Chip Cards Lead to 70% Drop in Counterfeit Fraud: Visa
26.2.2018 securityweek Crime

The adoption of chip-and-PIN card technology by an increasing number of merchants in the United States has led to a significant drop in cases of counterfeit card fraud, according to Visa.

The financial industry has been pushing for the adoption of EMV (Europay, MasterCard, Visa) card technology in the United States since 2011, and efforts were increased following the disclosure of the massive data breach suffered by Target in 2013.

However, according to Visa, by September 2015, only roughly 392,000 merchant locations had been accepting chip cards, and the number of Visa debit and credit cards using this technology was only at 159 million.

Data collected by Visa shows the number of storefronts that had migrated to EMV technology by December 2017 increased by more than 570%, with 2.7 million storefronts in the U.S., representing 59% of the total, accepting chip cards. The number of Visa cards using chip technology increased by 202% to 481 million, with 67% of Visa payment cards having chips.

Visa also reported that EMV cards accounted for 96% of the overall payment volume in the United States in December 2017, with chip payment volume reaching $78 billion.

As a result of U.S. merchants upgrading their payment systems for EMV cards, cases of counterfeit fraud had dropped by 70% in September 2017 compared to December 2015.

While the adoption of chip and PIN technology addresses the problem of counterfeit card fraud, it has not deterred fraudsters, who have simply shifted their focus to card-not-present (CNP) and other types of fraud.

A study released roughly one year ago by Forter showed that there had been a significant increase in CNP fraud and account takeover (ATO) attacks. Specifically, in the case of ATO, while the number of attacks targeting merchant sites had decreased, there had been a growing trend in ATO attacks on online payment accounts.

A study released in September 2017 by Vesta showed that CNP fraud had been a serious concern for 85% of merchants, with roughly one-third showing increased concern.

Torsten George, strategic advisory board member at vulnerability risk management firm NopSec, warned in a SecurityWeek column last year that EMV does not address more sophisticated cyber attacks that target backend systems storing cardholder data.

“Security is no longer just about protecting the network and endpoints, but must extend to the database and application layers to name a few,” George explained at the time. “That’s why, in addition to their work to advance EMV adoption, banks and payment processors should implement cyber risk management practices to identify their attack surface exposure and quickly prioritize remediation of the security gaps with the potential to have the biggest business impact if exploited.”

Pyeongchang – Russia’s GRU military intelligence agency hacked Olympics Computers
26.2.2018 securityaffairs BigBrothers

Pyeongchang – Russia’s GRU military intelligence agency hacked Olympics Computers conducted a false flag operation to make it appear the attack originated in North Korea.
On February 9, shortly before the Pyeongchang opening ceremonies on Friday, televisions at the main press centre, wifi at the Olympic Stadium and the official website were taken down.

According to The Washington Post, the incidents were caused by cyber attacks powered by hackers working at Russia’s GRU military intelligence agency that managed to take control in early February of 300 computers linked to the Olympic organization.

The cyber attacks were a retaliation against the International Olympic Committee for banning the Russian team from the Winter Games due to doping cases of Russian athletes.

“Analysts surmise the disruption was retaliation against the International Olympic Committee for banning the Russian team from the Winter Games due to doping violations. No officials from Russia’s Olympic federation were allowed to attend, and while some athletes were permitted to compete under the designation “Olympic Athletes from Russia,” they were unable to display the Russian flag on their uniforms and, if they won medals, their country’s anthem was not played.” reported The Washington Post.

“As of early February, the Russian military agency GRU had access to as many as 300 Olympic-related computers, according to an intelligence report this month.

The Office of the Director of National Intelligence declined to comment.”

Pyeongchang Olympic Games

The cyber attacks caused severe problems to the Olympic organization, many attendees were unable to print their tickets for the ceremony and were not able to participate the event.

According to the authorities, it is a sabotage, Russian cyber soldiers compromised South Korean computer routers and implanted a strain of “malware” that paralyzed the network.

In order to make hard the attribution of the attack, Russian hackers conducted a false flag operation to make it appear the attack originated in North Korea.

“Russian military spies hacked several hundred computers used by authorities at the 2018 Winter Olympic Games in South Korea, according to U.S. intelligence.” continues the Washington Post.

“They did so while trying to make it appear as though the intrusion was conducted by North Korea, what is known as a “false-flag” operation, said two U.S. officials who spoke on the condition of anonymity to discuss a sensitive matter.”

Data Keeper Ransomware – An unusual and complex Ransom-as-a-Service platform
26.2.2018 securityaffairs

The Data Keeper Ransomware that infected systems in the wild was generated by a new Ransomware-as-a-Service (RaaS) service that appeared in the underground recently.
A few days ago a new Ransomware-as-a-Service (RaaS) service appeared in the underground, now samples of the malware, dubbed Data Keeper Ransomware, generated with the platforms are have already been spotted in the wild.

The Data Keeper ransomware was discovered by researchers at Bleeping Computer last week.

View image on Twitter
View image on Twitter

Catalin Cimpanu
New Dark Web RaaS. Currently offline, but to keep an eye on.


4:24 PM - Feb 20, 2018
See Catalin Cimpanu's other Tweets
Twitter Ads info and privacy
“The service launched on February 12 but didn’t actually come online until February 20, and by February 22, security researchers were already reporting seeing the first victims complaining of getting infected.” reads the blog post published by Bleeping Computer.

Anyone can sign up for the RaaS service and activate his account for free and create their samples of the ransomware.

The ransomware encrypted the files with a dual AES and RSA-4096 algorithm, it also attempts to encrypt all networks shares. Once the files are encrypted, the malicious code will place a ransom note (“!!! ##### === ReadMe === ##### !!!.htm“) in each folder it will encrypt files.

The operators behind the Data Keeper RaaS request their users to generate their samples and distribute them, in turn, they offer a share of the ransom fee when victims pay the ransom. It is not clear the percentage of the ransom that is offered to the user.

Affiliates just need to provide the address of their Bitcoin wallet, generate the encryptor binary, and download the malware along with a sample decrypter.

According to the researchers at the MalwareHunterTeam who analyzed the ransomware, even if it is written in .NET language, its quality is high.

So, looked at DataKeeper ransomware...
Important / notable things:
- it's secure
- it's one of the few RWs that uses PsExec & it should be the 1st .NET RaaS that uses PsExec at all
- not seen any .NET ransomware before which was protected like this.@BleepinComputer @demonslay335

8:40 PM - Feb 22, 2018
29 people are talking about this
Twitter Ads info and privacy
22 Feb

So, looked at DataKeeper ransomware...
Important / notable things:
- it's secure
- it's one of the few RWs that uses PsExec & it should be the 1st .NET RaaS that uses PsExec at all
- not seen any .NET ransomware before which was protected like this.@BleepinComputer @demonslay335

The ITW sample we seen yesterday consists of 4 layers:
First layer is an exe, which will drop another exe to %LocalAppData% with random name & .bin extension, then executes it (WindowStyle.Hidden, Priority.BelowNormal).
That 2nd exe will load a dll, which will load another dll.

10:52 AM - Feb 23, 2018
See MalwareHunterTeam's other Tweets
Twitter Ads info and privacy
23 Feb

Replying to @malwrhunterteam
The ITW sample we seen yesterday consists of 4 layers:
First layer is an exe, which will drop another exe to %LocalAppData% with random name & .bin extension, then executes it (WindowStyle.Hidden, Priority.BelowNormal).
That 2nd exe will load a dll, which will load another dll.

All layers have a custom strings and resources protection. And then each layer are protected with ConfuserEx.
Sounds like someone is paranoid...

11:11 AM - Feb 23, 2018
See MalwareHunterTeam's other Tweets
Twitter Ads info and privacy

The Data Keeper ransomware is complex, it is one of the few ransomware strains that use the PsExec tool. The Data Keeper ransomware uses the PsExec to execute the malicious code on other machines on the victims’ networks.

An interesting characteristic implemented by the Data Keeper ransomware is that it doesn’t append an extension to the names of the encrypted files.

24 Feb


Data Keeper Ransomware Makes First Victims Two Days After Release on Dark Web RaaS - by @campuscodi …

To extend what mentioned on the screenshot, it not only not adds an extension, but when encrypting a file, it first reads the lastWriteTime value of it, and after encryption it sets back that value, so you can't even find encrypted files this way...

2:13 PM - Feb 24, 2018
View image on Twitter
See MalwareHunterTeam's other Tweets
Twitter Ads info and privacy
With this trick victims won’t be able to know if the files are encrypted unless they try to open one.

“This is actually quite clever, as it introduces a sense of uncertainty for each victim, with users not knowing the amount of damage the ransomware has done to their PCs.” continues Bleeping Computer.

Another singularity of this RaaS platform is the possibility for affiliates to choose what file types to encrypt, affiliated can also set amount of the ransom.

The platform uses a payment service hosted on the Tor network, it is a common option for many malware.

According to the researchers, many crooks have already signed up for the Data Keeper RaaS and are distributing weaponized binaries in the wild.

The experts at MalwareHunter told Bleeping Computer that one of the groups that is distributing the ransomware is hosting the malicious binaries on the server of a home automation system.

Further technical details and the Indicators of Compromise (IOCs) are included in the post published by Bleeping Computer

Recently other RaaS services were spotted by the experts in the underground, GandCrab and Saturn were discovered in the last weeks.

Russia Hacked Olympics Computers, Turned Blame on North Korea: Report
26.2.2018 securityweek BigBrothers

Russian military spies hacked hundreds of computers used by Winter Olympics organizers and tried to make it look like the work of North Korea, the Washington Post reported Sunday, quoting US intelligence sources.

South Korea had previously announced that it was investigating the failure of several Olympic-linked internet sites and broadcast systems just as the opening ceremonies were taking place on February 9.

The Post reported that Russia's GRU military intelligence agency managed to take control in early February of 300 computers linked to the Olympic organization.

As a result, many attendees were unable to print their tickets for the ceremony, leaving empty seats.

It said the Russians had hacked South Korean computer routers and inserted a form of "malware" that allowed them to gather data and paralyze the network.

The Russians used a North Korean internet provider to make it appear the attack originated in North Korea, in what is known as a "false flag" operation, the Post said.

While American officials quoted in the article were unable to say whether the hackers had activated the malware, they said the cyber attack against the Games -- from which Russia's team was excluded for doping -- was worrisome.

Some analysts believe the cyber attack was retribution for that ban. Some Russian athletes were allowed to compete, but only under the designation of "Olympic Athletes from Russia."

The Winter Games saw dramatic gestures aimed at easing the raw tensions dividing the two Koreas, as both countries' athletes marched together during the opening ceremonies, and they fielded a single women's ice hockey team.

The sister of North Korean leader Kim Jong-Un made several high-profile appearances in the early days of the Games, and a large squad of North Korean cheerleaders drew intense interest.

Finally, at the Games' closing ceremony Sunday, South Korean President Moon Jae-in and North Korean General Kim Yong Chol -- a man considered a "war criminal" by many in the South for his role in two deadly attacks on Southern targets -- exchanged a very public handshake.

Microsoft Data Warrant Case in Top US Court Has Global Implications
26.2.2018 securityweek BigBrothers

Microsoft faces off with the US government before the Supreme Court Tuesday over a warrant for data stored abroad that has important ramifications for law enforcement in the age of global computing.

The case, which dates back to 2013, involves a US warrant ordering Microsoft to turn over the contents of an email account used by a suspected drug trafficker, whose data is stored in a cloud computing center in Ireland.

It has been watched closely because of its implications for privacy and surveillance in the digital age, and specifically how law enforcement can reach across borders to obtain digital evidence that may be scattered across the globe.

Microsoft has maintained that US courts lack jurisdiction over the data stored in Ireland.

The US tech giant, backed by many firms in the sector and civil liberties groups, argues the case is critical in showing that American authorities cannot simply request such data via a warrant without going through the process set out in law enforcement treaties between countries.

- The Snowden effect -

Microsoft president Brad Smith told reporters last week the principle is especially relevant after former intelligence contractor Edward Snowden leaked details on global US surveillance programs in 2013.

"We've always said it was important to win this case to win the confidence of people around the world in American technology," Smith said in a conference call.

Smith said officials in Europe have been notably concerned about the implications of a decision in favor of the US government, and that was made clear during a discussion with a German official on the case after a lower judge ruled against Microsoft.

"He said that unless we persist with this lawsuit and turned it around, no German state would ever store data in a data center operated by an American company," Smith said.

Last year, a federal appeals court sided with Microsoft, overturning a district judge ruling.

Yet the case is complicated by the intricacies of cloud computing, which allow data to be split up and stored in multiple locations around the world even for a single user, and some analysts say the court has no good solution.

"The speed by which data can be moved about the globe, the fact of third-party control and the possibility of data being held in locations that have absolutely no connection to either the crime or target being investigated makes location of the 0s and 1s that comprise our emails a particularly poor basis for delimiting jurisdiction," American University law professor Jennifer Daskal wrote on the Just Security blog.

"Conversely, there is a real risk that a straight-up US government win will -- rightly or wrongly -- be perceived around the world as US law enforcement claiming the right to access data anywhere, without regard to the countervailing sovereign interests. This creates a precedent that foreign nations are likely to mimic."

- 'Larger problem' -

Both sides have said that any court decision may be flawed, and that Congress needs to address the issue by rewriting the 1986 Stored Communications Act at issue.

Microsoft's Smith said he was encouraged by a bill introduced this year called the CLOUD Act that would authorize cross-border data warrants with countries that meet certain standards for privacy and civil liberties.

The proposal has the backing of the tech sector, according to Smith, and respects the laws of each country where a request is made.

John Carlin, a former assistant US attorney general for national security, agreed that a legislative solution is preferable.

"Regardless of how this case turns out, it's not going to solve the larger problem," Carlin said.

Carlin said current law affecting crimes with cross-border components are not designed for the digital age.

"The problem now is there is a lack of clarity over how you can serve traditional legal process for what used to be local crimes," he added. Carlin said the CLOUD bill could address the issues because it "provides incentives for countries that have protections for civil liberties."

But some civil liberties activists have expressed concern the measure would expand US surveillance capabilities.

The measure "would give unlimited jurisdiction to US law enforcement over any data controlled by a service provider, regardless of where the data is stored and who created it," said Camille Fischer of the Electronic Frontier Foundation.

It also "creates a dangerous precedent for other countries who may want to access information stored outside their own borders, including data stored in the United States," she said.

Tax refund, or How to lose your remaining cash
25.2.2018 Kaspersky
Every year, vast numbers of people around the globe relish the delightful prospect of filling out tax returns, applying for tax refunds, etc. Given that tax authorities and their taxpayers are moving online, it’s no surprise to find cybercriminals hard on their heels. By spoofing trusted government agency websites and luring users onto them, phishers try to collect enough information to steal both money from victims’ accounts and their digital identity.

Attackers employ standard methods that basically center on creating phishing sites and web pages. Such resources can prompt for passwords to My Account areas on the websites of local tax services, answers to security questions, names and dates of birth of relatives, information about bank cards, and much more besides. In addition to information that users themselves unwittingly hand over, scammers often get hold of extra tidbits such as victim IP address and location, browser name and version, operating system. That is, anything that increases the chances of a successful bypass of the protection system into the victim’s accounts.

Phishing pages can also spread malware under various guises. Fraudsters don’t shy away from direct extortion under the cloak of tax agents — such attacks have occurred in the US, France, Canada, Ireland, and elsewhere. Let’s examine the most common tax-phishing schemes in more detail.

Canada (CRA)
In Canada, the body responsible for tax collection and administration is the Canadian Revenue Agency (CRA). The deadline for filing tax returns for the past financial year is April 30. The figure below shows phishing activity in 2016 spiking in the days leading up to this deadline, and only abating in May.

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites using the CRA brand, 2016

A slightly different picture is observed on the 2017 graph:

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites using the CRA brand, 2017

A surge came when many Canadians were expecting a tax refund of some sort. We registered a huge number of phishing pages informing people that they were entitled to receive a certain amount of money. It was mostly these messages that distributed links to fake CRA pages where victims were asked to fill out a web form.

Example of a phishing letter allegedly from the CRA with a fake notification about a potential refund.

Typically, such pages are almost a carbon copy of the official CRA site and request a large amount of personal information. If the user doesn’t doubt the site’s authenticity, he or she will have no qualms about filling in the many fields. As a result, the attackers get hold of valuable information, while users are notified of a two-day wait while their data is “processed.” For added plausibility, the victim can be redirected to the original CRA site.

Among the information that the fraudsters collect are bank card details (including PIN code), social security number, driver’s license number, address, telephone number, date of birth, mother’s maiden name, and employer. The attackers also retrieve the IP address and system information.

Example of a phishing page masquerading as a CRA site. When all personal information is entered and the form is submitted, the script generates an email with all the data input (as well as the victim’s IP address and data received from the User Agent) and sends it to the specified address

Criminals do not focus solely on tax declarations and refunds. They make repeated attempts throughout the year to extract data under the guise of the CRA. For example, one of the emails we found invited the recipient to view information about a “tax incident,” prompting them to enter a login and password for a Dropbox account, or provide email credentials. After that, the victim clicked a button to download a public PDF document with information about alleged changes to the tax legislation. The data entered was forwarded to the scammers.

Example of tax and CRA-themed phishing to get Dropbox and mail credentials

Scammers do not restrict themselves to fake sites and emails. They also send out SMS messages and even call victims pretending to be from the CRA, demanding urgent payment of debts by wiring money to a certain account. Such calls are often accompanied by intimidation (threats of penalties, fines, and even imprisonment are used).

Taxpayers in Canada should remember that the CRA never sends emails containing links or requests for personal data, except when an email is sent directly during a telephone conversation with a CRA agent.

CRA recommendations on how to avoid scams are available on its official site under Security.

United States (IRS)
In the US, the tax body is the Internal Revenue Service (IRS), and the tax return deadline is usually April 18 (the date may vary slightly from year to year). In 2016, as in Canada, a major fraud outbreak occurred in the run-up to the deadline:

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites using the IRS brand, 2016

However, we observed bursts of scamming activity throughout the year. That made it difficult to single out a specific moment in 2017, save for a notable pre-New Year spike:

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites using the IRS brand, 2017

Scammers use a range of topics to bait US taxpayers: tax refund, personal information update, account confirmation, etc.

Examples of fake IRS emails

Tax refund forms are a very popular tool for phishers in the US, and scam sites that exploit this method typically appear at the start of the tax return period. The amount of data they steal is staggering: anything they can and more besides. They exploit users’ very strong urge to claw back some of their hard-earned cash.

Fake IRS pages prompting users to fill out a tax refund form

An information leak on this scale might not only empty the victim’s bank accounts, but lead to a host of other problems, including targeted attacks and attempts to access other accounts. Whereas a compromised bank card is easily blocked and reissued, one’s address, social security number, date of birth, and mother’s maiden name are rather less flexible.

Another way to dupe victims is to send a fake tax service message containing a link to confirm their account, update personal information, or restore their password:

Examples of phishing pages using the IRS brand

After the data is forwarded to the scammers, the victim is usually redirected to the original site not to arouse suspicions:


Example of a phishing script sending user data to a fraudulent email address. If the information is successfully forwarded, the victim is redirected to the original tax service website

Besides the IRS brand, scammers use the name of Intuit, the developer of the TurboTax program, which helps fill out tax returns.


Example of a phishing email using the Intuit brand

Scammers try to get user credentials for the Intuit site, as well as email logins and passwords:


Examples of phishing pages using the Intuit brand

Links to phishing pages in the US are distributed not only by email, but by SMS and social media. Remember that the IRS doesn’t initiate contact with taxpayers through these channels to request personal information.

Official IRS anti-phishing recommendations are available on the department’s website..

United Kingdom (HMRC)
The UK tax (fiscal) year runs from April 6 through April 5 the following year. The PAYE (Pay As You Earn) system means that most taxpayers are not required to fill out any forms by a certain deadline (HMRC receives monthly data from the employer). However, if a taxpayer’s income changes, he/she must update their tax code in accordance with the new income level. And in the event that the taxpayer owes money or is due a reimbursement, HMRC (Her Majesty’s Revenue and Customs) will make contact to arrange payment. That’s where scammers set traps informing potential victims about a potential refund or (less often) monies owed.

In 2016, phishing activity in this segment in the UK was very high, rising toward the end of the calendar year:


Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites exploiting the name of the UK’s HMRC, 2016

In 2017, phishers cast their nets in May (this month saw two major outbreaks of activity) and remained active pretty much until the end of the calendar year.


Number of Anti-Phishing triggers on user computers caused by attempts to redirect to phishing sites exploiting the name of the UK’s HMRC, 2017

Scam emails supposedly from HMRC are sent to UK residents via SMS, social media, and email, and contain links to phishing pages that strongly resemble the official website. To claim their “refund,” users are usually asked to enter bank card details and other important information.


Examples of phishing pages using the HMRC brand.

In addition, scammers try to steal credentials for other services. In the example below, the scammers sent an email seemingly from HMRC with a PDF attachment (in fact an HTML file). On opening it, the user is shown a page in the style of an Adobe online resource, and is prompted for an email login and password to view the PDF. These credentials are, of course, sent to the attackers.


A fake PDF directing victims to a page used by cybercriminals to steal email account credentials

Anti-phishing recommendations can be viewed on the official HMRC website.

France (DGFiP,
In France, tax collection is the responsibility of the General Directorate of Public Finance (La Générale des finances publique, DGFiP); the start of the fiscal year coincides with that of the calendar year. The French have no PAYE system (one is planned for implementation in 2019), and the deadline for tax returns is set by each individual département. Tax declarations can be filed in paper form (soon to be discontinued) and online. What’s more, the paper deadline is earlier than the electronic one. Generally, the submission deadlines fall in May-June.

As we can see on the graphs, phishing activity surged during this very period:

Number of Anti-Phishing triggers on user computers caused by attempts to redirect to fake DGFiP phishing sites, 2016

2017 saw two flashes of activity: during the filing period and at the end of the year:


Number of Anti-Phishing triggers on user computers caused by attempts to redirect to fake DGFiP phishing sites, 2017

The most popular topic for scammers, as before, is the offer of a refund:


Example of a phishing email exploiting the subject of tax refunds

Clicking on links in such messages takes users to phishing pages where they are prompted to enter bank card details and other personal information:


Examples of fake pages masquerading as the French tax service

Official warning about scammers on the DGFiP website.

Other countries
Taxes are a common scamming topic in other countries, too. Personal information is solicited for under various pretexts: tax return completion, account verification, tax refund, system registration, etc.


Example of a fake page of the Revenue Commissioners of the Republic of Ireland

Scammers not only target taxpayers’ personal data, but sometimes aim to install malware on their computers. For example, one spam mailing contained a link to a fake site of the Federal Tax Service (FTS) of the Russian Federation, where a Trojan was downloaded to the victim’s computer.


A spoof FTS site distributing malware

Not only taxes
Posing as the state, attackers have other topics than taxes up their sleeve. For example, scammers in Hungary held fake prize giveaways in the name of the government:


Smartphone giveaway by the “Hungarian government”

In Italy, fraudsters rather ingeniously extorted money under the guise of the Ministry of Defense. To conceal its real address, the site opened (if the user allowed it) in full-screen mode with the control elements and address bar hidden, and then proceeded to simulate these interface elements. Naturally, the fake address bar displayed the Ministry’s legitimate URL.


Fake Italian “Ministry of Defense” website

Scaring users into thinking they had distributed prohibited materials (pornography, pedophilia, zoophilia), the site blocked the computer and demanded a fine in the form of a €500 iTunes gift card to have it unblocked.

Trust in government websites is very high, and filing of tax returns always involves submitting large quantities of personal information. Therefore, if users are sure that they are on the official tax service website, they will not hesitate to share important details about themselves. Another important aspect is that many online tax return filers are not everyday netizens, and thus know little about online fraud and cannot recognize a scam when they see one. But even regular Internet users can be wrong-footed by a tempting (and often expected) tax refund notice. Scammers take full advantage of this. In sum, always treat monetary offers with a healthy dollop of skepticism, and bookmark the official site of your country’s tax service in your browser to help avoid getting hooked by phishers.

A Slice of 2017 Sofacy Activity
25.2.2018 Kaspersky
Phishing  APT
Sofacy, also known as APT28, Fancy Bear, and Tsar Team, is a highly active and prolific APT. From their high volume 0day deployment to their innovative and broad malware set, Sofacy is one of the top groups that we monitor, report, and protect against. 2017 was not any different in this regard. Our private reports subscription customers receive a steady stream of YARA, IOC, and reports on Sofacy, our most reported APT for the year.

This high level of cyber-espionage activity goes back years. In 2011-2012, the group used a relatively tiny implant (known as “Sofacy” or SOURFACE) as their first stage malware, which at the time had similarities with the old Miniduke implants. This made us believe the two groups were connected, although it looks they split ways at a certain point, with the original Miniduke group switching to the CosmicDuke implant in 2014. The division in malware was consistent and definitive at that point.

In 2013, the Sofacy group expanded their arsenal and added more backdoors and tools, including CORESHELL, SPLM (aka Xagent, aka CHOPSTICK), JHUHUGIT (which is built with code from the Carberp sources), AZZY (aka ADVSTORESHELL, NETUI, EVILTOSS, and spans across 4-5 generations) and a few others. We’ve seen quite a few versions of these implants, which were relatively widespread at some point or still are. In 2015 we noticed another wave of attacks which took advantage of a new release of the AZZY implant, largely undetected by antivirus products. The new wave of attacks included a new generation of USB stealers deployed by Sofacy, with initial versions dating to February 2015. It appeared to be geared exclusively towards high profile targets.

Sofacy’s reported presence in the DNC network alongside APT29 brought possibly the highest level of public attention to the group’s activities in 2016, especially when data from the compromise was leaked and “weaponized”. And later 2016, their focus turned towards the Olympics’ and the World Anti-Doping Agency (WADA) and Court of Arbitration for Sports (CAS), when individuals and servers in these organizations were phished and compromised. In a similar vein with past CyberBerkut activity, attackers hid behind anonymous activist groups like “anonpoland”, and data from victimized organizations were similarly leaked and “weaponized”.

This write-up will survey notables in the past year of 2017 Sofacy activity, including their targeting, technology, and notes on their infrastructure. No one research group has 100% global visibility, and our collected data is presented accordingly. Here, external APT28 reports on 2017 Darkhotel-style activity in Europe and Dealer’s Choice spearphishing are of interest. From where we sit, 2017 Sofacy activity starts with a heavy focus on NATO and Ukrainian partners, coinciding with lighter interest in Central Asian targets, and finishing the second half of the year with a heavy focus on Central Asian targets and some shift further East.

Dealer’s Choice
The beginning of 2017 began with a slow cleanup following the Dealer’s Choice campaign, with technical characteristics documented by our colleagues at Palo Alto in several stages at the end of 2016. The group spearphished targets in several waves with Flash exploits leading to their carberp based JHUHUGIT downloaders and further stages of malware. It seems that many folks did not log in and pull down their emails until Jan 2017 to retrieve the Dealer’s Choice spearphish. Throughout these waves, we observed that the targets provided connection, even tangential, to Ukraine and NATO military and diplomatic interests.

In multiple cases, Sofacy spoofs the identity of a target, and emails a spearphish to other targets of interest. Often these are military or military-technology and manufacturing related, and here, the DealersChoice spearphish is again NATO related:

The global reach that coincided with this focus on NATO and the Ukraine couldn’t be overstated. Our KSN data showed spearphishing targets geolocated across the globe into 2017.

DealersChoice emails, like the one above, that we were able to recover from third party sources provided additional targeting insight, and confirmed some of the targeting within our KSN data:

0day Deployment(s)
Sofacy kicked off the year deploying two 0day in a spearphish document, both a Microsoft Office encapsulated postscript type confusion exploit (abusing CVE-2017-0262) and an escalation of privilege use-after-free exploit (abusing CVE-2017-0263). The group attempted to deploy this spearphish attachment to push a small 30kb backdoor known as GAMEFISH to targets in Europe at the beginning of 2017. They took advantage of the Syrian military conflict for thematic content and file naming “Trump’s_Attack_on_Syria_English.docx”. Again, this deployment was likely a part of their focus on NATO targets.

Light SPLM deployment in Central Asia and Consistent Infrastructure
Meanwhile in early-to-mid 2017, SPLM/CHOPSTICK/XAgent detections in Central Asia provided a glimpse into ongoing focus on ex-Soviet republics in Central Asia. These particular detections are interesting because they indicate an attempted selective 2nd stage deployment of a backdoor maintaining filestealer, keylogger, and remoteshell functionality to a system of interest. As the latest revision of the backdoor, portions of SPLM didn’t match previous reports on SPLM/XAgent while other similarities were maintained. SPLM 64-bit modules already appeared to be at version 4 of the software by May of the year. Targeting profiles included defense related commercial and military organizations, and telecommunications.

Targeting included TR, KZ, AM, KG, JO, UK, UZ

Heavy Zebrocy deployments
Since mid-November 2015, the threat actor referred to as “Sofacy” or “APT28” has been utilizing a unique payload and delivery mechanism written in Delphi and AutoIT. We collectively refer to this package and related activity as “Zebrocy” and had written a few reports on its usage and development by June 2017 – Sofacy developers modified and redeployed incremented versions of the malware. The Zebrocy chain follows a pattern: spearphish attachment -> compiled Autoit script (downloader) -> Zebrocy payload. In some deployments, we observed Sofacy actively developing and deploying a new package to a much smaller, specific subset of targets within the broader set.

Targeting profiles, spearphish filenames, and lures carry thematic content related to visa applications and scanned images, border control administration, and various administrative notes. Targeting appears to be widely spread across the Middle East, Europe, and Asia:</p style=”margin-bottom:0!important”>

Business accounting practices and standards
Science and engineering centers
Industrial and hydrochemical engineering and standards/certification
Ministry of foreign affairs
Embassies and consulates
National security and intelligence agencies
Press services
Translation services
NGO – family and social service
Ministry of energy and industry
We identified new MSIL components deployed by Zebrocy. While recent Zebrocy versioning was 7.1, some of the related Zebrocy modules that drop file-stealing MSIL modules we call Covfacy were v7.0. The components were an unexpected inclusion in this particular toolset. For example, one sent out to a handful of countries identifies network drives when they are added to target systems, and then RC4-like-encrypts and writes certain file metadata and contents to a local path for later exfiltration. The stealer searches for files 60mb and less with these extensions:</p style=”margin-bottom:0!important”>

At execution, it installs an application-defined Windows hook. The hook gets windows messages indicating when a network drive has been attached. Upon adding a network drive, the hook calls its “RecordToFile” file stealer method.

Zebrocy spearphishing targets:

SPLM deployment in Central Asia
SPLM/CHOPSTICK components deployed throughout 2017 were native 64-bit modular C++ Windows COM backdoors supporting http over fully encrypted TLSv1 and TLSv1.2 communications, mostly deployed in the second half of 2017 by Sofacy. Earlier SPLM activity deployed 32-bit modules over unencrypted http (and sometimes smtp) sessions. In 2016 we saw fully functional, very large SPLM/X-Agent modules supporting OS X.

The executable module continues to be part of a framework supporting various internal and external components communicating over internal and external channels, maintaining slightly morphed encryption and functionality per deployment. Sofacy selectively used SPLM/CHOPSTICK modules as second stage implants to high interest targets for years now. In a change from previous compilations, the module was structured and used to inject remote shell, keylogger, and filesystem add-ons into processes running on victim systems and maintaining functionality that was originally present within the main module.

The newer SPLM modules are deployed mostly to Central Asian based targets that may have a tie to NATO in some form. These targets include foreign affairs government organizations both localized and abroad, and defense organizations’ presence localized, located in Europe and also located in Afghanistan. One outlier SPLM target profile within our visibility includes an audit and consulting firm in Bosnia and Herzegovina.

Minor changes and updates to the code were released with these deployments, including a new mutex format and the exclusive use of encrypted HTTP communications over TLS. The compiled code itself already is altered per deployment in multiple subtle ways, in order to stymie identification and automated analysis and accommodate targeted environments. Strings (c2 domains and functionality, error messages, etc) are custom encrypted per deployment.

Targets: TR, KZ, BA, TM, AF, DE, LT, NL

SPLM/CHOPSTICK/XAgent Modularity and Infrastructure
This subset of SPLM/CHOPSTICK activity leads into several small surprises that take us into 2018, to be discussed in further detail at SAS 2018. The group demonstrates malleability and innovation in maintaining and producing familiar SPLM functionality, but the pragmatic and systematic approach towards producing undetected or difficult-to-detect malware continues. Changes in the second stage SPLM backdoor are refined, making the code reliably modular.

Infrastructure Notes
Sofacy set up and maintained multiple servers and c2 for varying durations, registering fairly recognizable domains with privacy services, registrars that accept bitcoin, fake phone numbers, phony individual names, and 1 to 1 email address to domain registration relationships. Some of this activity and patterns were publicly disclosed, so we expect to see more change in their process in 2018. Also, throughout the year and in previous years, researchers began to comment publicly on Sofacy’s fairly consistent infrastructure setup.

As always, attackers make mistakes and give away hints about what providers and registrars they prefer. It’s interesting to note that this version of SPLM implements communications that are fully encrypted over HTTPS. As an example, we might see extraneous data in their SSL/TLS certificates that give away information about their provider or resources. Leading up to summer 2017, infrastructure mostly was created with PDR and Internet Domain Service BS Corp, and their resellers. Hosting mostly was provided at Fast Serv Inc and resellers, in all likelihood related to bitcoin payment processing.

Accordingly, the server side certificates appear to be generated locally on VPS hosts that exclusively are paid for at providers with bitcoin merchant processing. One certificate was generated locally on what appeared to be a HP-UX box, and another was generated on “8569985.securefastserver[.]com” with an email address “root@8569985.securefastserver[.]com”, as seen here for their nethostnet[.]com domain. This certificate configuration is ignored by the malware.

In addition to other ip data, this data point suggested that Qhoster at https://www.qhoster[.]com was a VPS hosting reseller of choice at the time. It should be noted that the reseller accepted Alfa Click, PayPal, Payza, Neteller, Skrill, WebMoney, Perfect Money, Bitcoin, Litecoin, SolidTrust Pay, CashU, Ukash, OKPAY, EgoPay, paysafecard, Alipay, MG, Western Union, SOFORT Banking, QIWI, Bank transfer for payment.

Sofacy, one of the most active APT we monitor, continues to spearphish their way into targets, reportedly widely phishes for credentials, and infrequently participates in server side activity (including host compromise with BeEF deployment, for example). KSN visibility and detections suggests a shift from their early 2017 high volume NATO spearphish targeting towards the middle east and Central Asia, and finally moving their focus further east into late 2017. Their operational security is good. Their campaigns appear to have broken out into subsets of activity and malware involving GAMEFISH, Zebrocy, and SPLM, to name a few. Their evolving and modified SPLM/CHOPSTICK/XAgent code is a long-standing part of Sofacy activity, however much of it is changing. We’ll cover more recent 2018 change in their targeting and the malware itself at SAS 2018.

With a group like Sofacy, once their attention is detected on a network, it is important to review logins and unusual administrator access on systems, thoroughly scan and sandbox incoming attachments, and maintain two factor authentication for services like email and vpn access. In order to identify their presence, not only can you gain valuable insight into their targeting from intelligence reports and gain powerful means of detections with hunting tools like YARA, but out-of-band processing with a solution like KATA is important.

Technical Appendix
Related md5

Related domains

Counterfeit Code-Signing certificates even more popular, but still too expensive
25.2.2018 securityafffairs  Krypto

Code-signing certificates are precious commodities in the criminal underground, they are used by vxers to sign malware code to evade detection.
Other precious commodities in the criminal underground are code-signing certificates, they allow vxers to sign the code for malware to evade detection. Operators of the major black markets in the darknets buy and sell code-signing certificates, but according to an interesting research conducted by threat intelligence firm Recorded Future, the prices for them are too expensive for most hackers.

Cybercriminals would use the Dark Web for selling high-grade code certificates -which they have obtained from trusted certificate authorities- to anyone that is interested in purchasing them.

Sales of code signing certificates have increased considerably since 2015 when experts from IBM X-Force researchers provided some best practice guides on checking for trusted certificates.

Digital certificates allow companies to trust the source code of a software and to check its integrity, The certificates are issued by the certificate authorities (CAs) and are granted to companies that generate code, protocols or software so they can sign their code and indicate its legitimacy and originality.

Using signing certificates is similar to the hologram seal used on software packages, assuring they are genuine and issued from a trusted publisher. Users would receive alerts in an attempt to install files that are not accompanied by a valid certificate. This is why cybercriminals aim to use certificates for legitimizing the malware code they make.

According to Andrei Barysevich, Director of Advanced Collection at Recorded Future, most of the code-signing certificates are obtained by hackers due to fraud and not from security breaches suffered by the CAs.

“Recorded Future’s Insikt Group investigated the criminal underground and identified vendors currently offering both code signing certificates and domain name registration with accompanying SSL certificates.” states the report published by Recorded Future.

“Contrary to a common belief that the security certificates circulating in the criminal underground are stolen from legitimate owners prior to being used in nefarious campaigns, we confirmed with a high degree of certainty that the certificates are created for a specific buyer per request only and are registered using stolen corporate identities, making traditional network security appliances less effective.”

Cybercriminals offer the precious commodity via online shops, when buyers place an order the shop’s operators used stolen identities from a legitimate company and its employees to request the certificate for a fake app or website to the CAs (i.e. Comodo, Thawte, and Symantec). The certificates are used to encrypt HTTPS traffic or sign apps.

Recorded Future’s Insikt Group investigated the criminal ecosystem and identified vendors currently offering both code signing certificates and domain name registration with accompanying SSL certificates.

The researchers identified four well-known vendors operating since 2011, only two vendors are currently still active in Russian-speaking crime forums.

“One of the first vendors to offer counterfeit code signing certificates was known as C@T, a member of a prolific hacking messaging board.” continues the report. “In March 2015, C@T offered for sale a Microsoft Authenticode capable of signing 32/64b versions of various executable files, as well as Microsoft Office, Microsoft VBA, Netscape Object Signing, and Marimba Channel Signing documents, and supported Silverlight 4 applications. Additionally, Apple code signing certificates were also available.”


Prices for code-signing certificates range from $299 to $1,799, most expensive items are the fully authenticated domains with EV SSL encryption and code signing capabilities.

“Standard code signing certificates issued by Comodo that do not include SmartScreen reputation rating cost $295. A buyer interested in the most trusted version of an EV certificate issued by Symantec would have to pay $1,599, a 230 percent premium compared to the price of the authentic certificate.” continues the report.

“For those seeking to purchase in bulk, fully authenticated domains with EV SSL encryption and code signing capabilities could also be arranged for $1,799”

code-signing certificates offer

According to recorded future, code signing certificates are not widespread among malware developers due to the high price.

Vxers prefer to pay less for other AV evasion tools, such as crypters (readily available at $10-$30)that represent an excellent compromise between cost and effectiveness

“Unlike ordinary crypting services readily available at $10-$30 per each encryption, we do not anticipate counterfeit certificates to become a mainstream staple of cybercrime due to its prohibitive cost.” concluded the report. “However, undoubtedly, more sophisticated actors and nation-state actors who are engaged in less widespread and more targeted attacks will continue using fake code signing and SSL certificates in their operations”

Dozen vulnerabilities discovered in Trend Micro Linux-based Email Encryption Gateway
25.2.2018 securityafffairs 

Security researchers at Core Security have discovered a dozen vulnerabilities in Trend Micro Linux-based Email Encryption Gateway.
Security researchers at Core Security have discovered a dozen flaws in Trend Micro Linux-based Email Encryption Gateway, some of them have been rated as critical and high severity. The flaws received the CVE identification numbers CVE-2018-6219 through CVE-2018-6230.

The most severe flaw could be exploited by a local or remote attacker with access to the targeted system to execute arbitrary commands with root privileges.

“Encryption for Email Gateway [1] is a Linux-based software solution providing the ability to perform the encryption and decryption of email at the corporate gateway, regardless of the email client, and the platform from which it originated. The encryption and decryption of email on the TMEEG client is controlled by a Policy Manager that enables an administrator to configure policies based on various parameters, such as sender and recipient email addresses,” states Core Security.

“Multiple vulnerabilities were found in the Trend Micro Email Encryption Gateway web console that would allow a remote unauthenticated attacker to gain command execution as root.”

Trend Micro Email Encryption Gateway

The most serious vulnerability is CVE-2018-6223, it is related to missing authentication for appliance registration. Administrators can configure the virtual appliance running Email Encryption Gateway during the deployment process upon deployment via a registration endpoint.

The researchers discovered that attackers can access the endpoint without authentication to set administrator credentials and make other changes to the configuration.

“The registration endpoint is provided for system administrators to configure the virtual appliance upon deployment. However, this endpoint remains accessible without authentication even after the appliance is configured, which would allow attackers to set configuration parameters such as the administrator username and password.” continues the analysis.

The experts also discovered two high severity cross-site scripting (XSS) vulnerabilities, an arbitrary file write issue that can lead to command execution, am arbitrary log file locations leading command execution, and unvalidated software updates.

Remaining flaws discovered by the researchers include SQL and XML external entity (XXE) injections.

Affected Packages are Trend Micro Email Encryption Gateway 5.5 (Build 1111.00) and earlier, Trend Micro addressed ten of the vulnerabilities with the version 5.5 build 1129.

According to the report timeline, Trend Micro spent more than six months to issue the patches.

2017-06-05: Core Security sent an initial notification to Trend Micro, including a draft advisory.
2017-11-13: Core Security asked again (4th time) for an ETA for the official fix. We stated we need a release date or a thorough explanation on why after five months there is still no date defined. If there is no such answer we will be forced to publish the advisory.
2018-02-21: Advisory CORE-2017-0006 published.
Trend Micro confirmed that a medium severity CSRF issue and a low severity SQL injection vulnerability have not been patched due to the difficulties of implementing a fix.

Czech President wants Russian hacker Yevgeni Nikulin extradited to Russia instead of US
25.2.2018 securityafffairs  BigBrothers

Czech President Milos Zeman wants the Russian hacker Yevgeni Nikulin to be extradited to Russia instead of the US, he is charged with hacking against social networks and frauds.
Yevgeni Nikulin (29) was requested by the US for alleged cyber attacks on social networks and by the Russian authorities that charged him with frauds.

According to US authorities, the man targeted LinkedIn and Formspring and hacked into the file hosting service Dropbox.

The Russian criminal was arrested in Prague in October 2016 in an international joint operation with the FBI.

The case in the middle of an arm wrestling between Moscow and Washington, the US Government are accusing Russia to have interfered with 2016 Presidential election through hacking.

Yevgeni Nikulin
Source: US Defense

In May, a Czech court ruled that Nikulin can be extradited to either Russia or the United States, leaving the final decision to the Justice Minister Robert Pelikan.

“It is true there have been two meetings this year where the president asked me not to extradite a Russian citizen to the United States but to Russia,” the website of the weekly newspaper Respekt quoted Pelikan as saying.

In 2016, Pelikan did not allow to extradite two Lebanese citizens charged by US court with several crimes, including the sale of ground-to-air missiles and cocaine trafficking.

“Respekt also quoted Babis, who professes a strong pro-EU and NATO stance, as saying earlier this month he would prefer Nikulin to be sent to the United States, but had no power over the decision. His spokeswoman declined comment.” reported the New York Times.

Zeman was re-elected in January, he is known for his pro-Russian line and its opposition to Western sanctions imposed on Russia over its 2014 annexation of Crimea.

The Respekt site said last week Pelikan received Vratislav Mynar, the head of Zeman’s office.

“It’s none of your business, but I have handed the minister a letter from the detained Nikulin’s mother,” Mynar told

Nikulin’s lawyer Martin Sadilek told AFP that Nikulin alleges that FBI investigators had tried twice to persuade him to confess to cyberattacks on the DNC.

Paypal issue allows disclosure of account balance and recent transactions
24.2.2018 securityaffairs Safety

Paypal issue allows for enumeration of the last four digits of payment method and for the disclosure of account balance and recent transactions of any given PayPal account.
This post details an issue which allows for enumeration of the last four digits of payment method (such as a credit or debit card) and for the disclosure of account balance and recent transactions of any given PayPal account.

This attack was submitted to PayPal’s bug bounty program where it was classified as being out of scope, which is something that would admittedly be unavailing to refute since their program scope does not mention anything about attacks on their interactive voice response system.

PayPal ticket

Prerequisites and Reconnaissance
In order to get started, the attacker would require knowledge of two pieces of information pertaining to an account, which would be the e-mail address and phone number linked to it.

Armed with knowledge of the e-mail address and phone number linked to an account, the attacker would visit the Forgot Password page on PayPal’s website, and enter the e-mail address associated with the targeted account.

The attacker would then be presented with the type of card linked to the account, as well as the last two digits of the same.

PayPal - Forgot Password

Attacking the Interactive Voice Response System
On first glance, the interactive voice response system on PayPal’s phone-based customer support seemingly allows for a maximum of three attempts at submitting the correct last four digits per phone call.

However, if the first attempt at submission is incorrect, the caller will not be notified of a successful submission in subsequent attempts made during the same phone call. This makes any additional attempts given to a caller during the same phone call completely cosmetic.

To get around this presumed limitation, the attacker would have to make only one attempt at submitting a possible combination of the last four digits per phone call.

PayPal - Customer Support

Additionally, limiting the number of attempts to one submission per phone call makes the task of enumerating the correct combination much more time-efficient, and not to mention, it allows for easily distinguishing between a correct attempt and an incorrect one.

Furthermore, upon have tested this theory with my own account, I have been able to conclude that there is no limit on the number of submission attempts which can be made in this manner, meaning that hypothetically, an attacker could call 100,000 times to enumerate the last four digits entirely on their own.

That would, however, be disregarding the last two digits retrieved from the Forgot Password page, the knowledge of which effectively makes the attack much more feasible–by reducing the number of possible combinations from 100,000 to just 100.

Once the correct combination of the last four digits has been found, the attacker would simply have to use the interactive voice response system to retrieve information about the account.

After having entered the correct last four digits, the account’s current balance will automatically read off by the machine.

Additionally, to retrieve information about recent transactions, an attacker would simply have to say “recent transactions”, and the same would then be read off.

Attack Efficacy and Efficiency
If the aforementioned prerequisites have been met, an attacker would without fail have the ability to enumerate the correct last four digits of the payment method linked to an account. This information could then further be used to retrieve the account’s current balance and recent transactions as well.

Moreover, after having timed various attempts at submission of the last four digits, it was found that an attempt at submission would on average take around 30 seconds. The fastest possible time would be 27 seconds per phone call.

If we take the fastest possible time as our average, enumerating all possible combinations from 00XX to 99XX would take at most around 45 minutes. This time could then be halved by adding another phone in the mix to consecutively make calls with.

Possible Fixes
Users should be allowed to opt for privacy settings which keep the amount of data revealed on the Forgot Password page to a minimum. This would be similar to how Twitter allows its users to hide information about the email address and/or phone number linked to their account when attempting to reset its password.

It would also be similar to how Facebook allows users to choose whether their full names show up or not when their e-mail address is entered on the password reset page.

Perhaps some measures could be deployed where the last two digits of credit or debit card, if they need to be shown at all, are only shown when the request matches a certain criteria, such as if/when the request has been made from a recognizable device or location.

This issue allows for enumeration of the last four digits of the payment method on an account, which then allows for the disclosure of the account’s current balance and recent transactions.

An attacker with knowledge of the targeted account’s email address and phone number would first use PayPal’s Forgot Password page to retrieve the last two digits of the payment method linked to the account.

The attacker would then be able to accurately enumerate the last four–or rather the first two of the last four digits–of the payment method on the account by making phone calls to PayPal’s phone-based customer support and interacting with the interactive voice response system.

Once the attacker has successfully enumerated the last four digits of credit/debit card or bank account linked to the account, they would then be able to query the current account balance and recent transaction information at will.

Lastly, I would like to note that since there is no human interaction required or involved in the attack, it would essentially be a backdoor into PayPal accounts–allowing attackers to query current account balance and recent transaction information of any given account, at any time.

Czech President Wants Hacker 'Extradited to Russia' Not US
24.2.2018 securityweek BigBrothers

The Czech Republic's pro-Moscow president has repeatedly lobbied for a Russian hacker held in Prague and wanted by the US to be extradited to Russia, the justice minister was quoted as saying Saturday.

Yevgeni Nikulin, sought by the US for alleged cyberattacks on social networks and also by his native Russia on fraud charges, has been in a Prague prison since he was arrested in the Czech capital in October 2016 in a joint operation with the FBI.

The case comes amid accusations by Washington that Russia tried to "interfere" through hacking in the 2016 US election won by Donald Trump, charges the Kremlin has dismissed.

Last May, a Prague court ruled that the 30-year-old Nikulin can be extradited to either Russia or the United States, with the final say left to Justice Minister Robert Pelikan.

"It's true that there have been two meetings this year at which the president (Milos Zeman) asked me to extradite a Russian citizen not to the United States, but to Russia," Pelikan told the news site.

The site said the meetings had taken place in January, while earlier this week Pelikan received Vratislav Mynar, the head of Zeman's office, who also lobbied for Nikulin's extradition to Russia.

"It's none of your business, but I have handed the minister a letter from the detained Nikulin's mother," Mynar told

Zeman's spokesman Jiri Ovcacek declined to comment on the matter when asked by AFP.

Following Nikulin's arrest, Moscow accused Washington of harassing its citizens and vowed to fight Nikulin's extradition.

It then issued a separate arrest warrant for him over alleged theft from the WebMoney settlement system.

The US has charged Nikulin with hacking into social networks LinkedIn and Formspring and into the file hosting service Dropbox, Nikulin's lawyer Martin Sadilek told AFP earlier.

He also said Nikulin alleges that FBI investigators had tried twice to persuade him to confess to cyberattacks on the US Democratic Party.

Zeman, a 73-year-old ex-communist with strong pro-Russian, pro-Chinese and anti-Muslim views, won a second five-year term in a presidential vote in January.

2,000 Computers at Colorado DOT were infected with the SamSam Ransomware
24.2.2018 securityaffairs

SamSam Ransomware hit the Colorado DOT, The Department of Transportation Agency Shuts Down 2,000 Computers after the infection.
SamSam ransomware made the headlines again, this time it infected over 2,000 computers at the Colorado Department of Transportation (DOT).

The DOT has shut down the infected workstations and is currently working with security firm McAfee to restore the ordinary operations. Officials confirmed the ransomware requested a bitcoin payment.

“The Colorado Department of Transportation has ordered an estimated 2,000 employees to shut down their computers following a ransomware attack Wednesday morning.” wrote the CBS Denver.

The CDOT spokesperson Amy Ford said employees were instructed to turn off their computers at the start of business Wednesday after ransomware infiltrated the CDOT network.

“We’re working on it right now,” added Ford.

The good news is that crucial systems at the Colorado DOT such as surveillance cameras, traffic alerts were not affected by the ransomware.

David McCurdy, OIT’s Chief Technology Officer, issued the following statement:

“Early this morning state security tools detected that a ransomware virus had infected systems at the Colorado Department of Transportation. The state moved quickly to quarantine the systems to prevent further spread of the virus. OIT, FBI and other security agencies are working together to determine a root cause analysis. This ransomware virus was a variant and the state worked with its antivirus software provider to implement a fix today. The state has robust backup and security tools and has no intention of paying ransomware. Teams will continue to monitor the situation closely and will be working into the night.”

The Colorado DOT officials confirmed that the agency will not pay the ransom and it will restore data from backups.

The SamSam ransomware is an old threat, attacks were observed in 2015 and the list of victims is long, many of them belong to the healthcare industry. The attackers spread the malware by gaining access to a company’s internal networks by brute-forcing RDP connections.

Among the victims of the Samsam Ransomware there is the MedStar non-profit group that manages 10 hospitals in the Baltimore and Washington area. Crooks behind the attack on MedStar requested 45 Bitcoins (about US$18,500) for restoring the encrypted files, but the organization refused to pay the Ransom because it had a backup of the encrypted information.

In April 2016, the FBI issued a confidential urgent “Flash” message to the businesses and organizations about the Samsam Ransomware.

Back to the present, the Samsam Ransomware made the headlines in the first days of 2018, the malicious code infected systems of some high-profile targets, including hospitals, an ICS firm, and a city council.

SamSam ransomware

Iran-linked group OilRig used a new Trojan called OopsIE in recent attacks
24.2.2018 securityaffairs BigBrothers  APT

According to malware researchers at Palo alto Networks, the Iran-linked OilRig APT group is now using a new Trojan called OopsIE.
The Iran-linked OilRig APT group is now using a new Trojan called OopsIE, experts at Palo Alto Networks observed the new malware being used in recent attacks against an insurance agency and a financial institution in the Middle East.

One of the attacks relied on a variant of the ThreeDollars delivery document, the same malicious document was sent by the threat actor to the UAE government to deliver the ISMInjector Trojan.

In the second attack detected by PaloAlto, the OilRig hackers attempted to deliver the malicious code via a link in a spear phishing message.

“On January 8, 2018, Unit 42 observed the OilRig threat group carry out an attack on an insurance agency based in the Middle East. Just over a week later, on January 16, 2018, we observed an attack on a Middle Eastern financial institution. In both attacks, the OilRig group attempted to deliver a new Trojan that we are tracking as OopsIE.” reads the analysis from Palo Alto Networks.

The first attack occurred on January 8, 2018, the hackers sent two emails to two different email addresses at the target organization within a six minutes time span. Attackers spoofed the email address associated with the Lebanese domain of a major global financial institution.

OilRig launched another attack on January 16, in this case, the attackers downloaded the OopsIE Trojan from the command and control (C&C) server directly. The same organization was hit by OilRig for the second time, the first attacks occurred in 2017.

The researchers explained that the malware is packed with SmartAssembly and obfuscated with ConfuserEx.

The hackers gain persistence by creating a VBScript file and a scheduled task to run itself every three minutes. The OopsIE Trojan communicates with the C&C over HTTP by using the InternetExplorer application object.

“By using the InternetExplorer application object, all C2 related requests will look as if they came from the legitimate browser and therefore will not contain any anomalous fields within the request, such as custom User-Agents. The OopsIE Trojan is configured to use a C2 server hosted at:

www.msoffice365cdn[.]com” states the analysis.

“The Trojan will construct specific URLs to communicate with the C2 server and parses the C2 server’s response looking for content within the tags <pre> and </pre>. The initial HTTP request acts as a beacon”


The Trojan can run a command, upload a file, or download a specified file.

Oilrig will continue to adapt its tactics, the experts believe that it will remain a highly active threat actor in the Middle East region.

“This group has repeatedly shown evidence of a willingness to adapt and evolve their tactics, while also reusing certain aspects as well. We have now observed this adversary deploy a multitude of tools, with each appearing to be some form of iterative variation of something used in the past. However, although the tools themselves have morphed over time, the plays they have executed in their playbook largely remain the same when examined over the attack life cycle,” Palo Alto concludes.

FBI warns of spike in phishing campaigns to gather W-2 information
24.2.2018 securityaffairs BigBrothers

The FBI is warning of a spike in phishing campaigns aimed to steal W-2 information from payroll personnel during the IRS’s tax filing season.
The FBI has observed a significant increase since January of complaints of compromised or spoofed emails involving W-2 information.

“Beginning in January 2017, IRS’s Online Fraud Detection & Prevention (OFDP), which monitors for suspected IRS-related phishing emails, observed an increase in reports of compromised or spoofed emails requesting W-2 information.” states the alert published by the FBI.

W-2 information is a precious commodity for crooks that are showing an increasing interest in tax data.

Law enforcement and security experts observed many variations of IRS and tax-related phishing campaigns, but most effective are mass data thefts, for example, campaigns targeting Human Resource (HR) professionals.

“The most popular method remains impersonating an executive, either through a compromised or spoofed email in order to obtain W-2 information from a Human Resource (HR) professional within the same organization.” continues the alert.

“Individual taxpayers may also be the targeted, but criminals have evolved their tactics to focus on mass data thefts.”

w-2 information

A separate warning od W-2 -related phishing campaigns was issued by the Internal Revenue Service.

“The Form W-2 scam has emerged as one of the most dangerous phishing emails in the tax community. During the last two tax seasons, cybercriminals tricked payroll personnel or people with access to payroll information into disclosing sensitive information for entire workforces.” reads the IRS’s advisory issued in January. “The scam affected all types of employers, from small and large businesses to public schools and universities, hospitals, tribal governments and charities.”

Once cyber criminal obtained the W-2 information, they will request a wire transfer, unfortunately, in the case of businesses and organizations the scam is not discovered for weeks or months.

“The initial email may be a friendly, “hi, are you working today” exchange before the fraudster asks for all Form W-2 information. In several reported cases, after the fraudsters acquired the workforce information, they immediately followed that up with a request for a wire transfer.” continues the advisory.

“In addition to educating payroll or finance personnel, the IRS and Security Summit partners also urge employers to consider creating a policy to limit the number of employees who have authority to handle Form W-2 requests and that they require additional verification procedures to validate the actual request before emailing sensitive data such as employee Form W-2s.”

Phishing scams related W-2 information have been increasing, the number of reports regarding this criminal practice from both victims and non-victims jumped from over 100 in 2016 up to roughly 900 in 2017, The IRS confirmed that more than 200 employers were victimized in 2017.

“Reports to from victims and nonvictims about this scam jumped to approximately 900 in 2017, compared to slightly over 100 in 2016. Last year, more than 200 employers were victimized, which translated into hundreds of thousands of employees who had their identities compromised.” continues the alert.

Let me close with recommendations published by the FBI to avoid being victims of W-2 phishing scams and BEC:

Limit the number of employees within a business who have the authority to approve and/or conduct wire transfers and handle W-2 related requests or tasks
Use out of band authentication to verify requests for W-2 related information or wire transfer requests that are seemingly coming from executives. This may include calling the executive to obtain verbal verification, establishing a phone Personal Identification Number (PIN) to verify the executive’s identity, or sending the executive via text message a one-time code and a phone number to call in order to confirm the wire transfer request
Verify a change in payment instructions to a vendor or supplier by calling to verbally confirm the request. The phone number should not come from the electronic communication, but should instead be taken from a known contact list for that vendor
Maintain a file, preferably in non-electronic form, of vendor contact information for those who are authorized to approve changes in payment instructions
Delay the transaction until additional verifications can be performed such as having staff wait to be contacted by the bank to verify the wire transfer
Require dual-approval for any wire transfer request involving one or more of the following:
A dollar amount over a specific threshold
Trading partners who have not been previously added to a “white list” of approved trading partners to receive wire payments
New trading partners
New bank and/or account numbers for current trading partners
Wire transfers to countries outside of the normal trading pattern

Disappearing bytes: Reverse engineering the MS Office RTF parser
24.2.2018 Kaspersky
Microsoft Office was a prime target for attacks in 2017. As well as the large number of vulnerabilities discovered and proof-of-concept exploits published, malware authors felt it necessary to prevent detection of ‘one-day’ and ‘old-day’ exploits by antivirus software. It also became clear that using RTF parsing features and peculiarities are no longer enough to effectively evade detection. Along with the rise of MS Office exploitation, when RTF is used as a container for an exploit, we encountered lots of samples that were ‘exploiting’ the implementation of Microsoft Word’s RTF parser to confuse all other third-party RTF parsers, including those used in AV software.

To achieve parsing exactly like that in MS Office, we needed to reverse-engineer it.

I decided to look first at MS Office 2010, because when it comes to parsing it’s better to look at an older implementation. I then compared my findings with those found in newer versions.

An RTF parser comprises a state machine with 37 states, 22 of which are unique:

We’ll look at the most significant states and those that have an influence on the parsing of \objdata, a destination control word that contains the object data. Microsoft OLE links, Microsoft OLE embedded objects, and Macintosh Edition Manager subscriber objects are represented in RTF as objects. These states are:












// …


Microsoft Office is shipped without debug symbols, meaning it wasn’t possible to recover the original state names. However, I believe I’ve chosen suitable names according to their underlying functionality.

The first state executed on an opened RTF file is PARSER_BEGIN. In most cases, it’s also executed after processing a control word. The main goal of this state is to determine the next state according to encountered char, destination, and other values stored in the ‘this’ structure and set by control word processors. By default the next state is PARSER_CHECK_CONTROL_WORD.


// … – checks that we dont need

while (data.pos != data.end)


byte = *(uint8_t*)data.pos;


if (this->bin_size > 0)


goto unexpected_char;


// …

if (byte == 9)


// …



if (byte == 0xA || byte == 0xD)


// …



if (byte == ‘\\’)


uint8_t byte1 = *(uint8_t*)data.pos;

if (byte1 == ‘\”)


if (this->destination == listname ||

this->destination == fonttbl ||

this->destination == revtbl ||

this->destination == falt ||

this->destination == leveltext ||

this->destination == levelnumbers ||

this->destination == liststylename ||

this->destination == protusertbl ||

this->destination == lsdlockedexcept)

goto unexpected_char;


// …



if (byte1 == ‘u’)


// …




// …



if (byte == ‘{‘)



// …



if (byte == ‘}’)






// it will set next state depending on destination / or go to unexpected_cmd to do more checks and magic

// …

if (this->destination == pict ||

this->destination == objdata ||

this->destination == objalias ||

this->destination == objsect ||

this->destination == datafield ||

this->destination == fontemb ||

this->destination == svb ||

this->destination == macro ||

this->destination == tci ||

this->destination == datastore ||

this->destination == mmconnectstrdata ||

this->destination == mmodsoudldata ||

this->destination == macrosig)






// …




PARSER_CHECK_CONTROL_WORD will check if the next char is the start of a control word or if it’s a control symbol, and will set the next state accordingly.


byte = *(uint8_t*)data.pos;

if ((byte >= ‘a’ && byte <= ‘z’) || (byte == ‘ ‘) || (byte >= ‘A’ && byte <= ‘Z’))



this->cmd_len = 0;





this->temp[0] = 1;

this->temp[1] = byte;

this->temp[2] = 0;


this->cmd_len = 1;



The states PARSER_PARSE_CONTROL_WORD and PARSER_PARSE_CONTROL_WORD_NUM_PARAMETER will store the null-terminated control word that is made up of ASCII alphabetical characters and a null-terminated numeric parameter (if it exists) in a temporary buffer of a fixed size.


pos = this->temp + 1;

parsed = this->temp + 1;

while (data.pos != data.end)


byte = *(uint8_t*)data.pos;

// length of null-terminated strings cmd + num should be <= 0xFF

if ((byte == ‘-‘) || (byte >= ‘0’ && byte <= ‘9’))


//if parsed == temp_end

// goto raise_exception

*parsed = 0;


pos = parsed;

if (parsed >= temp_end)


parsed = temp_end – 1;

*parsed = 0;


this->cmd_len = pos – (this->temp + 1);




this->cmd_len = pos – (this->temp + 1);

*parsed = byte;


pos = parsed;




if (byte == ‘ ‘)



if (parsed >= temp_end)


parsed = temp_end – 1;


*parsed = 0;


this->cmd_len = pos – (this->temp + 1);



if ((byte >= ‘a’ && byte <= ‘z’) || (byte >= ‘A’ && byte <= ‘Z’))


if (parsed – this->temp >= 0xFF)


if (parsed >= temp_end)


parsed = temp_end – 1;


*parsed = 0;


this->cmd_len = pos – (this->temp + 1);



//if parsed == temp_end

// goto raise_exception

*parsed = byte;


pos = parsed;





if (parsed >= temp_end)


parsed = temp_end – 1;


*parsed = 0;


this->cmd_len = pos – (this->temp + 1);






while (data.pos != data.end)


byte = *(uint8_t*)data.pos;

// length of null-terminated strings cmd + num should be <= 0xFF

if (byte == ‘ ‘)



if (parsed >= temp_end)


parsed = temp_end – 1;


*parsed = 0;




if (byte >= ‘0’ && byte <= ‘9’)


if (parsed – this->temp >= 0xFF)


if (parsed >= temp_end)


parsed = temp_end – 1;


*parsed = 0;




//if parsed == temp_end

// goto raise_exception

*parsed = byte;






if (parsed >= temp_end)


parsed = temp_end – 1;


*parsed = 0;














this->state = state;


state = this->state;


Then it is processed in the state PARSER_PROCESS_CMD that calls another function responsible for processing control words and control symbols. It takes into account the current state and sets the next state.

There are multiple states responsible for parsing hex-data. The most interesting for us is PARSER_PARSE_HEX_DATA – as you can see, it’s set in PARSER_BEGIN if the destination objdata is set.


parsed_data = this->temp;

if (this->bin_size <= 0)


while (data.pos != data.end)


byte = *(uint8_t*)data.pos;

if (byte == ‘{‘ || byte == ‘}’ || byte == ‘\\’)



if (parsed_data != this->temp)


push_data(parsed_data – this->temp);

parsed_data = this->temp;




if (this->flag & 0x4000)





if (byte >= ‘0’ && byte <= ‘9’)


val = byte – 0x30;


else if (byte >= ‘a’ && byte <= ‘f’)


val = byte – 0x57;


else if (byte >= ‘A’ && byte <= ‘F’)


val = byte – 0x37;


else if (byte == 9 || byte == 0xA || byte == 0xD || byte == 0x20)







// show message that there are not enough memory

this->flag |= 0x4000;




if (this->flag & 0x8000)


this->hex_data_byte = val << 4;

this->flag &= 0x7FFF;




if (parsed_data == temp_end)



parsed_data = this->temp;


this->hex_data_byte |= val;

*parsed_data = this->hex_data_byte;


this->flag |= 0x8000;







if (this->flag & 0x4000)


uint32_t size;

if (this->bin_size <= data.end – data.pos)


size = this->bin_size;




size = data.end – data.pos;


this->bin_size -= size;

data.pos += size;




while (this->bin_size > 0)


if (parsed_data == temp_end)



parsed_data = this->temp;


byte = *(uint8_t*)data.pos;

*parsed_data = byte;







if (parsed_data != this->temp)


push_data(parsed_data – this->temp);

parsed_data = this->temp;



This state will parse hexadecimal data and binary data if set.

The states PARSER_PARSE_HEX_NUM_MSB and PARSER_PARSE_HEX_NUM_LSB are used together to parse hex values (data of the \panose control word and \’ control symbol).


this->flag |= 0x8000;

this->hex_num_byte = 0;



// …

byte = *(uint8_t*)data.pos;


val = 0;

if (byte – ‘0’ <= 9)


val = byte – 0x30;


else if (byte – ‘a’ <= 5)


val = byte – 0x57;


else if (byte – ‘A’ <= 5)


val = byte – 0x37;


this->hex_num_byte |= val << ((this->flag >> 0xF) << 2);

this->flag = ((~this->flag ^ this->flag) & 0x7FFF) ^ ~this->flag;

if (this->flag & 0x8000)


// …








State reset
Looking at PARSER_PARSE_HEX_NUM_MSB, PARSER_PARSE_HEX_NUM_LSB and PARSER_PARSE_HEX_DATA, it is easy to spot a bug. Even if they use a different variable to store the decoded hex value, they use the same bit to determine which nibble is now decoded – high (most significant bits, or MSB) or low (less significant bits, or LSB). And PARSER_PARSE_HEX_NUM_MSB always resets this bit to MSB.

It is therefore possible to make bytes disappear in the PARSER_PARSE_HEX_DATA context by triggering a change of state to PARSER_PARSE_HEX_NUM_MSB.

For this to work it is enough to put \’XX in the data that comes after the \objdata control word. In this case, when the parser encounters \ in state PARSER_PARSE_HEX_DATA it will return to state PARSER_BEGIN and after that will go to state PARSER_PROCESS_CMD. The handler for the \’ control symbol will not change a destination, but will change the next state to PARSER_PARSE_HEX_NUM_MSB. After PARSER_PARSE_HEX_NUM_MSB and PARSER_PARSE_HEX_NUM_LSB control is transferred back to PARSER_BEGIN and eventually to PARSER_PARSE_HEX_DATA because the destination is still equal to objdata. After all that, the next byte will be decoded as a high nibble.

It is also worth noting that PARSER_PARSE_HEX_NUM_LSB does not check if the provided value is a valid hexadecimal; therefore, after \’ there could be absolutely any two bytes.

This behavior can be observed in the following example:


“f\’cc” will be removed from the final result

When control is transferred for the first time to the PARSER_PARSE_HEX_DATA state, after the \objdata control word is processed, the MSB bit is already set. Let’s look at how it happens and how this example will be processed:

After some reverse engineering of the keyword processing function, I found a list of all the control words and their corresponding structures:

With this information we can locate and look at the objdata constructor:

You can see it sets the MSB bit, allocates a new buffer and replaces the old pointer with a new one. Therefore, the data decoded between two \objdata control words is never used.


“d0cf11e0a1b11ae1” will be removed from the final result

Final destination
We know that if \’ or \objdata is put in data, it will change the output. What about other control words and control symbols? There are more than 1500 of them!

Mostly nothing.

As some control words represent a destination, they can’t be used – they change the objdata destination on their own, and to decode an object the objdata destination is needed.

Other control words do not affect objdata destination.

The only one way to change the destination so that it’s possible to return to the objdata destination without losing previously decoded data is to use special symbols – opening brace ({) and closing brace (}). These symbols indicate the start and end of a group.

When the parser encounters the end of a group in state PARSER_BEGIN, the destination that was set before the start of the group will be restored.

Therefore, by putting {\aftncn FF} after \objdata, FF will not get into the decoded data because FF now applies to the destination aftncn and will be handled according to this destination.

However, by using {\aftnnalc FF}, FF will get into the decoded data because the destination is still equal to objdata.

It is also worth noting that {\objdata FF} still can’t be used because the buffer will not be restored.

An accurate list of all destination control words was created with a simple fuzzer.

Fixed-size buffer
Another obfuscation technique that comes to mind while looking at the code of an RTF parser is not related to this ‘MSB’ bug, but can also be used to remove bytes from a hex-stream. The technique’s related to the temporary buffer size and how a control word and numeric parameter are parsed in the states PARSER_PARSE_CONTROL_WORD and PARSER_PARSE_CONTROL_WORD_NUM_PARAMETER. You can see an example of its use in the following screenshot.

In this example the size of the data that will be removed as part of the numeric parameter is calculated using the formula: 0xFF (size of temporary buffer) – 0xB (size of ‘oldlinewrap’) – 2 (null-terminator characters) = 0xF2.

Unnecessary data
While the techniques described above are related to general RTF parsing, the processing of some specific keywords conceals some further confusion.

According to the specification states, if \* was encountered right before a control word or control symbol that was not found in the lookup table, its considered an unknown destination group and all the data up to the closing brace } that closes this group should be discarded. The lookup table in MS Office contains control words that are not present in the specification and it raises concerns that it will be changed in future, affecting parsing of the same document on different versions of MS Office. When the function responsible for processing keywords encounters such cases or one of the specific control words (such as \comment, \generator, \nonshppict and so on), it will set the state PARSER_SKIP_DATA and the number for encountered opening braces { to 1.



// …


// …






// …


Kind of magic
During analysis of the PARSER_SKIP_DATA* states I found things that are the opposite not only to the specification but also to the rest of the parser code.

While looking for the \bin control word, this states will skip data, changing the number of encountered opening and closing braces until that number equals zero. The hidden catch lies in the way the numeric parameter is processed.

First of all, the maximum allowed length of the numeric parameter is increased up to 0xFF – it’s calculated without considering the length of the control word.

The second catch is that the numeric parameter is not numeric anymore! The parser allows not only decimal characters but also Latin characters to pass. Then this parameter is passed to custom strtol, making it possible to specify the length of data that should be skipped without considering opening and closing braces as a hexadecimal number.

Obfuscations with the use of these two primitives have not yet been encountered in the wild.

Reverse engineering has proved to be the most effective way to build a parser, and in the case of RTF it would most likely be impossible to achieve the desired behavior otherwise.

Exact parsing depends on small implementation details and algorithmic bugs rather than on a specification that could be confusing or state things that are not true.

Kaspersky Lab products detect all kinds of RTF obfuscation and perform the most correct processing of RTF files, providing the best protection to our end users.

Iranian Hackers Use New Trojan in Recent Attacks
23.2.2018 securityweek CyberSpy

The cyberespionage group known as OilRig and previously linked to Iran has been observed using a new Trojan in recent attacks, Palo Alto Networks reports.

A highly active group mainly targeting organizations in the Middle East, OilRig was attempting to deliver a Trojan called OopsIE in two attacks targeting an insurance agency and a financial institution in the Middle East. While one of the attacks relied on a variant of the ThreeDollars delivery document, the other attempted to deliver the malware to the victim directly, likely via a link in a spear phishing email.

The first attack occurred on January 8, 2018, and started with two emails being sent to two different email addresses at the same organization within a six minutes time span. Both messages originated from an email address associated with the Lebanese domain of a major global financial institution, but researchers from Palo Alto Networks believe the email address was spoofed.

On January 16, OilRig targeted an organization that it had also hit a year ago. The OopsIE Trojan was downloaded from the command and control (C&C) server directly, suggesting that the server was being used for staging as well. It also suggests that group might have changed tactics after the targeted organization took measures to counter known OilRig TTPs following last year’s incident.

The ThreeDollars samples collected in the new attacks were similar to those analyzed in October 2017, using the same lure image (albeit a cropped and edited version) that tricks users into enabling macros. While executing a malicious macro in the background, the malicious document displays a decoy image to lower suspicion, although it is a fake error message.

The macro creates a scheduled task that executes after one minute to decode base64 encoded data using the Certutil application, and another task that executes after two minutes, running a VBScript to execute the OopsIE Trojan and clean up the installation.

Packed with SmartAssembly, the Trojan is obfuscated with ConfuserEx and achieves persistence by creating a VBScript file. It also creates a scheduled task to run itself every three minutes. The malware communicates with the C&C over HTTP, using the InternetExplorer application object.

“The Trojan will construct specific URLs to communicate with the C2 server and parses the C2 server’s response looking for content within the tags <pre> and </pre>. The initial HTTP request acts as a beacon,” the researchers explain.

The Trojan extracts and loads an embedded assembly by concatenating the contents of two resources, a technique the OilRig group was already known to employ.

Based on responses received from the server, the Trojan can run a command, upload a file, or download a specified file.

In addition to the use of the ThreeDollars delivery document, the newly observed attacks overlap with previous incidents involving the OilRig group in that they use the C&C domain msoffice365cdn[.]com. The researchers also linked the domain’s registrant to the office365-management[.]com and office365-technical[.]info domains and believe the OilRig group is behind all of them. The IP msoffice365cdn[.]com resolves to was also associated with the group.

“This group has repeatedly shown evidence of a willingness to adapt and evolve their tactics, while also reusing certain aspects as well. We have now observed this adversary deploy a multitude of tools, with each appearing to be some form of iterative variation of something used in the past. However, although the tools themselves have morphed over time, the plays they have executed in their playbook largely remain the same when examined over the attack life cycle,” Palo Alto concludes.

Report Highlights Challenges of Incident Response
23.2.2018 securityweek Incindent

False Positives Lead to a Surprising Number of Incident Response Investigations

Helsinki, Finland-based security firm F-Secure has analyzed a random sample of incident response investigations conducted by its security consultants. The resulting report (PDF) cannot be considered a scientific analysis of incident response, but nevertheless provides useful observations.

Some of these observations could be expected; others are perhaps surprising. For example, successful attacks are fairly evenly split between opportunistic and targeted, F-Secure found. Since there are far more opportunistic attacks fueled by mass spam and phishing campaigns, the implication is that targeted attacks are, pro rata, very successful.

Within the industry sectors included in the analysis, there are interesting distinctions. For example, successful attacks against the financial and manufacturing sectors are evenly distributed between opportunistic and targeted. Successful attacks against the gaming and public sectors were (within the confines of this report) always targeted; but such attacks against the insurance, media and telecom sectors are always opportunistic.

It would be interesting to conjecture why this might be so. For example, gaming is almost continuously under one form or another of attack, while the public sector is highly regulated. It would be tempting to suggest that a solid security posture can effectively eliminate most opportunistic attacks.

The report notes that targeted attacks use social engineering to a greater extent than opportunistic attacks. This suggests that an important defense against targeted attacks will be user security awareness training.

Opportunistic attacks, however, are more likely to focus on external technology exploits via internet facing services.

"Opportunistic attacks," say the report's authors, "are often initiated with cost-effective target selection techniques, such as mass scanning the internet and attacking a vulnerable service when a new exploit comes out. This can be done in a matter of minutes using tools readily available on the internet." The implication here is that an effective early patching regime will reduce the success of opportunistic attacks.

Another surprise is the high number of insider-instigated successful attacks. While 'internet exploits' tops the list at 21%, this is closely followed by insiders at 20%. Malicious e-mail attachments and phishing attacks (often considered to be the major threats) are at 18% and 16% respectively.

However, one of the biggest surprises in this report is the number of incident response calls that are false positives. False positives are a common problem during network analysis and incident triaging, but it is surprising how many of these false positives result in a call to an incident response specialist firm like F-Secure.

Thirteen percent of F-Secure incident response investigations were false positives; that is, says the report, "were conducted due to IT problems or other issues being misunderstood as security incidents by the reporting organization."

This is nothing like the number of successful attacks that caused actual damage (79%), but more than the meager 8% of investigations into failed attacks.

These figures lead F-Secure to believe that many companies simply do not have adequate internal incident response capabilities, able to detect and stop an incident before it progresses. “Every incident response process begins with the same question: is it an incident? How fast a company can make that determination, how smooth and efficient their processes and procedures are, the quality of their forensics and technology, and how well-trained their staff is, defines the cost of the answer to that question,” says F-Secure principal security consultant Tom Van de Wiele. “Once an organization has the facts based on detection capabilities, and not rumors or assumptions, then the process can continue with the next step which is usually containment and eradication.”

In a related blog post, F-Secure's Adam Pilkey describes three incident response recommendations for companies. The first is that breach evidence can be found in the system logs. "You'll want to collect other evidence too, although exactly what will depend on your organization, infrastructure, threat model, and other factors."

The second is that a method of filtering the collected data will be necessary. Manually will be too time-intensive; and requires expensive expertise. As an example of the volumes to be expected, F-Secure's specialist sensors collected about 2 million events from one customer in one month. Correlation and analytics brought this number down to 25 genuinely suspicious events -- and manual analysis found they contained 15 actual threats.

The third requirement is knowing what to look for. "Anything out of the ordinary should be a potential concern," writes Pilkey. "You should also cross reference your logs against threat intelligence feeds to find any indicators of compromise (such as finding activity from known malicious IPs)."

GitLab Patches Domain Hijacking Vulnerability
23.2.2018 securityweek

Open source Git repository management system GitLab has addressed a security hole that could have been exploited to hijack users’ custom domains and point them to malicious content.

GitLab Pages is a feature that allows users to create websites for their projects, groups or user accounts, and then connect them to custom domains and TLS certificates.

White hat hackers noticed that no validation was being performed to ensure that the custom domain added to a user’s Pages site was actually theirs.

A custom domain can be added to GitLab Pages by creating a new DNS A record with an IP address for a Pages server. Since no validation was performed when adding custom domains, an attacker could have identified domains with DNS records pointing to the GitLab Pages server and hijack those domains. When users visited the hijacked domains, they would have been served content from the attacker’s repository.

The attack worked against custom domains that were deleted by users but still had the DNS records for the GitLab server active.

Two researchers reported variations of this issue to GitLab via the company’s bug bounty program on HackerOne. GitLab initially decided not to fix anything, but it started taking action after the second report was submitted.

“Attacker can create fake GitLab account(s) using the email(s) from temporary/anonymous email services. Configure fake email addresses with git for further code commits. Create multiple repositories and add domain name from the vulnerable list. The attacker can then: 1) use the static websites as Command and Control centers for their malware / for other malicious intents, 2) phish the customers / visitors of the legitimate domain owners,” one of the researchers explained in the report submitted via HackerOne.

Proof-of-concept (PoC) exploits created by the researchers revealed that there had been hundreds of vulnerable domains.

GitLab initially disabled the functionality for adding custom domains to GitLab Pages, and this week it rolled out a permanent fix by requiring users to verify ownership when adding a custom domain. Verification is done by adding a DNS TXT record containing a token provided by GitLab to the user’s domain.

Some users pointed out on Hacker News that the problem is similar to the issue that caused Let’s Encrypt last month to disable TLS-SNI-01 validation.

GitHub Enforces Stronger Encryption
23.2.2018 securityweek Safety

GitHub this week permanently disabled a series of weak cryptographic standards across its software development platform in an attempt to better protect users.

As of Feb. 22, 2018, the TLSv1/TLSv1.1 standard is no longer used on HTTPS connections to GitHub. The change affects all web, API, and git connections to and, Patrick Toomey, Application Security Engineer, GitHub, says.

The platform also retired the diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1 encryption standards, a move that affects all SSH connections to This change follows the enabling of the diffie-hellman-group-exchange-sha256 standard on GitHub in September 2017.

The removal of these weak cryptographic standards was initially announced last year, and GitHub has since focused on ensuring that the change won’t have a major impact on its users. At the moment, only a small fraction of traffic uses the deprecated algorithms and clients are expected to automatically transition to the new ones, but some clients are expected to be impacted.

These include older systems that, although no longer maintained, continue to access Git/the GitHub API using the deprecated algorithms. To help mitigate this, the platform disabled support for the old algorithms for one hour on February 8, 2018. This provided a two week grace period for impacted systems to be upgraded.

“As noted above, the vast majority of traffic should be unaffected by this change. However, there are a few remaining clients that we anticipate will be affected. Fortunately, the majority of clients can be updated to work with TLSv1.2,” Toomey notes.

Impacted clients include Git Credential Manager for Windows prior to version 1.14.0, Git clients that shipped with Red Hat 5, 6, and 7 (updating to versions 6.8 and 7.2 or greater should resolve this), JDK releases prior to JDK 8, and Visual Studio (which ships with specific versions of Git for Windows and the Git Credential Manager for Windows).

Newer versions of these programs, however, include support for TLSv1.2 and updating ensures that clients continue to work properly with GitHub even after the deprecation.

Tech Giants Hit by Meltdown, Spectre Respond to Lawmakers
23.2.2018 securityweek

Intel, AMD, ARM, Apple, Amazon, Google and Microsoft have responded to lawmakers who raised questions last month about the disclosure of the CPU vulnerabilities known as Meltdown and Spectre.

The U.S. House Energy and Commerce Committee announced on January 24 that it had sent letters to the companies hit by the Meltdown/Spectre incident, inquiring about their disclosure process. The tech giants were instructed to respond by February 7 and their responses have now been made public.

The Meltdown and Spectre vulnerabilities, which allow malicious applications to access potentially sensitive data from memory, were discovered independently by researchers at Google and various universities and private companies. Affected vendors were first notified in June 2017 and the disclosure of the flaws was initially planned for January 9, but it was moved to January 3 after some experts figured out that operating system developers had been preparing patches for what appeared to be critical processor flaws.

The U.S. House Energy and Commerce Committee asked impacted vendors about why and who proposed an embargo, when were US-CERT and CERT/CC notified, the impact of the embargo on critical infrastructure and other technology firms, the resources and best practices used in implementing the embargo, and lessons learned regarding multi-party coordinated disclosure.

Overall, the companies said Google Project Zero, whose researchers discovered the vulnerabilities, set the embargo after consultations with affected firms. Project Zero typically gives vendors 90 days to release patches, but the deadline was significantly extended due to the “complex nature of the vulnerability and mitigations.”

None of the companies notified US-CERT and CERT/CC of Meltdown and Spectre prior to their public disclosure. The agencies learned about the flaws through the public disclosure on January 3, and US-CERT was contacted by Intel on that day and again two days later.

The companies told lawmakers that the embargo and the disclosure process were consistent with industry standard practices designed to protect the public against attacks exploiting unpatched vulnerabilities.

In response to questions regarding impact on critical infrastructure, Intel noted that “the generally understood characteristics of most [industrial control systems] suggest that risk to these systems is likely low.” Many of the major ICS vendors have published advisories to warn users of the risks associated with these attack methods.

As for lessons learned, the tech giants claim they are evaluating the situation in an effort to improve their process in the future, and many say they are open to discussions on this topic.

Use of Fake Code Signing Certificates in Malware Surges
23.2.2018 securityweek

There has been surge in the use of counterfeit code signing certificates to evade security detection solutions, despite the high cost such certificates come with, a new Recorded Future report shows.

Fake code signing certificates are used as a layered obfuscation technique in malware distribution campaigns, but these aren’t always stolen from legitimate owners, but rather issued upon request. The certificates are created for the specific buyer and registered using stolen corporate credentials, thus rendering traditional network defenses less effective, Recorded Future says.

Counterfeit certificates have been around for over half a decade, but the first offerings for such certificates were observed on the Dark Web only several years ago.

In March 2015, a user known as C@T offered on a prolific hacking messaging board a Microsoft Authenticode that could sign 32-bit/64-bit executable files, along with Microsoft Office, Microsoft VBA, Netscape Object Signing, and Marimba Channel Signing documents, and Silverlight 4 applications. Furthermore, Apple code signing certificates were also available, Recorded Future's researchers say.

The advertiser claimed the certificates were issued by Comodo, Thawte, and Symantec and registered under legitimate corporations. The seller also said each certificate was unique and would only be assigned to a single buyer. The seller suggested the certificates would increase the success rate of malware installations 30% to 50% and claimed to have sold over 60 certificates in less than six months.

What prevented C@T’s offer to appeal to a large client base was the prohibitive cost of certificates, which can surpass $1,000 per certificate in some instances.

Several years later, three new actors started offering such services, primarily in the Eastern European underground, and two remain active, providing counterfeit certificates to Russian-speaking individuals.

One of the actors specializes in Class 3 certificates (they do not include Extended Validation (EV) assurance) and offers them at $600. The other seller has a broad range of products in the offering, the researchers discovered.

Standard Comodo code signing certificates (without SmartScreen reputation rating) cost $295, while the most trusted EV certificates from Symantec cost $1,599 (a 230% premium over the authentic certificate). Buyers looking to make bulk purchases would pay $1,799 for fully authenticated domains with EV SSL encryption and code signing capabilities.

“According to the information provided by both sellers during a private conversation, to guarantee the issuance and lifespan of the products, all certificates are registered using the information of real corporations. With a high degree of confidence, we believe that the legitimate business owners are unaware that their data was used in the illicit activities,” Recorded Future notes.

All certificates are created per the buyer’s request, individually, and have an average delivery time of two to four days.

A trial one of the vendors conducted revealed that detection rate of the payload executable of a previously unreported Remote Access Trojan (RAT) decreased upon signing with a recently issued Comodo certificate. Testing a non-resident version of the payload revealed that only one security product recognized the file as malicious.

“Network security appliances performing deep packet inspection become less effective when legitimate (legitimate certificate) SSL/TLS traffic is initiated by a malicious implant. Netflow (packet headers) analysis is an important control toward reducing risk, as host-based controls may also be rendered ineffective by legitimate code signing certificates,” the security researchers note.

The counterfeit certificates might have experienced a surge, but they are not expected to become mainstream because of their prohibitive cost when compared to crypting services that are readily available at $10-$30 per each encryption. Nonetheless, more sophisticated attackers and nation-state actors will continue employing code signing and SSL certificates in their operations.

Dozen Flaws Found in Trend Micro Email Encryption Gateway
23.2.2018 securityweek

Researchers have discovered a dozen vulnerabilities in Trend Micro’s Email Encryption Gateway, including several issues rated critical and high severity. A majority of the flaws have been patched by the vendor.

Core Security revealed this week that its employees found several types of vulnerabilities in the Linux-based email encryption product. The most serious of the security holes can allow a local or remote attacker with access to the targeted system to execute arbitrary commands with root privileges.

Core Security has published an advisory detailing each of the vulnerabilities it has found. The flaws have been assigned the CVE identifiers CVE-2018-6219 through CVE-2018-6230.

The most serious of the flaws, rated critical based on its CVSS score, is CVE-2018-6223, an issue related to missing authentication. System admins can configure the virtual appliance running Email Encryption Gateway during the deployment process through a registration endpoint. The problem is that this endpoint can be accessed without authentication, allowing attackers to set administrator usernames and passwords and make other configuration changes.

Six of the flaws found in Email Encryption Gateway have been rated “high severity,” including an arbitrary file write issue that can lead to command execution, a couple of cross-site scripting (XSS) vulnerabilities, a command execution flaw related to arbitrary log file locations, and the lack of a validation mechanism for software updates.

Other flaws identified by Core Security researchers include SQL and XML external entity (XXE) injections.

Trend Micro informed customers that the vulnerabilities impact Email Encryption Gateway 5.5 build 1111 and earlier running on a virtual appliance. Patches for ten of the flaws are included in version 5.5 build 1129. It’s worth pointing out that it took the vendor more than half a year to release fixes.

A medium severity CSRF issue and a low severity SQL injection vulnerability have not been patched “due to the difficulties of implementing and the negative impact on critical normal product function of the proposed resolutions.” However, Trend Micro did provide some mitigations.

The company also pointed out that the Email Encryption Gateway will reach end of life (EOL) soon and advised customers to migrate to the InterScan Messaging Security product, which provides similar features and functionality.

This was not the first time Core Security researchers discovered vulnerabilities in a Trend Micro product. Back in December, the company disclosed the details of five security holes found in Trend Micro’s Smart Protection Server product.

U.S. Enters Final Stage of Net Neutrality Debate
23.2.2018 securityweek BigBrothers

The Federal Communications Commission (FCC) published its official order (PDF) repealing net neutrality rules in the Federal Register on Thursday. This follows the December vote by the commissioners -- 3-2 in support of Chairman Ajit Pai's campaign to abandon the Open Internet Order that began in 2005 and was finally approved by the FCC in 2010.

The basic tenet of net neutrality is that internet service providers may not favor one customer over another. ISPs contend that basic business principles should allow them to offer discounts to major customers. Neutrality supporters fear that this could only be achieved by charging small customers at a higher rate -- and that this would inevitably affect innovation by favoring the existing large customers. Side effects would include the ISPs effectively having the ability to block websites.

Although the FCC ruling is now official, it won't come into effect until April 23; that is, 60 days after publication in the Federal Register. It still has hurdles. Led by New York State attorney general Eric Shneiderman, 23 states have immediately petitioned (PDF) for a judicial review of the Order. The petition asks the court of appeals for the district of Columbia to determine that the order is "arbitrary, capricious, and abuse of discretion". They claim it violates both the Constitution and the Communications Act of 1934, and they "request that this Court hold unlawful, vacate, enjoin, and set aside the Order."

At the same time, several of the states are planning their own state-level net neutrality laws -- effectively telling the ISPs that if they operate the new FCC rules, they won't be allowed to do business in their states.

In San Francisco, Mayor Mark Farrell, who chairs the city's Blue Ribbon Panel on Municipal Fiber, released recommendations designed to stop ISPs compromising net neutrality principles. The plan is for San Francisco to own its own high-speed fiber network. "On the day the FCC is releasing its plan to repeal net neutrality and vital consumer protections, I am releasing San Francisco's plan to fight back against this misguided move that will dismantle the Internet as we know it," Farrell said in a statement.

Meanwhile, in January, Sen. Ed Markey, D-Mass. gathered the support of all his Democratic colleagues, plus one Republican (Sen. Susan Collins of Maine) seeking to kill the order under the Congressional Review Act. If the Democrats are able to gain one more vote in the Senate to overcome the Republican majority, they will be able to prevent the FCC repealing net neutrality both now and again in the future. In reality, this is unlikely since it will require the Senate Majority Leader and the House Speaker -- both Republicans -- to schedule a vote before April 23.

A Consumer Reports survey of more than 1000 Americans in 2017 showed consumer support for the existing net neutrality rules. "One main finding," says the report, "was that the majority of Americans -- 57 percent -- support the current net neutrality regulations that ban ISPs from blocking or discriminating against lawful content on the internet." Only 16% opposed the existing rules. "An even larger majority -- 67 percent -- said that ISPs shouldn't be allowed to choose which websites, apps, or streaming services their customers can access."

In a statement yesterday, the Consumers Union said, "We urge Senators to listen to the consumers they represent and vote to restore these critical net neutrality rules to ensure that internet service providers aren't the gatekeepers to the internet."

During the public comment period for the repeal of net neutrality, the FCC received millions of comments. The process was not without its critics. At one point, the FCC's website went off-line, supposedly either under the weight of comments being submitted or an unrelated DDoS attack. Neutrality activists, however, claimed that the FCC took the website offline to hinder the receipt of negative public comments.

Since then Schneiderman's office undertook its own investigation into the public comments. Among the millions received by the FCC, it concluded that around 2 million were fraudulent, being submitted by people posing to be others -- both living and dead.

This may be partly the motivation for FCC commissioner Jessica Rosenworcel's comments. Rosenworcel was one of two FCC commissioners to vote against the repeal. "This agency has failed the American public," she said. "It turned a blind eye to all kinds of corruption in our public record, from Russian intervention to fake comments to stolen identities in our files. As a result of the mess the agency created, broadband systems will now have the power to block websites, throttle services and censor online content. This is not right,"

America has entered the final stage of the net neutrality debate. Ajit Pai's new approach is in the driving seat -- but the next 60 days will decide whether he succeeds or not.

Chaos backdoor, a malicious code that returns from the past targets Linux servers
23.2.2018 securityaffairs

Security experts from GoSecure, hackers are launching SSH brute-force attacks on poorly secured Linux servers to deploy a backdoor dubbed Chaos backdoor.
“This post describes a backdoor that spawns a fully encrypted and integrity checked reverse shell that was found in our SSH honeypot,” states the report published by GoSecure.

“We named the backdoor ‘Chaos’, following the name the attacker gave it on the system. After more research, we found out this backdoor was originally part of the ‘sebd’ rootkit that was active around 2013.”

The Chaos backdoor was one of the components of the “sebd” Linux rootkit that appeared in the threat landscape back in 2013, researchers discovered a post on, where a user claims to know how the backdoor was made publicly available.

It seems that the source code of the backdoor was caught by a “researcher” that released it on the forum by changing the name of the backdoor in Chaos to trick members into believing that is was a new threat.

The malicious code is now being used by attackers in the wild to target Linux servers worldwide.

Researchers performed an Internet-wide scan using the handshake extracted from the client in order to determine the number of infected Linux servers and they discovered that this number is quite low, below the 150 marks.

chaos infection worldmap

The installation of the Chaos backdoor starts with the attacker downloading a file that pretended to be a jpg from

The file was currently a .tar archive containing the Chaos (ELF executable), the client (ELF executable), initrunlevels Shell script, the install Shell script.

“Chaos”, in the tar archive, is the actual backdoor that is installed on the victim’s system and the “Client” file is the client to connect to the installed backdoor.

The backdoor is not sophisticated is doesn’t rely on any exploits, it opens a raw socket on port 8338 on which it listens to commands.

“Any decent firewall would block incoming packets to any ports that have not explicitly been opened for operational purposes,” GoSecure experts say. “However, with Chaos using a raw socket, the backdoor can be triggered on ports running an existing legitimate service.”

To check if your system is infected experts suggest to run the following command as root:

1 netstat –lwp
and analyze the list the processes to determine which are legitimate ones that have listening raw sockets open.

“Because chaos doesn’t come alone but with at least one IRC Bot that has remote code execution capabilities, we advise infected hosts to be fully reinstalled from a trusted backup with a fresh set of credentials.” suggest experts to the owner of infected systems.

Cybersecurity – Tips to Protect Small Business from Cyber Attacks
23.2.2018 securityaffairs Cyber

Small Business is a privileged target of attackers, in fact, there is a high risk of having problems with hackers if you are a large company or even a media player.
Do you have a small company? If the answer is yes, and you think that no cyber attack will ever affect you, think again. Small Business is a privileged target of attackers, in fact, there is a high risk of having problems with hackers, if you are a large company or even a media player.

According to recent reports, more than 40% of cyber attacks are targeting companies with fewer than 500 employees. More disturbing studies show that hackers attack every fifth small company. In most cases, these companies shut down because their security plans do not exist or there is a huge gap in providing total protection.

Cybersecurity is the most important way to ensure that your business does not run the risk of malicious attacks, especially if the people behind them do not show up.

Therefore, it is essential to take strong security measures if you do not want to lose your job for life and trust of your valuable customers. Moreover, prominent organizations expect their confidential information to hide under any circumstances. If you find that this is not the case, your customers will turn to other companies.

To avoid this, we would like to share with you how you can protect your small business from cyber attacks or more simply, tips to protect small business from cyber attacks.

Make as Many Backups as Possible

The reserve is significant if you want to protect all confidential data from cyber attacks and hackers who create malicious software and send it to devices that are explicitly used by small employees are inexorable. If you create multiple backups, you can sleep well at night, knowing that these files, presentations, etc. are present safe and sound. It is important not to get stained forever when it comes to malware.

Application of the Most Powerful Antivirus Program

When using a reliable security solution, it is essential to keep your business altogether.

Do not forget to choose the one antivirus software that protects your computer against all types of malware; antivirus program that eventually needs to detect and eliminate spam, spyware, Trojans, phishing attacks, etc. after selecting the best option for your business, but don’t forget to update it regularly.

Training of Employees

The people who work for you need to know that by clicking on the random links that you received through your professional email can cause significant damages to the company and its secret and confidential information.

The same applies to connections to networks that do not use a secure password. These are just two of the most dangerous practices you should stop right away. How can this be done? For example, you can organize training programs or hold meetings, where safety experts advise, give to employees and safe practices in the workplace against cyber crimes discuss. A better option is to implement security policies and procedures regarding online ethics.

Using Different Terminals Networks Every time for Payments

Using the same network for a payment terminal is a practice that must stop. Never connect it to your business. Keep these two parts separately, because only a few authorized employees can contact them. Therefore, the computers in your network protect the confidential content of cyber attacks.

Using Cybersecurity Insurance Policy

We ensure our cars, our homes, etc. Why do not we do this for our company? Cybersecurity is very useful for cyber threats. How? If a malware attack occurs, your company is responsible.

There is demand, so you must pay a significant amount of money as compensation. With the help of cybersecurity insurance, you can guarantee full coverage of all court fees.

Change Passwords Every in Three Months

Many people use the same password on all our devices, social platforms, etc. More than a year ago, small businesses did the same and increased the risk of cyber attacks. We should Change passwords every three months and do not forget to create strong passwords every time you do so.

The most secure passwords consist of 8-16 characters, which contain special characters, numbers, and letters. If you know you do not have a right memory, the password manager simplifies your work.

OMG botnet, the first Mirai variant that sets up proxy servers on vulnerable devices
23.2.2018 securityaffairs BotNet

Researchers at Fortinet have discovered the OMG botnet, the first Mirai variant that sets up proxy servers on the compromised IoT devices.
A new variant of the infamous Mirai botnet appeared in the threat landscape, it was discovered by researchers at Fortinet that referred it as OMG because of strings containing “OOMGA” in the configuration table.

“For this reason, we decided to name this variant OMG.”“The table, originally encrypted, was decrypted using 0xdeadbeef as the cipher key seed, using the same procedure adopted for the original Mirai. The first thing we noticed are the strings /bin/busybox OOMGA and OOMGA: applet not found.” wrote Fortinet.

The name Mirai was given to the Mirai bot because of the strings /bin/busybox MIRAI and MIRAI: applet not found, which are commands to determine if it has successfully brute-forced its way into the targeted IoT device. These strings are similar with other variations such as Satori/Okiru, Masuta, etc.”

The Mirai botnet was first spotted in August 2016 by the security researcher MalwareMustDie, it was specifically designed to compromise vulnerable or poorly protected IoT. Once Mirai malware compromises an IoT device it recruits it into a botnet primarily used for launching DDoS attacks, such as the one that hit Dyn DNS service.

In October 2016, the Mirai source code was leaked and threat actors in the wild started customizing their Mirai botnet.

The OMG botnet includes most of Mirai’s features and modules, including the attack, killer, and scanner modules, but also adds new ones.

According to Fortinet its configuration includes two strings used to add a firewall rule to ensure traffic on two random ports is allowed.

“This variant also adds and removes some configurations that can be found in the original Mirai code. Two notable additions are the two strings that are used to add a firewall rule to allow traffic on two random ports, which we will discuss in the latter part of the article.” continues the analysis.

omg botnet

After initialization, OMG connects to the command and control (C&C) server, the configuration table analyzed in the post contains the CnC server string,, which resolves to

The malware connects to the C&C port 50023, then it sends a defined data message (0x00000000) to the server to identify itself as a new bot.

In response, the server sends a 5-byte long data string, where the first byte is a command on how the newly recruited device should be used as a proxy server, the two options are:

1 for attack
>1 to terminate the connection.
The OMG botnet leverages the open source software 3proxy as its proxy server and during the set up phase the bot adds firewall rules to allow traffic on the two random ports.

“This variant of Mirai uses 3proxy, an open source software, to serve as its proxy server. The set up begins by generating two random ports that will be used for the http_proxy_portand socks_proxy_port. Once the ports are generated, they are reported to the CnC.” continues the analysis.

“For the proxy to work properly, a firewall rule must be added to allow traffic on the generated ports. As mentioned earlier, two strings containing the command for adding and removing a firewall rule to enable this were added to the configuration table .”

Fortinet experts believe the operators behind the OMG botnet sell access to the IoT proxy server, they highlighted that this is the first Mirai variant that sets up proxy servers on vulnerable IoT devices.

“With this development, we believe that more and more Mirai-based bots are going to emerge with new ways of monetization,” concluded Fortinet.

Further details, including IoCs are reported in the blog post published by Fortinet.

Fraud Campaign Targets Accounts Payable Contacts at Fortune 500 Firms
23.2.2018 securityweek

A new business email compromise (BEC) campaign is targeting accounts payable personnel at Fortune 500 companies in an attempt to trick victims into initiating fraudulent wire transactions to attacker-controlled accounts, IBM warns.

As part of BEC scams, attackers take over or impersonate a trusted user’s email account to target other companies and divert funds to their accounts. Based on phishing and social engineering, such attacks are relatively simple to perform and are attractive to cybercriminals, IBM notes.

As part of the recently observed campaign, attackers used well-crafted social engineering tactics and phishing emails to obtain legitimate credentials from their targets. The emails appeared to come from known contacts and mimicked previous conversations, while in some cases the attackers managed to insert themselves into ongoing conversations between business users.

Posing as the known contact from a vendor or associated company, the attackers then requested that payments be sent to a new bank account number or beneficiary.

By creating mail filters, the attackers ensured they would communicate only with the victim. In some cases, they also found and filled out necessary forms or spoofed supervisor emails to provide victim with additional approval.

The group behind the attacks, IBM says, likely operates out of Nigeria, given the spoofed sender email addresses and IP addresses that were used. However, compromised servers and proxies are often used to hide the attackers’ location.

The actors created spoofed DocuSign login pages on over 100 compromised websites in various geographic locations. Targeted companies were identified in the retail, healthcare, financial and professional services industries, including Fortune 500 companies.

To harvest business user credentials, the attackers sent a mass phishing email to the user’s internal and external contacts, often to several hundreds of them. The message included a link supposedly leading to a business document, but instead redirecting the victim to a fraudulent “DocuSign” portal requesting authentication for download.

Next, the attackers filtered out the stolen credentials and only used those from companies that only require a username and password when employees access their email accounts.

“The attackers specifically targeted personnel involved in the organization’s accounts payable departments to ensure that the victim had access to the company’s bank accounts,” IBM notes.

Following a reconnaissance phase, the attackers engaged with the targeted employee and impersonated vendors or associated companies with established relations to the client. The attackers likely conducted extensive research on the target’s organizational structure and engaged into operations such as impersonating victims, finding and spoofing internal documents, and setting up multiple domains and emails to pose as higher-level authorities.

The attackers set up domains that resembled those of the target company’s vendors, either using a hard-to-identify typo change or registering the vendor’s name with a different top-level domain (TLD). They used these domain names to set up email accounts purporting to belong to known employees and used the accounts to send emails directly to the targets.

“Finally, although the attackers made some grammatical and colloquial mistakes, their English skills were proficient and the few mistakes they made could be easily overlooked by the target. The attackers created a false sense of reality around the target and imparted a sense of urgency to pay, resulting in successful scams involving millions of dollars,” IBM explains.

The attackers either created email rules or auto-deleted all emails delivered from within the user’s company to prevent victims from noticing fraudulent correspondence or unusual messages in their inbox. They also auto-forwarded email responses to different addresses to read them without logging into the compromised accounts.

The security researchers say the attackers had “more financial success using shell corporations and corresponding bank accounts based in Hong Kong or China rather than using consumer bank accounts, in which cases financial institutions were more likely to delay or block large or unusual transactions.”

The shell corporations involved in the BEC scams were registered within the past year, some on the same month payments were requested to the account. Wire transfers associated with BEC scams usually end up in accounts at banks located in China and Hong Kong, IBM notes.

Meltdown patch for OpenBSD is available … let’s wait for feedbacks
23.2.2018 securityaffairs

OpenBSD releases Version 11 code update that addresses the Meltdown vulnerability by implementing the separation between the kernel and the user memory pages.
OpenBSD addresses the Meltdown vulnerability with the release of a Version 11 code. The update implements the separation between the kernel and the user memory pages.

OpenBSD’s Phillip Guenther provided further details on the implementation.

“When a syscall, trap, or interrupt takes a CPU from userspace to kernel the trampoline code switches page tables, switches stacks to the thread’s real kernel stack, then copies over the necessary bits from the trampoline stack. On return to userspace the opposite occurs: recreate the iretq frame on the trampoline stack, switch stack, switch page tables, and return to userspace.” wrote Guenther.

“Per-CPU page layout mostly inspired by DragonFlyBSD.”

Guenther explained that Per-CPU page layout mostly implemented the approach used in DragonFly BSD.

According to Gunther the impact on performance would be reduced because the approach minimizes the overhead for the management of kernel code and data in the transitions to/from the kernel.

“On Intel CPUs which speculate past user/supervisor page permission checks, use a separate page table for userspace with only the minimum of kernel code and data required for the transitions to/from the kernel.” he added.

“When a syscall, trap, or interrupt takes a CPU from userspace to kernel the trampoline code switches page tables, switches stacks to the thread’s real kernel stack, then copies over the necessary bits from the trampoline stack. On return to userspace the opposite occurs: recreate the iretq frame on the trampoline stack, switch stack, switch page tables, and return to userspace.”Meltdown OpenBSD

A couple of weeks ago, DTrace expert Brendan Gregg developed a “microbenchmark” to measure the performance degradation introduced by the Linux kernel page table isolation (KPTI) patch for the Meltdown CPU vulnerability. The tests demonstrated a degradation between 0.1 per cent and 6 per cent.

Let’s wait for the tests on OpenBSD.

Further technical details on the approach implemented for OpenBSD are available here.

Hackers compromised a Tesla Internal Servers with a Cryptocurrency miner
23.2.2018 securityaffairs Hacking

Cloud security firm RedLock discovered that hackers have compromised the Tesla cloud computing platform to mine cryptocurrency.
Tesla has confirmed that hackers have compromised its cloud computing platform to mine cryptocurrency, after the incident was discovered by cloud security firm RedLock.

The hackers have breached the Tesla cloud servers and have installed a crypto currency miner, the company fixed the issue exploited by the hackers “within hours.”

The attackers gained access to the Tesla’s Amazon Web Services environment on a Kubernetes console that was reportedly not password-protected. The console is used by companies to manage the infrastructure deployed on the cloud hosting providers.

“According to RedLock, the hackers discovered log-in details to Tesla’s Amazon Web Services environment on a Kubernetes console – a system originally designed by Google to manage applications. The console was reportedly not password-protected.” states the BBC.

RedLock experts discovered a “pod” inside the Kubernetes console that stored login credentials for one of Tesla’s AWS cloud infrastructure.

The security breach happened in 2017, according to the company no customer data had been stolen.

“Our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way,” said a Tesla spokesman.

According to RedLock, the exposed AWS buckets contained sensitive information, including telemetry data.

“The hackers had infiltrated Tesla’s Kubernetes console which was not password protected. Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry.” reads a blog post published by RedLock.

Tesla security breach

Tesla promptly fixed the problem once RedLock notified its discovery.

RedLock added that the security breach was caused by Tesla engineers that forgot to implement an authentication mechanism to the Kubernetes console.

Because they used a custom mining pool, it is unclear how much money this hacker group made.

RedLock confirmed that other companies left their bucket exposed online last year, including Aviva and Gemalto.

Drupal addressed several vulnerabilities in Drupal 8 and 7
23.2.2018 securityaffairs

The Drupal development team addressed many vulnerabilities in both Drupal 8 and 7, including some flaws rated as “critical”.
Drupal maintainers have fixed many vulnerabilities in Drupal 7 and 8, including some flaws rated as “critical.”

One of the critical security vulnerabilities is related to partial cross-site scripting (XSS) prevention mechanisms that was addressed with Drupal 8.4.5 and 7.57 versions. The popular CMS uses a JavaScript function that doesn’t completely sanitize the input

“Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML.” reads the advisory. “This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances.”

The second vulnerability rated as critical affects Drupal 8, it could be exploited by users who have permission to post comments to view content and comments they should not be able to access. The flaw could also allow users to add comments to the content that should not be able to access.

The Drupal team also fixed two moderately critical vulnerabilities in Drupal 7 and other two in Drupal 8. The flaws in Drupal 7:

A Private file access bypass – Drupal fails to check if a user has access to a file before allowing the user to view or download it when the CMS is using a private file system.
A jQuery cross site scripting vulnerability that is present when making Ajax requests to untrusted domains.
while the vulnerabilities in Drupal 8 are:

A Language fallback can be incorrect on multilingual sites with node access controls. Drupal marks the untranslated version of a node as the default fallback for access queries. This fallback is used for languages that do not yet have a translated version of the created node. This can result in an access bypass vulnerability.
A Settings Tray access bypass that could be exploited by users to update certain data that they do not have the permissions for.

Stinná stránka umělé inteligence, inteligentní stroje pomáhají kyberzločincům

22.2.2018 Novinky/Bezpečnost Bezpečnost
Mezinárodní experti bijí na poplach před možností zneužití umělé inteligence ze strany „kriminálníků, teroristů či zločineckých států”. Stostránkovou zprávu napsalo 26 odborníků na umělou inteligenci, kyberzločiny a robotiku včetně expertů z univerzit (Cambridge, Oxford, Yale, Stanford) a z neziskového sektoru (společnosti jako OpenAI, Středisko pro novou americkou bezpečnost či Electronic Frontier Foundation).

Ve zprávě píší, že v příštích deseti letech by mohla zvyšující se efektivnost umělé inteligence posílit počítačovou kriminalitu a teroristé by mohli více využívat drony či roboty. Odborníci také zmiňují možnost snadnější manipulace voleb na sociálních sítích prostřednictvím takzvaných internetových botů, což jsou počítačové programy, které pro svého majitele opakovaně vykonávají nějaké rutinní činnosti.

Tito odborníci vyzývají vlády a další vlivové skupiny k omezení těchto možných hrozeb. "Domníváme se, že útoky, které by snadnější přístup k umělé inteligenci mohl umožnit, budou obzvlášť účinné, přesně cílené a těžko odhalitelné," píše se ve zprávě.

Vyprovokované dopravní nehody
Odborníci zmiňují i některé "hypotetické možnosti" zneužití umělé inteligence. Teroristé by například mohli uzpůsobit systémy umělé inteligence používané třeba v dronech či samořiditelných dopravních prostředcích pro vyprovokování srážek a výbuchů.

Odborníci připomínají i možnost zneužití například úklidového robota v nějakém úřadu, který by se mohl dostal mezi jiné roboty, kteří připravují třeba jídlo. Takovýto robotí vetřelec by pak mohl pomocí výbušniny zaútočit na nějakého úředníka poté, co by jej identifikoval.

Podle jednoho z autorů zprávy a ředitele střediska z Cambridgeské univerzity Seána Ó hÉigeartaigha by se mohla "s větším zneužitím umělé inteligence zvýšit zejména počítačová kriminalita".

Větší záběr by mohly představovat i útoky pomocí tzv. spear phishingu, což je podvodná technika používaná na internetu k získávání citlivých údajů (útočník zasílá e-mail konkrétní osobě; pro tradiční phishing je typické rozeslání obrovského množství mailů).

Velké nebezpečí vidí Seán Ó hÉigeartaigh "v možném zneužití umělé inteligence v politice". "Již jsme zažili, jak se jednotlivci či skupiny snažili zasahovat pomocí internetu do demokratických voleb," připomíná a dodává: "Jestliže umělá inteligence umožní, aby byly tyto útoky silné, jednoduché na zopakování a složité na odhalení, mohlo by to znamenat velký problém pro politickou stabilitu."

Umělá inteligence by mohla sloužit třeba i k výrobě falešných a velmi realistických videí, která by pak mohla být použita k diskreditaci politických činitelů. Do rozvoje umělé inteligence by se mohly zapojit i některé autoritářské státy, které by pak mohly s její pomocí snadněji sledovat své občany.

Před zneužitím varoval i Hawking
Není to poprvé, co se upozorňuje na možné zneužití umělé inteligence. V roce 2014 před tím varoval známý astrofyzik Stephen Hawking, k němuž se v poslední době přidal třeba podnikatel Elon Musk a další. Zveřejněny byly také zprávy například o možném užívání zabijáckých dronů.

Tato nová zpráva přináší "nový pohled na část umělé inteligence, která by mohla přinést nové hrozby nebo změnit existující hrozby v oblastech počítačové, politické i lidské bezpečnosti".

Umělá inteligence, která se objevila v 50. letech 20. století, je obor informatiky zabývající se tvorbou strojů vykazujících známky inteligentního chování. V posledních letech bylo dosaženo pokroku v oblastech kupříkladu vnímání, hlasového rozeznávání či obrazové analýzy.

"V současnosti ještě existuje rozdíl mezi rychlostí výzkumu a možnými aplikacemi novinek. Ještě je čas jednat," říká vědec z Oxfordské univerzity Miles Brundage. Právě na jeho pracovišti začala tato zpráva vznikat.

"Na zmírnění těchto hrozeb by měli spolupracovat vědci na umělou inteligenci, vývojáři robotů a dronů i regulační orgány a politici," říká Seán Ó hÉigeartaigh.

Hackeři se dostali do cloudu Tesly běžícím na Amazonu a těžili kryptoměny
22.2.2018 Novinky/Bezpečnost

Hackeři se dostali do cloudu Tesly běžícím na Amazonu a těžili kryptoměnyHackeři se dostali do cloudu Tesly běžícím na Amazonu a těžili kryptoměnyHackeři se dostali do cloudu Tesly běžícím na Amazonu a těžili kryptoměnyHackeři se dostali do cloudu Tesly běžícím na Amazonu a těžili kryptoměnyHackeři se dostali do cloudu Tesly běžícím na Amazonu a těžili kryptoměny24 FOTOGRAFIÍ
zobrazit galerii
Bezpečnostní společnost RedLock, která se specializuje na kyberútoky a odhalení děr v systémech, objevila hacknutý účet na AWS (Amazon Wev Services) společnosti Tesla.

Tesla používá cloudovou platformu Amazonu na mnoho věcí, kromě sběru dat z automobilů i analýzu a podobně. RedLock odhalil, že jeden z administračních účtů neměl heslo a hackeři přes něj využívali výkon cloudu k těžení kryptoměn.

V rámci odměn za odhalení chyb Tesla vyplatila RedLocku pouze 3 tisíce dolarů, takže lze předpokládat, že nešlo o nějaký kritický účet, který by měl vliv na celou platformu či zabezpečení uživatelských dat. Ostatně podle vyjádření zástupců šlo pouze o testovací účet pro interní automobily Tesla.

Právě bezpečnost celé platformy je pro automobilový průmysl stále kritičtější. Obzvláště s příchodem autonomních systémů, které budou zpracovávat data z obrovského množství vozů a budou pochopitelně obsahovat i soukromá data o jednotlivých jízdách daných uživatelů. Pro hackery mají taková data jistě vysokou cenu a v nejhorším případě by případné hacknutí mohlo ovlivnit i samotnou funkčnost platformy, která bude v nějaké formě udržovat autonomní vozidla neustále připojená a kontrolovaná.

Rakousko chystá vlastního trojského koně. Bude pomáhat v boji s teroristy na internetu

22.2.2018 Novinky/Bezpečnost BigBrother
Rakouská vláda ve středu schválila balíček opatření umožňujících prostřednictvím sledování komunikace odhalovat závažnou kriminalitu a terorismus. Úřadům tak má být do budoucna umožněno nasazovat do počítačů státní sledovací software, neboli takzvaný „Bundestrojaner” (spolkový trojský kůň), informují rakouská média.

Nasazování špionážních programů do komunikačních aplikací jako jsou Skype nebo WhatsApp jsou jen jedním z opatření, která zahrnuje rozsáhlý balíček přijatý novou pravicovou vládou lidovců (ÖVP) a svobodných (FPÖ).

Zostřena má být celková kontrola veřejného prostoru. Úřady mají získat přístup k obrazovým a zvukovým záznamům z monitorovacích zařízení všech veřejných i soukromých subjektů, jako jsou dopravní podniky, letiště nebo nádraží.

Kromě toho bude systém na rozeznávání státních poznávacích značek evidovat údaje o řidiči, SPZ, značce, typu a barvě každého automobilu.

V případě počátečního podezření na trestný čin mohou úřady telekomunikačním společnostem nařídit uchovávání příslušných dat po dobu až jednoho roku.

Hackeři zneužili cloudový systém Tesly k těžbě kryptoměn

22.2.2018 Novinky/Bezpečnost Hacking
Cloudový systém amerického výrobce elektromobilů Tesla napadli hackeři a využili ho k těžbě kryptoměn. Podle sdělení společnosti RedLock, která se zaměřuje na kybernetickou bezpečnost, pronikli do administrativní konzole Kubernetes, která nebyla chráněna heslem. Dopad útoku na bezpečnost vozidel ani dat zákazníků Tesla zatím nezjistila. Jak uvedl server televize CNBC, ohroženy byly účty na úložišti Amazon Web Services (AWS).

Kubernetes je systém navržený společností Google, zaměřený na optimalizaci cloudových aplikací.

Společnost RedLock nesdělila, jaká kryptoměna byla těžena. Obdobné problémy podle ní měly i další přední firmy včetně britské pojišťovny Aviva a nizozemského výrobce SIM karet Gemalto. Průnik do systémů Tesly však byl sofistikovanější a používal několik různých strategií, aby zabránil odhalení hackerů.

Tesla problém po informaci RedLocku okamžitě vyřešila. Automobilka oznámila, že dopad na ochranu dat klientů ani na bezpečnost vozidel nezjistila. Podle mluvčího se kybernetický útok dotkl jen automobilů používaných zaměstnanci firmy.

Z analýz RedLocku je zřejmé, že poskytovatelé cloudových služeb jako Amazon, Microsoft a Google dělají, co mohou, a žádný z velkých útoků v loňském roce se nestal z důvodu jejich nedbalosti, prohlásil představitel společnosti Gaurav Kumar. "Bezpečnost je však společnou odpovědností. Organizace na všech úrovních jsou povinny sledovat infrastrukturu rizikových konfigurací, neobvyklých aktivit uživatelů a podezřelého síťového provozu," zdůraznil.

Kyberšpionážní skupina z KLDR rozšířila pole působnosti

22.2.2018 Novinky/Bezpečnost BigBrother
Severokorejská kyberšpionážní jednotka, která se v minulosti zaměřovala na jihokorejskou vládu a soukromý sektor, loni výrazně zdokonalila svou činnost a rozšířila pole působnosti do Japonska či na Blízký východ. Podle agentury Reuters to vyplývá ze studie americké společnosti FireEye, která se zabývá bezpečností v kybernetickém prostoru.
Kyberšpionážní jednotka ATP37 (Reaper) podle expertů dříve pracovala pod vedením skupiny Lazarus, která je údajně zodpovědná za kybernetické útoky na společnost Sony Pictures z roku 2014 nebo za šíření vyděračského viru WannaCry. Tím se loni infikovaly statisíce počítačů ve 150 zemích světa. Skupina ATP37 zřejmě funguje už od roku 2012, trvalou hrozbu však začala představovat až v loňském roce.

Jednotka ATP37 se dosud ve své činnosti soustřeďovala pouze na jihokorejskou vládu, armádu, média nebo organizace na ochranu lidských práv a severokorejské přeběhlíky. Podle expertů se však loni nově zaměřila i na japonské organizace spojené s misí OSN pro lidská práva a sankcemi vůči KLDR, vietnamské dopravní a obchodní firmy a finanční společnosti na Blízkém východě.

"Myslíme si, že primárním úkolem ATP37 je shromažďovat informace, které by podpořily strategické, vojenské, politické a ekonomické zájmy Severní Koreje," cituje britský list The Guardian závěry odborníků.

Kybernetické útoky, za nimiž podle expertů stojí severokorejský režim, byly v minulosti zaměřeny na letecké, telekomunikační a finanční podniky. Pchjongjang veškerá obvinění důrazně odmítl.

Google našel další díru ve Windows 10. Starší verze Windows nepostihuje

22.2.2018 Novinky/Bezpečnost Zranitelnosti
Microsoft si myslel, že chybu opravil, ale zřejmě se tak nestalo.

Byl to opět Google, kdo našel díru ve Windows a informace o ní zveřejnil. Shodou okolností je to druhý případ ve velmi krátkém období. Zatímco zmíněná díra v Edgi byla vyhodnocena jako střední hrozba, v tomto případě se budeme bavit o vysoké zneužitelnosti. To je hodnocení od Googlu, Microsoft pak díře přisoudil nálepku důležité, nikoli kritické.
V nově objeveném scénáři útoku dochází ke zneužití funkce SvcMoveFileInheritSecurity tak, že se vydává za uživatele či uživatelku. Pomocí funkce MoveFileEx se útočnice či útočník pokusí přesunout soubor do jiného umístění. Po vyvolání funkce dojde o opuštění modelu vydávání se za uživatele a k pokusu o resetování bezpečnostního popisovače nového souboru tak, aby odpovídal zděditelným oprávněním.

Chyba CVE-2018-0826
K problému dochází pouze při práci se soubory s pevnými odkazy. Pakliže je soubor přesunut do adresáře, jenž disponuje dědičnými položkami pro správu přístupu, je krátce řečeno možné, aby byl soubor díky zděděným oprávněním modifikován tím, kdo útok provádí. Podle Googlu byly dokonce nalezeny dvě velmi podobné chyby.

Jednu interně označil číslem 1427. Jedná se o chybu známou též pod označením CVE-2017-11783 a byla opravena na podzim. Týkala se přitom všech do té doby vydaných verzí Windows 10, ale také Windows 8.1. Druhý problém, na který Google upozornil po vypršení lhůty pro opravu, (Microsoft si vyžádal prodloužení oproti standardním 90 dnům, čemuž bylo vyhověno), viz výše, reklamní gigant interně označuje číslem 1428 a je známa též pod označením CVE-2018-0826.

Podle Microsoftu se tato chyba týká jen Windows 10. Výměna informací mezi Googlem a Microsoftem naznačuje, že si firmy zcela nerozumí. Redmondští tvrdí, že chybu opravili v aktualizacích, jež vydali v rámci únorového záplatovacího úterý. Chybu 1427 považovali za duplikát chyby 1428. Jenže podle Googlu byla ve skutečnosti opravena jen chyba 1427, zatímco chyba 1428 v systému zůstala.

Takže nejde o duplikát, jen o podobnou chybu. Zřejmě nás tedy čeká další oprava. Tato chyba by naštěstí neměla být snadno zneužitelná. Tedy, její zneužití je snadné, ale podmínky pro takový útok jsou jen obtížně splnitelné. Např. útok nelze provést vzdáleně, nelze jej provést ze sandboxu, který nabízí aplikace jako Chrome nebo Edge apod.

Google zveřejnil detaily k díře v prohlížeči Edge. Varoval Microsoft předem, ale ten chybu včas neopravil
22.2.2018 Živě.cz

Živě.cz v prohlížeči EdgeTmavé téma prohlížeče EdgePodporuje další technologie HTML5, třeba WebRTC 1.0, a jak vidíte, dokáže i takto zobrazit miniatury otevřených stránekKlepnutím na tlačítko nahoře vlevo můžete uložit otevřené panely na pozdějiEdge docela dobře zobrazuje PDF a nově se naučil i EPUB
Google zveřejnil detaily bezpečnostní chyby v prohlížeči Edge. Microsoft přitom o chybě věděl dopředu, ale ve stanovené lhůtě nedostatky neodstranil, informoval web

Tým Googlu prostřednictvím Projektu Zero odhalil v listopadu minulého roku zranitelnost prohlížeče Microsoft Edge a poskytl Microsoftu 90 dní na opravu. Pro složitost opravy lhůtu prodloužili o 14 dní, ale ani po tomto termínu chyba nebyla odstraněna.

Zranitelnost dovoluje útočníkovi obejít zabezpečení prohlížeče a vložit škodlivý kód do počítače oběti. Chyba byla označena jako středně závažná. Microsoft je přesvědčen, že tuto záležitost vyřeší do 13. března. Proč se tak nestalo doposud však blíže nevysvětlil.

Mirai Variant Sets Up Proxy Servers on Compromised Devices
22.2.2018 securityweek BotNet IoT

A newly observed variant of the infamous Mirai botnet is capable of setting up proxy servers on the infected Internet of Things (IoT) devices, Fortinet warns.

Mirai is a distributed denial of service (DDoS)-capable malware family that emerged in late 2016. Targeting IoT devices to add them to a botnet and launch powerful attacks, Mirai has been involved on some massive incidents right from the start.

Referred to as OMG because of strings containing "OOMGA" it its configuration table, the malware keeps most of Mirai’s capabilities, but also adds its own features to the mix.

Unlike Mirai, the OMG variant’s configuration includes two strings used to add a firewall rule to ensure traffic on two random ports is allowed, Fortinet discovered.

However, the new malware variation keeps Mirai’s original attack, killer, and scanner modules, which means that it is capable of performing all of the operations that Mirai could, such as killing processes (telnet, ssh, http, and other processes related to other bots), telnet brute-force login, and DDoS attacks.

After initialization, OMG connects to the command and control (C&C) server on port 50023. Once the connection has been established, the malware sends a defined data message to the server to identify itself as a new bot.

The server responds with a 5-byte long data string, where the first byte is a command on how the newly recruited device should be used: 0 if it should be used as a proxy server, 1 for attack, and >1 to terminate the connection.

OMG, the security researchers discovered, uses open source software 3proxy as its proxy server. During setup, it generates two random ports for the http_proxy_port and socks_proxy_port, reports them to the C&C, and adds a firewall rule to allow traffic on these ports.

After enabling the firewall rule, the malware sets up 3proxy with the predefined configuration embedded in its code. The researchers believe the attackers sell access to the IoT proxy server (because the C&C server wasn’t active during investigation, the researchers only performed static analysis).

“This is the first time we have seen a modified Mirai capable of DDOS attacks as well as setting up proxy servers on vulnerable IoT devices. With this development, we believe that more and more Mirai-based bots are going to emerge with new ways of monetization,” Fortinet concludes.

Several Vulnerabilities Patched in Drupal
22.2.2018 securityweek

Updates released on Wednesday for Drupal 7 and 8 patch several vulnerabilities, including issues rated “critical.” No bug fixes are included in the latest releases.

One of the critical security holes patched by Drupal 8.4.5 and 7.57 is related to incomplete cross-site scripting (XSS) prevention mechanisms.

“Drupal has a Drupal.checkPlain() JavaScript function which is used to escape potentially dangerous text before outputting it to HTML. This function does not correctly handle all methods of injecting malicious HTML, leading to a cross-site scripting vulnerability under certain circumstances,” Drupal said in its advisory.

Another critical flaw, which only affects Drupal 8, allows users who have permission to post comments to view content and comments they should not be able to access. The weakness can also be exploited to add comments to the supposedly restricted content.

While these issues are rated “critical,” it’s worth pointing out that Drupal developers use NIST’s Common Misuse Scoring System to determine the risk level, which means that “critical” is second on the severity scale, after “highly critical.”

The latest Drupal 7 update also patches two moderately critical vulnerabilities. One of them, which developers claim only occurs if a site’s configuration is unusual, is an access bypass issue that can allow users to view or download files on the private file system without Drupal checking if they have access to it.

The second moderately critical flaw in Drupal 7 is a jQuery XSS issue when making Ajax requests to untrusted domains. Drupal 8 is not affected as jQuery was updated to a newer version with the release of Drupal 8.4.0.

Two moderately critical security bugs have also been fixed in Drupal 8, including an access bypass vulnerability related to language fallback on multilingual sites, and an access bypass flaw in the Settings Tray module that could allow users to update certain data without having the necessary permissions.

Finally, Drupal 7 patches a “less critical” external link injection vulnerability that can allow an attacker to trick users into navigating to a malicious site.

Drupal developers informed users that version 8.4.5 is the last release of the 8.4.x series. Users will have to update to Drupal 8.5.0, expected to become available on March 7, to receive bug and security fixes.

Cisco Patches Critical Flaws in UCDM, ESC Products
22.2.2018 securityweek

Updates released by Cisco for its Unified Communications Domain Manager (UCDM) and Elastic Services Controller (ESC) products patch critical vulnerabilities that can be exploited by remote attackers.

According to Cisco, UCDM releases prior to 11.5(2) are affected by a flaw that allows a remote, unauthenticated attacker to bypass security protections, obtain elevated privileges, and execute arbitrary code.

“The vulnerability is due to insecure key generation during application configuration. An attacker could exploit this vulnerability by using a known insecure key value to bypass security protections by sending arbitrary requests using the insecure key to a targeted application,” Cisco said in its advisory.

The security hole is tracked as CVE-2018-0124 and it was discovered by Cisco itself during internal security testing.

A critical vulnerability was also discovered by Cisco during internal security testing in the company’s ESC product, specifically the authentication functionality of the web-based service portal.

The flaw, tracked as CVE-2018-0121, allows a remote attacker to bypass authentication and gain administrator privileges on the service portal. The authentication mechanism can be bypassed by submitting an empty value when prompted to enter an admin password.

The vulnerability affects ESC 3.0.0 and it has been addressed with the release of version 3.1.0. This version also patches a high severity unauthorized access vulnerability caused by the presence of default credentials for the service portal.

Cisco also informed customers on Wednesday of a high severity denial-of-service (DoS) vulnerability in the Interactive Voice Response (IVR) management connection interface of the company’s Unified Customer Voice Portal (CVP) product. A remote attacker can exploit this flaw to cause a DoS condition by initiating a specially crafted connection to the IP address of the targeted device.

Cisco says there is no evidence that any of these vulnerabilities have been exploited in malicious attacks.

Cisco on Wednesday also released advisories for cross-site scripting (XSS), cross-site request forgery (CSRF) and DoS flaws affecting its UCS Director and Integrated Management Controller Supervisor, Unified Communications Manager, Prime Service, Prime Collaboration, Jabber Client Framework, Data Center Analytics Framework, and Unity Connection products, but they have all been assigned a “medium” severity rating.

Do Business Leaders Listen to Their Own Security Professionals?
22.2.2018 securityweek Cyber

Survey Shows a Disconnect Between Business Leaders and Security Professionals

A new research report published this week claims, "A disconnect about cybersecurity is causing tension among leaders in the C-suite -- and may be leaving companies vulnerable to breaches as a result."

The specific disconnect is over the relative importance between anti-malware and identity control -- but it masks a more persistent issue: do business leaders even listen to their own security professionals?

The basis for this assertion comes from two sources: the Verizon 2017 Data Breach Investigations Report (DBIR), and the report's own research. DBIR states, "81% of hacking-related breaches leveraged either stolen and/or weak passwords." The new research (PDF), conducted by Centrify and Dow Jones Customer Intelligence shows that companies' security officers agree with the view, while their CEOs do not. Centrify surveyed 800 senior executives in November 2017.

According to the new research, 62% of CEOs consider malware to be the primary threat to cybersecurity, while only 35% of their technical officers agree. The technical officers agree with the DBIR that most breaches come through failures in identity and access control. "More than two-thirds (68%) of executives from companies that experienced at least one breach with serious consequences say it would most likely have been prevented by either privileged user identity and access management or user identity assurance. That compares with only 8% who point to anti-malware endpoint controls."

The report, published by Centrify (a firm that delivers Zero Trust Security through what it calls 'Next-Gen Access'), found this to be perhaps the most disturbing of a series of mismatches between the views of technical officers and their CEOs. Another example concerns strategy accountability: 81% of CEOs say they are most accountable for the company's security strategy; while 78% of the technical officers believe it is they who are most accountable.

These figures raise two questions: firstly, are the technical officers correct in their assertion that identity control is more important than anti-malware, or are CEOs correct in their insistence on anti-malware; and secondly, if the technical officers are correct, why do they fail to adequately communicate their views to senior management?

There is no simple answer. Not all practitioners accept the survey results. Steve Lentz, CSO and director of information security at Samsung Research America, doesn't automatically accept that identity is a bigger problem than malware. "I really believe it's the unknown malware that is on many employee PCs that leak info." He quoted an example of two employees visiting from abroad and connecting to his network. "Our network defenses immediately alerted my security team and quarantined the two PCs." One had a keylogger while the other had a password stealer. The implication is that since it is impossible to control all identities all the time it is necessary to have adequate anti-malware.

Martin Zinaich, information security leader at the City of Tampa, FL, believes the problem may stem from different priorities between Business and Security. Business leaders often have "a low user-friction tolerance combined with a high-risk appetite." At the same time, questioning whether malware or identity is the biggest problem is a mistake. "Wasn't last year's big breach at Equifax due to an unpatched Apache Struts vulnerability? Too often for security professionals it is the basics that get missed."

To a degree, the malware/identity issue is a chicken and egg problem. Drew Koenig, security solutions architect at Magenic, takes one view. If "you look at incidents in their entirety, malware is the result of identity security failures." While phishing and poor security behavior is one problem, poor password construction, account sharing, and over-privileged accounts are another. Compromised accounts are the delivery mechanism, he suggests, for the malware that accesses databases and steals sensitive data.

But Joseph Carson, chief security scientist at Thycotic, warns that attackers use social engineering to bypass initial identity controls. "One single click on a malicious link, can download malware onto your computer that can immediately lock up data in a 'ransomware' attack." In this scenario, identity controls won't protect you from the effects of malware.

Boris Vaynberg, co-founder and CEO at Solebit agrees. "Most attacks start with an attacker penetrating into the organization. These attackers use various techniques, most of them including use of malware to secure initial control inside the organization. Once the attacker gets control, the second step is lateral movement. Attackers will then attempt to secure the credentials they are seeking in order to obtain an organization's sensitive data."

Brian Kelly, chief information security leader at Quinnipiac University, accepts that malware may be the vector used to compromise the identity, but adds, "I really keep coming back to the idea that identity is the new perimeter. In a world full of clouds and ubiquitous mobile access, identity is the only thing between you and your data."

The implication is that identity control cannot stop malware. But since we know that anti-malware also cannot guarantee to stop all malware, identity and credential control becomes essential to prevent lateral movement and privilege escalation.

"It's overly simplistic to think that if the organization addresses one specific attack vector, it will prevent all major breaches," warns Lenny Zeltser, VP of products at Minerva Labs. "Attackers can follow different pathways to achieve their objectives. They can steal credentials, elevate access, and cause damage even if the company has strong identity management practices. Identity security is important, so is endpoint defense, so are network safeguards, etc. We cannot focus on a single security layer and neglect the others."

The second implication from the Centrify survey is that either security professionals are failing to deliver their message to business leaders, or business leaders are refusing to listen to their security professionals. Again, there is no simple answer.

Mike Weber, VP at Coalfire Labs, believes there is a business reason for business leaders to be reluctant to listen to their security professionals. "The security landscape changes constantly, and those dynamic changes rarely align with fiscal year planning cycles. To be able to quickly react to the latest threats, a CISO may need to resort to 'overselling' a particular need." The problem here is that business leaders face 'oversells' all the time, and are well-versed in ignoring them.

Brian Kelly suggests the basic problem comes from multiple sources of threat information. "The feeling that malware is the greatest risk may be driven more by media reports than the security team's failure to deliver the correct message. Information Security teams are competing for the CEO's attention, but are also struggling to craft a message that makes sense in context."

Perhaps one of the problems is a basic misunderstanding of the purpose of 'security'. Mike Smart, security strategist at Forcepoint, believes security is like the brake on a car. Business leaders think its purpose is to slow down the car; that is, security slows down business. "Innovators will tell you the opposite," he says. "It's there to give the driver the confidence to go as fast as possible." In this view, security is the enabler of agile business -- but the implication is that security leaders have failed to adequately explain this function to the business leaders.

Dr. Bret Fund, founder and CEO at SecureSet, suggests that most companies have failed to yet establish the partnership between business and security that is necessary for an agile but secure business. "Security managers need to do a better job understanding the business constraints and how, as a security team, they can provide meaningful solutions inside of those realities. Business managers need to do a better job of understanding that security is everyone's responsibility and NOT just the security teams."

There is little disagreement over a disconnect between business leaders and security professionals. Bridging that disconnect is the problem. Koenig believes that the security team needs to own the problem. "In security," he says, "you have to assume everyone outside your team distrusts you. That's an unfortunate reality. So, to improve your delivery, educate instead of present. Put context around what you are reporting. Help them understand that malware is a valid risk, but most breaches are the result of poor identity controls that allows for the delivery of malware. Ultimately for every security report that is delivered you have to answer the hardest question from a business, 'So What?'. Don't tell, explain."

Centrify's survey demonstrates this mismatch in cyber threat understanding between business leaders and security professionals. The report shows that most security professionals believe that 'identity' is the number one control, while business leaders concentrate on malware. It's a nuanced issue. Identity and credential control, such as that provided by Centrify, won't stop all malware -- but it may prevent a malware incident developing into a major breach. How to get business leaders to listen to security professionals remains a continuing problem.

WhatsApp Co-founder Invests $50 Million in Signal
22.2.2018 securityweek

Open Whisper Systems, the organization behind the privacy-focused messaging app Signal, announced on Wednesday the launch of the Signal Foundation, with an initial investment of $50 million from WhatsApp co-founder Brian Acton.

The Signal service is used by millions of people and the Signal protocol is used by billions through its integration into popular applications such as WhatsApp, Facebook Messenger and Google Allo.

Despite the success of its product, the Signal team has never had more than seven members and there have only been an average of 2.3 full-time developers.Signal Foundation launches with $50 million investment

With the launch of the Signal Foundation and the $50 million from Acton, Signal will have the resources necessary to expand and accelerate its mission to make private communications accessible to everyone.

“Starting with an initial $50,000,000 in funding, we can now increase the size of our team, our capacity, and our ambitions. This means reduced uncertainty on the path to sustainability, and the strengthening of our long-term goals and values,” said Moxie Marlinspike, founder of Open Whisper Systems and CEO of the Signal Foundation. “Perhaps most significantly, the addition of Brian brings an incredibly talented engineer and visionary with decades of experience building successful products to our team.”

The Signal Foundation is a 501(c)(3) nonprofit organization. Up until now, the Freedom of the Press Foundation acted as a fiscal sponsor for Signal.

Acton, who left WhatsApp and Facebook last year, will serve as executive chairman of the Signal Foundation and will be actively involved in operations and product development.

“After over 20 years of working for some of the largest technology companies in the world, I couldn’t be more excited for this opportunity to build an organization at the intersection of technology and the nonprofit world,” said Acton.

“In the immediate future we are focused on adding to our talented-but-small team and improving Signal Messenger. Our long-term vision is for the Signal Foundation to provide multiple offerings that align with our core mission,” he added.

The Global cost of cybercrime jumped up to $600 Billion
22.2.2018 securityaffairs CyberCrime

The tech giants McAfee and Cisco published to reports that providers further info about the global impact of cybercrime.
Which is the cost of cybercrime? It is hard to provide an effective a good estimation of the overall impact of the numerous phenomena that happen every day, including cyber attacks, data breaches, scams and so on.

The tech giants McAfee and Cisco published to reports that providers further info about the global impact of cybercrime.

According to the report was written by McAfee in collaboration with the Center for Strategic and International Studies (CSIS), the global cost is estimated at $600 billion annually, a disconcerting figure that corresponds to 0.8% of the global GDP. The value is jumped from $500 billion in 2014 to $600 billion (+20%).

“In 2014, taking into account the full range of costs, CSIS estimated that cybercrime cost the world between $345 billion and $445 billion. As a percentage of global GDP, cybercrime cost the global economy 0.62% of GDP in 2014. Using the same methods, CSIS now believe the range is now between $445 billion and $600 billion.” states the report.

The jump is mainly caused by the significant increase of theft of intellectual property and business confidential information, intellectual property theft accounts for at least 25% of overall cybercrime costs.

The cost of cybercrime is distributed among all the countries of the world, no one is immune. The report shows variations by region, that are linked to income levels and level of cybersecurity maturity, the countries with greater losses are the richest ones.

cost of cybercrime 2017

According to the report, Russia leads cybercrime activities worldwide, the reports also highlighted the thin line between crime rings and nation-state actors.

“CSIS believes that Russia leads overall in cybercrime, reflecting the skill of its hacker community and its disdain for western law enforcement. The complex and close relationship between the Russian state and Russian organized crime means that Russia provides a sanctuary for the most advanced cybercriminals, whose attention focuses on the financial sector.” continues the report.

Ransomware are a profitable business for the criminal ecosystem, currently, more than 6,000 black marketplaces offer for sale such kind of malware and related services, an overall offer of more than
45,000 different products.

The second report published by Cisco confirmed the worrisome trends for cybercrime activities, the document is based on interviews with 3,600 CISOs. According to Cisco almost any attack will cost to the victims at least $500,000. The cost dramatically increased for 8% of companies in the Cisco report that admitted that cyber attacks had cost them over $5 million, 11% the companies suffered economic losses between $2.5 million and $4.9 million.

Cisco highlighted the risk of attacks aimed to the supply chain of the companies. these attacks have increased in complexity and frequency.

Let me suggest reading both studies, they offer an interesting analysis of criminal ecosystem and of the overall cost of cybercrime.

Ohrožení podnikových sítí ze strany internetu věcí je realitou

22.2.2018 SecurityWorld IoT
V nedávném seriálu BBC zvaném McMafia převzal hacker vládu nad IT sítí bombajského přístavu pomocí prodejního automatu s jen několika málo bezpečnostními údaji. Ač se takový případ může zdát nepravděpodobný, je hrozba ze strany internetu věcí vůči kriticky důležité infrastruktuře velice reálná. Jak se stále více zařízení připojuje k síti a další a další senzory nachází využít napříč průmyslovými odvětvími, stává se zároveň ohrožení podnikových sítí skrze neaktualizovaná zařízení internetu věcí skutečnou hrozbou. Zprávu přináší server SC Magazine. Jaká jsou tedy fakta za obavami z hacknutí důležitých IT systémů skrze internet věcí?

Hrozba je reálná a nezmizí sama od sebe.

Celosvětově stoupá míra využití zařízení internetu věcí. Majorita sítí je ovšem nepřipravena na takto masivní příliv nových zařízení, a ještě méně jsou připraveny na hackery a další jednotlivce, kteří se pokusí získat přístup k podnikovým sítím a uživatelským datům pro zločinné úmysly.

Gartner předpokládá, že zde do konce roku 2020 bude kolem 20,4 miliard k síti připojených zařízení. Je evidentní, že počet propojených zařízení se bude i nadále zvyšovat. To sice přináší spoustu výhod, ale také vzrůstající bezpečnostní riziko. Jak se sítě stávají dynamičtějšími a neustále rostou, je těžší a těžší identifikovat a spravovat všechna zařízení k nim připojená.

Ta hrozba je tu a je velmi reálná. Rok 2016 přinesl jeden z největších DDoS útoků všech dob – botnet Mirai – který vyřadil z provozu mnoho webových stránek. Útok byl možný díky zařízením internetu věcí, unikátním IP adresám hostujícím malware. Zařízení nejvíce se podílející na útoku? Průmyslové kamery.

Nejnovější potomek botnetu Mirai se nazývá Satori a objevil se v letošním roce, specificky cílí na procesory ARC. Hlavním účelem je krást kryptoměnu Ethereum skrze hackování online těžařských hostů a tajnému nahrazení jejich peněženek.

Mirai a Satori plně odhalují potenciál kybernetických zločinců ozbrojených malwarem a velkým množstvím nezabezpečených zařízení internetu věcí. Jak se stále více zařízení dostává na síť, hrozeb bude přibývat. Více zařízení znamená více bodů, skrze které může útočník zařízení infikovat a následně je využívat při DDoS útocích.

Jak bohužel ukazuje výše zmíněný seriál McMafia, právě klíčová IT infrastruktura je obzvláště ohrožena. Některé příklady podobných útoků na nezbytné systémy ukazuje hned několik hacknutých vodních elektráren mezi roky 2011 a 2016 a také elektrárnu ve Spojených státech, která byla infiltrována hned sedmnáctkrát mezi roky 2013 a 2014. Co je horší: jaderná elektrárna částečně hacknutá v roce 2016.

Množství zařízení připojených k podnikové síti je nejen téměř nemožné spravovat, ale někdy ani nelze jejich počet vůbec zaznamenat. Princip BYOD (buy your own device, kdy zaměstnanec nedostane firemní notebook nebo mobil, ale koupí si vlastní) a zařízení internetu věcí vede k většímu rozšíření zařízení s vlastními IP adresami a výkonem – ale často bez pořádného zabezpečení. Právě tato zařízení se poté pro hackery stávají bodem vniku do podnikových sítí.

Nová chytrá zařízení se nyní zvládají na vaše sítě připojovat samy od sebe. Vše od chytrých telefonů až po bezpečnostní kamery. Tyto zařízení nejsou spravována a mohou se stát nezabezpečenými koncovými body, které výrazně zvýší šanci na hacknutí sítě. A právě tato zařízení se také stávají hlavním cílem hackerů a kybernetických zločinců. Ti díky nim mohou využít LAN přístup na servery nebo, ještě častěji, mohou podobná zařízení sloužit k manipulaci s daty a získání přístupu do sítě.

Většina organizací si nemyslí, že mají do své sítě připojena nějaká zařízení internetu věcí, ale dokud je nehledají, nemohou si být jistí.

Mnoho firem se nyní, oprávněně, obává útoků zvenčí, které by do jejich sítí pronikly. Nejnovější firewally, systémy na prevenci proti vniknutí, pokročilé ochranné systémy a další, to vše hraje roli v obraně. Jak se však k síti připojuje stále více zařízení, je nutné hledět i na hrozby z vnitřku.

Pokud společnosti nemají kvalitní infrastrukturu na podporu zařízení internetu věcí, riskují odhalení svých podnikových sítí zločinným aktivitám. To může vést k devastujícím výsledkům, obzvláště pokud hackeři odhalí zranitelnosti v zařízení internetu věcí s přístupem ke klíčové IT infrastruktuře.

Dobrým začátečním bodem pro firmy, které berou svou bezpečnost vážně v dnešním hyperpropojeném světě, je zvýšit povědomí o všech zařízeních v síti a implementovat centralizovaný systémy správy pro zajištění dodržování všech pravidel.

Najděte je, zhodnoťte je, spravujte je. To musí být nová mantra pro ochranu organizací od všech různých zařízení. Žijeme v časech jako z televize a v kybernetickém světě musíme chránit svá aktiva lépe než ti, kteří byli na televizních obrazovkách hacknuti.