Microsoft released Windows Updates that include Intel’s Spectre microcode patches
4.3.2018 securityaffairs
Vulnerebility

Microsoft announced this week the release of the microcode updates to address the Spectre vulnerability.
Last week Intel released microcode to address the CVE-2017-5715Spectre vulnerability for many of its chips, let’s this time the security updates will not cause further problems.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

Problems such as frequent reboots were related to the fix for the CVE-2017-5715 Spectre flaw (Spectre Variant 2) and affected almost any platform, including systems running on Broadwell Haswell CPUs, as well as Ivy Bridge-, Sandy Bridge-, Skylake-, and Kaby Lake-based platforms.

Microsoft is going to deliver microcode updates for Windows 10 version 1709 (Fall Creators Update) or Windows Server version 1709 (Server Core) running on devices with 6th Generation Intel Core (Skylake) processors.

“This update is a standalone update available through the Microsoft Update Catalog and targeted for Windows 10 version 1709 (Fall Creators Update) & Windows Server version 1709 (Server Core).” read the advisory published by Microsoft. “This update also includes Intel microcode updates that were already released for these Operating Systems at the time of Release To Manufacturing (RTM). We will offer additional microcode updates from Intel thru this KB Article for these Operating Systems as they become available to Microsoft.”

Microsoft confirmed that almost any Window devices now have compatible security products installed and all problems with patches have been fixed.

“We have also been working closely with our anti-virus (AV) partners on compatibility with Windows updates, resulting in the vast majority of Windows devices now having compatible AV software installed.” wrote John Cable, Director of Program Management, Windows Servicing and Delivery

“We will continue to require that an AV compatibility check is made before delivering the latest Windows security updates via Windows Update until we have a sufficient level of AV software compatibility.”


A flaw in HP Remote Management hardware Integrated Lights-Out 3 leaves expose servers to DoS
4.3.2018 securityaffairs
Vulnerebility

Hewlett Packard Enterprise issued a security patch to address a vulnerability (CVE-2017-8987) in HP remote management hardware Integrated Lights-Out 3.
Hewlett Packard Enterprise has issued a security patch to address a vulnerability (CVE-2017-8987) in its remote management hardware Integrated Lights-Out 3 that equip the family of HP ProLiant servers.

The Hewlett-Packard iLO is composed of a physical card with a separate network connection that is used for the remote management of the device.

HP Remote Management

The vulnerability could be exploited by a remote attacker to power a denial of service attack that could cause severe problems to datacenters under some conditions.

The vulnerability in the HP remote management hardware Integrated Lights-Out 3 was discovered by the researchers at Rapid7 researchers in September, the issue is rated “high severity” and it has received a CVSS base score of 8.6.

“This post describes CVE-2017-8987, an unauthenticated remote Denial of Service vulnerability in HPE iLO3 firmware version 1.88. This vulnerability can be exploited by several HTTP methods; once triggered, it lasts for approximately 10 minutes until the watchdog service performs a restart of the iLO3 device. CVE-2017-8987 is categorized as CWE-400 (Resource Exhaustion) and has a CVSSv3 base score of 8.6.” states Rapid7.

Once an attacker has compromised a network he can lock out an admin to restore the operations causing severe problems to a data center.

“Several HTTP request methods cause iLO3 devices running firmware v1.88 to stop responding in several ways for 10 minutes:

SSH: open sessions will become unresponsive; new SSH sessions will not be established
Web portal: users cannot log in to the web portal; the login page will not successfully load
” continues Rapid 7.

HPE publicly disclosed the vulnerability on Feb. 22.

“A security vulnerability in HPE Integrated Lights-Out 3 (iLO 3) allows remote Denial of Service (DoS).” reads the security advisory published by HPE.

“HPE has provided the following instructions to resolve the vulnerability in HPE Integrated Lights-Out 3 (iLO 3) version 1.88: Please upgrade to HPE Integrated Lights-Out 3 (iLO 3) 1.89 which is available on HPE Support Center:

https://support.hpe.com/hpesc/public/home“

HPE said that affected version is v1.88 firmware for HPE Integrated Lights-Out 3 (iLO3), newer versions of the firmware (1.8, 1.82, 1.85, and 1.87) along with firmware for iLO4 (v2.55) are not impacted.

According to Rapid7 iLO5 devices were not tested, the experts also observed that requests calling the following four methods, will also trigger the Denial of Service:

curl -X OPTIONS hp-ilo-3.testing.your-org.com
curl -X PROPFIND hp-ilo-3.testing.your-org.com
curl -X PUT hp-ilo-3.testing.your-org.com
curl -X TRACE hp-ilo-3.testing.your-org.com

Below the disclosure timeline:

Sept 2017: Issue discovered
Thurs, Oct 19, 2017: Vendor released v1.89 update to iLO3, which addresses CVE-2017-8987
Mon, Nov 6, 2017: Vendor notified; vendor assigned PSRT110615 to this vulnerability
Wed, Nov 15, 2017: Additional details sent to vendor
Wed, Jan 10, 2018: Disclosed to CERT/CC
Wed, Jan 31, 2018: Vendor reported that v1.89 is not vulnerable to R7-2017-27; Rapid7 confirmed this finding.
Thurs, Feb 22, 2018: Public disclosure; vendor published security bulletin and assigned CVE-2017-8987
Thurs, Mar 1, 2018: Rapid7 published this post


Flash Player má kritickou chybu. Masivně ji zneužívají kyberzločinci

3.3.2018 Novinky/Bezpečnost Zranitelnosti
Kyberzločinci si opět vzali na mušku oblíbený program Flash Player, který slouží k přehrávání videí na internetu a po celém světě jej používají milióny lidí. Zneužít se přitom snaží chybu, kterou tvůrci ze společnosti Adobe již dávno opravili. Útočníci ale sází na to, že celá řada uživatelů s instalací bezpečnostních aktualizací nijak zvlášť nepospíchá.
Před novou masivní vlnou počítačových útoků varoval český Národní bezpečnostní tým CSIRT.CZ.

„Útočníci využívají zranitelnost na neaktualizovaných systémech Adobe Flash Player k velké phisingové kampani,“ uvedl na dotaz Novinek Pavel Bašta, bezpečnostní analytik CSIRT.CZ, který je provozován sdružením CZ.NIC.

Mohou ovládnout počítač
Podle něj kyberzločinci rozesílají zprávy a pokouší se přimět uživatele, aby stáhli dokument Word. „Když oběť soubor otevře a povolí makra, nakažený soubor se pokusí zneužít chybu u Adobe Flash Player. V případě, že oběť nemá aktuální verzi aplikace, může útočník převzít kontrolu nad nakaženým systémem,“ zdůraznil bezpečnostní expert.

To jinými slovy znamená, že prostřednictvím chyb mohou kyberzločinci propašovat na cizí počítač prakticky jakýkoli škodlivý kód, případně jej zcela ovládnout na dálku. Mohli by se tak snadno dostat k uloženým datům, případně odchytávat přihlašovací údaje na různé webové služby.

Obrana je přitom velmi jednoduchá – stáhnout nejnovější verzi Flash Playeru, která již trhlinu neobsahuje. To je možné prostřednictvím automatických aktualizací daného programu nebo prostřednictvím stránek společnosti Adobe.

Častý terč útoků
„Společnost Adobe žádá uživatele, aby pravidelně prováděli aktualizace Adobe Flash Playeru a vyhnuli se tak možným útokům, které cílí na neaktuální systémy,“ uzavřel Bašta.

Flash Player používá na celém světě několik stovek miliónů lidí. Právě kvůli velké popularitě se na něj zaměřují kybernetičtí nájezdníci pravidelně. Podle analýzy bezpečnostní společnosti Record Future cílilo osm z deseti nejrozšířenějších hrozeb v roce 2015 právě na tento přehrávač videí.

To je i jeden z hlavních důvodů, proč se společnost Adobe rozhodla Flash Player sprovodit ze světa. Podle dřívějšího oznámení jej bude podporovat už jen dva roky.


Útok hackerů na Německo je jen špička ledovce, prohlásil bezpečnostní expert

3.3.2018 Novinky/Bezpečnost BigBrother
Hackerský útok na počítačové sítě německé vlády může být podle amerického experta Benjamina Reada součástí výrazně většího organizovaného útoku na evropské státy. Read, který pracuje pro americkou bezpečnostní firmu FireEye, to řekl německému listu Die Welt. V Berlíně se ve čtvrtek kvůli útoku, který podle německých odborníků přišel z Ruska, mimořádně sejde výbor Spolkového sněmu pro kontrolu tajných služeb i výbor pro digitalizaci.
"Několik měsíců pozorujeme, že (ruská skupina) APT28 cíleně napadá ministerstva zahraničí a obrany v Evropské unii a snaží se získat přístup do chráněných systémů," uvedl Read.

Právě dvojice těchto ministerstev se podle německých médií dotkl i útok na spolkovou republiku. Hackerům se při něm podařilo dostat do speciálně zabezpečené sítě německé vlády, která slouží k výměně informací mezi vládními i bezpečnostními úřady. Podle ministerstva vnitra se útok, který mohl trvat až rok, podařilo dostat pod kontrolu.

Útoky nejsou ojedinělé
Německé úřady – stejně jako instituce dalších zemí – čelily hackerským útokům i v minulosti. Například v roce 2015 se terčem stal Spolkový sněm. Za tímto i nynějším útokem podle německých bezpečnostních činitelů stojí nejspíš ruští hackeři ze skupiny APT28.

Americký expert Read je přesvědčen o tom, že APT28 není žádná běžná hackerská skupina, která si chce jen vydělat peníze. Výběr cílů, použité metody i výdrž skupiny jsou podle něj jasné indicie svědčící o tom, že je financována státem a spolupracuje se státními úřady. Jaká tajná služba za APT28 stojí, není ještě jasné, ale podíl ruských úřadů na její činnosti považuje Read za jistý. Ruští činitelé dlouhodobě takové aktivity popírají.

Spolková vláda registruje denně asi 20 vysoce specializovaných útoků na své počítače. Zhruba za jedním útokem týdně stojí podle ní tajné služby.


Stránky s lechtivým obsahem jako hrozba. Polovina Čechů si stáhla virus

3.3.2018 Novinky/Bezpečnost Viry
Nejrůznější erotické servery a porno stránky představují pro tuzemské uživatele bezpečnostní riziko. Dokládá to nový průzkum antivirové společnosti Kaspersky Lab, podle kterého si do svých počítačů a mobilů stáhla při návštěvě webů s lechtivou tematikou škodlivý kód polovina Čechů.
„Nejnovější průzkum odhalil, že polovina Čechů (49,7 %, pozn. red.) si do svého počítače, notebooku nebo chytrého telefonu stáhla během sledování porna na internetu virus. Zvýšenému riziku nákazy ‚digitální pohlavní nemocí‘ se vystavují i kvůli nedostatečné ochraně svých zařízení,“ prohlásil David Jacoby, bezpečnostní odborník z Kaspersky Lab.

Je přitom nutné zdůraznit, že nejrůznější virové hrozby se netýkají pouze klasických počítačů, ale také tabletů a chytrých telefonů. U těchto mobilních zařízení ale řeší ochranu málokdo, což kyberzločincům značně usnadňuje práci.

Falešný pocit bezpečí
„Alarmující zjištění je, že 7 % českých uživatelů na svých zařízeních surfuje bez ochrany. Nemají totiž nainstalováno žádné bezpečnostní řešení. Naopak 11 % se domnívá, že jsou v bezpečí, když sledují porno na chytrých mobilech a tabletech. Jsou totiž přesvědčeni, že se tato zařízení nemohou ničím nakazit,“ zdůraznil bezpečnostní expert.

Průzkum realizovaný na podzim loňského roku na vzorku pěti stovek Čechů také ukazuje, že se tuzemští uživatelé za sledování lechtivých videí a fotografií stydí. „Více než 17 % Čechů totiž vinu za infikování zařízení virem z pornografické stránky svádí na své blízké, ačkoliv vědí, že se tak stalo při jejich návštěvě těchto webů,“ konstatoval Jacoby.

Podle průzkumu Češi v průměru sledují porno na svých počítačích nebo tabletech čtyřikrát týdně, polovina (53 %) jich pak připouští, že se na porno kouká alespoň jednou denně. Během jedné návštěvy na těchto webech průměrně stráví 22 minut, což za celý rok dělá více než pět dnů strávených sledováním erotických fotografií či videí.

Češi a Němci jsou na tom podobně
„V této statistice se velmi blížíme Německu, kde se na stránky s obsahem pro dospělé dívá 51 % respondentů denně, v průměru pak čtyřikrát týdně,“ prohlásil bezpečnostní expert.

Každý pátý respondent z ČR (19,8 %) si navíc myslí, že je v bezpečí, pokud pro surfování na internetu využívá anonymní mód ve vyhledávači. To samé si o anonymním módu myslí 42 % Němců. 19 % Čechů také věří, že je jejich počítač v bezpečí před viry, pokud si vymažou historii prohlížeče. Němečtí uživatelé jsou o tom přesvědčeni ve 24 % případů.


Právo být zapomenut využilo na Googlu už téměř 2,5 miliónu lidí

3.3.2018 Novinky/Bezpečnost Zabezpečení
Americká internetová společnost Google dostala od poloviny roku 2014 bezmála 2,5 miliónu žádostí o vymazání odkazů z výsledků hledání v rámci „práva být zapomenut”. Jak podnik uvedl ve výroční zprávě, toho využívají politici, celebrity, ale například také úředníci. Upozornil na to server The Verge.
Firma s procesem výmazu dat začala v červnu 2014.

„Právo být zapomenut" ve výsledcích populárního vyhledávače Googlu lidem před lety přiznal Soudní dvůr Evropské unie. Stalo se tak v případu jednoho Španěla, který si stěžoval na údajné narušení soukromí v souvislosti s dražební vyhláškou na jeho opětovně nabytý dům, která se objevila ve výsledcích vyhledávání.  

Lidé, kteří se rozhodnou žádost podat, mimo jiné musejí předložit digitální kopii průkazu k ověření totožnosti, například platného řidičského průkazu, vybrat z nabídky 32 evropských zemí tu, jejíž zákony se na žádost vztahují, poskytnout internetovou adresu každého odkazu, jehož odstranění požadují, a vysvětlit, proč je tato adresa „ve výsledcích vyhledávání irelevantní, zastaralá nebo jiným způsobem nevhodná".

Žádost je možné podávat prostřednictvím tohoto internetového formuláře.

Kritici označují rozhodnutí soudu za cenzuru a snahu o vymazávání historie, jejímž důsledkem bude, že o vymazání nepohodlných údajů budou žádat politici a zločinci. To se do určité míry stalo, neboť zástupci Googlu přiznali, že například politici o výmaz skutečně žádají.

Zastánci verdiktu jej hájí tím, že soud vyňal ze svého rozhodnutí odkazy, u nichž právo veřejnosti na informace převažuje nad právem jednotlivce na soukromí.


Proti falešným zprávám chtějí vědci bojovat internetovou hrou

3.3.2018 Novinky/Bezpečnost Spam
Odolnost vůči falešným zprávám získáme nejlépe tak, když si je sami zkusíme vytvořit, tvrdí vědci z univerzity v Cambridgi. Ti kvůli tomu spolu s nizozemskými vývojáři jménem DROG vytvořili vlastní počítačovou hru Bad News. Vyzkoušet si ji může kdokoliv zdarma.
V nové hře se objevil i prezident Trunp – většina hráčů si patrně ani nevšimne, že jeho jméno není napsáno správně.

V nové hře se objevil i prezident Trunp – většina hráčů si patrně ani nevšimne, že jeho jméno není napsáno správně.

Vědci si díky hře mohou otestovat následující hypotézu: když je člověk vystaven očividné lži a je mu ukázáno, jak propaganda funguje, snadněji pak odhalí důmyslnější nepravdy a polopravdy.

„Když se vcítíte do někoho, kdo se vás snaží obelhat, lépe pak odhadnete toho, kdo se vás bude snažit podvést,“ říká Sander van der Linden, sociální psycholog pracující na univerzitě v Cambridgi. Hráč tak musí ve hře vytvářet falešné zprávy a manipulovat veřejným míněním.

Poplašné zprávy o mezinárodní politice
Vypouští na internet, pochopitelně pouze v rámci herního světa, poplašné zprávy o mezinárodní politice, globálním oteplování nebo o genetickém inženýrství, píše telegraph.co.uk.

V jednom z prvních úkolů například vypustí do světa zprávu pod účtem Donalda Trunpa ve znění: „Vyhlašuji válku Severní Koreji.“ Hráč, a možná i leckterý čtenář, si zprvu ani nevšimne drobného detailu ve jméně amerického prezidenta: Trunp místo Trump. Účet a zpráva jím zveřejněná vypadají na první pohled jako oficiální, ale ve skutečnosti jsou falešné. A podobných chytáků a triků pozná hráč celou řadu.

Hra Bad News je zatím jen v angličtině zdarma k vyzkoušení na fakenewsgame.org.


Za půl roku bylo v Česku zaznamenáno 1600 DDoS útoků, nejvíce jich je domácích
3.3.2018 Lupa
Počítačový útok
Kybernetické útoky DDoS jsou v Česku běžnou věcí, ukazují nová čísla společnosti net.pointers. Ta analyzovala situaci mezi srpnem loňského roku a letošním lednem. Za půl roku bylo zaznamenáno 1600 DDoS útoků, což je 51 útoků denně.

„Nejčastěji byly údery na české počítače a další zařízení vedeny z České republiky (27,32 % z celkového počtu útoků), z Velké Británie (26,12 %), z Číny (24,14 %) a Německa (22,41 %). Nejsilnější útok byl zaznamenán v polovině ledna: jeho intenzita dosáhla 14,4 Gb za sekundu. Vzhledem k tomu, že v posledních letech nejsou výjimkou ani napadení o síle přes 100 Gb za sekundu, jednalo se v globálním měřítku spíše o slabší případ,“ uvádí net.pointers.

Společnost také uvádí, že na sousedním Slovensku bylo za stejné období evidováno pouze 64 DDoS útoků.


Certifikát na tři roky už si nepořídíte, maximální platnost se zkrátila na dva
3.3.2018 Root
Zabezpečení

Počínaje dnešním dnem nesmí certifikační autority vydávat TLS certifikáty s délkou platnosti tři roky. Maximální délka platnosti DV a OV certifikátů se zkracuje na dva roky, stejně jako tomu je u EV.

Členové CA/Browser Fora už před rokem rozhodli, že se maximální doba platnosti Domain Validated (DV) a Organization Validated (OV) certifikátů k 1. březnu 2018 zkrátí z 39 měsíců na 825 dnů (přibližně 27 měsíců). Od dnešního dne tedy autority nevydávají nové certifikáty na tři roky, ale nejdéle na dva. Starší tříleté certifikáty samozřejmě existují dál a podle své životnosti běžným způsobem doběhnou.

Některé autority ke změně přistoupily s předstihem, například DigiCert vydával tříleté certifikáty do 20. února, následující den už platila nová pravidla a mohli jste pořídit jen dvouletý certifikát. Autorita o tom ovšem své zákazníky informovala s předstihem, takže pokud jste stihli certifikát získat dříve, máte jej vystavený až do roku 2021. Firma vydala ke změně infografiku, která vysvětluje, jak se platnost zkracuje a jak pak bude autorita přistupovat k vystavení duplikátů certifikátů:

DigiCert
Zkracování platnosti nových certifikátů

Průběžně zkracujeme
Potřebu zkracování platnosti certifikátů vysvětluje například autorita GlobalSign, která poukazuje na stále se měnící pravidla, která se musejí přizpůsobovat proměnlivé bezpečnostní situaci. Snížení maximální životnosti certifikátu ze tří na dva roky pomáhá omezovat přítomnost starších, zastaralých a možná i nebezpečných certifikátů, které vznikly před zavedením nových pravidel.

Když se například začalo s výměnou slabé hašovací funkce SHA1, umožňovala pravidla vydávat DV a OV certifikáty na pět let. To znamená, že některé z nich jsou stále ještě platné. Pět let je velmi dlouhá doba. Vzniká tak jakési šedivé období, ve kterém sice už neplatí stará pravidla, ale stále ještě platí staré certifikáty podle nich vydané.

Zkracování doby platnosti umožňuje omezit toto období a uvést nová pravidla do praxe výrazně rychleji. GlobalSign proto například změnu provedl o rok dříve a tříleté certifikáty přestal vydávat už 20. dubna 2017. Tlak na další zkracování platnosti tu stále je, takže se pravděpodobně za čas dočkáme dalších změn.

Od deseti let ke třem měsícům
Úpravou doby platnosti certifikátů se zabývá také známý bezpečnostní odborník Scott Hellme. Ten na svém webu podrobně vysvětluje, proč je potřeba ještě dále zkracovat. Před deseti lety, kdy ještě neexistovala žádná (samo)regulace, byla autorita GoDaddy schopna vydat certifikát třeba na deset let. Některé z nich stále ještě platí, jak se můžete přesvědčit v databázi Censys.

Certifikáty s platností 10 let

První nastavení hranice pak přišlo v roce 2012, kdy byla CA/Browser Fórem přijata první verze pravidel pro certifikační autority [PDF], která omezovala platnost certifikátů na 60 měsíců – tedy na pět let. Hned v roce 2015 ale byla maximální doba platnosti zkrácena na 39 měsíců – tedy na tři a čtvrt roku. To byl vlastně stav, který jsme tu měli až do včerejšího dne.

Další návrh přišel až v únoru roku 2017, kdy Ryan Sleevi z Google navrhoval razantní omezení na 398 dnů – tedy na pouhý rok. O návrhu hlasovalo 25 autorit, ale pro byla jen jediná: Let's Encrypt. Tato otevřená autorita totiž od začátku vydává certifikáty jen na tři měsíce a její názor je v tomto ohledu naprosto jasný.

V březnu 2017 byl pak předložen další návrh, který upravoval maximální platnost certifikátů na 825 dnů – tedy na dva a čtvrt roku. Pro tuto variantu naopak hlasovaly všechny zúčastněné strany. To je právě návrh, který dnes vstoupil v platnost. Můžeme předpokládat, že se za čas opět někdo pokusí předložit další návrh, třeba opět na už jednou probíraných 398 dnů.

Proč je to potřeba
Na první pohled se zdá, že zkrácení z 10 let na tři měsíce je šíleně otravné a jen přidělává spoustu práce. Ve skutečnosti existuje ale řada praktických důvodů, proč nechceme mít na internetu certifikáty s dlouhou dobou platnosti.

V první řadě: revokace nefungují. Pokud vám unikne privátní klíč (což se opravdu stává), chcete mít možnost starý certifikát zneplatnit ještě před jeho skutečným vypršením. V opačném případě se za vás držitel klíče může zbytek doby platnosti vydávat. V současné době bohužel nemáme rozumný a široce podporovaný způsob revokace. Klasické seznamy CRL jsou obrovské, alternativní OCSP je zase problémem pro soukromí. Navíc je tu otázka, co má prohlížeč dělat, když jsou servery autority nedostupné – přestává tu tedy fungovat hlavní výhoda certifikátů, tedy možnost jejich offline ověření.

Tvůrci prohlížečů proto přistoupili k vlastnímu řešení, kdy do instalace sami vkládají seznamy neplatných certifikátů. To má také několik na první pohled viditelných úskalí – seznamy jsou tvořeny centrálně, výběrově a každý prohlížeč si to dělá po svém. Jak tedy můžete stoprocentně zajistit, že váš kompromitovaný certifikát bude revokován u všech uživatelů? Nemůžete. Nejde to.

V takové situaci je velký rozdíl, jestli máte certifikát vystavený na tři měsíce nebo na tři roky. Certifikát s krátkou platností za pár dnů vyprší a nic dalšího se nestane, nedáváte útočníkovi do ruky bianco šek, který je možné třeba dva a půl roku zneužívat.

Od dubna také bude nutné, aby byl platný certifikát v logu Certification Transparency. Ve skutečnosti bude muset být alespoň ve třech databázích od tří různých organizací. V průběhu životnosti certifikátu se ale může stát, že některý z logů bude z nějakého důvodu z prohlížečů vyřazen a jeho hlas přestane platit. V takové situaci přestane být důvěryhodný i daný certifikát, protože naráz bude mít platné potvrzení jen od dvou logů. Certifikáty s kratší dobou platnosti budou mít výhodu – včas se protočí, získají jiná potvrzení a problém nevznikne.

Musíme začít automatizovat
Správci serverů si začínají v mnoha oblastech zvykat na automatizaci, což se čím dál více týká i certifikátů a autorit. Uživatelé autority Let's Encrypt jsou na automatizaci od začátku zvyklí, postupně bude pronikat i dalším autoritám. Jelikož je protokol ACME otevřený, je možné jej použít k obsluze vlastní autority.

Je tedy pravděpodobné, že se brzy i klasické komerční autority budou snažit nabídnout automatickou cestu k získání certifikátů. Registrujete se, nabijete kredit a budete mít přístup k API umožňujícímu vystavit nové certifikáty. Odstraní to otravné ruční obnovování a zabrání lidské chybě. Let's Encrypt už navíc v praxi ověřuje, že je to velmi pohodlná a bezproblémová cesta.


Windows 7 bez antiviru, ale také s některými antiviry nepřijímá aktualizace. Co s tím?

3.3.2018 CNEWS.cz Zabezpečení
Proč se v některých případech automaticky nestahují aktualizace pro Sedmičky? Co se s tím dá dělat?

Microsoft byl nucen zastavit distribuci letošních lednových a únorových opravných balíčků pro Windows 7. Situace je však dočasná a týká se jen některých zařízení, nejedná se o dlouhodobou paušální změnu politiky, jak by se mohlo zdát. Aktualizace aktuálně nepřijímají stroje s některými antiviry. Ve výsledku však aktualizace nepřijímají ani zařízení bez antivirových systémů.

Proč? To si hned vysvětlíme.

Dostupnost letošních aktualizací pro Windows 7
Byl identifikován problém s kompatibilitou s některými antiviry po aplikaci lednových, ale později také únorových opravných balíčků. Konkrétní jména nepadla, takže nevíme, jakých antivirů a v jakých verzích se jich situace týká. Některé antiviry provádí nepodporovaná volání do jádra Windows – jsme opět u problematiky, kdy mnohé antiviry vzhledem ke hlubokým a možná necitelným zásahům do systému působí potíže.

Tato volání mohou způsobovat pády operačního systému. Situace může eskalovat až do stavu, kdy systém není schopný nastartovat. Microsoft to přímo neuvádí, ale podobná situace nastala také ve Windows 10, přičemž nekompatibilita vznikla po implementaci ochranných opatřeních proti dírám Spectre a Meltdown.

Bezpečnost

Také v případě Desítek proto platí, že během ledna a února vydané aktualizace nemusí být nainstalovaný na systémech s nekompatibilními antiviry. Klíčová je otázka, jak se Microsoft rozhodl ověřit kompatibilitu. Pokud je antivirus kompatibilní, musí v registru provést určitou úpravu, jež slouží jako signál. Bez tohoto signálu je distribuce aktualizací pro daný počítač pozastavena, viz např. článek Únorové záplatovací úterý nabídlo dávku oprav pro Windows.

Ačkoli se jedná jen o můj odhad, řekl bych, že to stejné platí na sestavách s Windows 7. jinými slovy Microsoft kompatibilitu systému s novými aktualizacemi zatím ověřuje kontrolou příslušné hodnoty v registru. Pokud není nastavena antivirem, do systému nejsou vpuštěny nové aktualizace – aspoň ne automatizovaně skrze Windows Update.

Windows 7 bez antiviru
Patrně jste se dovtípili, kde leží zakopaný pes. Zatímco Desítky v základní výbavě obsahují antivirus Windows Defender, Windows 7 obsahuje jen antispyware Windows Defender. Ten se proměnil v plnohodnotný antivirový nástroj až ve Windows 8, přičemž byl odvozen ze samostatně stojícího produktu Microsoft Security Essentials mj. pro Sedmičky.

Redmondští tento antivirový systém zdarma ke stažení stále nabízí, jenže stažení je volitelné – ve výsledku základní instalace Windows 7 antivir neobsahuje. Je proto možná trochu zvláštní, že Microsoft kontrolu kompatibility s posledními systémovými aktualizacemi nastavil tak, že pokud nemáte antivirus žádný, nikdo příslušnou hodnotu v registru nenastaví a zařízení nebude přijímat aktualizace.

Řešení
Situace se může změnit, do té doby ale můžete podniknout kroky k nápravě. Pakliže jste si do Sedmiček žádný antivir nepřidali, můžete si nějaký stáhnout. Jak jsem již uvedl, např. Microsoft nabízí zdarma svůj Security Essentials. Pokud antivirus používáte, ujistěte se, že máte poslední verzi. Případně se informujte u výrobce, zda je produkt kompatibilní s posledními aktualizacemi pro Windows.

Pro Sedmičky platí stejné opatření jako pro Windows 10

Pakliže žádné antivirové řešení používat nechcete, je doporučeno, abyste manuálně vytvořili v registru příslušnou hodnotu, aby Windows mohl nadále automaticky přijímat aktualizace. V Editoru registru nastavte hodnotu:

Klíč: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\QualityCompat
Hodnota: cadca5fe-87d3-4b96-b7fb-a231484277cc
Typ: REG_DWORD
Data: 0x00000000 (Údaj hodnoty = 0)


Delta Patches Vulnerabilities in HMI, PLC Products
3.3.2018 securityweek
Vulnerebility

Taiwan-based Delta Electronics has patched several vulnerabilities in two of the company’s industrial automation products, including flaws that can be exploited for remote code execution.

A researcher who uses the online moniker “Axt” informed Delta via Trend Micro’s Zero Day Initiative (ZDI) and ICS-CERT that its WPLSoft product, a programming software for programmable logic controllers (PLCs), is affected by several types of vulnerabilities.

ICS-CERT’s advisory describes three types of flaws that can allow arbitrary code execution in the context of the current process or denial-of-service (DoS) attacks, specifically stack-based buffer overflow, heap-based buffer overflow, and out-of-bounds write issues. The security holes have been rated high severity and they are tracked as CVE-2018-7494, CVE-2018-7507 and CVE-2018-7509.

ZDI has published a total of nine advisories, one for each variation of these flaws. According to the company, the vulnerabilities are related to how the application parses .dvp files and they can be exploited by getting the targeted user to open a specially crafted file or webpage.

ZDI said it reported the security holes to Delta via ICS-CERT in February 2017. The company’s advisories suggest that the vendor attempted to release some patches last summer, but they did not properly fix the vulnerabilities. ZDI published its advisories in August 2017 with a “0Day” status.

ICS-CERT reported this week that the vulnerabilities were patched by Delta with the release of WPLSoft V2.46.0, which according to the vendor’s site was made available on February 2.

A separate advisory published this week by ICS-CERT describes a medium severity vulnerability found by researcher Ghirmay Desta in Delta’s DOPSoft human-machine interface (HMI) product.

The flaw, a stack-based buffer overflow, is related to the processing of .dop or .dpb files, and it can allow remote code execution. The issue affects DOPSoft 4.00.01 and prior, and it was patched with the release of version 4.00.04 on March 1.

This vulnerability was also reported to Delta via ZDI, but the company has yet to publish advisories. ZDI’s website shows a total of 17 upcoming advisories describing vulnerabilities found by Desta in the DOPSoft product in October 2017. Last year, the expert also found weaknesses in Delta’s PMSoft, a development tool for motion controllers.

ZDI was also recently informed by an anonymous researcher of four high severity flaws in an unnamed Delta product.

It’s not uncommon for ICS vendors to take hundreds of days to patch vulnerabilities. A report published last year by ZDI showed that the average patching time for SCADA flaws had been 150 days.


New Malware Used in Attacks Aimed at Inter-Korean Affairs

3.3.2018 securityweek Virus

A threat actor apparently interested in inter-Korean affairs continues to launch highly targeted attacks using new pieces of malware and decoy documents referencing North Korean political topics.

The cyber espionage group, which experts believe is sponsored by a nation state, has been active for several years, but it managed to stay under the radar until last year, when researchers analyzed two of its main tools, namely SYSCON and KONNI. These pieces of malware had been leveraged in attacks aimed at organizations linked to North Korea.

McAfee’s Advanced Threat Research team recently spotted a new campaign that appears to focus on North Korea, particularly humanitarian aid efforts. The security firm named this operation Honeybee based on the name of the user who created the malicious documents.

Previous research into this group’s activities and a new McAfee report claim the threat actor is likely a Korean speaker. In the past, some even suggested that the attacks may have been launched from South Korea.

However, McAfee told SecurityWeek that South Korea is most likely not behind the attacks. The security firm believes this is the work of an actor interested in inter-Korean affairs, specifically in English-language information.

The attack starts with a spear-phishing email carrying or linking to a malicious document. The document contains a macro designed to drop and execute a new version of the SYSCON backdoor. The malware allows attackers to upload files to a server, and download files to the compromised system and execute them.

The campaign appears to be mainly focused on North Korea, particularly humanitarian aid efforts, with primary targets located in Southeast Asia and the Americas. While many of the targeted entities are located in South Korea, some attacks are also aimed at users in Vietnam, Singapore, Japan, Indonesia, Canada and Argentina.

Some of the malicious documents used to deliver the malware reference North Korea – for example, one is named “International Federation of Red Cross and Red Crescent Societies – DPRK Country Office.”

Other documents, however, rely on a different approach. They display fake Google Docs or Microsoft Office messages that instruct recipients to enable editing and content in order to access the information. If users comply, malicious code is executed and malware is downloaded to their device.

Decoy document used in North Korea attacks

Some of the droppers used in the Honeybee campaign are only disguised as documents. One dropper, tracked by McAfee as MaoCheng, has a document icon, but it’s actually an executable file signed with a stolen Adobe certificate. Once executed, MaoCheng opens a decoy document that instructs users to enable content in order to access the information.

McAfee said the MaoCheng dropper was likely created specifically for the Honeybee campaign and it has only been spotted two times. A new variant of the SYSCON backdoor was first seen by researchers on January 17, but the operation has relied on new implants since at least November 2017. Experts say many components are loosely based on previous versions of SYSCON, but they are unique from a code perspective.

“The attacks used simplistic malware, but the speed to put the campaign into production indicates that this is a well-organized group, hence it has the traits of a nation state level group,” Ryan Sherstobitoff, McAfee Senior Analyst of Major Campaigns


Nuance Estimates NotPetya Impact at $90 Million
3.3.2018 securityweek
Ransomware

Nuance Communications, one of the companies to have been impacted by the destructive NotPetya attack last year, estimates the financial cost of the attack at over $90 million.

Initially believed to be a ransomware outbreak, NotPetya hit organizations worldwide on June 27, and was found within days to be a destructive wiper instead. Linked to the Russia-linked BlackEnergy/KillDisk malware, NotPetya used a compromised M.E.Doc update server as infection vector.

NotPetya affected major organizations, including Rosneft, AP Moller-Maersk, Merck, FedEx, Mondelez International, Nuance Communications, Reckitt Benckiser, and Saint-Gobain, causing millions in damages to every one of them.

Last year, Nuance estimated that NotPetya impacted its revenue for the third quarter of 2017 by around $15 million, but the total financial losses the attack incurred are of around $100 million, the company now says.

In its latest 10-Q filing with the Securities and Exchange Commission (SEC), Nuance reveals that, for the fiscal year 2017, NotPetya caused losses of around $68.0 million in revenues, and incurred incremental costs of approximately $24.0 million as result of remediation and restoration efforts.

“NotPetya malware affected certain Nuance systems, including systems used by our healthcare customers, primarily for transcription services, as well as systems used by our imaging division to receive and process orders,” Nuance says. The company’s Healthcare segment was hit the most.

The company also notes that, while the direct effects of the attack were remediated during fiscal year 2017, the effects will continue to impact the company for the first quarter of fiscal year 2018 as well. The incident also determined the company to spend more on improving and upgrading information security, during fiscal year 2018 and beyond.

Last month, Danish shipping giant A.P. Moller–Maersk said it had to reinstall software on nearly 50,000 devices following the NotPetya assault. In September 2017, FedEx revealed a negative impact of around $300 million on its profit as result of the attack.

In mid-February 2018, the United Kingdom officially accused the Russian government of being responsible for the NotPetya attack. The next day, United States, Canada, Australia, and New Zealand joined the U.K. and also blamed Russia for the incident.


Biggest-Ever DDoS Attack (1.35 Tbs) Hits Github Website
2.3.2018 thehackernews
Attack

On Wednesday, February 28, 2018, GitHub's code hosting website hit with the largest-ever distributed denial of service (DDoS) attack that peaked at record 1.35 Tbps.
Interestingly, attackers did not use any botnet network, instead weaponized misconfigured Memcached servers to amplify the DDoS attack.
Earlier this week we published a report detailing how attackers could abuse Memcached, popular open-source and easily deployable distributed caching system, to launch over 51,000 times powerful DDoS attack than its original strength.
Dubbed Memcrashed, the amplification DDoS attack works by sending a forged request to the targeted Memcrashed server on port 11211 using a spoofed IP address that matches the victim's IP.
A few bytes of the request sent to the vulnerable server trigger tens of thousands of times bigger response against the targeted IP address.
"This attack was the largest attack seen to date by Akamai, more than twice the size of the September 2016 attacks that announced the Mirai botnet and possibly the largest DDoS attack publicly disclosed," said Akamai, a cloud computing company that helped Github to survive the attack.
In a post on its engineering blog, Github said, "The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second."
Expect More Record-Breaking DDoS Attacks
Though amplification attacks are not new, this attack vector evolves thousands of misconfigured Memcached servers, many of which are still exposed on the Internet and could be exploited to launch potentially more massive attacks soon against other targets.
To prevent Memcached servers from being abused as reflectors, administrators should consider firewalling, blocking or rate-limiting UDP on source port 11211 or completely disable UDP support if not in use.


Windows Updates Deliver Intel's Spectre Microcode Patches
2.3.2018 securityweek 
Vulnerebility

Microsoft announced on Thursday that Windows users will receive the microcode updates released by Intel to patch the notorious Spectre vulnerability.

Meltdown and Spectre attacks allow malicious applications to bypass memory isolation and access sensitive data. Meltdown attacks are possible due to a flaw tracked as CVE-2017-5754, while Spectre attacks are possible due to CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). Meltdown and Spectre Variant 1 can be addressed with software updates, but Spectre Variant 2 requires microcode patches.

Microsoft has provided users the necessary software updates and it has now started delivering microcode patches as well.

After the first round of Spectre microcode patches from Intel caused more frequent reboots and other instability problems, the company started releasing new updates. The first patches were for Skylake, then for Kaby Lake and Coffee Lake, and this week for Haswell and Broadwell processors.

Intel has provided the microcode updates to device manufacturers, which are expected to make them available to customers once they have been tested.

For the time being, Microsoft will deliver Intel’s microcode updates to devices with 6th Generation Intel Core (Skylake) processors if they are running Windows 10 version 1709 (Fall Creators Update) or Windows Server version 1709 (Server Core).

“We will offer additional microcode updates from Intel as they become available to Microsoft. We will continue to work with chipset and device makers as they offer more vulnerability mitigations,” said John Cable, director of Program Management, Windows Servicing and Delivery.

When it started releasing software mitigations for Spectre and Meltdown, Microsoft warned that some users may not receive the updates due to antivirus compatibility issues. Cable said a vast majority of Windows devices now have compatible security products installed so they should not experience any problems in getting the patches.

“We will continue to require that an AV compatibility check is made before delivering the latest Windows security updates via Windows Update until we have a sufficient level of AV software compatibility,” Cable explained.

After news broke that Intel’s first round of microcode updates caused instability issues, Microsoft released an update that allowed Windows users to disable the problematic Spectre Variant 2 mitigation.


Cyberattack 'Ongoing' Against German Government Network

2.3.2018 securityweek  BigBrothers

The German government's IT network is under an "ongoing" cyberattack", the parliamentary committee on intelligence affairs said Thursday, without confirming a media report that Russian hackers were behind the assault.

"It is a real cyberattack on parts of the government system. It's an ongoing process, an ongoing attack," said Armin Schuster, chairman of the committee, adding that no further details could be given to avoid passing crucial information on to the attackers.

Interior Minister Thomas de Maiziere said the hacking was "a technically sophisticated attack that had been planned for some time", adding that it had been brought under control.

The highly professional assault had been monitored by the security agencies in order to gain insights into the mode of attack and its targets, said de Maiziere.

German news agency DPA, which first reported the attack the previous day, said Thursday, citing unnamed security sources, that the likely authors were the Russian cyber espionage group "Snake".

DPA had earlier pointed at the Russian hacker group APT28, which has been accused of attacks on Hillary Clinton's 2016 presidential campaign as well as on Germany's parliamentary IT system in 2015.

German security authorities had only detected the online spying in December, DPA has reported, adding that it had infiltrated the systems of the foreign and interior ministries. Konstantin von Notz, deputy of the committee, complained it was "completely unacceptable" that members of the oversight body only learnt of the attack through the media.

- Russian hackers -

Top security officials had repeatedly warned during Germany's 2017 general election campaign that Russian hackers may seek to influence or disrupt the polls.

While authorities did not have concrete proof, they have blamed the malware attack that crippled the Bundestag parliamentary network in 2015 for days on the APT28, also known as "Fancy Bear" or "Sofacy".

The attack netted 17 gigabytes of data which, officials feared, could be used to blackmail MPs or discredit them.

In a separate assault, several German political parties were in September 2016 sent fake emails purporting to be from NATO headquarters which contained a link that installed spying software on victims' computers.

The emails affected party operations such as a regional network of Chancellor Angela Merkel's Christian Democratic Union and the federal offices of the far-left Die Linke party.

Amid the rising frequency of attacks, Germany's defence ministry in 2016 set up a cyber department to coordinate the response to online intrusions.

Merkel, seeking to prepare the German public for more online attacks, has said people should "not allow themselves to be irritated" by such rogue operations.


Python-Written CannibalRAT Used in Targeted Attacks
2.3.2018 securityweek 
Virus

A newly identified remote access Trojan (RAT) that has been written entirely in Python is being used in highly targeted attacks, Cisco Talos researchers say.

Dubbed CannibalRAT, the malware lacks sophistication but exhibits signs of code cannibalization. At least two variants (versions 3.0 and 4.0) have been already used in attacks, both with the usual RAT capabilities, but the latter lacking features to fit a campaign targeting users of a Brazilian public sector management school.

The malicious activity associated with the RAT has increased after the second variant (4.0) emerged on February 5, 2018 (the first variant was spotted on Jan. 8). The newer iteration also uses obfuscation to avoid detection: it was packed with UPX and has a function to generate random strings in memory.

Both variants use base16 encoding scheme to obfuscate command and control (C&C) hostnames and data exchanged with the server. Also, both use the "CurrentVersion\Run" registry key for persistence, along with the service name "Java_Update", Cisco reveals.

Once executed on the infected machine, version 4.0 creates a PDF file with HTML code embedded, designed to load an image hosted at imgur.com, and launches Chrome to open the PDF.

Both versions connect to the same C&C infrastructure, but the older one uses standard web requests, while the newer version uses a REST-based API. The latter method would send username, hostname, and capability related information to the server as part of the initial request.

The credential-stealer modules are copied from the Radium-Keylogger’s source code (available on Github), while the VM detection function was copied from a different Github repository.

This, the researchers say, shows the large amount of code that adversaries share among them, which makes attribution even more difficult.

The malware’s modules have self-explanatory names: runcmd, persistence, download, upload, screenshot, miner, DDoS, driverfind, unzip, ehidden, credentials, file, zip, python, update, and vm. All are present in version 3.0, while version 4.0 lacks the distributed denial of service, miner, Python and update modules, as well as the ability to steal credentials from Firefox (it only works with Chrome).

The latest version also drops the module approach and includes all code in the main script. Furthermore, it includes four possible C&C hostnames (version 3.0 only had two), and randomly chooses one upon execution.

The attackers use the fast flux technique to hide the infrastructure and change name servers with high frequency (120 seconds), but the end points tend to be the same, belonging to a telecom provider in Brazil, the researchers say.

One of the domains associated with the campaign (the malware was hosted on it) is inesapconcurso.webredirect.org, apparently specifically created for these attacks. The actor used social engineering for the name as well: inesapconcurso is the aggregation of inesap and concurso, representing the school name and the Portuguese word for “competition”.

“While the objective of this campaign is unclear, the adversaries went through some work in order to keep their RAT as unnoticed as possible. Both the campaign target and the command-and-control visibility show this campaign is active in Brazil, which our DNS data confirms, reflecting the highly targeted approach of this campaign,” Cisco concludes.


Philips Working on Patches for 35 Flaws in Healthcare Product
2.3.2018 securityweek 
Vulnerebility

Philips has informed customers that it’s working on patches for dozens of vulnerabilities affecting the company’s IntelliSpace Portal, a visualization and analysis solution designed for healthcare organizations.

According to Philips, versions 7.0.x and 8.0.x of the IntelliSpace Portal are affected by issues related to insecure Windows service permissions, legacy encryption, and remote desktop access functionality. A total of 35 CVE identifiers are associated with the vulnerabilities.

An advisory published by ICS-CERT describes the security holes as input validation flaws that allow remote code execution or denial-of-service (DoS) attacks, information exposure issues that allow unauthorized access to sensitive data, access control weaknesses that can be used for privilege escalation or code execution, local code execution and privilege escalation flaws, a code execution vulnerability that exists due to leftover debugging code, and multiple cryptographic issues. Serious vulnerabilities found in Philips IntelliSpace Portal

While some of these vulnerabilities appear to be specific to Philips’ product, many affect third-party components. For example, there are several remote code execution, information disclosure and DoS flaws related to Windows SMB, including the EternalBlue flaw exploited in the WannaCry ransomware attack.

Other flaws affect the Microsoft Remote Desktop Protocol (RDP) and Microsoft Office. The crypto-related weaknesses include POODLE, BEAST and other vulnerabilities disclosed in the past years, including one from 2004.

While exploits are publicly available for many of these vulnerabilities, they don’t specifically target Philips products, and the vendor claims it’s not aware of any attacks.

Philips will release patches in the coming months. The company says it’s also currently testing operating system updates, which cannot be installed without ensuring that they don’t impact the stability of the product. Until patches become available, customers have been provided a series of workarounds.

In January, Philips informed customers of an authentication issue affecting its IntelliSpace Cardiovascular (ISCV) cardiac image and information management system.

The company learned from a customer that when the ISCV system is used with an Electronic Medical Record (EMR) in Kiosk mode and configured with Windows authentication, users may not be properly logged out once they are done using the software.

The flaw allows a malicious actor that gains access to the system after it has been used by a legitimate EMR user to log in with that user’s credentials and obtain or modify sensitive information.

Philips said the security hole will be addressed with the release of version 3.1.0. In the meantime, users have been advised to close the browser after accessing the system. Changing the configuration so that Windows authentication is not used also addresses the problem.


Iran-Linked Chafer Group Expands Toolset, Targets List
2.3.2018 securityweek  APT
The Iran-based targeted attack group known as "Chafer" has been expanding its target list in the Middle East and beyond and adding new tools to its cyberweapon arsenal, Symantec warns.

Last year, the group engaged in a series of ambitious new attacks, hitting a major telecom companies in the Middle East and also attempting to attack a major international travel reservations firm. Active since at least July 2014 and already detailed a couple of years ago, Chafer is mainly focused on surveillance operations and the tracking of individuals.

During 2017, the group used seven new tools, rolled out new infrastructure, and hit nine new organizations in Israel, Jordan, the United Arab Emirates, Saudi Arabia, and Turkey. Targets included airlines, aircraft services, software and IT services firms serving the air and sea transport sectors, telecoms, payroll services, engineering consultancies, and document management software companies.

The group also targeted an African airline and attempted to compromise an international travel reservations firm, Symantec discovered.

Last year, Chafer compromised a telecoms services provider in the Middle East, a company that sells solutions to multiple telecom operators in the region. The compromise could have potentially allowed the attackers to carry out surveillance on a vast pool of end-users.

In attacks observed in 2015, the group was attacking the web servers of organizations, likely through SQL injection attacks. Last year, the group also started using malicious documents to drop malware, likely sent via spear-phishing emails to individuals working in targeted organizations.

Said documents were Excel spreadsheets carrying a malicious VBS file that would run a PowerShell script to execute a dropper on the compromised machine. In turn, the dropper would install an information stealer, a screen capture utility, and an empty executable.

The screen capture tool only had a role in the initial information gathering stage, the information stealer targeted the contents of the clipboard, took screenshots, recorded keystrokes, and stole files and user credentials. Next, the attackers would download additional tools onto the infected computer and attempted lateral movement on the victim’s network.

Recently, Chafer employed seven new tools in addition to the malware already associated with the group. Most of these tools, Symantec points out, are freely available, off-the-shelf tools that have been put to a malicious use.

These include Remcom, an open-source alternative to PsExec; Non-sucking Service Manager (NSSM), an open-source alternative to the Windows Service Manager; a custom screenshot and clipboard capture tool; SMB hacking tools, including the EternalBlue exploit; GNU HTTPTunnel, an open-source tool to create a bidirectional HTTP tunnel on Linux computers; UltraVNC, an open-source remote administration tool for Windows; and NBTScan, a free tool for scanning IP networks for NetBIOS name information.

Additionally, the group continued to use tools such as its own custom backdoor Remexi, PsExec, Mimikatz, Pwdump, and Plink.

Chafer apparently used the tools in concert to traverse targeted networks. NSSM was recently adopted for persistence and to install a service to run Plink, which opens reverse SSH sessions to presumably gain RDP access to the compromised computer. Next, PsExec, Remcom, and SMB hacking tools are leveraged for lateral movement.

The new infrastructure used in recent attacks included the domain win7-updates[.]com as a command and control (C&C) address, along with multiple IP addresses, though it’s unclear whether these were leased or hijacked. On a staging server apparently used by the attackers, the researchers found copies of many of the group’s tools.

According to Symantec, Chafer’s activities have some links to Oilrig, another Iran-based cyberespionage group. Both appear to be using the same IP address for C&C address, as well as a similar infection vector, an Excel document dropping a malicious VBS file referencing to the same misspelled file path.

While this could suggest that the two groups are one and the same, there isn’t enough evidence to support that hypothesis, Symantec says. More likely, the “two groups are known to each other and enjoy access to a shared pool of resources,” the researchers suggest.

Chafer’s recent activities show not only that the group remains highly active, but also that it has become more audacious in its choice of targets. Similar to other targeted attack groups, it has been relying on freely available software tools for malicious activities, and also moved to supply chain attacks, which are more time consuming and more likely to be discovered.

“These attacks are riskier but come with a potentially higher reward and, if successful, could give the attackers access to a vast pool of potential targets,” Symantec concludes.


Equifax Identifies 2.4 Million More Affected by Massive Hack
2.3.2018 securityweek  Hacking

US credit bureau Equifax said Thursday it identified an additional 2.4 million American consumers affected by last year's massive data breach that sparked a public outcry and a congressional probe.

The company's forensic investigation revealed the new identities on top of the 146 million affected in the attack that exposed victims' personal details, including names, birth dates and social security numbers.

"This is not about newly discovered stolen data," said Paulino do Rego Barros, who took over as interim chief executive last year at the scandal-hit credit agency.

"It's about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals."

Equifax said the newly identified consumers were not previously informed because their social security numbers -- which appeared to be the focus of the hackers -- were not stolen together with their partial driver's license information.

Equifax said it would notify these consumers and will offer identity theft protection and credit file monitoring services.

The Atlanta-based company, which tracks consumer financial data to help establish credit ratings, is now facing state and federal investigations as well as class-action lawsuits over the breach.

While the breach was not the largest in history, it has been considered among the most damaging because of the sensitive information held by Equifax and the potential for that data to be used in identity theft or other crimes.


CannibalRAT, a RAT entirely written in Python observed in targeted attacks
2.3.2018 securityaffairs
Virus

Security researchers from Cisco Talos discovered a new remote access Trojan (RAT) dubbed CannibalRAT that has been written entirely in Python.
The CannibalRAT RAT is being used in highly targeted attacks. the experts explained that even if it isn’t very sophisticated it exhibits signs of code cannibalisation from other open-source projects.

“The RAT itself is not very sophisticated, and exhibits signs of code cannibalisation from other open-source projects, which contrasts with the command-and-control, using fast flux to keep hidden, even if the endpoints are not very diversified.” reads the analysis published by Talos.

The researchers observed the involvement of at least two variants (versions 3.0 and 4.0) in targeted attacks.

cannibalrat activity

The two samples were written using Python and packed into an executable using the popular tool py2exe.

According to the researchers, the version 4.0 is a stripped-down version, this means that vxers removed from the main code some features, anyway authors have attempted to add obfuscation techniques in order to avoid detection.

The version 4.0 includes a function that will generate random strings in memory in the attempt to make memory string analysis harder.
“The malware main script bytecode is stored in a portable executable (PE) section called PYTHONSCRIPT, while the Python DLL is stored in a section called PYTHON27.DLL. All the remaining modules’ bytecode is compressed and stored in the executable overlay.” continues the analysis.

The first variant of the malware was spotted on Jan. 8, anyway, Cisco Talos observed a significant increase in the activities of the CannibalRAT after the variant 4.0 appeared in the wild on February 5, 2018

Both variants use base16 encoding scheme to obfuscate command and control (C&C) hostnames and data exchanged with the server, they gain persistence by using “CurrentVersion\Run” registry key with the service name “Java_Update“,

Once executed, the CannibalRAT version 4.0 creates a PDF file with HTML code embedded that loads an image hosted at imgur.com and launches Chrome to open the PDF.

The two versions share the same C&C servers, but while the variant 3.0 uses standard web requests, the newer version uses a REST-based API.

“The command-and-control infrastructure attempts to use the fast flux technique to hide, although the name servers are changing with high frequency, and the end points tend to be the same, all belonging to a telecom provider in Brazil with the autonomous system number AS 7738 and shared among all four command-and-control hostnames.” states Cisco Talos.

CannibalRAT borrows the credential-stealer modules form the Radium-Keylogger, which has the source code published on Github, the experts also noticed that the VM detection feature was copied from a different Github repository.

“The malware’s modules have self-explanatory names: runcmd, persistence, download, upload, screenshot, miner, DDoS, driverfind, unzip, ehidden, credentials, file, zip, python, update, and vm.” continues the analysis.”All are present in version 3.0, while version 4.0 lacks the distributed denial of service, miner, Python and update modules, as well as the ability to steal credentials from Firefox (it only works with Chrome).”

Experts noticed that the version 4.0 doesn’t use modules, instead, all the code is included in the main script. Furthermore.

Talos team provided details of a campaign involving the CannibalRAT Version targeting the INESAP, a Brazilian school for public administration

The campaign is highly targeted at this specific geographic region, attackers targeted only Chrome users.

“the RAT was hosted at inesapconcurso.webredirect.org and filebin.net, while the second domain is a popular file-sharing platform, the first domain was clearly created as part of the campaign.” continues the analysis.

“The subdomain inesapconcurso is the aggregation of two words; inesap and concurso. The first word is the school name, the second can be translated into competition, this is part of the social engineering of this campaign, as this Institute helps the management the application of workers to public sector vacancies.”
Further info about the malware including IoCs are reported in the analysis.


European Commission requests IT firms to remove ‘Terror Content’ within an hour
2.3.2018 securityaffairs Cyber

The UE issued new recommendations to tackle illegal content online, it asked internet companies to promptly remove terror content from their platforms within an hour from notification.
On Thursday, the UE issued new recommendations to internet companies to promptly remove “harmful content,” including terror content, from their platforms.

“As a follow-up, the Commission is today recommending a set of operational measures accompanied by the necessary safeguards – to be taken by companies and Member States to further step up this work before it determines whether it will be necessary to propose legislation.” reads the fact sheet published by the European Commission.

“These recommendations apply to all forms of illegal content ranging from terrorist content, incitement to hatred and violence, child sexual abuse material, counterfeit products and copyright infringement.”

It is a call to action for the tech firms and social media giants to take down “terrorist content” within an hour of it being reported, the recommendation is directed to major services including YouTube, Facebook, and Twitter.

These platforms are daily abused by terrorist organizations like Islamic State group, the EU’s recommendations follow the demands of the nations participant at the 2017 G7 Summit held in Taormina, Italy, that urged action from internet service providers and social media giants against extremist content online.

terror content

The European Commission is teaming up with a group of US internet giants to adopt additional measures to fight web extremism, but at the same time, it warned it would adopt consider legislation if the Internet firms will not follow the recommendations.

“While several platforms have been removing more illegal content than ever before — showing that self-regulation can work — we still need to react faster against terrorist propaganda and other illegal content,” said the commission’s vice-president for the Digital Single Market Andrus Ansip.

“This content remains “a serious threat to our citizens’ security, safety, and fundamental rights,”


Andrus Ansip

@Ansip_EU
What is illegal offline is also illegal online. Limited liability system under EU's #eCommerce law already works well – it should stay in place. My statement at press conference on fighting illegal content online: http://bit.ly/2oJGgTw

1:07 PM - Mar 1, 2018
11
See Andrus Ansip's other Tweets
Twitter Ads info and privacy
The European Commission recognized the results achieved by internet firms in combatting illegal content, but the adversaries are very active and there is still a lot of work to do.

“significant scope for more effective action, particularly on the most urgent issue of terrorist content, which presents serious security risks”.

The European Commission pretends that terrorist content should be taken down within one hour of being reported by the authorities, it also urges more strictly monitoring and proactive actions against the illegal content.

The EU suggests the adoption of automated detection systems that could support tech firms to rapidly identify harmful content and any attempt to re-upload removed illegal content.

The new recommendations specifically address also other types of harmful illegal content such as hate speech and images of child sexual abuse.

“Illegal content means any information which is not in compliance with EU law or the law of a Member State. This includes terrorist content, child sexual abuse material (Directive on combating sexual abuse of children), illegal hate speech (Framework
Decision on combating certain forms and expressions of racism and xenophobia by means of criminal law), commercial scams and frauds (such as Unfair commercial practices directive or Consumer rights directive) or breaches of intellectual property rights (such as Directive on the harmonisation of certain aspects of copyright and related rights in the information society).” continues the EC.
“Terrorist content is any material which amounts to terrorist offences under the EU Directive on combating terrorism or under national laws — including material produced by, or attributable to, EU or UN listed terrorist organisations.”

According to the commission, internet firms removed 70 percent of illegal content notified to them in the preceding few months.


Apple Moves iCloud Data and Encryption Keys for Chinese Users to China
2.3.2018 thehackernews Apple

Apple has finally agreed to open a new Chinese data center next month to comply with the country's latest controversial data protection law.
Apple will now move the cryptographic keys of its Chinese iCloud users in data centers run by a state-owned company called Cloud Big Data Industrial Development Co, despite concerns from human rights activists.
In 2017, China passed a Cybersecurity Law that requires "critical information infrastructure operators" to store Chinese users' data within the country's borders, which likely forced Apple to partner with the new Chinese data center.
And the icing on the cake is that Chinese government already has legislation called National Security Law, passed in 2015, which gives police the authority to demand companies help them bypass encryption or other security tools to access personal data.
This is the first time when Apple is going to store encryption keys required to unlock iCloud accounts of its users outside the United States.
In theory, Chinese law enforcement agencies won't have to ask US courts for compelling Apple to give them access to the Chinese users’ data.
Instead, they'll simply use their legal system to demand access to cryptographic keys required to unlock iCloud accounts stored within their nation, making it far easier to access users’ data, such as messages, emails, and photos.
However, Apple has said the company alone would have access to the iCloud encryption keys and that Chinese authorities will have no backdoor into its data troves.
Apple said the company had not given any of its customers account information to Chinese authorities despite receiving 176 requests from 2013 to 2017, Reuters reported, though all requests were made before the new cybersecurity laws took effect.
If Apple thinks it would comply with one law, i.e., storing users data in China, but could stand without complying with other stringent Chinese regulations, then the company should reconsider its decision.
The company has severely been implementing various aspects of Chinese laws in recent months for its regional operations in the most populated country.
Last year, Apple controversially removed VPN apps from its official App Store in China to comply with Chinese cyberspace regulations, making it harder for internet users to bypass its Great Firewall.
Earlier last year, Apple removed the New York Times (NYT) app from its Chinese App Store because the app was in "violation of local regulations."


A Simple Bug Revealed Admins of Facebook Pages — Find Out How

2.3.2018 thehackernews Social

Facebook Page admins are publicly displayed only if admins have chosen to feature their profiles.
However, there are some situations where you might want to contact a Facebook page admin or want to find out who is the owner of a Facebook page.
Egyptian security researcher Mohamed A. Baset has discovered a severe information disclosure vulnerability in Facebook that could have allowed anyone to expose Facebook page administrator profiles, which is otherwise not supposed to be public information.
Baset claimed to have discovered the vulnerability in less than 3 minutes without any kind of testing or proof of concepts, or any other type of time-consuming processes.

In a blog post, Baset said he found the vulnerability, which he described as a "logical error," after receiving an invitation to like a particular Facebook page on which he had previously liked a post.
Facebook has introduced a feature for page admins wherein they can send Facebook invitations to users asking them if they wished to like their page after liking a post, and a few days later, these interacted users may receive an email reminding them of the invitation.
After Baset received one such email invite, he simply opened "show original" drop-down menu option in email. Looking at the email's source code, he noticed that it included the page administrator's name, admin ID and other details.
The researcher then immediately reported the issue to the Facebook Security Team through its Bugcrowd bug bounty program. The company acknowledged the bug and awarded Baset $2,500 for his findings.
Though Facebook has now patched this information disclosure issue, people who have already received one such page invitation can still find out admin details from the invitation emails.
"We were able to verify that under some circumstances page invitations sent to non-friends would inadvertently reveal the name of the page admin which sent them," Facebook said. "We've address the root cause here, and future emails will not contain that information."
Facebook has now patched this information disclosure issue.


Bugcrowd Raises $26 Million to Expand Vulnerability Hunting Business
2.3.2018 securityweek 
Vulnerebility

Crowdsourced security testing company Bugcrowd announced today that it has closed $26 million in a Series C funding round led by Triangle Peak Partners.

The new funding brings the total amount raised by the company to $50 million, including $15 million raised in a Series B funding round in 2016.

The company’s flagship “Crowdcontrol” offering is software-as-a-service platform that allows organizations run their own customized bug bounty programs to uncover and resolve security vulnerabilities in their products.

The new funding will be used to support product innovation and program management, the company said.

Bugcrowd currently operates the rewards programs of more than 70 different companiesnincluding security firms BitDefender, Centrify, NETGEAR, 1Password, Okta, Cylance, LastPass. Industry customers include MasterClass, Fiat Chrysler, Square, Fitbit, Mastercard, Tesla and Western Union. A recently announced Samsung Electronics' Mobile Security program rewards security researchers up to $200,000 per vulnerability, depending on its severity.

Existing investors Blackbird Ventures, Costanoa Ventures, Industry Ventures, Paladin Capital Group, Rally Ventures, Salesforce Ventures and Stanford participated in the Series C round, along with new investors Hostplus and First State Super.


Remotely Exploitable Flaws Patched in DHCP
2.3.2018 securityweek 
Vulnerebility

Updates released by the Internet Systems Consortium (ISC) for the Dynamic Host Configuration Protocol (DHCP) software patch two remotely exploitable vulnerabilities discovered by a researcher at Google.

Felix Wilhelm of the Google Security Team found that the DHCP Client (dhclient), which provides a means for configuring network interfaces, is affected by a buffer overflow vulnerability that allows a malicious server to cause the client to crash.

In some cases, exploitation of the flaw could also lead to remote code execution, ISC said in an advisory. The security hole is tracked as CVE-2018-5732 and rated high severity.

“Where they are present, operating system mitigation strategies such as address space layout randomization (ASLR) should make it difficult to leverage this vulnerability to achieve remote code execution but we can not rule it out as impossible. The safest course is to patch dhclient so that the buffer overflow cannot occur,” ISC said.

The second vulnerability, CVE-2018-5733, is a medium severity issue that can be exploited to exhaust the memory available to the DHCP daemon (dhcpd), resulting in a denial-of-service (DoS) condition to clients.

“A malicious client which is allowed to send very large amounts of traffic (billions of packets) to a DHCP server can eventually overflow a 32-bit reference counter, potentially causing dhcpd to crash,” ISC said.

The flaws affect DHCP versions 4.1.0 through 4.1-ESV-R15, 4.2.0 through 4.2.8, 4.3.0 through 4.3.6, and 4.4.0. Fixes are included in versions 4.1-ESV-R15-P1, 4.3.6-P1 and 4.4.1.

ISC said there was no evidence that the vulnerabilities had been exploited for malicious purposes.

The organization has also informed customers of a vulnerability affecting BIND Supported Preview Edition, which is a customer-only, non-public version of BIND. The flaw, tracked as CVE-2018-5734 and rated high severity, can lead to an assertion failure, which typically causes the software to crash.


23,000 Digital Certificates Revoked in DigiCert-Trustico Spat
2.3.2018 securityweek Security

Digicert vs Trustico

Certificate Authority (CA) DigiCert on Wednesday announced the en-masse revocation of more than 23,000 HTTPS certificates after certificate reseller Trustico sent over the private keys for those certificates.

The keys are supposed to be secret and only in the possession of certificate owners, not in the hands of the certificate authority, the reseller or any other third party. With the private keys exposed, DigiCert was forced to revoke impacted certificates within 24 hours, thus affecting a large number of customers.

The revocation appears to be the result of a one-month feud between Trustico and DigiCert and might evolve into an even larger number of certificates being axed.

This all apparently started on February 2, 2018, when Trustico sent a request to DigiCert “to mass revoke all certificates that had been ordered by end users through Trustico,” Jeremy Rowley, Executive VP of Product at DigiCert, explains. The CA refused, given the large number of certificates it was asked to revoke at once (50,000).

In August last year, DigiCert announced plans to buy Symantec’s website security and related public key infrastructure (PKI) solutions, after Symantec ended up in the crosshairs for wrongfully issuing TLS certificates on several occasions. Since December 1, 2017, Symantec SSL certificates have been issued by DigiCert.

With major browsers already announcing plans to distrust older Symantec certificates, Trustico too decided to abandon those certificates, and announced in mid-February that it would cease to offer Symantec branded SSL Certificates: Symantec, GeoTrust, Thawte and RapidSSL.

“As a valued partner of Comodo, Trustico have updated their systems to minimize disruption to customers with their API and ordering processes by enabling the automatic selection and ordering of equivalent products from the Comodo range,” Trustico said at the time.

A couple of weeks later, on February 27, Trustico sent DigiCert a file with 23,000 private keys matching certificates issued to reseller’s customers, which triggered a 24-hour revocation process.

“Trustico’s CEO indicated that Trustico held the private keys for those certificates, and then emailed us approximately 20,000 certificate private keys. When he sent us those keys, his action gave us no choice but to act in accordance with the CA/Browser Forum Baseline Requirements, which mandate that we revoke a compromised certificate within 24 hours,” DigiCert said in a Wednesday statement.

Because of these actions, starting today, visitors of impacted websites will see in their browsers that the connection to the domain is untrusted, unless the revoked certificates have been replaced in the meantime.

Since the beginning of February, DigiCert and Trustico have been communicating with each other over this, but each company has a different side of the story.

According to DigiCert, Trustico informed them that the certificates had been compromised and that it was in the possession of said private keys. Thus, DigiCert requested proof of compromise and received said keys.

“At this time, Trustico has not provided any information about how these certificates were compromised or how they acquired the private keys. As is standard practice for a Certificate Authority, DigiCert never had possession of these private keys,” Rowley says.

In addition to revoking the certificates, DigiCert decided to email all impacted customers to inform them on its action: “Following our standard revocation process, we gave notice via email to each certificate holder whose private keys had been exposed to us by Trustico, so they could have time to get a replacement certificate.”

Trustico, on the other hand, claims that it never said the certificates had been compromised, but that it informed DigiCert that it believed “Symantec to have operated our account in a manner whereby it had been compromised.”

The reseller also says that it doesn’t believe it to be “ideal to have any active SSL Certificates on the Symantec systems,” especially with Chrome set to distrust of all Symantec SSL certificates.

“The same management team responsible for that situation is duly employed at DigiCert and are fully managing our account, causing grave concern on our part as it appears to be business as usual with a new name. We were also a victim whereby Symantec mis-issued SSL Certificates owned by us, subsequently we were asked to keep the matter quiet, under a confidentially notice,” the company claims.

Moreover, Trustico points out that it never authorized DigiCert to email its customers about the revocation, but adds that it too sent a notice to the impacted clients.

The bottom line here, however, is the fact that DigiCert ended up revoking 23,000 HTTPS certificates because their private keys were compromised. Even if the keys hadn’t been compromised when the spat started, the fact that the reseller sent those keys in an email represented a compromise in itself.

“In communications today, Trustico has suggested that this revocation is due to the upcoming Google Chrome distrust of Symantec roots. That is incorrect. We want to make it clear that the certificates needed to be revoked because Trustico sent us the private keys; this has nothing to do with future potential distrust dates,” DigiCert points out.

The fact that Trustico kept those private keys on their platform is also worrisome.

Both Trustico and DigiCert said they would be working with the impacted customers to replace the axed certificates and that free replacement certificates are available for those clients.


Russia-linked Hackers Directly Targeting Diplomats: Report
2.3.2018 securityweek  APT

The Russia-linked cyber espionage group Sofacy has been targeting foreign affairs agencies and ministries worldwide in a recently discovered campaign, Palo Alto Networks warns.

The hacking group, also known as APT28, Fancy Bear, Pawn Storm, Sednit, Tsar Team, and Strontium, has been highly active recently, and new evidence shows activity directly targeting diplomats in North America and Europe, including those at a European embassy in Moscow.

Sofacy was supposedly behind the attacks on the 2016 United States presidential election, but also hit Ukraine and NATO countries. In fact, the group heavily targeted NATO in early 2017, when it even used zero-day exploits, but then started to shift its focus towards the Middle East and Central Asia.

Palo Alto Networks has now uncovered two parallel efforts within a new Sofacy campaign, each using its own set of tools for attacks. One of the efforts was observed in the beginning of February 2018 to use phishing emails as the attack vector, to target an organization in Europe and another in North America.

The message spoofed the sender address of Jane’s by IHSMarkit, a well-known supplier of information and analysis. The email carried an attachment claiming to be a calendar of events relevant to the targeted organizations, but was a Microsoft Excel spreadsheet containing a malicious macro script.

The attackers used a white font color to hide the content of the document to the victim and lure them into enabling macros. Once that happens, the script changes the text color to black.

The macro also retrieves content from several cells to obtain a base64 encoded payload, writes it to a text file in the ProgramData folder, and leverages the command certutil -decode to decode the contents to an .exe file, which it runs after two seconds.

The executable is a loader Trojan that decrypts an embedded payload (DLL) and saves it to a file. Next, it creates a batch file to run the DLL payload, and writes the path to the batch file to a registry key, for persistence.

The installed malware is a variant of SofacyCarberp, which has been extensively used by the threat group in attacks. The malware performs initial reconnaissance by gathering system information, then sends the data to the command and control (C&C) server and fetches additional tools.

Both the loader and the SofacyCarberp variant used in the attack are similar to samples previously analyzed, yet they include several differences, such as a new hashing algorithm to resolve API functions and find browser processes for injection, and modified C&C communication mechanisms.

The security researchers also believe the group may have used the Luckystrike open-source tool to generate the malicious document and/or the macro, as the macro in the document closely resembles those found within the Microsoft PowerShell-based tool. The only difference between the two, besides random function name and random cell values, would be the path to the “.txt” and “.exe” files.

The security researchers also noticed that the Sofacy group registered new domains as part of the campaign, but that it used a default landing page they employed in other attacks as well. The domain used in this attack, cdnverify[.]net was registered on January 30, 2018.

“No other parts of the C&C infrastructure amongst these domains contained any overlapping artifacts. Instead, the actual content within the body of the websites was an exact match in each instance,” Palo Alto notes.

“The Sofacy group should no longer be an unfamiliar threat at this stage. They have been well documented and well researched with much of their attack methodologies exposed. They continue to be persistent in their attack campaigns and continue to use similar tooling as in the past. This leads us to believe that their attack attempts are likely still succeeding, even with the wealth of threat intelligence available in the public domain,” Palo Alto concludes.


Hundreds of Tim Hortons outlets across Canada closed after malware attack
2.3.2018 securityaffairs
Attack

Tim Hortons restaurants across Canada have been hit by a computer malware that forced some locations to shut down over the past week.
When dealing with cyber threats for the retail sector, Target in most prominent case of potential damages from a cyber attack.

Today I want to report you the case of a malware-based attack that hit payment systems of hundreds of Tim Hortons restaurants across Canada forcing many of them to close.

“The company told the Globe and Mail that the virus hit fewer than 100 locations, attacking the Panasonic cash registers that the chain uses.” reported the Huffington Post Canada.

“But a source close to the issue told HuffPost Canada that as many as 1,000 Tim Hortons locations may have been impacted, amounting to roughly a quarter of all Canadian locations. Some locations were forced to close, while others had to shut down their drive-throughs.”

At the time of writing, there are no details about the type of malware that infected the systems at Tim Hortons restaurants, CTVNews quoting sources close to the incident reported that the malicious code was specifically designed to target cash registers making them unusable.

“The cash registers just plain don’t work,” the source told the news station “Many or the stores had to close totally.”

The Great White North Franchisee Association (GWNFA) which represents Tim Hortons franchisees is expected to take legal action against the Restaurant Brands International (RBI), the operator of Tim Hortons.

GWNFA accuses them of loss of revenue and of course reputational damage.

Tim Hortons locations malware

In a letter obtained by the Globe and the Canadian Press, Tim Hortons franchisees belonging to the Great White North Franchisee Association asked head office for compensation for losses due to the virus.

“The business interruption includes inability to use some or all of the … issued cash registers and [point-of-sale] terminals, causing partial and complete store closures, franchisees paying employees not to work, lost sales and product spoilage,” the letter from law firm Himelfarb Proszanski reportedly stated.

The letter defined the incident “a failure” and noted that it comes “on the heels of the public relations debacle” from January when two Cobourg, Ont. franchises owned by Ron Joyce Jr. and Jeri Horton-Joyce, the children of the company’s billionaire co-founders, moved to offset the province’s minimum wage hike by cutting paid breaks and forcing workers to cover a bigger share of their benefits.

According to the CTVNews, RBI has declared that no financial (i.e. data credit card information) and sensitive data was stolen by hackers.


Financial Cyberthreats in 2017
2.3.2018 Kaspersky   FINANCIAL CYBERTHREATS IN 2017  Cyber
In 2017, we saw a number of changes to the world of financial threats and new actors emerging. As we have previously noted, fraud attacks in financial services have become increasingly account-centric. User data is a key enabler for large-scale fraud attacks, and frequent data breaches – among other successful attack types – have provided cybercriminals with valuable sources of personal information to use in account takeovers or false identity attacks. These account-centric attacks can result in many other losses, including those of further customer data and trust, so mitigation is as important as ever for both businesses and financial services customers.

Attacks on ATMs continued to rise in 2017, attracting the attention of many cybercriminals, with attackers targeting bank infrastructure and payment systems using sophisticated fileless malware, as well as the more rudimentary methods of taping over CCTVs and drilling holes. In 2017, Kaspersky Lab researchers uncovered, among other things, attacks on ATM systems that involved new malware, remote operations, and an ATM-targeting malware called ‘Cutlet Maker’ that was being sold openly on the DarkNet market for a few thousand dollars, along with a step-by-step user guide. Kaspersky Lab has published a report outlining possible future ATM attack scenarios targeting ATM authentication systems.

It is also worth mentioning that major cyber incidents continue to take place. In September 2017, Kaspersky Lab researchers identified a new series of targeted attacks against at least 10 financial organizations in multiple regions, including Russia, Armenia, and Malaysia. The hits were performed by a new group called Silence. While stealing funds from its victims, Silence implemented specific techniques similar to the infamous threat actor, Carbanak.

Thus, Silence joins the ranks of the most devastating and complex cyber-robbery operations like Metel, GCMAN and Carbanak/Cobalt, which have succeeded in stealing millions of dollars from financial organizations. The interesting point to note with this actor is that the criminals exploit the infrastructure of already infected financial institutions for new attacks: sending emails from real employee addresses to a new victim, along with a request to open a bank account. Using this trick, criminals make sure the recipient doesn’t suspect the infection vector.

Small and medium-sized businesses didn’t escape financial threats either. Last year Kaspersky Lab’s researchers discovered a new botnet that cashes-in on aggressive advertising, mostly in Germany and the US. Criminals infect their victims’ computers with the Magala Trojan Clicker, generating fake ad views, and making up to $350 from each machine. Small enterprises lose out most because they end up doing business with unscrupulous advertisers, without even knowing it.

Moving down one more step – from SMEs to individual users – we can say that 2017 didn’t give the latter much respite from financial threats. Kaspersky Lab researchers detected NukeBot – a new malware designed to steal the credentials of online banking customers. Earlier versions of the Trojan were known to the security industry as TinyNuke, but they lacked the features necessary to launch attacks. The latest versions however, are fully operable, and contain code to target the users of specific banks.

This report summarizes a series of Kaspersky Lab reports that between them provide an overview of how the financial threat landscape has evolved over the years. It covers the common phishing threats that users encounter, along with Windows-based and Android-based financial malware.

The key findings of the report are:

Phishing:
In 2017, the share of financial phishing increased from 47.5% to almost 54% of all phishing detections. This is an all-time high, according to Kaspersky Lab statistics for financial phishing.
More than one in four attempts to load a phishing page blocked by Kaspersky Lab products is related to banking phishing.
The share of phishing related to payment systems and online shops accounted for almost 16% and 11% respectively in 2017. This is slightly more (single percentage points) than in 2016.
The share of financial phishing encountered by Mac users nearly doubled, accounting for almost 56%.
Banking malware:
In 2017, the number of users attacked with banking Trojans was 767,072, a decrease of 30% on 2016 (1,088,900).
19% of users attacked with banking malware were corporate users.
Users in Germany, Russia, China, India, Vietnam, Brazil and the US were the most often attacked by banking malware.
Zbot is still the most widespread banking malware family (almost 33% of attacked users), but is now being challenged by the Gozi family (27.8%).
Android banking malware:
In 2017, the number of users that encountered Android banking malware decreased by almost 15% to 259,828 worldwide.
Just three banking malware families accounted for attacks on the vast majority of users (over 70%).
Russia, Australia and Turkmenistan were the countries with the highest percentage of users attacked by Android banking malware.


SecOps: The Roadkill Victim of DevOps' Need for Speed
1.3.2018 securityweek Security

DevSecOps Remains a Theory Not Often Implemented in Practice

DevOps was born from the understanding that greater efficiency comes from breaking down business silos (in this case, development and operations) and working as a single unit. With the increasing understanding and regulatory demands that security should be baked into new products during their development, the logical extension is that security should be included in a new combined working model: DevSecOps.

The potential advantages of DevSecOps are well understand and frequently urged -- but not so commonly implemented. A new survey and report (PDF) from threat detection firm Threat Stack demonstrates that DevSecOps remains a theory not often implemented in practice.

Threat Stack questioned more than 200 security, development and operations professionals working for firms ranging from SMBs to large corporations in North America, across multiple industry sectors. The response shows that DevSecOps is well-understood and frequently lauded by firms, but not so often enacted.

The primary reason appears to be not just a lack of support from the highest levels, but actual discouragement from business leaders. More than half of companies (52%) admit to cutting back on security measures to meet a business deadline or objective. "Since the directive for speed starts at the very top, it's hard to ignore;" comment the report's authors; "even if it means that security becomes roadkill in the process."

The demand for development speed from the business leaders then transfers to the existing DevOps team. Sixty-two percent of the responders said that DevOps push back against demands to deploy secure technology, and 57% push back on security best practices -- presumably because implementing security is seen as incompatible with the overriding need for speed.

This is a common perception. Mike Smart, security strategist at Forcepoint, believes security is like the brake on a car. Business leaders think its purpose is to slow down the car; that is, security slows down business and business development. "Innovators will tell you the opposite," he says. "It's there to give the driver the confidence to go as fast as possible." In this view, security is the enabler of agile business -- but the implication is that security leaders have failed to adequately explain this function to the business leaders.

Surprisingly, however, the theory of DevSecOps is well received. Eighty-five percent of the responding organizations claim that bridging the gap between DevOps and security is an important goal, while 62% of developer and operations professionals say it has become a bigger priority.

Threat Stack has isolated three key factors at play in this apparent contradiction. The first is that security is still siloed and considered a separate function. "A security specialist," notes the report, "is assigned to the operations team at only 27% of the organizations we surveyed, and security pros are on board with development teams in just 18% of cases. At 38% of organizations, security is a completely separate team that is only brought in 'when needed'."

The second is that development is separate from security. "Forty-four percent of developers aren't trained to code securely. Without this basic knowledge, coding is often done without security in mind. This forces security to become a bottleneck when they must inevitably step in and intervene."

Thirdly, operations is little different. "A full 42% of operations staff admit that they are not trained in basic security practices, which means that they can't configure servers securely. It also means that they don't see deploying security as part of the configuration management process, which allows security best practices to fall by the wayside. When ops pros aren't trained in security, there's no way SecOps can succeed."

At the same time, security cannot be absolved from all responsibility for the lack of progress in DevSecOps. Just as developers can't code securely, security teams can rarely code at all. Security teams, suggests Threat Stack, "need to learn how to code and integrate their efforts into continuous deployment cycles. Don't wait for this process to happen organically; you must make a conscious investment in alignment and education across teams."

"Businesses have grappled with the 'Speed or Security' problem for years but the emergence of SecOps practices really means that companies can achieve both," said Brian Ahern, Threat Stack chairman and CEO. "The survey findings show that the vast majority of companies are bought-in, but, unfortunately, a major gap exists between intent of practicing SecOps and the reality of their fast-growing businesses. It's important that stakeholders across every enterprise prioritize the alignment of DevOps and security."

The key to developing an efficient DevSecOps regime is to break down silos -- but that includes breaking down self-imposed as well as organizationally-imposed silos.

Boston, Mass.-based intrusion detection firm Threat Stack raised $45 million in a Series C funding in September 2017, bringing the total raised by the company to more than $70 million.


Fortinet Enhances Network Security OS, Adds AI-based Threat Detection
1.3.2018 securityweek Security

Two major new product announcements were made at Fortinet’s Accelerate 18 conference this week, including a new machine learning (ML) threat intelligence and detection offering, along with a major upgrade to the Fortinet Security Fabric (FortiOS).

Accelerate 18, held in Las Vegas, Nevada, is Fortinet's annual global partner and user conference, attended by around 2,000 Fortinet partners, customers, and industry and technical experts.

The new ML product is called FortiGuard AI. It emerges from five years of analyses by FortiGuard Labs' 215 researchers in 31 countries analyzing the threat data from a global network of more than 3 million security sensors. The analyses have been used, employing supervised learning techniques, to train the FortiGuard AI automatic detection engine.

Fortinet LogoMachine learning threat detection is currently the best option for detecting new and unknown malware. But the accuracy of machine learning detection systems depends on the volume and accuracy of the data from which it learns. By spending five years in the process, and using supervised learning (that is, under the control of human analysts), rather than unsupervised learning, the quality and accuracy of Fortinet's ML system should be high.

The system now analyzes millions of threat samples every week. More than 5 billion processing nodes identify both the clean and malicious features of the threat samples to generate threat intelligence. That intelligence then automatically updates defensive signatures across the entire Fortinet Security Fabric.

"Fortinet Labs' five-year investment in automated analysis and detection of polymorphic threats," comments CISO Phil Quade, "has resulted in FortiGuard AI, a giant leap towards [automatically detecting polymorphic and zero-day threats]. FortiGuard AI analyzes and identifies threats with speed, agility, and accuracy to provide proactive threat detection at machine speed and scale. This frees threat analysts and network operators to focus on critical threat research and higher-order problems, reduces exposure to zero-day attacks, and minimizes the risk to Fortinet customers while increasing the attacker's costs."

The firm also announced the inclusion ML-based User and Entity Behavior Analysis (UEBA) capabilities into its SIEM product (FortiSIEM). The solution 'learns' patterns of normal user or entity behavior, and will then automatically detect anomalies. Concurrent logins from separate locations, users accessing corporate data in the middle of the night, and excessive logins to rarely used servers will all send alerts to the security team for relevant action.

Fortinet has also announced version 6 of its Security Fabric. "FortiOS 6.0," says founder, president and CTO Michael Xie, "delivers hundreds of new features and capabilities that were designed to provide the broad visibility, integrated threat intelligence and automated response required for digital business."

The Security Fabric is based on the world's most deployed network security operating system. It was launched in 2016 to allow different segments of network security to integrate seamlessly and to cooperate actively under the management of a central control. FortiOS 6.0 is expected to be available before the end of March 2018.

Example enhancements include multi-cloud visibility, where cloud connectors provide visibility spanning private clouds (with support for VMware NSX, Cisco ACI and Nokia Nuage); public clouds (supporting AWS, Azure, Google Cloud and Oracle Cloud); and SaaS clouds with CASB connectors (supporting Salesforce.com, Office 365, Dropbox, Box, AWS and more).

FortiClient 6.0 includes expanded OS support for Linux, providing IoT endpoint security. Actionable insights from the IoT devices can be shared with the Security Fabric, while telemetry can provide a deeper insight on what is running on a network's endpoint devices to quickly identify vulnerabilities.

Other enhancements involve network security, advanced threat protection, email and web applications, security management and analytics, and unified access.

"Using a single partner for integrated protection across multiple threat vectors, from public cloud workloads to email SaaS applications, is a key priority for ShipServ," says Dominic Aslan, VP of IT operations at the online marketplace for the marine industry. "Fortinet is an all-in-one cyber security company with a common, intuitive security management interface across all the Fortinet Security Fabric solutions, making it much easier to support."


Russian Hackers Infiltrated German Ministries' Network: Report
1.3.2018 securityweek BigBrothers

Berlin - Russian hackers have infiltrated Germany's foreign and interior ministries' online networks, German news agency DPA reported Wednesday quoting unnamed security sources.

The hacker group known as APT28 -- which has been linked to Russia's GRU military intelligence and accused of attacks on Hillary Clinton's 2016 presidential campaign -- managed to plant malware in the ministries' networks for possibly as long as a year, the news agency said.

German security authorities only detected the online spying in December, it said, adding that an isolated government IT network had also been hit.

If confirmed, the attack would be the biggest to hit the German government.

Top security officials had repeatedly warned during Germany's 2017 general elections that Russia hackers may seek to disrupt the polls.

While authorities did not have concrete proof, they have pinned the malware attack that crippled the Bundestag parliamentary network in 2015 for days on the APT28, also known as "Fancy Bear" or "Sofacy".

The attack netted 17 gigabytes of data which, officials feared, could be used to blackmail MPs or discredit them.

Amid the rising frequency of attacks, Germany's defence ministry in 2016 set up a cyber department to coordinate a response to online intrusions.


"RedDrop" Mobile Malware Records Ambient Audio
1.3.2018 securityweek Android

A newly detailed mobile malware can do more than steal data from infected devices: it can also record ambient audio and send the recordings to cloud storage accounts controlled by attackers.

Dubbed RedDrop, the malware can also inflict financial costs on victims by sending SMS messages to premium services, security firm Wandera says. The U.K.-based company has discovered 53 malware-ridden apps that are exfiltrating sensitive data from infected devices.

RedDrop-infected applications are being distributed through a network of more than 4,000 domains and range from tools such as image editors and calculators to recreational apps. Every observed application offers the expected functionality, thus hiding the malicious content stored within.

Once the user installs an application from the RedDrop family, invasive permissions are requested, so that the next steps of the attack would be performed without additional user interaction, the security researchers reveal. The malware even asks for permissions that allow it to persist between reboots and to continuously communicate with its command and control (C&C) servers.

To lure victims to their malicious network, the attackers even display ads on the popular Chinese search engine Baidu. One such ad would take the user to huxiawang.cn, the primary distribution site for the attack, which encourages users to download one of the 53 malicious apps.

Once the user installs a RedDrop-infected application, 7 additional APKs are silently downloaded and executed on the device, each meant to enable additional malicious functionality. The downloaded components are stored dynamically into the device’s memory.

One of the observed applications (CuteActress) was designed to send an SMS message to a premium service each time the user would touch the screen to interact with the app’s legitimate functionality. The threat would also delete all of these messages, thus erasing any evidence of these premium SMS.

The RedDrop malware family also includes a set of spyware tools capable of extracting valuable and damaging data from the victim’s device. The Wandera researchers associated encrypted and unencrypted data, encoded data and TCP streams to RedDrop’s exfiltration activities.

Stolen data includes locally saved files (such as photos and contacts), device-related information (IMEI, IMSI, etc), SIM info (MNC, MCC, etc), application data, and information on nearby Wi-Fi networks. More disturbing is the fact that RedDrop can also record an audio of device’s surroundings.

According to Wandera, RedDrop is one of the most sophisticated Android malware families, given the range of functioning malicious applications it hides behind and its complex distribution network. The malware is expected to remain active even after the applications are flagged as malicious, and new variants are expected to emerge in the coming months.

“This multifaceted hybrid attack is entirely unique. The malicious actor cleverly uses a seemingly helpful app to front an incredibly complex operation with malicious intent. This is one of the more persistent malware variants we’ve seen,” Dr Michael Covington, VP of Product Strategy at Wandera, says.

According to Craig Young, computer security researcher for Tripwire, this is not the first time Android malware that includes such extensive spyware capabilities has been discovered and the research appears exaggerated.

“This looks more like a very amateur trial run of Android malware rather than “one of the most sophisticated pieces of Android malware” as claimed by Wandera,” Young told SecurityWeek in an emailed comment.

He also pointed out that the malware’s ability to record and upload calls “provides minimal value outside of targeted attacks and potentially makes the malware more apparent by draining a victim’s battery quickly.”

Young recommends paying extra attention to the permissions applications may request, as this is a great means to stay safe from infections.

“With Android 6 (released 2015), apps will request permissions at runtime which should make it abundantly obvious when a malicious app wants to do something like sending SMS or recording audio. Users of older Android releases must rely instead on reviewing the requested permissions at install time to confirm that they are appropriate for the app,” Young concluded.


Five Threat Groups Target Industrial Systems: Dragos
1.3.2018 securityweek ICS

There are at least five sophisticated threat groups whose activities focus on industrial control systems (ICS), according to a report published on Thursday by industrial cybersecurity firm Dragos.

While it’s not uncommon for non-targeted malware to make its way onto industrial systems, targeted attacks have also become increasingly common. Dragos currently tracks five threat actors that have either attacked ICS directly or have shown an interest in gathering information on these types of systems.

One of these groups is tracked by the security firm as Electrum. This is the actor behind the CRASHOVERRIDE/Industroyer malware used in December 2016 to cause a power outage in Ukraine. Electrum has been linked to Sandworm Team, which is believed to be responsible for a 2015 power outage in Ukraine. Russia has been accused for both attacks.

While it apparently hasn’t launched any major attacks since the 2016 campaign targeting Ukraine’s energy sector, Dragos says Electrum continues to be active, and evidence suggests it has expanded targets.Five threat groups target ICS

“While past ELECTRUM activity has focused exclusively on Ukraine, information from low- level ongoing events and the group’s link to SANDWORM Dragos assesses that ELECTRUM could be ‘re-tasked’ to other areas depending on the focus of their sponsor,” Dragos said in its report.

Another gang tracked by Dragos is Covellite, which has been linked to North Korea’s Lazarus group. Researchers started observing Covellite in September 2017, when it launched a highly targeted phishing campaign against a U.S. electric grid company. They later spotted attacks that may have been conducted by this group aimed at organizations in Europe, North America and East Asia.

Unlike Electrum, Covellite has yet to use malware specifically designed to target industrial systems in its campaigns.

Dragos’ report also summarizes the activities of Dymalloy, a group whose attacks came to light during an investigation into Dragonfly, an actor that is also known as Crouching Yeti and Energetic Bear. Dragonfly, which is believed to be operating out of Russia, is known for its sophisticated Havex malware, and it was recently observed targeting control systems in U.S. energy firms.

Dragos believes Dymalloy is not linked – at least not directly – to Dragonfly and its tools are not as advanced as Havex. However, the hackers did manage to breach ICS organizations in Turkey, Europe and North America, gaining access to HMI devices.

Experts say Dymalloy appears to have become less active since early 2017, possibly in response to attention from the media and security researchers.

Since mid-2017, Dragos has been tracking a group it has named Chrysene, whose activity focuses on North America, Western Europe, Israel and Iraq, particularly organizations in the electricity generation and oil&gas sectors.

Chrysene, which continues to be active, has used a unique variation of a framework associated with the Iran-linked cyber espionage groups known as OilRig and Greenbug.

“While CHRYSENE’s malware features notable enhancements over related threat groups using similar tools, Dragos has not yet observed an ICS-specific capability employed by this activity group. Instead, all activity thus far appears to focus on IT penetration and espionage, with all targets being ICS-related organizations,” Dragos said.

It’s worth noting that the recently uncovered piece of malware known as Trisis/Triton, which is the first threat specifically designed to disrupt safety instrumented systems (SIS), has also been linked by some researchers to Iran.

The last ICS-focused threat group monitored by Dragos is Magnallium, which has also been linked to Iran. The security firm started tracking this actor following a report from FireEye on the activities of APT33.

While some media reports portrayed APT33 as a serious threat to ICS and critical infrastructure, Dragos’ investigation showed that the group does not appear to possess any ICS-specific capabilities.

“While only one [of these groups] has demonstrated an apparent capability to impact ICS networks through ICS-specific malware directly, all have engaged in at least reconnaissance and intelligence gathering surrounding the ICS environment,” Dragos said.

“These groups have remained relatively constant regarding overall activity throughout the year, and Dragos is confident that additional unknown events have occurred,” the company added.


Public Advisories Fail to Convey True Impact of ICS Flaws
1.3.2018 securityweek ICS

Public advisories describing vulnerabilities in industrial control systems (ICS) often fail to convey the true impact of the flaws, according to a report published today by ICS cybersecurity firm Dragos.

An analysis of 163 advisories published last year by ICS-CERT and others – excluding reports on medical device flaws, which ICS-CERT regularly covers – allowed Dragos to compile some useful statistics.

The company determined that patches for nearly two-thirds of the security holes disclosed last year don’t fully eliminate the risk due to the fact that the affected systems had been insecure by design.

Another interesting point made by Dragos in its report is that 85% of the vulnerabilities can be exploited late in the kill chain and they are not useful for getting an initial foothold in the targeted organization’s network. This means that an attacker who manages to exploit the flaws has had access to the target’s network for some time.

Once exploited, one-third of the vulnerabilities lead to what Dragos describes as “loss of view,” which results in the victim not being able to monitor or read the state of the compromised system.

In 29% of cases, exploitation of the bugs leads to “loss of control,” preventing any modifications to the state of the system. In roughly the same percentage of cases, exploitation of a flaw leads to both loss of control and loss of view.

“Vulnerabilities which lead to both a loss of view and control occur in the core of traditional control networks affecting both field devices (PLCs, RTUs, etc.) as well as management such as human-machine interface (HMI) systems and engineering workstation (EWS) software,” Dragos explained in its report. “This means that a large percentage (61%) of ICS-related vulnerabilities will cause severe operational impact if exploited.”

Learn More at SecurityWeek’s ICS Cyber Security Conference

Many of the flaws covered by the advisories analyzed by Dragos affect products that are further away from the perimeter of the operational technology (OT) network, which makes them less likely to be exploited.

However, 15% of advisories describe vulnerabilities in components located very close to the network perimeter. Systems such as historians, OPC servers, firewalls, VPN products, and cellular gateways are often directly accessible from the business network and even from the Internet, which makes them more likely to be attacked.

Nearly one-quarter of the weaknesses impact field devices, while 31% affect HMIs.

ICS component vulnerabilities

“Most of the control system vulnerability patching focus should be placed on the 30% of vulnerabilities which impact exterior-facing systems,” Dragos said. “Since so many assets and interior control elements are nowhere near a network border, applying patches in the 85% of interior and none-to-medium proximity cases would likely have little to no reduction in risk for impact against attack.”

Dragos also busted a common myth claiming that most ICS vulnerabilities are found in demo or free software rather than actual control systems. However, the company found that 63% of all ICS-related flaws disclosed last year impacted software or hardware that could not have been obtained for free.

The security firm’s analysis also revealed that 72% of public advisories describing ICS flaws did not provide any alternative mitigations. According to Dragos, recommending the use of VPNs and trusted networks, which is included in most advisories, does not count as alternative mitigations.


RedDrop, a new Android Malware records ambient Audio and exfiltrate user’s data
1.3.2018 securityaffairs Android

RedDrop malware is a recently discovered mobile threat that can steal data from infected devices and also record ambient audio.
Security researchers at Wandera have spotted a new sophisticated family of mobile malware dubbed RedDrop that can steal data, record audio, and intercept SMS. All data stolen from infected systems is uploaded to remote file storage systems.

The malicious code was found in dozens of apparently innocuous apps, the researchers discovered RedDrop hidden in 53 Android applications, including image editors, calculators, language learning apps and space exploration apps.

The applications work as expected and the RedDrop malware is executed in the background.

“The latest zero-day threat to be discovered by Wandera’s mobile threat research team is RedDrop, a family of mobile malware inflicting financial cost and critical data loss on infected devices.” reads the analysis published by Wandera. “The most worrying part? The 53 malware-ridden apps are exfiltrating sensitive data – including ambient audio recordings – and dumping it in the attackers’ Dropbox accounts to prepare for further attacks and extortion purposes.”

Once an infected app is installed, it downloads at least seven more Android Application Packages (APKs) from a different command and control server, each of them implements a malicious functionality. The APKs are stored in the memory of the device, this trick allows to execute them without including the feature in the original malware sample.

The RedDrop malware could also send SMS message to a premium service and then instantly deletes the message to avoid detection by the user.

The researchers discovered that the malicious Apps are distributed from a complex network composed of more than 4,000 domains registered to the same underground group that might be operating out of China.

“Wandera’s machine learning detections first uncovered one of the RedDrop apps when a user clicked on an ad displaying on popular Chinese search engine Baidu.” continues the analysis. “The user was then taken to huxiawang.cn, the primary distribution site for the attack. The landing pages that follow host various content to encourage and incite the user to download one of the 53 apps within the RedDrop family of malicious apps.”

One of the applications observed by the researchers (CuteActress) was designed to send an SMS message to a premium service every time the user would use a functionality of the app. The threat would also delete all of these messages, thus erasing any evidence of these premium SMS.

reddrop malware cuteactress_v5

Currently, most of the infections were observed are in China, followed by Europe and America.

Android users that download apps from third-party sources and websites are most exposed to this threat, no instance of the RedDrop malware have been yet found on the Google Play store neither other official stores.


Hundreds of sites based on WordPress, Joomla and CodeIgniter infected by ionCube Malware
1.3.2018 securityaffairs
Virus

Security researchers at the firm SiteLock have discovered that hundreds of websites have been infected with the ionCube malware.
Security researchers at SiteLock have discovered that hundreds of websites have been infected with malware that masquerades as legitimate ionCube-encoded files.

ionCube is an encoding technology used to protect PHP software from being viewed, changed, and run on unlicensed computers.

The experts were analyzing an infected WordPress website when discovered a number of suspicious obfuscated files – such as “diff98.php” and “wrgcduzk.php” – appearing almost identical to legitimate ionCube-encoded files. Further analysis conducted revealed that hundreds of websites were infected by the same ionCube Malware.

“While reviewing an infected site, the SiteLock Research team found a number of suspiciously named, obfuscated files that appear almost identical to legitimate ionCube-encoded files. We determined the suspicious ionCube files were malicious, and found that hundreds of sites and thousands of files were affected.” reads the analysis published by SiteLock.

“Overall, our investigation found over 700 infected sites, totalling over 7,000 infected files.”

Further analysis revealed that attackers also compromised Joomla and CodeIgniter websites. Threat actors packed their malware in a manner that appears ionCube-encoded files.

The malicious code could theoretically infect any website based on a web server running PHP, once decoded, the fake ionCube files compose the ionCube malware.

“While there’s still some degree of obfuscation, the presence of the $_POST and $_COOKIE superglobals and the eval request at the end of the file reveal its true purpose: to accept and execute remotely supplied code.” continues the analysis. “It looks like the remote code supplied to this file is further obfuscated and there may be some sort of access control implemented, judging by the GUID-formatted string present.”

ionCube malware

The researchers also provided recommendations to mitigate the ionCube Malware, they suggest administrators check the presence of ionCube-encoded files as an indicator of compromise.

If an infection is detected, the scanning of the entire site is recommended, to completely eliminate the threat, the researchers also suggest the adoption of a web application firewall (WAF).

“If you find indicators of this infection, we strongly recommend having your site scanned for malware as soon as possible, as this malware seldom appears on its own.” concluded the analysis.

“This is especially important if you are using an ionCube-encoded application, as manually differentiating the malicious files from the legitimate ones is difficult, and it is common to see up to 100 slightly different variants of this malware on a single site. “


DPA Report: Russia-linked APT28 group hacked Germany’s government network
1.3.2018 securityaffairs APT  BigBrothers

Germany Government confirmed that hackers had breached its computer network and implanted a malware that was undetected for one year.
German news agency DPA reported that Russian hackers belonging to the APT28 group (aka Fancy Bear, Pawn Storm, Sednit, Sofacy, and Strontium) have breached Germany’s foreign and interior ministries’ online networks.

The agency, quoting unnamed security sources, revealed that the APT28 hackers planted malware in the ministries’ networks. The malicious code was undetected as long as a year.

“A Russian-backed hacker group known for many high-level cyber attacks was able to infiltrate the German government’s secure computer networks, the dpa news agency reported Wednesday.” reported the ABCnews.

The German Government discovered the intrusion in December but the experts believe that the hackers were inside the networks as long as a year. The DPA also added that hackers were able to penetrate an isolated government IT network.

“within the federal administration the attack was isolated and brought under control.” said the Interior Ministry that also confirmed an ongoing investigation.

“This case is being worked on with the highest priority and considerable resources,” the ministry added.

The hackers exfiltrated 17 gigabytes of data that could be used in further attacks against the German Government.

APT28 targets Germany

This isn’t the first time that Russia-linked APT28 was blamed for a cyber attack against Germany, in 2015 the APT group hacked into the systems of the German Parliament.

What will happen in the future?

Top German intelligence officials are requesting to the government to hack back attackers in case of a cyber attack from a foreign government


Victims of the GandCrab ransomware can decrypt their files for free using the decryptor
1.3.2018 securityaffairs
Ransomware

The GandCrab ransomware decryptor has been released by the Romanian Police (IGPR) under the supervision of the General Prosecutor’s Office (DIICOT) and in collaboration with the internet security company Bitdefender and Europol.
Bitdefender has teamed up with Europol, the Romanian Police, and the Directorate for Investigating Organized Crime and Terrorism (DIICOT) to release a free decryption tool for the infamous GandCrab Ransomware.
Early February experts at cyber security firm LMNTRIX have discovered a new ransomware-as-a-service dubbed GandCrab. advertised in Russian hacking community on the dark web.
GandCrab raas

The GandCrab was advertised in Russian hacking community, researchers noticed that authors leverage the RIG and GrandSoft exploit kits to distribute the malware.

Partners are prohibited from targeting countries in the Commonwealth of Independent States (Azerbaijan, Armenia, Belarus, Kazakhstan, Kyrgyzstan, Moldova, Russia, Tajikistan, Turkmenistan, Uzbekistan and Ukraine).

It has been estimated that the GandCrab ransomware has managed to infect approximately 50,000 computers, most of them in Europe, in less than a month asking from each victim for ransoms of $400 to $700,000 in DASH cryptocurrency.
“As of today, a new decryption tool for victims of the GandCrab ransomware is available on www.nomoreransom.org. This tool has been released by the Romanian Police (IGPR) under the supervision of the General Prosecutor’s Office (DIICOT) and in collaboration with the internet security company Bitdefender and Europol.” reads the announcement published by the Europol.“First detected one month ago, GandCrab has already made 50 000 victims worldwide, a vast number of which in Europe, making it one of the most aggressive forms of ransomware so far this year.”

Victims of GandCrab ransomware thanks to Bitdefender and the European law enforcement can recover files without paying the ransom.

“Ransomware has become a billion-dollar cash cow for malware authors, and GandCrab is one of the highest bidders,” Bitdefender’s Senior Director of the Investigation and Forensics Unit, Catalin Cosoi says.

“We are glad to provide our technical expertise in fighting cyber-crime as our long-standing mission is to protect the world’s Internet users and organizations. In the near future, we expect ransomware developers to migrate towards mining and stealing cryptocurrency”

GandCrab ransomware decrypter

The tool is available on Bitdefender’s website here, and through No More Ransom RansomFree.


Remotely Exploitable Flaws Patched in DHCP
1.3.2018 securityweek
Vulnerebility

Updates released by the Internet Systems Consortium (ISC) for the Dynamic Host Configuration Protocol (DHCP) software patch two remotely exploitable vulnerabilities discovered by a researcher at Google.

Felix Wilhelm of the Google Security Team found that the DHCP Client (dhclient), which provides a means for configuring network interfaces, is affected by a buffer overflow vulnerability that allows a malicious server to cause the client to crash.

In some cases, exploitation of the flaw could also lead to remote code execution, ISC said in an advisory. The security hole is tracked as CVE-2018-5732 and rated high severity.

“Where they are present, operating system mitigation strategies such as address space layout randomization (ASLR) should make it difficult to leverage this vulnerability to achieve remote code execution but we can not rule it out as impossible. The safest course is to patch dhclient so that the buffer overflow cannot occur,” ISC said.

The second vulnerability, CVE-2018-5733, is a medium severity issue that can be exploited to exhaust the memory available to the DHCP daemon (dhcpd), resulting in a denial-of-service (DoS) condition to clients.

“A malicious client which is allowed to send very large amounts of traffic (billions of packets) to a DHCP server can eventually overflow a 32-bit reference counter, potentially causing dhcpd to crash,” ISC said.

The flaws affect DHCP versions 4.1.0 through 4.1-ESV-R15, 4.2.0 through 4.2.8, 4.3.0 through 4.3.6, and 4.4.0. Fixes are included in versions 4.1-ESV-R15-P1, 4.3.6-P1 and 4.4.1.

ISC said there was no evidence that the vulnerabilities had been exploited for malicious purposes.

The organization has also informed customers of a vulnerability affecting BIND Supported Preview Edition, which is a customer-only, non-public version of BIND. The flaw, tracked as CVE-2018-5734 and rated high severity, can lead to an assertion failure, which typically causes the software to crash.


Emerson Patches Severe Flaw in ControlWave Controllers
1.3.2018 securityweek
Vulnerebility

Automation solutions provider Emerson has patched a potentially serious denial-of-service (DoS) vulnerability in its ControlWave Micro Process Automation Controller product.

ControlWave Micro Process Automation Controller is a hybrid remote terminal unit (RTU)/programmable logic controller (PLC) used around the world, particularly in the energy, and water and wastewater systems sectors.

According to an advisory published this week by ICS-CERT, this Emerson product is affected by a high severity stack-based buffer overflow vulnerability that can be exploited to force the device to enter “halt mode” by sending specially crafted packets on port 20547.Emerson fixes vulnerability in ControlWave Process Automation Controller

Emerson fixes vulnerability in ControlWave Process Automation Controller

“Exploitation may possibly cause a halt of Ethernet functionality, requiring a cold start to restore the system as well as communications related to ControlWave Designer access. This can possibly result in a loss of system availability and disruption in communications with other connected devices,” ICS-CERT said in its advisory.

The flaw, tracked as CVE-2018-5452, affects ControlWave Micro controllers running version 05.78.00 and prior of the firmware. Emerson patched the vulnerability with the release of version 05.79.00.

The security hole was reported to Emerson by Nozomi Networks, a company that specializes in cybersecurity and visibility solutions for industrial control systems (ICS). The firm, which recently raised $15 million in a Series B funding round, said it did not take long to find the flaw using a process it developed for testing ICS devices.

Moreno Carullo, co-founder and CTO of Nozomi, told SecurityWeek that the vulnerability can be exploited remotely over the Internet against devices that have port 20547 open. A Shodan search conducted by the company showed 163 potentially vulnerable devices, mainly in the United States, Canada and Mexico.

Carullo said the vulnerability was reported to Emerson in October 2017 and it was patched after roughly two months, which he described as “relatively fast compared to others.”


Podnikové systémy trpí pod těžbou kryptoměn

28.2.2018 SecurityWorld Rizika
Nejnovější Celosvětový index dopadu hrozeb uveřejnil Check Point. Podle něj na organizace po celém světě útočil malware zaměřený na těžbu kryptoměn, přičemž téměř čtvrtina organizací bylo ovlivněných variantou CoinHive.

V Top 10 škodlivých kódů nejčastěji použitých k útokům na organizace se umístily tři různé varianty malwaru těžícího kryptoměny, CoinHive se dokonce umístil na první příčce, když ovlivnil více jednu z pěti organizaci. CoinHive těží kryptoměnu Monero bez souhlasu uživatele a implantuje JavaScript, který využívá CPU koncových uživatelů a negativně ovlivňuje výkon stroje.

„Během uplynulých tří měsíců se malware těžící kryptoměny stal velmi vážnou hrozbou pro všechny organizace, protože kyberzločinci zde vidí lukrativní zdroj příjmů,“ říká Peter Kovalčík, SE Manager ve společnosti Check Point.

„Ochrana před malwarem těžícím kryptoměny je náročná, protože škodlivý kód je často ukrytý ve webových stránkách, což umožňuje hackerům zneužívat výkon procesorů nic netušících obětí. Je proto zásadní, aby organizace používaly taková řešení, která je ochrání i před těmito maskovanými kyberútoky.“

Check Point také zjistil, že 21 procent organizací stále úspěšně nevyřešilo problém se stroji infikovanými malwarem Fireball. Fireball může být použit jako plně funkční downloader malwaru, který je schopný spouštět jakýkoli kód na počítačích obětí. Poprvé byl objeven v květnu 2017 a masivně útočil na organizace během léta 2017.

Top 3 malware ve firmách

Jedničkou mezi škodlivými kódy nejčastěji použitými k útokům na organizace se stal i v lednu CoinHive, malware těžící kryptoměny, který ovlivnil 23 procent organizací. Na druhé místo poskočil Fireball a v Top 3 se udržel exploit kit Rig ek ovlivňující 17 procent společností.

↔ CoinHive –je navržen pro těžbu kryptoměny Monero bez souhlasu uživatele.
↑ Fireball –Převezme kontrolu nad prohlížečem a může ho změnit na plně funkční downloader malwaru. Je schopen spustit jakýkoli kód na počítačích obětí, takže může provádět nejrůznější škodlivé akce, od krádeží přihlašovacích údajů až po stažení dalšího malwaru.
↓ Rig ek – Exploit kit poprvé použitý v roce 2014. Rig zneužívá zranitelností ve Flashi, Javě, Silverlightu a Internet Exploreru. Infekce začíná přesměrováním na vstupní stránku obsahující JavaScript, který zjistí a umožní zneužití zranitelných plug-inů.

Top 3 - mobilní malware

Nejčastěji použitým škodlivým kódem k útokům na podniková mobilní zařízení byl v lednu bankovní trojan Lokibot, následovaly škodlivé kódy Triada a Hiddad.

Lokibot – Bankovní trojan pro Android a současně malware zaměřený na krádeže informací, který se může změnit také na ransomware. V případě odstranění administrátorských oprávnění zamkne telefon.
Triada – Modulární backdoor pro Android, který uděluje superuživatelské oprávnění pro stažení malwaru a pomáhá jej vložit do systémových procesů. Triada take umí zfalšovat URL odkazy uložené v prohlížeči.
Hiddad – Android malware, který přebaluje legitimní aplikace a pak je umísťuje do obchodů třetích stran. Jeho hlavní funkcí je zobrazování reklam, ale může také získat přístup ke klíčovým bezpečnostním informacím obsaženým v operačním systému, což umožňuje útočníkovi získat citlivá uživatelská data.

Check Point analyzoval i malware útočící na podnikové sítě v České republice. V žebříčku došlo k řadě změn, ale zcela nejvýraznějším trendem je vzestup škodlivých kódů těžících kryptoměny, což potvrzuje i první místo, kam se stejně jako ve světě posunul CoinHive.

Zároveň vydal i žebříček zemí, které jsou nejčastěji terčem kyberútoků. V žebříčku opět došlo k mnoha výrazným změnám a i Česká republika se tentokrát posunula o 15 míst mezi nebezpečnější země a v Indexu hrozeb jí patřilo 101. místo. Naopak Slovensko se posunulo o 24 míst mezi bezpečnější země a umístilo se na 116. pozici. Na prvním místě se v Indexu hrozeb nově umístila Botswana. Největší skok mezi nebezpečné země zaznamenal Mosambik (posun ze 123. pozice na 28. příčku). Naopak Lichtenštejnsko poskočila o 119 míst z 5. pozice na druhý konec žebříčku a bezpečnější 124. příčku.


Speciální antivirus pro chytré televize představil Eset

28.2.2018 SecurityWorld Zabezpečení
Smart TV Security, bezpečnostní aplikaci pro chytré televizory s Androidem, oznámil Eset. Novinka podle výrobce ochrání diváky před narůstajícími útoky pomocí malwaru včetně obrany před ransomwarem.

Prostřednictvím napadnutého chytrého televizoru mohou kyberzločinci proniknout i do jiných zařízení připojených do stejné domácí sítě, ale také provádět špionáž a shromažďovat citlivé osobní údaje. I kvůli tomu navrhnul Eset vlastní aplikaci na ochranu chytrých televizorů s operačním systémem Android TV.

„Vzhledem k rizikům, jež představují ohrožení bezpečnosti a soukromí, musí uživatelé řešit ochranu chytrých zařízení v domácnosti stejným způsobem, jako chrání své notebooky, tablety nebo mobilní telefony – nemohou k nim přistupovat jako k obyčejným televizím, varným konvicím nebo hodinkám,“ tvrdí Branislav Orlík, Mobile Security Product Manager společnosti Eset.

Chytré televizory s operačním systémem Android TV se podle něj stávají terčem nechvalně proslulého vyděračského ransomwaru určeného pro zařízení s Androidem, který se již řadu let zaměřuje na tablety a chytré mobilní telefony.

Hrozba se nyní rozšířila i na televizory s tímto operačním systémem, což vedlo k případům zašifrovaných obrazovek a požadavkům na výkupné za jejich odšifrování.

Aplikace Smart TV Security využívá při ochraně diváků různé bezpečnostní funkce, mezi něž patří:

Antivirová ochrana, jež brání v průniku rostoucímu počtu škodlivého softwaru určenému pro zařízení s Androidem.
Nástroj Anti-ransomware, který chrání před zašifrováním obrazovky. Pokud již do televizoru proniknul ransomware a zašifroval data, doporučuje se divákům vypnout a znovu zapnout chytrou televizi, provést aktualizaci virové databáze a spustit skenování malwaru. Pokud Smart TV Security detekuje ransomware, doporučí uživateli odinstalovat malware. Po potvrzení jeho odinstalování bude ransomware vymazán.
Skenování více zařízení na přítomnosti škodlivého softwaru, včetně těch, která se k chytré televizi připojují prostřednictvím USB.
Antiphishing na ochranu uživatelů před pokusy o krádež citlivých osobních dat. Tato funkce bude k dispozici pouze v prémiové verzi aplikace Smart TV Security.

Bezpečnostní aplikaci lze do televizoru stáhnout prostřednictvím obchodu Google Play.


Německá ministerstva obrany a zahraničí napadli ruští hackeři

28.2.2018 Novinky/Bezpečnost  BigBrother
Německé bezpečnostní zdroje přiznaly, že se ruským hackerům podařilo v prosinci nepozorovaně nabourat počítačové sítě ministerstev obrany a zahraničí. Zdroje podle stanice Deutsche Welle uvedly, že škodlivý malware byl do sítí nainstalován o rok dříve.

Německá vláda přiznala, že se útok povedl ruské skupině APT28 známé taky jako Fancy Bear, která je spojována s ruským vojenským zpravodajstvím. Zdroj agentury DPA uvedl, že se hackerům zřejmě podařilo do klíčové vládní sítě nasadit malware, který tam mohl být rok. Infiltrovaná byla vládní síť Informationsverbund Berlin-Bonn (IVBB), což je speciálně navržená platforma pro komunikaci kancléřství, federálních ministerstev a několika bezpečnostních institucí v Berlíně a v Bonnu. Z bezpečnostních důvodů je oddělená od veřejné sítě.

Německé úřady čelily útokům hackerů i v minulosti, kdy se internetovým útočníkům podařilo proniknout například do sítě parlamentu.

Za útokem na Bundestag z roku 2015 je také skupina APT28. Byl tak rozsáhlý, že po něm musela německá vláda vyměnit celou IT infrastrukturu.

Německá vláda uvádí, že eviduje dvacet hackerských útoků denně.


Hackeři ukradli přes 150 miliónů korun. Policie nakonec dopadla jejich šéfa

28.2.2018 Novinky/Bezpečnost  Kriminalita
Ukrajinská policie dopadla vůdce nebezpečné hackerské skupiny, která bankovním systémům po celém světě způsobila škody za stovky miliónů dolarů. Oznámila to agentura Unian. Úřady jméno zadrženého nezveřejnily, podle ukrajinských médií jde o šéfa skupiny Avalanche Gennadije Kapkanova.
družení hackerů Avalanche podle ukrajinských expertů organizuje kybernetické útoky sedm let, na dopadení jeho členů pracuje policie 30 zemí světa. Kapkanova už v listopadu 2016 zadrželi ukrajinští policisté v Poltavě jihovýchodně od Kyjeva, soud ale rozhodl o jeho stíhání na svobodě a hacker krátce nato zmizel.

Podle agentury Unian bude zatčený Kapkanov obviněn z kybernetických útoků, maření soudního rozhodnutí, praní špinavých peněz a finančních podvodů. Hrozí mu trest až patnácti let vězení. Členové skupiny Avalanche čelí trestnímu stíhání i v Německu, kde způsobili škody ve výši nejméně šesti miliónů eur (přes 150 miliónů korun).

Sdružení Avalanche se podle agentury AP specializovalo na metodu takzvaného phishingu, podvodné techniky používané na internetu k získávání citlivých údajů. V minulých letech byly phishingové útoky příčinou 95 procent všech neoprávněných čerpání peněz z účtů bankovních klientů přes kanály elektronického bankovnictví.


Hackeři široce zneužívají šifrované weby, i díky podvrženým certifikátům

28.2.2018 SecurityWorld Kryptografie
Důmyslnost hackerů stoupá nebývalým tempem -- ke svým útokům stále častěji využívají zašifrovanou webovou komunikaci i známé internetové služby jako jsou Dropbox či Google Docs. Více se zaměřují také na zařízení internetu věcí, které organizace často nechávají neaktualizovaná a zranitelná.

Tyto závěry přinesla studie Cisco 2018 Annual Cybersecurity Report. Ta dále říká, že nejčastější překážkou pro vybudování spolehlivé bezpečnostní architektury je nízký rozpočet, nekompatibilita jednotlivých bezpečnostních řešení a nedostatek IT specialistů na trhu.

Proto 74 % bezpečnostních profesionálů v obraně alespoň částečně spoléhá na umělou inteligenci a 83 % na automatizaci. Útoky jsou přitom stále ničivější. A tak zatímco dříve šlo útočníkům využívajícím vyděračský software (ransomware) především o zisk, dnes se stále častěji setkáváme s útoky, které se snaží napáchat maximální škody.

Letošní studie zjistila, že kybernetičtí útočníci stále častěji doručují škodlivý software prostřednictvím šifrované webové komunikace (typicky označované HTTPS). Jedním z klíčových faktorů, které nárůst ovlivňují, je snadné získání levných či dokonce bezplatných SSL certifikátů. Hackeři tak získávají mocný nástroj, jak doručit obětem škodlivý software.

„Šifrovaná komunikace na jedné straně představuje velmi dobrý způsob, jak ochránit soukromí uživatelů, avšak na té druhé otevírá útočníkům další možnosti, jak se vyhnout detekci. Proto podniky v dnešní době stále častěji vyhledávají bezpečnostní řešení, která využívají automatizaci a umělou inteligenci, neboť ta dokážou najít podobnosti mezi známým škodlivým softwarem a anonymním vzorkem dat,“ říká Milan Habrcetl, bezpečnostní expert společnosti Cisco.

Spam: útoky přichází ve vlnách

Nevyžádaná pošta (neboli spam) stále tvoří nejčastější způsob, jakým se útočníci snaží proniknout do zařízení. Z výzkumu škodlivých domén vyplynulo, že 60 % z nich je spojeno právě se spamovými kampaněmi.

Bez ohledu na to, jak se mění prostředí kybernetických hrozeb, zůstává email důležitým a mocným nástrojem útočníků. Počet doručovaných spamů není v průběhu času konstantní, ale přímo souvisí s aktivitou botnetů (internetoví roboti zasílající spamy), především pak botnetu Necurs, který je globálně hlavním šiřitelem infikovaných emailů.

Škodlivé přílohy emailů jsou nejčastěji ve formátu sady Office (.doc, .ppt, xls a další), a to v 37,7 % případů. Následují archivní formáty, tedy přílohy obsahující přípony .zip či .jar (36,8 %) a soubory s příponou .pdf (13,7 %).

Nové techniky hackerů

Kybernetičtí zločinci se, kromě šifrované komunikace, také stále častěji zaměřují na napadení uživatelů skrze známé a legitimní služby jako jsou například Google Docs, GitHub či Dropbox, jejichž prostřednictvím šíří command and control protokoly.

Zneužívání těchto legitimních aplikací souvisí s jejich velkou oblibou a mnoho zaměstnanců je využívá i přesto, že je podniková pravidla nepovolují. Navíc je velmi těžké, někdy až nemožné, takové útoky odhalit, neboť také využívají šifrovanou komunikaci.

Organizace podceňují aktualizace zařízení internetu věcí

Výzkumníci také zkoumali, jak se organizace zaměřují na zabezpečení svých zařízení internetu věcí a zjistili, že velmi podceňují aktualizování jejich softwaru. Test, ve kterém se zaměřili na citlivost na již známé typy malwaru, provedli na 7328 zařízeních internetu věcí, jako jsou požární alarmy, čtečky karet či senzory pro regulaci teploty.

Zkouška ukázala, že celých 83 % zařízení mělo kritickou zranitelnost a aktuální patch mělo nainstalováno pouze 17 % těchto zařízení. Infikovaná zařízení přitom mohou být využita nejen k napadení vlastní organizace, ale také k DDoS útokům.

V roce 2017 totiž kyberzločinci často využívali krátké (trvající v řádu sekund), ale intenzivní útoky a podle průzkumu se s nimi v loňském roce setkalo 42 % všech organizací.


Žák se naboural do systému školy a změnil známky

28.2.2018 Novinky/Bezpečnost  Kriminalita
Až roční vězení hrozí mladistvému, který se na Karlovarsku naboural do počítačového systému základní školy a změnil známky. Policisté ho zadrželi a upozornili, že učitelé měli slabá hesla. O případu ve čtvrtek informovala mluvčí policie Kateřina Böhmová.
„Když se pedagogové přihlásili k systému elektronické žákovské knížky, zjistili, že žákům byla změněna klasifikace či přidány různé poznámky,“ uvedla Böhmová.

Případ oznámili a policisté začali pátrat po hackerovi. Našli lokalizační údaje, které ukazovaly na konkrétního člověka. Při domovní prohlídce následně kriminalisté zajistili techniku, která k útoku na školu sloužila. Mladistvému, jehož věk policie nesdělila, nyní hrozí až roční vězení.

„Takový kybernetický útok by se mladému muži nepodařilo uskutečnit, pokud by zaměstnanci základní školy jednali v souladu se zásadami bezpečného užívání počítačového systému,“ shrnula mluvčí policie.


Když šifrování snižuje bezpečnost a banka vyzrazuje číslo karty
28.2.2018 Root.cz
Kryptografie

Šifrování je velmi užitečná věc, ale existují okrajové situace, kdy situaci zhoršuje. Příkladem je bankovní výpis, který je šifrovaný, což umožňuje zjistit téměř všechny informace o platební kartě.

Ne vždy je šifrování prospěšné, existuje malé množství případů, kdy je tomu přesně naopak. Takovým je třeba zabezpečení elektronických výpisů z účtu od české pobočky Raiffeisenbank. Začátek příběhu je už poměrně dávný:

🙋‍♂️
@denikembecka
Vrchol mé lenosti: Přišel mi výpis z banky, chráněný PINem. Než abych ho hledal, radši jsem bruteforcem uhádl heslo a nezvedl zadek z křesla

1:23 PM - Apr 22, 2017
168
55 people are talking about this
Twitter Ads info and privacy
Tento status proslavil Michal Špaček ve úvodu své přednášky o rizicích sdílení kódů, kterým nerozumíme. V tomto případě Tomáš Heřmanský, autor statusu, na snímku obrazovky sice rozmazal výsledné heslo, ale ponechal záhadné hexadecimální mezivýsledky, které, jak se později ukázalo, je možné použít k vypočítání hesla.

Na příběh jsem si vzpomněl v úterý, když mi poprvé přišel podobný výpis od téže banky. Vyzkoušel jsem tedy také nástroj pdfcrack, který čtyřmístné číselné heslo PDF souboru uhodl za desetinu sekundy. Co mě ale zarazilo, byl výběr číslic, které se banka rozhodla použít jako heslo.

E-mailová zpráva s popisem, jak se k heslu dobrat

Tím heslem totiž nejsou poslední čtyři číslice čísla karty, které se na mnoha místech zobrazují otevřeně za účelem určení konkrétní karty, ale naopak čtyři z šesti tajných číslic, které jsou v naprosté většině míst nahrazeny hvězdičkami či jinak. Jejich použití vypadá na první pohled logicky – zabezpečují, aby si výpis přečetl jen oprávněný držitel karty. Vezmeme-li ale v potaz fakt, že takto omezený prostor hesel je možné projít hrubou silou za desetinu sekundy, znamená to, že každý, kdo se takto šifrovanému PDF souboru dostane, okamžitě zjistí čtyři z šesti tajných číslic. Jak špatné to může být?

Co vytěžit z výpisu
Výpis ke kreditní kartě obsahuje všechny běžné náležitosti, mimo jiné:

datum výpisu
jméno držitele karty
jeho adresu
číslo karty bez šesti tajných číslic
přehled transakcí
stav konta bonusů za používání karty
předepsanou minimální splátku
číslo účtu a variabilní symbol, pod kterým lze úvěr splatit
úrokovou sazbu
Vžijeme-li se do role útočníka, který bude chtít nabyté údaje zneužít, musí znát minimálně číslo karty a datum konce platnosti. Většina obchodníků dnes také požaduje bezpečnostní kód z podpisového proužku karty či dodatečné ověření systémem 3-D Secure, ale stále je možné najít takové, kteří jej nepožadují.

Jedním z obchodů, které požadují minimum informací o kartě, je i gigant Amazon.

Začněme datem konce platnosti karty. To na výpisu sice není uvedeno, nicméně máme jako útočník několik možností, jak se k němu dobrat. Tou první může být už samotný způsob, jak jsme se k PDF souborům dostali. Pokud to bylo nabouráním se do něčí e-mailové schránky, pak zřejmě máme i informaci o tom, kdy byl doručen první výpis z účtu. Takový výpis také poznáme tak, že dluh z předchozího období bude nulový a nulový bude i stav bonusů, které se používáním kreditní karty sbírají. K vypočtení data konce platností tak stačí zjistit, na jak dlouho daná banka obvykle vydává platební karty, což je obvykle celistvý počet roků. Tato informace není nijak tajná a její zjištění nestojí velké úsilí.

Ze stovky na deset s Hansem Peterem Luhnem
Z šestnácti číslic čísla karty jich najdeme deset přímo na výpise, další čtyři jsou tvořeny uhodnutým heslem PDF souboru. K odhalení celého čísla karty tedy zbývá uhodnout dvě číslice, což dává prostor jedné stovky různých kombinací. Jako útočník ale máme velké štěstí – čísla karet jsou totiž zabezpečena Luhnovým algoritmem. Ten zajišťuje odolnost proti překlepům při opisování čísla karty přidáním kontrolní číslice tak, aby ciferný součet čísla karty (po určité transformaci sudých číslic zprava) byl beze zbytku dělitelný deseti.

Můžeme tedy jednoduše vytipovat, které dvojice hledaných čísel splňují podmínku Luhnova algoritmu, například tímto jednoduchým programem v Pythonu:

?
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
In [1]: import luhn

In [2]: for n in range(100):
...: ccnum = "531533{:02d}34567890".format(n)
...: if luhn.verify(ccnum):
...: print(ccnum)
...:
5315330134567890
5315331934567890
5315332734567890
5315333534567890
5315334334567890
5315335034567890
5315336834567890
5315337634567890
5315338434567890
5315339234567890
Máme tedy pouhých deset kandidátů na číslo karty, které můžeme postupně nebo lépe současně v různých obchodech vyzkoušet. Nepotřebovali jsme přitom nic jiného, než přístup k e-mailové schránce s výpisy z kreditní karty. Paradoxem je, že kdyby banka výpisy nešifrovala, nemá útočník jak zjistit čtyři tajné číslice a kandidátů by měl sto tisíc.

Zabezpečení čtyřmi číslicemi nedává smysl
Tohle je jeden z mála případů, kdy nějaké šifrování je prokazatelně horší než žádné šifrování. Použití čtyřmístného číselného hesla na místě, kde je možné provádět off-line neomezené množství pokusů o uhodnutí, je absolutní nesmysl, který odradí tak maximálně bankovního úředníka; ale jen takového, který se v práci nenudí natolik, aby všech deset tisíc kombinací vyzkoušel ručně. V kombinaci s použitím přísně tajného čísla v roli hesla pak jde o zbytečné hazardování s bezpečností.

Uvedený útok je naštěstí možné provést jen tam, kde obchodník nepožaduje zadání bezpečnostního kódu karty a/nebo potvrzení v systému 3-D Secure. Tím by mělo být pro případnou oběť snazší domoci se svých peněz zpět, neboť v případě nepoužití těchto doplňkových zabezpečení se zvyšuje obchodníkova odpovědnost za škody způsobené zneužitím platební karty. To ostatně ve své reakci (1, 2) tvrdí i přímo Raiffeisenbank:

Tato forma zabezpečení výpisu slouží především jako základní ochrana proti náhodnému přečtení. Velká většina obchodníků chrání transakce kartou na internetu pomocí CVC2 a 3DS kódu. Ano, existují i obchodníci, kde nakoupíte bez kódu, pokud by zde ke zneužití došlo, tak transakci vyreklamujeme zpět. Pokud hledáte jiný způsob zasílání výpisů, nabízíme možnost jeho stahování v rámci IB, které máte plně zabezpečené. K tomuto způsobu chceme do budoucna směřovat všechny klienty.

I tak je však na místě obezřetnost a rozumně nastavené limity. Stojí také za zvážení, zda nepožádat banku o nezasílání výpisů e-mailem; je možné je stáhnout nešifrované ze zabezpečeného webového bankovnictví.

Post scriptum: výpis obsahuje celé číslo karty

Andrei Badea
@0xabadea
Líný hacker si navíc všimne, že na první stránce výpisu je desetimístní variabilní symbol, který se nápadně shoduje s heslem výpisu (předposlední čtyřčíslí) a s posledním čtyřčíslím (obsaženým ve výpisu), takže ani nemusí nic hádat. https://twitter.com/Oskar456/status/966062292168269824 …

3:44 PM - Feb 21, 2018
20
See Andrei Badea's other Tweets
Twitter Ads info and privacy
Po napsání tohoto textu se ukázalo, že se zabezpečením čísla karty je to ještě horší a velká část předchozího textu přistupuje k problému až zbytečně složitě. V tomto konkrétním případě totiž všech šest tajných číslic z čísla karty je součástí variabilního symbolu, pod kterým je úvěr splácen. Hádat zbylé číslice tedy vlastně vůbec není nutné a vyzrazení čtyř číslic uhodnutím hesla je tedy vlastně jen podružný problém.


Ne, Elon Musk lidem neposílá ethereum. Je to podvod
28.2.2018 Živě.cz
Spam

Ne, Elon Musk lidem neposílá ethereum. Je to podvod
Podvodníci si zase našli způsob, jak z důvěřivých lidí vytáhnout peníze. Tentokrát k tomu použili osobu vizionáře Elona Muska, pod jehož jménem založili falešný účet na Twitteru a slíbili, že lidem rozdají ethereum v hodnotě 4 milionů dolarů. Stačí jen, když mu lidé pošlou nějaký malý obnos, aby získal adresu jejich peněženky. Samozřejmě je to nesmysl.

Skutečný Elon Musk ve středu na Twitteru informoval o plánovaném startu satelitů Starlink. Příspěvek byl relativně nadšený. Nějakého podvodníka tak napadlo, že toho využije a založil téměř totožný účet @elonhmusk, ve kterém na příspěvek navázal jednoduchým sdělením - k příležitosti úspěchu rozdá lidem 5000 kusů etherea. Pokud kryptoměnu lidé chtějí získat, mají poslat nějaký malý obnos, aby Musk získal adresu jejich peněženky.

Účet je už z Twitteru odstraněný, zpráva vypadala takto:

To celebrate this, I'm also giving awaу 5,000 ЕTH!

To identify your address, just sеnd 0.5-1.0 ЕTH to the address bеlow and gеt 5-10 ЕTH back to the address you used for the transaсtion. ЕТH Аddress: ...

If you are latе, yоur EТH will bе sent back.

— Еlon Мusk (@elonhmusk)

Zní to jako jasný podvod a podvod to také je. Už samotný princip nedává smysl, adresu peněženky stačí sdělit, není potřeba z ní něco posílat. Nicméně mnoho lidí se nachytalo a podle sledování v blockchainu je možné zjistit, že podvodníkovi už lidé poslali ethereum v hodnotě více než 16 tisíc dolarů.

Účet lze přitom velice jednoduše odhalit. Není verifikovaný a má jinou adresu. Hlavně je třeba říct, že i když je Elon Musk znám jako šílenec, určitě by jen tak lidem neposlal skoro 4,3 miliony dolarů. A určitě by nechtěl, aby mu lidé něco posílali.

Není to letos poprvé, co se něco podobného stalo. Twitter už musel zrušit účty @elonmus_ a @elonnmuusk, které se pokoušely o něco podobného.


Smart Life od Avastu ochrání IoT před malwarem. Pomůže mu A.I.
28.2.2018 Živě.cz
IoT
Smart Life od Avastu ochrání IoT před malwarem. Pomůže mu A.I.Smart Life od Avastu ochrání IoT před malwarem. Pomůže mu A.I.Smart Life od Avastu ochrání IoT před malwarem. Pomůže mu A.I.Smart Life od Avastu ochrání IoT před malwarem. Pomůže mu A.I.Smart Life od Avastu ochrání IoT před malwarem. Pomůže mu A.I.
Avast zprvu před malwarem chránil počítače, pak přibral chytré telefony a nyní se pokusí dohlédnout i na malou firemní a domácí síť s chytrými krabičkami IoT. Novou bezpečnostní platformu pojmenoval Smart Life.

Jak to bude fungovat v praxi? Vedle běžné detekce malwaru bude platforma pracovat i s prvky strojového učení a odhalování podezřelé aktivity. Když se tedy třeba chytrý termostat zapne v netradiční dobu, která neodpovídá dosavadnímu charakteru používání, a zároveň začne komunikovat s podezřelými IP adresami, Smart Life aktivitu vyhodnotí jako útok, zabrání pokračování a upozorní správce domácí sítě.

Podobným způsobem by měl bezpečnostní systém odhalit třeba podezřelou aktivitu chytrých televizorů, webkamer, všemožných přehrávačů a dalších prvků v domácím LANu, nebo v síti malé firmy. Ostatně jak upozorňuje sám Avast, hromadu podobných zařízení lze zneužít útočníkem třeba k těžbě kryptoměny Monero, kterou lze při větším množství napadených krabiček smysluplně těžit i na slabších armových čipsetech.

Smart Life je nicméně pouze software, takže aby mohl neustále skenovat vaši síť, musí běžet na nějakém železe. Tím bude buď přímo výkonnější Wi-Fi router některého ze smluvních partnerů, anebo dedikovaná krabička – sniffer – připojená do LANu. „Sniffer je v podstatě takové lepší Raspberry Pi postavené přímo pro nás,“ řekl nám bezpečnostní expert Avastu Filip Chytrý.

Internet věcí
Domácí IoT může vypadat všelijak počínaje komerčními krabičkami a konče DIY. Třeba takto, když si jej složíte a naprogramujete sami. Bezpečnostní a meteorologický systém autora článku obsahuje kameru s rybím okem, infračervený a mikrovlnný detektor pohybu, teploměr, vlhkoměr, tlakoměr, luxmetr, síť vnitřních i venkovních dálkových bezdrátových sond (868 MHz, LoRa), senzor CO2 a nakonec automatické spínání světel v bytě. Vše je postavené na Raspberry Pi Zero W, které může být také napadnutelné útočníky.

Klepněte pro větší obrázek
Bezpečnostní a meteorologická centrála postavená na Raspberry Pi Zero W
Samozřejmě jsme se Avastu zeptali i na to, jestli bude moci zkušenější uživatel nahodit celý systém i na některou z otevřených platforem – třeba na router s OpenWrt, kam patří i populární český router Turris. Ačkoliv se tomu Avast výhledově nebrání, zatím se bude soustředit pouze na železo od partnerů.

Pro Avast není Smart Life úplnou novinkou, podle Chytrého se totiž v podstatě jedná o evoluci platformy Chime, kterou vyvíjí AVG. No a AVG dnes patří pod křídla Avastu.


Siemens Releases BIOS Updates to Patch Intel Chip Flaws
28.2.2018 securityweek
Vulnerebility

Siemens has released BIOS updates for several of its industrial devices to patch vulnerabilities discovered recently in Intel chips, including Meltdown, Spectre and flaws affecting the company’s Management Engine technology.

Following the disclosure of the Meltdown and Spectre attack methods, industrial control systems (ICS) manufacturers immediately started analyzing the impact of the flaws on their products. Advisories have been published by companies such as Siemens, Rockwell Automation, Schneider Electric, ABB, and Pepperl+Fuchs.

Siemens has determined that the security holes expose many of its product lines to attacks, including RUGGEDCOM, SIMATIC, SIMOTION, SINEMA, and SINUMERIK.

The company informed customers recently that it has started releasing BIOS updates for some of its impacted products, including SIMATIC industrial PCs, SIMATIC field PG rugged laptops, SIMATIC industrial tablet PCs (ITP), and SINUMERIK panel control units (PCU). In addition to firmware patches, users have been advised to install operating system updates, which should mitigate the Meltdown flaw and one variant of Spectre.

The BIOS updates released by the company for the aforementioned SIMATIC and SINUMERIK devices also patch several vulnerabilities discovered last year by researchers in Intel’s Management Engine (ME), Server Platform Services (SPS), and Trusted Execution Engine (TXE) technologies.

The flaws impacting these Intel products can be exploited – in most cases locally, but at least one bug is remotely exploitable – for arbitrary code execution, privilege escalation, and denial-of-service (DoS) attacks.

The firmware updates from Siemens also fix a vulnerability affecting the Trusted Platform Module (TPM) in chips made by German semiconductor manufacturer Infineon.

The flaw, CVE-2017-15361, is related to the RSA library in TPM and it could allow a remote attacker who knows the public key to obtain the private RSA key. The security hole affects the products of several major tech firms, including Microsoft, Google, HP, Lenovo and Fujitsu.

Siemens has published separate advisories to inform users about the availability of patches for Meltdown/Spectre, Intel ME, and Infineon TPM vulnerabilities. ICS-CERT has so far published an advisory only for the Infineon issue.


Fake ionCube Malware Hits Hundreds of Sites
28.2.2018 securityweek
Virus

Hundreds of websites have been infected with malware that masquerades as legitimate ionCube-encoded files, SiteLock warns.

The malicious files were initially discovered in core directories of a WordPress site, featuring naming patterns usually associated with malware, namely “diff98.php” and “wrgcduzk.php.” Because the obfuscated files appear as if they had been encoded with ionCube, the researchers named the threat ionCube malware.

ionCube is an old and powerful PHP obfuscation technology that can be used to scramble text-based PHP files to hide the intellectual property. Due to licensing costs, ionCube isn’t usually used for malicious purposes.

Malicious attackers, however, found a way to pack their malware in a manner that resembles that of ionCube-encoded files, and started targeting various websites. Although the infection was initially spotted on a WordPress site, SiteLock's researchers discovered that Joomla and CodeIgniter sites have been infected as well.

According to SiteLock, the malware is likely to run on any web server running PHP, and could hide in plain sight by using filenames such as “inc.php” and “menu.php.” Overall, the researchers discovered over 7,000 infected files and say that over 700 sites were compromised.

Once decoded, the fake ionCube files turn into the malware itself, which still contains some obfuscation, along with some sort of access control, researchers discovered.

“While there’s still some degree of obfuscation, the presence of the $_POST and $_COOKIE superglobals and the eval request at the end of the file reveal its true purpose: to accept and execute remotely supplied code. It looks like the remote code supplied to this file is further obfuscated and there may be some sort of access control implemented, judging by the GUID-formatted string present,” SiteLock says.

Site administrators who haven’t specifically and intentionally installed ionCube-encoded files but do find such files on their servers were likely infected. If an infection is detected, the scanning of the entire site is recommended, to completely eliminate the threat.

According to SiteLock, differentiating between the fake and legitimate files can be very difficult as well, given the large number of malware variations out there. The researchers say it is common to see up to 100 slightly different variants of the malware on a single site.


Talos experts shared details of a remote code execution flaw in Adobe Acrobat Reader DC
28.2.2018 securityweek
Vulnerebility

Security experts at Cisco Talos disclosed details of a remote code execution flaw that affects Adobe Acrobat Reader DC versions 2018.009.20050 and 2017.011.30070 and earlier.
Security experts at Cisco Talos shared details of a remote code execution vulnerability tracked as CVE-2018-4901, that affects Adobe Acrobat Reader DC.

A remote attacker can exploit the vulnerability tricking the victim into opening a malicious file or visiting a specially crafted webpage.

The flaw affects Adobe Acrobat Reader versions 2018.009.20050 and 2017.011.30070 and earlier. The vulnerability was disclosed on Dec. 7 and Adobe addressed it a few days ago, on February 13.

“Adobe Acrobat Reader is the most popular and most feature-rich PDF reader. It has a big user base, is usually a default PDF reader on systems and integrates into web browsers as a plugin for rendering PDFs. As such, tricking a user into visiting a malicious web page or sending a specially crafted email attachment can be enough to trigger this vulnerability.” reads the analysis published by the Talos team.

Adobe classified the flaw with a “priority 2” level that equals to “important”, this means that there is an “elevated risk” of exploitation. The good news is that there are currently no known exploits in the wild.

The researchers explained that the flaw could be used by attackers to embed a malicious JavaScript code in a PDF file to use document ID to perform unauthorized operations to trigger a stack-based buffer overflow when opening a specially crafted PDF document.

“A specific Javascript script embedded in a PDF file can cause the document ID field to be used in an unbounded copy operation leading to stack-based buffer overflow when opening a specially crafted PDF document in Adobe Acrobat Reader,” continues Talos.

Researchers at Talos also released Snort rules 45102-3 that could be used by administrators to detect exploitation attempts.


Experts warn Memcached DDoS attacks could be soon a dangerous threat
28.2.2018 securityweek
Attack

Security experts started observing a dangerous trend in DDoS amplification technique, Memcached DDoS Attacks.
Security experts from some security firms have reported that threat actors have started abusing the memcached protocol to power distributed denial-of-service (DDoS) Attacks, so-called memcached DDoS attacks.

Memcached is a free and open source, high-performance, distributed memory caching system designed to speed up dynamic web applications by alleviating database load.

Clients communicate with memcached servers via TCP or UDP on port 11211.

Researchers from Cloudflare, Arbor Networks and security firm Qihoo 360 discovered that recently attackers are abusing the memcached for DDoS amplification attacks.

Chinese experts warned about abuses of memcached DDoS attacks in November.

Experts at Cloudflare dubbed this type of attack Memcrashed.

“Over last couple of days we’ve seen a big increase in an obscure amplification attack vector – using the memcached protocol, coming from UDP port 11211.” reads the analysis published by Cloudflare.

“An IP-spoofing capable attacker sends forged requests to a vulnerable UDP server. The UDP server, not knowing the request is forged, politely prepares the response. The problem happens when thousands of responses are delivered to an unsuspecting target host, overwhelming its resources – most typically the network itself.“

The involvement of memcached servers in DDoS Attacks is quite simple, the attacker sends a request to the targeted server on port 11211 spoofing the IP address of the victim. In a memcached DDoS attack, the request sent to the server is composed of a few bytes, while the response can be tens of thousands of times bigger, resulting in an amplification attack.

memcached DDoS attack

The researchers at Cloudflare observed a memcached DDoS attack that peaked at 260 Gbps while Arbor Networks reported observing attacks that peaked at 500 Gbps and even more.

“We have observed a considerable uptick in memcached reflection/amplification attacks ranging in size from a few hundred mb/sec up to 500gb/sec and larger. The amplified attack traffic is sourced from UDP/11211, with a packet size of 1428 bytes (1442 bytes with layer-2 Ethernet framing included), and no fragmentation (memcached segments large responses at layer-7, as does ntp).” reads the analysis published by Arbor Networks. “The attacker typically ‘primes’ a given set of memcached reflectors/amplifiers with arbitrary-length key/value pairs, and then issues memcached queries for those key/value pairs, spoofing the IP addresses of targeted hosts/networks.”

Researchers at Arbor Networks added that attackers can also send queries at TCP port 11211, but since TCP queries cannot be reliably spoofed, the hackers opted for UDP.

“I was surprised to learn that memcached does UDP, but there you go! The protocol specification shows that it’s one of the best protocols to use for amplification ever! There are absolutely zero checks, and the data WILL be delivered to the client, with blazing speed! Furthermore, the request can be tiny and the response huge (up to 1MB).” continues the analysis published by Cloudflare.

“Launching such an attack is easy. First the attacker implants a large payload on an exposed memcached server. Then, the attacker spoofs the “get” request message with target Source IP.”

According to Cloudflare, most of the memchached DDoS Attacks were launched from servers in North America and Europe, the majority of them is hosted by OVH, DigitalOcean, and Sakura.

memcached DDoS attack sources

The experts observed attacks from roughly 5,700 unique IPs associated with memcached servers.

The situation can rapidly get worse because the result of a simple Shodan query shows nearly 88,000 unsecured memchached servers, most of them in the United States, China and France.

Cloudflare recommends disabling UDP support unless it’s needed and isolating memcached servers from the Internet. Internet service providers have to fix vulnerable protocols and prevent IP spoofing.

“Internet Service Providers – In order to defeat such attacks in future, we need to fix vulnerable protocols and also IP spoofing. As long as IP spoofing is permissible on the internet, we’ll be in trouble.” concluded Cloudflare.

“Developers – Please please please: Stop using UDP. If you must, please don’t enable it by default. If you do not know what an amplification attack is I hereby forbid you from ever typing
SOCK_DGRAM
into your editor.”


Memcached Servers Abused for Massive Amplification DDoS Attacks
28.2.2018 thehackernews
Attack

Cybercriminals have figured out a way to abuse widely-used Memcached servers to launch over 51,000 times powerful DDoS attacks than their original strength, which could result in knocking down of major websites and Internet infrastructure.
In recent days, security researchers at Cloudflare, Arbor Networks, and Chinese security firm Qihoo 360 noticed that hackers are now abusing "Memcached" to amplify their DDoS attacks by an unprecedented factor of 51,200.
Memcached is a popular open-source and easily deployable distributed caching system that allows objects to be stored in memory and has been designed to work with a large number of open connections. Memcached server runs over TCP or UDP port 11211.
The Memcached application has been designed to speed up dynamic web applications by reducing stress on the database that helps administrators to increase performance and scale web applications. It's widely used by thousands of websites, including Facebook, Flickr, Twitter, Reddit, YouTube, and Github.
Dubbed Memcrashed by Cloudflare, the attack apparently abuses unprotected Memcached servers that have UDP enabled in order to deliver DDoS attacks 51,200 times their original strength, making it the most prominent amplification method ever used in the wild so far.
How Memcrashed DDoS Amplification Attack Works?

Like other amplification methods where hackers send a small request from a spoofed IP address to get a much larger response in return, Memcrashed amplification attack also works by sending a forged request to the targeted server (vulnerable UDP server) on port 11211 using a spoofed IP address that matches the victim's IP.
According to the researchers, just a few bytes of the request sent to the vulnerable server can trigger the response of tens of thousands of times bigger.
"15 bytes of request triggered 134KB of response. This is amplification factor of 10,000x! In practice we've seen a 15-byte request result in a 750kB response (that's a 51,200x amplification)," Cloudflare says.
According to the researchers, most of the Memcached servers being abused for amplification DDoS attacks are hosted at OVH, Digital Ocean, Sakura and other small hosting providers.
In total, researchers have seen only 5,729 unique source IP addresses associated with vulnerable Memcached servers, but they are "expecting to see much larger attacks in future, as Shodan reports 88,000 open Memcached servers." Cloudflare says.
"At peak we've seen 260Gbps of inbound UDP memcached traffic. This is massive for a new amplification vector. But the numbers don't lie. It's possible because all the reflected packets are very large," Cloudflare says.
Arbor Networks noted that the Memcached priming queries used in these attacks could also be directed towards TCP port 11211 on abusable Memcached servers.

But TCP is not currently considered a high-risk Memcached reflection/amplification vector because TCP queries cannot be reliably spoofed.
The popularly known DDoS amplification attack vectors that we reported in the past include poorly secured domain name system (DNS) resolution servers, which amplify volumes by about 50 times, and network time protocol (NTP), which increases traffic volumes by nearly 58 times.
Mitigation: How to Fix Memcached Servers?
One of the easiest ways to prevent your Memcached servers from being abused as reflectors is firewalling, blocking or rate-limiting UDP on source port 11211.
Since Memcached listens on INADDR_ANY and runs with UDP support enabled by default, administrators are advised to disable UDP support if they are not using it.
The attack size potentially created by Memcached reflection cannot be easily defended against by Internet Service Providers (ISPs), as long as IP spoofing is permissible on the internet.


Hacker Who Never Hacked Anyone Gets 33-Month Prison Sentence
28.2.2018 thehackernews Crime

A hacker who was arrested and pleaded guilty last year—not because he hacked someone, but for creating and selling a remote access trojan that helped cyber criminals—has finally been sentenced to serve almost three years in prison.
Taylor Huddleston, 26, of Hot Springs, Arkansas, pleaded guilty in July 2017 to one charge of aiding and abetting computer intrusions by building and intentionally selling a remote access trojan (RAT), called NanoCore, to hackers for $25.
Huddleston was arrested in March, almost two months before the FBI raided his house in Hot Springs, Arkansas and left with his computers after 90 minutes, only to return eight weeks later with handcuffs.
This case is a rare example of the US Department of Justice (DOJ) charging someone not for actively using malware to hack victims' computers, but for developing and selling it to other cybercriminals.
Huddleston admitted to the court that he created his software knowing it would be used by other cybercriminals to break the law.
He initially started developing NanoCore in late 2012 with a motive to offer a low-budget remote management software for schools, IT-conscious businesses, and parents who desired to monitor their children's activities on the web.

However, Huddleston marketed and sold the NanoCore RAT for $25 in underground hacking forums that were extremely popular with cybercriminals around the world from January 2014 to February 2016. He then sold ownership of NanoCore to a third-party in 2016.
NanoCore RAT happens to be popular among cybercriminals on underground hacking forums and has been linked to intrusions in at least ten countries. Among the victims was a high-profile assault on Middle Eastern energy firms in 2015.
Huddleston also agreed with prosecutors that NanoCore RAT and available third-party plugins offered a full set of features including:
Stealing sensitive information from victim computers, such as passwords, emails, and instant messages.
Remotely activating and controlling connected webcams on the victims' computers in order to spy on them.
Ability to view, delete, and download files.
Locking infected PCs and holding them to ransom.
Using infected PCs to launch distributed denial of service (DDoS) attacks on websites and similar services.
In July plea, Huddleston also took responsibility for creating and operating a software licensing system called "Net Seal" that was used by another suspect, Zachary Shames, to sell thousands of copies of Limitless keylogger.
Shames used Net Seal to infect 3,000 people that were, in turn, used it to infect 16,000 computers, according to the DoJ.
In his guilty plea, Huddleston admitted that he intended his products to be used maliciously.
Besides the 33-month prison sentence handed down by judges on Friday, Huddleston also gets two years of supervised release.


Intel Releases Spectre Patches for Broadwell, Haswell CPUs
28.2.2018 securityweek 
Vulnerebility

Intel has released new firmware updates for its Broadwell and Haswell processors to address the Spectre vulnerability.

After the first round of Spectre patches released by the company caused more frequent reboots and other instability problems, Intel started working on new microcode updates.

The company first released new firmware updates for its Skylake processors, and last week it announced the availability of patches for several other CPUs, including Kaby Lake and Coffee Lake.

This week, the company updated the list of available firmware patches to state that the fixes for Haswell and Broadwell processors are also ready for use in production environments.

As of February 28, patches that can be deployed in production environments are available for the following products: Anniedale/Moorefield, Apollo Lake, Avoton/Rangeley, Broadwell (except Server EX), Broxton, Cherry View, Coffee Lake, Cougar Mountain, Denverton, Gemini Lake, Haswell (except Server EX), Kaby Lake, Knights Landing, Knights Mill, Skylake, SoFIA, Tangier, Valleyview/Bay Trail, and XGold.

Beta patches have been provided to OEMs for validation for Gladden, some Ivy Bridge, Sandy Bridge, and Skylake Xeon E3 processors. The microcode updates for Broadwell and Haswell Server EX processors, specifically the Xeon E7v4 and E7v3 product families, are also in beta phase.

As for the remaining CPUs, updates are either in pre-beta or planning phase, but pre-mitigation microcode updates are available for many of these products.

The patches will be delivered as OEM firmware updates. Device manufacturers started releasing BIOS updates to patch the Meltdown and Spectre vulnerabilities shortly after their disclosure, but a majority of firms decided to halt the updates due to instability issues. Some vendors have now resumed the distribution of firmware updates.

Meltdown attacks are possible due to a vulnerability tracked as CVE-2017-5754, while Spectre attacks are possible due to flaws tracked as CVE-2017-5753 (Variant 1) and CVE-2017-5715 (Variant 2). Meltdown and Spectre Variant 1 can be patched with software updates, but Spectre Variant 2 requires microcode updates for a complete fix.

Intel and AMD claim they are working on processors that will have built-in protections against these types of exploits.

Intel faces more than 30 lawsuits, including ones filed by customers and shareholders, over the Meltdown and Spectre vulnerabilities.


CSE Malware ZLab – Malware Analysis Report: A new variant of Mobef Ransomware
28.2.2018 securityaffairs
Ransomware

Malware researchers at CSE Cybsec – ZLab have analyzed a new variant of Mobef ransomware, a malware that in the past mainly targeted Italian users.
Malware researchers at CSE Cybsec – ZLab have analyzed a new variant of Mobef ransomware, that was involved in past attacks against Italian users.

I personally obtained the sample by researchers at @MalwareHunterTeam and the Italian expert @Antelox and passed it to the experts at the ZLab.

24 Feb

MalwareHunterTeam
@malwrhunterteam
Thanks to @Antelox, we now have a sample for the ransomware that is targeting Italy (https://twitter.com/malwrhunterteam/status/967132494104530947 …): https://www.virustotal.com/en/file/aa2c9c02def2815aa24f5616051aa37e4ce002e62f507b3ce15aac191a36e162/analysis/1518986221/ …
Interesting packing/protection, maybe it's worth to dig into @hasherezade @VK_Intel.@BleepinComputer @demonslay335
cc @JAMESWT_MHT @forensico


MalwareHunterTeam
@malwrhunterteam
Seems it's a new version of Mobef (or maybe not even a new version, just a new note). Note that most of Mobef victims we seen in past year also were from Italy.
For this, we only seen victims from Italy till now. 1st on 16th this month.
The above sample also seen from Italy...

7:45 PM - Feb 24, 2018
7
See MalwareHunterTeam's other Tweets
Twitter Ads info and privacy
Like a classic ransomware, it encrypts all user files without changing the file extension and drops a file containing the instructions on how to pay the ransom.

Mobef ransomware
Mobef ransomware note

The analysis revealed that the ransomware was written in Delphi 4 and it doesn’t include useful strings. The Import Address Table is empty, this means that the malware isn’t as trivial as seems because it uses some technique to avoid the analysis.

After the execution, the ransomware creates three files:

4YOU: it contains the ransom note as shown in the popup window; it is stored in each folder in which there are encrypted files.
KEI: it contains the personal key used to identify the victim; it is stored in each folder in which there are encrypted files.
log: it contains the list of the encrypted files and it is stored in “C:\Windows”. This file represents also the kill-switch of the malware and the filename is the same for every infection.
Mobef ransomware
Mobef ransomware – List of encrypted files

Once the encryption phase is complete, the new variant of the Mobef ransomware will try to contact an external server “mutaween.sa”, to exfiltrate a series of information.

It is interesting to note that the domain “mutaween.sa” doesn’t exist, it isn’t currently resolved by the DNS servers.

A deep analysis of the Mobef ransomware revealed that it implements a number of functionalities, such as the capability to encrypt files, not only on the local drive but also on removable drives and network shares.

Further details on the Mobef ransomware and Yara Rules are included in the report published by researchers at ZLAb.


IoT hack: how to break a smart home… again
28.2.2018 Kaspersky  IoT
There can never be too many IoT gadgets – that’s what people usually think when buying yet another connected device with advanced functionality. From our perspective, we also think there can’t be too many IoT investigations. So, we have continued our experiments into checking and uncovering how vulnerable they are, and followed up our research focusing on smart home devices.

Researchers have already been analyzing connected devices for many years, but concerns around cybersecurity in the IoT world are still there, putting users under significant risk. In our previous analysis, possible attack vectors affecting both a device and a network to which it’s connected have been discovered. This time, we’ve chosen a smart hub designed to control sensors and devices installed at home. It can be used for different purposes, such as energy and water management, monitoring and even security systems.

This tiny box receives information from all the devices connected to it, and if something happens or goes wrong, it immediately notifies its user via phone, SMS or email in accordance with its preferences. An interesting thing is that it is also possible to connect the hub to local emergency services, thus alerts will be sent to them accordingly. So, what if someone was able to interrupt this smart home’s system and gain control over home controllers? It could turn life into a nightmare not only for its user, but also for the emergency services. We decided to check a hypothesis and as a result discovered logical vulnerabilities providing cybercriminals with several attack vectors opportunities.

Physical access
First, we decided to check what could be available for exploitation by an attacker being outside of the network. We discovered that the hub’s firmware is available publicly and can be downloaded without any subscription from the vendor’s servers. Therefore, once downloading it, anyone can easily revise the files inside it and analyze them.

We found that the password from the root account in the shadow file is encrypted with the Data Encryption Standard (DES) algorithm. As practice shows, this cryptographic algorithm is not considered to be secure or highly resistant to hacking, and therefore it is possible for an attacker to successfully obtain the hash through brute-force and find out the ‘root’ password.

To access the hub with ‘root’ rights and therefore modify files or execute different commands, physical access is needed. However, we don’t neglect the hardware hacking of devices and not all of them survive afterwards.
 

We explored the device physically, but of course not everyone would be able to do this. However, our further analysis showed there are other options to gain remote access over it.

Remote access
For hub control, users can either use a special mobile application or a web-portal through which they can set up a personal configuration and check all the connected systems.

To implement it, the owner sends a command for synchronization with the hub. At that moment, all settings are packed in the config.jar file, which the hub then downloads and implements.
 

But as we can see, the config.jar file is sent through HTTP and the device’s serial number is used as the device identifier. So, hackers can send the same request with an arbitrary serial number, and download an archive.

Some might think that serial numbers are very unique, but developers prove otherwise: serial numbers are not very well protected and can be brute-forced with a byte selection approach. To check the serial number, remote attackers can send a specially crafted request, and depending on the server’s reply, will receive information if the device is already registered in the system.

Moreover, our initial research has shown that users, without even realizing it, put themselves at risk by publishing their tech reviews online or posting photos of a hub in social networks and openly presenting devices’ serial numbers. And the security consequences will not be long in coming.
 

While analyzing the config.jar file archive, we found that it contains login and password details – all the necessary data to access a user’s account through the web-interface. Although the password is encrypted in the archive, it can be broken by hash decryption with the help of publicly available tools and open-sourced password databases. Importantly, during the initial registration of a user account in the system, there are no password complexity requirements (length, special characters, etc.). This makes password extraction easier.

As a result, we gained access to a user’s smart home with all the settings and sensor information being available for any changes and manipulations. The IP address is also listed there.
 

It is also possible that there might be other personal sensitive information in the archive, given the fact that users often upload their phone numbers into the system to receive alerts and notifications.

Thus, the few steps involved with generating and sending the right requests to the server can provide remote attackers with the possibility of downloading data to access the user’s web interface account, which doesn’t have any additional security layers, such as 2FA (Two Factor Authentication). As a result, attackers can take control over someone’s home and turn off the lights or water, or, even worse, open the doors. So, one day, someone’s smart life could be turned into a complete nightmare. We reported all the information about the discovered vulnerabilities to the vendor, which are now being fixed.

But there is always light at the end of the tunnel…
In addition to smart “boxes”, we had something smaller in our pocket – a smart light bulb, which doesn’t have any critical use, neither for safety or security. However, it also surprised us with a few – but still worrying – security issues.

The smart bulb is connected to a Wi-Fi network and controlled over a mobile application. To set it up a user needs to first download the mobile application (iOS or Android), switch on the bulb, connect to the Wi-Fi access point created by the bulb and provide the bulb with the SSID and password from a local Wi-Fi network.

From the application, users can switch it ON and OFF, set timers and change different aspect of the light, including its density and color. Our goal was to find out if the device might help an attacker in any way to gain access to a local network, from which it would eventually be possible to conduct an attack.

After several attempts, we were lucky to discover a way to get to the device’s firmware through the mobile application. An interesting fact is that the bulb does not interact with the mobile application directly. Instead, both the bulb and the mobile application are connected to a cloud service and communication goes through it. This explains why while sniffing the local network traffic, almost no interaction between the two were found.

We discovered that the bulb requests a firmware update from the server and downloads it through an HTTP protocol that doesn’t secure the communication with servers. If an attacker is in the same network, a man-in-the-middle kind of attack will be an easy task.
 

The hardware reconnaissance with flash dumping led us not only to the firmware, but to user data as well. With a quick look at the information shared with the cloud, no sensitive information seems to have been uploaded from the device or the internal network. But we found all the credentials of the Wi-Fi networks to which the bulb had connected before, which are stored in the device’s flash forever with no encryption – even after a “hard” reset of the device this data was still available. Thus, reselling it on online market places is certainly not a good idea.
 

Get ready
Our latest research has once again confirmed that ‘smart home’ doesn’t mean ‘secure home’. Several logical vulnerabilities (combined with an unconsciously published serial number) can literally open doors to your home and welcome in cybercriminals. Besides this, remote access and control over your smart hub can lead to a wide range of sabotage activities, which could cost you through high electricity bills, a flood or, even more importantly, your mental health.

But even if your smart hub is secure, never forget that the devil is in the details: a tiny thing such as a light bulb could serve as an entry-point for hackers as well, providing them with access to a local network.

That’s why it’s highly important for users to follow these simple cyber hygiene rules:

Always change the default password. Instead use a strict and complex one. Don’t forget to update it regularly.
Don’t share serial numbers, IP addresses and other sensitive information regarding your smart devices on social networks
Be aware and always check the latest information on discovered IoT vulnerabilities.
No less important is that vendors should improve and enhance their security approach to ensure their devices are adequately protected and, as a result, their users. In addition to a cybersecurity check, which is just as vital as testing other features before releasing a product, it is necessary to follow IoT cybersecurity standards. Kaspersky Lab has recently contributed to the ITU-T (International Telecommunication Union — Telecommunication sector) Recommendation, created to help maintain the proper protection of IoT systems, including smart cities, wearable and standalone medical devices and many others.


From IDF to Inc: The Israeli Cybersecurity Startup Conveyor Belt
28.7.2018 securityweek BigBrothers

Israeli Defense Force (IDF) Unit 820

Understanding Why Israel Produces Many Cybersecurity Firms Starts With Understanding the Talent That Israeli Defense Force (IDF) Unit 8200 Produces

One definition of 'entrepreneur' is "a person who organizes and manages any enterprise, especially a business, usually with considerable initiative and risk." If Israel were a business, then its founders were entrepreneurs; and there is little wonder that the nation is imbued with an entrepreneurial spirit.

This spirit shapes Israeli business. Peter Rousseau, now with The Hackett Group, wrote last year, "Seventy-six Israeli companies are currently traded on the NASDAQ, behind only the United States and China. Israel exports $1,246 worth of hi-tech goods and services per capita compared to $488 for the U.S. and $295 for the rest of the world."

Nowhere is the entrepreneurial spirit better demonstrated than in the quantity and quality of contemporary cybersecurity firms that have come from Israel -- starting, perhaps, with Check Point. Check Point was founded in 1993 by Gil Shwed, Shlomo Kramer, and Marius Nacht. Shwed and Kramer had served together in the Israeli Defense Force (IDF) Unit 8200. One of Check Point's earliest employees was Nir Zuk, who moved on to become the founder and CTO of Palo Alto Networks. Zuk also served in IDF Unit 8200 -- and Unit 8200 is a pervasive thread that dominates Israeli cybersecurity firms.

Unit 8200 is the signals intelligence (SIGINT) and web intelligence (WEBINT) unit of the Israeli military; and is generally considered among the elite of the world's intelligence agencies. It is not the only technology unit in the IDF; but it is the offensive or proactive unit. All young Israelis do between 32 and 36 months military service from the age of 18. Those with a particular aptitude for SIGINT are literally 'creamed off' into Unit 8200.

Development of Israel's SIGINT

Unit 8200 did not spring from nothing with the formation of Israel in 1948. Jewish intelligence groups had been working in Palestine both with the ruling British administration, and against the British and Arabs -- sometimes simultaneously -- for many years. After 1948, the Israeli military became the IDF and established a military intelligence group codenamed 'Rabbit'. Rabbit was charged with intercepting and decoding Arab communications; a charge born of necessity.

Unit 8200 evolved out of Rabbit. Initially with little budget and low manpower, it was forced to develop its own technology and techniques -- the entrepreneurial spirit of the nation co-existed within its intelligence agency from its very origins.

The modern Unit 8200, however, grew out of the Yom Kippur War in 1973. On that Atonement Day, Israel was simultaneously invaded by Egypt and Syria. Although Israel eventually defeated the invaders it was at heavy cost in both lives and finance. Subsequent analysis showed that a failure in intelligence had left the nation unprepared -- and subsequent Unit 8200 reorganization was designed to prevent this ever happening again. Part of this was the conscious encouragement of 'chutzpah', (or audacity) among its staff.

This is the basis of today's Unit 8200: the cream of youth, highly trained in signals intelligence, encouraged to be audacious in thought and action, and imbued with an entrepreneurial spirit. These young people are then released back into society following their required national service in their early twenties. This is a situation unique in the world.

Israeli Cybersecurity Startups

When talented youth join the NSA or FBI or GCHQ or any other national intelligence agency, they are expected to do so for life, not just for three years. No other nation has this constant stream of highly trained, audacious and entrepreneurial young people entering the job market every year. What else should the more entrepreneurial alumni do but start their own firms using the skills they have acquired; and what else should others do but work in the R&D departments of these firms?

IDF's cybersecurity training

SecurityWeek spoke to several founders of Israeli cybersecurity firms. All of them served in technology units, and most in Unit 8200. Other military units have their own technology sections; and these also lead to spin offs. Examples could include Yuval Diskin, former director of Shin Bet, who started the cyber-tech company Diskin Advanced Technologies LTD; and Haim Tomer, formerly head of the Mossad's Intelligence Division, who is now a cybersecurity consultant. Despite such examples, however, it is the alumni of 8200 that dominate the new start-ups.

Understanding why Israel produces so many cybersecurity firms starts with understanding the converyor belt of talent that 8200 produces. Lior Div (CEO), Yossi Nar (CVO), and Yonatan Striem-Amit (CTO) are the three ex-8200 co-founders of Cybereason. "It starts," explains Liv, "with how people are selected to get into 8200. The Unit interviews all new draftees, using a series of tests looking at background, math proficiency, programming capabilities and pure intelligence. 8200 gets 'first pick'."

Just two military units get the lion's share of the best of the best: pilots for the air force, and 8200 for cyber warriors. Draftees serve anything from three to five years. During this period, special talent is fast-tracked. "By the time I was 19, I already had 10 developers reporting to me," said Div.

But it is fast-tracking in a unique environment. In commercial terms, the 'projects' are now well-funded and manned. "You are taught one thing in particular," he continued: "there is no such thing as impossible -- there is no notion of what you can and cannot do. You are given a problem, you work like crazy and eventually you solve the problem. So by the time you are released, around age 22 or 23, you are trained to solve cybersecurity problems."

This training is unique. Having chosen its new intake, said Div, "the military undertakes intensive training. After six months, 'trainees' have learned what a traditional university would take four years to teach -- and they have learned the practice of their subject and not just the underlying theory. By the time they leave, they are trained and confident cybersecurity warriors with new ideas."

This is confirmed by Boris Vaynburg, co-founder and CEO of Solebit. He and his two co-founders, along with 95% of his R&D staff, are all IDF technology unit alumni. He points out that in order to stay one step ahead of Israel's adversaries, Unit 8200 must take advantage of all known and unknown vulnerabilities in order to get into target networks. In essence, 8200 members get constant on-the-job red team training; and by the time draftees leave the military, they have a thorough understanding -- through use -- of the techniques used by hackers.

Eddy Brobitsky, CEO and co-founder of Minerva Labs, did not serve in Unit 8200. "Neither I nor my 2 co-founders served with 8200," he said, "We served in the unit that builds defensive solutions for the IDF. IDF doesn't want to rely on off-the-shelf products only -- it's important to develop your own products, so nobody will know how they work. We were focused on developing scalable products for cybersecurity and IT." It's worth noting that the IDF is, in these terms, the largest company in Israel. Building security defenses suitable for the entire IDF and Israel government is equivalent to building a security product that will scale to the largest commercial organizations.

But it's not just the practical expertise of service that benefits budding entrepreneurs -- it is the whole culture. We've seen that 'nothing is impossible' and chutzpah is encouraged; but there is also a completely different 'product' development culture. "Inside the IDF," explained Brobitsky, "the motivation for developing new security is to save human life. It's not about financial profit. All I had to do was show that a vulnerability existed and that someone could be hurt if there was a compromise, and I would get the budget to execute the project and build a defense."

It's not the same in the commercial world. "Later, when I worked in a bank which was driven by money," he continued, "I needed to show that any investment in cybersecurity would not hurt income but actually increase income. Its a very different approach. For example, if you fail in the IDF, you don't get fired -- you're still in the army. The army is always encouraging you to try and not accept defeat in any project; so it encourages innovation." While serving in the IDF, Brobitsky was involved in the development of between 20 and 30 different cybersecurity solutions for the entire IDF and government.

"So the environment is to try and try again until you succeed. In the real world, if you fail you will sometimes lose your job; and if you've already lost one job through not succeeding, you're always a bit afraid to try a different approach to things wherever you go.

A second difference with the outside world is the extent of 'networking' within Israel's technology world. Although there are different technology units with different priorities, there is constant intercommunication between them. Everybody knows everybody, commented Amit Rahav, VP of business development at Secret Double Octopus, "with veterans of the Israeli intelligence units seeking to hire these young guys righty away, appreciating the pre-selection, training and experience of the units they themselves came out of. This is to some extent similar to what happens at Ivy league MBA programs in the US."

From new idea to new company

From here there is a well-trod path. Turning what has been learned into a new company requires funding. Early-stage venture capital is available in Israel for good ideas. Not all ideas are good; but Israeli investors have become savvy in technology. Nobody wanted to say that there is smart money and dumb money, but it was a common acknowledgment that Israeli money is smart. Good ideas get funded and dumb ideas never get off the ground.

"Israeli venture capital is available, but it is hard to get and getting harder," explained Solebit's Vaynburg. "Any new idea has to be disruptive and unique with a strong team behind it. It's easier to get VC outside of Israel," he continued, "because the Israeli VC firms have become very cybersecurity savvy, and there are so many approaches for what is already an overcrowded market."

At the same time, of course, the cost of getting a product presentation team together and flown to the U.S. to present to a U.S. venture capital firm is exorbitant for what is, at this stage, likely to be not much more than proof of concept on a new idea. Seed funding tends to come from Israel itself.

What this generally means is that when a new cybersecurity firm is ready to expand outside of Israel, it is already a fair bet. That expansion usually means a move to the U.S. rather than the UK or Europe. For this there are three motivations -- all of which SecurityWeek has already heard in different contexts . Firstly there is far more venture capital available in the US than elsewhere. It's just beginning in Europe: there's some in Berlin, but little in London.

Secondly, despite the European Union, there are at least six different cultures and different languages to understand within the member nations, as opposed to, basically, just one American culture and language. Thirdly, and perhaps most importantly, new technology early-adopters are more prevalent in America -- and especially on the West Coast -- than anywhere else.

The real decision is not America or Europe, but West Coast or East Coast. While the majority might be attracted to the entrepreneurial attitude of the West Coast, others are attracted by the big financial customers of the East Coast. Boston-based CyberArk is one. "We figured the biggest adoption for security would first come financial services firms, and that very much lent itself to the East Coast," commented CEO Udi Mokady, another 8200 alumni.

The path from concept to company is illustrated by Solebit itself. "Solebit was established 3 years ago," said Vaynburg. "R&D is based in Israel. Our headquarters, however, is currently relocating to the Bay Area. We raised our seed funding from an Israeli venture capital firm [$2 million from Glilot Capital Partners in 2015], and Round A funding from a U.S. venture capital firm." The Round A funding is so new that, although it has closed, it is yet to be announced.

Lessons from the Israeli cybersecurity model

The sad truth is that the IDF situation in Israel is unique, and could not be copied anywhere else in the world. It provides a constant source of technological competence trained to be audacious, persistent and positive. Other SIGINT organizations around the world do not release their staff on to the job market, preferring to keep them. Retired NSA, CIA and FBI staff tend to join the boards of existing large corporations; they do not tend to start new companies. In the UK, retired GCHQ and Ministry of Defence (MoD) officers might become private consultants, offering experience and expertise -- but rarely new ideas.

One idea alone could translate to other countries. The IDF, the largest company in Israel, funds the university fees for promising students, requiring only that they work for the IDF for a period after graduation. Large western organizations could do similar, finding and nurturing young talent. The idea of serious cybersecurity talent emerging with a sought-after degree and no student debt should be alluring to all sides.


Samsung Smartphones Get Encrypted Communications
28.7.2018 securityweek Krypto

KoolSpan this week announced a partnership with Samsung to implement secure communications on Samsung smartphones.

KoolSpan, a provider of encrypted secure voice and messaging solutions for mobiles, is already offering secure communications to enterprises. With support for mainstream phones, which are normally used within organizations, the solutions bring end-to-end encryption to all internal calls and texts within a company.

The end result of the partnership between KoolSpan and Samsung is TrustCall Native for Samsung, which provides native dialer integration on Samsung devices and which is being demonstrated at the Mobile World Congress in Barcelona.

The solution is aimed at tackling the rise in attacks on mobile communications, which normally consist of calls and messages being intercepted through the exploitation of vulnerabilities in mobile internetworking protocols.

Last year, the U.S. Department of Homeland Security (DHS) issued a report to underline some of the issues plaguing mobile communications, suggesting that both deliberate and accidental threats to mobile security continue to exist.

TrustCall Native for Samsung is focused on addressing such concerns by offering more secure communications on Samsung smartphones. To ensure ease-of-use, it integrates with Samsung native functionality for phone, messaging and contacts and applies encryption automatically.

KoolSpan’s solution is managed, deployed and configured across all smartphones within an organization by the IT department and is integrated with the phone’s native dialer and messenger. TrustCall Native Secure Communications for Samsung is available for customers with a Samsung Enterprise Alliance Program (SEAP) account and a subscription to KNOX Configure.

“We’re excited to partner with KoolSpan, which enables us to implement secure communications on Samsung smartphones. TrustCall Native, one of KoolSpan’s flagship products, is the best example of the universal understanding that security is only as good as it is easy to use,” Mike Kazmierczak, Samsung B2B Business Development Manager, Mobile B2B Team, EMEA, said.


Thanatos Ransomware Makes Data Recovery Impossible
28.7.2018 securityweek
Ransomware

A newly discovered ransomware family is generating a different encryption key for each of the encrypted files but saves none of them, thus making data recovery impossible.

Dubbed Thanatos, the malware was discovered by MalwareHunterTeam and already analyzed by several other security researchers.

When encrypting files on a computer, the malware appends the .THANATOS extension to them. After completing the encryption, the malware connects to a specific URL to report back, thus allowing attackers to keep track of the number of infected victims.

The malware also generates an autorun key to open the ransom note every time the user logs in. In that note, the victim is instructed to send $200 to a listed crypto-coin address. Victims are also instructed to contact the attackers via email to receive a decryption program.

Thanatos’ operators allow victims to pay the ransom in Bitcoin, Ethereum, or Bitcoin Cash, thus becoming the first ransomware to accept Bitcoin Cash payments, Bleeping Computer’s Lawrence Abrams points out.

The issue with the new ransomware is that it, because it doesn’t save the encryption keys, files cannot be decrypted normally. However, victims don’t know that and might end up paying the ransom in the hope they can recover their files.

The good news regarding Thanatos, however, is that there might be a way to brute force the encryption keys, at least this is what security researcher Francesco Muroni suggests. However, this process would take a long time and would require for it to be a common file type with a known magic header.

Because of the botched encryption process, it is recommended to avoid paying the ransom if infected with Thanatos. Of course, this applies to every ransomware infection. It is also recommended to always keep applications up to date, and to use a security program capable of preventing this type of malware from compromising your systems.


Memcached Abused for DDoS Amplification Attacks
28.7.2018 securityweek
Attack

Malicious actors have started abusing the memcached protocol to launch distributed denial-of-service (DDoS) attacks, Cloudflare and Arbor Networks warned on Tuesday.

Memcached is a free and open source distributed memory caching system designed to work with a large number of open connections. Clients can communicate with memcached servers via TCP or UDP on port 11211.

Cloudflare noticed in recent days that memcached has been abused for DDoS amplification attacks, and so have Arbor Networks and Chinese security firm Qihoo 360. Cloudflare has dubbed this type of attack Memcrashed.

Attackers are apparently abusing unprotected memcached servers that have UDP enabled. Similar to other amplification methods, the attacker sends a request to the targeted server on port 11211 using a spoofed IP address that matches the IP of the victim. The request sent to the server is just a few bytes, but the response can be tens of thousands of times bigger, resulting in a significant attack.

The largest memcached DDoS attack observed by Cloudflare peaked at 260 Gbps, but Arbor Networks reported seeing attacks that peaked at 500 Gbps and even more.

“I was surprised to learn that memcached does UDP, but there you go!” said CloudFlare’s Marek Majkowski. “The protocol specification shows that it's one of the best protocols to use for amplification ever! There are absolutely zero checks, and the data WILL be delivered to the client, with blazing speed! Furthermore, the request can be tiny and the response huge (up to 1MB).”

Arbor Networks noted that the type of queries used in these attacks can also be directed at TCP port 11211, but since TCP queries cannot be reliably spoofed, this protocol is less likely to be abused. The company pointed out that Chinese researchers warned about the possibility of attacks abusing memcached in November.

In the attacks seen by Cloudflare, attackers abused servers from all around the world, but mostly from North America and Europe. A majority of the servers are hosted by OVH, DigitalOcean and Sakura.

The attacks monitored by the content delivery network (CDN) came from roughly 5,700 unique IPs associated with memcached servers, but experts expect to see much larger attacks in the future considering that Shodan shows nearly 88,000 open servers. A majority of the exposed systems are in the United States, followed by China and France.

Location of exposed memcached servers

“Arbor’s current assessment is that, as with most other DDoS attack methodologies, memcached DDoS attacks were initially – and for a very brief interval – employed manually by skilled attackers; they have subsequently been weaponized and made available to attackers of all skill levels via so-called ‘booter/stresser’ DDoS-for-hire botnets,” Arbor Networks researchers said in a blog post. “The rapid increase in the prevalence of these attacks indicates that this relatively new attack vector was weaponized and broadly leveraged by attackers within a relatively short interval.”

Cloudflare recommends disabling UDP support unless it’s needed, and advised system administrators to ensure that their servers are not accessible from the Web. Internet service providers (ISPs) can also contribute to mitigating these and other types of amplification attacks by fixing vulnerable protocols and preventing IP spoofing.


Ad Network Performs In-Browser Cryptojacking
28.7.2018 securityweek CoinMine

An ad network provider is performing in-browser Coinhive cryptojacking on websites that use its service, 360 Netlab security researchers warn.

The practice has been ongoing since December 2017, several months after the ad network provider, a company called PopAds Publisher, started using domain generation algorithm (DGA) technology to bypass ad blockers, claiming it would allow customers to “monetize traffic that wasn’t monetized before.”

In mid-2017, the provider started to generate seemingly random domains that would ensure ads can reach end users. By the end of the year, however, these domains, which 360 Netlab refers to as DGA.popad, started participating in cryptojacking activities, all without end-users’ acknowledgement.

Given that many people use ad blockers to prevent sites from displaying ads to them, ad networks often attempt to bypass blockers, and this provider decided to use DGA domains to host its advertisements. With these domains changing daily, it becomes difficult to block the ads, the researchers point out.

What’s more, the ad network provider recently started using the DGA.popad domains to perform cryptojacking. These domains, the researchers discovered, have a strong connection with Coinhive family domains in DNS traffic and serve the coinhive.min.js web miner.

Some of the DGA.popad domains have a high ranking, with one of them found in the top 2000 sites on Alexa and several others in the top 3000 list.

Once a user accesses such a site, their computer’s CPU starts being used to the full. According to 360 Netlab, the favicon.ico on the DGA.popad sites was found to run as a web miner. Most of the sites that would redirect users to DGA.popad domains are providing adult content and downloading services.

Because the impacted sites contain advertisements from this ad network, the cryptojacking activities are performed regardless of whether the user has an ad blocker installed or not.

Normally, users would be sent to a standard domain (serve.popads.net) hosted by the provider. If an ad blocker is used, the standard domain is blocked, and the visitor is sent to one of the DGA.popad domains. Regardless of the delivery mechanism, both the ad and the cryptojacking script are served.

“We are not able to make a detailed assessment. This is because only part of all the traffic passing DGA.popad and serve.popads.net will be inserted a web miner, but we are not sure which part will be selected, for now,” the researchers note.


Trump Yet to Order Spies to Retaliate Against Russia: NSA Chief
28.7.2018 securityweek BigBrothers

President Donald Trump has not yet ordered his spy chiefs to retaliate against Russian interference in US elections, the head of the National Security Agency told lawmakers Tuesday.

"We have not opted to engage in some of the same behaviors we are seeing," said Admiral Michael Rogers, who heads both the NSA -- the leading US electronic eavesdropping agency -- and the new US Cyber Command, the military body charged with online combat.

Asked in a Senate Intelligence Committee hearing if he had received orders from Trump to fight back against Moscow's meddling, Rogers said: "No, I have not."

Rogers denied claims that the agency is doing nothing to push back against Russian hacking, theft of US cyber secrets and other activities.

However, he acknowledged: "They have not paid a price that is sufficient to change their behavior."

Rogers echoed the comments he and five other US intelligence chiefs made two weeks ago at the House Intelligence Committee, where all said they had not been ordered by Trump to counter the Russians.

The US has accused Russia of actively interfering in the 2016 presidential election, stealing Democratic party communications and pushing out disinformation through social media.

It also accuses Moscow of stealing hacking secrets of the US intelligence community.

Rogers said an order for Trump is needed before the US intelligence community and military can undertake offensive online operations against the Russians.

"What I see on the Cyber Command side leads me to believe that if we don't change the dynamic here, that this is going to continue, and 2016 won't be viewed as isolated," he said.

But he said that at a lower level, the NSA and Cyber Command could take some unspecified actions to rebuff attackers.

Asked about the exchange in Congress, White House spokeswoman Sarah Sanders suggested the president does not need to act.

"Nobody is denying him the authority," she said of Rogers.


A vulnerability in Facebook exposed email and details of page administrator
28.7.2018 securityaffairs
Social

The security researcher Mohamed Baset discovered a vulnerability in Facebook that exposed email and other details of a page administrator.
Facebook has recently addressed an information disclosure vulnerability discovered by the security researcher Mohamed Baset that exposed page administrator.

According to Baset, the flaw is a “logical error” that he discovered after receiving an invitation to like a Facebook page on which he had liked a post.

Facebook administrator page -Like-

“One day i liked one of the posts of a specific page but i didn’t liked or followed the page itself after a few days i got an email notification from facebook regarding an invitation to like the page that i did already liked one of its posts, I was amazed by the feature but i realized that this is a feature to target non-fans and i was wondering what could go wrong since this is a new feature ?” state the blog post published by the expert.

“From the investigations that i’m doing sometimes in the office of the fraud and phishing emails i’m always and blindly showing the “Original” of the message (that can be achieved by clicking on the little drop-down menu arrow beside the message reply button)”

The researchers analyzed the source code of the email sent by the social network and discovered it includes the name of the administrator of the page and other info.

Facebook page administrator data leak

The researcher reported the issue to Facebook that acknowledged it and decided to award the expert $2,500 as part of its bug bounty program.

Facebook announced to have paid out more than $880,000 for 400 vulnerability reports submitted by hackers.

Many of you may consider that the issue is not so serious, but this isn’t true because under certain circumstance the data exposure could represent a threat to the users’ privacy

In the case of business or community pages, revealing the identities of the administrators could get them targeted by messages and comments.

“For many individual Facebook pages, the administrator and the page will share an identity, so putting the admin’s name in the page’s email isn’t really giving away much. But for business or community pages, which might have a number of co-administrators, you wouldn’t expect Facebook to reveal anything more than the name of the page itself, at least not without asking.” reads the blog post published by Sophos. “If nothing else, this protects individual employees from getting bombarded with comments and questions – whether they’re praises or rants – in place of the account itself.”


Recently patched CVE-2018-4878 Adobe Flash Player flaw now exploited by cybercriminals
28.7.2018 securityaffairs
Vulnerebility

Security researchers at Morphisec have uncovered a massive hacking campaign that is exploiting the recently patched CVE-2018-4878 Adobe Flash Player vulnerability.
Threat actors are exploiting the use-after-free flaw to deliver malware.

The CVE-2018-4878 vulnerability was fixed by Adobe on February 6, after security experts discovered it was used by North Korea-linked APT37 group in targeted attacks against South Korea.

Now the same vulnerability has been exploited by other threat actors in the wild as confirmed by Morphisec. The company spotted a campaign on February 22, the attackers were using a version of the exploit similar to the one used by the APT37 group.

The campaign is attributed to a financially motivated threat actor that exploited the CVE-2018-4878 in a malspam campaign, another thing highlighted by the researchers is that this exploit did not have a 64-bit version like the original one.

The attackers used spam emails containing a link to a document stored on safe-storage[.]biz. Once downloaded and opened, the document tries to trick victims with social engineering. It notifies users that an online preview is not available and instructs them to enable editing mode in order to view the content.

If the user enables the editing mode, the CVE-2018-4878 Adobe vulnerability is exploited and the Windows command prompt is executed. The associated cmd[.]exe file is then injected with malicious shellcode that connects to the attacker’s domain.

Security researchers at Morphisec have uncovered a massive hacking campaign that is exploiting the recently patched CVE-2018-4878 Adobe Flash Player vulnerability.

Threat actors are exploiting the use-after-free flaw to deliver malware.

The CVE-2018-4878 vulnerability was fixed by Adobe on February 6, after security experts discovered it was used by North Korea-linked APT37 group in targeted attacks against South Korea.

Now the same vulnerability has been exploited by other threat actors in the wild as confirmed by Morphisec. The company spotted a campaign on February 22, the attackers were using a version of the exploit similar to the one used by the APT37 group.

The campaign is attributed to a financially motivated threat actor that exploited the CVE-2018-4878 in a malspam campaign, another thing highlighted by the researchers is that this exploit did not have a 64-bit version like the original one.

The attackers used spam emails containing a link to a document stored on safe-storage[.]biz.

The URLs included in the emails is generated with Google’s URL shortening service, this circumstance allowed the researchers to determine the number of victims that clicked it. According to Morphisec each of the different links used in this campaign had been clicked tens and even hundreds of times within 3-4 days of being created.

Once downloaded and opened, the document tries to trick victims with social engineering. It notifies users that an online preview is not available and instructs them to enable editing mode in order to view the content.

CVE-2018-4878 malspam

If the user enables the editing mode, the CVE-2018-4878 Adobe vulnerability is exploited and the Windows command prompt is executed. The associated cmd[.]exe file is then injected with malicious shellcode that connects to the attacker’s domain.

“On February 22, 2018, Morphisec Labs spotted several malicious word documents exploiting the latest Flash vulnerability CVE-2018-4878 in the wild in a massive malspam campaign.” states the analysis published by Morphisec.

“After downloading and opening the Word document, the attack exploits the Flash vulnerability 2018-4878 and opens a cmd[.]exe which is later remotely injected with a malicious shellcode that connects back to the malicious domain.”

Then the shellcode downloads a dll from the same domain, which is executed using Microsoft Register Server utility to bypass whitelisting solutions.

According to the experts, only a limited number of security solutions flag the bait documents as malicious.

“As expected and predicted, adversaries have quickly adopted the Flash exploit, which is easily reproducible. With small variations to the attack, they successfully launched a massive malspam campaign and bypassed most of the existing static scanning solutions once again.” concluded Morphisec.


Widespread Vulnerability Found in Single-Sign-On Products
27.7.2018 securityweek
Vulnerebility

A behavioral quirk in SAML libraries has left many single-sign-on (SSO) implementations vulnerable to abuse. It allows an attacker that has gained any authenticated access to trick the system into granting further access as a different user without knowledge of that user's password.

This could be used by an attacker who has compromised a low level limited access account to acquire access to third-party cloud services -- or it could be used by a malicious insider seeking access to reserved network areas (such as the payroll databases, or HR records).

The vulnerability was discovered by the research team of Duo Security, itself an SSO provider; and is described in a blog posted today. It affects many of the leading SSO providers, and probably affects the majority of proprietary company SSO developments.

Duo has confirmed the flaw in OneLogin - python-saml (CVE-2017-11427); OneLogin - ruby-saml (CVE-2017-11428); Clever - saml2-js (CVE-2017-11429); OmniAuth-SAML (CVE-2017-11430); Shibboleth (CVE-2018-0489); and Duo Network Gateway (CVE-2018-7340).

Security Assertion Markup Language (SAML) is the underlying protocol used by most SSO implementations. It is what allows authentication to be passed between a company's identity store and, for example, a third-party service. Typically, a user will log onto the identity store. This contains the credentials that will allow the same user to access other services.

SAML is used to pass authentication, via the browser, from the identity provider to the third-party service, granting access. The flaw lies in how authentication is encoded by SAML in the provider's 'response'.

The SAML authentication response contains two primary elements: the assertion and the signature. The assertion element says this NameID is authenticated. The signature element is designed to prevent the authenticated user NameID being changed at any point between the identity provider and the service being accessed. "If the attacker can modify the 'NameID' without invalidating the signature, that would be bad," suggest the Duo researchers; and then proceed to explain how it can be done.

"One of the causes of this vulnerability is a subtle and arguably unexpected behavior of XML libraries like Python’s 'lxml' or Ruby’s 'REXML'," write the blog's authors. Comments can be included in the signature, but the canonicalization process of the SAML libraries tend to drop all text after the first text node to isolate the NameID.

"So," explain the researchers, "as an attacker with access to the account 'user@user.com.evil.com', I can modify *my own* SAML assertions to change the NameID to 'user@user.com' when processed by the SP." The seven characters are <!----> inserted before .evil.com. This causes the canonicalization process to drop '.evil.com', leaving the authenticated account as 'user@user.com'.

Not all SSO implementations are vulnerable to this glitch; but Duo has demonstrated that many are. All that is required from the attacker is a genuine account that he can 'modify' to his attack target, plus the relatively minor technical savvy to intercept and edit the SAML authentication as it passes through the browser.

"Remediation of this issue," notes the report, "somewhat depends on what relationship you have with SAML." It gets a bit complicated. "Duo has released updates for the Duo Network Gateway in version? ?1.2.10?. If you use the DNG as a SAML Service Provider and are not at version 1.2.10 or higher (at the time of writing this, 1.2.10 is the latest version), we recommend upgrading."

Different affected SSOs will have different specific recommendations, and it would be best to refer to them for guidance. Similarly, there are different recommendations for maintainers of identity or service providers, maintainers of SAML processing libraries, and maintainers of XML parsing libraries. One thing that would help, suggest the authors, is the ability to enforce multi-factor authentication, "because this vulnerability would only allow a bypass of a user’s first factor of authentication." But the authors also warn, "if your IdP is responsible for both first factor and second factor authentication, it’s likely that this vulnerability bypasses both!"

Because multiple vendors are affected by this vulnerability, Duo Security worked with CERT/CC to co-ordinate disclosure. It provided the vulnerability information to CERT/CC on 18 December 2017. By 20 February 2018, all notified affected vendors had confirmed they were ready for disclosure; and Duo Security has disclosed the vulnerability details today.

Ann Arbor, Michigan-based Duo Security, a cloud-based provider of identity and access management solutions, announced a $70 million Series D funding round led by Meritech Capital Partners and Lead Edge Capital in October 2017. This brought the total amount raised to $119 million, and valued the company at $1.17 billion.


Industrial Cybersecurity Firm CyberX Raises $18 Million
27.7.2018 securityweek IT

Industrial cybersecurity startup CyberX announced today that it has raised $18 million in a Series B funding round, bringing the total amount received to date by the company to $30 million.

The latest funding round was led by Norwest Venture Partners, which also invested in FireEye and Symantec-acquired Fireglass, with participation from previous investors Glilot Capital Partners, Flint Capital, ff Venture Capital, and OurCrow.

CyberX says it plans on using the additional funding to continue its expansion in Europe and the United States, drive international growth, and expand its product development, research, and threat intelligence teams.

Founded in 2013 by military cyber experts Nir Giller and Omer Schneider, CyberX offers a platform that continuously monitors networks and collects data to help detect potentially malicious activity. The company also recently unveiled simulation technology designed to help predict breach and attack vectors.

CyberX says its product has been used by Global 2000 organizations across the energy and utilities, chemical, oil and gas, manufacturing, and other critical infrastructure sectors.

“There is a growing need in many enterprises to connect their IIoT and ICS networks to corporate IT networks for performance, monitoring, and manageability reasons. This trend creates a new security risk which requires a modern, IIoT-optimized, security solution.” said Dror Nahumi, general partner at Norwest Venture Partners. “We are extremely impressed with CyberX’s solution and its successful adoption with top-tier enterprise customers across multiple verticals.”

“We’re proud that our team has delivered a series of industry-firsts, including the first anomaly detection platform to incorporate ICS-specific threat intelligence, risk and vulnerability assessments, and automated threat modeling, as well as native integration with SOC tools,” said Giller. “By providing SOC teams with deeper visibility into Operational Technology (OT) assets, behaviors, and threats, we’re helping organizations implement a unified approach across IT and OT security and remove silos between IT and OT -- thereby improving their combined IT/OT risk posture.”

CyberX previously raised $20,000 in 2013, $2 million in 2014, and another $9 million in 2016, which, along with some add-on investments to the Series A round brought the total raised so far to $30 million. The company noted that its latest funding is the largest B round to date in industrial cybersecurity.


Facebook Flaw Exposed Page Administrators
27.7.2018 securityweek
Social

Facebook recently patched an information disclosure vulnerability that exposed page administrators, researcher Mohamed Baset reported this week.

Baset claimed he discovered the issue, which he described as a “logical error,” within a few minutes of receiving an invitation to like a Facebook page on which he had liked a post.

Looking at the email’s source code, the researcher noticed that it included the name of the page’s administrator and other details.

Facebook emails expose information on page admins

After being notified through its bug bounty program, Facebook acknowledged the vulnerability and decided to award the expert $2,500 for his findings.

Sophos’ Paul Ducklin has provided an explanation on why such an information disclosure flaw can pose a problem to Facebook page administrators.

“For many individual Facebook pages, the administrator and the page will share an identity, so putting the admin’s name in the page’s email isn’t really giving away much,” Ducklin said. “But for business or community pages, which might have a number of co-administrators, you wouldn’t expect Facebook to reveal anything more than the name of the page itself, at least not without asking.”

“If nothing else, this protects individual employees from getting bombarded with comments and questions – whether they’re praises or rants – in place of the account itself,” the expert added.

Baset, founder and lead penetration tester at Seekurity, said this was the second time he reported a vulnerability to Facebook without having to write any code to demonstrate his findings.

Facebook reported recently that last year it paid out more than $880,000 for 400 valid vulnerability reports submitted by white hat hackers.


Splunk to Acquire Security Orchestration Firm Phantom for $350 Million
27.7.2018 securityweek IT

Machine data solutions firm Splunk said on Tuesday that it has agreed to acquire Phantom Cyber, a provider of Security Orchestration, Automation and Response (SOAR) solutions.

Under the terms of the agreement, Splunk will pay approximately $350 million in cash and stock to acquire Palo Alto, Calif.-based Phantom.

Phantom, which has raised more than $23 million in funding, has developed a community-powered security automation and orchestration platform that currently has more than 200 “apps” which integrate with various security products. These apps are available for a wide range of security tools from partners including Cisco, McAfee, Palo Alto Networks, RSA Security, Symantec, Splunk, HPE, IBM and others.

By combining technologies from both companies, Splunk says that IT teams will be able to leverage automation capabilities to “help solve automation challenges in a widening range of use cases, including Artificial Intelligence for IT Operations (AIOps).”

Following the acquisition, Phantom founder and CEO Oliver Friedrichs will report to Haiyan Song, senior vice president and general manager of security markets at Splunk.

The acquisition is expected to close during the first half of 2018, subject to customary closing conditions and regulatory reviews.

“The majority of purchase price consideration will be paid from cash on our balance sheet. Total equity consideration plus Phantom employee retention incentives will result in less than one percent total dilution from this transaction,” said Dave Conte, chief financial officer, Splunk.

Investors in Phantom include, iconic Silicon Valley VC firm Kleiner Perkins, TechOperators Venture Capital, Blackstone, Foundation Capital, In-Q-Tel, Rein Capital, Zach Nelson, and John W. Thompson.


Changes in Apple’s iCloud Security Policies and Argument of China
27.7.2018 securityaffairs BigBrothers

Changes in Apple’s iCloud Security Policies – Apple announced to relocating the encryption key for users data in China; from the United States of America to some country in Asia!
The latest chaos in the digital world regarding Apple has stricken like a bullet, as the iPhone manufacturer announced to relocating the encryption key for users data in China; from the United States of America to some country in Asia!

Well, some security advocates argue that this is incorrect for the corporation itself as well as a privacy threat for users, but according to Apple Company; the codes are secure.
According to the reports, the users of iCloud in China are confused that in what way Apple will manage the confidentiality of their essential data.

Apple too fears that data protection employees have concerns about changing the privacy of iCloud users in China, as per two reports this week.
The classified data such as online emails, photographs, and messages stay protected from hackers by encryption. And now, Apple will store encryption keys in China instead of the United States of America (Reuters and the Wall Street Journal reports).

It means that the Chinese authorities do not need to go to USA law agencies to force Apple to provide the rights to the data. This step in reaction to newly introduced laws in China, according to which iCloud services offered to the citizens, should secure data within premises of the country and can be used by Chinese organizations.

By the end of the coming month, Apple is going to start transmitting coded information to China and will work closely with a Chinese government. Apple did not say when the encryption data keys would move abroad.

Data protection advocates said, “The change can cause problems for political and other dissidents”.
“Given that Apple is going to work in China, it is unlikely that government can get access to Apple’s data from the local community,” said the professor at the Toronto University, studying the actions of the Chinese government carefully.

Apple says, however, that the data keys stored in a secure place, still Apple will control them. Besides, Apple also claimed that it would provide data only on demand to China’s current legislative requirements and did not create loopholes for access.
Apple’s high-level officer said to news agencies that iCloud is a matter of concern for the recently introduced laws.

The spokeswoman also noted that Apple decision to break the service of iCloud in China would lead to reduced client’s interaction with Apple and would reduce the security and confidentiality of data for Chinese users.
Big multinationals like Microsoft and Amazon also work with Chinese companies to provide cloud storage service and use the vast Chinese market. Two technological giants of USA refused to inform the magazine, where the encryption keys of the company’s data store.
Apple informed the news agencies that they sent a warning about the transition to Chinese iCloud users, which will allow them to disable iCloud to avoid data storage in the country. Apple also told that no one will be touched before accepting new terms of use in China.
Users whose configurations allow another nation like Macao and Hong Kong have not registered their data on servers in China.

The Reuters also includes Taiwan in this list; the newspaper does not do this.
Apple Company and Amazon did not respond to our request for additional comments yet. Microsoft also denied giving any further comments.


Israeli mobile forensics firm Cellebrite can unlock every iPhone device on the market
27.7.2018 securityaffairs Apple

The Israeli mobile forensics firm Cellebrite has designed a technology that allows it to unlock almost any iPhone, including the latest iPhone X.
We have debated for a long time the legal dispute between Apple and the FBI for unlocking the San Bernardino shooter’s iPhone 5c.

The tech giant refused to help the US authorities to unlock the mobile device and the FBI paid over a million dollar to a third-party company to access data contained in the San Bernardino’s shooter’s iPhone.

cellebrite ufed-touch

Such kind of dispute would not happen in the future, the Israeli mobile forensics firm Cellebrite has designed a technology that allows it to unlock almost any iPhone, including the latest iPhone X.

The Israeli mobile forensics firm Cellebrite that is one of the leading companies in the world in the field of digital forensics. The company already works with the principal law enforcement and intelligence agencies worldwide.

Cellebrite provides the FBI with decryption technology as part of a contract signed in 2013, its technology allows investigators to extract information from mobile devices.

The company’s Advanced Unlocking and Extraction Services could be used to unlock every iPhone running iOS 11 and older versions.

“Cellebrite, a Petah Tikva, Israel-based vendor that’s become the U.S. government’s company of choice when it comes to unlocking mobile devices, is this month telling customers its engineers currently have the ability to get around the security of devices running iOS 11.” reads a post published by Forbes.

“That includes the iPhone X, a model that Forbes has learned was successfully raided for data by the Department for Homeland Security back in November 2017, most likely with Cellebrite technology.”

Cellebrite says it advanced services can hack into “Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11.”

According to Forbes, anonymous sources confirmed that Cellebrite could also unlock the iPhone 8, and likely the iPhone X.

“a source in the police forensics community told Forbes he’d been told by Cellebrite it could unlock the iPhone 8. He believed the same was most probably true for the iPhone X, as security across both of Apple’s newest devices worked in much the same way.” continues Forbes.

Law enforcement agencies that need to unlock a device (iOS or Android) simply need to send it to the company Labs where a pool of experts will do the job, the service costs as little as $1,500 per unlock.

“In its labs, the company then uses whatever secret exploits it has to crack the lock and either hands it back to investigators so they can take data from the device, or Cellebrite can do that for them. As Forbes previously detailed, this can be relatively inexpensive, costing as little as $1,500 per unlock.” states Forbes.

It also appears the FBI has already tried out Cellebrite service on the latest Apple devices, the iPhone X. According to a warrant viewed by Forbes related to a suspect in an arms trafficking (Abdulmajid Saidi), his iPhone X was sent to a Cellebrite specialist at the DHS Homeland Security Investigations Grand Rapids labs and the data extracted on December 5.

Cellebrite hasn’t commented on the latest report.


Flaw in Popular μTorrent Software Lets Hackers Control Your PC Remotely
27.2.2018 thehackernews
Vulnerebility


If you have installed world's most popular torrent download software, μTorrent, then you should download its latest version for Windows as soon as possible.
Google's security researcher at Project Zero discovered a serious remote code execution vulnerability in both the 'μTorrent desktop app for Windows' and newly launched 'μTorrent Web' that allows users to download and stream torrents directly into their web browser.
μTorrent Classic and μTorrent Web apps run in the background on the Windows machine and start a locally hosted HTTP RPC server on ports 10000 and 19575, respectively, using which users can access its interfaces over any web browser.
However, Project Zero researcher Tavis Ormandy found that several issues with these RPC servers could allow remote attackers to take control of the torrent download software with little user interaction.
According to Ormandy, uTorrent apps are vulnerable to a hacking technique called the "domain name system rebinding" that could allow any malicious website a user visits to execute malicious code on user's computer remotely.

To execute DNS rebinding attack, one can simply create a malicious website with a DNS name that resolves to the local IP address of the computer running a vulnerable uTorrent app.
"This requires some simple DNS rebinding to attack remotely, but once you have the secret you can just change the directory torrents are saved to, and then download any file anywhere writable," Ormandy explained.
Proof-of-Concept Exploits for uTorrent Software Released Publicly

Ormandy also provided proof-of-concept exploits for μTorrent Web and μTorrent desktop (1 and 2), which are capable of passing malicious commands through the domain in order to get them to execute on the targeted computer.
Last month, Ormandy demonstrated same attack technique against the Transmission BitTorrent app.
Ormandy reported BitTorrent of the issues with the uTorrent client in November 2017 with a 90-days disclosure deadline, but a patch was made public on Tuesday—that's almost 80 days after the initial disclosure.
What's more? The re-issued new security patches the same day after Ormandy found that his exploits continued to work successfully in the default configuration with a small tweak.
"This issue is still exploitable," Ormandy said. "The vulnerability is now public because a patch is available, and BitTorrent have already exhausted their 90 days anyway."
"I see no other option for affected users but to stop using uTorrent Web and contact BitTorrent and request a comprehensive patch."
Patch your uTorrent Software NOW!
The company assured its users that all vulnerabilities reported by Ormandy it two of its products had been addressed with the release of:
μTorrent Stable 3.5.3.44358
BitTorrent Stable 7.10.3.44359
μTorrent Beta 3.5.3.44352
μTorrent Web 0.12.0.502
All users are urged to update their software immediately.


Phone-Cracking Firm Found a Way to Unlock Any iPhone Model
27.2.2018 thehackernews Apple

Remember the infamous encryption fight between Apple and the FBI for unlocking an iPhone belonging to a terrorist behind the San Bernardino mass shooting that took place two years ago?
After Apple refused to help the feds access data on the locked iPhone, the FBI eventually paid over a million dollar to a third-party company for unlocking the shooter's iPhone 5c.
Now, it appears that the federal agency will not have to fight Apple over unlocking iPhones since the Israeli mobile forensics firm Cellebrite has reportedly figured out a way to unlock almost any iPhone in the market, including the latest iPhone X.
Cellebrite, a major security contractor to the United States law enforcement agencies, claims to have a new hacking tool for unlocking pretty much every iPhone running iOS 11 and older versions, Forbes reports.
In its own literature [PDF] "Advanced Unlocking and Extraction Services," Cellebrite says its services can break the security of "Apple iOS devices and operating systems, including iPhone, iPad, iPad mini, iPad Pro and iPod touch, running iOS 5 to iOS 11."
Citing anonymous sources, the publication reported that Cellebrite could also unlock the iPhone 8, and since the security across Apple's newest iPhone devices worked in much the same way, the company can break the security of the iPhone X as well.
Besides Apple's devices, Cellebrite can also break into Google Android-powered smartphones from Samsung (Galaxy and Note series), Alcatel, Google Nexus, HTC, Huawei, LG, Motorola, ZTE and many more.
"Cellebrite Advanced Unlocking Services is the industry's only solution for overcoming many types of complex locks on market-leading devices," Cellebrite literature explains.
"This can determine or disable the PIN, pattern, password screen locks or passcodes on the latest Apple iOS and Google Android devices."
Last November, the Department of Homeland Security reportedly managed to get into an iPhone X owned by a suspect in an arms trafficking case, probably with the help of a Cellebrite-trained specialist.
However, a warrant discovered by Forbes does not mention the method or technology used by law enforcement to hack into the iPhone X.
Founded in 1999, Cellebrite provides digital forensics tools and software for mobile phones to its customers, which also includes the US government.
One of its main products is the Universal Forensic Extraction Device (UFED) that claims to help investigators extract all data and passwords from mobile phones.
While the Cellebrite's iPhone hacking tool has the potential to affect hundreds of millions of Apple users, Apple also rolls out software updates and patches on a regular basis.
So users are advised to keep their devices up-to-date, as its hard to say if the company's hacks work on the latest updates of iOS 11.
Neither Cellebrite nor Apple immediately commented on the latest report.


Android P Will Block Background Apps from Accessing Your Camera, Microphone
27.2.2018 thehackernews Android

Yes, your smartphone is spying on you. But, the real question is, should you care?
We have published thousands of articles on The Hacker News, warning how any mobile app can turn your smartphone into a bugging device—'Facebook is listening to your conversations', 'Stealing Passwords Using SmartPhone Sensors', 'Your Headphones Can Spy On You' and 'Android Malware Found Spying Military Personnel' to name a few.
All these stories have different objectives and targets but have one thing in common, i.e., apps running in the background covertly abuse ‘permissions’ without notifying users.
Installing a single malicious app unknowingly could allow remote attackers to covertly record audio, video, and taking photos in the background.
But, not anymore!
In a boost to user privacy, the next version of Google's mobile operating system, Android P, will apparently block apps idling in the background from accessing your smartphone's camera and microphone.
According to the Android Open Source Project (AOSP) commit, Google is working on two built-in features in Android P to protect its users from malicious apps spying on them using smartphones’ camera or microphone.
First spotted by XDA developers, the source code commit for both the camera and microphone changes notes that apps that are "idle" (aka running in the background) "for more than a certain amount of time" without specifying themselves will not be able to use the microphone or camera.
To do so, the Android P mobile operating system would target something known as an app's User ID (UID)—a unique ID assigned to an app when a user downloads it on his/her Android device that cannot be altered and are permanent until the app is uninstalled.
Android P would keep an eye on the app’s UID and block it from accessing the camera and microphone in any way whenever that UID is idle. Repeated attempts of requesting access to the camera would generate errors.
However, microphone-using apps will not be cut off from the microphone, but will "report empty data (all zeros in the byte array), and once the process goes in an active state, we report the real mic data."
It should also be noted that users talking on the smartphone while using other apps will not have to worry about these new features because the dialer application went into the background while active.
Imposing such limitations on apps would surely alleviate spying fears for Android users as of today when advertisers misuse such features to listen in on app users and Android malware capable of capturing audio, video, and images in the background are out there, for example, Skygofree and Lipizzan.
Android P is still in development and is not yet named. The company seems to release the next major version of Android in this year's Google I/O developer conference that will take place from May 8 to May 10 at the Shoreline Amphitheatre in Mountain View, California.


North Korea's Flash Player Flaw Now Exploited by Cybercriminals
27.2.2018 securityweek BigBrothers

Endpoint security firm Morphisec has spotted a massive campaign that exploits a recently patched Adobe Flash Player vulnerability to deliver malware.

The flaw in question, CVE-2018-4878, is a use-after-free bug that Adobe patched on February 6, following reports that North Korean hackers had been exploiting the vulnerability in attacks aimed at South Korea. The threat group, tracked as APT37, Reaper, Group123 and ScarCruft, has been expanding the scope and sophistication of its campaigns.

After Adobe patched the security hole, which allows remote code execution, other malicious actors started looking into ways to exploit CVE-2018-4878.

Morphisec said it spotted a campaign on February 22, which had been using a version of the exploit similar to the one developed by APT37. However, researchers pointed out that the exploit in the malspam campaign, unlike the one used in the original attacks, did not have a 64-bit version.

The attack starts with a spam email containing a link to a document stored on safe-storage[.]biz. Once downloaded and opened, the document informs users that an online preview is not available and instructs them to enable editing mode in order to view the content.

If users comply, the Flash vulnerability is exploited and the Windows command prompt is executed. The associated cmd.exe file is then injected with malicious shellcode that connects to the attacker’s domain.

A DLL file is then downloaded by the shellcode and executed using the Microsoft Register Server (regsvr32) utility. The legitimate tool is abused in an effort to bypass whitelisting products.

The malicious documents and the Flash exploit were only detected by a few security solutions based on their signature at the time of Morphisec’s analysis.

Since the URLs included in the spam emails were created using Google’s URL shortening service, researchers determined that each of the different links delivered in this campaign had been clicked tens and even hundreds of times within 3-4 days of being created. Users clicked on the links from various browsers and email services, including Outlook, Gmail and Aruba.it.

“As expected and predicted, adversaries have quickly adopted the Flash exploit, which is easily reproducible,” Morphisec’s Michael Gorelik explained in a blog post. “With small variations to the attack, they successfully launched a massive malspam campaign and bypassed most of the existing static scanning solutions once again.”


Evrial: The Latest Malware That Steals Bitcoins Using the Clipboard
27.2.2018 securityaffairs
Virus

Evrial is a cryptocoin malware stealer discovered by the researchers at ElevenPaths which takes control of the clipboard to get “easy money”.
Evrial is a cryptocoin malware stealer which takes control of the clipboard to get “easy money”.

ElevenPaths has taken a deep technical dive into the malware itself, to show how it technically works, with a quite self-explanatory video. Aside, we have followed the steps of its Russian creator and found that his scam has been targeting other scammers themselves.

Evrial

By the end of 2017, CryptoShuffle was a malware sample capable of reading the clipboard and modifying cryptocurrency addresses found there. Later, someone realized that there could be some business on providing these features as a service and started to sell the platform itself calling it “Evrial”. The product was formed by a .NET malware sample capable of stealing passwords from browsers, FTP clients, Pidgin and it could also modify the clipboard on the fly so as to change any copied cryptocurrency address to whatever address he wanted to.

Evrial allows the attacker to control it all from a comfortable panel where the stolen data can be easily explored. When the attacker buys the application, he can set his “name” for logging into the panel which will be hardcoded in the code, so that the shipped Evrial version is unique for him.

When you want to make a Bitcoin transfer, you usually copy and paste the destination address. In this sense, the attacker waits until the user, trusting in the clipboard action, sends a new transaction to the copied cryptocurrency address, without knowing that the recipient’s address has been silently modified to one that belongs to the attacker. The malware performs this task in the background for different types of address including Bitcoin, Litecoin, Ethereum and Monero addresses as well as for Steam identifiers and Webmoney WMR and WMZ units.

The author exposes his username in Telegram: @Qutrachka. The account is in the source code in order to be able to contact him. Using this information and some other analysed samples, it has been possible to identify users in different deep web forums under the name Qutra whose main objective: sell this malicious software. There are also evidences that CryptoSuffer malware was linked to the same threat actor after identifying a publication in Pastebin explaining the functionalities of this family and published under the same user.

We are able to guess how much it is in every wallet. He has received a total of 21 transactions into the Bitcoin wallet, supposedly from his victims, collecting approximately 0.122 BTC. If ransomware wallets usually receive the same amount from its victims, here the range is wider because the legitimate payments that the victim wants to do are, of course, of different amounts.


The attacker has moved all the money to several addresses to try to blur the trail of his payments. The attacker has received 0.0131 Litecoins as well, but this amount is still available in his wallet. On the other hand, it has not been possible to track any payments related to his Monero account because of how this technology works so as to hide the information of which parties have been involved in each operation. At the same time, we could not find out any additional information linked to his various Webmoney accounts (WMR and WMZ). Anyway, what is clear is that this type of malicious behavior is technically viable while it is being used in the wild.


Line Between Nation-State, Criminal Hackers Increasingly Blurred: Report
26.2.2018 securityweek Crime

The line between the level of sophistication typically exhibited by state-sponsored threat groups and cybercriminals became increasingly blurred in the past year, according to CrowdStrike’s 2018 Global Threat Report.

CrowdStrike has analyzed various aspects of the cybersecurity landscape in the past year, including targeted attacks launched by nation state actors, the tools and operations of cybercriminals, hacktivism, law enforcement campaigns, and the effectiveness of attacks and defense mechanisms.

According to the security firm, there are several factors that led to the leveling of the playing field, but one of the most significant is the so-called “trickle-down effect.” This product adoption model states that a product initially too expensive for the masses eventually gets cheap enough for the general public to acquire.

Applying this model to the cybersecurity scene, we have the EternalBlue exploit, which is believed to have been developed by the U.S. National Security Agency (NSA), getting leaked by a group named Shadow Brokers. This has allowed other state-sponsored attackers – including in the WannaCry and NotPetya attacks believed to have been launched by North Korea and Russia – and profit-driven cybercriminals to use the exploit to accomplish their own goals.

On one hand, attacks such as the ones involving NotPetya and WannaCry malware have inspired cybercriminals, giving them ideas on how to maximize profits. On the other hand, state-sponsored actors have also taken inspiration from cybercriminals – both the NotPetya and WannaCry attacks were made to appear as if they were ransomware campaigns launched by profit-driven criminals.

Sophisticated supply chain attacks have been typically used by nation state groups, but last year saw several incidents that did not appear to be the work of state-sponsored cyberspies.

One incident involved rogue Python libraries being uploaded to the Python Package Index (PyPI). While the libraries included malicious code, it actually turned out to be benign, which has led some experts to believe that it may have been the work of a grey hat hacker.

Other incidents involved a piece of macOS malware called ProtonRAT, which attackers managed to deliver last year on at least two occasions after compromising websites hosting popular video conversion and media player apps. Operation WilySupply analyzed by Microsoft also falls into this category.

The list of supply chain attacks attributed to state-sponsored groups last year included the CCleaner and NetSarang incidents, which some linked to China, and the NotPetya campaign, whose initial infection vector was an updater for a Ukrainian tax accounting application.

“CrowdStrike's report is just one more in a long line of publications that demonstrates the increasing futility of technical attribution. The largest detriment of this trend of nation states hiding in the hacking noise is that the security industry no longer can have confidence in its traditional technical attribution models. Relying on code usage and IPs in a world where we know tool kits and techniques are shared, stolen, and sold amongst hackers is a recipe for misattribution,” Ross Rustici, senior director of intelligence services at Cybereason, commented on the CrowdStrike report.

“Hackers, especially the higher tier have proven time and again that they are capable and willing to play on cybersecurity's habit of confirmation bias by using false flags to point the community in the direction of a particular nation state or criminal group that is either: 1) currently the most talked about group making which plays into the self interest of the company of finding something that already garners a lot of media and PR attention; or 2) plays to the nationalism of the victim,” Rustici added.


NanoCore RAT Creator Sentenced to Prison
26.2.2018 securityweek
Virus

A Hot Springs, Arkansas man who last year admitted in court to creating the NanoCore RAT (Remote Access Trojan) was sentenced to 33 months in prison.

Taylor Huddleston, 27, was sentenced on Friday for helping and assisting with computer intrusions through the development and marketing of malicious software, the Department of Justice announced. The programs he created were used to steal sensitive data from victims, spy on them, and conduct other illegal intrusions.

In addition to the 33 months in prison, Huddleston was ordered to serve two years of supervised release following his prison sentence.

Accused of developing, marketing, and distributing two malware families, Huddleston pleaded guilty in court in July 2017.

The first malicious program Huddleston developed is the NanoCore RAT, a backdoor that allows attackers to steal information from victim computers, including passwords, emails, instant messages, and other sensitive data. Used to infect and attempt to infect tens of thousands of systems, the RAT allows attackers to activate infected machines’ webcams to spy on victims.

NanoCore RAT was used in attacks targeting the finance departments of small and medium-sized businesses in the U.K., the U.S. and India, as well as in other global infection campaigns. Distribution methods included, among others, fileless tricks to the abuse of free Voice-over-IP (VoIP) service Discord.

Huddleston also admitted to creating Net Seal, licensing software that allowed him to distribute malware for co-conspirators for a fee. Huddleston is said to have used Net Seal to assist Zachary Shames in his attempt to infect 3,000 systems with malware that was in turn used to infect 16,000 computers.

Huddleston built Net Seal in 2012 and created NanoCore in 2014 (he marketed the RAT as a remote desktop management utility.

In his guilty plea last year, Huddleston admitted that he intended the programs to be used maliciously.


PhishMe Acquired at $400 Million Valuation, Rebranded as Cofense
26.2.2018 securityweek
Phishing

Private Equity Deal Values Cofense at $400 Million

PhishMe, a security awareness firm that focuses on training employees on how to recognize and report phishing attacks, has been acquired by a private equity consortium in a deal that valued the company at $400 Million.

The company has also re-branded and changed its name to Cofense.

“PhishMe was founded to challenge the cliché - human is the weakest link,” said Rohyt Belani, CEO and Co-Founder of Cofense. “The Cofense solution set leverages internal employee-generated attack intelligence in concert with purpose-built response technologies to break the attack kill chain at delivery. Cofense reflects the full breadth of our portfolio of enterprise-wide attack detection, response, and orchestration solutions.”

Cofense LogoThe company says it currently has more than 1700 customers globally and that its PhishMe Reporter is installed on more 10 million endpoints.

In a recent survey by the Financial Services Information Sharing and Analysis Center (FS-ISAC) that polled more than 100 of its 7,000 global members, thirty-five percent of CISOs in the financial sector consider staff training to be the top priority for cyber defense.

“With cybersecurity a top priority for organizations everywhere, our goal is to continue bringing innovative products to markets around the globe to help stop active attacks faster than ever,” Belani added.

Cofense says it has experienced roughly 80% CAGR over the last four years, and has new offices opening in Australia, Singapore, Dubai, and Saudi Arabia.

The company has previously raised a total of roughly $58 million, including a large $42.5 million funding round in July 2016. The company had raised $2.5 million in July 2012 in a Series A round, followed by $13 Million in a Series B funding round in March 2015.

Security awareness firms have been the subject of significant funding and M&A transactions in recent months.

Earlier this month, security awareness training firm Wombat Security agreed to be acquired by Proofpoint for $225 million in cash. In August 2017, Webroot acquired Securecast, an Oregon-based company that specializes in security awareness training. In October 2017, security awareness training and simulated phishing firm KnowBe4 secured $30 million in Series B financing, which brought the total amounbt raised by KnowBe4 to $44 million. Security awareness training firm PhishMe has raised nearly $58 million in funding, including a $42.5 million series C funding round in July 2016.


Researchers Propose Improved Private Web Browsing System
26.2.2018 securityweek Privacy

A group of researchers from MIT and Harvard have presented a new system designed to make private browsing even more private.

Dubbed Veil, the system proposes additional protections for people who share computers with other people at the office, in hotel business centers, or university computing centers. The new system, the researchers claim, can be used in conjunction with existing private-browsing systems and anonymity networks. The system works even if users don’t visit a page using a browser’s native privacy mode.

In a paper (PDF) describing Veil, Frank Wang – MIT Computer Science and Artificial Intelligence Laboratory (CSAIL), Nickolai Zeldovich – MIT CSAIL, and James Mickens – Harvard, explain that the system is meant to prevent information leaks “through the file system, the browser cache, the DNS cache, and on-disk reflections of RAM such as the swap file.”

The researchers explain that existing private-browsing sessions rely on retrieving data, loading it into memory, and attempting to erase it when the session is over. However, because of a complex memory management process, some data could end up on a hard drive, where it could remain for days, with the browser not knowing what happened to that data.

The newly proposed system keeps all the data that the browse loads into memory encrypted until it is displayed on the screen, the researchers say. Users no longer type a URL into the browser, but access the Veil website and enter the URL there. With the help of a blinding server, the Veil format of the requested page is transmitted.

While the Veil page can be displayed in any browser, there is a bit of code in the page that executes a decryption algorithm and all of the data associated with the page is unreadable until it goes through that algorithm, the researchers say.

The system would also add decoy, meaningless code to every served page, so that the underlying source file is modified without affecting the way the page looks to the user. With no two transmissions of a page by the blinding sever similar, an attacker capable of recovering snippets of decrypted code after a Veil session should not be able to determine what page the user had visited.

“The blinding servers mutate content, making object fingerprinting more difficult; rewritten pages also automatically encrypt client-side persistent storage, and actively walk the heap to reduce the likelihood that in-memory RAM artifacts will swap to disk in cleartext form. In the extreme, Veil transforms a page into a thin client which does not include any page-specific, greppable RAM artifacts,” the paper reads.

One other option would be to have the blinding server opening the requested page itself, taking a picture of it, and sending the picture to the user’s computer. Should the user click anywhere on the image, the browser records the position of the click and sends the data to the server, which processes it and returns an image of the updated page.

Veil uses an opt-in model, meaning that the use of the new private browsing system requires developers to create Veil versions of their sites. To help in this regard, the researchers built a compiler to help admins convert sites automatically and is also capable of uploading the converted version of a site to a blinding server.

“To publish a new page, developers pass their HTML, CSS, and JavaScript files to Veil’s compiler; the compiler transforms the URLs in the content so that, when the page loads on a user’s browser, URLs are derived from a secret user key. The blinding service and the Veil page exchange encrypted data that is also protected by the user’s key. The result is that Veil pages can safely store encrypted content in the browser cache; furthermore, the URLs exposed to system interfaces like the DNS cache are unintelligible to attackers who do not possess the user’s key,” the paper reads.

The blinding servers, however, require maintenance, either by a network of private volunteers or a for-profit company. However, site admins would also have the option to host Veil-enabled versions of their sites themselves.


Ukraine Arrests 'Avalanche' Cybercrime Organizer: Police
26.2.2018 securityweek CyberCrime

Ukraine has detained one of the organizers of the massive Avalanche cybercrime network, police said on Monday, over a year after the global ring was busted in an international raid.

"An organizer of the international crime platform known as 'Avalanche' which infected up to half a million computers in the world daily was detained in Kiev Sunday," Ukraine's cyber police said in a statement.

Avalanche was a criminal network providing infrastructure for malware and DDoS (distributed denial of service) spam attacks across the world before it was busted in an unprecedented global sting operation.

Speaking to AFP, a cyber police spokeswoman confirmed the arrested man was Gennadiy Kapkanov, a Ukrainian citizen who was using a passport with a different identity.

Police also searched his rented flat, seizing a laptop and memory storage devices, it said.

In November 2016, police from more than 25 countries smashed the network and arrested its top bosses following a four-year operation.

Hundreds of servers were shut down or seized and 800,000 internet domains were blocked, Europol said at the time, in one of the biggest takedowns to date.

During the operation, Kapkanov was also detained in the sting at his home in Poltava, a city in central Ukraine, but the local court did not formally arrest him and he disappeared, Ukrainian media said.

Later on Monday, the same court will have to rule again on whether to formally place Kapkanov under arrest.


VISA – The adoption of chip-and-PIN card technology lead to 70% Drop in Counterfeit Fraud
26.2.2018 securityaffairs Crime

VISA – The cases of counterfeit fraud had dropped by 70% in September 2017 compared to December 2015 thanks to the diffusion of the diffusion in the storefronts of payment systems for EMV cards.
The introduction of chip-and-PIN card technology in the United States improved in a significant way the security of merchants and has reduced payment card fraud.

The cases of counterfeit fraud had dropped by 70% in September 2017 compared to December 2015 thanks to the diffusion of the diffusion in the storefronts of payment systems for EMV cards.

“For merchants who have completed the chip upgrade, counterfeit fraud dollars
EMV chip cards and chip-activated merchants combat counterfeit fraud in the U.S.
December 2017 Visa Chip Card Update in September 2017 compared to December 2015″ states VISA.

The process started in 2011 with the introduction of EMV (Europay, MasterCard, Visa) card technology in the United States.

The process was very slow, according to Visa, by September 2015, only roughly 392,000 merchants were accepting payment card using the new technology. at the same period, the number of Visa debit and credit cards using the EMV technology was only at 159 million.

Now Visa has shared data related to the adoption of the EMV technology by December 2017. The number of storefronts that currently accept payments with chip cars has reached 2.7 million in the U.S. (+570%), representing 59% of the total.

VISA DATA

The number of Visa payment cards using EMV technology increased passed from 159 million to 481 million (202%), with 67% of Visa payment cards having chips.

It is an excellent result, according to VISA Chip transactions continue to increase in the US. EMV cards accounted for 96% of the overall payment volume in the United States in December 2017, with chip payment volume reaching $78 billion.

VISA data 3

Cybercriminals have responded to the adoption of EMV chip cards focusing their efforts on card-not-present (CNP) fraud had that is today a serious concern for merchants.