- Hacking -

- Hacking -

Last update 09.10.2017 13:52:27

Introduction List Kategorie Subcategory 0 1 2 3 4 5 6 7 8 Hacker techniques

Researchers show how to clone Tesla S Key Fobs in a few seconds
12.9.2018 securityaffairs Hacking

Researchers demonstrated that it is possible to rapidly clone the wireless key fob of the expensive Tesla Model S and possibly other vehicles.
The team of experts COSIC research group at the KU Leuven University in Belgium has devised a new relay attack against the Passive Keyless Entry and Start (PKES) system that is used by many cars to unlock the doors and start the engine.

Passive keyless entry (PKE) operates automatically when the user is in proximity to the vehicle, it relies on a paired key fob.

We have already discussed relay attacks against PKES used by thieves to steal vehicles. Attackers use relaying messages between the vehicle and the key, to launch the attack they use a hacking device near the key and another one in the proximity of the car. The drawback of such kind of attacks is that the hacker can unlock the car and start the engine only while the legitimate key fob is in range.

A team from the COSIC research group at the KU Leuven university in Belgium has discovered a new attack method that can be used to clone key fobs in a few seconds and use the close to open and start a car everytime they want.

“During normal operation the car periodically advertises its identifier. The key will receive the car’s identifier, if it is the expected car identifier the key fob will reply, signaling it is ready to receive a challenge,” reads a blog post written by the experts.

“In the next step the car will transmit a random challenge to the key fob. The key fob computes a response and transmits it. After receiving the key fob’s response, the car must verify it before unlocking the doors. The same challenge response protocol is repeated to start the car.”

Tesla S key fob relay attack

The experts discovered several security weaknesses, the most worrisome one is the lack of mutual authentication, this means that an attacker with the knowledge of the vehicle’s identifier can get a response from the key fob that is broadcasted by the car.

Another severe security issue is that responses are computed using DST40 that is an outdated proprietary cipher that uses a 40-bit secret cryptographic key.

The new attacks technique devised by the experts is composed of the following four phases:

Phase 0: the adversary records one wake frame periodically transmitted by the car to learn the 2-byte car identifier.
Phase 1: the adversary can now impersonate the car and transmits two chosen 40-bit challenges to the key fob and records their respective 24-bit responses.
Phase 2: using the captured challenge response pairs and the TMTO table the 40-bit key can be recovered. The first pair is used to select the correct subset of keys and the second pair is used to find the real key among the approximately 216 candidate keys.
Phase 3: the adversary can now impersonate the key fob and thus unlock and start the car.

The attacker demonstrates that it is possible to use Proxmark 3 RFID analyzer tool from a distance of 1 meter. The distance can be increased to up to 8 meters using custom antennas and transmission hardware are used.

The experts successfully tested the attack on the PKES system used in the Tesla Model S, but highlighted that this PKES system is manufactured by Pektron and is used by many other car vendors (i.e. McLaren, Karma and Triumph).

Tesla has already fixed the problems with the help of the research team.

The experts reported the flaw to Tesla in August and the vendor fixed the problems with their help in the recent weeks.

Tesla rolled out improved cryptography for key fobs and introduced an optional feature called “PIN to Drive,” that requests a PIN to be the driver before the vehicle can be driven.

Other 3,700 MikroTik Routers compromised in cryptoJacking campaigns
11.9.2018 securityaffairs Hacking

Thousands of unpatched MikroTik Routers are involved in new cryptocurrency mining campaigns.
The exploit code for the CVE-2018-14847 vulnerabilities is becoming a commodity in the hacking underground, just after its disclosure crooks started using it to compromise MikroTik routers. Thousands of unpatched devices are mining for cryptocurrency at the moment.

Earlier August, experts uncovered a massive crypto jacking campaign that was targeting MikroTik routers to inject a Coinhive cryptocurrency mining script in the web traffic.

The campaign started in Brazil, but it is rapidly expanded to other countries targeting MikroTik routers all over the world, over 200,000 devices were compromised.

Even if the vendor released a security fix that addresses the flaw in April, the number of not updated routers is still very high.

Last week. experts from the security firm Qihoo 360 Netlab discovered more than 7,500 MikroTik routers that have been compromised to enable Socks4 proxy maliciously, allowing attackers to hijack the traffic of the hacked devices.

The researchers scanned the Internet for vulnerable devices, they found more than 5,000K devices with open TCP/8291 port, and 1,200k of them are Mikrotik devices, within which 370k (30.83%) are CVE-2018-14847 vulnerable.

Summarizing, more than 370,000 of 1.2 million MikroTik routers are still vulnerable to the CVE-2018-14847 exploit because owners have not updated them.

Most of the vulnerable devices are located in Brazil, Russia, and Indonesia.

Now the researcher Troy Mursch noticed that the infected MikroTik routers from the latest campaign open a websockets tunnel to a web browser mining script.

“According to the researcher, the malware increases the CPU activity of an infected MikroTik router to about 80% and maintain it at this level.” reads a blog post published by BleepingComputer.

“This gives room for other tasks to run and mine for cryptocurrency at the same time, in the hope of keeping the activity hidden from the user.”

Bad Packets Report
@bad_packets
· Sep 10, 2018
🚨 CRYPTOJACKING MALWARE DETECTED 🚨
URL: https://play.feesocrald[.]com/app.js
Opens websocket connections to: https://s*.soodatmish[.]com/@urlscanio archive: https://urlscan.io/responses/3cfaacb2e8ee3e7cc5685deddfed7e34bf7595015307fee64dd3c196c1d4ed93/ …

Currently found on 3,700+ compromised MikroTik routers: https://www.shodan.io/search?query=html%3A%22https%3A%2F%2Fplay.feesocrald.com%2Fapp.js%22 … pic.twitter.com/ykDxayszM5

View image on Twitter

Bad Packets Report
@bad_packets
Example infected #MikroTik router: http://187.45.50[.]35:8080
CPU usage of client throttled to ~80% pic.twitter.com/b7HOrEz6Tg

3:49 AM - Sep 10, 2018

4
See Bad Packets Report's other Tweets
Twitter Ads info and privacy
The expert found 3,734 devices by querying Shodan for MikroTik routers running the mining tool, and the number is growing.

Most of the routers compromised in this campaign are located in Brazil (2,612) and Argentina (480).

shodan MikroTik cryptojacking

Earlier August the researcher who goes online with the Twitter handle MalwareHunterBR uncovered a massive cryptojacking campaign that targeted MikroTik routers. The hackers aimed to change the configuration of the devices to inject a Coinhive cryptocurrency mining script in the users’ web traffic.

View image on TwitterView image on TwitterView image on Twitter

MalwareHunterBR
@MalwareHunterBR
another mass exploitation against @mikrotik_com devices (https://github.com/mrmtwoj/0day-mikrotik …)
hxxp://170.79.26.28/
CoinHive.Anonymous('hsFAjjijTyibpVjCmfJzlfWH3hFqWVT3', #coinhive

1:31 PM - Jul 30, 2018
62
53 people are talking about this
Twitter Ads info and privacy
According to Trustwave the hackers were exploiting a zero-day flaw in the MikroTik routers to inject a copy of the Coinhive library in the traffic passing through the MikroTik routers.

Attackers Made 9,000 Unauthorized Database Queries in Equifax Hack: Report
10.9.2018 securityweek Hacking

It took Equifax 76 days to detect the massive 2017 data breach, despite the fact that attackers had conducted roughly 9,000 unauthorized queries on its databases, according to a new report from the U.S. Government Accountability Office (GAO).

In mid-May 2017, malicious actors exploited a known vulnerability in the Apache Struts development framework to gain access to Equifax systems. The company said the breach affected roughly 145 million customers – mostly in the U.S., but also in Canada and the United Kingdom. The incident resulted in social security numbers, dates of birth, email addresses, addresses, driver’s license numbers, payment cards, dispute documents, and other data getting compromised.

Now, roughly one year after the breach came to light, the GAO published a report detailing the Equifax breach. The agency’s report, commissioned by several U.S. senators and representatives, is based on documents from Equifax and the cybersecurity consultants called in by the company following the breach, public statements filed by Equifax, and documents from the Internal Revenue Service (IRS), Social Security Administration (SSA), and U.S. Postal Service (USPS).

According to the GAO report, attackers started scanning Equifax’s systems for the Struts vulnerability just a few days after the existence of the security hole was made public. One of the affected systems was an online dispute portal, on which the attackers gained the ability to execute system-level commands. That enabled them to start querying tens of databases in an effort to find personally identifiable information (PII).

Equifax’s security systems not only failed to detect the Struts vulnerability in the online portal, they also failed to detect the attackers once they gained access.

The GAO says the hackers executed roughly 9,000 database queries, some of which returned personal information. The breach was ultimately detected by the company’s security team during routine checks.

“As reported by Equifax, a network administrator conducting routine checks of the operating status and configuration of IT systems discovered that a misconfigured piece of equipment allowed attackers to communicate with compromised servers and steal data without detection. Specifically, while Equifax had installed a device to inspect network traffic or evidence of malicious activity, a misconfiguration allowed encrypted traffic to pass through the network without being inspected,” the GAO report reads.

The misconfiguration was caused by a digital certificate that had expired 10 months before the breach occurred, which allowed the attackers to run commands and exfiltrate data over an encrypted connection without being detected.

The investigation that followed the breach also revealed that the credit reporting agency had failed to implement proper network segmentation, enabling malicious actors to access many databases beyond those related to the online dispute portal that they initially hacked.

Another problem highlighted in the report is related to the fact that credentials for accessing multiple databases were stored without being encrypted in one database that the attackers accessed.

The GAO pointed out that the 9,000 queries run by the attackers showed the lack of restrictions for the frequency of database queries – the number of queries conducted for normal operations would have been much smaller.

The report notes that the IRS, SSA and USPS, which conducted their own investigations into the incident, made some modifications to their contracts with Equifax – they changed notification requirements for future breaches – and the IRS even terminated one of its contracts.

However, following the GAO report, many rushed to point out that no real actions were taken against Equifax.

The Consumers Union, the advocacy division of Consumer Reports, noted that not much has changed since the incident became public.

“Americans remain largely in the dark about the practices of the credit reporting industry—and, more generally, largely unable to control the use of their personal information,” the organization said. “Equifax itself has suffered minimal consequences and continues to do business more or less as before. And the legal and regulatory system governing the credit reporting industry and data security more broadly remains inadequate, despite some recent progress.”

Senator Elizabeth Warren, one of the officials who commissioned the GAO report and who a few months ago published a report of her own, commented, “One year after they publicly revealed the massive 2017 breach, Equifax and other big credit reporting agencies keep profiting off a business model that rewards their failure to protect personal information - and the Trump Administration and Republican-controlled Congress have done nothing.”

Experts warn of 7,500+ MikroTik Routers that are hijacking owners’ traffic
4.9.2018 securityaffairs Hacking

The security firm Qihoo 360 Netlab discovered more than 7,500 MikroTik routers that have been compromised to enable Socks4 proxy maliciously
Earlier August, experts uncovered a massive crypto jacking campaign that was targeting MikroTik routers to inject a Coinhive cryptocurrency mining script in the web traffic.

The campaign started in Brazil, but it is rapidly expanded to other countries targeting MikroTik routers all over the world, over 200,000 devices were compromised.

Now experts from the security firm Qihoo 360 Netlab discovered more than 7,500 MikroTik routers that have been compromised to enable Socks4 proxy maliciously, allowing attackers to hijack the traffic of the hacked devices.

“What’s more, we have observed massive number of victims having their Socks4 proxy enabled on the device by one single malicious actor.” reads the analysis published by Qihoo 360 Netlab.

“More interestingly, we also discovered that more than 7,500+ victims are being actively eavesdropped, with their traffic being forwarded to IPs controlled by unknown attackers.”

According to the researchers, since Mid-July the hackers are exploiting the CVE-2018-14847 vulnerability in MikroTik routers to carry out the attacks.

The CVE-2018-14847 flaw was first revealed by WikiLeaks as part of the CIA Vault7 dump, the code for the exploitation of the issue was included in the hacking tool Chimay Red.

The Chimay Red hacking tool leverages 2 exploits, the Winbox Any Directory File Read (CVE-2018-14847) and Webfig Remote Code Execution Vulnerability.

Communication ports associated with the Winbox and Webfig are TCP/8291, TCP/80, and TCP/8080.

Summarizing, more than 370,000 of 1.2 million MikroTik routers are still vulnerable to the CVE-2018-14847 exploit because owners have not updated them.

Most of the vulnerable devices are located in Brazil, Russia, and Indonesia.

Mikrotik routers vulnerable

Netlab experts have detected a malware exploiting the CVE-2018-14847 vulnerability in the Mikrotik routers to perform a broad range of malicious activities, including traffic hijacking and CoinHive mining code injection.

The analysis shared by the experts includes the attack scenarios.

CoinHive Mining Code Injection
Once enabled the Mikrotik RouterOS HTTP proxy, the attackers hijack the HTTP proxy requests to a local HTTP 403 error page which injects a link for web mining code from Coinhive. Anyway the mining code used in this way cannot work because all the external web resources, including coinhive.com ones, are blocked by the proxy ACLs set by attackers themselves.”

Maliciously Enabling Sock4 Proxy
The attackers enabled the Socks4 port or TCP/4153 on victims device, in this way the attacker gain persistence on the router even after it has been rebooted (IP change) by periodically reporting its latest IP address to the attacker’s URL.

“a total of 239K IPs are confirmed to have Socks4 proxy enabled maliciously. The Socks4 port is mostly TCP/4153, and very interestingly, the Socks4 proxy config only allows access from one single net-block 95.154.216.128/25.” states the report

“In order for the attacker to gain control even after device reboot(ip change), the device is configured to run a scheduled task to periodically report its latest IP address by accessing a specific attacker’s URL.”

Experts pointed out that all the 239,000 IP addresses only allow access from 95.154.216.128/25, actually mainly from the 95.154.216.167 address.

Eavesdropping
The MikroTik RouterOS devices to capture packets on the router and forward them to the specified Stream server, this feature could be abused by attackers to forward the traffic to IP addresses controlled by them. Experts noticed that a significant number of devices have their traffic going to the 37.1.207.114 IP.

Don’t waste time, update the MikroTik devices and also check if the HTTP proxy, Socks4 proxy, and network traffic capture function are being abused by attackers.

Compromising Proxy Call Session Control Function (P-CSCF) using VoLTE
4.9.2018 securityaffairs Hacking

The IP Multimedia Subsystem (IMS) facilitates telecom operators in delivering multimedia applications and voice traffic over IP transport. Proxy Call Session Control Function (P-CSCF) is the first node in IMS Platform (figure 1) to interact with the User Equipment (UE) when initiating a VoLTE call. P-CSCF
figure 1 – Placement of Proxy Call Session Control Function in IMS Platform
Identify and Compromise Proxy Call Session Control Function with VoLTE phone:
1) Initiate a call with VoLTE phone and simultaneously open phone’s terminal to list currently established sessions. It was possible to identify the IP address of serving P-CSCF node, connected on port 5060 (figure 2).

P-CSCF
figure 2 – Identifying P-CSCF node connected on port 5060 (SIP protocol)
2) Management console of an application server and Proxy Call Session Control Function application (figure 3 & figure 4) were found by performing a service scan on identified IP address.

P-CSCF
figure 3 – P-CSCF applications’s management console
P-CSCF
figure 4 – Application server’s management console
3) Application server, Oracle Glassfish, was found to be weakly configured and could be accessed using weak credentials (figure 5).

P-CSCF
figure 5 – Access to Oracle Glassfish server using weak credentials
4) A reverse shell was triggered using a web shell and gained root access of the P-CSCF node (figure 6).

P-CSCF
figure 6 – Gained root access to P-CSCF (IMS)
After gaining access to the IMS platform, Attacker can compromise other core telecom components in the network.

To prevent such attacks, telecom operators should ensure traffic segregation between user plane, control plane, and management plane. It is highly recommended to patch all the core network elements with the latest security patches released by the vendor. Also, develop and implement minimum security guidelines before integrating nodes in the network.

Hope you enjoyed reading, suggestions are always welcome.

The original post is available at:
https://www.hardw00t.io/2018/09/compromising-p-cscf-using-volte.html

Parental control spyware app Family Orbit hacked, pictures of hundreds of monitored children were exposed
4.9.2018 securityaffairs Hacking

The company that sells the parental control spyware app Family Orbit has been hacked, pictures of hundreds of monitored children were left online.
The company that sells the parental control spyware app Family Orbit has been hacked, the pictures of hundreds of monitored children were left online only protected by a password.

According to Motherboard that first reported the news, the Family Orbit spyware left exposed nearly 281 GB of data online. The hacker discovered the huge trove of data that was stored on an unsecured server and reported the discovery to Motherboard. The hacker found the key on the cloud servers of the spyware app.

“A company that sells spyware to parents left the pictures of hundreds of monitored children online, only protected by a password that almost anyone could find, according to a hacker.” states Motherboard.

“The hacker, who’s mainly known for having hacked spyware maker Retina-X, wiping its servers (twice), said he was able to find the key to the cloud servers of Family Orbit, a company that that markets itself as “the best parental control app to protect your kids.” The servers contained the photos intercepted by the spyware, according to the hacker. The company confirmed the breach to Motherboard.”

Family Orbit spyware

Experts found a Rackspace with about 3,836 containers that also included video footages.

“I had all photos uploaded from the phones of kids being monitored, and also some screenshots of the developer’s desktops which exposed passwords and other secrets,” stated the unidentified hacker.

Motherboard also verified the data breach and stated that the data belonged to active users who used those email addresses to register to the service. Motherboard assessed 6 of the email addresses and concluded that the addresses were active.

The data was protected by an easy-to-guess password only. He found the key on the cloud servers of the spyware app.
The hacker who discovered the unprotected server is the same who hacked the server of another spyware, Retina-X, two times.

The company confirmed the data breach to Motherboard, its representative told Motherboard that the API key is stored encrypted in the app, and that the company observed “unusual bandwidth” used in their cloud storage.

“We have immediately changed our API key and login credentials. The sales and the services have been taken offline until we ensure all vulnerabilities are fixed,” the representative said via email.

The incident is not isolated, companies that sell spyware are a privileged target of hackers that protest against the abuse of technology for surveillance purposes.

In the last 18 months, other eight companies that sell spyware have been hacked, they are FlexiSpy, Retina-X, TheTruthSpy, Mobistealth, Spy Master Pro, Spyfone and SpyHuman.

John McAfee’s Bitfi cryptocurrency wallet was hacked by a security duo
4.9.2018 securityaffairs Hacking

A security duo composed of Saleem Rashid and Ryan Castellucci demonstrated that it is possible to hack the John McAfee’s Bitfi cryptocurrency wallet.
Today let’s discuss John McAfee’s cryptocurrency wallet, the Bitfi wallet, defined by the popular cyber security expert “unhackable.”

Unfortunately, nothing is unhackable, and the Bitfi wallet was already hacked two times.

The Bitfi wallet is an Android-powered hardware device for storing cryptocurrencies and crypto assets.

A team of security researchers called THCMKACGASSCO devised a new attack that could allow them to steal all the stored funds from an unmodified Bitfi wallet.

The wallet relies on a user-generated secret phrase and a “salt” value to cryptographically scramble the secret phrase. The experts who devised the attack explained that the secret phrase and salt can be obtained allowing the attackers to generate the private keys and stole the funds.

“The Android-powered $120 wallet relies on a user-generated secret phrase and a “salt” value — like a phone number — to cryptographically scramble the secret phrase. The idea is that the two unique values ensure that your funds remain secure.” reported Techcrunch.com.

“But the researchers say that the secret phrase and salt can be extracted, allowing private keys to be generated and the funds stolen”

The security duo composed of Saleem Rashid and Ryan Castellucci, members of a the THCMKACGASSCO, developed the exploits for the attack and published a video PoC for the hack. In the video PoC is shown that setting a secret phrase and salt, and running a local exploit, it is possible to extract the keys from the device.

The video shows the attack can take less than two minutes to be executed.

Saleem "Unhackable" Rashid
@spudowiar
· Aug 30, 2018
Bill Powell of @Bitfi6 discussing the single assumption upon which the entirety of @Bitfi6's ridiculous UNHACKABLE claim lies

could you even IMAGINE if this assumption was proved false?https://cryptovest.com/news/interview-bitfi-explains-drama-behind-allegedly-hacked-wallets/ … pic.twitter.com/pn07hAf2uP

View image on Twitter

Saleem "Unhackable" Rashid
@spudowiar
on a completely unrelated note, here is a @Bitfi6 being cold boot attacked.

it turns out that rooting the device does not wipe RAM clean. who would have thought it!?

🎶 i feel this music is very appropriate for @Bitfi6 🎶 pic.twitter.com/jpSnYBd9Vk

10:53 PM - Aug 30, 2018

486
209 people are talking about this
Twitter Ads info and privacy
Rashid explained that they discovered that the keys are stored in the memory longer than Bitfi claims. The experts have devised a technique to run code on the hardware wallet without erasing the content of memory that included the keys, then they were able to extract the content of the m2mory including the keys.

The bad news is that the attack is trivial to carry out and doesn’t require any specific hardware as explained by Andrew Tierney, a security researcher with Pen Test Partners who verified the new attack.

Tierney was one of the members of the hacking team that carried out the first Bitfi attack.

Ask Cybergibbons!
@cybergibbons
Well, that's a transaction made with a MitMed Bitfi, with the phrase and seed being sent to a remote machine.

That sounds a lot like Bounty 2 to me.

2:51 PM - Aug 13, 2018
252
101 people are talking about this
Twitter Ads info and privacy
McAfee offered a $250,000 bounty for anyone who could successfully carry out an attack on the wallet that will result with the theft of the coins.

Bitfi did not pay out the bug bounty because the attack demonstrated by the researchers was outside the scope of the bounty.

John McAfee
✔
@officialmcafee
The press claiming the BitFi wallet has been hacked. Utter nonsense. The wallet is hacked when someone gets the coins. No-one got any coins. Gaining root access in an attempt to get the coins is not a hack. It's a failed attempt. All these alleged "hacks" did not get the coins.

8:17 PM - Aug 3, 2018
1,115
655 people are talking about this
Twitter Ads info and privacy

Matthew Green
@matthew_d_green
I haven’t really been following this Bitfi nonsense, but I do so love when companies threaten security researchers.

1:39 PM - Aug 6, 2018
448
149 people are talking about this
Twitter Ads info and privacy

Differently from the first hack, this second one demonstrated by the security duo seems to in scope for the bug bounty.

Bill Powel, vice president of operations at Bitfi, told TechCrunch in an email that the company defines a hack “as anything that would allow an attacker to access funds held by the wallet.”

After the researchers published the video PoC of the attack, Bitfi announced to have hired an experienced security manager, who is confirming vulnerabilities that have been identified by researchers.

184 people are talking about this
Twitter Ads info and privacy
Rashid will not publicly disclose the exploit code to avoid hackers using it.

TrendMicro links Urpage hacking crew to other threat actors
4.9.2018 securityaffairs Hacking

Last week, security researchers from Trend Micro discovered a new threat actor, tracked as Urpage, that shares similarities with other three hacking crews.
Researchers from Trend Micro linked a recently discovered actor, tracked as Urpage, to the hacking groups known as Bahamut, Confucius, and Patchwork.

Trend Micro first connected the Confucius group to the Patchwork crew in early 2018, then discovered many similarities between the groups.

The Patchwork (aka Dropping Elephant and Chinastrats) was first spotted by Kaspersky Lab in 2016, when the group targeted organizations in multiple industries, The activities of the group are focused on diplomatic and government targets, in some campaigns it also targeted private businesses.

China’s foreign relations efforts appear appeared to represent the main interest of the Patchwork group.

“In this case we dig deeper into the possible connection between cyberattacks by focusing on the similarities an unnamed threat actor shares with Confucius, Patchwork, and another threat actor called Bahamut. For the sake of this report, we will call this unnamed threat actor “Urpage.”” reads the analysis published by Trend Micro.

“What sets Urpage attacks apart is its targeting of InPage, a word processor for Urdu and Arabic languages. However, its Delphi backdoor component, which it has in common with Confucius and Patchwork, and its apparent use of Bahamut-like malware, is what makes it more intriguing as it connects Urpage to these other known threats.”

Back to the present, the Urpage hackers target InPage word processor used for Urdu and Arabic languages for both Windows and Mac systems. The attackers leverage a Delphi backdoor that links it to Confucius and Patchwork groups, as well as an Android malware similar to Bahamut one.

The Android malware used by the Urpage group connects its own command and control (C&C) infrastructure.

Some of the C&C websites used by the group also act as phishing sites that lure users into downloading malicious applications.

“The threat actor sets up these fake websites describing the application and linking to the Google Play Store to download it, like in the case of the malicious website, pikrpro[.]eu, seen below” continues the report.

The Urpage malware is a data stealer like the Bahamut applications, it can collect data from the infected host such as network information and the MAC address, it can steal SMS messages and contacts, record audio, retrieve GPS location, and steal files with specific extensions.

Experts noticed that some C&C also host other malicious documents that link the Urpage group to the other groups.

Urpage

One of the C&Cs was hosting a weaponized RTF file that triggers the CVE-2017-8750 flaw and an InPage file that exploits CVE-2017-12824.

Another similarity between Urpage and the other groups is the use of the same Delphi file stealer.

Concluding, the Urpage appears to be linked to the other threat actors, a link that is very close with the Patchwork group that leverages the same Android application, uses the same the registration pattern for C&C and the infrastructure is close to an old Patchwork domain.

The evidence collected by the experts suggest the attacks conducted by the groups are part of a wider coordinated operation.

“The many similarities and connections show that threat actors do not work in isolation, and that attacks do not necessarily appear from out of nowhere. This may even suggest that a single development team may be behind this attack — maybe a single paid group that has sold its tools and services to other groups with different goals and targets. We’ve summarized all the mentioned findings in the table below.” concludes Trend Micro.

Man Accused of Hacking Into Bank Account, Stealing $300,000
29.8.2018 securityweek Hacking

HARTFORD, Conn. (AP) — Police have arrested a Connecticut man they allege hacked into someone's retirement account and stole more than $300,000.

Hartford police say 36-year-old Kwadjo Osei-Wusu, of Manchester, was arrested Friday and charged with money laundering, larceny and conspiracy to commit identity theft.

Police say the FBI began investigating fraudulent activity on the Wells Fargo account in March.

Authorities say the account was compromised in 2014, and more than $300,000 was stolen and then deposited in several fraudulent bank accounts.

The stolen funds were then withdrawn as cashier checks, cashed and turned over to Osei-Wusu.

Police say the scheme involved "sophisticated levels of cyber hacking."

Osei-Wusu was held on $450,000 bond pending a Tuesday court appearance and could not be reached. No attorney was listed for him in online judicial records.

Google Tells Toomey Hackers Tried to Infiltrate Staff Email
28.8.2018 securityweek Hacking BigBrothers

Google has alerted U.S. Sen. Pat Toomey's office that hackers with ties to a "nation-state" sent phishing emails to old campaign email accounts, a spokesman for the Pennsylvania Republican said Friday.

Toomey's office was notified this week about the attempt to infiltrate email accounts, said spokesman Steve Kelly. He said the dormant accounts hadn't been used since the end of the 2016 campaign, and the staffers they're attached to no longer work for Toomey. The nation-state wasn't identified.

"This underscores the cybersecurity threats our government, campaigns, and elections are currently facing," he said. "It is essential that Congress impose tough penalties on any entity that undermines our institutions."

Toomey currently isn't running for office and the effort would not have affected the upcoming midterm elections.

Google told Toomey's office that the emails appeared to be exploratory, Kelly said. Based on scans for spam, phishing and malware, the emails likely did not contain malware or links to a credential-phishing site, he said.

A Google spokesman said the company wasn't commenting on the phishing attempt.

The notification is the latest by a tech company of suspected Kremlin attempts to spy on U.S. elected officials and campaigns and potentially meddle in U.S. politics.

Google's warning to Toomey comes just weeks after a Microsoft discovery led Sen. Claire McCaskill, a Missouri Democrat who is running for re-election, to reveal that state-backed Russian hackers tried unsuccessfully to infiltrate her Senate computer network last fall.

That effort recalled what U.S. prosecutors called in a July 13 indictment a concerted effort by Russian military operatives ahead of the 2016 election focused on helping to elect Republican Donald Trump to the presidency by exposing internal divisions in the Democratic Party meant to discredit his opponent, Hillary Clinton. The indictment says the Russian agents broke into Democratic national organization servers and stole and leaked damaging emails.

On Tuesday, Microsoft disclosed what it called new Russian espionage efforts targeting U.S. political groups — this time conservative Republican foes that have promoted sanctions to punish the Kremlin for military aggression against Ukraine.

The company said a group tied to the Russian government created fake websites — presumably to steal passwords or plant spyware— that appeared to spoof two American conservative organizations: the Hudson Institute and the International Republican Institute. Three other fake sites were designed to look as if they belonged to the U.S. Senate.

The Kremlin denied involvement.

Intel Simplifies Microcode Update License Following Complaints
24.8.2018 securityweek Hacking

Intel has made significant changes to the license for its latest CPU microcode updates after users complained that the previous version banned benchmarks and comparison tests.

Since January, when researchers disclosed the existence of the speculative execution vulnerabilities known as Spectre and Meltdown, Intel has released several rounds of microcode updates designed to prevent these and similar attacks.

The latest updates are designed to address three vulnerabilities tracked as Foreshadow or L1 Terminal Fault (L1TF). Microsoft and Linux distributions have begun distributing the microcode updates for these flaws, but some people noticed that the license file delivered with the updates prohibits benchmarking.

“Unless expressly permitted under the Agreement, You will not, and will not allow any third party to [...] publish or provide any Software benchmark or comparison test results,” the license read.

The mitigations for speculative execution vulnerabilities have been known to have a significant impact on performance in some cases. In the case of the Foreshadow flaws, Intel and Microsoft said there should not be any performance degradation on consumer PCs and many data center workloads. However, some data center workloads may be slowed down.

Someone at Intel apparently attempted to prevent users from making public the results of performance impact testing for the latest mitigations, but people quickly noticed.

“Lots of people are interested in the speed penalty incurred in the microcode fixes, and Intel has now attempted to gag anyone who would collect information for reporting about those penalties, through a restriction in their license,” Bruce Perens, one of the founders of the open source movement, wrote in a blog post.

“Bad move. The correct way to handle security problems is to own up to the damage, publish mitigations, and make it possible for your customers to get along. Hiding how they are damaged is unacceptable. Silencing free speech by those who would merely publish benchmarks? Bad business. Customers can’t trust your components when you do that,” he added.

Lucas Holt, project lead at MidnightBSD, noted on Twitter, “Performance is so bad on the latest spectre patch that intel had to prohibit publishing benchmarks.”

Following complaints, Intel has decided to significantly simplify the license. It now only says that redistributions of the microcode updates must include a copyright notice and a disclaimer, Intel’s name cannot be used to endorse or support products derived from its software, and that reverse engineering or disassembly of its software are not permitted.

“We have simplified the Intel license to make it easier to distribute CPU microcode updates,” said Imad Sousou, corporate VP and GM of Intel’s Open Source Technology Center. “As an active member of the open source community, we continue to welcome all feedback and thank the community.”

Intel allows microcode update benchmarks after user complaints

Dark Tequila Añejo
22.8.2018 Kaspersky Hacking

Dark Tequila is a complex malicious campaign targeting Mexican users, with the primary purpose of stealing financial information, as well as login credentials to popular websites that range from code versioning repositories to public file storage accounts and domain registrars.

A multi-stage payload is delivered to the victim only when certain conditions are met; avoiding infection when security suites are installed or the sample is being run in an analysis environment. From the target list retrieved from the final payload, this particular campaign targets customers of several Mexican banking institutions and contains some comments embedded in the code written in the Spanish language, using words only spoken in Latin America.

Most of the victims are located in Mexico. The campaign has been active since at least 2013, so it is a very ‘añejo’ (mature) product. There are two known infection vectors: spear-phishing and infection by USB device.

The threat actor behind it strictly monitors and controls all operations. If there is a casual infection, which is not in Mexico or is not of interest, the malware is uninstalled remotely from the victim’s machine.

(Translation for “Abrir la carpeta para ver los archivos” – “Open folder to see files”. The word “Archivos” is used by Spanish speakers from Latin America only)

The Dark Tequila malware and its supporting infrastructure are unusually sophisticated for a financial fraud operation. The malicious implant contains all the modules required for the operation and, when instructed to do so by het command server, different modules decrypt and activate. All stolen data is uploaded to the server in encrypted form.

This campaign modules are as follows:

Module 1, which is responsible for communication with the command and control server. It verifies if a man-in-the-middle network check is being performed, by validating the certificates with a few very popular websites.
Module 2 – CleanUp. If the service detects any kind of ‘suspicious’ activity in the environment, such as the fact that it is running on a virtual machine, or that debugging tools are running in the background, it will execute this module to perform a full cleanup of the system, removing the persistence service as well as any files created previously on the system.
Module 3 – Keylogger and Windows Monitor. This is designed to steal credentials from a long list of online banking sites, as well as generic Cpanels, Plesk, online flight reservation systems, Microsoft Office365, IBM lotus notes clients, Zimbra email, Bitbucket, Amazon, GoDaddy, Register, Namecheap, Dropbox, Softlayer, Rackspace, and other services.
Module 4 – Information stealer, which is designed to steal saved passwords in email and FTP clients, as well as from browsers.
Module 5 – The USB infector. This copies an executable file to a removable drive to run automatically. This enables the malware to move offline through the victim’s network, even when only one machine was initially compromised via spear-phishing. When another USB is connected to the infected computer, it automatically becomes infected, and ready to spread the malware to another target.
Module 6 – The service watchdog. This service is responsible for making sure that the malware is running properly.
The campaign remains active. It is designed to be deployed in any part of the world, and attack any targets according to the interests of the threat actor behind it. Kaspersky Lab detects the campaign as Trojan.Win32.DarkTequila and Trojan.Win64.DarkTequila.

Reference hashes:
4f49a01e02e8c47d84480f6fb92700aa091133c894821fff83c7502c7af136d9
dce2d575bef073079c658edfa872a15546b422ad2b74267d33b386dc7cc85b47

Reference C2s:
https://46[.]17[.]97[.]12/website/
https://174[.]37[.]6[.]34/98157cdfe45945293201e71acb2394d2
https://75[.]126[.]60[.]251/store/

Anonymous Hackers Target Spain Sites in Catalonia Protest
21.8.2018 securityweek Hacking

Hackers from the Anonymous collective claimed responsibility for bringing down government websites in Spain on Monday in a protest against Madrid's efforts to block Catalonia's separatist drive.

The sites, which included the official websites of the Constitutional Court and the economy and foreign ministries, went offline on Monday and could still not be accessed by early evening.

Anonymous, a loosely knit group that has attacked financial and government websites around the world, said it orchestrated the shutdowns.

"Hey Spain, we see that you are still hurting the Catalan people. This is not a joke. We will hurt your government as well!," the group wrote in a statement posted on its Twitter feed.

Anonymous temporarily blocked the Constitutional Court's website in October 2017 just as Spain's central government prepared to announce unprecedented measures to seize powers from Catalonia's regional government over its threat to break away from the rest of the country.

The hacker group originated in 2003, adopting the Guy Fawkes mask as its symbol. The mask is a stylised portrayal of an oversized smile, red cheeks and a wide moustache upturned at both ends.

Anonymous collective brought down Spain sites to support Catalonia
21.8.2018 securityaffairs Hacking

Anonymous targeted many governments websites in Spain to protest against the Government’s efforts to block Catalonia ‘s separatist wave.
Members of the notorious Anonymous collective claimed responsibility for bringing down several government websites in Spain on Monday to protest against the decision of the government to block Catalonia’s separatist drive.

Anonymous brought down the websites of the Constitutional Court and the economy and foreign ministries on Monday as part of an operation called #OpCatalunya.

vanessa junqué ©️
@vanessajunque
#OpCatalunya: New attacks against Spanish Government

Administracion Website and Consejo Transparencia are #TangoDown#Anonymous

4:23 PM - Aug 20, 2018
17
15 people are talking about this
Twitter Ads info and privacy
“Hey Spain, we see that you are still hurting the Catalan people. This is not a joke. We will hurt your government as well!,” reads a message published by Anonymous on Twitter.

Catalonia

This isn’t the first time that the collective target the Constitutional Court’s website, in October 2017 while Spain’s government was announcing the seizure of powers from Catalonia’s regional government due to the separatist movements in the region.

Hundreds of Instagram accounts were hijacked in a coordinated attack
16.8.2018 securityweek Hacking

Hundreds of Instagram accounts were hijacked in what appears to be the result of a coordinated attack, all the accounts share common signs of compromise.
Alleged attackers have hijacked Instagram accounts and modified personal information making impossible to restore the accounts.

The number of Instagram accounts that was hacked has increased since the beginning of August, all the victims were logged out of their accounts, their personal and contact information were deleted, personal email address was changed.

The attackers changed victims’ email addresses with one associated to a Russian domain (.ru).

The media outlet Mashable first reported the spike in the account takeover.

“Like half a dozen other hacking victims who spoke with Mashable, her profile photo had been changed, as had all the contact information linked to the account, which was now linked to an email with a .ru Russian domain.” reported Mashable.

“Megan and Krista’s experiences are not isolated cases. They are two of hundreds of Instagram users who have reported similar attacks since the beginning of the month.”

More than 5,000 tweets from 899 accounts were mentioning Instagram hacks in the last seven days, many users have been desperately tweeting at Instagram’s Twitter account requesting support.

Numerous reports of hacks were reported on Reddit, and Mashable reported a Google Trends search that shows a spike in searches for “Instagram hacked” on Aug. 8, and again on Aug. 11.

Instagram accounts hacked

Instagram hacked accounts have had their profile photos changed with Disney- or Pixar-themed film images.

“A number of Instagram users have taken to social media to report a mysterious hack in which their profile photos are replaced by random stills from films.” reported the BBC.

It’s not clear how hackers have hacked the Instagram accounts, there are some cases in which owner s of the accounts explained that they were using two-factor authentication (2FA).

“The extra security measure didn’t protect Chris Woznicki, who was using two-factor authentication at the time his account was hacked 10 days ago. Woznicki says Instagram sent him security emails notifying him the email address on his account had been changed (once again, to a .ru address) and 2FA had been disabled. But by the time he saw the messages, it was too late and he had already lost access to his account, which had 660 followers. Others have reported similar occurrences. “continues Mashable.

Instagram confirmed it is aware of the problems that some users are facing, below an excerpt from an Instagram security advisory:

“We are aware that some people are having difficulty accessing their Instagram accounts. As we investigate this issue, we wanted to share the below guidance to help keep your account secure:

If you received an email from us notifying you of a change in your email address, and you did not initiate this change – please click the link marked ‘revert this change’ in the email, and then change your password.
We advise you pick a strong password. Use a combination of at least six numbers, letters and punctuation marks (like ! and &). It should be different from other passwords you use elsewhere on the internet.
You can also use the steps outlined on this page to restore your account. Please use a new, secure email address to restore your account.
Finally, revoke access to any suspicious third-party apps and turn on two-factor authentication for additional security. Our current two-factor authentication allows people to secure their account via text, and we’re working on additional two-factor functionality with more to share soon.”
It isn’t the first time that Instagram faces such kind of problems, in September 2017 6 million celebrities Instagram High-Profiles data were offered for sale on DoxaGram website.

For more information, users can visit the Instagram Help Centre that includes instructions to restore a compromised account.

Hundreds of Instagram accounts were hijacked in a coordinated attack
15.8.2018 securityaffairs Hacking

The attackers changed victims’ email addresses with one associated to a Russian domain (.ru).

The media outlet Mashable first reported the spike in the account takeover.

“Megan and Krista’s experiences are not isolated cases. They are two of hundreds of Instagram users who have reported similar attacks since the beginning of the month.”

More than 5,000 tweets from 899 accounts were mentioning Instagram hacks in the last seven days, many users have been desperately tweeting at Instagram’s Twitter account requesting support.

Numerous reports of hacks were reported on Reddit, and Mashable reported a Google Trends search that shows a spike in searches for “Instagram hacked” on Aug. 8, and again on Aug. 11.

Instagram accounts hacked

Instagram hacked accounts have had their profile photos changed with Disney- or Pixar-themed film images.

“A number of Instagram users have taken to social media to report a mysterious hack in which their profile photos are replaced by random stills from films.” reported the BBC.

It’s not clear how hackers have hacked the Instagram accounts, there are some cases in which owner s of the accounts explained that they were using two-factor authentication (2FA).

Instagram confirmed it is aware of the problems that some users are facing, below an excerpt from an Instagram security advisory:

“We are aware that some people are having difficulty accessing their Instagram accounts. As we investigate this issue, we wanted to share the below guidance to help keep your account secure:

For more information, users can visit the Instagram Help Centre that includes instructions to restore a compromised account.

Foreshadow: New Speculative Execution Flaws Found in Intel CPUs
15.8.2018 securityweek Hacking

Researchers and several major tech companies on Tuesday disclosed the details of three new speculative execution side-channel vulnerabilities affecting Intel processors.

The flaws, tracked as Foreshadow and L1 Terminal Fault (L1TF), were discovered independently by two research teams, who reported their findings to Intel in January, shortly after the existence of the notorious Spectre and Meltdown vulnerabilities was made public.

There are three Foreshadow vulnerabilities: CVE-2018-3615, which impacts Intel’s Software Guard Extensions (SGX); CVE-2018-3620, which impacts operating systems and System Management Mode (SMM); and CVE-2018-3646, which affects virtualization software and Virtual Machine Monitors (VMM).Foreshadow: New speculative execution vulnerability in Intel processors

“Each variety of L1TF could potentially allow unauthorized disclosure of information residing in the L1 data cache, a small pool of memory within each processor core designed to store information about what the processor core is most likely to do next,” Intel said.

Researchers initially discovered the SGX vulnerability and Intel identified the two other issues while analyzing the cause of Foreshadow.

“While it was previously believed that SGX is resilient to speculative execution attacks (such as Meltdown and Spectre), Foreshadow demonstrates how speculative execution can be exploited for reading the contents of SGX-protected memory as well as extracting the machine’s private attestation key. Making things worse, due to SGX’s privacy features, an attestation report cannot be linked to the identity of its signer. Thus, it only takes a single compromised SGX machine to erode trust in the entire SGX ecosystem,” researchers said.

“[Foreshadow-NG] attacks can potentially be used to read any information residing in the L1 cache, including information belonging to the System Management Mode (SMM), the Operating System's Kernel, or Hypervisor. Perhaps most devastating, Foreshadow-NG might also be used to read information stored in other virtual machines running on the same third-party cloud, presenting a risk to cloud infrastructure. Finally, in some cases, Foreshadow-NG might bypass previous mitigations against speculative execution attacks, including countermeasures to Meltdown and Spectre,” they explained.

The security holes impact Intel’s Core and Xeon processors. According to the company, the patches released for these vulnerabilities don’t have a significant impact on performance, either on PC clients or data center workloads.

There is no indication that these vulnerabilities have been exploited for malicious purposes. Impacted tech companies have released patches and mitigations, which should prevent attacks when combined with the software and microcode updates released in response to Meltdown and Spectre.

AMD says its products are not impacted by Foreshadow or Foreshadow-NG due to the company’s “hardware paging architecture protections.”

“We are advising customers running AMD EPYC™ processors in their data centers, including in virtualized environments, to not implement Foreshadow-related software mitigations for their AMD platforms,” AMD told SecurityWeek in an emailed statement.

Advisories and blog posts containing technical details on Foreshadow have been published by Microsoft, Cisco, Oracle, VMware, Linux kernel developers, the Xen Project, Red Hat, SUSE and others. The researchers who discovered Foreshadow have also set up a dedicated website where users can get more information.

Key Reuse opens to attacks on IPsec IKE, Cisco, Huawei, ZyXEL products are affected
14.8.2018 securityaffairs Hacking

Security expert demonstrated that reusing a key pair across different versions and modes of IPsec IKE open the doors to attacks. Many vendors are affected
Security researchers from the University of Opole in Poland and the Ruhr-University Bochum in Germany have devised a new attack technique that allows cracking encrypted communications.

The products of several vendors, including Cisco, Huawei, ZyXEL, and Clavister, are vulnerable to the attack.

The experts will present their findings this week at the 27th USENIX Security Symposium, meantime they have released a research paper.

“In this paper, we show that reusing a key pair across different versions and modes of IKE can lead to cross-protocol authentication bypasses, enabling the impersonation of a victim host or network by attackers. We exploit a Bleichenbacher oracle in an IKEv1 mode, where RSA encrypted nonces are used for authentication.” reads the paper.

“Using this exploit, we break these RSA encryption based modes, and in addition break RSA signature-based authentication in both IKEv1 and IKEv2.”

The experts focused their analysis on the impact of key reuse on Internet Protocol Security (IPsec). IPsec is used for virtual private networks (VPNs). The cryptographic key for IPsec leverages the Internet Key Exchange (IKE) protocol, which has two versions, IKEv1 and IKEv2.

The experts have also described an offline dictionary attack against the PSK (Pre-Shared Key) based IKE modes, thus covering all available authentication mechanisms of IKE.

The researchers found Bleichenbacher oracles in the IKEv1 implementations of Cisco (CVE-2018-0131), Huawei (CVE2017-17305), Clavister (CVE-2018-8753), and ZyXEL (CVE-2018-9129).

Major vendors, including Cisco, Huawei and ZyXEL have published security advisories for this vulnerability.

The Cisco’s advisory describes the issue as an issue in the implementation of RSA-encrypted nonces in the IOS and IOS XE software. A remote unauthenticated attacker can obtain the encrypted nonces of an IKEv1 session by sending specially crafted ciphertexts to the targeted system.

“A vulnerability in the implementation of RSA-encrypted nonces in Cisco IOS Software and Cisco IOS XE Software could allow an unauthenticated, remote attacker to obtain the encrypted nonces of an Internet Key Exchange Version 1 (IKEv1) session.” reads the advisory published by Cisco.

“The vulnerability exists because the affected software responds incorrectly to decryption failures. An attacker could exploit this vulnerability sending crafted ciphertexts to a device configured with IKEv1 that uses RSA-encrypted nonces. A successful exploit could allow the attacker to obtain the encrypted nonces.”

According to ZyXEL, the Bleichenbacher attack works against the ZyWALL and USG series network security appliances, the vendor already released firmware updates that address the vulnerability.

According to the Huawei’s advisory, its firewall products are affected by the flaw.

Nigerian Man Found Guilty on Charges Related to Hacking
13.8.2018 securityweek Hacking

ATLANTA (AP) — A jury in Atlanta has convicted a Nigerian man on federal charges related to hacking universities.

Prosecutors said in a news release Monday that 34-year-old Olayinka Olaniyi and co-defendant 29-year-old Damilola Solomon Ibiwoye ran several phishing scams targeting employees at U.S. colleges and universities, including Georgia Tech and the University of Virginia.

Prosecutors say they obtained employee logins and passwords and used them to steal payroll deposits and to file fraudulent tax returns.

Olaniyi was convicted last week of conspiracy to commit wire fraud, computer fraud and aggravated identity theft. He is to be sentenced Oct. 22.

Ibiwoye, who's also from Nigeria, pleaded guilty to similar charges. He was sentenced to serve three years and three months in prison.

DNS Hijacking targets Brazilian financial institutions

12.8.2018 securityaffairs Hacking

Crooks are targeting DLink DSL modem routers in Brazil to redirect users to fake bank websites by changing the DNS settings.

With this trick, cybercriminals steal login credentials for bank accounts, Radware researchers reported.

The attackers change the DNS settings pointing the network devices to DNS servers they control, in this campaign the experts observed crooks using two DNS servers, 69.162.89.185 and 198.50.222.136. The two DNS servers resolve the logical address for Banco de Brasil (www.bb.com.br) and Itau Unibanco (hostname www.itau.com.br) to bogus clones.

“The research center has been tracking malicious activity targeting DLink DSL modem routers in Brazil since June 8th. Via old exploits dating from 2015, a malicious agent is attempting to modify the DNS server settings in the routers of Brazilian residents, redirecting all their DNS requests through a malicious DNS server.” reads the analysis published by Radware.

“The malicious DNS server is hijacking requests for the hostname of Banco de Brasil (www.bb.com.br) and redirecting to a fake, cloned website hosted on the same malicious DNS server which has no connection whatsoever to the legitimate Banco de Brasil website.”

Hackers are using old exploits dating from 2015 that work on some models of DLink DSL devices, they only have to run for vulnerable routers online and change their DNS settings.

The experts highlighted that the hijacking is performed without any user interaction.

“The attack is insidious in the sense that a user is completely unaware of the change. The hijacking works without crafting or changing URLs in the user’s browser. A user can use any browser and his/her regular shortcuts, the user can type in the URL manually or even use it from mobile devices, such as a smart phone or tablet.” reads the alert published by Radware.

“The user will still be sent to the malicious website instead of to their requested website and the hijacking effectively works at the gateway level.”

Attackers carried out phishing campaigns with crafted URLs and malvertising campaigns attempting to change the DNS configuration from within the user’s browser. Such kind of attack is not a novelty, hackers are using similar techniques since 2014, in 2016, an exploit tool known as RouterHunterBr 2.0 was published online and used the same malicious URLs, but Radware is not aware of currently of abuse originating from this tool.

Radware has recorded several infections attempts for an old D-Link DSL router exploits since June 12.

DNS hijacking
The malicious URL used in the campaign appear as:

DNS hijacking 2

Several exploits for multiple DSL routers, mostly D-Link, were available online since February, 2015:

Shuttle Tech ADSL Modem-Router 915 WM / Unauthenticated Remote DNS Change. Exploit http://www.exploit-db.com/exploits/35995/
D-Link DSL-2740R / Unauthenticated Remote DNS Change Exploit http://www.exploit-db.com/exploits/35917/
D-Link DSL-2640B Unauthenticated Remote DNS Change Exploit https://www.exploit-db.com/exploits/37237/
D-Link DSL-2780B DLink_1.01.14 – Unauthenticated Remote DNS Change https://www.exploit-db.com/exploits/37237/
D-Link DSL-2730B AU_2.01 – Authentication Bypass DNS Change https://www.exploit-db.com/exploits/37240/
D-Link DSL-526B ADSL2+ AU_2.01 – Unauthenticated Remote DNS Change https://www.exploit-db.com/exploits/37241/
Once the victims visit the fake websites, they will be asked for bank info, including agency number, account number, mobile phone number, card pin, eight-digit pin, and a CABB number.

The experts noticed that the phishing websites used in the campaign are flagged as not secure in the URL address.

Radware reported the campaigns to the financial institutions targeted by the attacks and fake websites have since been taken offline.

“A convenient way for checking DNS servers used by your devices and router is through websites like http://www.whatsmydnsserver.com/.
Only modems and routers that were not updated in the last two years can be exploited. Updates will protect the owner of the device and also prevent devices being enslaved for use in DDoS attacks or used to conceal targeted attacks.” recommends Radware.

Leaked GitHub API Token Exposed Homebrew Software Repositories
9.8.2018 securityweek Hacking

A GitHub API token leaked from Homebrew’s Jenkins provided a security researcher with access to core Homebrew software repositories (repos).

Around since 2009, Homebrew is a free and open-source software package management system that is integrated with command line and which allows for simple installation of software on macOS machines.

On July 31, 2018, security researcher Eric Holmes discovered that an exposed token provided him with commit access to Homebrew/brew, Homebrew/homebrew-core, and Homebrew/formulae.brew.sh repositories.

With hundreds of thousands of people using Homebrew, the potential impact of the compromise was disastrous. By modifying a highly popular package, such as openssl, the researcher could have pushed the malicious code directly to a large number of users.

“If I were a malicious actor, I could have made a small, likely unnoticed change to the openssl formulae, placing a backdoor on any machine that installed it,” Holmes explained.

The issue, which was addressed the same day that it was discovered, did not result in compromised packages, Homebrew lead maintainer Mike McQuaid reveals.

The exposed token had elevated scopes, but the GitHub Support team has verified that it hasn’t been used to perform any pushes to Homebrew/brew or Homebrew/homebrew-core.

“Within a few hours the credentials had been revoked, replaced and sanitised within Jenkins so they would not be revealed in future. Homebrew/brew and Homebrew/homebrew-core were updated so non-administrators on those repositories cannot push directly to master,” McQuaid says.

He also explains that the team also enforced stronger security by updating most repositories in the Homebrew organization “to require CI checks from a pull request to pass before changes can be pushed to master.”

In addition to enabling branch protection and requiring reviews on additional repositories, the Homebrew team also required all maintainers to review and prune their personal access tokens and disable SMS fallback for 2FA.

“We try our best to behave as a for-profit company would do in terms of timely response to security issues but this is heavily limited by our lack of resources. For example, in this the Homebrew maintainer who resolved the above issues was on paternity leave from work and the primary carer for their child and had to reach a quick resolution while their child had a nap,” McQuaid notes.

In the wake of recent incidents with compromised Gentoo Linux and Arch Linux AUR repositories, it is increasingly clear that malicious actors can cause a great deal of damage by targeting the supply chain. This is exactly what last year’s CCleaner and NotPetya attacks demonstrated as well.

“This is my growing concern, and it’s been proven time and time again that package managers, and credential leaks, are a weak point in the security of the internet, and that supply chain attacks are a real and persistent threat. This is not a weakness in Homebrew, but rather a systemic problem in the industry, and one where we need more security research,” Holmes concludes.

BGP Hijacking Attacks Target US Payment Processors
8.8.2018 securityweek Hacking

Several payment processing companies in the United States were targeted recently in BGP hijacking attacks whose goal was to redirect users to malicious websites, Oracle reported last week.

The Border Gateway Protocol (BGP) controls the route of data across the Web. BGP hijacking, also known as prefix or route hijacking, is carried out by taking over IP address groups by corrupting the routing tables that store the path to a network.

In the past months, Oracle, which gained deep visibility into Web traffic after acquiring Dyn in 2016, has observed several instances of malicious actors trying to force users to their websites by targeting authoritative DNS servers in BGP hijacking attacks.

The attackers used rogue DNS servers to return forged DNS responses to users trying to access a certain website. They maximized the duration of an attack with long time-to-live (TTL) values in those forged responses so that DNS servers would hold the fake DNS entries in their cache for an extended period.

“[The] perpetrators showed attention to detail, setting the TTL of the forged response to ~5 days. The normal TTL for the targeted domains was 10 minutes (600 seconds). By configuring a very long TTL, the forged record could persist in the DNS caching layer for an extended period of time, long after the BGP hijack had stopped,” explained Doug Madory, Director of Internet Analysis at Oracle's Internet Intelligence team.

Oracle spotted the first BGP hijacking attempt on July 6, when an Indonesian ISP announced some prefixes associated with Vantiv, a brand owned by US-based payment processing company Worldpay.

The same prefixes were also announced on July 10 by a Malaysian ISP. At the same time, someone hijacked domains associated with Datawire, which is described as a “connectivity service that transports financial transactions securely and reliably over the public Internet to payment processing systems.”

On July 11, someone started hijacking prefixes associated with Mercury Payment Systems, which is also owned by Worldpay. The previously targeted prefixes were then once again hijacked on July 12.

While the initial BGP attacks did not have a significant impact, the last hijacks, which involved Vantiv domains, lasted for nearly three hours, Oracle reported.

A similar attack was seen by the company in April, when cybercriminals attempted to conduct a BGP hijack of Amazon's authoritative DNS service in an effort to redirect users of a cryptocurrency wallet to a fake website set up to steal their money. Evidence suggests that the recent attacks are linked to the ones from April.

Hacking WiFi Password in a few steps using a new attack on WPA/WPA2
8.8.2018 securityaffairs Hacking

A security researcher has devised a new WiFi hacking technique that could be exploited to easily crack WiFi passwords of most modern routers.
The security researcher Jens ‘Atom’ Steube, lead developer of the popular password-cracking tool Hashcat, has devised a new WiFi hacking technique that could be exploited to easily crack WiFi passwords of most modern routers.

The new WiFi hacking technique allows to crack WPA/WPA2 wireless network protocols with Pairwise Master Key Identifier (PMKID)-based roaming features enabled.

The expert was analyzing the recently launched WPA3 security standard when accidentally the new technique.

“This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. WPA3 will be much harder to attack because of its modern key establishment protocol called “Simultaneous Authentication of Equals” (SAE).” Steube wrote in a post.

“The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame.”

Older attack techniques required capturing a full 4-way handshake of Extensible Authentication Protocol over LAN (EAPOL), that is a network port authentication protocol. The new attack technique, differently from the previous ones, targets the Robust Secure Network Information Element (RSN IE).
The RSN protocol was designed for establishing secure communications over an 802.11 wireless network and it is part of the 802.11i (WPA) standard. Every time it attempts to establish a secure communication channel, the RSN broadcasts an RSN IE message within the network.

The Robust Security Network protocol has the PMKID (Pairwise Master Key Identifier), that is the key needed to establish a connection between a client and an access point.

An attacker can obtain the WPA PSK (Pre-Shared Key) password from the PMKID.

The WPA PSK is used in the “Personal” version of WPA and is designed for home and small office networks.

“Since the PMK is the same as in a regular EAPOL 4-way handshake this is an ideal attacking vector,” Steube added.

“We receive all the data we need in the first EAPOL frame from the AP.”

Below the description of the technique step by step:

Step 1 — An attacker can use a tool like hcxdumptool (v4.2.0 or higher) to request the PMKID from the targeted access point and dump the received frame to a file.

$ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 –enable_statusStep 2 — Run hcxpcaptool tool to convert the captured data from pcapng format to a hash format accepted by hashcat

$ ./hcxpcaptool -z test.16800 test.pcapng

Step 3 — Use Hashcat (v4.2.0 or higher) password cracking tool to obtain the WPA PSK (Pre-Shared Key) password that is the password of the target wireless network.

$ ./hashcat -m 16800 test.16800 -a 3 -w 3 ‘?l?l?l?l?l?lt!’The time to crack the password depends on its complexity.

“At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers).” Steube concluded.

“The main advantages of this attack are as follow:

No more regular users required – because the attacker directly communicates with the AP (aka “client-less” attack)
No more waiting for a complete 4-way handshake between the regular user and the AP
No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results)
No more eventual invalid passwords sent by the regular user
No more lost EAPOL frames when the regular user or the AP is too far away from the attacker
No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds)
No more special output format (pcap, hccapx, etc.) – final data will appear as regular hex encoded string”
If you are searching for a good step by step explanation, give a look at the blog post published by the penetration tester Adam Toscher.

The new attack technique does not work against the recently introduced WPA3 security protocol.

The WPA3 protocol is “much harder to attack because of its modern key establishment protocol called “Simultaneous Authentication of Equals” (SAE).”

New Method Discovered for Cracking WPA2 Wi-Fi Passwords
7.8.2018 securityweek Hacking

Developers of the popular password cracking tool Hashcat have identified a new method that can in some cases be used to obtain a network’s Wi-Fi Protected Access (WPA) or Wi-Fi Protected Access II (WPA2) password.

Jens ‘Atom’ Steube, the lead developer of Hashcat, revealed that the new attack method was discovered by accident during an analysis of the recently launched WPA3 security standard.

According to Steube, the main difference between the new and older attacks is that the new method does not require capturing a full 4-way handshake of Extensible Authentication Protocol over LAN (EAPOL), which is a network port authentication protocol. Instead, the attack targets the Robust Secure Network Information Element (RSN IE).

RSN is a protocol designed for establishing secure communications over an 802.11 wireless network and is part of the 802.11i (WPA) standard. When it begins to establish a secure communication channel, RSN broadcasts an RSN IE message across the network.

One of the capabilities of RSN is PMKID (Pairwise Master Key Identifier), from which an attacker can obtain the WPA PSK (Pre-Shared Key) password. WPA PSK is used in the “Personal” version of WPA and is designed for home and small office networks.

“Since the PMK is the same as in a regular EAPOL 4-way handshake this is an ideal attacking vector,” Steube explained in a post on the Hashcat forum. “We receive all the data we need in the first EAPOL frame from the AP.”

An attacker can use the hcxdumptool tool to request the PMKID from the targeted access point and dump the received frame to a file. Hcxdumptool can then be used to obtain a hash of the password that Hashcat can crack. The recommendation is that the tool be run for up to 10 minutes before aborting the process.

Penetration tester Adam Toscher has published a blog post explaining step-by-step how such an attack can be conducted. The method has been tested by several individuals and while some claim to have successfully reproduced the attack, others say they haven’t been able to do so.

Some members of the industry pointed out that while this new method can make the attack easier to conduct, brute-forcing is still involved, which means a strong password represents an efficient mitigation. Experts also noted that WPA Enterprise (i.e. systems using WPA2-EAP) is not impacted.

New WPA2 attack method

As for WPA3, Steube noted that it’s “much harder to attack because of its modern key establishment protocol called ‘Simultaneous Authentication of Equals’ (SAE).”

Ex-Tesla Worker Accused of Hacking Seeks $1M in Counterclaim

6.8.2018 securityweek Hacking

Tesla Breach

RENO, Nev. (AP) — A former Tesla Inc. employee at the electric car maker's battery plant in Nevada is seeking at least $1 million in defamation damages after it accused him of sabotage, hacking into computers and stealing confidential information leaked to the media.

Lawyers for Martin Tripp filed a counterclaim in federal court this week alleging any damages Tesla incurred were caused or contributed to by Tesla's "own negligence, acts or omissions."

Tripp alleges that between $150 million and $200 million worth of battery module parts for Tesla's Model 3 vehicle were incorrectly handled as scrap earlier this year. He said more than 700 dented and/or punctured battery modules were not discarded and instead were being shipped or were in the process of being shipped to customers.

A punctured battery could pose a fire risk.

Tesla officials did not respond to repeated requests for comment from The Associated Press on Thursday.

Tripp said he was recruited by Tesla, moved to Sparks, Nevada, from Wisconsin and started working at the battery factory in October 2017 as a lead process engineering technician. He was fired June 19.

Tesla filed the lawsuit against Tripp on June 20, three days after Musk warned employees of sabotage from within the company.

In the months prior, Tripp witnessed "several concerning business practices" inconsistent with Tesla's representations to investors and the general public, according to his counterclaim filed in U.S. District Court in Reno on Tuesday.

Tripp said he repeatedly questioned supervisors about the large quantities of waste and scrap vehicle parts he observed "lying haphazardly on the ground inside the Gigafactory." But his concerns were never addressed or resolved, Tripp said.

Tripp said he emailed CEO Elon Musk directly about his concerns on May 16 before Musk was scheduled to visit the factory east of Sparks that night. Later that day, Tripp said his manager asked him to forward the email he sent to Musk "so that I can avoid getting fired tonight," according to the lawsuit.

His counterclaim says a design engineer also told Tripp to clean up the production line area so Musk wouldn't see the mounds of scrap and waste lying on the ground, but Tripp declined to do so because he wanted Musk "to see how the Gigafactory was actually being operated." He said he was reassigned to a different position the following day.

Tesla's original lawsuit said Tripp admitted to Tesla investigators that he wrote software that transferred several gigabytes of data outside the company, including dozens of photographs and a video, according to the lawsuit filed Wednesday. Hacking software from Tripp also was running on three computer systems of other employees "so that the data would be exported even after he left the company and so that those individuals would be falsely implicated," the lawsuit alleged.

The lawsuit said Tripp made false claims about the information he stole, including claims that Tesla used punctured battery cells in the Model 3, and claims about the amount and value of scrap material generated by Tesla's manufacturing process. Some of the claims made it into media stories about the company, but media organizations are not identified in the lawsuit.

Tripp, a former aviation electronics technician in the U.S. Navy who worked two decades in the electronic and engineering industries, said in his counterclaim he "did not sabotage Tesla or its operations" and his actions "were necessary, reasonable and/or privileged."

He acknowledged in the counterclaim that he had made claims about the scrap and punctured battery cells being used in Model 3 vehicles. But he said he did not direct code changes to the Tesla Manufacturing Operating System under false user names or export large amounts of highly sensitive Tesla data as Musk had asserted.

After he was reassigned to a new position, Tripp "learned of and witnessed additional unnerving, dangerous and wasteful business practices," including employees systematically reusing parts and battery cells that had been previously discarded as waste, the suit said.

The scrap problem dramatically increased in March 2018 when Tesla initiated a company-wide effort to reach its publicized goal of producing 2,500 Model 3 vehicles per week, the lawsuit said. It said the production push — with an objective of making 5,000 vehicles per week by July 2018 — was known as the "March to 2,500."

TCM Bank: website misconfiguration exposed applicant data for 16 months
6.8.2018 securityaffairs Hacking

TCM Bank announced that a Web site misconfiguration exposed applicant data for 16 months, between early March 2017 and mid-July 2018
TCM Bank, a subsidiary of ICBA Bancard, serves as a trusted advisor to community banks, it serves as a direct issuer of credit cards for more than 750 small and community U.S. banks who prefer not to issue cards themselves.

TCM Bank announced that a Web site misconfiguration exposed applicant data for 16 months, including names, addresses, dates of birth and Social Security numbers.

“In a letter being mailed to affected customers today, TCM said the information exposed was data that card applicants uploaded to a Web site managed by a third party vendor.” wrote the popular investigator Brian Krebs.

“TCM said it learned of the issue on July 16, 2018, and had the problem fixed by the following day.”

Thousands of people who applied for cards between early March 2017 and mid-July 2018 were affected by the incident.

The company notified the incident to the affected customers via email, data exposed belongs to card applicants uploaded to a Web site managed by a third party vendor.

The attorney Bruce Radke who is helping TCM confirmed that the number of affected customers is less than 10,000.

“It was less than 25 percent of the applications we processed during the relevant time period that were potentially affected, and less than one percent of our cardholder base was affected here,” Radke said.

“We’ve since confirmed the issue has been corrected, and we’re requiring the vendor to look at their technologies and procedures to detect and prevent similar issues going forward.”

TCM Bank

Businesses have to carefully review the level of security implemented by their partners to avoid those third-party incidents could have a significant impact on their operations.

“Many companies that experience a data breach or data leak are quick to place blame for the incident on a third-party that mishandled sensitive information. Sometimes this blame is entirely warranted, but more often such claims ring hollow in the ears of those affected — particularly when they come from banks and security providers.” concludes Krebs.

“Managing third-party risk can be challenging, especially for organizations with hundreds or thousands of partners”

Student Charged in Elaborate Digital Money Theft Scheme

3.8.2018 securityweek Hacking

LOS ANGELES (AP) — A Massachusetts college student who was named his high school's valedictorian for his savvy tech skills hacked into unsuspecting investors' personal cellphones, email and social media accounts to steal at least $2 million in digital currency like Bitcoin, according to documents provided by California prosecutors Wednesday.

Joel Ortiz was taken into custody July 12 at Los Angeles International Airport ahead of a flight to Boston, according to prosecutors. The 20-year-old faces more than two dozen charges including grand theft, identity theft and computer hacking, court documents show. He's held on $1 million bail.

The Santa Clara County, California, public defender's office, which is representing Ortiz, declined comment. A number listed for his home in Boston was disconnected.

The elaborate scheme involved taking over victims' phones, allowing him to reset passwords and access online accounts containing electronic assets in the form of Bitcoin, Coinbase, Bittrex and Binance, the criminal complaint said.

In one case Ortiz allegedly walked into an AT&T store and impersonated a victim in order to get a new SIM card, which gave him control of the victim's phone. He obtained access to the victim's "financial and personal identifying information, tax returns, private passwords" and siphoned $10,000 from a cryptocurrency account, according to police report.

In several instances Ortiz allegedly impersonated victims over text messages and convinced friends and family members to "loan" him digital funds, court documents said.

At one point Ortiz allegedly stole $10,000 from a California resident, and then tried to get more, calling the victim's wife and sending a text to the victim's daughter that said "TELL YOUR DAD TO GIVE US BITCOIN," the documents said.

Court documents identify more than 20 victims who live in California, and prosecutors say they know of additional victims outside of the state.

Ortiz enrolled at the University of Massachusetts Boston and studies information technology, said school spokesman DeWayne Lehman.

Ortiz was the 2016 valedictorian of Another Course to College, a small public college preparatory school in Boston, and was honored alongside other top students across the city at a luncheon that year with Democratic Mayor Marty Walsh and other officials at a downtown hotel.

At his school, Ortiz was the lead robot software programmer on its robotics team, taught other students the basics of software coding and "led efforts to teach computer science," according to a Boston Public Schools' press release touting the students' accomplishments.

The school system said Ortiz "loves science and technology," is fluent in Spanish and speaks conversational Chinese.

Boston Public Schools spokesman Daniel O'Brien declined to comment.

Half a Billion Enterprise Devices Exposed by DNS Rebinding
23.7.2018 securityweek Hacking

Nearly half a billion devices used by enterprises are exposed to cyberattacks by DNS rebinding, according to a study conducted by IoT security firm Armis.

DNS rebinding, an attack method that has been known for more than a decade, allows a remote hacker to bypass the targeted entity’s network firewall and abuse their web browser to directly communicate with devices on the local network and exploit any vulnerabilities they may have. Getting the target to access a malicious page or view a malicious advertisement is often enough to conduct an attack that can lead to theft of sensitive information and taking control of vulnerable devices.

Google Project Zero researcher Tavis Ormandy revealed a few months ago that DNS rebinding could be used to exploit critical flaws in BitTorrent’s uTorrent application and the Transmission BitTorrent client.

More recently, researcher Brannon Dorsey showed how malicious actors could exploit vulnerabilities in Google Home and Chromecast devices, Roku TVs, Sonos Wi-Fi speakers, routers, and smart thermostats via DNS rebinding.

Armis, the firm that discovered the Bluetooth flaws dubbed BlueBorne, conducted its own research on the impact of DNS rebinding on enterprises.

The company estimates that there are 496 million enterprise devices worldwide that are exposed due to DNS rebinding. This includes 165 million printers, 160 million IP cameras, 124 million IP phones, 28 million smart TVs, 14 million switches and routers, and 5 million media players.

Number of devices vulnerable to DNS rebinding attacks

“Because of the widespread use of the types of devices listed above within enterprises, Armis can say that nearly all enterprises are susceptible to DNS rebinding attacks,” Armis said.

As an example of vulnerabilities that can be exploited as a result of DNS rebinding, the company highlighted the flaws patched this month by Cisco in its IP phones. Armis also pointed to the critical security holes discovered recently in Axis and Foscam cameras.

As for printers, researchers noted, “Unfortunately, printers are one of the least managed, most poorly configured devices in the enterprise. Aside from adjusting basic network configurations, enterprises typically deploy printers with default settings, making them an ideal target for a DNS rebinding attack.”

In an attack scenario described by Armis, the attacker simply needs to trick the targeted user into visiting a specially crafted website which hosts JavaScript code that will be executed in the victim’s browser. The JavaScript code instructs the browser to scan local IP addresses in search of vulnerable devices.

Once vulnerable systems are identified, the attacker can use DNS rebinding to send arbitrary commands (e.g. log into the web server) directly to the IP address of the compromised IoT device. The attacker can also establish an outbound connection to the C&C server and chances are that none of these communications will be detected or blocked by security products.

Since DNS rebinding is possible due to how DNS and web browsers work, Armis believes the best way for enterprises to protect their networks against attacks is to monitor all devices for signs of a breach, perform a risk analysis of IoT devices to determine which systems are vulnerable, and ensure that the devices are secure, including by applying software patches and disabling unnecessary services.

Software Supply Chain Increasingly Targeted in Attacks: Survey
23.7.2018 securityweek Hacking

Organizations increasingly have to deal with cyberattacks targeting the software supply chain and in many cases they are not adequately prepared to respond to such incidents, according to a report published on Monday by endpoint security firm CrowdStrike.

In supply chain attacks, malicious actors target software makers in an effort to modify their products so that they perform malicious actions of provide a backdoor into the targeted environment.

The NotPetya attack, which involved a Ukrainian tax software firm, and the CCleaner incident, which involved hacking of distribution servers at Piriform, are some of the most well-known examples, but supply chain attacks are becoming increasingly common.

Vanson Bourne, on behalf of CrowdStrike, surveyed 1,300 senior IT decision makers and security professionals in the U.S., Canada, Mexico, the U.K., Australia, Japan, Germany and Singapore in April and May.

The Securing the Supply Chain report shows that roughly one-third of organizations are concerned about supply chain attacks, with 18% and 38% saying that the risk is high and moderate, respectively.

Approximately two-thirds of respondents have experienced some form of supply chain attack. The biotechnology and pharmaceutical sector takes the lead with 82% of organizations encountering such an incident, including 45% being hit in the last 12 months. Other sectors more likely to encounter supply chain attacks include hospitality, entertainment and media (74%), IT and technology (74%), engineering (73%), healthcare (70%) and insurance (68%).

Supply chain attacks

On average, organizations believe it would take them 10 hours to detect an incident, 13 hours to react, 15 hours to respond, and 25 hours to remediate it, which totals 63 hours, the report shows.

A vast majority of respondents that have encountered a supply chain incident reported a financial impact, with an average cost of roughly $1.1 million. The highest costs were reported by the hospitality, entertainment and media sector ($1.44 million) and the lowest in the government sector ($329,000).

Some companies have also paid a ransom to recover from a supply chain attack, with many respondents saying their own organization or others in their industry had paid.

In addition to financial loss, organizations experienced various types of drawbacks following an attack, including the necessity to completely rebuild IT systems (36%), spend more on security (36%), and service/operations disruption (34%).

When it comes to response strategies, over one-third of respondents said they had a comprehensive strategy in place when they suffered an attack and more than half had some level of response pre-planned.

Trust in suppliers is not very high, with only 35% of respondents saying they had been totally certain they would be informed of a cybersecurity incident. On the other hand, 39% of those surveyed said they had lost trust in a supplier over the past year.

Less than a third of the organizations that took part in the survey vetted all suppliers in the past 12 months, and the high profile attacks that came to light last year made the vetting process more rigorous in 59% of cases. Executives have also started changing their attitude in regards to this threat, with 31% becoming more involved, 49% planning to become more involved, and 13% taking more of an interest.

Charitable Hackers Collaborate in Deep Web Forums
19.7.2018 securityweek Hacking

Through Multiple Methods and Collaborations, Many Hackers Donate Money to Good Causes

Sun Tzu is a cliche in cybersecurity, but no less valid for that. He wrote, "If you know the enemy and know yourself, you need not fear the result of a hundred battles." Security researchers infiltrate the deep web forums to understand both the enemy and his weapons -- and sometimes they can be surprised by what they find.

Last month, Trustwave's SpiderLabs blog posted a discussion on the cybercriminal members of underground forums with the title, 'Underground Code of Honor'. In this blog is brief mention of hackers' charitable works. Now Ziv Mador, VP of security research at Trustwave, has given SecurityWeek more details of a well-organized charitable element found in numerous deep web forums.

He explained that Trustwave was investigating the modular structure of the underground. Different groups specialize in specific aspects of cybercrime and sell their products or services to other groups. One group might specialize in running botnets and botnet servers. Another might specialize in developing malware -- and each might sell their services to the other to meet a specific demand.

During this research, the researchers came across charity-themed communications; and decided to investigate further. "And the more we delved," said Mador, "the more fascinating it became. We found that through multiple methods and collaborations these hackers actually donate a lot of money to good causes." The most frequent donations, he said, are for orphanages and hospitals (especially children's hospitals).

Trustwave particularly looked at three different forums: two Russian-speaking and one English-speaking. There were immediate differences. In the English-speaking forum, charitable donations tended be from individuals. In the Russian-speaking forums they were collaborative campaigns. This could be partly cultural (individualism versus team working) or partly economic (eastern European hackers really needing to collaborate in order to collect sufficient funds).

Whatever the reasons, however, the Russian-speaking hackers have developed relatively sophisticated 'giving campaigns'. "Near the Russian new year (7 January), they ran a campaign and used the money raised to buy equipment for hospitals and supplies for orphanages." The hospital equipment included stretchers, inhalers, and bacteria-killing lamps." They even have plans to buy heart-rate monitors; and are working with a contractor to remodel a particular department in one particular hospital.

The orphanage supplies included toiletries such as hair brushes, tooth brushes and toothpaste. With money left over, they bought 25 kilos of fresh fruit, since 'sweets are not healthy for the kids'. These supplies were delivered by hand (about 15 bags full), and photographic evidence of the hand-over, and the kids, were posted as proof to the forum.

If all this seems just a little bit 'Robin Hood', it's a comparison not lost to the hackers themselves. "Anyone can become a modern Robin Hood" one hacker posted to the forum. But perhaps the most intriguing charitable act has been the development of a 'needy support' capability. "They have established a process in one of the forums," explained Mador, "where parents of children who are sick and the families are poor, can submit a request for support. So, if a child needs some medication or surgery and the parents cannot pay for it, they can submit a request for support with supporting documents -- and there is a very specific post in one of the underground forums specifying exactly what documents are needed to get support from the forum."

It's not just the members that get involved. One forum promises to donate half the money it collects to the charitable work. It gets this from two primary sources -- using the forum for advertising; and through arbitration services. "If two forum members get into conflict," said Mador; "let's say one bought a service from another one, and promises were not fulfilled, they go to arbitration. Here the forum administrator will work with them to decide on who is right and who is wrong; and to determine any compensation. Part of that compensation goes to the arbitration fund -- and part of that goes to charity."

One of the forums publishes a list of donators and amounts. The names are obviously false or online handles -- but some individuals can still be recognized. Petr Severa donated more than $100. He is now better known as Peter Yuryevich Levashov, after being arrested while holidaying in Spain and extradited to the U.S. He is now awaiting trial in Connecticut on eight charges, and faces 50 years in jail.

As the cybercriminals' charitable work grows, so too does a need for improved administration. "In one of the forums," said Mador, "it was suggested that since this charitable work takes time and effort, it needed a manager to manage the whole process. It was further suggested that they should hire a woman -- and it specifically had to be a woman -- to manage the funds. They also mentioned that their 'punchers' would check the candidates' information." Punchers are people in the criminal underground who have expertise in getting confidential information about people -- so the candidates should expect a pretty invasive background check on their credentials.

The picture painted really is one of the romantic Robin Hood idea: robbing the rich to pay the poor. Mador doesn't accept this, finding the situation to be more ironic than romantic. It would take an analysis by psychologists and sociologists to understand the causes and motives behind the rise of underground charitable work; but Mador does concede that there may be an element of cultural patriotism among some of the Russian and eastern European hackers.

Ilia Kolochenko, CEO of High-Tech Bridge, sees nothing attractive in the phenomenon -- he finds it alarming and an indication of a growing breakdown in government authority and increasing anarchy. "The substance of the charity is certainly laudable and justified. However," he told SecurityWeek, "it also serves as a harbinger of the global cybersecurity crisis. Governments and law authorities are unable to protect their citizens in the digital space anymore. Cybercriminals are undermining governmental authority by helping indigent people abandoned by the state. What will be the next? Cybercriminals offering private protection in the digital space for a reasonable cost affordable to the citizens? Governments will lose their authority and power, and Robin Hoods will reign.”

Chicago-based data security and compliance solutions firm Trustwave was acquired by Singapore Telecommunications (Singtel) for $810 million in cash in April 2015.

Trump Says 'Might' Ask Putin to Extradite Accused Russian Hackers
18.7.2018 securityweek Hacking

Donald Trump has said he may ask Vladimir Putin during their upcoming summit meeting to extradite to the US 12 Russian intelligence officers accused of attempting to interfere with the 2016 presidential election.

Speaking in an interview with CBS Evening News conducted on Saturday ahead of his meeting with the Russian leader in Helsinki on Monday, the US president also sought to temper expectations about how much could be achieved.

Asked whether he would press his Russian counterpart to send to the US members of the Russian military intelligence agency accused of hacking Hillary Clinton's failed presidential campaign, he said: "Well, I might.

"I hadn't thought of that. But I certainly, I'll be asking about it, but again, this was during the Obama administration. They were doing whatever it was during the Obama administration," he told CBS's Jeff Glor on "Face the Nation."

Speaking before the summit in Helsinki, Trump added that his Republican Party had also been the target of Russian hacking efforts but had superior cyber security measures in place.

"I think the DNC (Democratic National Committee) should be ashamed of themselves for allowing themselves to be hacked," he said. "They had bad defenses and they were able to be hacked. But I heard they were trying to hack the Republicans too. But -- and this may be wrong -- but they had much stronger defenses."

CNN reported in January last year that then-FBI Director James Comey told a Senate panel that "old emails" of the Republican National Committee had been the target of hacking -- but the material was not publicly released -- and there was no sign the current RNC or the Trump campaign had been successfully hacked.

The indictments issued Friday by special counsel Robert Mueller allege that the Russian hackers publicly released tens of thousands of stolen Democratic emails and documents using "fictitious online personas."

Mueller is investigating possible collusion between Trump's campaign and Russia.

"If the Russians wanted to exfiltrate data from the RNC and use it against Donald Trump, they would have done so," Democratic Congressman Adam Schiff said on CNN's "State of the Union" Sunday.

While Trump blamed the administration of former president Barack Obama, not Russia, after the indictments, US ambassador to Moscow Jon Huntsman said Sunday that "Russia is guilty of involvement and mischief in our election this last go-around."

He said the summit is important as the start of a dialogue, not only about election meddling but a range of issues.

- At boiling point -

Huntsman said on "Fox News Sunday" that Trump "is genuinely looking forward to sitting across the table and trying to reduce the tension in a relationship where our collective blood pressure is off-the-charts high."

The two presidents have shared personal bonhomie in the past, but beyond the alleged hacking of the US election, their countries are deeply divided on a host of other issues including Syria and Ukraine.

Before coming to Europe, Trump predicted his meeting with Putin could be the "easiest" stage of a tour that included stops in Brussels and Britain.

But he told CBS that he was going into it with "low expectations."

Trump also defended his decision to hold the meeting after opposition Democrats, and Republican Senator John McCain, said the summit should be canceled in the wake of the indictments.

"I believe it's really good. So having meetings with Russia, China, North Korea, I believe in it. Nothing bad is going to come out of it, and maybe some good will come out," the president said in broadcast excerpts. The rest of the interview will air on Monday.

Trump told CBS that "Russia is a foe in certain respects," and also named the European Union and China as "foes" economically, over trade practices for which Washington has imposed sanctions, sparking a trade war.

US National Security Adviser John Bolton said that, after the indictments, Trump "can put this on the table and say, this is a serious matter that we need to talk about."

He told ABC's "This Week" that "it's very important that the president has a direct one-on-one conversation" with Putin, and European leaders have expressed support for it.

Hacker Offers Access to Machine at International Airport for $10
18.7.2018 securityweek Hacking

The cost of RDP (Remote Desktop Protocol) access to a system located at a major international airport is only $10 on the Dark Web, McAfee has discovered.

RDP, a proprietary Microsoft protocol that provides access to remote machines through a graphical interface, was designed for administration purposes, but cybercriminals are increasingly using it as part of their arsenal of attack tools.

In fact, numerous malware families have adopted RDP over the past several years, which resulted in the technique becoming more popular than email for ransomware distribution.

SamSam, the ransomware behind multiple attacks against healthcare organizations, has adopted the technique as well. SamSam was the malware used to infect customer-facing applications and some internal services at the City of Atlanta (recovery would cost the city over $10 million).

As McAfee has discovered, it’s actually incredibly easy for cybercriminals to gain RDP access to high-value networks: they only need to access an underground market and spend an initial $10 or less, or conduct their own scans for accessible systems.

The researchers looked into several RDP shops, offering between 15 to more than 40,000 RDP connections for sale. The largest of these shops is the Ultimate Anonymity Service (UAS), a Russian business, followed by Blackpass, Flyded, and xDedic (which was first analyzed in June 2016).

On these marketplaces, cybercriminals sell RDP access to a broad range of systems, ranging from Windows XP to Windows 10, with Windows 2008 and 2012 Server being the most popular (at around 11,000 and 6,500, respectively). Prices range from $3 (for a simple configuration) to $19 (for a high-bandwidth system with admin rights).

Access to systems running Windows Embedded Standard (or Windows IOT) is also available, including hundreds of similar configurations associated with municipalities, housing associations, and healthcare institutions in the Netherlands. Multiple government systems worldwide were also being sold.

On the UAS Shop, the researchers also found a newly added Windows Server 2008 R2 Standard machine available at only $10, and they eventually discovered it was located in a major International airport in the United States.

The investigation also revealed that the system had three user accounts available, one being an administrator account, while the other two were associated with a company specializing in airport security and building automation and with another specializing in camera surveillance and video analytics for airports.

“We did not explore the full level of access of these accounts, but a compromise could offer a great foothold and lateral movement through the network using tools such as Mimikatz,” McAfee points out.

An account found on another system led the researchers to a domain that appears to be related to “the airport’s automated transit system, the passenger transport system that connects terminals.” This system too was accessible from the Internet.

“Now we know that attackers, like the SamSam group, can indeed use an RDP shop to gain access to a potential high-value ransomware victim. We found that access to a system associated with a major international airport can be bought for only $10—with no zero-day exploit, elaborate phishing campaign, or watering hole attack,” the researchers underline.

While remote access to systems might be essential for administrators, it can also become a liability if not properly secured. Furthermore, with RPD shops stockpiling addresses of vulnerable machines, cybercriminals do not need to put a lot of effort into selecting victims: they only need to make a simple online purchase.

“In addition to selling RDP, some of these shops offer a lively trade in social security numbers, credit card data, and logins to online shops. […] BlackPass offered the widest variety of products. The most prolific of these brokers provide one-stop access to all the tools used to commit fraud: RDP access into computers, social security numbers and other integral data to set up loans or open bank accounts,” McAfee said.

German Hosting Firm DomainFactory Hacked
12.7.2018 securityweek Hacking

DomainFactory, a Germany-based web hosting services provider of GoDaddy-owned Host Europe Group, informed customers late last week that their personal and financial information was exposed after a hacker gained access to some of its systems.

According to DomainFactory, one of the largest hosting firms in Germany, the breach occurred in late January, but the company only learned of the incident on July 3 after the hacker started disclosing samples of the stolen information on the DomainFactory forum.

The hack is still being investigated, but the attacker appears to have gained access to data such as customer name, company name, customer number, address, email address, phone number, DomainFactory phone password, date of birth, and bank name and account number.

The company says it has secured the point of entry used by the hacker, but has warned customers that the compromised information may be misused for financial fraud and other types of attacks.

Users have been instructed to change their passwords, including for their DomainFactory, DomainFactory phone, email, FTP, SSH and MySQL accounts.

According to German publication Heise, the hacker published a post on the DomainFactory forum on July 3 claiming to have gained access to one of the company’s customer databases. Both Heise and some of the impacted users have confirmed that the data appears to be legitimate.

The hacker has created the Twitter account “@NaHabedere” and claims to be from Austria. He told Heise that he breached DomainFactory in an effort to obtain information on a person who owes him money and decided to disclose the hack after the company failed to notify customers. The hacker apparently does not plan on selling or publishing the data he obtained.

DomainFactory has shut down its forum following the breach. Users have been advised to monitor their bank statements and report any suspicious activity to authorities.

Two More Traders Convicted in Newswire Hacking Scheme
12.7.2018 securityweek Hacking

Two more individuals, a hedge fund manager and a securities trader, have been convicted by a U.S. court for their role in a $30 million scheme that involved hacking major newswire companies.

Vitaly Korchevsky, a 53-year-old former hedge fund manager from Pennsylvania, and Vladislav Khalupsky, a 47-year-old securities trader residing in New York and Ukraine, have been convicted in a Brooklyn federal court on charges of conspiracy to commit wire fraud, conspiracy to commit securities fraud and computer intrusion, conspiracy to commit money laundering, and securities fraud. They each face up to 20 years in prison for their crimes.

The scheme involved Ukraine-based hackers breaking into the systems of Marketwired, PR Newswire and Business Wire between February 2010 and August 2015, and stealing as many as 150,000 press releases. The hackers sent the stolen press releases containing nonpublic financial information to several traders who quickly monetized it.

Korchevsky and Khalupsky are said to have traded based on nonpublic press releases issued by hundreds of companies, including Align Technology, CA Technologies, Caterpillar, HP, Home Depot, Panera Bread, and Verisign.

According to authorities, Korchevsky made more than $15 million over the course of the scheme, while Khalupsky, who traded for the criminal network and received a percentage of the profits, made at least $500,000.

“The evidence at trial also demonstrated that the defendants went to great lengths to conceal their roles in the criminal scheme,” the Justice Department said. “The conspirators used separate phones, computers and hotspots to conduct their illegal trading activity, and routinely deleted emails and/or destroyed hardware that contained evidence of their crimes. The conspirators also directed that payments received for the illegal profits they generated for the criminal network be made to offshore shell companies.”

Korchevsky and Khalupsky were among nine individuals accused of making $30 million through the newswire hacking scheme. Three of the suspects are still at large, but all the others, including a Ukrainian national responsible for hacking into the newswire firms, have been convicted or pleaded guilty.

The scheme involved many people, not just the nine individuals charged by the Justice Department. A separate civil case filed by the U.S. Securities and Exchange Commission (SEC) names 34 people who allegedly made $100 million in unlawful profits through this operation.

A tainted version of Arch Linux PDF reader package found in a user-provided AUR
12.7.2018 securityaffairs Hacking

Hackers have poisoned the Arch Linux PDF reader package named “acroread” that was found in a user-provided Arch User Repository (AUR),
Hackers have poisoned the Arch Linux PDF reader package, this means that users who have downloaded recently a PDF viewer named “acroread” may have been compromised.

ThePDF reader package has been tainted with a malware and Arch Linux has removed the user-provided AUR (Arch User Repository).

This incident raises the discussion about the installation of software from untrusted sources and the possibility that threat actors poison the supply chain.

The specific user repository had been abandoned by its maintainer leaving open the doors for a threat actor.

Someone using the handle “xeactor” modified the package by adding a downloader script that loads a malicious code hosted on a server maintained by the attackers.

The maintainer Eli Schwartz quickly reverted the commits after discovering the hack, it also suspended the account of xeactor.

“The acroread AUR package appears to have been compromised: look at https://aur.archlinux.org/cgit/aur.git/commit/?h=acroread&id= b3fec9f2f16703c2dae9e793f75ad6e0d98509bc (and in particular that curl|bash line!). Not exactly sure who to contact, but I assume someone on this list can get things sorted out.” wrote Schwartz.

“Account suspended, commit reverted using Trusted User privileges.”

Schwartz also discovered two other packages that were tainted with a similar technique, both have been removed.

The user Bennett Piater wrote in the Arch Linux mailing that he noticed a suspect script that creates ‘compromised.txt’ in the root and all home folders.”

“Looks to me like this is more of a warning than anything else, no? Why would he create those files otherwise, given how much attention that would attract?” Piater said.

for x in /root /home/*; do
if [[ -w "$x/compromised.txt" ]]; then
echo "$FULL_LOG" > "$x/compromised.txt"
fi
done
The acroread was used by attackers as a dropper and the script would set the systemd to restart on a regular basis, a circumstance confirmed by Schwartz too.

“Side note on the acroread pastes: https://ptpb.pw/~xwas executed by the PKGBUILD, which in turn executed https://ptpb.pw/~u. But the thing it installed declares an ssupload()function then tries to execute the contents of $uploader to actually upload the data collection.” wrote Schwartz.

Arch Linux PDF reader package

The good news is that the malicious software could not work.

Arch maintainer Giancarlo Razzolini tried to downplay the problem explaining the usage of AUR clearly could expose users at risk, but it is their choice.

“This would be a warning for what exactly? That orphaned packages can be adopted by anyone? That we have a big bold disclaimer on the front page of the AUR clearly stating that you should use any content at your own risk? This thread is attracting way more attention than warranted. I’m surprised that this type of silly package takeover and malware introduction doesn’t happen more often.” wrote Razzolini.

“This is why we insist users always download the PKGBUILD from the AUR, inspect it and build it themselves. Helpers that do everything automatically and users that don’t pay attention, *will* have issues. You should use helpers even more so at your risk than the AUR itself.”

Do you want penetrate an airport network? An RDP access to internal machine goes for $10 on the dark web.
12.7.2018 securityaffairs Hacking

The access to a system at a major international airport via RDP (Remote Desktop Protocol) could be paid only $10 on the Dark Web.
Experts at McAfee have discovered hackers offering RDP access to compromised machines worldwide while analyzing several black markets.

The researchers discovered shops offering between 15 to more than 40,000 RDP connections for sale, the largest one is the Russian Ultimate Anonymity Service (UAS).

The second-largest RDP shop experts researched is BlackPass, where it is possible to find the widest variety of products, including RDP access into computers.

Other RDP shops in the dark web are Flyded, and xDedic that was discovered by experts from Kaspersky in June 2016.

RDP offers Dark Web shops

Crooks are increasingly leveraging RDP connections in their attacks, many campaigns used RDP to distribute malware, such as the SamSam ransomware.

Cybercriminals also started offering in the dark web RDP accessed to high-value networks for less than $1 or scanning services for accessible systems.

Sellers in major black marketplaces offer RDP accesses to a broad range of systems, ranging from Windows XP to Windows 10. The experts noticed that Windows 2008 and 2012 Server are the most popular with 11,000 and 6,500 accesses respectively.

“The advertised systems ranged from Windows XP through Windows 10. Windows 2008 and 2012 Server were the most abundant systems, with around 11,000 and 6,500, respectively, for sale.” reads the analysis published by McAfee.

“Prices ranged from around US $3 for a simple configuration to $19 for a high-bandwidth system that offered access with administrator rights.”

Experts also found accesses to systems running Windows Embedded Standard (or Windows IOT), the offers at UAS Shop and BlackPass were characterized by hundreds of identically configured machines associated with municipalities, housing associations, and healthcare institutions in the Netherlands. The offer of black markets also includes multiple government systems worldwide.

Analyzing the UAS Shop, the researchers discovered a recently added Windows Server 2008 R2 Standard machine available at only $10 that was located in a major International airport in the United States.

The seller was offering it with three user accounts, the administrator account, and other two associated with a company specializing in airport security and building automation and with another specializing in camera surveillance and video analytics for airports.

Such kind of accesses could be very dangerous because they offer an entry point in critical infrastructure for attackers.

The surprises are not ended, the researchers found an account on another system associated with a domain that appears to be related to “the airport’s automated transit system, the passenger transport system that connects terminals.”

“Governments and organizations spend billions of dollars every year to secure the computer systems we trust. But even a state-of-the-art solution cannot provide security when the backdoor is left open or carries only a simple padlock.”

HP iLO servers running outdated firmware could be remotely hacked
11.7.2018 securityaffairs Hacking

Hewlett Packard Integrated Lights-Out 4 (HP iLO 4) servers are affected by a critical Bypass Authentication vulnerability, technical details and a PoC code have been published online.
The flaw, tracked as CVE-2017-12542, received a severity score of 9.8 out of 10 because it is very simple to exploit.

“Integrated Lights-Out, or iLO, is a proprietary embedded server management technology by Hewlett-Packard which provides out-of-band management facilities. The physical connection is an Ethernet port that can be found on most Proliant servers and microservers of the 300 and above series.” reads Wikipedia.

iLO cards allow administrators to perform a broad range of management activities in a company network, including to install firmware remotely and provide access to a remote console.

The flaw was discovered by three security researchers (Fabien Périgaud from Synacktiv, Alexandre Gazet from Airbus, and the independent security researcher Joffrey Czarny) last year and potentially expose any iLO servers exposed online at risk.

The flaw could be exploited by a remote authenticated attack to access to HP iLO consoles, extract cleartext passwords, execute malware, and even replace iLO firmware.

The experts discovered that it is possible to exploit issue by using a cURL request and 29 letter “A” characters:

curl -H "Connection: AAAAAAAAAAAAAAAAAAAAAAAAAAAAA"
In the following images, the experts demonstrate how to bypass iLO authentication, in this case how to retrieve a local user’s password in cleartext.

The good news is that HP addressed the flaw in August 2017 with the release of the iLO 4 firmware version 2.54, for this reason, system administrators need to upgrade their servers.

The flaw affects HP iLO 4 servers running firmware version prior to 2.53.

The experts presented their findings at some security conferences, including the ReCon Brussels (Slides, research paper ) and SSTIC 2018.

The PoC exploits for the flaw are available at the following URLs:

https://www.exploit-db.com/exploits/44005/
https://github.com/skelsec/CVE-2017-12542/blob/master/exploit_1.py
A Metasploit module for the flaw is available here.

GoDaddy-owned hosting company Domainfactory hacked
11.7.2018 securityaffairs Hacking

The hosting company Domainfactory has taken down its forums after hackers posted messages claiming to have breached into its infrastructure.
While I was writing about the Timehope security breach, another incident is making the headlines, the victim is the German hosting company Domainfactory.

The hosting company, that was owned by GoDaddy since 2016, has taken down its forums after hackers posted messages informing visitors that they have breached into the Domainfactory infrastructure.

DomainFactory hacked 3.jpeg
Source Heise.de

The company notified the data breach to the customers and asked them to change their passwords.

“On July 3, 2018, a person in the DomainFactory forum claimed access to DomainFactory customer data. We initiated a detailed investigation and found that customer data was accessed by an outside party without authorization. The access route is now secured.” wrote a company representative.

“We contact all customers with the recommendation to update their DomainFactory passwords. Instructions for changing your passwords can be found here:
https://www.df.eu/blog/pw/

We have notified the data protection authority and commissioned external experts with the investigation. The protection of the data of our customers is paramount and we regret the inconvenience this incident causes, very much.”

The company notified the data protection authorities and is investigating the hack with the help of external experts.

The Domainfactory staff first learned of the incident in the early evening of July 3, 2018, the security team dated the data breach as January 28, 2018.

A first investigation confirmed that unauthorized third parties could have had access to the several categories of data, including customer name, company name, customer number, address, E-mail addresses, phone number, DomainFactory phone password, date of birth, bank name and account number (eg IBAN or BIC), and Schufa score.

In response to the attack, the company secured the breached systems.

The hack was disclosed by the German media outlet Heise, that noticed the strange messages of the hackers published on the forums.

The German journalist Fabian Scherschel also posted on Twitter (in German) that he noticed a thread, before public disclosure of the incident, “in which Lauter #Domainfactory customers ask a hacker about their data because DF does not respond to their requests”

Fabian A. Scherschel
@fabsh
Ich sitze hier in nem Twitter-Thread in dem lauter #Domainfactory-Kunden einen Hacker nach ihren Daten fragen, weil DF nicht auf ihre Anfragen reagiert. Ist das jetzt schon #PostDSGVO? 😅

Hintergrund: https://heise.de/-4104495

5:16 PM - Jul 7, 2018

Datenleck bei Domainfactory: Kunden sollen Passwörter ändern
Nachdem weitere Details zum Angriff auf Domainfactory bekannt wurden, bittet der Hoster alle seine Kunden, ihre Passwörter zu ändern.

heise.de
57
29 people are talking about this
Twitter Ads info and privacy
According to the Heise, hackers exploited a variant of the Dirty Cow flaw to breach into the systems.

Gentoo Publishes Incident Report After GitHub Hack

5.7.2018 securityweek Hacking

Gentoo GitHub account hacked

Maintainers of the Gentoo Linux distribution published an incident report on Wednesday after someone hijacked one of the organization’s GitHub accounts and planted malicious code.

The attack started on June 28 and the hacker (or hackers) not only changed content in compromised repositories, but also locked out Gentoo developers from the targeted GitHub account. This made the attack “loud” – Gentoo believes the hackers could have maintained access longer had they been quieter.

GitHub could not be used by Gentoo for a total of five days as a result of the incident. The breach also led to a disruption of the Gentoo Proxy Maintainers Project as it uses GitHub to submit pull requests, and all past pull requests were disconnected from their original commits.

The attacker also attempted to wipe users’ files by adding “rm-rf” to some repositories, but Gentoo believes this method was unlikely to work due to “various technical guards.”

The GitHub account was compromised after the hacker gained access to an admin account that had a predictable password.

“Evidence collected suggests a password scheme where disclosure on one site made it easy to guess passwords for unrelated webpages,” Gentoo wrote in its incident report.

The incident report summarizes the lessons learned by Gentoo following the incident and the actions taken or planned in response. These actions include making frequent backups, requiring the use of two-factor authentication (2FA) and introducing support for hardware-based 2FA, reducing the number of users with elevated privileges, auditing logins, publishing password policies, and suggesting the use of password managers.

Gentoo is also working on an incident response plan, particularly for sharing information about a security incident with users.

The maintainers of the Linux distribution believe the breach has been contained and restored the impacted GitHub page.

Misconfigured Java web server component Jolokia expose website at cyber attacks
26.6.2018 securityaffairs Hacking

Several websites using the misconfigured Java web server component Jolokia, including those operated by financial organizations. are exposed to cyber attacks.
Websites using a misconfigured Java web server component are exposed to cyber attacks. Several high-profile websites including those operated by financial organizations were affected by issues.

The security researcher Mat Mannion discovered some flaws in Jolokia Java Management Extensions (JMX) that could result in denial of service, information disclosure and other potential attacks against Java web servers.

According to Mannion, some distributions of Jolokia, such as the WAR agent, are “insecure by default.”

“Unfortunately, in a lot of cases this doesn’t happen, and the Jolokia agent is simply deployed as
jolokia.war
or similar. If Tomcat then serves requests directly or behind a reverse proxy, this then leaves the Jolokia endpoint visible by a reliable URL. If this isn’t then secured by a firewall (or similar), the /jolokia endpoint can be left open to the whole Internet without authentication.” reads the security advisory published by Mannion.

“Tomcat (and other servlet containers) export an enormous amount of information over JMX and Jolokia allows execution of arbitrary commands against these MBeans, which can lead to sensitive information disclosure or a DoS [denial of service],”

Jolokia flaws

The expert also published a proof-of-concept exploit against an Apache Tomcat 8 servlet container, but he noticed that it could be easily used against any other webserver.

The expert scanned the Internet for misconfigured Jolokia domains and discovered many vulnerable websites, then notified them via HackerOne.

“I wrote a small program to scan the Alexa top 1 million websites and to check for an unsecured /jolokia endpoint. If found, this discloses the servlet container and version.” wrote the expert.

“For each domain, the following URLs were attempted:

http://$DOMAIN$/jolokia
http://www.$DOMAIN$/jolokia
http://$DOMAIN$:8080/jolokia
https://$DOMAIN$/jolokia
https://www.$DOMAIN$/jolokia
https://$DOMAIN$:8443/jolokia"
Out of the 1,000,000 domains, the results were:

RESULT NO. OF DOMAINS
Exploitable 147
401 2016
Other 2xx 340488
Other 4xx 205645
Timeout/error 451704
The 401 response indicates that connections to Jolokia were secured through some kind of authentication.

Fortunately, many websites addressed the issue before the expert made public its discovery.

Mannion also notified a maintainer on the Jolokia and Apache security team, below the timeline of the issue.

DATE EVENT
24th May 2018 Initial discovery, start scan
25th May 2018 Disclosure to HackerOne
26th-28th May 2018 Disclosure to affected domains, maintainer of Jolokia and Apache security team
25th June 2018 Public disclosure

According to the experts, North Korea is behind the SWIFT attacks in Latin America
24.6.2018 securityaffairs APT Hacking

SWIFT hackers continue to target banks worldwide, the last string of attacks hit financial institutions across Latin America.
According to three people with knowledge of the matter cited by Cyberscoop the attacks were carried by North Korea-linked APT groups that targeted also other banks

Recent attacks hit Mexico’s Bancomext and Chile’s Bank of Chile, in both cases the attackers used a variant of the dreaded disk wiper KilllDisk to infect the systems of the banks and steal funds through the SWIFT payment system.

“North Korea was involved in both breaches, the sources said, adding that they were tied to others that haven’t yet been disclosed.” states Cyberscoop.

“Two sources reviewed inside information about the breach investigations, which are still ongoing. Confidential technical reports about the incidents are already being shared within private information sharing groups comprised of other financial institutions.”

Investigations conducted by many security firms on past security breaches always linked North Korea to the attacks against the SWIFT systems.

At the time it is not clear attack vector, but experts believe hackers targeted the banks with spear phishing campaigns or using credentials obtained from other breaches.

Bancomtext and Bank of Chile aren’t the only victims of the hackers, the Mexican financial institution Banorte suffered a similar security breach.

North Korea-linked hackers appeared as focused on financial institutions in Latin America, Eastern Europe, and Southeast Asia.

“SWIFT doesn’t comment on the attribution of cyberattacks – that is a question for law enforcement – but we can say that the cyber threat facing the financial community is fast increasing in terms of sophistication … [we’re unaware of] evidence that SWIFT’s own network or core messaging services have ever been compromised. Rather, in each of the incidents customers first suffered security breaches within their local environments.” reads statement send by a SWIFT spokesperson via email.

Once the hackers have penetrated the organizations, they will usually exploit vulnerabilities in a banks funds’ “transfer initiation environments,” to steal credentials and make fraudulent and irrevocable transfers.

Attackers also adopted “diversionary smokescreens” by using wiper malware to make hard the attribution of the attack and the response to the incidents.

“Shared malware variants between the multiple incidents, known as”MBR Killer” and “Bootwreck/killdisk,” caused systems to wipe boot data and other forensic records. The North Korean hackers have been seen using a combination of different wipers in their attacks.” added CyberScoop.

“The group who attacked the Mexican bank used both in their attack,” said Fernando Merces, a senior threat researcher with Trend Micro, an international cybersecurity firm. “There was also an MBR Killer used in a Taiwanese bank a few years ago … The financial sector sees these attacks most frequently. The attacks have been seen globally.”

The use of the MBR Killer alone doesn’t represent an evidence of the involvement of a specific threat actor because its code was posted to a cybercrime forum and was reused by a wide range of actors.

In this case, forensic experts collected other indicators suggesting the involvement of the North Korea’s “Lazarus Group” in Latin America.

“CyberScoop obtained a confidential intelligence report, labelled “TLP: Amber,” authored May 29 by New York-based intelligence firm Flashpoint. That report further connected MBR Killer to the Chile case. The report states that this module had been “leveraged to hide the evidence of successful bank network penetrations.”” concludes CyberScoop.

Even if the attackers attempted to destroy any evidence, the analysis of TTPs allows attributing the attack to Pyongyang.

“Attackers often delete any evidence of fraudulent transactions on victim’s local system, but SWIFT can … [provide] the header data of the messages that SWIFT received from the impacted organization,” the SWIFT spokesperson added.

According to the Mexican financial media outlet, El Financiero hackers compromised Mexico’s interbank transfer system, aka “Sistema de Pagos Electrónicos Interbancarios” (SPEI), with the FALLCHILL, a RAT associated with North Korea-linked APT groups.

Ex-CIA employee Joshua Adam Schulte charged with leaking Vault 7 dumps
20.6.2018 securityaffairs Hacking

An Ex-CIA employee, Joshua Adam Schulte (29), has been charged with stealing classified national defense information and sharing Vault 7 dumps with WikiLeaks.
Yesterday, the Department of Justice announced that Schulte has been charged with 13 count indictment.

In middle May, both The New York Times and The Washington Post, revealed the name of the alleged source of the Vault 7 leak, the man who passed the secret documents to Wikileaks. According to his LinkedIn profile, Schulte worked for the NSA for five months in 2010 as a systems engineer, after this experience, he joined the CIA as a software engineer and he left the CIA in November 2016.

Schulte was identified a few days after WikiLeaks started leaking the precious dumps.

Schulte was arrested for possession of child pornography, he was charged on three counts of receipt, possession and transportation of child pornography in August 2017.

The man was released in September 2017, but in December he was arrested again for violating the conditions of his release.

“SCHULTE, 29, of New York, New York, is charged with one count each of (i) illegal gathering of national defense information, (ii) illegal transmission of lawfully possessed national defense information, (iii) illegal transmission of unlawfully possessed national defense information, (iv) unauthorized access to a computer to obtain classified information, (v) theft of Government property, (vi) unauthorized access of a computer to obtain information from a Department or Agency of the United States, (vii) causing transmission of a harmful computer program, information, code, or command, (viii) making material false statements to representatives of the FBI, (ix) obstruction of justice, (x) receipt of child pornography, (xi) possession of child pornography, (xii) transportation of child pornography, and (xiii) copyright infringement. ” reads the press release published by the DoJ.

According to the DoJ, Schulte used his access to CIA’s networks while working for the intelligence agency.

“Joshua Schulte, a former employee of the CIA, allegedly used his access at the agency to transmit classified material to an outside organization,” said Geoffrey S. Berman, US Attorney for the Southern District of New York. “During the course of this investigation, federal agents also discovered alleged child pornography in Schulte’s New York City residence. We and our law enforcement partners are committed to protecting national security information and ensuring that those trusted to handle it honor their important responsibilities. Unlawful disclosure of classified intelligence can pose a grave threat to our national security, potentially endangering the safety of Americans.”

Vault 7 dumps

Schulte always denied the accusations for being involved in Vault 7 data leak, he believes that the authorities suspected him due to the fact that he had left the CIA a few months before the beginning of the data leak.

World Cup: US Spy Warns Russians Will Hack Phones, Computers
14.6.2018 securityweek Hacking

A top US intelligence official warned football fans traveling to Russia for the World Cup that their phones and computers could be hacked by Moscow's cyber spies.

William Evanina, Director of the National Counterintelligence and Security Center, said that in Russia, even people who believe they are too unimportant to be hacked can be targeted.

"Anyone traveling to Russia to attend the World Cup should be clear-eyed about the cyber risks involved," Evanina said in a statement.

"If you're planning on taking a mobile phone, laptop, PDA, or other electronic device with you -- make no mistake -- any data on those devices (especially your personally identifiable information) may be accessed by the Russian government or cyber criminals."

Evanina, in charge of the agency that assesses and counters the threat to the Untied States from foreign espionage, said that people attending the World Cup, which begins on Thursday, should leave behind any devices they can do without.

For devices they take with them, they should remove the battery when it is not in use, he said.

"Corporate and government officials are most at risk, but don’t assume you're too insignificant to be targeted."

Hackers Can Hijack, Sink Ships: Researchers
9.6.2018 securityweek Hacking

Vulnerable ship tracker by Pen Test Partners

Insecure configurations and vulnerabilities in communications and navigation systems can allow hackers to remotely track, hijack and sink ships, according to researchers at penetration testing and cybersecurity firm Pen Test Partners.

In October 2017, Pen Test Partners presented its research into vulnerabilities affecting the satellite communications (satcom) systems used by vessels. The company has continued to analyze software and hardware used in the maritime industry and found that they are affected by serious flaws.

It has also created an interactive map that can be used to track vulnerable ships. The tracker combines data from Shodan with GPS coordinates and it can show vulnerable ships in real time. However, the company will only periodically refresh the data shown on the map in an effort to prevent abuse.

Satellite communications is the component that exposes ships to remote hacker attacks, as shown by Pen Test Partners last year and, at around the same time, by researchers at IOActive.

While there are some vulnerabilities in these systems themselves, the main issue is that many satcom terminals continue to use default credentials, allowing unauthorized users to gain admin-level access.

Many of the security holes disclosed this week by Pen Test Partners can be mitigated by setting a strong administrator password on the satcom terminal. Other serious issues discovered by researchers have been reported to Cobham, whose Fleet One terminal was used in experiments, and have not been disclosed.

According to researchers, once an attacker gains access to the terminal, they can replace the firmware due to the lack of proper validation checks or downgrade it to an older and more vulnerable version, and they can edit the web application running on the terminal. Experts also discovered poorly protected admin passwords in configuration files.

An even bigger problem, researchers warn, is that once an attacker gains access to the satcom terminal, they can move laterally to other systems. One of them is the Electronic Chart Display and Information System (ECDIS), which is used by vessels for navigation.

Since the ECDIS can be connected directly to the autopilot feature, hacking this system can allow an attacker to take control of a ship.

“We tested over 20 different ECDIS units and found all sorts of crazy security flaws. Most ran old operating systems, including one popular in the military that still runs Windows NT,” explained Pen Test Partners researcher Ken Munro.

In one case, the ECDIS had a poorly protected configuration interface that allowed an attacker to spoof the position of the GPS receiver on the ship and make the vessel “jump” to a slightly different location.

Reconfiguring the ECDIS can also allow an attacker to change the size of the targeted ship as seen by other nearby vessels via the automatic identification system (AIS) tracker.

“So, simply spoof the ECDIS using the vulnerable config interface, ‘grow’ the ship and ‘jump’ it in to the shipping lanes,” Munro explained. “Other ships’ AIS will alert the ship’s captain to a collision scenario. It would be a brave captain indeed to continue down a busy, narrow shipping lane whilst the collision alarms are sounding. Block the English Channel and you may start to affect our supply chain.”

Another attack scenario described by Pen Test Partners targets the operational technology (OT) systems on board a ship. These systems are used to control steering, engines, ballast pumps and other components, and they communicate via the NMEA 0183 protocol.

Since messages sent over NMEA 0183 don’t use any authentication, encryption or validation, a man-in-the-middle (MitM) attacker can modify the data and, for example, inject small errors that would cause the ship to alter its course when autopilot is engaged, researchers warn.

“The advent of always-on satellite connections has exposed shipping to hacking attacks. Vessel owners and operators need to address these issues quickly, or more shipping security incidents will occur. What we’ve only seen in the movies will quickly become reality,” Munro concluded.

26 Million Users Hit by Ticketfly Hack
6.6.2018 securityweek Hacking

Ticketfly, the ticket distribution service owned by Eventbrite, has started restoring services after its website was defaced by a hacker who also gained access to user information.

The attack took place on or around May 30, when a hacker decided to exploit a vulnerability he had found in Ticketfly systems. The attacker, using the online moniker “IsHaKdZ,” reportedly asked the company to pay 1 bitcoin for information on the security hole. Since Ticketfly did not comply with his request, IsHaKdZ defaced ticketfly.com and the websites of several music venues.

The hacker also stole and leaked the details of Ticketfly customers and employees. Troy Hunt, the owner of the Have I Been Pwned data breach notification service, has analyzed the data and determined that over 26 million unique users are impacted. The compromised data includes email addresses, names, physical addresses and phone numbers.

The hack appears to have targeted Ticketfly’s WordPress-based assets. WordPress is also used for Ticketfly-powered websites provided to music venues, which would explain how the hacker managed to deface several sites.

Ticketfly hacked

Ticketfly says it has started restoring some of the affected services, including Box Office, Emailer, reporting, scanning, printing, and ticket purchasing systems.

“We’re rolling out a secure website solution as an alternative to your Ticketfly-powered site to meet your immediate needs. We’ve built a secure, non-WordPress based website solution with your existing domain, and your site will appear sometime today,” the company told customers in an updated FAQ.

The company has not shared too many details on the impact of the breach, but it has confirmed that names, addresses, email addresses, and phone numbers belonging to Ticketfly fans have been compromised.

“Our investigation into the incident is ongoing. It's critical that the information we share with you is accurate and backed by certainty. We are working with a team of forensic cybersecurity experts; the reality is cyber incidents are unique, and the investigations typically take more time than one would like because the full picture of what happened isn't always quick to develop,” Ticketfly said.

Visa payments DOWN: Millions affected by a service disruption
2.6.2018 securityweek Hacking

The Visa card payment system is suffering a widespread outage across Europe, millions of users were unable to make payments using their cards.
Shoppers and travelers were unable to make payments with their cards since at around 2.30pm on Friday across Europe.

At the time of writing, Visa confirmed the widespread problems but did not provide any details on the cause.

VISA

Visa and major banks informed their customers also through social media, while major retailers confirmed that users were not able to pay with their cards.

The problems suffered by Visa Payments are currently affecting also MasterCard and Amex because the two services were rerouting some transactions via Visa’s IT network.

Visa UK
✔
@VisaUK
We are currently experiencing a service disruption which is preventing some Visa transactions in Europe from being processed. We are investigating the cause and working as quickly as possible to resolve the situation. We will keep you updated.

6:49 PM - Jun 1, 2018
162
476 people are talking about this
Twitter Ads info and privacy

Bank of Ireland
✔
@bankofireland
We are aware some customers are experiencing Visa debit card issues. This is impacting multiple banks across Europe. We will update when we know more. Cash withdrawals can be made at any BOI ATM.

5:19 PM - Jun 1, 2018
10
19 people are talking about this
Twitter Ads info and privacy
“We are unable to accept Visa card payments currently. No retailers are able to accept Visa cards.” said Marks & Spencer.

Ticketfly website was compromised, the hacker also stole customers’ data
2.6.2018 securityweek Hacking

The website of the events ticketing company Ticketfly was shut down after a hacker who calls himself “IsHaKdZ” compromised it.
The hacker defaced the Ticketfly website with a picture of Guy Fawkes and a warning that read “Your Security Down im Not Sorry.” The attacker also published a yandex.com email account along with the following message:

“Ticketfly HacKeD By IsHaKdZ. Your Security Down im Not Sorry. Next time I will publish database ‘backstage’ (sic).”

The hacker also warned administrators that it has access to a database titled “backstage,” he shared links to files containing customer and client information, including names, physical addresses, phone numbers and email addresses.

Ticketfly hacked

Ticketfly, which is owned by Eventbrite, has taken down the site in response to the incident and posted a data breach notification.

“We are currently investigating a cybersecurity incident targeting Ticketfly.com that has resulted in the compromise of some client and customer information. After learning of the incident, we immediately launched an investigation, and out of an abundance of caution, we took the site down while we work to address the issue.” reads the data breach notification published by the company,

“Out of an abundance of caution, we have taken all Ticketfly systems temporarily offline as we continue to look into the issue. We are working to bring our systems back online as soon as possible,”

Troy Hunt
✔
@troyhunt
Seeing a lot of tweets about a breach at @ticketfly right now: https://twitter.com/search?q=ticketfly&src=typd …

6:38 AM - May 31, 2018
18
See Troy Hunt's other Tweets
Twitter Ads info and privacy
Everyone has purchased tickets via the Ticketfly platform will have to print them out and bring a photo ID to the venue hosting the event. Tiketfly provides printed guest lists to the venue.

People who have tickets purchased by other people may need to show the original payment card used to buy the ticket, a copy of the original buyer’s ID, and an authorization note from the original buyer.

Motherboard has spoken with the hacker who confirmed that initially attempted to contact the company to report a vulnerability in the website but without success. He asked for the payment of 1 bitcoin di disclose the issue, but without receiving reply he decided to exploit the flaw.

Motherboard confirmed the authenticity at least some of the records stored in the files leaked by the hacker.

“In an email conversation with Motherboard, the hacker claimed to have warned Ticketfly of a vulnerability that allowed him to take control of “all database” for Ticketfly and its website.” wrote Lorenzo Bicchierai on Motherboard. “The hacker said they asked for 1 bitcoin to share the details of the vulnerability but did not get a reply. The hacker shared what appears to be two emails between him and a series of Ticketfly employees in which the hacker mentions the vulnerability.”

The company confirmed that is still investigating the issue in order to determine the extent of the security breach.

“Our investigation into the incident is ongoing. We’re putting all of our resources to confirm the extent of the unauthorized access. We’re committed to communicating with all customers once we have more information about the scope of the issue,” Ticketfly told customers.” continues the notification.

The Cobalt Hacking crew is still active even after the arrest of its leader
29.5.2018 securityaffairs Hacking

Group-IB has released a new report on Cobalt group’s attacks against banks and financial sector organizations worldwide after the arrest of its leader.
Threat intelligence firm Group-IB published an interesting report titiled “Cobalt: Evolution and Joint Operations” on the joint operations of Cobalt and Anunak (Carbanak) groups after the arrest of the leader in March 2018.

Researchers reported that the most recent campaign associated with Cobalt group is dated May 23, 2018 and aimed at banks in Russia and CIS countries.

The analysis of the content of the spear phishing messages suggest attackers are also targeting western financial organizations.

Interestingly, the spear-phishing messages sent by the hackers were disguised as fake Kaspersky security alerts.

“The first wave of the phishing campaign was tracked on May 23 at 13:21 Moscow time. For the first time in Cobalt’s practice, phishing emails were sent acting as a major anti-virus vendor.” reads the press release issued by Group-IB.

“The user received a “complaint” in English that activity was recorded from their computer that violated existing legislation. The recipient was asked to read the attached letter and provide detailed explanations. If the response was not received within 48 hours, the “anti-virus company” threatened to impose sanctions on the recipient’s web resources. In order to download the letter, the user was asked to follow the link, which would then infect the Bank employee’s computer.”

Cobalt attack

Group-IB attributed the attack to Cobalt due to the involvement of Coblnt Trojan, a malware exclusively observed in campaigns of the threat actor.

The phishing emails were sent the domain “kaspersky-corporate.comthat was registered by the same person that registered other domains used by the Cobalt group for its campaigns.

Experts highlighted the high quality of phishing messages, the text in perfect English and it is stylized as a “legal complaint”, while the fake website kaspersky-corporate.com also has a high level of quality. This quality suggests a possible collaboration of Cobalt with other criminal gangs like Anunak.

The report also analyzed past the attacks aimed at SWIFT system, researchers concluded that the advanced understanding of banking technology and money laundering capabilities was the result of a collaboration with other threat actors.

“Following the 2016 SWIFT incidents, attacks involving interbank transfer systems ceased and Cobalt switched focus to other critical systems in banks such as ATMs. This was followed by Card Processing attacks which provide a safer withdraw process for Money Mules.” continues the report.

“Cobalt’s first major attack was against First Bank in Taiwan where attackers managed to steal over $2 million dollars. Following this, Cobalt was then successful in targeting the card processing systems at a bank in Kazakhstan taking over two months to prepare their attack and successfully steal $600,000 through card processing. These attacks were then perfected and intensified in 2017 across tens of incidents.”

The Cobalt group has also conducted ‘supply chain’ attacks like the one powered in February 2017 against a system integrator to later hit organizations in Russia and former CIS countries. In 2017 Cobalt infiltrated at least other four system integrators.

Cobalt’s attacks also hit non-typical targets like the one that in March 2017 hit a company providing electronic wallets and payment terminals.

Cobalt group always modified its tools across the years, it also used a modified version of Petya Ransomware to erase evidence of the attack after a failed attempt to steal from their ATM systems.

“Cobalt is still active: its members continue attacks on financial organizations and other companies worldwide,” comments Dmitry Volkov, Group-IB CTO. “We have technical proof of collaboration between Cobalt and Carbanak. In order to enable business and market regulators to take preventative measures against these criminals, we provide our customers indicators to protect them from phishing, identify the infrastructure and methods still used by these criminals.”

Hackers defaced screens at Mashhad airport in Iran protesting the government
28.5.2018 securityaffairs Hacking

On Thursday 24th May, hackers defaced the screens at the Mashhad airport in Iran to protest ùthe Government and the military’s activities in the Middle East.
On Thursday 24th May, hackers defaced the screens at the airport in Mashhad city in Iran. The anonymous group of hackers defaced the screens that were displaying anti-government messages, they also protest the military’s activities in the Middle East.

“Social media reports from Mashhad posted pictures of defaced arrival and departure monitors at the city’s airport showing a statement protesting against Iran’s military presence in the Middle East.” reads a blog post published by Radio Farda.

“Hackers protested to “wasting Iranians lives and financial resources in Gaza, Lebanon and Syria by the Islamic Revolution Guards Corps (IRGC),” according to a statement on the boards.”

The messages were in the Persian language, the hackers accuse the Iranian government of wasting Iranian lives and resources in Lebanon, Syria, and Gaza.

“Wasting Iranians lives and financial resources in Gaza, Lebanon, and Syria by the Islamic Revolution Guards Corps (IRGC),” said the deface message appeared on the screens at the airport.

Hackers defaced screens at Mashhad airport in Iran protesting against the government

According to Radio Farda, a group named Tapandegan (Palpitaters) expressed support for the people of the city of Kazeroon in Fars Province that have been demonstrating against the government for months.

The group of hackers also took control of the email account of the Mashhad airport civil aviation head, Mohsen Eidizadeh and used it to spread the news of the hack.

The hackers also asked people at the airport to share pictures of defaced screens and post them on social media platforms using the hashtag “#Protests_alloverthecountry, #اعتراضات_سراسری” as result, hundreds of Iranians posted the images on Twitter.

View image on TwitterView image on TwitterView image on Twitter

M. Hanif Jazayeri
@HanifJazayeri
Hackers take control of monitors at Iran's Mashhad Airport displaying signs in support of #IranProtests. The signs reads "How much longer?" and carry the Farsi hashtag calling for nationwide protests. #اعتراضات_سراسری#FreeIran2018 #IranRegimeChange (May 24, 2018)

12:36 PM - May 25, 2018
488
396 people are talking about this
Twitter Ads info and privacy
Since December 2017, the city of Mashhad is the theatre of heated protests against the government and the unsustainable prices in the country.

The massive anti-government demonstrations later spread to over 100 other Iranian cities.

A bug in T-Mobile site allowed anyone see any customer’s account details
27.5.2018 securityaffairs Incindent Hacking

A flaw in T-Mobile’s website allowed anyone to access the personal account details of any customer by providing their mobile number.
The bug discovered by the researcher Ryan Stevenson resides in the T-Mobile subdomain promotool.t-mobile.com used by the staff as a customer care portal to access the company’s internal tools.

The promotool.t-mobile.com subdomain contained a hidden API that would return customer data simply by invoking it with the customer’s cell phone number as a parameter.

The data leak was caused by the lack of any authentication mechanism for calling the API, in this way anyone could have had access to any customer record including full name, postal address, billing account number, and in some cases information about tax identification numbers.

The exposed records also included references to account PINs used by customers as a security question when they contact the customer case, this means that an attacker could use that information to impersonate a customer and take over its account.

“Although the API is understood to be used by T-Mobile staff to look up account details, it wasn’t protected with a password and could be easily used by anyone.” reported ZDnet.

“The returned data included a customer’s full name, postal address, billing account number, and in some cases information about tax identification numbers. The data also included customers’ account information, such as if a bill is past-due or if the customer had their service suspended.”

t-mobile-data leak

Searching for the portal on the Wayback Machine we can verify that the subdomain is online at least since October.

Stevenson reported the flaw to the telco giant in early April, the company quickly disabled the API and awarded the researcher of $1,000 under its bug bounty program.

“The bug bounty program exists so that researchers can alert us to vulnerabilities, which is what happened here, and we support this type of responsible and coordinated disclosure.” said T-Mobile spokesperson.

“The bug was patched as soon as possible and we have no evidence that any customer information was accessed,” the spokesperson added.

This isn’t the first time that T-Mobile discovered such kind of issues, in October Motherboard reported another API accessible from a different T-Mobile subdomain.

In February, Motherboard journalist Lorenzo Franceschi-Bicchierai published an interesting post on SIM hijacking reporting that T-Mobile customers were victims of an info disclosure exploit.

Experts warn: it is too easy to steal WiFi access key from TalkTalk ‘s Super Routers
24.5.2018 securityaffairs Hacking

Home Wi-Fi networks in the UK using Super Router provided by TalkTalk ISP are affected by a vulnerability that exposes them to cyber attacks.
Security researchers at software house IndigoFuzz have discovered a security flaw in the implementation of the WPS feature of the TalkTalk Super Router that can be exploited to compromise to steal the gateway’s wireless network password and take over them.

Experts reported the issue to TalkTalk ISP back in 2014, but currently the vulnerability is still present.

The routers implement a WPS pairing option that is turned on by default, but due to the security issues affecting WPS protocol an attacker within range can easily extract the Wi-Fi password of the device by using hacking tools available online.

“The vulnerability discovered allows the attacker to discover the Super Router’s WiFi Password by attacking the WPS feature in the router which is always switched on, even if the WPS pairing button is not used.” reads the blog post published by Indigofuzz.

According to IndigoFuzz’s advisory on Monday, the routers provide a WPS pairing option that is always turned on. Because that WPS connection is insecure, an attacker within range can exploit it using readily available hacking tools (i.e. Software ‘Dumpper’ available on Sourceforge (Tested with v.91.2)), and thus extract the router’s Wi-Fi password.

Attackers just need to be in the range of a TalkTalk Super Router, then probe it for the Wi-Fi password exploiting the insecure WPS feature and gain the gateway’s password.

Below the procedure described by the experts to compromise a network using the TalkTalk Super Router and obtain the WiFi access key.

Step 1: Run Dumpper and navigate to the WPS tab and select the target WiFi BSSID.
Step 2: Click ‘WpsWin’ to begin probing the BSSID for the WPS pin.
Step 3: After a couple of seconds, the WiFi access key to this network will be displayed bottom right.
talktalk Super Router 3

The experts explained that this attack is scalable to a broad range of TalkTalk Super Routers.

“This method has proven successful on multiple TalkTalk Super Routers belonging to consenting parties which is enough to suggest that this vulnerability affects all TalkTalk Super Routers of this particular model/version,” concluded the IndigoFuzz experts.

“TalkTalk have been notified of this vulnerability in the past and have failed to patch it many years later.”

Below the Timeline shared by the experts:

21 May 2018 Delivered to TalkTalk.
21 May 2018 Date of public release.
IndigoFuzz decided to immediately publicly disclose the issue because TalkTalk hasn’t taken any action since its first reports in 2014.

“The purpose of this article is to encourage TalkTalk to immediately patch this vulnerability in order to protect their customers,” concluded the experts.

Misconfigured CalAmp server allowed hacker to take over a lot of vehicles
20.5.2018 securityaffairs Hacking

Security researchers discovered that a misconfigured server operated by the CalAmp company could allow anyone to access account data and takeover the associated vehicle.
CalAmp is a company that provides backend services for several well-known systems.

Security researchers Vangelis Stykas and George Lavdanis discovered that a misconfigured server operated by the CalAmp company could allow anyone to access account data and takeover the associated vehicle.

The experts were searching for security vulnerabilities in the Viper SmartStart system, a device that allows users to remotely start, lock, unlock, or locate their vehicles directly using a mobile app on their smartphones.

As with many other mobile applications, it used secure connections with SSL and Certificate Pinning (Hard-code in the client the certificate is known to be used by the server) to automatically reject a connection from sites that offer bogus SSL certificates.

The experts noticed that the app was connecting to mysmartstart.com domain and also to the third party domain (https://colt.calamp-ts.com/), it is the Calamp.com Lender Outlook service.

The experts discovered that using the credentials for the user created from the viper app it was possible to login the panel.

“This panel seemed to be the frontend for Calamp.com Lender Outlook service. We tried our user created from the viper app, to login and it worked!” reads the blog post published by Stykas.

“This was a different panel which seemed to be targeted to the companies that have multiple sub-accounts and a lot of vehicles so that they can manage them.”

CalAmp car hacking.png

Further tests allowed the researchers to verify that the portal was secured, but during the assessment, the experts discovered that the reports were delivered by another dedicated server running tibco jasperreports software.

This was the first time the experts analyzed this type of server, they had to improvise and after removing all parameters they discovered they were logged in as a user with limited rights but with access to a lot of reports.

“None of us were familiar with that so we had to improvise. Removing all the parameters we found out that we were already logged in with a limited user that had access to A LOT of reports.” continues the report.

“We had to run all those reports for our vehicles right? Well the ids for the user was passed automatically from the frontend but now we had to provide them from the panel as an input.And…well..we could provide any number we wanted.”

The researchers gained access to all the reports for all the vehicles (including location history), and also data sources with usernames (the passwords were masked and there was no possibility to export them).

The server also allowed for the copying and editing any existing reports.

“We could not create a report or an adhoc or pretty much anything else, but we could copy paste existing ones and edit them so we can do pretty much anything.We could also edit the report and add arbitrary XSS to steal information but this was not something that we (or anyone in their right lawful mind) would want to do.” continues the report.

The availability of all production databases on the server, including CalAmp connect device outlook, was exploited by the researchers to take over a user account via the mobile application. If the attacker knows the older password for the account can simply walk to the car, unlock it, start the engine, and possibly steal the vehicle.

According to the experts the exploitation of the flaw could allow:

Well the very obvious just change the user password to a known one go to the car, unlock, start and leave.
Get all the reports of where everyone was
Stop the engine while someone was driving ?
Start the engine when you shouldn’t.
Get all the users and leak.
As we haven’t actually seen the hardware we might be able to pass can bus messages though the app ?
Get all the IoT devices from connect database or reset a password there and start poking around.
Really the possibilities are endless…
The experts reported the issue to CalAmp at the beginning of May 2018, and the company addressed the flaw in ten days.

Mexican central bank confirmed that SWIFT hackers stole millions of dollars from Mexican Banks
17.5.2018 securityaffairs Hacking

The head of the Mexican central bank, Alejandro Diaz de Leon announced this week that hackers were involved in shadowy transfers of between $18 million and $20 million.
Mexican central bank is the last victim of the SWIFT hackers, officials at the bank confirmed this week that hackers hit the payments system and stole millions of dollars from domestic banks.

The attack was discovered in late April and presents many similarities with past attacks against the SWIFT systems.

The Mexican central bank did not disclose the name of the banks that were hit by the cyber attack and did not detail the overall amount of money that crooks have stolen.

According to Alejandro Diaz de Leon, head of Mexico’s central bank, crooks were able to complete illicit transactions of $18 million to $20 million.

“Central bank Governor Alejandro Diaz de Leon said on Monday that the country had seen an unprecedented attack on payment system connections and that he hoped that measures being taken would stop future incidents.” reported the Reuters.

“A source close to the government’s investigation said more than 300 million had been siphoned out of banks, but it was not clear how much had subsequently been taken out in cash withdrawals.”

Mexican central bank cyberheist

According to reports, Mexico’s central following the latest cyber attacks has created a cybersecurity division, and it has instituted a one-day waiting period on electronic funds transfers of more than $2,500.

“Perhaps, some financial institutions perceived the attacks in Bangladesh as something very distant,” said Alejandro Diaz de Leon who believes that some Mexican banks may not have invested in sufficient security measures.

“But criminals look for vulnerability and once they see it they are going to exploit it.”

Mexican depositors won’t be affected, but the overall losses for the local banks could be greater than initially thought.

Hackers Divert Funds From Mexico Banks, Amount Unclear: Official
16.5.2018 securityweek Hacking

Hackers have stolen an unknown amount of money from banks in Mexico in a series of cyber attacks on the country's interbank payments system, an official said Monday.

At least five attacks on the Mexican central bank's Interbank Electronic Payments System (SPEI) were carried out in April and May, said Lorenza Martinez, director general of the corporate payments and services system at the central bank.

"Some transactions were introduced that were not recognized by the issuing bank," she told Radio Centro.

"In some cases these transfers made it through to the destination bank and were withdrawn in cash."

She declined to reveal which banks were targeted.

Some Mexican media outlets have put the amount stolen at 400 million pesos ($20.4 million), but Martinez denied those reports.

"The amount is currently being analyzed. Some of the transfers were stopped, and the funds are currently being returned," she said.

She said the money stolen belonged to the banks themselves and that clients' funds were never affected.

The interbank payments system allows banks to make real-time transfers to each other.

They connect via their own computer systems or an external provider -- the point where the attacks appear to have taken place, Martinez said.

After the attacks were detected, banks switched to a slower but more secure method.

No new attacks have been registered since.

Hackers Divert Funds From Mexico Banks, Amount Unclear: Official
14.5.2018 securityweek Hacking

Hackers have stolen an unknown amount of money from banks in Mexico in a series of cyber attacks on the country's interbank payments system, an official said Monday.

"Some transactions were introduced that were not recognized by the issuing bank," she told Radio Centro.

"In some cases these transfers made it through to the destination bank and were withdrawn in cash."

She declined to reveal which banks were targeted.

Some Mexican media outlets have put the amount stolen at 400 million pesos ($20.4 million), but Martinez denied those reports.

"The amount is currently being analyzed. Some of the transfers were stopped, and the funds are currently being returned," she said.

She said the money stolen belonged to the banks themselves and that clients' funds were never affected.

The interbank payments system allows banks to make real-time transfers to each other.

They connect via their own computer systems or an external provider -- the point where the attacks appear to have taken place, Martinez said.

After the attacks were detected, banks switched to a slower but more secure method.

No new attacks have been registered since.

Mining passwords from dozens of public Trello boards
11.5.2018 securityaffairs Hacking

Trello, when an error in the publishing strategy is able to put at risk the private data of a huge community of unaware users.
A “Security enthusiastic” found a vulnerability in the Trello web management and now with a simple dork is possible to query to mine passwords from dozens of public Trello boards.

trello 2

Our story begins form @Trello Twitter account where we read:

“Trusted by millions, Trello is the visual collaboration tool that creates a shared perspective on any project.” Yes, “trusted by millions”: but those millions probably didn’t understand the meaning “Public” of the Trello Boards, which they used as “Private” space while they are not.

In fact now, even trusting Trello, millions of users risk having their personal data exposed – including credential, private information, reserved information of their projects. In fact, they are now, while we are writing, having they sensitive data exposed on the Internet, thanks to a dork that can be easily used with Google.

The author of the discovery is Kushagra Pathak who talks about him as a Cyber-security enthusiast in his Twitter profile @xKushagra and has reported this incredible research written in his truly amazing blog post.

A few days ago, as he says, while researching a Bug Bounty program for Jiira with a simple dork like this:

trello 3

has, inputting “trello.com” in the [company_name] place, made an amazing discovery: Google query returns Trello Boards where are published every kind of information.

Giving a better look at the results he “found that a lot of individuals and companies are putting their sensitive information on their public Trello Boards.”. Yes, it’ amazing but happened: what kind of information they have put on the Trello Boards? “Information like unfixed bugs and security vulnerabilities, the credentials of their social media accounts, email accounts, server and admin dashboards”, all this has been indexed by all the search engines so they can easily find them. He twitted this
trello 3

Kushagra Pathak
@xKushagra
#bugbountytip #osint: Search for public Trello boards of companies, to find login credentials, API keys, etc. or if you aren't lucky enough, then you may find companies' Team Boards sometimes with tasks to fix security vulnerabilities

11:30 AM - Apr 25, 2018
178
83 people are talking about this
Twitter Ads info and privacy
So digging in the details he “went on to modify the search query to focus on Trello Boards containing the passwords for Gmail accounts.”

With this simple dork the result was really incredible:

Many passwords in clear were repowered by Google as shown in the following figure.

So Trello Boars have been under a huge misunderstanding: they were “Public” borders not Private ones, but their users didn’t know it, or they didn’t consider it.

Then some user used the public Trello Boards as “as a fancy public password manager for their organization’s credentials.”, as Kushagra Pathak writes.

Then every kind of the search is then possible: by email (AoL, Yahoo, Mail.com) by protocol (SSH, FTP), everything is possible to search even business emails, social media accounts, website analytics, Stripe, AdWords accounts.

At this point, I have contributed to spread the info around the world.

Odisseus
@_odisseus
#Trello is an online tool for managing projects and personal tasks and with a dork is possible to exfiltrate business emails, Jira credentials, and sensitive internal information of Bug Bounty Programs.
Via @xKushagra https://medium.freecodecamp.org/discovering-the-hidden-mine-of-credentials-and-sensitive-information-8e5ccfef2724 …

9:18 AM - May 11, 2018
132
109 people are talking about this
Twitter Ads info and privacy
Kushagra Pathak has also discovered almost than 25 Companies were leaking very sensitive information and, as a proven Ethical Hacker, he reported quickly the Trello vulnerability to them, facing a very tedious and challenging task.

The only ironic side of this story is that to find the right person or the right contact mail it has been easy: they were all on the Trello Boards.

There is a less ironic thing: what about the Bug Bounty? Our hero, who discovered this vulnerable, has found among the exposed companies one company running a Bug Bounty Program, but he hasn’t be rewarded at all: “Unfortunately, they didn’t reward me because it was an issue for which they currently don’t pay”, he said.

A Simple Tool Released to Protect Dasan GPON Routers from Remote Hacking
11.5.2018 thehackernews Hacking

Since hackers have started exploiting two recently disclosed unpatched critical vulnerabilities found in GPON home routers, security researchers have now released an unofficial patch to help millions of affected users left vulnerable by their device manufacturer.
Last week, researchers at vpnMentor disclosed details of—an authentication bypass (CVE-2018-10561) and a root-remote code execution vulnerability (CVE-2018-10562)—in many models of Gigabit-capable Passive Optical Network (GPON) routers manufacturer by South Korea-based DASAN Zhone Solutions.
If exploited, the first vulnerability lets an attacker easily bypass the login authentication page just by appending ?images/ to the URL in the browser's address bar.
However, when coupled with the second flaw that allows command injection, unauthenticated attackers can remotely execute malicious commands on the affected device and modified DNS settings, eventually allowing them to take full control of the device remotely.
Shortly after the details of the vulnerabilities went public, security researchers at Chinese IT security firm Qihoo 360 Netlab found that threat actors have started exploiting both the flaws to add the vulnerable routers into their botnet malware networks.

Moreover, a working proof-of-concept (PoC) exploit, written in python, for GPON router vulnerabilities has already been released on GitHub by an independent security researcher, eventually making exploitation easier for even unskilled hackers.
The researchers even published a video demonstration showing how the attack works.
Here's How to Secure Your GPON Wi-Fi Router

Researchers at vpnMentor already reported the issues to Dasan, but the company has not yet released any fix for the issue, and the researchers believe that the patch is not in development either.
What's worse? At the time of writing, almost a million vulnerable GPON routers are still exposed on the Internet and can be easily hijacked.
However, even if there is no official patch available, users can protect their devices by disabling remote administration and using a firewall to prevent outside access from the public Internet.
Making these changes to your vulnerable router would restrict access to the local network only, within the range of your Wi-Fi network, effectively reducing the attack surface by eliminating remote attackers.
If you are unsure about these settings, vpnMentor has done this job for you by providing an online "user-friendly" solution that automatically modifies your router settings on your behalf, keeping you away from remote attacks.
"It was created to help mitigate the vulnerabilities until an official patch is released," the researchers said. "This tool disables the web server in a way that is not easy to reverse, it can be done with another patch script, but if you are not comfortable with the command line we suggest firewalling your device until an official patch is released."
To use this tool, all you need open this web page, and scroll down to the input form asking for the IP address of your exposed GPON router (local LAN address, not WAN), a new password for SSH/Telnet on your router.
In a separate tab open your router's web interface using https in the URL and then press "Run Patch" on the vpnMentor to continue and apply changes.
You can apply the patch to secure your devices, but it should be noted that it is not an official patch from the manufacturer and we do not encourage users to run any third-party scripts or patches on their devices.
So, users should either wait for official fixes or apply changes manually, when possible.

Hackers Found Using A New Way to Bypass Microsoft Office 365 Safe Links
11.5.2018 thehackernews Hacking
Security researchers revealed a way around that some hacking groups have been found using in the wild to bypass a security feature of Microsoft Office 365, which is originally designed to protect users from malware and phishing attacks.
Dubbed Safe Links, the feature has been included in Office 365 software as part of Microsoft's Advanced Threat Protection (ATP) solution that works by replacing all URLs in an incoming email with Microsoft-owned secure URLs.
So, every time a user clicks on a link provided in an email, it first sends the user to a Microsoft owned domain, where the company immediately checks the original URL for anything suspicious. If Microsoft's scanners detect any malicious element, it then warns users about it, and if not, it redirects the user to the original link.

However, researchers at cloud security company Avanan have revealed how attackers have been bypassing the Safe Links feature by using a technique called, "baseStriker attack."
BaseStriker attack involves using the <base> tag in the header of an HTML email—which is used to defines a default base URI, or URL, for relative links in a document or web page.
In other words, if the <base> URL is defined, then all subsequent relative links will use that URL as a starting point.

As shown in the above screenshot, the researchers compared HTML code of a traditional phishing email with the one that uses a <base> tag to split up the malicious link in a way that Safe Links fails to identify and replace the partial hyperlink, eventually redirecting victims to the phishing site, when clicked.
Researchers have even provided a video demonstration, which shows the baseStriker attack in action.
The researchers tested the baseStriker attack against several configurations and found that "anyone using Office 365 in any configuration is vulnerable," be it web-based client, mobile app or desktop application of OutLook.

Proofpoint is also found vulnerable to the baseStriker attack. However, Gmail users and those protecting their Office 365 with Mimecast are not impacted by this issue.
So far, researchers have only seen hackers using the baseStriker attack to send phishing emails, but they believe the attack can be leveraged to distribute ransomware, malware and other malicious software.

Avanan reported the issue to both Microsoft and Proofpoint earlier last weekend, but there is no patch available to fix the problem at the time of writing.

Tech giant Telstra warns cloud customers they’re at risk of hack due to a SNAFU
11.5.2018 securityaffairs Hacking

On May 4th Tech giant Telstra discovered a vulnerability in its service that could potentially expose customers of its cloud who run self-managed resources.
Telstra is a leading provider of mobile phones, mobile devices, home phones and broadband internet. On May 4th, the company has discovered a vulnerability in its service that could potentially expose users of its cloud who run self-managed resources.

Telstra told its users that their “internet facing servers are potentially vulnerable to malware or other malicious activity,” the experts from the company urge to “delete or disable” the “TOPS or TIRC account (privileged administrator accounts) on self-managed servers”.

Telstra managed resources

The company sent to users of self-managed servers a letter and advised customers of Telstra-managed servers that they’re in the clear.

“We’ve also taken steps to access your account and remove the TOPS or TIRC accounts to minimise the risk on your behalf,” reads the advisory issued by the company.

“We’re still encouraging you to check your account settings and remove/disable any unused accounts as we can’t confirm at this stage if we’ll be successful updating the accounts from our end.”

Experts speculate that TOPS and TIRC Telstra accounts are using default passwords, attackers can easily use them to access them.

“Our customers’ security is our number one priority. We identified a weakness, moved quickly to address it and worked closely with our customers to ensure the necessary steps were taken to fully secure their systems.” a Telstra spokesperson told El Reg.

At the time of writing, there are no info on the origin of the security issue.

Are you using Python module ‘SSH Decorator’? Newer versions include a backdoor
9.5.2018 securityaffairs Hacking

A backdoor was discovered in the Python module named SSH Decorator (ssh-decorate), that was developed by Israeli developer Uri Goren.
Are you using the Python module ‘SSH Decorator’? You need to check the version number, because newer versions include a backdoor.

The library was developed to handle SSH connections from Python code.

Early this week, a developer noticed that multiple backdoored versions of the SSH Decorate module, the malicious code included in the library allowed to collect users’ SSH credentials and sent the data to a remote server controlled by the attackers.

The remote server that received stolen data is accessible at the following address:

SSH Decorator Python SSH Backdoor 1

SSH Decorator Python SSH Backdoor 2

The following images were shared bleepingcomputer.com that first reported the news.

SSH Decorator Python SSH Backdoor 1 SSH Decorator Python SSH Backdoor 2

The Israeli developer Uri Goren, once notified to the problem, confirmed that backdoor was added by attackers.

Initially, the developer has updated the password for the PyPI Python central repo hub and published a sanitized version of the package.

“I have updated my PyPI password, and reposted the package under a new name ssh-decorator,” he said.

“I have also updated the readme of the repository, to make sure my users are also aware of this incident.”

“It has been brought to our attention, that previous versions of this module had been hijacked and uploaded to PyPi unlawfully. Make sure you look at the code of this package (or any other package that asks for your credentials) prior to using it.” reads the README file.

The presence of the backdoor in the SSH Decorator module alerted many users on Reddit, many of them accused Goren that for this reason decided to take down the package from both GitHub and PyPI — the Python central repo hub.

Developers that use the SH Decorator (ssh-decorate) module need to use the last safe version was 0.27, later version 0.28 through 0.31 were compromised.

Nintendo Switches Hacked to Run Linux—Unpatchable Exploit Released
9.5.2018 thehackernews Hacking

Two separate teams of security researchers have published working proof-of-concept exploits for an unpatchable vulnerability in Nvidia's Tegra line of embedded processors that comes on all currently available Nintendo Switch consoles.
Dubbed Fusée Gelée and ShofEL2, the exploits lead to a coldboot execution hack that can be leveraged by device owners to install Linux, run unofficial games, custom firmware, and other unsigned code on Nintendo Switch consoles, which is typically not possible.
Both exploits take advantage of a buffer overflow vulnerability in the USB software stack of read-only boot instruction ROM (IROM/bootROM), allowing unauthenticated arbitrary code execution on the game console before any lock-out operations (that protect the chip's bootROM) take effect.
The buffer overflow vulnerability occurs when a device owner sends an "excessive length" argument to an incorrectly coded USB control procedure, which overflows a crucial direct memory access (DMA) buffer in the bootROM, eventually allowing data to be copied into the protected application stack and giving attackers the ability to execute code of their choice.

In other words, a user can overload a Direct Memory Access (DMA) buffer within the bootROM and then execute it to gain high-level access on the device before the security part of the boot process comes into play.
"This execution can then be used to exfiltrate secrets and to load arbitrary code onto the main CPU Complex (CCPLEX) application processors at the highest possible level of privilege (typically as the TrustZone Secure Monitor at PL3/EL3)," hardware hacker Katherine Temkin of ReSwitched, who released Fusée Gelée, said.
However, the exploitation requires users to have physical access to the hardware console to force the Switch into USB recovery mode (RCM), which can simply be done by pressing and shorting out certain pins on the right Joy-Con connector, without actually opening the system.

By the way, fail0verflow said a simple piece of wire from the hardware store could be used to bridge Pin 10 and Pin 7 on the console's right Joy-Con connector, while Temkin suggested that simply exposing and bending the pins in question would also work.
Once done, you can connect the Switch to your computer using a cable (USB A → USB C) and then run any of the available exploits.
Fusée Gelée, released by Temkin, allows device owners only to display device data on the screen, while she promised to release more scripts and full technical details about exploiting Fusée Gelée on June 15, 2018, unless someone else made them public.
She is also working on customized Nintendo Switch firmware called Atmosphère, which can be installed via Fusée Gelée.

On the other hand, ShofEL2 exploit released by famous fail0verflow team allows users to install Linux on Nintendo Switches.
"We already caused temporary damage to one LCD panel with bad power sequencing code. Seriously, do not complain if something goes wrong," fail0verflow team warns.
Meanwhile, another team of hardware hackers Team Xecutor is also preparing to sell an easy-to-use consumer version of the exploit, which the team claims, will "work on any Nintendo Switch console regardless of the currently installed firmware, and will be completely future proof."
Nintendo Can't Fix the Vulnerability Using Firmware Update
The vulnerability is not just limited to the Nintendo Switch and affects Nvidia's entire line of Tegra X1 processors, according to Temkin.
"Fusée Gelée was responsibly disclosed to NVIDIA earlier, and forwarded to several vendors (including Nintendo) as a courtesy," Temkin says.
Since the bootROM component comes integrated into Tegra devices to control the device boot-up routine and all happens in Read-Only memory, the vulnerability cannot be patched by Nintendo with a simple software or firmware update.
"Since this bug is in the Boot ROM, it cannot be patched without a hardware revision, meaning all Switch units in existence today are vulnerable, forever," fail0verflow says. "Nintendo can only patch Boot ROM bugs during the manufacturing process."
So, it is possible for the company to address this issue in the future using some hardware modifications, but do not expect any fix for the Switches that you already own.

PDF Files Can Silently Leak NTLM Credentials
30.4.2018 securityweek Hacking

NTML credentials can be stolen via malicious Portable Document Format (PDF) files without any user interaction, Check Point security researchers warn.

Attackers looking to steal the credentials for the NT LAN Manager (NTLM) authentication protocol (which consist of a domain name, a user name, and a one-way hash of the user's password) can do so by abusing a feature where remote documents and files can be embedded inside PDF files.

PDF files, the security researchers explain, consist primarily of objects, together with Document structure, File structure, and content streams. There are eight basic types of objects, including dictionaries, and a malicious actor can abuse these to steal NTLM credentials.

A dictionary object represents a table containing pairs of objects, called entries, where the first element is the key (a name) and the second element is the value (may be any kind of object). Represented by dictionary objects, the pages of a document are called page objects and consist of required and optional entries.

One of the optional entries is the /AA entry, defining actions performed when a page is opened (/O entry) or closed (/C entry). An action dictionary is held within /O (/C) and consists of 3 required entries: /S, /F, and /D, describing the type of action to be performed – GoToR (Go To Remote) and GoToE (Go To Embedded) –, the location location of the other PDF, and the location to go to within the document.

“By injecting a malicious entry (using the fields described above together with his SMB server details via the ‘/F’ key), an attacker can entice arbitrary targets to open the crafted PDF file which then automatically leaks their NTLM hash, challenge, user, host name and domain details,” Check Point explains.

The security researchers, who also published a proof-of-concept, explain that the victim has no way of noticing the abnormal behavior. There is no evidence of the action being performed, nor a security alert.

Once the PDF file has been executed, the NTLM details are sent to the attacker’s server to be used for various SMB relay attacks.

According to Check Point, the issue likely impacts all PDF-viewers for Windows, as all of them will reveal the NTLM credentials.

The security researchers informed Adobe on the vulnerability, but the company said a fix won’t be released, because Microsoft is already offering users the possibility to prevent such attacks from happening in the first place.

In October 2017, the software giant made some optional Windows NTLM Single Sign-On (SSO) authentication changes to prevent “authentication with resources that are not marked as internal by the Windows Firewall.”

“Microsoft is releasing this new functionality as a mitigation to NTLM dictionary attacks. Microsoft continues to recommend that customers move to public key authentication methods for applications which do not support modern authentication, and use negotiate with Kerberos authentication whenever possible,” the company explained in an advisory.

Hackers Target Poorly Patched Oracle WebLogic Flaw
By Eduard Kovacs on April 30, 2018

Hackers have been scanning the Internet for Oracle WebLogic Server installations that can be taken over using a recently addressed vulnerability. While patched systems should be protected against attacks, experts claim the fix implemented by Oracle can be bypassed.

One of the 254 issues resolved by Oracle with its April 2018 CPU is CVE-2018-2628, a critical remote command execution flaw affecting versions 10.3.6.0, 12.1.3.0, 12.2.1.2 and 12.2.1.3 of the Oracle WebLogic Server (Fusion Middleware) Java EE application server. Oracle has credited Liao Xinxi of the NSFOCUS Security Team and an individual who uses the online moniker loopx9 for reporting this security hole to the company.

Unauthenticated attackers can exploit this vulnerability remotely via the T3 transport protocol on TCP port 7001 and the task is made easy by the fact that proof-of-concept (PoC) code has already been made available.

One of the first people to disclose details of the vulnerability was Liao Xinxi himself. Developer Davide Tampellini used that information along with PoC code released by others to create a weaponized exploit that can be used to spawn a remote shell.

GreyNoise Intelligence reported seeing a “large spike” in devices scanning the Web for port 7001 shortly after the first PoCs surfaced. GreyNoise’s reports are backed by data from other companies, including SANS and Qihoo 360.

While there have not been any reports of servers actually being hacked using CVE-2018-2628, Oracle WebLogic Server has been known to be targeted by malicious actors. For instance, FireEye revealed in February that cybercriminals had been exploiting CVE-2017-10271, a WebLogic Server flaw patched by Oracle in October 2017, to deliver cryptocurrency miners. A possibly related threat group was also spotted recently exploiting the Drupal vulnerability known as Drupalgeddon2.

While users should in theory be protected against attacks exploiting CVE-2018-2628 if they have applied Oracle’s patch, a China-based security researcher who uses the online moniker Pyn3rd claims the fix can be easily bypassed.

Researcher Kevin Beaumont confirmed that bypassing the patch is possible and advised users to block port 7001 to mitigate attacks.

Oracle WebLogic flaw exploited in the wild

SecurityWeek has reached out to Oracle for comment and will update this article if the company responds.

How to use weaponized PDF documents to steal Windows credentials
28.4.2018 securityaffairs Hacking

Weaponized documents are the main ingredient for almost any spam and spear-phishing campaign, let’s see how to steal windows credentials with specially crafted PDF files.
Weaponized documents are the main ingredient for almost any spam and spear-phishing campaign.

Weaponized PDF files can be used by threat actors to steal Windows credentials, precisely the associated NTLM hashes, without any user interaction.

According to a research published by Assaf Baharav, a security expert at Check Point, the attackers just need to trick victims into opening a file.

According to Check Point researchers, rather than exploiting the vulnerability in Microsoft Word files or Outlook’s handling of RTF files, attackers take advantage of a feature that allows embedding remote documents and files inside a PDF file.

Baharav explained that attackers could take advantage of features natively found in the PDF standard to steal NTLM hashes, rather than exploiting a flaw in Microsoft Word files or RTF files.

“The attacker can then use this to inject malicious content into a PDF and so when that PDF is opened, the target automatically leaks credentials in the form of NTLM hashes.” wrote Baharav.

The researcher used a specially crafted PDF document for his proof-of-concept.

When a victim would open the PDF document it would automatically contact a remote SMB server controlled by the attacker, but don’t forget that SMB requests include the NTLM hash for the authentication process.

“The NTLM details are leaked through the SMB traffic and sent to the attacker’s server which can be further used to cause various SMB relay attacks.” continues the expert.

weaponized PDF SMB attack NTLM hash

Using this trick the attacker can obtain the NTLM hash and use tools available online to recover the original password.

Such kind of attack is stealth, it is impossible for the victims to notice any abnormal behavior.

Similar techniques leveraging SMB requests were used in the past by several threat actors, but with other types of documents or OS features (i.e. Office documents, shared folders authentication, Outlook)

According to Check Point, almost any Windows PDF-viewer is affected by this security flaw and will reveal the NTLM credentials.

Baharav successfully tested the attack on Adobe Acrobat and FoxIT Reader.

The experts followed a 90 days disclosure policy by notifying both Adobe and Foxit the vulnerability.

Adobe replied that will not fix the issue because it considers the flaw linked to the OS, meanwhile FoxIT still has not responded.

Adobe experts are referring to Microsoft Security Advisory ADV170014, released in October 2017 that implements a mechanism and provides instructions on how users could disable NTLM SSO authentication on Windows operating systems.

Below the reply from Adobe:

“Thank you for checking in on this case. Microsoft issued an optional security enhancement [0] late last year that provides customers with the ability to disable NTLM SSO authentication as a method for public resources. With this mitigation available to customers, we are not planning to make changes in Acrobat.“

F-Secure experts devised a Master Key that unlocks millions of hotel rooms
27.4.2018 securityaffairs Hacking

A security duo has built a master key that could be used to unlock doors of hotel rooms using the Vision by VingCard digital lock technology.
Do you travel often? Probably you don’t know that hackers can unlock your room door without using the master key due to a critical design vulnerability in a popular and widely used electronic lock system.

The affected locking system is the Vision by VingCard manufactured by Assa Abloy, the flaw can be exploited to unlock hotel rooms worldwide.

The Vision by VingCard locking system is currently deployed in more than 42,000 facilities in 166 different countries.

The vulnerability was discovered by Tomi Tuominen and Timo Hirvonen, security researchers at F-Secure researchers. The security duo has built a master key that could be used to unlock doors of the hotel rooms using the Vision by VingCard digital lock technology.

“You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air,” says Tomi Tuominen, Practice Leader at F-Secure Cyber Security Services.

“He worked side by side with F-Secure’s Timo Hirvonen, Senior Security Consultant, to devise a way to exploit the software system, known as Vision by VingCard.”

Let’s see how hackers have built their ‘Master Key,’ step by step. First, the attacker needs to get access to an electronic keycard used in the target facility, no matter it is currently active, experts noticed that even an expired key from a stay five years ago will work.

“The device can then be used instead of a key to bypass any lock in the facility, or alternatively, to overwrite an existing key with the newly created master key.”

The attacker can read the electronic key (RFID or magstripe) remotely by standing close to a hotel guest or employee having a keycard in his pocket. Another option consists of booking a room and then use that card as the source.

At this point, the attacker would need to write the electronic key and to do it he can use a portable programmer. Such kind of device is very cheap, it can be bought online for a few hundred dollars.

Tomi and Timo developed a custom software that allows creating a master key within minutes. The experts devised a custom-tailored device (actually an RFID reader/writer) that they held close to the VingCard locking system, it then tries different keys in less than one minute and finds the master key to unlock the door.

“An attacker will read the key and use a small hardware device to derive more keys to the facility. These derived keys can be tested against any lock in the same building. Within minutes the device is able to generate a master key to the facility. The device can then be used instead of a key to bypass any lock in the facility, or alternatively, to overwrite an existing key with the newly created master key.” continues the post published by F-Secure.

“The needed hardware is available online for a few hundred euros. However, it is the custom software developed by Tomi and Timo that makes the attack possible.”

The researchers notified Assa Abloy of their discovery in April 2017, since then the experts helped the manufacturer in fixing the issue.

Assa Abloy has recently issued a security update to address the vulnerability.

hotel rooms hack

The experts will not publish the technical details of the attack nor will they make any the custom-hardware available.

The good news is that to date, the experts are not aware of any attacks in the wild exploiting the flaw they discovered.

Below a video PoC of the hack.

In addition, the two experts also discovered that the Vision software could be exploited within the same network to get access to sensitive customer data.

Do Not Disturb app will protect your device from evil maid attacks
26.4.2018 securityaffairs Hacking

Former NSA expert and white hat hacker Patrick Wardle has released an app named Do Not Disturb app that can be used to detect attacks powered by attackers with physical access to the device (so-called “evil maid” attacks).
Patrick Wardle app Version 1.0.0 was built explicitly to protect unattended laptops continually monitors the system for events that may indicate a precursor of “evil maid” attack. According to Wardle, the Not Disturb app watches for ‘lid open’ events, the expert credited @thegrugq for the idea.

“If you’ve shut your laptop (and thus triggered sleep mode), the majority of physical access attacks may require the lid to be opened in order for the attack to succeed.” wrote Wardle.

“Such attacks could include:

Logging in locally as root, by exploiting a bug such as ‘#iamroot’
Locally logging in via credentials captured by a hidden camera
Inserting a malicious device into a USB or Thunderbolt port.
Again, most of these attacks require a closed laptop to be opened…either to awake it (i.e. to process a malicious device) or for the attacker to interact with the laptop!”

Once the Do Not Disturb app has detected a lid open event, it will take a series of actions. The app is able to display a local alert, send an alert to a remote Apple device (iPhone or iPad), log the attacker’s actions (creation of new processes, USB insertions, etc.), run custom scripts that could wipe sensitive data, disable the USB interfaces, or automatically re-lock the device every few seconds.

Wardle’s company Digita Security, has also released an iOS companion app for Do Not Disturb (available on the Apple Store) that allows users to associate their devices with the Do Not Disturb app, an operation that is necessary to receive alerts and notifications in case of attack.

“While the iOS companion application is free, after the first week of remote alerts/tasking, one will have to subscribe to a monthly ($0.99) or yearly ($9.99) to maintain this functionality. The Mac application, is and will always be 100% free 🙂 ” added Wardle.
“The iOS companion application is completely optional, and only required if one is interested in receiving remote DND alerts.”

Wardle plans to introduce new features in the future versions of the Do Not Disturb app that will include the management of more “lid open” events.

Hotel Rooms Around the World Susceptible to Silent Breach
26.4.2018 securityweek Hacking

Vision by VingCard

In 2003, researchers from F-Secure were attending a security conference in Berlin -- specifically, the ph-neutral hacker conference -- when a laptop was stolen from a locked hotel room. They reported the theft to the hotel staff, but felt they weren't taken too seriously because, dressed in typical hacker gear, "We kinda looked like a bunch of hippies."

More to the point, however, there was no sign of the door being forced, nor any indication from the electronic locking system's logs that anyone had entered the room in their absence.

The locking system was Assa Abloy's Vision by VingCard -- a state-of-the-art system from one of the world's most trusted and widely-used facilities security firms. In short, the laptop was stolen by a ghost that could pass through locked doors and leave no trace.

Vision by VingCard is deployed in 166 different countries, 40,000 facilities, and millions of doors.

F-Secure researchers told SecurityWeek, "Our guy was working on some really interesting and specific stuff; and, yes, it would absolutely have been of interest to any 3, 4 or 5 letter agency in many different nation-states." Without naming their victim researcher, they added, "This was not some Joe-average researcher, and we have always been 100% sure that the laptop was stolen."

With this background it is not surprising that the researchers started to investigate the locking system. Specifically, they were looking for a Vision by VingCard vulnerability that could be exploited without trace -- and eventually they found one. It took thousands of hours work over the last 15 years examining the system and looking for the tiniest errors of logic.

"We wanted to find out if it's possible to bypass the electronic lock without leaving a trace," said Timo Hirvonen, senior security consultant at F-Secure. "Building a secure access control system is very difficult because there are so many things you need to get right. Only after we thoroughly understood how it was designed were we able to identify seemingly innocuous shortcomings. We creatively combined these shortcomings to come up with a method for creating master keys."

In summary, with any existing, old or expired keycard to any room on the system, it is possible to generate a master key that can be used to gain entry to any of the hotel rooms without leaving a trace on the system. An attacker could book a room and then use that keycard as the source; or could even read the data remotely by standing close to someone who has a card in a pocket -- in a hotel elevator, for example.

"You can imagine what a malicious person could do with the power to enter any hotel room, with a master key created basically out of thin air," commented Tomi Tuominen, practice leader at F-Secure Cyber Security Services. Property, such as F-Secure's laptop, could be physically removed; or an evil maid attack on any discovered laptop could deliver malware or perhaps prepare the device for remote control by usurping the Intel Management Engine BIOS Extension (MEBx).

Hirvonen explained the process of developing a master card to access a room. The first requirement is to obtain any keycard, current or expired, to any door in the target facility. A custom-tailored device (actually a Proxmark RFID token reader/writer) is then held close to the target lock. The device tries different keys, and in an average of less than one minute, locates the master key and unlocks the door. "The final step is that you either use the device as the master key, or you write the master key back to your keycard. This only has to be done once. You have found the master key and you can access any room in the hotel."

The basic Proxmark can be bought online for around 300 euros; but, added Hirvonen, "It is our custom software that does the work. It emulates different keys, and one of those will be the master key." He explained further. "On paper, it looks as if the keyspace is too big to crack so quickly using brute force. But we were able to combine small technical design flaws with a process vulnerability that allowed us to reduce the keyspace from a gazillion to something that could be brute forced in an average of 20 tries."

The capacity of the card is 64 bytes; and of those some 48 bytes are usable. It includes multiple different data fields on the card. "Once we identified the eleven different data fields," continued Hirvonen, "we realized that what remained could feasibly be attacked."

F-Secure reported its findings to Assa Abloy in April 2017, and for the last year the two firms have worked on a solution. At first, Assa Abloy thought the solution would simply be to increase the keyspace on the cards -- a theoretical solution that F-Secure repeatedly demonstrated didn't work in practice. The real solution has included effective randomization of the whole keyspace; and Assa Abloy has now released an update for its systems.

"Because of Assa Abloy's diligence and willingness to address the problems identified by our research," says Tuominen in an associated blog published today, "the hospitality world is now a safer place. We urge any establishment using this software to apply the update as soon as possible."

Full technical details of the attack will not be released by F-Secure, and Tuominen and Hirvonen have stressed that they are unaware of this exploit ever being used in the wild. But then, how would you detect the phantom use of a forged master keycard that leaves no trace on the system logs?

Honeypot Shows the Power of Automation in the Hands of Hackers
18.4.2018 securityweek Hacking

Honeypot Experiment Shows the Commoditization of Using Bots to Perform Low-level Hacking Tasks

Next-gen endpoint detection and response firm Cybereason wanted to test two hypotheses: first, that hackers are ignoring free information in the underground forums; and second, that bots have become more sophisticated and dangerous than is often believed.

To do this, it set up a sophisticated honeypot system that masqueraded as a financial services company. For the first hypothesis, it dropped remote desktop protocol (RDP) access credentials for three servers on dark markets and paste sites. The passwords were complex, but everything needed to break in was dropped in plaintext, with the cover story of a lucky skiddie who found the information but didn't know what to do with it. He was giving away the information to build trust and foster goodwill.

The first hypothesis was proven. Nobody touched or attempted to use the credentials. "They might as well not have existed," Cybereason's senior director for intelligence services, Ross Rustici, told SecurityWeek. Hackers no longer trust the markets near the surface of the dark web, probably considering them to be full of government agents and security researchers. Instead, they work in closed forums in the deep web where access to outsiders -- and hacker newbies -- is difficult.

Or they work alone, without relying on untrustworthy human-to-human interaction, and with greater reliance on bots. This was the second purpose on the financial services honeypot -- to gauge how sophisticated these bots have become.

This part of the project had two phases. The first was to set up additional RDP services with weak passwords, and, writes Rustici in an associated blog, "we opened up several other services to see which ports were scanned the most and if there was a large difference in functionality once they broke in."

Within two hours of creating the weak RDP services, he told SecurityWeek, "they got popped by a bunch of different stuff probably using rainbow tables." It was what he expected -- simple bots, scanning, brute forcing, and performing the rudimentary tasks that would help the operator decide to incorporate the network into a botnet or keep the credentials for future use.

"But then we got lucky," he said. "One particular bot not only popped the box, but then started doing exploit analysis right off the bat." This bot was essentially a complete and automated hacking kit. It did a network recon. "It tried to figure out where it was, and what the machine name was. It created false user names and accounts, so the attacker would have sustained backdoor access into the system should the weak password get changed or somebody try to take out the initial intrusion."

This was an aggressive and stealthy bot. It was aggressive in the speed and extent of its functions, and stealthy through its use of PowerShell scripts. "The attacker had cobbled together a bunch of PowerShell scripts, a bit of Python and a couple of open source utilities (MimiKatz and probably Netcat) and, within minutes, it could pretty much own every node on the network without the hacker having to get into the network and get dirty. It did everything that a normal intrusion would take hours to do, and essentially reduced the dwell time on the endpoint from 2 hours (which would be average) to minutes."

Only the use of MimiKatz and Netcat would provide easily visible red flags for the defenders; but Rustici commented, "It all happens so fast and largely quietly that it would probably be missed by 50% of the controls currently on the market." Basically, the bot broke in, looked around, dropped its own backdoor and withdrew in minutes and without human interaction.

"Two days later," Rustici told SecurityWeek, "we saw a human come into that network using one of the created accounts and start poking around on the box and looking for specific information. He already had the road map from the bot. He knew what he was looking for -- and so he just literally popped up the RDP, went in and then started pulling files back. He then installed a mail program and emailed himself 3 GB of exfiltration.

"It was interesting," he added, "because although you see a lot of bot activity, it's rare you see interaction between a human and a bot and how cybercriminals are monetizing this brute force access that they're getting through scanning the web. The way they moved into the environment also shows how much data the bot gathered and how useful that data was to whoever was using it."

Cybereason still has, he said, "some sleuthing" to do. Is the bot, "run and operated by a group that is selling access on the deep web closed forums based off the information they pull back, or was it the same person operating the bot who came in and stole the data?" The two-days delay between the bot and the human activity could just be a cooling off period, it could be the length of time taken to sell on the data, or it could be an indication of the number of genuine networks popped by the bot -- with what was to all intents and purposes a financial services company bumped towards the top of the list for further exploitation.

What is almost certain, however, is that we will see more of this type of automated hacking in the future. "I think the attack method is already commoditized," says Rustici. "I think we got lucky in that we saw it happen so quickly after we opened up the ports, I think we got a little unlucky in the fact that we didn't see more of it. The scripting and the automation is the way that both attackers and defenders are going -- it's the only way that you can keep up with the amount of devices that exist online -- the attack surface that you either have to defend or penetrate."

As access to specific information becomes more valuable, he added, "you're going to see a lot more people take this approach rather than the traditional DDoS botnet type activity that bots are more generally associated with -- especially with monetizing DDoS getting harder and the industry getting better at mitigating it. I think we are going to see a lot more actors move towards this type of automated recon. They can either sell the information or do some doxing and try to hold the whole network to ransom in new ways beyond the traditional ransomware infection."

In short, automated intrusion and reconnaissance is the natural evolution of hacking methodologies: "It's sort of worming 2.0 -- and I think we are going to see a lot of people playing with this kind of technology."

Boston, MA-based Cybereason raised $100 million in Series D funding from SoftBank Corp in June 2017. This increased total investment in the firm to $189 million since its inception in 2012. It raised $25 million in Series B financing and $59 million in Series C financing, both in 2015.