Former Yahoo CISO Bob Lord Joins DNC
26.1.2018 securityweek IT

Former Yahoo chief information security officer Bob Lord has been appointed chief security officer at the Democratic National Committee (DNC), the formal governing body for the United States Democratic Party.

The announcement was made on Thursday and Lord has already told his Twitter followers that he is looking to hire.

“Very honored to be able to work with [DNC CTO Raffi Krikorian], [DNC Chairman Tom Perez], and the rest of the amazing team at the DNC,” Lord said on Twitter.Bob Lord named CSO of DNC

Lord is the DNC’s first CSO. His hiring comes after the organization was the target of cyberattacks in the months leading up to the 2016 presidential election in the United States. Security firms and intelligence agencies attributed the attacks to threat groups previously linked to the Russian government.

Before joining the DNC, Lord was Yahoo’s CISO for nearly two years. While at the tech firm, he led the investigations into the massive data breaches suffered by the company in 2013 and 2014. He was lured by Yahoo after the company’s former security chief, Alex Stamos, joined Facebook as CSO.

A veteran with more than 20 years of experience in cybersecurity, Lord has held leadership positions at AOL, Red Hat, Twitter and Rapid7.

Information Disclosure, DoS Flaws Patched in libcurl
25.1.2018 securityweek

The developers of the popular multiprotocol data transfer library libcurl informed users on Wednesday that the latest version addresses two vulnerabilities.

Libcurl is a free and highly portable file transfer library that supports roughly two dozen protocols and various features. The libcurl website lists more than 250 organizations that use the library in their products, including Adobe, Apple, the BBC, BMW, Broadcom, Cisco, Electronic Arts, Facebook, Google, Intel, Mozilla, Samsung, Sony, VMware and several cybersecurity firms.

The latest Libcurl release, version 7.58.0, patches a total of 82 bugs, including two vulnerabilities that can lead to information disclosure or a denial-of-service (DoS) condition.

One of the security holes, tracked as CVE-2018-1000007, can lead to authentication data getting leaked to third parties.

“When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the Location: response header value,” developers said in an advisory.

“Sending the same set of headers to subsequest hosts is in particular a problem for applications that pass on custom Authorization: headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client's request,” they added.

This vulnerability has existed in the libcurl code for a long time. “It existed in the first commit we have recorded in the project,” developers noted.

The second flaw, identified as CVE-2018-1000005, has been described as an out-of-bounds read issue that can lead to a DoS condition or information disclosure.

“The problem is that the code that creates HTTP/1-like headers from the HTTP/2 trailer data once appended a string like ‘:’ to the target buffer, while this was recently changed to ‘: ‘ (a space was added after the colon) but the associated math wasn't updated correspondingly,” developers explained. “When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to the libcurl callback.”

This vulnerability only affects libcurl versions 7.49.0 through 7.57.0.

CVE-2018-1000007 was reported to cURL developers on January 18, while CVE-2018-1000005 was brought to their attention on January 10. Developers said they had not been aware of any attempts to exploit these flaws.

Various Linux distributions are also working on pushing out updates that patch the flaws.

Google Parent Alphabet Launches Cybersecurity Firm Chronicle
25.1.2018 securityweek Cyber

Google parent Alphabet on Wednesday announced a new standalone business dedicated to cybersecurity.

Called Chronicle, the newly unveiled company was born in 2016 as a project within X, Alphabet’s “moonshot” factory, with ambitions of analyzing massive amounts of data to provide security teams with insights into areas of “likely vulnerability” to help them protect their data.

“X, the moonshot factory, has been our home for the last two years while we figured out where we had the potential to make the biggest impact on this enormous problem,” Stephen Gillett, CEO of Chronicle, wrote in a blog post.

The new company, Gillett says, “will have two parts: a new cybersecurity intelligence and analytics platform that we hope can help enterprises better manage and understand their own security-related data; and VirusTotal, a malware intelligence service acquired by Google in 2012 which will continue to operate as it has for the last few years.”

“We want to 10x the speed and impact of security teams’ work by making it much easier, faster and more cost-effective for them to capture and analyze security signals that have previously been too difficult and expensive to find,” added Gillett, a former executive at Symantec, Best Buy and Starbucks. “We are building our intelligence and analytics platform to solve this problem.”

Few details have been provided, and many questions remain on exactly what Chronicle’s platform will bring to the table, and how it will be deployed in an enterprise. With that said, Google has been innovative with its own internal security tools and initiatives, and it’s likely that Chronicle’s offerings will be compelling.

In June 2017, Google shared details on the security infrastructure that protects its data centers. Late last year, Google also shared detailed information on how it protects service-to-service communications within its infrastructure at the application layer and the system it uses for data protection. The search giant also has provided technical details on how it uses a “Tiered Access” model to secure devices for its global workforce of more than 61,000 employees.

“Inspired by Google’s own security techniques, we’re advancing cybersecurity for enterprises of all sizes,” Chronicle’s website says.

Chronicle, says X’s Astro Teller, is starting “by trying to give organizations a much higher-resolution view of their security situation than they’ve ever had by combining machine learning, large amounts of computing power and large amounts of storage.”

According to Gillett, the company will have its own contracts and data policies with its customers, while also being able to tap expertise across the entire Alphabet ecosystem.

Mirai-Based Masuta Botnet Weaponizes Old Router Vulnerability
25.1.2018 securityweek BotNet 

A new Internet of Things-targeting piece of malware based on Mirai’s publicly released source code has been observed at large, ensnaring devices into a botnet.

Dubbed Masuta, the botnet has at least two variants at large, and is believed to be the work of a well-known IoT threat actor, NewSky Security says. What’s also unique to the botnet is that it exploits an old router vulnerability, being the first threat known to weaponize it in a botnet campaign.

Masuta (Japanese for “master”) botnet’s source code was found on an invite only dark forum. The malware’s configuration file, the researchers discovered, uses a different seed of the cipher key compared to Mirai, having the strings in the configuration files XORed by 0x45.

Thus, the researchers discovered that it uses the domain nexusiotsolutions(dot)net, the command and control (C&C) server that Nexus Zeta, the individual involved in the recent Satori attacks, uses. The domain was registered using the nexuszeta1337@gmail(.)com email address.

Thus, NewSky Security suggests that Nexus Zeta has been involved in the creation of the Masuta botnet, in addition to building Satori, the Mirai variant that has been wreaking havoc over the past couple of months.

In fact, Masuta isn’t new either, and attacks involving it have been steadily increasing since September, and the botnet’s standard variant has been observed using several known/weak/default credentials to compromise IoT devices.

An evolved variant of Masuta, called PureMasuta, contains the most typical of Mirai style code, and a list of weak credentials to use. What makes this malware variant stand out, however, is its usage of EDB 38722 D-Link exploit.

The exploit PureMasuta uses resides in the HNAP (Home Network Administration Protocol), which is based on the SOAP protocol. It is possible to craft a SOAP query to bypass authentication by using hxxp://, and improper string handling can lead to arbitrary code execution, and an attacker can abuse this combination of issues to run code on targeted devices.

What the botnet does is to download a shell script from the C&C server and run it. Thus, the malware author first bypasses authentication and then executes code on the targeted devices.

The PureMasuta variant uses the same C&C server ( as the original Masuta variant, which led the researchers to believe it is the evolved creation of the same threat actor.

“Nexus Zeta is no stranger when it comes to implementing SOAP related exploits. The threat actor has already been observed in implementing two other known SOAP related exploits, CVE-2014–8361 and CVE-2017–17215 in his Satori botnet project,” NewSky Security notes.

Thus, the TR-069 bug and EDB 38722 are the third and fourth SOAP related exploits abused by IoT botnets.

“Protocol exploits are more desirable for threat actors as they usually have a wider scope. A protocol can be implemented by various vendors/models and a bug in the protocol itself can get carried on to a wider range of devices,” the researchers conclude.

Lebanon Must Investigate Claims of Mass Spying: Rights Groups
25.1.2018 securityweek BigBrothers

Eight rights groups including Human Rights Watch called on Lebanese authorities Wednesday to investigate reports of a massive espionage campaign traced back to a government security agency.

Digital researchers last week said they had uncovered a hacking campaign using malware-infected messaging apps to steal smartphone data from people in more than 20 countries, including journalists and activists.

The report tracked the threat, which the researchers dubbed "Dark Caracal", to a building in Beirut belonging to the Lebanese General Security Directorate.

Eight rights groups and media organizations called on Lebanon's general prosecutor on Wednesday to investigate who was behind the campaign.

"If these allegations are true, this intrusive surveillance makes a mockery of people's right to privacy and jeopardises free expression and opinion," said Lama Fakih, deputy Middle East director at Human Rights Watch. "Lebanese authorities should immediately end any ongoing surveillance that violates the nation's laws or human rights, and investigate the reports of egregious privacy violations."

Other signatories included the Lebanese Center for Human Rights (CLDH), the SKeyes Center for Media and Cultural Freedom, and Lebanon's Social Media Exchange (SMEX).

Hundreds of gigabytes of data have been taken from thousands of victims in more than 21 countries, said the report, authored by digital rights group Electronic Frontier Foundation and mobile security firm Lookout.

They called Dark Caracal "one of the most prolific" mobile espionage campaigns to date. With fake versions of secure messaging services like WhatsApp and Signal, the scheme has enabled attackers to take pictures, capture audio, pinpoint locations, and mine handsets for private data.

According to the report, Dark Caracal used FinFisher, surveillance software used by governments around the world.

In 2015, Toronto-based research group Citizen Lab found that General Security and other Lebanese security forces have used FinFisher for surveillance in Lebanon.

General Security chief Abbas Ibrahim did not explicitly deny the report.

"The report is very, very, very exaggerated. We don't have these capabilities. I wish we had those abilities," he said.

In comments to the media, Interior Minister Nouhad Mashnuq also appeared to confirm there was at least some truth to the report. "It's not that it's not true, it's just very overblown," said Mashuq.

Lawmakers Raise Questions About Disclosure of CPU Flaws
25.1.2018 securityweek

The U.S. House Energy and Commerce Committee on Wednesday sent letters to several tech giants, raising questions about how the disclosure of the CPU vulnerabilities known as Spectre and Meltdown was handled.

Lawmakers have asked the CEOs of Intel, AMD, ARM, Apple, Google and Microsoft to answer a series of questions on how the disclosure of the flaws was coordinated.

Specifically, the tech giants have been asked about why an embargo was imposed and who proposed it, when were US-CERT and CERT/CC notified, the impact of the embargo on critical infrastructure and other technology companies, the resources and best practices used in implementing the embargo, and lessons learned. The targeted companies have been instructed to respond by February 7.

The Meltdown and Spectre vulnerabilities allow malicious applications to exploit weaknesses in CPU designs and bypass memory isolation mechanisms. An attacker can leverage the flaws to access data as it’s being processed, including passwords, photos, documents, and emails.

The vulnerabilities were discovered independently by researchers at Google and various universities and companies. Major vendors were first notified in June 2017 and the disclosure of the flaws was initially planned for January 9, but some experts figured out that Microsoft and Linux developers had been preparing patches for critical CPU flaws and the disclosure was moved to January 3.

The companies that were notified quickly rolled out patches after information on the Meltdown and Spectre attack methods was made public – some firms released fixes even before disclosure – but some organizations, such as Digital Ocean, were caught off guard by the news and complained about the embargo.

“While we acknowledge that critical vulnerabilities such as these create challenging trade-offs between disclosure and secrecy, as premature disclosure may give malicious actors time to exploit the vulnerabilities before mitigations are developed and deployed, we believe that this situation has shown the need for additional scrutiny regarding multi-party coordinated vulnerability disclosures,” the congressional committee wrote in its letter.

“As more products and services become connected, no one company, or even one sector, working in isolation can provide sufficient protection for their products and users,” the lawmakers added. “Today, effective responses require extensive collaboration not only between individual companies, but also across sectors traditionally siloed from one another. This reality raises serious questions about not just the embargo imposed on information regarding the Meltdown and Spectre vulnerabilities, but on embargos regarding cybersecurity vulnerabilities in general.”

While many companies have managed to quickly address the vulnerabilities, mitigations have been found to introduce performance penalties and cause systems to become unstable. Both software and microcode updates caused problems for users, and system manufacturers have decided to halt BIOS updates due to buggy patches provided by Intel.

Chrome 64 Brings Additional Mitigations for CPU Flaw
25.1.2018 securityweek

Google this week released Chrome 64 in the stable channel with fixes for 53 security flaws and with additional mitigations against the web-exploitable “Spectre” CPU vulnerability.

Made public in the beginning of this year along with a bug called Meltdown, Spectre is a speculative side-channel attack technique impacting modern processors from Intel, AMD, and ARM. Putting billions of devices at risk, the two vulnerabilities have fueled an industry-wide race to release patches and mitigations.

In early December 2017, Google added Site Isolation to Chrome 63 as the first step in its attempt to mitigate these attack methods. The new Chrome release, available for Windows, Mac, and Linux as version 64.0.3282.119, brings additional mitigations against the speculative side-channel attack techniques.

The new browser iteration also includes an improved pop-up blocker, capable of preventing sites that employ abusive experiences from opening tabs or windows. Some of these deceptive tactics include masquerading links to third-party websites as play buttons or other site controls, or using transparent overlays on websites that capture all clicks and open new tabs or windows.

Site owners can check whether their websites have been found to use such abusive experiences by using the Abusive Experiences Report in Google Search Console. Thus, they can improve their user experience, Google says.

In addition to security improvements and fixes, Chrome 64 also brings some new features for developers, Google revealed in a blog post.

Of the 53 vulnerabilities that Chrome 64 patches, nearly half were discovered by external researchers, most of which are Medium and Low severity bugs.

Three High risk issues were resolved in the application: CVE-2018-6031 (Use after free in PDFium), CVE-2018-6032 (Same origin bypass in Shared Worker), and CVE-2018-6033 (Race when opening downloaded files). Google awarded the reporting researchers $3000, $2000, and $1000, respectively.

The Medium severity bugs addressed in Chrome 64 include an integer overflow issue in Blink, several insufficient isolation of devtools from extensions flaws, integer underflow in WebAssembly, insufficient user gesture requirements in autofill, heap buffer overflow in WebGL, XSS in DevTools, content security policy bypass, URL spoof issues in Navigation and OmniBox, insufficient escaping with external URL handlers, and cross origin URL leak in WebGL.

Google also resolved a referrer policy bypass bug in Blink, URL spoofing in Omnibox, UI spoof flaws in Permissions and in OmniBox, referrer leak in XSS Auditor, incomplete no-referrer policy implementation, leak of page thumbnails in New Tab Page, and use after free in WebUI vulnerabilities.

Overall, the Internet giant paid over $20,000 in bug bounties to the researchers who reported these vulnerabilities. However, the company hasn’t revealed all of the paid rewards yet.

Railway Cybersecurity Firm Cylus Emerges From Stealth
25.1.2018 securityweek Cyber

Cylus Obtains $4.7 Million in Funding to Help Protect Rail Industry Against Cyberattacks

Cylus, an Israel-based startup that specializes in cybersecurity solutions for the rail industry, emerged from stealth mode on Thursday with $4.7 million in seed funding.

Researchers have warned on several occasions in the past years that modern railway systems are vulnerable to cyberattacks, and the rail industry has been targeted by both cybercriminals and state-sponsored cyberspies.

Cylus aims to address the challenges of securing railway systems by developing a solution that is specifically designed for this sector. The product relies on a set of non-intrusive sensors that provide deep visibility into operational networks and help detect malicious activities. Customers are provided an automated assessment and instructions on how to respond when a threat is detected.

Railway Cybersecurity Startup Cylus Emerges From Stealth

The sensors are deployed in control centers, train management systems, interlocking systems, rolling stock, and trackside components. Information collected by the sensors is fed to an on-premises server that aggregates data and generates alerts based on rules derived from machine learning algorithms and research conducted by Cylus.

A centralized dashboard provides a view of all components, and alerts users when suspicious activities are detected, including failed authentication attempts, abnormal signaling communications, and unauthorized communications between components.

In addition to step-by-step instructions on how to respond to a specific threat, Cylus’ product offers forensic analysis capabilities designed to allow railroad companies to investigate incidents.

Cylus has obtained $4.7 million in seed funding from Zohar Zisapel, Magma Venture Partners, Vertex Ventures, and the SBI Group.

“Current approaches to cybersecurity do not fit the architecture of railway networks today,” said Cylus CEO Amir Levintal. “Our team of world-class cyber specialists together with rail industry experts have tailored a solution to the industry’s unique requirements. Our solution enables rail companies to detect cyber-attacks in their operational network, including their signaling systems and rolling stocks, and block attackers before they can cause any damage. The automotive industry has woken up to the critical need for cyber protection– it’s time the railway industry got on board as well.”

Cylus told SecurityWeek that it’s currently in negotiations with several large national railways to test its product. Pricing is scalable and depends on the specific needs of each customer.

“Railway companies cannot compromise on passenger safety, and one of the pillars of passenger safety is cybersecurity,” said Boaz Zafrir, President of Cylus and former CEO of Israel Railways. “Railway executives are acutely aware of the dangers and are looking for answers. The extraordinary team at Cylus has rich experience creating effective cybersecurity solutions, and I am confident that the company's unique technology will help keep passengers safe all over the world.”

North Korea-linked Lazarus Hackers Update Arsenal of Hacking Tools
25.1.2018 securityweek BigBrothers

Recent cyberattacks associated with the North Korea-linked Lazarus group have used an evolved backdoor, along with a Remote Controller tool, Trend Micro reports.

Targeting financial institutions, the campaign employed watering hole attacks and an evolved variant of the Lazarus-linked RATANKBA Trojan, which is capable of delivering multiple payloads, including hacking tools and software targeting banking systems.

The Lazarus group has been active since at least 2009 and is believed to be backed by the North Korean government. The threat actor has targeted government, military, media, aerospace, financial and manufacturing organizations, and is believed to be the most serious threat against banks.

Servers the group used as part of the recently observed campaign for temporarily holding stolen data allowed security researchers to gain insight into attacks and victims. Thus, they discovered that around 55% of the victims were located in India and neighboring countries and that most of them didn’t use enterprise versions of Microsoft software.

In a December 2017 report, Proofpoint researchers revealed that Lazarus had started targeting individuals, and that a new Windows executable downloader and a new first-stage implant were being used in attacks.

“Less than 5% of the victims were Microsoft Windows Enterprise users, which means that currently, RATANKBA mostly affects smaller organizations or individual users, not larger organizations. It’s possible that Lazarus is using tools other than RATANKBA to target larger organizations,” Trend Micro says.

By looking at the victims’ IP addresses, the security researchers also determined that none can be associated with a large bank or a financial institution. However, victims that are likely employees of web software development companies in India and South Korea appear to have been targeted.

The hackers delivered the RATANKBA malware to their intended targets via malicious Office documents (containing topics related to software development or digital currencies), CHM files, and script downloaders. The goal of the attacks was to install the RATANKBA backdoor onto the victims’ machines to steal user information and execute commands on the system.

The hackers use a Remote Controller tool to send jobs to compromised endpoints. Through the controller, attackers queue tasks on the main server, and RATANKBA connects to this server to retrieve the tasks and execute it. This means that real-time communication between the backdoor and the attacker isn’t employed.

The controller provides a graphical UI interface and allows the attacker to both push code to the server and download victim profiles from it.

The RATANKBA variant used in these attacks was written in Powershell, an evolution from the original variant, which was in PE form. The new malware iteration is more difficult to detect.

The members of the Lazarus group, Trend Micro says, appear to be native Korean speakers, “or at least have Korean language proficiency that is at the near-native level.” At least one of them is believed to also understand Chinese. The group appears interested in crypto-currencies such as Bitcoin (BTC) and Ant Share (NEO).

“Given Lazarus’ use of a wide array of tools and techniques in their operations, it’s reasonable to assume that the group will continue to use ever-evolving tactics in their malicious activities. Overall, an organization will need multilayered security strategies, as Lazarus and other similar groups are experienced cybercriminals who employ different strategies to get past organizational defenses,” the researchers conclude.

New Targets, $2 Million in Prizes Announced for Pwn2Own 2018
25.1.2018 securityweek Congress

Trend Micro’s Zero Day Initiative (ZDI) announced on Thursday that this year’s Pwn2Own hacking competition offers $2 million in cash and prizes, with several new pieces of software added to the list of targets.

Pwn2Own 2018 is scheduled to take place on March 14-16 alongside the CanSecWest conference in Vancouver, Canada. This year, ZDI has partnered with Microsoft for the event, and VMware has been announced as a sponsor.

This year’s categories are virtualization, web browsers, enterprise applications, servers, and the Windows Insider Preview challenge.

In the virtualization category, Pwn2Own 2018 introduces a new target, namely Oracle VirtualBox. Researchers can earn $35,000 and a $30,000 bonus if they can execute a privilege escalation via a Windows kernel vulnerability on the host. The base prize for VMware Workstation is $70,000 and for Microsoft Hyper-V it’s $150,000.

All major web browsers are targeted at Pwn2Own 2018. A sandbox escape can earn contestants $60,000 if it works on Chrome or Edge, $55,000 on Safari, and $40,000 on Firefox. Hackers can earn a bonus of $50,000-$70,000 if they combine their exploit with a virtual machine escape via a kernel privilege escalation vulnerability.

The targeted apps in the enterprise category are Adobe Reader, with a maximum prize of $90,000, Office 365 ProPlus, with a maximum prize of $50,000, and Microsoft Outlook, for which organizers are prepared to pay out up to $100,000. This will be the first time Outlook is a target at Pwn2Own.

In the servers category, there are no less than three new targets, including NGINX, Microsoft Windows SMB, and OpenSSL. Apache Web Server, the only target in this category in last year’s event, will remain on the list. Vulnerabilities in each of these pieces of software can earn researchers up to $100,000.

Since Microsoft is a partner of Pwn2Own 2018, it has asked ZDI to introduce a special category for some of its flagship pre-release security technologies in the latest Windows Insider Preview for Business running on Surface Book 2 devices.

Targets include Windows Defender Application Guard for Edge, Windows SMB, and the Windows Hyper-V client. Prizes range between $10,000 and $250,000.

As always, the contestant or team with the highest number of Master of Pwn points will earn 65,000 ZDI reward points, which are worth roughly $25,000. In addition, the first-round winner for each category can win a laptop.

At Pwn2Own 2017, ZDI paid out a total of $833,000 for 51 vulnerabilities, nearly double than the $460,000 earned by hackers in the previous year for only 21 new flaws. Given that this year’s prize pool is $2 million, double than what organizers offered last year, we can expect some interesting exploits.

30 Million Possibly Impacted in Crypto-Currency Mining Operation
25.1.2018 securityweek

A large-scale crypto-currency mining operation active for over 4 months is believed to have impacted around 30 million systems worldwide, Palo Alto Networks security researchers say.

The campaign, which attempts to mine the Monero cryptocurrency using the open-source XMRig utility, has affected mainly users in South-East Asia, Northern Africa, and South America. The campaign employed VBS files and URL shortening services to install the mining tool and also used XMRig proxy services on the hosts to mask the used wallets.

Telemetry data from the URL shortening service suggested that at least 15 million people were impacted. However, with less than half of the identified samples using, the researchers speculate that the actual number of affected users could be upwards of 30 million.

The campaign employed over 250 unique Microsoft Windows PE files, over half of which were downloaded from online cloud storage provider 4sync. What the researchers couldn’t establish, however, was how the file downloads were initiated.

The attackers attempted to make their files appear to have both generic names and to originate from popular looking file sharing services.

The URL shortening service that pays users when their links are clicked was also used in this campaign. When users clicked on these URLs, they were redirected and ended up downloading the crypto-currency mining malware instead.

The malware used in this campaign was meant to execute the XMRig mining software via VBS files and uses XMRig proxy services to hide the ultimate mining pool destination. It also uses Nicehash, a popular marketplace that allows users to trade hashing processing power (it supports various crypto-currencies and sellers are paid in Bitcoin).

Before October 20, 2017, the attackers behind this campaign were using the Windows built-in BITSAdmin tool to download the XMRig mining tool from a remote location. The final payload was mainly installed with the filename ‘msvc.exe’.

After October 20, 2017, the attackers started experimenting with HTTP redirection services, but continued using SFX files to download and deploy their malware. They also started supplementing mining queries with a username and making obfuscation attempts within the VBS files to avoid detection.

Starting on November 16, 2017, the attackers dropped the SFX files and adopted executables compiled in Microsoft .NET Framework. These would write a VBS file to disk and modify Run registry keys to achieve persistence.

In late December, the dropper was compiled with Borland Delphi and would place the VBS file in the victim’s startup folder to achieve persistence. The latest samples using this dropper also switched to a new IP address for XMRig communication, namely 5.23.48[.]207.

The campaign, researchers say, affected most countries around the world. Based on telemetry data, the attacks appear to have hit Thailand (3,545,437 victims), Vietnam (1,830,065), Egypt (1,132,863), Indonesia (988,163), Turkey (665,058), Peru (646,985), Algeria (614,870), Brazil (550,053), Philippines (406,294), and Venezuela (400,661) the most.

“Monero mining campaigns are certainly not a new development, as there have been various reported instances recently. However, it is less common to observe such a large-scale campaign go relatively unnoticed for such a long period of time. By targeting random end-users via malicious advertisements, using seemingly innocuous names for the malware files, and using both built-in Windows utilities and scripting files, the attackers are able to gain a foothold on victim systems at large scale,” Palo Alto concludes.

Malware in 2017 Was Full of Twists and Turns
25.1.2018 securityweek

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering, and ups and downs in ransomware.

These conclusions come from the 'Cybercrime tactics and techniques: 2017 state of malware' report (PDF) published today by Malwarebytes.

"We look at our own detection telemetry and what we find in our honeypots to see what the criminals are pushing out," Malwarebytes director of malware intelligence, Adam Kujawa, told SecurityWeek, "and we see what trends are apparent." The report covers the period of January to November 2017 and compares it to the same period for 2016.

In some cases, those trends are surprising. Ransomware figured heavily in 2017; but with nuances. Over the year, detections for consumers increased by 93% over 2016, and by 90% for businesses. But those figures disguise a decline in consumer ransomware and an increase in business ransomware over the last few months of 2017.

It's not clear why this happened, but Kujawa conjectures that improving awareness of ransomware and better defenses is making it harder for the criminals to get a good return from consumers. At the same time, while succeeding against business is even more difficult than infecting consumers, the potential return is much higher per victim. Earlier this month, Hancock Health paid $55,000 to recover from a SamSam ransomware attack.

At the same time as ransomware declined at the end of the year, "We saw," said Kujawa, "a significant increase in spyware, banking trojans, hijackers and even adware." He also pointed to a one-month dramatic spike in ransomware detections in September coinciding with an equally dramatic dip in spyware detections. "It indicates that the same type of campaign was being used to distribute both spyware and ransomware," he suggested.

For consumers, adware is now the most-detected threat -- representing around 40% of all consumer detections (it's the second most-detected threat for businesses). Anti-malware firms have been increasingly active against all forms of unwanted apps; and Malwarebytes has been in the vanguard of this. In November it won a court case brought by Enigma Software, supplier of SpyHunter, which Malwarebytes it detects and blocks as unwanted software.

Concurrent with the adware market becoming more difficult, there has been a reduction in the number of players. But, commented Kujawa, "despite there being less players in the game, the attacks themselves are more sophisticated -- we see adware, something we regularly classify as a PUP, using root kit functionality to block security software from running, or just blocking the ability to remove it at all."

The report specifies Smart Service, which is bundled with adware and PUPs to prevent their removal. It hooks into the Windows CreateProcess function, so it can inspect new processes before they run. It also "protects certain processes from being terminated, and stops the user from removing critical files and registry keys."

Apart from adware, the decline in ransomware for business was replaced by an upsurge in spyware and banking trojans. For all malware, the primary tactics of infection changed from 2016 to 2017. "In 2016 we saw lots and lots of exploit kits (also in 2015)," said Kujawa. "Now suddenly spreading malware through email is popular again. It's based on tricking the user into opening something. There's less attacking the computer (exploit kits delivering malware without the user being aware) and more attacking the person (social engineering emails)."

For the consumer, the big growth malware in 2017 has been crypto-miners. Exploit kits, drive-by attacks, phishing and malicious spam attacks have all pushed miners. "We blocked one of the primary pushers of this technology, CoinHive," explained Kujawa, "and that turned out to be our #1 detection over many months. We're talking about multi-million detections per day -- averaging about 8 million per day, but I've seen it go up to 12 million and even 20 million on occasion."

One area that did not show an expected increase during 2017 was botnet activity. "The last year showed a steady decline in detections for botnet malware, a huge shift from what we saw in 2016," notes the report. "This aligns for both business and consumer customer telemetry."

There's likely little comfort in this. "Declines," adds the author, "are likely due to a shift in focus away from the desktop, aiming at IoT devices such as routers or smart appliances instead." We learned the potential for large IoT-based botnets at the end of 2016, with the Mirai attacks. "While there was a lack of massive IoT attacks in 2017, attackers have been spending their time focused on developing new tools to take advantage of IoT with cryptocurrency mining, spam-spreading botnets, and likely more DDoS attacks."

Ransomware is currently showing a downward trend. Crypto-mining may not survive the volatility in market prices (Bitcoin is currently trading at around $11,000; down from nearly $20,000 just a few weeks ago) and the likelihood of greater international cryptocurrency regulation. But Malwarebytes warns they could be replaced by something new and potentially more worrying.

"It is not farfetched," says the report, "to think we may see DDoS attacks against large organizations, like airline companies and power utilities, demanding a ransom payment to call off an army of botnet-infected IoT devices." Ransomware might decline, merely to be replaced by larger DDoS ransoms.

"Hide 'N Seek" IoT Botnet Ensnares 20,000 Devices in Days
25.1.2018 securityweek IoT  BotNet

An Internet of Things (IoT) botnet featuring a worm-like spreading mechanism managed to ensnare over 20,000 devices over the course of several days, Bitdefender reports.

Dubbed Hide ‘N Seek, the botnet was first spotted on January 10, when it focused on IP cameras manufactured by a Korean company, but vanished just days after. On January 20, however, the researchers observed a new, improved variant of the malware, which has ensnared more than 20,000 devices worldwide and continues to spread quickly.

The malware was designed to exfiltrate data, execute code, and interfere with the device operation. Employing a complex and decentralized communication technique and multiple anti-tampering methods to prevent hijacking, the botnet uses the same exploit as Reaper (CVE-2016-10401 and other vulnerabilities), Bitdefender says.

The bot’s worm-like spreading mechanism consists of randomly generating a list of IP addresses to target, and then initiating a raw socket SYN connection to each host on specific destination ports (23, 2323, 80, and 8080). After establishing a connection, the bot first looks for a specific banner (“buildroot login:”) and attempts log in via predefined credentials, or launches a dictionary attack if that fails.

Next, the malware attempts to properly identify the target device and select a compromise method, such as setting up a TFTP server if the target is on the same LAN, or a remote payload delivery method if the target is on the Internet.

These pre-configured exploitation techniques are located in a digitally signed memory location to prevent tampering and can be updated remotely and propagated among infected hosts. Targeting IoT devices, the botnet can’t achieve persistence, meaning that a device reboot would clear up the infection.

After Hajime, Hide ‘N Seek becomes the second known IoT botnet to use a decentralized, peer-to-peer architecture. The difference is that, while Hajime used p2p functionality based on the BitTorrent protocol, the new botnet uses a custom-built p2p communication mechanism.

“The bot opens a random port on the victim, and adds firewall rules to allow inbound traffic for the port. It then listens for connections on the open port and only accepts the specific commands described below,” Bitdefender Senior Threat Analyst Bogdan Botezatu explains.

To prevent infiltration or poisoning attempts, the malware uses an elliptic curve key within the file used to authenticate the command for updating the memory zone where configuration settings are stored.

The bot includes support for multiple commands for configuration updates, a data exfiltration mechanism, and a scanning component (which sends to a peer valid credentials found via dictionary attack). It also supports commands to add a new peer to the list and send a peer IP as a response.

“While IoT botnets have been around for years, mainly used for DDoS attacks, the discoveries made during the investigation of the Hide and Seek bot reveal greater levels of complexity and novel capabilities such as information theft – potentially suitable for espionage or extortion. It is also worth noting that the botnet is undergoing constant redesign and rapid expansion,” Botezatu concludes.

A recent NETSCOUT Arbor report on distributed denial of service attacks has revealed that compromised IoT devices can fuel new, complex assaults. The emergence of new IoT botnets such as Masuta or Satori has proved once again the need for improved security for Internet-connected devices.

“As IoT devices become increasing popularity in our modern lives, they also become more attractive to cybercriminals. In fact, in 2017 we recorded a record number of IoT vulnerabilities, with them more than doubling since 2016,” Nadav Avital, security research team leader at Imperva, told SecurityWeek in an emailed statement.

“This [Bitdefender] research also emphasizes the need for an account takeover solution which protects all devices with a network presence. Account takeover is a big problem, however it is not something which IoT vendors provide protection for. It is therefore a good idea for organizations to deploy an external solution for security,” Avital concluded.

A look into the cyber arsenal used by Lazarus APT hackers in recent attacks against financial institutions
25.1.2018 securityaffairs APT

Security experts at Trend Micro have analyzed malware and a tool used by the Lazarus APT group in the recent attacks against financial institutions.
Security experts at Trend Micro have analyzed the attacks conducted by the notorious Lazarus APT group against financial institutions.

The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems. Security researchers discovered that North Korean Lazarus APT group was behind attacks on banks, including the Bangladesh cyber heist.

In the last campaigns against financial firms, the cyber spies launched watering hole attacks and leveraged a variant of the Lazarus-linked RATANKBA Trojan.

“The malware known as RATANKBA is just one of the weapons in Lazarus’ arsenal. This malicious software, which could have been active since late 2016, was used in a recent campaign targeting financial institutions using watering hole attacks. The variant used during these attacks (TROJ_RATANKBA.A) delivered multiple payloads that include hacking tools and software targeting banking systems.” reads the analysis published by Trend Micro.

“We analyzed a new RATANKBA variant (BKDR_RATANKBA.ZAEL–A), discovered in June 2017, that uses a PowerShell script instead of its more traditional PE executable form—a version that other researchers also recently identified.“

The researchers identified and hacked in some servers used by the cyber spies for temporarily storing stolen data, the analysis of the backend revealed that around 55% of the victims were located in India and neighboring countries.

The majority of the victims were not using enterprise versions of Microsoft software, less than 5% of the victims were Microsoft Windows Enterprise users.

The IP addresses of the victims don’t belong to a large bank or a financial institution, according to Trend Micro victims are likely employees of three web software development companies in India and one in South Korea.

The RATANKBA Trojan is delivered via weaponized Office documents (containing topics related to cryptocurrencies and software development), CHM files, and script downloaders.

Experts noticed that attackers don’t implement a real-time communication with the malware. Once compromised a target machine, the attackers will use a Remote Controller tool to send jobs to the system, the queue of jobs is then processed by RATANKBA.

“During our analysis, we collected a copy of the RATANKBA malware’s Lazarus Remote Controller tool. The remote controller provides a user interface that allows attackers to send jobs to any compromised endpoint. The controller gives the attackers the ability to manipulate the victims’ host by queueing tasks on the main server. RATANKBA retrieves and executes the tasks, and retrieves the collected information.” continues the analysis.

The controller tools used by the Lazarus APT implements a graphical UI interface that allows hackers to push code to the server and download victim profiles from it.


Trend Micro also provided a profile of the members of the Lazarus APT group, the hackers appear to be native Korean speakers and at least one of them is believed to also understand Chinese.

“Given Lazarus’ use of a wide array of tools and techniques in their operations, it’s reasonable to assume that the group will continue to use ever-evolving tactics in their malicious activities.” concluded Trend Micro.

Critical code execution flaw in Electron framework impacts popular Desktop apps such as Skype and Signal
25.1.2018 securityaffairs

A critical RCE vulnerability in the Electron framework impacts popular desktop applications, including Skype, Signal, Slack, GitHub Desktop, Twitch, and
A remote code execution vulnerability tracked as CVE-2018-1000006 was fixed in the Electron framework, which is used by popular desktop applications, including Skype, Signal, Slack, GitHub Desktop, Twitch, and

Electron is a node.js, V8, and Chromium open-source framework that allows developers to use web technologies such as JavaScript, HTML, and CSS to build desktop apps.

The framework is currently being developed by GitHub, the Electron dev team released the versions v1.8.2-beta.4, electron v1.7.11, and electron v1.6.16 to address the issue.

“A remote code execution vulnerability has been discovered affecting Electron apps that use custom protocol handlers. This vulnerability has been assigned the CVE identifier CVE-2018-1000006.” states the Electron team in a post.

“Electron apps designed to run on Windows that register themselves as the default handler for a protocol, like myapp://, are vulnerable.

Such apps can be affected regardless of how the protocol is registered, e.g. using native code, the Windows registry, or Electron’s app.setAsDefaultProtocolClient API.”


,Currently, more than 460 cross-platform desktop applications leverage the Electron framework, but the code execution flaw affects only that use custom protocol handlers, macOS and Linux are not vulnerable to the issue.

All three releases are available for download on GitHub.

The experts also provided a workaround to avoid the exploitation of the vulnerability.

“If for some reason you are unable to upgrade your Electron version, you can append “–“ as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options. The double dash “–“ signifies the end of command options, after which only positional parameters are accepted,” Electron explains.

Electron developers are advised to update their application immediately.

“We’ve published new versions of Electron which include fixes for this vulnerability:
, and
. We urge all Electron developers to update their apps to the latest stable version immediately.” Electron team added.

New HNS botnet has already compromised more than 20,000 IoT devices
25.1.2018 securityaffairs BotNet  IoT

A new botnet called Hide ‘N Seek (HNS botnet) appeared in the threat landscape, the malware is rapidly spreading infecting unsecured IoT devices, mainly IP cameras.
The HNS botnet was first spotted on January 10th by malware researchers from Bitdefender, then it disappeared for a few days, and it has risen over the weekend.

The number of infected systems grew up from 12 at the time of the discovery up to over 20,000 bots, at the time of writing.


“Bitdefender researchers have uncovered an emerging botnet that uses advanced communication techniques to exploit victims and build its infrastructure. The bot, dubbed HNS, was intercepted by our IoT honeypot system following a credentials dictionary attack on the Telnet service.” states the analysis from Bitdefender.

“The samples identified in our honeypots on Jan. 10 revolved around IP cameras manufactured by a Korean company. These devices seemed to play a major role in the botnet as, out of the 12 IP addresses hardcoded in the sample, 10 used to belong to Focus H&S devices. The new version, observed on Jan. 20, dropped the hardcoded IPs.”

Recently security experts spotted other IoT botnets, most of them linked to the Mirai botnet, such as Satori, Okiru, and Masuta, but the HNS botnet has a different genesis and doesn’t share the source code.

Researchers at Bitdefender found similarities between the HNS and the Hajime botnets, unlike Mirai, Hajime doesn’t use C&C servers, instead, it implements a peer-to-peer network.

Hajime is more sophisticated than Mirai, it implements more mechanisms to hide its activity and running processes and its modular structure allows operators to add new capabilities on the fly.

“It is the second known IoT botnet to date, after the notorious Hajime botnet, that has a decentralized, peer-to-peer architecture,” states Bitdefender. “However, if in the case of Hajime, the P2P functionality was based on the BitTorrent protocol, here we have a custom-built P2P communication mechanism.”

The HNS malware is able to infect a series of IoT devices using the exploit as Reaper, the current version is able to receive and execute several types of commands, such as data exfiltration, code execution and interference with a device’s operation.

According to the experts, the botnet is still under development, it doesn’t include DDoS capabilities, a circumstance that suggests it is intended to be deployed as a proxy network.

“While IoT botnets have been around for years, mainly used for DDoS attacks, the discoveries made during the investigation of the Hide and Seek bot reveal greater levels of complexity and novel capabilities such as information theft – potentially suitable for espionage or extortion.” concluded Bitdefender.

“It is also worth noting that the botnet is undergoing constant redesign and rapid expansion.”

The bot spread by randomly generates a list of IP addresses that could be potentially compromised. It then initiates a raw socket SYN connection to each potential target and continues communication with those devices that answer the request on specific destination ports (23 2323, 80, 8080).

Once the bot has established a connection it will look for a specific banner (“buildroot login:”) presented by the victim. If it gets this login banner, it attempts to log in using a list of default credentials. If the credentials are not correct, the botnet launches a dictionary attack using a hardcoded list.

Once connected to the victim, the malware will run through a “state machine” to determine the type of target device and select the most suitable compromise method. Experts explained that if the device shares the same network with the bot, the bot sets up TFTP server to allow the victim to download the malicious code from the bot. If the victim is located on the internet, the bot will attempt to use a specific remote payload delivery method to get the target device to download and execute the sample.

“These exploitation techniques are preconfigured and are located in a memory location that is digitally signed to prevent tampering. This list can be updated remotely and propagated among infected hosts.” continues the analysis.

Experts observed that the HNS botnet cannot establish persistence on infected devices, once the device restart, the malware will be removed, this means that botnet operators have to continuously manage the HNS botnet.

Let’s monitor the growth of the new-born botnet.

libcurl has had authentication leak bug dated back to before September 1999
25.1.2018 securityaffairs

According to a security advisory, libcurl is affected by a couple of issues, one of them might cause the leakage of authentication data to third parties.
libcurl is a free and easy-to-use client-side URL transfer library, it builds and works identically on numerous platforms.

According to a security advisory, libcurl is affected by a couple of issues, one of them might cause the leakage of authentication data to third parties.

The problem is related to the way it handles custom headers in HTTP requests.

“When asked to send custom headers in its HTTP requests, libcurl will send that set of headers first to the host in the initial URL but also, if asked to follow redirects and a 30X HTTP response code is returned, to the host mentioned in URL in the `Location:` response header value.” states the advisory.

“Sending the same set of headers to subsequest hosts is in particular a problem for applications that pass on custom `Authorization:` headers, as this header often contains privacy sensitive information or data that could allow others to impersonate the libcurl-using client’s request. We are not aware of any exploit of this flaw.”

Applications that pass on custom authorization headers could leak credentials or information that could be abused by attackers to impersonate the libcurl-using client’s request.

This vulnerability tracked as CVE-2018-1000007 has been present since before curl 6.0, back to before September 1999. Affected versions are libcurl 7.1 to and including 7.57.0, later versions (7.58.0) are not affected, the patch was published on GitHub.

“In libcurl version 7.58.0, custom `Authorization:` headers will be limited the same way other such headers is controlled within libcurl: they will only be sent to the host used in the original URL unless libcurl is told that it is ok to pass on to others using the `CURLOPT_UNRESTRICTED_AUTH` option.” states the advisory.

“this solution creates a slight change in behavior. Users who actually want to pass on the header to other hosts now need to give curl that specific permission. You do this with [–location-trusted](–location-trusted) with the curl command line tool.”

libcurl is also affected by an “HTTP/2 trailer out-of-bounds read” vulnerability tracked as CVE-2018-1000005.

The issue is related to the code that creates HTTP/1-like headers from the HTTP/2 trailer data that appends a string like `”:”` to the target buffer (it was recently changed to `”: “` (a space was added after the colon) but the associated math wasn’t updated correspondingly.

“When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to the libcurl callback. This might lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.” reads the advisory.

The second issue, CVE-2018-1000005, is described as an “HTTP/2 trailer out-of-bounds read”. The advisory says “reading an HTTP/2 trailer could mess up future trailers since the stored size was one byte less than required.”

“When accessed, the data is read out of bounds and causes either a crash or that the (too large) data gets passed to the libcurl callback. This might lead to a denial-of-service situation or an information disclosure if someone has a service that echoes back or uses the trailers for something.”

Affected versions are libcurl 7.49.0 to and including 7.57.0, experts are not aware of any exploit of this vulnerability in the wild.

Spritecoin ransomware masquerades as cryptocurrency wallet and also harvests victim’s data
25.1.2018 securityaffairs

Fortinet discovered a strain of ransomware dubbed Spritecoin ransomware that only allows victims Monero payments and pretends to be a cryptocurrency-related password store.
Researchers from Fortinet FortiGuard Labs has discovered a strain of ransomware that only allows victims Monero payments and pretends to be a cryptocurrency-related password store.

The ransomware poses itself as a “spritecoin” wallet, it asks users to create their desired password, but instead of downloading the block-chain it encrypts the victim’s data files.

The malware asks for a 0.3 Monero ransom ($105 USD at the time of writing) and drops on the target system a ransom note of “Your files are encrypted.”


The malware includes an embedded SQLite engine, a circumstance that leads experts to believe it also implements a credentials harvesting feature for Chrome and Firefox credential store. The malicious code appends the .encrypted file extension to encrypted files (i.e. resume.doc.encrypted).

While decrypting the files, the Spritecoin ransomware also deploys another piece of malware that is able to harvest certificates, parse images, and control the web camera.

“In a cruel twist, if the victim decides to pay and obtain a decryption key they are then delivered a new malicious executable [80685e4eb850f8c5387d1682b618927105673fe3a2692b5c1ca9c66fb62b386b], detected as W32/Generic!tr.” reads the report.

“While have not yet fully analyzed this malicious payload, we can verify that it does have the capability to activate web cameras and parse certificates and keys that will likely leave the victim more compromised than before.”

The experts speculate the ransomware is being spread via forum spam that targets users interested in cryptocurrency.

“Ransomware is usually delivered via social engineering techniques, but can also be delivered without user interaction via exploits. These often arrive (but are not limited to) via email, exploit kits, malicious crafted Excel/Word/PDF macros, or JavaScript downloaders.” states the analysis published by Fortinet.

“The attacker often uses social engineering and carefully crafted malicious emails to trick and entice the victim to run these executables. These files are often seen using compelling file names to lure the victim into opening the file. Usually, the ransomware requires some user interaction to successfully compromise the victim’s machine.”

In this case, the threat arrives as a “SpriteCoin” package (spritecoind[.]exe) under the guise of a SpriteCoin crypto-currency wallet.”

Once installed on the victim’s machine, the malware will present a user with a prompt to “Enter your desired wallet password.”


When the victims provide their credentials the Spritecoin ransomware inform users it is downloading the blockchain, while it is actually encrypting the files.

The ransomware connects to a TOR site via an Onion proxy (http://jmqapf3nflatei35[.]*) that allows the victim to communicate with the attacker’s website without the need for a TOR connection.

Further details, including IoCs are included in the report.

Facebook Acquires ID Verification Startup Confirm
24.1.2018 securityweek

Facebook has acquired Confirm, a Boston-based startup that specializes in identity verification solutions. Financial terms of the deal have not been disclosed.

Confirm has developed APIs and SDKs that can be integrated into applications that require easy and secure authentication of driver’s licenses and other government IDs. The company’s product leverages advanced pattern analysis and forensic checks to determine if an ID is legitimate.

Before being acquired by Facebook, the company’s website said its products had been used by more than 750 organizations around the world to authenticate customer identity documents.

“When we launched Confirm, our mission was to become the market's trusted identity origination platform for which other multifactor verification services can build upon,” reads a message posted on the website following the acquisition. “Now, we're ready to take the next step on our journey with Facebook.”

Confirm has informed customers that it will wind down its existing ID authentication products. The company’s employees will join Facebook in Boston.

“We are excited to welcome the Confirm team to Facebook,” a Facebook spokesperson told SecurityWeek. “Their technology and expertise will support our ongoing efforts to keep our community safe.”

Facebook asks users to send a scan or photo of their ID to show account ownership or confirm their name. It is possible that the technology obtained as a result of the Confirm acquisition will be used to improve this system.

Confirm was founded by Walter Doyle, whose consumer mobile company was acquired by PayPal in 2011; mobile entrepreneur and venture capitalist Bob Geiman; and Ralph Rodriguez, founder of Delfigo Security, a multifactor authentication company acquired by IBM.

In January 2016, the company announced that it had raised $4 million in a seed funding round.

Bell Canada Hit by Data Breach
24.1.2018 securityweek Incindent

Bell Canada has started informing customers that their personal data has been compromised in a breach that reportedly affects up to 100,000 individuals.

Bell told customers that their names and email addresses were aaccessed by hackers, but the company said in an emailed statement that the attackers also obtained phone numbers, usernames and/or account numbers for a limited number of people. The telecoms company, however, says there is no evidence that credit card or banking information has been compromised.

In response to the incident, Bell has implemented additional authentication and identification requirements for accessing accounts. The company has also advised users to frequently change their password and security questions, and regularly review their financial and online accounts for unauthorized activity.

“The protection of consumer and corporate information is of primary importance to Bell,” John Watson, Executive Vice-President of Customer Experience at Bell Canada, told customers. “We work closely with the RCMP and other law enforcement agencies, government bodies and the broader technology industry to combat the growth of cyber crimes.”

Lisa Baergen, marketing director with Vancouver-based NuData Security, a Mastercard company, pointed out that even limited information such as names and email addresses can be useful to malicious actors.

“We all know bad actors are very talented at preparing fraud schemes with that information, such as phishing scams or dictionary attacks – where fraudsters try certain common passwords based on the user’s personal information,” Baergen said.

“Bell is doing the right thing by evaluating the extent of the damage and keeping customers updated,” she added. “However, to avoid damage after a breach, companies that share clients with Bell can consider applying multi-layered security solutions based on passive biometrics to protect their business and their customers from account takeover of another type of fraud. Online security technologies that evaluate a user or a transaction based on their behavior and not only on their – potentially stolen – static information, thwart all fraudulent attempts that inevitably come after a data breach.”

This is the second time Bell Canada has informed customers of a data breach. In May last year, the company admitted that approximately 1.9 million active email addresses and roughly 1,700 names and active phone numbers were accessed by a hacker.

Bell told SecurityWeek that the latest incident is unrelated to the cyberattack disclosed in May.

Apple Patches Meltdown Flaw in Older Versions of macOS
24.1.2018 securityweek Apple

Apple on Tuesday released security updates for a majority of its products, and it patched the vulnerability that allows Meltdown attacks in earlier versions of its Mac operating system.

Apple rolled out the first mitigations for the Meltdown attack before the flaws were disclosed, in early December, with the release of iOS 11.2, macOS 10.13.2 and tvOS 11.2. Protections against Spectre attacks were added on January 8 with the release of iOS 11.2.2, macOS High Sierra 10.13.2 Supplemental Update, and Safari 11.0.2.

The latest security updates released by the tech giant for Mac computers patch 17 vulnerabilities, including a kernel flaw that allows Meltdown attacks (CVE-2017-5754) in macOS Sierra 10.12.6 and OS X El Capitan 10.11.6.

The update for High Sierra also addresses several other kernel vulnerabilities that can be exploited to read restricted memory and execute arbitrary code with elevated privileges, including ones found by Jann Horn, the Google researcher who independently discovered the Meltdown and Spectre weaknesses.

Other macOS vulnerabilities patched on Monday affect the audio, cURL, LinkPresentation, QuartzCore, sandbox, security, WebKit and Wi-Fi components.

The updates for macOS High Sierra 10.13.2, macOS Sierra 10.12.6, and OS X El Capitan 10.11.6 also fix the IOHIDFamily local privilege escalation vulnerability disclosed by a researcher on New Year’s Eve. The expert disclosed the flaw without giving Apple the chance to release a patch, arguing that it’s not remotely exploitable and the PoC he made public is not stealthy.

iOS 11.2.5 patches 13 security holes, including in the audio, Bluetooth, kernel, LinkPresentation, QuartzCore, security, and WebKit components. Some of these flaws are the same ones that affect macOS.

Since watchOS and tvOS are also based on iOS, a majority of the vulnerabilities have also been patched in the Apple Watch and Apple TV operating systems.

The WebKit flaws have also been resolved by Apple in iCloud for Windows, iTunes for Windows, and Safari.

Despite being among the first vendors to start releasing patches, Apple is facing class action lawsuits over the Meltdown and Spectre CPU vulnerabilities. Apple’s processors are affected due to the fact that they use ARM technology.

Amazon Acquires Threat Hunting Firm Sqrrl
24.1.2018 securityweek Security

Sqrrl, a Cambridge, Mass.-based big data analytics startup that is commercializing NSA technology to help organizations detect threats lurking in their infrastructure, has been acquired by Amazon.

The company announced Tuesday that it has been acquired by Amazon and would be joining the Amazon Web Services (AWS) family.

Sqrrl Logo

Founded in 2012, Sqrrl has raised more than $28 million in funding, including $12.3 million in June 2017 and $7 million in February 2015.

At the core of Sqrrl Enterprise is Accumulo, a database project that began at the NSA in 2008 when the spy agency was searching for a platform that could meet its growing data challenges. In 2011, NSA open sourced Accumulo, which has since become a project at the Apache Foundation. Accumulo was inspired by Google's BigTable design and is built on top of Apache Hadoop, Zookeeper, and Thrift.

In the summer of 2012, a group of the core creators, committers, and contributors to the Accumulo project co-founded Sqrrl.

Built on top of Accumulo, Sqrrl’s software analyzes masses of data in order to uncover hidden patterns, trends, and links, and enables security analysts to visually navigate the relationships between assets and actors involved in a given event. As a result, security teams can detect and mitigate data breaches resulting from cyber-espionage, insider threats, and other types of hard-to-detect attacks.

Six of the seven original members of the Sqrrl had worked for the NSA.

The company did not provide details on how its technology would be integrated into AWS offerings, but it could be used to enhance Macie, a recently-launched security service that helps AWS users discover, classify and protect sensitive data. Amazon Macie uses machine learning to automatically identify and protect personally identifiable information (PII), intellectual property and other sensitive data, and informs users of how their data is being accessed or moved via dashboards and alerts.

“For now, it is business as usual at Sqrrl,” noted Mark Terenzoni, Sqrrl CEO. “We will continue to work with customers to provide advanced threat hunting capabilities. And, over time, we’ll work with AWS to do even more on your behalf.”

Terms of the acquisition were not disclosed, though Axios reported in December that talks were under way for Amazon to buy Sqrrl for "a bit north" of $40 million.

Sqrrl's financial backers include Spring Lake Equity Partners, Matrix Partners, Rally Ventures, Accomplice, and Atlas Venture.

Clothing Retailer Fallas Hit by Payment Card Breach
24.1.2018 securityweek Security

Clothing retailer National Stores, which operates 340 stores across the United States, informed customers this week that their payment card information may have been stolen by hackers.

Los Angeles, California-based National Stores, Inc. operates Fallas, Fallas Paredes, Fallas Discount Stores, Factory 2-U, Anna's Linens, and Falas stores in 22 U.S. states and Puerto Rico.

On December 22, the company learned from a third-party that its payment systems may have been breached by malicious hackers. An investigation launched by National Stores revealed that its point-of-sale (PoS) systems had been infected with malware.

According to the company, the malware may have stolen credit card information between July 16 and December 11, 2017. The compromised data includes names, payment card numbers, expiration dates, and security codes.

The list of potentially impacted stores includes more than 270 locations in California, New York, Nevada, Texas, Arizona, New Mexico, Illinois, Florida, Oklahoma, New Jersey, Massachusetts, Virginia, North Carolina, South Carolina, Maryland, Wisconsin, Michigan, Ohio, Georgia, and Puerto Rico. Over 90 of the affected stores are in California, followed by Texas, with 45 locations.

“We have been working closely with the FBI, cybersecurity experts, and payment card brands to contain the incident and protect our customers' payment cards,” said Michael Fallas, CEO of National Stores. “The malware has been removed from our system, and no customers will be responsible for any fraudulent charges to their accounts. We are in the process of strengthening the security of our point of sale systems to prevent this from happening in the future.”

The retailer has advised customers to keep a close eye on account statements and credit reports, and immediately notify their bank of any suspicious activity.

Fallas is not the only clothing retailer to suffer a payment card breach in recent years. The list also includes Brooks Brothers, Buckle, Forever 21 and Eddie Bauer.

World Economic Forum Announces Global Centre for Cybersecurity
24.1.2018 securityweek Cyber

The World Economic Forum (WEF) is establishing a new Global Centre for Cybersecurity "to help build a safe and secure global cyberspace."

This was announced at the 48th Annual Meeting currently taking place in Davos-Klosters, Switzerland. This year's WEF theme is Creating a Shared Future in a Fractured World. WEF's annual Global Risk Report for 2018 shows cyberattacks are now considered the third most serious global threat behind only extreme weather and natural disasters. Data fraud/theft is fourth.

World Economic Forum 2014
Aerial photo from the futuristic and stylish Intercontinental Hotel in Davos, Switzerland. The Annual Meeting of the World Economic Forum takes place in Davos-Klosters, Switzerland from January 23 to 26, 2018. (Image Credit: World Economic Forum)
The Global Centre for Cybersecurity is seen as providing a unique opportunity to promote a global public/private response to increasing cyber threats. Alois Zwinggi, managing director at the WEF and head of the new center said cybercrime is currently costing the world economy $500 billion annually and is still growing. "As such, addressing the topic is really important for us. The Forum sees a need for much greater collaboration in that space."

WEF describes five main areas of operation for the center: consolidating existing initiatives (such as its Cyber Resiliency Playbook); establishing a library of best practices; improving partners' understanding of cybersecurity; promoting a regulatory framework; and serving as a think tank for future cybersecurity scenarios (such as the fourth industrial revolution and the effect of quantum computing). Although not specified per se, a consistent theme for the new center will be global cybersecurity information sharing.

Rob Wainwright, Executive Director of Europol, said that the center has "absolutely full support from Europol." He explained that Europol, which includes the European Cybercrime Centre) can only function as well as it does because of the public/private networks it has established in Europe: "but it is not nearly enough... That's why I am so delighted that WEF, with its unique networking capability, is now establishing this Global Centre for Cybersecurity -- because it will interconnect a large, dynamic, a very important business community... and will take us to a new level of public/private cooperation."

The Global Centre for Cybersecurity will be located in Geneva, Switzerland, and will be operational in March 2018. Although under the umbrella of WEF, it will be autonomous. WEF spokesperson Georg Schmitt told SecurityWeek that it will be funded by members, with an initial investment of several million Swiss francs from the forum itself. Ongoing, he said in an email, "partner companies will have to pay a certain fee to join. Fees for governments, academia and civil society will be waived. We are planning to hire 20-30 staff this year alone."

It's not yet known how many 'government partners' will join the center. "We will be able to announce the government partners at a later stage, but to give you an impression: at our preparatory meeting in November representatives of almost 20 governments participated, including several G7 and G20 countries."

Effective threat information sharing between the public and private sectors is often seen as the holy grail of cybersecurity -- but has so far proved just as elusive. However, business, like cybercrime, is transnational; and if any organization is well-suited to tackle the problem it is a global business organization. "The announcement of the creation of a Global Security Centre at WEF is welcomed as a potentially hugely valuable way forward in coordinating the activities of nations against this scourge of modern times," Jim Palmer, CISO at ThinkMarble told SecurityWeek. "That said," he continued, "the proof of its effectiveness will be in the pudding -- adequate funding and the positive cooperation from all will be an essential enabler. As a cyber and information security company, we watch with interest."

Mark Noctor, VP EMEA at Arxan Technologies, is hopeful. "We are delighted to see a body with the global importance of the WEF addressing the growing sophistication of cyber threats," he told SecurityWeek. "This move by the WEF will help governments and international organizations to work more closely with industry, manufacturers and software providers to create safe environments and eliminate cyber threats."

But there are many who don't believe that WEF actually delivers on its potential. Bono famously described it as 'fat cats in the snow'. It has also been described as 'a mix of pomp and platitudes'. And there are many in the security industry who do not believe the new Center will achieve much.

"This is what happens when you get a bunch of politicians in a room who have no clear understanding on cybersecurity and the threats," comments Joseph Carson, Chief Security Scientist at Thycotic. "When the need to have a Global Centre for Cybersecurity is being discussed at the World Economic Forum it becomes a pointless political debate usually without industry experts' input."

Carson doesn't believe that centralizing the effort against cybercrime will be effective. "Cybersecurity is most effective when we work together collectively but decentralized. Being decentralized in cybersecurity is a strength as it reduces the risk. We have had this discussion for many years in the EU about a European Centre for Cybersecurity though in the EU, it has been important to be working as a collective and at the same time, being decentralized."

Nevertheless, the potential of a WEF-backed global cybersecurity center cannot be denied. "The Global Centre for Cybersecurity could ultimately become an organization that fosters industry change and helps to educate the market and reduce the success cybercriminals are having on a daily basis," said Sam Curry, chief security officer at Cybereason.

The question is whether the WEF can deliver. "It is premature to declare victory," he continued; "and ultimately whether or not this works is dependent upon the collaboration of enterprises and a focused and determined group of leaders. It is clear to me that there will be minimal success if the organization is filled with toothless sinecures for washed up security hacks."

Code Execution Flaw Impacts Popular Desktop Apps
24.1.2018 securityweek

A remote code execution vulnerability was addressed in the Electron framework, which powers highly popular desktop applications, including Slack, Skype, Signal, GitHub Desktop, Twitch,, and others.

Created in 2013, the framework allows developers to use web technologies such as JavaScript, HTML, and CSS to develop native desktop applications. An open source project maintained by GitHub and an active community of contributors, Electron uses Chromium and Node.js and supports Windows, macOS, and Linux platforms.

There are over 460 cross-platform desktop applications using Electron, but only those that use custom protocol handlers are impacted by the vulnerability. Only applications built for Windows are affected by the bug. macOS and Linux not vulnerable.

Tracked as CVE-2018-1000006, the flaw impacts Electron applications for Windows that register themselves as the default handler for a protocol, like myapp://.

According to Electron, these applications are vulnerable regardless of how the protocol is registered (using native code, the Windows registry, or Electron's app.setAsDefaultProtocolClient API).

The vulnerability was addressed with the release of electron v1.8.2-beta.4, electron v1.7.11, and electron v1.6.16. All three releases are available for download on GitHub.

“If for some reason you are unable to upgrade your Electron version, you can append “--“ as the last argument when calling app.setAsDefaultProtocolClient, which prevents Chromium from parsing further options. The double dash “--“ signifies the end of command options, after which only positional parameters are accepted,” Electron explains.

Although only Windows applications that register themselves as handlers are affected by the remote code vulnerability, all Electron developers are advised to update their software to the latest stable version as soon as possible.

Are you a Tinder user? Watch out, someone could spy on you
24.1.2018 securityaffairs

Experts at security firm Checkmarx discovered two security vulnerabilities in the Tinder mobile apps that could be exploited to spy on users.
Security experts at Checkmarx discovered two security vulnerabilities in the Tinder Android and iOS dating applications that could be exploited by an attacker on the same wi-fi network as a target to spy on users and modify their content.

Attackers can view a target user’s Tinder profile, see the profile images they view and determine the actions they take.

“The vulnerabilities, found in both the app’s Android and iOS versions, allow an attacker using the same network as the user to monitor the user’s every move on the app. It is also possible for an attacker to take control over the profile pictures the user sees, swapping them for inappropriate content, rogue advertising or other type of malicious content (as demonstrated in the research).” reads the analysis published by Checkmarx.

“While no credential theft and no immediate financial impact are involved in this process, an attacker targeting a vulnerable user can blackmail the victim, threatening to expose highly private information from the user’s Tinder profile and actions in the app.”

An attacker can conduct many other malicious activities, including intercepting traffic and launching DNS poisoning attacks.

The first issue is related to the fact that both the iOS and Android Tinder apps download profile pictures via insecure HTTP connections, this means that an attacker can access the traffic to determine which profiles are viewed by a Tinder user.


An attacker could also modify traffic for example to swap images.

“Attackers can easily discover what device is viewing which profiles,” continues the analysis. “Furthermore, if the user stays online long enough, or if the app initializes while on the vulnerable network, the attacker can identify and explore the user’s profile.” “Profile images that the victim sees can be swapped, rogue advertising can be placed and malicious content can be injected,”

Obviously, such kind of issue could be mitigated with the adoption of HTTPS.

Checkmarx also discovered another issue related to the use of HTTPS, the flaw was called “Predictable HTTPS Response Size”.

“By carefully analyzing the traffic coming from the client to the API server and correlating with the HTTP image requests traffic, it is possible for an attacker to determine not only which image the user is seeing on Tinder, but also which action did the user take.” states Checkmarx. “This is done by checking the API server’s encrypted response payload size to determine the action,”

An attacker that is in the position of analyzing the traffic can discover the user’s interest in a specific profile by detecting a 278-byte encrypted response that is delivered by the API server when he swipes left on a profile picture. Swiping right, the Tinder user likes a particular profile, in this case, the response generated is composed of 374 bytes.

The researchers also noticed that Tinder member pictures are downloaded to the app via HTTP connection, this makes possible for an attacker to view the profile images of those users being swiped left and right.

In order to mitigate this issue, researchers suggest padding requests, if the responses were padded to a fixed size, it would be impossible to discriminate the user’s action.

Checkmarx disclosed both vulnerabilities to Tinder.