- Computer Attack -

Last update 09.10.2017 12:41:24



Recent articles in the Attack category (date | title | categories | source, where the page gives them):

De-DOSfuscation Example
Shamoon Reappears, Poised for a New Wiper Attack | Attack, Virus
Phishing Attack Through Non-Delivery Notification | Attack, Phishing
12.12.18 | Windows Kernel Vulnerability Exploited in Attacks | Attack, Vulnerability | Securityweek
Will sophisticated attacks dominate in 2019?
Italian Oil Services Company Saipem Hit by Cyberattack | Attack | Securityweek
California Man Gets 26-Month Prison Sentence for DDoS Attacks | Attack | Securityweek
Netbooks, RPis, & Bash Bunny Gear - Attacking Banks from the Inside | Attack | Bleepingcomputer
6.12.18 | 2 Iranian Men Face New Charges Over Atlanta Cyberattack | Attack | Securityweek
2.12.18 | Cyberattacks on financial sector worries Americans most | Attack | Eset blog
30.11.18 | Zoom Conferencing App Exposes Enterprises to Attacks | Attack | Securityweek
Hackers Breach Dunkin’ Donuts Accounts in Credential Stuffing Attack
Threat Actor Targets Middle East With DNS Redirections
28.11.18 | Sennheiser Headset Software Could Allow Man-in-the-Middle SSL Attacks | Attack | Bleepingcomputer
ECC Memory Vulnerable to Rowhammer Attack
Active XSS Attacks Targeting Amp for WP WordPress Plugin
Cryptojacking Attack Targets Make-A-Wish Foundation Website
Hackers Say They Compromised ProtonMail. ProtonMail Says It's BS.
State-Sponsored Actors Focus Attacks on Asia
Emoji Attack Can Kill Skype for Business Chat
15.11.18 | Boffins discovered seven new Meltdown and Spectre attacks | Attack | PBWCZ.CZ
9.11.18 | Man Behind DDoS Attacks on Gaming Companies Pleads Guilty | Attack | PBWCZ.CZ
9.11.18 | Default Account Exposes Cisco Switches to Remote Attacks | Attack | PBWCZ.CZ
6.11.18 | Flaws in several self-encrypting SSDs allow attackers to decrypt data they contain | Attack, Crypto, Vulnerability | PBWCZ.CZ
3.11.18 | Cisco warns of a zero-day DoS flaw that is being actively exploited in attacks | Attack, Vulnerability | PBWCZ.CZ
2.11.18 | Cyberattacks Against Energy Sector Are Higher Than Average: Report | Attack | PBWCZ.CZ
2.11.18 | DDoS Attacks in Q3 18 | Attack | PBWCZ.CZ
28.10.18 | A few dollars to bring down sites with new Bushido-based DDoS-for-hire service | Attack | PBWCZ.CZ
27.10.18 | BA Says 185,000 More Customers Affected in Cyber Attack | Attack, Incident | PBWCZ.CZ
21.10.18 | Server With National Guard Personnel Data Target of Attack | Attack | PBWCZ.CZ
19.10.18 | NFCdrip Attack Proves Long-Range Data Exfiltration via NFC | Attack | PBWCZ.CZ
18.10.18 | Feds Investigate After Hackers Attack Water Utility | Attack | PBWCZ.CZ
11.10.18 | Magecart Attack Hits 'Shopper Approved' | Attack | PBWCZ.CZ
10.10.18 | Researchers presented an improved version of the WPA KRACK attack | Attack | PBWCZ.CZ
10.10.18 | Researchers KRACK Wi-Fi Again, More Efficiently This Time | Attack | PBWCZ.CZ
5.10.18 | Google Turns on G Suite Alerts for State-Sponsored Attacks | Attack | PBWCZ.CZ
2.10.18 | RDP Increasingly Abused in Attacks: FBI | Attack | PBWCZ.CZ
2.10.18 | FCA fines Tesco Bank £16.4m over 2016 cyber attack | Attack | PBWCZ.CZ
28.9.18 | Port of San Diego hit by a cyber attack a few days after the attack on the Port of Barcelona | Attack | PBWCZ.CZ
28.9.18 | Man Sentenced to Prison for ATM Jackpotting | Attack | PBWCZ.CZ
25.9.18 | Akamai Report: Credential stuffing attacks are a growing threat | Attack | PBWCZ.CZ
24.9.18 | Credential Stuffing Attacks Are Reaching DDoS Proportions | Attack | PBWCZ.CZ
20.9.18 | Click2Gov Attacks on U.S. Cities Attributed to Previously Unknown Group | Attack | PBWCZ.CZ
20.9.18 | Critical Vulnerability Impacts Hundreds of Thousands of IoT Cameras | Attack | PBWCZ.CZ
17.9.18 | Cyber attack took offline flight display screens at the Bristol Airport | Attack | PBWCZ.CZ
14.9.18 | Flaws in firmware expose almost any modern PC to Cold Boot Attacks | Attack | PBWCZ.CZ
14.9.18 | New Firmware Flaws Resurrect Cold Boot Attacks | Attack | PBWCZ.CZ
14.9.18 | One Year Later, Over 2 Billion Devices Still Exposed to BlueBorne Attacks | Attack | PBWCZ.CZ
14.9.18 | Multi-Stage Malware Heavily Used in Recent Cobalt Attacks | Attack, Virus | PBWCZ.CZ

Thousands of 3D Printers Exposed to Remote Attacks
4.9.18 securityweek  Attack

Malicious actors could take control of thousands of 3D printers that can be accessed directly from the Internet without requiring any authentication.

According to the SANS Internet Storm Center, a Shodan search reveals over 3,700 instances of OctoPrint interfaces exposed to the Web, including nearly 1,600 in the United States.

Exposed 3D printers

OctoPrint is a free and open source web interface for 3D printers that allows users to monitor and control every aspect of their device and printing jobs. OctoPrint can be used to start, stop or pause a print job, it provides access to the printer’s embedded webcam, it supplies information on the progress of a print job, and monitors the temperature of key components.

While it may seem that failure to protect a 3D printer against unauthorized access cannot pose a major risk, SANS’s Xavier Mertens warns that an attacker can conduct a wide range of malicious activities.

For instance, they can access G-code files, which are text files that contain the instructions needed to print a 3D object. In the case of organizations, these files could store valuable trade secrets.

“Indeed, many companies’ R&D departments are using 3D printers to develop and test some pieces of their future product,” Mertens noted.

The researcher pointed out that an attacker could also upload specially crafted G-code files to an unprotected printer. They could instruct the device to start printing when nobody is around, or they could make small changes to the code.

“By changing the G-code instructions, you will instruct the device to print the object but the altered one won’t have the same physical capabilities and could be a potential danger once used,” Mertens explained. “Think about 3D-printed guns but also 3D-printed objects used in drones. Drone owners are big fans of self-printed hardware.”

3D printers have been known to catch fire and it’s not implausible that an attacker may be able to intentionally start a fire given the high temperatures during operation of the system.

Finally, an attacker could spy on the vulnerable printer’s owner through the embedded webcam.

These attacks are possible not due to some serious vulnerabilities in OctoPrint, but due to the failure of users to securely configure their devices.

OctoPrint developers advise users to enable the Access Control feature and take additional steps to secure the device if remote access is required. If Access Control is disabled, anyone can remotely gain full control over the printer.

“If you plan to have your OctoPrint instance accessible over the internet, always enable Access Control and ideally don’t make it accessible to everyone over the internet but instead use a VPN or at the very least HTTP basic authentication on a layer above OctoPrint,” OctoPrint documentation reads. “A physical device that includes heaters and stepper motors really should not be publicly reachable by everyone with an internet connection, even with access control enabled.”

USBHarpoon, a look-alike charging cable that can hack into your computer
26.8.18 securityaffairs Attack

A team of security experts has devised a rogue USB charging cable named USBHarpoon that can be used to compromise a computer in just a few seconds.
The team was composed of Olaf Tan and Dennis Goh of RFID Research Group, Vincent Yiu of SYON Security, and the well-known Kevin Mitnick.

USBHarpoon takes inspiration from the BadUSB project built by researchers at Security Research Labs, led by Karsten Nohl.

Nohl demonstrated that to turn one device type into another, USB controller chips in peripherals need to be reprogrammed. Unfortunately, many USB controller chips, including those in thumb drives, have no protection from such reprogramming.

USBHarpoon uses a charging cable instead of a USB drive to do the dirty work and hack into a computer.

The cable was modified to let both data and power pass through, so the victim notices nothing suspicious.

A weaponized charging cable is not a novelty: a security researcher who goes by the Twitter handle MG posted two videos showing the BadUSB cables he has built. The cable allows MG to carry out HID attacks when plugged into a computer’s USB port.

MG on Twitter, 8:40 AM - Jan 1, 18:

“HID attacks via USB drives have become too suspicious. What about embedding the attack inside a USB cable?

Just a quick test for a few things I'm hoping to make over the next month.”

MG on Twitter, 6:51 PM - Jan 6, 18:

“BadUSB Cable #2. HID attack through an Apple MacBook USB-C charger. Great for shared workspaces!

Build info coming this month. Still working out some things. These cables work on just about any device with a USB port (Mac/Win/Linux, phones too)”

MG demonstrated that his BadUSB cable would work with the 24-pin USB-C connector used in MacBook chargers. MG added that the cables “work on just about any device with a USB port,” including mobile devices.
Mitnick asked MG to build a cable for him to use in a keynote speech to demonstrate new attack methods, but he did not receive it in time for his speech.


Mitnick then contacted the researcher Dennis Goh to build a cable for the attack; Goh accepted and worked with Olaf Tan to build the USBHarpoon.

When MG saw the USBHarpoon, he commented that the cable was the same design whose images he had shared with Mitnick.

MG on Twitter, 12:30 AM - Aug 21, 18 (replying to @kevinmitnick @_MG_ @LucaBongiorni @P4wnP1):

“Heh, looks like the same boots I showed Kevin earlier this year, but with tape holding together? Just use some potting compound to seal it!
Hey @vysecurity did you do anything besides adding 2 resistors for charge pass through? That seems to work fine. Data passthrough though... pic.twitter.com/69slNg2U0O”

Yiu stated that his cable was not inspired by MG’s research, but he credited MG’s original work once he learned about it.

USBHarpoon works on unlocked machines; it allows attackers to launch commands that download and execute malicious code.

Yiu published a short video showing how USBHarpoon works. The PoC video shows a drone connected to a Windows PC and sending it commands to list the contents of a folder on the system drive.

Experts noticed that on Windows, the commands are launched within the Run prompt, while on Mac and Linux they are launched from a terminal.

The attack is in any case visible to the owner of the machine, so making it stealthy requires a way to hide the interaction with the system, for example by running the attack when the victim is not at the machine.

The researchers are currently searching for ways to trigger the attack stealthily, for example by using Bluetooth or radio signals as attack vectors.

As a mitigation, the experts suggest the use of USB condoms, also known as data blockers: devices that work by blocking the data pins of a USB connection.

However, MG published a PoC video showing that USB condoms can be bypassed as well.

MG on Twitter, 3:19 AM - Jan 13, 18:

“#3 - BadUSB Cables wouldn't be complete without BadUSB Condoms.

Tempted to get a run of these made for the vendor area at the next security con.”

USBHarpoon demonstrates that USB devices can be used as attack vectors that are difficult to detect.

Attack on DNC Part of Simulated Phishing Test

23.8.18 securityaffairs Attack

A recent phishing attack aimed at the Democratic National Committee’s voter database was actually part of a simulation, researchers and representatives of the Democratic Party confirmed.

Cybersecurity firm Lookout this week came across a custom phishing website apparently aimed at the Democratic National Committee (DNC), specifically its VoteBuilder service.

The phishing site mimicked a login page of NGP VAN, a technology provider for the Democratic Party, and was hosted by DigitalOcean.

Lookout immediately notified the DNC, NGP VAN and DigitalOcean, and the phishing page was removed within hours, before any credentials were compromised. The FBI was also informed and an investigation was launched.

However, after further analysis, the DNC now believes the fake website was actually created by a third party as part of a “simulated phishing test on VoteBuilder.”

“The test, which mimicked several attributes of actual attacks on the Democratic party's voter file, was not authorized by the DNC, VoteBuilder nor any of our vendors,” explained Bob Lord, the DNC’s chief security officer.

“There are constant attempts to hack the DNC and our Democratic infrastructure, and while we are extremely relieved that this wasn't an attempted intrusion by a foreign adversary, this incident is further proof that we need to continue to be vigilant in light of potential attacks,” Lord added.

Mike Murray, who leads Lookout’s intelligence team, confirmed that it was a false alarm.

“The thing about ‘false alarms’ is that you don’t know that they’re false until you’ve showed up to investigate,” Murray said on Twitter. “All the folks who pulled together on this were amazing, and had this been a real attack, would have stopped something terrible.”

According to PCMag tech reporter Michael Kan, the phishing test was actually commissioned by the Michigan Democratic Party, but without authorization from the DNC.

SecurityWeek has reached out to the Michigan Democratic Party for comment and will update this article if the organization responds.

“I would [...] not call this a TEST as the phishing attempt was being conducted on a live production system against real people,” Joseph Carson, chief security scientist at Thycotic, told SecurityWeek. “The positive side is that newer technology is helping organizations identify such threats earlier; however, this did raise a major issue to attribution and the source of the hacks because, as we know, many cyberattacks utilize third party vendors.”

“I would actually handle this incident as an attempted cyberattack since the DNC has confirmed it was not authorized or approved so therefore a full incident and digital forensics process should be carried out even though it was a so-called test,” Carson said.

Google Warns Thousands Each Month of State-Sponsored Attacks
22.8.18 securityweek Attack

Each month, Google sends thousands of warnings to users who might have been targeted in government-backed attacks, even if the attempts have been blocked.

Highly targeted and more sophisticated when compared to typical phishing attempts, which are mainly focused on financial fraud, these state-sponsored attacks come from dozens of countries worldwide, Google says.

Only an extremely small fraction of Google’s users have received such an alert, and they don’t necessarily mean that accounts have been compromised, but the search giant urges all of those who receive the notification to take immediate action.

“We hope you never receive this type of warning, but if you do, please take action right away to enhance the security of your accounts,” Google says.

Users are also provided with guidance on how to improve the security of their accounts, but they can choose to dismiss the warning.

The Internet company has been issuing such alerts since 2012, and recently also brought the warnings to G Suite. Thus, administrators receive an alert when the company detects a possible government-backed phishing attempt targeting a user in the admin’s corporate network.

The warnings themselves have evolved over time from simple text messages displayed at the top of the recipient’s Gmail page to more prominent banners.

Such warnings don’t arrive immediately after a phishing attempt is detected, but are sent periodically, so that attackers can’t determine the technology that allows Google to detect the attacks.

“We intentionally send these notices in batches to all users who may be at risk, rather than at the moment we detect the threat itself, so that attackers cannot track some of our defense strategies. We have an expert team in our Threat Analysis Group, and we use a variety of technologies to detect these attempts,” Google reveals.

In addition to alerting the user, the web search company informs law enforcement of the detected attempts, so they can investigate the incidents on their own.

To improve the security of their accounts, all users are advised to enable two-step verification in Gmail. Those who believe they might be targeted by government-backed phishing should also consider enrolling in the Advanced Protection Program, Google underlines.

NCC Group Releases Open Source DNS Rebinding Attack Tool
21.8.18 securityweek Attack

Cyber security and risk mitigation company NCC Group has released a new open source tool designed to make it easier for penetration testers and others to perform DNS rebinding attacks.

DNS rebinding, an attack method that has been known for more than a decade, can allow a remote hacker to abuse a targeted entity’s web browser to directly communicate with devices on the local network. DNS rebinding can be leveraged to exploit vulnerabilities in services the targeted machine has access to.

Getting the target to access a malicious page or view a malicious ad is often enough to conduct an attack that can lead to theft of sensitive information or taking control of vulnerable systems.

NCC Group on Friday announced the availability of Singularity of Origin, an open source tool designed for conducting DNS rebinding attacks.

“During recent security assessments, we’ve seen applications running on the localhost interface or exposing services on an internal network without authentication. This includes Electron-based applications or applications exposing Chrome Developer Tools and other various debuggers,” NCC Group Senior Security Consultant Roger Meyer said in a blog post.

“Exploiting such services is typically straightforward, but it takes a substantial effort to implement an attack in the context of a security assessment. There are tools available to exploit DNS rebinding vulnerabilities but they pose a number of challenges including the lack of support or documentation. They sometimes do not even work, are very specific and/or do not provide a full exploitation stack, requiring much effort to assemble and integrate all the missing bits and pieces,” Meyer noted.

According to NCC, Singularity provides a complete exploitation stack, including a custom DNS server that allows rebinding the DNS name and IP address of the attacker’s server to the targeted machine, an HTTP server for serving HTML and JavaScript code to targeted users, and various attack payloads. The payloads, which include grabbing an app’s homepage and remotely executing code, can be adapted for new and custom attacks.

NCC Group Senior Security Consultant Gerald Doussot told SecurityWeek that the purpose of Singularity is to provide penetration testers “a simple tool that rapidly exploits a DNS rebinding attack finding and illustrates graphically its potential impact, including remote code execution.”

Singularity also aims to increase awareness of DNS rebinding attacks among application developers and security teams.

“We wanted to increase awareness that DNS rebinding attacks are easy to exploit and damaging but can be remediated with appropriate controls,” Doussot explained.
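The “appropriate controls” Doussot refers to include the server-side check that defeats the mechanism described above: after the rebinding, the browser's request reaches the internal service but still carries the attacker's domain in its Host header, because the browser believes it is still talking to that domain. The following is an added example rather than NCC Group or Singularity code; it wraps a WSGI application in a Host-header allowlist, and the hostnames, port and stand-in service are assumptions.

```python
"""Host-header allowlisting as a DNS rebinding control (added example).

Not NCC Group or Singularity code. A service that only answers to the names
it expects refuses a rebound request, because that request carries the
attacker's domain in Host. Hostnames, port and the local service are assumed.
"""
import re
from urllib.parse import urlsplit

# Constructed allowlist for a service that is only meant to be reached locally.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}
SERVICE_PORT = 8080

# Only the characters a hostname, bracketed IPv6 literal or port can contain.
_HOST_CHARS = re.compile(r"[A-Za-z0-9.\-\[\]:]+")


def parse_host_header(value):
    """Return (hostname, port) from a Host header value, or None if malformed.

    urlsplit strips the brackets of an IPv6 literal and lowercases the name;
    its .port property raises ValueError for a non-numeric or out-of-range port.
    """
    value = value.strip()
    if not value or not _HOST_CHARS.fullmatch(value):
        return None
    parts = urlsplit("//" + value)
    try:
        port = parts.port
    except ValueError:
        return None
    if parts.hostname is None:
        return None
    return parts.hostname, port


def host_is_allowed(header, allowed=ALLOWED_HOSTS, port=SERVICE_PORT,
                    default_port=80):
    """True only if Host names this service by an expected name and port."""
    parsed = parse_host_header(header)
    if parsed is None:
        return False
    hostname, header_port = parsed
    if header_port is None:          # no explicit port: assume the scheme default
        header_port = default_port
    return hostname in allowed and header_port == port


def rebinding_guard(app, allowed=ALLOWED_HOSTS, port=SERVICE_PORT):
    """WSGI middleware that refuses any request whose Host is not allowlisted."""
    def guarded(environ, start_response):
        if not host_is_allowed(environ.get("HTTP_HOST", ""), allowed, port):
            start_response("421 Misdirected Request",
                           [("Content-Type", "text/plain")])
            return [b"Host header not recognised\n"]
        return app(environ, start_response)
    return guarded


def _local_service(environ, start_response):
    """Stand-in for the unauthenticated local service (constructed)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"internal data\n"]


def simulate(host_header):
    """Push one request through the guard; return (status line, body bytes)."""
    captured = {}

    def start_response(status, headers):
        captured["status"] = status

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": "/", "HTTP_HOST": host_header}
    body = b"".join(rebinding_guard(_local_service)(environ, start_response))
    return captured["status"], body


if __name__ == "__main__":
    # The third and fourth hosts are what a rebound browser request would carry.
    for host in ["127.0.0.1:8080", "[::1]:8080", "attacker.example:8080",
                 "attacker.example", "localhost", "127.0.0.1:65536", ""]:
        print(f"Host: {host!r:28} -> {simulate(host)[0]}")
```

A Host value without an explicit port is treated as the scheme default, so a bare “localhost” is refused for a service on 8080; adjust default_port when the service sits behind TLS or a reverse proxy, and keep the allowlist to literal names rather than suffix matches, since a suffix match is exactly what an attacker-controlled subdomain would satisfy.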

Singularity source code is available on GitHub, where users can also find detailed instructions on how the tool can be set up and utilized. For demo purposes, NCC Group is also temporarily offering a test instance of the tool.

Singularity of Origin

Google Project Zero researcher Tavis Ormandy earlier this year put the spotlight on DNS rebinding attacks after finding serious vulnerabilities in some popular BitTorrent apps and Blizzard games.

Tripwire researcher Craig Young showed recently how the technique can be used against Google Home and Chromecast devices to reveal a user’s precise physical location. A study published in July by IoT security firm Armis showed that DNS rebinding exposes nearly half a billion devices used by enterprises to attacks.

Industry Reactions to Foreshadow Flaws: Feedback Friday
17.8.18 securityweek Attack

Researchers and several major tech companies this week disclosed the details of three new speculative execution side-channel vulnerabilities affecting Intel processors.

The flaws, tracked as Foreshadow and L1 Terminal Fault (L1TF), are CVE-2018-3615, which impacts Intel’s Software Guard Extensions (SGX); CVE-2018-3620, which impacts operating systems and System Management Mode (SMM); and CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).

Industry professionals comment on Foreshadow/L1TF

A piece of malware installed on a system can exploit the flaws to gain access to potentially sensitive data stored in supposedly protected memory.

Industry professionals have commented on various aspects of Foreshadow/L1TF, including its impact on various types of systems, difficulty of exploitation, and performance issues introduced by mitigations.

And the feedback begins…

Tod Beardsley, research director, Rapid7:

“The L1TF / Foreshadow vulnerability announced today should be of particular interest to enterprises which run virtual computers in shared hosting environments. Customers of this kind of cloud computing service should keep an eye out for communications from their hosting providers, which will tell them if they need to do anything special with their guest operating systems. In many cases, hosting providers already provide a reasonable mitigation by ensuring that virtual machines run by different customers are isolated from each other, and don't intermingle different processes on the same CPU core.

So, while it's likely that virtual machine users need to update their own guest operating systems, they should be rolling out security patches routinely anyway. If you're a VM customer and haven't yet heard anything from your provider, a call to their tech support is in order to make sure they're aware of the issue, since the host operating systems need to be updated as well.

All that said, home users generally do not need to worry too much about these issues; all of these speculative execution bugs are pretty exotic, and unlikely to be used against individual end users anytime soon. Cryptojacking and ransom-based malware are still pretty effective mechanisms that criminals employ to extract money out of victims, so they don't need to go to the trouble of setting up and executing a complicated attack using Foreshadow.”

Ken Spinner, VP of Field Engineering, Varonis:

“Cloud providers of virtual servers are more susceptible than on-premises networks in this instance because that's the most likely place you'd have one physical server housing dozens of virtual machines run by different companies. If the vulnerability could be successfully exploited, attackers could hit the jackpot. However, a data centre could hold literally hundreds of thousands of servers and potentially millions of VMs. Hackers would be conducting an unfocused attack, rather than focusing on exploiting a target organisation. It would be a shot in the dark.

These vulnerabilities are the latest in a long line of exploits. While the approaches change, the goal often stays the same – to grab your company’s data. To complicate matters, most companies are dealing with hybrid data stores with some of their data on-premises and some in the cloud, which creates challenges and potential risk from a security and data governance standpoint. Never assume your data is safe in the cloud. If your cloud environment isn’t secure, your data won’t just be in danger of being exposed to your entire organisation – it could be accessible to hackers or even the world.”

Roi Panai, Senior Engineering Manager for Research at Mimecast and Director of Research at Solebit:

“The rising number of hardware vulnerabilities should concern us, the defenders, since these kinds of exploits are much more difficult to patch and thus very difficult to protect against.

Following other Intel CPU vulnerabilities such as "Melt-Down", Foreshadow proves that protecting essential data (i.e. kernel space) with strong confidentiality and integrity security methods is not enough.

The attack exploits instruction execution cache methods designed for processing optimization in order to extract information from privileged locations using different methods (i.e. covert-channel). Together with "Foreshadow-NG" variations, these kinds of attacks have proved to be very effective against "isolated" sections by exposing cached physical memory data, which is widely used by virtual entities, for example giving the attacker full information about running virtual machines, which was considered unreachable before.

Some strong and important modules, such as optimization processes, may compromise other security methods leaving some holes for attackers to be exploited, thus proving that the trade-off between security and advanced processing might be dangerous.”

Heather Paunet, Vice President of Product Management, Untangle:

“Foreshadow allows hackers to read the enclave memory without penetrating the enclave from the outside. This essentially allows hackers to make a shadow copy of the data and place it in a different unprotected location, causing speculative execution to revert all data to the new unprotected location. While this new vulnerability can be critically damaging to a device, the researchers and Intel have worked together to release patches to fix the underlying issues.

While Foreshadow is threatening, exploiting those vulnerabilities in practice is very difficult. However, there are certain scenarios that may warrant immediate action and concern. Data centers and cloud providers with highly virtualized environments are particularly at risk. Administrators must be vigilant to ensure that all environments take advantage of the latest available patches on an ongoing basis. Intel is working with some of its partners to address this scenario which could impact performance and resource utilization.

One key takeaway from the Foreshadow announcement is that Intel is working with both the research community as well as the security community at large, expanding its bug bounty program. Industry partnerships with researchers and wider security community are critical. Closed-source companies are sometimes reluctant to embrace these partnerships when compared to open-source companies, so it's a positive step overall to see more collaboration. Cybersecurity changes in real time, so vendors, researchers and the community must continue to work together to stay one step ahead of potential exploit vectors to head off future attacks.”

Abhishek Iyer, Technical Marketing Manager, Demisto:

“There are a few menacing projections that we can draw from the Foreshadow vulnerability, and these projections are not new. Firstly, a base exploitation technique like L1TF can lead to many derivative attack methods, each affecting a separate user base in different ways. The variants of L1TF that have been discovered so far affect isolated systems, virtualized systems, and cloud-hosted systems on multi-tenant environments. While the microcode updates and OS patches supplied so far can stop these attacks, the likelihood of other attack derivatives that bypass these safeguards is real and present.

The other interesting pattern to note is how attackers piggyback on computing advancements and exploit the fact that there’s often a lag between performance improvements and corresponding security improvements. The Intel SGX brought an innovation to market – the Abort Page Semantics that allowed increased performance through speculative execution while thwarting Spectre and Meltdown attacks – but the Foreshadow (L1TF) attack explicitly misused that innovation and resulted in the minor performance hit that comes with microcodes and patches. This balance between improving performance and maintaining security is something that organizations will continue to explore gingerly with attackers waiting in the sidelines.”

Jeff Ready, CEO, Scale Computing:

“The design flaw in Intel chips has left Windows and Linux systems vulnerable. Any device or service connected to the chips is essentially left at risk – especially after the latest flaw that was revealed – Foreshadow. The main focus is working in real time to identify the issues and look at what needs to be patched. Performance impacts will be seen across the industry. Systems that utilize software defined storage via a mid-layer filesystem will likely experience the most impact. Many software-defined storage solutions, which use a mid-layer filesystem will likely have a much larger performance impact as a result of these fixes. After the patches and fixes roll out, we will be able to see the true extent of the impact.”

Setu Kulkarni, VP of corporate strategy, WhiteHat Security:

“Unlike application security vulnerabilities where the remediation/mitigation is increasingly ‘centralized’ with cloud-based, multi-tenant systems, the same cannot be said about chip vulnerabilities. It’s getting to be a zero-sum game, as infosecurity teams are dealing with an increasing variety of security issues... the more they protect, the more there is to protect. There is a revolution waiting to happen in the way security teams will respond to the increasing variety and volume of security challenges – and it’s going to be based in automation, data science and shifting from ‘what we need to protect’ to ‘who we need to protect.’

The universal backward compatibility for the internet may also be subject to future change. Just as old versions of TLS and SSL can never be secure again, Foreshadow’s use of speculative execution has the potential capacity to break down the barriers between virtual machines – which may also impact cloud service providers and eHosting. The demand for speed of web page loading may yet prove our undoing, and the web may see an adjustment of expectations in the name of security rather than expedience.”

Bill Conner, CEO, SonicWall:

“Once again, relentless researchers are demonstrating that cyber criminals can use the very architecture of processor chips to gain access to sensitive and often highly valued information. Like its predecessors Meltdown and Spectre, Foreshadow is attacking processor, memory and cache functions to extract sought after information. Once gained, side-channels can then be used to ‘pick locks’ within highly secured personal computers or even third-party clouds undetected.

This class of attack is something that will not dissipate. Instead, attackers will only seek to benefit from the plethora of malware strains available to them and which they can formulate like malware cocktails to divert outdated technologies, security standards and tactics.”
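Several of the comments above turn on whether a given host has the OS-level patch, the hypervisor-side cache flush and an SMT decision in place. The following is an added example, not code from any of the vendors quoted, that reads the Linux kernel's one-line L1TF report from /sys/devices/system/cpu/vulnerabilities/l1tf and reduces it to those three questions; the sample status strings are constructed in the shape of that report, and the interpretation rules are an assumption about that format.

```python
"""Reading the kernel's L1TF (Foreshadow) status on a Linux host (added example).

Not vendor code. Linux reports the state of the L1TF mitigation in a single
line under /sys/devices/system/cpu/vulnerabilities/l1tf; this turns that line
into the questions a VM host operator has: is the OS mitigation active, is the
hypervisor (VMX) side mitigated, and does SMT still leave sibling-thread
leakage possible. The sample strings are constructed in the kernel's shape.
"""
import pathlib

L1TF_STATUS_FILE = pathlib.Path("/sys/devices/system/cpu/vulnerabilities/l1tf")

# Constructed samples modelled on the kernel's report format.
SAMPLES = {
    "unaffected_cpu": "Not affected",
    "unpatched": "Vulnerable",
    "patched_no_vmx": "Mitigation: PTE Inversion",
    "patched_host_smt_on":
        "Mitigation: PTE Inversion; VMX: conditional cache flushes, SMT vulnerable",
    "patched_host_smt_off":
        "Mitigation: PTE Inversion; VMX: cache flushes, SMT disabled",
    "patched_host_vmx_open": "Mitigation: PTE Inversion; VMX: vulnerable",
}


def assess_l1tf(status):
    """Map one status line to a dict of booleans (None = not reported)."""
    status = status.strip()
    result = {"affected": True, "os_mitigated": False,
              "vmm_mitigated": None, "smt_risk": None}
    if status.lower() == "not affected":
        result["affected"] = False
        return result
    if not status.lower().startswith("mitigation:"):
        return result                        # "Vulnerable" or unknown: assume the worst
    result["os_mitigated"] = True
    for section in status.split(";")[1:]:    # later sections describe the VMX side
        section = section.strip()
        if section.lower().startswith("vmx:"):
            detail = section[len("vmx:"):].strip().lower()
            result["vmm_mitigated"] = not detail.startswith("vulnerable")
            result["smt_risk"] = "smt vulnerable" in detail
    return result


def needs_action(status):
    """True when a patch, hypervisor update or SMT decision is still outstanding."""
    a = assess_l1tf(status)
    if not a["affected"]:
        return False
    return (not a["os_mitigated"]) or a["vmm_mitigated"] is False or a["smt_risk"] is True


def live_status():
    """The real report on this machine, or None when the file is absent."""
    try:
        return L1TF_STATUS_FILE.read_text().strip()
    except OSError:
        return None


if __name__ == "__main__":
    for name, line in SAMPLES.items():
        print(f"{name:22} {line!r:78} action needed: {needs_action(line)}")
    current = live_status()
    print("this host:", current if current else "no l1tf report in sysfs")
```

On a guest, or on a host without VMX in use, the report has no VMX section and the hypervisor fields stay None; the decision about SMT (leave it on with conditional flushes, or disable it) is the one the quoted comments about per-core isolation are really about, and the check above surfaces it rather than making it.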

PhishPoint Phishing Attack – A new technique to Bypass Microsoft Office 365 Protections
16.8.18 securityweek Attack 

Security experts from the cloud security firm Avanan have discovered a new technique, dubbed PhishPoint, that hackers have used to bypass Microsoft Office 365 protections.
PhishPoint is a new SharePoint phishing attack that affected an estimated 10% of Office 365 users over the last two weeks.

The experts warn that the technique has already been used in attacks by scammers and crooks to bypass the Advanced Threat Protection (ATP) mechanism of one of the most popular email services, Microsoft Office 365.

“Over the past two weeks, we detected (and blocked) a new phishing attack that affected about 10% of Avanan’s Office 365 customers. We estimate this percentage applies to Office 365 globally. PhishPoint marks an evolution in phishing attacks, where hackers go beyond just email and use SharePoint to harvest end-users’ credentials for Office 365.” reads the analysis published by Avanan.

“Essentially, hackers are using SharePoint files to host phishing links. By inserting the malicious link into a SharePoint file rather than the email itself, hackers bypass Office 365 built-in security. “

In a PhishPoint attack scenario, the victim receives an email containing a link to a SharePoint document. The content of the message is identical to a standard SharePoint invitation to collaborate.

[Image: PhishPoint attack]

Once the user clicks the hyperlink included in the fake invitation, the browser automatically opens a SharePoint file.

The SharePoint file content impersonates a standard access request to a OneDrive file, with an “Access Document” hyperlink that is actually a malicious URL that redirects the victim to a spoofed Office 365 login screen.

This landing page asks the victim to provide his login credentials.

Experts highlighted that Microsoft protection mechanisms scan the body of an email, including the links provided in it, but since the URL points to an actual SharePoint document, the protections fail in identifying the threat.
“To protect against potential threats, Office 365 scans links in email bodies to look for blacklisted or suspicious domains. Since the link in the email leads to an actual SharePoint document, Microsoft did not identify it as a threat,” the researchers said. “The crux of this attack is that Microsoft link-scanning only goes one level deep, scanning the links in the email body, but not within files hosted on their other services, such as SharePoint. In order to identify this threat, Microsoft would have to scan links within shared documents for phishing URLs. This presents a clear vulnerability that hackers have taken advantage of to propagate phishing attacks.”


The problem is that Microsoft cannot blacklist links associated with SharePoint documents.

“Even if Microsoft were to scan links within files, they would face another challenge: they could not blacklist the URL without blacklisting links to all SharePoint files. If they blacklisted the full URL of the Sharepoint file, the hackers could easily create a new URL.”

Experts recommend being suspicious of the URLs in the email body when the subject line uses URGENT or ACTION REQUIRED.
Every time a login page is displayed, double check the address bar in the web browser to verify that the page belongs to a legitimate resource, and of course, always use two-factor authentication (2FA).
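The two-level scan the researchers say Microsoft would need, written as an added example (not Avanan's or Microsoft's code): the SharePoint document contents, the trusted-host list, the blocklist and the email body are constructed samples, and the document fetch is a stub so it runs offline.

```python
"""Two-level link scan for the PhishPoint pattern (added example, not Avanan's
or Microsoft's code). A scanner that stops at the links in the email body never
sees the "Access Document" link inside the hosted SharePoint file; following
trusted share links one level further exposes it."""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s\"'<>]+")

# Assumption: hosts that legitimately serve Office 365 / SharePoint content.
TRUSTED_SUFFIXES = (".sharepoint.com", ".office.com", ".microsoftonline.com")

# Constructed blocklist of known phishing domains (placeholder value).
BLOCKLIST = {"evil.example"}

# Words that a credential-harvesting page impersonating Office 365 tends to
# put in its host name; an untrusted host carrying them is a lookalike.
LOOKALIKE_RE = re.compile(r"office|microsoft|onedrive|sharepoint|o365")

# Constructed content of the hosted SharePoint file: it mimics a OneDrive access
# request and points "Access Document" at a spoofed login page.
HOSTED_DOCS = {
    "https://contoso-my.sharepoint.com/personal/user/Documents/invoice.docx":
        '<p>You have been granted access to invoice.docx.</p>'
        '<a href="https://login.office365-secure.example/auth">Access Document</a>',
}

# Constructed phishing email: identical to a normal SharePoint sharing invitation.
EMAIL_BODY = (
    "ACTION REQUIRED: Jane Doe shared 'invoice.docx' with you.\n"
    "Open: https://contoso-my.sharepoint.com/personal/user/Documents/invoice.docx\n"
)


def extract_urls(text):
    return URL_RE.findall(text)


def is_trusted_host(url):
    host = (urlparse(url).hostname or "").lower()
    return any(host == s[1:] or host.endswith(s) for s in TRUSTED_SUFFIXES)


def fetch_document(url):
    """Stub fetcher: serves the constructed document instead of hitting the network."""
    return HOSTED_DOCS.get(url, "")


def classify_url(url):
    host = (urlparse(url).hostname or "").lower()
    if host in BLOCKLIST:
        return "blocklisted"
    if is_trusted_host(url):
        return "clean"
    if LOOKALIKE_RE.search(host):
        return "lookalike"
    return "external"


def scan_email(body, depth=1):
    """Return (url, verdict, level) for every link reached.

    depth=1 reproduces the one-level scan the researchers describe: only the
    email body is inspected. depth=2 follows links on trusted sharing hosts
    into the hosted file and classifies the links found there as well.
    """
    findings, seen = [], set()
    frontier = [(u, 1) for u in extract_urls(body)]
    while frontier:
        url, level = frontier.pop(0)
        if url in seen:
            continue
        seen.add(url)
        verdict = classify_url(url)
        findings.append((url, verdict, level))
        if verdict == "clean" and level < depth:
            # The hosted file sits on a trusted host, so the only way to judge
            # it is to look at the links it contains.
            frontier.extend((u, level + 1) for u in extract_urls(fetch_document(url)))
    return findings


def suspicious(findings):
    return [f for f in findings if f[1] in ("blocklisted", "lookalike")]


if __name__ == "__main__":
    print("one level:", suspicious(scan_email(EMAIL_BODY, depth=1)))
    print("two levels:", suspicious(scan_email(EMAIL_BODY, depth=2)))
```

With depth=1 the email is judged clean because its only link is a real SharePoint document; with depth=2 the spoofed login link inside that document is reported as a lookalike.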

If you are interested in other attack techniques discovered in recent months by Avanan, take a look at the post titled “Five Techniques to Bypass Office 365 Protections Used in Real Phishing Campaigns”.

Foreshadow Attacks – experts found 3 new Intel CPU side-channel flaws
15.8.18 securityaffairs Attack

Foreshadow Attacks – Security researchers disclosed the details of three new speculative execution side-channel attacks that affect Intel processors.
The new flaws, dubbed Foreshadow and L1 Terminal Fault (L1TF), were discovered by two independent research teams.

An attacker could exploit the Foreshadow vulnerabilities to gain access to sensitive data stored in a computer’s memory or in third-party clouds.

The flaws affect Intel’s Core and Xeon processors; they were reported to Intel in January, shortly after the disclosure of the Spectre and Meltdown attacks.

The three Foreshadow vulnerabilities are:

CVE-2018-3615, which affects Intel’s Software Guard Extensions (SGX);
CVE-2018-3620, which affects operating systems and System Management Mode (SMM);
CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).
“Today, Intel and our industry partners are sharing more details and mitigation information about a recently identified speculative execution side-channel method called L1 Terminal Fault (L1TF). This method affects select microprocessor products supporting Intel® Software Guard Extensions (Intel® SGX) and was first reported to us by researchers at KU Leuven University*, Technion – Israel Institute of Technology*, University of Michigan*, University of Adelaide* and Data61.” reads the post published by Intel.

“Further research by our security team identified two related applications of L1TF with the potential to impact other microprocessors, operating systems and virtualization software.”

Security researchers initially discovered the SGX vulnerability; Intel experts then found the two other issues while analyzing the cause of Foreshadow.

“All previously known attacks against Intel SGX rely on application-specific information leakage from either sidechannels [30, 39, 45, 51, 57, 58, 60] or software vulnerabilities [38, 59]. It was generally believed that well-written enclaves could prevent information leakage by adhering to good coding practices, such as never branching on secrets, prompting Intel to state that “in general, these research papers do not demonstrate anything new or unexpected about the Intel SGX architecture.” states the research paper.

“[Foreshadow-NG] attacks can potentially be used to read any information residing in the L1 cache, including information belonging to the System Management Mode (SMM), the Operating System’s Kernel, or Hypervisor. Perhaps most devastating, Foreshadow-NG might also be used to read information stored in other virtual machines running on the same third-party cloud, presenting a risk to cloud infrastructure. Finally, in some cases, Foreshadow-NG might bypass previous mitigations against speculative execution attacks, including countermeasures to Meltdown and Spectre,”

The good news for end users is that the patches released for these vulnerabilities don’t have a significant impact on the performance of PCs and workstations.

“Once systems are updated, the expected risk to consumer and enterprise users running non-virtualized operating systems will be low. This includes most of the data center installed base and the vast majority of PC clients. In these cases, there has been no meaningful performance impact observed as a result of mitigations applied. For a portion of the market – specifically a subset of those running traditional virtualization technology, and primarily in the data center – it may be advisable that customers or partners take additional steps to protect their systems.” said Intel.

Intel is not aware of any public exploitation of the vulnerabilities.

Major tech companies have already rolled out security updates that address the Foreshadow flaws; Microsoft, Cisco, Oracle, VMware, Linux kernel developers, the Xen Project, Red Hat and SUSE have published technical details for the vulnerabilities.

AMD systems are not affected by Foreshadow or Foreshadow-NG due to the implementation of “hardware paging architecture protections.”

Further info was shared by the researchers on a dedicated website that includes the research paper and a demo.

“Foreshadow enables an attacker to extract SGX sealing keys, previously sealed data can be modified and re-sealed,” the researchers wrote. “With the extracted sealing key, an attacker can trivially calculate a valid Message Authentication Code (MAC), thus depriving the data owner from the ability to detect the modification.”

DDoS Attacks Less Frequent But Pack More Punch: Report
8.8.18 securityweek Attack

There were seven times more distributed denial-of-service (DDoS) attacks larger than 300 Gbps (gigabits per second) observed during the first six months of 2018 compared to the first half of 2017, NETSCOUT Arbor reveals.

According to the security company’s latest threat intelligence report, the number of large DDoS attacks jumped from 7 to 47 year-over-year in the first half of 2018, and the average DDoS attack size grew 174% during that period. The overall frequency of attacks, however, went down 13%.

The overall attack size was driven by novel techniques and has seen an increase of 37% since memcached appeared (memcached amplification fueled a 1.7 Tbps attack earlier this year). Between March and June 2018, the number of vulnerable (and accessible) memcached servers dropped from 17,000 to 550.

Although it has been used for reflection/amplification for years, Simple Service Discovery Protocol (SSDP) has received increased attention this year, when it was used to deliver traffic from ephemeral source ports. There are around 33,000 SSDP reflectors that could be abused in attacks, the report reveals (PDF).

The rise of Internet of Things (IoT) devices, most of which lack proper protection, use default credentials and are plagued with both known and unknown software vulnerabilities, is expected to continue to fuel a growth in IoT botnets such as Mirai, which has spawned numerous variants over the past two years.

Attack targets have diversified, with verticals such as finance, gaming, and e-commerce being most likely to be targeted. Telecommunications providers observed the largest number of incidents, and data hosting services were also targeted.

“Today, any organization, for any real or perceived offense or affiliation, can become a target of a DDoS attack,” NETSCOUT Arbor says.

In addition to DDoS attacks, cybercrime and nation-state espionage attacks represent other types of threats posing high risks to organizations and consumers alike.

“Over the past 18 months, internet worms, supply chain attacks, and customer premises equipment (CPE)/IoT compromises have opened up internet-scale threat activity. Nation-state APT groups continue to develop globally, used as another means of state-craft and often targeting governments and institutions of geo-strategic relevance,” the report reads.

Targeting newly discovered vulnerabilities in Office, the Iran-based threat actor OilRig has been highly active over the past year. Russian-linked cyber-group Fancy Bear wasn’t dormant either, with the most noteworthy attack recently attributed to it being the VPNFilter malware campaign.

Hidden Cobra, the North Korean threat actor also known as the Lazarus Group, has been observed targeting crypto-currency exchanges, as well as Central and South American banks. Operating out of Vietnam, Ocean Lotus has been actively targeting government and finance sectors over the past year.

The crimeware sector too remains robust and NETSCOUT Arbor expects it to spread beyond its traditional attack methods. There’s an increase in the use of auto-propagation methods, which have already fueled massive malware distribution campaigns such as last year’s WannaCry and NotPetya.

“The hunger for exploitation of new vectors will also continue, as we have seen in the immense DDoS attack impact created by Memcached earlier this year,” NETSCOUT Arbor says.

The security firm also expects an increase in SSDP abuse for internal intrusion, as well as growth in the “use of legitimate software programs by espionage groups and the addition of secondary tactics such as adding crypto-currency mining by crimeware actors.”

'SegmentSmack' Flaw in Linux Kernel Allows Remote DoS Attacks
7.8.18 securityweek  Attack

A vulnerability in the Linux kernel can allow a remote attacker to trigger a denial-of-service (DoS) condition by sending specially crafted packets to the targeted system. The flaw could impact many companies.

The security hole, classified as high severity, has been named SegmentSmack and is tracked as CVE-2018-5390. The issue was discovered by Juha-Matti Tilli of Aalto University and Nokia’s Bell Labs.

The vulnerability exists due to the way versions 4.9 and later of the Linux kernel handle specially crafted TCP packets. Linux kernel developers have released a patch that should address the problem.

“A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system,” Red Hat explained in an advisory for SegmentSmack. “Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses.”

Red Hat says all its products with moderately new Linux kernel versions are affected. The company has not identified any workarounds or mitigations besides the kernel patches.

CERT/CC has also published an advisory for SegmentSmack. The organization believes the vulnerability could impact tens of major vendors, including Amazon, Apple, BlackBerry, Cisco, Dell, Google, HP, IBM, Lenovo, Microsoft and several cybersecurity and networking solutions providers.

Amazon Web Services (AWS) says it has launched an investigation into the impact of the flaw on its products.

“AWS is aware of a recently-disclosed security issue, commonly referred to as SegmentSmack, which affects the TCP processing subsystem of several popular operating systems including Linux,” AWS said. “AWS services are operating normally. We will post a further update as soon as one is available.”

SUSE Linux has also released patches, but the organization says the vulnerability only affects SUSE Linux Enterprise 15.

Dept. of Energy announced the Liberty Eclipse exercise to test electrical grid against cyber attacks
6.8.18 securityaffairs Attack

DoE announced the Liberty Eclipse exercise to test the electrical grid ‘s ability to recover from a blackout caused by cyberattacks.
This is the first time the Department of Energy will test the electrical grid’s ability to recover from a blackout caused by cyberattacks.

We have discussed many times the effects of a cyber attack against an electrical grid; the most frightening scenario is a wide power outage leaving the population in the dark.

Is this a feasible scenario for the US critical infrastructure?

The Department of Energy wants to test the resilience of an electrical grid to a cyber attack, so it is going to launch the first hands-on exercise to test the ability of the operators of such infrastructure to recover from a blackout caused by a cyber attack.

According to the E&E News website, the Department of Energy plans to conduct a weeklong experiment, dubbed ‘Liberty Eclipse,’ that will take place starting Nov. 1 on a restricted area off the coast of New York called Plum Island.

“The Department of Energy is planning an unprecedented, “hands-on” test of the grid’s ability to bounce back from a blackout caused by hackers, E&E News has learned.” reported the E&E News website.

“The “Liberty Eclipse” exercise will simulate the painstaking process of re-energizing the power grid while squaring off against a simultaneous cyberattack on electric, oil and natural gas infrastructure. The weeklong stress test is scheduled to take place this November on Plum Island, a restricted site off the coast of New York that houses a Department of Homeland Security animal disease center.”

This is the first time that the Department of Energy is planning this kind of “hands-on” test of the grid’s ability to restore operations after a blackout caused by a cyber attack. The “Liberty Eclipse” exercise aims to evaluate the response of the infrastructure to coordinated attacks against electric, oil and natural gas infrastructure. The DOE wants to prepare the country’s infrastructure for such threats.

“It’s in our national security interest to continue to protect these sources of energy and to deliver them around the world,” Energy Secretary Rick Perry said at a cybersecurity conference in New York last week.

“Taking care of that infrastructure, from the standpoint of protecting it from cyberattacks — I don’t think it’s ever been more important than it is today.”

[Image: electrical grid]

The goal of the Liberty Eclipse exercise is to prepare the response to a major incident caused by cyber attacks, which could become frequent events in the near future. Utilities that have to restore electricity following massive blackouts first need an initial jump of electricity before they can start generating it.

This operation is done by the operators by using diesel generators and other blackstart sources to choreograph “cranking paths” for restoring the functions of the electrical grid.

“Utilities can’t just flip a few switches to bring the lights on following a major shutdown. In fact, power plants typically need an initial jump of electricity before they can start generating it.” continues the E&E News website. “Power companies rely on diesel generators and other blackstart sources to choreograph “cranking paths” for bringing the grid on its feet. Once enough pockets of electricity have been brought online, operators can sync up the islands with the wider grid.”

The entire process is time-consuming and can take many hours to be completed, even under the most favorable circumstances.

The DOE aims to speed up the restoration of the electrical grid by incorporating simulated cranking paths, provided by the Defense Advanced Research Projects Agency, that were designed for this purpose.

“Together, [participants] will work to energize a blackstart cranking path by detecting the attack, cleaning malicious influence, and restoring crank path digital systems to operation,” the DOE states in a planning memo from last month.

This is the first exercise that is going to test the “blackstart” cranking paths that were excluded from previous simulations.

Google Offers G Suite Alerts for State-Sponsored Attacks
3.8.18 securityweek  Attack

Google this week announced that it can now alert G Suite admins when it believes users have been targeted by government-backed attackers.

The search company has been notifying users on what it believes might be state-sponsored attacks for over six years, and reaffirmed its commitment to continue alerting users on such incidents last year.

The Internet giant is now providing G Suite admins with the option to receive alerts whenever attacks appearing to be coming from a state-sponsored actor are targeting their users. The feature will show up in the G Suite Admin console as soon as it becomes available.

“If an admin chooses to turn the feature on, an email alert (to admins) is triggered when we believe a government-backed attacker has likely attempted to access a user’s account or computer through phishing, malware, or another method,” Google explains.

As usual, such alerts don’t necessarily imply that the account has been compromised or that the organization has been hit with a larger attack.

The new feature is turned off by default, but admins can easily enable or disable it in Admin Console > Reports > Manage Alerts > Government backed attack.

The feature also allows admins to set who is being notified when such attacks are detected (by default, super admins receive the notification via email).

Once an attack has been detected, admins can choose to secure the account suspected to have been targeted, and can also opt to alert the user on both the attack and the security measures taken.

The feature is set to gradually roll out to all G Suite editions and should be available for all admins within the next 15 days, Google said.

Companies such as Microsoft, Facebook, and Twitter are also warning users when detecting attacks believed to have been performed by a government-backed actor.

Google introduced G Suite alerts for state-sponsored attacks
3.8.18 securityaffairs  Attack

Google announced that it has implemented an alerting system for G Suite admins for cases where users have been targeted by state-sponsored attacks.
Google announced it will alert G Suite admins when state-sponsored hackers target their users.

The new feature will be available in the G Suite Admin console very soon; it confirms the effort spent by the tech giant in protecting its users.

“We’re adding a feature in the Admin console that can alert admins if we believe a user’s account has been targeted by a government-backed attack. If an admin chooses to turn the feature on, an email alert (to admins) is triggered when we believe a government-backed attacker has likely attempted to access a user’s account or computer through phishing, malware, or another method.” reads the security advisory published by Google.

“It does not necessarily mean that the account has been compromised or that there was a widespread attack on an organization.”

In June 2012, for the first time, the company announced it was going to offer a specific protection service for a restricted number of users that could be the target of state-sponsored attacks.

Google is now implementing the new protection feature within the G Suite Admin console; admins will have the opportunity to receive alerts whenever attacks could be attributed to a nation-state actor.

Every time an attack is detected, admins can choose to secure the account hit by the hackers and can also opt to alert the victim.

The alerts don’t necessarily imply that the account has been hacked or that the organization has been compromised in a massive attack.

[Image: G Suite state-sponsored attack alerts]

Google pointed out the alerts will be turned off by default, admins can choose to turn them on in the Admin Console > Reports > Manage Alerts > Government backed attack.

According to Google, the new feature is set to gradually roll out to all G Suite editions, the tech giant plans to make it available for all admins within the next 15 days.

Attacks on industrial enterprises using RMS and TeamViewer
3.8.18 Kaspersky Attack

Main facts
Kaspersky Lab ICS CERT has identified a new wave of phishing emails with malicious attachments targeting primarily companies and organizations that are, in one way or another, associated with industrial production.

The phishing emails are disguised as legitimate commercial offers and are sent mainly to industrial companies located in Russia. The content of each email reflects the activity of the organization under attack and the type of work performed by the employee to whom the email is sent.

According to the data that we have collected, this series of attacks started in November 2017 and is currently in progress. Notably, the first similar attacks were recorded as far back as 2015.

The malware used in these attacks installs legitimate remote administration software – TeamViewer or Remote Manipulator System/Remote Utilities (RMS). This enables the attackers to gain remote control of infected systems. The threat actor uses various techniques to mask the infection and the activity of malware installed in the system.

According to the data available, the attackers’ main goal is to steal money from victim organizations’ accounts. When attackers connect to a victim’s computer, they search for and analyze purchase documents, as well as the financial and accounting software used. After that, the attackers look for various ways in which they can commit financial fraud, such as spoofing the bank details used to make payments.

In cases where the cybercriminals need additional data or capabilities after infecting a system, such as privilege escalation and obtaining local administrator privileges, the theft of user authentication data for financial software and services, or Windows accounts for lateral movement, the attackers download an additional pack of malware to the system, which is specifically tailored to the attack on each individual victim. The malware pack can include spyware, additional remote administration utilities that extend the attackers’ control on infected systems, malware for exploiting operating system and application software vulnerabilities, as well as the Mimikatz utility, which provides the attackers with Windows account data.

Apparently, among other methods, the attackers obtain the information they need to perpetrate their criminal activity by analyzing the correspondence of employees at the enterprises attacked. They may also use the information found in these emails to prepare new attacks – against companies that partner with the current victim.

Clearly, on top of the financial losses, these attacks result in leaks of the victim organizations’ sensitive data.

Phishing emails
In most cases, the phishing emails have finance-related content; the names of attachments also point to their connection with finance. Specifically, some of the emails purport to be invitations to tender from large industrial companies (see below).

Malicious attachments may be packed into archives. Some of the emails have no attachments – in these cases, message text is designed to lure users into following links leading to external resources and downloading malicious objects from those resources.

Below is a sample phishing email used in attacks on some organizations:

Screenshot of a phishing email

The above email was sent on behalf of a well-known industrial organization. The domain name of the server from which the message was sent was similar to the domain name of that organization’s official website. The email had an archive attached to it. The archive was protected with a password that could be found in the message body.

It is worth noting that the attackers addressed an employee of the company under attack by his or her full name (this part of the email was masked in the screenshot above for confidentiality reasons). This indicates that the attack was carefully prepared and an individual email that included details relevant to the specific organization was created for each victim.

As part of the attacks, the threat actor uses various techniques to mask the infection. In this case, Seldon 1.7 – legitimate software designed to search for tenders – is installed in infected systems in addition to malware components and a remote administration application.

To keep users from wondering why they didn’t get information on the procurement tender referred to in the phishing email, the malicious program distributes a damaged copy of Seldon 1.7 software.

Window of legitimate software Seldon 1.7

In other cases, the user is shown a partially damaged image.

Image opened by malware

There is also a known case of malware being masked as a PDF document containing a bank transfer receipt. Curiously, the receipt contains valid data. Specifically, it mentions existing companies and their valid financial details; even a car’s VIN matches its model.

Screenshot of a bank transfer receipt displayed by malware

The malware used in these attacks installs legitimate remote administration software – TeamViewer or Remote Manipulator System/Remote Utilities (RMS).

Attacks using RMS
There are several known ways in which the malware can be installed in a system. Malicious files can be run either by an executable file attached to an email or by a specially crafted script for the Windows command interpreter.

For example, the archive mentioned above contains an executable file, which has the same name and is a password-protected self-extracting archive. The archive extracts the files and runs a script that installs and launches the actual malware in the system.

Contents of the malware installation file

It can be seen from the commands in the screenshot above that, after copying the files, the script deletes its own file and launches legitimate software in the system (Seldon v.1.7 and RMS), enabling the attackers to control the infected system without the user’s knowledge.

Depending on the malware version, files are installed in the %AppData%\LocalDataNT, %AppData%\NTLocalData or %AppData%\NTLocalAppData folder.

When it launches, legitimate RMS software loads dynamic libraries (DLL) required for the program’s operation, including the system file winspool.drv, which is located in the system folder and is used to send documents to the printer. RMS loads the library insecurely, using its relative path (the vendor has been notified of this vulnerability). This enables the attackers to conduct a DLL hijacking attack: they place a malicious library in the same directory with the RMS executable file, as a result of which a malware component loads and gains control instead of the corresponding system library.

The malicious library completes malware installation. Specifically, it creates a registry value responsible for automatically running RMS at system startup. Notably, in most cases of this campaign the registry value is placed in the RunOnce key, instead of the Run key, enabling the malware to run automatically only the next time the system starts up. After that, the malware needs to create the registry value again.

It is most likely that the attackers chose this approach to mask the presence of malware in the system as well as possible. The malicious library also implements techniques for resisting analysis and detection. One such technique involves dynamically importing Windows API functions using their hashes. This way, the attackers do not have to store the names of these functions in the malicious library’s body, which helps them to conceal the program’s real functionality from most analysis tools.

Part of a malicious code fragment implementing the dynamic import of functions

The malicious dynamic library, winspool.drv, decrypts configuration files prepared by the attackers, which contain RMS software settings, the password for remotely controlling the machine and the settings needed to notify the attackers that the system has been successfully infected.

One of the configuration files contains an email address to which information about the infected system is sent, including computer name, user name, the RMS machine’s Internet ID, etc. The Internet ID sent as part of this information is generated on a legitimate server of the RMS vendor after the computer connects to it. The identifier is subsequently used to connect to the remotely controlled system located behind NAT (a similar mechanism is also used in popular instant messaging solutions).

A list of email addresses found in the configuration files discovered is provided in the indicators of compromise section.

A modified version of RC4 is used to encrypt configuration files. Configuration files from the archive mentioned above are shown below.

Decrypted contents of InternetId.rcfg file

Decrypted contents of notification.rcfg file

Decrypted contents of Options.rcfg file

Decrypted contents of Password.rcfg file

After this, the attackers can use the system’s Internet ID and password to control it without the user’s knowledge via a legitimate RMS server, using the standard RMS client.

Attacks using TeamViewer
Attacks using legitimate TeamViewer software are very similar to those using RMS software, which are described above. A distinguishing feature is that information from infected systems is sent to malware command-and-control servers, rather than the attackers’ email address.

As in the case of RMS, malicious code is injected into the TeamViewer process by substituting a malicious library for system DLL. In the case of TeamViewer, msimg32.dll is used.

This is not a unique tactic. Legitimate TeamViewer software has been used in APT and cybercriminal attacks before. The best-known group to have used this toolset is TeamSpy Crew. We believe that the attacks described in this document are not associated with TeamSpy and are the result of known malware being re-used by another cybercriminal group. Curiously, the algorithm used to encrypt the configuration file and the password for decrypting it, which were identified in the process of analyzing these attacks, are the same as those published last April in a description of similar attacks.

It is common knowledge that legitimate TeamViewer software does not hide its startup or operation from the user and, specifically, notifies the user of incoming connections. At the same time, the attackers need to gain remote control of the infected system without the user’s knowledge. To achieve this, they hook several Windows API functions.

The functions are hooked using a well-known method called splicing. As a result, when legitimate software calls one of the Windows API functions, control is passed to the malicious DLL and the legitimate software gets a spoofed response instead of one from the operating system.

Windows API function hooked by the malware

Hooking Windows API functions enables attackers to hide TeamViewer windows, protect malware files from being detected, and control TeamViewer startup parameters.

After launching, the malicious library checks whether an internet connection is available by executing the command “ping” and then decrypts the malicious program’s configuration file tvr.cfg. The file contains various parameters, such as the password used for remotely controlling the system, URL of the attackers’ command-and-control server, parameters of the service under whose name TeamViewer will be installed, the User-Agent field of the HTTP header used in requests sent to the command-and-control server, VPN parameters for TeamViewer, etc.

Screenshot of decrypted contents of the malware configuration file

Unlike RMS, TeamViewer uses a built-in VPN to remotely control a computer located behind NAT.

As in the case of RMS, the relevant value is added to the RunOnce registry key to ensure that the malware runs automatically at system startup.

The malware collects data on the infected machine and sends it to the command-and-control server along with the system’s identifier needed for remote administration. The data sent includes:

Operating system version
User name
Computer name
Information on the privilege level of the user on whose behalf the malware is running
Whether or not a microphone and a webcam are present in the system
Whether or not antivirus software or other security solutions are installed, as well as the UAC level

Information about security software installed in the system is obtained using the following WQL query:

root\SecurityCenter:SELECT * FROM AntiVirusProduct

The information collected is sent to the attackers’ server using the following POST request:

POST request used to send encrypted data to the command-and-control server

Another distinguishing feature of attacks that involve TeamViewer is the ability to send commands to an infected system and have them executed by the malware. Commands are sent from the command-and-control server using the chat built into the TeamViewer application. The chat window is also hidden by the malicious library and the log files are deleted.

A command sent to an infected system is executed in the Windows command interpreter using the following instruction:

cmd.exe /c start /b

The parameter “/b” indicates that the command sent by the attackers for execution will be run without creating a new window.

The malware also has a mechanism for self-destructing if the appropriate command is received from the attackers’ server.

The use of additional malware
In cases where attackers need additional data (authorization data, etc.), they download spyware to victim computers in order to collect logins and passwords for mailboxes, websites, SSH/FTP/Telnet clients, as well as logging keystrokes and making screenshots.

Additional software hosted on the attackers’ servers and downloaded to victims’ computers was found to include malware from the following families:

Babylon RAT
AZORult stealer
Hallaj PRO Rat
In all probability, these Trojans were downloaded to compromised systems and used to collect information and steal data. In addition to remote administration, the capabilities of malware from these families include:

Logging keystrokes
Making screenshots
Collecting system information and information on installed programs and running processes
Downloading additional malicious files
Using the computer as a proxy server
Stealing passwords from popular programs and browsers
Stealing cryptocurrency wallets
Stealing Skype correspondence
Conducting DDoS attacks
Intercepting and spoofing user traffic
Sending any user files to the command-and-control server
In other cases observed, after an initial analysis of an infected system, the attackers downloaded an additional malware module to the victim’s computer – a self-extracting archive containing various malicious and legitimate programs, which were apparently individually selected for each specific system.

For example, if the malware had previously been executed on behalf of a user who did not have local administrator privileges, to evade the Windows User Account Control (UAC), the attackers used the DLL hijacking technique mentioned above, but this time on a Windows system file, %systemdir%\migwiz\migwiz.exe, and a library, cryptbase.dll.

Additionally, another remote administration utility, RemoteUtilities, which provides a more extensive feature set for controlling an infected machine than RMS or TeamViewer, has been installed in some systems. Its capabilities include:

Remotely controlling the system (RDP)
Transferring files to and from the infected system
Controlling power on the infected system
Remotely managing the processes of running applications
Remote shell (command line)
Managing hardware
Capturing screenshots and screen videos
Recording sound and video from recording devices connected to the infected system
Remote management of the system registry
The attackers use a modified build of RemoteUtilities, which enables them to perform the above operations without the user’s knowledge.

In some cases, the Mimikatz utility was installed in addition to cryptbase.dll and RemoteUtilities. We believe that the attackers use Mimikatz in cases when the first system infected is not one that has software for working with financial data installed on it. In these cases, the Mimikatz utility is used to steal authentication data from the organization’s employees and gain remote access to other machines on the enterprise’s network. The use of this technique by the attackers poses a serious danger: if they succeed in obtaining the account credentials for the domain administrator’s account, this will give them control of all systems on the enterprise’s network.

Attack targets
According to KSN data, from October 2017 to June 2018, about 800 computers of employees working at industrial companies were attacked using the malware described in this paper.

Number of computers attacked by month. October 2017 – June 2018

According to our estimate, at least 400 industrial companies in Russia have been targeted by this attack, including companies in the following industries:

Oil and gas
Based on this, it can be concluded that the attackers do not concentrate on companies in any specific industry or sector. At the same time, their activity clearly demonstrates their determination to compromise specifically systems belonging to industrial companies. This choice on the part of the cybercriminals could be explained by the fact that the threat awareness and cybersecurity culture in industrial companies is inferior to that in companies from other sectors of the economy (such as banks or IT companies). At the same time, as we have noted before, it is more common for industrial companies than for companies in other sectors to conduct operations involving large amounts of money on their accounts. This makes them an even more attractive target for cybercriminals.

This research demonstrates once again that even when they use simple techniques and known malware, threat actors can successfully attack many industrial companies by expertly using social engineering and masking malicious code in target systems. Criminals actively use social engineering to keep users from suspecting that their computers are infected. They also use legitimate remote administration software to evade detection by antivirus solutions.

This series of attacks targets primarily Russian organizations, but the same tactics and tools can be used in attacks against industrial companies in any country of the world.

We believe that the threat actor behind this attack is highly likely to be a criminal group whose members have a good command of Russian. This is indicated by the high level at which texts in Russian are prepared for phishing emails used in the attack, as well as the attackers’ ability to make changes to organizations’ financial data in Russian. More data about the research on the infrastructure and language used by the attackers is available in the private version of the report on the Threat Intelligence portal.

Remote administration capabilities give criminals full control of compromised systems, so possible attack scenarios are not limited to the theft of money. In the process of attacking their targets, the attackers steal sensitive data belonging to target organizations, their partners and customers, carry out surreptitious video surveillance of the victim companies’ employees, and record audio and video using devices connected to infected machines.

The various malware components used in this attack are detected by Kaspersky Lab products with the following verdicts:


DDoS attacks in Q2 18
2.8.18 Kaspersky  Attack

News overview
Q2 18 news includes: non-standard use of old vulnerabilities, new botnets, the cutthroat world of cryptocurrencies, a high-profile DDoS attack (or not) with a political subtext, the Slashdot effect, some half-baked attempts at activism, and a handful of arrests. But first things first.

Knowing what we know about the devastating consequences of DDoS attacks, we are not inclined to celebrate when our predictions come true. Alas, our forecast in the previous quarter’s report was confirmed: cybercriminals continue to seek out new non-standard amplification methods. Even before the panic over the recent wave of Memcached-based attacks had subsided, experts discovered an amplification method using another vulnerability—in the Universal Plug and Play protocol, known since 2001. It allows garbage traffic to be sent from several ports instead of just one, switching them randomly, which hinders the blocking process. Experts reported two attacks (April 11 and 26) in which this method was likely used; in the first instance, the DNS attack was amplified through UPnP, and in the second the same was applied to an NTP attack. In addition, the Kaspersky DDoS Protection team observed an attack that exploited a vulnerability in the CHARGEN protocol. A slightly weaker attack using the same protocol to amplify the flood (among other methods) targeted the provider ProtonMail, the reason for which was an unflattering comment made by the company’s executive director.

New botnets are causing more headaches for cybersecurity specialists. A noteworthy case is the creation of a botnet formed from 50,000 surveillance cameras in Japan. And a serious danger is posed by a new strain of the Hide-n-Seek malware, which was the first of all known bots to withstand, under certain circumstances, a reboot of the device on which it had set up shop. True, this botnet has not yet been used to carry out DDoS attacks, but experts do not rule out such functionality being added at a later stage, since the options for monetizing the botnet are not that many.

One of the most popular monetization methods remains attacking cryptocurrency sites and exchanges. What’s more, DDoS attacks are used not only to stop competitors from attracting investors, but as a way of making a big scoop. The incident with the cryptocurrency Verge is a case in point: in late May, a hacker attacked Verge mining pools and made off with XVG 35 million ($1.7 million). In the space of two months, the currency was hacked twice, although the preceding attack was not a DDoS.

Not only that, June 5 saw cybercriminals bring down the Bitfinex cryptocurrency exchange, with the system crash followed by a wave of garbage traffic, pointing to a multistage attack that was likely intended to undermine credibility in the site. It was probably competitive rivalry that caused the renowned online poker site, Americas Cardroom, to suffer a DDoS attack that forced first the interruption and then cancellation of a tournament. That said, it was rumored that the attack could have been a political protest against the in-game availability of Donald Trump and Kim Jong Un avatars.

As always, the most media hype in the past quarter was generated by politically motivated DDoS attacks. In mid-April, British and US law enforcement bodies warned that a significant number of devices had been seized by Russian (supposedly Kremlin-sponsored) hackers in the US, the EU, and Australia with a view to carrying out future attacks. Then just a few days later, in late April, it was a Russian target that got hit: the site of the largest Russian political party, United Russia, was down for two whole days, yet there was precious little public speculation about the masterminds behind the DDoS campaign.

An attack on the Danish railway company DSB, which struggled to serve passengers for several days as a result, was also alleged to be politically motivated. Some see it as a continuation of the attack on Swedish infrastructure last fall.

At the end of the quarter, attention was focused on the Mexican elections and an attack on an opposition party website hosting materials about the illegal activities of a rival. According to the victim, the attack began during a pre-election debate when the party’s candidate showed viewers a poster with the website address. However, it was immediately rumored that DDoS was not the culprit, but the Slashdot effect, which Reddit users also call “the hug of death.” This phenomenon has been around since the dawn of the Internet, when bandwidth was a major issue. But it’s still encountered to this day when a small resource suffers a major influx of legitimate web traffic on the back of media hype.

The Slashdot effect was also observed by the Kaspersky DDoS Protection team in early summer. After a press conference by the Russian president, a major news outlet covering the event experienced a powerful wave of tens of thousands of HTTP GET requests all sent simultaneously. The size of the supposed botnet suggested a new round of attacks involving IoT devices, but further analysis by KDP experts showed that all suspicious queries in the User Agent HTTP header contained the substring “XiaoMi MiuiBrowser”. In fact, owners of Xiaomi phones with the browser app installed received a push notification about the outcome of the conference, and it seems that many took an interest and followed the link, causing a glut of requests.

Meanwhile, law enforcement agencies have been making every effort to prevent organized attacks: in late April, Europol managed to shut down Webstresser.org, the world’s largest DDoS-for-hire service. When it was finally blocked, the portal had more than 136,000 users and had served as the source of more than 4 million DDoS attacks in recent years. After the fall of Webstresser, conflicting trends were reported: some companies observed a significant decline in DDoS activity in Europe (although they warned that the drop was going to be relatively short-lived); others, however, pointed to a rise in the number of attacks across all regions, which may have been the result of attackers seeking to compensate by creating new botnets and expanding old ones.

On top of that, several DDoS attack masterminds were caught and convicted. German hacker ZZboot was sentenced for attacking major German and British firms with ransom demands. However, he avoided jail time, receiving 22 months of probation. At the other end of the Eurasian continent, in Taipei, a hacker named Chung was arrested for allegedly attacking the Taiwan Bureau of Investigation, the Presidential Administration, Chunghwa Telecom, and the Central Bank. In the other direction, across the pond, a self-proclaimed hacktivist was arrested in the US for obstructing the work of police in Ohio.

Another, less significant, but more curious arrest took place in the US: an amateur hacker from Arizona was arrested, fined, and jailed after an online acquaintance posted a tweet with his name. Despite his rudimentary skills, the cybercriminal, calling himself the “Bitcoin Baron,” had terrorized US towns for several years, crashing the websites of official institutions and demanding ransoms; in one incident, his actions seriously hindered emergency response services. He too tried to position himself as a cyberactivist, but his bad behavior ruined any reputation he might have had, especially his alleged (only by himself, it should be said) attempt to bring down the site of a children’s hospital by flooding it with child pornography.

Quarter trends
In H1 2018, the average and maximum attack power fell significantly compared to H2 2017. This can be explained by the seasonal slowdown usually observed at the start of the year. However, a comparison of H1 indicators for 2017 and 2018 shows a measurable rise in attack power since last year.

Change in DDoS attack power, 2017-18

One way to increase the attack power is third-party amplification. As mentioned in the news overview, hackers continue to look for ways to amplify DDoS attacks through new (or well-forgotten old) vulnerabilities in widely popular software, not without success, unfortunately. This time, the KDP team detected and repelled an attack with a capacity in the tens of Gbit/s that exploited a vulnerability in the CHARGEN protocol—an old and very simple protocol described in RFC 864 way back in 1983.

CHARGEN was intended for testing and measurement purposes and can listen on both TCP and UDP sockets. In UDP mode, the CHARGEN server responds to any request with a packet containing a string of 0 to 512 random ASCII characters. Attackers abuse this mechanism by sending requests to a vulnerable CHARGEN server with the source address spoofed to that of the victim, so that the much larger replies are delivered to the victim. US-CERT estimates the amplification factor at 358.8x, but this figure is somewhat arbitrary, since the responses are generated randomly.

Despite the protocol’s age and limited scope, many open CHARGEN servers can be found on the Internet. They are mainly printers and copying devices in which the network service is enabled by default in the software.

The use of CHARGEN in UDP attacks, as reported by KDP and other providers (Radware, Nexusguard), may indicate that attacks using more convenient protocols (for example, DNS or NTP) are becoming less effective, since there exist well-developed methods to combat this kind of UDP flooding. But the simplicity of such attacks makes cybercriminals unwilling to abandon them; instead they hope that modern security systems will not be able to resist antiquated methods. And although the search for non-standard holes will doubtless continue, CHARGEN-type amplification attacks are unlikely to take the world by storm, since vulnerable servers lack a source of replenishment (how often are old copiers connected to the Internet?).
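As an added example (not part of the Kaspersky report), the following script applies the defender's view of the mechanism just described to flow records: it flags a host that receives large UDP datagrams from source port 19 from several distinct reflectors, and measures the amplification each reflector actually achieved instead of assuming the US-CERT figure. The record format, addresses and byte counts are constructed.

```python
"""Flag UDP CHARGEN reflection traffic in flow records and measure the amplification achieved.

Added example, not code from the report. Flow record format and all addresses are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

CHARGEN_PORT = 19              # RFC 864 Character Generator service
USCERT_CHARGEN_FACTOR = 358.8  # figure quoted in the text, for comparison only


@dataclass(frozen=True)
class Flow:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    packets: int
    nbytes: int


def parse_flows(lines):
    """Parse constructed 'proto src_ip:port dst_ip:port packets bytes' records."""
    flows = []
    for line in lines:
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        proto, src, dst, packets, nbytes = line.split()
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        flows.append(Flow(proto.upper(), src_ip, int(src_port),
                          dst_ip, int(dst_port), int(packets), int(nbytes)))
    return flows


def chargen_reflection_report(flows, min_reflectors=3, min_avg_bytes=200):
    """Return {victim_ip: stats} for hosts receiving UDP datagrams from source port 19
    from several distinct reflectors with a large average size. One open CHARGEN box
    answering a real client is ignored; a reflection victim sees many of them at once."""
    by_victim = defaultdict(list)
    for f in flows:
        if f.proto == "UDP" and f.src_port == CHARGEN_PORT:
            by_victim[f.dst_ip].append(f)

    report = {}
    for victim, victim_flows in by_victim.items():
        reflectors = {f.src_ip for f in victim_flows}
        packets = sum(f.packets for f in victim_flows)
        nbytes = sum(f.nbytes for f in victim_flows)
        avg = nbytes / packets
        if len(reflectors) >= min_reflectors and avg >= min_avg_bytes:
            report[victim] = {"reflectors": len(reflectors), "packets": packets,
                              "bytes": nbytes, "avg_bytes_per_packet": round(avg, 1)}
    return report


def observed_amplification(flows, reflector_ip, victim_ip):
    """Bytes the reflector sent from UDP/19 to the victim divided by bytes it received on
    UDP/19 'from' the victim (the spoofed requests). CHARGEN answers with 0..512 random
    characters, so the real factor varies per incident and is measured, not assumed.
    Returns None when no request traffic towards the reflector was seen."""
    sent = sum(f.nbytes for f in flows
               if f.proto == "UDP" and f.src_ip == reflector_ip
               and f.src_port == CHARGEN_PORT and f.dst_ip == victim_ip)
    received = sum(f.nbytes for f in flows
                   if f.proto == "UDP" and f.dst_ip == reflector_ip
                   and f.dst_port == CHARGEN_PORT and f.src_ip == victim_ip)
    return None if received == 0 else sent / received


# Constructed sample: three reflectors answer requests spoofed from 203.0.113.10;
# the last two records are ordinary traffic that must not be flagged.
SAMPLE_FLOWS = """
UDP 203.0.113.10:40000 198.51.100.1:19 100 4200   # spoofed requests, 42 B each
UDP 198.51.100.1:19 203.0.113.10:40000 100 30000  # reflected replies
UDP 203.0.113.10:40000 198.51.100.2:19 100 4200
UDP 198.51.100.2:19 203.0.113.10:40000 100 28000
UDP 203.0.113.10:40000 198.51.100.3:19 100 4200
UDP 198.51.100.3:19 203.0.113.10:40000 100 26000
UDP 192.0.2.5:19 192.0.2.6:5000 1 300             # one reflector, one packet: benign
TCP 192.0.2.7:19 192.0.2.8:5001 10 3000           # TCP CHARGEN cannot be reflected this way
"""

FLOWS = parse_flows(SAMPLE_FLOWS.splitlines())

if __name__ == "__main__":
    for victim, stats in chargen_reflection_report(FLOWS).items():
        print(f"CHARGEN reflection towards {victim}: {stats}")
        for reflector in sorted({f.src_ip for f in FLOWS if f.dst_ip == victim}):
            factor = observed_amplification(FLOWS, reflector, victim)
            print(f"  {reflector}: observed factor {factor:.1f}x "
                  f"(US-CERT estimate {USCERT_CHARGEN_FACTOR}x)")
```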

If cybercriminals are going retro in terms of methods, when it comes to targets they are breaking new ground. DDoS attacks against home users are simple, but not profitable, whereas attacks on corporations are profitable, but complex. Now DDoS planners have found a way to get the best of both worlds—in the shape of the online games industry and streamers. Let’s take as an example the growing popularity of e-sports tournaments, in which the victors walk away with tens—sometimes hundreds—of thousands of dollars. The largest events are usually held at special venues with specially set-up screens and stands for spectators, but the qualifying rounds to get there often involve playing from home. In this case, a well-planned DDoS attack against a team can easily knock it out of the tournament at an early stage. The tournament server might also be targeted, and the threat of disruption could persuade the competition organizers to pay the ransom. According to Kaspersky Lab client data, DDoS attacks on e-sports players and sites with the goal of denying access are becoming increasingly common.

Similarly, cybercriminals are trying to monetize the market of video game streaming channels. Streaming pros show live playthroughs of popular games, and viewers donate small sums to support them. Naturally, the larger the audience, the more money the streamer gets for each broadcast; top players can earn hundreds or thousands of dollars, which basically makes it their job. Competition in this segment is fierce and made worse by DDoS attacks with the capacity to interfere with livestreams, causing subscribers to look for alternatives.

Like e-sports players, home streamers have virtually no means of protection against DDoS attacks. They are essentially reliant on their Internet provider. The only solution at present could be to set up specialized platforms offering greater protection.

Kaspersky Lab has extensive experience of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor the actions of botnets using the Kaspersky DDoS Intelligence system.

The DDoS Intelligence system is part of the Kaspersky DDoS Protection solution, and intercepts and analyzes commands sent to bots from C&C servers. What’s more, the system is proactive, not reactive—there’s no need to wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q2 18.

In the context of this report, it is assumed that an incident is a separate (single) DDoS-attack if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, then this incident is considered as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky Lab. Note that botnets are just one of the tools for performing DDoS attacks, and that the data presented in this report do not cover every single DDoS attack that occurred during the period under review.
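The counting rule in the methodology above (same botnet, same target, activity periods less than 24 hours apart form one attack; a gap of 24 hours or more, or a different botnet, means a separate attack; unique targets counted by IP) is implemented below as an added example, not Kaspersky's own code. The activity records are constructed and include the exact 24-hour boundary case.

```python
"""Apply the report's DDoS-attack counting rule to botnet activity records.

Added example, not Kaspersky's code. Input records are constructed. Rule implemented:
same botnet + same target with gaps shorter than 24 hours -> one attack; a gap of
24 hours or more -> a new attack; different botnets -> always separate attacks.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MERGE_WINDOW = timedelta(hours=24)


def parse_events(lines):
    """Constructed 'ISO-timestamp botnet target_ip' records -> time-sorted tuples."""
    events = []
    for line in lines:
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        ts, botnet, target = line.split()
        events.append((datetime.fromisoformat(ts), botnet, target))
    return sorted(events)


def count_attacks(events, window=MERGE_WINDOW):
    """Group activity into attacks keyed by (botnet, target).

    A record extends the running attack if it follows the previous activity of the
    same botnet against the same target by less than `window`. A gap of exactly
    `window` or more opens a new attack: the text counts a 24-hour interval as two
    attacks, so the boundary is treated as a split.
    Returns {(botnet, target): [(start, end), ...]}.
    """
    attacks = defaultdict(list)
    for ts, botnet, target in events:       # events must be time-sorted
        spans = attacks[(botnet, target)]
        if spans and ts - spans[-1][1] < window:
            spans[-1] = (spans[-1][0], ts)  # extend the running attack
        else:
            spans.append((ts, ts))          # start a new one
    return dict(attacks)


def summarize(events, window=MERGE_WINDOW):
    """Totals in the form the report uses: attacks, unique targets (by IP), longest attack."""
    attacks = count_attacks(events, window)
    longest = max((end - start for spans in attacks.values() for start, end in spans),
                  default=timedelta(0))
    return {
        "attacks": sum(len(spans) for spans in attacks.values()),
        "unique_targets": len({target for _, target in attacks}),
        "longest_hours": longest.total_seconds() / 3600,
    }


SAMPLE_EVENTS = """
2018-04-11T00:00 botA 203.0.113.1
2018-04-11T12:00 botA 203.0.113.1   # 12 h later: same attack
2018-04-12T11:59 botA 203.0.113.1   # 23 h 59 min later: still the same attack
2018-04-13T12:00 botA 203.0.113.1   # exactly 24 h later: counted as a new attack
2018-04-11T01:00 botB 203.0.113.1   # another botnet, same target: separate attack
2018-04-20T00:00 botA 203.0.113.2   # second target
"""

EVENTS = parse_events(SAMPLE_EVENTS.splitlines())

if __name__ == "__main__":
    for (botnet, target), spans in count_attacks(EVENTS).items():
        for start, end in spans:
            print(f"{botnet} -> {target}: {start:%Y-%m-%d %H:%M} .. {end:%Y-%m-%d %H:%M}")
    print(summarize(EVENTS))
```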

Quarter results
The stormiest period for DDoS attacks was the start of the quarter, particularly mid-April. By contrast, late May and early June were fairly quiet.
Top spot in terms of number of attacks was retained by China (59.03%), with Hong Kong (17.13%) in second. It also entered the Top 3 by number of unique targets with 12.88%, behind only China (52.36%) and the US (17.75%).
The attacks were quite evenly distributed across the days of the week. The most and least popular were Tuesday and Thursday, respectively, but the difference is slight.
The share of SYN attacks rose sharply to 80.2%; second place went to UDP attacks with 10.6%.
The share of attacks from Linux botnets increased significantly to 94.47% of all single-family attacks.
Geography of attacks
The latest quarter threw up a number of surprises. The leader by number of attacks is still China, with its share practically unchanged (59.03% against 59.42% in Q1). However, for the first time since monitoring began, Hong Kong broke into the Top 3, rising from fourth to second: its share increased almost fivefold, from 3.67% to 17.13%, squeezing out the US (12.46%) and South Korea (3.21%), whose shares declined by roughly 5 p.p. each.

Another surprise package in the territorial ranking was Malaysia, which shot up to fifth place, now accounting for 1.30% of all DDoS attacks. It was joined in the Top 10 by Australia (1.17%) and Vietnam (0.50%), while the big-hitters Japan, Germany, and Russia all dropped out. Britain (0.50%) and Canada (0.69%) moved into eighth and seventh, respectively.

The Top 10 in Q2 also had a greater share of the total number of attacks than in Q1: 96.44% compared with 95.44%.

Distribution of DDoS attacks by country, Q1 and Q2 18

The territorial distribution of unique targets roughly corresponds to the distribution of the number of attacks: China has the largest share (52.36%), a rise of 5 p.p. against the previous quarter. Second place belongs to the US (17.5%) and third to Hong Kong (12.88%), up from fourth, replacing South Korea (4.76%) (note that in Hong Kong the most popular targets are now Microsoft Azure servers). Britain fell from fourth to eighth, now accounting for 0.8% of unique targets.

The Top 10 said goodbye to Japan and Germany, but welcomed Malaysia (2.27%) in fourth place and Australia (1.93%) just behind in fifth. This quarter’s Top 10 accounted for slightly more of the total number of unique attacks, reaching 95.09% against 94.17% in Q1.

Distribution of unique DDoS-attack targets by country, Q1 and Q2 18

Dynamics of the number of DDoS attacks
Peak activity in Q2 18 was observed in mid-April: a significant increase in the number of attacks was registered in the middle third of this month, with two large spikes occurring just days apart: April 11 (1163) and April 15 (1555). The quarter’s deepest troughs came in the second half and at the end: the calmest days were May 24 (13) and June 17 (16).

Dynamics of the number of DDoS attacks, Q2 18

In Q2 18, Sunday went from being the quietest day for cybercriminals to the second most active: it accounted for 14.99% of attacks, up from 10.77% in the previous quarter. But gold in terms of number of attacks went to Tuesday, which braved 17.49% of them. Thursday, meanwhile, went in the opposite direction: only 12.75% of attacks were logged on this day. Overall, as can be seen from the graph, in the period April-June the attack distribution over the days of the week was more even than at the beginning of the year.

Distribution of DDoS attacks by day of the week, Q1 and Q2 18

Duration and types of DDoS attacks
The longest attack in Q2 lasted 258 hours (almost 11 days), slightly short of the previous quarter’s record of 297 hours (12.4 days). This time, the focus of persevering hackers was an IP address belonging to China Telecom.

Overall, the share of long-duration attacks fell by 0.02 p.p. to 0.12%. Whereas the share of attacks lasting from 100 to 139 hours remained the same, the share of attacks from 10 to 50 hours almost doubled (from 8.28% to 16.27%); meanwhile, the share of attacks lasting from five to nine hours increased nearly by half (from 10.73% to 14.01%). The share of short-duration attacks (up to four hours) fell sharply from 80.73% in January to 69.49% in March.

Distribution of DDoS attacks by duration (hours), Q1 and Q2 18

All other types of attacks decreased in share; UDP attacks are in second place (10.6%), while TCP, HTTP, and ICMP constitute a relatively small proportion.

Distribution of DDoS attacks by type, Q2 18

Correlation between Windows- and Linux-based botnet attacks, Q2 18

Geographical distribution of botnets
The Top 10 regions by number of botnet C&C servers underwent some significant changes. Top spot went to the US with almost half of all C&C centers (44.75% against 29.32% in Q1). South Korea (11.05%) sank from first to second, losing nearly 20 p.p. China also dropped significantly (from 8.0% to 5.52%). Its place was taken by Italy, whose share climbed from 6.83% in the previous quarter to 8.84%. The Top 10 saw the departure of Hong Kong, but was joined—for the first time since our records began—by Vietnam, whose 3.31% was good enough for seventh place.

Distribution of botnet C&C servers by country, Q2 18

In Q2 18, cybercriminals continued the above-outlined trend of searching for exotic holes in UDP transport protocols. It surely won’t be long before we hear about other sophisticated methods of attack amplification.

Another technical discovery of note is the potential for creating botnets using the UPnP protocol; although evidence for them exists, they are still extremely rare in the wild, fortunately.

Windows botnet activity decreased: in particular, Yoyo activity experienced a multifold drop, and Nitol, Drive, and Skill also declined. Meanwhile, Xor for Linux significantly increased its number of attacks, while another infamous Linux botnet, Darkai, scaled back slightly. As a result, the most popular type of attack was SYN flooding.

The total attack duration changed little since the previous quarter, but the share of medium-duration attacks increased, while the share of shorter ones decreased. The intensity of attacks also continues to grow. The most lucrative targets for cybercriminals seem to be cryptocurrencies, but we can soon expect to see high-profile attacks against e-sports tournaments as well as relatively small ransoms targeting individual streamers and players. Accordingly, there will be market demand for affordable individual anti-DDoS protection.

Microsoft Uncovers Multi-Tier Supply Chain Attack
28.7.18 securityweek Attack

Microsoft has shared details of a new attack that attempted to spread crypto-mining malware to a large number of users by compromising a software supply partner of an application developer.

The multi-tier attack relied on compromising the shared infrastructure between a PDF editor vendor and one of its partners that provided additional font packages for the application: the attackers aimed at the supply chain of the supply chain.

Limited in nature, Microsoft said the compromise appeared to be active between January and March 2018, and could have impacted six other vendors working with the font package provider.

Carried out silently, the attack initially appeared as a typical infection and was automatically blocked, but the same infection pattern was observed across a large number of machines.

Windows Defender ATP eventually alerted on nearly 70,000 incidents involving a coin-mining process masquerading as pagefile.sys, which was launched by a service named xbox-service.exe, Microsoft’s Windows Defender ATP Research team explains.

Microsoft's investigation revealed that a malicious installer package (MSI) was being downloaded by a PDF editor during installation, along with other legitimate installers. It was then discovered that the application vendor itself hadn’t been compromised, but the malicious package was served by a partner that creates and distributes additional font packages used by the app.

The attackers discovered a weakness in the interactions between the app vendor and its partner and also found a way to leverage it to hijack the installation chain of the MSI font packages, thus turning the PDF editor into the unexpected carrier of the malicious payload.

Microsoft discovered that the attackers had created a replica of the software partner’s infrastructure on their own server and copied and hosted all MSI files, including font packages, there. They only modified an Asian fonts package to add the malicious payload to it.

The attackers also managed to influence the download parameters used by the PDF app so as to point to their server, which resulted in the download of MSI font packages from the rogue server. Thus, users ended up installing the coin miner malware along with the legitimate application.

At device restart, the malicious MSI file would be replaced with the legitimate version. Microsoft also discovered hardcoded PDF app names in the malicious package and concluded that at least six additional vendors might have been targeted by the attackers.
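As an added example (not code from Microsoft or from either vendor involved), the script below shows the control that would have broken the chain just described: the application pins every partner package it fetches at install time to a download host and a SHA-256 hash in a manifest the vendor itself controls, and aborts the whole installation if any component fails, so a replica host serving copied packages with one modified font package is rejected even for the files it did not touch. Hostnames, package bytes and the manifest are constructed.

```python
"""Pin third-party installer components to a vendor manifest before executing them.

Added example, not Microsoft's or either vendor's code. It models the gap in the incident:
partner MSI packages were fetched at install time using download parameters an attacker
could redirect, and no vendor-side pin tied them to an origin or a known hash.
Package contents, hostnames, URLs and the manifest below are constructed.
"""
import hashlib
from urllib.parse import urlparse


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for the partner's font packages.
LEGIT_ASIAN_FONTS = b"MSI-PACKAGE asian-fonts 1.0 (constructed bytes)"
LEGIT_LATIN_FONTS = b"MSI-PACKAGE latin-fonts 1.0 (constructed bytes)"
TAMPERED_ASIAN_FONTS = LEGIT_ASIAN_FONTS + b" + appended miner payload (constructed)"

# Hypothetical manifest the app vendor ships inside its own signed installer:
# package -> (the only host it may be fetched from, SHA-256 of the package the vendor tested).
MANIFEST = {
    "asian-fonts.msi": ("fonts.partner.example", sha256_hex(LEGIT_ASIAN_FONTS)),
    "latin-fonts.msi": ("fonts.partner.example", sha256_hex(LEGIT_LATIN_FONTS)),
}


def verify_package(name, url, data, manifest=MANIFEST):
    """Return (ok, reason). Unknown packages, non-HTTPS transport, a host other than the
    pinned one, and content whose hash differs from the pinned digest are all rejected."""
    if name not in manifest:
        return False, "package not in manifest"
    pinned_host, pinned_digest = manifest[name]
    u = urlparse(url)
    if u.scheme != "https":
        return False, "insecure transport"
    if u.hostname != pinned_host:
        return False, f"unexpected host {u.hostname}"
    if sha256_hex(data) != pinned_digest:
        return False, "hash mismatch"
    return True, "ok"


def verify_download_set(downloads, manifest=MANIFEST):
    """downloads: iterable of (name, url, bytes). Installation proceeds only if every
    component verifies; one failure aborts the lot, since the legitimate application
    would otherwise become the carrier for whatever the bad package contains."""
    results = {name: verify_package(name, url, data, manifest)
               for name, url, data in downloads}
    return all(ok for ok, _ in results.values()), results


# Scenario 1: packages pulled from the partner's real host, untouched.
GOOD_SET = [
    ("asian-fonts.msi", "https://fonts.partner.example/asian-fonts.msi", LEGIT_ASIAN_FONTS),
    ("latin-fonts.msi", "https://fonts.partner.example/latin-fonts.msi", LEGIT_LATIN_FONTS),
]

# Scenario 2: download parameters redirected to a replica host that copied every
# package and modified only the Asian fonts one.
REPLICA_SET = [
    ("asian-fonts.msi", "https://replica.attacker.example/asian-fonts.msi", TAMPERED_ASIAN_FONTS),
    ("latin-fonts.msi", "https://replica.attacker.example/latin-fonts.msi", LEGIT_LATIN_FONTS),
]

if __name__ == "__main__":
    for label, downloads in (("partner host", GOOD_SET), ("replica host", REPLICA_SET)):
        ok, results = verify_download_set(downloads)
        print(f"{label}: {'install' if ok else 'abort'}")
        for name, (_, reason) in results.items():
            print(f"  {name}: {reason}")
```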

“While we were not able to find evidence that these other vendors distributed the malicious MSI, the attackers were clearly operating with a broader distribution plot in mind,” Microsoft says.

Detected as Trojan:Win64/CoinMiner, the malicious miner would hide behind the name xbox-service.exe and use the infected machine’s resources to mine for Monero. The malware also attempts to prevent remote cleaning and remediation by blocking communication with the update servers of certain PDF apps.

The threat also hinted at browser scripts as an alternative form of coin mining, but it’s unclear whether this was a secondary plan or work in progress.

“This new supply chain incident did not appear to involve nation-state attackers or sophisticated adversaries but appears to be instigated by petty cybercriminals trying to profit from coin mining using hijacked computing resources,” Microsoft says.

A CrowdStrike report published earlier this week highlighted the increasing number of cyberattacks targeting the software supply chain. Some of the largest such incidents include the NotPetya and CCleaner incidents last year, which impacted millions.

Remote Spectre Attack Allows Data Theft Over Network
28.7.18 securityweek Attack

A team of researchers from the Graz University of Technology in Austria has demonstrated that Spectre attacks can be launched remotely without the need to execute code on the targeted machine.

The researchers, some of which were also involved in the discovery of the original Meltdown and Spectre vulnerabilities, have dubbed the new attack NetSpectre as it allows a remote attacker to read arbitrary memory data over the network.

NetSpectre attacks have been successfully conducted by the experts both in a local area network (LAN) and between virtual machines in Google Cloud.

While NetSpectre attacks can in theory pose a significant risk, data can only be leaked very slowly. Researchers achieved an exfiltration rate of 15 bits per hour over a local network, and 60 bits per hour by using a new AVX-based covert channel instead of a cache covert channel. This is the first Spectre attack that does not use a cache covert channel.

NetSpectre - Spectre attacks can be launched remotely

In experiments conducted using Google Cloud, researchers managed to leak data from an independent virtual machine at a rate of 3 bits per hour.

The Spectre and Meltdown speculative execution vulnerabilities impact processors from Intel, AMD, ARM and other companies, and they allow malicious applications to bypass memory isolation mechanisms and gain access to sensitive data. There are several variants of each flaw, but the original vulnerabilities are Spectre (Variant 1 and Variant 2) and Meltdown (Variant 3).

Exploitation of these flaws has required executing arbitrary code on the targeted system, but NetSpectre, which is related to Variant 1, shows that remote attacks are possible without executing code on the victim’s device.

The researchers also demonstrated that this remote attack method can be used to break the address-space layout randomization (ASLR) mitigation even if no data is leaked.

Fortunately, NetSpectre attacks can be prevented using the mitigations recommended for the original Spectre. In addition, since this is a network-based attack, network-layer countermeasures can also be effective in blocking such attacks.

“A trivial NetSpectre attack can easily be detected by a DDoS protection, as multiple thousand identical packets are sent from the same source,” researchers explained. “However, an attacker can choose any trade-off between packets per second and leaked bits per second. Thus, the speed at which bits are leaked can simply be reduced below the threshold that the DDoS monitoring can detect. This is true for any monitoring which tries to detect ongoing attacks, e.g., intrusion detection systems. Although the attack is theoretically not prevented, at some point the attack becomes infeasible, as the time required to leak a bit increases drastically.”

However, experts warned that new methods may be found in the future that bypass current protections and mitigations.

Intel has updated its whitepaper titled “Analyzing potential bounds check bypass vulnerabilities” to include NetSpectre attacks.

Jon Masters, Chief Arm Architect and Computer Microarchitecture Lead at Red Hat, says his company has “not identified any viable userspace spectre gadget attacks but are actively auditing all of the daemons that listen over the network and the rest of the stack.”

Microsoft revealed details of a supply chain attack at an unnamed maker of a PDF editor
28.7.18 securityaffairs Attack

Microsoft revealed that hackers attempted to compromise the supply chain of an unnamed maker of PDF software.
The attackers compromised a font package installed by a PDF editor app and used it to spread a crypto-mining malware on victims’ machines.

The attack was discovered by Microsoft experts who received alerts via Windows Defender ATP.

Microsoft discovered that attackers compromised the cloud server infrastructure of a software company that provides font packages for other software firms.

The packages are distributed as MSI files and experts revealed that one of the companies using these packages was the firm that developed the PDF editor application.

The compromise lasted between January and March 2018. According to the tech giant, the hackers compromised only a small number of machines, which could indicate that the affected companies working with the font package provider have a small market share.

This is a multi-tier attack in which the attackers compromised the supply chain of the supply chain.

“A new software supply chain attack unearthed by Windows Defender Advanced Threat Protection (Windows Defender ATP) emerged as an unusual multi-tier case.” reads the analysis published by Microsoft.

“Unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the app’s legitimate installer the unsuspecting carrier of a malicious payload.”


The hackers cloned the infrastructure of the company that develops the PDF Editor, setting up a server containing all MSI files, including font packages, all clean and digitally signed.

The hackers poisoned an MSI file associated with an Asian fonts pack with a crypto miner, then devised a technique to influence the download of the font by the PDF Editor from the attackers’ server.

Once the victims have installed the PDF editor app, the application will install the font packages from the cloned server managed by the attackers, including the tainted one.

Below is the multi-tier attack as described by Microsoft:

Attackers recreated the software partner’s infrastructure on a replica server that the attackers owned and controlled. They copied and hosted all MSI files, including font packages, all clean and digitally signed, in the replica server.
The attackers decompiled and modified one MSI file, an Asian fonts pack, to add the malicious payload with the coin mining code. With this package tampered with, it is no longer trusted and signed.
Using an unspecified weakness (which does not appear to be MITM or DNS hijack), the attackers were able to influence the download parameters used by the app. The parameters included a new download link that pointed to the attacker server.
As a result, for a limited period, the link used by the app to download MSI font packages pointed to a domain name registered with a Ukrainian registrar in 2015 and pointing to a server hosted on a popular cloud platform provider. The app installer from the app vendor, still legitimate and not compromised, followed the hijacked links to the attackers’ replica server instead of the software partner’s server.
The attackers targeted the supply chain by hiding the miner in an installer, which runs with full elevated privileges (SYSTEM) on a machine.

The crypto-mining malware would create a process named xbox-service.exe that abuses the computational resources of the victims to mine Monero coins.

The malware also tries to modify the Windows hosts file so that the victim’s machine can’t communicate with the update servers of certain PDF apps and security software. The trick would prevent remote cleaning and remediation of affected machines.
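As an added detection-side illustration of the hosts-file tampering described above (example code written for this page, not Microsoft's analysis tooling or the malware's code), this Go audit parses a hosts file and flags every non-local hostname that is sinkholed to loopback or 0.0.0.0, or pinned to some other address. The sample hosts content, vendor domains and addresses are constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"net"
	"strings"
)

// HostsEntry is one non-comment line of a hosts file.
type HostsEntry struct {
	Line  int
	IP    net.IP
	Names []string
}

// Finding is a hosts entry worth reviewing, with the reason it was flagged.
type Finding struct {
	Entry  HostsEntry
	Reason string
}

// sampleHosts is a constructed hosts file, not copied from an infected
// machine; the last two lines mimic entries that cut off update servers.
const sampleHosts = `# constructed sample
127.0.0.1   localhost
::1         localhost
# entries of the kind the miner adds:
0.0.0.0     update.example-pdf-vendor.invalid
127.0.0.1   liveupdate.example-av.invalid definitions.example-av.invalid
`

// localNames are hostnames that legitimately map to loopback and are ignored.
var localNames = map[string]bool{
	"localhost": true, "localhost.localdomain": true, "broadcasthost": true,
	"ip6-localhost": true, "ip6-loopback": true,
}

// parseHosts reads hosts-file syntax: optional leading whitespace, an address,
// one or more names, and an optional "# comment"; malformed lines are skipped.
func parseHosts(content string) []HostsEntry {
	var entries []HostsEntry
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := sc.Text()
		if i := strings.IndexByte(line, '#'); i >= 0 {
			line = line[:i]
		}
		fields := strings.Fields(line)
		if len(fields) < 2 {
			continue
		}
		ip := net.ParseIP(fields[0])
		if ip == nil {
			continue
		}
		entries = append(entries, HostsEntry{Line: n, IP: ip, Names: fields[1:]})
	}
	return entries
}

// auditHosts flags every non-local name that is sinkholed (loopback or
// 0.0.0.0, so the host can no longer be reached) or pinned to some other
// address (so traffic is redirected). Both are the effects described above.
func auditHosts(content string) []Finding {
	var findings []Finding
	for _, e := range parseHosts(content) {
		for _, name := range e.Names {
			if localNames[strings.ToLower(name)] {
				continue
			}
			reason := fmt.Sprintf("%s pinned to %s: resolution redirected", name, e.IP)
			if e.IP.IsLoopback() || e.IP.IsUnspecified() {
				reason = fmt.Sprintf("%s sinkholed to %s: host unreachable", name, e.IP)
			}
			findings = append(findings, Finding{Entry: e, Reason: reason})
		}
	}
	return findings
}

func main() {
	// On a Windows host the content would be read from
	// C:\Windows\System32\drivers\etc\hosts; here the constructed sample is used.
	for _, f := range auditHosts(sampleHosts) {
		fmt.Printf("line %d: %s\n", f.Entry.Line, f.Reason)
	}
}
```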

US-CERT warns of ongoing cyber attacks aimed at ERP applications
28.7.18 securityaffairs Attack

US-CERT warns of cyber attacks on ERP applications, including Oracle and SAP, and refers to an interesting report published by Digital Shadows and Onapsis.
US-CERT warns of cyber attacks on Enterprise Resource Planning (ERP) solutions such as Oracle and SAP; both nation-state actors and cybercrime syndicates are carrying out hacking campaigns against these systems.
The US-CERT bulletin references an analysis conducted by Digital Shadows and Onapsis, titled “ERP Applications Under Fire.”

“Digital Shadows Ltd. and Onapsis Inc. have released a report describing an increase in the exploitation of vulnerabilities in Enterprise Resource Planning (ERP) applications. ERP applications help organizations manage critical business processes—such as product lifecycle management, customer relationship management, and supply chain management.” reads the US-CERT bulletin.

“An attacker can exploit these vulnerabilities to obtain access to sensitive information.”

Unfortunately, an impressive number of systems are exposed online without the necessary security measures, and it is quite easy for attackers to find public exploits that could be used to hack them.

“The findings shed light into how nation-state actors, cybercriminals and hacktivist groups are actively attacking these applications and what organizations should do to mitigate this critical risk.” states the report.

“We observed detailed information on SAP hacking being exchanged at a major Russian-speaking criminal forum, as well as individuals interested in acquiring SAP HANA-specific exploits on the dark web. This goes in hand with an observed 100% increase of public exploits for SAP and Oracle ERP applications over the last three years, and a 160% increase in the activity and interest in ERP-specific vulnerabilities from 2016 to 2017.”

Below are the key findings of the report:

Hacktivist groups are actively attacking ERP applications to disrupt critical business operations and penetrate target organizations.

The experts uncovered at least nine operations carried out by hacktivist groups that targeted ERP applications, including SAP and Oracle ERP. The attackers aimed at sabotaging the applications and compromising business-critical applications.

Cybercriminals have evolved malware to target internal, “behind-the-firewall” ERP applications.

Malware authors have improved their code to target ERP applications to steal SAP user credentials and use them in cyber espionage campaigns.

Nation-state sponsored actors have targeted ERP applications for cyber espionage and sabotage.

Experts collected evidence of cyberattacks attributed to nation-state actors.

There has been a dramatic increase in the interest in exploits for SAP applications, including SAP HANA, in dark web and cybercriminal forums.

Experts observed a spike in the interest in exploits for SAP applications in the Dark Web.

Attack vectors are evolving, still mainly leveraging known ERP vulnerabilities vs. zero-days.

Threat actors continue to prefer well-known vulnerabilities over zero-day exploits for their attacks.

Cloud, mobile and digital transformations are rapidly expanding the ERP attack surface, and threat actors are taking advantage.

Researchers have identified more than 17,000 SAP and Oracle ERP applications exposed on the internet, most of them operated by the world’s largest commercial and government organizations.


“Many of these exposed systems run vulnerable versions and unprotected ERP components, which introduce a critical level of risk.” states the report.

Leaked information by third parties and employees can expose internal ERP applications.
Researchers discovered over 500 SAP configuration files on insecure file repositories exposed online, as well as employees sharing ERP login credentials in public forums. Such information is a gift for attackers.

Experts recommend that organizations carefully review configurations for known vulnerabilities, change default passwords, and enforce strong passwords for users.

SpectreRSB – new Spectre CPU side-channel attack using the Return Stack Buffer
24.7.18 securityaffairs Attack

Researchers from the University of California, Riverside (UCR) have devised a new Spectre CPU side-channel attack called SpectreRSB.
SpectreRSB leverages the speculative execution technique implemented by most modern CPUs to optimize performance.

Unlike other Spectre attacks, SpectreRSB recovers data from the speculative execution process by targeting the Return Stack Buffer (RSB).

“rather than exploiting the branch predictor unit, SpectreRSB exploits the return stack buffer (RSB), a common predictor structure in modern CPUs used to predict return addresses.” reads the research paper.

“We show that both local attacks (within the same process such as Spectre 1) and attacks on SGX are possible by constructing proof of concept attacks”

The experts demonstrated that they could pollute the RSB to control the return address and poison a CPU’s speculative execution routine.

The experts explained that the RSB is shared among hardware threads that execute on the same virtual processor, enabling inter-process, or even inter-VM, pollution of the RSB.

The academics proposed three attack scenarios that leverage the SpectreRSB attack to pollute the RSB and gain access to data they weren’t authorized to view.

In two attacks, the experts polluted the RSB to access data from other applications running on the same CPU. In the third attack, they polluted the RSB to cause a misspeculation that exposes data outside an SGX compartment.

“an attack against an SGX compartment where a malicious OS pollutes the RSB to cause a misspeculation that exposes data outside an SGX compartment. This attack bypasses all software and microcode patches on our SGX machine” continues the paper.

Researchers said they reported the issue to Intel, but also to AMD and ARM. Researchers only tested the attack on Intel CPUs, but it is likely that both AMD and ARM processors are affected because they both use RSBs to predict return addresses.

According to the researchers, current Spectre patches are not able to mitigate the SpectreRSB attacks.

“Importantly, none of the known defenses including Retpoline and Intel’s microcode patches stop all SpectreRSB attacks,” wrote the experts.

“We believe that future system developers should be aware of this vulnerability and consider it in developing defenses against speculation attacks. “

The good news is that Intel already has a patch that stops this attack on some CPUs, but it hasn’t been rolled out to all of its processors.

“In particular, on Core-i7 Skylake and newer processors (but not on Intel’s Xeon processor line), a patch called RSB refilling is used to address a vulnerability when the RSB underfills” continue the researchers.

“This defense interferes with SpectreRSB’s ability to launch attacks that switch into the kernel. We recommend that this patch should be used on all machines to protect against SpectreRSB.”

A spokesperson for Intel told El Reg the Xeon maker believes its mitigations do thwart SpectreRSB side-channel shenanigans:

“SpectreRSB is related to Branch Target Injection (CVE-2017-5715), and we expect that the exploits described in this paper are mitigated in the same manner. We have already published guidance for developers in the whitepaper, Speculative Execution Side Channel Mitigations. We are thankful for the ongoing work of the research community as we collectively work to help protect customers.”

CredSSP Flaw Exposes Pepperl+Fuchs HMI Devices to Attacks
18.7.18 securityweek  Attack 

A vulnerability in the Credential Security Support Provider (CredSSP) authentication protocol has been found to impact several human-machine interface (HMI) products from Germany-based industrial automation firm Pepperl+Fuchs.

The flaw, tracked as CVE-2018-0886, affects all supported versions of Windows and was fixed by Microsoft with its March 2018 Patch Tuesday updates.

The vulnerability was discovered by security firm Preempt, which has classified it as critical, but Microsoft, which believes exploitation is “less likely,” has assigned it only an “important” severity rating.

CredSSP processes authentication requests for applications such as the Remote Desktop Protocol (RDP) and Windows Remote Management (WinRM). A man-in-the-middle (MitM) attacker can exploit this vulnerability to remotely execute arbitrary code and move laterally within the targeted organization’s network.

Microsoft says any application using CredSSP for authentication could be vulnerable to this type of attack.

According to an advisory published by Germany’s CERT@VDE, an organization that focuses on industrial cybersecurity, CVE-2018-0886 affects Pepperl+Fuchs’ VisuNet RM, VisuNet PC, and Box Thin Client BTC human-machine interface products.

“A successful vulnerability exploitation enables an attacker to execute arbitrary code and get access to sensitive data, e.g. passwords of the compromised system. The vulnerability allows the attacker to intercept the initial RDP connection between a client and a remote-server. Then an attacker can relay user credentials to a target system and thus get complete Man in the Middle control over a session. A stolen session can be abused to run arbitrary code or commands on the target server on behalf of the user,” CERT@VDE said in its advisory.

Pepperl+Fuchs has advised owners of devices running RM Shell 4 and RM Shell 5 HMI software to install the security patches provided by the company. Users of devices running Windows 7 or Windows 10 can patch the vulnerability by updating Windows.

The advisory from CERT@VDE says Preempt reported the vulnerabilities to Pepperl+Fuchs, but the security firm told SecurityWeek that it did not explicitly reach out to any ICS vendor.

“CredSSP is a broadly used protocol and we worked with Microsoft, since it was in their software that we found these vulnerabilities,” said Ajit Sancheti, co-founder and CEO at Preempt. “It is quite likely that Pepperl+Fuchs uses the MSFT version and hence may have been informed by them.”

Products from other ICS vendors are likely also affected by the CredSSP vulnerability, but to date no other company has published security advisories.

Ticketmaster Breach: Tip of the Iceberg in Major Ongoing Magecart Attacks
12.7.18 securityweek  Attack

In June 2018, Ticketmaster UK warned that some of its customers -- which it put at less than 5% of its global customer base -- may have had their payment information accessed by an unknown third-party. Ticketmaster laid the blame on third-party provider Inbenta, who laid the blame on Ticketmaster, who in turn had been warned by online bank Monzo in April that they might have been breached. Clearly, there was more to this story than was being told at the time.

RiskIQ researchers Yonathan Klijnsma and Jordan Herman have now filled in some of the gaps. An analysis of the events suggests that the breach was bigger and over a longer period than previously thought -- but it is only one part of a much larger and ongoing campaign to steal users' payment details. The researchers go further -- naming the unknown third-party culprit as the Magecart actors.

RiskIQ has been monitoring Magecart since 2015, and produced a report in 2016. Magecart uses a form of virtual card skimming, scraping payment details during online transactions and sending the card details to the criminals. Originally, the Magecart actors hacked retail stores directly. Now it seems to have evolved to breaching the suppliers of widely used third-party components.

This is what seems to have happened with Ticketmaster UK and Inbenta. Inbenta code was compromised with the addition of Magecart skimming software. "Inbenta explained that the module was custom built for Ticketmaster," write the researchers. "To modify the source of this module, the attackers would have needed access to Inbenta's systems in some way or form. We believe that Inbenta was breached, but there is another possibility: a Ticketmaster developer account was breached to access Inbenta. Unless the companies provide more transparency into the event, we will never know."

Ticketmaster UK has said that the Inbenta breach led to subsequent 'breaches' at their Ticketmaster International, Ticketmaster UK, GETMEIN!, and TicketWeb websites. RiskIQ researchers say this list should include at least Ticketmaster New Zealand and Ticketmaster Ireland as well, and add that Ticketmaster Germany, Ticketmaster Australia, and Ticketmaster International were compromised by Magecart via a different third-party supplier of functionality -- in this case SociaPlus.

The Magecart campaign spreads far beyond just Ticketmaster and Inbenta and SociaPlus. "While Ticketmaster received the publicity and attention, the Magecart problem extends well beyond Ticketmaster," said Klijnsma. "We believe it's cause for far greater concern -- Magecart is bigger than any other credit card breach to date and isn't stopping any day soon."

The report highlights three other major component suppliers that it claims are currently breached by Magecart. The first, PushAssist, provides web analytics similar to Google Analytics. "Their server has been breached and is still serving analytics with the Magecart skimmer. The service boasts having over 10 thousand websites using its analytics platform... This means any website performing payment processing on their website that uses PushAssist is, right now, within reach of the Magecart skimmer."

The second is Clarity Connect, which provides a CMS for company owners to create an online presence with a website or web store. The Magecart actors have even left a message in the compromised code: 'If you will delete my code one more time I will encrypt all your sites: you very bad admins.' It seems, suggest the researchers, "the Magecart actors have broad access that they aren't afraid to use if the administrator removes their skimmer again. Clarity Connect's customers are affected by this injected skimmer code."

The third example is Annex Cloud, another analytics provider currently compromised by Magecart -- and again it appears as if the actors have broad access to the Annex Cloud servers.

"It appears that Magecart was able to access hundreds of other high-profile ecommerce sites during its credit card skimming campaign, which means the scale of this breach looks set to be unprecedented," comments Ross Brewer, VP & MD EMEA at LogRhythm. He notes that like many other hackers, the Magecart actors have switched their attention to the supply chain. They are, he says, "redirecting their attention to smaller, third party suppliers that can act as a gateway to more lucrative targets. As the saying goes, you're only as strong as your weakest link, which means if one of your third-party partners doesn't have the same commitment to data protection, any tools you have in place are essentially rendered useless."

Magecart, warn the RiskIQ researchers, "is an active threat that operates at a scale and breadth that rivals -- or possibly surpasses -- the recent compromises of point-of-sale systems of retail giants such as Home Depot and Target. The Magecart actors have been active since 2015 and have never retreated from their chosen criminal activity. Instead, they have continually refined their tactics and targets to maximize the return on their efforts."

San Francisco, Calif-based RiskIQ raised $30.5 million in a Series C funding round led by Georgian Partners in November 2016. This brought the total funding raised by the firm to $65.5 million.

Researchers Create Attacks That Compromise LTE Data Communication
2.7.18 securityweek Attack

Newly devised attacks on the Long Term Evolution (LTE) high-speed wireless standard break the confidentiality and privacy of communication, a team of researchers claim.

In a newly published paper (PDF), researchers from Ruhr-University Bochum and New York University Abu Dhabi present a set of attacks against LTE’s data link layer (layer two) protocols, which could be used to identify mobile users within a cell, learn what websites the user visits, and even modify the message payload.

A stealthy attacker, the researchers say, could perform an identity mapping attack and map the user’s temporary network identity (TMSI) to the temporary radio identity (RNTI). Both pieces of information are previously unknown to the attacker but are contained in the radio packets.

“More specifically, we demonstrate how an attacker can precisely localize and identify a user within the cell, distinguish multiple transmission streams, and use this information as a stepping stone for subsequent attacks,” the researchers note.

Using common paging techniques, the researchers were also able to identify and localize specific users for a pre-known TMSI within the cell. This, however, requires the use of an active interface, meaning that the attack becomes detectable.

The researchers also demonstrate that, even for encrypted transmissions, plaintext information up to the Packet Data Convergence Protocol (PDCP) can be accessed, thus de-anonymizing connections otherwise considered secure due to encryption.

Targeting TOR with their website fingerprinting attack, the researchers revealed that information leaks in the metadata of a connection could be used to distinguish between different websites. They also demonstrated how website fingerprinting can be mapped to LTE layer two attacks.

Although they achieved a high success rate with such an attack, the researchers explain that the experiments were performed on a closed LTE network completely under their control and on a small set of websites.

In addition to these passive attacks, the researchers devised an active attack on LTE’s layer two protocols. Called ALTER, it “exploits the missing integrity protection of LTE user data to perform a chosen-ciphertext attack,” affects all LTE devices and has implications up to the application layer, the research paper reads.

For this attack scenario, the researchers used a malicious relay within the vicinity of the user, which intercepts DNS requests from the mobile device and uses a manipulation mask to change the original IP address to that of the malicious DNS server.

The request is then forwarded to the commercial network, which sends it to the malicious server, and an additional manipulation in the downlink path ensures that the source IP address matches the target, thus rendering the attack undetected.

The attack, however, poses several challenges, such as luring the user into connecting to the malicious relay and maintaining a stable radio connection, and identifying the DNS requests and responses among the transmitted packets. Packet manipulation is another issue an attacker would face.

After testing the ALTER attack in a real-world setup, the researchers determined it is a feasible assault scenario. By forwarding all messages between the user device and the network, the malicious relay remains undetectable. The attack, the researchers claim, is possible despite the LTE Authentication and Key Agreement (AKA) being formally proven secure.

“While lots of research effort in LTE security focuses on the physical and network layers, the data link layer has remained unexplored until now. […] Based on our findings, we urgently demand the implementation of effective countermeasures in the upcoming 5G specification to assure the security and privacy of future mobile communication,” the paper concludes.

Security issues in the LTE standard expose billions of mobile users to attacks
1.7.18 securityaffairs Attack

Security issues in the LTE mobile device standard could be exploited by persistent attackers to spy on users’ cellular networks and hijack data traffic.
A team of researchers from Ruhr-Universität Bochum and New York University Abu Dhabi has discovered security issues in the LTE mobile device standard that could be exploited by persistent attackers (i.e. intelligence agencies, well-funded groups) to spy on users’ cellular networks, eavesdrop on communications, and hijack their data traffic.

The LTE mobile telephony standard is currently used by billions of people worldwide; compared with earlier standards, it includes many security improvements.

The experts devised surveillance techniques that allowed them to identify people within a phone tower radio cell, spy on their traffic, and redirect them to rogue websites by tampering with DNS lookups.

The researchers demonstrated three attack scenarios that target the data link layer of Long-Term Evolution networks, also known as LTE or 4G.

“Our security analysis of the mobile communication standard LTE ( Long-Term Evolution, also known as 4G) on the data link layer (so-called layer two) has uncovered three novel attack vectors that enable different attacks against the protocol.” reads the analysis published by the experts.

“On the one hand, we introduce two passive attacks that demonstrate an identity mapping attack and a method to perform website fingerprinting. On the other hand, we present an active cryptographic attack called aLTEr attack that allows an attacker to redirect network connections by performing DNS spoofing due to a specification flaw in the LTE standard.”

This data link layer lies on top of the physical channel, which maintains the wireless transmission of information between the users and the network. Layer two defines the way multiple users can access the resources of the network, helps to correct transmission errors, and implements data protection through encryption.

Researchers distinguished between passive and active attack techniques: the former include the identification and website snooping techniques, the latter is the webpage redirection attack.

The identification and website snooping techniques could allow attackers to spy on users by listening to what’s going out over the airwaves from phones, whereas the webpage redirection attack could be conducted by an attacker that sets up a malicious cell tower to tamper with transmissions.

The experts dubbed the DNS spoofing attack “aLTEr” and described it with this statement.

“The aLTEr attack exploits the fact that LTE user data is encrypted in counter mode (AES-CTR) but not integrity protected, which allows us to modify the message payload: the encryption algorithm is malleable, and an adversary can modify a ciphertext into another ciphertext which later decrypts to a related plaintext,” reads the research paper published by the experts.

“the adversary sends signals to the network or to the device by using a specific device that is capable of simulating the legitimate network or user device. In our case, the adversary does both and intercepts all transmissions between Bob and the network. Thus, Bob perceives the adversary as his usual network provider and connects to the simulation device. Towards the real network, the adversary acts like she was Bob.”


The experts conducted the attacks in a controlled environment and highlighted that the requirements are, at the moment, hard to meet in real LTE networks, though persistent attackers could replicate them in the wild.

The researchers used a shielding box to stabilize the radio layer and prevent interference during the tests.

The team set up two servers, a DNS server and an HTTP server, to show how an attacker can hijack connections (see the PoC attack video).

The experts published a paper with all the technical details of the aLTEr attack and a video PoC of the attack.

The attack also requires equipment (USRP) that goes for about $4,000 to emulate the behavior of spying boxes such as IMSI catchers or Stingray.

The researchers also described countermeasures to adopt in order to mitigate the attacks. The researchers already shared findings of their study with telco institutions, including the GSM Association (GSMA) and the 3rd Generation Partnership Project (3GPP), and telephone companies.

According to the experts, forthcoming 5G networks may also be vulnerable to these attack techniques: although the 5G standard supports authenticated encryption, it does not make it mandatory.

“The use of authenticated encryption would prevent the aLTEr attack, which can be achieved through the addition of message authentication codes to user plane packets,” the experts said.

“However, the current 5G specification does not require this security feature as mandatory, but leaves it as an optional configuration parameter.”
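
To make the malleability argument in the quotes above concrete, here is an added Python example (not code from the aLTEr paper or from any LTE implementation): a counter-mode cipher, a modification of the ciphertext that a party without the key can make, and the encrypt-then-MAC check that rejects it. It assumes an HMAC-SHA256 pseudo-random function in place of the AES block function so that it runs with the standard library only; the payload and key material are constructed.

```python
"""Counter-mode malleability and why a MAC stops it.

Added example, not code from the aLTEr paper or from any LTE stack. To stay
standard-library only, the AES block function is replaced by an HMAC-SHA256
pseudo-random function (keystream block i = HMAC(key, nonce || i)); counter
mode is plaintext XOR keystream whatever the block function, so the
malleability shown here is the same property the paper describes for AES-CTR.
"""
import hashlib
import hmac
import os
from typing import Optional, Tuple


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, nonce || counter) blocks, concatenated."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def ctr_encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """ciphertext = plaintext XOR keystream (decryption is the same operation)."""
    return bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))


ctr_decrypt = ctr_encrypt


def model_malleability(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Model the property quoted above: whoever knows that `known` sits at
    `offset` in the plaintext can XOR (known ^ wanted) into the ciphertext so
    that it decrypts to `wanted` there, without learning key or keystream."""
    assert len(known) == len(wanted)
    ct = bytearray(ciphertext)
    for i, (k, w) in enumerate(zip(known, wanted)):
        ct[offset + i] ^= k ^ w
    return bytes(ct)


def mac_tag(mac_key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    """Encrypt-then-MAC tag over nonce and ciphertext (HMAC-SHA256)."""
    return hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()


def decrypt_authenticated(enc_key: bytes, mac_key: bytes, nonce: bytes,
                          ciphertext: bytes, tag: bytes) -> Optional[bytes]:
    """Verify the tag first (constant-time); return None for any modified packet."""
    if not hmac.compare_digest(mac_tag(mac_key, nonce, ciphertext), tag):
        return None
    return ctr_decrypt(enc_key, nonce, ciphertext)


def demo() -> Tuple[bytes, Optional[bytes], Optional[bytes]]:
    """Return (what an unauthenticated receiver decrypts from the altered
    packet, what a MAC-checking receiver accepts from it, what the MAC-checking
    receiver accepts from the genuine packet)."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(16)
    plaintext = b"QNAME=example.com"  # constructed user-plane payload
    ciphertext = ctr_encrypt(enc_key, nonce, plaintext)
    tag = mac_tag(mac_key, nonce, ciphertext)

    altered = model_malleability(ciphertext, len(b"QNAME="), b"example", b"altered")
    without_mac = ctr_decrypt(enc_key, nonce, altered)                          # b"QNAME=altered.com"
    with_mac = decrypt_authenticated(enc_key, mac_key, nonce, altered, tag)     # None: rejected
    genuine = decrypt_authenticated(enc_key, mac_key, nonce, ciphertext, tag)   # original plaintext
    return without_mac, with_mac, genuine


if __name__ == "__main__":
    print(demo())
```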

The researchers will share full details about their research during the 2019 IEEE Symposium on Security and Privacy.

Researchers Devise Rowhammer Attacks Against Latest Android Versions
29.6.18 securityweek  Android  Attack 

A team of researchers from universities worldwide has devised a new set of DMA-based Rowhammer attacks against the latest Android OS, along with a lightweight defense to prevent such attacks on ARM-based devices.

Rowhammer is a vulnerability impacting dynamic random-access memory (DRAM) chips that can be abused to gain kernel privileges on Linux systems. Discovered in 2012 but documented only in 2014, the bug can also be exploited remotely using JavaScript or via graphics processing units (GPUs).

Last year, researchers from Graz University of Technology, the University of Pennsylvania (and University of Maryland), and University of Adelaide revealed a series of attack methods able to bypass existing defenses against Rowhammer.

Now, eight researchers from Vrije Universiteit Amsterdam, Amrita University India, UC Santa Barbara, and EURECOM propose RAMpage, a set of attacks that target the latest Android versions with a root exploit and app-to-app exploits that bypass all defenses.

In a research paper (PDF), they also propose GuardION, lightweight defenses that mitigate Rowhammer exploitation on ARM systems by isolating DMA buffers with DRAM-level guard rows.

Furthermore, the researchers claim that re-enabling higher order allocations, which Google disabled to prevent attacks, would improve system performance.

Rowhammer is a hardware bug that “consists of the leakage of charge between adjacent memory cells on a densely packed DRAM chip.” This means that, when a row of bits in the DRAM module is used, the neighboring rows are slightly affected, and attackers can abuse this to completely subvert a system’s security.

The issue is particularly serious on mobile devices, where hardware upgrades are not possible, the security researchers argue. They also note that existing software defenses are not effective and present attacks can circumvent all currently proposed and implemented defense techniques.

To exploit Rowhammer, an attacker needs to land a security-sensitive page in a vulnerable physical memory location and also needs to access the DRAM chip fast enough to hit the same rows before they are refreshed. They also have to determine the virtual addresses that map to the two physical rows adjacent to the victim row.

To mitigate the risks, Google disabled the contiguous heap, but left the system heap available. The company also reduced internal system heap pools to two and enforced that the system heap only returns memory pages from highmem.

By exhausting the system heap, the researchers were able to get contiguous pages and find exploitable bit flips via double-sided Rowhammer. The researchers then tricked the system into releasing pre-allocated cached memory, including the row with the vulnerable page, and developed a root exploit leveraging this attack technique.

The researchers also say it is possible to corrupt buffers belonging to another app or process, an attack scenario that could abuse privileged apps for increased damage. They also argue that an attacker could try to exhaust the Contiguous Memory Allocator (CMA) bit map, or to corrupt system memory from CMA-allocated memory. Such attacks, however, are technically challenging, the experts admit.

GuardION, the newly proposed mitigation against DMA-based Rowhammer exploits on mobile devices, focuses on limiting the capabilities of an attacker’s uncached allocations. Because only DMA allocations need this treatment, the otherwise expensive fine-grained isolation can be applied to each DMA allocation: GuardION isolates every buffer with two guard rows, one at the ‘top’ and another at the ‘bottom’.

“This enforces a strict containment policy in which bit flips that are triggered by reading from uncached memory cannot occur outside the boundaries of that DMA buffer. In effect, this design defends against Rowhammer by eradicating the ability of the attacker to inject bit flips in sensitive data,” the researchers claim.

The mitigation, however, is based on the premise that bit flips do not occur in memory pages physically located more than one row away from the aggressor rows. Such flips have never been reported, and the nature of the Rowhammer effect makes them unlikely to ever occur.

According to the research paper, not only is GuardION’s performance impact negligible, but its integration with the current Android code base is rather easy. A prototype implementation contains only 844 lines of code and touches only 9 files in the Android source code. The researchers are in the process of submitting the patch to Google for adoption.

Apophis Squad hacker group allegedly responsible for the DDoS attack against ProtonMail
29.6.18 securityaffairs Attack

A massive DDoS attack hit encrypted email provider ProtonMail; experts believe it was carried out by Russian hackers.
On Wednesday morning, ProtonMail informed customers that its systems were under an attack that was delaying the delivery of messages.

ProtonMail tweeted: “Our network is under attack again. No data is breached or lost, but emails will be delayed. We are working with our upstream providers to halt the attack as soon as possible. Here are the details of yesterday's attack: https://old.reddit.com/r/ProtonMail/comments/8u6k0k/protonmail_hard_down_right_now/e1ddek7/ … Thank you for your understanding.”

An embedded earlier tweet read: “We had an incident with the network earlier today. Service has been restored and no emails were lost. https://twitter.com/ProtonMail/status/1011858507879145473 …”

10:03 AM - Jun 28, 18

The company stressed that the email systems suffered no further problems, such as a data leak.

Some users faced problems while using the ProtonVPN service.

The company stated that the attack was prolonged; operations were restored roughly three hours after the announcement.

“The attacks went on for several hours, although the outages were far more brief, usually several minutes at a time with the longest outage on the order of 10 minutes,” reported ProtonMail.

DDoS attacks are routine for ProtonMail, but according to the company this one was exceptional.

DDoS protection provider Radware needed more time than usual to completely repel the attack, which according to ProtonMail peaked at 500 Gbps. Radware also reported that the massive DDoS leveraged multiple vectors, including several UDP reflection attacks, multiple TCP bursts, and SYN floods.

“While we don’t yet have our own measurement of the attack size, we have traced the attack back to a group that claims to have ties to Russia, and the attack is said to have been 500 Gbps, which would be among the largest DDoS’s on record,” ProtonMail explained on Reddit.

While some of the experts blamed Russia for the attack, Radware reported that the attack was launched by systems located in the UK.

According to Bleeping Computer, the group behind the attack is named Apophis Squad.

“In a private conversation with Bleeping Computer today, one of the group’s members detailed yesterday’s chain of events,” reads a blog post published by Bleeping Computer.

“The Apophis member says they targeted ProtonMail at random while testing a beta version of a DDoS booter service the group is developing and preparing to launch.”

The leader of the group told Bleeping Computer that their first attack downed the encrypted email provider for 60 seconds.

Initially, the Apophis Squad was not interested in harassing ProtonMail, but decided to prolong the attack after ProtonMail’s CTO, Bart Butler, responded to one of their tweets by calling the group “clowns.”


Today the group continued to target ProtonMail with another DDoS attack consisting of a TCP-SYN flood that peaked at 70 Gbps.

ProtonMail wasn’t the only target of the hackers; they also targeted Tutanota for a short time.

Tutanota tweeted: “We are experiencing a DDoS attack and are currently working on mitigating this. Thank you for your patience.”

12:37 AM - Jun 28, 18

The Apophis Squad is currently developing a DDoS booter service that it has advertised in recent days on Twitter and on Discord. The service promises multi-vector attacks leveraging NTP, DNS, SSDP, Memcached, LDAP, HTTP, CloudFlare bypass, VSE, ARME, Torshammer, and XML-RPC.

The group is believed to be based in Russia, but in a private conversation with BleepingComputer it said that this is not so.

Significant DDoS Attack on ProtonMail Blamed on Russia-Linked Group
28.6.18 securityweek Attack

Encrypted email provider ProtonMail was hit by a significant distributed denial-of-service (DDoS) attack that appears to have been carried out by a group linked to Russia.

ProtonMail informed customers on Wednesday morning that its network was targeted in a sustained attack. The organization said that while emails would be delayed, they were not lost as a result of the incident. Some users reported that the attack impacted the ProtonVPN VPN service as well.

ProtonMail hit by Ddos attack

Services were restored roughly three hours after the initial announcement was made.

“The attacks went on for several hours, although the outages were far more brief, usually several minutes at a time with the longest outage on the order of 10 minutes,” ProtonMail stated.

The company says it deals with DDoS attacks on a daily basis, but this attack was more significant and its DDoS protection provider, Radware, needed more time than usual to prepare mitigations.

“While we don't yet have our own measurement of the attack size, we have traced the attack back to a group that claims to have ties to Russia, and the attack is said to have been 500 Gbps, which would be among the largest DDoS's on record,” ProtonMail said in a post on Reddit.

The DDoS attack on ProtonMail may have been significant, but it does not compare to a recent attack that hit an unnamed U.S.-based service provider, which peaked at 1.7 Tbps.

A few hours after ProtonMail announced the attack, Germany-based secure email service provider Tutanota also informed users that it had been experiencing a DDoS attack, but it’s unclear if the incidents are related. Tutanota told customers that services had been restored roughly one hour later.

UPDATE. Radware told SecurityWeek that it believes the attackers are actually based in the UK, not Russia.

"We can’t confirm attack size as it varied at different points in the attack. However, we can confirm that the attack was a high-volumetric, multi-vector attack. It included several UDP reflection attacks, multiple TCP bursts, and SYN floods," Radware said.

SSDP Diffraction Abused for DDoS Amplification
28.6.18 securityweek Attack

The Simple Service Discovery Protocol (SSDP) can be abused to launch a new type of distributed denial of service (DDoS) attack in which devices respond from a non-standard port, NETSCOUT Arbor reports.

The technique, referred to as SSDP diffraction, results in UDP packets with ephemeral source and destination ports. This makes mitigation more difficult, as packet content would require inspection to filter the flood of SSDP replies and non-initial fragments.

The issue, NETSCOUT Arbor says, is that a large number of CPE (customer-provided equipment) devices use the open source library libupnp. What’s more, attackers appear aware of said behavior and “may choose a pool of these misbehaving victims based on the efficacy of their attack.”

Most of the roughly 5 million SSDP servers reachable via the Internet respond from an ephemeral source port, and because SSDP diffraction attacks using such ephemeral ports defeat naive port-filtering mitigations, DDoS protection faces a problem, the researchers suggest in a report (PDF).

SSDP, which was designed for service discovery over a local network, uses text-based HTTP messages over UDP (also known as HTTPU) on port 1900. It would respond to both packets with multicast addresses as source or destination (which only work on local network) and with unicast addresses (which are routed via the Internet).

SSDP-based reflection/amplification attacks became popular several years ago, but mitigation is straightforward, as the attack packets originate from a specific source port and contain an HTTPU response, while also having an ephemeral destination port from the original spoofed request.

“Almost all uses of SSDP occur on the local network, and most large organizations don’t rely on the protocol for mission-critical applications, so packets with a UDP/1900 source port can generally be filtered at network boundaries during a crisis,” NETSCOUT Arbor explains.

However, the DDoS protection firm also observed attacks able to bypass mitigations by leveraging SSDP diffraction: they would use high-numbered ports as the source and destination instead of relying solely on UDP/1900 source port HTTPU packets.

“Clearly either the attacker, or the author of the attack tool, was aware of the difference in efficacy of both the normal attack and the diffraction attack,” the researchers say.

After scanning the Internet for SSDP devices, the researchers discovered that over half of them would respond with UDP packets with a source port other than 1900.

China emerged as the country with most responding devices, both behaving (responding with a source port of 1900) and misbehaving (responding with other source ports). Russia, Vietnam, South Korea, and Venezuela are also top sources of misbehaving devices.

Further investigation revealed that libupnp (Portable SDK for UPnP Devices) might be responsible for the bad behavior: not only does it create “a new socket for responses, resulting in a new ephemeral port,” but it also uses by default the unique Server HTTPU header and the X-User-Agent: redsonic HTTPU header, both of which appear representative of the misbehaving set of devices.

“Attacks will always incrementally evolve just enough to evade defenses. In this case we identified an effective new twist on an old, well-understood attack type. This revelation reminds us that defenders must constantly be aware of evolving attack methods and be as adaptable as the attackers. This specific attack highlights two trends we see time and again: old code containing bugs being re-used in new consumer products, and subsequent exposure of those vulnerable populations,” NETSCOUT Arbor concludes.
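
As an added example (not NETSCOUT Arbor's code), the following Python contrasts the naive UDP/1900 source-port filter with a content-aware filter on constructed datagrams: a classic reflected reply, a diffraction reply sent from an ephemeral port, its non-initial fragment, and two unrelated UDP packets. The TEST-NET addresses, the IP identification values and the HTTPU payload are constructed.

```python
"""Filtering SSDP reflection floods: naive UDP/1900 port filter versus
payload inspection that also catches the "diffraction" variant.

Added example, not NETSCOUT Arbor's code. The datagrams below are constructed
in-line; the field set models what a boundary filter sees (IP source, IP
identification, UDP ports when a UDP header is present, payload, more-fragments flag).
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SSDP_PORT = 1900


@dataclass
class Datagram:
    src_ip: str
    ip_id: int                 # IP identification, shared by all fragments of one datagram
    src_port: Optional[int]    # None on a non-initial fragment (it carries no UDP header)
    dst_port: Optional[int]
    payload: bytes
    more_fragments: bool = False


def naive_port_filter(d: Datagram) -> bool:
    """Classic mitigation: drop anything sourced from UDP/1900."""
    return d.src_port == SSDP_PORT


def looks_like_httpu_reply(payload: bytes) -> bool:
    """Recognise an SSDP HTTPU response by content, whatever port it used."""
    head = payload[:512].decode("ascii", "replace").upper()
    if not head.startswith("HTTP/1.1 200 OK"):
        return False
    # SSDP replies carry ST: and USN: headers; libupnp-based stacks also send
    # the fixed "X-User-Agent: redsonic" header noted in the report.
    return ("\r\nST:" in head and "\r\nUSN:" in head) or "\r\nX-USER-AGENT: REDSONIC" in head


class DiffractionFilter:
    """Drops SSDP replies on any source port plus their non-initial fragments."""

    def __init__(self) -> None:
        self.flagged: Set[Tuple[str, int]] = set()  # (src_ip, ip_id) judged SSDP

    def should_drop(self, d: Datagram) -> bool:
        if d.src_port is None:
            # Non-initial fragment: no ports and no HTTPU text to inspect; rely on
            # the state recorded when the initial fragment of the same datagram passed.
            return (d.src_ip, d.ip_id) in self.flagged
        drop = d.src_port == SSDP_PORT or looks_like_httpu_reply(d.payload)
        if drop and d.more_fragments:
            self.flagged.add((d.src_ip, d.ip_id))
        return drop


# Constructed SSDP response as a libupnp-style device would send it.
SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
              b"ST: upnp:rootdevice\r\nUSN: uuid:constructed-0001::upnp:rootdevice\r\n"
              b"SERVER: Linux UPnP/1.0 Constructed/1.0\r\nX-User-Agent: redsonic\r\n\r\n")

# Constructed traffic sample arriving at the victim's network boundary.
SAMPLE: List[Datagram] = [
    Datagram("198.51.100.7", 1, SSDP_PORT, 40001, SSDP_REPLY),                   # classic reflection
    Datagram("198.51.100.9", 7, 49152, 40001, SSDP_REPLY, more_fragments=True),  # diffraction
    Datagram("198.51.100.9", 7, None, None, b"\x00" * 64),                       # its second fragment
    Datagram("198.51.100.53", 2, 53, 40002, b"\x12\x34\x81\x80"),                # DNS reply, keep
    Datagram("198.51.100.80", 3, 443, 40003, b"\xc0\x00\x00\x01"),               # other UDP, keep
]


def run_filters(datagrams: List[Datagram]) -> Tuple[List[int], List[int]]:
    """Return the indexes dropped by the naive filter and by the diffraction-aware one."""
    aware = DiffractionFilter()
    naive_dropped, aware_dropped = [], []
    for i, d in enumerate(datagrams):
        if naive_port_filter(d):
            naive_dropped.append(i)
        if aware.should_drop(d):
            aware_dropped.append(i)
    return naive_dropped, aware_dropped


if __name__ == "__main__":
    print(run_filters(SAMPLE))  # ([0], [0, 1, 2])
```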

China-linked Hackers Targeting Air-Gapped Systems: Report
26.6.18 securityweek  Attack

The cyber espionage group known as "Tick" has been targeting a secure USB drive built by a South Korean defense company, likely in an attempt to compromise air-gapped systems, Palo Alto Networks reports.

Also known as Bronze Butler, Tick is believed to be based in China and to have been active for at least a decade, although it was detailed for the first time only in April 2016. The group is mainly targeting Japan and South Korea, but variants of their malware were also observed in attacks on organizations in Russia, Singapore, and China.

To date, the group has been observed employing a variety of custom malware families, including Minzen, Datper, Nioupale (aka Daserf), and HomamDownloader.

The attempt to weaponize a secure USB drive is an attack technique uncommon for the actor, which led security researchers to the conclusion that the assault was likely aiming at air-gapped systems (machines that are not connected to the public Internet).

The malware used in these attacks was designed to target systems running Windows XP or Windows Server 2003, which are older, out-of-support OS versions. Air-gapped systems, Palo Alto says, are commonly used in many countries by government, military, and defense contractors, and other industry verticals.

Although no public reports of the attack were published until now, the malware observed in this incident was likely used many years ago.

“Based on the data collected, we do not believe this malware is part of any active threat campaign,” Palo Alto says.

Although they don’t have a complete picture of the past attack, the researchers believe Tick managed to compromise the secure USB drive model and load a malicious file onto an unknown number of devices, which are supposedly certified as secure by the South Korean ITSCC.

The group also created a malware family dubbed SymonLoader, which is loaded onto older Windows machines and continuously looks for these specific USB drives. When it detects a targeted secure USB drive, SymonLoader attempts to load the unknown malicious file using APIs that directly access the file system (it saves the file to the temp directory and executes it).

Without a compromised USB drive or the unknown malicious file, the security researchers were not able to determine the manner in which the USB drives have been compromised.

“Specifically, we do not know if there has been a successful compromise in the supply-chain making these devices, or if these have been compromised post-manufacturing and distributed using other means such as social engineering,” Palo Alto notes.

The malware loader was observed being installed by a Trojanized version of a legitimate Japanese-language Go game, which was first observed on January 21, 2018. Previously, the Trojanized application was seen dropping HomamDownloader, which can install malicious files from a remote command and control (C&C) server.

“Despite the differences from previous samples, we believe this sample is related to the Tick group because the shellcode in the Trojanized Japanese game is exactly the same as that found in the Trojanized Korean programs described earlier. Also, SymonLoader shares code with HomamDownloader,” Palo Alto says.

The analyzed SymonLoader sample was apparently created on September 26, 2012, by which time both Windows 7 and Windows Server 2008 had already been released. The malware, however, specifically targets only Windows XP and Windows Server 2003, and only searches for USB drives built by a South Korean company that develops information and communication security equipment for military, police, government agencies and public institutions.

“The attacker encrypted the unknown executable file and concealed it at the ending part of the secure USB storage in advance. The hidden data is not accessible through logical file operation APIs, such as ReadFile(). Instead, SymonLoader uses Logical Block Addressing (LBA) and SCSI commands to read the data physically from the particular expected location on the removable drive,” the researchers explain.

Google Devices Leak Precise Physical Locations: Researcher
21.6.18 securityweek  Attack

A newly discovered attack against Google Home and Chromecast devices can reveal a user’s precise physical location, a security researcher has discovered.

The issue, Tripwire’s Craig Young reveals, is related to two problems common to Internet of Things (IoT) devices: the rare use of authentication for connections received on a local network and the frequent use of HTTP for configuration or control. Because of these poor design choices, websites can sometimes interact with network devices.

Young discovered that Google’s Home app, which is used to configure Google Home and Chromecast, performs some tasks using a local HTTP server, and some commands are sent directly to the device, without authentication.

The app implies that the user should be logged into a Google account linked with the target device, but no authentication mechanism is built into the protocol level, Young says.

Using an attack technique called DNS rebinding, the security researcher was able to “use data extracted from the devices to determine their physical location with astonishing accuracy.” Young also published the video below detailing the attack.

Through DNS rebinding, an attacker can implement a piece of code on a website to bridge to the local network and bypass the same-origin policy (SOP).

The code points to a subdomain of the site, whose DNS server is configured to alternate between an attacker-controlled address and a local address. When the victim accesses the website, the browser first resolves the name to the attacker-controlled server, whose answer carries a short time to live (TTL); on the next lookup the name switches to localhost.

“I was able to create a basic end-to-end attack that worked for me in Linux, Windows and macOS using Chrome or Firefox. Starting from a generic URL, my attack first identifies the local subnet and then scans it looking for the Google devices and registers a subdomain ID to initiate DNS rebinding on the victim. About a minute after the page had loaded, I was looking at my house on Google Maps,” Young says.

The security researcher also notes that, even in incognito mode, Google Maps can typically locate a device to within 10 meters. This is apparently possible through the analysis of Wi-Fi access point data and triangulation using information collected from devices that opted into Google’s enhanced location services.

The newly discovered attack, the researcher says, can be leveraged for blackmail or extortion purposes, in scams like fake FBI or IRS threats to release sensitive information or photos to friends and family.

Furthermore, because DNS rebinding is not the only way to exploit this bug, browser extensions and mobile apps can abuse “their unrestricted network access to directly query the devices without relying on or waiting for a DNS cache refresh.” Thus, advertisers can obtain location data and correlate it to other tracked web activity to tie it to a real-world identity.

“These problems are not specific to Google devices. Over the years that I’ve been auditing embedded devices, it is not the first time that I’ve seen a device supplying WiFi survey data or other unique device details like serial numbers. Smart TV’s, for example, commonly identify themselves with a unique screen ID as part of the DIAL protocol used to support Cast-like functionality,” Young says.

While the best mitigation is to disconnect such devices completely, Young acknowledges that in today’s connected world this might not be an option. However, there are steps users can take to minimize exposure.

One way of dealing with this is network segmentation, where all connected devices use their own network, separate from the normal home network on which all Internet browsing occurs. Adding a second router, specifically for these connected devices, is the best option for most users, the researcher suggests.

Using a DNS rebind protection solution is another way to prevent such an attack. According to Young, the DNS software commonly used in consumer routers does include DNS rebind protection, although it isn’t always enabled or easy to enable. Deploying a local DNS server with rebinding protections enabled is also an option.

“In the face of DNS rebinding and mobile apps, all services running on the local network (and especially HTTP services) must be designed as if they were directly exposed to the Internet. We must assume that any data accessible on the local network without credentials is also accessible to hostile adversaries. This means that all requests must be authenticated and all unauthenticated responses should be as generic as possible,” Young says.
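
The rebind-protection behaviour described above, as an added Python example (not Tripwire's code nor any router vendor's implementation): a resolver-side guard that refuses to return internal addresses for names outside configured local zones and, as an assumed policy, clamps very short TTLs so that a follow-up lookup cannot flip the answer seconds later. The records, the trusted zone `home.arpa` and the TTL floor are constructed.

```python
"""Resolver-side DNS rebinding protection.

Added example modelled on the "DNS rebind protection" the article attributes
to consumer-router DNS software; not Tripwire's code nor any vendor's. Records
are constructed in-line as (qname, ttl, address) tuples; in a deployment they
would be the answer records of upstream responses.
"""
import ipaddress
from typing import Iterable, List, Tuple

Record = Tuple[str, int, str]

# Ranges an external name has no legitimate reason to resolve to.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
    "::/128", "::1/128", "fc00::/7", "fe80::/10",
)]


def is_internal(address: str) -> bool:
    """True for private, loopback, link-local or unparsable addresses."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return True  # junk in an answer is treated as hostile
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # ::ffff:192.168.1.1 is still 192.168.1.1
    return any(ip in net for net in INTERNAL_NETWORKS)


class RebindGuard:
    def __init__(self, trusted_suffixes: Iterable[str] = (), min_ttl: int = 60):
        # Zones that may legitimately resolve to internal addresses (assumed config).
        self.trusted = tuple(s.lower().strip(".") for s in trusted_suffixes)
        self.min_ttl = min_ttl

    def _in_trusted_zone(self, qname: str) -> bool:
        q = qname.lower().strip(".")
        return any(q == s or q.endswith("." + s) for s in self.trusted)

    def check(self, qname: str, ttl: int, address: str) -> Tuple[bool, str, int]:
        """Return (allowed, reason, ttl_to_return_to_client)."""
        if self._in_trusted_zone(qname):
            return True, "name is in a trusted local zone", ttl
        if is_internal(address):
            return False, "external name resolved to an internal address", 0
        # The attack relies on a short TTL to force a quick second lookup.
        # Clamping is an assumed policy here, not what every resolver does.
        return True, "ok", max(ttl, self.min_ttl)

    def filter_response(self, records: Iterable[Record]) -> List[Record]:
        """Drop offending records from a response and return the kept ones."""
        kept: List[Record] = []
        for qname, ttl, address in records:
            allowed, _, ttl_out = self.check(qname, ttl, address)
            if allowed:
                kept.append((qname, ttl_out, address))
        return kept


# Constructed answers: the rebinding pair for www.example.com, a genuine local
# name, and an IPv4-mapped IPv6 attempt to slip past an IPv4-only check.
SAMPLE_RESPONSE: List[Record] = [
    ("www.example.com", 5, "203.0.113.10"),
    ("www.example.com", 5, "192.168.1.40"),
    ("cast.home.arpa", 300, "192.168.1.40"),
    ("v6.example.net", 1, "::ffff:10.0.0.5"),
]


if __name__ == "__main__":
    guard = RebindGuard(trusted_suffixes=["home.arpa"], min_ttl=60)
    print(guard.filter_response(SAMPLE_RESPONSE))
```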

Many Drupal Sites Still Vulnerable to Drupalgeddon2 Attacks
6.6.18 securityweek Attack

At least 115,000 websites powered by version 7 of the Drupal content management system are still vulnerable to Drupalgeddon2 attacks, despite patches being available since late March.

The flaw dubbed Drupalgeddon2 is officially tracked as CVE-2018-7600. It allows a remote attacker to execute arbitrary code and take complete control of a website running Drupal 6, 7 or 8. The issue has been patched with the release of versions 7.58, 8.5.1, 8.3.9 and 8.4.6, with fixes also available for Drupal 6, which has not been supported since February 2016.

Drupalgeddon2 has been exploited by malicious actors for both server-side and client-side attacks that deliver cryptocurrency miners, backdoors, RATs and tech support scams.

Despite the high risk of attacks, many administrators of Drupal websites still haven’t applied the patches.

Researcher Troy Mursch has conducted an analysis of Drupal 7 websites – Drupal 7 is the most widely used version and it currently powers more than 830,000 sites – and found that many are still vulnerable.

Mursch identified nearly 500,000 Drupal 7 websites through the PublicWWW source code search engine and found that 115,070 were running outdated and vulnerable versions of the CMS. The analysis showed that roughly 134,000 sites were not vulnerable, while for 225,000 the version in use could not be determined.

“Numerous vulnerable sites found in the Alexa Top 1 Million included websites of major educational institutions in the United States and government organizations around the world. Other notable unpatched sites found were of a large television network, a multinational mass media and entertainment conglomerate, and two well-known computer hardware manufacturers,” Mursch wrote on his Bad Packets Report blog.

The list of vulnerable websites has not been made public, but the researcher did send it to US-CERT and the Drupal Security Team.

While conducting the analysis, Mursch discovered a significant cryptojacking campaign that leverages the Coinhive service. Malicious actors managed to compromise at least 258 Drupal sites and abused them to mine for cryptocurrency. The list of victims included the Attorney General’s Office in Colorado, a police department in Belgium, and Fiat-owned automotive parts manufacturer Magneti Marelli.

An India-based research organization hit by this campaign had updated Drupal, but it failed to remove the malicious code. As the Drupal Security Team warned, updating the CMS does not remove malicious code from already compromised websites.

This is the second cryptojacking campaign discovered by Mursch since the disclosure of Drupalgeddon2. In early May, he reported discovering more than 300 websites hacked in a similar operation, including sites belonging to universities and governments.

During the analysis of Drupalgeddon2, the Drupal Security Team and developer Jasper Mattsson, who also reported the original vulnerability, identified another flaw. This second vulnerability, tracked as CVE-2018-7602 and dubbed by some Drupalgeddon3, has also been exploited in the wild.

Hardcoded Credentials Expose Yokogawa Controllers to Attacks
3.6.18 securityweek Attack

Japanese electrical engineering company Yokogawa has released firmware updates for its STARDOM controllers to address a critical vulnerability that can be exploited remotely to take control of the device.

Yokogawa’s STARDOM FCJ, FCN-100, FCN-RTU and FCN-500 controllers running firmware version R4.02 or earlier have a hardcoded username and password that can be used by an attacker with access to the network to log in to the device and execute system commands.

The flaw is tracked as CVE-2018-10592 and has been rated critical by both ICS-CERT and Yokogawa itself. The issue was discovered by VDLab, an industrial cybersecurity lab set up by Chinese companies Venustech and Dongfang Electric.

The vendor patched the vulnerability with the release of version R4.10. Customers have been advised to update the firmware on their devices and also implement overall security measures to protect their systems.

Critical vulnerability found in Yokogawa controllers

The FCN-500 product has been designed for high reliability and speed, and it includes features designed to ensure that processes are not interrupted even if a module is replaced. The FCN-RTU model is designed for inhospitable locations where low power consumption is needed. The products are used worldwide in the energy, critical manufacturing, and food and agriculture sectors. The FCJ and FCN-100 models were discontinued in mid-2016.

Yokogawa has published a total of four security advisories this year. One published in January warns customers that CENTUM and Exaopc products are affected by a vulnerability that allows a local attacker to trigger false system and process alarms, and prevent alarm notifications from being displayed to the user.

An advisory from late April describes authentication bypass and denial-of-service (DoS) flaws affecting Vnet/IP switches. The company has also alerted customers to the risks introduced by the use of the Intel Management Engine, which has several potentially serious vulnerabilities.

Punycode Makes SMiShing Attacks More Deceiving
2.6.18 securityweek Attack

Phishing attacks carried out via text messages that use the “Punycode” technique to make nefarious URLs look legitimate are becoming more popular, cloud security firm Zscaler says.

Referred to as SMiShing, SMS phishing is a technique where attackers use text messages in an attempt to trick users into clicking a link that usually leads to malware or asks for sensitive information from the victims.

Recently, cybercriminals engaged in SMiShing campaigns started using Punycode-encoded internationalized domain names (a technique known as a homograph attack) to deceive users into believing they are accessing a legitimate link. Specifically, the attackers replace one or more characters in the URL with similar-looking Unicode characters that are represented differently once encoded in Punycode.

Attacks leveraging Punycode are not new and have previously targeted Office 365 business users and Chrome and Firefox users, but only recently have they started occurring more frequently in text message attacks.

SMiShing has been on the rise since the beginning of the year, and the adoption of new techniques clearly makes it an important threat.

The use of Punycode as part of SMiShing campaigns increases the chances for successful compromise, as mobile phone users are unlikely to notice the modified URL.

In one of the observed incidents, the unsuspecting user received a WhatsApp message pretending to link to a Jet Airways offer of free air tickets. Although it looked like the actual jetairways.com website, the link used a homograph attack and took the user to xn--jetarways-ypb.com instead.

If the link is accessed on an iPhone, Safari attempts to load the phishing website without displaying the correct link. Chrome on Android, however, displays the correct link (shows the URL in Punycode format) instead.

“The Web browsers decide whether to display the IDN or Punycode format based on conditions like the presence of certain characters which can spoof the separators like "." or "/", determining whether all characters come from same language, if characters belong to allowable combinations or by checking if the domain belongs to whitelisted TLDs,” Zscaler explains.

The domain used as part of the observed attack was newly registered, within the last two weeks, the researchers say. They also note that, after being served the phishing page, victims are redirected to another domain, newuewfarben[.]com, which can be used to serve malware.

“SMiShing has been on a rise in year 18 and the addition of homograph technique will continue to make it more effective against unsuspecting mobile users. Web browsers have implemented protections against homograph attacks, but because of the legitimate use of Punycode characters, it becomes very difficult for the developers to implement a foolproof fix. Attackers leverage this to work around the rules and create homographs which are displayed as IDNs despite being malicious in nature,” Zscaler concludes.
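How the Jet Airways homograph looks to a resolver versus a user, and two checks a mail or SMS gateway can run on a link before it reaches a phone, as an added example (written for this page, not Zscaler's code). It relies on Python's built-in idna codec; the confusables table is a small constructed subset of the Unicode TR39 data, and the list of protected brands is an assumption. The mixed-script rule is roughly what browsers apply; the skeleton comparison is what catches a single-script lookalike such as the dotless i, which the mixed-script rule lets through.

```python
import unicodedata

# Constructed subset of look-alike characters; a real deployment would load the
# full Unicode TR39 confusables.txt table instead.
CONFUSABLES = {
    "\u0131": "i",  # LATIN SMALL LETTER DOTLESS I (the Jet Airways lure)
    "\u00ed": "i",  # LATIN SMALL LETTER I WITH ACUTE
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u04bb": "h",  # CYRILLIC SMALL LETTER SHHA
}


def to_unicode(host: str) -> str:
    """Return the U-label (Unicode) form of a hostname given in either form."""
    return host.encode("idna").decode("idna")


def to_ascii(host: str) -> str:
    """Return the A-label ('xn--') form, which is what DNS actually resolves."""
    return host.encode("idna").decode("ascii")


def script_names(label: str) -> set:
    """Rough per-character script, taken from the first word of the Unicode name."""
    names = set()
    for ch in label:
        if ch.isascii():
            names.add("LATIN" if ch.isalpha() else "COMMON")
        else:
            names.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return names


def skeleton(label: str) -> str:
    """Map confusable characters to their ASCII look-alikes (simplified TR39 skeleton)."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))


def assess(host: str, protected_brands) -> tuple:
    """Classify a hostname: 'ascii', 'mixed-script', 'confusable' or 'idn'.

    'mixed-script' is close to the rule browsers use to decide whether to show
    the Unicode form; 'confusable' catches the single-script case that rule misses."""
    decoded = to_unicode(host)
    if decoded.isascii():
        return "ascii", decoded
    labels = decoded.split(".")
    for label in labels:
        if len(script_names(label) - {"COMMON"}) > 1:
            return "mixed-script", decoded
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    if skeleton(sld) != sld and skeleton(sld) in protected_brands:
        return "confusable", decoded
    return "idn", decoded
```

A gateway would run assess() on every hostname in a message and rewrite or block anything that comes back 'mixed-script' or 'confusable'; 'idn' is a legitimate internationalized name (for example a German umlaut domain) and must not be blocked outright, which is exactly why browsers cannot simply refuse all Punycode.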

Crashing HDDs by launching an attack with sonic and ultrasonic signals

2.6.18 securityaffairs Attack

A team of researchers from the University of Michigan and Zhejiang University has devised a method of disrupting, and potentially damaging, hard disk drives with sonic and ultrasonic signals.
An attacker only needs to play the sound through the target computer's built-in speaker or through a speaker nearby.

The principle is simple: specially crafted acoustic signals induce vibrations in the HDD's mechanical components that are strong enough to interfere with its operation.

Modern HDDs use shock sensors to protect against head crashes, parking the read/write head when a shock is detected. The researchers demonstrated that sonic and ultrasonic sound can produce false positives in the shock sensor, so that the drive parks the head when it should not and I/O stalls.

“We created and modeled a new feedback controller that could be deployed as a firmware update to attenuate the intentional acoustic interference. Our sensor fusion method prevents unnecessary head parking by detecting ultrasonic triggering of the shock sensor,” reads the paper published by the experts.


The experts demonstrated the technique in real-world attacks against HDDs in desktop computers and CCTV (closed-circuit television) systems.

The attacker only needs to trick the victim into playing a malicious audio file, for example one attached to an email or embedded in a specially crafted web page.

“Our case studies show that an attacker can use the effects from hard disk drive vulnerabilities to launch system level consequences such as crashing Windows on a laptop using the built-in speaker and preventing surveillance systems from recording video. We delve into the details of the Windows and Linux operating systems to uncover the root causes of the crash in the I/O request stack” continues the experts.

The experts tested the technique against HDDs from several vendors, including Seagate, Toshiba, and Western Digital. Ultrasonic waves took just 5 to 8 seconds to cause severe interference.


Acoustic interference lasting longer than 105 seconds caused the Western Digital HDD in the video-surveillance device to stop recording from the start of the vibration until the device was restarted.

“Recordings from periods of interference less than 105 seconds exhibited video loss from about 12 seconds after being subjected to acoustic induced vibration until the vibration subsided. In contrast, (2) interference for periods of 105 seconds or longer resulted in video loss from the beginning of the vibration until the device was restarted,” continues the paper.

“In the case that a victim user is not physically near the system being attacked, an adversary can use any frequency to attack the system. The system’s live camera stream never displays an indication of an attack. Also, the system does not provide any method to learn of audio in the environment. Thus, if a victim user were not physically near the system, an adversary can use audible signals while remaining undetected.”

The tests showed that an attacker can disrupt the HDDs of desktops and laptops running both Windows and Linux.

The experts caused a Dell XPS 15 9550 laptop to freeze after 45 seconds and to crash after 125 seconds when it was tricked into playing malicious audio through its own built-in speaker.

The paper also includes recommendations for detecting or preventing this type of attack. The first is a new feedback controller that attenuates the acoustic interference and could be deployed as a firmware update.

The second is a sensor-fusion method that prevents unnecessary head parking by detecting when the shock sensor is being triggered by ultrasound rather than by a real shock.

The third is noise-dampening material around the drive to attenuate the signal.

Attack Bypasses AMD's Virtual Machine Encryption
29.5.18 securityweek Attack 

A group of German researchers has devised a new attack method capable of bypassing AMD’s Secure Encrypted Virtualization (SEV).

Used by AMD data-center processors, SEV is a hardware feature that provides secure encryption of virtual machines (VMs) to protect VM memory from physical attacks and cross-VM and hypervisor-based attacks.

In a whitepaper (PDF), Fraunhofer AISEC researchers present an attack carried out from a malicious hypervisor and capable of “extracting the full contents of main memory in plaintext from SEV-encrypted virtual machines.” Named SEVered, the attack requires a remote communication service running in the VM.

The researchers say their attack can be used to extract all memory contents, even if the targeted VM is under high load. SEVered’s effectiveness was tested on a recent AMD SEV-enabled server platform running various services, in encrypted virtual machines.

SEV transparently encrypts the memory of individual VMs using the AMD Secure Processor (SP): each protected VM gets its own key, which is generated and kept inside the SP. Implementing this in hardware is meant to protect VMs against physical memory attacks while also preventing the hypervisor (HV) from reading sensitive VM data.

“With SEVered, we demonstrate that it is nevertheless possible for a malicious HV to extract all memory of an SEV-encrypted VM in plaintext. We base SEVered on the observation that the page-wise encryption of main memory lacks integrity protection,” the researchers note.

The HV, the whitepaper notes, is responsible for maintaining the VM's Guest Physical Address (GPA) to Host Physical Address (HPA) mapping, so an attacker in control of the HV can change the VM's memory layout at will: any GPA can be pointed at any encrypted page.

“We use this capability to trick a service in the VM, such as a web server, into returning arbitrary pages of the VM in plaintext upon the request of a resource from outside,” the researchers explain.

For that, they first identify the encrypted pages in memory corresponding to the resource, then repeatedly send requests “for the same resource to the service while re-mapping the identified memory pages,” which results in extracting all the VM’s memory in plaintext.

“SEVered neither requires detailed knowledge of the target VM or service, nor a malicious process colluding from inside the VM. Our attack is also resistant to noise, i.e., concurrent activity in the target VM, and dynamically adapts to different noise levels,” the paper reads.

The researchers say SEVered is practical and could let an attacker extract the entire memory of a SEV-protected VM within a reasonable time. They also say that the attack handles the critical aspects, such as noise during page identification and the "stickiness" of the served resource in memory, well, while noting that there is room for improvement.

Software-based countermeasures, the researchers say, are insufficient to prevent the attack. The issue could be solved by providing “a full-featured integrity and freshness protection of guest-pages additional to the encryption.” However, the researchers agree that such a solution would incur a high silicon cost to protect full VMs.

“A low-cost efficient solution could be to securely combine the hash of the page’s content with the guest-assigned GPA. This ensures that pages cannot easily be swapped by changing the GPA to HPA mapping. Adding a nonce additionally ensures that an old page for the GPA cannot be replayed into the guest by a malicious HV. Integration of such an approach into AMD SEV could effectively prevent remapping,” the paper reads.

According to the researchers, not even AMD's SEV with Encrypted State (SEV-ES) would be immune to SEVered, as the attack does not require access to any VM state encrypted by SEV-ES.
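The remapping primitive and the proposed fix, as an added toy model (written for this page; it is neither the Fraunhofer AISEC tooling nor AMD's implementation). It assumes a per-page keystream tweaked by the host physical address, a constructed guest with one public resource page and one private-key page, and a hypothetical in-VM service that returns the resource page on request. The integrity tag over (GPA, content) is the low-cost countermeasure sketched in the whitepaper, modelled without the nonce the paper adds against replay.

```python
import hashlib
import hmac
import os

PAGE_SIZE = 16  # toy page size; real SEV pages are 4 KiB encrypted with AES


def keystream(vm_key: bytes, hpa: int) -> bytes:
    """Toy stand-in for SEV's address-tweaked encryption: a page's ciphertext
    depends on the host physical address it occupies, not on its guest address."""
    return hashlib.sha256(vm_key + hpa.to_bytes(8, "big")).digest()[:PAGE_SIZE]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class SevMemory:
    """Per-VM encrypted memory. The hypervisor owns gpa_to_hpa (the nested page
    table) and sees `frames`, but never the VM key held by the Secure Processor."""

    def __init__(self, with_integrity: bool = False):
        self.vm_key = os.urandom(32)
        self.frames = {}              # HPA -> ciphertext
        self.tags = {}                # HPA -> MAC(GPA || plaintext); the proposed fix
        self.gpa_to_hpa = {}          # hypervisor-controlled mapping
        self.with_integrity = with_integrity
        self.last_hpa_touched = None  # models the HV's page-access tracking
        self._next_free = 0x10000

    def _tag(self, gpa: int, data: bytes) -> bytes:
        return hmac.new(self.vm_key, gpa.to_bytes(8, "big") + data, "sha256").digest()

    def guest_write(self, gpa: int, data: bytes) -> None:
        assert len(data) == PAGE_SIZE
        if gpa not in self.gpa_to_hpa:
            self.gpa_to_hpa[gpa] = self._next_free
            self._next_free += PAGE_SIZE
        hpa = self.gpa_to_hpa[gpa]
        self.frames[hpa] = xor(data, keystream(self.vm_key, hpa))
        if self.with_integrity:
            self.tags[hpa] = self._tag(gpa, data)

    def guest_read(self, gpa: int) -> bytes:
        hpa = self.gpa_to_hpa[gpa]
        self.last_hpa_touched = hpa
        data = xor(self.frames[hpa], keystream(self.vm_key, hpa))  # decrypts fine after a remap
        if self.with_integrity and not hmac.compare_digest(self.tags[hpa], self._tag(gpa, data)):
            raise MemoryError(f"integrity failure: GPA {gpa:#x} no longer maps to its own page")
        return data

    def hv_remap(self, gpa: int, hpa: int) -> None:
        """Hypervisor capability: rewrite the GPA -> HPA mapping."""
        self.gpa_to_hpa[gpa] = hpa


# Constructed guest layout: a web server with one public page and one private-key page.
RESOURCE_GPA, SECRET_GPA = 0x2000, 0x7000
RESOURCE = b"<html>hello</h>!"   # 16 bytes
SECRET = b"-----PRIVKEY----"     # 16 bytes


def boot_guest(with_integrity: bool = False) -> SevMemory:
    mem = SevMemory(with_integrity)
    mem.guest_write(RESOURCE_GPA, RESOURCE)
    mem.guest_write(SECRET_GPA, SECRET)
    return mem


def http_get_resource(mem: SevMemory) -> bytes:
    """Hypothetical in-VM service: answers an outside request with the page at RESOURCE_GPA."""
    return mem.guest_read(RESOURCE_GPA)


def severed(mem: SevMemory) -> dict:
    """Malicious hypervisor: find the resource's frame by watching which page the
    service touches, then point RESOURCE_GPA at every other frame and re-request."""
    http_get_resource(mem)
    resource_hpa = mem.last_hpa_touched
    leaked = {}
    for hpa in list(mem.frames):
        if hpa == resource_hpa:
            continue
        mem.hv_remap(RESOURCE_GPA, hpa)
        try:
            leaked[hpa] = http_get_resource(mem)  # plaintext of a page the HV has no key for
        except MemoryError:
            leaked[hpa] = None                    # the GPA-bound tag catches the swap
    mem.hv_remap(RESOURCE_GPA, resource_hpa)      # restore so the service keeps answering
    return leaked
```

The point the model makes is that confidentiality alone does not help: the guest decrypts whatever frame its GPA happens to point at, so the leak needs no key and no cooperation from inside the VM. Binding each page to its GPA turns the remap into a detectable fault instead of a successful read.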

Memcached Servers Abused for Massive Amplification DDoS Attacks
28.2.18 thehackernews

Cybercriminals have found a way to abuse widely used memcached servers to launch DDoS attacks amplified more than 51,000 times, enough to take down major websites and Internet infrastructure.
In recent days, security researchers at Cloudflare, Arbor Networks, and Chinese security firm Qihoo 360 observed attackers abusing memcached to amplify their DDoS attacks by an unprecedented factor of up to 51,200.
Memcached is a popular, easily deployed open-source distributed caching system that stores objects in memory and is designed to handle a large number of open connections. A memcached server listens on TCP and/or UDP port 11211.
Memcached speeds up dynamic web applications by taking load off the database, which helps administrators improve performance and scale their applications. It is used by thousands of websites, including Facebook, Flickr, Twitter, Reddit, YouTube, and GitHub.
Dubbed Memcrashed by Cloudflare, the attack abuses unprotected memcached servers that have UDP enabled to deliver DDoS traffic at up to 51,200 times the volume the attacker sends, the largest amplification factor seen in the wild so far.
How the Memcrashed DDoS Amplification Attack Works

Like other amplification attacks, in which the attacker sends a small request from a spoofed IP address and the server sends a much larger response to that address, Memcrashed sends a forged request to the vulnerable memcached server on UDP port 11211 with the source address set to the victim's IP, so the response goes to the victim.
According to the researchers, a request of just a few bytes can trigger a response tens of thousands of times larger.
"15 bytes of request triggered 134KB of response. This is amplification factor of 10,000x! In practice we've seen a 15-byte request result in a 750kB response (that's a 51,200x amplification)," Cloudflare says.
According to the researchers, most of the memcached servers being abused for amplification are hosted at OVH, DigitalOcean, Sakura and other smaller hosting providers.
In total, the researchers have seen only 5,729 unique source IP addresses associated with vulnerable memcached servers, but Cloudflare says it is "expecting to see much larger attacks in future, as Shodan reports 88,000 open Memcached servers."
"At peak we've seen 260Gbps of inbound UDP memcached traffic. This is massive for a new amplification vector. But the numbers don't lie. It's possible because all the reflected packets are very large," Cloudflare says.
Arbor Networks noted that the Memcached priming queries used in these attacks could also be directed towards TCP port 11211 on abusable Memcached servers.

TCP is not currently considered a high-risk memcached reflection/amplification vector, because a TCP connection cannot be completed from a spoofed source address.
Previously reported DDoS amplification vectors include poorly secured DNS resolvers, which amplify traffic by about 50 times, and NTP servers, which increase traffic volumes by nearly 58 times.
Mitigation: How to Fix Memcached Servers
The easiest way to stop your memcached servers from being abused as reflectors is at the network layer: block inbound UDP to port 11211 from the Internet on the server side, and block or rate-limit UDP traffic with source port 11211 at the network edge so that reflected floods do not reach your network.
memcached listens on INADDR_ANY and, in the versions deployed at the time, started with UDP enabled by default; administrators who do not use UDP should disable it (start memcached with -U 0) and bind the service to an internal address (-l 127.0.0.1 or a private IP). memcached 1.5.6, released in response to these attacks, disables UDP by default.
As long as IP source-address spoofing remains possible on the Internet, the volume that memcached reflection can generate is hard for Internet Service Providers (ISPs) to absorb; anti-spoofing (BCP 38) filtering at the network edge removes the root cause.

Memcached Abused for DDoS Amplification Attacks
28.7.18 securityweek

Malicious actors have started abusing the memcached protocol to launch distributed denial-of-service (DDoS) attacks, Cloudflare and Arbor Networks warned on Tuesday.

Memcached is a free and open source distributed memory caching system designed to work with a large number of open connections. Clients can communicate with memcached servers via TCP or UDP on port 11211.

Cloudflare noticed in recent days that memcached has been abused for DDoS amplification attacks, and so have Arbor Networks and Chinese security firm Qihoo 360. Cloudflare has dubbed this type of attack Memcrashed.

Attackers are apparently abusing unprotected memcached servers that have UDP enabled. Similar to other amplification methods, the attacker sends a request to the targeted server on port 11211 using a spoofed IP address that matches the IP of the victim. The request sent to the server is just a few bytes, but the response can be tens of thousands of times bigger, resulting in a significant attack.

The largest memcached DDoS attack observed by Cloudflare peaked at 260 Gbps, but Arbor Networks reported seeing attacks that peaked at 500 Gbps and even more.

“I was surprised to learn that memcached does UDP, but there you go!” said CloudFlare’s Marek Majkowski. “The protocol specification shows that it's one of the best protocols to use for amplification ever! There are absolutely zero checks, and the data WILL be delivered to the client, with blazing speed! Furthermore, the request can be tiny and the response huge (up to 1MB).”

Arbor Networks noted that the type of queries used in these attacks can also be directed at TCP port 11211, but since TCP queries cannot be reliably spoofed, this protocol is less likely to be abused. The company pointed out that Chinese researchers warned about the possibility of attacks abusing memcached in November.

In the attacks seen by Cloudflare, attackers abused servers from all around the world, but mostly from North America and Europe. A majority of the servers are hosted by OVH, DigitalOcean and Sakura.

The attacks monitored by the content delivery network (CDN) came from roughly 5,700 unique IPs associated with memcached servers, but experts expect to see much larger attacks in the future considering that Shodan shows nearly 88,000 open servers. A majority of the exposed systems are in the United States, followed by China and France.

Location of exposed memcached servers

“Arbor’s current assessment is that, as with most other DDoS attack methodologies, memcached DDoS attacks were initially – and for a very brief interval – employed manually by skilled attackers; they have subsequently been weaponized and made available to attackers of all skill levels via so-called ‘booter/stresser’ DDoS-for-hire botnets,” Arbor Networks researchers said in a blog post. “The rapid increase in the prevalence of these attacks indicates that this relatively new attack vector was weaponized and broadly leveraged by attackers within a relatively short interval.”

Cloudflare recommends disabling UDP support unless it’s needed, and advised system administrators to ensure that their servers are not accessible from the Web. Internet service providers (ISPs) can also contribute to mitigating these and other types of amplification attacks by fixing vulnerable protocols and preventing IP spoofing.
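The UDP frame format behind the amplification figures in both memcached articles above, and the configuration check their mitigation advice boils down to, as an added example (written for this page, not Cloudflare's or Arbor's code). The reflector response is a constructed stand-in; no network traffic is sent. The memcached flags -U (UDP port, 0 disables) and -l (bind address) are the real ones; long-option forms are not parsed.

```python
import struct

UDP_HEADER = struct.Struct("!HHHH")  # request id, sequence number, total datagrams, reserved (0)


def build_request(command: bytes = b"stats\r\n", request_id: int = 1) -> bytes:
    """The one-datagram frame a reflector receives; with 'stats' it is the 15-byte
    request Cloudflare describes."""
    return UDP_HEADER.pack(request_id, 0, 1, 0) + command


def parse_frame(datagram: bytes) -> tuple:
    """Split a memcached UDP datagram into its header fields and payload."""
    if len(datagram) < UDP_HEADER.size:
        raise ValueError("short memcached UDP frame")
    request_id, seq, total, reserved = UDP_HEADER.unpack_from(datagram)
    if reserved != 0 or total == 0 or seq >= total:
        raise ValueError("malformed memcached UDP header")
    return {"request_id": request_id, "seq": seq, "total": total}, datagram[UDP_HEADER.size:]


def reassemble(datagrams) -> bytes:
    """Reorder the datagrams of one response; memcached splits large replies across many."""
    parts, expected = {}, None
    for d in datagrams:
        hdr, payload = parse_frame(d)
        key = (hdr["request_id"], hdr["total"])
        if expected is None:
            expected = key
        elif key != expected:
            raise ValueError("datagram belongs to a different response")
        parts[hdr["seq"]] = payload
    if expected is None or len(parts) != expected[1]:
        raise ValueError("missing datagrams")
    return b"".join(parts[i] for i in range(expected[1]))


def amplification_factor(request: bytes, response_datagrams) -> float:
    """Bytes the victim receives per byte the attacker sent (the '51,200x' figure)."""
    return sum(len(d) for d in response_datagrams) / len(request)


def fake_reflector_response(request: bytes, payload: bytes, chunk: int = 1400) -> list:
    """Constructed stand-in for an exposed server: echo the request id and fragment the reply."""
    hdr, _ = parse_frame(request)
    chunks = [payload[i:i + chunk] for i in range(0, len(payload), chunk)] or [b""]
    return [UDP_HEADER.pack(hdr["request_id"], i, len(chunks), 0) + c for i, c in enumerate(chunks)]


def audit_memcached_argv(argv) -> list:
    """Flag a memcached command line that leaves a reflector open: UDP still on (no '-U 0')
    or bound to every interface (no '-l <address>'). Long options are not handled here."""
    udp_port, bind, i = 11211, None, 0
    while i < len(argv):
        arg = argv[i]
        if arg in ("-U", "-l") and i + 1 < len(argv):
            value, i = argv[i + 1], i + 1
        elif arg[:2] in ("-U", "-l") and len(arg) > 2:
            value = arg[2:]
        else:
            i += 1
            continue
        if arg.startswith("-U"):
            udp_port = int(value)
        else:
            bind = value
        i += 1
    findings = []
    if udp_port != 0:
        findings.append(f"UDP enabled on port {udp_port}: start with -U 0 unless UDP is needed")
    if bind is None or bind in ("0.0.0.0", "::"):
        findings.append("bound to all interfaces: use -l 127.0.0.1 or an internal address")
    return findings
```

The header is all the protocol offers: the request id is echoed back, nothing authenticates the client, and a single 'stats' request is answered with as many datagrams as the server needs. That is why the only real fixes are turning UDP off, not exposing port 11211, and filtering spoofed sources upstream.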

Disappearing bytes: Reverse engineering the MS Office RTF parser
24.2.18 Kaspersky
Microsoft Office was a prime target for attacks in 2017. In addition to the large number of vulnerabilities discovered and proof-of-concept exploits published, malware authors felt it necessary to prevent antivirus software from detecting 'one-day' and 'old-day' exploits. It also became clear that relying on documented RTF parsing features and peculiarities is no longer enough to evade detection. Along with the rise in MS Office exploitation, when RTF is used as a container for an exploit, we encountered many samples that 'exploit' the implementation of Microsoft Word's RTF parser to confuse every other RTF parser, including those used in AV software.

To achieve parsing exactly like that in MS Office, we needed to reverse-engineer it.

I decided to look first at MS Office 2010, because when it comes to parsing it’s better to look at an older implementation. I then compared my findings with those found in newer versions.

An RTF parser comprises a state machine with 37 states, 22 of which are unique.

We'll look at the most significant states and those that have an influence on the parsing of \objdata, a destination control word that contains the object data. Microsoft OLE links, Microsoft OLE embedded objects, and Macintosh Edition Manager subscriber objects are represented in RTF as objects. The states discussed below are:

    PARSER_BEGIN
    PARSER_CHECK_CONTROL_WORD
    PARSER_PARSE_CONTROL_WORD
    PARSER_PARSE_CONTROL_WORD_NUM_PARAMETER
    PARSER_PROCESS_CMD
    PARSER_PARSE_HEX_DATA
    PARSER_PARSE_HEX_NUM_MSB
    PARSER_PARSE_HEX_NUM_LSB
    PARSER_SKIP_DATA
    // …


Microsoft Office is shipped without debug symbols, meaning it wasn’t possible to recover the original state names. However, I believe I’ve chosen suitable names according to their underlying functionality.

The first state executed on an opened RTF file is PARSER_BEGIN. In most cases it is also executed after a control word has been processed. Its main job is to choose the next state according to the encountered character, the current destination, and other values stored in the 'this' structure and set by the control-word processors. By default the next state is PARSER_CHECK_CONTROL_WORD.


    // … – checks that we don't need
    while (data.pos != data.end)
    {
        byte = *(uint8_t*)data.pos;
        if (this->bin_size > 0)
        {
            goto unexpected_char;
        }
        // …
        if (byte == 9)
        {
            // …
        }
        if (byte == 0xA || byte == 0xD)
        {
            // …
        }
        if (byte == '\\')
        {
            uint8_t byte1 = *(uint8_t*)data.pos;
            if (byte1 == '\'')
            {
                if (this->destination == listname ||
                    this->destination == fonttbl ||
                    this->destination == revtbl ||
                    this->destination == falt ||
                    this->destination == leveltext ||
                    this->destination == levelnumbers ||
                    this->destination == liststylename ||
                    this->destination == protusertbl ||
                    this->destination == lsdlockedexcept)
                    goto unexpected_char;
                // …
            }
            if (byte1 == 'u')
            {
                // …
            }
            // …
        }
        if (byte == '{')
        {
            // …
        }
        if (byte == '}')
        {
            // …
        }
        // it will set next state depending on destination / or go to unexpected_cmd to do more checks and magic
        // …
        if (this->destination == pict ||
            this->destination == objdata ||
            this->destination == objalias ||
            this->destination == objsect ||
            this->destination == datafield ||
            this->destination == fontemb ||
            this->destination == svb ||
            this->destination == macro ||
            this->destination == tci ||
            this->destination == datastore ||
            this->destination == mmconnectstrdata ||
            this->destination == mmodsoudldata ||
            this->destination == macrosig)
        {
            // …
        }
        // …
    }


PARSER_CHECK_CONTROL_WORD will check if the next char is the start of a control word or if it’s a control symbol, and will set the next state accordingly.


    byte = *(uint8_t*)data.pos;
    if ((byte >= 'a' && byte <= 'z') || (byte == ' ') || (byte >= 'A' && byte <= 'Z'))
    {
        // start of a control word
        this->cmd_len = 0;
        // …
    }
    else
    {
        // control symbol: stored as a one-character command
        this->temp[0] = 1;
        this->temp[1] = byte;
        this->temp[2] = 0;
        this->cmd_len = 1;
    }


The states PARSER_PARSE_CONTROL_WORD and PARSER_PARSE_CONTROL_WORD_NUM_PARAMETER will store the null-terminated control word that is made up of ASCII alphabetical characters and a null-terminated numeric parameter (if it exists) in a temporary buffer of a fixed size.


    // PARSER_PARSE_CONTROL_WORD
    pos = this->temp + 1;
    parsed = this->temp + 1;
    while (data.pos != data.end)
    {
        byte = *(uint8_t*)data.pos;
        // length of null-terminated strings cmd + num should be <= 0xFF
        if ((byte == '-') || (byte >= '0' && byte <= '9'))
        {
            //if parsed == temp_end
            //    goto raise_exception
            *parsed = 0;
            pos = parsed;
            if (parsed >= temp_end)
            {
                parsed = temp_end - 1;
                *parsed = 0;
                this->cmd_len = pos - (this->temp + 1);
            }
            this->cmd_len = pos - (this->temp + 1);
            *parsed = byte;
            pos = parsed;
        }
        if (byte == ' ')
        {
            if (parsed >= temp_end)
            {
                parsed = temp_end - 1;
            }
            *parsed = 0;
            this->cmd_len = pos - (this->temp + 1);
        }
        if ((byte >= 'a' && byte <= 'z') || (byte >= 'A' && byte <= 'Z'))
        {
            if (parsed - this->temp >= 0xFF)
            {
                if (parsed >= temp_end)
                {
                    parsed = temp_end - 1;
                }
                *parsed = 0;
                this->cmd_len = pos - (this->temp + 1);
            }
            //if parsed == temp_end
            //    goto raise_exception
            *parsed = byte;
            pos = parsed;
        }
        // any other byte terminates the control word
        if (parsed >= temp_end)
        {
            parsed = temp_end - 1;
        }
        *parsed = 0;
        this->cmd_len = pos - (this->temp + 1);
    }

    // PARSER_PARSE_CONTROL_WORD_NUM_PARAMETER
    while (data.pos != data.end)
    {
        byte = *(uint8_t*)data.pos;
        // length of null-terminated strings cmd + num should be <= 0xFF
        if (byte == ' ')
        {
            if (parsed >= temp_end)
            {
                parsed = temp_end - 1;
            }
            *parsed = 0;
        }
        if (byte >= '0' && byte <= '9')
        {
            if (parsed - this->temp >= 0xFF)
            {
                if (parsed >= temp_end)
                {
                    parsed = temp_end - 1;
                }
                *parsed = 0;
            }
            //if parsed == temp_end
            //    goto raise_exception
            *parsed = byte;
        }
        // any other byte terminates the numeric parameter
        if (parsed >= temp_end)
        {
            parsed = temp_end - 1;
        }
        *parsed = 0;
    }

    this->state = state;
    state = this->state;


Then it is processed in the state PARSER_PROCESS_CMD that calls another function responsible for processing control words and control symbols. It takes into account the current state and sets the next state.

There are multiple states responsible for parsing hex-data. The most interesting for us is PARSER_PARSE_HEX_DATA – as you can see, it’s set in PARSER_BEGIN if the destination objdata is set.


    parsed_data = this->temp;
    if (this->bin_size <= 0)
    {
        // hexadecimal data
        while (data.pos != data.end)
        {
            byte = *(uint8_t*)data.pos;
            if (byte == '{' || byte == '}' || byte == '\\')
            {
                // flush what has been decoded so far and return to PARSER_BEGIN
                if (parsed_data != this->temp)
                {
                    push_data(parsed_data - this->temp);
                    parsed_data = this->temp;
                }
                // …
            }
            if (this->flag & 0x4000)
            {
                // …
            }
            if (byte >= '0' && byte <= '9')
            {
                val = byte - 0x30;
            }
            else if (byte >= 'a' && byte <= 'f')
            {
                val = byte - 0x57;
            }
            else if (byte >= 'A' && byte <= 'F')
            {
                val = byte - 0x37;
            }
            else if (byte == 9 || byte == 0xA || byte == 0xD || byte == 0x20)
            {
                // whitespace is skipped
                // …
            }
            else
            {
                // show message that there is not enough memory
                this->flag |= 0x4000;
                // …
            }
            if (this->flag & 0x8000)
            {
                // high nibble
                this->hex_data_byte = val << 4;
                this->flag &= 0x7FFF;
            }
            else
            {
                // low nibble: the byte is complete
                if (parsed_data == temp_end)
                {
                    // …
                    parsed_data = this->temp;
                }
                this->hex_data_byte |= val;
                *parsed_data = this->hex_data_byte;
                // …
                this->flag |= 0x8000;
            }
        }
    }
    else
    {
        // binary data: bin_size raw bytes follow
        if (this->flag & 0x4000)
        {
            // no buffer available: just skip the bytes
            uint32_t size;
            if (this->bin_size <= data.end - data.pos)
            {
                size = this->bin_size;
            }
            else
            {
                size = data.end - data.pos;
            }
            this->bin_size -= size;
            data.pos += size;
        }
        else
        {
            while (this->bin_size > 0)
            {
                if (parsed_data == temp_end)
                {
                    // …
                    parsed_data = this->temp;
                }
                byte = *(uint8_t*)data.pos;
                *parsed_data = byte;
                // …
            }
        }
    }
    if (parsed_data != this->temp)
    {
        push_data(parsed_data - this->temp);
        parsed_data = this->temp;
    }

This state will parse hexadecimal data and binary data if set.

The states PARSER_PARSE_HEX_NUM_MSB and PARSER_PARSE_HEX_NUM_LSB are used together to parse hex values (data of the \panose control word and \’ control symbol).


    // PARSER_PARSE_HEX_NUM_MSB: always starts with the MSB bit set
    this->flag |= 0x8000;
    this->hex_num_byte = 0;
    // …

    // PARSER_PARSE_HEX_NUM_MSB / PARSER_PARSE_HEX_NUM_LSB: decode one nibble
    byte = *(uint8_t*)data.pos;
    val = 0;
    if (byte - '0' <= 9)
    {
        val = byte - 0x30;
    }
    else if (byte - 'a' <= 5)
    {
        val = byte - 0x57;
    }
    else if (byte - 'A' <= 5)
    {
        val = byte - 0x37;
    }
    // no error path: a byte that is not a hex digit simply contributes val = 0
    // shift by 4 when the MSB bit (0x8000) is set, by 0 otherwise
    this->hex_num_byte |= val << ((this->flag >> 0xF) << 2);
    // toggles bit 0x8000 (for a 16-bit flag field this is this->flag ^= 0x8000)
    this->flag = ((~this->flag ^ this->flag) & 0x7FFF) ^ ~this->flag;
    if (this->flag & 0x8000)
    {
        // both nibbles consumed
        // …
    }


State reset
Looking at PARSER_PARSE_HEX_NUM_MSB, PARSER_PARSE_HEX_NUM_LSB and PARSER_PARSE_HEX_DATA, it is easy to spot a bug. Even though they use different variables to store the decoded hex value, they use the same flag bit to determine which nibble is being decoded, the high one (most significant bits, MSB) or the low one (least significant bits, LSB). And PARSER_PARSE_HEX_NUM_MSB always resets this bit to MSB.

It is therefore possible to make bytes disappear in the PARSER_PARSE_HEX_DATA context by triggering a change of state to PARSER_PARSE_HEX_NUM_MSB.

For this to work it is enough to put \’XX in the data that comes after the \objdata control word. In this case, when the parser encounters \ in state PARSER_PARSE_HEX_DATA it will return to state PARSER_BEGIN and after that will go to state PARSER_PROCESS_CMD. The handler for the \’ control symbol will not change a destination, but will change the next state to PARSER_PARSE_HEX_NUM_MSB. After PARSER_PARSE_HEX_NUM_MSB and PARSER_PARSE_HEX_NUM_LSB control is transferred back to PARSER_BEGIN and eventually to PARSER_PARSE_HEX_DATA because the destination is still equal to objdata. After all that, the next byte will be decoded as a high nibble.

It is also worth noting that PARSER_PARSE_HEX_NUM_LSB does not check if the provided value is a valid hexadecimal; therefore, after \’ there could be absolutely any two bytes.

This behavior can be observed in the following example:

“f\’cc” will be removed from the final result

When control is transferred for the first time to the PARSER_PARSE_HEX_DATA state, after the \objdata control word is processed, the MSB bit is already set. Let’s look at how it happens and how this example will be processed:

After some reverse engineering of the keyword processing function, I found a list of all the control words and their corresponding structures:

With this information we can locate and look at the objdata constructor:

You can see it sets the MSB bit, allocates a new buffer and replaces the old pointer with a new one. Therefore, the data decoded between two \objdata control words is never used.

“d0cf11e0a1b11ae1” will be removed from the final result

Final destination
We know that if \’ or \objdata is put in data, it will change the output. What about other control words and control symbols? There are more than 1500 of them!

Mostly nothing.

As some control words represent a destination, they can’t be used – they change the objdata destination on their own, and to decode an object the objdata destination is needed.

Other control words do not affect objdata destination.

The only one way to change the destination so that it’s possible to return to the objdata destination without losing previously decoded data is to use special symbols – opening brace ({) and closing brace (}). These symbols indicate the start and end of a group.

When the parser encounters the end of a group in state PARSER_BEGIN, the destination that was set before the start of the group will be restored.

Therefore, by putting {\aftncn FF} after \objdata, FF will not get into the decoded data because FF now applies to the destination aftncn and will be handled according to this destination.

However, by using {\aftnnalc FF}, FF will get into the decoded data because the destination is still equal to objdata.

It is also worth noting that {\objdata FF} still can’t be used because the buffer will not be restored.

An accurate list of all destination control words was created with a simple fuzzer.

Fixed-size buffer
Another obfuscation technique that comes to mind while looking at the code of an RTF parser is not related to this ‘MSB’ bug, but can also be used to remove bytes from a hex-stream. The technique’s related to the temporary buffer size and how a control word and numeric parameter are parsed in the states PARSER_PARSE_CONTROL_WORD and PARSER_PARSE_CONTROL_WORD_NUM_PARAMETER. You can see an example of its use in the following screenshot.

In this example the size of the data that will be removed as part of the numeric parameter is calculated using the formula: 0xFF (size of temporary buffer) – 0xB (size of ‘oldlinewrap’) – 2 (null-terminator characters) = 0xF2.

Unnecessary data
While the techniques described above are related to general RTF parsing, the processing of some specific keywords conceals some further confusion.

According to the specification, if \* is encountered right before a control word or control symbol that is not found in the lookup table, the group is considered an unknown destination and all data up to the closing brace } that closes it should be discarded. The lookup table in MS Office contains control words that are not present in the specification, which raises the concern that it may change in future and that the same document will then be parsed differently by different versions of MS Office. When the function responsible for processing keywords encounters such a case, or one of a few specific control words (such as \comment, \generator, \nonshppict and so on), it sets the state PARSER_SKIP_DATA and sets the count of encountered opening braces { to 1.




Kind of magic
During analysis of the PARSER_SKIP_DATA* states I found behaviour that contradicts not only the specification but also the rest of the parser code.

These states skip data, incrementing and decrementing the count of encountered opening and closing braces until it reaches zero, while watching for the \bin control word. The hidden catch lies in the way its numeric parameter is processed.

First of all, the maximum allowed length of the numeric parameter is increased to 0xFF: it is calculated without taking the length of the control word into account.

The second catch is that the numeric parameter is no longer numeric. The parser lets not only decimal digits but also Latin letters through, and then passes the parameter to a custom strtol, so the length of data to be skipped (without regard to opening and closing braces) can be specified as a hexadecimal number.

Obfuscations with the use of these two primitives have not yet been encountered in the wild.
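The behaviour described in the State reset, Final destination, Fixed-size buffer and Unnecessary data sections, collected into one added emulator of the \objdata decoding (written for this page; it is neither Kaspersky's parser nor Word's code). The control-word and destination tables are small constructed subsets, because the article does not publish its fuzzer-derived list; what Word does with a non-hex byte inside \objdata is not stated on the page and is assumed here to be "drop it"; \bin and the PARSER_SKIP_DATA numeric-parameter quirk are not modelled.

```python
# Constructed subsets: Word's table has >1500 control words; the fuzzer list is not on the page.
KNOWN_WORDS = {b"rtf", b"ansi", b"deff", b"object", b"objdata", b"objclass", b"result",
               b"oldlinewrap", b"aftncn", b"aftnnalc", b"pict", b"fonttbl", b"colortbl",
               b"info", b"comment", b"generator", b"nonshppict"}
DESTINATIONS = {b"objdata", b"objclass", b"result", b"aftncn", b"pict", b"fonttbl", b"info"}
SKIP_WORDS = {b"comment", b"generator", b"nonshppict"}   # named in the article
TEMP_BUF = 0xFF                                          # Word's control-word buffer size
ALPHA, DIGITS = b"abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ", b"0123456789"
HEXVAL = {c: int(chr(c), 16) for c in b"0123456789abcdefABCDEF"}


class WordObjData:
    """Decodes \\objdata as the article describes Word doing it: \\'XX eats two bytes and
    resets the shared MSB bit, a second \\objdata drops earlier output, destination and
    \\*\\unknown groups are skipped, and a numeric parameter is cut off by TEMP_BUF."""

    def __init__(self, rtf: bytes):
        self.src, self.pos, self.out = rtf, 0, bytearray()
        self.dest, self.stack = None, []           # destination; saved on '{', restored on '}'
        self.msb_pending, self.hex_byte = True, 0  # the bit shared with the \\'XX states

    def run(self) -> bytes:
        while self.pos < len(self.src):
            c = self.src[self.pos]
            if c == 0x7B:                                  # '{'
                self.stack.append(self.dest)
            elif c == 0x7D:                                # '}'
                self.dest = self.stack.pop() if self.stack else None
            elif c == 0x5C:                                # '\\'
                self.control()
                continue
            elif self.dest == b"objdata":
                self.feed_hex(c)
            self.pos += 1
        return bytes(self.out)

    def feed_hex(self, c: int) -> None:
        val = HEXVAL.get(c)
        if val is None:      # whitespace is skipped; other bytes dropped too (assumption)
            return
        if self.msb_pending:
            self.hex_byte, self.msb_pending = val << 4, False
        else:
            self.out.append(self.hex_byte | val)
            self.msb_pending = True

    def control(self) -> None:
        src, n = self.src, len(self.src)
        self.pos += 1                                      # past the backslash
        if self.pos < n and src[self.pos] == 0x27:         # \'XX: two unchecked bytes,
            self.pos += 3                                  # then the bit is MSB again
            self.msb_pending = True
            return
        starred = self.pos < n and src[self.pos] == 0x2A   # \*
        if starred:
            self.pos += 2 if self.pos + 1 < n and src[self.pos + 1] == 0x5C else 1
        if self.pos >= n or src[self.pos] not in ALPHA:    # \{ \} \~ ...: ignored
            self.pos += 1
            return
        word, _param = self.control_word()
        if (starred and word not in KNOWN_WORDS) or word in SKIP_WORDS:
            self.skip_group()
        elif word == b"objdata":                           # constructor: new buffer, MSB set
            self.dest, self.out, self.msb_pending = b"objdata", bytearray(), True
        elif word in DESTINATIONS:
            self.dest = word

    def control_word(self):
        src, n, start = self.src, len(self.src), self.pos
        while self.pos < n and src[self.pos] in ALPHA:
            self.pos += 1
        word, param = src[start:self.pos], None
        if self.pos < n and src[self.pos] in b"-" + DIGITS:
            # "<word>\0<param>\0" must fit in TEMP_BUF bytes: at most TEMP_BUF - len(word) - 2
            # parameter characters are consumed and any digits left over are parsed as data
            limit, pstart = TEMP_BUF - len(word) - 2, self.pos
            if src[self.pos] == 0x2D:
                self.pos += 1
            while self.pos < n and src[self.pos] in DIGITS and self.pos - pstart < limit:
                self.pos += 1
            text = src[pstart:self.pos]
            param = int(text) if text.strip(b"-") else 0
            if self.pos - pstart >= limit:
                return word, param                         # no delimiter consumed
        if self.pos < n and src[self.pos] == 0x20:         # the single delimiting space
            self.pos += 1
        return word, param

    def skip_group(self) -> None:
        depth = 1                    # PARSER_SKIP_DATA starts with one open brace counted
        while self.pos < len(self.src) and depth:
            c = self.src[self.pos]
            self.pos += 1
            if c == 0x7B:
                depth += 1
            elif c == 0x7D:
                depth -= 1
            elif c == 0x5C:
                self.pos += 1        # skip the byte after a backslash so \{ and \} don't count
        self.dest = self.stack.pop() if self.stack else None


def extract_objdata(rtf: bytes) -> bytes:
    return WordObjData(rtf).run()
```

Feeding the page's own cases through it shows the effect a signature writer has to reproduce: the "f\'cc" sequence leaves no trace in the output, a second \objdata discards the "d0cf11e0a1b11ae1" header decoded before it, {\aftncn FF} contributes nothing while {\aftnnalc FF} contributes 0xFF, and \oldlinewrap followed by 0xF2 digits swallows exactly those digits and no more. A decoder that strips everything between \objdata and the closing brace and hex-decodes the rest gets every one of these wrong.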

Reverse engineering has proved to be the most effective way to build a parser, and in the case of RTF it would most likely be impossible to achieve the desired behavior otherwise.

Exact parsing depends on small implementation details and algorithmic bugs rather than on a specification that could be confusing or state things that are not true.

Kaspersky Lab products detect all kinds of RTF obfuscation and perform the most correct processing of RTF files, providing the best protection to our end users.

A new multi-stage attack deploys a password stealer without using macros
20.2.18 securityaffairs
Vulnerebility  Attack

Security researchers at Trustwave spotted a new malicious campaign that uses a multi-stage attack to deploy a password stealer.
Researchers at Trustwave have spotted a new malware-based campaign that uses a multi-stage infection to deploy a password stealer malware.

The attackers use the infamous Necurs botnet to distribute spam emails carrying Microsoft Office documents; unlike most such campaigns, the documents contain no macros at all.

The DOCX attachments contain an embedded OLE object with an external reference: the relationship in word/_rels/document.xml.rels points to a remote OLE object, and Word fetches it when the document is opened.

“Anyone can easily manipulate data in a Word 2007 file programmatically or manually. As shown below, the DOCX attachment contains an embedded OLE object that has external references. This ‘feature’ allows external access to remote OLE objects to be referenced in the document.xml.rels.” states the analysis published by trustwave.

“When user opens the DOCX file, it causes a remote document file to be accessed from the URL: hxxp://gamestoredownload[.]download/WS-word2017pa[.]doc. This is actually a RTF file that is downloaded and executed.”

Once opened, the RTF file attempts to trigger CVE-2017-11882, a memory-corruption flaw that has been used by many threat actors in the wild, including the Cobalt hacking group. Microsoft fixed the vulnerability in November 2017. Discovered by security researchers at Embedi, CVE-2017-11882 affects the Equation Editor component EQNEDT32.EXE, which handles the insertion and editing of equations (OLE objects) in documents.

The component fails to properly handle objects in the memory, a bug that could be exploited by the attacker to execute malicious code in the context of the logged-in user.

Back to the macro-less multi-stage attack discovered by Trustwave: the RTF file fetched when the victim opens the DOCX runs an MSHTA command line to download and execute a remote HTA file.

The HTA file contains VBScript with obfuscated code that decodes to a PowerShell script, which eventually downloads and executes a remote binary: the password-stealer malware.

“The malware steals credentials from email, ftp, and browser programs by concatenating available strings in the memory and usage of the APIs RegOpenKeyExW and PathFileExistsW to check if registry or paths of various programs exist.” continues the analysis.


The password stealer will send data to the command and control server (C&C) via an HTTP POST.

The most interesting aspect of this attack is the use of so many stages to deliver the final payload, an approach Trustwave calls unusual.

Trustwave's researchers point out that such a long infection chain is more likely to fail than the shorter chains used in other attacks.

“It’s pretty unusual to find so many stages and vectors being used to download malware. Indeed, this approach can be very risky for the malware author. If any one stage fails, it will have a domino effect on the whole process. Another noticeable point is that the attack uses file types (DOCX, RTF and HTA), that are not often blocked by email or network gateways unlike the more obvious scripting languages like VBS, JScript or WSF.” concludes Trustwave.

The analysis published by Trustwave includes the Indicators of Compromise (IoCs).
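A check for the first stage, the externally referenced OLE object in document.xml.rels, as an added example (written for this page, not Trustwave's code). It builds a constructed minimal DOCX in memory, so it runs offline; the URL attacker.example is a placeholder, not the campaign's real download host, and the relationship type URI for OLE objects is the standard Office Open XML one.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
OLE_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/oleObject"
STYLES_TYPE = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles"
CONTENT_TYPES = (
    '<?xml version="1.0" encoding="UTF-8"?>'
    '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types">'
    '<Default Extension="rels" ContentType="application/vnd.openxmlformats-package.relationships+xml"/>'
    '<Default Extension="xml" ContentType="application/xml"/>'
    "</Types>"
)


def build_sample_docx(external_ole_target: str = None) -> bytes:
    """Constructed minimal DOCX (not a real sample). With a target, it carries the
    same kind of externally referenced OLE object the campaign used."""
    rels = [
        '<?xml version="1.0" encoding="UTF-8"?>',
        f'<Relationships xmlns="{REL_NS}">',
        f'<Relationship Id="rId1" Type="{STYLES_TYPE}" Target="styles.xml"/>',
    ]
    if external_ole_target:
        rels.append(f'<Relationship Id="rId2" Type="{OLE_TYPE}" '
                    f'Target="{external_ole_target}" TargetMode="External"/>')
    rels.append("</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", CONTENT_TYPES)
        z.writestr("word/document.xml", '<?xml version="1.0"?><document/>')
        z.writestr("word/styles.xml", '<?xml version="1.0"?><styles/>')
        z.writestr("word/_rels/document.xml.rels", "".join(rels))
    return buf.getvalue()


def external_relationships(docx: bytes) -> list:
    """Every relationship in any .rels part whose TargetMode is External."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx)) as z:
        for name in z.namelist():
            if not name.endswith(".rels"):
                continue
            root = ET.fromstring(z.read(name))
            for rel in root.iter(f"{{{REL_NS}}}Relationship"):
                if rel.get("TargetMode", "Internal") == "External":
                    findings.append({
                        "part": name,
                        "id": rel.get("Id"),
                        "type": rel.get("Type", "").rsplit("/", 1)[-1],
                        "target": rel.get("Target", ""),
                    })
    return findings


def remote_ole_objects(docx: bytes) -> list:
    """The finding that matters here: an OLE object fetched from a URL or UNC path
    when the document is opened, with no macro involved."""
    return [f for f in external_relationships(docx)
            if f["type"] == "oleObject"
            and f["target"].lower().startswith(("http://", "https://", "\\\\"))]
```

Because this stage carries no macro and no exploit of its own, macro-focused scanning never fires; a mail gateway that unzips DOCX attachments and rejects any oleObject relationship with TargetMode="External" pointing off-host stops the chain before the RTF, the HTA or the PowerShell stage is ever fetched.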