Facebook and Cambridge Analytica – What's Happened So Far
25.3.2018 securityweek 
Social

Top Story— Facebook has just lost over $60 billion in market value over the past two days—that's more than Tesla's entire market capitalisation and almost three times that of Snapchat.
Facebook shares plunge over revelations that personal data of 50 million users was obtained and misused by British data analytics firm 'Cambridge Analytica,' who reportedly helped Donald Trump win the US presidency in 2016.
The privacy scandal that rocked the social media giant was revealed earlier this week when Chris Wylie, the 28-year-old data scientist who worked with a Cambridge University academic, turned into a whistleblower and leaked to the newspapers how poorly Facebook handles people's private information.
Wylie claims Cambridge Analytica created "Steve Bannon's psychological warfare mindf**k tool" that profiles citizens to predict their voting patterns based on the personal information gathered from a variety of sources and then helps political parties target voters with tailored advertisements and messages.
Since lots of things have happened since last week, we have compiled this brief article to explain what has happened so far in "Facebook and Cambridge Analytica" saga and how it keeps growing.
How Cambridge Analytica Collected 50 Million Facebook Users' Data
The story started four years ago when Cambridge psychologist Aleksandr Kogan approached researcher Michal Kosinski to get Facebook users data, which he had collected using a simple ‘online personality quiz’ app that requires users to log in using Facebook to participate.
While Kosinski refused to provide any data his app was used to collect, Cambridge paid Kogan over $800,000 to create a similar quiz app for him with an aim to collect Facebook users’ profile data, including the list of pages they have "liked."
Kogan's personality quiz app, dubbed “thisisyourdigitallife,” was a hit. Although it attracted 270,000 Facebook users to take part, Facebook's APIs at the time let the app also collect a wide range of information about each authorized user's friends.
Since an average Facebook user has hundreds of friends in his/her friend-list, Kogan was able to leverage his user base of 270,000 people to collect data for about 50 million Facebook users for use in its ad-targeting work.
Stop Third-Party Apps From Using Your Facebook Data
Not only Cambridge Analytica's quiz app, there are other thousands of other apps that you might have encountered on your Facebook timeline—such as "how you’ll look in your 80s," "which celebrity you look like," "who’ll be your Valentine this year"—that work on the same model.
All Facebook apps offer access using their Facebook account and ask you to grant the app’s developer a range of information from your Facebook profile, like your name, location, email, and friends list.
Besides this, ‘Login with Facebook’ option that you might have seen on hundreds of thousands of websites works similarly by allowing site admins to offer one-click login/signup for easy to verify your identity.
It would be a good time now to revisit those third-party apps you have granted permission to access your Facebook data and completely revoke them if you don't want them to use your data and limit an app's permissions without entirely revoking it.
To disable such apps from accessing your data, you can follow these steps:
On the desktop computer, click the downward arrow in the top-right corner and select Settings and Apps from the menu. Here you’ll see all the apps where you have logged into Facebook.
On mobile devices, open the menu(bottom-right for iOS, top-right for Android), and then select Settings → Account Settings → Apps → Logged in with Facebook.
For entirely revoking any app, just tap on the remove button (cross icon) next to that app. You can also limit any app's permission by clicking the edit button (pencil icon), next to the cross icon, to view each app’s settings.
From here, you can revoke specific permissions by de-selecting the checkmark next to each data point.
Facebook Founder Mark Zuckerberg Apologizes For the Cambridge Analytica Scandal
Today in an interview with CNN’s Laurie Segall, Facebook founder Mark Zuckerberg apologized for the social media giant’s failure to prevent privacy of its users.
"This was a major breach of trust, and I’m really sorry this happened," Zuckerberg told Laurie.
While addressing the Cambridge Analytica scandal, Zuckerberg acknowledged that it was a huge mistake to allow third-party developers to access users’ data and blindly trust that Cambridge Analytica and other companies involved in data harvesting would actually delete that data just because Facebook has asked them to.
"That ... is probably the biggest mistake that we made here,"
Zuckerberg pledged to solve all the problems and safeguard users’ privacy, explaining how the company has already changed its policies after 2014 to prevent abuse of Facebook's APIs.
"Our responsibility now is to make sure this doesn’t happen again," Zuck assured its customers and shareholders across the world who are furious after knowing about the Cambridge Analytica scandal.
During the interview, Zuckerberg promised to conduct a "full forensic audit" of the platform very soon to find which 3rd-party apps may have gained access to user data without their full consent and would notify everyone whose data was improperly used.
Mark Zuckerberg Says It's Time to Regulate Tech Firms
Some analysts believe that stricter government regulations are required to protect consumers’ privacy over social media companies.
Since social media is playing an essential role in the world, Zuckerberg says he believes it's time to impose more regulations on technology companies, but he also recommends Artificial Intelligence as a better tool to regulate such a rapidly growing community of 2 billion people all over the world
Besides this, Facebook has also planned to have more than 20,000 employees to closely monitor security and privacy operations by the end of this year.
Facebook Faces International Investigation Over Personal Data Use
Facebook is in trouble with governments across the world after this whole Cambridge Analytica mess.
Following reports of the transfer of personal information of over 50 million users from Facebook to data-mining firm Cambridge Analytica, Facebook is facing probes by some countries including the United States, European Union, UK, Israel, India, and Canada.
The United States’ Federal Trade Commission (FTC) has started investigating whether or not the use of personal data from over 50 million users by Cambridge Analytica violated a consent decree Facebook signed with the agency in 2011.
The European Commission has also asked data protection authorities to investigate Facebook's data leak to Cambridge Analytica, and if the commission finds Facebook in breach of data protection laws, it could levy fines on the company.
The social networking site is also facing a separate probe by the U.K. government, who is pursuing a warrant to conduct its on-site investigation to determine whether Cambridge Analytica still has the information, which the company said has been deleted.
Israeli Justice Ministry has also informed Facebook that it is opening an "administrative investigation" into Facebook "and the possibility of additional violations of Israelis’ personal information," the ministry said Thursday.
Cambridge Analytica CEO Suspended After Undercover Recordings Released
Cambridge Analytica has suspended its CEO from the research firm’s board of directors on Tuesday following an undercover video was aired which showed him discussing the use of bribes and prostitutes to sway political elections.
The board said that Alexander Nix would be suspended pending a "full, independent investigation," adding that "In the view of the Board, Mr. Nix’s recent comments secretly recorded by Channel 4 and other allegations do not represent the values or operations of the firm and his suspension reflects the seriousness with which we view this violation."
In an uncover video published by Channel 4 News in London on Monday, Nix found discussing how his firm is engaged in dirty tricks for political clients, like recording videos of operatives offering their opponents bribes.
Nix also told a journalist, who posed as a potential Sri Lankan client, that his firm could also send "some girls around to the candidate’s house" to put the candidate in a compromising position.
However, Cambridge has denied engaging in any of such tactics Nix described in the video.
Cambridge Analytica mess has become one of the biggest scandals in tech right now, and it is becoming messier with each passing day, which could have enormous implications not only for Facebook but for every other online company out there that sells user data for a living.
Facebook shares continued falling and dropped today by 2.66% to $164.89 as of the time of this writing.


The City of San Diego is suing the Experian credit agency for 2013 security breach
25.3.2018 securityaffairs  BigBrothers

According to the lawsuit filed by San Diego city attorney Mara Elliott the Experian credit agency never notified the 2013 security breach to the affected consumers as required under California law.
The City of San Diego, California is suing the Experian credit agency for the security breach that the company suffered in 2013.

“San Diego City Attorney Mara Elliott has filed a lawsuit against consumer credit giant Experian, contending the company suffered a massive data breach that affected 250,000 people in San Diego and millions more — but never told customers about it.” states a blog post published on The San Diego Union-Tribune.

“Elliott’s office cited the Internal Revenue Service in saying hackers filed more than 13,000 false returns using the hacked information, obtaining $65 million in fraudulent tax refunds.”

According to the lawsuit filed by San Diego city attorney Mara Elliott, the security breach that was first reported by the popular expert Brian Krebs, lasted for nine months ending in 2013. The company never notified it to the affected consumers as required under California law.

According to The San Diego Union-Tribune, the city attorney argued that data belonging to some 30 million consumers could have been stolen, including information for 250,000 people in San Diego.

According to Krebs, the Vietnamese man Hieu Minh Ngo ran an identity theft service (Superget[dot]info and Findget[dot]me) and gained access to sensitive consumer information by posing himself as a licensed private investigator in the United States.

The Identity theft service superget[]info was based on data from consumer databases maintained by a company that Experian purchased in 2012.

Source: Krebsonsecurity.com

The man was paying Experian thousands of dollars in cash each month for access to 200 million consumer records, then he was reselling them to more than 1,300 users of his ID theft service.

The man was arrested by US authorities and pleaded guilty to identity fraud charges, he was sentenced in July 2014 to 13 years in jail.

In December 2013, an executive from Experian told Congress that the company was not aware of any consumers that were a victim of a scam-related to the stolen data.

The court order is asking the company to formally notify consumers whose personal information was involved in the security theft and to pay costs for identity protection services for those people.

“The law carries penalties up to $2,500 for each violation, meaning the company could be facing potentially millions in fines.” The San Diego Union-Tribune added.


Thousands of etcd installs leak 750MB worth of passwords and keys
25.3.2018 securityaffairs Incindent

Thousands of etcd installations are currently leaking 750MB worth of passwords, keys, and sensitive data.
Thousands of servers belonging to private businesses and organizations are leaking credentials and potentially sensitive data.

It is quite easy for hackers to use the credentials to access the servers and steal sensitive data or use the machines to power cyber attacks.

According to the researcher Giovanni Collazo, querying the popular Shodan search engine he found almost 2,300 servers exposed online that were running etcd, which is a distributed key value store that provides a reliable way to store data across a cluster of machines.

This kind of database is usually used to store and distribute passwords and configuration settings among various servers and applications.

etcd implements a programming interface that could be queried and that by default return administrative login credentials without authentication.

Collazo wrote a simple script that ran through the 2,284 etcd servers he found open online by querying Shodan search engine and obtained all credentials stored on the servers.

“I did a simple search on shodan and came up with 2,284 etcd servers on the open internet. So I clicked a few and on the third try I saw what I was hoping not to see. CREDENTIALS, a lot of CREDENTIALS. Credentials for things like cms_admin, mysql_root, postgres, etc.” reads the post published by Collazo.

“In order to try to get a sense of the issue I downloaded the full shodan report and wrote a very simple script that basically called the etcd API and requested all keys. That’s basically equivalent to doing a database dump but over their very nice REST API.

GET http://<ip address>:2379/v2/keys/?recursive=true

This will return all the keys stored on the servers in JSON format.”

The expert stopped the script after it collected about 750 megabytes of data from 1,485 IPs. In the following table are reported the data retrieved by the researchers:

password 8781
aws_secret_access_key 650
secret_key 23
private_key 8
Collazo did not test the credentials but it is likely that many of them work and could be used to hack into the systems.

“Anyone with just a few minutes to spare could end up with a list of hundreds of database credentials which can be used to steal data, or perform ransomware attacks.” Collazo wrote.

In order to keep etcd installs secure it is necessary to enable authentication and get them offline if not required. Another mitigation consists of setting a firewall rule to avoid unauthorized people querying etcd server.


A new massive cryptomining campaign target Linux servers exploiting old flaw
25.3.2018 securityaffairs   Cryptocurrency

Trend Micro uncovered a new crypto mining campaign targeting Linux servers that exploit the CVE-2013-2618 flaw in Cacti’s Network Weathermap plug-in, which system administrators use to visualize network activity.
Security firm Trend Micro uncovered new crypto mining campaign, a cybercriminal gang has made nearly $75,000 by installing a Monero miner on vulnerable Linux servers.

The hackers are exploiting a five-year-old vulnerability in the Cacti “Network Weathermap” plugin and according to Trend Micro this campaign is linked to a previous cryptocurrency-mining campaign that used the JenkinsMiner malware.

In this last campaign that is targeting Linux servers, hackers exploited the CVE-2013-2618 vulnerability in Cacti plugin which is an open-source network monitoring and graphing tool.

“This campaign’s operators were exploiting CVE-2013-2618, a dated vulnerability in Cacti’s Network Weathermap plug-in, which system administrators use to visualize network activity.” reads the analysis pulished by Trend Micro.

“As to why they’re exploiting an old security flaw: Network Weathermap only has two publicly reportedvulnerabilities so far, both from June 2014. It’s possible these attackers are taking advantage not only of a security flaw for which an exploit is readily available but also of patch lag that occurs in organizations that use the open-source tool.”

The flaw could be exploited by attackers to execute arbitrary code on vulnerable systems, in this case, hackers downloaded and installed a customized version of XMRig, a legitimate Monero mining software (dada.x86_64 as of 01/28/2018, earlier named as xig or nkrb). XMRig supports both 32-bit and 64-bit Windows and Linux operating systems.

To gain persistence, hackers modified the local cron jobs to trigger a “watchd0g” Bash script every three minutes, the script checked if the Monero miner was still active and restarted it in case it was down.

“Code is written in /etc/rc.local, which means that each time a system is restarted, watchd0g.sh is executed. The modification of /etc/crontab results in watchd0g.sh being run every three minutes. It then modifies the Linux kernel parameter vm.nr_hugepages to the recommended value for mining Monero (XMR). It also ensures that the watchd0g.sh process runs or re-downloads and executes the file if it terminates.” continues the analysis.

The researchers analyzed five malware samples that led them to two unique login usernames, matching the Monero wallets where the mining pool payments are sent.

According to Trend Micro, hackers made approximately 320 XMR (roughly $75,000), most of the Linux servers were located in Japan (12%), China (10%), Taiwan (10%), and the US (9%).

weathermap cryptominer Linux servers

Trend Micro recommends keeping internal to the environment data from Cacti and also keeping systems updated with the latest patches.

“While this allows systems or network administrators to conveniently monitor their environments (with just a browser bookmark, for instance), it also does the same for threat actors.” concluded Trend Micro.


UK Regulators Search Cambridge Analytica Offices
24.3.2018 securityweek 
Social

British regulators on Friday began searching the London offices of Cambridge Analytica (CA), the scandal-hit communications firm at the heart of the Facebook data scandal, shortly after a judge approved a search warrant.

Around 18 enforcement agents from the office of Information Commissioner Elizabeth Denham entered the company's London headquarters at around 8:00pm (2000 GMT) to execute the warrant.

The High Court granted the raid request less than an hour earlier, as Denham investigates claims that Cambridge Analytica may have illegally harvested Facebook data for political ends.

A full explanation of the legal ruling by Judge Anthony James Leonard will be issued on Tuesday, according to the court.

"We're pleased with the decision of the judge," Denham's office said on Twitter.

"This is just one part of a larger investigation into the use of personal data and analytics for political purposes," it added in a statement.

"As you will expect, we will now need to collect, assess and consider the evidence before coming to any conclusions."

The data watchdog's probe comes amid whistleblower accusations that CA, hired by Donald Trump during his primary campaign, illegally mined tens of millions of users' Facebook data and then used it to target potential voters.

Fresh allegations also emerged Friday night about the firm's involvement in the 2016 Brexit referendum campaign.

Brittany Kaiser, CA's business development director until two weeks ago, revealed it conducted data research for Leave.EU, one of the leading campaign groups, via the UK Independence Party (UKIP), according to The Guardian.

'I was lying'

Kaiser, 30, told the newspaper she felt the company's repeated public denials it ever worked on the poll misled British lawmakers and the public.

"In my opinion, I was lying," she said. "In my opinion I felt like we should say, 'this is exactly what we did.'"

CA's suspended chief executive Alexander Nix told MPs last month: "We did not work for Leave.EU. We have not undertaken any paid or unpaid work for them, OK?"

Nix was suspended this week following the Facebook revelations and a further media sting in which he boasts about entrapping politicians and secretly operating in elections around the world through shadowy front companies.

He has already been called to reappear before British lawmakers to explain "inconsistencies" in past testimony about the firm's use of the data.

Meanwhile Facebook founder Mark Zuckerberg has been forced to issue a statement outlining his firm's role in the scandal and apologised Wednesday to its billions of users for the breach.

The company has seen its stock market value plunge by around $75 million amid the crisis, as shares closed the week down 13 percent -- their worst seven days since July 2012.

Cambridge Analytica denies any wrongdoing, and said Friday it was undertaking an independent third-party audit to verify that it no longer holds any of the mined data.

"As anyone who is familiar with our staff and work can testify, we in no way resemble the politically-motivated and unethical company that some have sought to portray," acting CEO Alexander Tayler said in a statement.

He apologised for the firm's involvement, but said it had licensed the data from a research company, led by an academic, that "had not received consent from most respondents".

"The company (CA) believed that the data had been obtained in line with Facebook's terms of service and data protection laws," Tayler said.

New review

Aleksandr Kogan, a University of Cambridge psychologist, created a personality prediction app that harvested the data of 270,000 people who downloaded it -- as well as scooping up the information of their friends.

That was possible under Facebook's rules at the time, and Kogan this week claimed he was being unfairly blamed.

"I'm being basically used as a scapegoat by both Facebook and Cambridge Analytica," he said in interviews Wednesday.

"We were assured by Cambridge Analytica that everything was perfectly legal and within the terms of service" of Facebook, he added.

However, Cambridge University announced Friday it was "undertaking a wide-ranging review" of the episode and had written to Facebook "to request all relevant evidence in their possession".

"Should anything emerge from this review, or from our request to Facebook, the University will take any action necessary in accordance with our policies and procedures," it said in a statement.


US imposes sanctions on nine Iranian hackers involved in a massive state-sponsored hacking scheme
24.3.2018 securityaffairs BigBrothers

The US DoJ and Department of the Treasury on Friday announced charges against nine Iranian hackers for alleged involvement in state-sponsored hacking activities.
The US Department of Justice and Department of the Treasury on Friday announced charges against nine Iranians for alleged involvement in a massive state-sponsored hacking scheme, the hackers hit more than 300 universities and tens of companies in the US and abroad and stole “valuable intellectual property and data.”

According to the Treasury Department, since 2013, the Mabna Institute hit 144 US universities and 176 universities in 21 foreign countries.

The hackers also targeted the US Department of Labor, the US Federal Energy Regulatory Commission, and many private and non-governmental organizations.

The sanctions also hit the Mabna Institute, an Iran-based company, that had a critical role in coordinating the attacks on behalf of Iran’s Revolutionary Guards.

The nine defendants are Gholamreza Rafatnejad, 38; Ehsan Mohammadi, 37; Abdollah Karima, aka Vahid Karima, 39; Mostafa Sadeghi, 28; Seyed Ali Mirkarimi, 34; Mohammed Reza Sabahi, 26; Roozbeh Sabahi, 24; Abuzar Gohari Moqadam, 37; and Sajjad Tahmasebi, 30, they are all residents of Iran.

Gholamreza Rafatnejad (38) and Ehsan Mohammadi (37) are the two founders of the Mabna Institute.

“The indictment alleges that the defendants worked on behalf of the Iranian government, specifically the Islamic Revolutionary Guard Corps,” said Deputy Attorney General Rod Rosenstein in prepared remarks illustrated at a press conference on Friday.

“They hacked the computer systems of approximately 320 universities in 22 countries. One-hundred forty-four of the victims are American universities. The defendants stole research that cost the universities approximately $3.4bn to procure and maintain.”

The US indictment revealed a coordinated effort from 2013 through the end of 2017 involving online cyber espionage on academics with the intent to discover their research interests.

Iranians hackers launched spear phishing attack using messages that would appear to be sent from another professor. The messages usually embedded a malicious link to a bogus domain using to steal victim’s login credentials.

Mabna Institute employees “engaged in the theft of valuable intellectual property and data from hundreds of US and third-country universities… for private financial gain.” said Deputy Attorney General Rod Rosenstein.

“For many of these intrusions, the defendants acted at the behest of the Iranian government and, specifically, the Iranian Revolutionary Guard Corps,”

Geoffrey Berman, US Attorney for the Southern District of New York revealed that the spear phishing campaign targeted more than 100,000 university professors worldwide and about 8,000 accounts were compromised.

The Iranian hackers exfiltrated 31 terabytes, roughly 15 billion pages of academic projects were stolen.

The stolen data included “research, and other academic data and documents, including, among other things, academic journals, theses, dissertations, and electronic books.”

One of the 10 Iranians subject to sanctions, Behzad Mesri was already known to the US authorities. In November 2017, the United States charged the Iranian computer expert Behzad Mesri of ‘Games of Thrones‘ HBO hack, the man was charged with stealing scripts and plot summaries for ‘Games of Thrones’.

The Manhattan US attorney Joon Kim said Mesri is “had previously hacked computer systems for the Iranian military”. The man threatened to release stolen data unless HBO paid a $6 million ransom in Bitcoin.

Prosecutors confirmed that the Iranian man was a member of the Iranian-based Turk Black Hat Security hacking group that targeted hundreds of websites in the United States and around the world.

Experts discovered that Masri and Charming Kitten were linked through the member of Turk Black Hat group “ArYaIeIrAN.” another member of Turk Black Hat.

Iranian hackers

Back to the present, the Justice Department said that besides targeting university professors in the United States, the hackers also compromised accounts in Australia, Canada, China, Denmark, Finland, Germany, Ireland, Israel, Italy, Japan, Malaysia, Netherlands, Norway, Poland, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey and the United Kingdom.


Lone DNC Hacker Guccifer 2.0 is linked to the GRU, the Russian military intelligence agency
24.3.2018 securityaffairs BigBrothers

The US investigators concluded that the Russia-linked hacker Guccifer 2.0 is directly tied to the GRU, the Russian military intelligence agency.
Guccifer 2.0 is the alleged hacker behind the DNC hack that also released a huge trove of documents about House Democrats, including Nancy Pelosi’s sensitive data.

Guccifer 2.0

In February 2016, researchers from security company CrowdStrike, pointed out that the DNC attack wasn’t the result of the action of a lone wolf, instead, two sophisticated Russian espionage groups, COZY BEAR and FANCY BEAR were involved in the cyber espionage operation.

A portion of the intelligence community believes that the Russia-linked hacker Guccifer 2.0 is a Russian intelligence agent.

This week, The Daily Beast published a report that confirms that Guccifer 2.0 is linked to the GRU, Russia’s military intelligence agency.

“Guccifer 2.0, the “lone hacker” who took credit for providing WikiLeaks with stolen emails from the Democratic National Committee, was in fact an officer of Russia’s military intelligence directorate (GRU), The Daily Beast has learned.” reads the analysis published by The Daily Beast.

“It’s an attribution that resulted from a fleeting but critical slip-up in GRU tradecraft.”

In January 2017, the US intelligence linked the the DNC hack and the cyber attacks against the Hillary Clinton’s campaign to Russian intelligence groups.

Guccifer 2.0 took credit for some of the attacks denying any link with the Kremlin, by US authorities believe the hacker is a product of a Russian disinformation campaign.

The experts at cybersecurity firm ThreatConnect also determined that Guccifer 2.0 was linked to Russian intelligence. According to ThreatConnect, Guccifer 2.0 had been using a Virtual Private Network service, Elite VPN, to remain anonymous, but on one occasion he failed to activate the VPN client before logging on.

According to a source familiar with the government’s Guccifer investigation, the hacker was using a system having a Moscow-based IP address that was logged by an American social media company.

“Almost immediately various cyber security companies and individuals were skeptical of Guccifer 2.0 and the backstory that he had generated for himself,” said Kyle Ehmke, an intelligence researcher at the cyber security firm ThreatConnect. “We started seeing these inconsistencies that led back to the idea that he was created hastily… by the individual or individuals that affected the DNC compromise.”

“Working off the IP address, U.S. investigators identified Guccifer 2.0 as a particular GRU officer working out of the agency’s headquarters on Grizodubovoy Street in Moscow. (The Daily Beast’s sources did not disclose which particular officer worked as Guccifer.)” continues the report.

The GRU military agency is believed to run the dreaded Fancy Bear APT, that is behind the DNC hack, cyber espionage campaign against NATO and Obama’s White House and cyber attacks against the World Anti-Doping Agency, and numerous militaries and government agencies in Europe, Central Asia, and the Caucasus.

The special counsel Robert Mueller determined that Russia intelligence interfered with US elections in the attempt to boost Trump’s candidacy.

On July 22, 2016, WikiLeaks began releasing the documents stolen by Guccifer 2.0, a huge trove of approximately 19,000 emails and 8,000 attachments stolen by the hacker. Trump promptly promoted the leak on Twitter, while his adviser Roger Stone in an article written for Breitbart (a name familiar with Cambridge Analytica case too), sustained that Guccifer 2.0 was a Romanian hacktivist.

“Sometime after its hasty launch, the Guccifer persona was handed off to a more experienced GRU officer, according to a source familiar with the matter. The timing of that handoff is unclear, but Guccifer 2.0’s last blog post, from Jan. 12, 2017, evinced a far greater command of English than the persona’s earlier efforts.” concluded The Daily Beast.

“It’s obvious that the intelligence agencies are deliberately falsifying evidence,” the post read. “In my opinion, they’re playing into the hands of the Democrats who are trying to blame foreign actors for their failure.”


Ransomware Hits City of Atlanta
23.3.2018 securityweek
Ransomware

A ransomware attack -- possibly a variant of SamSam -- has affected some customer-facing applications and some internal services at the City of Atlanta. The FBI and incident response teams from Microsoft and Cisco are investigating. The city's police department, water services and airport are not affected.

The attack was detected early on Thursday morning. By mid-day the city had posted an outage alert to Twitter. In a press conference held Thursday afternoon, mayor Keisha Bottoms announced that the breach had been ransomware. She gave no details of the ransomware demands, but noticeably declined to say whether the ransom would be payed or refused.

Bottoms could not at this stage confirm whether personal details had also been stolen in the same breach, but suggested that customers and staff should monitor their credit accounts. Questions on the viability of data backups and the state of system patches were not clearly answered; but it was stressed that the city had adopted a 'cloud first' policy going forwards specifically to improve security and mitigate against future ransomware attacks.

A city employee obtained and sent a screenshot of the ransom note to local radio station 11Alive. The screenshot shows a bitcoin demand for $6,800 per system, or $51,000 to unlock all systems. It is suggested that the ransom note is similar to ones used by the SamSam strain of ransomware. Steve Ragan subsequently tweeted, "1 local, 2 remote sources are telling me City of Atlanta was hit by SamSam. The wallet where the ransom is to be sent (if they pay) has collected $590,000 since Jan 27."

SamSam ransomware infected two healthcare organizations earlier this year. SamSam is not normally introduced via a phishing attack, but rather following a pre-existing breach. This could explain the concern over data theft on top of the data encryption. It also raises the question over whether the initial breach was due to a security failure, an unpatched system, or via a third-party supplier.

Ransomware is not a new threat, and there are mitigations -- but it continues to cause havoc. Official advice is, wherever at all possible, refuse to pay. The theory is if the attackers cease getting a return on their attacks, they will turn to something easier with a better ROI on their time. This approach simply isn't working.

Sometimes payment can be avoided by recovering data from backups. But this isn't always possible with SamSam. In the Hancock Health SamSam incident earlier this year, the organization decided to pay the ransom "to expedite our return to full operations", despite having backups. In the event, the SamSam attackers had already closed this route. "Several days later," announced CEO Steve Long, "it was learned that, though the electronic medical record backup files had not been touched, the core components of the backup files from all other systems had been purposefully and permanently corrupted by the hackers."

It isn't yet known whether the City of Atlanta attack is definitely a SamSam attack, whether the system was breached prior to file encryption, nor whether backup files have been corrupted. These details should become clear over time. The fact that Hancock Health decided to pay the ransom, and had its systems back up and running within days, may become part of Atlanta's decision on whether to pay or not.

Apart from recovering from backups or paying the ransom, the only other option (assuming that there are no decryptors available from the NoMoreRansom project) is to stop the encryption the moment it starts. Traditional anti-malware perimeter detection will not stop modern malware. That means prevention requires very rapid and early detection.

"Ransomware spreads like wild fire, and is the most time critical of cyber threats," comments Matt Walmsley, EMEA Director at Vectra. "The ability to detect the pre-cursor behaviors of ransomware is the only way to get ahead of the attack. Unfortunately, that's almost impossible to do using traditional manual threat hunting techniques. That's why forward-thinking enterprises are increasingly using an automated approach, using AI-powered threat detection. You need to detect and respond at machine speed."

Timely patching is also vital, especially where the attacker breaches the system prior to encryption. "When you are told to patch months before and witness precursor warnings like WannaCry and NotPetya going by," exhorts Yonathan Klijnsma, threat researcher at RiskIQ, "well, you damn well better patch. If your organization's patch management is so problematic that it takes this long, you have to change it. Events of this potential magnitude and impact require management to respond by elevating maintenance and patching to mission critical status until they are resolved. The ROI is clear, consider the costs and material loss of your company going down for a day, versus shifting priorities to give your engineers more time to manage patches properly. It's not a good time to roll the dice."

Connected cities are becoming increasingly like large corporations. "A city has some hallmark characteristics of a large enterprise," suggests Rapid7's chief data scientist, Bob Rudis: "there are a large number of employees and contractors with a diverse array of operating systems, hardware and data types that all need protection. Beyond financial account information and general personally identifiable information (PII), city-related systems and networks can and do contain court and criminal records, tax records, non-public information on police and other protective services employees, department activities/plans and more. Much of this is extremely sensitive data and would be treasure trove of information, capable of being used in a diverse array of disruptive, targeted attacks against both individuals and entire departments."

What all this means is anti-ransomware preparations require at least three layers of defense: off-site backups; an efficient patch regime; and real-time anomaly detection. Relying on IT staff 'noticing something peculiar' (as happened with the City of Atlanta) is simply not good enough.


TrickBot Gets Computer Locking Capabilities
23.3.2018 securityweek BotNet

A recently observed variant of the TrickBot banking Trojan has added a new module that can lock a victim’s computer for extortion purposes, Webroot reports.

First observed in late 2016 and said to be the work of cybercriminals behind the notorious Dyre Trojan, TrickBot has seen numerous updates that expanded not only its capabilities, but also its target list.

Last year, the malware received an update that added worm-like capabilities, allowing it to spread locally via Server Message Block (SMB).

Webroot now says that the malware attempts to leverage NSA-linked exploits released by Shadow Brokers last year in order to move laterally within compromised networks.

The new TrickBot variant installs itself into the %APPDATA%\TeamViewer\ directory, and once up and running, creates a “Modules” folder to store encrypted plug and play modules and configuration files.

While many of the modules have been already documented, the new Trojan variant also includes a module internally called spreader_x86.dll that Webroot hasn’t seen before. Featuring a large rdata section that contains two additional files, the spreader module contains an executable called SsExecutor_x86.exe and an additional module named screenLocker_x86.dll.

Spreader_x86.dll, the security researchers have discovered, was clearly designed to allow the malware to spread laterally through an infected network by leveraging the NSA-linked exploits.

“This module appears to make use of lateral movement in an attempt to set up the embedded executable as a service on the exploited system. Additionally, the TrickBot authors appear to be still developing this module as parts of the modules reflective dll injection mechanism are stolen from GitHub,” Webroot notes.

The SsExecutor_x86.exe part of the new module is meant to be executed after exploitation, to achieve persistence by modifying registry to add a link to the copied binary to the start-up path of each user account.

Written in Delphi, ScreenLocker_x86.dll represents TrickBot’s first ever attempt at “locking” the victim’s machine. The module exports two functions: a reflective DLL loading function and MyFunction, which appears to be the work in progress.

Should TrickBot indeed gain the locking functionality, it would mean that its developers have decided to switch to a new business model, similar to that employed by ransomware operators.

Locking the computer before stealing the victim’s banking credentials would prevent the credit card or bank theft, which suggests that the cybercriminals might be planning to extort victims to unlock their computers.

The security researchers suggest that, in corporate networks where users are unlikely to be regularly visiting targeted banking URLs, TrickBot would find it difficult to steal banking credentials. Thus, the potential of locking hundreds of machines could prove a more successful money-making model.

“It is notable that this locking functionality is only deployed after lateral movement, meaning that it would be used to primarily target unpatched corporate networks. In a corporate setting (with unpatched machines) it is highly likely that backups would not exist as well. The authors appear to be getting to know their target audience and how to best extract money from them,” Webroot points out.


U.S. Imposes Sanctions on Iranians for Hacking
23.3.2018 securityweek BigBrothers

U.S. Charges Iranians in Massive Hacking Scheme

The United States unveiled charges on Friday against nine Iranians for their alleged involvement in a massive state-sponsored hacking scheme which targeted hundreds of universities in the US and abroad and stole "valuable intellectual property and data."

Ten Iranians were also hit with sanctions along with an Iranian company, the Mabna Institute, which engaged in computer hacking on behalf of Iran's Revolutionary Guards, the US Treasury Department said.

The two founders of the Mabna Institute, Gholamreza Rafatnejad, 38, and Ehsan Mohammadi, 37, were among the nine Iranians indicted in New York and whose assets are subject to US seizure.

Since 2013, the Mabna Institute carried out cyber intrusions into the computer systems of 144 US universities, the Treasury Department said, and 176 universities in 21 foreign countries.

Mabna Institute employees and contractors "engaged in the theft of valuable intellectual property and data from hundreds of US and third-country universities... for private financial gain," it said.

"For many of these intrusions, the defendants acted at the behest of the Iranian government and, specifically, the Iranian Revolutionary Guard Corps," Deputy Attorney General Rod Rosenstein said.

The US Department of Labor, the US Federal Energy Regulatory Commission, dozens of private firms and non-governmental organizations such as the United Nations Children's Fund were also allegedly targeted.

Geoffrey Berman, US Attorney for the Southern District of New York, said the Iranians conducted spearphishing attacks designed to steal passwords from email accounts in one of the "largest state-sponsored" hacking schemes ever uncovered.

- 8,000 accounts compromised -

The email accounts of more than 100,000 university professors worldwide were targeted, Berman said, and about 8,000 accounts were compromised.

He said 31 terabytes -- about 15 billion pages -- of academic data and intellectual property were stolen.

This included "research, and other academic data and documents, including, among other things, academic journals, theses, dissertations, and electronic books," the Justice Department said.

"The defendants targeted data across all fields of research and academic disciplines, including science and technology, engineering, social sciences, medical, and other professional fields," it said.

David Bowdich, deputy director of the FBI, said the defendants are in Iran and "apprehending these individuals presents a challenge."

"(But) the long arm of the law reaches worldwide," he said. "You cannot hide behind a keyboard half way around the world and expect not to be held to account," Berman said.

One of the 10 Iranians subject to sanctions, Behzad Mesri, was already indicted in November 2017 in connection with the theft of scripts and plot summaries for HBO's "Game of Thrones," and for trying to extort $6 million in Bitcoin out of the network.

The Justice Department said that besides targeting university professors in the United States, the hackers also compromised accounts in Australia, Canada, China, Denmark, Finland, Germany, Ireland, Israel, Italy, Japan, Malaysia, Netherlands, Norway, Poland, Singapore, South Korea, Spain, Sweden, Switzerland, Turkey and the United Kingdom.

Rafatnejad, Mohammadi and the seven other Mabna Institute employees or contractors were charged with identity theft, conspiracy to commit computer intrusions and other crimes.


Facebook as an Election Weapon, From Obama to Trump
23.3.2018 securityweek
Social

The use of Facebook data to target voters has triggered global outrage with the Cambridge Analytica scandal. But the concept is nothing new: Barack Obama made extensive use of the social network in 2008 and stepped up "micro-targeting" in his 2012 re-election effort.

The unauthorized gathering of data on 50 million Facebook users by a British consulting firm that worked for Donald Trump has sparked intense debate on how politicians and marketers -- appropriately or not -- use such personal information.

But Cambridge Analytica, the firm at the center of the firestorm, has stressed it is far from alone in using data gleaned online to precisely target voters.

"Obama's 2008 campaign was famously data-driven, pioneered micro-targeting in 2012, talking to people specifically based on the issues they care about," the British firm said on Twitter.

Former members of the Obama team fiercely dispute any comparison to the Cambridge Analytica case, in which an academic researcher is accused of scooping up a massive trove of data without consent using a Facebook personality quiz, and transferring it improperly to the firm.

"How dare you!" tweeted Michael Simon, who headed Obama's micro-targeting team in 2008, in response to the firm.

"We didn't steal private Facebook profile data from voters under false pretenses. OFA (Obama's campaign) voluntarily solicited opinions of hundreds of thousands of voters. We didn't commit theft to do our groundbreaking work."

Jeremy Bird, a member of the 2012 Obama team, echoed those sentiments, warning: "Do not use the Obama campaign to justify your shady business."

But while Cambridge Analytica's methods for acquiring data are in dispute, the underlying goal -- using social media to take the pulse of voters and find those who are persuadable -- was common to both campaigns.

So-called micro-targeting, which borrows techniques from the marketing world, is as much about mobilizing voters and getting them to the polls as about changing minds.

And micro-targeting long pre-dates the internet, with campaigns as early as 1976 using this method, according to Victoria Farrar-Myers, a political scientist and researcher at Southern Methodist University.

Everyone who uses social media makes a decision to share some personal information, she says, although they "may not be fully aware of how people can utilize that."

"Being able to micro-target a voter down to what magazine they read and what issues might make them turn out does have an advantage for a candidate when they're running for an election."

"The Trump campaign did quite a good job at micro-targeting," she said, noting that it put a heavy focus on seemingly marginal localities that were identified as potentially winnable thanks to socal media, and ended up tipping Republican.

According to documents released by the Federal Election Commission (FEC), Trump's new choice of national security advisor John Bolton also hired Cambridge Analytica to conduct profiling work for his Super PAC fundraising group in support of Republican congressional candidates.

Waking up to problem

What remains unclear is whether the techniques made a difference in the 2016 US election.

Chirag Shah, a Rutgers University professor of information and computer science, said the data gleaned could have been instrumental to Trump's campaign.

"We know from other applications, not just in the political domain, but also all kinds of marketing commercialization domains that these things are very, very instrumental," Shah said.

"It is however speculative to say this really change the outcome of the election. All we can say is that, yes there were people who were influenced or targeted using this data."

Experts also stress that neither the Obama nor the Trump campaign broke any laws on the protection of private data -- or even Facebook's internal rules -- which were tightened in 2015 to prevent developers from collecting people's data without explicit consent.

Shah noted the concerns about improper use of personal data are not new.

"The problem is once people access the data from Facebook, for which they often pay, that data is out of Facebook's hands and out of Facebook's users hands.

"And there's no way that Facebook will be able to track all of the data being shared by third parties, fourth parties."

Rayid Ghani, a University of Chicago researcher who was chief scientist for the 2012 Obama campaign, defended his team's use of Facebook data while arguing for a need for better information that would allow users to know when and how their personal information is collected.

"The public needs to be aware of what data is being collected about them, what it is being used for, who it is shared/sold to, and what they're doing with it," Ghani said in a Medium blog post.

"We need to push corporations to make their privacy policies and terms of use more human-friendly, and less fine-print. "


City of Atlanta paralyzed by a ransomware attack, is it SAMSAM?
23.3.2018 securityaffairs
Ransomware

Computer systems in the City of Atlanta were infected by ransomware, the cyber attack was confirmed by the City officials.
The city learned of the attack at around 5:40 am local time on Thursday.

On Thursday, Mayor Keisha Lance Bottoms announced on Thursday that a malware has taken in hostage some internal systems, city’s data were encrypted.


City of Atlanta, GA

@Cityofatlanta
Mayor @KeishaBottoms holds a press conference regarding the security breach. https://www.pscp.tv/w/bYQLUDEzMzg3MjU2fDFkakdYZFl3YUJQR1p9UR2Gex4Vh6trfD-S2987UbdZclhLRGq6anM2SGyFpQ== …

9:36 PM - Mar 22, 2018

City of Atlanta, GA @Cityofatlanta
‪Mayor @KeishaBottoms holds a press conference regarding the security breach.‬

pscp.tv
133
218 people are talking about this
Twitter Ads info and privacy
The ransomware infection has caused the interruption of several city’s online services, including “various internal and customer-facing applications” used to pay bills or access court-related information.

City of Atlanta ransomware
Source 11alive.com

It is still unclear the current extent of the infection, but security experts fear other consequences for the citizens. The mayor recommended the city’s employees and anyone who had conducted transactions with the city to monitor their bank accounts fearing a possible data breach.

“Yesterday morning, computer trouble started interfering with the normal computer operations on the Atlanta government network.” states Forbes.

“Later on, mayor Keisha Lance Bottoms called a press conference to clear the air. The source of the problem: a ransomware attack that had compromised multiple systems.”

“We don’t know the extent so we just ask that you be vigilant,” Bottoms explained in the news conference. “All of us are subject to this attack, if you will. Many of us pay our bills online, we have direct deposit, so go online and check your bank statements.”

Investigators believe that hackers initially compromised a vulnerable server, then the ransomware began spreading to desktop computers throughout the City network. Crooks demanded a payment of 6 Bitcoin, around $51,000 at the current rate,

New Atlanta Chief Operating Officer Richard Cox said that several departments have been affected.

“We don’t know the extent so we just ask that you be vigilant,” Bottoms said in a Thursday news conference. “All of us are subject to this attack, if you will. Many of us pay our bills online, we have direct deposit, so go online and check your bank statements.”

No critical infrastructure and services seem to be affected, the departments responsible for public safety, water, and airport services are operating as normal, however.


COA Procurement
@ATLProcurement
Please note our website http://procurement.atlantaga.gov was not affected by this outage and is accessable. https://twitter.com/Cityofatlanta/status/976864741145694208 …

4:08 PM - Mar 23, 2018
2
See COA Procurement's other Tweets
Twitter Ads info and privacy
In response to the attack, IT staff sent emails to city employees in multiple departments telling them to disconnect their computers from the network if they notice suspicious activity.

The news media 11Alive.com, cited the opinion of an expert that based on the language used in the message pointed out that the infection was caused by the SAMSAM ransomware.

In February, the SAMSAM Ransomware hit the Colorado DOT, The Department of Transportation Agency and shuts down 2,000 computers.

According to the U.S. Department of Justice, the SAMSAM strain was used to compromise the networks of multiple U.S. victims, including 2016 attacks on healthcare facilities that were running outdated versions of the JBoss content management application.

The SamSam ransomware is an old threat, attacks were observed in 2015 and the list of victims is long, many of them belong to the healthcare industry. The attackers spread the malware by gaining access to a company’s internal networks by brute-forcing RDP connections.

Among the victims of the Samsam Ransomware there is the MedStar non-profit group that manages 10 hospitals in the Baltimore and Washington area. Crooks behind the attack on MedStar requested 45 Bitcoins (about US$18,500) for restoring the encrypted files, but the organization refused to pay the Ransom because it had a backup of the encrypted information.

In April 2016, the FBI issued a confidential urgent “Flash” message to the businesses and organizations about the Samsam Ransomware.

The FBI and Department of Homeland Security are investigating the cyberattack.

The local news channel WXIA published a screenshot of an alleged ransom message, the note demands 0.8 bitcoin (roughly $6,800) per computer or 6 bitcoin ($50,000) for keys to unlock the entire network.

The mayor confirmed that the city would seek guidance from federal authorities on how to “navigate the best course of action”.


GitHub Security Alerts are keeping developers’ code safer
23.3.2018 securityaffairs Security

The code hosting service GitHub confirmed that the introduction of GitHub security alerts in November allowed to obtain a significant reduction of vulnerable code libraries on the platform.
Github alerts warn developers when including certain flawed software libraries in their projects and provide advice on how to address the issue.

Last year GitHub first introduced the Dependency Graph, a feature that lists all the libraries used by a project. The feature supports JavaScript and Ruby, and the company also plans to add the support for Python this year.

GitHub Security Alerts

The GitHub security alerts feature introduced in November is designed to alert developers when one of their project’s dependencies has known flaws. The Dependency graph and the security alerts feature have been automatically enabled for public repositories, but they are opt-in for private repositories.

The availability of a dependency graph allows notifying the owners of the projects when it detects a known security vulnerability in one of the dependencies and suggests known fixes from the GitHub community.

The new feature analyzes vulnerable Ruby gems and JavaScript NPM packages based on MITRE’s Common Vulnerabilities and Exposures (CVE) list, every time a new vulnerability is discovered is added to this list and all repositories that use the affected version are identified and their maintainers informed.

“Vulnerabilities that have CVE IDs (publicly disclosed vulnerabilities from the National Vulnerability Database) will be included in security alerts. However, not all vulnerabilities have CVE IDs—even many publicly disclosed vulnerabilities don’t have them.” states GitHub.

“This is the next step in using the world’s largest collection of open source data to help you keep code safer and do your best work. The dependency graph and security alerts currently support Javascript and Ruby—with Python support coming in 2018.”

Github Users can choose to receive the alerts via the user interface or via email.

An initial scan conducted by GitHub revealed more than 4 million vulnerabilities in more than 500,000 repositories. Github notified affected users by December 1, more than 450,000 of the vulnerabilities were addressed either by updating the affected library or removing it altogether.

According to GitHub, vulnerabilities are in a vast majority of cases addressed within a week by active developers.

“By December 1 and shortly after we launched, over 450,000 identified vulnerabilities were resolved by repository owners either removing the dependency or changing to a secure version.” GitHub said. “Additionally, 15 percent of alerts are dismissed within seven days—that means nearly half of all alerts are responded to within a week. Of the remaining alerts that are unaddressed or unresolved, the majority belong to repositories that have not had a contribution in the last 90 days.”


A “highly critical” flaw affects Drupal 7 and 8 core, Drupal security updates expected on March 28th
23.3.2018 securityweek
Vulnerebility

Drupal Security Team confirmed that a “highly critical” vulnerability affects Drupal 7 and 8 core and announced the availability of security updates on March 28th.
A “highly critical” vulnerability affects Drupal 7 and 8 core and Drupal developers are currently working to address it.

Drupal maintainers initially planned to issue a security release of Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28th 2018 between 18:00 – 19:30 UTC.

The security team asked to reserve time for core updates fearing that threat actors could exploit the “highly critical security vulnerability.”

“There will be a security release of Drupal 7.x, 8.3.x, 8.4.x, and 8.5.x on March 28th 2018 between 18:00 – 19:30 UTC, one week from the publication of this document, that will fix a highly critical security vulnerability.” reads the advisory sent to the developers.

“The Drupal Security Team urges you to reserve time for core updates at that time because exploits might be developed within hours or days. “

Both Drupal 8.3.x and 8.4.x are not supported, but due to the severity of the flaw the Drupal Security Team decided to address it with specific security updates.

The Drupal CMS currently runs on over one million websites, it is the second most popular content management system behind WordPress.

“While Drupal 8.3.x and 8.4.x are no longer supported and we don’t normally provide security releases for unsupported minor releases, given the potential severity of this issue, we areproviding 8.3.x and 8.4.x releases that include the fix for sites which have not yet had a chance to update to 8.5.0.” continues the advisory.

The Drupal security team strongly recommends the following:

Sites on 8.3.x should immediately update to the 8.3.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
Sites on 8.4.x should immediately update to the 8.4.x release that will be provided in the advisory, and then plan to update to the latest 8.5.x security release in the next month.
Sites on 7.x or 8.5.x can immediately update when the advisory is released using the normal procedure.


Google is distributing more Meltdown and Spectre Patches for Chrome OS devices
23.3.2018 securityweek
Vulnerebility

Google announced that mitigations for devices with Intel processors that are affected by the Spectre and Meltdown vulnerabilities will be available for latest stable channel update for Google’s Chrome OS operating system.
The Meltdown and Spectre attacks could be exploited by attackers to bypass memory isolation mechanisms and access target sensitive data.

The Meltdown attack could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

The Meltdown exploits the speculative execution to breach the isolation between user applications and the operating system, in this way any application can access all system memory.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

Meltdown attacks trigger the CVE-2017-5754 vulnerability, while Spectre attacks the CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). According to the experts, only Meltdown and Spectre Variant 1 can be addressed via software, while Spectre Variant 2 required an update of the microcode for the affected processors. Software mitigations include.

Google addressed the Meltdown issue in Chrome OS with the release of the version 63 in December, tens of days before researchers at Google Project Zero disclosure the flaws.

Chrome OS Spectre patches

Google rolled out the KPTI/KAISER patch to address the flaw in 70 Intel-based Chromebook models from various vendors, including Acer, ASUS, Dell, HP, Lenovo, and Samsung.

This week the company released Chrome OS 65 release that also includes the KPTI mitigation against Meltdown for a number of Intel-based systems that were not addressed in with version 3.14 of the kernel.

According to Google, all older Chromebooks with Intel processors should get the KPTI mitigation for Meltdown with the release of Chrome OS 66 that is scheduled for release on April 24.

“The Stable channel has been updated to 65.0.3325.167 (Platform version: 10323.58.0/1) for most Chrome OS devices. This build contains a number of bug fixes and security updates.” reads the Google announcement.

“Intel devices on 3.14 kernels received the KPTI mitigation against Meltdown with Chrome OS 65.

All Intel devices received the Retpoline mitigation against Spectre variant 2 with Chrome OS 65.”

Chrome OS 65 also includes the Retpoline mitigation for Spectre Variant 2 for all Intel-based devices. Google experts highlighted that for Spectre Variant 1 attack, hackers can abuse the eBPF feature in the Linux kernel, but Chrome OS disables eBPF.

Chrome OS devices running on ARM-based systems are not affected by Meltdown. Google is working to cover also Spectre issues.

“On ARM devices we’ve started integrating firmware and kernel patches supplied by ARM. Development is still ongoing so release timelines have not been finalized. ARM devices will receive updated firmware and kernels before they enable virtualization features.” concluded Google.


Apple Blocks Sites From Abusing HSTS Security Standard to Track Users
23.3.2018 thehackernews  Apple

If you are unaware, the security standard HTTP Strict Transport Security (HSTS) can be abused as a 'supercookie' to surreptitiously track users of almost every modern web browser online without their knowledge even when they use "private browsing."
Apple has now added mitigations to its open-source browser infrastructure WebKit that underpins its Safari web browser to prevent HSTS abuse after discovering that theoretical attacks demonstrated in 2015 were recently deployed in the wild against Safari users.
HSTS—HTTP Strict Transport Security—is a great feature that allows websites to automatically redirects user's web traffic to secure page connections over HTTPS if the user accidentally opens an insecure URL and then remembers to route that user to the secure connection always.
Since HSTS does not allow websites to store any information/value on users web browser except remembering the redirect information about turning it on/off for future use, using this information, someone interested in tracking web users can create a so-called supercookie that can then be read by cross-site tracking servers to mark users across websites.
Here's How HSTS-Based Tracking Works:
To understand how HSTS supercookie tracking works, here's a simple example:
To track each user, sites assign a unique random number to each visitor, for example, 909090, where 32 character binary conversion for 909090 is 00000000000011011101111100100010.
To set this binary number for a specific user, the site sets HSTS policy for its 32 subdomains (tr01.example.com, tr02.example.com......and tr32.example.com) accordingly, where if HSTS for a subdomain is enabled then the value is 1 and if not then the value is 0.
Now each time the user visits the same website, it silently opens invisible pixels from 32 of its subdomains in the background that represent the bits in the binary number, signalling the server which subdomains are opened via HTTPS (1) and which via HTTP (zero).
Voila! Combining the above value reveals the user's unique binary value to the server, helping websites/advertisers to mark users across sites.
However, Apple has now added two mitigations to its Safari's WebKit engine that addresses both sides of the attack: where tracking identifiers are created, and the subsequent use of invisible pixels to track users.
Mitigation One addresses the super cookie-setting problem, where attackers use long URLs that encode the digits in subdomains of the main domain name and the practice of setting HSTS across a wide range of sub-domains at once.
Safari will now limit the HSTS state to either the loaded Hostname, or the Top Level Domain plus one (TLD+1), and "WebKit also caps the number of redirects that can be chained together, which places an upper bound on the number of bits that can be set, even if the latency was judged to be acceptable."
"This prevents trackers from efficiently setting HSTS across large numbers of different bits; instead, they must individually visit each domain representing an active bit in the tracking identifier," says Brent Fulgham, a developer who works on Safari WebKit engine.
"While content providers and advertisers may judge that the latency introduced by a single redirect through one origin to set many bits is imperceptible to a user, requiring redirects to 32 or more domains to set the bits of the identifier would be perceptible to the user and thus unacceptable to them and content providers."
In Mitigation Two, Safari ignores HSTS State for Subresource Requests to Blocked Domains, where WebKit blocks things like invisible tracking pixels from forcing an HSTS redirect, causing HSTS supercookies to become a bit string of only zeroes.
However, Apple does not name any individual, organisation, or any advertising firm that was using HSTS supercookie tracking to target Safari users.


Windows Remote Assistance Exploit Lets Hackers Steal Sensitive Files
23.3.2018 thehackernews 
Exploit

You have always been warned not to share remote access to your computer with untrusted people for any reason—it's a basic cybersecurity advice, and common sense, right?
But what if, I say you should not even trust anyone who invites or offer you full remote access to their computers.
A critical vulnerability has been discovered in Microsoft's Windows Remote Assistance (Quick Assist) feature that affects all versions of Windows to date, including Windows 10, 8.1, RT 8.1, and 7, and allows remote attackers to steal sensitive files on the targeted machine.
Windows Remote Assistance is a built-in tool that allows someone you trust to take over your PC (or you to take remote control of others) so they can help you fix a problem from anywhere around the world.
The feature relies on the Remote Desktop Protocol (RDP) to establish a secure connection with the person in need.
However, Nabeel Ahmed of Trend Micro Zero Day Initiative discovered and reported an information disclosure vulnerability (CVE-2018-0878) in Windows Remote Assistance that could allow attackers to obtain information to further compromise the victim's system.
The vulnerability, which has been fixed by the company in this month's patch Tuesday, resides in the way Windows Remote Assistance processes XML External Entities (XXE).
The vulnerability affects Microsoft Windows Server 2016, Windows Server 2012 and R2, Windows Server 2008 SP2 and R2 SP1, Windows 10 (both 32- and 64-bit), Windows 8.1 (both 32- and 64-bit) and RT 8.1, and Windows 7 (both 32- and 64-bit).
Exploiting Windows Remote Assistance to Steal Files

Since a security patch for this vulnerability is now available, the researcher has finally released technical details and proof-of-concept exploit code for the flaw to the public.
In order to exploit this flaw, which resides in MSXML3 parser, the hacker needs to use "Out-of-Band Data Retrieval" attack technique by offering the victim access to his/her computer via Windows Remote Assistance.
While setting up Windows Remote Assistance, the feature gives you two options—Invite someone to help you and Respond to someone who needs help.
Selecting the first option helps users generate an invitation file, i.e. 'invitation.msrcincident,' which contains XML data with a lot of parameters and values required for authentication.

Since the parser does not properly validate the content, the attacker can simply send a specially crafted Remote Assistance invitation file containing a malicious payload to the victim, tricking the targeted computer to submit the content of specific files from known locations to a remote server controlled by the attackers.
"The stolen information could be submitted as part of the URL in HTTP request(s) to the attacker. In all cases, an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action," Microsoft explains.
"This XXE vulnerability can be genuinely used in mass scale phishing attacks targeting individuals believing they are truly helping another individual with an IT problem. Totally unaware that the .msrcincident invitation file could potentially result in loss of sensitive information," Ahmed warns.
Among patching other critical vulnerabilities fixed this month, Windows users are highly recommended to install the latest update for Windows Remote Assistance as soon as possible.


Worried About Being on Facebook? Some Options Explained
22.3.2018 securityweek
Social

Managing Your Privacy with Facebook

A snowballing Facebook scandal over the hijacking of personal data from millions of its users has many wondering whether it's time to restrict access to their Facebook information or even leave the social network altogether, with the #deletefacebook movement gaining traction.

Here are some options open to the worried Facebook user.

Put it to sleep

Putting a Facebook account on hold used to be difficult but has become a lot easier.

To deactivate their account, users need to go on their "settings" page, then on to "manage account", where they can "deactivate" their account. Facebook defines this action as putting activity "on hold".

The move disables a user's profile and removes their name and pictures from most things they have shared.

Some information may still remain visible, like a user's name in a friend's list, or messages exchanged with friends.

If they have second thoughts, users can easily restore a de-activated profile.

Kill the account

Deleting an account is a more radical step, as users will not be able to access it again once they've gone for that option.

Facebook warns users that it can take up to 90 days to purge the network of a user's posts.

Even so, some information is likely to stay online, for example messages sent to friends.

According to French data expert Nathalie Devillier there is also a chance that Facebook holds on to information about some users if asked to by US authorities in the name of national security.

Be more alert

Facebook users can check with the network how much of their personal information is accessible on the network.

In "settings", the option "download a copy of your Facebook data" allows a user to do just that.

Once Facebook has double-checked a user's password, the site compiles and then e-mails a compressed file.

The file gives an overview of the pictures and videos a user has posted, their downloaded apps, message traffic with friends, their "likes", unfriended friends and ads clicked.

The information can be difficult to decrypt, as are some passages in Facebook's privacy rules.

It is possible to exercise some control over some ad preferences. This includes, for example, users deciding whether their relationship status can be used as a criterion for targeted ads.

- Go after Facebook -

Some experts and consumer rights organizations argue that rather than withdraw from Facebook, users should help shift the balance of power between the social network giant and individuals by legal means.

"We must be able to use the service without being under Facebook's surveillance," said Arthur Messaud at Quadrature du Net, a French organization that defends the rights of internet users.

The group is planning a class action suit against Facebook in France, based on a new set of EU data protection rules that come into force in May, Messaud said.

He said one aim of the lawsuit is to force Facebook to seek explicit user consent for the use of data by, for example, ticking a box.


Netflix Launches Public Bug Bounty Program
22.3.2018 securityweek
Vulnerebility

Netflix announced on Wednesday the launch of a public bug bounty program with rewards of up to $15,000, and Dropbox has made some changes to its vulnerability disclosure policy, promising not to sue researchers.

Netflix has had a vulnerability disclosure policy for the past 5 years and a private bug bounty program since September 2016. The company has now decided to make its bug bounty initiative public through the Bugcrowd platform.

Its vulnerability disclosure policy and private bug bounty have helped Netflix patch 190 vulnerabilities. The private program started with 100 of Bugcrowd’s top researchers, but more than 700 white hat hackers were later invited in preparation for the public program.

Researchers can earn between $100 and $15,000 for flaws affecting one of several Netflix domains and the mobile applications for iOS and Android. The company claims the highest reward paid out to date is $15,000 for a critical security hole.

The types of vulnerabilities that can be submitted include cross-site scripting (XSS), cross-site request forgery (CSRF), SQL injection, authentication and authorization, data exposure, remote code execution, redirection, business logic, MSL protocol, and mobile API issues. Netflix says it acknowledges vulnerability reports, on average, in less than 3 days.

“Engineers at Netflix have a high degree of ownership for the security of their products and this helps us address reports quickly,” Netflix said in a blog post. “Our security engineers also have the autonomy and freedom to make reward decisions quickly based on the reward matrix and bug severity. This ultimately helps create an efficient and seamless experience for researchers which is important for engagement in the program.”

Dropbox makes changes to vulnerability disclosure policy

Dropbox has not set a maximum amount of money that researchers can earn through its HackerOne-based bug bounty program. To date, the company has paid out more than $200,000 for over 220 vulnerabilities.

However, the changes made by the company are not related to bounty amounts and instead they focus on the vulnerability disclosure policy and assuring researchers that they will not get sued even if they accidentally violate terms of the program.

Several researchers have faced lawsuits recently over vulnerability disclosures, and Dropbox wants to help avoid such situations. The company has promised “to not initiate legal action for security research conducted pursuant to the policy, including good faith, accidental violations.”

Dropbox says it will allow researchers to publish the details of the vulnerabilities they find, and will not file Digital Millennium Copyright Act (DMCA) action against them as long as their activities are consistent with the company’s vulnerability disclosure policy.

The new policy includes a clear statement that research constitutes “authorized conduct” under the controversial Computer Fraud and Abuse Act (CFAA). Furthermore, as long as the researcher complies with Dropbox’s policy, the company will clearly state that their actions were authorized in case of a lawsuit initiated by a third party.

“We’re also happy to announce that all of the text in our VDP is a freely copyable template,” Dropbox said. “We’ve done this because we’d like to see others take a similar approach. We’ve put some effort in to this across our legal and security teams and if you like what you see, please use it.”


More Chrome OS Devices Receive Meltdown, Spectre Patches
22.3.2018 securityweek
Vulnerebility

The latest stable channel update for Google’s Chrome OS operating system includes mitigations for devices with Intel processors affected by the Spectre and Meltdown vulnerabilities.

Meltdown and Spectre attacks exploit design flaws in Intel, AMD, ARM and other processors. They allow malicious applications to bypass memory isolation mechanisms and gain access to sensitive data.

Meltdown attacks are possible due to CVE-2017-5754, while Spectre attacks are possible due to CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). While Meltdown and Variant 1 can be addressed with software updates, Variant 2 also requires microcode updates from the manufacturers of the impacted processors. Software mitigations include kernel page-table isolation (KPTI/KAISER) and a technique developed by Google called Retpoline.

Meltdown and Spectre were discovered independently by three teams of researchers. Google Project Zero researcher Jann Horn was one of the experts who found the flaws, which meant the company had enough time to work on patches before the details of the vulnerabilities were disclosed.

In the case of Chrome OS, Google rolled out the first Meltdown mitigations with the release of version 63 in mid-December, more than two weeks before public disclosure.

At the time, Google rolled out the KPTI/KAISER patch to roughly 70 Intel-based Chromebook models from Acer, ASUS, Dell, HP, Lenovo, Samsung and others.

Google released Chrome OS 65 on Monday and informed users that it includes the KPTI mitigation against Meltdown for additional Intel devices with version 3.14 of the kernel.

A status page created by Google to help users track the availability of Meltdown and Spectre patches for Chrome OS shows that all older Chromebooks with Intel processors, including with kernel versions 3.14 and 3.8, should get the KPTI mitigation for Meltdown with the release of Chrome OS 66, which is currently scheduled for release on April 24.

Chrome OS 65 also brings the Retpoline mitigation for Spectre Variant 2 to all devices with Intel processors. Google noted that Variant 2 can be exploited using virtualization, and while Chrome OS devices don’t use this type of feature, some measures have been taken to proactively protect users.

In the case of Spectre Variant 1, the eBPF feature in the Linux kernel can be abused for exploitation, but Chrome OS is not impacted as it disables eBPF, Google said.

The tech giant informs customers that Chrome OS devices with ARM processors are not affected by Meltdown. As for the Spectre vulnerabilities, Google says it has started integrating the firmware and kernel patches supplied by ARM, but release timelines have not been finalized.


Iran-linked Hackers Adopt New Data Exfiltration Methods
22.3.2018 securityweek CyberCrime

An Iran-linked cyber-espionage group has been using new malware and data exfiltration techniques in recent attacks, security firm Nyotron has discovered.

The threat actor, known as OilRig, has been active since 2015, mainly targeting United States and Middle Eastern organizations in the financial and government industries. The group has been already observed using multiple tools and adopting new exploits fast, as well as switching to new Trojans in recent attacks.

Nyotron now says that OilRig has used roughly 20 different tools it its latest campaign, including off-the-shelf, dual-purpose utilities and previously unseen malware. In addition to data exfiltration, the group has been heavily focused on bypassing network-level security products to establish a foothold into targeted environments.

Since November 2017, the notorious Iran-linked threat group has been targeting various organizations in the Middle East with evolved tactics, techniques and procedures (TTPs), including the abuse of Google Drive and SmartFile for command and control (C&C) purposes, Nyotron’s report (PDF) reveals.

After compromising a targeted network (phishing emails are likely used to steal login credentials), the group downloads necessary tools from public file sharing services such as Dropbox, Degoo, Files.fm, and File.ac, and from an attacker-controlled server.

The hackers used Windows shares to transfer tools to endpoints that did not have an Internet connection or had downloads blocked by firewalls. They also used web shells to upload and execute files on compromised servers.

For the attacks, the hacker(s) built a sophisticated Remote Access Trojan (RAT) that uses Google Drive for C&C purposes and which is deployed on the target systems as a file named Service.exe. The malware registers as a service to achieve persistence, receives commands from the attacker’s account on Google Drive, and sends files to it.

With no anti-virus programs in VirusTotal detecting the RAT, multiple organizations appear to have been compromised by the malware. The account used to control the malware was created in August 2015, but wasn’t used until recently.

Another tool employed in this campaign is SmartFile.exe, which includes functionality supposedly taken from a GitHub repository, but with expanded capabilities. The tool uses SmartFile as C&C and can download and upload files to the file sharing service, in addition to executing received commands.

In addition to these tools, the attackers also leveraged a scheduled task running PowerShell scripts using AutoIt to gain persistence on the targeted systems. The analysed code, Nyotron says, is almost identical to the one used in an OilRig attack back in 2016.

The security researchers also discovered two main .aspx files the attackers used to gain persistence on Internet Information Services (IIS) Web servers. One of the files allowed the attackers to upload files to the system and was tailored to fit the folder paths of each server. A web shell was used to execute an arbitrary command on the infected machine using cmd.exe.

The OilRig hackers used a malicious IIS ISAPI filter as a covert way to execute commands on the compromised machine, and also deployed Myrtille onto infected machines (a tool that provides access to remote desktops and applications), but haven’t used the utility yet. Additionally, they deployed rpc.exe, a Meterpreter payload to gain persistence and support for various commands.

For privilege escalation on the compromised environments, the attackers mainly used variations of Mimikatz, but also attempted to use ProcDump to dump lsass.exe process memory.

For internal reconnaissance, the attackers used both legitimate and specially crafted tools, including Port Scanner (PS) to scan internal networks and external addresses, NBTScan to scan for open NETBIOS Name Servers on local or remote TCP/IP networks, and a tool to scan for EternalBlue exploitability (taken from a GitHub repository and converted to an executable using PyInstaller).

The attackers mainly used the EternalBlue exploit for lateral movement in the compromised networks. The exploits were likely taken from GitHub as well, and transformed from Python files into executables using PyInstaller. PsExec was also used to launch arbitrary commands on remote hosts in the network.

“State attackers and advanced hacking groups are continually finding new approaches to augment previous successful attacks. This latest OilRig evolution serves as a reminder that security leaders need to strengthen their endpoint protection using the defense in depth approach to safeguard against malware adopting next-generation tools and techniques,” Nir Gaist, founder and CTO of Nyotron, said.


GitHub Security Alerts Lead to Fewer Vulnerable Code Libraries
22.3.2018 securityweek
Vulnerebility

GitHub says the introduction of security alerts last year has led to a significantly smaller number of vulnerable code libraries on the platform.

The code hosting service announced in mid-November 2017 the introduction of a new security feature designed to warn developers if the software libraries used by their projects contain any known vulnerabilities.

The new feature looks for vulnerable Ruby gems and JavaScript NPM packages based on MITRE’s Common Vulnerabilities and Exposures (CVE) list. When a new flaw is added to this list, all repositories that use the affected version are identified and their maintainers informed. Users can choose to be notified via the GitHub user interface or via email.

When it introduced security alerts, GitHub compared the list of vulnerable libraries to the Dependency Graph in all public code repositories.

The Dependency Graph is a feature in the Insights section of GitHub that lists the libraries used by a project. Since the introduction of security alerts, this section also informs users about vulnerable dependencies, including CVE identifiers and severity of the flaws, and provides advice on how to address the issues.

The initial scan conducted by GitHub revealed more than 4 million vulnerabilities in over 500,000 repositories. Affected users were immediately notified and by December 1, roughly two weeks after the launch of the new feature, more than 450,000 of the flaws were addressed either by updating the affected library or removing it altogether.

According to GitHub, vulnerabilities are in a vast majority of cases addressed within a week by active developers.

“Since [December 1], our rate of vulnerabilities resolved in the first seven days of detection has been about 30 percent,” GitHub said. “Additionally, 15 percent of alerts are dismissed within seven days—that means nearly half of all alerts are responded to within a week. Of the remaining alerts that are unaddressed or unresolved, the majority belong to repositories that have not had a contribution in the last 90 days.”

GitHub was recently hit by a record-breaking distributed denial-of-service (DDoS) attack that peaked at 1.3 Tbps, but the service was down for less than 10 minutes.


You Can DDoS an Organization for Just $10 per Hour: Cybercrime Report
22.3.2018 securityweek CyberCrime

The cost of having an organization targeted by a distributed denial of service (DDoS) attack for an hour is as low as $10, cybersecurity firm Armor says.

The low cost of launching such attacks results from the proliferation of cybercrime-as-a-service, one of the most profitable business models adopted by cybercriminals over the past years. It allows criminals-wannabe to employ the resources of established cybercriminals for their nefarious purposes, including malware distribution, DDoS-ing, spam, and more.

All that miscreants have to do is to access underground markets or forums and hire the desired cybercrime service to conduct the malicious actions for them. And while the incurred financial losses total billions or even more for affected organizations, the price of hiring such a service is highly affordable to anyone.

According to Armor’s The Black Market Report: A Look into the Dark Web (PDF), anyone can DDoS an organization for only $10 an hour or $200 per day. Remote Desktop Protocol (RDP) access for a system for three months costs only $35.

The data was collected through the analysis of dozens of online underground markets and forums during the fourth quarter of 2017 and reveals a slight increase in prices compared to a couple of years ago. Considering how powerful DDoS attacks have become lately, however, the cost of launching an attack remains incredibly low.

DDoS-for-hire services, however, are only one example of how cheap cybercrime services are on the dark web. The Disdain exploit kit could be rented for $80 a day, $500 a week or $1,400 a month, Armor has discovered. A botnet capable of webinject and other nefarious actions was available at $750 or $1,200 a month, with support available at an extra $100 or $150 a month.

“When source code is offered, there is a trend toward offloading risk by selling malware or exploit code to someone else and then selling support as well. In the spirit of helping others, some sellers have taken to hawking hacker tutorials and known exploits in bundles at relatively low cost, most likely to low-skill hackers known as script kiddies,” the security firm says.

Armor's researchers found a Microsoft Office exploit builder targeting the CVE-2017-0199 vulnerability available at $1,000. A banking Trojan license, on the other hand, was available at $3,000 to $5,000, while a remote access Trojan was seen selling for $200.

On underground forums, buyers can also find code-signing certificates (a Class 3 code-signing certificate was selling for $400, while an Extended Validation (EV) certificate was offered for $2,500), account hacking programs (for as low as $12.99), WordPress exploits (at $100), password stealers ($50), Android malware loader ($1,500), ATM skimmers ($700 - $1,500), and various other tools as well.

Credit card skimmers and magnetic stripe readers were found selling for as little as $700 and $450, respectively. Credit card data is available for purchase as well, with prices starting as low as $7 for US Visa cards.

Card numbers sold with additional identifying information are a bit more expensive: $18 vs $10-$12 at the same vendor. Customers looking to verify the bank information number (BIN) may be charged as much as $15 for the operation, Armor has discovered. American Express and Discover card numbers were available at $12 to $17 with BIN verification.

The cost of credit card information was also influenced by the credit limit on the card: one with a $10,000 limit was available at $800, while another with a $15,000 limit was $1,000. Access to bank accounts too is priced in line with the available balance, ranging from $200 to $1,000 for accounts at Wells Fargo, JPMorgan Chase and Bank of America with balances between $3,000 and $15,000.

PayPal accounts were also available for sale: $200 for a verified PayPal account with a balance of $3,000. Furthermore, the researchers found U.K. bank accounts up for sale, priced at 300 and 400 GBP, for accounts at Lloyds Bank with balances of 3,000 GBP and 5,000 GBP, respectively.

“Buying access to an account, however, is only part of a successful heist. From there, the buyer needs to be able to get their hands on the money. To accomplish this, cybercriminals traditionally have turned to money mules. Their role is to receive the funds from the compromised account, after which, they will be often tasked with transferring that money to another account overseas in exchange for a commission,” Armor notes.

The security researchers discovered that one can buy all kinds of compromised accounts on the dark web, not only finance-related accounts. One vendor offered 1,000 Instagram accounts for a price of $15, 2,500 for $25, 5,000 for $40 and 10,000 for $60. Another said they would hack into accounts for Facebook, Netflix, Twitter and other services for as low as $12.99.

Personally identifiable information (PII) and counterfeit documents are also available on underground markets and forums. The price for U.S. PII (name, address, phone number, SSN, DOB, bank account data, employment history, credit history, criminal history) was of $40 - $200, while U.S. green cards, driver’s license, Insurance, and Passport Visas (bundled) would cost $2,000.

Other data being sold on the dark web that attackers can turn into profit includes airline and hotel rewards points. A Southwest Airlines rewards account with at least 50,000 miles was being sold for $98.88, while a large international hotel chain rewards points account with at least 50,000 points was available at $74.99.

“Whether you are a small business owner, an enterprise executive or a private individual using a computer from the comfort of your home, there are attackers who are interested in your data. As long as these markets continue to thrive, cyberattacks will remain a constant threat, making it vital business leaders arm their security teams with the resources they need to keep information secure,” Armor concludes.

"A great wealth of Cybercrime-as-a-Service offerings have existed for a while already, let alone exploit, malware and stolen data markets that are more than fifteen years old," Ilia Kolochenko, CEO of web security company, High-Tech Bridg, adding that most of these publicly-traded goods and services are low quality. "Backdoors and trojans are usually based on the same engine, slightly modified or improved. Stolen data is a mix of several dumps from different data breaches or leaks," Kolochenko said. "Many fraudsters sell overt fakes or garbage. While professional cybercriminals usually deal via private channels, established for many years and very well camouflaged on legitimate systems, beyond cybersecurity companies and law enforcement's field of vision. With cryptocurrencies, money laundering problems virtually disappeared and cybercriminals may enjoy their growing wealth without fear."


Google is distributing more Meltdown and Spectre Patches for Chrome OS devices
22.3.2018 securityaffairs
Vulnerebility

Google announced that mitigations for devices with Intel processors that are affected by the Spectre and Meltdown vulnerabilities will be available for latest stable channel update for Google’s Chrome OS operating system.
The Meltdown and Spectre attacks could be exploited by attackers to bypass memory isolation mechanisms and access target sensitive data.

The Meltdown attack could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

The Meltdown exploits the speculative execution to breach the isolation between user applications and the operating system, in this way any application can access all system memory.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

Meltdown attacks trigger the CVE-2017-5754 vulnerability, while Spectre attacks the CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). According to the experts, only Meltdown and Spectre Variant 1 can be addressed via software, while Spectre Variant 2 required an update of the microcode for the affected processors. Software mitigations include.

Google addressed the Meltdown issue in Chrome OS with the release of the version 63 in December, tens of days before researchers at Google Project Zero disclosure the flaws.

Chrome OS Spectre patches

Google rolled out the KPTI/KAISER patch to address the flaw in 70 Intel-based Chromebook models from various vendors, including Acer, ASUS, Dell, HP, Lenovo, and Samsung.

This week the company released Chrome OS 65 release that also includes the KPTI mitigation against Meltdown for a number of Intel-based systems that were not addressed in with version 3.14 of the kernel.

According to Google, all older Chromebooks with Intel processors should get the KPTI mitigation for Meltdown with the release of Chrome OS 66 that is scheduled for release on April 24.

“The Stable channel has been updated to 65.0.3325.167 (Platform version: 10323.58.0/1) for most Chrome OS devices. This build contains a number of bug fixes and security updates.” reads the Google announcement.

“Intel devices on 3.14 kernels received the KPTI mitigation against Meltdown with Chrome OS 65.

All Intel devices received the Retpoline mitigation against Spectre variant 2 with Chrome OS 65.”

Chrome OS 65 also includes the Retpoline mitigation for Spectre Variant 2 for all Intel-based devices. Google experts highlighted that for Spectre Variant 1 attack, hackers can abuse the eBPF feature in the Linux kernel, but Chrome OS disables eBPF.

Chrome OS devices running on ARM-based systems are not affected by Meltdown. Google is working to cover also Spectre issues.

“On ARM devices we’ve started integrating firmware and kernel patches supplied by ARM. Development is still ongoing so release timelines have not been finalized. ARM devices will receive updated firmware and kernels before they enable virtualization features.” concluded Google.


TeleRAT, a new Android Trojan that uses Telegram for data exfiltration
22.3.2018 securityaffairs Android

Security experts at Palo Alto Networks discovered a new Android Trojan dubbed TeleRAT that uses Telegram Bot API to communicate with the command and control (C&C) server and to exfiltrate data.
TeleRAT appears to be originating from and/or to be targeting individuals in Iran, experts found similarities with another Android malware dubbed IRRAT Trojan, which also leverages Telegram’s bot API for C&C communication communications.

“Telegram Bots are special accounts that do not require an additional phone number to setup and are generally used to enrich Telegram chats with content from external services or to get customized notifications and news.” reads the analysis published by PaloAlto networks. “And while Android malware abusing Telegram’s Bot API to target Iranian users is not fresh news (the emergence of a Trojan using this method called IRRAT was discussed in June and July 2017), we set out to investigate how these Telegram Bots were being abused to command and control malicious Android applications.”

The IRRAT is able to steal contact information, a list of Google accounts registered on the devices, SMS history, it is also able to take a picture with the front-facing and back-facing cameras.

Stolen data are stored on a series of files on the phone’s SD card and then sent to an upload server. The IRRAT malware reports to a Telegram bot, hides its icon from the phone’s app menu and runs in the background waiting for commands.

The TeleRAT Android malware operates in a different way, it creates two files on the device, telerat2.txt containing device information (i.e. system bootloader version number, available memory, and a number of processor cores), and thisapk_slm.txt containing a Telegram channel and a list of commands.

Once installed, the malicious code informs attackers on this by sending a message to a Telegram bot via the Telegram bot API with the current date and time. The malware also starts a background service that listens for changes made to the clipboard, and finally, the app fetches updates from the Telegram bot API every 4.6 second listening for several commands written in Farsi (Persian).

The TeleRAT is able to receive commands to grab contacts, location, app list, or the content of the clipboard; receive charging information; get file list or root file list; download files, create contacts, set wallpaper, receive or send SMS; take photos; receive or make calls; turn phone to silent or loud; turn off the phone screen; delete apps; cause the phone to vibrate; and get photos from the gallery.

TeleRAT is also able of uploading exfiltrated data using Telegram’s sendDocument API method, in this way it evades network-based detection.

“TeleRAT is an upgrade from IRRAT in that it eliminates the possibility of network-based detection that is based on traffic to known upload servers, as all communication (including uploads) is done via the Telegram bot API.” continues the analysis.

“Aside from additional commands, this new family’s main differentiator to IRRAT is that it also uploads exfiltrated data using Telegram’s sendDocument API method”

The malware is able to get updates in two ways, namely the getUpdates method (which exposes a history of all the commands sent to the bot, including the usernames the commands originated from), and the use of a Webhook (bot updates can be redirected to a HTTPS URL specified by means of a Webhook).

The TeleRAT malware is distributed via seemingly legitimate applications in third-party Android app stores and also via both legitimate and nefarious Iranian Telegram channels. According to PaloAlto networks, a total of 2,293 users were apparently infected, most of them (82%) having Iranian phone numbers.

Telerat android malware

The campaign has a poor OPSEC, the experts have found an image of the botmaster testing out the malware, along with exfiltrated messages to confirm it. The analysis of the malicious code revealed that it contains the developer’s username in the code and reference to ‘vahidmail67’ Telegram channel that advertises applications to help users get likes and followers on Instagram, ransomware, and even the source code for an unnamed RAT.

“Aside from the Telegram channel, while looking for references to certain TeleRAT components we stumbled upon somethreads on an Iranian programmers’ forum advertising the sale of a Telegram bot control library. The forum is frequented by some of the developers whose code is heavily reused in a big portion of the TeleRAT samples we came across.” continues the analysis.

Experts pointed out that TeleRAT puts together code written by several developers, including freely available source code via Telegram channels and code offered for sale on several forums, making it difficult to attribute the malware to one single bad actor behind both IRRAT and TeleRAT.

The experts concluded that the malware could be the work of several actors possibly operating inside of Iran.


Google, Twitter Security Chiefs Leaving Companies
22.3.2018 securityweek
Social

Michael Coates, the chief information security officer (CISO) of Twitter, announced on Wednesday that he has decided to leave the social media giant. Google security chief Gerhard Eschelbeck has also announced his departure.

Coates, who joined Twitter in January 2015, says he will co-found a cybersecurity startup, but has not shared any details.

Twitter CISO Michael Coates leaves company

According to his LinkedIn profile, Coates has been working in cybersecurity since 2004, including at Motorola, Aspect Security and Shape Security. Between March 2010 and October 2013, he led Mozilla's Security Assurance program.

Until recently he was on the global board of directors of the OWASP Foundation, and is presently on the board of several organizations, including Comprehend Systems, Synack, and Vendor Security Alliance.

The Verge reported that Joseph Camilleri, a senior manager for information security and risk, will act as interim CISO at Twitter following Coates’ departure.

Eschelbeck, vice president of security and privacy engineering at Google, also announced his departure on Wednesday, but has not shared his plans for the future.

Icamtuf leaves Google

Eschelbeck, known online as lcamtuf, previously held leadership positions at McAfee, Qualys, Webroot and Sophos. He joined Google in October 2014.

The announcements made by Eschelbeck and Coates come just days after reports that Facebook CISO Alex Stamos is leaving the social media giant in the wake of internal clashes over how to deal with the platform being used to spread misinformation.

“Despite the rumors, I'm still fully engaged with my work at Facebook,” Stamos said in response to a New York Times article on his alleged departure from Facebook. “It's true that my role did change. I'm currently spending more time exploring emerging security risks and working on election security.”


Growing Mistrust Threatens Facebook After Data Mining Scandal
22.3.2018 securityweek
Social

As Facebook reels from the scandal over hijacked personal data, a movement to quit the social network gathered momentum Wednesday, portending threats to one of the most powerful internet firms.

In a sign of the mood, one of those calling it quits was a high-profile co-founder of the WhatsApp messaging service acquired by Facebook in 2014 for $19 billion.

"It is time. #deletefacebook," Brian Acton said in a tweet, using the hashtag protesting the handling of the crisis by the world's biggest social network.

The WhatsApp co-founder, who now works at the rival messaging application Signal, posted the comment amid a growing uproar over revelations that Facebook data was harvested by a British political consulting firm linked to Donald Trump's presidential campaign.

"Delete and forget. It's time to care about privacy," he said.

The huge social network also faces investigations on both sides of the Atlantic over its data practices, and a handful of lawsuits which could turn into class actions that may prove a costly distraction for Facebook.

It remains to be seen whether the uproar would lead to any significant departures, but the topic was active on social media, including on Facebook itself.

Donella Cohen, a Weather Channel product manager, posted on her Facebook page that she would be off the network by midnight.

"The latest revelations are showing just how corrupt and detrimental to society this particular platform is," she wrote.

"I hope that a new social network emerges. One that isn't so greedy as to corrupt the political process in the name of the almighty dollar."

- Fabric of internet -

Yet analysts noted Facebook is unlikely to fade quickly because of how it is woven into the fabric of the internet, with "like" buttons on websites, comments sections for news articles and an ad network that delivers messages to those who are not Facebook members.

The #deleteFacebook movement "is a social media feedback loop from the public -- we saw the same thing with #deleteUber," said Jennifer Grygiel, a communications professor at Syracuse University.

"Sure, some people will delete Facebook, but to truly delete Facebook would mean that users would need to delete Facebook, Instagram, WhatsApp, and Messenger. This is not realistic for most people given how social media has been integrated into everyday life."

Sandra Proske, head of communications for the Finland-based security firm F-Secure, said it's not easy to break up with Facebook.

"If this (scandal) makes you uncomfortable you can choose to not use the site, of course," Proske wrote in a blog post.

"But given how intertwined in our lives Facebook and the sites it has acquired, including Instagram and WhatsApp, have become, you may not consider this an option. And for some people and even some countries, Facebook is the internet."

Proske and others offer suggestions on how Facebook users can improve privacy by limiting what is shared and which apps have access to their data.

Several websites offered tips on how to quit Facebook, while noting that the process is more complicated than it appears.

Facebook offers users the option to "deactivate" an account for users who want to take a break and return later, or to "delete" the account and its data entirely.

But Facebook noted that some data such as posts on friends' timelines might remain in the system even after an account is deleted.

And longtime Facebook users could face complications on dealing with log-ins and authorizations to other websites and apps through the social network.

The tech website The Verge published a guide to deletion, advising users to download a copy of all personal data including photos and posts before quitting.

The website noted that it could take up to 90 days to fully delete an account, and that data may be inaccessible during that period.

It was unclear how many users were following through on plans to quit Facebook, which has more than two billion users worldwide.

But Roger McNamee, an early investor in Facebook, said the social network was losing the trust of its users.

"The issue is a callous disregard for the privacy rights of users and a lack of care with respect to data that had been entrusted to Facebook," McNamee told National Public Radio.

"I'm not sure exactly what's going on here, but I'm afraid there is a systemic problem with the algorithms and the business model of Facebook that allow bad actors to cause harm to innocent users of Facebook."


Zuckerberg on Cambridge Analytica case: we made mistakes
22.3.2018 securityaffairs
Social

Facebook CEO Mark Zuckerberg on Wednesday commented the Cambridge Analytica case, he admitted the company made mistakes.
Finally, Facebook CEO Mark Zuckerberg on Wednesday commented the Cambridge Analytica case, he admitted that his company has failed in protecting its users, but he pointed out that the company has already adopted necessary measures to prevent future abuses.

“we made mistakes” he said. “We have a responsibility to protect your data, and if we can’t then we don’t deserve to serve you,” reads a statement published by Zuckerberg on Facebook.

“I’ve been working to understand exactly what happened and how to make sure this doesn’t happen again. The good news is that the most important actions to prevent this from happening again today we have already taken years ago. But we also made mistakes, there’s more to do, and we need to step up and do it.”

A team of academics had collected a huge amount of user data and shared the information with Cambridge Analytica which is a commercial data analytics company that allegedly used it to target US voters in the 2016 Presidential election.

The news was confirmed by Facebook over the weekend, the researchers used an app developed by the University of Cambridge psychology lecturer Dr. Aleksandr Kogan to collect user data.

The app named “thisisyourdigitallife” is available to users since 2014, it was provided by Global Science Research (GSR) and asked users to take an online survey for $1 or $2. The app requested access to the user’s profile information, and over 270,000 users gave the app permission to use their personal details for academic research.

The app is a powerful tool to profile users by harvesting information on their network of contacts, its code allowed to collect data from over 50 million users.

Facebook confirmed to have “suspended” any business with Cambridge Analytica (CA) and its holding company.

Facebook discovered the activity in 2015 thanks to claims from its users and adopted the necessary measures to force the involved parties in deleting the data from their servers.

Zuckerberg highlighted that he was not aware of the activities conducted by Cambridge Analytica and that his company prompted interrupted business activities with the firm once discovered it has not deleted collected data.

“Last week, we learned from The Guardian, The New York Times and Channel 4 that Cambridge Analytica may not have deleted the data as they had certified. We immediately banned them from using any of our services.”

Zuckerberg

Mark Zuckerberg said he would take several measures to prevent threat actors from abusing Facebook users’ data.

The company will assess all apps that had access to large amounts of information before 2014, when the social network giant took the most important steps to prevent bad actors from accessing people’s data.

Facebook will restrict developers’ data access even further to prevent such kind of situation and it will show users a tool at the top of their News Feed to show the apps they used and revoke them permissions to access their data.

The company will ban any developer that does not agree to a thorough audit.

“We’ll require developers to not only get approval but also sign a contract in order to ask anyone for access to their posts or other private data. And we’ll have more changes to share in the next few days.” continues Zuckerberg while announcing more changes.

Below the complete statement published by Zuckerberg.

Mark Zuckerberg
před 12 h
I want to share an update on the Cambridge Analytica situation -- including the steps we've already taken and our next steps to address this important issue.

We have a responsibility to protect your data, and if we can't then we don't deserve to serve you. I've been working to understand exactly what happened and how to make sure this doesn't happen again. The good news is that the most important actions to prevent this from happening again today we have already taken years a...


Puerto Rico Electric Power Authority (PREPA) hacked over the weekend
22.3.2018 securityaffairs BigBrothers

Puerto Rico Electric Power Authority (PREPA) power utility confirmed early this week that it has been hacked over the weekend.
A few days ago, the US government issued an alert to warn of cyber attacks powered by Russian state-sponsored hackers against US critical infrastructure.

News of the day is that Puerto Rico power utility, aka Puerto Rico Electric Power Authority or PREPA, confirmed early this week that it has been hacked over the weekend.

Puerto Rico Electric Power Authority PREPA

Last year, PREPA filed a form of U.S. bankruptcy to shed some $9 billion in debt. Puerto Rico Governor Ricardo Rossello plans to privatize the Puerto Rico Electric Power Authority and to modernize the outdated infrastructure.

The bankrupt power utility confirmed that there is no risk for its customers because their data were not compromised by hackers.

The hackers did not access the customer service system at Puerto Rico power utility.

According to the Executive Director Justo Gonzalez Torres, on Sunday night, the computer infrastructure of PREPA suffered a security breach, he also added that an investigation is ongoing.

“In these moments we are protecting the systems and working to resolve the situation,” said Gonzalez.

At the time there is no evidence for the involvement of Russian hackers in the attack against the Puerto Rico Electric Power Authority.Anyway, the attribution of such kind of cyber attacks is very hard because threat actors adopt sophisticated techniques to remain stealth
“As of Monday evening, there was no indication that Russia was to blame for PREPA’s hack.” reported the Reuters.

“When asked about potential sources of the attack, a spokesman for PREPA said the matter was “being investigated and referred to the relevant authorities,” declining to say who those authorities were.”

In September, the PREPA grid was destroyed when Hurricane Maria that hit Puerto Rico, 3.4 million residents of the U.S. commonwealth went in the dark.


Android Trojan Leverages Telegram for Data Exfiltration
21.3.2018 securityweek Android

A newly discovered Android Trojan is abusing Telegram’s Bot API to communicate with the command and control (C&C) server and to exfiltrate data, Palo Alto Networks security researchers warn.

Dubbed TeleRAT, the malware appears to be originating from and/or to be targeting individuals in Iran. The threat is similar to the previously observed IRRAT Trojan, which uses Telegram’s bot API for C&C communication only.

Still active in the wild, IRRAT masquerades as applications supposedly informing users on the number of views their Telegram profile received (something that Telegram doesn’t actually allow for). After the app’s first launch, the malware creates and populates a series of files on the phone’s SD card, which it then sends to an upload server.

The files contain contact information, a list of Google accounts registered on the phone, SMS history, a picture taken with the front-facing camera, and a picture taken with back-facing camera. The malicious app reports to a Telegram bot, hides its icon from the phone’s app menu, and continues to run in the background, waiting for commands.

TeleRAT, on the other hand, creates two files on the device, one containing various device information (including system bootloader version number, available memory, and number of processor cores), and another containing a Telegram channel and a list of commands, Palo Alto Networks says.

After installation, the RAT informs attackers on this by sending a message to a Telegram bot via the Telegram bot API with the current date and time. It also starts a background service to listen for changes made to the clipboard, and fetches updates from the Telegram bot API every 4.6 seconds, listening for commands.

Based on the received commands, the malware can grab contacts, location, app list, or the content of the clipboard; receive charging information; get file list or root file list; download files, create contacts, set wallpaper, receive or send SMS; take photos; receive or make calls; turn phone to silent or loud; turn off the phone screen; delete apps; cause the phone to vibrate; and get photos from the gallery.

The new malware family is also capable of uploading exfiltrated data using Telegram’s sendDocument API method. By performing all communication via the Telegram bot API, it evades network-based detection.

The use of said API allows for getting updates in two manners, namely the getUpdates method (which exposes a history of all the commands sent to the bot, including the usernames the commands originated from), and the use of a Webhook (bot updates can be redirected to a HTTPS URL specified by means of a Webhook).

The researchers claim to have found an image of the botmaster testing out the RAT, along with exfiltrated messages to confirm it. The malware also appears to contain the developer’s username in the code, which lead researchers to the ‘vahidmail67’ Telegram channel, which advertises applications to help users get likes and followers on Instagram, ransomware, and even the source code for an unnamed RAT.

The researchers also found threads on an Iranian programmers’ forum advertising the sale of a Telegram bot control library and say that code from developers frequenting the forum was found in encountered TeleRAT samples. Although the forum claims all content is in accordance with Iran’s laws, the malicious use for some of the code advertised there is clear.

Because TeleRAT puts together code written by several developers, including freely available source code via Telegram channels and code sold on forums, this makes it difficult to point to one single actor commanding either IRRAT or TeleRAT. Thus, Palo Alto Networks says the malware could be the work of several actors possibly operating inside of Iran.

The malware is distributed via seemingly legitimate applications in third-party Android app stores and also distributed and shared via both legitimate and nefarious Iranian Telegram channels. A total of 2,293 users were apparently infected, based on the analyzed infrastructure, with 82% of the victims having Iranian phone numbers.


Firefox Fails at Keeping Passwords Secure, Developer Claims
21.3.2018 securityweek Safety

Recovering Encrypted Firefox Passwords via Brute Force Attacks is Easy, Developer Says

Firefox does a poor job at securing stored passwords even if the user has set up a master password, a software developer claims.

According to Wladimir Palant, author of the popular Adblock Plus extension, the password manager in Firefox and Thunderbird needs some major improvements in terms of security. The manager can spill out passwords in less than a minute, he says.

The issue, Palant claims, resides in the manner in which the manager converts a password into an encryption key. The operation is performed by the sftkdb_passwordToKey() function, which applies SHA-1 hashing to a string consisting of a random salt and the actual master password.

In the current implementation, the SHA-1 function has a very low iteration count of 1, meaning that it falls way behind what’s considered a minimum value in practice, namely 10,000. In fact, an iteration count of at least 1,000 was considered “modest” decades ago.

Because of that, recovering encrypted passwords via brute force attacks is not difficult at all, Palant says. In fact, he underlines that graphics processing units (GPUs) are great at calculating SHA-1 hashes. With some of them capable of calculating billions of SHA-1 hashes per second, it would not take more than a minute to crack the passwords encrypted and stored in Firefox.

This NSS bug was first reported about nine years ago, but remains unpatched. And it wouldn’t even be that difficult to address the issue, the developer says.

“NSS library implements PBKDF2 algorithm which would slow down bruteforcing attacks considerably if used with at least 100,000 iterations. Of course, it would be nice to see NSS implement a more resilient algorithm like Argon2 but that’s wishful thinking seeing a fundamental bug that didn’t find an owner in nine years,” Palant notes.

Robert Relyea, who has worked for over 20 years on NSS, notes that, while the iteration count could be increased, it would not affect the security of old databases, which would remain readable. Only changing the master password (even to the same password) for them would also increase the iteration count.

The issue was thought resolved in PKCS #12, but it wasn’t fixed for the NSS database password (Firefox Master Password) too. Thus, Relyea reopened the bug, so it could be properly addressed.

Mozilla is also working on a new password manager component for Firefox. Dubbed Lockbox and available as an extension, it might not solve the issue either, Palant says, pointing out that it relies on Firefox Accounts, which could prevent wide adoption.

Even if this issue still exists in Firefox, setting up a master password for Firefox’ manager is still better than using none. Of course, using a password manager that isn’t impacted by such bugs is even better, although cracking firms would say that the security of such tools is debatable.


AMD Chip Flaws Confirmed by More Researchers
21.3.2018 securityweek
Vulnerebility

Another cybersecurity firm has independently confirmed some of the AMD processor vulnerabilities discovered by Israel-based CTS Labs, but the controversial disclosure has not had a significant impact on the value of the chip giant’s stock.

CTS Labs last week published a brief description of 13 allegedly critical vulnerabilities and backdoors found in EPYC and Ryzen processors from AMD. The company says the flaws can be exploited for arbitrary code execution, bypassing security features (e.g. Windows Defender Credential Guard, Secure Boot), stealing data, helping malware become resilient against security products, and damaging hardware.

The flaws have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA, and exploiting them requires elevated privileges to the targeted machine — physical access is not required. The security firm will not disclose technical details any time soon in order to prevent abuse.

CTS Labs, which no one heard of until last week, came under fire shortly after its disclosure for giving AMD only a 24-hour notice before going public with its findings, and for apparently attempting to short AMD stock. The company later made some clarifications regarding the flaws and its disclosure method.

While initially many doubted CTS Labs’ claims due to the lack of technical information, an increasing number of independent researchers have confirmed that the vulnerabilities do in fact exist. Nevertheless, there are still many industry professionals who believe their severity has been greatly exaggerated.

Trail of Bits was the first to independently review the findings. The company, which has been paid for its services, has confirmed that the proof-of-concept (PoC) exploits developed by CTS Labs work as intended, but believes that there is “no immediate risk of exploitation of these vulnerabilities for most users.”

“Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers,” Trail of Bits said in a blog post.

On Monday, Check Point also confirmed two of the RYZENFALL vulnerabilities following its own review. The security firm says it does not have any relationship with CTS Labs and it has not received any payment for its services. It also noted that it does not agree with the way CTS disclosed its findings, describing it as “very irresponsible.”

“In our opinion the original CTS Labs report might have been problematically phrased in a way that misrepresented the threat model and impact that the RYZENFALL-1 and RYZENFALL-3 vulnerabilities present,” Check Point said in a blog post. “However, problematic phrasing aside, after inspecting the technical details of the above, we can indeed verify that these are valid vulnerabilities and the risks they pose should be taken under consideration.”

Alex Ionescu, a reputable researcher and Windows security expert, also confirmed the findings and warned that “admin-level access and persistence are legitimate threats in multi-tenant IaaS and even things such as VTL0/1 (Credential Guard) when firmware and chipset trust boundaries are broken.”

AMD is investigating the claims, but it has yet to make any statement regarding the impact of the flaws.

Less than an hour after CTS Labs released its report, a controversial company named Viceroy Research published what it described as an “obituary” in hopes of leveraging the findings to short AMD stock. Since CTS’s report also included a disclaimer noting that the company had a financial interest, many assumed the two were working together to short AMD.

While CTS has avoided answering questions regarding its financial interests, Viceroy representatives told Vice’s Motherboard that the company obtained the report describing the vulnerabilities from an “anonymous tipster” and claimed to have no connection to the security firm.

Viceroy’s attempt has had an insignificant impact on AMD stock and experts doubt the situation will change. This is not actually surprising considering that Intel was hit the hardest by Meltdown and Spectre — critical vulnerabilities disclosed by reputable researchers — and still the impact on the company’s stock has been only minor and temporary.


Facebook Rocked by Data breach Scandal as Investigations Loom
21.3.2018 securityweek
Social

[UPDATE] Facebook shares plunged Monday as the social media giant was pounded by criticism at home and abroad over revelations that a firm working for Donald Trump's presidential campaign harvested and misused data on 50 million members.

Calls for investigations came on both sides of the Atlantic after Facebook responded to explosive reports of misuse of its data by suspending the account of Cambridge Analytica, a British firm hired by Trump's 2016 campaign.

Democratic Senator Amy Klobuchar and Republican John Kennedy called for Facebook chief Mark Zuckerberg to appear before Congress, along with Google and Twitter's CEOs.

The lawmakers said the companies "have amassed unprecedented amounts of personal data" and that the lack of oversight "raises concerns about the integrity of American elections as well as privacy rights."

Facebook's chief of security Alex Stamos said his role has shifted to focusing on emerging risks and election security at the global social network.

Stamos revealed the change after The New York Times reported that he was leaving Facebook in the wake of internal clashes over how to deal with the platform being used to spread misinformation.

"Despite the rumors, I'm still fully engaged with my work at Facebook," Stamos said in a message posted on his verified Twitter account.

"It's true that my role did change. I'm currently spending more time exploring emerging security risks and working on election security."

Stamos advocated investigating and revealing manipulation of news at the social network by Russian entities, to the chagrin of other top executives, the Times reported, citing unnamed current and former employees.

- Profiles weaponized? -

Senator Ron Wyden asked Facebook to provide more information on what he called a "troubling" misuse of private data that could have been used to sway voters.

Wyden said he wants to know how Cambridge Analytica used Facebook tools "to weaponize detailed psychological profiles against tens of millions of Americans."

In Europe, officials voiced similar outrage.

Vera Jourova, the European commissioner for justice, consumers and gender equality, called the revelations "horrifying, if confirmed," and vowed to address concerns in the United States this week.

According to a joint investigation by The New York Times and Britain's Observer, Cambridge Analytica was able to create psychological profiles on 50 million Facebook users through the use of a personality prediction app that was downloaded by 270,000 people, but also scooped up data from friends.

Cambridge Analytica denied misusing Facebook data for the Trump campaign.

Elizabeth Denham, Britain's Information Commissioner who regulates the sector in the country, announced her office would seek a court warrant on Tuesday to search Cambridge Analytica's computer servers.

She said the company had been "uncooperative" to requests for access to its records and missed a Monday deadline stipulated.

Meanwhile, Facebook said it has hired a digital forensics firm to examine how the data leak occurred and to ensure that any data collected had been destroyed.

Facebook shares skidded 6.8 percent by the close of the Nasdaq on concerns about pressure for new regulations that could hurt its business model.

Shares slipped another percent or so to $170 in after-market trades.

The sell-off spread to other technology giants on Wall Street including Apple, Google-parent Alphabet and Netflix. Asian markets extended the losses, with Tokyo-listed Sony down, Samsung falling in Seoul and Tencent retreating in Hong Kong.

'Self-regulation not working'

Jennifer Grygiel, a Syracuse University professor who studies social media, said the disclosures will increase pressure to regulate Facebook and other social media firms, already under scrutiny for allowing disinformation from Russian-directed sources to propagate.

"Self-regulation is not working," Grygiel said.

Daniel Kreiss, a professor of media and communications at the University of North Carolina, said Facebook failed to live up to its responsibilities on election ads.

"The fact that Facebook seems to make no distinction between selling sneakers and selling a presidential platform is a deep problem," Kreiss said.

Brian Wieser at Pivotal Research maintained that the revelations highlight "systemic problems at Facebook," but that they won't immediately impact the social network's revenues.

David Carroll, a media professor at the Parsons School of Design, said Facebook and others will soon be forced to live with new privacy rules such as those set to take effect in the European Union.

"Facebook and Google will have to ask users a lot more permission to track them," Carroll said. "Most people are going to say no, so I think it's going to have a huge impact on these companies."

Carroll has filed a legal action in Britain calling on Cambridge Analytica to disclose what data was gathered and used on him.

An undercover investigation of Cambridge Analytica by Britain's Channel 4 said executives boasted they could entrap politicians in compromising situations with bribes and Ukrainian sex workers, and spread misinformation online.

The executives claimed to have worked in more 200 elections across the world, including Argentina, the Czech Republic, India, Kenya and Nigeria.

The British firm said it "strongly denies" the claims from Channel 4 as well as reports on misuse of Facebook data.

"Facebook data was not used by Cambridge Analytica as part of the services it provided to the Donald Trump presidential campaign," a statement read.


Frost Bank Says Data Breach Exposed Check Images
21.3.2018 securityweek Incindent

Frost Bank, a subsidiary of Cullen/Frost Bankers, Inc., announced on Friday that it discovered the unauthorized access to images of checks stored electronically.

According to the company, it discovered last week that a third-party lockbox software program had been compromised, resulting in unauthorized users being able to view and copy images of checks stored electronically in the image archive. Frost Bank systems weren’t impacted in the incident, Frost says.

Customers can use lockbox services to send payments to a central post office box. The bank receives the payments and credits them directly to a business’s account.

The information that was accessed as part of the incident could be used to forge checks, the company says.

The company says it stopped the identified unauthorized access immediately after discovering it, and that it also launched an investigation into the matter. Frost says it is working with an unnamed cybersecurity firm to investigate the incident and that the law-enforcement authorities have been informed as well.

“At Frost, we care deeply about taking care of our customers and protecting their information, and we regret that this situation has occurred. We are working very hard to make things right,” Frost Chairman and CEO Phil Green said in a statement.

According to the company, the unauthorized access was limited to a software program serving around 470 commercial customers using the electronic lockbox. The fraction of impacted Frost customer base might experience forgeries on accounts or could be informed of compromised check images.


Facebook Security Chief Changes Role to Focus on Election Fraud
21.3.2018 securityweek
Social

Facebook's chief of security late Monday said his role has shifted to focusing on emerging risks and election security at the global social network, which is under fire for letting its platform be used to spread bogus news and manipulate voters.

Alex Stamos revealed the change in his role at work after a New York Times report that he was leaving Facebook in the wake of internal clashes over how to deal with the platform being used to spread misinformation.

"Despite the rumors, I'm still fully engaged with my work at Facebook," Stamos said in a message posted at his verified Twitter account.

"It's true that my role did change. I'm currently spending more time exploring emerging security risks and working on election security."

Stamos advocated investigating and revealing manipulation of news at the social network by Russian entities, to the chagrin of chief operating officer Sheryl Sandberg and other top executives, the Times reported, citing unnamed current and former employees.

Stamos reportedly decided in December he was done with Facebook, but remained at the social network as part of a plan to smoothly hand his job off to a successor. Neither Facebook nor Stamos directly commented on how long he intended to remain at the company, referring to his tweet in response to queries.

Word from Stamos came as the California-based social media giant faced an onslaught of criticism at home and abroad over revelations that a firm working for Donald Trump's presidential campaign harvested and misused data on 50 million members.

Calls for investigations came on both sides of the Atlantic after Facebook responded to the explosive reports of misuse of its data by suspending the account of Cambridge Analytica, a British firm hired by Trump's 2016 campaign.

Vera Jourova, the European commissioner for justice, consumers and gender equality, called the revelations "horrifying, if confirmed," and vowed to address concerns in the United States this week.

In Britain, parliamentary committee chair Damian Collins said both Cambridge Analytica and Facebook had questions to answer.

According to a joint investigation by the Times and Britain's Observer, Cambridge Analytica was able to create psychological profiles on 50 million Facebook users through a personality prediction app downloaded by 270,000 people, but also scooped up data from friends.

A Cambridge Analytica statement denied misusing Facebook data for the Trump campaign.

Facebook said it had hired a digital forensics firm to examine how the data leak occurred and to ensure that any data collected had been destroyed.

An undercover investigation of Cambridge Analytica by Britain's Channel 4 found executives boasted they could entrap politicians in compromising situations with bribes and Ukrainian sex workers, and spread misinformation online.

The executives claimed to have worked in more 200 elections across the world, including Argentina, the Czech Republic, India, Kenya and Nigeria. The British firm said it "strongly denies" the claims from Channel 4 as well as reports on misuse of Facebook data.


Coverity Scan Hacked, Abused for Cryptocurrency Mining
21.3.2018 securityweek Cryptocurrency

Coverity Scan, a free service used by tens of thousands of developers to find and fix bugs in their open source projects, was suspended in February after hackers breached some of its servers and abused them for cryptocurrency mining.

Synopsys, which acquired Coverity in 2014, started notifying Coverity Scan users about the breach on Friday. The company said malicious actors gained access to Coverity Scan systems sometime in February.

“We suspect that the access was to utilize our computing power for cryptocurrency mining,” Synopsys told users. “We have not found evidence that database files or artifacts uploaded by the open source community users of the Coverity Scan service were accessed. We retained a well-known computer forensics company to assist us in our investigation.”

Synopsys says the service is now back online and it believes the point of access leveraged by the attackers has been closed. In order to regain access to Coverity Scan, users will need to reset their passwords.

“Please note that the servers in question were not connected to any other Synopsys computer networks. This should have no impact on customers of our commercial products, and this event did not put any Synopsys corporate data or intellectual property at risk,” users were told.

Cybercriminals have become increasingly interested in making a profit by hacking PCs and servers and abusing them to mine cryptocurrencies. Cryptocurrency mining malware can target a wide range of devices, including industrial systems.

One recent high-profile victim was the carmaker Tesla, whose Kubernetes pods were compromised and used for cryptocurrency mining. According to RedLock, which discovered the breach, hackers gained access to Tesla’s Kubernetes console due to the lack of password protection.


Telegram Must Give FSB Encryption Keys: Russian Court
21.3.2018 securityweek BigBrothers 

Moscow - Russia's Supreme Court on Tuesday ruled the popular Telegram messenger app must provide the country's security services with encryption keys to read users' messaging data, agencies reported.

Media watchdog Roskomnadzor instructed Telegram to "provide the FSB with the necessary information to decode electronic messages received, transmitted, or being sent" within 15 days, it said on its website.

Telegram had appealed against an earlier ruling that it must share this information, but this appeal was rejected on Tuesday.

If it does not provide the keys it could be blocked in Russia.

The free instant messaging app, which lets people exchange messages, photos and videos in groups of up to 5,000 people, has attracted more than 100 million users since its launch in 2013.

Telegram's self-exiled Russian founder Pavel Durov said in September 2017 the FSB had demanded backdoor access.

When Telegram did not provide the encryption keys, the FSB launched a formal complaint.

Durov wrote last year that the FSB's demands are "technically impossible to carry out" and violate the Russian Constitution which entitles citizens to privacy of correspondence.

Tuesday's ruling is the latest move in a dispute between Telegram and the Russian authorities as Moscow pushes to increase surveillance of internet activities.

Last June, Russia's state communications watchdog threatened to ban the app for failing to provide registration documents. Although Telegram later registered, it stopped short of agreeing to its data storage demands.

Companies on the register must provide the FSB with information on user interactions.

From this year they must also store all the data of Russian users inside the country, according to controversial anti-terror legislation passed in 2016 which was decried by internet companies and the opposition.


Oil and Gas Sector in Middle East Hit by Serious Security Incidents
21.3.2018 securityweek Incindent

Many oil and gas companies in the Middle East reported suffering at least one serious security incident in the past year, according to a study conducted by Ponemon Institute on behalf of German industrial giant Siemens.

Nearly 200 individuals responsible for overseeing cybersecurity risk in oil and gas companies in the Middle East have taken part in the study and the results show that many organizations are unprepared to address the risks faced by their operational technology (OT) networks.

According to Siemens, three-quarters of respondents said their organizations had suffered at least one security incident that resulted in disruption to operations in their OT environment or loss of confidential information in the past 12 months. Eleven percent of respondents said they had experienced more than 10 OT network intrusions, and nearly half believe they may not be aware of all breaches.Oil and gas industry in Middle East not prepared for cyberattacks

Roughly two-thirds of the individuals who took part in the survey believe the risk of attacks on industrial control systems (ICS) has increased considerably over the past few years, and 60 percent say there is a greater risk to OT environments compared to IT.

Outdated and ageing control systems pose a serious risk, according to 42 percent of respondents. The areas most at risk in Middle Eastern oil and gas companies are believed to be exploratory information, production information, potential partners, financial and organizational reports, operational data, information on drilling sites, and field production data collected by sensors.

While insider threats are the main concern, only 21 percent of respondents are concerned about malicious insiders, while 68 percent are more worried about the cybersecurity impact of careless employees.

Companies appear aware of the risks, but many of them are not prepared to deal with them. Less than half of respondents say they continually monitor their entire infrastructure, and only a quarter are confident in their ability to address security risks and allocate the resources necessary for addressing them. On average, companies have allocated only a third of their cybersecurity budget to protecting OT environments, the report shows.

Siemens says many organizations are still attempting to air gap their ICS environments in an effort to mitigate threats, but only 39 percent plan on hardening endpoints, and 20 percent plan on adopting analytics solutions over the next year.

Cyberattacks on oil and gas and petrochemical companies can have a devastating impact. Researchers discovered recently a piece of malware that leveraged a zero-day vulnerability in Schneider Electric’s Triconex Safety Instrumented System (SIS). The attack is said to have targeted a petrochemical company in Saudi Arabia and one of the main suspects is Iran. According to some reports, the attackers may have been trying to trigger a deadly explosion at the targeted plant.


XM Cyber Unveils Automated Purple-Teaming at Speed and Scale
21.3.2018 securityweek APT

Israeli Cybersecurity Startup Launches Automated Advanced Persistent Threat (APT) Simulation Platform

Penetration testing is the most effective method of testing whether existing security policy stands up against advanced attackers, but it doesn't scale well to large, dynamic networks, and only provides a single conclusion at a specific point in time. The solution is clearly automation.

XM Cyber is an Israeli firm founded in 2016. Its three co-founders are Tamir Pardo (formerly head of Mossad); Boaz Gorodissky (formerly head of technology for the government of Israel); and Noam Erez (who spent 25 years in Israeli intelligence). Its headquarters are in Israel, but with a presence in the U.S. and Australia. It has customers in Israel, the U.S. and Europe.

Its primary product, an automated APT simulation platform called HaXM, is unveiled today. The product simulates the possible behavior of an attacker in order to locate potential weaknesses on the system; and then, using the data gathered, provides recommendations for the remediation of those weaknesses. In this manner it provides automated red teaming with blue teaming to produce purple teaming at speed, continuously, and at scale.

"The problem we solve," VP of Product Adi Ashkenazy told SecurityWeek, "is that when you look at modern organizations and you see the kind of security stack they have in place, you have to wonder if they are actually securing their critical assets. This is something the companies ask themselves as well. They spend a lot of money on different products and vendors; but at the end of the day, if you ask them, 'are your critical assets secure?', they may have hope and some belief, but they have no concrete evidence to support the idea."

Manual penetration testing to prove the hypothesis of security, he continued, makes no sense for the modern organization that may have tens of thousands of endpoints, and hundreds of subsystems; and is continuously evolving and changing.

"This is why we founded XM Cyber," commented Noam Erez: "to equip enterprises with a continuous 360-degree view of which critical assets are at risk, what security issues they should focus on, and how best to harness their resources to resolve them."

HaXM places sensors only on 'endpoints of interest'. "We don't have to map the entire network," said Ashkenazy. "We deploy our sensors on the endpoints of interest within the infrastructure that hackers are able or likely to use. We try to be almost religious in the way we mimic attacks -- we don't put sensors on every endpoint."

Nor does HaXM start with any preconceived idea of a potential attack. "We don't define the attack vectors in advance," he said. "We act like a virtual hacker. We start from points of likely breach -- which could be internet-facing servers, for example; or endpoints that receive external email. We place our virtual hacker in those starting points with a tool box that mimics the capabilities of an advanced attacker; and from that moment on the virtual hacker mimics the steps taken by a real hacker trying to find his way to critical assets. We never know in advance what will be found, but so far the virtual hacker has always eventually managed to compromise the entire network."

This is HaXM's simulation mode, where great care is taken not to trigger any alarms from the customer's existing security stack. It checks for the conditions that could be used by an attacker. "This is what we use for 24/7 testing. But we also have a validation mode," added Ashkenazy. "When you switch to validation mode, this is not continuous, but is a controlled mode, where you specify when and where you want to actually test a specific attack vector -- and then we conduct the malicious activities to their full extent so that you can check the security stack in its entirety."

HaXM provides a visualization of the route an aggressor can take from initial entry point on a network to the company's critical assets. In doing this, it definitively presents the existence or absence of sufficient security, highlighting if and where additional security is necessary. While many security products seek to find indications of actual compromise after an initial breach, XM Cyber's approach is to find routes of potential compromise irrespective of an existing breach. It will not locate an attacker; but it will tell the customer what an attacker could achieve.

XM Cyber has offices in Herzliya, Israel; New York; and Sydney, Australia. It has raised $15 million as initial funding in its first two years. The product will be demonstrated at the RSA Conference in San Francisco, California in April 16-19, 2018.


Apple Addresses HSTS User Tracking in WebKit
21.3.2018 securityweek Apple

Apple has added new protections to the WebKit framework to prevent possible abuse of the HTTP Strict Transport Security (HSTS) security standard to track users.

HSTS offers a mechanism through which web sites declare themselves accessible only via secure connections and direct browsers to where that secure version resides. Basically, when a user attempts to connect to the insecure version of a website, HSTS forces the browser to go to the HTTPS version of the site instead.

“This is a great feature that prevents a simple error from placing users in a dangerous state, such as performing financial transactions over an unauthenticated connection,” WebKit software engineer Brent Fulgham points out.

However, because HSTS tells web browsers to remember when redirected to a secure location and to automatically go there in the future, a “super cookie” can be created, and it can be read by cross-site trackers, Fulgham says.

An attacker could leverage the user’s HSTS cache to store one bit of information on the device. Through registering a large number of domains and forcing the loading of resources from controlled subset of domains, the attacker “can create a large enough vector of bits to uniquely represent each site visitor.”

The issue is described in the HSTS specs: “it is possible for those who control one or more HSTS Hosts to encode information into domain names they control and cause such UAs to cache this information as a matter of course in the process of noting the HSTS Host. This information can be retrieved by other hosts through cleverly constructed and loaded web resources, causing the UA to send queries to (variations of) the encoded domain names.”

According to Fulgham, mitigating such tracking attacks isn’t easy, as it requires balancing security and privacy goals. However, because the privacy risks of HSTS have been presented only as a theoretical tracking vector but evidence of actual malicious abuse of the protocol hasn’t been provided yet, browsers would honour all HSTS instructions provided by sites.

The engineer also reveals that Apple recently became aware that this theoretical attack has started being deployed against Safari users. This prompted the tech giant to create a solution to both protect secure web traffic and mitigate tracking.

Because the HSTS exploit requires creating an initial tracking identifier and then reading it, Apple proposes mitigations for both sides of the attack.

On the one hand, Apple revised the network stack to only permit HSTS state to be set for the loaded hostname or the Top Level Domain + 1. Thus, trackers can no longer efficiently set HSTS across large numbers of different bits, but need to individually visit each domain that has an active bit in the tracking identifier. WebKit also caps the number of redirects that can be chained together, thus limiting the number of bits that can be set.

On the other hand, Apple also modified WebKit to ignore HSTS upgrade requests (and use the original URL) when dynamic HSTS results in an insecure third-party subresource loaded from a domain with blocked cookies being upgraded to an authenticated connection.

“Telemetry gathered during internal regression testing, our public seeds, and the final public software release indicates that the two mitigations described above successfully prevented the creation and reading of HSTS super cookies while not regressing the security goals of first party content. We believe them to be consistent with best practices, and to maintain the important security protections provided by HSTS,” Fulgham concludes.


Orbitz Data Breach Impacts 880,000 Payment Cards
21.3.2018 securityweek Incindent

Expedia-owned travel website Orbitz announced on Tuesday that it has discovered and addressed a data security incident affecting hundreds of thousands of users.

In a statement provided to SecurityWeek and other news websites, Orbitz revealed that malicious actors apparently gained access to a legacy platform between October 1 and December 22, 2017. The attackers may have stolen personal and financial data from this platform, which stored both consumer and business partner information.

The breach was discovered on March 1 following an investigation conducted by Orbitz. The company said in contracted forensic investigation and other cybersecurity experts to help it analyze the incident and eliminate vulnerabilities. Law enforcement has also been notified.

Orbitz has highlighted that the hackers targeted a legacy platform and there is no evidence that the current Orbitz.com website is affected.

The investigation showed that the attackers may have accessed personal information submitted by consumers who made certain purchases between January 1 and June 22, 2016. Information on Orbitz partners who made purchases between January 1, 2016 and December 22, 2017 may have also been stolen.

The exposed information includes full name, gender, date of birth, phone number, email address, physical and billing address, and payment card data. The company said the breach impacted roughly 880,000 payment cards.

There is no evidence that passport and travel itinerary information has been compromised, and Orbitz does not store social security numbers (SSNs) for customers in the United States.

“We are working quickly to notify impacted customers and partners. We are offering affected individuals one year of complimentary credit monitoring and identity protection service in countries where available. Additionally, we are providing partners with complimentary customer notice support for partners to inform their customers, if necessary,” Orbitz stated.

“Anyone who is notified is encouraged to carefully review and monitor their payment card account statements and contact their financial institution or call the number on the back of their card if they suspect that their payment card may have been misused,” the company added.

Potentially impacted customers can obtain more information by calling 1-855-828-3959 (toll-free in the U.S.) or 1-512-201-2214 (international), or by visiting orbitz.allclearid.com.

Orbitz.com is used by millions of people to search for and book hotels, flights, cruises, cars and other vacation-related activities. The company was acquired by Expedia in 2015 for $1.6 billion.


Online Sandbox Services Used to Exfiltrate Data: Researcher
21.3.2018 securityweek
Virus

Attackers can use online sandbox services to exfiltrate data from an isolated network, a SafeBreach security researcher has discovered.

The new research is based on the discovery that cloud anti-virus programs can be exploited for data pilfering. Last year, SafeBreach Labs’ Itzik Kotler and Amit Klein demonstrated proof-of-concept (PoC) malware abusing this exfiltration method, and said it would work even on endpoints that have no direct Internet connection.

The technique, the researchers revealed, relied on packing data inside an executable created by the main malware process on the compromised endpoint. Thus, if the anti-virus program on the endpoint uploads the executable to the cloud for further inspection, data is exfiltrated even if the file is executed in an Internet connected sandbox.

Now, SafeBreach security researcher Dor Azouri says that online sandbox services can be used for the same purposes and in similar circumstances. However, the researcher notes in a report (PDF) that an attacker using this method would need technical knowledge about their target network.

Unlike the previous technique, the new one doesn’t rely on code that can actively communicate out of the sandbox, but uses the sandbox service database itself as an intermediary for transferring data. The attack method does require incorporating the desired data into an executable and retrieving it by querying the sandbox service’s databases.

The attack starts with malware infecting the endpoint, gathering sensitive information from the machine, and packing it inside a file that is written to disk and executed to trigger the anti-virus agent. Next, a sandbox site is used to inspect the file by executing it, and the analysis results are saved in the site’s database. Finally, the attackers use the site’s API to grab the file.

Unlike last year’s method, the new one does not require the created executable to emit outbound network traffic for data exfiltration. Moreover, it makes the attacker less visible and more difficult to track, given that they gather the data passively from the sandbox service database.

However, the new technique can only be used in networks where suspicious samples are sent to an online sandbox engine, and also requires the attacker to know which kind of sandbox service the organization is using. Furthermore, although hidden, the exfiltraded data remains public in the service’s online databases.

The attack can be used for data exfiltration when the target organization sends suspicious files to VirusTotal for analysis, the security researcher says. The service requires a subscription to access information about the analysed files, but an attacker could find the exact executable they are looking for in the database.

The researcher presents a couple of manners in which the attack can be performed, namely Magic String using spacebin (where the attackers could both encode and encrypt the data to be exfiltrated) and the embedding of data inside well-known malware.

“Public sandbox services that allow both upload and search capabilities may be used as a means for data exfiltration. The database for these services is an intermediary for transferring hidden data from a source machine to an attacker who is looking for the expected data. Many permutations of this exfiltration model may be created - each features a different stealth level, ease of implementation, accuracy, capacity etc. We only demonstrated a couple of them,” Azouri concludes.


Virsec Raises $24 Million in Series B Funding
21.3.2018 securityweek IT

Virsec, a cybersecurity company that protects applications from various attacks, today announced that it has closed a $24 million Series B funding round led by tech investment firm BlueIO.

This latest funding round brings the total amount raised to-date by the company to $32 million. The company previously raised $1 million in seed funding and $7 million in a Series A funding round.

Virsec explains that its technology can protect applications by protecting processes in memory and pinpointing attacks in real-time, within any application. In more detail, the company explains that its Trusted Execution technology “maps acceptable application execution, and instantly detects deviations caused by attacks.”

“The battleground has shifted in cybersecurity and the industry is not keeping up,” said Atiq Raza, CEO of San Jose, California-based Virsec. “With our deep understanding of process memory, control flow, and application context, we have developed a revolutionary solution that stops attacks in their tracks, where businesses are most vulnerable – within applications and processes.”

Additional investors participating in the round include Artiman Ventures, Amity Ventures, Raj Singh, and Boston Seed Capital.


AMD Says Patches Coming Soon for Chip Vulnerabilities
21.3.2018 securityweek
Vulnerebility

AMD Chip Vulnerabilities to be Addressed Through BIOS Updates - No Performance Impact Expected

After investigating recent claims from a security firm that its processors are affected by more than a dozen serious vulnerabilities, chipmaker Advanced Micro Devices (AMD) on Tuesday said patches are coming to address several security flaws in its chips.

In its first public update after the surprise disclosure of the vulnerabilities by Israeli-based security firm CTS Labs, AMD said the issues are associated with the firmware managing the embedded security control processor in some of its products (AMD Secure Processor) and the chipset used in some socket AM4 and socket TR4 desktop platforms supporting AMD processors.

Vulnerabilities found in Ryzen and other AMD processors

CTS Labs, which was unheard of until last week, came under fire shortly after its disclosure for giving AMD only a 24-hour notice before going public with its findings, and for apparently attempting to short AMD stock. The company later made some clarifications regarding the flaws and its disclosure method.

CTS Labs claimed that a number of vulnerabilities could be exploited for arbitrary code execution, bypassing security features, stealing data, helping malware become resilient against security products, and damaging hardware.

“AMD has rapidly completed its assessment and is in the process of developing and staging the deployment of mitigations,” the chipmaker wrote in an update on Tuesday. “It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings.”

AMD said that patches will be released through BIOS updates to address the flaws, which have been dubbed MASTERKEY, RYZENFALL, FALLOUT and CHIMERA. The company said that no performance impact is expected for any of the forthcoming mitigations.

AMD attempted to downplay the risks, saying that any attacker gaining administrative access could have a wide range of attacks at their disposal “well beyond the exploits identified in this research.”

“Further, all modern operating systems and enterprise-quality hypervisors today have many effective security controls, such as Microsoft Windows Credential Guard in the Windows environment, in place to prevent unauthorized administrative access that would need to be overcome in order to affect these security issues,” the notice continued.

AMD also linked to a blog post from Trail of Bits, which was the first to independently review the findings from CTS. The company, which has been paid for its services, confirmed that the proof-of-concept (PoC) exploits developed by CTS Labs work as intended, but believes that there is “no immediate risk of exploitation of these vulnerabilities for most users.”

“Even if the full details were published today, attackers would need to invest significant development efforts to build attack tools that utilize these vulnerabilities. This level of effort is beyond the reach of most attackers,” Trail of Bits added.

Check Point has also confirmed two of the RYZENFALL vulnerabilities following its own review. The security firm says it does not have any relationship with CTS Labs and it has not received any payment for its services. It also noted that it does not agree with the way CTS disclosed its findings, describing it as “very irresponsible.”

Alex Ionescu, a reputable researcher and Windows security expert, also confirmed the findings and warned that “admin-level access and persistence are legitimate threats in multi-tenant IaaS and even things such as VTL0/1 (Credential Guard) when firmware and chipset trust boundaries are broken.”

“This company was previously unknown to AMD and we find it unusual for a security firm to publish its research to the press without providing a reasonable amount of time for the company to investigate and address its findings,” AMD stated last week.

Some have compared the recent AMD vulnerabilities to Meltdown and Spectre, which impact CPUs from Intel, AMD, ARM and others. However, some argued that the issues disclosed by CTS Labs are nowhere near as severe due to the fact that they mostly impact AMD’s Secure Processor technology rather than the hardware itself.

AMD did not provide specific dates that patches are expected to be released, but said it would provide additional updates on both its analysis of the issues and the related mitigation plans in the coming weeks.


U.S. Military Should Step Up Cyber Ops: General
21.3.2018 securityweek BigBrothers

Washington - US efforts to conduct offensive and defensive operations in cyberspace are falling short, a top general warned Tuesday amid ongoing revelations about Russian hacking.

General John Hyten, who leads US Strategic Command (STRATCOM), told lawmakers the US has "not gone nearly far enough" in the cyber domain, also noting that the military still lacks clear rules of cyber engagement.

"We have to go much further in treating cyberspace as an operational domain," Hyten told the Senate Armed Services Committee.

"Cyberspace needs to be looked at as a warfighting domain, and if somebody threatens us in cyberspace we need to have the authorities to respond."

Hyten noted, however, that the US had made some progress in conducting cyber attacks on enemies in the Middle East, such as the Islamic State group.

His testimony comes weeks after General Curtis Scaparrotti, commander of NATO forces in Europe, warned that US government agencies are not coordinating efforts to counter the cyber threat from Russia, even as Moscow conducts a "campaign of destabilization."

And last month, Admiral Michael Rogers, who heads both the NSA -- the leading US electronic eavesdropping agency -- and the new US Cyber Command, said President Donald Trump had not yet ordered his spy chiefs to retaliate against Russian interference in US elections.

The US has accused Russia of actively interfering in the 2016 presidential election, stealing Democratic party communications and pushing out disinformation through social media.

It also accuses Moscow of stealing hacking secrets of the US intelligence community -- while US cyber security investigators have accused the Russian government of a sustained effort to take control of critical US infrastructure systems including the energy grid.

Hyten added the military needs clear authorities and rules of engagement so operators know when and how to respond to attacks.

"We need to have specific rules of engagement in cyber that match the other domains that we operate in," Hyten said.

"We need to delegate that authority all the way down so we can deal with threats that exist that challenge the United States."


'Slingshot' Campaign Outed by Kaspersky is U.S. Operation Targeting Terrorists: Report
21.3.2018 securityweek CyberSpy

The Slingshot cyber espionage campaign exposed recently by Kaspersky Lab is a U.S. government operation targeting members of terrorist organizations, according to a media report.

Earlier this month, Kaspersky published a report detailing the activities of a threat actor targeting entities in the Middle East and Africa — sometimes by hacking into their Mikrotik routers. The group is believed to have been active since at least 2012 and its members appear to speak English, the security firm said.

The main piece of malware used by the group has been dubbed Slingshot based on internal strings found by researchers. Kaspersky identified roughly 100 individuals and organizations targeted with the Slingshot malware, mainly in Kenya and Yemen, but also in Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania.

CyberScoop claims to have learned from unnamed current and former U.S. intelligence officials that Slingshot is actually an operation of the U.S. military’s Joint Special Operations Command (JSOC), a component of Special Operations Command (SOCOM), aimed at members of terrorist organizations such as ISIS and al-Qaeda. SOCOM is well known for its counterterrorism operations, which can sometimes include a cyber component.

CyberScoop’s sources expressed concern that the exposure of the campaign may result in the U.S. losing a valuable surveillance program and it could even put the lives of soldiers at risk. The Slingshot infrastructure was likely already abandoned and “burned” following the disclosure, one former intelligence official told the publication.

Kaspersky has always insisted that its role is to protect customers against cyber threats, regardless of the source of an attack. The company typically refrains from attributing attacks, but it has exposed operations believed to be linked to Russia, China, the United States and others.

In the case of Slingshot, Kaspersky has not directly attributed the campaign to the United States, but it did note that the hackers appear to speak English. The company also pointed out that some of the techniques used by this actor are similar to ones leveraged by a group known as Longhorn and The Lamberts, which is believed to be associated with the U.S. Central Intelligence Agency (CIA).

It’s also worth noting that the WikiLeaks Vault7 files, which are believed to be tools developed and used by the CIA, describe a Mikrotik router exploit, although it is unclear if it’s the one used in Slingshot attacks.

Another clue that shows a potential connection between Slingshot and U.S. intelligence is the use of tools and code strings referencing “Lord of the Rings” characters, including Gollum, which is also the name of an implant referenced in NSA documents leaked by Edward Snowden.

Kaspersky’s products were recently banned in U.S. federal agencies due to the company’s alleged ties to Russian intelligence. The security firm has denied the accusations and it has taken legal action in hopes of overturning the ban.

If Slingshot really is a U.S. government operation, Kaspersky's disclosure of the campaign will likely not help its case. One senior U.S. intelligence official told CyberScoop it was unlikely that Kaspersky had been totally unaware of what it was dealing with. CyberScoop cited a source close to Kaspersky saying that researchers may have suspected a Five Eyes nation, but they couldn’t have known for sure.

“Kaspersky Lab does not know the identity of the attackers behind the Slingshot APT or the identity of its victims. As a result of anonymized data, it's impossible for us to tell who the specific targets are. All the company can state is that our users are protected against malicious software that can spy, steal or sabotage data from their computers,” Kaspersky Lab told SecurityWeek in an emailed statement.

“Kaspersky Lab has always been very clear about our policy concerning the detection of malware: we detect and remediate all forms of malicious programs, regardless of origin or purpose. Furthermore, the company does not 'whitelist' any malware samples, not even malware used for so called 'legal surveillance'. One can easily imagine the situation in which such malware falls into the wrong hands and can be used to launch attacks against law enforcement or just regular users,” the company added.

One of the incidents that led officials to believe Kaspersky may be linked to the Kremlin involved an NSA contractor from which Russian hackers allegedly stole information on how the U.S. penetrates foreign networks and how it defends against cyberattacks. Kaspersky’s analysis showed that its antivirus product did automatically upload some files related to the NSA-linked Equation Group from a user’s computer, but the company said the files were deleted from its systems after it noticed that they contained classified information.


Siemens Patches Flaws in SIMATIC Controllers, Mobile Apps
21.3.2018 securityweek
Vulnerebility

German industrial giant Siemens has released security patches for several of its SIMATIC products, including some controllers and a mobile application.

Organizations using SIMATIC products were informed by both Siemens and ICS-CERT this week of a denial-of-service (DoS) vulnerability that can be exploited by sending specially crafted PROFINET DCP packets to affected systems.

The flaw, tracked as CVE-2018-4843 and classified as medium severity, can be exploited by an attacker who has access to the network housing the targeted device. While DoS vulnerabilities are generally seen as less severe compared to code execution and other types of flaws, in the case of industrial control systems (ICS), they can have serious impact.

The security hole affects several SIMATIC central processing units (CPUs) and software controllers, SINUMERIK CNC automation solutions, and Softnet PROFINET IO controllers. Siemens has released patches for some of the impacted systems, and provided workarounds and mitigations for the rest.

Siemens also informed customers on Tuesday of an access control vulnerability affecting the Android and iOS versions of its SIMATIC WinCC OA UI mobile application. This app is designed to allow users to remotely access WinCC OA facilities from their mobile devices.

“The latest update for the Android app and iOS app SIMATIC WinCC OA UI fix a security vulnerability which could allow read and write access from one HMI project cache folder to other HMI project cache folders within the app’s sandbox on the same mobile device,” Siemens wrote in its advisory.

“This includes HMI project cache folders of other configured WinCC OA servers. Precondition for this scenario is that an attacker tricks an app user to connect to an attacker-controlled WinCC OA server,” it added.

The SIMATIC WinCC OA UI application vulnerability was discovered by experts at IOActive and Embedi as part of their research into SCADA mobile apps. They analyzed applications from 34 vendors and found security holes in a vast majority of them.


18.5 Million Websites Infected With Malware at Any Time
21.3.2018 securityweek
Virus

There are more than 1.86 billion websites on the internet. Around 1% of these -- something like 18,500,000 -- are infected with malware at a given time each week; while the average website is attacked 44 times every day.

Sitelock has published its Q4 2017 Website Security Insider analysis of malware and websites based on statistics from 6 million of its 12 million customers. All these customers use at least one of Sitelock's malware scanners, while a smaller subset also use the firm's cloud-based web application firewall (WAF). The WAF provides insight into DDoS attacks against websites, while the sca≈nners provide insight to the state of malware in websites.

The analysis shows an increase of around 20% in the number of infected websites over Q3 2017. "We went from about 0.8% of our user base in Q3 to a little over 1% in Q4," Sitelock research analyst Jessica Ortega told SecurityWeek. A 0.2% increase seems a small number, but it implies that up to 18.5 million websites worldwide may be infected with malware at any given time.

Despite the increase in infected sites, continued Ortega, "The total number of attacks or attempted attacks actually decreased by about 20% -- so what we're seeing is that it takes fewer attack attempts to compromise the websites. Attackers are becoming sneakier, and more difficult-to-decode malware is coming through."

The majority of Sitelock's customers are typically small businesses and blogs. "Many website owners remain unaware that website security is their responsibility and rely too heavily on popular search engines and other third parties to notify them when they've been compromised," said Ortega. This doesn't work -- less than 1 in 5 infected websites are blacklisted by the search engines.

Other owners rely on their CMS software provider to keep them secure with security updates. But according to Sitelock, 46% of WordPress sites infected with malware were up to date with the latest core updates. Those also using plug-ins were twice as likely to be compromised.

It is the sheer volume of both threats and compromises that is most surprising. During Q4 2017, Sitelock cleaned an average of 672,655 malicious files every week. It found an average of 309 infected files per site. Sixteen percent of malware results in site defacements, while more than 12% are backdoors facilitating the upload of thousands of other malicious files including exploit kits and phishing pages.

Jessica Ortega, research analyst at Sitelock, comments that the malicious files are often stored on websites in zip files. Even if active files are removed, the site can be compromised again, and the zip file extracted for the attacker to continue precisely as before.

One of the problems is that the average website is very easy to compromise. Sitelock's analysis in Q4 found an average of 414 pages per site containing cross-site scripting (XSS) vulnerabilities; 959 pages per site containing SQL injection (SQLi) vulnerabilities; and 414 pages per site containing cross-site request forgery (CSRF) vulnerabilities.

Even CSM security updates can be used against the website if they are not immediately installed. "Attackers can see what vulnerabilities have been patched in the latest update, and develop an exploit for those vulnerabilities. They then scan the internet for, for example, WordPress sites that haven't yet been updated, and compromise them."

Understanding the attackers' motives is key to understanding the threat to small business websites. "A lot of attackers go for the low-hanging fruit, and small business websites are among the softest and easiest targets because so many owners don't even realize they need security," explains Ortega. One of the primary motivations is to improve the search engine rankings of the attackers' own customers, by inserting backlinks to the customer website.

"Or they use it to attack the website's visitors -- for example, by phishing credentials," she continued; "and obviously the longer that a phishing site stays up, the greater the number of credentials it can potentially steal. Or they're just trying to further spread their malware to visitors via exploit kits."

Compromising small business websites is a numbers game for the criminals. Each site has a relatively small reach in the volume of visitors that can be exploited; but the sheer number of sites combined with the ease of compromise makes it worthwhile. And it is complicated by being perhaps the last refuge of the skiddie. As large companies improve their own security, small companies increasingly attract low-skilled skiddies who hack for personal aggrandizement -- those who do it because they can, and then boast about it.

Sixteen percent of infected sites were subsequently defaced, often with a political or religious message, often by such skiddies.


Code Execution Flaws Found in ManageEngine Products
21.3.2018 securityweek
Vulnerebility

Researchers at cybersecurity technology and services provider Digital Defense have identified another round of vulnerabilities affecting products from Zoho-owned ManageEngine.

ManageEngine provides network, data center, desktop, mobile device, and security solutions to more than 40,000 customers, including three out of every five Fortune 500 company.

Earlier this year, Digital Defense reported finding several potentially serious flaws in ManageEngine’s ServiceDesk Plus help desk software, and on Wednesday the company disclosed the details of six additional security holes found by its researchers in ManageEngine Log360, EventLog Analyzer, and Applications Manager products.

The vulnerabilities have been described by Digital Defense as file upload, blind SQL injection, local file inclusion, and API key disclosure issues that can be exploited without authentication for arbitrary code execution and obtaining potentially sensitive information.

According to the security firm, the Log360 and EventLog Analyzer log management products are affected by an unauthenticated file upload vulnerability that can be exploited to upload a JavaServer Pages (JSP) web shell to the root directory. This is possible due to the fact that a file upload feature’s security checks can be easily bypassed.

The rest of the flaws discovered by Digital Defense researchers impact ManageEngine Applications Manager and many of them can be exploited for arbitrary code execution.

Experts have identified several blind SQL injection flaws that can be leveraged by unauthenticated attackers to execute arbitrary code with SYSTEM privileges and gain complete control of the targeted host.

The list of security holes also includes a local file inclusion issue that can be exploited to download files that may contain sensitive information.

Researchers also discovered that an attacker can obtain an Applications Manager user’s API key by sending a specially crafted GET request.

“Depending on the privilege level of the compromised user, this could result in full compromise of both the Applications Manager web application and the host running it,” Digital Defense warned.

The vulnerabilities were reported to ManageEngine on February 12 and fixes were developed a few weeks later. Patches were made available to customers on March 7.


Fraud Prevention Firm Sift Science Raises $53 Million
21.3.2018 securityweek IT

Fraud prevention and risk management solutions provider Sift Science today announced that it has closed a $53 million Series D funding round, bringing the total raised to date by the company to $107 million.

The latest funding round was led by New York-based growth equity firm Stripes Group, with participation from SPINS, Remitly, Flatiron Health, Udemy, GrubHub, and previous investors Union Square Ventures, Insight Venture Partners, and Spark Capital.

Sift Science plans on using the newly acquired funds to expand its global footprint in the fraud detection and prevention market, which is estimated to reach roughly $42 billion by 2022.

Sift’s Digital Trust Platform relies on machine learning to protect businesses against fraud and abuse, including payment fraud, fake accounts, account hijacking, and abusive user-generated content.

The platform uses data from thousands of websites and apps to identify fraud patterns based on connections between users, behaviors, locations, devices and more. Sift says its customers include Airbnb, Twitter, Twilio, Shutterstock, Yelp, Wayfair and Jet.

“We believe Sift is uniquely positioned to leverage its best-in-class software platform and data network to fundamentally reshape the way businesses and consumers interact online – with more confidence, transparency and security. We are thrilled to be partnering with Sift as it accelerates its already exceptional growth trajectory,” said Ron Shah, partner at Stripes Group.


AMD will release the patches for the recently discovered flaws very soon
21.3.2018 securityaffairs 
Vulnerebility

AMD concluded its investigation on the vulnerabilities recently discovered by CTS Labs and announced that security patches will be released very soon.
AMD has finally acknowledged 13 critical vulnerabilities and exploitable backdoors in its Ryzen and EPYC processors that were first disclosed earlier March by the researchers at the security firm CTS Labs.

The CTS Labs researchers did not disclose any technical details about the vulnerabilities to avoid abuses in the wild.

The vendor plans to roll out firmware updates in the incoming weeks to address the flaws affecting millions of devices worldwide.

The flaws could be potentially exploited to steal sensitive data, install malicious code on AMD-based systems, and gain full access to the compromised systems. The flaws expose servers, workstations, and laptops running vulnerable AMD Ryzen, Ryzen Pro, Ryzen Mobile or EPYC processors to attacks.

CTS-Labs promptly reported the flaws to AMD, Microsoft and “a small number of companies that could produce patches and mitigations.”

The analysis conducted by the security experts revealed four classes (RYZENFALL, FALLOUT, CHIMERA, and MASTERKEY) of vulnerabilities affecting the AMD Zen architecture processors and chipsets that usually contain sensitive information such as passwords and encryption keys.

The flaw could allow to bypass AMD’s Secure Encrypted Virtualization (SEV) technology and also Microsoft Windows Credential Guard. AMD flaws

This week AMD published a press release trying to downplay the severity of the flaws.

“It’s important to note that all the issues raised in the research require administrative access to the system, a type of access that effectively grants the user unrestricted access to the system and the right to delete, create or modify any of the folders or files on the computer, as well as change any settings.” reads the press release published by AMD. “Any attacker gaining unauthorized administrative access would have a wide range of attacks at their disposal well beyond the exploits identified in this research.”

Differently from what has happened for Meltdown and Spectre attacks, AMD sustains that the patches it is going to release are not expected to impact system performance.

CTS Labs are skeptical about a rapid fix of the issues, they claimed that AMD could take several months to release patches for most of the flaws, even some of them could not be fixed.


Frost Bank announced it has suffered a data breach that exposed check images
21.3.2018 securityaffairs  Incindent
On Friday, Frost Bank announced that it has suffered a data breach that exposed check images, crooks could use them to forge checks.
Frost Bank announced on Friday that it has suffered a data breach that exposed check images.

The bank is a subsidiary of Cullen/Frost Bankers, Inc., its staff discovered an unauthorized access to its systems containing images of checks.

Attackers compromised a third-party lockbox software program, in this way they were able to access the images of checks stored electronically in the database.

“In March 2018, Frost detected unauthorized access into a third-party lockbox software program that allowed unauthorized users to view and copy images of checks stored electronically in the image archive.” reads the security advisory published by the company.

“The identified incident did not impact other Frost systems. We have stopped the unauthorized access, and have reported the incident to and are cooperating with law-enforcement authorities.”

The lockbox services are normally used by customers to send payments to a central post office box, once the bank will receive the payments it will credit them to a business’s account.

According to Frost Bank, its systems weren’t impacted by the security breach.

The bad news is that crooks once obtained the images could use them to forge checks.

“Information from the accessed images can be used to forge checks.” continues the advisory.

Frost Bank

According to Frost Bank, the unauthorized access was limited to one software program serving about 470 commercial customers who use the electronic lockbox,

The company confirmed it stopped the identified unauthorized access once discovered the breach.

Law enforcement is investigating the case, while Frost Bank hired an unnamed cybersecurity firm to investigate the security breach,

“At Frost, we care deeply about taking care of our customers and protecting their information, and we regret that this situation has occurred. We are working very hard to make things right,” Frost Chairman and CEO Phil Green said in a statement.


Uber Self-Driving Car struck and killed a woman in Tempe, Arizona
21.3.2018 securityaffairs IT
An Uber self-driving car has struck and killed a woman pedestrian in Tempe, Arizona. The incident raises questions about the safety and security of this kind of vehicles.
This is a sad page of the book of technology evolution, an Uber self-driving car has struck and killed a woman pedestrian in Tempe, Arizona.

The news was confirmed by the company, this is the first incident of this type.

Our hearts go out to the victim’s family. We’re fully cooperating with @TempePolice and local authorities as they investigate this incident.

— Uber Comms (@Uber_Comms) March 19, 2018

According to the media, the accident occurred while the car, a Volvo XC90 SUV, was in the self-driving mode.

“Tempe police are investigating a deadly crash involving a self-driving Uber vehicle overnight. The Uber vehicle was reportedly headed northbound when a woman walking outside of the crosswalk was struck.” states the TV station ABC15.

“Tempe Police says the vehicle was in autonomous mode at the time of the crash and the vehicle operator, 44-year-old Rafaela Vasquez, was also behind the wheel. No passengers were in the vehicle at the time. “

The victim Elaine Herzberg (49), the Uber self-driving car has struck the woman while she was crossing the street outside of a crosswalk.

The woman was transported to the hospital where she has died.

Uber Self-Driving Car accident - Source
Source USA Today

The company immediately suspended its service, all the self-driving cars in the US will be halted, below the message sent by the Uber CEO.

Some incredibly sad news out of Arizona. We’re thinking of the victim’s family as we work with local law enforcement to understand what happened. https://t.co/cwTCVJjEuz

— dara khosrowshahi (@dkhos) March 19, 2018

Uber launched the self-driving program in 2015, its vehicles since then are circulating in many US cities, including Phoenix, Pittsburgh, San Francisco, and Toronto.

The tests in Tempe, Arizona started in February 2017.

The National Transportation Safety Board announced an investigation and sent a team to the place of the accident.

NTSB sending team to investigate Uber crash in Tempe, Arizona. More to come.

— NTSB_Newsroom (@NTSB_Newsroom) March 19, 2018

The company suspended its self-driving program and withdrew all autonomous cars from US roads.

Even if this is an accident, we cannot forget the aspect safety and security when dealing with automotive. Are we really ready to make a self-driving car on the road?

When such kind of vehicle will crowd our cities the risks will be high and the cybersecurity aspects will be crucial.


Supreme Court in Russia ruled Telegram must provide FSB encryption keys
21.3.2018 securityaffairs BigBrothers
A Supreme Court in Russia ruled Telegram must provide the FSB with encryption keys to access users’ messaging data to avoid being blocked.
Bad news for Telegram, a Supreme Court in Russia ruled the company must provide the FSB with encryption keys to access users’ messaging data. If Telegram will refuse to comply the request the authorities will block the service in Russia.

Media watchdog Roskomnadzor asked Telegram to share technical details to access electronic messages shared through the instant messaging app.

Roskomnadzor requested to “provide the FSB with the necessary information to decode electronic messages received, transmitted, or being sent” within 15 days.

In June, Roskomnadzor, the Russian Government threatened to ban the popular instant messaging app because the company refused to be compliant with the country’s new data protection laws. In July, the company agreed to register with Russia authorities to avoid the local ban, but it did not share user data.

Telegram

Telegram appealed against the ruling, but the Supreme Court rejected the request of the company.

Telegram founder Pavel Durov labeled the FSB request as “technically impossible to carry out” and unconstitutional, then he left Russia in September 2017 in response to the request of the FSB.

In July, Russia’s Duma approved the bill to prohibit tools used to surf outlawed websites

Russian authorities requested private firms operating in the country to provide the FSB with information on user activities, all the data related to Russian users must be stored in local servers according to anti-terror legislation that passed in 2016.


Expedia-owned travel website Orbitz says 880,000 payment cards hit in data breach
21.3.2018 securityaffairs  Incindent
Orbitz, the travel website owned by Expedia announced on Tuesday that it has suffered a security breach that affected hundreds of thousands of users.
Orbitz.com has millions of users, it was acquired by Expedia in 2015 for $1.6 billion.

Orbitz confirmed that attackers gained access to a legacy platform between October 1 and December 22, 2017, and stole personal and financial data belonging to consumers and business partners.

The exposed data includes full name, date of birth, gender, phone number, email address, physical and billing address, and payment card data. According to Orbitz, the security breach affected roughly 880,000 payment cards.

There is no evidence that the current Orbitz.com website is affected, passport and travel itinerary information were not exposed in the incident.

The company discovered the breach on March 1 following an internal investigation, Orbitz hired security experts to investigate the issue and identify the flaws exploited by hackers.

The company also notified the incident to the law enforcement that is investigating the case too.

According to the investigators, the hackers may have accessed personal information of customers that made certain purchases between January 1 and June 22, 2016.

orbitz

Attackers may have obtained information on Orbitz partners who made purchases between January 1, 2016, and December 22, 2017.

“We are working quickly to notify impacted customers and partners. We are offering affected individuals one year of complimentary credit monitoring and identity protection service in countries where available. Additionally, we are providing partners with complimentary customer notice support for partners to inform their customers, if necessary,” reads the statement issued by the company.

“Anyone who is notified is encouraged to carefully review and monitor their payment card account statements and contact their financial institution or call the number on the back of their card if they suspect that their payment card may have been misused,”

Customers can contact the firm by calling 1-855-828-3959 (toll-free in the U.S.) or 1-512-201-2214 (international), or by visiting the website orbitz.allclearid.com.

Expedia’s shares fell as much as 1.9 percent to $108.99.

This is the last incident in order of time that affected the travel sector, other companies that suffered security breaches are the hotel chain InterContinental Hotels Group Plc and Hyatt Hotels Corp in 2017.


Windows Remote Assistance flaw could be exploited to steal sensitive files
21.3.2018 securityaffairs 
Exploit
A critical flaw in the Windows Remote Assistance tool allows someone you trust to take over your PC so they can help you fix a problem, and vice-versa.
A critical vulnerability in Microsoft’s Windows Remote Assistance (Quick Assist) feature affects all versions of Windows to date, including Windows 10, 8.1, RT 8.1, and 7. The flaw could be exploited by a remote attacker to steal sensitive files on the targeted machine.
Windows Remote Assistance tool allows someone you trust to take over your PC so they can help you fix a problem, and vice-versa.

The Windows Remote Assistance feature relies on the Remote Desktop Protocol (RDP) to establish a secure connection with the person in need.
Trend Micro Zero Day Initiative researchers Nabeel Ahmed discovered an information disclosure vulnerability in Windows Remote Assistance tracked as CVE-2018-0878. An attacker can trigger the flaw to obtain information to further compromise the victim’s system.
Microsoft fixed the vulnerability this month with the patch Tuesday, the issue resides in the way Windows Remote Assistance processes XML External Entities (XXE).

The CVE-2018-0878 vulnerability affects Microsoft Windows Server 2016, Windows Server 2012 and R2, Windows Server 2008 SP2 and R2 SP1, Windows 10 (both 32- and 64-bit), Windows 8.1 (both 32- and 64-bit) and RT 8.1, and Windows 7 (both 32- and 64-bit).

Nabeel has also released online technical details and a proof-of-concept exploit code for the vulnerability.

The attacker can use the “Out-of-Band Data Retrieval” attack technique to exploit this vulnerability that resides in MSXML3 parser. The attacker offers the victim access to his computer via Windows Remote Assistance.

To set up a Windows Remote Assistance connection the attacker can:

Invite someone to help him;
Respond to someone who needs help.
When you invite someone to help you, an invitation file is generated (i.e. ‘invitation.msrcincident’) which contains XML data used for authentication.

In the following table are reported the parameters included in the request.

Windows Remote Assistance 2

The expert started using the MSXML3 to parse the XML data and discovered it does not properly validate the content. This means that an attacker can send a specially crafted Remote Assistance invitation file containing a malicious code to the victim that instructs the target computer to submit the content of specific files from known locations to a remote server controlled by the attackers.

“To exploit this condition, an attacker would need to send a specially crafted Remote Assistance invitation file to a user. A attacker could then steal text files from known locations on the victim’s machine, under the context of the user, or alternatively, steal text information from URLs accessible to the victim.” reads the security advisory published by Microsoft.

“The stolen information could be submitted as part of the URL in HTTP request(s) to the attacker. In all cases an attacker would have no way to force a user to view the attacker-controlled content. Instead, an attacker would have to convince a user to take action.”

Windows Remote Assistance

The expert warns of mass scale phishing attacks that leverage on .msrcincident invitation files that could potentially result in loss of sensitive information.

“This XXE vulnerability can be genuinely used in mass scale phishing attacks targeting individuals believing they are truly helping another individual with an IT problem.” Ahmed concluded.
“Totally unaware that the .msrcincident invitation file could potentially result in loss of sensitive information. An attacker could target specific log/config files containing username/passwords. ,” Ahmed warns.

The expert developed a tool to automate XXE exfiltration of multiple files by brute-forcing certain directory locations, the software is available on GitHub.

Don’t waste time, install the latest update for Windows Remote Assistance as soon as possible.


A flaw in Ledger Crypto Wallets could allow to drain your cryptocurrency accounts. Fix it!
21.3.2018 securityaffairs 
Vulnerebility
Saleem Rashid, a 15-year-old researcher from the UK, has discovered a severe vulnerability in cryptocurrency hardware wallets made by the Ledger company.
Hardware wallets enable transactions via a connection to a USB port on the user’s machine, but they don’t share the private key with the host machine impossible malware to harvest the keys.

Saleem Rashid has found a way to retrieve the private keys from Ledger devices once obtained a physical access to the device.

The researchers discovered that a reseller of Ledger’s devices could update the devices with malware designed to steal the private key and drain the user’s cryptocurrency accounts when the user will use it.

Giving a close look at the Ledger’s hardware device, Saleem Rashid discovered that they include a secure processor chip and a non-secure microcontroller chip. The nonsecure chip is used for different non-security tacks such as displaying text on the display. The problem ties the fact that the two chips exchange data and an attacker could compromise the insecure microcontroller on the Ledger devices to run malicious code in stealth mode.

Even is Ledger devices implement a way to protect the integrity of the code running on them, the expert developed a proof-of-concept code to bypass it and run malicious code on the products.

nano s ledger wallet

The PoC code was published along with the official announcement from Ledger about the availability of a new firmware update that addresses the vulnerability.

“You’re essentially trusting a non-secure chip not to change what’s displayed on the screen or change what the buttons are saying,” Rashid told to the popular cyber security expert Brian Krebs. “You can install whatever you want on that non-secure chip, because the code running on there can lie to you.”

Rashid published a research paper on the flaw and a video PoC of the attack against a Nano-S device, one of the most popular hardware wallets sold by the company.

“This attack would require the user to update the MCU firmware on an infected computer. This could be achieved by displaying an error message that asks the user to reconnect the device with the le/ button held down (to enter the MCU bootloader). Then the malware can update the MCU with malicious code, allowing the malware to take control of the trusted display and confirmation buttons on the device.” wrote the researcher.
This attack becomes incredibly lucrative if used when a legitimate firmware update is released, as was the case two weeks ago.”

“As you can tell from the video above, it is trivial to perform a supply chain attack that modifies the generated recovery seed. Since all private keys are derived from the recovery seed, the attacker could steal any funds loaded onto the device.” continues the expert.

The Ledger MCU exploit relies on the fact that the process for generating a backup code for a user’s private key leverages on a random number generator that can be forced to work in a predictable way and producing non-random results.

Curiously, when Rashid first reported his findings to Ledger, the company dismissed them.

“the firmware update patches three security issues. The update process verifies the integrity of your device and a successful 1.4.1 update is the guarantee that your device has not been the target of any of the patched attack. There is no need to take any other action, your seed / private keys are safe.” reads the security advisory published by the French company.

“Thimotee Isnard and Sergei Volokitin followed the responsible disclosure agreement process and were awarded with a Bounty, while Saleem Rashid refused to sign the Ledger Bounty Program Reward Agreement.”

Rashid pointed out that Ledger doesn’t include anti-tampering protection to avoid that an attacker could physically open a device, but the company replied that such kind of measures is very easy to counterfeit.

In this case, let me suggest buying the devices directly from the official vendor and not from third-party partners and update them with the last firmware release.


F-Secure Looks to Address Cyber Security Risks in Aviation Industry
19.3.2018 securityweek Safety

Aviation Cybersecurity

Aviation, as part of the transportation sector, falls within the critical infrastructure. While it may not have the same security issues as ICS/SCADA-based manufacturing and utilities, it has certain conceptual similarities; including, for example, a vital operational technology infrastructure with increasing internet connectivity, and the associated cyber risks.

It also has one major difference -- the close physical proximity of its own customers. Catastrophic failure in the aviation industry has a more immediate and dramatic effect on customers -- and for this reason alone, a trusted brand image is an essential and fragile part of success in the aviation industry. Without customer trust, customers will not fly with a particular airline.

Historically, aviation security has primarily focused on physical safety, and has become highly efficient in this area. But in recent years, the customization of new aircraft to provide newer and unique passenger experiences -- such as the latest in internet-connected in-flight entertainment systems -- has added a new cyber risk.

Matthieu Gualino, deputy director of the International Civil Aviation Organization Aviation Security Training Center, described the three current areas of cyber risk as flight control (the critical systems needed to fly the aircraft -- high impact, low likelihood); the operational cabin (systems used to operate and maintain aircraft -- medium impact, medium likelihood); and passengers (systems with direct passenger interaction -- low impact, high likelihood).

The problem today is that aviation security is experienced in operational technology, security and safety; but less experienced in the rapidly evolving world of cyber security. To help counter this risk, Finland's F-Secure has launched its new Aviation Cyber Security Services to help secure not just aircraft, but the entire aviation industry: aircraft, infrastructure, data, and -- most importantly to F-Secure -- reputation. Customers are unlikely to fly with companies they do not trust; and successful cyber-attacks rapidly eliminate customer trust and confidence; even, suggests F-Secure, a minor breach of something like an in-flight entertainment system.

"Off-the-shelf communication technologies are finding their way into aircraft, which makes security much more complicated than in the past," said Hugo Teso, head of aviation cybersecurity services at F-Secure and a former pilot. "Because these off-the-shelf technologies weren't necessarily created to meet the rigorous safety requirements of airlines, the aviation industry is making cyber security a top priority. But they need a partner that understands both cyber security and the details of airline operations, because it's an industry where those details make a big difference."

The new service integrates security assessments of avionics, ground systems and data links, vulnerability scanners, security monitoring, incident response services, and specialized cyber security training for staff.

The primary problem is not unknown to the security industry -- the need to protect safety-critical systems from less significant but more exposed and vulnerable systems (such as those with an internet connection). "A key protection measure is separating systems into different 'trust domains'," explains F-Secure's head of Hardware Security Andrea Barisani, "and then controlling how systems in different domains can interact with one another. This prevents security issues in one domain, like a Wi-Fi service accessible to passengers, from affecting safety-critical systems, like aircraft controls or air to ground datalinks."

Data diodes are typically used for this type of system segmentation, because they provide unidirectional data flows where complete bidirectional isolation is not possible. "It is essential for any data diode to be implemented in a manner that allows no attack, parsing errors or ambiguities, failures to affect their correct operation," Barisani told SecurityWeek. "Our team is routinely involved in testing data diode security to provide assurance on their operation, improve their design and fix any issues well before their certification."

Diodes are part of the separation of the vulnerable passenger facilities from the critical flight operations. "In-flight entertainment and connectivity (IFE/IFC) are two of the most exposed systems in modern aircraft," explained Teso. "Facing directly the passengers, those systems are a major cyber security concern to any operator as any incident would have important brand damage for them. Not to safety though. Due to the way aircraft are designed, built and upgraded any incident involving or originating in the cabin of the airplane will be isolated from the most critical, and safety related, systems."

F-Secure is keen not to promote its new service with the 'fear factor'. The aviation industry already does an excellent job at maintaining the safety of its flights. The new cyber risk is currently primarily against aviation's brand reputation, and the threat of a cyber hijack taking over an aircraft in flight, is, suggests Teso, more likely in the movies than in reality.

But that doesn't mean it can be dismissed or forever ignored, or even limited to civil aviation. The aviation industry, including both civil and military aircraft, shares a common core of technologies, although the threat model differs between the two. Nevertheless, commented Teso, "F-Secure aviation cyber security services is not limited to any specific part of the aviation industry. If it's part of Aviation, our services have it covered."


US Accuses Russian Government of Hacking Infrastructure
19.3.2018 securityweek BigBrothers

The Russian government is behind a sustained hacking effort to take over the control systems of critical US infrastructure like nuclear power plants and water distribution, according to US cyber security investigators.

A technical report released by the Department of Homeland Security on Thursday singled out Moscow as directing the ongoing effort that could give the hackers the ability to sabotage or shut down energy and other utility plants around the country.

It was the first time Washington named the Russian government as behind the attacks which have been taking place for nearly three years.

The allegation added to a series of accusations of political meddling and hacking against Russia that led to Washington announcing fresh sanctions against the country this week.

"Since at least March 2016, Russian government cyber actors ... targeted government entities and multiple US critical infrastructure sectors, including the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors," the report from the DHS Computer Emergency Readiness Team said.

DHS, together with the Federal Bureau of Investigation, said the Russian hackers targeted two groups -- the infrastructure operators themselves, and also peripheral "staging targets" which could be used as stepping stone into the intended targets.

Staging targets included third party firms supplying services and support to the main targets but may have less secure networks. The hackers had a deep toolbox of methods to enter target systems, they said.

The hacking effort paralleled Russia's alleged operation to interfere with the 2016 US presidential election and continue with online media manipulation throughout 2017.

DHS did not identify specific targets which the Russians broke into. But it said they were able to monitor the behavior of control systems, install their own software, collect the credentials of authorized users, monitor communications, and create administrator accounts to run the systems.

- Sustained attack -

The government has been issuing warnings to operators of US infrastructure -- power producers and distributors, water systems, and others -- about foreign hacking since 2016.

In January a White House report said cyberattacks cost the United States between $57 billion and $109 billion in 2016, and warned that the broader economy could be hurt if the situation worsens. It pointed the finger mainly at attackers from Russia, China, Iran, and North Korea.

Last September the private security firm Symantec outlined hacking efforts focused against US and European energy systems by a high-skilled group it dubbed Dragonfly 2.0.

"The Dragonfly group appears to be interested in both learning how energy facilities operate and also gaining access to operational systems themselves, to the extent that the group now potentially has the ability to sabotage or gain control of these systems should it decide to do so."

Symantec did not name the origin of the group, but the DHS report included Symantec's Dragonfly analysis in its allegations against Russia.

On Thursday the government announced sanctions against Russia's top spy agencies and more than a dozen individuals, citing both the election meddling and cyberattacks.

"We will continue to call out malicious behavior, impose costs, and build expectations for responsible actions in cyberspace," said Rob Joyce, the cybersecurity coordinator on the White House's National Security Council.


California Bill Seeks to Adopt Strict Net Neutrality Despite FCC Ruling
19.3.2018 securityweek IT

As Americans wait to see whether net neutrality can gain enough support among lawmakers to invoke disapproval via the Congressional Review Act, individual states are not waiting -- several are working on state laws to maintain net neutrality within their own borders.

In December 2017, under the chairmanship of Ajit Pau, the FCC voted 3-2 to remove net neutrality protections by rolling back its earlier Obama-era classification of ISPs as telecommunications service providers (and therefor under FCC purview) to the common carriers as they had been previously classified. This has now happened. It simply means that existing FCC rules can no longer be applied to ISPs because they are not telecommunications services. This ruling won't come into effect until April 23; that is, 60 days after publication of the ruling in the Federal Register.

In the meantime, California has now joined the number of states attempting to preserve local net neutrality regardless of federal preferences. California state senator Scott Wiener has introduced SB 822, a comprehensive proposal that would prevent ISPs from blocking websites, throttling users' services or introducing paid priority services within California. In some ways this new bill imposes even stricter net neutrality than that being dismantled by the FCC, by, for example, imposing conditions on the practice of 'zero rating'.

Coincidentally, the communications regulator in the UK, OFCOM, this month announced investigations into service providers Vodafone and Three. Vodafone operates a zero rating option called Vodafone Passes. "Our Passes allow customers to access their favorite content without fear of running out of data or attracting out-of-bundle charges," says a Vodafone statement. "They are open to any content provider of video, music, chat and social. Twenty-two content providers have signed up so far, ensuring Vodafone customers can enjoy the widest selection of worry-free access to content across the industry."

Opponents of net neutrality claim this is good for the consumer, effectively providing free bandwidth to the user. Proponents suggest it can starve new and smaller websites of the visitors they need.

In the U.S., AT&T offers a sponsored data program that is similarly zero rated on data usage. It seems, however, that the only services actually zero rated are owned by AT&T -- such as DirecTV. This gives DirecTV a huge advantage over rival services such as Hulu and Sling, since potential customers are more likely to use the service that has a zero data cost to them.

This is the whole net neutrality argument writ small. Large, established organizations can afford to starve new innovative organizations of internet traffic by paying a premium to the service providers; and will always -- in a completely free market -- be able to buy more of the available bandwidth.

Knock-on concerns are that in order to guarantee bandwidth availability to the large premium-paying customers, it might be necessary to rein back availability to ordinary users -- and in order to encourage those ordinary users to pay more for their bandwidth, there will be a temptation for providers to throttle what is already available.

The difficulty in policing net neutrality is that lawmakers recognize that some lee-way for 'throttling' (in the form of traffic management) will always be necessary. Europe's net neutrality laws require that any such traffic management must be 'transparent, non-discriminatory and proportionate'.

OFCOM has promised an update of its investigation into Vodafone in June, and it's not possible to predict the outcome. Vodafone claims that its Passes service does not generate any bandwidth throttling, and indeed guarantees full service to the consumer. This may be true with just 22 signed up content providers; but may not necessarily be true with 200 signed up content providers.

In California, Senator Wiener's proposal solves this problem, not by banning zero-rating outright, but by allowing it only for whole classes of content provider. In the AT&T example, AT&T could continue to zero-rate DirecTV only if it also zero-rates all similar content providers including Hulu and Sling.

Without doubt, SB 822 is one of the strongest net neutrality bills yet seen; and it will undoubtedly be disliked by the ISP providers. Jamie Davies, writing in Telecoms.com, considers net neutrality to be a heavy-handed approach to bandwidth problems. "The telcos have to be given the opportunity to make money," he writes. "If the telcos are making less money, they are spending less on tackling the increased consumption of data. This is a net loss in the long-run and we do not think this is a nuance of the argument which has been considered by Weiner and his army of preachers."

SB 822 may never happen. It may not be necessary if the Congressional Review Act can be used to overturn the FCC decision; or it may fail to get enough votes in California. Ironically, however, the FCC won't be able to stop it. Back in December, the FCC barred states from adopting their own net neutrality rules -- however, it will not be able to enforce its own rule.

"While the FCC's 2017 Order explicitly bans states from adopting their own net neutrality laws," writes Barbara van Schewick, Professor of Law at Stanford Law School, "that preemption is invalid. According to case law, an agency that does not have the power to regulate does not have the power to preempt. That means the FCC can only prevent the states from adopting net neutrality protections if the FCC has authority to adopt net neutrality protections itself."


Facebook Suspends Trump Campaign Data Firm Cambridge Analytica
19.3.2018 securityweek
Social

Facebook says it has suspended the account of Cambridge Analytica, the data analysis firm hired by Donald Trump's 2016 presidential campaign, amid reports it harvested the profile information of millions of US voters without their permission.

According to the New York Times and Britain's Observer, the company stole information from 50 million Facebook users' profiles in the tech giant's biggest-ever data breach, to help them design software to predict and influence voters' choices at the ballot box.

Also suspended were the accounts of its parent organization, Strategic Communication Laboratories, as well as those of University of Cambridge psychologist Aleksandr Kogan and Christopher Wylie, a Canadian data analytics expert who worked with Kogan.

Cambridge Analytica was bankrolled to the tune of $15 million by US hedge fund billionaire Robert Mercer, a major Republican donor. The Observer said it was headed at the time by Steve Bannon, a top Trump adviser until he was fired last summer.

"In 2015, we learned that ... Kogan lied to us and violated our Platform Policies by passing data from an app that was using Facebook Login to SCL/Cambridge Analytica, a firm that does political, government and military work around the globe," Facebook said in a posting late Friday by its vice president and deputy general counsel Paul Grewal.

Kogan also improperly shared the data with Wylie, it said.

Kogan's app, thisisyourdigitallife, offered a personality prediction test, describing itself on Facebook as "a research app used by psychologists."

Some 270,000 people downloaded the app, allowing Kogan to access information such as the city listed on their profile, or content they had "liked."

"However, the app also collected the information of the test-takers' Facebook friends, leading to the accumulation of a data pool tens of millions-strong," the Observer reported.

Facebook later pushed back against the claim of a data breach, issuing a fresh statement on Saturday that suggested the misused data was limited to those who voluntarily took the test.

"People knowingly provided their information, no systems were infiltrated, and no passwords or sensitive pieces of information were stolen or hacked," Grewal said.

Cambridge Analytica meanwhile said it was in touch with Facebook "in order to resolve this matter as quickly as possible​."

It blamed the misuse of data on Kogan and said it has since deleted all the data it received from a company he founded, Global Science Research (GSR).

"No data from GSR was used by Cambridge Analytica as part of the services it provided to the Donald Trump 2016 presidential campaign," it said.

- 'Targeting their inner demons' -

But Wylie, who later became a whistleblower, told the Observer: "We exploited Facebook to harvest millions of people's profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis that the entire company was built on."

Kogan legitimately obtained the information but "violated platform policies" by passing information to SCL/Cambridge Analytica and Wylie, according to Facebook.

Facebook said it removed the app in 2015 when it learned of the violation, and was told by Kogan and everyone who received the data that it had since been destroyed.

"Several days ago, we received reports that, contrary to the certifications we were given, not all data was deleted," Grewal wrote.

"We are moving aggressively to determine the accuracy of these claims. If true, this is another unacceptable violation of trust and the commitments they made.

"We are suspending SCL/Cambridge Analytica, Wylie and Kogan from Facebook, pending further information."

- British investigation -

Cambridge Analytica, the US unit of British behavioral marketing firm SCL, rose to prominence as the firm that the pro-Brexit group Leave.EU hired for data-gathering and audience-targeting.

The company is facing an investigation by Britain's parliament and regulators over its handling of information.

On Saturday, Britain's information commissioner Elizabeth Denham said: "We are investigating the circumstances in which Facebook data may have been illegally acquired and used.

"It's part of our ongoing investigation into the use of data analytics for political purposes which was launched to consider how political parties and campaigns, data analytics companies and social media platforms in the UK are using and analyzing people's personal information to micro-target voters."

The New York Times meanwhile reported that copies of the data harvested for Cambridge Analytica were still online and that its team had viewed some of the raw data.


Russian Cyberspies Hacked Routers in Energy Sector Attacks
19.3.2018 securityweek CyberSpy

A cyberespionage group believed to be operating out of Russia hijacked a Cisco router and abused it to obtain credentials that were later leveraged in attacks targeting energy companies in the United Kingdom, endpoint security firm Cylance reported on Friday.

The United States last week announced sanctions against Russian spy agencies and more than a dozen individuals for trying to influence the 2016 presidential election and launching cyberattacks, including the NotPetya attack and campaigns targeting energy firms. Shortly after, US-CERT updated an alert from the DHS and FBI to officially accuse the Russian government of being responsible for critical infrastructure attacks launched by a threat actor tracked as Dragonfly, Crouching Yeti and Energetic Bear.

A warning issued last year by the UK’s National Cyber Security Centre (NCSC) revealed that hackers had targeted the country’s energy sector, abusing the Server Message Block (SMB) protocol and attempting to harvest victims’ passwords.

An investigation conducted by Cylance showed that the attacks were likely carried out by the Dragonfly group. The security firm has observed a series of phishing attacks aimed at the energy sector in the UK using two documents claiming to be resumes belonging to one Jacob Morrison.

When opened, the documents fetched a template file and attempted to automatically authenticate to a remote SMB server controlled by the attackers. This template injection technique was detailed last year by Cisco Talos following Dragonfly attacks on critical infrastructure organizations in the United States.

When a malicious document is opened using Microsoft Word, it loads a template file from the attacker’s SMB server. When the targeted device connects to the SMB server, it will attempt to authenticate using the current Windows user’s domain credentials, basically handing them over to the attackers.

In a separate analysis of such attacks, Cylance noted that while the credentials will in most cases be encrypted, even an unsophisticated attacker will be able to recover them in a few hours or days, depending on their resources.

According to Cylance, Dragonfly used this technique to harvest credentials that were later likely used to hack the systems of energy sector organizations in the United Kingdom.

One interesting aspect noticed by Cylance researchers is that the IP address of the SMB server used in the template injection attack was associated with a major state-owned energy conglomerate in Vietnam. Specifically, the IP corresponded to a core Cisco router that had reached end-of-life.

“The use of compromised routing infrastructure for collection or command and control purposes is not new, but its detection is relatively rare,” Cylance researchers explained. “That’s because the compromise of a router very likely implicates the router’s firmware and there simply aren’t as many tools available to the forensic investigator to investigate them. Analysis is further challenged by the lack of system logs.”

“The fact that the threat actor is using this type of infrastructure is a serious and worrisome discovery, since once exploited, vulnerabilities in core infrastructure like routers are not easily closed or remediated,” they added.

Dragonfly is not the only cyberespionage group to abuse routers in its attacks. A threat actor named Slingshot, whose members appear to speak English, has targeted entities in the Middle East and Africa using hacked Mikrotik routers.


Cambridge Analytica: Firm at the Heart of Facebook Scandal
19.3.2018 securityweek
Social

At the center of a scandal over alleged misuse of Facebook users' personal data, Cambridge Analytica is a communications firm hired by those behind Donald Trump's successful US presidential bid.

An affiliate of British firm Strategic Communication Laboratories (SCL), Cambridge Analytica has offices in London, New York, Washington, as well as Brazil and Malaysia.

Cambridge Analytica

Here's the story behind the company using data to fuel political campaigns:

What does Cambridge Analytica do?

The company boasts it can "find your voters and move them to action" through data-driven campaigns and a team including data scientists and behavioural psychologists.

Cambridge Analytica"Within the United States alone, we have played a pivotal role in winning presidential races as well as congressional and state elections," with data on more than 230 million American voters, Cambridge Analytica claims on its website.

Speaking to TechCrunch in 2017, CEO Alexander Nix said the firm was "always acquiring more" data. "Every day we have teams looking for new data sets," he told the site.

Who are the company's clients?

As well as working on the election which saw Trump reach the White House, Cambridge Analytica has been involved in political campaigns around the world.

In the US, analysts harnessed data to generate thousands of messages targeting voters through their profiles on social media such as Facebook, Snapchat, or the Pandora Radio streaming service.

British press have credited Cambridge Analytica with providing services to pro-Brexit campaign Leave.EU, but Nix has denied working for the group.

Globally, Cambridge Analytica said it has worked in Italy, Kenya, South Africa, Colombia and Indonesia.

What has the company been accused of?

According to the New York Times and Britain's Observer newspapers, Cambridge Analytica stole information from 50 million Facebook users' profiles in the tech giant's biggest-ever data breach, to help them design software to predict and influence voters' choices at the ballot box.

University of Cambridge psychologist Aleksandr Kogan created a personality prediction test app, thisisyourdigitallife, which was downloaded by 270,000 people.

The tool allowed Kogan to access information such as content Facebook users had "liked" and the city they listed on their profile, which was then passed to SCL and Cambridge Analytica.

The Observer reported the app also collected information from the Facebook friends of people who had taken the test.

Christopher Wylie, a former Cambridge Analytica employee, worked with Kogan and told Canadian television channel CBC the company used "private data they acquired without consent".

Who else is involved?

US hedge fund billionaire Robert Mercer -- and major Republican party donor -- bankrolled Cambridge Analytica to the tune of $15 million (12 million euros).

The Observer said it was headed at the time by Steve Bannon, a top Trump adviser until he was fired last summer.

How has Facebook responded?

Facebook suspended SCL and Cambridge Analytica, as well as Kogan and Wylie. In explaining its decision on Friday, the social media giant said the thisisyourdigitallife app was legitimate, but accused Kogan of subsequently violating Facebook's terms by passing the data on to SCL/Cambridge Analytica.

Facebook said it found out what had happened in 2015 and was told all parties involved had deleted the data.

"The claim that this is a data breach is completely false," Facebook said in a new statement on Saturday, saying app users knowingly provided their information.


DHS and FBI accuse Russian Government of hacking US critical infrastructure
19.3.2018 securityaffairs BigBrothers

Department of Homeland Security and Federal Bureau of Investigation issued a joint technical alert to warn of attacks on US critical infrastructure powered by Russian
Last week, the Department of Homeland Security and Federal Bureau of Investigation issued a joint technical alert to warn of attacks on US critical infrastructure powered by Russian threat actors. The US-CERT blamed the APT group tracked as Dragonfly, Crouching Yeti, and Energetic Bear.

Last week the US-CERT updated its alert by providing further info that and officially linking the above APT groups to the Kremlin.

The Alert (TA18-074A) warns of “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors,” it labels the attackers as “Russian government cyber actors.”

“This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.” reads the alert.

“It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks.”

The analysis of indicators of compromise (IoCs), the Dragonfly threat actor is still very active and its attacks are ongoing.

“DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.” continues the alert. “After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).”

On the other side, the Russian Government has always denied the accusations, in June 2017 Russian President Putin declared that patriotic hackers may have powered attacks against foreign countries and denied the involvement of Russian cyberspies.

According to the DHS, the Russi-linked APT groups targeted two groups. the infrastructure operators and also peripheral “staging targets” which could be used as stepping stone into the intended targets.

“This campaign comprises two distinct categories of victims: staging and intended targets. The initial victims are peripheral organizations such as trusted third-party suppliers with less secure networks, referred to as “staging targets” throughout this alert.” continues the alert.

“The threat actors used the staging targets’ networks as pivot points and malware repositories when targeting their final intended victims. NCCIC and FBI judge the ultimate objective of the actors is to compromise organizational networks, also referred to as the “intended target.“”

critical infrastructure Russia

The alert doesn’t include details of specific targets compromised by Russians hackers.

The Russian hackers were able to compromise the control systems by installing their custom malware to harvest credentials of authorized users, monitor communications, and gain control of the systems.

Only last week, the government announced sanctions against Russia’s top spy agencies and more than a dozen individuals.


Facebook confirms Cambridge Analytica stole its data and used it to influence US voters
19.3.2018 securityaffairs
Social
The commercial data analytics company Cambridge Analytica allegedly used data harvested by Facebook to target US voters in the 2016 Presidential election.
A team of academics had collected a huge amount of user data and shared the information with Cambridge Analytica which is a commercial data analytics company that allegedly used it to target US voters in the 2016 Presidential election.

The news was confirmed by Facebook over the weekend, the researchers used an app developed by the University of Cambridge psychology lecturer Dr. Aleksandr Kogan to collect user data.

The app named “thisisyourdigitallife” is available to users since 2014, it was provided by Global Science Research (GSR) and asked users to take an online survey for $1 or $2. The app requested access to the user’s profile information, and over 270,000 users gave the app permission to use their personal details for academic research.

Facebook confirmed to have “suspended” any business with Cambridge Analytica (CA) and its holding company.

“Aleksandr Kogan requested and gained access to information from users who chose to sign up to his app, and everyone involved gave their consent.” states the official statement released by Facebook.

“Like all app developers, Kogan requested and gained access to information from people after they chose to download his app. His app, “thisisyourdigitallife,” offered a personality prediction, and billed itself on Facebook as “a research app used by psychologists.” Approximately 270,000 people downloaded the app. In so doing, they gave their consent for Kogan to access information such as the city they set on their profile, or content they had liked, as well as more limited information about friends who had their privacy settings set to allow it.”

The app is a powerful tool to profile users by harvesting information on their network of contacts, its code allowed to collect data from over 50 million users.


Cambridge Analytica tried to clarify its position declaring that it has deleted all data received from GSR when discovered the way they were obtained.

“When it subsequently became clear that the data had not been obtained by GSR in line with Facebook’s terms of service, Cambridge Analytica deleted all data received from GSR,” CA said in a statement.

“No data from GSR was used by Cambridge Analytica as part of the services it provided to the Donald Trump 2016 presidential campaign.”

We refute these mischaracterizations and false allegations, and we are responding — watch our Twitter feed for more.

— Cambridge Analytica (@CamAnalytica) March 17, 2018

According to a report published by The Intercept exactly one year ago, the situation is quite different. The Intercept sustained that Kogan operated on behalf of Strategic Communication Laboratories (SCL), a military contractor that owns the Cambridge Analytics.

Facebook discovered the activity in 2015 thanks to claims from its users and adopted the necessary measures to force the involved parties in deleting the data from their servers.

“Although Kogan gained access to this information in a legitimate way and through the proper channels that governed all developers on Facebook at that time, he did not subsequently abide by our rules. By passing information on to a third party, including SCL/Cambridge Analytica and Christopher Wylie of Eunoia Technologies, he violated our platform policies.” continues the Facebook statement. “When we learned of this violation in 2015, we removed his app from Facebook and demanded certifications from Kogan and all parties he had given data to that the information had been destroyed. Cambridge Analytica, Kogan and Wylie all certified to us that they destroyed the data.”

Christopher Wylie, a Kogan’s collaborator, confirmed that data has been used in the US presidential election to profile individuals and influence the final vote. Wylie provided evidence to the New York Times and The Guardian that harvested data had not been destroyed.

Facebook also suspended Wylie’s account as confirmed by the whistleblower via Twitter on Sunday.

Suspended by @facebook. For blowing the whistle. On something they have known privately for 2 years. pic.twitter.com/iSu6VwqUdG

— Christopher Wylie (@chrisinsilico) March 18, 2018


Iran-linked group TEMP.Zagros now targets Asia and Middle East regions
19.3.2018 securityaffairs
Phishing
Experts at FireEye uncovered a new massive phishing campaign conducted by TEMP.Zagros group targeting Asia and Middle East regions from January 2018 to March 2018.
Iranian hackers are one of the most active in this period, researchers at FireEye uncovered a new massive phishing campaign targeting Asia and Middle East regions from January 2018 to March 2018.

The group behind the campaign is known as TEMP.Zagros, aka MuddyWater, and according to the experts it is now adopting new tactics, techniques, and procedures.

“We observed attackers leveraging the latest code execution and persistence techniques to distribute malicious macro-based documents to individuals in Asia and the Middle East. We attribute this activity to TEMP.Zagros (reported by Palo Alto Networks and Trend Micro as MuddyWater), an Iran-nexus actor that has been active since at least May 2017.” reads the analysis published by the experts at FireEye.

“This actor has engaged in prolific spear phishing of government and defense entities in Central and Southwest Asia. The spear phishing emails and attached malicious macro documents typically have geopolitical themes. When successfully executed, the malicious documents install a backdoor we track as POWERSTATS.”

The TEMP.Zagros was first spotted by researchers at PaloAlto Networks in 2017, the hackers targeted various industries in several countries with spear-phishing messages.

Attackers used weaponized documents typically having geopolitical themes, such as documents purporting to be from the National Assembly of Pakistan or the Institute for Development and Research in Banking Technology.

Last week expert at Trend Micro also attributed the new wave of attacks to the MuddyWater threat actor.

“We discovered a new campaign targeting organizations in Turkey, Pakistan and Tajikistan that has some similarities with an earlier campaign named MuddyWater, which hit various industries in several countries, primarily in the Middle East and Central Asia.” states the analysis published by Trend Micro.

According to FireEye report, TEMP.Zagros attackers are adopting a new backdoor dubbed POWERSTATS for backdoors and the reuse of a known technique for lateral movements.

Each of these macro-based documents used similar techniques for code execution, persistence, and communication with the command and control (C2) server.

Hackers re-used the AppLocker bypass and lateral movement techniques for the purpose of indirect code execution. The IP address in the lateral movement techniques was substituted with the local machine IP address to achieve code execution on the system.

“In this campaign, the threat actor’s tactics, techniques and procedures (TTPs) shifted after about a month, as did their targets.” continues FireEye.

TEMP.Zagros phishing

The campaign started on Jan. 23 involved a macro-based document that dropped a VBS file and an INI file containing a Base64 encoded PowerShell command.

The Base64 encoded PowerShell command will be decoded and executed by PowerShell using the command line generated by the VBS file on execution using WScript.exe.

Attackers used a differed VBS script for each sample, employing different levels of obfuscation and different ways of invoking the next stage of the process tree.

Starting from Feb. 27, 2018, hackers used a new variant of the macro that does not use VBS for PowerShell code execution. The new variant uses a new code execution techniques leveraging INF and SCT files.

Researchers at FireEye also found Chinese strings in the malicious code used by TEMP.Zagros that were left as false flags to make hard the attribution.

“During analysis, we observed a code section where a message written in Chinese and hard coded in the script will be printed in the case of an error while connecting to the C2 server:” states FireEye.

Indicators of compromise (IoCs) and other info are included in the report published by FireEye.


Cisco Meraki Offers Up to $10,000 in Bug Bounty Program
19.3.2018 securityweek Security

Cisco Meraki, a provider of cloud-managed IT solutions, announced last week the launch of a public bug bounty program with rewards of up to $10,000 per vulnerability.

Cisco Meraki, which resulted from Cisco’s acquisition of Meraki in late 2012, started with a private bug bounty program on the Bugcrowd platform. The private program led to the discovery of 39 flaws, for which the company paid out an average of roughly $1,100.

The firm has now decided to open its bug bounty program to all the white hat hackers on Bugcrowd and it’s prepared to pay them between $100 and $10,000 per flaw.Cisco Meraki

The initiative covers the meraki.com, ikarem.io, meraki.cisco.com and network-auth.com domains and some of their subdomains, the Meraki Dashboard mobile apps for Android and iOS, and products such as the Cisco Meraki MX Security Appliances, Meraki MS Switches, MR Access Points, MV Security Cameras, MC Phones, Systems Manager, and Virtual Security Appliances.

The highest rewards can be earned for serious vulnerabilities in websites (except meraki.cisco.com), and all hardware and software products. Researchers can receive between $6,000 and $10,000 for remote code execution, root logic, sensitive information disclosure, and device configuration hijacking issues.

There is a long list of security issues that are not covered by the program, including denial-of-service (DoS) attacks, SSL-related problems and ones that require man-in-the-middle (MitM) access, clickjacking, and classic self-XSS.

“We invest heavily in tools, processes and technologies to keep our users and their networks safe, including third party audits, features like two-factor authentication and our out-of-band cloud management architecture,” said Sean Rhea, engineering director at Cisco Meraki. “The Cisco Meraki vulnerability rewards program is an important component of our security strategy, encouraging external researchers to collaborate with our security team to help keep networks safe.”

Meraki says its wireless, switching, security, and communications products are used by more than 230,000 global customers for 3 million devices.


Hacker Adrian Lamo Dies at Age 37
19.3.2018 securityweek Crime

Adrian Lamo, the former hacker best known for breaching the systems of The New York Times and turning in Chelsea Manning to authorities, has died at age 37.

His passing was announced on Friday by his father, Mario Lamo, on the Facebook page of the 2600: The Hacker Quarterly magazine.Adrian Lamo dies

“With great sadness and a broken heart I have to let know all of Adrian's friends and acquaintances that he is dead. A bright mind and compassionate soul is gone, he was my beloved son…” he wrote.

Lamo had been living in Wichita, Kansas, and he was found dead in an apartment on Wednesday. The cause of death is not known, but representatives of local police said they had found nothing suspicious, The Wichita Eagle reported.

Lamo broke into the systems of companies such as Yahoo, AOL, Comcast, Microsoft and The New York Times in an effort to demonstrate that they had been vulnerable to hacker attacks.

He was arrested in 2003 and in early 2004 he pleaded guilty to computer crimes against Microsoft, The New York Times, and data analytics provider LexisNexis. He was sentenced to six months’ detention at the home of his parents.

Lamo drew criticism in 2010 after he reported Chelsea Manning (at the time U.S. Army intelligence analyst Bradley Manning) to the Army for leaking a massive amount of classified documents to WikiLeaks.


Experts discovered remotely exploitable buffer overflow vulnerability in MikroTik RouterOS
19.3.2018 securityaffairs APT
Security experts at Core Security have disclosed the details of a buffer overflow vulnerability that affects MikroTik RouterOS in versions prior to the latest 6.41.3.
MikroTik is a Latvian vendor that produce routers used by many telco companies worldwide that run RouterOS Linux-based operating system.

The vulnerability, tracked as CVE-2018-7445, could be exploited by a remote attacker with access to the service to execute arbitrary code on the system.

“A buffer overflow was found in the MikroTik RouterOS SMB service when processing NetBIOS session request messages. Remote attackers with access to the service can exploit this vulnerability and gain code execution on the system.” reads the advisory published by the company.

“The overflow occurs before authentication takes place, so it is possible for an unauthenticated remote attacker to exploit it.”

The researchers published a proof of concept exploit code that works with MikroTik’s x86 Cloud Hosted Router.

MikroTik routerOS

Core first reported the flaw to MikroTik on February 19, 2018. MikroTik planned to release a fix in the next release on March 1, 2018 and asked Core to do not reveal the details of the flaw. Even if MikroTik was not able to issue a fix for the estimated deadline 2018, Core waited for the release of the new version the occurred on Monday, March 12, 2018.

In case it is not possible to install an update, MikroTik suggested disabling SMB.

A few days ago, security experts at Kaspersky Lab announced to have spotted a new sophisticated APT group that has been operating under the radar at lease since at least 2012. Kaspersky tracked the group and identified a strain of malware it used, dubbed Slingshot, to compromise systems of hundreds of thousands of victims in the Middle East and Africa.

Slingshot

The researchers have seen around 100 victims of Slingshot and detected its modules, located in Kenya, Yemen, Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania.

Kenya and Yemen account for the largest number of infections to date. Most of the victims are individuals rather than organizations, the number of government organizations is limited.

The APT group exploited zero-day vulnerabilities (CVE-2007-5633; CVE-2010-1592, CVE-2009-0824.) in routers used by the Latvian network hardware provider Mikrotik to drop a spyware into victims’ computers.
The attackers first compromise the router, then replace one of its DDLs with a malicious one from the file-system, the library is loads in the target’s computer memory when the user runs the Winbox Loader software, a management suite for Mikrotik routers.

The DLL file runs on the victim’s machine and connects to a remote server to download the final payload, the Slingshot malware in the attacks monitored by Kaspersky.

It is not clear if the Slingshot gang also exploited the CVE-2018-7445 vulnerability to compromise the routers.

Now that a proof of concept exploit for vulnerability CVE-2018-7445 is available online customers need to upgrade RouterOS to version 6.41.3 to avoid problems.


Hackers tried to cause a blast at a Saudi petrochemical plant
18.3.2018 securityaffairs
Attack

A new cyber attack against a Saudi petrochemical plant made the headlines, hackers attempted to hit the infrastructure in August.
Do you remember the powerful cyber attack that in 2014 hit computers at Saudi Aramco?

A new cyber attack against a petrochemical plant in Saudi Arabia made the headlines, hackers attempted to hit the infrastructure in August.

The news was reported by the New York Times, hackers hit the petrochemical plant in Saudi Arabia with sabotage purposes, and fortunately, the attack failed only because of a code glitch.

“In August, a petrochemical company with a plant in Saudi Arabia was hit by a new kind of cyberassault. The attack was not designed to simply destroy data or shut down the plant, investigators believe. It was meant to sabotage the firm’s operations and trigger an explosion.” reported The New York Times.

Saudi petrochemical plant attack

The investigators did not attribute the attack to a specific threat actor, but people interviewed by the NYT under a condition of anonymity explained that the cyber attacks likely aimed to cause a blast that would have guaranteed casualties.

The cyberattack did not have dramatic consequences due to an error in the malicious code that shut down the system instead of destroying it.

The attack seems to be the result of an operation conducted by a foreign government, it is the evidence of a dangerous escalation in international hacking that could inflict serious physical damage.

The NYT said that sources declined to name the company operating the plant as well as the government suspected to have powered the cyber attack.

” the attackers were sophisticated and had plenty of time and resources, an indication that they were most likely supported by a government, according to more than a dozen people, including cybersecurity experts who have looked into the attack and asked not to be identified because of the confidentiality of the continuing investigation.” continues the newspaper.

“The only thing that prevented an explosion was a mistake in the attackers’ computer code, the investigators said.”

Security experts interviewed by the NYT said that due to the level of sophistication of the attack on the Saudi petrochemical plant only a few Government could have baked the offensive, including Iran, China, Russia, Israel and the United States.

The Saudi Arabian Government did not comment the event, its infrastructure is under incessant attacks.

Saudi Arabia was targeted several times by APT, the most clamorous attack was conducted with the Shamoon wiper in 2012 against computers in the Saudi energy sector in 2012.

Computers at Saudi Aramco, one of the world’s biggest oil companies, was disrupted by Shamoon in what is believed to be the country’s worst cyber attack yet.

In the attack against Saudi Aramco Shamoon wipe data on over 30,000 computers and rewrite the hard drive MBR (Master Boot Record) with an image of a burning US flag.

Early 2107, Saudi authorities warned of a new wave of attacks that leveraged the Shamoon 2 malware targeting the country.

In January 2017, the Saudi Arabian labor ministry had been attacked and also a chemical firm reported a network disruption.

On Nov. 2017, 2016, a cyberattack paralyzed a number of computers of Saudi government wiping their hard drives. According to the experts at the Saudi National Cyber Security Centre, the attackers aimed to disrupt government computers.

The attackers leveraged the Powershell, but at the time of writing Government experts it did not comment on the source of the attack.

A few days later, the same attack hit other Saudi targets with the same wiper.

According to the New York Times, the August attack was “much more dangerous” than Shamoon, according to The New York Times, and likely aimed to send a political message — investigators said the code had been custom-built with no obvious financial motive.

“The attack in August was not a Shamoon attack. It was much more dangerous.” continues NYT.

“Investigators believe a nation-state was responsible because there was no obvious profit motive, even though the attack would have required significant financial resources. And the computer code had not been seen in any earlier assaults. Every hacking tool had been custom built.”

The attribution of the attack in this phase is quite impossible, in recent years the tensions between Iran and Saudi Arabia have steadily escalated and the conflict shifted in the cyberspace.


Russia-linked Sofacy APT targets an unnamed European Government agency
18.3.2018 securityaffairs APT

While US-CERT warns of cyber attacks against critical infrastructure in the energy sectors, Russia-linked Sofacy APT is targeting a government agency in Europe.
Last week the US Government announced sanctions against five Russian entities and 19 individuals, including the FSB, the military intelligence agency GRU.

Despite the sanctions, Russian hackers continue to target entities worldwide, including US organizations.

The Russian spy agencies and the individuals are accused of trying to influence the 2016 presidential election and launching massive NotPetya ransomware campaign and other attacks on businesses in the energy industry.

Last year, the Department of Homeland Security and Federal Bureau of Investigation issued a joint technical alert to warn of attacks on US critical infrastructure powered by Russian threat actors. The US-CERT blamed the APT group tracked as Dragonfly, Crouching Yeti, and Energetic Bear.

Now the US-CERT updated its alert by providing further info that and officially linking the above APT groups to the Kremlin.

The Alert (TA18-074A) warns of “Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors,” it label the attackers as “Russian government cyber actors.”

“This alert provides information on Russian government actions targeting U.S. Government entities as well as organizations in the energy, nuclear, commercial facilities, water, aviation, and critical manufacturing sectors.” reads the alert.

“It also contains indicators of compromise (IOCs) and technical details on the tactics, techniques, and procedures (TTPs) used by Russian government cyber actors on compromised victim networks.”

According to the DHS, based on the analysis of indicators of compromise, the Dragonfly threat actor is still very active and its attacks are ongoing.

“DHS and FBI characterize this activity as a multi-stage intrusion campaign by Russian government cyber actors who targeted small commercial facilities’ networks where they staged malware, conducted spear phishing, and gained remote access into energy sector networks.” continues the alert. “After obtaining access, the Russian government cyber actors conducted network reconnaissance, moved laterally, and collected information pertaining to Industrial Control Systems (ICS).”

The Russian Government has always denied the accusations, in June 2017 Russian President Putin declared that patriotic hackers may have powered attacks against foreign countries and denied the involvement of Russian cyberspies.

A few days ago, cyber security experts at Palo Alto Networks uncovered hacking campaigns launched by Sofacy against an unnamed European government agency leveraging an updated variant of the DealersChoice tool.

“On March 12 and March 14, we observed the Sofacy group carrying out an attack on a European government agency involving an updated variant of DealersChoice.” reads the analysis published by PaloAlto Networks.

“The updated DealersChoice documents used a similar process to obtain a malicious Flash object from a C2 server, but the inner mechanics of the Flash object contained significant differences in comparison to the original samples we analyzed. One of the differences was a particularly clever evasion technique.”

The attacks uncovered by PaloAlto aimed at a government organization in Europe used a spear phishing email referencing the “Underwater Defence & Security” conference, which will take place in the U.K. later this month.

While previous versions of DealersChoice loaded a malicious Flash object as soon as the bait document was opened, the samples analyzed by PaloAlto that were related to the last attacks include the Flash object on page three of the document and it’s only loaded if users scroll down to it.

“The user may not notice the Flash object on the page, as Word displays it as a tiny black box in the document, as seen in Figure 1. This is an interesting anti-sandbox technique, as it requires human interaction prior to the document exhibiting any malicious activity.” states the analysis.

Early February, experts from Kaspersky highlighted a shift focus in the Sofacy APT group’s interest, from NATO member countries and Ukraine to towards the Middle East and Central Asia.


Unsecured AWS S3 bucket managed by Walmart jewelry partner exposes data of 1.3M customers
18.3.2018 securityaffairs Incindent

An unsecured Amazon S3 bucket, managed by a Walmart jewelry partner MBM Company Inc, left personal and contact information of 1.3 million customers exposed to the public internet.
A new case of an Amazon S3 bucket left open online, this time personal data belonging to 1.3 million customers of Walmart jewelry partner MBM Company have been exposed.

Experts at Kromtech Security discovered in February an Amazon S3 bucket named “walmartsql” containing an MSSQL database backup, named MBMWEB_backup_2018_01_13_003008_2864410.bak. The name suggests that the backup may have been public since January 13, 2018, some of the records included in the archive are dated back 2000.

The archive contained names, addresses, zip codes, phone numbers, e-mail addresses, IP addresses, and, most also plain text passwords of MBM Company. The archive contained internal MBM mailing lists, encrypted credit card details, payment details, promo codes, and item orders.

“On February 6th, 2018 researchers at Kromtech security came across another publicly accessible Amazon s3 bucket. This one contained a MSSQL database backup, which was found to hold the personal information, including names, addresses, zip codes, phone numbers, e-mail addresses, ip addresses, and, most shockingly, plain text passwords, for shopping accounts of over 1.3 million people (1,314,193 to be exact) throughout the US and Canada.” reads a blog post published by Kromtech.

“At first glance the data appeared to belong to Walmart as the storage bucket was named ‘walmartsql’, but upon further investigation by Kromtech researchers it was discovered that the MSSQL database backup inside actually belonged to MBM Company Inc., a jewelry company based in Chicago, IL, which operates mainly under the name Limogés Jewelry.”

Walmart jewelry partner MBM Company Inc data leak

This is another case of poor security, the IT staff that was managing the archive left the backup exposed online through an unsecured Amazon S3 bucket, and they did not adopt any further measure to protect information stored in the database.

“Passwords were stored in the plain text, which is great negligence, taking into account the problem with many users re-using passwords for multiple accounts, including email accounts.” said Bob Diachenko, head of communications for Kromtech.

Kromtech experts notified Walmart of the public Amazon S3 bucket, the company promptly secured the storage bucket but was unable to comment on MBM Company Inc.


Goodfellas, the Brazilian carding scene is after you
18.3.2018 Kaspersky CyberCrime
There are three ways of doing things in the malware business: the right way, the wrong way and the way Brazilians do it. From the early beginnings, using skimmers on ATMs, compromising point of sales systems, or even modifying the hardware of processing devices, Latin America has been a fertile ground for collecting credit and debit cards en masse.

Brazil started the migration to EMV cards in 1999 and nowadays almost all cards issued in the country are chip-enabled. A small Java-based application lives inside this chip and can be easily manipulated in order to create a “golden ticket” card that will be valid in most (if not all) point of sale systems. Having this knowledge has enabled the criminals to update their activities, allowing them to create their own cards featuring this new technology and keeping them “in the business.”

Enter the world of Brazilian malware development, incorporating every trick in the book and adding a custom made malware that can easily collect data from chip and PIN protected cards; all while offering a nicely designed interface for administering the ill-gotten information, validating numbers, and offering their “customers” an easy to use package to burn their cloned card.

“Seu cartão vou clonar”: not only a crime but a lifestyle
According to the 2016 Global Consumer Card Fraud: Where Card Fraud Is Coming From, “At this point in time, the assumption should be that almost all users’ credentials and/or card information has been compromised. The underground economy for user information has matured so much that it is indistinguishable from a legitimate economy.”

In addition, when we are faced with the current credit card fraud statistics, we found that in 2016, Mexico was in the lead with 56% of residents reporting experiencing card fraud in the past five years. Brazil comes in second at 49%, and the U.S. in third with 47%. It’s worth noting that approximately 65% of the time, credit card fraud results in a direct or indirect financial loss for the victim, with an average reported loss of $1,343 USD.

While traditional criminal activities in Brazil regarding computer crime have included banking trojans, boletos, and all sorts of different malware, cloning credit and debit cards for a living is more than a day job for some. With MCs rapping about the hardships of obtaining new plastic, and how easy the money starts flowing once they get in the game, there’s no shortage of options being offered for infecting ATMs, point of sales systems, or directly stealing credit card numbers from the users.

One of the many Youtube channels sharing tutorials and real life stories on being a Brazilian carder.

There are tutorials, forums, instant message groups, anything and everything as accessible as ever; making this industry a growing threat for all Brazilians. When it comes to Prilex, we are dealing with a complete malware suite that gives the criminal full support in their operations, all with a nicely done graphical user interface and templates for creating different credit card structures, being a criminal-to-criminal business. While cloning chip and PIN protected cards has already been discussed in the past, we found Prilex and its business model something worth sharing with the community; as these attacks are becoming easier to perform and the EMV standard hasn’t been able to keep up with the bad guys.

Anything they wanted was an ATM infection away
The first notable appearance of the Prilex group was related to an ATM attack targeting banks located primarily in the Brazilian territory. Back then, criminals used a black box device configured with a 4G USB modem in order to remotely control the machine. By opening a backdoor to the attacker, they could hijack the institution’s wireless connection and target other ATMs at their will.

At the time, the malware that was used to dispense money at will, was developed using Visual Basic version 6.0; a reasonably old programming language that is still heavily used by Brazilian criminals. The sample was using a network protocol tailored specifically to communicate to its C2 allowing the attacker to remotely dig deeper in the ATM system and collect all the necessary information in order to perform further attacks.

After obtaining initial access to the network, the attacker would run a network recognition process to find the IP address of each of the ATMs. With that information at hand, a lateral movement phase would begin, using default Windows credentials and then installing a custom crafted malware on the most promising systems. The backdoor would allow the attacker to empty the ATM socket by launching the malware interface and sending remote commands to dispense the money.

ATM version of Prilex patching legitimate software for jackpotting purposes.

The malware was developed to target not only the ATMs with the jackpotting functionality but also the bank’s customers due to a function which enables the malware to steal the magnetic stripe information once the client use the infected ATM: cloning and jackpotting on the same package.

Targeting point of sales systems and expanding functionality
While hunting new samples related to the ATM attack, we found a new sample matching the previously dissected communication protocol. In fact, the protocol (and code) used by this new sample had been updated a bit in order to support extended functionality.

Code similarity of the ATM and Point of Sale samples from the Prilex family.

The main module contains different functions that allow the attacker to perform a set of debugging operations on the victim’s machine as well as performing the attack itself.

Remote administration using “Ammyy Admin”.
Upload/download files from/to infected computer.
Capture memory regions from a process.
Execute shell commands.
Update main module.
Patch libraries in order to allow capturing card information.

Functions handled by the malware.

The main purpose of the malware is to patch the point of sales system libraries, allowing it to collect the data transmitted by the software. The code will look for the location of a particular set of libraries in order to apply the patch thus overwriting the original code.

Log strings referring the patch applied by the malware.

With the patch in place, the malware collects the data from TRACK2, such as the account number, expiration date, in addition to other cardholder information needed to perform fraudulent transactions. The PIN is never captured by the malware, since is not needed as we will see later.

Using DAPHNE and GPShell to manage your Smart Card
After the information is exfiltrated to the C2 server, it’s read to be sold in the blackmarket as a package. The criminals provide access to a tool called Daphne ,which is responsible for managing the credit card information acquired and ultimately writing it to the cloned cards.

The Daphne “client” has the option to choose which type of card it wants to write, debit or credit; then the information will be validated on the server only to be written to the card once all necessary tests are passed. The new card, which is connected to the smart card writer, will receive the new information via GPShell scripts in charge of setting up the card’s structure and creating the “golden card”.

Function to write the card data as credit or debit, or just copy the information to the clipboard.

After using the card, the criminal is able to keep track of how much money is possible to withdraw. While we are not sure how this information is being used, Prilex’s business model encourages users to register which cards are valid and the amount that they have paid off. This could enable reselling the cards in other venues and charging differential prices depending on their status.

After a card stops working (marked as “dead”), the criminal will fill the information about how much money was stolen from that card, if any.

Since Daphne is designed as a client/server application, several individuals can query the same information at once, and all modifications on the cards are synchronized with a central database. This behavior enables crews to work on the same set of information, allowing the connected user to create a new card directly from the interface and allowing the tool to decide the best template to use and how to preset the card.

Do not panic, but your credit card might be running Java
The EMV standard and supporting technology is in fact a robust framework that can provide much more security than the traditional magnetic stripe. Unfortunately, due to a bad implementation of such technology, it’s possible for criminals to abuse it and clone an EMV supported card with information stolen from the victim.

However, this technique is not entirely new and also not specific to Brazil. We have seen the same TTPs in other malware families, being sold on underground forums and targeting banks in Europe and other countries in Latin America such as Mexico and Argentina

In addition, the tool has an option to communicate with Smart Card devices by using GPshell in order to create a fake card with the stolen information.

Commands sent to GPshell in order to check for a Smart Card.

The commands above are responsible for checking if the Smart Card can be accessed, and if so it will enable the option to write the information to the fake card. Some commands used here are not generic and not usually found on a normal transaction.

Since they cannot manipulate all the information of the ‘chip and PIN’ technical standard, they need to modify the application responsible for validating the transaction. In order to do that, they install a modified CAP file (JavaCard applet) to the Smart Card, then when the PoS tries to validate the PIN, it will always accept as well as bypass all other validation processes. Due to the fact that most of the payment operators do not perform all validations as required by the EMV standard, the criminals are able to exploit this vulnerability within the process in advantage of their operation.

Commands used to install the malicious CAP file to the Smart Card.

Furthermore, GPshell sends commands to replace the PSE (Payment System Environment) by deleting the original one and installing a malicious counterpart. After that, the Smart Card just needs the stolen information to be written and it will be ready to use on PoS devices.

Commands sent to the card to write all data.

In this step, the script executed by GPShell contains all the necessary information in order for the point of sales terminal to perform the payment operation. The given script contains data extracted from original cards that are necessary to perform the authorization with the card operator.

One of the most relevant data written by this script is the Application Interchange Profile, changed in order to enable Static Data Authentication (SDA) and Signed Static Application Data (SSAD). This section contains the data signed by the card issuer that should be validated to guarantee that the information from the card was not counterfeited. However, the issuer has to decide which data should be protected by the signed information and based on our research, we found that most of the cards only have the Application Interchange Profile data signed, making the SSAD data valid even with a modified TRACK2 and a different cardholder’s name.

Getting the hardware and the blank cards is not as difficult as it sounds
Buying the equipment is quite cheap and surprisingly easy. To perform the attack, criminals just need to have a Smart Card Reader/Writer and some empty smart cards. Everything can be easily found online and since those tools can also be used in a legitimate way, there is no problem buying it.

JCop cards costing around $15 USD.

A basic reader/writer can be bought for less than $15 USD.

As we can see, the necessary equipment can be acquired by less than $30 USD, making it really affordable and easy for everyone to buy (not that anyone should!).

Smart Cards, the EMV standard, and the Brazilian carding scene
Industry reports, such as The Nilson Report, states that credit card fraud in 2016 has represented losses of $22.80 billion USD worldwide. And by 2020, card fraud worldwide is expected to total $31.67 billion USD.

Since that day in 1994, where Europay, MasterCard, and Visa developed this technology with the goal of ending fraud once and for all, several speed bumps have been found along the way, making theft and counterfeiting of payment card data more difficult for criminals in each iteration. It’s interesting to see how the liability of a fraud incident has been theoretically moved over the years from the customer, to the merchants, then to the bank; when in reality is the customer the one that always deals with the worst part of the story.

To be continued…
The crew behind the development of Prilex has demonstrated to be a highly versatile group, active since at least 2014 and still operating, targeting primarily Brazilian users and institutions. The motivation behind each of their campaigns has been repeatedly proven as solely monetary, given their preference for targets in the financial or retail industry.

Luckily, the banks and operators in Brazil have been investing a lot in technologies to improve their systems and avoid fraudulent transactions, allowing them to identify those techniques and preparing them for what’s to come. However, some countries in Latin America are not as evolved when it comes to credit card technologies and still rely on plain old magnetic stripe cards. Other countries are just starting to actively implement chip-and-pin authentication measures and have become a desirable target for criminals due to the overall lack of expertise regarding this technology.

The evolution of their code, while not technically notable, has been apparently sufficient in maintaining a constant revenue stream by slowly perfecting their business model and customer applications. The discovery of “Daphne”, a module to make use of the ill-gotten financial information and their affiliate scheme, suggests that this is a “customer oriented” group, with many levels in their chain of development; resembling what we have seen for example in the popular ATM malware Ploutus and other jackpotting operations.

This modularization, in their source code as well as their business model, constitutes Prilex as a serious threat to the financial industry, currently confined to the territory of Brazil with the uncertainty of how long it will take before it expands its operations to other regions.

IOCs
7ab092ea240430f45264b5dcbd350156 Trojan.Win32.Prilex.b
34fb450417471eba939057e903b25523 Trojan.Win32.Prilex.c
26dcd3aa4918d4b7438e8c0ebd9e1cfd Trojan.Win32.Prilex.h
f5ff2992bdb1979642599ee54cfbc3d3 Trojan.Win32.Prilex.f
7ae9043778fee965af4f8b66721bdfab Trojan.Win32.Prilex.m


Time of death? A therapeutic postmortem of connected medicine
18.3.2018 Kaspersky Incindent

#TheSAS2017 presentation: Smart Medicine Breaches Its “First Do No Harm” Principle

At last year’s Security Analyst Summit 2017 we predicted that medical networks would be a titbit for cybercriminals. Unfortunately, we were right. The numbers of medical data breaches and leaks are increasing. According to public data, this year is no exception.

For a year we have been observing how cybercriminals encrypt medical data and demand a ransom for it. How they penetrate medical networks and exfiltrate medical information, and how they find medical data on publicly available medical resources.

The number of medical data breaches and leaks per year (source: HIPAA Journal)

Opened doors in medical networks
To find a potential entry point into medical infrastructure, we extract the IP ranges of all organizations that have the keywords “medic”, “clinic”, “hospit”, “surgery” and “healthcare” in the organization’s name, then we start the masscan (port scanner) and parse the specialized search engines (like Shodan and Censys) for publicly available resources of these organizations.

Masscan report extract

Of course, medical perimeters contain a lot of trivial opened ports and services: like web-server, DNS-server, mail-server etc. And you know that’s just the tip of the iceberg. The most interesting part is the non-trivial ports. We left out trivial services, because as we mentioned in our previous article those services are out of date and need to be patched. For example, the web applications of electronic medical records that we found on the perimeters in most cases were out of date.

The most popular ports are the tip of the iceberg. The most interesting part is the non-trivial ports.

The most popular opened ports on medical perimeters (18,723 live hosts; 27,716 opened ports)

Using ZTag tool and Censys, we identify what kinds of services are hidden behind these ports. If you try to look deeper in the embedded tag you will see different stuff: for example printers, SCADA-type systems, NAS etc.

Top services on medical network perimeters

Excluding these trivial things, we found Building Management systems that out of date. Devices using the Niagara Fox protocol usually operate on TCP ports 1911 and 4911. They allow us to gather information remotely from them, such as application name, Java version, host OS, time zone, local IP address, and software versions involved in the stack.

Example of extracted information about Niagara Fox service

Or printers that have a web interface without an authentication request. The dashboard available online and allows you to get information about internal Wi-Fi networks or, probably, it allows you to get info about documents that appeared in “Job Storage” logs.

Shodan told us that some medical organizations have an opened port 2000. It’s a smart kettle. We don’t know why, but this model of kettle is very popular in medical organizations. And they have publicly available information about a vulnerability that allows a connection to the kettle to be established using a simple pass and to extract info about the current Wi-Fi connection.

Medical infrastructure has a lot of medical devices, some of them portable. And devices like spirometers or blood pressure monitors support the MQTT protocol to communicate with other devices directly. One of the main components of the MQTT communication – brokers (see here for detailed information about components) are available through the Internet and, as a result, we can find some medical devices online.

Not only Smart Home components, but also medical devices are available via MQTT Spirometer

Threats that affect medical networks
OK, now we know how they get in. But what’s next? Do they search for personal data, or want to get some money with a ransom or maybe something else? Money? It’s possible… anything is possible. Let’s take a look at some numbers that we collected during 2017.

The statistics are a bit worrying. More than 60% of medical organizations had some kind of malware on their servers or computers. The good news is that if we count something here, it means we’ve deleted malware in the system.

Attacks detected in medical organizations, 2017

And there’s something even more interesting – organizations closely connected to hospitals, clinics and doctors, i.e. the pharmaceutical industry. Here we see even more attacks. The pharmaceutical industry means “money”, so it’s another titbit for attackers.

Attacks detected in pharmaceutical organizations, 2017

Let’s return to our patients. Where are all these attacked hospitals and clinics? Ok, here we the numbers are relative: we divided the number of devices in medical organizations in the country with our AV by the number of devices where we detected malicious code. The TOP 3 were the Philippines, Venezuela and Thailand. Japan, Saudi Arabia and Mexico took the last three spots in the TOP 15.

So the chances of being attacked really depend on how much money the government spends on cybersecurity in the public sector and the level of cybersecurity awareness.

Attacked devices in medical organizations, TOP 15 countries

In the pharmaceutical industry we have a completely different picture. First place belongs to Bangladesh. I googled this topic and now the stats look absolutely ok to me. Bangladesh exports meds to Europe. In Morocco big pharma accounts for 14% of GDP. India, too, is in the list, and even some European countries are featured.

Attacked devices in pharmaceutical organizations, TOP 15 countries

On one in ten devices and in more than 25% of medical and 10% of pharmaceutical companies we detected hacktools: pentesting tools like Mimikatz, Meterpreter, tweaked remote administration kits, and so on.

Which means that either medical organizations are very mature in terms of cybersecurity and perform constant audits of their own infrastructure using red teams and professional pentesters, or, more likely, their networks are infested with hackers.

Hacktools: Powerpreter, Meterpreter, Remote admin, etc.

APT
Our research showed that APT actors are interested in information from pharmaceutical organizations. We were able to identify victims in South East Asia, or more precisely, in Vietnam and Bangladesh. The criminals had targeted servers and used the infamous PlugX malware or Cobalt Strike to exfiltrate data.

PlugX RAT, used by Chinese-speaking APT actors, allows criminals to perform various malicious operations on a system without the user’s knowledge or authorization, including but not limited to copying and modifying files, logging keystrokes, stealing passwords and capturing screenshots of user activity. PlugX, as well as Cobalt Strike, is used by cybercriminals to discreetly steal and collect sensitive or profitable information. During our research we were unable to track the initial attack vectors, but there are signs that they could be attacks exploiting vulnerable software on servers.

Taking into account the fact that hackers placed their implants on the servers of pharmaceutical companies, we can assume they are after intellectual property or business plans.

How to live with it
Remove all nodes that process medical data from public
Periodically update your installed software and remove unwanted applications
Refrain from connecting expensive equipment to the main LAN of your organization


VMware addresses a DoS flaw in Workstation and Fusion products
18.3.2018 securityaffairs
Vulnerebility

VMware has addressed a denial-of-service (DoS) vulnerability, tracked as CVE-2018-6957, in its Workstation 12.x and 14.x and Fusion 10.1.1. and 10.x on OS X products.
The affected VMware solutions can be attacked by opening a large number of VNC sessions. The DoS vulnerability was discovered by Lilith Wyatt of Cisco Talos, the flaw could be exploited on Workstation and Fusion only if the VNC has been manually enabled.

VNC implementation in VMware solutions is used for remote management purposes.

“VMware Workstation and Fusion contain a denial-of-service vulnerability which can be triggered by opening a large number of VNC sessions.” reads the security advisory published by VMware.

The company issued the security patches in Workstation 14.1.1 and Fusion 10.1.1., VMware also shared details about a workaround for Workstation 12.x and Fusion 8.x releases that involves setting a password for the VNC connection.

While VMware has classified the vulnerability as “important,” Cisco Talos has ranked it as a “high severity” flaw and assigned it a CVSS score of 7.5.

Experts at Cisco Talos confirmed that an attacker can trigger the flaw on a targeted server and cause the virtual machine to shut down by opening a large number of VNC sessions.

“Since the VMware VNC server is naturally multi-threaded, there are locks and semaphores and mutexes to deal with shared variables.” reads the advisory published by Talos.

“The VNC server also maintains a global variable that indicates the amount of locks that are currently used, that is incremented by certain events.”

VMware

Talos published the Proof-of-Concept exploit code:

# There are obviously better ways to do this
for x in `seq 0 $(( 0xffffff/2 ))`; do echo “doop” | ncat <targetIP> <VNCPort>; done
“Regardless, the important thing to note here is that the incrementing instruction (lock xadd cs:MxLockCounter, eax😉 is the only cross-reference to the MxLockCounter global variable, meaning it never gets decremented.” continues Talos.

“Thus, as long as and attacker can initiate a bunch of TCP connection to the VNC server (each successful connection increments it twice), without even sending any other datagrams, an attacker can eventually shutdown the connected virtual machine.”

Below the timeline for the flaw:

2017-07-13 – Vendor Disclosure
2018-03-15 – Public Release


Hackers awarded $267,000 at Pwn2Own 2018, was far less than in the past editions
18.3.2018 securityaffairs Congress

At Pwn2Own 2018 the hackers received a total of $267,000, it was far less than in the past editions, but the quality of research was amazing.
The popular hacking competition Pwn2Own is concluded, let’s see how much hackers earned and which applications they have successfully pwned.

White hat hackers have earned a total of $267,000 at Pwn2Own 2018 competition for exploits targeting Microsoft Edge, Apple Safari, Oracle VirtualBox and Mozilla Firefox.

This year the popular competition organized by TrendMicro Zero Day Initiative was sponsored by Microsoft and sponsor VMware.

The overall prize pool announced by ZDI was $2 million, but only a total of $267,000 was awarded by the hackers.

The overall amount was less than in the past years, in 2017 white hackers earned $833,000, $460,000 in 2016) and $552,500 in 2015.

“Overall, we awarded $267,000 over the two-day contest while acquiring five Apple bugs, four Microsoft bugs, two Oracle bugs, and one Mozilla bug.” states the organization.

“While smaller than some of our previous competitions, the quality of research was still extraordinary and highlights the difficulty in producing fully-functioning exploit for modern browsers and systems.”

On the first day, hackers earned a total of $162,000 USD and 16 points towards Master of Pwn. The white hat hacker Richard Zhu, aka fluorescence, failed to hack Safari, but he successfully used an exploit chain against Edge earning $70,000.

The hacker Niklas Baumstark from the Phoenhex team was awarded with $27,000 for hacking VirtualBox and the expert Samuel Groß, aka saelo, of Phoenhex received $65,000 for hacking Safari.

“The first day of Pwn2Own 2018 has come to a close, and so far, we’ve awarded $162,000 USD and 16 points towards Master of Pwn. Today saw 2 successful attempts, 1 partial success, and 1 failure. In total, we purchased 3 Apple bugs, 2 Oracle bugs, and 3 Microsoft bugs.” states the official site of the competition.

PWN2OWN 2018

On the second day, the hackers earned a total of $105,000 USD and 11 more Master of Pwn points awarded.

Richard Zhu earned $50,000 for hacking Firefox with a Windows kernel EoP. He chained an out-of-bounds (OOB) write in the browser followed by an integer overflow in the Windows kernel.

Zhu was the star of the Pwn2Own 2018, he won the Master of Pwn award this year receiving a total of $120,000 and 65,000 ZDI reward points worth roughly $25,000.

“The day started with the return of Richard Zhu (fluorescence), this time targeting Mozilla Firefox with a Windows kernel EoP. He eschewed all drama today and successfully popped Mozilla Firefox on his first attempt.” states the post published on Day 2 of the Pwn2Own 2018.

“He used an out-of-bounds (OOB) write in the browser followed by an integer overflow in the Windows kernel to earn himself another $50,000 and 5 more Master of Pwn points. This brings his event total to $120,000 and a commanding lead for Master of Pwn.”

On the same day, white hackers Markus Gaasedelen (gaasedelen), Nick Burnett (itszn13), and Patrick Biernat of Ret2 Systems, Inc. targeted Apple Safari with a macOS kernel EoP.

At the fourth attempt, they successfully demonstrated their exploit but Pwn2Own rules state that the exploit must be demonstrated in a maximum of three attempts.

They were not awarded but Zero Day Initiative (ZDI) did purchase the vulnerabilities and disclosed them to Apple.

The last entry for the day saw a team from MWR labs, composed of Alex Plaskett (AlaxJPlaskett), Georgi Geshev (munmap), and Fabi Beterke (pwnfl4k3s), successfully targeting Apple Safari with a sandbox escape.

The same team earned $55,000 for a Safari sandbox escape obtaining a heap buffer underflow in the browser and an uninitialized stack variable in macOS.


Chinese APT Group TEMP.Periscope targets US Engineering and Maritime Industries
18.3.2018 securityaffairs APT

The China-linked APT group Leviathan. aka TEMP.Periscope, has increased the attacks on engineering and maritime entities over the past months.
Past attacks conducted by the group aimed at targets connected to South China Sea issues, most of them were research institutes, academic organizations, and private firms in the United States.

The group has also targeted professional/consulting services, high-tech industry, healthcare, and media/publishing. Most of the identified victims were in the United States, some of them located in Europe and at least one in Hong Kong.

“The campaign is linked to a group of suspected Chinese cyber espionage actors we have tracked since 2013, dubbed TEMP.Periscope. The group has also been reported as “Leviathan” by other security firms.” reads the analysis published by security firm FireEye.

“The current campaign is a sharp escalation of detected activity since summer 2017. Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit.”

The researchers confirmed that the tactics, techniques, and procedures (TTPs) and the targets of the TEMP.Periscope overlap with ones both TEMP.Jumper and NanHaiShu APT groups.

Researchers at FireEye observed a spike in the activity of TEMP.Periscope that was also associated with the use of a broad range of tools commonly used by other Chinese threat actors.

The arsenal of the crew includes backdoors, reconnaissance tools, webshells, and file stealers.

A first backdoor dubbed BADFLICK, could be used to modify the file system of the infected system, establish a reverse shell, and modifying the command-and-control configuration.

Another backdoor used by the group is dubbed Airbreak, which is a JavaScript-based backdoor (aks “Orz”) that retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services.

TEMP.Periscope

Other malware is described in the post published by FireEye.

“PHOTO: a DLL backdoor also reported publicly as “Derusbi”, capable of obtaining directory, file, and drive listing; creating a reverse shell; performing screen captures; recording video and audio; listing, terminating, and creating processes; enumerating, starting, and deleting registry keys and values; logging keystrokes, returning usernames and passwords from protected storage; and renaming, deleting, copying, moving, reading, and writing to files.” continues the analysis.

“HOMEFRY: a 64-bit Windows password dumper/cracker that has previously been used in conjunction with AIRBREAK and BADFLICK backdoors. Some strings are obfuscated with XOR x56.”

The crews also used the Lunchmoney tool that exfiltrates files to Dropbox and the Murkytop command-line reconnaissance tool.

Recently the group used the China Chopper, a code injection webshell that executes Microsoft .NET code within HTTP POST commands.

The group targeted victims with spear-phishing messaged that use weaponized documents attempting to exploit the CVE-2017-11882 vulnerability to deliver malicious code.

“The current wave of identified intrusions is consistent with TEMP.Periscope and likely reflects a concerted effort to target sectors that may yield information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations,” FireEye concludes.

Further details, including the Indicators of Compromise are reported in the analysis published by FireEye.


Behavior monitoring combined with machine learning spoils a massive Dofoil coin mining campaign
17.3.2018 Microsoft
Computer Attack blog
in Windows, Windows Defender Advanced Threat Protection, Endpoint Security, Incident Response, Threat Protection, Research
Update: Further analysis of this campaign points to a poisoned update for a peer-to-peer (P2P) application. For more information, read Poisoned peer-to-peer app kicked off Dofoil coin miner outbreak.

Just before noon on March 6 (PST), Windows Defender Antivirus blocked more than 80,000 instances of several sophisticated trojans that exhibited advanced cross-process injection techniques, persistence mechanisms, and evasion methods. Behavior-based signals coupled with cloud-powered machine learning models uncovered this new wave of infection attempts. The trojans, which are new variants of Dofoil (also known as Smoke Loader), carry a coin miner payload. Within the next 12 hours, more than 400,000 instances were recorded, 73% of which were in Russia. Turkey accounted for 18% and Ukraine 4% of the global encounters.

Figure 1: Windows Defender ATP machine timeline view with Windows Defender Exploit Guard event

Figure 1: Windows Defender ATP machine timeline view with Windows Defender Exploit Guard event

Figure 1: Geographic distribution of the Dofoil attack components

Windows Defender AV initially flagged the attack’s unusual persistence mechanism through behavior monitoring, which immediately sent this behavior-based signal to our cloud protection service.

Within milliseconds, multiple metadata-based machine learning models in the cloud started blocking these threats at first sight.
Seconds later, our sample-based and detonation-based machine learning models also verified the malicious classification. Within minutes, detonation-based models chimed in and added additional confirmation.
Within minutes, an anomaly detection alert notified us about a new potential outbreak.
After analysis, our response team updated the classification name of this new surge of threats to the proper malware families. People affected by these infection attempts early in the campaign would have seen blocks under machine learning names like Fuery, Fuerboos, Cloxer, or Azden. Later blocks show as the proper family names, Dofoil or Coinminer.
Windows 10, Windows 8.1, and Windows 7 users running Windows Defender AV or Microsoft Security Essentials are all protected from this latest outbreak.

Figure 2. Layered machine learning defenses in Windows Defender AV

Figure 2. Layered machine learning defenses in Windows Defender AV

Artificial intelligence and behavior-based detection in Windows Defender AV has become one of the mainstays of our defense system. The AI-based pre-emptive protection provided against this attack is similar to how layered machine learning defenses stopped an Emotet outbreak last month.

Code injection and coin mining
Dofoil is the latest malware family to incorporate coin miners in attacks. Because the value of Bitcoin and other cryptocurrencies continues to grow, malware operators see the opportunity to include coin mining components in their attacks. For example, exploit kits are now delivering coin miners instead of ransomware. Scammers are adding coin mining scripts in tech support scam websites. And certain banking trojan families added coin mining behavior.

The Dofoil campaign we detected on March 6 started with a trojan that performs process hollowing on explorer.exe. Process hollowing is a code injection technique that involves spawning a new instance of legitimate process (in this case c:\windows\syswow64\explorer.exe) and then replacing the legitimate code with malware.

Figure 3. Windows Defender ATP detection for process hollowing (SHA-256: d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d, detected by Windows Defender AV as TrojanDownloader:Win32/Dofoil.AB)

The hollowed explorer.exe process then spins up a second malicious instance, which drops and runs a coin mining malware masquerading as a legitimate Windows binary, wuauclt.exe.

Figure 4. Windows Defender ATP detection for coin mining malware (SHA-256: 2b83c69cf32c5f8f43ec2895ec9ac730bf73e1b2f37e44a3cf8ce814fb51f120, detected by Windows Defender AV as Trojan:Win32/CoinMiner.D)

Even though it uses the name of a legitimate Windows binary, it’s running from the wrong location. The command line is anomalous compared to the legitimate binary. Additionally, the network traffic from this binary is suspicious.

Windows Defender ATP alert process tree showing anomalous IP communicationsFigure

5. Windows Defender ATP alert process tree showing anomalous IP communications

Windows Defender ATP showing suspicious network activity

Windows Defender ATP showing suspicious network activity

Figure 6. Windows Defender ATP showing suspicious network activity

Windows Defender ATP alert process tree

Windows Defender ATP alert process treeFigure 7. Windows Defender ATP alert process tree showing hollowed explorer.exe process making suspicious connections

Dofoil uses a customized mining application. Based on its code, the coin miner supports NiceHash, which means it can mine different cryptocurrencies. The samples we analyzed mined Electroneum coins.

Persistence
For coin miner malware, persistence is key. These types of malware employ various techniques to stay undetected for long periods of time in order to mine coins using stolen computer resources.

To stay hidden, Dofoil modifies the registry. The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe. It then creates a registry key or modifies an existing one to point to the newly created malware copy. In the sample we analyzed, the malware modified the OneDrive Run key.
Windows Defender ATP alert process tree showing creation of new malware process

Windows Defender ATP alert process tree showing creation of new malware process

Figure 8. Windows Defender ATP alert process tree showing creation of new malware process (SHA-256: d191ee5b20ec95fe65d6708cbb01a6ce72374b309c9bfb7462206a0c7e039f4d) and registry modification

Command-and-control communication
Dofoil is an enduring family of trojan downloaders. These connect to command and control (C&C) servers to listen for commands to download and install malware. In the March 6 campaign, Dofoil’s C&C communication involves the use of the decentralized Namecoin network infrastructure .

The hollowed explorer.exe process writes and runs another binary, D1C6.tmp.exe (SHA256: 5f3efdc65551edb0122ab2c40738c48b677b1058f7dfcdb86b05af42a2d8299c) into the Temp folder. D1C6.tmp.exe then drops and executes a copy of itself named lyk.exe. Once running, lyk.exe connects to IP addresses that act as DNS proxy servers for the Namecoin network. It then attempts to connect to the C&C server vinik.bit inside the NameCoin infrastructure. The C&C server commands the malware to connect or disconnect to an IP address; download a file from a certain URL and execute or terminate the specific file; or sleep for a period of time.

 Windows Defender ATP alert process tree showing creation of the temporary file, D1C6.tmp.exe

Figure 9. Windows Defender ATP alert process tree showing creation of the temporary file, D1C6.tmp.exe (SHA256: 5f3efdc65551edb0122ab2c40738c48b677b1058f7dfcdb86b05af42a2d8299c)

 

Figure 10. Windows Defender ATP alert process tree showing lyk.exe connecting to IP addresses

Stay protected with Windows 10
With the rise in valuation of cryptocurrencies, cybercriminal groups are launching more and more attacks to infiltrate networks and quietly mine for coins.

Windows Defender AV’s layered approach to security, which uses behavior-based detection algorithms, generics, and heuristics, as well as machine learning models in both the client and the cloud, provides real-time protection against new threats and outbreaks.

As demonstrated, Windows Defender Advanced Threat Protection (Windows Defender ATP) flags malicious behaviors related to installation, code injection, persistence mechanisms, and coin mining activities. Security operations can use the rich detection libraries in Windows Defender ATP to detect and respond to anomalous activities in the network. Windows Defender ATP also integrates protections from Windows Defender AV, Windows Defender Exploit Guard, and Windows Defender Application Guard, providing a seamless security management experience.

Windows 10 S, a special configuration of Windows 10, helps protect against coin miners and other threats. Windows 10 S works exclusively with apps from the Microsoft Store and uses Microsoft Edge as the default browser, providing Microsoft verified security.


Ex-Hacker Adrian Lamo Dies at Age 37
17.3.2018 thehackernews Crime

Adrian Lamo, the hacker who tipped off the FBI about Wikileaks whistleblower Chelsea Manning, dies at the age of 37, according to a Facebook post by his father Mario Lamo-Jiménez.
"With great sadness and a broken heart I have to let know all of Adrian's friends and acquaintances that he is dead. A bright mind and compassionate soul is gone, he was my beloved son..." he posted.
At this moment the cause of death is unknown, though reportedly Adrian was diagnosed with Asperger Syndrome in July 2010 and briefly hospitalized.
Adrian was a former hacker, threat analyst, and writer, who had previously been behind several high-profile security breaches but gained headlines after breaking into The New York Times computer systems in 2002.


Adrian was given the appellation "Homeless Hacker" by the media because once when he was unemployed he wandered the country by Greyhound bus and hacked corporations from inside abandoned buildings.
He spent almost six months on home detention and studied journalism before becoming a threat analyst.
When former US Army intelligence analyst Chelsea Manning (then Bradley Manning) read about his hacking profile in Wired magazine, Manning contacted him, and the pair started exchanging messages online.
Manning found Adrian a "kindred spirit" and told him about his role as an informer for WikiLeaks and how he leaked the most controversial combat video footage of a helicopter shooting unarmed Iraqi civilians and 260,000 classified diplomatic cables to the whistleblowing website.
However, Adrian then decided to report him and informed the US military of the breach. In an interview with the Guardian in 2013, Adrian defended his decision to turn Chelsea over to the FBI and said:
"There were no right choices that day, only less wrong ones. It was cold, it was needful, and it was no one's to make except mine. I couldn't just do anything, knowing lives were in danger, it's classified information, and when you play Russian roulette, how do you know there's not a bullet in the next chamber?"
"Choosing to interdict a man's freedom knowing it could mean his life, is something that's easy to judge but can only really be understood by living it."
Manning was arrested in May 2010 and sentenced to 35 years in prison for leaking classified documents, though her sentence was later reduced by President Barack Obama, and she was set free last year.


Trojanized BitTorrent Software Update Hijacked 400,000 PCs Last Week
17.3.2018 thehackernews
Virus

A massive malware outbreak that last week infected nearly half a million computers with cryptocurrency mining malware in just a few hours was caused by a backdoored version of popular BitTorrent client called MediaGet.
Dubbed Dofoil (also known as Smoke Loader), the malware was found dropping a cryptocurrency miner program as payload on infected Windows computers that mine Electroneum digital coins for attackers using victims' CPU cycles.
Dofoil campaign that hit PCs in Russia, Turkey, and Ukraine on 6th March was discovered by Microsoft Windows Defender research department and blocked the attack before it could have done any severe damages.


At the time when Windows Defender researchers detected this attack, they did not mention how the malware was delivered to such a massive audience in just 12 hours.
However, after investigation Microsoft today revealed that the attackers targeted the update mechanism of MediaGet BitTorrent software to push its trojanized version (mediaget.exe) to users' computers.
"A signed mediaget.exe downloads an update.exe program and runs it on the machine to install a new mediaget.exe. The new mediaget.exe program has the same functionality as the original but with additional backdoor capability," the researchers explain in a blog post published today.
Researchers believe MediaGet that signed update.exe is likely to be a victim of the supply chain attack, similar to CCleaner hack that infected over 2.3 million users with the backdoored version of the software in September 2017.

Also, in this case, the attackers signed the poisoned update.exe with a different certificate and successfully passed the validation required by the legitimate MediaGet.
"The dropped update.exe is a packaged InnoSetup SFX which has an embedded trojanized mediaget.exe, update.exe. When run, it drops a trojanized unsigned version of mediaget.exe."
Once updated, the malicious BitTorrent software with additional backdoor functionality randomly connects to one (out of four) of its command-and-control (C&C) servers hosted on decentralized Namecoin network infrastructure and listens for new commands.


It then immediately downloads CoinMiner component from its C&C server, and start using victims' computers mine cryptocurrencies for the attackers.
Using C&C servers, attackers can also command infected systems to download and install additional malware from a remote URL.
The researchers found that the trojanized BitTorrent client, detected by Windows Defender AV as Trojan:Win32/Modimer.A, has 98% similarity to the original MediaGet binary.
Microsoft says behavior monitoring and AI-based machine learning techniques used by its Windows Defender Antivirus software have played an important role to detect and block this massive malware campaign.


Warning – 3 Popular VPN Services Are Leaking Your IP Address
17.3.2018 thehackernews
Vulnerebility

Researchers found critical vulnerabilities in three popular VPN services that could leak users' real IP addresses and other sensitive data.
VPN, or Virtual Private Network, is a great way to protect your daily online activities that work by encrypting your data and boosting security, as well as useful to obscure your actual IP address.
While some choose VPN services for online anonymity and data security, one major reason many people use VPN is to hide their real IP addresses to bypass online censorship and access websites that are blocked by their ISPs.
But what if when the VPN you thought is protecting your privacy is actually leaking your sensitive data and real location?
A team of three ethical hackers hired by privacy advocate firm VPN Mentor revealed that three popular VPN service providers—HotSpot Shield, PureVPN, and Zenmate—with millions of customers worldwide were found vulnerable to flaws that could compromise user's privacy.
The team includes application security researcher Paulos Yibelo, an ethical hacker known by his alias 'File Descriptor' and works for Cure53, and whereas, the identity of third one has not been revealed on demand.
PureVPN is the same company who lied to have a 'no log' policy, but a few months ago helped the FBI with logs that lead to the arrest of a Massachusetts man in a cyberstalking case.
After a series of privacy tests on the three VPN services, the team found that all three VPN services are leaking their users' real IP addresses, which can be used to identify individual users and their actual location.
Concerning consequences for end users, VPN Mentor explains that the vulnerabilities could "allow governments, hostile organizations [sic], or individuals to identify the actual IP address of a user, even with the use of the VPNs."
The issues in ZenMate and PureVPN have not been disclosed since they haven't yet patched, while VPN Mentor says the issues discovered in ZenMate VPN were less severe than HotSpot Shield and PureVPN.
The team found three separate vulnerabilities in AnchorFree's HotSpot Shield, which have been fixed by the company. Here's the list:
Hijack all traffic (CVE-2018-7879) — This vulnerability resided in Hotspot Shield’s Chrome extension and could have allowed remote hackers to hijack and redirect victim's web traffic to a malicious site.
DNS leak (CVE-2018-7878) — DNS leak flaw in Hotspot Shield exposed users' original IP address to the DNS server, allowing ISPs to monitor and record their online activities.
Real IP Address leak (CVE-2018-7880) — This flaw poses a privacy threat to users since hackers can track user's real location and the ISP. the issue occurred because the extension had a loose whitelist for "direct connection." Researchers found that any domain with localhost, e.g., localhost.foo.bar.com, and 'type=a1fproxyspeedtest' in the URL bypass the proxy and leaks real IP address.
Here it must be noted that all the three vulnerabilities were in the HotSpot Shield's free Chrome plug-in, not in the desktop or smartphone apps.
The researchers also reported similar vulnerabilities in the Chrome plugins of Zenmate and PureVPN, but for now, the details of the bugs are being kept under wraps since both the manufacturers have not yet fixed them.
Researchers believe that most other VPN services also suffer from similar issues.


Pre-Installed Malware Found On 5 Million Popular Android Phones
17.3.2018 thehackernews Android

Security researchers have discovered a massive continuously growing malware campaign that has already infected nearly 5 million mobile devices worldwide.
Dubbed RottenSys, the malware that disguised as a 'System Wi-Fi service' app came pre-installed on millions of brand new smartphones manufactured by Honor, Huawei, Xiaomi, OPPO, Vivo, Samsung and GIONEE—added somewhere along the supply chain.
All these affected devices were shipped through Tian Pai, a Hangzhou-based mobile phone distributor, but researchers are not sure if the company has direct involvement in this campaign.
According to Check Point Mobile Security Team, who uncovered this campaign, RottenSys is an advanced piece of malware that doesn't provide any secure Wi-Fi related service but takes almost all sensitive Android permissions to enable its malicious activities.
"According to our findings, the RottenSys malware began propagating in September 2016. By March 12, 2018, 4,964,460 devices were infected by RottenSys," researchers said.
To evade detection, the fake System Wi-Fi service app comes initially with no malicious component and doesn’t immediately start any malicious activity.
Instead, RottenSys has been designed to communicate with its command-and-control servers to get the list of required components, which contain the actual malicious code.
RottenSys then downloads and installs each of them accordingly, using the "DOWNLOAD_WITHOUT_NOTIFICATION" permission that does not require any user interaction.
Hackers Earned $115,000 in Just Last 10 Days

At this moment, the massive malware campaign pushes an adware component to all infected devices that aggressively displays advertisements on the device’s home screen, as pop-up windows or full-screen ads to generate fraudulent ad-revenues.
"RottenSys is an extremely aggressive ad network. In the past 10 days alone, it popped aggressive ads 13,250,756 times (called impressions in the ad industry), and 548,822 of which were translated into ad clicks," researchers said.
According to the CheckPoint researchers, the malware has made its authors more than $115,000 in the last 10 days alone, but the attackers are up to "something far more damaging than simply displaying uninvited advertisements."
Since RottenSys has been designed to download and install any new components from its C&C server, attackers can easily weaponize or take full control over millions of infected devices.
The investigation also disclosed some evidence that the RottenSys attackers have already started turning millions of those infected devices into a massive botnet network.
Some infected devices have been found installing a new RottenSys component that gives attackers more extensive abilities, including silently installing additional apps and UI automation.
"Interestingly, a part of the controlling mechanism of the botnet is implemented in Lua scripts. Without intervention, the attackers could re-use their existing malware distribution channel and soon grasp control over millions of devices," researchers noted.
This is not the first time when CheckPoint researchers found top-notch brands affected with the supply chain attack.
Last year, the firm found smartphone belonging to Samsung, LG, Xiaomi, Asus, Nexus, Oppo, and Lenovo, infected with two pieces of pre-installed malware (Loki Trojan and SLocker mobile ransomware) designed to spy on users.
How to Detect and Remove Android Malware?
To check if your device is being infected with this malware, go to Android system settings→ App Manager, and then look for the following possible malware package names:
com.android.yellowcalendarz (每日黄历)
com.changmi.launcher (畅米桌面)
com.android.services.securewifi (系统WIFI服务)
com.system.service.zdsgt
If any of above is in the list of your installed apps, simply uninstall it.


Plugins for Popular Text Editors Could Help Hackers Gain Elevated Privileges
17.3.2018 thehackernews Hacking

Whether you're a developer, designer or a writer, a good text editor always help you save time and make you work more efficiently.
For example, I use Sublime a lot while programming because it includes some useful tools like 'syntax highlighting' and 'autocomplete' that every advanced text editor should have.
Moreover, these advanced text editors also offer users extensibility, allowing users to install and run third-party plugins to extend the editor's functionality and most importantly its scope.
However, it's a known fact that third-party plugins always pose a significant risk of hacking, whether it's about WordPress plugins or Windows' extensions for Chrome, Firefox or Photoshop.
SafeBreach researcher Dor Azouri analyzed several popular extensible text editors for Unix and Linux systems, including Sublime, Vim, Emacs, Gedit, and pico/nano, and found that except for pico/nano, all of them are vulnerable to a critical privilege escalation flaw that could be exploited by attackers to run malicious code on a victims’ machines.
"This method succeeds regardless of the file being opened in the editor, so even limitations commonly applied on sudo commands might not protect from it," the paper reads [pdf]
"Technical users will occasionally need to edit root-owned files, and for that purpose they will open their editor with elevated privileges, using ‘sudo.’ There are many valid reasons to elevate the privileges of an editor."
The issue resides in the way these text editors load plugins. According to the researcher, there's inadequate separation of regular and elevated modes when loading plugins for these editors.
Their folder permissions integrity is not maintained correctly, which opens the door for attackers with regular user permissions to elevate their privileges and execute arbitrary code on the user's machine.
A simple malvertising campaign could allow attackers spread malicious extension for vulnerable text editors, enabling them to run malicious code with elevated privileges, install malware and remotely take full control of targeted computers.
Azouri suggests Unix users can use an open-source host-based intrusion detection system, called OSSEC, to actively monitoring system activity, files integrity, logs, and processes.
Users should avoid loading 3rd-party plugins when the editor is elevated and also deny write permissions for non-elevated users.
Azouri advised developers of text editors to change the folders and file permission models to complete the separation between regular and elevated modes and if possible, provide a manual interface for users to approve the elevated loading of plugins.


China-linked Hackers Target Engineering and Maritime Industries
17.3.2018 securityweek  CyberSpy

A China-related cyberespionage group that has been active for half a decade has increased its attacks on engineering and maritime entities over the past months, FireEye reports.

Referred to as Leviathan or TEMP.Periscope, the group has been historically interested in targets connected to South China Sea issues, which hasn't changed in the recently observed attacks. Targets include research institutes, academic organizations, and private firms in the United States.

“The current campaign is a sharp escalation of detected activity since summer 2017. Like multiple other Chinese cyber espionage actors, TEMP.Periscope has recently re-emerged and has been observed conducting operations with a revised toolkit,” FireEye says.

Over the years, the group has also shown interest in professional/consulting services, high-tech industry, healthcare, and media/publishing. Most of the identified victims were in the United States, with some located in Europe and at least one in Hong Kong.

The group’s tactics, techniques, and procedures (TTPs), as well as its targets, overlap with those associated with the group called TEMP.Jumper, which in turn overlaps significantly with the NanHaiShu group.

The recently observed spike in activity also revealed the use of a broad range of malware that other suspected Chinese groups also use. These tools include backdoors, reconnaissance tools, file stealers, and webshells.

The first of the backdoors is Airbreak, a JavaScript-based tool that retrieves commands from hidden strings in compromised webpages and actor controlled profiles on legitimate services.

A second backdoor is Badflick, which can modify the file system, generate a reverse shell, and modify its command and control (C&C) configuration.

Another similar piece of malware is Photo, a DLL backdoor that gets directory, file, and drive listing; creates a reverse shell; records the screen, video, and audio; lists, terminates, and creates processes; creates and modifies registry keys and values; logs keystrokes, returns usernames and passwords from protected storage; and can read, create, and modify files.

The group also used Homefry, a 64-bit Windows password dumper/cracker previously used along with the first two backdoors. Based on received commands, it can either display cleartext credentials for each login session, or can display cleartext credentials, NTLM hashes, and malware version for each login session.

Other tools employed by the hackers include Lunchmoney (which can exfiltrate files to Dropbox) and Murkytop, a command-line reconnaissance tool (which can execute files; move and delete files; schedule remote AT jobs; perform host discovery; scan for open ports in a connected network; and retrieve information about the operating system, users, groups, and shares on remote hosts).

In recent attacks, the group was also observed employing the China Chopper code injection webshell capable of executing Microsoft .NET code within HTTP POST commands (thus, it can upload and download files, execute applications, list directory contents, access Active Directory, access databases, and more).

Previously, the group used the Beacon backdoor (commercially available as part of the Cobalt Strike software platform), and the Blackcoffee backdoor that hides C&C communication as traffic to legitimate websites such as Github and Microsoft's Technet portal.

The group has been also observed using spear phishing emails; lure documents attempting to exploit CVE-2017-11882 to drop malware; stolen code signing certificates to sign their malware; bitsadmin.exe and PowerShell to download additional tools; and Windows Management Instrumentation (WMI) and Windows Shortcut files (.lnk) for persistence.

“The current wave of identified intrusions is consistent with TEMP.Periscope and likely reflects a concerted effort to target sectors that may yield information that could provide an economic advantage, research and development data, intellectual property, or an edge in commercial negotiations,” FireEye concludes.


Hackers can elevate privileges by hacking into popular text editors
17.3.2018 securityaffairs Hacking

Following recent string of attacks that exploit flawed plugins, researchers at SafeBreach examined 6 popular extensible text editors for unix systems.
Most of the modern text editors allow users to extend their functionalities by using third-party plugins, in this way they are enlarging their attack surface.

Third-party plugins could be affected by vulnerabilities that could be exploited by hackers to target our systems.

The situation is particularly severe in case the flaw affects a plugin for popular software such as WordPress or Windows’ extensions for Chrome, Firefox or Photoshop.

Dor Azouri, a researcher at SafeBreach, has analyzed several popular extensible text editors for both Unix and Linux systems discovered that except for pico/nano all of them are affected by a critical privilege escalation flaw.

“We examined several popular editors for unix environments. Our research shows how these text editors with third-party plugins can be used as another way to gain privilege escalation on a machine. This method succeeds regardless of the file being opened in the editor, so even limitations commonly applied on sudo commands might not protect from it.” states the blog post published by SafeBreach.

“The set of editors that were put to the test include: Sublime, Vim, Emacs, Gedit, pico/nano.”

Emacs text editors

An attacker can exploit the flaw to run malicious code on a victims’ machines running the vulnerable text editor.

“This method succeeds regardless of the file being opened in the editor, so even limitations commonly applied on sudo commands might not protect from it,” reads the paper published by the company.

“Technical users will occasionally need to edit root-owned files, and for that purpose they will open their editor with elevated privileges, using ‘sudo.’ There are many valid reasons to elevate the privileges of an editor.”

The vulnerability ties the way these text editors load plugins because they don’t properly separate regular and elevated modes when loading plugins.

Attackers with regular user permissions can access the folder permissions to elevate their privileges and execute arbitrary code on the user’s machine.

Azouri suggests Unix users use an open-source host-based intrusion detection system called OSSEC. Of course, users should avoid loading 3rd-party plugins when the editor is elevated and also deny write permissions for non-elevated users.

Below the full list of mitigations provided by the experts:

implement OSEC monitoring rules
deny write permisions for non-elevated users
change folders and file permission models to ensure separation between regular and elevated modes.
Prevent loading of 3rd party plugins when an editor is elevated.
Provide a manual interface to approve the elevated loading of plugins.


Počet kybernetických útoků na finanční podniky se za pět let ztrojnásobil

16.3.2018 Novinky/Bezpečnost Počítačový útok
Ve finančních službách se za posledních pět let celosvětově ztrojnásobil počet kybernetických útoků, vyplývá ze studie společností Accenture a Ponemon Institute. Pojišťovny začaly firmám i obyčejným uživatelům nabízet speciální pojištění kybernetických rizik. Česká policie se loni zabývala 6424 případy kybernetické kriminality, což je o 1080 případů více než v roce 2016.

"I když náklady na řešení kyberkriminality se u společností poskytujících finanční služby stále zvyšují, náš průzkum zjistil, že mají významně vyváženější a přiměřenější úroveň výdajů na klíčové bezpečnostní technologie k potírání sofistikovaných útoků než společnosti z jiných sektorů," uvedl Chris Thompson, který v Accenture Security vede sekci bezpečnosti finančních služeb.

To podle něj platí zejména při využívání automatizace, umělé inteligence nebo technologií strojového učení, což by mohlo být pro budoucí úsilí v oblasti kyberbezpečnosti zásadní.

Vyděračské viry
Podle bezpečnostní společnosti Eset byl rok 2017 rokem takzvaného ransomwaru. Jde o vyděračský software, který blokuje operační systém nebo šifruje data v něm obsažená a po uživateli pak vyžaduje výkupné za obnovení systému. Běžní uživatelé, ale i nadnárodní organizace museli čelit masivním útokům, jakými byly NotPetya nebo WannaCry.

Ransomware se ale nezaměřuje pouze na klasické počítače. Zneužívají ho i útočníci, kteří chtějí vydělat na vysoké popularitě mobilních zařízení a nejrozšířenějšího operačního systému Android, vysvětlil analytik Esetu Lukáš Štefanko.


Populární přehrávač Flash Player je opět děravý. Chybu mohou zneužít hackeři

16.3.2018 Novinky/Bezpečnost Zranitelnosti
V pořadí již druhou kritickou bezpečnostní chybu oblíbeného internetového přehrávače Flash Player musí během jediného měsíce řešit společnost Adobe. Trhlina otevírá v podstatě zadní vrátka do celého operačního systému. S instalací opravy by tak uživatelé neměli otálet.

Jednu kritickou chybu operačního systému řešila společnost Adobe už na začátku března.  

Sotva se třetí měsíc roku přehoupnul do druhé půlky, je tu v podstatě ta samá situace v bledě modrém. Flash Player opět obsahuje kritickou bezpečnostní trhlinu. S využitím chyby mohou piráti propašovat do cizího počítače prakticky jakýkoli virus.

Právě proto by uživatelé neměli s instalací nejnovější verze otálet. Stahovat záplatu je možné prostřednictvím automatických aktualizací daného programu nebo prostřednictvím stránek společnosti Adobe.

Častý terč útoků
Flash Player používá na celém světě několik stovek miliónů lidí. Právě kvůli velké popularitě se na něj zaměřují kybernetičtí nájezdníci pravidelně. Podle analýzy bezpečnostní společnosti Record Future cílilo osm z deseti nejrozšířenějších hrozeb v roce 2015 právě na tento přehrávač videí.

To je i jeden z hlavních důvodů, proč se společnost Adobe rozhodla Flash Player sprovodit ze světa. Podle dřívějšího oznámení jej bude podporovat už jen dva roky.


Reagovat na kybernetické incidenty dělá firmám problémy

16.3.2018 SecurityWorld Incidenty
Třem čtvrtinám dotazovaných firem chybí plán, jak v případě incidentu reagovat a 69 % z nich uvádí, že na kybernetickou odolnost nemá vyčleněno dostatek peněz.

Institut Ponemon ve spolupráci s IBM zveřejnila výsledky globální studie, která se zabývá tím, co všechno musí společnosti řešit, pokud chtějí být kyberneticky odolné.

Celkem 77 % respondentů připustilo, že nemá oficiální plán (CSIRP) v případě kyberbezpečnostního incidentu, který by byl v celé firmě důsledně dodržován. Téměř polovina z 2 800 respondentů uvedla, že jejich plán reakce na incidenty vzniká ad hoc, není oficiální nebo vůbec neexistuje.

Navzdory chybějícím oficiálním plánům ale 72 % firem tvrdí, že se v současnosti cítí kyberneticky odolnější než v loňském roce. Organizace, které se považují za vysoce odolné (61 %), zakládají své přesvědčení na schopnosti najmout kvalifikované zaměstnance.

Ale kybernetická odolnost organizací stojí nejenom na lidech, ale také na technologii. Respondenti si to uvědomují a 60 % z nich považuje nedostatečné investice do umělé inteligence a strojového učení za největší překážku v dosažení kybernetické odolnosti.

Sebedůvěra firem tedy nemusí mít pevné základy, protože 57 % respondentů ve studii prohlásilo, že se incidenty dnes řeší déle a 65 % uvedlo, že se závažnost útoků zvyšuje. To jsou přitom klíčové faktory, které mají na celkovou kybernetickou odolnost zásadní dopad.

Tyto problémy ještě znásobuje fakt, že pouze 31 % dotázaných má na kybernetickou odolnost přidělený dostatečný rozpočet a 77 % respondentů má problém najít a udržet si odborníky na IT bezpečnost.

„Pokud se firmy dnes cítí více kyberneticky odolné, tak je to hlavně z důvodu toho, že mají kvalifikované zaměstnance,“ říká viceprezident pro produktový management a spoluzakladatel IBM Resilient Ted Julian.

„Mít ty správné lidi je samozřejmě zásadní, ale stejně tak důležité je dát jim k dispozici ty nejmodernější pracovní nástroje. Jediné, co bezpečnostním týmům umožní vypořádat se s případnou hrozbou a zvýšit celkovou kybernetickou bezpečnost, je reakční plán, který sladí lidskou a strojovou inteligenci.“

Neexistence důsledně používaného CSIRP se ve výsledcích objevuje každý rok, navzdory zjištěním studie IBM z roku 2017, kolik porušení zabezpečení dat stojí. Pokud firmy zvládly porušení zabezpečení dat vyřešit do třiceti dnů, stálo je to průměrně skoro o jeden milion dolarů méně. Proto je CSIRP tak důležitý a cenný.

Další závěry studie:

Personální zajištění aktivit spojených s kybernetickou odolností není dostatečné.
Druhou největší překážkou kybernetické odolnosti se ukázal být nedostatek kvalifikovaných zaměstnanců v oblasti kybernetické bezpečnosti.
29 % respondentů uvedlo, že k dosažení kybernetické odolnosti mají ty správné zaměstnance.
50 % říká, že jejich současný manažer informační bezpečnosti nebo osoba zodpovědná za bezpečnost jsou ve své funkci tři roky nebo méně.
23 % firem podle studie v současnosti nemá manažera informační bezpečnosti ani osobu zodpovědnou za bezpečnost.