alone, would reveal little from their dynamics,” ESET says.


Companies Have Little Control Over User Accounts and Sensitive Files: Study
5.4.2018 securityweek
Social

Lack of Control Over Sensitive Files Leaves Companies Open to GDPR Failure

Security teams are urged to assume intruders are already on their networks. The quantity and frequency of data loss breaches lends credence to that assumption. The implication is that perimeter defenses are insufficient, and that sensitive data needs to be locked down as far as possible within the network. A new study shows, however, that 41% of companies have more than 1,000 sensitive files open to everyone with access to the network.

Each year, New York, NY-based data protection and governance firm Varonis analyzes the results of its risk assessments on new and potential customers. Its 2018 Global Data Risk Report (PDF) contains the findings of 130 corporate risk analyses conducted during 2017. It looks for free-form data at risk from existing intruders and potential malicious insiders; and the process examined more than 6 billion individual files from 30 different industries across more than 50 countries.

The results clearly show that companies are struggling to control sensitive data contained in free-form text documents. A common problem is leaving files open to global access groups. For example, 58% of companies have more than 100,000 folders open to everyone -- and the bigger the company, the worse the problem. Eighty-eight percent of companies with more than 1 million folders have more than 100,000 open folders.

The problem becomes more pressing when those files contain sensitive data -- defined here as information subject to regulations such as GDPR, PCI, and HIPAA. The Varonis platform works by looking at both the structure of the network, and the content of the files. In this study it found that 41% of companies have more than 1,000 sensitive files open to everyone.

For these companies any malicious insider or low-privileged intruder can simply access and potentially steal sensitive data, bringing the company into immediate compliance failure. Most regulations either require the principle of least privilege or imply its requirement.

The basis of protecting sensitive files requires two things in particular: the principle of least privilege to restrict access to sensitive documents to authorized persons only; and privileged account management to prevent attackers' access to and unauthorized use of privileged accounts to access restricted documents. However, the Varonis study shows that companies have as little control over their user accounts as they do over their sensitive files.

A common issue with account management is the failure to remove old accounts. This usually happens when the account is no longer necessary, or its owner leaves the organization's employment. These are variously known as 'stale' or 'ghost user' accounts. Varonis found that 65% of companies have more than 1000 stale user accounts. The study does not indicate how many of these stale accounts are also privileged accounts, but with so many sensitive documents open to everyone, an attacker's access to a privileged account isn't necessary.

"User and service accounts that are inactive and enabled (aka 'ghost users') are targets for penetration and lateral movement," warns the Varonis report. "If these accounts are left unmonitored, attackers can steal data or cause disruption without being detected."

The combination of open sensitive files and ghost accounts increases the likelihood of a data breach and compliance failure. The regulation top-of-mind with most security teams right now is the EU's General Data Protection Regulation (GDPR), with the potential for heavy fines, and due to come into force next month.

A common perception is that if a firm can demonstrate strong attempts to protect personal data, it will not be prosecuted to the full by European data regulators. Certainly, regulators will take account of any breached firm's attempts to conform -- but overexposed documents and ghost accounts are a de-facto failure.

Last month, the Irish data protection commissioner discussed how she intends to handle her GDPR remit. Ireland is particularly important because it is the European home of many large U.S. firms (such as Facebook, Google, Twitter, Pfizer, Boston Scientific and Johnson & Johnson) that have extensive offices and/or their European headquarters in what is sometimes known as Dublin's Silicon Docks.

Discussing whether 'state of the art security' would be a mitigating factor over any GDPR-relevant data breach, Ireland's Data Protection Commissioner Helen Dixon told Independent.ie, "it's a theoretical possibility that if they have applied objectively demonstrable state-of-the-art security and there really appears to have been nothing further they could have done, that would certainly be a mitigation criteria [sic]. But, we haven't come across it."

Regardless of all other security controls, if any firm investigated under GDPR has failed to operate least privilege for all documents containing personal data, it will likely be subject to the full sanction of the General Data Protection Regulation -- that is, 4% of global turnover.


Facebook Says 87 Million May be Affected by Data Breach
5.4.2018 securityweek
Social

Facebook said Wednesday personal data on as many as 87 million users was improperly shared with British political consultancy Cambridge Analytica.

The new figure eclipses a previous estimate of 50 million in a further embarrassment to the social network roiled by a privacy scandal.

The announcement came as Facebook unveiled clearer terms of service to enable users to better understand data sharing, and as a congressional panel said chief executive Mark Zuckerberg would appear next week to address privacy issues.

Facebook's chief technology officer Mike Schroepfer released the new figures on affected users as he discussed implementation of new privacy tools for users of the huge social network.

"In total, we believe the Facebook information of up to 87 million people -- mostly in the US -- may have been improperly shared with Cambridge Analytica," he said.

The new estimate could deepen the crisis for Facebook, which has been pressured by the disclosures on hijacking of private data by the consulting group working for Donald Trump's 2016 campaign.

Schroepfer said new privacy tools, which had been announced last month, would be in place by next Monday.

"People will also be able to remove apps that they no longer want. As part of this process we will also tell people if their information may have been improperly shared with Cambridge Analytica," he said.

"Overall, we believe these changes will better protect people's information while still enabling developers to create useful experiences."

Zuckerberg on the Hill

Earlier Wednesday, the House of Representatives' Energy and Commerce Committee announced what appeared to be the first congressional appearance by Zuckerberg since the scandal broke on the hijacking of data on tens of millions of users.

The April 11 hearing will "be an important opportunity to shed light on critical consumer data privacy issues and help all Americans better understand what happens to their personal information online," said the committee's Republican chairman Greg Walden and ranking Democrat Frank Pallone in a statement.

"We appreciate Mr. Zuckerberg's willingness to testify before the committee, and we look forward to him answering our questions."

Zuckerberg will likely face multiple congressional hearings as his social media giant battles a firestorm following revelations that the British consulting firm Cambridge Analytica obtained the data of 50 million Facebook users to try and manipulate US voters in the 2016 presidential election.

The Facebook co-founder has also been invited to appear before the Senate's Judiciary Committee on April 10, alongside Google chief Sundar Pichai and Twitter head Jack Dorsey.

His participation is yet unconfirmed but Senator Dianne Feinstein told the San Francisco Chronicle that Zuckerberg had agreed to attend that hearing.

Zuckerberg, who has been making a series of media appearances after staying silent for several days on the breach, said earlier this week it would take "a few years" to fix the problems uncovered by the revelations on data misuse.

He told Vox.com that one of Facebook's problems was that it was "idealistic," focusing on the positive aspects of connecting people and that "we didn’t spend enough time investing in, or thinking through, some of the downside uses of the tools."

The world's biggest social network faces probes on both sides of the Atlantic over the misuse of data, which Facebook attributed to a breach of terms of service by an academic researcher linked to the consulting firm working for Donald Trump's campaign.

Deleting Russian 'trolls'

Late Tuesday, Facebook said it deleted dozens of accounts linked to a Russian-sponsored internet unit which has been accused of spreading propaganda and other divisive content in the United States and elsewhere.

The social networking giant said it revoked 70 Facebook and 65 Instagram accounts, and removed 138 Facebook pages controlled by the Russia-based Internet Research Agency (IRA).

The agency has been called a "troll farm" due to its deceptive posts aimed at sowing discord and propagating misinformation.

The unit "has repeatedly used complex networks of inauthentic accounts to deceive and manipulate people who use Facebook, including before, during and after the 2016 US presidential elections," said a statement by Facebook chief security officer Alex Stamos.

Zuckerberg said in a separate statement on his Facebook page that the Russian group "has been using complex networks of fake accounts to deceive people."

He added: "While we respect people and governments sharing political views on Facebook, we do not allow them to set up fake accounts to do this. When an organization does this repeatedly, we take down all of their pages, including ones that may not be fake themselves."


Facebook to Offer 'Clearer' Terms on Privacy, Data Use
5.4.2018 securityweek
Social

Facebook said Wednesday it is updating its terms on privacy and data sharing to give users a clearer picture of how the social network handles personal information.

The move by Facebook follows a firestorm over the hijacking of personal information on tens of millions of users by a political consulting firm which sparked a raft of investigations worldwide.

"We're not asking for new rights to collect, use or share your data on Facebook," said a statement by Facebook chief privacy officer Erin Egan and deputy general counsel Ashlie Beringer.

"We're also not changing any of the privacy choices you've made in the past."

Facebook is under intense pressure to fix the problems which led to the harvesting of some 87 million user profiles by Cambridge Analytica, a consulting firm working on Donald Trump's 2016 campaign.

The company has already unveiled several measures aimed at improving privacy and transparency, but chief executive Mark Zuckerberg has said it may take several years to address all the issues raised in the scandal.

Egan and Beringer said that with the new terms of service, "we explain how we use data and why it's needed to customize the posts and ads you see, as well as the groups, friends and pages we suggest."

They wrote that "we will never sell your information to anyone" and impose "strict restrictions on how our partners can use and disclose data."

The statement said the new terms will offer better information on how Facebook advertising operates as well.

"You have control over the ads you see, and we don't share your information with advertisers," the statement said.

"Our data policy explains more about how we decide which ads to show you."

Egan and Beringer said Facebook will go further in explaining how it gathers information from phones and other devices.

"People have asked to see all the information we collect from the devices they use and whether we respect the settings on your mobile device (the short answer: we do)," they wrote.

Users may offer feedback on the new policy for seven days before Facebook finalizes the new rules and asks its members to accept them.


KevDroid Android RAT can steal private data and record phone calls
5.4.2018 securityaffairs Android

Security researchers discovered a new Android Remote Access Trojan (RAT) dubbed KevDroid that can steal private data and record phone calls.
Security researchers at South Korean cybersecurity firm ESTsecurity have discovered a new strain of Android Trojan KevDroid that is being distributed disguised as a fake anti-virus application, dubbed “Naver Defender.”

“Spear phishing attacks targeting Android mobile devices have recently emerged. Portal site Naver sends emails related to personal information leakage prevention to induce malicious apps to be installed.” reads the analysis published by ESTsecurity.

“This malicious app impersonates Naver with the Naver logo and the app name “Naver Defender” and takes away sensitive information such as address book, call log, and text messages.”

KevDroid is a remote administration tool (RAT) designed to steal sensitive information from compromised Android devices and spy on its owners by recording phone calls.

After the initial discovery made by cybersecurity firm ESTsecurity, experts at Talos published a detailed analysis of two variants of the RAT detected in the wild.


“Talos identified two variants of the Android Remote Administration Tool (RAT). Both samples have the same capabilities — namely to steal information on the compromised device (such as contacts, SMS and phone history) and record the victim’s phone calls.” reads the analysis published by Talos.

One of the variants uses a known exploit for an Android vulnerability (CVE-2015-3636) to get root access on the compromised device; this variant was dubbed KevDroid. Both variants send data to the same command and control (C2) server through an HTTP POST.

Talos experts explained that the malicious code implemented the feature to record calls based on an open-source project available on GitHub.

The investigation into the infection vector revealed that attackers used an RTF file attempting to exploit the CVE-2017-11882 vulnerability in Office using an embedded Microsoft Equation object.

The bait document used by hackers is written in Korean and contains information on Bitcoin and China.

The second RAT targets Windows systems and specifically uses the PubNub platform as its C2 server. PubNub is a global data stream network (DSN). This malware uses the PubNub API to publish orders to the compromised systems; experts dubbed it “PubNubRAT.”

The most recent variant of KevDroid malware, detected a few weeks ago, implements the following capabilities:

record phone calls & audio
steal web history and files
gain root access
steal call logs, SMS, emails
collect the device’s location every 10 seconds
collect a list of installed applications

“If an adversary were successful in obtaining some of the information KevDroid is capable of collecting, it could result in a multitude of issues for the victim.” continues Talos. “Many users access their corporate email via mobile devices. This could result in cyber espionage being a potential outcome for KevDroid.”

South Korean media associated the KevDroid RAT with North Korea APT Group 123.

“We do not have a strong link between the two malware samples and Group 123. The TTP overlaps are tenuous — using public cloud infrastructure as a C2 server is something other malware has used before as a technique, not just Group 123. Additionally, the C2 server is hosted in Korea, and this malware has been known to target Korean users. However, this information cannot lead us to a strong link,” Talos concluded.
The analysis published by Talos also included indicators of compromise (IoCs).


Many natural gas pipeline operators in the U.S. affected by cyberattack

5.4.2018 securityaffairs ICS

Natural gas pipeline operators in the United States have been affected by a cyber attack that hit a third-party communications system.
The hackers targeted the Latitude Technologies unit at the Energy Services Group, but the attack did not impact operational technology.

At least four US pipeline operators were affected by the attack on their electronic systems; Energy Transfer Partners was the first company that reported problems with its Electronic Data Interchange (EDI) system.

The Electronic Data Interchange platform is used by businesses to exchange sensitive documents, including invoices and purchase orders.

Latitude currently provides EDI services to more than 100 natural gas pipeline firms, storage facilities, utilities, law firms, and energy marketers across the US. The companies in the energy industry use it to manage key energy transactions.

According to a report published by Bloomberg, the attack against Latitude affected Boardwalk Pipeline Partners, Chesapeake Utilities Corp.’s Eastern Shore Natural Gas, and ONEOK, Inc.

“We do not believe any customer data was compromised,” Latitude Technologies unit of Energy Services Group told Bloomberg.

“We are investigating the re-establishment of this data,” Latitude said in a message to customers.


The Department of Homeland Security is investigating the incident; at the time of writing there are no details about the cyber attack.

On Tuesday, Latitude notified its customers that the restoration of EDI services had been completed.

“Monday 4/3/2018 7:49am We have completed the initial restoration of the system. We are now working towards increasing performance. While we believe things to be fully restored, we will continue to monitor for gaps in functionality.” states the advisory published by Latitude Technologies.

“Please notify us if you encounter any missing capabilities so we can address them ASAP. Please contact us with any questions at 972-519-5451. Thank you for your patience. Please check this web site for continuing updates”

Who is behind the attack?

At the time it is impossible to determine the nature of the attackers; financially motivated cybercrime gangs could be interested in stealing sensitive information and using it to blackmail firms. It is likely that crooks targeted the natural gas pipeline operators for extortion purposes.

Another scenario sees nation-state actors targeting critical infrastructure, in this case, EDI services are a mine of information for hackers that could use them to launch further attacks.

In October 2017, the US Department of Homeland Security (DHS) and the FBI issued a warning that APT groups are actively targeting government departments, and firms working in the energy, nuclear, water, aviation, and critical manufacturing sectors.

“This isn’t the first time U.S. pipelines have been targeted. In 2012, a federal cyber response team said in a note that it had identified a number of “cyber intrusions” targeting natural gas pipeline sector companies.” concluded Bloomberg.

“The group, the Industrial Control Systems Cyber Emergency Response Team, is a division of Homeland Security.”


Microsoft issued out-of-band patch to fix CVE-2018-0986 Malware Protection Engine flaw

5.4.2018 securityaffairs Vulnerebility

On April 3, Microsoft issued an out-of-band security update to address the CVE-2018-0986 vulnerability affecting the Microsoft Malware Protection Engine (MMPE).
Microsoft Malware Protection Engine is the core component for malware detection and cleaning in several Microsoft anti-malware products. It is currently implemented in Windows Defender, Microsoft Security Essentials, Microsoft Endpoint Protection, Windows Intune Endpoint Protection, and Microsoft Forefront Endpoint Protection.

The CVE-2018-0986 flaw could be exploited by attackers to execute malicious code on a Windows system with system privileges and gain full control of the vulnerable machine.

The CVE-2018-0986 vulnerability, rated as ‘critical’, was discovered by Thomas Dullien, a white hat hacker at Google Project Zero.

“A remote code execution vulnerability exists when the Microsoft Malware Protection Engine does not properly scan a specially crafted file, leading to memory corruption. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.” reads the security advisory published by Microsoft.

“To exploit this vulnerability, a specially crafted file must be scanned by an affected version of the Microsoft Malware Protection Engine,”

According to the experts, the flaw is quite easy to exploit: an attacker can place the malicious code inside JavaScript files hosted on a website and then trick the victim into visiting it. Another attack scenario sees the hackers send the malicious code as an attachment to an email sent to the victim, or via an instant messaging client.

The attack doesn’t need user interaction because the Microsoft Malware Protection Engine automatically scans all incoming files.

Experts pointed out that Windows Defender is enabled by default on Windows 10.

Microsoft has addressed the flaw in MMPE version 1.1.14700.5; the security patch is delivered without needing user interaction.


“For affected software, verify that the Microsoft Malware Protection Engine version is 1.1.14700.5 or later.

If necessary, install the update. Administrators of enterprise antimalware deployments should ensure that their update management software is configured to automatically approve and distribute engine updates and new malware definitions. Enterprise administrators should also verify that the latest version of the Microsoft Malware Protection Engine and definition updates are being actively downloaded, approved and deployed in their environment.” states Microsoft.

“For end-users, the affected software provides built-in mechanisms for the automatic detection and deployment of this update. For these customers, the update will be applied within 48 hours of its availability. The exact time frame depends on the software used, Internet connection, and infrastructure configuration.”
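One way to perform the verification Microsoft describes on a Windows 10 host, as an added example that is not from the article or from Microsoft: it reads the engine version through the Defender module's Get-MpComputerStatus cmdlet and compares it as a [version] against the fixed build named in the advisory. The two sample version strings fed to the function are constructed for illustration.

```powershell
# Added example (not the article's or Microsoft's code). Requires the Defender
# PowerShell module (Get-MpComputerStatus), available on Windows 10 / Server 2016+.

# Fixed engine build named in Microsoft's advisory for CVE-2018-0986.
$FixedEngineVersion = [version]'1.1.14700.5'

function Test-MpEngineVersion {
    param(
        [Parameter(Mandatory)] [string] $EngineVersion,
        [version] $Minimum = $FixedEngineVersion
    )
    # Compare as [version] objects, never as strings: a string comparison would
    # rank '1.1.9999.0' above '1.1.14700.5' because '9' sorts after '1'.
    $current = [version]$EngineVersion
    [pscustomobject]@{
        EngineVersion = $current
        Required      = $Minimum
        IsPatched     = ($current -ge $Minimum)
    }
}

# Constructed sample inputs, so the comparison can be seen without touching the host:
Test-MpEngineVersion -EngineVersion '1.1.14600.4'   # an older build
Test-MpEngineVersion -EngineVersion '1.1.14700.5'   # the fixed build itself

# Live check on the local machine.
$status = Get-MpComputerStatus
Test-MpEngineVersion -EngineVersion $status.AMEngineVersion | Format-List

# Engine and definition updates arrive through the same channel, and Microsoft
# says the fix reaches end users within 48 hours; signatures older than that
# suggest the update pipeline is stalled and the engine may be stale too.
$age = (Get-Date) - $status.AntivirusSignatureLastUpdated
if ($age -gt [timespan]::FromDays(2)) {
    Write-Warning "Signatures last updated $($status.AntivirusSignatureLastUpdated); review update management."
}
```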


Thousands of compromised Magento websites delivering Malware
5.4.2018 securityaffairs Cryptocurrency 
Virus

Hackers compromised hundreds of Magento e-commerce websites to steal credit card numbers and install crypto-mining malware.
According to the security firm Flashpoint, hackers launched brute-force attacks against Magento installs, they used a dictionary composed of common and known default Magento credentials.

“Ecommerce websites running on the popular open-source Magento platform are being targeted by attackers who are using brute-force password attacks to access administration panels to scrape credit card numbers and install malware that mines cryptocurrency.” reads the analysis published by Flashpoint.

“The Magento sites are being compromised through brute-force attacks using common and known default Magento credentials.”

The security firm revealed that hackers have already compromised at least 1,000 Magento admin panels; most of the victims are in the US and Europe and operate in the education and healthcare industries.

The threat actors behind this campaign are also targeting other popular e-commerce-processing CMS platforms such as Powerfront CMS and OpenCart.

According to the experts, it is quite easy to find discussions on crime forums about how to compromise CMS platforms.

The lack of proper security measures makes it easy for crooks to compromise websites, sometimes just using a simple script.

“Brute-force attacks such as these are simplified when admins fail to change the credentials upon installation of the platform. Attackers, meanwhile, can build simple automated scripts loaded with known credentials to facilitate access of the panels.” continues the post.

Once hackers have compromised a Magento installation, they can inject malicious code into the core files to perform a wide range of malicious activities, such as stealing payment card data from the website.

The attackers can also use the compromised Magento installs to mine cryptocurrency by using malware such as the Rarog cryptocurrency miner.

The compromised sites serve an exploit masquerading as a phony Adobe Flash Player update; once the victim launches it, a malicious JavaScript is executed whose function is to download malware from attacker-controlled servers on GitHub and other compromised sites onto the victim’s computer.

“Analysts said the infection chain begins with the installation of data-stealing malware called AZORult from a binary hosted on GitHub. AZORult then downloads additional malware; in this campaign, the additional malware is the Rarog cryptocurrency miner.” continues the analysis.

“The attackers are keen on avoiding detection and update the malicious files daily in order to sidestep signature- and behavior-based detection. Flashpoint said the accounts hosting these files have been active since 2017.”


Flashpoint, with the support of law enforcement, is notifying victims of the security breaches.

Magento admins are recommended to review CMS account logins and adopt mitigation measures against brute-force attacks, for example by limiting the number of attempts or enforcing two-factor authentication.


Several U.S. Gas Pipeline Firms Affected by Cyberattack
4.4.2018 securityweek Cyber

Several natural gas pipeline operators in the United States have been affected by a cyberattack that hit a third-party communications system, but the incident does not appear to have impacted operational technology.

Energy Transfer Partners was the first pipeline company to report problems with its Electronic Data Interchange (EDI) system due to a cyberattack that targeted Energy Services Group, specifically the company’s Latitude Technologies unit.

EDI is a platform used by businesses to exchange documents such as purchase orders and invoices. In the case of energy firms, the system is used to encrypt, decrypt, translate, and track key energy transactions. Latitude says it provides EDI and other technology services to more than 100 natural gas pipelines, storage facilities, utilities, law firms, and energy marketers across the U.S.

Bloomberg reported that the incident also affected Boardwalk Pipeline Partners, Chesapeake Utilities Corp.’s Eastern Shore Natural Gas, and ONEOK, Inc. However, ONEOK clarified that its decision to disable the third-party EDI service was a “purely precautionary step.”

“There were no operational interruptions on ONEOK's natural gas pipelines,” the company stated. “Affected customers have been advised to use one of the alternative methods of communications available to them for gas scheduling purposes.”

Few details are known about the cyberattack, but Latitude did tell Bloomberg that it did not believe any customer data had been compromised and no other systems appeared to have been impacted. A status update provided by Latitude on its website on Tuesday informed customers that the initial restoration of EDI services had been completed and the company had been working on increasing performance.

SecurityWeek has reached out to Latitude Technologies and Energy Services Group for more information about the attack and will update this article if they respond.

“This looks like a financially-motivated cyberattack, likely by cybercriminals, but we've seen in the past that cybercriminals often collaborate with nation-states and share hacking tools with each other,” said Phil Neray, VP of Industrial Cybersecurity at CyberX, a critical infrastructure and industrial cybersecurity firm based in Boston. “It's easy to imagine a ransomware attack that uses nation-state tools to hijack ICS/SCADA systems and hold the pipeline hostage for millions of dollars per day.”

Bryan Singer, director of Security Services at IOActive, has described some worst-case scenarios that could result from attacks targeting pipeline operators.

“A lot of pipelines have 24-48 hour capacity within the pipelines. If hackers find a way to poison the product, you could have downstream impact for months or more. You could have gas compressors or lift stations where there’s a fire or explosion, and where you have to scramble to cap the ends before the fire spreads out. If it’s an oil rig, it could certainly be tougher to contain,” Singer told SecurityWeek.

“Hackers can cause some intermediate problems at first, but if they have access long enough, there’s a possibility that airports could go down (they often rely on fuel delivered directly) and gas stations could run out of gas. If they’re able to maintain an attack for a couple days, there can be very large downstream impact. We’re mostly out of winter, but if we don’t have power, we’re in need of that heat,” he added.

Back in 2012, the Department of Homeland Security (DHS) warned that malicious actors had been targeting the natural gas industry. While critical infrastructure operators in general have since become more aware of the risks posed by cyberattacks, many organizations are still unprepared.

In the case of the oil and gas industry in the United States, a study commissioned last year by German engineering giant Siemens showed that this sector is largely unprepared to address cybersecurity risks in operational technology (OT) environments.


Female Suspect Dead, Several Hurt in YouTube Shooting
4.4.2018 securityweek Incindent

Chaos Amid Shooting at YouTube Headquarters

[UPDATE] Gunfire erupted at YouTube's offices in California Tuesday, leaving at least three people injured and sparking a panicked escape before the suspected shooter -- a woman -- apparently committed suicide.

Amid a chaotic scene in the city of San Bruno, a woman believed to be the shooter was found dead at the scene of the Google-owned video sharing service.

"We have one subject who is deceased inside the building with a self-inflicted wound," San Bruno Police Chief Ed Barberini told reporters. "At this time, we believe it to be the shooter."

Barberini mentioned "four victims" but it was not immediately clear if that included the shooter.

There was no immediate word on any motive.

Shootings by women are an extremely rare occurrence in the United States where the overwhelming majority of gun violence is carried out by men.

According to an FBI study that looked at 160 incidents involving one or more shooters in public places between 2000 and 2013 -- just six of the people who opened fire were women, a share of 3.8 percent.

Amid conflicting reports on casualties, Barberini said the injured "have been transported and are being treated for injuries that are treatable."

He said police had sealed off the building as they pursued the investigation and searched for any additional possible victims.

- Frantic escape -

Employees recounted frantic scenes as they fled YouTube's headquarters near San Francisco, with one saying he saw blood on the floor as he escaped.

"We were sitting in a meeting and then we heard people running because it was rumbling the floor. First thought was earthquake," employee Todd Sherman tweeted.

Sherman said that as he headed for an exit "someone said that there was a person with a gun," and added "at that point every new person I saw was a potential shooter."

Sherman's tweets continued: "I looked down and saw blood drips on the floor and stairs. Peeked around for threats and then we headed downstairs and out the front."

One image posted by a Twitter user showed employees being led out of the building with their hands up, with no further explanation.

Another YouTube employee, Vadim Lavrusik, tweeted: "Active shooter at YouTube HQ. Heard shots and saw people running while at my desk. Now barricaded inside a room with coworkers."

Later, Lavrusik said he had escaped to safety.

Witnesses reported helicopters on the scene as well as police SWAT teams.

The White House said President Donald Trump had been briefed and that his administration was monitoring the ongoing situation in San Bruno.

Shortly afterward, Trump tweeted, "Our thoughts and prayers are with everybody involved. Thank you to our phenomenal Law Enforcement Officers and First Responders that are currently on the scene."

YouTube headquarters is located some 30 miles (50 kilometers) from the main Google campus in Mountain View.

The shooting, which follows a series of deadly gun incidents at schools and elsewhere, comes amid heated debate on gun control measures in the United States.

An estimated 1.5 million people participated in demonstrations March 24 calling for stricter firearms measures following a deadly shooting in Parkland, Florida.

Organizers of the March for Our Lives sent a message of solidarity to the employees hit by Tuesday's shooting, tweeting "Our hearts are with you, @YouTube."


Panera Bread left millions of customer records exposed online for months
4.4.2018 securityaffairs Incindent

The website belonging to the Panera Bread restaurant chain, Panerabread.com, exposed personal information in plain text for months.
The company has more than 2,100 retail locations in the United States and Canada, its customers could order food online for pickup in stores or for delivery.

Panera Bread exposed the data for at least eight months after the company was first notified of the data leak.

On Monday, the popular security expert Brian Krebs reported a bug affecting the Panera’s website that left millions of customer records exposed in plain text.

Exposed data included names, email addresses, physical addresses, birthdays, and the last four digits of their credit cards.

The company also exposed customers’ Panera loyalty card numbers, which could be used by scammers to spend prepaid balances or to steal value from Panera customer loyalty accounts.


The disconcerting aspect of the story is that the issue was first notified to Panera Bread by the security researcher Dylan Houlihan on August 2, 2017.

At first the IT staff did not acknowledge the flaw, but after further investigation, director of information technology Mike Gustavison told the researcher that the issue was fixed.

Houlihan verified that the issue was not fixed and on April 2nd reported it to Brian Krebs.

“Panerabread.com, the Web site for the American chain of bakery-cafe fast casual restaurants by the same name, leaked millions of customer records — including names, email and physical addresses, birthdays and the last four digits of the customer’s credit card number — for at least eight months before it was yanked offline earlier today, KrebsOnSecurity has learned.” states the blog post published by Krebs.

This incident is disconcerting in many respects, such as the company’s response and the way it handled customers’ data.

Only after Brian Krebs contacted Panera Bread did the company take the website offline.

“It is not clear yet exactly how many Panera customer records may have been exposed by the company’s leaky Web site, but incremental customer numbers indexed by the site suggest that number may be higher than seven million.” continues Krebs.

“It’s also unclear whether any Panera customer account passwords may have been impacted.”

Panera told Fox Business that the data leak affected only about 10,000 records, but experts at Hold Security estimated that the number of affected accounts is approximately 37 million.

In a written statement, Panera declared it had fixed the problem within less than two hours of being notified by Brian Krebs, but the expert rightly asked why Panera did not explain why it took eight months to fix the issue after Houlihan reported it.


New KevDroid Android Backdoor Discovered
3.4.2018 securityweek Android

Security researchers have discovered a new Android Remote Access Trojan (RAT) that can steal a great deal of information from infected devices.

Dubbed KevDroid, the mobile threat can steal contacts, messages, and phone history, and can also record phone calls, Talos reports. Two variants of the malware have been identified so far.

One of the variants exploits CVE-2015-3636 to gain root access, but both implement the same call recording capabilities, taken from an open-source project on GitHub.

Once it has infected a device, the first KevDroid variant can gather and siphon information such as installed applications, phone number, phone unique ID, location, stored contacts information, stored SMS, call logs, stored emails, and photos.

Large in size, the second variant of the malware was hosted at the same URL in February, and has been observed using SQLite databases to store data. It includes the same data gathering capabilities, along with camera recording, audio recording, web history stealing, file stealing, and the ability to gain root on the device.

An ELF file embedded in the APK attempts to exploit the CVE-2015-3636 vulnerability using code available on GitHub to obtain root permission. By gaining higher privileges, the malware can perform more in-depth actions, including stealing files from other applications.

“If an adversary were successful in obtaining some of the information KevDroid is capable of collecting, it could result in a multitude of issues for the victim. The social aspect of a mobile device results in a large amount of data residing on the device. This can be sensitive data, such as photographs, passwords, banking information or social engineering,” Talos notes.

Attackers could also blackmail victims using images or information deemed secret, could steal credentials and multi-factor tokens (SMS MFA), and could also engage in banking/financial fraud using their access to privileged information. Should the infected device be used in corporate environments, a KevDroid attack could lead to cyber espionage, Talos says.

While analyzing the threat, the security researchers also discovered a Windows-targeting RAT hosted on the same C&C server. They called the malware PubNubRAT because it uses the PubNub global data stream network (DSN) as its C&C channel and leverages the PubNub API to send commands to compromised systems.

“Using legitimate services is always challenging for defenders. It's hard to identify malicious communications hidden in legitimate network flows (especially if the requests use encryption via HTTPS),” Talos notes.

An RTF file attempting to exploit the CVE-2017-11882 vulnerability in Office using an embedded Microsoft Equation object is used for infection. The document is written in Korean and contains information on Bitcoin and China.

Once it has infected a system, the malware can steal files, download files, execute commands, kill processes, and take screenshots.

Talos says it started investigating these malware families because of a possible link to Group 123, but the evidence it found was too weak to establish a clear connection with the group.

“We do not have a strong link between the two malware samples and Group 123. The TTP overlaps are tenuous — using public cloud infrastructure as a C2 server is something other malware has used before as a technique, not just Group 123. Additionally, the C2 server is hosted in Korea, and this malware has been known to target Korean users. However, this information cannot lead us to a strong link,” Talos concludes.


Software-defined Global Network as a Service Firm Meta Networks Emerges From Stealth
3.4.2018 securityweek Safety

Meta NaaS Provides a Software-defined Virtual 'Overlay' to Existing Disjointed Physical Networks

Emerging from stealth with $10 million in seed funding led by Vertex Ventures and the BRM Group, Tel Aviv-based Meta Networks has launched Meta NaaS -- a secure software-defined virtual private network aimed at redefining the concept of distributed, cloud-employing corporate networks.

The advent of public and private cloud services and offerings, together with the growth of mobile computing and remote working, plus the tendency for most companies to combine all of these with their own on-premise resources has had one major and well-recognized effect: there is no longer a physical network perimeter that can be defined and protected. Solutions generally require point products for every device, aimed at protecting the device and its communication to other parts of the network. This rapidly becomes very complex with multiple points of possible failure.

Meta Networks Meta NaaS provides a software-defined virtual 'overlay' to existing disjointed physical networks. It is user-centric, draws on the principle of zero-trust, and brings together all aspects of remote users, mobile devices, separate branch offices, on premise data centers and cloud apps within one single software-defined overlay. It creates a new perimeter in the cloud.

Like Google's BeyondCorp, the user is key. Every user device is given a unique permanent identity at the packet level, but is also given access to an always-on virtual private network (VPN). A global distribution of PoPs ensures high performance in accessing and using the VPN from any location, and all corporate traffic from corporate users is securely sent to the NaaS before being delivered to its destination. This includes both internal resources and internet traffic -- and security is handled in the NaaS rather than at the device.

"It's worldwide," Etay Bogner, CEO and founder of Meta Networks, told SecurityWeek. "You don't have to install any appliances. You connect separate offices through their existing routers. On top of the network we are deploying best network security. So instead of having the firewall deployed as an appliance in a specific physical location, we have the firewall functionality within the cloud in every one of the PoPs, and we apply security at those locations."

The effect is to provide security in even hostile environments -- mobile employees working in internet cafes or airport waiting lounges are as secure and productive as if they were still in the office.

Meta NaaS interoperates with other cloud-delivered security solutions, supporting a best-of-breed security stack for the enterprise. It delivers identity-based policy routing and packet-level identity verification; and since it is cloud-based, it promises cloud advantages: agility, scalability and cloud economics.

"Meta NaaS is a new zero-trust paradigm for the 'virtual private network' that revolves around users rather than physical topology. This shift enables enterprises to effectively restore the perimeter by protecting all employee traffic -- both corporate and internet -- all of the time," said Bogner. "What elevates our technology is the cloud-native global backbone and the comprehensive, identity-based network security architecture designed to support millions of users efficiently."

"Meta NaaS is built around network users, not a physical business location," comments Ramon Snir, senior developer at Dynamic Yield, an existing customer. "This is an advantageous approach for organizations like ours that have applications in data centers and clouds around the world, as well as an increasingly mobile workforce."

Bogner is keen to stress that this is not a new rip-and-replace technology. "Enterprises already have existing investment in on premise security. That doesn't have to be ripped out," he told SecurityWeek. But at the same time, when licenses lapse, they don't have to be replaced. Meta NaaS provides a road map towards a cloud-only security policy.

"Over time," added Amy Arie, Meta Networks' CMO, "the NaaS will offer greater security at lower cost."

The concept can be seen in its implementation by MyHeritage. The firm has 100 sales reps around the world, with applications housed in two data centers on different continents. Without Meta NaaS, this required VPNs in each data center and an IT overhead in maintaining 100 clients -- and for the reps to understand which data center they needed. With Meta NaaS it is a single connection to the NaaS. The VPN is always operational, and access policies are maintained in the NaaS.

"Compared to managing VPNs in each of our data centers," said Moshe Magal, IT team leader at MyHeritage, "the Meta NaaS solution is much simpler and more convenient both for our IT team and our users."

Meta Networks is the fourth firm founded by serial entrepreneur, Etay Bogner. His first was SofaWare, a network security vendor that was ultimately acquired by Check Point Software. The second was Neocleus, a virtualization vendor acquired by Intel. The third is Stratoscale, an AWS compatible infrastructure and services firm.


Hacked Magento Sites Steal Card Data, Spread Malware
3.4.2018 securityweek Virus

Cybercriminals are targeting websites running the Magento platform to inject them with code that can steal credit card data and infect visitors with malware, Flashpoint reports.

The open-source platform written in PHP has long stirred threat actors’ interest due to its popularity among e-commerce sites. According to Flashpoint, members of entry-level and top-tier Deep & Dark Web forums have shown continued interest in the platform since 2016, and have also targeted content management systems such as Powerfront CMS and OpenCart.

As part of the newly observed attacks, hackers are attempting to brute-force Magento administration panels. Once they gain access, malware capable of scraping credit card numbers is installed, along with crypto-currency miners.

At least 1,000 Magento admin panels have been compromised, Flashpoint says. The attackers attempt to log in using common and known default Magento credentials, once again proving that changing the credentials upon installation of the platform can prevent compromise.

After gaining control of the site’s Magento CMS admin panel, the attackers have unfettered access to the site and can inject any script they want. In this case, they injected malicious code in the Magento core file to access pages where payment data was processed. Because of that, they could intercept POST requests to the server containing sensitive data and redirect those to the attacker.

The compromised sites also revealed the use of an exploit masquerading as an Adobe Flash Player update. If launched, the fake update would run malicious JavaScript to download data-stealing malware called AZORult from GitHub. The malware then downloads the Rarog cryptocurrency miner.

The accounts hosting the malicious files have been active since 2017 and the security researchers observed that the attackers would update the files daily to avoid detection by signature- and behavior-based tools.

Most of the 1,000 compromised panels are in the education and healthcare industries in the United States and Europe. However, the researchers believe that the compromised sites they are aware of might be part of a larger sample of infected Magento panels.

To keep their sites and users protected, Magento admins are advised to review CMS account logins and enforce strong password-hygiene practices to mitigate their exposure to brute-force attacks. They should restrict the recycling of previously used passwords, enable two-factor authentication for sensitive systems and applications, and provide secure password managers to their users.
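One way to act on the advice above is to review the web server's access logs for the brute-force pattern Flashpoint describes. The script below is an added example, not code from Flashpoint or the Magento project: it flags any client that repeatedly fails admin login POSTs inside a short window and, more importantly, a later successful login from that same client. It assumes the combined log format, that the panel is served under /admin/, and that a failed login returns HTTP 200 while a successful one redirects with 302; the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Pattern for the Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumptions, not taken from the article: the admin panel is served under
# /admin/ (Magento's default path, often renamed), a failed login re-renders
# the form with HTTP 200 and a successful login redirects with HTTP 302.
ADMIN_LOGIN_RE = re.compile(r"^/admin/?(\?.*)?$")
FAIL_STATUSES = {200}
SUCCESS_STATUSES = {302}


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], TS_FMT)
    ev["status"] = int(ev["status"])
    return ev


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=5)):
    """Scan log lines for admin-login brute forcing.

    Returns a list of (ip, kind, failures_in_window, timestamp) tuples:
      - "bruteforce": an IP reached `threshold` failed login POSTs within `window`
      - "success_after_bruteforce": a flagged IP then got a redirect from the login POST
    """
    recent = defaultdict(deque)  # ip -> timestamps of recent failed logins
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or not ADMIN_LOGIN_RE.match(ev["path"]):
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = recent[ip]
        while q and ts - q[0] > window:  # drop failures that fell out of the sliding window
            q.popleft()
        if ev["status"] in FAIL_STATUSES:
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "bruteforce", len(q), ts))
        elif ev["status"] in SUCCESS_STATUSES and ip in flagged:
            # The worst case: the guessing stopped because a credential worked.
            alerts.append((ip, "success_after_bruteforce", len(q), ts))
    return alerts


def _line(ip, hhmmss, method, path, status):
    """Build a constructed combined-format line for the sample below."""
    return (f'{ip} - - [01/Apr/2018:{hhmmss} +0000] "{method} {path} HTTP/1.1" '
            f'{status} 1543 "-" "Mozilla/5.0"')


# Constructed sample: 203.0.113.7 fails six times in 20 seconds and then succeeds;
# 198.51.100.2 is an ordinary admin who mistypes once; a GET and a junk line are ignored.
SAMPLE_LOG = [
    _line("203.0.113.7", "10:00:00", "GET", "/admin/", 200),
    _line("203.0.113.7", "10:00:01", "POST", "/admin/", 200),
    _line("203.0.113.7", "10:00:05", "POST", "/admin/", 200),
    _line("203.0.113.7", "10:00:09", "POST", "/admin/", 200),
    _line("198.51.100.2", "10:00:10", "POST", "/admin/", 200),
    _line("203.0.113.7", "10:00:13", "POST", "/admin/", 200),
    _line("203.0.113.7", "10:00:17", "POST", "/admin/", 200),
    _line("198.51.100.2", "10:00:20", "POST", "/admin/", 302),
    _line("203.0.113.7", "10:00:21", "POST", "/admin/", 200),
    "this line is not an access-log entry",
    _line("203.0.113.7", "10:00:30", "POST", "/admin/", 302),
]

if __name__ == "__main__":
    for ip, kind, count, ts in detect_bruteforce(SAMPLE_LOG):
        print(f"{ts.isoformat()} {ip} {kind} (failures in window: {count})")
```

A "success_after_bruteforce" alert is the one that warrants resetting the account and reviewing the core files the article mentions, since the panel has likely already been used.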

“The rash of attacks resurrects the epidemic of default credential usage among admins. Default credentials were at the core of the 2016 Mirai attacks where hackers were able to access connected devices such as security cameras, DVRs and routers using known and common default passwords,” Flashpoint notes.

Weak credentials in Internet of Things (IoT) devices have long been known to fuel botnets, but any system where good password hygiene is not enforced is just as exposed as those devices. Even industrial control system (ICS) products ship with default credentials and could be affected.


New Monero-Mining Android Malware Discovered
3.4.2018 securityweek Android

A newly discovered malware family attempts to leverage the (limited) computing power of Android devices to mine for Monero crypto-currency, Trend Micro warns.

Dubbed HiddenMiner, the malware was developed with self-protection and persistence mechanisms that allow it to hide itself from the unwitting user and to abuse the Device Administrator feature to perform its nefarious activities.

The main issue with this threat, however, is the fact that it has no switch, controller, or optimizer in its code, meaning that it essentially continuously mines for Monero until all of the device’s resources are depleted. Because of that, the malware can cause the infected devices to overheat and potentially fail, Trend Micro's researchers point out.

HiddenMiner is used in an active campaign that had already earned its operators several thousand dollars as of last week (based on the known Monero mining pools and wallets connected to the malware).

HiddenMiner, Trend Micro says, is somewhat similar to the Loapi Monero-mining Android malware, which has previously been observed causing a device’s battery to bloat. Furthermore, both Loapi and HiddenMiner use a similar technique to lock the device screen after device administration permissions are revoked.

The new threat spreads via third-party application marketplaces and has been observed impacting only users in India and China so far. However, the security researchers say it might spread beyond these two countries as well.

The malware masquerades as a legitimate Google Play update application, featuring the Google Play icon and appearing on the Android device’s screen as com.google.android.provider. The miner then asks the user to activate it as a device administrator and continuously displays the pop-up window until the user grants it the requested permissions.

Once installed, HiddenMiner empties the app label and uses a transparent icon to hide itself from the user. As soon as the device administrator rights are enabled, it hides from the app launcher by calling setComponentEnabledSetting() and starts the mining operation in the background.

The threat hides itself and automatically runs with administrator permissions until the next device boot, the same as the DoubleHidden Android adware does.

Furthermore, the malware includes anti-emulator capabilities that allow it to bypass detection and automated analysis. It leverages an Android emulator detector found on GitHub for that.

To prevent victims from removing the acquired device administrator privileges, HiddenMiner locks the device’s screen when the user attempts to perform this action. For that, it abuses a bug in Android releases prior to Android 7.0 Nougat, the security researchers say.

In newer Android releases, device admin applications can no longer lock the screen. This security improvement prevents other malware such as ransomware and information stealers from abusing the device admin privileges as well.

“HiddenMiner is yet another example of how cybercriminals are riding the cryptocurrency mining wave. For users and businesses, this reinforces the importance of practicing mobile security hygiene: download only from official app marketplaces, regularly update the device’s OS (or ask the original equipment manufacturer for their availability), and be more prudent with the permissions you grant to applications,” Trend Micro concludes.


Google Bans Crypto-Mining Chrome Extensions
3.4.2018 securityweek Cryptocurrency

Google on Monday announced that Chrome extensions designed to mine for crypto-currencies are no longer accepted in the Chrome Web Store.

While still focused on allowing the Chrome extensions ecosystem to evolve, Google also wants to keep users as safe as possible. Thus, a rise in the number of malicious Chrome extensions that mine for virtual coins without informing users has prompted the Internet giant to ban all such extensions.

The scripts designed for mining purposes often require significant CPU power to perform their activity, and could result in severely diminished system performance or in increased power consumption. Called in-browser cryptojacking, such mining behavior is employed by many websites as well, often with heavy impact on user experience.

“Over the past few months, there has been a rise in malicious extensions that appear to provide useful functionality on the surface, while embedding hidden cryptocurrency mining scripts that run in the background without the user’s consent,” James Wagner, Extensions Platform Product Manager, says.

Starting Monday, Google no longer accepts extensions that mine crypto-currency in the Chrome Web Store. Furthermore, the company plans on removing all such extensions from the store in late June.

Extensions with blockchain-related purposes that do not attempt to mine for virtual coins will continue to be distributed through the Web Store.

Previously, Google allowed developers to submit extensions designed for crypto-currency mining for publication as long as the extension was built for mining only and users were explicitly informed about this behavior.

However, the vast majority (90%) of the extensions containing mining scripts that were submitted for upload to the Chrome Web Store failed to comply with the company’s policies and ended up rejected or removed from the store.

“The extensions platform provides powerful capabilities that have enabled our developer community to build a vibrant catalog of extensions that help users get the most out of Chrome. Unfortunately, these same capabilities have attracted malicious software developers who attempt to abuse the platform at the expense of users,” Wagner points out.


Project Kalamata – Apple will replace Intel processors in Macs with its custom designed chips
3.4.2018 securityaffairs IT

In the wake of the discovery of severe flaws in Intel chips, the so-called Meltdown and Spectre vulnerabilities, Apple announced it plans to use custom-designed ARM chips in Mac computers starting as early as 2020.
The move would replace the Intel processors in its desktop and laptop systems, as Apple has already done with its own A-series custom chips used in iPhones and iPads.

“Apple Inc. is planning to use its own chips in Mac computers beginning as early as 2020, replacing processors from Intel Corp., according to people familiar with the plans.” states a report published by Bloomberg.

“The initiative, code named Kalamata, is still in the early developmental stages, but comes as part of a larger strategy to make all of Apple’s devices — including Macs, iPhones, and iPads — work more similarly and seamlessly together, said the people, who asked not to be identified discussing private information.”
According to Bloomberg, the initiative, codenamed ‘Kalamata’, was launched with the primary goal of having a uniform architecture across all of Apple’s products.

According to Bloomberg, the move is part of a larger initiative internally dubbed Marzipan to make Macs work more like iPhones and make iOS apps interoperable on Apple devices.


Currently, Apple shares 5% of its annual revenue with Intel and pays for exclusive deals to offer to its customers; the changeover would allow the company to improve the performance of its systems and keep its projects secret.

According to Bloomberg, the new models of Mac Pro laptops arriving next year will include a chip designed by Apple. After the publication of the Bloomberg report, Intel’s stock price took a hit and dropped by 9.2 percent.

“Apple plans to add that chip to a new version of its Mac Pro, to be released by next year, and new Mac laptops this year, according to a person familiar with the matter.” added Bloomberg.

“Intel shares dropped as much as 9.2 percent, the biggest intraday drop in more than two years, on the news. They were down 6.4 percent at $48.75 at 3:30 p.m. in New York.”

Neither Apple nor Intel has yet commented on the Bloomberg report.


Fin7 hackers stole 5 Million payment card data from Saks Fifth Avenue and Lord & Taylor Stores
3.4.2018 securityaffairs Hacking

FIN7 hackers stole credit and debit card information from millions of consumers who have purchased goods at Saks Fifth Avenue and Lord & Taylor stores.
A new data breach has made the headlines; the victims are Saks Fifth Avenue and Lord & Taylor stores. According to the parent company, Hudson’s Bay Company (HBC), the security breach exposed customer payment card data at certain Saks Fifth Avenue, Saks OFF 5TH (the discount store brand) and Lord & Taylor stores in North America.

“We recently became aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America. We identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores.” reads the official statement issued by Lord & Taylor.

“While the investigation is ongoing, there is no indication that this affects our e-commerce or other digital platforms,”

The hackers did not compromise HBC’s e-commerce or other digital platforms; the company promptly informed authorities and hired security investigators to

“We are working rapidly with leading data security investigators to get our customers the information they need, and our investigation is ongoing. We also are coordinating with law enforcement authorities and the payment card companies,” continues the announcement.

The HBC issued the following statement:

“HBC has identified the issue, and has taken steps to contain it,” the company said in a statement. “Once the Company has more clarity around the facts, it will notify customers quickly and will offer those impacted free identity protection services, including credit and web monitoring. HBC encourages customers to review their account statements and contact their card issuers immediately if they identify activity or transactions they do not recognize.”

The data breach was first reported by threat intelligence firm Gemini Advisory, which noticed the offer for sale of over five million stolen credit and debit cards on a cybercrime marketplace called JokerStash.


The researchers linked the security breach to the financially-motivated FIN7 APT group also known as Carbanak or Anunak.

The group has continuously changed its attack techniques and implemented new malware obfuscation methods. The FIN7 group has been active since late 2015 and has been highly active since the beginning of 2017.

FIN7 was spotted in early 2017 when it targeted personnel involved with United States Securities and Exchange Commission (SEC) filings at various organizations with a new PowerShell backdoor dubbed POWERSOURCE.

“On March 28, 2018, a notorious hacking JokerStash syndicate, also known as Fin7 announced the latest breach of yet another major corporation, with more than five million stolen payment cards offered for sale on the dark web. Several large financial institutions have confirmed that all tested records had been used before at Saks Fifth Avenue, Saks Fifth Avenue OFF 5TH, a discounted offset brand of luxury Saks Fifth Avenue stores, as well as Lord & Taylor stores.” the company said in a post.


As of Sunday, only a small portion of the compromised records had been offered for sale; the crooks offered roughly 35,000 records for Saks Fifth Avenue and 90,000 records for Lord & Taylor.

“As of this writing, approximately 125,000 records have been released for sale, although we expect the entire cache to become available in the following months.” added Gemini.

At the time of writing, HBC had not provided details on the extent of the security breach. It is still unclear how the hackers stole the payment card data; experts believe they may have compromised point-of-sale systems.

“Based on the analysis of records that are currently available, it appears that all Lord & Taylor and 83 US based Saks Fifth Avenue locations have been compromised. In addition, we identified three potentially compromised stores located in Ontario, Canada. However, the majority of stolen credit cards were obtained from New York and New Jersey locations.” concluded Gemini.


Grindr shared people’s HIV status with other companies
3.4.2018 securityaffairs Security

An analysis conducted by the Norwegian research nonprofit SINTEF revealed that the popular Grindr gay dating app is sharing its users’ HIV status with two other companies.
The Grindr gay-dating app has made the headlines again; a few days ago an NBC report revealed that the app was affected by two security issues (now patched) that could have exposed the information of its more than 3 million daily users.

An attacker could have exploited the feature to access location data, private messages to other users, and profile information, even if they’d opted out of sharing such information.

The security issues were identified by Trever Faden, CEO of the property management startup Atlas Lane, while he was working on his website C*ckblocked, which allowed users to see who had blocked them on Grindr.

Faden discovered that once a Grindr user logged in to his service, it was possible to access a huge quantity of data related to their Grindr account, including unread messages, email addresses, and deleted photos.

While the media were sharing that news, another disconcerting revelation was made by BuzzFeed and the Norwegian research nonprofit SINTEF: Grindr has been sharing data on whether its users have HIV with two outside companies.

“SVT and SINTEF conducted an experiment the 7th of February 2018 to analyse privacy leaks in the dating application Grindr. This was realised for the Swedish TV program “Plus granskar“, that you may watch online.” reported SINTEF.

“We discovered that Grindr contains many trackers, and shares personal information with various third parties directly from the application.”


Profiles include sensitive information such as HIV status, when a user was last tested, and whether they are taking HIV treatment or the HIV-preventing pill PrEP.

“It is unnecessary for Grindr to track its users HIV Status using third-parties services. Moreover, these third-parties are not necessarily certified to host medical data, and Grindr’s users may not be aware that they are sharing such data with them.” added SINTEF.

The disconcerting aspect of this revelation is that Grindr has been sharing users’ HIV statuses and test dates with two companies that help optimize the app, called Apptimize and Localytics.

“The two companies — Apptimize and Localytics, which help optimize apps — receive some of the information that Grindr users choose to include in their profiles, including their HIV status and ‘last tested date.’” BuzzFeed reports.

“Because the HIV information is sent together with users’ GPS data, phone ID, and email, it could identify specific users and their HIV status, according to Antoine Pultier, a researcher at the Norwegian nonprofit SINTEF, which first identified the issue.”

In some cases, this data was not protected by encryption.

Hours after BuzzFeed’s report, Grindr told Axios that it had made a change to stop sharing users’ HIV status. The company’s security chief, Bryce Case, told Axios that he felt the company was being “unfairly … singled out” in light of Facebook’s Cambridge Analytica scandal and said that the company’s practices didn’t deviate from the industry norm.

Grindr’s chief technology officer, Scott Chen, pointed out that data was shared “under strict contractual terms that provide for the highest level of confidentiality, data security, and user privacy.”

Grindr, however, does not sell user data to third parties.

In a statement released Monday afternoon, Grindr confirmed that it would stop sharing the HIV data.

The company also confirmed to CNNMoney that it has already deleted HIV data from Apptimize, and is in the process of removing it from Localytics.


Google to banish cryptocurrency mining extensions from official Chrome Web Store
3.4.2018 securityaffairs Cryptocurrency

Google will ban cryptocurrency mining extensions from the official Chrome Web Store after finding many of them abusing users’ resources without consent.
The number of malicious extensions has increased rapidly over the past few months, especially those related to mining activities.

The company has introduced a new Web Store policy that bans any Chrome extension submitted to the Web Store that mines cryptocurrency.

“Until now, Chrome Web Store policy has permitted cryptocurrency mining in extensions as long as it is the extension’s single purpose, and the user is adequately informed about the mining behavior.” reads a blog post published by Google.

“Unfortunately, approximately 90% of all extensions with mining scripts that developers have attempted to upload to Chrome Web Store have failed to comply with these policies, and have been either rejected or removed from the store.”

“Starting today, Chrome Web Store will no longer accept extensions that mine cryptocurrency,”

Until now, Google only allowed those cryptocurrency mining extensions that explicitly informed users about their mining activities.

The Mountain View firm announced it will block all mining extensions that are not in compliance and secretly mine cryptocurrency using devices’ resources.


Google pointed out that the ban on cryptocurrency mining extensions will not affect blockchain-related extensions such as Bitcoin price checkers and cryptocurrency wallet managers.

“Existing extensions that mine cryptocurrency will be delisted from the Chrome Web Store in late June. Extensions with blockchain-related purposes other than mining will continue to be permitted in the Web Store.” continues the blog post.

Google’s ban is another step to protect its users from hidden risks; it follows the recent announcement that advertisements related to cryptocurrency will be banned.

“This policy is another step forward in ensuring that Chrome users can enjoy the benefits of extensions without exposing themselves to hidden risks.” concluded Google.

Google is not the only media firm to have imposed a ban on cryptocurrency-related abuses. Twitter recently announced a ban on cryptocurrency-related ads on its platform, and in January Facebook banned all ads promoting cryptocurrency-related initiatives, including Bitcoin and ICOs.


New Bill in Georgia Could Criminalize Security Research
3.4.2018 securityweek Cyber

A new bill passed by the Georgia State Senate last week deems all forms of unauthorized computer access as illegal, thus potentially criminalizing the finding and reporting of security vulnerabilities.

The new bill, which met fierce opposition from the cybersecurity community ever since it first became public, amends the Georgia code that originally considered only unauthorized computer access with malicious intent to be a crime.

“Any person who intentionally accesses a computer or computer network with knowledge that such access is without authority shall be guilty of the crime of unauthorized computer access,” the bill reads (Senate Bill 315).

“Any person convicted of computer password disclosure or unauthorized computer access shall be fined not more than $5,000.00 or incarcerated for a period not to exceed one year, or both punished for a misdemeanor of a high and aggravated nature,” the bill continues.

The original code only made a crime out of the access of a computer or computer network without authority and with the intention of tampering with applications or data; interfering with the use of a computer program or data; or causing the malfunction of the computer, network, or application.

The main issue with the bill is that it does little to protect security researchers who find and responsibly disclose vulnerabilities.

In fact, it is possible that the new bill was created because a security researcher discovered a vulnerability in the Kennesaw State University election systems last year. The flaw was reported ethically and the researcher came clean after being investigated by the FBI.

However, the breach made it to the news and, because the state felt very embarrassed by the incident, the attorney general’s office apparently asked for a law that would criminalize so-called “poking around.”

“Basically, if you’re looking for vulnerabilities in a non-destructive way, even if you’re ethically reporting them—especially if you’re ethically reporting them—suddenly you’re a criminal if this bill passes into law,” Scott M. Jones from Electronic Frontiers Georgia pointed out.

The Electronic Frontier Foundation has already called upon Georgia Gov. Nathan Deal to veto the bill as soon as possible. The foundation also points out that S.B. 315 doesn’t ensure that security researchers aren’t targeted by overzealous prosecutors for finding vulnerabilities in networks or computer programs.

EFF also points out that, while Georgia has been a hub for cybersecurity research until now, all of that might change with the adoption of the new bill. Cyber-security firms and other tech companies might no longer find Georgia welcoming and could consider relocating to states that are less hostile to security research.

“S.B. 315 is a dangerous bill with ramifications far beyond what the legislature imagined, including discouraging researchers from coming forward with vulnerabilities they discover in critical systems. It’s time for Governor Deal to step in and listen to the cybersecurity experts who keep our data safe, rather than lawmakers looking to score political points,” EFF notes.

The infosec community has already reacted to the passing of the bill, calling for a veto and pointing out not only that search engines such as Shodan could become illegal in Georgia, but also that security talent is highly likely to migrate to other states.

Professor Andy Green
@secprofgreen
recruitment of georgia security talent to other states is already starting to happen.@GovernorDeal please veto #sb315#gapol https://twitter.com/alexhutton/status/980116433265987584 …

6:53 PM - Mar 31, 2018

Stephen Gay
@redpalmetto
@secprofgreen - Will the automated scanning and inventory of vulnerable devices within the State of Georgia be illegal after #SB315 is signed into law? @shodanhq

12:30 PM - Mar 30, 2018
Others, however, suggest that some researchers could turn to “irresponsible disclosure” instead.

Robᵉʳᵗ Graham 🤔
@ErrataRob
30 Mar
So Georgia just passed a bill making unauthorized, but well meaning (no damage or theft) access to a computer illegal, meaning anybody noticing a vuln on a website can be sent to jail for up to a year.

Dodge This Security
@shotgunner101
All this will do is force those living in georgia who would have done responsible disclosure to do irresponsible disclosure under an alternative identity. It will still happen just not in the above board well structured way we see now.

8:45 AM - Mar 30, 2018


Saks, Lord & Taylor Stores Hit by Data Breach
3.4.2018 securityweek CyberCrime

A data breach at Saks Fifth Avenue and Lord & Taylor stores in North America exposed customer payment card data, parent company Hudson's Bay Company (HBC) announced on Sunday.

The hack, which also impacted its discount store brand Saks OFF 5TH, did not appear to affect HBC’s e-commerce or other digital platforms.

“We identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores,” the announcement said. “We are working rapidly with leading data security investigators to get our customers the information they need, and our investigation is ongoing. We also are coordinating with law enforcement authorities and the payment card companies,” it added.

According to cybersecurity research and threat intelligence firm Gemini Advisory, a cybercrime marketplace called JokerStash announced that over five million stolen credit and debit cards were for sale, which it says were likely stolen from HBC’s stores.

“In cooperation with several financial organizations, we have confirmed with a high degree of confidence that the compromised records were stolen from customers of Saks Fifth Avenue and Lord & Taylor stores,” Gemini said in a blog post, adding that the window of compromise was estimated to be May 2017 to present.

As of Sunday, roughly 125,000 records had been released for sale so far, Gemini said, with the “entire cache” expected to become available in the following months.

HBC did not provide details on the number of customers/records impacted in the incident.

“The Company is working rapidly with leading data security investigators to get customers the information they need, and the investigation is ongoing. HBC is also coordinating with law enforcement authorities and the payment card companies,” HBC said.

“The details of how these cards were stolen remains unclear at this time, but it’s important that we learn what happened so that others can work to prevent similar breaches," commented Tim Erlin, VP, product management and strategy at Tripwire. "This appears to be the type of breach, through point-of-sale systems, that EMV is supposed to prevent, so we need to ask what happened here. Was EMV in use, and if so, how did the attackers circumvent it?"

News of HBC’s breach comes days after sports gear maker Under Armour said that its fitness application had suffered a data breach affecting approximately 150 million user accounts.


njRAT Gets Ransomware, Crypto-Currency Stealing Capabilities
3.4.2018 securityweek Cryptocurrency

An updated version of the njRAT remote access Trojan (RAT) is capable of encrypting files and stealing virtual currencies from crypto-wallets, Zscaler warns.

Also known as Bladabindi, njRAT has been around since at least 2013 and is one of the most prevalent malware families. Built in .NET Framework, the malware provides attackers with remote control over the infected systems, utilizes dynamic DNS for command-and-control (C&C), and uses a custom TCP protocol over a configurable port for communication.

Dubbed njRAT Lime Edition, the new malware variant includes support for ransomware infection, a Bitcoin grabber, and distributed denial of service (DDoS), while also being able to log keystrokes, spread via USB drives, steal passwords, and lock the screen.

The malware gets a list of running processes on the victim’s machine and uses it to track crypto wallets. Because these store digital currency and may also be connected to the users’ bank accounts, debit cards, or credit cards, it’s no surprise they are of interest to cybercriminals.

Once it has infected a system, the malware also checks for virtual machines and sandbox environments, Zscaler's researchers say. It also gathers large amounts of system information: system name, user name, Windows version and architecture, presence of a webcam, active window, CPU, video card, memory, volume information, installed antivirus, and infection time.

Additionally, the threat monitors the system for specific security-related processes and attempts to kill them to avoid detection.

The new njRAT iteration can also launch ARME and Slowloris DDoS attacks, the security researchers say. The Slowloris tool allows a single machine to take down a server with minimal bandwidth while attempting to keep many connections to the target web server open. ARME attacks also attempt to exhaust the server memory.

Upon receiving commands from the C&C, the malware can delete Chrome cookies and saved logins, turn off the monitor, use TextToSpeech to announce text received from the C&C, restore normal mouse button functionality, enable the task manager, change the wallpaper, log keystrokes from the foreground window, share and download files via torrent software, and start Slowloris attacks.

It can also drop and show a ransom note, restart the computer, disable command prompt, delete event logs, stop Bitcoin monitor thread, start the botkiller thread, send system information (CPU/GPU/RAM), check installed Bitcoin wallets and send the information to C&C, and load a plugin and configure it with the C&C server.

njRAT also includes worm-like spreading capabilities. It can monitor the system for connected USB drives and can copy itself to them, while also creating a shortcut to itself using the folder icon.

The malware’s ransomware functionality encrypts users’ files and adds the .lime extension to them. The malware uses the AES-256 symmetric algorithm for encryption, meaning that the same key can be used for decryption as well.

“When Lime is first launched, it will call a RandomString() function, which will attempt to generate an AES key. It generates a 50-byte array from the input string using a random index, and uses the random() function to fetch one character and stores it to the output string,” Zscaler explains.

The function to decrypt the files encrypted by the Lime ransomware is included in the malware itself, the security researchers have discovered.


HiddenMiner Android Cryptocurrency miner can brick your device
3.4.2018 securityaffairs Cryptocurrency

Researchers at Trend Micro recently discovered a new strain of Android miner dubbed ANDROIDOS HIDDENMINER that can brick infected devices.
Crooks are looking with increasing interest at cryptocurrency mining malware developed for mobile devices.

Researchers at Trend Micro recently discovered a new strain of Android malware dubbed ANDROIDOS HIDDENMINER that abuses the device CPU to mine the Monero cryptocurrency.

HiddenMiner also implements evasion techniques: it is able to bypass automated analysis by checking whether it is running in a virtualized environment, abusing an Android emulator detector found on GitHub.

“We uncovered a new Android malware that can surreptitiously use the infected device’s computing power to mine Monero. Trend Micro detects this as ANDROIDOS_HIDDENMINER.” reads the analysis published by Trend Micro.

“This Monero-mining Android app’s self-protection and persistence mechanisms include hiding itself from the unwitting user and abusing the Device Administrator feature (a technique typically seen in SLocker Android ransomware).”

The experts were able to find the Monero mining pools and wallets connected to the HiddenMiner malware, they learned that one of its operators withdrew 26 XMR (or US$5,360 as of March 26, 2018) from one of the wallets. This information suggests that the operators are currently active.


HiddenMiner abuses the device’s CPU power to mine Monero. Unfortunately, the computational load is so heavy that the CPU can overheat, causing the device to lock, fail, and be permanently damaged.

“There is no switch, controller or optimizer in HiddenMiner’s code, which means it will continuously mine Monero until the device’s resources are exhausted.” continues the analysis.

“Given HiddenMiner’s nature, it could cause the affected device to overheat and potentially fail.”

This behavior was already observed in the past: the Loapi Monero-mining malware caused a device’s battery to bloat.

HiddenMiner, like Loapi, locks the device screen when its device administration permissions are revoked.

The ANDROIDOS HIDDENMINER is currently being delivered through a fake Google Play update app; experts found it on third-party app marketplaces.

The miner is mainly affecting users in India and China, but experts fear it could rapidly target other countries.

Malware developers are abusing the Device Administration permission; experts pointed out that users can’t uninstall an active device admin package until its device administrator privileges are removed first.

Victims of HiddenMiner cannot remove the miner from the device administrators list, as it employs a trick to lock the device’s screen when a user tries to deactivate its device administrator privileges. Experts explained that it exploits a vulnerability found in Android operating systems except for Nougat and later versions.

“Indeed, HiddenMiner is yet another example of how cybercriminals are riding the cryptocurrency mining wave.” concluded Trend Micro. “For users and businesses, this reinforces the importance of practicing mobile security hygiene: download only from official app marketplaces, regularly update the device’s OS (or ask the original equipment manufacturer for their availability), and be more prudent with the permissions you grant to applications.”


Would Facebook and Cambridge Analytica be in Breach of GDPR?
2.4.2018 securityweek Privacy

The Cambridge Analytica (CA) and Facebook accusations over the U.S. 2016 presidential election campaign, and to a lesser extent between CA and the UK's Brexit VoteLeave campaign, are -- if proven true -- morally reprehensible. It is not immediately clear, however, whether they are legally reprehensible. The matter is currently under investigation on both sides of the Atlantic.

On March 26, both Apple and IBM called for more regulatory oversight on the use of personal data. "I'm personally not a big fan of regulation because sometimes regulation can have unexpected consequences to it, however I think this certain situation is so dire, and has become so large, that probably some well-crafted regulation is necessary," said Apple chief Tim Cook on March 24, 2018.

"If you're going to use these technologies, you have to tell people you're doing that, and they should never be surprised," IBM chief executive Rometty said on March 26, 2018. "(We have to let) people opt in and opt out, and be clear that ownership of the data does belong to the creator," she said.

Such regulatory oversight already exists in Europe under national data protection laws, and this will potentially become global when the European General Data Protection Regulation (GDPR) comes into effect on May 25, 2018. The question is whether Facebook and/or CA would have been in breach of GDPR were it already operational, and therefore whether GDPR will prevent any future repetitions of this sort.

"From Facebook's perspective," MacRoberts LLP senior partner David Flint told SecurityWeek, "the only good point is that the maximum fine under the [current UK] Data Protection Act is £500,000; after 25 May 2018 it would be 4% of Facebook worldwide turnover ($40bn in 2017) -- a potential $1.6bn fine! That's before damages claims."

Cambridge Analytica is an offshoot of SCL, formerly Strategic Communications Laboratories (a private British behavioral research and strategic communication company), and was specifically formed to target the U.S. presidential elections.

The user profile collection

At this stage we have to stress that everything is just a combination of accusation and denial, with nothing yet proven in a court of law. Nevertheless, the accusation is that a Cambridge University academic, Dr. Aleksandr Kogan, developed a Facebook personality quiz app (called 'thisisyourdigitallife') that collected data from some 270,000 app users on Facebook; and also collected their friends' data. Kogan's firm was known as Global Science Research (GSR).

Concerns about the relationship between Facebook user data, GSR, CA, and the U.S. presidential election are not new. In December 2015, the Guardian reported, "Documents seen by the Guardian have uncovered longstanding ethical and privacy issues about the way academics hoovered up personal data by accessing a vast set of US Facebook profiles, in order to build sophisticated models of users' personalities without their knowledge."

The user profiles were at least partly gathered through the process of 'turking' via the Amazon service, the Mechanical Turk. GSR reportedly paid Turkers $1 or $2 to install an app that would "download some information about you and your network … basic demographics and likes of categories, places, famous people, etc. from you and your friends."

An important element of the evolving story is that while it could be argued that the original turkers and anyone who installed Kogan's app had given implied consent to the collection of their personal data, their friends had almost certainly not; nor it seems did anyone give permission for that personal data to be used for political purposes in the presidential election via a third-party, namely Cambridge Analytica.

The scandal

The scandal did not reach public proportions until March 2018 following new reports from the New York Times and the Guardian, and a video interview between CA whistleblower Christopher Wylie and the Guardian. Wylie revealed that "personal information was taken without authorization in early 2014 to build a system that could profile individual US voters in order to target them with personalized political advertisements."

Public awareness was suddenly so high that Facebook -- the ultimate source of the user profiles -- saw an immediate and dramatic drop in its share value. Since March 16, Facebook has lost approximately $80 billion in value (at the time of writing), the FTC has announced an investigation into Facebook's privacy practices, Mark Zuckerberg, Facebook's co-founder and CEO, agreed to testify before Congress (but declined to appear in person before UK lawmakers), and the UK's data protection regulator (the Information Commissioner's Office) has raided CA's offices.

Incidentally, Facebook and CA are also included in an ongoing but lower profile investigation into possible manipulation of the Brexit referendum vote. Speaking before a UK parliamentary select committee this week, Wylie claimed that CA had been involved in the Brexit referendum and that, in his view, the result had been obtained by 'fraud' and 'cheating'.

Cambridge Analytica's alleged involvement in the U.S. election has been known since at least 2015. Facebook made some minor changes to its policies and requested that Kogan and CA delete all gathered user data. It says it believed that had happened -- but if Wylie's accusations are true, that could not have happened.

It is only in March 2018, following the dramatic drop in share value, that Facebook has responded seriously. On March 16, Facebook VP and deputy general counsel Paul Grewal announced, "We are suspending SCL/Cambridge Analytica, [whistleblower] Wylie and Kogan from Facebook, pending further information." One day later he added, "Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent. People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked." The claim that 'everyone involved gave their consent' is open to debate.

On March 2, Facebook founder Mark Zuckerberg published a personal apology together with news that Facebook would dramatically rein in the amount of personal data that apps can collect. "We will reduce the data you give an app when you sign in -- to only your name, profile photo, and email address. We'll require developers to not only get approval but also sign a contract in order to ask anyone for access to their posts or other private data. And we'll have more changes to share in the next few days."

Nevertheless, two things stand out. Facebook, CA and Aleksandr Kogan all claim they have done nothing illegal -- and it is only after the incident affected Facebook's bottom line that it has begun to take serious action. It is against this background that Tim Cook has called for "some well-crafted regulation".

GDPR

The EU's General Data Protection Regulation (GDPR) was drafted precisely to protect personal information from misuse. GDPR is already enacted and due to come into force on May 25, 2018. The question is whether this regulation would provide the future oversight called for by Apple and IBM.

"Absolutely," says Thycotic's chief security scientist Joseph Carson. "This is exactly why EU GDPR has been put in place to protect EU citizens' personal information and ensure that companies have explicit consent to use personal data. Let's think about this - if only the data breach (aka trust) had occurred after May 25th, 2018, and if any of the 50 million impacted users had been EU citizens, Facebook would have been facing a potential whopping $1.6 billion financial penalty from the EU. I believe that would change Facebook's priority on ensuring data is not being misused. This is going to be an example on what could have been if GDPR was enforced."

It could be claimed that GDPR would still fail as a regulation because the impacted users are, ostensibly, all North American. "GDPR applies to the data for any EU resident," comments Nathan Wenzler, chief security strategist at AsTech. "For example, if a U.S. citizen was residing in an EU country, their data would be governed under GDPR when it goes into effect. Citizenship is not the criteria used to determine application of GDPR. Residency is, though, and that makes it far more complicated for companies to determine which of the individual records they have are or are not under the mandates of GDPR."

Dov Goldman, Vice President, Innovation and Alliances at Opus, is even more forthright. "The GDPR privacy rules do not protect non-EU citizens," he told SecurityWeek. "If Facebook can prove that the data released to Cambridge Analytica only contained PII of US persons, Facebook would likely not face any liability under GDPR. There are U.S. regulations that protect Americans' financial data, but not their personal data (PII), for now."

It's not that clear cut. While the common perception is that GDPR is designed to protect people within the EU (or perhaps the slightly larger European Economic Area), Recital 14 states: "The processing of personal data is designed to serve man; the principles and rules on the protection of individuals with regard to the processing of their personal data should, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably their right to the protection of personal data."

GDPR is principle-based legislation. Interpretation of the details will be left to the courts to decide, based on their understanding of the intent of the lawmakers. It is, therefore, not entirely clear at this stage whether 'whatever the nationality' means European nationality or global nationality.

David Flint has no doubts. "GDPR would apply (were it in force) to any processing of data carried out by Cambridge Analytica, even if only of US nationals, by virtue of Article 3.1 of the GDPR (Data Controller / Processor based in EU)," he told SecurityWeek. "Article 2 (processing by automated means) would also be relevant." In this view, GDPR is about the processing of personal data, not the nationality of the data subject.

Under GDPR, responsibility is primarily with the data controller, and that responsibility cannot be off-loaded to the data processor. "It is difficult to see how Facebook would not be considered as a Data Controller (or perhaps Controller in Common with Cambridge Analytica)," continued Flint, "given that it collected the data, and/or permitted CA to do so, provided the platform APIs which allowed the data collection and mining; and carried out automatic mass profiling."

There is little doubt that Cambridge Analytica, as a UK company gathering and processing personal data from a firm (Facebook) that operates within the EU, would be considered liable under GDPR. Key to this would be the consent issue. It will be argued that by downloading and installing Kogan's app, users gave consent for their data to be used and shared; and that in allowing their data to be shared among friends on Facebook, the friends also gave consent.

This argument won't pass muster. GDPR says, "'the data subject's consent' shall mean any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data relating to him being processed." It is unlikely that even the app downloaders were giving free and informed consent for their personal data to be profiled for political purposes in the U.S. presidential election.

As at least co-controllers with Cambridge Analytica, it is difficult then to see how Facebook would not also be drawn into the issue.

Will GDPR provide the regulation/oversight sought by Apple and IBM?

In the final analysis, Facebook's liability under GDPR for the misuse of users' personal data by Cambridge Analytica will partly come down to an interpretation of whether the legislation covers non-EU subjects. If a single affected user was living in or passing through the EU at the time, there would be no ambiguity. However, in the end, the interpretation will be done by the courts -- although it is worth noting that the European MEP who drove through GDPR as its rapporteur (Jan Philipp Albrecht) has made it clear that he sees GDPR as changing privacy practices throughout the world for all people.

Where there is little ambiguity, however, is that Facebook's processing and privacy practices fell short of that required by GDPR. These requirements do not rely on the nationality or residency of the data subject.

GDPR could well provide the basis of global oversight of large company privacy practices; but we may have to wait until the courts start to interpret the finer details. In the meantime, all companies should carefully consider what happens to the personal data they collect and share. It is possible that sharing or selling that data to a third-party not specified at the time of collection will prove a breach of GDPR.


Cloudflare Launches Free Secure DNS Service
2.4.2018 securityweek Safety

Cloudflare Launches Globally Available Secure Free DNS Resolver

Cloudflare launched a new free service, designed to improve both the speed and the security of the internet, on April Fool's Day (4/1/2018). But this is no joke. The idea is that 4/1 is, in geek terms, four ones, or 1.1.1.1 -- the name and heart of the new service.

1.1.1.1 (and 1.0.0.1) is the address of Cloudflare's new, globally available, free DNS resolver service. It is similar to, but according to Cloudflare faster and more secure than, Google's 8.8.8.8 service. Both address speed and security issues in the standard internet DNS look-up process. The biggest problem is security, because DNS lookups are primarily controlled by ISPs; ISPs are commercial organizations seeking to monetize data, and are often heavily controlled or influenced by governments.

In the U.S., ISPs are allowed to sell customer data -- including website visits -- to marketing firms. In the UK, ISPs are required by law to record and hand over such customer data to law enforcement, intelligence and other government agencies. In Turkey, in 2014, the Turkish government censored Twitter by getting ISPs to block DNS requests for twitter.com -- and activists took to the streets to spray paint Google's 8.8.8.8 DNS service as a workaround. Turkey has a history of using the DNS system for censorship, including a block on Wikipedia in April 2017.

Google's service is good and fast, and bypasses ISP instigated blocks, but user data is still available to Google. Cloudflare wants to provide an even faster service, but one where no commercial entity can easily monetize the user data, nor government gain access without a court order. Since the firm is committed to never writing that data to disk, and to wiping all log records within 24 hours (to be independently audited by KPMG with a published public report) there will be little historical data available anyway.

"Cloudflare's business has never been built around tracking users or selling advertising," blogged Matthew Prince, co-founder and CEO of Cloudflare, on Sunday. "We don't see personal data as an asset; we see it as a toxic asset." Cloudflare retains the log data for a maximum of 24 hours for abuse prevention and debugging issues.

“We think it’s creepy that user data is sold to advertisers and used to target consumers without their knowledge or consent,” said Prince. “Frankly, we don’t want to know what people do on the Internet -- it’s none of our business -- and we’ve designed 1.1.1.1 to ensure that we, along with ISPs around the world, can’t.”

The insecurity of the DNS infrastructure struck the team at Cloudflare, he says, as a bug at the core of the Internet, "so we set out to do something about it." The firm decided to combine a DNS Resolver with its existing Authoritative DNS service across its worldwide network, but still needed some memorable IP addresses.

Little could be more memorable than 1.1.1.1. This address was held by the APNIC research group, which agreed to provide it to the new service. "We began testing and found that a resolver, running across our global network, outperformed any of the other consumer DNS services available (including Google's 8.8.8.8)," says Prince.

1.1.1.1 is primarily a consumer service (the IPv6 numbers are 2602:4700:4700::1111 and 2602:4700:4700::1001). Technical details are provided in a separate blog written by director of engineering, Olafur Gudmundsson. The service uses DNS Query Name Minimization defined in RFC7816 to minimize the data sent, and supports privacy-enabled TLS queries on port 853 (DNS over TLS), "so," he writes, "we can keep queries hidden from snooping networks."

Furthermore, he adds, "by offering the experimental DoH (DNS over HTTPS) protocol, we improve both privacy and a number of future speedups for end users, as browsers and other applications can now mix DNS and HTTPS traffic into one single connection."
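The three mechanisms named above (QNAME minimization, DNS over TLS on port 853, and DNS over HTTPS) all shape what a resolver puts on the wire. The following Python script is an added illustration, not Cloudflare's or Knot Resolver's code: it builds a DNS query in wire format, shows the RFC 7816 minimized query sequence a resolver would send instead of revealing the full name to every server, and shows how the same message is framed for DNS over TLS (RFC 7858, 2-byte length prefix) and for the DoH GET form (base64url-encoded query in a `dns` parameter, as later standardized in RFC 8484 from the experimental protocol the article mentions). The `/dns-query` path is an assumption used as a placeholder, and a real resolver starts the minimized sequence from its closest cached delegation rather than from the root every time.

```python
"""Added example: how a privacy-conscious stub resolver shapes its DNS queries.
Not the code of any resolver named in the article; offline and self-contained."""
import base64
import random
import struct
from typing import List, Optional, Tuple

DOT_PORT = 853  # DNS over TLS port named in the article (RFC 7858)
DOH_PATH = "/dns-query"  # assumption: placeholder DoH endpoint path
QTYPE = {"A": 1, "NS": 2, "AAAA": 28}


def encode_name(name: str) -> bytes:
    """Encode a domain name in DNS wire format: length-prefixed labels, root = 0x00."""
    labels = [lbl for lbl in name.rstrip(".").split(".") if lbl]
    out = b""
    for label in labels:
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:  # RFC 1035 label length limit
            raise ValueError(f"bad label length: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, qtype: str = "A", txid: Optional[int] = None) -> bytes:
    """Build a standard recursive query: RFC 1035 header plus one IN-class question.
    A random transaction ID makes blind response spoofing harder; DoH callers
    pass txid=0 so identical queries produce identical, cacheable URLs."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    flags = 0x0100  # RD=1 (recursion desired), everything else zero
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)  # QDCOUNT=1
    question = encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)  # class IN
    return header + question


def parse_question(msg: bytes) -> Tuple[int, str, int]:
    """Parse (txid, qname, qtype) back out of a query message (no compression
    pointers, which never appear in a query's first question)."""
    txid = struct.unpack("!H", msg[:2])[0]
    pos, labels = 12, []
    while True:
        ln = msg[pos]
        pos += 1
        if ln == 0:
            break
        labels.append(msg[pos:pos + ln].decode("ascii"))
        pos += ln
    qtype = struct.unpack("!H", msg[pos:pos + 2])[0]
    return txid, ".".join(labels) + ".", qtype


def minimised_queries(name: str, final_qtype: str = "A") -> List[Tuple[str, str]]:
    """RFC 7816 QNAME minimization: reveal one label at a time, asking each zone
    only for NS of the next label, and send the full name only to the zone that is
    authoritative for it. (A real resolver starts from its closest cached delegation.)"""
    labels = name.rstrip(".").split(".")
    seq = [(".".join(labels[i:]) + ".", "NS") for i in range(len(labels) - 1, 0, -1)]
    seq.append((name.rstrip(".") + ".", final_qtype))
    return seq


def dot_frame(msg: bytes) -> bytes:
    """DNS over TLS (RFC 7858): inside the TLS stream to port 853 each message is
    prefixed with its 2-byte big-endian length, exactly like DNS over TCP."""
    return struct.pack("!H", len(msg)) + msg


def doh_get_path(msg: bytes) -> str:
    """DoH GET form (RFC 8484): the wire-format query, base64url without padding,
    carried in the 'dns' query parameter."""
    b64 = base64.urlsafe_b64encode(msg).rstrip(b"=").decode("ascii")
    return f"{DOH_PATH}?dns={b64}"


if __name__ == "__main__":
    for qname, qtype in minimised_queries("www.example.com"):
        print(f"{qtype:<4} {qname}")
    q = build_query("example.com", "A", txid=0)
    print(parse_question(q))
    print(dot_frame(q).hex())
    print(doh_get_path(q))
```

Run the script to see the minimized sequence (`NS com.`, `NS example.com.`, then `A www.example.com.`) alongside the DoT frame and DoH URL for the same query; the point of the two framings is that the identical DNS message travels inside TLS either way, so an on-path network sees only the TLS connection to the resolver, not the names being looked up.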

Cloudflare is working with major browsers, operating systems, app manufacturers, cloud platforms, and router manufacturers to enable DNS over HTTPS. Mozilla is already working to integrate the standard into its Firefox browser:

“Like Cloudflare, Mozilla cares about making the Internet faster and more privacy-conscious so people have a better experience on the web,” says Selena Deckelmann, senior director of engineering, Firefox Runtime at Mozilla. “We are always looking for new technologies like DNS over HTTPS to ensure Firefox is at the cutting edge of speed, privacy and improving life online.”

The resolver is built on the fairly new open source Knot Resolver from CZ NIC -- whose original main developer has been working with Cloudflare for more than two years.

The service uses Cloudflare's 149 data centers distributed around the world. "In March alone, we enabled thirty-one new data centers globally," as far apart as Pittsburgh and Houston, Reykjavik and Tallinn, and Edinburgh and Bogota, notes Gudmundsson; "and just like every other city in our network, new sites run DNS Resolver, 1.1.1.1 on day-one!"

San Francisco, CA-based Cloudflare was founded in 2009. It has raised a total funding amount of $182,050,000 -- the most recent being $110 million Series D funding led by Fidelity Investments in September 2015. It routes traffic through its own global network, blocking DoS attacks, reducing spam and improving performance.


After Cambridge Analytica scandal Facebook announces Election security Improvements
2.4.2018 securityaffairs
Social

After Cambridge Analytica case, Facebook announced security improvements to prevent future interference with elections.
Facebook is under fire after the revelations of the Cambridge Analytica case and its alleged role in interference with the 2016 US presidential election.

While analysts question whether other events, including the Brexit vote, were also targeted, Facebook is now looking to prevent such operations against any election.

Guy Rosen, Facebook VP of Product Management, said that everyone shares responsibility for preventing this kind of attack on democracy and announced the significant effort Facebook will put into it.

“By now, everyone knows the story: during the 2016 US election, foreign actors tried to undermine the integrity of the electoral process. Their attack included taking advantage of open online platforms — such as Facebook — to divide Americans, and to spread fear, uncertainty and doubt,” said Guy Rosen.

“Today, we’re going to outline how we’re thinking about elections, and give you an update on a number of initiatives designed to protect and promote civic engagement on Facebook.”

Facebook plans to improve the security of elections in four main areas: combating foreign interference, removing fake accounts, increasing ads transparency, and reducing the spread of false news.

Alex Stamos, Facebook’s Chief Security Officer, added that the company has always fought “fake news,” explaining that the term is used to describe many malicious activities, including:

Fake identities: when an actor conceals their identity or takes on the identity of another group or individual;
Fake audiences: using tricks to artificially expand the audience or the perception of support for a particular message;
False facts: the assertion of false information; and
False narratives: intentionally divisive headlines and language that exploit disagreements and sow conflict. This is the most difficult area, as different news outlets and consumers can have completely different views on what an appropriate narrative is even if they agree on the facts.
“When you tease apart the overall digital misinformation problem, you find multiple types of bad content and many bad actors with different motivations.” said Alex Stamos.

“Once we have an understanding of the various kinds of “fake” we need to deal with, we then need to distinguish between motivations for spreading misinformation. Because our ability to combat different actors is based upon preventing their ability to reach these goals.” said Stamos.

“Each country we operate in and election we are working to support will have a different range of actors with techniques customized for that specific audience. We are looking ahead, by studying each upcoming election and working with external experts to understand the actors involved and the specific risks in each country.”

Stamos highlighted the importance of profiling the attackers, distinguishing profit-motivated organized groups, ideologically motivated groups, state-sponsored actors, people who simply enjoy causing chaos and disruption, and groups with mixed motivations.

Facebook is working to distinguish between motivations for spreading misinformation and implement the necessary countermeasures.


Currently, Facebook already spends a significant effort in combatting fake news and any interference with elections.

Samidh Chakrabarti, Product Manager at Facebook, explained that the social media giant currently blocks millions of fake accounts each day, with a specific focus on Pages created to spread inauthentic civic content.

Chakrabarti explained that the number of Pages and domains used to share fake news is increasing; in response, Facebook is doubling the number of people working on safety issues from 10,000 to 20,000. Much of this work is only possible thanks to machine learning systems.

“Over the past year, we’ve gotten increasingly better at finding and disabling fake accounts. We’re now at the point that we block millions of fake accounts each day at the point of creation before they can do any harm.” said Chakrabarti.

“Rather than wait for reports from our community, we now proactively look for potentially harmful types of election-related activity, such as Pages of foreign origin that are distributing inauthentic civic content. If we find any, we then send these suspicious accounts to be manually reviewed by our security team to see if they violate our Community Standards or our Terms of Service. And if they do, we can quickly remove them from Facebook. “

Facebook is a business that needs to grow its profits, and ads are central to that, so ad transparency is part of the plan.

Facebook is building a new transparency feature for the ads on the platform, dubbed View Ads, that is currently in testing in Canada. View Ads allows anyone to view all the ads that a Facebook Page is running on the platform.

“You can click on any Facebook Page, select About, and scroll to View Ads,” explained Rob Leathern, Product Management Director.

“Next we’ll build on our ads review process and begin authorizing US advertisers placing political ads. This spring, in the run up to the US midterm elections, advertisers will have to verify and confirm who they are and where they are located in the US,”

This summer, Facebook will launch a public archive with all the ads that ran with a political label.


VPNs & Privacy Browsers leak users’ IPs via WebRTC
2.4.2018 securityaffairs Safety

The security researcher Dhiraj Mishra (@mishradhiraj_) has studied how VPNs and privacy browsers leak users’ IPs via WebRTC.
Hi Internet,
You might have heard about VPNs and privacy browsers leaking users’ IPs via WebRTC [1] [2].
Summary:
Got CVE-2018-6849 reserved and wrote a Metasploit module for this issue which uses WebRTC and collects the leaked private IP address; this module may also be implemented as a new library (in browser_exploit_server.rb) in MSF. #cheers

What is WebRTC?
WebRTC (Web Real-Time Communication) provides web browsers with real-time communication via a JavaScript API. So let’s get started. There are multiple online services and JavaScript snippets available which use WebRTC functions. Even if you are using a VPN or a privacy-based browser, it leaks your actual public and private IP addresses. I think this is more of a privacy issue than a security issue if we talk specifically about browser-based bug bounty; however, such information can help an attacker do further recon/attacks if they are on the same network. Most browsers have WebRTC enabled by default.

Mozilla Team says:

This is a well-known property of webrtc – see the duplicate bug.
http://tools.ietf.org/html/draft-ietf-rtcweb-security-arch-07#section-5.4
Chrome Team says :
We’ve already done what we plan to do, following the guidelines in https://tools.ietf.org/html/draft-ietf-rtcweb-ip-handling-04. And we offer a “Network Limiter” extension (https://chrome.google.com/webstore/detail/webrtc-network-limiter/npeicpdbkakmehahjeeohfdhnlpdklia?hl=en) to turn on more restrictive modes.
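The collector side of the check described above, as an added Python example that is not the author’s Metasploit module: a page creates an RTCPeerConnection against a STUN server and posts the ICE candidate strings the browser generates back to a server, and this code parses those strings (grammar per RFC 5245/8445) and separates the private host addresses from the public server-reflexive address the STUN server observed. The candidate lines are constructed for the example; the `.local` branch handles the mDNS host-candidate obfuscation browsers introduced after this report, which is the caveat a tester should expect on current browsers.

```python
"""Added example (not the author's MSF module): classify the ICE candidates a
browser hands to a page.  Candidate lines below are constructed."""
import ipaddress
import re

# candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type> [extensions]
CANDIDATE_RE = re.compile(
    r"^(?:a=)?candidate:(?P<foundation>\S+)\s+(?P<component>\d+)\s+(?P<transport>\S+)\s+"
    r"(?P<priority>\d+)\s+(?P<address>\S+)\s+(?P<port>\d+)\s+typ\s+(?P<typ>\S+)(?P<rest>.*)$")


def parse_candidate(line):
    """Return the candidate fields as a dict, or None if the line is not a candidate."""
    m = CANDIDATE_RE.match(line.strip())
    if not m:
        return None
    cand = m.groupdict()
    cand["port"] = int(cand["port"])
    rest = cand.pop("rest").split()
    # trailing extensions are key/value pairs: raddr/rport for srflx and relay, generation, ufrag...
    cand.update({rest[i]: rest[i + 1] for i in range(0, len(rest) - 1, 2)})
    return cand


def classify_address(addr):
    """What knowing this address tells the page's operator."""
    if addr.endswith(".local"):
        return "mdns"          # host candidate hidden behind an mDNS name: nothing leaked
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"
    if ip.is_loopback or ip.is_link_local:
        return "local"
    return "private" if ip.is_private else "public"


def summarise_leak(lines):
    """Group every address found by what it reveals: 'host' candidates carry the
    interface addresses (LAN IPs, or the VPN tunnel IP), 'srflx' candidates carry
    the public address the STUN server saw, i.e. the real egress IP when WebRTC
    traffic bypassed the VPN, and their raddr repeats the host address."""
    result = {}
    for line in lines:
        cand = parse_candidate(line)
        if cand is None:
            continue
        addresses = [cand["address"]]
        if cand["typ"] in ("srflx", "relay") and cand.get("raddr", "0.0.0.0") != "0.0.0.0":
            addresses.append(cand["raddr"])     # browsers zero raddr when hiding host addresses
        for addr in addresses:
            result.setdefault(classify_address(addr), set()).add(addr)
    return {kind: sorted(addrs) for kind, addrs in result.items()}


# Constructed candidates: a LAN interface, a VPN tunnel interface, the STUN-observed
# public address, an mDNS-obfuscated host candidate and a line that is not a candidate.
SAMPLE_CANDIDATES = [
    "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0",
    "candidate:3 1 udp 2122194687 10.8.0.6 61234 typ host generation 0",
    "candidate:2 1 udp 1686052607 77.88.99.1 54321 typ srflx raddr 192.168.1.23 rport 54321 generation 0",
    "candidate:4 1 udp 2122260223 e1c3a1b2-1f4b-4d7e-9c2a-0b6f2a3c4d5e.local 49152 typ host generation 0",
    "not a candidate line",
]

if __name__ == "__main__":
    for kind, addrs in summarise_leak(SAMPLE_CANDIDATES).items():
        print("%-8s %s" % (kind, ", ".join(addrs)))
```

Feeding real output through this makes the VPN test concrete: with the VPN up, a `public` entry that is not the VPN provider’s exit address, or a `private` entry from the physical LAN next to the tunnel interface, is the leak the article describes.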

Don’t forget Facebook: its in-app WebKit-based browser is vulnerable too.
Facebook Team says :

Hi Dhiraj,

Thank you for your report. We’ve looked into your finding but determined the information being leaked is not sensitive enough to warrant a bounty. We may consider leakage of a victims referrer header, but it would have to display a full and potentially sensitive path. However, we have protections in place which prevent this from happening. Although this finding doesn’t qualify we still appreciate your time and effort sending it in.

Okay, if you’re an Android lover, you would be aware of the Android WebKit. The Android WebKit also leaks the IP address; I tested this on a Nokia 8 running Android 8.1.0 and the issue still exists.

Android Team says:

The Android security team has conducted an initial severity assessment on this report. Based on our published severity assessment matrix (1) it was rated as not being a security vulnerability that would meet the severity bar for inclusion in an Android security bulletin.

Phew! Then what? I started targeting privacy browsers, and the very first browser that came to my mind was DuckDuckGo, which has 1,000,000+ downloads in the Android market. Being a privacy-based browser, WebRTC was enabled there and it leaks your IP address; I reported the same to the DuckDuckGo security team.

Duck Duck Go Team says:
Hi again Dhiraj,

Thank you for trying out the new browser and for sending this report,
including the security team. They’re currently looking into this and
I’ll let you know if any further information is needed.

There’s a similar discussion in the Firefox Focus for Android repository
on GitHub, so we’ll keep an eye on that too:
https://github.com/mozilla-mobile/focus-android/issues/609

Hmmm, cool. Then CVE-2018-6849 was assigned for this issue. However, I kept following up with them but they are taking too long to patch. #Unpatched

Then I thought of creating a module for this; many thanks to Brendan Coles, who helped me with this and suggested that adding it as functionality to an HTTP library would be more useful, as it could be leveraged by existing exploits and info-gathering modules.

Figure: my MSF module running against the DuckDuckGo Privacy Browser (WebRTC IP leak)
In between, RageLtMan also gave his thoughts: “I could actually see a benefit to this being in lib for use by things like #8648. I can inject the separate script ref in the response via the MITM mechanism, but would be cool to just generate and serve the JS directly (for any script we think will have more than 2 weeks of lifetime in browsers). Thanks for the PR”

Outcome:
So let’s see: I started with a private IP leak vulnerability which turned into CVE-2018-6849, which gave rise to a Metasploit module, which will in turn become part of the MSF library.

Now that’s cool. Hope you like the read……
https://datarift.blogspot.it/p/private-ip-leakage-using-webrtc.html
About the Author: Security Researcher Dhiraj Mishra (@mishradhiraj_)


Philippine central bank has thrown an alert after SWIFT hackers hit Malaysia central bank
2.4.2018 securityaffairs Hacking

The Philippine central bank has issued an alert to local financial institutions following a cyber attack against the SWIFT servers at the Malaysian central bank.

According to Bank Negara Malaysia’s governor, the hackers attempted to steal money through fraudulent wire transfers; the good news is that the attack failed.

Bank Negara Malaysia (BNM) confirmed that no funds were lost: the hackers sent fake wire-transfer requests over the SWIFT bank messaging network in an attempt to trick the target bank into transferring the money.

“We issued a general alert reminder as soon as we got BNM advisory to be extra careful over the long holiday. Although banks already do that as SOP (standard operating procedure),” Bangko Sentral ng Pilipinas Governor Nestor Espenilla said in a phone message.

“Information sharing is part of enhanced defensive protocols against cyber-crime.”

At the time of writing, it is still unclear who is behind the attack or how the hackers breached the SWIFT systems used by the bank.

“Bank Negara did not say who was behind the hack or how they accessed its SWIFT servers. The central bank, which supervises 45 commercial banks in Malaysia, said on Thursday there was no disruption to other payment and settlement systems the central bank operates because of the cyber attack.” reported the Straits Times.


Bank Negara said it had taken additional security measures to protect its stakeholders.

“All unauthorised transactions were stopped through prompt action in strong collaboration with SWIFT, other central banks and financial institutions,” it said in a statement.

Philippine banks were also involved in the high-profile 2016 cyber heist in which hackers stole US$81 million from the Bangladesh central bank; at the time the hackers transferred the money into several accounts at Manila-based Rizal Commercial Banking Corp (RCBC) and then laundered it through the local casino industry.
The Philippine central bank fined RCBC a record one billion pesos (US$20 million) in 2016 for failing to prevent the fraudulent transfers.

RCBC maintained that a rogue employee was responsible for the transfers.

Mr Abu Hena Mohd. Razee Hassan, deputy governor of Bangladesh Bank, said the latest attack against the Malaysian central bank showed that the SWIFT platform remained vulnerable.

“After the attack on our central bank, SWIFT took several measures to protect the system globally but yet this is happening, meaning criminals have more ability and more capable weapons,” Mr Razee Hassan told Reuters in Dhaka.

“So this is the time to further improve the financial transfer system globally.”


Airbnb China will share hosts information with the government
2.4.2018 securityaffairs BigBrothers

Airbnb China announced that it will share user data belonging to Chinese users with the Government to comply with national laws and regulations.
Airbnb announced that it will share data belonging to Chinese users with the government. The company is notifying Chinese hosts that it will share guest information with local authorities to comply with national laws and regulations.

According to an email obtained by TechNode, Airbnb hosts with a listing in China were notified by the company by email that their information could be shared with Chinese authorities without further notice starting from 30 March 2018.

“Online short-term rental services operate in a gray area in China, which has strict regulations for hospitality businesses. Guests must check in with a valid ID such as Chinese identification cards or passports and their information is recorded by hotels in a central register operated by local police bureaus.” reads a blog post published by Technode.com.

“For foreign visitors, the rules are even stricter. They need to be registered within 24 hours of arrival into China. If international visitors are not staying at a hotel or guesthouse, they must report to the police and depending on the local regulation, provide documentation such as rental contracts or property titles.”

Figure: copy of the Airbnb China email (source: Technode.com)

Previously, Airbnb hosts submitted guests’ passport details and other required traveler information to the authorities themselves.

Airbnb China implemented a “deactivate my China listing” button to allow hosts to remove their listing.

National laws and regulations require the hotel and lodging industry to share guest data with the government. The Chinese government aims to automate this information sharing so that travelers’ data is directly available to government agencies.

“Like all businesses operating in China, Airbnb China must comply with local laws and regulations,” said Airbnb spokesman Jake Wilczynski. “The information we collect is similar to information hotels in China have collected for decades.”

In China, Airbnb faces tough competition from local companies Xiaozhu and Tujia, both complying with government laws.


Russian Hacker Who Allegedly Hacked LinkedIn and Dropbox Extradited to US
1.4.2018 thehackernews
Social

A Russian man accused of hacking LinkedIn, Dropbox, and Formspring in 2012 and possibly compromising personal details of over 100 million users, has pleaded not guilty in a U.S. federal court after being extradited from the Czech Republic.
Yevgeniy Aleksandrovich Nikulin, 30, of Moscow was arrested in Prague on October 5, 2016, by Interpol agents working in collaboration with the FBI; he was extradited to the United States from the Czech Republic on Thursday and made his first appearance in federal court.
Nikulin's arrest started an extradition battle between the United States and Russia, where he faces significantly lesser criminal charges of stealing $3,450 via WebMoney in 2009; the Czech Republic ruled in favor of the United States.
In the U.S., Nikulin is facing:
3 counts of computer intrusion
2 counts of intentional transmission of information, code, or command causing damage to a protected computer
2 counts of aggravated identity theft
1 count of trafficking in unauthorized access devices
1 count of conspiracy
According to the maximum penalties for each count, Nikulin faces a maximum of 32 years in prison and a massive fine of more than $1 Million.
The U.S. Justice Department accused Nikulin of allegedly hacking into computers belonging to three American social media firms, including LinkedIn, the online cloud storage platform Dropbox and now-defunct social-networking firm Formspring.
Nikulin reportedly gained access to LinkedIn's network between March 3 and March 4, 2012, Dropbox between May 14 and July 25, 2012, and Formspring between June 13 and June 29, 2012.
The hacker allegedly stole accounts of more than 117 Million LinkedIn users and more than 68 Million Dropbox users. Authorities also say that after stealing data from the three companies, Nikulin worked with unnamed co-conspirators to sell the stolen data.
Besides hacking into the three social media firms, the Justice Department also accused Nikulin of allegedly gaining access to credentials belonging to LinkedIn and Formspring employees, which helped him carry out the computer hacks.
Nikulin appeared in federal district court in San Francisco on Friday and pleaded not guilty to the charges against him, The New York Times reported.
"This is deeply troubling behavior once again emanating from Russia," said Attorney General Jeff Sessions in a statement. "We will not tolerate criminal cyber-attacks and will make it a priority to investigate and prosecute these crimes, regardless of the country where they originate."
Judge Jacqueline Scott Corley scheduled Nikulin's next court appearance for status on April 2, 2018, and scheduled a detention hearing for April 4, 2018.


Apple macOS Bug Reveals Passwords for APFS Encrypted Volumes in Plaintext
1.4.2018 thehackernews Apple

A severe programming bug has been found in APFS file system for macOS High Sierra operating system that exposes passwords of encrypted external drives in plain text.
Introduced two years ago, APFS (Apple File System) is a file system optimized for flash and SSD-based storage on macOS, iOS, tvOS and watchOS, and promises strong encryption and better performance.
Discovered by forensic analyst Sarah Edwards, the bug leaves the encryption password for a newly created APFS volume (e.g., a USB drive encrypted with Disk Utility) in the unified logs in plaintext; the same happens when encrypting a previously created but unencrypted APFS volume.
"Why is this a big deal? Well, passwords stored in plaintext can be discovered by anyone with unauthorized access to your machine, and malware can collect log files as well and send them off to someone with malicious intent," Edwards said.

The password for an encrypted APFS volume can be retrieved by filtering the unified log for 'newfs_apfs' messages with the following command in the Terminal:
log stream --info --predicate 'eventMessage contains "newfs_"'
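An added Python example, not from Edwards' write-up, for checking a machine after the fact: `log stream` only shows events from the moment it is started, so for history use `log show --info --predicate 'eventMessage contains "newfs_"'` and feed its output to something like this, which finds newfs_apfs command lines that carry a passphrase and redacts them before the output is shared. The log lines are constructed, and treating the argument after `-S` as the passphrase is an assumption about how the invocation appears in the log, not something the article states.

```python
"""Added example (not from the original write-up): find newfs_apfs invocations in
unified-log output that carry a passphrase on the command line, and redact them.
Log lines are constructed; treating the argument after -S as the passphrase is an
assumption about the logged command line."""
import shlex

PASSPHRASE_FLAG = "-S"   # assumption, see above


def newfs_apfs_argv(message):
    """Return the newfs_apfs argv embedded in a log message, or None."""
    start = message.find("newfs_apfs")
    if start < 0:
        return None
    try:
        return shlex.split(message[start:])      # honours quoted arguments
    except ValueError:                            # unbalanced quotes in a truncated line
        return message[start:].split()


def passphrase_from_argv(argv):
    """The token following the passphrase flag, if any."""
    for i, token in enumerate(argv[:-1]):
        if token == PASSPHRASE_FLAG:
            return argv[i + 1]
    return None


def scan_log(lines):
    """Return (line, passphrase) for every line that leaks a volume passphrase."""
    hits = []
    for line in lines:
        argv = newfs_apfs_argv(line)
        if argv is None:
            continue
        secret = passphrase_from_argv(argv)
        if secret is not None:
            hits.append((line, secret))
    return hits


def redact(line, secret):
    """Mask the passphrase so the evidence can be shared without the secret."""
    return line.replace(secret, "<redacted>")


SAMPLE_LOG = [   # constructed, in the shape of `log show` output
    "2018-03-30 10:12:01.123456-0400 0x1a2b Info 0x0 412 0 diskmanagementd: newfs_apfs -i -E -S frogger13 -v SEKRET /dev/rdisk2s2",
    "2018-03-30 10:12:02.000000-0400 0x1a2b Info 0x0 412 0 diskmanagementd: newfs_apfs -i -E -S 'two words' -v Vault /dev/rdisk3s2",
    "2018-03-30 10:12:03.000000-0400 0x1a2b Info 0x0 412 0 diskmanagementd: newfs_apfs -v Plain /dev/rdisk4s1",
    "2018-03-30 10:12:04.000000-0400 0x9 Info 0x0 0 0 kernel: apfs_vfsop_mount: mounted volume",
]

if __name__ == "__main__":
    for line, secret in scan_log(SAMPLE_LOG):
        print(redact(line, secret))
```

Anything this reports from a real `log show` run is a volume whose passphrase should be changed, since the unified log persists on disk and is collected by tools such as sysdiagnose.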
However, this bug is not as egregious as the previously disclosed root password bug, in which the password hint field exposed the actual password in plaintext.
Though the exact reason of the programming error is not clear, the researcher believes "it was likely a result of other APFS encryption related bugs (or at least somehow related to it), so perhaps Apple felt it didn't need to provide the additional details."
It should be noted that you would not find the password in the plaintext when converting a non-APFS drive to APFS and then encrypting the drive.
Edwards tested and found that the bug affects only macOS 10.13 and 10.13.1, while later versions of macOS High Sierra (including the latest one) have reportedly fixed this loophole.
For more technical details of this bug, you can head on to the original blog post by Edwards.
This issue is the third APFS bug in past six months affecting Apple's latest macOS High Sierra version.
The operating system has seen a number of security issues since its release—from giving away root access to anyone without a password to revealing passwords in plaintext from the password hint feature.


Microsoft's Meltdown Patch Made Windows 7 PCs More Insecure
1.4.2018 thehackernews
Vulnerebility

The Meltdown CPU vulnerability was bad, and Microsoft's fix somehow made things even worse on Windows 7, allowing any unprivileged, user-level application to read from and even write to the operating system's kernel memory.
For those unaware, Spectre and Meltdown were security flaws disclosed by researchers earlier this year in processors from Intel, ARM, and AMD, leaving nearly every PC, server, and mobile phone on the planet vulnerable to data theft.
Shortly after the researchers disclosed Spectre and Meltdown, software vendors, including Microsoft, started releasing patches for systems running affected processors.
However, independent Swedish security researcher Ulf Frisk found that Microsoft's security fixes for the Meltdown flaw on Windows 7, a flaw which by itself could allow attackers to read kernel memory at roughly 120 KB/s, now allow attackers to read and write the same kernel memory at gigabytes per second, making the issue far worse on Windows 7 PCs and Server 2008 R2 boxes.
Frisk is the same researcher who previously discovered a way to steal the password from virtually any Mac laptop in just 30 sec by exploiting flaws in Apple's FileVault disk encryption system, allowing attackers to unlock any Mac system and even decrypt files on its hard drive.
The discovery is the latest issue surrounding the Meltdown and Spectre patches, which were sometimes found incomplete and sometimes broken, causing problems such as spontaneous reboots and other 'unpredictable' system behavior on affected PCs.
According to Frisk, the problem with Microsoft's early Meltdown fixes is that a single bit that controls permission to access kernel memory was accidentally flipped from supervisor-only to any-user in the PML4, the top level of the page tables that translate virtual to physical memory, allowing any user-mode application to access the kernel page tables.
The PML4 is the base of the 4-level in-memory page table hierarchy that the CPU's Memory Management Unit (MMU) uses to translate the virtual addresses of a process into physical memory addresses in RAM.
The correctly set bit normally ensures the kernel has exclusive access to these tables.
"The User/Supervisor permission bit was set to User in the PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself," Frisk explains in his blog post.
To prove his claim, Frisk also provided a detailed breakdown and a proof-of-concept exploit. The issue only affects 64-bit versions of Windows 7 and Windows Server 2008 R2; Windows 10 and Windows 8.1 are not affected.
Buggy Patch Allows to Read Gigabytes of Data In a Second
Also, since the PML4 page table is mapped at a fixed virtual address in Windows 7, "no fancy exploits" are needed to take advantage of the bug.
"Windows 7 already did the hard work of mapping in the required memory into every running process," Frisk said. "Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required - just standard read and write!"
Once read/write access has been gained to the page tables, it would be "trivially easy" to gain access to the entire physical memory, "unless it is additionally protected by Extended Page Tables (EPTs) used for Virtualization," Frisk said.
All attackers have to do is to write their own Page Table Entries (PTEs) into the page tables in order to access arbitrary physical memory.
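To make the mechanism concrete, an added Python example that is not Frisk's exploit or tooling: it decodes the architectural bits of an x86-64 page-table entry, computes the virtual address at which a self-referencing PML4 entry maps the page tables (the "fixed address" the text refers to), and tests a captured PML4 page for the bad state, User/Supervisor set on the self-reference. This is a check one would run over a PML4 page taken from a memory image, not a way to trigger the bug. The self-reference index 0x1ED is the fixed Windows 7 x64 value; the CR3 value and both PML4 pages are constructed for the example.

```python
"""Added example (not Ulf Frisk's exploit): x86-64 page-table entry decoding and
a check of a PML4 page for the Total Meltdown condition.  Pages are constructed."""
import struct

PTE_PRESENT = 1 << 0
PTE_RW = 1 << 1
PTE_US = 1 << 2                   # User/Supervisor: 1 = user mode may access
PTE_NX = 1 << 63
PFN_MASK = 0x000FFFFFFFFFF000    # bits 12..51: physical address of the next-level table
ENTRIES_PER_TABLE = 512

WIN7_SELFREF_INDEX = 0x1ED        # fixed on Windows 7 x64


def decode_pte(entry):
    """Split a 64-bit page-table entry into the fields that matter here."""
    return {
        "present": bool(entry & PTE_PRESENT),
        "writable": bool(entry & PTE_RW),
        "user": bool(entry & PTE_US),
        "nx": bool(entry & PTE_NX),
        "next_table": entry & PFN_MASK,
    }


def selfref_table_address(index):
    """Virtual address of the PML4 itself when PML4[index] points back at the PML4:
    the same index is used at all four levels, then the result is sign-extended."""
    va = (index << 39) | (index << 30) | (index << 21) | (index << 12)
    if va & (1 << 47):
        va |= 0xFFFF000000000000
    return va


def selfref_entry_address(index):
    """Virtual address of the self-referencing entry inside that mapping."""
    return selfref_table_address(index) + index * 8


def find_selfref(pml4_page, pml4_phys):
    """Locate the entry whose target is the PML4's own physical address."""
    for i in range(ENTRIES_PER_TABLE):
        (entry,) = struct.unpack_from("<Q", pml4_page, i * 8)
        if entry & PTE_PRESENT and (entry & PFN_MASK) == pml4_phys:
            return i, entry
    return None


def total_meltdown_exposed(pml4_page, pml4_phys):
    """True when user mode can walk (and, with R/W, rewrite) the page tables."""
    found = find_selfref(pml4_page, pml4_phys)
    if found is None:
        raise ValueError("no self-referencing PML4 entry found")
    return decode_pte(found[1])["user"]


def make_pml4(pml4_phys, selfref_flags, index=WIN7_SELFREF_INDEX):
    """Constructed PML4 page: one user-space mapping in entry 0 plus the self-reference."""
    page = bytearray(4096)
    struct.pack_into("<Q", page, 0, 0x188000 | PTE_PRESENT | PTE_RW | PTE_US)
    struct.pack_into("<Q", page, index * 8, pml4_phys | selfref_flags)
    return bytes(page)


CR3 = 0x187000   # constructed; in a memory image this is the process's DirectoryTableBase
PATCHED_PML4 = make_pml4(CR3, PTE_NX | PTE_PRESENT | PTE_RW)            # supervisor only
BUGGY_PML4 = make_pml4(CR3, PTE_NX | PTE_PRESENT | PTE_RW | PTE_US)     # the bad state

if __name__ == "__main__":
    print("PML4 self-map at 0x%016X, self entry at 0x%016X" % (
        selfref_table_address(WIN7_SELFREF_INDEX), selfref_entry_address(WIN7_SELFREF_INDEX)))
    for name, page in (("patched", PATCHED_PML4), ("buggy", BUGGY_PML4)):
        idx, entry = find_selfref(page, CR3)
        print("%-8s PML4[0x%X] = 0x%016X user=%s" % (name, idx, entry, decode_pte(entry)["user"]))
```

With the self-reference at 0x1ED, the page tables of every process are reachable at 0xFFFFF6FB7DBED000 from the process's own address space; whether that mapping is usable from user mode comes down to the single U/S bit this check reads.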
Frisk said he has not been able to link the new vulnerability to anything on the public list of Common Vulnerabilities and Exposures. He also invited researchers to test the flaw using an exploit kit he released on GitHub.
UPDATE: Microsoft Releases Emergency Patch
In the wake of the researcher's finding, Microsoft released an emergency patch on Thursday for the vulnerability (CVE-2018-1038), which had been introduced by the Meltdown patches the company issued earlier this year.
The out-of-band security update for Microsoft Windows 7 and Windows Server 2008 R2 "addresses an elevation of privilege vulnerability in the Windows kernel in the 64-Bit (x64) version of Windows."
According to the Microsoft advisory, the elevation of privilege flaw occurs when the Windows kernel fails to handle objects in memory properly. Successful exploitation of this flaw could allow an attacker to run arbitrary code in kernel mode.
"An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights," the advisory states.
No other Windows OS version is impacted, except Windows 7 Service Pack 1 (x64) and Windows Server 2008 R2 Service Pack 1 (x64).
So all admins and users of Windows 7 and Windows Server 2008 R2 are strongly recommended to update their systems as soon as possible.


Russian hacker Yevgeni Nikulin was extradited to the United States
31.3.2018 securityaffairs BigBrothers 

Last week, the Czech Republic announced it had extradited the Russian hacker Yevgeni Nikulin (29) to the United States.
Yevgeni Nikulin was requested by the US for alleged cyber attacks on social networks and by the Russian authorities, who charged him with fraud. According to US authorities, the man targeted LinkedIn and Formspring and hacked into the file hosting service Dropbox.

The Russian criminal was arrested in Prague in October 2016 in an international joint operation with the FBI.

The case sits in the middle of an arm-wrestling match between Moscow and Washington, with the US government accusing Russia of having interfered with the 2016 presidential election through hacking.

Figure: Yevgeni Nikulin (source: US Defense Watch.com)

In May 2017, a Czech court ruled that Nikulin can be extradited to either Russia or the United States, leaving the final decision to the Justice Minister Robert Pelikan.

The Czech justice ministry confirmed “the extradition of Russian citizen Yevgeni Nikulin to the United States,” ministry spokeswoman Tereza Schejbalova said on Twitter.

The extradition “took place overnight,” she added.

Nikulin was transferred via plane after midnight Thursday.

“We confirm extradition to the United States,” a spokeswoman said in a text message. “He has already flown out.”


Tens of thousands of misconfigured Django apps leak sensitive data
31.3.2018 securityaffairs Security

The security researcher Fábio Castro discovered tens of thousands of Django apps that expose sensitive data because developers forget to disable the debug mode.
Security researchers have discovered misconfigured Django applications that are exposing sensitive information, including passwords, API keys, or AWS access tokens.

Django is a very popular high-level Python Web framework that allows rapid development of Python-based web applications.

The researcher Fábio Castro explained that these installs expose data because developers forgot to disable debug mode for the Django app.


@6IX7ine tweeted on Mar 27, 2018:

“28,165 thousand django running servers are exposed on the internet, many are showing secret API keys, database passwords, amazon AWS keys.

A small line http GET http://54.251.149.60:8081/ --body | grep 'DATABASE_URL\|Mysql\|AWS' #Shodan #django #hacking #cybersecurity #infosec”
Castro found 28,165 apps by querying Shodan for Django installs with debug mode enabled.

I made the same query a few hours later and I obtained 28,911 results.


Many servers with debug mode enabled expose highly sensitive data: the researchers found server passwords and AWS access tokens that could be used by hackers to gain full control of the systems.

“I found this as I was working with the Django framework on a small project,” Castro told Bleeping Computer. “I noticed some error exception and then went searching on Shodan.”

“The main reason [for all the exposures] is the debug mode enabled,” Castro says. “This is not a failure from Django’s side. My recommendation is to disable debugging mode when deploying the application to production.”
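An added Python example, not Castro's, of the check behind his grep: an offline test of a response body for Django's technical debug page and the settings it exposes. Django's debug view masks settings whose names match API|TOKEN|KEY|SECRET|PASS|SIGNATURE (the `HIDDEN_SETTINGS` pattern in `django.views.debug`), so what actually leaks are credential values stored under names that do not match, a `DATABASE_URL` with an embedded password being the classic case. The response body is constructed, modelled on the Settings table of Django's technical_500 template, and the host address in it is a documentation-range IP.

```python
"""Added example (not Castro's): detect Django's technical debug page in a
response body and list the settings whose values leak a credential.
The body below is constructed."""
import html
import re

# Strings Django's technical_500 template emits; any one identifies the page.
DEBUG_MARKERS = ("You're seeing this error because you have", "DEBUG = True", "Django Version:")
# Same pattern Django's debug view uses to decide which setting values to mask.
HIDDEN_SETTINGS = re.compile(r"API|TOKEN|KEY|SECRET|PASS|SIGNATURE", re.IGNORECASE)
# One row of the Settings table: <tr><td>NAME</td><td class="code"><pre>VALUE</pre></td></tr>
SETTING_ROW = re.compile(
    r"<tr>\s*<td>([^<]+)</td>\s*<td class=\"code\"><pre>(.*?)</pre></td>\s*</tr>", re.S)
# Values worth flagging: URL-embedded user:password pairs and AWS access key IDs.
CREDENTIAL = re.compile(r"://[^/\s:@]+:[^@\s]+@|AKIA[0-9A-Z]{16}")


def is_django_debug_page(body):
    return any(marker in body for marker in DEBUG_MARKERS)


def parse_settings(body):
    """Setting name -> displayed value, taken from the page's Settings table."""
    return {html.unescape(name).strip(): html.unescape(value).strip()
            for name, value in SETTING_ROW.findall(body)}


def exposed_credentials(body):
    """Settings Django would not have masked whose value looks like a credential."""
    if not is_django_debug_page(body):
        return []
    return [(name, value) for name, value in parse_settings(body).items()
            if not HIDDEN_SETTINGS.search(name) and CREDENTIAL.search(value)]


# Constructed body in the shape of the DisallowedHost page a scan by IP triggers.
SAMPLE_BODY = """<!DOCTYPE html><html><head><title>DisallowedHost at /</title></head><body>
<h1>DisallowedHost at /</h1>
<pre class="exception_value">Invalid HTTP_HOST header: '203.0.113.10:8081'. You may need to add '203.0.113.10' to ALLOWED_HOSTS.</pre>
<table class="meta"><tr><th>Django Version:</th><td>2.0.3</td></tr></table>
<h2>Settings</h2>
<table class="req">
<tr><td>ALLOWED_HOSTS</td><td class="code"><pre>[]</pre></td></tr>
<tr><td>AWS_ACCESS_KEY_ID</td><td class="code"><pre>&#39;********************&#39;</pre></td></tr>
<tr><td>DATABASE_URL</td><td class="code"><pre>&#39;postgres://app:hunter2@db.internal:5432/app&#39;</pre></td></tr>
<tr><td>DEBUG</td><td class="code"><pre>True</pre></td></tr>
<tr><td>SECRET_KEY</td><td class="code"><pre>&#39;********************&#39;</pre></td></tr>
</table>
<div id="explanation"><p>You're seeing this error because you have <code>DEBUG = True</code> in your Django settings file.</p></div>
</body></html>"""

if __name__ == "__main__":
    print("debug page:", is_django_debug_page(SAMPLE_BODY))
    for name, value in exposed_credentials(SAMPLE_BODY):
        print("LEAK %s = %s" % (name, value))
```

In the sample, `SECRET_KEY` and `AWS_ACCESS_KEY_ID` come back masked because their names match the hidden-settings pattern, while `DATABASE_URL` leaks the database password in full; the fix is on the application side, `DEBUG = False` and a populated `ALLOWED_HOSTS` in the production settings module, which `python manage.py check --deploy` flags as security.W018 when forgotten.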


Facebook Details Election Security Improvements

31.3.2018 securityweek  Social

While under heavy fire for the user privacy blunder involving U.K. firm Cambridge Analytica, Facebook this week presented some of the steps it is taking to protect elections from abuse and exploitation on its platform.

The United States this month announced sanctions against Russia for supposed attempts to influence the 2016 US presidential election, after it charged 13 Russians for their role in a campaign supposedly aimed at tilting the vote.

The United States, however, wasn’t the only country hit by such attacks: Canada, France, and Germany (and possibly other countries too) were hit as well. These cyber-attacks prompted the launch of Google's election security solutions, but Facebook is now looking to strengthen protections against other types of election meddling.

“By now, everyone knows the story: during the 2016 US election, foreign actors tried to undermine the integrity of the electoral process. Their attack included taking advantage of open online platforms — such as Facebook — to divide Americans, and to spread fear, uncertainty and doubt,” Guy Rosen, VP of Product Management, notes.

There are four main election security areas Facebook plans to improve: combating foreign interference, removing fake accounts, increasing ads transparency, and reducing the spread of false news.

According to Alex Stamos, Facebook’s Chief Security Officer, the social platform will focus on tackling four major issues related to fake news, namely the use of false identities, fake audiences, false facts, and false narratives.

After understanding the various kinds of fake news the platform has to deal with, the next step is to distinguish between motivations for spreading misinformation, Stamos also points out. Successfully combating actors requires the ability to prevent them from reaching those goals.

Organized, professional groups are usually after the money, and the misinformation Facebook has encountered so far came from groups looking to gain financially by driving traffic to their sites. Thus, the goal is to increase the cost of such operations and decrease profitability.

Other organized actors focus on artificially influencing public debates. Ranging from private groups to state intelligence services, these actors have both foreign and domestic targets, meaning that an eye should be kept on domestic manipulation as well.

Less organized groups and individuals might spread misinformation as well, either because they like causing chaos and disruption (the so called Internet “trolls”) or because they don’t realize they are sharing false stories.

“Each country we operate in and election we are working to support will have a different range of actors with techniques that are customized for that specific audience. We are looking ahead, by studying each upcoming election and working with external experts to understand the actors involved and the specific risks in each country,” Stamos says.

According to Samidh Chakrabarti, Product Manager, Facebook is currently blocking millions of fake accounts each day straight from the creation point, before they can do harm.

The platform looks into Pages that attempt to distribute inauthentic civic content and removes them when that is the case, takes action against Pages and domains that repeatedly share false news, is doubling the number of people working on safety issues from 10,000 to 20,000, and is partnering with third-party fact-checking organizations to prevent the spreading of fake news.

Facebook is also building a new transparency feature for the ads on the platform. Now in testing in Canada, a feature called View Ads allows anyone to view all the ads that a Facebook Page is running across the platform.

“Next we’ll build on our ads review process and begin authorizing US advertisers placing political ads. This spring, in the run up to the US midterm elections, advertisers will have to verify and confirm who they are and where they are located in the US,” Rob Leathern, Product Management Director, explains.

The process will involve a number of checks and steps and election-related ads will be clearly marked in people’s Facebook and Instagram feeds. The social network also plans the launch of a public archive with all the ads that ran with a political label.


20 Arrested in Italy and Romania for Spear Phishing Scam
31.3.2018 securityweek  Crime

Authorities this week arrested 20 individuals in Italy and Romania for their role in a banking phishing scam that defrauded bank customers of €1 million ($1.23 million).

The arrests were the result of a two-year long cybercrime investigation conducted by the Romanian National Police and the Italian National Police, with support from Europol, the Joint Cybercrime Action Taskforce (J-CAT), and Eurojust.

The arrests were made on March 28, following a series of coordinated raids. 9 of the individuals were arrested in Romania and 11 in Italy. The Romanian Police raided 3 houses, while the Italian authorities conducted 10 home and computer searches.

The hackers, Europol reveals, engaged in a banking fraud scheme that netted €1 million from hundreds of customers of 2 major banking institutions.

The group, mainly comprised of Italian nationals, sent spear phishing emails impersonating tax authorities to victims, in an attempt to harvest their online banking credentials.

Unlike common phishing scams, where millions of generic emails are sent to potential victims, spear phishing emails are highly personalized, featuring content that makes them appear as coming from a reputable source, such as the bank.

Since 2016, the investigators have been tracking the manner in which the arrested individuals have been using the stolen online banking credentials to log into their victims’ accounts and transfer funds to the attacker-controlled accounts.

Next, they would withdraw the funds from Automated Teller Machines (ATMs) in Romania, using credit/debit cards linked to the criminal accounts.

The highly organized hackers pursued their criminal activities using encrypted chat applications. They also used intimidating and punitive methods towards affiliates and competitors to establish power, Europol says.

Furthermore, authorities suspect the group of money laundering, as well as drug and human trafficking, prostitution, and participation in a criminal organization.

During the investigation, Eurojust ensured the coordination between the prosecuting and investigating authorities in Italy and Romania, while Europol provided tailored intelligence analysis and expertise.

Earlier this week, Europol announced that a Ukrainian national believed to be the leader of a hacking group that used Carbanak malware to steal money from banks worldwide was arrested in Spain. The cybercriminal group has caused losses totaling over €1 billion ($1.23 billion).


Apple Patches Dozens of Vulnerabilities Across Product Lines
31.3.2018 securityweek Apple

Apple this week released a new set of security patches to address dozens of vulnerabilities impacting macOS, iOS, watchOS, and tvOS, as well as its Windows software.

Over 40 security bugs were fixed with the release of iOS 11.3 on Thursday. The bugs affect iPhone 5s and later, iPad Air and later, and iPod touch 6th generation.

WebKit was affected the most, with a total of 19 issues resolved. Components such as CoreFoundation, CoreText, File System Events, iCloud Drive, Kernel, Mail, PluginKit, Safari, Security, and Storage were impacted as well.

Exploitation of these flaws could result in an attacker being able to run arbitrary code on the vulnerable device, in malicious applications elevating their privileges, user interface spoofing, data exfiltration, interception of encrypted email contents, denial of service, keylogging, the disabling of features on the device, or in causing device restarts.

Multiple memory corruption issues discovered in WebKit could lead to arbitrary code execution when processing maliciously crafted web content. The bugs, 16 in total, were addressed with improved memory handling.

Apple resolved 35 vulnerabilities with the release of macOS High Sierra 10.13.4, Security Update 2018-002 Sierra, and Security Update 2018-002 El Capitan. The issues impact OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.3.

Affected components include Admin Framework, APFS, CoreFoundation, CoreText, CoreTypes, Disk Images, Disk Management, File System Events, iCloud Drive, Intel Graphics Driver, Kernel, LaunchServices, Mail, Notes, PluginKit, Security, System Preferences, and Terminal.

Exploitation of these issues could lead to exposed passwords, disclosed user information, elevation of privilege, denial of service, arbitrary code execution, reading of restricted memory, code signing enforcement bypass, interception and exfiltration of encrypted email contents, arbitrary command execution spoofing, and keylogging.

Released on Thursday for OS X El Capitan 10.11.6, macOS Sierra 10.12.6, and macOS High Sierra 10.13.4, Safari 11.1 patches 23 flaws that could lead to address bar spoofing, exfiltration of autofilled data without explicit user interaction, arbitrary code execution, cross-site scripting, ASSERT failure, denial of service, and websites exfiltrating data cross-origin.

Of the 23 vulnerabilities, 2 were found in Safari, 1 in Safari Login AutoFill, while the remaining 20 impact WebKit.

A total of 28 bugs were resolved with the release of tvOS 11.3, impacting Apple TV 4K and Apple TV (4th generation). Affected components include WebKit, Kernel, CoreFoundation, CoreText, File System Events, NSURLSession, Quick Look, Security, and System Preferences.

watchOS 4.3 fixes 22 vulnerabilities in CoreFoundation, CoreText, File System Events, Kernel, NSURLSession, Quick Look, Security, System Preferences, and WebKit. All Apple Watch models are impacted by the bugs.

The tech giant also addressed multiple issues in LLVM with the release of Xcode 9.3. The bugs impact macOS High Sierra 10.13.2 or later.

iCloud for Windows 7.4 patches 20 vulnerabilities, 19 of which impact WebKit, the same as iTunes 12.7.4 for Windows does. The bugs could lead to arbitrary code execution, elevation of privileges, ASSERT failure, denial of service, or malicious websites exfiltrating data cross-origin.


VMware Acquires Threat Detection and Response Firm E8 Security
31.3.2018 securityweek IT

VMware announced this week that it has acquired threat detection and response company E8 Security, whose technology will be used to improve the Workspace ONE digital workspace platform. This is the third acquisition made by VMware in less than two months.

California-based E8 Security emerged from stealth mode in March 2015 and it has raised a total of nearly $22 million – more than $23 million if you count seed funding.

E8 Security has developed a platform that helps organizations detect malicious activity by monitoring user and device behavior. The product also improves incident response by providing the data needed to analyze threats.

VMware plans on using E8 Security’s technology to improve its Workspace ONE product, specifically a recently announced intelligence feature that provides actionable information and recommendations, and automation for remediation tasks.

“By adding E8 Security’s user and entity behavior analytics capabilities to insights from VMware Workspace ONE Intelligence, our customers will be able to streamline management, remediation, and automation to improve the employee experience and the security of their digital workspace,” explained Sumit Dhawan, senior vice president and general manager of VMware’s End-User Computing (EUC) business.

VMware announced in February the acquisition of CloudCoreo, a Seattle-based cloud security startup launched less than two years ago. The company has created a product that allows organizations to identify public cloud risks and continuously monitor cloud infrastructure to ensure that applications and data are safe.

The virtualization giant plans on using the CloudCoreo technology and team to help customers secure their applications in the cloud.

Also in February, VMware announced its intent to buy CloudVelox, a company that specializes in providing workload mobility between the data center and public clouds. CloudVelox’s solutions also include data, system and application security capabilities.

Financial terms have not been disclosed for these recent acquisitions.


Prague Extradites Russian Hacker to US for Alleged Cyberattacks
31.3.2018 securityweek BigBrothers

The Czech Republic on Friday said it had extradited a Russian hacker to the United States where he is wanted for alleged cyberattacks on social networks.

Yevgeni Nikulin, who is also sought by his native Russia on fraud charges, had been in a Prague prison since he was arrested in the Czech capital in 2016 in a joint operation with the FBI.

The case comes amid accusations by Washington that Russia tried to "interfere" through hacking in the 2016 US election won by Donald Trump, charges the Kremlin has dismissed.

The Czech justice ministry "confirms the extradition of Russian citizen Y. Nikulin to the United States," ministry spokeswoman Tereza Schejbalova said on Twitter.

The extradition "took place overnight," she added.

A US government plane left Prague soon after midnight Thursday and landed nine hours later near Washington, according to the website flightaware.com.

Following Nikulin's arrest, Moscow accused Washington of harassing its citizens and vowed to fight Nikulin's extradition.

It then issued a separate arrest warrant for him over alleged theft from the WebMoney settlement system.

The US has charged Nikulin with hacking into social networks LinkedIn and Formspring and into the file hosting service Dropbox, Nikulin's lawyer Martin Sadilek told AFP at the time.

He also said Nikulin alleges that FBI investigators had tried twice to persuade him to confess to cyberattacks on the US Democratic Party.

Last year, a Prague court ruled that Nikulin could be extradited to either Russia or the United States, with the final say left to the Czech justice minister.


Ensuring best website security through SSL Certificate updates.
31.3.2018 securityaffairs Safety

What are the advantages for adopting an SSL Certificates and why is it important to discover and analyze SSL Certificates online?
Secure Sockets Layer (SSL) has gained weight as concern about the security of sensitive data online has grown. In fact, it is the only reliable basis for secure business and data handling. The information that travels between computers all over the world is kept safe from potential dangers with the help of SSL. Business portals need high-level security to keep their own and their customers’ data away from malicious actors.

Advantages of SSL Certificates
Data traveling across the World Wide Web is encrypted by SSL, so only the intended parties, the sender and the receiver, can read it. Any third party that handles the data in transit cannot extract any of its content. Credit card details, usernames, passwords and the like stay protected from identity thieves and hackers. Here are some vital benefits of using SSL:

SSL for Promoting Customers Trust and Business Dealings
A business thrives with its customers. That is why reputable companies and entrepreneurs prioritize keeping their customers satisfied and happy. One of the most important things for a customer is security and privacy: nobody wants their sensitive personal details and data exposed to a third party. Once a company assures its customers that all their dealings are secured and their data saved with proper encryption, business between the parties prospers.

Improving SEO with SSL Certificates
Google has a strict policy of keeping the security and privacy of its users intact. To push this security measure for consumers, Google has made HTTPS a ranking signal. The secure HTTPS/SSL version lets business websites operate securely and exchange data with partners and customers without fear of loss, hacking or theft.

Meeting the Standards of Payment Card Industry with SSL
Online monetary dealings take place through payment cards, and these cards carry highly sensitive information. The payment card industry requires full protection of this information through an established standard. Companies can meet this security standard only by using SSL certificates. A website passes audits that confirm it is using SSL and complying with the Payment Card Industry standards.

SSL Certificates for Guarding against Scams

SSL certificates underpin procedures that encode a message between two parties, the sender and the receiver, so that no third party can snoop in. This cryptographic technology secures the link between a remote browser and a web server. The encrypted message is a hard nut to crack for phishing proxies and hackers: even if they intercept it, they cannot make any use of it, because the ciphertext looks like a string of random data.

Importance of Discovering SSL Certificates
Most e-commerce websites operate through a main domain and several subdomains, each of which handles heavy online business. IT professionals manage these portals through a number of intricate jobs, and certificates that expire unnoticed leave the website vulnerable, so SSL certificates need to be tracked and renewed on time.

Analyzing and discovering the SSL certificates in use on a website is highly important at this stage, and many companies provide discovery tools. Comodo Certificate Manager finds the location, expiry date and other information of an SSL certificate. DigiCert offers another service that discovers SSL certificates in use, finds neglected or expired certificates and identifies vulnerabilities.

What is CertDB

CertDB, however, is a more comprehensive SSL and TLS certificate discovery service. It is a search engine that operates across the entire internet and analyzes certificates in real time. The service lets users discover both current information and historical data, because it scans the most common ports of the entire IPv4 range. Here are the salient features of CertDB:

Absolutely Free
CertDB is absolutely free for users. Companies and websites owners need not worry about extra expenses for discovering certificates with the help of CertDB.

Comprehensive
CertDB is comprehensive in its search and findings. The different types of SSL certificates and their latest details are fully discovered by CertDB. Experts can find recently registered domains, geographic locations, soon-to-expire certificates, company names and much more.

Modern
CertDB scans the internet regularly for certificate-driven data about websites, organizations and certificate issuers. It is accurate and continuously updated. CertDB generates big amounts of data for analysis and discovery of statistical and detailed information about specific companies, their business objectives and integration between them.

Best UI
A user-friendly interface makes CertDB easy to use and a favorite of companies and organizations. Entrepreneurs, marketers, and business analysts prefer CertDB because it is trouble-free and does not require IT specialists to work with it. Developed by the SP*SE team of skilled IT specialists and analysts, CertDB is the latest forever-free tool for organizations, students, entrepreneurs, tech geeks and e-commerce owners.


European police agencies coordinated by Europol arrested 20 people for Spear Phishing scam
31.3.2018 securityaffairs Phishing

An international operation conducted by the Romanian National Police and the Italian National Police, with support from Europol, the Joint Cybercrime Action Taskforce (J-CAT) and Eurojust, led to the arrest of 20 individuals involved in a banking spear phishing scam.
According to the investigators, the scam allowed the crooks to defraud bank customers of €1 million ($1.23 million).

The international investigation lasted two years and ended with a series of coordinated raids in which 9 individuals were arrested in Romania and 11 in Italy.

The Romanian Police raided 3 houses in the country, while the Italian police raided 10 houses and conducted several computer searches.

“A two-year long cybercrime investigation between the Romanian National Police and the Italian National Police, with the support of Europol, its Joint Cybercrime Action Taskforce (J-CAT) and Eurojust, has led to the arrest of 20 suspects in a series of coordinated raids on 28 March. 9 individuals in Romania and 11 in Italy remain in custody over a banking fraud netted EUR 1 million from hundreds of customers of 2 major banking institutions.” reads the press release published by Europol.

“The Romanian authorities have conducted 3 house searches, while the Italian National Police ordered the execution of 10 home and computer searches, involving more than 100 Italian policemen.”

According to Europol, the banking fraud scheme netted €1 million from hundreds of customers of 2 targeted major banks.

Most of the members of the gang are Italians. They sent spear phishing messages posing as tax authorities in an attempt to harvest victims’ online banking credentials.

“While the most common phishing scams blast out millions of generic e-mails, spear phishing emails are personally addressed to targeted stakeholders with content to make it appear from a reputable source, such as a bank. Recipients are encouraged to click on a link, which will lead to a fake version of a legitimate website where their account or contact details can be stolen.” continues the press release.

The authorities have been monitoring the activity of the crime gang since 2016. Once the attackers stole credentials through spear phishing messages, they logged into their victims’ accounts and drained the funds.

The gang made the cash out through ATMs in Romania, using payment cards associated with criminal accounts.

The crime gang was using encrypted chat applications for the communication and according to the police they also used intimidating and punitive methods towards affiliates and competitors to establish power.

The authorities suspect the group of other illegal activities, including money laundering, as well as drug and human trafficking, prostitution, and participation in a criminal organization.

This is the second successful operation announced by Europol in a few days: earlier this week, the agency announced the arrest of the head of the crime ring behind Carbanak, which has targeted banks worldwide since 2013.


Systems at a Power Company in India infected by a ransomware
31.3.2018 securityaffairs Ransomware

A ransomware infected systems at the Uttar Haryana Bijli Vitran Nigam power company in India, crooks demanded 10 million Rupees to get the data back.
The Uttar Haryana Bijli Vitran Nigam power company in India was hacked last week: attackers breached its computer systems and stole the billing data of its customers.

The hackers demanded 10 million Rupees to get the data back (roughly $152,000 USD).

The intrusion occurred on the night of March 21: a ransomware infected the systems, and the next day employees discovered that their data was encrypted.

“In a first of the kind of a case in the country, the hackers have stolen the billing data of the Uttar Haryana Bijli Vitran Nigam (UHBVN), one of the two power discoms of Haryana and have demanded Rs One crore in form of bitcoins from the state government to retrieve the data.” states the New Indian Express.

“Sources said that UHBVN which is monitoring electricity billings of nine districts of the state came under cyber attack at 12.17 AM after midnight on March 21 and thus the billing data of thousands of consumers had been hacked as the IT wing of the nigam was target.”

The Haryana Police launched an investigation, trying to trace the IP address from which the attack originated.

The company’s officials are re-entering the billing data from the log books; in any case, the incident could have a significant impact on billing, because it is difficult to estimate current consumption without the data. The good news is that billing for about 4,000 consumers is already functioning normally again.

“The Nigam had already taken steps much before to phase out the said system and to be replaced by latest, robust and technologically advanced system on cloud services which would be operational by the end of May 2018. The billing of about 4,000 consumers has already started functioning normally” added an official of the Nigam.


Fauxpersky Keylogger masqueraded as Kaspersky Antivirus and spreads via USB drives
31.3.2018 securityaffairs Virus

Security researchers at Cybereason recently discovered a credential-stealing malware dubbed Fauxpersky, that is masquerading as Kaspersky Antivirus and spreading via infected USB drives.
Fauxpersky was written in AutoIT or AutoHotKey (AHK): the former is a freeware BASIC-like scripting language designed for automating the Windows GUI and general scripting, the latter a free keyboard macro program that can send keystrokes to other applications.

The analysis of infected systems revealed four dropped files, which the attackers named to resemble Windows system files: Explorers.exe, Spoolsvc.exe, Svhost.exe, and Taskhosts.exe.

After initial execution, the Fauxpersky keylogger gathers the listed drives on the machine and starts replicating itself to them.

“This AHK keylogger utilizes a fairly straightforward method of self propagation to spread. After the initial execution, the keylogger gathers the listed drives on the machine and begins to replicate itself to them. Let’s examine the process:” reads the analysis.

“This allows the keylogger to spread from a host machine to any connected external drives. If the keylogger is propagating to an external drive, it will rename the drive to match its naming scheme.”

The malware renames the external drives to match its naming scheme; the new name follows the convention:

original name:size:”Secured by Kaspersky Internet Security 2017”

It also creates an autorun.inf file that points to a batch script.

One of the dropped files, Explorers.exe, includes a function called CheckRPath() designed to create the files if they are not already present on the drive.

The keylogger creates the files with the attributes System and Hidden and also creates the necessary directories with the attributes Read-Only, System, and Hidden.

“When starting the process of creating the component files (HideRFiles()) we begin by starting a loop. This loop allows the keylogger to iterate over the various output files it needs to write to disk in a structured way.” continues the analysis. “We can see that the link (a .lnk shortcut file), text, and batch files will all be created for each disk to start. Then the value passed to the function gets incremented to allow the created directory to be moved as a whole once the files have been placed there.”

The files are stored in the source directory named Kaspersky Internet Security 2017 when it is copied to the new destination. The folder included a Kaspersky image named Logo.png and a text file containing instructions for users to disable their antivirus if execution fails. The instructions also include a list of security tools “incompatible with Kaspersky Internet Security 2017” (Kaspersky Internet Security included).

Fauxpersky monitors the currently active window using the AHK functions WinGetActiveTitle() and input(). Keystrokes are appended to the file Log.txt, stored in %APPDATA%\Kaspersky Internet Security 2017.

The malware gains persistence by changing the working directory of the malware to %APPDATA% and creating the Kaspersky Internet Security 2017 folder. It checks that all the necessary files are created in %APPDATA% and copies them there if they aren’t.

The file Spoolsvc.exe is used to change registry values so that the system does not display hidden files and hides system files; it then checks whether Explorers.exe is running and launches it if not.

Fauxpersky exfiltrates the keylogged data using a Google form.

“Exfiltrating data to a Google form is a very simple and clever way to overcome a lot of the “logistics” involved in data exfiltration. Using this technique means there’s no need to maintain an anonymized command and control server plus data transmissions to docs.google.com is encrypted and doesn’t look suspicious in various traffic monitoring solutions.” Cybereason concluded.


Grindr gay-dating app exposed millions of users’ private data, messages, locations
31.3.2018 securityaffairs Incident

According to an NBC report, the Grindr gay-dating app was affected by 2 security issues (now patched) that could expose the information of its more than 3 million daily users.
Every day we read of a new data breach, in some cases, exposed data could have a severe impact on the victim.

An attacker could have exploited these flaws to access location data, private messages to other users, and profile information, even if the users had opted out of sharing such information.

The security issues were identified by Trever Faden, CEO of the property management startup Atlas Lane, while he was working on his website C*ckblocked, which allowed users to see who had blocked them on Grindr.

Faden discovered that once a Grindr user logged in to his service, it was possible to access a huge quantity of data related to their Grindr account, including unread messages, email addresses, and deleted photos.

NBC noted that C*ckblocked exploited a “similar security loophole” to one that was recently used by Cambridge Analytica to create a profile of more than 50 million Facebook users.

“Grindr makes public the location of many of its users, but allows for users to opt out of this feature. Faden found that he could find the location of users who had opted out if they connected their Grindr profiles through his third-party website.” reported NBC.

“One could, without too much difficulty or even a huge amount of technological skill, easily pinpoint a user’s exact location,” Faden explained.

Grindr confirmed it was aware of the issue discovered by Faden and it had addressed them. Faden shut down his service after Grindr changed its policy on access to data on which users had blocked other users.

Grindr recommends that its users avoid using their Grindr logins for other apps or web services.

“Grindr moved quickly to make changes to its platform to resolve this issue,” the company said in the statement. “Grindr reminds all users that they should never give away their username and password to any third parties claiming to provide a benefit, as they are not authorized by Grindr and could potentially have malicious intent.”

The company published the following statement on its official Twitter account:

Grindr (@Grindr), 5:40 AM - Mar 29, 2018:

“As a company that serves the LGBTQ community, we understand the delicate nature of our users’ privacy. Ensuring safety and security of our users is of paramount importance to us and will continue to be our top priority.”

In the past, other experts found similar issues in the Grindr service: in 2014 researchers at cybersecurity firm Synack found that it allowed any user to see the profiles and locations of people. Unfortunately, the problems were not completely fixed, and two years later Wired published an interesting article about experiments in which experts were still able to figure out users’ locations.


Critical Flaw Exposes Many Cisco Devices to Remote Attacks
30.3.2018 securityweek Vulnerability

Cisco has patched more than 30 vulnerabilities in its IOS software, including a critical remote code execution flaw that exposes hundreds of thousands – possibly millions – of devices to remote attacks launched over the Internet.

A total of three vulnerabilities have been rated critical. One of them is CVE-2018-0171, an issue discovered by researchers at Embedi in the Smart Install feature in IOS and IOS XE software.

An unauthenticated attacker can send specially crafted Smart Install messages to an affected device on TCP port 4786 and cause it to enter a denial-of-service (DoS) condition or execute arbitrary code.

Cisco pointed out that Smart Install is enabled by default on switches that have not received a recent update for automatically disabling the feature when it’s not in use.

Embedi has published a blog post detailing CVE-2018-0171 and how it can be exploited. Researchers initially believed the vulnerability could only be exploited by an attacker inside the targeted organization’s network. However, an Internet scan revealed that there are roughly 250,000 vulnerable Cisco devices that have TCP port 4786 open.

Furthermore, Embedi told SecurityWeek that it has identified approximately 8.5 million devices that use this port, but researchers have not been able to determine if the Smart Install technology is present on these systems.

Another IOS vulnerability patched by Cisco and rated critical is CVE-2018-0150, a backdoor that allows an attacker to remotely access a device. This security hole is introduced by the existence of an undocumented account with a default username and password. The credentials provide access to a device with privilege level 15, the highest level of access for Cisco network devices.

The last critical security hole is CVE-2018-0151, which affects the quality of service (QoS) subsystem of IOS and IOS XE software. The flaw can allow a remote, unauthenticated attacker to cause a DoS condition or execute code with elevated privileges by sending malicious packets to a device.

The networking giant has patched a total of 17 high severity flaws in IOS and IOS XE software. The list includes mostly DoS issues, but some of the vulnerabilities can be exploited for remote code execution and privilege escalation.

Cisco also patched over a dozen IOS vulnerabilities rated “medium severity.” A majority of the bugs were discovered by the company itself and there is no evidence that any of them have been exploited for malicious purposes.


"Fauxpersky" Credential Stealer Spreads via USB Drives
30.3.2018 securityweek  Safety

A recently discovered credential stealing malware is masquerading as Kaspersky Antivirus and spreading via infected USB drives, according to threat detection firm Cybereason.

Dubbed Fauxpersky, the keylogger was written in AutoIT or AutoHotKey, which are simple tools for writing small programs for various automation tasks on Windows. AHK can be used to write code that sends keystrokes to other applications, and to create a ‘compiled’ exe that contains the script.

On systems infected with Fauxpersky, the security researchers discovered four dropped files, each named similarly to Windows system files: Explorers.exe, Spoolsvc.exe, Svhost.exe, and Taskhosts.exe.

Once executed, the malware gathers a list of drives on the machine and starts replicating itself to them, which allows it to spread to any of the connected external drives.

Furthermore, the keylogger renames the external drives to match its naming scheme. Specifically, the drive’s new name would include its original name, its size, and the string “(Secured by Kaspersky Internet Security 2017)”. The malware also creates an autorun.inf file to point to a batch script.

Explorers.exe includes a function called CheckRPath() designed to check the connected drives for the aforementioned files and to create them if they are not already present on the drive. The malware sets the attributes System and Hidden to the files and also creates the necessary directories, with parameters of Read-Only, System, and Hidden.

The attackers use a fairly basic method to ensure that all the necessary files are present in the source directory (called Kaspersky Internet Security 2017) when it is copied to the new destination. A text file in the directory instructs users to disable their antivirus if execution fails and also includes a list of security tools “incompatible with Kaspersky Internet Security 2017” (Kaspersky Internet Security included).

To perform the keylogging activities, Fauxpersky (specifically, svhost.exe) monitors the currently active window using the AHK functions WinGetActiveTitle() and input() (monitors user keystrokes to the window). Keystrokes are appended to Log.txt, which is saved in %APPDATA%\Kaspersky Internet Security 2017.

For persistence, the malware changes its working directory to %APPDATA% and creates the Kaspersky Internet Security 2017 folder. It also checks that all the necessary files exist in %APPDATA% and copies them there if they don’t.

Spoolsvc.exe changes the values of registry keys to prevent the system from displaying hidden files and to hide system files (this explains why it sets the attributes of its own files to both System and Hidden). Next, it verifies if explorers.exe is running and launches it if not, thus ensuring persistent execution of the malware.

The keylogger also creates shortcuts to itself in the start menu startup directory to ensure persistence.

To exfiltrate the keylogged data, the malware uses a Google form, freeing the attackers from having to maintain an anonymized command and control server.

“This malware is by no means advanced or even very stealthy. Its authors didn’t put any effort into changing even the most trivial things, such as the AHK icon that’s attached to the file. However, this malware is highly efficient at infecting USB drives and collecting data from the keylogger, exfiltrating it through Google Forms and depositing it in the attacker’s inbox,” Cybereason concludes.
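The artefacts listed above (the four dropped file names with System and Hidden attributes, Log.txt under %APPDATA%\Kaspersky Internet Security 2017, the startup-folder shortcuts, the relabelled removable drives and the autorun.inf that launches a batch script) can be turned into host triage rules. The following is an added example written for this article, not Cybereason's code: it runs the rules over an inventory snapshot (paths, attribute bits, volume labels) rather than the live host, so the same code works on a collected triage package. The inventory, the user profile path and the batch script name `start.bat` are constructed for the example.

```python
"""Host triage rules for the Fauxpersky indicators reported by Cybereason.

Added example, not Cybereason's code. The inventory at the bottom, the
profile path and the batch file name are constructed for illustration.
"""
import ntpath
from dataclasses import dataclass
from typing import List

# Dropped components named after (but not identical to) Windows system files.
DROPPED_FILES = {"explorers.exe", "spoolsvc.exe", "svhost.exe", "taskhosts.exe"}
STAGING_DIR = "kaspersky internet security 2017"            # folder under %APPDATA%
LABEL_MARKER = "(secured by kaspersky internet security 2017)"
FILE_ATTRIBUTE_HIDDEN = 0x2   # Windows attribute bits as returned by GetFileAttributes
FILE_ATTRIBUTE_SYSTEM = 0x4


@dataclass
class FileEntry:
    path: str            # full Windows path
    attributes: int = 0  # attribute bitmask
    content: str = ""    # text of small files (autorun.inf) or the target of a .lnk


@dataclass
class VolumeEntry:
    drive: str
    label: str
    removable: bool


def check_file(entry: FileEntry) -> List[str]:
    """Apply the file-based rules to one inventory entry."""
    hits = []
    name = ntpath.basename(entry.path).lower()
    folder = ntpath.dirname(entry.path).lower()
    in_staging = ntpath.basename(folder) == STAGING_DIR
    mask = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM
    hidden_system = (entry.attributes & mask) == mask
    if name in DROPPED_FILES and (in_staging or hidden_system):
        hits.append(f"dropped component: {entry.path}")
    if name == "log.txt" and in_staging:
        hits.append(f"keystroke log: {entry.path}")
    if name == "autorun.inf" and ".bat" in entry.content.lower():
        hits.append(f"autorun.inf launching a batch script: {entry.path}")
    if (name.endswith(".lnk") and folder.endswith("\\startup")
            and ntpath.basename(entry.content).lower() in DROPPED_FILES):
        hits.append(f"startup shortcut to a dropped component: {entry.path}")
    return hits


def check_volume(vol: VolumeEntry) -> List[str]:
    """Removable drives relabelled with the fake 'Secured by' suffix."""
    if vol.removable and LABEL_MARKER in vol.label.lower():
        return [f"relabelled removable drive {vol.drive}: {vol.label}"]
    return []


def triage(files: List[FileEntry], volumes: List[VolumeEntry]) -> List[str]:
    findings: List[str] = []
    for f in files:
        findings.extend(check_file(f))
    for v in volumes:
        findings.extend(check_volume(v))
    return findings


# Constructed inventory snapshot for the example.
APPDATA = r"C:\Users\bob\AppData\Roaming"
SAMPLE_FILES = [
    FileEntry(rf"{APPDATA}\Kaspersky Internet Security 2017\Explorers.exe",
              FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM),
    FileEntry(rf"{APPDATA}\Kaspersky Internet Security 2017\Log.txt"),
    FileEntry(rf"{APPDATA}\Microsoft\Windows\Start Menu\Programs\Startup\Explorers.lnk",
              content=rf"{APPDATA}\Kaspersky Internet Security 2017\Explorers.exe"),
    FileEntry(r"E:\autorun.inf", FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM,
              content="[autorun]\nopen=Kaspersky Internet Security 2017\\start.bat"),
    FileEntry(r"C:\Windows\System32\svchost.exe"),  # genuine system file, must not match
]
SAMPLE_VOLUMES = [
    VolumeEntry("E:", "USBKEY 16GB (Secured by Kaspersky Internet Security 2017)", removable=True),
    VolumeEntry("C:", "Windows", removable=False),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_FILES, SAMPLE_VOLUMES):
        print(finding)
```

The rules deliberately key on the combination of name and location or attributes, so that a genuine svchost.exe is never flagged; the attribute check matters because Spoolsvc.exe also changes the registry to hide hidden and system files from Explorer, so a naive directory listing on the infected host would miss them.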


Under Armour Says 150 Million Affected in Data Breach
30.3.2018 securityweek IT

Under Armour Data Breach Impacts 150 Million Users

Sports gear maker Under Armour said Thursday that its fitness application was hacked, affecting some 150 million user accounts.

The Baltimore, Maryland-based company said it had contacted law enforcement and outside consultants after learning of the breach.

Under Armour said it learned on March 25 of the breach of its MyFitnessPal application, which enables users to track activity and calorie intake using a smartphone.

It said an unauthorized party obtained usernames, email addresses, and "hashed" passwords, which makes the passwords harder for a hacker to recover.

The hack did not affect social security numbers, drivers licenses or credit card data, according to the company.

"The company's investigation is ongoing, but indicates that approximately 150 million user accounts were affected by this issue," a statement said.

Users were being notified by email and messaging to update settings to protect account information.

The attack is the latest affecting companies with large user bases such as Yahoo, retailer Target and credit reporting agency Equifax.


Foreign Companies in China Brace for VPN Crackdown
30.3.2018 securityweek  BigBrothers

Chinese people and foreign firms are girding for a weekend deadline that will curb the use of unlicensed software to circumvent internet controls, as the government plugs holes in its "Great Firewall".

A virtual private network (VPN) can tunnel through the country's sophisticated barrier of online filters to access the global internet.

VPNs give users a way to see blocked websites such as Facebook, Twitter, Google and Western news outlets, as well as certain business network tools such as timesheets, email and directories.

But new government regulations unveiled last year sent chills among users of the software, with a March 31 deadline for companies and individuals to only use government-approved VPNs.

Currently, many foreign companies have their own VPN servers in locations outside of China. But in the future, dedicated lines can only be provided by China's three telecom operators.

Critics have slammed the new policy as a revenue grab that will eliminate cheaper VPN options and make internet users more vulnerable to surveillance.

But some companies are still planning to comply.

"We will apply for a VPN line with (the government)," the chief executive of a foreign-owned technology company told AFP.

"As a company that is globally-focused based in Beijing, I think that's the best option... because we don't want to break the rules or have our VPN access disrupted," she said, requesting anonymity.

Some embassies in Beijing experienced disruptions to their communications due to restrictions on VPN usage late last year, prompting the European Union delegation to send a letter to the government to complain, diplomatic sources told AFP.

American Chamber of Commerce Shanghai President Kenneth Jarrett warned that foreign companies and their employees could "bear the brunt of the new policies".

"Foreign companies, especially entrepreneurs and smaller companies rely on overseas platforms such as Google Analytics and Google Scholar," Jarrett told AFP.

"Limiting access to affordable VPNs will make it harder for these companies to operate efficiently and just adds to the frustration of doing business in China."

The Ministry of Industry and Information Technology has dismissed concerns that using state-approved providers could jeopardise the security of private data, saying they "are not able to see information related to your business".

'At the mercy of regulators'

A member of China-based anti-censorship group GreatFire.org, which tracks internet restrictions, said the new rules are aimed at wiping out low-cost Chinese VPN providers and increasing control over access to information.

"Are foreign companies at the mercy of Chinese regulators? Yes, probably. Will there be more surveillance? Absolutely," said the member, who uses the alias Charlie Smith.

Under the new licensing regulations, it is unclear whether companies or individuals will be punished for using unauthorised VPNs, or if the software will be blocked.

But on December 21, Chinese citizen Wu Xiangyang from the south Guangxi Zhuang autonomous region was given a five-and-a-half-year prison sentence and 500,000 yuan ($76,000) fine.

Wu "illegally profited" from setting up VPN servers and selling software "without obtaining relevant business licenses", according to a news site managed by the Supreme People's Procuratorate.

It was the most severe known VPN-related conviction.

Last September, a 26-year-old man from Guangdong province was sentenced to nine months in prison in a similar case.

Samm Sacks, who researches China's technology policy at the US-based Center for Strategic and International Studies, said it is likely that China will be lenient to most foreign companies.

"We will probably see selective enforcement. So far, there have not been many foreign companies that have experienced problems with their company VPNs," Sacks said.

"It just adds a new layer of uncertainty at a time when foreign companies are already facing a host of challenges to doing business in China," she said.

In the European Chamber of Commerce in China's 2017 survey of its members, companies reported suffering from restricted internet and slow and unstable connections in China, before new VPN restrictions were announced.

"Poor internet connectivity not only damages China's efforts to portray itself as an innovative society, it also impacts overall productivity," chamber president Mats Harborn told AFP.

"Some reported losses of more than 20 percent of their annual revenue as a result."

'No, we don't sell VPNs'

Earlier this month, in the southern trade hub of Guangzhou, a small shop with the letters "VPN" painted in red on its wall said they no longer offered them.

"No, we don't sell VPNs," a Chinese shopkeeper said curtly, refusing to explain why.

But it was business as usual for a nearby store that was licensed to sell VPNs from state-owned telecommunications operator China Telecom.

"We've had no problems. Our clients are mostly Chinese and African traders who want to keep in touch using Whatsapp," a technician said.


Microsoft Fixes Windows Flaw Introduced by Meltdown Patches
30.3.2018 securityweek 
Vulnerebility

Microsoft has released out-of-band updates for Windows 7 and Windows Server 2008 R2 to address a serious privilege escalation vulnerability introduced earlier this year by the Meltdown mitigations.

Researcher Ulf Frisk reported this week that the patches released by Microsoft in January and February for the Meltdown vulnerability created an even bigger security hole that allows an attacker to read from and write to memory at significant speeds.

Frisk disclosed details of the bug since Microsoft’s security updates for March appeared to have addressed the issue. However, an investigation conducted by the tech giant revealed that the flaw had not been properly fixed.

Microsoft informed customers on Thursday that a new patch has been released for Windows 7 x64 Service Pack 1 and Windows Server 2008 R2 x64 Service Pack 1 to fully resolve the problem. “Customers who apply the updates, or have automatic updates enabled, are protected,” a Microsoft spokesperson said.

The vulnerability, tracked as CVE-2018-1038 and rated “important,” has been patched with the KB4100480 update. Users are advised to install the update as soon as possible, particularly since some Microsoft employees believe it will likely be exploited in the wild soon.

“An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory. An attacker who successfully exploited this vulnerability could run arbitrary code in kernel mode. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights,” Microsoft said in an advisory.

Frisk explained in a blog post that while the Meltdown vulnerability allows an attacker to read megabytes of data per second, the new flaw can be exploited to read gigabytes of data per second. In one of the tests he conducted, the researcher managed to access the memory at speeds of over 4 Gbps. The security hole can also be exploited to write to memory.

Exploiting the flaw is easy once the attacker has gained access to the targeted system. A direct memory access (DMA) attack tool developed by Frisk can be used to reproduce the vulnerability.


Under Armour data breach affected about 150 million MyFitnessPal users
30.3.2018 securityaffairs Hacking

Under Armour became aware of a potential security breach on March 25, the company said an unauthorized party had accessed MyFitnessPal user data.
Under Armour learned of the data breach on March 25, it promptly reported the hack to law enforcement and hired security consultants to investigate the incident.

Attackers hacked the MyFitnessPal application that is used by its customers to track fitness activity and calorie consumption.


According to the firm, an unauthorized party obtained access to user data, including usernames, email addresses, and “hashed” passwords.

The good news is that hackers did not access financial data (i.e. payment card data) or social security numbers and drivers licenses.

“On March 25, the MyFitnessPal team became aware that an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018. The company quickly took steps to determine the nature and scope of the issue and to alert the MyFitnessPal community of the incident.” reads a statement issued by the company.

“The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers), which the company does not collect from users. Payment card data was also not affected because it is collected and processed separately. The company’s investigation is ongoing, but indicates that approximately 150 million user accounts were affected by this issue.”

The company notified users of the data breach by email and in-app messaging, urging them to update their settings to protect account information.

“The notice contains recommendations for MyFitnessPal users regarding account security steps they can take to help protect their information. The company will be requiring MyFitnessPal users to change their passwords and is urging users to do so immediately.” continues the statement.


The latest variant of the Panda Banker Trojan targets Japan
30.3.2018 securityaffairs
Virus

Security researchers at Arbor Networks have discovered a threat actor targeting financial institutions in Japan using the Panda Banker banking malware (aka Zeus Panda, PandaBot).
Panda Banker was first spotted in 2016 by Fox-IT; it borrows code from the Zeus banking Trojan.

In November 2017, threat actors behind the Zeus Panda banking Trojan leveraged black Search Engine Optimization (SEO) to propose malicious links in the search results. Crooks were focused on financial-related keyword queries.

The main feature of Panda Banker is the theft of credentials and account numbers; it steals money from victims by implementing a “man in the browser” attack.

Panda Banker is sold as a kit on underground forums; the variant used in the latest attacks against Japan is version 2.6.6, which implements the same features as the previous releases.

“A threat actor using the well-known banking malware Panda Banker (a.k.a Zeus Panda, PandaBot) has started targeting financial institutions in Japan.” reads the analysis published by Arbor Networks.

“Based on our data and analysis this is the first time that we have seen Panda Banker injects targeting Japanese organizations.”

An interesting aspect of this campaign targeting Japan is that none of the indicators of compromise (IOCs) were associated with previous attacks.

The threat actor delivered the banking trojan through malvertising, victims were redirected to the domains hosting the RIG-v exploit kit.

Crooks used multiple domains and C&C servers, but at the time of the analysis only one of them was active. The single active domain, hillaryzell[.]xyz, was registered to a Petrov Vadim and the associated email address was yalapinziw@mail.ru.

The campaign that hit Japan also targeted websites based in the United States: search engines, social media sites, an email site, a video search engine, an online shopping site, and an adult content hub.

“The threat actor named this campaign “ank”.” continues the analysis. “At the time of research, the C2 server returned 27 webinjects that can be broken down into the following categories:

17 Japanese banking web sites mostly focusing on credit cards
1 US based web email site
1 US based video search engine
4 US based search engines
1 US based online shopping site
2 US based social media sites
1 US based adult content hub”

The webinjects employed in this campaign leverage the Full Info Grabber automated transfer system (ATS) to capture user credentials and account information.



CISCO addresses two critical remote code execution flaws in IOS XE operating system
30.3.2018 securityaffairs
Vulnerebility

This week Cisco patched three critical vulnerabilities affecting its IOS XE operating system; two of them are remote code execution flaws that could be exploited by an attacker to gain full control over vulnerable systems.
Cisco March 2018 Semiannual Cisco IOS and IOS XE Software Security Advisory Bundled Publication addressed 22 vulnerabilities, 3 of them rated as critical and 19 as high.

Let’s give a close look at the critical vulnerabilities.

The first issue, tracked as CVE-2018-0151, is an IOS and IOS XE Software Quality of Service Remote Code Execution Vulnerability.

“A vulnerability in the quality of service (QoS) subsystem of Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition or execute arbitrary code with elevated privileges.” reads the advisory published by Cisco.

“The vulnerability is due to incorrect bounds checking of certain values in packets that are destined for UDP port 18999 of an affected device. An attacker could exploit this vulnerability by sending malicious packets to an affected device”


The second vulnerability tracked as CVE-2018-0171 affects the Smart Install feature of Cisco IOS Software and Cisco IOS XE Software, it could be exploited by an unauthenticated, remote attacker to cause a reload of a vulnerable device or to execute arbitrary code on an affected device.

“The vulnerability is due to improper validation of packet data. An attacker could exploit this vulnerability by sending a crafted Smart Install message to an affected device on TCP port 4786.” reads the security advisory published by Cisco.

“A successful exploit could allow the attacker to cause a buffer overflow on the affected device, which could have the following impacts:

Triggering a reload of the device
Allowing the attacker to execute arbitrary code on the device
Causing an indefinite loop on the affected device that triggers a watchdog crash”

The third flaw, which affects Cisco IOS XE Software, is due to an undocumented user account “with privilege level 15” that has a default username and password.

The issue tracked as CVE-2018-0150 could be exploited by an unauthenticated, remote attacker to log in to a device running an affected release of Cisco IOS XE Software with the default credentials.

“A vulnerability in Cisco IOS XE Software could allow an unauthenticated, remote attacker to log in to a device running an affected release of Cisco IOS XE Software with the default username and password that are used at initial boot.” reads the security advisory published by Cisco.

“The vulnerability is due to an undocumented user account with privilege level 15 that has a default username and password. An attacker could exploit this vulnerability by using this account to remotely connect to an affected device. A successful exploit could allow the attacker to log in to the device with privilege level 15 access.”
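Both the SecurityWeek summary earlier on this page and the advisory quoted above make the same operational point: Smart Install listens on TCP port 4786 and is enabled by default on switches that have not received the update that turns it off automatically. The following is an added example, not Cisco's or Embedi's tooling: it audits saved `show running-config` captures for the global command `no vstack`, which disables the Smart Install client and appears in the running configuration once set, and lists the devices where that line is missing. The two configurations, hostnames and version strings below are constructed for the example.

```python
"""Fleet audit for Smart Install exposure (CVE-2018-0171).

Added example, not Cisco's or Embedi's code. It scans saved running
configurations for the `no vstack` line; devices without it still run the
Smart Install client on TCP port 4786 unless their software release already
disables the feature by default. The configurations below are constructed.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

SMART_INSTALL_PORT = 4786  # TCP port the Smart Install client listens on
NO_VSTACK_RE = re.compile(r"^\s*no vstack\s*$", re.MULTILINE)
HOSTNAME_RE = re.compile(r"^hostname\s+(\S+)\s*$", re.MULTILINE)
VERSION_RE = re.compile(r"^version\s+(\S+)\s*$", re.MULTILINE)


@dataclass
class Finding:
    hostname: str
    version: Optional[str]
    vstack_disabled: bool


def audit_config(config: str) -> Finding:
    """Pull the hostname and version and record whether `no vstack` is present."""
    host = HOSTNAME_RE.search(config)
    ver = VERSION_RE.search(config)
    return Finding(
        hostname=host.group(1) if host else "<unknown>",
        version=ver.group(1) if ver else None,
        vstack_disabled=bool(NO_VSTACK_RE.search(config)),
    )


def exposed_devices(configs: Iterable[str]) -> List[str]:
    """Hostnames whose running configuration does not contain `no vstack`."""
    return [f.hostname for f in map(audit_config, configs) if not f.vstack_disabled]


# Constructed running-config captures for the example.
CONFIG_CORE = """\
version 15.2
hostname sw-core-01
!
no vstack
!
interface GigabitEthernet1/0/1
 description uplink
"""

CONFIG_ACCESS = """\
version 15.0
hostname sw-access-01
!
interface GigabitEthernet0/1
 description user port
!
vstack config tftp://192.0.2.10/config.txt
"""

if __name__ == "__main__":
    for name in exposed_devices([CONFIG_CORE, CONFIG_ACCESS]):
        print(f"{name}: Smart Install client not disabled (TCP {SMART_INSTALL_PORT} may be open)")
```

The regex is anchored to the whole line so that a `vstack config ...` directive, which configures rather than disables the client, is not mistaken for `no vstack`. Treat the output as a candidate list: a device on a release that already ships with the feature off will show up here without being exposed, so confirm with `show vstack config` on the device and apply the fixed software per the advisory.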


Drupal finally addressed the critical CVE-2018-7600 Drupalgeddon2 vulnerability
30.3.2018 securityaffairs
Vulnerebility

The Drupal development team has fixed the Drupalgeddon2 vulnerability that could be exploited by an attacker to take over a website.
A few days ago, Drupal Security Team confirmed that a “highly critical” vulnerability, tracked as CVE-2018-7600, affects Drupal 7 and 8 core and announced the availability of security updates on March 28th.

The vulnerability was discovered by the Drupal developer Jasper Mattsson.

Neither Drupal 8.3.x nor 8.4.x is supported any longer, but due to the severity of the flaw the Drupal Security Team decided to address it with specific security updates.

Now the Drupal development team has fixed the vulnerability, which could be exploited by an attacker to run arbitrary code on the CMS core component and take over a website just by accessing a URL.

The Drupal CMS currently runs on over one million websites, it is the second most popular content management system behind WordPress.

Website administrators should immediately upgrade their sites to Drupal 7.58 or Drupal 8.5.1.

The flaw was dubbed Drupalgeddon2 after the CVE-2014-3704 Drupalgeddon security vulnerability that was discovered in 2014 that was exploited in numerous successful attacks in the wild.

The good news is that at the time of writing there was no public proof-of-concept code available online.

The Drupal security team declared that it was not aware of any attacks exploiting the Drupalgeddon2 vulnerability in the wild.

“A remote code execution vulnerability exists within multiple subsystems of Drupal 7.x and 8.x. This potentially allows attackers to exploit multiple attack vectors on a Drupal site, which could result in the site being completely compromised.” reads the security advisory published by Drupal.

“The security team has written an FAQ about this issue. Solution:

Upgrade to the most recent version of Drupal 7 or 8 core.

If you are running 7.x, upgrade to Drupal 7.58. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)
If you are running 8.5.x, upgrade to Drupal 8.5.1. (If you are unable to update immediately, you can attempt to apply this patch to fix the vulnerability until such time as you are able to completely update.)”

Patching websites is essential; the popular expert Kevin Beaumont noticed that the Drupal homepage was taken down for half an hour to address Drupalgeddon2.

Kevin Beaumont (@GossiTheDog), 9:52 PM - Mar 28, 2018, Manchester, England:

“The Drupal team took the site offline before the announcement to do a version upgrade, and now the site doesn’t work 😃💃🏽”

The Drupal team also issued security patches for the 6.x versions that were discontinued in February 2016.

“This issue also affects Drupal 6. Drupal 6 is End of Life. For more information on Drupal 6 support please contact a D6LTS vendor.” continues the advisory.


Panda Banker Trojan Goes to Japan
30.3.2018 securityweek
Virus

The banking Trojan known as Panda Banker is now targeting financial institutions in Japan for what appears to be the first time.

Also known as Panda Zeus, the malware was first observed in 2016, based on the leaked source code of the infamous Zeus banking Trojan. The threat has been involved in multiple infection campaigns targeting users worldwide, including an attack that leveraged poisoned Google searches for malware delivery.

Designed to steal user credentials via man-in-the-browser and webinjects that specify what websites to target and how, Panda Banker has received consistent, incremental updates ever since its first appearance on the threat landscape.

The Trojan is being sold as a kit on underground forums, meaning that it has a large number of users. Cybercriminals using it target various countries, likely based on their ability to convert the stolen credentials into real money.

Since the beginning of 2016, Panda Banker has been observed in campaigns targeting financial institutions in Italy, Canada, Australia, Germany, the United States, and the United Kingdom, and now in attacks focusing on Japan as well.

The Panda Banker iteration observed in the new attacks is version 2.6.6, which features the same capabilities as the previous releases, without significant changes.

However, not only does the malware feature webinjects targeting Japan now, but Arbor Networks security researchers discovered that none of the indicators of compromise (IOC) in this campaign overlaps with IOCs from previous attacks.

For the distribution of the malware, the threat actors behind these attacks used malicious advertisements (malvertising) to redirect victims to the RIG-v exploit kit. The toolkit then attempts to exploit vulnerabilities on the victims’ systems to download and execute the Trojan.

The campaign operators used multiple domains as their command and control (C&C) servers, but only one of them was found to be operational. The domain was registered to a Petrov Vadim using the email address yalapinziw@mail.ru.

As part of the campaign, which the threat actor named ank, 27 webinjects were included in Panda Banker, 17 of which target Japanese banking websites. The remaining 10 target websites based in the United States: four search engines, two social media sites, an email site, a video search engine, an online shopping site, and an adult content hub.

The webinjects used in this campaign employ the Full Info Grabber automated transfer system (ATS) to capture user credentials and account information.

According to Arbor Networks, while this was the first time they encountered a Panda Banker variant targeting Japan, the country is no stranger to banking Trojans. Previously, it was hit by attacks that employed the Ursnif and Urlzone financial malware.


Microsoft Patches for Meltdown Introduced Severe Flaw: Researcher
30.3.2018 securityweek
Vulnerebility

Some of the Windows updates released by Microsoft to mitigate the Meltdown vulnerability introduce an even more severe security hole, a researcher has warned.

Microsoft has released patches for the Meltdown and Spectre vulnerabilities every month since their disclosure in January. While at this point the updates should prevent these attacks, a researcher claims some of the fixes create a bigger problem.

According to Ulf Frisk, the updates released by Microsoft in January and February for Windows 7 and Windows Server 2008 R2 patch Meltdown, but they allow an attacker to easily read from and write to memory.

He noted that while Meltdown allows an attacker to read megabytes of data per second, the new vulnerability can be exploited to read gigabytes of data per second – in one of the tests he conducted, the expert managed to access the memory at speeds of over 4 Gbps. Moreover, the flaw also makes it possible to write to memory.

Frisk says exploitation does not require any sophisticated exploits – standard read and write instructions will get the job done – as Windows 7 has already mapped the memory for each active process.

“In short - the User/Supervisor permission bit was set to User in the PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself,” the researcher explained. “The PML4 is the base of the 4-level in-memory page table hierarchy that the CPU Memory Management Unit (MMU) uses to translate the virtual addresses of a process into physical memory addresses in RAM.”

“Once read/write access has been gained to the page tables it will be trivially easy to gain access to the complete physical memory, unless it is additionally protected by Extended Page Tables (EPTs) used for Virtualization. All one has to do is to write their own Page Table Entries (PTEs) into the page tables to access arbitrary physical memory,” he said.
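Frisk's explanation turns on one bit in one entry: the MMU checks the User/Supervisor bit at every level of the walk, so a PML4 self-referencing entry marked User lets the walk that lands on the page tables themselves succeed from user mode. The following is an added toy model written for this article, not Frisk's code or his PCILeech tool: it implements the 4-level index split and the per-level U/S check, builds a small address space with a self-referencing PML4 slot, and shows that the page tables are reachable from user mode exactly when that entry is marked User. The table layout, physical addresses and the choice of slot 0x1ED for the self-reference are constructed for the example.

```python
"""Toy model of the x86-64 four-level page walk with the U/S check.

Added example (not Frisk's code). Physical addresses, the table layout and
the self-reference slot 0x1ED are constructed for the example.
"""
from typing import Dict, Tuple

PRESENT, WRITABLE, USER = 0x1, 0x2, 0x4   # PTE flag bits 0, 1 and 2
SELF_REF_INDEX = 0x1ED                     # PML4 slot that points back at the PML4

Entry = Tuple[int, int]                    # (physical address of next level or frame, flags)


class PageTableMemory:
    """Physical memory holding only page-table pages: phys -> {index: entry}."""

    def __init__(self) -> None:
        self.tables: Dict[int, Dict[int, Entry]] = {}

    def add_table(self, phys: int) -> int:
        self.tables[phys] = {}
        return phys

    def set_entry(self, table_phys: int, index: int, target_phys: int, flags: int) -> None:
        self.tables[table_phys][index] = (target_phys, flags | PRESENT)


def walk(mem: PageTableMemory, cr3: int, vaddr: int, user_mode: bool) -> int:
    """Translate vaddr like the MMU: 9 index bits per level, and a user-mode
    access faults if any entry on the path is Supervisor-only."""
    table = cr3
    for shift in (39, 30, 21, 12):           # PML4, PDPT, PD, PT
        index = (vaddr >> shift) & 0x1FF
        entry = mem.tables[table].get(index)
        if entry is None or not (entry[1] & PRESENT):
            raise LookupError(f"not present at level with shift {shift}")
        target, flags = entry
        if user_mode and not (flags & USER):
            raise PermissionError(f"supervisor-only entry at level with shift {shift}")
        table = target
    return table | (vaddr & 0xFFF)


def self_ref_vaddr(index: int = SELF_REF_INDEX) -> int:
    """Virtual address whose four indices all equal the self-reference slot:
    the walk ends on the PML4 page itself."""
    v = (index << 39) | (index << 30) | (index << 21) | (index << 12)
    if index & 0x100:                        # bit 47 set: canonical sign extension
        v |= 0xFFFF << 48
    return v


def build_address_space(self_ref_flags: int) -> Tuple[PageTableMemory, int]:
    """One user data page at vaddr 0x10000 plus a self-referencing PML4 entry
    whose U/S bit is taken from self_ref_flags (USER or 0)."""
    mem = PageTableMemory()
    pml4 = mem.add_table(0x1000)
    pdpt = mem.add_table(0x2000)
    pd = mem.add_table(0x3000)
    pt = mem.add_table(0x4000)
    mem.set_entry(pml4, 0, pdpt, WRITABLE | USER)
    mem.set_entry(pdpt, 0, pd, WRITABLE | USER)
    mem.set_entry(pd, 0, pt, WRITABLE | USER)
    mem.set_entry(pt, 0x10, 0x5000, WRITABLE | USER)        # data frame for vaddr 0x10000
    mem.set_entry(pml4, SELF_REF_INDEX, pml4, WRITABLE | self_ref_flags)
    return mem, pml4


def user_can_reach_page_tables(self_ref_flags: int) -> bool:
    """True when a user-mode access to the self-map address translates."""
    mem, cr3 = build_address_space(self_ref_flags)
    try:
        walk(mem, cr3, self_ref_vaddr(), user_mode=True)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    print(f"self-map address: {self_ref_vaddr():#x}")
    print("self-ref entry User      -> page tables readable from user mode:",
          user_can_reach_page_tables(USER))
    print("self-ref entry Supervisor -> page tables readable from user mode:",
          user_can_reach_page_tables(0))
```

The model shows why the fix is a single bit: with the self-reference marked Supervisor the ordinary user mapping at 0x10000 still translates (its own path is all User), while the walk to the self-map address faults at the first level; with it marked User, the same walk returns the physical address of the PML4 page and every other table is reachable the same way. Real hardware also checks the Supervisor Mode Access Prevention and NX bits and the large-page bit, which the toy omits.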

The researcher says anyone can reproduce the vulnerability using a direct memory access (DMA) attack tool he developed a few years ago. The attack works against devices running Windows 7 x64 or Windows Server 2008 R2 with the Microsoft patches from January or February installed. The issue did not exist before January and it appears to have been addressed by Microsoft with the March updates. Windows 10 and Windows 8.1 are not affected, Frisk said.

A Microsoft spokesperson told SecurityWeek that the company is aware of the report and is looking into it.

Frisk previously discovered a macOS vulnerability that could have been exploited to obtain FileVault passwords, and demonstrated some UEFI attacks.


Kaspersky Open Sources Internal Distributed YARA Scanner
30.3.2018 securityweek
Virus

Kaspersky Lab has released the source code of an internally-developed distributed YARA scanner as a way of giving back to the infosec community.

Originally developed by VirusTotal software engineer Victor Alvarez, YARA is a tool that allows researchers to analyze and detect malware by creating rules that describe threats based on textual or binary patterns.

Kaspersky Lab has developed its own version of the YARA tool. Named KLara, the Python-based application relies on a distributed architecture to allow researchers to quickly scan large collections of malware samples.

Looking for potential threats in the wild requires a significant amount of resources, which can be provided by cloud systems. Using a distributed architecture, KLara allows researchers to efficiently scan one or more YARA rules over large data collections – Kaspersky says it can scan 10Tb of files in roughly 30 minutes.

“The project uses the dispatcher/worker model, with the usual architecture of one dispatcher and multiple workers. Worker and dispatcher agents are written in Python. Because the worker agents are written in Python, they can be deployed in any compatible ecosystem (Windows or UNIX). The same logic applies to the YARA scanner (used by KLara): it can be compiled on both platforms,” Kaspersky explained.

KLara provides a web-based interface where users can submit jobs, check their status, and view results. Results can also be sent to a specified email address.

The tool also provides an API that can be used to submit new jobs, get job results and details, and retrieve the matched MD5 hashes.

Kaspersky Lab has relied on YARA in many of its investigations, but one of the most notable cases involved the 2015 Hacking Team breach. The security firm wrote a YARA rule based on information from the leaked Hacking Team files, and several months later it led to the discovery of a Silverlight zero-day vulnerability.

The KLara source code is available on GitHub under a GNU General Public License v3.0. Kaspersky says it welcomes contributions to the project.

This is not the first time Kaspersky has made available the source code of one of its internal tools. Last year, it released the source code of Bitscout, a compact and customizable tool designed for remote digital forensics operations.


GoScanSSH Malware Targets Linux Servers
30.3.2018 securityweek
Virus

A recently discovered malware family written using the Golang (Go) programming language is targeting Linux servers and using a different binary for each attack, Talos warns.

Dubbed GoScanSSH because it compromises SSH servers exposed to the Internet, the malware’s command and control (C&C) infrastructure leverages the Tor2Web proxy service to prevent tracking and takedowns.

The malware operators, Talos believes, had a list of more than 7,000 username/password combinations they would use to authenticate to the servers, after which they would create a unique GoScanSSH binary to upload and execute on the server.

The actors behind this threat would target weak or default credentials used across a variety of Linux-based devices. Usernames used in the attack include admin, guest, oracle, osmc, pi, root, test, ubnt, ubuntu, and user.

The credential combinations used in these attacks targeted Open Embedded Linux Entertainment Center (OpenELEC); Raspberry Pi; Open Source Media Center (OSMC); jailbroken iPhones; Ubiquiti device, PolyCom SIP phone, Huawei device, and Asterisk default credentials; and various keyboard patterns and well-known commonly used passwords.

Talos discovered over 70 unique GoScanSSH samples compiled to target multiple system architectures (x86, x86_64, ARM, and MIPS64).

Following infection, the malware attempts to determine how powerful the infected system is by determining how many hash computations it can perform within a fixed time interval. The malware sends the information to the C&C, along with basic information about the machine and a unique identifier.

The malware was designed to access Tor-hosted C&C domains using the Tor2Web proxy service, without needing to install the Tor client on the compromised system. The communication between the bot and the server is authenticated to ensure it cannot be hijacked.

GoScanSSH can scan and identify vulnerable SSH servers exposed to the Internet. For that, it randomly generates IP addresses, but avoids special-use addresses, such as those assigned to the U.S. Department of Defense or to an organization in South Korea.

The malware attempts to establish a TCP connection to the selected IP address and, if that succeeds, it checks if the IP address resolves to a domain name. If that is true, it checks if the domain is related to a government or military entity and terminates the connection if that happens.

Before starting the SSH scanning activity, the malware waits for a response from the C&C server and activates a sleep function if that doesn’t happen.

Due to an increase in the number of attempts to resolve one of the C&C domains, Talos believes the number of compromised hosts is increasing. They also discovered some resolution attempts dating back to June 19, 2017, suggesting that the campaign has been ongoing for at least nine months.

The C&C with the largest number of requests had been seen 8,579 times. The security researchers discovered a total of 250 domains associated with the malware’s activity.

“These attacks demonstrate how servers exposed to the internet are at constant risk of attack by cybercriminals. Organizations should employ best practices to ensure that servers they may have exposed remain protected from these and other attacks that are constantly being launched by attackers around the world. Organizations should ensure that systems are hardened, that default credentials are changed prior to deploying new systems to production environments, and that these systems are continuously monitored for attempts to compromise them,” Talos concludes.


Fileless Crypto-Mining Malware Discovered
30.3.2018 securityweek
Virus

Malicious crypto-miners have invaded the threat landscape over the past year, fueled by a massive increase in the value of crypto-currency.

A recent attack discovered by security researchers from Minerva Labs used malware dubbed GhostMiner, which has adopted the most effective techniques used by other malware families, including fileless infection attacks.

Focused on mining Monero crypto-currency, the new threat used PowerShell evasion frameworks – Out-CompressedDll and Invoke-ReflectivePEInjection – that employed fileless techniques to hide the malicious code.

Each of the malware’s components was designed for a different purpose: one PowerShell script to ensure propagation to new machines, and another to perform the actual mining operations.

“This evasive approach was highly effective at bypassing many security tools: some of the payloads analyzed were fully undetected by all the security vendors,” Minerva Labs’ Asaf Aprozper and Gal Bitensky reveal.

The security researchers compared the detection of the malicious executable with and without the fileless method and discovered that, once the fileless module is removed, most of the VirusTotal vendors would detect the payload.

The PowerShell script in charge of infecting new victims targets servers running Oracle’s WebLogic (leveraging the CVE-2017-10271 vulnerability), MSSQL, and phpMyAdmin.

Despite that, the attack only attempts to exploit WebLogic servers, the security researchers say. For that, the malicious code randomly probes IP addresses, creating numerous new TCP connections per second, in an attempt to discover vulnerable targets.

Communication with the command and control (C&C) server is performed via HTTP through Base64-encoded requests and replies. The protocol the malware uses to exchange messages involves a simple handshake followed by a request to perform various tasks. Once a task is completed, a new request is sent to the server.

Launched directly from memory, the mining component is a slightly customized version of the open source XMRig miner.

The mining operation, Minerva Labs researchers say, had been running for about three weeks by the time they discovered it, but the attackers have made only 1.03 Monero (around $200) to date, based on the employed wallet. However, the attackers might also be using addresses that the researchers haven’t detected yet.

“Another potential explanation for the low ‘revenues’ of the GhostMiner campaign is the aggressive rivalry between mining gangs. There are plenty of potential victims, but the exploits and techniques they use are public. The attackers are aware that their competitors share the same toolset and try to infect the same vulnerable machines,” the security researchers note.

The analysed sample itself contained a variety of techniques meant to kill the process of any other miner running on the targeted machine. These include PowerShell’s “Stop-Process -force” command, stopping blacklisted services and blacklisted scheduled tasks by name using exe, and stopping and removing miners by their command-line arguments or by looking at established TCP connections.

Minerva Labs security researchers also suggest that defenders use similar methods as these “competitor killers” to prevent malicious miners from running on endpoints. They even provide a killer script that can be modified for such purposes.


The Big Business of Bad Bots
30.3.2018 securityweek BotNet

Bad bots are big news largely because of the FBI investigation into Russia's involvement in the 2016 presidential election. But bad bots are a bigger problem than automated tweeting: 42.2% of all website traffic comes from bots; and 21.8% of it is down to bad bots.

Distil Networks' 2018 Bad Bot Report, based on an analysis of hundreds of billions of bad bot requests, shows that bad bot traffic increased by 9.5% in 2017. Good bot traffic also increased, by 8.8%, to 20.4% of all traffic. This means that, on average, only 57.8% of visiting traffic comes from a genuine human being interested in the website content.

Good bots are those that all websites require. They include the search engine page indexing bots from Google and Bing, and they bring humans to the site. Bad bots, however, are secretive and nefarious. They come from outright criminals and commercial competitors; and their purpose is to detract and/or steal from the website.

Distil highlights eight different bad bot functions: price scraping, content scraping, account takeover, account creation, credit card fraud, denial of service, gift card balance checking, and denial of inventory. They fall into three primary categories: competitive, organized criminal, and nuisance.

Price scraping and content scraping are generally competitor attacks. Price scraping allows competitors to maintain price levels slightly lower to score more highly in search engine rankings. Content scraping is simply the theft of proprietary content to augment another site's own content.

Account takeover bots are automated attempts at illegal log-ins. They can deliver brute-force attacks cycling through the most popular passwords to see if one of them works, or they can use the process known as credential stuffing.

Distil reports a 300% increase in credential stuffing bad bots in the weeks following a new major credential theft. This involves the automatic application of stolen passwords on different websites. "Here," notes the report, "bot operators make two assumptions. The first is that people reuse their credentials on many websites. The second is that newly stolen credentials are more likely to still be active. This is why businesses should anticipate bad bots running those credentials against their website after every breach."

Account creation bad bots simply generate vast numbers of new accounts -- for example, on Twitter -- to spam out messages or amplify propaganda.

Credit card fraud bots test out credit card numbers, trying to identify missing information -- such as the expiry date and the CVV.

The denial of service bad bot can be either competitive or nuisance. It can be used to reduce the performance of a competitor, or to disrupt the service of a small website either because of a grudge, or simply because it is possible. It can be effected either from a small number of attacking IP addresses, or from a larger number of rotating addresses. Automated defenses often fail because the number of accesses from each IP address is below the warning threshold before it moves to other addresses, while manual whack-a-mole IP blocking simply cannot keep up.

Gift card balance checking bots are used to steal money from gift card accounts that contain a balance.

'Denial of inventory' is a relatively new competitor attack prompted by the growth of ecommerce. In this attack, bots place stock items in online shopping baskets, taking them out of stock lists. If the item is no longer available, visiting human buyers will go elsewhere to make the purchase.

Bad bots are a difficult problem. Many website owners are not aware of them, while common defenses have little effect. Geo-blocking, for example, is only somewhat effective. Many sites block all Russian traffic. While this will inevitably include some bad bot traffic, it may also exclude some genuine human traffic. Russia is, however, the most blocked country.

In reality, the greatest source of bad bot traffic is the U.S. (although the operators may be elsewhere). According to Distil, 45.2% of all bad bot traffic originates in the United States (China is second, but way down with just 10.5%). This is because nobody, anywhere in the world, is likely to block all traffic coming from the U.S.

"This year bots took over public conversation, as the FBI continues its investigation into Russia's involvement in the 2016 U.S. presidential election and new legislation made way for stricter regulations," said Tiffany Olson Jones, CEO of Distil Networks. "Yet, as awareness grows, bot traffic and sophistication continue to escalate at an alarming rate. Despite bad bot awareness being at an all-time high, this year's Bad Bot Report illustrates that no industry is immune to automated threats and constant vigilance is required in order to thwart attacks of this kind."


Facebook Limits App Access to Users' Data
30.3.2018 securityweek
Social

Facebook has announced a series of changes to its developer platform to implement tighter user privacy controls and limit how apps can access user data.

The changes were initially mentioned last week, when the social platform came under fire after reports emerged that millions of Facebook users' personal data was harvested by British firm Cambridge Analytica.

Facebook CEO Mark Zuckerberg apologized for the incident last week and said tighter controls would be coming. Also last week, Facebook paused app review in preparation for the upcoming changes to its developer platform.

The first of the announced privacy improvements have been already implemented, but more are planned for the near future.

“These are critical steps that involve reviewing developers' actions for evidence of misuse, implementing additional measures to protect data, and giving people more control of their information,” Facebook now says.

The first major change Facebook made toward improved user privacy was to prevent applications from “seeing” a person in one’s friends list unless both users have decided to share their list of friends with the app.

“In order for a person to show up in one person's friend list, both people must have decided to share their list of friends with your app and not disabled that permission during login. Also both friends must have been asked for user_friends during the login process,” Facebook explains.

Moving forward, the social platform plans to investigate all apps that had access to large amounts of user data before that access was restricted in 2014. Facebook will ban developers from its platform if they are found to have misused personally identifiable information and will notify everyone who used the application.

The company will also require developers who build applications for other businesses to comply with rigorous policies and terms that will be revealed within the following weeks.

Facebook also plans on encouraging people to manage the apps they use, making it easier for them to revoke apps’ ability to use their data. Users will find it easier to learn what apps are connected to their accounts and to control the data these apps have access to.

On top of that, Facebook also plans on expanding its bug bounty program to allow users to file reports when data is misused by app developers, a move that many security experts approve of.

Craig Young, computer security researcher for Tripwire’s Vulnerability and Exposure Research Team, told SecurityWeek in an emailed comment that this move could “start a trend toward more policy-oriented bug bounties from social media platforms.”

“This move by Facebook really makes a lot of sense to me. By expanding their bounty program to include data misuse by app developers, Facebook may have found a way to mobilize their community to self-police. It will be interesting to see if this spurs new bug bounty participation including people less technical than the typical bug hunter,” he said.

Ilia Kolochenko, CEO of web security company High-Tech Bridge, also believes that this step could prompt other companies to take similar steps that would allow them to avoid severe sanctions for privacy violations.

“This is an exciting shift in the bug bounty industry, which until now has focused on security vulnerabilities. Facebook is the first major company that is asking for researchers to identify data privacy issues. With the GDPR coming into force in a couple of months, data privacy is now high on many organizations’ agendas,” Kolochenko said.

Last week, Facebook said it would make its privacy tools more visible to its users, and today the company announced that it has already implemented the necessary changes.

The settings menu on mobile devices was redesigned, with all the necessary tools now available in a single place, and outdated settings were removed to make it obvious what information can and can’t be shared with apps.

Facebook also implemented a new Privacy Shortcuts menu, where users can control their data with just a few taps, in addition to finding clearer explanations of how the controls work.

Now, users can add more layers of protection, such as two-factor authentication, can review the data they’ve shared and delete it, can manage the information the platform uses to show ads, and can also manage who sees their posts and the information included on their profiles.

Users can also find, download, and delete their Facebook data, via the Access Your Information option, where management of posts, reactions, comments, and things searched for is possible. Users can delete any information they no longer want on Facebook and can also download a copy of the data shared with Facebook.

Facebook also plans on updating its terms of service and data policy to make it clearer what data is collected and how it is used.

“These updates are about transparency – not about gaining new rights to collect, use, or share data,” Erin Egan, VP and Chief Privacy Officer, Policy and Ashlie Beringer, VP and Deputy General Counsel, Facebook, said.


macOS High Sierra Logs External Volume Passwords in Plaintext
30.3.2018 securityweek Apple

In macOS High Sierra, the passwords used for Apple File System (APFS)-encrypted external drives are logged and kept in on-disk log files, a security researcher has discovered.

The APFS file system was introduced by Apple with the release of macOS High Sierra and is automatically applied to the startup volume when High Sierra is installed on a computer with a solid-state drive (SSD).

According to Apple, APFS provides strong encryption, fast directory sizing, space sharing, and improved file system fundamentals.

The newly discovered vulnerability, Sarah Edwards reveals, impacts macOS 10.13 platform versions. Initially found when creating a new APFS volume, the bug appears to occur when encrypting previously created but unencrypted volumes as well.

What the expert observed was that the password used for a newly created APFS-formatted FileVault Encrypted USB drive via Disk Utility could be found in unified logs in plaintext.

“The newfs_apfs command can take a passphrase as a parameter using the mostly undocumented “-S” flag. It is not documented in the man page. However when run without parameters, it will show it,” Edwards notes.

The vulnerability was initially discovered on a system running macOS High Sierra 10.13.1. To reproduce it, one would have to create a “clean” flash drive using Disk Utility.app.

The researcher formatted the drive “Mac OS Extended (Journaled),” but the issue appears with other base formats as well.

Next, one would have to create an Encrypted APFS volume on the drive, using the menu option “Erase” and wait for the process to complete.

Keeping an eye on the unified logs in the Terminal while the operation is being performed reveals the selected password in plaintext.

The issue appears to have been fixed in High Sierra 10.13.2, but only for newly created volumes. Thus, the vulnerability can still be triggered when encrypting an already existing unencrypted APFS volume in macOS 10.13.3, the researcher says.

By exploiting this issue, an attacker could view the encryption password of encrypted APFS external volumes on USB drives, portable hard disks, and other external drives.

In October last year, a developer in Brazil discovered that macOS High Sierra leaked the passwords for encrypted APFS volumes via the password hint. The developer discovered the bug after using the Disk Utility to add a new encrypted APFS volume to the container.


Drupalgeddon: Highly Critical Flaw Exposes a Million Drupal Websites to Attacks
30.3.2018 securityweek
Vulnerebility

All versions of the Drupal content management system are affected by a highly critical vulnerability that can be easily exploited to take complete control of affected websites in what may turn out to be Drupalgeddon 2.0.

While analyzing the security of Drupal, Jasper Mattsson discovered a serious remote code execution flaw that impacts versions 6, 7 and 8. This represents more than one million websites that can be hacked by a remote and unauthenticated attacker.

The security hole, tracked as CVE-2018-7600 and assigned a risk score of 21/25, can be exploited simply by accessing a page on the targeted Drupal website. Once exploited, it gives the attacker full control over a site, including access to non-public data and the possibility to delete or modify system data, Drupal developers warned.

The vulnerability has been patched with the release of Drupal 7.58, 8.5.1, 8.3.9 and 8.4.6. While Drupal 6 has reached end of life and has not been supported since February 2016, a fix has still been developed due to the severity of the flaw and the high risk of exploitation.

Besides updating their installations to the latest version, users can protect their websites against attacks by making some changes to the site’s configuration. However, the required changes are “drastic.”

“There are several solutions, but they are all based on the idea of not serving the vulnerable Drupal pages to visitors. Temporarily replacing your Drupal site with a static HTML page is an effective mitigation. For staging or development sites you could disable the site or turn on a ‘Basic Auth’ password to prevent access to the site,” Drupal developers said.

Cloudflare also announced that it has pushed out a rule to its Web Application Firewall (WAF) to block potential attacks.

While no technical details have been made public, Drupal believes that exploits targeting the vulnerability will be created within hours or days, which is why it alerted users of the flaw and an upcoming patch one week in advance. This appears to have been a good strategy, but many websites may still remain vulnerable for extended periods of time.


In the case of the notorious Drupalgeddon vulnerability, hackers had used it to take control of websites nearly two years after a patch was released.

While there haven’t been many reports of Drupal flaws being exploited in the wild since Drupalgeddon, one of the vulnerabilities patched in June 2017 by the developers of the CMS had been leveraged in some spam campaigns.


Severe Vulnerabilities Expose MicroLogix PLCs to Attacks
30.3.2018 securityweek ICS

Rockwell Automation has released patches and mitigations for several potentially serious vulnerabilities discovered by Cisco Talos researchers in its Allen-Bradley MicroLogix 1400 programmable logic controllers (PLCs).

According to Cisco Talos, the vulnerabilities can be exploited for denial-of-service (DoS) attacks, modifying a device’s configuration and ladder logic, and writing or removing data on its memory module.

Since these controllers are typically used in industrial environments, including in critical infrastructure organizations, exploitation of the flaws could result in significant damage, Talos said.

The most serious of the flaws, based on their CVSS score of 10, are a series of access control issues that have been assigned a dozen CVE identifiers. A remote and unauthenticated attacker can exploit these vulnerabilities to obtain sensitive information, modify a device’s settings, or change its ladder logic – all by sending specially crafted packets.

While exploiting many of these flaws requires that the controller’s keyswitch is in REMOTE or PROG position, reading the master password and the master ladder logic works regardless of the keyswitch setting.

Vulnerabilities found in MicroLogix controllers

Another potentially serious flaw is CVE-2017-12088, which allows a remote attacker to cause the controller to enter a fault state and potentially delete ladder logic by sending specially crafted packets to the Ethernet port.

DoS vulnerabilities also exist in the device’s program download and firmware update functionality, but these have been assigned only a “medium severity” rating.

Other issues considered less serious include a file-write vulnerability affecting a memory module, and a DoS flaw related to the session connection functionality.

While a CVE identifier has been assigned to the session communication bug, Rockwell says the system actually works as intended and no patches or mitigations are required.

Rockwell Automation has released firmware updates that address some of these flaws. The company has also proposed a series of mitigations that include migrating to more recent series of the MicroLogix 1400 controller, setting the keyswitch to “Hard Run” to prevent unauthorized changes to the device, and disabling impacted services.

Cisco has published technical details and proof-of-concept (PoC) code for each of the vulnerabilities. Rockwell Automation has also released an advisory, but it can only be accessed by registered users.

This is not the first time Cisco Talos researchers have found vulnerabilities in MicroLogix 1400 PLCs. In 2016, they reported discovering a weakness that could have been exploited to modify the firmware on these devices.


Crypto Mining Rampant in Higher Education
30.3.2018 securityweek Cryptocurrency

Figures from an analysis of 4.5 million monitored devices across 246 companies show that for every 10,000 devices and workloads, 165 contain active threats. The majority are given a low (113) or medium (18) threat priority; but 34 are ranked high or critical, requiring immediate attention.

Deeper analysis of these figures in Vectra's 2018 Attacker Behavior Industry Report (PDF) shows the different stages of the attackers' kill chain found within different vertical industry sectors. Overall, 37% of detections denote C&C activity, 31% denote reconnaissance activity, 24% denote lateral movement, and 6% actual exfiltration attempts. The reducing numbers seem to indicate analysts' success at mitigating the detections as they progress. The remaining 3% of detections indicate botnet activity.

Applied to the different vertical industries, the analysis shows the fewest threat detections are found in the technology sector (a total of 62 per 10,000 devices), the healthcare sector (87 per 10,000), and government (139 per 10,000). Standing out, however, is higher education -- with 542 detections per 10,000 devices. Most of these, 395, are considered low priority threats, and are related to crypto mining.

"The number of low alerts in higher education is over three-times the normal rate, which is indicative of attacker behaviors that are opportunistic," explains the report. "Inversely, the technology industry has a low volume of devices prioritized as high or critical, which indicates cyberattackers do not often progress deep into the attack lifecycle."

Other sectors that stop attacks in their early stages include government and healthcare -- indicating the presence of stronger policies, mature response capabilities and better control of the attack surface; possibly because of greater regulation and oversight in these sectors. The very high number of low priority threats in higher education is largely down to a spike in crypto mining.

Higher education is unlike any other industry sector. Its users are not employees and are traditionally averse to outside control -- they will not automatically accept the security controls that can be applied to direct employees, and security teams can rarely impose them. At the same time, the student environment is an attractive target, especially for crypto mining.

"Higher education has a large number of students who are not protected by universities with open networks," explains Vectra. These same students also engage in their own crypto mining because they get free electricity, which is the highest direct cost of crypto mining (crypto mining uses computer resources to convert electricity into money). Geographically, most of this mining activity is done in Asia (76%), with 20% in North America, and just 4% in Europe. Sixty percent of all crypto mining detections uncovered by Vectra occurred in higher education.

The breakdown between mining by malware and mining by choice is not clear. It's a mixture of both, Chris Morales, Vectra's head of security analytics told SecurityWeek. "It's more likely college students crypto mining from their dorm rooms with a dose of outside actors," he added. "For example, some students could be watching pirated movies from an untrusted website that is crypto mining throughout the entire watching session. It would go unnoticed. This movie watching example really happens and was described to me by a security director at a large university as a problem they have to handle.

"Students are more likely to perform crypto mining personally as they don't pay for power, the primary cost of crypto mining," continued Morales. "Universities also have high bandwidth capacity networks with a large volume of easy targets, especially as students are more likely to use untrusted sites (like illegal movies, music, and software) hosting crypto mining malware."

Higher education can only respond to students they discover engaged in crypto mining with a notice that the activity is occurring. They can provide assistance in cleaning machines or, in the case of the student being responsible, they can issue a cease and desist. Corporate enterprises can enforce strict security controls to prevent such behaviors; but universities do not have the same luxury with students. "They can at best," explains Morales, "advise students on how to protect themselves and the university by installing operating system patches and creating awareness of phishing emails, suspicious websites and web ads."

Vectra's Cognito platform -- the source for the analysis -- uses continuous AI-enhanced anomaly detection to uncover threat behavior from network logs. It applies a scoring system to flagged behavior to reduce the high number of detected events to a low number of actual threats. For example, in this study (and on average), 26,432 events were flagged in every 10,000 devices. These were distilled down through 1,403 detections to 818 devices (per 10,000) with detections.

San Jose, Calif.-based Vectra Networks raised $36 million in a Series D funding round in February 2018, bringing the total raised to $123 million. The funds are earmarked for further development of the Cognito 'attack in progress' threat hunting platform, and to fund a new research-and-development (R&D) center in Dublin, Ireland.


Your new friend, KLara

29.3.2018 Kaspersky APT
GReAT’s distributed YARA scanner
While doing threat research, teams need a lot of tools and systems to aid their hunting efforts – from systems storing Passive DNS data and automated malware classification to systems allowing researchers to pattern-match a large volume of data in a relatively short period of time. These tools are extremely useful when working on APT campaigns where research is very agile and spans multiple months. One of the most frequently used tools for hunting new variants of malware is called YARA and was developed by Victor Manuel Alvarez while working for VirusTotal, now part of Alphabet.

In R&D we use a lot of open-source projects and we believe giving back to the community is our way of saying ‘Thank you’. More and more security companies are releasing their open-source projects and we would like to contribute with our distributed YARA scanner.

What is YARA?
YARA is defined as “a tool aimed at (but not limited to) helping malware researchers to identify and classify malware samples”. In other words, it is a pattern-matching tool, but on steroids. It can support complex matching rules as well as searching files with specific metadata (for example, it can search all files that use a certificate containing the string “Microsoft Corporation” but is not signed by “Microsoft”).
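The certificate example above, written out as a YARA rule. This is an added example rather than a rule from the Kaspersky post; it relies on the `pe` module's signature parsing (which requires a YARA build with OpenSSL support), and the rule name is made up.

```yara
import "pe"

// Hunting heuristic: a PE file whose Authenticode signer subject names
// "Microsoft Corporation" while the issuing CA is not a Microsoft CA.
// A match is a lead for a lookalike or self-issued signer, not proof of
// tampering: confirm the chain with signtool/osslsigncode before acting.
rule Suspicious_Microsoft_Subject_NonMicrosoft_Issuer
{
    meta:
        description = "PE whose signer subject claims Microsoft Corporation but whose issuer is not Microsoft"
        author      = "added example, not part of the original post"

    condition:
        // Only PE files carry Authenticode signatures; "MZ" header check first
        uint16(0) == 0x5A4D and
        pe.number_of_signatures > 0 and
        // Iterate over every signature in the file (nested/counter-signatures
        // are listed separately), flagging the first mismatched subject/issuer pair
        for any i in (0 .. pe.number_of_signatures - 1) : (
            pe.signatures[i].subject contains "Microsoft Corporation" and
            not (pe.signatures[i].issuer contains "Microsoft")
        )
}
```

`contains` is case-sensitive; on YARA 4.1 or later `icontains` can be substituted if signers vary the casing of the organisation name.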

How can YARA help you find the next APT in your network?
YARA’s usefulness is amazing, especially given traditional protection measures are no longer enough in today’s complex threat landscape. Modern protection systems, combined with constant network monitoring and incident response have to be deployed in order to successfully protect equipment.

Protective measures that were effective yesterday don’t guarantee the same level of security tomorrow. Indicators of compromise (IoCs) can help you search for footprints of known malware or for an active infection. But serious threat actors have started to tailor their tools to fit each victim, thus making IoCs much less effective. Good YARA detection rules still allow analysts to find malware, exploits and 0-days which couldn’t be found any other way. The rules can be deployed in networks and on various multi-scanner systems.

That’s why, as part of our Threat Intelligence services, we offer a range of training courses, one of them being our world-famous YARA Training, held by our GReAT ninjas: Costin Raiu, Vitaly Kamluk and Sergey Mineev.

Finding exploits in the wild
One of the most remarkable cases in which Kaspersky Lab’s GReAT used YARA was the much publicized Silverlight 0-day. The team started hunting for it after Hacking Team, the Italian company selling “legal surveillance tools” for governments and LEAs, was hacked. One of the stories in the media attracted our researchers’ attention — according to the article, a programmer offered to sell Hacking Team a Silverlight 0-day, an exploit for an obsolete Microsoft plug-in which at one time had been installed on a huge number of computers.

GReAT decided to create a YARA rule based on this programmer’s older, publicly available proof-of-concept exploits. Our researchers found that he had a very particular style when coding the exploits, using very specific comments, shell code and function names. All of this unique information was used to write a YARA rule — the experts set it to carry out a clear task, basically saying “Go and hunt for any piece of malware that shows the characteristics described in the rule”. Eventually it caught a new sample, a 0-day, and the team immediately reported it to Microsoft.
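A rule of the kind described in the two passages above (pattern matching on distinctive strings and byte sequences, then an “N of them” condition), evaluated by a minimal YARA-like matcher. This is an added example, not Kaspersky Lab code and not the real GReAT rule: it implements only a small subset of YARA (text strings, hex strings with `??` wildcards, the `all of them` / `any of them` / `N of them` conditions), and the comment, function name, shellcode stub and sample “files” are constructed fingerprints for illustration, not real exploit artefacts.

```python
import re

# Constructed YARA-style rule in the spirit of the Silverlight hunt; the three
# strings are hypothetical author fingerprints, not the real GReAT rule.
RULE = r'''
rule Silverlight_Exploit_Style
{
    strings:
        $comment = "// clean up the stack"        // distinctive source comment
        $func    = "GetShellcodeAddress"           // distinctive function name
        $stub    = { 90 90 90 E8 ?? ?? ?? ?? }     // NOP sled + CALL rel32
    condition:
        2 of them
}
'''

# $identifier = "text"  or  $identifier = { hex bytes }; trailing // comments ignored
STRING_RE = re.compile(r'^\s*(\$\w+)\s*=\s*(?:"([^"]*)"|\{([^}]*)\})')


def parse_rule(text):
    """Return (rule name, {identifier: compiled bytes regex}, condition text)."""
    name = re.search(r'rule\s+(\w+)', text).group(1)
    body = text[text.index('{') + 1:text.rindex('}')]
    strings_part, _, condition = body.partition('condition:')
    strings_part = strings_part.partition('strings:')[2]
    patterns = {}
    for line in strings_part.splitlines():
        m = STRING_RE.match(line)
        if not m:
            continue
        ident, text_value, hex_value = m.groups()
        if text_value is not None:
            patterns[ident] = re.compile(re.escape(text_value.encode()))
        else:  # hex string: '??' matches any single byte
            parts = [b'.' if tok == '??' else re.escape(bytes([int(tok, 16)]))
                     for tok in hex_value.split()]
            patterns[ident] = re.compile(b''.join(parts), re.DOTALL)
    return name, patterns, condition.strip()


def evaluate(condition, matched, total):
    """Evaluate the small 'of them' subset of YARA's condition language."""
    cond = condition.lower()
    if cond == 'all of them':
        return matched == total
    if cond == 'any of them':
        return matched >= 1
    m = re.fullmatch(r'(\d+) of them', cond)
    if m:
        return matched >= int(m.group(1))
    raise ValueError(f'unsupported condition: {condition}')


def scan(rule_text, data):
    """Return (rule name, matched?, identifiers that hit) for one file's bytes."""
    name, patterns, condition = parse_rule(rule_text)
    hits = [ident for ident, rx in patterns.items() if rx.search(data)]
    return name, evaluate(condition, len(hits), len(patterns)), hits


def scan_collection(rule_text, collection):
    """Run the rule over a {file name: bytes} collection, as a hunting job runs
    over a sample repository; return the names of the files that match."""
    return [fn for fn, data in collection.items() if scan(rule_text, data)[1]]


# Constructed sample 'files': an old public PoC with all three traits, a new
# variant by the same author that keeps two of them, and a benign file.
SAMPLES = {
    'old_poc.dll': b'// clean up the stack\x00GetShellcodeAddress\x00'
                   b'\x90\x90\x90\xe8\x10\x00\x00\x00',
    'new_variant.dll': b'GetShellcodeAddress\x00\x90\x90\x90\xe8\x41\x42\x43\x44',
    'benign.dll': b'MZ\x90\x00 ordinary program',
}

if __name__ == '__main__':
    print(scan_collection(RULE, SAMPLES))
```

The point of the `2 of them` condition is the one the Silverlight story makes: a new sample rarely keeps every trait of the old proof-of-concept, so a rule that demands all of them misses the variant while one that demands a majority still catches it. Against a real collection the rule would of course be compiled and run by the yara tool itself rather than by this reduced matcher.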

KLara, GReAT’s distributed YARA scanner
As mentioned above, any team carrying out threat intelligence needs to have powerful tools in their arsenal in order to find the latest threats and detect attacks as soon as possible. Within our R&D department we have built a lot of tools internally, but we believe most progress is made when useful tools are shared with the community. As such, we are releasing our internal tool for running YARA rules over a large set of data (malware/virus collections).

What is KLara?
In order to hunt efficiently for malware, you need a large collection of samples to search through. Researchers usually need to fire a YARA rule over a collection/set of malicious files and then get the results back. In some cases, the rule needs adjusting. Unfortunately, scanning a large collection of files takes time. However, if a custom architecture is used instead, scanning 10TB of files can take around 30 minutes. Of course, if there are multiple YARA rules that need to be run simultaneously, it’s important the system is also distributed. And this is where KLara comes in. KLara is a distributed system written in Python, allowing researchers to scan one or more YARA rules over collections with samples, getting notifications by email and in the web interface when the scan results are ready. Systems like KLara are important when large collections of data are involved. Of course, researchers will have their own small virus collections on their computers in order to make sure their YARA rules are sound, but when searching for viruses in the wild, this task requires a lot of processing power and this can only be achieved with a cloud system.

Why is it important to have a distributed YARA scanner?
APT attacks are extremely dangerous, regardless of whether the target belongs to the public, private or government sector. In our experience, constant monitoring of logs, netflow, alerts and any suspicious files helps mitigate an attack during its reconnaissance stages. There are some projects similar to KLara that SOC teams can leverage, but most of them are private, meaning either the virus collection or the rules live somewhere in the cloud, outside the team’s direct control.

KLara, on the other hand, allows anyone running any kind of hardware to set up their own private YARA scanner, keeping TLP RED YARA rules local.

KLara under the hood
The project uses the dispatcher/worker model, with the usual architecture of one dispatcher and multiple workers. Both agents are written in Python, so they can be deployed on any platform with a compatible interpreter (Windows or UNIX). The same applies to the YARA scanner KLara invokes: it can be compiled on both platforms.

Jobs can be submitted and their status retrieved using a web-based portal, while each user has their own personal account allowing them to be part of a group, as well as share their KLara jobs with any other valid account.

Accounts have multiple properties that can be set by the administrator: what group they are part of, what scan repositories they can run their YARA rules over (based on group membership), if they can see other groups’ jobs, or the maximum number of jobs that can be submitted monthly (individual quotas).

By using the dashboard, authenticated users can submit jobs on the ‘Add a new job’ page:

And check their status on the ‘Current jobs’ page:

Once a user submits a task, they can view its status, resubmit it or delete it. One of the workers will fetch the job from the dispatcher and if it has eligible scan repositories on its file systems, will start the YARA scan. Once finished, the user is notified by email of the results.

Each job’s metadata consists of one or multiple YARA rules, the submitter’s account info and a set of scan repositories that can be selected:

On the main page, a summary is displayed:

Job status: New/Assigned/Finished/Error
Job management: Restart/Delete job
How many files have been matched
Name of the first rule in the rules set
The repository path over which YARA scanned for matches.
A more detailed status can be seen once we click on a job:

Any YARA results will be displayed at the bottom, as well as a list of matched MD5s.
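The dispatcher/worker flow, per-user quotas, group-based repository eligibility and the New/Assigned/Finished/Error job statuses described above, modelled as a small in-memory Python example. This is added illustration, not KLara’s own code: the class and method names are assumptions, the “scanner” is a plain substring check standing in for a YARA run, and the sample collections are constructed inline.

```python
from dataclasses import dataclass, field
import itertools


@dataclass
class User:
    name: str
    group: str
    monthly_quota: int   # per-user job quota set by the administrator
    submitted: int = 0


@dataclass
class Job:
    id: int
    owner: str
    rule: bytes          # YARA rule text in KLara; a raw byte pattern here
    repository: str
    status: str = 'New'  # New -> Assigned -> Finished | Error
    matches: list = field(default_factory=list)
    error: str = ''


class Dispatcher:
    def __init__(self, group_repos):
        self.group_repos = group_repos   # group -> repositories it may scan
        self.users, self.jobs = {}, {}
        self._ids = itertools.count(1)

    def submit(self, user, rule, repository):
        """'Add a new job': check the quota and repository eligibility first."""
        if user.submitted >= user.monthly_quota:
            raise PermissionError(f'{user.name}: monthly quota exhausted')
        if repository not in self.group_repos.get(user.group, ()):
            raise PermissionError(f'{user.name}: {repository} not allowed for {user.group}')
        user.submitted += 1
        self.users[user.name] = user
        job = Job(next(self._ids), user.name, rule, repository)
        self.jobs[job.id] = job
        return job.id

    def claim(self, local_repos):
        """Hand a worker the oldest New job whose repository it holds locally."""
        for job in self.jobs.values():
            if job.status == 'New' and job.repository in local_repos:
                job.status = 'Assigned'
                return job
        return None

    def report(self, job_id, matches=None, error=None):
        """Worker result; the real system e-mails the submitter at this point."""
        job = self.jobs[job_id]
        if error is not None:
            job.status, job.error = 'Error', error
        else:
            job.status, job.matches = 'Finished', list(matches)

    def visible_jobs(self, viewer, restricted_groups=()):
        """'Current jobs' page: own jobs, plus group members' jobs unless the
        group is set to hide members' jobs from each other."""
        return [j for j in self.jobs.values()
                if j.owner == viewer.name
                or (viewer.group not in restricted_groups
                    and self.users[j.owner].group == viewer.group)]


class Worker:
    def __init__(self, dispatcher, local_repos, scanner):
        self.dispatcher = dispatcher
        self.local_repos = local_repos   # repository name -> {file name: bytes}
        self.scanner = scanner           # callable(rule, files) -> matched names

    def run_once(self):
        """Fetch one job, scan, report; a failing scan becomes an Error job."""
        job = self.dispatcher.claim(self.local_repos)
        if job is None:
            return False
        try:
            hits = self.scanner(job.rule, self.local_repos[job.repository])
            self.dispatcher.report(job.id, matches=hits)
        except Exception as exc:
            self.dispatcher.report(job.id, error=str(exc))
        return True


def substring_scanner(rule, files):
    """Stand-in for running YARA: files containing the byte pattern match."""
    return [name for name, data in files.items() if rule in data]


def demo():
    """Two groups, three users, two workers with different repositories.
    The collections are constructed inline; nothing here is real malware."""
    disp = Dispatcher({'apt': {'apt_collection', 'generic'}, 'crimeware': {'generic'}})
    alice, bob = User('alice', 'apt', 2), User('bob', 'crimeware', 1)
    carol = User('carol', 'apt', 5)
    disp.submit(alice, b'GetShellcodeAddress', 'apt_collection')   # job 1
    disp.submit(bob, b'MZ', 'generic')                             # job 2
    disp.submit(carol, b'CreateRemoteThread', 'generic')           # job 3
    apt_worker = Worker(disp, {'apt_collection': {
        'a.bin': b'..GetShellcodeAddress..', 'b.bin': b'nothing here'}}, substring_scanner)
    generic_worker = Worker(disp, {'generic': {
        'c.exe': b'MZ\x90\x00', 'd.txt': b'plain text'}}, substring_scanner)
    generic_worker.run_once()   # skips job 1 (no apt_collection here), takes job 2
    apt_worker.run_once()       # takes job 1; job 3 waits for a generic worker
    return disp, alice, bob
```

Two design points carry over to any real deployment: a worker only ever claims jobs for repositories it physically holds, so a TLP RED collection never has to leave the machine it lives on, and eligibility and quota are enforced by the dispatcher at submission time rather than trusted from the client.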

Each user can have a search quota and be part of a group. Groups can choose to restrict users (preventing them from seeing what other jobs group members submit).

Finally, each user can change their email address if they want notifications to be sent to another email account.

API access
In order to facilitate automatic job submissions as well as automatic results retrieval, KLara implements a simple REST API allowing any valid account with a valid API Key to query any allowed job’s status. It allows scripts to:

Submit new tasks
Get the job results as well as job details (if it’s still scanning or assigned, finished or if there’s an unprocessed (new) job)
Get all the YARA results from a specific job.
Get all the matched MD5 hashes
More info about using the API can be found in the repository.

How can you get KLara?
The software was released on our official Kaspersky Lab GitHub account on 9 March, 2018.

We welcome anyone who wants to contribute to this project to submit pull requests. As we said before, we believe in giving back to the community the best tools we can provide in order to fight malware.

The software is open-sourced under GNU General Public License v3.0 and available with no warranty from the developers.


Boeing production plant infected with WannaCry ransomware
29.3.2018 securityaffairs
Ransomware

According to a report from the Seattle Times, the dreaded WannaCry ransomware hit a Boeing production plant in Charleston, South Carolina on Wednesday.
WannaCry is back, this time it infected some systems belonging to US aircraft manufacturer Boeing.

“All hands on deck,” reads an internal memo issued by Mike VanderWel, the chief engineer at Boeing Commercial Airplane production engineering.

“It is metastasizing rapidly out of North Charleston and I just heard 777 (automated spar assembly tools) may have gone down,”

The executive was concerned about the impact of the infection on the equipment used to test airframes after they roll off the production line.

What if the infection had spread to other systems?

VanderWel was scared by the possibility that the WannaCry ransomware could “spread to airplane software.”

This scenario is unlikely, since airplane software is no longer connected to networks that malware could reach. In the past, in-flight entertainment systems shared the same network as the systems running airplane software, which made a cyber attack conceivable.

“We’ve done a final assessment,” said Linda Mills, the head of communications for Boeing Commercial Airplanes. “The vulnerability was limited to a few machines. We deployed software patches. There was no interruption to the 777 jet program or any of our programs.”

“It took some time for us to go to our South Carolina operations, bring in our entire IT team and make sure we had the facts,” she added.

On Wednesday afternoon, Mills provided further details on the WannaCry infection that hit the Boeing production plant:
“Our cybersecurity operations center detected a limited intrusion of malware that affected a small number of systems,” she said. “Remediations were applied and this is not a production and delivery issue.”

In May 2017, WannaCry infected systems in more than 150 countries worldwide, relying on the EternalBlue Windows exploit.


WannaCry exploits a Microsoft Windows SMB vulnerability using an exploit stolen from the NSA arsenal and leaked by the Shadow Brokers hackers.

WannaCry, like other wipers and ransomware, represents a serious threat to a manufacturing environment.


New ThreadKit exploit builder used to spread banking Trojan and RATs
29.3.2018 securityaffairs
Virus

A recently discovered Microsoft Office document exploit builder kit dubbed ThreadKit has been used to spread a variety of malware, including RATs and banking Trojans.
Security experts at Proofpoint recently discovered a Microsoft Office document exploit builder kit dubbed ThreadKit that has been used to spread a variety of malware, including banking Trojans and RATs (i.e. Trickbot, Chthonic, FormBook and Loki Bot).

The exploit kit was first discovered in October 2017, but according to the experts, crooks are using it at least since June 2017.

The ThreadKit builder kit shows similarities to Microsoft Word Intruder (MWI); it was initially advertised in a forum post as a builder for weaponized decoy documents.

“In October 2017, Proofpoint researchers discovered a new Microsoft Office document exploit builder kit that featured a variety of recent exploits as well as a mechanism to report infection statistics.” reads the analysis published by ProofPoint. “While the documents produced by this kit exhibited some minor similarities to Microsoft Word Intruder (MWI), we determined that they were likely produced by a new exploit builder kit, which we started tracking as ThreadKit.”

Just after its appearance, documents created with the ThreadKit builder kit have been observed in several campaigns.

The decoy documents used in past campaigns performed an initial check-in to the command and control (C&C) server, a tactic also used by MWI.

The documents were triggering the CVE-2017-0199 vulnerability in Office to download and execute an HTA file that would then download the decoy and a malicious VB script to extract and run the embedded executable.


The last step of the infection is the execution of Smoke Loader, a small downloader used to fetch other malicious code, in these specific attacks a banking Trojan.

Starting from October 2017, researchers observed ThreadKit triggering the CVE-2017-8759 vulnerability.

“In October 2017, we started observing corresponding campaigns utilizing CVE-2017-8759. This version of ThreadKit employed a similar infection statistic initial C&C check-in and HTA to execute the embedded executable. Other changes were made to the way the exploit documents operate, in addition to integrating the new vulnerabilities.” continues the analysis.

Since November, ThreadKit has integrated an exploit for CVE-2017-11882, a 17-year-old flaw in Microsoft Office exploited by remote attackers to install malware without user interaction.

In the last weeks, the exploit kit included new exploits targeting vulnerabilities such as the CVE-2018-4878 Adobe Flash zero-day and several Microsoft office vulnerabilities (i.e. CVE-2018-0802 and CVE-2017-8570).

Proofpoint researchers observed numerous campaigns featuring ThreadKit-generated Office attachments packing exploits that were likely copied from PoC code available on a researcher’s GitHub repo.

“ThreadKit is a relatively new and popular document exploit builder kit that has been used in the wild since at least June, 2017, by a variety of actors carrying out both targeted and broad-based crimeware campaigns. This new document exploit builder kit makes the use of the latest Microsoft Office exploits accessible to even low-skilled malicious actors.” concluded Proofpoint.


Meltdown security patches issued by Microsoft exposed to severe attacks
29.3.2018 securityaffairs
Attack

A security researcher discovered that some of the Windows updates released by Microsoft to mitigate the Meltdown flaw introduce a severe bug.
Meltdown and Spectre security updates made the headlines again, according to the security researcher Ulf Frisk some of them issued for Windows introduce a severe flaw.

The Meltdown and Spectre security updates that Microsoft released in January and February for Windows 7 and Windows Server 2008 R2 introduced a vulnerability that could be exploited by attackers to easily read from and write to memory.

According to the expert, an attacker can read gigabytes of data per second by exploiting the vulnerability.

“Meet the Windows 7 Meltdown patch from January. It stopped Meltdown but opened up a vulnerability way worse … It allowed any process to read the complete memory contents at gigabytes per second, oh – it was possible to write to arbitrary memory as well.” wrote the expert.

“No fancy exploits were needed. Windows 7 already did the hard work of mapping in the required memory into every running process. Exploitation was just a matter of read and write to already mapped in-process virtual memory. No fancy APIs or syscalls required – just standard read and write! ”

In a test conducted by the expert, he successfully accessed memory at speeds of over 4 GB/s.

The researcher pointed out that an attacker doesn’t need sophisticated exploits because Windows 7 has already mapped the required memory into each active process: the page tables themselves are accessible to user-mode code in every process.

“In short – the User/Supervisor permission bit was set to User in the PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself,” the researcher added.

“The PML4 is the base of the 4-level in-memory page table hierarchy that the CPU Memory Management Unit (MMU) uses to translate the virtual addresses of a process into physical memory addresses in RAM.”

Once the attacker obtained the access to the page tables it will gain full control over the memory and its content.

“Once read/write access has been gained to the page tables it will be trivially easy to gain access to the complete physical memory, unless it is additionally protected by Extended Page Tables (EPTs) used for Virtualization. All one have to do is to write their own Page Table Entries (PTEs) into the page tables to access arbitrary physical memory,” he added.
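The arithmetic behind the quotes above, as an added worked example that is neither Frisk’s code nor part of PCILeech. A self-referencing PML4 slot makes every paging structure reachable at a fixed virtual address inside each process, so the question of who may touch the page tables reduces to the User/Supervisor bit of that one entry. The example assumes the classical fixed self-reference slot 0x1ED of Windows 7 x64 (the article does not state the index) and the standard x86-64 entry layout; the physical addresses used in the exposure check are constructed.

```python
PRESENT, WRITABLE, USER = 1 << 0, 1 << 1, 1 << 2   # x86-64 paging-entry flag bits
PHYS_MASK = 0x000F_FFFF_FFFF_F000                   # physical frame field of an entry
SELF_IDX_WIN7 = 0x1ED   # assumed: fixed self-referencing PML4 slot on Windows 7 x64


def canonical(addr):
    """Sign-extend a 48-bit virtual address to the 64-bit canonical form."""
    addr &= 0xFFFF_FFFF_FFFF
    return addr | 0xFFFF_0000_0000_0000 if addr & (1 << 47) else addr


def entry_va(self_idx, va, level):
    """Virtual address, through the self slot, of the paging entry that maps
    `va` at `level` (1 = PTE, 2 = PDE, 3 = PDPTE, 4 = PML4E)."""
    addr = 0
    for i in range(level):                 # route through the self slot `level` times
        addr |= self_idx << (39 - 9 * i)
    low_bits = 39 - 9 * (level - 1)        # remaining bits come from va's upper indices
    addr |= (va >> (9 * level)) & ((1 << low_bits) - 8)
    return canonical(addr)


def table_base(self_idx, level):
    """Start of the window holding every entry of that level (e.g. the PTE base)."""
    return entry_va(self_idx, 0, level)


def self_slot_entry_va(self_idx):
    """Where the self-referencing PML4E itself is visible in virtual memory."""
    return entry_va(self_idx, table_base(self_idx, 4), 4)


def make_pte(phys_addr, user=True):
    """A present, writable 4 KiB entry for `phys_addr`: the kind of entry an
    attacker writes into the now-writable tables to reach arbitrary physical memory."""
    if phys_addr & 0xFFF:
        raise ValueError('frame must be 4 KiB aligned')
    return (phys_addr & PHYS_MASK) | PRESENT | WRITABLE | (USER if user else 0)


def user_accessible(entry):
    return bool(entry & PRESENT) and bool(entry & USER)


def walk_user_accessible(entries):
    """The CPU grants user access only if every entry on the walk has U/S set."""
    return all(user_accessible(e) for e in entries)


def self_slot_exposure(self_entry_user):
    """Walk to a page-table page of a user-space range via the self slot. The
    three lower entries are ordinary user-range entries (User set); the only
    variable is the self slot's U/S bit. Physical addresses are constructed."""
    self_entry = make_pte(0x1AD000, user=self_entry_user)
    user_range = [make_pte(0x200000), make_pte(0x201000), make_pte(0x202000)]
    return walk_user_accessible([self_entry] + user_range)


if __name__ == '__main__':
    for level, name in enumerate(('PTE', 'PDE', 'PDPTE', 'PML4E'), start=1):
        print(f'{name} window base: {table_base(SELF_IDX_WIN7, level):#018x}')
    print('page tables user-accessible with buggy self slot:', self_slot_exposure(True))
    print('page tables user-accessible with correct self slot:', self_slot_exposure(False))
```

Because permission is the AND of the U/S bits along a walk and the self-slot entry sits at the top of every walk that lands on a paging structure, flipping that single bit to User is enough for a process to read and rewrite its own page tables with ordinary loads and stores; from there `make_pte` shows the second step, a hand-built entry pointing at any physical frame.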

Frisk added an exploit for the flaw to PCILeech, his memory-acquisition and attack toolkit.

“PCILeech uses PCIe hardware devices to read and write from the target system memory. This is achieved by using DMA over PCIe. No drivers are needed on the target system.” reads the description of the tool.

“PCILeech supports multiple memory acquisition devices. Primarily hardware based, but also dump files and software based techniques based on select security issues are supported. USB3380 based hardware is only able to read 4GB of memory natively, but is able to read all memory if a kernel module (KMD) is first inserted into the target system kernel. FPGA based hardware is able to read all memory.”

“PCILeech is capable of inserting a wide range of kernel implants into the targeted kernels – allowing for easy access to live ram and the file system via a ‘mounted drive’.”

The expert successfully tested the attack against systems running Windows 7 x64 or Windows Server 2008 R2 with the Microsoft patches from January or February installed. Windows 10 and Windows 8.1 are not affected by the issue.


Hackers took down Baltimore 911 system during the weekend
29.3.2018 securityaffairs Incident

Another US city hit by hackers, over the weekend, a cyber attack took down part of Baltimore 911 system for seventeen hours.
Part of the 911 service of the US city of Baltimore was taken down over the weekend by a cyber attack. The attackers targeted a single server and took down the CAD system from 8.30am Saturday until around 2am Sunday.

“Baltimore’s 911 dispatch system was hacked by an unknown actor or actors over the weekend, prompting a temporary shutdown of automated dispatching and an investigation into the breach, Mayor Catherine Pugh’s office confirmed Tuesday.” reported the Baltimore Sun.

“James Bentley, a spokesman for Pugh, confirmed that the Sunday morning hack affected messaging functions within the computer-aided dispatch, or CAD, system, but said the mayor would not otherwise comment on the matter Tuesday.”


The cyber attack shut down the emergency service’s Computer Aided Dispatch (CAD) system used by 911 operators. No systems beyond that one CAD server were hit, and according to media reports no data was exposed.

The function of the 911 service is essential to respond to any emergency and to direct police, fire, and ambulance to the place of an emergency.

During the attack, the 911 operators were forced to manually dispatch responders. 911 and 311 “were temporarily transitioned to manual mode.”

The attack was launched while thousands of protesters were participating in the nationwide march against gun violence.

City personnel were able to “isolate and take offline the affected server, thus mitigating the threat” of the hack, said Frank Johnson, chief information officer in the Mayor’s Office of Information Technology.

A few days ago, the networks of another major US city, Atlanta, were infected with a variant of the SamSam ransomware.


QR Code Bug in Apple iOS 11 Could Lead You to Malicious Sites
29.3.2018 thehackernews iOS

A new vulnerability has been disclosed in iOS Camera App that could be exploited to redirect users to a malicious website without their knowledge.
The vulnerability affects Apple's latest iOS 11 mobile operating system for iPhone, iPad, and iPod touch devices and resides in the built-in QR code reader.
With iOS 11, Apple introduced a new feature that gives users ability to automatically read QR codes using their iPhone's native camera app without requiring any third-party QR code reader app.
You need to open the Camera app on your iPhone or iPad and point the device at a QR code. If the code contains any URL, it will give you a notification with the link address, asking you to tap to visit it in Safari browser.
However, be careful — you may not be visiting the URL displayed to you, security researcher Roman Mueller discovered.
According to Mueller, the URL parser of built-in QR code reader for iOS camera app fails to detect the hostname in the URL, which allows attackers to manipulate the displayed URL in the notification, tricking users to visit malicious websites instead.

For the demo, the researcher created a QR code encoding the following URL:
https://xxx\@facebook.com:443@infosec.rm-it.de/
If you scan it with the iOS camera app, it will show following notification:
Open "facebook.com" in Safari
When you tap it to open the site, it will instead open:
https://infosec.rm-it.de/
I have tested the vulnerability, as shown in the screenshot above, on my iPhone X running iOS 11.2.6 and it worked.
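Why the demo URL above displays one host but opens another, as an added example that is neither Mueller’s write-up nor Apple’s code. A standards-conforming parser (Python’s urllib.parse) takes the host from after the last `@` in the authority, because everything before it is userinfo; a parser that cuts at the first `@` shows “facebook.com”. The `naive_host` function is a hypothetical reproduction of the displayed result, not Apple’s implementation.

```python
from urllib.parse import urlsplit

# The researcher's demo URL. In RFC 3986 the authority is [userinfo@]host[:port];
# a backslash and a second '@' inside the userinfo are what confuse a sloppy parser.
DEMO_URL = "https://xxx\\@facebook.com:443@infosec.rm-it.de/"


def real_host(url):
    """Host as a conforming parser sees it, i.e. the site Safari will open."""
    return urlsplit(url).hostname


def userinfo(url):
    """(username, password) carried in the authority; here '443' is a password
    masquerading as a port number, not a port."""
    parts = urlsplit(url)
    return parts.username, parts.password


def naive_host(url):
    """Hypothetical display logic that reproduces the notification text: cut the
    authority at the FIRST '@', then at the first ':'. Not Apple's code, only a
    parser that makes the same kind of mistake."""
    authority = url.split('://', 1)[1].split('/', 1)[0]
    after_at = authority.split('@', 1)[1] if '@' in authority else authority
    return after_at.split(':', 1)[0]


def preview(url):
    """What a QR scanner should show: scheme plus the real host, with a flag when
    the authority carries userinfo, which a QR-encoded link has no need for."""
    parts = urlsplit(url)
    return parts.scheme, parts.hostname, '@' in parts.netloc


def display_mismatch(url):
    """True when the naive display and the real destination disagree."""
    return naive_host(url) != real_host(url)


if __name__ == '__main__':
    print('displayed:', naive_host(DEMO_URL), '| opens:', real_host(DEMO_URL))
    print('userinfo:', userinfo(DEMO_URL), '| preview:', preview(DEMO_URL))
```

The practical rule for anyone writing a scanner or link preview follows directly: derive the displayed host from the same parse that will be used to open the link, and treat any userinfo in a scanned URL as a reason to warn rather than something to render.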
QR (Quick Response) code is a quick and convenient way to share information, but the issue becomes particularly more dangerous when users rely on QR codes for making quick payments or opening banking websites, where they might end up giving their login credentials away to phishing websites.
The researcher reported this flaw to Apple in December last year, but Apple has not fixed the bug to date.


U.S. Charges 9 Iranians With Hacking Universities to Steal Research Data
29.3.2018 thehackernews BigBrothers

The United States Department of Justice has announced criminal charges and sanctions against 9 Iranians involved in hacking universities, tech companies, and government organisations worldwide to steal scientific research resources and academic papers.
According to the FBI officials, the individuals are connected to the Mabna Institute, an Iran-based company created in 2013 whose members were allegedly hired by the Iranian government for gathering intelligence.
Though the content of the papers is not yet known, investigators believe it might have helped Iranian scientists to develop nuclear weapons.
In past four years, the state-sponsored hacking group has allegedly infiltrated more than 320 universities in 22 countries—144 of which were in the United States—and stolen over 30 terabytes of academic data and intellectual property.
The group used spear-phishing attacks against more than 100,000 e-mail accounts and computer systems of professors around the world, and had successfully compromised 7,998 of those accounts as of last December, 3,768 of them at US universities.

"Their primary goal was to obtain usernames and passwords for the accounts of professors so they could gain unauthorized access and steal whatever kind of proprietary academic information they could get their hands on," said the FBI agent who investigated the case.
According to the indictment unsealed today in a Manhattan federal court, Mabna Institute also shared stolen credentials with the Islamic Revolutionary Guard Corps (IRGC)—a branch of Iran's Armed Forces responsible for gathering intelligence.
The group then exfiltrated the academic data and sold the content via Megapaper.ir and Gigapaper.ir, Iranian websites "where customers could access the online library systems of the hacked universities."
Following are the names and roles of the nine Iranians who were charged by the U.S. federal court:
Gholamreza Rafatnejad — one of the founding members of the Mabna Institute.
Ehsan Mohammadi — another founding member of the Mabna Institute and responsible for organising hacking campaign along with Rafatnejad.
Seyed Ali Mirkarimi — a hacker and Mabna Institute contractor, who was engaged in crafting and sending malicious spear phishing emails to steal credentials belonging to university professors.
Mostafa Sadeghi — another hacker working with the Mabna Institute, who allegedly compromised more than 1,000 university professors’ accounts and exchanged their credentials with Iranian partners.
Sajjad Tahmasebi — a Mabna Institute contractor who was maintaining the list of stolen credentials and helped other hackers in reconnaissance process in order to prepare the list of targeted universities and professors to facilitate the spear phishing campaign.
Abdollah Karima — a businessman who owned and operated a website to sell stolen academic materials online.
Abuzar Gohari Moqadam — an Iranian professor who exchanged stolen credentials for compromised accounts with Mabna Institute founders.
Roozbeh Sabahi — another contractor for the Mabna Institute.
Mohammed Reza Sabahi — another Mabna Institute contractor, who assisted in making the lists of targeted university professors and academic databases.
"Although it is difficult to calculate a dollar loss amount, through the course of the conspiracy, U.S.-based universities spent approximately $3.4 billion to procure and access data that the Iranians accessed for free because of their criminal activity," FBI said.
Targeted countries include Japan, China, Australia, Canada, Denmark, Finland, Germany, Ireland, Israel, Italy, Malaysia, the Netherlands, Norway, Poland, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey, and the United Kingdom.
The US also imposes sanctions on "Game of Thrones" hacker
Besides these 9 Iranian hackers, the U.S. Department of the Treasury has also sanctioned a 10th Iranian hacker, Behzad Mesri, in connection with cyber attacks against HBO and the leaking of "Game of Thrones" episodes last summer.
According to the authorities, Mesri compromised multiple user accounts belonging to HBO in order to "repeatedly gain unauthorized access to the company’s computer servers and steal valuable stolen data including confidential and proprietary information, financial documents, and employee contact information."
Mesri then attempted to extort HBO for $6 million to delete the stolen data.


Facebook Collected Your Android Call History and SMS Data For Years
29.3.2018 thehackernews
Social

Facebook knows a lot about you, your likes and dislikes—it's no surprise.
But do you know, if you have installed Facebook Messenger app on your Android device, there are chances that the company had been collecting your contacts, SMS, and call history data at least until late last year.
A tweet from Dylan McKay, a New Zealand-based programmer, which received more than 38,000 retweets (at the time of writing), showed how he found his year-old data—including complete logs of incoming and outgoing calls and SMS messages—in an archive he downloaded (as a ZIP file) from Facebook.
Facebook was collecting this data on its users from last few years, which was even reported earlier in media, but the story did not get much attention at that time.
Since Facebook had been embroiled into controversies over its data sharing practices after the Cambridge Analytica scandal last week, tweets from McKay went viral and has now fueled the never-ending privacy debate.
A Facebook spokesperson explained, since almost all social networking sites have been designed to make it easier for users to connect with their friends and family members, Facebook also uploads its users’ contacts to offer same.
As Ars reported, in older versions of Android, where permissions were far less strict, the Facebook app was granted the contacts permission at install time, which gave the company access to call and message data automatically.
Eventually, Google changed the way Android permissions worked in version 16 of its API, making them more clear and granular by informing users whenever any app tries to execute permissions.
However, developers were able to bypass this change, and Facebook continued accessing call and SMS data until Google deprecated version 4.0 of the Android API in October last year.
You can check what data the social network has collected on you so far by going to Facebook's Settings→Download a copy of your Facebook data→Start My Archive.
If you don't want Facebook to store or continuously upload your contacts to its server, you can turn off the continuous uploading setting in the Messenger app. This change will also delete all your previously uploaded contacts.
Facebook users on Apple devices are on the safer side, as iOS has never allowed silent access to call data.


Leader of Hacking Group Who Stole $1 Billion From Banks Arrested In Spain
29.3.2018 thehackernews CyberCrime

Spanish police have arrested the alleged leader of an organised Russian cybercrime gang behind the Carbanak and Cobalt malware attacks, which have stolen over a billion euros from banks worldwide since 2013.
In a coordinated operation with law enforcement agencies across the globe, including the FBI and Europol, Police detained the suspected leader of Carbanak hacking group in Alicante, Spain.
The Carbanak hacking group started its activities almost five years ago, launching malware campaigns such as Anunak and Carbanak against banks and ATM networks and stealing millions of credit card details from US-based retailers.
According to the Europol, the group later developed a sophisticated heist-ready banking malware known as Cobalt, based on the Cobalt Strike penetration testing software, which was in use until 2016.
"The magnitude of the losses is significant: the Cobalt malware alone allowed criminals to steal up to EUR 10 million per heist," Europol said.
In order to compromise bank networks, the group sent malicious spear-phishing emails to hundreds of employees at different banks, which if opened, infected computers with Carbanak malware, allowing hackers to transfer money from the banks to fake accounts or ATMs monitored by criminals.
According to the authorities, the criminal profits were also laundered via cryptocurrencies, through prepaid cards linked to the cryptocurrency wallets, which were used to buy goods such as luxury cars and houses.
In early 2017, the gang of financially-motivated cybercriminals was found abusing various Google services to issue command and control (C&C) communications for monitoring and controlling the machines of its victims.

In separate news, Ukraine Police announced today the arrest of another member of Cobalt group in Kiev, for developing malware and selling personal data from citizens worldwide.

The suspect was working with Cobalt group since 2016 and also involved in cyber-espionage activities. He allegedly sold a variety of malicious software in underground markets that allows anyone to access and control victims' computers remotely.
"This global operation is a significant success for international police cooperation against a top-level cybercriminal organisation. The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity," said Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3).
"This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top-level cyber criminality."


Intel CPUs Vulnerable to New 'BranchScope' Attack

28.3.2018 securityweek Attack

Researchers have discovered a new side-channel attack method that can be launched against devices with Intel processors, and the patches released in response to the Spectre and Meltdown vulnerabilities might not prevent these types of attacks.

The new attack, dubbed BranchScope, has been identified and demonstrated by a team of researchers from the College of William & Mary, University of California Riverside, Carnegie Mellon University in Qatar, and Binghamton University.

Similar to Meltdown and Spectre, BranchScope can be exploited by an attacker to obtain potentially sensitive information they normally would not be able to access directly. The attacker needs to have access to the targeted system and they must be able to execute arbitrary code.

Researchers believe the requirements for such an attack are realistic, making it a serious threat to modern computers, “on par with other side-channel attacks.” The BranchScope attack has been demonstrated on devices with three types of Intel i5 and i7 CPUs based on Skylake, Haswell and Sandy Bridge microarchitectures.

Experts showed that the attack works even if the targeted application is running inside of an Intel SGX enclave. Intel SGX, or Software Guard Extensions, is a hardware-based isolated execution system designed to prevent code and data from getting leaked or modified.

BranchScope is similar to Spectre in that both target the branch prediction unit. Branch prediction units (BPUs) are used to improve the performance of pipelined processors by guessing the execution path of branch instructions. The problem is that when two processes are executed on the same physical CPU core, they share a BPU, potentially allowing a malicious process to manipulate the direction of a branch instruction executed by the targeted application.

The BPU has two main components – a branch target buffer (BTB) and a directional predictor – and manipulating either one of them can be used to obtain potentially sensitive data from the memory. Intel recently published a video providing a high level explanation of how these attacks work.

Researchers have shown on several occasions in the past how BTB manipulation can be used for attacks (Spectre Variant 2 is the best-known case); BranchScope instead manipulates the directional predictor, the component that guesses whether a conditional branch will be taken.

“BranchScope is the first fine-grained attack on the directional branch predictor, expanding our understanding of the side channel vulnerability of the branch prediction unit,” the researchers explained in their paper.

The researchers who identified the BranchScope attack method have proposed a series of countermeasures that include both software- and hardware-based solutions.

Dmitry Evtyushkin, one of the people involved in this research, told SecurityWeek that, while this has not been tested, the microcode updates released by Intel in response to Meltdown and Spectre might only address the BTB vector, which means BranchScope attacks could still be possible. However, Intel told the researchers that its software guidance for mitigating Spectre Variant 1 could be effective against BranchScope attacks as well.

“We have been working with these researchers and we have determined the method they describe is similar to previously known side channel exploits,” Intel said in an emailed statement. “We anticipate that existing software mitigations for previously known side channel exploits, such as the use of side channel resistant cryptography, will be similarly effective against the method described in this paper. We believe close partnership with the research community is one of the best ways to protect customers and their data, and we are appreciative of the work from these researchers.”
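The Spectre Variant 1 software guidance Intel refers to is largely about bounds checks that precede a memory access: the CPU may speculate past the check with an attacker-controlled index. The following is an added example, not code from the BranchScope paper or from Intel, showing the vulnerable pattern next to the index-masking mitigation from that guidance (the same construction the Linux kernel uses in array_index_nospec()). The lookup table, the "secret" placed beside it, and all function names are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the BranchScope paper or from Intel: the
 * Spectre Variant 1 pattern (bounds check bypass) next to the index-masking
 * mitigation from Intel's software guidance, the same construction the Linux
 * kernel uses in array_index_nospec(). The table and the "secret" beside it
 * are constructed for illustration. */

#define TABLE_LEN 8
static const uint8_t g_table[TABLE_LEN] = {10, 11, 12, 13, 14, 15, 16, 17};
/* Intended to sit near g_table so that an out-of-bounds g_table[idx]
 * speculatively reads it (actual placement is up to the linker). */
static const uint8_t g_secret[16] = "hypothetical-key";

/* Vulnerable: if the attacker first trains the branch with in-range indexes,
 * the predictor may guess "taken" for an out-of-range idx and the CPU reads
 * g_table[idx] (i.e. g_secret) speculatively, leaving a cache footprint before
 * the misprediction is squashed. Architecturally the function still returns 0. */
uint8_t lookup_vulnerable(size_t idx)
{
    if (idx < TABLE_LEN)
        return g_table[idx];
    return 0;
}

/* All-ones when idx < size, all-zeros otherwise, computed without a branch so
 * the result is correct even on a mispredicted path. Requires size < 2^63. */
size_t array_index_mask_nospec(size_t idx, size_t size)
{
    uint64_t m = ~((uint64_t)idx | ((uint64_t)size - 1 - (uint64_t)idx));
    return (size_t)((int64_t)m >> 63);   /* arithmetic shift of the sign bit */
}

/* Hardened: the index that reaches the load is clamped to 0 whenever it is
 * out of range, so a mispredicted branch can only read g_table[0]. Intel's
 * guidance alternatively allows an LFENCE after the comparison, at a higher
 * cost per call. */
uint8_t lookup_hardened(size_t idx)
{
    if (idx < TABLE_LEN) {
        idx &= array_index_mask_nospec(idx, TABLE_LEN);
        return g_table[idx];
    }
    return 0;
}

int main(void)
{
    size_t probes[] = {3, 7, 8, (size_t)-1};
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("idx=%zu  vulnerable=%u  hardened=%u  mask=%#zx\n",
               probes[i], lookup_vulnerable(probes[i]), lookup_hardened(probes[i]),
               array_index_mask_nospec(probes[i], TABLE_LEN));
    (void)g_secret;
    return 0;
}
```

Both functions return the same architectural results; the difference is only visible to a speculative, mispredicted execution, which is why a functional test cannot prove the mitigation and why the check has to be a branchless mask (or a fence) rather than a second `if`.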

BranchScope is not the only CPU side-channel attack method uncovered following the disclosure of Meltdown and Spectre. One of them, dubbed SgxPectre, shows how Spectre can be leveraged to defeat SGX.

Researchers have also demonstrated new variants of the Meltdown and Spectre attacks, which they have named MeltdownPrime and SpectrePrime.

*Updated with statement from Intel


The Malicious Use of Artificial Intelligence in Cybersecurity
28.3.2018 securityweek Cyber

Criminals and Nation-state Actors Will Use Machine Learning Capabilities to Increase the Speed and Accuracy of Attacks

Scientists from leading universities, including Stanford and Yale in the U.S. and Oxford and Cambridge in the UK, together with civil society organizations and a representation from the cybersecurity industry, last month published an important paper titled, The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation.

While the paper (PDF) looks at a range of potential malicious misuses of artificial intelligence (which includes and focuses on machine learning), our purpose here is to largely exclude the military and concentrate on the cybersecurity aspects. It is, however, impossible to completely exclude the potential political misuse given the interaction between political surveillance and regulatory privacy issues.

Artificial intelligence (AI) is the use of computers to perform the analytical functions normally only available to humans – but at machine speed. ‘Machine speed’ is described by Corvil’s David Murray as, “millions of instructions and calculations across multiple software programs, in 20 microseconds or even faster.” AI simply makes the unrealistic, real.

The problem discussed in the paper is that this function has no ethical bias. It can be used as easily for malicious purposes as it can for beneficial purposes. AI is largely dual-purpose; and the basic threat is that zero-day malware will appear more frequently and be targeted more precisely, while existing defenses are neutralized – all because of AI systems in the hands of malicious actors.

Current Machine Learning and Endpoint Protection
Today, the most common use of the machine learning (ML) type of AI is found in next-gen endpoint protection systems; that is, the latest anti-malware software. It is called 'machine learning' because the AI algorithms within the system 'learn' from many millions (and growing) of samples and behavioral patterns of real malware.

Detection of a new pattern can be compared with known bad patterns to generate a probability level for potential maliciousness at a speed and accuracy not possible for human analysts within any meaningful timeframe.

It works – but with two provisos: it depends upon the quality of the ‘learning’ algorithm, and the integrity of the data set from which it learns.

Potential abuse can come in both areas: manipulation or even alteration of the algorithm; and poisoning the data set from which the machine learns.

The report warns, “It has been shown time and again that ML algorithms also have vulnerabilities. These include ML-specific vulnerabilities, such as inducing misclassification via adversarial examples or via poisoning the training data… ML algorithms also remain open to traditional vulnerabilities, such as memory overflow. There is currently a great deal of interest among cyber-security researchers in understanding the security of ML systems, though at present there seem to be more questions than answers.”

The danger is that while these threats to ML already exist, criminals and nation-state actors will begin to use their own ML capabilities to increase the speed and accuracy of attacks against ML defenses.

On data set poisoning, Andy Patel, security advisor at F-Secure, warns, “Diagnosing that a model has been incorrectly trained and is exhibiting bias or performing incorrect classification can be difficult.” The problem is that even the scientists who develop the AI algorithms don’t necessarily understand how they work in the field.

He also notes that malicious actors aren’t waiting for their own ML to do this. “Automated content generation can be used to poison data sets. This is already happening, but the techniques to generate the content don't necessarily use machine learning. For instance, in 2017, millions of auto-generated comments regarding net neutrality were submitted to the FCC.”

The basic conflict between attackers and defenders will not change with machine learning – each side seeks to stay ahead of the other; and each side briefly succeeds. “We need to recognize that new defenses that utilize technology such as AI may be most effective when initially released before bad actors are building countermeasures and evasion tactics intended to circumvent them,” comments Steve Grobman, CTO at McAfee.

Put simply, the cybersecurity industry is aware of the potential malicious use of AI, and is already considering how best to react to it. “Security companies are in a three-way race between themselves and these actors, to innovate and stay ahead, and up until now have been fairly successful,” observes Hal Lonas, CTO at Webroot. “Just as biological infections evolve to more resistant strains when antibiotics are used against them, so we will see malware attacks change as AI defense tactics are used over time.”

Hyrum Anderson, one of the authors of the report, and technical director of data science at Endgame, accepts the industry understands ML can be abused or evaded, but not necessarily the methods that could be employed. “Probably fewer data scientists in infosec are thinking how products might be misused,” he told SecurityWeek; “for example, exploiting a hallucinating model to overwhelm a security analyst with false positives, or a similar attack to make AI-based prevention DoS the system.”

Indeed, even this report failed to mention one type of attack (although there will undoubtedly be others). "The report doesn't address the dangerous implications of machine learning based de-anonymization attacks," explains Joshua Saxe, chief data scientist at Sophos. Data anonymization is a key requirement of many regulations; ML-based de-anonymization could make re-identifying individuals from anonymized data sets fast and cheap.

Anderson describes three guidelines that Endgame uses to protect the integrity and secure use of its own ML algorithms. The first is to understand and appropriately limit the AI interaction with the system or endpoint. The second is to understand and limit the data ingestion; for example, anomaly detection that ingests all events everywhere versus anomaly detection that ingests only a subset of ‘security-interesting’ events. In order to protect the integrity of the data set, he suggests, “Trust but verify data providers, such as the malware feeds used for training next generation anti-virus.”

The third: “After a model is built, and before and after deployment, proactively probe it for blind spots. There are fancy ways to do this (including my own research), but at a minimum, doing this manually is still a really good idea.”

Identity
A second area of potential malicious use of AI revolves around 'identity'. AI's ability to both recognize and generate manufactured images is advancing rapidly. This can have both positive and negative effects. Facial recognition for the detection of criminal acts and terrorists would generally be considered beneficial – but it can go too far.

“Note, for example,” comments Sophos’ Saxe, “the recent episode in which Stanford researchers released a controversial algorithm that could be used to tell if someone is gay or straight, with high accuracy, based on their social media profile photos.”

"The accuracy of the algorithm," states the research paper, "increased to 91% [for men] and 83% [for women], respectively, given five facial images per person." Human judges achieved much lower accuracy: 61% for men and 54% for women. The result is typical: AI can outperform human judgment at a scale that cannot be contemplated manually.

“Critics pointed out that this research could empower authoritarian regimes to oppress homosexuals,” adds Saxe, “but these critiques were not heard prior to the release of the research.”

This example of the potential misuse of AI in certain circumstances touches on one of the primary themes of the paper: the dual-use nature of, and the role of ‘ethics’ in, the development of artificial intelligence. We look at ethics in more detail below.

A more positive use of AI-based recognition can be found in recent advances in speech recognition and language comprehension. These advances could be used for better biometric authentication – were it not for the dual-use nature of AI. Along with facial and speech recognition there has been a rapid advance in the generation of synthetic images, text, and audio; which, says the report, “could be used to impersonate others online, or to sway public opinion by distributing AI-generated content through social media channels.”

[Figure: synthetic image generation in 2014 and 2017]

For authentication, Webroot’s Lonas believes we will need to adapt our current authentication approach. “As the lines between machines and humans become less discernible, we will see a shift in what we currently see in authentication systems, for instance logging in to a computer or system. Today, authentication is used to differentiate between various humans and prevent impersonation of one person by another. In the future, we will also need to differentiate between humans and machines, as the latter, with help from AI, are able to mimic humans with ever greater fidelity.”

The future potential for AI-generated fake news is a completely different problem, but one that has the potential to make Russian interference in the 2016 presidential election somewhat pedestrian.

Just last month, the U.S. indicted thirteen Russians and three companies “for committing federal crimes while seeking to interfere in the United States political system.” A campaign allegedly involving hundreds of people working in shifts and with a budget of millions of dollars spread misinformation and propaganda through social networks. Such campaigns could increase in scope with fewer people and far less cost with the use of AI.

In short, AI could be used to make fake news more common and more realistic; or make targeted spear-phishing more compelling at the scale of current mass phishing through the misuse or abuse of identity. This will affect both business cybersecurity (business email compromise, BEC, could become even more effective than it already is), and national security.

The Ethical Problem
The increasing use of AI in cyber will inevitably draw governments into the equation. They will be concerned about more efficient cyber attacks against critical infrastructure, but will also become embroiled in civil society concerns over their own use of AI in mass surveillance. Since machine learning algorithms become more efficient with the size of the data set from which they learn, the 'own it all' mentality exposed by Edward Snowden will become increasingly compelling to law enforcement and intelligence agencies.

The result is that governments will be drawn into the ethical debate about AI and the algorithms it uses. In fact, this process has already started, with the UK’s financial regulator warning that it will be monitoring the use of AI in financial trading.

Governments seek to assure people that their own use of citizens' big data will be ethical (relying on judicial oversight, court orders, minimal intrusion, and so on). They will also seek to reassure people that business makes ethical use of artificial intelligence – GDPR has already made a start by placing controls over automated user profiling.

While governments often like the idea of 'self-regulation' (it absolves them from appearing to be over-prescriptive), ethics in research is rarely adequately covered by scientists themselves. The report states the problem: "Appropriate responses to these issues may be hampered by two self-reinforcing factors: first, a lack of deep technical understanding on the part of policymakers, potentially leading to poorly-designed or ill-informed regulatory, legislative, or other policy responses; second, reluctance on the part of technical researchers to engage with these topics, out of concern that association with malicious use would tarnish the reputation of the field and perhaps lead to reduced funding or premature regulation."

There is a widespread belief among technologists that politicians simply don’t understand technology. Chris Roberts, chief security architect at Acalvio, is an example. “God help us if policy makers get involved,” he told SecurityWeek. “Having just read the last thing they dabbled in, I’m dreading what they’d come up with, and would assume it’ll be too late, too wordy, too much crap and red tape. They’re basically five years behind the curve.”

The private sector is little better. Businesses are duty bound, in a capitalist society, to maximize profits for their shareholders. New ideas are frequently rushed to market with little thought for security; and new algorithms will probably be treated likewise.

Oliver Tavakoli, CTO at Vectra, believes that the security industry is obligated to help. “We must adopt defensive methodologies which are far more flexible and resilient rather than fixed and (supposedly) impermeable,” he told SecurityWeek. “This is particularly difficult for legacy security vendors who are more apt to layer on a bit of AI to their existing workflow rather than rethinking everything they do in light of the possibilities that AI brings to the table.”

“The security industry has the opportunity to show leadership with AI and focus on what will really make a difference for customers and organizations currently being pummeled by cyberattacks,” agrees Vikram Kapoor, co-founder and CTO at Lacework. His view is that there are many areas where the advantages of AI will outweigh the potential threats.

“For example,” he continued, “auditing the configuration of your system daily for security best practices should be automated – AI can help. Continuously checking for any anomalies in your cloud should be automated – AI can help there too.”

It would probably be wrong, however, to demand that researchers limit their research: it is the research that is important rather than ethical consideration of potential subsequent use or misuse of the research. The example of Stanford’s sexual orientation algorithm is a case in point.

Google mathematician Thomas Dullien (aka Halvar Flake on Twitter) puts a common researcher view. Commenting on the report, he tweeted, “Dual-use-ness of research cannot be established a-priori; as a researcher, one usually has only the choice to work on ‘useful’ and ‘useless’ things.” In other words, you cannot – or at least should not – restrict research through imposed policy because at this stage, its value (or lack of it) is unknown.

McAfee’s Grobman believes that concentrating on the ethics of AI research is the wrong focus for defending against AI. “We need to place greater emphasis on understanding the ability for bad actors to use AI,” he told SecurityWeek; “as opposed to attempting to limit progress in the field in order to prevent it.”

Summary
The Malicious Use of Artificial Intelligence: Forecasting, Prevention, and Mitigation makes four high-level recommendations “to better forecast, prevent, and mitigate” the evolving threats from unconstrained artificial intelligence. They are: greater collaboration between policymakers and researchers (that is, government and industry); the adoption of ethical best practices by AI researchers; a methodology for handling dual-use concerns; and an expansion of the stakeholders and domain experts involved in discussing the issues.

Although the detail of the report makes many more finely-grained comments, these high-level recommendations indicate there is no immediately obvious solution to the threat posed by AI in the hands of cybercriminals and nation-state actors.

Indeed, it could be argued that there is no solution. Just as there is no solution to the criminal use of encryption – merely mitigation – perhaps there is no solution to the criminal use of AI – just mitigation. If this is true, defense against the criminal use of AI will be down to the very security vendors that have proliferated the use of AI in their own products.

It is possible, however, that the whole threat of unbridled artificial intelligence in the cyber world is being over-hyped.

F-Secure’s Patel comments, “Social engineering and disinformation campaigns will become easier with the ability to generate ‘fake’ content (text, voice, and video). There are plenty of people on the Internet who can very quickly figure out whether an image has been photoshopped, and I’d expect that, for now, it might be fairly easy to determine whether something was automatically generated or altered by a machine learning algorithm.

“In the future,” he added, “if it becomes impossible to determine if a piece of content was generated by ML, researchers will need to look at metadata surrounding the content to determine its validity (for instance, timestamps, IP addresses, etc.).”

In short, Patel’s suggestion is that AI will simply scale, in quality and quantity, the same threats that are faced today. But AI can also scale and improve the current defenses against those threats.

“The fear is that super powerful machine-learning-based fuzzers will allow adversaries to easily and quickly find countless zero-day vulnerabilities. Remember, though, that these fuzzers will also be in the hands of the white hats… In the end, things will probably look the same as they do now.”


Microsoft Patches for Meltdown Introduced Severe Flaw: Researcher
28.3.2018 securityweek
Vulnerability

Some of the Windows updates released by Microsoft to mitigate the Meltdown vulnerability introduce an even more severe security hole, a researcher has warned.

Microsoft has released patches for the Meltdown and Spectre vulnerabilities every month since their disclosure in January. While at this point the updates should prevent these attacks, a researcher claims some of the fixes create a bigger problem.

According to Ulf Frisk, the updates released by Microsoft in January and February for Windows 7 and Windows Server 2008 R2 patch Meltdown, but they allow an attacker to easily read from and write to memory.

He noted that while Meltdown allows an attacker to read megabytes of data per second, the new vulnerability can be exploited to read gigabytes of data per second – in one of the tests he conducted, the expert accessed memory at over 4 GB/s. Moreover, the flaw also makes it possible to write to memory.

Frisk says exploitation does not require any sophisticated exploit – ordinary read and write instructions will get the job done – because the patched Windows 7 kernel has already mapped the page tables into the address space of every active process.

“In short - the User/Supervisor permission bit was set to User in the PML4 self-referencing entry. This made the page tables available to user mode code in every process. The page tables should normally only be accessible by the kernel itself,” the researcher explained. “The PML4 is the base of the 4-level in-memory page table hierarchy that the CPU Memory Management Unit (MMU) uses to translate the virtual addresses of a process into physical memory addresses in RAM.”

"Once read/write access has been gained to the page tables it will be trivially easy to gain access to the complete physical memory, unless it is additionally protected by Extended Page Tables (EPTs) used for Virtualization. All one has to do is to write their own Page Table Entries (PTEs) into the page tables to access arbitrary physical memory," he said.
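What Frisk describes is a single bit in one entry of the PML4. As an added example (not Frisk's code, and not derived from a real Windows 7 memory dump), the program below decodes x86-64 page-table entries, locates the PML4 entry that points back at the PML4 itself, and reports whether that entry carries User/Supervisor = User, the state that hands the page tables to every process. The PML4 index 0x1ED is the fixed self-map index used by Windows 7; the physical address 0x187000 and the entry values are constructed sample data.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not Frisk's code): decode x86-64 4-level page-table entries
 * and flag the condition described above, a PML4 self-reference entry whose
 * User/Supervisor bit allows user-mode access. All entry values are constructed
 * for illustration; the self-reference index 0x1ED is the fixed one Windows 7
 * uses, the physical address 0x187000 is an arbitrary sample value. */

#define PTE_P          (1ULL << 0)   /* present */
#define PTE_RW         (1ULL << 1)   /* writable */
#define PTE_US         (1ULL << 2)   /* 1 = accessible from user mode */
#define PTE_NX         (1ULL << 63)  /* no-execute */
#define PTE_ADDR_MASK  0x000FFFFFFFFFF000ULL  /* bits 12..51: physical frame */
#define PML4_ENTRIES   512

struct pte_info {
    bool present, writable, user, nx;
    uint64_t phys;   /* physical address of the next-level table or page */
};

struct pte_info decode_pte(uint64_t e)
{
    struct pte_info i;
    i.present  = (e & PTE_P) != 0;
    i.writable = (e & PTE_RW) != 0;
    i.user     = (e & PTE_US) != 0;
    i.nx       = (e & PTE_NX) != 0;
    i.phys     = e & PTE_ADDR_MASK;
    return i;
}

/* Index of the PML4 entry that points back at the PML4 itself, or -1.
 * pml4_phys is the table's physical address (CR3 with the low 12 bits cleared). */
int find_self_ref(const uint64_t *pml4, uint64_t pml4_phys)
{
    for (int idx = 0; idx < PML4_ENTRIES; idx++) {
        struct pte_info i = decode_pte(pml4[idx]);
        if (i.present && i.phys == pml4_phys)
            return idx;
    }
    return -1;
}

/* True when the self-reference entry carries U/S = User. Because that entry
 * is walked at every level of the self-map, the page tables of the process
 * then become readable (and, with R/W set, writable) from user mode. */
bool self_ref_user_accessible(const uint64_t *pml4, uint64_t pml4_phys)
{
    int idx = find_self_ref(pml4, pml4_phys);
    return idx >= 0 && decode_pte(pml4[idx]).user;
}

/* Canonical virtual address at which the PML4 page appears through a
 * self-reference entry at index idx: the same index at all four levels. */
uint64_t self_map_pml4_va(unsigned idx)
{
    uint64_t va = ((uint64_t)idx << 39) | ((uint64_t)idx << 30) |
                  ((uint64_t)idx << 21) | ((uint64_t)idx << 12);
    if (va & (1ULL << 47))
        va |= 0xFFFF000000000000ULL;   /* sign-extend bit 47 */
    return va;
}

/* Constructed sample PML4: one self-reference entry, built with or without
 * the User bit so the patched and flawed states can be compared. */
bool sample_pml4_is_flawed(bool user_bit)
{
    static uint64_t pml4[PML4_ENTRIES];
    const uint64_t pml4_phys = 0x187000ULL;   /* sample value, not from a dump */
    for (int i = 0; i < PML4_ENTRIES; i++)
        pml4[i] = 0;
    pml4[0x1ED] = pml4_phys | PTE_P | PTE_RW | PTE_NX | (user_bit ? PTE_US : 0);
    return self_ref_user_accessible(pml4, pml4_phys);
}

int main(void)
{
    printf("PML4 self-map VA for index 0x1ED:   0x%016llx\n",
           (unsigned long long)self_map_pml4_va(0x1ED));
    printf("self-ref entry with U/S=User:       %s\n",
           sample_pml4_is_flawed(true) ? "FLAWED (page tables user-accessible)" : "ok");
    printf("self-ref entry with U/S=Supervisor: %s\n",
           sample_pml4_is_flawed(false) ? "FLAWED" : "ok (kernel-only)");
    return 0;
}
```

On a live system the 512 PML4 entries would come from a physical-memory read at CR3 (for example via the DMA tooling Frisk mentions); the self-map address 0xFFFFF6FB7DBED000 that the helper computes for index 0x1ED is where Windows 7 exposes its own PML4, and it is the U/S bit of exactly that entry which the January and February updates set incorrectly.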

The researcher says anyone can reproduce the vulnerability using a direct memory access (DMA) attack tool he developed a few years ago. The attack works against devices running Windows 7 x64 or Windows Server 2008 R2 with the Microsoft patches from January or February installed. The issue did not exist before January and it appears to have been addressed by Microsoft with the March updates. Windows 10 and Windows 8.1 are not affected, Frisk said.

SecurityWeek has reached out to Microsoft for comment and will update this article if the company responds.

Frisk previously discovered a macOS vulnerability that could have been exploited to obtain FileVault passwords, and demonstrated some UEFI attacks.


Kaspersky Open Sources Internal Distributed YARA Scanner
28.3.2018 securityweek Security

Kaspersky Lab has released the source code of an internally-developed distributed YARA scanner as a way of giving back to the infosec community.

Originally developed by VirusTotal software engineer Victor Alvarez, YARA is a tool that allows researchers to analyze and detect malware by creating rules that describe threats based on textual or binary patterns.

Kaspersky Lab has developed its own version of the YARA tool. Named KLara, the Python-based application relies on a distributed architecture to allow researchers to quickly scan large collections of malware samples.

Looking for potential threats in the wild requires a significant amount of resources, which can be provided by cloud systems. Using a distributed architecture, KLara allows researchers to efficiently scan one or more YARA rules over large data collections – Kaspersky says it can scan 10 TB of files in roughly 30 minutes.

“The project uses the dispatcher/worker model, with the usual architecture of one dispatcher and multiple workers. Worker and dispatcher agents are written in Python. Because the worker agents are written in Python, they can be deployed in any compatible ecosystem (Windows or UNIX). The same logic applies to the YARA scanner (used by KLara): it can be compiled on both platforms,” Kaspersky explained.

KLara provides a web-based interface where users can submit jobs, check their status, and view results. Results can also be sent to a specified email address.

The tool also provides an API that can be used to submit new jobs, get job results and details, and retrieve the matched MD5 hashes.

Kaspersky Lab has relied on YARA in many of its investigations, but one of the most notable cases involved the 2015 Hacking Team breach. The security firm wrote a YARA rule based on information from the leaked Hacking Team files, and several months later it led to the discovery of a Silverlight zero-day vulnerability.

The KLara source code is available on GitHub under a GNU General Public License v3.0. Kaspersky says it welcomes contributions to the project.

This is not the first time Kaspersky has made available the source code of one of its internal tools. Last year, it released the source code of Bitscout, a compact and customizable tool designed for remote digital forensics operations.


Facebook Announces New Steps to Protect Users' Privacy
28.3.2018 securityweek
Social

Facebook Revamps Privacy Settings Amid Data Breach Outcry

Facebook on Wednesday unveiled new privacy settings aiming to give its users more control over how their data is shared, following an outcry over hijacking of personal information at the giant social network.

The updates include easier access to Facebook's user settings and tools to easily search for, download and delete personal data stored by Facebook.

Facebook said a new privacy shortcuts menu will allow users to quickly increase account security, manage who can see their information and activity on the site and control advertisements they see.

"We've heard loud and clear that privacy settings and other important tools are too hard to find and that we must do more to keep people informed," chief privacy officer Erin Egan and deputy general counsel Ashlie Beringer said in a blog post.

"We're taking additional steps in the coming weeks to put people more in control of their privacy."

The new features follow fierce criticism after it was revealed millions of Facebook users' personal data was harvested by a British firm linked to Donald Trump's 2016 presidential campaign -- although Facebook said the changes have been "in the works for some time."

Earlier this month, whistleblower Christopher Wylie revealed political consulting company Cambridge Analytica obtained profiles on 50 million Facebook users via an academic researcher's personality prediction app.

The app was downloaded by 270,000 people, but also scooped up their friends' data without consent -- as was possible under Facebook's rules at the time.

Egan and Beringer also announced updates to Facebook's terms of service and data policy to improve transparency about how the site collects and uses data.

Deepening tech crisis

Facebook's move comes as authorities around the globe investigate how Facebook handles and shares private data, and with its shares having tumbled more than 15 percent, wiping out tens of billions in market value.

The crisis also threatens the Silicon Valley tech industry whose business model revolves around data collected on internet users.

On Tuesday, tech shares led a broad slump on Wall Street, with an index of key tech stocks losing nearly six percent.

The US Federal Trade Commission this week said it had launched a probe into whether the social network violated consumer protection laws or a 2011 court-approved agreement on protecting private user data.

US lawmakers were seeking to haul Facebook CEO Mark Zuckerberg to Washington to testify on the matter.

Authorities in Britain have seized data from Cambridge Analytica in their investigation, and EU officials have warned of consequences for Facebook.

Facebook has apologized for the misappropriation of data and vowed to fix the problem. Facebook took out full-page ads in nine major British and US newspapers on Sunday to apologize to users.

"We have a responsibility to protect your information. If we can't we don't deserve it," Zuckerberg said in the ads.


Critical Flaws Found in Siemens Telecontrol, Building Automation Products
28.3.2018 securityweek
Vulnerability

Siemens informed customers this week that critical vulnerabilities have been found in some of its telecontrol and building automation products, and revealed that some SIMATIC systems are affected by a high severity flaw.

One advisory published by the company describes several critical and high severity flaws affecting Siveillance and Desigo building automation products. The security holes exist due to the use of a vulnerable version of a Gemalto license management system (LMS).

The bugs affect Gemalto Sentinel LDK and they can be exploited for remote code execution and denial-of-service (DoS) attacks.

The vulnerabilities were discovered by researchers at Kaspersky Lab and disclosed in January. The security firm warned at the time that millions of industrial and corporate systems may be exposed to remote attacks due to their use of the vulnerable Gemalto product.

Siemens warned at the time that more than a dozen versions of the SIMATIC WinCC Add-On were affected. The company has now informed customers that some of its building automation products are impacted as well, including Siveillance Identity and SiteIQ Analytics, and Desigo XWP, CC, ABT, Configuration Manager, and Annual Shading.

The German industrial giant has advised customers to update the LMS to version 2.1 SP4 (2.1.681) or newer in order to address the vulnerabilities.

A separate advisory published by Siemens this week informs customers of a critical vulnerability affecting TIM 1531 IRC, a communication module launched by the company nearly a year ago. The module connects remote stations based on SIMATIC controllers to a telecontrol control center through the Sinaut ST7 protocol.

“A remote attacker with network access to port 80/tcp or port 443/tcp could perform administrative operations on the device without prior authentication. Successful exploitation could allow to cause a denial-of-service, or read and manipulate data as well as configuration settings of the affected device,” Siemens explained.

The company said there had been no evidence of exploitation when it published its advisory on Tuesday.

A third advisory published by Siemens this week describes a high severity flaw discovered by external researchers in SIMATIC PCS 7, SIMATIC WinCC, SIMATIC WinCC Runtime Professional, and SIMATIC NET PC products.

The vulnerability allows an attacker to cause a DoS condition on the impacted products by sending specially crafted messages to their RPC service. Patches or mitigations have been made available by Siemens for each of the affected systems.


jRAT Leverages Crypter Service to Stay Undetected
28.3.2018 securityweek
Virus

In recently observed attacks, the jRAT backdoor was using crypter services hosted on the dark web to evade detection, Trustwave security researchers have discovered.

Also known as Adwind, AlienSpy, Frutas, Unrecom, and Sockrat, the jRAT malware is a Java-based (and therefore cross-platform) Remote Access Trojan (RAT) discovered several years ago that infected nearly half a million users between 2013 and 2016. The threat has been hitting organizations all around the world and was recently spotted as part of an ongoing campaign.

jRAT gives its operators complete remote control of the infected system. With the help of this backdoor, attackers can capture keystrokes, exfiltrate credentials, take screenshots, and access the computer's webcam, in addition to executing binaries on the victim's system.

“It is highly configurable to whatever the attacker's motive may be. jRAT has been commercially available to the public as a RAT-as-a-service business model for as little as $20 for a one-month use,” Trustwave notes.

Starting early this year, Trustwave security researchers observed a spike in spam messages delivering the malware and also noticed that security reports tend to misclassify the Java-based RAT due to the use of said crypter service.

The malware was being distributed through malicious emails carrying either an attachment or a link. The emails would pose as invoices, quotation requests, remittance notices, shipment notifications, and payment notices.

The recently analyzed samples, the researchers say, revealed that the same tool or service was used to obfuscate all of them. Furthermore, all of them attempted to download a JAR file from a Tor domain that turned out to be a service hosted by QUAverse.

QUAverse (QUA) is linked to QRAT, a RAT-as-a-service platform developed in 2015 which is seen as one of jRAT's competitors. The presence of these artifacts could set investigators on the wrong path, but the de-obfuscated and decrypted samples were found to be indeed jRAT samples.

What Trustwave discovered was that jRAT uses a service from QUAverse called Qrypter. This is a Crypter-as-a-Service platform that makes Java JAR applications fully undetectable by morphing variants of the same file. For a certain fee, the service morphs a client's JAR file periodically to avoid being detected by antivirus products.

“We believe that the service monitors multiple AV products pro-actively and once it determines that the malware variant is being detected, it then re-encrypts the file thus producing a new mutant variant that is undetectable for a certain time period,” Trustwave notes.

When executed, jRAT downloads a new, undetectable copy of itself from the service and drops it on the infected machine's %temp% directory. The malware then executes and installs the newly crypted jar file.

By using the Qrypter service, the backdoor leverages a third-party crypter feature that should allow it to become fully undetectable, the security researchers point out.

“While jRAT actors have been actively spamming malicious JAR files for several months, one of the hurdles in infecting their target is how easily they are being detected. Perhaps using the Qrypter service makes it easier for them to evade email gateways and antivirus engines,” Trustwave notes.


Pink-haired Whistleblower at Heart of Facebook Scandal
28.3.2018 securityweek
Social

Instantly recognizable with his pink hair and nose ring, Christopher Wylie claims to have helped create data analysis company Cambridge Analytica before turning whistleblower and becoming "the face" of the crisis engulfing Facebook.

Carole Cadwalladr, the Guardian journalist who worked with Wylie for a year on the story, described him as "clever, funny, bitchy, profound, intellectually ravenous, compelling. A master storyteller. A politicker. A data science nerd."

The bespectacled 28-year-old describes himself as "the gay Canadian vegan who somehow ended up creating Steve Bannon's psychological warfare tool," referring to Trump's former adviser, whom the report said had deep links with Cambridge Analytica (CA).

With Wylie's help, Cadwalladr revealed how CA scooped up data from millions of Facebook users in the US.

They then used the information to build political and psychological profiles, in order to create targeted messages for voters.

Facebook insists it did not know the data taken from its site were being used, but the revelations have raised urgent questions over how data of 50 million users ended up in CA's hands.

Shares of the tech giant have since tumbled, with $70 billion (56 billion euros) wiped off in 10 days.

- 'Walter Mitty' -

Wylie studied law and then fashion, before entering the British political sphere when he landed a job working for the Liberal Democrats.

Former Lib Dem colleague Ben Rathe had a less complimentary description of Wylie, tweeting that he "thinks he's Edward Snowden, when he's actually Walter Mitty" -- a reference to a fictional character with a vivid fantasy life.

Wylie became a research director for Strategic Communication Laboratories (SCL), the parent company of CA, in 2014.

"I helped create that company," he said of CA in an interview with several European newspapers.

"I got caught up in my own curiosity, in the work I was doing. It's not an excuse, but I found myself doing the research work I wanted to do, with a budget of several million, it was really very tempting," he told French daily Liberation.

Initially, he enjoyed the globetrotting lifestyle, meeting with ministers from around the world.

But the job took a dark turn when he discovered that his predecessor had died in a Kenyan hotel. He believes the victim paid the price when a "deal went sour".

"People suspected poisoning," he told a British parliamentary committee investigating "fake news" on Tuesday.

- 'Repair Facebook!' -

His appearance before MPs saw him swap his usual loud T-shirts for a sober suit and tie, producing hours of testimony against the firm that he left in 2014.

He said he eventually decided to speak out after US President Donald Trump's shock election victory, which he partly attributed to the misuse of personal data for political purposes.

Cambridge Analytica vigorously denies the charges levelled against it, saying that Wylie was merely "a part-time employee who left his position in July 2014" and had no direct knowledge of how the firm had operated since.

Wylie urged British MPs to dig deeper into the story, insisting that his concern was not political and was focussed on abuses in the democratic process -- including during the Brexit referendum campaign.

"I supported Leave, despite having pink hair and my nose ring," he said.

He claimed that various pro-Brexit organisations worked together to get around campaign finance rules, using the services of Aggregate IQ, a Canadian company linked to the SCL group.

Wylie believes that it is "very reasonable" to say that CA's activities may have swung the Brexit vote, although he stressed he was not anti-Facebook, anti-social media or anti-data.

"I don't say 'delete Facebook', but 'repair Facebook'," he told the European newspapers.

However, he admitted to MPs that he had "become the face" of the scandal.


Mozilla Isolates Facebook with New Firefox Extension
28.3.2018 securityweek
Social

Mozilla today unveiled the "Facebook Container Extension", a new browser extension designed to help Firefox users reduce the ability of Facebook to track their activity across other web sites.

The new extension, Mozilla says, will help users gain more control over their data on the social platform by isolating their identity into a separate container. Because of that, Facebook would find it more difficult to track users’ activity on other websites via third-party cookies.

The Facebook Container Add-On was launched in the light of news that Facebook at one point allowed applications to harvest large amounts of data on users and their friends and follows Mozilla’s announcement that it has paused Facebook advertising until the social network improves the privacy of its users.

The privacy scandal started with reports that Cambridge Analytica, the data analysis firm hired by Donald Trump's 2016 presidential campaign, harvested 50 million Facebook users’ profiles without their permission.

The social network has been under heavy fire since last week, when the news broke, despite suspending the firm’s account. Many are losing trust in the platform and the use of Facebook data to target voters triggered global outrage.

This is what led Mozilla last week to pause Facebook advertising, despite Mark Zuckerberg’s assurance that steps will be taken to ensure that a situation like the Cambridge Analytica one won’t happen again.

“Facebook knows a great deal about their two billion users — perhaps more intimate information than any other company does. They know everything we click and like on their site, and know who our closest friends and relationships are,” Mozilla said last week.

Now, the browser maker says that users can enjoy both their time on Facebook and navigating on other websites they like. For that to happen, users should have tools that limit the data that others can collect on them, Mozilla included. Because of that, the browser won’t collect data from the use of the Facebook Container extension, except for information on how many times the extension is installed or removed.

The new extension, Mozilla claims, should provide users with the means to protect themselves from any side effects of usage.

“The type of data in the recent Cambridge Analytica incident would not have been prevented by Facebook Container. But troves of data are being collected on your behavior on the internet, and so giving users a choice to limit what they share in a way that is under their control is important,” the browser maker notes.

When installed, the extension deletes the user’s Facebook cookies and logs them out of the social platform. The next time they visit Facebook, the website will open in a new blue-colored browser tab (a container tab).

Users will be able to log into Facebook and use it like they would normally do. When clicking on a non-Facebook link or navigating to a non-Facebook website in the URL bar, those pages load outside of the container.

When clicking on Facebook Share buttons on other browser tabs, the extension loads them within the Facebook container. However, when the buttons are clicked, Facebook receives information on the website that the user shared from.

“If you use your Facebook credentials to create an account or log in using your Facebook credentials, it may not work properly and you may not be able to login. Also, because you’re logged into Facebook in the container tab, embedded Facebook comments and Like buttons in tabs outside the Facebook container tab will not work,” Mozilla explains.

Because of that, Facebook can’t associate information about the activity of the user on websites outside of the platform to their Facebook identity. Thus, the social network won’t be able to use the activity collected off Facebook to send ads and other targeted messages.

“There’s a lot of value in your social data. It’s important to regularly review your privacy settings on all sites and applications that use it. The EFF has useful advice on how to keep your data where you want it to be, under more of your control,” Mozilla notes.

Facebook isn’t the only firm to collect data from users’ activity outside of its core service, but this is a problem that can be solved quickly. Thus, users are advised to review their privacy settings for each app they use regularly.


A flaw in the iOS camera QR code URL parser could expose users to attacks
28.3.2018 securityaffairs iOS

A vulnerability in the built-in QR code reader of the iOS Camera App could be exploited by hackers to redirect users to a malicious website.

The flaw affects the latest Apple iOS 11 for iPhone, iPad, and iPod touch devices.

The problem is tied to a new feature implemented in iOS 11 that allows users to read QR codes automatically while using the camera app, without requiring any third-party QR code reader app.

To read a QR code, users open the Camera app on their Apple device and point the iPhone or iPad at the code; if the code contains a URL, the system shows a notification with the link address. Tapping the notification opens the URL in the Safari browser, but according to security researcher Roman Mueller, who discovered the vulnerability, the URL actually visited can differ from the one displayed.

The expert discovered that the URL parser of the built-in QR code reader in the iOS camera app does not detect the hostname in the URL correctly, making it possible to control the URL displayed in the notification and redirect users to malicious websites.

“The URL parser of the camera app has a problem here detecting the hostname in this URL in the same way as Safari does.” wrote the expert in a blog post.

“It probably detects “xxx\” as the username to be sent to “facebook.com:443”.
While Safari might take the complete string “xxx\@facebook.com” as a username and “443” as the password to be sent to infosec.rm-it.de.”
“This leads to a different hostname being displayed in the notification compared to what actually is opened in Safari.”

Mueller created a QR code containing the following URL:

https://xxx\@facebook.com:443@infosec.rm-it.de/

When he scanned it he noticed that the device was showing the following notification:

Open “facebook.com” in Safari

Once tapped, it opened https://infosec.rm-it.de/ instead of Facebook.

The expert successfully tested the issue on his iPhone X running iOS 11.2.6.
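To make the parsing disagreement concrete, here is an added Python example; it is not code from the article or from Mueller's write-up. `naive_display_host` is an assumed model of the behaviour the article attributes to the camera app (split the authority at the first `@`, then at the first `:`); `rfc_host` uses Python's `urllib.parse`, which resolves the authority the way the article says Safari does, treating everything before the last `@` as userinfo. `check_qr_target` is the defensive check a QR reader should make before showing an "Open <host>" prompt: reject any URL whose authority carries userinfo or a backslash, and never display a host that the full parser does not agree with.

```python
"""Added example (not code from the article or from Mueller's write-up):
why a crafted QR-code URL can display one host and open another.

CRAFTED_URL is the URL quoted in the article.  naive_display_host() is an
assumed model of the camera app's parser as the article describes it;
rfc_host() is Python's urllib.parse, which resolves the authority the way
the article says Safari does (userinfo runs up to the LAST '@').
check_qr_target() is the defensive check: refuse to prompt "Open <host>"
when the authority carries userinfo or a backslash, or when the two
parsers disagree about the host.
"""
from urllib.parse import urlsplit

# The exact URL from the article; a raw string keeps the backslash intact.
CRAFTED_URL = r"https://xxx\@facebook.com:443@infosec.rm-it.de/"


def _authority(url: str) -> str:
    """The text between '//' and the next '/' (empty if there is no '//')."""
    if "//" not in url:
        return ""
    return url.split("//", 1)[1].split("/", 1)[0]


def naive_display_host(url: str) -> str:
    """Assumed model of the flawed parser: drop everything up to the FIRST
    '@' as the user name, then take the host up to the first ':'."""
    authority = _authority(url)
    if "@" in authority:
        authority = authority.split("@", 1)[1]   # leaves "facebook.com:443@infosec.rm-it.de"
    return authority.split(":", 1)[0]            # leaves "facebook.com"


def rfc_host(url: str) -> str:
    """RFC 3986 reading: userinfo is everything before the LAST '@' in the
    authority, so the host is whatever follows it (urllib, and Safari
    according to the article)."""
    return urlsplit(url).hostname or ""


def check_qr_target(url: str) -> dict:
    """Decide whether a scanned URL is safe to present as 'Open <host>'."""
    parts = urlsplit(url)
    problems = []
    if parts.scheme not in ("http", "https"):
        problems.append("scheme is not http(s)")
    if parts.username is not None or parts.password is not None:
        problems.append("authority carries userinfo (user:pass@)")
    if "\\" in parts.netloc:
        problems.append("authority contains a backslash")
    shown, actual = naive_display_host(url), rfc_host(url)
    if shown != actual:
        problems.append(f"display host {shown!r} differs from parsed host {actual!r}")
    return {"display_host": shown, "actual_host": actual,
            "safe": not problems, "problems": problems}


if __name__ == "__main__":
    for url in (CRAFTED_URL, "https://example.com/login"):
        verdict = check_qr_target(url)
        print(url)
        print("  naive parser shows:", verdict["display_host"])
        print("  urllib resolves to:", verdict["actual_host"])
        print("  safe to prompt:", verdict["safe"], verdict["problems"])
```

Running it shows the crafted URL displayed as facebook.com by the naive parser while urllib resolves it to infosec.rm-it.de; the plain example.com URL passes every check. Note that a WHATWG-style parser, such as the URL class in current browsers, treats a backslash in an http(s) URL as a path separator and would stop the host at `xxx`, a third reading of the same string; that is why the check refuses ambiguous authorities outright instead of trying to mimic any one browser.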

QR code hack

The researcher reported this flaw to Apple in December last year, but Apple has not fixed the bug to date.

The bug is very dangerous and opens the doors to numerous attack scenarios.

Mueller reported the vulnerability to the Apple security team on 2017-12-23, but at the time of writing the flaw was still present.


VPN leaks users’ IPs via WebRTC. I’ve tested seventy VPN providers and 16 of them leak users’ IPs via WebRTC (23%)
28.3.2018 securityaffairs Cyber

Cyber security researcher Paolo Stagno (aka VoidSec) has tested seventy VPN providers and found that 16 of them leak users’ IPs via WebRTC (23%).
You can check whether your VPN leaks by visiting: http://ip.voidsec.com
Here you can find the complete list of the VPN providers that I’ve tested: https://docs.google.com/spreadsheets/d/1Nm7mxfFvmdn-3Az-BtE5O0BIdbJiIAWUnkoAF_v_0ug/edit#gid=0
Add a comment or send me a tweet if you have updated results for any of the VPNs for which I am missing details (especially the “$$$” ones, since I cannot subscribe to 200 different paid VPN services :P).
Some time ago, during a small event in my city, I presented a small piece of research on “decloaking” the true IP of a website visitor by (ab)using the WebRTC technology.

What is WebRTC?
WebRTC is a free, open project that provides browsers and mobile applications with Real-Time Communications (RTC) capabilities via simple APIs.

It includes the fundamental building blocks for high-quality communications on the web, such as the network, audio and video components used in voice and video chat applications. When implemented in a browser, these components can be accessed through a JavaScript API, enabling developers to easily implement their own RTC web app.

STUN/ICE
A component that allows calls to use the STUN and ICE mechanisms to establish connections across various types of networks. The STUN server sends back a response that contains the IP address and port of the client.

These STUN (Session Traversal Utilities for NAT) servers are used by VPNs to translate a local home IP address to a new public IP address and vice-versa. To do this, the STUN server maintains a table of both your VPN-based public IP and your local (“real”) IP during connectivity (routers at home replicate a similar function in translating private IP addresses to public and back.).

WebRTC allows requests to be made to STUN servers which return the “hidden” home IP-address as well as local network addresses for the system that is being used by the user.

The results of the requests can be accessed using JavaScript, but because they are made outside the normal XMLHttpRequest procedure, they are not visible in the developer console.

The only requirement for this de-anonymizing technique to work is WebRTC and JavaScript support from the browser.
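What the STUN exchange actually hands to page JavaScript is a set of ICE candidate lines, and a leak check is nothing more than reading the addresses out of them. The following added Python example (it is not VoidSec's PoC, nor Daniel Roesler's code mentioned in the PoC section further down) parses candidate lines in the standard `a=candidate` syntax, labels each address by what it reveals, and applies the rule a leak test uses: a VPN is leaking when a host candidate carries a private LAN address or a server-reflexive (`srflx`) candidate carries a public address other than the VPN exit. The candidate lines and the VPN exit address are constructed sample data; the documentation ranges 203.0.113.x and 198.51.100.x stand in for public addresses.

```python
"""Added example (not VoidSec's or Daniel Roesler's PoC): what an ICE
candidate exposes, and how a leak check decides that a VPN is leaking.

A WebRTC leak-check page collects the ICE candidates the browser gathers
for an RTCPeerConnection.  'host' candidates name the machine's own
interface addresses; 'srflx' (server-reflexive) candidates name the public
address a STUN server saw the request come from, which on a leaky VPN is
the ISP-assigned address rather than the VPN exit.  The candidate lines
below are constructed sample data in the RFC 5245 a=candidate syntax;
203.0.113.x and 198.51.100.x are documentation ranges standing in for
public addresses.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample candidates, as a browser would hand them to onicecandidate.
SAMPLE_CANDIDATES = [
    "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host generation 0",
    "candidate:2 1 udp 1686052607 203.0.113.45 54321 typ srflx "
    "raddr 192.168.1.23 rport 54321 generation 0",
    "candidate:3 1 udp 41885439 198.51.100.9 3478 typ relay "
    "raddr 203.0.113.45 rport 54321 generation 0",
]

# RFC 5245: candidate:<foundation> <component> <transport> <priority>
#           <address> <port> typ <type> [raddr ...] [rport ...] ...
CANDIDATE_RE = re.compile(
    r"^(?:a=)?candidate:(?P<foundation>\S+) (?P<component>\d+) (?P<transport>\S+) "
    r"(?P<priority>\d+) (?P<address>\S+) (?P<port>\d+) typ (?P<type>\S+)"
)

# Address ranges a VPN user would consider "internal".  Deliberately a
# hand-written list so that the documentation ranges used as sample public
# addresses above are not classed as private.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]


@dataclass
class Candidate:
    ctype: str      # host, srflx, prflx or relay
    address: str
    port: int
    scope: str      # private, public, mdns or unknown


def classify_address(addr: str) -> str:
    """Label an ICE candidate address by what it reveals."""
    if addr.endswith(".local"):
        return "mdns"        # browser replaced the host IP with an mDNS name
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "unknown"
    return "private" if any(ip in net for net in PRIVATE_NETS) else "public"


def parse_candidate(line: str) -> Optional[Candidate]:
    """Parse one candidate line; None if it is not in candidate syntax."""
    m = CANDIDATE_RE.match(line.strip())
    if not m:
        return None
    return Candidate(m["type"], m["address"], int(m["port"]),
                     classify_address(m["address"]))


def exposed_addresses(lines: List[str], vpn_exit_ip: str) -> List[Candidate]:
    """Candidates that give away more than the VPN exit address: private
    host addresses, and any srflx public address that is not the VPN exit
    (i.e. the STUN server saw the real ISP address).  Relay candidates name
    the TURN server, not the user, so they are ignored."""
    leaks = []
    for line in lines:
        c = parse_candidate(line)
        if c is None:
            continue
        if c.ctype == "host" and c.scope == "private":
            leaks.append(c)
        elif c.ctype == "srflx" and c.scope == "public" and c.address != vpn_exit_ip:
            leaks.append(c)
    return leaks


if __name__ == "__main__":
    # Assumed VPN exit address as seen by the web server (constructed).
    for c in exposed_addresses(SAMPLE_CANDIDATES, "198.51.100.200"):
        print(f"LEAK via {c.ctype:5s} candidate: {c.address}:{c.port} ({c.scope})")
```

The comparison against the VPN exit address is the whole test: ip.voidsec.com-style pages know the address the HTTP request arrived from and flag any srflx address that differs. The "mdns" scope is there because current Firefox and Chrome builds replace host-candidate IPs with random `.local` mDNS names unless the page already has camera or microphone permission, which removes the LAN-address part of the leak; the srflx part is only closed by routing STUN through the VPN or by disabling WebRTC, which in Firefox is the `media.peerconnection.enabled` preference the "Disable WebRTC" tip below refers to.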

VPN and WebRTC
This functionality can also be used to de-anonymize and trace users behind common privacy protection services such as VPNs, SOCKS proxies, HTTP proxies and, in the past, TOR.

Browsers that have WebRTC enabled by default:

Mozilla Firefox
Google Chrome
Google Chrome on Android
Internet (Samsung Browser)
Opera
Vivaldi
23% of the tested VPN and proxy services disclosed the real IP address of the visitor, making users traceable.

The following providers leak users’ IPs:

BolehVPN (USA Only)
ChillGlobal (Chrome and Firefox Plugin)
Glype (Depends on the configuration)
hide-me.org
Hola!VPN
Hola!VPN Chrome Extension
HTTP PROXY navigation in browser that support Web RTC
IBVPN Browser Addon
PHP Proxy
phx.piratebayproxy.co
psiphon3 (not leaking if using L2TP/IP)
PureVPN
SOCKS Proxy on browsers with Web RTC enabled
SumRando Web Proxy
TOR as PROXY on browsers with Web RTC enabled
Windscribe Add-ons

You can find the complete spreadsheet of tested VPN providers here: https://docs.google.com/spreadsheets/d/1Nm7mxfFvmdn-3Az-BtE5O0BIdbJiIAWUnkoAF_v_0ug/edit#gid=0


Stay anonymous while surfing:
Some tips to follow in order to protect your IP during the internet navigation:

Disable WebRTC
Disable JavaScript (or at least some functions. Use NoScript)
Disable Canvas Rendering (Web API)
Always set a DNS fallback for every connection/adapter
Always kill all your browsers instances before and after a VPN connection
Clear browser cache, history, and cookies
PoC:
You can check if your VPN leaks through this POC: http://ip.voidsec.com

PoC Code:
I’ve updated Daniel Roesler’s code to make it work again; you can find it on GitHub.



Statistics Say Don't Pay the Ransom; but Cleanup and Recovery Remains Costly
27.3.2018 securityweek
Ransomware

Businesses have lost faith in the ability of traditional anti-virus products to detect and prevent ransomware. Fifty-three percent of U.S companies infected by ransomware in 2017 blamed legacy AV for failing to detect the ransomware. Ninety six percent of those are now confident that they can prevent future attacks, and 68% say this is because they have replaced legacy AV with next-gen endpoint protection.

These details come from a February 2018 survey undertaken by Vanson Bourne for SentinelOne, a next-gen provider, allowing SentinelOne to claim, "This distrust in legacy AV further confirms the required shift to next-gen endpoint protection in defending against today's most prominent information security threats." This is a fair statement, but care should be taken not to automatically confuse 'legacy AV' with all traditional suppliers -- many can also now be called next-gen providers with their own flavors of AI-assisted malware detection.

SentinelOne's Global Ransomware Report 2018 (PDF) questioned 500 security and risk professionals (200 in the U.S., and 100 in each of France, Germany and the UK) employed in a range of verticals and different company sizes.

The result provides evidence that paying a ransom is not necessarily a solution to ransomware. Forty-five percent of U.S. companies infected with ransomware paid at least one ransom, but only 26% had their files unlocked. Furthermore, 73% of those firms that paid the ransom were targeted at least once again. Noticeably, while defending against ransomware is a security function, responding to it is a business function: 44% of companies that paid up did so without the involvement or sanction of the IT/security teams.

The attackers appear to have concluded that U.S. firms are the more likely to pay a ransom, and more likely to pay a higher ransom. While the global average ransom is $49,060, the average paid by U.S. companies was $57,088. "If the cost of paying the ransomware is less than the lost productivity caused by downtime from the attack, they tend to pay," SentinelOne's director of product management, Migo Kedem, told SecurityWeek. "This is not good news, as it means the economics behind ransomware campaigns still make sense, so attacks will continue."

This is in stark contrast to the UK, where the average payment is almost $20,000 lower at $38,500. It is tempting to wonder if this is because UK companies just don't pay ransoms. In 2016, 17% of infected UK firms paid up; now it is just 3%. This may reflect the slightly different approaches in law enforcement advice. While LEAs always say it is best not to pay, the UK's NCSC says flatly, 'do not pay', while the FBI admits that it is ultimately the decision of each company.

Paying or not paying is, however, only a small part of the cost equation; and the UK's Office for National Statistics (ONS) provides useful figures. According to SentinelOne, these figures show that in a 12-month period, the average cost of a ransomware infection to a UK business was £329,976 ($466,727). With 40% of businesses with more than 1000 employees being infected, and 2,625 such organizations in the UK, the total cost of ransomware to UK business in 12 months was £346.4 million ($490.3 million).

Clearly, although the number of UK companies actually paying the ransom is low, the cost of cleanup and recovery remains very high; making prevention a more important consideration than whether to pay or not.

"Attackers are continually refining ransomware attacks to bypass legacy AV and to trick unwitting employees into infecting their organization. Paying the ransom isn't a solution either -- attackers are treating paying companies like an ATM, repeating attacks once payment is made," said Raj Rajamani, SentinelOne VP of products. "The organizations with the most confidence in stopping ransomware attacks have taken a proactive approach and replaced legacy AV systems with next-gen endpoint protection. By autonomously monitoring for attack behaviors in real-time, organizations can detect and automatically stop attacks before they take hold."

In 2016, SentinelOne began to offer a ransomware guarantee. "We're proud to have been the first," said chief security consultant Tony Rowan (now lead security architect at Cyberbit), "and still only, next generation endpoint protection company to launch a cyber security guarantee with our $1,000 per endpoint, or $1 million per company pay out in the event they experience a ransomware attack after installing our product."

"We offered that program for the last two years and I am glad to share we were never required to pay," Kedem told SecurityWeek. "SentinelOne products successfully protected our customers against even the WannaCry campaign that hit the UK pretty hard."

Mountain View, Calif-based SentinelOne raised $70 million in a Series C funding round announced in January 2017, bringing the total amount of funding to $109.5 million.


Axonius Uses Existing Tools to Find, Secure Devices
27.3.2018 securityweek Safety

Axonius emerged from stealth mode on Tuesday with a platform designed to help organizations identify and secure all the devices on their network by leveraging existing security and management tools.

The company aims to bridge the gap between device discovery and vulnerability assessment products with a solution that combines data from existing tools in an effort to provide a centralized view of all devices and help enterprises ensure that all their systems are patched.

Vulnerability assessment tools may be efficient in identifying and prioritizing systems that need patching, but they often don’t have access to all devices due to the fragmented nature of corporate environments.

Axonius says its Cybersecurity Asset Management Platform can leverage combinations of nearly 30 tools from various vendors in order to discover all the devices on a network, obtain information about those systems, and ensure that they are not neglected by vulnerability scanners.

The company has created what it calls “adapters” to integrate tools from Microsoft, Amazon, Cisco, enSilo, ESET, Forcepoint, Fortinet, IBM, Juniper, McAfee, ManageEngine, Qualys, Rapid7, Splunk, Symantec, VMware and others into its platform.

New adapters will be added in the future based on customers’ needs – the company is currently working on integrating tools from Carbon Black, Cylance, ObserveIT, CrowdStrike and others. Adding new adapters is in most cases an easy task given that most vendors provide APIs.

The company told SecurityWeek that it’s unlikely for an organization that has a problem with fragmentation and visibility not to have at least some of the supported tools – for example, Microsoft’s Active Directory can be found in most companies.

Security teams can manually query devices to ensure that they adhere to their organization’s policies, but they can also configure the platform to automatically alert them via email or syslog whenever a device that fits specified criteria is detected.

In addition to helping organizations gain full visibility into the devices on their network, Axonius says its platform can also be used to enforce policies. Employees can manually choose to either block a device, scan it, or deploy an agent, but they can also automate various tasks using plugins.

Since it does not require the deployment of an agent, Axonius says its platform can be deployed quickly and easily once it has access to all the credentials and third-party tools. The company claims it has deployed its solution in an afternoon at an organization with roughly 10,000 endpoints, and the job has never taken more than a couple of days.

“Since we do connect to the security and management systems a customer already has, there's no custom work to do, no professional services, and we're able to start showing value immediately,” Nathan Burke, CMO of Axonius, told SecurityWeek. “At most organizations, security teams are swamped and time is their scarcest resource. The last thing they want to do is spend time on a lengthy and complicated deployment.”

Deploying the solution only requires a VMware ESXi machine that has inbound and outbound access to all managed adapters. Pricing for the product is based on an annual subscription and it depends on the number of devices.

Axonius’ headquarters is in New York and its research and development department is located in Israel. The company received $4 million in seed funding in September 2017 and it has now announced the general availability of its product, which it claims is already used by very large companies around the world to manage more than 100,000 endpoints.


The Top Vulnerabilities Exploited by Cybercriminals
27.3.2018 securityweek
Vulnerebility

Cybercriminals are shifting their focus from Adobe to Microsoft consumer products, and are now concentrating more on targeted attacks than on web-based exploit kits.

Each year, Recorded Future provides an analysis of criminal chatter on the dark web in its Top Ten Vulnerabilities Report. It does this because it perceives a weakness in traditional vulnerability databases and scanning tools -- they do not indicate which vulnerabilities are currently being exploited, nor to what extent. Reliance on vulnerability lists alone cannot say where patching and remediation efforts should be prioritized.

"We do this analysis because the sale and use of exploits is a for-profit industry," Recorded Future's VP of technical solutions, Scott Donnelly told SecurityWeek. This means that exploit developers have to sell their products, while other criminals have to buy them -- and this leads to the chatter that Recorded Future analyzes.

"If you're a cybercriminal trying to make money, you have to discuss it. If you hold back too much you're not going to make any money; so, there's a necessity for the criminals to stick their heads up a little bit -- and we can take advantage of that and call out some of the big conversations." It assumes a correlation between chatter about a vulnerability with active exploitation of that vulnerability -- an assumption that common sense rather than science suggests is reasonable.

Donnelly is confident that his firm's knowledge of and access to the dark web is statistically valid. Nation-state activity is specifically excluded from this analysis, because, he says, "If you're a nation-state with an exploit, or if you're a third-party supplier of exploits to a nation state, you're less likely to talk about it in a general criminal forum."

At the macro level, this year's analysis highlights a move away from Adobe vulnerabilities towards Microsoft consumer product vulnerabilities. While Flash exploits have dominated earlier annual reports, seven of the top ten (including the top five) most discussed vulnerabilities are now Microsoft vulnerabilities. "As Adobe Flash Player has begun to see its usage significantly drop, this year we find that it's a lot of Microsoft consumer products that are seeing heavy exploitation," says Donnelly.

The three most used vulnerabilities are CVE-2017-0199 (which allows attackers to download and execute a Visual Basic script containing PowerShell commands from a malicious document), CVE-2016-0189 (which is an old Internet Explorer vulnerability that allows attackers to use an exploit kit to drop malware, such as ransomware), and CVE-2017-0022 (which enables data theft).

A second major takeaway from the analysis is that 2017 has seen a significant drop in the development of new exploit kits. "This has been noticed before," Donnelly told SecurityWeek, "but mainly because researchers simply haven't seen them in action. This is now evidence that the criminals themselves aren't talking about or trying to sell that many new kits."

In raw numbers, Recorded Future's analysis noted 26 new kits in 2016, but only 10 new kits in 2017 (from a total list of 158 EKs). "The observed drop in exploit kit activity," suggests Donnelly, "overlaps with the rapid decline of Flash Player usage. Users have shifted to more secure browsers, and attackers have shifted as well. Spikes in cryptocurrency mining malware and more targeted victim attacks have filled the void."

At the micro level, the big takeaway from this report is the anomalous position of CVE-2017-0022. It is the third most discussed vulnerability on the dark web forums, yet in relation to just two pieces of malware: the exploit kits Astrum (aka Stegano) and Neutrino. This is the lowest number of associated malware in the top ten vulnerabilities -- both of the two more popular vulnerabilities are associated with ten different pieces of malware. CVE-2017-0199 is associated with malware including Hancitor, Dridex and FinFisher, while CVE-2016-0189 is associated with nine different exploit kits and the Magniber ransomware.

But it's not just in malware associations that CVE-2017-0022 is anomalous. It has a Common Vulnerability Scoring System (CVSS) rating of just 4.3. The next lowest rating in the top ten vulnerabilities is 7.6, while the top two are rated at 9.3 and 7.6. CVSS defines a 4.3 score as medium risk; and yet Recorded Future's research shows it to be the third most exploited vulnerability, commenting, "'In the wild' severity does not always correlate with the Common Vulnerability Scoring System (CVSS) score."

This is a prime example of the reason for the analysis. Security teams could check the CVSS score and conclude on this evidence alone that the vulnerability does not require expedited remediation or patching. As the third most exploited vulnerability, Recorded Future's latest threat analysis suggests otherwise.

Boston, Mass.-based Recorded Future raised $25 million in a Series E funding round led by Insight Venture Partners in October 2017 -- bringing the total funding raised to $57.9 million.


New "ThreadKit" Office Exploit Builder Emerges
27.3.2018 securityweek
Vulnerebility

A newly discovered Microsoft Office document exploit builder kit has been used for the distribution of a variety of malicious payloads, including banking Trojans and backdoors, Proofpoint reports.

The exploit builder kit was initially discovered in October 2017, but Proofpoint's researchers have linked it to activity dating back to June 2017. The builder kit shows similarities to Microsoft Word Intruder (MWI), but is a new tool called ThreadKit.

In June 2017, the kit was being advertised in a forum post as being able to create documents with embedded executables and embedded decoy documents, and several campaigns featuring such documents were observed that month. The documents would perform an initial check-in to the command and control (C&C) server, a tactic also used by MWI.

The documents were targeting CVE-2017-0199 and were focused on downloading and executing a HTA file that would then download the decoy and a malicious VB script to extract and run the embedded executable. The payload was Smoke Loader, which in turn downloaded banking malware.

In October, ThreadKit started targeting CVE-2017-8759 as well, but continued to use the initial C&C check-in and the HTA file to execute the embedded executable, Proofpoint says. However, changes were made to the manner in which the exploit documents operate and new exploits were integrated as well.

In November, ThreadKit was quick to incorporate exploits for new Microsoft Office vulnerabilities, and started being advertised as capable of targeting CVE-2017-11882 too. Soon after, campaigns that featured the previously observed check-in already started to emerge.

In February and March 2018, the kit was embedding new exploits, targeting vulnerabilities such as an Adobe Flash zero-day (CVE-2018-4878) and several new Microsoft Office vulnerabilities, including CVE-2018-0802 and CVE-2017-8570.

At the same time, the researchers noticed a large spike in email campaigns featuring ThreadKit-generated Office attachments packing these exploits. The exploits appear copied from proofs of concept available on a researcher’s GitHub repo.

As part of these attacks, the attachments would drop the contained packager objects into the temp folder, then the exploits would execute the dropped scriptlet file, thus leading to the execution of the dropped batch files, which in turn run the executable.

Proofpoint found that not all ThreadKit documents contain a valid URL for the statistics check-in (some contain placeholder URLs). Furthermore, not all documents followed the same execution chain, with some scripts modified to perform other actions, a customization that may be provided as a service by the kit author.

“In 2017, several new vulnerabilities entered regular use by threat actors and the first months of 2018 have added to that repertoire. Document exploit builder kits like ThreadKit enable even low-skilled threat actors to take advantage of the latest vulnerabilities to distribute malware. Organizations and individuals can mitigate the risk from ThreadKit and other document exploit-based attacks by ensuring that clients are patched for the latest vulnerabilities in Microsoft Office and other applications,” Proofpoint concludes.


First OpenSSL Updates in 2018 Patch Three Flaws
27.3.2018 securityweek
Vulnerability

The first round of security updates released in 2018 for OpenSSL patch a total of three vulnerabilities, but none of them appears to be serious.

OpenSSL versions 1.1.0h and 1.0.2o patch CVE-2018-0739, a denial-of-service (DoS) vulnerability discovered using Google’s OSS-Fuzz service, which has helped find several flaws in OpenSSL in the past.

The security hole, rated “moderate,” is related to constructed ASN.1 types with a recursive definition.

“Constructed ASN.1 types with a recursive definition (such as can be found in PKCS7) could eventually exceed the stack given malicious input with excessive recursion,” the OpenSSL Project said in its advisory.
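The usual defence against this class of bug is to bound how deeply a decoder will recurse into constructed types. The following is an added example, not OpenSSL's code: a minimal DER TLV decoder (short- and long-form lengths, primitive and constructed tags, no multi-byte tags) that refuses input nested deeper than an assumed limit MAX_DEPTH, and a small constructed helper that builds arbitrarily nested SEQUENCEs to exercise that check.

```python
"""Depth-bounded DER decoder (added example, not OpenSSL's implementation)."""

# Assumed limit for this example; the exact value is a policy choice.
MAX_DEPTH = 32


class DerError(ValueError):
    """Raised for malformed input or excessive nesting."""


def _read_length(buf: bytes, pos: int):
    """Decode a DER length at buf[pos]; return (length, next_pos)."""
    if pos >= len(buf):
        raise DerError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form
        return first, pos
    n = first & 0x7F
    if n == 0 or n > 4:                   # indefinite or absurd lengths rejected
        raise DerError("unsupported length encoding")
    if pos + n > len(buf):
        raise DerError("truncated length")
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def parse_der(buf: bytes, depth: int = 0):
    """Parse a sequence of TLVs; constructed values are parsed recursively.

    Each constructed layer increases `depth`; exceeding MAX_DEPTH raises
    DerError instead of letting malicious input consume the native stack.
    """
    if depth > MAX_DEPTH:
        raise DerError(f"nesting deeper than {MAX_DEPTH} levels")
    items = []
    pos = 0
    while pos < len(buf):
        tag = buf[pos]
        pos += 1
        if tag & 0x1F == 0x1F:
            raise DerError("multi-byte tags not supported in this example")
        length, pos = _read_length(buf, pos)
        if pos + length > len(buf):
            raise DerError("truncated value")
        value = buf[pos:pos + length]
        pos += length
        if tag & 0x20:                    # constructed bit set: recurse
            items.append((tag, parse_der(value, depth + 1)))
        else:
            items.append((tag, value))
    return items


def nesting_depth(items) -> int:
    """Number of constructed layers in a parsed tree (0 for flat input)."""
    best = 0
    for _, value in items:
        if isinstance(value, list):
            best = max(best, 1 + nesting_depth(value))
    return best


def encode_len(n: int) -> bytes:
    """DER length encoding (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def nest(inner: bytes, levels: int) -> bytes:
    """Constructed test input: wrap `inner` in `levels` SEQUENCE (0x30) layers."""
    for _ in range(levels):
        inner = b"\x30" + encode_len(len(inner)) + inner
    return inner


if __name__ == "__main__":
    leaf = b"\x02\x01\x01"                # INTEGER 1
    print(parse_der(nest(leaf, 3)))
    try:
        parse_der(nest(leaf, MAX_DEPTH + 1))
    except DerError as exc:
        print("rejected:", exc)
```

A decoder without the depth check would, for a deep enough input, fail with a stack overflow (in Python, a RecursionError near 1000 frames; in C, a crash), which is the DoS the advisory describes. Bounding depth at the parser is cheaper and more predictable than relying on the platform's stack size.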

Another moderate severity flaw, which only affects the 1.1.0 branch, is CVE-2018-0733. This is an implementation bug in the PA-RISC CRYPTO_memcmp function, and it allows an attacker to forge authenticated messages more easily than should be possible.

The OpenSSL Project learned about this vulnerability in early March from IBM. Only HP-UX PA-RISC systems are impacted.

Finally, OpenSSL 1.1.0h fixes an overflow bug that could allow an attacker to access TLS-protected communications. The vulnerability, CVE-2017-3738, was first disclosed in December 2017, but since an attack is not easy to carry out the issue has been assigned a low severity rating and it has only been patched now.

Four rounds of security updates were released for OpenSSL last year, and only one of the eight fixed vulnerabilities was classified as high severity.


Threat Landscape for Industrial Automation Systems in H2 2017
27.3.2018 Kaspersky  Analysis  ICS
For many years, Kaspersky Lab experts have been uncovering and researching cyberthreats that target a variety of information systems – those of commercial and government organizations, banks, telecoms operators, industrial enterprises, and individual users. In this report, Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) publishes the findings of its research on the threat landscape for industrial automation systems conducted during the second half of 2017.

The main objective of these publications is to provide information support to global and local incident response teams, enterprise information security staff and researchers in the area of industrial facility security.

Overview of ICS vulnerabilities identified in 2017
The analysis of vulnerabilities was performed based on vendor advisories, publicly available information from open vulnerability databases (ICS-CERT, CVE, Siemens Product CERT), as well as the results of Kaspersky Lab ICS CERT’s own research. Vulnerability data published on the ICS-CERT website in 2017 was used to create statistical diagrams.

Vulnerabilities in various ICS components
Number of vulnerabilities identified
In 2017, the total number of vulnerabilities identified in different ICS components and published on the ICS-CERT website was 322. This includes vulnerabilities identified in general-purpose software and in network protocols that are also relevant to industrial software and equipment. These vulnerabilities are discussed in this report separately.

Analysis by Industry
The largest number of vulnerabilities affect industrial control systems in the energy sector (178), manufacturing processes at various enterprises (164), water supply (97) and transportation (74).

Number of vulnerable products used in different industries
(according to ICS-CERT classification)
vulnerabilities published in 2017

Severity levels of the vulnerabilities identified
More than half (194) of the vulnerabilities identified in ICS systems were assigned CVSS v.3.0 base scores of 7 or higher, corresponding to a high or critical level of risk.

Table 1 – Distribution of published vulnerabilities by risk level

Severity score          Number of vulnerabilities
9 to 10 (critical)      60
7 to 8.9 (high)         134
4 to 6.9 (medium)       127
0 to 3.9 (low)          1
The highest severity score of 10 was assigned to vulnerabilities identified in the following products:

iniNet Solutions GmbH SCADA Webserver,
Westermo MRD-305-DIN, MRD-315, MRD-355, and MRD-455,
Hikvision Cameras,
Sierra Wireless AirLink Raven XE and XT,
Schneider Electric Modicon M221 PLCs and SoMachine Basic,
BINOM3 Electric Power Quality Meter,
Carlo Gavazzi VMU-C EM and VMU-C PV.
All vulnerabilities that were assigned the severity rating of 10 have much in common: they have to do with authentication issues, can be exploited remotely and are easy to exploit.

In addition, the highest severity rating was assigned to a vulnerability in the Modicon Modbus Protocol, which is discussed below.

It should be noted that the CVSS base score does not account for the aspects of security that are specific to industrial automation systems or for the distinctive characteristics of each organization’s industrial processes. This is why, when assessing the severity of a vulnerability, we recommend keeping in mind, in addition to the CVSS score, the possible consequences of its exploitation, such as the non-availability or limited availability of ICS functionality that affects the continuity of the industrial process.

Types of vulnerabilities identified
The most common types of vulnerabilities include buffer overflow (Stack-Based Buffer Overflow, Heap-Based Buffer Overflow) and improper authentication (Improper Authentication).

At the same time, 23% of all vulnerabilities identified are web-related (Injection, Path Traversal, Cross-Site Request Forgery (CSRF), Cross-Site Scripting) and 21% are associated with authentication issues (Improper Authentication, Authentication Bypass, Missing Authentication for Critical Function) and with access control problems (Access Control, Incorrect Default Permissions, Improper Privilege Management, Credentials Management).

Most common vulnerability types

Exploitation of vulnerabilities in various ICS components by attackers can lead to arbitrary code execution, unauthorized control of industrial equipment and that equipment’s denial of service (DoS). Importantly, most vulnerabilities (265) can be exploited remotely without authentication and exploiting them does not require the attacker to have any specialized knowledge or superior skills.

Exploits have been published for 17 vulnerabilities, increasing the risk of their exploitation for malicious purposes.

Vulnerable ICS components
The largest number of vulnerabilities were identified in:

SCADA/HMI components (88),
networking devices designed for industrial environments (66),
PLCs (52),
and engineering software (52).
Vulnerable components also include protection relays, emergency shutdown systems, environmental monitoring systems and industrial video surveillance systems.

Distribution of vulnerabilities identified by ICS components

Vulnerabilities in industrial protocols
An important part of ICS software security research in 2017 was identifying serious vulnerabilities in implementations of industrial protocols. Specifically, vulnerabilities were identified in the implementation of the Modbus Protocol in Modicon series controllers (that vulnerability was assigned a CVSS v. 3 base score of 10), as well as in implementations of the OPC UA protocol stack and in an implementation of the PROFINET Discovery and Configuration Protocol. The security issues identified affect entire product families.

Impact of vulnerabilities in ‘traditional’ technologies on industrial systems
In addition to ICS-specific vulnerabilities, a number of serious flaws were identified in H2 2017 in software platforms and network protocols that can be exploited to attack industrial systems.

The vulnerabilities in the WPA2 protocol unexpectedly turned out to be relevant to industrial solutions. They were found to affect equipment from several vendors, including Cisco, Rockwell Automation, Sierra Wireless, ABB and Siemens. Industrial control systems were also affected by multiple vulnerabilities in the Dnsmasq DNS server, Java Runtime Environment, Oracle Java SE, and Cisco IOS and IOS XE.

Vulnerabilities in Intel products can also affect the security of industrial equipment. In the second half of 2017, information on several vulnerabilities in Intel products (ME, SPS and TXE) was published. These vulnerabilities affect mainly SCADA server hardware and industrial computers that use vulnerable CPUs. These include, for example, Automation PC 910 by B&R, Nuvo-5000 by Neousys and the GE Automation RXi2-XP product line. As a rule, vendors do not consider it necessary to release public advisories on vulnerabilities of this type (derived from using third-party technologies). Of course, there are some positive exceptions. For example, Siemens AG has released an advisory stating that these vulnerabilities affect a range of the company’s products. Earlier, the company published information about similar vulnerabilities in Intel technologies affecting its products.

IoT device vulnerabilities
2017 was marked by a growing number of vulnerabilities being identified in internet of things (IoT) devices. As a consequence, such vulnerabilities were increasingly often exploited to create botnets. The activity of three new botnets was uncovered in the last two months of 2017 alone. These included the Reaper botnet and new Mirai variants, including the Satori botnet.

Multiple vulnerabilities were identified in D-Link 850L routers, WIFICAM wireless IP cameras, Vacron network video recorders and other devices.

On top of the new IoT device flaws, some old vulnerabilities are still not closed, such as CVE-2014-8361 in Realtek devices and the vulnerability dating back to 2012 that can be exploited to get the configuration of Serial-to-Ethernet converters, including the Telnet password, by sending a request on port 30718. The vulnerability in Serial-to-Ethernet converters directly affects the industrial internet of things (IIoT), since many systems that enable the operators of industrial equipment to remotely control its status, modify its settings and control its operation are based on serial interface converters.

The security of IoT devices is also affected by issues relating to the security of traditional information technology. Specifically, vulnerabilities in implementations of the Bluetooth protocol led to the emergence of the new attack vector, BlueBorne, which poses a threat to mobile, desktop and IoT operating systems.

Vulnerabilities identified by Kaspersky Lab ICS CERT
In 2017, Kaspersky Lab ICS CERT experts not only analyzed the security issues associated with different vendors’ ICS components, but also focused on the common ICS components, platforms and technologies used in different vendors’ solutions. This type of research is important because vulnerabilities in such components significantly increase the number of potential attack victims. Research in this area continues in 2018.

Number of vulnerabilities identified
Based on its research, Kaspersky Lab ICS CERT identified 63 vulnerabilities in industrial and IIoT/IoT systems in 2017.

Distribution of vulnerabilities identified by Kaspersky Lab ICS CERT in 2017
by types of components analyzed

Every time we identified a vulnerability, we promptly notified the respective product’s vendor.

Number of CVE entries published
During 2017, 11 CVE entries were published based on information about vulnerabilities identified by Kaspersky Lab ICS CERT. It should be noted that some of these CVE entries were published after vendors closed vulnerabilities for which the information had been provided to them in 2016.

Information on other vulnerabilities identified by Kaspersky Lab ICS CERT experts will be published after these vulnerabilities are closed by the respective vendors.

Capabilities provided by the vulnerabilities identified
The largest number of vulnerabilities identified (29) could allow an attacker to cause denial of service (DoS) remotely. 8% of the vulnerabilities identified could allow an attacker to execute arbitrary code remotely on the target system.

Distribution of vulnerabilities identified by Kaspersky Lab ICS CERT in 2017
by capabilities provided

Vulnerabilities in ICS components
In 2017, Kaspersky Lab ICS CERT experts identified 30 vulnerabilities in ICS products from different vendors. These are mainly large automation system vendors, such as Schneider Electric, Siemens, Rockwell Automation, Emerson, and others.

Severity ratings of the vulnerabilities identified
To assess the severity of vulnerabilities identified in ICS components, Kaspersky Lab ICS CERT used its own vulnerability rating system based on the metrics defined in the CVSS v3.0 (Common Vulnerability Scoring System) standard, with the following vulnerability severity levels:

least severe: CVSS v3.0 base score of 5.0 or less,
medium severity: CVSS v3.0 base score of 5.1 to 6.9 (inclusive),
most severe: CVSS v3.0 base score of 7.0 or more.
The absolute majority of vulnerabilities identified are in the most severe group. These include the XXE vulnerability in industrial solutions that use the Discovery Service of the OPC UA protocol stack.

Vulnerabilities in OPC UA implementations
One of the research areas involved searching for vulnerabilities in different implementations of the OPC UA technology. This type of research is needed to improve the overall security level of products from different vendors that use the technology in their solutions. Vulnerabilities in such technologies are a Swiss army knife of sorts for attackers, enabling them to hack industrial systems from different vendors.

A total of 17 critical denial-of-service vulnerabilities were identified during the period.

Some of the vulnerabilities were identified in sample software implementations of various OPC UA functions available in the official GitHub repository. In the process of communicating with several vendors of industrial automation systems, we found out that many of them had used code from such samples in their product code. This means that the vulnerabilities identified may affect complete product lines from different vendors.

Vulnerabilities in third-party hardware-based and software solutions
Kaspersky Lab ICS CERT experts have also analyzed third-party hardware-based solutions that are widely used in industrial automation systems.

Specifically, experts analyzed the SafeNet Sentinel hardware-based solution by Gemalto. As a result of the research, 15 vulnerabilities were identified in the software part of the solution (11 in December 2016 and 4 in 2017). These flaws affect a large number of products that use the vulnerable software, including solutions by ABB, General Electric, HP, Cadac Group, Zemax and other software developers, the number of which may reach 40 thousand, according to some estimates.

Vulnerabilities in internet of things (IoT and IIoT) components
Another area of research was the assessment of the information security status of internet of things (IoT) components, including industrial internet of things (IIoT) components.

Kaspersky Lab experts are working with vendors to improve the security of their solutions with respect to 11 vulnerabilities identified. Vulnerabilities were found in the following components and solutions:

smart cameras,
hardware-based IIoT solutions.
It should be noted that vulnerabilities in implementations of OPC UA standards, which are discussed above, also directly affect IIoT security.

Vulnerabilities in industrial routers
In the past year, 18 vulnerabilities were identified in industrial networking equipment from different vendors. Typical vulnerabilities: information disclosure, privilege escalation, arbitrary code execution, denial of service.

Working with software vendors
With respect to information on the vulnerabilities identified, Kaspersky Lab follows the principle of responsible information disclosure, promptly reporting vulnerabilities to the respective software vendors.

In 2017, Kaspersky Lab ICS CERT researchers actively collaborated with various companies to ensure that the vulnerabilities identified would be closed.

Of the 63 vulnerabilities identified by Kaspersky Lab ICS CERT in 2017, vendors closed 26. Vulnerabilities were closed by Siemens, General Electric, Rockwell Automation, Gemalto and the OPC Foundation industrial consortium.

It should be noted that most vendors of software for industrial automation systems that we have worked with have lately been devoting much more care and resources to the task of closing the vulnerabilities identified and fixing information security issues in their products, including their earlier versions.

At the same time, the issue of closing vulnerabilities in industrial automation systems remains relevant. In many cases, it takes large vendors a long time to close vulnerabilities in their products. Sometimes software vendors decide to patch only new versions of a vulnerable product, which they are planning to release in the future.

In addition, some vendors still need to improve the organizational and technical aspects of the procedures they use to inform customers about the vulnerabilities patched. Even after an update has been released, many users are unaware of the relevant security issue and use vulnerable versions of the product. This is particularly important for embedded software, as well as the technologies and specific program modules used by numerous third-party vendors (one example can be found here).

Positive examples include Siemens and the OPC Foundation, which have quickly closed the vulnerabilities identified and released public advisories on existing vulnerabilities.

Malware in industrial automation systems
As we have mentioned before, many industrial companies use modern networking technologies that improve the transparency and efficiency of enterprise management processes, as well as providing flexibility and fault tolerance for all tiers of industrial automation. As a result, industrial networks are increasingly similar to corporate networks – both in terms of use case scenarios and in terms of the technologies used. The unfortunate flip side of this is that internet threats, as well as other traditional IT threats, increasingly affect the industrial networks of modern organizations.

In the second half of 2017, Kaspersky Lab security solutions installed on industrial automation systems detected over 17.9 thousand different malware modifications from about 2.4 thousand different malware families.

Accidental infections
In the vast majority of cases, attempts to infect ICS computers are accidental and are not part of targeted attacks. Consequently, the functionality implemented in malware is not specific to attacks on industrial automation systems. However, even without ICS-specific functionality, a malware infection can have dire consequences for an industrial automation system, including an emergency shutdown of the industrial process. This was demonstrated by the WannaCry outbreak in May 2017, when several enterprises in different industries had to suspend their industrial processes after being infected with the encryption malware. We wrote about encryption malware-related threats in our previous report and several articles (see here and here).

Unexpected consequences of the WannaCry outbreak
It is important to note that some IT threats can do much more significant harm in an industrial network than in an office network. To demonstrate this, we look at two incidents investigated by the Kaspersky Lab ICS-CERT team.

In H2 2017, we were approached by several industrial enterprises at once, where mass infections of industrial networks with WannaCry encryption malware had been detected. It was later determined that the initial infections of office networks at the victim companies had in all the cases taken place back in the first half of 2017, at the height of the WannaCry outbreak. However, the infections were not noticed until the malware propagated to the enterprises’ industrial networks. As it turned out during investigation, encryption functionality in the malware samples was damaged and the infected systems on corporate networks continued to operate normally, without any failures. However, the infection of industrial networks in these cases had unexpected negative consequences.

At one of the enterprises infected by WannaCry, the workstations used by operators started to bring up the Blue Screen of Death all the time, leading to emergency reboots. The reason for this unexpected consequence of infection was that the machines ran Windows XP. It is a well-known fact that the DoublePulsar exploit used by WannaCry to propagate causes Windows XP to crash, resulting in a Blue Screen of Death and a reboot. In cases when numerous machines in the industrial segment of an organization’s network are infected, Windows XP machines are often attacked and go into emergency reboots. As a result, operators are rendered incapable of monitoring and controlling the industrial process. This makes WannaCry a denial-of-service attack tool of sorts.

In another incident, the propagation of WannaCry caused some of the devices on an enterprise’s industrial network to become temporarily unavailable during periods when the network activity of the malware coincided with certain stages in the industrial process. This resulted in emergency interruptions of an industrial process that was critical for the enterprise for an average of 15 minutes.

Cryptocurrency miners in industrial network infrastructure
According to Kaspersky Lab ICS CERT data, cryptocurrency mining programs attacked 3.3% of industrial automation system computers during the period from February 2017 to January 2018.

Up to August 2017, the percentage of ICS computers attacked by cryptocurrency miners did not exceed 1%. This figure grew in September and did not go back to less than 1% for the rest of 2017. In October, cryptocurrency miner attacks against ICS computers peaked, with 2.07% of ICS computers being attacked.

Percentage of ICS computers attacked by cryptocurrency mining malware

Like other malware infecting systems at industrial enterprises, cryptocurrency miners can pose a threat to industrial process monitoring and control. In the process of its operation, malware of this type creates a significant load on the computer’s computational resources. An increased load on processors can negatively affect the operation of the enterprise’s ICS components and threaten their stability.

According to our assessments, in most cases cryptocurrency miners infect ICS computers accidentally. There is no reliable information on machines that are part of the industrial network infrastructure being infected as a result of targeted attacks the goal of which is to mine cryptocurrencies, with the exception of cases when miners are installed by unscrupulous employees of victim enterprises. The cryptocurrency mining malware typically enters the industrial network infrastructure from the internet or, less commonly, from removable media or network shares.

Sources of ICS computer infections with cryptocurrency miners
Percentage of systems attacked, February 2017 – January 2018

Cryptocurrency miners have infected numerous websites, including those of industrial companies. In such cases, cryptocurrencies are mined on the systems of users who visit infected web resources. This technique is called cryptojacking.

Screenshot showing a fragment of code found on a web resource infected with mining malware

Botnet agents in the industrial network infrastructure
In most cases, the functionality of botnet agents includes searching for and stealing financial information, stealing authentication data, brute forcing passwords, sending spam, as well as conducting attacks on specified remote internet resources, including distributed denial-of-service (DDoS) attacks. In addition, in cases where a botnet agent attacks third-party resources (such cases have been detected), the companies that own the IP addresses from which the attacks are launched may face certain reputational risks.

Although the destructive activity of botnet agents is not specifically designed to disrupt the operation of any industrial system, an infection with this type of malware may pose a significant threat to a facility that is part of the industrial infrastructure. Malware of this type can cause network failures, denial of service (DoS) of the infected system and other devices on the network. It is also common for malware to contain errors in its code and/or be incompatible with software used to control the industrial infrastructure, potentially resulting in the disruption of industrial process monitoring and control.

Another danger associated with botnet agents is that malware of this type often includes data collection functionality and, like backdoor malware, enables the attackers to control the infected machine surreptitiously. System data collected by bots by default is sufficient for accurately identifying the company that owns the system and the type of the infected system. What’s more, access to machines infected with botnet agents is often put up for sale at specialized exchanges on the Darknet. Consequently, threat actors interested in infected industrial control systems can gain access to a victim company’s sensitive data and/or systems used to control the industrial infrastructure.

In 2017, 10.8% of all ICS systems were attacked by botnet agents. Moreover, botnet agent attack statistics show that 2% of ICS systems were attacked by several malicious programs of this type at once.

Percentage of ICS computers attacked by botnet agents in 2017

The main sources of botnet agent attacks on ICS systems in 2017 were the internet, removable media and email messages.

Sources of ICS infection with botnet agents, percentage of ICS computers attacked, 2017

This once again demonstrates the need for access control to ensure that information is exchanged securely between an enterprise’s industrial network and other networks, as well as the need to block unauthorized removable media from connecting to ICS systems and to install tools designed to detect and filter malicious objects from email messages.

Top 5 botnet agents most commonly found on ICS systems in 2017,
percentage of ICS computers attacked

Nearly two percent of all systems analyzed were attacked with Virus.Win32.Sality malware. In addition to infecting other executable files, this malware includes the functionality of resisting antivirus solutions and downloading additional malicious modules from the command-and-control server. The most widespread Sality modules are components for sending spam, stealing authentication data stored on the system and downloading and installing other malware.

The Dinihou botnet agent, which attacked 0.9% of ICS systems analyzed, is in second position. The malware includes functionality that enables the attackers to upload an arbitrary file from an infected system, creating the threat of sensitive data leaks for victim organizations. In addition, both Worm.VBS.Dinihou and Virus.Win32.Nimnul, which is in third place with 0.88%, can be used to download and install other malware on infected systems.

Most modifications of Trojan.Win32.Waldek are distributed via removable media and include functionality to collect information on infected systems and send it to the attackers. Based on the system data collected, the attackers create packages of additional malware to be installed on the infected system using the relevant Waldek functionality.

The fifth position is taken up by Backdoor.Win32.Androm, which ranked highest based on the number of attacks on ICS systems in H2 2016. The malware provides the attackers with a variety of information on the infected system and enables them to download and install modules for performing destructive activities, such as stealing sensitive data.

Targeted attacks
2017 saw the publication of information on two targeted attacks on systems that are part of the industrial infrastructure – Industroyer and Trisis/Triton. In these attacks, for the first time since Stuxnet, threat actors created their own implementations of industrial network protocols, gaining the ability to communicate with devices directly.

Trisis/Triton
In December 2017, researchers reported discovering previously unknown malware that targeted critical infrastructure systems. The discovery was made as a result of investigating an incident at an unnamed industrial enterprise. The malicious program was dubbed Triton or Trisis.

The malware is a modular framework that can automatically find Triconex Safety Controllers on the enterprise network, get information on their operating modes and plant malicious code on these devices. Trisis/Triton embeds a backdoor in the device’s firmware, enabling the attackers to remotely read and modify not only the code of the legitimate control program, but also the code of the compromised Triconex device’s firmware. With such capabilities, attackers can do serious damage to the enterprise’s industrial process. The least harmful of possible negative consequences is the system’s emergency shutdown and interruption of the industrial process. It was this type of event that caused a victim organization to launch an investigation, which resulted in the attack being detected.

It remains unknown how the attackers penetrated the enterprise’s infrastructure. What is known is that they must have been inside the compromised organization’s network for a sufficiently long time (several months) and used legitimate software and ‘dual-use’ utilities for lateral movement and privilege escalation.

Although the attack was designed to modify code on Triconex devices, the code that the attackers were apparently trying to inject in the last stage of the attack has never been found, so it is currently impossible to determine the final objective of the attack.

Spear phishing — Formbook spyware
Spear phishing attacks on industrial organizations continued in the second half of 2017. We have already written about spear phishing used by threat actors in Business Email Compromise (BEC) attacks. Compared to attacks described earlier, the attackers’ tactics have not changed significantly. However, in addition to known Trojan-Spy malware sent in phishing emails to global industrial and energy companies (FareIT, HawkEye, ISRStealer, etc.), a new representative of this malware class – Formbook – gained popularity in the second half of 2017.

Formbook attacks involve sending phishing emails with malicious Microsoft Office documents attached. To download and install malware on target systems, these documents exploit the CVE-2017-8759 vulnerability or use macros. Some phishing emails include attached archives of different formats containing the malicious program’s executable file. Examples of attached file names:

RFQ for Material Equipment for Aweer Power Station H Phase IV.exe
Scanned DOCUMENTS & Bank Details For Confirmation.jpeg (Pages 1- 4) -16012018. jpeg.ace
PO & PI Scan.png.gz
zip
QUOTATION LISTS.CAB
shipping receipts.ace

Sample phishing email used to distribute Formbook (image not reproduced)
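
The names above share the tricks a mail gateway can key on: a bare executable with a business-sounding name, a document or image extension placed in front of the real archive extension, and archive formats (.ace, .cab, .gz) that exist mainly to carry an executable past filters. The following triage function is an added example written for this page, not code from the Kaspersky Lab ICS CERT report; the extension classes are a general heuristic (an assumption, extend per site), not a Formbook signature, and the sample names are the ones quoted in the report plus two constructed benign ones.

```python
"""Attachment-name triage for the kind of lures listed above.

Added example, not code from the Kaspersky Lab ICS CERT report. The rules are a
general mail-gateway heuristic (double extensions, archive formats that carry an
executable, bare executables), not a signature for Formbook itself.
"""
import re

# Extension classes. The archive list covers the formats in the report's examples
# (.ace, .gz, .cab, .zip) plus a few common ones; assumption, extend per site.
ARCHIVE_EXT = {"ace", "gz", "cab", "zip", "rar", "7z"}
EXEC_EXT = {"exe", "scr", "pif", "com", "js", "jse", "vbs", "wsf", "hta", "bat", "cmd", "lnk"}
DOC_EXT = {"doc", "docx", "docm", "rtf", "xls", "xlsx", "xlsm", "pdf"}
DECOY_EXT = {"jpeg", "jpg", "png", "gif", "txt"} | DOC_EXT


def extensions(name):
    """Lower-cased dot-separated suffix tokens of a file name, skipping the base
    name and any token that is not a short plain extension. Whitespace around
    dots is tolerated because lure names are often padded to hide the suffix."""
    tokens = [t.strip().lower() for t in name.split(".")]
    return [t for t in tokens[1:] if re.fullmatch(r"[a-z0-9]{1,4}", t)]


def triage(name):
    """Return (verdict, reasons) for one attachment name.
    verdict is 'block', 'sandbox' (detonate or inspect before delivery) or 'allow'."""
    exts = extensions(name)
    if not exts:
        return "sandbox", ["no recognisable extension"]
    last, inner = exts[-1], exts[:-1]
    reasons = []
    if last in EXEC_EXT:
        reasons.append(f"executable attachment (.{last})")
    if last in ARCHIVE_EXT:
        reasons.append(f"archive (.{last}); members must be triaged too")
    if inner:
        reasons.append("double extension " + ".".join(exts))
    if any(e in DECOY_EXT for e in inner) and last in (ARCHIVE_EXT | EXEC_EXT):
        reasons.append("decoy document/image extension in front of the real one")

    if last in EXEC_EXT or (inner and last in ARCHIVE_EXT):
        return "block", reasons
    if last in ARCHIVE_EXT or last in DOC_EXT:
        return "sandbox", reasons
    return "allow", reasons


def triage_archive(members):
    """Apply triage() to the member names of an unpacked archive; the archive is
    as bad as its worst member. members: list of file names inside the archive."""
    verdicts = [triage(m) for m in members]
    if any(v == "block" for v, _ in verdicts):
        return "block"
    if any(v == "sandbox" for v, _ in verdicts):
        return "sandbox"
    return "allow"


# Constructed sample: the attachment names quoted in the report plus two benign ones.
SAMPLE_NAMES = [
    "RFQ for Material Equipment for Aweer Power Station H Phase IV.exe",
    "Scanned DOCUMENTS & Bank Details For Confirmation.jpeg (Pages 1- 4) -16012018. jpeg.ace",
    "PO & PI Scan.png.gz",
    "QUOTATION LISTS.CAB",
    "shipping receipts.ace",
    "site_plan.pdf",
    "turbine_photo.jpeg",
]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        verdict, why = triage(n)
        print(f"{verdict:8} {n!r}  {'; '.join(why)}")
    # An archive whose member is the executable itself (the report's third pattern).
    print(triage_archive(["invoice.pdf.exe"]))
```

A single-extension archive such as "QUOTATION LISTS.CAB" is not blocked outright because legitimate partners do send archives; it is routed to inspection, and `triage_archive()` applies the same rules to the unpacked members, which is where the executable in the report's third pattern is caught.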

In terms of implementation and the techniques used to obfuscate the code and encrypt the payload, Formbook differs from its ‘peers’ in that its functionality is more extensive. In addition to standard spyware features, such as making screenshots, capturing keypresses and stealing passwords stored in browsers, Formbook can steal sensitive data from HTTP/HTTPS/SPDY/HTTP2 traffic and web forms. Additionally, the malware implements remote system control functionality and uses an unusual technique to resist the analysis of network traffic. The Trojan generates a set of URLs to which it is going to connect, using a list of legitimate domains stored in its body. It then adds one URL for its command-and-control server. In this way, the malware attempts to mask its connections to the malicious domain by sending numerous requests to legitimate resources, making its detection and analysis more difficult.
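
The decoy-traffic technique defeats single-host inspection: in one capture the C2 request is one of many to respectable domains. It is weak against correlation. The following is an added example, not Formbook code or code from the Kaspersky Lab ICS CERT report. It assumes (the report does not say this) that the decoy subset differs from run to run or host to host while the C2 host is contacted every time; under that assumption the C2 is the host present in every run, and a known-good baseline removes the remaining decoys. Host names are constructed, with a .test domain standing in for the C2.

```python
"""Separating a Formbook-style C2 domain from its decoy traffic.

Added example, not Formbook code or code from the Kaspersky Lab ICS CERT report.
The report states that the Trojan builds its request list from legitimate
domains embedded in its body and adds a single URL for the real C2 server.
Assumption (not in the report): decoys are drawn differently per run or host,
while the C2 host is contacted every time. Under that assumption the C2 is the
host common to every run, and a baseline of known-good hosts removes the rest.
"""
from collections import Counter
from urllib.parse import urlsplit


def hosts(urls):
    """Set of host names contacted in one run (ports and paths dropped)."""
    return {urlsplit(u).hostname for u in urls if urlsplit(u).hostname}


def common_hosts(runs):
    """Hosts contacted in every run; with enough runs this is the C2 candidate set."""
    sets = [hosts(u) for u in runs.values()]
    return set.intersection(*sets) if sets else set()


def rank_c2_candidates(runs, known_good=frozenset()):
    """Rank hosts by the number of runs that contacted them, highest first,
    dropping hosts on the known-good baseline. Returns [(host, run_count), ...]."""
    counts = Counter()
    for urls in runs.values():
        counts.update(hosts(urls))          # count each host once per run
    ranked = [(h, c) for h, c in counts.items() if h not in known_good]
    return sorted(ranked, key=lambda hc: (-hc[1], hc[0]))


# Constructed sample: hosts contacted by the same suspicious process on four
# sandbox runs. All names are illustrative (.test TLD for the C2).
RUNS = {
    "run-1": ["http://www.example.com/", "http://cdn.example.net/a.js",
              "http://news.example.org/", "http://panel.ex-c2.test/"],
    "run-2": ["http://www.example.com/", "http://mail.example.org/",
              "http://store.example.net/", "http://panel.ex-c2.test/"],
    "run-3": ["http://cdn.example.net/a.js", "http://mail.example.org/",
              "http://blog.example.com/", "http://panel.ex-c2.test/"],
    "run-4": ["http://www.example.com/", "http://cdn.example.net/a.js",
              "http://store.example.net/", "http://panel.ex-c2.test/"],
}

if __name__ == "__main__":
    print("seen in every run:", common_hosts(RUNS))
    print("ranked:", rank_c2_candidates(RUNS))
    # A single run on its own gives no signal: every host is tied at 1.
    print("one run only:", rank_c2_candidates({"run-1": RUNS["run-1"]}))
```

The one-run call at the end shows the limit of the method: with a single capture every host ties, which is exactly the effect the decoys are meant to produce. The signal comes from several detonations of the same sample or from proxy logs of several infected hosts, and from a baseline of domains the enterprise already knows to be legitimate.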

Threat statistics
All statistical data used in this report was collected using the Kaspersky Security Network (KSN), a distributed antivirus network. The data was received from those KSN users who gave their consent to have data anonymously transferred from their computers. We do not identify the specific companies/organizations sending statistics to KSN, due to the product limitations and regulatory restrictions.

Methodology
The data was received from ICS computers protected by Kaspersky Lab products that Kaspersky Lab ICS CERT categorizes as part of the industrial infrastructure at organizations. This group includes Windows computers that perform one or several of the following functions:

supervisory control and data acquisition (SCADA) servers,
data storage servers (Historian),
data gateways (OPC),
stationary workstations of engineers and operators,
mobile workstations of engineers and operators,
Human Machine Interface (HMI).
The statistics analyzed also include data received from computers of industrial control network administrators and software developers who develop software for industrial automation systems.

For the purposes of this report, attacked computers are those on which our security solutions have been triggered at least once during the reporting period. When determining percentages of machines attacked, we use the ratio of unique computers attacked to all computers in our sample from which we received anonymized information during the reporting period.

ICS servers and stationary workstations of engineers and operators often do not have full-time direct internet access due to restrictions specific to industrial networks. Internet access may be provided to such computers, for example, during maintenance periods.

Workstations of system/network administrators, engineers, developers and integrators of industrial automation systems may have frequent or even full-time internet connections.

As a result, in our sample of computers categorized by Kaspersky Lab ICS CERT as part of the industrial infrastructure of organizations, about 40% of all machines have regular or full-time internet connections. The remaining machines connect to the Internet no more than once a month, many less frequently than that.

Percentage of computers attacked
In the second half of 2017, Kaspersky Lab products blocked attempted infections on 37.8% of ICS computers protected by them, which is 0.2 percentage points more than in the first half of 2017 and 1.4 percentage points less than in the second half of 2016.

June – August 2017 saw a decline in the number of attacked computers. However, in September there was a notable increase in cybercriminal activity, with the proportion of attacked machines rising to 20% and not falling below that level again for the rest of the year.

Percentage of ICS computers attacked globally by month, 2017

When comparing these values with the same period in 2016, we see that the July numbers are practically identical. However, for all other months the percentage of attacked machines in 2016 was higher than in 2017.

Percentage of ICS computers attacked globally by month, H2 2017 vs H2 2016

A certain decrease in the percentage of computers attacked can be attributed to several factors. It is likely that one has to do with industrial enterprises paying more attention to the security of industrial segments on their networks. According to our experts’ assessments, changes for the better may be largely due to simple measures: enterprises have begun to conduct audits of the industrial segments of their networks, train employees in the principles of cyber-hygiene, more properly differentiate access rights between the corporate and the industrial segments of their network, etc.

Percentage of ICS computers attacked in different industries
According to our assessment, medium-size and large companies with mature IT security processes tend to use Kaspersky Lab corporate solutions (mainly Kaspersky Industrial CyberSecurity and Kaspersky Endpoint Security) to safeguard their ICS infrastructure. Many smaller organizations and individual engineers, along with companies whose IT and OT cybersecurity still leaves much to be desired, may rely on Kaspersky Lab consumer solutions to protect their ICS computers. The percentage of such computers attacked by malware during the reporting period is significantly higher compared to the corresponding figures for computers protected by corporate products.

We intentionally excluded statistics coming from our consumer solutions when analyzing attacks on industrial facilities in different industries, using only telemetry data coming from Kaspersky Lab products for corporate users. This resulted in lower average attacked computers percentage values than for the rest of the analysis results presented in this report, where both Kaspersky Lab corporate and consumer product statistics were used.

Percentage of ICS computers attacked in different industries*, H2 2017 vs H1 2017

*In this report, unlike our previous reports, we calculated the percentage of attacked ICS computers for each industry (the percentage of ICS computers attacked in an industry to all ICS computers in that industry).
In previous reports, we included the distribution of attacked ICS computers by industry (the percentage of computers attacked in a given industry to all attacked computers in our sample).

According to statistics on attacks against facilities in different industries, nearly all industries demonstrate similar percentages of attacked ICS computers, which are in the range from 26 to 30 percent. We believe this may be due to the similarity of ICS architectures used to automate industrial processes at enterprises in various industries and, possibly, similarities in the processes used by enterprises to exchange information with external entities and inside the enterprises themselves.

Two industries were attacked more than others during the reporting period: the figures for Energy (38.7%) and Engineering & ICS Integrators (35.3%) are above 35%.

We believe that the high percentage of attacked ICS systems in the energy sector may be explained, on the one hand, by the greater network connectivity of electric power sector facilities (compared to facilities in other industries) and, on the other hand, perhaps by the fact that, on average, more people have access to the industrial control systems of energy sector facilities than to those at enterprises in other industries.

The supply chain attack vector has been used in some of the most devastating attacks of recent years, which makes the high percentage of attacked ICS computers at Engineering and ICS Integration businesses a serious problem: an infection at an integrator can be carried into the industrial networks of every customer it serves.

The only industry whose figures showed a significant growth in the six months (+ 5.2 p.p.) is Construction (31.1%). The reason for the high percentage of ICS computers attacked in construction organizations could be that, for enterprises in the industry, industrial control systems often perform auxiliary functions, were introduced a relatively short time ago and are consequently at the periphery of company owners’ and managers’ attention. The upshot of this may be that objectives associated with protecting these systems from cyberthreats are regarded as having a relatively low priority. Whatever the reason for the high percentage of attacks reaching industrial control systems in construction and engineering, the fact seems sufficiently alarming. Construction is known to be a highly competitive business and cyberattacks on industrial organizations in this industry can be used as a means of unfair competition. So far, cyberattacks have been used in the construction industry mainly for purposes associated with the theft of commercial secrets. Infecting industrial control systems may provide threat actors with a new weapon in their fight against competitors.

The three least attacked industries are Mining (23.5%), Logistic & Transportation (19.8%) and ICS Software Development (14.7%).

ICS vendor infections might be very dangerous, because the consequences of an attack, spread over the infected vendor’s partner ecosystem and customer base, could be dramatic, as we saw in the recent wide-scale incidents, such as the exPetr malware epidemic.

This report includes information on ICS computers at educational facilities. These figures include not only ICS systems used in demonstration stands and labs performing instructional and research functions, but also in industrial automation systems of various facilities that are part of the infrastructure of educational establishments, such as power supply systems (including power generation and distribution), utilities, etc., as well as ICS used in pilot production facilities.

The figure for educational establishments can be regarded as representing the “background level” of accidental threats affecting ICS systems, considering systems at educational establishments to be as insecure as such systems can get. This is because ICS systems at educational establishments are usually connected to the respective organizations’ general-purpose networks and are less isolated from the outside world than the systems of industrial facilities.

At the same time, we believe that attacks on ICS systems at educational establishments can also pose a significant threat to enterprises in different real-sector industries – primarily because universities/colleges maintain working contacts and engage in collaboration with industrial enterprises. This includes joint research labs, engineering and development centers, personnel training and career development centers, etc.

In addition, such ICS systems can be used by attackers to test and debug malicious code and refine attacks against real-sector enterprises.

Education demonstrates the greatest difference between the H1 and H2 percentages of ICS systems attacked. The high figure for H1 was due to the large number of internet-borne attacks, as well as attacks by malware belonging to the Trojan.Multi.Powercod family. That malware uses techniques similar to those described by our colleagues in a separate publication. In H1 2017, 9.8% of ICS computers in educational establishments from our sample were attacked by Powercod Trojans. In H2, the corresponding figure was 0.7%.

Main sources of threats blocked on ICS computers,
percentage of ICS computers attacked, H2 2017 vs H1 2017

In the second half of 2017, most of the numbers for the main infection sources remained at H1 2017 levels.

For computers that are part of the industrial infrastructure, the internet remains the main source of infection. Contributing factors include interfaces between corporate and industrial networks, availability of limited internet access from industrial networks, and connection of computers on industrial networks to the internet via mobile phone operator networks (using mobile phones, USB modems and/or Wi-Fi routers with 3G/LTE support). Contractors, developers, integrators and system/network administrators that connect to the control network externally (directly or remotely) often have unrestricted internet access. Their computers are in the highest-risk group and can be used by malware as a channel for penetrating the industrial networks of the enterprises they serve. As we mentioned above, about 40% of computers in our sample connect to the internet on a regular basis. It should be noted that, in addition to malicious and infected websites, the “Internet” category includes phishing emails and malicious attachments opened in web-based email services (in browsers).

Experts from Kaspersky Lab ICS-CERT note that malicious programs and scripts built into email message bodies are often used in targeted attacks on industrial enterprises. In most cases, the attackers distribute emails with malicious attachments in office document formats, such as Microsoft Office and PDF, as well as archives containing malicious executable files.

There has also been a 1.7 p.p. decrease in the proportion of threats detected while scanning removable media. This is an important indicator, because such devices are often used to transfer information in industrial networks.

The other figures did not change appreciably.

Classes of malware

Trojan malware, which is designed to penetrate the systems being attacked, deliver and launch other malware modules, remains relevant to ICS computers. The malicious code of these programs was most commonly written in scripting languages (JavaScript, Visual Basic Script, PowerShell, AutoIt in the AutoCAD format) or took the form of Windows shortcuts (.lnk) that pointed to the next malicious modules.

These Trojans most often tried to download and execute the following malware as main modules:

spyware Trojans (Trojan-Spy and Trojan-PSW)
ransomware (Trojan-Ransom)
backdoors (Backdoor)
remote administration tools installed without authorization (RAT)
Wiper type programs (KillDisk) designed to delete (wipe) data on the hard drive and render the computer unusable
Malware infections of computers on an industrial network can result in the loss of control or the disruption of industrial processes.

Platforms used by malware
In the second half of 2017, we saw a significant increase in the percentage of ICS computers affected by malware written for the JavaScript platform.

Platforms used by malware, percentage of ICS computers attacked, H2 2017 vs H1 2017

The main reason for growing figures for the JavaScript platform is the increase in the number of phishing emails that include a loader for Trojan-Ransom.Win32.Locky.

In the latest versions of such emails, the attackers used a fax-received notification template.

The phishing emails include an attachment – an obfuscated loader written in JavaScript and designed to download and execute the main malicious module from servers controlled by the attackers.

It is important to note that threat actors often attack legitimate websites in order to host malware components on these sites. Threat actors do this to hide malicious traffic behind legitimate domains to mask the traces of an attack.

Cryptocurrency miners also made a small contribution to the increase in the share of the JavaScript platform – both the versions for browsers and the script-based loaders of miners for the Windows platform.

Geographical distribution of attacks on industrial automation systems
The map below shows the percentages of industrial automation systems attacked to the total number of such systems in each country.

Geographical distribution of attacks on industrial automation systems, H2 2017
Percentage of attacked ICS computers in each country

TOP 15 countries by percentage of ICS computers attacked:

Country* % of systems attacked
1 Vietnam 69.6
2 Algeria 66.2
3 Morocco 60.4
4 Indonesia 60.1
5 China 59.5
6 Egypt 57.6
7 Peru 55.2
8 Iran 53.0
9 India 52.4
10 Kazakhstan 50.1
11 Saudi Arabia 48.4
12 Mexico 47.5
13 Russia 46.8
14 Malaysia 46.7
15 Turkey 44.1
*Countries in which the number of ICS computers monitored by Kaspersky Lab ICS CERT was insufficient to obtain representative data sets were excluded from the ranking.

The Top 5 has remained unchanged since H1 2017.

The least affected countries in this ranking are Israel (8.6%), Denmark (13.6%), the UK (14.5%), the Netherlands (14.5%), Sweden (14.8%) and Kuwait (15.3%).

Egypt has moved from ninth place to sixth – the percentage of attacked ICS machines in that country grew by 6.1 p.p. This is the most significant growth among all countries of the world. Internet threats accounted for most of the growth in the percentage of attacked ICS computers in Egypt. Among the internet threats detected, the most common were sites infected with script-based cryptocurrency miners and attempts to download malware by following URL links.

Main sources of threats blocked on ICS computers in Egypt
percentage of ICS computers attacked, H2 2017 vs H1 2017

Malware distributed via removable media is also a real problem for many ICS in Egypt. Malware loaders distributed on removable media are disguised as existing user files on the removable drive, increasing the chances of a successful attack.

Examples of names used for loaders of malware distributed via removable media that were blocked on ICS computers in Egypt in H2 2017

In most cases, the loaders that we detected were designed to launch the malware module responsible for infecting the system, including downloading the main module, infecting removable media and network shares and propagating via email/instant messengers to an existing list of contacts.

Malicious code for the AutoIt platform, launched by a malicious .lnk loader
blocked on an ICS computer in Egypt in H2 2017

In Russia during H2 2017, 46.8% of ICS computers were attacked at least once – a 3.8 p.p. rise on H1 2017. This saw Russia move up from 21st to 13th.

The proportions of attacked ICS machines vary greatly between different regions of the world.

Percentage of ICS systems attacked in regions of the world, H2 2017 vs H1 2017

All regions can be assigned to one of three groups according to the percentage of attacked ICS machines:

Proportion of attacked ICS systems below 30%. This group includes North America and Europe, where the situation looks the most peaceful. Kaspersky Lab ICS CERT specialists say this does not necessarily mean that industrial enterprises in these regions are less frequently attacked by cybercriminals; rather, it could be that more attention is paid to ensuring information security at industrial enterprises in these regions, which results in fewer attacks reaching their targets.
Proportion of attacked ICS systems between 30% and 50%. This group includes Latin America, Russia and the Middle East.
Proportion of attacked ICS systems above 50%. The situation is most acute in Africa and the Asia-Pacific region.
It should be noted that values may differ significantly between countries within the same region. This may be due to different practices and approaches to ICS information security in those countries.

In particular, the Asia-Pacific region includes Vietnam with the highest global proportion of attacked ICS systems (69.6%) alongside countries such as Japan (25%), Australia (24.1%) and Singapore (23.2%), where figures did not exceed 25%.

Percentage of attacked ICS computers in Asia-Pacific countries, H2 2017 vs H1 2017

In Europe, Denmark’s score (13.6%) was not only the lowest in the region but also one of the lowest globally, while the proportions of attacked ICS systems in Belarus (41%), Portugal (42.5%) and Ukraine (41.4%) were all above 40%.

Percentage of attacked ICS computers in Europe, H2 2017 vs H1 2017

Let’s now look at the sources of attacks that affected ICS systems in different regions.

Main sources of threats blocked on ICS computers in different regions, H2 2017

In all regions of the world, the internet remains the main source of attacks. However, in Europe and North America, the percentage of blocked web-borne attacks is substantially lower than elsewhere. This may be because most enterprises operating in those regions adhere to information security standards. In particular, internet access is restricted on systems that are part of industrial networks. The situation is similar for infected removable devices: the highest numbers are seen in Africa and the Asia-Pacific region, while the lowest are in Europe and North America. These figures also reflect the level of compliance with information security standards and, in particular, whether restrictions are in place to prevent the connection of unauthorized removable media to industrial infrastructure systems.

Curiously, in spite of the sufficiently high overall percentage of attacks that reached ICS systems, the percentages of ICS computers attacked via removable media and email clients in Russia were relatively small – 4.4% and 1.4% respectively. One possible explanation is that risks associated with these attack vectors are largely mitigated through organizational measures, as well as removable media and email handling practices established at industrial enterprises. This interpretation is reassuring, since removable media and email are often used as penetration vectors in sophisticated targeted and APT attacks.

For countries of the Middle East, email was a significant (5%) source of infection, with the region leading the ranking based on this parameter.

Our recommendations
To prevent accidental infections in industrial networks, we recommend taking a set of measures designed to secure the internal and external perimeters of these networks.

This includes, first and foremost, measures required to provide secure remote access to automation systems and secure transfer of data between the industrial network and other networks that have different trust levels:

Systems that have full-time or regular connections to external networks (mobile devices, VPN concentrators, terminal servers, etc.) should be isolated into a separate segment of the industrial network – the demilitarized zone (DMZ);
Systems in the demilitarized zone should be divided into subnets or virtual subnets (VLAN), with restricted access between subnets (only the communications that are required should be allowed);
All the necessary communication between the industrial network and the outside world (including the enterprise’s office network) should be performed via the DMZ;
If necessary, terminal servers that support reverse connection methods (from the industrial network to the DMZ) can be deployed in the DMZ;
Thin clients should be used whenever possible to access the industrial network from the outside (using reverse connection methods);
Access from the demilitarized zone to the industrial network should be blocked;
If the enterprise’s business processes are compatible with one-way communication, we recommend that you consider using data diodes.
The threat landscape for industrial automation systems is continually changing, with new vulnerabilities regularly found both in application software and in industrial software. Based on the threat evolution trends identified in H2 2017, we recommend placing special emphasis on the following security measures:

Regularly updating the operating systems, application software and security solutions on systems that are part of the enterprise’s industrial network;
Installing firmware updates on control devices used in industrial automation systems in a timely manner;
Restricting network traffic on ports and protocols used on the edge routers between the organization’s network and those of other companies (if information is transferred from one company’s industrial network to another company);
An emphasis on account control and password policies is recommended. Users should have only those privileges that are required for them to perform their responsibilities. The number of user accounts with administrative privileges should be as limited as possible. Strong passwords (at least 9 characters, both upper and lower case, combined with digits and special characters) should be used, with regular password changing enforced by the domain policy, for example, every 90 days.
To provide protection from accidental infections with new, previously unknown malware and targeted attacks, we recommend doing the following on a regular basis:

Taking an inventory of running network services on all hosts of the industrial network; where possible, stopping vulnerable network services (unless this will jeopardize the continuity of industrial processes) and other services that are not directly required for the operation of the automation system; special emphasis should be made on services that provide remote access to file system objects, such as SMB/CIFS and/or NFS (which is relevant in the case of attacks on systems running Linux).
Auditing ICS component access control; trying to achieve maximum access granularity.
Auditing the network activity in the enterprise’s industrial network and at its boundaries. Eliminate any network connections with external and other adjacent information networks that are not required by industrial processes.
Verifying the security of remote access to the industrial network; placing a special emphasis on whether demilitarized zones are set up in compliance with IT security requirements. To the fullest extent possible, minimizing or completely eliminating the use of remote administration tools (such as RDP or TeamViewer). More details on this are provided above.
Ensuring that signature databases, heuristics and decision algorithms of endpoint security solutions are up-to-date. Checking that all the main protection components are enabled and running and that ICS software folders, OS system folders or user profiles are not excluded from the scope of protection. Application startup control technologies configured in whitelisting mode and application behavior analysis technologies are particularly effective for industrial enterprises. Application startup control will prevent cryptomalware from running even if it finds its way on to the computer, while application behavior analysis technologies are helpful for detecting and blocking attempts to exploit vulnerabilities (including unknown) in legitimate software.
Auditing policies and practices related to using removable media and portable devices. Blocking devices that provide illegitimate access to external networks and the Internet from being connected to industrial network hosts. Wherever possible, disabling the relevant ports or controlling access to these ports using properly configured dedicated tools.
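
The first of these steps, the inventory of exposed network services, is the one most often skipped because it is tedious by hand. The script below is an added example, not code from the Kaspersky Lab ICS CERT report. It parses the Windows `netstat -ano` listing (the report's sample consists mainly of Windows hosts) and sorts every listening socket into "required", "stop" or "review", using the services the recommendations name (SMB/CIFS, NFS, RDP, TeamViewer) plus standard Windows defaults. Which ports the automation system genuinely needs is a per-site decision; the REQUIRED map and the sample output are assumptions constructed for the example.

```python
"""Service inventory from `netstat -ano` output, flagging the services the
recommendation singles out.

Added example, not code from the Kaspersky Lab ICS CERT report. It parses the
Windows `netstat -ano` listing format (most of the ICS hosts in the report's
sample are Windows). Port-to-service labels are standard defaults; which ports
count as required by the automation system is a per-site decision and the
REQUIRED map below is an assumption for the sample host.
"""
import re

LINE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+?):(\d+)\s+(\S+)\s+(?:([A-Z_]+)\s+)?(\d+)\s*$")

# Services to stop or firewall unless the automation system needs them.
RISKY = {
    135: "MS-RPC endpoint mapper", 137: "NetBIOS name service", 138: "NetBIOS datagram",
    139: "NetBIOS session (SMB)", 445: "SMB/CIFS", 2049: "NFS",
    3389: "RDP", 5900: "VNC", 5938: "TeamViewer",
}
# Assumption: ports the sample host legitimately needs for the process.
REQUIRED = {502: "Modbus/TCP", 4840: "OPC UA"}


def parse_netstat(text):
    """Return (proto, local_ip, port, state, pid) for each socket line;
    header and blank lines are skipped. UDP lines carry no state."""
    out = []
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            proto, ip, port, _peer, state, pid = m.groups()
            out.append((proto, ip, int(port), state or "", int(pid)))
    return out


def inventory(text, required=REQUIRED):
    """Classify every listening TCP / bound UDP socket as
    'required' (keep), 'stop' (known risky service) or 'review' (unknown).
    Returns [(proto, port, pid, verdict, label), ...]."""
    rows = []
    for proto, _ip, port, state, pid in parse_netstat(text):
        if proto == "TCP" and state != "LISTENING":
            continue                       # only exposed services matter here
        if port in required:
            rows.append((proto, port, pid, "required", required[port]))
        elif port in RISKY:
            rows.append((proto, port, pid, "stop", RISKY[port]))
        else:
            rows.append((proto, port, pid, "review", "unknown service"))
    return rows


# Constructed sample: netstat -ano output from an engineering workstation.
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1012
  TCP    0.0.0.0:5938           0.0.0.0:0              LISTENING       2244
  TCP    192.168.10.5:502       0.0.0.0:0              LISTENING       3308
  TCP    192.168.10.5:4840      0.0.0.0:0              LISTENING       3310
  TCP    192.168.10.5:49700     192.168.10.20:4840     ESTABLISHED     3310
  TCP    [::]:445               [::]:0                 LISTENING       4
  TCP    0.0.0.0:8443           0.0.0.0:0              LISTENING       3400
  UDP    0.0.0.0:137            *:*                                    4
"""

if __name__ == "__main__":
    for proto, port, pid, verdict, label in inventory(SAMPLE):
        print(f"{verdict:8} {proto} {port:<5} pid={pid:<5} {label}")
```

Run across every host in the industrial segment, the "stop" rows are the candidate list for the second half of the recommendation (disable the service, or firewall the port if stopping it would affect the process), and the "review" rows are the ones that need an owner before the next audit. The IPv6 listener on port 445 is included deliberately: SMB that is disabled on IPv4 only is still exposed.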
In addition, to provide protection from targeted attacks directed at the enterprise’s industrial network and its main industrial assets, we recommend deploying tools that provide network traffic monitoring and detection of cyberattacks on industrial networks. In most cases, such measures do not require any changes to ICS components or their configuration and can be carried out without suspending their operation.

Of course, completely isolating the industrial network from adjacent networks is virtually impossible, since transferring data between networks is required to perform a variety of important functions – controlling and maintaining remote facilities, coordinating sophisticated industrial processes, parts of which are distributed between numerous workshops, lines, plants and support systems. We hope, however, that our recommendations will help you provide maximum protection for your industrial networks and automation systems against existing and future threats.

Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) is a global project of Kaspersky Lab aimed at coordinating the work of industrial automation system vendors, owners and operators of industrial facilities and IT security researchers in addressing issues associated with protecting industrial enterprises and critical infrastructure facilities.


Intel CPUs Vulnerable to New 'BranchScope' Attack
27.3.2018 securityweek
Attack

Researchers have discovered a new side-channel attack method that can be launched against devices with Intel processors, and the patches released in response to the Spectre and Meltdown vulnerabilities might not prevent these types of attacks.

The new attack, dubbed BranchScope, has been identified and demonstrated by a team of researchers from the College of William & Mary, University of California Riverside, Carnegie Mellon University in Qatar, and Binghamton University.

Similar to Meltdown and Spectre, BranchScope can be exploited by an attacker to obtain potentially sensitive information they normally would not be able to access directly. The attacker needs to have access to the targeted system and they must be able to execute arbitrary code.

Researchers believe the requirements for such an attack are realistic, making it a serious threat to modern computers, “on par with other side-channel attacks.” The BranchScope attack has been demonstrated on devices with three types of Intel i5 and i7 CPUs based on Skylake, Haswell and Sandy Bridge microarchitectures.

Experts showed that the attack works even if the targeted application is running inside of an Intel SGX enclave. Intel SGX, or Software Guard Extensions, is a hardware-based isolated execution system designed to prevent code and data from getting leaked or modified.

BranchScope is similar to Spectre as they both target the directional branch predictors. Branch prediction units (BPUs) are used to improve the performance of pipelined processors by guessing the execution path of branch instructions. The problem is that when two processes are executed on the same physical CPU core, they share a BPU, potentially allowing a malicious process to manipulate the direction of a branch instruction executed by the targeted application.

The BPU has two main components – a branch target buffer (BTB) and a directional predictor – and manipulating either one of them can be used to obtain potentially sensitive data from the memory. Intel recently published a video providing a high level explanation of how these attacks work.

Researchers showed on several occasions in the past how BTB manipulation can be used for attacks, but BranchScope involves manipulation of branch predictors.

“BranchScope is the first fine-grained attack on the directional branch predictor, expanding our understanding of the side channel vulnerability of the branch prediction unit,” the researchers explained in their paper.

The researchers who identified the BranchScope attack method have proposed a series of countermeasures that include both software- and hardware-based solutions.

Dmitry Evtyushkin, one of the researchers involved, told SecurityWeek that, while this has not been tested, the microcode updates Intel released in response to Meltdown and Spectre may only address the BTB vector, which would leave BranchScope attacks possible. However, Intel told the researchers that its software guidance for mitigating Spectre Variant 1 could be effective against BranchScope as well.
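The prime, target, probe sequence on a shared directional predictor, as an added example in Python; this is not code from the BranchScope paper or from SecurityWeek. It models the predictor as a table of 2-bit saturating counters indexed by branch address with no global history, and the probe reports a misprediction directly, where the real attack must infer it from execution time or performance counters. The branch addresses, the aliasing rule, the secret and the two victims are all constructed for the simulation. The second victim shows the software side of the countermeasures: when the branch direction no longer depends on the secret, the probe returns the same answer for every bit.

```python
"""Toy model of the BranchScope prime-target-probe sequence on a shared directional predictor.

Added example, not code from the BranchScope paper. The predictor is a table of
2-bit saturating counters indexed by branch address with no global history, and
the probe reports a misprediction directly, where the real attack must infer it
from execution time or performance counters.
"""

STRONG_NT, WEAK_NT, WEAK_T, STRONG_T = 0, 1, 2, 3


class DirectionalPredictor:
    """Per-core counter table; every process scheduled on the core shares it."""

    def __init__(self, entries: int = 1024):
        self.counters = [WEAK_NT] * entries

    def _slot(self, pc: int) -> int:
        # Simplified indexing by low address bits; the paper reverse-engineers
        # the real index function. Aliasing here is by construction.
        return pc % len(self.counters)

    def run_branch(self, pc: int, taken: bool) -> bool:
        """Execute one branch, update its counter, return True if mispredicted."""
        i = self._slot(pc)
        predicted_taken = self.counters[i] >= WEAK_T
        if taken:
            self.counters[i] = min(STRONG_T, self.counters[i] + 1)
        else:
            self.counters[i] = max(STRONG_NT, self.counters[i] - 1)
        return predicted_taken != taken


# Hypothetical addresses chosen so both branches map to the same counter.
VICTIM_BRANCH_PC = 0x4010A4
ATTACKER_BRANCH_PC = VICTIM_BRANCH_PC + 7 * 1024


def leaky_victim(bpu: DirectionalPredictor, secret: int, bit: int) -> None:
    """Victim with a branch whose direction depends on one secret bit."""
    bpu.run_branch(VICTIM_BRANCH_PC, taken=bool((secret >> bit) & 1))


def branchless_victim(bpu: DirectionalPredictor, secret: int, bit: int) -> None:
    """Hardened victim: the bit selects a value by masking, so no branch is executed."""
    mask = -((secret >> bit) & 1) & 0xFF                 # 0x00 or 0xFF, no jump involved
    _selected = (0xAA & mask) | (0x55 & (~mask & 0xFF))  # constant-time select
    # Nothing touches the shared counter, so the attacker's primed state survives.


def prime(bpu: DirectionalPredictor) -> None:
    """Drive the shared counter to WEAK_T from any starting state."""
    for _ in range(3):
        bpu.run_branch(ATTACKER_BRANCH_PC, taken=False)  # saturate at STRONG_NT
    for _ in range(2):
        bpu.run_branch(ATTACKER_BRANCH_PC, taken=True)   # STRONG_NT -> WEAK_NT -> WEAK_T


def probe(bpu: DirectionalPredictor) -> bool:
    """From WEAK_T the victim moved the counter to STRONG_T (taken) or WEAK_NT
    (not taken); a not-taken attacker branch is mispredicted only in the first case."""
    return bpu.run_branch(ATTACKER_BRANCH_PC, taken=False)


def recover_secret(bpu: DirectionalPredictor, victim, secret: int, nbits: int = 8) -> int:
    """Attacker loop. `secret` only drives the simulated victim; the attacker
    learns bits solely from probe() results."""
    recovered = 0
    for bit in range(nbits):
        prime(bpu)
        victim(bpu, secret, bit)   # victim runs on the same core, touching the shared counter
        if probe(bpu):
            recovered |= 1 << bit
    return recovered


if __name__ == "__main__":
    print("leaky victim:     ", hex(recover_secret(DirectionalPredictor(), leaky_victim, 0xB2)))
    print("branchless victim:", hex(recover_secret(DirectionalPredictor(), branchless_victim, 0xB2)))
```

Against the leaky victim the attacker reads back every bit of the secret; against the branchless victim the counter stays where prime() left it, so the probe mispredicts on every round and the attacker learns a constant unrelated to the secret.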

BranchScope is not the only CPU side-channel attack method uncovered following the disclosure of Meltdown and Spectre. One of them, dubbed SgxPectre, shows how Spectre can be leveraged to defeat SGX.

Researchers have also demonstrated new variants of the Meltdown and Spectre attacks, which they have named MeltdownPrime and SpectrePrime.


McAfee Enhances Product Portfolio, Unveils New Security Operations Centers
27.3.2018 securityweek Safety

Since emerging from Intel as a standalone cybersecurity company in April 2017, McAfee has consistently made multiple new product announcements simultaneously. It has continued that model this week with a new version of the Enterprise Security Manager (ESM 11), and enhancements to Behavioral Analytics, Investigator, Advanced Threat Defense, and Active Response.

Significantly, it has also unveiled two new security operation centers (SOCs) that combine physical and cybersecurity into the McAfee Security Fusion Centers, located in Plano, Texas and Cork, Ireland. This is McAfee using its own products for its own organization: McAfee 'eating its own dog food' as its own Customer Zero.

The SOCs have a triple purpose -- to protect McAfee; to use McAfee products in a live scenario to provide practical feedback to the developers; and to provide an educational environment for customers to see McAfee SOC products in live action rather than choreographed simulation. The 'practical feedback' also provides an illustration of a key principle in McAfee's product philosophy: man and machine integration, each learning from and benefiting the other.

"The big deal for the McAfee Security Fusion Centers," writes McAfee CISO Grant Bourzikas in an associated blog, "is that they have a dual mission: 1) to protect McAfee, and; 2) help us build better products. And for myself, I would add a third objective: help our customers to learn from our experiences protecting McAfee. We want to help them build better reference architectures, learn how to communicate with boards of directors and become more innovative in solving cybersecurity problems." The Fusion Centers also, of course, demonstrate McAfee's faith in its own products.

The new ESM 11 architecture shares large volumes of raw, parsed and correlated security events to allow threat hunters to quickly search recent events, while storing the data for future forensic and compliance requirements. The architecture is horizontally scalable with active/active availability through the addition of extra ESM appliances or virtual machines.

Behavioral Analytics provides machine learning technology to discover high risk events that might otherwise be missed by human hunters. It distills billions of events down to hundreds of anomalies and then to 'a handful of prioritized threat leads' -- highlighting the signal in the noise -- and integrating with the McAfee product portfolio and other third-party SIEMs.

Investigator shares data with open source and third-party tools to streamline workflows and improve collaboration.

Active Response has been enhanced by integration with Investigator to help analysts scope the impact of a threat across endpoints in real time. Integration with Advanced Threat Defense also allows analysts to view sandbox reports and IoCs from a single workspace, while allowing the detection of PowerShell exploits and their remediation by isolating any affected host.

"Existing tools and approaches are too reliant on human expertise" says Jason Rolleston, VP of security analytics, commenting on the product announcements. "The answer is human-machine teaming, where analytics- and machine learning-powered solutions augment the security team to detect more threats, faster and with fewer people."

ESM 11 and Behavioral Analytics are available now. Investigator will be available in April, and the enhancements to Advanced Threat Defense and Active Response will be available in May.


Grey Heron, the new Co in the surveillance industry that promises to spy on Signal and Telegram
27.3.2018 securityaffairs
Hacker techniques

Who is behind the newborn Grey Heron surveillance company? According to an investigation conducted by Motherboard, the firm is linked to the Italian surveillance firm Hacking Team.
The development and sale of surveillance software is a profitable business; many government agencies use spyware for different purposes, and in some cases their involvement is very questionable.

Early this month, the journalist Joseph Cox from Motherboard wrote an interesting post on a mysterious surveillance firm called Grey Heron.

The company was advertising spyware able to spy on Signal and Telegram communications.

The Grey Heron name was unknown even within the security community, but Motherboard's investigation linked the company to the controversial Italian surveillance firm Hacking Team.

Motherboard obtained a brochure of the company that uses the following statement to describe its mission:

“Grey Heron’s mission is to provide to law enforcement the strong tools to balance the capabilities of those who wish to do harm,”

Grey Heron spyware (image; source: Motherboard)

According to a source familiar with the company, Grey Heron was formed from several players in the surveillance industry.

In 2015, Hacking Team suffered a major data breach: the hacker known as Phineas Fisher exfiltrated more than 400 gigabytes of internal data from the company's servers.

The hacker stole the company's emails, customer records, and the source code of its hacking tools and exploits.

In 2017, the company was bought by an entity linked to the Saudi government.

A new post written by Joseph Cox with his colleague Lorenzo Franceschi-Bicchierai cites a former Hacking Team employee who, speaking on condition of anonymity, confirmed the link between Hacking Team and Grey Heron.

“[it would] make sense to use a different name to continue to sell to those clients who weren’t happy after the hack.” said the former employee.
“Except those customers who don’t care because they buy spyware without thinking twice,” the former employee added. “I imagine that there’s a lot of them who don’t see Hacking Team favorably anymore, including the reselling partners, perhaps even more so than the final customers.”

The interesting news is that Grey Heron has privately confirmed that the Italian government has granted it permission to export its products throughout the European Union.

Grey Heron is looking with great interest at both the European and North American markets.


Experts uncovered a watering hole attack on leading Hong Kong Telecom Site exploiting CVE-2018-4878 flaw
27.3.2018 securityaffairs
Vulnerability

Researchers at Morphisec have uncovered a watering hole attack on leading Hong Kong Telecom website exploiting the CVE-2018-4878 flash vulnerability.

In a watering hole attack, hackers compromise websites their intended victims are likely to visit. The technique requires more effort than a common spear-phishing attack and is usually associated with APT groups.


In early February, Adobe rolled out an emergency patch that fixed two critical remote code execution vulnerabilities, including CVE-2018-4878, after a North Korean APT group was spotted exploiting it in targeted attacks.

At the time, South Korea’s Internet & Security Agency (KISA) warned of a Flash zero-day vulnerability (CVE-2018-4878) that has reportedly been exploited in attacks by North Korea’s hackers.

By the end of February, the researchers at Morphisec reported that threat actors were exploiting the use-after-free flaw to deliver malware.

“On March 21, 2018, Morphisec Labs began investigating the compromised website of a leading Hong Kong Telecommunications company after being alerted to it by malware hunter @PhysicalDrive0.” reads the analysis published by Morphisec.

“The investigation, conducted by Morphisec researchers Michael Gorelik and Assaf Kachlon, determined that the Telecom group’s corporate site had indeed been hacked. Attackers added an embedded Adobe Flash file that exploits the Flash vulnerability CVE-2018-4878 on the main home.php page. The attack is a textbook case of a watering hole attack.”

The threat actors behind this attack used advanced evasion techniques: the malicious code is purely fileless, with no persistence and no trace on disk. Also notable is the use of a custom protocol over TCP port 443, a port that is rarely filtered.

The Flash exploit used here was similar to the one seen in earlier CVE-2018-4878 attacks, but it runs a different shellcode after exploitation.

“Generally, this advanced type of watering hole attack is highly targeted in nature and suggests that a very advanced group is behind it,” continues the post.

“The Flash exploit that was delivered has a high degree of similarity to the previously published analysis of the CVE-2018-4878. The major difference in this exploit is in the shellcode that is executed post exploitation.”

The shellcode launches rundll32.exe and overwrites that process's memory with malicious code designed to download further code directly into the memory of the rundll32 process.

The additional code downloaded directly into the memory of the rundll32 process includes Metasploit Meterpreter and Mimikatz modules.

Analysis of the modules revealed that they were compiled on February 15, a few days before the attack.

“As our analysis shows, this watering hole attack is of advanced evasive nature. Being purely fileless, without persistence or any trace on the disk, and the use of custom protocol on a non-filtered port, makes it a perfect stepping stone for a highly targeted attack chain. This clearly suggests that very advanced threat actors are responsible for it,” Morphisec says.

The experts noticed that despite the advanced evasive features, the attack used basic Metasploit framework components that were compiled just before the attack and did not show any sophistication, obfuscation or evasion.
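A detection sketch for the post-exploitation stage just described, as an added example in Python; it is not Morphisec's code. It looks for rundll32.exe started without the usual dll,entry argument or spawned by a browser process, and for port 443 connections from rundll32 whose first bytes are not a TLS record header (type 0x16, major version 0x03), which is what a custom protocol on 443 looks like on the wire. The events are constructed for the example in a schema loosely modelled on Sysmon process-create and network-connect records; the payload_prefix field is an assumption, since Sysmon does not capture payload bytes and a network sensor would have to supply it. The parent process list, paths and addresses are likewise made up.

```python
"""Detection sketch for a fileless rundll32 stage talking a custom protocol on 443.

Added example, not Morphisec's code. Events are constructed for this example in
a schema loosely modelled on Sysmon process-create (id 1) and network-connect
(id 3) records. The payload_prefix field (hex of the first bytes the process
sent) is an assumption: Sysmon does not record it; a network sensor would.
"""
import re
from collections import defaultdict

SAMPLE_EVENTS = [
    # Pattern to catch: browser spawns rundll32 with no DLL argument, and that
    # rundll32 then sends something that is not TLS to port 443.
    {"id": 1, "pid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'"C:\Windows\System32\rundll32.exe"',
     "parent": r"C:\Program Files\Internet Explorer\iexplore.exe"},
    {"id": 3, "pid": 4120, "image": r"C:\Windows\System32\rundll32.exe",
     "dst": "203.0.113.7", "dport": 443, "payload_prefix": "0a3b77c1f0"},
    # Benign: explorer launches rundll32 with the usual dll,entry argument.
    {"id": 1, "pid": 5300, "image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL desk.cpl",
     "parent": r"C:\Windows\explorer.exe"},
    # Benign: a browser's TLS ClientHello (record type 0x16, version 0x03 0x01).
    {"id": 3, "pid": 6001, "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "dst": "198.51.100.40", "dport": 443, "payload_prefix": "160301"},
]

# Processes that host Flash content; constructed list, extend for your estate.
BROWSER_PARENTS = ("iexplore.exe", "firefox.exe", "chrome.exe", "plugin-container.exe")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rundll32_without_dll(ev: dict) -> bool:
    """rundll32.exe normally takes '<dll>,<entry>'; a bare invocation is unusual."""
    if basename(ev["image"]) != "rundll32.exe":
        return False
    args = re.findall(r'"[^"]*"|\S+', ev["cmdline"])[1:]  # drop the executable token
    return not any("," in a or a.lower().endswith(".dll") for a in args)


def spawned_by_browser(ev: dict) -> bool:
    return basename(ev["image"]) == "rundll32.exe" and basename(ev["parent"]) in BROWSER_PARENTS


def non_tls_on_443(ev: dict) -> bool:
    """True for port-443 traffic whose first bytes are not a TLS record header."""
    if ev.get("dport") != 443 or "payload_prefix" not in ev:
        return False
    raw = bytes.fromhex(ev["payload_prefix"])
    return not (len(raw) >= 2 and raw[0] == 0x16 and raw[1] == 0x03)


def detect(events: list) -> dict:
    """Map pid -> list of reasons for processes matching the pattern."""
    findings = defaultdict(list)
    for ev in events:
        if ev["id"] == 1:
            if rundll32_without_dll(ev):
                findings[ev["pid"]].append("rundll32 launched without a DLL argument")
            if spawned_by_browser(ev):
                findings[ev["pid"]].append("rundll32 spawned by " + basename(ev["parent"]))
        elif ev["id"] == 3 and basename(ev["image"]) == "rundll32.exe" and non_tls_on_443(ev):
            findings[ev["pid"]].append("non-TLS traffic to %s:443 from rundll32" % ev["dst"])
    return dict(findings)


if __name__ == "__main__":
    for pid, reasons in detect(SAMPLE_EVENTS).items():
        print(pid, "; ".join(reasons))
```

Each signal has benign hits on its own (some installers run rundll32 with unusual arguments, and a few legitimate services speak non-TLS protocols on 443), so the findings are grouped per process ID and the combination, not any single reason, is what should page an analyst.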

At this time, the company hasn’t attributed the attack to a specific threat actor, it is still investigating the incident.


Canadian Firm Linked to Cambridge Analytica Exposed Source Code

27.3.2018 securityweek Social

Source code belonging to Canada-based digital advertising and software development company AggregateIQ has been found by researchers on an unprotected domain. The exposed files appear to confirm reports of a connection between AggregateIQ and Cambridge Analytica, the controversial firm caught in the recent Facebook data scandal.

On March 20, Chris Vickery of cyber risk company UpGuard stumbled upon an AggregateIQ subdomain hosting source code for the company’s tools. The files, stored using a custom version of the code repository GitLab, were accessible simply by providing an email address.

The exposed information included the source code of tools designed for organizing information on a large number of individuals, including how they are influenced by ads, and tracking their online activities. The files also contained credentials that may have allowed malicious actors to launch damaging attacks, UpGuard said.

The nature of the exposed code is not surprising considering that the firm is said to have developed tools used in political campaigns around the world, including in the United States and United Kingdom.

AggregateIQ has been linked by the press and a whistleblower to Cambridge Analytica, a British political consulting and communications firm said to be involved in the presidential campaigns of Donald Trump and Ted Cruz, and the Brexit “Vote Leave” campaign.

Cambridge Analytica recently came under fire after it was discovered that it had collected information from 50 million Facebook users' profiles and used it to create software designed to predict and influence voters. Facebook has suspended the company’s account after news broke, but the social media giant has drawn a lot of criticism, both from customers and authorities.

According to some reports, AggregateIQ was originally launched with the goal of helping Cambridge Analytica and its parent company SCL Group. In a statement published on its website over the weekend, AggregateIQ denied reports that it’s part of Cambridge Analytica or SCL. It has also denied signing any contracts with the British firm and being involved in any illegal activity.

However, there appears to be some evidence that Cambridge Analytica owns AggregateIQ’s intellectual property, and the files discovered by UpGuard also seem to show a connection.

For example, two of the AggregateIQ projects whose source code was exposed contained the string “Ripon,” which is the name of Cambridge Analytica’s platform. The code also included a piece of text that may have been used in phone calls made by Ted Cruz supporters during his presidential campaign.

Researchers also noticed that one of the user accounts mentioned in the exposed files was named “SCL,” which could be a reference to Cambridge Analytica’s parent company.

“Taken in full, it remains unclear why what resembles a version of the app Cambridge Analytica promised would be ‘revolutionary’ for the Cruz campaign would be found in the development repository of AggregateIQ,” said UpGuard, which plans on publishing follow-up reports on this story.


FTC to Probe Facebook Over Privacy Practices
27.3.2018 securityweek
Social

A US consumer protection agency said Monday it has opened an investigation into Facebook's privacy practices, another blow to the social network, which is struggling to deal with a growing crisis on misuse of private data.

The Federal Trade Commission (FTC) confirmed news reports from last week that it had opened an inquiry over the harvesting of data on tens of millions of Facebook users by the British consulting group Cambridge Analytica.

While the FTC normally refuses to comment on its probes, it took the unusual step of confirming a "non-public investigation" into Facebook over whether it mishandled private data or violated a 2011 agreement which settled an earlier probe.

Acting FTC consumer protection chief Tom Pahl said the agency will look into whether Facebook violated its privacy promises or failed to comply with the US-EU agreement on data protection known as the Privacy Shield.

The agency will also determine whether Facebook engaged "in unfair acts that cause substantial injury to consumers in violation of the FTC Act."

The FTC suggested that Facebook could face new legal problems if it violated the consent decree with the consumer agency in 2011 settling charges that it deceived consumers on how it handled private data.

"Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements," Pahl said in the statement.

"Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook."

Facebook shares reversed early losses and closed up 0.42 percent on Monday, after having lost some 14 percent last week.

Separately, Senate Judiciary Committee chairman Charles Grassley said he had asked Facebook CEO Mark Zuckerberg to appear at a hearing on April 10 "to discuss Facebook's past and future policies regarding the protection and monitoring of consumer data."

Grassley said he also invited Google CEO Sundar Pichai and Twitter CEO Jack Dorsey "to discuss the future of data privacy in the social media industry."

- Germany to boost oversight -

Germany's justice minister meanwhile said Monday that Facebook should face "stricter" oversight and be more transparent with its users.

Speaking after a meeting with European Facebook executives in Berlin, Justice Minister Katarina Barley said the firm's assurances that it had already cracked down on the misuse of personal data were "not enough."

"In future we will clearly have to monitor companies like Facebook more strictly and punish data protection violations severely and quickly," she told reporters.

The world's biggest social network is facing calls on both sides of the Atlantic for more information on how its user data was leaked. Several US states have opened investigations.

A public apology by Zuckerberg has failed to quell outrage over the hijacking of personal data.

Separately, Facebook disputed reports that it had been logging call and text data surreptitiously from its users.

A Facebook statement said call and text history logging "is part of an opt-in feature" for those using Messenger or Facebook Lite on Android.

"This helps you find and stay connected with the people you care about, and provides you with a better experience across Facebook," the statement said, while pointing to ways users can turn off the feature.

In London, authorities said they were assessing data seized in a raid on the offices of Cambridge Analytica as part of their investigation.

About 18 enforcement agents from the Information Commissioner's Office participated in the raid late Friday after getting a court order.

"This is one part of a larger investigation by the ICO into the use of personal data and analytics by political campaigns, parties, social media companies and other commercial actors," the UK agency said.

Cambridge Analytica, which worked on US President Donald Trump's election campaign, has been accused of illegally mining tens of millions of users' Facebook data and using it to target potential voters.

Facebook took out full-page ads in nine major British and US newspapers on Sunday to apologize to users.

"We have a responsibility to protect your information. If we can't we don't deserve it," Zuckerberg said in the ads.


GoScanSSH Malware spread avoiding Government and Military networks
27.3.2018 securityaffairs BigBrothers

Security experts at Cisco Talos discovered a new piece of malware dubbed GoScanSSH that was being used to compromise SSH servers exposed online.

The malicious code is written in the Go programming language, which is uncommon for malware, and implements several interesting features; for example, it tries to avoid infecting devices on government and military networks.

“Talos identified a new malware family that was being used to compromise SSH servers exposed to the internet. This malware, which we have named GoScanSSH, was written using the Go programming language, and exhibited several interesting characteristics.” reads the analysis published by Talos.

The attacker created a unique malware binary for each infected system, and the researchers reported that the GoScanSSH command and control (C2) infrastructure leveraged the Tor2Web proxy service, which makes the C2 infrastructure hard to track and resilient to takedowns.

GoScanSSH conducts brute-force attacks against publicly accessible SSH servers that allow password-based authentication, using a word list of more than 7,000 username/password combinations. When it finds a valid credential set, a unique GoScanSSH binary is created, uploaded to the compromised SSH server and executed.

While scanning for vulnerable SSH servers, GoScanSSH randomly generates IP addresses, avoiding special-use addresses. The malware then checks each address against a list of CIDR blocks it will not scan, network ranges primarily controlled by various government and military entities.

The malware specifically avoids ranges assigned to the U.S. Department of Defense, experts also noticed that one of the network ranges in the list is assigned to an organization in South Korea.
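Detection for the brute-force phase described above, as an added example in Python rather than anything from the Talos analysis: it parses OpenSSH authentication log lines in the standard syslog format, counts failed password attempts and usernames tried per source address, and raises an alert when a successful password login follows a burst of failures from the same source, which is exactly the sequence GoScanSSH produces before uploading its binary. The log lines, host name, addresses and the failure threshold are constructed for the example.

```python
"""Spot the GoScanSSH sequence in sshd logs: many failed passwords from one
source, then a successful password login from the same source.

Added example, not Talos code. The log lines are constructed in OpenSSH's
standard syslog format; host name, addresses and the threshold are made up.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
Mar 26 02:11:03 edge sshd[1201]: Failed password for root from 198.51.100.23 port 50112 ssh2
Mar 26 02:11:04 edge sshd[1203]: Failed password for invalid user admin from 198.51.100.23 port 50114 ssh2
Mar 26 02:11:05 edge sshd[1205]: Failed password for invalid user ubnt from 198.51.100.23 port 50116 ssh2
Mar 26 02:11:06 edge sshd[1207]: Failed password for invalid user support from 198.51.100.23 port 50118 ssh2
Mar 26 02:11:07 edge sshd[1209]: Failed password for pi from 198.51.100.23 port 50120 ssh2
Mar 26 02:11:09 edge sshd[1211]: Accepted password for pi from 198.51.100.23 port 50122 ssh2
Mar 26 02:12:00 edge sshd[1260]: Accepted publickey for deploy from 203.0.113.9 port 41000 ssh2: RSA SHA256:x
Mar 26 02:12:30 edge sshd[1265]: Failed password for alice from 192.0.2.8 port 33010 ssh2
Mar 26 02:12:35 edge sshd[1267]: Accepted password for alice from 192.0.2.8 port 33012 ssh2
"""

LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def analyze(log_text: str, fail_threshold: int = 5) -> dict:
    """Count password failures per source, and flag password logins that follow a burst."""
    failures = defaultdict(int)
    users_tried = defaultdict(set)
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, user = m["src"], m["user"]
        if m["result"] == "Failed" and m["method"] == "password":
            failures[src] += 1
            users_tried[src].add(user)
        elif (m["result"] == "Accepted" and m["method"] == "password"
              and failures.get(src, 0) >= fail_threshold):
            # Success right after a burst from the same source: the word list worked.
            alerts.append({
                "src": src, "user": user,
                "failures_before": failures[src],
                "users_tried": sorted(users_tried[src]),
            })
    brute_force_sources = sorted(s for s, n in failures.items() if n >= fail_threshold)
    return {"failures": dict(failures), "brute_force_sources": brute_force_sources, "alerts": alerts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for a in result["alerts"]:
        print("password login from %s as %s after %d failures (tried %s)"
              % (a["src"], a["user"], a["failures_before"], ", ".join(a["users_tried"])))
```

The precondition Talos names, password authentication being enabled, is the thing to remove where possible: PasswordAuthentication no in sshd_config, with key-based logins, defeats the word list outright. The alert above is for servers where that change is not yet possible, and the threshold should be tuned so a user mistyping a password a couple of times does not trip it.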

The researchers detected more than 70 unique malware samples associated with the GoScanSSH malware family, the experts observed samples that were compiled to support multiple system architectures including x86, x86_64, ARM and MIPS64.

The experts also observed multiple versions (e.g., 1.2.2, 1.2.4, 1.3.0) of the malware in the wild, which suggests the threat actors behind it are continuing to improve it.

GoScanSSH malware DNS queries (figure)
According to the researchers, the threat actors are likely trying to compromise larger networks; the experts believe the attackers are well resourced and highly skilled.

They have been active since June 2017 and have already deployed 70 different versions of GoScanSSH using over 250 distinct C&C servers.

The analysis of passive DNS data related to all of the C2 domains collected from all of the samples Talos analyzed confirmed that the number of infected systems is low.

“In analyzing passive DNS data related to all of the C2 domains collected from all of the samples Talos analyzed, resolution attempts were seen dating back to June 19, 2017, indicating that this attack campaign has been ongoing for at least nine months. Additionally, the C2 domain with the largest number of resolution requests had been seen 8,579 times.” states the analysis published by Talos.

Further details on the GoScanSSH malware, including IoCs, are reported in the analysis published by Talos.


Ukrainian Suspected of Leading Carbanak Gang Arrested in Spain
26.3.2018 securityweek CyberCrime

A Ukrainian national suspected of being the leader of a gang that used Carbanak malware to steal a significant amount of money from banks worldwide has been arrested in Spain, Europol and the Spanish government announced on Monday.

According to authorities, the man is believed to be the mastermind of an operation that resulted in losses totaling over €1 billion ($1.24 billion). The hackers targeted over 100 financial organizations in more than 40 countries around the world, stealing up to €10 million ($12.4 million) in a single heist.

The suspect was arrested in Alicante, Spain, following an investigation conducted by the Spanish National Police and supported by Europol, private cybersecurity firms, and law enforcement agencies in the United States, Romania, Belarus and Taiwan.

Spain’s interior ministry identified the suspect as Ukrainian national “Denis K” and noted that he ran the operation with help from three Russian and Ukrainian nationals. The mastermind of the operation had been working from Spain, and he found his accomplices online, but they never met in person.

The gang targeted ATMs in Spain’s capital city of Madrid in the first quarter of 2017, stealing half a million euros.

Police seized computers, jewelry worth €500,000 ($620,000), documents, and two luxury vehicles following Denis K’s arrest. Bank accounts and two houses valued at roughly €1 million ($1.24 million) were also blocked.

The cybercrime group, tracked as Carbanak, Anunak and Cobalt, has been around since at least 2013 and its activities were first detailed in 2014. According to Spain’s interior ministry, investigations into the group started in 2015.

According to Europol, the cybercriminals started out by using a piece of malware they had dubbed Anunak. They later improved their malware, producing a version the cybersecurity industry has dubbed Carbanak. Starting in 2016, they launched more sophisticated attacks using a custom version of the penetration testing tool Cobalt Strike. It is worth noting that this is not the only cybercrime group known to use the Carbanak malware.

The hackers delivered their malware to bank employees using spear-phishing emails. Once the malware was deployed, it gave attackers access to the compromised organization’s internal network, including servers controlling ATMs.

The cybercriminals used their access to these servers to remotely instruct ATMs to dispense cash at a predetermined time, when the group’s mules would be nearby to collect the money. They also transferred funds from the targeted bank to their own accounts, and modified balances to allow members of the gang to withdraw large amounts of money at cash machines.

Authorities said the group worked with the Russian and Moldovan mafia, which were responsible for the money mules involved in the operation. The criminal proceeds were often laundered using bitcoins – the gang is said to have acquired 15,000 bitcoins, currently worth more than $118 million.

“It appears that the ultimate downfall was spurred on by what ends up bringing down most organized crime groups: accounting. This reinforces the need for law enforcement organizations to continue focusing on traditional 'follow the money angles' as much as cyber forensic capabilities. As long as you cannot make major purchases with cryptocurrencies, the Achilles heel of any organized crime activity will be laundering money and taxes,” commented Ross Rustici, senior director of intelligence services at Cybereason.

“Pinching these types of actors from both a prevention of movement in cyberspace and a reduced ability to enjoy their illicit gains often results in the largest successes for law enforcement,” Rustici added. “What remains to be seen is whether this arrest will result in a serious degradation of Carbanak’s capabilities or merely a short-term hindrance while the group refocuses its activity.”


Drupal to Patch Highly Critical Vulnerability This Week
26.3.2018 securityweek
Vulnerability

Drupal announced plans to release a security update for Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28, 2018, aimed at addressing a highly critical vulnerability.

The Drupal security team hasn’t provided information on the vulnerability and says it won’t release any details on it until the patch arrives. An advisory containing all the necessary information will be published on March 28.

Before that, however, the team advises customers to be prepared for the update’s release and to apply it immediately after it is published, given its high exploitation potential.

“The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days,” Drupal announced.

The highly popular content management system (CMS) powers over one million sites and is used by a large number of e-commerce businesses.

Due to the widespread use of Drupal, currently the second most used CMS after WordPress, the security update will be released for Drupal versions 8.3.x and 8.4.x as well, although they are no longer supported.

“While […] we don't normally provide security releases for unsupported minor releases, given the potential severity of this issue, we are providing 8.3.x and 8.4.x releases that include the fix for sites which have not yet had a chance to update to 8.5.0,” Drupal says.

The Drupal security team urges customers to update to the appropriate release for their CMS version as soon as it is made available on March 28.

Thus, sites on 8.3.x should be updated to the upcoming 8.3.x iteration and then to the latest 8.5.x security release in the next month, while sites on 8.4.x should apply the next 8.4.x release and then upgrade to 8.5.x as well.

All sites on Drupal versions 7.x or 8.5.x should immediately apply the update when the advisory is released, using the normal update methods.

All of the appropriate version numbers for the impacted Drupal 8 branches will be listed in the upcoming advisory.

“Your site's update report page will recommend the 8.5.x release even if you are on 8.3.x or 8.4.x, but temporarily updating to the provided backport for your site's current version will ensure you can update quickly without the possible side effects of a minor version update,” Drupal also notes.


Energy Sector Most Impacted by ICS Flaws, Attacks: Study
26.3.2018 securityweek ICS

The energy sector was targeted by cyberattacks more than any other industry, and many of the vulnerabilities disclosed last year impacted products used in this sector, according to a report published on Monday by Kaspersky Lab.

The security firm has analyzed a total of 322 flaws disclosed in 2017 by ICS-CERT, vendors and its own researchers, including issues related to industrial control systems (ICS) and general-purpose software and protocols used by industrial organizations.

Of the total number of security holes, 178 impact control systems used in the energy sector. Critical manufacturing organizations – this includes manufacturers of primary metals, machinery, electrical equipment, and transportation equipment – were affected by 164 of these vulnerabilities.

Other industries hit by a significant number of vulnerabilities are water and wastewater (97), transportation (74), commercial facilities (65), and food and agriculture (61).

Many of the vulnerabilities disclosed last year impacted SCADA or HMI components (88), industrial networking devices (66), PLCs (52), and engineering software (52). However, vulnerabilities in general purpose software and protocols have also had an impact on industrial organizations, including the WPA flaws known as KRACK and bugs affecting Intel technology.

As for the types of vulnerabilities, nearly a quarter are web-related and 21 percent are authentication issues.

A majority of the flaws have been assigned severity ratings of medium or high, but 60 weaknesses are considered critical based on their CVSS score. Kaspersky pointed out that all vulnerabilities with a CVSS score of 10 are related to authentication and they are all easy to exploit remotely.

Kaspersky said 265 of the vulnerabilities can be exploited remotely without authentication and without any special knowledge or skills. It also noted that exploits are publicly available for 17 of the security holes.

The company has also shared data on malware infections and other security incidents. In the second half of 2017, Kaspersky security products installed on industrial automation systems detected nearly 18,000 malware variants from roughly 2,400 families. Malware attacks were blocked on almost 38 percent of ICS computers protected by the company, which was slightly less than in the second half of the previous year.

Again, the energy sector was the most impacted. According to the security firm, roughly 40 percent of the devices housed by energy organizations were targeted.

ICS devices attacked in various industries in 2017

“In the vast majority of cases, attempts to infect ICS computers are accidental and are not part of targeted attacks,” Kaspersky said. “Consequently, the functionality implemented in malware is not specific to attacks on industrial automation systems. However, even without ICS-specific functionality, a malware infection can have dire consequences for an industrial automation system, including an emergency shutdown of the industrial process.”

One example was the WannaCry attack, which, according to Kaspersky, in some cases resulted in temporary disruptions to industrial processes.

Researchers noted that botnet agents can also pose a significant threat, including by stealing sensitive data and by causing disruptions to industrial processes as a side effect of coding errors and incompatibility. Kaspersky reported that last year more than 10 percent of the systems it monitored were targeted by botnet agents.


Pentagon Looks to Counter Ever-stealthier Warfare
26.3.2018 securityweek BigBrothers

The US military has for years enjoyed a broad technological edge over its adversaries, dominating foes with superior communications and cyber capabilities.

Now, thanks to rapid advances by Russia and China, the gap has shrunk, and the Pentagon is looking at how a future conflict with a "near-peer" competitor might play out.

Air Force Secretary Heather Wilson recently warned that both Russia and China are experimenting with ways to take out the US military's satellites, which form the backbone of America's warfighting machine.

"They know that we are dominant in space, that every mission the military does depends on space, and in a crisis or war they are demonstrating capabilities and developing capabilities to seek to deny us our space assets," Wilson said.

"We're not going to let that happen."

The Pentagon is investing in a new generation of satellites that will provide the military with better accuracy and have better anti-jamming capabilities.

Such technology would help counter the type of "asymmetric" warfare practised by Russia, which combines old-school propaganda with social media offensives and cyber hacks.

Washington has blamed Moscow for numerous cyber attacks, including last year's massive ransomware attack, known as NotPetya, which paralyzed thousands of computers around the world.

US cyber security investigators have also accused the Russian government of a sustained effort to take control of critical US infrastructure systems, including the energy grid.

Russia denies involvement and so far, such attacks have been met with a muted US military response.

- Public relations shutdown -

General John Hyten, who leads US Strategic Command (STRATCOM), told lawmakers the US has "not gone nearly far enough" in the cyber domain.

He also warned that the military still does not have clear authorities and rules of engagement for when and how it can conduct offensive cyber ops.

"Cyberspace needs to be looked at as a warfighting domain, and if somebody threatens us in cyberspace, we need to have the authorities to respond," Hyten told lawmakers this week.

Hyten's testimony comes after Admiral Michael Rogers, who heads both the NSA -- the leading US electronic eavesdropping agency -- and the new US Cyber Command, last month said President Donald Trump had not yet ordered his spy chiefs to retaliate against Russian interference in the 2016 US election.

Russia has also been blamed for the March 4 poisoning of former spy Sergei Skripal and his daughter Yulia, who were found unconscious on a bench outside a shopping center in England.

NATO countries are working to determine when a cyber attack might trigger the alliance's Article 5 collective defense provision, General Curtis Scaparrotti, the commander of NATO forces in Europe, said this month.

NATO "recognizes the difficulty in indirect or asymmetric activity that Russia is practising, activities below the level of conflict," Scaparrotti said.

In 2015, the Air Force opened the highly secretive National Space Defense Center in Colorado, where airmen work to identify potential threats to America's satellite network.

After officials told a local newspaper, The Gazette, that the center had started running on a 24-hour basis, Air Force higher-ups grew alarmed that too much information had been revealed.

In an example of how sensitive the issue of cybersecurity now is, the Air Force reacted by putting its entire public operations department on a "stand down" while it reviews how it interacts with journalists.


One Year Later, Hackers Still Target Apache Struts Flaw
26.3.2018 securityweek Vulnerability

One year after researchers saw the first attempts to exploit a critical remote code execution flaw affecting the Apache Struts 2 framework, hackers continue to scan the Web for vulnerable servers.

The vulnerability in question, tracked as CVE-2017-5638, affects Struts 2.3.5 through 2.3.31 and Struts 2.5 through 2.5.10. The security hole was addressed on March 6, 2017 with the release of versions 2.3.32 and 2.5.10.1.

The bug, caused by improper handling of the Content-Type header, can be triggered when performing file uploads with the Jakarta Multipart parser, and it allows a remote and unauthenticated attacker to execute arbitrary OS commands on the targeted system.

The first exploitation attempts were spotted one day after the patch was released, shortly after someone made available a proof-of-concept (PoC) exploit. Some of the attacks scanned servers in search of vulnerable Struts installations, while others were set up to deliver malware.

Guy Bruneau, researcher and handler at the SANS Internet Storm Center, reported over the weekend that his honeypot had caught a significant number of attempts to exploit CVE-2017-5638 over the past two weeks.

The expert said his honeypot recorded 57 exploitation attempts on Sunday, on ports 80, 8080 and 443. The attacks, which appear to rely on a publicly available PoC exploit, involved one of two requests designed to check if a system is vulnerable.

Bruneau told SecurityWeek that he has yet to see any payloads. The researcher noticed scans a few times a week starting on March 13, coming from IP addresses in Asia.

“The actors are either looking for unpatched servers or new installations that have not been secured properly,” Bruneau said.
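A quick way to recognise these probes at a reverse proxy or in honeypot logs is to treat the Content-Type header with suspicion: a legitimate value is a media type, never an OGNL expression. The check below is an added example written for this page, not code from SANS ISC or Bruneau; the log records are constructed, the field layout is assumed, and the injection sample is a truncated stand-in for the public PoC, not a working exploit. The marker list is a starting signature; the grammar check behind it also catches variants that avoid those exact strings.

```python
import re

# Strict shape of a legitimate Content-Type value (RFC 7231 media-type grammar,
# slightly simplified): token "/" token, then optional ;name=value parameters.
# OGNL expressions contain "{", "(", "'" and spaces where this grammar forbids them.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
_QUOTED = r'"[^"]*"'
_MEDIA_TYPE_RE = re.compile(
    r"^\s*" + _TOKEN + "/" + _TOKEN
    + r"\s*(?:;\s*" + _TOKEN + "=(?:" + _TOKEN + "|" + _QUOTED + r")\s*)*$"
)

# Substrings seen in the public S2-045 proof-of-concept payloads and their
# variants: the OGNL expression opener and the objects used to disable the
# sandbox and reach the operating system.
_OGNL_MARKERS = ("%{", "${", "#_memberAccess", "ognl.OgnlContext", "ProcessBuilder")


def classify_content_type(value: str):
    """Return (verdict, detail) for one Content-Type header value.

    verdict is 'ognl-injection' (known marker), 'malformed' (not a media type
    at all, worth a look) or 'ok'."""
    hits = [m for m in _OGNL_MARKERS if m in value]
    if hits:
        return "ognl-injection", ",".join(hits)
    if not _MEDIA_TYPE_RE.match(value):
        return "malformed", "does not parse as a media type"
    return "ok", ""


# Constructed proxy-log style records (not real honeypot data):
# (timestamp, source IP, method, path, Content-Type header value).
SAMPLE_LOG = [
    ("2018-03-25T08:01:10Z", "203.0.113.7", "GET", "/index.action",
     "text/html"),
    ("2018-03-25T08:01:11Z", "198.51.100.4", "POST", "/upload.action",
     "multipart/form-data; boundary=----FormBoundary7MA4YWxkTrZu0gW"),
    # Constructed stand-in for the S2-045 probe: an OGNL expression where a
    # media type should be. Truncated on purpose; it is not a working exploit.
    ("2018-03-25T08:02:30Z", "203.0.113.7", "GET", "/struts2-showcase/",
     "%{(#_='multipart/form-data').(#_memberAccess=...)}"),
    ("2018-03-25T08:03:00Z", "192.0.2.9", "GET", "/login.action",
     "application/json; charset=utf-8"),
    # Malformed but marker-free: caught by the grammar check, not the signature.
    ("2018-03-25T08:03:05Z", "192.0.2.9", "POST", "/login.action",
     "multipart/form-data; boundary={"),
]


def scan(records):
    """Run the check over log records; return alerts as (source IP, verdict, path)."""
    alerts = []
    for _ts, src, _method, path, ctype in records:
        verdict, _detail = classify_content_type(ctype)
        if verdict != "ok":
            alerts.append((src, verdict, path))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Rejecting anything that fails the media-type grammar at the edge, before the request reaches Struts, is also a reasonable virtual patch for servers that cannot be upgraded immediately; the honeypot-style classification above only reports.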

The CVE-2017-5638 vulnerability is significant as it was exploited by cybercriminals last year to hack into the systems of U.S. credit reporting agency Equifax. Attackers had access to Equifax systems for more than two months and they managed to obtain information on over 145 million of the company’s customers.

The same vulnerability was also leveraged late last year in a campaign that involved NSA-linked exploits and cryptocurrency miners.

This is not the only Apache Struts 2 vulnerability exploited by malicious actors since last year. In September, security firms warned that a remote code execution flaw tracked as CVE-2017-9805 had been exploited to deliver malware.


Watering Hole Attack Exploits North Korea's Flash Flaw
26.3.2018 securityweek Exploit

An attack leveraging the compromised website of a Hong Kong telecommunications company is using a recently patched Flash vulnerability that has been exploited by North Korea since mid-November 2017, Morphisec warns.

The targeted vulnerability, CVE-2018-4878, first became public in early February, after the Korea Internet & Security Agency (KISA) issued an alert on it being abused by a North Korean hacker group. Adobe patched the flaw within a week.

By the end of February, cybercriminals were already abusing the vulnerability. The newly observed incident, Morphisec notes, is a textbook case of a watering hole assault. As part of such attacks, which are mainly focused on cyber-espionage, actors plant malware on websites their victims are likely to visit.

The newly observed incident revealed advanced evasive characteristics, as it was purely fileless, without persistence or any trace on the disk. Furthermore, it used a custom protocol on a non-filtered port.

“Generally, this advanced type of watering hole attack is highly targeted in nature and suggests that a very advanced group is behind it,” the security researchers note.

The Flash exploit used in this assault was highly similar to the one detailed in the previous analysis of the CVE-2018-4878 vulnerability, although it employs a different shellcode executed post exploitation.

The shellcode executes rundll32.exe and overwrites its memory with malicious code. This malicious code was designed to download additional code directly into the memory of the rundll32 process.

The security researchers also discovered that the command and control (C&C) server uses a custom protocol over port 443 to communicate with the victim.

The additional code downloaded into the memory of rundll32 includes Metasploit Meterpreter and Mimikatz modules. Most of the modules were compiled on February 15, less than a week before the attack.
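The mechanism described above (a rundll32.exe whose memory is overwritten, then talking a non-TLS protocol on port 443) suggests two cheap hunting checks that need no signature for the payload itself. The following is an added example, not Morphisec's code or part of the original article: the telemetry records are constructed, the field names are a Sysmon-like shape assumed for illustration, and the "rundll32 with no DLL argument" heuristic is a general hunting rule rather than a detail the article reports about this attack.

```python
# Browsers and plugin hosts a legitimate rundll32.exe is rarely a child of
# (assumed list for this example; extend it to match your environment).
BROWSER_PARENTS = {"iexplore.exe", "chrome.exe", "firefox.exe", "msedge.exe"}

# Constructed endpoint telemetry in a Sysmon-like shape (not real data).
PROCESS_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r'"C:\Program Files\Internet Explorer\iexplore.exe"'},
    # Hollowed host: spawned by the browser, no DLL or entry point given.
    {"pid": 5232, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "cmdline": r"C:\Windows\System32\rundll32.exe"},
    # Ordinary Control Panel use of rundll32, for contrast.
    {"pid": 6010, "image": r"C:\Windows\System32\rundll32.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "cmdline": r"rundll32.exe shell32.dll,Control_RunDLL inetcpl.cpl"},
]

# Constructed network events: the sensor keeps the first bytes each client
# sent on a flow, which is enough to tell TLS from a custom protocol.
NETWORK_EVENTS = [
    {"pid": 4120, "dst": "93.184.216.34", "dport": 443,
     "first_bytes": bytes.fromhex("16030100c4010000c00303")},  # TLS ClientHello
    {"pid": 5232, "dst": "198.51.100.23", "dport": 443,
     "first_bytes": bytes.fromhex("0a0b0c0d0e0f10111213")},    # not TLS
    {"pid": 6010, "dst": "93.184.216.34", "dport": 443,
     "first_bytes": bytes.fromhex("16030100c4010000c00303")},
]


def looks_like_tls_client_hello(first_bytes: bytes) -> bool:
    """True if a flow opens with a TLS record carrying a ClientHello:
    record type 0x16 (handshake), legacy version 0x03 0x01..0x03, a two-byte
    length, then handshake type 0x01 (ClientHello) at offset 5."""
    if len(first_bytes) < 6:
        return False
    return (first_bytes[0] == 0x16
            and first_bytes[1] == 0x03
            and first_bytes[2] in (0x01, 0x02, 0x03)
            and first_bytes[5] == 0x01)


def hunt(process_events, network_events):
    """Return (pid, reasons) for every rundll32.exe flow that trips a check."""
    by_pid = {e["pid"]: e for e in process_events}
    findings = []
    for net in network_events:
        proc = by_pid.get(net["pid"])
        if proc is None or not proc["image"].lower().endswith("\\rundll32.exe"):
            continue
        reasons = []
        parent = proc["parent_image"].lower().rsplit("\\", 1)[-1]
        if parent in BROWSER_PARENTS:
            reasons.append(f"spawned by browser {parent}")
        # Naive whitespace split is enough here; real command lines need
        # Windows-style quoting rules.
        if len(proc["cmdline"].split()) <= 1:
            reasons.append("no DLL/entry point on the command line")
        if net["dport"] == 443 and not looks_like_tls_client_hello(net["first_bytes"]):
            reasons.append(f"non-TLS traffic to {net['dst']}:443")
        if reasons:
            findings.append((net["pid"], reasons))
    return findings


if __name__ == "__main__":
    for pid, reasons in hunt(PROCESS_EVENTS, NETWORK_EVENTS):
        print(pid, "; ".join(reasons))
```

Because the implant leaves nothing on disk, the process and flow records are the only durable evidence; capturing the first bytes of outbound flows is what makes the "custom protocol on a non-filtered port" observation actionable.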

“As our analysis shows, this watering hole attack is of advanced evasive nature. Being purely fileless, without persistence or any trace on the disk, and the use of custom protocol on a non-filtered port, makes it a perfect stepping stone for a highly targeted attack chain. This clearly suggests that very advanced threat actors are responsible for it,” Morphisec says.

Despite these advanced evasive features, the attack used basic Metasploit framework components that were compiled just before the attack and lacked any sophistication, obfuscation or evasion, which creates confusion and makes it difficult to pinpoint the attack to an actor.

According to Morphisec, this attack, the exploit kits that were updated to target CVE-2018-4878, the campaign observed a few weeks ago and the vulnerability’s abuse by nation-state groups all create a certain sense of déjà vu.

“It is like the anarchy of 2-3 years ago when we had new exploits targeting a particular vulnerability discovered every week. Each one different enough to evade detection for those crucial first moments and security solutions always racing to catch up,” the security firm concludes.


Former Barclays CISO to Head WEF's Global Center for Cybersecurity
26.3.2018 securityweek Cyber

Troels Oerting to Head the Global Centre for Cybersecurity

The 48th annual meeting of the World Economic Forum (WEF) at Davos, Switzerland, in January announced the formation of a new Global Centre for Cybersecurity. Today it announced that Troels Oerting will be its first Head, assuming the role on April 2, 2018.

Oerting has been the group chief information security officer (CISO) at Barclays since February 2015. Before that he was head of the European Cybercrime Centre (EC3) -- part of Europol formed in 2013 to strengthen LEA response to cross-border cybercrime in the EU -- and head of the Europol Counter Terrorist and Financial Intelligence Center (since 2012). He also held several other law enforcement positions (such as Head of the Serious Organised Crime Agency with the Danish National Police), and also chaired the EU Financial Cybercrime Coalition.

Oerting brings to WEF's Global Center for Cybersecurity a unique combination of hands-on cybersecurity expertise as Barclays' CISO, together with experience of and contacts within European-wide cyber intelligence organizations, and a deep knowledge of the financial crimes that will be of particular significance to WEF's members. It is a clear statement from the WEF that the new center should be taken seriously.

“The Global Centre for Cybersecurity is the first global platform to tackle today’s cyber-risks across industries, sectors and in close collaboration with the public sector. I’m glad that we have found a proven leader in the field who is keen and capable to help us address this dark side of the Fourth Industrial Revolution,” said Klaus Schwab, founder and executive chairman of the World Economic Forum.

WEF's unique position at the heart of trans-national business, with the ear of governments, provides the opportunity to develop a truly global approach to cybersecurity. Most current cybersecurity regulations and standards are based on national priorities aimed against an adversary that knows no national boundaries. The aims of the new center are to consolidate existing WEF initiatives; to establish an independent library of best practices; to work towards an appropriate and agile regulatory framework on cybersecurity; and to provide a laboratory and early-warning think tank on cybersecurity issues.


Law enforcement arrested the head of the Carbanak gang that stole 1 billion from banks
26.3.2018 securityaffairs Virus

The head of the crime ring behind the Carbanak gang that since 2013 targeted banks worldwide has been arrested in Spain.
The mastermind suspected of stealing about £870m (€1bn) in a bank cyber heist has been arrested in Spain.

The man is suspected to be the kingpin of the crime ring behind the Carbanak gang, which since 2013 has targeted banks worldwide with the malware of the same name and with the Cobalt malicious code.

“The leader of the crime gang behind the Carbanak and Cobalt malware attacks targeting over a 100 financial institutions worldwide has been arrested in Alicante, Spain, after a complex investigation conducted by the Spanish National Police, with the support of Europol, the US FBI, the Romanian, Belarussian and Taiwanese authorities and private cyber security companies.” reads the official announcement from the Europol. “Since 2013, the cybercrime gang have attempted to attack banks, e-payment systems and financial institutions using pieces of malware they designed, known as Carbanak and Cobalt. The criminal operation has struck banks in more than 40 countries and has resulted in cumulative losses of over EUR 1 billion for the financial industry. The magnitude of the losses is significant: the Cobalt malware alone allowed criminals to steal up to EUR 10 million per heist.”

The operation that led to the arrest of the head of the gang was conducted by Europol and the FBI, along with cyber-security firms and law enforcement agencies in Spain, Romania, Belarus and Taiwan.
The Carbanak gang was first discovered by Kaspersky Lab in 2015; in early 2016 it targeted banks and financial institutions, mainly in the US and the Middle East. The group has stolen around 1 billion from 100 financial institutions.

In November 2016, experts at Trustwave uncovered a new campaign launched by the group targeting organizations in the hospitality sector.

In January 2017, the Carbanak gang started using Google services for command and control (C&C) communication.


The arrest was the result of one of the most important investigations conducted by the European authorities.

“This global operation is a significant success for international police cooperation against a top level cybercriminal organisation. The arrest of the key figure in this crime group illustrates that cybercriminals can no longer hide behind perceived international anonymity.” said Steven Wilson, Head of Europol’s European Cybercrime Centre (EC3). “This is another example where the close cooperation between law enforcement agencies on a worldwide scale and trusted private sector partners is having a major impact on top level cybercriminality.”

What is the Carbanak modus operandi?

The infection started with a classic spear phishing attack that allowed the Carbanak cybergang to compromise banks’ computer systems. The malicious emails included a link that, once clicked, triggered the download of the malware.

The malicious code was used by the hackers of the Carbanak cybergang to gather information on the targeted bank, for example to find employees who were in charge of cash transfer systems or ATMs. In a second phase of the attacks, the hackers installed a remote access tool (RAT) to control the machines of those employees. With this tactic the Carbanak cybergang collected images of victims’ screens and studied their daily activity in the bank. At this point, the hackers were able to remotely control the ATMs to dispense money or transfer money to fake accounts.

Carbanak cybergang NYT

“The bank’s internal computers, used by employees who process daily transfers and conduct bookkeeping, had been penetrated by malware that allowed cybercriminals to record their every move. The malicious software lurked for months, sending back video feeds and images that told a criminal group — including Russians, Chinese and Europeans — how the bank conducted its daily routines, according to the investigators.

Then the group impersonated bank officers, not only turning on various cash machines, but also transferring millions of dollars from banks in Russia, Japan, Switzerland, the United States and the Netherlands into dummy accounts set up in other countries.” reported the New York Times


Facebook collected call and SMS data from Android users if not explicitly forbidden
26.3.2018 securityaffairs Social

After the Cambridge Analytica scandal, Facebook made the headlines again: the company collected users’ Android call and SMS metadata for years.
The Cambridge Analytica case has raised the discussion about the power of social networks and the possibility of their abuse to condition political activity.
Non-professionals have discovered how important their digital experience is and how companies specialized in data analysis operate without their knowledge.

Social network platforms hold an impressive quantity of information about us and are able not only to profile us but also to influence our choices.
Six years ago I was banned by the “democratic” Wikipedia because I coined a term that described how it is possible to manipulate social networks; the entry “Social network poisoning” was deleted from the English Wikipedia but is still present in the Italian version.
Take a look at the translated version … and if you have friends at Wikipedia tell them it was an error to ban me

https://translate.google.it/translate?sl=it&tl=en&js=y&prev=_t&hl=it&ie=UTF-8&u=https%3A%2F%2Fit.wikipedia.org%2Fwiki%2FSocial_Network_Poisoning&edit-text=

Back to the present: many of you probably still don’t know that if you have installed the Facebook Messenger app on your Android device, there is a chance that the social network giant has been collecting your call history (the start time of each call, its duration and the contact’s name), your contacts and your SMS metadata (but not the message text), at least until late last year.

The Facebook Messenger app logged call data only for numbers saved in the phone’s address book. That Facebook was collecting this kind of data is not a surprise for tech-savvy people, because we have discussed it in the past.

In January, the popular Italian expert Simone Margaritelli wrote a blog post (in Italian) on Medium inviting users to uninstall Facebook and WhatsApp.

The programmer Dylan McKay was able to find data, including logs of calls and SMS messages, in an archive he downloaded (as a ZIP file) from Facebook.

Mat Johnson, a Professor at the University of Houston Creative Writing Program, also made the same disturbing discovery.


Mat Johnson (@mat_johnson), 12:54 AM - Mar 24, 2018:
Oh wow my deleted Facebook Zip file contains info on every single phone cellphone call and text I made for about a year- cool totally not creepy.

The Cambridge Analytica case is giving users another perspective on Facebook’s collection of this kind of data and on what it is really used for.

A Facebook spokesperson explained that the platform collects this data to improve the users’ experience.

http://securityaffairs.co/wordpress/wp-content/uploads/2018/03/Facebook collection data.png

“This [above] screen in the Messenger application offers to conveniently track all your calls and messages. But Facebook was already doing this surreptitiously on some Android devices until October 2017, exploiting the way an older Android API handled permissions.” wrote Sean Gallagher, Ars Technica’s IT and National Security Editor.

“Facebook began explicitly asking permission from users of Messenger and Facebook Lite to access SMS and call data to “help friends find each other” after being publicly shamed in 2016 over the way it handled the “opt-in” for SMS services. That message mentioned nothing about retaining SMS and call data, but instead it offered an “OK” button to approve “keeping all of your SMS messages in one place.””

In an official blog post, Facebook denied collecting call data surreptitiously; the social network giant highlighted that it never commercialized the data and that users are in total control of the data uploaded to the platform.

“When you sign up for Messenger or Facebook Lite on Android, or log into Messenger on an Android device, you are given the option to continuously upload your contacts as well as your call and text history.” reads the blog post published by Facebook. “For Messenger, you can either turn it on, choose ‘learn more’ or ‘not now’. On Facebook Lite, the options are to turn it on or ‘skip’. If you chose to turn this feature on, we will begin to continuously log this information, which can be downloaded at any time using the Download Your Information tool.”

Users can check the data Facebook has collected by going to Facebook Settings → Download a copy of your Facebook data → Start My Archive.


“Call and text history logging is part of an opt-in feature for people using Messenger or Facebook Lite on Android. This helps you find and stay connected with the people you care about, and provide you with a better experience across Facebook. People have to expressly agree to use this feature. If, at any time, they no longer wish to use this feature they can turn it off in settings, or here for Facebook Lite users, and all previously shared call and text history shared via that app is deleted. While we receive certain permissions from Android, uploading this information has always been opt-in only.” continues Facebook.

If you want to stop Facebook from continuously uploading your contacts to its servers, you can turn off the uploading feature in the Messenger app. According to Facebook, turning it off also deletes all previously uploaded contacts.

iOS users are not affected by this issue.

Lesson learned … every time we use an app it is essential to carefully read the documentation that details how it works.


The Internet Engineering Task Force has finally announced the approval of TLS 1.3
26.3.2018 securityaffairs Safety

The Internet Engineering Task Force (IETF) has finally announced the approval of TLS 1.3, the new version of the Transport Layer Security traffic encryption protocol.
It was a long journey: the IETF has been analyzing proposals for TLS 1.3 since April 2014, and the final release is the result of work on 28 drafts.

The TLS protocol was designed to allow client/server applications to communicate over the Internet in a secure way preventing message forgery, eavesdropping, and tampering.

TLS 1.2 and TLS 1.3 are quite different: the new version introduces many major features to improve performance and to make the protocol more resilient to certain attacks, such as the ROBOT technique.

Below is the IETF’s description of the most important changes introduced with TLS 1.3:

The list of supported symmetric algorithms has been pruned of all algorithms that are considered legacy. Those that remain all use Authenticated Encryption with Associated Data (AEAD) algorithms. The ciphersuite concept has been changed to separate the authentication and key exchange mechanisms from the record protection algorithm (including secret key length) and a hash to be used with the key derivation function and HMAC.
A 0-RTT mode was added, saving a round-trip at connection setup for some application data, at the cost of certain security properties.
Static RSA and Diffie-Hellman cipher suites have been removed; all public-key based key exchange mechanisms now provide forward secrecy.
All handshake messages after the ServerHello are now encrypted. The newly introduced EncryptedExtension message allows various extensions previously sent in clear in the ServerHello to also enjoy confidentiality protection from active attackers.
The key derivation functions have been re-designed. The new design allows easier analysis by cryptographers due to their improved key separation properties. The HMAC-based Extract-and-Expand Key Derivation Function (HKDF) is used as an underlying primitive.
The handshake state machine has been significantly restructured to be more consistent and to remove superfluous messages such as ChangeCipherSpec (except when needed for middlebox compatibility).
Elliptic curve algorithms are now in the base spec and new signature algorithms, such as ed25519 and ed448, are included. TLS 1.3 removed point format negotiation in favor of a single point format for each curve.
Other cryptographic improvements including the removal of compression and custom DHE groups, changing the RSA padding to use RSASSA-PSS, and the removal of DSA.
The TLS 1.2 version negotiation mechanism has been deprecated in favor of a version list in an extension. This increases compatibility with existing servers that incorrectly implemented version negotiation.
Session resumption with and without server-side state as well as the PSK-based ciphersuites of earlier TLS versions have been replaced by a single new PSK exchange.

TLS 1.3 removes legacy cryptographic algorithms entirely. This is the best way to prevent exploitation of protocol-level weaknesses that, in earlier versions, could be mitigated only by operators who configured the protocol correctly.

In the last few years, researchers discovered several critical issues in the protocol that have been exploited in attacks.

In February, the OpenSSL Project announced support for TLS 1.3 when it unveiled OpenSSL 1.1.1, which is currently in alpha.

One of the most debated problems when dealing with TLS is the role of so-called middleboxes: many companies need to inspect traffic for security purposes, and TLS 1.3 makes this much harder.

“The reductive answer to why TLS 1.3 hasn’t been deployed yet is middleboxes: network appliances designed to monitor and sometimes intercept HTTPS traffic inside corporate environments and mobile networks. Some of these middleboxes implemented TLS 1.2 incorrectly and now that’s blocking browsers from releasing TLS 1.3. However, simply blaming network appliance vendors would be disingenuous.” reads a blog post published by Cloudflare in December that explained the difficulties of mass deploying for the TLS 1.3.

According to the tests conducted by the IETF working group in December 2017, there was around a 3.25 percent failure rate of TLS 1.3 client connections.


IETF Approves TLS 1.3
26.3.2018 securityweek Safety

The Internet Engineering Task Force (IETF) last week announced the approval of version 1.3 of the Transport Layer Security (TLS) traffic encryption protocol. The Internet standards organization has been analyzing proposals for TLS 1.3 since April 2014 and it took 28 drafts to get it to its current form.

TLS is designed to allow client and server applications to communicate over the Internet securely. It provides authentication, confidentiality, and integrity mechanisms that should prevent eavesdropping and tampering, even by an attacker who has complete control over the network.

There are nearly a dozen major functional differences between TLS 1.2 and TLS 1.3, including ones that should improve performance and eliminate the possibility of certain types of attacks, such as the recently disclosed ROBOT method. The most important changes have been described by the IETF as follows:

The list of supported symmetric algorithms has been pruned of all algorithms that are considered legacy. Those that remain all use Authenticated Encryption with Associated Data (AEAD) algorithms. The ciphersuite concept has been changed to separate the authentication and key exchange mechanisms from the record protection algorithm (including secret key length) and a hash to be used with the key derivation function and HMAC.
A 0-RTT mode was added, saving a round-trip at connection setup for some application data, at the cost of certain security properties.
Static RSA and Diffie-Hellman cipher suites have been removed; all public-key based key exchange mechanisms now provide forward secrecy.
All handshake messages after the ServerHello are now encrypted. The newly introduced EncryptedExtension message allows various extensions previously sent in clear in the ServerHello to also enjoy confidentiality protection from active attackers.
The key derivation functions have been re-designed. The new design allows easier analysis by cryptographers due to their improved key separation properties. The HMAC-based Extract-and-Expand Key Derivation Function (HKDF) is used as an underlying primitive.
The handshake state machine has been significantly restructured to be more consistent and to remove superfluous messages such as ChangeCipherSpec (except when needed for middlebox compatibility).
Elliptic curve algorithms are now in the base spec and new signature algorithms, such as ed25519 and ed448, are included. TLS 1.3 removed point format negotiation in favor of a single point format for each curve.
Other cryptographic improvements including the removal of compression and custom DHE groups, changing the RSA padding to use RSASSA-PSS, and the removal of DSA.
The TLS 1.2 version negotiation mechanism has been deprecated in favor of a version list in an extension. This increases compatibility with existing servers that incorrectly implemented version negotiation.
Session resumption with and without server-side state as well as the PSK-based ciphersuites of earlier TLS versions have been replaced by a single new PSK exchange.
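To make the HKDF bullet concrete for both write-ups of the IETF announcement above, here is the start of the TLS 1.3 key schedule (RFC 8446 section 7.1) in plain Python, with HKDF built from the standard library only. This is an added example, not IETF or securityweek code: the shared secret and transcript fed to the later steps are constructed placeholders, so the traffic secrets they yield are illustrative only, while the Early Secret for the no-PSK case and the HKDF primitives themselves reproduce the published vectors.

```python
import hashlib
import hmac

HASH = hashlib.sha256
HASH_LEN = HASH().digest_size  # 32 for the SHA-256 cipher suites


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """HKDF-Extract (RFC 5869): PRK = HMAC-Hash(salt, IKM)."""
    return hmac.new(salt, ikm, HASH).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """HKDF-Expand (RFC 5869): T(i) = HMAC-Hash(PRK, T(i-1) || info || i)."""
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), HASH).digest()
        out += block
        counter += 1
    return out[:length]


def hkdf_label(length: int, label: bytes, context: bytes) -> bytes:
    """Encode the HkdfLabel struct of RFC 8446 section 7.1:
    uint16 length; opaque label<7..255> = "tls13 " + Label; opaque context<0..255>."""
    full_label = b"tls13 " + label
    return (length.to_bytes(2, "big")
            + bytes([len(full_label)]) + full_label
            + bytes([len(context)]) + context)


def hkdf_expand_label(secret: bytes, label: bytes, context: bytes, length: int) -> bytes:
    return hkdf_expand(secret, hkdf_label(length, label, context), length)


def derive_secret(secret: bytes, label: bytes, messages: bytes) -> bytes:
    """Derive-Secret(Secret, Label, Messages): the context is the transcript hash,
    which is what binds every later secret to the handshake that produced it."""
    return hkdf_expand_label(secret, label, HASH(messages).digest(), HASH_LEN)


def early_and_derived_secrets(psk=None):
    """First steps of the schedule: Early Secret from the PSK (Hash.length zero
    bytes when no PSK is in use) and the "derived" secret that salts the next
    Extract. The key-separation property the IETF text mentions comes from
    these distinct labels and contexts."""
    ikm = psk if psk is not None else bytes(HASH_LEN)
    early_secret = hkdf_extract(bytes(HASH_LEN), ikm)
    derived = derive_secret(early_secret, b"derived", b"")
    return early_secret, derived


def handshake_and_traffic_secrets(shared_secret: bytes, transcript: bytes, psk=None):
    """Continue the schedule: Handshake Secret from the (EC)DHE output, then the
    client/server handshake traffic secrets over the transcript through
    ServerHello, and the server's AEAD key and IV (AES-128-GCM sizes)."""
    _, derived = early_and_derived_secrets(psk)
    handshake_secret = hkdf_extract(derived, shared_secret)
    c_hs = derive_secret(handshake_secret, b"c hs traffic", transcript)
    s_hs = derive_secret(handshake_secret, b"s hs traffic", transcript)
    s_key = hkdf_expand_label(s_hs, b"key", b"", 16)
    s_iv = hkdf_expand_label(s_hs, b"iv", b"", 12)
    return handshake_secret, c_hs, s_hs, s_key, s_iv


if __name__ == "__main__":
    early, derived = early_and_derived_secrets()
    print("early secret  :", early.hex())
    print("derived secret:", derived.hex())
    # Constructed placeholders for the (EC)DHE output and the transcript bytes.
    _, _, _, s_key, s_iv = handshake_and_traffic_secrets(
        shared_secret=bytes(range(32)),
        transcript=b"<ClientHello..ServerHello bytes>")
    print("server hs key :", s_key.hex(), "iv:", s_iv.hex())
```

The "derived" step is why TLS 1.3 key separation is easy to analyse: nothing downstream is ever keyed directly with the Early Secret, and each stage mixes in a fresh label and the transcript hash. RFC 8448 publishes the complete intermediate values for a real handshake, which is the right thing to check an implementation against.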
The most controversial of these changes is related to the introduction of the 0-RTT (zero round trip time resumption) mode. This feature brings significant improvements in terms of speed, particularly in the case of resumed connections, but it makes the connection slightly less secure.

The main concern is replay attacks, but experts believe the risk is manageable and website administrators should not have anything to worry about. However, some members of the IETF believe there are bound to be successful attacks against existing mitigations in the future. Cloudflare published a blog post last year detailing 0-RTT benefits and risks.
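The replay risk above is managed on the server and in the application, not by the protocol alone. The following is an added example, not code from the IETF, Cloudflare or securityweek, of the controls RFC 8446 section 8 describes: a ticket-age freshness window and a record of ClientHellos seen inside that window, plus the application-level rule (the 425 Too Early status of RFC 8470) that keeps non-idempotent requests off 0-RTT. Ticket values and timings are constructed. The filter state is per process, which is itself the caveat the "existing mitigations" debate is about: a fleet behind a load balancer must share that state or use single-use tickets.

```python
import hashlib

# Application-layer rule: only idempotent requests may be served from early data.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def allow_early_data_request(method: str) -> bool:
    """Anything state-changing that arrived as 0-RTT data should be answered
    with 425 Too Early (RFC 8470) so the client repeats it after the handshake
    completes, when the request can no longer be replayed by a third party."""
    return method.upper() in SAFE_METHODS


def client_obfuscated_age(ticket_age_ms: int, ticket_age_add: int) -> int:
    """What the client sends in the pre_shared_key extension: the ticket age in
    milliseconds plus ticket_age_add, modulo 2^32 (RFC 8446 section 4.2.11)."""
    return (ticket_age_ms + ticket_age_add) % (1 << 32)


class EarlyDataReplayFilter:
    """Server-side anti-replay for 0-RTT (RFC 8446 section 8.2 and 8.3):
    accept early data only if the claimed ticket age lands inside a small
    freshness window, and the same ClientHello has not already been seen in
    that window. Outside the window the server should fall back to 1-RTT."""

    MOD32 = 1 << 32

    def __init__(self, window_ms: int = 10_000):
        self.window_ms = window_ms
        self._seen = {}  # sha256(ClientHello) -> expiry time in ms

    def _evict(self, now_ms: int) -> None:
        self._seen = {h: exp for h, exp in self._seen.items() if exp > now_ms}

    def check(self, client_hello: bytes, ticket_issued_ms: int,
              ticket_age_add: int, obfuscated_ticket_age: int, now_ms: int) -> str:
        # Undo the client's obfuscation to recover the age it claims.
        claimed_age = (obfuscated_ticket_age - ticket_age_add) % self.MOD32
        # The ticket's issue time plus the claimed age is when the client says
        # it sent this ClientHello; a replayed copy arrives later than that.
        expected_arrival = ticket_issued_ms + claimed_age
        if abs(now_ms - expected_arrival) > self.window_ms:
            return "reject-stale"
        self._evict(now_ms)
        digest = hashlib.sha256(client_hello).digest()
        if digest in self._seen:
            return "reject-replay"
        self._seen[digest] = now_ms + self.window_ms
        return "accept"


if __name__ == "__main__":
    # Constructed timeline: ticket issued at t=1,000,000 ms, client reuses it
    # 5 s later, an attacker replays the same ClientHello 100 ms after that.
    flt = EarlyDataReplayFilter(window_ms=10_000)
    add = 0x9ABCDEF0
    hello = b"constructed ClientHello carrying early data"
    obf = client_obfuscated_age(5_000, add)
    print(flt.check(hello, 1_000_000, add, obf, now_ms=1_005_100))  # accept
    print(flt.check(hello, 1_000_000, add, obf, now_ms=1_005_200))  # reject-replay
    print(flt.check(hello, 1_000_000, add, obf, now_ms=1_030_000))  # reject-stale
    print(allow_early_data_request("POST"))                        # False
```

The freshness window bounds how long the seen-set must be kept, which is what makes recording ClientHellos affordable; it also means clock skew between the server that issued the ticket and the one checking it eats directly into the replay margin.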

Cloudflare announced support for TLS 1.3 in September 2016, but the company reported in late December 2017 that major web browsers had yet to enable the new version of the protocol by default, with only 0.06% of the traffic passing through its network leveraging TLS 1.3.

Cloudflare has blamed this delay on network appliances that need to intercept HTTPS traffic on corporate networks, and the original design of TLS 1.3. Poor implementation of TLS 1.3 has been known to cause serious problems.

The OpenSSL Project announced support for TLS 1.3 in February when it unveiled OpenSSL 1.1.1, which is currently in alpha.


Reddit banned the biggest Darknet markets subreddit /R/DarkNetmarkets
26.3.2018 securityaffairs CyberCrime

Recently Reddit decided to ban the biggest darknet subreddit, /r/darknetmarkets, used by crime communities to discuss products and services sold in the most popular darknet markets.
Darknet markets have a crucial role in the cybercrime underground, they are excellent places of aggregation for the demand and the offer of illegal products and services.

Communities around the principal darknet markets also exchange information about products and services on the clear web, for example using the Reddit social media platform.

Now Reddit decided to ban the biggest darknet subreddit, /r/darknetmarkets, used for darknet-related conversation.

Officially, Reddit maintainers banned the subreddit because the community violated Reddit’s illegal transaction rules.

“this subreddit was banned due to a violation of Reddit’s policy against transactions involving prohibited goods or services.” states Reddit,


Reddit forbids direct deals in illegal products and services; in this case the subreddit violated the rules on the sourcing of illegal drugs.

The moderators initially deleted posts containing drug sourcing, but the subreddit was still considered a source of darknet drug market addresses.

This isn’t the first ban related to darknet markets: Reddit banned the Evolution subreddit in 2015 and, more recently, the DNM UK and DNM OZ subreddits.

“In addition to the main subreddit, Reddit banned two subreddits for sourcing research chemicals (r/EU_RCSources and RCSources); a second UK darknet market subreddit (r/DarknetUK); and subreddits specific to individual darknet markets (r/RaptureMarket, r/dreammarket2, and r/dream_dnm).” states a blog post published on deepdotweb.com

“The era of discussing darknet markets on the clearnet has likely ended.”

Even if Reddit has banned the subreddit, operators of the black markets will simply migrate to other platforms to share their content.

If you are searching for more info on Darknet markets and cyber criminal communities in the dark web, take a look at my new book, titled “Digging the Deep Web: Exploring the dark side of the web”.

