ISPs Caught Injecting Cryptocurrency Miners and Spyware In Some Countries
10.3.2018 thehackernews Cryptocurrency

Governments in Turkey and Syria have been caught hijacking local internet users' connections to secretly inject surveillance malware, while the same mass interception technology has been found secretly injecting browser-based cryptocurrency mining scripts into users' web traffic in Egypt.
Governments, or agencies linked to them, and ISPs in the three countries are using Deep Packet Inspection technology from Sandvine (which merged with Procera Networks last year) to intercept and alter Internet users' web traffic.
Deep packet inspection technology allows ISPs to prioritize, degrade, block, inject, and log various types of Internet traffic; in other words, they can analyze each packet in order to see what you are doing online.


According to a new report by Citizen Lab, Turkey's Telecom network was using Sandvine PacketLogic devices to redirect hundreds of targeted users (journalists, lawyers, and human rights defenders) to malicious versions of legitimate programs bundled with FinFisher and StrongPity spyware, when they tried to download them from official sources.

"This redirection was possible because official websites for these programs, even though they might have supported HTTPS, directed users to non-HTTPS downloads by default," the report reads.
A similar campaign has been spotted in Syria, where Internet users were silently redirected to malicious versions of various popular applications, including Avast Antivirus, CCleaner, Opera, and 7-Zip, bundled with government spyware.
In Turkey, Sandvine PacketLogic devices were being used to block websites like Wikipedia, the sites of the Dutch Broadcast Foundation (NOS) and Kurdistan Workers' Party (PKK).
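The redirection described above worked because download pages that were themselves served over HTTPS still pointed the default download button at a plain-HTTP URL, which an in-path device can rewrite. The following check, added here as an example and not taken from the Citizen Lab report, scans a page's HTML for download links that leave HTTPS; the sample page, the `example.test` hostnames and the list of "download" extensions are constructed for the example.

```python
"""Audit an HTML page for download links served over plain HTTP.

Added example (not part of the Citizen Lab report or this article). It
collects anchor tags from a page and flags hrefs that resolve to an
http:// URL ending in a download-style extension, the condition that
made the PacketLogic redirection possible. The page below is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# File extensions treated as downloads (assumption for this example).
DOWNLOAD_EXTENSIONS = (".exe", ".msi", ".zip", ".dmg", ".7z", ".tar.gz")


class LinkCollector(HTMLParser):
    """Collects (href, link text) pairs from <a> tags."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            href = dict(attrs).get("href")
            if href:
                self._current = [href, ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(tuple(self._current))
            self._current = None


def find_insecure_downloads(html, page_url):
    """Return absolute URLs of download links that resolve to plain HTTP."""
    parser = LinkCollector()
    parser.feed(html)
    insecure = []
    for href, _text in parser.links:
        absolute = urljoin(page_url, href)   # relative and scheme-less hrefs inherit https
        parsed = urlparse(absolute)
        if parsed.scheme != "http":
            continue
        if parsed.path.lower().endswith(DOWNLOAD_EXTENSIONS):
            insecure.append(absolute)
    return insecure


# Constructed sample: an HTTPS page whose default download button is HTTP.
SAMPLE_PAGE_URL = "https://example.test/download"
SAMPLE_HTML = """
<html><body>
<a href="http://dl.example.test/tool-setup.exe">Download now</a>
<a href="https://dl.example.test/tool-setup.exe.sig">Signature</a>
<a href="/docs/manual.html">Manual</a>
<a href="//mirror.example.test/tool.zip">Mirror</a>
</body></html>
"""

if __name__ == "__main__":
    for url in find_insecure_downloads(SAMPLE_HTML, SAMPLE_PAGE_URL):
        print("plain-HTTP download link:", url)
```

Only the first link is reported: the scheme-relative mirror link inherits the page's `https` scheme, and the detached signature file is not a download-style extension in this example's list.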
ISPs Injected Cryptocurrency Mining Scripts Into Users' Web Browsers

However, in Egypt, Sandvine PacketLogic devices were being used by a Telecom operator for making money by:
Secretly injecting a cryptocurrency mining script into every HTTP web page users visited in order to mine the Monero cryptocurrency,
Redirecting Egyptian users to web pages with affiliate ads.
In Egypt, these devices were also being used to block access to human rights, political, and news outlets like Al Jazeera, HuffPost Arabic, Reporters Without Borders, and Mada Masr, as well as NGOs like Human Rights Watch.


Citizen Lab researchers reported their findings to Sandvine, but the company called their report "false, misleading, and wrong," and also demanded that they return the second-hand PacketLogic device they had used to confirm attribution of their fingerprint.
Citizen Lab started this investigation in September last year after ESET researchers published a report revealing that the downloads of several popular apps were reportedly compromised at the ISP level in two (unnamed) countries to distribute the FinFisher spyware.


Over 15,000 Memcached DDoS Attacks Hit 7,100 Sites in Last 10 Days
10.3.2018 thehackernews
Attack

Memcached reflection, which recently fueled the two largest amplification DDoS attacks in history, has also helped other cybercriminals launch nearly 15,000 cyber attacks against 7,131 unique targets in the last ten days, a new report revealed.
Chinese Qihoo 360's Netlab, whose global DDoS monitoring service 'DDosMon' initially spotted the Memcached-based DDoS attacks, has published a blog post detailing some new statistics about the victims and sources of these attacks.
The list of famous online services and websites which were hit by massive DDoS attacks since 24th February includes Google, Amazon, QQ.com, 360.com, PlayStation, OVH Hosting, VirusTotal, Comodo, GitHub (1.35 Tbps attack), Royal Bank, Minecraft and RockStar games, Avast, Kaspersky, PornHub, Epoch Times newspaper, and Pinterest.


Overall, the victims are mainly based in the United States, China, Hong Kong, South Korea, Brazil, France, Germany, the United Kingdom, Canada, and the Netherlands.

According to Netlab researchers, the frequency of attacks since 24th February has increased dramatically, as listed below:
Before 24th February, the day when Memcached-based DDoS attacks were first spotted, the daily average was less than 50 attacks.
Between 24th and 28th February, when Memcached as a new amplification attack vector had not yet been publicly disclosed and was known only to a small group of people, the attacks rose to an average of 372 per day.
Soon after the first public report came on 27th February, between 1st and 8th March, the total number of attacks jumped to 13,027, with an average of 1,628 DDoS attack events per day.
Netlab's 360 0kee team initially discovered the Memcached vulnerability in June 2017 and disclosed it (presentation) in November 2017 at a conference, but its researchers had hardly seen any Memcached DDoS attacks since then.


The maximum number of active vulnerable Memcached servers at a time that participated in the DRDoS attacks was 20,612.
I don't want to exaggerate this but expect hundreds of thousands of Memcached-based DDoS attacks in coming days, as hackers and researchers have now released multiple easy-to-execute exploits that could allow anyone to launch Memcached amplification attacks.
However, researchers have also discovered a 'kill-switch' technique that could help victims mitigate Memcached DDoS attacks efficiently.
Despite multiple warnings, over 12,000 vulnerable Memcached servers with UDP support enabled are still exposed on the Internet, which could fuel more cyber attacks.
Therefore, server administrators are strongly advised to install the latest Memcached 1.5.6 version which disables UDP protocol by default to prevent amplification/reflection DDoS attacks.
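The traffic pattern this article describes is easy to state in flow terms: reflected Memcached responses are UDP datagrams from source port 11211, arriving from many distinct exposed servers, each far larger than a legitimate cache reply, and all aimed at one victim address. The detection below is an added example rather than anything from Netlab's report; the flow records, the RFC 5737 addresses and the thresholds are constructed.

```python
"""Flag Memcached reflection traffic in flow records.

Added example, not from Netlab's DDosMon report. Reflected Memcached
responses arrive over UDP from source port 11211, from several distinct
servers, in large datagrams, all toward the same victim. Thresholds and
the flow records below are constructed for the example.
"""
from collections import defaultdict

MEMCACHED_PORT = 11211
MIN_REFLECTORS = 3      # distinct servers answering toward one victim (assumption)
MIN_AVG_BYTES = 1000    # average datagram size; a normal 'stats' reply is far smaller


def memcached_reflection_victims(flows, min_reflectors=MIN_REFLECTORS,
                                 min_avg_bytes=MIN_AVG_BYTES):
    """Return {victim_ip: summary} for destinations that look like reflection targets.

    Each flow is a dict with keys proto, src_ip, src_port, dst_ip, dst_port,
    packets, bytes (the shape of a NetFlow/IPFIX record export).
    """
    per_victim = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f["proto"] != "udp" or f["src_port"] != MEMCACHED_PORT:
            continue
        entry = per_victim[f["dst_ip"]]
        entry["reflectors"].add(f["src_ip"])
        entry["packets"] += f["packets"]
        entry["bytes"] += f["bytes"]

    victims = {}
    for victim, entry in per_victim.items():
        if not entry["packets"]:
            continue
        avg = entry["bytes"] / entry["packets"]
        if len(entry["reflectors"]) >= min_reflectors and avg >= min_avg_bytes:
            victims[victim] = {
                "reflectors": len(entry["reflectors"]),
                "packets": entry["packets"],
                "avg_bytes": round(avg),
            }
    return victims


def _flow(src_ip, src_port, dst_ip, dst_port, packets, nbytes, proto="udp"):
    return {"proto": proto, "src_ip": src_ip, "src_port": src_port,
            "dst_ip": dst_ip, "dst_port": dst_port, "packets": packets, "bytes": nbytes}


# Constructed sample records (RFC 5737 documentation address ranges).
SAMPLE_FLOWS = [
    # Three exposed servers answering toward 198.51.100.10 with ~1400-byte datagrams.
    _flow("203.0.113.5", 11211, "198.51.100.10", 40001, 500, 700000),
    _flow("203.0.113.6", 11211, "198.51.100.10", 40001, 480, 672000),
    _flow("203.0.113.7", 11211, "198.51.100.10", 40001, 520, 728000),
    # A legitimate client querying its own cache: small replies, one server.
    _flow("10.0.0.20", 11211, "10.0.0.21", 53120, 40, 6000),
    # A TCP memcached session; not a reflection candidate.
    _flow("10.0.0.20", 11211, "10.0.0.22", 53400, 200, 300000, proto="tcp"),
]

if __name__ == "__main__":
    for victim, summary in memcached_reflection_victims(SAMPLE_FLOWS).items():
        print(victim, summary)
```

The same three fields (UDP, source port 11211, datagram size) are what an operator of an exposed server should look for in the other direction: if a host answers on UDP 11211 at all, it is a usable reflector, which is why the article's advice to run a Memcached build that disables UDP by default matters.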


Windows 10 'S Mode' Coming Soon — For Security and Performance
10.3.2018 thehackernews Security

Microsoft has confirmed that the company is planning to convert Windows 10 S from a dedicated operating system to a special "S Mode" that will be available in all versions of Windows.
Windows 10 S, a new operating system designed for simplicity, security, and speed, was released by Microsoft last year. It locks a computer down to run only applications downloaded from the official Windows Store, but the slimmed-down and restricted flavor of Windows did not exactly turn out to be a success.
Therefore, the company has now decided Windows 10 S be offered as an optional mode rather than a dedicated operating system.
Windows 10 S was developed to simplify administration for school or business sysadmins that want the 'low-hassle' guaranteed performance version. It has been designed to deliver predictable performance and quality through Microsoft-verified apps via the Microsoft Store.
However, in a blog post published Wednesday, the corporate VP of Microsoft's operating systems group, Joe Belfiore admitted that the naming for Windows 10 S "was a bit confusing for both customers and partners."
Microsoft, therefore, decided that the original version of Windows 10 S would disappear and become an S Mode in Windows.
"Starting with the next update to Windows 10, coming soon, customers can choose to buy a new Windows 10 Home or Windows 10 Pro PC with S mode enabled, and commercial customers will be able to deploy Windows 10 Enterprise with S mode enabled," Belfiore said.
"We expect the majority of customers to enjoy the benefits of Windows 10 in S mode," he added.
Previous rumors also suggested that Windows 10 Pro customers with S Mode enabled on their devices would have to pay $49 to disable the mode to get access to a full version of Windows 10 Pro, but these rumors were inaccurate.
No user, be it a Windows 10 Home, Enterprise, and Pro customer, has to pay anything to disable the S Mode, as Belfiore wrote that "if a customer does want to switch out of S mode, they will be able to do so at no charge, regardless of edition."
"We hope this new approach will simplify and make it possible for more customers to start using Windows in S mode: a familiar, productive Windows experience that is streamlined for security and performance across all our editions," Belfiore said.
S Mode is expected to arrive with the next major Windows 10 update, thought to be called the Spring Creators Update and likely to ship next month, and it is now up to PC makers to choose whether to enable the new S Mode or not.


New Cryptocurrency Mining Malware Infected Over 500,000 PCs in Just Few Hours
10.3.2018 thehackernews Cryptocurrency

Two days ago, Microsoft encountered a rapidly spreading cryptocurrency-mining malware that infected almost 500,000 computers within just 12 hours and successfully blocked it to a large extent.
Dubbed Dofoil, aka Smoke Loader, the malware was found dropping a cryptocurrency miner program as payload on infected Windows computers that mines Electroneum coins, yet another cryptocurrency, for attackers using victims' CPUs.
On March 6, Windows Defender suddenly detected more than 80,000 instances of several variants of Dofoil that raised the alarm at Microsoft Windows Defender research department, and within the next 12 hours, over 400,000 instances were recorded.


The research team found that all these instances, rapidly spreading across Russia, Turkey, and Ukraine, were carrying a digital coin-mining payload, which masqueraded as a legitimate Windows binary to evade detection.
However, Microsoft has not said how these instances were delivered to such a massive audience in the first place in this short period.
Dofoil uses a customized mining application that can mine different cryptocurrencies, but in this campaign, the malware was programmed to mine Electroneum coins only.

According to the researchers, the Dofoil trojan uses an old code injection technique called 'process hollowing', which involves spawning a new instance of a legitimate process and replacing its code in memory with malicious code, so that the malicious code runs instead of the original while process monitoring tools and antivirus are tricked into believing that the original process is running.
"The hollowed explorer.exe process then spins up a second malicious instance, which drops and runs a coin mining malware masquerading as a legitimate Windows binary, wuauclt.exe."
To persist on an infected system long enough to mine Electroneum coins using stolen computer resources, the Dofoil trojan modifies the Windows registry.
"The hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder and renames it to ditereah.exe," the researchers say. "It then creates a registry key or modifies an existing one to point to the newly created malware copy. In the sample we analyzed, the malware modified the OneDrive Run key."
Dofoil also connects to a remote command and control (C&C) server hosted on decentralized Namecoin network infrastructure and listens for new commands, including the installation of additional malware.
Microsoft says behavior monitoring and AI-based machine learning techniques used by Windows Defender Antivirus played an important role in detecting and blocking this massive malware campaign.
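Two of the artifacts quoted from Microsoft's analysis are cheap to triage from a host export: a coin miner named `wuauclt.exe` that is not running from the Windows system directory, and a Run key (the OneDrive value in the analyzed sample) that points at a copy dropped in the Roaming AppData folder. The script below is an added example, not Microsoft's detection logic; the process list, Run-key values and user paths are constructed, and only the names `wuauclt.exe` and `ditereah.exe` come from the article.

```python
"""Triage checks for the persistence and masquerade tricks described above.

Added example, not Microsoft's detection logic. It inspects a process
list and Run-key values (both constructed here in the shape a responder
would export them) and flags (1) wuauclt.exe running from anywhere other
than the Windows system directory and (2) Run-key entries whose target
lives under the Roaming AppData folder. Paths and user names are illustrative.
"""
import ntpath

SYSTEM_DIR = r"c:\windows\system32"


def _norm(path):
    """Normalize a Windows path for comparison, independent of the host OS."""
    return ntpath.normpath(path.strip('"')).lower()


def suspicious_processes(processes):
    """processes: list of (image name, full image path). Returns flagged tuples."""
    flagged = []
    for name, path in processes:
        if name.lower() == "wuauclt.exe" and ntpath.dirname(_norm(path)) != SYSTEM_DIR:
            flagged.append((name, path, "system binary name outside System32"))
    return flagged


def suspicious_run_entries(run_values):
    """run_values: list of (value name, command line). Flags AppData\\Roaming targets."""
    flagged = []
    for value_name, command in run_values:
        # Take the executable path, which may be quoted and followed by arguments.
        exe = command.split('"')[1] if command.startswith('"') else command.split(" ")[0]
        parts = _norm(exe).split("\\")
        if "appdata" in parts and "roaming" in parts:
            flagged.append((value_name, exe, "autorun target in Roaming AppData"))
    return flagged


# Constructed sample data.
SAMPLE_PROCESSES = [
    ("explorer.exe", r"C:\Windows\explorer.exe"),
    ("wuauclt.exe", r"C:\Windows\System32\wuauclt.exe"),
    ("wuauclt.exe", r"C:\Users\alice\AppData\Local\Temp\wuauclt.exe"),
]
SAMPLE_RUN_VALUES = [
    ("OneDrive", r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    ("OneDrive", r'"C:\Users\alice\AppData\Roaming\ditereah.exe"'),
    ("SecurityHealth", r"C:\Windows\System32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    for hit in suspicious_processes(SAMPLE_PROCESSES) + suspicious_run_entries(SAMPLE_RUN_VALUES):
        print(hit)
```

Note that the legitimate OneDrive autorun lives under `AppData\Local`, not `Roaming`, which is why a simple "under AppData" rule would be too noisy; the Roaming check keys on the specific location the researchers reported.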


The First DDoS Attack from IPv6. More Are on the Horizon

10.3.2018 SecurityWorld Computer attack
For the first time, a distributed DoS attack originating from the IPv6 protocol has hit servers. It came from more than 1,600 IPv6 addresses spread across 650 different networks.

The DNS dictionary attack hit the servers of Neustar, a company that, among other things, works in analytics and also operates the registry for some Internet domains in the United States, reports SC Magazine, which broke the news of the attack.

The distributed attack showed that hackers are using new methods to carry out IPv6 attacks, and that these are not mere replications of IPv4 attacks using IPv6 protocols, Neustar believes.

“We have been expecting something like this for a while, and now it is here. We have also seen an increase in IPv4 attacks this year – almost double compared to the same period in 2017 – but IPv6 attacks bring new problems that are not easy to solve. One example among many is the enormous number of addresses available to an attacker, which can overwhelm the memory of modern security devices,” Neustar's head of research and development Barrett Lyon told SC Magazine.

The total number of IPv6 addresses is unimaginably high: there are 7.9×10^28 times as many as in IPv4. The aging IPv4 protocol provides roughly 4.3 billion 32-bit addresses. The huge number of IPv6 addresses makes a substantially larger attack possible, and because many new networks may support IPv6 while security tools do not yet, it represents a tempting, high-potential target for attackers.
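The memory-exhaustion problem Lyon describes comes from keying defensive state on individual IPv6 addresses: a single end site normally holds a /64, so one attacker can rotate through 2^64 distinct sources without ever reusing one. Keying on the allocation prefix instead keeps the table bounded. The script below is an added example, not Neustar's tooling; the /64 aggregation size and the sample address set are assumptions made for the illustration.

```python
"""Count attack sources by /64 prefix instead of by individual IPv6 address.

Added example, not from Neustar or the article. An attacker holding one
/64 can rotate through 2**64 source addresses, so a table keyed on full
addresses grows without bound, while a table keyed on the allocation
prefix stays small. The prefix length and sample addresses are assumed.
"""
import ipaddress
from collections import Counter

AGGREGATE_PREFIX = 64  # typical end-site/LAN allocation size (assumption for the example)


def aggregate_sources(addresses, prefix_len=AGGREGATE_PREFIX):
    """Return (per-address counter, per-prefix counter) for a list of source addresses."""
    per_address = Counter()
    per_prefix = Counter()
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        per_address[ip] += 1
        if ip.version == 6:
            net = ipaddress.ip_network((ip, prefix_len), strict=False)
        else:
            net = ipaddress.ip_network((ip, 32), strict=False)  # IPv4: no aggregation
        per_prefix[net] += 1
    return per_address, per_prefix


def top_prefixes(addresses, limit=3, prefix_len=AGGREGATE_PREFIX):
    """Prefixes carrying the most sources: the unit a rate limiter should key on."""
    _, per_prefix = aggregate_sources(addresses, prefix_len)
    return [(str(net), n) for net, n in per_prefix.most_common(limit)]


def constructed_attack_sample(n_per_prefix=200):
    """Constructed sample: two attacker /64s, each cycling through n addresses,
    plus a handful of ordinary clients from distinct prefixes (RFC 3849/5737 ranges)."""
    sources = []
    for base in ("2001:db8:a::", "2001:db8:b::"):
        for i in range(1, n_per_prefix + 1):
            sources.append(f"{base}{i:x}")
    sources += ["2001:db8:100::1", "2001:db8:200::1", "192.0.2.7"]
    return sources


if __name__ == "__main__":
    sample = constructed_attack_sample()
    per_addr, per_prefix = aggregate_sources(sample)
    print("distinct addresses:", len(per_addr), "distinct prefixes:", len(per_prefix))
    print(top_prefixes(sample))
```

With the sample, 403 distinct addresses collapse to 5 prefixes, and the two attacker /64s stand out at the top, which is the view a rate limiter or blocklist needs; the same per-address table on a real attack would keep growing for as long as the attacker cared to rotate.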

Wesley George, Neustar's principal network security engineer, told SC Magazine: “It is a big challenge, but things have moved on in recent years. Good security guidance already exists, and it is clear that the IPv6 protocol must be treated as very important. In many cases the problem is visibility: we have companies with excellent telemetry for IPv4, and the same must move over to IPv6.”

Neustar's UltraDNS service is responsible for 10% of all Internet traffic; its customers include Tesco, Forbes and NetRefer. Of the Alexa Top 1000 websites, 26.9% are currently reachable over IPv6.


Cybercrime Exploited the Popularity of Bitcoin and Football

10.3.2018 SecurityWorld Crime
In 2017, cybercriminals followed current world events and happenings, which they then tried to exploit to deceive users. According to Kaspersky Lab's report “Spam and Phishing in 2017”, such events included the approaching football World Cup and the rising popularity of Bitcoin. With fake messages about these events they tried to lure money or personal data out of users.

Spammers showed a high degree of adaptability and cunning. Throughout the year they followed society-wide topics and significant events, using them to attract the attention of users from whom they would then fraudulently obtain money or valuable information.

Kaspersky Lab has long observed trends in spam and phishing and can unfortunately confirm that these cybercriminal methods are very effective. This is mainly due to users' declining vigilance and unconditional trust. They often follow the fraudsters' instructions that arrive in their e-mail inboxes, and the criminals then rob them of money or personal data without their knowledge.

Last year the attention of a large part of sports fans was focused on the ongoing qualification for the upcoming football World Cup, which takes place this year in Russia. Spammers took advantage of this to send fraudulent e-mails. They sent users fake messages in the name of the event's organizers or sponsors, which even included the official tournament logo. The e-mails mostly announced lottery wins or even promised free tickets to the tournament.

Another very popular topic appearing in phishing messages in 2017 was cryptocurrencies. The main reason was the steeply rising price of Bitcoin. Especially in the third quarter of 2017, Kaspersky Lab experts recorded an increased occurrence of fraudulent e-mails with a blockchain theme.

As Kaspersky Lab experts found, cybercriminals used relatively new techniques, for example disguising fraudulent sites as a cryptocurrency exchange. In another case they offered cloud servers and services for cryptocurrency mining. In fraudulent e-mails they tempted users with the prospect of earning big money through their services. The opposite happened: the users became victims. In other, already proven fraudulent practices such as fake lotteries, cybercriminals also used Bitcoin as bait. In spam targeted with the help of a broad address database, fraudsters offered cryptocurrencies for sale that promised big profits.

In e-mail spam the criminals also spread various types of malware posing as tools for obtaining Bitcoin or as guides on how to trade cryptocurrencies. The good news, however, is that the well-known cryptolockers appeared in spam less often than in 2016. These locked the content on the user's computer and demanded a ransom in Bitcoin to unlock it again.

On one hand, the volume of spam in 2017 fell by 1.68 percentage points compared to the previous year, to 56.63%. On the other hand, the number of phishing attacks increased: Kaspersky Lab's Anti-Phishing system recorded 246,231,645 attacks on the computers of users of these solutions, 59% more than in 2016.

“This year we expect further growth and evolution of spam and phishing aimed at cryptocurrencies. Unlike in 2017, cybercriminals will also focus on cryptocurrencies other than Bitcoin and will use techniques known as ‘pump and dump’,” says Darya Gudkova, spam analyst at Kaspersky Lab.

Other interesting findings of the “Spam and Phishing in 2017” report include:

The most common sources of spam were the USA (13.21%), China (11.25%) and Vietnam (9.85%). The remaining countries in the top 10 are India, Germany, Russia, Brazil, France and Italy.
Conversely, the most spam-hit targets were in Germany (16.25%), where the number of victims rose by 2.12 percentage points year on year. Other countries in the top 10 are China, Russia, Japan, the United Kingdom, Italy, Brazil, Vietnam, France and the United Arab Emirates.
Brazil recorded the largest share of phishing victims (29.02%). Worldwide, 15.9% of Kaspersky Lab product users were attacked by phishing.


North Korean Hidden Cobra APT targets Turkish financial industry with new Bankshot malware
10.3.2018 securityaffairs APT

McAfee Advanced Threat Research team discovered that the Hidden Cobra APT group is targeting financial organizations in Turkey.
North Korea-linked APT group Hidden Cobra (aka Lazarus Group) is targeting the Turkish financial system.

Experts from McAfee observed the hackers using the Bankshot implant in targeted attacks against the financial organizations in Turkey. The attack resembles previous attacks conducted by Hidden Cobra against the global payment network SWIFT.

Bankshot was first reported by the US DHS in December, and new variants of the malicious code have now been observed in the wild. The sample analyzed by McAfee is 99% similar to the variants detected in 2017.

The hackers used spear-phishing messages with a weaponized Word document containing an embedded Flash exploit that triggers the CVE-2018-4878, Flash vulnerability that was disclosed in late January.

Adobe promptly fixed the vulnerability with an emergency patch, but many computers are still vulnerable because their owners have not applied it.

According to McAfee, the implant’s first target was a major government-controlled financial organization that was targeted on March 2 and 3.

Later, the same malware implant infected a Turkish government organization involved in finance and trade and a large financial institution.

The implant has so far not surfaced in any other sector or country. This campaign suggests the attackers may plan a future heist against these targets by using Bankshot to gather information.

According to McAfee’s report on the campaign, the targets were one government-controlled financial organization, a government organization involved in finance and trade, and three large financial organizations.

The attackers leveraged the Flash exploit to deliver the Bankshot RAT.

“Bankshot implants are distributed from a domain with a name similar to that of the cryptocurrency-lending platform Falcon Coin, but the similarly named domain is not associated with the legitimate entity.” reads the analysis published by McAfee.

“The malicious domain falcancoin.io was created December 27, 2017, and was updated on February 19, only a few days before the implants began to appear. These implants are variations of earlier forms of Bankshot, a remote access tool that gives an attacker full capability on a victim’s system. “
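The delivery domain quoted above differs from the name of the legitimate platform by a single character, which is the kind of near miss a watchlist-based check can catch before a proxy log is reviewed by hand. The script below is an added example, not McAfee's method: it scores each observed domain's second-level label by edit distance against a short list of watched brand labels. Only `falcancoin.io` comes from the report; the watched label `falconcoin` and the other sample domains are assumptions.

```python
"""Flag domains that are a small edit away from a watched brand name.

Added example, not McAfee's method. A defender keeps a short list of
brand labels (here, the cryptocurrency-lending platform named in the
report, assumed to use the label 'falconcoin') and scores each observed
domain's registrable label by Levenshtein distance. The domain list is
constructed except for falcancoin.io, which the report names.
"""
WATCHED_LABELS = {"falconcoin"}   # labels a defender cares about (assumption)
MAX_DISTANCE = 1                  # one substitution/insertion/deletion (assumption)


def edit_distance(a, b):
    """Levenshtein distance between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def registrable_label(domain):
    """Second-level label of a domain (ignores multi-part public suffixes; assumption)."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalikes(domains, watched=WATCHED_LABELS, max_distance=MAX_DISTANCE):
    """Return [(domain, watched label, distance)] for near-miss domains."""
    hits = []
    for domain in domains:
        label = registrable_label(domain)
        for brand in sorted(watched):
            if label == brand:
                continue   # an exact match is the brand itself, not a lookalike
            d = edit_distance(label, brand)
            if d <= max_distance:
                hits.append((domain, brand, d))
    return hits


# Constructed sample: the reported domain plus made-up neighbours.
SAMPLE_DOMAINS = ["falcancoin.io", "falconcoin.example", "fa1conc0in.example", "news.example"]

if __name__ == "__main__":
    print(lookalikes(SAMPLE_DOMAINS))
```

The two-character variant in the sample is deliberately left below the threshold: raising `MAX_DISTANCE` widens the net but also raises false positives on short labels, so in practice the threshold is usually scaled with label length.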

The spear-phishing messages used a Word document with the filename Agreement.docx, which appears to be a template for Bitcoin distribution.

Hidden Cobra bait document

When the victim opens it, the code it contains downloads malicious DLLs from the falcancoin.io domain.

Experts discovered that the DLLs communicate with three control servers whose URLs are hardcoded in the implants’ code.

“The implants (DLLs) are disguised as ZIP files and communicate with three control servers, two of them Chinese-language online gambling sites. These URLs can be found hardcoded in the implants’ code” continues McAfee.

The malicious code is able to perform several malicious operations, including file deletion, process injection, and exfiltration over command and control channel.

Further details, including the Indicators of Compromise (IoCs), are provided in the analysis.


Russian hackers stole 860,000 euros from 32 ATMs belonging to the Raiffeisen Romania in just one night
10.3.2018 securityaffairs
Virus

In just one night a Russian crime gang stole 3.8 million lei (860,000 euros) from 32 ATMs belonging to the Raiffeisen Romania bank.
Cybercriminals stole 3.8 million lei (860,000 euros) from 32 ATMs belonging to the Raiffeisen Romania bank using an infected RTF document. The criminal organization, led by Dmitriy Kvasov, operated in Romania; the gang stole the money in just one night in 2016.

“One night Raiffeisen Bank lost control of all ATMs in Romania • Although it seems impossible, the control of ATMs across the country was taken over by a group of Russian hackers • It is one of the biggest thefts of cash money in the history of Romania, and the authorities did not blow a word” reported the website bzi.ro.

The Organized Crime and Counterterrorism Office (DIICOT), which investigated the case, managed to arrest the leader of the criminal organization.

The Russian hackers launched a spear-phishing attack against Raiffeisen Romania between August 9, 2016, and September 4, 2016, sending email messages carrying a weaponized RTF document. The bait document, which appeared to have been sent on behalf of the European Central Bank, contained code to trigger a vulnerability in the target systems. In this way the attackers took control of the bank's whole network, and from there they were able to control the ATMs.

“The extremely well-coordinated criminal organization, wearing sunglasses and hooded anoraks waiting for the command, waited for bags and bags in their hands before the Raiffeisen Iasi, Bucharest, Suceava, Timeshare, Constanta, Plitvice, Saxon and Crevedia automats.” states Maszol.ru. “At the hands of their leaders, at least a few buttons, 32 cars released them all the money. If more men had been involved with the criminal organization, they could have virtually eliminated all the automatons of the bank.”

Raiffeisen cyber heist

According to the report, the attackers were able to instruct the 32 ATMs to dispense cash. The investigators highlighted that the attackers only targeted systems in Romania, but once they had compromised the bank's network they were also able to control any ATM worldwide belonging to the financial institution.

The bank confirmed that the hackers did not access customers’ accounts after the security breach.


Sophisticated Cyberspies Target Middle East, Africa via Routers

9.3.2018 securityweek CyberSpy

CANCUN - KASPERSKY SECURITY ANALYST SUMMIT - A cyber espionage group whose members apparently speak English has been targeting entities in the Middle East and Africa by hacking into their routers.

Researchers at Kaspersky Lab have analyzed this threat actor’s operations and determined that it has likely been active since at least 2012, its most recent attacks being observed in February.

Roughly 100 Slingshot victims have been identified, a majority located in Kenya and Yemen, but targets have also been spotted in Afghanistan, Libya, Congo, Jordan, Turkey, Iraq, Sudan, Somalia and Tanzania. While the campaign seems to focus on individuals, the security firm has also observed attacks aimed at government organizations and, strangely, some internet cafés.

The main piece of malware used by this group — dubbed Slingshot based on internal strings found by researchers — is interesting due to the fact that it infects computers through compromised routers, specifically ones made by Latvia-based Mikrotik.

It’s unclear how the targeted routers get compromised, but Kaspersky pointed out that the WikiLeaks Vault7 files, which are believed to be tools developed and used by the CIA, do include a Mikrotik exploit. The vendor claims to have patched the vulnerability leveraged by the Vault7 exploit and it’s unclear if that is the initial vector used by the attackers.

Once they gain access to a router, hackers can abuse a legitimate piece of software called WinBox, a management tool provided by Mikrotik that downloads some DLL files from the router and loads them directly into the computer’s memory.

By abusing this functionality, the Slingshot hackers can deliver the malware to the targeted router’s administrator.

The malware is basically a first-stage loader that replaces legitimate DLL files in Windows with malicious versions that have the exact same size. The malicious DLLs are loaded by the services.exe process, which has SYSTEM privileges.
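The detail that the malicious DLLs have exactly the same size as the originals is what defeats any integrity check that records only file sizes. The script below, an added example rather than Kaspersky's tooling, builds a baseline of size and SHA-256 for a directory and compares a later snapshot, so a same-size swap is reported while a size-only comparison passes; the file contents are constructed in a temporary directory.

```python
"""Why a size-only integrity check misses same-size DLL replacement.

Added example, not Kaspersky's tooling. It builds a baseline of
(size, SHA-256) for a set of files, then compares a later snapshot. A
file replaced by content padded to the original length passes the size
check and fails the hash check. The contents are constructed in a
temporary directory; nothing here touches real system files.
"""
import hashlib
import os
import tempfile


def snapshot(directory):
    """Map file name -> (size, sha256 hex) for regular files in directory."""
    result = {}
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, "rb") as fh:
                data = fh.read()
            result[name] = (len(data), hashlib.sha256(data).hexdigest())
    return result


def compare(baseline, current):
    """Return {name: verdict}: 'ok', 'missing', 'size-changed' or 'replaced-same-size'."""
    verdicts = {}
    for name, (size, digest) in baseline.items():
        cur = current.get(name)
        if cur is None:
            verdicts[name] = "missing"
        elif cur == (size, digest):
            verdicts[name] = "ok"
        elif cur[0] == size:
            verdicts[name] = "replaced-same-size"   # size check alone would miss this
        else:
            verdicts[name] = "size-changed"
    return verdicts


def demo():
    """Constructed scenario: one of two files is silently replaced by same-size content.

    Returns (verdicts from the hash-aware comparison, whether a size-only check passed).
    """
    with tempfile.TemporaryDirectory() as d:
        original = b"MZ" + b"\x00" * 30 + b"legit-export-table" + b"\x90" * 14   # 64 bytes
        with open(os.path.join(d, "a.dll"), "wb") as fh:
            fh.write(original)
        with open(os.path.join(d, "b.dll"), "wb") as fh:
            fh.write(b"MZ" + b"\x01" * 62)                                      # 64 bytes
        baseline = snapshot(d)

        # Replacement content padded to exactly the original length (constructed).
        replacement = b"MZ" + b"replacement-stub"
        replacement += b"\x00" * (len(original) - len(replacement))
        with open(os.path.join(d, "a.dll"), "wb") as fh:
            fh.write(replacement)

        current = snapshot(d)
        verdicts = compare(baseline, current)
        size_only_passes = all(current[n][0] == baseline[n][0] for n in baseline)
        return verdicts, size_only_passes


if __name__ == "__main__":
    print(demo())
```

The same comparison applied to a real system directory needs the baseline captured from known-good media, since a baseline taken after the swap would simply enshrine the replaced file.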

The main modules downloaded by Slingshot are called Cahnadr and GollumApp. Cahnadr, also known as Ndriver, is a kernel-mode payload and it provides all the capabilities required by user-mode modules, including anti-debugging, rootkit functionality, injecting modules into the services.exe process, network communications, and sniffing capabilities for various protocols.

GollumApp is the main user-mode module and it’s designed to manage other user-mode modules while constantly interacting with Cahnadr. It includes a wide range of spying-focused functionality that allows attackers to capture screenshots, log keystrokes, collect system and network data, harvest passwords, manipulate clipboard data, run new processes with SYSTEM privileges, and inject other malicious modules into a specified process.

Since it can run in kernel mode, a feature typically present in sophisticated threats, the malware allows attackers to take full control of the infected machine.

Slingshot attempts to evade detection by using various methods, including calling system services directly in an effort to bypass security product hooks, encrypting strings in its modules, and selectively injecting processes depending on what security product is present.

Slingshot also employs some clever techniques when it comes to command and control (C&C) communications – the malware hides its traffic in legitimate communication protocols, keeping an eye out for packets that contain a special mark.

As for who is behind Slingshot, Kaspersky says it bears the hallmarks of a state-sponsored cyber espionage campaign. Its level of sophistication rivals that of actors such as ProjectSauron and Regin.

Researchers said most of the debug messages are written in perfect English and several strings in the code reference Lord of the Rings characters.

“Slingshot is a sophisticated threat, employing a wide range of tools and techniques, including kernel mode modules that have to date only been seen in the most advanced predators,” said Alexey Shulmin, lead malware analyst at Kaspersky Lab. “The functionality is very precious and profitable for the attackers, which could explain why it has been around for at least six years.”


Researchers Demonstrate Ransomware Attack on Robots
9.3.2018 securityweek
Ransomware

CANCUN - KASPERSKY SECURITY ANALYST SUMMIT - IOActive security researchers today revealed a ransomware attack on robots, demonstrating not only that such assaults are possible, but also their potential financial impact.

Ransomware incidents are usually associated with personal computers, servers, mobiles, healthcare systems, and even industrial systems, but IOActive researchers Cesar Cerrudo and Lucas Apa set out to prove that robots too are prone to such attacks.

According to them, over 50 vulnerabilities discovered last year in robots from several vendors could allow for a broad range of assaults, such as abusing a robot’s cameras and microphones for spying purposes, leaking data, or even causing physical harm.

With robots becoming increasingly popular, cyberattacks targeting them might soon become a common thing, with great financial losses and brand damage to businesses. Not only are robots expensive to purchase, but repairs aren’t usually easy to perform, and a hacking operation could result in a unit being taken offline for weeks, the researchers argue.

Cerrudo and Apa performed their attacks on commercially-available Pepper and NAO robots from SoftBank Robotics, which has already sold over 30,000 units worldwide.

A ransomware attack on a robot is different from that on a computer, mainly because the robot doesn’t usually store data, but only handles it. Regardless, such an attack could result in a business losing access to data, production being shut down, or weeks of interrupted operations until the robot is fixed.

The security researchers created their own ransomware to target the NAO robot model, which runs the same operating system as the Pepper model. The experts showed that by injecting custom code into any of the classes included in behavior files, they could cause the robot to behave maliciously.

An infected robot could be repurposed to display adult content to customers, to insult customers when interacting with them, or even perform violent movements. While unable to target valuable data, an attacker could target the robot’s components, thus interrupting its service until a ransom is paid.

“The infected robot could also be an entryway into other internal networks at a business, offering backdoor access to hackers and an entry point for lateral penetration to steal sensitive data,” IOActive says.

The injected malicious code could also disable administration features and monitor the robot’s audio and video, directing data from these components to the attacker’s command and control (C&C) server. Changing SSH settings and passwords to prevent remote access to the robot and disabling the factory reset mechanism would also be possible.

“It’s no secret that ransomware attacks have become a preferred method for cybercriminals to get monetary profit by encrypting victim information and requiring a ransom to get the information back,” Apa said. “What we found was pretty astonishing: ransomware attacks could be used against business owners to interrupt their businesses and coerce them into paying ransom to recover their valuable assets.”

During their investigation, the security researchers also discovered that a malfunction in the robot is not as easy to fix, given that technicians aren’t always readily available. Their robot had to be sent back to the vendor for repairs, a process that took three weeks.

“The robots could also malfunction which may take weeks to return them to operational status. Unfortunately, every second a robot is non-operational, businesses and factories are losing lots of money,” Apa said.

The security researcher also argues that, while their ransomware targets SoftBank’s NAO and Pepper robots, any vulnerable robot is susceptible to this type of attack. Thus, vendors should focus on improving not only the security of their robots, but also the restore and update mechanisms in order to minimize the ransomware threat.

In their attack, the researchers exploited a vulnerability that was disclosed to SoftBank in January 2017, but which appears to have not been addressed as of now. An undocumented function allows for the remote execution of commands by “instantiating a NAOqi object using the ALLauncher module and calling the internal _launch function.”

IOActive is presenting a proof-of-concept on Friday at the 2018 Kaspersky Security Analyst Summit (SAS) in Cancun, Mexico. The company has also published a video demonstrating the attack.


Sofacy Attacks Overlap With Other State-Sponsored Operations
9.3.2018 securityweek BigBrothers APT
Attack

Kurt Baumgartner details latest Sofacy attacks at Kaspersky SAS

CANCUN - KASPERSKY SECURITY ANALYST SUMMIT - Attacks carried out by a Russian threat group appear to overlap with campaigns conducted by other cyberspies, including ones linked by researchers to China and the United States.

Kaspersky Lab revealed last month that the Russian threat actor known as Sofacy, APT28, Fancy Bear, Pawn Storm, Sednit and Strontium had shifted its focus from NATO member countries and Ukraine to Central Asia and further east, including China.

On Friday, at Kaspersky’s Security Analyst Summit (SAS), researcher Kurt Baumgartner revealed that the group appears to be particularly interested in military, defense and diplomatic entities in the far east.

Baumgartner also revealed that the attacks launched by Sofacy sometimes overlap with the operations of other state-sponsored cyberspies in terms of victims.

For instance, researchers discovered Sofacy’s Zebrocy malware on machines that had also been compromised by Mosquito, a backdoor associated with Turla, a different threat actor linked to Russia. Shared victims include diplomatic and commercial organizations in Europe and Asia.

Sofacy’s SPLM malware (aka CHOPSTICK and X-Agent) was found on devices that had also been infected with other Turla malware, which often precedes SPLM.

SPLM has also been spotted on the same systems as malware known to have been used by a China-linked actor known as Danti.

According to Kaspersky, the overlaps were generally found on systems belonging to government, technology, science and military organizations located in, or operating in, Central Asia.

Another interesting overlap was between Sofacy and the English-speaking Lamberts group, which is also known as Longhorn. Security firms revealed last year that this cyber espionage group had been using some of the Vault 7 tools leaked by WikiLeaks. These tools are believed to have been developed and used by the U.S. Central Intelligence Agency (CIA).

Kaspersky said it had identified Sofacy backdoors and malware associated with the Lamberts, specifically Grey Lambert, on a server belonging to a military and aerospace conglomerate in China.

Researchers admit, however, that the presence of both Lamberts and Sofacy malware on the server could simply mean that the former planted a false flag, considering that the original delivery vector for the Sofacy tool remains unknown. It’s also possible that the Russian group exploited a previously unknown vulnerability, or that it somehow harnessed the Grey Lambert malware to download its own tools. The most likely scenario, according to experts, is that the Sofacy malware was delivered using an unknown PowerShell script or a legitimate app in which the attackers discovered a flaw.

“Sofacy is sometimes portrayed as wild and reckless, but as seen under our visibility, the group can be pragmatic, measured and agile. Their activity in the East has been largely under-reported, but they are clearly not the only threat actor interested in this region, or even in the same targets,” Baumgartner said. “As the threat landscape grows ever more crowded and complex, we may encounter more examples of target overlap and it could explain why many threat actors check victim systems for the presence of other intruders before fully launching their attacks.”

Kaspersky recently spotted the SPLM malware being used in an attack aimed at a major air defense organization in China, while the Zebrocy tool has been used in high-volume campaigns targeting entities in Armenia, Turkey, Tajikistan, Kazakhstan, Afghanistan, Mongolia, Japan and China.


New North Korea-linked Cyberattacks Target Financial Institutions
9.3.2018 securityweek APT

New North Korean Hidden Cobra / Lazarus Campaign Targets Financial Institutions in Turkey

Hidden Cobra, also known as the Lazarus Group from North Korea, is now targeting the Turkish financial system with a new and 'aggressive' operation that resembles earlier attacks against the global SWIFT financial network.

An analysis published by Ryan Sherstobitoff, McAfee's senior analyst of major campaigns, says McAfee believes this operation is intended to gain access to specific Turkish financial organizations via targeted spear-phishing, using a weaponized Word document containing an embedded Flash exploit. The Flash vulnerability only surfaced at the end of January 2018, but is thought to have been exploited by North Korean actors since mid-November 2017. Adobe patched it within a week, but any computer that has not yet updated Flash to the latest version remains vulnerable.

McAfee's report on the campaign says that one government-controlled financial organization, a government organization involved in finance and trade, and three large financial organizations are victims of the attack -- which occurred on March 2 and 3. In this attack, the Flash exploit drops the Bankshot implant, a RAT that gives the attacker full capability on a victim's system.

US-CERT issued a malware analysis report (MAR) on Bankshot (PDF) in December 2017. It describes it as malware used by the North Korean government, whose cyber activity is conducted by actors it calls Hidden Cobra. McAfee says the variant it has analyzed "is 99% similar to the documented Bankshot variants from 2017."

In the spear-phishing campaign, the Bankshot implant was associated with a Word document with the filename Agreement.docx. It masquerades as an agreement template for Bitcoin distribution. Once activated, malicious DLLs are downloaded from falcancoin.io -- a lookalike domain name to the legitimate cryptocurrency-lending platform Falcon Coin.
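The falcancoin.io domain is a one-character near-miss of the brand it imitates, which is the kind of thing a proxy or DNS log review can catch before the DLLs ever land. The following is an added example, not part of McAfee's report or tooling: it scores the registrable label of each hostname against a watchlist of brand names using an edit distance that also counts adjacent-character swaps. The watchlist, the sample hostnames and the function names are constructed for illustration.

```python
"""Added example, not part of McAfee's report: flag hostnames whose registrable label is a
near-miss of a brand on a watchlist, the way falcancoin.io imitates Falcon Coin.  The
watchlist and the sample hostnames are constructed; in practice the brand list would come
from the organisation's own partners and payment providers."""

# Brands to protect, as bare second-level labels (constructed watchlist).
WATCHLIST = ["falconcoin", "raiffeisen", "swift"]


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal-string-alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def registrable_label(hostname: str) -> str:
    """Second-level label (naive: ignores multi-part public suffixes such as co.uk)."""
    parts = hostname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def lookalike_matches(hostname: str, watchlist=WATCHLIST, max_distance: int = 2):
    """(brand, distance) pairs for brands that the label, or a hyphenated part of it, is
    within max_distance of.  An exact match is the brand's own domain and is not reported."""
    label = registrable_label(hostname)
    tokens = [label] + (label.split("-") if "-" in label else [])
    hits = []
    for brand in watchlist:
        distances = [damerau_levenshtein(t, brand) for t in tokens]
        if 0 in distances:
            continue  # contains the brand verbatim: a different (brand-containing) case
        best = min(distances)
        if best <= max_distance:
            hits.append((brand, best))
    return sorted(hits, key=lambda h: h[1])


# Hostnames as they might appear in proxy or DNS logs (constructed sample).
SAMPLE_HOSTS = ["falcancoin.io", "www.falconcoin.com", "raiffeisne-online.ro", "example.org"]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host:24} {lookalike_matches(host)}")
```

The distance threshold of 2 is deliberately low: a short brand such as "swift" will otherwise match many ordinary words, so for short labels a lower threshold or a manual review queue is the better trade-off.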

The DLLs communicate with three control servers (the URLs are hardcoded in the implants' code), two of them Chinese-language online gambling sites. Based on the response received from the control server, the malware can carry out a wide range of malicious tasks centered on gathering system data and controlling system processes. It also contains two methods of file deletion capable of erasing evidence of presence and other destructive actions. After every action, the malware sends a response to the control server indicating whether the action was successful.

Hidden Cobra has been linked to several attacks against financial institutions. "This implant has been connected to a major Korean bank attack and is also known as Trojan Manuscript," writes Sherstobitoff. "That variant contained the capability to search for hosts related to the SWIFT network and the same control server strings as the variant we found targeting the Turkish financial sector."

North Korean actors are credited with the 2015/2016 attacks on the SWIFT network. No evidence was found to suggest that this version is designed to conduct financial transactions; "rather," writes Sherstobitoff, "it is a channel into the victim's environment, in which further stages of implants can be deployed for financial reconnaissance."

McAfee is confident that it has uncovered a new Hidden Cobra (ie, North Korean government) reconnaissance campaign against Turkish financial institutions. In February, the Winter Olympic Games held in South Korea were hit by cyber-attacks dubbed Olympic Destroyer. Many commentators assumed the attacks came from North Korea -- an assumption supported by indicators within the malware.

By mid-February, Recorded Future warned against hasty attribution for Olympic Destroyer, despite the presence of code fragments previously used by North Korean actors. "The co-occurrence of code overlap in the malware," wrote Recorded Future, "may be indicative of a false flag operation, attempting to dilute evidence and confuse researchers."

More recently, Kaspersky Lab concluded that despite the presence of a unique fingerprint tying Olympic Destroyer to Lazarus (Hidden Cobra), there is other evidence suggesting the involvement of the Russian group known as Sofacy or APT28. One possible scenario is that the Russian hackers attempted to frame Lazarus for the attack after the North Korean group tried to pin one of its own campaigns on Russian actors.

Given the relative ease and increasing frequency of so-called 'false flag' cyber-attacks, SecurityWeek asked McAfee how certain it is that Hidden Cobra is the group behind the Turkish attacks. "McAfee takes attribution very seriously," replied Ryan Sherstobitoff. "As such, McAfee Advanced Threat Research analysis and conclusions are based on multiple indicators. While the private sector can rarely claim 100% confidence in attack attribution without access to the same resources possessed by government and law enforcement agencies, we can say that the code and target similarities between the malicious files uncovered in this campaign and earlier attacks publicly attributed to Hidden Cobra by the United States Government, are very strong indicators of the acting group."

"We have found," concludes McAfee, "what may be an early data-gathering stage for future possible heists from financial organizations in Turkey (and possibly other countries)." It warns that the attack has a high chance of success against victims with an unpatched version of Flash. "Documents with the Flash exploit managed to evade static defenses and remain undetected as an exploit on VirusTotal."


Mobile Malware Attacks Surged in 2017: Kaspersky
9.3.2018 securityweek Mobil 
Virus

The number of mobile malware attacks detected in 2017 has increased to 42.7 million, according to a new report from Kaspersky Lab.

The surge in attacks runs counter to the trend in detected mobile malicious installation packages, which fell to 5,730,916 in 2017, almost 1.5 times fewer than in 2016.

The number of attacked users, however, grew 1.2 times compared to the previous year: Kaspersky says it protected 4,909,900 unique Android users between the beginning of January and the end of December 2017.

The Moscow-based security firm also says that it detected 94,368 mobile banking Trojans in 2017, 1.3 times less than in the previous year. This type of malware attacked 259,828 users in 164 countries, with Russia, Australia, and Turkey being hit the most.

544,107 mobile ransomware Trojans were detected last year, twice as many as in 2016 and 17 times more than in 2015. Ransomware hit 110,184 Android users in 161 countries, with the United States, Kazakhstan and Belgium hit the most.

The number of users attacked by rooting malware decreased last year, yet this type of malware continued to be popular, accounting for nearly half of the Trojans in the company’s Top 20 list. Such malware usually attempts to gain super-user rights by exploiting system vulnerabilities.

Their decline in popularity among cybercriminals can be explained mainly by the decline in the number of devices still running older Android versions. Android 5.0 or older was found on 57% of the devices in 2017, while Android 6.0 or newer doubled in 2017 compared to 2016.

“Newer versions of Android don’t yet have common vulnerabilities that allow super-user rights to be gained, which is disrupting the activity of rooting malware,” Kaspersky notes.

Despite that, rooting malware continues to be a major threat to Android users, as they are difficult to detect and pack a variety of capabilities. Rooting malware installs modules in system folders to ensure persistency and can sometimes even resist a reset to factory settings.

Notable mentions in the rooting malware category include Ztorg, which infected 100 apps in Google Play and was downloaded tens of thousands of times, and Dvmap, which was downloaded over 50,000 times from the official application store.

In 2017, Kaspersky also discovered new WAP Trojans, malware families that usually follow links received from the command and control (C&C) server and then ‘click’ on page elements using a specially created JS file. Such malware can visit regular advertising sites or pages with WAP subscriptions.

Mobile banking malware also evolved in 2017, “offering new ways to steal money,” Kaspersky says. A modification of FakeToken, for example, was observed targeting apps for booking taxis, hotels, tickets, and the like, in addition to the usually attacked financial apps. The malware overlays the legitimate applications with its phishing windows.

While the latest Android releases attempt to prevent malware from performing malicious actions, banking Trojans last year found new ways to bypass these protections. A Svpeng variant observed last year was abusing accessibility services to grant itself some permissions such as the ability to send and receive SMSs, make calls, and read contacts, in addition to adding itself to the list of device admins to prevent removal.

Last year, both Svpeng and Faketoken “acquired modifications capable of encrypting user files,” Kaspersky reports. However, the encryptor functionality wasn’t that popular among mobile Trojans.

Mobile ransomware Trojans were highly active last year and grew massively during the first half of the year, when detections reached 1.6 times the total for the whole of 2016. From June onward, however, the activity of these malware families returned to normal levels.

The segment, Kaspersky says, was dominated by the Congur ransomware, with over 83% of all installation packages in 2017 belonging to this family. This simple malware changes the device’s PIN code and instructs the owner to contact the attackers via the QQ messenger.

Last year, Trojan-Ransom malware experienced the highest overall growth, followed by RiskTool threats. Trojan-SMS installation packages and Trojan-Dropper malware decreased.

Overall, users in over 230 countries and territories were targeted by malware in 2017, with Iran, Bangladesh, and Indonesia emerging as the top attacked countries.


Cisco Patches Hard-coded Password in PCP Software
9.3.2018 securityweek
Vulnerebility

Cisco this week announced the availability of software updates to address a hard-coded password vulnerability in Cisco Prime Collaboration Provisioning (PCP) Software.

Due to the existence of the hard-coded account password, an unauthenticated, local attacker could log into the underlying Linux operating system. The vulnerability can be abused to connect to the affected system via Secure Shell (SSH) using the hard-coded credentials.

According to Cisco, an attacker successfully exploiting the vulnerability could access the underlying operating system as a low-privileged user. However, the attacker could elevate privileges to root and take full control of the vulnerable system.

Because of the privilege escalation possibility, the vulnerability has a Security Impact Rating (SIR) of Critical, although it was also assessed with a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which would normally come with a SIR of Medium.

The vulnerability impacts Cisco PCP Software release 11.6 only and no prior builds were found to be affected by it, Cisco notes in an advisory. Impacted customers should update to Cisco PCP releases 12.1 and later, as no workarounds that address this vulnerability exist.

The company also notes that it is not aware of “any public announcements or malicious use of the vulnerability.”

This week, the company also addressed CVE-2018-0147, a Critical (CVSS base score of 9.8) vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS), which could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.

“The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary commands on the device with root privileges,” Cisco explains.

The company also addressed a High risk (CVSS base score of 7.3) bug in the FTP server of the Cisco Web Security Appliance (WSA). Due to incorrect FTP user credential validation, an unauthenticated, remote attacker could exploit the bug to log into the server without a valid password or username.

The issue affects any release of Cisco AsyncOS 10.5.1 for WSA; Cisco AsyncOS 10.5.2-042 and later releases address it.

Multiple Medium severity bugs were addressed in other Cisco products.


Russian hackers stole 860,000 euros from 32 ATMs belonging to the Raiffeisen Romania in just one night
9.3.2018 securityweek
Virus

In just one night a Russian crime gang stole 3.8 million lei (860,000 euros) from 32 ATMs belonging to the Raiffeisen Romania bank.
Cybercriminals stole 3.8 million lei (860,000 euros) from 32 ATMs belonging to the Raiffeisen Romania bank using an infected RTF document. The criminal organization, led by Dmitriy Kvasov, operated in Romania and stole the money in a single night in 2016.

“One night Raiffeisen Bank lost control of all ATMs in Romania • Although it seems impossible, the control of ATMs across the country was taken over by a group of Russian hackers • It is one of the biggest thefts of cash money in the history of Romania, and the authorities did not blow a word” reported the website bzi.ro.

The Organized Crime and Counterterrorism Office (DIICOT) who investigated the culprits managed to arrest the leader of the criminal organization.

The Russian hackers launched a spear-phishing attack against Raiffeisen Romania between August 9, 2016, and September 4, 2016, sending email messages carrying a weaponized RTF document. The bait document, which appeared to have been sent on behalf of the European Central Bank, contained code that triggered a vulnerability on the target systems. In this way the attackers took control of the bank's entire network, which in turn allowed them to control the ATMs.

“The extremely well-coordinated criminal organization, wearing sunglasses and hooded anoraks waiting for the command, waited for bags and bags in their hands before the Raiffeisen Iasi, Bucharest, Suceava, Timeshare, Constanta, Plitvice, Saxon and Crevedia automats.” states the Maszol.ru. “At the hands of their leaders, at least a few buttons, 32 cars released them all the money. If more men had been involved with the criminal organization, they could have virtually eliminated all the automatons of the bank.”


According to the report, the attackers were able to instruct the 32 ATMs to dispense cash. Investigators highlighted that the attackers only targeted machines in Romania, but once they had compromised the bank's network they were also in a position to control any ATM worldwide belonging to the financial institution.

The bank confirmed that hackers did not access the customers’ account after the security breach.


CIGslip attack could allow hacker to bypass Microsoft Code Integrity Guard
9.3.2018 securityaffairs
Attack

Security experts devised a stealth attack technique dubbed CIGslip that could be exploited by attackers to bypass Microsoft Code Integrity Guard (CIG)
Security researchers at Morphisec discovered a stealth attack technique dubbed CIGslip that could be exploited by attackers to bypass Microsoft Code Integrity Guard (CIG) and inject malicious libraries into protected processes.

“Morphisec researchers Michael Gorelik and Andrey Diment have discovered CIGslip, a new method which can be exploited by attackers to bypass Microsoft’s Code Integrity Guard (CIG) and load malicious libraries into protected processes such as Microsoft Edge.” reads the analysis published by Morphisec.

“The new attack vector manipulates the way CIG works to circumvent its controls without any in-memory unsigned image codepage injection, a technique with destructive potential if becomes popular.”

CIGslip has a very low footprint on the targeted system and it is currently able to bypass almost all security mechanisms.

The researchers developed an attack PoC that uses a non-CIG-enabled process, which is what most processes on Windows are, as a springboard into a CIG-enabled target process, from which any kind of DLL, including a malicious one, can then be loaded.

Morphisec reported the issue to Microsoft, but the software giant responded that the technique is outside the scope of its Mitigation Bypass and Bounty for Defense Terms.

According to Morphisec, the situation is dangerous for “Windows users [that] are vulnerable in multiple ways.”

“The attack POC takes advantage of a non-CIG enabled process, which is the most popular form of process on Windows, in order to sneak into a CIG-enabled target process, and uses it as an entry point to load any kind of DLL, including a malicious one,” continues the researchers.

The researchers explained that to compromise a targeted process, the attacker would have to perform a reflective memory based injection, but Microsoft added that generally this kind of attack can be detected and for this reason, it is out of the scope of bounty programs.

Researchers at Morphisec, however, were able to bypass Code Integrity Guard without any in-memory injection of unsigned image code pages: they demonstrated that a CIG-protected process can launch a non-CIG-protected process, which then injects back into the protected process that launched it.

“Morphisec researchers identified a much easier method that breaks the CIG concept without any need for in-memory injection of unsigned image codepages.” continues the analysis. “The basic assumption is that we have the ability to execute a non-protected CIG process on disk. This assumption holds since there is no feasible way to protect all processes with CIG (e.g. Outlook would not load). Moreover, a CIG protected process may execute a non-CIG protected process, which will do the backward injection back into the CIG protected process.”

This means that an attacker would attempt to bypass the CIG verification during the backward injection, at the point where the section is created in the target process.

The attack is possible because section handles are kernel-managed objects that can be duplicated between processes.

“Since section handles are global objects managed by Kernel, handles could be duplicated between processes. Therefore, a section that correlated to a non-signed dll could be created within the context of the malicious process and then duplicated into the target process.” concluded the researchers.

“In-order to inject malicious dll (“non-signed”) into a target process, all we need to do is to hook the createsection method within the target process, so that it will not go down to Kernel and will return the duplicated section handle.”


Dofoil Trojan used to deploy cryptocurrency miner on more than 500,000 PCs in a few hours
9.3.2018 securityaffairs
Attack

Microsoft experts observed more than 500,000 computers infected with the Dofoil Trojan, which was used to download a cryptocurrency miner.
A few days ago, researchers at Microsoft announced that Windows Defender Antivirus had blocked more than 80,000 instances of several malware samples that exhibited advanced cross-process injection techniques, persistence mechanisms, and evasion methods.

According to Microsoft, the samples were new variants of Dofoil (also known as Smoke Loader), a small application used to download other malicious code; in these attacks the payload was a coin miner used to mine Electroneum coins.

In just 12 hours from the discovery, the experts observed more than 400,000 instances, most of them in Russia (73%), Turkey (18%) and Ukraine (4%). In all, more than 500,000 computers were infected within 12 hours.

The Dofoil Trojan uses an old code injection technique called ‘process hollowing’, which researchers at CSE CybSec recently observed in an evolved form in another malware family.

“The trojans, which are new variants of Dofoil (also known as Smoke Loader), carry a coin miner payload. Within the next 12 hours, more than 400,000 instances were recorded, 73% of which were in Russia. Turkey accounted for 18% and Ukraine 4% of the global encounters.” reads the analysis published by Microsoft.

“The Dofoil campaign we detected on March 6 started with a trojan that performs process hollowing on explorer.exe. Process hollowing is a code injection technique that involves spawning a new instance of legitimate process (in this case c:\windows\syswow64\explorer.exe) and then replacing the legitimate code with malware.”

The analysis of the Dofoil malware revealed it uses a customized mining application that supports NiceHash allowing infected systems to mine different cryptocurrencies even if the samples Microsoft analyzed mined Electroneum coins.

The malware gains persistence on an infected system through the Windows registry: the hollowed explorer.exe process creates a copy of the original malware in the Roaming AppData folder, renames it ditereah.exe, and then creates or modifies a registry key so that it points to the newly created copy.
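Both artifacts described above, the hollowed explorer.exe and the Run-key entry pointing at a copy under the roaming profile, leave traces that a host sweep can pick up without any signature for the sample itself. The following is an added example, not Microsoft's code: it runs two simple checks over constructed process and autorun records shaped like a Sysmon or `reg query` export. The expected-parent list, the SysWOW64 rule and the function names are assumptions made for this illustration.

```python
"""Added example, not Microsoft's code: two host-level checks for the Dofoil
artifacts described above, run over constructed sample data.

1. A hollowed explorer.exe.  Dofoil spawns c:\\windows\\syswow64\\explorer.exe and
   overwrites it in memory.  On a 64-bit host the shell is C:\\Windows\\explorer.exe,
   started by userinit.exe, so an explorer.exe started by an unrelated parent, or the
   32-bit SysWOW64 copy running at all, is worth a look (a heuristic, not proof).
2. A Run-key value whose executable lives under AppData\\Roaming, which is where the
   ditereah.exe copy is written.
"""

import ntpath
import re

# Process records shaped like an EDR/Sysmon export (constructed sample).
SAMPLE_PROCESSES = [
    {"pid": 1204, "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe"},
    {"pid": 3320, "image": r"C:\Users\alice\Downloads\setup.exe",
     "parent_image": r"C:\Windows\explorer.exe"},
    {"pid": 3388, "image": r"C:\Windows\SysWOW64\explorer.exe",
     "parent_image": r"C:\Users\alice\Downloads\setup.exe"},
]

# HKCU\...\Run values as 'reg query' would list them (constructed sample).
SAMPLE_RUN_VALUES = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "Updater": r"C:\Users\alice\AppData\Roaming\ditereah.exe",
}

# Parents that legitimately start the shell (assumption about a stock Windows host).
EXPECTED_EXPLORER_PARENTS = {"userinit.exe", "winlogon.exe", "explorer.exe"}


def image_name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def command_image(cmd: str) -> str:
    """Executable path from a Run-key command line, honouring a leading quoted path."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:].split('"', 1)[0]
    return cmd.split(" ", 1)[0]


def suspicious_explorer(processes):
    """pids of explorer.exe instances with an unexpected parent or the SysWOW64 image."""
    hits = []
    for p in processes:
        if image_name(p["image"]) != "explorer.exe":
            continue
        bad_parent = image_name(p["parent_image"]) not in EXPECTED_EXPLORER_PARENTS
        wow64 = "\\syswow64\\" in p["image"].lower()
        if bad_parent or wow64:
            hits.append(p["pid"])
    return hits


def suspicious_run_values(run_values):
    """Run-key value names whose executable sits under AppData\\Roaming."""
    return [name for name, cmd in run_values.items()
            if re.search(r"\\appdata\\roaming\\", command_image(cmd), re.IGNORECASE)]


if __name__ == "__main__":
    print("hollowing candidates:", suspicious_explorer(SAMPLE_PROCESSES))
    print("roaming autoruns:", suspicious_run_values(SAMPLE_RUN_VALUES))
```

Neither check proves an infection on its own; the parent-process rule in particular needs tuning for environments where the shell is replaced or started by management tooling. Used together, they narrow a fleet-wide sweep down to the hosts worth pulling memory from.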

Threat actors behind the Dofoil campaign used a command and control (C&C) server hosted on decentralized Namecoin network infrastructure.

“The C&C server commands the malware to connect or disconnect to an IP address; download a file from a certain URL and execute or terminate the specific file; or sleep for a period of time.” states Microsoft.

Microsoft presented the case as evidence that Windows Defender Antivirus is a crucial component for detecting and blocking advanced threats.


New Attack Bypasses Microsoft's Code Integrity Guard
9.3.2018 securityweek
Attack

Morphisec security researchers warn of a newly discovered attack vector that allows attackers to bypass Microsoft’s Code Integrity Guard (CIG) in order to load malicious libraries into protected processes.

Dubbed CIGslip, the new attack vector relies on manipulating the manner in which CIG functions, thus bypassing its controls without the need to inject unsigned image code pages into memory. With a low footprint on the targeted system and likely to go unnoticed, the attack has great damaging potential.

The security researchers have already reported their findings to Microsoft, along with a proof-of-concept, but the software giant responded that the technique is outside the scope of its Mitigation Bypass and Bounty for Defense Terms. Because of that, Morphisec believes that “Windows users are vulnerable in multiple ways.”

“The attack POC takes advantage of a non-CIG enabled process, which is the most popular form of process on Windows, in order to sneak into a CIG-enabled target process, and uses it as an entry point to load any kind of DLL, including a malicious one,” the researchers say.

By abusing CIGslip, an attacker could insert browser malware or adware, Morphisec claims, arguing that it is difficult for third-party security solutions to defend a CIG-protected process without Microsoft-signed DLLs.

Introduced in Windows 10 as an improved protection for Microsoft Edge, CIG would prevent the “injection of DLLs into the browser unless they are Windows components or signed device drivers.”

According to Morphisec, the mechanism is effective at blocking malware and adware already on the computer, but also makes it “harder for third party security vendors to apply runtime protection for any CIG protected processes.”

In order to compromise a targeted process, one would have to perform reflective memory based injection, which works against CIG protected processes too, the security researchers say. This technique, however, can generally be detected and Microsoft does not consider it within the scope of bounty programs.

According to Morphisec, however, CIG can be bypassed without any in-memory injection of unsigned image code pages. The newly discovered method, the security firm says, mimics natural Windows DLL loading from disk.

The technique is based on the assumption that the attacker can execute a non-CIG protected process on disk, given that “there is no feasible way to protect all processes with CIG.” Since a CIG-protected process is able to execute a non-CIG protected process, the attacker would focus on backward injection, attempting to bypass “the CIG verification during the section create in the target process.”

“In order to detour the code integrity verification, we would need to hijack the control when the section is created within the targeted process,” Morphisec notes.

Section handles are kernel-managed objects that can be duplicated between processes, the researchers explain. Thus, a “section that correlated to a non-signed DLL could be created within the context of the malicious process and then duplicated into the target process.”

Thus, Morphisec discovered that the injection of a malicious, non-signed DLL into a target process would require hooking the createsection method within the target process to return the duplicated section handle. Given that createsection returns an already existing verified section handle, the verification of the section is successful and the targeted process maps the DLL code page into its memory.

“The risks inherent in this new technique, which can be used or is possibly in use already, are high as the attack has very low footprint on the system and will go undetected by almost all security mechanisms,” Morphisec says.


Olympic Destroyer, alleged artifacts and false flag make attribution impossible
9.3.2018 securityaffairs
Attack  APT

According to Kaspersky Lab, threat actors behind the recent Olympic Destroyer attack planted sophisticated false flags inside their malicious code.
On Friday, February 9, shortly before the Pyeongchang opening ceremony, televisions at the main press centre, the Wi-Fi at the Olympic Stadium and the official website were taken down.

Hackers used the so-called Olympic Destroyer, a strain of malware that allowed the attackers to wipe files and make systems inoperable.


Experts discovered that the malware leverages the EternalRomance NSA exploit to spread via the SMB protocol.

Initially, experts blamed North Korea for the attack, later intelligence officers attributed the cyber attack to Russia.

According to Talos team, there are many similarities between the Pyeongchang attack, which they are dubbing ‘Olympic Destroyer”’, and earlier attacks such as BadRabbit and NotPetya. All of these attacks are focused on destruction and disruption of equipment not exfiltration of data or other, more subtle attacks. Using legitimate tools such as PsExec and WMI the attackers are specifically targeting the pyeongchang2018.com domain attempting to steal browser and system credentials to move laterally in the network and then wiping the victim computer to make it unusable.

“Disruption is the clear objective in this type of attack and it leaves us confident in thinking that the actors behind this were after embarrassment of the Olympic committee during the opening ceremony.” reads the analysis published by Talos.

Kaspersky experts found samples of the malware at several ski resorts in South Korea, but even after analyzing the malicious code they were not able to attribute the attack to a specific actor.


The experts identified a unique “fingerprint” associated with the North Korea-linked Lazarus APT, but other evidence collected by the experts revealed important inconsistencies suggesting a false flag operation.

“What we discovered next brought a big shock. Using our own in-house malware similarity system we have discovered a unique pattern that linked Olympic Destroyer to Lazarus. A combination of certain code development environment features stored in executable files, known as Rich header, may be used as a fingerprint identifying the malware authors and their projects in some cases. In case of Olympic Destroyer wiper sample analyzed by Kaspersky Lab this “fingerprint” gave a 100% match with previously known Lazarus malware components and zero overlap with any other clean or malicious file known to date to Kaspersky Lab.” reads the analysis published by Kaspersky.
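The Rich header Kaspersky refers to sits between the DOS stub and the PE signature: the Microsoft linker writes a list of (product id, build number, count) tuples describing the toolchain components that produced the file, XOR-masks them with a per-file key, and terminates the list with the literal "Rich" followed by the key. The following is an added example, not Kaspersky's tooling: it unmasks that list and hashes it so that files built in the same environment collide regardless of their individual keys. Kaspersky does not describe its exact similarity method, so the SHA-256 fingerprint here is an assumption about one reasonable approach; the sample image, the function names and the entry values are constructed.

```python
"""Added example, not Kaspersky's tooling: decode the Rich header of a PE file and derive
a fingerprint from it.  The fingerprint is a hash over the unmasked (product, build,
count) tuples, one reasonable way to cluster samples by build environment (an
assumption here, not Kaspersky's exact method).  The sample image is constructed by
make_sample_image(), not a real binary."""

import hashlib
import struct

DANS = 0x536E6144  # "DanS" read as a little-endian DWORD
RICH = b"Rich"


def parse_rich_header(data: bytes):
    """Return (key, [(prod_id, build, count), ...]) or None if there is no Rich header.
    Only the region before the PE signature (e_lfanew) is searched."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    stub = data[:min(e_lfanew, len(data))]
    rich_pos = stub.rfind(RICH)
    if rich_pos < 0 or rich_pos + 8 > len(stub):
        return None
    key = struct.unpack_from("<I", stub, rich_pos + 4)[0]
    # Walk backwards in DWORD steps, unmasking until the "DanS" marker appears.
    pos = rich_pos - 4
    dans_pos = None
    while pos >= 0:
        if struct.unpack_from("<I", stub, pos)[0] ^ key == DANS:
            dans_pos = pos
            break
        pos -= 4
    if dans_pos is None:
        return None
    entries = []
    # Skip "DanS" and the three masked padding DWORDs that follow it.
    for off in range(dans_pos + 16, rich_pos, 8):
        comp_id, count = struct.unpack_from("<II", stub, off)
        comp_id ^= key
        count ^= key
        entries.append((comp_id >> 16, comp_id & 0xFFFF, count))
    return key, entries


def rich_fingerprint(entries) -> str:
    """SHA-256 over the unmasked tuples: independent of the per-file XOR key."""
    raw = b"".join(struct.pack("<HHI", prod, build, count) for prod, build, count in entries)
    return hashlib.sha256(raw).hexdigest()


def make_sample_image(entries, key: int) -> bytes:
    """Build a minimal, constructed MZ image containing a masked Rich header."""
    body = struct.pack("<IIII", DANS ^ key, key, key, key)  # DanS + three masked zeroes
    for prod, build, count in entries:
        body += struct.pack("<II", ((prod << 16) | build) ^ key, count ^ key)
    body += RICH + struct.pack("<I", key)
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x40 + len(body))  # e_lfanew
    return bytes(dos_header) + body + b"PE\0\0"


# Constructed entries: (product id, build, count) as a linker might emit them.
SAMPLE_ENTRIES = [(0x00DE, 0x5E3B, 9), (0x00DF, 0x5E3B, 12), (0x0001, 0x0000, 1)]

if __name__ == "__main__":
    image = make_sample_image(SAMPLE_ENTRIES, key=0x3A7F19C2)
    key, entries = parse_rich_header(image)
    print(hex(key), entries, rich_fingerprint(entries))
```

Because the Rich header is unsigned, unvalidated by the loader and trivially rewritable, a match is exactly the kind of evidence a false-flag operation can plant; the value of the fingerprint is in corroborating other overlaps, not in standing alone.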

Kaspersky also found evidence that would suggest the malicious code was developed by the Russia-linked Sofacy APT (aka Pawn Storm, Fancy Bear, APT28, Sednit, Tsar Team, and Strontium).

“we have seen attackers using NordVPN and MonoVM hosting. Both services are available for bitcoins, which make them the perfect tool for APT actors. This and several other TTPs have in the past been used by the Sofacy APT group, a widely known Russian-language threat actor.” continues Kaspersky.

Is it possible that the Russian APT attempted to frame Lazarus? Maybe.

Another possible scenario sees Lazarus itself using a false flag in the Olympics attack.

“There are some open questions about the attacker’s motivation in this story. We know that the attackers had administrative accounts in the affected networks. By deleting backups and destroying all local data they could have easily devastated the Olympic infrastructure. Instead, they decided to do some “light” destruction: wiping files on Windows shares, resetting event logs, deleting backups, disabling Windows services and rebooting systems into an unbootable state.” concluded Kaspersky.

“When you add in the multiple similarities to TTPs used by other actors and malware, intentional false flags and relatively good opsec, it merely raises more questions as to the purpose of all this.”

This case demonstrates the difficulty in the attribution of APT attacks.


Group-IB supported law enforcement in dismantling Ukrainian DDoS crime gang
9.3.2018 securityaffairs
Attack

Ukrainian Police supported by security firm Group-IB and other security firms dismantled a DDoS crime gang that blackmailed numerous companies worldwide.
In another example of successful collaboration between law enforcement agencies and security firms in the fight against cybercrime, Ukrainian Police, supported by security firm Group-IB and other security firms, dismantled a DDoS crime gang that had been launching distributed denial-of-service (DDoS) attacks for extortion against companies for over two years.
“The investigation department of Group-IB, an international company focused on cyber-attack prevention and data security products development, has helped to suppress the criminal activity of an organized group that had been involved in launching DDoS attacks and extortion for over two years.” reads the announcement published by Group-IB.
The investigation started in September 2015, after the group launched a DDoS attack on the international online dating service AnastasiaDate and demanded $10,000 to stop the assault. The company's site was knocked offline for hours.

“Other attacks targeted online stores, payment systems, as well as websites offering betting, lottery and gaming services.” continues Group-IB.

“In particular, the victims of the Ukrainian fraudsters included Stafford Associated, an American company leasing data center and hosting facilities, and PayOnline online payment service. The average ransom amount demanded by the criminals ranged from $1,000 to $10,000.”

The cybersecurity experts at Group-IB identified the attackers and linked the group to another attack carried out by two Ukrainian individuals, Gayk Grishkyan and Inna Yatsenko. According to the investigators, the duo had also previously targeted the American leasing company Stafford Associated and the PayOnline payment service.

The two suspects later contacted the online dating service to demand ransom and threaten new DDoS attacks.

“In March 2017, the hackers’ apartments and offices were searched, and their computers and mobile phones confiscated. The forensic analysis showed that the data stored on the confiscated devices constituted irrefutable evidence of Yatsenko and Grishkyan’s involvement in the extortion cases of 2015 and 2016.” concluded the announcement.

The two members of the DDoS crime gang have now pleaded guilty to the crimes, and a court handed them a five-year conditional sentence.

“We are satisfied with the successful outcome of the prosecution and the blow we have struck against cybercrime in Ukraine. The collaboration with our security partners has guaranteed the integrity of our services and helped reinforce our defenses for the future.” said AnastasiaDate’s US-based director, Lewis Ferro.

“It has been of the utmost importance to our international partners. It is another example of AnastasiaDate’s trustworthiness and diligence when it comes to member security, tackling fraud, and preventing criminal activity.”


Microsoft Detects Massive Dofoil Attack
8.3.2018 securityweek
Attack

Mid-day Tuesday (PST), Microsoft's Windows Defender blocked more than 80,000 instances of several new variants of the Dofoil (aka Smoke Loader) downloader. The signatureless machine learning capabilities of Defender detected anomalous behavior, and within minutes had protected Windows 10, 8.1 and 7 users from the outbreak.

Over the next 12 hours, more than 400,000 instances of this malware were recorded -- 73% of them in Russia, 18% in Turkey, and 4% in Ukraine.

Microsoft describes how the Dofoil downloader works, and how it was detected. Noticeably, it does not explain how the computers were compromised in the first place. The malware performs process hollowing, which involves spawning a new instance of a legitimate process -- in this case, explorer.exe -- and replacing the good code with malware. The hollowed explorer.exe then spins a second instance which drops and runs coin mining malware masquerading as the legitimate binary, wuauclt.exe.

Defender detected the issue, writes Microsoft, since, "Even though it uses the name of a legitimate Windows binary, it’s running from the wrong location. The command line is anomalous compared to the legitimate binary. Additionally, the network traffic from this binary is suspicious."

The downloader communicates with a C&C server, vinik.bit, inside the Namecoin distributed framework. Doctor Web researchers described Namecoin as, "a system of alternative root DNS servers based on Bitcoin technology.” Namecoin describes itself as a key/value pair registration and transfer system based on Bitcoin technology. "Bitcoin frees money -- Namecoin frees DNS, identities, and other technologies."
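A detector for the three signals Microsoft lists above (a system binary name running from the wrong location, an anomalous command line, and suspicious network traffic such as a Namecoin .bit lookup), written here as an added Python example; it is neither SecurityWeek's nor Microsoft's code. The process records, the allow-list of expected directories, and the baseline that the real wuauclt.exe takes slash-style switches and is started by svchost.exe rather than Explorer are all assumptions made for this example.

```python
from dataclasses import dataclass, field
import ntpath

# Constructed allow-list: directories where each legitimate Windows binary named in
# the article normally lives (lower-cased, no trailing separator).
EXPECTED_DIRS = {
    "wuauclt.exe": {r"c:\windows\system32", r"c:\windows\syswow64"},
    "explorer.exe": {r"c:\windows", r"c:\windows\syswow64"},
}

@dataclass
class ProcessRecord:
    """One process as an EDR/Sysmon-style inventory would report it (constructed)."""
    pid: int
    image_path: str
    command_line: str
    parent_image: str
    dns_queries: list = field(default_factory=list)

def image_name(path):
    return ntpath.basename(path).lower()

def image_dir(path):
    return ntpath.dirname(path).lower()

def check_process(rec):
    """Return the list of anomalies for one process (an empty list means clean)."""
    reasons = []
    # Namecoin .bit names never resolve through ordinary DNS, so a lookup for one
    # from any process is worth flagging on its own (the article names vinik.bit).
    for q in rec.dns_queries:
        if q.lower().endswith(".bit"):
            reasons.append("namecoin .bit lookup: " + q)
    name = image_name(rec.image_path)
    expected = EXPECTED_DIRS.get(name)
    if expected is None:
        return reasons  # not one of the binary names profiled here
    # A legitimate system binary name running outside its system directory is the
    # masquerade Microsoft describes ("running from the wrong location"). A hollowed
    # explorer.exe keeps the real path, so it is its child and its traffic that show.
    if image_dir(rec.image_path) not in expected:
        reasons.append("masquerade: %s running from %s" % (name, image_dir(rec.image_path)))
    if name == "wuauclt.exe":
        # Assumed baseline: the Windows Update client takes slash-style switches and
        # is started by the service host, not by Explorer.
        args = rec.command_line.split()[1:]
        if any(not a.startswith("/") for a in args):
            reasons.append("anomalous command line: " + rec.command_line)
        if image_name(rec.parent_image) == "explorer.exe":
            reasons.append("unexpected parent: explorer.exe")
    return reasons

def scan(records):
    """Map pid -> anomalies for every process that raised at least one."""
    flagged = {}
    for rec in records:
        reasons = check_process(rec)
        if reasons:
            flagged[rec.pid] = reasons
    return flagged

# Constructed sample inventory: a benign update client, a benign Explorer, and a
# miner dropped under a user profile under the Windows Update client's name.
SAMPLE_PROCESSES = [
    ProcessRecord(800, r"C:\Windows\System32\wuauclt.exe", "wuauclt.exe /detectnow",
                  r"C:\Windows\System32\svchost.exe"),
    ProcessRecord(1200, r"C:\Windows\explorer.exe", "explorer.exe",
                  r"C:\Windows\System32\userinit.exe"),
    ProcessRecord(4321, r"C:\Users\bob\AppData\Roaming\wuauclt.exe",
                  "wuauclt.exe -o pool.example.invalid:3333 -u WALLET-PLACEHOLDER",
                  r"C:\Windows\explorer.exe", ["vinik.bit"]),
]

if __name__ == "__main__":
    for pid, reasons in scan(SAMPLE_PROCESSES).items():
        print(pid, *reasons, sep="\n  ")
```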

Fittingly, what Dofoil downloads is a cryptominer that supports NiceHash; allowing it to mine different cryptocurrencies. "The samples we analyzed mined Electroneum coins," writes Microsoft.

Electroneum is an interesting choice when most malware miners seem to go for Bitcoin and increasingly Monero. The criminals will always, however, go after maximum profit from minimum effort. On Monday this week, one day before the Dofoil outbreak, Jason Evangelho wrote in Forbes, "I'm enthusiastic about Electroneum and I've been diverting my mining rigs from Nicehash or Ethereum to this one because I believe it will explode in popularity by the end of 2018." This may be precisely the same reasoning as the criminals.

Natural price growth in any currency will likely be boosted by the number of operational miners. In a report titled Monero Mining Malware (PDF) published today, NTT researchers suggest that there is a symbiotic relationship between legal and malware-driven mining, with both processes driving the increase in value.

The decision to use Dofoil to drop Electroneum mining malware may be driven both by the currency's apparent growth potential and by the fact that a massive campaign infecting nearly half a million PCs would itself help drive up its value.

"As demonstrated," writes Microsoft, "Windows Defender Advanced Threat Protection (Windows Defender ATP) flags malicious behaviors related to installation, code injection, persistence mechanisms, and coin mining activities. Security operations can use the rich detection libraries in Windows Defender ATP to detect and respond to anomalous activities in the network."

This is true as far as it goes; but not everyone believes it goes far enough. All such reports are fundamentally marketing documents and will inevitably portray the company concerned in the best light possible. "The way I read it," comments ESET Senior Research Fellow David Harley, "Windows Defender did a good job of detecting this particular campaign, and deserve credit for it. As does any company that offers prompt/proactive detection of a sophisticated campaign, and there are several that do."

F-Secure security advisor Sean Sullivan agrees that many anti-malware products would have had a similar success in stopping the campaign. "Other antivirus products would also block this campaign," he told SecurityWeek. "Some of the details may differ, but the result would be similar."

Luis Corrons, technical director at PandaLabs, is more reserved. "If you read [the report] carefully, you see they have no clue on how the threat compromised those computers," he told SecurityWeek. "So, we are talking about an 'outbreak' (their own words) infecting thousands of computers protected by Microsoft."

Corrons' concern is that relying solely on behavioral patterns will only detect the malware after it has already infected the computer. This is true in this case, since the downloaded malware, disguised as wuauclt.exe, was detected because it was running from the wrong location. "After being compromised they were able to detect it -- which is great, but it would have been better if they could have stopped the infection in the first place. The problem is," he continued, "that if they really have no idea of how the attack compromised those computers, the same attack could work against all Microsoft AV users leaving them just with the hope that their 'great' machine learning technology is able to detect it (once they have been infected)."

This last is an interesting comment, since reliance on machine learning algorithms can only be as effective as the algorithms and the data from which they learn. Almost two years ago there was a huge argument https://www.securityweek.com/virustotal-policy-change-rocks-anti-malware... between the original anti-virus industry and the evolving 'next-gen' machine learning endpoint protection systems -- with the former accusing the latter of frequently 'stealing' their malware intelligence via VirusTotal.

One of the figures in the Microsoft report depicts the 'alert process tree' used to determine the presence of the malware. Noticeably, this includes a VirusTotal hash with the comment, "VirusTotal detection ratio 38/67." Since more than half of the anti-malware engines supported by VirusTotal already classify the file as malware, it is a fair assumption that it really is malware.

A cynic might then wonder just how much of the 'Big Data Analytics' underpinning Defender's machine learning algorithms actually depends upon the opinions of other anti-malware researchers as displayed by VirusTotal.

Related: Windows Defender ATP Detects Spyware Used by Law Enforcement: Microsoft https://www.securityweek.com/windows-defender-atp-detects-spyware-used-law-enforcement-microsoft

Related: "Illusion Gap" Attack Bypasses Windows Defender https://www.securityweek.com/virustotal-policy-change-rocks-anti-malware-industry


Web App Security Firm Netsparker Raises $40 Million
8.3.2018 securityweek IT

Web application scanner company Netsparker announced on Thursday that it has raised $40 million from San Francisco-based growth and private equity firm Turn/River.

Netsparker was founded by Ferruh Mavituna, Peter Edgeler and Mark Lane in London, England in 2009, with Mavituna's working proof-of-concept for a new approach to finding web vulnerabilities without false positives. This involves first locating the vulnerability and then exploiting it to provide proof: it combines the related but different concepts of vulnerability scanning and penetration testing to eliminate false positives. The first commercial version of the product was launched in 2010.

Now with offices in London, Austin TX, and Turkey, Netsparker will use the new funding for further product development, sales growth and new marketing initiatives.

“Netsparker’s solution combines unique Proof-Based Scanning Technology with enterprise workflow tools, making it the only scalable web security solution on the market," comments Mavituna, now CEO at Netsparker. "With overwhelming market demand for this solution in the face of increasing security and compliance regulations, such as Europe’s GDPR, Netsparker aims to become the de facto solution for enterprises that need to secure thousands of web applications at scale.

"Turn/River Capital’s expertise in growing similar companies," he continued, "such as website security platform Sucuri, makes them a perfect match for this market expansion."

"Netsparker’s industry-leading vulnerability detection rates have won over a rapidly expanding, loyal base of thousands of enterprises that trust Netsparker with a mission-critical part of their security," added Dominic Ang, Turn/River Capital's founder and Managing Partner.

In January 2018, test results of independent researcher and analyst Shay Chen's Web Application Vulnerability Scanner Evaluation Project (WAVSEP) were published. "Netsparker was the only scanner that identified all the vulnerabilities and one of two that did not report any false positives," announced Netsparker.


Sophisticated False Flags Planted in Olympic Destroyer Malware
8.3.2018 securityweek
Virus  APT

Hackers Behind Olympic Destroyer Malware Used Sophisticated False Flag to Trick Researchers

CANCUN - KASPERSKY SECURITY ANALYST SUMMIT - The hackers behind the recent Olympic Destroyer attack planted sophisticated false flags inside their malware in an effort to trick researchers, Kaspersky Lab revealed on Thursday.

The Olympic Winter Games in Pyeongchang, South Korea, were hit by a cyberattack that caused temporary disruption to IT systems, including the official Olympics website, display monitors, and Wi-Fi connections. The attack involved Olympic Destroyer, a piece of malware designed to wipe files and make systems inoperable, and to steal passwords from browsers and Windows. Compromised credentials are used to spread to other machines on the network.

Kaspersky has also spotted infections at several ski resorts in South Korea. The malware, which leverages a leaked NSA exploit known as EternalRomance to spread via the SMB protocol, temporarily disrupted ski gates and lifts at the affected resorts.

Several cybersecurity firms launched investigations into the Olympic Destroyer attack shortly after the news broke, and while they mostly agreed on the malware’s functionality, they could not agree on who was behind the operation. Some pointed the finger at North Korea, while others blamed China or Russia, leading some industry professionals to warn against this type of knee-jerk attribution.

Kaspersky researchers also analyzed the Olympic Destroyer worm in an effort to determine who was behind the attack. While they haven’t been able to identify the culprit, experts have found some interesting clues.

The security firm has found a unique “fingerprint” associated with the notorious Lazarus Group, which has been linked to North Korea and blamed for high profile attacks such as the one on Sony, the WannaCry campaign, and various operations targeting financial organizations.

This fingerprint was a 100% match to known Lazarus malware components and it did not appear in any other files from Kaspersky’s database. While this piece of evidence and the type of attack suggested that Olympic Destroyer could be the work of North Korea, other data gathered by researchers as a result of an on-site investigation at a South Korean target revealed inconsistencies.

Experts determined that the unique fingerprint was likely a sophisticated false flag planted by the attackers to throw investigators off track.
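The Rich header fingerprint described in the Kaspersky quote earlier on this page, and the forged fingerprint discussed here, as an added Python example that is neither article's code nor Kaspersky's: it decodes the Rich header of a PE file into its (product id, build, count) tool entries, derives a fingerprint from them, and shows that a second sample with different code but a copied header yields an identical fingerprint. All sample bytes, keys and entry values are constructed for the example.

```python
import hashlib
import struct

DANS_MAGIC = 0x536E6144  # the bytes "DanS" read as a little-endian dword
RICH_MAGIC = b"Rich"

def parse_rich_header(data):
    """Return (xor_key, [(product_id, build_number, use_count), ...]) or None.

    Layout (little-endian dwords): "DanS"^key, three 0^key padding dwords, then
    (compid^key, count^key) pairs, then "Rich" and the key in clear. compid packs
    the tool's product id in the high 16 bits and its build number in the low 16.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # The Rich header sits in the DOS stub, i.e. before the PE header at e_lfanew.
    stub = data[:e_lfanew] if 0 < e_lfanew <= len(data) else data
    rich_at = stub.rfind(RICH_MAGIC)
    if rich_at < 0 or rich_at + 8 > len(stub):
        return None
    key = struct.unpack_from("<I", stub, rich_at + 4)[0]
    # Walk backwards one dword at a time, un-XORing until "DanS" appears.
    pos, dans_at = rich_at - 4, None
    while pos >= 0:
        if struct.unpack_from("<I", stub, pos)[0] ^ key == DANS_MAGIC:
            dans_at = pos
            break
        pos -= 4
    if dans_at is None:
        return None
    entries = []
    for off in range(dans_at + 16, rich_at, 8):
        compid, count = struct.unpack_from("<II", stub, off)
        compid ^= key
        entries.append((compid >> 16, compid & 0xFFFF, count ^ key))
    return key, entries

def rich_fingerprint(entries):
    """Stable digest of the decoded tool list. The XOR key is left out on purpose:
    it is a checksum over the DOS stub and the entries, not a property of the
    author's toolchain."""
    canonical = ",".join("%04x:%d:%d" % e for e in entries)
    return hashlib.sha256(canonical.encode()).hexdigest()

def build_sample(entries, key, payload):
    """Constructed stand-in for a PE file (DOS header, Rich header, PE signature,
    payload). It is not loadable; it only has the structure the parser needs."""
    rich = struct.pack("<I", DANS_MAGIC ^ key) + struct.pack("<III", key, key, key)
    for prod, build, count in entries:
        rich += struct.pack("<II", ((prod << 16) | build) ^ key, count ^ key)
    rich += RICH_MAGIC + struct.pack("<I", key)
    dos = bytearray(0x80)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80 + len(rich))  # e_lfanew
    return bytes(dos) + rich + b"PE\0\0" + payload

# Constructed values: three tool entries (product id, build, use count) and a key.
SAMPLE_KEY = 0x1A2B3C4D
SAMPLE_ENTRIES = [(0x00DE, 27412, 9), (0x00DF, 27412, 1), (0x00E0, 27412, 2)]
ORIGINAL = build_sample(SAMPLE_ENTRIES, SAMPLE_KEY, b"code built by the real author")
# A second sample with different code but the same Rich header copied verbatim,
# the kind of planted artifact the article describes.
FORGED = build_sample(SAMPLE_ENTRIES, SAMPLE_KEY, b"unrelated code with a copied header")

def same_toolchain_fingerprint(a, b):
    """True when both blobs carry an identical Rich fingerprint. As the forged sample
    shows, this matches tool lists, not authors, and needs corroborating evidence."""
    pa, pb = parse_rich_header(a), parse_rich_header(b)
    return pa is not None and pb is not None and \
        rich_fingerprint(pa[1]) == rich_fingerprint(pb[1])

if __name__ == "__main__":
    for label, blob in (("original", ORIGINAL), ("forged", FORGED)):
        key, entries = parse_rich_header(blob)
        print(label, hex(key), entries, rich_fingerprint(entries)[:16])
    print("same fingerprint:", same_toolchain_fingerprint(ORIGINAL, FORGED))
```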

“To our knowledge, the evidence we were able to find was not previously used for attribution. Yet the attackers decided to use it, predicting that someone would find it. They counted on the fact that forgery of this artifact is very hard to prove,” explained Vitaly Kamluk, head of the APAC research team at Kaspersky. “It’s as if a criminal had stolen someone else’s DNA and left it at a crime scene instead of their own. We discovered and proved that the DNA found on the crime scene was dropped there on purpose. All this demonstrates how much effort attackers are willing to spend in order to stay unidentified for as long as possible. We’ve always said that attribution in cyberspace is very hard as lots of things can be faked, and Olympic Destroyer is a pretty precise illustration of this.”

In addition to this apparent link to North Korea, Kaspersky has found evidence that would suggest the involvement of the notorious group known as Sofacy, Fancy Bear, APT28 and Pawn Storm, which is widely believed to be sponsored by the Russian government.

One possible scenario is that the Russian hackers attempted to frame Lazarus for the attack after the North Korean group tried to pin one of its campaigns on Russian actors. It’s also possible that the false flag used in the Olympics attack is part of the hackers’ efforts to improve their deception techniques.

Links to China have been found by Intezer, which specializes in recognizing code reuse. Its analysis led to the discovery of numerous code fragments uniquely linked to threat groups tracked as APT3, APT10 and APT12.


CCleaner Incident Investigation Reveals Possible Stage 3 Payload
8.3.2018 securityweek Incident

CANCUN - KASPERSKY SECURITY ANALYST SUMMIT - The investigation into the September 2017 CCleaner incident has revealed what appears to be a stage three payload that attackers supposedly intended to deliver to infected users.

The attack was disclosed on September 18, when security firm Avast revealed that 2.27 million users worldwide had downloaded an infected CCleaner installation file between August 15 and September 12. Hackers had added a backdoor to the 32-bit CCleaner v5.33.6162 and CCleaner Cloud v1.07.3191 releases, Avast revealed.

What led to this was the compromise of the distribution servers of Piriform, the company developing CCleaner, in the months before Avast purchased the software firm. The code in the modified installers could collect non-sensitive information from the infected machines, and could also deliver a second stage binary.

This revealed that the incident was in fact a highly targeted attack, as the second-stage payload was delivered to only 40 computers out of the millions that downloaded stage one. While no stage three binary was found on the affected systems, Avast now says that the attackers, the Chinese hacking group Axiom (also known as APT17 or DeputyDog), apparently had plans to deliver such malware as well.

During its investigation of the Piriform infrastructure, the security firm discovered not only stage one and stage two binaries on the network, but also evidence of a third stage on four computers. Dubbed ShadowPad, this is a specialized tool that provides cybercriminals with remote control capabilities.

In an August 2017 report, Kaspersky revealed that the ShadowPad backdoor was found in NetSarang’s products, which are used by hundreds of companies in the financial, software, media, energy, electronics, insurance, industrial, construction, manufacturing, retail, telecoms, pharmaceutical, and transportation sectors.

“The tool was installed on the four Piriform computers on April 13th, 2017, while the preliminary version of the second stage had been installed on the computers March 12th, 2017,” Avast says.

The command and control (C&C) server the older second stage variant was attempting to connect to was no longer up during the investigation and the researchers don’t know exactly what it was supposed to download. However, given the timeline of events, they assume that it “had downloaded and installed ShadowPad on the four Piriform computers.”

The fact that ShadowPad is believed to have been developed by the Axiom group, the same actor behind the CCleaner attack, is also a strong indicator that this malware was intended to become the third stage payload, Avast says.

The ShadowPad version used in the attack was custom-built, leading investigators to suspect it was explicitly created for Piriform.

The security firm also discovered ShadowPad log files containing encrypted key strokes from a keylogger that became active on the infected machines on March 12, 2017. Other tools were also installed on the four computers, including a password stealer, along with tools that could install more software and plugins on the infected machines.

“While ShadowPad was installed on the Piriform network itself and, as far as we can tell through our investigations today, not on any of the CCleaner customers’ computers, we believe that this tool was the intended third stage for the CCleaner customers,” Avast says.

The second-stage malware was deployed to only 40 computers of the millions that downloaded the infected CCleaner versions, but Avast couldn’t determine whether the third stage payload was meant for all of them or only a few, if any.


Cortana Can Expose Enterprises to Attacks, Researchers Warn
8.3.2018 securityweek
Attack

Malicious actors may be able to abuse voice-based virtual assistants to hack into enterprise systems and researchers proved it through an attack that targets Microsoft Cortana.

Independent researchers Amichai Shulman, former CTO and co-founder of Imperva, and Tal Be’ery, former VP of research at Microsoft-acquired security firm Aorato, have found a way to conduct an evil maid attack that abuses the Cortana voice assistant to install malware onto a locked computer. The researchers are detailing their findings on Friday at Kaspersky Lab’s Security Analyst Summit (SAS) in Cancun, Mexico.

In Windows 10, if default settings are not changed, any user can interact with Cortana by saying “Hey Cortana,” and it works even if the device is locked.

Shulman and Be’ery explained that when the device is locked, the screen is locked and the keyboard cannot be used to control applications, but apps can still run in the background.

In an attack scenario they described, an evil maid (i.e. a hacker who has physical access to the targeted machine) can install malware on a locked device by telling Cortana to access a website, intercepting traffic to that site using a device attached to the PC, and injecting malicious code into the connection.

One of the voice commands accepted by Cortana from the lock screen is “go to [website domain].” If the user tells Cortana to access any site, Windows launches a browser process and sends a query for the domain name to Bing. In the case of “privileged” websites, such as cnn.com, Windows would launch a browser process and navigate to the site directly. After being notified by the researchers of the potential for abuse, Microsoft has decided to make some changes and no longer allow direct browsing from a locked machine.

The first step in the attack scenario described by Shulman and Be’ery involves plugging in a rogue USB network card or network cable into the targeted machine. The attacker then instructs Cortana to access a privileged website that does not use a secure HTTPS connection (e.g. cnn.com).

Since the connection is not protected, the hacker’s network card can be used to conduct a man-in-the-middle (MitM) attack and replace normal traffic with malicious code, such as a web browser exploit designed to deliver a piece of malware. The malware then provides a remote backdoor to the compromised system.


If the attacker already had access to a system, they could have conducted a remote attack where a piece of malware played an audio file that instructed Cortana to navigate to an arbitrary website. This could have been used to hack other devices on the targeted enterprise network.

“The attacker uses the infected computer speakers to send the Cortana commands as before (plays ‘Go to CNN.com'). The attacker gets network access to the next victim computer (the equivalent of the network cable USB network card) through a known network attack (e.g. ARP poisoning) and replaces the content of cnn.com with malicious content,” Be’ery told SecurityWeek.

Microsoft made some server-side changes in August 2017 in order to prevent abuse, but Shulman and Be’ery believe there could be other Cortana commands that can be leveraged for similar attacks, and noted that the research can be extended to other voice assistants, such as Apple’s Siri.

As part of their research, the experts also developed a tool, named Newspeak, that acts as a proxy for communications between Cortana and Microsoft servers.

“The Newspeak tool enables its user to monitor Cortana requests (user says ‘go to cnn.com' and Cortana cloud sends that interpreted text back) and results (Cortana cloud commands the Cortana client to perform the action of ‘browse to cnn.com') and therefore create an audit log of Cortana. It can be used to detect malicious and abnormal usage and block/alert,” Be’ery explained.

“Another use of the Newspeak tool can be to alter the commands for fun/malicious purposes (user request cnn, let's give him fox news), or for defensive use cases (instead of going to the HTTP version of CNN go to the HTTPS version),” he added.

The researchers told SecurityWeek that they will make the Newspeak tool available at some point.

 


Smoke Loader Backdoor Gets Anti-Analysis Improvements
8.3.2018 securityweek
Virus

The infamous Smoke Loader backdoor now has more complex anti-analysis techniques that allow it to remain a potent malware delivery mechanism, PhishLabs security researchers warn.

Also known as Dofoil, Smoke Loader has been advertised on dark web forums since at least mid-2011. Packing a modular design, the malware can receive secondary execution instructions and/or download additional functional modules. Lately, the loader has been used in the distribution of malware such as the TrickBot banking Trojan and GlobeImposter ransomware.

The Smoke Loader installer, the security researchers explain, spawns an EnumTools thread to detect and evade analysis tools, and uses an API to enumerate running analysis utilities. The malware checks for twelve analysis processes via a hash-based method, and terminates itself if one is found running. As part of an anti-VM check, it also queries the name and the volume information of the infected machine, along with a registry key.

“There are two main paths of execution in Smoke Loader, the installer and the loader. The installer path runs prior to spawning and injects into a new instance of a Windows Explorer process. Post injection, the loader runs and executes the core functionality of the module. Before injection occurs, Smoke Loader performs several checks to determine information about the system on which it is running,” PhishLabs says.

Smoke Loader was observed leveraging the VirtualProtect API call to change the protection of the allocated memory region, the security researchers reveal. Toward the end of the loader execution path, the malware also checks whether injection should occur, and execution continues if injection has not yet been performed.

The malware was observed performing networking checks to ensure the loader has Internet access (it can generate fake traffic for that). The security researchers also noticed that, unlike previous versions, the latest Smoke Loader variant uses a custom XOR-based algorithm to decode strings within the sample. Previously, the strings weren’t encoded.

“While Smoke Loader’s distribution is not as wide spread as other malware families, it is under continued development and very effective at what it does. The loader’s longevity indicates that the developers are committed to persistence and protection of their loader from the latest analysis techniques. Even though it dates back to 2011, the loader has undergone several transformations that allow it to continue to be a potent malware delivery mechanism in 2017,” PhishLabs concludes.



Hardcoded password and Java deserialization flaws found in Cisco products
8.3.2018 securityaffairs
Vulnerability

The set of security updates recently released by Cisco also includes two advisories for critical vulnerabilities, a hardcoded password, and a Java deserialization flaw.
The latest set of security updates released by Cisco also includes two advisories for critical vulnerabilities.

The first issue is a hardcoded password, tracked as CVE-2018-0141, that affects Cisco’s Prime Collaboration Provisioning (PCP) and that can be exploited by local attackers to gain full control over vulnerable equipment.

Cisco’s Prime Collaboration Provisioning application allows admins to remotely install and maintain Cisco voice and video solutions.

A local attacker just has to connect to the affected system via Secure Shell (SSH) using the hardcoded password, the

“A vulnerability in Cisco Prime Collaboration Provisioning (PCP) Software could allow an unauthenticated, local attacker to log in to the underlying Linux operating system.” reads the security advisory published by CISCO.

“The vulnerability is due to a hard-coded account password on the system. An attacker could exploit this vulnerability by connecting to the affected system via Secure Shell (SSH) using the hard-coded credentials.”

The hardcoded password grants a local attacker access to a low-privileged user account, but by chaining the vulnerability with other issues the attacker could elevate privileges to root.

The vulnerability has received a Common Vulnerability Scoring System (CVSS) Base score of 5.9, a score normally assigned to medium-severity flaws.

“Although this vulnerability has a Common Vulnerability Scoring System (CVSS) Base score of 5.9, which is normally assigned a Security Impact Rating (SIR) of Medium, there are extenuating circumstances that allow an attacker to elevate privileges to root. For these reasons, the SIR has been set to Critical.” continues Cisco.

Currently, there are no workarounds to address the vulnerability in PCP software, but Cisco has already released patches.

The second critical vulnerability, tracked as CVE-2018-0147, is a Java deserialization flaw that affects Cisco Access Control System (ACS) and can be exploited by an unauthenticated, remote attacker to execute arbitrary commands with root privileges on an affected device.

“A vulnerability in Java deserialization used by Cisco Secure Access Control System (ACS) could allow an unauthenticated, remote attacker to execute arbitrary commands on an affected device.” reads the security advisory.

“The vulnerability is due to insecure deserialization of user-supplied content by the affected software. An attacker could exploit this vulnerability by sending a crafted serialized Java object. An exploit could allow the attacker to execute arbitrary commands on the device with root privileges.”

Cisco has released software updates to fix the flaw.


Exploiting the User PII Held in Everyone's Web Browser
7.3.2018 securityweek 
Exploit

Browsers are the single most used application today. Everyone uses at least one browser, whether in the office or at home. But not everyone realizes just how much personal data is left hanging around inside their browsers; nor how easy it is for third-parties to extract it.

Ryan Benson, formerly a forensic analyst with both Mandiant and Stroz Friedberg and now senior threat researcher at San Mateo, CA-based Exabeam, decided to examine just how much data is available, and how readily it can be harvested.

Benson used a modified version of OpenWPM (a web privacy measurement framework) and Firefox to visit the Alexa Top 1000 websites, navigating to three links on each site to simulate normal user browsing. The purpose here was to look for evidence of device identification and geolocation — and Benson found evidence that 56 websites recorded geolocation details, and 56 websites recorded the user's IP address.

The second phase of the research involved interaction with websites. “In order to do this,” writes Benson in a blog account of the research, “we needed to create accounts on these sites, log in, perform a relevant action (e.g., send an email on a webmail server, view a document on a cloud storage platform, etc.), and see what traces could be found.”

The services chosen were typical of normal Internet usage — Google, Youtube, Facebook, Reddit, Amazon, Twitter, Live and so on — and did not seek to reflect any more exotic use of the Web. The results here become more interesting, because traces of the interactions were left within the browser. These include the browsing history (where and when different sites are visited), email addresses, search queries, and files viewed and downloaded.

This provides a rich source for both user identification and profiling, which could be leveraged for spear-phishing aimed at more secure and confidential company accounts.

The picture gets worse with the details held by the browser for automatic form completion, and the passwords held in the browser's internal password manager. Both of these services offer huge productivity gains for the user; but huge PII value for the attacker.

The password manager stores passwords in encrypted form; but they are automatically decrypted for use, and can be easily accessed by software — such as the free NirSoft tool that dumps saved passwords — and various malware families. “The recent ‘Olympic Destroyer’ malware used to disrupt the Pyeongchang Olympic Games,” writes Benson, “reportedly took advantage of user credentials saved in the browser.”

The available data, unless direct action is taken to exclude it from the browser, can include passwords (including email passwords), location history, user interests, employer and company position, and device details.

All of this data is easily available to any attacker that has access — physical or virtual — to any desktop, laptop or mobile device that uses a browser. Anti-malware controls cannot prevent all malware, while malware detection systems often look for signs of large scale data exfiltration. It is easy to picture stealthy malware getting through defenses and lying almost totally dormant, just extracting small amounts of data from the user's browser.

A physical attack, using the evil maid scenario, is even simpler. “If a machine is unlocked,” warns Benson, “extracting browser data for analysis could be done in seconds with the insertion of a USB drive running specialized software or click of a web link to insert malware.”

Benson describes the data held by the browser as the user's 'web dossier,’ and describes ways in which it could be exploited; often by inferring extensions to the data discovered. “Criminals can learn who in a company has access to the financial or payroll application,” he warns, “and compile a list of usernames to use to break in.” Details surmised from the browsing history can help craft compelling phishing emails targeted at senior personnel, or designed to persuade users to reset company account passwords which can then be harvested.

The best way to prevent web dossier details from being harvested by attackers is to exclude them from the browser. Methods could include increased use of the browser's incognito mode, which prevents session details from being saved and potentially exploited. The internal password manager should be abandoned in favour of a separate third-party password manager.

In reality, even locking down the browser and using incognito browsing, will not prevent all access to personal data — much of it will still be available to ISPs. In some countries, such as the UK, this data can be accessed by a range of law enforcement and government offices. In other countries, including the U.S., third parties can buy this data from the ISPs.

The solution here depends upon both personal and company risk appetites. “If this is a concern,” Benson told SecurityWeek, “the solution is to use a VPN. Not only will the ISP not know where you are going, the website visited won't even know what country you come from.”

Exabeam raised $10 million in a Series A funding round led by Norwest Venture Partners, with participation from Aspect Ventures and angel investor Shlomo Kramer, in June 2014. This was followed by a further $25 million Series B in 2015, and $30 million Series C in 2017.


Memcached DDoS Attack 'Kill Switch' Found
7.3.2018 securityweek 
Attack

Corero Network Security says it has discovered a “kill switch” to counteract the Memcached vulnerability that recently fueled some of the largest distributed denial-of-service (DDoS) attacks in history.

The company says it has disclosed the kill switch to national security agencies and also claims that the issue is more extensive than originally believed: an attacker exploiting it can also steal or modify data from vulnerable Memcached servers.

Memcached is a free and open source memory caching system that can work with a large number of open connections. Memcached servers allow connections via TCP or UDP on port 11211, with access requiring no authentication, which is why the system wasn’t designed to be accessible from the Internet.

In late February, however, web protection companies warned that the protocol can be abused for DDoS amplification, after the first attacks using it started to emerge. Within days, record-setting 1.3Tbps and 1.7Tbps DDoS attacks were observed.

“The exploit works by allowing attackers to generate spoof requests and amplify DDoS attacks by up to 50,000 times to create an unprecedented flood of attack traffic,” Corero explains.

With over 95,000 servers worldwide allowing connections on TCP or UDP port 11211 from the Internet, the potential for abuse by attackers is significant.

In fact, Corero claims that vulnerable Memcached servers can also be coaxed into divulging data cached from the local network or host, including confidential database records, website customer information, emails, API data, Hadoop information and more.

With no authentication required, an attacker can issue a simple debug command to retrieve the data. What’s more, the weakness can also be exploited to maliciously “modify the data and reinsert it into the cache,” the security company says.

The ‘kill switch’ that Corero has discovered would send a command back to an attacking server to suppress the DDoS exploitation. The countermeasure, the company explains, invalidates a vulnerable server’s cache, meaning that any potentially malicious payload that attackers might have planted will become useless.

The security firm claims it has tested the countermeasure quench packet on live attacking servers and that it proved fully effective, without causing collateral damage.

“Ironically, the Memcached utility was intended to cache frequently-used web pages and data to boost legitimate performance. But this utility has now been weaponized to exploit its performance boosting potential for illegitimate purposes,” Ashley Stephenson, CEO at Corero Network Security, commented.

The root cause of the problem, of course, is the poor security practices when setting up Memcached servers. Exposing them to the Internet is like leaving the front door open and expecting burglars not to barge in.

In a blog post last week, DigitalOcean pointed out that one option to mitigate attacks is “to bind Memcached to a local interface, disable UDP, and protect your server with conventional network security best practices.”

According to Victor Gevers, chairman of the GDI Foundation, upgrading or firewalling vulnerable Memcached servers on port 11211 should also prevent attacks.

Poorly secured Memcached servers don’t represent a new problem and many security experts, Gevers included, have long issued warnings in this regard. And while the problem might have been ignored until now, it becomes imperative to address it, as proof-of-concept (PoC) code for Memcached-based DDoS attacks has already been published online.

One of them, supposedly released for “educational and/or testing purposes only,” ended up on Pastebin, along with a list of around 17,000 hosts that can be abused for amplification. Another is a Python script that can leverage Shodan to scan for IPs of vulnerable Memcached servers.


Corero Network discovered a Kill Switch for Memcached DDoS attacks
7.3.2018 securityaffairs
Attack

Corero Network Security has discovered a “kill switch” for memcached DDoS attacks and also revealed that the memcached exploit can be used to steal or corrupt data.
Memcached DDoS attacks made the headlines due to the magnitude observed in recent offensives. While two PoC exploits for Memcached DDoS attacks have been released online, experts at security firm Corero Network announced they have discovered a ‘kill switch’ to address the Memcached vulnerability.

The firm revealed that exploitation of the issue in Memcached servers could also allow attackers to modify or steal the data cached on them, including confidential database records, website customer information, emails, API data, Hadoop information and more.

The most interesting discovery made by the researchers is the kill switch, which the company has reported to national security agencies.

We first read about memcached DDoS attacks when on February 28, 2018, the code hosting website GitHub was hit by the largest-ever DDoS attack that peaked at 1.3Tbps.

Memcached is a free and open source, high-performance, distributed memory caching system designed to speed up dynamic web applications by alleviating database load.

Clients communicate with memcached servers via TCP or UDP on port 11211.

The abuse of memcached servers in DDoS attacks is quite simple: the attacker sends a request to the targeted server on port 11211, spoofing the IP address of the victim. In a memcached DDoS attack, the request sent to the server is only a few bytes long, while the response can be tens of thousands of times bigger, resulting in an amplification attack.

Experts at Cloudflare dubbed this type of attack Memcrashed; according to the researchers, the technique could allow attackers to obtain an amplification factor of 51,200.

Arbor Networks reported that earlier this month a US service provider suffered a 1.7 Tbps memcached DDoS attack.

“Corero Network Security has today disclosed the existence of a practical “kill switch” countermeasure for the Memcached vulnerability, responsible for some of the largest DDoS attacks ever recorded, to national security agencies.” reads the announcement published by Corero Network Security.

“At the same time, the company has revealed that the vulnerability is more extensive than originally reported – and can also be used by attackers to steal or modify data from the vulnerable Memcached servers.”

According to the experts, there are currently over 95,000 servers worldwide allowing connections on TCP or UDP port 11211 from the internet, an army of machines that could be involved in memcached DDoS attacks.

“Ironically, the Memcached utility was intended to cache frequently-used web pages and data to boost legitimate performance. But this utility has now been weaponized to exploit its performance boosting potential for illegitimate purposes.” said Ashley Stephenson.

Corero researchers pointed out that the Memcached protocol was designed to be used without logins or passwords, so an attacker can also trigger the vulnerability to “modify the data and reinsert it into the cache.”

The “flush_all” countermeasure invalidates a vulnerable server’s cache, including the large, potentially malicious payload planted there by attackers; according to Corero, it is effective in any attack scenario.

The ‘kill switch’ discovered by Corero sends a command back to an attacking server to halt the DDoS attack; no side effects have been observed.

“This week, Corero discovered an effective ‘kill switch’ to the Memcached vulnerability that sends a command back to an attacking server to suppress the current DDoS exploitation.” continues Corero.

“The “flush_all” countermeasure has been disclosed to national security agencies for action. It invalidates a vulnerable servers’ cache, including the large, potentially malicious payload planted there by attackers. The countermeasure quench packet has been tested on live attacking servers and appears to be 100% effective. It has not been observed to cause any collateral damage.”

Cloudflare recommends disabling UDP support unless it’s needed and isolating memcached servers from the Internet. Internet service providers have to fix vulnerable protocols and prevent IP spoofing.

The popular expert Victor Gevers, chairman of the GDI Foundation, highlighted that firewalling flawed Memcached servers on port 11211 should repel the attacks.


Victor Gevers
@0xDUDE
Although there were 107,431 Memcached servers in Shodan this morning. The population Memcached is slowly but steadily shrinking. Servers which were vulnerable this morning are now closed 8 hours later. We still have a long way to go but progress is being made. 👍

11:39 PM - Mar 7, 2018 · The Hague, The Netherlands


Two PoC exploits for Memcached DDoS attacks have been released online
7.3.2018 securityaffairs
Attack  Exploit

Memcached DDoS attacks – A few days after the disclosure of the world’s largest DDoS attack record, which peaked at 1.7Tbps, two PoC exploit codes for Memcached amplification attacks have been released online.
The technique behind Memcached DDoS attacks is one of the hottest topics in cybersecurity at this moment.

The world’s largest DDoS attack record lasted just a few days: Arbor Networks reported that earlier this month a US service provider suffered a 1.7 Tbps memcached DDoS attack.

Now two distinct proof-of-concept (PoC) exploit codes for Memcached amplification attacks have been released online, which means that anyone can use them to launch memcached DDoS attacks.

One of the PoC exploits is written in Python and relies on the Shodan search engine API to obtain an updated list of vulnerable Memcached servers, which are then used in memcached DDoS attacks.

The second exploit is written in C and uses a pre-compiled list of vulnerable Memcached servers. The author also published the file memecache-amp-03-05-2018-rd.list, a list of vulnerable memcached servers as of 03-05-2018.

Bonus—its description already includes a list of nearly 17,000 potential vulnerable Memcached servers left exposed on the Internet.

DΛNIΞL 🤖
@hypoweb
List of memcached servers as of 03-06-2018 https://pastebin.com/raw/eSCHTTVu

DΛNIΞL 🤖
@hypoweb
Another memcached-poc https://pastebin.com/raw/ZiUeinae

11:06 AM - Mar 7, 2018

We first read about memcached DDoS attacks when on February 28, 2018, the code hosting website GitHub was hit by the largest-ever DDoS attack that peaked at 1.3Tbps.

Memcached is a free and open source, high-performance, distributed memory caching system designed to speed up dynamic web applications by alleviating database load.

Clients communicate with memcached servers via TCP or UDP on port 11211.

The abuse of memcached servers in DDoS attacks is quite simple: the attacker sends a request to the targeted server on port 11211, spoofing the IP address of the victim. In a memcached DDoS attack, the request sent to the server is only a few bytes long, while the response can be tens of thousands of times bigger, resulting in an amplification attack.

Experts at Cloudflare dubbed this type of attack Memcrashed; according to the researchers, the technique could allow attackers to obtain an amplification factor of 51,200.

We have no doubt that the situation will get worse due to the online availability of the PoC exploit codes.
Cloudflare recommends disabling UDP support unless it’s needed and isolating memcached servers from the Internet. Internet service providers have to fix vulnerable protocols and prevent IP spoofing.

“Internet Service Providers – In order to defeat such attacks in future, we need to fix vulnerable protocols and also IP spoofing. As long as IP spoofing is permissible on the internet, we’ll be in trouble.” concluded Cloudflare.

“Developers – Please please please: Stop using UDP. If you must, please don’t enable it by default. If you do not know what an amplification attack is I hereby forbid you from ever typing SOCK_DGRAM into your editor.”

The fear of this new kind of attack represents a good opportunity for cyber criminals: crooks have already started to blackmail companies, demanding a ransom in Monero cryptocurrency to avoid being attacked via Memcached servers.


Memcached DDoS Exploit Code and List of 17,000 Vulnerable Servers Released
7.3.2018 thehackernews
Attack  Vulnerebility

Someone has just released proof-of-concept (PoC) exploit code for the amplification attack, along with a pre-compiled list of nearly 17,000 potentially vulnerable Memcached servers on the Internet, which could allow even script-kiddies to easily launch massive DDoS attacks using UDP reflection.
Last week we saw two record-breaking DDoS attacks—1.35 Tbps hit Github and 1.7 Tbps attack against an unnamed US-based company—which were carried out using a technique called amplification/reflection attack.
For those unaware, Memcached-based amplification/reflection attack amplifies bandwidth of the DDoS attacks by a factor of 51,000 by exploiting thousands of misconfigured Memcached servers left exposed on the Internet.
Memcached is a popular open source distributed memory caching system, which came into news earlier last week when researchers detailed how hackers could abuse it to launch amplification/reflection DDoS attack by sending a forged request to the targeted Memcached server on port 11211 using a spoofed IP address that matches the victim's IP.
A few bytes of the request sent to the vulnerable Memcached server can trigger tens of thousands of times bigger response against the targeted IP address, resulting in a powerful DDoS attack.
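The amplification mechanism described here (and in the two securityaffairs pieces above) leaves a distinctive footprint in flow telemetry: a datagram of a few bytes addressed to UDP port 11211 with the victim's address as source, answered from port 11211 by a reply orders of magnitude larger. The following Python is an added example, not code from any vendor quoted on this page; it parses a constructed NetFlow-like text export (the format, field order and sample addresses are all assumptions) and reports, per victim, which reflectors were involved and the largest reply/request ratio observed.

```python
"""Flag memcached UDP amplification in flow records (constructed sample data).

Added example, not from any vendor quoted on this page. The flow format is a
constructed NetFlow-like text export:
    proto src_ip:src_port -> dst_ip:dst_port packets bytes
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple

MEMCACHED_PORT = 11211
# A UDP memcached request is tiny (8-byte frame header plus e.g. "stats\r\n"),
# while the reply can be tens of thousands of times larger. Any reply from
# port 11211 above this reply/request ratio is treated as amplification.
AMPLIFICATION_THRESHOLD = 100.0


class Flow(NamedTuple):
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    nbytes: int


def parse_flow(line: str) -> Flow:
    """Parse one record of the constructed export format."""
    proto, src, _arrow, dst, packets, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(proto.upper(), src_ip, int(src_port), dst_ip, int(dst_port),
                int(packets), int(nbytes))


def analyze(lines: List[str]) -> Dict[str, dict]:
    """Return, per victim IP, the reflectors seen, the reflected byte count and
    the largest reply/request ratio observed."""
    flows = [parse_flow(l) for l in lines
             if l.strip() and not l.lstrip().startswith("#")]

    # Bytes of requests sent to UDP/11211, keyed by (reflector, claimed source).
    # In a reflection attack the claimed source is the spoofed victim address.
    request_bytes: Dict[tuple, int] = defaultdict(int)
    for f in flows:
        if f.proto == "UDP" and f.dst_port == MEMCACHED_PORT:
            request_bytes[(f.dst_ip, f.src_ip)] += f.nbytes

    report: Dict[str, dict] = {}
    for f in flows:
        if f.proto != "UDP" or f.src_port != MEMCACHED_PORT:
            continue  # only replies leaving a memcached UDP port matter here
        req = request_bytes.get((f.src_ip, f.dst_ip))
        if not req:
            continue  # no matching request seen; nothing to compare against
        factor = f.nbytes / req
        if factor < AMPLIFICATION_THRESHOLD:
            continue
        entry = report.setdefault(f.dst_ip,
                                  {"reflectors": [], "bytes": 0, "max_factor": 0.0})
        if f.src_ip not in entry["reflectors"]:
            entry["reflectors"].append(f.src_ip)
        entry["bytes"] += f.nbytes
        entry["max_factor"] = max(entry["max_factor"], factor)
    for entry in report.values():
        entry["reflectors"].sort()
    return report


# Constructed sample: two exposed memcached servers reflect large replies at
# 203.0.113.10, alongside benign LAN memcached-over-TCP and DNS traffic.
SAMPLE_FLOWS = """
# proto src_ip:src_port -> dst_ip:dst_port packets bytes
UDP 203.0.113.10:55555 -> 198.51.100.5:11211 1 15
UDP 198.51.100.5:11211 -> 203.0.113.10:55555 520 750000
UDP 203.0.113.10:55555 -> 198.51.100.6:11211 1 15
UDP 198.51.100.6:11211 -> 203.0.113.10:55555 420 600000
TCP 10.0.0.7:44321 -> 10.0.0.8:11211 10 1200
TCP 10.0.0.8:11211 -> 10.0.0.7:44321 10 1300
UDP 10.0.0.7:5353 -> 10.0.0.1:53 1 80
UDP 10.0.0.1:53 -> 10.0.0.7:5353 1 200
""".strip().splitlines()

if __name__ == "__main__":
    for victim, info in analyze(SAMPLE_FLOWS).items():
        print(f"{victim}: {len(info['reflectors'])} reflector(s), "
              f"{info['bytes']} bytes, max amplification x{info['max_factor']:.0f}")
```

Run as a script it prints one line per victim. The 15-byte request in the sample is the 8-byte memcached UDP frame header plus the text command `stats\r\n`, which is why two tiny datagrams account for over a megabyte of reflected traffic. The same logic serves the owner of a memcached host: any sizeable UDP flow leaving your port 11211 toward an address that never legitimately talks to the cache is a sign the server is being used as a reflector.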

For a detailed explanation on how Memcached amplification attack works, you can head on to our previous article.
Since last week, when Memcached was revealed as a new amplification/reflection attack vector, some hacking groups have started exploiting unsecured Memcached servers.

But now the situation will get worse with the release of PoC exploit code, allowing anyone to launch massive DDoS attacks, and will not come under control until the last vulnerable Memcached server is patched, or firewalled on port 11211, or completely taken offline.
Moreover, cybercriminals groups have already started weaponizing this new DDoS technique to threaten big websites for extorting money.
Following last week's DDoS attack on GitHub, Akamai reported its customers received extortion messages delivered alongside the typically "junk-filled" attack payloads, asking them for 50 XMR (Monero coins), valued at over $15,000.
Reflection/amplification attacks are not new. Attackers have previously used this DDoS attack technique to exploit flaws in DNS, NTP, SNMP, SSDP, Chargen and other protocols in order to maximize the scale of their cyber attacks.
To mitigate the attack and prevent Memcached servers from being abused as reflectors, the best option is to bind Memcached to a local interface only or entirely disable UDP support if not in use.
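Both mitigations (bind memcached to a local interface, disable UDP) are plain startup options, so they can be checked mechanically before a server ever reaches the Internet. The audit below is an added example, not code from the memcached project, Cloudflare or DigitalOcean. It assumes the Debian-style /etc/memcached.conf layout with one option per line, looks only at `-l`/`--listen` and `-U`/`--udp-port`, and treats a missing `-U` as UDP enabled, which was the default on the releases being abused. The weak and hardened configurations embedded in it are constructed.

```python
"""Audit a Debian-style memcached.conf for the two exposures behind the
Memcrashed attacks: listening on every interface and UDP left enabled.

Added example, not from DigitalOcean, Cloudflare or the memcached project.
Assumes the one-option-per-line memcached.conf layout ('-l <addr>',
'-U <udp port>', '#' comments) and nothing else."""
import ipaddress
from typing import Iterator, List, Tuple

LOOPBACK_NAMES = {"localhost"}


def _options(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (flag, value) pairs; accepts '-l 127.0.0.1', '-l127.0.0.1' and '--listen=...'."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("-"):
            continue
        parts = line.split(None, 1)
        flag, value = parts[0], (parts[1].strip() if len(parts) > 1 else "")
        if len(flag) > 2 and not flag.startswith("--"):   # attached value, e.g. -U0
            flag, value = flag[:2], flag[2:]
        if flag.startswith("--") and "=" in flag:         # --udp-port=0
            flag, value = flag.split("=", 1)
        yield flag, value


def _is_local(addr: str) -> bool:
    """True for loopback or RFC1918/ULA addresses; wildcards 0.0.0.0 and :: are not local."""
    if addr in LOOPBACK_NAMES:
        return True
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # a hostname other than localhost: do not assume it is local
    if ip.is_unspecified:  # 0.0.0.0 / :: would otherwise pass is_private
        return False
    return ip.is_loopback or ip.is_private


def audit_memcached_conf(text: str) -> List[str]:
    """Return findings as 'code: detail' strings; an empty list means both checks pass."""
    listen = None
    udp_port = None
    for flag, value in _options(text):
        if flag in ("-l", "--listen"):
            listen = value
        elif flag in ("-U", "--udp-port"):
            udp_port = value
    findings = []
    if listen is None:
        findings.append("listen-all-interfaces: no -l option, memcached binds to every address")
    else:
        bad = [a.strip() for a in listen.split(",") if not _is_local(a.strip())]
        if bad:
            findings.append("listen-all-interfaces: non-local listen address(es) " + ", ".join(bad))
    # Releases current at the time enabled UDP on 11211 unless -U 0 was given.
    if udp_port is None or udp_port.strip() != "0":
        findings.append("udp-enabled: set '-U 0' unless UDP clients are genuinely required")
    return findings


# Constructed configurations: the exposed default and the hardened variant.
WEAK_CONF = """
# /etc/memcached.conf (constructed weak example)
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
-l 0.0.0.0
"""

HARDENED_CONF = """
# /etc/memcached.conf (constructed hardened example)
-d
logfile /var/log/memcached.log
-m 64
-p 11211
-u memcache
-l 127.0.0.1
-U 0
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_memcached_conf(conf) or "OK")
```

A private LAN address (for instance a `-l 10.0.0.8`) passes the listen check, since that is what "bind to a local interface" means; only wildcards, public addresses and unknown hostnames are reported. Firewalling port 11211 at the network edge, as Gevers recommends, remains a separate control that this file-level audit cannot see.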


Qualcomm Requests National Security Review of Broadcom Bid
7.3.2018 securityweek  IT

US chipmaker Qualcomm postponed its annual shareholders' meeting after secretly requesting a national security review of Broadcom's bid to take over the company, the Singapore-based Broadcom announced Monday.

Qualcomm shareholders were due to meet Tuesday, but Broadcom said it was informed Sunday night that Qualcomm filed a voluntary request on January 29 for US regulators to investigate the deal, and was ordered to postpone the meeting for 30 days.

"It should be clear to everyone that this is part of an unprecedented effort by Qualcomm to disenfranchise its own stockholders," Broadcom said in a statement.

Qualcomm fired back accusing Broadcom of trying to mislead shareholders and 'trivialize' US regulatory and national security issues.

"Broadcom's dismissive rhetoric notwithstanding, this is a very serious matter for both Qualcomm and Broadcom," the US chipmaker said.

The Committee on Foreign Investment in the United States (CFIUS) can review any acquisition by a foreign corporation of a US firm that may have an impact on national security, and can recommend the president block the deal. CFIUS has blocked some transactions, but frequently foreign companies withdraw once it appears a transaction will be prohibited.

CFIUS issued an order to Qualcomm for the shareholder meeting to be delayed for 30 days to allow time to fully investigate the proposed acquisition by Broadcom, according to the US Treasury Department.

Broadcom said it will fully cooperate with the review, but rejected any national security concerns since it is a US-controlled company, and is in the process of relocating its headquarters back to the United States.

- Board battle -

If finalized, the Broadcom-Qualcomm tie-up, estimated at $117 billion, would be the largest merger in a sector awash with consolidation amid the development of technologies for autonomous vehicles and 5G mobile services.

Qualcomm has repeatedly rejected multiple Broadcom offers that it says undervalue the company.

Shareholders at Qualcomm's annual meeting were to vote whether to replace six of the California company's 11 board members with candidates backed by Broadcom, essentially endorsing the merger deal.

Weeks of thrust and parry, along with tactical public statements, have left the companies' boards at odds over the unsolicited offer.

Qualcomm, which is the dominant maker of microprocessors for smartphones, says it has a bright future on its own, especially amid a transition to fifth-generation (5G) wireless communications networks.

The Qualcomm board has also expressed concern that any deal with Broadcom could be delayed or blocked by antitrust regulators around the world.

Broadcom has urged Qualcomm shareholders to elect all six of its nominees to the board, sending "a clear signal" supporting the takeover bid which would provide a handsome gain to shareholders of the US firm.

"This was a blatant, desperate act by Qualcomm to entrench its incumbent board of directors and prevent its own stockholders from voting for Broadcom's independent director nominees," Broadcom said of the delaying development.

- Coveted chip technology -

CFIUS last year opposed the takeover of US semiconductor manufacturer Lattice by a Chinese state group backed by a US investment fund, and President Donald Trump then blocked the deal.

In the semiconductor sector, the committee -- whose deliberations are secret -- in 2016 recommended that then-President Barack Obama oppose a deal between the German group Aixtron and Chinese fund Grand Chip because there was a US subsidiary of the German group.

Broadcom's initial offer already was tinged by politics, coming as it did the day after a White House meeting between Trump and Broadcom CEO Hock Tan, who promised to repatriate the company's headquarters.

Any tie-up of the two giants could reshape the fast-evolving sector of chips for smartphones and connected devices. But it would have to pass regulatory muster in several countries.

Analyst Patrick Moorhead of Moor Insights & Strategy questioned the wisdom of Broadcom buying Qualcomm.

The rival chip companies are very different in their approaches to the market, Moorhead said, comparing the tie-up to mixing "oil and water."

Qualcomm is known for mobile chip innovations that set industry standards, for example in new superfast 5G wireless connection technology, the analyst noted.

Meanwhile, Broadcom is adept at using intellectual property developed by others and making products at low cost, a type of company the analyst refers to as "implementers."

Qualcomm, one of Apple's main suppliers, is currently engaged in the acquisition of the Dutch group NXP and has indicated the operation will proceed regardless of the outcome of discussions with Broadcom.

Broadcom shares lost 1.5 percent by the close of trading in New York, while Qualcomm fell 1.1 percent.


NSA Used Simple Tools to Detect Other State Actors on Hacked Devices
7.3.2018 securityweek  BigBrothers

NSA uses simple tools to detect friendly parties and adversaries on hacked devices

An analysis of leaked tools believed to have been developed by the U.S. National Security Agency (NSA) provides a glimpse into the methods used by the organization to detect the presence of other state-sponsored actors on hacked devices, and it could help the cybersecurity community discover previously unknown threats.

Over the past few years, a mysterious hacker group calling itself Shadow Brokers has been leaking tools allegedly created and used by the Equation Group, a threat actor widely believed to be linked to the NSA. The Shadow Brokers have been trying to sell Equation Group tools and exploits, but without much success. They say their main goal has been to make money, but many doubt their claims.

One of the sets of files leaked by the hackers last year, named “Lost in Translation,” includes a series of modules dubbed “Territorial Dispute.” Researchers at the Laboratory of Cryptography and System Security (CrySyS Lab) of the Budapest University of Technology and Economics in Hungary, who have been involved in the analysis of Duqu and other advanced persistent threats (APTs), have conducted an investigation and they determined that the Territorial Dispute tools are designed to detect the presence of other state-sponsored groups.

According to CrySyS, the tools are relatively simple; they search the targeted device for specific files, Windows registry entries, and other indicators of compromise (IoCs) associated with known APTs.

Other Equation Group tools leaked by the Shadow Brokers are designed to allow operators to check for the presence of more common malware, but the Territorial Dispute modules are more interesting as they focus on state-sponsored attacks. Researchers believe the goal of these tools is likely to avoid any conflict with friendly parties and also minimize the chances of the NSA’s own malware getting detected.

There are several aspects that make the Territorial Dispute tools interesting. One of them is the fact that while typically there are tens or hundreds of IoCs associated with state-sponsored threat groups, these tools only look for 1-5 indicators.

Experts speculate that the reason behind this decision is to provide operators as little information as possible and prevent them from knowing too much about an attack. This theory is reinforced by the fact that each of the 45 signatures used by the detection engine has a very generic name, specifically SIG1 through SIG45.

Researchers say that while this seems like a strange decision, they believe the NSA may have conducted an analysis and determined that there is a significant risk of misappropriation. Limiting the number of IoCs included in the tools could represent a way to lower the risk.

Experts also noticed that if certain files are identified, the operator of the Territorial Dispute tools is informed that the malware is friendly or receives instructions to pull back. The list of instructions and observations includes “seek help immediately,” “dangerous malware - seek help ASAP,” “friendly tool - seek help ASAP” and “unknown - please pull back.”
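Taken together, the details CrySyS describes (one to five indicators per signature, generic SIG names, a terse instruction to the operator) amount to a very small detection engine. The following Python is an added example in that spirit, not code from the leaked toolset or from CrySyS: it checks a host snapshot (lists of file paths and registry keys supplied by the caller) against a signature table and returns the verdict for each hit. Every indicator value is a constructed placeholder, not a real IoC; only the verdict strings are taken from the article.

```python
"""A minimal 'is another actor already on this host?' check in the style of
the Territorial Dispute modules: a handful of file and registry indicators per
signature, generic signature names, and a short verdict for the operator.

Added example, not code from the leaked toolset or from CrySyS. All indicator
values below are constructed placeholders, not real IoCs."""
from typing import Dict, Iterable, List, Tuple

# signature -> (file indicators, registry-key indicators, verdict for the operator)
SIGNATURES: Dict[str, Tuple[List[str], List[str], str]] = {
    "SIG1": ([r"C:\Windows\System32\drivers\placeholder_a.sys"], [],
             "dangerous malware - seek help ASAP"),
    "SIG2": ([], [r"HKLM\SOFTWARE\PlaceholderVendor\Agent"],
             "friendly tool - seek help ASAP"),
    "SIG3": ([r"C:\ProgramData\placeholder_c\cache.dat", r"C:\Windows\Temp\~pc.tmp"],
             [r"HKLM\SYSTEM\CurrentControlSet\Services\pcsvc"],
             "unknown - please pull back"),
}


def _norm(path: str) -> str:
    """Windows paths and registry keys are case-insensitive; compare canonical forms."""
    return path.replace("/", "\\").rstrip("\\").lower()


def territorial_check(files: Iterable[str],
                      registry_keys: Iterable[str]) -> List[Tuple[str, str, List[str]]]:
    """Return (signature, verdict, matched indicators) for every signature with
    at least one hit. A single indicator suffices: the tools' purpose was to
    say 'someone is here', not to classify the intruder."""
    present_files = {_norm(p) for p in files}
    present_keys = {_norm(k) for k in registry_keys}
    hits = []
    for name, (file_iocs, reg_iocs, verdict) in SIGNATURES.items():
        matched = [f for f in file_iocs if _norm(f) in present_files]
        matched += [k for k in reg_iocs if _norm(k) in present_keys]
        if matched:
            hits.append((name, verdict, matched))
    return hits


# Constructed host snapshot: one file hit for SIG1 (different letter case),
# one registry hit for SIG3 (trailing separator), nothing for SIG2.
SAMPLE_FILES = [
    r"C:\Windows\System32\drivers\PLACEHOLDER_A.SYS",
    r"C:\Windows\System32\ntoskrnl.exe",
    r"C:\Users\alice\Documents\notes.txt",
]
SAMPLE_REGISTRY = [
    "HKLM\\SYSTEM\\CurrentControlSet\\Services\\pcsvc\\",
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
]

if __name__ == "__main__":
    for sig, verdict, matched in territorial_check(SAMPLE_FILES, SAMPLE_REGISTRY):
        print(f"{sig}: {verdict} ({len(matched)} indicator(s) matched)")
```

In a real deployment the two lists would come from a filesystem walk and a registry export rather than from the embedded sample; the matching logic is the part that mirrors the leaked modules, where deliberately few indicators and opaque SIG names keep the operator from learning more about the other actor than the mission requires.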

CrySyS has attempted to link the IoCs to known threat groups using public information available via Google and by comparing them to data from its own malware repository, which contains roughly 150 Tb of malicious binaries. This led to the discovery of thousands of malware samples.

The IoCs appear to target known APTs whose activities have been analyzed by the cybersecurity industry over the past decade, including APT28 (aka Sofacy and Fancy Bear), Turla (aka Snake and Uroburos), Animal Farm, Duqu, Stuxnet, Flame, TeamSpy, Elderwood Group (Operation Aurora), Iron Tiger, and Dark Hotel, which have been linked to Russia, France, the United States, Israel, South Korea, and China.

While many of the IoCs are associated with known groups, there are also some indicators that researchers have not been able to link to any threat actor. This suggests that the NSA may be aware of attacks and attackers that are not known to the public.

Boldizsár Bencsáth, one of the experts involved in this research, told SecurityWeek that the threat corresponding to the SIG32 signature could be a previously unknown APT. Searching Google for one of the SIG32 indicators of compromise points to a Trend Micro threat encyclopedia entry for a piece of malware first detected in 2010. However, there is no indication that this malware has been known to be used by state-sponsored hackers.

“We think that careful analysis of the leaked material and cross-checking with public information and malware databases can reveal interesting, previously unknown information about the APT scene,” Bencsáth said. “Also, we can possibly get a better understanding about the knowledge of governmental organizations on these attacks.”

CrySyS does not exclude the possibility that – since these tools have been publicly available for nearly a year – others used these indicators of compromise to uncover previously unknown APTs. Furthermore, while the IoCs are limited, they can turn out to be useful for obtaining more information on a threat group and making connections between attackers, their operations and their tools.

Bencsáth will detail this research on Friday at Kaspersky Lab’s Security Analyst Summit (SAS) in Cancun, Mexico.


McAfee Launches Security Platform for Azure Cloud
7.3.2018 securityweek  Security

Migrating to the cloud is complex. One of the biggest concerns is a loss of visibility of data in the cloud, and this concern only grows with increasing regulatory requirements. GDPR, which comes into force in less than 3 months' time, is a case in point.

Cloud access security brokers (CASBs) can improve visibility and control, but aren't necessarily tailored to a specific cloud. Today, McAfee announced the first product resulting from its purchase of Skyhigh Networks, finalized in January 2018: the McAfee Skyhigh Security Cloud for Azure.

"Moving applications, data and workloads to the cloud exposes enterprises to new threats and risks," explains Rajiv Gupta, SVP of McAfee's cloud security business unit. "At the same time, the adoption of cloud allows organizations to transform their business. This is why we are on a mission to make cloud the most secure environment for business. The introduction of McAfee Cloud Security Platform for Microsoft Azure is an important step to fulfilling this mission for our customers."

The new product offers five particular use cases for Azure users: configuration and compliance audit, activity monitoring, threat protection, DLP, and account management.

The configuration element detects misconfigurations in any Azure account. AWS S3 bucket misconfigurations have exposed millions of sensitive records in recent years, and in some cases left the accounts vulnerable to a MITM attack dubbed GhostWriter.

Detected misconfigurations can be corrected using McAfee best practices; CIS benchmark recommendations for Azure; and compliance recommendations for HIPAA-HITECH, ISO, FedRAMP, ITAR, other regulations, or internal compliance policies. "The solution can help with an organization's attempts to meet the GDPR regulations -- that are coming into force in less than 50 working days," said Nigel Hawthorn, EMEA marketing director at McAfee.

The activity monitoring element provides the visibility that can otherwise be lost in the cloud. It monitors both managed and unmanaged subscriptions, and captures a full audit trail of all activity. "We now have the visibility and control we need to be able to allow access to the cloud-based tools our employees need to be competitive and efficient, without compromising our security standards," comments Rick Hopfer, CIO at Molina Healthcare.

Threat protection is provided by AI-based user behavior analytics and signature-less, advanced malware analysis. Anomalous user behavior can highlight insider threats and unwarranted privilege escalation; while McAfee anti-malware will detect malware traveling into the cloud, and identify behavior indicative of malware data exfiltration or ransomware activity.

Data loss prevention (DLP) will help prevent unauthorized regulated data from being stored in Azure storage services -- which will be critical to maintaining GDPR compliance. McAfee's content analytics engine can be used to discover sensitive data stored in Azure services, using keywords and phrases, alpha-numeric patterns, file metadata, and more. It "allows us to extend DLP outside the perimeter and into the cloud and the user experience is seamless," says Mike Benson, CIO at DirecTV.

Account management is provided by McAfee's central policy engine, which aids the development of policies that can be enforced on new and pre-existing content, user activity, and malware threats. Options include the use of pre-built templates, the ability to import policies from other McAfee customers or partners, and a policy creation wizard to create custom policies to conform with corporate or regulatory requirements.

Security in the cloud is a shared responsibility between the cloud provider and the customer. It is a common failure to recognize this that leads to the misconfigurations so commonly found in AWS S3 buckets. In reality, both AWS and Azure have multiple flexible options for file and folder access -- and data protection problems are often based on this flexibility. The new McAfee/Skyhigh Azure solution is designed to remove confusion and apply customer visibility and control into the Azure cloud.


Chrome 65 Patches 45 Vulnerabilities
7.3.2018 securityweek Vulnerability

Released in the stable channel this week, Chrome 65 brings 45 security fixes, including 27 patches for vulnerabilities discovered by external researchers.

The browser also includes an updated JavaScript engine, namely V8 version 6.5. Announced in early February and initially made available in Chrome 65 Beta, the new V8 engine includes an untrusted code mode meant to mitigate the latest speculative side-channel attack called Spectre.

The 27 vulnerabilities reported by researchers include 9 security flaws assessed with a High severity rating, 15 bugs considered Medium risk, and 3 issues with a Low severity rating.

Google rewarded the researchers over $34,000 in bug bounties, but hasn’t provided details on all payouts in the published advisory.

The most important of the addressed bugs are two High risk use-after-free vulnerabilities in Flash (CVE-2018-6058 and CVE-2018-6059). Both were reported by JieZeng of Tencent Zhanlu Lab in August 2017 and were awarded a $5,000 bounty each.

Google also addressed a Use after free in Blink (CVE-2018-6060) and a Race condition in V8 (CVE-2018-6061), two High severity flaws awarded $3,000 each, as well as a Heap buffer overflow in Skia (CVE-2018-6062), awarded $1,000.

Other High risk issues resolved in Chrome 65 include two bugs involving incorrect permissions on shared memory, one Type confusion in V8, and one Integer overflow in V8.

The most important of the Medium risk issues was CVE-2018-6066, a Same Origin Bypass via canvas that was awarded a $4,000 bounty.

Other Medium severity issues addressed in this release include Buffer overflow in Skia, Object lifecycle issues in Chrome Custom Tab, Stack buffer overflow in Skia, CSP bypass through extensions, Heap buffer overflow in Skia, Integer overflow in PDFium, Heap buffer overflow in WebGL, and Mark-of-the-Web bypass.

Google also addressed an overly permissive cross origin download, incorrect handling of URL fragment identifiers in Blink, a timing attack using SVG filters, URL Spoof in OmniBox, Information disclosure via texture data in WebGL, and Information disclosure in IPC call.

The three Low risk bugs resolved in the browser include XSS in interstitials, circumvention of port blocking, and incorrect processing of AppManifests.

The new application release is available for download as version Chrome 65.0.3325.146 for Windows, Mac and Linux computers. Chrome for Android has been updated as well, now available as version 65.0.3325.109.


Gozi Banking Trojan Uses "Dark Cloud" Botnet for Distribution
7.3.2018 securityweek BotNet Virus

The well-known Gozi ISFB banking Trojan recently started using the elusive "Dark Cloud" botnet for distribution, Talos warns.

Gozi has been around for several years and had its source code leaked online twice over that period, which led to the development of a new Trojan, GozNym, in 2016. The malware has remained active and has even adopted new techniques in recent campaigns, such as the use of the Dark Cloud infrastructure.

The campaigns Talos has observed over the past few months are relatively low-volume, target specific organizations, and reveal significant effort in the creation of convincing emails. Not only are the distribution and command and control (C&C) infrastructure active for short periods of time only, but the actors behind them also move to new domains and IP addresses quickly, even between individual emails sent as part of the same campaign.

The spam emails carry Microsoft Word documents as attachments. When opened, the files display a decoy image claiming that the document was created using Office 365 and that the user should "Enable Editing" and then "Enable Content" to view it. If the victim follows through, embedded macros are executed to download and run the malware.

The VBA macro is usually executed when the document is closed, in an attempt to bypass sandbox detection. The macro downloads an HTA file from a remote server, which is executed without alerting the user. The infection process continues with the execution of an obfuscated JavaScript script to run a PowerShell script to download and execute the final payload on the victim's machine.

The vast majority of the malicious documents used in campaigns in the fourth quarter of 2017 are individualized. Although they appear similar, differences exist in the embedded macro code and even in the color of the decoy image.

Talos also discovered that the campaigns have been ongoing for a couple of years, and that the image in the documents has been changed from time to time, the same as the VBA code in the malicious macros. The researchers even observed localized documents in some cases, suggesting that “the separate attacks are highly customized and targeted.”

The final payload is usually a banking Trojan based on the Gozi ISFB code base, but other malware families (CryptoShuffler, Sennoma and SpyEye) were also observed.

The malware loader used in these attacks employs anti-virtualization checks and carries two versions of the same DLL, each targeting a different architecture. Depending on the victim machine, the loader injects either the 32-bit or the 64-bit DLL into the explorer.exe process.

The distribution infrastructure used in these campaigns overlaps with that of Dark Cloud, a botnet initially analyzed in 2016. The botnet, Talos notes, is used in the distribution and administration of various malware families, including Gozi ISFB and Nymaim.

In July 2016, a SentinelOne report on the Furtim-related SFG malware also revealed a connection between the Qbot (Qakbot or Quakbot) malware and Dark Cloud.

The botnet uses fast flux techniques to make the tracking of its backend infrastructure more difficult. “By frequently changing the DNS records associated with the malicious domains, attackers can make use of an extensive network of proxies, continuously changing the address of the IP being used to handle communications to the web servers the attacker controls,” Talos explains.
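A detection-side illustration of the fast-flux behaviour Talos describes, added here as an example and not Talos code: it profiles constructed passive-DNS observations (hypothetical domain names, RFC 5737 documentation IPs) and flags domains whose answers rotate through many addresses and networks with short TTLs. The thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from statistics import mean


@dataclass(frozen=True)
class DnsAnswer:
    ts: int      # observation time, epoch seconds
    qname: str   # queried domain
    ip: str      # A record returned
    ttl: int     # TTL advertised with that record


# Constructed passive-DNS sample: hypothetical names, RFC 5737 documentation IPs.
SAMPLE = [
    # Fluxing domain: a different IP on every lookup, spread over three /24s, short TTLs.
    DnsAnswer(0,    "update-chk.example", "203.0.113.10", 120),
    DnsAnswer(300,  "update-chk.example", "198.51.100.7", 60),
    DnsAnswer(600,  "update-chk.example", "192.0.2.33", 90),
    DnsAnswer(900,  "update-chk.example", "203.0.113.11", 120),
    DnsAnswer(1200, "update-chk.example", "198.51.100.99", 60),
    DnsAnswer(1500, "update-chk.example", "192.0.2.200", 180),
    DnsAnswer(1800, "update-chk.example", "203.0.113.250", 60),
    # Stable site: two addresses in one /24, hour-long TTL.
    DnsAnswer(0,     "static.example", "192.0.2.10", 3600),
    DnsAnswer(3600,  "static.example", "192.0.2.11", 3600),
    DnsAnswer(7200,  "static.example", "192.0.2.10", 3600),
    DnsAnswer(10800, "static.example", "192.0.2.11", 3600),
]


def profile(records):
    """Per-domain statistics: distinct IPs, distinct /24 networks,
    answer churn (fraction of consecutive lookups whose IP changed) and mean TTL."""
    by_domain = defaultdict(list)
    for r in records:
        by_domain[r.qname].append(r)
    stats = {}
    for qname, rs in by_domain.items():
        rs = sorted(rs, key=lambda r: r.ts)
        ips = [r.ip for r in rs]
        nets = {str(ip_network(f"{ip}/24", strict=False)) for ip in ips}
        changes = sum(1 for a, b in zip(ips, ips[1:]) if a != b)
        stats[qname] = {
            "distinct_ips": len(set(ips)),
            "distinct_nets": len(nets),
            "churn": changes / max(len(ips) - 1, 1),
            "mean_ttl": mean([r.ttl for r in rs]),
        }
    return stats


def is_fast_flux(s, min_ips=5, min_nets=3, max_ttl=300, min_churn=0.8):
    """Heuristic verdict (thresholds are assumptions). Short TTLs alone are not
    enough, since CDNs use them too, so address diversity across networks and
    churn are required as well."""
    return (s["distinct_ips"] >= min_ips
            and s["distinct_nets"] >= min_nets
            and s["mean_ttl"] <= max_ttl
            and s["churn"] >= min_churn)


def suspicious_domains(records):
    """Domains in the record set whose resolution pattern looks like fast flux."""
    return sorted(q for q, s in profile(records).items() if is_fast_flux(s))


if __name__ == "__main__":
    for qname, s in profile(SAMPLE).items():
        print(qname, s, "FLUX" if is_fast_flux(s) else "ok")
```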

By looking at the domains and IP addresses associated with the infrastructure, the researchers discovered that it was serving a variety of cybercriminal activities, including carding forums, malware delivery and control, and spam.

Talos also discovered that the attackers aren’t using proxies and hosts in Western Europe, Central Europe, and North America, but mainly those located in Eastern Europe, Asia, and the Middle East.

“Gozi ISFB is a banking Trojan that has been used extensively by attackers who are targeting organizations around the world. It has been around for the past several years, and ongoing campaigns indicate that it will not be going away any time soon. Attackers are continuing to modify their techniques and finding effective new ways to obfuscate their malicious server infrastructure in an attempt to make analysis and tracking more difficult,” Talos concludes.


For the second time in two weeks CDOT shut down computers after a ransomware infection
7.3.2018 securityaffairs Ransomware

For the second time in two weeks, the Colorado Department of Transportation (CDOT) has shut down 2,000 computers after a ransomware infection.
Once again, a variant of the dreaded SamSam ransomware paralyzed the CDOT.
The second incident occurred while the agency was still in the process of recovering its systems from the first attack.

Exactly two weeks ago, the SamSam ransomware made the headlines because it infected over 2,000 computers at the Colorado Department of Transportation (DOT).

The investigation on the first wave of infections revealed that the infected systems were running Windows OS and McAfee anti-virus software.

“Eight days into a ransomware attack, state information technology officials detected more malicious activity on the Colorado Department of Transportation computer systems Thursday.” reads the post published on the website 9news.com.

“A spokeswoman for the Governor’s Office of Information Technology says this is a variation of the same ransomware that hit computers last week, when criminals demanded a Bitcoin payment in exchange for freeing up the software.”

Approximately 20% of the machines infected by the first wave of attacks had been restored when a variation of the original SamSam ransomware hit the Colorado Department of Transportation for the second time. All the infected systems were taken down once again.

“The variant of SamSam ransomware just keeps changing. The tools we have in place didn’t work. It’s ahead of our tools.” Brandi Simmons, a spokeswoman for the state’s Office of Information Technology, told the Denver Post.

CDOT SamSam ransomware note

The attack forced CDOT employees to stop using computers and input data using pen and paper.

According to CDOT spokeswoman Amy Ford, the ransomware attack did not affect construction projects, signs, variable message boards or “critical traffic operations.”

The Colorado National Guard and the FBI are working to restore normal operations.

“Employees have been ordered to shut off their computers until the source of the problem has been found. The network has been disconnected from the internet for now, and many employees are working on a pen and paper system.” continues the website.

At the time of writing, it is still impossible to evaluate the impact of the attack.


Mining is the new black
7.3.2018 Kaspersky Cryptocurrency

Last year we published a story revealing the rise of miners across the globe. At the time we had discovered botnets earning millions of USD. We knew this was just the beginning of the story, which turned out to develop rapidly.

Together with the rest of the world, we have been watching the rise in cryptocurrency prices; the price of Bitcoin and altcoins, for example, continuously beat records throughout 2017.

Bitcoin and Altcoins prices growth in 2017

While some spend time talking about what’s good or bad for the market and the global economy, we’ve seen that such a spike in prices was definitely a call for threat actors, meaning there are good opportunities for cybercriminals to earn money.

As a result, many cybercriminal groups have switched to malicious miner distribution, and the number of users that have encountered cryptocurrency miners has increased dramatically. We have found that by the end of 2017, 2.7 million users had been attacked by malicious miners – almost 1.5 times more than in 2016 (1.87 million).

Number of Kaspersky Lab users attacked by malicious miners in 2017

Miners have become so active and widespread that even ransomware, which has frightened the world for the last couple of years, seems to be stepping aside for this threat.

Here are some reasons why:

Firstly, miners and ransomware both have a clear monetization model. In the case of ransomware, attackers infect PCs, encrypt files and earn money by receiving a ransom for users’ data. The miners’ model is similar in its simplicity: attackers infect victims, mine coins using CPU or GPU power, and earn real money through legal exchanges and transactions.

Miners’ monetization scheme

Secondly, unlike ransomware, it is very hard for users to tell whether they have been infected by miners or not. In general, users use their computers for Internet surfing, which does not load the CPU heavily. The remaining 70-80% of CPU power is used by the mining programs, and some of them have special functions to reduce mining intensity or cancel the process altogether if another resource-demanding program (for example, a video game) is executed.

Most importantly, it is now very easy to make your own miner. Those interested can get everything that they need:

Ready to use partner programs
Open mining pools
A lot of miner builders

We have found that the most popular mining pool used by threat actors is Nanopool.

Statistics for used legitimate pools

If actors use open pools, it’s possible to find out how much money threat actors could earn.

Example of wallet information

Also, according to our data, 80% of illegal miners are built from the open source code of legitimate miners, or are simply a legitimate miner that has been packed.

Ways of spreading
Usually, threat actors collaborate with potentially unwanted application (PUA) partner programs to spread miners. However, some small criminal groups try to spread malware by using different social engineering tricks, such as fake lotteries, etc. Potential victims need to download a generator of random numbers from a file-sharing service and run this on a PC to participate. It’s a simple trick, but a very productive one.

Another popular method is web-mining through a special script being executed in browser. For example, in 2017 our security solutions stopped the launch of web miners on more than 70 million occasions. The most popular script used by cybercriminals is Coinhive, and usual cases of its use in the wild are websites with a lot of traffic. The longer the user session on those sites, the more money the site’s owner earned from mining. Major incidents involving Coinhive are hacked web pages, such as the Pirate Bay case, YouTube ads or UFC fight pass mining. However, other examples of its legal use are also known.
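The browser-mining scripts described above live in page content, whether a site owner placed them there or they were injected into the traffic. The following scanner is an added example, not Kaspersky code: it extracts external and inline scripts from HTML with the standard-library parser and matches them against signatures for the Coinhive library named in the article (library file, constructor and flag names as Coinhive documented them; the sample pages and the site key are constructed).

```python
import re
from html.parser import HTMLParser

# Signatures for the Coinhive browser miner named in the article. Library file,
# constructor and flag names are those Coinhive published in its own API docs;
# anything you add beyond these is your own assumption from your intel feed.
SCRIPT_SRC_SIGNATURES = (
    re.compile(r"coinhive\.min\.js", re.I),
    re.compile(r"authedmine\.min\.js", re.I),
    re.compile(r"coin-?hive\.com", re.I),
)
INLINE_SIGNATURES = (
    re.compile(r"new\s+CoinHive\.(?:Anonymous|User|Token)\s*\(", re.I),
    re.compile(r"CoinHive\.(?:IF_EXCLUSIVE_TAB|FORCE_EXCLUSIVE_TAB)", re.I),
)


class ScriptCollector(HTMLParser):
    """Gathers external script URLs and inline script bodies from an HTML document."""

    def __init__(self):
        super().__init__()
        self.srcs = []
        self.inline = []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.srcs.append(src)
        else:
            self._in_inline = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands script bodies over as raw data (CDATA mode).
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_inline:
            self.inline.append("".join(self._buf))
            self._in_inline = False


def scan_html(html):
    """Return (location, evidence) findings; an empty list means no miner signature."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src in parser.srcs:
        if any(sig.search(src) for sig in SCRIPT_SRC_SIGNATURES):
            findings.append(("script-src", src))
    for body in parser.inline:
        for sig in INLINE_SIGNATURES:
            match = sig.search(body)
            if match:
                findings.append(("inline-script", match.group(0)))
                break  # one finding per inline script is enough
    return findings


# Constructed pages: the site key and paths are placeholders.
CLEAN_PAGE = """<html><head><script src="/static/app.js"></script></head>
<body><script>console.log("hello");</script></body></html>"""

MINED_PAGE = """<html><head><title>Downloads</title>
<script src="https://coinhive.com/lib/coinhive.min.js"></script></head>
<body><p>Free files</p>
<script>
  var miner = new CoinHive.Anonymous('CONSTRUCTED-SITE-KEY', {throttle: 0.3});
  miner.start(CoinHive.FORCE_EXCLUSIVE_TAB);
</script></body></html>"""

# Miner appended as a bare inline script, as an injecting middlebox or a
# compromised server would do (the library itself inlined or loaded elsewhere).
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<script>new CoinHive.Anonymous("CONSTRUCTED-SITE-KEY").start();</script></body>')


if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("mined", MINED_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page))
```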

There are other groups, which do not need to spread miners to many people. Instead, their targets are powerful servers in big companies. Thus, for instance, Wannamine was spreading in internal networks using an EternalBlue exploit, and earned nine thousand Monero this way (approx. two million dollars). However, the first miner that used the EternalBlue exploit was Adylkuzz. In our previous research we described another miner family – Winder – that has used an extra service to restore a miner when it was being deleted by an AV product. That botnet earned a half million dollars.

Sophisticated techniques
This year we are observing the next trend – threat actors behind miners have begun to use malware techniques from targeted attacks. Our latest discovery is the “hollow” miner that uses a process-hollowing technique.

In this case the infection vector is a PUA module. A victim may have just wanted to download a legitimate application, but instead they downloaded a PUA with a miner installer inside. This miner installer drops the legitimate Windows utility msiexec under a random name, which downloads and executes a malicious module from the remote server. In the next step it installs a malicious scheduled task which drops the miner’s body. This body executes a legitimate system process and uses a process-hollowing technique (the legitimate process code is replaced with malicious code). Also, a special flag, the system-critical flag, is set on this new process. If a victim tries to kill this process, the Windows system will reboot. So, it is a challenge for security solutions to deal with such malicious behavior and detect the threat properly.

Infection chain

Process hollowing example

Using such sophisticated techniques, botnets earned over seven million dollars during the second half of 2017.

Also this year, we found one threat group that has been targeting big organizations with the main purpose of utilizing their computing resources for mining. After getting into a corporate network they gain access to the domain controller, and as a result they use domain policies to launch malicious code. In this particular case, the actors executed a malicious PowerShell script on each endpoint and server inside the corporate network.

Malicious PowerShell script

This script has the following logic:

After launching, it checks whether the endpoint belongs to specific accounts, i.e. senior management or information security officers. If so, the script does not execute the miner.
The script also checks the current date and time, and executes the malicious miner only outside working hours.

So what’s next?
Should we expect a further evolution in this class of malware? For sure. Moreover, we will see a spread in malware that uses new blockchain technologies. One of the recent and very promising technologies is the blockchain-based proof-of-space (PoSpace) concept.

Unlike the proof-of-work (PoW) used by typical mining botnets, a PoSpace algorithm needs hard disk space. Therefore, a new type of miner based on this algorithm will be aiming first of all at big data servers.

On the one hand, monetization in this case is like that of usual malware miners with a PoW algorithm. On the other, this technology can provide cybercriminals with another source of profit. A blockchain built on the PoSpace algorithm is a very big decentralized anonymous data center that can be used to spread malware or illegal content. As a result, it can bring more damage. Data will be encrypted and no one will know where it is physically stored.

Mining scheme based on proof-of-space algorithm

To protect your network against such threats we advise you to:

Conduct a security audit on a regular basis
Use security solutions on endpoints and servers
Kaspersky Lab products detect such threats with the following verdicts:

PDM:Trojan.Win32.Generic
not-a-virus:RiskTool.Win32.BitCoinMiner
HEUR:Trojan.Win32.CoinMiner


RCE flaw in Exim MTA affects half of the email servers online
7.3.2018 securityaffairs Vulnerability

A critical RCE vulnerability in the Exim mail transfer agent (MTA), tracked as CVE-2018-6789, affects most of the email servers online.
A critical remote code execution vulnerability in the Exim mail transfer agent (MTA), tracked as CVE-2018-6789, affects most of the email servers online. It has been estimated that, as of March 2017, the total number of Internet email servers running Exim was over 560,000, corresponding to 56% of all mail (MX) servers online.

“We reported an overflow vulnerability in the base64 decode function of Exim on 5 February, 2018, identified as CVE-2018-6789. This bug exists since the first commit of exim, hence ALL versions are affected.” reads the blog post published by security firm Devcore.

“According to our research, it can be leveraged to gain Pre-auth Remote Code Execution and at least 400k servers are at risk. Patched version 4.90.1 is already released and we suggest to upgrade exim immediately.”

According to Shodan, the number of Exim Servers exposed online is more than 4 million, most of them in the US.


The flaw was discovered by security researcher Meh Chang, who reported it to the Exim maintainers on February 2.

On February 10, the Exim team released Exim version 4.90.1 that addresses the flaw.

The researchers developed an exploit targeting the SMTP daemon of Exim that leverages a one-byte buffer overflow in Exim’s base64 decode function by tricking the memory management mechanism.

“There is a buffer overflow in base64d(), if some pre-conditions are met. Using a handcrafted message, remote code execution seems to be possible. A patch exists already and is being tested.” reads the security advisory published by the Exim team.

Exim server owners should install the Exim 4.90.1 update as soon as possible.

Below is the vulnerability timeline (UTC):

2018-02-05 Report from Meh Chang <meh@devco.re> via exim-security mailing list
2018-02-06 Request CVE on https://cveform.mitre.org/ (heiko) CVE-2018-6789
2018-02-07 Announcement to the public via exim-users, exim-maintainers mailing lists and on oss-security mailing list
2018-02-08 16:50 Grant restricted access to the security repo for distro maintainers
2018-02-09 One distro breaks the embargo
2018-02-10 18:00 Grant public access to our official git repo.

In November the Exim team warned of other flaws through the public bug tracker.


Leaked NSA Dump Also Contains Tools Agency Used to Track Other Hackers
7.3.2018 thehackernews  BigBrothers

About a year ago, when the mysterious hacking group 'The Shadow Brokers' dumped a massive trove of sensitive data stolen from the US intelligence agency NSA, everyone started looking for secret hacking tools and zero-day exploits.
A group of Hungarian security researchers from CrySyS Lab and Ukatemi has now revealed that the NSA dump doesn't just contain zero-day exploits used to take control of targeted systems, but also includes a collection of scripts and scanning tools the agency uses to track the operations of hackers from other countries.
According to a report published today by the Intercept, NSA's specialized team known as Territorial Dispute (TeDi) developed scripts and scanning tools that help the agency detect other nation-state hackers on the targeted machines it infects.
NSA hackers used these tools to scan targeted systems for 'indicators of compromise' (IoCs) in order to protect the agency's own operations from getting exposed, as well as to find out what foreign threat actors are stealing and which hacking techniques they are using.
"When the NSA hacks machines in Iran, Russia, China and elsewhere, its operators want to know if foreign spies are in the same machines because these hackers can steal NSA tools or spy on NSA activity in the machines," the publication reports.
"If the other hackers are noisy and reckless, they can also cause the NSA's own operations to get exposed. So based on who else is on a machine, the NSA might decide to withdraw or proceed with extra caution."
NSA's Territorial Dispute team maintains a database of digital signatures, akin to fingerprints for files and code snippets from various hacking groups, to track APT operations for attribution.

According to the researchers, when the Shadow Brokers managed to hack the NSA networks and stole a collection of sensitive files in 2013, the agency was tracking at least 45 different state-sponsored APT groups.
It also appears that the NSA hackers were tracking some of the tools from Dark Hotel in 2011, about three years before the wider security community discovered the hacking group.
Dark Hotel is a sophisticated cyber espionage group believed to be from South Korea, well known for targeting hotel Wi-Fi networks to spy on senior-level executives at organisations in manufacturing, defense, investment capital, private equity, automotive and other industries.
The group of researchers plans to release its findings on the NSA scripts and scanning tools this week at the Kaspersky Security Summit in Cancun, which would help other researchers dig through the data and identify more of the APT groups the NSA is hunting.
"The team also hopes the information will help the community classify some malware samples and signatures that have previously been uncovered by the security community but remain unattributed to a specific threat group because researchers don’t know to which advanced hacking group they belong," the Intercept says.
CrySyS Lab (Laboratory of Cryptography and System Security) is best known for uncovering an Israeli spying tool called Duqu in 2011, which was believed to have been developed by the same Israeli hackers who worked with the U.S. to develop the infamous Stuxnet malware for sabotaging Iran's nuclear program.


600 Powerful Bitcoin-Mining Computers Worth $2 Million Stolen In Iceland
7.3.2018 thehackernews Cryptocurrency

Around 600 powerful devices specifically designed for mining bitcoin and other cryptocurrencies have been stolen from Icelandic data centers in what has been dubbed the "Big Bitcoin Heist."
To make a profit, so far criminals have hacked cryptocurrency exchanges, spread mining malware, and ransomware—and even kidnapped cryptocurrency investors for ransom and tried to rob a bitcoin exchange, but now the greed has reached another level.
The powerful computers are estimated to be worth around $2 million, the Associated Press reports, and are used to generate cryptocurrency that, at the time of writing, is worth $11,500 per coin.
The theft, which took place between late December and early January, is one of the biggest series of robberies Iceland has ever experienced, according to law enforcement.
"This is grand theft on a scale unseen before," said Police Commissioner Olafur Helgi Kjartansson of the southwestern Reykjanes peninsula.
There were four different burglaries (three in December and one in January) in total that took place at various locations, two of which went down on the southwestern Reykjanes peninsula.
The thefts, which also included burglary of 600 graphics cards, 100 processors, 100 power supplies, 100 motherboards and 100 sets of computer memory, were captured on CCTV cameras by Advania, the server company reportedly hit by two of the three thefts.
Although the stolen computers have not yet been found, police arrested 11 suspects as part of the investigation of the incident, one of whom worked as a security guard.
On Friday, the Reykjanes District Court expressed restraint, releasing nine people on bail and leaving only two people under arrest.
Iceland is home to the data centers of a number of the cryptocurrency mining companies because the mining process is extremely energy-intensive, and renewable energy is cheap there. Almost 100 percent of the power generated in the country comes from renewable sources.
The police are currently tracking high energy consumption areas across Iceland in hopes the thieves will turn the stolen servers on, which could potentially lead them back to the stolen servers' location.
The authorities are also contacting internet service providers (ISPs), electricians and storage units, asking them to report any sudden spike in power usage or other signs the stolen servers had been reconnected.
The police had held off telling the public about the incident for a while, so as not to compromise their investigation.


1.7 Tbps DDoS Attack — Memcached UDP Reflections Set New Record
7.3.2018 thehackernews Attack

The bar has been raised.
As more amplified attacks were expected following the record-breaking 1.35 Tbps GitHub DDoS attack, someone has set a new record after only four days: a 1.7 Tbps DDoS attack.
Network security and monitoring company Arbor Networks says that its ATLAS global traffic and DDoS threat data system has recorded a 1.7 Tbps reflection/amplification attack against the website of one of its unnamed US-based customers.


Similar to last week's DDoS attack on GitHub, the massive bandwidth of the latest attack was amplified by a factor of 51,000 using thousands of misconfigured Memcached servers exposed on the Internet.
Memcached, a popular open source distributed memory caching system, came into news earlier last week when researchers detailed how attackers could abuse it to launch amplification DDoS attack by sending a forged request to the targeted Memcached server on port 11211 using a spoofed IP address that matches the victim's IP.
A few bytes of the request sent to the vulnerable server can trigger tens of thousands of times bigger response against the targeted IP address, resulting in a powerful DDoS attack.

Meanwhile, researchers also noted that cybercriminals have started weaponizing the DDoS attacks through vulnerable memcached servers to extort money from victims.
Following last week's 1.3 Tbps DDoS attack against GitHub, Akamai said its customers have been receiving extortion messages delivered alongside the typically "junk-filled" attack payloads, asking them for 50 XMR (Monero coins), valued at over $15,000.
"While the internet community is coming together to shut down access to the many open memcached servers out there, the sheer number of servers running memcached openly will make this a lasting vulnerability that attackers will exploit," Arbor Networks said in a blog post.
Reflection/amplification attacks are not new. Attackers have previously used reflection/amplification DDoS attack techniques to exploit flaws in DNS, NTP, SNMP, SSDP, CLDAP, Chargen and other protocols in an attempt to maximize the scale of their cyber attacks.
However, the latest attack vector involves thousands of misconfigured Memcached servers, many of which are still exposed on the Internet and could be exploited to launch potentially even more massive attacks against other targets soon. So expect to see more such attacks in the coming days.
To prevent Memcached servers from being abused as reflectors, we urge users to put a firewall in front of them that allows access to memcached only from the local network.
Administrators should also consider blocking external traffic to the ports used by memcached (port 11211 by default), block or rate-limit UDP traffic to those ports, or completely disable UDP support in memcached if it is not in use.


New 4G LTE Network Attacks Let Hackers Spy, Track, Spoof and Spam
7.3.2018 thehackernews Mobil 
Attack

Security researchers have discovered a set of severe vulnerabilities in the 4G LTE protocol that could be exploited to spy on user phone calls and text messages, send fake emergency alerts, spoof the location of a device and even knock devices entirely offline.
A new research paper [PDF] recently published by researchers at Purdue University and the University of Iowa details 10 new cyber attacks against the 4G LTE wireless data communications technology for mobile devices and data terminals.
The attacks exploit design weaknesses in three key protocol procedures of the 4G LTE network known as attach, detach, and paging.


Unlike much previous research, these aren't just theoretical attacks. The researchers employed a systematic model-based adversarial testing approach, which they called LTEInspector, and were able to test 8 of the 10 attacks in a real testbed using SIM cards from four large US carriers.
Authentication Synchronization Failure Attack
Traceability Attack
Numb Attack
Authentication Relay Attack
Detach/Downgrade Attack
Paging Channel Hijacking Attack
Stealthy Kicking-off Attack
Panic Attack
Energy Depletion Attack
Linkability Attack
Among the above-listed attacks, the researchers consider the authentication relay attack particularly worrying, as it lets an attacker connect to a 4G LTE network by impersonating a victim's phone number without any legitimate credentials.

This attack could not only allow a hacker to compromise the cellular network to read incoming and outgoing messages of the victims but also frame someone else for the crime.
"Through this attack the adversary can poison the location of the victim device in the core networks, thus allowing setting up a false alibi or planting fake evidence during a criminal investigation," the report said.
Other notable attacks reported by the researchers could allow attackers to obtain a victim's coarse-grained location information (linkability attack) and launch a denial of service (DoS) attack against the device to take it offline (detach attack).
"Using LTEInspector, we obtained the intuition of an attack which enables an adversary to possibly hijack a cellular device’s paging channel with which it can not only stop notifications (e.g., call, SMS) to reach the device but also can inject fabricated messages resulting in multiple implications including energy depletion and activity profiling," the paper reads.
Using the panic attack, attackers can create artificial chaos by broadcasting fake emergency messages about life-threatening attacks or riots to a large number of users in an area.
What's interesting about these attacks is that many of these can be carried out for $1,300 to $3,900 using relatively low-cost USRP devices available in the market.
Researchers have no plans to release the proof-of-concept code for these attacks until the flaws are fixed.
Although there are some possible defenses against these observed attacks, the researchers refrained from discussing a specific one.
The paper reads: "retrospectively adding security into an existing protocol without breaking backward compatibility often yields band-aid-like-solutions which do not hold up under extreme scrutiny."
"It is also not clear, especially, for the authentication relay attack whether a defense exists that does not require major infrastructural or protocol overhaul," it adds. "A possibility is to employ a distance-bounding protocol; realization of such protocol is, however, rare in practice."
The vulnerabilities are most worrying in that they once again raise concerns about the security of cellular standards in the real world, and they potentially have an industry-wide impact.


Funny? Useful? Cool? Kali Linux natively on Windows 10
7.3.2018 securityaffairs  Safety

It’s funny, but true: the popular Kali Linux hacking distro is available for download from the official Microsoft App Store on Windows 10.
Kali Linux is now natively available on Windows 10, without requiring dual boot or virtualization.

Kali Linux isn’t the only Linux distribution available on the Windows App Store; Windows users can download other popular distros, including Ubuntu, Fedora, and OpenSUSE.

The Linux distribution can be used directly on Windows through the feature called Windows Subsystem for Linux (WSL).

“For the past few weeks, we’ve been working with the Microsoft WSL team to get Kali Linux introduced into the Microsoft App Store as an official WSL distribution, and today we’re happy to announce the availability of the ‘Kali Linux’ Windows application,” reads the announcement published on the Kali Linux website.

“For Windows 10 users, this means you can simply enable WSL, search for Kali in the Windows store, and install it with a single click. This is especially exciting news for penetration testers and security professionals who have limited toolsets due to enterprise compliance standards.”

To enable the WSL follow these steps:

Access the “Apps and features” menu item under the Control Panel
Select “Programs and Features” from the right panel
Click the “Turn Windows features on or off” from the left menu
Check the “Windows Subsystem for Linux”
Save the operation and reboot the system

Alternatively, users can open PowerShell as Administrator and run the following command before restarting the machine.
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Windows-Subsystem-Linux
At this point, you can search for Kali Linux on Windows Store and download it.
Offensive Security has published a video to show how to use the distribution on Windows 10.

It is important to note that Kali Linux on Windows does not come with any penetration testing tools pre-installed; you need to install them when needed.

Experts noticed that antivirus software, including Windows Defender, can flag the distro’s packages as malware.


BlackBerry Sues Facebook Over Messaging Apps
6.3.2018 securityweek
Social

Canadian telecommunications firm BlackBerry sued Facebook on Tuesday, accusing the American social media company of infringing on its patents for messaging apps.

BlackBerry is claiming infringement on patents it holds for message encryption and notifications, and is seeking an injunction as well as damages for lost profits, although no figure was given.

Facebook and its wholly-owned services Instagram and WhatsApp are named as defendants in the lawsuit.

"We have a lot of respect for Facebook and the value they've placed on messaging capabilities, some of which were invented by BlackBerry," BlackBerry spokeswoman Sarah McKinney said in a statement.

She said BlackBerry would like to partner with Facebook "in our drive toward a securely connected future, and we continue to hold this door open to them."

"However, we have a strong claim that Facebook has infringed on our intellectual property, and after several years of dialogue, we also have an obligation to our shareholders to pursue appropriate legal remedies," McKinney added.

BlackBerry, after abandoning the manufacture of its once-popular smartphones, has refocused its core business on cybersecurity software and services.


World Economic Forum Announces New Fintech Cybersecurity Consortium
6.3.2018 securityweek Cyber

Following the announcement of a new Global Centre for Cybersecurity, the World Economic Forum (WEF) has today launched a new fintech-focused initiative: WEF's Fintech Cybersecurity Consortium. Its aim is to create a framework for the assessment of cybersecurity in financial technology firms and data aggregators.

The founding members of the new consortium include global bank Citigroup, insurance company Zurich Insurance Group, fintech lender Kabbage and financial infrastructure provider DTCC. Their intention is to develop common principles for cybersecurity assessments, guidance for implementation, a point-based scoring framework, and guidance on improving an organization's score.

"Cyber breaches recorded by businesses have almost doubled since 2013 and the estimated cost of cybercrime is $8 trillion over the next five years," said Mario Greco, Chief Executive Officer of Zurich Insurance Group, Switzerland, a participant in the consortium. "We expect the consortium to help adopt best cybersecurity practices and reduce the complexity of diverging cyber regulation around the world."

The $8 trillion figure comes from a May 2017 report from Juniper Research. More recently, McAfee reported that the cost of global cybercrime is $600 billion.

The new consortium will commence immediately, working closely with WEF's Global Centre for Cybersecurity being established in Geneva. It expects to draw upon a similar, domestic-focused project undertaken in 2017 by the US Chamber of Commerce on Critical Infrastructure Protection, Information Sharing and Cybersecurity. A detailed description is found in a separate whitepaper, Innovation-Driven Cyber-Risk to Customer Data in Financial Services (PDF). This paper makes it clear that the work will draw upon existing frameworks, with particular reference to NIST.

WEF spokesperson Georg Schmitt told SecurityWeek that the consortium is "doing this to step in where regulators might not (yet)." The paper makes it clear that recent cyber developments are considered to be a major threat to the financial sector. Two of these are the evolution of open banking driven by European finance legislation such as PSD2, and the customer privacy regulations, led perhaps by GDPR. The former increases fintech's attack surface, while rapid growth in the IoT and use of AI algorithms increases the amount of PII collected and stored.

"It's a smart move to highlight data aggregators as a point of cyber vulnerability," David Shrier, CEO of Distilled Analytics told SecurityWeek. "You have only to look at the Equifax hack to understand why this is important. And classically they are not considered fintechs, so it's worthwhile to call them out separately.

"Unknowingly," he adds, "in our race to adopt new technology over the past 20 years, we have ceded a massive amount of personal information to these third parties (data aggregator and fintech alike), and it has created gigantic cyber vulnerabilities."

Kabbage CEO Rob Frohwein explained: "Kabbage is joining the World Economic Forum consortium because cybersecurity is a never-ending, age-long issue that requires a long-lasting solution for tomorrow and not a Band-Aid for today. We need a living global standard that allows financial services companies to compete and work with incumbent institutions across borders and industries."

The Fintech Cybersecurity Consortium will develop a cybersecurity assessment framework for fintechs and data aggregators. This will, in theory, enable new firms to interconnect with fintech and aggregator firms with greater confidence.

Some firms will likely balk at yet another fintech framework-come-regulation, particularly since it will evolve from existing frameworks. "Unfortunately, this really doesn't change the game in any way (that I can tell)," comments Nathan Wenzler, chief security strategist at AsTech. "It is likely to get a, 'it's yet another regulation for us financial companies' kind of reaction. Yes, some financial firms might be interested. If this was any other industry besides finance, it might be something more significant. As it stands, they're pretty numb to all the regulatory requirements they deal with everywhere."

Shrier is more optimistic. "We have seen the WEF tackle other areas with paradigm-shifting thought leadership, so, provided they get the right experts in their working group, this could be additive to improving cybersecurity. While this new effort is not guaranteed to succeed, our problem today is too many headlines about cyber breaches and not enough systems thinking about cyber solutions. The WEF group has a chance to raise serious cyberthinking in the C-suite and board room proactively, instead of reactively after an incursion."


Two Scammers, Five Mules Arrested in BEC Bust
6.3.2018 securityweek
Spam

A criminal investigation commenced by the French National Gendarmerie in June 2016 led to the arrest of one French and one Belgian national on February 20, 2018 for their part in large scale CEO fraud (also known as business email compromise -- BEC).

According to Europol, "The criminals belonged to an organized crime group involved in at least 24 cases of CEO fraud causing €4.6 million worth of damage."

The investigation was launched when French law enforcement was informed that two companies had fallen victim to BEC fraud, with a total estimated cost of €1.2 million. Since then, the investigation has identified 15 alleged Romanian company managers living in France and Belgium involved in orchestrating BEC fraud and Forex scams. Money obtained from the BEC scams was sent via the Romanian company accounts to Hong Kong.

The two suspects arrested in France are thought to be recruiters and facilitators for the criminal gang; but not the masterminds. "The suspects arrested in Paris and Lille seem to be closely linked to the ring leader(s) most probably hiding in Israel, where computers and mobile phones have also been seized," announced Europol on Friday.

A further five individuals were arrested in Belgium, suspected of acting as money mules for the gang.

BEC fraud has become a major problem over the last few years. According to figures from the FBI, worldwide BEC fraud netted $2.3 billion from 17,642 victims in at least 79 countries from October 2013 through February 2016.

A typical BEC scam will persuade an authorized employee to wire money to an external account. It is a sophisticated version -- with much higher stakes -- of the pre-internet fax directory scam, where a fake invoice is sent to a company because it often just gets paid. It is similar in operation to targeted spear-phishing, using a disguised sender and social engineering to trick the target. Typically, it is an email disguised to appear as if it comes from the CEO (hence its common description as CEO fraud), asking the finance director to urgently send funds to or for a supplier or partner.

In this instance, the two arrested in France helped people to establish firms with Romanian bank accounts. According to Europol these included law firms and notaries. An apparent email from the CEO asking for funds to be sent to a law firm in France acting on behalf of a known or fictitious supplier could appear both safe and compelling.

Unlike phishing, BEC carries no payload in the form of a malicious link or weaponized attachment. Without such a payload to detect, BEC emails are very difficult to flag with technology.

In February, Agari published a trends analysis (PDF) of BEC. It found that in the second half of 2017, an average of 45 BEC attacks per company bypassed secure email gateways (SEG), advanced threat protection systems (APT), and targeted attack protection (TAP); 96% of organizations had experienced BEC attacks; and one company had experienced 369 attacks.

DMARC can help prevent BEC, but is not foolproof. Furthermore, Agari points out that 67% of the Fortune 500 do not have a DMARC policy, and only 5% have a Reject (or “blocking”) policy on their corporate domain.

Because of the difficulties in detecting BEC attacks, there have been several major successful examples during 2017. In April 2017, the Justice Department disclosed that Google and Facebook lost a combined $100 million to BEC attacks impersonating their server hardware supplier Quanta. In June 2017, New York Judge Lori Sattler was duped into sending $1,057,500 to a scammer posing as her lawyer in a real estate deal. In August 2017, MacEwan University in Alberta, Canada was defrauded of $11.8 million in a BEC attack impersonating a vendor of the university.
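The DMARC point above (a policy exists, but only a Reject or Quarantine policy applied to all failing mail actually blocks a spoofed From: domain) is easy to get wrong in practice. The assessor below is an added example, not Agari's or anyone else's tool; the domains and TXT records it runs over are constructed, and the parser handles only the v=, p=, pct= and rua= tags.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional


def parse_dmarc(record: str) -> Optional[Dict[str, str]]:
    """Turn 'v=DMARC1; p=reject; rua=...' into a tag dict, or None if it is not DMARC."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


@dataclass
class DmarcAssessment:
    policy: str                # missing, invalid, none, quarantine or reject
    pct: int                   # share of failing mail the policy applies to
    blocks_spoofing: bool      # quarantine/reject applied to 100% of failing mail
    notes: List[str] = field(default_factory=list)


def assess_dmarc(txt_records: List[str]) -> DmarcAssessment:
    """Assess one domain's DMARC posture from the TXT records at _dmarc.<domain>."""
    dmarc = [r for r in txt_records if parse_dmarc(r) is not None]
    if not dmarc:
        return DmarcAssessment("missing", 0, False, ["no v=DMARC1 record published"])
    if len(dmarc) > 1:
        # RFC 7489: receivers treat several DMARC records as no record at all
        return DmarcAssessment("invalid", 0, False,
                               ["multiple DMARC records; receivers ignore all of them"])
    tags = parse_dmarc(dmarc[0]) or {}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return DmarcAssessment("invalid", 0, False, [f"missing or unknown p= tag: {policy!r}"])
    raw_pct = tags.get("pct", "100")
    pct = int(raw_pct) if raw_pct.isdigit() else 100   # RFC default is 100
    notes = []
    if policy == "none":
        notes.append("monitor-only: spoofed mail is still delivered")
    if pct < 100:
        notes.append(f"pct={pct}: only that share of failing mail gets the policy")
    if "rua" not in tags:
        notes.append("no rua= address: no aggregate reports about who spoofs you")
    blocks = policy in ("quarantine", "reject") and pct == 100
    return DmarcAssessment(policy, pct, blocks, notes)


def tally(domains: Dict[str, List[str]]) -> Dict[str, int]:
    """Count domains per policy class, plus how many actually block (the Agari-style statistic)."""
    counts = {"missing": 0, "invalid": 0, "none": 0, "quarantine": 0, "reject": 0, "blocking": 0}
    for records in domains.values():
        a = assess_dmarc(records)
        counts[a.policy] += 1
        if a.blocks_spoofing:
            counts["blocking"] += 1
    return counts


# Constructed sample: what a resolver would return for TXT _dmarc.<domain>.
# The last entry has an SPF record published there by mistake and no DMARC.
SAMPLE_DOMAINS = {
    "example.com": ["v=DMARC1; p=reject; rua=mailto:dmarc@example.com"],
    "example.net": ["v=DMARC1; p=none; rua=mailto:dmarc@example.net"],
    "example.org": [],
    "example.edu": ["v=DMARC1; p=quarantine; pct=25"],
    "example.co": ["v=DMARC1; p=reject", "v=DMARC1; p=none"],
    "example.info": ["v=spf1 include:_spf.example.info -all"],
}

if __name__ == "__main__":
    for domain, records in SAMPLE_DOMAINS.items():
        a = assess_dmarc(records)
        print(f"{domain:13} {a.policy:10} pct={a.pct:3} blocks={a.blocks_spoofing} "
              f"{'; '.join(a.notes)}")
    print(tally(SAMPLE_DOMAINS))
```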


Android's March 2018 Patches Fix Critical, High Risk Flaws
6.3.2018 securityweek Android

Google has released its March 2018 set of security updates for Android to address numerous Critical and High severity vulnerabilities in the popular mobile operating system.

The majority of the Critical vulnerabilities addressed this month could allow an attacker to execute code remotely on affected devices. Impacted components include the media framework, system, kernel, Nvidia, and Qualcomm components.

A total of 16 vulnerabilities were addressed as part of the 2018-03-01 security patch level: 8 rated Critical severity and 8 considered High risk. The most severe of these vulnerabilities could allow a remote attacker using a specially crafted file to run arbitrary code with high privileges.

Four of the Critical flaws (three remote code execution bugs and one elevation of privilege issue) and two High risk bugs (elevation of privilege) were addressed in media framework. The remaining four Critical vulnerabilities (all remote code execution) and six High risk issues (information disclosure bugs) were resolved in system.

The 2018-03-05 security patch level addressed 21 vulnerabilities, only three of which were rated Critical severity. All of the remaining bugs were assessed High risk, Google notes in an advisory.

The flaws affect Kernel components (two elevation of privilege and four information disclosure High risk issues), NVIDIA components (two High risk elevation of privilege bugs), Qualcomm components (two Critical – remote code execution – and nine High risk – six elevation of privilege, two information disclosure, and one denial of service – vulnerabilities), and Qualcomm closed-source components (one Critical and one High risk).

Google also addressed over 40 vulnerabilities impacting its Pixel / Nexus devices this month, most of them rated Moderate severity.

A Moderate risk elevation of privilege issue was patched in framework, 2 High severity denial of service bugs were resolved in Media framework, and 2 elevation of privilege and 2 information disclosure vulnerabilities were fixed in system, all four Medium risk.

Google also addressed 1 High risk information disclosure and 5 Moderate elevation of privilege issues in kernel components, 3 moderate information disclosure bugs in Nvidia components, and 18 elevation of privilege and 9 information disclosure issues in Qualcomm components (all Moderate severity).

Pixel 2 and Pixel 2 XL devices also received fixes for several functionality issues that were not related to the security of these devices. Instead, they improved screen wake performance with fingerprint unlock, audio performance when recording video, and crash reporting.


Kaspersky Lab Offers $100,000 for Critical Vulnerabilities
6.3.2018 securityweek
Vulnerebility

Just days before its annual Security Analyst Summit kicks off in Cancun, Mexico, Kaspersky Lab this week announced an extension to its bug bounty program and plans to pay rewards of up to $100,000 for severe vulnerabilities in some of its products.

Launched in August 2016, the HackerOne-powered bug bounty program initially promised a total of $50,000 in bounties and resulted in the discovery of more than 20 flaws in the first six months. To date, the program allowed Kaspersky to address more than 70 bugs in its products and services.

In April last year, the Moscow-based security firm announced the addition of Kaspersky Password Manager 8 to the bounty program, along with an increase in the maximum reward for remote code execution vulnerabilities from $2,000 to $5,000.

The newly announced larger payouts represent a 20-fold increase on existing rewards available to researchers who participate in the company’s bug bounty program, which is available to all members of the HackerOne platform.

The largest rewards will be offered for the discovery and coordinated disclosure of bugs that enable remote code execution via the product database update channel, Kaspersky says. Another requirement is that the code runs in the product’s high-privilege process, silently and without the user's knowledge, and that persistence is also achieved.

Security flaws leading to other types of remote code execution will receive rewards ranging from $5,000 to $20,000, depending on their complexity level. The company also announced it is willing to pay researchers who discover bugs allowing local privilege escalation or leading to sensitive data disclosure.

Only previously unknown vulnerabilities discovered in Kaspersky Internet Security 2019 (the most recent beta) and Kaspersky Endpoint Security 11 (the most recent beta) qualify for the bug bounties. Supported platforms include desktop Windows 8.1 and higher, with the most recent updates installed.

“Finding and fixing bugs is a priority for us as a software company. We invite security researchers to make sure there are no vulnerabilities in our products. The immunity of our code and highest levels of protection that we offer customers is a core principle of our business – and a fundamental pillar of our Global Transparency Initiative,” Eugene Kaspersky, CEO of Kaspersky Lab, said.

Announced in October 2017, the Global Transparency Initiative was meant to clear Kaspersky’s name after reports suggested it had ties to the Russian government and the Department of Homeland Security (DHS) ordered all government agencies to stop using the company’s products.


"ComboJack" Malware Steals Multiple Virtual Currencies
6.3.2018 securityweek Cryptocurrency

A newly discovered piece of malware is capable of stealing a variety of crypto-coins from its victims by replacing legitimate wallet addresses with that of the attacker.

Dubbed ComboJack, the malware performs its nefarious activity by monitoring the user clipboard and replacing targeted addresses there. This is the same technique that was recently observed being used by the Evrial Trojan and the CryptoShuffler malware, but the new threat targets multiple virtual currencies.

ComboJack, Palo Alto Networks has discovered, is targeting multiple crypto-currencies at the moment, including Bitcoin, Litecoin, Monero, and Ethereum.

The malware is being distributed through spam emails targeting users in Japan and America, carrying a malicious PDF that contains an embedded document. This is an RTF file attempting to exploit CVE-2017-8579, a vulnerability addressed in September 2017 after it was abused to spread the FinFisher spyware.

The RTF document references an embedded remote object, an HTA file that contains encoded PowerShell commands. Once fetched from the remote server, the file executes the PowerShell to download and execute the final payload.

The downloaded file is an initial-stage self-extracting executable (SFX) that extracts the second stage, a password-protected SFX whose password is supplied by the first stage. ComboJack is extracted only after the second stage executes.

First, the malware copies itself to the ProgramData folder, and then leverages the attrib.exe built-in Windows tool to set the hidden and system attributes to itself. Next, the malware sets a registry key to achieve persistence.

Once the steps have been completed, ComboJack starts checking the contents of the clipboard every half second to determine if wallet information for different digital currencies has been copied there. When that happens, the malware replaces the information with hardcoded data in an attempt to divert funds to a presumably attacker-owned wallet.

“This tactic relies on the fact that wallet addresses are typically long and complex and to prevent errors, most users will opt to copy an exact string in order to prevent potential errors,” Palo Alto points out.

The malware can detect addresses of crypto-currencies such as Ethereum, Monero (erroneously, the replacement address is shorter), Bitcoin, Litecoin, Qiwi, WebMoney (Rubles), WebMoney (USD), Yandex Money, and a currently unknown virtual coin.

The fact that ComboJack is targeting WebMoney (USD, EUR, and RUB) and Yandex Money, which are popular digital payment systems, also sets the malware apart from other Trojans capable of stealing crypto-currencies by replacing wallet addresses that have been copied to the clipboard.

“By targeting multiple cryptocurrencies and web based wallets, the author of ComboJack appears to be hedging his or her bets on which currency will boom and which will bust. As the prices of cryptocurrencies continue to rise it is likely we will see more and more malware targeting cryptocurrencies, as it presents the fastest way to the highest profit,” Palo Alto concludes.


Researchers Devise New Attacks Against 4G LTE Mobile Networks
6.3.2018 securityweek Mobil 
Attack

A team of researchers from Purdue University and the University of Iowa have discovered 10 new attacks against the 4G LTE protocol, which could allow adversaries to snoop on messages, deny service, and even track the location of users.

In a whitepaper (PDF), the team provides information on LTEInspector, the adversarial model-based testing approach they decided to adopt in this quest, and on the 10 new vulnerabilities they discovered in the protocol, alongside 9 previously known attacks.

LTEInspector, the researchers explain, was designed to analyze three critical procedures in the 4G LTE network, namely attach, detach, and paging. Designed to be tool-agnostic, the new approach can be “instantiated through any generic symbolic model checker and cryptographic protocol verifier,” the researchers say.

Using the new approach, the researchers discovered undocumented attacks on each of the critical procedures in the protocol. Four of the attacks affect the attach procedure, one affects the detach procedure, and five affect paging.

The first such attack is called Authentication Synchronization Failure and could disrupt the attach procedure, thus resulting in the victim experiencing service disruption.

A Traceability Attack can be abused to track a particular victim user equipment. “This attack can also be performed for a specific user with only the knowledge of victim’s phone number,” the researchers say.

The Numb Attack allows the adversary to inject an out-of-sequence control-plane protocol message and disrupt the service of a victim user device until restart. This issue can be chained with other types of assaults to impersonate the victim.

A Paging Channel Hijacking attack enables an adversary to hijack the victim device’s paging channel, thus preventing it from receiving legitimate paging messages, meaning that the victim does not receive service notifications such as incoming phone calls or SMS.

A Stealthy kicking-off Attack results in the user device disconnecting from the Evolved Packet Core (EPC) and can be used as a prerequisite of the Authentication Relay Attack.

As part of a Panic Attack, an adversary injects fake emergency paging messages to a large number of user devices, thus creating an artificial emergency.

An adversary could also launch Energy Depletion Attacks to make user devices “perform expensive cryptographic operations,” by forcing them to repeatedly carry out the expensive attach procedure.

The Linkability Attack, the researchers say, would allow an adversary to trace a victim device in a cell area by broadcasting a paging with the victim’s IMSI and observing the received attach request.

The only attack against the detach procedure is the Detach/Downgrade Attack, where the adversary injects network initiated detach requests to disrupt the victim’s service.

The researchers also point out that it is possible to chain some of these attacks with previously known assault methods, as well as among them, which could have wider implications. One such attack is the Authentication Relay Attack, where the victim device is disconnected from the EPC and the adversary connects instead, impersonating it, despite the lack of proper credentials.

“In this attack the adversary, however, cannot decrypt or inject valid encrypted messages unless the operator uses a weak or no security context,” the researchers explain.


ComboJack Malware alters Windows clipboards to steal cryptocurrencies and payments
6.3.2018 securityweek Cryptocurrency

Palo Alto Networks discovered a malware dubbed ComboJack that is able to detect when users copy a cryptocurrency address and alters the clipboard to steal cryptocurrencies and payments.
Crooks continue to focus their interest on cryptocurrencies. Security researchers at Palo Alto Networks have spotted a strain of malware dubbed ComboJack that is able to detect when users copy a cryptocurrency address to the Windows clipboard. The malicious code then replaces the address in the clipboard with the author’s own.

“Unit 42 researchers have discovered a new currency stealer which targets cryptocurrencies and online wallets. “CryptoJack” functions by replacing clipboard addresses with an attacker-controlled address which sends funds into the attacker’s wallet.” reads the analysis published by PaloAlto. “This technique relies on victims not checking the destination wallet prior to finalizing a transaction.”

Unlike other similar threats, ComboJack supports multiple cryptocurrencies, including Bitcoin, Litecoin, Monero, and Ethereum and it is also able to target other digital payment systems such as Qiwi, Yandex Money, and WebMoney (USD and ruble payments).

In 2017, CryptoShuffler was the first malware to implement this technique to target online Bitcoin wallets. In February 2018, researchers at ElevenPaths discovered a crypto coin stealer called Evrial, which takes control of the clipboard to get “easy money”.

Experts from PaloAlto Networks, along with Proofpoint experts, were investigating a malspam campaign targeting Japanese and American users.

The spam messages attempt to trick victims into opening the PDF attachment by claiming a passport was lost and that the attached PDF contained a scanned copy of the document.


Attackers implemented an attack chain already observed for the distribution of the Dridex banking trojan and Locky ransomware in 2017.

When the user opens the PDF document, the file opens an RTF file that contains an embedded HTA object that attempts to exploit the CVE-2017-8579 DirectX flaw.

“This embedded remote object is an HTA file which was located at hXXps://a.doko[.]moe/tnejln which contains encoded PowerShell commands.” continues the analysis.

The SFX file downloads and runs a password-protected SFX that then finally delivers ComboJack.

Finally, the payload sets a registry key to ensure persistence.

Combojack

ComboJack checks the Windows clipboard every half a second for new content that matches a known pattern for a cryptocurrency or payment system address, then replaces the address with one from an internal list.

The malicious code exploits the fact that wallet addresses are difficult to remember, so most users copy and paste the exact string in order to prevent errors.

Users are advised to carefully check that the cryptocurrency payment addresses they copy-pasted are identical in the source and destination locations.
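The check the advice above asks users to perform by eye can be automated. The following Python is an added example written for this article, not code from Palo Alto Networks or from the malware analysis: it compares the address a user copied with the string the clipboard hands back on paste, and for Bitcoin and Litecoin legacy addresses also verifies the Base58Check checksum, so a truncated or mistyped address is caught as well. How the two strings are captured (for instance by hooking the copy and paste events of a wallet front end) is outside the example; the function simply takes both as input. The genesis-block coinbase address is used as a known-valid sample and the swapped value is constructed.

```python
import hashlib

# Base58 alphabet used by Bitcoin and by Litecoin legacy addresses
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def b58decode(text):
    """Decode a Base58 string to bytes; raise ValueError on a foreign character."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("not a Base58 character: %r" % ch)
        n = n * 58 + idx
    # every leading '1' stands for one leading zero byte
    leading = len(text) - len(text.lstrip("1"))
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    return b"\x00" * leading + body


def base58check_valid(address):
    """True if the trailing 4 bytes equal the first 4 bytes of SHA256(SHA256(payload))."""
    try:
        raw = b58decode(address)
    except ValueError:
        return False
    if len(raw) < 5:
        return False
    payload, checksum = raw[:-4], raw[-4:]
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] == checksum


def check_paste(copied, pasted):
    """Compare what the user copied with what the clipboard hands back on paste.

    Returns "swapped" when the two differ (the ComboJack symptom), "malformed"
    when they match but the checksum does not verify (typo or truncation), and
    "ok" otherwise.
    """
    if copied != pasted:
        return "swapped"
    return "ok" if base58check_valid(copied) else "malformed"


if __name__ == "__main__":
    # constructed scenario: the Bitcoin genesis-block coinbase address, then a
    # hypothetical clipboard swap where the last character has been changed
    original = "1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa"
    print(check_paste(original, original))             # ok
    print(check_paste(original, original[:-1] + "b"))  # swapped
```

Monero and Ethereum addresses use different encodings (Monero a different Base58 variant, Ethereum an optional EIP-55 mixed-case checksum), so for those only the copied-versus-pasted comparison applies; the checksum step here covers the Base58Check family only.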

“By targeting multiple cryptocurrencies and web based wallets, the author of ComboJack appears to be hedging his or her bets on which currency will boom and which will bust.” concludes PaloAlto Networks.

“As the prices of cryptocurrencies continue to rise it is likely we will see more and more malware targeting cryptocurrencies, as it presents the fastest way to the highest profit.”

Further details, including IoCs, are available in the analysis.


World’s largest DDoS attack record broken by a new memcached DDoS attack
6.3.2018 securityweek
Attack

The world’s largest DDoS attack record lasted just a few days: Arbor Networks reported that earlier this month a US service provider suffered a 1.7Tbps memcached DDoS attack.
On February 28, 2018, the code hosting website GitHub was hit by the largest-ever DDoS attack that peaked at 1.3Tbps. The powerful attack was abusing the memcached protocol to power so-called memcached DDoS attacks.

Memcached is a free and open source, high-performance, distributed memory caching system designed to speed up dynamic web applications by alleviating database load.

Clients communicate with memcached servers via TCP or UDP on port 11211.

Researchers from Cloudflare, Arbor Networks and security firm Qihoo 360 recently discovered that attackers are abusing memcached for DDoS amplification attacks.

The abuse of memcached servers in DDoS attacks is quite simple: the attacker sends a request to the targeted server on port 11211, spoofing the IP address of the victim. In a memcached DDoS attack, the request sent to the server is composed of a few bytes, while the response can be tens of thousands of times bigger, resulting in an amplification attack.

Experts at Cloudflare dubbed this type of attack Memcrashed; according to the researchers, the technique could allow attackers to obtain an amplification factor of 51,200.

Researchers predicted then that threat actors in the wild would abuse misconfigured memcached servers in future attacks, and that is exactly what is happening.

Experts at Arbor Networks reported that earlier this month a US service provider suffered a 1.7Tbps DDoS attack. The service provider was able to repel the attack thanks to adequate countermeasures, but we can consider it an exception, because such a huge volume of traffic would knock the majority of websites offline.

The experts confirmed that in this case too the attackers exploited unsecured memcached servers to amplify the attack.

“Today, NETSCOUT Arbor can confirm a 1.7Tbps reflection/amplification attack targeted at a customer of a U.S. based Service Provider has been recorded by our ATLAS global traffic and DDoS threat data system.” reported Arbor Networks. “The attack was based on the same memcached reflection/amplification attack vector that made up the Github attack”

memcached DDoS attack Mar2018

The previous record DDoS attack was observed by ATLAS in 2016; it was a 650Gbps attack towards a target in Brazil.

Unfortunately, the availability of unsecured memcached servers online will allow threat actors to power similar attacks in the future.

“While the internet community is coming together to shut down access to the many open memcached servers out there, the sheer number of servers running memcached openly will make this a lasting vulnerability that attackers will exploit,” continues the post published by Arbor Networks.

“It is critically important for companies to take the necessary steps to protect themselves.”

Cloudflare recommends disabling UDP support unless it’s needed and isolating memcached servers from the Internet. Internet service providers have to fix vulnerable protocols and prevent IP spoofing.
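Cloudflare’s two recommendations map onto two memcached start-up options: -U (the UDP port, 0 disables UDP) and -l (the listen address). The Python below is an added example written for this article, not Cloudflare’s or the memcached project’s code. It parses a Debian-style memcached.conf (one option per line) into an argument list and reports whether the resulting daemon could serve as a reflector; both configuration fragments are constructed. It assumes the pre-1.5.6 behaviour in which UDP is enabled on 11211 unless -U 0 is given, and that an absent -l means binding to every interface; pass udp_default_enabled=False for builds from 1.5.6 onward, which ship with UDP off.

```python
import shlex

DEFAULT_PORT = 11211


def parse_memcached_conf(text):
    """Turn a Debian-style /etc/memcached.conf (one option per line, '#' comments)
    into an argv list such as ['-m', '64', '-U', '0', '-l', '127.0.0.1']."""
    argv = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            argv.extend(shlex.split(line))
    return argv


def _option_value(argv, i, short, long):
    """If argv[i] is the option (short form, attached short form, or --long=),
    return (value, index_after_it); otherwise (None, i)."""
    arg = argv[i]
    if arg == short and i + 1 < len(argv):
        return argv[i + 1], i + 2
    if arg.startswith(short) and len(arg) > len(short):
        return arg[len(short):], i + 1
    if arg.startswith(long + "="):
        return arg[len(long) + 1:], i + 1
    return None, i


def audit_memcached(argv, udp_default_enabled=True):
    """Report the two settings that decide whether memcached can act as a reflector.

    -U <num> / --udp-port  UDP port; 0 disables UDP. Builds before 1.5.6 enabled
                           UDP on 11211 by default, hence udp_default_enabled.
    -l <addr> / --listen   listen address(es); when absent memcached binds to
                           every interface (INADDR_ANY).
    """
    udp_port = DEFAULT_PORT if udp_default_enabled else 0
    listen = []
    i = 0
    while i < len(argv):
        value, nxt = _option_value(argv, i, "-U", "--udp-port")
        if value is not None:
            udp_port = int(value)
            i = nxt
            continue
        value, nxt = _option_value(argv, i, "-l", "--listen")
        if value is not None:
            listen.extend(v.strip() for v in value.split(","))
            i = nxt
            continue
        i += 1
    # only wildcard binds are flagged here; a specific non-loopback address
    # still needs a firewall rule in front of it
    public = not listen or any(addr in ("0.0.0.0", "::") for addr in listen)
    findings = []
    if udp_port != 0:
        findings.append("UDP enabled on port %d" % udp_port)
    if public:
        findings.append("bound to all interfaces")
    return {
        "udp_port": udp_port,
        "listen": listen,
        "public": public,
        "findings": findings,
        "reflector_risk": udp_port != 0 and public,
    }


# constructed configuration fragments, not taken from any real host
WEAK_CONF = """\
# memory, TCP port and user only: no -l and no -U, so the daemon binds to
# every interface and (on pre-1.5.6 builds) keeps UDP on
-m 64
-p 11211
-u memcache
"""

HARDENED_CONF = """\
-m 64
-p 11211
-u memcache
# loopback only; use the internal interface address if remote clients need it
-l 127.0.0.1
# disable UDP, the transport the reflection attacks abuse
-U 0
"""
```

Running audit_memcached(parse_memcached_conf(WEAK_CONF)) reports both findings and reflector_risk True; the hardened fragment clears both. The same audit applied to the command line of a running process (for instance the argv read from the process list) gives the same answer without touching the configuration file.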

“Internet Service Providers – In order to defeat such attacks in future, we need to fix vulnerable protocols and also IP spoofing. As long as IP spoofing is permissible on the internet, we’ll be in trouble.” concluded Cloudflare.

“Developers – Please please please: Stop using UDP. If you must, please don’t enable it by default. If you do not know what an amplification attack is I hereby forbid you from ever typing SOCK_DGRAM into your editor.”

Fear of this new kind of attack represents an opportunity for cybercriminals: crooks have already started blackmailing companies, demanding a ransom in Monero cryptocurrency to avoid being attacked via memcached servers.

Let’s see how long the 1.7Tbps attack will remain the largest-ever DDoS attack …


Mobile Banking Trojans Targeting Crypto-Currencies
6.3.2018 securityweek Mobil  Android

Mobile malware is now targeting crypto-currencies with the intent of stealing victims’ funds, IBM says.

The immediate result of the massive increase in value that crypto-currencies have registered over the past year was the growth of malicious attacks attempting to steal coins from unsuspecting users. While most of these assaults involved PC malware so far, recent incidents have shown that mobile threats are picking up the pace as well.

Several weeks ago, IBM observed that the TrickBot Trojan was using webinjections to steal virtual coins from its victims by replacing legitimate addresses with those of the attacker. Working in a similar manner, mobile malware is now using screen overlays to trick victims into sending funds to the attacker instead, IBM's security researchers discovered.

According to IBM, mobile malware targeting crypto-coins usually leverages malicious miners to collect coins, but the practice isn’t that profitable, given the limited processing power a mobile device has. Furthermore, users are more likely to discover a mining operation on a mobile device when observing overheating, low performance and faster battery drain.

“Crooks operating mobile banking Trojans don’t install miners on the device. Rather, they typically steal existing coins from unsuspecting owners using mobile malware that creates the same effect as webinjections: cybercriminals trick users with fake on-screen information, steal their access credentials and take over accounts to empty coins into their own wallets,” IBM notes.

Some of the mobile malware families capable of detecting the application opened on a mobile device include ExoBot, BankBot, Marcher, and Mazar. Based on the launched application, these Trojans can display a hardcoded or dynamically fetched overlay and hide the legitimate app screen behind a fake one.

Thus, users end up revealing their credentials to the malware operators, which can then abuse them to access the victim’s account. If a second-factor authorization is required, the malware can hijack it from the compromised device without alerting the victim.

Usually employed in attacks targeting bank accounts, the method has been adapted for the theft of crypto-coins as well, the researchers discovered. Trojans such as BankBot and Marcher have already been packed with the necessary functionality to overlay a fake screen when the user opens relevant wallet apps.

The malware, IBM says, targets multiple virtual currencies, including Bitcoin, Bitcoin Cash, Ethereum, Litecoin, Monero, and others. Although basic-looking, the overlay screens are convincing and can trick users into unknowingly sending their access credentials to an attacker.

“The mobile malware arena already strives to emulate the success of PC banking Trojans and facilitate cross-channel fraud and identity theft. Cryptocurrency is just another target for malware operators looking to get in on the action. Given the rapid evolution of this threat, organizations should invest in mobile threat protection tools to minimize the risk posed by mobile banking Trojans,” IBM concludes.


Cisco Adds Vulnerability Identification to Tetration Platform
6.3.2018 securityweek
Vulnerebility

Cisco today announced the availability of identification of software vulnerabilities and exposures as part of the security capabilities of its Tetration platform.

Designed to offer workload protection for multi-cloud data centers through a zero-trust model that employs segmentation, the platform can now also detect vulnerabilities associated with software installed on servers.

With support for both on-premises and public cloud workloads, Tetration can now help identify security incidents faster, as well as contain lateral movement, in addition to reducing attack surface, Cisco says.

“Tetration is equipped to identify high severity security events such as Spectre and Meltdown using behavior-based anomalies,” Cisco notes.

The platform maintains an inventory of the software packages installed on the server, along with information on version and publisher. Leveraging the Common Vulnerabilities and Exposure (CVE) database, Tetration can detect packages with known CVEs.

The platform also offers a scorecard ranking the severity of specific vulnerabilities and reveals which servers might be affected, thus helping IT organizations proactively set up filters to find additional vulnerabilities.
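The matching step described in the two paragraphs above (an inventory of package name, version and publisher joined against known vulnerable version ranges, then ranked by severity and mapped back to servers) is a generic technique. The Python below is an added example written for this article, not Cisco’s code and not a description of how Tetration implements it internally. Inventory, servers and the vulnerability feed are constructed, and the feed uses obvious placeholder identifiers rather than real CVE numbers.

```python
import re

# constructed inventory: server -> list of (package, version, publisher)
INVENTORY = {
    "web-01": [("openssl", "1.0.2g", "ExampleVendor"), ("nginx", "1.12.1", "ExampleVendor")],
    "db-01": [("openssl", "1.1.0h", "ExampleVendor"), ("postgresql", "9.6.2", "ExampleVendor")],
    "app-01": [("openssl", "1.0.2a", "ExampleVendor")],
}

# constructed vulnerability feed with placeholder identifiers (not real CVE records);
# "affected_below" is the first version that carries the fix
VULN_FEED = [
    {"id": "CVE-EXAMPLE-0001", "package": "openssl", "affected_below": "1.0.2h", "cvss": 7.5},
    {"id": "CVE-EXAMPLE-0002", "package": "nginx", "affected_below": "1.13.0", "cvss": 9.8},
    {"id": "CVE-EXAMPLE-0003", "package": "postgresql", "affected_below": "9.6.1", "cvss": 5.3},
]


def version_key(version):
    """Split '1.0.2g' into comparable tokens: numbers compare numerically, letter
    runs lexically. Enough for dotted releases with an OpenSSL-style suffix; a
    real scanner would use the package manager's own comparison rules."""
    key = []
    for tok in re.findall(r"\d+|[A-Za-z]+", version):
        key.append((1, int(tok), "") if tok.isdigit() else (0, 0, tok.lower()))
    return tuple(key)


def match_vulnerabilities(inventory, feed):
    """Join the inventory against the feed: a hit is an installed version
    strictly below the first fixed version for that package."""
    hits = []
    for server, packages in inventory.items():
        for name, version, _publisher in packages:
            for vuln in feed:
                if vuln["package"] == name and version_key(version) < version_key(vuln["affected_below"]):
                    hits.append({"server": server, "package": name, "version": version,
                                 "id": vuln["id"], "cvss": vuln["cvss"]})
    return hits


def scorecard(hits):
    """Rank each vulnerability by CVSS (highest first) with the servers it touches."""
    by_id = {}
    for hit in hits:
        entry = by_id.setdefault(hit["id"], {"id": hit["id"], "cvss": hit["cvss"], "servers": set()})
        entry["servers"].add(hit["server"])
    return sorted(by_id.values(), key=lambda e: -e["cvss"])


if __name__ == "__main__":
    for row in scorecard(match_vulnerabilities(INVENTORY, VULN_FEED)):
        print(row["cvss"], row["id"], sorted(row["servers"]))
```

The version comparison is the part that goes wrong most often in practice: distribution packages carry epoch and release suffixes that plain dotted comparison misreads, which is why the comment in version_key points at the package manager’s own rules for a production scanner.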

Now, Tetration can also collect and maintain information about running processes on each server, on a real-time basis, Cisco announced. This should help IT managers find servers on which specific processes are running or have run. The collected information includes ID, parameters, duration, hash (signature), and the user running the process.

The identification of application behavior deviations from the baseline is also available on the platform, through the monitoring of workloads and networks for behavior that might be suspicious. Tetration first creates an application behavior baseline and then keeps an eye out for any deviations to identify attacks.

“For example, a process might seek to obtain privileged access that it should not have under normal behavior and use that privilege to execute a series of operations. Tetration can provide a time-series view of history to visualize process hierarchy and behavior information,” Cisco says.

The platform can search for specific process events and discover details such as privilege escalation, shell code execution, and side channel attacks.

According to Cisco, process behavior monitoring and identification of vulnerabilities allow Tetration to identify anomalies in minutes and reduce the attack surface up to 85%, while efficient application segmentation minimizes lateral movement. Furthermore, automation allows for a 70% reduction in human intervention to enable a zero-trust model.

“Tetration is powered by big data technologies to support the scale requirements of data centers. It can process comprehensive telemetry information received from servers in real-time (up to 25,000 servers per cluster). Tetration can enforce consistent policy across thousands of applications and tens of millions of policy rules,” Cisco notes.


Facebook improves link security infrastructure by implementing HSTS Preloading
6.3.2018 securityaffairs
Social

Facebook has implemented HSTS preloading that instructs a browser to always use SSL/TLS to communicate with eligible websites.
Facebook has upgraded its link security infrastructure to include HTTP Strict Transport Security (HSTS) preloading that instructs a browser to always use SSL/TLS to communicate with eligible websites.

Facebook and Instagram links will automatically update from HTTP to HTTPS for eligible websites.

“We have recently upgraded our link security infrastructure to include HSTS preloading, which automatically upgrades HTTP links to HTTPS for eligible websites. This will improve people’s security and will also often improve the speed of navigation to sites from Facebook.” reads the announcement published by Facebook.

According to Facebook, the modification aims to improve security and navigation speed for Facebook and Instagram links.
HSTS Preloading Facebook
Facebook determines the links that are eligible for HTTPS based on two sources:

The Chromium preload list, which is currently used in most major browsers;
Recording HSTS headers from sites shared on Facebook: in this case the preload list is updated with any sites that serve HSTS with the preload directive.
Facebook invites websites to support HTTPS and sponsors the Let’s Encrypt initiative, which provides free TLS certificates and instructions on how to enable HTTPS for most common server software.
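The second source above depends on reading the Strict-Transport-Security header correctly and deciding whether a site qualifies. The Python below is an added example written for this article, not Facebook’s code: it parses the header per RFC 6797 (rejecting repeated directives and a non-numeric max-age) and applies the header-level conditions the hstspreload.org submission form asks for as this author knows them (max-age of at least one year, includeSubDomains and preload), then collects the eligible hostnames from a constructed set of observations. The preload service also checks redirects and certificate validity, which a header check alone cannot see.

```python
# minimum max-age the preload list asks for: one year in seconds (assumption, see lead-in)
ONE_YEAR = 31536000


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value (RFC 6797 section 6.1).

    Returns {directive_name: value_or_None} with lower-cased names and an
    integer max-age, or None when the header is invalid: a directive repeated,
    max-age missing, or max-age not a non-negative integer.
    """
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, has_value, value = part.partition("=")
        name = name.strip().lower()
        if name in directives:
            return None  # RFC 6797: a directive MUST NOT appear more than once
        directives[name] = value.strip().strip('"') if has_value else None
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        return None
    directives["max-age"] = int(max_age)
    return directives


def preload_eligible(header_value):
    """The three header conditions for the preload list: max-age of at least a
    year, includeSubDomains, and the preload directive itself."""
    d = parse_hsts(header_value)
    return (d is not None and d["max-age"] >= ONE_YEAR
            and "includesubdomains" in d and "preload" in d)


def eligible_sites(observed):
    """observed maps hostname -> STS header recorded from a shared link (None if
    the site sent none); returns the hostnames whose links may be upgraded."""
    return sorted(host for host, value in observed.items()
                  if value is not None and preload_eligible(value))


# constructed observations, not real sites
OBSERVED = {
    "good.example": "max-age=31536000; includeSubDomains; preload",
    "quoted.example": 'max-age="63072000"; includeSubDomains; preload',
    "short.example": "max-age=300; includeSubDomains; preload",
    "nopreload.example": "max-age=63072000; includeSubDomains",
    "dup.example": "max-age=31536000; includeSubDomains; preload; max-age=0",
    "plain.example": None,
}

if __name__ == "__main__":
    print(eligible_sites(OBSERVED))
```

The dup.example entry shows why the duplicate check matters: a header that sets max-age twice is invalid under the RFC, and a crawler that kept the first value would upgrade links to a site whose browsers may be ignoring the header entirely.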


Triada Trojan Pre-Installed on Low Cost Android Smartphones
5.3.2018 securityweek Android

Security researchers have discovered the sophisticated Triada Trojan in the firmware of more than 40 low-cost Android smartphone models.

Discovered in early 2016 and considered one of the most advanced mobile threats out there, Triada stands out in the crowd because it abuses the Zygote parent process to inject its code in the context of all software on the device. The Trojan uses root privileges to replace system files and resides mainly in the device’s RAM, which makes it difficult to detect.

In April last year, security researchers discovered that Triada had adopted sandbox technology in an attempt to boost its detection evasion capabilities. Specifically, the malware was using the open source sandbox DroidPlugin, which allowed it to dynamically load and run code without going through the installation process.

Several months later, in July 2017, Doctor Web reported that Triada was present in the firmware of several low-cost Android smartphones. At the time, the list of infected device models included Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20.

Now, the security firm reveals that the Trojan comes pre-installed on a larger number of Android smartphone models, even on devices that were launched in December 2017. Overall, over 40 device models were found to be impacted, the security researchers say.

The specific malware variant found on these devices is detected as Android.Triada.231 and includes all of the capabilities a member of the Triada family comes with: it injects its module in the Zygote process to penetrate all running applications on the device.

This allows the Trojan to carry out a broad range of malicious activities without user interaction, such as covertly downloading and launching applications. Designed with a modular architecture, Triada can redirect financial SMS transactions to buy additional content or steal money from the user.

Because the malware authors managed to inject Android.Triada.231 into the libandroid_runtime.so system library, they are able to compromise a device’s firmware during the manufacturing process, and users end up receiving smartphones that have been already infected.

Doctor Web says they notified manufacturers who produced infected devices of the compromise last year, but infected models continue to be produced. One of these is the Leagoo M9 smartphone, which was announced in December 2017.

“Additionally, our analysts’ research showed that the Trojan’s penetration into firmware happened at request of the Leagoo partner, the software developer from Shanghai. This company provided Leagoo with one of its applications to be included into an image of the mobile operating system, as well as with an instruction to add third-party code into the system libraries before their compilation,” Doctor Web says.

Despite this controversial request, the manufacturer didn’t become suspicious and the Trojan ended up on the new smartphone model without any obstacles.

The security researchers also discovered that the malicious application was signed with the same certificate as Android.MulDrop.924, a Trojan discovered in 2016. This suggests that the developer requesting the addition of the code into the mobile operating system image might be involved in the distribution of Triada.

Doctor Web published a list of the 40 device models infected with Triada, but warns that the list might not be comprehensive, as other compromised smartphones could exist out there. Impacted manufacturers include Leagoo, ARK, Zopo, Doogee, Vertex, Advan, Cubot, Prestigio, Pelitt, and more.

“Such widespread distribution of Android.Triada.231 shows that many Android device manufacturers pay little attention to security questions and penetration of the Trojan code into system components. This can be due to error or malicious intent and is likely common practice,” the researchers point out.


Payment Card Breach Hits Some Applebee's Restaurants
5.3.2018 securityweek
Virus

RMH Franchise Holdings revealed on Friday that malware had been found on point-of-sale (PoS) systems at the Applebee’s restaurants it operates as a franchise.

RMH disclosed the incident on Friday afternoon, which often indicates an attempt to avoid the news cycle and fly under the radar. The company posted a link to the data breach notice on the homepage of its website, but it did not announce anything on social media.

According to the data breach notice, the incident affects more than 160 restaurants in Alabama, Arizona, Florida, Illinois, Indiana, Kansas, Kentucky, Missouri, Mississippi, Nebraska, Ohio, Pennsylvania, Texas and Wyoming. This represents nearly all the restaurants operated by RMH.

In a vast majority of cases, the malware was present on PoS systems between December 6, 2017 and January 2, 2018, but in a small number of restaurants the malware had been active since November 23 or December 5, 2017. The company said the breach does not impact payments made online or using self-pay tabletop devices.

The breach was discovered on February 13 and RMH launched an investigation in cooperation with cybersecurity experts and law enforcement.

The company said the malware was designed to collect names, credit or debit card numbers, expiration dates, and card verification codes.

RMH pointed out that its payment systems are isolated from the broader Applebee’s network, which is not affected by this incident.

“Moving forward, RMH is continuing to closely monitor its systems and review its security measures to help prevent something like this from happening again,” RMH said. “RMH is pleased to report that the incident has been contained and guests may use their cards with confidence at the RMH Applebee’s locations that were affected by this incident.”

Several major restaurant chains disclosed payment card breaches last year, including Arby’s, Chipotle, Sonic Drive-In, and Shoney’s. Amazon's Whole Foods Market also informed customers that taprooms and full table-service restaurants at nearly 100 locations were hit by a breach.


Largest Ever 1.3Tbps DDoS Attack Includes Embedded Ransom Demands
5.3.2018 securityweek
Attack

[UPDATED - New record set at 1.7Tbs] On Tuesday, February 27, three major DDoS mitigation service providers (Akamai, Cloudflare and Arbor) warned that they had seen spikes in a relatively rare form of reflection/amplification DDoS attack via Memcached servers. Each service provider warned that this type of reflection attack had the potential to deliver far larger attacks.

One day later, Wednesday, February 28, GitHub was hit by the largest DDoS attack that had ever been disclosed -- more than twice the size of the Mirai attack of 2016, peaking at 1.3Tbps. And still the potential, in the short term at least, is for even larger attacks.

Amplification attacks are generated when a server can be 'tricked' into sending a larger response than the initial query. Reflection occurs when the requesting IP is spoofed. The result is that multiple servers can be tricked into sending large responses to a single target IP, rapidly overwhelming it with the volume sent.

Memcached servers are particularly vulnerable to such a use whenever they are left accessible from the public internet. In theory, this should never -- or at least very rarely -- happen; in practice there are various estimates of between 50,000 and more than 100,000 vulnerable servers. Because the service was designed for use internally within data centers, it has no inbuilt security and can be easily compromised by attackers.

The purpose of Memcached servers is to cache frequently used data to improve internal access speeds. Its default service is via UDP. Because it can be easily compromised, the data it caches can be configured by the attackers. The result is that small requests to the server can result in very large replies from the cache. Researchers suggest, in theory, the reply could be up to 51,000 times the size of the request. This is the amplification side of the attack -- the ability to amplify a 203-byte request into a 100-megabyte response.

If the requests include a spoofed IP address, the reply can be sent to a different target IP address. This is the redirection side of the attack. If successive requests are made to multiple compromised Memcached servers all delivered to a single target IP, the result is an amplification/redirection DDoS attack such as that delivered against GitHub on 28 February.

This attack was described by GitHub Engineering on Thursday. "The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints." It started at 17:21 UTC when GitHub's network monitoring detected an anomaly in the ratio of ingress to egress traffic. Within 5 minutes GitHub decided to call on Akamai's DDoS mitigation service.

"At 17:26 UTC the command was initiated via our ChatOps tooling to withdraw BGP announcements over transit providers and announce AS36459 exclusively over our links to Akamai." Akamai took over mitigation, and by 17:30, GitHub had recovered. Akamai's own statistics show that the attack peaked at 1.35 Tbps before tailing off; and was followed by a smaller, yet still very large, attack of around 400 Gbps just after 18:00 UTC.
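GitHub's trigger, as described above, was the ratio of ingress to egress traffic. The Python below is an added example written for this article, not GitHub's or Akamai's tooling: it computes that ratio over summarized flow records for a one-minute window, compares it with a baseline, and separately measures how much of the ingress carries the memcached reflection signature the article describes (UDP arriving from source port 11211), so a volumetric alert can be attributed to this vector rather than to a generic flood. All flow records are constructed; a web service normally sends more than it receives, which is why the baseline ratio is well below one.

```python
def flow(direction, proto, src_port, dst_port, nbytes):
    """One summarized flow record; 'in' means traffic arriving at our edge."""
    return {"dir": direction, "proto": proto, "src_port": src_port,
            "dst_port": dst_port, "bytes": nbytes}


# constructed one-minute windows (not real telemetry)
BASELINE_WINDOW = [
    flow("in", "tcp", 51000, 443, 4000),
    flow("in", "tcp", 51001, 443, 6000),
    flow("out", "tcp", 443, 51000, 30000),
    flow("out", "tcp", 443, 51001, 20000),
]

# the same service traffic plus reflected memcached responses: UDP, source port 11211
ATTACK_WINDOW = BASELINE_WINDOW + [
    flow("in", "udp", 11211, 40000 + k, 140000) for k in range(5)
]


def ingress_egress_ratio(flows):
    """Bytes in divided by bytes out for the window (inf if nothing went out)."""
    ingress = sum(f["bytes"] for f in flows if f["dir"] == "in")
    egress = sum(f["bytes"] for f in flows if f["dir"] == "out")
    return ingress / egress if egress else float("inf")


def memcached_reflection_share(flows):
    """Fraction of ingress bytes that arrive as UDP from source port 11211."""
    ingress = [f for f in flows if f["dir"] == "in"]
    total = sum(f["bytes"] for f in ingress)
    reflected = sum(f["bytes"] for f in ingress
                    if f["proto"] == "udp" and f["src_port"] == 11211)
    return reflected / total if total else 0.0


def assess(window, baseline_ratio, ratio_factor=3.0, min_share=0.5):
    """Raise an alert when ingress outgrows egress by ratio_factor over the
    baseline; attribute it to memcached reflection when at least min_share of
    the ingress bytes carry the reflection signature."""
    ratio = ingress_egress_ratio(window)
    share = memcached_reflection_share(window)
    alert = ratio > baseline_ratio * ratio_factor
    return {
        "ratio": round(ratio, 3),
        "reflection_share": round(share, 3),
        "alert": alert,
        "likely_memcached_reflection": alert and share >= min_share,
    }


if __name__ == "__main__":
    base = ingress_egress_ratio(BASELINE_WINDOW)
    print(assess(BASELINE_WINDOW, base))
    print(assess(ATTACK_WINDOW, base))
```

The attribution matters operationally: a memcached-reflection verdict points at a filter on UDP source port 11211 at the edge, whereas a generic ratio alert without that signature needs a different response.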

Akamai's own brief report on the incident comments, "Many other organizations have experienced similar reflection attacks since Monday, and we predict many more, potentially larger attacks in the near future. Akamai has seen a marked increase in scanning for open memcached servers since the initial disclosure."

Small DDoS attacks are often delivered as an extortion 'warning', with a demand for payment to prevent a larger attack. Cybereason has noticed that this process was reversed in the GitHub attack -- the attack itself contained the extortion demand: "the same memcached servers used in the largest DDoS attack to date are including a ransom note in the payload that they're serving," it reported on Friday.

The extortion note, which occurs in a line of Python code delivered by the compromised Memcached servers, demands payment of 50 XMR (the symbol for the Monero cryptocurrency). This would have been approximately $15,000.

"It is a pretty clever trick to embed the ransom demand inside the DOS payload," Nick Bilogorskiy, cybersecurity strategist at Juniper Networks, told SecurityWeek. "It is also fitting with the times that attackers are asking for Monero rather than Bitcoin because Monero disguises the origin, destination and amount of each transaction, making it more suitable for ransoms."

There is no way of knowing whether any of the recent Memcached DDoS victims have paid a Monero ransom.

Memcached attacks are not entirely new, but have been relatively rare before the last ten days. The DDosMon from Qihoo 360 monitors amplification attack vectors and its figures show generally less than 100 attacks per day since at least November 2017. On 24 February this spiked to more than 400 attacks, followed by an increase to more than 700 in the following days.

It is thought that until recently Memcached attacks were deployed manually by skilled attackers, but that the attack techniques have now been weaponized and made available to all skill-levels via so-called booter/stresser botnets. This is what makes it likely that there will be more and potentially larger Memcached attacks in the future.

But it's not all doom and gloom. The number of vulnerable servers is already decreasing as operators begin to secure their Memcached servers.

"Overall memcached is expected to top the DDoS charts for a relatively short period of time," Ashley Stephenson, CEO, Corero Network Security, told SecurityWeek by email. "Ironically, as we have seen before, the more attackers who try to leverage this vector the weaker the resulting DDoS attacks as the total bandwidth of vulnerable servers is fixed and is shared across the victims. If a single attack could reach 200G, then with only 10 bad actors worldwide trying to use this vector at the same time they may only get 20G each. If there are hundreds of potential bad actors jumping on the memcached bandwagon, this once mighty resource could end up delivering just a trickle of an attack to each intended victim."

UPDATE - New record set at 1.7Tbps - As predicted, the Memcached DDoS methodology has already created a new world record. Netscout Arbor has today confirmed a 1.7Tbps DDoS attack against the customer of a U.S.-based service provider. This attack was recorded by Netscout Arbor’s ATLAS global traffic and threat data system, and is more than 2x the largest Netscout Arbor had previously seen. No further details are yet available.


Critical flaw in Pivotal’s Spring Data REST allows to hack any machine that runs an application built on its components
5.3.2018 securityaffairs
Vulnerebility

A critical flaw in Pivotal’s Spring Data REST allows remote attackers to execute arbitrary commands on any machine that runs an application built using its components.
Pivotal’s Spring Data REST project is affected by a critical vulnerability, tracked as CVE-2017-8046, that was discovered by security researchers at Semmle/lgtm.

Pivotal’s Spring Framework is a platform widely used by development teams for building web applications.

Spring Data REST builds on top of Spring Data repositories and exposes hypermedia-driven HTTP resources (collection, item, and association resources) for the aggregates contained in the model.

The components included in the Spring Data REST are used by developers to build Java applications that offer RESTful APIs to underlying Spring Data repositories.

The vulnerability is similar to the weaknesses found in Apache Struts that resulted in the Equifax data breach.

“Security researchers at lgtm.com have discovered a critical remote code execution vulnerability that affects various projects in Pivotal Spring, the world’s most popular framework for building web applications.” reads the security advisory published by Semmle/lgtm. “The vulnerability allows attackers to execute arbitrary commands on any machine that runs an application built using Spring Data REST.”

Pivotal's Spring Data REST

This flaw lies in the way Spring’s own expression language (SpEL) is used in the Data REST component. The lack of validation of the user input allows the attacker to execute arbitrary commands on any machine that runs an application built using Spring Data REST.

“Virtually every modern web application will contain components that communicate through REST interfaces, ranging from online travel booking systems, mobile applications and internet banking services,” continues the advisory.

Pivotal issued a security patch for a vulnerability it refers to as DATAREST-1127 as part of its Spring Boot 2.0 update.

“Malicious PATCH requests submitted to spring-data-rest servers can use specially crafted JSON data to run arbitrary Java code.” reads the security advisory published by Pivotal.
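The root cause described above is that a field of the PATCH document was handed to an expression evaluator instead of being treated as data. The safe shape of that processing is to resolve each JSON Pointer against the resource’s declared schema by plain lookup and reject anything that does not name a known field. The Python below is an added example written for this article, not Pivotal’s code or the patched Spring Data REST logic; the Person schema and the PATCH documents are constructed.

```python
import re

# constructed schema for a hypothetical Person resource: field -> Python type,
# nested dict for embedded objects, one-element list for arrays
PERSON_SCHEMA = {
    "firstName": str,
    "lastName": str,
    "age": int,
    "address": {"street": str, "city": str},
    "nicknames": [str],
}

PATCH_OPS = {"add", "remove", "replace", "move", "copy", "test"}


def resolve_pointer(schema, path):
    """Walk an RFC 6901 JSON Pointer through the declared schema.

    Every segment is treated as a dictionary key or array index and nothing in
    the path is ever evaluated. Returns the declared type at the target or
    raises ValueError for anything that does not name a known field.
    """
    if not path.startswith("/"):
        raise ValueError("pointer must start with '/' (whole-document patches are not accepted)")
    node = schema
    for raw in path[1:].split("/"):
        segment = raw.replace("~1", "/").replace("~0", "~")
        if isinstance(node, dict):
            if segment not in node:
                raise ValueError("unknown field %r" % segment)
            node = node[segment]
        elif isinstance(node, list):
            if segment != "-" and not re.fullmatch(r"0|[1-9][0-9]*", segment):
                raise ValueError("bad array index %r" % segment)
            node = node[0]
        else:
            raise ValueError("cannot descend into scalar with %r" % segment)
    return node


def validate_patch(schema, operations):
    """Return a list of (operation_index, message); an empty list means the
    PATCH only names declared fields and carries values of the declared types."""
    errors = []
    for n, op in enumerate(operations):
        kind = op.get("op")
        if kind not in PATCH_OPS:
            errors.append((n, "unsupported op %r" % kind))
            continue
        pointer_keys = ("path", "from") if kind in {"move", "copy"} else ("path",)
        for key in pointer_keys:
            try:
                target = resolve_pointer(schema, op.get(key, ""))
            except ValueError as exc:
                errors.append((n, "%s: %s" % (key, exc)))
                continue
            if key == "path" and kind in {"add", "replace", "test"}:
                if "value" not in op:
                    errors.append((n, "missing value"))
                elif isinstance(target, type) and not isinstance(op["value"], target):
                    errors.append((n, "value for %s must be %s" % (op["path"], target.__name__)))
    return errors


if __name__ == "__main__":
    print(validate_patch(PERSON_SCHEMA, [{"op": "replace", "path": "/address/city", "value": "Paris"}]))
    print(validate_patch(PERSON_SCHEMA, [{"op": "replace", "path": "/notAField", "value": 1}]))
```

The point of the design is that the validator never interprets the path: whatever string arrives, it either equals a declared key or is rejected, so there is no evaluator for crafted input to reach. Fix the library version as the advisory says; a check like this is defence in depth at the API boundary, not a substitute for the patch.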

Researchers from lgtm.com worked closely with Pivotal to fix the issue before publicly disclosing it, the intent being to give Spring Data REST users sufficient time to update their apps.

The experts urge users to apply the fix, because the flaw allows remote attackers to execute arbitrary commands on any machine that runs an application built using Spring Data REST.

The exploitation of the flaw in RESTful APIs could allow hackers to easily gain control over production servers and access sensitive information.

“This vulnerability in Spring Data REST is unfortunately very easy to exploit. As it is common for RESTful APIs to be publicly accessible, it potentially allows bad actors to easily gain control over production servers and obtain sensitive user data.” explained Man Yue Mo, lgtm.com security researcher at Semmle who discovered the issue.

The affected Spring products and components are:

Spring Data REST components, versions prior to 2.5.12, 2.6.7, 3.0RC3
(Maven artifacts: spring-data-rest-core, spring-data-rest-webmvc, spring-data-rest-distribution, spring-data-rest-hal-browser)
Spring Boot, versions prior to 2.0.0M4
(when using the included Spring Data REST component: spring-boot-starter-data-rest)
Spring Data, versions prior to Kay-RC3
Hurry up and upgrade the above components to the latest versions.


New attacks on 4G LTE networks can allow to spy on users and spoof emergency alerts
5.3.2018 securityaffairs Mobil 
Attack

A group of researchers discovered a number of weaknesses in the 4G LTE networks that could be exploited by attackers to eavesdrop on phone calls and text messages, knock devices offline, track location, and spoof emergency alerts.
A group of researchers from Purdue and the University of Iowa have discovered a number of vulnerabilities affecting the 4G LTE networks that could be exploited by attackers to eavesdrop on phone calls and text messages, knock devices offline, track location, and spoof emergency alerts.

The experts detailed ten different attacks in a research paper; the attacks leverage weaknesses in three critical protocol operations of the cellular network, such as securely attaching a device to 4G LTE networks and maintaining a connection to receive calls and messages.

“In this paper, we investigate the security and privacy of the three critical procedures of the 4G LTE protocol (i.e., attach, detach, and paging), and in the process, uncover potential design flaws of the protocol and unsafe practices employed by the stakeholders.” reads the paper published by the experts. “For exposing vulnerabilities, we propose a model based testing approach LTEInspector which lazily combines a symbolic model checker and a cryptographic protocol verifier in the symbolic attacker model.”

The researchers devised a testing framework dubbed LTEInspector that they used to detect vulnerabilities in LTE radios and networks.

The group tested eight of the ten attacks using SIM cards from four large US carriers.

The researchers demonstrated how to conduct authentication relay attacks that allow them to bypass the network authentication and masquerade as a victim’s device.

An attacker can access 4G LTE networks and impersonate the victim.

“Using LTEInspector, we have uncovered 10 new attacks along with 9 prior attacks, categorized into three abstract classes (i.e., security, user privacy, and disruption of service), in the three procedures of 4G LTE.” continues the paper.
“Notable among our findings is the authentication relay attack that enables an adversary to spoof the location of a legitimate user to the core network without possessing appropriate credentials. To ensure that the exposed attacks pose real threats and are indeed realizable in practice, we have validated 8 of the 10 new attacks and their accompanying adversarial assumptions through experimentation in a real testbed”

4G LTE networks

The researchers highlighted the dangers related to the exploitation of the flaws: an attacker can spoof the location of the victim device, which could interfere with criminal investigations by planting false location information and allow crooks to create fake evidence.

The weaknesses could also be exploited by threat actors to cause chaos by injecting fake warning messages, emergency notices, and Amber alerts into 4G LTE networks.

In one of the scenarios tested by the researchers, a major US carrier never used encryption for control plane messages, allowing an attacker to eavesdrop on SMS messages and other sensitive data. The good news is that the carrier promptly addressed the issue and deployed a fix.

The worrying aspect of this research is that the attacks can be carried out with cheap equipment (common software-defined radio devices) and open source 4G LTE protocol software that anyone can buy.

Anyone can build the equipment needed for the attacks for as little as $1,300 to $3,900.

The researchers said they plan to release proof-of-concept code once the vulnerabilities have been fixed.


Applebee’s restaurants suffered payment card breach
5.3.2018 securityaffairs
Virus

RMH Franchise Holdings revealed on Friday afternoon that PoS systems at its Applebee’s restaurants were infected with PoS malware.
Another week, another data breach: RMH Franchise Holdings revealed last week that PoS systems at the Applebee’s restaurants it operates were infected with malware.

The PoS malware was used to collect names, payment card numbers, expiration dates, and card verification codes.

On Friday afternoon, RMH Franchise Holdings published a link to the data breach notice on its website.

“RMH Franchise Holdings (“RMH”) recently learned about a data incident affecting certain payment cards used at RMH-owned Applebee’s restaurants that we operate as a franchisee.” states the notice of the data breach.

“We are providing this notice to our guests as a precaution to inform them of the incident and to call their attention to some steps they can take to help protect themselves. RMH operates its point-of-sale systems isolated from the broader Applebee’s network, and this notice applies only to RMH-owned Applebee’s restaurants.”

The security breach was discovered on February 13, and RMH promptly started an investigation with the help of third-party cyber security experts and law enforcement.

The malware was active between December 6, 2017, and January 2, 2018; in some cases it had been present on the PoS systems of restaurants since November 23 or December 5, 2017.

Almost every restaurant operated by RMH was impacted: the incident affects more than 160 restaurants in Alabama, Arizona, Florida, Illinois, Indiana, Kansas, Kentucky, Missouri, Mississippi, Nebraska, Ohio, Pennsylvania, Texas, and Wyoming.

The security breach does not affect online payment systems, and customers who used self-pay tabletop devices were not affected either.

RMH also clarified that, because it operates its PoS systems in isolation from the broader Applebee’s network, the incident is limited to RMH-owned restaurants.

“After discovering the incident on February 13, 2018, RMH promptly took steps to ensure that it had been contained. In addition to engaging third-party cyber security experts to assist with our investigation, RMH also notified law enforcement about the incident and will continue to cooperate in their investigation,” RMH added.

“Moving forward, RMH is continuing to closely monitor its systems and review its security measures to help prevent something like this from happening again.”


Windows Defender ATP Detects Spyware Used by Law Enforcement: Microsoft
5.3.2018 securityweek
Virus

Microsoft Dissects FinFisher’s Complex Infection Process

Windows Defender Advanced Threat Protection (Windows Defender ATP) is capable of detecting behavior associated with the sophisticated FinFisher spyware, Microsoft says, after performing an in-depth analysis of the malware’s infection process.

FinFisher is a lawful interception solution built by Germany-based FinFisher GmbH, which sells it exclusively to governments. Also referred to as FinSpy, the malware has been around for over half a decade and has been associated with various surveillance campaigns.

In September last year, after the malware was observed exploiting a .NET Framework zero-day (CVE-2017-8759) for infection, ESET warned that Internet service providers (ISPs) might be involved in FinFisher’s distribution process.

According to Microsoft, FinFisher is complex enough to require “special methods to crack it” but, despite its sophistication, the malware cannot go unnoticed by its security tools. These include Office 365 Advanced Threat Protection (Office 365 ATP) and Windows Defender ATP, which is set to arrive on Windows 7 and Windows 8.1 devices this summer.

Packed with various detection, evasion and anti-analysis capabilities, including junk instructions and “spaghetti code,” multi-layered virtual machine detection, and several anti-debug and defensive measures, FinFisher wasn’t easy to tear apart and analyze, Microsoft says.

Through the addition of continuous code jumps (spaghetti code), FinFisher’s authors ensured that the program flow is difficult to read and can confuse disassemblers. While reversing plugins that may help in such situations exist, none was found to work with this malware, and Microsoft had to come up with its own.

The first thing the company discovered was an array of opcode instructions that a custom virtual machine program can interpret: 32 different routines were identified, each implementing a different opcode and a piece of functionality that the malware program may execute.

Not only does the use of virtualized instruction blocks ensure that analysis using regular tools is not possible, but anti-debug and anti-analysis tricks in the virtualized code attempt to evade dynamic analysis tools as well.

“Each virtual instruction is stored in a special data structure that contains all the information needed to be properly read and executed by the VM. […] The VM handler is completely able to generate different code blocks and deal with relocated code due to address space layout randomization (ASLR). It is also able to move code execution into different locations if needed,” the software giant explains.
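To make the VM layer concrete, here is an added illustration in Python (not Microsoft’s analysis tooling and not FinFisher’s own implementation): a toy stack VM whose instructions are self-describing records with XOR-hidden operands and an arbitrary opcode table, a virtual program padded with junk blocks and jumps over them, and the flow-following lifter an analyst has to write to recover the real program. The record layout, the opcode numbers and the sample program are invented for this example.

```python
"""Toy instruction-set VM in the style FinFisher's loader uses, plus the
flow-following lifter an analyst writes to read the virtual program.
Constructed illustration: the record layout, opcode numbers and program
below are invented for this example and are not FinFisher's."""
from dataclasses import dataclass


# Each virtual instruction is a self-describing record: opcode, operand and a
# per-instruction XOR key that hides the operand until the handler runs.
@dataclass(frozen=True)
class VInstr:
    opcode: int
    enc_operand: int
    key: int

    @property
    def operand(self) -> int:
        return self.enc_operand ^ self.key


# The opcode numbering is arbitrary and differs per VM layer (FinFisher's
# stage 1 and stage 2 VMs use different tables); only the handlers give the
# numbers meaning, which is why a stock disassembler shows nothing useful.
OPS = {0x13: "PUSH", 0x2A: "ADD", 0x07: "XOR", 0x3C: "JMP", 0x51: "RET"}
MNEMONIC_TO_OPCODE = {name: op for op, name in OPS.items()}


def vi(name: str, operand: int = 0, key: int = 0x5A5A5A5A) -> VInstr:
    """Assemble one encoded instruction (helper for building the sample)."""
    return VInstr(MNEMONIC_TO_OPCODE[name], operand ^ key, key)


# Sample virtual program: computes (0x41414141 ^ 1) + 0x100, with junk blocks
# and jumps over them ("spaghetti") so a linear sweep would decode dead code.
PROGRAM = [
    vi("PUSH", 0x41414141),  # 0
    vi("JMP", 2),            # 1: hop to 4
    vi("PUSH", 0xDEADBEEF),  # 2: junk, never executed
    vi("RET"),               # 3: junk
    vi("XOR", 0x1),          # 4
    vi("JMP", 1),            # 5: hop to 7
    vi("PUSH", 0xCAFE),      # 6: junk
    vi("PUSH", 0x100),       # 7
    vi("ADD"),               # 8
    vi("RET"),               # 9
]


def run(program) -> int:
    """The VM handler loop: fetch a record, decode it, dispatch on opcode."""
    stack, pc = [], 0
    while True:
        ins = program[pc]
        pc += 1
        name = OPS[ins.opcode]
        if name == "PUSH":
            stack.append(ins.operand)
        elif name == "ADD":
            b, a = stack.pop(), stack.pop()
            stack.append((a + b) & 0xFFFFFFFF)
        elif name == "XOR":
            stack.append(stack.pop() ^ ins.operand)
        elif name == "JMP":
            pc += ins.operand  # relative jump inside the virtual program
        elif name == "RET":
            return stack.pop()


def lift(program, start: int = 0):
    """Flow-following lifter: decode only what executes, resolving the VM's
    own jumps so junk blocks fall away. Returns (index, mnemonic, operand)."""
    listing, seen, pc = [], set(), start
    while 0 <= pc < len(program) and pc not in seen:
        seen.add(pc)
        ins = program[pc]
        name = OPS[ins.opcode]
        listing.append((pc, name, ins.operand))
        if name == "RET":
            break
        pc = pc + 1 + (ins.operand if name == "JMP" else 0)
    return listing


if __name__ == "__main__":
    for idx, name, operand in lift(PROGRAM):
        print(f"{idx:04x}: {name:<5} {operand:#010x}")
    print(f"result = {run(PROGRAM):#x}")
```

The point of the lifter is that it follows the virtual control flow rather than sweeping the instruction array linearly, so the junk blocks at indices 2, 3 and 6 never appear in the listing. A real devirtualizer additionally has to recover the handler semantics for each of the 32 opcodes from the handler code itself, since the table is not labelled as it is here.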

The first stage of FinFisher is a loader meant to detect sandbox environments. If it passes the initial set of checks, the loader reads four imported libraries from disk (ntdll.dll, kernel32.dll, advapi32.dll, and version.dll) and remaps them in memory, rendering debuggers and software breakpoints useless.

Next, the malware performs additional anti-sandbox checks, likely in an attempt to avoid specific sandbox or security products, and also checks for virtualized environments (VMware or Hyper-V) and whether it is running under a debugger.

Only if all these checks are passed, the loader moves to the next step, which represents a second multi-platform virtual machine.

“The 32-bit stage 2 malware uses a customized loading mechanism (i.e., the PE file has a scrambled IAT and relocation table) and exports only one function. For the 64-bit stage 2 malware, the code execution is transferred from the loader using a well-known technique called Heaven’s Gate,” Microsoft explains.

The 64-bit stage 2 implements another loader and virtual machine, featuring an architecture similar to those in the previous stage, but using slightly different opcodes (which Microsoft lists on their site). The virtual machine extracts and decrypts the stage 3 malware. After decryption, the payload is remapped and executed in memory.

Stage 3, which represents the installation and persistence stage of the malware, is the setup program for FinFisher and no longer employs a VM or obfuscation. The code can install the malware in a UAC-enforced environment with limited privileges, or with full-administrative privileges enabled. However, no privilege escalation code was found in the malware.

During this installation step, stage 4, stage 5, and stage 6 payloads, along with additional files, are potentially dropped under a folder located in C:\ProgramData or in the user application data folder. Stage 4 is a loader for UAC bypass or installation with admin rights, stage 5 is a payload injected into explorer.exe or winlogon.exe, while stage 6 is the main malware executable.

The stage 5 malware only provides one more layer of obfuscation for the final payload (through the VM) and sets up a special Structured Exception Handler routine to ensure stealthy operation. After checking the environment once again, it proceeds to extract and execute the final payload inside the injected process (it uses RunDll to implement the spyware).


SgxPectre attack can reveal the content of SGX enclaves
5.3.2018 securityaffairs
Attack

A group of researchers from the Ohio State University has discovered a new variation of the Spectre attack, named SgxPectre, that can reveal the content of Intel SGX enclaves.

Intel Software Guard eXtensions (SGX) is a technology that lets application developers protect selected code and data from disclosure or modification. The protected code runs inside an Intel SGX enclave, an isolated region of memory that even a compromised operating system is not supposed to be able to read.

We have long discussed both the Spectre and Meltdown vulnerabilities in Intel processors and the ways to exploit them.

The Meltdown attack could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.

Meltdown exploits speculative execution to breach the isolation between user applications and the operating system, so that any application can read all of system memory.

The Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from within the same process: for example, malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing to leak information from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

While exploitation of Meltdown or Spectre does not allow attackers to extract data from SGX enclaves, the SgxPectre attack exploits the same CPU bugs to reveal the content of the enclave.

“SGXPECTRE Attacks that exploit the recently disclosed CPU bugs to subvert the confidentiality of SGX enclaves. Particularly, we show that when branch prediction of the enclave code can be influenced by programs outside the enclave, the control flow of the enclave program can be temporarily altered to execute instructions that lead to observable cache-state changes.” reads the paper published by the researchers.

“An adversary observing such changes can learn secrets inside the enclave memory or its internal registers, thus completely defeating the confidentiality guarantee offered by SGX.”

According to the experts, almost any enclave program could be vulnerable to SgxPectre.

The SgxPectre attack leverages specific code patterns in the software libraries that developers use to add SGX support to their applications. The required code patterns are present in most SGX runtimes, including the Intel SGX SDK, Rust-SGX, and Graphene-SGX.

In essence, SgxPectre is a cache side-channel attack against enclave programs, with branch prediction poisoned from outside the enclave to steer the enclave’s speculative execution.

The researchers explained that their attack relies on the repetitive code execution patterns that the software development kits introduce into SGX enclaves and on the resulting changes in cache state, which can be observed from outside the enclave.

“In particular, because vulnerable code patterns exist in most SGX runtime libraries (e.g., Intel SGX SDK, Rust-SGX, Graphene-SGX) and are difficult to be eliminated, the adversary could perform SGXPECTRE Attacks against any enclave programs.” continues the paper.

“We demonstrate end-to-end attacks to show that the adversary could learn the content of the enclave memory, as well as its register values in such attacks”

Intel plans to address SgxPectre with a security update for the Intel SGX SDK that will be released on March 16.

Developers will need to rebuild their applications with the new SDK version.

The experts released a video PoC of the attack, and the PoC code was published on GitHub.


GCHQ fears energy smart meters could expose millions of Britons to hacking
4.3.2018 securityaffairs BigBrothers

In the United Kingdom, new smart energy meters that are set to be installed in 27 million homes have been found vulnerable by GCHQ.
Unsecured IoT devices are a privileged target for hackers, and unfortunately smart energy meters belong to this category.

In the UK, new smart energy meters that are set to be installed in 27 million homes were found vulnerable by GCHQ.

According to the intelligence agency, the vulnerabilities could be exploited by hackers to compromise the devices, posing a serious risk to users.

In 2017, some energy providers in the UK, including British Gas, E.on, Npower, Scottish Power and EDF, started testing SMETS 2 smart energy meters, the successor of SMETS 1 meters.

The new model addresses several issues that affected the 8 million SMETS 1 meters already deployed.

SMETS 2 smart energy meters solved various problems that both consumers and energy firms faced with the first-generation SMETS 1 meters. Unlike the older SMETS 1 meters, SMETS 2 meters let UK energy suppliers receive meter readings remotely and electronically.


The SMETS 2 smart energy meters were also designed to interoperate with different suppliers, so consumers can change energy provider without needing to change the meter.

According to a report published by the Telegraph, GCHQ has raised concerns over the security of the smart energy meters: attackers could hack them to steal personal details and defraud consumers by tampering with their bills.

“Cyber security experts say that making the meters universal will make them more attractive to hackers because the potential returns are so much greater if they can hack every meter using the same software.” states The Telegraph.

“The cyber criminals are able to artificially inflate meter readings, making bills higher.

They then try to intercept payments, and if they simply skim off the difference between the real reading and the false reading, energy companies will think the bill has been paid normally.”

The intelligence agency also warned that attackers could use the devices as a “Trojan horse” to get into customers’ home networks.

The UK Government also fears that nation-state actors could exploit the flaws in the energy smart meters to create a power surge that would damage the National Grid.

Security experts also warn of BlueBorne-style attacks that could expose smart meters to hacking via their Bluetooth connections.

Robert Cheesewright of Smart Energy GB, the government-funded agency promoting the smart meter roll-out, tried to downplay the risks, explaining that no financial data is handled directly by the devices; evidently, his explanation does not consider the other attack scenarios described above, such as bill tampering and pivoting into the home network.

“Smart meters are one of the safest and most secure pieces of technology in your home.” said Robert Cheesewright.

“Only energy data is stored on a meter and this is encrypted. Your name, address, bank account or other financial details are not stored on the meter.”

Risks associated with vulnerable smart meters have been analyzed in the past: in 2014, security researchers Javier Vazquez Vidal and Alberto Garcia Illera discovered that millions of network-connected electricity meters in Spain were susceptible to cyberattack due to a lack of proper security controls.


Bitcoin-linked heist: thieves steal 600 powerful computers in Iceland
4.3.2018 securityaffairs Cryptocurrency

Thieves stole 600 powerful computers in a huge heist in Iceland, intending to use them to mine Bitcoin.
Cybercriminal organizations continue to show great interest in cryptocurrencies, and the number of crimes against the cryptocurrency industry is on the rise.

News of the day is that crooks have stolen 600 powerful computers from data centers in Iceland to use for Bitcoin mining. At the time of writing, the computers, worth almost $2 million, have not been found.

“Some 600 computers used to “mine” bitcoin and other virtual currencies have been stolen from data centers in Iceland in what police say is the biggest series of thefts ever in the North Atlantic island nation.” reads the post published by The Associated Press.

The thieves stole 600 graphics cards, 100 processors, 100 power supplies, 100 motherboards and 100 sets of computer memory to use in this lucrative activity.

The Icelandic media dubbed the crime the “Big Bitcoin Heist”; the authorities have arrested 11 people, including a security guard.

A judge at the Reykjanes District Court on Friday ordered two people to remain in custody.

“This is a grand theft on a scale unseen before,” Police Commissioner Olafur Helgi Kjartansson said. “Everything points to this being a highly organized crime.”


The thefts occurred between late December and early January; the members of the gang were identified thanks to the surveillance cameras used by the server company Advania.

Advania suffered two of the four thefts; the company had been offering its customers access to bitcoin-mining rigs, which is why crooks targeted it.

The police are searching for any evidence that could lead to the thieves, and authorities are also tracking energy consumption across Iceland in case the computers are switched on. A spike in energy consumption could reveal their location if the thieves do not take measures to avoid being tracked.

“Police tracking the stolen computers are monitoring electric consumption across the country in hopes the thieves will show their hand, according to an industry source who spoke on condition of anonymity because he is not allowed to speak to the media.” concluded the Associated Press.

“Unusually high energy usage might reveal the whereabouts of the illegal bitcoin mine.”

Iceland is an attractive place to find cheap, renewable energy for crypto mining.


Where is encryption heading?

4.3.2018 SecurityWorld Cryptography
The move from SHA-1 to SHA-2, a congressional victory over backdoors and the rise of encrypted communication are leading us toward a safer world.

It looks as though technology evolves faster every year. There is always one laggard, however: encryption. Why such a deliberate pace? Because one small mistake can block communication and bury a company.

There are moments, though, when it pays to look up, for instance to discover that the encryption landscape has changed practically overnight. That time is now. Although the changes have arrived gradually over several years, the cumulative effect is dramatic.

Some of these changes began shortly after Edward Snowden’s disclosures about the extent of the US government’s surveillance program. Others are the natural consequence of cryptographic ideas reaching the market, explains Brent Waters of the University of Texas.

“Many of these newly available tools and applications are based on research results from 2005 and 2006,” Waters explains. “We are only now realizing what kinds of encryption functions are possible.”

One step closer

Encrypted web traffic is the first step toward a safer internet, one where attackers cannot eavesdrop on private communications, financial transactions or general online activity.

Many sites, including Google and Facebook services, have turned on HTTPS by default for all users. For most domain owners, however, buying and deploying SSL/TLS certificates to secure communication with their sites has been an expensive and complicated effort.

Fortunately, the Let’s Encrypt initiative and its free SSL/TLS certificates have transformed the whole ecosystem and given domain owners the tools to turn on HTTPS on their sites easily.

This non-profit certificate authority, run by the Internet Security Research Group (ISRG), is backed by giants such as Mozilla, the Electronic Frontier Foundation, Cisco and Akamai.

How ubiquitous has HTTPS become? In October last year Josh Aas, head of Let’s Encrypt and a former Mozilla employee, published a Mozilla telemetry chart showing that more than 50 percent of web pages are now loaded over HTTPS.

Although the chart covers only Firefox users, the figure is still significant, because for the first time the number of encrypted page loads exceeded the number of unencrypted ones. NSS Labs expects the trend to continue and predicts that 75 percent of all web traffic will be encrypted by 2019.

Free certificate offerings will accelerate adoption further. By next year the number of free publicly trusted certificates issued will probably exceed the number of paid ones, says Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, a key management company.

Many enterprises are also starting to use the free services. Once the price of a certificate no longer matters, certificate authorities will focus on better tools for secure certificate management and on key protection.

Speaking of certificate management, it is worth recalling that after years of warnings that SHA-1 certificates are weak and vulnerable to attack, enterprises have begun upgrading their certificates en masse to ones that use SHA-2, the family of cryptographic hash functions replacing the obsolete SHA-1 algorithm.

The major browser makers, Google, Mozilla and Microsoft, committed to retiring SHA-1 early this year and to start blocking sites that still use the older certificates.

Facebook stopped serving SHA-1 connections and saw “no measurable impact,” says Wojciech Wojtyniak, a production engineer at Facebook.

According to Firefox telemetry, SHA-1 use on the internet fell from 3.5 percent to under one percent between May and October 2016. Enterprises cannot afford complacency, though: recent Venafi estimates suggest that roughly 60 million websites still use the insufficiently strong hash algorithm in their certificates.

“We look forward to the industry moving toward greater use of stronger certificates such as SHA-256,” adds Wojtyniak.
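To check which hash a certificate’s signature actually uses, the following added example (not SecurityWorld’s or any certificate authority’s code) walks the outer DER structure of an X.509 certificate and reads the signatureAlgorithm OID. The parser is a minimal hand-written TLV walker that needs only the standard library; the sample certificates it parses are constructed placeholders with a dummy tbsCertificate, so they exercise the parser only. In production, prefer a maintained library such as `cryptography`.

```python
"""Find which hash a certificate's signature uses by walking its DER.
Added example, not SecurityWorld's or any vendor's code: the parser is a
minimal TLV walker and the sample certificates are constructed placeholders
(the tbsCertificate is a dummy), so they are only good for this parser."""

WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
}
STRONG_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
}


def read_tlv(buf: bytes, pos: int):
    """Decode one DER tag-length-value at pos.
    Returns (tag, value_start, value_end); value_end is also the next TLV."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(value: bytes) -> str:
    """Base-128 OID decoding: first byte packs the first two arcs."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def signature_algorithm_oid(cert_der: bytes) -> str:
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }.
    Skip the tbsCertificate and pull the OID out of signatureAlgorithm."""
    tag, start, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, after_tbs = read_tlv(cert_der, start)        # tbsCertificate
    tag, alg_start, _ = read_tlv(cert_der, after_tbs)  # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(cert_der[oid_start:oid_end])


def classify_signature(cert_der: bytes):
    """Return (algorithm name, is_weak); unknown OIDs come back as (oid, None)."""
    oid = signature_algorithm_oid(cert_der)
    if oid in WEAK_SIGNATURE_OIDS:
        return WEAK_SIGNATURE_OIDS[oid], True
    if oid in STRONG_SIGNATURE_OIDS:
        return STRONG_SIGNATURE_OIDS[oid], False
    return oid, None


# --- constructed test input: a DER encoder for the outer certificate layout ---
def tlv(tag: int, value: bytes) -> bytes:
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + value


def encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return bytes(out)


def fake_cert(sig_oid: str, params: bytes = b"\x05\x00") -> bytes:
    """Placeholder certificate with the real outer structure but a dummy
    tbsCertificate; enough to exercise the parser, useless for anything else."""
    tbs = tlv(0x30, tlv(0x02, b"\x02"))
    sig_alg = tlv(0x30, tlv(0x06, encode_oid(sig_oid)) + params)
    sig_val = tlv(0x03, b"\x00" + bytes(4))
    return tlv(0x30, tbs + sig_alg + sig_val)


if __name__ == "__main__":
    import ssl
    import sys
    if len(sys.argv) > 1:  # hostname given: fetch the leaf certificate and check it
        pem = ssl.get_server_certificate((sys.argv[1], 443))
        print(classify_signature(ssl.PEM_cert_to_DER_cert(pem)))
    else:
        print(classify_signature(fake_cert("1.2.840.113549.1.1.5")))
```

Run it with a hostname to fetch and classify the server’s leaf certificate. Browsers judged the whole chain, so check every intermediate as well; only the root’s self-signature is irrelevant, because roots are trusted by their presence in the store rather than by verifying their signature. RFC 5280 requires the outer signatureAlgorithm to match the signature field inside tbsCertificate, so a mismatch between the two is itself a red flag.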

Encryption is king

Cryptography has taken several hits in recent months as researchers built cryptographic attacks such as DROWN, which can be used to decrypt a TLS connection between a user and a server if the server still supports SSLv2.

Another is Sweet32, which makes it possible to attack encrypted web connections by generating a large volume of web traffic over a single connection that uses a 64-bit block cipher.

State intelligence actors also have encryption in their sights. Juniper Networks recently discovered spying code implanted in specific models of its firewall and VPN devices. Many experts believe the NSA had a hand in it.

Shortly after a set of hacking tools allegedly belonging to the NSA found its way onto the black market, Cisco disclosed a flaw in its IOS, IOS XE and IOS XR software, which runs on many of its network devices.

The vulnerability, which could be exploited to obtain sensitive information from device memory, was similar to the one exploited by those tools and related to how the operating system handles the key exchange protocol for VPNs, Cisco said at the time.

Even Apple’s iMessage, a showcase of how companies can bring end-to-end encryption to the masses, has had its share of problems. Cryptography professor Matthew Green and his team of students at Johns Hopkins University managed to carry out an adaptive attack that, under certain circumstances, could decrypt iMessage communications and attachments.

The team also found that iMessage lacks forward secrecy (FS), which means attackers who obtain a key could decrypt previously encrypted messages, such as those stored in iCloud.

Forward secrecy works by rotating to fresh keys (for example after a set interval or per message) and discarding the old ones, so that even if attackers obtain the current key, messages encrypted under earlier keys cannot be recovered.
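The following added example (constructed here, not iMessage’s or Signal’s code) models forward secrecy with a symmetric key ratchet: every message key is derived one-way from a chain key that is then overwritten, so a key stolen later does not open earlier traffic. The KDF labels, the toy XOR stream cipher and the messages are assumptions made for the demonstration; a real protocol would use an AEAD cipher and add a Diffie-Hellman ratchet, and the example shows why that addition is needed.

```python
"""Symmetric key ratchet as a toy model of forward secrecy.  Constructed
example: the KDF labels, the XOR stream cipher and the messages are invented
here; this is not iMessage's or Signal's code."""
import hashlib
import hmac


def _kdf(key: bytes, label: bytes) -> bytes:
    """One-way derivation step (HMAC-SHA256); the input key cannot be recovered
    from the output, which is what makes the chain forward secret."""
    return hmac.new(key, label, hashlib.sha256).digest()


class Ratchet:
    """Each call hands out a fresh message key and advances the chain key,
    overwriting the old one.  A stolen chain key therefore yields only keys
    for messages not yet sent."""

    def __init__(self, root: bytes):
        self.chain = root

    def next_key(self) -> bytes:
        message_key = _kdf(self.chain, b"message")
        self.chain = _kdf(self.chain, b"chain")  # previous chain key is gone
        return message_key


def _keystream(message_key: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += _kdf(message_key, counter.to_bytes(4, "big"))
        counter += 1
    return bytes(out[:length])


def encrypt(message_key: bytes, plaintext: bytes) -> bytes:
    """Toy XOR stream cipher with no authentication; stands in for an AEAD."""
    stream = _keystream(message_key, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, stream))


decrypt = encrypt  # XOR with the same keystream undoes it


def run_demo(root: bytes = b"constructed-root-key-for-this-example") -> dict:
    sender, receiver = Ratchet(root), Ratchet(root)
    plaintexts = [b"first message", b"second message", b"third message"]
    wire = [encrypt(sender.next_key(), p) for p in plaintexts]
    received = [decrypt(receiver.next_key(), c) for c in wire]

    # Compromise: the attacker copies the sender's chain key after message 3.
    attacker = Ratchet(sender.chain)
    derivable = [attacker.next_key() for _ in range(8)]

    # Past traffic: none of the keys the attacker can derive opens message 1,
    # because the chain only moves forward through a one-way function.
    reads_past = any(decrypt(k, wire[0]) == plaintexts[0] for k in derivable)

    # Future traffic: the same chain key does yield the next message key, so a
    # symmetric ratchet alone gives forward secrecy but no recovery after a
    # compromise; Signal adds a DH ratchet to heal from this.
    fourth = b"fourth message"
    reads_future = decrypt(derivable[0], encrypt(sender.next_key(), fourth)) == fourth

    return {
        "receiver_ok": received == plaintexts,
        "attacker_reads_past": reads_past,
        "attacker_reads_future": reads_future,
    }


if __name__ == "__main__":
    print(run_demo())
```

A scheme without a ratchet, where every message is encrypted under the same long-lived key, fails the first check: one key compromise exposes everything ever sent, which is the iMessage weakness described above. Note also the second result: the symmetric ratchet protects the past but not the future, which is why deployed protocols combine it with periodic Diffie-Hellman key agreement.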

Despite all the bad news, one thing remains clear: cryptography is not broken. The mathematics behind cryptographic computations remains strong, and encryption is still the best way to protect information.

“The recent attacks were not about the math but about the implementation,” explains Waters. In fact, encryption works so well that attackers themselves rely on it.

Criminals can obtain keys and certificates to hide their activity inside encrypted traffic. The fact that this attack vector is quickly becoming criminals’ default behavior “almost defeats the whole point of adding more encryption,” says Bocek.

Cybercriminals also use encryption to maximize the impact of ransomware. Once files are encrypted, victims must either pay to obtain the key or wipe their systems and start over.

Just as attackers target vulnerable implementations, security researchers have successfully developed decryption tools for those ransomware variants that contained bugs in their encryption code.


Backdoors

Technology companies have always had to balance security and privacy against law enforcement’s demands for access to user information. FBI Director James Comey pushed hard for mandatory backdoors in technology products that use encryption, claiming that encrypting data thwarts criminal investigations.

Although companies have often quietly cooperated with intelligence agencies and law enforcement, the unprecedented confrontation between the FBI and Apple in recent years showed that companies are beginning to push back.

The FBI backed down in that fight, and a bipartisan working group was formed from the Judiciary and Energy and Commerce committees to study the encryption question. The Encryption Working Group flatly rejected Comey’s demands for backdoors and recommends exploring other solutions.

“Any measure that weakens encryption works against the national interest,” the working group said in its report. “Congress cannot stop bad actors, at home or overseas, from using encryption. Therefore the committees should explore other strategies to address the needs of the law enforcement community.”

Weakening encryption so that police could break into encrypted devices would speed up criminal investigations, but it would be a short-term win with “long-term consequences for the national interest,” the working group warned.

Alternative strategies include giving law enforcement legal means to compel suspects to unlock their devices, or improving the collection and analysis of metadata.

While the working group’s report suggests that the US Congress will not pursue legally mandated backdoors, further encryption battles loom on the horizon.

The report gives the impression that it supports police use of “lawful hacking” to break into products using software vulnerabilities known only to law enforcement and intelligence agencies, which can have security consequences of its own.

The technology industry has an interest in vulnerabilities being disclosed as soon as they are discovered, so that the government cannot stockpile them without oversight.

Comey’s demand for full access will thus, in the group’s words, more likely be realized in a variety of other forms.
Technology for everyone

Governments have for years kept repeating the fight-against-terrorists argument, always selling it with fear, says Mike Janke, head of encrypted communications at Silent Circle. What has changed, he says, is that businesses are taking the security of their communications more seriously and are less willing to sacrifice those features.

Many organizations were shocked by the scope of government surveillance revealed by Edward Snowden. They responded by integrating secure text and image messaging tools along with voice encryption into their corporate communications, Janke says.

Encryption now plays a bigger role in technology discussions, with companies asking about the available features and options. IT departments no longer treat encryption as an add-on that costs extra; it is a mandatory property of every product and platform they use.

Consumers themselves were outraged by the scope of the surveillance programs, and anecdotal evidence shows that many started using apps with encrypted content such as WhatsApp or Signal. In most cases, however, they neither pay for secure products nor change their behavior to increase privacy in their daily lives.

The change is coming from security chiefs, VPs of technology and other technology-focused executives, because they bear responsibility for the security and privacy decisions about their products and services.

When Tesla now digitally signs the firmware for every one of its internal components with a cryptographic key, it becomes easier to ask TV and toy manufacturers why they do not do the same, Janke explains.

Consumers are the ones who will benefit from encryption being integrated by default, just as businesses change the way they think about the importance of encryption.


Personal data at risk: what new threats should you watch for?

4.3.2018 SecurityWorld BigBrother
In the last month alone, several surprising new ways of stealing and exposing personal data using the internet and smartphones have emerged. The following trends may be worth sounding the alarm over.

Of course, these new worries come on top of all the old ones. Companies like Google and Facebook still track you and mine your personal data. Hackers constantly want to steal your data. And government agencies such as the NSA continue to operate as they always have.

Five new trends now show that your security and privacy can be compromised in ways that may never have occurred to you.

1. Fingerprints can be stolen from a selfie.

Researchers at Japan’s National Institute of Informatics (NII) recently announced that fingerprints can be stolen from photographs of your fingers and used to create fake fingers that fool biometric security systems.

Smartphone cameras are now so good and have such high resolution that the ridge pattern of your fingerprints can be recognized and copied from photographs and used to fool fingerprint-based security systems.

The biggest threat is in Japan, where the V gesture, the so-called peace sign made with the index and middle fingers, is widely used in photos posted on the web.

Some people are skeptical. For one thing, the “researchers” offer an absurd “solution” to the problem: a clear titanium oxide film printed with a special pattern that you would put on your fingers when taking a selfie to hide your prints.

The circumstances of such a theft also have to be favorable. The fingers must be in focus, the lighting must be perfect, the distance from the camera must be about three meters, and the photographer must use a top-end smartphone. (And such devices usually focus on the face, not on the fingers.)

High-resolution versions of photographs like these of the author’s own hands could be used to copy fingerprints.

Others say you should really be afraid. First, fingerprint theft from a photograph has already happened.

Two years ago the German hacker Jan Krissler obtained a copy of German defense minister Ursula von der Leyen’s fingerprints from publicly available photographs and made a three-dimensional replica of her finger that could unlock a smartphone.

Second, the technology already exists; no further research is needed. Third, fingerprints are permanent and cannot be changed, so fingerprint theft is nothing like the theft of a password, which you can change as needed.

Fourth, smartphone cameras keep getting better. It is only a matter of time before most people have cameras at least as good as the best in today’s smartphones, such as the iPhone 7 or Samsung Galaxy S7.

Finally, hackers can use online photos as a starting point rather than targeting specific people first. Focusing on a particular person could be difficult, because you would have to find high-quality photos of their fingers.

But if you start with high-resolution images containing fingers, say via Google Images, you can efficiently harvest hundreds of thousands of usable fingerprints.

The author checked his own Google Photos and found a pile of photos suitable for extracting fingerprints. If he had posted them publicly, someone with malicious intent and sufficient resources could use several of them to reconstruct his fingerprints.

2. Political trolls attack by publishing your personal information.

In these tense political times, poisonous comments appear in discussions and sarcasm rules social networks. The latest trend in online political argument is so-called doxing, the act of exposing someone’s personal information online.

Some kinds of information, such as phone numbers and home addresses, are easy to find online, which facilitates harassment. One hater “doxes” you and a hundred others make death or bomb threats, or send a SWAT team to your address by reporting a made-up, supposedly ongoing act of violence.

The problem recently became so serious on Reddit that the site deleted and banned the /r/altright and /r/alternativeright subreddits. Reddit could not stop doxing in those subreddits by normal means, which led to the radical solution of shutting them down.

Unfortunately, doxable personal data is very easy to find on the internet.

3. Genealogy sites have published your personal information on the internet.

Personal data sites, including genealogy and people-search sites, have existed for years.

The business model was long to offer a teaser of interesting information and demand payment for the complete record. Now two trends have emerged that should scare you.

The first is the launch of Family Tree Now, a personal data super-site that publishes for free the data others charged for; it recently caused a big stir when a woman on Twitter drew attention to the previously unknown site.

Když totiž zadáte jméno a příjmení hledané osoby, vypíšou se vám osoby stejného a podobného jména s rokem narození a věkem. Po rozkliknutí se dozvíte i jména členů jejich rodiny s jejich rokem narození, věkem a se současnými a předchozími adresami.

Druhým trendem je, že některé weby pro „vyhledávání lidí“ využívají sociální inženýrství, aby vás přiměly ke sdělení informací namísto toho, že by vám informace naopak poskytly.

Například web TruthFinder během procesu klade otázky a tvrdí, že mu vaše odpovědi pomohou poskytnout vám lepší data. Ve skutečnosti získává TruthFinder informace od vás.

Některé weby pro hledání lidí předvádějí dramatickou podívanou vyhledávání v databázích, aby vám řekli o někom nějaké informace, ale přitom vás zasypávají otázkami, aby mohly vaše odpovědi zadat do svých databází.

4. Mobilní aplikace posílají osobní data pryč na vzdálený server.

Čínská aplikace s názvem Meitu určená pro úpravy selfie dokáže změnit vaši tvář na fantaskní komiksový obrázek. Přitom vybělí, zesvětlí a zvětší oči a přidá vizuální efekty.

Její popularita explozivně vzrostla, protože její efekty jsou velmi neobvyklé a přehnané. Změní váš obličej na pohádkovou postavičku z komiksu.

Přes noc se však ukázalo, že aplikace posílá zpět do Číny všechny druhy informací včetně vaší lokality, údaje o vašem poskytovateli mobilních služeb, IP adresy a IMEI čísla uživatelů na platformě Android. Firma reagovala na internetové pobouření prohlášením, že data neprodává a používá je pouze na vylepšení aplikace.

Tato kontroverze zvýšila povědomí o nepříjemné skutečnosti, že mnoho aplikací shromažďuje vaše údaje bez vašeho vědomí či výslovného souhlasu. Takže jaké je řešení? Bezpečnostní aplikace? Asi ne…

5. Dokonce i bezpečnostní aplikace mohou ohrozit vaši bezpečnost

Jedním z nejlepších způsobů, jak chránit něčí soukromí na internetu, je použití VPN neboli virtuální privátní sítě. VPN vám teoreticky umožňují použít veřejný internet, jako byste byli v privátní síti.

Můžete skrýt a zašifrovat svou on-line aktivitu dokonce i před svým poskytovatelem připojení k internetu. Umožní vám také podvrhnout lokalitu, takže můžete prohlásit, že jste připojeni k internetu v jiném městě či zemi.


Over 40 models of low-cost Android devices shipped with Triada banking Trojan
4.3.2018 securityaffairs Android

Security researchers at the antivirus firm Dr.Web have discovered that 42 models of low-cost Android smartphones ship with the Android.Triada.231 banking Trojan embedded in their firmware.

“In the middle of 2017, Doctor Web analysts discovered a new Trojan Android.Triada.231 in the firmware of some cheap models of Android devices. Since this detection, the list of infected devices has been constantly increasing.” reads the blog post published by Dr.Web. “At the moment, the list contains over 40 models. Doctor Web specialists have monitored the Trojan’s activity and now we can publish the results of this investigation.”

The Triada Trojan was first spotted in 2016 by researchers at Kaspersky Lab, who considered it the most advanced mobile threat seen up to that time.

Triada was designed specifically to commit financial fraud, typically by hijacking SMS-based financial transactions. Its most interesting characteristic is its modular architecture, which in principle gives it a wide range of capabilities.

The Triada Trojan hooks the Zygote parent process, from which Android forks every app, so its code runs in the context of all software on the device, that is, inside each application.
Because the Trojan is embedded in a system library rather than installed as an app, a factory reset does not remove it; the only remedy is to wipe the device and reflash clean firmware.

Researchers at Dr.Web found the Triada Trojan pre-installed on newly shipped devices from several minor brands, including Advan, Cherry Mobile, Doogee, and Leagoo.

This is not the first time the company has found pre-installed malware on Android devices: back in July 2017, Dr.Web researchers discovered that several smartphone models, including the Leagoo M5 Plus, Leagoo M8, Nomu S10, and Nomu S20, were shipped with the Triada Trojan.


The Dr.Web researchers who investigated the issue found that a software developer from Shanghai was responsible for the infection.

“For example, it was detected on the Leagoo M9 smartphone that was announced in December 2017. Additionally, our analysts’ research showed that the Trojan’s penetration into firmware happened at request of the Leagoo partner, the software developer from Shanghai.” continues the blog post.

“This company provided Leagoo with one of its applications to be included into an image of the mobile operating system, as well as with an instruction to add third-party code into the system libraries before their compilation. Unfortunately, this controversial request did not evoke any suspicions from the manufacturer. Ultimately, Android.Triada.231 got to the smartphones without any obstacles.”

The infected application found on the device was developed by a Chinese firm, and the experts highlighted that it was signed with the same certificate observed in infections from 2016.

“The analysis of this application showed it is signed with the same certificate as Android.MulDrop.924. Doctor Web previously wrote about this Trojan in 2016. We can presume the developer that requested adding the additional program into the mobile operating system image can be connected expressly or implicitly with the distribution of Android.Triada.231.” continues Dr.Web.

At the time of writing, the experts have confirmed detecting Android.Triada.231 in the firmware of the following Android device models:

Leagoo M5
Leagoo M5 Plus
Leagoo M5 Edge
Leagoo M8
Leagoo M8 Pro
Leagoo Z5C
Leagoo T1 Plus
Leagoo Z3C
Leagoo Z1C
Leagoo M9
ARK Benefit M8
Zopo Speed 7 Plus
UHANS A101
Doogee X5 Max
Doogee X5 Max Pro
Doogee Shoot 1
Doogee Shoot 2
Tecno W2
Homtom HT16
Umi London
Kiano Elegance 5.1
iLife Fivo Lite
Mito A39
Vertex Impress InTouch 4G
Vertex Impress Genius
myPhone Hammer Energy
Advan S5E NXT
Advan S4Z
Advan i5E
STF AERIAL PLUS
STF JOY PRO
Tesla SP6.2
Cubot Rainbow
EXTREME 7
Haier T51
Cherry Mobile Flare S5
Cherry Mobile Flare J2S
Cherry Mobile Flare P1
NOA H6
Pelitt T1 PLUS
Prestigio Grace M5 LTE
BQ 5510

Unfortunately, the number of infected smartphone models could be much bigger.


GitHub hit by the biggest-ever DDoS attack, which peaked at 1.35 Tbps
4.3.2018 securityaffairs Attack

On February 28, 2018, GitHub's popular code-hosting website was hit by the largest distributed denial-of-service (DDoS) attack ever recorded, which peaked at 1.35 Tbps.

The attack reached its record 1.35 Tbps by abusing the memcached protocol for reflection and amplification, a so-called memcached DDoS attack.

Memcached is a free and open source, high-performance, distributed memory caching system designed to speed up dynamic web applications by alleviating database load.

Clients communicate with memcached servers via TCP or UDP on port 11211.

Researchers from Cloudflare, Arbor Networks and the security firm Qihoo 360 had recently observed attackers abusing memcached for DDoS amplification attacks.

Chinese experts had already warned about memcached DDoS attacks in November 2017.

Abusing memcached servers in DDoS attacks is simple. The attacker sends a request to an internet-exposed server on UDP port 11211 with the source IP address spoofed to that of the victim. Because UDP has no handshake, the server cannot tell that the source address is forged and sends its reply to the victim. The request is only a few bytes long, while the response can be tens of thousands of times bigger, which is what makes this a reflection and amplification attack.

Experts at Cloudflare dubbed this type of attack Memcrashed; according to their analysis, the technique can yield an amplification factor of up to 51,200, since a request of a few bytes can elicit a response measured in hundreds of kilobytes.
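To make the mechanics concrete, here is an added example written for this edit; it is not code from the article, from Cloudflare, from GitHub or from the memcached project. It builds the 15-byte "stats" probe that reflectors are abused with, parses the 8-byte header that memcached puts in front of every UDP datagram (request id, sequence number, datagram count, reserved field, as described in the memcached protocol documentation), reassembles a multi-datagram reply, and computes the resulting amplification factor on a constructed sample reply. The function names, the request id values and the sample STAT lines are assumptions made for the example; probe_udp_exposure sends real traffic and is meant only for checking servers you operate.

```python
"""Memcached UDP frame handling and amplification-factor check.

Added example, not taken from the original article, Cloudflare, GitHub or
the memcached project. Frame layout follows memcached's protocol.txt: every
UDP datagram starts with an 8-byte header (request id, sequence number,
total datagrams, reserved), followed by the ordinary text-protocol payload.
"""
import socket
import struct
from typing import List, Optional, Tuple

MEMCACHED_PORT = 11211
UDP_HEADER = struct.Struct("!HHHH")  # request id, seq no, total datagrams, reserved
STATS_COMMAND = b"stats\r\n"


def build_udp_frame(request_id: int, payload: bytes, seq: int = 0, total: int = 1) -> bytes:
    """Wrap a text-protocol command or reply chunk in the 8-byte memcached UDP header."""
    if not 0 <= request_id <= 0xFFFF:
        raise ValueError("request id must fit in 16 bits")
    return UDP_HEADER.pack(request_id, seq, total, 0) + payload


def build_stats_probe(request_id: int = 0x1234) -> bytes:
    """The classic reflection probe: 8-byte header + 'stats\\r\\n' = 15 bytes on the wire."""
    return build_udp_frame(request_id, STATS_COMMAND)


def parse_udp_frame(datagram: bytes) -> Tuple[int, int, int, bytes]:
    """Split a received datagram into (request_id, seq, total, payload)."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("datagram shorter than memcached UDP header")
    request_id, seq, total, _reserved = UDP_HEADER.unpack_from(datagram)
    return request_id, seq, total, datagram[UDP_HEADER.size:]


def reassemble(datagrams: List[bytes], expected_id: int) -> bytes:
    """Reorder a multi-datagram reply by sequence number and join the payloads.

    Large replies (a 'stats' dump, or a big cached value) are split across
    several datagrams that share one request id; that split is what lets a
    single 15-byte probe trigger kilobytes of traffic toward a spoofed source.
    """
    parts = {}
    total = None
    for d in datagrams:
        rid, seq, tot, payload = parse_udp_frame(d)
        if rid != expected_id:
            continue  # reply to some other probe (or junk); ignore it
        if total is None:
            total = tot
        elif tot != total:
            raise ValueError("inconsistent datagram count in reply")
        parts[seq] = payload
    if total is None or set(parts) != set(range(total)):
        raise ValueError("incomplete reply: got %d of %s datagrams" % (len(parts), total))
    return b"".join(parts[i] for i in range(total))


def amplification_factor(request: bytes, response_datagrams: List[bytes]) -> float:
    """Bytes the reflector emits per byte the sender put on the wire (payload plus header)."""
    received = sum(len(d) for d in response_datagrams)
    return received / len(request)


def probe_udp_exposure(host: str, port: int = MEMCACHED_PORT, timeout: float = 2.0) -> Optional[List[bytes]]:
    """Send one 'stats' probe over UDP to a server you operate and collect the reply datagrams.

    Returns None if nothing came back within the timeout (UDP disabled or
    filtered); otherwise the raw datagrams, which means the host can be abused
    as a reflector by anyone who can spoof a source address.
    """
    request_id = 0x4242  # arbitrary value chosen for this example
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    replies: List[bytes] = []
    try:
        sock.sendto(build_stats_probe(request_id), (host, port))
        while True:
            try:
                data, _addr = sock.recvfrom(65535)
            except socket.timeout:
                break
            replies.append(data)
    finally:
        sock.close()
    return replies or None


# Constructed sample reply (not captured from a real server). Each STAT line is
# its own datagram here only to keep the example short; memcached actually packs
# about 1400 bytes of payload per datagram, so a real stats dump is far larger.
_SAMPLE_STATS = [
    b"STAT pid 4242\r\n",
    b"STAT uptime 86400\r\n",
    b"STAT curr_connections 10\r\n",
    b"STAT bytes 1048576\r\n",
    b"END\r\n",
]
SAMPLE_REPLY = [
    build_udp_frame(0x1234, line, seq=i, total=len(_SAMPLE_STATS))
    for i, line in enumerate(_SAMPLE_STATS)
]


def demo() -> float:
    """Reassemble the sample reply (delivered out of order on purpose) and return the factor."""
    probe = build_stats_probe(0x1234)
    body = reassemble(SAMPLE_REPLY[::-1], 0x1234)
    assert body.endswith(b"END\r\n")
    return amplification_factor(probe, SAMPLE_REPLY)


if __name__ == "__main__":
    print("probe is %d bytes on the wire" % len(build_stats_probe()))
    print("amplification on the constructed sample: %.1fx" % demo())
```

Even this tiny constructed reply shows the shape of the problem: 15 bytes in, 125 bytes out, and a real stats dump or a large cached value runs to many full datagrams. On the server side the fix is to start memcached with the UDP listener disabled (-U 0; memcached 1.5.6 and later disable UDP by default), bind it to a local or private address (-l 127.0.0.1), and firewall port 11211 from the internet regardless.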


GitHub is protected by Akamai's anti-DDoS service, and Akamai confirmed the impressive magnitude of the attack that hit its customer.

“At 17:28 GMT, February 28th, Akamai experienced a 1.3 Tbps DDoS attack against one of our customers, a software development company, driven by memcached reflection. This attack was the largest attack seen to date by Akamai, more than twice the size of the September, 2016 attacks that announced the Mirai botnet and possibly the largest DDoS attack publicly disclosed.” reads the analysis published by Akamai.

“Because of memcached reflection capabilities, it is highly likely that this record attack will not be the biggest for long.”


According to GitHub, the attack was widespread: it originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints.

“On Wednesday, February 28, 2018 GitHub.com was unavailable from 17:21 to 17:26 UTC and intermittently unavailable from 17:26 to 17:30 UTC due to a distributed denial-of-service (DDoS) attack.” states an advisory post published by GitHub.

“Between 17:21 and 17:30 UTC on February 28th we identified and mitigated a significant volumetric DDoS attack.

The attack originated from over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints. It was an amplification attack using the memcached-based approach described above that peaked at 1.35Tbps via 126.9 million packets per second.”

GitHub mitigated the ongoing attack by withdrawing its BGP announcements from its transit providers and announcing its prefixes only through Akamai, so that all inbound traffic passed through Akamai's edge network.

“Given the increase in inbound transit bandwidth to over 100Gbps in one of our facilities, the decision was made to move traffic to Akamai, who could help provide additional edge network capacity. At 17:26 UTC the command was initiated via our ChatOps tooling to withdraw BGP announcements over transit providers and announce AS36459 exclusively over our links to Akamai.” continues GitHub.

“Routes reconverged in the next few minutes and access control lists mitigated the attack at their border. Monitoring of transit bandwidth levels and load balancer response codes indicated a full recovery at 17:30 UTC. At 17:34 UTC routes to internet exchanges were withdrawn as a follow-up to shift an additional 40Gbps away from our edge.”

GitHub confirmed that the first wave of the attack peaked at 1.35 Tbps, while a second wave peaked at 400 Gbps after 18:00 UTC.


GitHub said it plans to expand its edge network and to improve its ability to mitigate new attack vectors.

Researchers expect threat actors to keep abusing misconfigured memcached servers in future attacks; unfortunately, many such servers are still exposed to the internet.

Cloudflare recommends disabling memcached's UDP support unless it is genuinely needed and isolating memcached servers from the internet behind a firewall, so they answer only to trusted application hosts. Internet service providers, for their part, need to fix vulnerable protocols and deploy source-address validation (BCP 38) to prevent IP spoofing.

“Internet Service Providers – In order to defeat such attacks in future, we need to fix vulnerable protocols and also IP spoofing. As long as IP spoofing is permissible on the internet, we’ll be in trouble.” concluded Cloudflare.

“Developers – Please please please: Stop using UDP. If you must, please don’t enable it by default. If you do not know what an amplification attack is I hereby forbid you from ever typing SOCK_DGRAM into your editor.”