Ransomware has not had its last word. A new version scares victims with unpaid invoices
20.9.2016 Novinky/Bezpečnost Viruses
Various versions of extortion viruses, collectively known as ransomware, have been terrorizing users for several years. Security experts have found a cure for many of them, but cybercriminals keep creating new versions. The malicious code that extracts considerable sums from users has therefore certainly not had its last word.
This is shown, for example, by an improved version of the RAA ransomware, which security experts from the antivirus company Kaspersky Lab warned about on Tuesday.
This uninvited guest began circulating on the internet in the middle of this year. Its new version, however, is considerably more capable: it can encrypt data even on computers that have no internet access. Previously, the cybercriminals themselves had to launch the attack remotely, with a preset command stored on a server.
The improved variant also tries to deceive the various security applications on the computer. It spreads most often as an attachment to an unsolicited e-mail. The attackers password-protect the attachment, and the user has to open it with the access code written in the message itself. Most antivirus programs cannot look inside password-protected archives.
Because of the password, recipients of the unsolicited message may also mistakenly believe that it is not a scam at all. Password-protected archives are commonly used in businesses, for example, to keep data away from anyone unauthorized.
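A mail gateway cannot scan the contents of such an archive, but it can still tell that the archive is password-protected: the ZIP format records encryption in a per-entry flag that is stored in the clear. The following Python script is an added example (not code from the article or from Kaspersky Lab) that reads that flag from the central directory and applies a quarantine policy; the sample archive, its file name and the policy labels are constructed for the demo.

```python
import io
import struct
import zipfile

# ZIP general-purpose bit flag, bit 0: the entry is encrypted (APPNOTE section 4.4.4).
# The flag is not encrypted itself, so an archive can be classified without the password.
ZIP_FLAG_ENCRYPTED = 0x0001


def zip_has_encrypted_entries(data: bytes) -> bool:
    """True if any entry in the archive carries the 'encrypted' flag.

    Only the central directory is parsed; nothing is extracted.
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return any(info.flag_bits & ZIP_FLAG_ENCRYPTED for info in zf.infolist())
    except zipfile.BadZipFile:
        return False  # not a ZIP at all; other scanners decide what it is


def classify_attachment(data: bytes) -> str:
    """Gateway policy (constructed labels for the demo): an archive the scanner cannot
    look into is quarantined instead of being passed through unscanned."""
    if not data.startswith(b"PK\x03\x04"):
        return "not-a-zip"
    if zip_has_encrypted_entries(data):
        return "quarantine-encrypted-archive"
    return "scan"


def build_sample_zip(encrypted: bool) -> bytes:
    """Constructed one-entry ZIP for the demo.

    The standard library cannot write encrypted ZIPs, so the encryption flag is set
    afterwards by patching the local file header (flags at byte 6) and the central
    directory header (flags at byte 8); the payload itself stays plain text.
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("unpaid_invoice.doc", "constructed placeholder, not malware\n")
    data = bytearray(buf.getvalue())
    if encrypted:
        eocd = len(data) - 22  # end-of-central-directory record; no archive comment
        assert data[eocd:eocd + 4] == b"PK\x05\x06"
        cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
        data[6] |= ZIP_FLAG_ENCRYPTED
        data[cd_offset + 8] |= ZIP_FLAG_ENCRYPTED
    return bytes(data)


if __name__ == "__main__":
    for flag in (False, True):
        print(f"encrypted={flag}: {classify_attachment(build_sample_zip(flag))}")
```

The check deliberately stops at the central directory: the verdict does not depend on being able to read the payload, which is exactly the situation the password is meant to create for the scanner.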
It is precisely businesses that the new version of the RAA ransomware targets. It tries to frighten recipients of the unsolicited e-mails with the claim that they have unpaid invoices owed to suppliers; the document in the attachment is supposed to prove that this is really the case.
If users actually open the archive, they unknowingly let the uninvited guest into their computer. The attack itself then follows the traditional scenario: RAA starts encrypting the contents of the computer and shows the user a notice that they must pay to have their data decrypted, otherwise they will supposedly never get at their data again.
Even after paying the ransom, users have no guarantee that they will really get their data back. The virus must be uninstalled from the computer and the data then decrypted with a special program, which in some cases is not possible.
They want 14,000 CZK for decryption
The extortionists are no small-timers either: they demand one bitcoin for decryption, which at the current exchange rate is more than 14,000 crowns. It must be stressed once again that people should not pay the amount in question under any circumstances. The attackers simply pocket the money and disappear.
Besides the RAA ransomware, the archive also hides the Pony trojan, which can steal passwords from practically all e-mail clients. With the help of this uninvited guest, the fraudsters then try to spread the ransomware to the affected user's contacts in that user's name.
It follows from the above that users should be wary of a frightening e-mail about unpaid invoices even when it comes from people they really know, because computer pirates may in fact be posing as them.
Cisco finds new Zero-Day Exploit linked to NSA Hackers
20.9.2016 THEHACKERNEWS Vulnerability
Network equipment vendor Cisco is finally warning its customers of another zero-day vulnerability the company discovered in the trove of NSA's hacking exploits and implants leaked by the group calling itself "The Shadow Brokers."
Last month, the Shadow Brokers published firewall exploits, implants, and hacking tools allegedly stolen from the NSA's Equation Group, which were designed to target major vendors including Cisco, Juniper, and Fortinet.
One hacking exploit, dubbed ExtraBacon, leveraged a zero-day vulnerability (CVE-2016-6366) that resided in the Simple Network Management Protocol (SNMP) code of Cisco ASA software and could allow remote attackers to cause a reload of the affected system or execute malicious code.
Now Cisco has found another zero-day exploit, dubbed "Benigncertain," which targets PIX firewalls.
Cisco analyzed the exploit and noted that it had not identified any new flaws related to this exploit in its current products.
But, further analysis of Benigncertain revealed that the exploit also affects Cisco products running IOS, IOS XE and IOS XR software.
Benigncertain leveraged the vulnerability (CVE-2016-6415) that resides in the IKEv1 packet processing code and affects several Cisco devices running IOS operating system and all Cisco PIX firewalls.
IKE (Internet Key Exchange) is a protocol used by firewalls to provide virtual private networks (VPNs), and it is even used to manage industrial control systems.
A remote, unauthorized attacker could use this vulnerability to retrieve memory contents and disclose critical information such as RSA private keys and configuration information by sending specially crafted IKEv1 packets to affected devices.
"The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests," Cisco said in its advisory.
Cisco IOS XR versions 4.3.x, 5.0.x, 5.1.x and 5.2.x, as well as PIX firewall versions 6.x and earlier, are vulnerable to this flaw, though the company has not supported PIX since 2009.
Cisco has not yet developed a patch for the flaw, and no workarounds are available.
The company said the vulnerability is currently being exploited and advised its customers to employ intrusion detection systems (IDS) and intrusion prevention systems (IPS) to help stop the attacks.
Cisco promised to release software updates to patch CVE-2016-6415 but did not specify a time frame.
How an insecure messaging app led to fall of a terrorist organization in Turkey?
20.9.2016 securityaffairs Cyber
MIT (the Turkish National Intelligence Agency) hacked a single server of a messaging app in Lithuania in order to identify members of an Islamic terrorist group.
Amid the harsh political controversies that arose in Turkey with the recent coup attempt of July 15th, it seems that a cyberwar between MIT (the Turkish National Intelligence Agency) and FETO ended up revealing the names of all key members to the government authorities.
It all started with the release of a mobile messaging app called ByLock, which looked like a simple, ordinary messaging solution with offline mail and online voice calling capabilities, developed by a man named David Keynes from Oregon. It was later understood that no one of that name existed and that the app was the work of an illegal organization moving its entire daily communication underground.
Despite the “next generation of secure communication” slogan on the ByLock homepage (which is still live at https://bylockapp.wordpress.com/), months after the application's release it drew the attention of MIT because of its popularity among FETO members. It was easily decompiled into its components, which pointed to a server in Lithuania on which all messages, passwords and IP addresses were stored in plaintext.
After the hack of the server in Lithuania, security experts downloaded nearly 3.5 million messages revealing roughly 53,000 people related to the illegal organization. It was a breach that gave the Turkish authorities a big advantage in mid-2015 and after the failed coup attempt.
But this is not the end of the story. Recently, the head of the “Ministry of Science, Technology and Industry”, Faruk Ozlu, revealed that there were suspicions that ByLock was the product of secret FETO members working in TUBITAK (The Scientific and Technological Research Council of Turkey). “Our investigations are still ongoing in TUBITAK and we are categorizing suspected people in 5 categories. We have removed from their jobs those who were found in the 4th and 5th categories, while the others in the 3 remaining categories are being checked for evidence,” Ozlu told AA (Anatolian News Agency) on September 9.
This news about TUBITAK revealed footprints of another struggle, which resulted in the wiretaps leaked in 2013 containing Tayyip Erdogan’s conversations on crypto-phones developed by TUBITAK, which the authorities later denied and called ‘fake’.
OpenSSL will patch this week high severity vulnerability
20.9.2016 securityaffairs Vulnerability
The OpenSSL Project announced early this week that it will release updates as soon as possible to patch multiple vulnerabilities.
One of the flaws that affect the popular toolkit has a “high” severity.
The Project plans to release OpenSSL versions 1.1.0a, 1.0.2i and 1.0.1u next Thursday. The OpenSSL Project confirmed that the security updates to be released on September 22 will fix one flaw of high severity and one of moderate severity, while the remaining ones are all of low severity.
The time to fix a flaw depends on its severity: high severity issues are usually fixed within a month by the experts at the OpenSSL Project, while critical issues are fixed as soon as possible to avoid exploitation in the wild.
The OpenSSL Project has once again reminded users that support for version 1.0.1 will end on December 31. The 1.1.0 branch was launched on August 25.
The OpenSSL Project has already issued three security patches this year that addressed a total of 16 vulnerabilities.
In May, the OpenSSL Project fixed the CVE-2016-2107 flaw in the open-source cryptographic library, which could be exploited to launch a man-in-the-middle attack leveraging a padding oracle that can decrypt HTTPS traffic if the connection uses an AES-CBC cipher and the server supports AES-NI.
According to the experts, the flaw had affected the OpenSSL cryptographic library since 2013, when the project's maintainers fixed another padding oracle flaw called Lucky 13.
“A MITM attacker can use a padding oracle attack to decrypt traffic when the connection uses an AES CBC cipher and the server supports AES-NI.” states the advisory issued by the OpenSSL Project. “This issue was introduced as part of the fix for Lucky 13 padding attack (CVE-2013-0169). The padding check was rewritten to be in constant time by making sure that always the same bytes are read and compared against either the MAC or padding bytes. But it no longer checked that there was enough data to have both the MAC and padding bytes.”
According to the security firm High-Tech Bridge, on May 31st many of the Alexa Top 10,000 websites were still vulnerable to the OpenSSL flaw CVE-2016-2107, even though the OpenSSL Project had issued the fix on May 1st.
CVE-2016-2107 OpenSSL Flaw
Earlier this year the OpenSSL Project released versions 1.0.2f and 1.0.1r to fix a high-severity vulnerability (CVE-2016-0701) that allows attackers to decrypt secure traffic. The developers also patched two separate vulnerabilities in the toolkit, the more severe of which affected the implementation of the Diffie-Hellman key exchange algorithm present only in OpenSSL version 1.0.2.
Another round of security updates released in March fixed vulnerabilities, including the DROWN flaw that could be exploited by attackers to access users’ sensitive data over secure HTTPS communications. In March, security experts estimated that the DROWN vulnerabilities affected a quarter of the top one million HTTPS domains and one-third of all HTTPS websites at the time of disclosure.
Vawtrak v2, a close look at the cybercriminal groups behind the threat
19.9.2016 securityaffairs Crime
Security experts from the cyber threat intelligence firm Blueliv have published a report on the banking Trojan Vawtrak v2 and its criminal ecosystem.
Security experts from the cyber threat intelligence firm Blueliv have conducted a technical investigation on the banking Trojan Vawtrak v2 and activities of the cybercriminal groups behind the threat.
Vawtrak is a threat that has been in the wild since 2014, when experts at Trend Micro spotted it targeting Japanese Internet users. The first variant, BKDR_VAWTRAK, abused a Windows feature called Software Restriction Policies (SRP) to prevent victims’ systems from running a wide range of security programs.
We have seen several versions of the malware over the years; the latest variant of Vawtrak was discovered this summer by experts from Fidelis. The new version of the Vawtrak banking Trojan included significant improvements such as SSL pinning.
Researchers from Blueliv have now reverse engineered the Vawtrak banking Trojan, confirming the presence of two clearly differentiated infrastructures: one dedicated exclusively to malware distribution (primarily spam), and a second one used for maintenance, control and the reporting of stolen data.
The analysis of the Vawtrak v2 revealed a complex infrastructure used to deliver the malware as well as other Trojans. Blueliv named the cybercriminal group behind this infrastructure Moskalvzapoe.
Moskalvzapoe uses several servers hosting command and control (C2) for Vawtrak and other Trojans (e.g. the Pony credential stealer). The threat is primarily spread through spam and drive-by download mechanisms involving exploit kits (mostly Nuclear EK).
The Moskalvzapoe infrastructure presents an unusual network topology in terms of the way crooks have set up C&C servers and how they rotate their domains and exposed IPs.
“All these hosts forward all the incoming connections towards the back-end.” reads the analysis from Blueliv. “The Trojans dropped by the loaders are usually found in compromised servers which share multiple characteristics including geolocation. Most of the compromised hosts can be found in Russia. Usually these hosts are compromised using security vulnerabilities found in commonly used software such as WordPress, Joomla, or Bitrix. Furthermore, the deployment of Pony Grabber, the credential-stealing malware, enables them access to other hosts and services.”
Vawtrak v2 can perform further actions by using additional modules, significantly expanding its capabilities. The most common modules used by the banking Trojan:
Steal credentials from various applications installed in the host.
Provide the attackers with remote access.
Use the host as a proxy.
Log the user´s keystrokes.
The largest number of Vawtrak v2 infections was observed in the US (69,010), followed by Canada (6,777) and the UK (969), while the impact on Europe was minimal.
“The total amount of data exfiltrated by the botnet is more than 2,500,000 credentials. The fact that U.S. is the most affected country is also reflected in the most affected services.” reads the report published by BlueLiv.
The analysis published by Blueliv revealed the use of large-scale communication networks that significantly increased the level of sophistication of the criminal infrastructure supporting the distribution of Vawtrak v2 worldwide.
The data in the report show the remarkable capabilities of cybercrime groups, which have complex hierarchies and an efficient business model.
I suggest reading the report titled “Chasing cybercrime: Network insights into Vawtrak v2”, which is full of interesting data on the malware and the threat actors behind it.
Blueliv also provided Indicators of Compromise (IOCs) that could be used by organizations to detect the threat.
Boffins analyzed EXIF metadata in photos on principal blackmarkets
19.9.2016 securityaffairs Crime
Two researchers have analyzed the Exif metadata included in the photos used by crooks to advertise their products on black marketplaces in the dark web.
Darknets are a privileged environment for crooks who intend to develop a prolific business while protecting their anonymity; however, there are several aspects they need to consider in order not to leave tracks that could allow their identification.
In the past, the analysis of EXIF metadata has allowed law enforcement and intelligence agencies to track suspects, but now cyber criminals, including sellers on the principal black markets, have started to strip metadata from the photos they post. The trend was confirmed by a study conducted by two Harvard University students, Paul Lisker and Michael Rose.
“Our goal was to leverage a longitudinal archive of dark net markets (DNMs) to collect and analyze sale listing images with metadata containing location data.” the students explained in a post.
What is EXIF metadata?
“Exchangeable image file format (officially Exif, according to JEIDA/JEITA/CIPA specifications) is a standard that specifies the formats for images, sound, and ancillary tags used by digital cameras (including smartphones), scanners and other systems handling image and sound files recorded by digital cameras.” reads Wikipedia.
Basically, every image taken with a digital camera or a mobile device includes information such as the device used and the location of the shot; that data is written in the “exchangeable image file format” (EXIF) standard.
Paul Lisker and Michael Rose analyzed images of drugs and weapons used by crooks to advertise their products and services on black marketplaces in the dark web, which had been saved in a data repository maintained by the independent security researcher Gwern Branwen.
The archive is very interesting for security experts who intend to study activities in the dark web; it includes data from some 83 dark markets and 40 associated forums. The information was collected from 2013 to 2015, totalling 44 million files or 1.5 TB of data.
“From 2013-2015, I scraped/mirrored on a weekly or daily basis all existing English-language DNMs as part of my research into their usage, lifetimes/characteristics, & legal riskiness; these scrapes covered vendor pages, feedback, images, etc. In addition, I made or obtained copies of as many other datasets & documents related to the DNMs as I could. This uniquely comprehensive collection is now publicly released as a 50GB (~1.6TB uncompressed) collection covering 89 DNMs & 37+ related forums, representing <4,438 mirrors, and is available for any research. This page documents the download, contents, interpretation, and technical methods behind the scrapes.” wrote Branwen.
The experts used bash scripts to search the images in the archive for EXIF data including longitude and latitude.
“In order to analyze the listing images inside each archive, we first searched for and compiled a list of the file path of all JPEG images to ensure that no file went untested. (Images used for listings were only in the JPEG format; any other image formats — PNG, GIF, etc. — were used for website graphics.) Then, using Python and bash scripts, we checked each image’s EXIF data for longitude or latitude data, saving the coordinates for each geotagged photo and its file path to a text file.” explained the students.
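The check the students describe (walk every JPEG, read its Exif block, record the coordinates of geotagged photos) is an ordinary TIFF/IFD walk. The Python script below is an added example, not the students' own scripts, that does it with the standard library only: it locates the APP1 Exif segment, follows the GPS sub-IFD pointer from IFD0, converts the degree/minute/second rationals to signed decimal degrees, and also implements the countermeasure the markets adopted, removing the whole Exif segment. The sample JPEG, its layout offsets and its coordinates are constructed for the demo; the container carries no image data.

```python
import struct
from typing import Dict, Optional, Tuple

# TIFF field types and their sizes in bytes (BYTE, ASCII, SHORT, LONG, RATIONAL, UNDEFINED)
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}
GPS_IFD_TAG = 0x8825  # IFD0 entry that points at the GPS sub-IFD
GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON = 0x0001, 0x0002, 0x0003, 0x0004


def _find_exif_segment(data: bytes) -> Optional[Tuple[int, int]]:
    """Return (start, end) of the APP1 Exif segment by walking JPEG marker segments."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xD8, 0xD9) or 0xD0 <= marker <= 0xD7:  # standalone markers carry no length
            pos += 2
            continue
        seg_len = struct.unpack_from(">H", data, pos + 2)[0]
        if marker == 0xE1 and data[pos + 4:pos + 10] == b"Exif\x00\x00":
            return pos, pos + 2 + seg_len
        if marker == 0xDA:  # start of scan: only entropy-coded image data follows
            break
        pos += 2 + seg_len
    return None


def _read_ifd(tiff: bytes, e: str, offset: int) -> Dict[int, object]:
    """Decode one IFD into {tag: value}; values longer than 4 bytes live at an offset."""
    entries: Dict[int, object] = {}
    count = struct.unpack_from(e + "H", tiff, offset)[0]
    for i in range(count):
        base = offset + 2 + 12 * i
        tag, typ, n = struct.unpack_from(e + "HHI", tiff, base)
        size = TYPE_SIZE.get(typ, 1) * n
        val_off = base + 8 if size <= 4 else struct.unpack_from(e + "I", tiff, base + 8)[0]
        raw = tiff[val_off:val_off + size]
        if typ == 2:
            entries[tag] = raw.rstrip(b"\x00").decode("ascii", "replace")
        elif typ in (3, 4):
            entries[tag] = struct.unpack(e + ("H" if typ == 3 else "I") * n, raw)
        elif typ == 5:
            v = struct.unpack(e + "I" * (2 * n), raw)
            entries[tag] = [(v[2 * k], v[2 * k + 1]) for k in range(n)]
        else:
            entries[tag] = raw
    return entries


def _dms_to_decimal(dms, ref: str) -> float:
    deg, minutes, seconds = (n / d if d else 0.0 for n, d in dms)
    value = deg + minutes / 60 + seconds / 3600
    return -value if ref.upper() in ("S", "W") else value


def exif_gps(data: bytes) -> Optional[Tuple[float, float]]:
    """Return (latitude, longitude) in decimal degrees, or None if the JPEG has no geotag."""
    seg = _find_exif_segment(data)
    if seg is None:
        return None
    tiff = data[seg[0] + 10:seg[1]]  # skip marker, length field and "Exif\0\0"
    e = {b"II": "<", b"MM": ">"}.get(tiff[:2])
    if e is None:
        return None
    try:
        ifd0 = _read_ifd(tiff, e, struct.unpack_from(e + "I", tiff, 4)[0])
        if GPS_IFD_TAG not in ifd0:
            return None
        gps = _read_ifd(tiff, e, ifd0[GPS_IFD_TAG][0])
        if not all(t in gps for t in (GPS_LAT_REF, GPS_LAT, GPS_LON_REF, GPS_LON)):
            return None
        return (_dms_to_decimal(gps[GPS_LAT], gps[GPS_LAT_REF]),
                _dms_to_decimal(gps[GPS_LON], gps[GPS_LON_REF]))
    except (struct.error, IndexError, TypeError, ValueError):
        return None  # malformed metadata is reported as "no geotag", not as a crash


def strip_exif(data: bytes) -> bytes:
    """Drop the whole APP1 Exif segment, which is what a careful seller or market does."""
    seg = _find_exif_segment(data)
    return data if seg is None else data[:seg[0]] + data[seg[1]:]


def build_sample_jpeg(lat_dms, lat_ref: str, lon_dms, lon_ref: str) -> bytes:
    """Constructed minimal JPEG container (SOI, APP1 Exif, EOI) holding only a GPS IFD.
    Little-endian TIFF; IFD0 at 8, GPS IFD at 26, latitude rationals at 80, longitude at 104."""
    tiff = b"II" + struct.pack("<HI", 0x2A, 8)
    tiff += struct.pack("<H", 1) + struct.pack("<HHII", GPS_IFD_TAG, 4, 1, 26) + struct.pack("<I", 0)
    tiff += struct.pack("<H", 4)
    tiff += struct.pack("<HHI", GPS_LAT_REF, 2, 2) + lat_ref.encode() + b"\x00" * 3
    tiff += struct.pack("<HHII", GPS_LAT, 5, 3, 80)
    tiff += struct.pack("<HHI", GPS_LON_REF, 2, 2) + lon_ref.encode() + b"\x00" * 3
    tiff += struct.pack("<HHII", GPS_LON, 5, 3, 104) + struct.pack("<I", 0)
    for n, d in (*lat_dms, *lon_dms):
        tiff += struct.pack("<II", n, d)
    app1 = b"Exif\x00\x00" + tiff
    return b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1 + b"\xff\xd9"
```

Run over a directory of listings, `exif_gps` gives the same per-file answer the students saved to their text file, and `strip_exif` is the one-line fix that removes the leak; the walker stops at the start-of-scan marker, so a large image costs only a few header reads.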
The experts found 229 unique images that contained geolocation data that would reference the location of the shot within a range of two kilometres.
The duo analysed roughly 223,471 unique dark market images; the vast majority do not include EXIF data.
“Out of these markets and forums, we located 2,276 total geotagged images, which after eliminating duplicates available over multiple days, gave 229 total unique images with associated coordinates. The coordinates—with decimals removed from the numbers to protect privacy—can be seen plotted in the map below. (The coordinates may be up to about one mile away from their true location.)” states the duo.
Data from lisker.silk.co
“In total, we analyzed 7,522,284 images from the entire DNM archive, representing 223,471* unique photos. Table 1 presents a summary of markets containing geotagged images:”
Most popular black markets, like Agora, stripped metadata from the images published in their ads. In the case of Agora, the researchers noticed that EXIF metadata was absent from all images after 18 March 2014.
In the conclusions of the study, the researchers highlighted that sellers and dark market websites are failing to remove EXIF metadata from images.
“First, it was common in many cases to observe sites, typically residential, surrounded by 5–10 tagged images separated by a few meters,” the students explained in a post.
“This suggests the behavior of sellers who are careless on a regular basis, rather than the occasional forgetfulness of not stripping data or purposeful manipulation.
“We also found several instances of these clusters incorporating listings on multiple sites, pointing to sellers with activities across the darknet and failing to strip their products’ location on any of the sites up.”
Firefox Browser vulnerable to Man-in-the-Middle Attack
19.9.2016 thehackernews Vulnerability
A critical vulnerability resides in the fully-patched version of the Mozilla's Firefox browser that could allow well-resourced attackers to launch man-in-the-middle (MITM) impersonation attacks and also affects the Tor anonymity network.
The Tor Project patched the issue in the browser's HTTPS certificate pinning system on Friday with the release of its Tor Browser version 6.0.5, while Mozilla still has to patch the critical flaw in Firefox.
Attackers can deliver Fake Tor and Firefox Add-on Updates
The vulnerability could allow a man-in-the-middle attacker who is able to obtain a forged certificate for addons.mozilla.org to impersonate Mozilla servers and as a result, deliver a malicious update for NoScript, HTTPS Everywhere or other Firefox extensions installed on a targeted computer.
"This could lead to arbitrary code execution [vulnerability]," Tor officials warned in an advisory. "Moreover, other built-in certificate pinnings are affected as well."
Although it would be challenging to obtain a fraudulent certificate for addons.mozilla.org from any one of the several hundred Firefox-trusted certificate authorities (CAs), it is within reach of powerful nation-state attackers.
The vulnerability was initially discovered on Tuesday by a security expert who goes by the name @movrcx, who described the attacks against Tor and estimated that attackers would need US$100,000 to launch the multi-platform attacks.
Actual Issue resides in Firefox's Certificate Pinning Procedure
However, according to a report posted Thursday by independent security researcher Ryan Duff, this issue also affects Firefox stable versions, although a nightly build version rolled out on September 4 is not susceptible.
Duff said the actual problem resides in Firefox's custom method for handling "Certificate Pinning," which is different from the IETF-approved HPKP (HTTP Public Key Pinning) standard.
Certificate pinning is an HTTPS feature that makes sure the user's browser accepts only a specific certificate key for a particular domain or subdomain and rejects all others, which prevents the user from falling victim to an attack carried out with spoofed SSL certificates.
While not very widely deployed, the HPKP standard is often used on websites that handle sensitive information.
"Firefox uses its own static key pinning method for its own Mozilla certifications instead of using HPKP," says Duff. "The enforcement of the static method appears to be much weaker than the HPKP method and is flawed to the point that it is bypassable in this attack scenario."
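Duff's point is that Firefox's static pinning did not behave like the HPKP mechanism described above. As an added example (not Mozilla's or Tor's code), the Python script below implements the two halves of HPKP as RFC 7469 specifies them: a user agent notes the pins from a Public-Key-Pins header only when at least one pin matches the validated chain and at least one backup pin does not, and on a later connection it accepts a chain only when some certificate's SubjectPublicKeyInfo hash equals a noted pin. The SPKI byte strings are constructed stand-ins for the DER structures a real certificate carries; the header value is built from them.

```python
import base64
import hashlib
from typing import Dict, Iterable, List, Optional, Set


def spki_pin(spki_der: bytes) -> str:
    """pin-sha256 value (RFC 7469): base64 of SHA-256 over the SubjectPublicKeyInfo DER."""
    return base64.b64encode(hashlib.sha256(spki_der).digest()).decode("ascii")


def parse_hpkp_header(value: str) -> Dict[str, object]:
    """Parse a Public-Key-Pins header value into its directives."""
    pins: List[str] = []
    max_age: Optional[int] = None
    include_subdomains = False
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name = name.strip().lower()
        raw = raw.strip().strip('"')
        if name == "pin-sha256":
            pins.append(raw)
        elif name == "max-age":
            max_age = int(raw)
        elif name == "includesubdomains":
            include_subdomains = True
    return {"pins": pins, "max_age": max_age, "include_subdomains": include_subdomains}


def chain_matches(chain_spki_der: Iterable[bytes], pins: Set[str]) -> bool:
    """Pin validation: the chain is acceptable when the SPKI hash of ANY certificate in
    the validated chain equals ANY noted pin (the pin may sit on the leaf or a CA key)."""
    return any(spki_pin(spki) in pins for spki in chain_spki_der)


def should_note_pins(header_value: str, chain_spki_der: List[bytes]) -> Optional[Set[str]]:
    """Decide whether a UA may note (remember) the pins a host sends.

    The header is only honoured when one pin matches the current chain and a backup
    pin does not; a max-age of zero or a missing max-age means nothing is noted.
    """
    hpkp = parse_hpkp_header(header_value)
    pins = set(hpkp["pins"])
    if hpkp["max_age"] is None or hpkp["max_age"] <= 0:
        return None
    chain_hashes = {spki_pin(s) for s in chain_spki_der}
    if not (pins & chain_hashes) or not (pins - chain_hashes):
        return None
    return pins


def validate_connection(noted_pins: Set[str], chain_spki_der: List[bytes]) -> str:
    """Verdict for a later connection to a host whose pins were noted earlier."""
    return "accept" if chain_matches(chain_spki_der, noted_pins) else "reject"


# Constructed stand-ins for DER-encoded SubjectPublicKeyInfo structures. Real pins are
# computed over the actual DER bytes of each certificate's public key.
LEAF_SPKI = b"constructed-spki-addons-leaf"
INTERMEDIATE_SPKI = b"constructed-spki-intermediate"
BACKUP_SPKI = b"constructed-spki-backup-key"

PKP_HEADER = (f'pin-sha256="{spki_pin(LEAF_SPKI)}"; '
              f'pin-sha256="{spki_pin(BACKUP_SPKI)}"; '
              'max-age=5184000; includeSubDomains')

if __name__ == "__main__":
    noted = should_note_pins(PKP_HEADER, [LEAF_SPKI, INTERMEDIATE_SPKI])
    print("noted pins:", noted)
    # a chain ending in the pinned leaf key is fine; a chain built on some other key,
    # even one a trusted CA signed, is not
    print(validate_connection(noted, [LEAF_SPKI, INTERMEDIATE_SPKI]))
    print(validate_connection(noted, [b"constructed-spki-other-key", INTERMEDIATE_SPKI]))
```

The second `validate_connection` call is the case the article is about: a certificate that chains to a trusted CA but carries a key nobody pinned is rejected, which is the guarantee the static pinning in Firefox failed to deliver.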
Mozilla is scheduled to release Firefox 49 on September 20, so the team has enough time to deliver a fix. The Tor Project took just one day to address the flaw after the bug's disclosure went online.
Users of Tor Browser should update to version 6.0.5, while Firefox users should disable automatic add-on updates, a default feature in the browser, or should consider using a different browser until Mozilla releases the update.
CVE-2016-6415 – CISCO confirms a new Zero-Day linked to Equation Group hack
19.9.2016 securityaffairs Vulnerability
Cisco has revealed the existence of another zero-day vulnerability, tracked as CVE-2016-6415, in the Equation Group archive leaked by the Shadow Brokers hackers.
This summer a group of hackers known as the Shadow Brokers hacked into the arsenal of the NSA-linked Equation Group and leaked roughly 300 MB of exploits, implants, and hacking tools.
The existence of the Equation Group was revealed in February 2015 by security researchers at Kaspersky. The alleged nation-state actor has been operating since 2001 and targeted practically every industry with sophisticated zero-day exploits.
According to a report from Kaspersky Lab, the Equation Group combined sophisticated and complex Tactics, Techniques, and Procedures. The experts at Kaspersky speculated that the Equation Group had interacted with operators behind Stuxnet and Flame. Based on the elements collected in the various cyber espionage campaigns across the years, the experts hypothesized that the National Security Agency (NSA) could be linked to the Equation Group.
After the Shadow Brokers leaked the archive online, major vendors like CISCO, Juniper, and Fortinet analyzed their systems in order to find the vulnerabilities exploited by the Equation Group’s exploits and fix them.
CISCO, for example, discovered in the arsenal a tool dubbed EXTRABACON that was able to hack into CISCO ASA boxes.
The EXTRABACON tool exploits the CVE-2016-6366 vulnerability to allow an attacker who has already gained a foothold in a targeted network to take full control of a CISCO ASA firewall. It leverages a flaw that resides in the Simple Network Management Protocol (SNMP) implementation of the ASA software.
“A vulnerability in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an authenticated, remote attacker to cause a reload of the affected system or to remotely execute code.” states the advisory published by CISCO.
At the end of August CISCO started releasing patches for its ASA software to address the Equation Group’s EXTRABACON exploit included in the NSA data dump leaked online.
The analysis of material leaked online revealed the existence of another exploit dubbed BENIGNCERTAIN that allows the extraction of VPN passwords from certain Cisco devices.
The expert Mustafa Al-Bassam who analyzed the data dump has called the attack “PixPocket” after the name of the Cisco products hacked by the tool, the Cisco PIX.
The CISCO PIX product family was phased out back in 2009, but it is still widely used by government entities and enterprises.
According to the expert, the tool works against CISCO PIX versions 5.2(9) up to 6.3(4). According to Cisco, the exploit does not affect PIX versions 7.0 and later; the IT giant confirmed on August 19 that it had not identified any new flaws linked to the BENIGNCERTAIN exploit.
Unfortunately, further analysis revealed that the flaw exploited by BENIGNCERTAIN, tracked as CVE-2016-6415, also affects products running IOS, IOS XE and IOS XR software.
CVE-2016-6415 resides in the IKEv1 packet processing code. A remote, unauthenticated attacker could exploit it to retrieve memory contents.
“The vulnerability is due to insufficient condition checks in the part of the code that handles IKEv1 security negotiation requests. An attacker could exploit this vulnerability by sending a crafted IKEv1 packet to an affected device configured to accept IKEv1 security negotiation requests,” reads the security advisory published by Cisco.
The flaw affects Cisco IOS XR versions 4.3.x, 5.0.x, 5.1.x and 5.2.x – versions 5.3.0 and later are not impacted. All IOS XE releases and various versions of IOS are affected.
CISCO confirmed that all the firewalls belonging to the PIX family and all the products running affected versions of IOS, IOS XE and IOS XR are vulnerable if they are configured to use IKEv1.
The bad news is that CISCO is aware of cyber attacks against some customers trying to exploit the vulnerability.
While waiting for security patches for CVE-2016-6415, CISCO has published indicators of compromise (IoCs) and urges its customers to protect vulnerable products with IPS and IDS solutions.
“This vulnerability can only be exploited by IKEv1 traffic being processed by a device configured for IKEv1. Transit IKEv1 traffic can not trigger this vulnerability. IKEv2 is not affected,” Cisco said. “Spoofing of packets that could exploit this vulnerability is limited because the attacker needs to either receive or have access to the initial response from the vulnerable device.”
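Both Cisco items on this page (the "Cisco finds new Zero-Day Exploit linked to NSA Hackers" piece above and this one) make the same three points: only a device that itself processes IKEv1 is exposed, IKEv2 is unaffected, and IDS/IPS coverage is the interim advice. The Python script below is an added example (not Cisco's code and not derived from the leaked archive) that turns those points into a sensor rule: it decodes the fixed 28-byte ISAKMP header that IKEv1 and IKEv2 share, handles the NAT-T framing on UDP/4500, and flags IKEv1 negotiations addressed to your own IKE endpoints from peers that are not on an allowlist. The endpoint and peer addresses and the packet records are constructed for the demo.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set

ISAKMP_HEADER_LEN = 28                  # fixed header shared by IKEv1 (RFC 2408) and IKEv2 (RFC 7296)
IKE_PORTS = (500, 4500)
NON_ESP_MARKER = b"\x00\x00\x00\x00"    # RFC 3948: prefix that separates IKE from ESP on UDP/4500
IKEV1_EXCHANGES = {2: "main mode", 4: "aggressive mode", 5: "informational", 32: "quick mode"}


@dataclass
class IsakmpHeader:
    initiator_spi: bytes
    responder_spi: bytes
    major: int
    minor: int
    exchange_type: int
    length: int


def parse_isakmp_header(payload: bytes, dport: int) -> Optional[IsakmpHeader]:
    """Decode the 28-byte ISAKMP header; None if the datagram is too short to be IKE."""
    if dport == 4500 and payload.startswith(NON_ESP_MARKER):
        payload = payload[len(NON_ESP_MARKER):]
    if len(payload) < ISAKMP_HEADER_LEN:
        return None
    ispi, rspi, _next, version, exch, _flags, _msg_id, length = struct.unpack_from(
        "!8s8sBBBBII", payload)
    return IsakmpHeader(ispi, rspi, version >> 4, version & 0x0F, exch, length)


@dataclass
class UdpRecord:
    src: str
    dst: str
    dport: int
    payload: bytes


def flag_unexpected_ikev1(records: Sequence[UdpRecord], ike_endpoints: Set[str],
                          allowed_peers: Set[str]) -> List[str]:
    """Alert on IKEv1 traffic aimed at our IKE endpoints from peers we do not expect.

    Transit traffic (other destinations) and IKEv2 (major version 2) are ignored,
    mirroring Cisco's note that only the device's own IKEv1 processing is exposed.
    """
    alerts = []
    for r in records:
        if r.dst not in ike_endpoints or r.dport not in IKE_PORTS:
            continue
        hdr = parse_isakmp_header(r.payload, r.dport)
        if hdr is None or hdr.major != 1 or r.src in allowed_peers:
            continue
        name = IKEV1_EXCHANGES.get(hdr.exchange_type, f"exchange {hdr.exchange_type}")
        # an all-zero responder SPI marks the first message of a new negotiation
        phase = "new negotiation" if hdr.responder_spi == bytes(8) else "existing SA"
        alerts.append(f"{r.src} -> {r.dst}:{r.dport} IKEv1 {name} ({phase})")
    return alerts


def build_isakmp(major: int, exchange_type: int, responder_spi: bytes = bytes(8)) -> bytes:
    """Constructed header-only datagram for the demo (no payloads follow the header)."""
    return struct.pack("!8s8sBBBBII", b"\x11" * 8, responder_spi, 0, major << 4,
                       exchange_type, 0, 0, ISAKMP_HEADER_LEN)


# Constructed capture: 203.0.113.1 is our VPN headend, 198.51.100.7 the one expected peer.
SAMPLE_RECORDS = [
    UdpRecord("192.0.2.50", "203.0.113.1", 500, build_isakmp(1, 2)),
    UdpRecord("198.51.100.7", "203.0.113.1", 500, build_isakmp(1, 2)),
    UdpRecord("192.0.2.60", "203.0.113.1", 500, build_isakmp(2, 34)),
    UdpRecord("192.0.2.51", "203.0.113.1", 4500,
              NON_ESP_MARKER + build_isakmp(1, 4, b"\x22" * 8)),
    UdpRecord("192.0.2.70", "203.0.113.9", 500, build_isakmp(1, 2)),
    UdpRecord("192.0.2.80", "203.0.113.1", 500, b"short"),
]

if __name__ == "__main__":
    for line in flag_unexpected_ikev1(SAMPLE_RECORDS, {"203.0.113.1"}, {"198.51.100.7"}):
        print(line)
```

Only the first and fourth sample records produce alerts: the allowlisted peer, the IKEv2 exchange, the packet to a non-IKE destination and the truncated datagram are all dropped by the rule. On a device that does not need IKEv1 at all, the durable fix is still to turn it off or filter UDP/500 and UDP/4500 at the edge, and this rule then reports whoever keeps trying.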
NIST issues the Baldrige Cybersecurity Excellence Builder cybersecurity self-assessment tool
19.9.2016 securityaffairs Security
The National Institute of Standards and Technology (NIST) has issued a draft of a self-assessment tool named Baldrige Cybersecurity Excellence Builder.
The tool is based on the Baldrige Performance Excellence Program and the risk management mechanisms of NIST cybersecurity framework.
The Baldrige Cybersecurity Excellence Builder was designed to help enterprises to measure the effectiveness of their implementation of the cybersecurity framework and improve the risk management.
“The builder will strengthen the already powerful cybersecurity framework so that organizations can better manage their cybersecurity risks,” said Commerce Deputy Secretary Bruce Andrews that presented the tool at an Internet Security Alliance conference.
The development of the draft of the Baldrige Cybersecurity Excellence Builder is the result of a collaboration between NIST and the Office of Management and Budget’s Office of Electronic Government and Information Technology, with input from private sector representatives.
The Baldrige Cybersecurity Excellence Builder tool was devised to help organizations ensure that their cybersecurity program (systems and processes) supports their activities and functions.
“These decisions around cybersecurity are going to impact your organization and what it does and how it does it,” says Robert Fangmeyer, director of the Baldrige Performance Excellence Program. “If your cybersecurity operations and approaches aren’t integrated into your larger strategy, aren’t integrated into your workforce development efforts, aren’t integrated into the results of the things you track for your organization and overall performance, then they’re not likely to be effective.”
The NIST explained that the use of the Baldrige Cybersecurity Excellence Builder tool allows organizations of any size and type to:
Identify cybersecurity-related activities that are critical to business strategy and the delivery of critical services;
Prioritize investments in managing cybersecurity risk;
Assess the effectiveness and efficiency in using cybersecurity standards, guidelines and practices;
Evaluate their cybersecurity results; and
Identify priorities for improvement.
The Builder guides users through a process that details their organization’s distinctive characteristics and strategic situations related to cybersecurity. Then, a series of questions helps define the organization’s current approaches to cybersecurity in the areas of leadership, strategy, customers, workforce and operations, as well as the results achieved with them.
The approach behind the Baldrige Cybersecurity Excellence Builder is simple: the tool uses a series of questions that help organizations assess their strategies tied to cybersecurity. The areas assessed by the survey are leadership, strategy, customers, workforce, and operations.
As the last step of the assessment, a rubric lets users evaluate the cybersecurity maturity level of their organization.
“The tool’s assessment rubric helps users determine whether their organization’s cybersecurity maturity level is reactive, early, mature or a role model, according to NIST. The completed evaluation can lead to an action plan for upgrading cybersecurity practices and management and implementing those improvements.” reads the announcement published by the NIST. “It also can measure the progress and effectiveness of the process. NIST recommends organizations use the builder periodically so they can maintain the highest level of cybersecurity readiness.”
Scammers pose as ČNB staff. They lure information and even money out of the gullible
19.9.2016 Novinky/Bezpečnost Phishing
In recent days cybercriminals have been trying a new trick to lure sensitive information, and in some cases even money, out of trusting users. They pose as representatives of the Czech National Bank (ČNB) and approach random users through unsolicited e-mails. ČNB representatives warned about these so-called phishing messages on Monday.
This is not the first time scammers have tried a trick of this kind. Fraudulent phishing messages sent out under the ČNB letterhead have appeared in the past.
“In this context we stress that this is not authentic communication from the Czech National Bank but phishing attacks aimed at extracting the personal data of the person concerned. On the basis of that data, funds can then be stolen from the bank accounts of those persons,” the ČNB statement says.
Given the possible risk, users should not respond to such e-mail messages at all. It should go without saying that people must not disclose authentication details, such as login passwords or PINs, to anyone.
“We also strongly recommend not opening any attachments of suspicious e-mail messages and not following the links to websites they contain,” the bank’s representatives stated.
They lurk on social networks too
A similar danger does not await the gullible only in their e-mail inbox. Computer pirates also try to lure login details, and thereby money, out of trusting users through social networks.
A fraudulent offer on Facebook
Last week, for example, Česká spořitelna warned about fake offers on Facebook. In them, scammers promise a financial bonus of 1,000 CZK for using a new version of internet banking. Users who go along with it, however, are setting themselves up for big trouble.
In reality, of course, there is no new version of internet banking at all. With this offer on the social network, cybercriminals are merely trying to lure login details out of the gullible. After that they are only a step away from emptying people’s accounts or taking out a loan through them.
Bug hunters can become millionaires. Finding a single critical hole is enough
19.9.2016 Novinky/Bezpečnost Zranitelnosti
Last week a competition called Project Zero got under way. In it, hackers from all over the world who specialize in the Android operating system can pit their skills against each other. For finding bugs in this platform they can earn the equivalent of several million crowns. The Tech Crunch website pointed this out.
The competition concerns exclusively the Nexus 6P and Nexus 5X smartphones, which run a clean version of the Android operating system. That is precisely what makes the competition harder for the participants: they cannot use holes in third-party programs to get into the devices easily.
According to the rules, hackers must discover a critical security flaw that can be exploited remotely. In practice this means they must be able to penetrate the device, for example via a text message or an e-mail, and then run arbitrary malicious code on it.
The attackers may know only the users’ phone numbers and e-mail addresses.
Natalie Silvanovich, competition organizer
“The goal of this competition is to find vulnerabilities and bugs that allow remote code execution on devices running Android. In this case the attackers may know only the users’ phone numbers and e-mail addresses,” said Natalie Silvanovich, who is in charge of the competition.
Whoever discovers such a method first will receive a reward of 200,000 dollars, i.e. the equivalent of more than 4.8 million crowns. The second successful solver can look forward to a notional fee of 100,000 dollars (2.4 million crowns). Third place earns 50,000 dollars, i.e. more than 1.2 million crowns.
The amounts mentioned really do apply to the discovery of one single bug. The fee for a successful bug hunter’s work is thus literally fabulous.
Big companies also lure with rewards
A number of other companies are also trying to lure hackers with similar rewards. Facebook and Microsoft, for example, have been pursuing the same strategy for several years. This year Apple also began rewarding bug hunters, and with it too hackers can easily earn several million crowns.
Apple’s rewards are tiered by severity and by which operating system is affected. Hackers can hunt for holes in the iOS mobile platform, for example, but equally in the Mac OS X operating system.
The American computer giant promises rewards of up to 200 thousand dollars for the most critical bugs, those that would expose a large number of users to attacks. Converted to crowns, security experts will thus be able to earn almost five million crowns for uncovering one single bug.
Zero day for MySQL
19.9.2016 Root.cz Zranitelnosti
Dawid Golunski discovered two critical bugs in MySQL (and its clones MariaDB and PerconaDB) that allow the configuration file to be modified and thereby enable remote code execution and privilege escalation. Affected are versions <= 5.7.14, 5.6.32 and 5.5.51, and Dawid informed the projects about the vulnerabilities as early as 29 July. CVE-2016-6662 allows remote modification of the MySQL configuration (my.cnf). All you need for that is an authorized account, or exploitation of an SQL injection bug in a web application that uses an affected version of MySQL. By exploiting this bug it is possible to run your own code with root privileges. Standard SELinux or AppArmor policies will not protect you from exploitation of the bug either.
Every MySQL installation includes the mysqld_safe script, which serves to initialize the database and enable basic security features. This script, however, carries the SUID (Set owner User ID up on execution) bit, so whoever runs it runs it with root privileges. That is nothing unusual, but it is good practice to keep the number of such programs to an absolute minimum. You can check this yourself on your own system and remove the SUID/SGID bit from root-owned files wherever possible:
find / -path /proc -prune -o \( -perm -u=s -o -perm -g=s \) ! -type d -print
The script further has a parameter that allows a library to be loaded before the MySQL daemon starts, and that is the critical part, because the library will then be executed with root privileges on the next restart of the database or the system. The aim is either to run mysqld_safe with the --malloc-lib parameter, or to modify one of the configuration files and add a malloc_lib parameter with the path to the attacker’s library. So if the attacker has sufficient privileges (FILE) in the MySQL environment and is able to place their own code on the system, this bug lets them take over the whole system. The first limitation, the privileges, should be addressed by the second bug (CVE-2016-6663), which concerns the privilege escalation mentioned above. Details are not known, but Dawid should publish them (including PoC code) within a few days.
One example of modifying the configuration file:
mysql> set global general_log_file = '/var/lib/mysql/my.cnf';
mysql> set global general_log = on;
mysql> select '
'> ; injected config entry
1 row in set (0.00 sec)
mysql> set global general_log = off;
A similar bug appeared back in 2003 and this attack vector should not have been possible since then, yet Dawid proved with his PoC code that the vulnerability still exists. Especially on shared web hosting, the probability of exploitation and takeover of entire servers is very high.
MariaDB and PerconaDB have already released a fix, but Oracle (MySQL) still has not (it is expected only on 18 October). As a temporary protection Dawid recommends changing the owner of the MySQL configuration files to root and creating empty my.cnf configuration files in all the paths where MySQL expects them at startup. Given the clones’ compatibility with MySQL, easy migration, use of the latest technologies, faster release of fixes, openness and much higher performance (e.g. XtraDB, Galera), the best recommendation may well be to move from MySQL to MariaDB or Percona.
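The workaround above can be checked mechanically. The following is an added example, not code from the Root.cz article or from Dawid Golunski's advisory: it walks the option files mysqld reads (the search order in OPTION_FILES is an assumption; take the real one from `mysqld --help --verbose` on your host), follows `!include` and `!includedir`, and flags missing files, non-root ownership, group/world writability and any malloc_lib setting, including one buried in general_log output like the session shown above.

```python
"""Option-file audit for the CVE-2016-6662 workaround: every path where mysqld
looks for my.cnf should exist, be owned by root, not be writable by others and
carry no malloc_lib option. Added example, not code from the article or the
advisory; OPTION_FILES is an assumed search order."""
import re
import stat
import tempfile
from pathlib import Path

# Assumed order in which mysqld reads option files on a typical Linux host.
OPTION_FILES = ["/etc/my.cnf", "/etc/mysql/my.cnf", "/usr/etc/my.cnf", "~/.my.cnf"]

# The option the advisory abuses, in either spelling, whatever the section.
MALLOC_LIB_RE = re.compile(r"^\s*malloc[-_]lib\s*(=|$)", re.IGNORECASE)
# "!include FILE" and "!includedir DIR" pull in further option files.
INCLUDE_RE = re.compile(r"^\s*!\s*(include|includedir)\s+(\S+)", re.IGNORECASE | re.MULTILINE)


def malloc_lib_lines(text: str) -> list[int]:
    """Return the 1-based line numbers that set malloc_lib / malloc-lib.

    A plain line scan is used instead of configparser: a file written through
    general_log, as in the session above, wraps the injected section in log
    output that a strict INI parser would reject, and the finding should be
    raised whether or not the rest of the file parses cleanly.
    """
    return [n for n, line in enumerate(text.splitlines(), 1) if MALLOC_LIB_RE.match(line)]


def audit_option_file(path: str, require_root: bool = True, seen=None) -> list[str]:
    """Return findings for one option file and everything it includes.

    An empty list means the file exists, is owned by root (unless require_root
    is False), is not writable by group or others and sets no malloc_lib.
    """
    seen = set() if seen is None else seen
    p = Path(path).expanduser()
    if p in seen:
        return []
    seen.add(p)
    if not p.exists():
        # The advisory's workaround: an empty root-owned file should occupy every
        # expected path so that the mysql user cannot create one there.
        return [f"{p}: missing, create an empty root-owned file"]
    findings = []
    st = p.stat()
    if require_root and st.st_uid != 0:
        findings.append(f"{p}: owned by uid {st.st_uid}, not root")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{p}: writable by group or others")
    if p.is_dir():
        return findings + [f"{p}: is a directory, expected a file"]
    text = p.read_text(errors="replace")
    for n in malloc_lib_lines(text):
        findings.append(f"{p}:{n}: sets malloc_lib, remove unless placed deliberately")
    for kind, target in INCLUDE_RE.findall(text):
        targets = [Path(target)] if kind.lower() == "include" else sorted(Path(target).glob("*.cnf"))
        for t in targets:
            findings += audit_option_file(str(t), require_root, seen)
    return findings


def audit_host(require_root: bool = True) -> list[str]:
    """Audit the assumed default search path of this host."""
    findings: list[str] = []
    for f in OPTION_FILES:
        findings += audit_option_file(f, require_root)
    return findings


# Constructed sample of a file produced by the general_log trick above, with the
# option an attacker would add; the library path is a placeholder.
INJECTED_CNF = """Time                 Id Command    Argument
2016-09-19T10:00:00.000000Z     3 Query     select '
; injected config entry

[mysqld]
malloc_lib = /PLACEHOLDER/attacker_lib.so
'
"""


def demo() -> dict[str, list[str]]:
    """Run the audit over constructed files in a temp dir. Those files are
    owned by the current user, so the root-ownership check is switched off."""
    with tempfile.TemporaryDirectory() as d:
        clean = Path(d, "my.cnf")
        clean.write_text("[mysqld]\ndatadir=/var/lib/mysql\n")
        Path(d, "conf.d").mkdir()
        injected = Path(d, "conf.d", "injected.cnf")
        injected.write_text(INJECTED_CNF)
        with_include = Path(d, "my-with-include.cnf")
        with_include.write_text(f"[mysqld]\n!includedir {d}/conf.d\n")
        for f in (clean, injected, with_include):
            f.chmod(0o644)
        return {
            "clean": audit_option_file(str(clean), require_root=False),
            "includes_injected": audit_option_file(str(with_include), require_root=False),
            "missing": audit_option_file(str(Path(d, "absent.cnf")), require_root=False),
        }


if __name__ == "__main__":
    for name, findings in demo().items():
        print(name, findings or "OK")
```

Run `audit_host()` as root on a real server; the ownership check is only meaningful there.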
Hacking industrial processes with an undetectable PLC Rootkit
19.9.2016 securityaffairs Virus
Two security researchers have developed an undetectable PLC rootkit that they will present at the upcoming Black Hat Europe 2016.
The energy industry is under unceasing attack: cyber criminals and state-sponsored hackers continue to target the systems of companies in the sector.
The Stuxnet case demonstrated to the IT community the danger of cyber attacks: threat actors can spread malicious code to interfere with processes inside a critical infrastructure.
A new attack to be revealed at the Black Hat Europe conference silently takes over industrial network processes.
The security researcher Ali Abbasi, a Ph.D. candidate in the distributed and embedded system security group at the University of Twente, Netherlands, and Majid Hashemi, an independent security researcher, have developed an undetectable PLC rootkit. The duo will present it at the upcoming Black Hat Europe, which will be held in London in November.
The duo will also present a version of the PLC attack that leverages shellcode. The title of the presentation is Ghost In The PLC: Designing An Undetectable Programmable Logic Controller Rootkit.
The researchers believe their PLC rootkit could be more dangerous than Stuxnet because it is stealthy and affects the PLC directly, unlike Stuxnet, which was designed to target SCADA systems running on Windows. It is much less likely to be discovered because it sits at a lower level of the system.
The PLC rootkit was developed to compromise the low-level components of a PLC; it could be considered a cross-platform PLC threat because it is able to infect PLCs from almost any vendor.
“It’s a race to the bottom” Abbasi told DarkReading. “Everybody has access to higher-level [SCADA operations]. Attackers in the future will go to lower level assaults” such as this to evade detection, he says.
Hacking a PLC directly could be simpler for malware authors because such devices do not implement many detection mechanisms; this means that a PLC running a real-time operating system could be more exposed to cyber attacks.
In August, a group of researchers presented at Black Hat USA a PLC worm that spreads among PLCs; its creators dubbed it PLC-Blaster.
Abbasi and Hashemi explained that their PLC rootkit does not target the PLC logic code like other similar threats, which makes its detection hard.
Furthermore, the researchers explained that the activity of the PLC rootkit will go unnoticed even by systems that monitor the power consumption of the PLC.
“The overhead imposed of our attack outside of kernel is below one percent, which means even those approaches which monitor the power usage of PLC for attack detection will be useless,” explained Abbasi.
The malware interferes with the connection between the PLC runtime and logic on one side and the I/O peripherals on the other. It resides in the dynamic memory of the industrial component and manipulates the I/O and the PLC process while the PLC communicates with the I/O block, which is composed of output pins that handle the physical control of the process.
The PLC receives signals from the field on its input pins (e.g. the level of liquid in a pipe) and controls the process through actuators that receive instructions from the PLC’s output pins (e.g. control of a valve).
Clearly, by manipulating the I/O signals it is possible to interfere with an industrial process in a stealthy way, and this is what the PLC rootkit does.
“Our attack instead targets the relation between PLC runtime and logic with the I/O peripherals of it. In our attack, the PLC logic and PLC runtime remain intact,” said Abbasi. “In PLCs, the I/O operations are one of the most important tasks.”
As the duo explained, the attack is feasible because the PLC’s SoC has no hardware interrupt for this, and it is made worse by the pin control subsystem’s inability to detect pin configuration changes at the hardware level.
Abbasi and Hashemi are currently studying defensive countermeasures to detect and protect PLCs from such kind of threats.
Mozilla will fix the cross-platform RCE flaw that threatened Tor anonymity
18.9.2016 securityaffairs Vulnerability
Mozilla plans to fix the cross-platform RCE flaw that threatened Tor anonymity. The flaw affects certificate pinning protections implemented by Mozilla.
Mozilla plans to release a Firefox update to address the cross-platform remote code-execution vulnerability recently patched in the Tor browser.
The Tor Project is urging its users to install the security update immediately, and Mozilla will follow with its own fix as soon as possible.
Mozilla will release the fix next Tuesday. The flaw could be exploited by attackers to launch a man-in-the-middle attack by impersonating Mozilla servers with a forged certificate.
According to the Tor Project, once an attacker is in a position to launch a MiTM and is able to forge a single TLS certificate for addons.mozilla.org, they could inject into the traffic a malicious update for NoScript or for many other Firefox extensions installed on a targeted computer.
“I spent a decent portion of my day looking into the claim by the Tor-Fork developer that you could get cross-platform RCE on Tor Browser if you’re able to both MitM a connection and forge a single TLS certificate for addons.mozilla.org. This is well within the capability of any decently resourced nation-state.” wrote the researcher Ryan Duff.
The fake certificate would have to be issued by one of the several certificate authorities (CAs) trusted by Firefox.
Such an attack is not easy for a common attacker to carry out, since it requires the ability to forge a certificate for addons.mozilla.org.
Anyway, there is a concrete risk that a nation-state actor or a persistent attacker could exploit the vulnerability to launch an attack and eavesdrop on protected traffic or de-anonymize Tor users.
Persistent attackers could target a CA with the specific intent of forging counterfeit digital certificates. In 2011, hackers allegedly linked to the Iranian Government hacked the Dutch CA DigiNotar and issued forged certificates for more than a hundred domains, including the Mozilla add-ons subdomain.
The security researcher Ryan Duff explained that production versions of Firefox are affected by the flaw; a nightly build released on September 4, however, is not vulnerable.
“Firefox uses its own static key pinning method for its own Mozilla certs instead of using HPKP. The enforcement of the static method appears to be much weaker than the HPKP method and is flawed to the point that it is bypassable in this attack scenario. The bug appears to be fixed as of the September 4th nightly build of Firefox but is obviously still unpatched in both the current production versions of Firefox and Tor Browser,” added Duff.
Duff analyzed the cross-platform RCE and reproduced the hack described by the researcher @movrcx, who defines himself as an “anti-torcorp insurgent.” @movrcx explained in his analysis titled “Tor Browser Exposed: Anti-Privacy Implantation at Mass Scale” that the “certificate pinning” mechanism implemented by Firefox was ineffective against the attack described in his post.
Duff highlighted that the problem is related to the implementation of static key pinning, which is not based on the HTTP Public Key Pinning (HPKP) protocol.
“We investigated this and a fix will be issued in the next Firefox release on Tuesday, September 20. We had fixed an issue with the broken automation on the Developer Edition on September 4, but a certificate pinning had expired for users of our Release and Extended Support Release versions.” reads a statement issued by Mozilla. “We will be turning on HPKP on the addons.mozilla.org server itself so that users will remain protected once they have visited the site even if the built-in pins expire. We will be changing our internal processes so built-in certificate pins do not expire prematurely in future releases.”
While waiting for the update, users should consider disabling the automatic acceptance of extension updates.
GCHQ plans to protect the country with a national firewall
18.9.2016 securityaffairs Security
The British intelligence agency GCHQ is planning to protect the country from cyber attacks by creating a national firewall.
The news was announced during the Billington CyberSecurity Summit held in Washington DC by Ciaran Martin, the GCHQ director general of cyber security.
The British GCHQ recently created the National Cyber Security Centre (NCSC), led by Martin, which has the task of protecting national infrastructure from attacks originating on the Internet.
“The NCSC will be based in London and will open in October. Ciaran Martin, currently Director General Cyber at GCHQ will lead it. Dr Ian Levy, currently Technical Director of Cyber Security at GCHQ, will join the organisation as Technical Director.” reads a press release issued by the UK Government.
“The UK faces a growing threat of cyber-attacks from states, serious crime gangs, hacking groups as well as terrorists. The NCSC will help ensure that the people, public and private sector organisations and the critical national infrastructure of the UK are safer online.”
In March 2016, the then Minister for the Cabinet Office, Matt Hancock, highlighted the importance of the Centre.
“It will be the authoritative voice on information security in the UK and one of its first tasks will be to work with the Bank of England to produce advice for the financial sector for managing cyber security effectively.” said Hancock.
Martin used the term “flagship project” while describing the GCHQ’s plans for the national firewall. The infrastructure will protect government websites and national security agencies from hackers.
The national firewall would be used by government agencies and internet service providers to repel cyber threats.
“What better way of providing automated defences at scale than by the major private providers effectively blocking their customers from coming into contact with known malware and bad addresses?” Martin said during his speech.
The National Cyber Security Centre will start its activities next month; it represents one of the pillars of the UK Government’s cyber strategy, as announced last year by the former Chancellor Mr Osborne.
Osborne also announced the Government’s plans to almost double the cybersecurity budget to £1.9 billion for the years 2016 to 2021.
The UK Government will also add 1,900 new professionals to the national intelligence agencies.
“In the Spending Review, I have made a provision to almost double our investment to protect Britain from cyber attack and develop our sovereign capabilities in cyberspace, totalling £1.9 billion over five years. If you add the spending on core cyber security capabilities government protecting our own networks and ensuring safe and secure online services, the government’s total cyber spending will be more than £3.2 billion.” said Osborne.
Cyber security is crucial for any government: the number of “national security level cyber incidents” in the last year has almost doubled, and the intelligence agency now detects about 200 serious incidents every month aimed at disrupting national infrastructure and services.
Cyber attacks are asymmetric and instantaneous, and difficult to repel without the aid of a new generation of tools.
The National Cyber Security Centre also plans to design a new generation of automated defence systems to neutralise the large number of low-sophistication attacks, such as phishing attacks that spoof government email addresses to target members of the public.
“We trialled it, and whoever was sending 58,000 malicious emails per day from email@example.com isn’t doing it anymore,” added Martin.
Hacking Facebook pages? Hackers demonstrated how to do it in 10 secs
18.9.2016 securityaffairs Hacking
Hacking Facebook – An Indian researcher discovered a critical vulnerability in the Facebook business manager that could be exploited to hack any Page.
The Indian security researcher Arun Sureshkumar reported a critical vulnerability in the Facebook business manager that could be exploited by attackers to hack any Facebook page.
The Business Manager is the component that allows businesses to share and control access to assets on Facebook, including Pages and Ad accounts.
Facebook Business Manager also allows administrators to share access to Pages and ad accounts without being friends with coworkers on Facebook.
Before analyzing the technique devised by the researcher, let me introduce the concept of an Insecure Direct Object Reference (IDOR).
According to the definition provided by the OWASP project, Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, an attacker can bypass authorization and access resources in the system directly.
“Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.” reads the OWASP.
Sureshkumar exploited an IDOR vulnerability in the Facebook Business Manager that allowed him to take over any Facebook page in less than 10 seconds.
Sureshkumar used his Facebook business account (ID 907970555981524) to add a partner. As the partner he used a test account with ID 991079870975788.
The hacker used Burp Suite to capture the request; the tool then allowed him to modify it.
Below is the request published by the hacker in a blog post:
POST /business_share/asset_to_agency/?dpr=2 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/52.0.2743.116 Safari/537.36
Accept-Encoding: gzip, deflate, br
Cookie: rc=2; datr=AWE3V–DUGNTOAy0wTGmpAXb; locale=en_GB; sb=BWE3V1vCnlxJF87yY9a8WWjP; pl=n; lu=gh2GPBnmZY1B1j_7J0Zi3nAA; c_user=100000771680694; xs=25%3A5C6rNSCaCX92MA%3A2%3A1472402327%3A4837; fr=05UM8RW0tTkDVgbSW.AWUB4pn0DvP1fQoqywWeORlj_LE.BXN2EF.IL.FfD.0.0.BXxBSo.AWXdKm2I; csm=2; s=Aa50vjfSfyFHHmC1.BXwxOY; _ga=GA1.2.1773948073.1464668667; p=-2; presence=EDvF3EtimeF1472469215EuserFA21B00771680694A2EstateFDutF1472469215051CEchFDp_5f1B00771680694F7CC; act=1472469233458%2F6
What about hacking Facebook? How?
He changed the ‘asset_id’ value to that of the target page, swapped the ‘parent_business_id’ value with the ‘agency_id’ value, and also changed the role value to ‘MANAGER’.
With this simple trick, Sureshkumar demonstrated that hacking Facebook Pages was possible: he obtained admin rights on the business page.
Sureshkumar also published a video PoC of the attack.
The security expert reported the flaw to Facebook on August 29, 2016. Facebook investigated the problem and also discovered another flaw in its platform.
The social network giant awarded Sureshkumar 16,000 USD as part of its bug bounty program.
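The defect behind this bug is an authorization check run against an identifier the client chose rather than against the object it names. The following is an added example, not Facebook's code: an in-memory model of a "share asset with agency" call with the request fields above, a vulnerable handler that trusts `parent_business_id`, and a fixed one that resolves the asset's owner on the server. The role names, the data model and the victim/user numbers in `demo()` are assumptions; the two business ids are the ones from the write-up.

```python
"""Server-side authorization for a 'share asset with agency' request.
Added example with an assumed in-memory data model; not Facebook's code.
share_vulnerable() trusts parent_business_id from the request (the IDOR
Sureshkumar exploited); share_fixed() derives ownership from asset_id."""
from dataclasses import dataclass, field

ROLES = {"ADMIN", "MANAGER", "ANALYST"}  # assumed role vocabulary


class Forbidden(Exception):
    """Raised when the caller may not share the asset."""


@dataclass
class Business:
    id: int
    admins: set[int]                                        # users who may share its assets
    granted: dict[int, str] = field(default_factory=dict)   # asset id -> role this business holds


@dataclass
class Store:
    businesses: dict[int, Business]
    asset_owner: dict[int, int]   # asset (Page) id -> owning business id, kept server-side


def share_vulnerable(store, caller, asset_id, parent_business_id, agency_id, role):
    """Authorizes against the business id the client sent, never against the
    business that actually owns asset_id. Any caller who administers some
    business can therefore name a foreign Page in asset_id and put a business
    they control in parent_business_id."""
    parent = store.businesses[parent_business_id]
    if caller not in parent.admins:
        raise Forbidden(f"user {caller} is not an admin of business {parent_business_id}")
    store.businesses[agency_id].granted[asset_id] = role
    return role


def share_fixed(store, caller, asset_id, parent_business_id, agency_id, role):
    """Resolve ownership on the server and require the caller to administer
    the owner; the client-supplied parent_business_id must agree with it."""
    owner = store.asset_owner.get(asset_id)
    if owner is None or owner != parent_business_id:
        raise Forbidden(f"asset {asset_id} is not owned by business {parent_business_id}")
    if caller not in store.businesses[owner].admins:
        raise Forbidden(f"user {caller} is not an admin of business {owner}")
    if agency_id not in store.businesses or agency_id == owner:
        raise Forbidden(f"invalid agency {agency_id}")
    if role not in ROLES:
        raise ValueError(f"unknown role {role!r}")
    store.businesses[agency_id].granted[asset_id] = role
    return role


def demo() -> dict[str, str]:
    """Replay the scenario with constructed data: the researcher's business and
    test account ids come from the write-up; the victim business, its Page and
    the user ids are made up."""
    researcher_biz, agency = 907970555981524, 991079870975788
    victim_biz, victim_page, researcher, victim_admin = 1000, 2000, 1, 42  # constructed

    def fresh() -> Store:
        return Store(
            businesses={
                researcher_biz: Business(researcher_biz, {researcher}),
                agency: Business(agency, {researcher}),
                victim_biz: Business(victim_biz, {victim_admin}),
            },
            asset_owner={victim_page: victim_biz},
        )

    def attempt(fn, caller, parent):
        s = fresh()
        try:
            fn(s, caller, victim_page, parent, agency, "MANAGER")
            return s.businesses[agency].granted.get(victim_page, "none")
        except Forbidden as e:
            return f"forbidden: {e}"

    return {
        # the attack: a foreign Page in asset_id, a business the attacker controls as parent
        "vulnerable": attempt(share_vulnerable, researcher, researcher_biz),
        "fixed": attempt(share_fixed, researcher, researcher_biz),
        # a legitimate share by the Page owner's admin still works after the fix
        "legitimate": attempt(share_fixed, victim_admin, victim_biz),
    }


if __name__ == "__main__":
    print(demo())
```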
Instead of spending $1.3 million, FBI could have Hacked iPhone in just $100
17.9.2016 thehackernews Apple
Do you remember the infamous encryption fight between the FBI and Apple over unlocking an iPhone 5C belonging to a terrorist?
Yes, you got it right: the same Apple vs. FBI case in which the FBI paid almost $1.3 million to a group of hackers to unlock that iPhone.
However, if the agency had shown some patience and explored more ways to get into that iPhone, it might have cost them as little as US$100.
Yes, you heard that right. Now anyone can unlock an iPhone for less than $100, something for which the FBI paid more than $1 million.
Cheap Method to Unlock iPhone 5C
Cambridge University security researcher Sergei Skorobogatov has published a new research paper detailing a technique that would have helped the FBI bypass the iOS passcode limit on the shooter's iPhone 5C.
Dubbed NAND mirroring, the technique was proposed to the FBI earlier this year, but the agency claimed that the method would not work. "It does not work," FBI Director James Comey said back in March, and the agency instead paid a hefty amount to a contractor.
In his research paper published on Thursday, Skorobogatov says that the FBI was not only wrong in its assessment of NAND mirroring, but also spent $1 million of taxpayers' funds on a case that could have been solved for a few hundred dollars.
Here's How the Researcher Unlocked iPhone 5C:
NAND Mirroring technique "does not require any expensive and sophisticated equipment. All needed parts are low cost and were obtained from local electronics distributors," writes Skorobogatov.
During his test, Skorobogatov used store-bought equipment, stripped down an iPhone 5C running iOS 9.3, carefully removed the NAND memory chip from the phone’s circuit board, and copied its data to a special test board many times over.
The researcher then used automated software to brute-force the passcode until he found the correct one; he says it takes around 20 hours to brute-force a four-digit passcode, and a few weeks for a six-digit one.
"This is the first public demonstration of…the real hardware mirroring process for iPhone 5C," Skorobogatov writes. "Any attacker with sufficient technical skills could repeat the experiments."
So far, the FBI and Apple have not commented on Skorobogatov's research.
The Method Works on iPhone 5S and iPhone 6 Devices
Besides the iPhone 5C, his attack also works on iPhone 5S and iPhone 6 devices that use the same type of NAND flash memory. The attack can also be adapted to other iPhones using different NAND chips.
For more technical details about this technique for bypassing the iPhone's passcode security limit, you can head to his research paper.
You can also watch the video demonstration in which Skorobogatov explains the NAND mirroring technique.
Fooling the ‘Smart City’
17.9.2016 Kaspersky Security
The concept of a smart city involves bringing together various modern technologies and solutions that can ensure comfortable and convenient provision of services to people, public safety, efficient consumption of resources, etc. However, something that often goes under the radar of enthusiasts championing the smart city concept is the security of smart city components themselves. The truth is that a smart city’s infrastructure develops faster than security tools do, leaving ample room for the activities of both curious researchers and cybercriminals.
Smart Terminals Have Their Weak Points Too
Parking payment terminals, bicycle rental spots and mobile device recharge stations are abundant in the parks and streets of modern cities. At airports and passenger stations, there are self-service ticket machines and information kiosks. In movie theaters, there are ticket sale terminals. In clinics and public offices, there are queue management terminals. Even some paid public toilets now have payment terminals built into them, though not very often.
Ticket terminals in a movie theater
However, the more sophisticated the device, the higher the probability that it has vulnerabilities and/or configuration flaws. The probability that smart city component devices will one day be targeted by cybercriminals is far from zero. Cybercriminals can potentially exploit these devices for their own purposes, and the scenarios of such exploitation follow from the characteristics of these devices:
Many such devices are installed in public places
They are available 24/7
They have the same configuration across devices of the same type
They have a high user trust level
They process user data, including personal and financial information
They are connected to each other, and may have access to other local area networks
They typically have an Internet connection
Increasingly often, we see news on another electronic road sign getting hacked and displaying a “Zombies ahead” or similar message, or news about vulnerabilities detected in traffic light management or traffic control systems. However, this is just the tip of the iceberg; smart city infrastructure is not limited to traffic lights and road signs.
We decided to analyze some smart city components:
Touch-screen payment kiosks (tickets, parking etc.)
Infotainment terminals in taxis
Information terminals at airports and railway terminals
Road infrastructure components: speed cameras, traffic routers
Smart City Terminals
From a technical standpoint, nearly all payment and service terminals – irrespective of their purpose – are ordinary PCs equipped with touch screens. The main difference is that they have a ‘kiosk’ mode – an interactive graphical shell that blocks the user from accessing the regular operating system functions, leaving only a limited set of features that are needed to perform the terminal’s functions. But this is theory. In practice, as our field research has shown, most terminals do not have reliable protection preventing the user from exiting the kiosk mode and gaining access to the operating system’s functions.
Exiting the kiosk mode
Techniques for Exiting the Kiosk Mode
There are several types of vulnerabilities that affect a large proportion of terminals. As a consequence, there are existing attack methods that target them.
The sequence of operations that can enable an attacker to exit the full-screen application is illustrated in the picture below.
Methodology for analyzing the security of public terminals
The tap fuzzing technique involves trying to exit the full-screen application by taking advantage of incorrect handling when interacting with the full-screen application. A hacker taps screen corners with his fingers and tries to call the context menu by long-pressing various elements of the screen. If he is able to find such weak points, he tries to call one of the standard OS menus (printing, help, object properties, etc.) and gain access to the on-screen keyboard. If successful, the hacker gets access to the command line, which enables him to do whatever he wants in the system – explore the terminal’s hard drive in search of valuable data, access the Internet or install unwanted applications, such as malware.
Data fuzzing is a technique that, if exploited successfully, also gives an attacker access to the “hidden” standard OS elements, but by using a different technique. To exit the full-screen application, the hacker tries filling in available data entry fields with various data in order to make the ‘kiosk’ work incorrectly. This can work, for example, if the full-screen application’s developer did not configure the filter checking the data entered by the user properly (string length, use of special symbols, etc.). As a result, the attacker can enter incorrect data, triggering an unhandled exception: as a result of the error, the OS will display a window notifying the user of the problem.
Once an element of the operating system’s standard interface has been brought up, the attacker can access the control panel, e.g., via the help section. The control panel will be the starting point for launching the virtual keyboard.
Yet another technique for exiting the ‘kiosk’ is to search for external links that might enable the attacker to access a search engine site and then other sites. Due to developer oversight, many full-screen applications used in terminals contain links to external resources or social networks, such as VKontakte, Facebook, Google+, etc. We have found external links in the interface of cinema ticket vending machines and bike rental terminals, described below.
One more scenario of exiting the full-screen application is using standard elements of the operating system’s user interface. When using an available dialog window in a Windows-based terminal, an attacker is sometimes able to call the dialog window’s control elements, which enables him to exit the virtual ‘kiosk’.
Exiting the full-screen application of a cinema ticket vending terminal
Bike Rental Terminals
Cities in some countries, including Norway, Russia and the United States, are dotted with bicycle rental terminals. Such terminals have touch-screen displays that people can use to register if they want to rent a bike or get help information.
Status bar containing a URL
The application includes other links, as well: for example, when viewing some locations on the map, you can tap on the “More Info” button and open a web page in the browser.
The Internet Explorer opens not only a web page, but also a new opportunity for the attacker
It turned out that calling up the virtual keyboard is not difficult either. By tapping on links on help pages, an attacker can access the Accessibility section, which is where the virtual keyboard can be found. This configuration flaw enables attackers to execute applications not needed for the device’s operation.
Running cmd.exe demonstrates yet another critical configuration flaw: the operating system’s current session is running with administrator privileges, which means that an attacker can easily execute any application.
The current Windows session is running with administrator privileges
In addition, an attacker can get the NTLM hash of the administrator password. It is highly probable that the password used on this device will work for other devices of the same type, as well.
Note that, in this case, an attacker can not only obtain the NTLM hash – which has to be brute-force cracked to get the password – but the administrator password itself, because passwords can be extracted from memory in plain text.
An attacker can also make a dump of the application that collects information on people who wish to rent a bicycle, including their full names, email addresses and phone numbers. It is quite possible that the database hosting this information is stored somewhere nearby. Such a database would have an especially high market value, since it contains verified email addresses and phone numbers. If it cannot be obtained, an attacker can install a keylogger that intercepts all data entered by users and sends it to a remote server.
Given that these devices work 24/7, they can be pooled together to mine cryptocurrency or used as a base for further attacks, since an infected workstation will be online around the clock.
Particularly audacious cybercriminals can implement an attack scenario that will enable them to get customer payment data by adding a payment card detail entry form to the main window of the bike rental application. It is highly probable that users deceived by the cybercriminals will enter this information alongside their names, phone numbers and email addresses.
Terminals at Government Offices
Terminals at some government offices can also be easily compromised by attackers. For example, we have found a terminal that prints payment slips based on the data entered by users. After all fields have been filled with the relevant data, the user taps the “Create” button, after which the terminal opens a standard print window with all the print parameters and control tools for several seconds. Next, the “Print” button is automatically activated.
A detail of the printing process on one of the terminals
An attacker has several seconds to tap the Change [printer] button and exit into the help section. From there, they can open the control panel and launch the on-screen keyboard. As a result, the attacker gets all the devices needed to enter information (the keyboard and the mouse pointer) and can use the computer for their own mercenary purposes, e.g., launch malware, get information on printed files, obtain the device’s administrator password, etc.
Public Devices at Airports
Self-service check-in kiosks, which can be found at every modern airport, have more or less the same security problems as the terminals described above. It is highly probable that they can be successfully attacked. An important difference between these kiosks and other similar devices is that some terminals at airports handle much more valuable information than terminals elsewhere.
Exiting the kiosk mode by opening an additional browser window
Many airports have a network of computers that provide paid Internet access. These computers handle the personal data that users have to enter to gain access, including people’s full names and payment card numbers. These terminals also have a semblance of a kiosk mode, but, due to design faults, exiting this mode is possible. On the computers we have analyzed, the kiosk software uses the Flash Player to show advertising and at a certain point an attacker can bring up a context menu and use it to access other OS functions.
It is worth noting that web address filtering policies are used on these computers. However, access to policy management on these computers was not restricted, enabling an attacker to add websites to the list or remove them from it, offering a range of possibilities for compromising these devices. For example, the ability to access phishing pages or sites used to distribute malware potentially puts such computers at risk. And blacklisting legitimate sites helps to increase the chances of a user following a phishing link.
List of addresses blocked by policies
We also discovered that configuration information used to connect to the database containing user data is stored openly in a text file. This means that, after finding a way to exit kiosk mode on one of these machines, anyone can get access to administrator credentials and subsequently to the customer database – with all the logins, passwords, payment details, etc.
A configuration file in which administrator logins and password hashes are stored
Infotainment Terminals in Taxicabs
In recent years, Android devices embedded in the back of the front passenger seat have been installed in many taxicabs. Passengers in the back seat can use these devices to watch advertising, weather information, news and jokes that are not really funny. These terminals have cameras installed in them for security reasons.
The application that delivers the content also works in kiosk mode and exiting this mode is also possible.
Exiting the kiosk mode on a device installed in a taxi makes it possible to download external applications
In those terminals that we were able to analyze, there was hidden text on the main screen. It can be selected using standard Android tools using a context menu. This leads to the search option being activated on the main screen. As a result, the shell stops responding, terminates and the device is automatically restarted. While the device is starting, all the hacker needs to do is exit to the main menu at the right time and open the RootExplorer – an Android OS file manager.
Android interface and folder structure
This gives an attacker access to the terminal’s OS and all of its capabilities, including the camera. If the hacker has prepared a malicious application for Android in advance and hosted it on a server, that application can be used to remotely access the camera. In this case, the attacker can remotely control the camera, making videos or taking photos of what is going on in the taxi and uploading them to his server.
Exiting the terminal’s full-screen application in a taxi gives access to the operating system’s functions
A successful attack can disrupt a terminal’s operation and cause direct financial damage to its owners. Additionally, a hacker can use a compromised terminal to hack into others, since terminals often form a network. After this, there are extensive possibilities for exploiting the network – from stealing personal data entered by users and spying on them (if the terminal has a camera or document scanner built into it) to stealing money (if the terminal accepts cash or bank cards).
To prevent malicious activity on public devices that have a touch interface, the developers and administrators of terminals located in public places should keep the following recommendations in mind:
The kiosk’s interactive shell should have no extra functions that enable the operating system’s menu to be called (such as right mouse click, links to external sites, etc.)
The application itself should be launched using sandboxing technology, such as jailroot, sandbox, etc. This will help to keep the application’s functionality limited to the artificial environment
Using a thin client is another method of protection. If a hacker manages to ‘kill’ an application, most of the valuable information will be stored on the server rather than the compromised device if the device is a thin client
The current operating system session should be launched with the restricted privileges of a regular user – this will make installing new applications much more difficult
A unique account with a unique password should be created on each device to prevent attackers who have compromised one of the terminals from using the password they have cracked to access other similar devices
Elements of the Road Infrastructure
The road infrastructure of modern cities is being gradually equipped with a variety of intelligent sensors, regulators, traffic analyzers, etc. All these sensors collect and send traffic density information to data centers. We looked at speedcams, which can be found everywhere these days.
We found speedcam IP addresses by pure chance, using the Shodan search engine. After studying several of these cameras, we developed a dork (a specific search request that identifies the devices or sites with pinpoint accuracy based on a specific attribute) to find as many IP addresses of these cameras as possible. We noticed a certain regularity in the IP addresses of these devices: in each city, all the cameras were on the same subnet. This enabled us to find devices that were not shown in Shodan search results but were on the same subnets as other cameras. This means there is a specific architecture on which these devices are based and there must be many such networks. Next, we scanned these and adjacent subnets for certain open ports and found a large number of such devices.
After determining which ports are open on speed cameras, we checked the hypothesis that one of them is responsible for RTSP – the real-time streaming protocol. The protocol’s architecture enables streaming to be either private (accessible with a login and password) or public. We decided to check whether passwords were being used. Imagine our surprise when we realized there was no password and the entire video stream was available to all Internet users. The openly broadcast data includes not only the video stream itself, but additional data, such as the geographical coordinates of the cameras, as well.
Direct broadcast screenshot from a speed camera
We found many more open ports on these devices, which can also be used to get many interesting technical details, such as a list of internal subnets used by the camera system or the list of camera hardware.
We learned from the technical documentation that the cameras can be reprogrammed over a wireless channel. We also learned from documentation that cameras can detect rule violations on specified lanes, making it possible to disable detection on one of the lanes in the right place at the right time. All of this can be done remotely.
Let’s put ourselves in criminals’ shoes and assume they need to remain undetected in the car traffic after performing certain illegal actions. They can take advantage of speed camera systems to achieve this. They can disable vehicle detection on some or all lanes along their route or monitor the actions of law-enforcement agents chasing them.
In addition, a criminal can get access to a database of vehicles registered as stolen and can add vehicles to it or remove them from it.
We have notified the organizations responsible for operating speed cameras in those countries where we identified the above security issues.
We also analyzed another element of the road infrastructure – the routers that transfer information between the various smart city elements that are part of the road infrastructure or to data centers.
As we were able to find out, a significant proportion of these routers use either weak password protection or none at all. Another widespread weakness is that the network name of most routers corresponds to their geographic location, i.e., the street name and building number. After getting access to the administration interface of one of these routers, an attacker can scan internal IP ranges to determine other routers’ addresses, thereby collecting information on their locations. After this, traffic density information can be collected by reading the road load sensors.
Such routers support recording traffic and uploading it to an FTP server that can be created by an attacker. These routers can also be used to create SSH tunnels. They provide access to their firmware (by creating its backup copy), support Telnet connections and have many other capabilities.
These devices are indispensable for the infrastructure of a smart city. However, after gaining access to them, criminals can use them for their own purposes. For example, if a bank uses a secret route to move large amounts of cash, the route can be determined by monitoring information from all sensors (using previously gained access to routers). Next, the movements of the vehicles can be monitored using the cameras.
To protect speed cameras, a full-scale security audit and penetration test must first be carried out. From this, well-thought-out IT security recommendations should be prepared for those who install and maintain such speed monitoring systems. The technical documentation that we were able to obtain does not include any information on security mechanisms that can protect cameras against external attacks. Another thing that needs to be checked is whether such cameras are assigned an external IP address. This should be avoided where possible. For security reasons, none of these cameras should be visible from the Internet.
The main issue with routers used in the road infrastructure is that there is no requirement to set up a password during initial loading and configuration of the device. Many administrators of such routers are too forgetful or lazy to do such simple things. As a result, gaining access to the network’s internal traffic is sufficiently easy.
The number of new devices used in the infrastructure of a modern city is gradually growing. These new devices in turn connect to other devices and systems. For this environment to be safe for people who live in it, smart cities should be treated as information systems whose protection requires a custom approach and expertise.
This article was prepared as part of the support provided by Kaspersky Lab to “Securing Smart Cities”, an international non-profit initiative created to unite experts in smart city IT security technologies. For further information about the initiative, please visit securingsmartcities.org
Cisco releases multiple Security Updates, it fixed a nasty RCE in WebEx Meetings servers
16.9.2016 securityaffairs Vulnerability
Cisco has released several Security Updates to fix many vulnerabilities in its products, including a nasty RCE in WebEx Meetings servers.
Cisco has issued a patch to address the remote code execution flaw (CVE-2016-1482) that affects the company’s WebEx Meetings servers.
The remote code execution flaw (CVE-2016-1482) could be exploited by remote, unauthenticated attackers to execute arbitrary commands on WebEx Meetings servers.
It is crucial for system administrators to apply the patch before hackers exploit the vulnerability in attacks against their systems; Cisco highlighted that there is no workaround to mitigate the issue.
“A vulnerability in Cisco WebEx Meetings Server could allow an unauthenticated, remote attacker to bypass security restrictions on a host located in a DMZ and inject arbitrary commands on a targeted system,” Cisco reported in a security advisory.
As explained by the company, the vulnerability in WebEx servers is the result of insufficient sanitization of user data. Attackers can exploit it to inject arbitrary commands into application scripts and compromise WebEx Meetings servers.
“The vulnerability is due to insufficient sanitization of user-supplied data processed by the affected software. An attacker could exploit this vulnerability by injecting arbitrary commands into existing application scripts running on a targeted device located in a DMZ [and] could allow an attacker to execute arbitrary commands on the device with elevated privileges.”
According to the advisory published by the company, Cisco WebEx Meetings Server version 2.6 is vulnerable to attacks that trigger the flaw.
Cisco also addressed other security issues in its products, including denial-of-service flaws that affect Cisco’s Web Security Appliance, WebEx Meetings Server, IOS XE software, and Carrier Routing System.
Another vulnerability affecting the WebEx server, tracked as CVE-2016-1483 and rated “high,” is the result of improper validation of user accounts by specific services.
“An unauthenticated, remote attacker could exploit this vulnerability by repeatedly attempting to access a specific service, causing the system to perform computationally intensive tasks and resulting in a denial of service attack condition.”
US-CERT has published an alert, “Cisco Releases Security Updates”, inviting users to apply the necessary updates.
Below is the complete list published by US-CERT:
Cisco Web Security Appliance HTTP Load Denial of Service Vulnerability cisco-sa-20160914-wsa
Cisco WebEx Meetings Server Denial of Service Vulnerability cisco-sa-20160914-wms
Cisco WebEx Meetings Server Remote Command Execution Vulnerability cisco-sa-20160914-wem
Cisco Unified Computing System Command Line Interface Privilege Escalation Vulnerability cisco-sa-20160914-ucs
Cisco Fog Director for IOx Arbitrary File Write Vulnerability cisco-sa-20160914-ioxfd
Cisco IOS XR for NCS6000 Series Devices OSPF Packet Processing Denial of Service Vulnerability cisco-sa-20160914-iosxr
Cisco IOS and IOS XE Software Data in Motion Denial of Service Vulnerability cisco-sa-20160914-ios-xe
Cisco IOS and IOS XE Software IOx Local Manager Cross-Site Scripting Vulnerability cisco-sa-20160914-ios
Cisco Carrier Routing System IPv6 Denial of Service Vulnerability cisco-sa-20160914-crs
Hurry up, update your system now!
Akamai Q2 2016 report, the number of DDoS attacks has doubled in one year
16.9.2016 securityaffairs Attack
According to the Akamai Q2 2016 report, the number of distributed denial of service attacks has doubled over the last 12 months.
DDoS attacks continue to be a favoured attack vector for crooks: according to the latest report published by Akamai (the Akamai Q2 2016 report), the number of distributed denial of service attacks has doubled over the last 12 months.
In Q2 Akamai experts observed a 129 per cent year-on-year increase in total DDoS attacks; the company mitigated a total of 4,919 attacks in the quarter.
One of these DDoS attacks hit a media company and reached 363 Gbps, and 10 attacks exceeded 100 Gbps.
A close look at the type of attacks reveals that NTP reflection attacks almost quadrupled, increasing 276 percent over the same time frame.
Companies in the gaming and software industries are favoured targets of hackers who use DDoS as an attack vector.
Another worrisome trend relates to web application attacks, which increased by 14 percent in Q2 2016 over Q1. SQL injection (44 per cent) and Local File Inclusion (45
The Akamai experts observed that retail industry was mostly targeted (40 per cent) with web application attacks in Q2 2016.
The top 10 source countries for DDoS attacks in Q2 2016 are led by China, with a considerable increase in frequency compared with Q1 2016, followed by the US.
“This quarter we saw Turkey end its streak as a top 10 source country for DDoS attacks, a trend that began in Q4 2015. After the US, in second place at 17%, the rest of the top 10 list was populated by countries seldom seen as DDoS sources. Taiwan (5%), Canada (4%), and Vietnam (4%) rounded out the top five. Canada appeared for the first time this quarter.” reads the report.
Below are the key findings of the Akamai Q2 2016 report, enjoy it!
DDoS attacks, Q2 2016 vs. Q2 2015
129% increase in total DDoS attacks
151% increase in infrastructure layer (layers 3 & 4) attacks
276% increase in NTP reflection attacks (a record high)
70% increase in UDP flood attacks
DDoS attacks, Q2 2016 vs. Q1 2016
9% increase in total DDoS attacks
10% increase in infrastructure layer (layers 3 & 4) attacks
47% increase in UDP flood attacks
37% decrease in attacks > 100 Gbps: 12 vs.
Web application attacks, Q2 2016 vs. Q1 2016
14% increase in total web application attacks
197% increase in attacks sourcing from Brazil (new top source country)
13% decrease in attacks sourcing from United States (previous top source country)
7% increase in SQLi attacks
Mamba: The new Full Disk Encryption Ransomware Family Member
16.9.2016 securityaffairs Virus
A Brazilian Infosec research group, Morphus Labs, just discovered a new Full Disk Encryption (FDE) Ransomware this week, dubbed Mamba.
Mamba, as they named it, uses a disk-level encryption strategy instead of the conventional file-based one. This may be just the beginning of a new era for ransomware.
In this article, Renato Marinho (@renato_marinho), the researcher responsible for the finding, explains more about this new threat.
“You are Hacked ! H.D.D Encrypted, Contact Us For Decryption Key (firstname.lastname@example.org) YOURID: 123152”. This message is all that remains for the victims of this new ransomware. To get the decryption key, it’s necessary to contact somebody through the e-mail address given, provide the ID and pay 1 BTC per infected host. Without that, the system doesn’t even start. For the purposes of this article, we will call this ransomware “Mamba”, a snake with a paralyzing poison.
It seems that the disk-level ransomware family is growing. A similar ransomware, called Petya, became famous in March this year because of its disk encryption strategy, although some analyses say that the malware encrypts the master file table (MFT) and not the data itself. Mamba differs from Petya exactly at this point: it uses an open source full disk encryption tool called DiskCryptor to strongly encrypt the data.
We found Mamba last September 7, during an incident response procedure for a multinational company that had some servers compromised by this malware in its Brazil, USA and India subsidiaries.
The goal of this article is to share some Mamba analysis results and to get some collaboration to better understand this threat and its intrusion vectors.
The ransom message
As stated in the introduction of this article, the ransomware prevents the operating system from booting. It overwrites the boot disk’s master boot record (MBR) with a custom one that shows the ransom message and asks for the password, as you can see in Figure 1.
Figure 1: The ransom message at the beginning of the boot process
It’s not clear, but this new MBR also prompts the user for the decryption password.
Looking for the malware sample
As all the data on the compromised servers’ HDDs was encrypted, including the ransomware itself, we started to look for more information about it somewhere else.
The first strategy was looking for some parts of the ransom message on the Web. To our surprise, searching for the text “contact us for decryption key” YOURID, we received just one result from Google. It pointed to an analysis made using the Malwr sandbox on Aug/29. This result gave us some important information, like the file name (141.exe) and the hashes.
Figure 2: Google results for parts of the ransom message
Searching for the “141.exe” file hash on VirusTotal, we found some AV engines linking the sample to ransomware, like TrendMicro, which calls it “Ransom_HDDCRYPTOR.A”.
Figure 3: TrendMicro’s analysis for the “141.exe” sample
At the same time, we started to seek the malware on other hosts of the company’s network. After some effort, using an anti-malware solution, we found a malicious file on several different hosts. The file name was “152.exe”.
Conducting some dynamic analysis of “152.exe” with the TIV and Hybrid-Analysis sandboxes, we started to find some similarities between the Mamba memory dump strings and the ransom message. To tell the truth, we found exactly the message “You are Hacked ! H.D.D Encrypted, Contact Us For Decryption Key (email@example.com) YOURID: 123152” – even the “YOURID” was the same!
By the way, we found it very curious that the “YOURID” information in the sandbox analysis was the same as on the company’s compromised hosts. In other words, it seems like this is a static code.
Mamba’s initial analysis
To better understand how Mamba works, we started to perform some tests with it in our lab. In a first test, we simply ran the sample in a Windows 8.1 VM, but, unfortunately, nothing happened except for a log file in the directory “C:\DC22” saying that no password had been supplied.
On a second try, we gave a password as a parameter and the result was different. Some other files were created in the “C:\DC22”, as can be seen in the image below.
Figure 4: files created as the result of 152.exe execution with a password argument
After a few seconds, Windows restarted and, when it came back, the operating system was apparently normal and these were the messages found in the “log_file.txt”:
installing driver successfully..
getting share drive information…
Trying to create service…
creating service successfully. rebooting windows…
From these messages we got some more information:
– A new service was created – it doesn’t mention the name;
– They are apparently using the tool DiskCryptor;
– Maybe they intend to get some credentials from the machine using “netpass.exe”;
– The “netuse.txt” lists the shared folders mapped by the user;
So, we used Regshot to discover some more information about the changes caused by the malware in the OS, including the new service created by the malware. As a result, we discovered that one of the new services was called “DefragmentService”. We also discovered that the malware created a new user on the machine called “mythbusters” with the password “123456”.
This is the new service’s information:
Figure 5: Fake DefragmentService created by Mamba
So, according to this service, after the machine reboot, “152.exe” was expected to be called with the same parameters we gave in the first run. We kept watching the machine’s processes, but no 152.exe was running.
Then, we tried to reboot the machine again to check whether the ransom message would appear, but the system booted up normally again.
Performing some analysis on “dcrypt.exe” and “dccon.exe”, the DiskCryptor GUI and command line tools respectively, we found that the password parameter is preceded by a “-p”. So, we tried running “152.exe” with this parameter before diving into the reverse engineering job.
To our surprise, this time the encryption process worked and the ransom message was shown during boot. The only thing to note here is that the password was the “-p” itself and not the password given by the following parameter, as we expected. So, the thing is, Mamba was expecting a second argument to run properly.
The process that encrypted the disk was the “dccon.exe”, called by the “152.exe”. During the process, it was possible to follow the encryption with the command “dccon -info pt0” and the result was like follows:
Figure 6: Full disk encrypted by the Mamba Ransomware.
After the reboot, which this time did not happen automatically, the ransom message was shown, identical to the one on the company’s compromised machines.
Figure 7: Lab machine compromised
At this stage the log file looked like this:
installing driver successfully..
getting share drive information…
Trying to create service…
creating service successfully. rebooting windows…
Checking resources existence. They are OK…
driver installed before…
ServiceMain: Performing Service Start Operations
ServiceMain: Waiting for Worker Thread to complete
Starting Mount app…
Checking resources existence. They are OK…
driver installed before…
mount:mounting share drive…
mount:OS is win2003 or lower…
mount:share drive not found …
start hard drive encryption…
Checking resources existence. They are OK…
driver installed before…
Trying to create service…
As we can see, at some point the password used to encrypt the disk is written in clear text to the log file. Note also that the mount routine reports our Windows 8.1 VM as “win2003 or lower” and that it found no network share to mount.
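The two log excerpts above are enough to tell how far an infection has progressed on a host, which matters when, as in this case, several machines carry “152.exe” but only some are encrypted. The following Python script is an added example, not code from the original analysis or from Morphus Labs: it maps each known Mamba log message to an infection stage, reports the furthest stage reached, and lists any line that is not a known message. The sample logs are copied from the excerpts above; the idea of treating unrecognised lines as the place to look for the clear-text password is my assumption, since the excerpt shows that the password is logged but not on which line.

```python
"""Triage a Mamba log_file.txt.

Every line is matched against the message texts seen in the log excerpts
and mapped to an infection stage, so a responder can tell from the log alone
whether a host only staged the malware, is waiting for its reboot, or has
started full-disk encryption. Lines that are not known messages are returned
separately: Mamba writes the encryption password to this log, so an
unrecognised line deserves a look (assumption: the password line has no
fixed prefix, so it can only be spotted as "not a known message").
"""
import re

# Known messages (lower-cased, trailing dots/ellipses stripped) -> (label, rank).
# The highest rank seen in the log decides the verdict.
KNOWN_MESSAGES = {
    "installing driver successfully": ("driver_install", 1),
    "getting share drive information": ("share_enum", 1),
    "trying to create service": ("service_create", 1),
    "creating service successfully. rebooting windows": ("reboot_scheduled", 2),
    "checking resources existence. they are ok": ("resource_check", 1),
    "driver installed before": ("driver_present", 1),
    "servicemain: performing service start operations": ("service_start", 3),
    "servicemain: waiting for worker thread to complete": ("service_start", 3),
    "starting mount app": ("mount_start", 4),
    "mount:mounting share drive": ("mount_shares", 4),
    "mount:os is win2003 or lower": ("mount_osver", 4),
    "mount:share drive not found": ("mount_no_share", 4),
    "start hard drive encryption": ("encryption_started", 5),
}
STAGE_NAMES = {0: "not_run", 1: "staged", 2: "pending_reboot",
               3: "service_running", 4: "mount_attempted", 5: "encrypting"}


def normalize(line):
    """Lower-case and drop trailing dots, ellipses and spaces ('..' == '…')."""
    return re.sub(r"[.\u2026\s]+$", "", line.strip()).lower()


def triage(log_text):
    """Return the stage reached, the ordered events, share status and unknown lines."""
    events, unknown, best = [], [], 0
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        hit = KNOWN_MESSAGES.get(normalize(raw))
        if hit is None:
            unknown.append(raw.strip())
            continue
        label, rank = hit
        events.append(label)
        best = max(best, rank)
    return {
        "stage": STAGE_NAMES[best],
        "events": events,
        # shares were only mounted if the attempt was logged and no "not found" followed
        "shares_mounted": "mount_shares" in events and "mount_no_share" not in events,
        "unknown_lines": unknown,
    }


# Copied from the first-run log excerpt above.
FIRST_RUN_LOG = """installing driver successfully..
getting share drive information…
Trying to create service…
creating service successfully. rebooting windows…
"""

# Copied from the post-encryption log excerpt above.
AFTER_ENCRYPTION_LOG = FIRST_RUN_LOG + """Checking resources existence. They are OK…
driver installed before…
ServiceMain: Performing Service Start Operations
ServiceMain: Waiting for Worker Thread to complete
Starting Mount app…
Checking resources existence. They are OK…
driver installed before…
mount:mounting share drive…
mount:OS is win2003 or lower…
mount:share drive not found …
start hard drive encryption…
Checking resources existence. They are OK…
driver installed before…
Trying to create service…
"""

if __name__ == "__main__":
    for name, log in (("first run", FIRST_RUN_LOG), ("after encryption", AFTER_ENCRYPTION_LOG)):
        result = triage(log)
        print(f"{name}: stage={result['stage']} shares_mounted={result['shares_mounted']}")
        for line in result["unknown_lines"]:
            print("  unrecognised line (check for the encryption password):", line)
```

A host whose log stops at “pending_reboot” still has the password and the DiskCryptor tools on disk but no encrypted volume; one at “encrypting” needs the password that the log leaked before it is rebooted or powered off.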
We have found a good deal of information about this threat so far, but we have not yet found the infection vector. We know that the password used to encrypt the disk is passed as a parameter, so there may be a script or another binary that calls “152.exe” and hands it the clear-text password. We also suspect that the password is either the same for all victims or derived from something in the victim’s environment, such as the hostname.
The actors behind this campaign seem to be making some money. We contacted the e-mail address from the ransom note, and they asked for 1 BTC per infected machine.
This is the reply message we received:
Your HDD Encrypted By AES 2048Bit
send 1BTC Per HOST to My Bitcoin Wallet , then we give you Decryption key For Your Server HDD!!
My Bitcoin Wallet Address : 1NLnMNMPbxWeMJVtGuobnzWU3WozYz86Bf
We Only Accept Bitcoin , it’s So easy!
you can use Brokers to exchange your money to BTC ASAP
it’s Fast way!
if You Don’t Have a Account in Bitcoin , Read it First :
bitcoin Market :
One point that caught our attention was the mention of “server” in the reply. Could their strategy be to compromise only servers? The fact that the other machines on which we found the “152.exe” file were not encrypted supports that hypothesis.
The bitcoin wallet given by the cybercriminal had received 4 BTC at the time of this writing.
Figure 8: Cybercriminal bitcoin wallet balance
As Renato Marinho has stated, Morphus Labs is open to collaborating with the information security community to find out more about this threat. They have other samples of Mamba.